NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user.
Technical support
As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group's primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base.
■ Recent software configuration changes and/or network changes
Customer Service
To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, and then choose Service and Support. Customer Service is available to assist with the following types of...
Chapter 1 Managing Symantec AntiVirus
About managing Symantec AntiVirus .............. 13
Managing with the Symantec System Center .......... 14
Using console views .................. 15
Saving console settings ................ 16
Understanding Symantec System Center icons ........ 17
Discovering computers and refreshing the console ....... 19
Auditing computers ..................
Contents
Managing with client groups ................ 53
Creating new client groups ................ 53
Adding clients to a client group .............. 53
Configuring settings and running tasks at the client group level .. 54
Finding client group settings .............. 54
Moving clients in client groups ..............
How to specify exclusions ................ 114
Deleting files and folders that are left on computers by threats .. 115
Configuring scheduled scans ................ 115
Scheduling scans for server groups or individual Symantec AntiVirus servers ................ 115
Scheduling scans for Symantec AntiVirus clients ....... 118
Setting options for missed scheduled scans .......... 120
Editing, deleting, or disabling a scheduled scan ........ 121...
Best practice: Using the Virus Definition Transport Method and LiveUpdate together ................ 149
Best practice: Using Continuous LiveUpdate on 64-bit computers ... 149
Updating virus definitions files on Symantec AntiVirus servers .... 150
Updating and configuring Symantec AntiVirus servers using the Virus Definition Transport Method .......... 150
Updating servers using LiveUpdate ............
Analyzing and mapping your Symantec AntiVirus network .... 184
Identifying servers for each hierarchical level ........ 185
Creating a list of 0 level Symantec AntiVirus servers ...... 185
Creating a hierarchical list of Symantec AntiVirus servers .... 186
Configuring roaming client support options from the Symantec System Center console .............. 186...
Symantec AntiVirus servers and clients. In addition to the Symantec System Center, you can also use configuration files (Grc.dat) to configure Symantec AntiVirus clients. You can use configuration files if you want to use a third-...
Managing with the Symantec System Center
When the Symantec System Center runs, it displays a system hierarchy of server groups, client groups, and servers in an expandable/collapsible tree. The system hierarchy is the top level that contains all server groups and client groups.
Symantec System Center console. For example, when you install the Symantec AntiVirus management snap-in, the Symantec AntiVirus view is added, which includes fields related to Symantec AntiVirus, such as Last Scan and Definitions. The columns that appear in the right pane change based on the selected view.
■ Server
Changing console views
Unless you change the view, the Symantec System Center console displays the Console Default View. The other views available depend upon which managed Symantec AntiVirus products you have installed.
To change console views
In the Symantec System Center console, in the left pane, expand System Hierarchy.
Quarantine Server.
Note: If a newer version of MMC is present on the system, you may need to upgrade to the newer version to save changes upon exiting the Symantec System Center console.
Understanding Symantec System Center icons
The Symantec System Center uses icons to represent the different states of computers that are running Symantec managed products.
A threat other than a virus, such as adware or spyware, was detected on the computer that is running Symantec AntiVirus server. Note: If Symantec AntiVirus detects a virus and a threat other than a virus on the same computer, the virus icon appears.
Discovering computers and refreshing the console
At the first startup of a newly installed Symantec System Center console, the console pings the network to find all available computers running Symantec AntiVirus servers. As soon as the servers respond, they are added to the console.
■ When the computer was last infected
Both IP and IPX pings are sent to the remote computer running Symantec AntiVirus server to determine what type of protocol it uses. Pings are also sent that support Norton AntiVirus Corporate Edition and LANDesk Virus Protect, legacy versions of Symantec AntiVirus.
Normal Discovery
Following all types of Discovery, a Normal Discovery runs. In a Normal Discovery, the Symantec System Center console broadcasts to all servers that are in unlocked server groups. This additional Discovery queries the primary server of the server group for the list of secondary servers in its address cache.
Changing the Discovery Cycle interval
While the Discovery Cycle interval can be changed, be aware that increasing the interval can result in the Symantec System Center console displaying outdated information.
To change the Discovery Cycle interval
In the Symantec System Center console, on the Tools menu, click Discovery Service.
Intense Discovery walks the NetWare or Microsoft branches of the network tree, or both. From the Symantec System Center console, you can select any node beneath the console root, and then choose Discovery Service from the Tools menu to perform a new discovery of servers.
You can run the Discovery Service and find servers with or without including IP addresses and subnets.
To run IP Discovery
In the Symantec System Center console, in the left pane, select any node below the console root. On the Tools menu, click Discovery Service.
Symantec System Center console status bar. You can also access IP Discovery functionality in the Find Computer dialog box. See "Using the Find Computer feature" on page 27.
To discover without IP
In the Symantec System Center console, on the Tools menu, click Discovery Service.
In the Discovery Service Properties window, on the General tab, select one of the following options:
■ Load from cache only: This is the quickest method. The Symantec System Center reads the list of servers and clients stored in the local cache.
Servers on segments using only IPX protocol can also be skipped in the discovery process. If you cannot locate some servers on your LAN, you can locate them manually with the Find Computer feature in the Symantec System Center console. Once you use the Find Computer feature to locate a server, you can manage it from the Symantec System Center console.
To find computers by searching the local cache
In the Symantec System Center console, on the Tools menu, click Find Computer. In the Find Computer window, on the Local Search tab, type the network name of the server that you want to find.
Locating found items in the Symantec System Center console
You can match an item in a Find Computer list to the same item as it appears in the Symantec System Center console tree. To do so, the server group to which the item belongs must be unlocked.
Refresh feature does not find servers or server groups that may have been added since the current session of the Symantec System Center started. If the refresh determines that a server that previously appeared in the server group view is no longer communicating, the unavailable server icon appears.
Auditing computers
Computers on your network that do not have Symantec AntiVirus running leave holes open in your network security. You can run a network audit of remote computers to determine the following: Whether a Symantec AntiVirus component is installed and running.
To run a network audit
In the Symantec System Center console, on the Tools menu, click Find Computer. In the Find Computer dialog box, on the Audit Network tab, type the beginning and end of the IP address range.
Click Find Now to run the audit. You can see the audit progress at the bottom of the Find Computer dialog box. When the audit completes, the following types of information appear:
Machine: The name of the remote computer.
■ Computers that cannot be located or to which a connection cannot be made
■ Routers and network drives
■ Computers that do not have Symantec AntiVirus software installed
To label an item and rerun the audit
In the Find Computer dialog box, in the Machine column, right-click an item, and then click Label.
Check Show parent servers discovered through clients even if they fall out of the specified IP range if you want the parent servers of the computers running Symantec AntiVirus client or server out of the specified range to appear in the results.
Under Symantec AntiVirus UDP Ports, enter up to four port numbers that you want to ping. Port 1 defaults to 2967, which is the default port number for RTVScan, the main Symantec AntiVirus service.
It can also be responsible for distributing new virus definitions files updates. From the Symantec System Center console, when you launch a task at the server group level, the task runs on the server group's primary server. The primary server also forwards the task on to all other servers in the server group.
About server and client groups
Server group members can share a single Symantec AntiVirus configuration, and you can also run a Symantec AntiVirus operation on all members of a server group. From the Symantec System Center console, you can create new server groups and manage their membership.
By setting up client groups, you can set up and manage different policies under a single parent server.
■ Assigned clients are Symantec clients that have been assigned to a client group. They receive virus definitions files from the server to which they are physically attached, but receive configuration settings and updates based upon the client group to which the Symantec AntiVirus policies are applied.
Table 1-3 lists each context you can select in the Symantec System Center, and what it configures when selected.
Table 1-3 Configuration priority
Context            What it configures
System hierarchy   All unlocked server groups and the clients they manage...
The installation program groups all of the servers that you select into one server group. This might be adequate if you want all of your managed computers running Symantec AntiVirus to use the same settings. However, if you want to make global configuration changes for groups of servers, you can create new server groups and easily use a drag-and-drop operation (or cut-and-paste) to move servers from one server group to another.
To lock a server group
◆ In the Symantec System Center console, in the left pane, right-click the server group that you want to lock, and then click Lock Server Group.
When you attempt to unlock a server group, the Symantec System Center tries all of the saved passwords. You will be prompted for a password only if none of the saved passwords works.
Managing with server groups
To no longer save the server group password
In the Symantec System Center console, in the left pane, right-click an unlocked server group, and then click Lock Server Group. Type the old password.
You can rename server groups as necessary.
To rename a server group
In the Symantec System Center console, in the left pane, unlock the server group that you want to rename, if necessary. Right-click the server group, and then click Rename.
Symantec AntiVirus product configuration settings.
To change a primary server
In the Symantec System Center console, in the left pane, double-click the server group icon. Right-click the secondary server that you are designating as a primary server, and then click Make Server A Primary Server.
The server configurations file is located in the same directory in which Symantec AntiVirus was installed on the server. It has the same format as a client configurations file (Grc.dat). It is created only when synchronizing a server to a new server group's settings.
IP and IPX addresses that are specified in the access list. For example, you can prevent an attacker who has access to the Symantec System Center console and a valid server group password from making unauthorized changes to the following:
■ Server and client antivirus protection settings...
Enhancing server group security
Figure 1-2 Enhanced server group security (figure: an authorized Symantec System Center console, listed in the access list, has read/write access to the primary and secondary servers' registry; an unauthorized console has read-only access)
Add IP and IPX addresses to the access list only when you need to allow the Symantec System Center to access the server. Delete the value for an address when you no longer require access.
Symantec AntiVirus Event Log. When the event occurs on a computer running Symantec AntiVirus, the log event is forwarded to the parent server.
Open the HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AccessList key. Type LogAccessDenied as a new DWord. Type 1 as the binary data associated with the LogAccessDenied DWord value to enable logging. Close the registry editor.
To set the frequency for logging unauthorized configuration change attempts
Start a registry editor, such as Regedt32.
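As an added example (not from the Symantec guide), the following PowerShell audits the AccessList key described above: it confirms that LogAccessDenied is set to 1 and lists the other values under the key, which the guide's wording ("Delete the value for an address") suggests are the permitted console addresses. It assumes the key path exactly as given on this page, additionally checks the Wow6432Node location where a 32-bit product's key lives on 64-bit Windows, and the -Enable switch is an assumed scripted equivalent of the manual Regedt32 steps.

```powershell
# Added example: audit (and optionally enable) LogAccessDenied under the
# Symantec AntiVirus AccessList key described on this page. Not from the guide.
# Assumption: the key path is the one given in the text; on 64-bit Windows the
# 32-bit product's registry view may sit under Wow6432Node, so both are checked.
$AccessListPaths = @(
    'HKLM:\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AccessList',
    'HKLM:\SOFTWARE\Wow6432Node\INTEL\LANDesk\VirusProtect6\CurrentVersion\AccessList'
)

function Get-SavAccessListStatus {
    [CmdletBinding()]
    param(
        # Create or correct LogAccessDenied = 1 (requires administrative rights).
        [switch]$Enable
    )
    foreach ($path in $AccessListPaths) {
        if (-not (Test-Path -Path $path)) { continue }
        $key = Get-Item -Path $path
        $logValue = $key.GetValue('LogAccessDenied')   # $null when the value is absent
        if ($Enable -and $logValue -ne 1) {
            # The registry provider's -Type parameter writes a DWORD, as the guide specifies;
            # Set-ItemProperty creates the value if it does not yet exist.
            Set-ItemProperty -Path $path -Name 'LogAccessDenied' -Value 1 -Type DWord
            $logValue = 1
        }
        # Assumption: every other value under the key is an access-list address entry.
        $entries = $key.GetValueNames() | Where-Object { $_ -ne 'LogAccessDenied' -and $_ -ne '' }
        [pscustomobject]@{
            KeyPath          = $path
            LoggingEnabled   = ($logValue -eq 1)
            AccessListCount  = @($entries).Count
            AccessListValues = @($entries)
        }
    }
}

# Report only; add -Enable to turn logging on. Keys with no address entries are
# flagged so an administrator can confirm whether the access list is meant to be in use.
Get-SavAccessListStatus | ForEach-Object {
    if ($_.AccessListCount -eq 0) {
        Write-Warning "No address entries under $($_.KeyPath); review whether the access list is in use."
    }
    if (-not $_.LoggingEnabled) {
        Write-Warning "LogAccessDenied is not 1 under $($_.KeyPath); denied attempts will not be logged."
    }
    $_
}
```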
A client can belong to only one client group.
To add a client to a client group
In the Symantec System Center console, in the left pane, click the server that contains the client. In the right pane, move the client to the client group using a drag-and-drop...
When the Groups folder is selected in the left pane and Default Console View or a Symantec product view is selected from the View menu, the client groups appear in the right pane along with information specific to the view. For example, when the Default Console View is active, the number of clients in each client group appears.
These options may impact performance if there are many clients and servers in the server group. Under Client Options, check Indicate when clients are offline to display a unique icon in the Symantec System Center console when a client is not connected to the network. Click OK.
They continue to assume the settings of that group.
To delete a client group
In the Symantec System Center console, in the left pane, unlock the server group from which you want to delete the client group. Double-click the server group.
Configuring clients directly
You can allow for the direct configuration of Symantec AntiVirus clients. The options that you set directly remain in force until a new configurations file (Grc.dat) is copied to the client.
When prompted to make the client either managed or unmanaged, choose unmanaged.
How settings propagate
The method that Symantec AntiVirus uses to propagate settings depends upon the item that you choose in the Symantec System Center console. Table 1-4 describes how settings propagate when you choose server groups, servers, and clients.
New Grc.dat files overwrite old Grc.dat files
New Grc.dat files are propagated and overwrite old Grc.dat files any time that they are sent to the client. This behavior occurs even when you open a Symantec AntiVirus window or dialog box that contains options from the Symantec System Center console, and then click OK without changing options.
Chapter Setting up the Alert Management System
This chapter includes the following topics:
■ About the Alert Management System
■ How Alert Management System works
■ Configuring alert actions
■ Working with configured alerts
■ Using the Alert Management System Alert Log...
Symantec AntiVirus into AMS through the Symantec AntiVirus service. On a computer running the Symantec AntiVirus client, the Symantec AntiVirus service waits for an event thread that requires an alert. These threads can be generated by the following events:
■ Configuration change...
Configuring alert actions
Configuring alert actions lets you configure many different methods of notification—such as pager, SNMP, and email—for detected threats and configuration changes.
Alert configuration tasks
Alert configuration requires the following related tasks: Select an alert in the Alert Actions dialog box.
To configure an alert
In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select an alert, and then click Configure to define an alert action.
You can configure this default alert to notify you when a message exceeds 1 KB.
To configure a default alert message
In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Click Default Alert, and then click Configure.
Select whether you want an error beep and whether you want the dialog box to always appear on top until it is cleared. Click Next. Type the action name that describes the message that you are configuring. The action name and the action computer name appear in the Alert Actions dialog box beside this action.
To speed up alert configuration
In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Click Options. In the Options dialog box, do one of the following:
■ If you use an IPX network, in the Add IPX address box, type the IPX...
To configure the Message Box alert action
In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions.
To configure the Broadcast alert action
In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions.
To configure the Run Program alert action
In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions.
To configure the Send Internet Mail alert action
In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions.
■ Entering a pager message
To configure the Send Page alert action
In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions.
Click Next. If you're creating a message for an alphanumeric pager, in the Message box type any message text you want to display and move available parameters from Alert Parameters to the Message box. If you're creating a message for a numeric pager, you can only type numbers in the Message box.
To configure the Send Page alert action for an unlisted paging service
In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions.
SNMP traps sent.
To configure the Send SNMP Trap alert action
In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions.
Configuring trap destinations for Windows 2000 Server
You can configure SNMP traps for Windows 2000 Server.
To configure trap destinations for Windows 2000 Server
On the Windows taskbar, click Start > Settings > Control Panel. Double-click Administrative Tools.
To configure the Write To Event Log alert action
In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions.
You can delete actions associated with an alert as necessary.
To delete an alert action from an alert
In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert action you want to delete, and then click Delete.
In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Do one of the following:
■ Click the Symantec AntiVirus folder if you want to export all alerts associated with Symantec AntiVirus.
Using the Alert Management System Alert Log
You can use the Alert Log to view a list of all alerts generated by network computers running Symantec AntiVirus. You can configure the Alert Log to do one of the following: Display only the alerts that match the conditions that you specify.
To view the Alert Log
◆ Right-click the server group, and then click All Tasks > AMS > View Log.
To change the number of entries displayed in the Alert Log
In the Alert Log window, right-click, and then click Options.
To delete all visible log entries
◆ In the Alert Log window, right-click, and then click Delete > Filtered Entries.
To copy Alert Log contents to the Clipboard
Press and hold the Ctrl key, and then select the multiple log entries.
When you finish viewing the alert information, click Close. The computer listed in the Alert Log is the primary server that recorded the action because it records all events for the Symantec server group. To see which computer actually generated the alert, double-click the Alert Log entry about which you want more information.
Forwarding alerts from unmanaged clients
To specify which alerts display in the Alert Log
In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > View Log. In the Alert Log window, right-click, and then click Options.
Be sure to include the S preceding <SERVERNAME>. Do not include the brackets. Save the file as Grc.dat to one of the following folders on the client:
■ For Windows 98\Me: C:\Program Files\Symantec AntiVirus
■ For Windows NT: C:\Winnt\Profiles\All Users\Application...
Section Configuring Symantec AntiVirus
■ Scanning for viruses and other threats
■ Updating virus definitions files
■ Responding to virus outbreaks
■ Managing roaming clients
■ Working with Histories and Event Logs...
■ Configuring scan options
About threats
Symantec AntiVirus can scan for viruses and known and emerging threats, such as spyware, adware, and other files that could put your computer at risk. Symantec AntiVirus can scan for the following threat types:
■ Viruses: Programs or code that attach a copy of themselves to another...
Scanning for viruses and other threats
■ Worms: Programs that replicate without infecting other programs. Some worms spread by copying themselves from disk to disk, while others replicate only in memory to slow a computer down.
■ Trojan horses: Programs that contain code that is disguised as or hiding in...
Symantec AntiVirus. They remain detected as viruses so that Symantec AntiVirus can continue to provide protection for legacy systems.
About scans in Symantec AntiVirus
You can configure the following types of scans from the Symantec System Center console:
■ File System Auto-Protect scans...
Understanding scheduled scans
From the Symantec System Center console, you can schedule scans for Symantec AntiVirus servers or clients. Users can also schedule scans for their computers from Symantec AntiVirus clients, but they cannot change or disable scans that you schedule for their computers. Symantec AntiVirus runs one scheduled scan at a time.
Figure 3-1 Scan Options dialog box
Selecting computers to scan
In the Symantec System Center console, you select the computers that you want to scan, determine the types of scans that are available, where scans are performed, and the scan options.
Note: Clients’ settings must be locked before Auto-Protect options that are configured in the Symantec System Center console can be propagated to them. If you make a change but do not lock the setting, the change is not propagated to clients.
Determining scan options for multiple computers
When you view Auto-Protect, virus sweep, or manual scan options for multiple selected computers, the configuration check boxes and options have a tri-state feature that is apparent only when the computers have different options configured.
A and also have Auto-Protect enabled on server B, when client A writes a file to a network drive on server B, Symantec AntiVirus scans the file on client A and scans the file again on server B. This could reduce network performance on the client computer.
■ Right-click the server group or servers with Symantec AntiVirus clients that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. The Symantec System Center will configure all of the clients that are associated with the server or server group.
12 Click OK.
About Scan all file types and SmartScan
You can configure Symantec AntiVirus to scan all file types or to use SmartScan. SmartScan scans a specific, configurable group of file extensions that contain executable code and all .exe and .doc files. SmartScan reads each file's header to determine its file type.
Fun Love. If Auto-Protect detects a virus during shutdown, it places the infected file in a temporary Quarantine directory. Auto-Protect then detects the virus on startup and creates an alert notification.
Symantec AntiVirus start: Load Auto-Protect when Symantec AntiVirus starts...
File caching decreases Auto-Protect’s memory usage and can help you to track problems. Symantec AntiVirus adds a 16-byte entry to the cache index, which remains until Symantec AntiVirus detects a change to the file.
Higher values decrease Threat Tracer's ability to detect infections.
Client firewall auto blocks IP address of the source computer: Enable this option if you are using Symantec Client Security firewall client and want the firewall to automatically block the IP addresses of computers that transmit infected files.
For example, after you receive the alert, you can decide what course of action to take.
Do not check floppies upon system shutdown: Symantec AntiVirus skips the scan of any floppy disk in the floppy drive when the computer is shut down normally.
How to bypass Auto-Protect for files that are being backed up
You can have Symantec AntiVirus bypass Auto-Protect during a backup. This allows backup software to operate without the overhead of an additional Auto-Protect scan. The setting applies only to files that are being backed up. Files that...
File caching decreases Auto-Protect’s memory usage and can help you to track problems. The file cache includes an index of files that were scanned and determined to be clean. Symantec AntiVirus adds a 16-byte ID to the cache index, which remains until Symantec AntiVirus detects a change to the file.
To configure email scanning
In the Symantec System Center console, right-click the server group or servers to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on the Lotus Notes or Microsoft Exchange tab, check Enable Auto-Protect.
(such as GroupWise) save attachments to a temporary directory when users launch attachments from the email program. If you enable Auto-Protect on your file system, Symantec AntiVirus detects the virus as it is written to the temporary directory. Symantec AntiVirus also detects the virus if the user tries to save the infected attachment to a local drive or network drive.
Auto-Protect scanning for Internet email uses the standard POP3 and SMTP email ports by default. However, if you have configured your network to use a different port for either protocol, you must change the port setting in Symantec AntiVirus to match the port that you have selected.
To enable outbound email heuristics scanning
In the Symantec System Center console, right-click the server group or servers to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on the Internet E-mail tab, check Enable Internet E-mail Auto-Protect.
In the Symantec System Center console, do one of the following:
■ To change server Auto-Protect settings, right-click a server group or server, and then click All Tasks > Symantec AntiVirus > Server Auto-Protect Options.
■ To change client Auto-Protect settings, right-click a server group,...
If you want to scan all servers and clients in a server group, run a virus sweep or create a scheduled scan. Symantec AntiVirus backs up viruses but does not back up other threats, such as adware or spyware, when it deletes them. Once you delete the file, Symantec...
Configuring manual scans
To configure a manual scan
In the Symantec System Center console, do one of the following:
■ Right-click a server or client computer.
■ Select one or more servers that are in the same server group, and then...
■ Enable scans of compressed files on NetWare servers.
Click OK to save advanced options.
10 In the Scan Options dialog box, click Save Settings if you want Symantec AntiVirus to remember these options for future manual scans on this computer.
Deleting files and folders that are left on computers by threats
When Symantec AntiVirus deletes a file that is part of a threat category, such as adware or spyware, other files related to the threat may remain on the computer.
You can schedule scans for one or more server groups as well as for individual Symantec AntiVirus servers.
To schedule a scan for a server group
In the Symantec System Center console, do one of the following:
■ In the console tree, click System Hierarchy. In the right pane,...
Configuring scheduled scans
In the Scheduled Scans dialog box, on the Server Group Scans tab, click New. In the Scheduled Scan dialog box, under Name, type a name for the scan. Ensure that Enable scan is checked. Set a frequency for the scan.
Once you delete the file, Symantec AntiVirus cannot restore it.
■ Set options for scanning compressed files.
Click OK until you return to the main screen in the Symantec System Center console.
See “Configuring scan options” on page 123.
Scanning for viruses and other threats Configuring scheduled scans In the Scheduled Scans dialog box, on the Client Scans tab, click New. In the Scheduled Scan dialog box, under Name, type a name for the scan. Set a frequency for the scan. Set a time for the scan.
■ to repair them as a data safety precaution. The files are encrypted before Symantec AntiVirus backs them up. The files get backed up to the Quarantine directory. Once the file is backed up, it must be restored before it can be accessed again.
Scanning for viruses and other threats Configuring scheduled scans
Click OK until you return to the main screen in the Symantec System Center console.
See “Configuring scan options” on page 123.
Setting options for missed scheduled scans
If a computer misses a scheduled scan (for example, if it is turned off), Symantec AntiVirus will attempt the scan for a specific time interval.
■ Select an existing scan, and then click Edit. Change any properties that you want, and then click OK until you return to the Symantec System Center main window.
■ Select an existing scan, and then click Delete. Click OK until you return ...
Click Start Scan. Deleting files and folders that are left on computers by threats When Symantec AntiVirus deletes a file that is part of a threat category, such as adware or spyware, other files related to the threat may remain on the computer.
Click OK. Exit Regedit. To modify the client check-in interval In the Symantec System Center console, right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, check Update Virus Definitions From Parent Server.
You can assign a primary action and, in case the primary action is not possible, a secondary action for Symantec AntiVirus to take when it discovers a virus. You can assign separate actions for macro viruses and non-macro viruses.
You can assign a primary action and, in case the primary action is not possible, a secondary action for Symantec AntiVirus to take when it discovers a threat other than a virus, such as adware or spyware.
Figure 3-2 Scheduled Scan Options dialog box with Exp.
Denying or permitting users the ability to unload Symantec AntiVirus You can deny or permit users the ability to unload Symantec AntiVirus. To deny or permit users the ability to unload Symantec AntiVirus In the Symantec System Center console, right-click a server, server group, or client group, and then click All Tasks >...
Scanning for viruses and other threats Configuring scan options
To require a password before uninstalling
In the Symantec System Center console, right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Client Administrator Only Options.
By default, a user can pause a scan for one hour. You must enable this option to allow a user to pause a scan for three hours.
Click OK until the main Symantec System Center console window appears.
To allow users to stop a scan
In the Symantec System Center console, right-click a server group, server, or client group, and then click All Tasks > ...
Scanning for viruses and other threats Configuring scan options
Displaying and customizing a warning message on an infected computer
When you run a remote scan on a user’s computer, you can immediately notify the user of a problem by displaying a warning message on the infected computer’s screen.
The warning message tells you which virus was found and explains the action that was taken. Symantec AntiVirus appends this text to the top of the email message that is associated with the infected attachment: Symantec AntiVirus found a virus in an attachment from [EmailSender].
To add an infection warning to an infected email message In the Symantec System Center console, right-click a server group, Symantec AntiVirus server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on either the Lotus Notes or Microsoft Exchange tab, click Insert warning into email message.
For supported email software, you can configure Auto-Protect to notify others whenever an email message that contains an infected attachment is opened. Symantec AntiVirus sends an email message to the selected recipients with the following subject: Virus Found in message “[EmailSubject]”...
To notify others of an infected email message In the Symantec System Center console, right-click a server group, Symantec AntiVirus server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on either the Lotus Notes or Microsoft Exchange tab, click Enable Lotus Notes (Microsoft Exchange) Auto-Protect.
Symantec AntiVirus to register a false positive. Check with Symantec Technical Support if you are not sure if a file is infected. Table 3-5 describes exclusions.
Click OK until the Symantec System Center console appears. Selecting file types and extensions to scan for viruses By default, Symantec AntiVirus scans all files during a virus scan. For scans other than Auto-Protect scanning, you can select to scan only files of a specific file type or with specific extensions.
Scanning for viruses and other threats Configuring scan options When you scan by file extension, Symantec AntiVirus does not read the file header to determine the file type and scans only files with the extensions that you specify. Table 3-6 describes the recommended extensions.
Scanning for viruses and other threats Configuring scan options
Table 3-6 Recommended file extensions for scanning (the File extension column did not survive extraction; only the Description column is listed)
■ JavaScript
■ JavaScript Encoded
■ Ichitaro
■ Microsoft Access
■ Microsoft Project
■ Microsoft Office 2000
■ Microsoft Office binder
■ Microsoft Office binder
■ Microsoft object linking and embedding custom control
■ Overlay
■ Program information file
■ PERL program source code (UNIX)
■ Use Defaults: Add all extensions and program types.
Click OK until the Symantec System Center console appears.
To select files to scan by program type
In the Scan Options dialog box for the scan that you want to configure, click the appropriate Selected button.
Tree view icons (Icon / Description; the icon images did not survive extraction)
■ Symantec AntiVirus will scan all of the files in this folder and also all of the files in subfolders.
■ Symantec AntiVirus will scan one or more items that you’ve selected in the folder or one of the subfolders.
Enable expanded threat scanning and exclude threat categories if necessary By default, Symantec AntiVirus does not scan for threats other than viruses and blended threats. You must enable expanded threat scanning. You can also exclude an expanded threat category for which you don’t want Symantec AntiVirus to scan.
Scanning for viruses and other threats Configuring scan options
To exclude an expanded threat category from scanning
In the Symantec System Center console, do one of the following:
■ Right-click a server or client computer.
■ Select one or more servers that are in the same server group, and then ...
Performance and disk space issues arise during scans if Symantec AntiVirus opens all of the stubs and the HSM system places the files back on the original disk. Consult your HSM or backup vendor to select the appropriate settings.
This is the default Symantec AntiVirus setting because it is the most reliable for vendors that use reparse points. Consult your HSM vendor to determine if this setting is appropriate.
Storage migration options (Windows 2000 and later)
Option: Scan all files without forcing demigration (slow)
Description: Symantec AntiVirus copies a file from secondary storage to the local hard drive as a temp file for scanning, but the HSM application leaves the original file on the secondary storage.
Configuring scan options Setting CPU utilization For scheduled and manual scans, Symantec AntiVirus allows you to control the scan’s CPU priority. Giving a scan a lower priority means that the scan will take longer to complete, but also frees the CPU to work on other tasks. You may want to set a lower priority in some situations.
Virus definitions files contain sample code for thousands of threats. When Symantec AntiVirus scans for threats, it attempts to find matches between your files and sample code that is inside of the virus definitions files. If Symantec AntiVirus finds a match, the file may be infected.
A push operation starts when new virus definitions are received via the Symantec FTP site or LiveUpdate server by a primary server on your network. The ...
Use the Virus Definition Transport Method when you want to control virus definitions files updates from the Symantec System Center.
LiveUpdate. These installations do not permit direct access to the Symantec site by a large number of servers and clients. One or more servers act as an internal LiveUpdate server to all of the other servers on the network, and in some installations, to all clients.
Click Yes in the confirmation dialog box. Click OK in the status dialog box. To update servers manually In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
Click Update Now. A message appears with information about how you can view the date of the new virus definitions file. Read the information that appears, and then click OK until the Symantec System Center console reappears. To update servers automatically In the Symantec System Center console, right-click a server or server group, and then click All Tasks >...
Click OK until you return to the Symantec System Center main window.
Updating NetWare servers using the Virus Definition...
Updating virus definitions files Updating virus definitions files on Symantec AntiVirus servers
To update NetWare servers without TCP/IP
◆ Temporarily move the NetWare server into a server group that has a Windows NT server that is running the IPX protocol.
Configure primary server 2 to retrieve the latest update from primary server 1. This makes primary server 1 a master primary server. Symantec AntiVirus servers in server group B receive updates from their primary server. Clients automatically receive updates from their Symantec AntiVirus servers.
(Figure labels: East region, West region.)
Server group primary servers on separate WANs retrieve the update from the Symantec FTP site or LiveUpdate server. Primary servers distribute the update to primary servers in other server groups in their local networks. The primary...
Update Symantec AntiVirus servers directly from the Symantec FTP site or LiveUpdate server You can update all of the Symantec AntiVirus servers in a server group from a primary server, or update each server in the group individually. To update primary servers In the Symantec System Center console, right-click a server group, and then click All Tasks >...
Virus Definition Manager dialog box to manually and automatically update the virus definitions files on that server. If you use a computer that does not run Symantec AntiVirus as an internal LiveUpdate server, use the LiveUpdate Administration Utility to update the virus definitions on that server.
FTP servers, type the logon name and password for the FTP server and directory that will be accessed. Click OK until you return to the Symantec System Center main window. Specifying multiple internal LiveUpdate servers for failover support To compensate for unavailable internal LiveUpdate servers, Symantec...
Download Intelligent Updater from the Symantec Web site, and then install Intelligent Updater to servers with the latest virus definitions files. Note: Make sure to use Intelligent Updater files for Symantec AntiVirus rather than the consumer version of the product.
Minimize network traffic and handle missed updates You can set separate randomization schedules for Symantec AntiVirus servers and clients on your network to minimize the impact on network traffic. You can specify separate policies for handling missed LiveUpdate events for...
Updating virus definitions files Updating virus definitions files on Symantec AntiVirus servers To randomize the LiveUpdate schedule for servers In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
For example, you might want a weekly LiveUpdate event to run only if it is within three days after the scheduled time for the missed event. Click OK until you return to the Symantec System Center main window. To handle missed LiveUpdate events for clients In the Symantec System Center console, right-click a server or server group, and then click All Tasks >...
64-bit computers. To update clients using the Virus Definition Transport Method In the Symantec System Center console, right-click a server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, check Update Virus Definitions From Parent Server.
Click Settings. In the Update Settings dialog box, set the frequency with which the parent server will push updates. Click OK until you return to the Symantec System Center main window. Updating virus definitions files on Symantec AntiVirus clients immediately You can force clients to update virus definitions files immediately using LiveUpdate.
To update one or more clients immediately with LiveUpdate In the Symantec System Center console, right-click one or more clients in the right pane, and then click All Tasks > Symantec AntiVirus > Update Virus Defs Now. If you selected more than the administrator-specified number of clients, in the confirmation dialog box, select one of the following: ■...
■ HTTP
Click OK until you return to the Symantec System Center main window. If you are using multiple parent servers, repeat steps 1–6 for each parent server so that all Symantec AntiVirus clients and servers receive the changes. You can also configure LiveUpdate for an entire group by right-clicking the server group.
Updating virus definitions files Updating virus definitions files on Symantec AntiVirus clients
To enable Continuous LiveUpdate by changing registry values
Using Regedit, navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\PatternManager
Add EnableAdminForcedLU as a new DWORD. Set the value of the DWORD to one of the following values:
■ 1: Enable
...
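Because the registry value above is what actually governs Continuous LiveUpdate, an administrator will usually want to verify it across managed clients rather than trust that a Regedit change stuck. The following PowerShell function is an added audit example, not code from the Symantec guide: it reads the key at the path the guide names and reports whether EnableAdminForcedLU is set to 1. The guide only states the meaning of value 1 (Enable), so any other value is reported verbatim without interpretation; the default key path is the one given above and can be overridden for testing.

```powershell
# Added audit example (not from the Symantec AntiVirus guide): report the state of
# the Continuous LiveUpdate registry value described in the text above.
function Get-ContinuousLiveUpdateState {
    [CmdletBinding()]
    param(
        # Key path taken from the guide; override for testing or relocated installs.
        [string]$KeyPath = 'HKLM:\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\PatternManager',
        [string]$ValueName = 'EnableAdminForcedLU'
    )

    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        KeyPath      = $KeyPath
        ValueName    = $ValueName
        Value        = $null
        State        = 'KeyMissing'
    }

    # Distinguish "key absent" (product not installed or relocated) from "value absent".
    if (-not (Test-Path -Path $KeyPath)) { return $result }

    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains $ValueName)) {
        $result.State = 'ValueMissing'
        return $result
    }

    $result.Value = [int]$props.$ValueName
    # Only value 1 (Enable) is documented on the page; anything else is reported as-is.
    $result.State = if ($result.Value -eq 1) { 'Enabled' } else { "Other($($result.Value))" }
    return $result
}

# Usage: run locally on a client; for a fleet, wrap the call in Invoke-Command
# against your approved host list and collect the returned objects.
Get-ContinuousLiveUpdateState | Format-List
```

Returning an object rather than printing text keeps the check composable: the same function can feed Export-Csv for a fleet report or a simple Where-Object filter for clients whose State is not Enabled.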
Allow Client To Manually Launch LiveUpdate is unchecked, LiveUpdate can run on the client at any time. Controlling virus definitions files The Symantec System Center console provides a set of tools for controlling the deployment of virus definitions files on your network. Use these tools to do the following: Verify the dates of virus definitions files on servers.
The Symantec System Center displays a warning icon if a virus definitions file is out-of-date on one or more computers that are managed by a parent server, server group, or client group.
Note: When you roll back virus definitions files, virus definitions that are newer than those in the rolled back version are deleted. To roll back virus definitions files In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
■ At Company A, the administrator downloads the new virus definitions file from the Symantec FTP site or Symantec LiveUpdate server to a primary server on the test network. He tests the virus definitions file. When testing is completed, he copies the virus definitions file to the master primary server on his production network.
Updating virus definitions files About scanning after updating virus definitions files...
Responding to virus outbreaks requires preparing before an outbreak occurs, and having a strategy in place for handling an outbreak should one occur. In addition to installing Symantec AntiVirus on the servers and workstations in your network, preparing for a virus outbreak consists of the following tasks: Creating and reviewing a virus outbreak plan.
■ Use the Central Quarantine Console to track infected computers on your network, and submit suspicious file samples to Symantec Security Response for analysis and cure.
Preparing for a virus outbreak
To prepare for a virus outbreak, you should create a virus outbreak plan and define actions for handling suspicious files.
Understand security solutions. In addition to understanding your network topology, you need to understand your implementation of Symantec AntiVirus as well as the implementation of any other security products that are used on your network. Consider the following questions:
■ What security programs are protecting network ...
Guide. Automatically purging suspicious files from local Quarantines When Symantec AntiVirus scans a suspicious file, it places the file in the local Quarantine folder on the affected computer. The Quarantine purge feature automatically deletes files in the Quarantine that exceed a specified age.
RepairedItemPurgeFrequency: Sets the frequency value for purging repaired files: 0=Days, 1=Months, 2=Years
Handling a virus outbreak on your network
Symantec AntiVirus provides the following tools for handling a virus outbreak on your network:
■ Alerts: Sends AMS and built-in alerts ...
Responding to virus outbreaks Handling a virus outbreak on your network
Using virus alerts and messages
You can use alerts and messages to learn about suspicious files that Symantec AntiVirus discovers on your network. Symantec AntiVirus offers the following notification mechanisms:
■ : If configured, Symantec AntiVirus clients can send threat events to ...
To run a virus sweep In the Symantec System Center console, right-click the network, a server group, or a server, and then click All Tasks > Symantec AntiVirus > Start Virus Sweep. In the Name box, type a name for the sweep.
Responding to virus outbreaks Handling a virus outbreak on your network...
Chapter Managing roaming clients
This chapter includes the following topics:
■ About roaming clients
■ Roaming client components
■ How roaming works
■ Implementing roaming
■ Command-line options
■ Registry values
About roaming clients
A roaming client can do the following:
■ Automatically identify its best parent server, based on speed and proximity, ...
Administrators enable roaming on the computers before they are sent to branch offices. This entails specifying all of the possible roam servers for the new computers. When end users connect the new computers to the network, Symantec AntiVirus automatically assigns the best parent server. Roaming client components Table 6-1 lists roaming client components.
After you roll out this data, roaming clients work in the following manner:
■ SavRoam.exe launches on the Symantec AntiVirus client during startup, and selects the best Symantec AntiVirus server, based on registry values and server feedback.
■ The selected server provides the client with a list of servers at the next level ...
Figure 6-1 illustrates a map of an enterprise network that spans three continents. While this organization has more Symantec AntiVirus servers than appear in the map, only the mapped servers are identified as regional pointer servers.
The only limit to the number of levels that you can define is the text file size limit of 512 characters.
Creating a list of level 0 Symantec AntiVirus servers
You can create the clients’ server list text file using a text editor such as Notepad.
In the Symantec System Center console, right-click the server group, Symantec AntiVirus servers, client group, or Symantec AntiVirus clients that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Roaming Options. If you select a server group, the Symantec System Center will configure all...
Managing roaming clients Implementing roaming
Symantec System Center will configure all of the clients that are in the client group. In the Client Roaming Options dialog box, do the following:
■ Enable roaming on clients on which the Symantec AntiVirus roam ...
Configuring additional roaming on each roaming client
You can configure additional roaming on Symantec AntiVirus clients by setting the required values in a configurations file (Grc.dat), or by directly editing each roaming client’s registry using Regedit. Type the registry values under the...
ProductControl\RoamManagingAlert: List of Alert servers to check for proximity. Level0
For information on using the configurations file, see the Symantec AntiVirus Reference Guide.
Configuring additional roaming client support for roam servers
To configure a Symantec AntiVirus server for additional roaming options, you...
Managing roaming clients Implementing roaming
Enable roaming and roll out the hierarchical list of servers
Enabling roaming requires adding a value to the registry of each roam server, and rolling out server list data. When you run RoamAdmn, it communicates with each server named at the beginning of each line in the hierarchical list of servers.
Configuring additional server types for roaming clients
In addition to parent, load balancing, and failover servers that you can configure from the Symantec System Center console, you can specify the following server types in the registry:
■ Central Quarantine Server (this must also have Symantec AntiVirus server ...
Managing roaming clients Command-line options
You must have local Administrator rights to use command-line options.
Table 6-4 Command-line options (Option / Description)
■ (option name did not survive extraction): Displays a list of the options with descriptions of their usages.
■ /import <server list>: Sets up client or server registry keys. When you use RoamAdmn.exe, you can import the server list to remote servers.
Managing roaming clients Registry values
Table 6-4 Command-line options (continued)
■ /nearest_alerts: Finds and sets the nearest Alert (Alert Management System) server.
■ /check_parent: Verifies that the parent server is running.
■ /shutdown: Disconnects the client from the parent server.
■ /time-network <elapsed-time-in-seconds>: Provides the average amount of time that it takes to contact ...
GRC parent and overwrites the parent copy.
ParentLiveUpdateHstPath: Defines the directory beneath the SAV home directory. For example: \MyLiveUpdateHost\Liveupdt.hst. The .hst file must be placed under OSDRIVE/ProgramFiles/Symantec/LiveUpdate. The agent copies the LiveUpdate host file to this location.
About Histories and Event Logs
Histories and Event Logs offer a central view of virus and other threat activity and scanning on your network. Using the Symantec System Center, you can do the following:
■ View data at the server group, server, or individual managed workstation ...
Working with Histories and Event Logs Sorting and filtering History and Event Log data
Symantec AntiVirus provides several types of Histories and Event Logs as described in Table 7-1.
Table 7-1 History and Event Log types (Name / Description / Available for) ...
To filter History and Event Log data by date
In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Logs, and then select one of the following:
■ Event Log ...
Sorting and filtering History and Event Log data
In the Event Log dialog box, click the filter icon. In the Filter Event Log dialog box, select the events you want to display:
■ Configuration change
■ Symantec AntiVirus startup and shutdown
■ Virus definition file
■ Scan omissions
...
To view a Threat History
◆ In the Symantec System Center console, right-click a server, server group, or client, and then click All Tasks > Symantec AntiVirus > Logs > Threat History.
See “Understanding Event Log icons” on page 202.
To view the Scan History
◆ In the Symantec System Center console, right-click a server group, server, or client, and then click All Tasks > Symantec AntiVirus > Logs > Scan History.
Working with Threat Histories
In the Threat History window, icons display information about the viruses that were found.
For viruses, you can undo the last action that was taken on a file, clean a file, delete it permanently, or move the file to the Central Quarantine. For other threats, you can access a Symantec Security Response web page to learn how to handle the threat.
In the Take Action dialog box, click Quarantine. To handle a threat in an expanded threat category Double-click the file. A Symantec Security Response web page appears that describes the threat in detail and provides information about removal methods. Take the recommended actions to remove the threat.
(Action / Description)
Undo Action Taken: Symantec AntiVirus can undo the last action that was taken on an infected file, including removing a file from the Quarantine, and removing the .vbn extension from a renamed file. Symantec AntiVirus cannot restore a file that has been permanently deleted.
Working with Histories and Event Logs Viewing Histories
Work with Scan Histories
In a Scan History, you can undo the last action that was taken on a file, clean a file, delete it permanently, or move the file to the Central Quarantine. You can also export Scan History data.
The client logs are located in the following directory: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus\7.5\Logs
Symantec AntiVirus tracks a client log throughout the forwarding process and handles delivery failures by resending the log when necessary.
Configuring log forwarding options
You can edit the client log forwarding registry values using a registry editor such as Regedit or Regedt32.
10 records. There is no minimum or maximum number. Configuring log events to forward You can configure the events that you want Symantec AntiVirus to forward. Table 7-9 lists the client and server events in the order in which they appear in the Log Event Forwarding dialog box.
Client and server events (Event name / Forwarding Required / Forwarded by Default; only the Event name column survived extraction)
■ Virus definitions downloaded from parent
■ File forwarded to Quarantine Server
■ File forwarded to Symantec
■ File backed-up/restored to/from Quarantine
■ Scan aborted
■ Error loading services
■ Services loaded
■ Services unloaded
■ Client removed from parent
...
To configure events to forward from clients to their parent servers In the Symantec System Center console, right-click a server, server group, or client, and then click All Tasks > Symantec AntiVirus > Logs > Client Log Forwarding. Check the events that you want the clients to forward to their parent servers.
Histories and Event Logs that is older than a specified date. To set the delete frequency In the Symantec System Center console, right-click a server, server group, or client, and then click All Tasks > Symantec AntiVirus > Configure History.
Working with Histories and Event Logs Deleting Histories and Event Logs...