Symantec AntiVirus Corporate Edition Reference Guide

Transcription

1 Symantec AntiVirus Corporate Edition Reference Guide

2 Symantec AntiVirus Corporate Edition Reference Guide The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version 10.0 Copyright Notice Copyright 2005 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, Stevens Creek Blvd., Cupertino, CA Trademarks Symantec, the Symantec logo, LiveUpdate, and Norton AntiVirus are U.S. registered trademarks of Symantec Corporation. Norton Internet Security, Norton Personal Firewall, Symantec AntiVirus, Symantec Client Firewall, Symantec Client Security, and Symantec Security Response are trademarks of Symantec Corporation. Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged. Printed in the United States of America

3 Technical support Licensing and registration Contacting Technical Support As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group s primary role is to respond to specific questions on product feature/ function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and virus definitions updates for virus outbreaks and security alerts. Symantec technical support offerings include: A range of support options that give you the flexibility to select the right amount of service for any size organization Telephone and Web support components that provide rapid response and up-to-the-minute information Upgrade insurance that delivers automatic software upgrade protection Content Updates for virus definitions and security signatures that ensure the highest level of protection Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support Program Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using. If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at Alternatively, you may go to select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link. Customers with a current support agreement may contact the Technical Support group via phone or online at Customers with Platinum support agreements may contact Platinum Technical Support via the Platinum Web site at www-secure.symantec.com/platinum/.

4 When contacting the Technical Support group, please have the following: Product release level Hardware information Available memory, disk space, NIC information Operating system Version and patch level Network topology Router, gateway, and IP address information Problem description Error messages/log files Troubleshooting performed prior to contacting Symantec Recent software configuration changes and/or network changes Customer Service To contact Enterprise Customer Service online, go to select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues: Questions regarding product licensing or serialization Product registration updates such as address or name changes General product information (features, language availability, local dealers) Latest information on product updates and upgrades Information on upgrade insurance and maintenance contracts Information on Symantec Value License Program Advice on Symantec's technical support options Nontechnical presales questions Missing or defective CD-ROMs or manuals

5 Contents Technical support Chapter 1 Chapter 2 Chapter 3 Chapter 4 Introducing the reference guide What is in the reference guide... 7 Antivirus protection and servers About configuring Symantec AntiVirus on servers... 9 Stand-alone server configuration Managed client configuration Unmanaged client configuration File scanning on Exchange servers Directories to include Directories and files to exclude Extensions to exclude Directories to exclude when other Symantec products are installed Reset ACL tool About the Reset ACL tool Restricting registry access with the Reset ACL tool Importer tool About the Importer tool How the Importer tool works Where the Importer tool is located Importing addresses using the Importer tool Deleting entries from the address cache Advanced usage Getting Help while using the Importer tool Known problems... 24

6 6 Contents Chapter 5 Chapter 6 Chapter 7 Chapter 8 Windows services Symantec AntiVirus services Symantec System Center services Cryptography basics Overview About cryptographic keys and algorithms About one-way hashes and digital signatures About digital certificates and PKIs About SSL Event Log entries Symantec AntiVirus events How certificates are implemented How certificates establish a chain of trust How clients and servers authenticate certificates Authentication paths and methods Certificate store directories File naming conventions Server group root certificates and private keys Server certificates and private keys Login CA certificates and private keys Certificate signing requests Other certificate details Certificate and CSR counters Certificate and key file formats Server group root key archival About promoting secondary servers to primary servers About viewing certificates About preserving certificates and issue time Install a primary server and secondary server in each server group Index

7 Chapter 1 Introducing the reference guide This chapter includes the following topics: What is in the reference guide This reference guide contains technical product information for Symantec AntiVirus, including information on tools that are on the Symantec AntiVirus CD. It is intended for system administrators and others who install and maintain this product in a networked, corporate environment. What is in the reference guide Table 1-1 lists and describes the topics in this reference guide. Table 1-1 Topic Reference guide topics Description Antivirus protection and servers Reset ACL tool Importer tool This chapter provides examples of how you should implement antivirus protection on servers. Many of the configuration settings for Symantec AntiVirus are stored in the Windows registry. Reset ACL lets you restrict access to these registry settings on Windows XP/2000 operating systems to prevent unauthorized users from making changes. The Importer tool is a command-line utility specifically for use with the Symantec System Center. The Importer tool lets you import as many sets of computer names and IP addresses into a special address cache as you need. Symantec AntiVirus can then locate computers during the Discovery process in situations where the computer names cannot be resolved using WINS/DNS.

8 8 Introducing the reference guide What is in the reference guide Table 1-1 Topic Windows services Event Log entries Reference guide topics Description This chapter lists the names of services run automatically by Symantec AntiVirus and the Symantec System Center. Those names appear in the Windows Services control panel. This chapter lists the events written by Symantec AntiVirus to the Windows Event Log. Cryptography basics How certificates are implemented This chapter provides an overview of the cryptography concepts that administrators need to understand if they do not know the difference between a digital signature and a digital certificate. Administrators need this knowledge to understand how Symantec AntiVirus uses certificates. This chapter provides an overview of how Symantec AntiVirus implements digital certificates to secure communications between the Symantec System Center, servers, and clients by using SSL.

9 Chapter 2 Antivirus protection and servers This chapter includes the following topics: About configuring Symantec AntiVirus on servers File scanning on Exchange servers About configuring Symantec AntiVirus on servers Symantec AntiVirus antivirus software is a file system scanner, and is not designed to handle server functions. Products that are specifically designed to protect Microsoft Exchange, Domino, and other gateway servers handle server functions. Allowing Symantec AntiVirus to scan certain parts of a mail server can cause unexpected behavior, problems, or even total data loss. If you install Symantec AntiVirus antivirus software on an server, you need to take some precaution to prevent damage to the data on the server. One precaution that you must take is to exclude certain directories and files from scanning. How you make these exclusions depends on the following circumstances: Whether you install Symantec AntiVirus server or client on servers Whether you want to manage servers from the Symantec System Center Note: For the latest details on which directories and files to exclude from scanning, consult the Symantec Knowledge Base on the Symantec Web site.

10 10 Antivirus protection and servers About configuring Symantec AntiVirus on servers Symantec AntiVirus client software also has Auto-Protect for , which monitors the standard ports. Auto-Protect can cause performance degradation or failure if it is installed and enabled on an server. Therefore, you must disable this feature if you install the client software on an server. You can install Symantec AntiVirus software in the following configurations: Stand-alone server configuration Managed client configuration Unmanaged client configuration Stand-alone server configuration In the stand-alone server configuration, you install antivirus server software on an server, and then place the server in a separate server group that is dedicated to servers. This configuration is the preferred one because it generates the smallest exposure for error. Be sure to name the server group in a way that indicates that it contains servers. Configure the File System Auto-Protect options, Scheduled Scan options, and Manual Scan options for the server group to exclude the server software directory structure and the temporary processing directory for the server. The Symantec AntiVirus antivirus server does not include Auto-Protect options that are provided by the antivirus client, so you do not have to disable it. Configure the servers in the server group to receive virus definitions updates from the primary server by using the Virus Definition Transport Manager (VDTM). If a Symantec antivirus product for the server is also installed, disable the LiveUpdate schedule for that product. The virus definitions downloads are exactly the same. Therefore, only one application should run LiveUpdate. All installed Symantec antivirus products share the same virus definitions.

11 Antivirus protection and servers About configuring Symantec AntiVirus on servers 11 Managed client configuration In the managed client configuration, you install Symantec AntiVirus antivirus client software on an Exchange server, and then place the server in a separate client group that is dedicated to Exchange servers. Be sure to name the client group in a way that indicates that it contains Exchange servers. Configure the File System Auto-Protect options, Scheduled Scan options, and Manual Scan options for the client group to exclude the server software directory structure and the temporary processing directory for the antivirus scanner. Be sure to disable all Auto-Protect options if they are installed and enabled. Warning: If you configure Symantec AntiVirus as a client on an server, be sure to disable Auto-Protect if it is installed. This feature monitors the standard mail ports, and can cause performance degradation or failure if it is installed on servers. Configure the clients in the client group to receive virus definitions updates from the parent server by using VDTM. If a Symantec antivirus product for the server is also installed, disable the LiveUpdate schedule for that product. The virus definitions that Symantec AntiVirus and the antivirus products for servers download are exactly the same. Therefore, only one application should run LiveUpdate. All installed Symantec antivirus products share the same virus definitions. Unmanaged client configuration In the unmanaged client configuration, you install Symantec AntiVirus client software from the installation CD and execute the Setup.exe file in the SAV directory. If you use the installation files from an installed Symantec AntiVirus server or use the client rollout installers, the client will automatically retrieve configuration information from the selected parent server and become a managed client. Configure the File System Auto-Protect options, Scheduled Scan options, and Manual Scan options for the client to exclude the server software directory structure and the temporary processing directory for the antivirus scanner. Be sure to disable all Auto-Protect options if they are installed and enabled.

12 12 Antivirus protection and servers File scanning on Exchange servers Warning: If you configure Symantec AntiVirus as a client on an server, be sure to disable Auto-Protect if it is installed. This feature monitors the standard mail ports, and can cause performance degradation or failure if it is installed on mail servers. Configure the client software to use LiveUpdate to retrieve updates from Symantec on a regular schedule. If a Symantec antivirus product for the server is also installed, disable the LiveUpdate schedule for that product, and configure Symantec AntiVirus to run LiveUpdate. The virus definitions that Symantec AntiVirus and the antivirus products for servers download are exactly the same. Therefore, only one application should run LiveUpdate. All installed Symantec antivirus products share the same virus definitions. File scanning on Exchange servers Symantec AntiVirus protects the file system on an Exchange server, not the Exchange server. Products such as Symantec Mail Security for Microsoft Exchange protect Exchange servers. Certain directories must be excluded from scanning by Symantec AntiVirus to prevent problems with the Internet Mail Connector (IMC) or Information Store (IS). If Auto-Protect scans the Exchange directory structure or the Symantec Mail Security processing directory, it can cause the following: False positive virus detections Unexpected behavior on the Exchange server Damage to the Exchange databases To correctly configure file scanning, you need to understand the following information: Directories to include Directories and files to exclude Extensions to exclude Directories to exclude when other Symantec products are installed Note: For the latest details on which directories and files to exclude from scanning, consult the Symantec Knowledge Base on the Symantec Web site.

13 Antivirus protection and servers File scanning on Exchange servers 13 Directories to include You can safely include the following directories and files in scans on all versions of Microsoft Exchange Server: Exchsrvr\Address Exchsrvr\Bin Exchsrvr\Conndata Exchsrvr\Exchweb Exchsrvr\Res Exchsrvr\Schema Any additional directories that are not a part of a standard Exchange installation, and that are not included in the list of directories and files to exclude, are safe to include. Directories and files to exclude The directories and files to exclude depend on the version of Microsoft Exchange Server that you have installed. Add all listed directories and files to the exclusion lists for File System Auto-Protect, Scheduled Scans, and Manual Scans. Note: The Tmp.edb file might be in multiple locations. Search for the file, and exclude it in any found locations. You can exclude single files by using the client and server software that is installed on the Exchange server. You cannot exclude single files by using the Symantec System Center with server and client group configurations. Therefore, for all three configurations, you must exclude Tmp.edb by using the Symantec AntiVirus user interface on the Exchange server.

14 14 Antivirus protection and servers File scanning on Exchange servers Microsoft Exchange Server 5.5 Table 2-1 lists the directories and files to exclude for Microsoft Exchange Server 5.5. Table 2-1 Files to exclude for Microsoft Exchange Server 5.5 Directory and files Exchange databases Exchange MTA files Exchange temporary files Additional log files Site Replication Service (SRS) files Inbox for Internet Mail Connector Microsoft Internet Information Service (IIS) system files Outbox for Internet Mail Connector Default file location Default location: Exchsrvr\Mdbdata Default location: Exchsrvr\Mtadata Tmp.edb Default location and name: Exchsrvr\server_name.log Default location: Exchsrvr\Srsdata Default location: Exchsrvr\IMCDATA <Drive>:\Winnt\System32\Inetsrv Exchsrvr\IMCDATA\OUT director Microsoft Exchange Server 2000 Table 2-2 lists the directories and files to exclude for Microsoft Exchange Server Table 2-2 Files to exclude for Microsoft Exchange Server 2000 Directory and files The Installable File System (IFS) Exchange databases Exchange MTA files Exchange temporary files Additional log files Virtual server directory Site Replication Service (SRS) files Internet Information Service (IIS) system files Default file location Default location: Drive M Default location: Exchsrvr\Mdbdata Default location: Exchsrvr\Mtadata Tmp.edb Default location: Exchsrvr\server_name.log Default location: Exchsrvr\Mailroot Default location: Exchsrvr\Srsdata <Drive>:\Winnt\System32\Inetsrv

15 Antivirus protection and servers File scanning on Exchange servers 15 Microsoft Exchange Server 2003 Table 2-3 lists the directories and files to exclude for Microsoft Exchange Server Table 2-3 Files to exclude for Microsoft Exchange Server 2003 Directory and files Exchange databases Exchange MTA files Exchange temporary files Additional log files Virtual server directory Site Replication Service (SRS) files Internet Information Service (IIS) system files Working directory for message conversion.tmp files The temporary directory that is used with offline maintenance utilities such as Eeseutil.exe The directory that contains the checkpoint (.chk) file Default file location Default location: Exchsrvr\Mdbdata Default location: Exchsrvr\Mtadata Tmp.edb Default location: Exchsrvr\server_name.log Default location: Exchsrvr\Mailroot Default location: Exchsrvr\Srsdata Default location: Exchsrvr\Srsdata Default location: Exchsrvr\Mdbdata You can change the location of this directory. For additional information, consult the Microsoft Knowledge Base. By default, this directory is the location from which you run the executable, but you can specify where you run the file from when you run the utility. For information on the location of this file, consult the Microsoft Knowledge Base. Extensions to exclude Because certain files are not always saved in the expected locations, exclude the following file extensions on all versions of Microsoft Exchange Server:.log.edb

16 16 Antivirus protection and servers File scanning on Exchange servers Directories to exclude when other Symantec products are installed Excluding these directories is critical to product operation. Each product uses its temp directory as a processing directory. If the temp directories are not excluded from file system scanning, the antivirus programs might conflict and cause unexpected behavior, including potential data loss. Norton AntiVirus 2.x for Microsoft Exchange Exclude the following directories when you use this product: <drive>:\program Files\NAVMSE\Temp <drive>:\program Files\NAVMSE\Quarantine <drive>:\program Files\NAVMSE\Backup Symantec AntiVirus/Filtering 3.0 for Microsoft Exchange Exclude the following directories when you use this product: <drive>:\program Files\Symantec\SAVFMSE\Temp <drive>:\program Files\Symantec\SAVFMSE\Quarantine Symantec Mail Security 4.0 for Microsoft Exchange Exclude the following directories when you use this product: <drive>:\program Files\Symantec\SMSMSE\4.0\Server\Temp <drive>:\program Files\Symantec\SMSMSE\4.0\Server\Quarantine Symantec Mail Security 4.5 for Microsoft Exchange Exclude the following directories when you use this product: <drive>:\program Files\Symantec\SMSMSE\4.5\Server\Temp <drive>:\program Files\Symantec\SMSMSE\4.5\Server\Quarantine

17 Chapter 3 Reset ACL tool This chapter includes the following topics: About the Reset ACL tool Restricting registry access with the Reset ACL tool About the Reset ACL tool Reset ACL (Resetacl.exe) lets you limit access to the Symantec AntiVirus registry key on Windows XP/2000 computers. By default, these computers allow all users to modify the data stored in the registry for any application, including Symantec AntiVirus. Reset ACL removes the permissions that allow full access by all users to the following Symantec AntiVirus registry key and its subkeys: HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion Restricting registry access with the Reset ACL tool You can use the Reset ACL tool to restrict registry access. To restrict registry access with the Reset ACL tool 1 Roll out Resetacl.exe, located on the Symantec AntiVirus CD in the Tools folder, to unsecured computers. 2 Run Resetacl.exe on each of these computers. After you have run Resetacl.exe, only users with Administrator rights can change the registry key values. While the Reset ACL tool boosts security for Symantec AntiVirus on these computers, administrators should be aware that there are several trade-off considerations.

18 18 Reset ACL tool Restricting registry access with the Reset ACL tool In addition to losing access to the registry, users without Administrator rights will not be able to do the following: Start or stop the Symantec AntiVirus service. Run LiveUpdate. Schedule LiveUpdate. Configure Symantec AntiVirus. For example, users cannot set Auto-Protect or scanning options. The options associated with these operations appear dimmed in the Symantec AntiVirus interface. In addition, the user can modify scan options, but the changes are not saved in the registry or processed. The user can also save manual scan options as the default set, but the options are not written to the registry.

19 Chapter 4 Importer tool This chapter includes the following topics: About the Importer tool Importing addresses using the Importer tool Deleting entries from the address cache Advanced usage Getting Help while using the Importer tool About the Importer tool The Importer tool (Importer.exe) identifies computers in a non-wins environment to the Symantec System Center console. This lets Symantec AntiVirus locate computers during the network discovery process, when the names cannot be browsed using WINS/DNS. It is a command-line utility. In addition to importing the paired names and IP addresses of computers located in non-wins environments, you can add any other computer name and IP address pairing to the text file so that the computer is discovered in the future. For example, you may want to add the name and address of a computer that has not been discovered successfully for an unknown reason. Note: In most cases, you should not need the Importer tool. The Find Computer feature of the Symantec System Center can usually find and identify Symantec AntiVirus servers on the network by means of address caching and the normal Discovery process.

20 20 Importer tool Importing addresses using the Importer tool How the Importer tool works The Importer tool runs on any computer on which the Symantec System Center is installed. You can use it to import pairs of computer names and IP addresses from a text file into the address cache registry entries used by the Symantec System Center. Once the computer name and address pairs are imported, entries are created in the registry under the following key: HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\ CurrentVersion\AddressCache You must run a Local Discovery or Intense Discovery after importing the data file. The Discovery queries the addresses of the computers. The computers running the Symantec AntiVirus server are added to the Discovery Service in memory and have complete entries created in the registry. The Discovery Service can then find the computers each time that the Discovery Service is run. Where the Importer tool is located The Importer tool consists of a single file, Importer.exe. Importer.exe is located on the Symantec AntiVirus CD in the Tools folder. You can copy Importer.exe to any folder on a computer on which the Symantec System Center is installed, and then run it. Importing addresses using the Importer tool To import addresses to the address cache, you must be logged on with Administrator rights. This is necessary so that you have write access to HKEY_LOCAL_MACHINE. Import addresses using the Importer tool To import addresses using the Importer tool, you must complete the following tasks: Create a data file containing paired computer names and IP addresses. Run the Importer tool. Note: You must run the Importer tool from a command prompt. Run the Discovery Service.

21 Importer tool Deleting entries from the address cache 21 To create a data file 1 Create a new file with a text editor such as Notepad. 2 Type the data in the following format: <server name><comma><ip address><linefeed> Avoid typing incorrect IP addresses for servers. No validation is performed to determine if two servers have the same IP address in the Importer text file. 3 Save the file. For example, a data file named Computers.txt might look as follows: Computer 1, Computer 2, Computer 3, Computer 4, Computer 5, Computer 6, Note: You can type a semicolon or colon to the left of an address to comment it out. For example, if you know that a network segment is down, you can comment out associated subnet addresses. To run the Importer tool 1 At the command-line prompt, type the following command: <fullpath> importer <filename> where <fullpath> represents the full path to the Importer and <filename> represents the full path of the import file, such as C:\Computers\Computers.txt 2 Press Enter. Deleting entries from the address cache Data imported from the data file does not overwrite information that is already stored in the address cache. If you have data that should be overwritten, such as an incorrect computer address, clear the cache before running the Importer. Note: After importing the contents of the data file, do not click Clear Cache Now. Doing so deletes the contents of the address cache, including the imported data.

22 22 Importer tool Advanced usage Advanced usage To delete entries from the address cache 1 In the Symantec System Center console, on the Tools menu, click Discovery Service. 2 Under Cache Information, click Clear Cache Now. Once you run Discovery after the data import, the correct data is available for future discovery sessions. The command line takes four parameters: Import file path First delimiter Second delimiter Order (1 = computer name/ip address, 2 = IP address/computer name; the default is 1) Note: The second delimiter needs to be a single character only. For example, the ampersand cannot be used because the user would have to enter the following: & For example, an import file named Machines.txt, in C:\MACHINES, could read as follows: /Server /Server /Server 3 The above example is in IP address/computer name order (2). The first parameter is a slash (/) and the second is a linefeed. The corresponding syntax for the command line would be: importer C:\MACHINES\Machines.txt / LF 2 After the computer name and IP address pairs are imported, entries are created in the registry under the following key: HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\ CurrentVersion\AddressCache You must run a local or intense discovery after importing the data file. The discovery queries the computer IP addresses. The computers running Symantec AntiVirus are added to the Discovery Service in memory and have complete

23 Importer tool Getting Help while using the Importer tool 23 entries created in the registry. The Discovery Service can then find the computers each time that the Discovery Service is run. Getting Help while using the Importer tool You can access Help on Importer switch and syntax information. To get Help while using the Importer tool 1 At the command line, type the following: Importer 2 Press Enter. The Importer tool displays the following Help information: Simple Usage : IMPORTER <filename> <filename> : full path of import file File format : <server name><comma><ip address><linefeed> Example File : Server 1, Server 2, Server 3, press "a" for advanced usage When "a" is pressed for advanced usage, the following help will be displayed: Advanced Usage: IMPORTER <filename> <delimiter 1> <delimiter 2> <order> <filename> : full path of import file <delimiter 1> : separator between first and second item in pair <delimiter 2> : separator between pairs NOTE: for carriage return/linefeed delimiters, use LF for space delimiters, use SP for comma, use, <order> : order of computer name/ip address pairs 1 = computer name/ip address order 2 = ip address/computer name order EXAMPLE - File contents : /Server /Server /Server 3 Command line : IMPORTER C:\MyFolder\MyFile.txt / LF 2

24 24 Importer tool Getting Help while using the Importer tool Known problems Importer depends on the HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\ CurrentVersion\AddressCache key used by the Symantec System Center. If this key is not present, an error message appears. The Importer modifies the AddressCache key under HKLM, so the user needs local administrator rights. The Importer tool aids in the discovery process of the Symantec System Center. The Importer determines whether the Symantec System Center is present on the local computer. If not, an error message appears. After an import, the computer names paired with their IP addresses in the registry are not complete. They show only the computer under the Address_0 and Protocol dword values. A discovery must be run to complete the process (using the Run Discovery Now button in the Discovery Service Properties dialog box). Do not click the Clear Cache Now option in the Discovery Service Properties dialog box. This deletes the contents of the address cache, including the imported data. The Importer cannot assist in locating computers during the installation process. Note: When you are pushing the Symantec AntiVirus client and server to remote computers, an Import option appears in the Select Computer dialog box. Do not confuse this Import option with the Import option on the ClientRemote Install and AV Server Rollout installation screens. The Importer does not overwrite existing IP addresses in the address cache; this is an intended design feature. However, there is a possibility that an incorrect IP address may exist in the cache. In such a case, the Importer cannot correct it.

25 Chapter 5 Windows services This chapter includes the following topics: Symantec AntiVirus services Symantec System Center services Symantec AntiVirus services Table 5-1 lists the names and descriptions for Symantec AntiVirus server services. These appear in the Windows Services control panel. Table 5-1 Symantec AntiVirus server services Service name Binary name Description Common client application Common client event manager Common client settings manager ccapp.exe CcEvtMgr.exe CcSetMgr.exe Primary client application service that is also used by Auto-Protect for file systems and . Service that is used to scan POP3 messages. Service that is used to store encrypted settings. Defwatch Defwatch.exe Service that watches for newly arriving virus definitions. Launches a scan of the files in Quarantine when the new virus definitions arrive. Temper Protection SPBBCSvc.exe Service that protects Symantec proccesses.

26 26 Windows services Symantec AntiVirus services Table 5-1 Symantec AntiVirus server services Service name Binary name Description Intel PDS Pds.exe Ping Discovery Service. Allows Discovery of Symantec AntiVirus on this computer to occur. Applications register with this service, along with an APP ID, and a pong packet to return in response to ping requests. Symantec AntiVirus Server Rtvscan.exe Main Symantec AntiVirus service. Most Symantec AntiVirus serverrelated tasks are performed in this service. Virus protection tray icon VPtray.exe Service that provides the system tray icon. Table 5-2 lists the names and descriptions for Symantec AntiVirus client services. These appear in the Windows Services control panel. Table 5-2 Symantec AntiVirus client services Service name Binary name Description Common client application Common client event manager Common client password service Common client settings manager Configuration Wizard service ccapp.exe CcEvtMgr.exe CcPwdSvc.exe CcSetMgr.exe CfgWzSvc.exe Primary client application service that is also used by Auto-Protect for file systems and . Service that is used to scan POP3 messages. Service that is used to scan client password service POP3 messages. Service that is used to store encrypted settings. This service appears in the Windows Task Manager Processes when an installation fails. The service normally deletes itself after the Symantec AntiVirus Configuration Wizard runs.

27 Windows services Symantec AntiVirus services 27 Table 5-2 Symantec AntiVirus client services Service name Binary name Description Defwatch Defwatch.exe Service that watches for newly arriving virus definitions. Launches a scan of the files in Quarantine when the new virus definitions arrive. Temper Protection SPBBCSvc.exe Service that protects Symantec proccesses. Symantec AntiVirus Client Rtvscan.exe One of the main Symantec AntiVirus virus scanning services. Most Symantec AntiVirus clientrelated tasks are performed in this service. Client roaming service Savroam.exe Provides roaming server data to roaming clients. Common client Symantec Network Drivers Virus protection for 32-bit operating systems SNDSrvc.exe VPC32.exe Symantec Network Drivers. One of the main Symantec AntiVirus services. Virus protection tray icon VPtray.exe Service that provides the system tray icon.

28 28 Windows services Symantec System Center services Symantec System Center services Table 5-3 lists the names and descriptions for Symantec System Center services. These appear in the Windows Services control panel. Table 5-3 Symantec System Center services Service name Binary name Description Symantec System Center Discovery Service Nsctop.exe Discovery Service used to find Symantec AntiVirus servers on the network. The Discovery Service also populates the console with objects. Table 5-4 lists the names and descriptions for Alert Management System 2 services. These appear in the Windows Services control panel. Table 5-4 Alert Management System 2 services Service name Binary name Description Intel Alert Handler Hndlrsvc.exe AMS 2 Alert Handler service. Provides alerting actions such as message boxes, pages, s, and so on. Intel Alert Originator Iao.exe AMS 2 Alert Originator service. Lets alerts be received on this computer. Alerts can be received from either the local computer (in the case of a primary server), or from a remote computer (in the case of unmanaged clients using a centralized AMS 2 server). Intel File Transfer Xfr.exe File transfer service. Provides file transfer capabilities to AMS 2. Intel PDS Pds.exe Ping Discovery Service. Allows Discovery of Symantec AntiVirus on this computer to occur. Applications register with this service, along with an APP ID, and a pong packet to return in response to ping requests.

29 Chapter 6 Cryptography basics This chapter includes the following topics: Overview About cryptographic keys and algorithms About one-way hashes and digital signatures About digital certificates and PKIs About SSL Overview Symantec AntiVirus communications use the Secure Sockets Layer (SSL) protocol, which Netscape created to conduct secure transactions between Web servers and clients. Most online transactions that involve money moving across the Internet use SSL. SSL uses a Public Key Infrastructure (PKI), digital certificates, and cryptography. For administrative purposes, you might need to understand how SSL uses certificates because you might need to manage or create certificates. To understand what a certificate is and how it is used, you need to understand the basics of cryptography as it is used in SSL.

30 30 Cryptography basics About cryptographic keys and algorithms About cryptographic keys and algorithms In its simplest form, a cryptographic key is a secret code that a cryptographic algorithm (instruction sequence) uses to encrypt and decrypt messages. This algorithm might be nothing more than transposing one alphabetic letter with another. The key in this algorithm is knowing which letter is transposed with another. For example, you might transpose the letter A with B, the letter B with C, and so on. More complicated algorithms and keys might break a message into a series of groups, each of which has the same number of letters. The algorithm assigns each group a unique key that rearranges the numbered sequence. For example, in the first group the first letter is transposed to the third letter, the second letter is transposed to the first letter, and the third letter is transposed to the second letter. To decrypt the message, you need the algorithm and the key for each group. These examples illustrate a symmetric algorithm and key where the same key is used to encrypt and decrypt messages. For security reasons, you keep this key hidden and private, and you distribute this key only to the intended receiver. Asymmetric keys and algorithms are also used in cryptography when two different keys are used to encrypt and decrypt messages. One key is called a private key that you keep hidden, and one key is called a public key that you distribute to anyone who wants to send you encrypted messages or read your encrypted messages. Your private key decrypts messages that are encrypted with your public key, and your public key decrypts messages that are encrypted with your private key. One public and private key is called a key pair. If you distribute your public key to all of your friends, or if you place your public key where all of your friends can retrieve it, you can encrypt a message and send it to all of your friends. Your friends obtain your public key and decrypt the message. They know with certainty that the message came from you because only your private key can encrypt the message and only you possess this key. If one of your friends wants to send a message to you that only you can read, that person encrypts the message with your public key, sends you the message, and only you can decrypt the message because you have not given your private key to anyone else. If someone else intercepts the message, that person cannot decrypt the message without possessing your private key. These concepts form the foundation for understanding how SSL works. Modern symmetric-key algorithms include Triple-DES, RC5, and the current NIST standard of Advanced Encryption Standard (AES). Modern implementations of asymmetric-key algorithms include RSA, ECC, and El Gamal.

31 Cryptography basics About one-way hashes and digital signatures 31 About one-way hashes and digital signatures A one-way hash is an algorithm that takes the contents of a variable-length computer file (message) and produces a fixed-length value. This fixed-length value has at least three names: hash, hash value, and message digest. If you change one bit in the computer file and then rerun the hashing algorithm on the file, the second value differs from the first value. For example, suppose that you create an unencrypted file that contains the name of a one-way hashing algorithm, generate a hash value for the file, and send the file to a friend along with the hash value. Upon receipt, your friend reads the file, notices the name of the hashing algorithm, uses this algorithm to generate a hash value on the same file, and compares the values. If the values match, your friend knows with certainty that the file contents have not been altered or tampered with. If the values do not match, your friend knows that the file contents have been altered and does not trust the information in the file. If you want your friend to know with certainty that the unencrypted message came from you, you encrypt the hash value by using your private key. Upon receipt, your friend decrypts the hash value by using your public key. If decryption is successful, your friend knows with certainty that the message came from you because only you possess your private key. To verify the integrity of the file, your friend then recalculates the hash value and compares it to the value that you sent with the message. A hash value that is encrypted with a private key is called a digital signature. The digital part of the term implies 1s and 0s. The signature part of the term implies the uniqueness of a fingerprint, and the identity of the person who encrypted the hash value is known with certainty. The act of encrypting a hash value with a private key is called signing. These concepts form the foundation for understanding how SSL uses digital certificates. Modern implementations of one-way hashing algorithms include MD4, MD5, and SHA.

32 32 Cryptography basics About digital certificates and PKIs About digital certificates and PKIs A digital certificate is a file that contains the following: A public key Identifying information about the claimed owner of the certificate A one-way hash that is encrypted with the claimed owner s private key (digital signature) Other information such as the name of the one-way hashing algorithm and the asymmetric encryption strength Root Certificate Authorities (CAs) provide digital certificates to people who request and pay for certificates. Root CAs can create and sign certificates that allow other CAs to create certificates as well, which forms a hierarchy of CAs. The root CA is always at the top of the hierarchy, and the root CA always signs its own certificate, which is called a self-signed certificate. Two root CAs that are widely used across the Internet are VeriSign and Entrust. Figure 6-1 illustrates the type of digital certificate that Symantec AntiVirus uses, which is based on the X.509v3 standard. This certificate is a self-signed server group root certificate.

33 Cryptography basics About digital certificates and PKIs 33 Figure 6-1 Digital certificate example Certificate: Data: Version: 3 (0x2) Serial Number: 0 (0x0) Signature Algorithm: sha1withrsaencryption // Hashing and asymmetric algorithms Issuer: OU=Server Group Root CA, CN= c2aa91e4abb4e6c9d527eb762 Validity Not Before: Nov 20 05:47: GMT Not After: Nov 20 05:47: GMT Subject: Subject: OU=Server Group Root CA, CN= c2aa91e4abb4e6c9d527eb762 Subject Public Key Info: Public Key Algorithm: rsaencryption RSA Public Key: (1024 bit) Modulus (1024 bit): // Public key that is used for decryption and encryption 00:ba:54:2c:ab:88:74:aa:6b:35:a5:a9:c1:d0:5a: 9c:fb:6b:b5:71:bc:ef:d3:ab:15:cc:5b:75:73:36: b8:01:d1:59:3f:c1:88:c0:33:91:04:f1:bf:1a:b4: 7b:c8:39:c2:89:1f:87:0f:91:19:81:09:46:0c:86: 08:d8:75:c4:6f:5a:98:4a:f9:f8:f7:38:24:fc:bd: 99:24:37:ab:f1:1c:d8:91:ee:fb:1b:9f:88:ba:25: da:f6:21:7f:04:32:35:17:3d:36:1c:fb:b7:32:9e: 42:af:77:b6:25:1c:59:69:af:be:00:a1:f8:b0:1a: 6c:14:e2:ae:62:e7:6b:30:e9 Exponent: (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE, pathlen:1 X509v3 Key Usage: Certificate Sign, CRL Sign X509v3 Subject Key Identifier: FE:04:46:ED:A0:15:BE:C1:4B:59:03:F8:2D:0D:ED:2A:E0:ED:F9:2F X509v3 Authority Key Identifier: keyid:e6:12:7c:3d:a1:02:e5:ba:1f:da:9e:37:be:e3:45:3e:9b:ae:e5:a6 Signature Algorithm: sha1withrsaencryption 34:8d:fb:65:0b:85:5b:e2:44:09:f0:55:31:3b:29:2b:f4:fd: aa:5f:db:b8:11:1a:c6:ab:33:67:59:c1:04:de:34:df:08:57: 2e:c6:60:dc:f7:d4:e2:f1:73:97:57:23:50:02:63:fc:78:96: 34:b3:ca:c4:1b:c5:4c:c8:16:69:bb:9c:4a:7e:00:19:48:62: e2:51:ab:3a:fa:fd:88:cd:e0:9d:ef:67:50:da:fe:4b:13:c5: 0c:8c:fc:ad:6e:b5:ee:40:e3:fd:34:10:9f:ad:34:bd:db:06: ed:09:3d:f2:a6:81:22:63:16:dc:ae:33:0c:70:fd:0a:6c:af: bc:5a -----BEGIN CERTIFICATE----- // Certificate in encoded format MIIDoTCCAwqgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBiTELMAkGA1UEBhMCRkox DTALBgNVBAgTBEZpamkxDTALBgNVBAcTBFN1dmExDjAMBgNVBAoTBVNPUEFDMQww CgYDVQQLEwNJQ1QxFjAUBgNVBAMTDVNPUEFDIFJvb3QgQ0ExJjAkBgkqhkiG9w0B CQEWF2FkbWluaXN0cmF0b3JAc29wYWMub3JnMB4XDTAxMTEyMDA1NDc0NFoXDTAy MTEyMDA1NDc0NFowgYkxCzAJBgNVBAYTAkZKMQ0wCwYDVQQIEwRGaWppMQ0wCwYD VQQHEwRTdXZhMQ4wDAYDVQQKEwVTT1BBQzEMMAoGA1UECxMDSUNUMRYwFAYDVQQD Ew13d3cuc29wYWMub3JnMSYwJAYJKoZIhvcNAQkBFhdhZG1pbmlzdHJhdG9yQHNv cgfjlm9yzzcbnzanbgkqhkig9w0baqefaaobjqawgykcgyeaulqsq4h0qms1panb 0Fqb+2u1cbzv06sVzFt1cza4AdFZP8GIwDORBPG/GrR6yDnCiR+HD5EZgQlGDIYI 2HXEb1qYSvn49zgk/L2UJDer8RzYke77G5+IuiXa9iF/BDI1Fz02HPu3Mp5Cr3e2 JRxZaa++AKH4sBpsFOKuYudrMOkCAwEAAaOCARUwggERMAkGA1UdEwQCMAAwLAYJ YIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1Ud DgQWBBT+BEbtoBW+wUtZA/gtDe0q4O35LzCBtgYDVR0jBIGuMIGrgBTmEnw9oQLl -----END CERTIFICATE-----

34 34 Cryptography basics About digital certificates and PKIs When a person or corporation wants a certificate to use in a Public Key Infrastructure (PKI) that is used across the Internet, that person (John, for example) completes a Certificate Signing Request (CSR), which contains identifying information such as a phone number, address, and so forth. In some implementations, John can generate a private and public key pair, and include the public key with the request. In other implementations, John can request that the CA create the private and public key pair, and return the private key securely. John sends the CSR to a Registration Authority (RA). The RA confirms the person s identity, and then the RA sends the CSR to a CA. The CA creates a digital certificate, defines a time over which the certificate is valid, adds John s personal information, inserts John s public key, digitally signs the certificate with the CA s private key, and then sends the certificate to John along with John s private key if the CA created the private key. The CA is now responsible for managing the certificate for John for as long as it is valid. To verify that the CA created the certificate, people can decrypt the digital signature by using the CA s public key. Now, if John wants to send a message to Mary and wants Mary to know that the message actually came from him, John creates his message, creates a one-way hash of the message, digitally signs the hash with his private key, and sends the message along with his digital certificate to Mary. Before Mary reads the message, she sends a request to the CA to validate John s certificate. Certificates can be revoked for a variety of reasons, one of which is that John lost his private key, it became public and was distributed in Internet chat rooms, and John sent a request to the CA to put his key on the Certificate Revocation List (CRL), which lists invalid certificates. The CA checks its database to see if the certificate is John s and has not expired, and then checks the CRL to see if his certificate has been revoked. If the certificate is not on the CRL and has not expired, the CA responds to Mary that the certificate is John s and is valid. Mary then successfully decrypts John s digital signature by using John s public key, and knows that John s message has not been altered in transit, and that it came from John. For reference, Symantec AntiVirus uses an internal root CA (external CAs include Entrust and VeriSign), and the primary server in each server group performs root CA activities. The primary server creates a self-signed certificate that serves as the highest level of trust, and is valid for 10 years. Symantec AntiVirus does not implement an RA or CRL, but does use CSRs. Finally, Symantec AntiVirus implements these components to support SSL, which secures communications between clients, servers, and the Symantec System Center.