Symantec 10551441 - AntiVirus Corporate Edition Administrator's Manual

Administration guide
Symantec AntiVirus™
Corporate Edition
Administrator's Guide

Summary of Contents for Symantec 10551441 - AntiVirus Corporate Edition

  • Page 1 Symantec AntiVirus™ Corporate Edition Administrator’s Guide...
  • Page 2 NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user.
  • Page 3: Technical Support

    Technical support: As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group’s primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base.
  • Page 4: Customer Service

    Recent software configuration changes and/or network changes. Customer Service: To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, and then choose Service and Support. Customer Service is available to assist with the following types of...
  • Page 5: Table Of Contents

    Managing Symantec AntiVirus. Chapter 1, Managing Symantec AntiVirus: About managing Symantec AntiVirus (13); Managing with the Symantec System Center (14); Using console views (15); Saving console settings (16); Understanding Symantec System Center icons (17); Discovering computers and refreshing the console (19); Auditing computers ...
  • Page 6 Contents: Managing with client groups (53); Creating new client groups (53); Adding clients to a client group (53); Configuring settings and running tasks at the client group level (54); Finding client group settings (54); Moving clients in client groups ...
  • Page 7 How to specify exclusions (114); Deleting files and folders that are left on computers by threats (115); Configuring scheduled scans (115); Scheduling scans for server groups or individual Symantec AntiVirus servers (115); Scheduling scans for Symantec AntiVirus clients (118); Setting options for missed scheduled scans (120); Editing, deleting, or disabling a scheduled scan (121)...
  • Page 8 Best practice: Using the Virus Definition Transport Method and LiveUpdate together (149); Best practice: Using Continuous LiveUpdate on 64-bit computers (149); Updating virus definitions files on Symantec AntiVirus servers (150); Updating and configuring Symantec AntiVirus servers using the Virus Definition Transport Method (150); Updating servers using LiveUpdate ...
  • Page 9 Analyzing and mapping your Symantec AntiVirus network (184); Identifying servers for each hierarchical level (185); Creating a list of 0 level Symantec AntiVirus servers (185); Creating a hierarchical list of Symantec AntiVirus servers (186); Configuring roaming client support options from the Symantec System Center console (186)...
  • Page 10 Contents...
  • Page 11 Section: Managing Symantec AntiVirus. Topics: Managing Symantec AntiVirus; Setting up the Alert Management System; ...
  • Page 13: Managing Symantec Antivirus

    Symantec AntiVirus servers and clients. In addition to the Symantec System Center, you can also use configuration files (Grc.dat) to configure Symantec AntiVirus clients. You can use configuration files if you want to use a third-...
  • Page 14: Managing With The Symantec System Center

    Managing with the Symantec System Center: When the Symantec System Center runs, it displays a system hierarchy of server groups, client groups, and servers displayed in an expandable/collapsible tree. The system hierarchy is the top level that contains all server groups and client groups.
  • Page 15: Using Console Views

    Symantec System Center console. For example, when you install the Symantec AntiVirus management snap-in, the Symantec AntiVirus view is added, which includes fields related to Symantec AntiVirus, such as Last Scan and Definitions. The columns that appear in the right pane change based on the selected view.
  • Page 16: Saving Console Settings

    Server. Changing console views: Unless you change the view, the Symantec System Center console displays the Console Default View. The other views available depend upon which managed Symantec AntiVirus products you have installed. To change console views: In the Symantec System Center console, in the left pane, expand System Hierarchy.
  • Page 17: Understanding Symantec System Center Icons

    Quarantine Server. Note: If a newer version of MMC is present on the system, you may need to upgrade to the newer version to save changes upon exiting the Symantec System Center console. Understanding Symantec System Center icons The Symantec System Center uses icons to represent the different states of computers that are running Symantec managed products.
  • Page 18 A threat other than a virus, such as adware or spyware, was detected on the computer that is running Symantec AntiVirus server. Note: If Symantec AntiVirus detects a virus and a threat other than a virus on the same computer, the virus icon appears.
  • Page 19: Discovering Computers And Refreshing The Console

    Discovering computers and refreshing the console At the first startup of a newly installed Symantec System Center console, the console will ping the network to find all available computers running Symantec AntiVirus servers. As soon as the servers respond, they are added to the console.
  • Page 20 When the computer was last infected. Both IP and IPX pings are sent to the remote computer running Symantec AntiVirus server to determine what type of protocol it uses. Pings are also sent that support Norton AntiVirus Corporate Edition and LANDesk Virus Protect, legacy versions of Symantec AntiVirus.
  • Page 21 Normal Discovery Following all types of Discovery, a Normal Discovery runs. In a Normal Discovery, the Symantec System Center console broadcasts to all servers that are in unlocked server groups. This additional Discovery queries the primary server of the server group for the list of secondary servers in its address cache.
  • Page 22 Changing the Discovery Cycle interval While the Discovery Cycle interval can be changed, be aware that increasing the interval can result in a display of outdated information from the Symantec System Center console. To change the Discovery Cycle interval In the Symantec System Center console, on the Tools menu, click Discovery Service.
  • Page 23 Intense Discovery walks the NetWare or Microsoft branches of the network tree, or both. From the Symantec System Center console, you can select any node beneath the console root, and then choose Discovery Service from the Tools menu to perform a new discovery of servers.
  • Page 24 You can run the Discovery Service and find servers with or without including IP addresses and subnets. To run IP Discovery In the Symantec System Center console, in the left pane, select any node below the console root. On the Tools menu, click Discovery Service.
  • Page 25 Symantec System Center console status bar. You can also access IP Discovery functionality in the Find Computer dialog box. See “Using the Find Computer feature” on page 27. To discover without IP: In the Symantec System Center console, on the Tools menu, click Discovery Service.
  • Page 26 In the Discovery Service Properties window, on the General tab, select one of the following options: Load from cache only: This is the quickest method. The Symantec System Center reads the list of servers and clients stored in the local cache.
  • Page 27 Servers on segments using only IPX protocol can also be skipped in the discovery process. If you cannot locate some servers on your LAN, you can locate them manually with the Find Computer feature in the Symantec System Center console. Once you use the Find Computer feature to locate a server, you can manage it from the Symantec System Center console.
  • Page 28 To find computers by searching the local cache: In the Symantec System Center console, on the Tools menu, click Find Computer. In the Find Computer window, on the Local Search tab, type the network name of the server that you want to find.
  • Page 29 Locating found items in the Symantec System Center console You can match an item in a Find Computer list to the same item as it appears in the Symantec System Center console tree. To do so, the server group to which the item belongs must be unlocked.
  • Page 30 Refresh feature does not find servers or server groups that may have been added since the current session of the Symantec System Center started. If the refresh determines that a server that previously appeared in the server group view is no longer communicating, the unavailable server icon appears.
  • Page 31: Auditing Computers

    Auditing computers: Computers on your network that do not have Symantec AntiVirus running leave holes open in your network security. You can run a network audit of remote computers to determine the following: Whether a Symantec AntiVirus component is installed and running.
  • Page 32 To run a network audit: In the Symantec System Center console, on the Tools menu, click Find Computer. In the Find Computer dialog box, on the Audit Network tab, type the beginning and end of the IP address range.
  • Page 33 Click Find Now to run the audit. You can see the audit progress at the bottom of the Find Computer dialog box. When the audit completes, the following types of information appear: Machine: The name of the remote computer.
  • Page 34 Computers that cannot be located or to which a connection cannot be made; Routers and network drives; Computers that do not have Symantec AntiVirus software installed. To label an item and rerun the audit: In the Find Computer dialog box, in the Machine column, right-click an item, and then click Label.
  • Page 35 Check Show parent servers discovered through clients even if they fall out of the specified IP range if you want the parent servers of the computers running Symantec AntiVirus client or server out of the specified range to appear in the results.
  • Page 36 36 Managing Symantec AntiVirus Managing with the Symantec System Center Under Symantec AntiVirus UDP Ports, enter up to four port numbers that you want to ping. Port 1 defaults to 2967, which is the default port number for RTVScan, the main Symantec AntiVirus service.
  • Page 37: About Clients And Servers

    It can also be responsible for new virus definitions files updates. From the Symantec System Center console, when you launch a task at the server group level, the task runs on the server group’s primary server. The primary server also forwards the task on to all other servers in the server group.
  • Page 38: About Secondary Servers

    About server and client groups Server group members can share a single Symantec AntiVirus configuration, and you can also run a Symantec AntiVirus operation on all members of a server group. From the Symantec System Center console, you can create new server groups and manage their membership.
  • Page 39: Deciding Whether To Manage With Server Groups And/Or Client Groups

    By setting up client groups, you can set up and manage different policies under a single parent server. Assigned clients are Symantec clients that have been assigned to a client group. They receive virus definitions files from the server to which they are physically attached, but receive configuration settings and updates based upon the client group to which the Symantec AntiVirus policies are applied.
  • Page 40: Server And Client Group Scenario

    Table 1-3 lists each context you can select in the Symantec System Center, and what it configures, when selected. Table 1-3 Configuration priority (Context: What it configures): System hierarchy: All unlocked server groups and the clients they manage...
  • Page 41: Managing With Server Groups

    The installation program groups all of the servers that you select into one server group. This might be adequate if you want all of your managed computers running Symantec AntiVirus to use the same settings. However, if you want to make global configuration changes for groups of servers, you can create new server groups and easily use a drag-and-drop operation (or cut-and-paste) to move servers from one server group to another.
  • Page 42: Locking And Unlocking Server Groups

    To lock a server group: In the Symantec System Center console, in the left pane, right-click the server group that you want to lock, and then click Lock Server Group.
  • Page 43: Working With Server Group Passwords

    When you attempt to unlock a server group, the Symantec System Center tries all of the saved passwords. You will be prompted for a password only if none of the saved passwords works.
  • Page 44 To no longer save the server group password: In the Symantec System Center console, in the left pane, right-click an unlocked server group, and then click Lock Server Group. Type the old password.
  • Page 45: Renaming Server Groups

    You can rename server groups as necessary. To rename a server group In the Symantec System Center console, in the left pane, unlock the server group that you want to rename, if necessary. Right-click the server group, and then click Rename.
  • Page 46: Changing Primary And Parent Servers

    Symantec AntiVirus product configuration settings. To change a primary server In the Symantec System Center console, in the left pane, double-click the server group icon. Right-click the secondary server that you are designating as a primary server, and then click Make Server A Primary Server.
  • Page 47: Viewing Server Groups

    The server configurations file is located in the same directory to which Symantec AntiVirus was installed on the server. It has the same format as a client configurations file (Grc.dat). It is created only when synchronizing a server to a new server group’s settings.
  • Page 48: Deleting Server Groups

    IP and IPX addresses that are specified in the access list. For example, you can prevent an attacker who has access to the Symantec System Center console and a valid server group password from making unauthorized changes to the following: Server and client antivirus protection settings...
  • Page 49: Implementing Enhanced Server Group Security

    Figure 1-2 Enhanced server group security (diagram: an authorized Symantec System Center console has read/write access to the primary server and secondary server; an unauthorized Symantec System Center console has read-only access; the access list is held in the registry)...
  • Page 50 Add IP and IPX addresses to the access list only when you need to allow the Symantec System Center to access the server. Delete the value for an address when you no longer require access.
  • Page 51 Symantec AntiVirus Event Log. When the event occurs on a computer running Symantec AntiVirus, the log event is forwarded to the parent server.
  • Page 52 Open the HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AccessList key. Type LogAccessDenied as a new DWord. Type 1 as the binary data associated with the LogAccessDenied DWord value to enable logging. Close the registry editor. To set the frequency for logging unauthorized configuration change attempts: Start a registry editor, such as Regedt32.
  • Page 53: Managing With Client Groups

    A client can belong to only one client group. To add a client to a client group In the Symantec System Center console, in the left pane, click the server that contains the client. In the right pane, move the client to the client group using a drag-and-drop...
  • Page 54: Configuring Settings And Running Tasks At The Client Group Level

    To configure settings and run tasks at the client group level In the Symantec System Center console, in the left pane, right-click the client group.
  • Page 55: Filtering The Client Group View

    When the Groups folder is selected in the left pane and Default Console View or a Symantec product view is selected from the View menu, the client groups appear in the right pane along with information specific to the view. For example, when the Default Console View is active, the number of clients in each client group appears.
  • Page 56: Filtering The Client Group View

    These options may impact performance if there are many clients and servers in the server group. Under Client Options, check Indicate when clients are offline to display a unique icon in the Symantec System Center console when a client is not connected to the network. Click OK.
  • Page 57: Renaming Client Groups

    They continue to assume the settings of that group. To delete a client group In the Symantec System Center console, in the left pane, unlock the server group from which you want to delete the client group. Double-click the server group.
  • Page 58: Configuring Clients Directly

    Configuring clients directly: You can allow for the direct configuration of Symantec AntiVirus clients. The options that you set directly remain in force until a new configurations file (Grc.dat) is copied to the client.
  • Page 59: How Settings Propagate

    When prompted to make the client either managed or unmanaged, choose unmanaged. How settings propagate The method that Symantec AntiVirus uses to propagate settings depends upon the item that you choose in the Symantec System Center console. Table 1-4 describes how settings propagate when you choose server groups, servers, and clients.
  • Page 60: New Grc.dat Files Overwrite Old Grc.dat Files

    New Grc.dat files overwrite old Grc.dat files New Grc.dat files are propagated and overwrite old Grc.dat files any time that they are sent to the client. This behavior occurs even when you open a Symantec AntiVirus window or dialog box that contains options from the Symantec System Center console, and then click OK without changing options.
  • Page 61: Setting Up The Alert Management System

    Chapter: Setting up the Alert Management System. This chapter includes the following topics: About the Alert Management System; How Alert Management System works; Configuring alert actions; Working with configured alerts; Using the Alert Management System Alert Log; ...
  • Page 62: How Alert Management System Works

    Symantec AntiVirus into AMS through the Symantec AntiVirus service. On a computer running the Symantec AntiVirus client, the Symantec AntiVirus service waits for an event thread that requires an alert. These threads can be generated by the following events: Configuration change...
  • Page 63: Configuring Alert Actions

    Configuring alert actions lets you configure many different methods of notification—such as pager, SNMP, and email—for detected threats and configuration changes. Alert configuration tasks: Alert configuration requires the following related tasks: Select an alert in the Alert Actions dialog box.
  • Page 64: Configuring Alert Action Messages

    To configure an alert: In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select an alert, and then click Configure to define an alert action.
  • Page 65 You can configure this default alert to notify you when a message exceeds 1 KB. To configure a default alert message In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Click Default Alert, and then click Configure.
  • Page 66: Speeding Up Alert Configuration

    Select whether you want an error beep and whether you want the dialog box to always appear on top until it is cleared. Click Next. Type the action name that describes the message that you are configuring. The action name and the action computer name appear in the Alert Actions dialog box beside this action.
  • Page 67 To speed up alert configuration: In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Click Options. In the Options dialog box, do one of the following: If you use an IPX network, in the Add IPX address box, type the IPX...
  • Page 68: Configuring The Message Box Alert Action

    To configure the Message Box alert action In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions.
  • Page 69: Configuring The Broadcast Alert Action

    To configure the Broadcast alert action In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions.
  • Page 70: Configuring The Load An Nlm Alert Action

    To configure the Run Program alert action: In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions.
  • Page 71: Configuring The Send Internet Mail Alert Action

    To configure the Send Internet Mail alert action In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions.
  • Page 72: Configuring The Send Page Alert Action

    Entering a pager message. To configure the Send Page alert action: In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions.
  • Page 73 Click Next. If you’re creating a message for an alphanumeric pager, in the Message box type any message text you want to display and move available parameters from Alert Parameters to the Message box. If you’re creating a message for a numeric pager, you can only type numbers in the Message box.
  • Page 74: Configuring The Send Snmp Trap Alert Action

    To configure the Send Page alert action for an unlisted paging service: In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions.
  • Page 75 SNMP traps sent. To configure the Send SNMP Trap alert action In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions.
  • Page 76 Configuring trap destinations for Windows 2000 Server: You can configure SNMP traps for Windows 2000 Server. To configure trap destinations for Windows 2000 Server: On the Windows taskbar, click Start > Settings > Control Panel. Double-click Administrative Tools.
  • Page 77: Configuring The Write To Event Log Alert Action

    To configure the Write To Event Log alert action In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions.
  • Page 78: Testing Configured Alert Actions

    You can delete actions associated with an alert as necessary. To delete an alert action from an alert In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert action you want to delete, and then click Delete.
  • Page 79 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Do one of the following: Click the Symantec AntiVirus folder if you want to export all alerts associated with Symantec AntiVirus.
  • Page 80: Using The Alert Management System Alert Log

    Using the Alert Management System Alert Log You can use the Alert Log to view a list of all alerts generated by network computers running Symantec AntiVirus. You can configure the Alert Log to do one of the following: Display only the alerts that match the conditions that you specify.
  • Page 81 To view the Alert Log: Right-click the server group, and then click All Tasks > AMS > View Log. To change the number of entries displayed in the Alert Log: In the Alert Log window, right-click, and then click Options.
  • Page 82: Viewing Detailed Alert Information

    To delete all visible log entries: In the Alert Log window, right-click, and then click Delete > Filtered Entries. To copy Alert Log contents to the Clipboard: Press and hold the Ctrl key, and then select the multiple log entries.
  • Page 83: Filtering The Alert Log Display List

    When you finish viewing the alert information, click Close. The computer listed in the Alert Log is the primary server that recorded the action because it records all events for the Symantec server group. To see which computer actually generated the alert, double-click the Alert Log entry about which you want more information.
  • Page 84: Forwarding Alerts From Unmanaged Clients

    Forwarding alerts from unmanaged clients To specify which alerts display in the Alert Log In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > View Log. In the Alert Log window, right-click, and then click Options.
  • Page 85 Be sure to include the S preceding <SERVERNAME>. Do not include the brackets. Save the file as Grc.dat to one of the following folders on the client: For Windows 98\Me: C:\Program Files\Symantec AntiVirus; For Windows NT: C:\Winnt\Profiles\All Users\Application...
  • Page 86 Setting up the Alert Management System: Forwarding alerts from unmanaged clients...
  • Page 87 Section: Configuring Symantec AntiVirus. Topics: Scanning for viruses and other threats; Updating virus definitions files; Responding to virus outbreaks; Managing roaming clients; Working with Histories and Event Logs; ...
  • Page 89: Scanning For Viruses And Other Threats

    Configuring scan options. About threats: Symantec AntiVirus can scan for viruses and known and emerging threats, such as spyware, adware, and other files that could put your computer at risk. Symantec AntiVirus can scan for the following threat types: Viruses: Programs or code that attach a copy of themselves to another...
  • Page 90 Worms: Programs that replicate without infecting other programs. Some worms spread by copying themselves from disk to disk, while others replicate only in memory to slow a computer down. Trojan horses: Programs that contain code that is disguised as or hiding in...
  • Page 91: About Scans In Symantec Antivirus

    Symantec AntiVirus. They remain detected as viruses so that Symantec AntiVirus can continue to provide protection for legacy systems. About scans in Symantec AntiVirus: You can configure the following types of scans from the Symantec System Center console: File System Auto-Protect scans...
  • Page 92: Understanding Auto-Protect Scans

    Understanding scheduled scans From the Symantec System Center console, you can schedule scans for Symantec AntiVirus servers or clients. Users can also schedule scans for their computers from Symantec AntiVirus clients, but they cannot change or disable scans that you schedule for their computers. Symantec AntiVirus runs one scheduled scan at a time.
  • Page 93: Selecting Computers To Scan

    Figure 3-1 Scan Options dialog box. Selecting computers to scan: In the Symantec System Center console, you select the computers that you want to scan, determine the types of scans that are available, where scans are performed, and the scan options.
  • Page 94 Note: Clients’ settings must be locked before Auto-Protect options that are configured in the Symantec System Center console can be propagated to them. If you make a change but do not lock the setting, the change is not propagated to clients.
  • Page 95 Determining scan options for multiple computers: When you view Auto-Protect, virus sweep, or manual scan options for multiple selected computers, the configuration check boxes and options have a tri-state feature that is apparent only when the computers have different options configured.
  • Page 96: Configuring Auto-Protect Scans

    A and also have Auto-Protect enabled on server B, when client A writes a file to a network drive on server B, Symantec AntiVirus scans the file on client A and scans the file again on server B. This could reduce network performance on the client computer.
  • Page 97 Right-click the server group or servers with Symantec AntiVirus clients that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. The Symantec System Center will configure all of the clients that are associated with the server or server group.
  • Page 98 Click OK. About Scan all file types and SmartScan: You can configure Symantec AntiVirus to scan all file types or to use SmartScan. SmartScan scans a specific, configurable group of file extensions that contain executable code and all .exe and .doc files. SmartScan reads each file’s header to determine its file type.
  • Page 99 Fun Love. If Auto-Protect detects a virus during shutdown, it places the infected file in a temporary Quarantine directory. Auto-Protect then detects the virus on startup and creates an alert notification. Symantec AntiVirus start...: Load Auto-Protect when Symantec AntiVirus starts.
  • Page 100 File caching decreases Auto-Protect’s memory usage and can help you to track problems. Symantec AntiVirus adds a 16-byte entry to the cache index, which remains until Symantec AntiVirus detects a change to the file.
  • Page 101 Higher values decrease Threat Tracer’s ability to detect infections. Client firewall auto blocks IP address of the source computer: Enable this option if you are using Symantec Client Security firewall client and want the firewall to automatically block the IP addresses of computers that transmit infected files.
  • Page 102 For example, after you receive the alert, you can decide what course of action to take. Do not check floppies upon system shutdown: Symantec AntiVirus skips the scan of any floppy disk in the floppy drive when the computer is shut down normally.
  • Page 103 How to bypass Auto-Protect for files that are being backed up: You can have Symantec AntiVirus bypass Auto-Protect during a backup. This allows backup software to operate without the overhead of an additional Auto-Protect scan. The setting applies only to files that are being backed up. Files that...
  • Page 104 File caching decreases Auto-Protect’s memory usage and can help you to track problems. The file cache includes an index of files that were scanned and determined to be clean. Symantec AntiVirus adds a 16-byte ID to the cache index, which remains until Symantec AntiVirus detects a change to the file.
  • Page 105: Configuring Auto-Protect Email Scanning For Groupware Applications

    To configure email scanning In the Symantec System Center console, right-click the server group or servers to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on the Lotus Notes or Microsoft Exchange tab, check Enable Auto-Protect.
  • Page 106: Configuring Auto-Protect Scanning For Internet Email

    (such as GroupWise) save attachments to a temporary directory when users launch attachments from the email program. If you enable Auto-Protect on your file system, Symantec AntiVirus detects the virus as it is written to the temporary directory. Symantec AntiVirus also detects the virus if the user tries to save the infected attachment to a local drive or network drive.
  • Page 107 Auto-Protect scanning for Internet email uses the standard POP3 and SMTP email ports by default. However, if you have configured your network to use a different port for either protocol, you must change the port setting in Symantec AntiVirus to match the port that you have selected.
  • Page 108: How To Specify Exclusions

    To enable outbound email heuristics scanning In the Symantec System Center console, right-click the server group or servers to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on the Internet E-mail tab, check Enable Internet E-mail Auto-Protect.
  • Page 109: Configuring Auto-Protect Settings

    In the Symantec System Center console, do one of the following: ■ To change server Auto-Protect settings, right-click a server group or server, and then click All Tasks > Symantec AntiVirus > Server Auto-Protect Options. ■ To change client Auto-Protect settings, right-click a server group, ...
  • Page 110: How To Lock And Unlock Auto-Protect Options

    If you want to scan all servers and clients in a server group, run a virus sweep or create a scheduled scan. Symantec AntiVirus backs up viruses but does not back up other threats, such as adware or spyware, when it deletes them. Once you delete the file, Symantec...
  • Page 111 Scanning for viruses and other threats Configuring manual scans To configure a manual scan In the Symantec System Center console, do one of the following: ■ Right-click a server or client computer. ■ Select one or more servers that are in the same server group, and then ...
  • Page 112 ■ Enable scans of compressed files on NetWare servers. Click OK to save advanced options. 10 In the Scan Options dialog box, click Save Settings if you want Symantec AntiVirus to remember these options for future manual scans on this computer.
  • Page 113: How To Specify Exclusions

    Deleting files and folders that are left on computers by threats When Symantec AntiVirus deletes a file that is part of a threat category, such as adware or spyware, other files related to the threat may remain on the computer.
  • Page 114: Scheduling Scans For Server Groups Or Individual Symantec Antivirus Servers

    You can schedule scans for one or more server groups as well as for individual Symantec AntiVirus servers. To schedule a scan for a server group In the Symantec System Center console, do one of the following: ■ In the console tree, click System Hierarchy. In the right pane, ...
  • Page 115 Scanning for viruses and other threats Configuring scheduled scans In the Scheduled Scans dialog box, on the Server Group Scans tab, click New. In the Scheduled Scan dialog box, under Name, type a name for the scan. Ensure that Enable scan is checked. Set a frequency for the scan.
  • Page 116: Scheduling Scans For Symantec Antivirus Clients

    Once you delete the file, Symantec AntiVirus cannot restore it. ■ Set options for scanning compressed files. 16 Click OK until you return to the main screen in the Symantec System Center console. See “Configuring scan options” on page 123.
  • Page 117 Scanning for viruses and other threats Configuring scheduled scans In the Scheduled Scans dialog box, on the Client Scans tab, click New. In the Scheduled Scan dialog box, under Name, type a name for the scan. Set a frequency for the scan. Set a time for the scan.
  • Page 118 to repair them as a data safety precaution. The files are encrypted before Symantec AntiVirus backs them up. The files get backed up to the Quarantine directory. Once the file is backed up, it must be restored before it can be accessed again.
  • Page 119: Setting Options For Missed Scheduled Scans

    15 Click OK until you return to the main screen in the Symantec System Center console. See “Configuring scan options” on page 123. Setting options for missed scheduled scans If a computer misses a scheduled scan (for example, if it is turned off), Symantec AntiVirus will attempt the scan for a specific time interval.
  • Page 120: Running A Scheduled Scan On Demand

    ■ Select an existing scan, and then click Edit. Change any properties that you want, and then click OK until you return to the Symantec System Center main window. ■ Select an existing scan, and then click Delete. Click OK until you return ...
  • Page 121: Deleting Files And Folders That Are Left On Computers By Threats

    Click Start Scan. Deleting files and folders that are left on computers by threats When Symantec AntiVirus deletes a file that is part of a threat category, such as adware or spyware, other files related to the threat may remain on the computer.
  • Page 122 Click OK. Exit Regedit. To modify the client check-in interval In the Symantec System Center console, right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, check Update Virus Definitions From Parent Server.
  • Page 123: Configuring Scan Options

    You can assign a primary action and, in case the primary action is not possible, a secondary action for Symantec AntiVirus to take when it discovers a virus. You can assign separate actions for macro viruses and non-macro viruses.
  • Page 124: How To Assign Primary Actions And Secondary Actions For Other Detected Threats

    You can assign a primary action and, in case the primary action is not possible, a secondary action for Symantec AntiVirus to take when it discovers a threat other than a virus, such as adware or spyware. Figure 3-2 Scheduled Scan Options dialog box with Exp.
  • Page 125: Controlling The User Experience

    Denying or permitting users the ability to unload Symantec AntiVirus You can deny or permit users the ability to unload Symantec AntiVirus. To deny or permit users the ability to unload Symantec AntiVirus In the Symantec System Center console, right-click a server, server group, or client group, and then click All Tasks >...
  • Page 126 To require a password before uninstalling In the Symantec System Center console, right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Client Administrator Only Options.
  • Page 127 By default, a user can pause a scan for one hour. You must enable this option to allow a user to pause a scan for three hours. 11 Click OK until the main Symantec System Center console window appears. To allow users to stop a scan In the Symantec System Center console, right-click a server group, server, or client group, and then click All Tasks >...
  • Page 128 Displaying and customizing a warning message on an infected computer When you run a remote scan on a user’s computer, you can immediately notify the user of a problem by displaying a warning message on the infected computer’s screen.
  • Page 129 The warning message tells you which virus was found and explains the action that was taken. Symantec AntiVirus appends this text to the top of the email message that is associated with the infected attachment: Symantec AntiVirus found a virus in an attachment from [EmailSender].
  • Page 130 To add an infection warning to an infected email message In the Symantec System Center console, right-click a server group, Symantec AntiVirus server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on either the Lotus Notes or Microsoft Exchange tab, click Insert warning into email message.
  • Page 131 For supported email software, you can configure Auto-Protect to notify others whenever an email message that contains an infected attachment is opened. Symantec AntiVirus sends an email message to the selected recipients with the following subject: Virus Found in message “[EmailSubject]”...
  • Page 132: Scanning For In-Memory Threats

    To notify others of an infected email message In the Symantec System Center console, right-click a server group, Symantec AntiVirus server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on either the Lotus Notes or Microsoft Exchange tab, click Enable Lotus Notes (Microsoft Exchange) Auto-Protect.
  • Page 133 Symantec AntiVirus to register a false positive. Check with Symantec Technical Support if you are not sure if a file is infected. Table 3-5 describes exclusions.
  • Page 134: Selecting File Types And Extensions To Scan For Viruses

    Click OK until the Symantec System Center console appears. Selecting file types and extensions to scan for viruses By default, Symantec AntiVirus scans all files during a virus scan. For scans other than Auto-Protect scanning, you can select to scan only files of a specific file type or with specific extensions.
  • Page 135 When you scan by file extension, Symantec AntiVirus does not read the file header to determine the file type and scans only files with the extensions that you specify. Table 3-6 describes the recommended extensions.
  • Page 136 Table 3-6 Recommended file extensions for scanning. Descriptions: JavaScript; JavaScript Encoded; Ichitaro; Microsoft Access; Microsoft Project; Microsoft Office 2000; Microsoft Office binder; Microsoft Office binder; Microsoft object linking and embedding custom control; Overlay; Program information file; PERL program source code (UNIX)
  • Page 137 ■ Use Defaults: Add all extensions and program types. Click OK until the Symantec System Center console appears. To select files to scan by program type In the Scan Options dialog box for the scan that you want to configure, click the appropriate Selected button.
  • Page 138 Tree view icons Icon Description Symantec AntiVirus will scan all of the files in this folder and also all of the files in subfolders. Symantec AntiVirus will scan one or more items that you’ve selected in the folder or one of the subfolders.
  • Page 139: Enabling Expanded Threat Categories

    Enable expanded threat scanning and exclude threat categories if necessary By default, Symantec AntiVirus does not scan for threats other than viruses and blended threats. You must enable expanded threat scanning. You can also exclude an expanded threat category for which you don’t want Symantec AntiVirus to scan.
  • Page 140 To exclude an expanded threat category from scanning In the Symantec System Center console, do one of the following: ■ Right-click a server or client computer. ■ Select one or more servers that are in the same server group, and then ...
  • Page 141: Setting Options For Scanning Compressed Files

    Performance and disk space issues arise during scans if Symantec AntiVirus opens all of the stubs and the HSM system places the files back on the original disk. Consult your HSM or backup vendor to select the appropriate settings.
  • Page 142 This is the default Symantec AntiVirus setting because it is the most reliable for vendors that use reparse points. Consult your HSM vendor to determine if this setting is appropriate.
  • Page 143 Storage migration options (Windows 2000 and later) Option Description Scan all files without forcing demigration (slow): Symantec AntiVirus copies a file from secondary storage to the local hard drive as a temp file for scanning, but the HSM application leaves the original file on the secondary storage.
  • Page 144: Setting Cpu Utilization

    Setting CPU utilization For scheduled and manual scans, Symantec AntiVirus allows you to control the scan’s CPU priority. Giving a scan a lower priority means that the scan will take longer to complete, but also frees the CPU to work on other tasks. You may want to set a lower priority in some situations.
  • Page 145: Chapter 4 Updating Virus Definitions Files

    Virus definitions files contain sample code for thousands of threats. When Symantec AntiVirus scans for threats, it attempts to find matches between your files and sample code that is inside of the virus definitions files. If Symantec AntiVirus finds a match, the file may be infected.
  • Page 146: Virus Definitions Files Update Methods

    A push operation starts when new virus definitions are received via the Symantec FTP site or LiveUpdate server by a primary server on your network. The ... Use the Virus Definition Transport Method when you want to control virus definitions files updates from the Symantec System Center.
  • Page 147: Best Practice: Using The Virus Definition Transport Method And Liveupdate Together

    LiveUpdate. These installations do not permit direct access to the Symantec site by a large number of servers and clients. One or more servers act as an internal LiveUpdate server to all of the other servers on the network, and in some installations, to all clients.
  • Page 148: Updating Virus Definitions Files On Symantec Antivirus Servers

    Click Yes in the confirmation dialog box. Click OK in the status dialog box. To update servers manually In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
  • Page 149 Click Update Now. A message appears with information about how you can view the date of the new virus definitions file. Read the information that appears, and then click OK until the Symantec System Center console reappears. To update servers automatically In the Symantec System Center console, right-click a server or server group, and then click All Tasks >...
  • Page 150 10 Click OK until you return to the Symantec System Center main window. Updating NetWare servers using the Virus Definition...
  • Page 151 To update NetWare servers without TCP/IP ◆ Temporarily move the NetWare server into a server group that has a Windows NT server that is running the IPX protocol.
  • Page 152 Configure primary server 2 to retrieve the latest update from primary server 1. This makes primary server 1 a master primary server. Symantec AntiVirus servers in server group B receive updates from their primary server. Clients automatically receive updates from their Symantec AntiVirus servers.
  • Page 153 [Figure labels: East region, West region] Server group primary servers on separate WANs retrieve the update from the Symantec FTP site or LiveUpdate server. Primary servers distribute the update to primary servers in other server groups in their local networks. The primary...
  • Page 154: Updating Servers Using Liveupdate

    Update Symantec AntiVirus servers directly from the Symantec FTP site or LiveUpdate server You can update all of the Symantec AntiVirus servers in a server group from a primary server, or update each server in the group individually. To update primary servers In the Symantec System Center console, right-click a server group, and then click All Tasks >...
  • Page 155 Virus Definition Manager dialog box to manually and automatically update the virus definitions files on that server. If you use a computer that does not run Symantec AntiVirus as an internal LiveUpdate server, use the LiveUpdate Administration Utility to update the virus definitions on that server.
  • Page 156 FTP servers, type the logon name and password for the FTP server and directory that will be accessed. Click OK until you return to the Symantec System Center main window. Specifying multiple internal LiveUpdate servers for failover support To compensate for unavailable internal LiveUpdate servers, Symantec...
  • Page 157: Updating Servers With Intelligent Updater

    Download Intelligent Updater from the Symantec Web site, and then install Intelligent Updater to servers with the latest virus definitions files. Note: Make sure to use Intelligent Updater files for Symantec AntiVirus rather than the consumer version of the product.
  • Page 158: Minimizing Network Traffic And Handling Missed Updates

    Minimize network traffic and handle missed updates You can set separate randomization schedules for Symantec AntiVirus servers and clients on your network to minimize the impact on network traffic. You can specify separate policies for handling missed LiveUpdate events for...
  • Page 159 To randomize the LiveUpdate schedule for servers In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
  • Page 160: Updating Virus Definitions Files On Symantec Antivirus Clients

    For example, you might want a weekly LiveUpdate event to run only if it is within three days after the scheduled time for the missed event. Click OK until you return to the Symantec System Center main window. To handle missed LiveUpdate events for clients In the Symantec System Center console, right-click a server or server group, and then click All Tasks >...
  • Page 161 64-bit computers. To update clients using the Virus Definition Transport Method In the Symantec System Center console, right-click a server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, check Update Virus Definitions From Parent Server.
  • Page 162: Updating Virus Definitions Files On Symantec Antivirus Clients Immediately

    Click Settings. In the Update Settings dialog box, set the frequency with which the parent server will push updates. Click OK until you return to the Symantec System Center main window. Updating virus definitions files on Symantec AntiVirus clients immediately You can force clients to update virus definitions files immediately using LiveUpdate.
  • Page 163: Configuring Managed Clients To Use An Internal Liveupdate Server

    To update one or more clients immediately with LiveUpdate In the Symantec System Center console, right-click one or more clients in the right pane, and then click All Tasks > Symantec AntiVirus > Update Virus Defs Now. If you selected more than the administrator-specified number of clients, in the confirmation dialog box, select one of the following: ■...
  • Page 164: Enabling And Configuring Continuous Liveupdate For Managed Clients

    ■ HTTP. Click OK until you return to the Symantec System Center main window. If you are using multiple parent servers, repeat steps 1–6 for each parent server so that all Symantec AntiVirus clients and servers receive the changes. You can also configure LiveUpdate for an entire group by right-clicking the server group.
  • Page 165: Setting Liveupdate Usage Policies

    To enable Continuous LiveUpdate by changing registry values Using Regedit, navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\PatternManager Add EnableAdminForcedLU as a new DWORD. Set the value of the DWORD to one of the following values: ■ 1: Enable ...
  • Page 166: Controlling Virus Definitions Files

    Allow Client To Manually Launch LiveUpdate is unchecked, LiveUpdate can run on the client at any time. Controlling virus definitions files The Symantec System Center console provides a set of tools for controlling the deployment of virus definitions files on your network. Use these tools to do the following: Verify the dates of virus definitions files on servers.
  • Page 167: Verifying The Version Number Of Virus Definitions Files

    The Symantec System Center displays a warning icon if a virus definitions file is out-of-date on one or more computers that are managed by a parent server, server group, or client group.
  • Page 168: Testing Virus Definitions Files

    Note: When you roll back virus definitions files, virus definitions that are newer than those in the rolled back version are deleted. To roll back virus definitions files In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
  • Page 169: Update Scenarios

    ■ At Company A, the administrator downloads the new virus definitions file from the Symantec FTP site or Symantec LiveUpdate server to a primary server on the test network. He tests the virus definitions file. When testing is completed, he copies the virus definitions file to the master primary server on his production network.
  • Page 170 About scanning after updating virus definitions files...
  • Page 171: Chapter 5 Responding To Virus Outbreaks

    Responding to virus outbreaks requires preparing before an outbreak occurs, and having a strategy in place for handling an outbreak should one occur. In addition to installing Symantec AntiVirus on the servers and workstations in your network, preparing for a virus outbreak consists of the following tasks: Creating and reviewing a virus outbreak plan.
  • Page 172: Preparing For A Virus Outbreak

    ■ Use the Central Quarantine Console to track infected computers on your network, and submit suspicious file samples to Symantec Security Response for analysis and cure. Preparing for a virus outbreak To prepare for a virus outbreak, you should create a virus outbreak plan and define actions for handling suspicious files.
  • Page 173 Understand security solutions. In addition to understanding your network topology, you need to understand your implementation of Symantec AntiVirus as well as the implementation of any other security products that are used on your network. Consider the following questions: ■ What security programs are protecting network ...
  • Page 174: Defining Symantec Antivirus Actions For Handling Suspicious Files

    Guide. Automatically purging suspicious files from local Quarantines When Symantec AntiVirus scans a suspicious file, it places the file in the local Quarantine folder on the affected computer. The Quarantine purge feature automatically deletes files in the Quarantine that exceed a specified age.
  • Page 175: Handling A Virus Outbreak On Your Network

    RepairedItemPurgeFrequency: Sets the frequency value for purging repaired files (0=Days, 1=Months, 2=Years). Handling a virus outbreak on your network Symantec AntiVirus provides the following tools for handling a virus outbreak on your network: ■ Alerts: Sends AMS and built-in alerts ...
  • Page 176: Using Virus Alerts And Messages

    Using virus alerts and messages You can use alerts and messages to learn about suspicious files that Symantec AntiVirus discovers on your network. Symantec AntiVirus offers the following notification mechanisms: ■ If configured, Symantec AntiVirus clients can send threat events to ...
  • Page 177: Tracking Virus Alerts Using Event Logs And Histories

    To run a virus sweep In the Symantec System Center console, right-click the network, a server group, or a server, and then click All Tasks > Symantec AntiVirus > Start Virus Sweep. In the Name box, type a name for the sweep.
  • Page 179: Chapter 6 Managing Roaming Clients

    Chapter 6 Managing roaming clients This chapter includes the following topics: ■ About roaming clients ■ Roaming client components ■ How roaming works ■ Implementing roaming ■ Command-line options ■ Registry values About roaming clients A roaming client can do the following: ■ Automatically identify its best parent server, based on speed and proximity, ...
  • Page 180: Roaming Client Components

    Administrators enable roaming on the computers before they are sent to branch offices. This entails specifying all of the possible roam servers for the new computers. When end users connect the new computers to the network, Symantec AntiVirus automatically assigns the best parent server. Roaming client components Table 6-1 lists roaming client components.
  • Page 181: How Roaming Works

    After you roll out this data, roaming clients work in the following manner: ■ SavRoam.exe launches on the Symantec AntiVirus client during startup, and selects the best Symantec AntiVirus server, based on registry values and server feedback. ■ The selected server provides the client with a list of servers at the next level ...
  • Page 182: Analyzing And Mapping Your Symantec Antivirus Network

    Figure 6-1 illustrates a map of an enterprise network that spans three continents. While this organization has more Symantec AntiVirus servers than appear in the map, only the mapped servers are identified as regional pointer servers.
  • Page 183: Identifying Servers For Each Hierarchical Level

    The only limit to the number of levels that you can define is the text file size limit of 512 characters. Creating a list of level 0 Symantec AntiVirus servers You can create the clients’ server list text file using a text editor such as Notepad.
  • Page 184: Creating A Hierarchical List Of Symantec Antivirus Servers

    In the Symantec System Center console, right-click the server group, Symantec AntiVirus servers, client group, or Symantec AntiVirus clients that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Roaming Options. If you select a server group, the Symantec System Center will configure all...
  • Page 185 Symantec System Center will configure all of the clients that are in the client group. In the Client Roaming Options dialog box, do the following: ■ Enable roaming on clients on which the Symantec AntiVirus roam ...
  • Page 186 Configuring additional roaming on each roaming client You can configure additional roaming on Symantec AntiVirus clients by setting the required values in a configurations file (Grc.dat), or by directly editing each roaming client’s registry using Regedit. Type the registry values under the...
  • Page 187: Configuring Additional Roaming Client Support For Roam Servers

    ProductControl\RoamManagingAlert: List of Alert servers to check for proximity. Level0. For information on using the configurations file, see the Symantec AntiVirus Reference Guide. Configuring additional roaming client support for roam servers To configure a Symantec AntiVirus server for additional roaming options, you...
  • Page 188 Enable roaming and roll out the hierarchical list of servers Enabling roaming requires adding a value to the registry of each roam server, and rolling out server list data. When you run RoamAdmn, it communicates with each server named at the beginning of each line in the hierarchical list of servers.
  • Page 189: Configuring Additional Server Types For Roaming Clients

    Configuring additional server types for roaming clients In addition to parent, load balancing, and failover servers that you can configure from the Symantec System Center console, you can specify the following server types in the registry: ■ Central Quarantine Server (this must also have Symantec AntiVirus server ...
  • Page 190 Command-line options You must have local Administrator rights to use command-line options. Table 6-4 Command-line options Option Description Displays a list of the options with descriptions of their usages. /import <server list>: Sets up client or server registry keys. When you use RoamAdmn.exe, you can import the server list to remote servers.
  • Page 191: Registry Values

    Table 6-4 Command-line options Option Description /nearest_alerts: Finds and sets the nearest Alert (Alert Management System) server. /check_parent: Verifies that the parent server is running. /shutdown: Disconnects the client from the parent server. /time-network <elapsed-time-in-seconds>: Provides the average amount of time that it takes to contact ...
  • Page 192 GRC parent and overwrites the parent copy. ParentLiveUpdateHstPath Defines the directory beneath the SAV home directory. For example: \MyLiveUpdateHost\Liveupdt.hst The .hst file must be placed under OSDRIVE/ ProgramFiles/Symantec/LiveUpdate. The agent copies the LiveUpdate host file to this location.
  • Page 193: Chapter 7 Working With Histories And Event Logs

    About Histories and Event Logs Histories and Event Logs offer a central view of virus and other threat activity and scanning on your network. Using the Symantec System Center, you can do the following: ■ View data at the server group, server, or individual managed workstation ...
  • Page 194: Sorting And Filtering History And Event Log Data

    Symantec AntiVirus provides several types of Histories and Event Logs as described in Table 7-1. Table 7-1 History and Event Log types Name Description Available for...
  • Page 195: Sorting And Filtering History And Event Log Data

    To filter History and Event Log data by date In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Logs, and then select one of the following: ■ Event Log ...
  • Page 196 In the Event Log dialog box, click the filter icon. In the Filter Event Log dialog box, select the events you want to display: ■ Configuration change ■ Symantec AntiVirus startup and shutdown ■ Virus definition file ■ Scan omissions ■ ...
  • Page 197: Viewing Histories

    To view a Threat History ◆ In the Symantec System Center console, right-click a server, server group, or client, and then click All Tasks > Symantec AntiVirus > Logs > Threat History. See “Understanding Event Log icons” on page 202.
  • Page 198: Working With Threat Histories

    To view the Scan History ◆ In the Symantec System Center console, right-click a server group, server, or client, and then click All Tasks > Symantec AntiVirus > Logs > Scan History. Working with Threat Histories In the Threat History window, icons display information about the viruses that were found.
  • Page 199 For viruses, you can undo the last action that was taken on a file, clean a file, delete it permanently, or move the file to the Central Quarantine. For other threats, you can access a Symantec Security Response web page to learn how to handle the threat.
  • Page 200: Working With Scan Histories
    In the Take Action dialog box, click Quarantine.
    To handle a threat in an expanded threat category
    Double-click the file. A Symantec Security Response web page appears that describes the threat in detail and provides information about removal methods. Take the recommended actions to remove the threat.
  • Page 201 Action / Description table
    Undo Action Taken: Symantec AntiVirus can undo the last action that was taken on an infected file, including removing a file from the Quarantine and removing the .vbn extension from a renamed file. Symantec AntiVirus cannot restore a file that has been permanently deleted.
  • Page 202: Understanding Event Log Icons
    Working with Scan Histories: In a Scan History, you can undo the last action that was taken on a file, clean a file, delete it permanently, or move the file to the Central Quarantine. You can also export Scan History data.
  • Page 203: Forwarding Client Logs To Parent Servers
    The client logs are located in the following directory:
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus\7.5\Logs
    Symantec AntiVirus tracks a client log throughout the forwarding process and handles delivery failures by resending the log when necessary.
    Configuring log forwarding options: You can edit the client log forwarding registry values using a registry editor such as Regedit or Regedt32.
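    The forwarding behaviour described above, as an added example in Python that is not Symantec's code: a client-side forwarder queues records, hands a batch to its parent once a threshold is reached, keeps the batch queued when the parent rejects it, resends on the next attempt, and appends one entry per attempt to a status list. The batch threshold, the status-entry layout, the parent's accept/reject interface and all class and method names are assumptions made for the example; the guide names none of them.

```python
"""Model of client log forwarding with batching and retry on delivery failure.

Added example, not Symantec's code. The guide states only that a client log
is tracked through forwarding and resent after a delivery failure; the batch
threshold, status layout and parent interface below are assumptions.
"""
import json


class FlakyParent:
    """Stand-in parent server (assumed interface): rejects the first
    `failures` deliveries, then accepts everything it is offered."""

    def __init__(self, failures):
        self.failures = failures
        self.received = []

    def accept(self, batch):
        if self.failures > 0:
            self.failures -= 1
            return False          # simulated delivery failure
        self.received.extend(batch)
        return True


class ClientLogForwarder:
    """Queues client log records and forwards them to the parent in batches."""

    def __init__(self, parent, threshold=10):
        self.parent = parent
        self.threshold = threshold   # assumed batch size, not the product default
        self.pending = []            # records not yet acknowledged by the parent
        self.status = []             # one entry per delivery attempt (assumed layout)
        self.delivered = 0

    def record(self, event):
        self.pending.append(event)
        if len(self.pending) >= self.threshold:
            self.flush()

    def flush(self):
        """Offer everything pending to the parent; drop it from the queue only
        after the parent accepted it, so a failed batch is resent next time."""
        if not self.pending:
            return True
        batch = list(self.pending)
        ok = self.parent.accept(batch)
        self.status.append({"records": len(batch), "delivered": ok})
        if ok:
            self.delivered += len(batch)
            self.pending = []
        return ok

    def status_file(self):
        """Serialised status entries, standing in for the forwarding status file."""
        return json.dumps(self.status)


def simulate(threshold=3, failures=1, events=7):
    """Run a forwarder against a parent that rejects the first delivery."""
    parent = FlakyParent(failures)
    fwd = ClientLogForwarder(parent, threshold)
    for i in range(events):
        # Constructed events, using two event names from Table 7-9.
        fwd.record({"seq": i, "event": "Scan aborted" if i % 2 else "Services loaded"})
    fwd.flush()   # final flush, as at service shutdown
    return fwd, parent


if __name__ == "__main__":
    fwd, parent = simulate()
    print("delivered:", fwd.delivered, "still pending:", len(fwd.pending))
    print("status file:", fwd.status_file())
```

    Clearing the queue only after the parent acknowledges gives at-least-once delivery: a rejected batch is retried with the new records that arrived in the meantime, and nothing is lost, at the cost of a possible duplicate if an acknowledgement rather than the delivery itself is what got lost.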
  • Page 204: Configuring Log Events To Forward
    ... 10 records. There is no minimum or maximum number.
    Configuring log events to forward: You can configure the events that you want Symantec AntiVirus to forward. Table 7-9 lists the client and server events in the order in which they appear in the Log Event Forwarding dialog box.
  • Page 205 Table 7-9: Client and server events (columns: Event name, Forwarding Required, Forwarded by Default). Event names on this page: Virus definitions downloaded from parent; File forwarded to Quarantine Server; File forwarded to Symantec; File backed-up/restored to/from Quarantine; Scan aborted; Error loading services; Services loaded; Services unloaded; Client removed from parent; ...
  • Page 206: Best Practice: Configuring Events To Forward For Sometimes Managed Clients
    To configure events to forward from clients to their parent servers
    In the Symantec System Center console, right-click a server, server group, or client, and then click All Tasks > Symantec AntiVirus > Logs > Client Log Forwarding.
    Check the events that you want the clients to forward to their parent servers.
  • Page 207: Reviewing The Forwarding Status File
    ... Histories and Event Logs that is older than a specified date.
    To set the delete frequency
    In the Symantec System Center console, right-click a server, server group, or client, and then click All Tasks > Symantec AntiVirus > Configure History.
  • Page 208 Working with Histories and Event Logs: Deleting Histories and Event Logs...
  • Pages 209–216: Index
