Symantec AntiVirus Corporate Edition Administrator's Guide
- Harold Lamb
- 10 years ago
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version

Legal Notice

Copyright 2006 Symantec Corporation. All rights reserved.

Federal acquisitions: Commercial Software - Government Users Subject to Standard License Terms and Conditions.

Symantec, the Symantec logo, LiveUpdate, Norton AntiVirus, Symantec AntiVirus, Symantec Client Security, Symantec Security Response, and Symantec System Center are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be "commercial computer software" and "commercial computer software documentation" as defined in FAR Sections and DFARS Section

Symantec Corporation
Stevens Creek Blvd.
Cupertino, CA USA
Technical Support

Contacting Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's maintenance offerings include the following:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and web-based support that provides rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
- Advanced features, including Technical Account Management

For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL: Select your country or language under Global Support.

The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you are using.

Customers with a current maintenance agreement may access Technical Support information at the following URL: Select your region or language under Global Support.

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.
When you contact Technical Support, please have the following information available:
- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: Select your region or language under Global Support, and then select the Licensing and Registration page.

Customer service

Customer service information is available at the following URL: Select your country or language under Global Support.

Customer Service is available to assist with the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade insurance and maintenance contracts
- Information about the Symantec Value License Program
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
- Asia-Pacific and Japan:
- Europe, Middle-East, and Africa:
- North America and Latin America:

Additional Enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:
- Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
- Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
- Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
- Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL: Select your country or language from the site index.
Contents

Technical Support

Section 1 Managing Symantec AntiVirus

Chapter 1 Symantec AntiVirus basics
  About Symantec AntiVirus
  About the Symantec System Center
  Symantec System Center console icons
  Using the Symantec System Center
  Starting the Symantec System Center
  Selecting a primary management server for a server group
  About console views
  Changing console views
  Saving console settings
  Customizing console view columns
  Showing when clients are offline
  Showing client Auto-Protect status
  Showing client infection state
  About refreshing the console
  About the Discovery Service
  How Discovery works
  Types of Discovery
  Discovery Service requirement for WINS or Active Directory
  NetWare computers and the Discovery Service
  Running the Discovery Service
  Configuring the Discovery Service to use IP addresses
  Configuring the Discovery Service
  Configuring the Discovery Cycle interval
  Using the Find Computer feature
  Finding computers using a local cache search
  Finding computers using a network search
  Locating found items in the Symantec System Center console
  Using the Refresh feature
  Auditing computers
  Configuring login certificates
  Configuring login certificate lifetime and time tolerance
  Configuring login certificate key size

Chapter 2 Managing Symantec AntiVirus
  About servers
  About primary management servers
  About secondary management servers
  About parent management servers
  About server groups and client groups
  Deciding whether to use server groups, client groups, or both
  About Grc.dat files
  Locating the Symantec AntiVirus program folder
  Client groups and configuration priority
  How settings propagate
  Server and client group scenario
  Using server groups to manage
  Creating server groups
  Locking and unlocking server groups
  Viewing and filtering server groups
  Renaming server groups
  Deleting server groups
  Changing primary management servers
  Changing parent management servers
  Moving a server to a different server group
  Best practice: maintaining server-client communication
  Restoring client communication when a primary server is lost
  Restoring communication with a server group
  Managing user accounts for server groups
  Configuring options for Windows Security Center (WSC)
  Configuring the out-of-date time for definitions
  Configuring alerts to appear on the host computer
  Configuring Symantec AntiVirus to disable Windows Security Center
  Optimizing server performance
  Optimizing definitions and configuration rollouts
  Monitoring clients
  Using Tamper Protection
  Enabling, disabling, and configuring Tamper Protection
  Creating Tamper Protection messages
  Using client groups to manage
  Creating client groups
  Adding clients to a client group
  Configuring settings and running tasks at the client group level
  About client group settings
  Moving a client to a different client group
  Viewing and filtering client groups
  Renaming client groups
  Deleting client groups
  Using client group settings instead of server group settings
  Managing clients
  Managing legacy clients
  Enabling direct client configuration
  Handling clients with intermittent connectivity
  Changing the management mode of a client
  Restoring communication between servers and managed client computers
  Restoring communication if you have made a server change or reinstalled a client computer
  Restoring communication when you use a drive image to create clones on the same network
  Restoring communication if the client computers can receive definitions updates
  Restoring communication if the client computers cannot receive definitions updates

Chapter 3 Alert Management System
  About the Alert Management System
  How Alert Management System works
  Configuring alert actions
  Alert configuration tasks
  Speeding up alert configuration
  Configuring the Message Box alert action
  Configuring the Broadcast alert action
  Configuring the Run Program alert action
  Configuring the Load An NLM alert action
  Configuring the Send Internet Mail alert action
  About paging services
  Configuring the Send Page alert action
  Configuring the Send SNMP Trap alert action
  Configuring the Write To Event Log alert action
  About configuring alert action messages
  Configuring a default alert message
  Working with configured alerts
  Testing configured alert actions
  Deleting an alert action from an alert
  Exporting alert actions to other computers
  Using the Alert Management System Alert Log
  Viewing detailed alert information
  Filtering the Alert Log display list
  Forwarding alerts from unmanaged clients

Section 2 Configuring antivirus protection

Chapter 4 Scanning for viruses and security risks
  About viruses and security risks
  About Symantec AntiVirus scans
  About the automatic exclusion of Microsoft Exchange files and directories
  About the global exclusion of security risks from scans
  Understanding Auto-Protect scans
  About manual scans
  About virus sweep scans
  About scheduled scans
  Selecting computers to scan
  About inclusions and exclusions in scans
  Configuring file and folder inclusions and exclusions
  If client applications use a single Inbox file
  Configuring global security risk exclusions
  About actions for viruses and security risks that scans detect
  Configuring Auto-Protect
  About propagating Auto-Protect settings
  Locking and unlocking Auto-Protect options
  Configuring File System Auto-Protect
  Configuring Auto-Protect scanning for groupware applications
  Configuring Auto-Protect scanning for Internet
  Configuring manual scans
  Configuring actions for manual scans
  Configuring notifications for manual scans
  Creating and configuring scheduled scans
  Creating scheduled scans
  Configuring scheduled scans
  Managing the client user experience
  Enabling users to pause, snooze, or stop scheduled scans
  Preventing or allowing users to unload Symantec AntiVirus services
  Changing the password that is required to uninstall
  Changing the password that is required to scan mapped drives
  Modifying scanning options for clients
  Displaying a warning when definitions are out of date or missing
  Managing warnings and notifications about infected files

Chapter 5 Updating definitions
  About definitions
  About legacy client definitions
  Definitions files update methods
  Best practice: Using the Virus Definition Transport Method and LiveUpdate together
  Best practice: Using Continuous LiveUpdate on 64-bit computers
  Updating definitions files on servers
  Updating and configuring servers using the Virus Definition Transport Method
  Updating servers using LiveUpdate
  Updating servers with Intelligent Updater
  Updating virus definitions by using an .xdb file
  About using Central Quarantine polling to update servers
  Minimizing network traffic and handling missed updates
  Updating definitions files on clients
  Forcing definitions files on clients to update immediately
  Configuring managed clients to use an internal LiveUpdate server
  Enabling and configuring Continuous LiveUpdate for managed clients
  Setting LiveUpdate usage policies
  Controlling definitions file deployment
  Finding computers with outdated definitions files
  Verifying the version number of definitions files
  Viewing the risk list
  Rolling back definitions files
  Testing definitions files
  Scenarios for definitions updates
  About scanning after updating definitions files

Chapter 6 Responding to virus outbreaks
  Preparing for virus outbreaks
  Creating a virus outbreak plan
  Defining Symantec AntiVirus actions for handling suspicious files
  Specifying a local quarantine directory
  Configuring automatic Quarantine purge options
  Registry settings for Quarantine Purge options
  Forwarding items to the Quarantine Server
  Enabling scan and deliver
  Configuring actions to take when new definitions arrive
  Handling a virus outbreak on your network
  Using alerts and messages
  Running a virus sweep
  Tracking virus alerts using reporting, Event Logs, and Histories
  Tracking submissions to Symantec Security Response with Central Quarantine Console

Chapter 7 Managing roaming clients
  About roaming clients
  Roaming client components
  How roaming works
  Implementing roaming
  Analyzing and mapping your Symantec AntiVirus network
  Identifying servers for each hierarchical level
  Creating a list of level 0 Symantec AntiVirus servers
  Creating a hierarchical list of Symantec AntiVirus servers
  Configuring roaming client support options from the Symantec System Center console
  Roaming server example
  Command-line options
  Registry values

Chapter 8 Working with Histories and Event Logs
  About Histories and Event Logs
  Sorting and filtering History and Event Log data
  About Event Log icons
  Viewing Histories
  Working with Histories
  Working with Scan Histories
  Working with Risk Histories
  Viewing Risk properties
  Working with Tamper Histories
  Working with Virus Sweep Histories
  Forwarding client and server logs
  Configuring log forwarding options
  Configuring log events to forward
  Best practice: configuring events to forward for sometimes-managed clients
  Reviewing the forwarding status file
  Deleting Histories and Event Logs

Index
Section 1

Managing Symantec AntiVirus
- Symantec AntiVirus basics
- Managing Symantec AntiVirus
- Alert Management System
Chapter 1

Symantec AntiVirus basics

This chapter includes the following topics:
- About Symantec AntiVirus
- About the Symantec System Center
- Using the Symantec System Center
- About the Discovery Service
- Running the Discovery Service
- Using the Find Computer feature
- Configuring login certificates

About Symantec AntiVirus

For workstations and network servers, Symantec AntiVirus provides scalable, cross-platform protection from viruses and security risks, and repairs their side effects. Among the tasks you can perform by using Symantec AntiVirus are the following:
- Establish and enforce an antivirus and security risk policy for your business.
- Retrieve content updates such as virus and security risk definitions.
- Quarantine and delete live viruses.
- Analyze logged events.
- Create pre-defined and customizable graphical reports that are based on Symantec AntiVirus security information from your network.
Symantec AntiVirus product components and system requirements, including the protocols and ports that are used for Symantec AntiVirus, are described in the Symantec AntiVirus Installation Guide.

Note: The Symantec AntiVirus client software provides antivirus and security risk protection for supported Windows 32-bit and 64-bit computers. The Symantec AntiVirus client software protects both networked and non-networked computers.

The term Symantec AntiVirus refers to both the Symantec AntiVirus server and the Symantec AntiVirus client software. Computers that run Symantec AntiVirus server software might be required to do so because of system requirements. Computers that run Symantec AntiVirus server software are not required to act as management servers. The Symantec AntiVirus server software can manage other computers that run Symantec AntiVirus and supported legacy versions of Norton AntiVirus Corporate Edition. It can also push configuration updates, as well as virus and security risk definitions file updates, to these clients. The Symantec AntiVirus server software also provides antivirus and security risk protection for the computers on which it runs.

Note: The Symantec AntiVirus server software is not supported on 64-bit computers.

About the Symantec System Center

By using the Symantec System Center, you can manage network security by performing administrative operations such as the following:
- Installing antivirus and security risk protection on workstations and network servers.
- Updating Symantec AntiVirus definitions.
- Managing Symantec AntiVirus servers and clients.
- Managing content licensing, if you use a content license rather than a site license for your computers. See the Content Licensing chapter in the Symantec AntiVirus Installation Guide.

In addition to the Symantec System Center, you can also use Grc.dat configuration files to configure Symantec AntiVirus clients. You can use configuration files if you want to use a third-party tool to remotely configure your network.
The following information about the Symantec System Center is not included in this guide:
- Information about the configuration and use of reporting functionality is in the Reporting User's Guide.
- Information about the configuration and use of endpoint compliance functionality is in the Endpoint Compliance Implementation Guide.

Symantec System Center console icons

When the Symantec System Center runs, it displays a system hierarchy of server groups, client groups, and the servers that the icons represent. The icons appear in an expandable hierarchy in the Symantec System Center console. The Symantec System Center uses icons to represent the different states of computers that are running Symantec managed products. For example, if the server group icon in the server group view appears with a padlock icon, the server group must be unlocked with its password before you can configure or run scans for the computers in the server group. Table 1-1 describes the Symantec System Center icons.

Table 1-1 Symantec System Center icons (the icon images are not reproduced here; each entry below is the description of one icon)
- Highest level object representing the system hierarchy, which contains all server groups.
- Unlocked server group or client group. Compare this icon to the locked server group icon. For security reasons, all server groups default to locked when you start the Symantec System Center.
- Locked server group. You must enter a password before you can view the computers in the server group to configure and run updates and scans.
- An issue needs to be resolved in this server group. For example, there may not be a primary management server that is assigned to the server group, or a server may have detected a virus or security risk.
- A security risk, such as adware or spyware, was detected on a computer in this server group. Note: If Symantec AntiVirus detects both a virus and a security risk on the same computer, the virus icon appears.
Table 1-1 Symantec System Center icons (continued)
- Symantec AntiVirus server running on a supported computer. Compare this icon to the next one, which is the primary management server for the server group.
- Symantec AntiVirus primary management server running on a supported computer.
- Unavailable Symantec AntiVirus server. This icon appears when communication is severed between the Symantec AntiVirus server and the Symantec System Center console. The communication error may result from one of several different causes. For example, the server system is not running; the Symantec software has been removed; the server, client, and Symantec System Center system times are out of sync; or there could be a network failure between the console and the system.
- A virus was detected on the computer that is running Symantec AntiVirus server.
- A security risk, such as adware or spyware, was detected on the computer that is running Symantec AntiVirus server. If Symantec AntiVirus detects both a virus and a security risk on the same computer, the virus icon appears.
- Symantec AntiVirus client running on a supported Windows computer. If you use Symantec endpoint compliance, this icon also indicates that this client computer is compliant. When you select this computer, you view options only on that computer.
- A virus was detected on the computer that is running Symantec AntiVirus client. Note: Client infection state will not display in the Symantec System Center console unless you enable that option under Tools > SSC Console Options, on the Virus Alert Filter tab.
- A security risk, such as adware or spyware, was detected on the computer that is running Symantec AntiVirus client. If Symantec AntiVirus detects both a virus and a security risk on the same computer, the virus icon appears.
Table 1-1 Symantec System Center icons (continued)
- An issue needs to be resolved with this client. For example, virus and security risk definitions files may be out of date, or the client group to which the client was assigned may no longer be valid. The status field in the Symantec System Center console indicates the actual problem.
- This computer, which runs Symantec AntiVirus client software, has access to the network, but failed an endpoint compliance audit. You may want to examine why it failed and take action to remediate the problem.
- The computer, which runs Symantec AntiVirus client software, failed an endpoint compliance check.
- The computer, which runs Symantec AntiVirus client software, is not currently connected to the network. This situation could occur because the server, client, and Symantec System Center system times are out of sync. You must enable a setting for the Symantec System Center console to show when clients are not connected to the network.

Using the Symantec System Center

The system hierarchy in the Symantec System Center console is the top level that contains all server groups and client groups.

Note: The system hierarchy is not populated until you install at least one Symantec AntiVirus server.

Starting the Symantec System Center

Start the Symantec System Center when you want to manage Symantec AntiVirus.

Note: You can use the Run As command from the Start menu to open the Symantec System Center, but there is a restriction. The Symantec System Center will not open when you are running as Current User and also have checked the "Protect my computer and data from unauthorized program activity" box.
To start the Symantec System Center
- On the Windows taskbar, click Start > Programs > Symantec System Center Console > Symantec System Center Console.

The Symantec System Center opens to the Default Console View.

Figure 1-1 The Symantec System Center console (screenshot not reproduced; its callouts are: console tree tab, top server group level, contents of the object selected in the tree appear in the right pane, locked server group, unlocked server group, client groups)

Note: You can use a remote terminal session to view the Symantec System Center console and to view reports from the console.

Selecting a primary management server for a server group

If you have not already done so, the first thing that you must do to use Symantec System Center is to assign a primary management server for the server group that you created at the time of installation. You must specify a server in the server group as the primary management server; no server is specified as the primary management server by default. Until you specify a primary management server, you cannot perform most Symantec product management operations.

After promoting a server to primary and installing additional secondary management servers, you should remove and archive the server group private key from the pki\private-keys directory that is located under the Symantec AntiVirus directory that you selected at the time of installation.
For more information, see the Symantec AntiVirus Reference Guide.

When you select a server group object in the Symantec System Center console and set options, the settings are saved to the primary management server in the server group. Other servers in the server group also use the new configuration.

Computers that are running any of the following operating systems can be primary management servers:
- Windows 2000 Server/Advanced Server/Professional
- Windows Server 2003 Web/Standard/Enterprise/Datacenter Editions
- Windows XP Professional

The primary management server plays an important role, so select a stable server that is always running.

To select the primary management server for a server group
- Right-click the server that you want to be the primary management server, and then click Make Server A Primary Server.

About console views

Each product management snap-in makes a new product view available within the Symantec System Center console. For example, when you install the Symantec AntiVirus management snap-in, the Symantec AntiVirus view is added, which includes the fields that are related to Symantec AntiVirus, such as Last Scan and Definitions.

Note: After an initial client software installation, the user's logon domain information does not appear in the Symantec System Center until the client computer is restarted. After a restart, this information is available in the Symantec System Center Symantec AntiVirus View, the network audit results, the Event Log, the Risk History, and the Tamper History. In the Symantec AntiVirus user interface, it is available in the Event Log, the Risk History, and the Tamper History.

Changing console views

Unless you change the view, the Symantec System Center console displays the Default Console View. The other views available depend upon which managed Symantec AntiVirus snap-ins you have installed.
To change console views
1 In the left pane, right-click an object, such as System Hierarchy.
2 On the View menu, in the list that appears at the bottom of the menu, click a view.

Saving console settings

When you close the Symantec System Center, you are prompted to save Microsoft Management Console (MMC) console settings for the Symantec System Center. This process has no effect on the Symantec AntiVirus configuration changes that you make when you use the Symantec System Center.

To save console settings
Do one of the following:
- Click Yes if you want to see the same console view the next time that you launch the Symantec System Center.
- Click No if you want to see the last saved view the next time you launch the Symantec System Center.

Customizing console view columns

The columns that appear in the right pane change based on the selected view. When System Hierarchy is selected, the Default Console View includes the following data columns: Name, Status, Primary Server, Valid State.

Table 1-2 lists the data columns in the Symantec AntiVirus view.

Table 1-2 Data columns in the Symantec AntiVirus view (level selected in left pane: data columns that appear in right pane)
- System hierarchy: Server Group, Status, Definition Sharing, Newest Definitions, Status of Server Updates
- Server group: Server, Type, Status, Last Scan, Definitions Version, Scan Engine, Address, Status of Client Updates
- Groups (for client groups): Group Name, Configuration Change Date, Number of Clients
- Client group or server: Client, User (including the domain that authenticated the user), Status, Last Scan, Definitions Version, Scan Engine, Address, Group, Server

You can rearrange the order of the columns to better suit your needs.

To customize the columns in a view
1 In the left pane, under Symantec System Center, select an object.
2 On the View menu, in the list that appears at the bottom of the menu, select the view that you want to customize.
3 On the View menu at the top of the Symantec System Center window, click Choose Columns.
4 In the Modify Columns dialog box, use the Add, Remove, Move Up, and Move Down buttons to customize your view as needed, or use Reset to return the settings to the last saved state.
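Under "Selecting a primary management server for a server group" above, the guide tells you to remove and archive the server group private key from the pki\private-keys directory once the primary has been promoted and the secondary management servers are installed, but it does not say how. The following PowerShell script is an added example written for this page; it is not part of the Symantec guide or product. It assumes the default install directory C:\Program Files\SAV (substitute the directory you chose at install time), an archive volume E:\sav-key-archive that is offline or removable, and PowerShell 3.0 or later. It copies every file in the private-key directory to a timestamped folder that only Administrators and SYSTEM can open, verifies each copy by SHA-256 before the original is deleted, and writes the hashes next to the archive.

```powershell
# Added example, not from the Symantec guide. Archives the server group private
# key out of <SAV install dir>\pki\private-keys and deletes the on-server copy
# only after the archived copy has been verified. Paths are assumptions.
param(
    [string]$SavRoot     = 'C:\Program Files\SAV',  # assumed install dir
    [string]$ArchiveRoot = 'E:\sav-key-archive'      # assumed offline volume
)

$keyDir = Join-Path $SavRoot 'pki\private-keys'
if (-not (Test-Path $keyDir)) { throw "Private key directory not found: $keyDir" }

$keys = @(Get-ChildItem -Path $keyDir -File)
if ($keys.Count -eq 0) {
    Write-Host "No private key files in $keyDir; nothing to archive."
    exit 0
}

# One archive folder per server and run, so repeated runs never overwrite.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $ArchiveRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Drop inherited ACEs and grant only Administrators and SYSTEM.
$acl = Get-Acl -Path $dest
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $dest -AclObject $acl

$sha = [System.Security.Cryptography.SHA256]::Create()
$sums = Join-Path $dest 'SHA256SUMS.txt'
foreach ($f in $keys) {
    $target = Join-Path $dest $f.Name
    Copy-Item -Path $f.FullName -Destination $target
    $h1 = [BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($f.FullName))) -replace '-', ''
    $h2 = [BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($target))) -replace '-', ''
    if ($h1 -ne $h2) {
        # Never delete the original on a bad copy; leave both for inspection.
        throw "Hash mismatch for $($f.Name); original left in place."
    }
    "$h1  $($f.Name)" | Add-Content -Path $sums
    Remove-Item -Path $f.FullName -Force
    Write-Host "Archived $($f.Name) -> $target"
}
$sha.Dispose()
```

Run it on the primary management server from an administrative PowerShell session, and only after the last secondary server is installed, which is the point at which the guide says to remove the key. Because the original is deleted only after its archived copy hashes identically, a failed or partial copy cannot leave you with no usable key. Once the script has run, the archive folder holds the only copy of the server group private key, so the archive volume needs at least the protection the server had; note also that any full backups of the server taken before this step still contain the key.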
26 26 Symantec AntiVirus basics Using the Symantec System Center Showing when clients are offline You can configure the Symantec System Center console to show when computers running Symantec AntiVirus client software are not currently connected to the network. The icon in the last row of Table 1-1 indicates that the client is offline. To show when clients are offline 1 On the Tools menu, click SSC Console Options. 2 In the SSC Console Options Properties dialog box, on the Client Display tab, under Client Configuration Options, check Indicate when clients are offline. This option is unchecked by default. Showing client Auto-Protect status You can configure the Symantec AntiVirus client or server icon to appear on the Windows system tray. Showing client infection state The icon shows a client or server's Auto-Protect status as follows: When Auto-Protect is enabled, the icon appears as a full shield. When you right-click the icon, a check mark appears before Enable Auto-Protect. When Auto-Protect is disabled, the icon is covered by a universal no sign (a red circle with a diagonal slash). When you right-click the icon, no check mark appears before Enable Auto-Protect. You can configure the Symantec System Center to display client infection state that is based on client check-in data on the Symantec System Center console. This option is disabled by default. To show client infection state on the Symantec System Center console 1 On the Tools menu, click SSC Console Options. 2 In the SSC Console Options Properties dialog box, on the Virus Alert Filter tab, check Display the infected state of each client that is based on client check-in data.
27 Symantec AntiVirus basics About the Discovery Service

3 To configure how long the information displays, use the arrows or type the number of days you want virus infection data to remain on the Symantec System Center console. By default, the console does not display the infections that occurred more than three days ago.
4 To reset the Symantec System Center to display client infection state from the current time forward, check Don't show virus alerts before:, and then click Set to Current Time.

Note: Use the reporting console for more comprehensive and up-to-date infection status. For information about the reporting console, see the Reporting User's Guide.

About refreshing the console

At the first startup of a newly installed Symantec System Center console, the console pings the network to find all available computers that run Symantec AntiVirus server software. As soon as the servers respond, they are added to the console. Connected workstations running a managed Symantec client product are added when their parent management server is selected in the console tree.

If you start the servers that are running a manageable Symantec product while the Symantec System Center is already running, you may need to locate the servers by using the Find Computer feature or by running the Discovery Service so that they appear in the server group view. See Using the Find Computer feature on page 35.

You can also use Discovery to locate network computers on which Symantec AntiVirus is not installed. See About the Discovery Service on page 27.

About the Discovery Service

The Symantec System Center console runs a single service: the Symantec System Center Discovery Service (Nsctop.exe). This service is responsible for discovering the computers running Symantec AntiVirus server software that appear in the Symantec System Center console. The Discovery Service also populates the Symantec System Center console with the objects in the hierarchy.
From the Symantec System Center console, you can select any object beneath the console root, and then choose Discovery Service from the Tools menu to perform a new Discovery of servers.
28 Symantec AntiVirus basics About the Discovery Service

How Discovery works

To discover computers on the network, a computer that runs the Symantec System Center sends several pings to the network. The pings are UDP broadcasts to port The ping program verifies that the remote computer exists and can accept requests. When Symantec AntiVirus servers and AMS2 servers that run the Ping Discovery Service (Intel PDS) hear a ping, they respond with pong packets. Only antivirus servers are discovered by using this ping and pong mechanism.

Symantec AntiVirus finds client information by querying the server for its client information. Clients ping the server to get the port number that the server's Rtvscan listens on. The client's Rtvscan can then send its keep-alive packet to the parent server's Rtvscan, and communication can begin. The keep-alive packet contains information such as the following:
Date of the computer's virus definitions files
When the computer was last infected

IP pings are sent to the remote computer running Symantec AntiVirus server software to determine what type of protocol it uses. Pings are also sent that support Norton AntiVirus Corporate Edition and Intel LANDesk Virus Protect, legacy versions of Symantec AntiVirus.

The data from the computer that runs Symantec AntiVirus client software is stored on the computer that runs Symantec AntiVirus server software that is the client's parent management server. The Symantec System Center console reads each parent management server's registry to get the data that it displays in the console. Following the completion of this process, Normal Discovery runs.

Types of Discovery

Symantec System Center uses the following types of Discovery:
Load from cache only (with or without using IP Discovery)
Local Discovery (with or without using IP Discovery)
Intense Discovery (with or without using IP Discovery)
Normal Discovery (not user-initiated)

Table 1-3 describes the types of Discovery that Symantec AntiVirus uses:
29 Symantec AntiVirus basics About the Discovery Service

Table 1-3 Discovery types

Type: Load from cache only
Description: Load from cache only offers the most basic type of Discovery. It tries to refresh all of the servers for which the Symantec System Center console address cache contains information. Each server is then sent a series of pings to see if the server checks back in, and to refresh information on the console. Load from cache only reduces traffic on the network when you launch the Symantec System Center. In most cases, you may find that choosing Load from cache only finds all of the servers that you need to add to the Symantec System Center console.
What follows: Normal Discovery

Type: Local Discovery (default)
Description: In Local Discovery, a ping packet is broadcast over the local subnet of the computer that runs the Symantec System Center console. Intel PDS services that run on servers on the local subnet reply with pong data. Local Discovery generates less ping noise, but is limited to the local subnet. Local Discovery works very well on small subnets. In very large subnets, you might obtain better results by using Intense Discovery.
What follows: Load from cache only, Normal Discovery

Type: Intense Discovery
Description: Intense Discovery walks My Network Places on the local Windows computer and attempts to resolve all computers that it finds into a network address. When it has the network address, it attempts to send ping requests. You can configure whether Intense Discovery walks the NetWare or Microsoft branches of the network tree, or both. The ability of Intense Discovery to locate computers is limited by several factors: the availability of a Windows Internet Naming Service (WINS) server or Active Directory, network subnet and router configuration, DNS configuration, and Microsoft domain and workgroup configuration. Searching by IP address range in most cases is not affected by these factors. For this reason, you may want to use IP Discovery.
What follows: Local Discovery, Load from cache only, Normal Discovery

Type: Normal Discovery
Description: The Symantec System Center console broadcasts to all servers that are in unlocked server groups. Normal Discovery queries the primary management server of the server group for the list of secondary management servers in its address cache. The Symantec System Center console address cache stores information for all servers that have ever reported to it. The primary management server address cache contains information for every server within the server group. The address cache includes the names of all secondary management servers and their IP addresses. The Symantec System Center console compares its own address cache with the address cache sent by the primary management server. When a mismatch is identified, the console pings the associated server. When the pong data returns, it is added to all other servers in the list. In this way, Normal Discovery can identify every server in the server group and attempt to resolve information conflicts between parent management servers.
What follows: Runs automatically after other types of Discovery; not user-initiated.

You can configure Load from cache only, Local Discovery, and Intense Discovery to use IP Discovery by using either an IP address or an IP subnet address range. You may want to use IP Discovery only periodically to discover computers across the network. After the computers are in the address cache, you can then use the Load from cache only method.

Discovery Service requirement for WINS or Active Directory

The Discovery Service requires the use of Windows Internet Naming Service (WINS) or Active Directory name resolution. If you attempt to run the Discovery Service in an environment where WINS or Active Directory is not available, you need to find at least one computer running Symantec AntiVirus server on your network first.
To find the computer, you can use the Find Computer feature or the Importer tool. See Using the Find Computer feature on page 35. See the Symantec AntiVirus Reference Guide for information about the Importer tool.
31 Symantec AntiVirus basics Running the Discovery Service 31 NetWare computers and the Discovery Service The Discovery Service may not find NetWare computers that are running IP only. To find the computers that are not located by the Discovery Service, you can use the Find Computer feature. See Using the Find Computer feature on page 35. Running the Discovery Service You initiate all types of Discovery in the Symantec System Center console. Note: The Discovery Service uses WINS or Active Directory when it browses for new computers that run Symantec AntiVirus. If you are trying to discover new computers in an environment in which WINS or Active Directory is unavailable, you may want to run the Find Computer feature or the Importer tool first. See Using the Find Computer feature on page 35. See the Symantec AntiVirus Reference Guide for information about the Importer tool. Configuring the Discovery Service to use IP addresses You can run the Discovery Service and find servers with or without including IP addresses and subnets. To configure the Discovery Service to use IP addresses 1 In the left pane, select any object below the console root. 2 On the Tools menu, click Discovery Service.
32 32 Symantec AntiVirus basics Running the Discovery Service 3 In the Discovery Service Properties window, on the Advanced tab, check Enable IP Discovery. Once Enable IP Discovery is checked, an IP Discovery session runs whenever you run an Intense Discovery. To run any type of Discovery without also running IP Discovery, uncheck Enable IP Discovery. You can also access IP Discovery functionality in the Find Computer dialog box. 4 In the Scan Type list, select one of the following: IP Address: The console pings every computer in the range of IP addresses. IP Subnet: The console broadcasts to each subnet. 5 In the Beginning of range and End of range boxes, type the addresses. 6 If you clicked IP Subnet, type the subnet mask to refine the search. IP Address search results appear in the lower portion of the Find Computer dialog box. IP Subnet search results are displayed in the Symantec System Center console status bar.
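The two Scan Type values differ mainly in how many packets the console has to send: IP Address pings every host address between Beginning of range and End of range, while IP Subnet sends one broadcast per subnet that the mask carves out of that range (the Scan Network tab of Find Computer offers the same two choices). The following script is an added example, not part of the Symantec product, that expands a range into the target list each scan type would use; the 10.0.0.0/22 addresses and the mask are constructed sample values, and the script only builds the lists, it sends nothing.

```python
import ipaddress


def ip_address_targets(begin, end):
    """IP Address scan type: one unicast target per host address from begin to end inclusive."""
    lo = ipaddress.IPv4Address(begin)
    hi = ipaddress.IPv4Address(end)
    if lo > hi:
        raise ValueError("Beginning of range must not be after End of range")
    return [str(ipaddress.IPv4Address(i)) for i in range(int(lo), int(hi) + 1)]


def ip_subnet_targets(begin, end, mask):
    """IP Subnet scan type: one directed-broadcast target per subnet of the
    given mask that overlaps the begin..end range (the subnet containing begin,
    the subnet containing end, and every subnet in between)."""
    first = ipaddress.IPv4Network((begin, mask), strict=False)
    last = ipaddress.IPv4Network((end, mask), strict=False)
    if first.network_address > last.network_address:
        raise ValueError("Beginning of range must not be after End of range")
    targets = []
    net = first
    while net.network_address <= last.network_address:
        targets.append(str(net.broadcast_address))
        nxt = int(net.broadcast_address) + 1
        if nxt > 0xFFFFFFFF:            # ran off the end of IPv4 space
            break
        net = ipaddress.IPv4Network((ipaddress.IPv4Address(nxt), mask), strict=False)
    return targets


def discovery_targets(scan_type, begin, end, mask=None):
    """Dispatch on the value chosen in the Scan Type list."""
    if scan_type == "IP Address":
        return ip_address_targets(begin, end)
    if scan_type == "IP Subnet":
        if mask is None:
            raise ValueError("IP Subnet scan needs a subnet mask")
        return ip_subnet_targets(begin, end, mask)
    raise ValueError("unknown scan type: %r" % (scan_type,))


if __name__ == "__main__":
    # Constructed sample range spanning three /24 subnets.
    hosts = discovery_targets("IP Address", "10.0.0.1", "10.0.2.254")
    nets = discovery_targets("IP Subnet", "10.0.0.1", "10.0.2.254", "255.255.255.0")
    print(len(hosts), "unicast pings versus", len(nets), "subnet broadcasts:", nets)
```

For the sample range the IP Address type produces 766 unicast pings and the IP Subnet type 3 broadcasts, which is why IP Subnet is the cheaper choice for large ranges. Keep in mind that a broadcast to a subnet other than the console's own is a directed broadcast, and routers commonly drop those by default, so an empty IP Subnet result for a remote subnet does not prove that no server is there; an IP Address scan of the same range is the check to run before concluding that.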
33 Symantec AntiVirus basics Running the Discovery Service 33 Configuring the Discovery Service You can configure and run three types of Discovery. To configure the Discovery Service 1 In the Symantec System Center console, on the Tools menu, click Discovery Service. 2 If you want to run Discovery using IP addresses, configure the settings on the Advanced tab. See To configure the Discovery Service to use IP addresses on page 31.
34 Symantec AntiVirus basics Running the Discovery Service

3 In the Discovery Service Properties window, on the General tab, select one of the following options:
Load from cache only: This is the quickest method. The Symantec System Center reads the list of servers and clients stored in the local cache.
Local Discovery: Broadcasts to the Symantec System Center console's local subnet. Servers respond immediately with information about themselves and their clients. Each server's server group appears in the console unless you have filtered the view by using the View menu. Load from cache only runs as well.
Intense Discovery: This is the most thorough method. If you have a large network, the Discovery process may take a long time. The Symantec System Center serially pings every server in the Network Neighborhood. Server names appear in the message area of the Symantec System Center console as they are found during the Discovery process. Intense Discovery also performs the same local subnet broadcast as Local Discovery. Load from cache only and Local Discovery run as well.
See Table 1-3 on page 29.
4 Under Discovery Cycle, select the interval in minutes, if necessary.
5 If you plan to run Intense Discovery, under Intense Discovery Properties, specify the number of Intense Discovery threads, between 2 and 50. Each Discovery thread is an independent search for servers and clients. To maintain the most up-to-date Discovery information, select a lower Discovery interval and a higher number of Discovery threads.
6 If you want to clear all server and client information out of the active memory and address cache, and immediately run Discovery based on the current Discovery settings, under Cache Information, click Clear Cache Now. When you clear the cache, unlocked server groups are locked.
7 Do one of the following:
Click OK to save your changes.
If you want to immediately run Discovery, click Run Discovery Now, and then click Close. Only one Discovery can run at a time.
35 Symantec AntiVirus basics Using the Find Computer feature 35 Rebuilding a list of servers on a large network during Discovery may take a long time. Configuring the Discovery Cycle interval You can configure the Discovery Cycle time-out interval. By default, the interval is set to 480 minutes (every 8 hours), but you can set the time-out to any value from 1 to 1440 minutes between Discovery attempts. A new Discovery is skipped if the last Discovery is still running. For example, if you have Discovery set to run once a minute, and Discovery takes 20 minutes, 19 Discovery attempts are skipped. Note: Increasing the Discovery Cycle interval can result in a display of outdated information in the Symantec System Center console. To change the Discovery Cycle interval 1 On the Tools menu, click Discovery Service. 2 Change the Interval in minutes setting as necessary. Using the Find Computer feature If you quickly want to find a server without having to expand and browse through the tree, you can use the Find Computer feature. You can search using TCP/IP addresses or computer names. The Find Computer feature is also useful if you install a server and then do not see it in the tree view when you expand a server group or server, which may occur for the following reasons: The Symantec System Center may not automatically discover servers on LAN segments that are separated by routers. Servers may not be visible in the Network Neighborhood. For example, Windows Internet Naming Service (WINS) servers or Active Directory may not be replicated across network segments. If you cannot locate some servers on your LAN, you can locate them manually by using the Find Computer feature in the Symantec System Center console. After you use the Find Computer feature to locate a server, you can manage it from the Symantec System Center console.
36 Symantec AntiVirus basics Using the Find Computer feature

Finding computers using a local cache search

Rather than search the entire network for computers, you can restrict the search to those known to be stored already in the local cache.

To find computers using a local cache search
1 On the Tools menu, click Find Computer.
2 In the Find Computer window, on the Local Search tab, type the network name of the server that you want to find.
3 Under Match Type, select one of the following:
Partial: Searches for a server name that is a partial match.
Exact: Searches for a server name that is an exact match.
If you leave the Search For text box empty, and then specify Partial as the match type, all computers in the local cache appear when you run the search.
4 Click Find Now.
37 Symantec AntiVirus basics Using the Find Computer feature

Finding computers using a network search

You can use a network search to find individual computers running the Symantec AntiVirus server software. The Symantec System Center console contains the following Find Computer options that search the network:
Network Discovery: Finds computers that run the Symantec AntiVirus server software by computer name or address.
Scan Network: Finds the computers that run the Symantec AntiVirus server software by using an IP address or subnet range.
Audit Network: This broad network search allows you to not only locate the computers, but also to determine the protection that is available on them, including whether other antivirus software is installed, and to configure a number of search settings. This option takes the most time and resources. See To run a network audit on page 40.

To find computers using an address type
1 On the Tools menu, click Find Computer.
2 In the Find Computer window, on the Network Discovery tab, specify whether you want to use a computer name or an IP address as the search criterion.
3 Type the server address or computer name.
4 Click Find Now.

To find computers using an IP address range
1 On the Tools menu, click Find Computer.
2 In the Find Computer window, on the Scan Network tab, select one of the following:
IP Subnet: Sends out a broadcast to each subnet.
IP Address: Pings every computer in the range of IP addresses.
3 Type the addresses for Beginning of range and End of range.
38 38 Symantec AntiVirus basics Using the Find Computer feature 4 If you clicked IP Subnet in step 2, type the subnet mask to refine the search. 5 Click Find Now. IP Address search results appear in the lower portion of the Find Computer dialog box. IP Subnet search results appear in the Symantec System Center console status bar. Locating found items in the Symantec System Center console You can use an item in a Find Computer list to locate the same item in the Symantec System Center console tree. This list can be particularly useful if you have a very large number of computers in your network. To match an item, the server group to which the item belongs must be unlocked. To locate found items in the Symantec System Center console 1 On the Tools menu, click Find Computer. 2 In the Find Computer window, select the wanted computer. 3 Click Sync Item. The Symantec System Center console tree view moves to the selected item, which is then highlighted in the right pane. 4 Click Save if you want to save the search results as a comma-delimited file.
39 Symantec AntiVirus basics Using the Find Computer feature 39 Using the Refresh feature In the Symantec System Center console, you can refresh the information in the console at the system hierarchy, server group, or server level to validate active communication with the list of currently displayed servers. If the refresh determines that a server that previously appeared in the server group view is no longer communicating, the unavailable server icon appears. Note: The Refresh feature does not find the servers or the server groups that may have been added since the current session of the Symantec System Center started. To use the Refresh feature In the left pane, right-click the system hierarchy, unlocked server group, server, or client group, and then click Refresh. Auditing computers Computers on your network that do not have Symantec AntiVirus running leave holes open in your network security. You can run a network audit of remote computers to determine the following: Whether a Symantec AntiVirus component is installed and running. The type of protection that is installed, such as Symantec AntiVirus server, client, or unmanaged client software. Whether antivirus software from other vendors or from Symantec (such as a Norton AntiVirus consumer version), including the type and version of that software, is installed on the computer. You must be able to log in as Administrator to the remote computers that you audit. Note: Because Symantec AntiVirus now uses secure communications over SSL, server and server group information for the clients that run the current version of Symantec AntiVirus does not appear after a network audit. If a firewall is running on the remote computer, the network audit may not be able to gather information.
40 40 Symantec AntiVirus basics Using the Find Computer feature To run a network audit 1 On the Tools menu, click Find Computer. 2 In the Find Computer window, on the Audit Network tab, type the beginning and end of the IP address range that you want to search. 3 Click Options to set custom network audit options. For example, if you want to find the remote computers that have unmanaged Symantec AntiVirus client software that is installed, you can enable the related option. 4 In the Audit Network Options dialog box, set the number of audit threads to use to a value between 2 and 50. A higher number yields faster results but requires more network resources. 5 Under Ping Options, set the following options: The time-out period in milliseconds for Symantec PDS and Windows ICMP pings. Whether the search should continue even if an ICMP ping fails. This option is useful if you know that a firewall is set up with a rule to block an ICMP ping, because you can still audit the network for the computers that run Symantec AntiVirus. 6 Under Symantec AntiVirus IP ports, configure the search to ping up to four Symantec AntiVirus IP ports. To support legacy and current clients, both UDP and TCP ports are pinged. Port 1 defaults to 2967, which is the default port number of Rtvscan, the main Symantec AntiVirus service.
41 Symantec AntiVirus basics Using the Find Computer feature 41 7 Under Display Options, specify whether you want to display the following: Previously labeled machines. Parent management servers that are discovered through clients even if they are outside the IP address range. 8 Under Search Options, set the following options: Whether to look for the computers that run unmanaged Symantec AntiVirus client software, and offline servers and clients. This option requires you to specify valid administrator account information, such as a user name and password. Whether to look for the computers that run other vendors' antivirus software. This option requires that you know valid administrator account information, such as a user name and password. Whether or not always to use name resolution. See Setting administrator account options on page 43.
42 Symantec AntiVirus basics Using the Find Computer feature

9 Click OK.
10 Click Find Now to run the audit. You can see the audit progress at the bottom of the Find Computer dialog box.

When the audit completes, the following types of information appear:
Machine: The name of the remote computer.
Server Group: The name of the server group to which the remote computer belongs.
Server: The name of the server that controls the remote computer.
Type: The server or client type. Login errors are also reported in this column.
Version: The version of the antivirus product running on the computer.
Address: The IP address of the computer.
User: The user name that is associated with the computer, including the domain that authenticated the user.
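The audit procedure above combines three tunables: a thread count between 2 and 50, a ping time-out in milliseconds, and up to four Symantec AntiVirus ports with 2967 (Rtvscan) as the first. The script below is an added example that reproduces that shape of scan, not the Audit Network code itself: it probes each host on each port with a bounded thread pool, treats a time-out (typically a firewall dropping the connection) and a refusal (nothing listening) the same way the dialog reports an unreachable computer, and never sends ICMP, which is the effect of enabling "continue even if an ICMP ping fails". It probes TCP only, because a UDP probe would need the Symantec PDS packet format, which the guide does not give. The local listener and the 127.0.0.1 target are constructed so the example runs offline; the function and constant names are the example's own.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Default value of "Port 1" in the Audit Network Options dialog: the Rtvscan port.
DEFAULT_PORTS = (2967,)


def probe_tcp(host, port, timeout_ms):
    """Return True if a TCP connection to host:port completes within timeout_ms.
    A host whose firewall drops the SYN shows up as a time-out and a host with
    nothing listening as a refusal; both are reported as False."""
    try:
        with socket.create_connection((host, port), timeout=timeout_ms / 1000.0):
            return True
    except OSError:
        return False


def audit_hosts(hosts, ports=DEFAULT_PORTS, threads=8, timeout_ms=1000):
    """Probe every host/port pair with a bounded thread pool and return
    {host: {port: reachable}}. Every host is probed regardless of ICMP, which
    is what the dialog's "continue even if ICMP fails" option achieves."""
    threads = max(2, min(50, int(threads)))      # the dialog allows 2 to 50 audit threads
    ports = tuple(int(p) for p in ports)
    if not ports:
        raise ValueError("at least one port is required")

    def one(host):
        return host, {p: probe_tcp(host, p, timeout_ms) for p in ports}

    with ThreadPoolExecutor(max_workers=threads) as pool:
        return dict(pool.map(one, hosts))


def summarize(results):
    """Split an audit result into hosts that answered on at least one port and
    hosts that answered on none (the candidates for a Label such as 'no SAV')."""
    answered = sorted(h for h, r in results.items() if any(r.values()))
    silent = sorted(h for h, r in results.items() if not any(r.values()))
    return answered, silent


def local_listener():
    """Open a throwaway TCP listener on 127.0.0.1 so the audit can be exercised
    offline; returns (socket, port). It stands in for a server's Rtvscan port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = local_listener()
    try:
        results = audit_hosts(["127.0.0.1"], ports=(port,), threads=2, timeout_ms=500)
    finally:
        srv.close()
    print(results, summarize(results))
```

Pick the time-out to match the slowest link in the range: a value that is too short turns every far-away host into a "silent" entry and, because the audit is what you use to find unprotected computers, silently hides exactly the machines you are looking for.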
43 Symantec AntiVirus basics Using the Find Computer feature 43 Syncing found computers to locate them After the status of the computers in your audit search is identified, you can locate selected computers by syncing to them. To sync found computers 1 In the Find Computer dialog box, select a computer, and then click Sync Item to locate the selected computer that runs Symantec AntiVirus client software. 2 If the computer is in a locked server group, type the user name and password of the server group to which the computer belongs. Setting administrator account options When you run a network audit, if you select the following options in the Audit Network Options dialog box, you are required to specify administrator account information: Look for unmanaged clients, offline servers, and offline clients. Look for other AntiVirus software. Figure 1-2 Remote Administrator Account dialog box To set administrator account options 1 In the Remote Administrator Account dialog box, do one of the following: Type the name of the domain that contains the computers that you want to find, followed by valid domain administrator account information.
44 44 Symantec AntiVirus basics Configuring login certificates Check Use local accounts to access a specific computer, and then type the Admin user name and password. 2 Click OK. Labeling found items and rerunning the audit You can label the items that an audit finds. It may be useful to label items such as the following: The computers that cannot be located or to which a connection cannot be made. Routers and network drives. Computers that do not have Symantec AntiVirus software installed. To label a found item and rerun the audit 1 In the Find Computer dialog box, in the Machine column, right-click an item, and then click Label. 2 In the Edit description for dialog box, type a new label for the item. 3 Click OK. 4 Right-click the item again, and then click Audit again. Configuring login certificates Clients and servers use a temporary login certificate to authenticate Symantec System Center users. Because the user's login certificate is chained through the primary management server's login CA certificate back to the Server Group root certificate, the client or server knows that the user is authorized to manage the server group. When servers and clients receive a user's request for configuration changes, they authenticate the user. If authentication succeeds, the clients compare their system clocks to the certificate's time-stamp. If they verify that the user's temporary login certificate has not expired, they accept the user's configuration changes. For more information about certificates and their use in Symantec AntiVirus, see the Symantec AntiVirus Reference Guide. The login certificate is time-limited for security purposes, but is valid across all time zones. If a specific user account is deleted in the Symantec System Center, the temporary login certificate that is associated with that user cannot be renewed after it expires, regardless of the time zone. 
If the login certificate expires after the user authenticates to a server or client, the user is automatically issued another valid login certificate.
45 Symantec AntiVirus basics Configuring login certificates 45 You can use the Symantec System Center to configure the login certificate lifetime. Login certificates are time-stamped, and by default, expire 24 hours after being issued. You can configure a shorter lifetime to increase the level of network security, but this configuration also increases processing overhead. Warning: Unsynchronized computer system clocks in a server group can prohibit servers and clients from authenticating a user's login certificate because of the time difference. Synchronize your computer system clocks to prevent this situation from occurring. For example, suppose that a user has a temporary login certificate that contains a primary management server's time-stamp and is valid for 30 minutes. If that user attempts to authenticate to a client that has a clock setting that is set 45 minutes ahead of the primary management server, then when the client receives the login certificate, it believes that the login certificate expired 15 minutes ago based on its system clock setting, and does not permit configuration changes by that user. Because login certificates are issued by the primary management server in a server group, you can configure login certificate settings only at the server group level. Configuring login certificate lifetime and time tolerance If you do not use some method that automatically synchronizes system clocks in your network, be sure that the time periods that you configure are sufficient to cover any likely time discrepancies between your primary management servers, and the clients and secondary management servers that are managed by the primary management servers. When you configure the login certificate settings, Symantec System Center automatically compensates for time zone differences.
46 46 Symantec AntiVirus basics Configuring login certificates To configure login certificate settings 1 Right-click the server group that you want to configure, and then click Configure login certificate settings. 2 In the Login Certificate Settings dialog box, under Length of time login certificate is valid, set the number of hours and days that you want the certificate to last. A Symantec System Center user whose login session exceeds this setting is prompted for a user name and password to obtain a new login certificate. The default is 1 day. All computers in this server group whose system clocks are ahead of the primary management server system clock must be no further ahead than this setting to be managed by the Symantec System Center. 3 Under Tolerate time discrepancy between computers of: <hours> <days>, set the number of hours and days to the amount of backwards time discrepancy that you want to allow between the system clocks of the primary management server, and the system clock of its clients and secondary management servers. The default is 1 day. All computers in this server group whose system clocks are behind the primary management server clock must be no further behind than this setting to be managed by the Symantec System Center.
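The two settings above define a single acceptance window around the primary management server's time-stamp: a verifier whose clock is ahead may be at most the certificate lifetime ahead, and one whose clock is behind may be at most the tolerance behind, with the comparison done in UTC so that time zones drop out. The following code is an added example of that rule written in Python; it is not Symantec's implementation, whose certificate format and verification code the guide does not show. The 2006 time-stamps, the clock offsets and the computer names are constructed, and it reproduces the 30-minute / 45-minutes-ahead case from the warning above.

```python
from datetime import datetime, timedelta, timezone


def ts(year, month, day, hour, minute, utc_offset_hours=0):
    """Build a timezone-aware time-stamp; offset 0 is UTC, -5 is US Eastern standard time."""
    return datetime(year, month, day, hour, minute,
                    tzinfo=timezone(timedelta(hours=utc_offset_hours)))


def span(days=0, hours=0, minutes=0):
    """The dialog expresses both settings in days and hours; minutes serve the worked example."""
    return timedelta(days=days, hours=hours, minutes=minutes)


def check_login_certificate(issued_at, lifetime, tolerance, verifier_now):
    """Decide whether a client or secondary server honours a temporary login
    certificate, given the two server-group settings:
      lifetime  - Length of time login certificate is valid
      tolerance - Tolerate time discrepancy between computers of
    issued_at is the primary management server's time-stamp and verifier_now the
    verifying computer's own clock; both must be timezone-aware so that the
    subtraction is done in UTC. Returns (accepted, reason)."""
    for name, value in (("issued_at", issued_at), ("verifier_now", verifier_now)):
        if value.tzinfo is None:
            raise ValueError(name + " must be timezone-aware")
    skew = verifier_now - issued_at          # positive: verifier clock is ahead of the issuer
    if skew > lifetime:
        return False, "expired: verifier clock is %s past the time-stamp, lifetime is %s" % (skew, lifetime)
    if skew < -tolerance:
        return False, "not yet valid: verifier clock is %s before the time-stamp, tolerance is %s" % (-skew, tolerance)
    return True, "valid: %s of lifetime remain on this computer" % (lifetime - skew)


def unmanageable_computers(offsets, lifetime, tolerance):
    """offsets maps a computer name to its clock offset from the primary
    management server (positive = ahead). Returns the names that would reject a
    certificate issued right now under the given settings, so an administrator
    can see which clocks to fix (or which setting to raise) before rolling out
    a shorter lifetime."""
    reference = ts(2006, 6, 1, 12, 0)           # any fixed instant works; only offsets matter
    rejected = []
    for name, offset in offsets.items():
        accepted, _ = check_login_certificate(reference, lifetime, tolerance, reference + offset)
        if not accepted:
            rejected.append(name)
    return sorted(rejected)


if __name__ == "__main__":
    stamp = ts(2006, 6, 1, 12, 0)             # constructed primary management server time-stamp (UTC)
    # The guide's example: 30-minute certificate, client clock 45 minutes ahead.
    print(check_login_certificate(stamp, span(minutes=30), span(days=1), stamp + span(minutes=45)))
    # The same instant seen by a client in UTC-5 whose clock is 10 minutes ahead: accepted.
    print(check_login_certificate(stamp, span(minutes=30), span(days=1), ts(2006, 6, 1, 7, 10, -5)))
    # Which computers in a group would stop accepting changes at 1 hour / 1 hour?
    group = {"fileserver": span(minutes=10), "lab-pc": span(hours=2), "branch-srv": span(hours=-3)}
    print(unmanageable_computers(group, span(hours=1), span(hours=1)))
```

Note that the check is asymmetric on purpose: shortening the lifetime to tighten security also shrinks how far ahead a verifier's clock may be, while the tolerance only covers clocks that are behind, so a group with unsynchronized clocks needs both settings raised, not just one.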
47 Symantec AntiVirus basics Configuring login certificates 47 Configuring login certificate key size You can configure the size of the keys that the Symantec System Center generates for end-entity login certificates. A larger key provides a greater degree of security. To configure login certificate key size 1 Click Tools > SSC console options. 2 In the SSC Console Options Properties dialog box, click the Certificates tab. 3 Select the number of bits that you want to use for your login certificate key: 1024, 2048, 3072, or 4096.
49 Chapter 2 Managing Symantec AntiVirus This chapter includes the following topics: About servers About server groups and client groups Using server groups to manage Configuring options for Windows Security Center (WSC) Optimizing server performance Using Tamper Protection Using client groups to manage Managing clients Restoring communication between servers and managed client computers About servers The current version of Symantec AntiVirus uses the Secure Sockets Layer (SSL) to encrypt communications between its servers and clients. Symantec AntiVirus versions 9.x and earlier used UDP for such communications. Servers that run the current version of Symantec AntiVirus can manage most legacy clients by default, but in certain cases, configuration is required. See Optimizing definitions and configuration rollouts on page 74.
50 Managing Symantec AntiVirus About servers

Warning: Symantec AntiVirus 9.x and earlier servers cannot be used to manage clients running version 10.0 and later of Symantec AntiVirus.

When you manage with the Symantec System Center, computers running Symantec AntiVirus server software can assume the following roles:
Primary management server
Secondary management server
Parent management server

About primary management servers

Each server group has an administrator-designated primary management server. This primary management server is responsible for configuration functions in the server group. It can also be responsible for updating virus and security risk definitions. From the Symantec System Center console, when you launch a task at the server group level, the task runs on the server group's primary management server. The primary management server also forwards the task to all other servers in the server group. If you use Alert Management System 2, the primary management server also processes all notifications. Computers running any of the supported operating systems for servers can be made primary management servers.

How the registry is affected

When you modify server options, you directly modify the registries of the selected servers. The modification is made through the transport manager, which handles communications. The primary management server acts as the repository of all server options on a group level. If you modify on a group level, the changes are recorded first in the registry of the primary management server for that group in the HKLM\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\DomainData key. Then they are recorded in each of the other servers.

About secondary management servers

Servers that are not assigned the status of primary management server are called secondary management servers. Secondary management servers are children of
primary management servers. They retrieve information from the primary management server and share it with clients.

All servers in a server group are secondary management servers until you assign one as the primary management server. You must designate the primary management server before you can perform most tasks at the server group level.

About parent management servers

A parent management server is a computer running Symantec AntiVirus server software with which a connected computer running Symantec AntiVirus client software communicates to obtain configuration updates and to send alerts.

Some servers may act as parent management servers. Other servers may act as primary management servers. These two functions are not mutually exclusive. A primary management server may also act as a parent management server.

About server groups and client groups

Server group members can share a single Symantec AntiVirus configuration, and you can also run a Symantec AntiVirus operation on all members of a server group. From the Symantec System Center console, you can create new server groups and manage their membership.

Server groups are independent of Windows domains and other products. You can combine NetWare and Windows computers into the same server groups, which allows simultaneous remote configuration of these systems. The server group level is the highest level at which you can manage Symantec product configuration changes.

Client groups are logical groupings of computers running Symantec AntiVirus client software. Although client groups are always attached to a server group, each client group can be managed individually. By setting up client groups, you can set up and manage different policies under a single parent.

Symantec AntiVirus clients are categorized as follows:
- Assigned clients are the Symantec clients that have been assigned to a client group. They receive virus and security risk definitions files from the server to which they are physically attached. However, they receive the configuration settings and the updates that are based upon the client group to which the Symantec AntiVirus policies are applied.
- Unassigned clients are the Symantec clients that have not been assigned to a client group. They receive configuration settings and updates from their parent management server.
Note: You must have simple host name resolution configured in your environment to manage Symantec AntiVirus servers and clients. Fully qualified domain name resolution is not required.

Deciding whether to use server groups, client groups, or both

Each Symantec AntiVirus server group supports a single configuration for all of the clients it manages. Each additional configuration requires adding an additional server to the server group. Server groups may provide you with all the configuration flexibility you need if all of your clients require the same configuration options.

If you need more configuration flexibility, you may benefit from using client groups. When you manage using client groups, clients on the same physical server do not need to share the same configuration as other clients in the same server group. In addition, client groups can also decrease the number of servers that are required to manage Symantec AntiVirus. While each server group requires at least one server per unique configuration, a server group can contain any number of client groups, each with its own configuration.

About Grc.dat files

Grc.dat files are text files that contain configuration information for the client computers of a Symantec AntiVirus server. When you change client options by using the Symantec System Center, the parent server writes the changes to the Windows registry, under the HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\ClientConfig key. The server recreates the Grc.dat file with the contents of the ClientConfig key whenever you make client configuration changes in the Symantec System Center, and also whenever the Symantec AntiVirus Server Service starts. This means that it is not useful to edit a parent server's Grc.dat file manually by using a text editor such as Notepad, because any changes to the file will be lost the next time the server recreates it. After recreating the Grc.dat file, the parent server copies the updated file to its client computers.

Note: If necessary, you can copy a Grc.dat file to a client computer manually at any time. Manually copying the file is an effective way to restore communication or reset corrupted settings. For information about restoring communication, see "Restoring communication between servers and managed client computers".
The client computer processes the Grc.dat file by adding the contents of the file to the Windows registry under the HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion key. After copying the Grc.dat file to the client computer, it may take several minutes for the client computer to process the manually-copied file. You can force a client computer to process the Grc.dat file by stopping and then restarting the Symantec AntiVirus client service. After the client computer processes the Grc.dat file, it deletes the local copy of the file, so it is normal to be unable to locate this file on a client computer.

By default, the location of the Grc.dat file on client computers depends on the operating system and on whether or not the installation was upgraded from a previous version. Drive letters and paths may also differ, depending on the configuration of the operating system.

For client computers where the installation was upgraded from a previous version, in the Symantec Knowledge Base, see one of the following documents to determine the default location:
- Norton AntiVirus Corporate Edition 7.x: "A guide to the Grc.dat file and its uses in Norton AntiVirus Corporate Edition 7"
- Symantec AntiVirus Corporate Edition 8.x or 9.x: "A guide to the Grc.dat file in Symantec AntiVirus Corporate Edition 8.x and 9.x"

For Symantec AntiVirus servers where the installation was not an upgrade, the default is one of the following locations:
- Windows: \Program Files\SAV or \Program Files\Symantec AntiVirus
- NetWare: SYS:\SAV

In addition, on Windows computers, servers always share the file as \\<servername>\vphome\grc.dat.

If you are using client groups to manage your client computers, there is a separate Grc.dat file for each client group, since different client groups can have different configurations. These are kept on the primary server of the server group, in the following locations:
- Windows: \Program Files\SAV\Groups\<group name>\ or \Program Files\Symantec AntiVirus\Groups\<group name>\
- NetWare: SYS:\SAV\Groups\<group name>\

On Windows computers, this appears in the VPHOME share as \\<servername>\vphome\groups\<group name>\grc.dat.

For Symantec AntiVirus 10.x clients, place the Grc.dat file in the following folder:
\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5
Locating the Symantec AntiVirus program folder

You may need to find the Symantec AntiVirus program folder to find where the Grc.dat file is located on a computer.

To locate the Symantec AntiVirus program folder
1 On the Windows taskbar, click Start > Run.
2 In the Open box, type the following command: cmd
3 Click OK.
4 At the command prompt, type the following command: net share
5 Under Share name, find the VPHOME listing. The folder that appears in the Resource column is the Symantec AntiVirus program folder, which contains the Grc.dat file.

Client groups and configuration priority

When you manage using client groups, clients that are assigned to a group receive their configuration from their group, rather than their parent management server. Configuration changes made at the server level are ignored, and apply only to unassigned clients. Configuration changes that are made at the server group level or system hierarchy level have priority over client group settings, however, and override any settings that are made at the client group level. To change this default priority, you can configure client groups to use their own settings instead of inheriting settings from their server group. See "Using client group settings instead of server group settings" on page 88.

Table 2-1 lists each item that you can select in the Symantec System Center and what you can configure when you select it.

Table 2-1 Configuration item options

Item selected: System Hierarchy
What you can configure: All unlocked server groups and the clients they manage, regardless of their client group membership

Item selected: Server group
What you can configure: All servers and clients in the server group, regardless of their client group membership
Table 2-1 Configuration item options (continued)

Item selected: Server
What you can configure:
The server and its clients, regardless of their client group membership:
- Virus sweep
- Update virus and security risk definitions now
- History configuration
The server and/or its unassigned clients:
- Scheduled and manual scans
- Virus and security risk definitions updates
- Quarantine options
- Client and server Auto-Protect options
- Client administrator-only options
- Client roaming options
- Client and server tamper protection options
- LiveUpdate
- Auto-Protect status
- View risk list
- Clear risk status
- Reporting agent configuration

Item selected: Client group
What you can configure: Clients that are assigned to the client group:
- Scheduled scans
- Virus and security risk definitions updates
- Quarantine options
- History configuration
- Client Auto-Protect options
- Client tamper protection options
- Client roaming options
- Client administrator-only options
- LiveUpdate

Item selected: Client
What you can configure: Read-only

By default, you cannot use the Symantec System Center to configure individual clients. However, you can use the Allow direct configuration of individual clients option to enable the Symantec System Center to configure individual clients. See "Enabling direct client configuration" on page 89.
How settings propagate

The method that Symantec AntiVirus uses to propagate settings depends upon the item that you choose in the Symantec System Center console. Table 2-2 describes how settings propagate when you choose server groups, servers, client groups, and clients.

Table 2-2 How settings propagate from the Symantec System Center console

Object: Server groups
Description: When you set options at the server group level, and then click OK, the Symantec System Center communicates directly to every server in the server group. Parent management servers update their clients by rolling out a new Grc.dat file. This file replaces the existing Grc.dat file. Custom settings in the old Grc.dat file are not retained. If you click Cancel, no options change. If you click Reset All, Symantec AntiVirus overwrites all settings in the dialog box.

Object: Servers
Description: When you set options at the server level, and then click OK, the Symantec System Center topology service communicates directly with the selected server. Only the selected server is affected. If you click Cancel, no options change. If you click OK without changing options, Symantec AntiVirus does not overwrite the server's current options.

Object: Client groups
Description: When you set options at the client group level, and then click OK, the primary management server creates a Grcgrp.dat file and sends it to secondary management servers. The secondary management servers update their clients by rolling out a new Grc.dat file. This file replaces the existing Grc.dat file. Custom settings in the old Grc.dat file are not retained. If you click Cancel, no options change.

Object: Clients
Description: When you set options at the client level, and then click OK, the System Center Topology service communicates with the client directly and makes the single change in the registry. If you click Cancel, no options change.

Only locked settings are propagated to clients. To change settings on clients, you must lock the settings in the Symantec System Center. If you change a setting for clients, and if that setting is not locked, the change does not occur on the clients.
This feature also affects client computers that are installed by using the ClientRemote tool in the Symantec System Center. Only changed settings that are locked are configured on client computers during installation.

Note: Auto-Protect scanning settings must be locked before they are propagated to clients.

Group settings are applied to out-of-sync clients

By default, client computers that have system clocks set more than 24 hours in advance of or behind the time on the primary management server do not let administrators configure settings directly. For example, you cannot right-click on an out-of-sync client computer in the Symantec System Center and view the client logs. Out-of-sync client computers do accept settings that administrators apply to groups. For example, if you right-click a group in the Symantec System Center and change the Client Auto-Protect setting, an out-of-sync client computer accepts the new setting.

You cannot configure client settings directly because the Symantec AntiVirus client uses the client login certificate, which is valid for a specified time only. You can change the times in the Symantec System Center by using the Configure login certificate settings options at the group level. The out-of-sync client computers then accept group-level changes because the Symantec AntiVirus client uses the server certificate, which is valid for five years.

For more information about certificates, see the Symantec AntiVirus Reference Guide in the Docs folder on the installation CD.

New Grc.dat values overwrite old Grc.dat values

New Grc.dat files are propagated and their values overwrite the values from the old Grc.dat files any time that they are sent to the client. This behavior occurs even when you open a Symantec AntiVirus window or dialog box that contains options from the Symantec System Center console and then click OK without changing options. If the earlier Grc.dat version contained custom settings that are not in the new Grc.dat, the settings are overwritten.

See the Symantec AntiVirus Installation Guide for additional information on using Grc.dat files for client configuration.

Server and client group scenario

A company has telemarketing and accounting departments. These departments have staff in the company's Boston, New York, and Newark offices. All computers
in both departments have been assigned to the same server group so that they receive virus and security risk definitions updates from the same source. However, IT reports indicate that the telemarketing department is more vulnerable to risks than the accounting department. As a result, the system administrator creates telemarketing and accounting client groups. Telemarketing clients share configuration options that strictly limit how users can interact with their antivirus and security risk protection.

Using server groups to manage

The installation program groups all of the servers that you select into one server group. This grouping might be adequate if you want all of your managed computers running Symantec AntiVirus to use the same settings. However, if you want to make global configuration changes for groups of servers, you can create new server groups.

You can easily use a drag-and-drop or cut-and-paste operation to move servers from one server group to another. When you move a server, all of its connected client computers move with it. For example, if you have specific servers that require higher levels of protection, you can place all of them in the same server group and set special options to protect the server group.

Note: If you prefer to manage by using client groups, you can achieve the same end by setting up a new client group. See "About server groups and client groups" on page 51.

Creating server groups

You can create as many server groups as you need to manage your servers and clients efficiently. Each server group requires a primary management server. See "Selecting a primary management server for a server group" on page 22.
To create a server group
1 Right-click System Hierarchy, and then click New > Server Group.
2 In the New Server Group dialog box, type the name for the server group. The name cannot have more than 47 characters.
3 In the User name text box, type the user name to use for the new server group. This can be any user name you want to use. The user account is automatically created and assigned to the Administrator role and added to the account management list for this server group.
4 In the Password text box, type a password to use when unlocking the server group.
5 In the Confirm password text box, retype the password.

Locking and unlocking server groups

You can lock a server group with a password to prevent unauthorized administrators from making configuration changes. The password for the initial server group was created for the admin user during installation. You can change passwords at any time by using the Account Management option for each server group. See "Managing user accounts for server groups" on page 68.

Note: Server group passwords are not used to uninstall clients and servers. By default, the password for permitting a client uninstallation is set to symantec. You can change the password that permits a client user to uninstall Symantec AntiVirus. See "Changing the password that is required to uninstall" on page 201.
Server groups are automatically locked by default each time that you start the Symantec System Center, unless you configure the Symantec System Center to automatically unlock the server group when you start the Symantec System Center. User names and passwords are not saved unless you explicitly configure the Symantec System Center to do so. You can lock and unlock server groups as necessary.

To lock a server group
Right-click the server group that you want to lock, and then click Lock Server Group.

To unlock a server group
1 In the Symantec System Center console, in the left pane, right-click the server group, and then click Unlock Server Group.
2 In the Unlock Server Group dialog box, type the user account name and password for the server group.
3 If you want these options to be filled in automatically each time that you unlock this server group, check Remember this user name and password.
4 If you enable the Symantec System Center to remember the user name and password for this server group, then you can configure the Symantec System Center to start with this server group unlocked. Click Automatically unlock this server group when Symantec System Center starts.
5 Click OK.
To stop saving user name and password or to stop automatic unlocking
1 To stop saving your user name and password, and to stop having the Symantec System Center open with this server group unlocked, right-click the server group, and then click Lock Server Group.
2 Right-click the server group again, and then click Unlock Server Group.
3 In the Unlock Server Group dialog box, uncheck Remember this user name and password and Automatically unlock this server group when Symantec System Center starts.
4 Click OK.

If you are the administrator on the primary server in a server group, you can reset the server group admin user password from the primary server.

To reset the server group admin user password
1 On the computer running the Symantec System Center, start Windows Explorer.
2 Go to \Program Files\Symantec\Symantec System Center\Tools.
3 In the right pane, double-click the IFORGOT.exe file.
4 In the Primary server field, type the name of the server group's primary server.
5 In the user field, type admin.
6 In the New Password and Confirm New Password fields, type the new password.
7 Click Reset Password. You may be prompted for a Windows user name and password if you specify a remote server.

Server groups and server root certificates

The first time that you try to unlock a server group that does not have its server group root certificate on the same computer as the Symantec System Center, a dialog box appears that offers the following choices.
You can either have the Symantec System Center copy the root certificate to the Symantec System Center computer the first time that you log on to the server group or copy it by using Windows authentication. If you choose to copy the root certificate, you can suppress this message in the future. Select Windows authentication to provide a greater degree of security.

Viewing and filtering server groups

When you run the Symantec System Center console, you see the servers that are running managed Symantec AntiVirus products in a tree format. Servers are grouped under server groups. By default, the Symantec System Center console displays all server groups.

You can view a single server group and its contents from the Symantec System Center console or you can filter the server group view to show only a subset of your servers. This view is helpful if you have too many servers to manage easily from one window. You can monitor and administer only the server groups that appear in the list.

Note: You receive notifications only for displayed server groups. If you filter a server group, you do not receive notifications from that server group.

To view a single server group
Right-click the server group, and then click New Window From Here.
To filter the server group view
1 In the left pane, right-click System Hierarchy, and then click View > Filter Server Group View.
2 Uncheck the server groups that you want to filter from the server group list.

Renaming server groups

You can rename server groups as necessary.

To rename server groups
1 Unlock the server group that you want to rename, if necessary.
2 Right-click the server group, and then click Rename.
3 Type the new server group name.

Deleting server groups

Before you can delete a server group, you must move its members to a new or existing server group.

To delete a server group
1 Right-click the server group that you want to delete, and then click Unlock Server Group, if necessary.
2 In the server group that you want to delete, drag any servers into another server group. You can only delete a server group if it is empty.
3 Right-click the empty server group, and then click Delete.
4 Right-click System Hierarchy, and then click Refresh.

Changing primary management servers

You can change primary management servers easily at any time. You can promote secondary management servers as necessary, thereby demoting the primary management server in that group. If you did not remove the primary key file from the primary management server to store it in a safer location, then the primary key file will be copied automatically to the new primary management server.

When you change primary management servers, you may lose the AMS 2 alerts that you have set up. You can reconfigure the alerts on the new primary management server, or export the alerts to the new server before you change primary management servers.
To change primary management servers
1 Double-click the server group icon.
2 Right-click the secondary management server that you want to designate as a primary management server, and then click Make Server A Primary Server.

Changing parent management servers

To change the parent management server of a managed client, you can click and drag the client to a new management server or you can copy the Grc.dat client configuration file and the server group certificate from the new parent to the client. Then restart the client.

The Grc.dat client configuration file is a text-format file that acts as a repository of changes that are made to a group of clients. The Grc.dat client configuration file facilitates communication between the computers that run Symantec AntiVirus server software and the computers that run Symantec AntiVirus client software. It stores important information such as parent management server identity and Symantec AntiVirus product configuration settings.

The server group root certificate file, xxx.x.servergroupca.cer, contains the server group root certificate for the server group.

If you copy the files from the server that you want to act as the parent server and place them on the client, you distribute all of the client settings for that server and establish communications. You can change the parent management server by using the Symantec System Center or by manually copying files.

To change the parent management server of a client by using the Symantec System Center
Drag the client from the old server to the new server.

To change the parent management server of a client manually when the servers are in the same server group
1 On the intended parent management server, copy the Grc.dat configuration file from the Symantec AntiVirus folder.
2 On the client computer, paste the Grc.dat file into the C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5 folder.
3 Restart the client.
To change the parent management server of a client manually when the servers are not in the same server group
1 On the intended parent management server, copy the Grc.dat configuration file from the Symantec AntiVirus folder.
2 On the client computer, paste the Grc.dat file into the C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5 folder.
3 On the intended parent management server, open the pki\roots folder and copy the xxx.x.servergroupca.cer file.
4 On the client computer, paste the xxx.x.servergroupca.cer file into the pki\roots directory, which appears under the directory that contains the Symantec AntiVirus files.
5 Restart the client.

Moving a server to a different server group

When you move a server, a server configuration file that is named Grcsrv.dat is created on the server automatically. This file synchronizes the new server group settings with the server. The new server group must have a primary management server.

The server configuration file is located in the same directory in which Symantec AntiVirus was installed on the server. It has the same format as a Grc.dat client configuration file. It is created when you synchronize a server to a new server group's settings.

Note: If you want to add more servers to a server group, and you have archived the private key for the server group, you must copy the server group private key back to the pki\private-keys directory on the primary management server.

To move a server to a different group
Drag the server that you want to move into the new server group.

Best practice: maintaining server-client communication

Symantec AntiVirus communication uses the Secure Sockets Layer (SSL) protocol to conduct secure transactions between parent servers and clients. SSL uses a Public Key Infrastructure (PKI), digital certificates, and cryptography. As a result, if your primary server becomes unavailable, you are unable to immediately restore
communications with secondary servers and managed clients unless you take steps to secure the information required for secure communications. You should always follow these steps to minimize recovery time in the event that the primary server becomes unavailable:
- Install a secondary management server in each server group to help maintain communication with clients. Use of a secondary management server shortens the time it takes to recover from disasters. If you do not add a secondary management server and your primary management server fails, you are not able to access the server group from the Symantec System Center.
- Make a backup of the primary server's pki folder. Locate the pki folder under the Symantec AntiVirus program folder, copy it, and place it in a safe location such as a removable drive stored in a vault. For directions on how to locate the Symantec AntiVirus program folder, see "Locating the Symantec AntiVirus program folder" on page 54.

Restoring client communication when a primary server is lost

If you lose your primary server and you did not create a secondary management server in your server group, then you must reinstall Symantec AntiVirus on the primary server. To restore communication with managed client computers after reinstalling Symantec AntiVirus server, when you do not have a backup copy of the primary server's pki folder, you must do the following:
- Delete the old certificates on the server's managed client computers.
- Copy the server's new certificates and Grc.dat file to its managed client computers.

To restore communication with managed client computers after reinstalling Symantec AntiVirus server
1 On the managed client computer, stop the Symantec AntiVirus service.
2 Delete all certificates in the pki\roots folder in the client computer's Symantec AntiVirus program folder. The default path to the Symantec AntiVirus program folder is <Drive>:\Program Files\Symantec Client Security\Symantec AntiVirus.
3 On the Windows taskbar, click Start > Run.
4 In the Run dialog box, type the following text: \\<server name>\vphome
where <server name> is the name of the Symantec AntiVirus server.
5 Click OK.
6 Copy the Grc.dat file from the server's vphome folder to the following folder on the client computer: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\
7 Copy the <xxx.x>.servergroupca.cer file from the vphome\pki\roots folder on the server to the \pki\roots folder on the client computer. The default location of the \pki\roots folder on the client computer is <Drive>:\Program Files\Symantec Client Security\Symantec AntiVirus\pki\roots\
8 Set the DWORD value of the HKLM\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\ProductControl\ReloadRootCertsNow registry key to one. Rtvscan then picks up the new roots.

If you need more information about restoring communication, in the Symantec Knowledge Base, see "Step to minimize recovery time in the event of a server failure."

Restoring communication with a server group

Loss of communication with a server group may occur for the following reasons:
- You left the user name field or the password field blank when you attempted to unlock the server group.
- You are using the wrong version of the Symantec System Center. You must use the latest version of the Symantec System Center to manage the latest version of the client computer software. For directions, in the Symantec Knowledge Base, see "Determining the version of Symantec System Center."
- The primary server or the computer that is running the Symantec System Center runs Windows 2003/XP with Windows Firewall enabled. If this is the case, you may want to perform one or more of the following tasks:
  - Add port exceptions to Windows Internet Connection Firewall. For directions, in the Symantec Knowledge Base, see "Adding port exceptions to Windows Internet Connection Firewall for Symantec AntiVirus Corporate Edition."
  - Add service exceptions to Windows Internet Connection Firewall. For directions, in the Symantec Knowledge Base, see "Adding service exceptions in Windows Internet Connection Firewall to allow Symantec AntiVirus to communicate."
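The client-side restore procedure above (stop the service, clear pki\roots, copy Grc.dat and the server group root certificate from the server's VPHOME share, set ReloadRootCertsNow) written as one PowerShell script. This is an added example, not code from the guide or from Symantec; it assumes the service display name "Symantec AntiVirus", the default paths the guide lists, and an elevated session on the client computer.

```powershell
# Added example (not from the Symantec guide): automate the client-side
# "restore communication after reinstalling the server" steps.
# Assumptions: run elevated on the client; the service display name is
# "Symantec AntiVirus" (assumed); paths default to those the guide lists.
param(
    [Parameter(Mandatory = $true)]
    [string]$ServerName,

    # Client program folder that holds pki\roots (default from the guide)
    [string]$ProgramFolder = 'C:\Program Files\Symantec Client Security\Symantec AntiVirus',

    # Folder where 10.x clients expect Grc.dat (default from the guide)
    [string]$GrcFolder = 'C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5',

    # Assumed display name of the client service (Rtvscan)
    [string]$ServiceDisplayName = 'Symantec AntiVirus'
)

$ErrorActionPreference = 'Stop'

$share       = "\\$ServerName\vphome"
$clientRoots = Join-Path $ProgramFolder 'pki\roots'
$regKey      = 'HKLM:\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\ProductControl'

# Sanity checks before touching anything: the share must be reachable and
# must actually hold a Grc.dat and a server group root certificate.
if (-not (Test-Path (Join-Path $share 'Grc.dat'))) {
    throw "Grc.dat not found in $share; is $ServerName the reinstalled parent server?"
}
$serverCerts = Get-ChildItem (Join-Path $share 'pki\roots') -Filter '*.servergroupca.cer'
if (-not $serverCerts) {
    throw "No *.servergroupca.cer found in $share\pki\roots"
}

# Step 1: stop the client service so the old roots are not in use.
$svc = Get-Service -DisplayName $ServiceDisplayName
if ($svc.Status -ne 'Stopped') {
    Stop-Service -InputObject $svc
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

# Step 2: clear the stale root certificates. Instead of deleting outright,
# move them to a dated backup folder so a run against the wrong server can
# be undone.
$backup = Join-Path $ProgramFolder ('pki\roots.bak-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backup -Force | Out-Null
Get-ChildItem $clientRoots -File | ForEach-Object {
    Move-Item -Path $_.FullName -Destination $backup
}

# Steps 4 to 6: pull the new Grc.dat from the server's VPHOME share.
New-Item -ItemType Directory -Path $GrcFolder -Force | Out-Null
Copy-Item -Path (Join-Path $share 'Grc.dat') -Destination $GrcFolder -Force

# Step 7: install the new server group root certificate(s).
$serverCerts | Copy-Item -Destination $clientRoots -Force

# Step 8: set ReloadRootCertsNow to 1 so Rtvscan picks up the new roots.
Set-ItemProperty -Path $regKey -Name 'ReloadRootCertsNow' -Value 1 -Type DWord

# Restart the service; the guide notes that a restart also forces the client
# to process the freshly copied Grc.dat.
Start-Service -InputObject $svc
Write-Host "Client now trusts $ServerName; previous roots saved in $backup"
```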
68 68 Managing Symantec AntiVirus Using server groups to manage Disable Windows Internet Connection Firewall. For directions, in the Symantec Knowledge Base, see "Disabling the Microsoft Internet Connection Firewall." If none of these reasons applies, you may need to perform one or more of the following tasks to reestablish communication: Restart the Symantec AntiVirus service. Reset the LoginCaCertIssueSerialNum registry value on the primary server. Restore or recreate private keys if the loginca.pvk or the server.pvk private key is corrupted or missing. For information about how to perform these tasks, in the Symantec Knowledge Base, see "Error: "Can't communicate with the Server Group..."". Managing user accounts for server groups Account management provides the secure user accounts and the passwords that you use to unlock and configure server groups. Symantec AntiVirus provides several preexisting roles with various levels of privileges for user accounts. You can assign a user to one of these roles when you create user accounts for server groups in the Symantec System Center. Table 2-3 describes the roles and their associated privileges. Table 2-3 Role name Read-only Administrator User account roles and privileges Description This role allows the user to lock and unlock the server group, and to view information about the server group. Users have no write access to the server group, so they cannot make any configuration changes to the server group, or to any of its servers and clients. This role gives the user full access to the server group. The user can lock and unlock the server group, and configure both servers and clients in the server group.
Central Quarantine
  This role allows the user to do the following:
  - Read from and write to virus definitions files.
  - Roll out virus definitions updates to a client or server in the server group.
  - Ping machines in the server group.
  Users that are assigned to this role are not allowed to lock and unlock the server group by using the Symantec System Center.

Gateway Security
  This role allows the user to ping computers in the server group. Users that are assigned to this role are not allowed to lock and unlock the server group by using the Symantec System Center.

If the Symantec System Center cannot verify the user's role, the user account defaults to Gateway Security, the least privileged of the roles.

Symantec AntiVirus also provides one preexisting user who is named admin, and who is assigned to the Administrator role. You cannot delete the admin user account or change its user name, but you can change its password.

The following restrictions apply to user accounts:
- Passwords that you set must be at least six characters long.
- Account user names must be unique and are not case-sensitive.
- Passwords are case-sensitive.
- User names cannot contain spaces.
- User names cannot contain the following special characters: " / ; \ -. + ' : =

You can assign multiple user accounts with administrative privileges to a server group. You can manage the accounts for only one server group at a time.

To create a user account for a server group
1 Right-click the appropriate server group.
2 Click Account Management.
3 In the Configure Server Group Accounts dialog box, click Add.
4 In the Account Setup dialog box, do the following:
  - Type the user name.
  - Type the password twice.
  - Under Account Type, select the role that you want to assign to the user: Read-only, Administrator, Central Quarantine, or Gateway Security.
5 Click OK.
6 Click Finished.
The changes are then sent to the secondary management servers in the server group.

To change a user account for a server group
1 Right-click the appropriate server group.
2 Click Account Management.
3 In the Configure Server Group Accounts dialog box, select a user account name.
4 Click Update.
5 In the Account Setup dialog box, type a new password twice. Under Account Type, if you want to change the user's role, select the new role. If you only change the role that is under Account Type, you should leave the password options blank.
6 Click OK.
7 Click Finished.

To delete a user account for a server group
1 Right-click the appropriate server group.
2 Click Account Management.
3 In the Configure Server Group Accounts dialog box, select a user account name.
4 Click Delete.
5 Click Yes to confirm the deletion.
6 Click Finished.
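The account rules above (minimum password length, case-insensitive uniqueness, forbidden characters, the protected admin account, and the fall-back to Gateway Security for an unverifiable role) are easy to get wrong when accounts are set up in bulk. The following is an added example, not Symantec's code: it encodes the documented rules so a batch of proposed accounts can be checked before they are entered in the console. The account names and passwords in the test data are constructed; the "-." in the page's character list is read as the two characters "-" and ".".

```python
"""Pre-check proposed server-group accounts against the documented restrictions.

Added example, not Symantec's code. Models the rules from the Managing user
accounts section; all sample names and passwords are constructed.
"""

# Roles from Table 2-3. An unverifiable role falls back to Gateway Security,
# the least privileged role, so that is what the console would apply.
ROLES = ("Administrator", "Central Quarantine", "Read-only", "Gateway Security")
LEAST_PRIVILEGED_ROLE = "Gateway Security"
# Characters the page forbids in user names ("-." interpreted as "-" and ".").
FORBIDDEN_NAME_CHARS = set('"/;\\-.+\':=')
MIN_PASSWORD_LENGTH = 6
BUILTIN_ADMIN = "admin"   # cannot be deleted or renamed; only its password can change


def effective_role(role):
    """Return the role the console would apply; unknown roles default to the least privileged."""
    return role if role in ROLES else LEAST_PRIVILEGED_ROLE


def validate_account(name, password, existing_names):
    """Return a list of rule violations for a proposed account (empty list means valid)."""
    problems = []
    if not name:
        problems.append("user name is empty")
    if " " in name:
        problems.append("user name contains a space")
    bad = sorted(c for c in set(name) if c in FORBIDDEN_NAME_CHARS)
    if bad:
        problems.append("user name contains forbidden characters: " + " ".join(bad))
    # User names are unique and not case-sensitive, so compare case-folded.
    if name.casefold() in {n.casefold() for n in existing_names}:
        problems.append("user name already exists (names are not case-sensitive)")
    # Passwords are case-sensitive, so no folding here; only the length rule applies.
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("password shorter than %d characters" % MIN_PASSWORD_LENGTH)
    return problems


def can_delete(name):
    """The built-in admin account cannot be deleted (name comparison is case-insensitive)."""
    return name.casefold() != BUILTIN_ADMIN


def check_batch(proposed, existing_names):
    """Validate (name, password, role) tuples in order; returns {name: (effective role, problems)}."""
    report = {}
    seen = list(existing_names)
    for name, password, role in proposed:
        problems = validate_account(name, password, seen)
        report[name] = (effective_role(role), problems)
        if not problems:
            seen.append(name)   # later entries must not collide with this one either
    return report


if __name__ == "__main__":
    # Constructed sample batch: the second entry collides with the first (case-insensitively).
    batch = [("ops1", "password1", "Read-only"), ("OPS1", "password2", "Administrator"),
             ("bob;smith", "longenough", "Operator")]
    for account, (role, problems) in check_batch(batch, [BUILTIN_ADMIN]).items():
        print(account, role, problems or "OK")
```

The batch check also reports the role the console would actually apply, which is useful when account requests arrive with role names that do not match Table 2-3.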
Configuring options for Windows Security Center (WSC)

If you use Windows Security Center running on Windows XP Service Pack 2 to monitor security status, you can use the Symantec System Center to configure the following options for Symantec AntiVirus:
- The time period after which WSC considers definitions files to be out of date.
- Whether WSC displays antivirus alerts for Symantec products on the host computer.

Note: Symantec product status is always available in the Symantec System Center console, regardless of whether WSC is enabled or disabled.

Configuring the out-of-date time for definitions

By default, WSC considers Symantec AntiVirus definitions to be out of date after 30 days. You can change the number of days that definitions can be out of date during installation in the Windows installer or after installation in the Symantec System Center.

Symantec AntiVirus checks every 15 minutes to compare the out-of-date time, the date of the definitions, and the current date. Typically, no out-of-date status is reported to WSC because definitions are usually updated automatically. In the case of a manual update, depending on the out-of-date time that is configured, administrators might have to wait up to 15 minutes to view an accurate status in WSC.

To configure the out-of-date time for definitions
1 Right-click the server group that you want to change.
2 Click All Tasks > Symantec AntiVirus > Client Administrator Only Options.
3 If the prompt for Symantec AntiVirus Management Snap-In appears, click Yes.
4 In the Client Administrator Only Options dialog box, under Windows Security Center, next to Definition of AntiVirus up-to-date, type the number of days, or use the up or down arrow to select the number of days that the virus and security risk definitions can be out of date. The value must be in the range from 1 to
5 Click OK.
Configuring alerts to appear on the host computer

You can configure WSC to display alerts from Symantec AntiVirus by using the Symantec System Center.

To configure alerts to appear on the host computer
1 Right-click the server group, and then click All Tasks > Symantec AntiVirus > Client Administrator Only Options.
2 If the prompt for Symantec AntiVirus Management Snap-In appears, click Yes.
3 In the Client Administrator Only Options dialog box, under Windows Security Center, in the Windows Security Center AntiVirus Alerts drop-down list, select one of the following:
  Disable    WSC does not display these alerts on the Windows system tray.
  Enable     WSC displays these alerts on the Windows system tray.
  No action  WSC uses the existing setting to display these alerts.
4 Click OK.
5 Restart the clients in each server group to make the changes take effect.

Configuring Symantec AntiVirus to disable Windows Security Center

You can configure the circumstances under which Symantec AntiVirus disables WSC.

To configure Symantec AntiVirus to disable WSC
1 Right-click the server group that you want to change.
2 Click All Tasks > Symantec AntiVirus > Client Administrator Only Options.
3 In the Client Administrator Only Options dialog box, under Windows Security Center, in the Disable Windows Security Center drop-down list, select one of the following:
  Never                Never disable WSC.
  Once                 Disable WSC only once. If a user re-enables it, Symantec AntiVirus does not disable it again.
  Always               Always disable WSC. If a user re-enables it, it will be disabled again immediately.
  Restore if disabled  Re-enable WSC only if Symantec AntiVirus disabled it.
4 Click OK.
Optimizing server performance

The Symantec System Center allows you to tune server performance in a number of ways. Tuning can be particularly useful in large deployments that include many servers and managed clients.

Optimizing definitions and configuration rollouts

The Symantec System Center provides several options for tuning how servers roll out definitions and configuration changes to clients. You might need to experiment with these settings to optimize them for your environment. Table 2-4 describes the options for tuning server rollouts.

Table 2-4 Server rollout tuning options

Before attempting rollout, verify that clients have not roamed to another server
  Symantec AntiVirus concatenates GUIDs and IP addresses to verify client identity. If you use DHCP and experience parent management server contention for clients with IP addresses that change, and have a highly mobile environment, leave this option checked to reduce parent management server conflict over managed clients. If you have a very static environment in which your clients never or rarely change IP addresses, unchecking this option might result in some improvement in performance.

Skip the clients that are late checking in (and are probably offline)
  By default, clients are configured to check in for configuration updates every 60 minutes. Configuring clients to be skipped if they check in late should result in faster performance during rollouts. If they are not skipped, the thread that is used for each offline client is tied up until it times out. Clients receive the appropriate updates after they check in. Checking this option is not recommended in environments in which multiple clients are offline frequently, such as when many clients use VPN tunnels.

Skip the clients that have not checked in since the last failed rollout attempt (and are probably offline)
  Enabling this option should increase performance, but it is not recommended in environments in which clients might be offline frequently, for example, when using VPN tunnels.

Number of threads to use during rollout
  Each thread represents a rollout to a single client. The valid range is
  A reasonable number of threads to use for most single-processor computers is 30. Use numbers at the high end only if you tune a very powerful server that manages many clients and you have a network that can support the increased bandwidth.

Start a rollout every <number> minutes
  More frequent rollouts use more network bandwidth and server resources, but result in more frequent updates to the clients. The valid range is (one week).

For information about the option to manage legacy clients and servers, see Managing legacy clients on page 88.

To optimize definitions and configuration rollouts
1 Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Server Tuning Options.
2 Check or uncheck the following options:
  - Before attempting rollout, verify that clients have not roamed to another server.
  - Skip the clients that check in late (and are probably offline).
  - Skip the clients that have not checked in since the last failed rollout attempt (and are probably offline).
3 Set the number of threads to use during rollout to a value that is between 1 and
4 Set the number of minutes to wait between rollouts to a value that is between 1 and
5 Click OK.

Monitoring clients

Symantec AntiVirus allows you to monitor the following major transitions in the life cycle of a client computer:
- The client's initial contact with a parent.
- The times when a client roams from one parent to another.
- The client's failure to check in after a specified amount of time has elapsed.
- The uninstallation of Symantec AntiVirus software from a client.

To log whether or not a client checks in with the server that manages it, Symantec AntiVirus compares the last check-in time for each client to a saved value for that client. If the elapsed time is greater than the configured time, the event is logged in the Event Log as a system event. You can specify how often the Symantec System Center notifies you of these system events.

For example, you might want to set the minutes of inactivity before logging a no-check-in event to (one week) before Symantec AntiVirus logs an initial event that a client has not checked in. You might then set the minutes between no-check-in events to 1440 (one day) and the maximum number of events to log to 7. You are then notified in the Event Log every day for a week if the client does not reappear on the network.

For particularly large environments with many thousands of clients managed by a single server, you might want to tune the server parameters to regulate its CPU usage.

Note: These changes do not take effect until you restart the Symantec AntiVirus Service on the server that you are configuring.

To set options for monitoring clients
1 Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Server Tuning Options.
2 On the Client Tracking tab, under Processing Parameters, type the following information:
  - The number of minutes that Symantec AntiVirus should wait for information from the client.
  - The number of clients that Symantec AntiVirus should process before pausing.
  - The number of seconds that Symantec AntiVirus should pause when it checks clients.
3 Under Log Client Behavior, type values for the following options:
  Minutes of inactivity before logging a no-check-in event
    The number of minutes without client activity that Symantec AntiVirus should wait before it logs the first instance of a client's failure to check in.
  Maximum number of no-check-in events per client
    The maximum number of no-check-in events to log per client.
  Minutes between no-check-in events
    The number of minutes without client activity to wait before subsequent no-check-in events are logged.
4 Click OK.

Turning off client monitoring

You can turn client monitoring off by adding a new DWORD value, HKLM\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\ClientTrack\Enabled, to the server's registry. Set its value to 0 to turn off client tracking. Set its value to 1 to turn on client tracking. By default, client tracking is enabled. You must restart the server for a change to take effect.

Dynamic parent server check-in

Some network environments contain computers that are connected to the network only for brief periods of time. Symantec AntiVirus client computers check in with their parent server at a regular, configurable interval. If the time window during which the client computer is connected to the network overlaps with the client computer's parent server check-in time, then the client computer checks in.

If the connection time windows do not overlap, and the Symantec AntiVirus client computer fails to check in with its parent server during the check-in interval, the client computer begins to monitor IP address changes. If the client computer detects a new IP address, the client computer attempts another connection to the parent server. After a successful connection, configuration files and logs are exchanged as configured and the client computer check-in period is reset. The client computer does not respond to further IP address changes until the check-in period has expired again. If the check-in is unsuccessful, the Symantec AntiVirus client computer continues to respond to IP address changes until it makes a successful connection to the parent server.
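The two behaviours described above, the server-side no-check-in event schedule from the Log Client Behavior options and the client-side dynamic parent check-in, are worth modelling before choosing values, because the interaction between "minutes of inactivity", "minutes between events" and "maximum events" decides how much Event Log noise a missing laptop generates. The following is an added example, not Symantec's code: the first part reproduces the event schedule with the page's own worked values (one week, then daily for seven days); the second part is a state machine for the dynamic check-in rules. All timestamps, client names and the reference date are constructed.

```python
"""Client tracking events and dynamic parent check-in, modelled after the page.

Added example, not Symantec's code. Times, client names and addresses are
constructed for illustration only.
"""
from datetime import datetime, timedelta

ONE_WEEK_MINUTES = 7 * 24 * 60   # 10080: the "one week" inactivity value in the page's example
ONE_DAY_MINUTES = 24 * 60        # 1440: the "one day" interval between events


def no_checkin_events(last_checkin, now, inactivity_minutes, between_minutes, max_events):
    """Timestamps of the no-check-in events the server would have logged by 'now'.

    The first event is due 'inactivity_minutes' after the last check-in; later
    events follow every 'between_minutes' until 'max_events' have been logged.
    """
    if max_events <= 0 or inactivity_minutes <= 0 or between_minutes <= 0:
        return []
    events = []
    due = last_checkin + timedelta(minutes=inactivity_minutes)
    while due <= now and len(events) < max_events:
        events.append(due)
        due += timedelta(minutes=between_minutes)
    return events


def events_after_silence(days_silent, inactivity_minutes, between_minutes, max_events):
    """How many events a client silent for N days has generated (constructed reference time)."""
    now = datetime(2006, 6, 30, 9, 0)
    return len(no_checkin_events(now - timedelta(days=days_silent), now,
                                 inactivity_minutes, between_minutes, max_events))


class DynamicCheckin:
    """Client-side state machine for the dynamic parent server check-in behaviour."""

    def __init__(self, checkin_minutes):
        self.period = timedelta(minutes=checkin_minutes)
        self.next_due = None        # when the next regular check-in is due
        self.watching_ip = False    # True after a missed check-in, until one succeeds
        self.attempts = []          # timestamps of every connection attempt

    def _attempt(self, when, parent_reachable):
        self.attempts.append(when)
        if parent_reachable:
            self.next_due = when + self.period   # period reset; IP changes ignored again
            self.watching_ip = False
        else:
            self.watching_ip = True              # start reacting to IP address changes
        return parent_reachable

    def start(self, when, parent_reachable):
        """Initial check-in when the client comes up."""
        return self._attempt(when, parent_reachable)

    def tick(self, when, parent_reachable):
        """Regular timer: attempt a check-in only once the period has expired."""
        if self.next_due is not None and when >= self.next_due:
            return self._attempt(when, parent_reachable)
        return None

    def ip_changed(self, when, parent_reachable):
        """IP change notification: acted on only while a check-in is outstanding."""
        if self.watching_ip:
            return self._attempt(when, parent_reachable)
        return None


def demo_dynamic_checkin():
    """Constructed timeline: a laptop misses its parent, then connects after an address change."""
    t0 = datetime(2006, 6, 30, 9, 0)
    c = DynamicCheckin(60)
    trace = [
        ("start", c.start(t0, parent_reachable=False)),                      # parent unreachable
        ("ip_change_1", c.ip_changed(t0 + timedelta(minutes=5), True)),      # retried, succeeds
        ("ip_change_2", c.ip_changed(t0 + timedelta(minutes=20), True)),     # ignored: period not expired
        ("tick_1", c.tick(t0 + timedelta(minutes=30), True)),                # ignored: not due yet
        ("tick_2", c.tick(t0 + timedelta(minutes=65), False)),               # due, fails
        ("ip_change_3", c.ip_changed(t0 + timedelta(minutes=70), True)),     # retried, succeeds
    ]
    return trace, len(c.attempts)


if __name__ == "__main__":
    for days in (2, 7, 8, 13, 40):
        print("silent %2d days -> %d events" % (days, events_after_silence(days, ONE_WEEK_MINUTES, ONE_DAY_MINUTES, 7)))
    print(demo_dynamic_checkin())
```

With the page's values a client that stays silent generates exactly seven daily events and then goes quiet, which is why the "maximum number of events" cap matters on a server that tracks thousands of laptops.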
Note: This functionality is only available on Windows client computers. It is not supported on NetWare or Linux computers.

Using Tamper Protection

Tamper Protection provides real-time protection for Symantec applications. It prevents Symantec processes and internal objects from being attacked or affected by non-Symantec processes such as worms, Trojan horses, viruses, and security risks.

Note: If you use third-party security risk scanners that detect and defend against unwanted adware and spyware, these scanners typically impact Symantec processes. If Tamper Protection is enabled when you run such a third-party security risk scanner, Tamper Protection generates a large number of alerts and log entries.

Enabling, disabling, and configuring Tamper Protection

When Tamper Protection is enabled, you can configure Symantec AntiVirus to block or log attempts to modify the Symantec processes or the internal software objects that synchronize Symantec threads and processes. Internal objects coordinate the activity of programs running on a computer. For example, when you use Microsoft Outlook to send an e-mail message, the Symantec AntiVirus Snap-in for Outlook coordinates with the Symantec AntiVirus service to ask that the service scan the message.

Windows computers use several different kinds of internal objects. Tamper Protection protects the internal objects that are classified as named mutexes and named events. Mutexes ensure that only one program or thread can use the same resource, such as file access, at any given time. Mutexes are synchronization objects that can be owned by only one thread at a time. When the thread that owns the mutex finishes with the resource, the thread releases the mutex object so that another program or thread can use the resource. Processes create named events, which notify another program or a waiting thread that processing is complete. For example, event objects can be used by a master thread to prevent other threads from reading from a shared memory buffer while it writes to that buffer. When the master thread is finished writing to the buffer, it can send a named event to signal the waiting threads that they can resume read operations.

On the Windows API level, Tamper Protection intercepts calls to create, open, or modify these objects, such as CreateEvent, SetEvent, CreateMutex, ReleaseMutex, and so on. It then checks the name of the object against its list of protected names, which is called a manifest. If the names match, it next checks whether the executable backing the process that made the call has a valid Symantec digital signature. If the process has a valid signature, the request is permitted; otherwise, it is denied with an ERROR_ACCESS_DENIED error code. This protection works on both single-user systems and terminal servers.

You can also configure a message to appear on your computer when Symantec AntiVirus detects a tampering attempt. By default, notification messages appear when Symantec AntiVirus detects tampering with internal objects. If you enable notifications to be sent when Symantec AntiVirus detects tampering with processes, affected machines may receive notifications about Windows processes as well as Symantec processes.

To enable, disable, and configure Tamper Protection
1 Do one of the following:
  - Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Client Tamper Protection Options.
  - Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Server Tamper Protection Options.
2 Check or uncheck Enable tamper protection.
3 If you enabled Tamper Protection, then under Protection, check or uncheck Processes and Internal objects. In the drop-down list for each option, do one of the following:
  - To block unauthorized activity, click Block.
  - To log unauthorized activity but allow the activity to take place, click Log Only.
4 Under Notifications, check or uncheck Display message on affected computer.
5 Under Notifications, check or uncheck Processes and Internal objects.
6 Under Options, check or uncheck Keep Tamper Protection enabled even if Symantec AntiVirus is shut down.
7 If you configure Client Tamper Protection Options, lock or unlock each setting as appropriate for your network.
8 If you configure Client Tamper Protection Options, or you configure Server Tamper Protection Options at the server group level, click Reset All if you want to propagate the settings on this tab to every client that is attached to the server or server group.

Creating Tamper Protection messages

Tamper Protection lets you create a message that appears on clients when Tamper Protection detects attacks against Symantec applications. The message that you create can contain a mix of text that you type and fields that you select. The fields that you select are variables that are populated with the values that identify characteristics of the attack. Table 2-5 describes the fields for Tamper Protection messages.

Table 2-5 Fields for Tamper Protection messages

Filename
  The name of the file that attacked protected processes.
PathAndFilename
  The complete path and name of the file that attacked protected processes.
Location
  The area of the computer hardware or software that was protected from tampering. For Tamper Protection messages, this is Symantec applications.
Computer
  The name of the computer that was attacked.
User
  The name of the logged on user when the attack occurred.
DateFound
  The date on which the attack occurred.
Action Taken
  The action that Tamper Protection performed to respond to the attack.
System Event
  The type of tampering that occurred.
Entity Type
  The type of target that the process attacked.
Actor Process ID
  The ID number of the process that attacked a Symantec application.
Actor Process Name
  The name of the process that attacked a Symantec application.
Target Pathname
  The location of the target that the process attacked.
Target Process ID
  The process ID of the target that the process attacked.
Target Terminal Session ID
  The ID of the terminal session on which the event occurred.

Use the following format to create messages:
Text that you type: [Field Name 1] [Field Name 2] (Optional and additional text that you type [Field Name x])

The following example illustrates a message that tells you which process attempted to take which action and when:
Date: [DateFound] Process Located At: [PathAndFilename] (Named: [Actor Process Name]) Attacked: [Target Pathname] [Target Process ID]

To create Tamper Protection messages
1 Do one of the following:
  - Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Client Tamper Protection Options.
  - Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Server Tamper Protection Options.
2 Under Notifications, check Display message on affected computer and click the lock icon to lock this option.
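The manifest-plus-signature decision described under "Enabling, disabling, and configuring Tamper Protection" and the [Field] message format from Table 2-5 fit together naturally: the decision produces the event, and the template turns the event into the notification the user sees. The following is an added example, not Symantec's code: it models the documented decision (permit when the object is not in the manifest or the caller is Symantec-signed; otherwise deny in Block mode or record-and-allow in Log Only mode), validates a template against the Table 2-5 field names, and renders the page's own example template. The manifest entry, process names, paths and IDs are constructed placeholders, and the signature check is simulated by a flag rather than performed.

```python
"""Tamper Protection decision and message rendering, modelled after the page.

Added example, not Symantec's code. The manifest name, paths and process IDs
are constructed placeholders; signature verification is simulated by a flag.
"""
import re

# Field names from Table 2-5.
MESSAGE_FIELDS = {
    "Filename", "PathAndFilename", "Location", "Computer", "User", "DateFound",
    "Action Taken", "System Event", "Entity Type", "Actor Process ID",
    "Actor Process Name", "Target Pathname", "Target Process ID",
    "Target Terminal Session ID",
}
FIELD_RE = re.compile(r"\[([^\[\]]+)\]")   # a [Field Name] placeholder


def check_object_access(object_name, caller_signed, manifest, mode):
    """Return (verdict, reason) for a named-object API call (CreateMutex, SetEvent, ...).

    verdict is 'permit', 'deny' or 'log'; mode is 'Block' or 'Log Only',
    the two drop-down values the page describes.
    """
    if object_name not in manifest:
        return "permit", "object not in manifest"
    if caller_signed:
        return "permit", "caller has valid Symantec signature"
    if mode == "Block":
        return "deny", "ERROR_ACCESS_DENIED"   # error code named on the page
    return "log", "logged only; activity allowed"


def validate_template(template):
    """Return placeholder names that are not Table 2-5 fields (empty list = template is valid)."""
    return [f for f in FIELD_RE.findall(template) if f not in MESSAGE_FIELDS]


def render_message(template, event):
    """Substitute [Field] placeholders with event values; unknown fields are left as typed."""
    def sub(match):
        field = match.group(1)
        return str(event[field]) if field in event else match.group(0)
    return FIELD_RE.sub(sub, template)


# The page's own example template.
EXAMPLE_TEMPLATE = ("Date: [DateFound] Process Located At: [PathAndFilename] "
                    "(Named: [Actor Process Name]) Attacked: [Target Pathname] [Target Process ID]")


def demo_event():
    """Constructed sample: an unsigned process opening a protected (placeholder) mutex in Block mode."""
    manifest = {"PLACEHOLDER_PROTECTED_MUTEX"}   # stand-in name, not a real manifest entry
    verdict, _reason = check_object_access("PLACEHOLDER_PROTECTED_MUTEX", False, manifest, "Block")
    return {
        "DateFound": "2006-06-30 09:15",
        "PathAndFilename": r"C:\Temp\sample.exe",
        "Actor Process Name": "sample.exe",
        "Actor Process ID": 4242,
        "Target Pathname": "PLACEHOLDER_PROTECTED_MUTEX",
        "Target Process ID": 1337,
        "Action Taken": "Blocked" if verdict == "deny" else "Logged",
        "System Event": "Tamper attempt on internal object",
    }


if __name__ == "__main__":
    print("template problems:", validate_template(EXAMPLE_TEMPLATE) or "none")
    print(render_message(EXAMPLE_TEMPLATE, demo_event()))
```

Running validate_template before saving a message catches a mistyped field name such as [Date Found], which the console would otherwise display literally instead of populating.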
3 Click Message.
4 In the Message box, click to insert a cursor.
5 Use your keyboard to move the cursor, add rows, and type and delete text.
6 Move the cursor to a position in which you want to insert a field, right-click, click Insert Field, and then select the field to insert. See Table 2-5.
7 Repeat steps 5 and 6 as necessary.
8 Right-click in the field and use any of the following as necessary: Cut, Copy, Paste, Clear, or Undo.

Using client groups to manage

Creating client groups

You can create as many client groups as you need to manage your clients efficiently. All server groups contain a single Groups folder that contains all of the groups for that server group. When you create a new client group, the client group appears inside the Groups folder.

By default, client groups inherit their settings from their server group, but you can change this setting. See Using client group settings instead of server group settings on page 88.
To create a client group
1 Under the server group to which you want to add the client group, right-click the Groups folder, and then click New Group.
2 In the New Client Group dialog box, type the name for the new client group. The name cannot have more than 15 characters.
3 To apply the settings from an existing client group to the new client group, select the name of the existing client group from the drop-down list.
4 Click Create.

Adding clients to a client group

Computers that are running Symantec AntiVirus server, client, and legacy versions can be added to client groups. All clients are treated identically. If a legacy antivirus client does not have the feature for which a configuration option setting is set, the setting is ignored. A client can belong to only one client group.

To add a client to a client group
1 Click the server that contains the client.
2 In the right pane, drag the client into the client group.

Configuring settings and running tasks at the client group level

You can set configuration options and run tasks at the client group level. The settings apply to, or the task runs on, all clients in the client group.

To configure settings and run tasks at the client group level
1 Right-click the client group.
2 Click All Tasks.
3 Select the product for which you want to set options.
4 Make the appropriate changes for the settings that you want to configure or the task that you want to run.

About client group settings

Client group settings are stored in the primary management server's registry. They are rolled out to each server in a client group configuration file named Grcgrp.dat. The primary management server packages all client group settings into the client group configuration file and then copies it to each secondary management server in the server group. The secondary management server rolls out the settings to the clients that it manages.

Moving a client to a different client group

You can move clients easily from one client group to another.

To move a client to a different client group
Drag the client that you want to move into the new client group. Once you move the client, it receives the new client group's configuration settings.

Viewing and filtering client groups

When you view client groups, you can do the following:
- View a single client group.
- View information about client groups.
- Filter the client group view to show only the information that interests you.

Note: Filtering is disabled by default.

When you select a client group in the left pane, all of the clients that are assigned to it appear in the right pane. When the Groups folder is selected in the left pane and Default Console View or a Symantec product view is selected from the View menu, the client groups appear in the right pane along with information specific to the view. For example, when the Default Console View is active, the number of clients in each client group appears.

The clients must be enumerated to display the client groups accurately. Client group filtering must be enabled in the SSC Console Options Properties dialog box on the Client Display tab for the clients to be enumerated. When you select the Groups folder, the number of clients that are reported for each client group may not be accurate until a client group is selected.

Filtering improves client viewing performance in the Symantec System Center console. However, if there are many clients and servers in the server group, filtering may have a performance impact. See To filter the client group view on page 86.
To view a single client group
1 In the Symantec System Center console, in the left pane, right-click the server group that contains the client group, and then click Unlock Server Group.
2 Double-click the server group.
3 Double-click the Groups folder. The client groups appear nested beneath the Groups folder.

To filter the client group view
1 On the Tools menu, click Symantec System Center Console Options.
2 In the Symantec System Center Console Options Properties dialog box, on the Client Display tab, under Client Group Display Options, check Show client computers when viewing client groups.
3 Under Client list cache option, check Build client lists when the server group is unlocked, if appropriate. This option enumerates all of the clients in the server group when it is unlocked. When this option is unchecked, clients are not added to their client groups until the server is selected. The number of clients in a client group is not accurate until all of the servers in the server group have been selected. This option might affect performance if the server group contains many clients and servers.
4 Under Client configuration options, check Indicate when clients are offline to display a unique icon in the Symantec System Center console when a client is not connected to the network.
5 Click OK.
6 On the Action menu, click Refresh.

Renaming client groups

If you need to change the client group name, you must complete the following tasks:
- Create a new client group and import settings from another client group, if appropriate. See Creating client groups on page 83.
- Move clients from the old client group to the new client group. See Moving a client to a different client group on page 85.
- Delete the old client group. See Deleting client groups on page 87.

Deleting client groups

When a client group is deleted, the clients that are assigned to it retain the settings of the deleted client group. The clients are not assigned new settings until one of the following actions occurs:
- The client checks in with its parent management server. The client is then assigned the server's default settings for unassigned clients.
- The client is assigned to another client group. The client is then assigned the settings of the new client group.

If you delete a client group, and then recreate it before the clients check in with their parent management servers or are reassigned, the clients resume membership in the group automatically. They continue to assume the settings of that group.

To delete a client group
1 In the Symantec System Center console, in the left pane, unlock the server group from which you want to delete the client group.
2 Double-click the server group.
3 Double-click the Groups folder.
4 Right-click the target client group, and then click Delete Group.
5 Click Yes.
6 Click Delete.

Using client group settings instead of server group settings

By default, client groups inherit their settings from the server group that they are in, but you can toggle this setting on or off at the client group level.

To configure a client group to use its own settings
Right-click the client group, and then uncheck Inherit settings from Server Group.

Managing clients

You can perform several client management tasks in the Symantec System Center to manage the clients on your network.

Managing legacy clients

The current version of Symantec AntiVirus uses the Secure Sockets Layer protocol running over TCP to encrypt communications between servers and clients. Symantec AntiVirus versions 9.x and earlier used UDP for such communications. If you migrate version 9.x and earlier servers that manage legacy clients, UDP communications are permitted by default to support the legacy clients.

If you perform a new installation (not a migration) of a Symantec AntiVirus server that has no clients, the ability to manage legacy clients is disabled by default. In this instance, if you want to manage the clients that run version 9.x or earlier, you must explicitly enable the management of legacy clients on the server. After you enable this option, you need to restart the server that you configured for the change to take effect.

To manage legacy clients
1 Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Server Tuning Options.
2 On the Rollout and Management tab, check Allow this server to manage 9.x and earlier clients and servers (requires reboot to take effect).
3 Click OK.
Enabling direct client configuration

You can permit the direct configuration of Symantec AntiVirus clients. The options that you set directly remain in force until a new Grc.dat configuration file is copied to the client.

To enable direct client configuration
1 Click Tools > SSC Console Options.
2 In the SSC Console Options Properties dialog box, on the Client Display tab, under Client Configuration Options, click Allow direct configuration of individual clients.
3 Click OK.

Handling clients with intermittent connectivity

Each Symantec AntiVirus server stores a list of the Symantec AntiVirus clients that it manages and provides this data to the Symantec System Center. By default, clients check in with their parent management servers once an hour, and parent management servers review their lists of clients once an hour.

Parent management servers track client check-in times. If a client fails to check in with its parent management server for more than 30 days, the parent management server removes that client from its list of clients and logs that client as deleted. The next time that the Symantec System Center queries the parent management server for a list of its clients, that client does not appear.

You can control this behavior by configuring the following settings:
- The client check-in interval.
- The client expiration interval.

Changing the client check-in interval

By default, the client check-in interval is 60 minutes. You can change the check-in interval by editing the CheckConfigMinutes registry value or by using the Symantec System Center.

To change the client check-in interval
1 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, under How Clients Retrieve Virus Definitions Updates, check Update virus definitions from parent server.
3 Click Settings.
4 In the Update Settings dialog box, in the Check for updates every box, type the interval in minutes.
5 Click OK until the main Symantec System Center console window appears.

Changing the client expiration interval

On the parent management server, change the client expiration interval by adding a new DWORD value, ClientExpirationTimeout, to the HKEY_LOCAL_MACHINE\Software\Intel\LANDesk\VirusProtect6\CurrentVersion registry key. Make its value a number greater than 0.

Warning: The client expiration interval must be greater than the client check-in interval; otherwise the parent management server continually deletes and re-adds clients.

Without the ClientExpirationTimeout value, the default time is 720 hours. Use a smaller value to decrease the number of minutes that it takes for the client to be removed from the console, or use a larger value to increase the time. For example, if a large number of your client computers are removed from the Symantec System Center because people are away from the office and their computers are turned off, you can specify a larger number.

If the new client configuration is not immediately received by the parent management server or by the client, the information is updated during the client check-in.

Changing the management mode of a client

You can change an unmanaged client into a managed client and a managed client into an unmanaged client. When you change an unmanaged client into a managed client, it appears in, and can be configured by, the Symantec System Center. Similarly, changing a managed client into an unmanaged client causes the client to disappear from the Symantec System Center.

To change unmanaged clients into managed clients
1 Open Network Neighborhood or My Network Places.
2 Locate and double-click the computer that you want to act as the parent management server. The Symantec AntiVirus server software must be installed on the computer that you select.
3 Open the VPHOME\Clt-inst\Win32 folder.
4 Copy the Grc.dat configuration file in that folder to the <volume>:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5 folder on the unmanaged client.
5 On the intended parent management server, open the pki\roots folder and copy the <xxx.x>.servergroupca.cer file.
6 On the client computer, paste the <xxx.x>.servergroupca.cer file into the pki\roots directory, which appears under the directory that contains the Symantec AntiVirus files.
7 Restart the client.

To change managed clients into unmanaged clients
1 Uninstall Symantec AntiVirus from the client workstation. See the Symantec AntiVirus Installation Guide for more information.
2 Using the registry editor, delete the following subkey: HKEY_LOCAL_MACHINE\Software\Intel\LANDesk\VirusProtect6
3 Begin to reinstall the Symantec AntiVirus client software, and when you are prompted to select managed or unmanaged, select unmanaged.
4 Finish the installation.

Restoring communication between servers and managed client computers

Managed client computers might not appear in the Symantec System Center for several reasons. If either of the following situations occurs after you have installed Symantec AntiVirus 10.x on your client computers, you lose the ability to manage the client computers from the Symantec System Center:
- The Symantec AntiVirus server is renamed or its IP address is changed.
- Symantec AntiVirus 10.0 or later is uninstalled and then reinstalled without a copy of the <OS Drive>:\Program Files\SAV\PKI\ folder.

Restoring communication if you have made a server change or reinstalled a client computer

If you cannot see the client computers from the Symantec System Center, copy the Grc.dat file and the server group root certificate from the intended server to the client computer to restore communication. The next time that the client computer checks in with the parent server after you copy the new Grc.dat file to it, the client computer appears in the Symantec System Center. You can force the check-in by restarting the Symantec AntiVirus service on the client computer.

To copy the Grc.dat file to a client computer
1 On the parent management server, copy the Grc.dat configuration file from the Symantec AntiVirus program folder. The default location on a server is <OS drive>:\Program Files\SAV.
2 On the client computer, paste the Grc.dat file into the following folder: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5
After a few minutes, the client finds the Grc.dat file in this folder, makes the appropriate changes to the registry, and then deletes the Grc.dat file.

To copy the server group certificate to the client computer
1 On the intended parent management server, copy the server group certificate file from the Symantec AntiVirus program folder. The file to copy has a file name that ends in .servergroupca.cer. The default location on a server is <OS drive>:\Program Files\SAV\PKI\Roots.
2 On the client computer, paste the certificate file into the Roots folder. The default location on a client computer is <OS drive>:\Program Files\Symantec AntiVirus\PKI\Roots.

To restart the Symantec AntiVirus service
1 Right-click My Computer, and then click Manage.
2 In the right pane, double-click Services and Applications, and then click Services.
3 Right-click Symantec AntiVirus, and then click Restart. Make sure that you restart the Symantec AntiVirus service, not the Symantec AntiVirus Definition Watcher service.
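The check-in interval (CheckConfigMinutes) and the expiration interval (ClientExpirationTimeout) described under Handling clients with intermittent connectivity must satisfy the rule in the warning above, or the parent server keeps deleting and re-adding clients. The following PowerShell script is an added example, not part of the Symantec guide: it reads both values on a parent management server, applies the documented defaults when a value is absent, and reports whether the rule holds. It assumes that CheckConfigMinutes lives in the same CurrentVersion key that the guide names for ClientExpirationTimeout, and that ClientExpirationTimeout is expressed in hours, matching the 720-hour default the guide states.

```powershell
# Added example, not from the Symantec guide: compare the client check-in
# interval with the client expiration interval on a parent management server.
# Assumptions: CheckConfigMinutes sits in the same CurrentVersion key that the
# guide names for ClientExpirationTimeout, and ClientExpirationTimeout is
# expressed in hours, matching the 720-hour default the guide states.

$script:SavKey = 'HKLM:\Software\Intel\LANDesk\VirusProtect6\CurrentVersion'

function Get-SavDwordOrDefault([string]$Name, [int]$Default) {
    # A missing key or a missing value means the product default applies.
    $item = Get-ItemProperty -Path $script:SavKey -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null -and $item.$Name -ne $null) { return [int]$item.$Name }
    return $Default
}

function Test-SavClientIntervals {
    $checkInMinutes    = Get-SavDwordOrDefault 'CheckConfigMinutes'      60
    $expirationHours   = Get-SavDwordOrDefault 'ClientExpirationTimeout' 720
    $expirationMinutes = $expirationHours * 60

    if ($checkInMinutes -le 0) {
        $status = 'Invalid: CheckConfigMinutes must be greater than 0'
        $missed = 0
    } elseif ($expirationHours -le 0) {
        $status = 'Invalid: ClientExpirationTimeout must be greater than 0'
        $missed = 0
    } else {
        # Consecutive check-ins a client can miss before the parent server
        # logs it as deleted.
        $missed = [math]::Floor($expirationMinutes / $checkInMinutes)
        if ($expirationMinutes -le $checkInMinutes) {
            # The loop the guide warns about: the server expires the client
            # before its next check-in, then re-adds it when it checks in.
            $status = 'Danger: expiration interval is not greater than check-in interval'
        } else {
            $status = 'OK'
        }
    }

    New-Object PSObject -Property @{
        CheckInMinutes  = $checkInMinutes
        ExpirationHours = $expirationHours
        MissedCheckIns  = $missed
        Status          = $status
    }
}

Test-SavClientIntervals | Format-List CheckInMinutes, ExpirationHours, MissedCheckIns, Status
```

Run it in an elevated PowerShell session on the parent management server; with no ClientExpirationTimeout value present it reports the 720-hour default and 720 missed check-ins at the default 60-minute interval.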
Restoring communication when you use a drive image to create clones on the same network

Every Symantec AntiVirus installation creates a globally unique identifier (GUID) for that installation when the Rtvscan service first starts. If you use a computer with Symantec AntiVirus installed on it to create a drive image, and then use that image to create clones of that computer on the same network, every clone has the same GUID. This situation can cause managed client computers to disappear from the Symantec System Center, although they should still be able to receive definitions updates. To fix the problem, delete the GUID registry value on the client computers and then restart the Symantec AntiVirus service.

To delete the GUID registry value on client computers
1 In the Registry Editor, go to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion
2 In the right pane, right-click GUID, and then click Delete.
3 Exit the Registry Editor.
4 Restart the Symantec AntiVirus service. For information about how to restart the Symantec AntiVirus service, see To restart the Symantec AntiVirus service.

Restoring communication if the client computers can receive definitions updates

If your managed client computers receive virus definitions updates from a parent server but are not visible in the Symantec System Center, you may need to stop and then restart all the related Symantec AntiVirus services on the parent server in the correct order.

To stop and restart all of the Symantec AntiVirus services
1 Stop the Symantec AntiVirus services in the following sequence:
- Symantec System Center Discovery Service
- Intel Alert Handler
- Intel Alert Originator
- Intel File Transfer
- Intel PDS
- Symantec AntiVirus (in Symantec AntiVirus 8.x and earlier, the service name is Symantec AntiVirus Server)
- Symantec Quarantine Agent
- Symantec Central Quarantine
2 After all the services are stopped, restart the services in the following sequence:
- Symantec AntiVirus (in Symantec AntiVirus 8.x and earlier, the service name is Symantec AntiVirus Server)
- Intel PDS
- Intel Alert Handler
- Intel Alert Originator
- Intel File Transfer
- Symantec Quarantine Agent
- Symantec Central Quarantine
- Symantec System Center Discovery Service

Restoring communication if the client computers cannot receive definitions updates

There are several reasons that managed client computers may not appear in the Symantec System Center. If the affected client computers are not receiving virus definitions updates, the loss of communication may be caused by one of the following:
- There is a network communication problem. See To confirm there is no network communication problem on page 95.
- You are not using the correct version of the Symantec System Center. For information about how to determine the version that you are using, in the Symantec Knowledge Base, see "Determining the version of Symantec System Center."
- You have not configured the Symantec System Center 10.x to manage legacy client computers and servers. For information about how to set up the Symantec System Center to manage legacy client computers, see Managing legacy clients.
- The server group root certificate is missing from the server or client computer.
- The Grc.dat file on the client computer is missing or corrupted.
- There is a problem with the Symantec Network Drivers service.
- The Windows firewall settings are interfering with communication. For information about how to configure or disable the Windows firewall, in the Symantec Knowledge Base, see "Adding port exceptions to Windows Internet Connection Firewall for Symantec AntiVirus" or "How to disable the Windows XP firewall."

Note: Investigate each of these possible causes in the order in which they are listed.

To confirm there is no network communication problem
1 On the parent server, open a command prompt and ping the client by computer name. For example, type: ping <client1> where <client1> is the computer name of the client computer. The command should return the client computer's correct IP address.
2 On the parent server, open a command prompt and use the ping -a command with the client's IP address. For example, type: ping -a XXX.XXX.X.X where XXX.XXX.X.X is the client computer's IP address. The command should return the client computer's correct fully qualified domain name.
3 On the client, open a command prompt and ping the parent server by computer name. For example, type: ping <server1> where <server1> is the computer name of the parent server. The command should return the parent server's correct IP address.
4 On the client, open a command prompt and use the ping -a command with the parent server's IP address. For example, type: ping -a XXX.XXX.X.X where XXX.XXX.X.X is the parent server's IP address. The command should return the parent server's correct fully qualified domain name.

If network communication fails, fix any problems on the network that are related to DNS or name resolution before trying other solutions.

Communication fails if the server group root certificate is not present on the servers, the managed client computers, and the computer on which you are using the Symantec System Center. Legacy client computers and servers do not need a copy of the root certificate.

To confirm the presence of the server group root certificate on parent servers and computers that run Symantec System Center
1 Start Windows Explorer.
2 Open the Symantec AntiVirus program folder. The default location is either <OS drive>:\Program Files\SAV or <OS drive>:\Program Files\SAV\Symantec AntiVirus.
3 Open the pki\roots folder and find the xxx.x.servergroupca.cer file.
4 If the xxx.x.servergroupca.cer file is not present, do one of the following:
- Copy the file from another parent server and restart the Symantec AntiVirus service. For information about how to restart the Symantec AntiVirus service, see To restart the Symantec AntiVirus service.
- Restore a backup copy of the pki folder and restart the Symantec AntiVirus service. The pki folder is located in the primary server's Symantec AntiVirus program folder, which on Windows computers is either <OS drive>:\Program Files\SAV or <OS drive>:\Program Files\SAV\Symantec AntiVirus.
If you do not have a backup copy of the pki folder, follow the directions in Restoring client communication when a primary server is lost.
To confirm the presence of the certificate on managed client computers
1 Start Windows Explorer.
2 Go to the Symantec AntiVirus program folder. The default location is <OS Drive>\Program Files\Symantec AntiVirus.
3 Open the pki\roots folder and find the xxx.x.servergroupca.cer file.
4 Make sure that the file matches the xxx.x.servergroupca.cer file on the client computer's parent server.
5 If the xxx.x.servergroupca.cer file is not present, copy the file from the pki\roots folder on the parent server.

To confirm that Symantec AntiVirus works correctly on the client computers
1 Start Symantec AntiVirus.
2 Make sure that the correct parent server name appears under General Information. If the correct parent server name does not appear, copy the Grc.dat file from the parent server to the client. For information about how to copy the Grc.dat file, see To copy the Grc.dat file to a client computer.
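The manual checks in this section (restarting the parent server's services in the documented order, confirming forward and reverse name resolution, and confirming that the server group root certificate on a client matches the one on its parent server) can be scripted. The following PowerShell functions are an added example, not part of the Symantec guide. Service display names and default program folders come from the guide; the client name client1, the address 192.0.2.10 and the use of the client's administrative share in the usage lines are assumptions.

```powershell
# Added example, not from the Symantec guide. Helpers for the checks in this
# section: restart the parent server's services in the documented order,
# confirm forward and reverse name resolution, and compare the server group
# root certificate between a server and a client. Service display names and
# default folders come from the guide; the names, address and admin share in
# the usage lines at the bottom are assumptions.

# Stop and start orders from the guide. The 8.x display name
# "Symantec AntiVirus Server" is tried where "Symantec AntiVirus" is absent.
$script:SavStopOrder = @('Symantec System Center Discovery Service',
    'Intel Alert Handler', 'Intel Alert Originator', 'Intel File Transfer',
    'Intel PDS', 'Symantec AntiVirus', 'Symantec Quarantine Agent',
    'Symantec Central Quarantine')
$script:SavStartOrder = @('Symantec AntiVirus', 'Intel PDS',
    'Intel Alert Handler', 'Intel Alert Originator', 'Intel File Transfer',
    'Symantec Quarantine Agent', 'Symantec Central Quarantine',
    'Symantec System Center Discovery Service')

function Get-SavService([string]$DisplayName) {
    # Literal display-name match (no wildcard), so 'Symantec AntiVirus' never
    # resolves to 'Symantec AntiVirus Definition Watcher'.
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $svc -and $DisplayName -eq 'Symantec AntiVirus') {
        $svc = Get-Service -DisplayName 'Symantec AntiVirus Server' -ErrorAction SilentlyContinue
    }
    return $svc
}

function Restart-SavParentServices {
    # Services that are not installed (for example the Quarantine services)
    # are skipped. A service that refuses to stop aborts the whole sequence,
    # so the start order never runs against a half-stopped set.
    foreach ($name in $script:SavStopOrder) {
        $svc = Get-SavService $name
        if ($svc -and $svc.Status -ne 'Stopped') {
            Write-Host "Stopping $($svc.DisplayName)"
            Stop-Service -Name $svc.Name -ErrorAction Stop
        }
    }
    foreach ($name in $script:SavStartOrder) {
        $svc = Get-SavService $name
        if ($svc -and $svc.Status -ne 'Running') {
            Write-Host "Starting $($svc.DisplayName)"
            Start-Service -Name $svc.Name -ErrorAction Stop
        }
    }
}

function Test-SavNameResolution([string]$ComputerName, [string]$ExpectedIp) {
    # Steps 1 and 3 of the guide: the name must resolve to the expected
    # address. Steps 2 and 4: the address must resolve back to that host.
    $forward = $false; $reverse = $false; $fqdn = $null
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($ComputerName) |
            ForEach-Object { $_.IPAddressToString }
        $forward = @($addrs) -contains $ExpectedIp
    } catch { Write-Warning "Forward lookup of $ComputerName failed: $_" }
    try {
        $fqdn = [System.Net.Dns]::GetHostEntry($ExpectedIp).HostName
        $reverse = ($fqdn -eq $ComputerName) -or ($fqdn -like "$ComputerName.*")
    } catch { Write-Warning "Reverse lookup of $ExpectedIp failed: $_" }
    New-Object PSObject -Property @{
        Name = $ComputerName; Forward = $forward; Reverse = $reverse; Fqdn = $fqdn
    }
}

function Get-SavRootCertFile([string]$ProgramFolder) {
    # Exactly one *.servergroupca.cer is expected under pki\roots.
    $roots = Join-Path $ProgramFolder 'pki\roots'
    $files = @(Get-ChildItem -Path $roots -Filter '*.servergroupca.cer' -ErrorAction SilentlyContinue)
    if ($files.Count -ne 1) { return $null }
    return $files[0]
}

function Get-SavFileSha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { return [BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '') }
    finally { $stream.Close() }
}

function Test-SavRootCertificate([string]$ServerProgramFolder, [string]$ClientProgramFolder) {
    # Returns Match, Mismatch, MissingOnServer or MissingOnClient. A name
    # mismatch means the client trusts a different server group's root.
    $server = Get-SavRootCertFile $ServerProgramFolder
    if (-not $server) { return 'MissingOnServer' }
    $client = Get-SavRootCertFile $ClientProgramFolder
    if (-not $client) { return 'MissingOnClient' }
    if ($server.Name -ne $client.Name) { return 'Mismatch' }
    if ((Get-SavFileSha256 $server.FullName) -eq (Get-SavFileSha256 $client.FullName)) { return 'Match' }
    return 'Mismatch'
}

# Usage (assumed client name, address and admin share; the folders are the
# guide's default locations):
# Restart-SavParentServices
# Test-SavNameResolution -ComputerName 'client1' -ExpectedIp '192.0.2.10'
# Test-SavRootCertificate "$env:SystemDrive\Program Files\SAV" '\\client1\C$\Program Files\Symantec AntiVirus'
```

Run Test-SavNameResolution from both the parent server and the client, as the guide's four ping steps do, since the two sides may use different DNS servers.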
Chapter 3 Alert Management System

This chapter includes the following topics:
- About the Alert Management System
- How Alert Management System works
- Configuring alert actions
- About configuring alert action messages
- Configuring a default alert message
- Working with configured alerts
- Using the Alert Management System Alert Log
- Forwarding alerts from unmanaged clients

About the Alert Management System

Alert Management System 2 (AMS 2) provides emergency management capabilities. AMS 2 supports alerts on any supported NetWare server or Windows server. You must explicitly install AMS 2. It is not installed by default.

AMS 2 can generate alerts through the following means:
- Message box
- Broadcast
- Internet mail
- Page
- Run a program
- Write to the Windows Event Log
- Send an SNMP trap
- Load an NLM

Note: Alerts that are generated through SNMP traps can be sent to any third-party SNMP management console. To receive SNMP traps from Symantec AntiVirus, you must have the Symantec System Center and AMS 2 installed. Install AMS 2 on a primary management server if you want SNMP traps that are generated from that system. You must use the Symantec System Center to designate the primary management server. See Configuring the Send SNMP Trap alert action on page 109.

How Alert Management System works

AMS 2 alerts are transferred from Symantec AntiVirus into AMS 2 through the Symantec AntiVirus service. On a computer running the Symantec AntiVirus client software, the Symantec AntiVirus service waits for an event thread that requires an alert. These threads can be generated by the following events:
- Configuration change
- Default Alert
- Symantec AntiVirus startup/shutdown
- Scan Start/Stop
- Risk Repair Failed
- Risk Repaired
- Virus Definitions File Update
- Virus Found

If you have configured an alert for any of these events, the event generates a thread when it occurs. The thread prompts the Symantec AntiVirus service to create a risk information block, which it forwards to the client's parent management server. When the parent management server receives the risk information block, it enters it into its AMS 2 log. The risk information is then forwarded to the primary management server, which makes a call to AMS 2. AMS 2 enters the information into the AMS 2 database and acts on it. The action that is taken depends on how you have configured the alert.
Communication in AMS 2 is carried out through CBA, which is part of the Intel Communication Method.

Configuring alert actions

AMS 2 lets you configure many different methods of notification, such as pager, SNMP, and Internet mail, for detected viruses or security risks and for configuration changes.

Alert configuration tasks

AMS 2 alert configuration requires the following related tasks:
- Select an alert in the Alert Actions dialog box.
- Select the alert action that you want to configure for that alert. The alert action is the response that AMS 2 sends you when an alert parameter is detected.
- Configure the alert action that you selected. For example, you can configure the Send Page alert action to notify you if a virus or security risk is detected on a protected server. The pager message can also include information such as the virus or security risk name and type, and the actions that are taken.

There are no default alert actions for any of the alerts. Until you configure AMS 2, no alerts are generated, though virus and security risk events are logged in the AMS 2 log file. You can set up more than one action for each alert. Once you have configured alert actions for an alert, a plus (+) or minus (-) sign appears next to each configured alert, depending on whether the entry is collapsed or expanded.

Each AMS 2 alert action has its own configuration wizard. Once you have configured an alert action, the action appears in the Alert Actions dialog box under the alert for which you configured the action.

All alert actions execute on the computer that you select when you configure the action. Actions do not execute if you configure them on a computer that does not support that particular action. For example, any computer on which you configure the Send Page action must have a modem.
Speeding up alert configuration

If you have a large network, you may be able to speed up and simplify your configuration of AMS 2 by searching only a certain segment of your network for AMS 2 computers. This is especially useful if you manage a large network with many different servers, and you want to confine your search to one section of the network, or one specific subnet mask. The process is faster when you limit your search, and alerts are contained in the defined network segment. You can get a faster response across a large network if you limit the network segments. You can specify whether you want AMS 2 to discover clients only within a certain octet or subnet mask.

To speed up alert configuration
1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure.
2 Click Options.
3 In the Options dialog box, in the Add IP address box, type the TCP/IP network broadcast address where you want to search for AMS 2 computers. This is the first three segments of the computer's IP address followed by an all-inclusive segment. For example, if you enter a search broadcast address of , any of the 256 computers with AMS 2 in the subnet will receive the broadcast. So if you are searching for an AMS 2 computer that has an IP address of , you will find it.
4 Click Add to add this net address to the Current discovery broadcast addresses list. Only broadcast networks that are listed here are searched to discover new AMS 2 computers. If you have not specified any broadcast networks, the entire network is searched each time that you start a Discovery.
5 To remove a net address that is no longer needed from the Current discovery broadcast addresses list, select the address, and then click Remove. When you remove a net address from this list, it does not disable that section of the network. Removing a net address only prevents AMS 2 from searching that section of the network for AMS 2 computers.
6 Click OK to save the list and return to the Alert Actions dialog box.

Configuring the Message Box alert action

The Message Box alert action displays a message box on the computer from which you configure the action. You can select whether the message box sounds a beep when it appears and whether the message box stays on the screen until it is cleared.

To configure the Message Box alert action
1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure.
2 Select the alert for which you want to configure alert actions.
3 Click Configure.
4 Click Message Box, and then click Next.
5 Select a computer to execute the action, and then click Next.
6 Select whether you want an error beep and whether you want the dialog box always to appear on top until it is cleared.
7 Click Next.
8 Type an action name. The action name and the action computer name appear in the Alert Actions dialog box beside this action.
9 In the Message box, type any message text that you want to display and move the available parameters that you want from Alert Parameters to the Message box. See About configuring alert action messages on page 112.
10 Click Finish.
Configuring the Broadcast alert action

The Broadcast alert action sends a message to all computers that are logged on to the server that generates the alert.

To configure the Broadcast alert action
1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure.
2 Select the alert for which you want to configure alert actions.
3 Click Configure.
4 Click Broadcast, and then click Next.
5 Select a computer to execute the action, and then click Next.
6 In the Message box, type any message text that you want to display and move the available parameters that you want from Alert Parameters to the Message box. See About configuring alert action messages on page 112.
7 Type an action name. The action name and the action computer name appear in the Alert Actions dialog box beside this action.
8 Click Finish.

Configuring the Run Program alert action

The Run Program alert action runs a program on the computer for which you configure the alert action. You must complete two fields in the Run Program dialog box. The Program box should contain the full path to the program that you want to run. The Command Line box should contain any command-line options for that program. The program that you select should be on the computer's local drive to ensure that AMS 2 can find it. If you are running the program on a remote computer, you must enter the path to the program as seen from that computer. If you are running a Windows program, you can select whether that program runs in a normal, minimized, or maximized state. This option has no effect on MS-DOS programs.
To configure the Run Program alert action
1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure.
2 Select the alert for which you want to configure alert actions.
3 Click Configure.
4 Click Run Program, and then click Next.
5 Select a computer to execute the action, and then click Next.
6 Type the full path name to the program that you want to run, including the program name.
7 Type any command-line options that you want the program to use.
8 Select a Windows execution state of normal or minimized.
9 Click Finish.

Configuring the Load An NLM alert action

The Load An NLM alert action loads a NetWare Loadable Module (NLM) on a selected NetWare server when the AMS 2 alert occurs. You must configure this alert to determine which NLM is loaded, and the server onto which it loads. This alert action is similar to the Run Program alert action for a Windows computer. For example, if you were running the Symantec AntiVirus management snap-in, you could configure the Load An NLM alert action to load an NLM that you or a third party created on a selected NetWare server when Symantec AntiVirus detects a risk. This NLM could monitor who accesses the server and who uses the infected file. It could also back up files if the server crashes because of the infection.

To configure the Load An NLM alert action
1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure.
2 Select the alert for which you want to configure alert actions.
3 Click Configure.
4 Click Load An NLM, and then click Next. The first time that you configure this action, AMS 2 needs to search the network for NetWare computers that can perform this action. When the search completes, the NetWare computers appear in tree format.
5 If the computer that you are looking for does not appear in the list, click Options. See Speeding up alert configuration on page 101.
6 Select the computer on which the NLM should load, and then click Next.
7 Type or select the NLM to load. NLMs are usually stored in the SYS:\SYSTEM directory on NetWare servers.
8 Type any command-line options that you want the program to use.
9 Click Finish.

Configuring the Send Internet Mail alert action

The Send Internet Mail alert action sends an Internet mail message to the user that you specify. When you use the Send Internet Mail alert action, you also need to specify the SMTP Internet mail server through which the alert action sends the message. If you specify the mail server by name, you need a DNS server that is configured so that the Send Internet Mail alert action can resolve the server's IP address. If you do not have a DNS server, you can enter the mail server's IP address directly. If you do not have access to an SMTP Internet mail server at your site, this alert action does not work.

To configure the Send Internet Mail alert action
1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure.
2 Select the alert for which you want to configure alert actions.
3 Click Configure.
4 Click Send Internet Mail, and then click Next.
5 Select the computer to execute the action, and then click Next.
6 In the To Internet Mail Address, Return Internet Mail Address, Subject, and SMTP Mail Server boxes, type or select information as appropriate. It is preferable to provide the mail server's IP address rather than its name. The Return Internet Mail Address box must contain a valid Internet address. Most servers will not send a message if the server cannot validate the sender's address.
7 Click Next.
8 In the Message box, type any message text that you need and move the available parameters that you want from Alert Parameters to the Message box. See About configuring alert action messages on page 112.
9 Type an action name. The action name and the action computer name appear in the Alert Actions dialog box beside this action.
10 Click Finish.

About paging services

You can access a paging service either directly or indirectly. Direct paging refers to dialing the service provider's network access phone number and accessing the service provider's computer network directly to enter the pager identification number. The paging service network then sends the message to the pager.

AMS 2 alerting does not work with indirect paging. Indirect paging involves calling a paging service, speaking with an operator, and giving the operator the pager's identification number. The paging service operator enters the information into the paging network, which then sends the message to the pager. The indirect paging method is often used when contacting the network directly would be a toll call and the paging service offers toll-free service through the operator.

Configuring the Send Page alert action

The Send Page alert action sends a pager message to the number that you specify. You need to configure the Send Page alert action for your paging service. At a minimum, this information includes the paging service phone number and the name of the paging service that you use.

Note: Any computer on which you configure a Send Page action needs to have a modem. See Testing configured alert actions on page 114.

To configure the Send Page alert action
1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure.
2 Select the alert for which you want to configure alert actions.
3 Click Configure.
4 Click Send Page, and then click Next.
5 Select a computer to execute the action, and then click Next.
6 Type the access telephone number that you call to reach the paging service. Be sure to include any numbers that are necessary to access an outside line from your site.
7 Type the pager ID number and password that you use to access the paging service network. If your paging service does not use a password, leave the Password box blank.
8 Select your service type. If your paging service is not in the Service drop-down list in the Send Page dialog box, try to use the Standard Numeric or the Standard Alpha/Numeric service. Select the one that most closely matches the type of pager that you use. If the generic service that you select does not work with your pager, you must configure the communication parameters that the Send Page alert action needs to use. You can get this information from your paging service. If necessary, do the following:
- Click Settings.
- In the drop-down lists, select the baud rate, data and stop bits, parity, and the paging protocol that your paging service uses, and then click OK.
If your paging service is in the Service drop-down list, these parameters are configured automatically when you select the service.
109 Alert Management System Configuring alert actions Click Next. If you create a message for an alphanumeric pager, in the Message box type any message text you want to display and move available parameters from Alert Parameters to the Message box. If you create a message for a numeric pager, you can only type numbers in the Message box. The Send Page alert action supports both alphanumeric and numeric-only pagers (numeric-only pagers are sometimes called beepers). If you're paging an alphanumeric pager, the message can include any text that you type in and information from the alert that generated the message. This message should not exceed the maximum number of characters that your paging service supports; otherwise, you could get a truncated message. If you're paging a numeric-only pager, you may want to create a system of server numbers and numeric error codes that correspond to alerts that you configure. For instance, you could create a system where 1 refers to your main production server and number 101 means some specific event has occurred. If you received the message 1 101, then you would know that the event had occurred on your main production server. 10 Type an action name. The action name and the action computer name appear in the Alert Actions dialog box beside this action. 11 Click Finish. Configuring the Send SNMP Trap alert action Simple Network Management Protocol (SNMP) is a message-based protocol based on a manager/agent model consisting of Get, GetNext, and Set messages and responses. SNMP uses traps to report exception conditions such as component failures and threshold violations. AMS 2 can generate an SNMP trap when an alert occurs. You can configure systems generating alerts to send these traps to a management console, such as HP OpenView, Tivoli Enterprise Console, or Computer Associates Unicenter. You must specify the IP address of the computers to which you want SNMP traps sent. 
To configure the Send SNMP Trap alert action
1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure.
2 Select the alert for which you want to configure alert actions.
3 Click Configure.
4 Click Send SNMP Trap, and then click Next.
5 Select a computer to execute the action, and then click Next.
6 In the SNMP trap, type any message text that you want to display and move the parameters that you want from Alert Parameters to the Message box.
7 Type an action name.
The action name and the action computer name appear in the Alert Actions dialog box beside this action.
8 Click Finish.

Configuring trap destinations for Windows 2000/2003 Server

You can configure SNMP traps for Windows 2000/2003 Server.

To configure trap destinations for Windows 2000/2003 Server
1 On the Windows taskbar, click Start > Settings > Control Panel.
2 Double-click Administrative Tools.
3 Double-click Computer Management.
4 Click Services and Applications.
5 Click Services.
6 In the right pane, click SNMP Service.
7 On the Action menu, click Properties.
8 On the Traps tab, under Community name, type the case-sensitive community name to which this computer will send trap messages, and then click Add to List.
9 In Trap destinations, click Add.
10 In Host name, IP address, type information for the host, and click Add.
11 Repeat steps 8 through 10 until you have added all the communities and trap destinations you want.

Configuring trap destinations for NetWare

You can configure SNMP traps for NetWare 5.x and 6.x servers.
To configure trap destinations for NetWare
1 In the NetWare server console, type: load inetcfg
2 Select Protocols and press Enter.
3 Select TCP/IP and press Enter.
4 Select SNMP Manager Table, and then press Enter to display the SNMP Manager Table.
5 Do one of the following:
To modify an existing address, select it, and then press Enter.
To add a new address, press Insert, type an IP address, and then press Enter.
To delete an address, select it, press Delete, and then press Enter to confirm the deletion.
6 Press the Esc key to close the dialog box.
7 Press Enter to confirm the change to the database.

Configuring the Write To Event Log alert action

The Write To Event Log alert action creates an entry in the Windows Event Log's Application Log. This entry is logged on the server from which the alert came. This alert action is available only on supported Windows computers.

To configure the Write To Event Log alert action
1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure.
2 Select the alert for which you want to configure alert actions.
3 Click Configure.
4 Click Write To Event Log, and then click Next.
5 Select a computer to execute the action, and then click Next.
6 In the Message box, type any message text that you want to display and move the parameters that you want from Alert Parameters to the Message box.
7 Type an action name.
The action name and the action computer name appear in the Alert Actions dialog box beside this action.
8 Click Finish.
About configuring alert action messages

For the alert actions that generate messages (for example, Message Box, Broadcast, Send Page, and Send Internet Mail), you can include additional information from the alert that generated the message. The additional types of information available vary, depending on the type of alert action that you configure. Table 3-1 describes the additional types of information.

Table 3-1 Alert message parameters

Alert parameter and description:

<Actual Action>
    The actual action that was taken on the threat or security risk.
<Alert Name>
    The name of the alert; for example, Symantec AntiVirus Startup/Shutdown.
<Computer Name>
    The name of the computer on which the alert originated.
<Corrective Actions>
    The actions that were taken to correct the risk.
<Date>
    The date when the notification was generated.
<Description>
    More information about the nature of the notification; for example, Symantec AntiVirus services shutdown was successful.
<Failed Alert Name>
    The name of the alert that failed. This parameter is available for default alerts.
<File Path>
    The location of the file that was infected by the threat or security risk.
<Logger>
    The type of scan that found and logged the alert.
<Requested Action>
    The primary action that was configured for this threat or security risk.
<Severity>
    The level of severity that is assigned to the alert; for example, Critical or Non-Critical.
<Source>
    The product source of the notification; for example, Symantec AntiVirus.
<Risk Name>
    The name of the threat or security risk that triggered the alert.
Table 3-1 Alert message parameters (continued)

<Time>
    The time when the notification was generated.
<User>
    The name of the user who was logged in when the alert-triggering event occurred.
<Virus Name>
    The name of the virus or security risk that triggered the alert.

The Message dialog box includes a text box in which you can enter as many as 256 characters to be used as the text of the message that you want to send. You can use the variables in Alert parameters to insert information generated by the alert. Parameters are delimited by < and > characters. Each parameter placeholder that you add to the Message text box is substituted with corresponding alert information when an alert occurs.

Figure 3-1 shows the Alerting System Notification dialog box.

Figure 3-1 Alerting System Notification

Configuring a default alert message

If the AMS 2 alerting system detects a message larger than 1 KB, the message will not be delivered. If you have configured a default alert message, it will be delivered instead. You can configure this default alert to notify you when a message exceeds 1 KB.
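As an added example (not Symantec's code), the following Python models the message handling this chapter describes: substitution of the <Parameter> placeholders from Table 3-1, the 256-character limit of the Message box, the 1 KB delivery rule with fallback to the default alert message, and the server-number/event-code scheme suggested for numeric-only pagers. The sample alert values and the reading of 1 KB as 1024 bytes are assumptions.

```python
"""Added example, not Symantec's code: models the AMS 2 alert message handling
described in this chapter (Table 3-1 parameters, the 256-character Message
box, the 1 KB delivery rule and the numeric-only pager code scheme)."""
import re

MESSAGE_BOX_LIMIT = 256   # characters the Message text box accepts
DELIVERY_LIMIT = 1024     # "1 KB" on the page; assumed here to mean 1024 bytes

# Alert parameters listed in Table 3-1, spelled as they appear in the Message box.
ALERT_PARAMETERS = frozenset({
    "Actual Action", "Alert Name", "Computer Name", "Corrective Actions",
    "Date", "Description", "Failed Alert Name", "File Path", "Logger",
    "Requested Action", "Severity", "Source", "Risk Name", "Time", "User",
    "Virus Name",
})

# Parameters are delimited by < and > characters.
PLACEHOLDER = re.compile(r"<([^<>]+)>")


def validate_template(template):
    """Rejects message text the Message box would not accept: longer than 256
    characters, or using a placeholder that is not an alert parameter."""
    if len(template) > MESSAGE_BOX_LIMIT:
        raise ValueError(f"message text exceeds {MESSAGE_BOX_LIMIT} characters")
    unknown = [p for p in PLACEHOLDER.findall(template) if p not in ALERT_PARAMETERS]
    if unknown:
        raise ValueError(f"unknown alert parameter(s): {unknown}")


def template_is_valid(template):
    """Boolean wrapper around validate_template for callers that do not want exceptions."""
    try:
        validate_template(template)
        return True
    except ValueError:
        return False


def render(template, alert):
    """Substitutes each <Parameter> placeholder with the matching alert value.
    A parameter this alert type does not carry becomes an empty string."""
    validate_template(template)
    return PLACEHOLDER.sub(lambda m: str(alert.get(m.group(1), "")), template)


def deliver(template, alert, default_template):
    """Applies the 1 KB rule: a rendered message larger than 1 KB is not
    delivered and the configured default alert message is delivered instead.
    Returns (message text, used_default)."""
    text = render(template, alert)
    if len(text.encode("utf-8")) > DELIVERY_LIMIT:
        return render(default_template, alert), True
    return text, False


def numeric_page(server_number, event_code):
    """Builds the message for a numeric-only pager using the scheme suggested
    above: server number, a space, event code (for example '1 101')."""
    if server_number < 0 or event_code < 0:
        raise ValueError("server numbers and event codes must be non-negative")
    return f"{server_number} {event_code}"


def decode_numeric_page(message):
    """Inverse of numeric_page: returns (server_number, event_code)."""
    server, code = message.split()
    return int(server), int(code)


# Constructed sample alert, not real product output.
SAMPLE_ALERT = {
    "Alert Name": "Virus Found",
    "Computer Name": "FILESRV01",
    "Severity": "Critical",
    "Risk Name": "Test.Risk",
    "File Path": r"C:\Temp\sample.com",
    "Actual Action": "Quarantined",
    "Source": "Symantec AntiVirus",
    "Description": "x" * 2000,   # oversized on purpose, to trigger the 1 KB rule
}

TEMPLATE = "<Severity>: <Risk Name> on <Computer Name> at <File Path> (<Actual Action>)"
DEFAULT_TEMPLATE = "<Source> alert <Alert Name> on <Computer Name>: message exceeded 1 KB"

if __name__ == "__main__":
    print(deliver(TEMPLATE, SAMPLE_ALERT, DEFAULT_TEMPLATE))
    print(deliver("<Description>", SAMPLE_ALERT, DEFAULT_TEMPLATE))
    print(numeric_page(1, 101), decode_numeric_page("1 101"))
```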
To configure a default alert message
1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure.
2 Click Default Alert, and then click Configure.
3 Click Message Box, and then click Next.
4 Select a computer on which to execute the action, and then click Next.
5 Select whether you want an error beep and whether you want the dialog box always to appear on top until it is cleared.
6 Click Next.
7 Type the action name that describes the message that you are configuring.
The action name and the action computer name appear in the Alert Actions dialog box beside this action.
8 In the Message box, do one of the following:
Type the custom message text that you want to display and move the available parameters that you want from Alert Parameters to the Message box.
Click Default to use the default message information for this alert action, and then type the custom message text that you want to display.
9 Click Finish.

Working with configured alerts

Once you have configured alert actions, you can do the following:
Test them to make sure they work as expected.
Delete them.
Export them to other computers.

Testing configured alert actions

After you configure alert actions, you can test them in the Alert Actions dialog box. When you select an alert and then click Test Action, all alert actions that are configured for that alert execute. When you select a specific alert action and click Test Action, only that alert action executes.

To test an alert
In the Alert Actions dialog box, select an alert, and then click Test Action.
Deleting an alert action from an alert

You can delete actions that are associated with an alert as necessary.

To delete an alert action from an alert
1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure.
2 Select the alert action you want to delete, and then click Delete.

Exporting alert actions to other computers

Each computer that generates AMS 2 alerts stores its alert information in a local AMS 2 database. Typically, the alerts and actions that are stored in one database are not visible to AMS 2 databases on other computers. There may be times when you want to duplicate configurations of AMS 2 alert actions on a computer across multiple computers so you do not have to repeat your work. The AMS 2 export option lets you export alert actions to other computers that generate AMS 2 alerts.

Alert actions, such as a Send Page alert action configuration or a Message Box alert action configuration, only export if the alert for which you configured the action exists on both computers. In most cases, you can ensure this is the case by installing the same application on both computers. This way, both applications will register their alerts with their respective AMS 2 databases.

When you export alert actions from one computer to another, you have the choice of exporting a single alert action or all alert actions. Once AMS 2 exports alert actions to a computer, AMS 2 displays the Export Status dialog box to let you know the results of the export. If the export option cannot export an alert action because the alert for which the action was configured does not exist on the target computer (or for any other reason), the Export Status dialog box indicates that the alert action could not be exported. Alert actions also may fail to export if the target computer's AMS 2 installation is not working correctly.
To export alert actions to other computers
1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure.
2 Click Symantec AntiVirus Corporate Edition and then click Export.
3 In the Select Actions dialog box, check the actions that you want to export, and then click Next.
To select all configured actions, click Symantec AntiVirus Corporate Edition.
4 In the Select Computers dialog box, check the computers that you want to receive the alert actions that you selected.
5 If the computer you want has AMS 2 active on it and it is not in the Available Computers list, click Options.
6 Click Finish.
7 In the Export Status dialog box, verify that the alert actions were exported successfully, and then click Close.

Viewing export status

After AMS 2 exports alert actions to the computers that you selected in the Select Computers dialog box, AMS 2 displays the export results in the Export Status dialog box. The Export Status dialog box displays the alert actions that do not export successfully. If the alerts do not export successfully, it may be for the following reasons:
AMS 2 is not up or working correctly on the target computer. Verify AMS 2 by testing a configured alert action on that computer from the Alert Actions dialog box.
The alert for which the action was configured does not exist on the target computer. Make sure that the application that registered the alert with AMS 2 on the source computer is installed on the target computer.

Using the Alert Management System Alert Log

You can use the Alert Log to view a list of all alerts generated by network computers running Symantec AntiVirus. You can configure the Alert Log to do one of the following:
Display only the alerts that match the conditions that you specify.
Display a specified number of entries.

The Alert Log displays a list of alerts with the following information about each alert:
Alert Name
Source
Computer
Date
Time
Severity

You can view more detailed information about each alert in the Alert Information dialog box.

Each server stores its own copy of the Alert Log locally. When you select a server and view its Alert Log, you are retrieving a copy of that server's Alert Log to your local console. Therefore, if that server is not powered on or available, you won't be able to retrieve its Alert Log for viewing.

You can view the Alert Log and interact with it in the following ways:
Change the number of entries that are displayed in the log
Delete entries
Copy the contents to the clipboard

To view the Alert Log
Right-click the server group, and then click All Tasks > AMS > View Log.

To change the number of entries that are displayed in the Alert Log
1 In the Alert Log window, right-click, and then click Options.
2 On the Settings tab, specify the maximum number of log entries that you want the log to store.
You can independently configure the number of entries that an Alert Log stores on each server.

To delete a single entry
Right-click the log entry, and then click Delete > Selected Entries.
To delete multiple log entries
1 Press Ctrl and select the multiple log entries.
2 In the Alert Log window, right-click, and then click Delete > Selected Entries.
To select a range, click the first entry, and then press Shift and click the last entry.

To delete all visible log entries
In the Alert Log window, right-click, and then click Delete > Filtered Entries.

To copy Alert Log contents to the Clipboard
1 Press and hold the Ctrl key, and then select the multiple log entries.
2 In the Alert Log window, right-click, and then click Copy.
Only the alerts visible in the log are copied. If you want to limit the number of entries that the Alert Log copies to the Clipboard, apply filters to limit the number of visible log entries.

Viewing detailed alert information

You can view detailed information about each alert that the Alert Log displays. The Alert Information dialog box displays a list of parameters such as Alert name, Source, Date, Severity, and Description, as well as values for the selected alert action. Table 3-2 describes the status types that appear in the Alert Information dialog box.

Table 3-2 Action Status types

Action Status and description:

Action Name
    A name that is given to the specific action.
Action Type
    The type of action that is generated by the alert, such as Message Box, Pager, Internet Mail, Execute Program, or Broadcast.
Action Host
    The name of the computer that generates the alert.
Status
    The status of the alert. The status type can include Pending, Processing Action, Error, Completed Successfully, and Failed To Complete.
To view the alert information and Action Status
1 In the Alert Log window, double-click the alert for which you want to display detailed information.
2 When you finish viewing the alert information, click Close.

Filtering the Alert Log display list

The computer that is listed in the Alert Log is the primary management server that recorded the action, because it records all events for the Symantec server group. Look at the Alert Information dialog box to see which computer generated the alert.

You can configure the Alert Log to display only those alerts that match specified criteria. Table 3-3 describes the parameters for filtering alerts.

Table 3-3 Alert Log filters

Filter and description:

Computer
    Displays alerts from a specific computer.
Source
    Displays alerts from the same type of alert source on one or more computers.
Alert
    Displays all alerts with a specific alert name.
Severity
    Displays only alerts matching the severity levels that you select. You can specify the following severity levels: Monitor, Information, OK, Warning, Critical, and Fatal.
Date
    Displays only the alerts that occurred between the specified from and to dates and times.
To specify which alerts appear in the Alert Log
1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > View Log.
2 In the Alert Log window, right-click, and then click Options.
3 Select the filters you want to apply to the Alert Log list.
4 Click OK.

Forwarding alerts from unmanaged clients

Unmanaged Symantec AntiVirus clients can be configured to forward their alerts to an AMS 2 server. The AMS 2 client software is not installed as part of the client installation. If you want to use the alerting features that AMS 2 provides for unmanaged clients, you can install the AMS 2 client program that is included on the Symantec AntiVirus CD. For the alert to be sent, the client computer must be connected to the network and must be able to connect to the AMS 2 server.
To forward the alerts to an AMS 2 server
1 Use a text editor such as Notepad to create a new text file.
2 Add the following lines:
    [KEYS]
    !KEY!=$REGROOT$\Common
    AMSServer=S<AMSServerName>
    AMS=D1
    !KEY!=$REGROOT$\ProductControl
    LoadAMS=D1
3 In the <AMSServerName> line, do one of the following:
Type the IP address for the intended AMS 2 server. Be sure to include the S that precedes <AMSServerName>. Do not include the brackets.
Type the name of the intended AMS 2 server (make sure that the client can resolve the server name).
4 Save the file as Grc.dat to the C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus folder on the client computer.

After you create the Grc.dat configuration file, you can copy it to other unmanaged clients. These unmanaged clients then forward alerts to the same AMS 2 server.
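As an added example (not Symantec's code), the following Python builds the Grc.dat file from the procedure above, validates the AMS 2 server value (no brackets; an IP address or a host name), and checks an existing file for the S prefix on AMSServer and the D1 values under both keys before it is copied to other unmanaged clients. The host-name pattern, the CRLF line endings and the sample addresses are assumptions.

```python
"""Added example, not Symantec's code: builds and checks the Grc.dat file that
points an unmanaged Symantec AntiVirus client at an AMS 2 server."""
import ipaddress
import re

# Folder named in the procedure above.
GRC_DAT_FOLDER = r"C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus"

# Assumed host name rule (RFC 1123-style labels), used when the value is not an IP address.
HOSTNAME = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def validate_server(server):
    """The AMSServerName must be a bare IP address or host name: no angle brackets
    left over from the template, no surrounding whitespace."""
    if not server or server != server.strip():
        raise ValueError("AMS server name is empty or has surrounding whitespace")
    if "<" in server or ">" in server:
        raise ValueError("do not include the < > brackets from the template")
    try:
        ipaddress.ip_address(server)
        return server
    except ValueError:
        pass
    if not HOSTNAME.match(server):
        raise ValueError(f"not an IP address or valid host name: {server!r}")
    return server


def server_is_valid(server):
    """Boolean wrapper around validate_server."""
    try:
        validate_server(server)
        return True
    except ValueError:
        return False


def build_grc_dat(server):
    """Returns the Grc.dat text from the procedure above. The S prefix on
    AMSServer and the D1 values are kept exactly as the procedure shows them."""
    server = validate_server(server)
    lines = [
        "[KEYS]",
        r"!KEY!=$REGROOT$\Common",
        f"AMSServer=S{server}",
        "AMS=D1",
        r"!KEY!=$REGROOT$\ProductControl",
        "LoadAMS=D1",
    ]
    return "\r\n".join(lines) + "\r\n"   # CRLF assumed, as Notepad would write it


def parse_grc_dat(text):
    """Parses the [KEYS] section into {registry key: {name: value}}.
    Each !KEY! line opens a new key; following name=value lines belong to it."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "[KEYS]":
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        if name == "!KEY!":
            current = value
            keys.setdefault(current, {})
        elif current is None:
            raise ValueError("value appears before any !KEY! line")
        else:
            keys[current][name] = value
    return keys


def check_forwarding(text):
    """Returns the problems that would stop alert forwarding; an empty list means OK."""
    problems = []
    keys = parse_grc_dat(text)
    common = keys.get(r"$REGROOT$\Common", {})
    control = keys.get(r"$REGROOT$\ProductControl", {})
    server = common.get("AMSServer")
    if server is None:
        problems.append("AMSServer missing under $REGROOT$\\Common")
    elif not server.startswith("S"):
        problems.append("AMSServer value must start with the S prefix")
    elif not server_is_valid(server[1:]):
        problems.append(f"AMSServer has an invalid address: {server[1:]!r}")
    if common.get("AMS") != "D1":
        problems.append("AMS=D1 missing under $REGROOT$\\Common")
    if control.get("LoadAMS") != "D1":
        problems.append("LoadAMS=D1 missing under $REGROOT$\\ProductControl")
    return problems


if __name__ == "__main__":
    sample = build_grc_dat("192.168.10.5")   # constructed address
    print(sample, check_forwarding(sample))
```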
Section 2 Configuring antivirus protection

Scanning for viruses and security risks
Updating definitions
Responding to virus outbreaks
Managing roaming clients
Working with Histories and Event Logs
Chapter 4 Scanning for viruses and security risks

This chapter includes the following topics:
About viruses and security risks
About Symantec AntiVirus scans
Configuring Auto-Protect
Configuring manual scans
Creating and configuring scheduled scans
Managing the client user experience

About viruses and security risks

Symantec AntiVirus can scan both for viruses and for security risks, such as spyware, adware, and other files that can put a computer, as well as a network, at risk. By default, Symantec AntiVirus does the following:
Detects, removes, and repairs the side effects of viruses, worms, Trojan horses, and blended threats.
Detects, removes, and repairs the side effects of security risks such as adware, dialers, hack tools, joke programs, remote access programs, spyware, trackware, and others.

Table 4-1 describes the types of risks for which Symantec AntiVirus scans.
Table 4-1 Viruses and security risks

Risk and description:

Viruses
    Programs or code that attach a copy of themselves to another computer program or document when it runs. Whenever the infected program runs or a user opens a document containing a macro virus, the attached virus program activates and attaches itself to other programs and documents. Viruses generally deliver a payload, such as displaying a message on a particular date. Some viruses specifically damage data by corrupting programs, deleting files, or reformatting disks.
Worms
    Programs that replicate without infecting other programs. Some worms spread by copying themselves from disk to disk, while others replicate only in memory to slow a computer down.
Trojan horses
    Programs that contain code that is disguised as or hiding in something benign, such as a game or utility.
Blended threats
    Threats that blend the characteristics of viruses, worms, Trojan horses, and code with server and Internet vulnerabilities to initiate, transmit, and spread an attack. Blended threats use multiple methods and techniques to spread rapidly and cause widespread damage throughout the network.
Adware
    Stand-alone or appended programs that secretly gather personal information through the Internet and relay it back to another computer. Adware may track browsing habits for advertising purposes. Adware can also deliver advertising content. Adware can be unknowingly downloaded from Web sites, typically in shareware or freeware, or can arrive through messages or instant messenger programs. Often a user unknowingly downloads adware by accepting an End User License Agreement from a software program.
Dialers
    Programs that use a computer, without the user's permission or knowledge, to dial out through the Internet to a 900 number or FTP site, typically to accrue charges.
Table 4-1 Viruses and security risks (continued)

Hack tools
    Programs used by a hacker to gain unauthorized access to a user's computer. For example, one hack tool is a keystroke logger, which tracks and records individual keystrokes and sends this information back to the hacker. The hacker can then perform port scans or vulnerability scans. Hack tools may also be used to create viruses.
Joke programs
    Programs that alter or interrupt the operation of a computer in a way that is intended to be humorous or frightening. For example, a program can be downloaded from a Web site, message, or instant messenger program. It can then move the Recycle Bin away from the mouse when the user attempts to delete it or cause the mouse to click in reverse.
Other
    Other security risks that do not conform to the strict definitions of viruses, Trojan horses, worms, or other security risk categories, but that might present a risk to a user's computer and data.
Remote access programs
    Programs that allow access over the Internet from another computer so that they can gain information or attack or alter a user's computer. For example, a program may be installed by the user, or installed as part of some other process without the user's knowledge. The program can be used for malicious purposes with or without modification of the original remote access program.
Spyware
    Stand-alone programs that can secretly monitor system activity and detect passwords and other confidential information and relay it back to another computer. Spyware can be unknowingly downloaded from Web sites, typically in shareware or freeware, or can arrive through messages or instant messenger programs. Often a user unknowingly downloads spyware by accepting an End User License Agreement from a software program.
Trackware
    Stand-alone or appended applications that trace a user's path on the Internet and send information to the target system. For example, the application can be downloaded from a Web site, message, or instant messenger program. It can then obtain confidential information regarding user behavior.
By default, Auto-Protect scans for viruses, Trojan horses, worms, and security risks when it runs. Some risks, such as Back Orifice, were detected as viruses in earlier versions of Symantec AntiVirus. They remain detected as viruses so that Symantec AntiVirus can continue to provide protection for legacy computers.

About Symantec AntiVirus scans

You can configure the following types of scans from the Symantec AntiVirus view in the Symantec System Center console:
Auto-Protect scans
    Auto-Protect File System scans
    Auto-Protect attachment scanning for Lotus Notes, Microsoft Exchange, and Outlook (MAPI and Internet)
    Auto-Protect scanning for Internet email messages and attachments that use the POP3 or SMTP communications protocols; Auto-Protect Internet email scanning also includes outbound heuristics scanning
Manual scans
Virus sweep scans
Scheduled scans

By default, all Symantec AntiVirus scans detect viruses and security risks, such as adware and spyware, quarantine them, and remove or repair their side effects.

Note: Sometimes, you might unknowingly install an application that includes a security risk such as adware or spyware. If Symantec determines that blocking the risk does not harm the computer, Symantec AntiVirus blocks the risk. If blocking the risk might leave the computer in an unstable state, Symantec AntiVirus waits until the application installation is complete before it quarantines the risk. It then repairs the risk's side effects.

You can scan the following:
Individual and multiple Symantec AntiVirus servers and clients.
Groups of Symantec AntiVirus servers and clients, using server groups.
About the automatic exclusion of Microsoft Exchange files and directories

If Microsoft Exchange servers, including clustered servers, are installed on the computer where you installed Symantec AntiVirus, Symantec AntiVirus automatically detects the presence of Exchange and creates appropriate file and directory exclusions for Auto-Protect and all other scans. Symantec AntiVirus checks for changes in the location of the appropriate Exchange files and directories at regular intervals. So if you install Exchange on a computer where Symantec AntiVirus is already installed, the exclusions are created when Symantec AntiVirus checks for changes. Symantec AntiVirus excludes both files and directories, so if a single file is moved from an excluded directory, the file remains excluded.

Symantec AntiVirus creates file and directory scan exclusions for the following Microsoft Exchange versions:
Exchange 5.5
Exchange 2000
Exchange 2003

Symantec AntiVirus also creates appropriate file and directory scan exclusions for the following Symantec products when they are detected:
Symantec Mail Security 4.0, 4.5, 4.6, and 5.0 for Microsoft Exchange
Symantec AntiVirus/Filtering 3.0 for Microsoft Exchange
Norton AntiVirus 2.x for Microsoft Exchange

Note: To see the exclusions that Symantec AntiVirus creates for Exchange, you can examine the contents of the HKLM\Software\Intel\LANdesk\VirusProtect6\CurrentVersion\Exclusions\Exchange Server registry key. Do not edit this registry key directly. Configure any additional exclusions using the Symantec System Center Auto-Protect, manual, and scheduled scan exclusion options.

Symantec AntiVirus does not exclude the system temporary folders from scanning because doing so could create a significant security vulnerability on a computer.
About the global exclusion of security risks from scans

If there are certain security risks that your company's security policy allows you to keep on your computers, you can configure Symantec AntiVirus to exclude these risks from all scans.

See Configuring global security risk exclusions on page 140.
Understanding Auto-Protect scans

Auto-Protect continuously scans files and data for viruses and for security risks, such as spyware and adware, as they are read from or written to a computer. Auto-Protect scans data only on Symantec AntiVirus clients. Symantec AntiVirus automatically detects the presence of Microsoft Exchange and creates Auto-Protect scan exclusions for it at the time of installation.

Auto-Protect includes the SmartScan feature. When this feature is enabled, it can determine a file's type even when a virus changes the file's extension.

You can use Symantec AntiVirus to set Auto-Protect options for servers at the server group or individual server level, and for clients at the server group, individual server, or client group level. When you configure Auto-Protect, the configuration pages look slightly different depending on whether you set options for servers or clients.

When you configure Auto-Protect, you can lock Auto-Protect options on clients to enforce a company security policy for viruses and security risks. Users cannot change the options that you lock.

Note: You must lock the Auto-Protect client settings that you configure in the Symantec System Center console before the Symantec System Center can propagate them to the clients. If you make a change but do not lock the setting, the change is not propagated to clients.

See Configuring Auto-Protect on page 143.

Auto-Protect is enabled by default. You can view Auto-Protect status in the Symantec System Center.

To view Auto-Protect status
Right-click a server or client, and then click All Tasks > Symantec AntiVirus > Auto-Protect Status.

About manual scans

Manual or on-demand scans inspect selected files and folders on selected computers. Manual scans provide immediate results from a scan on an area of the network or a local hard drive. Manual scans inspect files for viruses and security risks, such as spyware and adware.
See Configuring manual scans on page 180.
About virus sweep scans

A virus sweep scan scans at the system hierarchy, server group, or individual server level. A virus sweep scans for both viruses and security risks. You can name a virus sweep and view its history in a Virus Sweep History log.

Warning: Virus sweeps do not automatically pick up the exclusions that are set for other types of scans. In addition, you cannot stop a virus sweep. Once the sweep starts, it must complete.

See Running a virus sweep on page 244.

About scheduled scans

From the Symantec System Center console, you can schedule scans to run at certain times on Symantec AntiVirus servers and clients. Users can also schedule scans for their computers from Symantec AntiVirus clients, but they cannot change or disable the scans that you schedule for their computers.

Symantec AntiVirus runs one scheduled scan at a time. If more than one scan is scheduled at the same time, they run sequentially. When you create and save a scheduled scan, Symantec AntiVirus remembers the server group, server, or computer on which to run the scan and the settings that you chose for that scan. If a computer is turned off during a scheduled scan, the scan does not run unless the computer is configured to run missed scan events. Scheduled scans inspect files for viruses and security risks, such as spyware and adware.

See Creating and configuring scheduled scans on page 192.

Selecting computers to scan

In the Symantec System Center console, you select the computers that you want to scan, determine the types of scans that are available, decide where the scans are performed, and set the scan options. Table 4-2 lists the types of scans that are available for each type of object in the Symantec System Center navigation tree.
Table 4-2 What you can scan

Object selected and scans available:

System Hierarchy
    Virus sweep scanning of all Symantec AntiVirus servers and clients in the network. A virus sweep also scans for security risks.
Multiple server groups
    Virus sweep scanning of all Symantec AntiVirus servers and their clients in the selected server groups.
    Scheduled scanning for the selected Symantec AntiVirus servers.
Server group
    Virus sweep scanning of all Symantec AntiVirus servers and their clients in the selected server group.
    Scheduled scanning for the Symantec AntiVirus servers in the selected server group.
Selected servers in a server group
    Virus sweep scanning of the selected Symantec AntiVirus servers.
    Manual scanning of the selected Symantec AntiVirus server.
Single server
    Virus sweep scanning of the Symantec AntiVirus server and all of its Symantec AntiVirus clients.
    Manual scanning of the Symantec AntiVirus server.
    Scheduled scanning of the Symantec AntiVirus server or its Symantec AntiVirus clients.
Selected Symantec AntiVirus clients for a single Symantec AntiVirus server
    Manual scanning of the selected Symantec AntiVirus clients that are managed by the Symantec AntiVirus server.
An individual Symantec AntiVirus client
    Manual scanning of the selected Symantec AntiVirus client.
    Scheduled scanning of the selected Symantec AntiVirus client.

Determining scan options for multiple computers

When you view Auto-Protect, virus sweep, or manual scan options for multiple selected computers, the configuration check boxes and options have a tri-state feature that is apparent only when the computers have different options configured. To toggle through an option's available states, click the option repeatedly. Table 4-3 describes the possible states for options.
Table 4-3 Check box and option symbols and their meaning

A solid black check mark in a check box; a solid black bullet in an option
  Means that the option is selected for all of the computers in that group. Setting an option to a state other than the dimmed state resets that option for selected computers.

A blank check box
  Means that the option is not selected for any computer in that group. Setting an option to a state other than the dimmed state resets that option for selected computers.

A dimmed check mark in a dimmed box; a blank series of options; a blank box
  Means that some of the computers in the group have that option selected and some do not. Setting an option to a state other than the dimmed state resets that option for selected computers.

Note: Some options, such as excluding files and folders, are not available when you select multiple computers because the option applies only to a specific computer.

Scan option precedence

The scan configuration changes that you make at the server group level override any changes that you make at the client group or server level, unless you configure a client group so that it does not inherit its server group settings.

See Using client group settings instead of server group settings on page 88.

Note: Auto-Protect options work differently from the other scan options. Auto-Protect options must be locked at the server group or server level before they can be propagated to clients. If you make a change but do not lock the setting, the change is not propagated to clients.

See Understanding Auto-Protect scans on page 130.

About inclusions and exclusions in scans

Inclusions and exclusions help you to balance the amount of protection that your network requires with the amount of time and resources that are required to provide that protection.
For example, if you choose to scan all file types, you might want to exclude certain folders that contain only data files that are not subject to viruses. Or, you might want to scan only the files with the extensions that are likely to contain a virus or other risk. When you scan only certain extensions, you automatically exclude all files with other extensions from the scan. These choices decrease the overhead that is associated with scanning files.

Depending on the type of scan and the objects of your scan, you can exclude by files, folders, or file extensions. You can include only certain extensions in a scan.

Warning: Because excluded files and folders are not scanned, they are not protected from viruses and security risks.

You can include and exclude items from the scans that you initiate from the Symantec AntiVirus client or server user interface, or from the Symantec System Center console.

Table 4-4 describes the types of exclusions that you can configure by the object type in the Symantec System Center console navigation hierarchy.

Table 4-4 Exclusions by object type

Server group
  Server scans: File extensions and named folders.

Server
  Server scans: File extensions, drives, files, and folders.
  Client scans: File extensions, drives, and named folders.

Client group
  Client scans: File extensions, drives, and named folders.

NetWare servers
  Files by drives and named folders; you cannot exclude files by file extension.
  Note: If you use the iFolder feature in NetWare 6, you should exclude the iFolder directory from virus scans. The default directory to exclude is sys:\ifolder. Configure this option using the Server Auto-Protect Options dialog box in the Symantec System Center.

See Configuring file and folder inclusions and exclusions on page 138.

About excluding named files and folders

You can exclude named files and folders from Auto-Protect, virus sweep, manual (Quick, Full, and Custom), and scheduled scans.
For example, you might want to exclude the path C:\Temp\Install or folders that contain an allowable security risk (if your company's security policy allows users to run a particular program that might be a security risk). You might also want to exclude the files that trigger false-positive alerts. For example, if you used another virus scanning program to clean infected files and the program did not completely remove the virus code, the file may be harmless but the disabled virus code might cause Symantec AntiVirus to register a false positive. Check with Symantec Technical Support if you are not sure if a file is infected.

The icons in the Symantec AntiVirus hierarchy reflect the status of the files and folders you choose to exclude. Table 4-5 shows the icons and describes their meaning when configuring exclusions.

Table 4-5 Tree view icons and their meaning for exclusions (icon images not shown)

- Excludes all of the files in this folder and also all of the files in subfolders.
- Excludes one or more items that you have selected in the folder or one of the subfolders.
- Excludes the selected file. This is available only from the client or server interface.
- Scans the folder or subitems.

About including and excluding files by file type and extension

By default, Symantec AntiVirus scans all files during a virus scan, but you can configure Symantec AntiVirus to do the following:

- Scan only files with specific extensions.
- Exclude from the scan files with specific extensions.

You can use the Symantec System Center to set inclusions and exclusions for specific extensions. Scans by extension are available when you select the following objects and scan types:

- Client object: Manual scan, scheduled scan, and client Auto-Protect.
- Server object: Virus sweep, manual scan, scheduled server scan, and server Auto-Protect (Windows only).

When you scan by file extension, Symantec AntiVirus does not read the file header to determine the file type and scans only files with the extensions that you specify.
Note: Scanning files by type is not an option when you configure any scan. All types of files are scanned. Any previously configured scan that is migrated to the current version will scan all file types.

Table 4-6 describes the recommended extensions for scanning.

Table 4-6 Recommended file extensions for scanning (file extension: description)

386: Driver
ACM: Driver; audio compression manager
ACV: Driver; audio compression/decompression manager
ADT: ADT file; fax
AX: AX file
BAT: Batch
BTM: Batch
BIN: Binary
CLA: Java Class
COM: Executable
CPL: Applet Control Panel for Microsoft Windows
CSC: Corel Script
DLL: Dynamic Link Library
DOC: Microsoft Word
DOT: Microsoft Word
DRV: Driver
EXE: Executable
HLP: Help file
HTA: HTML application
HTM: HTML
HTML: HTML
HTT: HTML
INF: Installation script
INI: Initialization file
JPEG: Graphics file
JPG: Graphics file
JS: JavaScript
JSE: JavaScript Encoded
JTD: Ichitaro
MDB: Microsoft Access
MP?: Microsoft Project
MSO: Microsoft Office 2000
OBD: Microsoft Office binder
OBT: Microsoft Office binder
OCX: Microsoft object linking and embedding custom control
OV?: Overlay
PIF: Program information file
PL: PERL program source code (UNIX)
PM: Presentation Manager Bitmaps Graphics
POT: Microsoft PowerPoint
PPT: Microsoft PowerPoint
PPS: Microsoft PowerPoint
RTF: Rich Text Format document
SCR: Fax/screensaver/snapshot, script for Faxview/Microsoft Windows
SH: Shell Script (UNIX)
SHB: Corel Show Background file
SHS: Shell scrap file
SMM: Lotus AmiPro
SYS: Device driver
VBE: VESA BIOS (Core Functions)
VBS: VBScript
VSD: Microsoft Office Visio
VSS: Microsoft Office Visio
VST: Microsoft Office Visio
VXD: Virtual device driver
WSF: Windows Script File
WSH: Windows Script Host Settings File
XL?: Microsoft Excel

Note: A question mark (?) in a file extension in Table 4-6 means that the letter in the file extension might vary, depending on the version of the program or application that produces it.

Configuring file and folder inclusions and exclusions

Symantec AntiVirus exclusions behavior is as follows:

- When Symantec AntiVirus applies exclusions, the excluded items are not scanned. If the file is not excluded, it is scanned.
- For virus sweep, manual, Auto-Protect, and scheduled scans, Symantec AntiVirus takes no action on excluded files.

Enabling and disabling exclusions can improve performance depending on the situation. For example, if you copy a large folder that is in the exclusions list and the exclusions setting is enabled, the copying process is faster since the folder's contents are excluded.
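The following Python model, added here as an illustration and not Symantec code, applies the rules described above to constructed sample paths: exclusions are checked first and an excluded item is never scanned, Selected Extensions matches by name only with "?" standing for one varying letter as in Table 4-6, and SmartScan reads the file header so a renamed executable or Word document is still scanned. The header signatures it looks for, the policy fields, and the sample paths are assumptions of the model.

```python
"""Model of how a scan decides which files to look at.

Added illustration, not Symantec code: it applies the rules the guide
describes (exclusions are applied first and win; Selected Extensions
matches by name only, with "?" standing for one varying letter as in
Table 4-6; SmartScan reads the header, so a renamed .exe or .doc is still
scanned) to constructed sample paths and file headers.
"""
from __future__ import annotations

import fnmatch
import ntpath
from dataclasses import dataclass, field

# Header signatures SmartScan would look for (assumed for this model):
# "MZ" opens DOS/PE executables; the OLE2 compound-document signature
# opens pre-2007 Word .doc files.
MZ_MAGIC = b"MZ"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


@dataclass
class ScanPolicy:
    """One scan's settings, as the Scan Options dialog would hold them."""
    file_types: str = "smartscan"           # "all", "selected" or "smartscan"
    selected_extensions: set[str] = field(default_factory=set)
    excluded_extensions: set[str] = field(default_factory=set)
    excluded_folders: set[str] = field(default_factory=set)
    excluded_files: set[str] = field(default_factory=set)


def _norm(path: str) -> str:
    # Windows paths compare case-insensitively; ntpath works on any host.
    return ntpath.normcase(ntpath.normpath(path))


def _ext(path: str) -> str:
    return ntpath.splitext(path)[1].lstrip(".").upper()


def ext_matches(ext: str, patterns: set[str]) -> bool:
    """Case-insensitive extension match; "?" matches exactly one character,
    so the pattern XL? covers XLS, XLT, XLA and so on (but not XLSX)."""
    return any(fnmatch.fnmatchcase(ext.upper(), p.upper()) for p in patterns)


def is_excluded(path: str, policy: ScanPolicy) -> bool:
    """A folder exclusion covers the folder and every subfolder below it."""
    p = _norm(path)
    if any(p == _norm(f) for f in policy.excluded_files):
        return True
    for folder in policy.excluded_folders:
        f = _norm(folder)
        if p == f or p.startswith(f + ntpath.sep):
            return True
    return ext_matches(_ext(p), policy.excluded_extensions)


def header_type(head: bytes) -> str | None:
    """The file type SmartScan would infer from the first bytes."""
    if head.startswith(MZ_MAGIC):
        return "EXE"
    if head.startswith(OLE2_MAGIC):
        return "DOC"
    return None


def should_scan(path: str, head: bytes, policy: ScanPolicy) -> bool:
    """True when the scan inspects this file. Exclusions are checked first:
    an excluded item is never scanned, whatever the File types setting."""
    if is_excluded(path, policy):
        return False
    if policy.file_types == "all":
        return True
    ext = _ext(path)
    if policy.file_types == "selected":
        # Name-based only: the header is deliberately not consulted.
        return ext_matches(ext, policy.selected_extensions)
    # SmartScan: the configurable extension group, plus any file whose
    # header says it is really an executable or Word document.
    return ext_matches(ext, policy.selected_extensions) or header_type(head) is not None


if __name__ == "__main__":
    # Constructed sample: scan by Selected Extensions with C:\Temp\Install
    # excluded, as in the guide's own example, beside a SmartScan policy.
    selected = ScanPolicy("selected", {"EXE", "DOC", "XL?"},
                          excluded_folders={r"C:\Temp\Install"})
    smart = ScanPolicy("smartscan", {"EXE", "DOC"})
    samples = [(r"C:\Users\alice\budget.xls", OLE2_MAGIC),
               (r"C:\Temp\Install\setup.exe", MZ_MAGIC),
               (r"C:\Users\alice\photo.jpg", MZ_MAGIC + b"\x90\x00")]  # renamed .exe
    for path, head in samples:
        print(path, "selected:", should_scan(path, head, selected),
              "smartscan:", should_scan(path, head, smart))
```

The last sample shows the difference the guide draws between the two modes: the renamed executable is skipped under Selected Extensions but caught by SmartScan.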
Files that you exclude appear with various icons in the Symantec AntiVirus hierarchy.

See Table 4-5 on page 135.

For all scan types, you can select files to include in a scan by extension or by type. For scheduled and manual scans, you can also select files to scan by extension and type at the folder level.

To configure exclusions for scans

1 Open the Scan Options dialog box for the type of scan that you want to configure: Auto-Protect, Manual, Virus Sweep, Scheduled.
2 Click Exclude files and folders.
3 Click Exclusions.
4 Depending on the types and numbers of computers that you configure, you can do the following:
  - Click Extensions and select file extensions to exclude. You can use wildcards when you exclude by extension.
  - Select files to exclude within specific folders by extension or file type.
  - Click Files/Folders or Folders, as available, and select folders to exclude from the scan.
5 Click OK until the Symantec System Center console appears.

To select files to include in scans by extension

1 In the Scan Options dialog box for the scan that you want to configure, under File Types, click Selected extensions.
2 Click Extensions.
3 In the Selected Extensions dialog box, you can do any of the following:
  - To add your own extensions, type the extension, and then click Add.
  - To add all document extensions, click Documents.
  - To add all program extensions, click Add.
  - To add all extensions and program types, click Use Defaults.
4 Click OK until the Symantec System Center console appears.

To select files to include in manual scans by folder

1 Right-click the object that you want to scan, and then click All Tasks > Symantec AntiVirus > Start Manual Scan.
2 In the Select Items dialog box, select the folders to scan.
3 Click Options and select the extensions and types to scan for the selected folders.
4 Click OK until the Symantec System Center console appears.

To select files to include in a scheduled scan by folder

1 Right-click the object that you want to scan, and then click All Tasks > Symantec AntiVirus > Scheduled Scans.
2 On the Server Scans tab, in the Server scans list, select a scan.
3 Click Edit.
4 In the Scheduled Scan dialog box, click Scan Settings.
5 In the Select Items dialog box, select the folders to scan.
6 Click Options and select the extensions and types to scan for the selected folders.
7 Click OK until the Symantec System Center console appears.

If client e-mail applications use a single Inbox file

If your clients use applications that store all e-mail in a single file, such as Outlook Express, Eudora, Mozilla, and Netscape, you and your users should probably exclude the Inbox file from manual and scheduled scans. If Symantec AntiVirus detects a virus in the Inbox file during a manual or scheduled scan, and the action configured for the virus is Quarantine, Symantec AntiVirus quarantines the entire Inbox and users cannot access their e-mail.

Although regularly excluding a file from scanning is not recommended as a general practice, excluding the Inbox file from being scanned prevents it from being quarantined while still allowing a virus to be detected. If Symantec AntiVirus detects a virus when a user opens an e-mail message rather than when a user downloads the message or during a scan, it can safely quarantine or delete the message without causing a problem with the entire Inbox.

Configuring global security risk exclusions

If there are one or more security risks that you want to remain on the computers in your network, you may want to create a list of security risks that are excluded from all scans on servers and client computers.
Global security risk exclusions can be configured on the server group, client group, server, and client levels. If a user has configured custom actions for a security risk that you have added to the global exclusions list, the user's custom actions are ignored.
Note: When you add a security risk to the global exclusions list, Symantec AntiVirus no longer logs any events that involve that security risk. Users are not notified in any way when the risk is present on their computers.

To configure global security risk exclusions

1 Right-click the computer, server, or group you want to configure, and then click All Tasks > Symantec AntiVirus > Global Security Risk Exclusions.
2 In the Global Security Risk Exclusions dialog box, click either the Server tab or the Client tab.
  If you selected a server
    Use the Server tab to configure exclusions that will apply to scans on the server. Use the Client tab to configure exclusions that will apply to scans on all the unassigned client computers attached to that server. Client computers are unassigned if they are not part of a client group.
  If you selected a server group
    Use the Server tab to configure exclusions that will apply to scans on all the servers in the group. Use the Client tab to configure exclusions that will apply to scans on all the unassigned client computers attached to the servers in the group. Client computers are unassigned if they are not part of a client group.
  If you selected a client computer
    The Server tab is not available. Use the Client tab to configure exclusions that will apply to all scans on the computer.
  If you selected a client group
    The Server tab is not available. Use the Client tab to configure exclusions that will apply to all scans on the computers in the client group.
3 Click Add.
4 In the Select Security risks dialog box, click each of the security risks you want to exclude from all scans. You can use the Control and Shift keys to select more than one risk at a time.
5 Click OK.
To remove a security risk from global security risk exclusions

1 Right-click the computer, server, or group you want to configure, and then click All Tasks > Symantec AntiVirus > Global Security Risk Exclusions.
2 In the Global Security Risk Exclusions dialog box, click either the Server tab or the Client tab.
3 In the list of excluded security risks, select each of the risks you want Symantec AntiVirus to begin scanning for, and then click Remove. You can use the Control and Shift keys to select more than one risk at a time.
4 Click OK.

About actions for viruses and security risks that scans detect

Many of the same scan options are available in different types of scans. For example, when you configure manual, scheduled, or Auto-Protect scans, you can assign first and second actions for Symantec AntiVirus to take when it finds viruses and security risks. You can assign individual first and second actions for Symantec AntiVirus to take when it discovers the following:

- Macro viruses
- Non-macro viruses
- All security risks (adware, spyware, joke programs, dialers, hack tools, remote access programs, trackware, and others)
- Individual categories of security risks, such as spyware
- Custom actions for a particular instance of a security risk

For viruses, by default, Symantec AntiVirus first attempts to clean the file. If Symantec AntiVirus cannot clean the file, it moves the file to the Quarantine on the infected computer, denies access to the file, and logs the event.

For security risks, by default, Symantec AntiVirus moves any infected files to the Quarantine on the infected computer and attempts to remove or repair the risk's side effects. For security risks, by default, Quarantine contains a record of all actions that Symantec AntiVirus performed so that if needed, the computer can be returned to the state that existed before Symantec AntiVirus attempted the removal and repair.
If it is not possible to quarantine and repair a security risk, the second action is to log the risk. See Table 4-10 on page 161.
Configuring Auto-Protect

Configuring Auto-Protect consists of the following tasks:

- Configuring Auto-Protect for files
- Configuring Auto-Protect scanning

About propagating Auto-Protect settings

Using the Symantec System Center, you can configure Auto-Protect settings at the server group, individual server, and client group levels. When you configure Auto-Protect settings, follow these guidelines to propagate the settings to the computers that you want to receive them:

- Changing server Auto-Protect settings for an individual server allows you to push a specific configuration to that server, which overrides settings that are made at the server group level.
- Resetting server Auto-Protect settings at the server group level allows you to reset previous settings made at the individual server level.
- Changing client Auto-Protect settings at the parent management server or client group level allows you to push a specific configuration to the clients of that parent management server or client group.
- Resetting client Auto-Protect settings at the server group level resets previous settings made at the parent management server or client group level, for all clients.
- Changing client Auto-Protect settings at the parent management server level changes the settings for clients not assigned to client groups; clients assigned to a client group retain their settings.

Warning: You must lock Auto-Protect options that you want to propagate to clients or the options are not propagated.

The buttons in the Auto-Protect Options dialog box affect settings propagation as follows:

- Clicking OK propagates the settings that you change.
- Clicking Reset All propagates all settings in the dialog box, regardless of whether you change or visit them.

See How settings propagate on page 56.
Locking and unlocking Auto-Protect options

You can lock or unlock Auto-Protect options for clients to control the user experience in the Symantec AntiVirus user interface. Table 4-7 describes the Auto-Protect lock icons.

Table 4-7 Auto-Protect lock icons (icon images not shown)

- Users can change this setting in the Symantec AntiVirus user interface.
- Users cannot change this setting in the Symantec AntiVirus user interface.

To lock or unlock Auto-Protect options

1 In the Symantec System Center console, do one of the following:
  - To change server Auto-Protect settings, right-click a server group or server, and then click All Tasks > Symantec AntiVirus > Server Auto-Protect Options.
  - To change client Auto-Protect settings, right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
2 In the Auto-Protect Options dialog box, click the lock icon next to the option that you want to lock or unlock to change its current state.
3 Click OK.

Configuring File System Auto-Protect

When you configure Auto-Protect for files, you select a server group or server, configure scan settings, and configure other settings that define how Auto-Protect and its associated features behave. You specify whether you want to scan floppy disk drives, network drives, or both.

Note: When you configure Client Auto-Protect options, you can click the lock icon next to the Auto-Protect settings to lock the settings so that users cannot change them.

Table 4-8 describes the Auto-Protect scan options.
Table 4-8 Auto-Protect scan options

Enable Auto-Protect
  Check to enable Auto-Protect.

File types
  You can configure Symantec AntiVirus to scan all file types, to include only the files that have the selected extensions in the scan, or to use SmartScan. The following options are available:
  - All Types: Scans all files on the computer, regardless of type.
  - Selected Extensions: Scans only the files that have certain extensions. You can add more extensions for programs and documents if you have files that use extensions that are not already in the list. You can also reset this option to its default value.
  - SmartScan: Scans a specific, configurable group of file extensions that contain executable code, and all .exe and .doc files. SmartScan reads each file's header to determine its file type. It scans .exe and .doc files even if the file extensions for the .exe and the .doc files are changed by a virus. SmartScan is enabled by default.

Options
  Uncheck Scan for security risks to stop Auto-Protect from scanning for security risks. Scanning for security risks is enabled by default.
  Note: This option has no effect on computers that run earlier versions of Symantec AntiVirus or on NetWare computers that run any version of Symantec AntiVirus.
  If Symantec determines that it would not be harmful to a computer to block a security risk, then by default, it blocks the risk. Uncheck Block security risks to stop Auto-Protect from blocking the security risks that it finds.
  Check Exclude selected files and folders to exclude certain files and folders from being scanned by Auto-Protect. Click Exclusions to select the file extensions and paths for folders to exclude.

Drive types
  Drive types provides the following options:
  - CD-ROM: If you enable Auto-Protect on CD-ROM drives, Symantec AntiVirus can scan files as they are read from or written to CD-ROM disks.
  - Floppy: Symantec AntiVirus can scan files as they are read from or written to floppy disks. Floppy disks are common sources of virus infections because users might bring infected disks from home.

Network Scanning Options
  Uncheck Enable scanning to stop Auto-Protect from scanning network drives. When scanning is enabled on network drives, Symantec AntiVirus scans files as they are accessed by a client computer from a server or by one server from another server. When network scanning is enabled, you can also enable Auto-Protect to trust remote versions of Auto-Protect and to use a network cache.
  The Trust remote Auto-Protects option keeps Auto-Protect from performing duplicate scanning while network scanning is enabled. If this option is enabled on both the client computer and the server, the client computer's Auto-Protect checks that the server's Auto-Protect settings provide at least as high a level of security as its own Auto-Protect settings. If this is so, the local computer trusts the Auto-Protect scan on the remote computer and does not rescan the file.
  For example, when client A requests access to a file on a network drive on server B, client A's Auto-Protect checks whether it should trust the Auto-Protect on server B. If server B's Auto-Protect is trustworthy, client A's Auto-Protect does not scan the file again. If server B's Auto-Protect is not trustworthy, client A's Auto-Protect does scan the file.
  Trust remote Auto-Protects is enabled by default when network scanning is enabled. Uncheck Trust remote Auto-Protects if you want to disable the trust feature and allow duplicate scanning.
  You may not consider it necessary to check the Enable Scanning option if you have enabled Auto-Protect on all of your servers, since the implementations of Auto-Protect on your servers will scan files whenever clients request them. If you do enable network scanning, and you do not use the Trust remote Auto-Protects option, you should be aware that the repeat Auto-Protect scanning is likely to reduce network performance on the client computer because the client computers will pull the files across the network to do their scans.
  Uncheck Trust files on remote computers running Auto-Protect if you want to disable the trust feature and allow duplicate scanning. Unchecking this option is likely to reduce network performance.
  Check Network cache on a client computer so that Auto-Protect stores a record of the files it has already scanned from a network server. This option prevents Auto-Protect from scanning the same file more than once and may improve system performance. You can set the number of files (entries) that Auto-Protect scans and remembers; you can also set the timeout before the files are removed from the cache. Once the timeout expires, the files are removed from the cache and network files are scanned again if the client requests them from the network server.

Advanced
  Click this button to set advanced Auto-Protect scan options, including startup, file cache, backup, and so on.
  See Configuring advanced File System Auto-Protect options on page 152.

Actions
  Click this button to set the kind of actions that you want Symantec AntiVirus to take when it finds a virus or a security risk.
  See Configuring actions for File System Auto-Protect on page 160.

Notifications
  Click this button to set the notifications that you want to appear when Auto-Protect finds a virus or a security risk.
  See Configuring notifications for File System Auto-Protect on page 168.

Reset All
  This option is available only for server Auto-Protect options at the server group level and client Auto-Protect options at the server level. To ensure that all computers use the same Auto-Protect scanning configuration that you set at a higher level, click Reset All when you set the options.
  For server Auto-Protect, when you click Reset All at the server group level, the server group settings overwrite any scan options that were previously set at the server level. All options are propagated to all of the servers that belong to the server group.
  For client Auto-Protect, when you click Reset All at the server group level, the server group settings overwrite any scan options that were previously set at the server and client level. When you click Reset All at the server level, any scan options that were previously set at the client level are overwritten by the server settings.
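The two network-scanning behaviours in Table 4-8, the trust check between client A and server B and the network cache with its entry count and timeout, modelled in Python as an added example (not Symantec code). Which settings are compared to decide that the server's Auto-Protect is at least as secure, the strictness ordering between their values, and the sample values are assumptions of the model.

```python
"""Model of the network-scanning decisions in Table 4-8.

Added illustration, not Symantec code. The settings compared to decide
that a server's Auto-Protect is "at least as secure" as the client's, and
the ordering between their values, are assumptions made for this model;
the cache's entry cap and timeout behave as the table describes.
"""
from __future__ import annotations

from collections import OrderedDict
from dataclasses import dataclass

# Assumed strictness orderings, weakest first.
SCAN_WHEN_RANK = {"modified": 1, "accessed_or_modified": 2}
FILE_TYPES_RANK = {"selected": 1, "smartscan": 2, "all": 3}


@dataclass(frozen=True)
class AutoProtectSettings:
    enabled: bool
    scan_when: str            # key of SCAN_WHEN_RANK
    file_types: str           # key of FILE_TYPES_RANK
    scan_security_risks: bool
    trust_remote: bool        # the "Trust remote Auto-Protects" check box


def at_least_as_secure(remote: AutoProtectSettings,
                       local: AutoProtectSettings) -> bool:
    """True when every compared remote setting is as strict as the local one."""
    if not remote.enabled:
        return False
    return (SCAN_WHEN_RANK[remote.scan_when] >= SCAN_WHEN_RANK[local.scan_when]
            and FILE_TYPES_RANK[remote.file_types] >= FILE_TYPES_RANK[local.file_types]
            and (remote.scan_security_risks or not local.scan_security_risks))


def client_rescans(local: AutoProtectSettings, remote: AutoProtectSettings) -> bool:
    """Client A opening a file on server B: does A scan the file again?
    Trust applies only when the option is enabled on both sides."""
    if not (local.trust_remote and remote.trust_remote):
        return True
    return not at_least_as_secure(remote, local)


class NetworkCache:
    """Record of files already scanned from a network server, bounded by an
    entry count and a timeout after which a file is scanned again."""

    def __init__(self, max_entries: int, timeout_s: float) -> None:
        self.max_entries = max_entries
        self.timeout_s = timeout_s
        self._entries: OrderedDict[str, float] = OrderedDict()  # path -> scan time

    def _expire(self, now: float) -> None:
        for path, scanned_at in list(self._entries.items()):
            if now - scanned_at >= self.timeout_s:
                del self._entries[path]

    def already_scanned(self, path: str, now: float) -> bool:
        self._expire(now)
        return path in self._entries

    def record(self, path: str, now: float) -> None:
        self._expire(now)
        self._entries[path] = now
        self._entries.move_to_end(path)
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)   # drop the oldest record

    def __len__(self) -> int:
        return len(self._entries)


def handle_network_read(cache: NetworkCache, path: str, now: float) -> bool:
    """True when Auto-Protect scans the file, False when the cache lets it skip."""
    if cache.already_scanned(path, now):
        return False
    cache.record(path, now)
    return True


if __name__ == "__main__":
    # Constructed sample settings and a constructed share path.
    strict = AutoProtectSettings(True, "accessed_or_modified", "all", True, True)
    lax = AutoProtectSettings(True, "modified", "selected", False, True)
    print("lax client, strict server, rescan:", client_rescans(lax, strict))
    print("strict client, lax server, rescan:", client_rescans(strict, lax))
    cache = NetworkCache(max_entries=2, timeout_s=30.0)
    doc = r"\\srv\share\a.doc"
    for t in (0.0, 10.0, 31.0):   # second read is cached, third has timed out
        print("t =", t, "scanned:", handle_network_read(cache, doc, t))
```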
To configure File System Auto-Protect

1 Do one of the following:
  - Right-click the server group or the Symantec AntiVirus servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Server Auto-Protect Options. If you select a server group, the Symantec System Center configures all of the servers that are in the server group.
  - Right-click an individual server or multiple selected servers, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
  - Right-click the server group or the servers that manage the Symantec AntiVirus clients that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. The Symantec System Center configures all of the clients that are associated with the server or the server group.
  - Right-click an individual client or multiple selected clients for a server, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
2 In the Auto-Protect Options dialog box, enable Auto-Protect, select all file types or selected extensions to include, enable or disable scanning for security risks, exclude files by extension and folders, set network scanning options, and set drive types, as needed.
  See Table 4-8 on page 145.
3 To set advanced scan options, click Advanced.
  See Table 4-9 on page 152.
4 To set the actions that you want Symantec AntiVirus to take when it finds macro viruses, non-macro viruses, and individual or categories of security risks, click Actions.
  See Table 4-10 on page 161.
152 152 Scanning for viruses and security risks Configuring Auto-Protect 5 To set the notifications (messages) that you want to display on infected computers when risks are found, click Notifications. See Table 4-12 on page If you configure client Auto-Protect options, click the lock icon next to each Auto-Protect option that you want to lock to propagate the option to clients. 7 If you configure Auto-Protect options for a server group, click Reset All to ensure that all of the computers use the Auto-Protect scanning configuration that you set at this level. See About propagating Auto-Protect settings on page Click OK. Configuring advanced File System Auto-Protect options Table 4-9 describes the advanced scan options for File System Auto-Protect. Table 4-9 Section or option name Startup options Advanced scan options for File System Auto-Protect Available options Options include the following: System start Loads Auto-Protect when the computer's operating system starts and unloads it when the computer shuts down. This option can help protect against some viruses, such as Fun Love. If Auto-Protect detects a virus during shutdown, it places the infected file in a temporary Quarantine directory. Auto-Protect then detects the virus on startup and creates an alert notification. Symantec AntiVirus start Loads Auto-Protect when Symantec AntiVirus starts. Note: If you disable Auto-Protect on a computer that has this option set to System start, Auto-Protect still functions briefly each time that the computer restarts until the main Symantec AntiVirus service starts and disables Auto-Protect. Changes requiring Auto-Protect reload Options include the following: Wait until system restart Stops and reloads Auto-Protect when the computer restarts. Stop and reload Auto-Protect Stops and reloads Auto-Protect immediately.
Scan files when
  Scan files when provides the following file system protection options for monitoring and acting on files:
  Modified (scan on create): Scans files when they are written, modified, or copied. Use this option for slightly faster performance, because Auto-Protect scans files only when they are written, modified, or copied.
  Accessed or modified (scan on create, open, move, copy, or run): Scans files when they are written, opened, moved, copied, or run. Use this option for more complete file system protection. This option might have a performance impact, because Auto-Protect scans files during all types of file operations.
  Opened for backup (not applicable to Windows 9x or NetWare): Scans files when they are accessed during a backup operation. Use this option if you haven't run a virus check on the files that you want to back up. Do not enable this option if you want to bypass Auto-Protect for the files that are being backed up. This option can significantly slow backup operations, because Auto-Protect scans each file that is included in the backup. The setting applies only to files that are backed up. Files that are being restored from a backup are scanned regardless of this setting.
  For Leave Alone (Log only), delete infected files on creation: Enable this option if you want the Modified option or the Accessed or modified option to delete a newly created infected file when you configure Leave alone (log only) as the action. For an existing infected file, Scan on Access and Modify detects the infected file and the Leave alone action applies: the file is denied access and logged, but it is not deleted. When you disable this option, Symantec AntiVirus permits the infected file to be created.
  Preserve file times: Enable this option if you do not want the file system to change the last access time. Preserving the last access time prevents backup software from backing up unchanged files.
File cache
  File caching decreases Auto-Protect's memory usage and can help you to track problems. The file cache includes an index of files that were scanned and determined to be clean. Symantec AntiVirus adds a 16-byte ID to the cache index, which remains until Symantec AntiVirus detects a change to the file. The following options are available:
  Disable file cache: Disables the file cache. This option is useful during troubleshooting.
  Use default file cache size: Uses the default file cache size setting for desktop computers, and as close to the maximum setting as possible for servers. The default file cache size is based on the computer's operating system and the amount of available disk space.
  Custom file cache entries: Select the number of custom file cache entries to include. This option is useful for file servers or Web servers on which you want to cache a large number of files.

Risk Tracer
  Risk Tracer provides the following options for identifying the source of network share-based virus infections on the computers that run supported Windows operating systems:
  Enable Risk Tracer: Ensure that this option is checked to use Risk Tracer.
  Resolve source computer IP address: If this option is checked, Symantec AntiVirus looks up and records only the computer's NetBIOS name. When it is checked, it also reports who was logged on to the computer at delivery time. This feature is supported on Windows XP systems only.
  Poll for network sessions every <number> milliseconds: Symantec AntiVirus polls once every second (1000 milliseconds) by default. Lower values use greater amounts of CPU and memory, but also increase the possibility that Symantec AntiVirus can record the network session information before the risk can shut down network shares. Higher values decrease system overhead, but also decrease Risk Tracer's ability to detect infections. See About Risk Tracer on page 159.
Automatic enabler
  Check this option to re-enable Auto-Protect automatically after <number> minutes. Valid values range from 3 to 60. This option is useful if your end users need to disable Auto-Protect on occasion.

When scanning compressed files
  This option is available when you configure Server Auto-Protect Options. If you check this option, Symantec AntiVirus scans the container, such as Files.zip, and the contents of the container, which are the individual compressed files. Symantec AntiVirus supports a maximum depth of eight levels of nested compressed files for NetWare servers. Symantec AntiVirus scans compressed files during Auto-Protect and scheduled scans. To scan the contents of a compressed file, Symantec AntiVirus extracts each file, one file at a time, from the container and copies it to the SYS volume, where it is scanned. The SYS volume must have enough space available to accommodate the largest file in the container.
  Note: You cannot stop a scan that is in progress on a compressed file. If you click Stop Scan, Symantec AntiVirus stops the scan only after it has finished scanning the compressed file.

Backup options
  As a data safety precaution, before you attempt to repair a file, check Back up file before attempting repair. This option is checked by default. The original virus-infected file is encrypted and then copied into the Quarantine directory. If you need to, you can use this unrepaired backup file to return the file to its original, but infected, state.
  Note: Uncheck this option with caution, because it means that files that contain viruses are not backed up before repairs are attempted.
  This setting applies only to virus-infected files. For security risks, if the action you have configured is Delete risk, no backup files are created. If the action you have configured is Quarantine risk, the security risk files are always backed up in the Quarantine before repair is attempted, regardless of this setting.
Additional advanced options: Heuristics
  Change the level of protection that Bloodhound Heuristic Scanning provides. Select the Minimum, Default, or Maximum level of protection. Bloodhound can detect a high percentage of unknown viruses by isolating and locating the logical regions of a file. Bloodhound then analyzes the program logic for virus-like behavior.

Additional advanced options: Floppies
  The following options are available for floppy disk scans:
  Check floppies for boot viruses upon access: Symantec AntiVirus scans the floppy disk in the floppy drive for boot viruses when the drive is first accessed. When Symantec AntiVirus finds a boot virus, select whether to clean the virus from the boot record or leave it alone. If you click Leave alone (log only), an alert is sent when a virus is detected, but no action is taken. Use this option if you want to control the virus cleaning and handling process.
  Do not check floppies upon system shutdown: Symantec AntiVirus skips the scan of any floppy disk in the floppy drive when the computer is shut down normally.
Additional advanced options: Monitor
  These options are available when you configure Client Auto-Protect Options. You might want to monitor virus-like activities, which are the activities that viruses perform when they attempt to infect your files. The listed activities might be legitimate, depending on the work context. You can set each activity to be allowed, not allowed, or to alert the user before the activity is performed.
  Low-Level Format Of Hard Disk: All information on the drive is erased and cannot be recovered. This type of formatting is generally performed at the factory only. If this activity is detected, it usually indicates an unknown virus at work. This is not an option for NEC PC98xx computers.
  Write To Hard Disk Boot Records: Very few programs write to hard disk boot records. If this activity is detected, it could indicate an unknown virus at work.
  Write To Floppy Disk Boot Records: Only a few programs, such as the operating system Format command, write to floppy disk boot records. If this activity is detected, it could indicate an unknown virus at work.
  Remove the alert dialog after <number> seconds: If you selected Prompt to alert the user for any of the activities, you can set the number of seconds that you want the alert to appear.

To configure advanced File System Auto-Protect options

1 Do one of the following:
  Right-click the server group or the Symantec AntiVirus servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Server Auto-Protect Options. If you select a server group, the Symantec System Center configures all of the servers that are in the server group.
  Right-click an individual server or multiple selected servers, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
  Right-click the server group or the servers that manage the Symantec AntiVirus clients that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
  The Symantec System Center configures all of the clients that are associated with the server or the server group.

2 In the Auto-Protect Options dialog box, on the File System tab, click Advanced.

3 In the Auto-Protect Advanced Options dialog box, set the following options:
  Startup options
  Changes requiring Auto-Protect reload
  Scan files when
  File cache
  Risk Tracer
  Automatic enabler
  When scanning compressed files (if configuring Server Auto-Protect Options)
  Backup options, and additional advanced options, if needed
  See Table 4-9 on page 152.
4 If you configure Client Auto-Protect Options, in the Monitor dialog box, set one or more of the following options for virus-like activities:
  Low-Level Format Of Hard Disk: Allow, Prompt, or Don't Allow
  Write To Hard Disk Boot Records: Allow, Prompt, or Don't Allow
  Write To Floppy Disk Boot Records: Allow, Prompt, or Don't Allow

5 If you selected Prompt for any of the options, check Remove the alert dialog after <number> seconds and type the number of seconds that you want the alert to last.

6 In the Auto-Protect Advanced Options dialog box, when you have finished configuring Auto-Protect Advanced Options, click OK.

7 If you want to propagate all the settings in the dialog box, regardless of whether you changed or visited them, click Reset All.

8 In the Auto-Protect Options dialog box, click OK.

About Risk Tracer

Risk Tracer identifies the source of network share-based virus infections on the computers that run Windows XP operating systems. When Auto-Protect detects an infection, it sends information to Rtvscan, the main Symantec AntiVirus service. Rtvscan determines whether the infection originated locally or remotely. If the infection came from a remote computer, Rtvscan can look up and record the computer's NetBIOS computer name and its IP address, and who was logged on to the computer at delivery time, and then display this information in the Risk properties dialog box.

Rtvscan polls every second by default for network sessions, and then caches this information as a remote computer secondary source list. This caching, which you can configure in the Auto-Protect Advanced Options dialog box, maximizes the frequency with which Risk Tracer can successfully identify the infected remote computer. For example, a risk may close the network share before Rtvscan can record the network session. Risk Tracer then uses the secondary source list to try to identify the remote computer.

Risk Tracer information appears in the Risk properties dialog box, and is available only for the risk entries that the infected files cause. When Risk Tracer determines that the infection came from local host activity, it lists the source as the local host. Risk Tracer lists a source as unknown in the Risk properties dialog box when the following conditions are true:
  It cannot identify the remote computer.
  The authenticated user for a file share refers to multiple computers. This condition can occur when a user ID is associated with multiple network sessions. For example, multiple computers might be logged on to a file sharing server with the same server user ID.

To record the full list of multiple remote computers that are infecting the current computer, set the HKEY_LOCAL_MACHINE\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\ProtectControl\Debug string value to THREATTRACER X on the current computer. The THREATTRACER value turns on the debug output, and the X ensures that only debug output that is related to Risk Tracer appears. You can also add an L to ensure that the logging goes to the <SAV_Program_Folder>\vpdebug.log log file. To ensure that the debug window does not appear, add XW. If you want to experiment with this feature, use the test virus file Eicar.com, available from the following URL:

Configuring actions for File System Auto-Protect

Actions let you set how Symantec AntiVirus responds when it detects a virus or a security risk. You can assign a first action and, in case the first action is not possible, a second action for Symantec AntiVirus to take when it discovers a virus or a security risk such as adware or spyware. Types of viruses and security risks are listed in the hierarchy. You can configure options on the tabs to the right.

Note: For security risks, use the delete action with caution. In some cases, deleting security risks causes applications to lose functionality.

Table 4-10 describes the options that you can configure for File System Auto-Protect and manual scan actions.
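The Risk Tracer debug setting described above can be applied and removed with a small script instead of editing the registry by hand. The following PowerShell is an added example, not part of the Symantec guide or product; it uses only the key, value name, and THREATTRACER flag letters that the guide names. Two things are assumptions: that the flag letters are simply concatenated after "THREATTRACER " in the order X, L, W (the guide says only that L and W are added), and that removing the Debug value turns the debug output off again. The Wow6432Node fallback reflects the usual 64-bit Windows registry redirection for 32-bit software and is not taken from the guide.

```powershell
# Added example (not from the Symantec AntiVirus guide): turn the Risk Tracer
# debug output on and off through the Debug string value named in the guide.
# Assumptions: flag letters are concatenated after "THREATTRACER " in the order
# X, L, W; removing the value disables the debug output again.
$RiskTracerDebugKey = 'HKLM:\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\ProtectControl'
# 32-bit software on 64-bit Windows is redirected under Wow6432Node (not from the guide).
$RiskTracerDebugKeyWow = 'HKLM:\Software\Wow6432Node\Intel\LANDesk\VirusProtect6\CurrentVersion\ProtectControl'

function Get-RiskTracerDebugKey {
    # Return whichever ProtectControl key exists on this computer, or throw.
    foreach ($k in @($RiskTracerDebugKey, $RiskTracerDebugKeyWow)) {
        if (Test-Path $k) { return $k }
    }
    throw "ProtectControl key not found; is Symantec AntiVirus installed on this computer?"
}

function New-RiskTracerDebugValue {
    param(
        [switch]$LogToFile,   # add L: write to <SAV_Program_Folder>\vpdebug.log
        [switch]$NoWindow     # add W: do not show the debug window
    )
    $flags = 'X'              # X restricts the debug output to Risk Tracer
    if ($LogToFile) { $flags += 'L' }
    if ($NoWindow)  { $flags += 'W' }
    return "THREATTRACER $flags"
}

function Enable-RiskTracerDebug {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$LogToFile, [switch]$NoWindow)
    $key   = Get-RiskTracerDebugKey
    $value = New-RiskTracerDebugValue -LogToFile:$LogToFile -NoWindow:$NoWindow
    if ($PSCmdlet.ShouldProcess($key, "Set Debug = '$value'")) {
        Set-ItemProperty -Path $key -Name Debug -Value $value -Type String
    }
}

function Get-RiskTracerDebug {
    # Current Debug value, or $null when no debug output is configured.
    $key = Get-RiskTracerDebugKey
    (Get-ItemProperty -Path $key -Name Debug -ErrorAction SilentlyContinue).Debug
}

function Disable-RiskTracerDebug {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = Get-RiskTracerDebugKey
    if ($PSCmdlet.ShouldProcess($key, 'Remove Debug value')) {
        Remove-ItemProperty -Path $key -Name Debug -ErrorAction SilentlyContinue
    }
}

# Usage, from an elevated PowerShell prompt on the computer being traced:
#   Enable-RiskTracerDebug -LogToFile -NoWindow -WhatIf   # preview the change only
#   Enable-RiskTracerDebug -LogToFile -NoWindow           # writes "THREATTRACER XLW"
#   Get-RiskTracerDebug                                   # confirm what is set
#   Disable-RiskTracerDebug                               # remove it when the test is finished
```

Use the -LogToFile switch when you want the output in vpdebug.log for later review, and -NoWindow on computers where a debug window popping up would confuse the user. Because the Debug value is a troubleshooting setting, remove it once the Risk Tracer test with Eicar.com is complete so that it is not left enabled on production computers.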
Table 4-10 Actions for File System Auto-Protect and manual scans

Actions tab: Macro virus, Non-macro virus
  You can configure a first action to take and a second action to take if the first action fails. Actions for viruses include the following:
  Clean risk (default first action): Attempts to clean the infected file when a virus is found.
  Quarantine risk (default second action): Attempts to move the infected file to the Quarantine on the infected computer as soon as it is detected. After an infected file is moved to the Quarantine, no user can execute it until you take an action, such as clean, and move the file back to its original location.
  Delete risk: Attempts to delete the file. Use this option only if you can replace the infected file with a virus-free backup copy, because the file is permanently deleted and cannot be recovered from the Recycle Bin. If Symantec AntiVirus cannot delete the file, detailed information about the action that Symantec AntiVirus took appears in the Notification dialog box and the Symantec AntiVirus Event Log.
  Leave alone (log only): Denies access to the file, displays a notification, and logs the event. Use this option to take manual control of how Symantec AntiVirus handles a virus. When you are notified of a virus, open the Risk History for the computer, right-click the name of the file, and select one of the following actions: Clean (viruses only), Delete Permanently, or Move To Quarantine.
Actions tab: Security risks (Adware, Dialers, Hack Tools, Joke Programs, Other (programs that might pose a security risk but do not fit into other security risk categories), Remote Access, Spyware, Trackware)
  You can configure Symantec AntiVirus security risk actions as follows:
  Configure the same actions to take for all security risks.
  Configure the same actions for a whole category of security risks.
  Configure individual security risk exceptions to the actions that you set for specific categories.
  You can configure a first action to take and a second action to take if the first action fails. Actions for security risks include the following:
  Quarantine risk (default first action): Attempts to move any infected files to the Quarantine on the infected computer as soon as the security risk is detected or completes its installation. Symantec AntiVirus removes or repairs any side effects of the risk, such as deleting registry keys that were added, reverting the registry key values that were changed, deleting additions to .ini or .bat files, deleting entries in host files, repairing a Layered Service Provider (LSP) system driver, or the effects of a rootkit. You can restore the security risk items that are quarantined to their original state on the system. In some instances, you might need to restart the computer to complete the removal or repair.
  Delete risk: Attempts to delete security risk files. Use this option only if you can replace the files with a security risk-free backup copy, because files are permanently deleted and cannot be recovered from the Recycle Bin. Use this action with caution, because in some cases, deleting security risks can cause applications to lose functionality. If Symantec AntiVirus cannot delete files, detailed information about the actions that Symantec AntiVirus took appears in the Notification dialog box and the Symantec AntiVirus Event Log.
  Leave alone (log only) (default second action): The risk is left alone and its detection is logged. Use this option to take manual control of how Symantec AntiVirus handles a security risk. When you are notified of a security risk, open the Risk History for the computer, right-click the name of the infected file or files, and select one of the following actions: Delete Permanently or Move To Quarantine.
  You can also lock exceptions on the Actions tab for Client File System Auto-Protect so that users cannot create their own security risk exceptions for Auto-Protect scans.
  Note: In some instances, you might unknowingly install an application that includes a security risk such as adware or spyware. If Symantec has determined that blocking the risk will not harm the computer, then by default Symantec AntiVirus blocks the risk. If blocking the risk might leave the computer in an unstable state, Symantec AntiVirus waits until that application installation is complete before it performs the configured action on the security risk.

Exceptions tab: Available only for security risks
  You can configure exceptions to the actions that you set for security risk categories. You can select specific instances of a category and assign actions to those instances that are different from the actions that you assigned to the category as a whole. In each category list, you can select and add the security risks for which you want to configure custom actions, or edit or remove the risks that are already in the list. To see the whole list and assign a custom action to several different types of security risks at once, you can select Security Risks in the tree instead of selecting each category of security risk separately.
  An additional custom action, Exclude, is available for the security risks that you want to exclude from Auto-Protect scans.
  Note: Exclusions that you configure for Auto-Protect scans are not recognized by manual and scheduled scans, and vice versa. Exclusions are configured separately for manual, scheduled, and Auto-Protect scans. You can exclude a security risk from all scans on client computers only by configuring it globally. See Configuring global security risk exclusions on page 140.
  You can lock exceptions on the Actions tab for Client File System Auto-Protect to keep users from making any Auto-Protect scan exceptions for security risks.
  Note: When you exclude a security risk from scans, that risk is not logged or reported.
  Warning: If you configure Symantec AntiVirus to delete the files that are infected by a security risk such as adware or spyware, it cannot restore those files. To back up the files that are affected by security risks such as adware or spyware, configure Symantec AntiVirus to quarantine them.
About risk impact ratings

Symantec assesses security risks to determine how much effect they have on a computer. The following factors are rated low, medium, or high: privacy impact, performance impact, stealth, and removal difficulty. A factor that is rated low has been assessed as having a minimal impact. A factor that is rated medium has been assessed as having some impact. A factor that is rated high has been assessed as having a significant impact in that area. If a particular security risk has not been assessed yet, a default rating is displayed. If a particular security risk has been assessed but the factor being rated does not apply to that particular risk, a rating of None is displayed for that factor.

These ratings appear in the Symantec System Center when you use the Exceptions tab to assign custom actions to particular security risks. Exceptions to standard actions are available from the Actions button when you configure Client and Server Auto-Protect options, as well as when you configure any type of scan. They are also available to end users from the Symantec AntiVirus user interface when they configure any type of scan. You can use these ratings to help determine which security risks you want to exclude from scans and allow to remain on computers. Clicking a factor name sorts that column beginning with all low risks; clicking the factor name again sorts the column beginning with high ratings.

Table 4-11 describes the rating factors and what a high rating means for each of them.

Table 4-11 Risk impact rating factors

Privacy Impact: Privacy measures the level of privacy that is lost due to the security risk's presence on the computer. A high rating indicates that personal or other sensitive information may be stolen.
Performance Impact: Performance measures the extent to which a security risk degrades a computer's performance. A high rating indicates that performance is seriously degraded.
Stealth Rating: Stealth measures how easy it is to determine whether the security risk is present on a computer. A high rating indicates that the security risk attempts to hide its presence, which may make it difficult to determine whether the security risk is present on the computer.
Removal Rating: Removal measures the degree of difficulty in removing a security risk from a computer. A high rating indicates that the risk is difficult to remove.
Overall Rating: The overall rating is an average of the other factors.
Dependent Program: Dependent Program indicates whether or not there is another application that depends on the presence of this security risk to function properly.

To configure actions for File System Auto-Protect

1 Do one of the following:
  Right-click the server group or the Symantec AntiVirus servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Server Auto-Protect Options. If you select a server group, the Symantec System Center configures all of the servers that are in the server group.
  Right-click an individual server or multiple selected servers, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
  Right-click the server group or the servers that manage the Symantec AntiVirus clients that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
  The Symantec System Center configures all of the clients that are associated with the server or the server group.

2 In the Auto-Protect Options dialog box, on the File System tab, click Actions.
3 In the Actions dialog box, in the hierarchy, select a type of virus or security risk. By default, each security risk subcategory, such as Spyware, is automatically configured to use the actions that are set at the top level for the entire Security Risks category. To configure a category or specific instances of a category to use different actions, check Override actions configured for Security risks, and then set the actions for that category only. See Table 4-10 on page .

4 Select the first and second actions that you want Symantec AntiVirus to take when it detects that category of virus or security risk. For security risks, use the delete action with caution. In some cases, deleting security risks causes applications to lose functionality.

5 If you selected Security Risks as a whole or an individual security risk category, click the Exceptions tab to configure custom actions for one or more specific instances of that security risk category. An additional action, Exclude, is available for Exceptions that you configure. If you assign the same actions, you can select multiple security risks and assign the actions to them at the same time. If you are configuring Client Auto-Protect Options, you can lock Exceptions that you configure on the Actions tab, so that users cannot make any security risk exceptions for Auto-Protect scans.

6 Click Add.
7 In the Select Security Risks dialog box, check the specific risks in the list for which you want to configure custom actions, and then click Next.

8 In the Configure Security Risks dialog box, select the first and second actions that you want Symantec AntiVirus to take when it detects the specific risks that you selected, and then click Finish.

9 Repeat step 4 for each category for which you want to set actions (viruses and security risks).

10 Repeat steps 5 through 8 for all security risk categories in which you want to set custom actions for individual risks.

11 Click OK.

Configuring notifications for File System Auto-Protect

When you configure notifications, you set how Symantec AntiVirus notifies users when the following occurs:
  Symantec AntiVirus finds a virus or a security risk.
  Symantec AntiVirus needs to stop a process or service to remove or repair the effects of a virus or security risk.

You can suppress all or some user notifications. On unmanaged clients, by default users are notified, and processes and services are not terminated automatically. This default allows users to save data before Symantec AntiVirus initiates actions to remove or repair a virus or security risk. On servers and managed clients, by default notifications are turned off, and processes and services are terminated automatically.
Note: Notifications options are the same for File System Auto-Protect and for all types of manual scans, with one exception. The Display Auto-Protect results dialog on infected computer option is available only for File System Auto-Protect.

Table 4-12 describes the notifications options for File System Auto-Protect and manual scans.

Table 4-12 Notifications options for File System Auto-Protect and manual scans

Detection options
  Check Display notification message on infected computer to display a message on the computer when a virus or security risk is found. Right-click in the text field to insert new fields, or type or edit directly in the field to alter the message. See Table 4-13 on page 170.
  Uncheck Display Auto-Protect results dialog on infected computer to suppress the dialog box that displays the results on the infected computer when Auto-Protect finds viruses and security risks. This option is available only when you configure File System Auto-Protect.

Remediation options
  If you check both remediation options, users are not notified when Symantec AntiVirus needs to terminate a process or application, such as a Web browser, or stop a service on the user's computer to complete the removal or repair of a risk. Symantec AntiVirus automatically takes the necessary action without notifying users.
  Automatically terminate processes: Check this option if you do not want users to be notified when Symantec AntiVirus must terminate a process to remove or repair a risk.
  Automatically stop services: Check this option if you do not want users to be notified when Symantec AntiVirus must stop a service to remove or repair a risk.
  Note: Users are always notified when a restart is required. They are allowed to save data and close open applications, or to opt out of restarting.

You can construct a custom message to appear on infected computers when a virus or a security risk is found. You can type directly in the message field to add your own text, and you can right-click in the field to select variables. Table 4-13 describes the variable fields that are available for File System Auto-Protect and manual scan notification messages.
Table 4-13 File System Auto-Protect and manual scan message fields

SecurityRiskName: The name of the virus or security risk that was found.
ActionTaken: The action that was taken in response to detecting the virus or security risk. This action can be either the first action or the second action that was configured.
Status: The state of the file: Infected, Not Infected, or Deleted. This message variable is not used by default. To display this information, manually add this variable to the message.
Filename: The name of the file that the virus or the security risk has infected.
PathAndFilename: The complete path and name of the file that the virus or the security risk has infected.
Location: The drive on the computer on which the virus or security risk was located.
Computer: The name of the computer on which the virus or security risk was found.
User: The name of the user who was logged on when the virus or security risk occurred.
Event: The type of event, such as Risk Found.
LoggedBy: The type of scan (manual, scheduled, and so on) that detected the virus or security risk.
DateFound: The date on which the virus or security risk was found.
StorageName: The affected area of the application, for example, File System Auto-Protect or Lotus Notes Auto-Protect.
ActionDescription: A full description of the actions that were taken in response to detecting the virus or security risk.

To configure notifications for File System Auto-Protect

1 Do one of the following:
  Right-click the server group or the Symantec AntiVirus servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Server Auto-Protect Options. If you select a server group, the Symantec System Center configures all of the servers that are in the server group.
  Right-click a server group, an individual server, or multiple selected servers that manage the Symantec AntiVirus clients that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.

2 In the Client or Server Auto-Protect Options dialog box, on the File System tab, click Notifications.

3 In the Notification Options window, under Detection Options, check Display notification message on infected computer if you want a message to appear on the infected computer when a virus or security risk is found.

4 In the message box, do any or all of the following to construct the message that you want:
  Click to type or edit text.
  Right-click, click Insert Field, and then select the variable field that you want to insert. See Table 4-13 on page 170.
  Right-click, and then select Cut, Copy, Paste, Clear, or Undo.

5 Under the message box, uncheck Display Auto-Protect results dialog on infected computer if you want to suppress the dialog box that displays results when Auto-Protect finds viruses and security risks.
6 Under Remediation Options, check each option that you want to set. Your options are as follows:
  Automatically terminate processes: If checked, Symantec AntiVirus automatically terminates processes when it needs to do so to remove or repair a virus or security risk. Users are not prompted to save data before Symantec AntiVirus terminates the processes.
  Automatically stop services: If checked, Symantec AntiVirus automatically stops services when it needs to do so to remove or repair a virus or security risk. Users are not prompted to save data before Symantec AntiVirus stops the services.
  Use these options with caution on clients, because users can potentially lose data when Symantec AntiVirus terminates processes or applications or stops services.

7 Click OK.

User interaction with scan results

If you allow users to be notified when Symantec AntiVirus finds a virus or a security risk, the Auto-Protect Results dialog box appears.

Figure 4-1 Auto-Protect Results dialog box
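Before a custom notification message from the procedure above is propagated to clients, it is worth previewing it against a sample detection and checking that every variable it references is one of the Table 4-13 fields. The PowerShell below is an added example, not part of the Symantec guide or product. It assumes that a field is written in the message as the field name in square brackets, for example [SecurityRiskName]; the guide lists the field names but not the delimiter that the Insert Field command produces, so adjust the pattern if your message editor shows a different form. The sample detection values are constructed for the preview.

```powershell
# Added example (not from the Symantec AntiVirus guide): validate and preview a
# custom notification message built from the Table 4-13 message fields.
# Assumption: fields appear in the message as [FieldName]; the guide does not
# show the delimiter that Insert Field uses.
$NotificationFields = @(
    'SecurityRiskName', 'ActionTaken', 'Status', 'Filename', 'PathAndFilename',
    'Location', 'Computer', 'User', 'Event', 'LoggedBy', 'DateFound',
    'StorageName', 'ActionDescription'
)
$FieldPattern = '\[(\w+)\]'

function Test-NotificationMessage {
    # Return the placeholder names in $Message that are not Table 4-13 fields
    # (typos such as [SecurityRiskNmae] would otherwise reach users verbatim).
    param([Parameter(Mandatory)][string]$Message)
    $used = [regex]::Matches($Message, $FieldPattern) | ForEach-Object { $_.Groups[1].Value }
    return @($used | Where-Object { $NotificationFields -notcontains $_ } | Select-Object -Unique)
}

function Expand-NotificationMessage {
    # Render $Message with the values of one detection, the way a user would see it.
    param(
        [Parameter(Mandatory)][string]$Message,
        [Parameter(Mandatory)][hashtable]$Detection   # field name -> value
    )
    $bad = Test-NotificationMessage -Message $Message
    if ($bad.Count -gt 0) { throw "Unknown message field(s): $($bad -join ', ')" }
    $evaluator = {
        param($m)
        $name = $m.Groups[1].Value
        if ($Detection.ContainsKey($name)) { [string]$Detection[$name] } else { $m.Value }
    }.GetNewClosure()
    return [regex]::Replace($Message, $FieldPattern, $evaluator)
}

# Constructed sample detection for the preview; the values are made up.
$sampleDetection = @{
    SecurityRiskName = 'EICAR Test String'
    ActionTaken      = 'Quarantined'
    Status           = 'Infected'          # not in the default message; added deliberately
    PathAndFilename  = 'C:\Temp\eicar.com'
    Computer         = 'WS-EXAMPLE-01'
    User             = 'jdoe'
    LoggedBy         = 'Auto-Protect'
    DateFound        = '2006-01-01 09:15'
}

# A message that uses the Status field, which the guide says must be added by hand.
$messageTemplate = @'
Symantec AntiVirus found [SecurityRiskName] in [PathAndFilename]
on [Computer] (user [User]) at [DateFound], detected by [LoggedBy].
Action taken: [ActionTaken]. File status: [Status].
Contact the help desk before restarting the computer.
'@

Expand-NotificationMessage -Message $messageTemplate -Detection $sampleDetection
```

Run Test-NotificationMessage on the message text you intend to paste into the Notification Options window; an empty result means every placeholder matches a field in Table 4-13. Expand-NotificationMessage then shows what users will read, which is the quickest way to notice a message that is too long for the dialog box or that leaves out the path of the affected file.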
Note: If a scan finds a security risk on an unmanaged client computer, a user can use the Exclude column checkbox in the Auto-Protect or Scan Results dialog box to exclude that risk from all future scans of the type that detected the risk. On managed client computers, users are not allowed to exclude risks from these dialog boxes.

If Symantec AntiVirus needs to terminate a process or application or stop a service to clean up a risk that is found by the scan, the Remove Risks Now button is active.

Table 4-14 Buttons in the Results dialog box

Remove Risks Now
  When users click Remove Risks Now, the Remove Risk dialog box appears. The following actions are possible:
  If users click Yes, the risk is removed. If the removal of this risk requires a restart, the information in the risk's row in the dialog box updates to indicate that a restart is required.
  If users click No, a dialog box appears again when they close the results dialog box to remind them that action is still needed.

Close
  If no action must be taken, the results dialog box closes when users click Close. If an action must be taken, one of the following notifications appears when users click Close:
  Remove Risk Required: Appears when there is a risk that requires process termination. If users remove the risk, they are returned to the results dialog box. If a restart is also required, the information in the risk's row in the dialog box updates to indicate that.
  Reboot Required: Appears when there is a risk that requires a restart.
  Remove Risk and Reboot Required: Appears when there is a risk that requires process termination and another risk that requires a restart.

If a restart is required and the user does not choose to restart the computer, the removal or repair is not complete until the next time the computer is restarted. Some of the possible reasons include the following:
  The repair involves running processes that cannot be terminated, so their binaries remain locked on the disk.
  The risk has files open with exclusive read, write, or delete access, so the files cannot be deleted without a restart.
  The repair affects a Layered Service Provider (LSP). An LSP is a Winsock 2 service provider DLL that is layered into the Winsock stack between applications and the TCP/IP transport provider and manipulates the data that is transmitted in some way. For example, an LSP could be used to encrypt the data.

Results of the repairs are logged to the Event log. Users can see the results of the repairs in the scan status window or the Risk History window and can right-click risks to see repair details.

If users need to take action on a risk but choose not to take action right now, the risk can be removed or repaired at a later time in the following ways:
  The user can open the Risk History, right-click the risk, and then take an action.
  The user can run a scan to redetect the risk and reopen the results dialog box.

The actions that users can take depend on the actions that are configured for the particular type of virus or security risk that was found.

Note: User interactions with scan result notifications are the same for manual and scheduled scans as they are for Auto-Protect scan results.

Disabling security risk scanning in File System Auto-Protect

By default, Auto-Protect and all types of scans check for security risks. At times, you might need to disable scanning for security risks in File System Auto-Protect temporarily, and then reenable it.

Note: You cannot disable security risk scanning for other types of scans. However, you can configure Symantec AntiVirus to leave the security risk alone and only log the detection, or you can exclude specific risks globally from all types of scans by adding them to the global exclusions list. See Configuring global security risk exclusions on page 140.

To disable security risk scanning in File System Auto-Protect
1 Right-click a server, a server group, or a client group.
2 Do one of the following:
  Click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
  Click All Tasks > Symantec AntiVirus > Server Auto-Protect Options.
3 In the Auto-Protect Options dialog box, under Options, uncheck Scan for security risks.
4 If you selected Client Auto-Protect Options, lock the option if you want this setting to propagate to clients.

Configuring Auto-Protect scanning for groupware email applications

Auto-Protect can scan email attachments for the following applications:
  Lotus Notes 4.5x, 4.6, 5.0, and 6.x
  Microsoft Outlook 98/2000/2002/2003 (MAPI and Internet)
  Microsoft Exchange client 5.0 and 5.5

If you use Microsoft Outlook over MAPI or Microsoft Exchange and you have Auto-Protect enabled for email, attachments are immediately downloaded to the computer that is running the email client and scanned when the user opens the message. If you download a large attachment over a slow connection, mail performance is affected. You may want to disable this feature for users who regularly receive large attachments.

Symantec AntiVirus supports email scanning only for Symantec AntiVirus clients. It can coexist on Microsoft Exchange Server 5.0 and 5.5, but does not scan the Exchange Server files. See the Symantec AntiVirus Reference Guide.

Note: If Lotus Notes or Microsoft Outlook is already installed on the computer when you perform a client software installation from the Symantec System Center, Symantec AntiVirus detects the application and automatically installs the correct Auto-Protect email plug-in for it. Both plug-ins are installed if you select a complete installation when you perform a manual Symantec AntiVirus installation.

To configure email scanning
1 Right-click the server group or the servers to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
2 In the Client Auto-Protect Options dialog box, on the Lotus Notes or Microsoft Exchange tab, check Enable Auto-Protect. You can use the Microsoft Exchange tab to configure Auto-Protect options for both Microsoft Exchange and Microsoft Outlook.
3 To set Auto-Protect options, do any of the following:
  Select all types or extensions to scan.
  Insert a warning into an email message.
  Send an email message to the sender of an infected attachment.
  Send an email message to selected recipients when a virus is detected.
4 Click Advanced to disable the scanning of compressed files or to change the number of levels of compression to scan when compressed files exist within compressed files, and then click OK.
5 Click Actions to configure the detection and remediation actions that you want Symantec AntiVirus to take when it finds a virus or security risk, and then click OK. Actions options are the same as those for File System Auto-Protect. For security risks, use the delete action with caution, because in some cases deleting security risks can cause applications to lose functionality. See Configuring actions for File System Auto-Protect.
6 Click Notifications to configure the type of notification that you want Symantec AntiVirus to provide to users when it finds a virus or security risk, and then click OK. Notifications options are the same as those for File System Auto-Protect, except that the Display Auto-Protect results dialog on infected computer option is not available. See Configuring notifications for File System Auto-Protect.
7 Lock or unlock options as needed.
8 Click Reset All to ensure that all of the computers immediately use the Auto-Protect scanning configuration that you have specified. See About propagating Auto-Protect settings on page 143.

If your email program is not supported

If your email program is not one of the supported applications, you can still protect your network by enabling Auto-Protect on your file system. For example, if you are running a Novell GroupWise system and one of your users receives a message with an infected attachment, Symantec AntiVirus can detect the virus as soon as the user tries to open the attachment. This works because most email programs, such as GroupWise, save attachments to a temporary directory when users launch attachments from the program. If you enable Auto-Protect on your file system, Symantec AntiVirus detects the virus as it is written to the temporary directory. Symantec AntiVirus also detects the virus if the user tries to save the infected attachment to a local drive or network drive.

Configuring Auto-Protect scanning for Internet email

Auto-Protect scanning for Internet email protects both incoming and outgoing email messages that use the POP3 or SMTP communications protocol. When Auto-Protect scanning for Internet email is enabled, Symantec AntiVirus scans both the body text of the email and any attachments that are included.

If you enable Auto-Protect to support the handling of encrypted email over POP3 and SMTP connections, secure connections are detected and the encrypted messages are passed through without scanning. Although Auto-Protect does not scan email that uses POP3 or SMTP over the Secure Sockets Layer (SSL), File System Auto-Protect continues to protect computers from viruses and security risks in attachments. File System Auto-Protect scans attachments when the user saves the attachment to the hard drive. In practice this means that a mail client that connects to its server over SSL bypasses Internet email scanning entirely, so for those users you rely on File System Auto-Protect and on whatever scanning the mail server performs.

Note: Internet email scanning is not supported for 64-bit computers.

Symantec AntiVirus also provides outbound heuristics scanning that uses Bloodhound Virus Detection to identify the risks that may be contained in outgoing messages. Scanning outgoing messages helps to prevent the spread of risks such as worms that can use email clients to replicate and distribute themselves across a network.

Internet email scanning does not support the following email clients:
  IMAP clients
  AOL clients
  HTTP-based email such as Hotmail and Yahoo! Mail

To configure Auto-Protect scanning for Internet email
1 Right-click the server group or the servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
2 In the Client Auto-Protect Options dialog box, on the Internet Email tab, check Enable Internet Email Auto-Protect. The settings that you choose apply to both the POP3 and SMTP protocols.
3 To set Auto-Protect options, do any of the following:
  Select all types or extensions to scan.
  Insert a warning into an email message.
  Send an email message to the sender of an infected attachment.
  Send an email message to selected recipients when a virus is detected.
4 Click Advanced to set options for the following:
  Enable the scanning of compressed files.
  Change the number of levels of compression that you want to scan when compressed files exist within compressed files.
  Change the POP3 and SMTP ports that are scanned. See Changing the POP3 and SMTP ports that are scanned on page 179.
  Enable or disable the handling of encrypted POP3 or SMTP connections.
  Set outbound mail heuristics. See Enabling outbound heuristics scanning on page 179.
  Set options to display a progress notification window when you send email, and to display a tray icon.
5 When you have finished setting advanced options, click OK.
6 Click Actions to configure the detection and remediation actions that you want Symantec AntiVirus to take when it finds a virus or security risk, and then click OK. Actions options are the same as those for File System Auto-Protect. See Configuring actions for File System Auto-Protect.
7 Click Notifications to configure the type of notification that you want Symantec AntiVirus to provide to users when it finds a virus or security risk, and then click OK. Notifications options are the same as those for File System Auto-Protect, except that the Display Auto-Protect results dialog on infected computer option is not available. See Configuring notifications for File System Auto-Protect.
8 On the Internet Email tab, lock or unlock options as needed.
9 Click Reset All to ensure that all of the computers immediately use the Auto-Protect scanning configuration that you have specified. See About propagating Auto-Protect settings on page 143.
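The nesting depth set under Advanced in step 4 is a hard limit on what the email scan (and, with the same setting, a manual or scheduled scan) can see: an archive that sits deeper than the configured number of levels is never opened, and on Windows the setting cannot exceed ten levels. The following Python example is added here to make that limit concrete; it is not Symantec code. The archive names, the marker string and the depth-counting rule (the container's direct members are level 1) are constructed assumptions. It builds a chain of zip-in-zip archives in memory and walks it the way a scanner with an expand-N-levels setting would, reporting which members were inspected and which archives were left unopened.

```python
"""Added example, not Symantec code: how an "expand N levels deep" limit bounds
what a compressed-file scan can inspect.  All data is constructed in memory."""
import io
import zipfile

# Documented ceilings for nested compressed files (Windows 10, NetWare 8).
WINDOWS_MAX_LEVELS = 10
NETWARE_MAX_LEVELS = 8

# Constructed marker standing in for a detectable string (not a real signature).
MARKER = b"CONSTRUCTED-MARKER-NOT-A-REAL-SIGNATURE"


def build_nested_zip(depth: int, payload: bytes = MARKER) -> bytes:
    """Return a zip file (as bytes) that wraps `payload` in `depth` zip layers.

    depth=1 -> container holds payload.bin
    depth=3 -> container holds nested2.zip, which holds nested1.zip,
               which holds payload.bin
    """
    data, name = payload, "payload.bin"
    for level in range(1, depth + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"nested{level}.zip"
    return data


def looks_like_archive(blob: bytes) -> bool:
    """Container detection by zip end-of-central-directory signature."""
    return zipfile.is_zipfile(io.BytesIO(blob))


def scan_archive(container: bytes, max_levels: int, marker: bytes = MARKER):
    """Walk `container` as a scanner with expand-N-levels = max_levels would.

    The container's direct members are level 1.  An archive found at level k
    is opened only if k < max_levels, so a payload wrapped in `depth` layers is
    reached only when depth <= max_levels.

    Returns (hits, unopened): member paths whose content contained the marker,
    and archive members that sat beyond the limit and were never opened.
    """
    hits, unopened = [], []

    def walk(blob: bytes, path: str, level: int) -> None:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                member = f"{path}/{info.filename}"
                content = zf.read(info)
                if looks_like_archive(content):
                    if level < max_levels:
                        walk(content, member, level + 1)
                    else:
                        unopened.append(member)  # beyond the limit: opaque
                elif marker in content:
                    hits.append(member)

    if max_levels < 1:
        unopened.append("container.zip")  # compressed-file scanning disabled
    else:
        walk(container, "container.zip", 1)
    return hits, unopened


if __name__ == "__main__":
    for depth in (2, 3, 4, WINDOWS_MAX_LEVELS + 1):
        hits, unopened = scan_archive(build_nested_zip(depth), 3)
        print(f"depth={depth:2d} limit=3  hits={hits}  unopened={unopened}")
```

Run as-is, the depth-4 case shows a payload three archives down going unopened at a limit of three, and raising the limit to the Windows maximum still leaves an eleven-layer archive closed. Such a file is only seen when File System Auto-Protect watches it being extracted, which is the behaviour the advanced options for compressed files describe; the nesting limit is therefore a coverage boundary to set deliberately, not a tuning knob.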
Changing the POP3 and SMTP ports that are scanned

Auto-Protect scanning for Internet email uses the standard POP3 and SMTP ports by default. However, if you have configured your network to use a different port for either protocol, you must change the port setting in Symantec AntiVirus to match the port that you have selected. Internet email Auto-Protect inspects only the ports that are configured here, so mail that a client sends or receives on any other port is not scanned.

To change the POP3 and SMTP ports that are scanned
1 Right-click the server group or the servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
2 In the Client Auto-Protect Options dialog box, on the Internet Email tab, check Enable Internet Email Auto-Protect.
3 Click Advanced.
4 In the Internet Email Advanced Options dialog box, under Connection settings, change the port number to match the port that you use for each protocol.
5 If you want to reset the port numbers to the default setting, click Use Defaults.
6 Click OK.
7 Click Reset All to ensure that all of the computers use the Auto-Protect scanning configuration that you have specified. See About propagating Auto-Protect settings on page 143.

Enabling outbound heuristics scanning

Auto-Protect scanning for Internet email provides outbound protection against risks such as worms that distribute themselves through email applications. Symantec AntiVirus uses Bloodhound Virus Detection heuristics to identify risks in outbound messages.

To enable outbound heuristics scanning
1 Right-click the server group or the servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
2 In the Client Auto-Protect Options dialog box, on the Internet Email tab, check Enable Internet Email Auto-Protect.
3 Click Advanced.
4 In the Internet Email Advanced Options dialog box, check Outbound worm heuristics, and then set a first and second action for Symantec AntiVirus to take, or leave the default settings.
5 Click OK.
6 Click Reset All to ensure that all of the computers use the Auto-Protect scanning configuration that you have specified. See About propagating Auto-Protect settings on page 143.

Configuring manual scans

You can configure a manual scan on a Symantec AntiVirus server or client. Table 4-15 describes the types of manual scans that you can configure.

Table 4-15 Types of manual scans

Quick Scan
  Scans system memory and all the common virus and security risk locations on the computer very quickly.
  Note: Quick scans are not supported on NetWare servers.
Full
  Scans the entire computer for viruses and security risks, including the boot sector and system memory.
Custom
  Scans the files and folders that you select for viruses and security risks.

Note: If you want to scan all servers and clients in a server group, run a virus sweep or create a scheduled scan instead. See Running a virus sweep on page 244. See Creating and configuring scheduled scans on page 192.

Some of the manual scan options are the same as the scan options for Auto-Protect scans. Table 4-16 describes the options for manual scans.

Table 4-16 Manual scan options

File types
  You can configure Symantec AntiVirus to scan all file types or to scan by selected file types. The following options are available:
  All types: Select this option to scan all files that are found on the computer, regardless of type.
  Selected extensions: Select this option to scan only the files that have certain extensions. You can add more extensions for programs and documents if you have files that use extensions that are not already in the list. You can also reset this option to its default value.

Scan Enhancements
  Select the following options to find viruses and security risks more quickly. These commonly infected locations are scanned before the files and folders that you have selected are scanned. The following options are available:
  Scanning program files loaded into memory
  Scanning common infection locations (load points)
  Scanning for traces of well-known viruses and security risks

Enable detection of security risks
  This option applies only to detecting security risks on version 9.x legacy clients.
  Note: Risks on legacy clients are detected, not repaired.

Exclude files and folders
  Check this option to exclude certain files or folders from the scan. Click Exclusions, and then select one of the following:
  Extensions: Exclude files by their extensions.
  Files/Folders: Exclude files and folders by their paths. For multiple clients or servers, you need to type the paths to the directories and files that you want to exclude.
  Note: When you exclude a folder, Symantec AntiVirus cannot protect an infected computer from infected files in that folder. Every excluded path is a permanent blind spot for anything that is later written there, so keep the exclusion list short and review it.

Advanced
  Click this button to set advanced scan options, including backup, remote, compressed files, and so on. See Table 4-17 on page 183.

Actions
  Click this button to configure the actions that you want Symantec AntiVirus to take when it detects macro viruses, non-macro viruses, and security risks. See Table 4-10 on page 161.

Throttling
  Click this button to set CPU utilization options. Set the sliders to configure the scan priority when the computers are idle and not idle. Check Throttle NetWare Load and set its slider, if applicable.
  For scheduled and manual scans, Symantec AntiVirus lets you control the scan's CPU priority. Giving a scan a lower priority means that the scan takes longer to complete, but also frees the CPU to work on other tasks. You may want to set a lower priority in some situations. For example, if you have scans running at lunch time during the work week, you might want to lower the scan priority to minimize the impact on user productivity.
  You can specify a scan priority for the following:
  Windows computers: Priority differs depending on whether the computer is idle or not idle. The idle setting specifies the priority that is assigned to scans when the computer is idle. The not idle setting specifies the priority that is assigned to scans when the computer is actively working.
  NetWare computers: Symantec AntiVirus can throttle its load on NetWare servers. A lower load setting means that the server scan takes longer to complete.

Notifications
  Click this button to set the detection and remediation options for notifications that you want to appear on the infected computer when this manual scan finds a virus or a security risk. See Table 4-12 on page 169.

Table 4-17 describes advanced options for manual scans.
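As an added illustration (not Symantec code) of how the File types and Exclude files and folders options in Table 4-16 combine with the Windows storage migration options that Table 4-17 describes next, the following Python models which files a manual scan would open. The file listing, the attribute masks and the matching rules are constructed assumptions: extensions and paths are compared case-insensitively, an excluded folder covers everything beneath it, and the option to skip offline and sparse files with a reparse point is read as also skipping any file that carries the reparse-point attribute. The attribute bit values are the documented Win32 FILE_ATTRIBUTE constants.

```python
"""Added example, not Symantec code: which files would a manual scan open,
given the Table 4-16 file-type/exclusion options and the Table 4-17 Windows
storage migration skip options.  Inputs are constructed for illustration."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional, Tuple

# Documented Win32 file-attribute bits (GetFileAttributes / st_file_attributes).
FILE_ATTRIBUTE_ARCHIVE = 0x0020
FILE_ATTRIBUTE_SPARSE_FILE = 0x0200
FILE_ATTRIBUTE_REPARSE_POINT = 0x0400
FILE_ATTRIBUTE_OFFLINE = 0x1000

# Storage migration choice -> attribute bits that make the scan skip a file.
# The third mapping is an assumed reading of that option's wording.
SKIP_OFFLINE = "skip offline files"
SKIP_OFFLINE_SPARSE = "skip offline and sparse files"  # documented default
SKIP_OFFLINE_SPARSE_REPARSE = "skip offline and sparse files with a reparse point"
SCAN_ALL = "scan all files, forcing demigration"
STORAGE_POLICIES = {
    SKIP_OFFLINE: FILE_ATTRIBUTE_OFFLINE,
    SKIP_OFFLINE_SPARSE: FILE_ATTRIBUTE_OFFLINE | FILE_ATTRIBUTE_SPARSE_FILE,
    SKIP_OFFLINE_SPARSE_REPARSE: (FILE_ATTRIBUTE_OFFLINE | FILE_ATTRIBUTE_SPARSE_FILE
                                  | FILE_ATTRIBUTE_REPARSE_POINT),
    SCAN_ALL: 0,
}
_BIT_REASONS = [
    (FILE_ATTRIBUTE_OFFLINE, "offline bit set"),
    (FILE_ATTRIBUTE_SPARSE_FILE, "sparse file"),
    (FILE_ATTRIBUTE_REPARSE_POINT, "reparse point"),
]


@dataclass(frozen=True)
class ScanOptions:
    all_types: bool = True                    # "All types" vs "Selected extensions"
    selected_extensions: frozenset = frozenset()
    excluded_extensions: frozenset = frozenset()
    excluded_folders: tuple = ()
    storage_policy: str = SKIP_OFFLINE_SPARSE


def _extension(path: str) -> str:
    return PureWindowsPath(path).suffix.lower().lstrip(".")


def _inside(path: str, folder: str) -> bool:
    """Component-wise containment, case-insensitive like NTFS.  Comparing path
    components rather than string prefixes keeps C:\\Temp from matching C:\\TempX."""
    p = PureWindowsPath(path.lower())
    f = PureWindowsPath(folder.lower())
    return f == p or f in p.parents


def skip_reason(path: str, attrs: int, opts: ScanOptions) -> Optional[str]:
    """Return why the scan would not open `path`, or None if it would."""
    ext = _extension(path)
    if not opts.all_types and ext not in opts.selected_extensions:
        return "not a selected extension"
    if ext in opts.excluded_extensions:
        return "excluded extension"
    for folder in opts.excluded_folders:
        if _inside(path, folder):
            return f"inside excluded folder {folder}"
    skip_bits = STORAGE_POLICIES[opts.storage_policy]
    for bit, reason in _BIT_REASONS:          # attribute-based skips, in order
        if attrs & bit & skip_bits:
            return reason
    return None


def select_targets(files: Iterable[Tuple[str, int]],
                   opts: ScanOptions) -> Tuple[List[str], Dict[str, str]]:
    """Split (path, attribute mask) pairs into the files the scan opens and a
    path -> reason map for the files it never looks at."""
    scanned, skipped = [], {}
    for path, attrs in files:
        reason = skip_reason(path, attrs, opts)
        if reason is None:
            scanned.append(path)
        else:
            skipped[path] = reason
    return scanned, skipped


# Constructed sample listing: (path, Win32 attribute mask).
SAMPLE_FILES = [
    (r"C:\Users\alice\Downloads\invoice.exe", FILE_ATTRIBUTE_ARCHIVE),
    (r"C:\Users\alice\Downloads\notes.txt", FILE_ATTRIBUTE_ARCHIVE),
    (r"C:\Temp\build\tool.dll", FILE_ATTRIBUTE_ARCHIVE),
    (r"C:\TempX\keep.dll", FILE_ATTRIBUTE_ARCHIVE),
    (r"D:\archive\q1-report.pdf", FILE_ATTRIBUTE_ARCHIVE | FILE_ATTRIBUTE_OFFLINE),
    (r"D:\archive\big.iso", FILE_ATTRIBUTE_ARCHIVE | FILE_ATTRIBUTE_SPARSE_FILE),
    (r"D:\archive\video.mov", FILE_ATTRIBUTE_ARCHIVE | FILE_ATTRIBUTE_SPARSE_FILE
                              | FILE_ATTRIBUTE_REPARSE_POINT),
]
SAMPLE_OPTIONS = ScanOptions(excluded_extensions=frozenset({"txt"}),
                             excluded_folders=(r"C:\Temp",))

if __name__ == "__main__":
    for policy in (SKIP_OFFLINE_SPARSE, SKIP_OFFLINE, SCAN_ALL):
        opts = ScanOptions(excluded_extensions=SAMPLE_OPTIONS.excluded_extensions,
                           excluded_folders=SAMPLE_OPTIONS.excluded_folders,
                           storage_policy=policy)
        scanned, skipped = select_targets(SAMPLE_FILES, opts)
        print(f"[{policy}] scanned={scanned}")
        for path, why in skipped.items():
            print(f"   skipped {path}: {why}")
```

Two things are worth noticing in the output. An excluded folder removes everything beneath it from the scan, including files written there after the exclusion was set. And under the default storage policy a file is dropped on the strength of an attribute bit alone: the page notes that any application can set the offline bit without moving the file, so a process that can write a file can also arrange for the scan to skip it. Scan all files, forcing demigration is the only policy in the table without an attribute-based gap, at the cost the page describes.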
183 Scanning for viruses and security risks Configuring manual scans 183 Table 4-17 Section or option Advanced manual scan options Available options When scanning compressed files Scan files inside compressed files If you check this option, Symantec AntiVirus scans the container, such as Files.zip, and the contents of the container, which are the individual compressed files. If there is a compressed file within a compressed file, expand N levels deep Symantec AntiVirus supports a maximum depth of ten levels of nested compressed files for Window computers. NetWare servers are limited to eight levels. Compressed files are scanned as follows: Windows Symantec AntiVirus scans compressed files during manual, , and scheduled scans. Because of the significant processing overhead, Auto-Protect does not scan files that are within compressed files on Windows computers. However, the files are scanned as they are extracted from compressed files. NetWare Symantec AntiVirus scans compressed files during Auto-Protect and scheduled scans. To scan the contents of a compressed file, Symantec AntiVirus extracts each file, one file at a time, from the container and copies it to the SYS volume where it is scanned. The SYS volume must have enough space available on the volume to accommodate the largest file in the container. Note: You cannot stop a scan that is in progress on a compressed file. If you click Stop Scan, Symantec AntiVirus stops the scan only after it has finished scanning the compressed file.
184 184 Scanning for viruses and security risks Configuring manual scans Table 4-17 Section or option Backup options Advanced manual scan options (continued) Available options As a data safety precaution, before you attempt to repair a virus-infected file, check Back up file before attempting repair. This is checked by default. The original virus-infected file is encrypted and then copied into the Quarantine directory. If needed, you can use this unrepaired backup file to return the file to its original, but infected state. Uncheck this option with caution, since it means that files containing viruses are not going to be backed up before repairs are attempted. You might want to turn it off if performance is an issue, for example on a file server, where the files are backed up regularly by other means. Note: This setting applies only to virus-infected files. For security risks, if the action you have configured is Delete risk, no backup files are created. If the action you have configured is Quarantine risk, the security risk files are always backed up in the Quarantine before repair is attempted, regardless of this setting. Dialog options Use this option to display a progress dialog box on the computer while the scan runs, to display a progress dialog box on the computer while the scan runs only if a risk is detected, or to not display a progress dialog box on the computer at all. You can also do the following: Configure the progress dialog box to close automatically when the scan has completed. Allow a user to stop the scan. When this option is enabled, a Stop button appears on the remote computer. When this option is disabled, the scan cannot be stopped from the remote computer.
185 Scanning for viruses and security risks Configuring manual scans 185 Table 4-17 Section or option Advanced manual scan options (continued) Available options Storage migration options Note: Does not apply to Windows 2000 and later. For those systems, consult your HSM vendor.
186 186 Scanning for viruses and security risks Configuring manual scans Table 4-17 Section or option Advanced manual scan options (continued) Available options Fine-tune scans of the files that Hierarchical Storage Management (HSM) and offline backup systems maintain. An HSM system migrates files to secondary storage such as CD-ROM, tape jukebox, SAN storage, and so on, but might leave parts of the original file on the disk. Performance and disk space issues arise during scans if Symantec AntiVirus opens all of the stubs and the HSM system places the files back on the original disk. For all these options, consult your HSM or backup vendor to select appropriate settings. Storage migration options are as follows: Open files using backup semantics. Skip offline files: If the offline bit is set, Symantec AntiVirus skips the file. A small clock over a file's icon in Windows Explorer indicates that the offline bit is set. Any application can set the offline bit without actually placing the file offline. Skip offline and sparse files (default): Some applications set the file sparse bit to indicate that part of the file is not present on the disk. Some HSM products set this bit and others don't. With a sparse file, a stub of the file remains on the disk, and the majority of the file is moved to offline storage. Skip offline and sparse files with a reparse point: Some vendors use reparse points. Applications that use reparse points also use an appropriate device driver to manage reparse points in the files. With a reparse point, a portion of the file remains on disk, and the remainder is transparently accessed through the device driver. Scan resident portions of offline and sparse files: Symantec AntiVirus identifies resident portions of a file. If the file is sparse, Symantec AntiVirus scans only the resident portion. The nonresident portion remains in secondary storage. Some vendors support this capability. 
Scan all files, forcing demigration (fills drive): Symantec AntiVirus scans the entire file, which forces demigration from secondary storage if necessary. Because the size of the secondary storage is usually greater than the size of the local volume, this setting might fill the local volume and cause further files that
187 Scanning for viruses and security risks Configuring manual scans 187 Table 4-17 Section or option Advanced manual scan options (continued) Available options are opened for scanning to fail. Scan all files without forcing demigration (slow): Symantec AntiVirus copies a file from secondary storage to the local hard drive as a temp file for scanning, but the HSM application leaves the original file on the secondary storage. This method is slow and is not supported by all HSM vendors. Because a file is copied from secondary storage to a disk for scanning, resource demand is high. Processor and network performance might further degrade as Symantec AntiVirus detects infected content when a repair or deletion is returned to secondary storage. Scan all files recently touched without forcing demigration: To reduce some of the resource demand issues with the Scan all files without forcing demigration option, this option lets you specify that only files that have been migrated recently and might still reside on faster secondary storage are scanned. You might want to scan files if they still reside on the faster secondary disk, and skip demigration and scanning if the files reside on the slow, long-term storage. For example, files might be migrated to a remote disk after 30 days of no access. After 60 days of no access, the file is migrated to CD-ROM or remote SAN storage. In many cases, this method might still be slow because accessing files without forcing demigration is a relatively slow operation. Select the type of access and the number of days to define recently touched. Storage migration options (NetWare) Check Scan NetWare compressed or migrated files to scan NetWare compressed or migrated files. To configure manual scans 1 Do one of the following: Right-click a server or client computer. Select one or more servers that are in the same server group, and then right-click the servers.
188 188 Scanning for viruses and security risks Configuring manual scans Select one or more clients that are managed by the same server, and then right-click the clients. 2 Click All Tasks > Symantec AntiVirus > Start Manual Scan. 3 In the Select Items dialog box, select the type of manual scan that you want to perform: Quick scan, Full scan, or Custom scan. See Table 4-15 on page If you selected a single computer to scan and select Custom Scan, you can select the drives and folders that you want to scan. If you are scanning multiple computers, this option is not available. Skip to step 6. 5 Click Save Settings if you want Symantec AntiVirus to remember your selections for future manual scans on this computer. This button is not available if you selected multiple computers. Symantec AntiVirus also remembers the settings of the other options for future scans when multiple computers are selected. 6 Click Options. In the Scan Options dialog box, you can select extensions to scan, enable scan enhancements, enable security risk scanning for legacy clients, and exclude files and folders from the scan. See Table 4-16 on page 181.
189 Scanning for viruses and security risks Configuring manual scans Click Advanced. In the Scan Advanced Options dialog box, you can set options for scanning compressed files, back up files infected by viruses or blended threats before attempting to repair them, set options on the remote computer, set storage migration options for Windows computers, and enable scans of compressed or migrated files on NetWare servers. See Table 4-17 on page Set the options you that you want, and then click OK to save advanced options. 9 In the Scan Options dialog box, click Save Settings if you want Symantec AntiVirus to remember these options for future manual scans on this computer. This button is not available if you selected multiple computers. Symantec AntiVirus also remembers these settings for future scans when you select multiple computers. 10 Click OK. 11 Click Start. Configuring actions for manual scans The action options for manual scans are the same as those for File System Auto-Protect. Table 4-10 describes the action options for manual scans and for File System Auto-Protect. Note: For security risks, use the delete action with caution, because in some cases, deleting security risks can cause applications to lose functionality. To configure actions for manual scans 1 Do one of the following: Right-click a server or client computer. Select one or more servers that are in the same server group, and then right-click the servers. Select one or more clients that are managed by the same server, and then right-click the clients. 2 Click All Tasks > Symantec AntiVirus > Start Manual Scan.
190 190 Scanning for viruses and security risks Configuring manual scans 3 In the Select Items dialog box, select the type of manual scan that you want to perform: Quick, Full, or Custom. See Table 4-15 on page Click Options. 5 In the Scan Options dialog box, click Actions. 6 In the Actions dialog box, in the tree, select a type of virus or security risk. By default, each security risk subcategory, such as Spyware, is automatically configured to use the actions that are set at the top level for the entire Security Risks category. To configure a category or specific instances of a category to use different actions, check Override actions configured for Security Risks, and then set the actions for that category only. See Table 4-10 on page Select each category of virus and security risk that you want to configure, and repeat step 6 for each. 8 If you selected Security Risks as a whole or an individual security risk category, click the Exceptions tab to configure custom actions for one or more specific instances of that security risk category. If you are assigning the same actions, you can select multiple security risks and assign the actions to them at the same time. 9 Click Add. 10 In the Select risks dialog box, select the specific risks in the list for which you want to configure custom actions, and then click Next. 11 In the Configure risks dialog box, select the first and second actions that you want Symantec AntiVirus to take when it detects the specific risks that you selected, and then click Finish. 12 Repeat steps 8 through 11 for each individual security risk for which you want to set different actions. 13 Click OK, and then click Start. Configuring notifications for manual scans The notifications options and user interactions with notifications for manual scans are the same as those for File System Auto-Protect. Table 4-12 describes the notifications options for manual scans and for File System Auto-Protect.
191 Scanning for viruses and security risks Configuring manual scans 191 To configure notifications for manual scans 1 Do one of the following: Right-click a server or client computer. Select one or more servers that are in the same server group, and then right-click the servers. Select one or more clients that are managed by the same server, and then right-click the clients. 2 Click All Tasks > Symantec AntiVirus > Start Manual Scan. 3 In the Select Items dialog box, select the type of manual scan that you want to perform: Quick, Full, or Custom. See Table 4-15 on page Click Options. 5 In the Scan Options dialog box, click Notifications. 6 In the Notifications Options window, under Detection Options, check Display notification message on infected computer if you want a message to appear on the infected computer when a virus or security risk is found. 7 In the message box, do any or all of the following to construct the message that you want: Click to type or edit text. Right-click, click Insert Field, and then select the variable field that you want to insert. See Table 4-13 on page 170. Right-click, and then select Cut, Copy, Paste, Clear, or Undo.
8 To set Remediation Options, check each option that you want to set. Your options are as follows:
  Automatically terminate processes
    Check this if you do not want users to be notified when Symantec AntiVirus must terminate a process to remove or repair a risk. Users are not prompted to save data before Symantec AntiVirus terminates the processes.
  Automatically stop services
    Check this if you do not want users to be notified when Symantec AntiVirus must stop a service to remove or repair a risk. Users are not prompted to save data before Symantec AntiVirus stops the services.
9 Click OK until you return to the Select Items dialog box, and then click Start.

Creating and configuring scheduled scans

Creating scheduled scans

You can schedule scans for one or more server groups as well as for individual Symantec AntiVirus servers. You can also schedule scans for individual servers or for clients. You can schedule Symantec AntiVirus client scans at the Symantec AntiVirus server or client level.

Scheduled scans have settings that are similar to Auto-Protect scan settings, but each type of scan is configured separately. Exclusions that are set for Auto-Protect scanning only affect Auto-Protect scanning. They do not affect scheduled scanning. Scheduled scans do exclude security risks that have been configured globally.
See Configuring global security risk exclusions on page 140.

Table 4-18 describes the options for scheduled scans.

Table 4-18 Scheduled scan options (option category, then available options)
  Name
    Type a name for the scan.
Table 4-18 Scheduled scan options (continued)
  Scan Settings
    Click Scan Settings to set one of the following types of scan that you want to schedule:
    - A Quick Scan is a fast scan of system memory and all the common virus and security risk locations on the computer.
    - A Full Scan scans the entire computer for viruses and security risks, including the boot sector and system memory.
    - A Custom Scan scans the drives and folders that you select.
    When you configure client scans, you cannot select individual files and folders to include in the scan.
  Enable scan
    Make sure that this option is checked so that the scan occurs as you configured it.
  Frequency
    Determines how often the scan runs. Select Daily, Weekly, or Monthly.
  When
    Determines the time at which the scan runs. You can type any time in increments of one minute, or use the drop-down list to select a time in increments of 15 minutes. If Frequency is weekly, use the drop-down list to select a day of the week; if monthly, use the drop-down list to select a day of the month.
  Advanced
    Click Advanced to set Advanced scan options. Under Missed Event Options, enable Retry the scheduled scan within <number> <hours or days> of the scheduled time. Then, set the number of hours within which you want the scan to run. For example, you might want a daily scan to run only if it is within eight hours of the scheduled time for the missed event.
    Note: If the scan is weekly or monthly, the time interval that you set is days rather than hours.
    See Configuring scheduled scans on page 195.

To create scheduled scans
1 Select one or more servers, groups, or clients.
2 Do one of the following:
  - If you right-clicked a server group or multiple server groups, click All Tasks > Symantec AntiVirus > Server Scheduled Scans.
  - If you right-clicked an individual server or client, click All Tasks > Symantec AntiVirus > Scheduled Scans.
3 Do one of the following:
  - In the <Servername> Scheduled Scans dialog box, on the Server Group Scans tab, click New.
  - In the <Servername> Scheduled Scans dialog box, on either the Server Scans or the Client Scans tab, click New.
4 In the <Servername> Scheduled Scan dialog box, type a name for the scan, ensure that Enable scan is checked, and then set the frequency and time at which the scan should run.
  See Table 4-18.
5 Click Advanced to set how to handle missed events, and then click OK.
  See Table 4-18.
6 In the <Servername> Scheduled Scan dialog box, click Scan Settings.
7 Select the type of scan that you want to schedule: Quick, Full, or Custom.
8 In the Select Items dialog box, do one of the following:
  - If you selected multiple servers, clients, or a server group, click Options.
  - If you selected an individual server, select the drives or folders that you want to scan, and then click Options.
    In the tree view, files and folders appear with various icons.
9 In the Scheduled Scan Options dialog box, you can select all types or extensions to scan, enable and disable scanning enhancements, enable security risk scanning on legacy clients, and exclude files and folders from the scan. If you selected an object that contains multiple computers, you can exclude files and folders from the scan by typing the full path names. The scheduled scan options are the same as the scan options for manual scans.
  See Table 4-16.
10 Click Advanced. In the Scan Advanced Options dialog box, you can set options for scanning compressed files, back up files that are infected by viruses or blended threats before you attempt to repair them, set options on the remote computer, set storage migration options for Windows computers, and enable scans of compressed or migrated files on NetWare servers. The Advanced scan options are the same as the Advanced scan options for manual scans.
  See Table 4-17.
11 Under Scheduled Scan Options, click Actions. You can configure the same actions as for File System Auto-Protect and manual scans.
  See Table 4-10.
12 Under Scheduled Scan Options, click Throttling. You can configure the same throttling options as for manual scans.
  See Table 4-16.
13 Under Scheduled Scan Options, click Notifications. You can configure the same notifications as for File System Auto-Protect and manual scans.
  See Table 4-12 on page 169.
14 Click OK until you return to the main window in the Symantec System Center console.

Configuring scheduled scans

To configure scheduled scans, you can do the following:
- If a computer does not run a scheduled scan for some reason, you can set options for how Symantec AntiVirus handles this situation.
  See Setting options for missed scheduled scans on page 196.
- You can edit, delete, or disable scheduled scans.
  See Editing, deleting, or disabling scheduled scans on page 197.
- For convenience, you can run a scheduled scan on demand. This can save you from having to configure a manual scan.
  See Running scheduled scans on demand on page 198.

Setting options for missed scheduled scans

If a computer misses a scheduled scan for some reason, Symantec AntiVirus attempts to perform the scan for a specific time interval. If Symantec AntiVirus cannot start the scan within the time interval, it does not run the scan. If the user who defined a scan is not logged in, Symantec AntiVirus runs the scan anyway. You can specify that Symantec AntiVirus does not run the scan if the user is logged out.

Table 4-19 lists the default time intervals for missed scheduled scans.

Table 4-19 Default time intervals
  Scan frequency    Default interval
  Daily scans       8 hours
  Weekly scans      3 days
  Monthly scans     11 days

If you do not want to use the default setting, you can specify a different time interval in which to attempt a scheduled scan.

To set options for missed scheduled scans
1 Right-click a Symantec AntiVirus server, server group, client group, or client, and then click All Tasks > Symantec AntiVirus > Scheduled Scans.
2 In the <Servername> Scheduled Scans dialog box, select a scan in the list of scans, and then click Edit.
3 In the <Servername> Scheduled Scan dialog box, under Scan Settings, click Advanced.
4 In the Advanced Schedule Options dialog box, check Retry the scheduled scan within <number> <hours or days> of the scheduled time, and then type the number or use the arrows to specify the time interval for reattempting the scheduled scan.
5 Click OK until the main Symantec System Center console window appears.
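The missed-event rule above, worked as an added example that is not Symantec code: a Python model of the retry decision using the Table 4-19 defaults, the hours-versus-days distinction between daily and weekly/monthly scans, and the option not to run when the defining user is logged out. The class and function names are this example's own.

```python
"""Model of how a missed scheduled scan is retried (added example, not Symantec code).

The rule from the guide: a scan that missed its start time is attempted only
within the configured retry window, which is measured in hours for daily scans
and in days for weekly or monthly scans; the defaults come from Table 4-19.
A scan can also be configured not to run when the user who defined it is
logged out. Class and function names are this example's own.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Default retry windows from Table 4-19.
DEFAULT_RETRY_WINDOW = {
    "daily": timedelta(hours=8),
    "weekly": timedelta(days=3),
    "monthly": timedelta(days=11),
}


@dataclass
class ScheduledScan:
    name: str
    frequency: str                      # "daily", "weekly" or "monthly"
    scheduled_at: datetime              # when the scan should have started
    retry_missed: bool = True           # "Retry the scheduled scan within ..." check box
    retry_amount: Optional[int] = None  # the <number>: hours (daily) or days (weekly/monthly)
    run_if_user_logged_out: bool = True # the guide's default; can be switched off

    def __post_init__(self) -> None:
        if self.frequency not in DEFAULT_RETRY_WINDOW:
            raise ValueError(f"unknown frequency: {self.frequency!r}")
        if self.retry_amount is not None and self.retry_amount < 1:
            raise ValueError("retry amount must be at least 1")

    def retry_window(self) -> timedelta:
        """Window after the scheduled time in which a missed scan may still start."""
        if self.retry_amount is None:
            return DEFAULT_RETRY_WINDOW[self.frequency]
        if self.frequency == "daily":
            return timedelta(hours=self.retry_amount)   # daily scans count hours
        return timedelta(days=self.retry_amount)        # weekly/monthly scans count days


def should_run_missed_scan(scan: ScheduledScan, now: datetime,
                           user_logged_in: bool) -> Tuple[bool, str]:
    """Decide whether a scan that missed its scheduled start should start now.

    Returns (decision, reason) so a caller can log why a scan was skipped.
    """
    if now < scan.scheduled_at:
        return False, "scheduled time has not been reached"
    if not user_logged_in and not scan.run_if_user_logged_out:
        return False, "defining user is logged out and the scan is set not to run"
    if not scan.retry_missed:
        return False, "missed-event retry is disabled"
    late_by = now - scan.scheduled_at
    window = scan.retry_window()
    if late_by <= window:
        return True, f"started {late_by} late, within the {window} retry window"
    return False, f"missed by {late_by}, beyond the {window} retry window"


if __name__ == "__main__":
    # Constructed scenario: a nightly scan on a laptop that was switched off overnight.
    nightly = ScheduledScan("Nightly full scan", "daily", datetime(2006, 3, 1, 2, 0))
    for wake in (datetime(2006, 3, 1, 9, 30), datetime(2006, 3, 1, 11, 0)):
        print(wake.time(), should_run_missed_scan(nightly, wake, user_logged_in=True))
```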
Editing, deleting, or disabling scheduled scans

If you want to modify the properties of an existing scheduled scan, you can edit it. If you want to stop a scheduled scan from occurring, you can delete or disable it.

To edit or delete scheduled scans
1 Right-click one or more server groups, a server, or a client for which you want to edit or delete the scheduled scan, and then click All Tasks > Symantec AntiVirus > Scheduled Scans.
2 In the Scheduled Scans dialog box, select one of the following:
  Server Scans
    Edit or delete scans for servers. This option is not available if you selected a client computer.
  Client Scans
    Edit or delete scans for clients. This option is not available if you selected a server group.
3 Do one of the following:
  - Select an existing scan, and then click Edit. Change any properties that you want.
  - Select an existing scan, and then click Delete.
4 Click OK until you return to the Symantec System Center main window.

To disable scheduled scans
1 Right-click one or more server groups, a server, or a client for which you want to disable the scheduled scan, and then click All Tasks > Symantec AntiVirus > Scheduled Scans.
  The scans that you can disable depend on the object that you select.
2 In the Scheduled Scans dialog box, select one of the following:
  Server Scans
    Disable scans for servers. This option is not available if you selected a client computer.
  Client Scans
    Disable scans for clients. This option is not available if you selected a server group.
3 Uncheck the previously scheduled scan.
4 Click OK.
Running scheduled scans on demand

When you create and save a scheduled scan, Symantec AntiVirus remembers the server group, server, or computer on which to run the scan and also remembers all of the settings that you chose for that specific scan. After you configure a scheduled scan and all of its scan properties, you might want to run it on demand at some time other than when you originally scheduled it. This can save you the effort of configuring and running a manual scan with similar properties.

To run scheduled scans on demand
1 Right-click a server group or a server, and then click All Tasks > Symantec AntiVirus > Scheduled Scans.
2 In the Scheduled Scans dialog box, select an existing scheduled scan.
3 Click Start Scan.

Managing the client user experience

Symantec AntiVirus allows you to control several aspects of the Symantec AntiVirus client user experience. You can do any of the following:
- Allow users to pause or stop a scheduled scan.
- Display a scan progress window and allow users to stop scans.
  See To enable users to stop scans on page 200.
- Prevent or allow users to unload Symantec AntiVirus services.
- Change the password that is required before users can uninstall Symantec AntiVirus.
- Set scanning options for users.
- Display and customize warning messages that appear on computers when their virus and security risk definitions are outdated or missing.
- Display and customize a warning message on an infected computer. For example, if users have a spyware program installed on their computers, you can notify them that they have violated your corporate policy and must uninstall the application immediately.
- Add an infection warning to an infected email message.
- Notify the sender of an infected email message.
- Notify others about the receipt of an infected email message.
Enabling users to pause, snooze, or stop scheduled scans

You can allow users to pause or snooze a scheduled scan temporarily, as well as stop the scan entirely. The results are as follows:
  Paused scan
    When a user pauses a scan, the Scan Results dialog box remains open, waiting for the user to either continue or abort the scan. If the computer is shut off, the paused scan does not continue.
  Snoozed scan
    When a user snoozes a scheduled scan, the user has the option of snoozing the scan for one hour, or depending on the configuration, for three hours. In addition, the number of snoozes is configurable. When a scan is snoozing, the Scan Results dialog box closes, and reappears when the snooze period ends and the scan resumes.
  Stopped scan
    When a user stops a scan, the scan stops immediately, unless Symantec AntiVirus is scanning a compressed file. In this case, the scan stops as soon as the compressed file in progress has been scanned.

A stopped scan does not restart. A paused scan automatically restarts after a specified time interval elapses.

To enable users to pause or snooze scans
1 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Scheduled Scans.
2 In the Scheduled Scans dialog box, do one of the following:
  - Select a scheduled scan, and then click Edit.
  - Click New to create a new scan.
3 In the Scheduled Scan dialog box, click Scan Settings.
4 In the Select Items dialog box, click Options.
5 In the Scheduled Scan Options dialog box, click Advanced.
6 In the Scan Advanced Options dialog box, under Remote options, click Show scan progress.
7 Uncheck Allow user to stop scan.
8 Check Allow user to pause/snooze scan.
9 Click Pause Options.
10 In the Pause Options dialog box, do one of the following:
  - To limit the number of minutes that a user may pause a scan, check Limit the time this scan may be paused and type a number of minutes.
  - To limit the number of times a user may pause a scan, in the Number of times it can snooze box, type a number between 1 and 8.
  - To display a three-hour snooze button, check Enable the 3 hour snooze button. By default, a user can pause a scan for one hour. You must enable this option to allow a user to pause a scan for three hours.
11 Click OK until the main Symantec System Center console window appears.

To enable users to stop scans
1 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Scheduled Scans.
2 In the Scheduled Scans dialog box, do one of the following:
  - Select a scheduled scan, and then click Edit.
  - Click New to create a new scan.
3 In the Scheduled Scan dialog box, click Scan Settings.
4 In the Select Items dialog box, click Options.
5 In the Scheduled Scan Options dialog box, click Advanced.
6 In the Scan Advanced Options dialog box, in the drop-down list, select Show scan progress.
7 Check Allow user to stop scan.
8 If you want to automatically close the scan progress indicator after the scan completes, check Close scan progress when done.
9 Click OK until the main Symantec System Center console window appears.

Preventing or allowing users to unload Symantec AntiVirus services

You can prevent or allow users to unload (uninstall) Symantec AntiVirus services.

To prevent or allow users to unload Symantec AntiVirus services
1 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Client Administrator Only Options.
2 Click the Security tab.
3 Change the setting for Lock the ability of users to unload Symantec AntiVirus Services.
4 Click OK.

Changing the password that is required to uninstall

Symantec AntiVirus requires client users to provide a password before they can uninstall Symantec AntiVirus. By default, this password is set to symantec.

To change the password that is required to uninstall
1 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Client Administrator Only Options.
2 Click the Security tab.
3 Under User disable/uninstall, click Change.
4 In the Configure Password dialog box, type a new password, and then confirm by typing the password again.
5 Click OK until the main window in the Symantec System Center console appears.

Changing the password that is required to scan mapped drives

Symantec AntiVirus requires client users to provide a password before they can scan a mapped drive. By default, this password is set to symantec.

To change the password that is required to scan mapped drives
1 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Client Administrator Only Options.
2 On the Security tab, under Scan network drive, click Change.
3 In the Configure Password dialog box, type a new password, and then confirm by typing the password again.
4 Click OK until the main window in the Symantec System Center console appears.

Modifying scanning options for clients

You can set scanning options for connected clients, including options for scheduled scans, startup scans, and user-defined scheduled scans.

Table 4-20 describes the scanning options for clients.
Table 4-20 Scan tab options for Client Administrator Only settings (scan type, then options)
  Scheduled Scans
    Snooze scheduled scans when running on batteries.
    By default, this option is enabled so that scheduled scans are delayed when a computer is running on batteries. Disable this option to allow scheduled scans to run as scheduled, even when a computer is running on batteries.
  Startup Scans
    You can change the following options for startup scans:
    - Run startup scans when the user logs in
    - Allow users to modify the startup scans
    You can only disable startup scans on a global basis. If you uncheck the Run startup scans when the user logs in check box, this disables all startup scans for all users on all client computers, including any custom startup scans that users have configured. If you do not allow startup scans to run, the Allow users to modify the startup scans check box becomes unavailable.
    Note: These options apply to the Auto-Generated Quick Scan on managed client computers, but not to the Auto-Generated Quick Scan on unmanaged client computers. The Auto-Generated Quick Scan on unmanaged client computers cannot be configured; it can only be deleted by a user on the unmanaged computer.
  Triggered Scans
    Run a Quick Scan when new definitions arrive.
    By default, a Quick Scan is run when new definitions arrive to check for any risks that are currently running on the computer that are now detectable by Symantec AntiVirus using the new definitions. You can prevent a Quick Scan from running when new definitions arrive by unchecking this check box, but your protection will not be as strong if you do so. You should only disable this option if you have special configuration or exclusion needs that conflict with this automatically triggered scan.
Table 4-20 Scan tab options for Client Administrator Only settings (continued)
  User-defined Scheduled Scans
    Allow user-defined scheduled scans to execute when the user who created the scan is not logged in.
    By default, user-defined scheduled scans are always run at the scheduled time, regardless of whether or not the user who created the scan is logged in at the time the scan is scheduled to run. This option can be particularly useful in the case of unmanaged client computers that do not use administrator-defined scheduled scans. Disable this option to prevent user-defined scheduled scans from running when the user who created the scan is not logged in. You may want to do this for multi-user computers.
    Note: If this option is enabled and the user is logged out when the scan begins, the scan progress dialog box does not display. You can check scan status in this instance by looking in the Event log.
    On multi-user workstations, when this option is enabled, scan progress is displayed as follows:
    - If no users are logged in and a user-defined scheduled scan starts, a scan progress dialog box does not display for any user, even if a user logs in during the middle of the scan.
    - If a user is the first user to log into the workstation, and a scheduled scan defined by another user starts, the scan progress dialog box does not display to the first user.
    - If a user is the first user to log into the workstation, and a scheduled scan that the user defined starts, a scan progress dialog box displays, if the administrator has configured Symantec AntiVirus to allow it.
    - When there are no users logged in, the scan progress dialog box does not display when an administrator-defined scheduled scan runs, but a scan progress dialog box will display to the first user who logs in to the workstation during the scan or after it has completed.
    Users not logged in at the time the scan runs will have to look at the Scan History to see the results of their user-scheduled scans.
    Note: This option does not apply to administrator-defined scans.
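As an added example that is not Symantec code, the following Python model ties together the pause, snooze, and stop behaviour described under Enabling users to pause, snooze, or stop scheduled scans with the Snooze scheduled scans when running on batteries option in Table 4-20. The option fields carry the dialog labels from the guide as comments; the class, method, and state names are this example's own.

```python
"""Model of the user controls on a scheduled scan (added example, not Symantec code).

Behaviour modelled from the guide: a pause keeps the Scan Results dialog open
and resumes automatically only if a pause time limit is set; a snooze closes
the dialog for 1 hour (or 3 hours when that button is enabled) and may be used
only a configured number of times (1 to 8); a stop is final and is delayed only
until a compressed file already being scanned has been finished; and with the
Table 4-20 option enabled, a scan that comes due on battery power is delayed
instead of started. Class, method and state names are this example's own.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass
class ScanUserOptions:
    """Settings from the Scan Advanced Options, Pause Options and Scans tabs."""
    allow_stop: bool = False                   # "Allow user to stop scan"
    allow_pause_snooze: bool = False           # "Allow user to pause/snooze scan"
    pause_limit_minutes: Optional[int] = None  # "Limit the time this scan may be paused"
    snooze_count: int = 1                      # "Number of times it can snooze" (1-8)
    enable_3_hour_snooze: bool = False         # "Enable the 3 hour snooze button"
    snooze_on_batteries: bool = True           # "Snooze scheduled scans when running on batteries"

    def __post_init__(self) -> None:
        if not 1 <= self.snooze_count <= 8:
            raise ValueError("snooze count must be between 1 and 8")


@dataclass
class ScanSession:
    """One scheduled scan on a client: pending, running, paused, snoozed, stopping or stopped."""
    options: ScanUserOptions
    state: str = "pending"
    snoozes_used: int = 0
    resume_at: Optional[datetime] = None
    in_compressed_file: bool = False   # set by the scanner while it is inside an archive

    def start(self, now: datetime, on_batteries: bool = False) -> Tuple[bool, str]:
        """Start a scan that has come due; on battery power it stays pending."""
        if self.state != "pending":
            return False, f"cannot start while {self.state}"
        if on_batteries and self.options.snooze_on_batteries:
            return False, "running on batteries, scan delayed"
        self.state = "running"
        return True, "running"

    def pause(self, now: datetime) -> Tuple[bool, str]:
        if not self.options.allow_pause_snooze:
            return False, "administrator has not allowed pause/snooze"
        if self.state != "running":
            return False, f"cannot pause while {self.state}"
        self.state = "paused"
        limit = self.options.pause_limit_minutes
        # Without a limit the scan waits for the user to continue or abort it.
        self.resume_at = now + timedelta(minutes=limit) if limit else None
        return True, "paused, dialog stays open"

    def snooze(self, now: datetime, hours: int = 1) -> Tuple[bool, str]:
        if not self.options.allow_pause_snooze:
            return False, "administrator has not allowed pause/snooze"
        if self.state != "running":
            return False, f"cannot snooze while {self.state}"
        if hours == 3 and not self.options.enable_3_hour_snooze:
            return False, "3 hour snooze button is not enabled"
        if hours not in (1, 3):
            return False, "snooze is 1 hour or 3 hours"
        if self.snoozes_used >= self.options.snooze_count:
            return False, "snooze limit reached"
        self.snoozes_used += 1
        self.state = "snoozed"
        self.resume_at = now + timedelta(hours=hours)
        return True, "snoozed, dialog closes"

    def stop(self) -> Tuple[bool, str]:
        if not self.options.allow_stop:
            return False, "administrator has not allowed stop"
        if self.state not in ("running", "paused"):
            return False, f"cannot stop while {self.state}"
        if self.in_compressed_file:
            self.state = "stopping"   # the archive in progress is scanned to the end first
            return True, "stopping after the current compressed file"
        self.state = "stopped"
        return True, "stopped"

    def tick(self, now: datetime) -> str:
        """Advance the clock: finish a deferred stop, resume an expired pause or snooze."""
        if self.state == "stopping" and not self.in_compressed_file:
            self.state = "stopped"
        elif self.state in ("paused", "snoozed") and self.resume_at is not None \
                and now >= self.resume_at:
            self.state = "running"
            self.resume_at = None
        return self.state
```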
To set scanning options for connected clients
1 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Client Administrator Only Options.
2 Click the Scans tab.
3 Change any of the settings for scheduled scans, startup scans, or user-defined scheduled scans.
4 Click OK.

Displaying a warning when definitions are out of date or missing

You can display and customize warning messages to appear on client computers when their virus and security risk definitions are outdated or missing.

To display a warning about definitions
1 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Client Administrator Only Options.
2 On the General tab, under Actions, select one or both of the following:
  - Display message when definitions are outdated
  - Display message when Symantec AntiVirus is running without virus definitions
3 For outdated virus and security risk definitions, set the number of days that definitions can be outdated before the warning is displayed.
4 For missing virus and security risk definitions, set the number of attempts that Symantec AntiVirus can make to retrieve definitions after the computer is restarted, before the warning is displayed.
5 Click Warning Message for each option that you checked, and then customize the default message.
6 Click OK until the main Symantec System Center console window appears.

Managing warnings and notifications about infected files

You have several user options related to infected files.

Customizing and displaying warnings on infected computers

When you run a remote scan on a user's computer, you can immediately notify the user of a problem by displaying a warning message on the infected computer's screen. You can customize the warning message by including information such as the name of the risk, the name of an infected file, the status of the risk, and so on. For example, a warning message might look as follows:

  Scan type: Scheduled Scan
  Event: Risk Found
  SecurityRiskName: Stoned-C
  File: C:\Autoexec.bat
  Location: C:
  Computer: ACCTG-2
  User: JSmith
  Action taken: Cleaned

Customizing messages for manual scans is covered under manual scans.
See Configuring notifications for manual scans on page 190.

Adding warnings to infected email messages

For supported email software, you can configure Auto-Protect to automatically insert a warning into the body of an infected email message. This type of warning can be important if Symantec AntiVirus is unable to clean the virus from the message, and if an infected attachment file is moved, left alone, deleted, or renamed. The warning message tells you which virus was found and explains the action that was taken.

Symantec AntiVirus appends the following text to the top of the email message that is associated with the infected attachment:

  Symantec AntiVirus found a virus in an attachment from [Email Sender].

For each infected file, the following information is also added to the message:
- Name of the file attachment
- Name of the virus
- Action taken: cleaned, moved to the Quarantine, deleted, or left alone
- File status: infected or not infected

You can customize the subject and body of the message. The message contains a field called [Email Sender]. All fields in brackets contain variable information. You can customize the default message by right-clicking the body of the message and selecting a field to insert into the message. The message would look as follows to the recipient:

  Symantec AntiVirus found a virus in an attachment from John.Smith@mycompany.com.
To add warnings to infected email messages
1 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
2 In the Client Auto-Protect Options dialog box, on either the Internet Email, Lotus Notes, or Microsoft Exchange tab, click Insert warning into message.
3 Do one of the following:
  - Click OK to accept the default message.
  - Click Warning and customize the text.
4 Click OK until the Client Auto-Protect Options dialog box disappears.

Notifying senders of infected email messages

For supported email software, you can configure Auto-Protect to respond automatically to the sender of an email message that contains an infected attachment. For groupware applications, Symantec AntiVirus can be configured to send a default reply message with the following subject:

  Virus Found in message [Email Subject]

The body of the message informs the sender of the infected attachment:

  Symantec AntiVirus found a virus in an attachment you ([Email Sender]) sent to [Email RecipientList].

For each infected file, the following information is also added to the message:
- Name of the file attachment
- Name of the virus
- Action taken: such as cleaned, moved to the Quarantine, deleted, or left alone
- File status: infected or not infected

You can also customize this message.

To notify senders of infected email messages in groupware applications
1 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
2 In the Client Auto-Protect Options dialog box, on either the Lotus Notes or Microsoft Exchange tab, click Enable Lotus Notes (Microsoft Exchange) Auto-Protect.
3 Click Send to sender.
4 Click Compose.
5 Do one of the following:
  - Click OK to accept the default message.
  - Click Message and customize the text.
6 Click OK until the Client Auto-Protect Options dialog box disappears.

To notify senders of infected email messages in Internet email applications
1 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
2 In the Client Auto-Protect Options dialog box, on the Internet Email tab, click Enable Internet Email Auto-Protect.
3 Click Send to sender.
4 Click Settings.
5 In the Notifications Settings dialog box, on the Server tab, type the mail server name and port, the user name and password, and the reverse path for the mail.
6 Click the Message tab and type a subject line, message body, and infection information to appear in each message, and then click OK.
7 Click OK until the Client Auto-Protect Options dialog box disappears.

Notifying users of infected email messages

For supported email software, you can configure Auto-Protect to notify users whenever an email message that contains an infected attachment is opened. For groupware applications, Symantec AntiVirus sends an email message to the selected recipients with the following subject:

  Virus Found in message [Email Subject]

The body of the message includes information on the sender of the infected attachment:

  Symantec AntiVirus found a virus in an attachment from [Email Sender].

For each infected file, the following information is also added to the message:
- Name of the file attachment
- Name of the virus
- Action taken: such as cleaned, moved to the Quarantine, deleted, or left alone
- File status: infected or not infected
You can also customize this message.

To notify others of infected email messages in groupware applications
1 Right-click a server group, Symantec AntiVirus server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
2 In the Client Auto-Protect Options dialog box, on either the Lotus Notes or Microsoft Exchange tab, click Enable Lotus Notes (Microsoft Exchange) Auto-Protect.
3 Click Send to selected.
4 Click Settings.
5 In the Notifications Settings dialog box, on the Addresses tab, provide one or more email addresses to which notification should be sent.
6 Click the Message tab and type a subject line, message body, and infection information to appear in each message.
7 Click OK until the Client Auto-Protect Options dialog box disappears.

To notify others of infected email messages in Internet email applications
1 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
2 In the Client Auto-Protect Options dialog box, on the Internet Email tab, click Enable Internet Email Auto-Protect.
3 Click Send to selected.
4 Click Settings.
5 In the Notifications Settings dialog box, on the Server tab, type the mail server name and port, the user name and password, and the reverse path for the mail.
6 Click the Addresses tab and provide one or more email addresses to which notification should be sent.
7 Click the Message tab and type a subject line, message body, and infection information to appear in each message.
8 Click OK until the Client Auto-Protect Options dialog box disappears.
Chapter 5
Updating definitions

This chapter includes the following topics:
- About definitions
- About legacy client definitions
- Definitions files update methods
- Updating definitions files on servers
- Updating definitions files on clients
- Controlling definitions file deployment
- Testing definitions files
- Scenarios for definitions updates
- About scanning after updating definitions files

About definitions

Virus and security risk definitions contain sample code for thousands of threats and security risks. When Symantec AntiVirus scans for threats and security risks, it attempts to find matches between your files and sample code that is inside of the definitions. If Symantec AntiVirus finds a match, one or more files might be infected by threats or security risks.

Every server and client that runs Symantec AntiVirus has a copy of the definitions. These definitions can become outdated as new viruses and security risks are discovered. Symantec currently updates virus and security risk definitions daily on its LiveUpdate and FTP servers, or more frequently if needed. After an organization uses the Symantec LiveUpdate server or Symantec FTP site to download these definitions to a central LiveUpdate server in the organization,
the definitions can be deployed to and run on any computer that has a currently supported version of Symantec Client Security installed on it. It is important to keep definitions current to maintain the highest level of protection for your network.

About legacy client definitions

In 9.x and earlier versions of Symantec AntiVirus, the definitions files contained only the information that was needed to detect and eliminate viruses, and to detect security risks. The definitions updates for the current version contain detection and repair information for viruses as well as security risks.

Management servers that run legacy versions of Symantec AntiVirus can update their client computers only with the definitions files that the legacy release supports. Thus, management servers that run 9.x versions of Symantec AntiVirus download and distribute updates that provide detection and elimination of viruses, and detection of security risks, but do not contain the information that is needed to repair the side effects of either viruses or security risks.

Management servers that run the current version of Symantec AntiVirus can distribute the proper definitions files to clients that run either legacy or current software.

Definitions files update methods

There are several methods that are available for downloading definitions and setting up servers and clients to retrieve them.

Note: All the methods that are described update both virus and security risk definitions simultaneously in the current version of Symantec AntiVirus.

Table 5-1 describes the definitions update methods.
Table 5-1 Definitions update methods

Method: Virus Definition Transport Method
Description: The Virus Definition Transport Method is a fully automated solution that is enabled by default between servers and their managed clients. It is only necessary to update one server in order to update all computers in the network. A push operation starts when a primary management server on your network receives new virus and security risk definitions via the Symantec FTP site or LiveUpdate server. The primary management server passes a definitions package to all of the secondary management servers in the server group. Secondary management servers extract the definitions and place them in the appropriate directory. Clients receive the package from their parent management servers. Clients extract the definitions and place them in the appropriate directory.
When to use it: Use the Virus Definition Transport Method when you want to control the virus and security risk definitions updates from the Symantec System Center. In addition, use this method during a virus outbreak to push the latest definitions files to the computers on your network immediately.

Method: LiveUpdate
Description: A scheduled pull operation starts when a client or server that runs LiveUpdate requests new virus and security risk definitions. LiveUpdate may be configured on each computer to request the update from a designated internal LiveUpdate server or directly from the Symantec LiveUpdate server.
When to use it: Use LiveUpdate when you want protected computers to pull virus and security risk definitions updates from an internal LiveUpdate server, or directly from Symantec.

Method: Intelligent Updater
Description: Intelligent Updater is a self-extracting executable file that contains virus and security risk definitions files.
When to use it: Use Intelligent Updater when you need to distribute virus and security risk definitions updates to users who do not have active network connections.

Method: .xdb file
Description: You can update any server or client directly by downloading the .xdb file from the Symantec Web site or by copying an .xdb file from the VPHOME share on any Symantec AntiVirus server.
When to use it: Use an .xdb file when you are in a situation that does not allow you to use LiveUpdate to update your Symantec AntiVirus server.
Table 5-1 Definitions update methods (continued)

Method: Central Quarantine polling
Description: The Central Quarantine Server periodically polls the Digital Immune System gateway for new virus and security risk definitions files. When new definitions are available, the Central Quarantine Server can push the new definitions to the computers that need them automatically.
When to use it: Use Central Quarantine when you want to automate the distribution of definitions file updates across your network. For information about using Central Quarantine, see the Symantec Central Quarantine Administrator's Guide.

Note: 64-bit computers receive definitions files using LiveUpdate. All other methods of updating these files are not supported.

Best practice: Using the Virus Definition Transport Method and LiveUpdate together

You can use the Virus Definition Transport Method and LiveUpdate together. Using the Virus Definition Transport Method allows you to schedule and push virus and security risk definitions updates from the Symantec System Center. In addition, you can use the Virus Definition Transport Method as an emergency system for distributing new virus definitions quickly when the network is threatened by a new virus.

Although the Virus Definition Transport Method is used more often, some large networks depend on LiveUpdate. These installations do not permit direct access to the Symantec site by a large number of servers and clients. One or more servers act as an internal LiveUpdate server to all of the other servers on the network, and in some installations, to all clients.

Best practice: Using Continuous LiveUpdate on 64-bit computers

To ensure that each managed 64-bit computer maintains the latest virus and security risk definitions, you can use Continuous LiveUpdate to require each computer to check for updates after a specified interval has expired.
If you have more than one 64-bit computer on your network and you are using the Symantec System Center console, you can group these computers into a client or server group and manage the definitions from the console. If you are not using the console, you can enable this feature and set the interval on the client computer.
See Enabling and configuring Continuous LiveUpdate for managed clients on page 227.

Updating definitions files on servers

You can update the virus and security risk definitions files on Symantec AntiVirus servers by using the following methods:

Virus Definition Transport Method
LiveUpdate
Intelligent Updater
.xdb file
Central Quarantine polling

See Table 5-1 on page 211.

Updating and configuring servers using the Virus Definition Transport Method

You can update servers manually or automatically. Update Symantec AntiVirus servers manually when you need to force an immediate update. Schedule automatic updates to handle routine definitions files updating without requiring further interaction. In either case, an update occurs only when the virus and security risk definitions files on a server are older than the definitions that are available on the LiveUpdate server.

To update all unlocked servers in the system
1 In the Symantec System Center console, right-click System Hierarchy, and then click Symantec AntiVirus > Update Virus Defs Now.
2 In the confirmation dialog box, click Yes.
3 In the status dialog box, click OK.
To update servers manually
1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 Select one of the following:
Update The Primary Server Of This Server Group Only: Updates all servers in the group from the primary management server
Update Each Server In This Server Group Individually: Updates servers individually
The option that you select affects all of the servers in the server group, whether you right-click a server group or an individual server.
3 Click Configure.
4 Click Update Now. A message appears with information about how you can view the date of the new virus and security risk definitions file.
5 Read the information that appears, and then click OK until the Symantec System Center console reappears.

To update servers automatically
1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 Select one of the following:
Update The Primary Server Of This Server Group Only: Updates all servers in the group automatically from the primary management server
Update Each Server In This Server Group Individually: Updates servers individually
The option that you select affects all servers in the server group, whether you right-click a server group or an individual server.
3 Click Configure.
4 Ensure that Schedule For Automatic Updates is checked, and then click Schedule.
5 Select options to determine when the definitions file updates (for example, every Tuesday at 10:00 P.M.).
6 Click OK until you return to the Symantec System Center main window.
Configuring a master primary management server

Configure a master primary management server to limit your network's exposure to the Internet. Only the master primary management server retrieves definitions from Symantec; the primary management servers of your other server groups retrieve their definitions from it.

To configure a master primary management server
1 In the Symantec System Center console, right-click a server, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, click Update the Primary Server of this Server Group only.
3 Click Configure.
4 In the Configure Primary Server Updates dialog box, click Source.
5 In the Setup Connection dialog box, in the Update definition file by list, click Another Protected Server, and then click Configure.
6 In the Configure Update From Server dialog box, select the server that you want to use as the master primary management server from the list of servers that appears.
7 Click OK until you return to the Configure Primary Server Updates dialog box.
8 In the Configure Primary Server Updates dialog box, do one of the following:
Click Update Now to retrieve the definitions file from the master primary management server immediately.
Click Schedule For Automatic Updates, and then click Schedule. Set a frequency and time when the server checks for updates on the master primary management server.
9 Click OK until you return to the Symantec System Center main window.

About updating NetWare servers using the Virus Definition Transport Method

Updating a NetWare server is similar to updating other types of servers, except that NetWare servers do not store the addresses of supported Windows servers in their address caches. As a result, if your NetWare server does not use a Domain Name System (DNS) server, you might have difficulty updating a NetWare server from a Windows server that resides in a different server group.
Updating servers using LiveUpdate Depending on the size of your network, you can use LiveUpdate to update virus and security risk definitions files in the following ways:
For smaller networks (fewer than 1000 nodes), configure managed servers to retrieve updates directly from the Symantec FTP site, Symantec LiveUpdate server, or an internal LiveUpdate server.
For larger networks (more than 1000 nodes), set up an internal LiveUpdate server, download updates to that server, and have your managed servers retrieve updates from the internal LiveUpdate server.

Updating servers from the Symantec FTP site or LiveUpdate server

You need to configure updating for the Symantec AntiVirus primary management server in each server group to ensure that its virus and security risk definitions files are current. You can also configure individual servers to update directly from Symantec. You can update all of the Symantec AntiVirus servers in a server group from a primary management server, or update each server in the group individually.

To update primary management servers
1 In the Symantec System Center console, right-click a server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, click Update The Primary Server Of This Server Group Only.
3 Click Configure.
4 In the Configure Primary Server Updates dialog box, do one of the following:
Click Update Now to launch a LiveUpdate session immediately.
Click Schedule For Automatic Updates, and then click Schedule to set a frequency and time when the server runs a LiveUpdate session.
5 Click OK.
6 In the Configure Primary Server Updates dialog box, click Source.
7 In the Update definition file via list, click LiveUpdate(Win32)/FTP(NetWare).
8 Click OK until you return to the Symantec System Center main window.

To update individual servers
1 In the Symantec System Center console, right-click a server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, click Update Each Server In This Server Group Individually. 3 Click Configure.
4 In the Configure Server Updates dialog box, click Source.
5 Click LiveUpdate (Win32)/FTP (NetWare).
6 Click OK. If you are configuring a NetWare server, make sure that the server is running FTP.
7 Do one of the following:
Click Update Now to launch a LiveUpdate session immediately.
Click Schedule For Automatic Updates, and then click Schedule to set a frequency and time when the server runs a LiveUpdate session.
8 Click OK until you return to the Symantec System Center main window.

Updating servers from an internal LiveUpdate server

You can set up an internal LiveUpdate server on a computer whether or not Symantec AntiVirus server software is installed on it. In either case, use the LUAdmin Utility to update the LiveUpdate server. The LUAdmin Utility pulls the definitions updates down from a Symantec LiveUpdate server, then places the packages on a Web server, an FTP site, or a location that is designated by a UNC path. You must then configure your Symantec AntiVirus servers to pull their definitions updates from this location. Because every computer that points at this location installs whatever it finds there, restrict write access to the account that runs the LUAdmin Utility and give the servers and clients that pull from it read-only access. For more information, see the LiveUpdate Administrator's Guide, which is available on the product CD or on the Symantec Support Web site.

Note: To compensate for unavailable internal LiveUpdate servers, Symantec AntiVirus supports multiple internal LiveUpdate servers for failover support.

To update servers from an internal LiveUpdate server
1 In the Symantec System Center console, right-click a server group, and then click All Tasks > LiveUpdate > Configure.
2 In the Configure LiveUpdate dialog box, click Internal LiveUpdate Server.
3 Set the following internal LiveUpdate server options:
Name: The name of the server. This name will appear when you run LiveUpdate.
Location: This box is optional. You can type descriptive information that is related to the server. For example, you can type the name of the site.
Login Name: The logon name that is associated with the server. Leave this box blank so that users can log on and retrieve the files without typing information.
Login Password: The logon password that is associated with the server. Leave this box blank so that users can log on and retrieve the files without typing information.
URL or IP Address: If you are using the FTP method (recommended), under Type, click FTP, and then type the FTP address for the server. For example: ftp.myliveupdateserver.com
If you are using the HTTP method, under Type, click HTTP, and then type the URL for the server. For example: or \Export\Home\LUDepot
If you are using the LAN method, under Type, click LAN, and then type the server UNC path name. For example: \\Myserver\LUDepot
In the Login box, type the name and password to access the server. If you leave the Login Name and Login Password boxes empty, an anonymous logon is used. This requires that anonymous logons be enabled on the FTP server. If your policy prohibits anonymous logons on FTP servers, type the logon name and password for the FTP server and directory to be accessed.
4 Click OK until you return to the Symantec System Center main window.

Updating servers with Intelligent Updater

To distribute updated virus and security risk definitions, download a new Intelligent Updater, and then use your preferred distribution method to deliver the updates to your managed servers and clients. Intelligent Updater is available as a single file or as a split package, which is distributed across several smaller files. The single file is for computers with network connections. The split package can be copied to floppy disks and used to update computers that do not have network connections, Internet access, or a CD-ROM drive.

Note: Make sure to use Intelligent Updater files for Symantec AntiVirus rather than the consumer version of the product.
To download Intelligent Updater
1 Using your Web browser, go to:
2 Under Virus Definitions, click Download Virus Definitions Manually.
3 Click Download Virus Definitions (Intelligent Updater Only).
4 Select the appropriate language and product.
5 Click Download Updates.
6 Click the file with the .exe extension.
7 When you are prompted for a location in which to save the files, select a folder on your hard drive.

To install the virus and security risk definitions files
1 Locate the Intelligent Updater file that you downloaded from Symantec.
2 Double-click the file and follow the on-screen instructions.

Updating virus definitions by using an .xdb file

You can update any Symantec AntiVirus server or client by downloading the .xdb file from the Symantec Web site. You can also copy an .xdb file from the VPHOME share on any Symantec AntiVirus server. The modified date of the .xdb file matches the date of the virus definitions. When using this method, Rtvscan.exe checks for new .xdb files, and then initiates the update process. Rtvscan.exe checks for new .xdb files about every ten minutes by default. You can stop and then restart the Symantec AntiVirus server process to manually initiate the update process if you do not want to wait.

If you have managed client computers and secondary servers that are not receiving virus definitions updates from the primary server in the server group, you can download an .xdb file and replace the virus definitions that the primary server distributes to its client computers and secondary servers. For more information about how to do this, see To replace the virus definitions that are used by the primary server for distribution. For more information, see the Symantec Knowledge Base.
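The manual .xdb replacement that follows is easy to get wrong on a production primary server (a stale file left behind, the service left stopped, or an older .xdb copied over newer definitions). The script below is an added example written for this guide's Windows procedure; it is not Symantec's own code. It follows the numbered steps exactly, and adds one check the steps do not: because the modified date of an .xdb file matches the date of its definitions, it refuses to install a file that is not newer than the .xdb already on the server unless you pass -Force. The service name "Symantec AntiVirus" and the default program folder C:\Program Files\SAV are assumptions taken from this chapter; adjust them if your installation differs.

```powershell
# Added example: replace the definitions that a Windows primary management
# server distributes, following the manual .xdb procedure in this chapter.
# Assumptions: service name "Symantec AntiVirus" and the default SAV folder.
param(
    [Parameter(Mandatory = $true)][string]$XdbPath,
    [string]$SavFolder   = 'C:\Program Files\SAV',
    [string]$ServiceName = 'Symantec AntiVirus',
    [switch]$Force
)

$ErrorActionPreference = 'Stop'

# Step 2: a package saved with a .zip extension is renamed to .xdb.
if ([IO.Path]::GetExtension($XdbPath) -ieq '.zip') {
    $renamed = [IO.Path]::ChangeExtension($XdbPath, '.xdb')
    Rename-Item -LiteralPath $XdbPath -NewName (Split-Path $renamed -Leaf)
    $XdbPath = $renamed
}
$new = Get-Item -LiteralPath $XdbPath

# Added safety check: the modified date of an .xdb matches its definitions
# date, so a file that is not newer than the current .xdb would roll the
# whole server group back. Refuse unless the operator explicitly wants that.
$current = Get-ChildItem -LiteralPath $SavFolder -Filter '*.xdb' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $Force -and $current -and $current.LastWriteTime -ge $new.LastWriteTime) {
    throw ("Existing definitions {0} ({1}) are not older than {2} ({3}); use -Force to roll back." -f
        $current.Name, $current.LastWriteTime, $new.Name, $new.LastWriteTime)
}

# Step 3: stop the Symantec AntiVirus service so Rtvscan.exe is not reading
# the definitions folder while it is being rebuilt. Stop-Service waits for
# the service to reach the Stopped state.
Stop-Service -Name $ServiceName

try {
    # Step 5: delete any .vdb and .xdb files in the program folder.
    Get-ChildItem -LiteralPath $SavFolder -File |
        Where-Object { $_.Extension -eq '.vdb' -or $_.Extension -eq '.xdb' } |
        Remove-Item -Force

    # Steps 6-7: open I2_LDVP.VDB and delete its Vdb and Xdb subfolders.
    $i2 = Join-Path $SavFolder 'I2_LDVP.VDB'
    foreach ($sub in 'Vdb', 'Xdb') {
        $p = Join-Path $i2 $sub
        if (Test-Path -LiteralPath $p) { Remove-Item -LiteralPath $p -Recurse -Force }
    }

    # Step 8: copy the downloaded .xdb into the program folder.
    Copy-Item -LiteralPath $new.FullName -Destination $SavFolder
}
finally {
    # Step 9: start the service again even if a step above failed, so the
    # server is not left without real-time protection.
    Start-Service -Name $ServiceName
}

Write-Host ("Installed {0}; definitions dated {1}" -f $new.Name, $new.LastWriteTime.ToShortDateString())
```

Run it from an elevated PowerShell prompt on the primary server, for example `.\Replace-SavDefs.ps1 -XdbPath C:\Temp\vd219a31.xdb`. The try/finally is deliberate: the original procedure restarts the service as the last step, but an operator who hits an error halfway through the manual steps can easily forget it, and a primary server with its service stopped also stops pushing definitions to its secondary servers and clients.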
To download an .xdb file
1 Go to the xdb folder on the Symantec FTP site: ftp://ftp.symantec.com/avdefs/symantec_antivirus_corp/xdb/ You can also find the file by following the download links on the Symantec Security Response Virus Definitions Download Page.
2 Click the .xdb file with the latest date, and in the dialog box, click Save to disk.
3 If the .xdb file downloads with a .zip extension, remove the .zip extension by renaming the file. The file name should be similar to vd219a31.xdb.
4 Copy the .xdb file to one of the following locations, depending on which type of installation you are updating:
For NetWare servers, the default location is SYS:SAV.
For Windows computers, the default location is C:\Program Files\SAV or C:\Program Files\SAV\Symantec AntiVirus.
For client computers, the default location is C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\.
For information about finding the location of the Symantec AntiVirus program folder, see Locating the Symantec AntiVirus program folder.

To replace the virus definitions that are used by the primary server for distribution
1 Download the latest .xdb file from the Symantec Security Response Web site.
2 If the file name has a .zip extension, rename the file extension to .xdb.
3 Perform one of the following tasks:
On a Windows server, stop the Symantec AntiVirus service.
On a NetWare server, go to the Symantec AntiVirus screen, press Alt+F10, and then type your password.
4 Perform one of the following tasks:
On a Windows server, open the Symantec AntiVirus program folder. For information about finding the location of the Symantec AntiVirus program folder, see Locating the Symantec AntiVirus program folder.
On a NetWare server, open the SYS:SAV folder.
5 Delete any .vdb files and any .xdb files in the folder.
6 Open the I2_LDVP.VDB folder.
7 Delete the Vdb and Xdb subfolders.
8 Copy the .xdb file that you downloaded to the Symantec AntiVirus program folder. For information about finding the location of the Symantec AntiVirus program folder, see Locating the Symantec AntiVirus program folder.
9 Perform one of the following tasks:
On a Windows server, start the Symantec AntiVirus service. For information about how to start the Symantec AntiVirus service, see To restart the Symantec AntiVirus service.
On a NetWare server, at the NetWare console, type the following command: LOAD SYS:SAV\VPSTART

About using Central Quarantine polling to update servers

If you use Symantec Central Quarantine, you can configure the Central Quarantine Server to periodically poll the Digital Immune System gateway for new virus and security risk definitions files. When new definitions are available, the Central Quarantine Server can automatically push the new definitions to the computers that need them, using the Virus Definition Transport Method. For more information, see the Symantec Central Quarantine Administrator's Guide.

Minimizing network traffic and handling missed updates

LiveUpdate provides advanced scheduling options for minimizing network traffic and handling missed updates. Table 5-2 describes LiveUpdate scheduling options.
Table 5-2 LiveUpdate scheduling options

Option: Randomization options
Description: Randomizes updates: plus or minus a specified number of minutes of the scheduled time; any day of the week within a specified time interval; any day of the month plus or minus a specified number of days of the scheduled date.
When to use: Use when you want to stagger updates for multiple computers to minimize the impact on network traffic. By default, Symantec AntiVirus randomizes LiveUpdate sessions to minimize bandwidth spikes.

Option: Missed Event options
Description: Determines how missed LiveUpdate events are handled. An event might be missed if a computer is turned off when the LiveUpdate session is scheduled to run. You can set options so that scheduled LiveUpdate events that were missed run at a later time.
When to use: Use to ensure that computers that are unavailable for a regularly scheduled LiveUpdate event attempt to pull definitions at a later time.

You can set separate randomization schedules for Symantec AntiVirus servers and clients on your network to minimize the impact on network traffic. You can specify separate policies for handling missed LiveUpdate events for Symantec AntiVirus servers and clients.

To randomize the LiveUpdate schedule for servers
1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, click Configure.
3 In the Configure Primary Server Updates dialog box, check Schedule For Automatic Updates.
4 Click Schedule.
5 Set the frequency and time when the server checks for updates.
6 In the Virus Definition Update Schedule dialog box, click Advanced.
7 In the Advanced Scheduled Options dialog box, under Randomization Options, check the options that you want, and then set the minutes, day of the week, or day of the month options.
8 Click OK until you return to the Symantec System Center main window.
To randomize the LiveUpdate schedule for clients
1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, check Schedule Client For Automatic Virus Definition Updates Using LiveUpdate.
3 Click Schedule.
4 Set the frequency and time when the clients will check for updates.
5 Click Advanced.
6 In the Advanced Schedule Options dialog box, under Randomization Options, check the options that you want, and then set the minutes, day of the week, or day of the month options.
7 Click OK until you return to the Symantec System Center main window.

To handle missed LiveUpdate events for servers
1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, click Configure.
3 Click Schedule for Automatic Updates.
4 In the Configure Primary Server Updates dialog box or the Configure Server Updates dialog box, click Schedule.
5 In the Virus Definition Update Schedule dialog box, click Advanced.
6 In the Advanced Schedule Options dialog box, check Handle Missed Events Within.
7 Set the time limit within which you want the missed update to run. For example, you might want a weekly LiveUpdate event to run only if it is within three days after the scheduled time for the missed event.
8 Click OK until you return to the Symantec System Center main window.

To handle missed LiveUpdate events for clients
1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, click Schedule Client For Automatic Virus Definition Updates Using LiveUpdate.
3 Click Schedule.
4 In the Virus Definition Update Schedule dialog box, click Advanced.
5 In the Advanced Schedule Options dialog box, check Handle Missed Events Within.
6 Set the time limit within which you want the missed update to run. For example, you may want a weekly LiveUpdate event to run only if it is within three days after the scheduled time for the missed event.
7 Click OK until you return to the Symantec System Center main window.

Updating definitions files on clients

You can update the virus and security risk definitions files on Symantec AntiVirus clients by using the following methods:

Virus Definition Transport Method
LiveUpdate
Intelligent Updater (see Updating servers with Intelligent Updater on page 218)
Central Quarantine polling (see About using Central Quarantine polling to update servers on page 221)

See Table 5-1 on page 211.

You can update Symantec AntiVirus clients using the Virus Definition Transport Method, LiveUpdate, or both.

Note: LiveUpdate is the only method for updating definitions files that is supported on 64-bit computers.

To update clients using the Virus Definition Transport Method
1 In the Symantec System Center console, right-click a server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, check Update Virus Definitions From Parent Server.
3 Click Settings.
4 In the Update Settings dialog box, set the frequency with which the parent management server will push updates.
5 Click OK.
6 In the Virus Definition Manager dialog box, uncheck Schedule Client for Automatic Updates using LiveUpdate.
7 Click OK until you return to the Symantec System Center main window.

To update clients using LiveUpdate
1 In the Symantec System Center console, right-click a server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, check Schedule Client For Automatic Updates Using LiveUpdate.
3 Click Schedule.
4 In the Virus Definition Update Schedule dialog box, select the frequency, day, and time that you want the update to occur.
5 Click OK until you return to the Symantec System Center main window.

To update clients using both the Virus Definition Transport Method and LiveUpdate
1 In the Symantec System Center console, right-click a server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, check Update Virus Definitions from Parent Server.
3 Check Schedule Client For Automatic Updates Using LiveUpdate.
4 Click Schedule.
5 In the Virus Definition Update Schedule dialog box, select the frequency, day, and time that you want the update to occur.
6 Click OK.
7 Click Settings.
8 In the Update Settings dialog box, set the frequency with which the parent management server pushes updates.
9 Click OK until you return to the Symantec System Center main window.

Forcing definitions files on clients to update immediately

You can force clients to update virus and security risk definitions files immediately using LiveUpdate. This feature is available for clients that normally receive updates using LiveUpdate or the Virus Definition Transport Method.
This feature provides a good way to update definitions files when one or more clients on which LiveUpdate is installed are using outdated files for some reason, for example, when an update operation that was performed at the server group level succeeded on all but several clients.
Warning: Updating a large number of clients immediately can result in slow performance. Once you start this operation, you cannot cancel it. Do not use this feature to update definitions files during a virus outbreak. See Handling a virus outbreak on your network on page 243.

Before you update virus and security risk definitions files this way, specify the number of clients that can be updated at once without confirmation. When the number of selected clients exceeds this number, a confirmation dialog box appears to verify that you want to exceed the administrator-specified number.

To specify the number of clients to update immediately
1 In the Symantec System Center console, on the Tools menu, click SSC Console Options.
2 In the SSC Console Options Properties window, on the Client Display tab, select the number of clients that you want to update before you see a confirmation dialog box.
3 Click OK.

To update one or more clients immediately with LiveUpdate
1 In the Symantec System Center console, right-click one or more clients in the right pane, and then click All Tasks > Symantec AntiVirus > Update Virus Defs Now.
2 If you selected more than the administrator-specified number of clients, in the confirmation dialog box, click one of the following:
Yes
Cancel
If a client is configured to update using the Virus Definition Transport Method, Symantec AntiVirus prompts you to allow LiveUpdate to run.
3 Click OK in the status dialog box.

Configuring managed clients to use an internal LiveUpdate server

You can configure LiveUpdate settings for managed computers running the Symantec AntiVirus client from the Symantec System Center. For unmanaged Symantec AntiVirus clients, use the LiveUpdate Administration Utility to create a custom .hst file. For information on configuring LiveUpdate for unmanaged Symantec AntiVirus clients, see the LiveUpdate Administrator's Guide.
To configure a managed Symantec AntiVirus client to use an internal LiveUpdate server
1 Right-click a parent management server or a server group, and then click All Tasks > LiveUpdate > Configure.
2 In the Configure LiveUpdate dialog box, click Internal LiveUpdate Server.
3 If you are using an FTP or HTTP server, type the appropriate data in the Login Name and Password boxes.
4 In the Connection box, type one of the following:
The Universal Naming Convention (UNC) path to your shared folder
The URL or IP address for your FTP or HTTP server
5 In the Type list, select one of the following:
LAN
FTP
HTTP
6 To configure individual clients to use an internal LiveUpdate server as well, check Apply settings to clients not in Groups.
7 Click OK until you return to the Symantec System Center main window.
If you are using multiple parent management servers, repeat steps 1 through 7 for each parent management server so that all Symantec AntiVirus clients and servers receive the changes.

Enabling and configuring Continuous LiveUpdate for managed clients

If a managed Symantec AntiVirus client infrequently connects to its parent management server (for example, a laptop computer that is used remotely), it might not receive the most current virus and security risk definitions updates. For these computers, Continuous LiveUpdate offers a backup option for receiving updates directly from Symantec whenever the computer connects to the Internet.

With Continuous LiveUpdate, you can specify a maximum number of days that the definitions files on a Symantec AntiVirus computer can be out of date before an update is forced. When the Symantec AntiVirus client determines that its definitions files exceed the maximum age, it initiates a silent (no user interaction required) LiveUpdate session. You can enable Continuous LiveUpdate by using the Symantec System Center.
You can also enable Continuous LiveUpdate by changing the client registry.
Enabling Continuous LiveUpdate by using the Symantec System Center

You can enable Continuous LiveUpdate by using the Symantec System Center.

To enable Continuous LiveUpdate
1 In the Symantec System Center console, right-click a server group, a Symantec AntiVirus server, a client group, or an individual Symantec AntiVirus client, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, check Enable Continuous LiveUpdate.
3 Click OK until you return to the Symantec System Center main window.

Enabling and configuring Continuous LiveUpdate by changing the client registry

You can enable Continuous LiveUpdate through the client registry by adding a new subkey, EnableAdminForcedLU, to HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\PatternManager. Set its value to 1 to enable Continuous LiveUpdate.

You can configure additional Continuous LiveUpdate options by adding other values to the client's registry. Table 5-3 describes the registry subkeys that you use to configure Continuous LiveUpdate.

Table 5-3 Configuration values for Continuous LiveUpdate

Subkey name                  Data value  Description
EnableAdminForcedLU          0/1         Disable or enable Continuous LiveUpdate.
MaxDefsDaysOldAllowed        n           Specify the age (in days) that the definitions can be before Symantec AntiVirus runs a silent LiveUpdate.
AdminForcedLUCheckInterval   n           Specify the interval (in minutes) to check for old definitions.
AFLUDelay                    n           Set the startup delay time (between 0 and 180 minutes) of the Continuous LiveUpdate feature. This delay time is valid only if the feature is enabled. The actual delay time is a random number between 0 and n, where n is the value in the registry key. The default value is 30 minutes.

Note: Set the MaxDefsDaysOldAllowed value to 8 days or higher. Lower settings may cause problems if you need to perform a definitions rollback, since the age of the definitions files that you want to roll back to may exceed the maximum number of days that Continuous LiveUpdate allows before forcing an update.

Setting LiveUpdate usage policies

You can set LiveUpdate usage policies for managed clients. When these policies are enabled, they are dimmed on the client. The policies determine whether the following activities can be performed at the client level:
  Change the LiveUpdate schedule.
  Manually launch LiveUpdate.

The Do not allow client to modify LiveUpdate schedule setting in the Symantec System Center Virus Definition Manager dialog box is locked and dimmed. When both of the following settings are disabled, the locked setting is automatically unchecked and disabled:
  Schedule client for automatic updates using LiveUpdate
  Do not allow client to manually launch LiveUpdate

When one or both of these settings are checked and enabled, the locked setting is automatically checked and enabled. This automatic locking ensures that LiveUpdates that administrators schedule are always propagated to clients and cannot be modified by users.
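Added example, not code from the Symantec guide: a PowerShell script that reads the Continuous LiveUpdate values that Table 5-3 describes (the table calls them subkeys; they are values under the PatternManager key) from a client, checks them against the documented ranges, including the 8-day minimum for MaxDefsDaysOldAllowed that the note recommends and the 0 to 180 minute range for AFLUDelay, and can write a complete in-range configuration. The registry path is the one this chapter gives. The function names, the 60-minute check interval used as a default, and the key-creation behaviour are this example's own assumptions; it needs administrative rights on the client and should be tried on a test client first.

```powershell
# Added example (not part of the Symantec guide). Audits and sets the Continuous
# LiveUpdate values from Table 5-3. Requires administrative rights on the client.
# Assumption: the key path is exactly as the guide documents for this version.
$PatternManagerKey = 'HKLM:\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\PatternManager'
$ValueNames = 'EnableAdminForcedLU', 'MaxDefsDaysOldAllowed', 'AdminForcedLUCheckInterval', 'AFLUDelay'

function Get-ContinuousLiveUpdateConfig {
    # Returns a hashtable of the four values; $null marks a value that is absent
    # (an absent EnableAdminForcedLU means the feature is off, per the guide).
    param([string]$Path = $PatternManagerKey)
    $config = @{}
    $item = if (Test-Path -Path $Path) { Get-ItemProperty -Path $Path } else { $null }
    foreach ($name in $ValueNames) {
        $config[$name] = if ($item -and $item.PSObject.Properties[$name]) { [int]$item.$name } else { $null }
    }
    return $config
}

function Test-ContinuousLiveUpdateConfig {
    # Compares a configuration against the ranges and the note in Table 5-3 and
    # returns one finding string per problem (an empty array means no findings).
    param([Parameter(Mandatory)][hashtable]$Config)
    $findings = @()
    if ($Config['EnableAdminForcedLU'] -ne 1) {
        $findings += 'EnableAdminForcedLU is not 1: Continuous LiveUpdate is disabled on this client.'
    }
    $maxAge = $Config['MaxDefsDaysOldAllowed']
    if ($null -ne $maxAge -and $maxAge -lt 8) {
        $findings += "MaxDefsDaysOldAllowed is $maxAge; the guide recommends 8 or higher so that a definitions rollback is not immediately forced forward again."
    }
    $delay = $Config['AFLUDelay']
    if ($null -ne $delay -and ($delay -lt 0 -or $delay -gt 180)) {
        $findings += "AFLUDelay is $delay; the documented range is 0 to 180 minutes."
    }
    $interval = $Config['AdminForcedLUCheckInterval']
    if ($null -ne $interval -and $interval -le 0) {
        $findings += 'AdminForcedLUCheckInterval must be a positive number of minutes.'
    }
    return ,$findings
}

function Set-ContinuousLiveUpdateConfig {
    # Writes a complete, in-range configuration. Supports -WhatIf so the change
    # can be previewed. The 60-minute check interval default is this example's
    # choice; the guide does not state a product default for that value.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Path = $PatternManagerKey,
        [ValidateRange(8, 365)][int]$MaxDefsDaysOldAllowed = 8,
        [ValidateRange(1, 1440)][int]$CheckIntervalMinutes = 60,
        [ValidateRange(0, 180)][int]$StartupDelayMinutes = 30
    )
    if (-not (Test-Path -Path $Path)) {
        if ($PSCmdlet.ShouldProcess($Path, 'Create registry key')) {
            New-Item -Path $Path -Force | Out-Null
        }
    }
    $desired = [ordered]@{
        EnableAdminForcedLU        = 1
        MaxDefsDaysOldAllowed      = $MaxDefsDaysOldAllowed
        AdminForcedLUCheckInterval = $CheckIntervalMinutes
        AFLUDelay                  = $StartupDelayMinutes
    }
    foreach ($name in $desired.Keys) {
        if ($PSCmdlet.ShouldProcess("$Path\$name", "Set DWORD to $($desired[$name])")) {
            New-ItemProperty -Path $Path -Name $name -Value $desired[$name] -PropertyType DWord -Force | Out-Null
        }
    }
}

# Usage: audit the current state, then preview the corrective write with -WhatIf.
$findings = Test-ContinuousLiveUpdateConfig -Config (Get-ContinuousLiveUpdateConfig)
if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'Continuous LiveUpdate configuration is within the documented ranges.' }
Set-ContinuousLiveUpdateConfig -WhatIf
```

The audit deliberately treats an absent EnableAdminForcedLU as "disabled", which matches the guide's statement that the feature is enabled by adding the value and setting it to 1; absent values for the other three settings are reported as nothing, since the product's own defaults then apply.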
To set LiveUpdate usage policies
1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, do one of the following:
  Check Do Not Allow Client To Modify LiveUpdate Schedule to prevent the LiveUpdate schedule from being modified on the client. (Schedule Client For Automatic Updates Using LiveUpdate must be checked or this box is dimmed.) When this option is unchecked, LiveUpdate can run on the client at any time.
  Uncheck Do Not Allow Client To Manually Launch LiveUpdate to prevent LiveUpdate from being manually launched on the client. When this option is unchecked, LiveUpdate can run on the client at any time.
  Uncheck Download Product Updates Using LiveUpdate to prevent application updates.

Controlling definitions file deployment

The Symantec System Center console provides a set of tools for controlling the deployment of virus and security risk definitions files on your network. Use these tools to do the following:
  Verify the version numbers of definitions files on servers. See Verifying the version number of definitions files on page 231.
  View the risk lists on servers and clients. See Viewing the risk list on page 231.
  Roll back to a previous definitions file (network-wide). See Rolling back definitions files on page 231.

If new definitions files are causing false positives or other problems for a server, you can verify the version number of the definitions file on that computer and then deploy an earlier definitions set from the Symantec System Center console. All servers and clients in that server group will roll back to the specified definitions file.

You can also control the version of the definitions file that is used on all servers and clients in a server group. Users who download a definitions file that was not approved for company use can be forced to use the virus and security risks definitions file that you specify. Because you can easily undo a definitions file rollout, you can release new definitions files in less time.
Finding computers with outdated definitions files

The Symantec System Center displays a warning icon if a definitions file is out-of-date on one or more computers that are managed by a parent management server, server group, or client group.

To find computers with outdated definitions files
Expand the server, server group, or client group and look for warning icons.

Verifying the version number of definitions files

Using the Symantec System Center console, you can view the version number of the definitions files at the Symantec AntiVirus server, server group, client group, and individual Symantec AntiVirus client level.

To verify the version number of definitions files
In the Symantec System Center console, right-click a server group, client group, Symantec AntiVirus server, or client, and then click Properties. On the Symantec AntiVirus tab, in the Virus Definitions box, the file version is listed as a numerical date, followed by a version number.

After a definitions file is updated on a computer, it might take several minutes before the information is available from the console.

Viewing the risk list

You can view a list of the viruses and security risks, such as adware and spyware, that are detectable on a selected server or client. The risk list ensures that the selected computer is protected from a specific virus or security risk.

To view the risk list
1 In the Symantec System Center console, right-click a server or client, and then click All Tasks > Symantec AntiVirus > View Risk List.
2 Click Close.

Rolling back definitions files

You can roll back a virus and security risk definitions file for a server group. For example, if the most recent file generated false positive virus or security risks detections, you might want to roll back to a previous file. Before you attempt to roll back definitions, make sure that you restart all of the computers that run the antivirus client and server programs after the initial installation. If you do not do this, some clients might not roll back to the earlier definitions.
Note: When you roll back definitions files, virus and security risks definitions that are newer than those in the rolled back version are deleted.

To roll back definitions files
1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, ensure that Update The Primary Server Of This Server Group Only is selected, and then click Configure.
3 In the Configure Primary Server Updates dialog box, click Definition File.
4 In the Select Virus Definition File dialog box, select the definitions file that you want to roll back to, and then click Apply.
5 Click Yes to change the current file.
6 Click OK until you return to the Symantec System Center main window.

Testing definitions files

Many administrators prefer to test virus and security risk definitions files on a test network before making them available on a production server.

To test definitions files
1 Install Symantec AntiVirus server to a primary management server on the test network.
2 From the primary management server on your test network, run LiveUpdate to download the definitions file. To test the operation of the definitions file, using your web browser, go to: and download the antivirus test file available there.
3 Once testing is complete, copy the definitions file from the \Program files\sav folder on the test server to a folder with the same name on the primary management servers on your production network.

Once the definitions files are on the primary management servers, they flow to other servers in the server group. Clients are configured to automatically retrieve definitions from their parent management servers if Update Virus Definitions From Parent Server in the Virus Definition Manager dialog box is checked.
Scenarios for definitions updates

The following scenarios show how administrators at two different companies perform updates:

At Company A, the administrator downloads the new virus and security risk definitions file from the Symantec FTP site or Symantec LiveUpdate server to a primary management server on the test network. He tests the definitions file. When testing is completed, he copies the definitions file to the master primary management server on his production network. He has configured other primary management servers so that they retrieve the update from the master primary management server. All of the other connected computers use the Virus Definition Transport Method. Secondary management servers retrieve the update from their primary management server. Clients retrieve the update from their parent management server.

At Company B, the administrator downloads the virus and security risk definitions file from the Symantec FTP site or Symantec LiveUpdate server to a test network. She tests the definitions file. When testing is completed, she downloads the new definitions file from the Symantec FTP site or Symantec LiveUpdate server to the internal LiveUpdate server on her production network. Some low-risk users are allowed to go outside of the firewall. When LiveUpdate runs on their computers, the definitions file is downloaded directly from the Symantec FTP site or Symantec LiveUpdate server.

About scanning after updating definitions files

If Auto-Protect is enabled, Symantec AntiVirus begins scanning with the updated definitions files immediately. Once definitions files are updated, Symantec AntiVirus offers to attempt to repair files that are stored in Quarantine.
Chapter 6 Responding to virus outbreaks

This chapter includes the following topics:
  Preparing for virus outbreaks
  Handling a virus outbreak on your network

Preparing for virus outbreaks

Responding to virus outbreaks requires preparing before an outbreak occurs, and having a strategy in place for handling an outbreak should one occur. In addition to installing Symantec AntiVirus on the servers and workstations in your network, preparing for a virus outbreak consists of the following tasks:
  Creating and reviewing a virus outbreak plan. See Creating a virus outbreak plan on page 236.
  Defining Symantec AntiVirus actions for handling viruses. See Defining Symantec AntiVirus actions for handling suspicious files on page 237.

A strategy for handling virus outbreaks includes the following:
  Enable virus alerts and messages. See Using alerts and messages on page 244.
  Run a virus sweep of your network. See Running a virus sweep on page 244.
  Track viruses using reports and logs. See Tracking virus alerts using reporting, Event Logs, and Histories on page 245.
  Use the Central Quarantine Console to track infected computers on your network, and submit suspicious file samples to Symantec Security Response for analysis and cure. See Tracking submissions to Symantec Security Response with Central Quarantine Console on page 245.

Note: Symantec AntiVirus now includes standard reporting functionality that can be installed and is accessible from the Symantec System Center. You can use reporting to monitor events, generate reports, and send alerts in response to virus outbreaks. Reporting provides functionality similar to that of AMS 2. We recommend that you use reporting rather than AMS 2, although you still have the option to install AMS 2.

Creating a virus outbreak plan

An effective response to a virus outbreak on your network requires a plan that allows you to respond quickly and efficiently. You should create a virus outbreak plan and define actions for handling suspicious files. Table 6-1 outlines the tasks for creating a virus outbreak plan.

Table 6-1 A model virus outbreak plan

Task: Ensure that definitions files are current.
Description: Verify that infected computers have the latest definitions files, and use the Virus Definition Transport Method to push new definitions if needed. See Updating definitions files on servers on page 213.

Task: Map your network topology.
Description: Prepare a network topology map so that you can systematically isolate and clean computers by segment before you reconnect them to your local network. Your map should contain the following information:
  Server names and addresses
  Client names and addresses
  Network protocols
  Shared resources

Task: Understand security solutions.
Description: In addition to understanding your network topology, you need to understand your implementation of Symantec AntiVirus as well as the implementation of any other security products that are used on your network. Consider the following questions:
  What security programs are protecting network servers and workstations?
  What is the schedule for updating definitions?
  What alternative methods of obtaining updates are available if the normal channels are under attack?
  What log files are available for tracking viruses on your network?

Task: Have a backup plan.
Description: In the event of a catastrophic virus infection, you may need to restore servers and clients to be sure that your network has not been compromised. Having a backup plan in place to restore critical computers is essential.

Task: Isolate the infected computers.
Description: Blended threats such as worms can travel via shared resources without user interaction. When you respond to an infection by a computer worm, it can be critical to isolate the infected computers by disconnecting them from the network.

Task: Identify the virus.
Description: Symantec AntiVirus reports and logs are a good source of information about viruses on your network. If you can identify a virus from the reports or logs, you can use the Symantec Security Response Virus Encyclopedia to learn how to remove the virus.

Task: Respond to unknown viruses.
Description: If you cannot identify a suspicious file as a virus by examining the logs, and the latest virus definitions files do not clean the file, go to and look at the Latest Virus Threats and Security Advisories areas for news.

Defining Symantec AntiVirus actions for handling suspicious files

By default, Symantec AntiVirus performs the following actions when it identifies a file that it suspects is infected by a virus:
  Symantec AntiVirus attempts to repair the file. If the file cannot be repaired with the current set of definitions files, the infected file is moved to the Quarantine on the local computer.
  In addition, the Symantec AntiVirus client makes a log entry of the risk event in its log. The Symantec AntiVirus client data is forwarded to a primary management server. You can view log data from the Symantec System Center console.

You can perform the following additional actions to complete your virus handling strategy:
  Configure reporting to notify you when viruses are found.
  Define different repair actions based on virus type. For example, you can have Symantec AntiVirus automatically fix macro viruses, but ask what action to take when a program file virus is detected. Assign a backup action for files that Symantec AntiVirus cannot repair, such as deleting the infected file. See About actions for viruses and security risks that scans detect on page 142. See Configuring actions for File System Auto-Protect on page 160.
  Configure the local Quarantine to forward infected files to the Central Quarantine. You can configure the Central Quarantine to attempt a repair based on its set of virus definitions (which may be more up-to-date than the definitions on the local computer), or automatically forward samples of infected files to Symantec Security Response for analysis. For more information, see the Symantec Central Quarantine Administrator's Guide.

Specifying a local quarantine directory

If you don't want to use the default quarantine directory to store quarantined files on client computers, you can specify a different local directory on the Quarantine Options dialog box. You can use path expansion by using the percent sign when typing in the path, for example, %COMMON_APPDATA%, but relative paths are not allowed. The software supports the following expansion parameters:

%COMMON_APPDATA%            This is typically C:\Documents and Settings\All Users\Application Data
%PROGRAM_FILES%             This is typically C:\Program Files
%PROGRAM_FILES_COMMON%      This is typically C:\Program Files\Common
%COMMON_DESKTOPDIRECTORY%   This is typically C:\Documents and Settings\All Users\Desktop
%COMMON_DOCUMENT%           This is typically C:\Documents and Settings\All Users\Documents
%SYSTEM%                    This is typically C:\Windows\System32
%WINDOWS%                   This is typically C:\Windows

Note: If you change the directory after some files have already been quarantined in the default directory, the old files in quarantine are not moved to the new directory.

To specify a local quarantine directory
1 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Quarantine Options.
2 In the Local Quarantine Options group box, click Specify Quarantine Directory.
3 Type in the name of a local directory on the client computers. You can use path expansion by using the percent sign when typing in the path, for example, %COMMON_APPDATA%, but relative paths are not allowed.
4 Click OK.

Configuring automatic Quarantine purge options

When Symantec AntiVirus scans a suspicious file, it places the file in the local Quarantine folder on the infected computer. The Quarantine purge feature automatically deletes files in the Quarantine when they exceed a specified age or when the directory where they are stored reaches a certain size. You can configure these options using the Symantec System Center on the server, server group, and client group level.

You can individually configure the number of days, months, or years to keep repaired, backup, and quarantined files, and you can set the maximum directory size allowed before files are automatically removed from the client computer. You can use just one of the settings, or you can use both together. If you set both types of limits, then all files older than the time you have set are purged first. If the size of the directory still exceeds the size limit that you set, then the oldest files are deleted one by one until the directory size falls below the limit. By default, these options are not enabled.
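Added example, not code from the Symantec guide, covering the two Quarantine settings described in this section: the local quarantine directory with its percent-sign expansion parameters, and the purge order (age limit first, then oldest files one by one until the directory fits its size limit). Mapping the guide's expansion parameters onto .NET special folders, the function names, and the constructed sample files are this example's assumptions; the product's own expansion code and purge implementation are not on the page. The Invoke-QuarantinePurge wrapper deletes files, so run it with -WhatIf first.

```powershell
# Added example (not part of the Symantec guide). Models the local quarantine
# directory expansion rules and the age-then-size purge order this section
# describes. The parameter-to-special-folder mapping is this example's assumption.
$ExpansionParameters = @{
    COMMON_APPDATA          = 'CommonApplicationData'
    PROGRAM_FILES           = 'ProgramFiles'
    PROGRAM_FILES_COMMON    = 'CommonProgramFiles'
    COMMON_DESKTOPDIRECTORY = 'CommonDesktopDirectory'
    COMMON_DOCUMENT         = 'CommonDocuments'
    SYSTEM                  = 'System'
    WINDOWS                 = 'Windows'
}

function Resolve-QuarantineDirectory {
    # Expands %NAME% tokens from the table above and rejects what the guide
    # disallows: relative paths, including "." or ".." segments after expansion.
    param([Parameter(Mandatory)][string]$Spec)
    $expanded = $Spec
    foreach ($m in [regex]::Matches($Spec, '%([A-Z_]+)%')) {
        $name = $m.Groups[1].Value
        if (-not $ExpansionParameters.ContainsKey($name)) { throw "Unknown expansion parameter %$name%" }
        $expanded = $expanded.Replace($m.Value, [Environment]::GetFolderPath($ExpansionParameters[$name]))
    }
    if (-not [System.IO.Path]::IsPathRooted($expanded) -or $expanded -match '(^|[\\/])\.\.?([\\/]|$)') {
        throw "Relative paths are not allowed: '$Spec'"
    }
    return $expanded
}

function Get-QuarantinePurgeCandidates {
    # Applies the purge order the guide describes: files older than the age limit
    # go first; if the directory is still over its size limit, the oldest remaining
    # files go one by one until it fits. A limit of 0 disables that limit.
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Files,   # objects with LastWriteTime and Length
        [int]$MaxAge = 0,
        [ValidateSet('Days', 'Months', 'Years')][string]$Unit = 'Days',   # the 0/1/2 frequency values
        [int]$MaxDirSizeMB = 0,
        [datetime]$Now = (Get-Date)
    )
    $purge = New-Object System.Collections.Generic.List[object]
    $remaining = @($Files | Sort-Object -Property LastWriteTime)   # oldest first
    if ($MaxAge -gt 0) {
        $cutoff = switch ($Unit) {
            'Days'   { $Now.AddDays(-$MaxAge) }
            'Months' { $Now.AddMonths(-$MaxAge) }
            'Years'  { $Now.AddYears(-$MaxAge) }
        }
        foreach ($f in $remaining) { if ($f.LastWriteTime -lt $cutoff) { $purge.Add($f) } }
        $remaining = @($remaining | Where-Object { $_.LastWriteTime -ge $cutoff })
    }
    if ($MaxDirSizeMB -gt 0) {
        $limit = [int64]$MaxDirSizeMB * 1MB
        $total = [int64]($remaining | Measure-Object -Property Length -Sum).Sum
        foreach ($f in $remaining) {
            if ($total -le $limit) { break }
            $purge.Add($f)
            $total -= $f.Length
        }
    }
    return ,$purge.ToArray()
}

function Invoke-QuarantinePurge {
    # Applies the policy to a real directory; -WhatIf previews the deletions.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$DirectorySpec,
        [int]$MaxAge = 0, [string]$Unit = 'Days', [int]$MaxDirSizeMB = 0
    )
    $dir = Resolve-QuarantineDirectory -Spec $DirectorySpec
    $files = @(Get-ChildItem -LiteralPath $dir -File)
    foreach ($f in Get-QuarantinePurgeCandidates -Files $files -MaxAge $MaxAge -Unit $Unit -MaxDirSizeMB $MaxDirSizeMB) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Purge from Quarantine')) { Remove-Item -LiteralPath $f.FullName }
    }
}

# Constructed sample (not real data): five quarantined items, evaluated with the
# procedure's defaults of 90 days and 50 MB.
$now = Get-Date -Date '2006-06-01'
$sample = @(
    [pscustomobject]@{ Name = 'item1'; LastWriteTime = $now.AddDays(-120); Length = 10MB }
    [pscustomobject]@{ Name = 'item2'; LastWriteTime = $now.AddDays(-95);  Length = 20MB }
    [pscustomobject]@{ Name = 'item3'; LastWriteTime = $now.AddDays(-40);  Length = 30MB }
    [pscustomobject]@{ Name = 'item4'; LastWriteTime = $now.AddDays(-10);  Length = 25MB }
    [pscustomobject]@{ Name = 'item5'; LastWriteTime = $now.AddDays(-1);   Length = 15MB }
)
# item1 and item2 exceed 90 days; item3, item4 and item5 total 70 MB, so item3
# (the oldest survivor) is also purged, leaving 40 MB. Output: item1, item2, item3.
(Get-QuarantinePurgeCandidates -Files $sample -MaxAge 90 -MaxDirSizeMB 50 -Now $now).Name
```

The sample shows why the guide says the two limits compose rather than compete: the age pass removes everything older than the limit regardless of size, and only then does the size pass trim the survivors from the oldest end. Resolve-QuarantineDirectory is the check to run on an administrator-entered directory before it is pushed to clients, since a relative or mis-typed expansion parameter would otherwise be discovered only when clients fail to quarantine.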
To configure automatic Quarantine purge options
1 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Quarantine Options.
2 Click Purge Options.
3 In the Purge Options dialog box, in the Repaired Files group box, check Purge after, type or click an arrow to select the time interval, and then select the unit of time from the drop-down list. The default is 90 days.
4 Check the Purge oldest files to fit directory size limit check box, and then type in the maximum directory size, in megabytes. The default is 50 megabytes.
5 In the Backup Files group box, check Purge after, type or click an arrow to select the time interval, and then select the unit of time from the drop-down list. The default is 90 days.
6 Check the Purge oldest files to fit directory size limit check box, and then type in the maximum directory size, in megabytes. The default is 50 megabytes.
7 In the Quarantined Files group box, check Purge after, type or click an arrow to select the time interval, and then select the unit of time from the drop-down list. The default is 90 days.
8 Check the Purge oldest files to fit directory size limit check box, and then type in the maximum directory size, in megabytes. The default is 50 megabytes.
9 Click OK to return to the Quarantine Options dialog box.

Registry settings for Quarantine Purge options

Registry settings for Quarantine purge options are located in the \HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Quarantine registry key. Table 6-2 lists the possible Quarantine purge settings.

Table 6-2 Quarantine purge settings

Subkey name                    Data value  Description
QuarantinePurgeEnabled         0/1         Disables/enables purge
QuarantinePurgeAgeLimit        n           Specifies the maximum number of days to keep a file in the Quarantine directory
QuarantinePurgeFrequency       n           Sets the frequency value for purging: 0=Days, 1=Months, 2=Years
QuarantinePurgeBySizeEnabled   0/1         Disables/enables purging by size
QuarantinePurgeBySizeDirLimit  n           Specifies the maximum size allowed for the directory, in megabytes.
BackupItemPurgeEnabled         0/1         Disables/enables purging backup files
BackupItemPurgeAgeLimit        n           Specifies the maximum number of days to keep a backup file in Quarantine
BackupItemPurgeFrequency       n           Sets the frequency value for purging backup files: 0=Days, 1=Months, 2=Years
BackupPurgeBySizeEnabled       0/1         Disables/enables purging by size
BackupPurgeBySizeDirLimit      n           Specifies the maximum size allowed for the directory, in megabytes.
RepairedItemPurgeEnabled       0/1         Disables/enables purging repaired files
RepairedItemPurgeAgeLimit      n           Specifies the maximum number of days to keep a repaired item in Quarantine
RepairedItemPurgeFrequency     n           Sets the frequency value for purging repaired files: 0=Days, 1=Months, 2=Years
RepairedPurgeBySizeEnabled     0/1         Disables/enables purging by size
RepairedPurgeBySizeDirLimit    n           Specifies the maximum size allowed for the directory, in megabytes.

Forwarding items to the Quarantine Server

You can enable items in Quarantine on a client or server to be forwarded to the Quarantine Server. You can also apply these settings to the selected clients that are not members of client groups. These clients appear under the selected server or server group.
To enable forwarding items to the Quarantine Server
1 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Quarantine Options.
2 In the Quarantine Options dialog box, check Enable Quarantine or Scan and Deliver.
3 Type the name of the Quarantine Server or click the network icon to browse, and then select a server in the network.
4 Type the port number to use, select the number of seconds to retry connecting, and then select the protocol to use.
5 Click Apply settings to clients not in Groups.
6 Click OK.

Enabling scan and deliver

You can enable Symantec AntiVirus to allow users to submit infected or suspicious files and likely related side effects to Symantec Security Response for further analysis. Submitting items allows Symantec to better refine its detection and repair.

Files submitted to Symantec Security Response become the property of Symantec Corporation. In some cases, files may be shared with the antivirus community. When this occurs, Symantec uses industry-standard encryption and may anonymize data to help protect the integrity of the content and your privacy.

In some cases, Symantec might reject a file for some reason, for example, because the file does not seem to be infected. If you have reason to believe that there is a problem with the file, you can resubmit one such file per day. Enable the resubmission of files if you want users to be able to resubmit selected files.

You can apply these same settings to the selected clients that are not members of client groups. These clients appear under the selected server or server group.

To enable scan and deliver
1 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Quarantine Options.
2 In the Quarantine Options dialog box, check Enable Quarantine or Scan and Deliver.
3 Click Allow submissions via scan and deliver.
4 Click Allow files to be resubmitted to Symantec Security Response.
5 Click Apply settings to clients not in Groups, if appropriate.
6 Click OK.

Configuring actions to take when new definitions arrive

You can configure the actions that you want to take on servers and client computers when new definitions arrive on the computer. You can apply these same settings to the selected clients that are not members of client groups. These clients appear under the selected server or server group.

To configure actions for new definitions
1 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Quarantine Options.
2 Under When new virus definitions arrive, select one of the following actions:
  Automatically repair and restore silently
  Repair silently without restoring
  Prompt user
  Do nothing
3 Click Apply settings to clients not in Groups, if appropriate.
4 Click OK.

Handling a virus outbreak on your network

Symantec AntiVirus provides the following tools for handling a virus outbreak on your network:

Alerts: Sends reporting alerts and built-in alerts from Symantec AntiVirus
Virus sweep: Forces a virus scan at the system hierarchy, server group, or individual server level
Event Logs and Histories: Tracks viruses and Central Quarantine submissions at the server group, individual server, or client level
Central Quarantine Console: Tracks submissions to Symantec Security Response
Using alerts and messages

You can use alerts and messages to learn about suspicious files that Symantec AntiVirus discovers on your network. Symantec AntiVirus offers the following notification mechanisms:
  Reporting (recommended alert method): If reporting is configured, clients can send events to a reporting server. You can configure a reporting server to send alerts to an address and to execute batch files that you create to perform custom actions, such as sending a page or an SNMP trap when a risk event occurs. You can also acknowledge and unacknowledge your alerts. For information about using reporting, see the Reporting User's Guide.
  AMS 2: If configured, Symantec AntiVirus clients can send risk events to an AMS 2 server. You can also configure AMS 2 servers to send alerts. See About the Alert Management System on page 99.
  Custom messages: From the Symantec System Center console, you can have a custom message appear on Symantec AntiVirus clients when they encounter a suspicious file. See Customizing and displaying warnings on infected computers on page 204.

Running a virus sweep

If you discover several suspicious files, you might not know if the problem is on the computer or server on which the suspicious files were detected, or if the problem has spread to other areas of the network. You might want to begin a virus sweep using the Symantec System Center. The number of computers that you scan depends on how you start the sweep. If a Symantec AntiVirus client is not accessible during a virus sweep, it scans the computer as soon as it is turned on. The computer does not have to log on to the network.

Depending on the object that you select in the Symantec System Center console, you can run a virus sweep on your entire network, a server group, or an individual server. A virus sweep scans for viruses and security risks.

Warning: A virus sweep can create considerable network traffic, the amount and duration of which depend on the size of your network. Once you start a virus sweep it must complete; you cannot stop it.

To run a virus sweep
1 In the Symantec System Center console, right-click the network, a server group, or a server, and then click All Tasks > Symantec AntiVirus > Start Virus Sweep.
2 In the Name box, type a name for the sweep.
3 If appropriate, click Options and set Scan Options, Advanced Scan Options, Actions, Throttling, and Notifications Options. The same configuration options are available for running a virus sweep as are available for manual scans. See Configuring manual scans on page
4 Click Start.

Tracking virus alerts using reporting, Event Logs, and Histories

You can use reporting to set the conditions that will trigger alerts to be sent, and you can configure how the notifications are sent out. For example, you can have reporting send alerts to the reporting database so that the alerts appear in the alert events log, you can have it execute a custom batch file, and you can have an alert sent to an address when a virus is detected. For information about using reporting, see the Reporting User's Guide.

You can also track Risk Found alerts from the Symantec System Center console. By default, Risk Found alerts appear in the Risk History for three days. You can change the number of days for which Risk Found alerts appear.

Tracking submissions to Symantec Security Response with Central Quarantine Console

The Symantec System Center logs an event when a Symantec AntiVirus client submits a suspicious file to Symantec Security Response. In addition to the logged event, you can track the Auto-Protect status of submissions to Symantec Security Response from the Central Quarantine Console. For information on using the Central Quarantine Console, see the Symantec Central Quarantine Administrator's Guide.
247 Chapter 7 Managing roaming clients This chapter includes the following topics: About roaming clients Roaming client components How roaming works Implementing roaming Command-line options Registry values About roaming clients A roaming client can do the following: Automatically identify its best parent management server, based on speed and proximity, and become a managed client of that parent management server. For example, when a mobile user who is based in New York travels to California, the roaming client detects the new network address and reassigns the user's laptop to the best parent management server. Connect to the nearest appropriate parent management server whenever its network address changes. Connect to a different parent management server if the current parent management server becomes unavailable. Periodically recheck for the nearest parent management server to adjust for changes in servers and server load. Attempt to balance the load among a pool of equivalent servers when selecting a parent management server.
- Automatically identify the best parent management server when the client connects to the network (for unmanaged clients that are converted to managed clients). For example, a corporation may have a distribution center for new computers. Administrators enable roaming on the computers before they are sent to branch offices, which entails specifying all of the possible roam servers for the new computers. When end users connect the new computers to the network, Symantec AntiVirus automatically assigns the best parent management server.

Roaming client components

Table 7-1 lists roaming client components.

Table 7-1 Roaming client components
List of level 0 servers
  Lists the level 0 servers that are available as possible roam servers for a specific roaming client. Roaming clients store this data in their registries. See Analyzing and mapping your Symantec AntiVirus network on page 250. See Creating a list of level 0 Symantec AntiVirus servers on page 251.
Hierarchical list of servers
  Lists all roam servers, grouped by hierarchical level. Roaming servers store this data in their registries. See Analyzing and mapping your Symantec AntiVirus network on page 250. See Creating a hierarchical list of Symantec AntiVirus servers on page 251.
Roamadmn.exe
  Sets up Symantec AntiVirus servers for roaming access.
SavRoam.exe
  Provides roam server data to roaming clients.
  See Configuring roaming client support options from the Symantec System Center console on page 252.

How roaming works

Roaming client support employs the following types of lists:
- One or more lists of level 0 servers
- A hierarchical list of the servers that you want to support roaming clients

Roaming clients store the level 0 list in their registries and use it to identify the servers to which they should attempt to connect. To implement roaming on your network, start by preparing one or more lists of level 0 servers and the hierarchical list of servers. After you roll out this data, roaming clients work in the following manner:
- SavRoam.exe launches on the Symantec AntiVirus client during startup and selects the best Symantec AntiVirus server, based on registry values and server feedback.
- The selected server provides the client with a list of servers at the next level in the network hierarchy.
- SavRoam loops through the network hierarchy until no lower level exists. The final server becomes the client's new parent management server and immediately pushes a full configuration to the roaming client.
- SavRoam runs the following checks at regular intervals:
  - Checks the availability and response time of its parent management server. If its parent management server is unavailable or another parent management server can provide better performance, SavRoam connects the client to a new best parent management server on the network.
  - Checks the computer's network address. If the address has changed, it connects to the new best parent management server.
- If the client was previously assigned to a different parent management server, SavRoam attempts to delete itself from the old parent after it checks in with the new parent.

Implementing roaming

To implement roaming, you must complete the following tasks:
- Analyze and map your Symantec AntiVirus network. Identify servers in each region that point roaming clients to the next level of roam servers.
- Create a list of level 0 servers for roaming clients.
- Create a hierarchical list of all roam servers, layered hierarchically.
- Configure roaming client support for roaming clients and servers from the Symantec System Center console.
- Configure additional roaming client options for roaming clients in the registry. This task is optional.
- Configure additional roaming client options for roam servers in the registry. This task is optional.

Analyzing and mapping your Symantec AntiVirus network

While you may have many servers in your network, you may want to identify only some of them as roam servers. Creating a hierarchical map of your network lets you quickly identify roam servers for your network. Figure 7-1 illustrates a map of an enterprise network that spans three continents. While this organization has more Symantec AntiVirus servers than appear in the map, only the mapped servers are identified as regional pointer servers.

Figure 7-1 Sample enterprise map

Level 0       Level 1
USASvr        USAEastSvr, USAWestSvr
EuropeSvr     EUROWestSvr, EUROEastSvr
AsiaSvr       JapanSvr, KoreaSvr
Identifying servers for each hierarchical level

To identify servers for each hierarchical level, you must analyze the needs of your roaming users. For example, you may need to identify mobile users based on whether they travel internationally, throughout the country, or within a smaller geographic area. If a user travels internationally, the user's server list could contain the names of the main country servers as its level 0 entry, and the level 0 servers would contain the list of level 1 servers. If a user travels within one country only, the user's server list would need to contain only the level 1 servers as its level 0 entry; no additional levels are needed in the hierarchy.

Depending on network speeds, the server list could contain only the top level servers (level 0 in Figure 7-1). This simplifies building the clients' server list. The only limit to the number of levels that you can define is the text file size limit of 512 characters for each file entry.

Creating a list of level 0 Symantec AntiVirus servers

You can create the clients' server list text file using a text editor such as Notepad. The server list text file must contain lines in the following format:

<local> <type of server> <level> <server list>

where:
- <local> indicates to the client that this is the level 0 list of servers that the client should attempt to contact when searching for a roam server.
- <type of server> is the server type, such as parent server.
- <level> is 0.
- <server list> is the list of servers, separated by commas. (Spaces after the commas are optional.)

For example, the clients' server list text file that corresponds to Figure 7-1 is as follows:

<local> Parent 0 USASvr,EuropeSvr,AsiaSvr

This is the only line in the server list for the roaming clients in this example. The list tells the clients to contact and compare response times from these three servers only.
Depending on which server is best, the client continues its search down the list into one of the three continents.

Creating a hierarchical list of Symantec AntiVirus servers

You can create the hierarchical list using a text editor such as Notepad. It must contain lines in the following format:
<computer> <type of server> <level> <server list>

where:
- <computer> is the host name of the server.
- <type of server> is the server type, such as parent server.
- <level> is the level that is specified in the server list text file.
- <server list> is the list of servers, separated by commas. (Spaces after the commas are optional.)

For example, in the enterprise map in Figure 7-1, the USA branch would have the following server list:

USASvr Parent 1 USAWestSvr,USAEastSvr

Configuring roaming client support options from the Symantec System Center console

You can configure roaming client support options from the Symantec System Center console. You can configure options at the following levels:
- Server group
- Client group
- Server
- Client

You can use Fully Qualified Domain Names or NetBIOS host names when typing the server names. If NetBIOS names are not unique among domains, however, using Fully Qualified Domain Names can result in collisions in the address cache. Once you set the options, Symantec AntiVirus pushes them to the Symantec AntiVirus clients based on the selected level.
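A parser and consistency checker for the two list files defined above, added here as an example; it is not Symantec's code and not part of the product. It follows the entry format stated in this section (owner, server type, level, comma-separated server list, 512 characters per entry) with sample lines constructed for the Figure 7-1 map. The host-name pattern and the reachability check (a roam server that owns a hierarchical entry but is listed nowhere can never be reached by a client) are assumptions of this example.

```python
"""Parse and check the two roaming list files this chapter defines: the
clients' level 0 list (<local> <type> <level> <server list>) and the
hierarchical list (<computer> <type> <level> <server list>).
Added example, not Symantec's code: the sample lines are constructed,
and the host-name pattern and the reachability check are this example's
own assumptions."""
import re
from dataclasses import dataclass, field

MAX_ENTRY_CHARS = 512                                 # documented limit per entry
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")   # NetBIOS name or FQDN (assumption)

# Constructed sample input for the enterprise map in Figure 7-1.
CLIENT_LIST = "<local> Parent 0 USASvr,EuropeSvr,AsiaSvr\n"
HIERARCHICAL_LIST = """\
USASvr Parent 1 USAWestSvr,USAEastSvr
EuropeSvr Parent 1 EUROEastSvr, EUROWestSvr
AsiaSvr Parent 1 JapanSvr,KoreaSvr
"""


@dataclass
class Entry:
    owner: str          # "<local>" in the clients' list, else the roam server's host name
    server_type: str    # e.g. "Parent"
    level: int          # level of the servers being listed
    servers: list = field(default_factory=list)


def parse_line(line: str) -> Entry:
    """Parse one entry and reject anything a client could not act on."""
    if len(line) > MAX_ENTRY_CHARS:
        raise ValueError(f"entry longer than {MAX_ENTRY_CHARS} characters")
    parts = line.strip().split(None, 3)
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields, got {len(parts)}: {line!r}")
    owner, stype, level, server_list = parts
    if not level.isdigit():
        raise ValueError(f"level must be a number: {level!r}")
    if owner == "<local>" and int(level) != 0:
        raise ValueError("the <local> entry must be level 0")
    if owner != "<local>" and not HOST_RE.fullmatch(owner):
        raise ValueError(f"bad computer name {owner!r}")
    servers = [s.strip() for s in server_list.split(",")]   # spaces after commas allowed
    for name in servers:
        if not HOST_RE.fullmatch(name):
            raise ValueError(f"bad server name {name!r} in {line!r}")
    return Entry(owner, stype, int(level), servers)


def parse_file(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def validate(text: str) -> list:
    """One message per bad entry, so a whole file can be checked at once."""
    errors = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip():
            try:
                parse_line(line)
            except ValueError as exc:
                errors.append(f"line {n}: {exc}")
    return errors


def next_level(entries: list, owner: str) -> list:
    """The servers a given roam server (or '<local>') hands out next."""
    return [s for e in entries if e.owner == owner for s in e.servers]


def unreachable(client_entries: list, hier_entries: list) -> set:
    """Servers that own a hierarchical entry but are listed nowhere: no
    roaming client will ever be pointed at them."""
    listed = {s for e in client_entries + hier_entries for s in e.servers}
    return {e.owner for e in hier_entries} - listed


if __name__ == "__main__":
    problems = validate(CLIENT_LIST + HIERARCHICAL_LIST)
    print(problems or "both lists parse cleanly")
    print("unreachable:", unreachable(parse_file(CLIENT_LIST), parse_file(HIERARCHICAL_LIST)))
```

Running `validate` over both files before rolling them out catches the malformed entries (wrong field count, non-numeric level, over-long line) that would otherwise only show up as a client that never finds a parent.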
To configure roaming client support options from the Symantec System Center console
1 In the Symantec System Center console, right-click the server group, Symantec AntiVirus servers, client group, or Symantec AntiVirus clients that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Roaming Options. If you select a server group, the Symantec System Center configures all of the clients in the server group. If you select a client group, it configures all of the clients in the client group.
2 In the Client Roaming Options dialog box, do the following:
  - Enable roaming on clients on which the Symantec AntiVirus roam service is installed.
  - Set the number of minutes that a client waits before it validates that its parent management server is available. The default setting is 120 minutes.
  - Set the number of minutes that a client waits before it checks for a closer parent management server. The default setting is 60 minutes.
  - Set the number of times that a client checks each server to determine the average number of seconds required to contact it. The client then uses this sampling to determine how close a server is to the client. The default setting is 7 times.
  - Set the number of seconds that a client that cannot find a new parent management server waits before it retries. The default setting is 30 seconds.
3 Under Use These Servers, select one of the following:
  - Roaming: You can set up level 0 parent management servers.
  - Failover: You can set up a fault tolerance system by specifying backup servers to handle clients when roam servers are unavailable. A roaming client checks the response time for the first server in the list that answers. If the first backup server fails, the roaming clients that it manages migrate to the next available backup server in the list when they check their parent management server availability. Backup servers do not load balance.
  - Loadbalance: If you have multiple servers and want to distribute roaming clients among them, you can load balance by treating roam servers as equals regardless of how long it takes clients to contact them. A roaming client contacts each server in the list. Roaming servers keep a count of the Symantec AntiVirus clients that they manage and return this value to the roaming client. The roaming client selects the server with the fewest clients, which becomes its new parent management server. Load balancing has a higher priority than finding the closest parent.
4 To specify load balancing among servers, use an equal sign (=) between the servers. For example:
MiamiSvr=AtlantaSvr=RichmondSvr
5 To specify failover servers, use a greater than symbol (>) between the servers in the hierarchical list. For example:
MiamiSvr>AtlantaSvr>RichmondSvr
6 Click OK.

Configuring additional roaming client support for roaming clients

Configuring additional roaming client support for roaming clients consists of the following tasks:
- Configuring roaming on each roaming client
- Adding level 0 server data to the registry of each roaming client

Configuring additional roaming on each roaming client

You can configure additional roaming on Symantec AntiVirus clients by setting the required values in a configuration file (Grc.dat), or by directly editing each roaming client's registry. The registry value RoamManagingParentLevel0 lists the parent management servers that roaming checks for proximity. Type this registry value under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\ProductControl

Roaming server example

A corporation has a computer from which all roam servers are visible. The Serverlist.txt file includes the following lines:

USASvr Parent 1 USAWestSvr,USAEastSvr
EuropeSvr Parent 1 EUROEastSvr,EUROWestSvr
AsiaSvr Parent 1 JapanSvr,KoreaSvr

Table 7-2 describes the Serverlist.txt data as it appears in each roam server's registry.

Table 7-2 Sample registry values
Server name   Registry value               Data
USASvr        RoamManagingParentLevel1     USAWestSvr, USAEastSvr
EuropeSvr     RoamManagingParentLevel1     EUROEastSvr, EUROWestSvr
AsiaSvr       RoamManagingParentLevel1     JapanSvr, KoreaSvr

To configure additional roaming options, you can configure additional load balancing, failover, and alternate servers. See Configuring roaming client support options from the Symantec System Center console on page 252.

Command-line options

You must have local Administrator rights to use command-line options.
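The selection walk described under How roaming works, with the Failover (>) and Loadbalance (=) rules from the console procedure, as an added simulation; it is not SavRoam.exe's code. The registry data is taken from Table 7-2 above, with two constructed entries one level further down to show a pool and a chain; the probe samples and managed-client counts are constructed, and the tie-break details the chapter leaves open (a pool member that reports no count, nothing answering at a level) are this example's assumptions.

```python
"""Walk the roam-server hierarchy the way this chapter says SavRoam does:
probe each candidate, average the response times, prefer a load-balance
pool (=) by fewest managed clients over proximity, take the first member
of a failover chain (>) that answers, and descend until no lower level
exists.  Added example, not SavRoam.exe's code: the registry data comes
from Table 7-2 with two constructed entries added, the probe samples and
client counts are constructed, and tie-break details the chapter leaves
open are this example's assumptions."""
from statistics import mean

# "<local>" is the client's own RoamManagingParentLevel0; the others are
# each roam server's RoamManagingParentLevel1 (Table 7-2).  The last two
# entries are constructed to show a pool and a chain one level further down.
REGISTRY_DATA = {
    "<local>": "USASvr, EuropeSvr, AsiaSvr",
    "USASvr": "USAWestSvr, USAEastSvr",
    "EuropeSvr": "EUROEastSvr, EUROWestSvr",
    "AsiaSvr": "JapanSvr, KoreaSvr",
    "USAEastSvr": "MiamiSvr=AtlantaSvr=RichmondSvr",
    "USAWestSvr": "SeattleSvr>PortlandSvr",
}
# Constructed probe results: round-trip samples in seconds (None = no
# answer) and the managed-client count each pool member reports.
RTT_SAMPLES = {
    "USASvr": [0.02, 0.03, 0.02], "EuropeSvr": [0.11, 0.12, 0.10],
    "AsiaSvr": [None, None, None],
    "USAWestSvr": [0.04, 0.05, 0.04], "USAEastSvr": [0.01, 0.02, 0.01],
    "MiamiSvr": [0.01] * 3, "AtlantaSvr": [0.03] * 3, "RichmondSvr": [0.09] * 3,
    "SeattleSvr": [None] * 3, "PortlandSvr": [0.06] * 3,
}
CLIENT_COUNTS = {"MiamiSvr": 400, "AtlantaSvr": 120, "RichmondSvr": 250}


def items_of(owner, data=REGISTRY_DATA):
    """Comma-separated next-level items handed out by `owner` (spaces optional)."""
    return [i.strip() for i in data[owner].split(",")] if owner in data else []


def avg_rtt(server, samples=RTT_SAMPLES):
    """Average of the answered probes (the console's 'number of times a
    client checks each server', default 7); None if it never answered."""
    good = [s for s in samples.get(server, []) if s is not None]
    return mean(good) if good else None


def choose(items, samples=RTT_SAMPLES, counts=CLIENT_COUNTS):
    """Pick the best server from one level's items, or None if nothing answers."""
    pools = [i for i in items if "=" in i]
    if pools:
        # Load balancing has priority over finding the closest parent:
        # fewest clients wins; a member that reports no count is least preferred.
        members = [m for p in pools for m in p.split("=") if avg_rtt(m, samples) is not None]
        return min(members, key=lambda m: counts.get(m, float("inf"))) if members else None
    candidates = []
    for item in items:
        if ">" in item:
            alive = [m for m in item.split(">") if avg_rtt(m, samples) is not None]
            if alive:                     # failover chain: first server that answers
                candidates.append(alive[0])
        elif avg_rtt(item, samples) is not None:
            candidates.append(item)
    # Plain entries: lowest average response time wins.
    return min(candidates, key=lambda m: avg_rtt(m, samples)) if candidates else None


def find_parent(data=REGISTRY_DATA, samples=RTT_SAMPLES, counts=CLIENT_COUNTS):
    """Descend from the level 0 list; the last server chosen becomes the new
    parent.  Returns the servers selected, top level first."""
    path, current = [], "<local>"
    while items_of(current, data):
        nxt = choose(items_of(current, data), samples, counts)
        if nxt is None:        # nothing at this level answered: keep the last
            break              # reachable server as the parent
        path.append(nxt)
        current = nxt
    return path


if __name__ == "__main__":
    route = find_parent()
    print("path:", " -> ".join(route), "| new parent:", route[-1])
```

With the constructed data the client descends USASvr, then USAEastSvr, then lands on AtlantaSvr because the pool rule ignores MiamiSvr's better response time and picks the member with the fewest clients. Re-running `find_parent` with USASvr marked dead shows the other failure mode: the client falls through to EuropeSvr and stops there, since nothing below it answers.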
Table 7-3 describes the command-line options that can be used with SavRoam.exe and RoamAdmn.exe.

Table 7-3 Command-line options
/h
  Displays a list of the options with descriptions of their usages.
/import <server list>
  Sets up client or server registry keys. When you use RoamAdmn.exe, you can import the server list to remote servers. When you use SavRoam.exe, you can import the server list to the registry of the local computer. <server list> is the text file that contains the list of potential parent management servers.
/export > <file>
  Reports all of the roam servers that the client can find at all levels. <file> is the name of the file to which the information is written. You can use the file that is created with the export command as the server list for import.
/install <path> <new service name> <new exe name>
  Registers and starts the roaming client service. The service runs until the computer is turned off. <path> is the path to the folder in which you want to copy SavRoam.exe. <new service name> is SavRoam.exe. <new exe name> is SavRoam.exe.
/remove <new service name>
  Stops and removes SavRoam.exe.
/nearest
  Finds and sets the nearest appropriate parent for the parent server.
/check_parent
  Verifies that the parent management server is running.
/shutdown
  Disconnects the client from the parent management server.
Table 7-3 Command-line options (continued)
/time-network <elapsed-time-in-seconds> <delta-time-in-milliseconds> <servers>
  Provides the average amount of time that it takes to contact each specified server. <elapsed-time-in-seconds> is the number of seconds to allow the process to run. <delta-time-in-milliseconds> is how often to contact the server, in milliseconds. For example, 10,000 would cause the client to contact the server every ten seconds. <servers> is the list of servers to be contacted. Separate server names with commas. Do not include spaces between server names or commas.

Registry values

You can edit the roaming registry values using a registry editor such as Regedit or Regedt32. The agent behavior is controlled by the registry values under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\ProductControl

Table 7-4 describes the registry values for roaming clients.

Table 7-4 Registry values for roaming clients
CheckForNewParentIntervalInSeconds
  If a computer cannot find the nearest parent when it first starts, it checks periodically to see if the network is up. This value sets the interval. The default value is 30 seconds.
CheckParentIntervalInMinutes
  Determines how often a computer checks to see if its parent is available. If the parent is not available, it tries to find a new parent. The default value is 120 minutes.
Table 7-4 Registry values for roaming clients (continued)
RoamClient
  Instructs the agent to make this computer a child of the nearest parent. The default value is 0. Set this value to 1 if you want the computer to become a child of the nearest parent.
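Because the values under ProductControl decide which servers a client will accept as its parent, an administrator will want to compare what is actually on a client against the intended rollout. The following audit of a .reg export of that key is an added example, not Symantec's code: the export text is constructed, the baseline reuses the defaults from Table 7-4 and the level 0 servers from the Figure 7-1 rollout, and the value types (REG_DWORD for RoamClient and the two interval counters, REG_SZ for RoamManagingParentLevel0) are assumptions of this example.

```python
"""Audit the roaming values under the ProductControl key from a .reg
export of a client, so a client quietly re-pointed at an unknown parent
or left with roaming disabled stands out.  Added example, not Symantec's
code: the .reg text is constructed, and the value types (REG_DWORD for
the counters and RoamClient, REG_SZ for the server list) are this
example's assumptions."""
import re

PRODUCT_CONTROL = (r"HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6"
                   r"\CurrentVersion\ProductControl")

# Constructed export of one roaming client's key, as a registry editor writes it.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\ProductControl]
"RoamClient"=dword:00000001
"CheckParentIntervalInMinutes"=dword:00000078
"CheckForNewParentIntervalInSeconds"=dword:0000001e
"RoamManagingParentLevel0"="USASvr,EuropeSvr,AsiaSvr"
"""

# Intended state for this fleet: the defaults from Table 7-4 with roaming
# enabled, plus the approved level 0 servers from the rollout (constructed).
BASELINE = {
    "RoamClient": 1,
    "CheckParentIntervalInMinutes": 120,
    "CheckForNewParentIntervalInSeconds": 30,
}
APPROVED_LEVEL0 = {"USASvr", "EuropeSvr", "AsiaSvr"}

VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg(text, key=PRODUCT_CONTROL):
    """Return {name: value} for the dword and string values under `key`."""
    values, in_key = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()    # key names are case-insensitive
            continue
        m = VALUE_RE.match(line) if in_key else None
        if not m:
            continue
        name, dword, string = m.groups()
        values[name] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return values


def audit(values, baseline=BASELINE, approved=APPROVED_LEVEL0):
    """Findings worth acting on; an empty list means the client matches."""
    findings = []
    for name, expected in baseline.items():
        if name not in values:
            findings.append(f"{name} missing (default {expected} assumed)")
        elif values[name] != expected:
            findings.append(f"{name}={values[name]} differs from baseline {expected}")
    level0 = values.get("RoamManagingParentLevel0", "")
    servers = {s.strip() for s in level0.split(",") if s.strip()}
    if not servers:
        findings.append("RoamManagingParentLevel0 is empty: client cannot roam")
    for unknown in sorted(servers - approved):
        findings.append(f"unapproved level 0 parent: {unknown}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)) or ["roaming configuration matches baseline"]:
        print(finding)
```

A server name in RoamManagingParentLevel0 that is not in the approved set is the finding to chase first: it means the client will probe, and may accept configuration from, a parent the rollout never listed.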
Chapter 8 Working with Histories and Event Logs

This chapter includes the following topics:
- About Histories and Event Logs
- Working with Histories
- Forwarding client and server logs
- Deleting Histories and Event Logs

About Histories and Event Logs

Histories and Event Logs offer a central view of virus, security risk, and scanning activity on your network. Using the Symantec System Center, you can do the following:
- View data at the server group, server, or individual managed workstation level. In addition, each Symantec AntiVirus client stores its own Event Log data locally. The data is viewable from the Symantec AntiVirus client user interface.
- Sort and filter History and Event Log data.
- Perform actions that are based on History and Event Log data. For example, if a Risk History displays a found virus, you can perform actions such as repairing the infected file or moving it to the Central Quarantine.
- Export data to Microsoft Access (as an .mdb file) or in comma-separated value (.csv) format.
- Remove History and Event Log data.

Table 8-1 describes the Histories and Event Logs that Symantec AntiVirus provides.
Table 8-1 History and Event Log types
Event Log
  Description: Provides the following information:
  - Symantec AntiVirus startups and shutdowns
  - Scans that were started, stopped, or aborted
  - Configuration changes
  - User name and domain that authenticated the user
  - Virus and security risk definitions updates
  - Viruses and security risks that were found and repaired
  - Items that were forwarded to the Central Quarantine
  - Items that were forwarded to Symantec Security Response
  Available for: Server groups, individual servers, individual clients
Scan History
  Description: Provides information about scans that have run or are running on Symantec AntiVirus clients at the server group, server, or individual workstation level. Specify a time range to filter the view. For example, you might want to view only those scans that ran within the last seven days.
  Available for: Server groups, individual servers, individual clients
Table 8-1 History and Event Log types (continued)
Risk History
  Description: Lists all viruses and security risks that were detected for selected computers or server groups. You can select a virus or security risk item in the list and perform additional actions, such as Delete or Move To Quarantine. Risk History shows many details about each virus and security risk that was detected, including the following:
  - The name and location of the infected files
  - The name of the infected computer
  - The first and second actions that were configured for the detected virus or security risk
  - The action that was taken on the virus or security risk
  - User name and domain that authenticated the user
  You can click the link in the security risk item to access detailed information about it at the Symantec Security Response Web site. Since security risks often involve many types of objects and files, this log contains a summary line for security risks. You can view more details by looking at the Risk properties. See Viewing Risk properties on page 272.
  Available for: Server groups, individual servers, individual clients
Tamper History
  Description: Provides information about the attempts to tamper with Symantec applications that Tamper Protection thwarted for servers and clients. Tamper History shows details about each attack, including the name of the user and the domain that authenticated the user.
  Available for: Server groups, individual servers, individual clients
Virus Sweep History
  Description: Includes information about previous virus sweeps for servers or server groups.
  Available for: Server groups, individual servers

When a Symantec AntiVirus parent management server receives client Event Logs from different time zones, the server adjusts the client time stamps to correspond to the Symantec AntiVirus server's local time.

Note: When you add a security risk to the global exclusions list, Symantec AntiVirus no longer logs any events that involve that security risk.
Users are not notified in any way when the risk is present on their computers.
Sorting and filtering History and Event Log data

When you view the Event Log, Scan History, Risk History, Tamper History, or Virus Sweep History, you can filter items in the following ways:
- Today
- Past 7 days
- This month
- All items
- A selected range of days

When you view Histories and Event Logs, you can sort the data in any column, and you can filter event types by selecting just the events that you want to view. You can also filter Event Log data by event type.

To sort the data
Click the column header. The ascending sort icon appears in the column header the first time that you click it. The descending sort icon appears the next time that you click the column header.

To filter History and Event Log data by date
1 In the Symantec System Center console, right-click a server or server group, click All Tasks > Symantec AntiVirus > Logs, and then select one of the following:
  - Event Log
  - Scan History
  - Risk History
  - Tamper History
  - Virus Sweep History
2 In the list, select one of the following:
  - Today
  - Past 7 Days
  - This Month
  - All Items
  - Selected Range
  If you select Selected Range, select start and end dates, and then click OK.
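The time-zone adjustment noted under Table 8-1 and the date filters and column sort described above, worked through on constructed client records; this is an added example, not Symantec's code. The pipe-separated record layout, the four sample lines and the server's time zone are constructed for the example, and "Past 7 days" is read as today plus the six preceding days, which is an assumption.

```python
"""Bring client Event Log records from several time zones onto the parent
server's clock, then apply the console's date filters (Today, Past 7
days, This month, All items, Selected range), the Event Log's event-type
filter, and the column-header sort.  Added example, not Symantec's code:
the pipe-separated record layout, the sample lines and the server time
zone are constructed, and 'Past 7 days' is read as today plus the six
preceding days (an assumption)."""
from datetime import date, datetime, timedelta, timezone

SERVER_TZ = timezone(timedelta(hours=-8))     # assumed: parent server on US Pacific time

# Constructed records: "<client local time with UTC offset>|<client>|<event>|<detail>"
SAMPLE_LOG = """\
2006-03-14 23:30:00 +0900|TokyoLaptop|Risk Found|W32.Constructed.Sample
2006-03-14 09:15:00 -0500|NYDesktop|Scan started|Scheduled scan
2006-03-08 17:05:00 +0000|LondonServer|Definitions updated|rev 2006-03-08
2006-02-27 08:00:00 -0800|LADesktop|Configuration change|Auto-Protect settings
"""


def server_time(iso: str) -> datetime:
    """An ISO 'YYYY-MM-DDTHH:MM' wall-clock value read as server local time."""
    return datetime.fromisoformat(iso).replace(tzinfo=SERVER_TZ)


def parse_log(text: str) -> list:
    """Every client stamp carries its own UTC offset; convert each to server
    time.  A stamp without an offset raises rather than being guessed."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, client, kind, detail = line.split("|", 3)
        client_time = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z")
        events.append({"time": client_time.astimezone(SERVER_TZ),
                       "client": client, "event": kind, "detail": detail})
    return events


def date_range(filter_name: str, today: date, start: str = None, end: str = None):
    """Map a console filter to an inclusive (first day, last day) pair."""
    if filter_name == "Today":
        return today, today
    if filter_name == "Past 7 days":
        return today - timedelta(days=6), today
    if filter_name == "This month":
        return today.replace(day=1), today
    if filter_name == "All items":
        return date.min, date.max
    if filter_name == "Selected range":
        if start is None or end is None:
            raise ValueError("Selected range needs both a start and an end date")
        first, last = date.fromisoformat(start), date.fromisoformat(end)
        if first > last:
            raise ValueError("Selected range: start date is after end date")
        return first, last
    raise ValueError(f"unknown filter {filter_name!r}")


def filter_events(events, filter_name, now_iso, start=None, end=None, event_type=None):
    """Date filter (relative to `now_iso` on the server's clock) plus the
    optional event-type filter."""
    first, last = date_range(filter_name, server_time(now_iso).date(), start, end)
    return [e for e in events
            if first <= e["time"].date() <= last
            and (event_type is None or e["event"] == event_type)]


def sort_events(events, column, descending=False):
    """Column-header sort: first click ascending, second click descending."""
    return sorted(events, key=lambda e: e[column], reverse=descending)


if __name__ == "__main__":
    recent = filter_events(parse_log(SAMPLE_LOG), "Past 7 days", "2006-03-14T12:00")
    for e in sort_events(recent, "time"):
        print(e["time"].strftime("%Y-%m-%d %H:%M"), e["client"], e["event"], e["detail"])
```

The Tokyo record illustrates why the adjustment matters: 23:30 on the client's clock is 06:30 the same day on the server's, so a "Today" filter applied to the raw client stamp would still match, but a record from a client a few hours further east could land on a different day entirely.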
To filter Event Log data by event type
1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Logs > Event Log.
2 In the Event Log dialog box, click the filter icon.
3 In the Filter Event Log dialog box, select the events that you want to display:
  - Configuration change
  - Symantec AntiVirus startup and shutdown
  - Virus definition file
  - Scan omissions
  - Forward to the Quarantine Server
  - Deliver to Symantec Security Response
  - Auto-Protect load/unload
  - Licensing
  - Client management and roaming
  - Log Forwarding
  - Unauthorized communication (access denied) warnings
  - Login and certificate management
  - Endpoint Compliance
4 Click OK.

About Event Log icons

In the Event Log window, icons display information about any viruses or security risks that were found, and allow you to perform actions such as saving the data as a comma-separated value (.csv) file. Table 8-2 describes Event Log icons.

Table 8-2 Event Log icons
- Get information about an event.
- Indicates that an error occurred in association with this event.
Table 8-2 Event Log icons (continued)
- Closes the Event Log window.
- Displays item properties.
- Saves the data shown in the Event Log window as a .csv file or as a Microsoft Access database (.mdb) file.
- Filters the Event Log by the following categories: Configuration change; Symantec AntiVirus startup/shutdown; Definitions file; Scan Omissions; Forward to Quarantine; Deliver to Symantec Security Response; Auto-Protect load/unload; Licensing; Client management and roaming; Log Forwarding; Unauthorized communication (access denied) warnings; Login and certificate management; Endpoint Compliance.
- Displays Help for the Event Log.

Viewing Histories

Table 8-3 describes the Histories that you can view in the Symantec System Center console.
Table 8-3 What the Histories show
Scan History (current and scheduled)
  - At the server group level, displays all of the scans for that server group
  - At the server level, displays all of the scans for that server and the clients that are managed by that server
  - At the client level, displays all of the scans for that client
Risk History
  - At the server group level, displays all of the viruses and security risks that were found in that server group
  - At the server level, displays all of the viruses and security risks that were found on that server and on clients that are managed by that server
  - At the client level, displays all of the viruses and security risks that were found for the client
Tamper History
  - At the server group level, displays all of the attempts to tamper with Symantec processes for that server group
  - At the server level, displays all of the attempts to tamper with Symantec processes on that server and on clients that are managed by that server
  - At the client level, displays all of the attempts to tamper with Symantec processes on that client
Virus Sweep History
  - At the server group and server level, displays all of the virus sweeps for all servers in a server group or a server

You can view Scan Histories, Risk Histories, Tamper Histories, and Virus Sweep Histories.

To view a Scan History
In the Symantec System Center console, right-click a server group, server, or client, and then click All Tasks > Symantec AntiVirus > Logs > Scan History.
To view a Risk History
In the Symantec System Center console, right-click a server, server group, or client, and then click All Tasks > Symantec AntiVirus > Logs > Risk History.

To view a Tamper History
In the Symantec System Center console, right-click a server, server group, or client, and then click All Tasks > Symantec AntiVirus > Logs > Tamper History.

To view a Virus Sweep History
1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Logs > Virus Sweep History.
2 In the Virus Sweep History dialog box, click View Results to examine the results of previous sweeps.

Working with Histories

You can view history information and save the history data as a .csv or .mdb file. You can perform additional actions in the Scan History and the Risk History.

Working with Scan Histories

In the Scan History window, icons display information about any viruses or security risks that were found. You can also perform certain actions on viruses and security risks in the Scan History.

Note: You cannot perform actions on data. You can perform only limited actions on compressed files.

Table 8-4 describes the Scan History icons.

Table 8-4 Scan History icons
- The file is infected.
- The file is not infected. The file was never infected, or it has been cleaned. See the action taken on the file for more information.
Table 8-4 Scan History icons (continued)
- Close the Scan History window.
- Display item properties.
- Save the data that is shown in the Scan History as a comma-separated value (.csv) file or as a Microsoft Access database file (.mdb).
- Display Help for the Scan History.

Table 8-5 describes the actions available in the Scan History window.

Table 8-5 Scan History actions
Undo Action Taken
  Symantec AntiVirus can undo the last action that was taken on a file. This includes returning a file to its original location and state. Symantec AntiVirus cannot restore a file or a risk item that has been permanently deleted. You cannot undo actions on compressed files.
Clean (viruses only)
  Symantec AntiVirus definitions files are frequently updated. A file that you could not clean previously might be able to be cleaned when the definitions file is updated. You cannot perform this action on compressed files or items that are affected by security risks.
Delete Permanently
  You can permanently delete an infected file (including a compressed file) that is stored in the Quarantine or Scan History. Permanently deleted items cannot be recovered. Note: For security risks, use this action with caution, because in some cases, deleting security risks can cause applications to lose functionality.
Table 8-5 Scan History actions (continued)
Move To Quarantine
  If you determine that Symantec AntiVirus has left a virus-infected file alone, you should move the file to the Quarantine so that the virus cannot spread. You can move compressed files and files that are affected by a security risk to the Quarantine. Security risks that are moved to the Quarantine are no longer active on your computer.
Export
  You can export information about a specific Scan History or Event Log item as a comma-separated value (.csv) file or as a Microsoft Access database (.mdb) file.
Properties
  You can view additional information about a specific Scan History or Event Log item.

In a Scan History, you can undo the last action that was taken on a file or risk, clean a file (viruses only), delete it permanently, or move the file to the Quarantine. You can also export Scan History data.

To undo the last action that was taken
1 Double-click the entry.
2 In the dialog box that opens, right-click the file, and then click Undo Action Taken.
3 In the Take Action dialog box, click Start Undo.

To clean an infected file
1 Double-click the entry.
2 In the dialog box that opens, right-click a file, and then click Clean.
3 In the Take Action dialog box, click Start Clean.

To delete an infected file permanently
1 Double-click the entry.
2 In the dialog box that opens, right-click a file, and then click Delete Permanently.
3 In the Take Action dialog box, click Start Delete. Permanently deleted files cannot be recovered.
To move a file to the Quarantine
1 Double-click the entry.
2 In the dialog box that opens, right-click a file, and then click Move To Quarantine.
3 In the Take Action dialog box, click Quarantine.

To export the Scan History data
1 Double-click the entry.
2 Right-click the file, and then click Export.
3 In the Save as type list, select one of the following:
  - CSV (Comma Delimited) (*.csv)
  - Access Database (*.mdb)
4 In the File name box, type a file name.
5 Click OK.

Working with Risk Histories

In the Risk History window, icons display information about the viruses and security risks that were found. You can also perform certain actions on viruses and security risks in the Risk History. Figure 8-1 shows a Risk History with one risk entry.
Figure 8-1 Risk History

Note: You cannot perform actions on data. You can perform only limited actions on compressed files.

Table 8-6 describes the Risk History icons.

Table 8-6 Risk History icons
- This file has been infected with a virus or security risk.
- This file is not infected by a virus. The file was never infected, or it has been cleaned. See the action that was taken on the file for more information.
- An error occurred in association with this file.
- Close the Risk History window.

Table 8-7 describes the actions that are available in the Risk History window.
Table 8-7 Risk History actions
Undo Action Taken
  Symantec AntiVirus can undo the last action that was taken on a file or risk. This includes returning a file to its original location and state. Symantec AntiVirus cannot restore a file that has been permanently deleted. You cannot undo actions on compressed files.
Clean (viruses only)
  Symantec AntiVirus definitions files are frequently updated. A file that you could not clean yesterday or a few weeks ago might be able to be cleaned when the definitions file is updated. You cannot perform this action on compressed files or security risks.
Delete Permanently
  You can permanently delete any infected file (including a compressed file) that is stored in the Quarantine or Risk History. Permanently deleted files cannot be recovered. Note: For security risks, use this action with caution, because in some cases, deleting security risks can cause applications to lose functionality.
Move To Quarantine
  If you determine that Symantec AntiVirus has left an infected file alone, you should move the file to the Quarantine so that the virus is unable to spread. You can move compressed files and files that are affected by a security risk to the Quarantine. Security risks that are moved to the Quarantine are no longer active on your computer.
Export
  You can export information about a specific Risk History or Event Log item as a comma-separated value (.csv) file or as a Microsoft Access database (.mdb) file.
Properties
  You can view additional information about a specific Risk History item.

You can undo the last action that was taken on a risk, clean a file (viruses only), delete it permanently, or move a file to the Quarantine. For security risks, you can access a Symantec Security Response Web page for more information about the security risk. You can also export the Risk History data.
To undo the last action that was taken
1 Right-click a file, and then click Undo Action Taken.
2 In the Take Action dialog box, click Start Undo.
To clean a virus-infected file
1 Right-click a file, and then click Clean.
2 In the Take Action dialog box, click Start Clean.

To delete a file permanently
1 Right-click the file, and then click Delete Permanently.
2 In the Take Action dialog box, click Start Delete.
Permanently deleted files cannot be recovered.

To move a file to the Quarantine
1 Right-click the file, and then click Move To Quarantine.
2 In the Take Action dialog box, click Quarantine.

To see more information about a security risk
1 Double-click the entry to view its properties.
2 Click the link in the entry to view a Symantec Security Response Web page, which describes the security risk in detail and provides information about removal.

To export Risk History data
1 Right-click the file, and then click Export.
2 In the Save as type list, select one of the following:
  CSV (Comma Delimited) (*.csv)
  Access Database (*.mdb)
3 In the File name box, type a file name.
4 Click OK.

Viewing Risk properties

The Risk properties dialog box displays more information about a particular threat or security risk. Risk properties include all the actions that are taken to repair or remove a risk.

Table 8-8 lists the Risk properties icons.
Table 8-8 Risk properties icons (the icon images are not reproduced here; the descriptions are listed in table order)
- Represents a file infected by a virus.
- Represents a file or a COM object.
- Represents a registry object.
- Represents a process.
- Represents a batch file.
- Represents an .ini file.
- Represents a service.
To view Risk properties
1 Right-click a computer.
2 Click All Tasks > Symantec AntiVirus > Logs > Risk History.
3 In the Risk History dialog box, right-click a risk entry, and then click Properties.

Working with Tamper Histories

The Tamper History window displays information about the tampering problems that were found. You can view this information and save the data as a .csv or .mdb file.

Table 8-9 describes the Tamper History icon.

Table 8-9 Tamper History icon (the icon image is not reproduced here)
- Represents an attempt to tamper with a Symantec application.
To export the Tamper History data
1 Right-click the file, and then click Export.
2 In the Save as type list, select one of the following:
  CSV (Comma Delimited) (*.csv)
  Access Database (*.mdb)
3 In the File name box, type a file name.
4 Click OK.

Working with Virus Sweep Histories

In the Virus Sweep History window, you can view and delete the results of previous virus sweeps, and start a new virus sweep.

Note: Virus sweeps also scan for security risks.

To run a virus sweep from the Virus Sweep History
1 Click New Sweep.
2 In the Name box, type a name for the sweep.
3 If appropriate, click Options and set configuration options. The same configuration options are available for running a virus sweep as for running a manual scan. See Table 4-16 on page [page number missing in source].
4 To find viruses and security risks more quickly, select the options under Scan Enhancements.
5 Click Start.

Forwarding client and server logs

Symantec AntiVirus managed clients forward log data to their parent management servers. On managed clients, log forwarding runs continually. On sometimes-managed clients, log data accumulates between connections to their parent management servers. Symantec AntiVirus monitors the client logs and provides fault-tolerant forwarding of them.

The client logs are located in the following directory:
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus\7.5\Logs
Symantec AntiVirus tracks a client log throughout the forwarding process and handles delivery failures by resending the log when necessary.

You can configure events to forward from a client to its parent management server, or from a secondary management server to its primary management server.

Configuring log forwarding options

You can configure log forwarding options by editing the client log forwarding registry values. You can reset values to achieve a balance between the log delivery speed and network performance. You can also set the amount of data that Symantec AntiVirus forwards from clients.

Log forwarding behavior is controlled by the values in the following registry key:
HKLM\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Common\ForwardEvents

Table 8-10 describes the registry values for client log forwarding.

Table 8-10 Client log forwarding registry key values

Value: Interval
Data value: n
Description: Number of seconds between log record processing intervals. There is no minimum or maximum number.

Value: Count
Data value: n
Description: The number of records to process in each polling interval. There is no minimum or maximum number. The default is 10 records.

Configuring log events to forward

You can configure the events that you want Symantec AntiVirus to forward. Table 8-11 lists the client and server events in the order in which they appear in the Log Event Forwarding dialog box.

Table 8-11 Client and server events
(The original table has three columns: Event name, Forwarding required, and Forwarded by default. The check marks in the last two columns are not preserved in this copy; only the event names follow.)
- Scan stopped
- Scan started
- Virus definition update information
- Virus infections
- File not scanned
- New virus definitions applied
- Configuration change
- Service shutdown
- Service startup
- Virus definitions downloaded from parent
- File forwarded to Quarantine Server
- File forwarded to Symantec
- File backed-up/restored to/from Quarantine
- Scan aborted
- Error loading services
- Services loaded
- Services unloaded
- Scan delayed
- Scan restarted
- License in warning period
- License expired, invalid or does not exist
- License in grace period
- Unauthorized communication
- Log forwarding error
- License installed
- License valid
- Virus definition rollback
- Client running without virus definitions
- Tamper protection alert
- Login failed
- Login succeeded
- Unauthorized communication (with certificate info)
- AntiVirus installed
- Firewall installed
- Uninstall
- Uninstall rolled-back
- Primary Server created (root certificate created)
- Server added to Server Group (certificates issued)
- Trusted root certificate added or removed
- Server startup failed due to certificate problem
- Scan suspended
- Scan resumed
- Security risk detection started
- Security Risk detection operation
- Security Risk side effect repair pending
- Security Risk side effect repair failed
- Security Risk side effect repaired successfully
- Security Risk detection completed

You can configure the events that are forwarded from a client to its parent management server, or from a secondary management server to its primary management server.

Note: If you change primary management servers, the log from the former primary management server is not forwarded to the new primary management server.

To configure events to forward from clients to their parent management servers
1 In the Symantec System Center console, right-click a server, server group, or client, and then click All Tasks > Symantec AntiVirus > Logs > Client Log Forwarding.
2 In the Log Event Forwarding dialog box, for quicker configuration, you can display only certain items in the list by selecting one of the following pre-configured options from the drop-down list:
  All events (default)
  Scanning and infection events
  Virus definition events
  Management and configuration events
  Startup and shutdown events
  Licensing events
  Security related events
3 Check the events that you want the clients to forward to their parent management servers.
4 Click OK.
To configure events to forward from secondary management servers to their primary management servers
1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Logs > Server Log Forwarding.
2 In the Log Event Forwarding dialog box, for quicker configuration, you can display only certain items in the list by selecting one of the following pre-configured options from the drop-down list:
  All events (default)
  Scanning and infection events
  Virus definition events
  Management and configuration events
  Startup and shutdown events
  Licensing events
  Security related events
3 Check the events that you want the secondary management servers to forward to their primary management server.
4 Click OK.

Best practice: configuring events to forward for sometimes-managed clients

For sometimes-managed clients, as a best practice, you can create a separate client group. See Creating client groups on page 83.

After you create the client group for sometimes-managed clients, you can set log forwarding Windows registry values to do the following:
- Forward the Virus definitions update information event only.
- Poll at a high interval.
- Count at a low value.

See Table 8-10 on page 276.
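The registry pacing described in Table 8-10 and in the best-practice note above, as an added PowerShell example that is not part of the Symantec guide: it reads the Interval and Count values under the ForwardEvents key and, with -WhatIf support, raises the interval and lowers the count for a client in the sometimes-managed group. The key path and value names are the ones the guide documents; the function names, the DWORD value type, and the sample numbers (600 seconds, 5 records) are assumptions for illustration. Selecting which events to forward (for example, only Virus definition update information) is done in the Log Event Forwarding dialog box as described above; this script does not change event selection.

```powershell
# Added example (not from the Symantec guide): adjust client log forwarding
# pacing for a sometimes-managed client. The key path and the Interval/Count
# value names come from Table 8-10; the DWORD type and the chosen numbers are
# assumptions. Run from an elevated prompt on the client.
$KeyPath = 'HKLM:\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Common\ForwardEvents'

function Get-SavForwardingSettings {
    param([string]$Path = $KeyPath)
    if (-not (Test-Path -Path $Path)) {
        throw "Log forwarding key not found: $Path (is the Symantec AntiVirus client installed?)"
    }
    $props = Get-ItemProperty -Path $Path
    # Read the named values explicitly so a missing value shows up as $null
    # instead of being confused with PowerShell's intrinsic .Count member.
    [pscustomobject]@{
        Interval = $props.PSObject.Properties['Interval'].Value   # seconds between processing passes
        Count    = $props.PSObject.Properties['Count'].Value      # records per pass (guide default: 10)
    }
}

function Set-SavForwardingSettings {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][ValidateRange(1, 2147483647)][int]$IntervalSeconds,
        [Parameter(Mandatory)][ValidateRange(1, 2147483647)][int]$Count,
        [string]$Path = $KeyPath
    )
    $before = Get-SavForwardingSettings -Path $Path
    $change = "Set Interval=$IntervalSeconds Count=$Count (was Interval=$($before.Interval) Count=$($before.Count))"
    if ($PSCmdlet.ShouldProcess($Path, $change)) {
        # DWORD is assumed here; the guide only documents the values as "n".
        Set-ItemProperty -Path $Path -Name 'Interval' -Value $IntervalSeconds -Type DWord
        Set-ItemProperty -Path $Path -Name 'Count'    -Value $Count           -Type DWord
    }
    Get-SavForwardingSettings -Path $Path
}

# Usage: preview with -WhatIf, then apply. A long interval with a small count
# keeps intermittently connected clients from flooding the parent on reconnect.
# Get-SavForwardingSettings
# Set-SavForwardingSettings -IntervalSeconds 600 -Count 5 -WhatIf
# Set-SavForwardingSettings -IntervalSeconds 600 -Count 5
```

Because these are per-client registry values, apply the script through whatever mechanism you already use to push settings to the sometimes-managed client group, and confirm afterwards with Get-SavForwardingSettings that the parent is still receiving logs at an acceptable rate.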
Reviewing the forwarding status file

You can verify that a client log was forwarded and received by reviewing the default status log.

To verify that a client log was forwarded and received
1 Open the following folder:
  C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus\7.5
2 Use a text editor to open Fwdstat.log.

Deleting Histories and Event Logs

You can configure Symantec AntiVirus to automatically remove data that is older than a specified date from the Scan, Risk, Virus Sweep, and Tamper Histories, and from the Event Logs.

To set the delete frequency
1 In the Symantec System Center console, right-click a server, server group, or client, and then click All Tasks > Symantec AntiVirus > Configure History.
2 In the History Options dialog box, select the time period after which the Histories or Event Logs are deleted.
3 Check Apply settings to clients not in Groups to apply the settings to the selected client or clients under the selected server or server group that are not members of client groups.
4 Click OK.

This does not permanently remove data, but hides it in the History and Event Log views. To permanently delete History or Event Log records, delete the .log files that contain the event records. Events are recorded in .log files for each day of the week in a Logs directory. These files are named according to the day on which they were created.
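The two checks described above (reading Fwdstat.log to confirm forwarding, and removing daily .log files when records really must go) as an added PowerShell example that is not from the Symantec guide. It assumes the 7.5 data directory path the guide gives, treats a file's LastWriteTime as its day of creation (the guide names the files by day but does not give the naming pattern, so the pattern is not relied on), and uses a retention period you choose; the function names are illustrative.

```powershell
# Added example (not from the Symantec guide): show recent forwarding status
# and delete daily history .log files older than a retention period. Paths are
# the 7.5 locations the guide documents; the retention length and the use of
# LastWriteTime as the file's age are assumptions.
$SavDataDir = 'C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus\7.5'
$LogDir     = Join-Path -Path $SavDataDir -ChildPath 'Logs'
$StatusLog  = Join-Path -Path $SavDataDir -ChildPath 'Fwdstat.log'

function Show-SavForwardingStatus {
    param([int]$Tail = 20)
    if (-not (Test-Path -Path $StatusLog)) {
        Write-Warning "No forwarding status file at $StatusLog"
        return
    }
    # The last entries show whether recent client logs were forwarded and received.
    Get-Content -Path $StatusLog -Tail $Tail
}

function Get-SavExpiredLogs {
    param([int]$RetainDays = 30)
    $cutoff = (Get-Date).AddDays(-$RetainDays)
    if (-not (Test-Path -Path $LogDir)) {
        Write-Warning "Logs directory not found: $LogDir"
        return
    }
    Get-ChildItem -Path $LogDir -Filter '*.log' -File |
        Where-Object { $_.LastWriteTime -lt $cutoff }
}

function Remove-SavExpiredLogs {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$RetainDays = 30)
    $expired = @(Get-SavExpiredLogs -RetainDays $RetainDays)
    foreach ($file in $expired) {
        # Unlike the History Options setting, this removes the records for good,
        # so preview with -WhatIf and keep retention long enough for incident review.
        if ($PSCmdlet.ShouldProcess($file.FullName, "Delete history log older than $RetainDays days")) {
            Remove-Item -LiteralPath $file.FullName -Force
        }
    }
    $expired.Count
}

# Usage:
# Show-SavForwardingStatus
# Get-SavExpiredLogs -RetainDays 90 | Select-Object Name, LastWriteTime
# Remove-SavExpiredLogs -RetainDays 90 -WhatIf
# Remove-SavExpiredLogs -RetainDays 90
```

Run Show-SavForwardingStatus first: if the status file shows logs still waiting to be forwarded, deleting the daily files would discard records the parent server has not yet received.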
283 Index Numerics 64-bit operating systems definitions files 212 Internet support 177 using Continuous LiveUpdate 212 A Action Status for alerts 119 actions configuring 166 File System Auto-Protect 160, 168 security risks 162 viruses 161 Active Directory requirement for Discovery 30 adware 126 Alert Log Action Status 119 copying contents to Clipboard 118 deleting entries 117 displaying alerts in 116 filtering display list 119 viewing detailed information 118 Alert Management System about 99 alert forwarding for unmanaged clients 120 Alert Log 116 alert notification methods 99 configuring alert action messages 113 event threads 100 forwarding alerts to servers 121 limiting alert configuration network segments 102 alerts actions configuring 101 configuring messages 113 deleting actions from alerts 115 export status 116 exporting to other computers 115 testing 114 alerts (continued) actions (continued) viewing export status 116 configuring Broadcast 104 default messages 114 paging services 107 SNMP traps 109 forwarding to AMS2 servers 121 message parameters 113 size limitation 113 antivirus and security risk protection 18 antivirus client configuration using Grc.dat 18 audits determining network security 39 labeling items and rerunning audits 44 Auto-Protect about 130 advanced options 152 configuring 143 scanning 175 resetting options at different levels 143 scanning about 130 configuring for mail applications 143 options 133 SmartScan 145 Automatic enabler 155 B backup files 155 blended threats 126 Bloodhound scanning 156 Broadcast alert configuration 104 C cache discovering computers from 34 Discovery Clear Cache Now setting 34 file options 154
284 284 Index cache (continued) finding computers in local cache 36 Normal Discovery address cache comparisons 30 server names and IP addresses in Symantec System Center console 30 client communication 91 client configuration, enabling direct 89 client groups adding clients to 84 configuration change priority 54 configuring settings for 84 creating 83 deciding whether to manage with 52 deleting 87 dragging and dropping clients to move them 85 filtering client group view 86 finding settings 84 in Symantec AntiVirus console view 25 moving clients between 85 renaming 87 running tasks 84 scenario 57 settings 84 viewing 85 ClientRemote tool 56 clients about antivirus protection for 18 adding to client groups 84 assigned and unassigned 51 Auto-Protect options for 150, 157, 166, 171 changing between unmanaged and managed 90 check-in time 89 configuring check-in intervals 89 configuring expiration disabling scheduled scans 197 editing or deleting scheduled scans 197 forcing definitions file updates 225 log forwarding registry values 276 moving between client groups 85 settings when the client group is deleted 87 viewing virus list 231 with intermittent connectivity 89 compressed files scanning configuration 183 computers finding by using an IP address range 37 by using computer names 35 by using network search 37 by using TCP/IP 35 computers (continued) finding (continued) computers that run antivirus software from other vendors 41 computers that run unmanaged antivirus client or server software 43 in local cache 36 syncing to 43 unprotected 39 with outdated definitions 231 configuration change priority 54 scan options about 128 on multiple selected computers 132 sharing in server and client groups 51 console refreshing 39 starting 22 Continuous LiveUpdate changing registry values to enable 228 configuring for managed clients 227 CPU utilization options for scheduled and manual scans 182 D data columns Symantec AntiVirus view 25 definitions files controlling deployment 230 
displaying out-of-date or missing warning 204 finding computers with outdated definitions 231 forcing updates on all unlocked servers 213 on clients 226 on servers 214 Intelligent Updater 218 legacy clients 210 LiveUpdate 215 rolling back 231 rollouts 230 update methods 210 verifying dates 231 verifying version numbers 231 delete frequency setting for Histories and Event Logs 281 dialers 126 Discovery about Discovery types 28
285 Index 285 Discovery (continued) Intense 29 Load from cache only 29 Local 29 Normal 30 Discovery Service changing the Discovery Cycle interval 35 configuring 33 Discovery Cycle configuration 35 how it works 28 how to find NetWare computers 31 Intense Discovery limitations 29 IP Discovery 29 running 31 why Discovery may not find computers 35 WINS or Active Directory requirement 30 within octets or subnet masks 102 drag-and-drop operation adding a client to a client group 84 moving a client from one client group to another 85 moving a server between server groups 58, 64 E scan configuration for Lotus Notes 143 Event Logs deleting 281 filtering data 262 forwarding 276 icons 264 setting delete frequency 281 sorting data 262 types 261 event threads 100 events forwarding from clients and servers 276 exceptions for security risks 164 exclusions from scanning 138 export command for roaming client support 256 export status viewing of alert actions 116 F failover servers for roaming clients 254 files backing up before repairing 155 cache options 154 cleaning infected 268, 272 deleting infected 268, 272 files (continued) excluding from scanning 135 exclusions and inclusions 138 exclusions for NetWare 134 moving to Quarantine 269, 272 undoing action taken 268, 271 G Grc.dat 64 changing parent management servers 64 configuring antivirus clients 18 copying to a client computer 91 enabling and configuring roaming clients 255 forwarding alerts to AMS2 servers 121 Grc.dat files 52 group settings 57 H hack tools 127 heuristic scanning 156 Hierarchical Storage Management (HSM) settings configuration 186 Histories about 259 deleting 281 filtering data 262 Risk History actions 271 Risk History icons 270 Scan Histories 266 Scan History actions 268 Scan History icons 267 setting delete frequency 281 sorting data 262 Tamper Histories 274 types 261 viewing 264 Virus Sweep Histories 275 History and Event Log data exporting to Microsoft Access 271 filtering 262 host name resolution I 
icons Risk History 269 Risk properties 273 Scan History 266 Symantec System Center 19
286 286 Index icons (continued) Tamper History 274 inclusions for scanning 138 infected message notifications to senders 206 infected files cleaning 272 deleting 272 infections, managing 235 Intense Discovery 34 Intense Discovery, about 29 IP address range 37 IP Discovery 29 J joke programs 127 L legacy client update definitions files 210 legacy clients managing 88 LiveUpdate configuring servers to retrieve from Symantec FTP site 216 setting client policy for 229 using with internal LiveUpdate server 217 LiveUpdate servers configuring internally for managed clients 226 Load an NLM alert configuration 105 load balancing for roam servers 254 Load from cache only Discovery 29 Local Discovery 29, 34 locating found items in the Symantec System Center console 38 log event forwarding 276 login certificate configuring key size 47 lifetime about 44 configuring 45 Lotus Notes scan configuration 143 M managed clients changing to unmanaged clients 90 configuring Continuous LiveUpdate for 227 configuring for internal LiveUpdate servers 226 mobile clients 89 management server configuration for the Virus Definition Transport Method 213 manual scans 180 Message Box alert configuration 103 mobile client management 89 N NetWare excluding ifolder 134 finding NetWare servers 31 network auditing options 40 Normal Discovery 30 notifications configuring 170 detection options 169 File System Auto-Protect 168 remediation options 169 user interaction with 172 Nsctop.exe 27 O Other risk category 127 P pager message configuration 109 paging services configuring alerting 107 for AMS2 109 parent management server 64 See also servers 64 passwords scanning mapped drives 201 uninstallation 201 Ping Discovery Service 28 primary management servers 50, 64 program folder 54 Q Quarantine moving files to 269, 272 purging suspicious files from 239 R Refresh feature 39 registry values changing to enable Continuous LiveUpdate 228
287 Index 287 registry values (continued) for client log forwarding 276 for roaming clients 257 remote access programs 127 restore communication 67, 91 risk detection 125 Risk History about 261 icons and actions 269 sorting columns 262 Risk History data exporting 272 Risk properties icons 273 Risk Tracer 154, 159 Risks tracing 159 RoamAdmn.exe about 248 command-line options 256 roaming client support configuring for clients 254 from Symantec System Center console 252 how it works 248 roaming clients about 247 analyzing and mapping antivirus network 250 components 248 creating hierarchical server list 251 enabling and configuring with Grc.dat 255 export command 256 failover servers for 254 implementing 249 registry values 257 server list 248 roaming servers example 255 identifying 250 level Run Program alert configuration 104 S SavRoam.exe about command-line options 256 Scan History icons 266 sorting columns 262 Scan History data exporting 268 scan results user interaction with 172 scans assigning actions 142 Bloodhound 156 configuring Auto-Protect scans 143 exclusions 138 for compressed files 183 inclusions 138 manual scans 180 dimmed or missing options 133 displaying warning message on client options File System Auto-Protect 143 manual scans 180 precedence 133 scheduled scans 192 to exclude files from scanning 135 options for connected clients 201 paused 199 recommended file extensions 138 scheduled scans allowing user to pause or stop 199 configuring 195 deleting 197 disabling 197 editing 197 running on demand 198 selecting files and folders to scan 139 setting Auto-Protect for files 143 CPU utilization options 182 options on multiple selected computers 132 snoozed 199 startup 202 stopped 199 triggered 202 user-defined scheduled 203 scheduled scans configuring 192 deleting 197 secondary management servers 50 security risks 125 Send Internet Mail alert configuration 106
288 288 Index Send Page alert configuring 107 paging service 107 server groups configuration change priority 54 creating 59 deciding whether to manage with 52 deleting 63 filtering views 63 how to view 62 locking and unlocking 59 moving servers to a new server group 65 refreshing the console 39 renaming 63 resetting the admin password 59 restoring communcation with 67 scenario 57 selecting primary management server for 22 viewing 62 servers Auto-Protect options 150, 157, 166, 170 changing parent management servers 64 changing primary management servers 64 configuring management servers by using the Virus Definition Transport Method 213 disabling scheduled scans 197 dragging and dropping to move between server groups 58, 65 editing or deleting scheduled scans 197 grouping into server groups 58 identifying best parent for roaming clients 247 moving to a new server group 65 parent management servers 51 primary management servers 50 secondary management servers 50 viewing in console 39 risk list for 231 SmartScan 145 spyware 127 subnet, IP Discovery for 29 Symantec System Center changing views 23 console views 23 icons 19 locating found items 38 populating the console 27 product management snap-ins 23 refreshing the console 39 Symantec System Center (continued) saving console settings 24 starting 22 System Hierarchy display 19 System Hierarchy configuration change priority 54 data columns in Default Console View 24 description 21 icon 19 T Tamper History about 261 exporting data 275 icon 274 Tamper Protection about 78 management 78 message fields 82 messages 81 threats blended 126 throttling options 182 time discrepancy tolerance configuration between clients and servers 45 tracking submissions Symantec Security Response 245 Trackware 127 Trojan horses 126 U uninstallation password 201 unmanaged clients alert forwarding 120 changing to managed clients 90 creating a custom.hst file for LiveUpdate 226 finding with network audits 39 update definitions files for 
distribution 219 update definitions files for legacy clients 210 user access levels user account management 68 V viewing Alert Log 116 client groups 85 Histories 264 server groups 62
289 Index 289 viewing (continued) virus list 231 views changing 24 filtering server group 63 Symantec System Center console 23 virus alerts 245 Virus Definition Transport Method configuring management servers by using 213 updating NetWare servers 215 virus list 231 virus sweep History 261, 265 running in response to outbreaks 235 viruses W warning message adding to infected message 206 displaying on infected computer 204 example 205 for scanning 175, 177 WINS requirement for Discovery 30 worms 126
Symantec AntiVirus Corporate Edition Patch Update
Symantec AntiVirus Corporate Edition Patch Update Symantec AntiVirus Corporate Edition Update Documentation version 10.0.1.1007 Copyright 2005 Symantec Corporation. All rights reserved. Symantec, the Symantec
Symantec Endpoint Protection Small Business Edition 12.1.2 Installation and Administration Guide
Symantec Endpoint Protection Small Business Edition 12.1.2 Installation and Administration Guide Symantec Endpoint Protection Small Business Edition Installation and Administration Guide The software described
Altiris Patch Management Solution for Windows 7.1 SP2 from Symantec User Guide
Altiris Patch Management Solution for Windows 7.1 SP2 from Symantec User Guide Altiris Patch Management Solution for Windows 7.1 SP2 from Symantec User Guide The software described in this book is furnished
Symantec Response Assessment module Installation Guide. Version 9.0
Symantec Response Assessment module Installation Guide Version 9.0 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide
Symantec Database Security and Audit 3100 Series Appliance Getting Started Guide Symantec Database Security and Audit 3100 Series Getting Started Guide The software described in this book is furnished
Veritas Operations Manager Package Anomaly Add-on User's Guide 4.1
Veritas Operations Manager Package Anomaly Add-on User's Guide 4.1 November 2011 Veritas Operations Manager Package Anomaly Add-on User's Guide The software described in this book is furnished under a
Altiris IT Analytics Solution 7.1 SP1 from Symantec User Guide
Altiris IT Analytics Solution 7.1 SP1 from Symantec User Guide Altiris IT Analytics Solution 7.1 from Symantec User Guide The software described in this book is furnished under a license agreement and
Symantec Security Information Manager 4.5 Administrator's Guide
Symantec Security Information Manager 4.5 Administrator's Guide Symantec Security Information Manager 4.5 Administrator's Guide The software described in this book is furnished under a license agreement
Symantec Endpoint Protection Integration Component 7.5 Release Notes
Symantec Endpoint Protection Integration Component 7.5 Release Notes Symantec Endpoint Protection Integration Component 7.5 Release Notes Legal Notice Copyright 2013 Symantec Corporation. All rights reserved.
Email Encryption. Administrator Guide
Email Encryption Administrator Guide Email Encryption Administrator Guide Documentation version: 1.0 Legal Notice Copyright 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo,
Symantec Security Information Manager 4.8 Release Notes
Symantec Security Information Manager 4.8 Release Notes Symantec Security Information Manager 4.8 Release Notes The software described in this book is furnished under a license agreement and may be used
Symantec Protection Engine for Cloud Services 7.0 Release Notes
Symantec Protection Engine for Cloud Services 7.0 Release Notes Symantec Protection Engine for Cloud Services Release Notes The software described in this book is furnished under a license agreement and
Symantec Protection for SharePoint Servers 6.0.4 Implementation Guide
Symantec Protection for SharePoint Servers 6.0.4 Implementation Guide for Microsoft SharePoint 2003/2007 Symantec Protection for SharePoint Servers Implementation Guide The software described in this book
Symantec System Recovery 2011 Management Solution Administrator's Guide
Symantec System Recovery 2011 Management Solution Administrator's Guide Symantec System Recovery 2011 Management Solution Administrator's Guide The software described in this book is furnished under a
Getting started. Symantec AntiVirus Business Pack. About Symantec AntiVirus. Where to find information
Getting started Symantec AntiVirus Business Pack Copyright 2004 Symantec Corporation. All rights reserved. Printed in the U.S.A. 03/04 Symantec and the Symantec logo are U.S. registered trademarks of Symantec
Getting started. Symantec AntiVirus Corporate Edition. About Symantec AntiVirus. How to get started
Getting started Symantec AntiVirus Corporate Edition Copyright 2004 Symantec Corporation. All rights reserved. Printed in the U.S.A. 03/04 10223881 Symantec and the Symantec logo are U.S. registered trademarks
Symantec Enterprise Security Manager Patch Policy Release Notes
Symantec Enterprise Security Manager Patch Policy Release Notes Symantec Enterprise Security Manager Patch Policy Release Notes The software described in this book is furnished under a license agreement
Getting started. Symantec AntiVirus Corporate Edition 8.1 for Workstations and Network Servers
Getting started Symantec AntiVirus Corporate Edition 8.1 for Workstations and Network Servers Copyright 2003 Symantec Corporation. All rights reserved. Printed in the U.S.A. 03/03 Symantec and the Symantec
Symantec Enterprise Security Manager Oracle Database Modules Release Notes. Version: 5.4
Symantec Enterprise Security Manager Oracle Database Modules Release Notes Version: 5.4 Symantec Enterprise Security Manager Oracle Database Modules Release Notes The software described in this book is
Symantec NetBackup OpenStorage Solutions Guide for Disk
Symantec NetBackup OpenStorage Solutions Guide for Disk UNIX, Windows, Linux Release 7.6 Symantec NetBackup OpenStorage Solutions Guide for Disk The software described in this book is furnished under a
Symantec Mobile Management 7.2 MR1Quick-start Guide
Symantec Mobile Management 7.2 MR1Quick-start Guide Symantec Mobile Management 7.2 MR1 Quick-start Guide The software described in this book is furnished under a license agreement and may be used only
Veritas Operations Manager LDom Capacity Management Add-on User's Guide 4.1
Veritas Operations Manager LDom Capacity Management Add-on User's Guide 4.1 November 2011 Veritas Operations Manager LDom Capacity Management Add-on User's Guide The software described in this book is
Symantec Patch Management Solution for Windows 7.5 SP1 powered by Altiris User Guide
Symantec Patch Management Solution for Windows 7.5 SP1 powered by Altiris User Guide Altiris Patch Management Solution for Windows 7.5 SP1 from Symantec User Guide The software described in this book is
Symantec Endpoint Protection Small Business Edition Implementation Guide
Symantec Endpoint Protection Small Business Edition Implementation Guide Symantec Endpoint Protection Small Business Edition Implementation Guide The software described in this book is furnished under
Backup Exec Cloud Storage for Nirvanix Installation Guide. Release 2.0
Backup Exec Cloud Storage for Nirvanix Installation Guide Release 2.0 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the
Symantec Endpoint Protection Getting Started Guide
Symantec Endpoint Protection Getting Started Guide 12167130 Symantec Endpoint Protection Getting Started Guide The software described in this book is furnished under a license agreement and may be used
Getting Started with Symantec Endpoint Protection
Getting Started with Symantec Endpoint Protection 20983668 Getting Started with Symantec Endpoint Protection The software described in this book is furnished under a license agreement and may be used only
Client Guide for Symantec Endpoint Protection and Symantec Network Access Control
Client Guide for Symantec Endpoint Protection and Symantec Network Access Control Client Guide for Symantec Endpoint Protection and Symantec Network Access Control The software described in this book is
Symantec Event Collector 4.3 for SNARE for Windows Quick Reference
Symantec Event Collector 4.3 for SNARE for Windows Quick Reference Symantec Event Collector for SNARE for Windows Quick Reference The software described in this book is furnished under a license agreement
Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide
Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Windows Server 2003, Windows Server 2008 5.1 Service Pack 1 Veritas Cluster Server Database Agent for Microsoft SQL Configuration
Symantec Endpoint Protection Getting Started Guide
Symantec Endpoint Protection Getting Started Guide 13740352 Symantec Endpoint Protection Getting Started Guide The software described in this book is furnished under a license agreement and may be used
Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP
Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP. The software
Altiris Asset Management Suite 7.1 from Symantec User Guide
Altiris Asset Management Suite 7.1 from Symantec User Guide Altiris Asset Management Suite 7.1 from Symantec User Guide The software described in this book is furnished under a license agreement and may
Symantec Mail Security for Microsoft Exchange
Symantec Mail Security for Microsoft Exchange Getting Started Guide v7.0 Symantec Mail Security for Microsoft Exchange Getting Started Guide The software described in this book is furnished under a license
Altiris Monitor Solution for Servers 7.1 SP1from Symantec User Guide
Altiris Monitor Solution for Servers 7.1 SP1from Symantec User Guide Altiris Monitor Solution for Servers 7.1 SP1from Symantec User Guide The software described in this book is furnished under a license
Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control
Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control The software described in
Altiris Asset Management Suite 7.1 SP2 from Symantec User Guide
Altiris Asset Management Suite 7.1 SP2 from Symantec User Guide Altiris Asset Management Suite 7.1 SP2 from Symantec User Guide The software described in this book is furnished under a license agreement
Altiris Monitor Solution for Servers 7.1 SP1 and Event Console 7.1 MR1 from Symantec Release Notes
Altiris Monitor Solution for Servers 7.1 SP1 and Event Console 7.1 MR1 from Symantec Release Notes Altiris Monitor Solution for Servers 7.1 SP1 and Event Console 7.1 MR1 from Symantec Release Notes The
Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide
Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Windows 2000, Windows Server 2003 5.0 11293743 Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Copyright
Altiris Monitor Solution for Servers 7.5 from Symantec User Guide
Altiris Monitor Solution for Servers 7.5 from Symantec User Guide Altiris Monitor Solution for Servers 7.5 from Symantec User Guide The software described in this book is furnished under a license agreement
Symantec Management Platform Installation Guide. Version 7.0
Symantec Management Platform Installation Guide Version 7.0 Symantec Management Platform Installation Guide The software described in this book is furnished under a license agreement and may be used only
Symantec Secure Email Proxy Administration Guide
Symantec Secure Email Proxy Administration Guide Documentation version: 4.4 (2) Legal Notice Copyright 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo
Veritas Operations Manager Advanced 5.0 HSCL Pack 1 Release Notes
Veritas Operations Manager Advanced 5.0 HSCL Pack 1 Release Notes November 2012 Veritas Operations Manager Advanced Release Notes The software described in this book is furnished under a license agreement
Symantec Critical System Protection 5.2.9 Agent Guide
Symantec Critical System Protection 5.2.9 Agent Guide Symantec Critical System Protection Agent Guide The software described in this book is furnished under a license agreement and may be used only in
Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide
Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide Windows Server 2003, Windows Server 2008 and 2008 R2 6.0 September 2011 Symantec ApplicationHA Agent for
Symantec NetBackup for Lotus Notes Administrator's Guide
Symantec NetBackup for Lotus Notes Administrator's Guide for UNIX, Windows, and Linux Release 7.5 Symantec NetBackup for Lotus Notes Administrator's Guide The software described in this book is furnished
Veritas Operations Manager Release Notes. 3.0 Rolling Patch 1
Veritas Operations Manager Release Notes 3.0 Rolling Patch 1 Veritas Operations Manager Release Notes The software described in this book is furnished under a license agreement and may be used only in
Recovering Encrypted Disks Using Windows Preinstallation Environment. Technical Note
Recovering Encrypted Disks Using Windows Preinstallation Environment Technical Note Preface Documentation version Documentation version: 11.0, Release Date: Legal Notice Copyright Symantec Corporation.
NetBackup Backup, Archive, and Restore Getting Started Guide
NetBackup Backup, Archive, and Restore Getting Started Guide UNIX, Windows, and Linux Release 6.5 Veritas NetBackup Backup, Archive, and Restore Getting Started Guide Copyright 2007 Symantec Corporation.
Symantec Enterprise Vault
Symantec Enterprise Vault Setting up SMTP Archiving 10.0 Symantec Enterprise Vault: Setting up SMTP Archiving The software described in this book is furnished under a license agreement and may be used
bv-control for Active Directory v8.50 User Guide
bv-control for Active Directory v8.50 User Guide bv-control for Active Directory v8.50 bv-control for Active Directory User Guide The software described in this book is furnished under a license agreement
Symantec Enterprise Security Manager Modules. Release Notes
Symantec Enterprise Security Manager Modules for MS SQL Server Databases Release Notes Release 4.1 for Symantec ESM 9.0.x and 10.0 For Windows 2000/2008 and Windows Server 2003 Symantec Enterprise Security
Symantec bv-control for Microsoft Exchange 9.0 Getting Started Guide
Symantec bv-control for Microsoft Exchange 9.0 Getting Started Guide Symantec bv-control for Microsoft Exchange 9.0 Getting Started Guide The software described in this book is furnished under a license
Symantec Mail Security for Microsoft Exchange Management Pack Integration Guide
Symantec Mail Security for Microsoft Exchange Management Pack Integration Guide Symantec Mail Security for Microsoft Exchange Management Pack Integration Guide The software described in this book is furnished
Symantec Security Information Manager 4.5 Installation Guide
Symantec Security Information Manager 4.5 Installation Guide PN: 10912602 Symantec Security Information Manager 4.5 Installation Guide The software described in this book is furnished under a license agreement
Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide
Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide for Windows Release 7.5 Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide The software described in this
Symantec ApplicationHA agent for Microsoft Exchange 2010 Configuration Guide
Symantec ApplicationHA agent for Microsoft Exchange 2010 Configuration Guide Windows on Hyper-V 6.1 February 2014 Symantec ApplicationHA agent for Microsoft Exchange 2010 Configuration Guide The software
Symantec Event Collector 3.6 for Blue Coat Proxy Quick Reference
Symantec Event Collector 3.6 for Blue Coat Proxy Quick Reference Symantec Event Collector for Blue Coat Proxy Quick Reference The software described in this book is furnished under a license agreement
Symantec Enterprise Vault Technical Note
Symantec Enterprise Vault Technical Note Configuring Internal and External WebApp URLs for OWA 2007 SP4 and later Symantec Enterprise Vault: Configuring Internal and External WebApp URLs for OWA The software
PGP Desktop Version 10.2 for Mac OS X Maintenance Pack Release Notes
PGP Desktop Version 10.2 for Mac OS X Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of PGP
Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide
Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Windows Server 2003, Windows Server 2008 5.1 Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Copyright
