Symantec AntiVirus Corporate Edition Reference Guide


The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 10.0

Copyright Notice

Copyright 2005 Symantec Corporation. All Rights Reserved.

Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation.

NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.

No part of this publication may be copied without the express written permission of Symantec Corporation, Stevens Creek Blvd., Cupertino, CA

Trademarks

Symantec, the Symantec logo, LiveUpdate, and Norton AntiVirus are U.S. registered trademarks of Symantec Corporation. Norton Internet Security, Norton Personal Firewall, Symantec AntiVirus, Symantec Client Firewall, Symantec Client Security, and Symantec Security Response are trademarks of Symantec Corporation. Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

Printed in the United States of America

Technical support

As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group's primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and virus definitions updates for virus outbreaks and security alerts.

Symantec technical support offerings include:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and Web support components that provide rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Content Updates for virus definitions and security signatures that ensure the highest level of protection
- Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support Program
- Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support

Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using.

Licensing and registration

If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at Alternatively, you may go to select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link.

Contacting Technical Support

Customers with a current support agreement may contact the Technical Support group via phone or online at Customers with Platinum support agreements may contact Platinum Technical Support via the Platinum Web site at www-secure.symantec.com/platinum/.

When contacting the Technical Support group, please have the following:
- Product release level
- Hardware information
- Available memory, disk space, NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description
- Error messages/log files
- Troubleshooting performed prior to contacting Symantec
- Recent software configuration changes and/or network changes

Customer Service

To contact Enterprise Customer Service online, go to select the appropriate Global Site for your country, then choose Service and Support.

Customer Service is available to assist with the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information on product updates and upgrades
- Information on upgrade insurance and maintenance contracts
- Information on Symantec Value License Program
- Advice on Symantec's technical support options
- Nontechnical presales questions
- Missing or defective CD-ROMs or manuals

Contents

Technical support

Chapter 1 Introducing the reference guide
- What is in the reference guide

Chapter 2 Antivirus protection and servers
- About configuring Symantec AntiVirus on servers
- Stand-alone server configuration
- Managed client configuration
- Unmanaged client configuration
- File scanning on Exchange servers
- Directories to include
- Directories and files to exclude
- Extensions to exclude
- Directories to exclude when other Symantec products are installed

Chapter 3 Reset ACL tool
- About the Reset ACL tool
- Restricting registry access with the Reset ACL tool

Chapter 4 Importer tool
- About the Importer tool
- How the Importer tool works
- Where the Importer tool is located
- Importing addresses using the Importer tool
- Deleting entries from the address cache
- Advanced usage
- Getting Help while using the Importer tool
- Known problems

Chapters 5 to 8:

Windows services
- Symantec AntiVirus services
- Symantec System Center services

Cryptography basics
- Overview
- About cryptographic keys and algorithms
- About one-way hashes and digital signatures
- About digital certificates and PKIs
- About SSL

Event Log entries
- Symantec AntiVirus events

How certificates are implemented
- How certificates establish a chain of trust
- How clients and servers authenticate certificates
- Authentication paths and methods
- Certificate store directories
- File naming conventions
- Server group root certificates and private keys
- Server certificates and private keys
- Login CA certificates and private keys
- Certificate signing requests
- Other certificate details
- Certificate and CSR counters
- Certificate and key file formats
- Server group root key archival
- About promoting secondary servers to primary servers
- About viewing certificates
- About preserving certificates and issue time
- Install a primary server and secondary server in each server group

Index

Chapter 1 Introducing the reference guide

This chapter includes the following topics:
- What is in the reference guide

This reference guide contains technical product information for Symantec AntiVirus, including information on tools that are on the Symantec AntiVirus CD. It is intended for system administrators and others who install and maintain this product in a networked, corporate environment.

What is in the reference guide

Table 1-1 lists and describes the topics in this reference guide.

Table 1-1 Reference guide topics (topic, then description)
- Antivirus protection and servers: This chapter provides examples of how you should implement antivirus protection on servers.
- Reset ACL tool: Many of the configuration settings for Symantec AntiVirus are stored in the Windows registry. Reset ACL lets you restrict access to these registry settings on Windows XP/2000 operating systems to prevent unauthorized users from making changes.
- Importer tool: The Importer tool is a command-line utility specifically for use with the Symantec System Center. The Importer tool lets you import as many sets of computer names and IP addresses into a special address cache as you need. Symantec AntiVirus can then locate computers during the Discovery process in situations where the computer names cannot be resolved using WINS/DNS.
- Windows services: This chapter lists the names of services run automatically by Symantec AntiVirus and the Symantec System Center. Those names appear in the Windows Services control panel.
- Event Log entries: This chapter lists the events written by Symantec AntiVirus to the Windows Event Log.
- Cryptography basics: This chapter provides an overview of the cryptography concepts that administrators need to understand if they do not know the difference between a digital signature and a digital certificate. Administrators need this knowledge to understand how Symantec AntiVirus uses certificates.
- How certificates are implemented: This chapter provides an overview of how Symantec AntiVirus implements digital certificates to secure communications between the Symantec System Center, servers, and clients by using SSL.

Chapter 2 Antivirus protection and servers

This chapter includes the following topics:
- About configuring Symantec AntiVirus on servers
- File scanning on Exchange servers

About configuring Symantec AntiVirus on servers

Symantec AntiVirus antivirus software is a file system scanner, and is not designed to handle server functions. Products that are specifically designed to protect Microsoft Exchange, Domino, and other gateway servers handle server functions. Allowing Symantec AntiVirus to scan certain parts of a mail server can cause unexpected behavior, problems, or even total data loss.

If you install Symantec AntiVirus antivirus software on an email server, you need to take some precautions to prevent damage to the data on the server. One precaution that you must take is to exclude certain directories and files from scanning. How you make these exclusions depends on the following circumstances:
- Whether you install Symantec AntiVirus server or client on servers
- Whether you want to manage servers from the Symantec System Center

Note: For the latest details on which directories and files to exclude from scanning, consult the Symantec Knowledge Base on the Symantec Web site.

Symantec AntiVirus client software also has Auto-Protect for email, which monitors the standard ports. Auto-Protect can cause performance degradation or failure if it is installed and enabled on an email server. Therefore, you must disable this feature if you install the client software on an email server.

You can install Symantec AntiVirus software in the following configurations:
- Stand-alone server configuration
- Managed client configuration
- Unmanaged client configuration

Stand-alone server configuration

In the stand-alone server configuration, you install antivirus server software on an email server, and then place the server in a separate server group that is dedicated to email servers. This configuration is the preferred one because it generates the smallest exposure for error. Be sure to name the server group in a way that indicates that it contains email servers.

Configure the File System Auto-Protect options, Scheduled Scan options, and Manual Scan options for the server group to exclude the server software directory structure and the temporary processing directory for the server. The Symantec AntiVirus antivirus server does not include Auto-Protect options that are provided by the antivirus client, so you do not have to disable it.

Configure the servers in the server group to receive virus definitions updates from the primary server by using the Virus Definition Transport Manager (VDTM). If a Symantec antivirus product for the server is also installed, disable the LiveUpdate schedule for that product. The virus definitions downloads are exactly the same. Therefore, only one application should run LiveUpdate. All installed Symantec antivirus products share the same virus definitions.

Managed client configuration

In the managed client configuration, you install Symantec AntiVirus antivirus client software on an Exchange server, and then place the server in a separate client group that is dedicated to Exchange servers. Be sure to name the client group in a way that indicates that it contains Exchange servers.

Configure the File System Auto-Protect options, Scheduled Scan options, and Manual Scan options for the client group to exclude the server software directory structure and the temporary processing directory for the antivirus scanner. Be sure to disable all Auto-Protect options if they are installed and enabled.

Warning: If you configure Symantec AntiVirus as a client on an email server, be sure to disable Auto-Protect if it is installed. This feature monitors the standard mail ports, and can cause performance degradation or failure if it is installed on email servers.

Configure the clients in the client group to receive virus definitions updates from the parent server by using VDTM. If a Symantec antivirus product for the server is also installed, disable the LiveUpdate schedule for that product. The virus definitions that Symantec AntiVirus and the antivirus products for servers download are exactly the same. Therefore, only one application should run LiveUpdate. All installed Symantec antivirus products share the same virus definitions.

Unmanaged client configuration

In the unmanaged client configuration, you install Symantec AntiVirus client software from the installation CD and execute the Setup.exe file in the SAV directory. If you use the installation files from an installed Symantec AntiVirus server or use the client rollout installers, the client will automatically retrieve configuration information from the selected parent server and become a managed client.

Configure the File System Auto-Protect options, Scheduled Scan options, and Manual Scan options for the client to exclude the server software directory structure and the temporary processing directory for the antivirus scanner. Be sure to disable all Auto-Protect options if they are installed and enabled.

Warning: If you configure Symantec AntiVirus as a client on an email server, be sure to disable Auto-Protect if it is installed. This feature monitors the standard mail ports, and can cause performance degradation or failure if it is installed on mail servers.

Configure the client software to use LiveUpdate to retrieve updates from Symantec on a regular schedule. If a Symantec antivirus product for the server is also installed, disable the LiveUpdate schedule for that product, and configure Symantec AntiVirus to run LiveUpdate. The virus definitions that Symantec AntiVirus and the antivirus products for servers download are exactly the same. Therefore, only one application should run LiveUpdate. All installed Symantec antivirus products share the same virus definitions.

File scanning on Exchange servers

Symantec AntiVirus protects the file system on an Exchange server, not the Exchange server. Products such as Symantec Mail Security for Microsoft Exchange protect Exchange servers. Certain directories must be excluded from scanning by Symantec AntiVirus to prevent problems with the Internet Mail Connector (IMC) or Information Store (IS).

If Auto-Protect scans the Exchange directory structure or the Symantec Mail Security processing directory, it can cause the following:
- False positive virus detections
- Unexpected behavior on the Exchange server
- Damage to the Exchange databases

To correctly configure file scanning, you need to understand the following information:
- Directories to include
- Directories and files to exclude
- Extensions to exclude
- Directories to exclude when other Symantec products are installed

Note: For the latest details on which directories and files to exclude from scanning, consult the Symantec Knowledge Base on the Symantec Web site.

Directories to include

You can safely include the following directories and files in scans on all versions of Microsoft Exchange Server:
- Exchsrvr\Address
- Exchsrvr\Bin
- Exchsrvr\Conndata
- Exchsrvr\Exchweb
- Exchsrvr\Res
- Exchsrvr\Schema

Any additional directories that are not a part of a standard Exchange installation, and that are not included in the list of directories and files to exclude, are safe to include.

Directories and files to exclude

The directories and files to exclude depend on the version of Microsoft Exchange Server that you have installed. Add all listed directories and files to the exclusion lists for File System Auto-Protect, Scheduled Scans, and Manual Scans.

Note: The Tmp.edb file might be in multiple locations. Search for the file, and exclude it in any found locations.

You can exclude single files by using the client and server software that is installed on the Exchange server. You cannot exclude single files by using the Symantec System Center with server and client group configurations. Therefore, for all three configurations, you must exclude Tmp.edb by using the Symantec AntiVirus user interface on the Exchange server.

Microsoft Exchange Server 5.5

Table 2-1 lists the directories and files to exclude for Microsoft Exchange Server 5.5.

Table 2-1 Files to exclude for Microsoft Exchange Server 5.5 (directory and files, then default file location)
- Exchange databases. Default location: Exchsrvr\Mdbdata
- Exchange MTA files. Default location: Exchsrvr\Mtadata
- Exchange temporary files. Tmp.edb
- Additional log files. Default location and name: Exchsrvr\server_name.log
- Site Replication Service (SRS) files. Default location: Exchsrvr\Srsdata
- Inbox for Internet Mail Connector. Default location: Exchsrvr\IMCDATA
- Microsoft Internet Information Service (IIS) system files. <Drive>:\Winnt\System32\Inetsrv
- Outbox for Internet Mail Connector. Exchsrvr\IMCDATA\OUT director

Microsoft Exchange Server 2000

Table 2-2 lists the directories and files to exclude for Microsoft Exchange Server 2000.

Table 2-2 Files to exclude for Microsoft Exchange Server 2000 (directory and files, then default file location)
- The Installable File System (IFS). Default location: Drive M
- Exchange databases. Default location: Exchsrvr\Mdbdata
- Exchange MTA files. Default location: Exchsrvr\Mtadata
- Exchange temporary files. Tmp.edb
- Additional log files. Default location: Exchsrvr\server_name.log
- Virtual server directory. Default location: Exchsrvr\Mailroot
- Site Replication Service (SRS) files. Default location: Exchsrvr\Srsdata
- Internet Information Service (IIS) system files. <Drive>:\Winnt\System32\Inetsrv

Microsoft Exchange Server 2003

Table 2-3 lists the directories and files to exclude for Microsoft Exchange Server 2003.

Table 2-3 Files to exclude for Microsoft Exchange Server 2003 (directory and files, then default file location)
- Exchange databases. Default location: Exchsrvr\Mdbdata
- Exchange MTA files. Default location: Exchsrvr\Mtadata
- Exchange temporary files. Tmp.edb
- Additional log files. Default location: Exchsrvr\server_name.log
- Virtual server directory. Default location: Exchsrvr\Mailroot
- Site Replication Service (SRS) files. Default location: Exchsrvr\Srsdata
- Internet Information Service (IIS) system files. Default location: Exchsrvr\Srsdata
- Working directory for message conversion .tmp files. Default location: Exchsrvr\Mdbdata. You can change the location of this directory. For additional information, consult the Microsoft Knowledge Base.
- The temporary directory that is used with offline maintenance utilities such as Eseutil.exe. By default, this directory is the location from which you run the executable, but you can specify where you run the file from when you run the utility.
- The directory that contains the checkpoint (.chk) file. For information on the location of this file, consult the Microsoft Knowledge Base.

Extensions to exclude

Because certain files are not always saved in the expected locations, exclude the following file extensions on all versions of Microsoft Exchange Server:
- .log
- .edb

Directories to exclude when other Symantec products are installed

Excluding these directories is critical to product operation. Each product uses its temp directory as a processing directory. If the temp directories are not excluded from file system scanning, the antivirus programs might conflict and cause unexpected behavior, including potential data loss.

Norton AntiVirus 2.x for Microsoft Exchange

Exclude the following directories when you use this product:
- <drive>:\program Files\NAVMSE\Temp
- <drive>:\program Files\NAVMSE\Quarantine
- <drive>:\program Files\NAVMSE\Backup

Symantec AntiVirus/Filtering 3.0 for Microsoft Exchange

Exclude the following directories when you use this product:
- <drive>:\program Files\Symantec\SAVFMSE\Temp
- <drive>:\program Files\Symantec\SAVFMSE\Quarantine

Symantec Mail Security 4.0 for Microsoft Exchange

Exclude the following directories when you use this product:
- <drive>:\program Files\Symantec\SMSMSE\4.0\Server\Temp
- <drive>:\program Files\Symantec\SMSMSE\4.0\Server\Quarantine

Symantec Mail Security 4.5 for Microsoft Exchange

Exclude the following directories when you use this product:
- <drive>:\program Files\Symantec\SMSMSE\4.5\Server\Temp
- <drive>:\program Files\Symantec\SMSMSE\4.5\Server\Quarantine

Chapter 3 Reset ACL tool

This chapter includes the following topics:
- About the Reset ACL tool
- Restricting registry access with the Reset ACL tool

About the Reset ACL tool

Reset ACL (Resetacl.exe) lets you limit access to the Symantec AntiVirus registry key on Windows XP/2000 computers. By default, these computers allow all users to modify the data stored in the registry for any application, including Symantec AntiVirus.

Reset ACL removes the permissions that allow full access by all users to the following Symantec AntiVirus registry key and its subkeys:

HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion

Restricting registry access with the Reset ACL tool

You can use the Reset ACL tool to restrict registry access.

To restrict registry access with the Reset ACL tool
1. Roll out Resetacl.exe, located on the Symantec AntiVirus CD in the Tools folder, to unsecured computers.
2. Run Resetacl.exe on each of these computers.

After you have run Resetacl.exe, only users with Administrator rights can change the registry key values.

While the Reset ACL tool boosts security for Symantec AntiVirus on these computers, administrators should be aware that there are several trade-off considerations.

In addition to losing access to the registry, users without Administrator rights will not be able to do the following:
- Start or stop the Symantec AntiVirus service.
- Run LiveUpdate.
- Schedule LiveUpdate.
- Configure Symantec AntiVirus. For example, users cannot set Auto-Protect or scanning options.

The options associated with these operations appear dimmed in the Symantec AntiVirus interface.

In addition, the user can modify scan options, but the changes are not saved in the registry or processed. The user can also save manual scan options as the default set, but the options are not written to the registry.

Chapter 4 Importer tool

This chapter includes the following topics:
- About the Importer tool
- Importing addresses using the Importer tool
- Deleting entries from the address cache
- Advanced usage
- Getting Help while using the Importer tool

About the Importer tool

The Importer tool (Importer.exe) identifies computers in a non-WINS environment to the Symantec System Center console. This lets Symantec AntiVirus locate computers during the network discovery process, when the names cannot be browsed using WINS/DNS. It is a command-line utility.

In addition to importing the paired names and IP addresses of computers located in non-WINS environments, you can add any other computer name and IP address pairing to the text file so that the computer is discovered in the future. For example, you may want to add the name and address of a computer that has not been discovered successfully for an unknown reason.

Note: In most cases, you should not need the Importer tool. The Find Computer feature of the Symantec System Center can usually find and identify Symantec AntiVirus servers on the network by means of address caching and the normal Discovery process.

How the Importer tool works

The Importer tool runs on any computer on which the Symantec System Center is installed. You can use it to import pairs of computer names and IP addresses from a text file into the address cache registry entries used by the Symantec System Center.

Once the computer name and address pairs are imported, entries are created in the registry under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AddressCache

You must run a Local Discovery or Intense Discovery after importing the data file. The Discovery queries the addresses of the computers. The computers running the Symantec AntiVirus server are added to the Discovery Service in memory and have complete entries created in the registry. The Discovery Service can then find the computers each time that the Discovery Service is run.

Where the Importer tool is located

The Importer tool consists of a single file, Importer.exe. Importer.exe is located on the Symantec AntiVirus CD in the Tools folder. You can copy Importer.exe to any folder on a computer on which the Symantec System Center is installed, and then run it.

Importing addresses using the Importer tool

To import addresses to the address cache, you must be logged on with Administrator rights. This is necessary so that you have write access to HKEY_LOCAL_MACHINE.

Import addresses using the Importer tool

To import addresses using the Importer tool, you must complete the following tasks:
- Create a data file containing paired computer names and IP addresses.
- Run the Importer tool.
  Note: You must run the Importer tool from a command prompt.
- Run the Discovery Service.

To create a data file
1. Create a new file with a text editor such as Notepad.
2. Type the data in the following format:
   <server name><comma><ip address><linefeed>
   Avoid typing incorrect IP addresses for servers. No validation is performed to determine if two servers have the same IP address in the Importer text file.
3. Save the file.

For example, a data file named Computers.txt might look as follows:

Computer 1,
Computer 2,
Computer 3,
Computer 4,
Computer 5,
Computer 6,

Note: You can type a semicolon or colon to the left of an address to comment it out. For example, if you know that a network segment is down, you can comment out associated subnet addresses.

To run the Importer tool
1. At the command-line prompt, type the following command:
   <fullpath> importer <filename>
   where <fullpath> represents the full path to the Importer and <filename> represents the full path of the import file, such as C:\Computers\Computers.txt
2. Press Enter.

Deleting entries from the address cache

Data imported from the data file does not overwrite information that is already stored in the address cache. If you have data that should be overwritten, such as an incorrect computer address, clear the cache before running the Importer.

Note: After importing the contents of the data file, do not click Clear Cache Now. Doing so deletes the contents of the address cache, including the imported data.

To delete entries from the address cache
1. In the Symantec System Center console, on the Tools menu, click Discovery Service.
2. Under Cache Information, click Clear Cache Now.

Once you run Discovery after the data import, the correct data is available for future discovery sessions.

Advanced usage

The command line takes four parameters:
- Import file path
- First delimiter
- Second delimiter
- Order (1 = computer name/IP address, 2 = IP address/computer name; the default is 1)

Note: The second delimiter needs to be a single character only. For example, the ampersand cannot be used because the user would have to enter the following: &

For example, an import file named Machines.txt, in C:\MACHINES, could read as follows:

/Server /Server /Server 3

The above example is in IP address/computer name order (2). The first parameter is a slash (/) and the second is a linefeed. The corresponding syntax for the command line would be:

importer C:\MACHINES\Machines.txt / LF 2

After the computer name and IP address pairs are imported, entries are created in the registry under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AddressCache

You must run a local or intense discovery after importing the data file. The discovery queries the computer IP addresses. The computers running Symantec AntiVirus are added to the Discovery Service in memory and have complete entries created in the registry. The Discovery Service can then find the computers each time that the Discovery Service is run.

Getting Help while using the Importer tool

You can access Help on Importer switch and syntax information.

To get Help while using the Importer tool
1. At the command line, type the following:
   Importer
2. Press Enter.

The Importer tool displays the following Help information:

    Simple Usage : IMPORTER <filename>
    <filename> : full path of import file
    File format : <server name><comma><ip address><linefeed>
    Example File : Server 1, Server 2, Server 3,
    press "a" for advanced usage

When "a" is pressed for advanced usage, the following help will be displayed:

    Advanced Usage: IMPORTER <filename> <delimiter 1> <delimiter 2> <order>
    <filename> : full path of import file
    <delimiter 1> : separator between first and second item in pair
    <delimiter 2> : separator between pairs
    NOTE: for carriage return/linefeed delimiters, use LF
          for space delimiters, use SP
          for comma, use,
    <order> : order of computer name/ip address pairs
          1 = computer name/ip address order
          2 = ip address/computer name order
    EXAMPLE - File contents : /Server /Server /Server 3
    Command line : IMPORTER C:\MyFolder\MyFile.txt / LF 2

Known problems

- Importer depends on the HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\AddressCache key used by the Symantec System Center. If this key is not present, an error message appears.
- The Importer modifies the AddressCache key under HKLM, so the user needs local administrator rights.
- The Importer tool aids in the discovery process of the Symantec System Center. The Importer determines whether the Symantec System Center is present on the local computer. If not, an error message appears.
- After an import, the computer names paired with their IP addresses in the registry are not complete. They show only the computer under the Address_0 and Protocol dword values. A discovery must be run to complete the process (using the Run Discovery Now button in the Discovery Service Properties dialog box).
- Do not click the Clear Cache Now option in the Discovery Service Properties dialog box. This deletes the contents of the address cache, including the imported data.
- The Importer cannot assist in locating computers during the installation process.
  Note: When you are pushing the Symantec AntiVirus client and server to remote computers, an Import option appears in the Select Computer dialog box. Do not confuse this Import option with the Import option on the ClientRemote Install and AV Server Rollout installation screens.
- The Importer does not overwrite existing IP addresses in the address cache; this is an intended design feature. However, there is a possibility that an incorrect IP address may exist in the cache. In such a case, the Importer cannot correct it.
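Because the Importer performs no validation of the data file and cannot correct a wrong address once it is in the cache, checking the file before import is worthwhile. The following Python script is an added example, not part of the Symantec guide or the Importer tool: it parses a data file using the delimiter and order parameters described under Advanced usage and reports malformed entries, invalid addresses and conflicting pairs. It assumes IPv4 addresses, compares computer names case-insensitively, and treats an entry as commented out when a semicolon or colon starts either the entry or its address field; the sample addresses are constructed.

```python
"""Lint an Importer data file before import (added example, not Symantec code)."""
import ipaddress

# Named delimiters listed in the Importer help text; anything else is used as typed.
NAMED_DELIMITERS = {"LF": "\n", "SP": " "}


def lint_import_data(text, delim1=",", delim2="LF", order=1):
    """Return (pairs, problems) for the contents of an Importer data file.

    pairs    -- (computer name, IP address) tuples that passed every check
    problems -- findings for entries that should be fixed before import
    """
    d1 = NAMED_DELIMITERS.get(delim1, delim1)
    d2 = NAMED_DELIMITERS.get(delim2, delim2)
    if len(d2) != 1:
        raise ValueError("the second delimiter must be a single character")
    if order not in (1, 2):
        raise ValueError("order must be 1 (name/address) or 2 (address/name)")

    pairs, problems = [], []
    name_for_ip = {}  # IPv4Address -> computer name that claimed it first
    ip_for_name = {}  # upper-cased computer name -> IPv4Address

    for number, raw in enumerate(text.replace("\r\n", "\n").split(d2), start=1):
        entry = raw.strip()
        # Assumption: a leading semicolon or colon comments out the whole entry.
        if not entry or entry[0] in ";:":
            continue
        first, found, second = entry.partition(d1)
        if not found:
            problems.append(f"entry {number}: no {d1!r} delimiter in {entry!r}")
            continue
        name, address = (first, second) if order == 1 else (second, first)
        name, address = name.strip(), address.strip()
        # Assumption: a marker directly left of the address also comments it out.
        if address[:1] in (";", ":"):
            continue
        if not name:
            problems.append(f"entry {number}: empty computer name")
            continue
        try:
            ip = ipaddress.IPv4Address(address)
        except ipaddress.AddressValueError:
            problems.append(f"entry {number}: {address!r} is not a valid IPv4 address")
            continue

        # The Importer does not check for two servers sharing one address.
        owner = name_for_ip.get(ip)
        if owner is not None and owner.upper() != name.upper():
            problems.append(f"entry {number}: {ip} is already paired with {owner!r}")
            continue
        known = ip_for_name.get(name.upper())
        if known is not None and known != ip:
            problems.append(f"entry {number}: {name!r} is already paired with {known}")
            continue
        if owner is None:  # exact repeats of an accepted pair are dropped quietly
            name_for_ip[ip] = name
            ip_for_name[name.upper()] = ip
            pairs.append((name, str(ip)))
    return pairs, problems


def to_simple_format(pairs):
    """Render accepted pairs as <server name><comma><ip address><linefeed>."""
    return "".join(f"{name},{address}\n" for name, address in pairs)


# Constructed sample data (192.0.2.0/24 is a documentation-only range).
SAMPLE = (
    "Server 1,192.0.2.10\n"
    "Server 2,192.0.2.11\n"
    ";Server 3,192.0.2.12\n"   # commented out
    "Server 4,192.0.2.10\n"    # same address as Server 1
    "Server 5,192.0.2.300\n"   # octet out of range
    "Server 6 192.0.2.13\n"    # missing comma
    "server 1,192.0.2.14\n"    # second address for Server 1
)

if __name__ == "__main__":
    good, bad = lint_import_data(SAMPLE)
    for finding in bad:
        print(finding)
    print(to_simple_format(good), end="")
```

Only the output of `to_simple_format` would be saved and passed to the Importer; the reported entries need a manual decision first.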

Chapter 5 Windows services

This chapter includes the following topics:
- Symantec AntiVirus services
- Symantec System Center services

Symantec AntiVirus services

Table 5-1 lists the names and descriptions for Symantec AntiVirus server services. These appear in the Windows Services control panel.

Table 5-1 Symantec AntiVirus server services

| Service name | Binary name | Description |
|---|---|---|
| Common client application | ccapp.exe | Primary client application service that is also used by Auto-Protect for file systems and email. |
| Common client event manager | CcEvtMgr.exe | Service that is used to scan POP3 messages. |
| Common client settings manager | CcSetMgr.exe | Service that is used to store encrypted settings. |
| Defwatch | Defwatch.exe | Service that watches for newly arriving virus definitions. Launches a scan of the files in Quarantine when the new virus definitions arrive. |
| Tamper Protection | SPBBCSvc.exe | Service that protects Symantec processes. |
| Intel PDS | Pds.exe | Ping Discovery Service. Allows Discovery of Symantec AntiVirus on this computer to occur. Applications register with this service, along with an APP ID, and a pong packet to return in response to ping requests. |
| Symantec AntiVirus Server | Rtvscan.exe | Main Symantec AntiVirus service. Most Symantec AntiVirus server-related tasks are performed in this service. |
| Virus protection tray icon | VPtray.exe | Service that provides the system tray icon. |

Table 5-2 lists the names and descriptions for Symantec AntiVirus client services. These appear in the Windows Services control panel.

Table 5-2 Symantec AntiVirus client services

| Service name | Binary name | Description |
|---|---|---|
| Common client application | ccapp.exe | Primary client application service that is also used by Auto-Protect for file systems and email. |
| Common client event manager | CcEvtMgr.exe | Service that is used to scan POP3 messages. |
| Common client password service | CcPwdSvc.exe | Service that is used to scan client password service POP3 messages. |
| Common client settings manager | CcSetMgr.exe | Service that is used to store encrypted settings. |
| Configuration Wizard service | CfgWzSvc.exe | This service appears in the Windows Task Manager Processes when an installation fails. The service normally deletes itself after the Symantec AntiVirus Configuration Wizard runs. |
| Defwatch | Defwatch.exe | Service that watches for newly arriving virus definitions. Launches a scan of the files in Quarantine when the new virus definitions arrive. |
| Tamper Protection | SPBBCSvc.exe | Service that protects Symantec processes. |
| Symantec AntiVirus Client | Rtvscan.exe | One of the main Symantec AntiVirus virus scanning services. Most Symantec AntiVirus client-related tasks are performed in this service. |
| Client roaming service | Savroam.exe | Provides roaming server data to roaming clients. |
| Common client Symantec Network Drivers | SNDSrvc.exe | Symantec Network Drivers. |
| Virus protection for 32-bit operating systems | VPC32.exe | One of the main Symantec AntiVirus services. |
| Virus protection tray icon | VPtray.exe | Service that provides the system tray icon. |

Symantec System Center services

Table 5-3 lists the names and descriptions for Symantec System Center services. These appear in the Windows Services control panel.

Table 5-3 Symantec System Center services

| Service name | Binary name | Description |
|---|---|---|
| Symantec System Center Discovery Service | Nsctop.exe | Discovery Service used to find Symantec AntiVirus servers on the network. The Discovery Service also populates the console with objects. |

Table 5-4 lists the names and descriptions for Alert Management System 2 services. These appear in the Windows Services control panel.

Table 5-4 Alert Management System 2 services

| Service name | Binary name | Description |
|---|---|---|
| Intel Alert Handler | Hndlrsvc.exe | AMS 2 Alert Handler service. Provides alerting actions such as message boxes, pages, emails, and so on. |
| Intel Alert Originator | Iao.exe | AMS 2 Alert Originator service. Lets alerts be received on this computer. Alerts can be received from either the local computer (in the case of a primary server), or from a remote computer (in the case of unmanaged clients using a centralized AMS 2 server). |
| Intel File Transfer | Xfr.exe | File transfer service. Provides file transfer capabilities to AMS 2. |
| Intel PDS | Pds.exe | Ping Discovery Service. Allows Discovery of Symantec AntiVirus on this computer to occur. Applications register with this service, along with an APP ID, and a pong packet to return in response to ping requests. |

Chapter 6 Cryptography basics

This chapter includes the following topics:
- Overview
- About cryptographic keys and algorithms
- About one-way hashes and digital signatures
- About digital certificates and PKIs
- About SSL

Overview

Symantec AntiVirus communications use the Secure Sockets Layer (SSL) protocol, which Netscape created to conduct secure transactions between Web servers and clients. Most online transactions that involve money moving across the Internet use SSL. SSL uses a Public Key Infrastructure (PKI), digital certificates, and cryptography.

For administrative purposes, you might need to understand how SSL uses certificates because you might need to manage or create certificates. To understand what a certificate is and how it is used, you need to understand the basics of cryptography as it is used in SSL.

About cryptographic keys and algorithms

In its simplest form, a cryptographic key is a secret code that a cryptographic algorithm (instruction sequence) uses to encrypt and decrypt messages. This algorithm might be nothing more than transposing one alphabetic letter with another. The key in this algorithm is knowing which letter is transposed with another. For example, you might transpose the letter A with B, the letter B with C, and so on.

More complicated algorithms and keys might break a message into a series of groups, each of which has the same number of letters. The algorithm assigns each group a unique key that rearranges the numbered sequence. For example, in the first group the first letter is transposed to the third letter, the second letter is transposed to the first letter, and the third letter is transposed to the second letter. To decrypt the message, you need the algorithm and the key for each group.

These examples illustrate a symmetric algorithm and key where the same key is used to encrypt and decrypt messages. For security reasons, you keep this key hidden and private, and you distribute this key only to the intended receiver.

Asymmetric keys and algorithms are also used in cryptography when two different keys are used to encrypt and decrypt messages. One key is called a private key that you keep hidden, and one key is called a public key that you distribute to anyone who wants to send you encrypted messages or read your encrypted messages. Your private key decrypts messages that are encrypted with your public key, and your public key decrypts messages that are encrypted with your private key. One public and private key is called a key pair.

If you distribute your public key to all of your friends, or if you place your public key where all of your friends can retrieve it, you can encrypt a message and send it to all of your friends. Your friends obtain your public key and decrypt the message. They know with certainty that the message came from you because only your private key can encrypt the message and only you possess this key.

If one of your friends wants to send a message to you that only you can read, that person encrypts the message with your public key, sends you the message, and only you can decrypt the message because you have not given your private key to anyone else. If someone else intercepts the message, that person cannot decrypt the message without possessing your private key. These concepts form the foundation for understanding how SSL works.

Modern symmetric-key algorithms include Triple-DES, RC5, and the current NIST standard of Advanced Encryption Standard (AES). Modern implementations of asymmetric-key algorithms include RSA, ECC, and El Gamal.

About one-way hashes and digital signatures

A one-way hash is an algorithm that takes the contents of a variable-length computer file (message) and produces a fixed-length value. This fixed-length value has at least three names: hash, hash value, and message digest. If you change one bit in the computer file and then rerun the hashing algorithm on the file, the second value differs from the first value.

For example, suppose that you create an unencrypted file that contains the name of a one-way hashing algorithm, generate a hash value for the file, and send the file to a friend along with the hash value. Upon receipt, your friend reads the file, notices the name of the hashing algorithm, uses this algorithm to generate a hash value on the same file, and compares the values. If the values match, your friend knows with certainty that the file contents have not been altered or tampered with. If the values do not match, your friend knows that the file contents have been altered and does not trust the information in the file.

If you want your friend to know with certainty that the unencrypted message came from you, you encrypt the hash value by using your private key. Upon receipt, your friend decrypts the hash value by using your public key. If decryption is successful, your friend knows with certainty that the message came from you because only you possess your private key. To verify the integrity of the file, your friend then recalculates the hash value and compares it to the value that you sent with the message.

A hash value that is encrypted with a private key is called a digital signature. The digital part of the term implies 1s and 0s. The signature part of the term implies the uniqueness of a fingerprint, and the identity of the person who encrypted the hash value is known with certainty. The act of encrypting a hash value with a private key is called signing. These concepts form the foundation for understanding how SSL uses digital certificates.

Modern implementations of one-way hashing algorithms include MD4, MD5, and SHA.

About digital certificates and PKIs

A digital certificate is a file that contains the following:
- A public key
- Identifying information about the claimed owner of the certificate
- A one-way hash that is encrypted with the claimed owner's private key (digital signature)
- Other information such as the name of the one-way hashing algorithm and the asymmetric encryption strength

Root Certificate Authorities (CAs) provide digital certificates to people who request and pay for certificates. Root CAs can create and sign certificates that allow other CAs to create certificates as well, which forms a hierarchy of CAs. The root CA is always at the top of the hierarchy, and the root CA always signs its own certificate, which is called a self-signed certificate. Two root CAs that are widely used across the Internet are VeriSign and Entrust.

Figure 6-1 illustrates the type of digital certificate that Symantec AntiVirus uses, which is based on the X.509v3 standard. This certificate is a self-signed server group root certificate.

Figure 6-1 Digital certificate example

    Certificate:
      Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1withrsaencryption // Hashing and asymmetric algorithms
        Issuer: OU=Server Group Root CA, CN= c2aa91e4abb4e6c9d527eb762
        Validity
          Not Before: Nov 20 05:47: GMT
          Not After: Nov 20 05:47: GMT
        Subject: Subject: OU=Server Group Root CA, CN= c2aa91e4abb4e6c9d527eb762
        Subject Public Key Info:
          Public Key Algorithm: rsaencryption
          RSA Public Key: (1024 bit)
            Modulus (1024 bit): // Public key that is used for decryption and encryption
              00:ba:54:2c:ab:88:74:aa:6b:35:a5:a9:c1:d0:5a:
              9c:fb:6b:b5:71:bc:ef:d3:ab:15:cc:5b:75:73:36:
              b8:01:d1:59:3f:c1:88:c0:33:91:04:f1:bf:1a:b4:
              7b:c8:39:c2:89:1f:87:0f:91:19:81:09:46:0c:86:
              08:d8:75:c4:6f:5a:98:4a:f9:f8:f7:38:24:fc:bd:
              99:24:37:ab:f1:1c:d8:91:ee:fb:1b:9f:88:ba:25:
              da:f6:21:7f:04:32:35:17:3d:36:1c:fb:b7:32:9e:
              42:af:77:b6:25:1c:59:69:af:be:00:a1:f8:b0:1a:
              6c:14:e2:ae:62:e7:6b:30:e9
            Exponent: (0x10001)
        X509v3 extensions:
          X509v3 Basic Constraints: critical
            CA:TRUE, pathlen:1
          X509v3 Key Usage:
            Certificate Sign, CRL Sign
          X509v3 Subject Key Identifier:
            FE:04:46:ED:A0:15:BE:C1:4B:59:03:F8:2D:0D:ED:2A:E0:ED:F9:2F
          X509v3 Authority Key Identifier:
            keyid:e6:12:7c:3d:a1:02:e5:ba:1f:da:9e:37:be:e3:45:3e:9b:ae:e5:a6
      Signature Algorithm: sha1withrsaencryption
        34:8d:fb:65:0b:85:5b:e2:44:09:f0:55:31:3b:29:2b:f4:fd:
        aa:5f:db:b8:11:1a:c6:ab:33:67:59:c1:04:de:34:df:08:57:
        2e:c6:60:dc:f7:d4:e2:f1:73:97:57:23:50:02:63:fc:78:96:
        34:b3:ca:c4:1b:c5:4c:c8:16:69:bb:9c:4a:7e:00:19:48:62:
        e2:51:ab:3a:fa:fd:88:cd:e0:9d:ef:67:50:da:fe:4b:13:c5:
        0c:8c:fc:ad:6e:b5:ee:40:e3:fd:34:10:9f:ad:34:bd:db:06:
        ed:09:3d:f2:a6:81:22:63:16:dc:ae:33:0c:70:fd:0a:6c:af:
        bc:5a
    -----BEGIN CERTIFICATE----- // Certificate in encoded format
    MIIDoTCCAwqgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBiTELMAkGA1UEBhMCRkox
    DTALBgNVBAgTBEZpamkxDTALBgNVBAcTBFN1dmExDjAMBgNVBAoTBVNPUEFDMQww
    CgYDVQQLEwNJQ1QxFjAUBgNVBAMTDVNPUEFDIFJvb3QgQ0ExJjAkBgkqhkiG9w0B
    CQEWF2FkbWluaXN0cmF0b3JAc29wYWMub3JnMB4XDTAxMTEyMDA1NDc0NFoXDTAy
    MTEyMDA1NDc0NFowgYkxCzAJBgNVBAYTAkZKMQ0wCwYDVQQIEwRGaWppMQ0wCwYD
    VQQHEwRTdXZhMQ4wDAYDVQQKEwVTT1BBQzEMMAoGA1UECxMDSUNUMRYwFAYDVQQD
    Ew13d3cuc29wYWMub3JnMSYwJAYJKoZIhvcNAQkBFhdhZG1pbmlzdHJhdG9yQHNv
    cgfjlm9yzzcbnzanbgkqhkig9w0baqefaaobjqawgykcgyeaulqsq4h0qms1panb
    0Fqb+2u1cbzv06sVzFt1cza4AdFZP8GIwDORBPG/GrR6yDnCiR+HD5EZgQlGDIYI
    2HXEb1qYSvn49zgk/L2UJDer8RzYke77G5+IuiXa9iF/BDI1Fz02HPu3Mp5Cr3e2
    JRxZaa++AKH4sBpsFOKuYudrMOkCAwEAAaOCARUwggERMAkGA1UdEwQCMAAwLAYJ
    YIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1Ud
    DgQWBBT+BEbtoBW+wUtZA/gtDe0q4O35LzCBtgYDVR0jBIGuMIGrgBTmEnw9oQLl
    -----END CERTIFICATE-----

When a person or corporation wants a certificate to use in a Public Key Infrastructure (PKI) that is used across the Internet, that person (John, for example) completes a Certificate Signing Request (CSR), which contains identifying information such as a phone number, address, and so forth. In some implementations, John can generate a private and public key pair, and include the public key with the request. In other implementations, John can request that the CA create the private and public key pair, and return the private key securely.

John sends the CSR to a Registration Authority (RA). The RA confirms the person's identity, and then the RA sends the CSR to a CA. The CA creates a digital certificate, defines a time over which the certificate is valid, adds John's personal information, inserts John's public key, digitally signs the certificate with the CA's private key, and then sends the certificate to John along with John's private key if the CA created the private key. The CA is now responsible for managing the certificate for John for as long as it is valid. To verify that the CA created the certificate, people can decrypt the digital signature by using the CA's public key.

Now, if John wants to send a message to Mary and wants Mary to know that the message actually came from him, John creates his message, creates a one-way hash of the message, digitally signs the hash with his private key, and sends the message along with his digital certificate to Mary. Before Mary reads the message, she sends a request to the CA to validate John's certificate.

Certificates can be revoked for a variety of reasons, one of which is that John lost his private key, it became public and was distributed in Internet chat rooms, and John sent a request to the CA to put his key on the Certificate Revocation List (CRL), which lists invalid certificates. The CA checks its database to see if the certificate is John's and has not expired, and then checks the CRL to see if his certificate has been revoked. If the certificate is not on the CRL and has not expired, the CA responds to Mary that the certificate is John's and is valid. Mary then successfully decrypts John's digital signature by using John's public key, and knows that John's message has not been altered in transit, and that it came from John.

For reference, Symantec AntiVirus uses an internal root CA (external CAs include Entrust and VeriSign), and the primary server in each server group performs root CA activities. The primary server creates a self-signed certificate that serves as the highest level of trust, and is valid for 10 years. Symantec AntiVirus does not implement an RA or CRL, but does use CSRs. Finally, Symantec AntiVirus implements these components to support SSL, which secures communications between clients, servers, and the Symantec System Center.

About SSL

Netscape developed SSL to secure traffic between Web servers and browsers. SSL uses public and private keys, and digital certificates to negotiate a symmetric key and algorithm to use to encrypt traffic between the two. However, most Web browsers rarely query the root CA to see if a certificate is valid. They verify that the root CA's certificate is installed locally and is valid. Browsers compare the received certificate against the installed certificate to verify that digital signatures match.

To see a list of trusted root certificates that are installed with Internet Explorer, check Tools, Internet Options, Content, Certificates, Trusted Root Certification Authorities. You can also view the content of the certificates.

The following list summarizes a successful SSL connection between a Web browser and a Web server:
- A browser sends a request to a server for a secure page.
- The server sends its digital certificate to the browser.
- The browser authenticates the server by validating the digital certificate against its list of installed certificates, and concludes that the certificate is valid.
- The browser chooses a random symmetric key and an algorithm that it wants to use to encrypt traffic to and from the server, encrypts the key and algorithm by using the server's public key that is contained in its digital certificate, and sends the certificate to the server.
- The server decrypts the message by using its private key, and then encrypts all additional information that it sends to the client by using the symmetric key and algorithm. The server can also tell the client to try another symmetric key and algorithm, which is the negotiation process.
- The client decrypts all information that it receives from the server by using the symmetric key and algorithm, and encrypts all information that it sends back to the server by using the same symmetric key and algorithm.

The server and client use this symmetric key to encrypt communications until the communications session ends. This symmetric key is also called a session key and is used only for the duration of the communications session. If the browser wants to talk to the server at a later date, the browser and server negotiate a different session key by using the same process, and potentially a different algorithm. The traffic between the server and client is encrypted by using symmetric cryptography because it is much faster than asymmetric cryptography.

Symantec AntiVirus uses SSL between clients, servers, and the Symantec System Center. However, Symantec AntiVirus does not use Web servers or browsers. Symantec AntiVirus uses SSL-enabled primary and secondary servers, and SSL-enabled clients. However, the way that they communicate is very similar to the way that Web servers and browsers communicate. Furthermore, root certificates are installed locally on clients by default.

Symantec AntiVirus server certificates are digitally signed by a self-signed server group root CA, so server certificates contain information that identifies the root CA. When Symantec AntiVirus clients receive a server certificate, they validate that the server group root CA signed it by comparing it to the server group root CA certificate that is installed locally. Both certificates contain fields that identify the server group root CA, and these fields must match. The server's certificate is also known as a chained certificate, because it contains information that identifies the server group root CA. A chain of trust can then be traced back to the server group root CA.

Chapter 7 Event Log entries

This chapter includes the following topics:
- Symantec AntiVirus events

Symantec AntiVirus events

Table 7-1 lists events that are forwarded to the Symantec System Center. Many, but not all, of these events appear in the Windows 2000/XP Application Log. Also, the Windows Application Log might not completely conform to this list. For example, event number 34 appears as a log forwarding error in the Symantec System Center, but the event number 34 appears as an Information event for starting Event and Settings Manager.

Table 7-1 Events

| Event | Event number | Description |
|---|---|---|
| Scan Stopped | 2 | Occurs when antivirus scanning completes. |
| Scan Started | 3 | Occurs when antivirus scanning starts. |
| Definition File Sent To Server | 4 | Occurs when a parent server sends a .vdb file to a secondary server. |
| Virus Found | 5 | Occurs when scanning detects a virus. |
| Scan Omission | 6 | Occurs when scanning fails to gain access to a file or directory. |
| Definition File Loaded | 7 | Occurs when Symantec AntiVirus loads a new .vdb file. |
| Checksum | 10 | Occurs when a checksum error occurs when verifying a digitally signed file. |
| Auto-Protect | 11 | Occurs when Auto-Protect is not fully operational. |
| Configuration Changed | 12 | Occurs when a server updates its configurations according to the changes made from the console, excluding configuration changes made in the PRODUCTCONTROL or DOMAINDATA registry keys. |
| Symantec AntiVirus Shutdown | 13 | Occurs when the Rtvscan.exe service is unloaded. |
| Symantec AntiVirus Startup | 14 | Occurs when the Rtvscan.exe service is loaded. |
| Definition File Download | 16 | Occurs when new definitions are downloaded by a scheduled definitions update. |
| Scan Action Auto-Changed | 17 | Occurs when Symantec AntiVirus has deleted or quarantined more than 5 infected files within the last minute. The number of files quarantined or deleted and the time interval are configurable from the registry. The defaults are 5 files in 60 seconds. |
| Sent To Quarantine Server | 18 | Occurs when quarantined files are sent to a Quarantine Server. |
| Delivered To Symantec Security Response | 19 | Occurs when a file is delivered to Symantec Security Response. |
| Backup Restore Error | 20 | Occurs when Symantec AntiVirus cannot back up a file or restore a file from Quarantine. |
| Scan Aborted | 21 | Occurs when a scan is stopped before it completes. |
| Symantec AntiVirus Auto-Protect Load Error | 22 | Occurs when Auto-Protect fails to load. |
| Symantec AntiVirus Auto-Protect Loaded | 23 | Occurs when Auto-Protect loads successfully. |
| Symantec AntiVirus Auto-Protect Unloaded | 24 | Occurs when Auto-Protect is unloaded. |
| Removed Client | 25 | Occurs when a parent server removes a client computer from its clients list. This will happen by default when a client computer fails to check in with its parent server for over thirty days. |
| Scan Delayed | 26 | Occurs when a scheduled scan is snoozed/paused (delayed). |
| Scan Re-started | 27 | Occurs when a snoozed/paused scan is restarted. |
| Roaming Client added to Server | 28 | Occurs when a roaming client is added to a server. |
| Roaming Client deleted from Server | 29 | Occurs when a roaming client is removed from a server. |
| License Warning | 30 | Occurs when a license warning message is generated. |
| License Error | 31 | Occurs when there is a license error. |
| Access Denied Warning | 33 | Occurs when an unauthorized communication attempt is made. |
| Log Forwarding Error | 34 | Occurs when there is a problem with the log forwarding process. Also logs when Event and Settings Manager are started. |
| License Installed | 35 | Occurs when a license is installed. |
| License Allocated | 36 | Occurs when a license is allocated. |
| License Status | 37 | Occurs when a license is validated. |
| License Deallocated | 38 | Occurs when a license is deallocated. |
| Definitions Rollback | 39 | Occurs when definitions are rolled back. |
| Definitions Unprotected | 40 | Occurs when a computer is not protected with definitions. |
| Detection Action | 40 | Occurs when Auto-Protect detects a threat. |
| Successful Remediation Action | 42 | Occurs when Auto-Protect performs a successful side-effects repair for adware or spyware. |
| Failed Remediation Action | 43 | Occurs when Auto-Protect fails to perform a successful side-effects repair for adware or spyware. |
| Pending Remediation Action | 44 | Occurs when Auto-Protect is ready to perform a side-effects repair for adware or spyware. |
| Auto-Protect Error | 46 | Occurs when an error occurs with Auto-Protect. |
| Compliancy Failure | 47 | Occurs when a managed computer configuration fails a compliancy test. |
| Compliancy Success | 48 | Occurs when a managed computer configuration passes a compliancy test. |
| SymProtect Action | 49 | Occurs when SymProtect blocks a tamper attempt. |
| Scan Started | 64 | Occurs when adware and spyware scans start. Note: This event number is out of numerical sequence in this table and placed here for convenience. |
| Scan Stopped | 50 | Occurs when adware and spyware scans stop. |
| Login Failed | 51 | Occurs when a user login is not authenticated and fails. |
| Login Succeeded | 52 | Occurs when a user login is authenticated and successful. |
| Unauthorized Communications | 53 | Occurs when an attempt is made to access functionality that is not permitted. |
| Antivirus Client Installation | 54 | Occurs when antivirus client software is installed. |
| Firewall Client Installation | 55 | Occurs when firewall client software is installed. |
| Client Software Uninstalled | 56 | Occurs when client software is uninstalled. |
| Client Software Uninstall Rollback | 57 | Occurs when an attempt to uninstall client software fails, and the client software is restored. |
| Server Group Root Certificate Issued | 58 | Occurs when a server group root certificate is created for a server group and installed in the roots directory. |
| Server Certificate Issued | 59 | Occurs when a primary server issues a login CA certificate and a server certificate to a secondary server in a server group. |
| Trusted Root Change | 60 | Occurs when a server group root certificate is added or deleted. |
| Server Certificate Startup Failed | 61 | Occurs when a server tries to initialize its secure protocol but fails. |
| Client Checkin | 62 | Occurs when a client checks in with its parent server for configuration changes. |
| No Client Checkin | 63 | Occurs when a client fails to check in with its parent server within a specified time interval. |


Chapter 8 How certificates are implemented

This chapter includes the following topics:
- How certificates establish a chain of trust
- How clients and servers authenticate certificates
- Authentication paths and methods
- Certificate store directories
- File naming conventions
- Other certificate details

How certificates establish a chain of trust

This version of Symantec AntiVirus introduces a new and enhanced network security communications architecture that uses the Secure Sockets Layer (SSL) protocol and digital certificates over TCP. This new architecture encrypts management communications between Symantec AntiVirus entities, and requires authentication processes to occur before servers and clients accept configuration changes. To understand these authentication processes, you must understand the difference between a digital signature and a digital certificate.

See Cryptography basics on page 29.

Figure 8-1 illustrates the hierarchical trust model that Symantec AntiVirus uses to establish secure communications over SSL with certificates. Symantec AntiVirus uses these certificates during SSL negotiations between the Symantec System Center, servers, and clients to perform authentication.

Figure 8-1 Certificates and the chain of trust

The primary server in each server group creates and manages a self-signed root certificate. This certificate is called the server group root certificate, and is the foundation on which servers and clients trust each other in a server group. The server group root certificate has a lifetime of 10 years. If you promote secondary servers to primary servers, the server group certificate is automatically promoted to the new primary server.

All servers, both primary and secondary, also possess a server end-entity certificate. Each server initially generates and self-signs this certificate during installation, generates a certificate signing request (CSR), and submits both to the primary server for processing and signing. The primary server processes the CSR, creates and digitally signs a new server certificate, increments a numerical counter value in the certificate name by one, and then returns it to the server. The new server end-entity certificate now has an established chain of trust to the server group root certificate.

Note: The primary server creates this server certificate for itself automatically from its server group root certificate.

How clients and servers authenticate certificates

When a server tries to push a new configuration to a client, it presents its server certificate to the client, the client compares the server certificate to the server group root certificates that it possesses, and verifies that the server certificate is digitally signed by one of the client's server group root certificates. When the client finds the appropriate server group root certificate and verifies the chain of trust back to the server group root certificate, the client accepts the new configuration. If the client cannot verify the chain of trust, it does not accept the new configuration.

A similar system is used to authenticate users. A login CA certificate is created and signed by the server group root certificate when a primary server is created to establish a chain of trust back to the server group root certificate. This login CA certificate is also valid for 10 years.

When a user successfully authenticates to a server group (unlocks it from the Symantec System Center), the user initially authenticates by using a user name and password. The user then receives a temporary login certificate that is signed by the login CA certificate. This certificate is time-stamped and is valid for a specific amount of time, after which it expires. The default time value is 24 hours. You can modify this time value by using the Login Certificate Settings dialog box for a server group in the Symantec System Center.

When servers and clients receive the user's request for configuration changes, they verify that the user's login certificate establishes a chain of trust back to the server group root certificate. If clients successfully authenticate the chain of trust, they then compare their system clocks to the certificate's time stamp. If they verify that the certificate has not expired, they accept the user's configuration changes.

The login certificate is generated with a time limitation for security purposes, but is valid across all time zones. If a specific user account is deleted in the Symantec System Center, the temporary login certificate that is associated with that user cannot be renewed after it expires, regardless of the time zone. If the login certificate expires after the user authenticates to a server or client, the user is automatically issued another valid login certificate.

Be aware that unsynchronized computer system clocks in a server group might prohibit servers and clients from authenticating a user's login certificates because of the time differential. For example, suppose that you have a login certificate that contains a primary server's time stamp and is valid for 30 minutes. Then, suppose that the user attempts to authenticate to a client that has a clock that is set 45 minutes ahead of the primary server clock. When the client receives the login certificate, it believes that the login certificate expired 15 minutes ago based on its system clock setting, and does not permit configuration changes by the logged in user.

Note: Use a system clock synchronization method in your computer networks. Otherwise, communications might fail until computers have clock values that are within the client certificate's time expiration window. You can set the certificate's time value in the Symantec System Center.

Authentication paths and methods

Table 8-1 describes the authentication paths and methods that are used to authenticate Symantec AntiVirus entities.

Table 8-1 Authentication paths and methods

Authentication path:
- Symantec System Center to server
- Server to client
- Client to server
- Client to Symantec System Center
- Symantec System Center to client

Method:
- Servers authenticate the Symantec System Center users by using either a password or certificate.
- The Symantec System Center authenticates servers by using certificates.
- Servers do not authenticate clients.
- Clients authenticate servers by using certificates.
- Clients authenticate the Symantec System Center users by using certificates.
- The Symantec System Center does not authenticate clients.

Certificate store directories

A typical installation creates top-level directories that store executable files for servers, clients, and the Symantec System Center. The default names of these directories are different. For example, on servers the default name is \SAV, and on the computer that hosts the Symantec System Center, the default name is \Symantec System Center.

Under these top-level directories, a typical installation creates subdirectories that store certificates, private keys, and certificate signing requests (CSRs). These directories are called the certificate store, and are contained under a directory called \pki. The subdirectory names are certs, private-keys, cert-signing-requests, and roots.

Server certificate stores are controlled by Access Control Lists (ACLs) for administrator access only. The Symantec System Center certificate store is not controlled by ACLs for administrator access, because restricted users might need to access the certificates in the certificate store. As a result, private keys are not saved to the Symantec System Center certificate store. Client certificate stores are controlled by parent servers, and client certificate stores use only the roots directory, which is auto-populated and controlled by parent servers.

Table 8-2 lists and describes the directories that the certificate store contains under the \pki directory, and the files that the directories contain by location.

Table 8-2 Certificate store directories and files

Component: Symantec System Center
Certs: Empty.
Private-keys: Empty.
Cert-signing-requests: Empty.
Roots: Contains the root certificates for all server groups.

Component: Primary server
Certs: Contains the login CA and server certificates.
Private-keys: Contains the private keys for the server group, login CA, and servers.
Cert-signing-requests: Contains generated certificate signing requests (CSRs) for the server group, login CA, and servers. Use the server group CSR when you manually create an enterprise root certificate. The other two CSRs are used dynamically.
Roots: Contains the root certificate for the server group in which it is installed. Might also contain root certificates for other server groups.

Component: Secondary server
Certs: Contains the login CA and server certificates.
Private-keys: Contains the private keys for the login CA and servers.
Cert-signing-requests: Empty.
Roots: Contains the root certificate for the first server group in which it is a member. Might also contain root certificates for other server groups.

Component: Clients
Certs: Empty.
Private-keys: Empty.
Cert-signing-requests: Empty.
Roots: Contains the root certificate for the first server group in which it is a member. Might also contain root certificates for other server groups to permit roaming.

File naming conventions

Certificate names contain globally unique identifiers (GUIDs). GUIDs are unique IDs that are installed on each computer to prevent name collisions so that you can move servers from one server group to another. Certificate names also contain counters to provide historical records of a server's previous membership in the same domain and to permit the reissuing of a certificate to the same entity. Server group names are not included in certificates or file names so that you can rename server groups.

File naming conventions fall into the following categories:
Server group root certificates and private keys
Server certificates and private keys
Login CA certificates and private keys
Certificate signing requests

Server group root certificates and private keys

The following examples show server group root certificate and private key naming conventions:
<server-group-guid>.<counter>.servergroupca.cer
<server-group-guid>.<counter>.servergroupca.pvk

The following examples show actual names for a certificate and private key:
c2aa91e4abb4e6c9d527eb762.0.servergroupca.cer
c2aa91e4abb4e6c9d527eb762.0.servergroupca.pvk

The server group root private key is used only to add new servers to a server group, so you should safely archive the key after you set up a server group with a primary server, and after you add any necessary secondary servers. The key is not necessary for high-volume activity, such as adding clients and authenticating users.

Server certificates and private keys

The following examples show server certificate and private key naming conventions:
<server-name>.<server-group-guid>.<counter>.server.cer
<server-name>.<server-group-guid>.<counter>.server.pvk

The following examples show actual names for a certificate and private key:
INFODEV-TEST c2aa91e4abb4e6c9d527eb762.0.server.cer
INFODEV-TEST c2aa91e4abb4e6c9d527eb762.0.server.pvk

Login CA certificates and private keys

The following examples show login CA certificate and private key naming conventions:
<server-name>.<server-group-guid>.<counter>.loginca.cer
<server-name>.<server-group-guid>.<counter>.loginca.pvk

The following examples show actual names for a certificate and private key:
INFODEV-TEST c2aa91e4abb4e6c9d527eb762.0.loginca.cer
INFODEV-TEST c2aa91e4abb4e6c9d527eb762.0.loginca.pvk

Certificate signing requests

The following examples show server group root, server, and login CA CSR naming conventions:
<server-group-guid>.<counter>.servergroupca.csr
<server-name>.<server-group-guid>.<counter>.server.csr
<server-name>.<server-group-guid>.<counter>.loginca.csr

The following examples show actual names for CSRs:
c2aa91e4abb4e6c9d527eb762.0.servergroupca.cer
INFODEV-TEST c2aa91e4abb4e6c9d527eb762.0.server.cer
INFODEV-TEST c2aa91e4abb4e6c9d527eb762.0.loginca.cer

Other certificate details

These details are provided for your information:
Certificate and CSR counters
Certificate and key file formats
Server group root key archival
About promoting secondary servers to primary servers
About viewing certificates
About preserving certificates and issue time
Install a primary server and secondary server in each server group

Certificate and CSR counters

Each certificate and CSR has a <counter> field. Each time a certificate or request is generated, the certificate or CSR that is generated next has the counter field incremented by a value of one. For example, each server group root certificate, as it is generated for each primary server in a new server group, has the <counter> field incremented by one. All server group root certificates are in the \pki\roots directory under the directory that contains the Symantec System Center files.

Certificate and key file formats

All certificates and private keys are held in unencrypted PEM-formatted files. The PEM format is DER for ASN.1 format data that has been Base-64 encoded.
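Because private keys sit in the store as unencrypted files, it is worth checking mechanically that each store holds only what Table 8-2 lists. The following Python is an added example, not Symantec code: it parses file names according to the naming conventions above, flags files that Table 8-2 does not list for a component, notes a server group root private key that is still online, and lists files superseded by a higher counter. The component labels, the sample listings, the GUID and the server name SRV-A are constructed for illustration.

```python
"""Audit a \\pki certificate store listing against the guide's file naming
conventions and Table 8-2. Added example; all sample data is constructed."""
import re
from pathlib import PureWindowsPath

KINDS = {"servergroupca", "server", "loginca"}
EXTS = {"cer", "pvk", "csr"}
ROOT_CERT = {("servergroupca", "cer")}
ISSUED = {("loginca", "cer"), ("server", "cer")}
EMPTY = frozenset()

# (kind, extension) pairs Table 8-2 lists for each store directory.
# The component labels used as keys are this example's own names.
EXPECTED = {
    "system-center": {"certs": EMPTY, "private-keys": EMPTY,
                      "cert-signing-requests": EMPTY, "roots": ROOT_CERT},
    "primary": {"certs": ISSUED,
                "private-keys": {(k, "pvk") for k in KINDS},
                "cert-signing-requests": {(k, "csr") for k in KINDS},
                "roots": ROOT_CERT},
    "secondary": {"certs": ISSUED,
                  "private-keys": {("loginca", "pvk"), ("server", "pvk")},
                  "cert-signing-requests": EMPTY, "roots": ROOT_CERT},
    "client": {"certs": EMPTY, "private-keys": EMPTY,
               "cert-signing-requests": EMPTY, "roots": ROOT_CERT},
}


def parse_store_name(filename):
    """Parse [<server-name>.]<server-group-guid>.<counter>.<kind>.<ext>.

    Splitting from the right keeps a server name that contains dots intact.
    Returns a dict, or None if the name does not follow the conventions.
    """
    parts = filename.rsplit(".", 4)
    if len(parts) < 4:
        return None
    *prefix, guid, counter, kind, ext = parts
    server = prefix[0] if prefix else ""
    kind, ext = kind.lower(), ext.lower()
    if (kind not in KINDS or ext not in EXTS or not counter.isdecimal()
            or not re.fullmatch(r"[0-9A-Fa-f]+", guid)):
        return None
    # Server group root files carry no server name; the other kinds must.
    if (kind == "servergroupca") == bool(server):
        return None
    return {"server": server or None, "guid": guid.lower(),
            "counter": int(counter), "kind": kind, "ext": ext}


def audit_store(component, relative_paths):
    """Return sorted (severity, path, reason) findings for one \\pki store."""
    expected = EXPECTED[component]
    findings = []
    for rel in relative_paths:
        path = PureWindowsPath(rel)
        directory = path.parent.name.lower()
        info = parse_store_name(path.name)
        pair = (info["kind"], info["ext"]) if info else None
        if directory not in expected:
            findings.append(("warn", rel, "not in a certificate store directory"))
        elif info is None:
            findings.append(("warn", rel, "name does not follow the conventions"))
        elif pair not in expected[directory]:
            # Keys are stored unencrypted, so a stray private key ranks highest.
            severity = "high" if info["ext"] == "pvk" else "warn"
            findings.append((severity, rel, f"Table 8-2 lists no {pair[0]} .{pair[1]} "
                             f"file in {directory} for a {component} store"))
        elif pair == ("servergroupca", "pvk"):
            findings.append(("advisory", rel, "server group root private key is "
                             "online; archive it once the group's servers are added"))
    return sorted(findings)


def superseded(relative_paths):
    """Files whose counter is below the highest seen for the same entity."""
    newest, parsed = {}, []
    for rel in relative_paths:
        info = parse_store_name(PureWindowsPath(rel).name)
        if info:
            key = (info["server"], info["guid"], info["kind"], info["ext"])
            newest[key] = max(newest.get(key, -1), info["counter"])
            parsed.append((rel, key, info["counter"]))
    return sorted(rel for rel, key, counter in parsed if counter < newest[key])


GUID = "0123456789abcdef0123456789abcdef"  # constructed placeholder GUID
SAMPLE_PRIMARY = [  # constructed listing, paths relative to \pki
    f"certs\\SRV-A.{GUID}.0.server.cer",
    f"certs\\SRV-A.{GUID}.1.server.cer",
    f"certs\\SRV-A.{GUID}.0.loginca.cer",
    "certs\\backup-copy.pem",
    f"private-keys\\{GUID}.0.servergroupca.pvk",
    f"private-keys\\SRV-A.{GUID}.1.server.pvk",
    f"roots\\{GUID}.0.servergroupca.cer",
]
SAMPLE_CONSOLE = [  # constructed Symantec System Center listing
    f"roots\\{GUID}.0.servergroupca.cer",
    f"private-keys\\{GUID}.0.servergroupca.pvk",
]

if __name__ == "__main__":
    for component, listing in (("primary", SAMPLE_PRIMARY),
                               ("system-center", SAMPLE_CONSOLE)):
        for severity, rel, reason in audit_store(component, listing):
            print(f"{component:13} {severity:8} {rel}: {reason}")
    print("superseded:", superseded(SAMPLE_PRIMARY))
```

Treating the highest counter as the current file is an inference from the counter description above, so review superseded files before removing anything.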

Server group root key archival

You must closely guard the private key that is associated with the server group root certificate. No tool should be capable of moving your private key from the primary server in your environment. You should back up your private key to a removable storage device, secure the device in a vault, delete it from the primary server, and remove it from the Recycle Bin on Windows computers. Use this key when you add secondary servers only. When you need to add secondary servers, replace the private key in the private-keys directory on the primary server, add the secondary server, and then re-secure the key.

Warning: Do not lose your server group root private key. If you do, you will not be able to add secondary servers to your server group. If you lose your key, create another server group and move your secondary servers and clients to that group.

About promoting secondary servers to primary servers

When you promote a secondary server to a primary server, the server group private key is not automatically copied to the new primary server even if it exists on the demoted primary server. To add additional servers to the server group that has a new primary server, you must copy the server group private key to the \pki\private-keys directory on the new primary server.

About viewing certificates

Internet Explorer and most Web browsers let you view certificates. Typically, most Web browsers have file associations for the .cer extensions, so you can double-click the .cer files and view them in a certificate viewer. If you have not installed a certificate in a Web browser before you view it, the certificate viewer typically lets you know that the certificate is not to be trusted. If you install the certificate from the certificate viewer, most Web browsers then trust the certificate, and display additional information about the certificate.

About preserving certificates and issue time

Login certificates are short-lived and are not normally preserved on management servers like server and login CA certificates are. Furthermore, certificate names do not indicate the date and time that they are issued. To preserve all certificates and include the date and time that they are issued in the name, set the following registry key DWORD value to a value other than 0:

HKLM\Software\LANDesk\VirusProtect6\CurrentVersion\ArchiveCerts

When you set the registry key DWORD value to non-0 on a management server, issued-yymmddhhmmssmmmm-<certtype>.cer certificate files are written to the \Program Files\SAV directory every time that a new certificate is issued. The YYMMDDHHMMSSMMMM is a hex output of 2-digit year, 2-digit month, 2-digit day, 2-digit 24 hour, 2-digit minute, 2-digit seconds, and 4-digit milliseconds.

Install a primary server and secondary server in each server group

A best practice for implementing server groups is to always have a primary server and secondary server in each group. When a server group contains two or more antivirus servers, every server other than the primary antivirus server is defined as a secondary server. Symantec AntiVirus servers do not require server operating systems, and do not support scanning.

If your server group contains only one antivirus server, which would be the primary server, and if that server crashes, you will not be able to unlock and manage that server group from the Symantec System Center, and your certificate infrastructure will become obsolete until you restore a backup. If you have a secondary antivirus server in the group, you will be able to unlock that server group, promote the secondary server to a primary server, move the clients to the new primary server by copying the Grc.dat file from the primary server to the clients, and reestablish communications with your managed clients.
For additional information about the Grc.dat file and client communications, refer to the Symantec AntiVirus Installation Guide in the client installation chapter.



More information

Symantec Mail Security for Domino

Symantec Mail Security for Domino Getting Started Symantec Mail Security for Domino About Symantec Mail Security for Domino Symantec Mail Security for Domino is a complete, customizable, and scalable solution that scans Lotus Notes database

More information

Legal Notes. Regarding Trademarks. 2012 KYOCERA Document Solutions Inc.

Legal Notes. Regarding Trademarks. 2012 KYOCERA Document Solutions Inc. Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for any problems arising from

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features in this chapter apply to IPv4 and IPv6 unless otherwise noted. Secure

More information

Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide

Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide for Windows Release 7.5 Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide The software described in this

More information

Recovering Encrypted Disks Using Windows Preinstallation Environment. Technical Note

Recovering Encrypted Disks Using Windows Preinstallation Environment. Technical Note Recovering Encrypted Disks Using Windows Preinstallation Environment Technical Note Preface Documentation version Documentation version: 11.0, Release Date: Legal Notice Copyright Symantec Corporation.

More information

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Using etoken for SSL Web Authentication. SSL V3.0 Overview Using etoken for SSL Web Authentication Lesson 12 April 2004 etoken Certification Course SSL V3.0 Overview Secure Sockets Layer protocol, version 3.0 Provides communication privacy over the internet. Prevents

More information

Symantec Critical System Protection Configuration Monitoring Edition Release Notes

Symantec Critical System Protection Configuration Monitoring Edition Release Notes Symantec Critical System Protection Configuration Monitoring Edition Release Notes Symantec Critical System Protection Configuration Monitoring Edition Release Notes The software described in this book

More information

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Certificate Management. PAN-OS Administrator s Guide. Version 7.0 Certificate Management PAN-OS Administrator s Guide Version 7.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

SafeGuard Enterprise upgrade guide. Product version: 6.1

SafeGuard Enterprise upgrade guide. Product version: 6.1 SafeGuard Enterprise upgrade guide Product version: 6.1 Document date: February 2014 Contents 1 About this guide...3 2 Check the system requirements...4 3 Download installers...5 4 About upgrading...6

More information

webmethods Certificate Toolkit

webmethods Certificate Toolkit Title Page webmethods Certificate Toolkit User s Guide Version 7.1.1 January 2008 webmethods Copyright & Document ID This document applies to webmethods Certificate Toolkit Version 7.1.1 and to all subsequent

More information

IBM Client Security Solutions. Client Security User's Guide

IBM Client Security Solutions. Client Security User's Guide IBM Client Security Solutions Client Security User's Guide December 1999 1 Before using this information and the product it supports, be sure to read Appendix B - Notices and Trademarks, on page 22. First

More information

X.509 Certificate Generator User Manual

X.509 Certificate Generator User Manual X.509 Certificate Generator User Manual Introduction X.509 Certificate Generator is a tool that allows you to generate digital certificates in PFX format, on Microsoft Certificate Store or directly on

More information

Symantec Endpoint Protection and Symantec Network Access Control Client Guide

Symantec Endpoint Protection and Symantec Network Access Control Client Guide Symantec Endpoint Protection and Symantec Network Access Control Client Guide Symantec Endpoint Protection and Symantec Network Access Control Client Guide The software described in this book is furnished

More information

Symantec Security Information Manager 4.5 Installation Guide

Symantec Security Information Manager 4.5 Installation Guide Symantec Security Information Manager 4.5 Installation Guide PN: 10912602 Symantec Security Information Manager 4.5 Installation Guide The software described in this book is furnished under a license agreement

More information

Client Guide for Symantec Endpoint Protection and Symantec Network Access Control

Client Guide for Symantec Endpoint Protection and Symantec Network Access Control Client Guide for Symantec Endpoint Protection and Symantec Network Access Control Client Guide for Symantec Endpoint Protection and Symantec Network Access Control The software described in this book is

More information

Symantec AntiVirus Corporate Edition Client Guide

Symantec AntiVirus Corporate Edition Client Guide Symantec AntiVirus Corporate Edition Client Guide Symantec AntiVirus Corporate Edition Client Guide The software described in this book is furnished under a license agreement and may be used only in accordance

More information

Symantec Security Information Manager 4.8 Release Notes

Symantec Security Information Manager 4.8 Release Notes Symantec Security Information Manager 4.8 Release Notes Symantec Security Information Manager 4.8 Release Notes The software described in this book is furnished under a license agreement and may be used

More information

PGP Portable Quick Start Guide Version 10.2

PGP Portable Quick Start Guide Version 10.2 PGP Portable Quick Start Guide Version 10.2 Introduction to PGP Portable Use PGP Portable to distribute encrypted files to users who do not have PGP Desktop software. Use PGP Portable to transport files

More information

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Windows Server 2003, Windows Server 2008 5.1 Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Copyright

More information

Symantec Endpoint Protection Integration Component 7.5 Release Notes

Symantec Endpoint Protection Integration Component 7.5 Release Notes Symantec Endpoint Protection Integration Component 7.5 Release Notes Symantec Endpoint Protection Integration Component 7.5 Release Notes Legal Notice Copyright 2013 Symantec Corporation. All rights reserved.

More information

Chapter 7 Managing Users, Authentication, and Certificates

Chapter 7 Managing Users, Authentication, and Certificates Chapter 7 Managing Users, Authentication, and Certificates This chapter contains the following sections: Adding Authentication Domains, Groups, and Users Managing Certificates Adding Authentication Domains,

More information

NetBackup Backup, Archive, and Restore Getting Started Guide

NetBackup Backup, Archive, and Restore Getting Started Guide NetBackup Backup, Archive, and Restore Getting Started Guide UNIX, Windows, and Linux Release 6.5 Veritas NetBackup Backup, Archive, and Restore Getting Started Guide Copyright 2007 Symantec Corporation.

More information

Symantec Mobile Security Manager Administration Guide

Symantec Mobile Security Manager Administration Guide Symantec Mobile Security Manager Administration Guide Symantec Mobile Security Manager The software described in this book is furnished under a license agreement and may be used only in accordance with

More information

PGP Desktop Version 10.2 for Windows Maintenance Pack Release Notes

PGP Desktop Version 10.2 for Windows Maintenance Pack Release Notes PGP Desktop Version 10.2 for Windows Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of PGP

More information

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0 Entrust Managed Services PKI Getting started with digital certificates and Entrust Managed Services PKI Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust

More information

PGP Desktop Version 10.2 for Mac OS X Maintenance Pack Release Notes

PGP Desktop Version 10.2 for Mac OS X Maintenance Pack Release Notes PGP Desktop Version 10.2 for Mac OS X Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of PGP

More information

UltraBac Documentation. UBDR Gold. Administrator Guide UBDR Gold v8.0

UltraBac Documentation. UBDR Gold. Administrator Guide UBDR Gold v8.0 UltraBac Documentation UBDR Gold Bare Metal Disaster Recovery Administrator Guide UBDR Gold v8.0 UBDR Administrator Guide UBDR Gold v8.0 The software described in this guide is furnished under a license

More information

Symantec Enterprise Security Manager Modules for Sybase Adaptive Server Enterprise Release Notes 3.1.0

Symantec Enterprise Security Manager Modules for Sybase Adaptive Server Enterprise Release Notes 3.1.0 Symantec Enterprise Security Manager Modules for Sybase Adaptive Server Enterprise Release Notes 3.1.0 Release 3.1.0 for Symantec ESM 6.5.x and 9.0.1 Symantec Enterprise Security Manager Modules for Sybase

More information

Configuring, Customizing, and Troubleshooting Outlook Express

Configuring, Customizing, and Troubleshooting Outlook Express 3 Configuring, Customizing, and Troubleshooting Outlook Express............................................... Terms you ll need to understand: Outlook Express Newsgroups Address book Email Preview pane

More information

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide Symantec Database Security and Audit 3100 Series Appliance Getting Started Guide Symantec Database Security and Audit 3100 Series Getting Started Guide The software described in this book is furnished

More information

Configuration (X87) SAP Mobile Secure: SAP Afaria 7 SP5 September 2014 English. Building Block Configuration Guide

Configuration (X87) SAP Mobile Secure: SAP Afaria 7 SP5 September 2014 English. Building Block Configuration Guide SAP Mobile Secure: SAP Afaria 7 SP5 September 2014 English Afaria Network Configuration (X87) Building Block Configuration Guide SAP SE Dietmar-Hopp-Allee 16 69190 Walldorf Germany Copyright 2014 SAP SE

More information

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer.

More information

Dell Statistica 13.0. Statistica Enterprise Installation Instructions

Dell Statistica 13.0. Statistica Enterprise Installation Instructions Dell Statistica 13.0 2015 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or

More information

HP ProtectTools Embedded Security Guide

HP ProtectTools Embedded Security Guide HP ProtectTools Embedded Security Guide Document Part Number: 364876-001 May 2004 This guide provides instructions for using the software that allows you to configure settings for the HP ProtectTools Embedded

More information

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Windows Server 2003, Windows Server 2008 5.1 Service Pack 1 Veritas Cluster Server Database Agent for Microsoft SQL Configuration

More information

Net Protector Admin Console

Net Protector Admin Console Net Protector Admin Console USER MANUAL www.indiaantivirus.com -1. Introduction Admin Console is a Centralized Anti-Virus Control and Management. It helps the administrators of small and large office networks

More information

Securing your Microsoft Internet Information Services (MS IIS) Web Server with a thawte Digital Certificate thawte thawte thawte thawte thawte 10.

Securing your Microsoft Internet Information Services (MS IIS) Web Server with a thawte Digital Certificate thawte thawte thawte thawte thawte 10. Securing your Microsoft Internet Information Services (MS IIS) Web Server with a thawte Digital Certificate A STEP-BY-STEP GUIDE to test, install and use a thawte Digital Certificate on your MS IIS Web

More information

Symantec Enterprise Security Manager Policy Manual for Visa Cardholder Information Security Program (CISP) For Windows

Symantec Enterprise Security Manager Policy Manual for Visa Cardholder Information Security Program (CISP) For Windows Symantec Enterprise Security Manager Policy Manual for Visa Cardholder Information Security Program (CISP) For Windows Symantec Enterprise Security Manager Policy Manual for Visa Cardholder Information

More information

Network Management Card Wizard--1. Introduction... 1 Using the Network Management Card Wizard... 5

Network Management Card Wizard--1. Introduction... 1 Using the Network Management Card Wizard... 5 Contents Network Management Card Wizard--1 Introduction....................................... 1 Using the Network Management Card Wizard................ 5 File Transfers--10 Introduction......................................

More information

SafeGuard Enterprise upgrade guide. Product version: 7

SafeGuard Enterprise upgrade guide. Product version: 7 SafeGuard Enterprise upgrade guide Product version: 7 Document date: December 2014 Contents 1 About this guide...3 2 Check the system requirements...4 3 Download installers...5 4 About upgrading...6 4.1

More information

Veritas Cluster Server Getting Started Guide

Veritas Cluster Server Getting Started Guide Veritas Cluster Server Getting Started Guide Windows Server 2003, Windows Server 2008 5.1 Service Pack 2 21101490 Veritas Cluster Server Getting Started Guide The software described in this book is furnished

More information

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Email Gateway

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Email Gateway Unifying Information Security Implementing TLS on the CLEARSWIFT SECURE Email Gateway Contents 1 Introduction... 3 2 Understanding TLS... 4 3 Clearswift s Application of TLS... 5 3.1 Opportunistic TLS...

More information