Symantec Client Security Administrator's Guide

Transcription

1 Symantec Client Security Administrator's Guide

2 Symantec Client Security Administrator's Guide The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version 3.1 Legal Notice Copyright 2006 Symantec Corporation. All rights reserved. Federal acquisitions: Commercial Software - Government Users Subject to Standard License Terms and Conditions. Symantec, the Symantec logo, LiveUpdate, Norton AntiVirus, Symantec AntiVirus, Symantec Client Firewall, Symantec Client Security, Symantec Security Response, and Symantec System Center are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be "commercial computer software" and "commercial computer software documentation" as defined in FAR Sections and DFARS Section Symantec Corporation Stevens Creek Blvd. Cupertino, CA USA

3 Technical Support Contacting Technical Support Symantec Technical Support maintains support centers globally. Technical Support s primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantec s maintenance offerings include the following: A range of support options that give you the flexibility to select the right amount of service for any size organization A telephone and web-based support that provides rapid response and up-to-the-minute information Upgrade insurance that delivers automatic software upgrade protection Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program Advanced features, including Technical Account Management For information about Symantec s Maintenance Programs, you can visit our Web site at the following URL: Select your country or language under Global Support. The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you are using. Customers with a current maintenance agreement may access Technical Support information at the following URL: Select your region or language under Global Support. Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.

4 When you contact Technical Support, please have the following information available: Product release level Hardware information Available memory, disk space, and NIC information Operating system Version and patch level Network topology Router, gateway, and IP address information Problem description: Error messages and log files Troubleshooting that was performed before contacting Symantec Recent software configuration changes and network changes Licensing and registration Customer service If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: Select your region or language under Global Support, and then select the Licensing and Registration page. Customer service information is available at the following URL: Select your country or language under Global Support. Customer Service is available to assist with the following types of issues: Questions regarding product licensing or serialization Product registration updates such as address or name changes General product information (features, language availability, local dealers) Latest information about product updates and upgrades Information about upgrade insurance and maintenance contracts Information about the Symantec Value License Program

5 Advice about Symantec's technical support options Nontechnical presales questions Issues that are related to CD-ROMs or manuals Maintenance agreement resources Additional Enterprise services If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows: Asia-Pacific and Japan: Europe, Middle-East, and Africa: North America and Latin America: Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following: Symantec Early Warning Solutions Managed Security Services Consulting Services Educational Services These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur. These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats. Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources. Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs. To access more information about Enterprise services, please visit our Web site at the following URL:

6 Select your country or language from the site index.

7 Contents Technical Support Section 1 Chapter 1 Managing Symantec Client Security Symantec Client Security basics About Symantec Client Security About the Symantec System Center Symantec System Center console icons Using the Symantec System Center Starting the Symantec System Center Selecting a primary management server for a server group About console views Changing console views Saving console settings Customizing console view columns Showing when clients are offline Showing client Auto-Protect status Showing client infection state About refreshing the console About the Discovery Service How Discovery works Types of Discovery Discovery Service requirement for WINS or Active Directory NetWare computers and the Discovery Service Running the Discovery Service Configuring the Discovery Service to use IP addresses Configuring the Discovery Service Configuring the Discovery Cycle interval Using the Find Computer feature Finding computers using a local cache search Finding computers using a network search Locating found items in the Symantec System Center console Using the Refresh feature Auditing computers... 44

8 8 Contents Configuring login certificates Configuring login certificate lifetime and time tolerance Configuring login certificate key size Chapter 2 Managing Symantec Client Security About servers About primary management servers About secondary management servers About parent management servers About server groups and client groups Deciding whether to use server groups, client groups, or both Client groups and configuration priority How settings propagate Server and client group scenario Using server groups to manage Best practice: installing a secondary management server Creating server groups Locking and unlocking server groups Viewing and filtering server groups Renaming server groups Deleting server groups Changing primary management servers Changing parent management servers Moving a server to a different server group Restoring client communication when a primary server is lost Managing user accounts for server groups Configuring options for Windows Security Center (WSC) Configuring the out-of-date time for definitions Configuring alerts to appear on the host computer Configuring Symantec Client Security to disable Windows Security Center Optimizing server performance Optimizing definitions and configuration rollouts Monitoring clients Using Tamper Protection Enabling, disabling, and configuring Tamper Protection Creating Tamper Protection messages Using client groups to manage Creating client groups Adding clients to a client group... 83

9 Contents 9 Configuring settings and running tasks at the client group level About client group settings Moving a client to a different client group Viewing and filtering client groups Renaming client groups Deleting client groups Using client group settings instead of server group settings Managing clients Managing legacy clients Enabling direct client configuration Handling clients with intermittent connectivity Changing the management mode of a client Chapter 3 Alert Management System About the Alert Management System How Alert Management System works Configuring alert actions Alert configuration tasks Speeding up alert configuration Configuring the Message Box alert action Configuring the Broadcast alert action Configuring the Run Program alert action Configuring the Load An NLM alert action Configuring the Send Internet Mail alert action About paging services Configuring the Send Page alert action Configuring the Send SNMP Trap alert action Configuring the Write To Event Log alert action About configuring alert action messages Configuring a default alert message Working with configured alerts Testing configured alert actions Deleting an alert action from an alert Exporting alert actions to other computers Using the Alert Management System Alert Log Viewing detailed alert information Filtering the Alert Log display list Forwarding alerts from unmanaged clients

10 10 Contents Section 2 Chapter 4 Configuring antivirus protection Scanning for viruses and security risks About viruses and security risks About Symantec Client Security scans About the automatic exclusion of Microsoft Exchange files and directories About the global exclusion of security risks from scans Understanding Auto-Protect scans About manual scans About virus sweep scans About scheduled scans Selecting computers to scan About inclusions and exclusions in scans Configuring file and folder inclusions and exclusions Configuring global security risk exclusions About actions for viruses and security risks that scans detect Configuring Auto-Protect About propagating Auto-Protect settings Locking and unlocking Auto-Protect options Configuring File System Auto-Protect Configuring Auto-Protect scanning for groupware applications Configuring Auto-Protect scanning for Internet Configuring manual scans Configuring actions for manual scans Configuring notifications for manual scans Creating and configuring scheduled scans Creating scheduled scans Configuring scheduled scans Managing the client user experience Enabling users to pause, snooze, or stop scheduled scans Preventing or allowing users to unload Symantec AntiVirus services Changing the password that is required to uninstall Changing the password that is required to scan mapped drives Modifying scanning options for clients Displaying a warning when definitions are out of date or missing Managing warnings and notifications about infected files

11 Contents 11 Chapter 5 Chapter 6 Updating definitions About definitions Ensure that all definitions are current Definitions files update methods Best practice: Using the Virus Definition Transport Method and LiveUpdate together Best practice: Using Continuous LiveUpdate on 64-bit computers Updating definitions files on servers Updating and configuring servers using the Virus Definition Transport Method Updating servers using LiveUpdate Updating servers with Intelligent Updater About using Central Quarantine polling to update servers Minimizing network traffic and handling missed updates Updating definitions files on clients Forcing definitions files on clients to update immediately Configuring managed clients to use an internal LiveUpdate server Enabling and configuring Continuous LiveUpdate for managed clients Setting LiveUpdate usage policies Controlling definitions file deployment Finding computers with outdated definitions files Verifying the version number of definitions files Viewing the risk list Rolling back definitions files Testing definitions files Scenarios for definitions updates About scanning after updating definitions files Responding to virus outbreaks Preparing for virus outbreaks Creating a virus outbreak plan Defining Symantec Client Security actions for handling suspicious files Configuring automatic Quarantine purge options Registry settings for Quarantine Purge options Forwarding items to the Quarantine Server Enabling scan and deliver Configuring actions to take when new definitions arrive Handling a virus outbreak on your network

12 12 Contents Using alerts and messages Running a virus sweep Tracking virus alerts using reporting, Event Logs, and Histories Tracking submissions to Symantec Security Response with Central Quarantine Console Chapter 7 Chapter 8 Managing roaming clients About roaming clients Roaming client components How roaming works Implementing roaming Analyzing and mapping your Symantec Client Security network Identifying servers for each hierarchical level Creating a list of level 0 Symantec Client Security servers Creating a hierarchical list of Symantec Client Security servers Configuring roaming client support options from the Symantec System Center console Configuring additional roaming client support for roam servers Command-line options Registry values Working with Histories and Event Logs About Histories and Event Logs Sorting and filtering History and Event Log data About Event Log icons Viewing Histories Working with Histories Working with Scan Histories Working with Risk Histories Viewing Risk properties Working with Tamper Histories Working with Virus Sweep Histories Forwarding client and server logs Configuring log forwarding options Configuring log events to forward Best practice: configuring events to forward for sometimes-managed clients Reviewing the forwarding status file

13 Contents 13 Deleting Histories and Event Logs Section 3 Chapter 9 Configuring Symantec Client Security firewall protection Managing policies About policies Policy categories Properties Rules prules prule settings Zones Locations IPS signatures IPS settings Macros Client Settings Web Content settings Profiling options File version settings About predefined policies and updates Configuring policies and updates Creating and opening policies and updates Adding and editing policy descriptions Saving policies and updates Importing and exporting policies and updates About importing and exporting About importing and exporting rules and prules About importing and exporting Locations About importing and exporting Location Awareness settings About importing and saving the default client policy file Merging rules and prules in policy files Distributing policies How policy distribution affects Locations, rules, and settings Using Symantec System Center to distribute policy files Using the policy file import/export utility Supporting policies for legacy clients Configuring policies for legacy clients Merging rules in legacy policy files

14 14 Contents Chapter 10 Chapter 11 Using Location Awareness and Zones Using Locations Configuring required Location information Implementing Location Awareness Deleting Locations Editing Locations and NetSpecs Using Network Zones Adding computers to Zones Copying Zones to other Locations About locking Zones Excluding computers from AutoBlock Deleting locked and unlocked Zones when exporting policies Creating and testing rules About rules Rule categories Rule types Rule processing order Elements of a rule About stateful inspection About UDP connections Working with firewall rules Creating rules Displaying rules by Location Adding rules to different Locations Deleting rules Configuring rule lock settings Ignoring inbound and outbound NetBIOS Name rules About updating rulebases on Symantec Client Firewall Using port groups Adding named port groups Deleting named port groups Using address groups Adding named address groups Deleting named address groups Incorporating Secure Port About testing firewall settings Testing firewall rules, prules, and Zones

15 Contents 15 Chapter 12 Chapter 13 Using prules About prules prules and rule lock settings Using a digest value to identify a program Priority of prule evaluation Program rules and prules Guidelines for using prules Viewing Symantec-supplied prules Creating and editing prules Selectively disabling auto-create Configuring Ignore File Name Matching Configuring Ignore Digest Values Specifying the program identity for a prule Adding or editing match names for a prule Configuring match criteria Adding a rule to a prule Configuring prule lock settings About Location-aware prules Creating prule exceptions for Locations Configuring prules to support Active Directory Using Profiling to generate prules and NetSpecs Profiling overview Enabling Profiling in policy files About exporting the policy file to clients Viewing and saving profiled data with Symantec System Center Retrieving profiled information Processing profiled firewall rule exceptions Processing profiled connections Refreshing profiled data About working with.csv files Customizing Intrusion Prevention About the Intrusion Prevention System Supporting different versions of IPS engines and signatures Excluding attack signatures from being blocked Configuring AutoBlock Locking IPS exclusions and IP addresses

16 16 Contents Chapter 14 Chapter 15 Chapter 16 Managing client log data About logging Setting the logging level Viewing Event Logs from the Symantec System Center Displaying logs Filtering log data Sorting log data Understanding Event Log icons Creating network rulebases Choosing an implementation approach Considering implementation options Using the Trusted Zone approach Using the network-level firewall approach Using the program-level firewall approach Implementing network rulebases Implementing Trusted Zones Implementing network-level firewalls Implementing program-level firewalls Configuring an initial network rulebase Fine-tuning and troubleshooting rulebases Configuring a default-permit rulebase Configuring user interaction Configuring Client Settings and Web Content settings About Client Settings General settings Global settings User Interface settings Tray Menu Options settings Windows Integration settings Firewall settings Advanced Firewall Options settings Intrusion Prevention settings Privacy Control settings Ad Blocking settings Alert Customization settings About Configure Alerting How Configure Alerting affects settings Setting Configure Alerting options About Miscellaneous Notifications

17 Contents 17 About permissions General permissions Client Firewall Operation permissions Client Firewall Configuration permissions Intrusion Prevention permissions Miscellaneous permissions Setting user access levels for legacy clients About Protocol Filtering Default Protocol Filtering settings VPN protocols Web Content settings Global Settings User Settings Ad Blocking settings Index

18 18 Contents

19 Section 1 Managing Symantec Client Security Symantec Client Security basics Managing Symantec Client Security Alert Management System

20 20

21 Chapter 1 Symantec Client Security basics This chapter includes the following topics: About Symantec Client Security About the Symantec System Center Using the Symantec System Center About the Discovery Service Running the Discovery Service Using the Find Computer feature Configuring login certificates About Symantec Client Security Symantec Client Security provides scalable, cross-platform firewall protection, intrusion prevention, protection from viruses and security risks, and repair of viral and security risk side effects for workstations. For network servers, it provides protection from viruses and security risks, and repairs their side effects. Symantec Client Security lets you do the following: Establish and enforce antivirus, security risk, and firewall security policies. Retrieve content updates, such as virus and security risk definitions, and intrusion prevention signatures. Quarantine and delete live viruses. Analyze logged events.

22 22 Symantec Client Security basics About the Symantec System Center Create pre-defined and customizable graphical reports that are based on Symantec Client Security security information from your network. Symantec Client Security product components and system requirements, including the protocols and ports that are used for Symantec Client Security, are described in the Symantec Client Security Installation Guide. The Symantec Client Security client software provides antivirus and security risk protection, as well as firewall protection, for networked and non-networked computers. The Symantec AntiVirus client software protects the 32-bit and the supported 64-bit computers that run supported Windows versions. Symantec Client Firewall software is not supported on 64-bit computers. The term, Symantec Client Security, refers to both the Symantec Client Security server and the Symantec Client Security client software. Computers that run Symantec Client Security server software might be required to do so because of system requirements. Computers that run Symantec Client Security server software are not required to act as management servers. The Symantec Client Security server software can manage other computers that run Symantec Client Security and supported legacy versions of Norton AntiVirus Corporate Edition. It can also push configuration updates, as well as virus and security risk definitions file updates, to these clients. The Symantec Client Security server software also provides antivirus and security risk protection for the computers on which it runs. Note: The Symantec AntiVirus server software is not supported on 64-bit computers. About the Symantec System Center By using the Symantec System Center, you can manage network security by performing administrative operations such as the following: Installing antivirus and security risk protection on workstations and network servers. Installing firewall and intrusion protection on workstations. Updating Symantec Client Security definitions. Managing Symantec Client Security servers and clients. Managing content licensing, if you use a content license rather than a site license for your computers. See the Content Licensing chapter in the Symantec Client Security Installation Guide.

23 Symantec Client Security basics About the Symantec System Center 23 In addition to the Symantec System Center, you can also use Grc.dat configuration files to configure Symantec Client Security clients. You can use configuration files if you want to use a third-party tool to remotely configure your network. The following information about the Symantec System Center is not included in this guide: Information about the configuration and use of reporting functionality is in the Reporting User's Guide. Information about the configuration and use of endpoint compliance functionality is in the Endpoint Compliance Implementation Guide. Symantec System Center console icons When the Symantec System Center runs, it displays a system hierarchy of server groups, client groups, and the servers that the icons represent. The icons appear in an expandable hierarchy in the Symantec System Center console. The Symantec System Center uses icons to represent the different states of computers that are running Symantec managed products. For example, if the server group icon in the server group view appears with a padlock icon, the server group must be unlocked with its password before you can configure or run scans for the computers in the server group. Table 1-1 describes the Symantec System Center icons. Table 1-1 Icon Symantec System Center icons Icon descriptions Highest level object representing the system hierarchy, which contains all server groups. Unlocked server group or client group. Compare this icon to the locked server group icon. For security reasons, all server groups default to locked when you start the Symantec System Center. Locked server group. You must enter a password before you can view the computers in the server group to configure and run updates and scans. An issue needs to be resolved in this server group. For example, there may not be a primary management server that is assigned to the server group or a server may have detected a virus or security risk.

24 24 Symantec Client Security basics About the Symantec System Center Table 1-1 Icon Symantec System Center icons (continued) Icon descriptions A security risk, such as adware or spyware, was detected on a computer in this server group. Note: If Symantec Client Security detects both a virus and a security risk on the same computer, the virus icon appears. Symantec Client Security server running on a supported computer. Compare this icon to the next one, which is the primary management server for the server group. Symantec Client Security primary management server running on a supported computer. Unavailable Symantec Client Security server. This icon appears when communication is severed between the Symantec Client Security server and the Symantec System Center console. The communication error may result from one of several different causes. For example, the server system is not running; the Symantec software has been removed; the server, client, and Symantec System Center system times are out of sync; or there could be a network failure between the console and the system. A virus was detected on the computer that is running Symantec Client Security server. A security risk, such as adware or spyware, was detected on the computer that is running Symantec Client Security server. If Symantec Client Security detects both a virus and a security risk on the same computer, the virus icon appears. Symantec Client Security client running on a supported Windows computer. If you use Symantec endpoint compliance, this icon also indicates that this client computer is compliant. When you select this computer, you view options only on that computer. A virus was detected on the computer that is running Symantec Client Security client. Note: Client infection state will not display in the Symantec System Center console unless you enable that option under Tools > SSC Console Options, on the Virus Alert Filter tab.

25 Symantec Client Security basics Using the Symantec System Center 25 Table 1-1 Icon Symantec System Center icons (continued) Icon descriptions A security risk, such as adware or spyware, was detected on the computer that is running Symantec Client Security client. If Symantec Client Security detects both a virus and a security risk on the same computer, the virus icon appears. An issue needs to be resolved with this client. For example, virus and security risk definitions files may be out of date or the client group to which the client was assigned may be no longer valid. The status field in the Symantec System Center console indicates the actual problem. This computer, which runs Symantec Client Security client software, has access to the network, but failed an endpoint compliance audit. You may want to examine why it failed and take action to remediate the problem. The computer, which runs Symantec Client Security client software, failed an endpoint compliance check. The computer, which runs Symantec Client Security client software, is not currently connected to the network. This situation could occur because the server, client, and Symantec System Center system times are out of sync. You must enable a setting for the Symantec System Center console to show when clients are not connected to the network. Using the Symantec System Center The system hierarchy in the Symantec System Center console is the top level that contains all server groups and client groups. Note: The system hierarchy is not populated until you install at least one Symantec Client Security server. Starting the Symantec System Center Start the Symantec System Center when you want to manage Symantec Client Security.

26 26 Symantec Client Security basics Using the Symantec System Center To start the Symantec System Center On the Windows taskbar, click Start > Programs > Symantec System Center Console > Symantec System Center Console. The Symantec System Center opens to the Default Console View. Figure 1-1 The Symantec System Center console Console tree tab Top server group level Contents of object selected in tree appear in right pane Locked server group Unlocked server group Client groups Note: Viewing the Symantec System Center console from a terminal session is not supported. Selecting a primary management server for a server group If you have not already done so, the first thing that you must do to use Symantec System Center is to assign a primary management server for the server group that you created at the time of installation. You must specify a server in the server group as the primary management server; no server is specified as the primary management server by default. Until you specify a primary management server, you cannot perform most Symantec product management operations. After promoting a server to primary and installing additional secondary management servers, you should remove and archive the server group private key from the pki\private-keys directory that is located under the Symantec Client Security directory that you selected at the time of installation.

27 Symantec Client Security basics Using the Symantec System Center 27 For more information, see the Symantec Client Security Reference Guide. When you select a server group object in the Symantec System Center console and set options, the settings are saved to the primary management server in the server group. Other servers in the server group also use the new configuration. Computers that are running any of the following operating systems can be primary management servers: Windows 2000 Server/Advanced Server/Professional Windows Server 2003 Web/Standard/Enterprise/Datacenter Editions Windows XP Professional The primary management server plays an important role, so select a stable server that is always running. To select the primary management server for a server group About console views Changing console views Right-click the server that you want to be the primary management server, and then click Make Server A Primary Server. Each product management snap-in makes a new product view available within the Symantec System Center console. For example, when you install the Symantec AntiVirus management snap-in, the Symantec AntiVirus view is added, which includes the fields that are related to Symantec Client Security, such as Last Scan and Definitions. Unless you change the view, the Symantec System Center console displays the Default Console View. The other views available depend upon which managed Symantec Client Security snap-ins you have installed. To change console views Saving console settings 1 In the left pane, right-click an object, such as System Hierarchy. 2 On the View menu, in the list that appears at the bottom of the menu, click a view. When you close the Symantec System Center, you are prompted to save Microsoft Management Console (MMC) console settings for the Symantec System Center.

28 28 Symantec Client Security basics Using the Symantec System Center This process has no effect on the Symantec Client Security configuration changes that you make when you use the Symantec System Center. To save console settings Do one of the following: Click Yes if you want to see the same console view the next time that you launch the Symantec System Center. Click No if you want to see the last saved view the next time you launch the Symantec System Center. Customizing console view columns The columns that appear in the right pane change based on the selected view. When System Hierarchy is selected, the Default Console View includes the following data columns: Name Status Primary Server Valid State Table 1-2 lists the data columns in the Symantec AntiVirus view. Table 1-2 Data columns in the Symantec AntiVirus view Level selected in left pane Data columns that appear in right pane System hierarchy Server group Server Group Status Definition Sharing Newest Definitions Status of Server Updates Server Type Status Last Scan Definitions Version Scan Engine Address Status of Client Updates

29 Symantec Client Security basics Using the Symantec System Center 29 Table 1-2 Data columns in the Symantec AntiVirus view (continued) Level selected in left pane Data columns that appear in right pane Groups (for client groups) Group Name Configuration Change Date Number of Clients Client group or server Client User, including the domain that authenticated the user Status Last Scan Definitions Version Scan Engine Address Group Server Table 1-3 lists the data columns in the Symantec Client Firewall view. Table 1-3 Data columns in the Symantec Client Firewall view Level selected in left pane Data columns that appear in right pane System hierarchy Server Group Status Server group Server Type Status Version Server Policy File Server Policy Rollout Time Client Policy File Client Policy Rollout Time Address Groups (for client groups) Group Client Policy File Client Policy Rollout Time Number of clients

30 30 Symantec Client Security basics Using the Symantec System Center Table 1-3 Data columns in the Symantec Client Firewall view (continued) Level selected in left pane Data columns that appear in right pane Client group or server Client User, including the domain that authenticated the user Status Version Policy File Policy Rollout Time Address Group Server You can rearrange the order of the columns to better suit your needs. To customize the columns in a view 1 In the left pane, under Symantec System Center, select an object. 2 On the View menu, in the list that appears at the bottom of the menu, select the view that you want to customize. 3 On the View menu at the top of the Symantec System Center window, click Choose Columns. 4 In the Modify Columns dialog box, use the Add, Remove, Move Up, and Move Down buttons to customize your view as needed, or use Reset to return the settings to the last saved state. Showing when clients are offline You can configure the Symantec System Center console to show when computers running Symantec Client Security client software are not currently connected to the network. The icon in the last row of Table 1-1 indicates that the client is offline. To show when clients are offline 1 On the Tools menu, click SSC Console Options. 2 In the SSC Console Options Properties dialog box, on the Client Display tab, under Client Configuration Options, check Indicate when clients are offline. This option is unchecked by default.

31 Symantec Client Security basics Using the Symantec System Center 31 Showing client Auto-Protect status You can configure the Symantec Client Security client or server icon to appear on the Windows system tray. Showing client infection state The icon shows a client or server's Auto-Protect status as follows: When Auto-Protect is enabled, the icon appears as a full shield. When you right-click the icon, a check mark appears before Enable Auto-Protect. When Auto-Protect is disabled, the icon is covered by a universal no sign (a red circle with a diagonal slash). When you right-click the icon, no check mark appears before Enable Auto-Protect. You can configure the Symantec System Center to display client infection state that is based on client check-in data on the Symantec System Center console. This option is disabled by default. To show client infection state on the Symantec System Center console 1 On the Tools menu, click SSC Console Options. 2 In the SSC Console Options Properties dialog box, on the Virus Alert Filter tab, check Display the infected state of each client that is based on client check-in data. 3 To configure how long the information displays, use the arrows or type the number of days you want virus infection data to remain on the Symantec System Center console. By default, the console does not display the infections that occurred more than three days ago. 4 To reset the Symantec System Center to display client infection state from the current time forward, check Don t show virus alerts before:, and then click Set to Current Time. Note: Use the reporting console for more comprehensive and up-to-date infection status. For information about the reporting console, see the Reporting User's Guide. About refreshing the console At the first startup of a newly installed Symantec System Center console, the console pings the network to find all available computers that run Symantec Client Security server software. As soon as the servers respond, they are added to the

32 32 Symantec Client Security basics About the Discovery Service console. Connected workstations running a managed Symantec client product are added when their parent management server is selected in the console tree. If you start the servers that are running a manageable Symantec product while the Symantec System Center is already running, you may need to locate the servers by using the Find Computer feature or by running the Discovery Service so that they appear in the server group view. See Using the Find Computer feature on page 40. You can also use Discovery to locate network computers on which Symantec Client Security is not installed. See About the Discovery Service on page 32. About the Discovery Service How Discovery works The Symantec System Center console runs a single service: the Symantec System Center Discovery Service (Nsctop.exe). This service is responsible for discovering the computers running Symantec Client Security server software that appear in the Symantec System Center console. The Discovery Service also populates the Symantec System Center console with the objects in the hierarchy. From the Symantec System Center console, you can select any object beneath the console root, and then choose Discovery Service from the Tools menu to perform a new Discovery of servers. To discover computers on the network, a computer that runs the Symantec System Center sends several pings to the network. The pings are UDP broadcasts to port The ping program verifies that the remote computer exists and can accept requests. When Symantec Client Security servers and AMS2 servers that run the Ping Discovery Service (Intel PDS) hear a ping, they respond with pong packets. Only antivirus servers are discovered by using this ping and pong mechanism. Symantec Client Security finds client information by querying the server for its client information. Clients ping the server to get the port number that the server's Rtvscan listens on. The client's Rtvscan can then send its keep-alive packet to the parent server's Rtvscan, and communication can begin. The keep-alive packet contains information such as the following: Date of the computer's virus definitions files When the computer was last infected

33 Symantec Client Security basics About the Discovery Service 33 Firewall version Time-stamp of the firewall policy If the firewall is installed, enabled, and whether there was an error importing the last policy sent If the firewall policy on the server and client differ IP pings are sent to the remote computer running Symantec Client Security server software to determine what type of protocol it uses. The data from the computer that runs Symantec Client Security client software is stored on the computer that runs Symantec Client Security server software that is the client's parent management server. The Symantec System Center console reads each parent management server's registry to get the data that it displays in the console. Following the completion of this process, Normal Discovery runs. Types of Discovery Symantec System Center uses the following types of Discovery: Load from cache only (with or without using IP Discovery) Local Discovery (with or without using IP Discovery) Intense Discovery (with or without using IP Discovery) Normal Discovery (not user-initiated) Table 1-4 describes the types of Discovery that Symantec Client Security uses: Table 1-4 Type Discovery types Description What follows Load from cache only Load from cache only offers the most basic type of Discovery. It tries to refresh all of the servers for which the Symantec System Center console address cache contains information. Each server is then sent a series of pings to see if the server checks back in, and to refresh information on the console. Load from cache only reduces traffic on the network when you launch the Symantec System Center. In most cases, you may find that choosing Load from cache only finds all of the servers that you need to add to the Symantec System Center console. Normal Discovery

34 34 Symantec Client Security basics About the Discovery Service Table 1-4 Discovery types (continued) Type Description What follows Local Discovery (default) In Local Discovery, a ping packet is broadcast over the local subnet of the computer that runs the Symantec System Center console. Intel PDS services that run on servers on the local subnet reply with pong data. Load from cache only Normal Discovery Local Discovery generates less ping noise, but is limited to the local subnet. Local Discovery works very well on small subnets. In very large subnets, you might obtain better results by using Intense Discovery. Intense Discovery Intense Discovery walks My Network Places on the local Windows computer and attempts to resolve all computers that it finds into a network address. When it has the network address, it attempts to send ping requests. You can configure whether Intense Discovery walks the NetWare or Microsoft branches of the network tree, or both. Local Discovery Load from cache only Normal Discovery The ability of Intense Discovery to locate computers is limited by several factors: the availability of a Windows Internet Naming Service (WINS) server or Active Directory, network subnet and router configuration, DNS configuration, and Microsoft domain and workgroup configuration. Searching by IP address range in most cases is not affected by these factors. For this reason, you may want to use IP Discovery.

35 Symantec Client Security basics About the Discovery Service 35 Table 1-4 Discovery types (continued) Type Description What follows Normal Discovery The Symantec System Center console broadcasts to all servers that are in unlocked server groups. Normal Discovery queries the primary management server of the server group for the list of secondary management servers in its address cache. Runs automatically after other types of Discovery; not user-initiated. The Symantec System Center console address cache stores information for all servers that have ever reported to it. The primary management server address cache contains information for every server within the server group. The address cache includes the names of all secondary management servers and their IP addresses. The Symantec System Center console compares its own address cache with the address cache sent by the primary management server. When a mismatch is identified, the console pings the associated server. When the pong data returns, it is added to all other servers in the list. In this way, Normal Discovery can identify every server in the server group and attempt to resolve information conflicts between parent management servers. You can configure Load from cache only, Local Discovery, and Intense Discovery to use IP Discovery by using either an IP address or an IP subnet address range. You may want to use IP Discovery only periodically to discover computers across the network. After the computers are in the address cache, you can then use the Load from cache only method. Discovery Service requirement for WINS or Active Directory The Discovery Service requires the use of Windows Internet Naming Service (WINS) or Active Directory name resolution. If you attempt to run the Discovery Service in an environment where WINS or Active Directory is not available, you need to find at least one computer running Symantec Client Security server on your network first. To find the computer, you can use the Find Computer feature or the Importer tool. See Using the Find Computer feature on page 40. See the Symantec Client Security Reference Guide for information about the Importer tool.

36 36 Symantec Client Security basics Running the Discovery Service NetWare computers and the Discovery Service The Discovery Service may not find NetWare computers that are running IP only. To find the computers that are not located by the Discovery Service, you can use the Find Computer feature. See Using the Find Computer feature on page 40. Running the Discovery Service You initiate all types of Discovery in the Symantec System Center console. Note: The Discovery Service uses WINS or Active Directory when it browses for new computers that run Symantec Client Security. If you are trying to discover new computers in an environment in which WINS or Active Directory is unavailable, you may want to run the Find Computer feature or the Importer tool first. See Using the Find Computer feature on page 40. See the Symantec Client Security Reference Guide for information about the Importer tool. Configuring the Discovery Service to use IP addresses You can run the Discovery Service and find servers with or without including IP addresses and subnets. To configure the Discovery Service to use IP addresses 1 In the left pane, select any object below the console root. 2 On the Tools menu, click Discovery Service.

37 Symantec Client Security basics Running the Discovery Service 37 3 In the Discovery Service Properties window, on the Advanced tab, check Enable IP Discovery. Once Enable IP Discovery is checked, an IP Discovery session runs whenever you run an Intense Discovery. To run any type of Discovery without also running IP Discovery, uncheck Enable IP Discovery. You can also access IP Discovery functionality in the Find Computer dialog box. 4 In the Scan Type list, select one of the following: IP Address: The console pings every computer in the range of IP addresses. IP Subnet: The console broadcasts to each subnet. 5 In the Beginning of range and End of range boxes, type the addresses. 6 If you clicked IP Subnet, type the subnet mask to refine the search. IP Address search results appear in the lower portion of the Find Computer dialog box. IP Subnet search results are displayed in the Symantec System Center console status bar.