Symantec Client Security Administrator's Guide


The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 3.1

Legal Notice

Copyright 2006 Symantec Corporation. All rights reserved.

Federal acquisitions: Commercial Software - Government Users Subject to Standard License Terms and Conditions.

Symantec, the Symantec logo, LiveUpdate, Norton AntiVirus, Symantec AntiVirus, Symantec Client Firewall, Symantec Client Security, Symantec Security Response, and Symantec System Center are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be "commercial computer software" and "commercial computer software documentation" as defined in FAR Sections and DFARS Section

Symantec Corporation
Stevens Creek Blvd.
Cupertino, CA
USA

Technical Support

Contacting Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's maintenance offerings include the following:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and web-based support that provides rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
- Advanced features, including Technical Account Management

For information about Symantec's Maintenance Programs, visit our Web site and select your country or language under Global Support. The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you are using.

Customers with a current maintenance agreement may access Technical Support information on our Web site; select your region or language under Global Support.

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.

When you contact Technical Support, please have the following information available:
- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description: error messages and log files; troubleshooting that was performed before contacting Symantec; recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page, select your region or language under Global Support, and then select the Licensing and Registration page.

Customer service

Customer service information is available on our Web site; select your country or language under Global Support. Customer Service is available to assist with the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade insurance and maintenance contracts
- Information about the Symantec Value License Program
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
- Asia-Pacific and Japan:
- Europe, Middle-East, and Africa:
- North America and Latin America:

Additional Enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following:
- Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
- Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
- Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
- Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site and select your country or language from the site index.

Contents

Technical Support

Section 1  Managing Symantec Client Security

Chapter 1  Symantec Client Security basics
- About Symantec Client Security
- About the Symantec System Center
- Symantec System Center console icons
- Using the Symantec System Center
- Starting the Symantec System Center
- Selecting a primary management server for a server group
- About console views
- Changing console views
- Saving console settings
- Customizing console view columns
- Showing when clients are offline
- Showing client Auto-Protect status
- Showing client infection state
- About refreshing the console
- About the Discovery Service
- How Discovery works
- Types of Discovery
- Discovery Service requirement for WINS or Active Directory
- NetWare computers and the Discovery Service
- Running the Discovery Service
- Configuring the Discovery Service to use IP addresses
- Configuring the Discovery Service
- Configuring the Discovery Cycle interval
- Using the Find Computer feature
- Finding computers using a local cache search
- Finding computers using a network search
- Locating found items in the Symantec System Center console
- Using the Refresh feature
- Auditing computers
- Configuring login certificates
- Configuring login certificate lifetime and time tolerance
- Configuring login certificate key size

Chapter 2  Managing Symantec Client Security
- About servers
- About primary management servers
- About secondary management servers
- About parent management servers
- About server groups and client groups
- Deciding whether to use server groups, client groups, or both
- Client groups and configuration priority
- How settings propagate
- Server and client group scenario
- Using server groups to manage
- Best practice: installing a secondary management server
- Creating server groups
- Locking and unlocking server groups
- Viewing and filtering server groups
- Renaming server groups
- Deleting server groups
- Changing primary management servers
- Changing parent management servers
- Moving a server to a different server group
- Restoring client communication when a primary server is lost
- Managing user accounts for server groups
- Configuring options for Windows Security Center (WSC)
- Configuring the out-of-date time for definitions
- Configuring alerts to appear on the host computer
- Configuring Symantec Client Security to disable Windows Security Center
- Optimizing server performance
- Optimizing definitions and configuration rollouts
- Monitoring clients
- Using Tamper Protection
- Enabling, disabling, and configuring Tamper Protection
- Creating Tamper Protection messages
- Using client groups to manage
- Creating client groups
- Adding clients to a client group
- Configuring settings and running tasks at the client group level
- About client group settings
- Moving a client to a different client group
- Viewing and filtering client groups
- Renaming client groups
- Deleting client groups
- Using client group settings instead of server group settings
- Managing clients
- Managing legacy clients
- Enabling direct client configuration
- Handling clients with intermittent connectivity
- Changing the management mode of a client

Chapter 3  Alert Management System
- About the Alert Management System
- How Alert Management System works
- Configuring alert actions
- Alert configuration tasks
- Speeding up alert configuration
- Configuring the Message Box alert action
- Configuring the Broadcast alert action
- Configuring the Run Program alert action
- Configuring the Load An NLM alert action
- Configuring the Send Internet Mail alert action
- About paging services
- Configuring the Send Page alert action
- Configuring the Send SNMP Trap alert action
- Configuring the Write To Event Log alert action
- About configuring alert action messages
- Configuring a default alert message
- Working with configured alerts
- Testing configured alert actions
- Deleting an alert action from an alert
- Exporting alert actions to other computers
- Using the Alert Management System Alert Log
- Viewing detailed alert information
- Filtering the Alert Log display list
- Forwarding alerts from unmanaged clients

Section 2  Configuring antivirus protection

Chapter 4  Scanning for viruses and security risks
- About viruses and security risks
- About Symantec Client Security scans
- About the automatic exclusion of Microsoft Exchange files and directories
- About the global exclusion of security risks from scans
- Understanding Auto-Protect scans
- About manual scans
- About virus sweep scans
- About scheduled scans
- Selecting computers to scan
- About inclusions and exclusions in scans
- Configuring file and folder inclusions and exclusions
- Configuring global security risk exclusions
- About actions for viruses and security risks that scans detect
- Configuring Auto-Protect
- About propagating Auto-Protect settings
- Locking and unlocking Auto-Protect options
- Configuring File System Auto-Protect
- Configuring Auto-Protect scanning for groupware applications
- Configuring Auto-Protect scanning for Internet
- Configuring manual scans
- Configuring actions for manual scans
- Configuring notifications for manual scans
- Creating and configuring scheduled scans
- Creating scheduled scans
- Configuring scheduled scans
- Managing the client user experience
- Enabling users to pause, snooze, or stop scheduled scans
- Preventing or allowing users to unload Symantec AntiVirus services
- Changing the password that is required to uninstall
- Changing the password that is required to scan mapped drives
- Modifying scanning options for clients
- Displaying a warning when definitions are out of date or missing
- Managing warnings and notifications about infected files

Chapter 5  Updating definitions
- About definitions
- Ensure that all definitions are current
- Definitions files update methods
- Best practice: Using the Virus Definition Transport Method and LiveUpdate together
- Best practice: Using Continuous LiveUpdate on 64-bit computers
- Updating definitions files on servers
- Updating and configuring servers using the Virus Definition Transport Method
- Updating servers using LiveUpdate
- Updating servers with Intelligent Updater
- About using Central Quarantine polling to update servers
- Minimizing network traffic and handling missed updates
- Updating definitions files on clients
- Forcing definitions files on clients to update immediately
- Configuring managed clients to use an internal LiveUpdate server
- Enabling and configuring Continuous LiveUpdate for managed clients
- Setting LiveUpdate usage policies
- Controlling definitions file deployment
- Finding computers with outdated definitions files
- Verifying the version number of definitions files
- Viewing the risk list
- Rolling back definitions files
- Testing definitions files
- Scenarios for definitions updates
- About scanning after updating definitions files

Chapter 6  Responding to virus outbreaks
- Preparing for virus outbreaks
- Creating a virus outbreak plan
- Defining Symantec Client Security actions for handling suspicious files
- Configuring automatic Quarantine purge options
- Registry settings for Quarantine Purge options
- Forwarding items to the Quarantine Server
- Enabling scan and deliver
- Configuring actions to take when new definitions arrive
- Handling a virus outbreak on your network
- Using alerts and messages
- Running a virus sweep
- Tracking virus alerts using reporting, Event Logs, and Histories
- Tracking submissions to Symantec Security Response with Central Quarantine Console

Chapter 7  Managing roaming clients
- About roaming clients
- Roaming client components
- How roaming works
- Implementing roaming
- Analyzing and mapping your Symantec Client Security network
- Identifying servers for each hierarchical level
- Creating a list of level 0 Symantec Client Security servers
- Creating a hierarchical list of Symantec Client Security servers
- Configuring roaming client support options from the Symantec System Center console
- Configuring additional roaming client support for roam servers
- Command-line options
- Registry values

Chapter 8  Working with Histories and Event Logs
- About Histories and Event Logs
- Sorting and filtering History and Event Log data
- About Event Log icons
- Viewing Histories
- Working with Histories
- Working with Scan Histories
- Working with Risk Histories
- Viewing Risk properties
- Working with Tamper Histories
- Working with Virus Sweep Histories
- Forwarding client and server logs
- Configuring log forwarding options
- Configuring log events to forward
- Best practice: configuring events to forward for sometimes-managed clients
- Reviewing the forwarding status file
- Deleting Histories and Event Logs

Section 3  Configuring Symantec Client Security firewall protection

Chapter 9  Managing policies
- About policies
- Policy categories
- Properties
- Rules
- prules
- prule settings
- Zones
- Locations
- IPS signatures
- IPS settings
- Macros
- Client Settings
- Web Content settings
- Profiling options
- File version settings
- About predefined policies and updates
- Configuring policies and updates
- Creating and opening policies and updates
- Adding and editing policy descriptions
- Saving policies and updates
- Importing and exporting policies and updates
- About importing and exporting
- About importing and exporting rules and prules
- About importing and exporting Locations
- About importing and exporting Location Awareness settings
- About importing and saving the default client policy file
- Merging rules and prules in policy files
- Distributing policies
- How policy distribution affects Locations, rules, and settings
- Using Symantec System Center to distribute policy files
- Using the policy file import/export utility
- Supporting policies for legacy clients
- Configuring policies for legacy clients
- Merging rules in legacy policy files

Chapter 10  Using Location Awareness and Zones
- Using Locations
- Configuring required Location information
- Implementing Location Awareness
- Deleting Locations
- Editing Locations and NetSpecs
- Using Network Zones
- Adding computers to Zones
- Copying Zones to other Locations
- About locking Zones
- Excluding computers from AutoBlock
- Deleting locked and unlocked Zones when exporting policies

Chapter 11  Creating and testing rules
- About rules
- Rule categories
- Rule types
- Rule processing order
- Elements of a rule
- About stateful inspection
- About UDP connections
- Working with firewall rules
- Creating rules
- Displaying rules by Location
- Adding rules to different Locations
- Deleting rules
- Configuring rule lock settings
- Ignoring inbound and outbound NetBIOS Name rules
- About updating rulebases on Symantec Client Firewall
- Using port groups
- Adding named port groups
- Deleting named port groups
- Using address groups
- Adding named address groups
- Deleting named address groups
- Incorporating Secure Port
- About testing firewall settings
- Testing firewall rules, prules, and Zones

Chapter 12  Using prules
- About prules
- prules and rule lock settings
- Using a digest value to identify a program
- Priority of prule evaluation
- Program rules and prules
- Guidelines for using prules
- Viewing Symantec-supplied prules
- Creating and editing prules
- Selectively disabling auto-create
- Configuring Ignore File Name Matching
- Configuring Ignore Digest Values
- Specifying the program identity for a prule
- Adding or editing match names for a prule
- Configuring match criteria
- Adding a rule to a prule
- Configuring prule lock settings
- About Location-aware prules
- Creating prule exceptions for Locations
- Configuring prules to support Active Directory
- Using Profiling to generate prules and NetSpecs
- Profiling overview
- Enabling Profiling in policy files
- About exporting the policy file to clients
- Viewing and saving profiled data with Symantec System Center
- Retrieving profiled information
- Processing profiled firewall rule exceptions
- Processing profiled connections
- Refreshing profiled data
- About working with .csv files

Chapter 13  Customizing Intrusion Prevention
- About the Intrusion Prevention System
- Supporting different versions of IPS engines and signatures
- Excluding attack signatures from being blocked
- Configuring AutoBlock
- Locking IPS exclusions and IP addresses

Chapter 14  Managing client log data
- About logging
- Setting the logging level
- Viewing Event Logs from the Symantec System Center
- Displaying logs
- Filtering log data
- Sorting log data
- Understanding Event Log icons

Chapter 15  Creating network rulebases
- Choosing an implementation approach
- Considering implementation options
- Using the Trusted Zone approach
- Using the network-level firewall approach
- Using the program-level firewall approach
- Implementing network rulebases
- Implementing Trusted Zones
- Implementing network-level firewalls
- Implementing program-level firewalls
- Configuring an initial network rulebase
- Fine-tuning and troubleshooting rulebases
- Configuring a default-permit rulebase
- Configuring user interaction

Chapter 16  Configuring Client Settings and Web Content settings
- About Client Settings
- General settings
- Global settings
- User Interface settings
- Tray Menu Options settings
- Windows Integration settings
- Firewall settings
- Advanced Firewall Options settings
- Intrusion Prevention settings
- Privacy Control settings
- Ad Blocking settings
- Alert Customization settings
- About Configure Alerting
- How Configure Alerting affects settings
- Setting Configure Alerting options
- About Miscellaneous Notifications
- About permissions
- General permissions
- Client Firewall Operation permissions
- Client Firewall Configuration permissions
- Intrusion Prevention permissions
- Miscellaneous permissions
- Setting user access levels for legacy clients
- About Protocol Filtering
- Default Protocol Filtering settings
- VPN protocols
- Web Content settings
- Global Settings
- User Settings
- Ad Blocking settings

Index

Section 1  Managing Symantec Client Security

- Chapter 1: Symantec Client Security basics
- Chapter 2: Managing Symantec Client Security
- Chapter 3: Alert Management System


Chapter 1  Symantec Client Security basics

This chapter includes the following topics:
- About Symantec Client Security
- About the Symantec System Center
- Using the Symantec System Center
- About the Discovery Service
- Running the Discovery Service
- Using the Find Computer feature
- Configuring login certificates

About Symantec Client Security

Symantec Client Security provides scalable, cross-platform firewall protection, intrusion prevention, protection from viruses and security risks, and repair of viral and security risk side effects for workstations. For network servers, it provides protection from viruses and security risks, and repairs their side effects.

Symantec Client Security lets you do the following:
- Establish and enforce antivirus, security risk, and firewall security policies.
- Retrieve content updates, such as virus and security risk definitions, and intrusion prevention signatures.
- Quarantine and delete live viruses.
- Analyze logged events.

- Create pre-defined and customizable graphical reports that are based on Symantec Client Security security information from your network.

Symantec Client Security product components and system requirements, including the protocols and ports that are used by Symantec Client Security, are described in the Symantec Client Security Installation Guide.

The Symantec Client Security client software provides antivirus and security risk protection, as well as firewall protection, for networked and non-networked computers. The Symantec AntiVirus client software protects 32-bit and supported 64-bit computers that run supported Windows versions. Symantec Client Firewall software is not supported on 64-bit computers.

The term Symantec Client Security refers to both the Symantec Client Security server and the Symantec Client Security client software. Some computers must run the Symantec Client Security server software because of system requirements; running the server software does not by itself make a computer a management server. The Symantec Client Security server software can manage other computers that run Symantec Client Security and supported legacy versions of Norton AntiVirus Corporate Edition. It can also push configuration updates, as well as virus and security risk definitions file updates, to these clients. The Symantec Client Security server software also provides antivirus and security risk protection for the computers on which it runs.

Note: The Symantec AntiVirus server software is not supported on 64-bit computers.

About the Symantec System Center

By using the Symantec System Center, you can manage network security by performing administrative operations such as the following:
- Installing antivirus and security risk protection on workstations and network servers.
- Installing firewall and intrusion prevention on workstations.
- Updating Symantec Client Security definitions.
- Managing Symantec Client Security servers and clients.
- Managing content licensing, if you use a content license rather than a site license for your computers. See the Content Licensing chapter in the Symantec Client Security Installation Guide.

In addition to the Symantec System Center, you can also use Grc.dat configuration files to configure Symantec Client Security clients. You can use configuration files if you want to use a third-party tool to remotely configure your network.

The following information about the Symantec System Center is not included in this guide:
- Information about the configuration and use of reporting functionality is in the Reporting User's Guide.
- Information about the configuration and use of endpoint compliance functionality is in the Endpoint Compliance Implementation Guide.

Symantec System Center console icons

When the Symantec System Center runs, it displays a system hierarchy of server groups, client groups, and the servers that the icons represent. The icons appear in an expandable hierarchy in the Symantec System Center console. The Symantec System Center uses icons to represent the different states of computers that are running Symantec managed products. For example, if the server group icon in the server group view appears with a padlock icon, the server group must be unlocked with its password before you can configure or run scans for the computers in the server group.

Table 1-1 describes the Symantec System Center icons.

Table 1-1 Symantec System Center icons (icon images not reproduced; descriptions only)

- Highest level object representing the system hierarchy, which contains all server groups.
- Unlocked server group or client group. Compare this icon to the locked server group icon. For security reasons, all server groups default to locked when you start the Symantec System Center.
- Locked server group. You must enter a password before you can view the computers in the server group to configure and run updates and scans.
- An issue needs to be resolved in this server group. For example, there may not be a primary management server that is assigned to the server group, or a server may have detected a virus or security risk.

Table 1-1 Symantec System Center icons (continued)

- A security risk, such as adware or spyware, was detected on a computer in this server group. Note: If Symantec Client Security detects both a virus and a security risk on the same computer, the virus icon appears.
- Symantec Client Security server running on a supported computer. Compare this icon to the next one, which is the primary management server for the server group.
- Symantec Client Security primary management server running on a supported computer.
- Unavailable Symantec Client Security server. This icon appears when communication is severed between the Symantec Client Security server and the Symantec System Center console. The communication error may result from one of several causes: the server system is not running; the Symantec software has been removed; the server, client, and Symantec System Center system times are out of sync; or there is a network failure between the console and the system.
- A virus was detected on the computer that is running Symantec Client Security server.
- A security risk, such as adware or spyware, was detected on the computer that is running Symantec Client Security server. If Symantec Client Security detects both a virus and a security risk on the same computer, the virus icon appears.
- Symantec Client Security client running on a supported Windows computer. If you use Symantec endpoint compliance, this icon also indicates that this client computer is compliant. When you select this computer, you view options only on that computer.
- A virus was detected on the computer that is running Symantec Client Security client. Note: Client infection state is not displayed in the Symantec System Center console unless you enable that option under Tools > SSC Console Options, on the Virus Alert Filter tab.

Table 1-1 Symantec System Center icons (continued)

- A security risk, such as adware or spyware, was detected on the computer that is running Symantec Client Security client. If Symantec Client Security detects both a virus and a security risk on the same computer, the virus icon appears.
- An issue needs to be resolved with this client. For example, virus and security risk definitions files may be out of date, or the client group to which the client was assigned may no longer be valid. The status field in the Symantec System Center console indicates the actual problem.
- This computer, which runs Symantec Client Security client software, has access to the network but failed an endpoint compliance audit. You may want to examine why it failed and take action to remediate the problem.
- The computer, which runs Symantec Client Security client software, failed an endpoint compliance check.
- The computer, which runs Symantec Client Security client software, is not currently connected to the network. This situation can also occur because the server, client, and Symantec System Center system times are out of sync. You must enable a setting for the Symantec System Center console to show when clients are not connected to the network.

Using the Symantec System Center

The system hierarchy in the Symantec System Center console is the top level that contains all server groups and client groups.

Note: The system hierarchy is not populated until you install at least one Symantec Client Security server.

Starting the Symantec System Center

Start the Symantec System Center when you want to manage Symantec Client Security.
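Two entries in Table 1-1 (the unavailable server and the offline client) name out-of-sync clocks as a cause. The following is an added example, not code from the guide or from Symantec, that works through why: the console and its servers authenticate with short-lived login certificates, and Chapter 1 later lets you set a certificate lifetime and a time tolerance. The example models that check as a generic validity-window test with a clock-skew allowance; the lifetime, tolerance, host names and clock readings are assumed values constructed for illustration, not the product's defaults or its actual verification code.

```python
"""Clock-skew-tolerant validity-window check for short-lived login certificates.

Added example, not code from the Symantec guide. CERT_LIFETIME and
TIME_TOLERANCE are assumed policy values, not product defaults; the host names
and clock readings in sample_audit() are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

CERT_LIFETIME = timedelta(hours=1)      # assumed lifetime of an issued login certificate
TIME_TOLERANCE = timedelta(minutes=5)   # assumed clock skew a verifier will forgive


def validity_window(issued_at, lifetime=CERT_LIFETIME):
    """(not_before, not_after) for a certificate issued on the issuer's own clock."""
    return issued_at, issued_at + lifetime


def accepts(window, verifier_now, tolerance=TIME_TOLERANCE):
    """True if the verifier's clock, widened by the tolerance on both sides,
    falls inside the certificate's validity window."""
    not_before, not_after = window
    return (not_before - tolerance) <= verifier_now <= (not_after + tolerance)


def mutual_trust(console_now, server_now, lifetime=CERT_LIFETIME, tolerance=TIME_TOLERANCE):
    """Check both directions of a console/server session.

    The server's certificate (issued on the server's clock) must be accepted by
    the console, and the console's certificate must be accepted by the server.
    Returns (skew_seconds, server_cert_ok, console_cert_ok); skew is server
    minus console, so a positive value means the server's clock runs ahead.
    """
    skew = server_now - console_now
    server_cert_ok = accepts(validity_window(server_now, lifetime), console_now, tolerance)
    console_cert_ok = accepts(validity_window(console_now, lifetime), server_now, tolerance)
    return skew.total_seconds(), server_cert_ok, console_cert_ok


def audit(console_now, server_clocks, **kw):
    """Map each server name to mutual_trust() for the clock it reports.

    Whichever side runs ahead issues certificates whose not_before the other
    side has not reached yet, so a session survives only while the two clocks
    differ by no more than the tolerance in either direction. The lifetime
    only bounds how far behind a verifier may lag before the other side's
    certificate looks expired; it does not rescue a clock that runs ahead.
    """
    return {name: mutual_trust(console_now, t, **kw) for name, t in server_clocks.items()}


def sample_audit():
    """Run audit() over a constructed console clock and four server clocks."""
    console = datetime(2006, 3, 1, 12, 0, tzinfo=timezone.utc)
    servers = {
        "sav-primary": console + timedelta(minutes=2),   # within tolerance
        "sav-ahead": console + timedelta(minutes=10),    # ahead: its cert is not yet valid for the console
        "sav-behind": console - timedelta(minutes=10),   # behind: the console's cert is not yet valid for it
        "sav-stale": console - timedelta(hours=3),       # far behind: both directions fail
    }
    return audit(console, servers)


if __name__ == "__main__":
    for name, (skew, s_ok, c_ok) in sample_audit().items():
        state = "ok" if (s_ok and c_ok) else "UNAVAILABLE"
        print(f"{name:12s} skew={skew:+8.0f}s server_cert={s_ok!s:5s} console_cert={c_ok!s:5s} -> {state}")
```

The point a practitioner should take from the asymmetry: raising the tolerance does widen the window, but it also widens how long a stolen short-lived certificate stays usable, so the right fix for an "unavailable" server is to synchronize its clock, not to loosen the tolerance.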

To start the Symantec System Center
On the Windows taskbar, click Start > Programs > Symantec System Center Console > Symantec System Center Console.
The Symantec System Center opens to the Default Console View.

Figure 1-1 The Symantec System Center console (callouts: console tree tab; top server group level; contents of the object selected in the tree appear in the right pane; locked server group; unlocked server group; client groups)

Note: Viewing the Symantec System Center console from a terminal session is not supported.

Selecting a primary management server for a server group

If you have not already done so, the first thing that you must do to use the Symantec System Center is to assign a primary management server for the server group that you created at the time of installation. You must specify a server in the server group as the primary management server; no server is specified as the primary management server by default. Until you specify a primary management server, you cannot perform most Symantec product management operations.

After promoting a server to primary and installing additional secondary management servers, remove and archive the server group private key from the pki\private-keys directory that is located under the Symantec Client Security directory that you selected at the time of installation. That key is the server group's signing key: once the secondaries hold their certificates it is not needed for day-to-day operation, and leaving it on the primary exposes it to anyone who compromises that server. Keep the archived copy offline.
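The remove-and-archive step above, as an added example that is not a Symantec tool or code from the guide. It hashes every file in the private-keys directory, copies it to an archive location, verifies the copy by SHA-256 before the original is deleted, and records a manifest so the archive can be re-checked later. The guide names only the pki\private-keys directory, so the file names used in demo() are constructed placeholders and the assumption is that every regular file in that directory is key material to be moved; demo() works in a scratch directory so it can be run without touching a real installation.

```python
"""Archive-then-remove helper for a server group's private-keys directory.

Added example, not a Symantec tool. File names and directory layout are
assumptions: every regular file found under src_dir is treated as key material.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_private_keys(src_dir, archive_dir):
    """Move each regular file in src_dir to archive_dir, verifying the copy
    before the original is removed. Returns the list of manifest entries.
    If a copy fails to verify, the bad copy is discarded, the original is kept,
    and IOError is raised; an existing file in the archive is never overwritten."""
    os.makedirs(archive_dir, exist_ok=True)
    entries = []
    for name in sorted(os.listdir(src_dir)):
        src = os.path.join(src_dir, name)
        if not os.path.isfile(src):
            continue
        dst = os.path.join(archive_dir, name)
        if os.path.exists(dst):
            raise FileExistsError(f"refusing to overwrite archived file {dst}")
        digest = sha256_of(src)
        shutil.copy2(src, dst)          # copy2 keeps timestamps for the audit trail
        if sha256_of(dst) != digest:
            os.remove(dst)
            raise IOError(f"archived copy of {name} did not verify; original kept")
        os.remove(src)                  # only after the copy is proven good
        entries.append({"file": name, "sha256": digest, "archived_to": dst})
    manifest = {"archived_at": datetime.now(timezone.utc).isoformat(), "files": entries}
    with open(os.path.join(archive_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return entries


def verify_archive(archive_dir):
    """Re-hash every archived file against the manifest; returns the names that fail."""
    with open(os.path.join(archive_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return [e["file"] for e in manifest["files"] if sha256_of(e["archived_to"]) != e["sha256"]]


def demo():
    """Exercise the procedure on a constructed scratch tree (placeholder bytes,
    not real key material). Returns (moved names, files left in source, verify failures)."""
    root = tempfile.mkdtemp()
    try:
        src = os.path.join(root, "pki", "private-keys")   # assumed layout, per the guide's directory name
        os.makedirs(src)
        for name, body in {"servergroup.key": b"placeholder key bytes",
                           "servergroup.cer": b"placeholder cert bytes"}.items():
            with open(os.path.join(src, name), "wb") as f:
                f.write(body)
        archive = os.path.join(root, "archive")
        moved = [e["file"] for e in archive_private_keys(src, archive)]
        return moved, sorted(os.listdir(src)), verify_archive(archive)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Point archive_private_keys at the real directory only after the secondary servers have their certificates, write the archive to removable media rather than another directory on the same server, and keep the manifest with it so the key can be verified before it is ever restored.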

For more information, see the Symantec Client Security Reference Guide.

When you select a server group object in the Symantec System Center console and set options, the settings are saved to the primary management server in the server group. Other servers in the server group also use the new configuration.

Computers that are running any of the following operating systems can be primary management servers:
- Windows 2000 Server/Advanced Server/Professional
- Windows Server 2003 Web/Standard/Enterprise/Datacenter Editions
- Windows XP Professional

The primary management server plays an important role, so select a stable server that is always running.

To select the primary management server for a server group
Right-click the server that you want to be the primary management server, and then click Make Server A Primary Server.

About console views

Each product management snap-in makes a new product view available within the Symantec System Center console. For example, when you install the Symantec AntiVirus management snap-in, the Symantec AntiVirus view is added, which includes the fields that are related to Symantec Client Security, such as Last Scan and Definitions.

Changing console views

Unless you change the view, the Symantec System Center console displays the Default Console View. The other views available depend upon which managed Symantec Client Security snap-ins you have installed.

To change console views
1 In the left pane, right-click an object, such as System Hierarchy.
2 On the View menu, in the list that appears at the bottom of the menu, click a view.

Saving console settings

When you close the Symantec System Center, you are prompted to save Microsoft Management Console (MMC) console settings for the Symantec System Center.

This process has no effect on the Symantec Client Security configuration changes that you make when you use the Symantec System Center.

To save console settings

Do one of the following:
■ Click Yes if you want to see the same console view the next time that you launch the Symantec System Center.
■ Click No if you want to see the last saved view the next time you launch the Symantec System Center.

Customizing console view columns

The columns that appear in the right pane change based on the selected view. When System Hierarchy is selected, the Default Console View includes the following data columns:
■ Name
■ Status
■ Primary Server
■ Valid State

Table 1-2 lists the data columns in the Symantec AntiVirus view.

Table 1-2 Data columns in the Symantec AntiVirus view

Level selected in left pane: System hierarchy
Data columns that appear in right pane: Server Group, Status, Definition Sharing, Newest Definitions, Status of Server Updates

Level selected in left pane: Server group
Data columns that appear in right pane: Server, Type, Status, Last Scan, Definitions Version, Scan Engine, Address, Status of Client Updates

Table 1-2 Data columns in the Symantec AntiVirus view (continued)

Level selected in left pane: Groups (for client groups)
Data columns that appear in right pane: Group Name, Configuration Change Date, Number of Clients

Level selected in left pane: Client group or server
Data columns that appear in right pane: Client, User (including the domain that authenticated the user), Status, Last Scan, Definitions Version, Scan Engine, Address, Group, Server

Table 1-3 lists the data columns in the Symantec Client Firewall view.

Table 1-3 Data columns in the Symantec Client Firewall view

Level selected in left pane: System hierarchy
Data columns that appear in right pane: Server Group, Status

Level selected in left pane: Server group
Data columns that appear in right pane: Server, Type, Status, Version, Server Policy File, Server Policy Rollout Time, Client Policy File, Client Policy Rollout Time, Address

Level selected in left pane: Groups (for client groups)
Data columns that appear in right pane: Group, Client Policy File, Client Policy Rollout Time, Number of clients

Table 1-3 Data columns in the Symantec Client Firewall view (continued)

Level selected in left pane: Client group or server
Data columns that appear in right pane: Client, User (including the domain that authenticated the user), Status, Version, Policy File, Policy Rollout Time, Address, Group, Server

You can rearrange the order of the columns to better suit your needs.

To customize the columns in a view

1 In the left pane, under Symantec System Center, select an object.
2 On the View menu, in the list that appears at the bottom of the menu, select the view that you want to customize.
3 On the View menu at the top of the Symantec System Center window, click Choose Columns.
4 In the Modify Columns dialog box, use the Add, Remove, Move Up, and Move Down buttons to customize your view as needed, or use Reset to return the settings to the last saved state.

Showing when clients are offline

You can configure the Symantec System Center console to show when computers running Symantec Client Security client software are not currently connected to the network. The icon in the last row of Table 1-1 indicates that the client is offline.

To show when clients are offline

1 On the Tools menu, click SSC Console Options.
2 In the SSC Console Options Properties dialog box, on the Client Display tab, under Client Configuration Options, check Indicate when clients are offline. This option is unchecked by default.

Showing client Auto-Protect status

You can configure the Symantec Client Security client or server icon to appear on the Windows system tray. The icon shows a client or server's Auto-Protect status as follows:
■ When Auto-Protect is enabled, the icon appears as a full shield. When you right-click the icon, a check mark appears before Enable Auto-Protect.
■ When Auto-Protect is disabled, the icon is covered by a universal no sign (a red circle with a diagonal slash). When you right-click the icon, no check mark appears before Enable Auto-Protect.

Showing client infection state

You can configure the Symantec System Center to display client infection state that is based on client check-in data on the Symantec System Center console. This option is disabled by default.

To show client infection state on the Symantec System Center console

1 On the Tools menu, click SSC Console Options.
2 In the SSC Console Options Properties dialog box, on the Virus Alert Filter tab, check Display the infected state of each client that is based on client check-in data.
3 To configure how long the information displays, use the arrows or type the number of days that you want virus infection data to remain on the Symantec System Center console. By default, the console does not display infections that occurred more than three days ago.
4 To reset the Symantec System Center to display client infection state from the current time forward, check Don't show virus alerts before:, and then click Set to Current Time.

Note: Use the reporting console for more comprehensive and up-to-date infection status. For information about the reporting console, see the Reporting User's Guide.

About refreshing the console

At the first startup of a newly installed Symantec System Center console, the console pings the network to find all available computers that run Symantec Client Security server software. As soon as the servers respond, they are added to the

console. Connected workstations running a managed Symantec client product are added when their parent management server is selected in the console tree.

If you start the servers that are running a manageable Symantec product while the Symantec System Center is already running, you may need to locate the servers by using the Find Computer feature or by running the Discovery Service so that they appear in the server group view.

See Using the Find Computer feature on page 40.

You can also use Discovery to locate network computers on which Symantec Client Security is not installed.

See About the Discovery Service on page 32.

About the Discovery Service

The Symantec System Center console runs a single service: the Symantec System Center Discovery Service (Nsctop.exe). This service is responsible for discovering the computers running Symantec Client Security server software that appear in the Symantec System Center console. The Discovery Service also populates the Symantec System Center console with the objects in the hierarchy. From the Symantec System Center console, you can select any object beneath the console root, and then choose Discovery Service from the Tools menu to perform a new Discovery of servers.

How Discovery works

To discover computers on the network, a computer that runs the Symantec System Center sends several pings to the network. The pings are UDP broadcasts to port . The ping program verifies that the remote computer exists and can accept requests. When Symantec Client Security servers and AMS2 servers that run the Ping Discovery Service (Intel PDS) hear a ping, they respond with pong packets. Only antivirus servers are discovered by using this ping and pong mechanism.

Symantec Client Security finds client information by querying the server for its client information. Clients ping the server to get the port number that the server's Rtvscan listens on.
The client's Rtvscan can then send its keep-alive packet to the parent server's Rtvscan, and communication can begin. The keep-alive packet contains information such as the following:
■ Date of the computer's virus definitions files
■ When the computer was last infected

■ Firewall version
■ Time-stamp of the firewall policy
■ Whether the firewall is installed and enabled, and whether there was an error importing the last policy sent
■ Whether the firewall policy on the server and client differ

IP pings are sent to the remote computer running Symantec Client Security server software to determine what type of protocol it uses.

The data from the computer that runs Symantec Client Security client software is stored on the computer that runs Symantec Client Security server software that is the client's parent management server. The Symantec System Center console reads each parent management server's registry to get the data that it displays in the console.

Following the completion of this process, Normal Discovery runs.

Types of Discovery

Symantec System Center uses the following types of Discovery:
■ Load from cache only (with or without using IP Discovery)
■ Local Discovery (with or without using IP Discovery)
■ Intense Discovery (with or without using IP Discovery)
■ Normal Discovery (not user-initiated)

Table 1-4 describes the types of Discovery that Symantec Client Security uses.

Table 1-4 Discovery types

Type: Load from cache only
Description: Load from cache only offers the most basic type of Discovery. It tries to refresh all of the servers for which the Symantec System Center console address cache contains information. Each server is then sent a series of pings to see if the server checks back in, and to refresh information on the console. Load from cache only reduces traffic on the network when you launch the Symantec System Center. In most cases, you may find that choosing Load from cache only finds all of the servers that you need to add to the Symantec System Center console.
What follows: Normal Discovery

Table 1-4 Discovery types (continued)

Type: Local Discovery (default)
Description: In Local Discovery, a ping packet is broadcast over the local subnet of the computer that runs the Symantec System Center console. Intel PDS services that run on servers on the local subnet reply with pong data. Local Discovery generates less ping noise, but is limited to the local subnet. Local Discovery works very well on small subnets. In very large subnets, you might obtain better results by using Intense Discovery.
What follows: Load from cache only, Normal Discovery

Type: Intense Discovery
Description: Intense Discovery walks My Network Places on the local Windows computer and attempts to resolve all computers that it finds into a network address. When it has the network address, it attempts to send ping requests. You can configure whether Intense Discovery walks the NetWare or Microsoft branches of the network tree, or both. The ability of Intense Discovery to locate computers is limited by several factors: the availability of a Windows Internet Naming Service (WINS) server or Active Directory, network subnet and router configuration, DNS configuration, and Microsoft domain and workgroup configuration. Searching by IP address range in most cases is not affected by these factors. For this reason, you may want to use IP Discovery.
What follows: Local Discovery, Load from cache only, Normal Discovery

Table 1-4 Discovery types (continued)

Type: Normal Discovery
Description: The Symantec System Center console broadcasts to all servers that are in unlocked server groups. Normal Discovery queries the primary management server of the server group for the list of secondary management servers in its address cache. The Symantec System Center console address cache stores information for all servers that have ever reported to it. The primary management server address cache contains information for every server within the server group. The address cache includes the names of all secondary management servers and their IP addresses. The Symantec System Center console compares its own address cache with the address cache sent by the primary management server. When a mismatch is identified, the console pings the associated server. When the pong data returns, it is added to all other servers in the list. In this way, Normal Discovery can identify every server in the server group and attempt to resolve information conflicts between parent management servers.
What follows: Runs automatically after other types of Discovery; not user-initiated.

You can configure Load from cache only, Local Discovery, and Intense Discovery to use IP Discovery by using either an IP address or an IP subnet address range. You may want to use IP Discovery only periodically to discover computers across the network. After the computers are in the address cache, you can then use the Load from cache only method.

Discovery Service requirement for WINS or Active Directory

The Discovery Service requires the use of Windows Internet Naming Service (WINS) or Active Directory name resolution. If you attempt to run the Discovery Service in an environment where WINS or Active Directory is not available, you need to find at least one computer running Symantec Client Security server on your network first.
To find the computer, you can use the Find Computer feature or the Importer tool. See Using the Find Computer feature on page 40. See the Symantec Client Security Reference Guide for information about the Importer tool.
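The ping and pong exchange described under How Discovery works, carried through as an added example that is not part of this guide and not Symantec's or Intel's code: a toy responder stands in for a server's Ping Discovery Service and a console-side probe sends one ping and collects the pongs, both on loopback. The marker bytes, the JSON pong payload, the server name and the OS-chosen port are constructed for the illustration; the real PDS port and packet format are not reproduced.

```python
"""Toy ping/pong discovery exchange over UDP, on loopback only.

Added example; not Symantec code. The marker bytes, the JSON pong payload, the
server name and the OS-chosen port are constructed for this illustration and do
not reproduce the Intel PDS port or packet format that the guide refers to.
"""
import json
import socket
import threading

PING_MARKER = b"DISCOVERY-PING"  # constructed, not a real PDS message
PONG_MARKER = b"DISCOVERY-PONG"  # constructed, not a real PDS message


def start_responder(server_name, host="127.0.0.1"):
    """Run a thread that plays the part of a server's Ping Discovery Service.

    Every PING datagram is answered with a PONG that carries the server's name
    and the address it was reached on. Binding to port 0 lets the OS pick a free
    port, so the example runs anywhere. Returns (port, stop_function).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    sock.settimeout(0.1)  # wake up regularly so that stop() is noticed
    port = sock.getsockname()[1]
    stopping = threading.Event()

    def serve():
        while not stopping.is_set():
            try:
                data, peer = sock.recvfrom(1024)
            except OSError:  # includes the periodic socket.timeout
                continue
            if data != PING_MARKER:
                continue  # anything that is not a discovery ping is ignored
            record = {"server": server_name, "address": host, "port": port}
            sock.sendto(PONG_MARKER + json.dumps(record).encode(), peer)
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stopping.set


def discover(host, port, wait_seconds=0.5):
    """Console side: send one discovery ping and collect the pongs that arrive.

    Returns a list of server records. A host that runs no responder, or whose
    firewall drops the datagram, never appears in the list; the guide makes the
    same point about the network audit when a firewall runs on the remote computer.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(wait_seconds)
    found = []
    try:
        sock.sendto(PING_MARKER, (host, port))
        while True:
            try:
                data, _peer = sock.recvfrom(1024)
            except OSError:  # timeout: no more pongs within the waiting window
                break
            if data.startswith(PONG_MARKER):
                found.append(json.loads(data[len(PONG_MARKER):]))
    finally:
        sock.close()
    return found


def demo():
    """Start a responder and probe it from the console side on loopback."""
    port, stop = start_responder("MGMT-SRV-01")  # constructed server name
    try:
        return discover("127.0.0.1", port)
    finally:
        stop()


if __name__ == "__main__":
    print(demo())
```

The point to take from the exchange is the one the guide states: only a computer that runs the responder answers, so a server that is off the broadcast subnet, switched off, or behind a firewall that drops the datagram is simply absent from the result rather than reported as an error. That is why the guide sends you to the Find Computer feature or the Importer tool when Discovery comes back empty.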

NetWare computers and the Discovery Service

The Discovery Service may not find NetWare computers that are running IP only. To find the computers that are not located by the Discovery Service, you can use the Find Computer feature.

See Using the Find Computer feature on page 40.

Running the Discovery Service

You initiate all types of Discovery in the Symantec System Center console.

Note: The Discovery Service uses WINS or Active Directory when it browses for new computers that run Symantec Client Security. If you are trying to discover new computers in an environment in which WINS or Active Directory is unavailable, you may want to run the Find Computer feature or the Importer tool first. See Using the Find Computer feature on page 40. See the Symantec Client Security Reference Guide for information about the Importer tool.

Configuring the Discovery Service to use IP addresses

You can run the Discovery Service and find servers with or without including IP addresses and subnets.

To configure the Discovery Service to use IP addresses

1 In the left pane, select any object below the console root.
2 On the Tools menu, click Discovery Service.

3 In the Discovery Service Properties window, on the Advanced tab, check Enable IP Discovery.
  Once Enable IP Discovery is checked, an IP Discovery session runs whenever you run an Intense Discovery. To run any type of Discovery without also running IP Discovery, uncheck Enable IP Discovery. You can also access IP Discovery functionality in the Find Computer dialog box.
4 In the Scan Type list, select one of the following:
  ■ IP Address: The console pings every computer in the range of IP addresses.
  ■ IP Subnet: The console broadcasts to each subnet.
5 In the Beginning of range and End of range boxes, type the addresses.
6 If you clicked IP Subnet, type the subnet mask to refine the search.
  IP Address search results appear in the lower portion of the Find Computer dialog box. IP Subnet search results are displayed in the Symantec System Center console status bar.

Configuring the Discovery Service

You can configure and run three types of Discovery.

To configure the Discovery Service

1 In the Symantec System Center console, on the Tools menu, click Discovery Service.
2 If you want to run Discovery using IP addresses, configure the settings on the Advanced tab.
  See To configure the Discovery Service to use IP addresses on page 36.

3 In the Discovery Service Properties window, on the General tab, select one of the following options:
  ■ Load from cache only: This is the quickest method. The Symantec System Center reads the list of servers and clients stored in the local cache.
  ■ Local Discovery: Broadcasts to the Symantec System Center console's local subnet. Servers respond immediately with information about themselves and their clients. Each server's server group appears in the console unless you have filtered the view by using the View menu. Load from cache only runs as well.
  ■ Intense Discovery: This is the most thorough method. If you have a large network, the Discovery process may take a long time. The Symantec System Center serially pings every server in the Network Neighborhood. Server names appear in the message area of the Symantec System Center console as they are found during the Discovery process. Intense Discovery also performs the same local subnet broadcast as Local Discovery. Load from cache only and Local Discovery run as well.
  See Table 1-4 on page .
4 Under Discovery Cycle, select the interval in minutes, if necessary.
5 If you plan to run Intense Discovery, under Intense Discovery Properties, specify the number of Intense Discovery threads, between 2 and 50. Each Discovery thread is an independent search for servers and clients. To maintain the most up-to-date Discovery information, select a lower Discovery interval and a higher number of Discovery threads.
6 If you want to clear all server and client information out of the active memory and address cache, and immediately run Discovery based on the current Discovery settings, under Cache Information, click Clear Cache Now. When you clear the cache, unlocked server groups are locked.
7 Do one of the following:
  ■ Click OK to save your changes.
  ■ If you want to immediately run Discovery, click Run Discovery Now, and then click Close. Only one Discovery can run at a time.

Rebuilding a list of servers on a large network during Discovery may take a long time.

Configuring the Discovery Cycle interval

You can configure the Discovery Cycle time-out interval. By default, the interval is set to 480 minutes (every 8 hours), but you can set the time-out to any value from 1 to 1440 minutes between Discovery attempts. A new Discovery is skipped if the last Discovery is still running. For example, if you have Discovery set to run once a minute, and Discovery takes 20 minutes, 19 Discovery attempts are skipped.

Note: Increasing the Discovery Cycle interval can result in a display of outdated information in the Symantec System Center console.

To change the Discovery Cycle interval

1 On the Tools menu, click Discovery Service.
2 Change the Interval in minutes setting as necessary.

Using the Find Computer feature

If you want to quickly find a server without having to expand and browse through the tree, you can use the Find Computer feature. You can search using TCP/IP addresses or computer names. The Find Computer feature is also useful if you install a server and then do not see it in the tree view when you expand a server group or server, which may occur for the following reasons:
■ The Symantec System Center may not automatically discover servers on LAN segments that are separated by routers.
■ Servers may not be visible in the Network Neighborhood. For example, Windows Internet Naming Service (WINS) servers or Active Directory may not be replicated across network segments.

If you cannot locate some servers on your LAN, you can locate them manually by using the Find Computer feature in the Symantec System Center console. After you use the Find Computer feature to locate a server, you can manage it from the Symantec System Center console.

Finding computers using a local cache search

Rather than search the entire network for computers, you can restrict the search to the computers that are already stored in the local cache.

To find computers using a local cache search

1 On the Tools menu, click Find Computer.
2 In the Find Computer window, on the Local Search tab, type the network name of the server that you want to find.
3 Under Match Type, select one of the following:
  ■ Partial: Searches for a server name that is a partial match.
  ■ Exact: Searches for a server name that is an exact match.
  If you leave the Search For text box empty, and then specify Partial as the match type, all computers in the local cache appear when you run the search.
4 Click Find Now.

Finding computers using a network search

You can use a network search to find individual computers running the Symantec Client Security server software. The Symantec System Center console contains the following Find Computer options that search the network:
■ Network Discovery: Finds computers that run the Symantec Client Security server software by computer name or address.
■ Scan Network: Finds the computers that run the Symantec Client Security server software by using an IP address or subnet range.
■ Audit Network: This broad network search allows you to not only locate the computers, but also to determine the protection that is available on them, including whether other antivirus software is installed, and to configure a number of search settings. This option takes the most time and resources. See To run a network audit on page 45.

To find computers using an address type

1 On the Tools menu, click Find Computer.
2 In the Find Computer window, on the Network Discovery tab, specify whether you want to use a computer name or an IP address as the search criterion.
3 Type the server address or computer name.
4 Click Find Now.

To find computers using an IP address range

1 On the Tools menu, click Find Computer.
2 In the Find Computer window, on the Scan Network tab, select one of the following:
  ■ IP Subnet: Sends out a broadcast to each subnet.
  ■ IP Address: Pings every computer in the range of IP addresses.
3 Type the addresses for Beginning of range and End of range.

4 If you clicked IP Subnet in step 2, type the subnet mask to refine the search.
5 Click Find Now.
  IP Address search results appear in the lower portion of the Find Computer dialog box. IP Subnet search results appear in the Symantec System Center console status bar.

Locating found items in the Symantec System Center console

You can use an item in a Find Computer list to locate the same item in the Symantec System Center console tree. This feature can be particularly useful if you have a very large number of computers in your network. To match an item, the server group to which the item belongs must be unlocked.

To locate found items in the Symantec System Center console

1 On the Tools menu, click Find Computer.
2 In the Find Computer window, select the computer that you want.
3 Click Sync Item.
  The Symantec System Center console tree view moves to the selected item, which is then highlighted in the right pane.
4 Click Save if you want to save the search results as a comma-delimited file.

Using the Refresh feature

In the Symantec System Center console, you can refresh the information in the console at the system hierarchy, server group, or server level to validate active communication with the list of currently displayed servers. If the refresh determines that a server that previously appeared in the server group view is no longer communicating, the unavailable server icon appears.

Note: The Refresh feature does not find the servers or the server groups that may have been added since the current session of the Symantec System Center started.

To use the Refresh feature

In the left pane, right-click the system hierarchy, unlocked server group, server, or client group, and then click Refresh.

Auditing computers

Computers on your network that do not have Symantec Client Security running leave holes open in your network security. You can run a network audit of remote computers to determine the following:
■ Whether a Symantec Client Security component is installed and running.
■ The type of protection that is installed, such as Symantec Client Security server, client, or unmanaged client software.
■ Whether antivirus software from other vendors or from Symantec (such as a Norton AntiVirus consumer version) is installed on the computer, including the type and version of that software.

You must be able to log in as Administrator to the remote computers that you audit.

Note: Because Symantec Client Security now uses secure communications over SSL, server and server group information for the clients that run the current version of Symantec Client Security does not appear after a network audit. If a firewall is running on the remote computer, the network audit may not be able to gather information.

To run a network audit

1 On the Tools menu, click Find Computer.
2 In the Find Computer window, on the Audit Network tab, type the beginning and end of the IP address range that you want to search.
3 Click Options to set custom network audit options. For example, if you want to find the remote computers that have unmanaged Symantec Client Security client software installed, you can enable the related option.
4 In the Audit Network Options dialog box, set the number of audit threads to use to a value between 2 and 50. A higher number yields faster results but requires more network resources.
5 Under Ping Options, set the following options:
  ■ The time-out period in milliseconds for Symantec PDS and Windows ICMP pings.
  ■ Whether the search should continue even if an ICMP ping fails. This option is useful if you know that a firewall is set up with a rule to block an ICMP ping, because you can still audit the network for the computers that run Symantec Client Security.
6 Under Symantec AntiVirus IP ports, configure the search to ping up to four Symantec AntiVirus IP ports. To support legacy and current clients, both UDP and TCP ports are pinged. Port 1 defaults to 2967, which is the default port number of Rtvscan, the main Symantec Client Security service.

7 Under Display Options, specify whether you want to display the following:
  ■ Previously labeled machines.
  ■ Parent management servers that are discovered through clients even if they are outside the IP address range.
8 Under Search Options, set the following options:
  ■ Whether to look for the computers that run unmanaged Symantec Client Security client software, and offline servers and clients. This option requires you to specify valid administrator account information, such as a user name and password.
  ■ Whether to look for the computers that run other vendors' antivirus software. This option requires that you know valid administrator account information, such as a user name and password.
  ■ Whether or not to always use name resolution.
  See Setting administrator account options on page 48.

9 Click OK.
10 Click Find Now to run the audit.
  You can see the audit progress at the bottom of the Find Computer dialog box.

When the audit completes, the following types of information appear:
■ Machine: The name of the remote computer.
■ Server Group: The name of the server group to which the remote computer belongs.
■ Server: The name of the server that controls the remote computer.
■ Type: The server or client type. Login errors are also reported in this column.
■ Version: The version of the antivirus product running on the computer.
■ Address: The IP address of the computer.
■ User: The user name that is associated with the computer, including the domain that authenticated the user.

Syncing found computers to locate them

After the status of the computers in your audit search is identified, you can locate selected computers by syncing to them.

To sync found computers

1 In the Find Computer dialog box, select a computer, and then click Sync Item to locate the selected computer that runs Symantec Client Security client software.
2 If the computer is in a locked server group, type the user name and password of the server group to which the computer belongs.

Setting administrator account options

When you run a network audit, if you select the following options in the Audit Network Options dialog box, you are required to specify administrator account information:
■ Look for unmanaged clients, offline servers, and offline clients.
■ Look for other AntiVirus software.

Figure 1-2 Remote Administrator Account dialog box

To set administrator account options

1 In the Remote Administrator Account dialog box, do one of the following:
  ■ Type the name of the domain that contains the computers that you want to find, followed by valid domain administrator account information.

  ■ Check Use local accounts to access a specific computer, and then type the Admin user name and password.
2 Click OK.

Labeling found items and rerunning the audit

You can label the items that an audit finds. It may be useful to label items such as the following:
■ The computers that cannot be located or to which a connection cannot be made.
■ Routers and network drives.
■ Computers that do not have Symantec Client Security software installed.

To label a found item and rerun the audit

1 In the Find Computer dialog box, in the Machine column, right-click an item, and then click Label.
2 In the Edit description for dialog box, type a new label for the item.
3 Click OK.
4 Right-click the item again, and then click Audit again.

Configuring login certificates

Clients and servers use a temporary login certificate to authenticate Symantec System Center users. Because the user's login certificate is chained through the primary management server's login CA certificate back to the Server Group root certificate, the client or server knows that the user is authorized to manage the server group.

When servers and clients receive a user's request for configuration changes, they authenticate the user. If authentication succeeds, the clients compare their system clocks to the certificate's time-stamp. If they verify that the user's temporary login certificate has not expired, they accept the user's configuration changes.

For more information about certificates and their use in Symantec Client Security, see the Symantec Client Security Reference Guide.

The login certificate is time-limited for security purposes, but is valid across all time zones. If a specific user account is deleted in the Symantec System Center, the temporary login certificate that is associated with that user cannot be renewed after it expires, regardless of the time zone. If the login certificate expires after the user authenticates to a server or client, the user is automatically issued another valid login certificate.

You can use the Symantec System Center to configure the login certificate lifetime. Login certificates are time-stamped, and by default, expire 24 hours after being issued. You can configure a shorter lifetime to increase the level of network security, but this configuration also increases processing overhead.

Warning: Unsynchronized computer system clocks in a server group can prevent servers and clients from authenticating a user's login certificate because of the time difference. Synchronize your computer system clocks to prevent this situation from occurring.

For example, suppose that a user has a temporary login certificate that contains a primary management server's time-stamp and is valid for 30 minutes. If that user attempts to authenticate to a client whose clock is set 45 minutes ahead of the primary management server, then when the client receives the login certificate, it believes that the login certificate expired 15 minutes ago based on its own system clock, and does not permit configuration changes by that user.

Because login certificates are issued by the primary management server in a server group, you can configure login certificate settings only at the server group level.

Configuring login certificate lifetime and time tolerance

If you do not use some method that automatically synchronizes system clocks in your network, be sure that the time periods that you configure are sufficient to cover any likely time discrepancies between your primary management servers, and the clients and secondary management servers that are managed by the primary management servers.

When you configure the login certificate settings, Symantec System Center automatically compensates for time zone differences.

To configure login certificate settings
1 Right-click the server group that you want to configure, and then click Configure login certificate settings.
2 In the Login Certificate Settings dialog box, under Length of time login certificate is valid, set the number of hours and days that you want the certificate to last. A Symantec System Center user whose login session exceeds this setting is prompted for a user name and password to obtain a new login certificate. The default is 1 day. All computers in this server group whose system clocks are ahead of the primary management server system clock must be no further ahead than this setting to be managed by the Symantec System Center.
3 Under Tolerate time discrepancy between computers of: <hours> <days>, set the number of hours and days to the amount of backwards time discrepancy that you want to allow between the system clock of the primary management server, and the system clocks of its clients and secondary management servers. The default is 1 day. All computers in this server group whose system clocks are behind the primary management server clock must be no further behind than this setting to be managed by the Symantec System Center.
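The acceptance rule that steps 2 and 3 describe, together with the 30-minute certificate and 45-minute-fast client from the example earlier in this section, worked through as an added Python example. This is not Symantec's code and does not reflect how Symantec System Center implements the check; the function names, the constructed 2006-06-01 sample time-stamp, and the treatment of a naive datetime as UTC are this example's own assumptions.

```python
"""Login-certificate time check with clock-skew tolerance (added example).

Models the rule the guide describes: a client accepts a user's temporary login
certificate only if, by the client's own clock, the certificate is not past
issue-time + lifetime (a client running ahead of the server fails this first)
and not before issue-time - tolerance (a client running behind fails this
first). All times are normalised to UTC, which is what makes the certificate
"valid across all time zones". Names here are this example's own, not
Symantec's.
"""
from datetime import datetime, timedelta, timezone

# Defaults stated in the guide: lifetime 1 day, tolerated backwards discrepancy 1 day.
DEFAULT_LIFETIME = timedelta(days=1)
DEFAULT_TOLERANCE = timedelta(days=1)


def _as_utc(moment: datetime) -> datetime:
    """Normalise to UTC. A naive datetime is assumed (by this example) to already be UTC."""
    if moment.tzinfo is None:
        return moment.replace(tzinfo=timezone.utc)
    return moment.astimezone(timezone.utc)


def check_login_certificate(issued_at: datetime, client_now: datetime,
                            lifetime: timedelta = DEFAULT_LIFETIME,
                            tolerance: timedelta = DEFAULT_TOLERANCE):
    """Return (accepted, reason) as the receiving client or secondary server would decide it.

    issued_at  - time-stamp the primary management server placed in the certificate
    client_now - the receiving computer's current clock reading
    """
    issued_at = _as_utc(issued_at)
    client_now = _as_utc(client_now)
    not_after = issued_at + lifetime      # "Length of time login certificate is valid"
    not_before = issued_at - tolerance    # "Tolerate time discrepancy between computers of"
    if client_now > not_after:
        return False, f"expired {client_now - not_after} ago by the client's clock"
    if client_now < not_before:
        return False, (f"issue time is {not_before - client_now} beyond the "
                       "tolerated backwards discrepancy")
    return True, "valid"


def check_offset(client_offset_minutes: int, lifetime_minutes: int = 24 * 60,
                 tolerance_minutes: int = 24 * 60):
    """Convenience wrapper: the client's clock is client_offset_minutes ahead (+)
    or behind (-) of the server's clock at the moment the certificate is issued."""
    issued = datetime(2006, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed sample time-stamp
    client = issued + timedelta(minutes=client_offset_minutes)
    return check_login_certificate(issued, client,
                                   timedelta(minutes=lifetime_minutes),
                                   timedelta(minutes=tolerance_minutes))


if __name__ == "__main__":
    # The guide's scenario: 30-minute certificate, client clock 45 minutes ahead.
    print(check_offset(45, lifetime_minutes=30))   # rejected: expired 15 minutes ago
    # Same instant expressed in UTC+2 is still accepted: the zone offset is not skew.
    issued = datetime(2006, 6, 1, 12, 0, tzinfo=timezone.utc)
    zoned = datetime(2006, 6, 1, 14, 5, tzinfo=timezone(timedelta(hours=2)))  # 12:05 UTC
    print(check_login_certificate(issued, zoned, lifetime=timedelta(minutes=30)))
```

The two thresholds are asymmetric on purpose, mirroring the dialog box: the lifetime bounds how far ahead a client may run, the tolerance bounds how far behind. A client exactly at the boundary is still accepted, and a client further behind than the tolerance is refused even though the certificate has not expired from the server's point of view.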

Configuring login certificate key size

You can configure the size of the keys that the Symantec System Center generates for end-entity login certificates. A larger key provides a greater degree of security.

To configure login certificate key size
1 Click Tools > SSC console options.
2 In the SSC Console Options Properties dialog box, click the Certificates tab.
3 Select the number of bits that you want to use for your login certificate key: 1024, 2048, 3072, or 4096.

Chapter 2
Managing Symantec Client Security

This chapter includes the following topics:
- About servers
- About server groups and client groups
- Using server groups to manage
- Configuring options for Windows Security Center (WSC)
- Optimizing server performance
- Using Tamper Protection
- Using client groups to manage
- Managing clients

About servers

The current version of Symantec Client Security uses the Secure Sockets Layer (SSL) to encrypt communications between its servers and clients. Symantec Client Security versions 9.x and earlier used UDP for such communications. Servers that run the current version of Symantec Client Security can manage most legacy clients by default, but in certain cases, configuration is required. See Optimizing definitions and configuration rollouts on page 73.

Warning: Symantec Client Security 9.x and earlier servers cannot be used to manage clients running version 10.0 and later of Symantec Client Security.

When you manage with the Symantec System Center, computers running Symantec Client Security server software can assume the following roles:
- Primary management server
- Secondary management server
- Parent management server

About primary management servers

Each server group has an administrator-designated primary management server. This primary management server is responsible for configuration functions in the server group. It can also be responsible for updating virus and security risk definitions.

From the Symantec System Center console, when you launch a task at the server group level, the task runs on the server group's primary management server. The primary management server also forwards the task to all other servers in the server group. If you use Alert Management System 2, the primary management server also processes all notifications.

Computers running any of the supported operating systems for servers can be made primary management servers.

How the registry is affected

When you modify server options, you directly modify the registries of the selected servers. The modification is made through the transport manager, which handles communications. The primary management server acts as the repository of all server options on a group level. If you modify on a group level, the changes are recorded first in the registry of the primary management server for that group in the HKLM\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\DomainData key. Then they are recorded in each of the other servers.

About secondary management servers

Servers that are not assigned the status of primary management server are called secondary management servers. Secondary management servers are children of primary management servers. They retrieve information from the primary management server and share it with clients.

All servers in a server group are secondary management servers until you assign one as the primary management server. You must designate the primary management server before you can perform most tasks at the server group level.

About parent management servers

A parent management server is a computer running Symantec Client Security server software with which a connected computer running Symantec Client Security client software communicates to obtain configuration updates and to send alerts. Some servers may act as parent management servers. Other servers may act as primary management servers. These two functions are not mutually exclusive. A primary management server may also act as a parent management server.

About server groups and client groups

Server group members can share a single Symantec Client Security configuration, and you can also run a Symantec Client Security operation on all members of a server group. From the Symantec System Center console, you can create new server groups and manage their membership. Server groups are independent of Windows domains and other products. You can combine NetWare and Windows computers into the same server groups, which allows simultaneous remote configuration of these systems.

Client groups are logical groupings of computers running Symantec Client Security client software. Although client groups are always attached to a server group, each client group can be managed individually. By setting up client groups, you can set up and manage different policies under a single parent.

Symantec Client Security clients are categorized as follows:
- Assigned clients are the Symantec clients that have been assigned to a client group. They receive virus and security risk definitions files from the server to which they are physically attached. However, they receive the configuration settings and the updates that are based upon the client group to which the Symantec Client Security policies are applied.
- Unassigned clients are the Symantec clients that have not been assigned to a client group. They receive configuration settings and updates from their parent management server.

Note: The server group level is the highest level at which you can manage Symantec product configuration changes.

Deciding whether to use server groups, client groups, or both

Each Symantec Client Security server group supports a single configuration for all of the clients it manages. Each additional configuration requires adding an additional server to the server group. Server groups may provide you with all the configuration flexibility you need if all of your clients require the same configuration options. If you need more configuration flexibility, you may benefit from using client groups.

When you manage using client groups, clients on the same physical server do not need to share the same configuration as other clients in the same server group. In addition, client groups can also decrease the number of servers that are required to manage Symantec Client Security. While each server group requires at least one server per unique configuration, a server group can contain any number of client groups, each with its own configuration.

Client groups and configuration priority

When you manage using client groups, clients that are assigned to a group receive their configuration from their group, rather than their parent management server. Configuration changes made at the server level are ignored by assigned clients, and apply only to unassigned clients. Configuration changes that are made at the server group level or system hierarchy level have priority over client group settings, however, and override any settings that are made at the client group level. To change this default priority, you can configure client groups to use their own settings instead of inheriting settings from their server group. See Using client group settings instead of server group settings on page 87.

Table 2-1 lists each item that you can select in the Symantec System Center and what you can configure when you select it.

Table 2-1 Configuration item options

Item selected: System Hierarchy
What you can configure: All unlocked server groups and the clients they manage, regardless of their client group membership

Item selected: Server group
What you can configure: All servers and clients in the server group, regardless of their client group membership

Table 2-1 Configuration item options (continued)

Item selected: Server
What you can configure:
The server and its clients, regardless of their client group membership:
- Virus sweep
- Update virus and security risk definitions now
- History configuration
The server and/or its unassigned clients:
- Scheduled and manual scans
- Virus and security risk definitions updates
- Quarantine options
- Client and server Auto-Protect options
- Client administrator-only options
- Client roaming options
- Client and server tamper protection options
- LiveUpdate
- Update client policy now
- Auto-Protect status
- View risk list
- Clear risk status
- Reporting agent configuration

Item selected: Client group
What you can configure:
Clients that are assigned to the client group:
- Scheduled scans
- Virus and security risk definitions updates
- Quarantine options
- History configuration
- Client Auto-Protect options
- Client tamper protection options
- Client roaming options
- Client administrator only options
- Update client policy now
- LiveUpdate

Item selected: Client
What you can configure: Read-only. By default, you cannot use the Symantec System Center to configure individual clients. However, you can use the Allow direct configuration of individual clients option to enable the Symantec System Center to configure individual clients. See Enabling direct client configuration on page 88.

How settings propagate

The method that Symantec Client Security uses to propagate settings depends upon the item that you choose in the Symantec System Center console. Table 2-2 describes how settings propagate when you choose server groups, servers, client groups, and clients.

Table 2-2 How settings propagate from the Symantec System Center console

Object: Server groups
Description: When you set options at the server group level, and then click OK, the Symantec System Center communicates directly to every server in the server group. Parent management servers update their clients by rolling out a new Grc.dat file. This file replaces the existing Grc.dat file. Custom settings in the old Grc.dat file are not retained. If you click Cancel, no options change. If you click Reset All, Symantec Client Security overwrites all settings in the dialog box.

Object: Servers
Description: When you set options at the server level, and then click OK, the Symantec System Center topology service communicates directly with the selected server. Only the selected server is affected. If you click Cancel, no options change. If you click OK without changing options, Symantec Client Security does not overwrite the server's current options.

Object: Client groups
Description: When you set options at the client group level, and then click OK, the primary management server creates a Grcgrp.dat file and sends it to secondary management servers. The secondary management servers update their clients by rolling out a new Grc.dat file. This file replaces the existing Grc.dat file. Custom settings in the old Grc.dat file are not retained. If you click Cancel, no options change.

Object: Clients
Description: When you set options at the client level, and then click OK, the System Center Topology service communicates with the client directly and makes the single change in the registry. If you click Cancel, no options change.

Note: Auto-Protect scanning settings must be locked before they are propagated to clients.

New Grc.dat values overwrite old Grc.dat values

New Grc.dat files are propagated and their values overwrite the values from the old Grc.dat files any time that they are sent to the client. This behavior occurs even when you open a Symantec Client Security window or dialog box that contains options from the Symantec System Center console and then click OK without changing options. If the earlier Grc.dat version contained custom settings that are not in the new Grc.dat, the settings are overwritten. See the Symantec Client Security Installation Guide for additional information on using Grc.dat files for client configuration.

Server and client group scenario

A company has telemarketing and accounting departments. These departments have staff in the company's Boston, New York, and Newark offices. All computers in both departments have been assigned to the same server group so that they receive virus and security risk definitions updates from the same source. However, IT reports indicate that the telemarketing department is more vulnerable to risks than the accounting department. As a result, the system administrator creates telemarketing and accounting client groups. Telemarketing clients share configuration options that strictly limit how users can interact with their antivirus and security risk protection.

Using server groups to manage

The installation program groups all of the servers that you select into one server group. This grouping might be adequate if you want all of your managed computers running Symantec Client Security to use the same settings. However, if you want to make global configuration changes for groups of servers, you can create new server groups. You can easily use a drag-and-drop or cut-and-paste operation to move servers from one server group to another. When you move a server, all of its connected client computers move with it. For example, if you have specific servers that require higher levels of protection, you can place all of them in the same server group and set special options to protect the server group.

Note: If you prefer to manage by using client groups, you can achieve the same end by setting up a new client group. See About server groups and client groups on page 55.

Best practice: installing a secondary management server

As a best practice, always install a secondary management server in server groups to assist in recovering from disasters. If you do not add a secondary management server and your primary management server fails, you will not be able to access the server group from the Symantec System Center.

Creating server groups

You can create as many server groups as you need to manage your servers and clients efficiently. Each server group requires a primary management server. See Selecting a primary management server for a server group on page 26.

To create a server group
1 Right-click System Hierarchy, and then click New > Server Group.
2 In the New Server Group dialog box, type the name for the server group. The name cannot have more than 47 characters.
3 In the User name text box, type the user name to use for the new server group. This can be any user name you want to use. The user account is automatically created and assigned to the Administrator role and added to the account management list for this server group.

4 In the Password text box, type a password to use when unlocking the server group.
5 In the Confirm password text box, retype the password.

Locking and unlocking server groups

You can lock a server group with a password to prevent unauthorized administrators from making configuration changes. The password for the initial server group was created for the admin user during installation. You can change passwords at any time by using the Account Management option for each server group. See Managing user accounts for server groups on page 68.

Note: Server group passwords are not used to uninstall clients and servers. By default, the password for permitting a client uninstallation is set to symantec. You can change the password that permits a client user to uninstall Symantec Client Security. See Changing the password that is required to uninstall on page 189.

Server groups are automatically locked by default each time that you start the Symantec System Center, unless you configure the Symantec System Center to automatically unlock the server group when you start the Symantec System Center. User names and passwords are not saved unless you explicitly configure the Symantec System Center to do so. You can lock and unlock server groups as necessary.

To lock a server group
Right-click the server group that you want to lock, and then click Lock Server Group.

To unlock a server group
1 In the Symantec System Center console, in the left pane, right-click the server group, and then click Unlock Server Group.
2 In the Unlock Server Group dialog box, type the user account name and password for the server group.
3 If you want these options to be filled in automatically each time that you unlock this server group, check Remember this user name and password.
4 If you enable the Symantec System Center to remember the user name and password for this server group, then you can configure the Symantec System Center to start with this server group unlocked. Click Automatically unlock this server group when Symantec System Center starts.
5 Click OK.

To stop saving user name and password or to stop automatic unlocking
1 To stop saving your user name and password, and to stop having the Symantec System Center open with this server group unlocked, right-click the server group, and then click Lock Server Group.
2 Right-click the server group again, and then click Unlock Server Group.
3 In the Unlock Server Group dialog box, uncheck Remember this user name and password and Automatically unlock this server group when Symantec System Center starts.
4 Click OK.

Server groups and server root certificates

The first time that you try to unlock a server group that does not have its server group root certificate on the same computer as the Symantec System Center, the Symantec System Center displays a dialog box with two choices. You can either have the Symantec System Center copy the root certificate to the Symantec System Center computer the first time that you log on to the server group, or copy it by using Windows authentication. If you choose to copy the root certificate, you can suppress this message in the future. Select Windows authentication to provide a greater degree of security.

Viewing and filtering server groups

When you run the Symantec System Center console, you see the servers that are running managed Symantec Client Security products in a tree format. Servers are grouped under server groups. By default, the Symantec System Center console displays all server groups. You can view a single server group and its contents from the Symantec System Center console, or you can filter the server group view to show only a subset of your servers. This view is helpful if you have too many servers to manage easily from one window. You can monitor and administer only the server groups that appear in the list.

Note: You receive notifications only for displayed server groups. If you filter a server group, you do not receive notifications from that server group.

To view a single server group
Right-click the server group, and then click New Window From Here.

To filter the server group view
1 In the left pane, right-click System Hierarchy, and then click View > Filter Server Group View.
2 Uncheck the server groups that you want to filter from the server group list.

Renaming server groups

You can rename server groups as necessary.

To rename server groups
1 Unlock the server group that you want to rename, if necessary.
2 Right-click the server group, and then click Rename.
3 Type the new server group name.

Deleting server groups

Before you can delete a server group, you must move its members to a new or existing server group.

To delete a server group
1 Right-click the server group that you want to delete, and then click Unlock Server Group, if necessary.
2 In the server group that you want to delete, drag any servers into another server group. You can only delete a server group if it is empty.
3 Right-click the empty server group, and then click Delete.
4 Right-click System Hierarchy, and then click Refresh.

Changing primary management servers

You can change primary management servers easily at any time. You can promote secondary management servers as necessary, thereby demoting the primary management server in that group. If you did not remove the primary key file from the primary management server to store it in a safer location, then the primary key file will be copied automatically to the new primary management server.

When you change primary management servers, you may lose the AMS 2 alerts that you have set up. You can reconfigure the alerts on the new primary management server, or export the alerts to the new server before you change primary management servers.

To change primary management servers
1 Double-click the server group icon.
2 Right-click the secondary management server that you want to designate as a primary management server, and then click Make Server A Primary Server.

Changing parent management servers

To change the parent management server of a managed client, you can click and drag the client to a new management server, or you can copy the Grc.dat client configuration file and the server group certificate from the new parent to the client. Then restart the client.

The Grc.dat client configuration file is a text-format file that acts as a repository of changes that are made to a group of clients. The Grc.dat client configuration file facilitates communication between the computers that run Symantec Client Security server software and the computers that run Symantec Client Security client software. These files store important information such as parent management server identity and Symantec Client Security product configuration settings.

The server group root certificate file, xxx.x.servergroupca.cer, contains the server group root certificate for the server group. If you copy the files from the server that you want to act as the parent server and place them on the client, you distribute all of the client settings for that server and establish communications.

You can change the parent management server by using the Symantec System Center or by manually copying files.

To change the parent management server of a client by using the Symantec System Center
Drag the client from the old server to the new server.

To change the parent management server of a client manually when the servers are in the same server group
1 On the intended parent management server, copy the Grc.dat configuration file from the Symantec AntiVirus folder.
2 On the client computer, paste the Grc.dat file into the C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5 folder.
3 Restart the client.

To change the parent management server of a client manually when the servers are not in the same server group
1 On the intended parent management server, copy the Grc.dat configuration file from the Symantec AntiVirus folder.
2 On the client computer, paste the Grc.dat file into the C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5 folder.
3 On the intended parent management server, open the pki\roots folder and copy the xxx.x.servergroupca.cer file.
4 On the client computer, paste the xxx.x.servergroupca.cer file into the pki\roots directory, which appears under the directory that contains the Symantec Client Security files.
5 Restart the client.

Moving a server to a different server group

When you move a server, a server configuration file that is named Grcsrv.dat is created on the server automatically. This file synchronizes the new server group settings with the server. The new server group must have a primary management server.

The server configuration file is located in the same directory in which Symantec Client Security was installed on the server. It has the same format as a Grc.dat client configuration file. It is created when you synchronize a server to a new server group's settings.

Note: If you want to add more servers to a server group, and you have archived the private key for the server group, you must copy the server group private key back to the pki\private-keys directory on the primary management server.

To move a server to a different group
Drag the server that you want to move into the new server group.

Restoring client communication when a primary server is lost

If you lose your primary server and you did not create a secondary management server in your server group, then you must reinstall Symantec AntiVirus on the primary server. To restore communication with managed client computers after reinstalling Symantec AntiVirus server, when you do not have a backup copy of the primary server's pki folder, you must do the following:
- Delete the old certificates on the server's managed client computers.
- Copy the server's new certificates and Grc.dat file to its managed client computers.

To restore communication with managed client computers after reinstalling Symantec AntiVirus server
1 On the managed client computer, stop the Symantec AntiVirus service, Rtvscan.
2 Delete all certificates in the pki\roots folder in the client computer's Symantec AntiVirus program folder. The default path to the Symantec AntiVirus program folder is <Drive>:\Program Files\Symantec Client Security\Symantec AntiVirus.
3 On the Windows taskbar, click Start > Run.
4 In the Run dialog box, type the following text: \\<server name>\vphome
where <server name> is the name of the Symantec AntiVirus server.
5 Click OK.
6 Copy the Grc.dat file from the server's vphome folder to the following folder on the client computer: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\

7 Copy the <xxx.x>.servergroupca.cer file from the vphome\pki\roots folder on the server to the \pki\roots folder on the client computer. The default location of the \pki\roots folder on the client computer is <Drive>:\Program Files\Symantec Client Security\Symantec AntiVirus\pki\roots\
8 Set the DWORD value of the HKLM\Software\Intel\LANdesk\VirusProtect6\CurrentVersion\ProductControl\ReloadRootCertsNow registry key to one. Rtvscan then picks up the new roots.

Managing user accounts for server groups

Account management provides the secure user accounts and the passwords that you use to unlock and configure server groups. Symantec Client Security provides several preexisting roles with various levels of privileges for user accounts. You can assign a user to one of these roles when you create user accounts for server groups in the Symantec System Center. Table 2-3 describes the roles and their associated privileges.

Table 2-3 User account roles and privileges

Role name: Read-only
Description: This role allows the user to lock and unlock the server group, and to view information about the server group. Users have no write access to the server group, so they cannot make any configuration changes to the server group, or to any of its servers and clients.

Role name: Administrator
Description: This role gives the user full access to the server group. The user can lock and unlock the server group, and configure both servers and clients in the server group.

Role name: Central Quarantine
Description: This role allows the user to do the following:
- Read from and write to virus definitions files.
- Roll out virus definitions updates to a client or server in the server group.
- Ping machines in the server group.
Users that are assigned to this role are not allowed to lock and unlock the server group by using the Symantec System Center.

Table 2-3 User account roles and privileges (continued)

Role name: Gateway Security
Description: This role allows the user to ping computers in the server group. Users that are assigned to this role are not allowed to lock and unlock the server group by using the Symantec System Center.

If the Symantec System Center cannot verify the user's role, the user account defaults to Gateway Security, the least privileged of the roles.

Symantec Client Security also provides one preexisting user who is named admin, and who is assigned to the Administrator role. You cannot delete the admin user account or change its user name, but you can change its password.

The following restrictions apply to user accounts:
- Passwords that you set must be at least six characters long.
- Account user names must be unique and are not case-sensitive.
- Passwords are case-sensitive.
- User names cannot contain spaces.
- User names cannot contain the following special characters: " / ; \ - . + ' : =

You can assign multiple user accounts with administrative privileges to a server group. You can manage the accounts for only one server group at a time.

To create a user account for a server group
1 Right-click the appropriate server group.
2 Click Account Management.
3 In the Configure Server Group Accounts dialog box, click Add.
4 In the Account Setup dialog box, do the following:
- Type the user name.
- Type the password twice.
- Under Account Type, select the role that you want to assign to the user: Read-only, Administrator, Central Quarantine, or Gateway Security.
5 Click OK.
6 Click Finished.
The changes are then sent to the secondary management servers in the server group.
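The account restrictions listed above, encoded as an added Python pre-check that an administrator could run over a planned list of accounts before typing them into the Account Setup dialog box. This is not Symantec's code and does not reproduce the Symantec System Center's own validation; the function names are this example's own, and the only rules applied are the ones the guide states (minimum password length, case-insensitive uniqueness, no spaces, the forbidden character set, and the permanent admin account).

```python
"""Pre-check of server-group account names and passwords (added example).

Applies exactly the restrictions the guide lists for user accounts. Names of
functions and constants are this example's own, not Symantec's.
"""

# Characters the guide says a user name cannot contain: " / ; \ - . + ' : =
FORBIDDEN_USER_NAME_CHARS = frozenset('"/;\\-.+\':=')
MIN_PASSWORD_LENGTH = 6  # passwords must be at least six characters long


def validate_account(user_name, password, existing_names=()):
    """Return a list of rule violations; an empty list means the account is acceptable."""
    problems = []
    if " " in user_name:
        problems.append("user name contains a space")
    bad = sorted(set(user_name) & FORBIDDEN_USER_NAME_CHARS)
    if bad:
        problems.append("user name contains forbidden characters: " + " ".join(bad))
    # User names are unique and not case-sensitive, so "Admin" collides with "admin".
    if user_name.lower() in {name.lower() for name in existing_names}:
        problems.append("user name is already in use (user names are not case-sensitive)")
    # Passwords are case-sensitive, so nothing is folded here; only the length rule applies.
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"password is shorter than {MIN_PASSWORD_LENGTH} characters")
    return problems


def validate_batch(accounts, existing_names=("admin",)):
    """Check (user_name, password) pairs against each other and against names
    already in the server group. Returns {user_name: problems}. The preexisting
    admin account is always present because the guide says it cannot be deleted."""
    seen = [name.lower() for name in existing_names]
    report = {}
    for name, password in accounts:
        report[name] = validate_account(name, password, seen)
        seen.append(name.lower())  # later entries must not collide with earlier ones
    return report


if __name__ == "__main__":
    # Constructed sample batch: one good account, one duplicate of admin, one bad name.
    planned = [("helpdesk", "Hd-2006!"), ("Admin", "Adm1nPw"), ("j.doe", "short")]
    for name, problems in validate_batch(planned).items():
        print(name, "->", problems or "ok")
```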

To change a user account for a server group
1 Right-click the appropriate server group.
2 Click Account Management.
3 In the Configure Server Group Accounts dialog box, select a user account name.
4 Click Update.
5 In the Account Setup dialog box, type a new password twice. Under Account Type, if you want to change the user's role, select the new role. If you only change the role that is under Account Type, you should leave the password options blank.
6 Click OK.
7 Click Finished.

To delete a user account for a server group
1 Right-click the appropriate server group.
2 Click Account Management.
3 In the Configure Server Group Accounts dialog box, select a user account name.
4 Click Delete.
5 Click Yes to confirm the deletion.
6 Click Finished.

Configuring options for Windows Security Center (WSC)

If you use Windows Security Center running on Windows XP Service Pack 2 to monitor security status, you can use the Symantec System Center to configure the following options for Symantec Client Security:
- The time period after which WSC considers definitions files to be out of date.
- Whether WSC displays antivirus and firewall status alerts for Symantec products on the host computer.

Note: Symantec product status is always available in the Symantec System Center console, regardless of whether WSC is enabled or disabled.

Configuring the out-of-date time for definitions

By default, WSC considers Symantec AntiVirus definitions to be out of date after 30 days. You can change the number of days that definitions can be out of date during installation in the Windows installer or after installation in the Symantec System Center.

Symantec AntiVirus checks every 15 minutes to compare the out-of-date time, the date of the definitions, and the current date. Typically, no out-of-date status is reported to WSC because definitions are usually updated automatically. In the case of a manual update, depending on the out-of-date time that is configured, administrators might have to wait up to 15 minutes to view an accurate status in WSC.

To configure the out-of-date time for definitions
1 Right-click the server group that you want to change.
2 Click All Tasks > Symantec AntiVirus > Client Administrator Only Options.
3 If the prompt for Symantec AntiVirus Management Snap-In appears, click Yes.
4 In the Client Administrator Only Options dialog box, under Windows Security Center, next to Definition of AntiVirus up-to-date, type the number of days, or use the up or down arrow to select the number of days that the virus and security risk definitions can be out of date. The value must be in the range from 1 to
5 Click OK.

Configuring alerts to appear on the host computer

You can configure WSC to display alerts from Symantec AntiVirus by using the Symantec System Center.

To configure alerts to appear on the host computer
1 Right-click the server group, and then click All Tasks > Symantec AntiVirus > Client Administrator Only Options.
2 If the prompt for Symantec AntiVirus Management Snap-In appears, click Yes.
3 In the Client Administrator Only Options dialog box, under Windows Security Center, in the Windows Security Center AntiVirus Alerts drop-down list, select one of the following:
  Disable: WSC does not display these alerts on the Windows system tray.
  Enable: WSC displays these alerts on the Windows system tray.
  No action: WSC uses the existing setting to display these alerts.

4 Click OK.
5 Restart the clients in each server group to make the changes take effect.

Configuring Symantec Client Security to disable Windows Security Center

You can configure the circumstances under which Symantec Client Security disables WSC.

To configure Symantec Client Security to disable WSC
1 Right-click the server group that you want to change.
2 Click All Tasks > Symantec AntiVirus > Client Administrator Only Options.
3 In the Client Administrator Only Options dialog box, under Windows Security Center, in the Disable Windows Security Center drop-down list, select one of the following:
  Never: Never disable WSC.
  Once: Disable WSC only once. If a user re-enables it, Symantec Client Security does not disable it again.
  Always: Always disable WSC. If a user re-enables it, it will be disabled again immediately.
  Restore if disabled: Re-enable WSC only if Symantec Client Security disabled it.
4 Click OK.

Optimizing server performance

The Symantec System Center allows you to tune server performance in a number of ways. Tuning can be particularly useful in large deployments that include many servers and managed clients.

Optimizing definitions and configuration rollouts

The Symantec System Center provides several options for tuning how servers roll out definitions and configuration changes to clients. You might need to experiment with these settings to optimize them for your environment. Table 2-4 describes the options for tuning server rollouts.

Table 2-4 Server rollout tuning options

Before attempting rollout, verify that clients have not roamed to another server
  Symantec Client Security concatenates GUIDs and IP addresses to verify client identity. If you use DHCP, experience parent management server contention for clients whose IP addresses change, and have a highly mobile environment, leave this option checked to reduce parent management server conflict over managed clients. If you have a very static environment in which your clients never or rarely change IP addresses, unchecking this option might result in some improvement in performance.

Skip the clients that are late checking in (and are probably offline)
  By default, clients are configured to check in for configuration updates every 60 minutes. Configuring clients to be skipped if they check in late should result in faster performance during rollouts. If they are not skipped, the thread that is used for each offline client is tied up until it times out. Clients receive the appropriate updates after they check in. Checking this option is not recommended in environments in which multiple clients are offline frequently, such as when many clients use VPN tunnels.

Skip the clients that have not checked in since the last failed rollout attempt (and are probably offline)
  Enabling this option should increase performance, but is not recommended in environments in which clients might be offline frequently, for example, when clients use VPN tunnels.

Number of threads to use during rollout
  Each thread represents a rollout to a single client. The valid range is
  A reasonable number of threads to use for most single-processor computers is 30. Use numbers at the high end only if you tune a very powerful server that manages many clients and you have a network that can support the increased bandwidth.

Start a rollout every <number> minutes
  More frequent rollouts use more network bandwidth and server resources, but result in more frequent updates to the clients. The valid range is (one week).

For information about the option to manage legacy clients and servers, see Managing legacy clients on page 87.

To optimize definitions and configuration rollouts
1 Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Server Tuning Options.
2 Check or uncheck the following options:
  - Before attempting rollout, verify that clients have not roamed to another server.
  - Skip the clients that check in late (and are probably offline).
  - Skip the clients that have not checked in since the last failed rollout attempt (and are probably offline).
3 Set the number of threads to use during rollout to a value that is between 1 and
4 Set the number of minutes to wait between rollouts to a value that is between 1 and
5 Click OK.

Monitoring clients

Symantec Client Security allows you to monitor the following major transitions in the life cycle of a client computer:
- The client's initial contact with a parent.
- The times when a client roams from one parent to another.
- The client's failure to check in after a specified amount of time has elapsed.
- The uninstallation of Symantec Client Security software from a client.

To log whether or not a client checks in with the server that manages it, Symantec Client Security compares the last check-in time for each client to a saved value for that client. If the elapsed time is greater than the configured time, the event is logged in the Event Log as a system event.

You can specify how often the Symantec System Center notifies you of these system events. For example, you might set the minutes of inactivity before logging a no-check-in event to (one week), so that Symantec Client Security waits a week before it logs an initial event that a client has not checked in. You might then set the minutes between no-check-in events to 1440 (one day) and the maximum number of events to log to 7. You are then notified in the Event Log every day for a week if the client does not reappear on the network.
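The three Log Client Behavior settings combine into a simple schedule, and it helps to see the guide's one-week, one-day, seven-events example worked through. The following is an added example, not code from the guide or from Symantec: it computes when no-check-in events are due for each client in a constructed roster, using the guide's example values (one week expressed as minutes, 1440 minutes between events, at most 7 events per client). The client names and check-in times are constructed.

```python
"""No-check-in event schedule for monitored clients.

Added example: models the Log Client Behavior rules this guide describes
(first event after the configured minutes of inactivity, further events
every configured number of minutes, up to a per-client maximum). It is
not Symantec code; the roster and times below are constructed.
"""
from datetime import datetime, timedelta

# Values chosen to match the guide's worked example: one week before the
# first event, then one event per day, and at most 7 events per client.
INACTIVITY_MINUTES = 7 * 24 * 60      # one week of inactivity before the first event
BETWEEN_EVENTS_MINUTES = 1440         # one day between subsequent events
MAX_EVENTS_PER_CLIENT = 7


def no_checkin_events(last_checkin, now,
                      inactivity_minutes=INACTIVITY_MINUTES,
                      between_minutes=BETWEEN_EVENTS_MINUTES,
                      max_events=MAX_EVENTS_PER_CLIENT):
    """Return the times at which no-check-in events are logged for one client.

    The first event is due once `inactivity_minutes` have elapsed since the
    last check-in; each further event is due `between_minutes` later, and no
    more than `max_events` are ever logged for the same client.
    """
    events = []
    due = last_checkin + timedelta(minutes=inactivity_minutes)
    while due <= now and len(events) < max_events:
        events.append(due)
        due += timedelta(minutes=between_minutes)
    return events


def event_log_lines(clients, now, **settings):
    """Render system-event style lines for a roster of {name: last_checkin}."""
    lines = []
    for name, last_checkin in sorted(clients.items()):
        for when in no_checkin_events(last_checkin, now, **settings):
            lines.append("%s client %s has not checked in since %s"
                         % (when.isoformat(" "), name, last_checkin.isoformat(" ")))
    return lines


# Constructed roster: one client silent for three weeks, one silent for
# nine days, one that checked in yesterday.
NOW = datetime(2006, 3, 22, 9, 0)
ROSTER = {
    "WKS-01": datetime(2006, 3, 1, 9, 0),
    "WKS-02": datetime(2006, 3, 13, 9, 0),
    "WKS-03": datetime(2006, 3, 21, 9, 0),
}


def demo_counts():
    """Number of no-check-in events due for each constructed client at NOW."""
    return {name: len(no_checkin_events(last, NOW)) for name, last in ROSTER.items()}


if __name__ == "__main__":
    for line in event_log_lines(ROSTER, NOW):
        print(line)
```

With the guide's values, WKS-01 reaches its seven-event cap (one event per day from 8 March to 14 March) and then goes quiet, which is the behaviour the guide describes: you are reminded daily for a week, and not indefinitely.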

For particularly large environments with many thousands of clients managed by a single server, you might want to tune the server parameters to regulate its CPU usage.

To set options for monitoring clients
1 Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Server Tuning Options.
2 On the Client Tracking tab, under Processing Parameters, type the following information:
  - The number of minutes that Symantec Client Security should wait for information from the client.
  - The number of clients that Symantec Client Security should process before pausing.
  - The number of seconds that Symantec Client Security should pause when it checks clients.
3 Under Log Client Behavior, type values for the following options:
  Minutes of inactivity before logging a no-check-in event: The number of minutes without client activity that Symantec Client Security should wait before it logs the first instance of a client's failure to check in.
  Maximum number of no-check-in events per client: The maximum number of no-check-in events to log per client.
  Minutes between no-check-in events: The number of minutes without client activity to wait before subsequent no-check-in events are logged.
4 Click OK.

Turning off client monitoring

You can turn client monitoring off by adding a new DWORD value, HKLM\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\ClientTrack\Enabled, to the server's registry. Set its value to 0 to turn off client tracking. Set its value to 1 to turn on client tracking. By default, client tracking is enabled. You must restart the server for a change to take effect.

Dynamic parent server check-in

Some network environments contain computers that are connected to the network only for brief periods of time. Symantec AntiVirus client computers check in with their parent server at a regular, configurable interval. If the time window in which the client computer is connected to the network overlaps with the client computer's parent server check-in time, the client computer checks in.

If the time windows do not overlap, and the Symantec AntiVirus client computer fails to check in with its parent server during the check-in interval, the client computer begins to monitor IP address changes. If the client computer detects a new IP address, it attempts another connection to the parent server. After a successful connection, configuration files and logs are exchanged as configured and the client computer's check-in period is reset. The client computer does not respond to further IP address changes until the check-in period has expired again. If the check-in is unsuccessful, the Symantec AntiVirus client computer continues to respond to IP address changes until it makes a successful connection to the parent server.

Note: This functionality is only available on Windows client computers. It is not supported on NetWare or Linux computers.

Using Tamper Protection

Tamper Protection provides real-time protection for Symantec applications. It prevents Symantec processes and internal objects from being attacked or affected by non-Symantec processes such as worms, Trojan horses, viruses, and security risks.

Enabling, disabling, and configuring Tamper Protection

When Tamper Protection is enabled, you can configure Symantec AntiVirus to block or log attempts to modify the Symantec processes or the internal software objects that synchronize Symantec threads and processes. Internal objects coordinate the activity of programs running on a computer. For example, when you use Microsoft Outlook to send an e-mail message, the Symantec AntiVirus Snap-in for Outlook coordinates with the Symantec AntiVirus service to ask that the service scan the message.

Windows computers use several different kinds of internal objects. Tamper Protection protects the internal objects that are classified as named mutexes and named events. Mutexes ensure that only one program or thread can use the same resource, such as file access, at any given time. Mutexes are synchronization objects that can be owned by only one thread at a time. When the thread that owns the mutex finishes with the resource, the thread releases the mutex object so that another program or thread can use the resource.

Processes create named events, which notify another program or a waiting thread that processing is complete. For example, event objects can be used by a master thread to prevent other threads from reading from a shared memory buffer while it writes to that buffer. When the master thread is finished writing to the buffer, it can send a named event to signal the waiting threads that they can resume read operations.

On the Windows API level, Tamper Protection intercepts calls to create, open, or modify these objects, such as CreateEvent, SetEvent, CreateMutex, ReleaseMutex, and so on. It then checks the name of the object against its list of protected names, which is called a manifest. If the names match, it next checks whether the executable backing the process that made the call has a valid Symantec digital signature. If the process has a valid signature, the request is permitted; otherwise, it is denied with an ERROR_ACCESS_DENIED error code. This protection works on both single-user systems and terminal servers.

You can also configure a message to appear on your computer when Symantec AntiVirus detects a tampering attempt. By default, notification messages appear when Symantec AntiVirus detects tampering with internal objects. If you enable notifications to be sent when Symantec AntiVirus detects tampering with processes, affected computers may receive notifications about Windows processes as well as Symantec processes.
To enable, disable, and configure Tamper Protection
1 Do one of the following:
  - Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Client Tamper Protection Options.
  - Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Server Tamper Protection Options.

2 Check or uncheck Enable tamper protection.
3 If you enabled Tamper Protection, then under Protection, check or uncheck Processes and Internal objects. In the drop-down list for each option, do one of the following:
  - To block unauthorized activity, click Block.
  - To log unauthorized activity but allow the activity to take place, click Log Only.
4 Under Notifications, check or uncheck Display message on affected computer.
5 Under Notifications, check or uncheck Processes and Internal objects.
6 Under Options, check or uncheck Keep Tamper Protection enabled even if Symantec AntiVirus is shut down.

7 If you configure Client Tamper Protection Options, lock or unlock each setting as appropriate for your network.
8 If you configure Client Tamper Protection Options, or you configure Server Tamper Protection Options at the server group level, click Reset All if you want to propagate the settings on this tab to every client that is attached to the server or server group.

Creating Tamper Protection messages

Tamper Protection lets you create a message that appears on clients when Tamper Protection detects attacks against Symantec applications. The message that you create can contain a mix of text that you type and fields that you select. The fields that you select are the variables that are populated with the values that identify characteristics of the attack. Table 2-5 describes the fields for Tamper Protection messages.

Table 2-5 Fields for Tamper Protection messages

Filename: The name of the file that attacked protected processes.
PathAndFilename: The complete path and name of the file that attacked protected processes.
Location: The area of the computer hardware or software that was protected from tampering. For Tamper Protection messages, this is Symantec applications.
Computer: The name of the computer that was attacked.
User: The name of the logged-on user when the attack occurred.
DateFound: The date on which the attack occurred.
Action Taken: The action that Tamper Protection performed to respond to the attack.
System Event: The type of tampering that occurred.
Entity Type: The type of target that the process attacked.
Actor Process ID: The ID number of the process that attacked a Symantec application.

Table 2-5 Fields for Tamper Protection messages (continued)

Actor Process Name: The name of the process that attacked a Symantec application.
Target Pathname: The location of the target that the process attacked.
Target Process ID: The process ID of the target that the process attacked.
Target Terminal Session ID: The ID of the terminal session on which the event occurred.

Use the following format to create messages:
Text that you type: [Field Name 1] [Field Name 2] (Optional and additional t

The following example illustrates a message that tells you which process attempted to take which action and when:
Date: [DateFound]
Process Located At: [PathAndFilename] (Named: [Actor Process Name])
Attacked: [Target Pathname] [Target Process ID]

To create Tamper Protection messages
1 Do one of the following:
  - Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Client Tamper Protection Options.
  - Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Server Tamper Protection Options.
2 Under Notifications, check Display message on affected computer and click the lock icon to lock this option.
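The decision that the Using Tamper Protection section describes (protected name in the manifest, then a check of the caller's Symantec signature, then Block or Log Only) and the message format shown above fit together: the decision produces the event fields, and the template consumes them. The following is an added example, not Symantec's implementation: it models that decision for an intercepted named-object call and then fills the guide's sample message template from the resulting fields. The manifest names, the signature check (a callback standing in for the Authenticode verification the guide refers to), the ERROR_ACCESS_DENIED value of 5 (the Win32 constant) and the sample caller are all constructed or assumed for the example; the real manifest and real signature validation are not on the page.

```python
"""Tamper Protection decision and notification message, modelled.

Added example (not Symantec code): reproduces the decision the guide
describes for an intercepted named-object call, then fills in a
Tamper Protection message template from the event fields in Table 2-5.
The manifest names, the signature check and the sample event are all
constructed for the example.
"""
import re

ERROR_ACCESS_DENIED = 5   # Win32 error code value returned to the denied caller

# Constructed stand-in for the manifest of protected object names.
PROTECTED_NAMES = frozenset({"Sym_ExampleScanMutex", "Sym_ExampleReadyEvent"})


def tamper_decision(object_name, caller, mode, is_symantec_signed, manifest=PROTECTED_NAMES):
    """Decide an intercepted CreateMutex/CreateEvent-style call.

    `caller` describes the calling process (dict of Table 2-5 fields).
    `mode` is "Block" or "Log Only", as chosen in Client Tamper Protection
    Options. `is_symantec_signed(path)` stands in for the signature check of
    the caller's executable, which this example does not perform itself.

    Returns (result, event): result is "allowed" or ERROR_ACCESS_DENIED;
    event is None when nothing is logged, otherwise the fields to report.
    """
    if object_name not in manifest:
        return "allowed", None          # not a protected name: passed through untouched
    if is_symantec_signed(caller["PathAndFilename"]):
        return "allowed", None          # valid Symantec signature: request permitted
    blocked = (mode == "Block")
    event = dict(caller)
    event["Action Taken"] = "Blocked" if blocked else "Logged"
    event["System Event"] = "Tamper attempt"
    event["Entity Type"] = "Internal object"
    event["Target Pathname"] = object_name   # for an internal object, the object's name
    return (ERROR_ACCESS_DENIED if blocked else "allowed"), event


FIELD_PATTERN = re.compile(r"\[([^\]]+)\]")


def render_message(template, event):
    """Replace [Field Name] placeholders with event values; unknown fields stay as typed."""
    return FIELD_PATTERN.sub(lambda m: str(event.get(m.group(1), m.group(0))), template)


# The message layout used as the example in this guide.
TEMPLATE = ("Date: [DateFound]\n"
            "Process Located At: [PathAndFilename] (Named: [Actor Process Name])\n"
            "Attacked: [Target Pathname] [Target Process ID]")

# Constructed caller: an unsigned process trying to open a protected mutex.
SAMPLE_CALLER = {
    "Filename": "dropper.exe",
    "PathAndFilename": r"C:\Temp\dropper.exe",
    "Actor Process Name": "dropper.exe",
    "Actor Process ID": 4120,
    "Computer": "WKS-07",
    "User": "jdoe",
    "DateFound": "2006-03-22 09:14",
    "Target Process ID": 1188,
}


def demo(mode="Block"):
    """Run the sample call in the given mode; returns (result, rendered message or None)."""
    result, event = tamper_decision("Sym_ExampleScanMutex", SAMPLE_CALLER, mode,
                                    is_symantec_signed=lambda path: False)
    return result, (render_message(TEMPLATE, event) if event else None)


if __name__ == "__main__":
    for mode in ("Block", "Log Only"):
        result, message = demo(mode)
        print(mode, "->", result)
        print(message)
```

In Block mode the caller gets ERROR_ACCESS_DENIED and a message is produced; in Log Only mode the same call is allowed but still reported, which is what the Block and Log Only choices in step 3 of the previous procedure mean in practice.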

3 Click Message.
4 In the Message box, click to insert a cursor.
5 Use your keyboard to move the cursor, add rows, and type and delete text.
6 Move the cursor to the position in which you want to insert a field, right-click, click Insert Field, and then select the field to insert. See Table 2-5 on page 80.
7 Repeat steps 5 and 6 as necessary.
8 Right-click in the field and use any of the following as necessary: Cut, Copy, Paste, Clear, or Undo.

Using client groups to manage

Creating client groups

You can create as many client groups as you need to manage your clients efficiently. All server groups contain a single Groups folder that contains all of the groups for that server group. When you create a new client group, the client group appears inside the Groups folder.

By default, client groups inherit their settings from their server group, but you can change this setting. See Using client group settings instead of server group settings on page 87.

To create a client group
1 Under the server group to which you want to add the client group, right-click the Groups folder, and then click New Group.
2 In the New Client Group dialog box, type the name for the new client group. The name cannot have more than 15 characters.
3 To apply the settings from an existing client group to the new client group, select the name of the existing client group from the drop-down list.
4 Click Create.

Adding clients to a client group

Computers that are running Symantec Client Security server, client, and legacy versions can be added to client groups. All clients are treated identically. If a legacy antivirus client does not have the feature for which a configuration option setting is set, the setting is ignored. A client can belong to only one client group.

To add a client to a client group
1 Click the server that contains the client.
2 In the right pane, drag the client into the client group.

Configuring settings and running tasks at the client group level

You can set configuration options and run tasks at the client group level. The settings apply to, or the task runs on, all clients in the client group.

To configure settings and run tasks at the client group level
1 Right-click the client group.
2 Click All Tasks.
3 Select the product for which you want to set options.
4 Make the appropriate changes for the settings that you want to configure or the task that you want to run.

About client group settings

Client group settings are stored in the primary management server's registry. They are rolled out to each server in a client group configuration file named Grcgrp.dat. The primary management server packages all client group settings into the client group configuration file and then copies it to each secondary management server in the server group. The secondary management server rolls out the settings to the clients that it manages.

Moving a client to a different client group

You can move clients easily from one client group to another.

To move a client to a different client group
Drag the client that you want to move into the new client group. Once you move the client, it receives the new client group's configuration settings.

Viewing and filtering client groups

When you view client groups, you can do the following:
- View a single client group.
- View information about client groups.
- Filter the client group view to show only the information that interests you.

Note: Filtering is disabled by default.

When you select a client group in the left pane, all of the clients that are assigned to it appear in the right pane. When the Groups folder is selected in the left pane and Default Console View or a Symantec product view is selected from the View menu, the client groups appear in the right pane along with information specific to the view. For example, when the Default Console View is active, the number of clients in each client group appears.

The clients must be enumerated to display the client groups accurately. Client group filtering must be enabled in the SSC Console Options Properties dialog box on the Client Display tab for the clients to be enumerated. When you select the Groups folder, the number of clients that are reported for each client group may not be accurate until a client group is selected.

Filtering improves client viewing performance in the Symantec System Center console. However, if there are many clients and servers in the server group, filtering may have a performance impact. See To filter the client group view on page 85.

To view a single client group
1 In the Symantec System Center console, in the left pane, right-click the server group that contains the client group, and then click Unlock Server Group.
2 Double-click the server group.
3 Double-click the Groups folder. The client groups appear nested beneath the Groups folder.

To filter the client group view
1 On the Tools menu, click Symantec System Center Console Options.
2 In the Symantec System Center Console Options Properties dialog box, on the Client Display tab, under Client Group Display Options, check Show client computers when viewing client groups.
3 Under Client list cache option, check Build client lists when the server group is unlocked, if appropriate. This option enumerates all of the clients in the server group when it is unlocked. When this option is unchecked, clients are not added to their client groups until the server is selected. The number of clients in a client group is not accurate until all of the servers in the server group have been selected. This option might affect performance if the server group contains many clients and servers.

4 Under Client configuration options, check Indicate when clients are offline to display a unique icon in the Symantec System Center console when a client is not connected to the network.
5 Click OK.
6 On the Action menu, click Refresh.

Renaming client groups

If you need to change the client group name, you must complete the following tasks:
- Create a new client group and import settings from another client group, if appropriate. See Creating client groups on page 82.
- Move clients from the old client group to the new client group. See Moving a client to a different client group on page 84.
- Delete the old client group. See Deleting client groups on page 86.

Deleting client groups

When a client group is deleted, the clients that are assigned to it retain the settings of the deleted client group. The clients are not assigned new settings until one of the following actions occurs:
- The client checks in with its parent management server. The client is then assigned the server's default settings for unassigned clients.
- The client is assigned to another client group. The client is then assigned the settings of the new client group.

If you delete a client group, and then recreate it before the clients check in with their parent management servers or are reassigned, the clients resume membership in the group automatically. They continue to assume the settings of that group.

To delete a client group
1 In the Symantec System Center console, in the left pane, unlock the server group from which you want to delete the client group.
2 Double-click the server group.
3 Double-click the Groups folder.
4 Right-click the target client group, and then click Delete Group.

5 Click Yes.
6 Click Delete.

Using client group settings instead of server group settings

By default, client groups inherit their settings from the server group that they are in, but you can toggle this setting on or off at the client group level.

To configure a client group to use its own settings
Right-click the client group, and then uncheck Inherit settings from Server Group.

Managing clients

You can perform several client management tasks in the Symantec System Center to manage the clients on your network.

Managing legacy clients

The current version of Symantec Client Security uses the Secure Sockets Layer protocol running over TCP to encrypt communications between servers and clients. Symantec Client Security versions 9.x and earlier used UDP for such communications. If you migrate version 9.x and earlier servers that manage legacy clients, UDP communications are permitted by default to support the legacy clients.

If you perform a new installation (not a migration) of a Symantec Client Security server that has no clients, the ability to manage legacy clients is disabled by default. In this instance, if you want to manage the clients that run version 9.x or earlier, you must explicitly enable the management of legacy clients on the server. After you enable this option, you need to restart the server that you configured for the change to take effect.

To manage legacy clients
1 Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Server Tuning Options.
2 On the Rollout and Management tab, check Allow this server to manage 9.x and earlier clients and servers (requires reboot to take effect).
3 Click OK.

Enabling direct client configuration

You can permit the direct configuration of Symantec Client Security clients. The options that you set directly remain in force until a new Grc.dat configuration file is copied to the client.

To enable direct client configuration
1 Click Tools > SSC Console Options.
2 In the SSC Console Options Properties dialog box, on the Client Display tab, under Client Configuration Options, click Allow direct configuration of individual clients.
3 Click OK.

Handling clients with intermittent connectivity

Each Symantec Client Security server stores a list of Symantec Client Security clients that it manages and provides this data to the Symantec System Center. By default, clients check in with their parent management servers once an hour. Parent management servers review their lists of clients once an hour.

Parent management servers track client check-in times. If a client fails to check in with its parent management server for more than 30 days, the parent management server removes that client from its list of clients and logs that client as deleted. The next time that the Symantec System Center queries the parent management server for a list of its clients, that client will not appear.

You can control this behavior by configuring the following settings:
- The client check-in interval.
- The client expiration interval.

Changing the client check-in interval

By default, the client check-in interval is set to 60 minutes. You can change the check-in interval by editing the CheckConfigMinutes registry value or by using the Symantec System Center.

To change the client check-in interval
1 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, under How Clients Retrieve Virus Definitions Updates, check Update virus definitions from parent server.
3 Click Settings.

4 In the Update Settings dialog box, in the Check for updates every box, type the interval in minutes.
5 Click OK until the main Symantec System Center console window appears.

Changing the client expiration interval

On the parent management server, change the client expiration interval by adding a new DWORD, ClientExpirationTimeout, to the HKEY_LOCAL_MACHINE\Software\Intel\LANDesk\VirusProtect6\CurrentVersion registry key. Make its value a number greater than 0.

Warning: The client expiration interval must be greater than the client check-in interval or the parent management server deletes and adds clients continually.

Without the use of the ClientExpirationTimeout value, the default time is 720 hours. Use a smaller value to decrease the number of minutes that it takes for the client to be removed from the console, or use a larger value to increase the time. For example, if a large number of your client computers are removed from the Symantec System Center because people are away from the office and their computers are turned off, you can specify a larger number. If the new client configuration is not immediately received by the parent management server or by the client, the information is updated during the client check-in.

Changing the management mode of a client

You can change an unmanaged client into a managed client and a managed client into an unmanaged client. When you change an unmanaged client into a managed client, it appears in and can be configured by the Symantec System Center. Similarly, changing a managed client into an unmanaged client causes the client to disappear from the Symantec System Center.

To change unmanaged clients into managed clients
1 Open Network Neighborhood or My Network Places.
2 Locate and double-click the computer that you want to act as the parent management server. The Symantec Client Security server software must be installed on the computer that you select.
3 Open the VPHOME\Clt-inst\Win32 folder.

4 Copy the Grc.dat configuration file in that folder to the <volume>:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5 folder on the unmanaged client.
5 On the intended parent management server, open the pki\roots folder and copy the <xxx.x>.servergroupca.cer file.
6 On the client computer, paste the <xxx.x>.servergroupca.cer file into the pki\roots directory, which appears under the directory that contains the Symantec Client Security files.
7 Restart the client.

To change managed clients into unmanaged clients
1 Uninstall Symantec Client Security from the client workstation. See the Symantec Client Security Installation Guide for more information.
2 Using the registry editor, delete the following subkey: HKEY_LOCAL_MACHINE\Software\Intel\LANDesk\VirusProtect6
3 Begin to reinstall Symantec Client Security client software, and when you are prompted to select managed or unmanaged, select unmanaged.
4 Finish the installation.
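The warning under Changing the client expiration interval (the expiration interval must exceed the check-in interval, or the parent management server deletes and adds clients continually) is easy to verify with a small simulation. The following is an added example, not Symantec code: it models one client checking in at the configured interval against a parent server that reviews its client list once an hour, as the Handling clients with intermittent connectivity section describes, and counts how often the client is logged as deleted and re-added. Both intervals are expressed in minutes in this model; the unit the ClientExpirationTimeout registry value expects is not stated in this guide, so treat that choice as an assumption of the example. The hourly review timing and the interval values used in the test are constructed.

```python
"""Client expiration versus check-in interval, simulated.

Added example (not Symantec code): models the parent management server
behaviour described under "Handling clients with intermittent
connectivity". A client checks in every check-in interval; the server
reviews its client list once an hour and drops any client whose last
check-in is older than the expiration interval. Both intervals are in
minutes here, an assumption of this model.
"""

REVIEW_EVERY_MINUTES = 60                 # the guide: parent servers review their client lists hourly
DEFAULT_EXPIRATION_MINUTES = 720 * 60     # the guide's default of 720 hours, as minutes


def check_intervals(checkin_minutes, expiration_minutes):
    """Return None if the pair is acceptable, else a message describing the problem.

    This is the condition the guide's warning states, checked before a
    value reaches the registry.
    """
    if checkin_minutes <= 0 or expiration_minutes <= 0:
        return "both intervals must be greater than 0"
    if expiration_minutes <= checkin_minutes:
        return ("client expiration interval (%d) must be greater than the check-in "
                "interval (%d)" % (expiration_minutes, checkin_minutes))
    return None


def simulate_roster(checkin_minutes, expiration_minutes, total_minutes):
    """Simulate one client against one parent server; return add/delete counts."""
    last_seen = None          # None means the client is not on the server's list
    counts = {"added": 0, "deleted": 0}
    for minute in range(1, total_minutes + 1):
        # Hourly list review runs first: a stale client is logged as deleted.
        if (minute % REVIEW_EVERY_MINUTES == 0 and last_seen is not None
                and minute - last_seen > expiration_minutes):
            last_seen = None
            counts["deleted"] += 1
        # Then the client's scheduled check-in, which re-adds it if it was dropped.
        if minute % checkin_minutes == 0:
            if last_seen is None:
                counts["added"] += 1
            last_seen = minute
    return counts


if __name__ == "__main__":
    # Constructed settings: a 60-minute check-in interval against a 30-minute
    # expiration (the misconfiguration the guide warns about) and against the default.
    print("expiration shorter than check-in:", simulate_roster(60, 30, 600))
    print("default expiration:", simulate_roster(60, DEFAULT_EXPIRATION_MINUTES, 600))
    print(check_intervals(60, 30))
```

With the 30-minute expiration the client is deleted at every hourly review and re-added at its next check-in, which is the churn the warning describes and the reason to run check_intervals before editing the registry value.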

Chapter 3
Alert Management System

This chapter includes the following topics:
- About the Alert Management System
- How Alert Management System works
- Configuring alert actions
- About configuring alert action messages
- Configuring a default alert message
- Working with configured alerts
- Using the Alert Management System Alert Log
- Forwarding alerts from unmanaged clients

About the Alert Management System

Alert Management System 2 (AMS 2) provides emergency management capabilities. AMS 2 supports alerts on any supported NetWare server or Windows server. You must explicitly install AMS 2; it is not installed by default.

AMS 2 can generate alerts through the following means:
- Message box
- Broadcast
- Internet mail
- Page
- Run a program
- Write to the Windows Event Log
- Send an SNMP trap
- Load an NLM

Note: Alerts that are generated through SNMP traps can be sent to any third-party SNMP management console. To receive SNMP traps from Symantec Client Security, you must have the Symantec System Center and AMS 2 installed. Install AMS 2 on a primary management server if you want SNMP traps that are generated from that system. You must use the Symantec System Center to designate the primary management server. See Configuring the Send SNMP Trap alert action on page 101.

How Alert Management System works

AMS 2 alerts are transferred from Symantec Client Security into AMS 2 through the Symantec Client Security service. On a computer running the Symantec Client Security client software, the Symantec Client Security service waits for an event thread that requires an alert. These threads can be generated by the following events:
- Configuration change
- Default Alert
- Symantec Client Security startup/shutdown
- Scan Start/Stop
- Risk Repair Failed
- Risk Repaired
- Virus Definitions File Update
- Virus Found

If you have configured an alert for any of these events, the event generates a thread when it occurs. The thread prompts the Symantec Client Security service to create a risk information block, which it forwards to the client's parent management server. When the parent management server receives the risk information block, it enters it into its AMS 2 log. The risk information is then forwarded to the primary management server, which makes a call to AMS 2. AMS 2 enters the information into the AMS 2 database and acts on it. The action that is taken depends on how you have configured the alert.

Communication in AMS 2 is carried out through CBA, which is part of the Intel Communication Method.

Configuring alert actions

Alert configuration tasks

AMS 2 lets you configure many different methods of notification, such as pager, SNMP, and Internet mail, for detected viruses or security risks and configuration changes. AMS 2 alert configuration requires the following related tasks:
- Select an alert in the Alert Actions dialog box.
- Select the alert action that you want to configure for that alert. The alert action is the response that AMS 2 sends you when an alert parameter is detected.
- Configure the alert action that you selected. For example, you can configure the Send Page alert action to notify you if a virus or security risk is detected on a protected server. The pager message can also include information such as the virus or security risk name and type, and the actions that were taken.

There are no default alert actions for any of the alerts. Until you configure AMS 2, no alerts are generated, though virus and security risk events are logged in the AMS 2 log file. You can set up more than one action for each alert. Once you have configured alert actions for an alert, a plus (+) or minus (-) sign appears next to each configured alert, depending on whether the entry is collapsed or expanded.

Each AMS 2 alert action has its own configuration wizard. Once you have configured an alert action, the action appears in the Alert Actions dialog box under the alert for which you configured the action.

All alert actions execute on the computer that you select when you configure the action. Actions will not execute if you configure them on a computer that does not support that particular action. For example, any computer on which you configure the Send Page action must have a modem.

Speeding up alert configuration

If you have a large network, you may be able to speed up and simplify your configuration of AMS 2 by searching only a certain segment of your network for AMS 2 computers. This is especially useful if you manage a large network with many different servers and want to confine your search to one section of the network, or one specific subnet mask. The process is faster when you limit your search, and alerts are contained in the defined network segment. You can specify whether you want AMS 2 to discover clients only within a certain octet or subnet mask.

To speed up alert configuration
1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure.
2 Click Options.
3 In the Options dialog box, in the Add IP address box, type the TCP/IP network broadcast address where you want to search for AMS 2 computers. This is the first three segments of the computer's IP address followed by an all-inclusive segment. For example, if you enter a search broadcast address of , any of the 256 computers with AMS 2 in the subnet will receive the broadcast. So if you are searching for an AMS 2 computer that has an IP address of , you will find it.
4 Click Add to add this net address to the Current discovery broadcast addresses list. Only broadcast networks that are listed here are searched to discover new AMS 2 computers. If you have not specified any broadcast networks, the entire network is searched each time that you start a Discovery.
5 To remove a net address that is no longer needed from the Current discovery broadcast addresses list, select the address, and then click Remove. When you remove a net address from this list, it does not disable that section of the network. Removing a net address only prevents AMS 2 from searching that section of the network for AMS 2 computers.
6 Click OK to save the list and return to the Alert Actions dialog box.

Configuring the Message Box alert action

The Message Box alert action displays a message box on the computer from which you configure the action. You can select whether the message box sounds a beep when it appears and whether the message box always stays on the screen until cleared.

To configure the Message Box alert action
1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure.
2 Select the alert for which you want to configure alert actions.
3 Click Configure.
4 Click Message Box, and then click Next.
5 Select a computer to execute the action, and then click Next.
6 Select whether you want an error beep and whether you want the dialog box always to appear on top until it is cleared.
7 Click Next.
8 Type an action name. The action name and the action computer name appear in the Alert Actions dialog box beside this action.
9 In the Message box, type any message text that you want to display and move the available parameters that you want from Alert Parameters to the Message box. See About configuring alert action messages.
10 Click Finish.
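The discovery broadcast address described under "Speeding up alert configuration" above (the first three octets of a computer's address followed by an all-inclusive segment) can be computed and checked with the standard library. The following is an added example, not code from the Symantec guide or from AMS 2. It goes slightly beyond the guide's single case by accepting any prefix length, so the same check covers the "subnet mask" wording above; the default of 24 reproduces the three-octet case. All addresses in it are constructed sample values, and `would_be_found` implements the rule from step 4 that an empty list means the whole network is searched.

```python
"""Derive and check AMS 2 discovery broadcast addresses.

Added example, not from the Symantec guide. The guide's broadcast address is the
first three octets of a host's IP address followed by an all-inclusive segment,
i.e. the broadcast address of the host's /24 network. The prefix length is a
parameter so that other subnet masks can be checked the same way.
All addresses used here are constructed sample values.
"""
from __future__ import annotations

import ipaddress


def discovery_broadcast(host: str, prefix_len: int = 24) -> str:
    """Return the broadcast address of the network containing `host`.

    With the default /24 this is the guide's "first three segments followed by an
    all-inclusive segment", for example a.b.c.255.
    """
    net = ipaddress.ip_network(f"{host}/{prefix_len}", strict=False)
    return str(net.broadcast_address)


def hosts_reached(broadcast: str, prefix_len: int = 24) -> int:
    """Number of addresses covered by one discovery broadcast (256 for a /24)."""
    return ipaddress.ip_network(f"{broadcast}/{prefix_len}", strict=False).num_addresses


def would_be_found(candidate: str, broadcast_list: list[str], prefix_len: int = 24) -> bool:
    """True if `candidate` lies in a network on the Current discovery broadcast addresses list.

    An empty list means no restriction: the entire network is searched (step 4 above).
    """
    if not broadcast_list:
        return True
    target = ipaddress.ip_address(candidate)
    return any(
        target in ipaddress.ip_network(f"{b}/{prefix_len}", strict=False)
        for b in broadcast_list
    )


if __name__ == "__main__":
    # Constructed sample: an AMS 2 computer at 192.0.2.17 and the list you would add in step 3/4.
    broadcast = discovery_broadcast("192.0.2.17")
    print(broadcast, hosts_reached(broadcast))
    print(would_be_found("192.0.2.200", [broadcast]), would_be_found("198.51.100.5", [broadcast]))
```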

Configuring the Broadcast alert action

The Broadcast alert action sends a message to all computers logged on to the server that generates the alert.

To configure the Broadcast alert action
1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure.
2 Select the alert for which you want to configure alert actions.
3 Click Configure.
4 Click Broadcast, and then click Next.
5 Select a computer to execute the action, and then click Next.
6 In the Message box, type any message text that you want to display and move the available parameters that you want from Alert Parameters to the Message box. See About configuring alert action messages.
7 Type an action name. The action name and the action computer name appear in the Alert Actions dialog box beside this action.
8 Click Finish.

Configuring the Run Program alert action

The Run Program alert action runs a program on the computer for which you configure the alert action. You must complete two fields in the Run Program dialog box. The Program box should contain the full path to the program that you want to run. The Command Line box should contain any command-line options for that program.

The program that you select should be on the computer's local drive to ensure that AMS 2 can find it. If you are running the program on a remote computer, you must enter the path to the program as seen from that computer. If you are running a Windows program, you can select whether that program runs in a normal, minimized, or maximized state. This option has no effect on MS-DOS programs.

To configure the Run Program alert action
1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure.
2 Select the alert for which you want to configure alert actions.
3 Click Configure.
4 Click Run Program, and then click Next.
5 Select a computer to execute the action, and then click Next.
6 Type the full path name of the program that you want to run, including the program name.
7 Type any command-line options that you want the program to use.
8 Select a Windows execution state of normal or minimized.
9 Click Finish.

Configuring the Load An NLM alert action

The Load An NLM alert action loads a NetWare Loadable Module (NLM) on a selected NetWare server when the AMS 2 alert occurs. You must configure this alert to determine which NLM is loaded and the server onto which it loads. This alert action is similar to the Run Program alert action for a Windows computer.

For example, if you were running the Symantec Client Security management snap-in, you could configure the Load An NLM alert action to load an NLM that you or a third party created on a selected NetWare server when Symantec Client Security detects a risk. This NLM could monitor who accesses the server and who uses the infected file. It could also back up files if the server crashes because of the infection.

To configure the Load An NLM alert action
1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure.
2 Select the alert for which you want to configure alert actions.
3 Click Configure.
4 Click Load An NLM, and then click Next. The first time that you configure this action, AMS 2 needs to search the network for NetWare computers that can perform this action. When the search completes, the NetWare computers appear in tree format.
5 If the computer that you are looking for does not appear in the list, click Options. See Speeding up alert configuration.
6 Select the computer on which the NLM should load, and then click Next.
7 Type or select the NLM to load. NLMs are usually stored in the SYS:\SYSTEM directory on NetWare servers.
8 Type any command-line options that you want the program to use.
9 Click Finish.

Configuring the Send Internet Mail alert action

The Send Internet Mail alert action sends an Internet mail message to the user that you specify. When you use the Send Internet Mail alert action, you also need to specify the SMTP Internet mail server through which the alert action sends the message. If you specify the mail server by name, you need a DNS server configured so that the Send Internet Mail alert action can resolve the server's IP address. If you do not have a DNS server, you can enter the mail server's IP address directly. If you do not have access to an SMTP Internet mail server at your site, this alert action does not work.

To configure the Send Internet Mail alert action
1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure.
2 Select the alert for which you want to configure alert actions.
3 Click Configure.
4 Click Send Internet Mail, and then click Next.
5 Select the computer to execute the action, and then click Next.
6 In the To Internet Mail Address, Return Internet Mail Address, Subject, and SMTP Mail Server boxes, type or select information as appropriate. It is preferable to provide the mail server's IP address rather than its name. The Return Internet Mail Address box must contain a valid Internet address; most servers will not send a message if they cannot validate the sender's address.
7 Click Next.
8 In the Message box, type any message text that you need and move the available parameters that you want from Alert Parameters to the Message box. See About configuring alert action messages.
9 Type an action name. The action name and the action computer name appear in the Alert Actions dialog box beside this action.
10 Click Finish.

About paging services

You can access a paging service either directly or indirectly. Direct paging refers to dialing the service provider's network access phone number and accessing the service provider's computer network directly to enter the pager identification number. The paging service network then sends the message to the pager.

AMS 2 alerting does not work with indirect paging. Indirect paging involves calling a paging service, speaking with an operator, and giving the operator the pager's identification number. The paging service operator enters the information into the paging network, which then sends the message to the pager. The indirect paging method is often used when contacting the network directly would be a toll call and the pager service offers toll-free service through the operator.

Configuring the Send Page alert action

The Send Page alert action sends a pager message to the number that you specify. You need to configure the Send Page alert action for your paging service. At a minimum, this information includes the paging service phone number and the name of the paging service that you use.

Note: Any computer on which you configure a Send Page action needs to have a modem. See Testing configured alert actions on page 106.

To configure the Send Page alert action
1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure.
2 Select the alert for which you want to configure alert actions.
3 Click Configure.
4 Click Send Page, and then click Next.
5 Select a computer to execute the action, and then click Next.
6 Type the access telephone number that you call to reach the paging service. Be sure to include any numbers necessary to access an outside line from your site.
7 Type the pager ID number and password that you use to access the paging service network. If your paging service does not use a password, leave the Password box blank.
8 Select your service type. If your paging service is not in the Service drop-down list in the Send Page dialog box, try the Standard Numeric or the Standard Alpha/Numeric service. Select the one that most closely matches the type of pager that you use. If the generic service that you select does not work with your pager, you must configure the communication parameters that the Send Page alert action needs to use. You can get this information from your paging service. If necessary, do the following:
   - Click Settings.
   - In the drop-down lists, select the baud rate, data and stop bits, parity, and the paging protocol that your paging service uses, and then click OK.
   If your paging service is in the Service drop-down list, these parameters are configured automatically when you select the service.
9 Click Next. If you create a message for an alphanumeric pager, in the Message box type any message text that you want to display and move the available parameters from Alert Parameters to the Message box. If you create a message for a numeric pager, you can only type numbers in the Message box.
   The Send Page alert action supports both alphanumeric and numeric-only pagers (numeric-only pagers are sometimes called beepers). If you are paging an alphanumeric pager, the message can include any text that you type in and information from the alert that generated the message. This message should not exceed the maximum number of characters that your paging service supports; otherwise, you could get a truncated message. If you are paging a numeric-only pager, you may want to create a system of server numbers and numeric error codes that correspond to the alerts that you configure. For instance, you could create a system where 1 refers to your main production server and 101 means that some specific event has occurred. If you received the message 1 101, you would know that the event had occurred on your main production server.
10 Type an action name. The action name and the action computer name appear in the Alert Actions dialog box beside this action.
11 Click Finish.

Configuring the Send SNMP Trap alert action

Simple Network Management Protocol (SNMP) is a message-based protocol based on a manager/agent model consisting of Get, GetNext, and Set messages and responses. SNMP uses traps to report exception conditions such as component failures and threshold violations. AMS 2 can generate an SNMP trap when an alert occurs. You can configure systems generating alerts to send these traps to a management console, such as HP OpenView, Tivoli Enterprise Console, or Computer Associates Unicenter. You must specify the IP address of the computers to which you want SNMP traps sent.

To configure the Send SNMP Trap alert action
1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure.
2 Select the alert for which you want to configure alert actions.
3 Click Configure.
4 Click Send SNMP Trap, and then click Next.
5 Select a computer to execute the action, and then click Next.
6 In the Message box for the SNMP trap, type any message text that you want to display and move the parameters that you want from Alert Parameters to the Message box.
7 Type an action name. The action name and the action computer name appear in the Alert Actions dialog box beside this action.
8 Click Finish.

Configuring trap destinations for Windows 2000/2003 Server

You can configure SNMP trap destinations for Windows 2000/2003 Server.

To configure trap destinations for Windows 2000/2003 Server
1 On the Windows taskbar, click Start > Settings > Control Panel.
2 Double-click Administrative Tools.
3 Double-click Computer Management.
4 Click Services and Applications.
5 Click Services.
6 In the right pane, click SNMP Service.
7 On the Action menu, click Properties.
8 On the Traps tab, under Community name, type the case-sensitive community name to which this computer will send trap messages, and then click Add to List.
9 In Trap destinations, click Add.
10 In Host name, IP address, type the information for the host, and then click Add.
11 Repeat steps 8 through 10 until you have added all the communities and trap destinations that you want.

Configuring trap destinations for NetWare

You can configure SNMP trap destinations for NetWare 5.x and 6.x servers.

To configure trap destinations for NetWare
1 In the NetWare server console, type: load inetcfg
2 Select Protocols, and then press Enter.
3 Select TCP/IP, and then press Enter.
4 Select SNMP Manager Table, and then press Enter to display the SNMP Manager Table.
5 Do one of the following:
   - To modify an existing address, select it, and then press Enter.
   - To add a new address, press Insert, type an IP address, and then press Enter.
   - To delete an address, select it, press Delete, and then press Enter to confirm the deletion.
6 Press the Esc key to close the dialog box.
7 Press Enter to confirm the change to the database.

Configuring the Write To Event Log alert action

The Write To Event Log alert action creates an entry in the Application log of the Windows Event Log. This entry is logged on the server from which the alert came. This alert action is available only on supported Windows computers.

To configure the Write To Event Log alert action
1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure.
2 Select the alert for which you want to configure alert actions.
3 Click Configure.
4 Click Write To Event Log, and then click Next.
5 Select a computer to execute the action, and then click Next.
6 In the Message box, type any message text that you want to display and move the parameters that you want from Alert Parameters to the Message box.
7 Type an action name. The action name and the action computer name appear in the Alert Actions dialog box beside this action.
8 Click Finish.
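The Send SNMP Trap sections above configure a community name and a list of trap destinations but do not show what a destination actually receives. The following is an added example, not code from the Symantec guide or from AMS 2: it builds a BER-encoded SNMPv1 Trap-PDU (RFC 1157) with the standard library only and parses it back, which makes the security-relevant point visible in bytes: the community name is carried in clear text, so a trap consumer should treat it as a routing label and rely on the destination list and network controls rather than on the community name as proof of the sender. The enterprise OID, agent address, alert text and values are constructed sample data, and the enterprise number is a placeholder, not an assigned one.

```python
"""Encode and decode an SNMPv1 trap of the kind the trap destinations above receive.

Added example, not part of the Symantec guide or AMS 2. Standard library only.
The enterprise OID, agent address and varbind values are constructed samples;
1.3.6.1.4.1.99999 is a placeholder enterprise number, not an assigned one.
"""
# BER tags used by SNMPv1 (RFC 1155/1157); Trap-PDU is context-specific [4], constructed.
INTEGER, OCTET_STRING, OID, SEQUENCE = 0x02, 0x04, 0x06, 0x30
IPADDRESS, TIMETICKS, TRAP_PDU = 0x40, 0x43, 0xA4


def _length(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _length(len(value)) + value


def _integer(n: int, tag: int = INTEGER) -> bytes:
    """Minimal two's-complement encoding (a leading zero byte keeps large TimeTicks positive)."""
    size = 1
    while not -(1 << (8 * size - 1)) <= n < (1 << (8 * size - 1)):
        size += 1
    return _tlv(tag, n.to_bytes(size, "big", signed=True))


def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                        # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(OID, bytes(out))


def encode_trap(community: str, enterprise: str, agent_addr: str, generic: int,
                specific: int, uptime: int, varbinds: list) -> bytes:
    """Return the bytes of one SNMPv1 trap message (version 0). varbinds: [(oid, int|str), ...]."""
    vb = b"".join(
        _tlv(SEQUENCE, _oid(name) + (_integer(val) if isinstance(val, int)
                                     else _tlv(OCTET_STRING, val.encode())))
        for name, val in varbinds)
    pdu = (_oid(enterprise)
           + _tlv(IPADDRESS, bytes(int(o) for o in agent_addr.split(".")))
           + _integer(generic) + _integer(specific) + _integer(uptime, TIMETICKS)
           + _tlv(SEQUENCE, vb))
    return _tlv(SEQUENCE, _integer(0) + _tlv(OCTET_STRING, community.encode()) + _tlv(TRAP_PDU, pdu))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def _read_oid(raw: bytes) -> str:
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_trap(packet: bytes) -> dict:
    """Parse an SNMPv1 trap message; raise ValueError for anything else."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != SEQUENCE:
        raise ValueError("not a BER SEQUENCE")
    _, ver, pos = _read_tlv(msg, 0)
    if int.from_bytes(ver, "big", signed=True) != 0:
        raise ValueError("only SNMPv1 (version 0) traps are handled here")
    _, community, pos = _read_tlv(msg, pos)        # clear-text community name
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != TRAP_PDU:
        raise ValueError("not a Trap-PDU")
    fields, pos = [], 0
    while pos < len(pdu):
        _, val, pos = _read_tlv(pdu, pos)
        fields.append(val)
    ent, addr, gen, spec, ticks, vbs = fields
    varbinds, pos = [], 0
    while pos < len(vbs):
        _, one, pos = _read_tlv(vbs, pos)
        _, name, p = _read_tlv(one, 0)
        vtag, value, _ = _read_tlv(one, p)
        varbinds.append((_read_oid(name),
                         int.from_bytes(value, "big", signed=True) if vtag == INTEGER else value.decode()))
    return {"community": community.decode(), "enterprise": _read_oid(ent),
            "agent_addr": ".".join(map(str, addr)),
            "generic": int.from_bytes(gen, "big", signed=True),
            "specific": int.from_bytes(spec, "big", signed=True),
            "uptime": int.from_bytes(ticks, "big"), "varbinds": varbinds}
```

A generic-trap value of 6 means enterprise-specific, which is how an application such as an alerting system reports its own events; the trap text placed in a varbind is the kind of message the Send SNMP Trap action's Message box produces. Because `community.encode()` appears verbatim in the output of `encode_trap`, anyone who can read the datagram can read the community name.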

About configuring alert action messages

For the alert actions that generate messages (for example, Message Box, Broadcast, Send Page, and Send Internet Mail), you can include additional information from the alert that generated the message. The additional types of information available vary, depending on the type of alert action that you configure. Table 3-1 describes the additional types of information.

Table 3-1 Alert message parameters

Alert parameter: Description
<Actual Action>: The actual action that was taken on the threat or security risk.
<Alert Name>: The name of the alert; for example, Symantec Client Security Startup/Shutdown.
<Computer Name>: The name of the computer on which the alert originated.
<Corrective Actions>: The actions that were taken to correct the risk.
<Date>: The date when the notification was generated.
<Description>: More information about the nature of the notification; for example, Symantec Client Security services shutdown was successful.
<Failed Alert Name>: The name of the alert that failed. This parameter is available for default alerts.
<File Path>: The location of the file that was infected by the threat or security risk.
<Logger>: The type of scan that found and logged the alert.
<Requested Action>: The primary action that was configured for this threat or security risk.
<Severity>: The level of severity that is assigned to the alert; for example, Critical or Non-Critical.
<Source>: The product source of the notification; for example, Symantec Client Security.
<Risk Name>: The name of the threat or security risk that triggered the alert.
<Time>: The time when the notification was generated.
<User>: The name of the user who was logged in when the alert-triggering event occurred.
<Virus Name>: The name of the virus or security risk that triggered the alert.

The Message dialog box includes a text box in which you can enter as many as 256 characters to be used as the text of the message that you want to send. You can use the variables in Alert parameters to insert information generated by the alert. Parameters are delimited by < and > characters. Each parameter placeholder that you add to the Message text box is substituted with the corresponding alert information when an alert occurs. Figure 3-1 shows the Alerting System Notification dialog box.

Figure 3-1 Alerting System Notification

Configuring a default alert message

If the AMS 2 alerting system detects a message larger than 1 KB, the message is not delivered. If you have configured a default alert message, it is delivered instead. You can configure this default alert to notify you when a message exceeds 1 KB.
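The two rules just described, parameter substitution with the <Parameter> placeholders of Table 3-1 in a Message box of at most 256 characters, and the fallback to the default alert message when a rendered message exceeds 1 KB, fit together in a short piece of logic. The following is an added example, not code from the Symantec guide or from AMS 2. It assumes a message is rendered by replacing each placeholder with the alert's value, that the size limit is measured on the rendered text, and that the default alert receives the <Failed Alert Name> parameter as Table 3-1 states. The alert record and templates are constructed sample data; the 1 KB value is taken as 1024 bytes of UTF-8.

```python
"""Expand alert parameters in an AMS 2-style message template and apply the size rules.

Added example, not part of the Symantec guide. Substitutes <Parameter> placeholders
(Table 3-1), enforces the 256-character limit of the Message text box, and replaces a
rendered message larger than 1 KB with the configured default alert message.
The alert record and templates are constructed sample data.
"""
from __future__ import annotations

import re

MESSAGE_BOX_LIMIT = 256      # characters accepted by the Message text box
DELIVERY_LIMIT = 1024        # bytes (assumed 1 KB); larger rendered messages are not delivered
PLACEHOLDER = re.compile(r"<([^<>]+)>")

# Constructed alert, keyed by the parameter names in Table 3-1
SAMPLE_ALERT = {
    "Alert Name": "Virus Found",
    "Computer Name": "WS-EXAMPLE-01",
    "Risk Name": "Sample.Risk",                  # constructed name
    "File Path": r"C:\Users\Public\sample.txt",  # constructed path
    "Actual Action": "Quarantined",
    "Severity": "Critical",
    "Source": "Symantec Client Security",
    "Date": "2006-05-01",
    "Time": "09:41:00",
    "User": "jdoe",
}


def validate_template(template: str, known: set[str]) -> None:
    """Reject templates the Message box would not accept or that name unknown parameters."""
    if len(template) > MESSAGE_BOX_LIMIT:
        raise ValueError(f"template exceeds {MESSAGE_BOX_LIMIT} characters")
    unknown = {m.group(1) for m in PLACEHOLDER.finditer(template)} - known
    if unknown:
        raise ValueError(f"unknown alert parameters: {sorted(unknown)}")


def render(template: str, alert: dict) -> str:
    """Replace each <Parameter> with the alert's value; names the alert lacks are left as typed."""
    return PLACEHOLDER.sub(lambda m: str(alert.get(m.group(1), m.group(0))), template)


def deliver(template: str, alert: dict, default_template: str | None = None) -> tuple[str, bool]:
    """Return (message_text, used_default).

    A rendered message over 1 KB is not delivered; the default alert message is sent
    instead, with <Failed Alert Name> set to the alert whose message was too large.
    """
    validate_template(template, set(alert))
    text = render(template, alert)
    if len(text.encode("utf-8")) <= DELIVERY_LIMIT:
        return text, False
    if default_template is None:
        raise ValueError("rendered message exceeds 1 KB and no default alert is configured")
    fallback = dict(alert, **{"Failed Alert Name": alert.get("Alert Name", "")})
    return render(default_template, fallback), True


if __name__ == "__main__":
    print(deliver("<Alert Name> on <Computer Name>: <Risk Name> in <File Path> (<Actual Action>)",
                  SAMPLE_ALERT))
    oversized = dict(SAMPLE_ALERT, Description="x" * 1100)   # constructed oversized value
    print(deliver("<Alert Name>: <Description>", oversized,
                  "Default alert: <Failed Alert Name> on <Computer Name> exceeded 1 KB"))
```

A 256-character template can still produce a message over 1 KB because parameter values such as <Description> or <File Path> are substituted at alert time, which is the case the default alert message exists for.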

106 106 Alert Management System Working with configured alerts To configure a default alert message 1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. 2 Click Default Alert, and then click Configure. 3 Click Message Box, and then click Next. 4 Select a computer on which to execute the action, and then click Next. 5 Select whether you want an error beep and whether you want the dialog box always to appear on top until it is cleared. 6 Click Next. 7 Type the action name that describes the message that you are configuring. The action name and the action computer name appear in the Alert Actions dialog box beside this action. 8 In the Message box, do one of the following: Type custom message text that you want to display and move available the parameters that you want from Alert Parameters to the Message box. Click Default to use the default message information for this alert action, and then type the custom message text that you want to display. 9 Click Finish. Working with configured alerts Once you have configured alert actions, you can do the following: Test them to make sure they work as expected. Delete them. Export them to other computers. Testing configured alert actions After you configure alert actions, you can test them in the Alert Actions dialog box. When you select an alert and then click Test Action, all alert actions that are configured for that alert execute. When you select a specific alert action and click Test Action, only that alert action executes. To test an alert In the Alert Actions dialog box, select an alert, and then click Test Action.

107 Alert Management System Working with configured alerts 107 Deleting an alert action from an alert You can delete actions that are associated with an alert as necessary. To delete an alert action from an alert 1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. 2 Select the alert action you want to delete, and then click Delete. Exporting alert actions to other computers Each computer that generates AMS 2 alerts stores its alert information in a local AMS 2 database. Typically, the alerts and actions that are stored in one database are not visible to AMS 2 databases on other computers. There may be times when you want to duplicate configurations of AMS 2 alert actions on a computer across multiple computers so you do not have to repeat your work. The AMS 2 export option lets you export alert actions to other computers that generate AMS 2 alerts. Alert actions, such as a Send Page alert action configuration or a Message Box alert action configuration, only export if the alert for which you configured the action exists on both computers. In most cases, you can ensure this is the case by installing the same application on both computers. This way, both applications will register their alerts with their respective AMS 2 databases. When you export alert actions from one computer to another, you have the choice of exporting a single alert action or all alert actions. Once AMS 2 exports alert actions to a computer, AMS 2 displays the Export Status dialog box to let you know the results of the export. If the export option cannot export an alert action because the alert for which the action was configured does not exist on the target computer (or for any other reason), the Export Status dialog box indicates that the alert action could not be exported. Alert actions also may fail to export if the target computer's AMS 2 installation is not working correctly. 
To export alert actions to other computers 1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. 2 Click Symantec AntiVirus Corporate Edition and then click Export. 3 In the Select Actions dialog box, check the actions that you want to export, and then click Next. To select all configured actions, click Symantec AntiVirus Corporate Edition.

108 108 Alert Management System Using the Alert Management System Alert Log 4 In the Select Computers dialog box, check the computers that you want to receive the alert actions that you selected. 5 If the computer you want has AMS 2 active on it and it is not in the Available Computers list, click Options. 6 Click Finish. 7 In the Export Status dialog box, verify that the alert actions were exported successfully, and then click Close. Viewing export status After AMS 2 exports alert actions to the computers that you selected in the Select Computers dialog box, AMS 2 displays the export results in the Export Status dialog box. The Export Status dialog box displays the alert actions that do not export successfully. If the alerts do not export successfully, it may be for the following reasons: AMS 2 is not up or working correctly on the target computer. Verify AMS 2 by testing a configured alert action on that computer from the Alert Actions dialog box. The alert for which the action was configured does not exist on the target computer. Make sure that the application that registered the alert with AMS 2 on the source computer is installed on the target computer. Using the Alert Management System Alert Log You can use the Alert Log to view a list of all alerts generated by network computers running Symantec Client Security. You can configure the Alert Log to do one of the following: Display only the alerts that match the conditions that you specify. Display a specified number of entries. The Alert Log displays a list of alerts with the following information about each alert: Alert Name Source Computer Date

109 Alert Management System Using the Alert Management System Alert Log 109 Time Severity You can view more detailed information about each alert in the Alert Information dialog box. Each server stores its own copy of the Alert Log locally. When you select a server and view its Alert Log, you are retrieving a copy of that server's Alert Log to your local console. Therefore, if that server is not powered on or available, you won't able to retrieve its Alert Log for viewing. You can view the Alert Log and interact with it in the following ways: Change the number of entries that are displayed in the log Delete entries Copy the contents to the clipboard To view the Alert Log Right-click the server group, and then click All Tasks > AMS > View Log. To change the number of entries that are displayed in the Alert Log 1 In the Alert Log window, right-click, and then click Options. 2 On the Settings tab, specify the maximum number of log entries that you want the log to store. You can independently configure the number of entries that an Alert Log stores on each server. To delete a single entry Right-click the log entry, and then click Delete > Selected Entries.

110 110 Alert Management System Using the Alert Management System Alert Log To delete multiple log entries 1 Press Ctrl and select the multiple log entries. 2 In the Alert Log window, right-click, and then click Delete > Selected Entries. To select a range, click the first entry, and then press Shift and click the last entry. To delete all visible log entries In the Alert Log window, right-click, and then click Delete > Filtered Entries. To copy Alert Log contents to the Clipboard 1 Press and hold the Ctrl key, and then select the multiple log entries. 2 In the Alert Log window, right-click, and then click Copy. Viewing detailed alert information Only the alerts visible in the log are copied. If you want to limit the number of entries that the Alert Log copies to the Clipboard, apply filters to limit the number of visible log entries. You can view detailed information about each alert that the Alert Log displays. The Alert Information dialog box displays a list of parameters such as Alert name, Source, Date, Severity, and Description, as well as values for the selected alert action. Table 3-2 describes the status types that appear in the Alert Information dialog box. Table 3-2 Action Status Action Name Action Type Action Host Status Action Status types Description A name that is given to the specific action. The type of action that is generated by the alert, such as Message Box, Pager, Internet Mail, Execute Program, or Broadcast. The name of the computer that generates the alert. The status of the alert. The status type can include Pending, Processing Action, Error, Completed Successfully, and Failed To Complete.

To view the alert information and Action Status
1 In the Alert Log window, double-click the alert for which you want to display detailed information.
2 When you finish viewing the alert information, click Close.
The computer that is listed in the Alert Log is the primary management server that recorded the action, because it records all events for the Symantec server group. Look at the Alert Information dialog box to see which computer generated the alert.

Filtering the Alert Log display list

You can configure the Alert Log to display only those alerts that match specified criteria. Table 3-3 describes the parameters for filtering alerts.

Table 3-3 Alert Log filters
Computer: Displays alerts from a specific computer.
Source: Displays alerts from the same type of alert source on one or more computers.
Alert: Displays all alerts with a specific alert name.
Severity: Displays only the alerts that match the severity levels that you select. You can specify the following severity levels: Monitor, Information, OK, Warning, Critical, and Fatal.
Date: Displays only the alerts that occurred between the specified from and to dates and times.

To specify which alerts appear in the Alert Log
1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > View Log.
2 In the Alert Log window, right-click, and then click Options.
3 Select the filters that you want to apply to the Alert Log list.
4 Click OK.

Forwarding alerts from unmanaged clients

Unmanaged Symantec Client Security clients can be configured to forward their alerts to an AMS 2 server. The AMS 2 client software is not installed as part of the client installation. If you want to use the alerting features that AMS 2 provides for unmanaged clients, install the AMS 2 client program that is included on the Symantec Client Security CD. For an alert to be sent, the client computer must be connected to the network and must be able to connect to the AMS 2 server.

To forward the alerts to an AMS 2 server
1 Use a text editor such as Notepad to create a new text file.
2 Add the following lines:

    [KEYS]
    !KEY!=$REGROOT$\Common
    AMSServer=S<AMSServerName>
    AMS=D1
    !KEY!=$REGROOT$\ProductControl
    LoadAMS=D1

3 In the AMSServer line, replace <AMSServerName> with one of the following. Keep the S that precedes the value, and do not include the angle brackets.
- The IP address of the intended AMS 2 server.
- The name of the intended AMS 2 server (make sure that the client can resolve the server name).
4 Save the file as Grc.dat in the C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus folder on the client computer.

After you create the Grc.dat configuration file, you can copy it to other unmanaged clients. These unmanaged clients then forward alerts to the same AMS 2 server. Because the client applies whatever Grc.dat contains, make sure that only administrators can write to this folder.
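The Grc.dat file above is plain text that the client reads as registry-style configuration, so it is easy to get the placeholder or a key wrong. The following Python script is an added example and not Symantec code: it builds the file from a server address, refuses the literal <AMSServerName> placeholder and stray brackets, and re-parses the result to confirm that AMSServer, AMS, and LoadAMS are present under the right keys before the file is copied to other clients. The host-name pattern, the reading of the S and D prefixes as string and DWORD type markers, the parser, and all function names are the example's own assumptions; the six configuration lines and the target folder are the only facts taken from the procedure.

```python
"""Build and check a Grc.dat that points an unmanaged client at an AMS 2 server (added example, not Symantec code)."""
import ipaddress
import os
import re

# Folder given in step 4 of the procedure (Windows XP/2003 layout, as on the page).
GRC_DAT_DIR = ("C:\\Documents and Settings\\All Users\\Application Data"
               "\\Symantec\\Symantec AntiVirus")

# Host-name shape check (RFC 1123 labels); an assumption about what the client can resolve.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")

# The two registry-style keys that the procedure writes to.
COMMON_KEY = "$REGROOT$\\Common"
CONTROL_KEY = "$REGROOT$\\ProductControl"


def validate_ams_server(server):
    """Accept an IPv4 address or host name; reject the <AMSServerName> placeholder or stray brackets."""
    server = server.strip()
    if not server or "<" in server or ">" in server:
        raise ValueError("AMS server must be a real address without angle brackets")
    try:
        ipaddress.IPv4Address(server)
        return server
    except ValueError:
        pass
    if HOSTNAME_RE.match(server):
        return server
    raise ValueError(f"not an IPv4 address or host name: {server!r}")


def build_grc_dat(ams_server):
    """Return the six lines from the procedure with the server filled in (CRLF, as Notepad saves)."""
    server = validate_ams_server(ams_server)
    lines = [
        "[KEYS]",
        "!KEY!=" + COMMON_KEY,
        "AMSServer=S" + server,     # keep the S prefix, drop the brackets (step 3)
        "AMS=D1",
        "!KEY!=" + CONTROL_KEY,
        "LoadAMS=D1",
    ]
    return "\r\n".join(lines) + "\r\n"


def parse_grc_dat(text):
    """Read the [KEYS] layout into {key_path: {name: (type_prefix, value)}}.

    Minimal reader for the shape shown on the page. The leading S and D are taken
    as string and DWORD type markers; that reading is an inference, not manual text.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        name, _, value = line.partition("=")
        if name == "!KEY!":
            current = value
            keys.setdefault(current, {})
        elif current is not None and value:
            keys[current][name] = (value[0], value[1:])
    return keys


def check_grc_dat(text):
    """Return a list of problems; an empty list means the file matches the procedure."""
    problems = []
    keys = parse_grc_dat(text)
    common = keys.get(COMMON_KEY, {})
    control = keys.get(CONTROL_KEY, {})
    server = common.get("AMSServer")
    if server is None:
        problems.append(f"AMSServer is missing under {COMMON_KEY}")
    elif server[0] != "S":
        problems.append("AMSServer value must start with S")
    else:
        try:
            validate_ams_server(server[1])
        except ValueError as err:
            problems.append(f"AMSServer: {err}")
    if common.get("AMS") != ("D", "1"):
        problems.append(f"AMS must be D1 under {COMMON_KEY}")
    if control.get("LoadAMS") != ("D", "1"):
        problems.append(f"LoadAMS must be D1 under {CONTROL_KEY}")
    return problems


def write_grc_dat(ams_server, directory=GRC_DAT_DIR):
    """Write Grc.dat into the client folder (run this on the Windows client); returns the path."""
    path = os.path.join(directory, "Grc.dat")
    with open(path, "w", newline="") as fh:     # newline="" keeps the CRLF pairs as written
        fh.write(build_grc_dat(ams_server))
    return path


if __name__ == "__main__":
    text = build_grc_dat("10.1.2.3")
    print(text, end="")
    print("problems:", check_grc_dat(text))
```

Run check_grc_dat on a file before copying it to other unmanaged clients; a copied file that still carries the placeholder, or that lost the LoadAMS entry, silently produces clients that never forward anything.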


Section 2 Configuring antivirus protection
- Scanning for viruses and security risks
- Updating definitions
- Responding to virus outbreaks
- Managing roaming clients
- Working with Histories and Event Logs


Chapter 4 Scanning for viruses and security risks

This chapter includes the following topics:
- About viruses and security risks
- About Symantec Client Security scans
- Configuring Auto-Protect
- Configuring manual scans
- Creating and configuring scheduled scans
- Managing the client user experience

About viruses and security risks

Symantec Client Security can scan both for viruses and for security risks, such as spyware, adware, and other files that can put a computer, as well as a network, at risk. By default, Symantec Client Security does the following:
- Detects, removes, and repairs the side effects of viruses, worms, Trojan horses, and blended threats.
- Detects, removes, and repairs the side effects of security risks such as adware, dialers, hack tools, joke programs, remote access programs, spyware, trackware, and others.

Table 4-1 describes the types of risks for which Symantec Client Security scans.

Table 4-1 Viruses and security risks

Viruses: Programs or code that attach a copy of themselves to another computer program or document when it runs. Whenever the infected program runs or a user opens a document that contains a macro virus, the attached virus program activates and attaches itself to other programs and documents. Viruses generally deliver a payload, such as displaying a message on a particular date. Some viruses specifically damage data by corrupting programs, deleting files, or reformatting disks.

Worms: Programs that replicate without infecting other programs. Some worms spread by copying themselves from disk to disk, while others replicate only in memory to slow a computer down.

Trojan horses: Programs that contain code that is disguised as or hiding in something benign, such as a game or utility.

Blended threats: Threats that blend the characteristics of viruses, worms, Trojan horses, and code with server and Internet vulnerabilities to initiate, transmit, and spread an attack. Blended threats use multiple methods and techniques to spread rapidly and cause widespread damage throughout the network.

Adware: Stand-alone or appended programs that secretly gather personal information through the Internet and relay it back to another computer. Adware may track browsing habits for advertising purposes. Adware can also deliver advertising content. Adware can be unknowingly downloaded from Web sites, typically in shareware or freeware, or can arrive through email messages or instant messenger programs. Often a user unknowingly downloads adware by accepting an End User License Agreement from a software program.

Dialers: Programs that use a computer, without the user's permission or knowledge, to dial out through the Internet to a 900 number or FTP site, typically to accrue charges.

Hack tools: Programs that a hacker uses to gain unauthorized access to a user's computer. For example, one hack tool is a keystroke logger, which tracks and records individual keystrokes and sends this information back to the hacker. The hacker can then perform port scans or vulnerability scans. Hack tools may also be used to create viruses.

Joke programs: Programs that alter or interrupt the operation of a computer in a way that is intended to be humorous or frightening. For example, a program can be downloaded from a Web site, email message, or instant messenger program. It can then move the Recycle Bin away from the mouse when the user attempts to delete it, or cause the mouse to click in reverse.

Other: Other security risks that do not conform to the strict definitions of viruses, Trojan horses, worms, or other security risk categories, but that might present a risk to a user's computer and data.

Remote access programs: Programs that allow access over the Internet from another computer so that they can gain information or attack or alter a user's computer. For example, a program may be installed by the user, or installed as part of some other process without the user's knowledge. The program can be used for malicious purposes with or without modification of the original remote access program.

Spyware: Stand-alone programs that can secretly monitor system activity and detect passwords and other confidential information and relay it back to another computer. Spyware can be unknowingly downloaded from Web sites, typically in shareware or freeware, or can arrive through email messages or instant messenger programs. Often a user unknowingly downloads spyware by accepting an End User License Agreement from a software program.

Trackware: Stand-alone or appended applications that trace a user's path on the Internet and send information to the target system. For example, the application can be downloaded from a Web site, email message, or instant messenger program. It can then obtain confidential information regarding user behavior.

By default, Auto-Protect scans for viruses, Trojan horses, worms, and security risks when it runs. Some risks, such as Back Orifice, were detected as viruses in earlier versions of Symantec Client Security. They remain detected as viruses so that Symantec Client Security can continue to provide protection for legacy computers.

About Symantec Client Security scans

You can configure the following types of scans from the Symantec AntiVirus view in the Symantec System Center console:
- Auto-Protect scans:
  - Auto-Protect File System scans
  - Auto-Protect email attachment scanning for Lotus Notes, Microsoft Exchange, and Outlook (MAPI and Internet)
  - Auto-Protect scanning for Internet email messages and attachments that use the POP3 or SMTP communications protocols; Auto-Protect scanning for Internet email also includes outbound heuristics scanning
- Manual scans
- Virus sweep scans
- Scheduled scans

By default, all Symantec Client Security scans detect viruses and security risks, such as adware and spyware, quarantine them, and remove or repair their side effects.

Note: Sometimes you might unknowingly install an application that includes a security risk such as adware or spyware. If Symantec determines that blocking the risk does not harm the computer, Symantec AntiVirus blocks the risk. If blocking the risk might leave the computer in an unstable state, Symantec AntiVirus waits until the application installation is complete before it quarantines the risk. It then repairs the risk's side effects.

You can scan the following:
- Individual and multiple Symantec Client Security servers and clients.
- Groups of Symantec Client Security servers and clients, using server groups.

About the automatic exclusion of Microsoft Exchange files and directories

If Microsoft Exchange servers, including clustered servers, are installed on the computer where you installed Symantec Client Security, Symantec Client Security automatically detects the presence of Exchange and creates appropriate file and directory exclusions for Auto-Protect and all other scans. Symantec Client Security checks for changes in the location of the appropriate Exchange files and directories at regular intervals. So if you install Exchange on a computer where Symantec Client Security is already installed, the exclusions are created when Symantec Client Security checks for changes. Symantec Client Security excludes both files and directories, so if a single file is moved from an excluded directory, the file remains excluded.

Symantec Client Security creates file and directory scan exclusions for the following Microsoft Exchange versions:
- Exchange 5.5
- Exchange 2000
- Exchange 2003

Symantec Client Security also creates appropriate file and directory scan exclusions for the following Symantec products when they are detected:
- Symantec Mail Security 4.0, 4.5, 4.6, and 5.0 for Microsoft Exchange
- Symantec AntiVirus/Filtering 3.0 for Microsoft Exchange
- Norton AntiVirus 2.x for Microsoft Exchange

Note: To see the exclusions that Symantec Client Security creates for Exchange, examine the contents of the HKLM\Software\Intel\LANdesk\VirusProtect6\CurrentVersion\Exclusions\Exchange Server registry key. Do not edit this registry key directly. Configure any additional exclusions using the Symantec System Center Auto-Protect, manual, and scheduled scan exclusion options. Because excluded files and directories are never scanned, review this key after Exchange or one of the listed Symantec products is installed or moved, so that you know exactly which paths are unprotected.

Symantec Client Security does not exclude the system temporary folders from scanning because doing so could create a significant security vulnerability on a computer.

About the global exclusion of security risks from scans

If there are certain security risks that your company's security policy allows you to keep on your computers, you can configure Symantec Client Security to exclude these risks from all scans. See Configuring global security risk exclusions on page 132.

Understanding Auto-Protect scans

Auto-Protect continuously scans files and email data for viruses and for security risks, such as spyware and adware, as they are read from or written to a computer. Auto-Protect scans email data only on Symantec Client Security clients. Symantec Client Security automatically detects the presence of Microsoft Exchange and creates Auto-Protect scan exclusions for it at the time of installation.

Auto-Protect includes the SmartScan feature. When this feature is enabled, it can determine a file's type even when a virus changes the file's extension.

You can use Symantec Client Security to set Auto-Protect options for servers at the server group or individual server level, and for clients at the server group, individual server, or client group level. When you configure Auto-Protect, the configuration pages look slightly different depending on whether you set options for servers or clients.

When you configure Auto-Protect, you can lock Auto-Protect options on clients to enforce a company security policy for viruses and security risks. Users cannot change the options that you lock.

Note: You must lock the Auto-Protect client settings that you configure in the Symantec System Center console before the Symantec System Center can propagate them to the clients. If you make a change but do not lock the setting, the change is not propagated to clients. See Configuring Auto-Protect on page 134.

Auto-Protect is enabled by default. You can view Auto-Protect status in the Symantec System Center.

To view Auto-Protect status
Right-click a server or client, and then click All Tasks > Symantec AntiVirus > Auto-Protect Status.

About manual scans

Manual or on-demand scans inspect selected files and folders on selected computers. Manual scans provide immediate results from a scan on an area of the network or a local hard drive. Manual scans inspect files for viruses and security risks, such as spyware and adware. See Configuring manual scans on page 168.

About virus sweep scans

A virus sweep scan scans at the system hierarchy, server group, or individual server level. A virus sweep scans for both viruses and security risks. You can name a virus sweep and view its history in a Virus Sweep History log.

Warning: Virus sweeps do not automatically pick up the exclusions that are set for other types of scans. In addition, you cannot stop a virus sweep. Once the sweep starts, it must complete.

See Running a virus sweep on page 226.

About scheduled scans

From the Symantec System Center console, you can schedule scans to run at certain times on Symantec Client Security servers and clients. Users can also schedule scans for their computers from Symantec Client Security clients, but they cannot change or disable the scans that you schedule for their computers. Symantec Client Security runs one scheduled scan at a time. If more than one scan is scheduled at the same time, they run sequentially.

When you create and save a scheduled scan, Symantec Client Security remembers the server group, server, or computer on which to run the scan and the settings that you chose for that scan. If a computer is turned off during a scheduled scan, the scan does not run unless the computer is configured to run missed scan events. Scheduled scans inspect files for viruses and security risks, such as spyware and adware. See Creating and configuring scheduled scans on page 180.

Selecting computers to scan

In the Symantec System Center console, you select the computers that you want to scan, determine the types of scans that are available, decide where the scans are performed, and set the scan options. Table 4-2 lists the types of scans that are available for each type of object in the Symantec System Center navigation tree.

Table 4-2 What you can scan

System Hierarchy: Virus sweep scanning of all Symantec Client Security servers and clients in the network. A virus sweep also scans for security risks.

Multiple server groups: Virus sweep scanning of all Symantec Client Security servers and their clients in the selected server groups. Scheduled scanning for the selected Symantec Client Security servers.

Server group: Virus sweep scanning of all Symantec Client Security servers and their clients in the selected server group. Scheduled scanning for the Symantec Client Security servers in the selected server group.

Selected servers in a server group: Virus sweep scanning of the selected Symantec Client Security servers. Manual scanning of the selected Symantec Client Security servers.

Single server: Virus sweep scanning of the Symantec Client Security server and all of its Symantec Client Security clients. Manual scanning of the Symantec Client Security server. Scheduled scanning of the Symantec Client Security server or its Symantec Client Security clients.

Selected Symantec Client Security clients for a single Symantec Client Security server: Manual scanning of the selected Symantec Client Security clients that are managed by the Symantec Client Security server.

An individual Symantec Client Security client: Manual scanning of the selected Symantec Client Security client. Scheduled scanning of the selected Symantec Client Security client.

Determining scan options for multiple computers

When you view Auto-Protect, virus sweep, or manual scan options for multiple selected computers, the configuration check boxes and options have a tri-state feature that is apparent only when the computers have different options configured. To toggle through an option's available states, click the option repeatedly. Table 4-3 describes the possible states for options.

Table 4-3 Check box and option symbols and their meaning

A solid black check mark in a check box, or a solid black bullet in an option: The option is selected for all of the computers in that group.

A blank check box: The option is not selected for any computer in that group.

A dimmed check mark in a dimmed box, a blank series of options, or a blank box: Some of the computers in the group have that option selected and some do not.

In each case, setting an option to a state other than the dimmed state resets that option for all of the selected computers.

Note: Some options, such as excluding files and folders, are not available when you select multiple computers because the option applies only to a specific computer.

Scan option precedence

The scan configuration changes that you make at the server group level override any changes that you make at the client group or server level, unless you configure a client group so that it does not inherit its server group settings. See Using client group settings instead of server group settings on page 87.

Note: Auto-Protect options work differently from the other scan options. Auto-Protect options must be locked at the server group or server level before they can be propagated to clients. If you make a change but do not lock the setting, the change is not propagated to clients. See Understanding Auto-Protect scans on page 122.

About inclusions and exclusions in scans

Inclusions and exclusions help you to balance the amount of protection that your network requires with the amount of time and resources that are required to provide that protection. For example, if you choose to scan all file types, you might want to exclude certain folders that contain only data files that are not subject to viruses. Or, you might want to scan only the files with the extensions that are likely to contain a virus or other risk. When you scan only certain extensions, you automatically exclude all files with other extensions from the scan. These choices decrease the overhead that is associated with scanning files.

Depending on the type of scan and the objects of your scan, you can exclude by files, folders, or file extensions. You can include only certain extensions in a scan.

Warning: Because excluded files and folders are not scanned, they are not protected from viruses and security risks.

You can include and exclude items from the scans that you initiate from the Symantec Client Security client or server user interface, or from the Symantec System Center console. Table 4-4 describes the types of exclusions that you can configure by object type in the Symantec System Center console navigation hierarchy.

Table 4-4 Exclusions by object type

Server group: Server scans: file extensions and named folders.

Server: Server scans: file extensions, drives, files, and folders. Client scans: file extensions, drives, and named folders.

Client group: Client scans: file extensions, drives, and named folders.

NetWare servers: Files by drives and named folders; you cannot exclude files by file extension.

Note: If you use the iFolder feature in NetWare 6, you should exclude the iFolder directory from virus scans. The default directory to exclude is sys:\ifolder. Configure this option using the Server Auto-Protect Options dialog box in the Symantec System Center. See Configuring file and folder inclusions and exclusions on page 130.

About excluding named files and folders

You can exclude named files and folders from Auto-Protect, virus sweep, manual (Quick, Full, and Custom), and scheduled scans. For example, you might want to exclude the path C:\Temp\Install, or folders that contain an allowable security risk (if your company's security policy allows users to run a particular program that might be a security risk).

You might also want to exclude the files that trigger false-positive alerts. For example, if you used another virus scanning program to clean infected files and the program did not completely remove the virus code, the file may be harmless but the disabled virus code might cause Symantec AntiVirus to register a false positive. Check with Symantec Technical Support if you are not sure whether a file is infected.

The icons in the Symantec Client Security hierarchy reflect the status of the files and folders that you choose to exclude. Table 4-5 describes the icons and their meaning when you configure exclusions.

Table 4-5 Tree view icons and their meaning for exclusions
- Excludes all of the files in this folder and also all of the files in its subfolders.
- Excludes one or more items that you have selected in the folder or one of its subfolders.
- Excludes the selected file. This is available only from the client or server interface.
- Scans the folder or its subitems.

About including and excluding files by file type or extension

By default, Symantec Client Security scans all files during a virus scan, but you can configure Symantec Client Security to do the following:
- Scan only files with specific extensions.
- Exclude from the scan files with specific extensions.

You can use the Symantec System Center to set inclusions and exclusions for specific extensions. Scans by extension are available when you select the following objects and scan types:

- Client object: Manual scan, scheduled scan, and client Auto-Protect.
- Server object: Virus sweep, manual scan, scheduled server scan, and server Auto-Protect (Windows only).

When you scan by file extension, Symantec Client Security does not read the file header to determine the file type and scans only files with the extensions that you specify. A file whose extension has been changed is therefore skipped by an extension-based scan regardless of its contents. Table 4-6 describes the recommended extensions for scanning.

Table 4-6 Recommended file extensions for scanning

386   Driver
ACM   Driver; audio compression manager
ACV   Driver; audio compression/decompression manager
ADT   ADT file; fax
AX    AX file
BAT   Batch
BTM   Batch
BIN   Binary
CLA   Java class
COM   Executable
CPL   Control Panel applet for Microsoft Windows
CSC   Corel Script
DLL   Dynamic Link Library
DOC   Microsoft Word
DOT   Microsoft Word
DRV   Driver
EXE   Executable
HLP   Help file
HTA   HTML application
HTM   HTML
HTML  HTML
HTT   HTML
INF   Installation script
INI   Initialization file
JPEG  Graphics file
JPG   Graphics file
JS    JavaScript
JSE   JavaScript Encoded
JTD   Ichitaro
MDB   Microsoft Access
MP?   Microsoft Project
MSO   Microsoft Office 2000
OBD   Microsoft Office binder
OBT   Microsoft Office binder
OCX   Microsoft object linking and embedding custom control
OV?   Overlay
PIF   Program information file
PL    Perl program source code (UNIX)
PM    Presentation Manager bitmap graphics
POT   Microsoft PowerPoint
PPT   Microsoft PowerPoint
PPS   Microsoft PowerPoint
RTF   Rich Text Format document
SCR   Fax/screensaver/snapshot, script for Faxview/Microsoft Windows
SH    Shell script (UNIX)
SHB   Corel Show background file
SHS   Shell scrap file
SMM   Lotus AmiPro
SYS   Device driver
VBE   VBScript Encoded
VBS   VBScript
VSD   Microsoft Office Visio
VSS   Microsoft Office Visio
VST   Microsoft Office Visio
VXD   Virtual device driver
WSF   Windows Script File
WSH   Windows Script Host settings file
XL?   Microsoft Excel

Note: A question mark (?) in a file extension in Table 4-6 means that the letter in that position might vary, depending on the version of the program or application that produces the file.

Configuring file and folder inclusions and exclusions

Symantec Client Security exclusions behave as follows:
- When Symantec Client Security applies exclusions, the excluded items are not scanned. If a file is not excluded, it is scanned.
- For virus sweep, manual, Auto-Protect, and scheduled scans, Symantec Client Security takes no action on excluded files.

Enabling and disabling exclusions can improve performance, depending on the situation. For example, if you copy a large folder that is in the exclusions list and the exclusions setting is enabled, the copying process is faster because the folder's contents are excluded. Files that you exclude appear with various icons in the Symantec Client Security hierarchy. See Table 4-5 on page 127.

For all scan types, you can select files to include in a scan by extension or by type. For scheduled and manual scans, you can also select files to scan by extension and type at the folder level.

To configure exclusions for scans
1 Open the Scan Options dialog box for the type of scan that you want to configure: Auto-Protect, Manual, Virus Sweep, or Scheduled.
2 Click Exclude files and folders.
3 Click Exclusions.
4 Depending on the types and numbers of computers that you configure, do any of the following:
- Click Extensions and select the file extensions to exclude. You can use wildcards when you exclude by extension.
- Select files to exclude within specific folders by extension or file type.
- Click Files/Folders or Folders, as available, and select the folders to exclude from the scan.
5 Click OK until the Symantec System Center console appears.

To select files to include in scans by extension
1 In the Scan Options dialog box for the scan that you want to configure, under File Types, click Selected extensions.
2 Click Extensions.
3 In the Selected Extensions dialog box, do any of the following:
- To add your own extensions, type the extension, and then click Add.
- To add all document extensions, click Documents.
- To add all program extensions, click Add.
- To add all extensions and program types, click Use Defaults.
4 Click OK until the Symantec System Center console appears.
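The way extension selection, folder exclusions, and the "no file header check" caveat above combine is easier to see in code than in the dialog boxes. The following Python model is an added example and not part of Symantec's product: it applies a subset of the Table 4-6 extensions with the table's ? convention read as a one-character wildcard, applies folder, file, and extension exclusions, and then sniffs a few file signatures to show which files an extension-only scan would skip even though their contents are a Windows executable or an Office container. The signature table, the sample files and their first bytes, the policy dictionary, and all function names are constructed for the example; the product's default of scanning all files, the C:\Temp\Install exclusion, and the recommended extensions are the only facts taken from the page.

```python
"""Model of extension-selected scanning versus exclusions (added example, not Symantec code)."""
import fnmatch
import ntpath

# Subset of the Table 4-6 list; "?" stands for one varying character, as in MP?, OV?, XL?.
RECOMMENDED_EXTENSIONS = [
    "EXE", "COM", "DLL", "SCR", "CPL", "BAT", "VBS", "VBE", "JS", "WSF",
    "DOC", "DOT", "XL?", "PPT", "MDB", "MP?", "OV?",
]

# Constructed signature table for the header check; this is the example's own
# logic, not a description of how SmartScan identifies file types.
SIGNATURES = [
    (b"MZ", "Windows executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound document"),
    (b"PK\x03\x04", "ZIP container"),
]

# Constructed sample files: (Windows path, first bytes of the file).
SAMPLE_FILES = [
    ("C:\\Users\\alice\\report.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00"),
    ("C:\\Users\\alice\\invoice.dat", b"MZ\x90\x00\x03\x00"),      # renamed .exe
    ("C:\\Users\\alice\\budget.xlsx", b"PK\x03\x04\x14\x00"),      # four-letter extension
    ("C:\\Temp\\Install\\setup.exe", b"MZ\x90\x00\x03\x00"),
    ("C:\\Users\\alice\\notes.txt", b"hello"),
]

# A "Selected extensions" policy with the C:\Temp\Install exclusion the text mentions.
EXTENSION_POLICY = {
    "all_files": False,
    "include_exts": RECOMMENDED_EXTENSIONS,
    "exclude_folders": ["C:\\Temp\\Install"],
    "exclude_files": [],
    "exclude_exts": [],
}


def extension_of(path):
    """Upper-case extension without the dot, or '' when there is none."""
    return ntpath.splitext(path)[1].lstrip(".").upper()


def ext_matches(path, patterns):
    """True when the file's extension matches any pattern; ? matches exactly one character."""
    ext = extension_of(path)
    return any(fnmatch.fnmatchcase(ext, p.upper()) for p in patterns)


def is_excluded(path, policy):
    """Folder exclusions cover subfolders; file and extension exclusions match exactly."""
    norm = ntpath.normcase(path)
    for folder in policy.get("exclude_folders", []):
        if norm.startswith(ntpath.normcase(folder).rstrip("\\") + "\\"):
            return True
    if norm in {ntpath.normcase(f) for f in policy.get("exclude_files", [])}:
        return True
    return ext_matches(path, policy.get("exclude_exts", []))


def sniff(header):
    """Return a type name when the first bytes match a known signature, else None."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None


def scan_decision(path, header, policy):
    """Return (scanned, reason) for one file under the given policy."""
    if is_excluded(path, policy):
        return False, "excluded by a file, folder, or extension exclusion"
    if policy.get("all_files", True):          # the product default: scan every file
        return True, "all file types are scanned"
    if ext_matches(path, policy["include_exts"]):
        return True, "extension is in the selected list"
    kind = sniff(header)
    if kind:
        # Extension-only selection never looks here; this is the gap the text warns about.
        return False, f"skipped by extension, but header says {kind}"
    return False, "extension not selected"


def find_missed(files, policy):
    """Paths that an extension-selected scan skips although their header identifies a known executable or container type."""
    return [path for path, header in files
            if scan_decision(path, header, policy)[1].startswith("skipped by extension")]


if __name__ == "__main__":
    for path, header in SAMPLE_FILES:
        print(path, scan_decision(path, header, EXTENSION_POLICY))
    print("missed:", find_missed(SAMPLE_FILES, EXTENSION_POLICY))
```

Two things the run makes visible: a renamed executable (invoice.dat) and a four-letter Office extension that XL? does not cover (budget.xlsx) are both skipped by the extension policy, while the same files would be scanned under the default all-files setting; and the folder exclusion removes setup.exe from every scan, which is exactly why the text warns that excluded paths are unprotected.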

To select files to include in manual scans by folder
1 Right-click the object that you want to scan, and then click All Tasks > Symantec AntiVirus > Start Manual Scan.
2 In the Select Items dialog box, select the folders to scan.
3 Click Options and select the extensions and types to scan for the selected folders.
4 Click OK until the Symantec System Center console appears.

To select files to include in a scheduled scan by folder
1 Right-click the object that you want to scan, and then click All Tasks > Symantec AntiVirus > Scheduled Scans.
2 On the Server Scans tab, in the Server scans list, select a scan.
3 Click Edit.
4 In the Scheduled Scan dialog box, click Scan Settings.
5 In the Select Items dialog box, select the folders to scan.
6 Click Options and select the extensions and types to scan for the selected folders.
7 Click OK until the Symantec System Center console appears.

Configuring global security risk exclusions

If there are one or more security risks that you want to remain on the computers in your network, you can create a list of security risks that are excluded from all scans on servers and client computers. Global security risk exclusions can be configured at the server group, client group, server, and client levels. If a user has configured custom actions for a security risk that you have added to the global exclusions list, the user's custom actions are ignored.

Note: When you add a security risk to the global exclusions list, Symantec Client Security no longer logs any events that involve that security risk. Users are not notified in any way when the risk is present on their computers. Keep the list as short as your security policy allows and review it periodically, because an excluded risk is invisible to both scanning and logging.

To configure global security risk exclusions
1 Right-click the computer, server, or group that you want to configure, and then click All Tasks > Symantec AntiVirus > Global Security Risk Exclusions.
2 In the Global Security Risk Exclusions dialog box, click either the Server tab or the Client tab. The tabs apply as follows:
- If you selected a server: Use the Server tab to configure exclusions that apply to scans on the server. Use the Client tab to configure exclusions that apply to scans on all the unassigned client computers attached to that server. Client computers are unassigned if they are not part of a client group.
- If you selected a server group: Use the Server tab to configure exclusions that apply to scans on all the servers in the group. Use the Client tab to configure exclusions that apply to scans on all the unassigned client computers attached to the servers in the group. Client computers are unassigned if they are not part of a client group.
- If you selected a client computer: The Server tab is not available. Use the Client tab to configure exclusions that apply to all scans on the computer.
- If you selected a client group: The Server tab is not available. Use the Client tab to configure exclusions that apply to all scans on the computers in the client group.
3 Click Add.
4 In the Select Security Risks dialog box, click each of the security risks that you want to exclude from all scans. You can use the Ctrl and Shift keys to select more than one risk at a time.
5 Click OK.

To remove a security risk from global security risk exclusions
1 Right-click the computer, server, or group that you want to configure, and then click All Tasks > Symantec AntiVirus > Global Security Risk Exclusions.
2 In the Global Security Risk Exclusions dialog box, click either the Server tab or the Client tab.

3 In the list of excluded security risks, select each of the risks you want Symantec Client Security to begin scanning for again, and then click Remove. You can use the Control and Shift keys to select more than one risk at a time.
4 Click OK.

About actions for viruses and security risks that scans detect

Many of the same scan options are available in different types of scans. For example, when you configure manual, scheduled, or Auto-Protect scans, you can assign first and second actions for Symantec Client Security to take when it finds viruses and security risks.

You can assign individual first and second actions for Symantec Client Security to take when it discovers the following:

    Macro viruses
    Non-macro viruses
    All security risks (adware, spyware, joke programs, dialers, hack tools, remote access programs, trackware, and others)
    Individual categories of security risks, such as spyware
    Custom actions for a particular instance of a security risk

For viruses, by default, Symantec Client Security first attempts to clean the file. If Symantec Client Security cannot clean the file, it moves the file to the Quarantine on the infected computer, denies access to the file, and logs the event.

For security risks, by default, Symantec Client Security moves any infected files to the Quarantine on the infected computer and attempts to remove or repair the risk's side effects. The Quarantine contains a record of all actions that Symantec Client Security performed so that, if needed, the computer can be returned to the state that existed before Symantec Client Security attempted the removal and repair. If it is not possible to quarantine and repair a security risk, the second action is to log the risk.

See Table 4-10 on page 149.

Configuring Auto-Protect

Configuring Auto-Protect consists of the following tasks:

    Configuring Auto-Protect for files
    Configuring Auto-Protect scanning

About propagating Auto-Protect settings

Using the Symantec System Center, you can configure Auto-Protect settings at the server group, individual server, and client group levels. When you configure Auto-Protect settings, follow these guidelines to propagate the settings to the computers that you want to receive them:

    Changing server Auto-Protect settings for an individual server allows you to push a specific configuration to that server, which overrides settings that are made at the server group level.
    Resetting server Auto-Protect settings at the server group level allows you to reset previous settings made at the individual server level.
    Changing client Auto-Protect settings at the parent management server or client group level allows you to push a specific configuration to the clients of that parent management server or client group.
    Resetting client Auto-Protect settings at the server group level resets previous settings made at the parent management server or client group level, for all clients.
    Changing client Auto-Protect settings at the parent management server level changes the settings for clients not assigned to client groups; clients assigned to a client group retain their settings.

Warning: You must lock Auto-Protect options that you want to propagate to clients or the options are not propagated.

The buttons in the Auto-Protect Options dialog box affect settings propagation as follows:

    Clicking OK propagates the settings that you change.
    Clicking Reset All propagates all settings in the dialog box, regardless of whether you change or visit them.

See How settings propagate on page 58.

Locking and unlocking Auto-Protect options

You can lock or unlock Auto-Protect options for clients to control the user experience in the Symantec AntiVirus user interface. Table 4-7 describes the Auto-Protect lock icons.

Table 4-7 Auto-Protect lock icons

    Icon              What it means
    (unlocked icon)   Users can change this setting in the Symantec AntiVirus user interface.
    (locked icon)     Users cannot change this setting in the Symantec AntiVirus user interface.

To lock or unlock Auto-Protect options

1 In the Symantec System Center console, do one of the following:
    To change server Auto-Protect settings, right-click a server group or server, and then click All Tasks > Symantec AntiVirus > Server Auto-Protect Options.
    To change client Auto-Protect settings, right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
2 In the Auto-Protect Options dialog box, click the lock icon next to the option that you want to lock or unlock to change its current state.
3 Click OK.

Configuring File System Auto-Protect

When you configure Auto-Protect for files, you select a server group or server, configure scan settings, and configure other settings that define how Auto-Protect and its associated features behave. You specify whether you want to scan floppy disk drives, network drives, or both.

Note: When you configure Client Auto-Protect options, you can click the lock icon next to the Auto-Protect settings to lock the settings so that users cannot change them.

Table 4-8 describes the Auto-Protect scan options.

Table 4-8 Auto-Protect scan options

Section or option name    Available options

Enable Auto-Protect
    Check to enable Auto-Protect.

File types
    You can configure Symantec Client Security to scan all file types, to include only the files that have the selected extensions in the scan, or to use SmartScan. The following options are available:
        All Types: Scans all files on the computer, regardless of type.
        Selected Extensions: Scans only the files that have certain extensions. You can add more extensions for programs and documents if you have files that use extensions that are not already in the list. You can also reset this option to its default value.
        SmartScan: Scans a specific, configurable group of file extensions that contain executable code, and all .exe and .doc files. SmartScan reads each file's header to determine its file type. It scans .exe and .doc files even if their file extensions have been changed by a virus. SmartScan is enabled by default.

Options
    Uncheck Scan for security risks to stop Auto-Protect from scanning for security risks. Scanning for security risks is enabled by default.
    If Symantec determines that it would not be harmful to a computer to block a security risk, then by default, it blocks the risk. Uncheck Block security risks to stop Auto-Protect from blocking the security risks that it finds.
    Check Exclude selected files and folders to exclude certain files and folders from being scanned by Auto-Protect. Click Exclusions to select the file extensions and the folder paths to exclude.

Drive types
    Drive types provides the following options:
        CD-ROM: If you enable Auto-Protect on CD-ROM drives, Symantec Client Security can scan files as they are read from or written to CD-ROM disks.
        Floppy: Symantec Client Security can scan files as they are read from or written to floppy disks. Floppy disks are common sources of virus infections because users might bring infected disks from home.

Network Scanning Options
    Uncheck Enable scanning to stop Auto-Protect from scanning network drives. When scanning is enabled on network drives, Symantec Client Security scans files as they are written from a client computer to a server or from one server to another server. When network scanning is enabled, you can also enable Auto-Protect to trust remote versions of Auto-Protect and to use a network cache.

    For protection, it may not be necessary to check the Enable Scanning option if you have enabled Auto-Protect on all of your servers. For example, if network scanning is enabled on client A and Auto-Protect is also enabled on server B, when client A writes a file to a network drive on server B, Symantec Client Security scans the file on client A and scans the file again on server B. Duplicate scanning is likely to reduce network performance on the client computer, however.

    To keep Auto-Protect from performing duplicate scanning while network scanning is enabled, you can check Trust files on remote computers running Auto-Protect. If this option is enabled on both the client and the server, the client Auto-Protect checks that the server's Auto-Protect settings provide at least as high a level of security as its own Auto-Protect settings. If so, the local computer trusts the Auto-Protect scan on the remote computer and does not rescan the file. For example, when client A writes a file to a network drive on server B, Symantec Client Security scans the file on client A but does not repeat the scan on server B. Trust files on remote computers running Auto-Protect is enabled by default when network scanning is enabled.

    Uncheck Trust files on remote computers running Auto-Protect if you want to disable the trust feature and allow duplicate scanning. Unchecking this option is likely to reduce network performance.

    Check Network cache on a client computer so that Auto-Protect stores a record of the files it has already scanned from a network server. This option prevents Auto-Protect from scanning the same file more than once and may improve system performance. You can set the number of files (entries) that Auto-Protect scans and remembers; you can also set the timeout before the files are removed from the cache. Once the timeout expires, the files are removed from the cache, and network files are scanned again if the client requests them from the network server.

Advanced
    Click this button to set advanced Auto-Protect scan options, including startup, file cache, backup, and so on. See Configuring advanced File System Auto-Protect options on page 141.

Actions
    Click this button to set the kind of actions that you want Symantec Client Security to take when it finds a virus or a security risk. See Configuring actions for File System Auto-Protect on page 148.

Notifications
    Click this button to set the notifications that you want to appear when Auto-Protect finds a virus or a security risk. See Configuring notifications for File System Auto-Protect on page 156.

Reset All
    This option is available only for server Auto-Protect options at the server group level and client Auto-Protect options at the server level. To ensure that all computers use the same Auto-Protect scanning configuration that you set at a higher level, click Reset All when you set the options.
    For server Auto-Protect, when you click Reset All at the server group level, the server group settings overwrite any scan options that were previously set at the server level. All options are propagated to all of the servers that belong to the server group.
    For client Auto-Protect, when you click Reset All at the server group level, the server group settings overwrite any scan options that were previously set at the server and client level. When you click Reset All at the server level, any scan options that were previously set at the client level are overwritten by the server settings.

To configure File System Auto-Protect

1 Do one of the following:
    Right-click the server group or the Symantec Client Security servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Server Auto-Protect Options. If you select a server group, the Symantec System Center configures all of the servers that are in the server group.
    Right-click an individual server or multiple selected servers, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
    Right-click the server group or the servers that manage the Symantec Client Security clients that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. The Symantec System Center configures all of the clients that are associated with the server or the server group.
    Right-click an individual client or multiple selected clients for a server, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.

2 In the Auto-Protect Options dialog box, enable Auto-Protect, select all file types or selected extensions to include, enable or disable scanning for security risks, exclude files by extension and folders, set network scanning options, and set drive types, as needed. See Table 4-8 on page 136.
3 To set advanced scan options, click Advanced. See Table 4-9 on page 141.
4 To set the actions that you want Symantec Client Security to take when it finds macro viruses, non-macro viruses, and individual or categories of security risks, click Actions. See Table 4-10 on page 149.

5 To set the notifications (messages) that you want to display on infected computers when risks are found, click Notifications. See Table 4-12.
6 If you configure client Auto-Protect options, click the lock icon next to each Auto-Protect option that you want to lock to propagate the option to clients.
7 If you configure Auto-Protect options for a server group, click Reset All to ensure that all of the computers use the Auto-Protect scanning configuration that you set at this level. See About propagating Auto-Protect settings on page 135.
8 Click OK.

Configuring advanced File System Auto-Protect options

Table 4-9 describes the advanced scan options for File System Auto-Protect.

Table 4-9 Advanced scan options for File System Auto-Protect

Section or option name    Available options

Startup options
    Options include the following:
        System start: Loads Auto-Protect when the computer's operating system starts and unloads it when the computer shuts down. This option can help protect against some viruses, such as Fun Love. If Auto-Protect detects a virus during shutdown, it places the infected file in a temporary Quarantine directory. Auto-Protect then detects the virus on startup and creates an alert notification.
        Symantec AntiVirus start: Loads Auto-Protect when Symantec Client Security starts.
    Note: If you disable Auto-Protect on a computer that has this option set to System start, Auto-Protect still functions briefly each time that the computer restarts, until the main Symantec Client Security service starts and disables Auto-Protect.

Changes requiring Auto-Protect reload
    Options include the following:
        Wait until system restart: Stops and reloads Auto-Protect when the computer restarts.
        Stop and reload Auto-Protect: Stops and reloads Auto-Protect immediately.

Scan files when
    Scan files when provides the following file system protection options for monitoring and acting on files:
        Modified (scan on create): Scans files when they are written, modified, or copied. Use this option for slightly faster performance, because Auto-Protect scans files only when they are written, modified, or copied.
        Accessed or modified (scan on create, open, move, copy, or run): Scans files when they are written, opened, moved, copied, or run. Use this option for more complete file system protection. This option might have a performance impact, because Auto-Protect scans files during all types of file operations.
        Opened for backup (not applicable to Windows 9x or NetWare): Scans files when they are accessed during a backup operation. Use this option if you haven't run a virus check on the files that you want to back up. Do not enable this option if you want to bypass Auto-Protect for the files that are being backed up. This option can significantly slow backup operations, because Auto-Protect scans each file that is included in the backup. The setting applies only to files that are backed up. Files that are being restored from a backup are scanned regardless of this setting.
        For Leave Alone (Log only), delete infected files on creation: Enable this option if you want the Modified option or the Accessed or modified option to delete a newly created infected file when you configure Leave alone (log only) as the action. For an existing infected file, Scan on Access and Modify detects the infected file and the Leave alone action applies: access to the file is denied and the event is logged, but the file is not deleted. When you disable this option, Symantec Client Security permits the infected file to be created.
        Preserve file times: Enable this option if you do not want the file system to change the last access time. Preserving the last access time prevents backup software from backing up unchanged files.

File cache
    File caching decreases Auto-Protect's memory usage and can help you to track problems. The file cache includes an index of files that were scanned and determined to be clean. Symantec Client Security adds a 16-byte ID to the cache index, which remains until Symantec Client Security detects a change to the file. The following options are available:
        Disable file cache: Disables the file cache. This option is useful during troubleshooting.
        Use default file cache size: Use the default file cache size setting for desktop computers, and use as close to the maximum setting as possible for servers. The default file cache size is based on the computer's operating system and the amount of available disk space.
        Custom file cache entries: Select the number of custom file cache entries to include. This option is useful for file servers or Web servers on which you want to cache a large number of files.

Risk Tracer
    Risk Tracer provides the following options for identifying the source of network share-based virus infections on the computers that run supported Windows operating systems:
        Enable Risk Tracer: Ensure that this option is checked to use Risk Tracer.
        Resolve source computer IP address: If this option is unchecked, Symantec Client Security looks up and records only the computer's NetBIOS name. When it is checked, it also reports who was logged on to the computer at delivery time. This feature is supported on Windows XP systems only.
        Poll for network sessions every <number> milliseconds: Symantec Client Security polls once every second (1000 milliseconds) by default. Lower values use greater amounts of CPU and memory, but also increase the possibility that Symantec AntiVirus can record the network session information before the risk can shut down network shares. Higher values decrease system overhead, but also decrease Risk Tracer's ability to detect infections. See About Risk Tracer on page 147.
        Client firewall auto blocks IP address of the source computer: Enable this option if you use Symantec Client Firewall and want the firewall to automatically block the IP addresses of computers that transmit infected files. Symantec Client Firewall automatically blocks all IP traffic to the IP address for 30 minutes by default.

Automatic enabler
    Check this option to re-enable Auto-Protect automatically after <number> minutes. Valid values range from 3 to 60. This option is useful if your end users need to disable Auto-Protect on occasion.

When scanning compressed files
    This option is available when you configure Server Auto-Protect Options. If you check this option, Symantec Client Security scans the container, such as Files.zip, and the contents of the container, which are the individual compressed files. Symantec Client Security supports a maximum depth of eight levels of nested compressed files for NetWare servers. Symantec Client Security scans compressed files during Auto-Protect and scheduled scans. To scan the contents of a compressed file, Symantec Client Security extracts each file, one file at a time, from the container and copies it to the SYS volume, where it is scanned. The SYS volume must have enough space available to accommodate the largest file in the container.
    Note: You cannot stop a scan that is in progress on a compressed file. If you click Stop Scan, Symantec Client Security stops the scan only after it has finished scanning the compressed file.

Backup options
    As a data safety precaution, before you attempt to repair a file, check Back up file before attempting repair. This option is checked by default. The original virus-infected file is encrypted and then copied into the Quarantine directory. If you need to, you can use this unrepaired backup file to return the file to its original, but infected, state.
    Note: Uncheck this option with caution, since it means that files containing viruses are not backed up before repairs are attempted.
    This setting applies only to virus-infected files. For security risks, if the action you have configured is Delete risk, no backup files are created. If the action you have configured is Quarantine risk, the security risk files are always backed up in the Quarantine before repair is attempted, regardless of this setting.

Additional advanced options: Heuristics
    Change the level of protection that Bloodhound Heuristic Scanning provides. Select the Minimum, Default, or Maximum level of protection. Bloodhound can detect a high percentage of unknown viruses by isolating and locating the logical regions of a file. Bloodhound then analyzes the program logic for virus-like behavior.

Additional advanced options: Floppies
    The following options are available for floppy disk scans:
        Check floppies for boot viruses upon access: Symantec Client Security scans the floppy disk in the floppy drive for boot viruses when the drive is first accessed. When Symantec Client Security finds a boot virus, select whether to clean the virus from the boot record or leave it alone. If you click Leave alone (log only), an alert is sent when a virus is detected but no action is taken. Use this option if you want to control the virus cleaning and handling process.
        Do not check floppies upon system shutdown: Symantec Client Security skips the scan of any floppy disk in the floppy drive when the computer is shut down normally.

Additional advanced options: Monitor
    These options are available when you configure Client Auto-Protect Options. You might want to monitor virus-like activities, which are the activities that viruses perform when they attempt to infect your files. The listed activities might be legitimate, depending on the work context. You can set each activity to be allowed, not allowed, or to alert the user before the activity is performed.
        Low-Level Format Of Hard Disk: All information on the drive is erased and cannot be recovered. This type of formatting is generally performed at the factory only. If this activity is detected, it usually indicates an unknown virus at work. This is not an option for NEC PC98xx computers.
        Write To Hard Disk Boot Records: Very few programs write to hard disk boot records. If this activity is detected, it could indicate an unknown virus at work.
        Write To Floppy Disk Boot Records: Only a few programs, such as the operating system Format command, write to floppy disk boot records. If this activity is detected, it could indicate an unknown virus at work.
        Remove the alert dialog after <number> seconds: If you selected Prompt to alert the user for any of the activities, you can set the number of seconds that you want the alert to appear.

To configure advanced File System Auto-Protect options

1 Do one of the following:
    Right-click the server group or the Symantec Client Security servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Server Auto-Protect Options. If you select a server group, the Symantec System Center configures all of the servers that are in the server group.

    Right-click an individual server or multiple selected servers, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
    Right-click the server group or the servers that manage the Symantec Client Security clients that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. The Symantec System Center configures all of the clients that are associated with the server or the server group.
2 In the Auto-Protect Options dialog box, on the File System tab, click Advanced.
3 In the Auto-Protect Advanced Options dialog box, set the following options:
    Startup options
    Changes requiring Auto-Protect reload
    Scan files when
    File cache
    Risk Tracer
    Automatic enabler
    When scanning compressed files (if configuring Server Auto-Protect Options)
    Backup options, and additional advanced options, if needed

  See Table 4-9 on page 141.
4 If you configure Client Auto-Protect Options, in the Monitor dialog box, set one or more of the following options for virus-like activities:
    Low-Level Format Of Hard Disk        Allow, Prompt, or Don't Allow
    Write To Hard Disk Boot Records      Allow, Prompt, or Don't Allow
    Write To Floppy Disk Boot Records    Allow, Prompt, or Don't Allow
5 If you selected Prompt for any of the options, check Remove the alert dialog after <number> seconds and type the number of seconds that you want the alert to last.
6 In the Auto-Protect Advanced Options dialog box, when you have finished configuring Auto-Protect Advanced Options, click OK.
7 If you want to propagate all the settings in the dialog box, regardless of whether you changed or visited them, click Reset All.
8 In the Auto-Protect Options dialog box, click OK.

About Risk Tracer

Risk Tracer identifies the source of network share-based virus infections on the computers that run Windows XP operating systems. When Auto-Protect detects an infection, it sends information to Rtvscan, the main Symantec Client Security service. Rtvscan determines if the infection originated locally or remotely. If the infection came from a remote computer, Rtvscan can look up and record the computer's NetBIOS computer name and its IP address, and who was logged on to the computer at delivery time, and then display this information in the Risk properties dialog box.

Rtvscan polls every second by default for network sessions, and then caches this information as a remote computer secondary source list. This polling, which you can configure in the Auto-Protect Advanced Options dialog box, maximizes the chance that Risk Tracer can successfully identify the infected remote computer. For example, a risk may close the network share before Rtvscan can record the network session. Risk Tracer then uses the secondary source list to try to identify the remote computer.

Risk Tracer information appears in the Risk properties dialog box, and is available only for the risk entries that the infected files cause. When Risk Tracer determines that the infection came from local host activity, it lists the source as the local host.
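The attribution logic described above (local host, one identified remote computer, or unknown when the delivering user ID maps to several network sessions, with the polled secondary source list as a fallback when the share closed before the poll saw it) modelled in Python. This is an added illustration, not Symantec's Rtvscan code; the NetSession and Detection record shapes, the secondary-list depth of 5 and the per-computer deduplication are assumptions, and all session data is constructed.

```python
"""Model of Risk Tracer source attribution (added example, not Symantec's code).

Every input here is constructed: each poll() call hands the model a snapshot
of the network sessions open on this computer, and each Detection names the
user ID that delivered the infected file, or None for local activity.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class NetSession:
    user: str       # account authenticated on the file share
    computer: str   # NetBIOS name of the remote computer
    ip: str         # IP address, reported only when resolution is enabled


@dataclass(frozen=True)
class Detection:
    path: str
    delivered_by: str | None   # user ID that wrote the file; None = local


@dataclass(frozen=True)
class Source:
    kind: str                  # "local host", "remote" or "unknown"
    computer: str | None = None
    ip: str | None = None
    user: str | None = None


class RiskTracerModel:
    """Keeps the current session snapshot plus a short secondary source list."""

    def __init__(self, history: int = 5, resolve_ip: bool = True) -> None:
        self.resolve_ip = resolve_ip      # "Resolve source computer IP address"
        self.current: list[NetSession] = []
        # Earlier snapshots, newest first (the secondary source list); the
        # depth of 5 is an assumption, the guide does not state one.
        self.secondary: deque[list[NetSession]] = deque(maxlen=history)

    def poll(self, sessions: list[NetSession]) -> None:
        """One polling cycle: archive the previous snapshot, take a new one."""
        if self.current:
            self.secondary.appendleft(self.current)
        self.current = list(sessions)

    def attribute(self, det: Detection) -> Source:
        """Apply the guide's rules: local host, one remote computer, or unknown."""
        if det.delivered_by is None:
            return Source("local host")
        # Live sessions first; then the secondary list, newest first, for the
        # case where the risk closed the share before the next poll saw it.
        for snapshot in (self.current, *self.secondary):
            by_computer = {s.computer: s for s in snapshot
                           if s.user == det.delivered_by}
            if not by_computer:
                continue
            if len(by_computer) > 1:
                # Same user ID on several computers: no single source.
                return Source("unknown")
            sess = next(iter(by_computer.values()))
            return Source("remote", sess.computer,
                          sess.ip if self.resolve_ip else None, sess.user)
        return Source("unknown")   # no session ever matched the user ID


if __name__ == "__main__":
    tracer = RiskTracerModel()
    tracer.poll([NetSession("alice", "WS01", "10.0.0.5")])
    tracer.poll([])   # share already closed when the next poll runs
    print(tracer.attribute(Detection(r"C:\share\dropper.exe", "alice")))
```

Lowering the poll interval in the real product corresponds to calling poll() more often here: the more snapshots taken before the share closes, the more likely the secondary list still holds the session.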

Risk Tracer lists a source as unknown in the Risk properties dialog box when the following conditions are true:

    It cannot identify the remote computer.
    The authenticated user for a file share refers to multiple computers. This condition can occur when a user ID is associated with multiple network sessions. For example, multiple computers might be logged on to a file sharing server with the same server user ID.

To record the full list of multiple remote computers that are infecting the current computer, set the HKEY_LOCAL_MACHINE\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\ProtectControl\Debug string value to THREATTRACER X on the current computer. The THREATTRACER value turns on the debug output, and the X ensures that only debug output that is related to Risk Tracer appears. You can also add an L to ensure that the logging goes to the <SAV_Program_Folder>\vpdebug.log log file. To ensure that the debug window does not appear, add XW. If you want to experiment with this feature, use the test virus file Eicar.com, available from the following URL:

Configuring actions for File System Auto-Protect

Actions allow you to set how Symantec Client Security responds when it detects a virus or a security risk. You can assign a first action and, in case the first action is not possible, a second action for Symantec Client Security to take when it discovers a virus or a security risk such as adware or spyware. Types of viruses and security risks are listed in the hierarchy. You can configure options on the tabs to the right.

Note: For security risks, use the delete action with caution. In some cases, deleting security risks causes applications to lose functionality.

Table 4-10 describes the options that you can configure for File System Auto-Protect and manual scan actions.

Table 4-10 Actions for File System Auto-Protect and manual scans

Tab    Type of risk    Options

Actions tab: Macro virus, Non-macro virus
    You can configure a first action to take and a second action to take if the first action fails. Actions for viruses include the following:
        Clean risk (default first action): Attempts to clean the infected file when a virus is found.
        Quarantine risk (default second action): Attempts to move the infected file to the Quarantine on the infected computer as soon as it is detected. After an infected file is moved to the Quarantine, no user can execute it until you take an action, such as clean, and move the file back to its original location.
        Delete risk: Attempts to delete the file. Use this option only if you can replace the infected file with a virus-free backup copy, because the file is permanently deleted and cannot be recovered from the Recycle Bin. If Symantec Client Security cannot delete the file, detailed information about the action that Symantec Client Security took appears in the Notification dialog box and the Symantec Client Security Event Log.
        Leave alone (log only): Denies access to the file, displays a notification, and logs the event. Use this option to take manual control of how Symantec Client Security handles a virus. When you are notified of a virus, open the Risk History for the computer, right-click the name of the file, and select one of the following actions: Clean (viruses only), Delete Permanently, or Move To Quarantine.

Actions tab: Security risks
    Adware
    Dialers
    Hack Tools
    Joke Programs
    Other (programs that might pose a security risk but do not fit into other security risk categories)
    Remote Access
    Spyware
    Trackware

Table 4-10 Actions for File System Auto-Protect and manual scans (continued)

Tab: Actions tab (continued)
Type of risk: Security risks (continued)
Options:
You can configure Symantec Client Security security risk actions as follows:
  Configure the same actions to take for all security risks.
  Configure the same actions for a whole category of security risks.
  Configure individual security risk exceptions to the actions that you set for specific categories.
You can configure a first action to take and a second action to take if the first action fails. Actions for security risks include the following:

Quarantine risk (default first action): Attempts to move any infected files to the Quarantine on the infected computer as soon as the security risk is detected or completes its installation. Symantec Client Security removes or repairs any side effects of the risk, such as deleting registry keys that were added, reverting the registry key values that were changed, deleting additions to .ini or .bat files, deleting entries in host files, repairing a Layered Service Provider (LSP) system driver, or the effects of a rootkit. You can restore the security risk items that are quarantined to their original state on the system. In some instances, you might need to restart the computer to complete the removal or repair.

Delete risk: Attempts to delete security risk files. Use this option only if you can replace the files with a security risk-free backup copy, because files are permanently deleted and cannot be recovered from the Recycle Bin. Use this action with caution, because in some cases deleting security risks can cause applications to lose functionality. If Symantec Client Security cannot delete files, detailed information about the actions that Symantec Client Security took appears in the Notification dialog box and the Symantec Client Security Event Log.

Leave alone (log only) (default second action): The risk is left alone and its detection is logged. Use this option to take manual control of how Symantec Client Security handles a security risk. When you are notified of a security risk, open the Risk History for the computer, right-click the name of the infected file or files, and select one of the following actions: Delete Permanently or Move To Quarantine. You can also lock exceptions on the Actions tab for Client File System Auto-Protect so that users cannot create their own security risk exceptions for Auto-Protect scans.

Note: In some instances, you might unknowingly install an application that includes a security risk such as adware or spyware. If Symantec has determined that blocking the risk will not harm the computer, then by default Symantec Client Security blocks the risk. If blocking the risk might leave the computer in an unstable state, Symantec Client Security waits until that application installation is complete before it performs the configured action on the security risk.

Tab: Exceptions tab (available only for security risks)
Options:
You can configure exceptions to the actions that you set for security risk categories. You can select specific instances of a category and assign actions to those instances that are different from the actions that you assigned to the category as a whole. In each category list, you can select and add the security risks for which you want to configure custom actions, or edit or remove the risks that are already in the list. To see the whole list and assign a custom action to several different types of security risks at once, you can select Security Risks in the tree instead of selecting each category of security risk separately. An additional custom action, Exclude, is available for the security risks that you want to exclude from Auto-Protect scans.

Note: Exclusions that you configure for Auto-Protect scans are not recognized by manual and scheduled scans, and vice versa. Exclusions are configured separately for manual, scheduled, and Auto-Protect scans. You can only exclude a security risk from all scans on client computers by configuring it globally. See Configuring global security risk exclusions on page 132.

You can lock exceptions on the Actions tab for Client File System Auto-Protect to keep users from making any Auto-Protect scan exceptions for security risks.

Note: When you exclude a security risk from scans, that risk is not logged or reported.
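To make the precedence that Table 4-10 describes concrete (actions set on the Security Risks node, a category override, a per-risk exception, the Exclude action, and a second action that is tried only when the first fails), here is an added Python example written for this section. It is not Symantec Client Security code: the policy class, the simulated action outcomes, and the risk names such as Example.Spyware.A are constructed for illustration, and the assumption that a locked file makes quarantine and delete fail is the example's own.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Action names as Table 4-10 lists them for security risks.
QUARANTINE = "Quarantine risk"
DELETE = "Delete risk"
LEAVE_ALONE = "Leave alone (log only)"
EXCLUDE = "Exclude"          # available only as a per-risk exception

# Security risk categories from Table 4-10.
CATEGORIES = ("Adware", "Dialers", "Hack Tools", "Joke Programs", "Other",
              "Remote Access", "Spyware", "Trackware")

ActionPair = Tuple[str, Optional[str]]   # (first action, second action)


@dataclass
class SecurityRiskPolicy:
    """Assumed representation of the Actions and Exceptions tabs (not the product's own)."""
    # Actions set on the top-level Security Risks node (the guide's defaults).
    default: ActionPair = (QUARANTINE, LEAVE_ALONE)
    # Categories with "Override actions configured for Security risks" checked.
    category_overrides: Dict[str, ActionPair] = field(default_factory=dict)
    # Per-risk exceptions; (EXCLUDE, None) excludes the risk from the scan.
    exceptions: Dict[str, ActionPair] = field(default_factory=dict)

    def override_category(self, category: str, first: str, second: str) -> None:
        if category not in CATEGORIES:
            raise ValueError(f"unknown security risk category: {category}")
        self.category_overrides[category] = (first, second)

    def add_exception(self, risk_name: str, first: str, second: Optional[str] = None) -> None:
        self.exceptions[risk_name] = (first, second)

    def resolve(self, risk_name: str, category: str) -> ActionPair:
        """Most specific setting wins: risk exception, then category, then Security Risks."""
        if risk_name in self.exceptions:
            return self.exceptions[risk_name]
        if category in self.category_overrides:
            return self.category_overrides[category]
        return self.default


def handle_detection(policy: SecurityRiskPolicy, risk_name: str, category: str,
                     attempt: Callable[[str, str], bool]) -> Optional[dict]:
    """Apply the first action; fall back to the second only if the first fails.

    Returns the event that would be logged, or None when the risk is excluded
    (the guide states that excluded risks are neither logged nor reported).
    """
    first, second = policy.resolve(risk_name, category)
    if first == EXCLUDE:
        return None
    if attempt(first, risk_name):
        return {"risk": risk_name, "category": category, "action_taken": first,
                "result": "succeeded"}
    if second is not None and attempt(second, risk_name):
        return {"risk": risk_name, "category": category, "action_taken": second,
                "result": "succeeded after first action failed"}
    return {"risk": risk_name, "category": category, "action_taken": first,
            "result": "failed"}


def simulated_attempt(action: str, risk_name: str) -> bool:
    """Constructed stand-in for the scanner: quarantine and delete fail on a locked file."""
    if action == LEAVE_ALONE:
        return True
    return not risk_name.endswith(".locked")


def demo() -> list:
    policy = SecurityRiskPolicy()
    policy.override_category("Hack Tools", DELETE, QUARANTINE)
    policy.add_exception("Example.Trackware.Allowed", EXCLUDE)            # constructed names
    policy.add_exception("Example.Adware.Tolerated", LEAVE_ALONE, LEAVE_ALONE)
    detections = [
        ("Example.Spyware.A", "Spyware"),            # inherits the Security Risks defaults
        ("Example.Spyware.B.locked", "Spyware"),     # quarantine fails, second action applies
        ("Example.HackTool.C", "Hack Tools"),        # category override
        ("Example.Trackware.Allowed", "Trackware"),  # excluded: no event at all
        ("Example.Adware.Tolerated", "Adware"),      # per-risk exception
    ]
    events = [handle_detection(policy, name, cat, simulated_attempt) for name, cat in detections]
    return [e for e in events if e is not None]


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Running the module prints one event per detection that would be logged; the excluded risk produces no event, which is what the note above means by "not logged or reported".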

Warning: If you configure Symantec Client Security to delete the files that are infected by a security risk such as adware or spyware, it cannot restore those files. To back up the files that are affected by security risks such as adware or spyware, configure Symantec Client Security to quarantine them.

About risk impact ratings

Symantec assesses security risks to determine how much effect they have on a computer. The following factors are rated low, medium, or high: privacy impact, performance impact, stealth, and removal difficulty. A factor that is rated low has been assessed as having a minimal impact. A factor that is rated medium has been assessed as having some impact. A factor that is rated high has been assessed as having a significant impact in that area. If a particular security risk has not been assessed yet, a default rating is displayed. If a particular security risk has been assessed but the factor being rated does not apply to that particular risk, a rating of None is displayed for that factor.

These ratings appear in the Symantec System Center when you use the Exceptions tab to assign custom actions to particular security risks. Exceptions to standard actions are available from the Actions button when you configure Client and Server Auto-Protect options, as well as when you configure any type of scan. They are also available to end users from the Symantec AntiVirus user interface when they configure any type of scan. You can use these ratings to help determine which security risks you want to exclude from scans and allow to remain on computers. Clicking a factor name sorts that column beginning with all low ratings; clicking the factor name again sorts the column beginning with high ratings.

Table 4-11 describes the rating factors and what a high rating means for each of them.
Table 4-11 Risk impact rating factors

Privacy Impact: Privacy measures the level of privacy that is lost due to the security risk's presence on the computer. A high rating indicates that personal or other sensitive information may be stolen.
Performance Impact: Performance measures the extent to which a security risk degrades a computer's performance. A high rating indicates that performance is seriously degraded.
Stealth Rating: Stealth measures how easy it is to determine whether the security risk is present on a computer. A high rating indicates that the security risk attempts to hide its presence, which may make it difficult to determine whether the security risk is present on the computer.

Table 4-11 Risk impact rating factors (continued)

Removal Rating: Removal measures the degree of difficulty in removing a security risk from a computer. A high rating indicates that the risk is difficult to remove.
Overall Rating: Overall rating is an average of the other factors.
Dependent Program: Dependent Program indicates whether or not there is another application that depends on the presence of this security risk to function properly.

To configure actions for File System Auto-Protect

1 Do one of the following:
  Right-click the server group or the Symantec Client Security servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Server Auto-Protect Options. If you select a server group, the Symantec System Center configures all of the servers that are in the server group.
  Right-click an individual server or multiple selected servers, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
  Right-click the server group or the servers that manage the Symantec Client Security clients that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. The Symantec System Center configures all of the clients that are associated with the server or the server group.

2 In the Auto-Protect Options dialog box, on the File System tab, click Actions.

3 In the Actions dialog box, in the hierarchy, select a type of virus or security risk.
  By default, each security risk subcategory, such as Spyware, is automatically configured to use the actions that are set at the top level for the entire Security Risks category. To configure a category or specific instances of a category to use different actions, check Override actions configured for Security risks, and then set the actions for that category only.
  See Table 4-10 on page 149.

4 Select the first and second actions that you want Symantec Client Security to take when it detects that category of virus or security risk.
  For security risks, use the delete action with caution. In some cases, deleting security risks causes applications to lose functionality.

5 If you selected Security Risks as a whole or an individual security risk category, click the Exceptions tab to configure custom actions for one or more specific instances of that security risk category.
  An additional action, Exclude, is available for Exceptions that you configure. If you assign the same actions, you can select multiple security risks and assign the actions to them at the same time.
  If you are configuring Client Auto-Protect Options, you can lock Exceptions that you configure on the Actions tab, so that users cannot make any security risk exceptions for Auto-Protect scans.

6 Click Add.

7 In the Select Security Risks dialog box, check the specific risks in the list for which you want to configure custom actions, and then click Next.

8 In the Configure Security Risks dialog box, select the first and second actions that you want Symantec Client Security to take when it detects the specific risks that you selected, and then click Finish.

9 Repeat step 4 for each category for which you want to set actions (viruses and security risks).

10 Repeat steps 5 through 8 for all security risk categories in which you want to set custom actions for individual risks.

11 Click OK.

Configuring notifications for File System Auto-Protect

When you configure notifications, you set how Symantec Client Security notifies users when the following occurs:
  Symantec Client Security finds a virus or a security risk.
  Symantec Client Security needs to stop a process or service to remove or repair the effects of a virus or security risk.

You can suppress all or some user notifications. On unmanaged clients, by default users are notified and processes and services are not terminated automatically. This option allows users to save data before Symantec Client Security initiates actions to remove or repair a virus or security risk. On servers and managed clients, by default notifications are turned off and processes and services are terminated automatically.

Note: Notifications options are the same for File System Auto-Protect and for all types of manual scans, with one exception: the Display Auto-Protect results dialog on infected computer option is available only for File System Auto-Protect.

Table 4-12 describes the notifications options for File System Auto-Protect and manual scans.

Table 4-12 Notifications options for File System Auto-Protect and manual scans

Detection options: Check Display notification message on infected computer to display a message on the computer when a virus or security risk is found. Right-click in the text field to insert new fields, or type or edit directly in the field to alter the message. See Table 4-13 on page 157.
  Uncheck Display Auto-Protect results dialog on infected computer to suppress the dialog box that displays the results on the infected computer when Auto-Protect finds viruses and security risks. This option is available only when you configure File System Auto-Protect.

Remediation options: If you check both remediation options, then users are not notified when Symantec Client Security needs to terminate a process or application, such as a Web browser, or stop a service on the user's computer to complete the removal or repair of a risk. Symantec Client Security automatically takes the necessary action without notifying users.
  Automatically terminate processes: Check this option if you do not want users to be notified when Symantec Client Security must terminate a process to remove or repair a risk.
  Automatically stop services: Check this option if you do not want users to be notified when Symantec Client Security must stop a service to remove or repair a risk.
  Note: Users are always notified when a restart is required. They are allowed to save data and close open applications, or to opt out of restarting.

You can construct a custom message to appear on infected computers when a virus or a security risk is found. You can type directly in the message field to add your own text, and you can right-click in the field to select variables.

Table 4-13 describes the variable fields that are available for File System Auto-Protect and manual scan notification messages.

Table 4-13 File System Auto-Protect and manual scan message fields

SecurityRiskName: The name of the virus or security risk that was found.

Table 4-13 File System Auto-Protect and manual scan message fields (continued)

ActionTaken: The action that was taken in response to detecting the virus or security risk. This action can be either the first action or the second action that was configured.
Status: The state of the file: Infected, Not Infected, or Deleted. This message variable is not used by default. To display this information, manually add this variable to the message.
Filename: The name of the file that the virus or the security risk has infected.
PathAndFilename: The complete path and name of the file that the virus or the security risk has infected.
Location: The drive on the computer on which the virus or security risk was located.
Computer: The name of the computer on which the virus or security risk was found.
User: The name of the user who was logged on when the virus or security risk occurred.
Event: The type of event, such as Risk Found.
LoggedBy: The type of scan, such as manual or scheduled, that detected the virus or security risk.
DateFound: The date on which the virus or security risk was found.
StorageName: The affected area of the application, for example, File System Auto-Protect or Lotus Notes Auto-Protect.
ActionDescription: A full description of the actions that were taken in response to detecting the virus or security risk.

To configure notifications for File System Auto-Protect

1 Do one of the following:
  Right-click the server group or the Symantec Client Security servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Server Auto-Protect Options. If you select a server group, the Symantec System Center configures all of the servers that are in the server group.

  Right-click a server group, an individual server, or multiple selected servers that manage the Symantec Client Security clients that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.

2 In the Client or Server Auto-Protect Options dialog box, on the File System tab, click Notifications.

3 In the Notification Options window, under Detection Options, check Display notification message on infected computer if you want a message to appear on the infected computer when a virus or security risk is found.

4 In the message box, do any or all of the following to construct the message that you want:
  Click to type or edit text.
  Right-click, click Insert Field, and then select the variable field that you want to insert. See Table 4-13 on page 157.
  Right-click, and then select Cut, Copy, Paste, Clear, or Undo.

5 Under the message box, uncheck Display Auto-Protect results dialog on infected computer if you want to suppress the dialog box that displays results when Auto-Protect finds viruses and security risks.

6 Under Remediation Options, check each option that you want to set. Your options are as follows:
  Automatically terminate processes: If checked, Symantec Client Security automatically terminates processes when it needs to do so to remove or repair a virus or security risk. Users are not prompted to save data before Symantec Client Security terminates the processes.
  Automatically stop services: If checked, Symantec Client Security automatically stops services when it needs to do so to remove or repair a virus or security risk. Users are not prompted to save data before Symantec Client Security stops the services.
  Use these options with caution on clients, because users can potentially lose data when Symantec Client Security terminates processes or applications or stops services.

7 Click OK.

User interaction with scan results

If you allow users to be notified when Symantec Client Security finds a virus or a security risk, the Auto-Protect Results dialog box appears.

Figure 4-1 Auto-Protect Results dialog box
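As an added illustration of the message fields in Table 4-13 and of the message construction in step 4 of the notifications procedure above (example code, not part of the guide or the product), the following Python renders a notification from a detection record. It assumes that an inserted field appears in the message text as [FieldName] and derives Filename and Location from PathAndFilename; the risk name, path, computer name and user are constructed sample values.

```python
import ntpath
import re
from datetime import date
from typing import Dict, Optional

# Variable fields available in notification messages (Table 4-13).
MESSAGE_FIELDS = (
    "SecurityRiskName", "ActionTaken", "Status", "Filename", "PathAndFilename",
    "Location", "Computer", "User", "Event", "LoggedBy", "DateFound",
    "StorageName", "ActionDescription",
)

# Assumption for this example: an inserted field appears in the message as [FieldName].
FIELD_PATTERN = re.compile(r"\[([A-Za-z]+)\]")


def detection_record(risk_name: str, path_and_filename: str, action_taken: str,
                     computer: str, user: str, logged_by: str = "Auto-Protect",
                     storage_name: str = "File System Auto-Protect",
                     status: Optional[str] = None, date_found: Optional[date] = None,
                     action_description: Optional[str] = None) -> Dict[str, str]:
    """Build the field values for one detection; Filename and Location derive from the path."""
    drive, _ = ntpath.splitdrive(path_and_filename)   # Location is the drive, per Table 4-13
    return {
        "SecurityRiskName": risk_name,
        "ActionTaken": action_taken,
        "Status": status or "Infected",               # Infected, Not Infected, or Deleted
        "Filename": ntpath.basename(path_and_filename),
        "PathAndFilename": path_and_filename,
        "Location": drive,
        "Computer": computer,
        "User": user,
        "Event": "Risk Found",
        "LoggedBy": logged_by,
        "DateFound": (date_found or date.today()).isoformat(),
        "StorageName": storage_name,
        "ActionDescription": action_description or action_taken,
    }


def render_message(template: str, record: Dict[str, str]) -> str:
    """Substitute known fields; a bracketed name that is not a field is left as typed."""
    def substitute(match: "re.Match") -> str:
        name = match.group(1)
        if name not in MESSAGE_FIELDS:
            return match.group(0)
        return record.get(name, "")
    return FIELD_PATTERN.sub(substitute, template)


# Constructed sample of a message an administrator might type in step 4.
SAMPLE_TEMPLATE = (
    "Scan type: [LoggedBy]\n"
    "Event: [Event]\n"
    "Security risk found: [SecurityRiskName]\n"
    "File: [PathAndFilename]\n"
    "Location: [Location]\n"
    "Computer: [Computer]\n"
    "User: [User]\n"
    "Action taken: [ActionTaken]\n"
    "Date found: [DateFound]"
)


def demo() -> str:
    record = detection_record(
        risk_name="Example.Adware.Sample",           # constructed, not a real detection name
        path_and_filename=r"C:\Temp\sample_adware.exe",
        action_taken="Quarantined",
        computer="WORKSTATION-01",
        user="jdoe",
        date_found=date(2006, 1, 1),
    )
    return render_message(SAMPLE_TEMPLATE, record)


if __name__ == "__main__":
    print(demo())
```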

Note: If a scan finds a security risk on an unmanaged client computer, a user can use the Exclude column checkbox in the Auto-Protect or Scan Results dialog box to exclude that risk from all future scans of the type that detected the risk. On managed client computers, users are not allowed to exclude risks from these dialog boxes.

If Symantec Client Security needs to terminate a process or application or stop a service to clean up a risk that is found by the scan, the Remove Risks Now button is active.

Table 4-14 Buttons in the Results dialog box

Remove Risks Now: When users click Remove Risks Now, the Remove Risk dialog box appears. The following actions are possible:
  If users click Yes, the risk is removed, and if the removal of this risk requires a restart, the information in the risk's row in the dialog box updates to indicate that a restart is required.
  If users click No, when they close the results dialog box, a dialog box appears again to remind them that action is still needed.
Close: If no action must be taken, when users click Close, the results dialog box closes. If an action must be taken, when users click Close, one of the following notifications appears:
  Remove Risk Required: Appears when there is a risk that requires process termination. If users remove the risk, they are returned to the results dialog box. If a restart is also required, the information in the risk's row in the dialog box updates to indicate that.
  Reboot Required: Appears when there is a risk that requires a restart.
  Remove Risk and Reboot Required: Appears when there is a risk that requires process termination and another risk that requires a restart.

If a restart is required and the user does not choose to restart the computer, the removal or repair will not be complete until the next time the computer is restarted. Some of the possible reasons include the following:
  The repair involves running processes that cannot be terminated, causing their binaries to be locked on the disk.

  The risk has files open with exclusive read, write, or delete privileges, and those files cannot be deleted without a restart.
  The repair affects a Layered Service Provider (LSP). An LSP is a system driver that is typically integrated directly into the TCP/IP layer and manipulates the data that is transmitted in some way. For example, an LSP could be used to encrypt the data.

Results of the repairs are logged to the Event log. Users can see the results of the repairs in the scan status window or the Risk History window, and can right-click risks to see repair details.

If users need to take action on a risk but choose not to take action right now, the risk can be removed or repaired at a later time in the following ways:
  The user can open the Risk History, right-click the risk, and then take an action.
  The user can run a scan to redetect the risk and reopen the results dialog box.
The actions that users can take depend on the actions that are configured for the particular type of virus or security risk that was found.

Note: User interactions with scan result notifications are the same for manual and scheduled scans as they are for Auto-Protect scan results.

Disabling security risk scanning in File System Auto-Protect

By default, Auto-Protect and all types of scans check for security risks. At times, you might need to disable scanning for security risks in File System Auto-Protect temporarily, and then reenable it.

Note: You cannot disable security risk scanning for other types of scans. However, you can configure Symantec Client Security to leave the security risk alone and only log the detection, or you can exclude specific risks globally from all types of scans by adding them to the global exclusions list. See Configuring global security risk exclusions on page 132.

To disable security risk scanning in File System Auto-Protect

1 Right-click a server, a server group, or a client group.

2 Do one of the following:
  Click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
  Click All Tasks > Symantec AntiVirus > Server Auto-Protect Options.

3 In the Auto-Protect Options dialog box, under Options, uncheck Scan for security risks.

4 If you selected Client Auto-Protect Options, then lock the option if you want this setting to propagate to clients.

Configuring Auto-Protect scanning for groupware applications

Auto-Protect scans can scan attachments for the following applications:
  Lotus Notes 4.5x, 4.6, 5.0, and 6.x
  Microsoft Outlook 98/2000/2002/2003 (MAPI and Internet)
  Microsoft Exchange client 5.0 and 5.5

If you use Microsoft Outlook over MAPI or Microsoft Exchange and you have Auto-Protect enabled for e-mail, attachments are immediately downloaded to the computer that is running the client and scanned when the user opens the message. If you download a large attachment over a slow connection, mail performance is affected. You may want to disable this feature for users who regularly receive large attachments.

Symantec Client Security supports e-mail scanning only for Symantec Client Security clients. It can coexist on Microsoft Exchange Server 5.0 and 5.5, but does not scan the Exchange Server files. See the Symantec Client Security Reference Guide.

Note: If Lotus Notes or Microsoft Outlook is already installed on the computer when you perform a client software installation from the Symantec System Center, then Symantec Client Security detects the application and automatically installs the correct Auto-Protect plug-in for it. Both plug-ins are installed if you select a complete installation when you perform a manual Symantec AntiVirus installation.

To configure e-mail scanning

1 Right-click the server group or the servers to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.

2 In the Client Auto-Protect Options dialog box, on the Lotus Notes or Microsoft Exchange tab, check Enable Auto-Protect.
  You can use the Microsoft Exchange tab to configure Auto-Protect options for both Microsoft Exchange and Microsoft Outlook.

3 To set Auto-Protect options, do any of the following:

  Select all types or extensions to scan.
  Insert a warning into an e-mail message.
  Send an e-mail message to the sender of an infected attachment.
  Send an e-mail message to selected recipients when a virus is detected.

4 Click Advanced to disable the scanning of compressed files or to change the number of levels of compression to scan when compressed files exist within compressed files, and then click OK.

5 Click Actions to configure the detection and remediation actions that you want Symantec Client Security to take when it finds a virus or security risk, and then click OK.
  Actions options are the same as those for File System Auto-Protect. For security risks, use the delete action with caution, because in some cases deleting security risks can cause applications to lose functionality.
  See Configuring actions for File System Auto-Protect.

6 Click Notifications to configure the type of notification that you want Symantec Client Security to provide users when it finds a virus or security risk, and then click OK.
  Notifications options are the same as those for File System Auto-Protect, except that the Display Auto-Protect results dialog on infected computer option is not available.
  See Configuring notifications for File System Auto-Protect on page 156.

7 Lock or unlock options as needed.

8 Click Reset All to ensure that all of the computers immediately use the Auto-Protect scanning configuration that you have specified.
  See About propagating Auto-Protect settings on page 135.

If your e-mail program is not supported

If your e-mail program is not one of the supported data formats, you can still protect your network by enabling Auto-Protect on your file system. For example, if you are running a Novell GroupWise system and one of your users receives a message with an infected attachment, Symantec Client Security can detect the virus as soon as the user tries to open the attachment. This is because most e-mail programs, such as GroupWise, save attachments to a temporary directory when users launch attachments from the program. If you enable Auto-Protect on your file system, Symantec Client Security detects the virus as it is written to the temporary directory. Symantec Client Security also detects the virus if the user tries to save the infected attachment to a local drive or network drive.

Configuring Auto-Protect scanning for Internet e-mail

Auto-Protect scanning for Internet e-mail protects both incoming and outgoing messages that use the POP3 or SMTP communications protocol. When Auto-Protect scanning for Internet e-mail is enabled, Symantec Client Security scans both the body text of the e-mail and any attachments that are included.

If you enable Auto-Protect to support the handling of encrypted e-mail over POP3 and SMTP connections, then secure connections are detected and the encrypted messages are passed through without scanning. Although Auto-Protect does not scan e-mail that uses POP3 or SMTP over the Secure Sockets Layer (SSL), File System Auto-Protect continues to protect computers from viruses and security risks in attachments. File System Auto-Protect scans attachments when you save the attachment to the hard drive.

Note: Internet e-mail scanning is not supported for 64-bit computers.

Symantec Client Security also provides outbound heuristics scanning that uses Bloodhound Virus Detection to identify the risks that may be contained in outgoing messages. Scanning outgoing messages helps to prevent the spread of risks such as worms that can use e-mail clients to replicate and distribute themselves across a network.

E-mail scanning does not support the following e-mail clients:
  IMAP clients
  AOL clients
  HTTP-based e-mail such as Hotmail and Yahoo! Mail

To configure Auto-Protect scanning for Internet e-mail

1 Right-click the server group or the servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.

2 In the Client Auto-Protect Options dialog box, on the Internet E-mail tab, check Enable Internet E-mail Auto-Protect.
  The settings that you choose apply to both the POP3 and SMTP protocols.

3 To set Auto-Protect options, do any of the following:
  Select all types or extensions to scan.

  Insert a warning into an e-mail message.
  Send an e-mail message to the sender of an infected attachment.
  Send an e-mail message to selected recipients when a virus is detected.

4 Click Advanced to set options for the following:
  Enable the scanning of compressed files.
  Change the number of levels of compression that you want to scan when compressed files exist within compressed files.
  Change the POP3 and SMTP ports that are scanned. See Changing the POP3 and SMTP ports that are scanned on page 167.
  Enable or disable the handling of encrypted POP3 or SMTP connections.
  Set outbound mail heuristics. See Enabling outbound heuristics scanning on page 167.
  Set options to display a progress notification window when you send e-mail, and to display a tray icon.

5 When you have finished setting advanced options, click OK.

6 Click Actions to configure the detection and remediation actions that you want Symantec Client Security to take when it finds a virus or security risk, and then click OK.
  Actions options are the same as those for File System Auto-Protect. See Configuring actions for File System Auto-Protect.

7 Click Notifications to configure the type of notification that you want Symantec Client Security to provide users when it finds a virus or security risk, and then click OK.
  Notifications options are the same as those for File System Auto-Protect, except that the Display Auto-Protect results dialog on infected computer option is not available. See Configuring notifications for File System Auto-Protect on page 156.

8 On the Internet E-mail tab, lock or unlock options as needed.

9 Click Reset All to ensure that all of the computers immediately use the Auto-Protect scanning configuration that you have specified.
  See About propagating Auto-Protect settings on page 135.

Changing the POP3 and SMTP ports that are scanned

Auto-Protect scanning for Internet e-mail uses the standard POP3 and SMTP ports by default. However, if you have configured your network to use a different port for either protocol, you must change the port setting in Symantec Client Security to match the port that you have selected.

To change the POP3 and SMTP ports that are scanned

1 Right-click the server group or the servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.

2 In the Client Auto-Protect Options dialog box, on the Internet E-mail tab, check Enable Internet E-mail Auto-Protect.

3 Click Advanced.

4 In the Internet E-mail Advanced Options dialog box, under Connection settings, change the port number to match the port that you use for each protocol.

5 If you want to reset the port numbers to the default setting, click Use Defaults.

6 Click OK.

7 Click Reset All to ensure that all of the computers use the Auto-Protect scanning configuration that you have specified.
  See About propagating Auto-Protect settings on page 135.

Enabling outbound heuristics scanning

Auto-Protect scanning for Internet e-mail provides outbound protection against risks such as worms that can distribute themselves using e-mail applications. Symantec Client Security uses Bloodhound Virus Detection technology to identify risks in outbound e-mail messages.

To enable outbound heuristics scanning

1 Right-click the server group or the servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.

2 In the Client Auto-Protect Options dialog box, on the Internet E-mail tab, check Enable Internet E-mail Auto-Protect.

3 Click Advanced.

4 In the Internet E-mail Advanced Options dialog box, check Outbound worm heuristics, and then set a first and second action for Symantec Client Security to take, or leave the default settings.

5 Click OK.

6 Click Reset All to ensure that all of the computers use the Auto-Protect scanning configuration that you have specified.
  See About propagating Auto-Protect settings on page 135.

Configuring manual scans

You can configure a manual scan on a Symantec Client Security server or client. Table 4-15 describes the types of manual scans that you can configure.

Table 4-15 Types of manual scans

Quick Scan: Scans system memory and all the common virus and security risk locations on the computer very quickly.
Full: Scans the entire computer for viruses and security risks, including the boot sector and system memory.
Custom: Scans the files and folders that you select for viruses and security risks.

Note: If you want to scan all servers and clients in a server group, run a virus sweep or create a scheduled scan instead. See Running a virus sweep on page 226. See Creating and configuring scheduled scans on page 180.

Some of the manual scan options are the same as the scan options for Auto-Protect scans. Table 4-16 describes the options for manual scans.

Table 4-16 Manual scan options

File types: You can configure Symantec Client Security to scan all file types or to scan by selected file types. The following options are available:
  All types: Select this option to scan all files that are found on the computer, regardless of type.
  Selected extensions: Select this option to scan only the files that have certain extensions. You can add more extensions for programs and documents if you have files that use extensions that are not already in the list. You can also reset this option to its default value.

Scan Enhancements: Select the following options to find viruses and security risks more quickly. These commonly infected locations are scanned before the files and folders that you have selected are scanned. The following options are available:
  Scanning program files loaded into memory
  Scanning common infection locations (load points)
  Scanning for traces of well-known viruses and security risks

Enable detection of security risks: This option applies only to detecting security risks on version 9.x legacy clients.
  Note: Risks on legacy clients are detected, not repaired.

Exclude files and folders: Check this option to exclude certain files or folders from being scanned by Auto-Protect. Click Exclusions, and then select one of the following:
  Extensions: Exclude files by their extensions.
  Files/Folders: Exclude folders by their paths. For multiple clients or servers, you need to type in the paths to the directories and files that you want to exclude.
  Note: When you exclude a folder, Symantec Client Security cannot protect an infected computer from infected files in the folder.

Table 4-16 Manual scan options (continued)

Advanced: Click this button to set advanced scan options, including backup, remote, compressed files, and so on.

See Table 4-17 on page 171.

Actions: Click this button to configure the actions that you want Symantec Client Security to take when it detects macro viruses, non-macro viruses, and security risks.

See Table 4-10 on page 149.

Throttling: Click this button to set CPU utilization options. Set the sliders to configure the scan priority when the computers are idle and not idle. Check Throttle NetWare Load and set its slider, if applicable.

For scheduled and manual scans, Symantec Client Security lets you control the scan's CPU priority. Giving a scan a lower priority means that the scan takes longer to complete, but also frees the CPU to work on other tasks. You might want to set a lower priority in some situations. For example, if you have scans running at lunch time during the work week, you might lower the scan priority to minimize the impact on user productivity.

You can specify a scan priority for the following:

Windows computers: Priority differs depending on whether the computer is idle or not idle. The idle setting specifies the priority that is assigned to scans when the computer is idle. The not idle setting specifies the priority that is assigned to scans when the computer is actively working.

NetWare computers: Symantec Client Security can throttle its load on NetWare servers. A lower load setting means that the server scan takes longer to complete.

Notifications: Click this button to set the detection and remediation options for the notifications that you want to appear on the infected computer when this manual scan finds a virus or a security risk.

See Table 4-12 on page 157.

Table 4-17 describes advanced options for manual scans.

Table 4-17 Advanced manual scan options

When scanning compressed files:

Scan files inside compressed files: If you check this option, Symantec Client Security scans the container, such as Files.zip, and the contents of the container, which are the individual compressed files.

If there is a compressed file within a compressed file, expand N levels deep: Symantec Client Security supports a maximum depth of ten levels of nested compressed files for Windows computers. NetWare servers are limited to eight levels. A container that is nested deeper than the configured level is not expanded, so its contents are not scanned.

Compressed files are scanned as follows:

Windows: Symantec Client Security scans compressed files during manual and scheduled scans. Because of the significant processing overhead, Auto-Protect does not scan files that are within compressed files on Windows computers. However, the files are scanned as they are extracted from compressed files. An archive that is copied onto a Windows computer is therefore not examined until one of its members is extracted or a manual or scheduled scan with this option enabled runs.

NetWare: Symantec Client Security scans compressed files during Auto-Protect and scheduled scans. To scan the contents of a compressed file, Symantec Client Security extracts each file, one file at a time, from the container and copies it to the SYS volume, where it is scanned. The SYS volume must have enough free space to accommodate the largest file in the container.

Note: You cannot stop a scan that is in progress on a compressed file. If you click Stop Scan, Symantec Client Security stops the scan only after it has finished scanning the compressed file.
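To make the depth rule concrete, here is an added example that is neither Symantec's code nor taken from this guide: a small Python scanner that walks nested zip containers and stops expanding at a configured depth, so that anything packed deeper than the limit is reported as unopened rather than silently passed. The marker string that stands in for a virus definition, the file names, and the function names are constructed for the illustration; the two depth constants are the limits stated in the table above.

```python
# Added example (not Symantec's code): how the "expand N levels deep" limit
# bounds what a scan of nested containers can see. Uses zipfile only and a
# constructed marker string in place of a real virus definition.
import io
import zipfile

# Constructed stand-in for a signature; not a real detection string.
TEST_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"

# Depth limits stated in the manual: ten levels on Windows, eight on NetWare.
MAX_DEPTH_WINDOWS = 10
MAX_DEPTH_NETWARE = 8


def scan_container(data, max_depth, name="Files.zip"):
    """Scan a blob, descending into nested zip containers at most max_depth levels.

    Returns a dict listing every member scanned, every member in which the
    marker was found, and every container left unopened because it sat
    beyond the configured depth.
    """
    report = {"scanned": [], "detections": [], "skipped_containers": []}
    _scan(name, data, 0, max_depth, report)
    return report


def _scan(name, data, depth, max_depth, report):
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= max_depth:
            # The container is seen, but its contents are never looked at:
            # this is the blind spot the depth limit creates.
            report["skipped_containers"].append(name)
            return
        report["scanned"].append(name)
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                _scan(f"{name}/{info.filename}", zf.read(info),
                      depth + 1, max_depth, report)
        return
    # A plain member: look for the marker in its bytes.
    report["scanned"].append(name)
    if TEST_SIGNATURE in data:
        report["detections"].append(name)


def build_nested_zip(levels, payload):
    """Constructed input: a zip nested `levels` containers deep.

    The outermost container holds level{levels-1}.zip, which holds
    level{levels-2}.zip, and so on down to payload.txt with the marker.
    """
    data, member = payload, "payload.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(member, data)
        data, member = buf.getvalue(), f"level{i + 1}.zip"
    return data


if __name__ == "__main__":
    archive = build_nested_zip(3, TEST_SIGNATURE + b"\n")
    for limit in (MAX_DEPTH_WINDOWS, 2):
        r = scan_container(archive, limit)
        print(f"depth limit {limit}: detections={r['detections']} "
              f"unopened={r['skipped_containers']}")
```

Run with a limit of 2 against the three-level archive, the marker is never reached and the innermost container is listed as unopened; with the Windows limit of 10 it is found. The same archive padded to nine levels passes the NetWare limit of eight unscanned, which is the practical reason to treat deeply nested archives as suspicious in their own right rather than relying on the expansion.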

Table 4-17 Advanced manual scan options (continued)

Backup options: As a data safety precaution, before you attempt to repair a virus-infected file, check Back up file before attempting repair. This option is checked by default. The original virus-infected file is encrypted and then copied into the Quarantine directory. If needed, you can use this unrepaired backup to return the file to its original, but infected, state. Uncheck this option with caution: it means that files that contain viruses are not backed up before repairs are attempted, so a repair that damages a file cannot be reversed. You might turn it off if performance is an issue, for example on a file server where the files are backed up regularly by other means.

Note: This setting applies only to virus-infected files. For security risks, if the action that you have configured is Delete risk, no backup files are created. If the action that you have configured is Quarantine risk, the security risk files are always backed up in the Quarantine before repair is attempted, regardless of this setting.

Dialog options: Use this option to display a progress dialog box on the computer while the scan runs, to display the progress dialog box only if a risk is detected, or to not display a progress dialog box at all. You can also do the following:

Configure the progress dialog box to close automatically when the scan has completed.

Allow a user to stop the scan. When this option is enabled, a Stop button appears on the remote computer. When this option is disabled, the scan cannot be stopped from the remote computer.
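The backup-then-repair sequence, as an added Python example that is not part of this guide or of Symantec's product: it stores a transformed copy of the infected file in a quarantine directory, attempts a repair on the live file, and rolls back from the backup when the repair leaves the file unusable. The XOR transform, the marker that stands in for infected content, the usability check, and the file names are assumptions made for the illustration; Symantec's actual quarantine encoding and repair logic are not documented here.

```python
# Added example (not Symantec's code): why "Back up file before attempting
# repair" matters. The infected file is copied to quarantine in a transformed
# form, a repair is attempted in place, and the copy is used to roll back.
import hashlib
import os
import tempfile

# Constructed stand-in for an infection: an appended marker, not a real virus.
INFECTION_MARKER = b"<<CONSTRUCTED-INFECTED-SEGMENT>>"
# Assumed reversible transform for the quarantined copy. It keeps the copy
# from being run or re-detected as-is; it is not a secrecy mechanism and is
# not Symantec's format.
QUARANTINE_KEY = b"quarantine-xor-key"


def xor_transform(data, key=QUARANTINE_KEY):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def quarantine_backup(path, quarantine_dir):
    """Store a transformed copy of the file; return its path and the original's hash."""
    with open(path, "rb") as fh:
        original = fh.read()
    digest = hashlib.sha256(original).hexdigest()
    backup = os.path.join(quarantine_dir, f"{os.path.basename(path)}.{digest[:12]}.bak")
    with open(backup, "wb") as fh:
        fh.write(xor_transform(original))
    return backup, digest


def restore_from_quarantine(backup, path):
    """Put the original (still infected) bytes back in place."""
    with open(backup, "rb") as fh:
        encoded = fh.read()
    with open(path, "wb") as fh:
        fh.write(xor_transform(encoded))


def attempt_repair(path, repair):
    """Apply repair() to the file contents in place; return the repaired bytes."""
    with open(path, "rb") as fh:
        data = fh.read()
    repaired = repair(data)
    with open(path, "wb") as fh:
        fh.write(repaired)
    return repaired


def repair_with_backup(path, quarantine_dir, repair, still_usable):
    """Back up, repair, and roll back if the result fails the usability check."""
    backup, _digest = quarantine_backup(path, quarantine_dir)
    repaired = attempt_repair(path, repair)
    if still_usable(repaired):
        return "repaired", backup
    restore_from_quarantine(backup, path)
    return "restored", backup


def demo():
    """Constructed scenario: one correct repair and one that truncates the file."""
    clean = b"MZ" + b"program-bytes" * 4
    results = {}
    with tempfile.TemporaryDirectory() as root:
        live, qdir = os.path.join(root, "live"), os.path.join(root, "quarantine")
        os.makedirs(live)
        os.makedirs(qdir)
        for label, repair in (
            ("good", lambda d: d.replace(INFECTION_MARKER, b"")),
            ("bad", lambda d: d[: len(d) // 2]),   # a repair that damages the file
        ):
            path = os.path.join(live, f"{label}.exe")
            with open(path, "wb") as fh:
                fh.write(clean + INFECTION_MARKER)
            status, _ = repair_with_backup(
                path, qdir, repair,
                still_usable=lambda d: d.startswith(b"MZ") and d.endswith(b"program-bytes"))
            with open(path, "rb") as fh:
                results[label] = (status, fh.read())
    return results


if __name__ == "__main__":
    for label, (status, content) in demo().items():
        print(f"{label}: {status}, {len(content)} bytes left on disk")
```

The "bad" case is the one the backup option exists for: without the quarantined copy the truncated file would be all that remains, and neither the original nor a later, better repair would be possible.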

Table 4-17 Advanced manual scan options (continued)

Storage migration options:

Note: Does not apply to Windows 2000 and later. For those systems, consult your HSM vendor.

Table 4-17 Advanced manual scan options (continued)

Storage migration options (continued): Fine-tune scans of the files that Hierarchical Storage Management (HSM) and offline backup systems maintain. An HSM system migrates files to secondary storage such as CD-ROM, tape jukebox, or SAN storage, but might leave parts of the original file on the disk. Performance and disk space issues arise during scans if Symantec Client Security opens all of the stubs and the HSM system places the files back on the original disk. For all of these options, consult your HSM or backup vendor to select appropriate settings. Storage migration options are as follows:

Open files using backup semantics.

Skip offline files: If the offline bit is set, Symantec Client Security skips the file. A small clock over a file's icon in Windows Explorer indicates that the offline bit is set. Any application can set the offline bit without actually placing the file offline, so a file that carries this attribute is skipped even if its contents are fully present on the disk.

Skip offline and sparse files (default): Some applications set the file's sparse bit to indicate that part of the file is not present on the disk. Some HSM products set this bit and others do not. With a sparse file, a stub of the file remains on the disk, and the majority of the file is moved to offline storage.

Skip offline and sparse files with a reparse point: Some vendors use reparse points. Applications that use reparse points also use an appropriate device driver to manage reparse points in the files. With a reparse point, a portion of the file remains on disk, and the remainder is transparently accessed through the device driver.

Scan resident portions of offline and sparse files: Symantec Client Security identifies the resident portions of a file. If the file is sparse, Symantec Client Security scans only the resident portion. The nonresident portion remains in secondary storage. Some vendors support this capability.
Scan all files, forcing demigration (fills drive): Symantec Client Security scans the entire file, which forces demigration from secondary storage if necessary. Because the size of the secondary storage is usually greater than the size of the local volume, this setting might fill the local volume and cause further files that are opened for scanning to fail.

Scan all files without forcing demigration (slow): Symantec Client Security copies a file from secondary storage to the local hard drive as a temporary file for scanning, but the HSM application leaves the original file on the secondary storage. This method is slow and is not supported by all HSM vendors. Because a file is copied from secondary storage to a disk for scanning, resource demand is high. Processor and network performance might degrade further when Symantec Client Security detects infected content and the repaired or deleted file is returned to secondary storage.

Scan all files recently touched without forcing demigration: To reduce some of the resource demand of the Scan all files without forcing demigration option, this option lets you specify that only the files that have been migrated recently, and might still reside on faster secondary storage, are scanned. You might want to scan files while they still reside on the faster secondary disk, and skip demigration and scanning if the files reside on slow, long-term storage. For example, files might be migrated to a remote disk after 30 days of no access. After 60 days of no access, the file is migrated to CD-ROM or remote SAN storage. In many cases, this method might still be slow, because accessing files without forcing demigration is a relatively slow operation. Select the type of access and the number of days that define recently touched.

Storage migration options (NetWare): Check Scan NetWare compressed or migrated files to scan NetWare compressed or migrated files.

To configure manual scans

1 Do one of the following:

Right-click a server or client computer.

Select one or more servers that are in the same server group, and then right-click the servers.

Select one or more clients that are managed by the same server, and then right-click the clients.

2 Click All Tasks > Symantec AntiVirus > Start Manual Scan.

3 In the Select Items dialog box, select the type of manual scan that you want to perform: Quick scan, Full scan, or Custom scan.

See Table 4-15 on page 168.

4 If you selected a single computer to scan and select Custom Scan, you can select the drives and folders that you want to scan. If you are scanning multiple computers, this option is not available. Skip to step 6.

5 Click Save Settings if you want Symantec Client Security to remember your selections for future manual scans on this computer. This button is not available if you selected multiple computers. Symantec Client Security also remembers the settings of the other options for future scans when multiple computers are selected.

6 Click Options. In the Scan Options dialog box, you can select extensions to scan, enable scan enhancements, enable security risk scanning for legacy clients, and exclude files and folders from the scan.

See Table 4-16 on page 169.

7 Click Advanced. In the Scan Advanced Options dialog box, you can set options for scanning compressed files, back up files that are infected by viruses or blended threats before attempting to repair them, set options on the remote computer, set storage migration options for Windows computers, and enable scans of compressed or migrated files on NetWare servers.

See Table 4-17 on page 171.

8 Set the options that you want, and then click OK to save the advanced options.

9 In the Scan Options dialog box, click Save Settings if you want Symantec Client Security to remember these options for future manual scans on this computer. This button is not available if you selected multiple computers. Symantec Client Security also remembers these settings for future scans when you select multiple computers.

10 Click OK.

11 Click Start.

Configuring actions for manual scans

The action options for manual scans are the same as those for File System Auto-Protect. Table 4-10 describes the action options for manual scans and for File System Auto-Protect.

Note: For security risks, use the delete action with caution, because in some cases deleting security risks can cause applications to lose functionality.

To configure actions for manual scans

1 Do one of the following:

Right-click a server or client computer.

Select one or more servers that are in the same server group, and then right-click the servers.

Select one or more clients that are managed by the same server, and then right-click the clients.

2 Click All Tasks > Symantec AntiVirus > Start Manual Scan.

3 In the Select Items dialog box, select the type of manual scan that you want to perform: Quick, Full, or Custom.

See Table 4-15 on page 168.

4 Click Options.

5 In the Scan Options dialog box, click Actions.

6 In the Actions dialog box, in the tree, select a type of virus or security risk. By default, each security risk subcategory, such as Spyware, is automatically configured to use the actions that are set at the top level for the entire Security Risks category. To configure a category or specific instances of a category to use different actions, check Override actions configured for Security Risks, and then set the actions for that category only.

See Table 4-10 on page 149.

7 Select each category of virus and security risk that you want to configure, and repeat step 6 for each.

8 If you selected Security Risks as a whole or an individual security risk category, click the Exceptions tab to configure custom actions for one or more specific instances of that security risk category. If you are assigning the same actions, you can select multiple security risks and assign the actions to them at the same time.

9 Click Add.

10 In the Select risks dialog box, select the specific risks in the list for which you want to configure custom actions, and then click Next.

11 In the Configure risks dialog box, select the first and second actions that you want Symantec Client Security to take when it detects the specific risks that you selected, and then click Finish.

12 Repeat steps 8 through 11 for each individual security risk for which you want to set different actions.

13 Click OK, and then click Start.

Configuring notifications for manual scans

The notification options and user interactions with notifications for manual scans are the same as those for File System Auto-Protect. Table 4-12 describes the notification options for manual scans and for File System Auto-Protect.

To configure notifications for manual scans

1 Do one of the following:

Right-click a server or client computer.

Select one or more servers that are in the same server group, and then right-click the servers.

Select one or more clients that are managed by the same server, and then right-click the clients.

2 Click All Tasks > Symantec AntiVirus > Start Manual Scan.

3 In the Select Items dialog box, select the type of manual scan that you want to perform: Quick, Full, or Custom.

See Table 4-15 on page 168.

4 Click Options.

5 In the Scan Options dialog box, click Notifications.

6 In the Notifications Options window, under Detection Options, check Display notification message on infected computer if you want a message to appear on the infected computer when a virus or security risk is found.

7 In the message box, do any or all of the following to construct the message that you want:

Click to type or edit text.

Right-click, click Insert Field, and then select the variable field that you want to insert. See Table 4-13 on page 157.

Right-click, and then select Cut, Copy, Paste, Clear, or Undo.

8 To set Remediation Options, check each option that you want to set. Your options are as follows:

Automatically terminate processes: Check this option if you do not want users to be notified when Symantec Client Security must terminate a process to remove or repair a risk. Users are not prompted to save data before Symantec Client Security terminates the processes.

Automatically stop services: Check this option if you do not want users to be notified when Symantec Client Security must stop a service to remove or repair a risk. Users are not prompted to save data before Symantec Client Security stops the services.

9 Click OK until you return to the Select Items dialog box, and then click Start.

Creating and configuring scheduled scans

Creating scheduled scans

You can schedule scans for one or more server groups, as well as for individual Symantec Client Security servers and clients. You can schedule Symantec Client Security client scans at the Symantec Client Security server or client level.

Scheduled scans have settings that are similar to Auto-Protect scan settings, but each type of scan is configured separately. Exclusions that are set for Auto-Protect scanning affect only Auto-Protect scanning; they do not affect scheduled scanning. Scheduled scans do honor the security risk exclusions that have been configured globally.

See Configuring global security risk exclusions on page 132.

Table 4-18 describes the options for scheduled scans.

Table 4-18 Scheduled scan options

Name: Type a name for the scan.

Table 4-18 Scheduled scan options (continued)

Scan Settings: Click Scan Settings to set the type of scan that you want to schedule:

A Quick Scan is a fast scan of system memory and all the common virus and security risk locations on the computer.

A Full Scan scans the entire computer for viruses and security risks, including the boot sector and system memory.

A Custom Scan scans the drives and folders that you select. When you configure client scans, you cannot select individual files and folders to include in the scan.

Enable scan: Make sure that this option is checked so that the scan occurs as you configured it.

Frequency: Determines how often the scan runs. Select Daily, Weekly, or Monthly.

When: Determines the time at which the scan runs. You can type any time in increments of one minute, or use the drop-down list to select a time in increments of 15 minutes. If Frequency is Weekly, use the drop-down list to select a day of the week; if Monthly, select a day of the month.

Advanced: Click Advanced to set advanced scan options. Under Missed Event Options, enable Retry the scheduled scan within <number> <hours or days> of the scheduled time. Then set the number of hours within which you want the scan to run. For example, you might want a daily scan to run only if it is within eight hours of the scheduled time for the missed event.

Note: If the scan is weekly or monthly, the time interval that you set is in days rather than hours.

See Configuring scheduled scans on page 183.

To create scheduled scans

1 Select one or more servers, groups, or clients.

2 Do one of the following:

If you right-clicked a server group or multiple server groups, click All Tasks > Symantec AntiVirus > Server Scheduled Scans.

If you right-clicked an individual server or client, click All Tasks > Symantec AntiVirus > Scheduled Scans.

3 Do one of the following:

In the <Servername> Scheduled Scans dialog box, on the Server Group Scans tab, click New.

In the <Servername> Scheduled Scans dialog box, on either the Server Scans or the Client Scans tab, click New.

4 In the <Servername> Scheduled Scan dialog box, type a name for the scan, ensure that Enable scan is checked, and then set the frequency and time at which the scan should run.

See Table 4-18 on page 180.

5 Click Advanced to set how to handle missed events, and then click OK.

See Table 4-18 on page 180.

6 In the <Servername> Scheduled Scan dialog box, click Scan Settings.

7 Select the type of scan that you want to schedule: Quick, Full, or Custom.

8 In the Select Items dialog box, do one of the following:

If you selected multiple servers, clients, or a server group, click Options.

If you selected an individual server, select the drives or folders that you want to scan, and then click Options. In the tree view, files and folders appear with various icons.

9 In the Scheduled Scan Options dialog box, you can select all types or extensions to scan, enable and disable scanning enhancements, enable security risk scanning on legacy clients, and exclude files and folders from the scan. If you selected an object that contains multiple computers, you can exclude files and folders from the scan by typing the full path names. The scheduled scan options are the same as the scan options for manual scans.

See Table 4-16 on page 169.

10 Click Advanced. In the Scan Advanced Options dialog box, you can set options for scanning compressed files, back up files that are infected by viruses or blended threats before you attempt to repair them, set options on the remote computer, set storage migration options for Windows computers, and enable scans of compressed or migrated files on NetWare servers. The advanced scan options are the same as the advanced scan options for manual scans.

See Table 4-17 on page 171.

11 Under Scheduled Scan Options, click Actions. You can configure the same actions as for File System Auto-Protect and manual scans.

See Table 4-10 on page 149.

12 Under Scheduled Scan Options, click Throttling. You can configure the same throttling options as for manual scans.

See Table 4-16 on page 169.

13 Under Scheduled Scan Options, click Notifications. You can configure the same notifications as for File System Auto-Protect and manual scans.

See Table 4-12 on page 157.

14 Click OK until you return to the main window in the Symantec System Center console.

Configuring scheduled scans

To configure scheduled scans, you can do the following:

If a computer does not run a scheduled scan for some reason, you can set options for how Symantec Client Security handles this situation.

See Setting options for missed scheduled scans on page 184.

You can edit, delete, or disable scheduled scans.

See Editing, deleting, or disabling scheduled scans on page 185.

For convenience, you can run a scheduled scan on demand. This can save you from having to configure a manual scan.

See Running scheduled scans on demand on page 186.

Setting options for missed scheduled scans

If a computer misses a scheduled scan for some reason, Symantec Client Security attempts to perform the scan for a specific time interval. If Symantec Client Security cannot start the scan within the time interval, it does not run the scan. If the user who defined a scan is not logged in, Symantec Client Security runs the scan anyway. You can specify that Symantec Client Security does not run the scan if the user is logged out.

Table 4-19 lists the default time intervals for missed scheduled scans.

Table 4-19 Default time intervals

Daily scans: 8 hours

Weekly scans: 3 days

Monthly scans: 11 days

If you do not want to use the default setting, you can specify a different time interval in which to attempt a scheduled scan. Keep in mind that a computer that becomes available only after the interval has passed skips that occurrence entirely, so computers that are routinely switched off at the scheduled time need either a later scheduled time or a longer interval if the scan is to run on them at all.

To set options for missed scheduled scans

1 Right-click a Symantec Client Security server, server group, client group, or client, and then click All Tasks > Symantec AntiVirus > Scheduled Scans.

2 In the <Servername> Scheduled Scans dialog box, select a scan in the list of scans, and then click Edit.

3 In the <Servername> Scheduled Scan dialog box, under Scan Settings, click Advanced.

4 In the Advanced Schedule Options dialog box, check Retry the scheduled scan within <number> <hours or days> of the scheduled time, and then type the number or use the arrows to specify the time interval for reattempting the scheduled scan.

5 Click OK until the main Symantec System Center console window appears.
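The retry rule in Table 4-19, as an added Python example that is not Symantec's code and not taken from this guide: it decides whether a missed occurrence still runs, and sizes how long an endpoint stays unscanned when it does not. The function names, the "daily in hours, weekly and monthly in days" handling of the dialog's number field, and the fixed 24-hour, 7-day and 30-day cadences used only to estimate the gap are assumptions for the illustration; the default windows themselves are the ones the table states.

```python
# Added example (not Symantec's code): the missed-event rule from Table 4-19
# as a function. Given a scan's frequency, when it was due, the retry window,
# and the first moment the client could actually run it, decide whether the
# missed scan still runs and how long the client stays unscanned if not.
from datetime import datetime, timedelta

# Default retry windows from the table: daily in hours, weekly/monthly in days.
DEFAULT_RETRY = {
    "daily": timedelta(hours=8),
    "weekly": timedelta(days=3),
    "monthly": timedelta(days=11),
}

# Assumed cadence, used only to estimate the gap until the next occurrence.
CADENCE = {
    "daily": timedelta(days=1),
    "weekly": timedelta(days=7),
    "monthly": timedelta(days=30),
}


def retry_window(frequency, number=None):
    """Build the window from the dialog's <number> <hours or days> field.

    The unit follows the note in Table 4-18: hours for daily scans,
    days for weekly and monthly scans. None means the table default.
    """
    if number is None:
        return DEFAULT_RETRY[frequency]
    unit = timedelta(hours=1) if frequency == "daily" else timedelta(days=1)
    return number * unit


def missed_scan_decision(frequency, scheduled_at, available_at, number=None):
    """Return 'on_time', 'retry' or 'skipped' for one scheduled occurrence.

    scheduled_at: when the scan was due. available_at: the first moment the
    client could run it, for example when it was powered on.
    """
    if available_at <= scheduled_at:
        return "on_time"
    if available_at - scheduled_at <= retry_window(frequency, number):
        return "retry"
    return "skipped"


def coverage_gap(frequency, scheduled_at, available_at, number=None):
    """Hours from available_at until the next occurrence when a scan is skipped.

    Returns 0.0 when the scan runs. Uses the assumed CADENCE above; the
    product's own next-run calculation is not documented in this guide.
    """
    if missed_scan_decision(frequency, scheduled_at, available_at, number) != "skipped":
        return 0.0
    next_due = scheduled_at + CADENCE[frequency]
    while next_due <= available_at:
        next_due += CADENCE[frequency]
    return (next_due - available_at).total_seconds() / 3600


if __name__ == "__main__":
    due = datetime(2006, 3, 6, 12, 0)   # a daily scan due Monday at noon
    for when in (datetime(2006, 3, 6, 19, 30), datetime(2006, 3, 7, 8, 0)):
        print(when, missed_scan_decision("daily", due, when),
              f"{coverage_gap('daily', due, when):.1f} h until next due")
```

The second sample time is the common laptop case: powered off over the lunchtime slot, powered on the next morning, 20 hours late. With the 8-hour default the occurrence is skipped and the machine waits 4 more hours for the next one; raising the number to 24 (hours, because the scan is daily) makes the same machine run the scan as soon as it comes up.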

Editing, deleting, or disabling scheduled scans

If you want to modify the properties of an existing scheduled scan, you can edit it. If you want to stop a scheduled scan from occurring, you can delete or disable it.

To edit or delete scheduled scans

1 Right-click one or more server groups, a server, or a client for which you want to edit or delete the scheduled scan, and then click All Tasks > Symantec AntiVirus > Scheduled Scans.

2 In the Scheduled Scans dialog box, select one of the following:

Server Scans: Edit or delete scans for servers. This option is not available if you selected a client computer.

Client Scans: Edit or delete scans for clients. This option is not available if you selected a server group.

3 Do one of the following:

Select an existing scan, and then click Edit. Change any properties that you want.

Select an existing scan, and then click Delete.

4 Click OK until you return to the Symantec System Center main window.

To disable scheduled scans

1 Right-click one or more server groups, a server, or a client for which you want to disable the scheduled scan, and then click All Tasks > Symantec AntiVirus > Scheduled Scans. The scans that you can disable depend on the object that you select.

2 In the Scheduled Scans dialog box, select one of the following:

Server Scans: Disable scans for servers. This option is not available if you selected a client computer.

Client Scans: Disable scans for clients. This option is not available if you selected a server group.

3 Uncheck the previously scheduled scan.

4 Click OK.

Running scheduled scans on demand

When you create and save a scheduled scan, Symantec Client Security remembers the server group, server, or computer on which to run the scan, and also remembers all of the settings that you chose for that specific scan. After you configure a scheduled scan and all of its scan properties, you might want to run it on demand at some time other than when you originally scheduled it. This can save you the effort of configuring and running a manual scan with similar properties.

To run scheduled scans on demand

1 Right-click a server group or a server, and then click All Tasks > Symantec AntiVirus > Scheduled Scans.

2 In the Scheduled Scans dialog box, select an existing scheduled scan.

3 Click Start Scan.

Managing the client user experience

Symantec Client Security lets you control several aspects of the Symantec Client Security client user experience. You can do any of the following:

Allow users to pause or stop a scheduled scan.

Display a scan progress window and allow users to stop scans. See To enable users to stop scans on page 188.

Prevent or allow users to unload Symantec AntiVirus services.

Change the password that is required before users can uninstall Symantec AntiVirus.

Set scanning options for users.

Display and customize the warning messages that appear on computers when their virus and security risk definitions are outdated or missing.

Display and customize a warning message on an infected computer. For example, if users have a spyware program installed on their computers, you can notify them that they have violated your corporate policy and must uninstall the application immediately.

Add an infection warning to an infected email message.

Notify the sender of an infected email message.

Notify others about the receipt of an infected email message.

Enabling users to pause, snooze, or stop scheduled scans

You can allow users to pause or snooze a scheduled scan temporarily, as well as stop the scan entirely. The results are as follows:

Paused scan: When a user pauses a scan, the Scan Results dialog box remains open, waiting for the user to either continue or abort the scan. If the computer is shut off, the paused scan does not continue. A paused scan automatically restarts after a specified time interval elapses.

Snoozed scan: When a user snoozes a scheduled scan, the user has the option of snoozing the scan for one hour or, depending on the configuration, for three hours. In addition, the number of snoozes is configurable. When a scan is snoozing, the Scan Results dialog box closes, and reappears when the snooze period ends and the scan resumes.

Stopped scan: When a user stops a scan, the scan stops immediately, unless Symantec AntiVirus is scanning a compressed file. In this case, the scan stops as soon as the compressed file in progress has been scanned. A stopped scan does not restart.

To enable users to pause or snooze scans

1 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Scheduled Scans.

2 In the Scheduled Scans dialog box, do one of the following:

Select a scheduled scan, and then click Edit.

Click New to create a new scan.

3 In the Scheduled Scan dialog box, click Scan Settings.

4 In the Select Items dialog box, click Options.

5 In the Scheduled Scan Options dialog box, click Advanced.

6 In the Scan Advanced Options dialog box, under Remote options, click Show scan progress.

7 Uncheck Allow user to stop scan.

8 Check Allow user to pause/snooze scan.

9 Click Pause Options.

10 In the Pause Options dialog box, do any of the following:

To limit the number of minutes that a user can pause a scan, check Limit the time this scan may be paused, and then type a number of minutes.

To limit the number of times that a user can snooze a scan, in the Number of times it can snooze box, type a number between 1 and 8.

To display a three-hour snooze button, check Enable the 3 hour snooze button. By default, a user can snooze a scan for one hour. You must enable this option to allow a user to snooze a scan for three hours.

11 Click OK until the main Symantec System Center console window appears.

To enable users to stop scans

1 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Scheduled Scans.

2 In the Scheduled Scans dialog box, do one of the following:

Select a scheduled scan, and then click Edit.

Click New to create a new scan.

3 In the Scheduled Scan dialog box, click Scan Settings.

4 In the Select Items dialog box, click Options.

5 In the Scheduled Scan Options dialog box, click Advanced.

6 In the Scan Advanced Options dialog box, in the drop-down list, select Show scan progress.

7 Check Allow user to stop scan.

8 If you want the scan progress indicator to close automatically after the scan completes, check Close scan progress when done.

9 Click OK until the main Symantec System Center console window appears.

Preventing or allowing users to unload Symantec AntiVirus services

You can prevent or allow users to unload (uninstall) Symantec AntiVirus services. Locking this ability is the safer setting: a user who can unload the services, or any program running with that user's rights, can switch off Auto-Protect on the computer.

To prevent or allow users to unload Symantec AntiVirus services

1 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Client Administrator Only Options.

2 Click the Security tab.

3 Change the setting for Lock the ability of users to unload Symantec AntiVirus Services.

4 Click OK.

Changing the password that is required to uninstall

Symantec Client Security requires client users to provide a password before they can uninstall Symantec Client Security. By default, this password is set to symantec. Because the default is published and is the same on every installation, change it before you deploy clients; otherwise anyone with access to a client can remove its protection.

To change the password that is required to uninstall

1 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Client Administrator Only Options.

2 Click the Security tab.

3 Under User disable/uninstall, click Change.

4 In the Configure Password dialog box, type a new password, and then confirm it by typing the password again.

5 Click OK until the main window in the Symantec System Center console appears.

Changing the password that is required to scan mapped drives

Symantec Client Security requires client users to provide a password before they can scan a mapped drive. By default, this password is also set to symantec.

To change the password that is required to scan mapped drives

1 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Client Administrator Only Options.

2 On the Security tab, under Scan network drive, click Change.

3 In the Configure Password dialog box, type a new password, and then confirm it by typing the password again.

4 Click OK until the main window in the Symantec System Center console appears.

Modifying scanning options for clients

You can set scanning options for connected clients, including options for scheduled scans, startup scans, and user-defined scheduled scans. Table 4-20 describes the scanning options for clients.

Table 4-20 Scan tab options for Client Administrator Only settings

Scan type: Scheduled Scans
Options: Snooze scheduled scans when running on batteries. By default, this option is enabled so that scheduled scans are delayed when a computer is running on batteries. Disable this option to allow scheduled scans to run as scheduled, even when a computer is running on batteries.

Scan type: Startup Scans
Options: You can change the following options for startup scans:
   Run startup scans when the user logs in
   Allow users to modify the startup scans
You can only disable startup scans on a global basis. If you uncheck the Run startup scans when the user logs in check box, this disables all startup scans for all users on all client computers, including any custom startup scans that users have configured. If you do not allow startup scans to run, the Allow users to modify the startup scans check box becomes unavailable.
Note: These options apply to the Auto-Generated Quick Scan on managed client computers, but not to the Auto-Generated Quick Scan on unmanaged client computers. The Auto-Generated Quick Scan on unmanaged client computers cannot be configured; it can only be deleted by a user on the unmanaged computer.

Scan type: Triggered Scans
Options: Run a Quick Scan when new definitions arrive. By default, a Quick Scan is run when new definitions arrive to check for any risks that are currently running on the computer that are now detectable by Symantec AntiVirus using the new definitions. You can prevent a Quick Scan from running when new definitions arrive by unchecking this check box, but your protection will not be as strong if you do so. You should only disable this option if you have special configuration or exclusion needs that conflict with this automatically triggered scan.

Table 4-20 Scan tab options for Client Administrator Only settings (continued)

Scan type: User-defined Scheduled Scans
Options: Allow user-defined scheduled scans to execute when the users who created the scans are not logged in. By default, user-defined scheduled scans are always run at the scheduled time, regardless of whether or not the user who created the scan is logged in at the time the scan is scheduled to run. This option can be particularly useful in the case of unmanaged client computers that do not use administrator-defined scheduled scans. Disable this option to prevent user-defined scheduled scans from running when the user who created the scan is not logged in. You may want to do this for multi-user computers.
Note: If this option is enabled and the user is logged out when the scan begins, the scan progress dialog box does not display. You can check scan status in this instance by looking in the Event log.
On multi-user workstations, when this option is enabled, scan progress is displayed as follows:
   On multi-user workstations, if no users are logged in and a user-defined scheduled scan starts, a scan progress dialog box does not display for any user, even if a user logs in during the middle of the scan.
   If a user is the first user to log into the workstation, and a scheduled scan defined by another user starts, the scan progress dialog box does not display to the first user.
   If a user is the first user to log into the workstation, and a scheduled scan that the user defined starts, a scan progress dialog box displays, if the administrator has configured Symantec Client Security to allow it.
   When there are no users logged in, the scan progress dialog box does not display when an administrator-defined scheduled scan runs, but a scan progress dialog box will display to the first user who logs in to the workstation during the scan or after it has completed.
Users not logged in at the time the scan runs will have to look at the Scan History to see the results of their user-scheduled scans.
Note: This option does not apply to administrator-defined scans.
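The multi-user workstation rules in Table 4-20 are easier to reason about as a decision function. The following is an added illustration, not code from Symantec Client Security; the function and parameter names are assumptions, and it assumes that every case in the table presupposes that Show scan progress is selected for the scan.

```python
"""Who sees the scan progress dialog box on a multi-user workstation when
'Allow user-defined scheduled scans to execute when the users who created
the scans are not logged in' is enabled (Table 4-20).

Added example; not Symantec code. Names are assumptions.
"""
from typing import List, Optional

ADMIN = None  # scan_owner value that stands for an administrator-defined scan


def progress_dialog_recipient(scan_owner: Optional[str],
                              logged_in_users: List[str],
                              show_scan_progress: bool = True,
                              next_login: Optional[str] = None) -> Optional[str]:
    """Return the user who sees the scan progress dialog box, or None.

    scan_owner         user who defined the scan, or ADMIN
    logged_in_users    users logged in when the scan starts, in login order
    show_scan_progress the administrator allows scan progress to be shown
                       (assumption: the table's cases presuppose this)
    next_login         first user to log in during the scan or after it ends
    """
    if not show_scan_progress:
        return None
    first_user = logged_in_users[0] if logged_in_users else None

    if scan_owner is ADMIN:
        if first_user is None:
            # Nobody logged in: no dialog now, but it displays to the first
            # user who logs in during the scan or after it has completed.
            return next_login
        # Assumption: with someone logged in, that user sees the dialog.
        return first_user

    # User-defined scheduled scan.
    if first_user is None:
        # No dialog for anyone, even if a user logs in mid-scan.
        return None
    if first_user != scan_owner:
        # A scan defined by another user is not shown to the first user.
        return None
    return first_user


def result_location(scan_owner: Optional[str], logged_in_users: List[str],
                    show_scan_progress: bool = True,
                    next_login: Optional[str] = None) -> str:
    """Where the outcome of the scan can be read.

    When the dialog is not shown, the table directs users to Scan History
    for their own scans; scan status is also written to the Event log.
    """
    if progress_dialog_recipient(scan_owner, logged_in_users,
                                 show_scan_progress, next_login) is not None:
        return "scan progress dialog box"
    return "Scan History"


if __name__ == "__main__":
    # Constructed scenarios: alice's weekly scan on a shared workstation.
    print(progress_dialog_recipient("alice", []))                  # None
    print(progress_dialog_recipient("alice", ["bob", "alice"]))    # None
    print(progress_dialog_recipient("alice", ["alice", "bob"]))    # alice
    print(progress_dialog_recipient(ADMIN, [], next_login="carol"))  # carol
    print(result_location("alice", ["bob"]))                       # Scan History
```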

To set scanning options for connected clients
1 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Client Administrator Only Options.
2 Click the Scans tab.
3 Change any of the settings for scheduled scans, startup scans, or user-defined scheduled scans.
4 Click OK.

Displaying a warning when definitions are out of date or missing
You can display and customize warning messages to appear on client computers when their virus and security risk definitions are outdated or missing.

To display a warning about definitions
1 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Client Administrator Only Options.
2 On the General tab, under Actions, select one or both of the following:
   Display message when definitions are outdated
   Display message when Symantec AntiVirus is running without virus definitions
3 For outdated virus and security risk definitions, set the number of days that definitions can be outdated before the warning is displayed.
4 For missing virus and security risk definitions, set the number of attempts that Symantec Client Security can make to retrieve definitions after the computer is restarted, before the warning is displayed.
5 Click Warning Message for each option that you checked, and then customize the default message.
6 Click OK until the main Symantec System Center console window appears.

Managing warnings and notifications about infected files
You have several user options related to infected files.

Customizing and displaying warnings on infected computers
When you run a remote scan on a user's computer, you can immediately notify the user of a problem by displaying a warning message on the infected computer's screen. You can customize the warning message by including information such

as the name of the risk, the name of an infected file, the status of the risk, and so on. For example, a warning message might look as follows:

Scan type: Scheduled Scan
Event: Risk Found
SecurityRiskName: Stoned-C
File: C:\Autoexec.bat
Location: C:
Computer: ACCTG-2
User: JSmith
Action taken: Cleaned

Customizing messages for manual scans is covered under manual scans. See Configuring notifications for manual scans on page 178.

Adding warnings to infected e-mail messages
For supported e-mail software, you can configure Auto-Protect to automatically insert a warning into the body of an infected message. This type of warning can be important if Symantec Client Security is unable to clean the virus from the message, and if an infected attachment file is moved, left alone, deleted, or renamed. The warning message tells you which virus was found and explains the action that was taken. Symantec Client Security appends the following text to the top of the message that is associated with the infected attachment:

Symantec Client Security found a virus in an attachment from [E-mail Sender].

For each infected file, the following information is also added to the message:
   Name of the file attachment
   Name of the virus
   Action taken: cleaned, moved to the Quarantine, deleted, or left alone
   File status: infected or not infected

You can customize the subject and body of the message. The message contains a field called [E-mail Sender]. All fields in brackets contain variable information. You can customize the default message by right-clicking the body of the message and selecting a field to insert into the message. The message would look as follows to the recipient:

Symantec Client Security found a virus in an attachment from John.Smith@mycompany.com.

To add warnings to infected e-mail messages
1 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
2 In the Client Auto-Protect Options dialog box, on either the Internet E-mail, Lotus Notes, or Microsoft Exchange tab, click Insert warning into message.
3 Do one of the following:
   Click OK to accept the default message.
   Click Warning and customize the text.
4 Click OK until the Client Auto-Protect Options dialog box disappears.

Notifying senders of infected e-mail messages
For supported e-mail software, you can configure Auto-Protect to respond automatically to the sender of an e-mail message that contains an infected attachment. For groupware applications, Symantec Client Security can be configured to send a default reply message with the following subject:

Virus Found in message [E-mail Subject]

The body of the message informs the sender of the infected attachment:

Symantec Client Security found a virus in an attachment you ([E-mail Sender]) sent to [E-mail RecipientList].

For each infected file, the following information is also added to the message:
   Name of the file attachment
   Name of the virus
   Action taken: such as cleaned, moved to the Quarantine, deleted, or left alone
   File status: infected or not infected

You can also customize this message.

To notify senders of infected e-mail messages in groupware applications
1 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
2 In the Client Auto-Protect Options dialog box, on either the Lotus Notes or Microsoft Exchange tab, click Enable Lotus Notes (Microsoft Exchange) Auto-Protect.
3 Click Send to sender.

4 Click Compose.
5 Do one of the following:
   Click OK to accept the default message.
   Click Message and customize the text.
6 Click OK until the Client Auto-Protect Options dialog box disappears.

To notify senders of infected e-mail messages in Internet e-mail applications
1 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
2 In the Client Auto-Protect Options dialog box, on the Internet E-mail tab, click Enable Internet E-mail Auto-Protect.
3 Click Send to sender.
4 Click Settings.
5 In the Notifications Settings dialog box, on the Server tab, type the mail server name and port, the user name and password, and the reverse path for the mail.
6 Click the Message tab and type a subject line, message body, and infection information to appear in each message, and then click OK.
7 Click OK until the Client Auto-Protect Options dialog box disappears.

Notifying users of infected e-mail messages
For supported e-mail software, you can configure Auto-Protect to notify users whenever an e-mail message that contains an infected attachment is opened. For groupware applications, Symantec Client Security sends an e-mail message to the selected recipients with the following subject:

Virus Found in message [E-mail Subject]

The body of the message includes information on the sender of the infected attachment:

Symantec Client Security found a virus in an attachment from [E-mail Sender].

For each infected file, the following information is also added to the message:
   Name of the file attachment
   Name of the virus
   Action taken: such as cleaned, moved to the Quarantine, deleted, or left alone
   File status: infected or not infected

You can also customize this message.

To notify others of infected e-mail messages in groupware applications
1 Right-click a server group, Symantec Client Security server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
2 In the Client Auto-Protect Options dialog box, on either the Lotus Notes or Microsoft Exchange tab, click Enable Lotus Notes (Microsoft Exchange) Auto-Protect.
3 Click Send to selected.
4 Click Settings.
5 In the Notifications Settings dialog box, on the Addresses tab, provide one or more addresses to which notification should be sent.
6 Click the Message tab and type a subject line, message body, and infection information to appear in each message.
7 Click OK until the Client Auto-Protect Options dialog box disappears.

To notify others of infected e-mail messages in Internet e-mail applications
1 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
2 In the Client Auto-Protect Options dialog box, on the Internet E-mail tab, click Enable Internet E-mail Auto-Protect.
3 Click Send to selected.
4 Click Settings.
5 In the Notifications Settings dialog box, on the Server tab, type the mail server name and port, the user name and password, and the reverse path for the mail.
6 Click the Addresses tab and provide one or more addresses to which notification should be sent.
7 Click the Message tab and type a subject line, message body, and infection information to appear in each message.
8 Click OK until the Client Auto-Protect Options dialog box disappears.

Chapter 5
Updating definitions

This chapter includes the following topics:
   About definitions
   Ensure that all definitions are current
   Definitions files update methods
   Updating definitions files on servers
   Updating definitions files on clients
   Controlling definitions file deployment
   Testing definitions files
   Scenarios for definitions updates
   About scanning after updating definitions files

About definitions
Virus and security risk definitions contain sample code for thousands of threats and security risks. When Symantec Client Security scans for threats and security risks, it attempts to find matches between your files and the sample code that is inside the definitions. If Symantec Client Security finds a match, one or more files might be infected by threats or security risks.

Every server and client that runs Symantec Client Security has a copy of the definitions. These definitions can become outdated as new viruses and security risks are discovered. Symantec updates definitions daily on its LiveUpdate and FTP servers, or more frequently if needed. It is important to keep definitions current to maintain the highest level of protection for your network.

Ensure that all definitions are current
In 9.x and earlier versions of Symantec Client Security, the definitions files contained only the information that was needed to detect and eliminate viruses, and to detect security risks. The definitions updates for the current version contain detection and repair information for viruses as well as security risks.

Management servers that run legacy versions of Symantec Client Security can update their clients only with the definitions files that the legacy release supports. Thus, management servers that run 9.x versions of Symantec Client Security download and distribute updates that provide detection and elimination of viruses, and detection of security risks, but do not contain the information that is needed to repair the side effects of either viruses or security risks. Management servers that run the current version of Symantec Client Security can distribute the proper definitions files to clients that run either legacy or current software.

Definitions files update methods
There are several methods that are available for downloading definitions and setting up servers and clients to retrieve them.

Note: All the methods that are described update both virus and security risk definitions simultaneously in the current version of Symantec Client Security.

Table 5-1 describes the definitions update methods.

Table 5-1 Definitions update methods

Method: Virus Definition Transport Method
Description: A push operation starts when new virus and security risk definitions are received via the Symantec FTP site or LiveUpdate server by a primary management server on your network. The primary management server passes a definitions package to all of the secondary management servers in the server group. Secondary management servers extract the definitions and place them in the appropriate directory. Clients receive the package from their parent management servers. Clients extract the definitions and place them in the appropriate directory.
When to use it: Use the Virus Definition Transport Method when you want to control the virus and security risk definitions updates from the Symantec System Center. In addition, use this method during a virus outbreak to push the latest definitions files to the computers on your network immediately.

Table 5-1 Definitions update methods (continued)

Method: LiveUpdate
Description: A scheduled pull operation starts when a client or server that runs LiveUpdate requests new virus and security risk definitions. LiveUpdate may be configured on each computer to request the update from a designated internal LiveUpdate server or directly from the Symantec LiveUpdate server.
When to use it: Use LiveUpdate when you want protected computers to pull virus and security risk definitions updates from an internal LiveUpdate server, or directly from Symantec.

Method: Intelligent Updater
Description: Intelligent Updater is a self-extracting executable file that contains virus and security risk definitions files.
When to use it: Use Intelligent Updater when you need to distribute virus and security risk definitions updates to users who do not have active network connections.

Method: Central Quarantine polling
Description: The Central Quarantine Server periodically polls the Digital Immune System gateway for new virus and security risk definitions files. When new definitions are available, the Central Quarantine Server can automatically push the new definitions to the computers that need them.
When to use it: Use Central Quarantine when you want to automate the distribution of definitions file updates across your network. For information about using Central Quarantine, see the Symantec Central Quarantine Administrator's Guide.

Note: 64-bit computers receive definitions files using LiveUpdate. None of the other methods of updating these files is supported on 64-bit computers.

Best practice: Using the Virus Definition Transport Method and LiveUpdate together
You can use the Virus Definition Transport Method and LiveUpdate together. Using the Virus Definition Transport Method allows you to schedule and push virus and security risk definitions updates from the Symantec System Center. In addition, you can use the Virus Definition Transport Method as an emergency system for distributing new virus definitions quickly when the network is threatened by a new virus.

Although the Virus Definition Transport Method is used more often, some large networks depend on LiveUpdate. These installations do not permit direct access

to the Symantec site by a large number of servers and clients. One or more servers act as an internal LiveUpdate server to all of the other servers on the network, and in some installations, to all clients.

Best practice: Using Continuous LiveUpdate on 64-bit computers
To ensure that each managed 64-bit computer maintains the latest virus and security risk definitions, you can use Continuous LiveUpdate to require each computer to check for updates after a specified interval has expired. If you have more than one 64-bit computer on your network and you are using the Symantec System Center console, you can group these computers into a client or server group and manage the definitions from the console. If you are not using the console, you can enable this feature and set the interval on the client computer.

See Enabling and configuring Continuous LiveUpdate for managed clients on page 213.

Updating definitions files on servers
You can update the virus and security risk definitions files on Symantec Client Security servers by using the following methods:
   Virus Definition Transport Method
   LiveUpdate
   Intelligent Updater
   Central Quarantine polling

See Table 5-1 on page 198.

Updating and configuring servers using the Virus Definition Transport Method
Update Symantec Client Security servers manually when you need to force an immediate update. Schedule automatic updates to handle routine definitions files updating without requiring further interaction. You can update servers manually or automatically. Updates occur only when the virus and security risk definitions files on a server are older than the definitions that are available on the LiveUpdate server.

To update all unlocked servers in the system
1 In the Symantec System Center console, right-click System Hierarchy, and then click Symantec AntiVirus > Update Virus Defs Now.
2 In the confirmation dialog box, click Yes.
3 In the status dialog box, click OK.

To update servers manually
1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 Select one of the following:
   Update The Primary Server Of This Server Group Only: Updates all servers in the group from the primary management server
   Update Each Server In This Server Group Individually: Updates servers individually
   The option that you select affects all of the servers in the server group, whether you right-click a server group or an individual server.
3 Click Configure.
4 Click Update Now. A message appears with information about how you can view the date of the new virus and security risk definitions file.
5 Read the information that appears, and then click OK until the Symantec System Center console reappears.

To update servers automatically
1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 Select one of the following:
   Update The Primary Server Of This Server Group Only: Updates all servers in the group automatically from the primary management server
   Update Each Server In This Server Group Individually: Updates servers individually
   The option that you select affects all servers in the server group, whether you right-click a server group or an individual server.

3 Click Configure.
4 Ensure that Schedule For Automatic Updates is checked, and then click Schedule.
5 Select options to determine when the definitions file updates (for example, every Tuesday at 10:00 P.M.).
6 Click OK until you return to the Symantec System Center main window.

Configuring a master primary management server
Configure a master primary management server to limit your network's exposure to the Internet.

To configure a master primary management server
1 In the Symantec System Center console, right-click a server, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, click Update the Primary Server of this Server Group only.
3 Click Configure.
4 In the Configure Primary Server Updates dialog box, click Source.
5 In the Setup Connection dialog box, in the Update definition file by list, click Another Protected Server, and then click Configure.
6 In the Configure Update From Server dialog box, select the server that you want to use as the master primary management server from the list of servers that appears.
7 Click OK until you return to the Configure Primary Server Updates dialog box.
8 In the Configure Primary Server Updates dialog box, do one of the following:
   Click Update Now to retrieve the definitions file from the master primary management server immediately.
   Click Schedule For Automatic Updates, and then click Schedule. Set a frequency and time when the server checks for updates on the master primary management server.
9 Click OK until you return to the Symantec System Center main window.

About updating NetWare servers using the Virus Definition Transport Method
Updating a NetWare server is similar to updating other types of servers, except that NetWare servers do not store the addresses of supported Windows servers in their address caches. As a result, if your NetWare server does not use a domain naming system (DNS) server, you might have difficulty updating a NetWare server from a Windows server that resides in a different server group.

Updating servers using LiveUpdate
Depending on the size of your network, you can use LiveUpdate to update virus and security risk definitions files in the following ways:
   For smaller networks (less than 1000 nodes), configure managed servers to directly retrieve updates from the Symantec FTP site, Symantec LiveUpdate server, or an internal LiveUpdate server.
   For larger networks (greater than 1000 nodes), set up an internal LiveUpdate server, download updates to that server, and have your managed servers retrieve updates from the internal LiveUpdate server.

Updating servers from the Symantec FTP site or LiveUpdate server
You need to configure updating for the Symantec Client Security primary management server in each server group to ensure that its virus and security risk definitions files are current. You can also configure individual servers to update directly from Symantec. You can update all of the Symantec Client Security servers in a server group from a primary management server, or update each server in the group individually.

To update primary management servers
1 In the Symantec System Center console, right-click a server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, click Update The Primary Server Of This Server Group Only.
3 Click Configure.
4 In the Configure Primary Server Updates dialog box, do one of the following:
   Click Update Now to launch a LiveUpdate session immediately.
   Click Schedule For Automatic Updates, and then click Schedule to set a frequency and time when the server runs a LiveUpdate session.

5 Click OK.
6 In the Configure Primary Server Updates dialog box, click Source.
7 In the Update definition file via list, click LiveUpdate(Win32)/FTP(NetWare).
8 Click OK until you return to the Symantec System Center main window.

To update individual servers
1 In the Symantec System Center console, right-click a server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, click Update Each Server In This Server Group Individually.
3 Click Configure.
4 In the Configure Server Updates dialog box, click Source.
5 Click LiveUpdate (Win32)/FTP (NetWare).
6 Click OK. If you are configuring a NetWare server, make sure that the server is running FTP.
7 Do one of the following:
   Click Update Now to launch a LiveUpdate session immediately.
   Click Schedule For Automatic Updates, and then click Schedule to set a frequency and time when the server runs a LiveUpdate session.
8 Click OK until you return to the Symantec System Center main window.

Updating servers from an internal LiveUpdate server
You can set up an internal LiveUpdate server on a computer whether Symantec Client Security server software is installed or not. In either case, you should use the LUAdmin Utility to update the LiveUpdate server. The LUAdmin Utility pulls the definitions updates down from a Symantec LiveUpdate server, then places the packages on a Web server, an FTP site, or a location that is designated by a UNC path. You must then configure your Symantec Client Security servers to pull their definitions updates from this location.

For more information, see the LiveUpdate Administrator's Guide, which is available on the product CD or on the Symantec Support Web site.

Note: To compensate for unavailable internal LiveUpdate servers, Symantec Client Security supports multiple internal LiveUpdate servers for failover support.

To update servers from an internal LiveUpdate server
1 In the Symantec System Center console, right-click a server group, and then click All Tasks > LiveUpdate > Configure.
2 In the Configure LiveUpdate dialog box, click Internal LiveUpdate Server.
3 Set the following internal LiveUpdate server options:
   Name: The name of the server. This name will appear when you run LiveUpdate.
   Location: This box is optional. You can type descriptive information that is related to the server. For example, you can type the name of the site.
   Login Name: The logon name that is associated with the server. Leave this box blank so that users can log on and retrieve the files without typing information.
   Login Password: The logon password that is associated with the server. Leave this box blank so that users can log on and retrieve the files without typing information.
   URL or IP Address: If you are using the FTP method (recommended), under Type, you can click FTP, and then type the FTP address for the server. For example: ftp.myliveupdateserver.com
      If you are using the HTTP method, under Type, you can click HTTP, and then type the URL for the server. For example: or \Export\Home\LUDepot
      If you are using the LAN method, under Type, you can click LAN, and then type the server UNC path name. For example: \\Myserver\LUDepot
      In the Login box, type the name and password to access the server. If you leave the Login Name and Login Password boxes empty, an anonymous logon is used. This requires that anonymous logons be enabled on the FTP server. If your policy prohibits anonymous logons on FTP servers, type the logon name and password for the FTP server and directory to be accessed.
4 Click OK until you return to the Symantec System Center main window.

Updating servers with Intelligent Updater
To distribute updated virus and security risk definitions, download a new Intelligent Updater, and then use your preferred distribution method to deliver the updates to your managed servers and clients.

Intelligent Updater is available as a single file or as a split package, which is distributed across several smaller files. The single file is for computers with network connections. The split package can be copied to floppy disks and used to update computers that do not have network connections, Internet access, or a CD-ROM drive.

Note: Make sure to use Intelligent Updater files for Symantec Client Security rather than the consumer version of the product.

To download Intelligent Updater
1 Using your Web browser, go to:
2 Under Virus Definitions, click Download Virus Definitions Manually.
3 Click Download Virus Definitions (Intelligent Updater Only).
4 Select the appropriate language and product.
5 Click Download Updates.
6 Click the file with the .exe extension.
7 When you are prompted for a location in which to save the files, select a folder on your hard drive.

To install the virus and security risk definitions files
1 Locate the Intelligent Updater file that you downloaded from Symantec.
2 Double-click the file and follow the on-screen instructions.

About using Central Quarantine polling to update servers
If you use Symantec Central Quarantine, you can configure the Central Quarantine Server to periodically poll the Digital Immune System gateway for new virus and security risk definitions files. When new definitions are available, the Central Quarantine Server can automatically push the new definitions to the computers that need them, using the Virus Definition Update Method.

For more information, see the Symantec Central Quarantine Administrator's Guide.

Minimizing network traffic and handling missed updates
LiveUpdate provides advanced scheduling options for minimizing network traffic and handling missed updates. Table 5-2 describes LiveUpdate scheduling options.

Table 5-2 LiveUpdate scheduling options

Option: Randomization options
Description: Randomizes updates:
   Plus or minus a specified number of minutes of the scheduled time
   Any day of the week within a specified time interval
   Any day of the month plus or minus a specified number of days of the scheduled date
When to use: Use when you want to stagger updates for multiple computers to minimize the impact on network traffic. By default, Symantec Client Security randomizes LiveUpdate sessions to minimize bandwidth spikes.

Option: Missed Event options
Description: Determines how missed LiveUpdate events are handled. An event might be missed if a computer is turned off when the LiveUpdate session is scheduled to run. You can set options so that scheduled LiveUpdate events that were missed run at a later time.
When to use: Use to ensure that computers that are unavailable for a regularly scheduled LiveUpdate event attempt to pull definitions at a later time.

You can set separate randomization schedules for Symantec Client Security servers and clients on your network to minimize the impact on network traffic. You can specify separate policies for handling missed LiveUpdate events for Symantec Client Security servers and clients.

To randomize the LiveUpdate schedule for servers
1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, click Configure.
3 In the Configure Primary Server Updates dialog box, check Schedule For Automatic Updates.
4 Click Schedule.
5 Set the frequency and time when the server checks for updates.

6 In the Virus Definition Update Schedule dialog box, click Advanced.
7 In the Advanced Schedule Options dialog box, under Randomization Options, check the options that you want, and then set the minutes, day of the week, or day of the month options.
8 Click OK until you return to the Symantec System Center main window.

To randomize the LiveUpdate schedule for clients
1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, check Schedule Client For Automatic Virus Definition Updates Using LiveUpdate.
3 Click Schedule.
4 Set the frequency and time when the clients check for updates.
5 Click Advanced.
6 In the Advanced Schedule Options dialog box, under Randomization Options, check the options that you want, and then set the minutes, day of the week, or day of the month options.
7 Click OK until you return to the Symantec System Center main window.

To handle missed LiveUpdate events for servers
1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, click Configure.
3 Check Schedule For Automatic Updates.
4 In the Configure Primary Server Updates dialog box or the Configure Server Updates dialog box, click Schedule.
5 In the Virus Definition Update Schedule dialog box, click Advanced.
6 In the Advanced Schedule Options dialog box, check Handle Missed Events Within.
7 Set the time limit within which you want the missed LiveUpdate session to run. For example, you might want a weekly LiveUpdate event to run only if it is within three days after the scheduled time for the missed event.
8 Click OK until you return to the Symantec System Center main window.

To handle missed LiveUpdate events for clients
1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, check Schedule Client For Automatic Virus Definition Updates Using LiveUpdate.
3 Click Schedule.
4 In the Virus Definition Update Schedule dialog box, click Advanced.
5 In the Advanced Schedule Options dialog box, check Handle Missed Events Within.
6 Set the time limit within which you want the missed LiveUpdate session to run. For example, you might want a weekly LiveUpdate event to run only if it is within three days after the scheduled time for the missed event.
7 Click OK until you return to the Symantec System Center main window.

Updating definitions files on clients

You can update the virus and security risk definitions files on Symantec Client Security clients by using the following methods:
- Virus Definition Transport Method
- LiveUpdate
- Intelligent Updater. See Updating servers with Intelligent Updater on page 206.
- Central Quarantine polling. See About using Central Quarantine polling to update servers on page 206.
See Table 5-1 on page 198.

You can update Symantec Client Security clients using the Virus Definition Transport Method, LiveUpdate, or both.

Note: LiveUpdate is the only method for updating definitions files that is supported on 64-bit computers.

To update clients using the Virus Definition Transport Method
1 In the Symantec System Center console, right-click a server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, check Update Virus Definitions From Parent Server.
3 Click Settings.
4 In the Update Settings dialog box, set the frequency with which the parent management server pushes updates.
5 Click OK.
6 In the Virus Definition Manager dialog box, uncheck Schedule Client For Automatic Updates Using LiveUpdate.
7 Click OK until you return to the Symantec System Center main window.

To update clients using LiveUpdate
1 In the Symantec System Center console, right-click a server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, check Schedule Client For Automatic Updates Using LiveUpdate.
3 Click Schedule.
4 In the Virus Definition Update Schedule dialog box, select the frequency, day, and time at which you want the update to occur.
5 Click OK until you return to the Symantec System Center main window.

To update clients using both the Virus Definition Transport Method and LiveUpdate
1 In the Symantec System Center console, right-click a server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, check Update Virus Definitions From Parent Server.
3 Check Schedule Client For Automatic Updates Using LiveUpdate.
4 Click Schedule.
5 In the Virus Definition Update Schedule dialog box, select the frequency, day, and time at which you want the update to occur.
6 Click OK.
7 Click Settings.

8 In the Update Settings dialog box, set the frequency with which the parent management server pushes updates.
9 Click OK until you return to the Symantec System Center main window.

Forcing definitions files on clients to update immediately

You can force clients to update virus and security risk definitions files immediately using LiveUpdate. This feature is available for clients that normally receive updates using LiveUpdate or the Virus Definition Transport Method. It is a good way to update definitions files when one or more clients on which LiveUpdate is installed are using outdated files for some reason, for example, when an update operation that was performed at the server group level succeeded on all but a few clients.

Warning: Updating a large number of clients immediately can result in slow performance. Once you start this operation, you cannot cancel it. Do not use this feature to update definitions files during a virus outbreak. See Handling a virus outbreak on your network on page 225.

Before you can force an immediate update, you must specify a threshold number of clients. When the number of selected clients exceeds this threshold, a confirmation dialog box asks you to verify that you want to update more than the administrator-specified number.

To specify the number of clients to update immediately
1 In the Symantec System Center console, on the Tools menu, click SSC Console Options.
2 In the SSC Console Options Properties window, on the Client Display tab, select the number of clients that you want to update before you see a confirmation dialog box.
3 Click OK.

To update one or more clients immediately with LiveUpdate
1 In the Symantec System Center console, right-click one or more clients in the right pane, and then click All Tasks > Symantec AntiVirus > Update Virus Defs Now.
2 If you selected more than the administrator-specified number of clients, in the confirmation dialog box, click one of the following:
  - Yes
  - Cancel
  If a client is configured to update using the Virus Definition Transport Method, Symantec Client Security prompts you to allow LiveUpdate to run.
3 Click OK in the status dialog box.

Configuring managed clients to use an internal LiveUpdate server

You can configure LiveUpdate settings for managed computers that run the Symantec Client Security client from the Symantec System Center. For unmanaged Symantec Client Security clients, use the LiveUpdate Administration Utility to create a custom .hst file. For information on configuring LiveUpdate for unmanaged Symantec Client Security clients, see the LiveUpdate Administrator's Guide.

To configure a managed Symantec Client Security client to use an internal LiveUpdate server
1 Right-click a parent management server or a server group, and then click All Tasks > LiveUpdate > Configure.
2 In the Configure LiveUpdate dialog box, click Internal LiveUpdate Server.
3 If you are using an FTP or HTTP server, type the appropriate data in the Login Name and Password boxes. Plain FTP and HTTP transmit these credentials in cleartext, so use an account that has read-only access to the update share and nothing else.
4 In the Connection box, type one of the following:
  - The Universal Naming Convention (UNC) path to your shared folder
  - The URL or IP address of your FTP or HTTP server
5 In the Type list, select one of the following: LAN, FTP, or HTTP.
6 To configure individual clients that are not in client groups to use the internal LiveUpdate server as well, check Apply settings to clients not in Groups.
7 Click OK until you return to the Symantec System Center main window.

If you are using multiple parent management servers, repeat steps 1 through 7 for each parent management server so that all Symantec Client Security clients and servers receive the changes.

Enabling and configuring Continuous LiveUpdate for managed clients

If a managed Symantec Client Security client infrequently connects to its parent management server (for example, a laptop computer that is used remotely), it might not receive the most current virus and security risk definitions updates. For these computers, Continuous LiveUpdate offers a backup option for receiving updates directly from Symantec whenever the computer connects to the Internet.

With Continuous LiveUpdate, you specify a maximum number of days that the definitions files on a Symantec Client Security computer can be out of date before an update is forced. When the Symantec Client Security client determines that its definitions files exceed the maximum age, it initiates a silent (no user interaction required) LiveUpdate session.

You can enable Continuous LiveUpdate by using the Symantec System Center. You can also enable Continuous LiveUpdate by changing the client registry.

Enabling Continuous LiveUpdate by using the Symantec System Center

To enable Continuous LiveUpdate
1 In the Symantec System Center console, right-click a server group, a Symantec Client Security server, a client group, or an individual Symantec Client Security client, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, check Enable Continuous LiveUpdate.
3 Click OK until you return to the Symantec System Center main window.

Enabling and configuring Continuous LiveUpdate by changing the client registry

You can enable Continuous LiveUpdate through the client registry by adding a new value, EnableAdminForcedLU, under HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\PatternManager. Set it to 1 to enable Continuous LiveUpdate.

You can configure additional Continuous LiveUpdate options by adding other values to the client's registry. Table 5-3 describes the registry values that you use to configure Continuous LiveUpdate.
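The registry values described in Table 5-3 below are easy to get subtly wrong by hand: an AFLUDelay outside the documented range, or a MaxDefsDaysOldAllowed below the 8-day floor that the note after the table warns about. The following PowerShell script is an added example, not part of this guide or of the product, that writes those values with the guide's constraints enforced and then reads them back, reporting the effective startup delay window. It assumes the values are REG_DWORD, uses a check interval of 60 minutes by default because the guide gives no default for it, and notes that on 64-bit Windows a 32-bit client's key may live under SOFTWARE\Wow6432Node instead; adjust the path if that is the case.

```powershell
# Added example (not part of the guide): configure and audit Continuous LiveUpdate
# through the client registry values described in Table 5-3.
# Assumptions not stated by the guide: the values are REG_DWORD, the check interval
# default of 60 minutes is ours, and on 64-bit Windows the 32-bit client's key may
# sit under SOFTWARE\Wow6432Node rather than the path below.

$PatternManagerKey = 'HKLM:\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\PatternManager'

function Get-ContinuousLiveUpdate {
    param([string] $Key = $PatternManagerKey)

    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $p = Get-ItemProperty -LiteralPath $Key

    # Missing values mean the product falls back to its defaults; report them explicitly.
    $enabled = [bool]$p.EnableAdminForcedLU
    $delay   = if ($null -ne $p.AFLUDelay) { [int]$p.AFLUDelay } else { 30 }   # 30 is the documented default
    # Per Table 5-3 the real startup delay is a random value between 8 and n+8 minutes.
    $window  = if ($enabled) { "8-$($delay + 8) minutes" } else { 'n/a (disabled)' }
    $safe    = ($null -ne $p.MaxDefsDaysOldAllowed -and [int]$p.MaxDefsDaysOldAllowed -ge 8)

    [pscustomobject]@{
        Enabled               = $enabled
        MaxDefsDaysOldAllowed = $p.MaxDefsDaysOldAllowed
        CheckIntervalMinutes  = $p.AdminForcedLUCheckInterval
        AFLUDelayMinutes      = $delay
        StartupDelayWindow    = $window
        RollbackSafe          = $safe    # false means a definitions rollback may be undone by a forced update
    }
}

function Set-ContinuousLiveUpdate {
    [CmdletBinding()]
    param(
        [int] $MaxDefsDaysOldAllowed = 8,        # the guide's note: 8 days or higher
        [int] $AdminForcedLUCheckInterval = 60,  # minutes; assumption, the guide gives no default
        [int] $AFLUDelay = 30,                   # minutes; 30 is the documented default
        [string] $Key = $PatternManagerKey
    )

    # Enforce the constraints the guide states before touching the registry.
    if ($MaxDefsDaysOldAllowed -lt 8) {
        throw 'MaxDefsDaysOldAllowed must be 8 or higher; lower values can block a definitions rollback.'
    }
    if ($AFLUDelay -lt 10 -or $AFLUDelay -gt 180) {
        throw 'AFLUDelay must be between 10 and 180 minutes.'
    }
    if ($AdminForcedLUCheckInterval -lt 1) {
        throw 'AdminForcedLUCheckInterval must be a positive number of minutes.'
    }
    if (-not (Test-Path -LiteralPath $Key)) {
        # Do not create the key: values under a key the product never reads are silently ignored.
        throw "Registry key $Key not found; is the Symantec Client Security client installed?"
    }

    $values = @{
        EnableAdminForcedLU        = 1
        MaxDefsDaysOldAllowed      = $MaxDefsDaysOldAllowed
        AdminForcedLUCheckInterval = $AdminForcedLUCheckInterval
        AFLUDelay                  = $AFLUDelay
    }
    foreach ($name in $values.Keys) {
        # -Force overwrites an existing value of the same name.
        New-ItemProperty -LiteralPath $Key -Name $name -PropertyType DWord -Value $values[$name] -Force | Out-Null
    }
    Get-ContinuousLiveUpdate -Key $Key
}

# Usage: enable the feature with a 14-day ceiling, checking hourly, then review the result.
Set-ContinuousLiveUpdate -MaxDefsDaysOldAllowed 14 -AdminForcedLUCheckInterval 60 -AFLUDelay 30 | Format-List
```

Run Get-ContinuousLiveUpdate on its own before a planned definitions rollback: if RollbackSafe is false, the client may pull the newer definitions back down as soon as the rolled-back set exceeds MaxDefsDaysOldAllowed.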

Table 5-3  Configuration values for Continuous LiveUpdate

EnableAdminForcedLU (0/1)
  Disables or enables Continuous LiveUpdate.
MaxDefsDaysOldAllowed (n)
  Specifies the age (in days) that the definitions can reach before Symantec Client Security runs a silent LiveUpdate.
AdminForcedLUCheckInterval (n)
  Specifies the interval (in minutes) at which the client checks for old definitions.
AFLUDelay (n)
  Sets the startup delay time (between 10 and 180 minutes) of the Continuous LiveUpdate feature. This delay applies only if the feature is enabled. The actual delay is a random number of minutes between 8 and n+8, where n is the value in the registry. The default value is 30 minutes.

Note: Set the MaxDefsDaysOldAllowed value to 8 days or higher. Lower settings may cause problems if you need to perform a definitions rollback, because the age of the definitions files that you want to roll back to may exceed the maximum number of days that Continuous LiveUpdate allows before it forces an update.

Setting LiveUpdate usage policies

You can set LiveUpdate usage policies for managed clients. When these policies are enabled, the corresponding settings are dimmed on the client. The policies determine whether the following activities can be performed at the client level:
- Change the LiveUpdate schedule.
- Manually launch LiveUpdate.

To set LiveUpdate usage policies
1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, do one of the following:

  - Check Do Not Allow Client To Modify LiveUpdate Schedule to prevent the LiveUpdate schedule from being modified on the client. (Schedule Client For Automatic Updates Using LiveUpdate must be checked or this box is dimmed.) When this option is unchecked, users can change the LiveUpdate schedule on the client.
  - Check Do Not Allow Client To Manually Launch LiveUpdate to prevent LiveUpdate from being manually launched on the client. When this option is unchecked, users can run LiveUpdate on the client at any time.
  - Uncheck Download Product Updates Using LiveUpdate to prevent application updates.

Controlling definitions file deployment

The Symantec System Center console provides a set of tools for controlling the deployment of virus and security risk definitions files on your network. Use these tools to do the following:
- Verify the version numbers of definitions files on servers. See Verifying the version number of definitions files on page 216.
- View the risk lists on servers and clients. See Viewing the risk list on page 216.
- Roll back to a previous definitions file (network-wide). See Rolling back definitions files on page 216.

If new definitions files are causing false positives or other problems for a server, you can verify the version number of the definitions file on that computer and then deploy an earlier definitions set from the Symantec System Center console. All servers and clients in that server group roll back to the specified definitions file.

You can also control the version of the definitions file that is used on all servers and clients in a server group. Users who download a definitions file that was not approved for company use can be forced to use the virus and security risk definitions file that you specify. Because you can easily undo a definitions file rollout, you can release new definitions files in less time.
Finding computers with outdated definitions files

The Symantec System Center displays a warning icon if a definitions file is out of date on one or more computers that are managed by a parent management server, server group, or client group.

To find computers with outdated definitions files
  Expand the server, server group, or client group and look for warning icons.

Verifying the version number of definitions files

Using the Symantec System Center console, you can view the version number of the definitions files at the Symantec Client Security server, server group, client group, and individual Symantec Client Security client level.

To verify the version number of definitions files
  In the Symantec System Center console, right-click a server group, client group, Symantec Client Security server, or client, and then click Properties. On the Symantec AntiVirus tab, in the Virus Definitions box, the file version is listed as a numerical date followed by a version number.

After a definitions file is updated on a computer, it might take several minutes before the information is available from the console.

Viewing the risk list

You can view a list of the viruses and security risks, such as adware and spyware, that are detectable on a selected server or client. Use the risk list to confirm that the selected computer can detect a specific virus or security risk.

To view the risk list
1 In the Symantec System Center console, right-click a server or client, and then click All Tasks > Symantec AntiVirus > View Risk List.
2 Click Close.

Rolling back definitions files

You can roll back a virus and security risk definitions file for a server group. For example, if the most recent file generated false positive virus or security risk detections, you might want to roll back to a previous file.

Before you attempt to roll back definitions, make sure that you restart all of the computers that run the antivirus client and server programs after the initial installation. If you do not do this, some clients might not roll back to the earlier definitions.
Note: When you roll back definitions files, virus and security risks definitions that are newer than those in the rolled back version are deleted.

To roll back definitions files
1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
2 In the Virus Definition Manager dialog box, ensure that Update The Primary Server Of This Server Group Only is selected, and then click Configure.
3 In the Configure Primary Server Updates dialog box, click Definition File.
4 In the Select Virus Definition File dialog box, select the definitions file that you want to roll back to, and then click Apply.
5 Click Yes to change the current file.
6 Click OK until you return to the Symantec System Center main window.

Testing definitions files

Many administrators prefer to test virus and security risk definitions files on a test network before making them available on a production server.

To test definitions files
1 Install Symantec Client Security server on a primary management server on the test network.
2 From the primary management server on your test network, run LiveUpdate to download the definitions file. To test the operation of the definitions file, using your Web browser, go to: and download the antivirus test file that is available there.
3 Once testing is complete, copy the definitions file from the \Program files\sav folder on the test server to the folder with the same name on the primary management servers on your production network.

Once the definitions files are on the primary management servers, they flow to the other servers in the server group. Clients automatically retrieve definitions from their parent management servers if Update Virus Definitions From Parent Server in the Virus Definition Manager dialog box is checked.

Scenarios for definitions updates

The following scenarios show how administrators at two different companies perform updates:

At Company A, the administrator downloads the new virus and security risk definitions file from the Symantec FTP site or Symantec LiveUpdate server to a primary management server on the test network. He tests the definitions file. When testing is completed, he copies the definitions file to the master primary management server on his production network. He has configured the other primary management servers so that they retrieve the update from the master primary management server. All of the other connected computers use the Virus Definition Transport Method: secondary management servers retrieve the update from their primary management server, and clients retrieve the update from their parent management server.

At Company B, the administrator downloads the virus and security risk definitions file from the Symantec FTP site or Symantec LiveUpdate server to a test network. She tests the definitions file. When testing is completed, she downloads the new definitions file from the Symantec FTP site or Symantec LiveUpdate server to the internal LiveUpdate server on her production network. Some low-risk users are allowed to go outside of the firewall; when LiveUpdate runs on their computers, the definitions file is downloaded directly from the Symantec FTP site or Symantec LiveUpdate server.

About scanning after updating definitions files

If Auto-Protect is enabled, Symantec Client Security begins scanning with the updated definitions files immediately. Once definitions files are updated, Symantec Client Security offers to attempt to repair files that are stored in Quarantine.

Chapter 6  Responding to virus outbreaks

This chapter includes the following topics:
- Preparing for virus outbreaks
- Handling a virus outbreak on your network

Preparing for virus outbreaks

Responding to virus outbreaks requires preparing before an outbreak occurs, and having a strategy in place for handling an outbreak should one occur.

In addition to installing Symantec Client Security on the servers and workstations in your network, preparing for a virus outbreak consists of the following tasks:
- Creating and reviewing a virus outbreak plan. See Creating a virus outbreak plan on page 220.
- Defining Symantec Client Security actions for handling viruses. See Defining Symantec Client Security actions for handling suspicious files on page 221.
- Protecting your network from blended threats. A blended threat uses multiple exploits to attack computers. If you are using Symantec Client Security, install the Symantec Client Firewall client on the workstations in your network.

A strategy for handling virus outbreaks includes the following:
- Enable virus alerts and messages. See Using alerts and messages on page 226.
- Run a virus sweep of your network. See Running a virus sweep on page 226.

- Track viruses using reports and logs. See Tracking virus alerts using reporting, Event Logs, and Histories on page 227.
- Use the Central Quarantine Console to track infected computers on your network, and submit suspicious file samples to Symantec Security Response for analysis and cure. See Tracking submissions to Symantec Security Response with Central Quarantine Console on page 227.

Note: Symantec Client Security now includes standard reporting functionality that can be installed and is accessible from the Symantec System Center. You can use reporting to monitor events, generate reports, and send alerts in response to virus outbreaks. Reporting provides functionality similar to that of AMS 2. We recommend that you use reporting rather than AMS 2, although you still have the option to install AMS 2.

Creating a virus outbreak plan

An effective response to a virus outbreak on your network requires a plan that allows you to respond quickly and efficiently. You should create a virus outbreak plan and define actions for handling suspicious files. Table 6-1 outlines the tasks for creating a virus outbreak plan.

Table 6-1  A model virus outbreak plan

Task: Ensure that definitions files are current.
  Verify that infected computers have the latest definitions files, and use the Virus Definition Transport Method to push new definitions if needed. See Updating definitions files on servers on page 200.

Task: Map your network topology.
  Prepare a network topology map so that you can systematically isolate and clean computers by segment before you reconnect them to your local network. Your map should contain the following information:
  - Server names and addresses
  - Client names and addresses
  - Network protocols
  - Shared resources

Table 6-1  A model virus outbreak plan (continued)

Task: Understand security solutions.
  In addition to understanding your network topology, you need to understand your implementation of Symantec Client Security as well as the implementation of any other security products that are used on your network. Consider the following questions:
  - What security programs are protecting network servers and workstations?
  - What is the schedule for updating definitions?
  - What alternative methods of obtaining updates are available if the normal channels are under attack?
  - What log files are available for tracking viruses on your network?

Task: Have a backup plan.
  In the event of a catastrophic virus infection, you may need to restore servers and clients to be sure that your network has not been compromised. Having a backup plan in place to restore critical computers is essential.

Task: Isolate the infected computers.
  Blended threats such as worms can travel via shared resources without user interaction. When you respond to an infection by a computer worm, it can be critical to isolate the infected computers by disconnecting them from the network.

Task: Identify the virus.
  Symantec Client Security reports and logs are a good source of information about viruses on your network. If you can identify a virus from the reports or logs, you can use the Symantec Security Response Virus Encyclopedia to learn how to remove the virus.

Task: Respond to unknown viruses.
  If you cannot identify a suspicious file as a virus by examining the logs, and the latest virus definitions files do not clean the file, check the Latest Virus Threats and Security Advisories areas of the Symantec Security Response Web site for news.

Defining Symantec Client Security actions for handling suspicious files

By default, Symantec Client Security performs the following actions when it identifies a file that it suspects is infected by a virus:

- Symantec Client Security attempts to repair the file. If the file cannot be repaired with the current set of definitions files, the infected file is moved to the Quarantine on the local computer.
- The Symantec Client Security client records the risk event in its log. The client's log data is forwarded to a primary management server, and you can view it from the Symantec System Center console.

You can perform the following additional actions to complete your virus handling strategy:
- Configure reporting to notify you when viruses are found.
- Define different repair actions based on virus type. For example, you can have Symantec Client Security automatically fix macro viruses, but ask what action to take when a program file virus is detected.
- Assign a backup action for files that Symantec Client Security cannot repair, such as deleting the infected file. See About actions for viruses and security risks that scans detect on page 134. See Configuring actions for File System Auto-Protect on page 148.
- Configure the local Quarantine to forward infected files to the Central Quarantine. You can configure the Central Quarantine to attempt a repair based on its own set of virus definitions (which may be more up to date than the definitions on the local computer), or to automatically forward samples of infected files to Symantec Security Response for analysis. For more information, see the Symantec Central Quarantine Administrator's Guide.

Configuring automatic Quarantine purge options

When Symantec Client Security cannot repair a suspicious file, it places the file in the local Quarantine folder on the infected computer. The Quarantine purge feature automatically deletes files in the Quarantine that exceed a specified age. You can configure these options using the Symantec System Center at the server, server group, and client group level.
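Quarantine purging trades disk space against evidence: once a quarantined sample is purged, it is no longer available for a Central Quarantine submission or for an incident investigation. The purge options in this section are stored as the registry values listed in Table 6-2 below, and the following PowerShell script is an added example, not part of this guide or of the product, that decodes those values into a readable retention summary and flags settings an incident responder would object to. The decoding function takes a plain hashtable so it can be exercised on the constructed sample at the end; Get-QuarantinePurgeSettings reads the live key. The 30-day investigation window is an assumption, and on 64-bit Windows a 32-bit client's key may live under SOFTWARE\Wow6432Node rather than the path shown.

```powershell
# Added example (not part of the guide): decode and audit the Quarantine purge settings
# listed in Table 6-2. Assumptions: the 30-day investigation window is ours, and on
# 64-bit Windows the 32-bit client's key may sit under SOFTWARE\Wow6432Node instead.

$QuarantineKey = 'HKLM:\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Quarantine'

# Frequency values from Table 6-2 (0=Days, 1=Months, 2=Years) as an approximate day count.
$FrequencyDays = @{ 0 = 1; 1 = 30; 2 = 365 }

function ConvertFrom-QuarantinePurgeSettings {
    param(
        [Parameter(Mandatory)] [hashtable] $Settings,
        [int] $MinimumQuarantineDays = 30   # assumption: keep samples long enough to investigate
    )
    $classes = @(
        @{ Name = 'Quarantined'; Prefix = 'QuarantinePurge' },
        @{ Name = 'Backup';      Prefix = 'BackupItemPurge' },
        @{ Name = 'Repaired';    Prefix = 'RepairedItemPurge' }
    )
    foreach ($c in $classes) {
        # Absent values decode to 0/false, which is what an unset registry value means here.
        $enabled = [bool]$Settings[$c.Prefix + 'Enabled']
        $limit   = [int]$Settings[$c.Prefix + 'AgeLimit']
        $freq    = [int]$Settings[$c.Prefix + 'Frequency']
        $unit    = switch ($freq) { 0 { 'days' } 1 { 'months' } 2 { 'years' } default { "unknown($freq)" } }
        $days    = if ($FrequencyDays.ContainsKey($freq)) { $limit * $FrequencyDays[$freq] } else { $null }

        $findings = @()
        if (-not $enabled) { $findings += 'purge disabled; items accumulate until removed by hand' }
        if ($enabled -and $limit -le 0) { $findings += 'purge enabled with age limit 0; items are removed almost immediately' }
        if ($null -eq $days) { $findings += 'frequency value is outside 0..2' }
        if ($c.Name -eq 'Quarantined' -and $enabled -and $null -ne $days -and $days -lt $MinimumQuarantineDays) {
            $findings += "quarantined samples are purged after $days days, below the $MinimumQuarantineDays-day investigation window"
        }

        [pscustomobject]@{
            Class      = $c.Name
            Enabled    = $enabled
            AgeLimit   = "$limit $unit"
            ApproxDays = $days
            Findings   = ($findings -join '; ')
        }
    }
}

function Get-QuarantinePurgeSettings {
    param([string] $Key = $QuarantineKey)
    if (-not (Test-Path -LiteralPath $Key)) { throw "Registry key $Key not found." }
    $p = Get-ItemProperty -LiteralPath $Key
    $h = @{}
    foreach ($name in 'QuarantinePurgeEnabled', 'QuarantinePurgeAgeLimit', 'QuarantinePurgeFrequency',
                      'BackupItemPurgeEnabled', 'BackupItemPurgeAgeLimit', 'BackupItemPurgeFrequency',
                      'RepairedItemPurgeEnabled', 'RepairedItemPurgeAgeLimit', 'RepairedItemPurgeFrequency') {
        $h[$name] = $p.$name
    }
    ConvertFrom-QuarantinePurgeSettings -Settings $h
}

# Constructed sample (not real data): quarantined files purged after 7 days, backups kept
# for 1 year, repaired-file purge disabled. Expect a finding on the first and third rows.
$sample = @{
    QuarantinePurgeEnabled   = 1; QuarantinePurgeAgeLimit   = 7; QuarantinePurgeFrequency   = 0
    BackupItemPurgeEnabled   = 1; BackupItemPurgeAgeLimit   = 1; BackupItemPurgeFrequency   = 2
    RepairedItemPurgeEnabled = 0; RepairedItemPurgeAgeLimit = 0; RepairedItemPurgeFrequency = 0
}
ConvertFrom-QuarantinePurgeSettings -Settings $sample | Format-Table -AutoSize

# On a managed client, audit the live settings instead:
# Get-QuarantinePurgeSettings | Format-Table -AutoSize
```

Run the live audit across a representative set of clients after changing purge options in the console, because the console applies the settings per server, server group, or client group and a client that has not yet checked in keeps its old values.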
You can individually configure the number of days, months, or years to keep repaired, backup, and quarantined files before they are automatically removed from the computer.

To configure automatic Quarantine purge options
1 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Quarantine Options.
2 Click Purge Options.

3 In the Purge Options dialog box, check Enable automatic purging of repaired files, and then select the number of days, months, or years that you want to keep repaired files in the local Quarantine.
4 Check Enable automatic purging of backup files, and then select the number of days, months, or years that you want to keep backup files in the local Quarantine.
5 Check Enable automatic purging of quarantined files, and then select the number of days, months, or years that you want to keep quarantined files in the local Quarantine.
6 Click OK to return to the Quarantine Options dialog box.

Registry settings for Quarantine purge options

Registry settings for Quarantine purge options are located under the HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Quarantine registry key. Table 6-2 lists the possible Quarantine purge settings.

Table 6-2  Quarantine purge settings

QuarantinePurgeEnabled (0/1)
  Disables or enables purging of quarantined files.
QuarantinePurgeAgeLimit (n)
  Specifies the maximum age of a file in the Quarantine directory, in the unit that QuarantinePurgeFrequency selects.
QuarantinePurgeFrequency (n)
  Sets the unit for the quarantined file age limit: 0=Days, 1=Months, 2=Years.
BackupItemPurgeEnabled (0/1)
  Disables or enables purging of backup files.
BackupItemPurgeAgeLimit (n)
  Specifies the maximum age of a backup file in Quarantine, in the unit that BackupItemPurgeFrequency selects.
BackupItemPurgeFrequency (n)
  Sets the unit for the backup file age limit: 0=Days, 1=Months, 2=Years.
RepairedItemPurgeEnabled (0/1)
  Disables or enables purging of repaired files.
RepairedItemPurgeAgeLimit (n)
  Specifies the maximum age of a repaired item in Quarantine, in the unit that RepairedItemPurgeFrequency selects.

Table 6-2  Quarantine purge settings (continued)

RepairedItemPurgeFrequency (n)
  Sets the unit for the repaired file age limit: 0=Days, 1=Months, 2=Years.

Forwarding items to the Quarantine Server

You can enable items in the Quarantine on a client or server to be forwarded to the Quarantine Server. You can also apply these settings to the selected clients that are not members of client groups. These clients appear under the selected server or server group.

To enable forwarding items to the Quarantine Server
1 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Quarantine Options.
2 In the Quarantine Options dialog box, check Enable Quarantine or Scan and Deliver.
3 Type the name of the Quarantine Server, or click the network icon to browse and then select a server in the network.
4 Type the port number to use, select the number of seconds to wait before retrying the connection, and then select the protocol to use.
5 Click Apply settings to clients not in Groups.
6 Click OK.

Enabling scan and deliver

You can enable Symantec Client Security to allow users to submit infected or suspicious files, and likely related side effects, to Symantec Security Response for further analysis. Submitting items allows Symantec to better refine its detection and repair.

Files submitted to Symantec Security Response become the property of Symantec Corporation. In some cases, files may be shared with the antivirus community. When this occurs, Symantec uses industry-standard encryption and may anonymize data to help protect the integrity of the content and your privacy.

In some cases, Symantec might reject a file, for example, because the file does not seem to be infected. If you have reason to believe that there is a problem with the file, you can resubmit one such file per day. Enable the resubmission of files if you want users to be able to resubmit selected files.

You can apply these same settings to the selected clients that are not members of client groups. These clients appear under the selected server or server group.

To enable scan and deliver
1 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Quarantine Options.
2 In the Quarantine Options dialog box, check Enable Quarantine or Scan and Deliver.
3 Click Allow submissions via scan and deliver.
4 Click Allow files to be resubmitted to Symantec Security Response.
5 Click Apply settings to clients not in Groups, if appropriate.
6 Click OK.

Configuring actions to take when new definitions arrive

You can configure the actions that you want to take on servers and client computers when new definitions arrive on the computer. You can apply these same settings to the selected clients that are not members of client groups. These clients appear under the selected server or server group.

To configure actions for new definitions
1 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Quarantine Options.
2 Under When new virus definitions arrive, select one of the following actions:
  - Automatically repair and restore silently
  - Repair silently without restoring
  - Prompt user
  - Do nothing
3 Click Apply settings to clients not in Groups, if appropriate.
4 Click OK.

Handling a virus outbreak on your network

Symantec Client Security provides the following tools for handling a virus outbreak on your network:

  Alerts: Sends reporting alerts and built-in alerts from Symantec AntiVirus.
  Virus sweep: Forces a virus scan at the system hierarchy, server group, or individual server level.
  Event Logs and Histories: Tracks viruses and Central Quarantine submissions at the server group, individual server, or client level.
  Central Quarantine Console: Tracks submissions to Symantec Security Response.

Using alerts and messages

You can use alerts and messages to learn about suspicious files that Symantec Client Security discovers on your network. Symantec Client Security offers the following notification mechanisms:

- Reporting (recommended alert method): If reporting is configured, clients can send events to a reporting server. You can configure a reporting server to send alerts to an e-mail address and to execute batch files that you create to perform custom actions, such as sending a page or an SNMP trap when a risk event occurs. You can also acknowledge and unacknowledge your alerts. For information about using reporting, see the Reporting User's Guide.
- AMS 2: If configured, Symantec Client Security clients can send risk events to an AMS 2 server. You can also configure AMS 2 servers to send alerts. See About the Alert Management System on page 91.
- Custom messages: From the Symantec System Center console, you can have a custom message appear on Symantec Client Security clients when they encounter a suspicious file. See Customizing and displaying warnings on infected computers on page 192.

Running a virus sweep

If you discover several suspicious files, you might not know whether the problem is confined to the computer or server on which the suspicious files were detected, or whether it has spread to other areas of the network. You might want to begin a virus sweep using the Symantec System Center. The number of computers that you scan depends on how you start the sweep.
If a Symantec Client Security client is not accessible during a virus sweep, it scans the computer as soon as it is turned on. The computer does not have to log on to the network.

Depending on the object that you select in the Symantec System Center console, you can run a virus sweep on your entire network, a server group, or an individual server. A virus sweep scans for viruses and security risks.

Warning: A virus sweep can create considerable network traffic, the amount and duration of which depend on the size of your network. Once you start a virus sweep, it must complete; you cannot stop it.

To run a virus sweep

1. In the Symantec System Center console, right-click the network, a server group, or a server, and then click All Tasks > Symantec AntiVirus > Start Virus Sweep.
2. In the Name box, type a name for the sweep.
3. If appropriate, click Options and set Scan Options, Advanced Scan Options, Actions, Throttling, and Notifications Options. The same configuration options are available for running a virus sweep as are available for manual scans. See Configuring manual scans.
4. Click Start.

Tracking virus alerts using reporting, Event Logs, and Histories

You can use reporting to set the conditions that trigger alerts and to configure how the notifications are sent out. For example, you can have reporting send alerts to the reporting database so that the alerts appear in the alert events log, you can have it execute a custom batch file, and you can have an alert sent to an e-mail address when a virus is detected. For information about using reporting, see the Reporting User's Guide.

You can also track Risk Found alerts from the Symantec System Center console. By default, Risk Found alerts appear in the Risk History for three days. You can change the number of days for which Risk Found alerts appear.

Tracking submissions to Symantec Security Response with Central Quarantine Console

The Symantec System Center logs an event when a Symantec Client Security client submits a suspicious file to Symantec Security Response.
In addition to the logged event, you can track the Auto-Protect status of submissions to Symantec Security Response from the Central Quarantine Console.

For information on using the Central Quarantine Console, see the Symantec Central Quarantine Administrator's Guide.

Chapter 7 Managing roaming clients

This chapter includes the following topics:

- About roaming clients
- Roaming client components
- How roaming works
- Implementing roaming
- Command-line options
- Registry values

About roaming clients

A roaming client can do the following:

- Automatically identify its best parent management server, based on speed and proximity, and become a managed client of that parent management server. For example, when a mobile user who is based in New York travels to California, the roaming client detects the new network address and reassigns the user's laptop to the best parent management server.
- Connect to the nearest appropriate parent management server whenever its network address changes.
- Connect to a different parent management server if the current parent management server becomes unavailable.
- Periodically recheck for the nearest parent management server to adjust for changes in servers and server load.
- Attempt to balance the load among a pool of equivalent servers when selecting a parent management server.

- Automatically identify the best parent management server when the client connects to the network (for unmanaged clients that are converted to managed clients). For example, a corporation may have a distribution center for new computers. Administrators enable roaming on the computers before they are sent to branch offices. This entails specifying all of the possible roam servers for the new computers. When end users connect the new computers to the network, Symantec Client Security automatically assigns the best parent management server.

Roaming client components

Table 7-1 lists roaming client components.

Table 7-1 Roaming client components

  List of level 0 servers
    Lists the level 0 servers that are available as possible roam servers for a specific roaming client. Roaming clients store this data in their registries. See Analyzing and mapping your Symantec Client Security network on page 232. See Creating a list of level 0 Symantec Client Security servers on page 233.

  Hierarchical list of servers
    Lists all roam servers, grouped by hierarchical level. Roaming servers store this data in their registries. See Analyzing and mapping your Symantec Client Security network on page 232. See Creating a hierarchical list of Symantec Client Security servers on page 233.

  Roamadmn.exe
    Sets up Symantec Client Security servers for roaming access. See Configuring additional roaming client support for roam servers on page 237.

  SavRoam.exe
    Provides roam server data to roaming clients. See Configuring roaming client support options from the Symantec System Center console on page 234.

How roaming works

Roaming client support employs the following types of lists:

- One or more lists of level 0 servers
- A hierarchical list of the servers that you want to support roaming clients

Roaming clients store the level 0 list in their registries, and use it to identify the servers to which they should attempt to connect. To implement roaming on your network, start by preparing one or more lists of level 0 servers, and the hierarchical list of servers.

After you roll out this data, roaming clients work in the following manner:

- SavRoam.exe launches on the Symantec Client Security client during startup, and selects the best Symantec Client Security server, based on registry values and server feedback.
- The selected server provides the client with a list of servers at the next level in the network hierarchy. SavRoam loops through the network hierarchy until no lower level exists.
- The final server becomes the client's new parent management server, and immediately pushes a full configuration to the roaming client.

SavRoam runs the following checks at regular intervals:

- Checks for the availability and response time of its parent management server. If its parent management server is unavailable or another parent management server can provide better performance, SavRoam connects the client with a new best parent management server on the network.
- Checks for the computer's network address. If the address has changed, it connects to the new best parent management server.

If the client was previously assigned to a different parent management server, SavRoam attempts to delete itself from the old parent after it checks in with the new parent.

Implementing roaming

To implement roaming, you must complete the following tasks:

- Analyze and map your Symantec Client Security network.
- Identify servers in each region that point roaming clients to the next level of roam servers.
- Create a list of level 0 servers for roaming clients.

- Create a hierarchical list of all roam servers, layered hierarchically.
- Configure roaming client support for roaming clients and servers from the Symantec System Center console.
- Configure additional roaming client options for roaming clients in the registry. This task is optional.
- Configure additional roaming client options for roam servers in the registry. This task is optional.

Analyzing and mapping your Symantec Client Security network

While you may have many servers in your network, you may want to identify only some of them as roam servers. Creating a hierarchical map of your network lets you quickly identify roam servers for your network.

Figure 7-1 illustrates a map of an enterprise network that spans three continents. While this organization has more Symantec Client Security servers than appear in the map, only the mapped servers are identified as regional pointer servers.

Figure 7-1 Sample enterprise map

  Level 0: USASvr, EuropeSvr, AsiaSvr
  Level 1 (under USASvr): USAEastSvr, USAWestSvr
  Level 1 (under EuropeSvr): EUROWestSvr, EUROEastSvr
  Level 1 (under AsiaSvr): JapanSvr, KoreaSvr

Identifying servers for each hierarchical level

To identify servers for each hierarchical level, you must analyze the needs of your roaming users. For example, you may need to identify mobile users based on whether they travel internationally, throughout the country, or within a smaller geographic area.

If a user travels internationally, his server list could contain the names of the main country servers as its level 0 entry, and the level 0 servers would contain the list of level 1 servers. If a user travels within one country only, his server list would need to contain only the level 1 servers as its level 0 entry. No additional levels are needed in the hierarchy.

Depending on network speeds, the server list could contain only the top level servers (level 0 in Figure 7-1). This simplifies building the clients' server list. The only limit to the number of levels that you can define is the text file size limit of 512 characters for each file entry.

Creating a list of level 0 Symantec Client Security servers

You can create the clients' server list text file using a text editor such as Notepad. The server list text file must contain lines in the following format:

<local> <type of server> <level> <server list>

where:

- <local> indicates to the client that this is the level 0 of servers that the client should attempt to contact when searching for a roam server.
- <type of server> is the server type, such as parent server.
- <level> is 0.
- <server list> is the list of servers, which are separated by commas. (Spaces between the commas are optional.)

For example, the clients' server list text file that corresponds to Figure 7-1 is as follows:

<local> Parent 0 USASvr,EuropeSvr,AsiaSvr

This is the only line in the server list for the roaming clients in this example. The list tells the clients to contact and compare response time from these three servers only.
Depending on which server is best, the client continues its search down the list into one of the three continents.

Creating a hierarchical list of Symantec Client Security servers

You can create the hierarchical list using a text editor such as Notepad. It must contain lines in the following format:

<computer> <type of server> <level> <server list>

where:

- <computer> is the host name of the server.
- <type of server> is the server type, such as parent server.
- <level> is the level that is specified in the server list text file.
- <server list> is the list of servers, which are separated by commas. (Spaces between the commas are optional.)

For example, in the enterprise map in Figure 7-1, the USA branch would have the following server list:

USASvr Parent 1 USAWestSvr,USAEastSvr

Configuring roaming client support options from the Symantec System Center console

You can configure roaming client support options from the Symantec System Center console. You can configure options at the following levels:

- Server group
- Client group
- Server
- Client

Once you set the options, Symantec Client Security pushes them to the Symantec Client Security clients based on the selected level.

To configure roaming client support options from the Symantec System Center console

1. In the Symantec System Center console, right-click the server group, Symantec Client Security servers, client group, or Symantec Client Security clients that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Roaming Options. If you select a server group, the Symantec System Center will configure all of the clients that are in the server group. If you select a client group, the Symantec System Center will configure all of the clients that are in the client group.
2. In the Client Roaming Options dialog box, do the following:
   - Enable roaming on clients on which the Symantec Client Security roam service is installed.
   - Set the number of minutes that a client waits before it validates that its parent management server is available. The default setting is 120 minutes.
   - Set the number of minutes that a client waits before it checks for a closer parent management server. The default setting is 60 minutes.
   - Set the number of times that a client checks each server to determine the average number of seconds required to contact it. The client then uses this sampling to determine how close a server is to the client. The default setting is 7 times.

   - Set the number of seconds that a client that cannot find a new parent management server waits before retrying to connect to a new parent management server. The default setting is 30 seconds.
3. Under Use These Servers, select one of the following:
   - Roaming: You can set up level 0 parent management servers.
   - Failover: You can set up a fault tolerance system by specifying backup servers to handle clients when roam servers are unavailable. A roaming client checks the response time for the first server in the list that answers. If the first backup server fails, the roaming clients that it manages migrate to the next available backup server in the list when they check their parent management server availability. Backup servers do not load balance.
   - Loadbalance: If you have multiple servers and want to distribute roaming clients among them, you can load balance by treating roam servers as equals regardless of how long it takes clients to contact them. A roaming client will contact each server in the list. Roaming servers keep a count of the Symantec Client Security clients that they manage, and return this value to the roaming client. The roaming client selects the server with the fewest clients. This server becomes the roaming client's new parent management server. Load balancing has a higher priority than finding the closest parent.
4. To specify load balancing among servers, use an equal sign (=) between the servers. For example:

   MiamiSvr=AtlantaSvr=RichmondSvr

5. To specify failover servers, use a greater than symbol (>) in the hierarchical list of servers. For example:

   MiamiSvr>AtlantaSvr>RichmondSvr

6. Click OK.

Configuring additional roaming client support for roaming clients

Configuring additional roaming client support for roaming clients consists of the following tasks:

- Configuring roaming on each roaming client
- Adding level 0 server data to the registry of each roaming client

Configuring additional roaming on each roaming client

You can configure additional roaming on Symantec Client Security clients by setting the required values in a configuration file (Grc.dat), or by directly editing each roaming client's registry. The registry value RoamManagingParentLevel0 lists the parent management servers that roaming checks for proximity. Type this registry value under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\ProductControl

Configuring additional roaming client support for roam servers

To configure a Symantec Client Security server for additional roaming options, you must complete the following tasks:

- Optionally configure additional load balancing, failover, and alternate Symantec Client Security servers.
- For legacy servers, roll out the hierarchical list of servers to each roam server using RoamAdmn.exe, which is located on Disk 1 in the Tools folder.

See Configuring roaming client support options from the Symantec System Center console on page 234.

Rolling out the hierarchical list of servers

When you run RoamAdmn, it communicates with each server named at the beginning of each line in the hierarchical list of servers. On each server, RoamAdmn adds a registry value that contains the servers at the next level down in the hierarchy. If the server cannot be reached, that server is bypassed. For legacy servers, you must roll out the hierarchical list of servers.

To roll out the hierarchical list of servers

1. Copy RoamAdmn to the computer from which you want to work while rolling out the hierarchical list of servers to the roaming servers.
2. At the command prompt, type the following:

   RoamAdmn /import <serverlist.txt>

   where <serverlist.txt> is the name of the hierarchical server list that you created.

Roaming server example

A corporation has a computer from which all roam servers are visible. The Serverlist.txt file includes the following lines:

USASvr Parent 1 USAWestSvr,USAEastSvr
EuropeSvr Parent 1 EUROEastSvr,EUROWestSvr
AsiaSvr Parent 1 JapanSvr,KoreaSvr

Table 7-2 describes the ServerList.txt data as it appears in each roam server's registry.

Table 7-2 Sample registry values

  Server name: USASvr
    Registry value: RoamManagingParentLevel1
    Data: USAWestSvr,USAEastSvr

  Server name: EuropeSvr
    Registry value: RoamManagingParentLevel1
    Data: EUROEastSvr,EUROWestSvr

  Server name: AsiaSvr
    Registry value: RoamManagingParentLevel1
    Data: JapanSvr,KoreaSvr

Command-line options

You must have local Administrator rights to use command-line options. Table 7-3 describes the command-line options that can be used with SavRoam.exe and RoamAdmn.exe.

Table 7-3 Command-line options

  /h
    Displays a list of the options with descriptions of their usages.
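The server-list format, the RoamAdmn registry roll-out (Table 7-2), and the three selection rules from the Client Roaming Options procedure (closest server, load balance with =, failover with >) are small enough to model end to end. The following Python is an added example written for this guide, not Symantec's code: it parses both list files, derives the RoamManagingParentLevel<n> value each roam server would hold, and walks the hierarchy the way the chapter describes SavRoam doing it. The latency table and managed-client counts are constructed; the assumption that a client keeps its current server when nothing at the next level answers is mine, as is the choice not to handle = and > mixed in one entry, which the guide does not describe. From a defender's side, these two files decide which hosts a laptop will accept a full configuration push from, so validating them (entry length, syntax, and only approved host names) before roll-out is worth the few lines.

```python
"""Parse roaming server lists and walk the hierarchy as a roaming client would.

Added example for the roaming chapter; not Symantec's own code.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

MAX_ENTRY_LEN = 512  # per-entry text file limit stated in the guide
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S.*)$")

Entry = Tuple[str, str, int, str]          # (computer, server type, level, server spec)
Probe = Callable[[str], Optional[float]]   # avg seconds to contact a server; None if unreachable


def parse_server_list(text: str) -> List[Entry]:
    """Parse '<computer> <type of server> <level> <server list>' lines.

    '<local>' in the computer column marks a client's level 0 list. Spaces after
    commas are optional in the format, so they are stripped from the spec.
    """
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if len(line) > MAX_ENTRY_LEN:
            raise ValueError(f"entry longer than {MAX_ENTRY_LEN} characters: {line[:30]}...")
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"malformed entry: {line!r}")
        computer, stype, level, spec = m.groups()
        entries.append((computer, stype, int(level), spec.replace(" ", "")))
    return entries


def registry_values(entries: List[Entry]) -> Dict[str, Dict[str, str]]:
    """Per computer, the RoamManagingParentLevel<n> value RoamAdmn writes (Table 7-2)."""
    reg: Dict[str, Dict[str, str]] = {}
    for computer, _stype, level, spec in entries:
        reg.setdefault(computer, {})[f"RoamManagingParentLevel{level}"] = spec
    return reg


def sampled_probe(measure: Callable[[str], Optional[float]], samples: int = 7) -> Probe:
    """Average `samples` contact times per server (the console default is 7 checks)."""
    def probe(server: str) -> Optional[float]:
        times = [measure(server) for _ in range(samples)]
        if any(t is None for t in times):
            return None
        return sum(times) / samples
    return probe


def pick_server(spec: str, probe: Probe, client_count: Dict[str, int]) -> Optional[str]:
    """Choose one server from a spec using the guide's rules.

    'A=B=C' load balance: reachable server with the fewest managed clients (outranks proximity).
    'A>B>C' failover: first server in the chain that answers.
    'A,B,C' roaming: reachable server with the lowest average contact time.
    Mixing the operators in one entry is not described by the guide and is not handled.
    """
    if "=" in spec:
        group = [s for s in spec.split("=") if probe(s) is not None]
        return min(group, key=lambda s: client_count.get(s, 0)) if group else None
    if ">" in spec:
        return next((s for s in spec.split(">") if probe(s) is not None), None)
    timed = [(probe(s), s) for s in spec.split(",")]
    reachable = [(t, s) for t, s in timed if t is not None]
    return min(reachable)[1] if reachable else None


def resolve_parent(level0_spec: str, registry: Dict[str, Dict[str, str]],
                   probe: Probe, client_count: Dict[str, int]) -> Tuple[Optional[str], List[str]]:
    """Descend like SavRoam: pick at level 0, then follow the chosen server's
    RoamManagingParentLevel<n+1> value until no lower level exists.
    Returns (final parent, servers visited in order)."""
    path: List[str] = []
    chosen = pick_server(level0_spec, probe, client_count)
    level = 0
    while chosen is not None:
        path.append(chosen)
        next_spec = registry.get(chosen, {}).get(f"RoamManagingParentLevel{level + 1}")
        if next_spec is None:
            break  # no lower level: this server becomes the parent management server
        nxt = pick_server(next_spec, probe, client_count)
        if nxt is None:
            break  # assumption: keep the current server when the next level does not answer
        chosen, level = nxt, level + 1
    return chosen, path


# Constructed sample input: the lists from Figure 7-1 and the roaming server example.
LEVEL0_LIST = "<local> Parent 0 USASvr, EuropeSvr, AsiaSvr\n"
HIERARCHY_LIST = """
USASvr Parent 1 USAWestSvr,USAEastSvr
EuropeSvr Parent 1 EUROEastSvr,EUROWestSvr
AsiaSvr Parent 1 JapanSvr,KoreaSvr
"""
# Constructed: average seconds to contact each server from a New York laptop; None = unreachable.
LATENCY: Dict[str, Optional[float]] = {
    "USASvr": 0.020, "USAEastSvr": 0.010, "USAWestSvr": 0.070,
    "EuropeSvr": 0.090, "EUROWestSvr": 0.095, "EUROEastSvr": 0.110,
    "AsiaSvr": 0.150, "JapanSvr": 0.160, "KoreaSvr": 0.170,
    "MiamiSvr": None, "AtlantaSvr": 0.030, "RichmondSvr": 0.025,
}
CLIENT_COUNT = {"AtlantaSvr": 25, "RichmondSvr": 10}  # constructed managed-client counts
PROBE = sampled_probe(LATENCY.get)

if __name__ == "__main__":
    reg = registry_values(parse_server_list(HIERARCHY_LIST))
    spec = parse_server_list(LEVEL0_LIST)[0][3]
    print(resolve_parent(spec, reg, PROBE, CLIENT_COUNT))  # ('USAEastSvr', ['USASvr', 'USAEastSvr'])
    print(pick_server("MiamiSvr=AtlantaSvr=RichmondSvr", PROBE, CLIENT_COUNT))  # RichmondSvr
    print(pick_server("MiamiSvr>AtlantaSvr>RichmondSvr", PROBE, CLIENT_COUNT))  # AtlantaSvr
```

Run as a script it shows the New York laptop settling on USAEastSvr after passing through USASvr, the load-balance group choosing the server with the fewest clients even though MiamiSvr is down, and the failover chain skipping MiamiSvr for AtlantaSvr. The parser rejects entries over the 512-character limit and lines whose level is not numeric, which is the check an administrator wants before RoamAdmn /import pushes the file into every roam server's registry.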

Table 7-3 Command-line options (continued)

  /import <server list>
    Sets up client or server registry keys. When you use RoamAdmn.exe, you can import the server list to remote servers. When you use SavRoam.exe, you can import the server list to the registry of the local computer. <server list> is the text file that contains the list of potential parent management servers.

  /export > <file>
    Reports all of the roam servers that the client can find at all levels. <file> is the name of the file to which the information is written. You can use the file that is created with the export command as the server list for import.

  /install <path> <new service name> <new exe name>
    Registers and starts the roaming client service. The service runs until the computer is turned off. <path> is the path to the folder in which you want to copy SavRoam.exe. <new service name> is SavRoam.exe. <new exe name> is SavRoam.exe.

  /remove <new service name>
    Stops and removes SavRoam.exe.

  /nearest
    Finds and sets the nearest appropriate parent for the parent server.

  /check_parent
    Verifies that the parent management server is running.

  /shutdown
    Disconnects the client from the parent management server.

Table 7-3 Command-line options (continued)

  /time-network <elapsed-time-in-seconds> <delta-time-in-milliseconds> <servers>
    Provides the average amount of time that it takes to contact each specified server. <elapsed-time-in-seconds> is the number of seconds to allow the process to run. <delta-time-in-milliseconds> is how often to contact the server, in milliseconds. For example, 10,000 would cause the client to contact the server every ten seconds. <servers> is the list of servers to be contacted. Separate server names with commas. Do not include spaces between server names or commas.

Registry values

You can edit the roaming registry values using a registry editor such as Regedit or Regedt32. The agent behavior is controlled by the registry keys under the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\ProductControl

Table 7-4 describes the registry values for roaming clients.

Table 7-4 Registry values for roaming clients

  CheckForNewParentIntervalInSeconds
    Checks periodically to see if the network is up if a computer cannot find the nearest parent when it first starts. The interval is set by this registry key. The default value is 30 seconds.

  CheckParentIntervalInMinutes
    Determines how often a computer checks to see if its parent is available. If the parent is not available, it tries to find a new parent. The default value is 120 minutes.

Table 7-4 Registry values for roaming clients (continued)

  RoamClient
    Instructs the agent to make this computer a child of the nearest parent. The default value is 0. Set this value to 1 if you want the computer to become a child of the nearest parent.


Chapter 8 Working with Histories and Event Logs

This chapter includes the following topics:

- About Histories and Event Logs
- Working with Histories
- Forwarding client and server logs
- Deleting Histories and Event Logs

About Histories and Event Logs

Histories and Event Logs offer a central view of virus, security risk, and scanning activity on your network. Using the Symantec System Center, you can do the following:

- View data at the server group, server, or individual managed workstation level. In addition, each Symantec Client Security client stores its own Event Log data locally. The data is viewable from the Symantec Client Security client user interface.
- Sort and filter History and Event Log data.
- Perform actions that are based on History and Event Log data. For example, if a Risk History displays a found virus, you can perform actions such as repairing the infected file or moving it to the Central Quarantine.
- Export data to Microsoft Access (as an .mdb file) or in comma-separated value (.csv) format.
- Remove History and Event Log data.

Table 8-1 describes the Histories and Event Logs that Symantec Client Security provides.

Table 8-1 History and Event Log types

  Name: Event Log
  Description: Provides the following information:
    - Symantec Client Security startups and shutdowns
    - Scans that were started, stopped, or aborted
    - Configuration changes
    - User name and domain that authenticated the user
    - Virus and security risk definitions updates
    - Viruses and security risks that were found and repaired
    - Items that were forwarded to the Central Quarantine
    - Items that were forwarded to Symantec Security Response
  Available for: Server groups, individual servers, individual clients

  Name: Scan History
  Description: Provides information about scans that have run or are running on Symantec Client Security clients at the server group, server, or individual workstation level. Specify a time range to filter the view. For example, you might want to view only those scans that ran within the last seven days.
  Available for: Server groups, individual servers, individual clients

Table 8-1 History and Event Log types (continued)

  Name: Risk History
  Description: Lists all viruses and security risks that were detected for selected computers or server groups. You can select a virus or security risk item in the list and perform additional actions, such as Delete or Move To Quarantine. Risk History shows many details about each virus and security risk that was detected, including the following:
    - The name and location of the infected files
    - The name of the infected computer
    - The first and second actions that were configured for the detected virus or security risk
    - The action that was taken on the virus or security risk
    - User name and domain that authenticated the user
    You can click the link in the security risk item to access detailed information about it at the Symantec Security Response Web site. Since security risks often involve many types of objects and files, this log contains a summary line for security risks. You can view more details by looking at the Risk properties. See Viewing Risk properties on page 256.
  Available for: Server groups, individual servers, individual clients

  Name: Tamper History
  Description: Provides information about the attempts to tamper with Symantec applications that Tamper Protection thwarted for servers and clients. Tamper History shows details about each attack, including the name of the user and the domain that authenticated the user.
  Available for: Server groups, individual servers, individual clients

  Name: Virus Sweep History
  Description: Includes information about previous virus sweeps for servers or server groups.
  Available for: Server groups, individual servers

When a Symantec Client Security parent management server receives client Event Logs from different time zones, the server adjusts the client time stamps to correspond to the Symantec Client Security server's local time.
Note: When you add a security risk to the global exclusions list, Symantec Client Security no longer logs any events that involve that security risk. Users are not notified in any way when the risk is present on their computers.

Sorting and filtering History and Event Log data

When you view the Event Log, Scan History, Risk History, Tamper History, or Virus Sweep History, you can filter items in the following ways:

- Today
- Past 7 days
- This month
- All items
- A selected range of days

When you view Histories and Event Logs, you can sort the data in any column, and you can filter event types by selecting just the events that you want to view. You can also filter Event Log data by event type.

To sort the data

Click the column header. The ascending sort icon appears within a column header the first time that you click it. The descending sort icon appears the next time that you click the column header.

To filter History and Event Log data by date

1. In the Symantec System Center console, right-click a server or server group, click All Tasks > Symantec AntiVirus > Logs, and then select one of the following:
   - Event Log
   - Scan History
   - Risk History
   - Tamper History
   - Virus Sweep History
2. In the list, select one of the following:
   - Today
   - Past 7 Days
   - This Month
   - All Items
   - Selected Range
   If you select Selected Range, select start and end dates, and then click OK.

To filter Event Log data by event type

1. In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Logs > Event Log.
2. In the Event Log dialog box, click the filter icon.
3. In the Filter Event Log dialog box, select the events that you want to display:
   - Configuration change
   - Symantec AntiVirus startup and shutdown
   - Virus definition file
   - Scan omissions
   - Forward to the Quarantine Server
   - Deliver to Symantec Security Response
   - Auto-Protect load/unload
   - Licensing
   - Client management and roaming
   - Log Forwarding
   - Unauthorized communication (access denied) warnings
   - Login and certificate management
   - Endpoint Compliance
4. Click OK.

About Event Log icons

In the Event Log window, icons display information about any viruses or security risks that were found, and allow you to perform actions such as saving the data as a comma-separated value (.csv) file. Table 8-2 describes Event Log icons.

Table 8-2 Event Log icons

  Get information about an event.
  Indicates an error occurred in association with this event.

Table 8-2 Event Log icons (continued)

  Closes the Event Log window.
  Displays item properties.
  Saves the data shown in the Event Log window as a .csv file or as a Microsoft Access database (.mdb) file.
  Filters the Event Log by the following categories:
    - Configuration change
    - Symantec Client Security startup/shutdown
    - Definitions file
    - Scan Omissions
    - Forward to Quarantine
    - Deliver to Symantec Security Response
    - Auto-Protect load/unload
    - Licensing
    - Client management and roaming
    - Log Forwarding
    - Unauthorized communication (access denied) warnings
    - Login and certificate management
    - Endpoint Compliance
  Displays Help for the Event Log.

Viewing Histories

Table 8-3 describes the Histories that you can view in the Symantec System Center console.

Table 8-3 What the Histories show

  Scan History (current and scheduled)
    The Scan History displays the following:
    - At the server group level, all of the scans for that server group
    - At the server level, all of the scans for that server and the clients that are managed by that server
    - At the client level, all of the scans for that client

  Risk History
    The Risk History displays the following:
    - At the server group level, all of the viruses and security risks that were found in that server group
    - At the server level, all of the viruses and security risks that were found on that server and on clients that are managed by that server
    - At the client level, all of the viruses and security risks that were found for the client

  Tamper History
    The Tamper History displays the following:
    - At the server group level, all of the attempts to tamper with Symantec processes for that server group
    - At the server level, all of the attempts to tamper with Symantec processes on that server and on clients that are managed by that server
    - At the client level, all of the attempts to tamper with Symantec processes on that client

  Virus Sweep History
    The Virus Sweep History displays the following:
    - At the server group and server level, all of the virus sweeps for all servers in a server group or a server

You can view Scan Histories, Risk Histories, Tamper Histories, and Virus Sweep Histories.

To view a Scan History

In the Symantec System Center console, right-click a server group, server, or client, and then click All Tasks > Symantec AntiVirus > Logs > Scan History.

To view a Risk History

In the Symantec System Center console, right-click a server, server group, or client, and then click All Tasks > Symantec AntiVirus > Logs > Risk History.

To view a Tamper History

In the Symantec System Center console, right-click a server, server group, or client, and then click All Tasks > Symantec AntiVirus > Logs > Tamper History.

To view a Virus Sweep History

1. In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Logs > Virus Sweep History.
2. In the Virus Sweep History dialog box, click View Results to examine the results of previous sweeps.

Working with Histories

Working with Scan Histories

You can view history information and save the history data as a .csv or .mdb file. You can perform additional actions in the Scan History and the Risk History.

In the Scan History window, icons display information about any viruses or security risks that were found. You can also perform certain actions on viruses and security risks in the Scan History.

Note: You cannot perform actions on data. You can perform only limited actions on compressed files.

Table 8-4 describes the Scan History icons.

Table 8-4 Scan History icons

  The file is infected.
  The file is not infected. The file was never infected, or it has been cleaned. See the action taken on the file for more information.

Table 8-4 Scan History icons (continued)
  [icon]  Close the Scan History window.
  [icon]  Display item properties.
  [icon]  Save the data that is shown in the Scan History as a comma-separated value (.csv) file or as a Microsoft Access database file (.mdb).
  [icon]  Display Help for the Scan History.

Table 8-5 describes the actions available in the Scan History window.

Table 8-5 Scan History actions

Undo Action Taken
  Symantec Client Security can undo the last action that was taken on a file. This includes returning a file to its original location and state. Symantec Client Security cannot restore a file or a risk item that has been permanently deleted. You cannot undo actions on compressed files.

Clean (viruses only)
  Symantec Client Security definitions files are frequently updated. A file that you could not clean previously might be able to be cleaned when the definitions file is updated. You cannot perform this action on compressed files or items that are affected by security risks.

Delete Permanently
  You can permanently delete an infected file (including a compressed file) that is stored in the Quarantine or Scan History. Permanently deleted items cannot be recovered.
  Note: For security risks, use this action with caution, because in some cases, deleting security risks can cause applications to lose functionality.

Table 8-5 Scan History actions (continued)

Move To Quarantine
  If you determine that Symantec Client Security has left a file that is infected by a virus alone, you should move the file to the Quarantine so that the virus cannot spread. You can move compressed files and files that are affected by a security risk to the Quarantine. Security risks that are moved to the Quarantine are no longer active on your computer.

Export
  You can export information about a specific Scan History or Event Log item as a comma-separated value (.csv) file or as a Microsoft Access database (.mdb) file.

Properties
  You can view additional information about a specific Scan History or Event Log item.

In a Scan History, you can undo the last action that was taken on a file or risk, clean a file (viruses only), delete it permanently, or move the file to the Quarantine. You can also export Scan History data.

To undo the last action that was taken
  1 Double-click the entry.
  2 In the new dialog box that opens, right-click the file, and then click Undo Action Taken.
  3 In the Take Action dialog box, click Start Undo.

To clean an infected file
  1 Double-click the entry.
  2 In the new dialog box that opens, right-click a file, and then click Clean.
  3 In the Take Action dialog box, click Start Clean.

To delete an infected file permanently
  1 Double-click the entry.
  2 In the new dialog box that opens, right-click a file, and then click Delete Permanently.
  3 In the Take Action dialog box, click Start Delete.
  Permanently deleted files cannot be recovered.

To move a file to the Quarantine
  1 Double-click the entry.
  2 In the new dialog box that opens, right-click a file, and then click Move To Quarantine.
  3 In the Take Action dialog box, click Quarantine.

To export the Scan History data
  1 Double-click the entry.
  2 Right-click the file, and then click Export.
  3 In the Save as type list, select one of the following:
    - CSV (Comma Delimited) (*.csv)
    - Access Database (*.mdb)
  4 In the File name box, type a file name.
  5 Click OK.

Working with Risk Histories

In the Risk History window, icons display information about the viruses and security risks that were found. You can also perform certain actions on viruses and security risks in the Risk History. Figure 8-1 shows a Risk History with one risk entry.

Figure 8-1 Risk History

Note: You cannot perform actions on data. You can perform only limited actions on compressed files.

Table 8-6 describes the Risk History icons.

Table 8-6 Risk History icons
  [icon]  This file has been infected with a virus or security risk.
  [icon]  This file is not infected by a virus. The file was never infected, or it has been cleaned. See the action that was taken on the file for more information.
  [icon]  An error occurred in association with this file.
  [icon]  Close the Risk History window.

Table 8-7 describes the actions that are available in the Risk History window.

Table 8-7 Risk History actions

Undo Action Taken
  Symantec Client Security can undo the last action that was taken on a file or risk. This includes returning a file to its original location and state. Symantec Client Security cannot restore a file that has been permanently deleted. You cannot undo actions on compressed files.

Clean (viruses only)
  Symantec Client Security definitions files are frequently updated. A file that you could not clean yesterday or a few weeks ago might be able to be cleaned when the definitions file is updated. You cannot perform this action on compressed files or security risks.

Delete Permanently
  You can permanently delete any infected file (including a compressed file) that is stored in the Quarantine or Risk History. Permanently deleted files cannot be recovered.
  Note: For security risks, use this action with caution, because in some cases, deleting security risks can cause applications to lose functionality.

Move To Quarantine
  If you determine that Symantec Client Security has left an infected file alone, you should move the file to the Quarantine, so that the virus is unable to spread. You can move compressed files and files that are affected by a security risk to the Quarantine. Security risks that are moved to the Quarantine are no longer active on your computer.

Export
  You can export information about a specific Risk History or Event Log item as a comma-separated value (.csv) file or as a Microsoft Access database (.mdb) file.

Properties
  You can view additional information about a specific Risk History item.

You can undo the last action that was taken on a risk, clean a file (viruses only), delete it permanently, or move a file to the Quarantine. For security risks, you can access a Symantec Security Response Web page for more information about the security risk. You can also export the Risk History data.

To undo the last action that was taken
  1 Right-click a file, and then click Undo Action Taken.
  2 In the Take Action dialog box, click Start Undo.

To clean a virus-infected file
  1 Right-click a file, and then click Clean.
  2 In the Take Action dialog box, click Start Clean.

To delete a file permanently
  1 Right-click the file, and then click Delete Permanently.
  2 In the Take Action dialog box, click Start Delete.
  Permanently deleted files cannot be recovered.

To move a file to the Quarantine
  1 Right-click the file, and then click Move To Quarantine.
  2 In the Take Action dialog box, click Quarantine.

To see more information about a security risk
  1 Double-click the entry to view its properties.
  2 Click the link in the entry to view a Symantec Security Response Web page, which describes the security risk in detail and provides information about removal.

To export Risk History data
  1 Right-click the file, and then click Export.
  2 In the Save as type list, select one of the following:
    - CSV (Comma Delimited) (*.csv)
    - Access Database (*.mdb)
  3 In the File name box, type a file name.
  4 Click OK.

Viewing Risk properties

The Risk properties dialog box displays more information about a particular threat or security risk. Risk properties include all the actions that are taken to repair or remove a risk. Table 8-8 lists the Risk properties icons.

Table 8-8 Risk properties icons
  [icon]  Represents a file infected by a virus.
  [icon]  Represents a file or a COM object.
  [icon]  Represents a registry object.
  [icon]  Represents a process.
  [icon]  Represents a batch file.
  [icon]  Represents a .ini file.
  [icon]  Represents a service.

To view Risk properties
  1 Right-click a computer.
  2 Click All Tasks > Symantec AntiVirus > Logs > Risk History.
  3 In the Risk History dialog box, right-click a risk entry, and then click Properties.

Working with Tamper Histories

The Tamper History window displays information about the tampering problems that were found. You can view this information and save the data as a .csv or .mdb file. Table 8-9 describes the Tamper History icon.

Table 8-9 Tamper History icon
  [icon]  Represents an attempt to tamper with a Symantec application.

To export the Tamper History data
  1 Right-click the file, and then click Export.
  2 In the Save as type list, select one of the following:
    - CSV (Comma Delimited) (*.csv)
    - Access Database (*.mdb)
  3 In the File name box, type a file name.
  4 Click OK.

Working with Virus Sweep Histories

In the Virus Sweep History window, you can view and delete the results of previous virus sweeps, and start a new virus sweep.

Note: Virus sweeps also scan for security risks.

To run a virus sweep from the Virus Sweep History
  1 Click New Sweep.
  2 In the Name box, type a name for the sweep.
  3 If appropriate, click Options and set configuration options. The same configuration options are available for running a virus sweep as for running a manual scan. See Table 4-16.
  4 To find viruses and security risks more quickly, select the options under Scan Enhancements.
  5 Click Start.

Forwarding client and server logs

Symantec Client Security managed clients forward log data to their parent management servers. On managed clients, log forwarding runs continually. On sometimes-managed clients, log data accumulates in between connections to their parent management servers. Symantec Client Security monitors the client logs and provides fault-tolerant forwarding of them. The client logs are located in the following directory:

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus\7.5\Logs

Symantec Client Security tracks a client log throughout the forwarding process and handles delivery failures by resending the log when necessary. You can configure events to forward from a client to its parent management server, or from a secondary management server to its primary management server.

Configuring log forwarding options

You can configure log forwarding options by editing the client log forwarding registry values. You can reset values to achieve a balance between the log delivery speed and network performance. You can also set the amount of data that Symantec Client Security forwards from clients.

Log forwarding behavior is controlled by the values in the following registry key:

HKLM\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Common\ForwardEvents

Table 8-10 describes the registry values for client log forwarding.

Table 8-10 Client log forwarding registry key values

Subkey name   Data value   Description
Interval      n            Number of seconds between log record processing intervals. There is no minimum or maximum number.
Count         n            The number of records to process in each polling interval. There is no minimum or maximum number. The default is 10 records.

Configuring log events to forward

You can configure the events that you want Symantec Client Security to forward. Table 8-11 lists the client and server events in the order in which they appear in the Log Event Forwarding dialog box.

Table 8-11 Client and server events (event names only; the values of the Forwarding required and Forwarded by default columns did not survive transcription)
  - Scan stopped
  - Scan started
  - Virus definition update information

  - Virus infections
  - File not scanned
  - New virus definitions applied
  - Configuration change
  - Service shutdown
  - Service startup
  - Virus definitions downloaded from parent
  - File forwarded to Quarantine Server
  - File forwarded to Symantec
  - File backed-up/restored to/from Quarantine
  - Scan aborted
  - Error loading services
  - Services loaded
  - Services unloaded
  - Scan delayed
  - Scan restarted
  - License in warning period
  - License expired, invalid or does not exist
  - License in grace period
  - Unauthorized communication
  - Log forwarding error
  - License installed

  - License valid
  - Virus definition rollback
  - Client running without virus definitions
  - Tamper protection alert
  - Login failed
  - Login succeeded
  - Unauthorized communication (with certificate info)
  - AntiVirus installed
  - Firewall installed
  - Uninstall
  - Uninstall rolled-back
  - Primary Server created (root certificate created)
  - Server added to Server Group (certificates issued)
  - Trusted root certificate added or removed
  - Server startup failed due to certificate problem
  - Scan suspended
  - Scan resumed
  - Security risk detection started
  - Security Risk detection operation
  - Security Risk side effect repair pending

  - Security Risk side effect repair failed
  - Security Risk side effect repaired successfully
  - Security Risk detection completed

You can configure the events that are forwarded from a client to its parent management server, or from a secondary management server to its primary management server.

Note: If you change primary management servers, the log from the former primary management server is not forwarded to the new primary management server.

To configure events to forward from clients to their parent management servers
  1 In the Symantec System Center console, right-click a server, server group, or client, and then click All Tasks > Symantec AntiVirus > Logs > Client Log Forwarding.
  2 In the Log Event Forwarding dialog box, for quicker configuration, you can display only certain items in the list by selecting one of the following pre-configured options from the drop-down list:
    - All events (default)
    - Scanning and infection events
    - Virus definition events
    - Management and configuration events
    - Startup and shutdown events
    - Licensing events
    - Security related events
  3 Check the events that you want the clients to forward to their parent management servers.
  4 Click OK.

To configure events to forward from secondary management servers to their primary management servers
  1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Logs > Server Log Forwarding.
  2 In the Log Event Forwarding dialog box, for quicker configuration, you can display only certain items in the list by selecting one of the following pre-configured options from the drop-down list:
    - All events (default)
    - Scanning and infection events
    - Virus definition events
    - Management and configuration events
    - Startup and shutdown events
    - Licensing events
    - Security related events
  3 Check the events that you want the secondary management servers to forward to their primary management server.
  4 Click OK.

Best practice: configuring events to forward for sometimes-managed clients

For sometimes-managed clients, as a best practice, you can create a separate client group. See Creating client groups on page 82. After you create the client group for sometimes-managed clients, you can set log forwarding Windows registry values to do the following:
  - Forward the Virus definitions update information event only.
  - Poll at a high interval.
  - Count at a low value.

See Table 8-10 on page 260.
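The Interval and Count values from Table 8-10 and the sometimes-managed best practice above, as an added PowerShell example that is not part of the guide. It assumes the two values are REG_DWORD (the guide only says "n"), that the key may need to be created, and that it runs in an elevated Windows PowerShell session on the client; the sample numbers are constructed.

```powershell
# Added example, not from the Symantec guide: read and tune the client log
# forwarding values under the ForwardEvents key that the guide documents.
# Assumptions (not stated in the guide): the values are REG_DWORD, the key may
# be absent until created, and this runs elevated on the client. The sample
# numbers for a sometimes-managed client are constructed.

$ForwardEventsKey = 'HKLM:\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Common\ForwardEvents'

function Get-ClientLogForwarding {
    param([string]$KeyPath = $ForwardEventsKey)

    if (-not (Test-Path -Path $KeyPath)) {
        return [pscustomobject]@{ KeyExists = $false; Interval = $null; Count = $null }
    }
    $props = Get-ItemProperty -Path $KeyPath
    # Look the values up by name so a missing 'Count' value is not confused
    # with PowerShell's own Count member on the returned object
    $interval = $props.PSObject.Properties['Interval'].Value
    $count    = $props.PSObject.Properties['Count'].Value
    if ($null -eq $count) { $count = 10 }   # guide default: 10 records per pass

    [pscustomobject]@{
        KeyExists = $true
        Interval  = $interval               # seconds between processing passes
        Count     = $count                  # records processed per pass
    }
}

function Set-ClientLogForwarding {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][ValidateRange(1, 2147483647)][int]$Interval,
        [Parameter(Mandatory = $true)][ValidateRange(1, 2147483647)][int]$Count,
        [string]$KeyPath = $ForwardEventsKey
    )

    if ($PSCmdlet.ShouldProcess($KeyPath, "Set Interval=$Interval, Count=$Count")) {
        if (-not (Test-Path -Path $KeyPath)) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
        Set-ItemProperty -Path $KeyPath -Name 'Interval' -Value $Interval -Type DWord
        Set-ItemProperty -Path $KeyPath -Name 'Count'    -Value $Count    -Type DWord
    }

    # Upper bound on records the client can push per hour with these values:
    # one batch of Count records every Interval seconds. This is the
    # delivery-speed versus network-load trade-off the guide describes.
    [pscustomobject]@{
        Interval          = $Interval
        Count             = $Count
        MaxRecordsPerHour = [math]::Floor(3600 / $Interval) * $Count
    }
}

# Sometimes-managed clients (guide's best practice): a high interval and a low
# count, so an accumulated backlog drains slowly after the client reconnects.
# Constructed values; preview with -WhatIf, then drop it to apply.
Set-ClientLogForwarding -Interval 600 -Count 2 -WhatIf
Get-ClientLogForwarding
```

The event selection itself (for example, forwarding only the Virus definition update information event) is made in the Log Event Forwarding dialog box, not through these two registry values.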

Reviewing the forwarding status file

You can verify that a client log was forwarded and received by reviewing the default status log.

To verify that a client log was forwarded and received
  1 Open the following folder:
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus\7.5
  2 Use a text editor to open Fwdstat.log.

Deleting Histories and Event Logs

You can configure Symantec Client Security to automatically remove data that is older than a specified date from the Scan, Risk, Virus Sweep, and Tamper Histories, and from the Event Logs.

To set the delete frequency
  1 In the Symantec System Center console, right-click a server, server group, or client, and then click All Tasks > Symantec AntiVirus > Configure History.
  2 In the History Options dialog box, select the time period after which the Histories or Event Logs are deleted.
  3 Check Apply settings to clients not in Groups to apply the settings to the selected client or clients under the selected server or server group that are not members of client groups.
  4 Click OK.

This does not permanently remove data, but hides it in the History and Event Log views. To permanently delete History or Event Log records, delete the .log files that contain the event records. Events are recorded in .log files for each day of the week in a Logs directory. These files are named according to the day on which they were created.
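Because Configure History only hides records, permanent removal means deleting the daily .log files in the Logs directory named earlier in this chapter. The following added PowerShell example, not part of the guide, archives each file and verifies the copy before deleting it, so records stay available for incident reconstruction. It assumes files are selected by LastWriteTime (the guide only says they are named by creation day), uses a placeholder archive path, and needs Windows PowerShell 4 or later for Get-FileHash.

```powershell
# Added example, not from the Symantec guide: permanently remove History and
# Event Log records by archiving, verifying and then deleting the daily .log
# files. Assumptions (not in the guide): selection by LastWriteTime, a
# placeholder archive share, elevated session, Windows PowerShell 4 or later.

$SavLogDir = 'C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus\7.5\Logs'

function Remove-OldSavLogs {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$RetentionDays = 90,
        [string]$LogDir = $SavLogDir,
        # Placeholder archive location; keep copies for later investigation
        [string]$ArchiveDir = "\\ARCHIVE-SERVER\sav-logs\$env:COMPUTERNAME"
    )

    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    $old = Get-ChildItem -Path $LogDir -Filter '*.log' -File |
           Where-Object { $_.LastWriteTime -lt $cutoff }
    if (-not $old) { return }

    foreach ($file in $old) {
        if (-not $PSCmdlet.ShouldProcess($file.FullName, 'Archive and permanently delete history log')) {
            continue   # -WhatIf: report, touch nothing
        }
        if (-not (Test-Path -Path $ArchiveDir)) {
            New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
        }
        $dest = Join-Path -Path $ArchiveDir -ChildPath $file.Name
        Copy-Item -Path $file.FullName -Destination $dest -Force

        # Verify the archived copy before destroying the only other copy
        $srcHash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
        if ($srcHash -ne $dstHash) {
            Write-Warning "Archive copy of $($file.Name) does not match; original kept"
            continue
        }
        Remove-Item -Path $file.FullName

        [pscustomobject]@{
            File      = $file.Name
            LastWrite = $file.LastWriteTime
            Archived  = $dest
            Sha256    = $srcHash
        }
    }
}

# Preview the files that would be archived and deleted; drop -WhatIf to act
Remove-OldSavLogs -RetentionDays 90 -WhatIf
```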


Section 3 Configuring Symantec Client Security firewall protection

  - Managing policies
  - Using Location Awareness and Zones
  - Creating and testing rules
  - Using prules
  - Customizing Intrusion Prevention
  - Managing client log data
  - Creating network rulebases
  - Configuring Client Settings and Web Content settings


Chapter 9 Managing policies

This chapter includes the following topics:
  - About policies
  - Policy categories
  - About predefined policies and updates
  - Configuring policies and updates
  - Importing and exporting policies and updates
  - About importing and exporting
  - Merging rules and prules in policy files
  - Distributing policies
  - Supporting policies for legacy clients

About policies

Centralized firewall management lets you provide the maximum amount of firewall protection while minimizing maintenance and client user involvement. This is achieved by rolling out Symantec Client Firewall policies, which are sets of configured firewall rules and settings that govern firewall operation. Policy management lets you do the following:
  - Customize Symantec Client Firewall to better accommodate your organization's needs.
  - Configure Symantec Client Security clients differently for different groups, departments, or users in your organization.

  - Configure Symantec Client Security clients differently, depending on client location and network connection information, by using one policy file.
  - Update firewall rules to accommodate changing conditions on your corporate intranet and threats on the Internet.

Policies that are saved as compressed .cfp (Client Firewall Policy) files contain all of the firewall rules, Intrusion Prevention signatures, and configuration settings for a given policy. Policies that are saved as .xml files contain all of the configuration data that is in .cfp files, except Intrusion Prevention signatures. Updates, which are compressed .cfu (Client Firewall Update) files, contain firewall rules and Zones to add to policy files that are installed on Symantec Client Firewall. You can also save updates as uncompressed .xml files.

Policy categories

A policy file's configuration data is organized into policy categories. Each setting that you configure in Symantec Client Firewall Administrator or import from Symantec Client Firewall and save to a policy file is associated with a single policy category. A policy category consists of related configuration data that determines the actions that Symantec Client Firewall takes for a specific feature, rulebase, or collection of settings. Dividing the policy file into logical categories lets you control what information is saved to a policy, imported to Symantec Client Firewall Administrator, and processed by Symantec Client Firewall.

See Saving policies and updates on page 282.
See Importing and exporting policies and updates on page 283.

Key categories of a firewall policy include the following:
  - Properties
  - Rules
  - prules
  - prule settings
  - Zones
  - Locations
  - IPS signatures
  - IPS settings
  - Macros
  - Client Settings
  - Web Content settings
  - Profiling settings
  - File type settings

Properties

Properties are text that you add to identify the policy.

Rules

Firewall rules include General, Program, and Trojan rules.

General firewall rules apply to all network traffic that uses the TCP, UDP, and ICMP protocols. These rules are based on port numbers and IP addresses rather than on specific programs or Trojan horses, which are handled separately.

Program rules apply to specific client program traffic. You can configure a Program rule that is specific to traffic on a particular port or IP address, or one that applies to multiple ports and IP addresses.

Trojan horses are malicious programs that are disguised as useful programs. Symantec Client Firewall Administrator Trojan rules examine the network traffic of Symantec Client Firewall clients that access the Internet, looking for signs of these malicious programs. If one is detected, the firewall rule takes immediate action against this type of threat.

See About rules on page 317.

prules

Program rules are created when the firewall policy is rolled out. If all clients are similarly configured, this is an efficient method of providing uniform protection. If client computers use widely divergent sets of programs, prules are appropriate. With prules, or potential rules, data about programs is installed on the client computer, but the rules themselves are not created. When a program first attempts to access the Internet, the prule is invoked. If the program matches the prule criteria, then a new Program rule is created from the prule data on the client computer.

See About prules on page 345.

prule settings

With prule settings, administrators can customize the active list of prules that is associated with each configured Location. Network traffic of programs that match the inactive prules for a Location is automatically blocked by Symantec Client Firewall.

See About Location-aware prules on page 359.

Zones

With Zones, you can identify computers that you trust, and those that you want to restrict from accessing a client computer. You can also exclude computers from being blocked by IPS AutoBlock. You identify computers by their IP addresses. Following are some rules and guidelines for using Zones:
  - Computers that are in the Trusted Zone are not regulated by Symantec Client Firewall, and have general access to the client computer.
  - Computers that are in the Restricted Zone are prevented from accessing client computers.
  - Computers that are in the AutoBlock Exclusions are permitted to communicate with the client computer, but are still regulated by all other settings of the firewall policy.
  - Computers that are not placed in any Zone are regulated by all other settings of the firewall policy.
  - Use the Trusted Zone to list computers on your local network with which you need to share files and printers.
  - Add computers to the Restricted Zone that have attempted to attack computers in your organization. The Restricted Zone provides the highest level of protection provided by Symantec Client Security. Clients cannot interact with any computers that are in the Restricted Zone.
  - Place computers in the AutoBlock Exclusions if communication between the client and the attacking computer is critical to your business. Recognized attacks from computers that are listed in the AutoBlock Exclusions are still blocked by Symantec Client Firewall.
  - Settings for Rules, IPS monitoring, Web Content, Privacy Control, and Ad Blocking are ignored for Web sites with IP addresses that fall into Trusted Zones.

See Using Network Zones on page 312.

Locations

Locations are named collections of rules, prules, Zones, and settings. One Location is associated with one or more network connection specifications.
Network specifications include the following:
  - Symantec AntiVirus parent management server for managed Symantec Client Security clients
  - Gateway IP addresses for Ethernet connections
  - Dial-up phone numbers for modem connections
  - Service set identifiers (SSIDs) for wireless connections

When a client computer accesses a network in a way that matches a specified network connection, Symantec Client Firewall immediately enforces the Location rules, prules, Zones, and settings associated with that connection.

For example, many corporate computer users travel with laptop computers. They access networks locally when they are in the office, and they access networks remotely over VPNs when they travel. Typically, a policy for remote access is fairly restrictive for security reasons, and a policy for local access is relatively permissive because users need access to a variety of servers, printers, and so forth. To support traveling users who access corporate networks both locally and remotely over VPNs, you can configure two Locations in one policy file, and name them, for example, Local and Remote VPN. When the client connects to the network locally, Symantec Client Firewall detects the network activity specified for that access point and filters traffic by using the Local rules, prules, Zones, and settings. When the client connects to the network over a VPN, Symantec Client Firewall detects the network activity specified for that access point, and filters traffic by using the Remote VPN rules, prules, Zones, and settings.

See Using Locations on page 297.

IPS signatures

Symantec Client Firewall Intrusion Prevention is based on signatures. A signature defines or describes a network traffic pattern. Intrusion Prevention System (IPS) signatures detect traffic patterns that are derived from previously detected exploits or attacks, or an anomalous pattern that is outside of the realm of expected traffic patterns and could be destructive.
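The Zone rules and the Local / Remote VPN Location selection described above, as an added PowerShell model that is not part of the guide or the product. It assumes that a network specification is matched on an exact gateway IP, SSID, dial-up number or parent server name, and that an address listed in both the Restricted and Trusted Zones is treated as Restricted (the guide states no precedence); all policy data and addresses are constructed.

```powershell
# Added example, not from the Symantec guide: a model of how a Location is
# chosen from the current network connection and how that Location's Zones
# decide whether the firewall's other settings apply to a peer.
# Assumptions (not stated in the guide): exact-match network specifications;
# Restricted wins over Trusted for an address listed in both. All data is
# constructed.

# Constructed policy with the guide's two-Location "Local" / "Remote VPN" layout
$Policy = @{
    DefaultLocation = 'Default'
    Locations = @(
        @{
            Name     = 'Local'
            NetSpecs = @(
                @{ Type = 'Gateway'; Value = '10.1.0.1' },
                @{ Type = 'SSID';    Value = 'CORP-WIFI' }
            )
            Zones = @{
                Trusted             = @('10.1.0.20', '10.1.0.21')  # file and print servers
                Restricted          = @('198.51.100.7')            # host that attacked us before
                AutoBlockExclusions = @('10.1.0.50')               # business-critical peer
            }
        },
        @{
            Name     = 'Remote VPN'
            NetSpecs = @( @{ Type = 'Gateway'; Value = '172.16.0.1' } )
            Zones    = @{ Trusted = @(); Restricted = @('198.51.100.7'); AutoBlockExclusions = @() }
        }
    )
}

function Select-FirewallLocation {
    # Returns the first Location whose network specification matches the
    # connection; otherwise the Default Location, which carries no Zone entries
    param([hashtable]$Policy, [hashtable]$Connection)

    foreach ($loc in $Policy.Locations) {
        foreach ($spec in $loc.NetSpecs) {
            if ($spec.Type -eq $Connection.Type -and $spec.Value -eq $Connection.Value) {
                return $loc
            }
        }
    }
    return @{
        Name  = $Policy.DefaultLocation
        Zones = @{ Trusted = @(); Restricted = @(); AutoBlockExclusions = @() }
    }
}

function Get-ZoneDisposition {
    # Applies the guide's Zone rules to one peer address for the chosen Location
    param([hashtable]$Location, [string]$PeerAddress)

    $z = $Location.Zones
    $zone = 'None'
    if ($z.AutoBlockExclusions -contains $PeerAddress) { $zone = 'AutoBlockExclusions' }
    if ($z.Trusted -contains $PeerAddress)             { $zone = 'Trusted' }
    if ($z.Restricted -contains $PeerAddress)          { $zone = 'Restricted' }   # most restrictive wins

    [pscustomobject]@{
        Location         = $Location.Name
        Peer             = $PeerAddress
        Zone             = $zone
        # Restricted: the client cannot interact with the peer at all
        TrafficBlocked   = ($zone -eq 'Restricted')
        # Trusted: rules, IPS, Web Content, Privacy Control and Ad Blocking are skipped
        RulesAndIpsApply = ($zone -eq 'AutoBlockExclusions' -or $zone -eq 'None')
        # AutoBlock Exclusions: attacks are still blocked, but the peer is never AutoBlocked
        AutoBlockApplies = ($zone -eq 'None')
    }
}

# In the office: the gateway matches, so the Local Location applies
$local = Select-FirewallLocation -Policy $Policy -Connection @{ Type = 'Gateway'; Value = '10.1.0.1' }
foreach ($peer in '10.1.0.20', '198.51.100.7', '10.1.0.50', '203.0.113.9') {
    Get-ZoneDisposition -Location $local -PeerAddress $peer
}

# Unknown hotspot: nothing matches, so the Default Location with empty Zones
# applies and the former file server is filtered like any other host
$default = Select-FirewallLocation -Policy $Policy -Connection @{ Type = 'SSID'; Value = 'HOTEL-GUEST' }
Get-ZoneDisposition -Location $default -PeerAddress '10.1.0.20'
```

The output makes the Trusted Zone's cost visible: a trusted peer bypasses rules, IPS and Web Content entirely, so that list should stay short and be reviewed with the same care as the Restricted Zone.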
Symantec Client Firewall includes a new IPS engine and a corresponding set of IPS signatures that contain improvements to the intrusion prevention technology. To support earlier versions of Symantec Client Firewall, Symantec Client Firewall Administrator supports the following versions of IPS signatures:
  - v1.x signatures: Support earlier Symantec Client Firewall versions that have not been upgraded to the new IPS engine.
  - v2.x signatures: Support Symantec Client Firewall v8.6x by default. Earlier Symantec Client Firewall versions can use v2.x signatures by upgrading to the new IPS engine.

See About the Intrusion Prevention System on page 377.

See Supporting different versions of IPS engines and signatures on page 378.

IPS settings

You can exclude specified signatures from being processed. For example, you may not need protection against certain attack signatures because your environment does not contain the systems or components that they are known to attack. After you exclude an IPS attack signature, traffic that matches it can cross the firewall and is not logged. You can also exclude specific IP addresses for a signature. For example, the addresses may already be specified for automatic blocking by the firewall, or the threat from an IP address may have been eliminated and you want traffic from that IP address to flow across the firewall.

See About the Intrusion Prevention System on page 377.

Macros

The term macros is used to identify named port groups and named IP address groups that can be used for rules, prules, Zones, and IPS AutoBlock exclusions. Symantec Client Firewall Administrator lets you create a group, name it, and then add a list of ports or IP addresses. You can select this group when you configure rules or Zones to add ports or IP addresses quickly, without having to retype port numbers and IP addresses.

See Using port groups on page 333.
See Using address groups on page 336.

Client Settings

You can customize Client Settings for each firewall policy to enable or disable specific components of firewall protection. See About Client Settings on page 407. Table 9-1 describes the Client Settings.

Table 9-1 Client Settings

Permissions
  Determines the level of user interaction with Symantec Client Firewall by permitting or blocking the user's ability to modify firewall rules and settings, configure firewall behavior outside of administrator control, and view firewall data.

Degree of firewall protection
  Protects against potential Internet threats, such as ActiveX controls, Java applets, and traffic aimed at unused ports.

Intrusion Prevention
  Monitors inbound and outbound network traffic for packet patterns that are characteristic of an attack.

Protocol Filtering
  Extends Symantec Client Firewall protection by blocking the network traffic of less common IP protocols.

Configure Alerting
  Simplifies client alerting configuration by enabling administrators to choose from three predefined alerting options that determine which alerts, notifications, and messages can be viewed and acted on from Symantec Client Firewall.

Privacy Control
  Protects confidential information, blocks cookies, enforces browser privacy, and forces secure traffic (HTTPS).

Ad Blocking
  Stops ads from appearing in Web browsers based on originating source HTML strings.

Custom alerts
  Supports customizable text that appears in alert messages for IPS events, cookies, and so forth.

Web Content settings

You can customize Web Content settings for each firewall policy to control how the client handles interactive online content, ads, and possible privacy intrusions. Web Content options are arranged on the following tabs:
  - Global Settings
  - User Settings
  - Ad Blocking

Note: All Web Content filtering is performed on the ports that are specified in the HTTP Port List on the Client Settings tab. If this list is blank, the firewall does not enforce Web Content settings at all. Further, Web Content settings are ignored for computers placed in Trusted Zones.

See Web Content settings on page 439.

Profiling options

Symantec Client Firewall Administrator lets you export a policy file that causes Symantec Client Firewall to permit and log, or block and log, traffic that does not match a rule. You can then import these logs and create prules with data that you select.

See Using Profiling to generate prules and NetSpecs on page 365.

File version settings

Symantec Client Firewall Administrator lets you save policy files in .cfp and .xml formats to support the following firewall versions:
  - Symantec Client Firewall 5.x
  - Symantec Client Firewall 7.x and 8.x

Note: Location Awareness is not supported in versions earlier than 7.0. If you are creating policy files for use in versions earlier than 7.0, save them using the version 5.x option, do not enable Location Awareness, use the Default Location only, and configure required Location information only.

See Configuring required Location information on page 297.

About predefined policies and updates

Symantec Client Security supplies administrators with predefined firewall policies and updates that provide various levels of access and protection to your firewall clients. The policies and updates are located on the Symantec Client Security CD under Tools\PolicyFiles. The policy files are .xml files that contain all firewall configuration settings except prules and IPS signatures and settings. You can modify the predefined policies from Symantec Client Firewall Administrator before you update your clients.

Table 9-2 describes the available predefined firewall policies.

Table 9-2 Predefined firewall policies (Policy name: Description)

LowSecurity.xml: Provides the following protection and access:
- Blocks Trojan horse and intrusion attacks.
- Permits the inbound and outbound network traffic that is not specifically blocked by a firewall rule.
- Permits the users to view and configure all Symantec Client Firewall settings.
- Provides the legacy Symantec Client Firewall clients (5.x and 7.x) with administrator privileges. See Setting user access levels for legacy clients on page 435.

MediumSecurity.xml: Provides the following protection and access:
- Blocks Trojan horse and intrusion attacks.
- Prompts the user whether to permit or block the network traffic that is not specifically blocked by a firewall rule.
- Protects user privacy by alerting when private information is sent to the Web and by preventing Web sites from accessing personal information.
- Permits users to view and configure all Symantec Client Firewall settings.
- Provides the legacy Symantec Client Firewall clients (5.x and 7.x) with normal privileges. See Setting user access levels for legacy clients on page 435.

HighSecurity.xml: Provides the following protection and access:
- Blocks Trojan horse and intrusion attacks.
- Blocks the inbound and outbound network traffic that is not specifically permitted by the firewall.
- Protects user privacy by alerting when private information is sent to the Web and by preventing Web sites from accessing personal information.
- Permits users to view and configure all Symantec Client Firewall settings, except to clear firewall logs and reset statistics.
- Provides the legacy Symantec Client Firewall clients (5.x and 7.x) with normal privileges. See Setting user access levels for legacy clients on page 435.

VeryHighSecurity.xml: Provides the following protection and access:
- Blocks Trojan horse and intrusion attacks.
- Blocks the inbound and outbound network traffic that is not specifically permitted by the firewall.
- Blocks ActiveX Controls and Java Applets.
- Prevents user intervention by blocking all alerts and notifications.
- Permits users to view all Symantec Client Firewall settings, but restricts users from modifying the settings.
- Provides legacy Symantec Client Firewall clients (5.x and 7.x) with restricted privileges. See Setting user access levels for legacy clients on page 435.

Symantec-supplied policy updates are .cfu files that contain firewall rules and prules that permit traffic specific to a network environment. Table 9-3 describes the available predefined policy updates.

Table 9-3 Predefined policy updates (Update name: Description)

ad_ipsec.cfu: Contains rules and prules that are necessary for Symantec Client Firewall clients to function in an IPSec environment. This update is specifically helpful for the firewall clients that connect to your internal network through a VPN.

ad_rpc.cfu: Contains rules and prules that are necessary for Symantec Client Firewall clients to function in an Active Directory environment. This update lets firewall clients access network resources freely and securely.

outbound.cfu: Contains a firewall rule that allows all outbound TCP and UDP traffic from Symantec Client Firewall clients. Because Symantec Client Firewall implements stateful inspection of network traffic, the inbound traffic that replies to permitted outbound traffic is also permitted. See About stateful inspection on page 325.

Configuring policies and updates

Symantec Client Firewall Administrator is a policy configuration tool that tunes, customizes, and sets user-level settings. It is a separate program with its own user interface for firewall and system administrators to use. You use Symantec Client Firewall Administrator to create or import policy files for modification, and then save the policy files for distribution to Symantec Client Firewall. The most efficient method to create firewall policies is to install both Symantec Client Firewall and Symantec Client Firewall Administrator on the same computer. Typically, to prepare a policy, you install the software on a computer used by a specific user group or used at different locations. Different user groups and locations generally require different protection settings. For example, members of the accounting group may require different protection settings than members of the administrators group, and computers accessing the network remotely may require different protection settings than computers accessing the network locally.

To create a new policy, you can begin by creating a policy in Symantec Client Firewall Administrator and exporting it to Symantec Client Firewall, which overwrites the default policy file. Be sure to import and save the default policy file before you overwrite it. You can create different policies for rollout as necessary.

Note: Use a computer that reflects your typical network workstation as the basis for creating a policy. Do not use a computer with Symantec System Center installed because it requires firewall rules that are not appropriate for client workstations.

In Symantec Client Firewall Administrator, you can save a policy for distribution in the following formats:

.cfp: Stores all configuration information in a compressed policy file. If a policy contains IPS signatures, use the .cfp format only.

.xml: Stores all configuration information except IPS signatures in an .xml format file. If you create custom policies that are integrated during installation, use the .xml format. Also, you can create uncompressed update files with the .xml format.

.cfu: Stores configuration information about prules, General rules, and Trojan rules in a compressed update file. You can export this file to Symantec Client Firewall to insert new rules and prules without affecting other settings.

Note: You cannot include prule settings information in update files. If you customize prules for configured Locations, save your configuration information to a full policy file.

See Supporting different versions of IPS engines and signatures on page 378.

Creating and opening policies and updates

Customizing a policy with Symantec Client Firewall Administrator involves the following tasks:

- Opening an existing policy for modification or creating an entirely new policy in Symantec Client Firewall Administrator.

- Customizing the policy within Symantec Client Firewall Administrator to add, modify, or delete rules, prules, prule settings, Zones, Locations, IPS settings, Client Settings, and Web Content settings.
- Saving the modified policy as a .cfp, .xml, or .cfu file for distribution to firewall installations.

The Active Client is the local instance of Symantec Client Firewall that is installed on the same computer as Symantec Client Firewall Administrator. You can use the Active Client to help develop, test, and clarify the rules and configuration settings of a policy package.

Note: You can import and export locked rules, unlocked rules, or a combination of locked and unlocked rules by creating rules on the Active Client and importing them into Symantec Client Firewall Administrator. See About importing and exporting on page 285.

New policies and updates are created from the template, ScfaDefaultPolicy.cfp, which is installed in the \Program Files\Symantec\Symantec Client Firewall Administrator\Policies folder. The template contains IPS signatures and default firewall settings, but does not include rules or prules. Updates support only General rules, Trojan rules, and prules. Therefore, update files are empty by default. Updates are applied to all Locations, and provide a quick way to ensure protection against an active threat. After you export an update, you should add the updated information to your regular policy files that Symantec Client Firewall Administrator maintains.

ScfaDefaultPolicy.cfp is installed as a read-only file. If you remove the read-only attribute, you can save changes to the template that Symantec Client Firewall Administrator then applies to newly created policies and updates. For example, if General rules and prules are saved to ScfaDefaultPolicy.cfp, a new policy update is no longer empty, but is instead populated with the General rules and prules from the default policy. General settings changes that are saved to ScfaDefaultPolicy.cfp do not affect the default values when you reset General settings.

See Saving policies and updates on page 282.

Note: When viewing your file system directories in Symantec Client Firewall Administrator, you cannot select hidden files and folders. If you need to access a file or folder, make sure that the file or folder's hidden attribute is not selected.

To create a new policy

In Symantec Client Firewall Administrator, on the File menu, click New Policy.

To create a new update

In Symantec Client Firewall Administrator, on the File menu, click New Update.

To open an existing policy or update

1 In Symantec Client Firewall Administrator, on the File menu, click Open.
2 Navigate to the .xml, .cfp, or .cfu file.
3 Click Open.

Adding and editing policy descriptions

Symantec Client Firewall Administrator lets you describe policy files and display the description in the About Symantec Client Firewall Help dialog box on the client. The description is limited to 250 characters, and supports ASCII characters only. If you enable Location Awareness, the description includes the client computer's Active Location. If Location Awareness is disabled, the Active Location is listed as Default.

Note: Policy descriptions are disabled for .cfu policy update files. After an update, the text (Update) is appended to the policy description on the client.

To add or edit a policy description

1 In Symantec Client Firewall Administrator, on the File menu, click Policy Properties.
2 In the Properties window, under Description, do one of the following:
  - Type a policy description.
  - Edit the existing policy description.
3 Click OK.

Saving policies and updates

After you finish configuring a policy or update file, save it for later distribution to Symantec Client Firewall. By default, policy files are saved to the \Program Files\Symantec\Symantec Client Firewall Administrator\Policies folder on the computer on which Symantec Client Firewall Administrator is installed. You can, however, save policy files in any location. By using the Save As option, you can specify whether to save the policy as an .xml or .cfp policy file. The procedure for saving update files is the same as for saving policy files. You can save update files as compressed .cfu files or uncompressed .xml files.

Note: When saving policy files, you can selectively include prules and IPS signatures settings only. To save all other policy configuration data, check Policy in the File Save Data Selection dialog box.

To save a policy to the same policy file name

1 In Symantec Client Firewall Administrator, on the File menu, click Save.
2 In the File Save Data Selection dialog box, select the configuration data categories that you want the policy to contain.
3 Click OK. Only the selected categories are saved.

To save a policy to a new policy file name

1 In Symantec Client Firewall Administrator, on the File menu, click Save As.
2 In the File Save Data Selection dialog box, select the configuration data categories that you want the policy to contain.
3 Click OK. Only the selected categories are saved.
4 In the Save dialog box, type the location and file name for the policy.
5 In the Files of Type drop-down list, select one of the following file types:
  - Policy Packages (*.cfp)
  - XML files (*.xml)
  - Updated Packages (*.cfu)
6 Click Save.

Importing and exporting policies and updates

When you import settings from an existing policy, you have the option of importing all settings categories or selected settings categories. This convenience lets you build a new policy that uses existing settings that do not require change and configure only those categories that do require change. If you want to use Symantec Client Firewall to test and customize a policy or update that was created in Symantec Client Firewall Administrator, you must export the policy data.

Note: After exporting an update, you should add the updated information to your regular policy files that Symantec Client Firewall Administrator maintains.

Make sure that you install Symantec Client Firewall on the same computer as Symantec Client Firewall Administrator before you use the Export to Active Client option. When importing rules created on Symantec Client Firewall, rules associated with two or more Locations are identified on the Rules tab as being associated with Multiple Locations. This is also true for rules associated with all Locations on Symantec Client Firewall.

Note: When you import settings from the Active Client, IPS signatures are not available. Also, you can selectively include prules only. To import all other policy configuration data, check Policy in the File Import Data Selection dialog box. When exporting settings to the Active Client, you can selectively include prules and IPS signatures only. To export all other policy configuration data, check Policy in the Export Data Selection dialog box.

To import data from an existing policy into Symantec Client Firewall Administrator

1 In Symantec Client Firewall Administrator, on the File menu, click Import.
2 In the File Import Data Selection dialog box, select the categories of configuration data that you want to import.
3 Click OK.
4 In the File Import dialog box, select the policy file that contains the data you want to import.
5 Click Import.
6 If locked and unlocked rules are detected in the policy file that you want to import, in the Select Rule Set Content for Import dialog box, select one of the following:
  - Locked Only
  - Unlocked Only
  - Both
7 Click OK.

To import policy data from the Active Client

1 In Symantec Client Firewall Administrator, on the File menu, click Import from Active Client.
2 In the File Import Data Selection dialog box, select the categories of configuration data that you want to import.
3 Click OK.
4 If locked and unlocked rules are detected in the policy file that you want to import, in the Select Rule Set Content for Import dialog box, select one of the following:
  - Locked Only
  - Unlocked Only
  - Both
5 Click OK.

To export policy data to the Active Client

1 In Symantec Client Firewall Administrator, on the File menu, click Export to Active Client.
2 In the Export Data Selection dialog box, select the categories of configuration data that you want to export.
3 Click OK.

About importing and exporting

Note: The information about importing and exporting focuses on locked and unlocked rules, prules, Zones, and Locations, and assumes that you are proficient in creating rules, prules, Zones, and Locations. If you are not proficient, you may want to skip this information for now and refer back to it later.

Symantec Client Firewall Administrator is designed to manage administrative policies. If you give permissions that allow Symantec Client Firewall users to create rules, Zones, or Locations, the policy files that you import might contain both administrative and user content. When Symantec Client Firewall Administrator opens a policy file and imports content, it saves the content into a single policy file.

See About permissions on page 425.

Symantec Client Firewall Administrator lets you create locked or unlocked rules and prules, and locked and unlocked Zones. Symantec Client Firewall users, if permitted, can create only unlocked rules, Zones, and Locations. When you save a policy file in Symantec Client Firewall Administrator, the file contains the following administrative content:

- Locked or unlocked rules
- Locked and unlocked Zones
- Locked Locations only

If you import a policy file from Symantec Client Firewall, the file might contain both administrative and user content. When Symantec Client Firewall Administrator imports policy files, it distinguishes between administrative and user content, then must determine what content to import into Symantec Client Firewall Administrator. To successfully use importing and exporting, you need to understand the logic behind locked and unlocked settings. Specifically, you must understand when rules and Locations are deleted and preserved, what type of Location information gets imported under certain conditions, what Location configuration settings allow users to select or create Locations, and the processing order of locked and unlocked Zones.

About importing and exporting rules and prules

If you permit Symantec Client Firewall users to create rules by giving them the relevant permissions on the Permissions tab, these rules are unlocked. A policy file that contains administrative and user content can have a combination of locked and unlocked rules. When Symantec Client Firewall Administrator imports the rulebase, it uses the following logic:

- If it detects one or more locked rules and doesn't detect any unlocked rules, it assumes that a locked administrative rulebase is configured in this policy. Symantec Client Firewall Administrator then imports the locked rulebase.
- If it doesn't detect any locked rules but does detect unlocked rules, it assumes that an unlocked administrative rulebase is configured in this policy. Symantec Client Firewall Administrator then imports the unlocked rulebase.
- If it detects locked and unlocked rules, it assumes that a locked administrative rulebase and user-created rules are configured in this policy. Symantec Client Firewall Administrator then gives the administrator the option to import only locked or unlocked rules, or to merge the locked and unlocked rules and import them into a single locked rulebase.

Note: If you are viewing a policy file in Symantec Client Firewall Administrator and you import settings, you overwrite the viewed policy. Typically, you should create a new policy, and then import policy items from other files or computers.

Table 9-4 shows possible client configurations for rules and prules, and the results of importing these configurations to Symantec Client Firewall Administrator.

Table 9-4 Importing rules and prules (Client configuration: Administrator result)

Contains locked rules only: Imports all rules.
Contains locked and unlocked rules: Gives you the option to import only locked or unlocked rules, or to merge the locked and unlocked rules and import them into a single locked rulebase.
Contains unlocked rules only: Imports all rules.
Contains prules: Imports all prules.

When you import unlocked rules, or choose to import locked and unlocked rules from Symantec Client Firewall, the rule setting Delete unlocked rules on policy integration is always enabled when importing completes. Be sure to verify that this setting is what you want before exporting the imported rulebase. If you subsequently create a locked rulebase, you can disable this function.

See Configuring rule lock settings on page 331.

Table 9-5 shows possible administrator configurations for rules and prules, and shows the results of exporting these configurations to Symantec Client Firewall.

Table 9-5 Exporting rules and prules (Administrator configuration: Client result)

One or more prules: Deletes all existing prules and adds the new prules.
One or more unlocked rules: Deletes all existing locked and unlocked rules and adds the new unlocked rules.
One or more locked rules: Deletes all existing locked rules and adds the new rules. Administrators can enable or disable the setting for Delete unlocked rules on policy integration.

Table 9-5 Exporting rules and prules (continued)

Locked rules that match unlocked rules on the client: Merges the locked rules with the unlocked rules and creates duplicates. Locked rules are processed first.

Note: A setting exists for rules that deletes unlocked rules when exporting (policy integration).

About importing and exporting Locations

All Locations that were created in Symantec Client Firewall Administrator are locked after they are exported to Symantec Client Firewall. Symantec Client Firewall users cannot delete locked Locations. If you permit client users to create Locations, these Locations are unlocked when they are created in Symantec Client Firewall. You can delete these Locations during export by using a setting on the Locations Settings tab. Table 9-6 shows possible client configurations for locked and unlocked Locations and the results of importing these configurations to Symantec Client Firewall Administrator.

Table 9-6 Importing Locations (Client configuration: Administrator result)

Contains locked Locations only: Imports all Locations, associated network connections, and Zones.
Contains locked and unlocked Locations: Imports locked Locations, associated network connections, and Zones only. Imports network connections associated with unlocked Locations and places them in the Unassigned Connections Location.

About importing and exporting Location Awareness settings

You use Location Awareness to cause client computers to use different rulebases and Zones when they connect to networks from different locations. However, if you do not set a Primary Location and if you do not correctly set other Location settings, Symantec Client Firewall prompts users to select a Location when it detects a new network connection. As a result, users must be trusted to select the correct Location. The Location-specific setting Allow New Connections affects whether users are prompted to select a Location. When you set a Primary Location, the Allow New Connections setting is disabled for all existing Locations. When you create a Location and enable this setting, the Primary Location disappears.

The following global settings affect whether users are prompted to create or select an unlocked Location that allows new connections:

- Allow user to create locations.
- Delete unlocked locations on policy integration.

If you want to ensure that users cannot select or create Locations, there are several configuration possibilities that can provide this result. Table 9-7 shows a few setting combinations and what happens on the client when Symantec Client Firewall detects unrecognized network connections.

Table 9-7 Exporting Locations

Administrator configuration: Allow New Connections: Yes (Location Specific); Allow user to create locations: Yes (Global); Delete unlocked locations: Yes (Global)
Client result: Prompts users to select locked Locations that allow new connections or create a new Location to associate with unrecognized network connections.

Administrator configuration: Allow New Connections: Yes (Location Specific); Allow user to create locations: Yes (Global); Delete unlocked locations: No (Global)
Client result: Prompts users to select locked or unlocked Locations that allow new connections or create a new Location to associate with unrecognized network connections.

Administrator configuration: Allow New Connections: No (Location Specific); Allow user to create locations: Yes (Global); Delete unlocked locations: Yes (Global)
Client result: Prompts users to create a new Location to associate with unrecognized network connections.

Administrator configuration: Allow New Connections: No (Location Specific); Allow user to create locations: No (Global); Delete unlocked locations: Yes (Global)
Client result: Does not prompt users to select or create Locations. Uses the Location associated with recognized network connections or the Default Location or Primary Location for unrecognized network connections.

About importing and saving the default client policy file

The default Symantec Client Firewall Administrator policy file does not contain rules, prules, or Locations, unlike the default Symantec Client Firewall policy file. After you export a policy file that includes a locked rule or Location to Symantec Client Firewall, you lose the ability to import the default client policy information into Symantec Client Firewall Administrator. The first action that you should take with Symantec Client Firewall Administrator after installing Symantec Client Firewall is to import the client policy file and save it.

Merging rules and prules in policy files

Symantec Client Firewall Administrator lets you merge rules and prules that are contained in two policy files. The purpose of the merge feature is to let you modify rather than overwrite a rulebase. Specifically, merging modifies existing rules and inserts new rules. The act of merging affects General rules, Program rules, Trojan rules, and prules only. No other policy settings are affected. Merging rules does not create a third policy file. Instead, it updates the currently viewed file using the contents of a second file. For example, two policy files, A and B, both contain five identical rules. You modify two of the five rules in B, add three rules to B, and then merge B into A. The merge modifies policy file A by changing two rules and adding three rules, reflecting the changes made to policy file B. Furthermore, rules are never deleted during a merge. So if policy file A in this example had contained an additional 15 rules not contained in B, the merge would have modified file A the same way by changing two rules and adding three rules only.

Note: During a merge, confirmation prompts appear before rules are added and modified.

To modify rules, you must understand how the merge utility determines rule identity, which differs across the rule types. If you change rule identity, the rule is considered new and is not modified in the destination file during a merge. For example, suppose that policy files A and B contain one identical General rule. You modify the rule in B by changing the description field, and then merge B into A. The merge modifies policy file A by inserting the rule contained in B, and A now contains two rules. Table 9-8 shows the identifiers for the four rule types.
Table 9-8 Rule identifiers (Rule type: Identifiers)

General: Description
Program: The following identifies a Program Rule: the file name and associated file location, and the file MD5 hash, which changes with different versions.
Trojan: Description
prule: The following identifies a prule: the file name and the description.

If you do not use different Locations and use the Default Location only, you do not need to understand how rules are merged for different Locations. If you do use different Locations, you need to understand this information. Symantec Client Firewall Administrator handles rules and Locations in the following ways (the source policy file contains the rules that are merged with the target policy file):

- The target file's Locations settings are preserved during the merge process. If a Location exists in the source file, but does not exist in the target file, the Location is not incorporated into the target file's Locations settings.
- When modifying an existing rule, the target rule's active Locations are preserved. Locations that are common to the source and target files, and are activated in the source rule only, are applied to the corresponding target rule when the files are merged. Locations that are unique to the source file are ignored.
- If you are adding a new rule, the rule is applied to the active source rule Locations that are common to the source and target files. If source rules have no matching Location assignments or no Location assignments at all, such as rules merged in from older versions, they are copied to the target file, but are disabled until they are assigned a Location.
- If the source rule specifies All Locations, that setting is preserved in the target rule only when the source file's Locations settings contain at least all the Locations that are configured in the target file. If one or more Locations are configured in the target policy file that are not included in the source rule, the Locations for the target rule are applied individually.

You can use the merge utility to manage the policy files that Symantec distributes. For example, if you customize the default policy file, receive an updated policy file, and then want to incorporate your customizations into the updated policy file, you can use the merge utility to accomplish this task. A good way to explore how this utility works is to open two instances of Symantec Client Firewall Administrator, and then create, save, and modify policy files in both instances and practice merging.

To merge rules and prules in policy files

1 In Symantec Client Firewall Administrator, click File > Open.
2 In the File Open dialog box, navigate to and select the policy file to modify, and then click Open.
3 Click File > Merge.
4 In the File Open dialog box, navigate to and select the policy file to merge into the displayed file.
5 Click Open.
6 In the Merge Options window, select one of the following:
  - All Rules
  - Modified Rules Only
7 In the Confirmation window, respond to the provided information as appropriate.

Distributing policies

Policy distribution is the process of rolling out a new policy to one or more groups of Symantec Client Firewall clients. You can create a new policy, use an existing or predefined policy, or further customize a predefined policy to distribute to your client computers.

See About predefined policies and updates on page 276.

Distribution mechanisms include the following:

- Symantec System Center
- Fio.exe policy import/export tool
- Web-based policy package distribution
- Third-party distribution tools
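The merge behaviour described under Merging rules and prules in policy files (rule identity from Table 9-8, modify-or-insert with no deletions, and the Location handling for existing and new rules) modelled as an added example; this is not Symantec code, and the Rule and PolicyFile classes, their field names, and the "ALL" sentinel for All Locations are assumptions made for illustration.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, Set, Tuple, Union

# Assumed sentinel for a rule that specifies All Locations.
ALL_LOCATIONS = "ALL"
Locations = Union[str, Set[str]]


@dataclass
class Rule:
    """One General, Program or Trojan rule, or one prule (field names are assumed)."""
    rule_type: str                     # "General", "Program", "Trojan" or "prule"
    description: str = ""
    file_name: str = ""                # Program rules and prules
    file_path: str = ""                # Program rules: associated file location
    md5: str = ""                      # Program rules: changes with each file version
    settings: Dict[str, str] = field(default_factory=dict)   # action, direction, ...
    locations: Locations = field(default_factory=set)       # active Locations or ALL
    enabled: bool = True

    def identity(self) -> Tuple[str, ...]:
        """Identity per Table 9-8: changing any identifier makes the rule 'new'."""
        if self.rule_type == "Program":
            return ("Program", self.file_name, self.file_path, self.md5)
        if self.rule_type == "prule":
            return ("prule", self.file_name, self.description)
        return (self.rule_type, self.description)          # General and Trojan


@dataclass
class PolicyFile:
    """Rules keyed by identity, plus the Locations configured in the file."""
    locations: Set[str]
    rules: Dict[Tuple[str, ...], Rule] = field(default_factory=dict)

    def add(self, rule: Rule) -> None:
        self.rules[rule.identity()] = rule


def active_locations(rule: Rule, policy: PolicyFile) -> Set[str]:
    """Locations a rule is active in, expanding All Locations to the file's set."""
    if rule.locations == ALL_LOCATIONS:
        return set(policy.locations)
    return set(rule.locations)


def merge(target: PolicyFile, source: PolicyFile) -> Tuple[int, int]:
    """Merge source into target in place; returns (modified, added). Never deletes."""
    common = target.locations & source.locations      # target's Locations are kept
    modified = added = 0
    for key, src in source.rules.items():
        src_active = active_locations(src, source)
        # All Locations survives only if the source file knows every target Location.
        keep_all = src.locations == ALL_LOCATIONS and source.locations >= target.locations
        if key in target.rules:
            dst = target.rules[key]
            if dst.locations == ALL_LOCATIONS or keep_all:
                new_locs: Locations = ALL_LOCATIONS
            else:
                # Target rule's Locations are preserved; add common ones active in source.
                new_locs = set(dst.locations) | (src_active & common)
            if dst.settings == src.settings and dst.locations == new_locs:
                continue                               # identical rule, nothing to do
            dst.settings = dict(src.settings)
            dst.locations = new_locs
            modified += 1
        else:
            new_locs = ALL_LOCATIONS if keep_all else (src_active & common)
            # A rule with no matching Location is copied but disabled until assigned one.
            target.add(replace(src, settings=dict(src.settings),
                               locations=new_locs, enabled=bool(new_locs)))
            added += 1
    return modified, added


def worked_example() -> Tuple[int, int, int]:
    """The A/B scenario from the text; returns (modified, added, rules now in A)."""
    a = PolicyFile(locations={"Default"})
    b = PolicyFile(locations={"Default"})
    for i in range(1, 6):                              # five identical General rules
        for pf in (a, b):
            pf.add(Rule("General", description=f"rule {i}",
                        settings={"action": "permit"}, locations={"Default"}))
    for i in (1, 2):                                   # modify two rules in B
        b.rules[("General", f"rule {i}")].settings["action"] = "block"
    for i in range(6, 9):                              # add three rules to B
        b.add(Rule("General", description=f"rule {i}",
                   settings={"action": "permit"}, locations={"Default"}))
    modified, added = merge(a, b)
    return modified, added, len(a.rules)               # (2, 3, 8)
```

Running worked_example() reproduces the text's count of two modified and three added rules; merging the same files a second time changes nothing, which is the property that lets you re-merge your customizations into each updated policy file Symantec distributes.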

How policy distribution affects Locations, rules, and settings

When a policy file is distributed to Symantec Client Firewall, the previous settings used by clients are modified by those in the new policy according to the following precedence rules:

- All Client and Web settings are replaced.
- All Intrusion Prevention System exclusion data is replaced.
- All prules are replaced.
- Rules, Zones, and Locations may or may not be deleted depending on their deletion settings on the associated Settings tabs.

See About importing and exporting on page 285.

A policy may include only subsets of data from one or more of the policy categories. If a category is not included in the policy update, the existing client data for that category or group of categories is preserved.

Using Symantec System Center to distribute policy files

Symantec System Center lets you distribute policy files to client computers that run Symantec Client Firewall.

To use Symantec System Center to distribute policy files

1 On the Windows taskbar, click Start > Programs > Symantec System Center Console > Symantec System Center Console.
2 Unlock the server group that contains the firewall clients that you want to update.
3 Right-click the server group, client group, or parent management server to which you want to distribute the policy file, click All Tasks > Symantec Client Firewall, and then do one of the following:
  - If you right-clicked a server group, click Update All Policy Now to update all the firewall clients in the server group.
  - If you right-clicked a client group, click Update Client Policy Now to update all the firewall clients in the client group.
  - If you right-clicked a parent server, click Update Client Policy Now to update all the firewall clients that are managed by the parent server, but are not assigned to a client group.
4 In the File Open dialog box, select the policy file that you want to distribute, and click Open.
5 In the Symantec Client Firewall Management Snap-In dialog box, click OK.

Using the policy file import/export utility

Fio.exe is a command-line utility that is installed with Symantec Client Firewall. You must have system administrator rights to run Fio.exe. You can use it to import .cfp, .xml, and .cfu files. Additionally, you can use Fio.exe to export the policy to an .xml file only. Fio.exe must be run on the client computer. Policies exported to .xml files do not include IPS signatures.

Generally, you want to use the Symantec System Center as the distribution mechanism for updating policies. Use of the file import/export utility is usually restricted to special situations, such as when you want to save a policy and Symantec Client Firewall Administrator is not available, or when a policy needs to be updated and Symantec Client Firewall is either unmanaged or the Symantec System Center is not currently managing that Symantec Client Firewall.

The command syntax for the file import/export utility is as follows (specify either I or O; parameters in brackets are optional):

  fio.exe I | O filename [/DisplayProgress] [/Log]

When Fio.exe runs, it updates Symantec Client Firewall automatically. Table 9-9 describes the parameters.

Table 9-9 File import/export utility parameters
  I: Imports the specified .cfp, .xml, or .cfu file.
  O: Exports the rules and configuration settings from the current Symantec Client Firewall to an .xml file.
  filename: Name of the .xml, .cfp, or .cfu file. Export supports .xml files only. If the policy file does not reside in the same directory as Fio.exe, you must specify the fully qualified path to the policy file. If any directory or filename contains spaces, enclose the path in quotation marks.
  /DisplayProgress: Displays the Progress dialog box.
  /Log: Creates a log file named Fio.log in the directory from which Fio.exe is run.

For example, to import all properties from a file named NewAdminPkg.cfp and display the Progress dialog box, you would type the following at a command prompt:

  fio I c:\admin\packages\newadminpkg.cfp /DisplayProgress

To export all properties except IPS signatures to a file named NewAdminPkg.xml and not display the Progress dialog box, you would type the following at a command prompt:

  fio O c:\admin\packages\newadminpkg.xml

Note: Use the latest version of Fio.exe to import and export policies to all versions of Symantec Client Firewall. You cannot update the latest version of Symantec Client Firewall with an earlier version of Fio.exe.

Supporting policies for legacy clients

If your environment contains multiple versions of Symantec Client Firewall, your policy file might contain settings that cannot be imported or merged into versions older than Symantec Client Firewall 7.x. As the firewall administrator, you might need to configure and manage separate policy files for these clients until they are upgraded to a later version. See Supporting different versions of IPS engines and signatures on page 378. See Setting user access levels for legacy clients on page 435.

Configuring policies for legacy clients

Symantec Client Firewall legacy clients that are earlier than version 7.x do not support policy files that contain multiple Locations, Web Content, or macros. By default, Symantec Client Firewall Administrator does not save Web Content settings to legacy policy files.

To configure and save policy files for legacy clients
1 In Symantec Client Firewall Administrator, on the File menu, click Open.
2 In the File Open dialog box, select the policy file to modify, and then click Open.
3 In Symantec Client Firewall Administrator, on the Locations tab, configure the settings that are associated with the Default Location only.
4 Delete all address and port groups on the following tabs:
  - Zones
  - Rules
  - prules
5 In Symantec Client Firewall Administrator, on the Rules tab, on the Settings tab, next to Rule set is, click Locked.
6 On the File menu, click Save.
7 In the File Save Data Selection dialog box, select the configuration data categories that you want the policy to contain, and then click Symantec Client Firewall v5.x.
8 Click OK.
The selected categories are saved.

Merging rules in legacy policy files

Legacy policy files support merging all rules in the policy. You cannot merge modified rules from legacy policy files.

To merge legacy policy file rules
1 In Symantec Client Firewall Administrator, on the File menu, click Open.
2 In the File Open dialog box, select the policy file to modify, and then click Open.
3 On the File menu, click Merge.
4 In the File Open dialog box, select the legacy policy file to merge into the displayed file.
5 Click Open.
6 In the Merge Options dialog box, click All Rules.
7 In the Confirmation dialog box, respond to the provided information as appropriate.

Chapter 10 Using Location Awareness and Zones

This chapter includes the following topics:
  - Using Locations
  - Using Network Zones

Using Locations

Locations let you configure rules, prules, Zones, and Location settings for specific network connections made by Symantec Client Firewall. For example, you might have a specific collection of rules, prules, Zones, and Location settings that you want Symantec Client Firewall to enforce when a client connects to a network using a remote wireless connection, and you may have another collection that you want Symantec Client Firewall to enforce when a client connects to a network using a local Ethernet connection. One policy file can be configured with different information for up to 32 Locations.

The following two primary activities are associated with using Locations:
  - Configuring required Location information
  - Implementing Location Awareness

Configuring required Location information

Location Awareness is the term used to describe the feature that lets you install different collections of rules, prules, and Zones automatically based on client network connection activity. All Symantec Client Firewall Administrator users must understand how to configure required Location information, even if Location Awareness is disabled.

One Location exists after initial Symantec Client Firewall Administrator installation and is called Default. The Default Location is used when Location Awareness is disabled, and certain Global and specific settings for the Default Location are enforced on Symantec Client Firewall. The Default Location also plays a role when Location Awareness is enabled. Furthermore, if you permit client users to create Locations, all rules, prules, and Zones associated with the Default Location are automatically created in the user-created Locations.

Note: If you are a new user of Symantec Client Firewall Administrator, do not enable Location Awareness until you are comfortable with configuring and testing rules, prules, and Zones.

Location Awareness is disabled upon initial installation. If you do not enable Location Awareness, the information for configuring required Location information is all that you need to configure the Default Location for use with Symantec Client Firewall Administrator.

Configuring required Location information involves the following tasks:
  - Specifying global settings for Locations
  - Specifying default settings for Locations
  - Specifying Location-specific settings

Specifying global settings for Locations

Global Location settings specify whether Location Awareness is enabled or disabled, whether Locations can be created by users, and whether the Locations persist after importing a new policy. You use the Enable Network Detector check box on the Settings tab to enable and disable Location Awareness. Figure 10-1 shows the global settings for Locations.

Figure 10-1 Global settings for Locations

When Location Awareness is enabled, all rules, prules, Zones, and settings that are configured for Locations are enforced on Symantec Client Firewall. When Location Awareness is disabled, all rules, prules, Zones, and settings that are configured for the Default Location are enforced on Symantec Client Firewall. If you enable Location Awareness and disable Symantec Client Firewall, Location Awareness remains enabled.

If you are not going to use Location Awareness, configure all rules, prules, Zones, and Location settings for the Default Location. Additionally, the Default Location rules, prules, and Zones are copied to new Locations that the Symantec Client Firewall user creates. You can disable this feature on the Settings tab with the Allow user to create locations check box.

All Locations exported to Symantec Client Firewall are locked. The client user cannot delete the exported Locations. See About importing and exporting on page 285.

Table 10-1 describes the global settings for Locations.

Table 10-1 Global settings for Locations
  Enable Network Detector
    Checked: Enables Location Awareness, and the Location configuration installed in Symantec Client Firewall is based on network connectivity.
    Unchecked: Disables Location Awareness, and the Default Location configuration is enforced on Symantec Client Firewall.
  Allow user to create locations
    Checked: Allows users to create new Locations. New Locations that they create are created as copies of the Default Location configuration.
    Unchecked: Does not allow any user to create new Locations.
  Delete unlocked locations on policy integration
    Checked: Deletes user-created Locations on Symantec Client Firewall when the new policy is installed. User-created Locations are always unlocked.
    Unchecked: Does not delete user-created Locations on Symantec Client Firewall when the new policy is installed.

To specify global settings for Locations
In Symantec Client Firewall Administrator, on the Locations tab, on the Settings tab, check or uncheck the following options:
  - Enable Network Detector
  - Allow user to create locations
  - Delete unlocked locations on policy integration

Specifying default settings for Locations

The default settings for Locations populate a Location-specific setting that you can select for any Location that is created with Symantec Client Firewall Administrator. The setting that you select as a default appears in parentheses next to the words Use Default. For example, if you set Allow New Zones to No, the option Use Default (No) appears as a selection. When you change a Default Setting, the setting is automatically changed for all Locations that specify Use Default. Table 10-2 describes the default settings for Locations.

Table 10-2 Default settings for Locations
  Rule Exception Handling
    Prompt: Prompts the user to decide whether to permit or block network activity that is not covered with a rule or prule.
    Block: Blocks network activity that is not covered with a rule or prule without prompting the user and without creating a rule.
    Permit: Permits network activity that is not covered with a rule or prule without prompting the user and without creating a rule.
    Note: If the active Location contains Location-aware prules, network activity that matches a prule that is not associated with the active Location is blocked. If a prule does not exist for a certain program, the Rule Exception Handling setting determines Symantec Client Firewall actions. See Creating prule exceptions for Locations on page 360.
  Auto Rule Creation
    Enabled: Creates a Program rule from a prule when network activity is defined by a prule but not covered with a rule.
    Disabled: Does not create a rule from a prule when network activity is defined by a prule but not covered with a rule.
  Enable Firewall
    Yes: Enables the firewall when the settings for this Location are applied if the firewall is currently disabled.
    No: Leaves the firewall in its current state, either enabled or disabled, when the settings for this Location are applied.
  Allow New Connections
    Yes: Lets users add and clear connections for this Location.
    No: Does not let users add or clear connections for this Location.
  Allow New Zones
    Yes: Lets users with proper Permissions add and delete Zones for this Location.
    No: Does not let users add or delete Zones for this Location.

Note: When you set Rule Exception Handling to Permit, processing overhead on Symantec Client Firewall may be unacceptable on computers that are slower than 1 GHz. Generally, you use this feature when Profiling only. See Using Profiling to generate prules and NetSpecs on page 365.

To specify default settings for Locations
1 In Symantec Client Firewall Administrator, on the Locations tab, on the Connection Management tab, under Locations and Connections, click (Default).
2 Click Edit.
3 In the Edit Location window, click Edit Defaults.
4 In the Edit Defaults window, select the settings to apply to all Locations that use the Use Default setting.
5 Click OK.

Specifying Location-specific settings

Individual settings exist for each Location. Whether Location Awareness is enabled or disabled, you should specify settings for the Default Location because all Locations that are created with Symantec Client Firewall receive Default Location settings.

To specify Location-specific settings
1 In Symantec Client Firewall Administrator, on the Locations tab, on the Connection Management tab, under Locations and Connections, select a Location, and then click Edit.
2 In the Edit Location window, under Location-specific Settings, select the settings to apply to this Location, and then click OK.
If you select Use Default for any setting, the setting is changed whenever the default is changed in the Edit Defaults window.

Implementing Location Awareness

To implement Location Awareness, you associate rules, prules, and Zones with one or more Locations. Implementing and managing Location Awareness involves the following tasks:
  - Understanding NetSpecs
  - Discovering NetSpecs
  - Prioritizing NetSpecs
  - Profiling NetSpecs
  - Adding new Locations
  - Adding NetSpecs to Locations
  - Moving NetSpecs between Locations
  - Selecting a Primary Location
  - Enabling the Network Detector
  - Deleting Locations

Symantec Client Firewall Administrator supports versions of Symantec Client Firewall earlier than version 7.x that do not support Location Awareness and that use Default Location information only.

About NetSpecs

To activate the rules, prules, Zones, and settings that are associated with new Locations, you must understand how the clients access the network from the Locations. After you understand how the clients access the network, you must associate network connection information with the Location, which acts as a triggering mechanism for loading the associated rules, prules, and Zones. Table 10-3 lists and describes the connection options that you can associate with a Location.

Table 10-3 Connection options (NetSpec, with its target and value format, followed by a description)
  Gateway MAC Address (target: Gateway; format: MAC address)
    MAC address of the default gateway. Display using the command arp -a. For example: ac-de-48-0e-c6-ab
  Gateway IP Address (target: Gateway; format: IP address)
    IP address of the default gateway. Display using the command ipconfig /all.
    Note: Private IP addresses are not valid for this NetSpec and do not trigger Location Awareness if they are associated with a Location. Private addresses are not routable on the Internet and fall into three reserved address ranges.
  Subnet Address (target: Client; format: IP address:subnet mask)
    Network address and subnet mask. Display the current IP address and subnet mask using the command ipconfig /all. The network address is the first address in the subnet, which you derive from the client's IP address and subnet mask.
  Domain (target: Client; format: String)
    Connection-specific DNS suffix. Display using the command ipconfig /all. For example: symantec.com. A wildcard, specified by an asterisk, can replace the beginning of the domain name to specify multiple domains. For example, *.symantec.com would include security.symantec.com, sales.symantec.com, and so forth.
  SSID (target: Gateway, Client; format: String, 32 characters maximum)
    Identifier used for wireless networking. Display using Network Adapter Properties. For example: wireless
  Dialup Number (target: Gateway; format: String)
    Phone number used for remote access. Display using Adapter Properties.
  Dialup Entry Description (target: Client; format: String)
    Description of the remote access point. Display using Adapter Properties. For example: Dialup Remote Access
    Note: Typically, Dialup Entry Descriptions are detected after the Interface Type connection, which is PPP. If you associate a Dialup Entry Description with a Location, also associate a PPP Interface Type, and prioritize the PPP type above the Dialup Entry Description.
  Interface Description (target: Client; format: String)
    Description of the interface. Display using the command netstat -r. For example: 3Com Etherlink PCI
  Interface Type (target: Client; format: one of Ethernet or PPP)
    Type of network interface.
  Interface Index (target: Client; format: Hexadecimal, 8 characters maximum)
    Index of the interface. Display using the command netstat -r. For example: 1
  SAV Parent Server (target: Symantec AntiVirus Server; format: N/A)
    Symantec AntiVirus parent management server stored in the client's registry. Unlike other NetSpec values that the administrator enters, the SAV Parent Server value is populated by information that is retrieved from the client's registry.

About the SAV Parent Server NetSpec

The SAV Parent Server NetSpec allows you to define a Location based on the availability of Symantec Client Security's Symantec AntiVirus parent management server. This NetSpec is valid only for managed clients that can communicate with their parent management server. When a network detection event occurs, such as a network adapter or routing table change, Symantec Client Firewall contacts its parent management server to verify communication between the client and server. If the parent management server is available, the Location that is associated with the SAV Parent Server NetSpec is activated.

You do not specify a Symantec AntiVirus parent management server value when you use the SAV Parent Server NetSpec. Symantec Client Firewall retrieves the parent management server information from a registry setting, which simplifies the configuration of the Location that is associated with this NetSpec. If you have multiple Symantec AntiVirus parent management servers that support Symantec Client Security in your network, you do not need to associate a specific parent management server with each client. Depending on your network configuration, using other NetSpecs could involve more time retrieving client network information. Also, the information that you collect could potentially change based on your network. Because you cannot associate the same NetSpec value with multiple Locations, only one Location can be associated with the SAV Parent Server NetSpec.

Note: Associating the SAV Parent Server NetSpec with a Location can cause unusual behavior in Symantec Client Firewall. When Network Detector is turned on, it might not recognize the SAV Parent Server Location immediately. You might be asked to join the newly detected network by selecting a Location, or you might automatically join a Location that is associated with other network connection information. When communication is established with the SAV parent server, Symantec Client Firewall sets the Location that is associated with the SAV Parent Server setting as the active Location.

How to discover NetSpecs

You can display network information using a variety of Windows commands that are executable from the command prompt. The following list contains some of the more useful commands and options:
  - arp -a
  - netstat -r
  - route show
  - netsh (Netsh is an interactive shell.)

Microsoft also provides a useful tool that you can run on Windows 2000 computers called netdiag.exe. When run in verbose, log mode, the tool creates a report file that lists extensive information about networking and network interface cards (NICs). If you use this tool, be aware that it reports decimal Interface Index values, which you must convert to hexadecimal before you can use them as NetSpecs if the value is greater than 10. Many Ethernet PCI NICs have Interface Indexes with decimal values that you must convert to hexadecimal in this way.

Additionally, a variety of subnet calculators exist that can help identify network addresses for IP address and subnet mask associations, which are used in the Subnet Address network specification.

Prioritizing NetSpecs

Symantec Client Firewall Administrator lets you associate multiple connection assignments with Locations. However, Location Awareness is activated when the current connection matches the first valid NetSpec from a prioritized list. If a Location is not associated with the first valid NetSpec, Location Awareness prompts the user to select an existing Location. The list appears on the Locations tab's Settings tab. The NetSpec list is prioritized from top to bottom by default. See Table 10-3 on page 303. The Gateway MAC Address has first priority, and the SAV Parent Server has last priority.

For example, suppose you associate two NetSpecs with a Location: gateway IP address and client subnet address. When Symantec Client Firewall makes a connection, it first checks the gateway MAC address. If Symantec Client Firewall finds a gateway MAC address, since it doesn't match the configured NetSpecs, Location Awareness prompts the user to select a Location. To ensure that the configured NetSpecs take priority over NetSpecs that are not associated with a Location, you must prioritize the NetSpec list accordingly. The prioritized list affects all Locations.

Again, associating the gateway IP address and client subnet address NetSpecs with a Location, suppose you prioritize the NetSpec list with gateway IP address having first priority and client subnet address having second priority. When Symantec Client Firewall makes a connection, it first checks the gateway IP address for a match in the Location. If a match is found, the Location is activated. If it doesn't find a match, Location Awareness prompts the user to select a Location.
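The following added example (not Symantec's code) models the NetSpec value formats of Table 10-3 and the prioritized matching just described, including the scenario above in which a gateway MAC address on the connection pre-empts a Location keyed on gateway IP address and subnet. It assumes the RFC 1918 private ranges for the Gateway IP Address check; all addresses, Location names and server names are constructed (RFC 5737 documentation ranges).

```python
"""Added example (not Symantec's code): models the NetSpec value formats of
Table 10-3 and the prioritized matching that selects a Location.
All addresses and names are constructed (RFC 5737 documentation ranges)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# RFC 1918 private ranges: a private Gateway IP Address never triggers Location Awareness.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Default NetSpec priority, top to bottom as in Table 10-3.
DEFAULT_PRIORITY = ["Gateway MAC Address", "Gateway IP Address", "Subnet Address",
                    "Domain", "SSID", "Dialup Number", "Dialup Entry Description",
                    "Interface Description", "Interface Type", "Interface Index",
                    "SAV Parent Server"]
SAV = "SAV Parent Server"
Locations = Dict[str, Dict[str, str]]   # Location name -> {NetSpec name: value}


def is_private(ip: str) -> bool:
    """True for an address inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETWORKS)

def gateway_ip_netspec(gateway_ip: str) -> str:
    """Gateway IP Address NetSpec; a private gateway address is rejected."""
    if is_private(gateway_ip):
        raise ValueError(f"{gateway_ip} is private and cannot trigger Location Awareness")
    return str(ipaddress.ip_address(gateway_ip))

def subnet_netspec(client_ip: str, subnet_mask: str) -> str:
    """Subnet Address NetSpec 'network:mask'; the network address is the
    first address of the subnet that contains the client's IP address."""
    net = ipaddress.ip_network(f"{client_ip}/{subnet_mask}", strict=False)
    return f"{net.network_address}:{net.netmask}"

def interface_index_netspec(decimal_index: int) -> str:
    """Interface Index NetSpec: hexadecimal, 8 characters maximum
    (netdiag.exe reports the index in decimal, hence the conversion)."""
    hex_index = format(decimal_index, "x")
    if decimal_index < 0 or len(hex_index) > 8:
        raise ValueError("interface index must fit in 8 hexadecimal characters")
    return hex_index

def domain_matches(netspec: str, dns_suffix: str) -> bool:
    """Domain NetSpec: a leading '*' stands for any subdomain prefix, so
    '*.symantec.com' covers security.symantec.com but not symantec.com."""
    spec, suffix = netspec.lower(), dns_suffix.lower()
    if spec.startswith("*"):
        return suffix.endswith(spec[1:])
    return spec == suffix

def check_unique_netspecs(locations: Locations) -> None:
    """Administrator rejects the same NetSpec value in more than one Location."""
    seen: Dict[Tuple[str, str], str] = {}
    for name, specs in locations.items():
        for netspec, value in specs.items():
            key = (netspec, value.lower())
            if key in seen:
                raise ValueError(f"{netspec} {value!r} is already used by {seen[key]}")
            seen[key] = name

def select_location(connection: Dict[str, str], locations: Locations,
                    priority: Optional[List[str]] = None) -> Optional[str]:
    """Walk the priority list; the first NetSpec the connection exposes decides.
    Returns the matching Location, or None when no Location holds that NetSpec
    (the client user is prompted); lower-priority NetSpecs are not consulted."""
    order = list(priority or DEFAULT_PRIORITY)
    if any(SAV in specs for specs in locations.values()):
        order = [SAV] + [n for n in order if n != SAV]   # SAV is elevated to first
    for netspec in order:
        if netspec not in connection:
            continue
        value = connection[netspec]
        for name, specs in locations.items():
            if netspec not in specs:
                continue
            if netspec == SAV:          # value is read from the client's registry
                return name
            if netspec == "Domain" and domain_matches(specs[netspec], value):
                return name
            if specs[netspec].lower() == value.lower():
                return name
        return None
    return None

def demo_priority() -> Tuple[Optional[str], Optional[str]]:
    """Scenario from Prioritizing NetSpecs: a Location keyed on gateway IP and
    subnet, while the connection also exposes a gateway MAC address."""
    office = {"Gateway IP Address": gateway_ip_netspec("203.0.113.1"),
              "Subnet Address": subnet_netspec("203.0.113.77", "255.255.255.0")}
    conn = {"Gateway MAC Address": "ac-de-48-0e-c6-ab",
            "Gateway IP Address": "203.0.113.1",
            "Subnet Address": "203.0.113.0:255.255.255.0"}
    with_default = select_location(conn, {"Office": office})   # None: MAC decides
    reordered = ["Gateway IP Address", "Subnet Address", "Gateway MAC Address"]
    after_reorder = select_location(conn, {"Office": office}, reordered)  # "Office"
    return with_default, after_reorder
```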
Symantec Client Firewall checks the client subnet address only if it does not find a gateway IP address. You cannot type duplicate entries for NetSpecs. For example, you cannot type the same gateway IP address for more than one Location.

Note: When the SAV Parent Server NetSpec is associated with a Location, the NetSpec is automatically elevated to the first position and cannot be moved.

To prioritize NetSpecs
1 In Symantec Client Firewall Administrator, on the Locations tab, on the Settings tab, under NetSpec Priority List, select the NetSpec to reprioritize.
2 Do one of the following:

  - To set the NetSpec to a higher priority, click Move Up.
  - To set the NetSpec to a lower priority, click Move Down.
  - To set the NetSpec to the default priority, click Reset.

About profiling NetSpecs

Symantec Client Firewall Administrator lets you generate a list of NetSpecs used by client computers running Symantec Client Firewall, and then add them to Unassigned Connections on the Profiling tab. This tab also allows you to create prules using the same technique. See Using Profiling to generate prules and NetSpecs on page 365.

Adding new Locations

If you allow client computers to connect to your network from different access points, you can create rules and settings that are installed on the clients before they gain access to your network from these different access points. Symantec Client Firewall Administrator supports 32 Locations, and Symantec Client Firewall supports 64 Locations. See Table 10-2 on page 301.

To add a new Location
1 In Symantec Client Firewall Administrator, on the Locations tab, on the Connection Management tab, click Add Location.
2 In the Add Location dialog box, in the Description box, type a Location description. The description is limited to 16 characters.
3 Under Location-specific Settings, select the settings to apply to this Location, and then click OK.

Adding NetSpecs to Locations

To trigger the installation of Location rules and Zones, you must add at least one NetSpec to the Location.

To add a NetSpec to a Location
1 In Symantec Client Firewall Administrator, on the Locations tab, on the Connection Management tab, select a Location.
2 Click Add Connection.

3 In the Add Connection dialog box, in the Description box, type a connection description.
4 In the Select column, select the NetSpec to add.
5 In the Value column, type the value associated with the NetSpec. See Table 10-3 on page 303.
6 Click OK.

Moving NetSpecs to Locations

You can add NetSpecs at any time, and you can move NetSpecs from one Location to another. Symantec Client Firewall Administrator lets you add NetSpecs to the Unassigned Connections Location, and then when you want to use the NetSpec, you can move it to the desired Location. If you have multiple NetSpecs for one Location, their priority is governed by the list shown on the Settings tab, not the order in which they appear under a Location.

To move NetSpecs to Locations
1 In Symantec Client Firewall Administrator, on the Locations tab, on the Connection Management tab, select the NetSpec to move.
2 Select one of the following:
  - Move Up
  - Move Down

Selecting a Primary Location

The Primary Location is a Location in which new connection assignments are placed when Symantec Client Firewall users are not allowed to make connection assignments. The Location setting for Allow New Connections controls whether users can make connection assignments. If you disable Location Awareness, you should make the Default Location the Primary Location. When Location Awareness is enabled, users can only add connections to the Default Location when it is configured as the Primary Location. If you configure a Location as the Primary Location and then add a new Location that allows new connections, or if you enable Allow User to Create Locations, the Primary Location disappears, forcing you to reset the Primary Location if you still require one. See Specifying global settings for Locations on page 298.

If you export policies that do not specify a Primary Location, you may allow Symantec Client Firewall users to select Locations that are not appropriate for new network connections. See About importing and exporting on page 285.

To select a Primary Location
1 In Symantec Client Firewall Administrator, on the Locations tab, on the Connection Management tab, under Locations and Connections, select the Location to make Primary.
2 Click Set Primary Location.
3 In the Confirmation dialog box, click Yes.

Enabling the Network Detector

The Network Detector, when enabled, allows the implementation of different rules, prules, and Zones for different Locations on Symantec Client Firewall.

To enable the Network Detector
In Symantec Client Firewall Administrator, on the Locations tab, on the Settings tab, check Enable Network Detector.

Deleting Locations

When you delete a Location, you need to decide what to do with connections and rules associated with the Location. For example, you can move connections associated with the Location to Unassigned Connections, or you can delete them. You can delete rules associated with only one Location, or you can keep these rules in an unassigned state. Deleting Locations always deletes the associated prules and Zones. Table 10-4 describes the Location deletion options.

Table 10-4 Location deletion options
  Connections
    Move Connections to Unassigned Connections: Moves the connection specifications associated with the Location to the Unassigned Connections on the Connection Management tab.
    Delete Connections: Deletes the connection specifications associated with the Location.
  Rules
    Keep Orphaned (Unassigned) Rules: Keeps rules associated with the Location in an unassigned state.
    Delete Orphaned (Unassigned) Rules: Deletes rules associated with the Location.

To delete a Location
1 In Symantec Client Firewall Administrator, on the Locations tab, on the Connection Management tab, select the Location to delete.
2 Click Delete.
3 In the Confirmation dialog box, next to Connections, select one of the following:
  - Move Connections to Unassigned Connections
  - Delete Connections
4 Next to Rules, select one of the following:
  - Keep Orphaned (Unassigned) Rules
  - Delete Orphaned (Unassigned) Rules
5 Click Yes.

Editing Locations and NetSpecs

You can edit Locations and NetSpecs at any time.

To edit a Location or NetSpec
1 In Symantec Client Firewall Administrator, on the Locations tab, on the Connection Management tab, select one of the following:
  - Location
  - Connection
2 Click Edit.
3 Edit the settings.
4 When you are finished editing the settings, click OK.

312 312 Using Location Awareness and Zones Using Network Zones Using Network Zones Adding computers to Zones Symantec Client Firewall lets you organize computers on your network and the Internet into two Zones: Trusted and Restricted. The firewall permits all traffic to and from computers that are listed in the Trusted Zone. The firewall blocks all traffic to and from computers that are listed in the Restricted Zone. The firewall does not block traffic to and from a computer in the Restricted Zone if the computer is the default gateway. The client can still access the Internet. Settings for rules, IPS monitoring, Web Content, Privacy Control, and Ad Blocking are ignored for Web sites that fall into Trusted Zones. Additionally, Zones are attributes of individual Locations only. You cannot create a Zone and make it an attribute of multiple Locations. You can, however, copy Zones to other Locations. See Copying Zones to other Locations on page 313. Network Zones monitor common Internet Protocol (IP) network traffic, which is a mixture of TCP, UDP, and ICMP protocols. Network Zones do not affect Protocol Filtering, which lets you permit or block extended IP protocols. For example, if Protocol Filtering is set to block VPN protocols that are transported over IP, these protocols are blocked for computers in the Trusted Zone. Also, if Protocol Filtering is set to permit the VPN protocols, these protocols are permitted for computers in the Restricted Zone. See About Protocol Filtering on page 437. If you trust your network completely and do not want to create a Program or General rulebase that supports network activity, you can create a Trusted Zone of computers. All computers that are in the Trusted Zone are free to conduct all client/server communications without being blocked at the firewall. It is not possible to create overlapping Trusted and Restricted Zones using network addresses and ranges. 
If you attempt to create overlapping Zones, the system prompts you to decide whether to delete the previously entered Zone. To add one or more computers to a Zone 1 In Symantec Client Firewall Administrator, on the Zones tab, next to Location, select the Location in which to add the Zone. 2 On the Trusted or Restricted Zone tab, click Add.

3 In the Add Computer dialog box, select one of the following:
   Single address: An IP address that identifies the computer.
   Host name: A host name that identifies the computer.
   Network address: A range of IP addresses, created by typing one IP address and a subnet mask.
   Address range: A range of IP addresses, created by typing a beginning and ending IP address.
   Named address group: A collection of IP addresses that may contain single addresses as well as ranges.
4 Do one of the following:
   In the Address boxes, type the necessary information.
   From the drop-down list, select a Named address group.
5 Click OK.

Copying Zones to other Locations

Symantec Client Firewall Administrator lets you copy Zones to other Locations, including the Default Location.

To copy Zones to other Locations
1 In Symantec Client Firewall Administrator, on the Zones tab, do one of the following:
   On the Trusted Zone tab, select the Zone to copy.
   On the Restricted Zone tab, select the Zone to copy.
2 In the Copy Zone Address window, do one of the following:
   Select one or more Locations in which to copy the Zone.
   Click All.
3 Click OK.

About locking Zones

Unless you lock a Zone, Symantec Client Firewall users can delete it. Padlock icons in the Lock column identify locked settings; an empty Lock column identifies unlocked settings. You can toggle the setting.

Table 10-5 lists the tabs that contain lockable items and describes the functionality when locked and unlocked.

Table 10-5 Tabs that contain lockable items
Tab              Description
Trusted Zone     Locked: Client users cannot delete the IP address.
                 Unlocked: Client users can delete the IP address.
Restricted Zone  Locked: Client users cannot delete the IP address.
                 Unlocked: Client users can delete the IP address.

To verify that Restricted Zones are always processed, be sure to create locked Restricted Zones. Table 10-6 shows the processing order for locked and unlocked Trusted and Restricted Zones; a locked Restricted Zone is evaluated before any Trusted Zone, so it cannot be undone by a Trusted entry that a user adds.

Table 10-6 Processing order
Zone                 Processing order
Locked Restricted    First
Locked Trusted       Second
Unlocked Restricted  Third
Unlocked Trusted     Fourth

Excluding computers from AutoBlock

Symantec Client Firewall repeatedly recognizes some normal Internet activities as attacks. For example, some Internet service providers scan the ports of your computer to ensure that you are within their service agreements. If client computers cannot communicate with computers that they should be able to connect to, the destination computers might be blocked by AutoBlock. Depending on the circumstances, you can disable the AutoBlock setting on clients, which prevents the attacking computers from being added to the AutoBlock list, or you can exclude specific computers from AutoBlock. Excluding specific computers is the narrower change: disabling AutoBlock removes the automatic response for every source, not only the one that is misidentified.

If the Risk Tracer option Client firewall auto blocks IP Address of the source computer is enabled in Symantec AntiVirus, Symantec Client Firewall blocks the IP address of an attacking computer even if the IP address is in the Trusted Zone or on the AutoBlock Exclusions list.

Note: Zone settings let you delete locked and unlocked Zones when you export policy files. If you delete locked Zones, locked computers that are excluded from AutoBlock are also deleted. If you delete unlocked Zones, unlocked computers that are excluded from AutoBlock are also deleted. See Deleting locked and unlocked Zones when exporting policies on page 315.

To exclude computers from AutoBlock
1 In Symantec Client Firewall Administrator, on the Zones tab, on the AutoBlock Exclusions tab, click Add.
2 In the Add Computer dialog box, specify whether the exclusion applies to one IP address, a host name, a network address, a range of IP addresses, or a named address group.
3 Click OK.
The addresses that you added appear on the AutoBlock tab, under Internet Addresses to be Excluded from IPS AutoBlock.

Deleting locked and unlocked Zones when exporting policies

Symantec Client Firewall Administrator lets you delete locked and unlocked Zones on Symantec Client Firewall when exporting policies. This feature lets you delete user-created Zones, along with any locked and unlocked Zones that you previously exported to clients. Zones that users create are always unlocked. These settings affect all Locations. Deleting unlocked Zones also deletes unlocked IP addresses from the IPS AutoBlock Exclusions list, and deleting locked Zones deletes locked IP addresses from the IPS AutoBlock Exclusions list. See Locking IPS exclusions and IP addresses on page 381.

Warning: Users who can create Zones may decide to create a Trusted Zone whose address range covers the entire Internet, in which case the firewall would permit all traffic to and from every computer on the Internet. Such a Trusted Zone would not, however, override IP addresses in a Restricted Zone, because Restricted Zones are processed first (see Table 10-6).
To delete locked and unlocked Zones when exporting policies
1 In Symantec Client Firewall Administrator, on the Zones tab, on the Settings tab, do one of the following:
   Check Delete locked Zone addresses on policy integration.
   Uncheck Delete locked Zone addresses on policy integration.
2 Do one of the following:
   Check Delete unlocked Zone addresses on policy integration.
   Uncheck Delete unlocked Zone addresses on policy integration.
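The Zone behaviour described in this chapter (the Add Computer address kinds, the refusal to create overlapping Trusted and Restricted entries, the default-gateway exception, and the Table 10-6 processing order) can be checked against a small model. The following Python is an added example written for this guide; it is not code from Symantec Client Firewall or Symantec Client Firewall Administrator. The class and function names, the enforce_no_overlap switch and the sample addresses are constructed for illustration, and host-name entries are left out because they require a DNS lookup.

```python
import ipaddress
from dataclasses import dataclass, field

# Table 10-6: locked Restricted, then locked Trusted, then unlocked Restricted,
# then unlocked Trusted. First hit decides.
ZONE_ORDER = [("restricted", True), ("trusted", True),
              ("restricted", False), ("trusted", False)]


def parse_entry(kind, *values):
    """Turn one Add Computer entry into a list of ipaddress networks.

    kind is one of single, network, range, group (constructed names, not the
    product's). Host names are omitted: they need DNS, which this offline
    example does not perform."""
    if kind == "single":
        return [ipaddress.ip_network(values[0])]
    if kind == "network":
        # Network address: one IP address plus a subnet mask
        return [ipaddress.ip_network(f"{values[0]}/{values[1]}", strict=False)]
    if kind == "range":
        start = ipaddress.ip_address(values[0])
        end = ipaddress.ip_address(values[1])
        return list(ipaddress.summarize_address_range(start, end))
    if kind == "group":
        # Named address group: a mixed list of singles, networks and ranges
        nets = []
        for member in values[0]:
            nets.extend(parse_entry(*member))
        return nets
    raise ValueError(f"unknown entry kind {kind!r}")


@dataclass
class ZoneEntry:
    zone: str        # "trusted" or "restricted"
    locked: bool
    networks: list


@dataclass
class Location:
    name: str
    entries: list = field(default_factory=list)
    default_gateway: str = None

    def add(self, zone, locked, kind, *values, enforce_no_overlap=True):
        """Add an entry. The administrator tool refuses Trusted/Restricted
        overlaps; set enforce_no_overlap=False to model a user-created Zone
        that was added on the client without that check."""
        nets = parse_entry(kind, *values)
        if enforce_no_overlap:
            for e in self.entries:
                if e.zone != zone and any(a.overlaps(b)
                                          for a in nets for b in e.networks):
                    raise ValueError(f"{kind} {values} overlaps a {e.zone} entry")
        self.entries.append(ZoneEntry(zone, locked, nets))

    def decide(self, ip):
        """permit / block from the Zones, or 'rulebase' if no Zone matches."""
        ip = ipaddress.ip_address(ip)
        if self.default_gateway and ip == ipaddress.ip_address(self.default_gateway):
            return "permit"   # the default gateway is never blocked by a Zone
        for zone, locked in ZONE_ORDER:
            for e in self.entries:
                if e.zone == zone and e.locked == locked and any(ip in n for n in e.networks):
                    return "permit" if zone == "trusted" else "block"
        return "rulebase"     # not in any Zone: General/Program rules apply


if __name__ == "__main__":
    # Constructed sample: a locked Restricted subnet and a user-created,
    # unlocked Trusted range that covers the whole Internet (the Warning above).
    office = Location("Office", default_gateway="10.0.0.1")
    office.add("restricted", True, "network", "10.0.0.0", "255.255.255.0")
    office.add("trusted", False, "range", "0.0.0.0", "255.255.255.255",
               enforce_no_overlap=False)
    for addr in ("10.0.0.7", "10.0.0.1", "198.51.100.9"):
        print(addr, office.decide(addr))
```

The decide method returns "block" for 10.0.0.7 even though the later Trusted range contains it, which is exactly why the text recommends creating Restricted Zones as locked entries.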

Chapter 11
Creating and testing rules

This chapter includes the following topics:
   About rules
   Working with firewall rules
   Using port groups
   Using address groups
   Incorporating Secure Port
   About testing firewall settings

About rules

Rules are policy components that control how Symantec Client Firewall protects computers from malicious incoming traffic, programs, and Trojan horses. The firewall checks every incoming and outgoing packet against these rules and permits or blocks the packet based on the information in the matching rule.

Rules are ordered from highest to lowest priority and are inspected in that order. If the first rule does not specify how to handle a packet, the second rule is inspected, and so on until a match is found. Once a rule matches, the firewall takes the action that the rule specifies and does not inspect the lower priority rules. If no rule matches, the firewall blocks the packet by default.

Symantec Client Firewall automatically creates rules for a client computer as it communicates over the Internet, either silently (with the Automatic Program Control setting enabled) or by prompting the user. Firewall administrators can also create firewall rules manually using Symantec Client Firewall Administrator.

Rule categories

Table 11-1 describes how rules are classified.

Table 11-1 Rule categories
Rule type      Description
General rules  Apply to all client traffic. These rules inspect every inbound and outbound packet for protocols, ports, and source and destination IP addresses.
Program rules  Apply to specific client program traffic. These rules are essentially General rules tailored to specific program executable files.
Trojan rules   Apply to malicious applications disguised as useful applications. These rules typically block traffic on ports associated with Trojan horses. Symantec Client Firewall supplies a set of Trojan rules that apply to the characteristics of known Trojan horse threats.

Rule types

Rules are categorized as either locked rules or unlocked rules. Table 11-2 describes the characteristics of both types.

Table 11-2 Rule types and descriptions
Rule type  Description
Locked     Symantec Client Firewall users cannot modify or delete locked rules. You can select whether rules created with Symantec Client Firewall Administrator are locked or unlocked.
Unlocked   Symantec Client Firewall users with the relevant permissions can create unlocked rules if the Global Location setting permits it. Prules that are created with Symantec Client Firewall Administrator become locked or unlocked rules, depending on how the prules are configured.

Rule processing order

Rules are processed using a priority that is based on category and type. Packets are inspected against rules until the conditions specified in a rule are met. When the first match occurs, the action that the rule specifies is triggered and all further rule evaluation stops, unless the rule is configured to monitor traffic. Table 11-3 shows how rules are prioritized.

Table 11-3 Rule processing priority
Priority  Rule category         Rule type
First     Firewall state table  Not applicable
Second    General               Locked
Third     Program               Locked
Fourth    General               Unlocked
Fifth     Program               Unlocked
Sixth     Trojan                Locked
Seventh   Trojan                Unlocked

Symantec Client Firewall implements stateful inspection, which automatically permits the inbound TCP traffic and the NetBIOS packets that reply to permitted outbound TCP and NetBIOS traffic. Information about the outbound traffic is maintained in the firewall state table. See About stateful inspection on page 325. See Stateful inspection for NetBIOS traffic on page 326.

Because locked General and Program rules are evaluated before unlocked ones, a locked Block rule cannot be overridden by a Permit rule that a user creates. Within each priority level, order rules so that they are evaluated according to exclusivity, with the most restrictive rules evaluated first and the most general rules evaluated last. For example, if you create rules that block traffic, place them near the top, because rules further down may permit the same traffic.

Note that Trojan rules are evaluated last, after unlocked General and Program rules, so an unlocked Permit rule that matches a packet is applied before a Trojan Block rule would be reached. The Secure Port utility closes this gap for outbound traffic: it secures the local ports that are defined in Trojan rules so completely that all Trojan rules configured as Block take first priority, for outbound traffic only. See Incorporating Secure Port on page 338.

Elements of a rule

A rule is a collection of settings that characterize network traffic and specify what to do with the traffic when it appears at the firewall. You specify the following settings when you create a rule:
   Description
   Action to take when matched, such as permit, block, or monitor
   Protocol: TCP, UDP, or ICMP
   Position of client rulebase insertion after exporting (available for policy updates only)
   Inbound and outbound port numbers
   Source and destination computers
   Tracking options, if any
   Locations
See About updating rulebases on Symantec Client Firewall on page 332.

General and Trojan rules apply these settings to all traffic. Program rules and prules apply these settings to traffic that is generated by a specific executable file. You configure the rule settings in the Edit Firewall Rule dialog box, shown in Figure 11-1.

Figure 11-1 Edit Firewall Rule dialog box

Description

Description lets you specify the name of the rule so that you can distinguish it from other rules.

Action options

Action options let you specify whether the rule permits, blocks, or monitors the type of network communication defined within the rule. Table 11-4 describes the available Action options.

Table 11-4 Action options
Option   Description
Permit   Allows communication of this type to take place.
Block    Prevents communication of this type from taking place.

Table 11-4 Action options (continued)
Option   Description
Monitor  Updates the Firewall tab in the Symantec Client Firewall Event Log. Rule processing then continues until a match is found. If there is no match, the communication is either blocked by default or an Automatic Program Control alert appears.

Connection options

Connection options let you specify whether the rule applies to inbound network traffic, outbound network traffic, or network traffic in both directions. Table 11-5 describes the available Connection options.

Table 11-5 Connection options
Option    Description
Outbound  The rule applies to outbound traffic from your computer to other computers.
Inbound   The rule applies to inbound traffic from other computers to your computer.
Both      The rule applies to both inbound and outbound traffic.

To simplify rulebase management, specify both inbound and outbound traffic in a rule whenever possible.

Protocol options

Protocol options let you specify the protocols that a rule controls. Table 11-6 describes the available Protocol options.

Table 11-6 Protocol options
Option       Description
TCP          The rule applies to Transmission Control Protocol (TCP) traffic.
UDP          The rule applies to User Datagram Protocol (UDP) traffic.
TCP and UDP  The rule applies to both TCP and UDP traffic.

Table 11-6 Protocol options (continued)
Option  Description
ICMP    The rule applies to Internet Control Message Protocol (ICMP) traffic. ICMP applies to General rules and Trojan rules only.

Ports options

Ports options let you specify the ports that are controlled by a rule. Typically, specific types of traffic occur on specific ports. For example, Web traffic generally occurs on ports 80 and 443. Table 11-7 describes the available Ports options.

Table 11-7 Ports options
Option         Description
List of ports  The rule applies to traffic on a list of ports. Requires you to type a single port or port range.
Named ports    The rule applies to traffic on all ports listed in a named port group. Requires you to select a named port. See Using port groups on page 333.
Any port       The rule applies to traffic on all ports.

Computers options

Computers options let you specify the computers and network adapters to which a rule applies. Table 11-8 describes the available Computers options.

Table 11-8 Computers options
Option                           Description
Remote Computers: Any computer   The rule applies to all remote computers.
Remote Computers: Computer list  The rule applies to one IP address, a range of IP addresses, or to IP addresses in a named IP address group.

Table 11-8 Computers options (continued)
Option                           Description
Network Adapters: Any adapter    The rule applies to all network adapters in the local computer. An Ethernet card is a network adapter.
Network Adapters: Adapter list   The rule applies to one or more network adapters in the local computer, which are specified using their IP addresses.

IP addressing options

IP addressing options let you specify the IP addresses of remote and local computers when you do not select all computers. Table 11-9 describes the available IP addressing options.

Table 11-9 IP addressing options
Option               Description
Single address       The rule applies to one IP address. Requires you to type one IP address only.
Host name            The rule applies to one host name. Requires you to type one host name only. Adding a host name generates a DNS query, so you must have a rule that permits DNS queries, and the rule matches whatever address the host name resolves to at the time of the query.
Network Address      The rule applies to a range of IP addresses. Requires you to type one IP address and a subnet mask. For example, typing an IP address of and a subnet mask of creates a range of IP addresses from Using a subnet mask, you can define a range as small as two IP addresses, or as large as all IP addresses in the class C network.
Address Range        The rule applies to a range of IP addresses. Requires you to type a beginning IP address and an ending IP address.
Named address group  The rule applies to IP addresses in a named address group. See Using address groups on page 336.

Tracking options

Tracking options let you specify whether the program should notify you or create an Event Log entry when a network traffic event matches the criteria set for this rule. The following table describes the available Tracking options.

Tracking options
Option                                             Description
Write an event log entry when this rule is matched  An entry is written in the firewall Event Log when this rule is matched. An event log entry can be throttled to log only after a certain number of matches.
Create Security Alert when this rule is logged      A Security Alert dialog box appears when this rule is matched.

Location options

Location options let you specify the Locations to which this rule applies. Rules are not used unless they are assigned to a Location. You can assign rules to one, many, or all Locations.

About stateful inspection

Symantec Client Firewall uses stateful inspection for TCP connections, which creates a connection state table that tracks information about current connections such as IP addresses, ports, applications, and so forth. Symantec Client Firewall makes traffic flow decisions using this connection information before inspecting General and Program rules. For example, if a firewall rule permits a client to connect to a Web server, the firewall logs connection information in the state table. When the server replies, the firewall checks the state table, discovers that a response from the Web server to the client is expected, and permits the Web server traffic to flow to the initiating client without inspecting the rulebase.

Note: A rule must permit the initial traffic before the firewall logs the connection in the state table.

Stateful inspection allows you to simplify rulebases because you do not have to create the rules that permit traffic in both directions for traffic typically initiated

in one direction. Client traffic typically initiated in one direction includes Telnet (port 23), FTP (ports 20 and 21), HTTP (port 80), and HTTPS (port 443). Clients initiate this traffic outbound, so you only have to create a rule that permits outbound traffic for these protocols. The firewall permits the return traffic when it inspects the state table.

By configuring outbound rules only, when possible, you increase client security in two ways:
   You reduce rulebase complexity.
   You eliminate the possibility that a worm or other malicious program can initiate connections to a client on ports that are configured for outbound traffic only.

You can also configure inbound rules only, for traffic to clients that clients do not initiate.

Stateful inspection supports all rules that filter TCP traffic, but does not support the rules that filter UDP or ICMP traffic. (UDP datagrams are tracked per program session instead; see About UDP connections on page 327.) For ICMP traffic, you must create the rules that permit traffic in both directions when necessary. For example, if you want clients to use the ping command and receive replies, you must create a rule that permits ICMP traffic in both directions.

Stateful inspection for NetBIOS traffic

NetBIOS is a Windows feature that allows users to easily share files and folders. The traffic that is generated by NetBIOS can be significant, depending on the level of file sharing that is performed in your network. To increase network performance without sacrificing security, Symantec Client Firewall includes stateful NetBIOS inspection. Stateful NetBIOS tracks NetBIOS packets and matches inbound responses to previous outbound requests. The firewall then permits the return inbound traffic without having to inspect the firewall's General and Program rules.
Stateful NetBIOS requires that the following default General rules are disabled:
   Default Inbound NetBIOS Name
   Default Outbound NetBIOS Name
If you enable either of these rules, Stateful NetBIOS inspection does not function correctly, and any network performance improvements that are gained from Stateful NetBIOS inspection are lost. See Ignoring inbound and outbound NetBIOS Name rules on page 331.
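To make the evaluation order concrete, the following Python models the decision path described in this chapter: the Table 11-3 priority of locked and unlocked General, Program and Trojan rules, first-match semantics with Monitor rules continuing evaluation, default deny, the TCP state table of About stateful inspection, the per-program UDP session behaviour of About UDP connections (page 327), a named port group as described under Using port groups (page 333), and the Secure Port pre-check of Incorporating Secure Port (page 338). This is an added example written for this guide, not code from Symantec Client Firewall; the class names, the Rule and Packet fields, and the sample rules and addresses are constructed for illustration and simplify the product (for instance, the state table is keyed only on addresses and ports).

```python
import ipaddress
from dataclasses import dataclass

# Table 11-3: the state table is checked before any of these six levels
PRIORITY = {("general", True): 0, ("program", True): 1, ("general", False): 2,
            ("program", False): 3, ("trojan", True): 4, ("trojan", False): 5}


def parse_port_group(spec):
    """Named port group: one port, several ports, or one range; mixed lists are rejected."""
    spec = spec.replace(" ", "")
    if "-" in spec:
        if "," in spec:
            raise ValueError("port groups cannot mix single ports with a range")
        lo, hi = (int(x) for x in spec.split("-"))
        return set(range(lo, hi + 1))
    return {int(x) for x in spec.split(",")}


@dataclass
class Rule:
    desc: str
    category: str                 # general, program, trojan
    locked: bool
    action: str                   # permit, block, monitor
    direction: str = "both"       # inbound, outbound, both
    protocols: frozenset = frozenset({"tcp", "udp"})
    remote_ports: set = None      # None = any port
    local_ports: set = None
    remote_nets: list = None      # None = any computer; else ipaddress networks
    program: str = None           # Program rules only

    def matches(self, pkt):
        if self.direction != "both" and self.direction != pkt.direction:
            return False
        if pkt.proto not in self.protocols or (self.program and self.program != pkt.program):
            return False
        if self.remote_ports is not None and pkt.remote_port not in self.remote_ports:
            return False
        if self.local_ports is not None and pkt.local_port not in self.local_ports:
            return False
        if self.remote_nets is not None and not any(
                ipaddress.ip_address(pkt.remote_ip) in n for n in self.remote_nets):
            return False
        return True


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    remote_ip: str
    remote_port: int
    local_port: int
    program: str = None


class Firewall:
    def __init__(self, rules, secure_port=True):
        # Stable sort: the administrator's order survives inside each priority level
        self.rules = sorted(rules, key=lambda r: PRIORITY[(r.category, r.locked)])
        self.tcp_state = set()    # (remote_ip, remote_port, local_port) of permitted outbound TCP
        self.udp_sessions = {}    # (remote_ip, remote_port, local_port, program) -> action
        self.log = []             # (rule description, packet) written by Monitor rules
        # Secure Port: every local port named by a Block Trojan rule
        self.secured = set()
        if secure_port:
            for r in rules:
                if r.category == "trojan" and r.action == "block" and r.local_ports:
                    self.secured |= r.local_ports

    def decide(self, pkt):
        if pkt.direction == "outbound" and pkt.local_port in self.secured:
            return "block"        # Secure Port: rulebase never consulted, no alert
        key = (pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if pkt.proto == "tcp" and pkt.direction == "inbound" and key in self.tcp_state:
            return "permit"       # reply to a permitted outbound connection
        if pkt.proto == "udp" and key + (pkt.program,) in self.udp_sessions:
            return self.udp_sessions[key + (pkt.program,)]   # rules ignored for the session
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.action == "monitor":
                self.log.append((rule.desc, pkt))
                continue          # Monitor logs and keeps evaluating
            action = rule.action
            break
        else:
            action = "block"      # no match: default deny
        if action == "permit" and pkt.proto == "tcp" and pkt.direction == "outbound":
            self.tcp_state.add(key)
        if pkt.proto == "udp":
            self.udp_sessions[key + (pkt.program,)] = action
        return action


# Constructed sample rulebase (not the product's defaults)
RULES = [
    Rule("Block Trojan port", "trojan", True, "block", local_ports={12345}),
    Rule("User allow outbound", "general", False, "permit", direction="outbound"),
    Rule("Block outbound SMB", "general", True, "block", direction="outbound", remote_ports={445}),
    Rule("Log DNS", "general", True, "monitor", protocols=frozenset({"udp"}), remote_ports={53}),
]
```

With RULES loaded, the locked Block on remote port 445 beats the user's unlocked Permit; an inbound TCP packet is permitted only when it answers a permitted outbound connection; one permitted outbound UDP datagram lets replies from that endpoint in for the rest of the program session; and an outbound packet from local port 12345 is blocked by Secure Port even though, with Secure Port off, the unlocked Permit would be matched before the Trojan rule.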

About UDP connections

For UDP communications, Symantec Client Firewall analyzes the first UDP datagram and applies the action that is taken on the initial datagram to all subsequent UDP datagrams for the current program session. Inbound or outbound traffic between the same endpoints is considered part of the UDP connection. Once a UDP connection is made, existing firewall rules are ignored for that session. For example, if a rule blocks incoming UDP communications for a specific program but the user chooses to allow an outgoing UDP datagram, all incoming UDP datagrams from that endpoint are allowed for the current program session. A rule that blocks inbound UDP therefore protects a port only until the program itself sends to the same remote endpoint.

Working with firewall rules

Creating rules

Firewall rules are created using Symantec Client Firewall Administrator, saved to a new policy, and distributed to firewalls. Firewall rules can also be created on Symantec Client Firewall, if the user has the proper permissions.

To simplify rulebase management, specify both inbound and outbound traffic in one rule whenever possible. Additionally, you do not need to create inbound rules for traffic such as HTTP and FTP, because Symantec Client Firewall uses stateful inspection for TCP traffic and does not need a rule to filter the return traffic of connections initiated by clients. See About stateful inspection on page 325.

If you are not yet familiar with Locations, or if you do not want to use Location Awareness, you can apply the rule to the Default Location only. Another option is to assign the rule to All Locations. See Using Locations on page 297.

Note: The ICMP protocol is available for General and Trojan rules only.

To create a rule
1 Do one of the following:
   If you are creating a Program rule, begin with step 2.
   If you are creating a General or Trojan rule, select the appropriate tab, and begin with step 7.
2 In Symantec Client Firewall Administrator, on the Rules tab, on the Program Rules tab, under Program, click Add.

3 In the Add Program dialog box, on the Program tab, in the Description box, type a rule description.
4 Do one of the following:
   In the File Name box, type the path to a program executable file.
   Click Browse, and then locate and select an executable file.
5 On the Locations tab, do one of the following:
   Click Apply rule to all locations.
   Click Apply rule to the following selected locations, and then select the Locations to associate with this Program rule.
6 Click OK.
7 Under Rules, click Add.
8 In the Add Firewall Rule dialog box, in the Action list, select one of the following:
   Block
   Permit
   Monitor
9 In the Connection list, select one of the following:
   Inbound
   Outbound
   Both
10 In the Protocol list, select one of the following:
   TCP
   UDP
   ICMP
   TCP and UDP
11 On the Ports tab, under Remote Ports and Local Ports, select one of the following:
   List of ports
   Named ports
   Any ports
12 On the Computers tab, under Remote Computers, select one of the following:
   Any computer
   Computer list
13 Under Network Adapters (on the local computer), select one of the following:
   Any adapter
   Adapter list
14 On the Tracking tab, specify none, one, or both of the following:
   Write an event log entry when this rule is matched
   Create Security Alert when this rule is logged
15 On the Locations tab, select one of the following:
   Apply rule to all locations
   Apply rule to the following selected locations, and then select the Locations to associate with this rule
   If you are creating a Program rule, these Locations can be a subset of the Locations that you selected for the Program executable file in step 5. You can use this subset to enable and disable certain program features at different Locations that permit the program to execute.
16 Click OK.

Displaying rules by Location

Symantec Client Firewall Administrator lets you display the rules configured for specific Locations. To display rules used at all Locations, select the Master list Location.

To display rules for specific Locations
1 In Symantec Client Firewall Administrator, on the Rules tab, in the Locations list, select the Location for which to display rules.
2 Click the General Rules, Program Rules, and Trojan Rules tabs.

Adding rules to different Locations

Symantec Client Firewall Administrator lets you add existing rules to Locations.

To add a rule to a Location
1 In Symantec Client Firewall Administrator, on the Rules tab, select one of the following rule types:
   General Rules
   Program Rules
   Trojan Rules
2 Select the rule to add to a Location, and then click Edit.
3 On the Locations tab, select one of the following:
   Apply rule to all locations: To select all Locations.
   Apply rule to the following selected locations, and then select the Locations to associate with this rule.
4 Click OK.

Deleting rules

Symantec Client Firewall Administrator lets you delete rules from one Location or all Locations.

To delete a rule
1 In Symantec Client Firewall Administrator, on the Rules tab, next to Location, do one of the following:
   Select a Location that contains the rule to delete.

   To delete rules from all Locations, click Master list.
2 On one of the following tabs, select the rule to delete:
   General Rules
   Program Rules
   Trojan Rules
3 Click Delete.
4 If you did not click Master list, in the Delete Rule window, select one of the following:
   Remove selected rules from the <selected> location
   Delete selected rules from all locations
5 Click OK.

Configuring rule lock settings

Symantec Client Firewall Administrator lets you lock and unlock all rules before you export the policy to Symantec Client Firewall. You can also delete all unlocked rules on Symantec Client Firewall when you export locked rules. After you import an unlocked rulebase from Symantec Client Firewall, the setting Delete unlocked rules on policy integration is always enabled. Be sure to verify that this setting is what you want before you export the imported rulebase, because exporting with it enabled removes every rule that users created on the clients. See About importing and exporting rules and prules on page 286.

To lock or unlock rules
1 In Symantec Client Firewall Administrator, on the Rules tab, on the Settings tab, next to Rule set is, select one of the following:
   Locked
   Unlocked
2 If you selected Locked, to delete unlocked client rules during export, check Delete unlocked rules on policy integration.

Ignoring inbound and outbound NetBIOS Name rules

Symantec Client Firewall Administrator lets you ignore the Default Inbound NetBIOS Name and Default Outbound NetBIOS Name rule settings for Symantec Client Firewall clients version 8.7 and above. These rules are disabled by default for Symantec Client Firewall clients version 8.7 and above to support stateful NetBIOS inspection, which helps improve performance in your network. You can

import the default rules into Symantec Client Firewall Administrator from a predefined policy file or from a Symantec Client Firewall client.

Note: The Ignore (Disable) Inbound and Outbound NetBios Name rules on SCF v8.7 clients and above setting disables the inbound and outbound NetBIOS Name rules only if the rules specify a single port. If the client's inbound or outbound NetBIOS Name rule specifies more than one port (for example, 137, 138, and 139), enabling this setting does not disable those rules.

Legacy Symantec Client Firewall clients have the NetBIOS Name rules enabled by default because those clients do not contain the stateful NetBIOS inspection feature. To support legacy clients, Symantec Client Firewall Administrator lets you enable the NetBIOS Name rules for legacy clients, and then ignore these rules for Symantec Client Firewall clients version 8.7 and above. See Stateful inspection for NetBIOS traffic on page 326.

To ignore inbound and outbound NetBIOS Name rules
In Symantec Client Firewall Administrator, on the Rules tab, on the Settings tab, check Ignore (Disable) Inbound and Outbound NetBios Name rules on SCF v8.7 clients and above.

About updating rulebases on Symantec Client Firewall

Symantec Client Firewall Administrator lets you update rules for All Locations on Symantec Client Firewall. This feature is useful when, for example, a worm is spreading to or from particular client ports, or particular subnets are attacking your clients, and you want to block that traffic on every client without redistributing the whole policy. You can only add rules and prules to update files, and you can only update All Locations.

When you create rules for updates, you can select whether updated rules are positioned at the top or bottom of the rulebase. If you position them at the top, the ordering in Symantec Client Firewall is the reverse of what you see in Symantec Client Firewall Administrator. If you position them at the bottom, the ordering in Symantec Client Firewall does not change. If you are exporting an update to block traffic, insert the rules at the top of the rulebase so that they are evaluated before any existing rule that would permit the traffic. See Configuring policies and updates on page 279. See About importing and exporting on page 285.

Using port groups

Symantec Client Firewall Administrator supports using port groups. A port group is a collection of port numbers grouped under one name. The purpose of port groups is to eliminate the retyping of port numbers.

The following table shows three prules that support Windows 2000 networking in an Active Directory environment, in which the created rules are permitted, bidirectional rules.

Sample program rulebase
prule executable  Description  Protocol  Remote ports  Local ports
Lsass.exe         Kerberos     UDP
                  EPmap        TCP
                  LDAP         TCP, UDP
                  Nterm        TCP
Explorer.exe      LDAP         TCP, UDP
Winlogon.exe      LDAP         TCP, UDP

An LDAP rule is required for each prule executable. To create each rule without using port groups, you must type the LDAP port numbers for remote and local ports three times, once for each prule executable. Using port groups, you could configure two groups for LDAP ports, and then select them from a drop-down list. The following table shows two groups that support this operation.

Sample port groups
Group name    Ports
LDAP
Remote Range

The group named Remote Range can also be selected for each prule shown in the sample program rulebase.

Adding named port groups

You can add port groups in all windows that let you create firewall rules. You cannot use port groups for rules that are configured to monitor ICMP traffic. Port groups do not support mixed lists of ports, such as two specific ports along with

a port range. You can enter one port, multiple ports, or a port range only. As you incorporate port groups into rules, you should consider documenting the rules and the group names. If you decide later to delete a port group, you must first remove the port group from all rules that reference the group. Having the documentation makes deleting groups easier.

You can add a named port group from either the Rules or prules tab.

To add a named port group
1 In Symantec Client Firewall Administrator, on the Rules tab, select a rule on one of the following tabs:
   General Rules
   Program Rules
   Trojan Rules
2 Click Edit.
3 In the Edit Firewall Rule window, on the Ports tab, do one of the following:
   Under Remote Ports, check Named ports, and then click Edit.
   Under Local Ports, check Named ports, and then click Edit.

4 In the Edit Named Ports window, click New.
5 In the New Port Group window, in the Named port box, type a name for the port group, and then click OK.
6 In the Edit Named Ports window, add one or more ports to the new group, and then click Close.
7 In the Edit Firewall Rule window, click OK.

Deleting named port groups

You can delete port groups from all windows that let you create firewall rules. However, before you can delete a port group, you must remove the port group from all rules that reference the group.

You can delete a named port group from either the Rules or prules tab.

To delete a named port group
1 In Symantec Client Firewall Administrator, on the Rules tab, select a rule on one of the following tabs:
   General Rules
   Program Rules

   Trojan Rules
2 Click Edit.
3 In the Edit Firewall Rule window, on the Ports tab, do one of the following:
   Under Remote Ports, check Named ports, and then click Edit.
   Under Local Ports, check Named ports, and then click Edit.
4 In the Edit Named Ports window, in the Named port(s) drop-down list, select the group to delete, and then click Delete.
5 If the named group is referenced by one or more rules or prules, in the Message window, click OK.
6 In the Edit Named Ports window, click Close.
7 In the Edit Firewall Rule window, click OK.
8 If you completed step 5, locate the rules or prules that reference the port group that you tried to delete, deselect the port group, and then repeat steps 1 through 7.

Using address groups

Symantec Client Firewall Administrator supports using address groups. An address group is a collection of IP addresses or host names grouped under one name. For example, if you have multiple IP addresses configured for the Trusted Zone, you can add these IP addresses to an address group, and then select the group from a drop-down list. The purpose of address groups is to eliminate the retyping of IP addresses.

Address groups are available for the following:
   Rules
   Zones
   IPS AutoBlock Exclusions

Adding named address groups

Address groups support mixed lists of addresses or host names. As a result, you can add two specific IP addresses, an IP address range, and a network address to the same group.

As you incorporate address groups, you should consider documenting where the groups are used. If you decide later to delete an address group, you must first

remove the address group from all rules, Zones, and IPS AutoBlock Exclusions that reference the group. Having the documentation makes deleting groups easier.

When you add a named address group, you can use the user interface for Zones or any other interface that supports adding IP addresses for rules and IPS AutoBlock Exclusions.

To add a named address group
1 In Symantec Client Firewall Administrator, on the Zones tab, click Add.
2 In the Add Computer window, click Named address group, and then click Edit.
3 In the Edit Address Groups window, click New.
4 In the New Address Group window, in the Group name box, type a name for the address group, and then click OK.
5 In the Edit Address Groups window, in the Address group drop-down list, select the new group, and then click Add.
6 In the Add Computer window, add the appropriate IP addresses, and then click OK.
7 Repeat step 6 until you finish adding IP addresses to the group, and then click Close.

Deleting named address groups

You can delete address groups from all windows that let you create rules, Zones, and IPS AutoBlock Exclusions. However, before you can delete an address group, you must remove the address group from all rules, Zones, and IPS AutoBlock Exclusions that reference the group. When you delete a named address group, you can use the user interface for Zones or any other interface that supports adding IP addresses for rules and IPS AutoBlock Exclusions.

To delete a named address group
1 In Symantec Client Firewall Administrator, on the Zones tab, click Add.
2 In the Add Computer window, click Named address group, and then click Edit.
3 In the Edit Address Groups window, in the Address group drop-down list, select the address group to delete, and then click Delete.
4 If the named group is referenced by one or more rules, prules, Zones, or AutoBlock Exclusions, in the Message window, click OK.

5 In the Edit Address Groups window, click Close.
6 In the Edit Computer window, click OK.
7 If you completed step 4, locate the rules, Zones, or IPS AutoBlock Exclusions that reference the address group that you tried to delete, deselect the address group, and then repeat steps 1 through 6.

Incorporating Secure Port

Secure Port blocks TCP and UDP outbound traffic on local ports defined in Trojan rules and on ports defined by users running Symantec Client Firewall. Secure Port secures the ports so completely that outbound traffic originating from these ports never triggers firewall rulebase inspection. Because the rulebase is not inspected for outbound traffic on these ports, firewall alert messages for outbound traffic never appear for these ports, even when the Always Display Security Alerts feature is enabled. The rulebase is still inspected for inbound traffic destined for these ports. You can enable and disable Secure Port on the Client Settings tab.
See Global settings on page 409.

Secure Port secures all local ports configured as Block in Trojan rules. If the local ports are also configured as Permit in General rules, the ports are still secured: Secure Port overrides the General rule setting.

The following table lists examples of General rules that support Windows networking.

Sample bidirectional, permitted, General rules
Description   Protocol   Remote ports    Local ports   Remote addresses
HTTP          TCP        80                            /24
Kerberos      UDP        88                            /24
EPmap         TCP        135                           /24
NetBIOS       TCP, UDP   137, 138, 139                 /24
LDAP          TCP, UDP   389                           /24

Notice that the rules permit local clients to transmit and receive traffic with local ports , which is necessary because these protocols communicate with clients using random ports beginning with . The rules limit this traffic to IP addresses between and (/24 is shorthand for subnet mask ).

Because these rules are General and permitted, Trojan rules that are configured to block ports inside this range never get enforced. As a result, clients are exposed to attacks across local ports from remote ports 80, 88, 135, 137, 138, 139, and 389 in the x network.

Note: Port 5000 may not be an appropriate upper limit for client computers that are rarely restarted. Use packet capturing tools to discover appropriate upper limits for your organization.

To mitigate this exposure, Secure Port secures ports for outbound traffic so that Windows programs do not attempt to use the secured ports. When Secure Port is enabled, Windows programs that use random ports know that the ports are secured and skip them during random port sequencing. As a result, Secure Port protects clients against Trojan horses that use ports inside General permitted port ranges without interrupting networking traffic.

For example, the following traffic capture shows client/server HTTP traffic, where local client ports are randomly sequencing upwards beginning with port . The remote server port 80 remains static. Before this packet capture, ports 1680 to 1720 were configured as blocked with a Trojan rule, and Secure Port was enabled.
TCP: Port (1676 => 80) Data (SN , ACK , WIN 16271) HTTP: Client Request
TCP: Port (1678 => 80) Data (SN , ACK , WIN HTTP: Client Request
TCP: Port (80 => 1676) Data (SN , ACK , WIN 32120) HTTP: Server Reply
TCP: Port (80 => 1678) Data (SN , ACK , WIN 32120) HTTP: Server Reply
TCP: Port (1676 => 80) Data (SN , ACK , WIN 0 HTTP: Client Request
TCP: Port (80 => 1678) Data (SN , ACK , WIN 32120) HTTP: Server Reply
TCP: Port (1678 => 80) Data (SN , ACK , WIN 0 HTTP: Client Request
TCP: Port (80 => 1678) Data (SN , ACK , WIN 32120) HTTP: Server Reply
TCP: Port (1678 => 80) Data (SN , ACK , WIN 0 HTTP: Client Request
TCP: Port (80 => 1676) Data (SN , ACK , WIN 32120) HTTP: Server Reply
TCP: Port (1676 => 80) Data (SN , ACK , WIN 0 HTTP: Client Request

TCP: Port (80 => 1676) Data (SN , ACK , WIN 32120) HTTP: Server Reply
TCP: Port (1721 => 80) Data (SN , ACK 0, WIN 16384) HTTP: Client Request
TCP: Port (1721 => 80) Data (SN , ACK , WIN 17520) HTTP: Client Request
TCP: Port (1721 => 80) Data (SN , ACK , WIN 17520) HTTP: Client Request
TCP: Port (80 => 1721) Data (SN , ACK , WIN 31761) HTTP: Server Reply
TCP: Port (80 => 1721) Data (SN , ACK , WIN 32120) HTTP: Server Reply
TCP: Port (80 => 1721) Data (SN , ACK , WIN 32120) HTTP: Server Reply
TCP: Port (1721 => 80) Data (SN , ACK , WIN 17520) HTTP: Client Request
TCP: Port (80 => 1721) Data (SN , ACK , WIN 32120) HTTP: Server Reply
TCP: Port (80 => 1721) Data (SN , ACK , WIN 32120) HTTP: Server Reply

Notice in the middle of the capture that the local ports jumped from 1676 to 1721, indicating that the local Web browser never attempted to use ports in the 1680 to 1720 range.

Note: Secure Port secures ports defined as Local Block in Trojan rules only, and also secures these ports in Trusted Zones.

About testing firewall settings

After you run a program several times and use all of its features on a Symantec Client Firewall, many rules are created. It is important to exercise every possible use, connection, port, and operation of the program to get the most complete characterization of the program. It is helpful if you can determine in advance how a program is accessing the Internet. For example, some programs call for the use of consecutive ports, while others use random ports.

When you first hear of a malicious worm infecting corporate networks worldwide, it is important that you take proactive measures to secure your network. After gathering information about the attack, including the ports used and the programs impersonated, you can determine if your network is vulnerable by testing your firewall settings against the threat's method of attack.
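The Secure Port capture above can be checked mechanically rather than by eye. The following Python script is an added example, not part of this guide or of Symantec's tooling: it parses lines in the same "TCP: Port (src => dst)" layout, lists the local ports the client used, and reports any that fall inside a range a Trojan rule blocks, together with the jump that shows the range was skipped. The sample lines are constructed from the excerpt above, and the server port, blocked range, and function names are assumptions of the example.

```python
import re
from typing import List, Tuple

# Constructed sample in the layout of the capture shown above; sequence
# numbers are blank here just as they are in the printed excerpt.
SAMPLE_CAPTURE = """\
TCP: Port (1676 => 80) Data (SN , ACK , WIN 16271) HTTP: Client Request
TCP: Port (1678 => 80) Data (SN , ACK , WIN 16271) HTTP: Client Request
TCP: Port (80 => 1676) Data (SN , ACK , WIN 32120) HTTP: Server Reply
TCP: Port (80 => 1678) Data (SN , ACK , WIN 32120) HTTP: Server Reply
TCP: Port (1721 => 80) Data (SN , ACK 0, WIN 16384) HTTP: Client Request
TCP: Port (80 => 1721) Data (SN , ACK , WIN 31761) HTTP: Server Reply
TCP: Port (1721 => 80) Data (SN , ACK , WIN 17520) HTTP: Client Request
"""

PORT_RE = re.compile(r"TCP: Port \((\d+) => (\d+)\)")


def parse_capture(text: str) -> List[Tuple[int, int]]:
    """Return (source port, destination port) for each TCP line; other lines are skipped."""
    pairs = []
    for line in text.splitlines():
        m = PORT_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def local_ports_used(pairs: List[Tuple[int, int]], server_port: int = 80) -> List[int]:
    """Local client ports: the source of packets sent to the server port and the
    destination of packets coming back from it, in order of first appearance."""
    seen: List[int] = []
    for src, dst in pairs:
        local = src if dst == server_port else dst if src == server_port else None
        if local is not None and local not in seen:
            seen.append(local)
    return seen


def secured_range_violations(ports: List[int], low: int, high: int) -> List[int]:
    """Local ports inside a range that a Trojan rule blocks. With Secure Port enabled
    the list should be empty; anything listed means a program used a secured port."""
    return [p for p in ports if low <= p <= high]


def port_jumps(ports: List[int], min_gap: int) -> List[Tuple[int, int]]:
    """Pairs of consecutive local ports (sorted) that differ by more than min_gap,
    the sign that a program skipped a block of ports during sequencing."""
    ordered = sorted(ports)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if b - a > min_gap]


def check_secure_port(text: str, low: int, high: int, server_port: int = 80) -> dict:
    """Summarise one capture against one blocked local port range."""
    ports = local_ports_used(parse_capture(text), server_port)
    return {
        "local_ports": ports,
        "violations": secured_range_violations(ports, low, high),
        "jumps": port_jumps(ports, high - low),
    }


if __name__ == "__main__":
    print(check_secure_port(SAMPLE_CAPTURE, 1680, 1720))
```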

Testing firewall rules, prules, and Zones

The Test Firewall dialog box lets Symantec Client Security administrators test firewall rules, prules, and Zones for every Location and for all policy file types, including updates. Testing does not involve sending or receiving packets. The procedure for testing TCP and UDP rules is not the same as the procedure for testing ICMP rules.

Because Symantec Client Firewall is stateful, some rules may permit traffic even though they test negative. For example, if you configure an HTTP outbound rule only, the firewall permits inbound HTTP traffic, as long as the traffic is a reply to outbound traffic that the client initiated. If you have an HTTP rule configured for outbound traffic only, the test for inbound HTTP traffic fails, indicating that Web servers cannot initiate inbound traffic to Web clients.

When testing inbound rules, you must type a port number for Local Port and an IP address for Local Adapter. When testing outbound rules, you must type a port number for Remote Port and a remote IP address. Additionally, ICMP uses command numbers, not port numbers. Common command numbers are 0 for echo reply, 3 for destination unreachable, 8 for echo request, and so forth.

Note: Test Firewall validates only the executable file name and digest value for prules. It does not test for file version, file size, and so on.

To test an outbound rule for TCP or UDP
1 In Symantec Client Firewall Administrator, on the File menu, click Test Firewall.
2 In the Test Firewall dialog box, under Direction, click Outbound.
3 Under Protocol, select one of the following:
TCP
UDP
4 Under Remote Port, type a port number.
5 Under Remote Address, type the IP address or host name of a remote computer.
6 Under Local Port, do one of the following:
Check Any local port.
Uncheck Any local port, and then type a port number.
7 Under Local Adapter, do one of the following:
Check Any adapter.
Uncheck Any adapter, and then type an IP address.
8 Under Program, do one of the following:
Check Any program.

Uncheck Any program, and then type the fully qualified path to the program, including the name of the executable.
Uncheck Any program, click Browse, and then navigate to and open the target executable.
9 Click Test.
10 In the Test Results dialog box, click Close.

To test an inbound rule for TCP or UDP
1 In Symantec Client Firewall Administrator, on the File menu, click Test Firewall.
2 In the Test Firewall dialog box, under Direction, click Inbound.
3 Under Protocol, select one of the following:
TCP
UDP
4 Under Remote Port, do one of the following:
Check Any remote port.
Uncheck Any remote port, and then type a port number.
5 Under Remote Address, do one of the following:
Check Any address.
Uncheck Any address, and then type an IP address or host name of a remote computer.
6 Under Local Port, type a port number.
7 Under Local Adapter, type an IP address.
8 Under Program, do one of the following:
Check Any program.
Uncheck Any program, and then type the fully qualified path to the program, including the name of the executable.
Uncheck Any program, click Browse, and then navigate to and open the target executable.
9 Click Test.
10 In the Test Results dialog box, click Close.

To test an inbound rule for ICMP
1 In Symantec Client Firewall Administrator, on the File menu, click Test Firewall.
2 In the Test Firewall dialog box, under Direction, click Inbound.
3 Under Protocol, click ICMP.
4 Under ICMP Command, type an ICMP command number.
5 Under Remote Address, do one of the following:
Check Any address.
Uncheck Any address, and then type an IP address or host name of a remote computer.
6 Under Local Adapter, type an IP address.
7 Click Test.
8 In the Test Results dialog box, click Close.

To test an outbound rule for ICMP
1 In the Symantec Client Firewall Administrator window, on the File menu, click Test Firewall.
2 In the Test Firewall dialog box, under Direction, click Outbound.
3 Under Protocol, click ICMP.
4 Under ICMP Command, type an ICMP command number.
5 Under Remote Address, type an IP address or host name of a remote computer.
6 Under Local Adapter, do one of the following:
Check Any adapter.
Uncheck Any adapter, and then type an IP address.
7 Click Test.
8 In the Test Results dialog box, click Close.

Chapter 12
Using prules

This chapter includes the following topics:
About prules
Viewing Symantec-supplied prules
Creating and editing prules
About Location-aware prules
Configuring prules to support Active Directory
Using Profiling to generate prules and NetSpecs

About prules

A prule, or potential rule, contains the data required to validate an Internet-enabled program and then create a Program rule in Symantec Client Firewall. The first time that a program is run, its corresponding prule is processed. If the program matches the prule criteria, Symantec Client Firewall creates a Program rule using the information that is contained in the prule. Once a Program rule is generated from a prule on a client computer, the prule is never applied again, because the Program rule has a higher processing priority than the prule. If the Program rule is deleted, the prule may be applied again. Using prules lets Symantec Client Firewall generate Program rules as they are needed rather than creating a large number of Program rules that may never be used.

A prule is applied only when both of the following are true:
No Program rule for the program is in place.
No General or Trojan rule that covers the communication that the program requires is in place.

Note: If a rule is in place, but the rule does not cover all the access that a program needs (for example, the rule allows only outbound TCP access on remote port 80 for Internet Explorer, but the program needs access to remote port 443), then a prule is used when the program attempts to access remote port 443.

prules and rule lock settings

A set of Symantec-supplied prules that correspond to many commonly used Internet-enabled programs is installed by default on Symantec Client Firewall. Symantec Client Firewall Administrator lets you customize the default set of prules. For example, you can create custom prules for additional internal corporate or external programs that your users run, or you can remove prules for programs that are restricted by your security policy. Also, if Location Awareness is enabled, you can configure which prules are applied to a Location. After customizing the default set of prules, you can roll out the newly configured prules and related settings to clients as part of a policy package.

By default, most prules are configured to create unlocked Program rules, but you can modify them to create locked Program rules. To ensure client manageability, several Symantec Client Firewall prules associated with Symantec components create locked rules. Any Program rule generated from a prule on the client is, by default, also of rule type unlocked. Unlike locked rules, unlocked rules are not replaced when a policy package is rolled out to a client. Any Program rules generated from prules that are of type unlocked remain in force on the client.

Using a digest value to identify a program

A prule can include a digest, or program signature, that Symantec Client Firewall uses to validate the program's executable file before applying any rule criteria. The digest is a hash value based on unique internal information about the program's executable file.
For the set of prules supplied with Symantec Client Firewall, the program digests are guaranteed to identify authentic copies of the program. For prules that you create for new programs with Symantec Client Firewall Administrator, you generate the digests, or program signatures, based on the executable files that you specify. Before creating a new prule, make certain that the executable file referred to is the genuine program and has not been replaced or altered by a Trojan horse.

The digest is the most stringent means with which to securely identify a program. This capability is useful for preventing threats, such as malicious programs that impersonate genuine programs, from executing on the network.

Priority of prule evaluation

A prule is evaluated after all Zones, AutoBlock lists, and rules are evaluated. Table 12-1 shows the client program evaluation order.

Table 12-1 Client program evaluation order

Order 1
Process: Match the IP address associated with the program against IP addresses in the Zones and AutoBlock lists.
Result: If a match occurs, perform the action (permit or block) and stop any further processing. If no match occurs, continue with rule processing.

Order 2
Process: Check all rules in the following order of priority:
General locked rules
Program locked rules
General unlocked rules
Program unlocked rules
Trojan locked rules
Trojan unlocked rules
Result: The first time that a match occurs, perform the action (permit, block, or monitor) and stop any further rule processing. If monitor or no match occurs, continue with prule processing.

Order 3
Process: Check prules.
Result: If a matching prule exists for the program, check to see if the prule is active for the current Location. If the prule is not active, then do not create the Program rule and complete rule processing by blocking the program. If the prule is active for the current Location, then create the Program rule defined from the prule data on the client and perform the specified action (permit, block, or monitor).

Program rules and prules

A prule also contains information about the rules that determine the conditions under which a program is permitted to connect to the Internet.
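As an added illustration of the three steps in Table 12-1 (example code, not the product's own), the following Python model evaluates one connection attempt through Zones and AutoBlock, then the six rule classes in priority order, then prules, and shows why a prule is never applied again once its Program rule exists. The Connection, Rule, Prule and Firewall types, the sample policy, and all addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Connection:
    program: str        # executable name the request comes from
    remote_ip: str
    remote_port: int
    protocol: str       # "TCP" or "UDP"


@dataclass
class Rule:
    kind: str                               # "General", "Program" or "Trojan"
    locked: bool
    action: str                             # "permit", "block" or "monitor"
    matches: Callable[[Connection], bool]


@dataclass
class Prule:
    program: str
    action: str
    locations: Set[str]                     # Locations where the prule is active


# Step 2 of Table 12-1: the order of priority in which rule classes are checked
RULE_ORDER = [("General", True), ("Program", True), ("General", False),
              ("Program", False), ("Trojan", True), ("Trojan", False)]


@dataclass
class Firewall:
    zones: Dict[str, str]                   # remote IP -> "permit" (Trusted) or "block" (Restricted)
    autoblock: Set[str]                     # remote IPs on the IPS AutoBlock list
    rules: List[Rule]
    prules: List[Prule]
    location: str                           # current Location on the client

    def evaluate(self, conn: Connection) -> Tuple[str, str]:
        """Return (action, reason) for one connection attempt."""
        # Step 1: Zones and AutoBlock lists; a match ends all processing.
        if conn.remote_ip in self.autoblock:
            return "block", "AutoBlock list"
        if conn.remote_ip in self.zones:
            return self.zones[conn.remote_ip], "Zone"
        # Step 2: the first matching rule in priority order decides;
        # a "monitor" match stops rule processing but continues to prules.
        for kind, locked in RULE_ORDER:
            for rule in self.rules:
                if rule.kind == kind and rule.locked == locked and rule.matches(conn):
                    if rule.action == "monitor":
                        return self._check_prules(conn)
                    return rule.action, f"{kind} {'locked' if locked else 'unlocked'} rule"
        return self._check_prules(conn)

    def _check_prules(self, conn: Connection) -> Tuple[str, str]:
        """Step 3: prules."""
        for prule in self.prules:
            if prule.program != conn.program:
                continue
            if self.location not in prule.locations:
                return "block", f"prule not active for Location {self.location}"
            # Create the Program rule on the client. From now on step 2 matches
            # it, so the prule is never applied again for this program.
            name = prule.program
            self.rules.append(Rule("Program", False, prule.action,
                                   lambda c, n=name: c.program == n))
            return prule.action, "prule (Program rule created)"
        return "unmatched", "no rule or prule matched"


def sample_firewall(location: str = "Office") -> Firewall:
    """Constructed policy for the example, not a real policy package."""
    return Firewall(
        zones={"192.0.2.10": "permit"},                 # Trusted Zone entry
        autoblock={"203.0.113.9"},
        rules=[
            Rule("Trojan", True, "block", lambda c: c.remote_port == 6667),
            Rule("General", False, "permit",
                 lambda c: c.protocol == "TCP" and c.remote_port == 6667),
            Rule("General", True, "monitor", lambda c: c.remote_port == 443),
        ],
        prules=[Prule("browser.exe", "permit", {"Office"})],
        location=location,
    )


if __name__ == "__main__":
    fw = sample_firewall()
    web = Connection("browser.exe", "198.51.100.7", 80, "TCP")
    print(fw.evaluate(web))   # first run: decided by the prule
    print(fw.evaluate(web))   # second run: decided by the generated Program rule
```

The sample policy also shows the point made under Secure Port: a General unlocked permit for port 6667 is checked before the Trojan locked block for the same port, so the block never takes effect.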

Guidelines for using prules

In most cases, rule sets for prules are designed to permit, rather than block, Internet access. The rule sets defined when creating a prule are usually such that only expected behaviors by the program, such as communicating through the program's default port, are permitted.

If a prule exists for a program and the program is executed on a client, the following possible courses of events can take place:

If the Automatic Program Control setting is enabled on the client, Symantec Client Firewall silently creates a Program rule and a corresponding rule set that includes permitting the program to communicate over the Internet using the program's designated ports. In most cases, using the Automatic Program Control setting for firewalls is recommended. This minimizes the number of firewall alerts and firewall configuration requests that users receive. You can selectively override automatic rule creation for single prules in the Add and Edit prule dialog boxes.

If the Automatic Program Control setting is not enabled on the client, a sequence of alerts and messages that require user input for configuring the program is displayed on the client. The client is queried as to whether to create a Program rule, and which rule settings to use when the program is executed.

See Specifying default settings for Locations on page 300.
See Firewall settings on page 413.

Following are some guidelines and recommendations for using prules:

prules are most useful when there are many computers in an organization using a divergent set of programs. When many clients in an organization are using the same small set of programs installed in the same volume and directory, using Program rules instead of prules is simpler.

When deciding whether to create a Program rule or a prule, consider that in a Program rule you must specify the fully qualified path.
Therefore, the location of the executable file must be correct on all the client computers that use the information. A prule is path independent; that is, you only have to specify the executable file name.

If a client user has the relevant permissions to create local rules on Symantec Client Firewall, and creates a rule for a program before its prule is executed, the prule is never triggered. When the program runs on the client, the Program rule, being of a higher priority, is always applied before the prule can be used. In cases such as these, make certain there is no conflict of intent between the Program rule and the prule. For example, the prule specifying to block a

communication and the Program rule created by the user specifying to permit a communication.

Any time that a version update is made to a program with a prule, the prule must be reconfigured through Symantec Client Firewall Administrator. If the prule is not reconfigured, Symantec Client Firewall cannot match the prule against the program executable. The firewall blocks the program from running and posts alerts. Users may not receive alerts. When you update a program version, it is possible to retain information about earlier versions so that they can still execute.

If clients are using programs that are updated frequently, consider not creating a prule digest entry for the program to simplify administration. If the program is updated occasionally, consider creating a prule that applies to different program versions. If you use a digest match criterion in the prule for the program, you can optionally use other rules along with the match criterion to regulate the program's Internet connection behavior.
See Digest match criteria on page 358.

prules are most useful for clients with restrictive permissions that cannot create their own rules. They are less useful for clients with permissions that allow them to create rules, because user-created rules can render prules unnecessary under some circumstances. If a user creates, for example, a local Program rule that blocks or permits all traffic for a program that is covered by a prule, the Program rule always executes before the prule, rendering the prule irrelevant.

Note: If a Symantec Client Firewall user creates a customized Program rule for a program that is covered by a prule, but the user-created Program rule contains different traffic rules for the program, the prule can potentially delete all user-created rules and replace them with the rules that are contained in the prule.
Viewing Symantec-supplied prules

The default policy package for firewalls contains a set of prules that provide coverage for many commonly used commercially available programs, as well as Windows Subsystem executables. You can view the list of prules in the current policy package loaded into Symantec Client Firewall by importing them to Symantec Client Firewall Administrator.

You can create customized prules for programs that are unique to your network. When you update your set of prules by using patches or product upgrades, custom prules that you added are deleted. Therefore, it is good practice to create new

prules in a separate policy file, and then merge that policy file with the newly updated policy file.
See Merging rules and prules in policy files on page 290.

Note: You should import prules from Symantec Client Firewall immediately after client installation and save them in a policy file. If you export a policy file to a Symantec Client Firewall that contains one prule, you will delete all prules on the client.

To view the prules in the current policy package
1 In Symantec Client Firewall Administrator, on the File menu, click Import from Active Client.
2 In the File Import Data Selection dialog box, check prules.
3 Click OK.
4 On the prules tab, scroll through the list to view the current prules or to see if a specific executable file for a program is secured by a prule.

Creating and editing prules

In addition to the Symantec-supplied set of prules, you can create new prules using Symantec Client Firewall Administrator. This capability lets you add

protection for commercially available programs for which prules are not supplied and for internal corporate programs. You create or modify a prule for distribution to firewalls by configuring the following sets of options for the prule:

Program identity: Specify the program's executable file and supply a brief description of the program.

Match names: Generate program match names, which label sets of match criteria that are used to authenticate a program's executable file. Each match name for the prule has separate associated match criteria.

Match criteria: Configure the values the prule uses to verify the program before allowing it to communicate. You can configure one or more sets of match criteria for an individual prule, with each match set containing one or more match criteria. You select from among the following match criteria:
File Version: Specify a version number or range of version numbers for the program to use as a match.
Version Data: Specify file resource property values to use as match criteria. After you select this option, you can select one of the following: Comments, Company name, File description, Internal name, Original file name, Product name, Product version, Legal copyright, or Legal trademarks.
Required Digest: Specify a prule digest value to use for matching the Internet-enabled program. Using a required digest match means that the program executable must be authenticated by the digest or a security alert is triggered. It is the strongest method of verifying the authenticity of a program.
File Size: Specify a program executable file size or a range of possible file sizes to use for matching the program.

Rules: Configure the Program rule that is created on Symantec Client Firewall after the executable file specified by the prule has been validated.

Locations: Apply Location-specific settings to the prule.
If the prule should not apply to a Location, add the prule to the Location's prule block exception list.

To create a new prule
In Symantec Client Firewall Administrator, on the prules tab, click Add.

To edit an existing prule
In Symantec Client Firewall Administrator, on the prules tab, select an existing prule, and then click Edit.

The Add prule and Edit prule dialog boxes contain the following areas: Program Identity, Optional switches, Match names, Match criteria, and Rules.

Selectively disabling auto-create

Symantec Client Firewall Administrator includes a prule option never to auto-create Program rules from prules without user intervention. Enable or disable this option under the Description field in the Add prule and Edit prule windows.
See Specifying default settings for Locations on page 300.

Configuring Ignore File Name Matching

By default, Symantec Client Firewall Administrator verifies that the executable file name matches the internal name and original file name as match criteria for the program when a prule is added. Enable or disable this option under the Description field in the Add prule and Edit prule windows.

Most executable files have internal names and original file names in headers. You can view these names by looking at file version properties. For security reasons, when you use the default Any Version match criteria, Symantec Client Firewall

requires executable file headers to contain this information. The file name matching feature prevents malicious code from overwriting a permitted prule program file and executing on client computers, which would happen if the firewall checked for the correct .exe name only.

Configuring Ignore Digest Values

Symantec Client Firewall Administrator lets you decide whether digest values are used to match prules to specific executable versions of a program. You can determine whether digest values are ignored for each individual prule. When Ignore Digest Values is checked, the digest values that are included in a prule are ignored and the application is identified by name, version, date, and size data. When Ignore Digest Values is not checked, an application must match precisely one of the digest values that is included in the prule. Otherwise, a Program rule is not created for the application.

Legacy Symantec Client Firewall clients do not have the option to ignore digest values for individual prules. Legacy clients rely on the client setting Ignore prule Digest Values to determine how all prules are processed. You can also apply this setting to the prules that exist in the current policy file in Symantec Client Firewall Administrator.
See Global settings on page 409.

To configure Ignore Digest Values for individual prules
1 In Symantec Client Firewall Administrator, on the prules tab, select one of the following:
Add: Creates a new prule.
Edit: Opens an existing prule.
2 Under the Description text box, do one of the following:
Check Ignore Digest Values to ignore digest settings in the prule.
Uncheck Ignore Digest Values to activate digest settings in the prule.
To configure Ignore Digest Values for prule sets and legacy clients
1 In Symantec Client Firewall Administrator, on the Client Settings tab, on the General tab, under Global, next to Ignore prule Digest Values, do one of the following:
Click Yes to have legacy clients ignore digest values when creating Program rules from prules.

Click No to have legacy clients use digest values when creating Program rules from prules.
Click Keep Existing Selection: Do Not Change to leave the existing configuration on the clients.
2 In the Apply Configuration to prules dialog box, do one of the following:
Click Yes to apply the configuration to the individual prules in the policy file.
Click No to leave the individual prule settings in the policy file alone.

Specifying the program identity for a prule

The program identity is the executable name of the program.

To specify the program identity for a prule
1 In Symantec Client Firewall Administrator, on the prules tab, select one of the following:
Add: Creates a new prule.
Edit: Opens an existing prule.
2 In the Add or Edit prule dialog box, in the File name text box, type or confirm the executable name of the program. Type only the file name (for example, NewApp.exe), not the path to the executable file.
3 In the Description text box, type a description of the program.
4 Click OK.

Adding or editing match names for a prule

Each match name for the prule is associated with a set of match criteria that the prule uses to validate the executable file, including file size, file version, version information, and digest value.

To add or edit match names for a prule
1 In Symantec Client Firewall Administrator, on the prules tab, select one of the following:
Add: Creates a new prule.
Edit: Opens an existing prule.
2 In the Add or Edit prule dialog box, under Matches, do one of the following:
To add a match name, click Add. By default, the Match name is the file name with a sequential number appended (for example, NewApp.exe-0). You can rename the Match name by clicking Edit and changing the name in the Edit Match Name dialog box. By default, the associated match criteria is set to Any Version. This value is overwritten when a new value is set.
To modify an existing match name, select the match name, and then click Edit.
3 Click OK.

Configuring match criteria

Match criteria are the types of information that are used to validate a program and their values. You begin working with match criteria by selecting from among five types of available criteria. Each of the match criteria types has a dialog box that requests appropriate information. For example, File Size allows you to enter one or more file sizes or a size range that the program must match when the prule is processed on Symantec Client Firewall.

To specify new match criteria
1 In Symantec Client Firewall Administrator, on the prules tab, select one of the following:
Add: Creates a new prule.
Edit: Opens an existing prule.
2 In the Add prule or Edit prule dialog box, under Matches, select a match name.

3 Under Match Criteria, click Add.
4 In the Add Match Criteria dialog box, select one of the five match criteria, and then click OK.

To modify existing match criteria
1 In Symantec Client Firewall Administrator, on the prules tab, select one of the following:
Add: Creates a new prule.
Edit: Opens an existing prule.
2 In the Add prule or Edit prule dialog box, under Matches, select a match name.
3 Under Match Criteria, select the item, and then click Edit.

To specify the match criteria
1 In the Add or Edit prule Match Criteria dialog box, type the requested information, and then click Add.
2 Do one of the following:
If this value is the only value that you want validated, click OK to close the Add prule Match Criteria dialog box.
To add additional values, in the Add or Edit prule Match Criteria dialog box, type the information, and then click Add after each value.
3 When finished, click OK to close the Add prule Match Criteria dialog box.

File version match criteria

File version match criteria can include specific file versions for the program as well as file version ranges. When you configure version match criteria, you can specify one of the following for file matching:
A single version number
A list of nonconsecutive version numbers
A range of version numbers

You can use either the standard four-part version naming convention for version data (four numbers that are separated by three periods, for example, ) or as few digits as are necessary to specify the version or versions that you want.

357 Using prules Creating and editing prules 357 If you specify fewer than four digits, the remaining digits are wildcards. For example, if you specify a value of 2.0, it matches any value from to It does not match versions or Version data match criteria Table 12-2 describes the resource properties that are associated with the program. Table 12-2 Property Comments Company name File description Internal name Original file name Product name Product version Legal copyright Legal trademarks Version data match criteria Description Use the value of the comments property that is associated with the program's executable file. Use the value of the company name property that is associated with the program executable, if one exists. Use the value for the description property of the program's executable file. Use the value of the internal name property of the program executable, if one exists. If no internal file name value was specified before the program was compiled, this value defaults to the program file name without the file suffix. Use the name with which the program executable was created, before any renaming of the file happened. Use the product name that was distributed with this version of the program's executable file. Use the version of the product with which the program's executable file is distributed. A product version number is a 64-bit number displayed according to the format major number.minor number.build number.private part number, such as the value Use the property value that represents the legal copyright of the program. Use the property value that represents the trademarks of the program. A file property that is listed under Resource Name may or may not exist for a given executable file. Examine the Version page of a program's property box, viewable in Windows Explorer, to check which file properties are available.
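The wildcard, list and range semantics described above for file version match criteria, implemented as an added example (not from the guide or from Symantec); the comma-separated list syntax and the "low-high" range syntax are assumptions, the wildcard rule follows the guide's description.

```python
"""File version match criteria, as this guide describes them: a single
version, a list of nonconsecutive versions, or a range; a version given
with fewer than four parts treats the missing parts as wildcards.

Added example for this chapter, not Symantec code. The textual spec
syntax (items separated by commas, ranges written "low-high") is an
assumption; the wildcard semantics follow the guide's description.
"""
from typing import List, Optional, Tuple

PARTS = 4
MAX_PART = 0xFFFF  # each part of a Windows file version is a 16-bit value
Version = Tuple[int, ...]


def parse_partial(text: str) -> List[Optional[int]]:
    """'2.0' -> [2, 0, None, None]; None marks a wildcard part."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= PARTS or any(not 0 <= p <= MAX_PART for p in parts):
        raise ValueError(f"bad version: {text!r}")
    return parts + [None] * (PARTS - len(parts))


def parse_version(text: str) -> Version:
    """Parse the actual file version; unspecified trailing parts are 0."""
    return tuple(0 if p is None else p for p in parse_partial(text))


def expand(partial: List[Optional[int]], low: bool) -> Version:
    """Turn wildcards into the lowest (0) or highest (65535) concrete version."""
    fill = 0 if low else MAX_PART
    return tuple(fill if p is None else p for p in partial)


def matches_single(spec: str, actual: Version) -> bool:
    """A partial spec matches when every specified part equals the actual one;
    wildcard parts match anything, so '2.0' matches 2.0.x.y but not 2.1.x.y."""
    return all(s is None or s == a for s, a in zip(parse_partial(spec), actual))


def matches_range(spec: str, actual: Version) -> bool:
    """'low-high', inclusive. Wildcards in low expand to 0 and in high to
    65535, so '1.5-2' covers 1.5.0.0 through 2.65535.65535.65535."""
    lo_text, hi_text = spec.split("-", 1)
    lo = expand(parse_partial(lo_text), low=True)
    hi = expand(parse_partial(hi_text), low=False)
    return lo <= actual <= hi


def version_matches(spec: str, actual_text: str) -> bool:
    """Evaluate a file version criterion. 'Any Version' is the default the
    guide describes for a new match name and accepts every version."""
    if spec.strip().lower() == "any version":
        return True
    actual = parse_version(actual_text)
    for item in (s.strip() for s in spec.split(",")):
        if "-" in item:
            if matches_range(item, actual):
                return True
        elif matches_single(item, actual):
            return True
    return False
```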

Digest match criteria

A prule digest is a program signature that is derived from a scan of the code sections of a program's executable file. A digest value uniquely identifies a program's executable file. When the prule is invoked on Symantec Client Firewall, the program's digest value is recomputed and compared to the stored digest value of the prule. For a match to occur, the digest of the executed program on Symantec Client Firewall must exactly match that of its digest entry.

Using a digest as a match criterion provides high-level security for verifying the authenticity of a program. A required digest provides the maximum level of security possible. To enable rules to be automatically generated on a client computer the first time that a program is run, you need to have already defined a prule for the program with a digest.

The executable file name that is used in a prule can be associated with more than one program. The same file name can correspond to different programs on a client (for example, Setup.exe) or to different versions of a program (for example, Internet Explorer). In this case, you can create several match names, each with a required digest value corresponding to a different executable.

Note: Whenever a program is updated, either the prule digest value must also be updated or a new digest must be added to the prule. If this step is not done, the new version of the program is blocked from executing.

Required digest match criteria

When you use the required digest match selection, and the program that is associated with the prule is run, Symantec Client Firewall checks the required digest value for each match name, in match name order:
  If a match occurs with a required digest value the first time that a program is executed on a client, the Program rule is created automatically on the client computer.
  If Symantec Client Firewall is unable to match the program against any required digest value in the prule, a security alert is posted and a sequence of dialog boxes prompts the user to configure rules for the program.

Note: Users need the proper permissions to configure Program rules.

Note that once a prule becomes a Program rule, the path locations for the executable files that are associated with the prule cannot be changed, or the Program rule will not work.
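The digest behaviour described above, as an added example that is not Symantec's code: a stand-in digest (SHA-256 over the PE sections flagged as code) is computed over constructed in-memory PE images, showing why two programs that share the name Setup.exe, or two versions of one program, need separate required digests, and how a required digest either matches exactly or fails. The real prule digest algorithm is not documented here; the hashing choice and the sample images are assumptions.

```python
"""Digest over a program's code sections, illustrating the prule digest
idea: the digest covers the executable's code, so two programs that share
a file name (Setup.exe) or two versions of one program get different
digests, and a required digest matches only when the recomputed value is
identical.

Added example for this chapter, not Symantec code. The actual algorithm
behind a prule digest is not documented here; SHA-256 over the raw bytes
of every PE section flagged IMAGE_SCN_CNT_CODE is a stand-in. The PE
images are constructed in memory and are not runnable programs.
"""
import hashlib
import struct
from typing import Dict, List, Set, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_minimal_pe(sections: List[Tuple[bytes, bytes, int]]) -> bytes:
    """Build a tiny PE32 file image from (name, raw data, characteristics)
    triples: DOS stub, PE signature, COFF header, 224-byte optional header,
    section table, then each section's raw data at 512-byte alignment."""
    file_align, opt_size, e_lfanew = 0x200, 224, 0x40
    table_off = e_lfanew + 4 + 20 + opt_size
    headers_size = _align(table_off + 40 * len(sections), file_align)
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # Magic: PE32
    struct.pack_into("<I", opt, 32, 0x1000)         # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)     # FileAlignment
    struct.pack_into("<I", opt, 60, headers_size)   # SizeOfHeaders
    table, body, raw_ptr, rva = b"", b"", headers_size, 0x1000
    for name, data, chars in sections:
        raw_size = _align(len(data), file_align)
        table += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(data), rva,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        rva += _align(max(len(data), 1), 0x1000)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(headers_size, b"\0")
    return headers + body


def code_section_digest(image: bytes) -> str:
    """Walk the PE section table and hash the raw bytes of every section
    that is flagged as containing code, in section-table order."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (nsections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table_off = coff + 20 + opt_size
    h = hashlib.sha256()
    for i in range(nsections):
        hdr = struct.unpack_from(SECTION_HDR, image, table_off + 40 * i)
        raw_size, raw_ptr, chars = hdr[3], hdr[4], hdr[9]
        if chars & IMAGE_SCN_CNT_CODE:
            h.update(image[raw_ptr:raw_ptr + raw_size])
    return h.hexdigest()


def whole_file_digest(image: bytes) -> str:
    """Plain file hash, for contrast with the code-section digest."""
    return hashlib.sha256(image).hexdigest()


def required_digest_matches(match_digests: Set[str], image: bytes) -> bool:
    """A required digest matches only when the recomputed digest is exactly
    equal to one of the digests stored for the prule's match names."""
    return code_section_digest(image) in match_digests


def sample_images() -> Dict[str, bytes]:
    """Three constructed images that would all carry the file name Setup.exe."""
    text = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    rdata = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
    code_a = bytes.fromhex("558bec83ec10c9c3")  # constructed filler, not real code
    code_b = bytes.fromhex("558bec83ec20c9c3")
    return {
        # same code, different resource string: a relabelled build
        "v1": build_minimal_pe([(b".text", code_a, text), (b".rdata", b"Vendor A 1.0\0", rdata)]),
        "v1_relabel": build_minimal_pe([(b".text", code_a, text), (b".rdata", b"Vendor A 1.1\0", rdata)]),
        # different code: an updated program, or an unrelated Setup.exe
        "v2": build_minimal_pe([(b".text", code_b, text), (b".rdata", b"Vendor B 2.0\0", rdata)]),
    }
```

Adding the second program's digest as a further match name, as the guide suggests, is what lets both executables match while anything else still fails.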

File size match criteria

You can specify either a list of nonconsecutive file size values or a range of file sizes to use for matching.

Adding a rule to a prule

After a prule is triggered and the corresponding program runs, the prule becomes a Program rule and it is governed by the rules that are associated with the program. You can selectively lock and unlock the rules that you associate with the prule. See Configuring rule lock settings on page 331.

To add a rule to a prule
1 In Symantec Client Firewall Administrator, on the prules tab, select a rule, and then click Edit.
2 In the Add prules dialog box, under Rules, click Add.
3 In the Add Firewall Rule dialog box, enter the necessary information to create the rule.
4 Click OK.
5 In the Edit prule dialog box, click OK.

Configuring prule lock settings

Symantec Client Firewall Administrator lets you lock and unlock all prules before you export the policy to Symantec Client Firewall. When you lock a prule, all the Program rules that are created when the prule is matched inherit the locked setting, and a user cannot delete the Program rules that are associated with the prule. See About importing and exporting rules and prules on page 286.

To lock or unlock prules
In Symantec Client Firewall Administrator, on the prules tab, select a prule or group of prules, and then select one of the following:
  Lock
  Unlock

About Location-aware prules

Symantec Client Firewall Administrator lets you customize prules for each Location that you configure. By default, Locations contain the entire set of prules that are included in a policy file. For certain Locations, you might need to restrict programs from running. If prules for these programs exist in the set of prules, you can block the prules for the Locations. Blocking a prule restricts the creation of a Program rule and does not allow the program to access the Internet.

Creating prule exceptions for Locations

To configure Location-aware prules, you must identify prule exceptions. You can create prule exceptions either by blocking selected prules from a Location or by permitting selected prules that apply only to a certain Location.

When you create a prule block exception list, populate the list with prules that you don't want to monitor for the Location. The prules in the policy file that are not listed in the prule block exception list remain active for the Location. If you create a prule permit exception list, only the prules in the exception list are active. The prules in the policy file that are not listed in the prule permit exception list are not active for the Location.

For example, you might have a specific set of prules that covers VPN programs that are required for clients that access your network from home. These prules are not necessary for clients that access your network by using a local Ethernet connection, and can be added to the prule block exception list for this Location. If the VPN prules are the only prules that you require when users connect from home, you can add the prules to the prule permit exception list for your Home Location.

Programs that match prules that are not associated with the active Location are blocked when they attempt to access the Internet. If prules do not exist for a certain program, the Rule Exception Handling setting determines Symantec Client Firewall actions. If Location Awareness is turned off, prule settings for the Default Location are applied to Symantec Client Firewall. If a prule exception list exists for the Default Location, network traffic that matches the inactive prules is blocked. Locations that are created from Symantec Client Firewall inherit the prule settings of the Default Location. See Specifying Location-specific settings on page 302.

You can add and delete prule exceptions for each configured Location. When you add a prule exception that does not match an existing prule, the prule exception is not recognized until a corresponding prule is added to the policy's configuration.
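An added model (not Symantec code) of the block and permit exception semantics just described, using the guide's VPN example and the shared setup.exe file name; the data structures, the mode names "block" and "permit", and the sample Locations are assumptions.

```python
"""Location-aware prule exception evaluation as this chapter describes it:
a block exception list leaves every unlisted prule active, a permit
exception list activates only the listed prules, programs matching an
inactive prule are blocked, programs with no prule fall through to Rule
Exception Handling, and a Location with no settings of its own inherits
those of the Default Location.

Added example for this chapter, not Symantec code. The data structures,
the mode names "block" and "permit", and the sample prule and Location
names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Prule:
    file_name: str      # the executable name the prule is keyed on
    description: str    # e.g. which vendor's program this match covers


@dataclass
class LocationConfig:
    mode: Optional[str] = None                         # None, "block", or "permit"
    exceptions: Set[str] = field(default_factory=set)  # prule file names


def active_prules(prules: List[Prule], cfg: LocationConfig) -> List[Prule]:
    """Prules that stay active for a Location. Exceptions are matched by file
    name, case-insensitively, so an exception for setup.exe reaches every
    prule that uses that name. An exception naming no existing prule is not
    recognized and has no effect."""
    names = {e.lower() for e in cfg.exceptions}
    if cfg.mode == "block":
        return [p for p in prules if p.file_name.lower() not in names]
    if cfg.mode == "permit":
        return [p for p in prules if p.file_name.lower() in names]
    return list(prules)


def decide(program: str, prules: List[Prule], locations: Dict[str, LocationConfig],
           active_location: str, location_awareness: bool,
           rule_exception_handling: str) -> str:
    """Outcome when a program first tries to reach the Internet on a client."""
    loc = active_location if location_awareness else "Default"
    cfg = locations.get(loc) or locations.get("Default") or LocationConfig()
    name = program.lower()
    if not any(p.file_name.lower() == name for p in prules):
        return rule_exception_handling          # "Permit", "Block" or "Prompt"
    if any(p.file_name.lower() == name for p in active_prules(prules, cfg)):
        return "Program rule created"
    return "Blocked"


def sample_policy():
    """Constructed policy for the guide's VPN example plus the setup.exe note."""
    prules = [
        Prule("vpnclient.exe", "VPN client required for home users"),
        Prule("iexplore.exe", "Web browser"),
        Prule("setup.exe", "Vendor A installer"),
        Prule("Setup.exe", "Vendor B installer"),
    ]
    locations = {
        "Default": LocationConfig(),
        # Office: VPN is unnecessary on local Ethernet, so block that prule;
        # the setup.exe exception hits both installers' prules
        "Office": LocationConfig("block", {"vpnclient.exe", "setup.exe"}),
        # Home: only the VPN prule should be active; notyet.exe has no prule
        "Home": LocationConfig("permit", {"vpnclient.exe", "notyet.exe"}),
    }
    return prules, locations
```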

Note: Software programs often share the same application executable name. For example, setup.exe is associated with many software installation applications. If you create a prule block exception for a common application name, the prule block exception applies to all applications with the same name. In the example, if you create a prule block exception for setup.exe, prules for any application that uses setup.exe to start its install program are blocked from automatically creating Program rules. Also, any attempts that setup.exe makes to access the Internet are blocked.

To add prule block exceptions for a Location
1 In Symantec Client Firewall Administrator, on the prules tab, on the Settings tab, under Location Configurations, select a Location to configure.
2 In the Configuration drop-down list, click Block selected - Permit all except those Blocked below.
3 Under Blocked prules, click Add.
4 In the Add Blocked prules dialog box, do one of the following:
  Select Specify a prule manually by File Name, and then type the file name that you want to block.
  Select Select prule(s) from list, and then check the prules that you want to block.
  Note: You can use the Import button to import a prule list from another policy file that will populate the list of prules that you can block. This action does not merge the actual prules into your policy file. If the prules do not exist in your current policy file, the prule block exceptions remain inactive until you merge the actual prules into your policy file. See Merging rules and prules in policy files.
5 Click OK.

To add prule permit exceptions for a Location
1 In Symantec Client Firewall Administrator, on the prules tab, on the Settings tab, under Location Configurations, select a Location to configure.
2 In the Configuration drop-down list, click Permit selected - Block all except those Permitted below.
3 Under Permitted prules, click Add.
4 In the Add Permitted prules dialog box, do one of the following:
  Select Specify a prule manually by File Name, and then type the file name that you want to permit.
  Select Select prule(s) from list, and then check the prules that you want to permit.
  Note: You can use the Import button to import a prule list from another policy file that will populate the list of prules that you can permit. This action does not merge the actual prules into your policy file. If the prules do not exist in your current policy file, the prule permit exceptions remain inactive until you merge the actual prules into your policy file. See Merging rules and prules in policy files.
5 Click OK.

To delete prule block exceptions from a Location
1 In Symantec Client Firewall Administrator, on the prules tab, on the Settings tab, under Location Configurations, select a Location to configure.
2 Under Blocked prules, select the prule exception that you want to delete.
3 Click Delete.
4 In the Confirmation dialog box, click Yes.

To delete prule permit exceptions from a Location
1 In Symantec Client Firewall Administrator, on the prules tab, on the Settings tab, under Location Configurations, select a Location to configure.
2 Under Permitted prules, select the prule exception that you want to delete.
3 Click Delete.
4 In the Confirmation dialog box, click Yes.

Resetting prule exceptions for a Location

You can unintentionally block software applications from accessing the Internet by creating prule exceptions. Symantec Client Firewall blocks any application name that matches a prule block exception or that is not included in a prule Permit exception. Before you create prule exceptions for common application names, make sure that Symantec Client Firewall gives necessary applications in your network access by using General or Program rules. If you find that too many applications are being blocked because of the prule exceptions that you configured for a Location, you can reset prule exceptions to permit all prules for that Location.

To reset prule exceptions for a Location
1 In Symantec Client Firewall Administrator, on the prules tab, on the Settings tab, under Location Configurations, select a Location to reset.
2 Click Reset.
3 In the Confirmation dialog box, click Yes.

Copying multiple prule exceptions to other Locations

If you need identical prule exceptions for two or more Locations, you can copy prule exception configurations from one Location to other Locations. After you configure a Location with the required prule exceptions, you can copy this configuration to other Locations.

To copy multiple prule exceptions to other Locations
1 In Symantec Client Firewall Administrator, on the prules tab, on the Settings tab, under Location Configurations, select a Location to copy.
2 Click Copy.
3 In the Copy prule Location Configuration dialog box, click the Locations to which you want the prule exceptions to apply.
4 Click OK.

Copying individual prule exceptions to another Location

If you have multiple Locations that require a prule permit or block exception, you can copy the prule exception to other Locations that have the same Location configuration. For example, if two Locations are configured to block selected prules, you can copy a prule block exception from one Location to the other Location.

To copy individual prule block exceptions to another Location
1 In Symantec Client Firewall Administrator, on the prules tab, on the Settings tab, under Blocked prules, select a prule to copy.
2 Click Copy.
3 In the Copy prule Blocks dialog box, select the Locations to which you want to copy the prule block exception.
4 Click OK.

To copy individual prule permit exceptions to another Location
1 In Symantec Client Firewall Administrator, on the prules tab, on the Settings tab, under Permitted prules, select a prule to copy.
2 Click Copy.
3 In the Copy prule Permits dialog box, select the Locations to which you want to copy the prule permit exception.
4 Click OK.

Configuring prules to support Active Directory

Typically, a Windows 2000 client in a Windows 2000 network uses the following processes for networking in an Active Directory environment:
  C:\Winnt\System32\Lsass.exe      Supports Kerberos, LDAP, EPmap, and Nterm
  C:\Winnt\System32\Services.exe   Supports NTP, Bootp, Kerberos, DNS, and EPmap
  C:\Winnt\Explorer.exe            Supports LDAP
  C:\Winnt\System32\Winlogon.exe   Supports LDAP
  Windows Subsystem                Supports NetBIOS and SMB

Table 12-3 shows a rulebase that supports Windows 2000 networking in an Active Directory environment, in which all rules are permitted bidirectional rules unless indicated in the Description column.

Table 12-3 Sample program rulebase

Executable     Description                      Protocol   Remote ports     Local ports
Lsass.exe      Kerberos                         UDP
               EPmap                            TCP
               LDAP                             TCP, UDP
               Nterm                            TCP
Services.exe   DNS                              TCP, UDP
               Bootp                            UDP        67, 68           67, 68
               Kerberos                         UDP
               NTP                              UDP
               EPmap                            TCP
Explorer.exe   LDAP                             TCP, UDP
Winlogon.exe   LDAP                             TCP, UDP
System         NetBIOS                          TCP, UDP   137, 138, ...
               NetBIOS to 139 (inbound only)    TCP
               SMB (microsoft-ds)               TCP

Additionally, be sure to verify that locked General rules are not blocking protocols such as SMB and EPmap, and that the upper port range of 5000 is satisfactory in your environment.

Table 12-4 Profiling overview

Symantec Client Firewall Administrator
  Configure the following settings:
    Enable Profiling for programs.
    Enable Profiling for connections.
    Specify the amount of time to profile.
    For Locations, set Rule Exception Handling to Permit, Block, or Prompt.
  Export the policy file to Symantec Client Firewall.

Symantec Client Firewall
  Perform a variety of networking activity such as the following:
    Display network servers in a window.
    Connect to the Internet.
    Connect to an Internet account or secure Web site over HTTPS.
    Perform LiveUpdate from Symantec Client Firewall.
    Print.
    Execute the following DHCP commands from the MS-DOS command line: ipconfig /release and ipconfig /renew.
    Restart your computer, log on, and then authenticate to a domain.
    Send and receive e-mail.

Symantec System Center
  Perform the following activities:
    Right-click the client computer.
    Using All Tasks, view the profiled firewall exceptions and then the profiled firewall connections.
    Save each profile as a .csv comma-delimited file.

Symantec Client Firewall Administrator
  Perform the following activities:
    Retrieve the .csv file that contains the profiled firewall exceptions.
    Select an exception and process it. A prule either gets created or updated.
    Open the .csv file that contains the profiled connections.
    Select a connection and process it. A NetSpec is added to the user-specified Location.
    Export the policy file to Symantec Client Firewall.

If you have prules in the policy, traffic matching these rules is not profiled. The Program rule is created and is not treated as an exception.

Enabling Profiling in policy files

Symantec Client Firewall Administrator lets you enable Profiling in policy files.

To enable Profiling in policy files
1 In Symantec Client Firewall Administrator, on the Locations tab, on the Connection Management tab, select a Location that may be used during Profiling.
2 Click Edit.
3 In the Edit Location window, next to Rule Exception Handling, click Permit, and then click OK.
4 Repeat steps 1 through 3 for each Location that may be used during Profiling.
5 On the Profiling tab, click Options.
6 In the Profiling Options window, check one or both of the following:
  Enable program profiling
  Enable connection profiling
7 In the Profiling Options window, do one of the following:
  Check Continuous profiling.
  Check Suspend profiling after, and then type the number of days.
8 Click OK.
9 Click File > Save.

About exporting the policy file to clients

To enable Symantec Client Firewall to save profiled data, you must export the policy file to one or more clients. You can use a variety of tools and ways to export the policy file, including Symantec System Center and Symantec Client Firewall Administrator. See Importing and exporting policies and updates on page 283. See Distributing policies on page 292.

Viewing and saving profiled data with Symantec System Center

Symantec System Center lets you view and save profiled data from Symantec Client Firewall to files with .csv extensions. Also, consider using Symantec System Center to sort large amounts of data, because Symantec Client Firewall Administrator does not support sorting. See About sorting with Symantec System Center on page 374.

To view and save profiled data with Symantec System Center
1 In Symantec System Center, in the right pane, right-click the client that contains profiled information, and then do one of the following:
  Click All Tasks > Symantec Client Firewall > View Profiled Firewall Exceptions.
  Click All Tasks > Symantec Client Firewall > View Profiled Connections.
2 In the Environmental Profiling Firewall Exceptions window, drag the window edges sideways to enlarge it and inspect the data, and click column headings to sort the data. Most likely you will want to sort the File Information column.
3 To save the sorted data, do the following:
  Click the floppy disk icon.
  In the Save As window, next to File name, type a file name.
  Click Save.

Retrieving profiled information

You should open a policy file to update before retrieving (opening) .csv files, which contain update information to integrate with a policy file.

To retrieve profiled information
1 In Symantec Client Firewall Administrator, on the Profiling tab, click Retrieve.
2 In the File Open window, browse to and select the .csv file to open.
3 Click Open.

Processing profiled firewall rule exceptions

You process profiled firewall rule exceptions to create prules or update existing prules with the same digest. When you begin processing information, Symantec Client Firewall Administrator prompts you to decide whether to update the existing policy file or open a new one. Table 12-5 lists and describes the options.

Table 12-5 Policy file choices

Option: Close/save the current policy file and open the <profiled policy> policy file before processing <profiled policy> events.
Description: Gives you the option to open and update the policy file that you pushed to Symantec Client Firewall for Profiling.

Option: Process <profiled policy> events using the current <currently opened> policy file.
Description: Gives you the option to update the policy file that you are currently viewing.

Option: Close/save the current policy file and create a new, empty policy file before processing <profiled policy> events.
Description: Gives you the option to update a new, default policy file.

If you are unfamiliar with Profiling, select the last option to create a new policy file so that you can become familiar with creating and updating prules. Then, process an exception to create a prule, and then reprocess the exception but add a different port number when prompted, to see how the prule that you created the first time is updated with the additional port number.

After processing one entry, Symantec Client Firewall Administrator compares all entries against the prules. If a prule does not match the executable file, a new prule is created. If a prule is matched but the program digest is different, a new program digest is added to the prule. If a prule is matched but does not contain the rule for the port number and IP addresses processed, a new rule is added to the prule. Furthermore, all profiled exceptions that match prule entries are marked as processed so you do not waste time processing those entries. See Refreshing profiled data on page 373.
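The create / add-digest / add-rule logic just described, as an added example that is not Symantec code, run as a batch over a constructed .csv export whose column names are assumptions (the real profiled-exception layout is not reproduced here). It also sets aside loopback entries, which the section on working with .csv files later in this chapter says belong in a General rule rather than a prule.

```python
"""Processing profiled firewall exceptions into prules, following the rules
this chapter gives: no prule for the executable -> create one; prule found
but a different digest -> add the digest; prule found but no rule for the
port and address -> add a rule; entries already covered are marked
processed; loopback traffic is left for a General rule instead.

Added example for this chapter, not Symantec code. The .csv column names
and every record below are constructed; the real profiled-exception export
has its own layout. The batch loop generalizes the per-entry wizard the
guide describes.
"""
import csv
import io
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample export (column names are assumptions, not Symantec's).
SAMPLE_CSV = r"""file_information,digest,protocol,local_ip,local_port,remote_ip,remote_port
C:\Program Files\Vendor\vpnclient.exe,aaaa1111,UDP,192.0.2.10,500,203.0.113.10,500
C:\Program Files\Vendor\vpnclient.exe,aaaa1111,UDP,192.0.2.10,4500,203.0.113.10,4500
C:\Program Files\Vendor\vpnclient.exe,bbbb2222,UDP,192.0.2.10,500,203.0.113.10,500
C:\Winnt\System32\helper.exe,cccc3333,TCP,127.0.0.1,1025,127.0.0.1,9000
C:\Program Files\Vendor\vpnclient.exe,aaaa1111,UDP,192.0.2.10,500,203.0.113.10,500
"""

Rule = Tuple[str, str, int]   # (protocol, remote IP address, remote port)


@dataclass
class Prule:
    file_name: str
    digests: Set[str] = field(default_factory=set)   # one digest per match name
    rules: List[Rule] = field(default_factory=list)


def is_loopback(row: Dict[str, str]) -> bool:
    """Both ends on the loopback address: an internal operation, not
    something to build a prule for (a loopback General rule covers it)."""
    return row["local_ip"].startswith("127.") and row["remote_ip"].startswith("127.")


def process_exceptions(csv_text: str, prules: Dict[str, Prule]) -> List[Tuple[int, str]]:
    """Apply each profiled exception to the prule set in place and report the
    action taken per row (1-based row numbers, as the Profiling tab lists them)."""
    report: List[Tuple[int, str]] = []
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        if is_loopback(row):
            report.append((n, "skipped: loopback traffic, use a General rule"))
            continue
        name = row["file_information"].rsplit("\\", 1)[-1].lower()  # prule keyed on file name
        rule: Rule = (row["protocol"].upper(), row["remote_ip"], int(row["remote_port"]))
        prule = prules.get(name)
        if prule is None:
            prules[name] = Prule(name, {row["digest"]}, [rule])
            report.append((n, "prule created"))
        elif row["digest"] not in prule.digests:
            prule.digests.add(row["digest"])         # new match name for the updated build
            if rule not in prule.rules:
                prule.rules.append(rule)
            report.append((n, "digest added"))
        elif rule not in prule.rules:
            prule.rules.append(rule)
            report.append((n, "rule added"))
        else:
            report.append((n, "already covered, marked processed"))
    return report
```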

When you use the Processing Wizard, you can specify the local and remote ports on the Profiling tab for inbound and outbound traffic. You can specify ports for both directions. You can also specify Any for both local and remote ports. Local and remote port settings default to Any regardless of the Connection type that you select.

Note: The buttons for Mark Processed, Mark Unprocessed, and Show/Hide Processed are used as visual indicators only. They do not provide processing functionality.

To process profiled firewall rule exceptions
1 In Symantec Client Firewall Administrator, on the Profiling tab, select an exception to process.
2 Click Process.
3 In the Select Policy for Profile Event Processing window, select one of the options, and then click OK. See Table 12-5.
4 In the Add Rule window, select one of the following rule actions, and then click Next:
  Permit
  Block
  Monitor
5 To log when this rule is matched, under Do you want to track new connections, check Write an event log entry when a connection matches this rule.
6 Click Next.
7 Select one of the following connection options, and then click Next:
  Connections to other computers
  Connections from other computers
  Connections to and from other computers
8 Select the computers and adapters to permit, block, or monitor, and then click Next. If you select a specific adapter IP address that conflicts with Location connection specifications, the rule may never be enforced.
9 Select the ports to permit, block, or monitor, and then click Next.
10 Select the protocols to permit, block, or monitor.
11 Type a description for the rule, and then click Finish. A check appears on the left side of the profiled selection, indicating that it was processed.
12 On the prule tab, verify that the prule was created, and edit as necessary.

Processing profiled connections

The purpose of processing profiled firewall connections is to add them to Unassigned Connections on the Location tab's Connection Management tab, where you can move and associate the profiled connections with Locations. When you begin processing connections, Symantec Client Firewall Administrator prompts you to decide whether to update the existing policy file or open a new one. Table 12-5 lists and describes the options in the prompt. If you are unfamiliar with Profiling, select the last option to create a new policy file so that you can become familiar with how processing works to create connections for Locations.

Note: The buttons for Mark Processed and Mark Unprocessed are used as visual indicators only. They do not provide processing functionality.

To process profiled connections
1 In Symantec Client Firewall Administrator, on the Profiling tab, select an exception to process.
2 Click Process.
3 In the Select Policy for Profile Event Processing window, select one of the options, and then click OK. See Table 12-5.
4 In the Edit Connection window, next to Description, type a description.
5 Next to Location, select a Location.
6 Click OK.
7 On the Locations tab, on the Connection Management tab, verify that the connection was assigned to the desired Location.
8 To move the connection to a Location, click Move Up until the connection is associated with the desired Location.

Refreshing profiled data

You can refresh profiled data to display which profiled data is, and is not, already contained in prules, rules, Zones, or NetSpecs. The Refresh feature lets you quickly see which profiled data to work with. After you refresh data, entries that are contained in prules, rules, Zones, or NetSpecs show a check mark in the left column. Data entries that are not contained in prules, rules, Zones, or NetSpecs do not show a check mark in the left column.

To refresh profiled data
In Symantec Client Firewall Administrator, on the Profiling tab, click Refresh Status.

About working with .csv files

To better understand the Profiling process, you may want to export a core set of rules and prules that support corporate networking, and then profile the exceptions. Profiled data viewed with Symantec System Center may also grow quite large after a few days, so you need to know how to extract relevant information and manage growth.

The purpose of Profiling firewall exceptions is to generate a list of connection activity with which to create prules. Exporting a policy file full of rules may defeat this purpose, depending on your situation. Additionally, you typically do not want to profile programs performing loopback operations, because loopback operations are internal communications only. Local Ethernet adapters have an internal loopback IP address, which is not routable. When both the local and the remote IP address in profiled data are that loopback address, the program is performing a loopback operation, which is common for some programs. You do not want to create prules for specific executable files that support traffic to or from the loopback address. Rather, you should create a loopback General rule that permits all TCP/UDP traffic to and from the loopback address as both the local and the remote address.

A good starting point is to create a policy file with the Program rules that support Symantec client products, and a few General rules. To get the Program rules, import a recently installed Symantec Client Firewall policy, and then delete all rules and prules with the exception of Program rules. After importing, be sure to set Firewall Exception handling to Permit for all Locations. Then, create three General rules: one for loopback, one for ICMP, and one for Rtvscan.exe to support Symantec System Center communications. Be sure to set the local address for the Loopback rule to the loopback address, to prevent attacks from spoofed remote addresses.

Table 12-6 shows the information that is necessary to create these rules.

Table 12-6 Sample Profiling General rulebase

Description   Protocol   Remote ports   Local ports   Remote addresses
Loopback      TCP, UDP   Any            Any
ICMP          ICMP       Any            Any           Any
Rtvscan.exe   UDP        2967, ...      Any

Next, on the Client Settings tab, disable as many features as possible to increase performance, if performance is an issue. Be sure to disable stealth blocked ports. Finally, you may also want to create prules to support Active Directory. The resulting rulebase should allow your client computer to operate in a relatively normal manner, while generating exception data for a small number of programs in a strict corporate environment. prules that become Program rules do not appear in profiled data. See Configuring prules to support Active Directory on page 364.

About sorting with Symantec System Center

For programs that use random ports, such as Web browsers, your profiled firewall exception list may contain several entries for a single application. Each time that the program uses a new random port, the firewall profiles the exception. In these cases, you may find that you need to sort data. Two of the more beneficial attributes to sort on are IP destination address and file information. Sorting on IP destination address is useful because it allows you to separate exceptions that are performing loopback operations to the loopback address. Sorting on file information is useful because it allows you to separate exceptions that are using random ports for a single executable file. If you find it necessary to sort data, you can use Symantec System Center before saving and importing the .csv file into Symantec Client Firewall Administrator.

Reducing the amount of profiled data

The data profiled on Symantec Client Firewall is logged by the Symantec AntiVirus client. Each time that you view the profiled data with Symantec System Center, the data that appears may be as old as the oldest log file, which is typically configured to remain on clients for 31 days. If you have a large amount of profiled data, you may want to delete it and start over.

Warning: When you delete logs, you delete information generated by the Symantec AntiVirus client, including infection and scanning histories.

You have the following two options for reducing the amount of profiled data:
  Filter the logs when viewing them with Symantec System Center.
  Reduce the antivirus client history configuration time, which actually deletes log files.

To filter the logs
1 In Symantec System Center, in the right pane, right-click the client that contains profiled information, and then click All Tasks > Symantec Client Firewall > View Profiled Firewall Exceptions.
2 In the Environmental Profiling Firewall Exceptions window, in the drop-down list, select a time value that is smaller than the current setting.

To reduce the history configuration time
1 On the client computer, on the Windows taskbar, click Start > Programs > Symantec Client Security > Symantec AntiVirus client.
2 In the Symantec AntiVirus window, on the File menu, click Configure Histories.
3 Next to Delete After, do one of the following:
  Select a lesser number of days to keep log data.
  To purge all logs, select 1 day.
4 Click OK.


Chapter 13  Customizing Intrusion Prevention

This chapter includes the following topics:
- About the Intrusion Prevention System
- Supporting different versions of IPS engines and signatures
- Excluding attack signatures from being blocked
- Configuring AutoBlock
- Locking IPS exclusions and IP addresses

About the Intrusion Prevention System

The Intrusion Prevention System (IPS) that Symantec Client Firewall uses scans each packet that enters and exits its host computer for attack signatures: packet sequences that identify an attacker's attempt to exploit a known operating system or program vulnerability.

The IPS examines packets in two different ways. It scans each packet individually, looking for patterns that do not adhere to specifications and that can crash the TCP/IP stack. It also monitors the packets as a stream of information, looking for commands directed at a particular service to exploit or crash the system. The IPS can remember the list of patterns or partial patterns from previous packets, and can apply this information to subsequent packet inspections.

If the information matches a known attack, the IPS automatically discards the packet and severs the connection with the computer that sent the data. This feature is called AutoBlock, and it protects computers on your network from being affected in any way. AutoBlock does not use Location Awareness, so the IP address of the attacking computer is blocked for all Locations.

The IPS relies on an extensive list of attack signatures to detect and block suspicious network activity. You can control whether or not to exclude attack signatures from blocking, and whether or not to lock signatures to prevent users from changing them. Symantec supplies the known threat list, which you can update on Symantec Client Firewall using Symantec LiveUpdate. You can also exclude and lock specific IP addresses from IPS AutoBlock, which also affects all Locations.

See Excluding computers from AutoBlock on page 314.

The default IPS settings should provide your Symantec Client Firewall computers with adequate protection against a wide variety of threats. If the default settings do not completely address the needs of your network, or if you want to prevent users from excluding particular signatures, you can customize IPS settings in one or more of the following ways:
- Enable and disable the IPS.
- Exclude specific attack signatures from being monitored.
- Enable and disable AutoBlock.
- Lock attack signatures and excluded computers to prevent user modification.

Supporting different versions of IPS engines and signatures

Symantec Client Firewall contains major improvements to the IPS technology, including smarter IPS signatures that better protect client computers from an intrusion attack and a stateful engine that keeps track of all incoming and outgoing traffic. A new IPS engine and a corresponding set of IPS signatures contain these improvements, and are installed on Symantec Client Firewall by default.

To support earlier versions of Symantec Client Firewall, Symantec Client Firewall Administrator contains two sets of IPS signatures. Symantec Client Firewall uses only one set of IPS signatures, which is determined by the version of the IPS engine that is installed.

Symantec Client Firewall Administrator supports the following versions of IPS signatures:
- v1.x signatures
- v2.x signatures

The current version of Symantec Client Firewall contains the new IPS engine, which uses only v2.x signatures. Earlier versions use v1.x signatures by default, but can use v2.x signatures if you upgrade their IPS engines.

Before you configure IPS settings, you should determine whether your network requires both versions of IPS signatures. If possible, you should migrate all of the client computers in your network to the current version of Symantec Client Firewall. If that is not possible, you can upgrade the IPS engines of earlier Symantec Client Firewall versions to support v2.x signatures. By upgrading legacy clients, you can decrease the size of your policy file by configuring only v2.x signatures, and unchecking v1.x signatures when you save and import the policy file.

If you require both IPS signature versions in your network environment, you must consider the best method of managing your firewall policy. If convenience outweighs policy file size, you can save both sets of IPS signatures in a single policy file. If you update Symantec Client Firewall with a policy that includes both sets of IPS signatures, Symantec Client Firewall identifies the IPS engine and applies only the appropriate IPS signature settings. If minimizing policy file size is more important, you can configure two policy files with different IPS signature versions. You can then update client computers with the policy file that matches their IPS engine version.

Note: If your network environment contains Symantec Client Firewall legacy clients earlier than v7.x, you must create a separate policy file for these clients that contains the appropriate IPS signature version.

See Supporting policies for legacy clients on page 295.
See Setting user access levels for legacy clients on page 435.

Excluding attack signatures from being blocked

You might want to disable IPS protection for the following reasons:
- In some cases, benign network activity may appear similar to a Symantec Client Firewall attack signature. If you receive repeated warnings about possible attacks, and you know that these attacks are being triggered by safe behavior, you can exclude the attack signature that matches the benign activity.
- Lowering the number of attack signatures that Symantec Client Firewall checks for lowers the amount of resources that the firewall consumes.

However, you must be certain that an attack signature poses no threat before excluding it from blocking.

To exclude an IPS attack signature from being blocked
1 In Symantec Client Firewall Administrator, on the IPS tab, select the tab that corresponds to the IPS signatures that you want to configure.
2 Under Exclude, check the attack signatures that you want to exclude from firewall blocking.

Configuring AutoBlock

When Symantec Client Firewall detects an attack, it automatically blocks the connection to ensure that your computer is safe. The program can also activate AutoBlock, which automatically discards all incoming communication from the attacking computer for a set period of time, even if the incoming communication does not match an attack signature.

By default, AutoBlock stops all inbound traffic from the attacking computer and outbound traffic to the attacking computer for 30 minutes. Symantec Client Firewall users that have the necessary permissions can extend this time up to 48 hours.

See Excluding computers from AutoBlock on page 314.

To configure AutoBlock
1 In Symantec Client Firewall Administrator, on the Client Settings tab, under Intrusion Prevention, next to Intrusion Prevention - AutoBlock, click the cell.
2 In the drop-down list, select one of the following:
  - Enable
  - Disable
  - Keep Existing Selection: Do Not Change

Locking IPS exclusions and IP addresses

Unless you lock IPS attack signatures, Symantec Client Firewall users can possibly modify the settings. Padlock icons in the Lock column identify locked settings. Table 13-1 describes the lockable items that are available on the Signatures tab.

Table 13-1  Signatures tab options

Option                  Description
Locked and Excluded     Client users cannot include the signature in the monitored signature list.
Unlocked and Excluded   Client users can include the signature in the monitored signature list.
Locked and Included     Client users cannot exclude the signature from being monitored.
Unlocked and Included   Client users can exclude the signature from being monitored.

To lock IPS exclusions
1 In Symantec Client Firewall Administrator, on the IPS tab, select one of the following IPS signature sets to configure:
  - v1.x Signatures
  - v2.x Signatures
2 In the Lock column, click next to the signature that you want to lock.
3 Click Locked.


Chapter 14  Managing client log data

This chapter includes the following topics:
- About logging
- Setting the logging level
- Viewing Event Logs from the Symantec System Center

About logging

The Symantec Client Firewall Log Viewer contains information about activity permitted and blocked by the firewall for each client, and data on various aspects of firewall functioning. You can examine the specifics of problem traffic, or assess patterns of overall firewall activity. Data for the Log Viewer is organized into categories. Table 14-1 lists the Log Viewer tabs and their descriptions.

Table 14-1  Event Log tabs

Tab                    Information
Content Blocking       Details about Java applets and ActiveX controls that Symantec Client Firewall monitors.
Connections            A history of all TCP/IP network connections made with the Symantec Client Firewall computer. Connections are logged when the connection is closed.
Firewall               Traffic intercepted by the firewall, including rules that were processed, alerts displayed, unused ports blocked, and AutoBlock events.
Intrusion Prevention   The state of Intrusion Prevention, the attack signatures that are monitored, and the number of intrusions that are blocked. Also lists any IPS attacks that were blocked.
Privacy                The cookies that have been permitted or blocked, including the name of the cookie and the Web site that requested the cookie. The information listed depends on the cookie settings. Also lists Web sites that try to retrieve system information or the address of the Web site last visited; this information depends on the Enable Browser Privacy setting.
Private Information    Private information sent or blocked.
System                 When Symantec Client Firewall has been enabled or disabled, connection activity, and administrator updates to rules, prules, and IPS settings.
Web History            URLs visited by the computer, providing a history of Web activity.
Alerts                 All alert activity, including normal Internet Access Control alerts and security alerts triggered by possible attacks on the Symantec Client Firewall computer.
Configuration          Information regarding configuration changes and updates to rules and IPS signatures.

Setting the logging level

Symantec Client Firewall logs events that signify a change in configuration settings and that detail the client's network activities and any actions that the firewall takes in response to the network activities. The logging level lets you determine the type of information that Symantec Client Firewall logs. Table 14-2 lists and describes the Symantec Client Firewall logging levels.

Table 14-2  Symantec Client Firewall logging levels

Logging level   Description
Default         Provides details about network connections, configuration and system changes, and security alerts, including Intrusion Prevention and Trojan horse attacks. Web sites, private information, and ads that are blocked are also logged.
Verbose         Provides details about all the events that are logged with the default setting. Also logs the user agent, information about visited sites, and cookies. Additionally, private information, Java applets, ActiveX controls, ads, and Web sites that are allowed are also logged.

To set the logging level
In Symantec Client Firewall Administrator, on the Client Settings tab, on the General tab, under Global, next to Logging Level, select one of the following:
- Default
- Verbose

Viewing Event Logs from the Symantec System Center

The Symantec System Center allows you to display log data for one or more Symantec Client Firewall computers. Using the Symantec System Center, you can do the following:
- View data at the server group, individual server, and individual managed workstation levels.
- Sort and filter Event Log data.
- Export data to Microsoft Access (as an .mdb file) or in comma-separated value (.csv) format.

Table 14-3 lists and describes the five types of Event Logs that are available with the Symantec System Center, shows the data that appears in the Event Log columns, and indicates where in the console system hierarchy you can display Event Log data.

Table 14-3  Event Log types

Name: Update Event Log
Description: Provides information about Symantec Client Firewall configuration changes.
Data columns: Date, Event Description, Previous Version, Current Version, Computer, User

Name: Configuration Change Log
Description: Provides information about Symantec Client Firewall services that are started, stopped, enabled, and disabled.
Data columns: Date, Description, Configuration Type, Data, Computer, User

Name: Firewall Violation Event Log
Description: Provides information about Symantec Client Firewall events that are treated as security violations.
Data columns: Date, Description, Network Protocol, IP Type, Computer, User, IP Source Address, IP Source Port, IP Destination Address, IP Destination Port, Violation Action, Direction, Process Name

Name: Intrusion Prevention Status Log
Description: Provides information about the Intrusion Prevention engine, including version numbers and the number of monitored signatures.
Data columns: Date, Description, IPS Version, Signature Count, Error Code, Computer, User

Name: Intrusion Prevention Violation Log
Description: Provides information about Intrusion Prevention events that are treated as attempted attacks.
Data columns: Date, Description, Network Protocol, IP Type, Computer, User, IP Source Address, IP Source Port, IP Destination Address, IP Destination Port, Intruder ID, Intruder Name, Blocked Duration, Port Count

Displaying logs

You can display logs from the tree hierarchy in the Symantec System Center.

To display logs
1 In the Symantec System Center, in the right pane, right-click a server group, server, or client, and then click All Tasks > Symantec Client Firewall > Logs.
2 On the menu, select one of the following options:
  - Update Event Log
  - Configuration Change Log
  - Firewall Violation Event Log
  - Intrusion Prevention Status Log
  - Intrusion Prevention Violation Log

Filtering log data

When viewing logs, you can filter data based on time.

To filter log data
In the Event Log window, click the drop-down box, and select one of the following:
- Today
- Past 7 days
- This month
- All items
- A selected range of days

Sorting log data

When viewing logs, you can sort the data by column.

To sort the data
In the Event Log window, click a column header. The ascending sort icon appears within a column header the first time that you click it. The descending sort icon appears the next time that you click the column header.

Understanding Event Log icons

In all Event Log windows, icons allow you to perform actions, such as saving the data as a .csv file. Table 14-4 lists and describes the Event Log icons.

Table 14-4  Event Log icons

Icon    Description
        Close the Event Log window.
        View item properties.
        Save the data shown in the Event Log window as a .csv or Microsoft Access database file.
        Display Help for the Event Log.


Chapter 15  Creating network rulebases

This chapter includes the following topics:
- Choosing an implementation approach
- Considering implementation options
- Implementing network rulebases
- Configuring an initial network rulebase
- Fine-tuning and troubleshooting rulebases
- Configuring a default-permit rulebase
- Configuring user interaction

Choosing an implementation approach

Network rulebases allow client/server traffic in computer networks, and support dynamic IP addressing, domain name resolution, printing, and so on. To create a network rulebase, you can either allow Symantec Client Firewall to create rules automatically on an as-needed basis, or you can create rules manually. The benefit of creating rules manually is that you gain a greater understanding of the protocols and programs that support network activity, which makes troubleshooting firewall problems easier.

How you configure a firewall to support networking depends on the diversity and size of your computer network, as well as the level of trust that you place in the internal network components, down to the client level. Several approaches exist for configuring Symantec Client Firewall to support network activity, including the following:
- Create a Trusted Zone of specific server IP addresses.
- Create a General rulebase that specifies the protocols and port numbers over which local and remote computers can communicate, and restrict the communications to specific remote IP addresses.
- Create a combination Program and General rulebase that specifies protocols and port numbers for the programs that the client uses for remote communications, and restrict the communications to specific remote IP addresses.

Ultimately, you must decide which approach to use.

Considering implementation options

Each implementation option offers advantages and disadvantages that relate to your network size, configuration, and security features, as well as the workload shared by your technical support staff.

Using the Trusted Zone approach

If you trust your network completely and do not want to create a Program or General rulebase that supports network activity, you can create a Trusted Zone of IP addresses or domain names. All computers that fall into this Zone are Trusted, in that they are free to conduct all client/server communications without being blocked at the firewall.

The advantage of this approach is that you can quickly configure Symantec Client Firewall to support network activity, and your support calls will be minimal. A disadvantage is that if a blended threat or other virus attacks the trusted network devices, client computers may be at risk of infection. Another disadvantage is that client computers may be compromised if the domain is hijacked through DNS cache poisoning, or if an IP address in the address range is spoofed. Nevertheless, if your confidence is high that your perimeter firewalls and antivirus software will detect and mitigate blended threats, and if you have a small number of servers that perform network activity and you know their IP addresses, creating Trusted Zones may be the approach to take.

Using the network-level firewall approach

If you do not trust your network completely, you can create a General rulebase that supports networking with specific IP addresses. This rulebase essentially creates a network-level firewall. This firewall inspects each inbound and outbound packet and makes decisions based on the local and remote ports, as well as the remote IP addresses.

The advantage of using network-level rules is that you can push a common rulebase onto a variety of clients running various operating systems. The disadvantage of using network-level rules is that Trojan horses and worms are free to use the permitted ports, potentially exposing your clients to infection. If, however, you know the IP addresses of the network devices that communicate with clients, and if these servers are hardened and secured, you can restrict the client ports to communicate with those IP addresses only.

Using the program-level firewall approach

To further harden the firewall, you can create Program rules and supplement these rules with two General rules for Loopback and ICMP. The resulting rulebase essentially combines a program-level firewall with a network-level firewall. The advantage of using Program rules is that you can specify the protocols, ports, and IP addresses with which these programs are allowed to communicate, greatly reducing the threat of unknown programs communicating over a permitted port. Unless permitted with a rule, no other program can use the protocol and port to access the network.

The disadvantage of using Program rules is that you have to make an assumption about clients that may not be true in large organizations. The assumption is that all program locations and versions are identical on all clients. For example, if you create a rule that specifies a program that resides on drive C, install the rule on a client, and the client runs the program from drive D, the rule blocks the program from accessing the network. Nevertheless, if you have a tightly controlled network with program and version control, creating Program rules may be the approach to take.

An alternative to creating Program rules is to create prules for the programs. While prules are essentially Program rules that are generated automatically on clients, prules allow you to tailor the degree to which the program executables must conform. If desired, you can require the executables to match a specific file version or digest, which blocks program execution if a virus overwrites the file. On the other hand, you can create prules with no file requirements other than that the file name must match.

The advantage of using this approach is that you can implement Program rules on clients running different operating systems, program versions, and executable file locations. The disadvantage of using this approach is that you cannot tailor the programs to communicate with IP address ranges. You can select one IP address, all IP addresses, or a domain name only. The workaround is to add an IP address range using Symantec Client Firewall for the rules that support networking.

Implementing network rulebases

After you have chosen the best approach for creating network rulebases, you need to implement the approach. Implementing network rulebases requires knowledge of networking concepts such as IP addressing, protocol functionality, port numbers, and so on.

Implementing Trusted Zones

If you decide to support networking with Trusted Zones, you need to decide whether to use specific IP addresses, a range of IP addresses, or a domain name. If you have a small number of servers that support network activity, enter their IP addresses one at a time. If you have a relatively large number of servers and still decide to use Trusted Zones, decide whether to use a range of IP addresses or a domain name. Using a domain name is the least secure approach to enabling network traffic, as any computer that authenticates to the domain is trusted.

If network operations policies and procedures are in place for assigning IP addresses to critical servers, consider using address ranges. Often, for example, server network interface cards (NICs) are assigned static IP addresses that end in .1 through .50, reserving .51 to .254 for DHCP client addressing. In this case, you can trust IP addresses that end in .1 through .50, and implement the range by entering the beginning IP address (ending in .1) and the ending IP address (ending in .50).

You can also establish a range using a subnet mask. For example, assume that server NICs are assigned static IP addresses that end in .1 through .30. In this case, you can trust IP addresses that end in .1 through .30 by entering an IP address in that network together with the matching subnet mask. This subnet mask creates a subnet that contains 30 assignable addresses, ending in .1 through .30, and reserves the address that follows the range as the broadcast address.

Note: You can enter any IP address within the subnet to create it, as long as you use the same subnet mask.

Implementing network-level firewalls

Symantec Client Firewall is a traditional packet-filtering firewall in that it inspects all packets, both inbound and outbound, looks for a rule that permits the packets to pass, and by default blocks packets that do not match a rule. As a result, rules must exist for both inbound and outbound packets. To configure a network-level firewall, you create General rules only.
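The subnet arithmetic behind the Trusted Zone range above, together with the first-match, default-block evaluation that the network-level firewall description gives, as an added example that is not Symantec's code. The 192.0.2.0/27 server range, the 127.0.0.0/8 loopback range and the five-rule subset of Table 15-1 are constructed; Any is modelled as None.

```python
"""Trusted Zone subnet arithmetic and first-match General rule evaluation."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def trusted_subnet(address, mask):
    """Return (first host, last host, broadcast, host count) for an address plus mask.

    strict=False accepts any address inside the block, matching the Note above:
    any address in the subnet plus the same mask yields the same range.
    """
    net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1]), str(net.broadcast_address), len(hosts)


@dataclass
class Rule:
    """One General rule. None in a port or address field means Any."""
    description: str
    protocols: frozenset
    remote_ports: Optional[object]      # set or range of port numbers, or None
    local_ports: Optional[object]
    remote_net: Optional[ipaddress.IPv4Network]
    bidirectional: bool = True          # False = inbound only

    def matches(self, proto, remote_ip, remote_port, local_port, direction):
        if proto not in self.protocols:
            return False
        if not self.bidirectional and direction != "inbound":
            return False
        if self.remote_ports is not None and remote_port not in self.remote_ports:
            return False
        if self.local_ports is not None and local_port not in self.local_ports:
            return False
        if self.remote_net is not None and ipaddress.ip_address(remote_ip) not in self.remote_net:
            return False
        return True


def first_match(rules, packet):
    """Top-down evaluation: the first rule that matches permits the packet.

    Returns that rule, or None for the default action (block). Because
    evaluation stops at the first hit, frequently matched rules such as
    Loopback belong at the top of the rulebase.
    """
    for rule in rules:
        if rule.matches(**packet):
            return rule
    return None


def build_sample_rulebase():
    """A constructed subset of Table 15-1 with the remote range filled in."""
    internal = ipaddress.ip_network("192.0.2.0/27")   # constructed server range
    ephemeral = range(1024, 65536)                     # client-side port range
    return [
        Rule("Loopback", frozenset({"TCP", "UDP"}), None, None,
             ipaddress.ip_network("127.0.0.0/8")),
        Rule("ICMP", frozenset({"ICMP"}), None, None, None),
        Rule("HTTP", frozenset({"TCP"}), {80, 443}, ephemeral, None),
        Rule("DNS", frozenset({"TCP", "UDP"}), {53}, ephemeral, internal),
        Rule("NetBIOS to 139 (inbound only)", frozenset({"TCP"}), ephemeral, {139},
             internal, bidirectional=False),
    ]


def decide(rules, packet):
    """Return the permitting rule's description, or 'blocked' (the default)."""
    rule = first_match(rules, packet)
    return rule.description if rule else "blocked"


if __name__ == "__main__":
    print(trusted_subnet("192.0.2.5", "255.255.255.224"))
    rb = build_sample_rulebase()
    pkt = {"proto": "UDP", "remote_ip": "198.51.100.20", "remote_port": 53,
           "local_port": 1050, "direction": "outbound"}
    print("DNS to a server outside the range:", decide(rb, pkt))
```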

When possible, try to configure inbound and outbound permissions for the same protocol and port combinations with one rule. As a firewall rulebase grows, it reaches a point where security diminishes because the rulebase gets increasingly complex and hard to understand. Combining inbound and outbound permissions reduces this growth.

After creating rules, consider ordering them so that commonly matched rules appear near the top of the rulebase, and rarely matched rules appear near the bottom. Placing commonly matched rules near the top maximizes performance. Two of the most commonly matched rules are for loopback and NetBIOS communications. To increase the security of a network rulebase, also consider limiting the number of IP addresses allowed for remote communications.

Note: Some programs perform loopback during execution, which is an internal diagnostic test. Making loopback the first General locked rule is a best practice and ensures optimum performance for programs that perform loopback.

Windows 2000 sample network-level rulebase

Table 15-1 shows a sample rulebase that supports Windows 2000 networking in an Active Directory environment, in which all rules are permitted, bidirectional rules unless noted in the Description column.

Table 15-1  Sample network rulebase

Description                                                            Protocol   Remote ports     Local ports   Remote addresses
Loopback                                                               TCP, UDP   Any              Any
ICMP                                                                   ICMP       Any              Any           Any
Internal Symantec server Discovery                                     UDP        Any
Internal Symantec console, server, and client network communications   TCP
FTP                                                                    TCP        20,
Telnet                                                                 TCP
DNS                                                                    TCP, UDP
Bootp                                                                  UDP        67, 68           67,
HTTP                                                                   TCP        80,              Any
Kerberos                                                               UDP
NTP                                                                    UDP
EPmap                                                                  TCP
NetBIOS                                                                TCP, UDP   137, 138, 139    0,
NetBIOS to 139 (inbound only)                                          TCP
LDAP                                                                   TCP, UDP
SrvLoc                                                                 UDP
SMB (microsoft-ds)                                                     TCP
Nterm                                                                  TCP

In the sample rulebase, many rules restrict communications to a remote address range by specifying an IP address together with a subnet mask. This parameter restricts communications to remote computers whose IP addresses fall within that range only. The rulebase also shows many rules with a local port range that starts at 1024. These rules typically indicate protocols such as HTTP, where clients transmit information on many

different ports. For example, as clients communicate with remote port 80 on Web servers, client port numbers change over time and generally fall at 1024 or above. If you have a Windows 2000 network and decide to implement a network-level firewall only, this sample rulebase is a good place to start. The rulebase does not, however, contain a rule that supports , but does support Web browsing and Symantec LiveUpdate operations.

Implementing program-level firewalls

Implementing a program-level rulebase is similar to implementing a network-level rulebase in that you still create network-level rules, and all information provided about implementing network-level rules applies to implementing program-level rules. The difference is that you create network-level rules for programs. When implementing Program rules, you have the following choices:
- Create one rule that permits all program traffic.
- Create one or more rules that permit specific program traffic only.

Note: Information for implementing program-level rules also applies to prules.

The first approach is not as secure as the second approach. Nevertheless, if you tailor the Program rule so that the program can communicate with specific internal IP addresses only, the approach may create a strong enough security posture to protect your internal network. The advantage of using this approach is that you can create a rulebase quickly. The disadvantage is that a Trojan horse or worm may overwrite trusted executable files and, if successful, potentially gain access to the internal network using any port and protocol. Using prules with digest matching, however, mitigates this vulnerability.

The second approach creates the highest security posture possible. The advantage of using this approach is that if a Trojan horse or worm overwrites an executable file, the threat is restricted to communications over a limited number of ports and protocols. The disadvantage is that it takes time to discover all of the ports and protocols that a particular program uses. Also, using this approach with prule digest matching creates the highest level of security.

Finally, you must create at least two network-level rules to support ICMP and loopback. Program-level rules do not support ICMP, and configuring loopback rules for all programs that use loopback adds complexity to the rulebase.
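The contrast that the two paragraphs above draw between a name-only prule and a digest-matching prule, as an added example that is not Symantec's code: the digest algorithm (SHA-256), the prule fields and the two byte strings standing in for an approved and an overwritten executable are assumptions and constructed data, not the product's own format.

```python
"""Why a digest-matching prule resists an overwritten executable while a
name-only prule does not."""
import hashlib
from dataclasses import dataclass
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Digest of the file contents; SHA-256 is an assumption for this example."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class PRule:
    """A prule identifies the executable by file name, optionally pinned to a digest."""
    file_name: str
    description: str
    required_digest: Optional[str] = None   # hex digest of the approved build, or None

    def applies_to(self, file_name, file_bytes):
        """True when this prule authorizes the program that is actually on disk."""
        if file_name.lower() != self.file_name.lower():   # Windows names are case-insensitive
            return False
        if self.required_digest is None:
            return True                                   # name-only: any contents pass
        return sha256_hex(file_bytes) == self.required_digest


def program_allowed(prules, file_name, file_bytes):
    """Return the description of the first prule that authorizes the program,
    or None when no prule matches (the program then has no network permission)."""
    for rule in prules:
        if rule.applies_to(file_name, file_bytes):
            return rule.description
    return None


# Constructed stand-ins for the approved executable and a copy a worm overwrote.
APPROVED_BUILD = b"MZ\x90\x00 constructed approved build of Rtvscan.exe"
TAMPERED_BUILD = b"MZ\x90\x00 constructed copy overwritten by a worm"


def demo():
    """Evaluate both prule styles against the approved and the tampered file."""
    name_only = [PRule("Rtvscan.exe", "Symantec communication (name match)")]
    pinned = [PRule("Rtvscan.exe", "Symantec communication (digest match)",
                    sha256_hex(APPROVED_BUILD))]
    return {
        "name_only_approved": program_allowed(name_only, "Rtvscan.exe", APPROVED_BUILD),
        "name_only_tampered": program_allowed(name_only, "Rtvscan.exe", TAMPERED_BUILD),
        "pinned_approved": program_allowed(pinned, "Rtvscan.exe", APPROVED_BUILD),
        "pinned_tampered": program_allowed(pinned, "Rtvscan.exe", TAMPERED_BUILD),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result or 'no matching prule, blocked'}")
```

A pinned digest must be refreshed whenever the program is legitimately updated, which is the operational price of the stronger match.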

Windows 2000 sample program-level rulebase

Typically, a Windows 2000/NT client in a Windows 2000 network uses the following processes for networking in an Active Directory environment:
- C:\Winnt\System32\Lsass.exe: supports Kerberos, LDAP, Epmap, and Nterm
- C:\Winnt\System32\services.exe: supports NTP, Bootp, DNS, and Epmap
- C:\Winnt\Explorer.exe: supports LDAP
- C:\Winnt\System32\Winlogon.exe: supports LDAP
- Windows Subsystem: supports NetBIOS and SMB

In a Windows 2000 environment, you need to create rules for these processes. To support Web browsing, Symantec network communications, and LiveUpdate in a Windows 2000 networking environment, you also need to configure the firewall to support the following additional processes:
- C:\Program Files\Internet Explorer\Iexplore.exe: supports Internet Explorer
- C:\Program Files\Symantec\LiveUpdate\Lucomserver.exe: supports Symantec LiveUpdate
- C:\Program Files\Symantec Client Security\Symantec Client Firewall\Sympxsvc.exe: supports the Symantec Client Firewall proxy server
- C:\Winnt\System32\cba\pds.exe: supports server Discovery
- C:\Program Files\SAV\Rtvscan.exe: supports Symantec network communications

You can create either Program rules or prules for these processes. Table 15-2 shows a rulebase that supports Windows 2000 networking, in which all rules are permitted, bidirectional rules.

Table 15-2  Sample program rulebase

Executable        Description                              Protocol   Remote ports   Local ports
Lsass.exe         Kerberos                                 UDP
                  EPmap                                    TCP
                  LDAP                                     TCP, UDP
                  Nterm                                    TCP
Services.exe      DNS                                      TCP, UDP
                  Bootp                                    UDP        67, 68         67, 68
                  Kerberos                                 UDP
                  NTP                                      UDP
                  EPmap                                    TCP
Explorer.exe      LDAP                                     TCP, UDP
Winlogon.exe      LDAP                                     TCP, UDP
Lucomserver.exe   Internal Symantec AntiVirus Discovery    UDP        Any
                  HTTP                                     TCP
Pds.exe           Discovery                                UDP        Any
Rtvscan.exe       Communication                            TCP
Sympxsvc.exe      HTTP                                     TCP
Iexplore.exe      HTTP                                     TCP        80,

Using a prule to configure the Windows Subsystem simplifies the program rulebase. Table 15-3 shows a prule that typically supplements a program rulebase, in which all rules are permitted, bidirectional rules unless indicated in the Description column.

Table 15-3 Sample prule to supplement program rulebase

| Executable | Description | Protocol | Remote ports | Local ports |
|---|---|---|---|---|
| System | NetBIOS | TCP, UDP | 137, 138, 139 | 0, |
| | NetBIOS to 139 (inbound only) | TCP | | |
| | SMB (microsoft-ds) | TCP | | |

Finally, Table 15-4 shows General rules that typically supplement a program rulebase, in which all rules are permitted, bidirectional rules.

Table 15-4 Sample network rules to supplement a program rulebase

| Description | Protocol | Remote ports | Local ports | Remote addresses |
|---|---|---|---|---|
| Loopback | TCP, UDP | Any | Any | |
| ICMP | ICMP | Any | Any | Any |
| FTP | TCP | 20, | | ( ) |
| Telnet | TCP | | | ( ) |

Configuring an initial network rulebase

To configure an initial firewall rulebase that supports Microsoft networking, you can start with one of the sample rulebases, or you can use various tools to discover the networking protocols that your network uses, and then implement firewall rules based on what you discover. See Table 15-2 on page 399. See Table 15-1 on page 395.

Symantec Client Firewall includes several tools that reveal network activity. The Connections tab in the Log Viewer window and the Statistics window reveal port numbers and local/remote IP addresses. The Firewall tab in the Log Viewer window and the Internet Access Control alert window, which you enable and disable under Client Firewall Settings, reveal the processes that the firewall blocks from initiating outbound connections, along with protocols, port numbers, and local/remote IP addresses. Other tools, such as network protocol analyzers and shareware or freeware tools that show processes, connections, and protocols, may also prove valuable when profiling network traffic. Additionally, Windows includes a few MS-DOS commands that may help, such as netstat and nbtstat. Various netstat and nbtstat command switches let you display local and remote connections, protocol statistics, and the route table.

The rule-creation process is an iterative cycle: perform network activity, discover and understand that activity, and create rules to support it. Then, after creating rules, test them by repeating the network activity that prompted you to create them.

The following list details network activity that you should perform, in no particular order, and then create rules to support:

- Display network servers in a window.
- Display a network Directory in a window.
- Connect to the Internet.
- Connect to an Internet account or secure Web site over HTTPS.
- Perform LiveUpdate from Symantec Client Firewall.
- Print.
- Execute the following DHCP commands from the MS-DOS command line:
- Restart your computer, and log on and authenticate to a domain.

If you are setting up a network-level firewall, do not initially enable access control alerts, because you may end up spending a large amount of time responding to access alert prompts. Instead, enable the firewall, and then in the Client Firewall Settings window, deselect Enable Security. This configuration causes the firewall to permit all traffic, which you can view on the Connections tab in the Event Log and in the Network Connection pane in the Statistics window. These windows show remote and local connections, IP addresses, protocols, ports, and bytes sent and received. You can create an initial set of General rules based on this information.

If you are setting up a program-level firewall, first create two General rules for loopback and ICMP traffic. Then, one of the fastest ways to discover which programs to create rules for is to display Client Firewall Settings and enable the Internet Access Control Alert window. When the alert window appears, gather the detailed information from the alert, disable the firewall (which stops further

alert windows), create or modify a Program rule based on the details, enable the firewall, and repeat the sequence until the alert frequency drops significantly.

Fine-tuning and troubleshooting rulebases

Once you can perform network activity without the firewall blocking it, let the firewall run for a few days and look for traffic that the firewall may be mishandling. To see how the firewall is performing, use the Statistics window. The Firewall Rules pane shows permitted and blocked packets by rule, as well as unmatched packets. See Figure 15-1 on page 402.

Figure 15-1 Firewall Rules pane

This pane first shows locked General rules in the order inspected, and then shows locked Program rules in the order inspected. The list continues with unlocked General and Program rules. The No Match column shows packets that did not match a rule. If your network uses NetBIOS, and if your NetBIOS rule is not close to being the first rule in the list, you will see a large volume of No Match packets for the rules above the NetBIOS rule, and then notice that the numbers drop significantly after the NetBIOS rule. This drop occurs because NetBIOS is very chatty (it provides its functionality using a large number of packets). Placing the NetBIOS rule near the top of the inspection order optimizes firewall processing, and is generally a best practice.

If you do not see a zero value for the last rule in the No Match column, the firewall is silently blocking packets, and you may need to investigate what packets the firewall is blocking. You can find details about the blocked packets on the Firewall tab in the Event Log.

Another way to investigate blocked packets is to create an unlocked General Cleanup rule that blocks all TCP and UDP traffic to and from all computers, tracks the rule with an Event Log entry and security alert, and is the last rule inspected. When properly configured as the last rule inspected, this Cleanup rule logs information about all blocked packets on the Alert tab in the Event Log, and reveals the number of blocked packets on the Firewall Rules pane in the Statistics window.

Note: By default, the firewall blocks all packets not matching a rule and logs the information on the Firewall tab in the Event Log, but mixes this information with other firewall information. The Cleanup rule tracked with an Event Log entry and security alert isolates information about blocked packets only, on the Alert tab.

The key to using this technique is to configure the Cleanup rule as the last rule listed in the General rule list at the unlocked level, which means that you must create the rule with Symantec Client Firewall, and to configure all other General and Program rules at the locked level, which means that you must export them using Symantec Client Firewall Administrator. The Cleanup rule must be the last rule inspected, which you can verify in the Statistics window.
If Program rules are configured at the unlocked level, these rules can never be matched, because the Cleanup rule blocks packets before the Program rules inspect them. Additionally, the Cleanup rule disables all prule implementation, and disables all security alert prompts, which may or may not be beneficial. As a result, the Cleanup rule is best used when creating and fine-tuning rulebases to push to clients, and not for general client implementation.

Using Profiling is another useful way to fine-tune network rulebases, as it allows you to capture traffic information and convert it to prules. See Using Profiling to generate prules and NetSpecs on page 365.

Configuring a default-permit rulebase

By default, Symantec Client Firewall uses a default-deny rulebase. If traffic is not permitted with a rule, then depending on Client Settings, either the traffic is dropped, a prule becomes a Program rule, or the user is prompted to create a rule. Some organizations, however, are only interested in blocking certain ports while permitting all other traffic. To support this configuration, you need to create a default-permit rulebase that supports selective port blocking.

To create a default-permit rulebase, create three General rules to permit loopback, ICMP, and TCP/UDP traffic. Then, after the Loopback rule but before the other two rules, insert the rules that block the desired ports. All permit rules are bidirectional. Be sure that the Loopback rule uses local address to prevent IP address spoofing. Table 15-5 shows a sample default-permit rulebase.

Table 15-5 Sample default-permit rulebase

| Description | Protocol | Remote ports | Local ports | Remote addresses |
|---|---|---|---|---|
| Loopback | TCP, UDP | Any | Any | |
| <Insert Blocking Rules Here> | | | | |
| ICMP Permit All | ICMP | Any | Any | Any |
| TCP/UDP Permit All | TCP, UDP | Any | Any | Any |

The rules that block ports are inspected after the Loopback rule so that they cannot interfere with loopback operations. Then, the Blocking rules are inspected, and if there is no match, the traffic is permitted. Because this configuration is not inherently secure, the best way to implement it is to use Secure Port to block all local ports defined with Trojan rules, and to add only remote ports to the General rules. The Permit All General rules stop Trojan rules from being inspected, so you need to use Secure Port to secure the local ports defined with Trojan rules, and add remote ports defined with Trojan rules to the General rule list.

Configuring user interaction

After you fine-tune and troubleshoot your rulebases, you have some decisions to make regarding user interaction with the firewall.
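Before turning to user interaction, the inspection behaviour that the fine-tuning and default-permit sections above rely on (top-to-bottom first match, the per-rule No Match counters, a tracked Cleanup rule last, and the Table 15-5 Loopback/blocking/Permit All layout) as an added simulation that is not part of this guide or of Symantec Client Firewall. The Packet and Rule layouts, the rule names, the port and address sets on the Loopback and NetBIOS rules, and all sample traffic are constructed assumptions.

```python
"""First-match firewall rulebase simulator (added example, not Symantec code).

Models the inspection behaviour described in this chapter: rules are tried
top to bottom, the first match decides, every rule counts the packets it
decided and the packets that passed it unmatched (the No Match column), and
a packet that matches nothing is silently dropped (default deny). Packet and
Rule layouts and all sample traffic are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Optional

LOOPBACK = "127.0.0.1"
ANY = None  # a port or address field of None means "Any"


@dataclass
class Packet:
    proto: str                # "TCP", "UDP" or "ICMP"
    local_addr: str
    remote_addr: str
    local_port: int = 0
    remote_port: int = 0
    program: str = ""         # executable owning the socket; "" if unknown


@dataclass
class Rule:
    name: str
    action: str               # "permit" or "block"
    protos: tuple = ("TCP", "UDP")
    remote_ports: Optional[set] = ANY
    local_ports: Optional[set] = ANY
    remote_addrs: Optional[set] = ANY
    local_addrs: Optional[set] = ANY
    program: str = ""         # non-empty makes this a Program rule
    track: bool = False       # record an alert for every packet this rule decides
    matched: int = 0          # Firewall Rules pane: packets decided by this rule
    no_match: int = 0         # Firewall Rules pane: packets that passed this rule

    def matches(self, p: Packet) -> bool:
        if p.proto not in self.protos or (self.program and p.program != self.program):
            return False
        fields = ((self.remote_ports, p.remote_port), (self.local_ports, p.local_port),
                  (self.remote_addrs, p.remote_addr), (self.local_addrs, p.local_addr))
        return all(allowed is ANY or value in allowed for allowed, value in fields)


def inspect(rules: list, p: Packet, alerts: Optional[list] = None) -> tuple:
    """Return (action, rule name) for one packet, or ("block", None) if nothing matched."""
    for rule in rules:
        if rule.matches(p):
            rule.matched += 1
            if rule.track and alerts is not None:
                alerts.append((rule.name, p.proto, p.remote_addr, p.remote_port))
            return rule.action, rule.name
        rule.no_match += 1
    return "block", None      # default deny: dropped without any rule being hit


def run(rules: list, packets: list) -> dict:
    """Inspect a packet list and return Firewall Rules pane style statistics."""
    alerts, dropped = [], 0
    for p in packets:
        if inspect(rules, p, alerts)[1] is None:
            dropped += 1
    return {"no_match": {r.name: r.no_match for r in rules},
            "matched": {r.name: r.matched for r in rules},
            "silently_dropped": dropped, "alerts": alerts}


def default_deny_rulebase(netbios_first: bool, cleanup: bool) -> list:
    """General rules modelled on Tables 15-3 and 15-4, one Program rule, optional Cleanup rule."""
    loopback = Rule("Loopback", "permit", remote_addrs={LOOPBACK}, local_addrs={LOOPBACK})
    icmp = Rule("ICMP", "permit", protos=("ICMP",))
    netbios = Rule("NetBIOS", "permit", remote_ports={137, 138, 139}, local_ports={137, 138, 139})
    http = Rule("Iexplore.exe HTTP", "permit", protos=("TCP",), remote_ports={80}, program="Iexplore.exe")
    rules = [loopback, icmp] + ([netbios, http] if netbios_first else [http, netbios])
    if cleanup:  # unlocked General rule, last inspected, tracked with a security alert
        rules.append(Rule("Cleanup", "block", track=True))
    return rules


def default_permit_rulebase(blocked_remote_ports: set) -> list:
    """Table 15-5 layout: Loopback, then the blocking rules, then the two Permit All rules."""
    return [Rule("Loopback", "permit", remote_addrs={LOOPBACK}, local_addrs={LOOPBACK}),
            Rule("Block ports", "block", remote_ports=blocked_remote_ports),
            Rule("ICMP Permit All", "permit", protos=("ICMP",)),
            Rule("TCP/UDP Permit All", "permit")]


# Constructed traffic: a chatty NetBIOS burst, one browser request, one stray connection.
SAMPLE = [Packet("UDP", "192.168.1.10", "192.168.1.20", 137, 137)] * 50 + [
    Packet("TCP", "192.168.1.10", "203.0.113.5", 1025, 80, "Iexplore.exe"),
    Packet("TCP", "192.168.1.10", "203.0.113.9", 1026, 6667, "unknown.exe")]
```

Running SAMPLE through default_deny_rulebase with netbios_first=False and then True shows the No Match counts of the rules above NetBIOS fall from about fifty to one or two, and adding the Cleanup rule turns the silently dropped stray connection into a logged alert. In the default-permit rulebase, a packet that claims a loopback remote address but arrives on the LAN address fails the Loopback rule and reaches the blocking rule.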
One way to think about user interaction is to start with the configuration that offers the least user interaction, and then implement the exceptions that you want to allow. User permissions let you decide, at the feature or component level, the level of interaction that the user is permitted. Also, Configure Alerting lets you quickly configure what type of alerts are displayed and can be acted on by the user. Table 15-6 lists and describes the various settings that limit user interaction with the firewall.

Table 15-6 Settings that limit user interaction

| Location | Setting | Value | Description |
|---|---|---|---|
| Client Settings tab | Permissions | Block All | Users cannot open Symantec Client Firewall, or view or configure any settings. |
| Client Settings tab | Error Messages | Disable | Does not display alerts when errors occur while importing, exporting, and saving files, or for general errors. |
| Client Settings tab | Miscellaneous Notifications | Disable | Does not display messages regarding rule processing and policy configuration. |
| Client Settings tab | Custom Security Level - Access Control Alerts | Disable | Does not display the alert. |
| Client Settings tab | Custom Security Level - Unused port Access Alert | Disable | Does not display the alert. |
| Client Settings tab | Display alerts for Intrusion Prevention | Disable | Does not display the alert. |
| Client Settings tab | Symantec Secure Port | Enable | Reduces alerts for Trojan rules and IPS signatures. |
| Edit Location window | Rule Exception Handling | Permit or block | Does not prompt users to create rules for unknown traffic. Selecting permit is like creating a default-permit rulebase and is designed for use with Profiling. Use with caution. |

Table 15-6 Settings that limit user interaction (continued)

| Location | Setting | Value | Description |
|---|---|---|---|
| Edit Location window | Auto Rule Creation | Enable | Does not prompt users to create Program rules from prules. If you disable Auto Rule Creation, the firewall prompts users for unknown traffic handling selections. |
| Edit Location window | Allow New Connections | No | Does not prompt users to select a Location for an unrecognized network connection. If you enable Location Awareness and do not allow new connections, be sure that you have configured a Primary Location. |
| Client Settings tab | User Type (5.x and 7.x clients only) | Normal | Legacy users cannot create rules, Zones, or Locations, and have limited access to most functionality. |
| Client Settings tab | Disable Windows Firewall | Disable always | For clients that run Windows XP SP2, disables Windows Firewall at system startup. |
| Client Settings tab | Windows Firewall Disabled Message | Disable | Suppresses the Windows notification that indicates that Windows Firewall was disabled. |
| Client Settings tab | Windows Security Center Firewall Alert | Disable | Windows Security Center does not display security alerts from Symantec Client Firewall. |

See About permissions on page 425.
See About Configure Alerting on page 421.

Generally, the appropriate level of user interaction is between complete freedom and no freedom. If you give users complete freedom, they might effectively disable Symantec Client Firewall. If you give users no freedom, you might experience an excessive number of support calls.

Chapter 16 Configuring Client Settings and Web Content settings

This chapter includes the following topics:

- About Client Settings
- General settings
- About Configure Alerting
- Setting Configure Alerting options
- About Miscellaneous Notifications
- About permissions
- About Protocol Filtering
- Web Content settings

About Client Settings

Symantec Client Firewall Administrator includes settings for the overall operation of Symantec Client Firewall. These settings let you specify which firewall features are accessible to your users, determine which alerts are displayed, enable or disable automatic rule generation, control security levels for various types of Internet traffic, control access of all Internet protocols, and so on. Client Settings are arranged on the following tabs:

- General settings
- Permissions
- Protocol Filtering

General settings

General settings let you specify settings that affect many aspects of Symantec Client Firewall. Figure 16-1 shows the General tab.

Figure 16-1 General tab

A subset of the General settings has a relationship with the Web Content settings. Web Content settings may override some General settings on a URL basis. For example, if the General setting for Java Applet Security is set to High, which prevents all Java applets from running, and a Web Content setting exists that permits Java applets to run from a specific site, the firewall permits Java applets from that site to run on the client computer. See Web Content settings on page 439.

Web Content settings may override the following Client Settings:

- Custom Security Level - Java Applet Security
- Custom Security Level - ActiveX Control Security
- Custom Privacy Level - Confidential Information Level
- Custom Privacy Level - Cookie Blocking Level
- Custom Privacy Level - Browser Privacy
- Ad Blocking
- Popup Window Blocking

The HTTP Port List Client Setting under Options - Advanced affects all Web Content settings. If the Value for HTTP Port List is blank, the firewall does not enforce Web Content settings, and does not enforce Client Settings that may be overridden by Web Content settings.

Note: The selection Keep Existing Selection: Do Not Change is available for many General settings. This selection retains whatever value (for example, Enabled or Disabled) is already selected in the client user interface.

Global settings

Table 16-1 describes the Global settings.

Table 16-1 Global settings

| Setting | Description |
|---|---|
| Symantec Client Firewall | Enables and disables the firewall, IPS, Privacy Control, and Ad Blocking. |
| Symantec Secure Port | Enable: Secures all local ports that are defined in Trojan rules so that no program can use the ports for outbound traffic, even if permitted with rules. Disables all pop-up messages that are related to outbound traffic access alerts. Does not affect inbound traffic. Disable: Removes the Secure Port override and permits the firewall to process Trojan rules normally. Note: Secure Port is active only if Symantec Client Firewall and Secure Port are both enabled. Enabling Symantec Client Firewall does not enable Secure Port if it is disabled. See Incorporating Secure Port on page 338. |

Table 16-1 Global settings (continued)

| Setting | Description |
|---|---|
| Ignore prule Digest Values (legacy clients only) | Yes: Ignores all digest settings when creating Program rules from prule data. No: Requires digest matching when creating Program rules from prule data (not all prules require digest matching). Note: When you configure the Ignore prule Digest Values setting, Symantec Client Firewall Administrator gives you the option to apply your configuration to the prules that exist in the current policy. See Configuring Ignore Digest Values on page 353. |
| Run at System Startup | Yes: Symantec Client Firewall runs when the computer is started. No: Symantec Client Firewall must be started manually. |
| Logging Level | Default: Provides detailed information about network connections, system and configuration changes, and security alerts, including Intrusion Prevention and Trojan horse attacks. Web sites, private information, and ads that are blocked are also logged. Verbose: Logs all information that is available to Symantec Client Firewall, including allowed Java applets, ActiveX controls, ads, Web sites, and private information. |

User Interface settings

Table 16-2 describes the User Interface settings.

Table 16-2 User Interface settings

| Setting | Description |
|---|---|
| Error Messages | Enable: Displays critical application errors to the Symantec Client Firewall user. Disable: Does not display critical application errors to the Symantec Client Firewall user. |

Table 16-2 User Interface settings (continued)

| Setting | Description |
|---|---|
| Miscellaneous Notifications | Enable: Generates notifications for miscellaneous firewall events, including policy file importing, automatic rule creation from prules, and General and Trojan rule security alerts. Disable: Does not generate notifications for these events. Note: This setting does not affect the notifications that the user receives when importing or exporting from the Settings Manager. |
| User Type (5.x and 7.x clients only) | Sets the permissions for the legacy Symantec Client Firewall clients that run 5.x and 7.x versions. Admin: Makes all Symantec Client Firewall product features and configuration options available to users. Normal: Users have a limited subset of permissions that includes viewing firewall data and modifying privacy control settings. Restricted: Users cannot configure rules or change settings. For the most part, the firewall is invisible to a user with this setting. |

See About Configure Alerting on page 421.
See About Miscellaneous Notifications on page 424.
See Setting user access levels for legacy clients on page 435.

Tray Menu Options settings

Tray Menu Options are menu selections that become available when a client user right-clicks the Symantec Client Firewall icon in the Windows system tray. Table 16-3 describes the Tray Menu Options settings.

Table 16-3 Tray Menu Options settings

| Setting | Description |
|---|---|
| Show Taskbar Icon | Yes: Displays the Symantec Client Firewall icon in the Windows system tray, which can be right-clicked to log on and off, exit the program, or perform other tasks. No: The Symantec Client Firewall icon is not displayed in the Windows system tray. |
| Display Options | Yes: Displays the Options selection on the Windows system tray menu, which allows you to display the Symantec Client Firewall Options dialog box for access to General, Firewall, Secure Port, and Protocol Filtering settings, as well as Settings Manager. No: Does not display the Options selection on the Windows system tray menu. |
| Display Log Viewer | Yes: Displays the Log Viewer selection on the Windows system tray menu, which allows you to view the Log Viewer. The Log Viewer contains information about content blocking, connections, firewall activity, and other events. No: Does not display the Log Viewer selection on the Windows system tray menu. |
| Display View Statistics | Yes: Displays the View Statistics selection on the Windows system tray menu, which allows you to view real-time, detailed protection statistics. No: Does not display the View Statistics selection on the Windows system tray menu. |

Windows Integration settings

Table 16-4 describes the Windows Integration settings.

Table 16-4 Windows Integration settings

| Setting | Description |
|---|---|
| Disable Windows Firewall | Determines the actions that Symantec Client Firewall can take when it detects Windows Firewall on the system. If Symantec Client Firewall is uninstalled, Windows Firewall is re-enabled automatically. Disable once only: Disables Windows Firewall at system startup the first time that Windows Firewall is detected. If Windows Firewall is enabled on subsequent system startups, Symantec Client Firewall does not disable Windows Firewall. Disable always: Disables Windows Firewall at system startup and all subsequent system startups. Restore if disabled: Enables Windows Firewall at system startup if it was previously disabled. |
| Windows Firewall Disabled Message | Enabled: Allows the Windows message that notifies the Symantec Client Firewall user that Windows Firewall is disabled to appear at system startup. Disabled: Suppresses the Windows message from appearing at system startup. |
| Windows Security Center Firewall Alert | Disable: Windows Security Center does not display alerts that come from Symantec Client Firewall in the Windows system tray. Enable: Windows Security Center displays alerts that come from Symantec Client Firewall in the Windows system tray. |

Firewall settings

Table 16-5 describes the Firewall settings.

Table 16-5 Firewall settings

| Setting | Description |
|---|---|
| Firewall | Enables and disables the firewall component of Symantec Client Firewall and uses the Default Location only. Note: If the Firewall setting is disabled, Custom Security Level settings are not enforced. See Implementing Location Awareness on page 303. |
| Custom Security Level - Firewall Level | Medium: Blocks many ports that are used by harmful programs. However, it can also block useful programs when they use the same ports. High: Blocks all traffic that is not specifically allowed. Firewall rules for every program that requests Internet access must be created. Rules often are created by a Symantec Client Firewall program scan. |
| Custom Security Level - Java Applet Security | None: Lets all Java applets run. Medium: Prompts for permission each time that a Java applet attempts to run. High: Prevents all Java applets from running. Note: If you configure this setting to Medium, you must enable Access Control Alerts. If Access Control Alerts is disabled, Symantec Client Firewall blocks the action without prompting or alerting your clients of the action that is taken. |
| Custom Security Level - ActiveX Control Security | None: Lets all ActiveX controls run. Medium: Prompts for permission each time that an ActiveX control attempts to run. High: Prevents all ActiveX controls from running. Note: If you configure this setting to Medium, you must enable Access Control Alerts. If Access Control Alerts is disabled, Symantec Client Firewall blocks the action without prompting or alerting your clients of the action that is taken. |

Table 16-5 Firewall settings (continued)

| Setting | Description |
|---|---|
| Custom Security Level - Access Control Alerts | Enable: Prompts to permit or block a program from accessing the Internet when no firewall rule exists for it. Disable: Blocks programs from accessing the network when there are no specific firewall rules in place for them. Note: The Access Control Alerts setting affects other alerting components, which include Privacy Control, cookie, Java, ActiveX, Program Component, and Program Launch alerts. If you configure these alerting components to prompt or alert your clients, you must enable Access Control Alerts. If Access Control Alerts is disabled, Symantec Client Firewall blocks the action without prompting or alerting your clients of the action that is taken. |
| Custom Security Level - Unused port Access Alert | Enable: Alerts are generated when an attempt is made to access an unused port. Enabling this option significantly increases the number of alerts displayed. Disable: Alerts are not generated for unsolicited connection attempts. |

Advanced Firewall Options settings

Table 16-6 describes the Advanced Firewall Options settings.

Table 16-6 Advanced Firewall Options settings

| Setting | Description |
|---|---|
| HTTP Port List | Specifies the list of ports to filter for Java and ActiveX blocking, script blocking, confidential information, cookies, and so on. Note: When this option is selected, all ports that are listed here overwrite any ports that are listed on a client through the Symantec Client Firewall user interface. |
| Stealth Blocked Ports | Enable: Blocked ports do not respond to inquiries from the Internet. Disable: Blocked ports respond that they are closed. |

Table 16-6 Advanced Firewall Options settings (continued)

| Setting | Description |
|---|---|
| Block Fragmented IP Packets (Win 9x only) | Block All: Blocks IP packets that have severely fragmented headers and that contain data areas that are too small to be useful for legitimate network communication. Permit All Except Suspected Attacks: Permits all fragmented IP packets except those that are associated with suspected attacks. |
| Program Component Monitoring | Enable: Checks the access settings for the external modules that programs use to connect to the Internet. Disable: Does not check access settings for external modules. Note: If you enable this setting and configure the firewall setting to Medium, you must enable Access Control Alerts. If Access Control Alerts is disabled, Symantec Client Firewall blocks the program without prompting or alerting your clients of the action that is taken. |
| Program Launch Monitoring | Enable: Checks the Internet access settings for each program that is launched by another program. Disable: Does not check access settings for each program. Note: If you enable this setting and configure the firewall setting to Medium, you must enable Access Control Alerts. If Access Control Alerts is disabled, Symantec Client Firewall blocks the program without prompting or alerting your clients of the action that is taken. |

Intrusion Prevention settings

Table 16-7 describes the Intrusion Prevention settings.

Table 16-7 Intrusion Prevention settings

| Setting | Description |
|---|---|
| Intrusion Prevention | Enable: Monitors Internet traffic for patterns that are typical of a hacker attack, such as a port scan or attempts to connect to ports used by remote-access Trojan horse programs. Disable: Does not scan packets for intrusion behavior. |
| Intrusion Prevention - AutoBlock | Enable: Stops all inbound traffic from attacking computers and outbound traffic to attacking computers for 30 minutes. Disable: Does not use AutoBlock. In some cases, normal activity might be recognized as an attack. For example, some Internet service providers scan the ports of client computers to ensure that they are within their service agreements. To prevent normal activities from interrupting your Internet use, you can exclude specific computers from AutoBlock. See Excluding computers from AutoBlock on page 314. If a computer is listed in both the Trusted Zone and the AutoBlock list, traffic from the computer is blocked until it is removed from the AutoBlock list. AutoBlock is disabled if the firewall is disabled. |
| Display alerts for Intrusion Prevention | Enable: Displays pop-up alerts for all Intrusion Prevention events. Disable: Does not display pop-up alerts for Intrusion Prevention events. |

Privacy Control settings

Table 16-8 describes the Privacy Control settings.

Table 16-8 Privacy Control settings

| Setting | Description |
|---|---|
| Privacy Control | Enables or disables Privacy Control. |

Table 16-8 Privacy Control settings (continued)

| Setting | Description |
|---|---|
| Custom Privacy Level - Confidential Info | High: Blocks all specified private information that is entered in a Web page from being sent to nonsecured (HTTP) Web sites. Medium: Prompts each time that specified private information that is entered in a Web page is sent to a nonsecured (HTTP) Web site. None: Disables the monitoring of confidential information that is sent to Web sites. Note: When the Custom Privacy Level - Confidential Info setting is set to Medium, you must enable the Custom Security Level - Access Control Alerts setting to prompt your users when private information is sent to a nonsecured Web site. If this setting is disabled, private information is blocked without notifying the user of the firewall's actions. |
| Custom Privacy Level - Cookie Blocking Level | High: Blocks all cookies. Medium: Prompts each time that a Web site requests a cookie. None: Allows all cookies. Note: When the Custom Privacy Level - Cookie Blocking Level setting is set to Medium, you must enable the Custom Security Level - Access Control Alerts setting to prompt your users when a Web site requests a cookie. If this setting is disabled, cookie requests are blocked without notifying the user of the firewall's actions. |
| Custom Privacy Level - Browser Privacy | Enable: Prevents a Web site from retrieving the user's system information or the address of the last Web site visited. Disable: Permits the sending of the user's system information or the address of the last Web site visited. |
| Custom Privacy Level - Secure Connections (https) | Enable: Permits communication using the HTTPS protocol. If this option is enabled, confidential information is sent. Disable: Blocks HTTPS traffic, including most credit card and financial transactions. |

Ad Blocking settings

Symantec Client Firewall Administrator includes a Client Settings category called Ad Blocking. Table 16-9 describes the Ad Blocking settings.

Table 16-9 Ad Blocking settings

| Setting | Description |
|---|---|
| Ad Blocking | Enable: Blocks ads using the Ad Blocking settings on the Web Content tab. Disable: Permits all Web pages to display all banner ads, and disables the Ad Blocking settings on the Web Content tab. |
| Popup Window Blocking | Enable: Blocks Web pages from displaying pop-up ads unless the URL is permitted to display pop-up ads by the Pop-up Ad User Settings feature on the Web Content tab. Disable: Permits all Web pages to display all pop-up ads unless the URL is blocked from displaying pop-up ads by the Popup Ad User Settings feature on the Web Content tab. |

Alert Customization settings

Alert Customization settings let you customize the text that appears in Alert prompts. The customized text is added to the default text, and the limit is 250 characters. The following table describes the Alert Customization settings.

Table Alert Customization settings

| Setting | Description |
|---|---|
| Expand Alert Details | Yes: Automatically displays details for program and security alerts such as protocol, remote address, and so forth. No: Does not automatically display details for all alerts. Allow User To Configure: Lets the user display or hide details about the alert. |

Table Alert Customization settings (continued)

| Setting | Description |
|---|---|
| Custom Alert Text - ActiveX | Appears when Web pages contain ActiveX controls. |
| Custom Alert Text - Privacy Control | Appears when users attempt to send confidential information to a Web site. |
| Custom Alert Text - Cookie | Appears when a Web site attempts to create or read a cookie on a computer. |
| Custom Alert Text - IPS | Appears when the IPS engine detects an intrusion attempt. |
| Custom Alert Text - IP | Appears when an unknown program attempts to access the Internet. |
| Custom Alert Text - Java | Appears when a Web site attempts to run a Java applet. |
| Custom Alert Text - Launcher | Appears when one program attempts to access the Internet using another program. |
| Custom Alert Text - Listen | Appears when a new program, such as a Trojan horse, begins listening for connections from other computers. |
| Custom Alert Text - Location | Appears when Location Awareness is enabled and Symantec Client Firewall prompts users to select a Location. |
| Custom Alert Text - Module | Appears when a known program attempts to access the Internet with an unknown module. |
| Custom Alert Text - Security | Appears when security alerts are enabled with rule tracking. |
| Custom Alert Text - Service Monitor | Appears when certain Symantec Client Firewall services are disabled, such as Symantec Event Manager, Symantec Secure Port, and Symantec Proxy Service. |

Various Client Settings control whether alerts appear. For example, if Custom Security Level - ActiveX Control Security is set to None, the alert for ActiveX never appears, even if you created custom alert text for this alert.

About Configure Alerting

In Symantec Client Firewall Administrator, Configure Alerting lets the firewall administrator configure all alerts, messages, and notifications from a single setting that offers three alerting options. The alerting options let you disable all alerting, reset alert settings to their default values, or disable informational alerts for Symantec Client Firewall. The following table lists and describes the Symantec Client Firewall alerting options.

Table Symantec Client Firewall alerting options

Reset to default values
  Alert settings are restored to their default values. The user sees informational alerts and the alerts that require user input. When you reset default values, the following settings on the Locations tab are not affected, even if they were modified by Disable all alerting:
  - Rule Exception Handling, for configured Locations and the default Location-specific settings.
  - Allow user to create locations.
Disable informational alerting
  Informational alerts and critical application errors are disabled, including Windows Security Center alerts. Also, the Show Taskbar Icon setting is disabled.
Disable all alerting
  All informational alerts and the alerts that require user input are disabled. Features that are configured to request user input are disabled or modified to act silently. Locations settings are modified to prevent users from creating Locations and to permit the network traffic that does not match any rule or configuration setting. This setting is recommended for users with minimal permissions.

How Configure Alerting affects settings

Individual alert settings are associated with one or more alerting options. When you use Configure Alerting to determine which alerts appear on the client computer, only the settings that are associated with the selected alerting option are affected. For example, if you select Disable informational alerting, Configure Alerting disables the six associated alert settings in the policy if they are not already disabled. The alert settings that are not associated with the selected alerting option are ignored and keep their configuration. Before the alerting option is applied to the policy, Configure Alerting displays a summary of the affected alert settings and their new configurations. After the alerting option is applied, you can modify individual alert settings further to customize the user's alerting experience.

Note: The Access Control Alerts setting affects other alerting components, which include Privacy Control, cookie, Java, ActiveX, Program Component, and Program Launch alerts. If you configure these alerting components to prompt or alert your clients, you must enable Access Control Alerts. If Access Control Alerts is disabled, Symantec Client Firewall blocks the action without prompting or alerting your clients of the action that is taken.

The following table describes the alert settings that you can configure in Symantec Client Firewall Administrator and how Configure Alerting affects them.

Table How Configure Alerting affects settings

Alert setting | Reset to default values | Disable informational alerting | Disable all alerting
Error Messages | Enable | Disable | Disable
Miscellaneous Notifications | Enable | Disable | Disable
Windows Firewall Disabled Message | Enable | Disable | Disable
Windows Security Center Firewall Alert | Disable | Disable | Disable
Java Applet Security | None | Not Applicable | If set to Medium or Keep Existing Selection, changed to None
ActiveX Control Security | None | Not Applicable | If set to Medium or Keep Existing Selection, changed to None
Access Control Alerts | Enable | Not Applicable | Disable

Table How Configure Alerting affects settings (continued)

Alert setting | Reset to default values | Disable informational alerting | Disable all alerting
Unused port Access Alert | Disable | Not Applicable | Disable
Display alerts for Intrusion Prevention | Disable | Disable | Disable
Custom Privacy Level - Confidential Info | Medium | Not Applicable | If set to Medium or Keep Existing Selection, changed to None
Custom Privacy Level - Cookie Blocking Level | None | Not Applicable | If set to Medium or Keep Existing Selection, changed to None
Show Taskbar Icon | Yes | No | No
Program Component Monitoring | Disable | Not Applicable | Disable
Program Launch Monitoring | Disable | Not Applicable | Disable
Locations - Allow user to create locations | Not Applicable | Not Applicable | Disable
Locations - Rule Exception Handling | Not Applicable | Not Applicable | Permit

Setting Configure Alerting options

Configure Alerting lets you set alerting options in Symantec Client Firewall Administrator. Setting the alerting options can potentially modify several alert settings in the policy file.
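The table above is easiest to reason about as a transformation over a policy. The following added example (not Symantec code, and not the product's policy file format) models a policy as a dictionary of alert setting names to values, using the names and values from the table, and applies one of the three Configure Alerting options to it. It reproduces the two behaviours the text calls out: settings marked Not Applicable keep their current value, and the conditional cells change a value only when it is currently Medium or Keep Existing Selection. The sample policy is constructed for illustration.

```python
"""Apply a Configure Alerting option to the alert settings of a policy.

Added example; it is not Symantec code. The policy is a plain dict of
setting name -> value, using the names and values from the table
"How Configure Alerting affects settings".
"""

OPTIONS = (
    "Reset to default values",
    "Disable informational alerting",
    "Disable all alerting",
)

NOT_APPLICABLE = None              # the option does not touch this setting
MEDIUM_TO_NONE = "MEDIUM_TO_NONE"  # changed to None only if Medium/Keep Existing Selection

# One row per alert setting; columns follow the order of OPTIONS.
ALERT_RULES = {
    "Error Messages":                               ("Enable",  "Disable", "Disable"),
    "Miscellaneous Notifications":                  ("Enable",  "Disable", "Disable"),
    "Windows Firewall Disabled Message":            ("Enable",  "Disable", "Disable"),
    "Windows Security Center Firewall Alert":       ("Disable", "Disable", "Disable"),
    "Java Applet Security":                         ("None",    NOT_APPLICABLE, MEDIUM_TO_NONE),
    "ActiveX Control Security":                     ("None",    NOT_APPLICABLE, MEDIUM_TO_NONE),
    "Access Control Alerts":                        ("Enable",  NOT_APPLICABLE, "Disable"),
    "Unused port Access Alert":                     ("Disable", NOT_APPLICABLE, "Disable"),
    "Display alerts for Intrusion Prevention":      ("Disable", "Disable", "Disable"),
    "Custom Privacy Level - Confidential Info":     ("Medium",  NOT_APPLICABLE, MEDIUM_TO_NONE),
    "Custom Privacy Level - Cookie Blocking Level": ("None",    NOT_APPLICABLE, MEDIUM_TO_NONE),
    "Show Taskbar Icon":                            ("Yes",     "No", "No"),
    "Program Component Monitoring":                 ("Disable", NOT_APPLICABLE, "Disable"),
    "Program Launch Monitoring":                    ("Disable", NOT_APPLICABLE, "Disable"),
    "Locations - Allow user to create locations":   (NOT_APPLICABLE, NOT_APPLICABLE, "Disable"),
    "Locations - Rule Exception Handling":          (NOT_APPLICABLE, NOT_APPLICABLE, "Permit"),
}


def settings_affected_by(option):
    """Names of the settings an option can change (the non-N/A cells of its column)."""
    col = OPTIONS.index(option)
    return [name for name, row in ALERT_RULES.items() if row[col] is not NOT_APPLICABLE]


def apply_alerting_option(policy, option):
    """Return (new_policy, changes); changes maps setting -> (old value, new value).

    Settings that are Not Applicable to the option are left untouched, and the
    conditional cells only rewrite a value that is Medium or Keep Existing Selection.
    """
    col = OPTIONS.index(option)
    new_policy = dict(policy)
    changes = {}
    for name, row in ALERT_RULES.items():
        target = row[col]
        if target is NOT_APPLICABLE:
            continue
        current = policy.get(name)
        if target == MEDIUM_TO_NONE:
            if current not in ("Medium", "Keep Existing Selection"):
                continue
            target = "None"
        if current != target:
            new_policy[name] = target
            changes[name] = (current, target)
    return new_policy, changes


def change_summary(changes):
    """Plain-text counterpart of the Change Summary dialog box."""
    return "\n".join(f"{name}: {old} -> {new}"
                     for name, (old, new) in sorted(changes.items()))


# Constructed sample policy; values were chosen to exercise every kind of cell.
SAMPLE_POLICY = {
    "Error Messages": "Enable",
    "Miscellaneous Notifications": "Enable",
    "Windows Firewall Disabled Message": "Enable",
    "Windows Security Center Firewall Alert": "Enable",
    "Java Applet Security": "Medium",
    "ActiveX Control Security": "High",
    "Access Control Alerts": "Enable",
    "Unused port Access Alert": "Enable",
    "Display alerts for Intrusion Prevention": "Enable",
    "Custom Privacy Level - Confidential Info": "Keep Existing Selection",
    "Custom Privacy Level - Cookie Blocking Level": "High",
    "Show Taskbar Icon": "Yes",
    "Program Component Monitoring": "Enable",
    "Program Launch Monitoring": "Enable",
    "Locations - Allow user to create locations": "Enable",
    "Locations - Rule Exception Handling": "Block",
}

if __name__ == "__main__":
    for option in OPTIONS:
        _, changes = apply_alerting_option(SAMPLE_POLICY, option)
        print(f"== {option}: {len(changes)} setting(s) changed")
        print(change_summary(changes))
```

Running it on the sample policy shows why the Note that follows warns about Disable informational alerting: that option touches exactly six settings and leaves Java Applet Security at Medium, whereas Disable all alerting rewrites the Medium value to None and also forces the two Locations settings.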

Note: Before you use Configure Alerting, become familiar with all the alert settings and how each alerting option affects them. For example, Disable informational alerting affects only six alert settings. If you use this alerting option, many alerts are ignored, and their settings are not immediately known. If the policy was previously configured to disable all alerting, the ignored alerts might be disabled.

To set Configure Alerting options
1 In Symantec Client Firewall Administrator, on the Client Settings tab, on the General tab, click Configure Alerting.
2 In the Configure Alerting dialog box, select one of the following:
  - Reset to default values
  - Disable informational alerting
  - Disable all alerting
3 Click OK.
4 In the Change Summary dialog box, review the required configuration changes, and then click OK.

About Miscellaneous Notifications

In Symantec Client Firewall Administrator, you cannot configure all informational alerts individually. As the firewall administrator, you can manage these alerts by enabling or disabling the Miscellaneous Notifications setting. When you import a policy file, Symantec Client Firewall uses the Miscellaneous Notifications setting to determine whether to display these informational alerts.

Note: Miscellaneous Notifications settings do not control the notifications that appear when users import or export policies through the Settings Manager.

The following table lists and describes the Miscellaneous Notifications.

Table Miscellaneous Notifications

Policy Import
  Notifies the user when Symantec Client Firewall's policy settings are updated. The Fio.exe command-line utility displays a notification on the client if you use the DisplayProgress parameter when you import or export a policy.
Program Control Rule
  Notifies the user when a program matches a configured prule and creates a Program rule.
Security Alert
  Notifies the user with a security alert when a rule matches network traffic.

About permissions

Permissions replace user access levels and provide a more granular method for the firewall administrator to permit or block features and functionality for Symantec Client Firewall users. You can use the Permissions tab to specify the level of interaction that users can have with Symantec Client Firewall. Figure 16-2 shows the Permissions tab.

Figure 16-2 Permissions tab

Note: Certain permissions depend on other permissions. For example, many Symantec Client Firewall features depend on the permission to access the user interface. If you block this permission, users cannot access other features that they might have permissions to configure.

General permissions

The following table describes the General permissions.

Table General permissions

Open User Interface
  Permit: Users can access the Symantec Client Firewall user interface.
  Block: Users cannot access the Symantec Client Firewall user interface from the Start menu or from the Symantec Client Firewall icon menu in the Windows system tray. If you set the Show Taskbar Icon General setting to display the Symantec Client Firewall tray icon, users who have the Open User Interface permission blocked can still potentially access and configure the following:
  - Block Traffic
  - Log Viewer
  - View Statistics
  - Symantec Client Firewall Options dialog box, which includes General and Firewall options, Secure Port, Protocol Filtering, and Settings Manager
  To prevent users from accessing any part of Symantec Client Firewall, block the Open User Interface permission and disable the Show Taskbar Icon General setting.
View Logs
  Permit: Users can view logs.
  Block: Prevents users from viewing logs in the following ways:
  - Dims the View Logs button in the Statistics window.
  - Removes the Log Viewer menu item from the Symantec Client Firewall tray icon menu, regardless of its configuration.
Clear Logs
  Permit: Users can clear individual or all logs.
  Block: Users who attempt to clear logs receive a Log Viewer error notification that explains that they do not have the required permissions.
  Note: If you disable the Miscellaneous Notifications General setting, users do not receive the error notification.

Table General permissions (continued)

View Statistics
  Permit: Users can view statistics.
  Block: Prevents users from viewing statistics in the following ways:
  - Dims the More Details button in the Statistics window.
  - Removes the View Statistics menu item from the Symantec Client Firewall tray icon menu, regardless of its configuration.
  Note: Users who have View Statistics blocked can still view recent statistics in the Statistics window.
Reset Statistics
  Permit: Users can reset statistics.
  Block: Prevents users from resetting statistics in the following ways:
  - Dims the Reset Now setting in the Statistics window.
  - Dims the Reset Values menu item on the View menu in the Symantec Client Firewall Statistics window.

Client Firewall Operation permissions

The following table describes the Client Firewall Operation permissions.

Table Client Firewall Operation permissions

Block Traffic
  Permit: Users can block or permit traffic to their computer.
  Block: Prevents users from blocking or permitting traffic in the following ways:
  - Removes the Block Traffic menu item from the Symantec Client Firewall tray icon menu, regardless of its configuration.
  - Generates an error notification when users try to block or permit traffic in the Symantec Client Firewall window.

Table Client Firewall Operation permissions (continued)

Enable/Disable entire product
  Permit: Users can enable and disable Symantec Client Firewall.
  Block: Prevents users from enabling and disabling Symantec Client Firewall in the following ways:
  - Removes the Security Turn Off button from the Symantec Client Firewall System Status window.
  - Removes the Enable or Disable Symantec Client Firewall menu item from the Symantec Client Firewall tray icon menu.
Restore a Policy
  Permit: Users can restore policy configurations.
  Block: Prevents users from restoring policies by dimming the Import Settings button on the Settings Manager tab in the Symantec Client Firewall Options dialog box.
Configure General Options
  Permit: Users can determine when Symantec Client Firewall runs, which options appear on the tray icon menu, and the logging level.
  Block: Prevents users from configuring general options by dimming the tray icon and logging level settings.

Client Firewall Configuration permissions

The following table describes the Client Firewall Configuration permissions.

Table Client Firewall Configuration permissions

Enable/Disable Firewall
  Permit: Users can enable and disable the firewall component of Symantec Client Firewall.
  Block: Prevents users from enabling and disabling the client firewall by removing the Client Firewall Turn Off button from the Symantec Client Firewall System Status window.

Table Client Firewall Configuration permissions (continued)

Configure Firewall
  Permit: Users can access the Client Firewall configuration dialog boxes.
  Block: Prevents users from configuring firewall settings by removing the Client Firewall Configure button from the Symantec Client Firewall System Status window.
Configure Firewall Level
  Permit: Users can configure the Firewall Level slider and the firewall custom level security settings, including the following:
  - Client Firewall
  - Java Applet Security
  - ActiveX Control Security
  - Enable Access Control Alerts
  - Alert when unused ports are accessed
  Block: Prevents users from configuring firewall settings by dimming the firewall level slider and the Custom Level and Default Level buttons.
Configure General Rules
  Permit: Users can add and modify unlocked General rules.
  Block: Prevents users from configuring General rules by dimming the General button on the Advanced tab in the Symantec Client Firewall dialog box. Users cannot configure locked rules, even if this permission is enabled.
Configure Trojan Horse Rules
  Permit: Users can add and modify unlocked Trojan rules.
  Block: Prevents users from configuring Trojan rules by dimming the Trojan Horse button on the Advanced tab in the Symantec Client Firewall dialog box. Users cannot configure locked rules, even if this permission is enabled.

Table Client Firewall Configuration permissions (continued)

Configure Program Rules
  Permit: Users can add and modify unlocked Program rules.
  Block: Prevents users from configuring Program rules by dimming the Add, Modify, and Remove buttons on the Programs tab in the Symantec Client Firewall dialog box. Also, users cannot scroll down the Program Control list. Users cannot configure locked rules, even if this permission is enabled.
Configure Auto Rule Creation
  Permit: Users can enable and disable Automatic Program Control.
  Block: Prevents users from configuring Auto Rule Creation by dimming the Turn on Automatic Program Control setting and the Program Scan button on the Programs tab in the Symantec Client Firewall dialog box.
Configure Zones
  Permit: Users can configure the Trusted Zone, Restricted Zone, and IPS AutoBlock. This option includes the ability to enable and disable AutoBlock, to move a computer from the AutoBlock list to the Restricted Zone, to remove a computer from the AutoBlock list, to change the AutoBlock time, and to configure AutoBlock exclusions.
  Block: Prevents users from configuring Zones or AutoBlock in the following ways:
  - Dims the Add and Remove buttons for Trusted and Restricted Zones on the Networking tab in the Symantec Client Firewall dialog box.
  - Dims the settings and buttons on the AutoBlock tab in the Symantec Client Firewall dialog box.

Table Client Firewall Configuration permissions (continued)

Configure Advanced Options
  Permit: Users can configure advanced firewall options, including the following:
  - Protocol Filtering
  - Program component monitoring
  - Program launch monitoring
  - HTTP port list
  - Stealth blocked ports
  Block: Prevents users from configuring advanced options by removing the Firewall and Protocol Filtering tabs from the Symantec Client Firewall Options dialog box.

Intrusion Prevention permissions

The following table describes the Intrusion Prevention permissions.

Table Intrusion Prevention permissions

Enable/Disable Intrusion Prevention
  Permit: Users can enable and disable the Intrusion Prevention System (IPS).
  Block: Prevents users from enabling and disabling IPS in the following ways:
  - Removes the Intrusion Prevention Turn Off button from the Symantec Client Firewall System Status window.
  - Dims the Turn on Intrusion Prevention setting on the Intrusion Prevention tab in the Symantec Client Firewall dialog box.
  Note: Users who have Configure Intrusion Prevention permitted can still, in effect, disable IPS by unchecking all IPS signatures. You can lock the IPS signatures that you do not want users to configure.

Table Intrusion Prevention permissions (continued)

Configure Intrusion Prevention
  Permit: Users can configure IPS exclusions and alerting.
  Block: Prevents users from configuring IPS signatures by dimming the Advanced button and the Display alerts when Intrusion Prevention blocks connections setting on the Intrusion Prevention tab. Users cannot configure locked IPS signatures, even if this permission is enabled.

Miscellaneous permissions

The following table describes the Miscellaneous permissions.

Table Miscellaneous permissions

Enable/Disable Location Awareness
  Permit: Users can enable and disable the Network Detector, which activates Location Awareness.
  Block: Prevents users from configuring Location Awareness by dimming the settings on the Locations tab in the Symantec Client Firewall dialog box.
Configure Privacy Control
  Permit: Users can configure Privacy Control options, including the following:
  - Turn on Privacy Control
  - Move the slider to set the Privacy Control level
  - Private Information
  - Cookie Blocking
  - Enable Browser Privacy
  - Enable Secure Connections (https)
  Block: Prevents users from configuring Privacy Control options by removing the Privacy Control Turn Off and Configure buttons from the Symantec Client Firewall System Status window.
  Note: Users who have Access Advanced Web Content Options permitted can still modify Privacy Control settings on the Global Settings tab in the Advanced Web Content Options dialog box.

Table Miscellaneous permissions (continued)

Configure Private Info
  Permit: Users can add and modify private information.
  Block: Prevents users from configuring private information by dimming the Private Information button in the Symantec Client Firewall Privacy Control dialog box.
  Note: Users who have Configure Privacy Control permitted can disable Private Information by modifying custom level settings.
Configure Ad Blocking
  Permit: Users can enable and disable Ad Blocking, and enable and disable pop-up window blocking.
  Block: Prevents users from configuring Ad Blocking by removing the Ad Blocking Turn Off and Configure buttons from the Symantec Client Firewall System Status window.
  Note: Users who have Configure Ad Blocking blocked can still modify Ad Blocking settings if Access Advanced Web Content Options is permitted.
Configure Secure Port
  Permit: Users can enable and disable Secure Port, and configure the ports that are blocked by Secure Port.
  Block: Prevents users from configuring Secure Port by removing the Secure Port tab from the Symantec Client Firewall Options dialog box.
Access Advanced Web Content Options
  Permit: Users can configure settings on the Advanced Web Content tab, including the following:
  - Global Settings
  - User Settings
  - Ad Blocking HTML string list
  Block: Prevents users from configuring Advanced Web Content Options by dimming the Advanced buttons in the Ad Blocking and Privacy Control dialog boxes.
  Note: Users must have Configure Ad Blocking or Configure Privacy Control permitted to access Advanced Web Content Options.
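The notes scattered through the permission tables describe combinations in which blocking one permission does not achieve what the administrator intended, because another permission or General setting still exposes the same function. The following added example (not Symantec code; it does not read the product's policy file) encodes those notes as an audit over a permissions policy modelled as a dictionary, so a policy can be checked for lockdown gaps before it is exported. Permission and setting names are taken from the tables; the assumptions are that a permission missing from the dictionary is Permit, and that whether IPS signatures are locked is passed in separately, because that is configured elsewhere. The sample policies are constructed.

```python
"""Audit a Symantec Client Firewall permissions policy for lockdown gaps.

Added example, not Symantec code. Permissions and General settings are dicts
of name -> value using the names from the permission tables. Every check below
corresponds to a Note in those tables.
"""


def audit_permissions(perms, general, ips_signatures_locked=False):
    """Return a list of (code, explanation) findings; an empty list means no gap."""

    def p(name):
        # Assumption: a permission absent from the dict is treated as Permit.
        return perms.get(name, "Permit")

    findings = []

    # Open User Interface: the tray icon is an alternative entry point.
    if p("Open User Interface") == "Block" and general.get("Show Taskbar Icon") == "Yes":
        findings.append(("ui-via-tray",
            "Open User Interface is blocked but Show Taskbar Icon is Yes: users can still "
            "reach Block Traffic, Log Viewer, View Statistics and the Options dialog box "
            "from the tray icon menu. Set Show Taskbar Icon to No as well."))

    # Advanced Web Content Options re-exposes Ad Blocking and Privacy Control settings.
    if p("Access Advanced Web Content Options") == "Permit":
        ad, privacy = p("Configure Ad Blocking"), p("Configure Privacy Control")
        if ad == "Block" and privacy == "Permit":
            findings.append(("adblock-via-advanced",
                "Configure Ad Blocking is blocked, but Ad Blocking settings remain editable "
                "through Advanced Web Content Options (reached via Privacy Control)."))
        if privacy == "Block" and ad == "Permit":
            findings.append(("privacy-via-advanced",
                "Configure Privacy Control is blocked, but Privacy Control settings remain "
                "editable on the Global Settings tab of Advanced Web Content Options."))
        if ad == "Block" and privacy == "Block":
            findings.append(("advanced-unreachable",
                "Access Advanced Web Content Options is permitted but unreachable: it needs "
                "Configure Ad Blocking or Configure Privacy Control."))

    # IPS can be disabled in effect by unchecking every unlocked signature.
    if (p("Enable/Disable Intrusion Prevention") == "Block"
            and p("Configure Intrusion Prevention") == "Permit"
            and not ips_signatures_locked):
        findings.append(("ips-off-via-signatures",
            "Users cannot turn IPS off, but with unlocked signatures they can uncheck "
            "every signature. Lock the signatures users must not change."))

    # Private Information can be disabled from the Privacy Control custom level.
    if p("Configure Private Info") == "Block" and p("Configure Privacy Control") == "Permit":
        findings.append(("private-info-via-custom-level",
            "Configure Private Info is blocked, but Configure Privacy Control lets users "
            "disable Private Information through custom level settings."))

    # A refused Clear Logs attempt is only reported through Miscellaneous Notifications.
    if p("Clear Logs") == "Block" and general.get("Miscellaneous Notifications") == "Disable":
        findings.append(("clear-logs-silent",
            "Clear Logs is blocked and Miscellaneous Notifications is disabled, so users "
            "receive no error notification when the attempt is refused."))

    return findings


def finding_codes(perms, general, ips_signatures_locked=False):
    """Just the short codes, convenient for comparing two policies."""
    return [code for code, _ in audit_permissions(perms, general, ips_signatures_locked)]


# Constructed sample: a policy that looks locked down but leaves several side doors.
SAMPLE_PERMS = {
    "Open User Interface": "Block",
    "Configure Ad Blocking": "Block",
    "Configure Privacy Control": "Permit",
    "Access Advanced Web Content Options": "Permit",
    "Enable/Disable Intrusion Prevention": "Block",
    "Configure Intrusion Prevention": "Permit",
    "Configure Private Info": "Block",
    "Clear Logs": "Block",
}
SAMPLE_GENERAL = {"Show Taskbar Icon": "Yes", "Miscellaneous Notifications": "Disable"}

# Constructed sample: the same intent with the side doors closed.
HARDENED_PERMS = dict(SAMPLE_PERMS,
    **{"Configure Privacy Control": "Block",
       "Access Advanced Web Content Options": "Block",
       "Configure Intrusion Prevention": "Block"})
HARDENED_GENERAL = {"Show Taskbar Icon": "No", "Miscellaneous Notifications": "Enable"}

if __name__ == "__main__":
    for code, text in audit_permissions(SAMPLE_PERMS, SAMPLE_GENERAL):
        print(f"[{code}] {text}")
    print("hardened findings:", finding_codes(HARDENED_PERMS, HARDENED_GENERAL))
```

The audit is deliberately conservative: it only reports the interactions the tables state, so an empty result means "no documented gap", not that the policy is correct for your environment.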

Setting user access levels for legacy clients

For previous versions of Symantec Client Firewall, a user's interaction with Symantec Client Firewall's rulebase, settings, and alerts depended on the user's access level. As the firewall administrator, you can set the user access level for previous versions of Symantec Client Firewall in Symantec Client Firewall Administrator. The user access level setting applies only to legacy versions of Symantec Client Firewall. You cannot skip configuring user permissions and alerting by importing this setting into a new version of Symantec Client Firewall.

Admin users have all the permissions that are associated with Normal and Restricted users. Normal users have all the permissions that are associated with Restricted users.

See Supporting policies for legacy clients on page 295.
See Supporting different versions of IPS engines and signatures on page 378.

The following table lists and describes the Symantec Client Firewall user access levels.

Table Symantec Client Firewall user access levels

Admin
  Users with the Admin user level have access to all permissions, including the following:
  - Reset Statistics
  - Enable and Disable Symantec Client Firewall
  - Restore a Policy
  - Configure General Options
  - Enable and Disable Firewall Setting
  - Configure Firewall
  - Configure General Rules
  - Configure Trojan Horse Rules
  - Configure Program Rules
  - Configure Auto Rule Creation
  - Configure Zones
  - Configure Advanced Options
  - Enable and Disable Location Awareness
  - Configure Intrusion Prevention
  - Configure Secure Port

Table Symantec Client Firewall user access levels (continued)

Normal
  Users with the Normal user level have the following permissions:
  - Open User Interface
  - View Logs
  - Clear Logs
  - View Statistics
  - Block Traffic
  - Configure Privacy Control
  - Configure Private Info
  - Configure Ad Blocking
  - Access Advanced Web Content Options
Restricted
  Users with the Restricted user level have only the View Logs permission. When a user is classified as Restricted, that user cannot run any Internet programs unless the same policy file contains specific rules that permit access to those programs. When you assign a user level of Restricted, you need to configure the following client configuration settings:
  - Use a setting other than Medium for the Symantec Client Firewall or Privacy Control settings. A setting of Medium means that the user is prompted to allow or block communication each time that a Web site presents a cookie, Java applet, ActiveX control, and so forth. Because Restricted users do not have permission to respond to alerts, and do not see the alerts, the Medium setting is not applicable.
  - Disable the Access Control Alerts setting, because Restricted users are not able to receive or respond to alerts.

To set Symantec Client Firewall user levels
In Symantec Client Firewall Administrator, on the Client Settings tab, on the General tab, under User Interface, next to User Type (5.x and 7.x clients only), select one of the following:
  - Admin
  - Normal
  - Restricted

About Protocol Filtering

Protocol Filtering extends the security of Symantec Client Firewall by blocking incoming and outgoing traffic that uses less common IP protocols. Most network traffic uses the more common TCP, UDP, and ICMP protocols, which are configured every time that you create rules and prules. You can permit or block all other IP protocols based on your network needs. Because many products, including VPN solutions, use extended IP protocols to communicate, you should permit all extended protocols until you are ready to research the software and devices that are used in your network and identify the specific protocols to permit into your network.

Figure 16-3 on page 437 shows the Protocol Filtering tab.

Figure 16-3 Protocol Filtering tab

The Internet protocol list is updated at:

Default Protocol Filtering settings

In new policy files, Protocol Filtering blocks all extended protocols. If you import settings from a new installation of Symantec Client Firewall, all extended IP protocols are blocked by default except for Internet Group Management Protocol (IGMP). IGMP is a standard protocol that is used for IP multicasting on the Internet. When you import an earlier policy file that does not include the Protocol Filtering settings, all extended IP protocols are automatically permitted except for IGMP. IGMP is permitted or blocked based on the setting in previous versions of Symantec Client Firewall Administrator, located in Client Settings on the General tab. The following table describes how Protocol Filtering settings are imported into new and legacy policy files.

Table Importing Protocol Filtering settings

Policy type | Action
New policy | Blocks all extended protocols.
Earlier policy in which IGMP is blocked | Permits all extended protocols except for IGMP, which is blocked.
Earlier policy in which IGMP is permitted | Permits all extended protocols.

VPN protocols

Virtual Private Networks (VPN) use additional IP protocols to communicate with other computers. The protocols that VPNs use vary depending on their implementation method and on the type of security they use to secure the communication tunnels. If users have problems connecting to your network with their VPN client, Symantec Client Firewall might be blocking the IP protocols that are necessary for communication. For increased security, if you know which protocols your VPN solution needs, you can individually permit them. If you are uncertain which ones are needed in your network, you can permit the more common VPN-related protocols. The following table lists and describes common VPN protocols.

Table Common VPN protocols

47 - GRE
  The Generic Routing Encapsulation protocol is used with VPNs that use the Microsoft Point-to-Point Tunneling Protocol (PPTP).
50 - ESP
  The Encapsulation Security Payload protocol is used with VPNs that use the IPSec protocol.
51 - AH
  The Authentication Header protocol is used with VPNs that use the IPSec protocol.

Table Common VPN protocols (continued)

56 - TLSP
  The Transport Layer Security Protocol uses Kryptonet key management to provide privacy and data integrity between two applications that communicate over the Internet.
57 - SKIP
  The Simple Key-Management for Internet Protocol is used with VPNs that use Secure Socket Layers (SSL) or IPSec protocols.
L2TP
  The Level 2 Tunneling Protocol is used with VPNs that use the IPSec protocol. Also, L2TP is Microsoft's main authentication and encryption protocol.

Permitting and blocking extended protocols

Protocol Filtering lets you selectively permit or block less common IP protocols that can be used to infiltrate your network.

To permit or block extended protocols
In Symantec Client Firewall Administrator, on the Client Settings tab, on the Protocol Filtering tab, select one of the following:
  - Block all extended protocols
  - Permit all extended protocols
  - Permit selected extended protocols: Check the protocols that you want to permit in the list.

Web Content settings

Web Content settings let you control how Symantec Client Firewall handles interactive online content, ads, and possible privacy intrusions. When you export these settings to Symantec Client Firewall, all Client Settings are deleted and overwritten. Web Content options are arranged on the following tabs:
  - Global Settings
  - User Settings
  - Ad Blocking
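Before moving on to the Web Content tabs, the Protocol Filtering behaviour described above can be pinned down in code. The following added example (not Symantec code and not the product's filter) models the three Protocol Filtering modes, the import rules from the "Importing Protocol Filtering settings" table, and a troubleshooting helper that reports which of the common VPN protocols a given filter state would drop, which is the question to ask when a VPN client cannot connect. The VPN protocol numbers come from the table; the numbers for TCP, UDP, ICMP and IGMP are IANA assignments that the page does not state, so treat them as the author's additions.

```python
"""Protocol Filtering decisions for extended IP protocols.

Added example, not Symantec code. Models the Block all / Permit all /
Permit selected modes, the import rules for new and earlier policies, and a
helper that lists the common VPN protocols the current filter would block.
"""
from enum import Enum

# Traffic on these protocols is governed by rules and prules, not by Protocol Filtering.
# Protocol numbers are IANA assignments (assumption: not stated on the page).
COMMON_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
IGMP = 2  # IANA number for IGMP (assumption: not stated on the page)
# Numbers and names from the "Common VPN protocols" table.
VPN_PROTOCOLS = {47: "GRE", 50: "ESP", 51: "AH", 56: "TLSP", 57: "SKIP"}
# Every IP protocol number that Protocol Filtering decides on.
ALL_EXTENDED = frozenset(range(256)) - frozenset(COMMON_PROTOCOLS)


class Mode(Enum):
    BLOCK_ALL = "Block all extended protocols"
    PERMIT_ALL = "Permit all extended protocols"
    PERMIT_SELECTED = "Permit selected extended protocols"


def imported_filtering(policy_type, legacy_igmp_permitted=None):
    """Filter state produced on import, per the Default Protocol Filtering settings text.

    policy_type: "new" (new policy file), "new_installation" (settings imported
    from a new installation) or "earlier" (a policy without Protocol Filtering).
    Returns (mode, permitted protocol numbers).
    """
    if policy_type == "new":
        return Mode.BLOCK_ALL, frozenset()
    if policy_type == "new_installation":
        # Everything blocked except IGMP.
        return Mode.PERMIT_SELECTED, frozenset({IGMP})
    if policy_type == "earlier":
        if legacy_igmp_permitted:
            return Mode.PERMIT_ALL, frozenset()
        # Everything permitted except IGMP, which follows the legacy General setting.
        return Mode.PERMIT_SELECTED, ALL_EXTENDED - {IGMP}
    raise ValueError(f"unknown policy type: {policy_type!r}")


def is_permitted(protocol, mode, selected=frozenset()):
    """True/False for an extended protocol; None when rules and prules decide instead."""
    if protocol in COMMON_PROTOCOLS:
        return None
    if mode is Mode.BLOCK_ALL:
        return False
    if mode is Mode.PERMIT_ALL:
        return True
    return protocol in selected


def blocked_vpn_protocols(mode, selected=frozenset()):
    """Names of common VPN protocols the filter drops; check this first when a VPN fails."""
    return sorted(name for num, name in VPN_PROTOCOLS.items()
                  if not is_permitted(num, mode, selected))


if __name__ == "__main__":
    for ptype, igmp in (("new", None), ("new_installation", None),
                        ("earlier", False), ("earlier", True)):
        mode, selected = imported_filtering(ptype, igmp)
        print(f"{ptype:17} IGMP permitted={igmp!s:5} -> {mode.value}; "
              f"VPN protocols blocked: {blocked_vpn_protocols(mode, selected)}")
```

Note that L2TP from the table is not in `VPN_PROTOCOLS`: the page gives it no IP protocol number, so it cannot be expressed as an extended-protocol decision here.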

Note: All Web Content filtering is performed on the ports that are specified in the HTTP Port List on the Client Settings tab. If this list is blank, the firewall does not enforce Web Content settings at all. Further, Web Content settings are ignored for computers placed in Trusted Zones.

Global Settings

Global Settings let you control the default and individual Web site actions that Symantec Client Firewall takes when Web sites attempt to get information about your browser and browsing history, or use animated images, JavaScripts, and other active content.

Note: If the Privacy Control Client Setting is disabled, the Global Settings for Information about your browser and Information about visited sites are ignored.

The following table describes the Global Settings.

Table Global Settings

Information about your browser
  Block or allow Web sites from requesting information about your computer and Web browser.
Information about visited sites
  Select one of the following actions to take when Web sites request information about the last Web site that you visited during this session:
  - Block
  - Permit
  - Permit Same Site (Default): Requests for information are allowed when the requests originate from the same domain. All other requests are blocked.
Animated images
  Block or allow animated images from running. The images still appear but are not animated.
Scripts
  Block or allow Java and Visual Basic scripts. Some scripts write cookies.
Flash Animation
  Block or allow content created with Macromedia Flash.

User Settings

User Settings let you customize Cookie Blocking, Popup Window Blocking, and ActiveX and Java settings for individual sites. The following table describes the User Settings.

Table User Settings

Cookies
  Block or allow Web sites from creating and reading cookie files on your computer.
Java Applets
  Block or allow Java applets from running.
ActiveX Controls
  Block or allow ActiveX controls from running.
Popup Ads
  Block or allow pop-up ads.

Note: Two types of cookies exist, persistent and nonpersistent. Symantec Client Firewall treats both types the same way.

Ad Blocking settings

Ad Blocking settings let you specify default and individual ad banners that you want to block or allow on individual sites. Symantec Client Firewall detects and blocks ads based on two criteria: their dimensions and their locations.

Note: If the Banner Blocking Client Setting is disabled, Ad Blocking is disabled.

Blocking by dimensions

Most online advertisers use one or more standard sizes for their ads. Symantec Client Firewall now includes the ability to block images, Flash animations, and other HTML elements that have the same dimensions as these common ad sizes.

Blocking by location

Every file on the Internet has a unique address or URL. When you view a Web page, your computer connects to a URL and displays the file that is stored there. If the page points to graphics, audio files, and other multimedia content, your browser displays the files as part of the page.

When Ad Blocking is enabled and you connect to a Web site, Symantec Client Firewall scans Web pages and compares their contents to the following lists:

- A default list of ads that Symantec Client Firewall blocks automatically. You can add to and change this list with ads that you want to block only. The default list applies to all Web sites that are visited.
- A list of Web sites that contain specific ads that Symantec Client Firewall permits or blocks. You can add to and change this list with Web sites that contain ads that you want to permit or block.

If the page includes files from a blocked domain, Symantec Client Firewall removes the link and downloads the rest of the page.

Creating text strings to identify ads to block or permit

You can control whether Symantec Client Firewall displays specific ads by creating a list of text strings that identify individual ad banners. Ad Blocking strings are sections of HTML addresses. If any part of a file's address matches the text string, Symantec Client Firewall automatically blocks the file.

Symantec Client Firewall provides an Ad Blocking list (Default) that is used to determine which images should be blocked when displaying Web pages. You can also create permit strings that allow Web sites to display images that match the string. This allows you to override the blocking effect of any string in the (Default) block list for individual sites. Permit rules take precedence over Block rules on any site.

When Ad Blocking is enabled, all Web pages are scanned for the HTML strings that are specified in the (Default) list. Symantec Client Firewall looks for the blocked strings within HTML tags that are used to present advertising. Symantec Client Firewall removes the HTML structures that contain matching strings from the page before the page appears in the Web browser.

Make sure that the strings that you place in the (Default) block list are not too general. For example, www by itself is not a good string to block because almost every URL includes www. A string like is more effective because it only blocks graphics from the slowads domain without affecting other sites.

The way that you define Ad Blocking strings affects how restrictive or unrestrictive Symantec Client Firewall is when it filters data. For example, if you add the string spammersrus.com to the (Default) block list, you block everything in the spammersrus.com domain. If you are more specific and add the string /images/image7.gif to the site-specific block list maintained for you block only that particular image.
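The matching rules described above (a substring match against the file's address, the (Default) list applying to every site with a site-specific list layered on top, permit strings taking precedence over block strings, and blocking by common banner dimensions) are easier to reason about in code. The following Python is an added illustration written for this page; it is not Symantec Client Firewall's own code. The tag set it scans (img, embed, iframe), the sample banner dimensions, the layout of the rule dictionary, the site names, the rule that dimension blocking applies only when no string rule matched, and the `too_general` helper that flags strings such as "www" are all assumptions made for the example.

```python
"""Ad Blocking string matching, modelled on the behaviour described above.

Added example, not Symantec's code. Assumptions: rule strings are lowercase
substrings of a file's address; the (Default) list applies to every site and
a site-specific list is layered on top; a matching permit string wins over
any block string; blocking by dimension is applied only when no string rule
matched; the tag set and banner sizes below are constructed samples.
"""
import re
from collections import namedtuple

DEFAULT = "(default)"

# Constructed sample of common banner dimensions (width, height) in pixels.
COMMON_AD_SIZES = {(468, 60), (728, 90), (300, 250), (160, 600), (120, 600)}

# Tags treated as presenting advertising (an assumption for this example).
TAG_RE = re.compile(r"<(img|embed|iframe)\b([^>]*)>(?:\s*</\1>)?", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

Decision = namedtuple("Decision", "action reason")


def classify(url, site, rules):
    """Apply the string lists to one file address.

    rules maps a site name (or DEFAULT) to {"block": [...], "permit": [...]}.
    Permit strings are checked first because they take precedence over block
    strings; within each kind the site-specific list is consulted before the
    (Default) list.
    """
    url = url.lower()
    lists = (rules.get(site.lower(), {}), rules.get(DEFAULT, {}))
    for kind in ("permit", "block"):
        for lst in lists:
            for s in lst.get(kind, ()):
                if s.lower() in url:
                    return Decision(kind, s)
    return Decision("none", None)


def filter_page(html, site, rules):
    """Strip advertising tags from a page; returns (filtered_html, removed).

    removed is a list of (url, reason) pairs explaining each removal.
    """
    removed = []

    def replace(match):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(match.group(2))}
        url = attrs.get("src", "")
        decision = classify(url, site, rules)
        if decision.action == "block":
            removed.append((url, "string:" + decision.reason))
            return ""
        if decision.action == "permit":
            return match.group(0)
        try:
            size = (int(attrs.get("width", "")), int(attrs.get("height", "")))
        except ValueError:
            return match.group(0)  # no usable dimensions: leave the tag alone
        if size in COMMON_AD_SIZES:
            removed.append((url, "dimension:%dx%d" % size))
            return ""
        return match.group(0)

    return TAG_RE.sub(replace, html), removed


def too_general(string, sample_urls, threshold=0.5):
    """Flag a block string that matches most addresses in a sample (like "www")."""
    if not sample_urls:
        return False
    hits = sum(1 for u in sample_urls if string.lower() in u.lower())
    return hits / len(sample_urls) >= threshold


# Constructed rule lists: the (Default) list plus one site-specific list.
RULES = {
    DEFAULT: {"block": ["slowads.example", "/ads/"], "permit": []},
    "news.example": {
        "block": ["/images/image7.gif"],
        "permit": ["slowads.example/logo"],  # overrides the (Default) block
    },
}

# Constructed page as the client might receive it from news.example.
SAMPLE_PAGE = (
    "<html><body>"
    '<img src="http://slowads.example/banner1.gif" width="468" height="60">'
    '<img src="http://slowads.example/logo.png">'
    '<img src="http://news.example/images/image7.gif">'
    '<img src="http://cdn.example/promo.jpg" width="728" height="90">'
    '<img src="http://news.example/photo.jpg" width="640" height="480">'
    '<iframe src="http://other.example/frame.html"></iframe>'
    "</body></html>"
)


def demo():
    """Filter the constructed page for news.example and return the result."""
    return filter_page(SAMPLE_PAGE, "news.example", RULES)


if __name__ == "__main__":
    page, removed = demo()
    for url, reason in removed:
        print("removed", url, reason)
    print(page)
```

Running `demo()` removes three tags from the constructed page: the banner matched by the (Default) string slowads.example, the image matched by the site-specific string /images/image7.gif, and a 728x90 promo image caught by dimension only. The slowads logo survives because the site-specific permit string wins over the (Default) block, which is the override the guide describes. `too_general("www", urls)` is the kind of check to run before adding a string to the (Default) list.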

Note: When you export policy files to Symantec Client Firewall, all user-defined strings are deleted.

Adding Ad Blocking strings

You can add strings to the Ad Blocking list for all sites or for individual sites. Ad Blocking supports lowercase characters only.

To add an Ad Blocking string

1 In Symantec Client Firewall Administrator, on the Web Content tab, on the Ad Blocking tab, do one of the following:
   - To block a string on all Web sites, click (Default).
   - To block a string on a Web site in the list, select the site's name.
   - To block a string on a Web site not in the list, click Add Site, and then in the New Site/Domain dialog box, type the site's address.
2 On the Ad Blocking tab, click Add.
3 In the Add New HTML String dialog box, select one of the following:
   Block    Block ads matching this string.
   Permit   Allow ads matching this string.
4 Type an HTML string to block or permit.
5 Click OK.

Modifying or removing Ad Blocking strings

If you later decide that an Ad Blocking string is too restrictive, not broad enough, or not appropriate, you can change or remove it.

To modify or remove an Ad Blocking string

1 In Symantec Client Firewall Administrator, on the Web Content tab, on the Ad Blocking tab, do one of the following:
   - To modify or remove a string in the (Default) list, click (Default).
   - To modify or remove a site-specific string, select the site's name.
2 In the HTML string list, select the string that you want to change.
3 Do one of the following:
   - To modify a string, click Modify, and then type your changes.
   - To remove a string, click Remove.
4 Click OK.

445 Index

Numerics
64-bit operating systems
   definitions files 199
   Internet support 165
   using Continuous LiveUpdate 200

A
Action Status for alerts 111
actions
   configuring 154
   File System Auto-Protect 148, 156
   for firewall rules 321
   security risks 150
   viruses 149
Active Client
   defined 281
   exporting policies to 284
   importing policies from 284
Active Directory
   configuring prules to support 364
   requirement for Discovery 35
   sample network-level rulebase 400
   sample program-level rulebase 398
Ad Blocking
   adding strings to 443
   creating text strings to filter 442
   setting in Web Content settings 441
   setting levels 419
address groups
   adding 336
   deleting 337
   using 336
Advanced Firewall Options settings for clients 415
adware 118
Alert Log
   Action Status 111
   copying contents to Clipboard 110
   deleting entries 109
   displaying alerts in 108
   filtering display list 111
   viewing detailed information 110
Alert Management System
   about 91
   alert forwarding for unmanaged clients 112
   Alert Log 108
   alert notification methods 91
   configuring alert action messages 105
   event threads 92
   forwarding alerts to servers 113
   limiting alert configuration network segments 94
alerts
   about Miscellaneous Notifications 424
   actions
      configuring 93
      configuring messages 105
      deleting actions from alerts 107
      export status 108
      exporting to other computers 107
      testing 106
      viewing export status 108
   alert options
      about 421
      setting 423
      settings affected by 421
   configuring 421
      Broadcast 96
      default messages 106
      paging services 99
      SNMP traps 101
   forwarding to AMS2 servers 113
   message parameters 105
   size limitation 105
antivirus and security risk protection 22
antivirus client configuration using Grc.dat 23
attack signatures
   about 379
   excluding from firewall protection 379
   versions 378
audits
   determining network security 44
   labeling items and rerunning audits 49
Auto-Protect
   about 122
   advanced options 141
   configuring 134
      scanning 163
   resetting options at different levels 135
   scanning
      about 122
      configuring for mail applications 134
      options 125
      SmartScan 137
AutoBlock
   configuring 380
   excluding computers from 314
Automatic enabler 144

B
backup files 144
blended threats 118
Block action for rules 321
Bloodhound scanning 144
Broadcast alert configuration 96

C
cache
   discovering computers from 39
   Discovery Clear Cache Now setting 39
   file options 143
   finding computers in local cache 41
   Normal Discovery address cache comparisons 35
   server names and IP addresses in Symantec System Center console 35
client configuration, enabling direct 88
client data
   configuring policies by using 279
client groups
   adding clients to 83
   configuration change priority 56
   configuring settings for 83
   creating 82
   deciding whether to manage with 56
   deleting 86
   dragging and dropping clients to move them 84
   filtering client group view 85
   finding settings 83
   in Symantec AntiVirus console view 29
   moving clients between 84
   renaming 86
   running tasks 83
   scenario 59
   settings 83
   viewing 84
Client Settings
   about 274
   Ad Blocking settings 419
   Advanced Firewall Options settings 415
   advanced options settings 415
   Alert Customization settings 419
   configuring 407
   Firewall settings 413
   General settings 408
   Global settings 409
   in policies 274
   IPS settings 416
   overriding with Web Content settings 408
   Privacy Control settings 417
   relationship with Web Content settings 408
   status settings 411
   Tray Menu Options settings 411
   User Interface settings 410
   Windows Integration settings 412
clients
   about antivirus protection for 22
   adding to client groups 83
   assigned and unassigned 55
   Auto-Protect options for 139, 146, 154, 159
   changing between unmanaged and managed 89
   check-in time 88
   configuring
      Advanced Firewall Options settings 415
      Firewall settings 413
      General settings 408
      Global settings 409
      IPS 416
      Privacy Control 417
      Tray Menu Options settings 411
      user access levels 436
      User Interface settings 410
      Windows Integration settings 412
   configuring check-in intervals 88
   configuring expiration
   disabling scheduled scans 185
   editing or deleting scheduled scans 185
   forcing definitions file updates 211
   log forwarding registry values 260
   moving between client groups 84
   settings when the client group is deleted 86
   viewing virus list 216
   with intermittent connectivity 88
compressed files
   scanning configuration 171
computers
   excluding from AutoBlock 314
   finding
      by using an IP address range 42
      by using computer names 40
      by using network search 42
      by using TCP/IP 40
      computers that run antivirus software from other vendors 46
      computers that run unmanaged antivirus client or server software 48
      in local cache 41
   syncing to 48
   unprotected 44
   with outdated definitions 216
configuration
   change priority 56
   roaming client support for servers 237
   scan options
      about 120
      on multiple selected computers 125
   settings for clients 407
   sharing in server and client groups 55
console
   refreshing 44
   starting 26
Continuous LiveUpdate
   changing registry values to enable 213
   configuring for managed clients 213
CPU utilization options for scheduled and manual scans 170

D
data columns
   Symantec AntiVirus view 29
   Symantec Client Firewall view 30
definitions files
   controlling deployment 215
   displaying out-of-date or missing warning 192
   finding computers with outdated definitions 216
   forcing updates
      on all unlocked servers 201
      on clients 211
      on servers 201
   Intelligent Updater 206
   legacy clients 198
   LiveUpdate 203
   rolling back 216
   rollouts 215
   update methods 198
   verifying dates 216
   verifying version numbers 216
delete frequency
   setting for Histories and Event Logs 265
dialers 118
digest values
   match criteria 358
   using with prules 346
Discovery
   about Discovery types 33
      Intense 34
      Load from cache only 33
      Local 34
      Normal 35
   Discovery Service
      changing the Discovery Cycle interval 40
      configuring 38
   Discovery Cycle configuration 40
   how it works 32
   how to find NetWare computers 36
   Intense Discovery limitations 34
   IP Discovery 34
   running 36
   why Discovery may not find computers 40
   WINS or Active Directory requirement 35
   within octets or subnet masks 94
drag-and-drop operation
   adding a client to a client group 83
   moving a client from one client group to another 84
   moving a server between server groups 59, 65

E
scan configuration for Lotus Notes 134
Event Logs
   deleting 265
   filtering data 246, 388
   forwarding 260
   icons 248, 388
   setting delete frequency 265
   sorting data 246, 388
   types 245, 387
event threads 92
events
   forwarding from clients and servers 260
exceptions for security risks 152
exclusions from scanning 130
export command for roaming client support 239
export status
   viewing of alert actions 108

F
failover servers for roaming clients 236
files
   backing up before repairing 144
   cache options 143
   cleaning infected 252, 256
   deleting infected 252, 256
   excluding from scanning 127
   exclusions and inclusions 130
   exclusions for NetWare 126
   moving to Quarantine 253, 256
   undoing action taken 252, 255
firewall rules
   about 271, 317
   actions for 321
   adding to different Locations 330
   categories of 318
   computer options 323
   configuring rule lock settings 331
   connection options 322
   creating Program rules 327
   deleting from Locations 330
   displaying by Location 330
   elements of 320
   for ICMP protocol 323
   for TCP protocol 322
   for UDP protocol 322
   General rules 318
   importing and exporting 285
   in policies 271
   IP addressing options 324
   Locations 325
   locked and unlocked 318
   manually creating 327
   ordering 317
   port options 323
   processing order 319
   Program rules 318
   protocol options 322
   testing 340
   tracking options 325
   Trojan rules 318
Firewall settings for clients 413

G
General rules
   about 318
   processing order 319
Global settings
   for clients 409
   for Locations 298
Grc.dat 66
   changing parent management servers 65
   configuring antivirus clients 23
   enabling and configuring roaming clients 237
   forwarding alerts to AMS2 servers 113

H
hack tools 119
heuristic scanning 144
Hierarchical Storage Management (HSM) settings configuration 174
Histories
   about 243
   deleting 265
   filtering data 246
   Risk History actions 255
   Risk History icons 254
   Scan Histories 250
   Scan History actions 252
   Scan History icons 251
   setting delete frequency 265
   sorting data 246
   Tamper Histories 258
   types 245
   viewing 248
   Virus Sweep Histories 259
History and Event Log data
   exporting to Microsoft Access 255
   filtering 246
HTTP port list affecting Web Content settings 409

I
ICMP
   setting rules for 323
icons
   Risk History 253
   Risk properties 257
   Scan History 250
   Symantec System Center 23
   Tamper History 258
inbound connections 322
inclusions for scanning 130
infected message notifications to senders 194
infected files
   cleaning 256
   deleting 256
infections, managing 219
Intense Discovery 39
Intense Discovery, about 34
Intrusion Prevention System. See IPS
IP address range 42
IP Discovery 34
IPS
   about 273, 377
   configuring 416
   excluding attack signatures 379
   exclusions in policies 274
   locking exclusions 381
   permissions 432
   signatures in policies 273
   supporting different IPS engines and signatures 378

J
joke programs 119

L
legacy client update definitions files 198
legacy clients
   configuring 295
   IPS engine and signatures 378
   managing 87
   setting user access levels for 435
   supporting 295
   user access levels 411
LiveUpdate
   configuring servers to retrieve from Symantec FTP site 203
   setting client policy for 214
   using with internal LiveUpdate server 204
LiveUpdate servers
   configuring internally for managed clients 212
Load an NLM alert configuration 97
load balancing for roam servers 236
Load from cache only Discovery 33
Local Discovery 34, 39
locating found items in the Symantec System Center console 43
Location Awareness
   about 297
   implementing 303
   importing and exporting settings 288
Locations
   about 272, 297
   adding 308
   adding NetSpecs to 308
   configuring required information for 297
   copying prule configurations to 363
   copying Zones to 313
   customizing prules for 360
   default settings 300
   deleting 310
   editing 311
   global settings 298
   importing and exporting 288
   Location-specific settings 302
   moving NetSpecs to 309
   resetting prules for 362
   selecting a Primary 309
   used in firewall rules 325
lock options
   using with IPS 381
locked rules
   about 318
   processing order for 319
log event forwarding 260
logging
   about 383
   levels 384
   setting level for 385
login certificate
   configuring key size 52
   lifetime
      about 49
      configuring 50
Lotus Notes scan configuration 134

M
macros
   about 274
managed clients
   changing to unmanaged clients 89
   configuring Continuous LiveUpdate for 213
   configuring for internal LiveUpdate servers 212
   mobile clients 88
management server configuration for the Virus Definition Transport Method 200
manual scans 168
Message Box alert configuration 95
mobile client management 88
Monitor action for rules 322

N
NetSpecs
   about the SAV Parent Server NetSpec 305
   discovering 306
   moving to Locations 309
   prioritizing 307
   Profiling 308
   Profiling to generate 365
   understanding 303
NetWare
   excluding ifolder 126
   finding NetWare servers 36
network auditing options 45
Network detector
   enabling 310
Normal Discovery 35
Normal user level 436
notifications
   Configure Alerting settings 421
   configuring 158
   customization settings 419
   detection options 157
   File System Auto-Protect 156
   firewall 405
   remediation options 157
   user interaction with 160
Nsctop.exe 32

O
Other risk category 119
outbound traffic 322

P
pager message configuration 101
paging services
   configuring
      alerting 99
      for AMS2 101
parent management server 65
   See also servers 65
passwords
   scanning mapped drives 189
   uninstallation 189
permissions
   about 425
   Client Firewall Configuration 429
   Client Firewall Operation 428
   General 426
   IPS 432
   Location Awareness 433
   Miscellaneous 433
Permit action for rules 321
Ping Discovery Service 32
policies
   about 269
   adding and editing descriptions 282
   categories 270
   Client Settings in 274
   configuring by using client data 279
   configuring for legacy clients 295
   creating in Symantec Client Firewall Administrator 280
   distributing 292
   exporting from Symantec Client Firewall Administrator 283
   exporting to the Active Client 284
   file type settings 276
   importing from the Active Client 284
   importing into Symantec Client Firewall Administrator 283
   IPS exclusions in 274
   IPS signatures in 273
   macros in 274
   merging rules and prules in 290
   opening in Symantec Client Firewall Administrator 280
   predefined
      about 276
      high security 278
      low security 277
      medium security 277
      updates 278
      very high security 278
   Profiling options in 276
   prule settings in 271
   prules in 271
   rules as components of 317
   rules in 271
   saving 282
   supporting legacy clients 295
   Web Content settings in 275
   Zones in 272
port groups
   adding 333
   deleting 335
   using 333
ports 323
predefined policies and updates 276
Primary Location
   selecting 309
primary management servers 54, 65
Privacy Control
   configuring 417
Profiling
   about options 276
   enabling in policy files 367
   NetSpecs 308
   overview 365
   processing profiled connections 372
   profiled information 370
   reducing the amount of profiled data 374
   refreshing profiled data 373
   retrieving profiled information 369
   sorting data 374
   using to generate prules and NetSpecs 365
   viewing and saving data 368
   working with .csv files 373
Program rules
   about 318
   and prules 347
   processing order 319
Protocol Filtering
   about 437
   default settings 438
   permitting and blocking protocols 439
   VPN protocols 438
protocols
   controlling communications with rules 322
prule settings in policies 271
prules
   about 271, 345
   about digest match criteria 358
   adding a rule to 359
   and Program rules 347
   configuring
      match criteria 355
      to support Active Directory 364
   copying configurations to Locations 363
   creating and editing 351
   customizing for Locations 360
   disabling auto-create 352
   evaluation priority 347
   guidelines for using 348
   ignore digest values 353
   ignore file name matching 352
   ignoring the Digest Value 410
   importing and exporting 285
   in policies 271
   locking and unlocking 359
   merging in policy files 290
   Profiling to generate 365
   resetting for Locations 362
   rule lock settings 346
   silent creation 348
   specifying match criteria 356
   Symantec-supplied 349
   using digest values 346

Q
Quarantine
   moving files to 253, 256
   purging suspicious files from 222

R
Refresh feature 44
registry values
   changing to enable Continuous LiveUpdate 213
   for client log forwarding 260
   for roaming clients 240
remote access programs 119
Restricted user level 436
risk detection 117
Risk History
   about 245
   icons and actions 253
   sorting columns 246
Risk History data
   exporting 256
Risk properties icons 257
Risk Tracer 143, 147
Risks
   tracing 147
RoamAdmn.exe
   about 230
   command-line options 238
roaming client support
   configuring for clients 237
   from Symantec System Center console 234
   how it works 231
roaming clients
   about 229
   analyzing and mapping antivirus network 232
   components 230
   creating hierarchical server list 233
   enabling and configuring with Grc.dat 237
   export command 239
   failover servers for 236
   implementing 231
   registry values 240
   server list 230
roaming servers
   configuring roaming support 237
   example 238
   identifying 232
   level sample registry values 238
rulebases
   about network 391
   about updating 332
   choosing a network implementation approach 391
   configuring
      a default-permit 404
      an initial network 400
      user interaction 405
   fine-tuning and troubleshooting 402
   implementing
      network 394
      network-level firewalls 394
      program-level firewalls 397
      Trusted Zones 394
   using
      the network-level firewall approach 392
      the program-level firewall approach 393
      the Trusted Zone approach 392
   Windows 2000
      sample network-level 400
      sample program-level 398
rules. See firewall rules
Run Program alert configuration 96

S
SavRoam.exe
   about
   command-line options 238
Scan History
   icons 250
   sorting columns 246
Scan History data
   exporting 252
scan results
   user interaction with 160
scans
   assigning actions 134
   Bloodhound 144
   configuring
      Auto-Protect scans 134
      exclusions 130
      for compressed files 171
      inclusions 130
      manual scans 168
   dimmed or missing options 125
   displaying warning message on client
   options
      File System Auto-Protect 134
      manual scans 168
      precedence 125
      scheduled scans 180
      to exclude files from scanning 127
   options for connected clients 189
   paused 187
   recommended file extensions 130
   scheduled scans
      allowing user to pause or stop 187
      configuring 183
      deleting 185
      disabling 185
      editing 185
      running on demand 186
   selecting files and folders to scan 131
   setting
      Auto-Protect for files 134
      CPU utilization options 170
      options on multiple selected computers 125
   snoozed 187
   startup 190
   stopped 187
   triggered 190
   user-defined scheduled 191
scheduled scans
   configuring 180
   deleting 185
secondary management servers 54
Secure Port
   securing ports in a random range 339
   using 338
security risks 117
Send Internet Mail alert configuration 98
Send Page alert
   configuring 99
   paging service 99
server groups
   configuration change priority 56
   creating 60
   deciding whether to manage with 56
   deleting 64
   filtering views 64
   how to view 63
   locking and unlocking 61
   moving servers to a new server group 66
   refreshing the console 44
   renaming 64
   scenario 59
   selecting primary management server for 26
   viewing 63
servers
   Auto-Protect options 139, 145, 154, 158
   changing parent management servers 65
   changing primary management servers 65
   configuring management servers by using the Virus Definition Transport Method 200
   disabling scheduled scans 185
   dragging and dropping to move between server groups 59, 67
   editing or deleting scheduled scans 185
   grouping into server groups 60
   identifying best parent for roaming clients 229
   moving to a new server group 66
   parent management servers 55
   primary management servers 54
   secondary management servers 54
   viewing
      in console 44
      risk list for 216
SmartScan 137
spyware 119
stateful inspection
   about 325
   NetBIOS 326
Status settings
   configuring for clients 411
subnet, IP Discovery for 34
Symantec Client Firewall Administrator
   creating policies in 280
   exporting policies 283
   importing policies into 283
   opening policies in 280
Symantec System Center
   changing views 27
   console views 27
   displaying logs 387
   filtering log data 388
   icons 23
   locating found items 43
   populating the console 32
   product management snap-ins 27
   refreshing the console 44
   saving console settings 27
   sorting log data 388
   starting 26
   System Hierarchy display 23
   viewing Event Logs 385
System Hierarchy
   configuration change priority 56
   data columns in Default Console View 28
   description 25
   icon 23

T
Tamper History
   about 245
   exporting data 259
   icon 258
Tamper Protection
   about 77
   management 77
   message fields 81
   messages 80
TCP
   setting rules for 322
threats
   blended 118
throttling options 170
time discrepancy tolerance configuration between clients and servers 50
tracking submissions
   Symantec Security Response 227
Trackware 119
traffic
   controlling inbound and outbound 322
Tray Menu Options settings for clients 411
Trojan horses 118
Trojan rules
   about 318
   processing order 319
   using Secure Port with 339
Trusted Zones
   Web Content settings not enforced in 440

U
UDP
   setting rules for 322
UDP connections
   about 327
uninstallation password 189
unlocked rules
   about 318
   processing order for 319
unmanaged clients
   alert forwarding 112
   changing to managed clients 89
   creating a custom .hst file for LiveUpdate 212
   finding with network audits 44
update definitions files for legacy clients 198
user access levels
   Admin 435
   configuring 436
   corresponding permissions for 435
   legacy client settings 411
   Normal 436
   Restricted 436
   setting for legacy clients 435
user account management 68
User Interface settings for clients 410

V
viewing
   Alert Log 108
   client groups 84
   Histories 248
   server groups 63
   virus list 216
views
   changing 27
   filtering server group 64
   Symantec System Center console 27
virus alerts 227
Virus Definition Transport Method
   configuring management servers by using 200
   updating NetWare servers 203
virus list 216
virus sweep
   History 245, 249
   running in response to outbreaks 219
viruses

W
warning message
   adding to infected message 194
   displaying on infected computer 192
   example 193
   for scanning 163, 165
Web Content settings
   about 275, 439
   Ad Blocking settings 441
   conditions when not enforced 440
   Global settings 440
   in policies 275
   overriding Client Settings 408
   user settings 441
Windows Firewall
   configuring 413
   disabled message 413
   Windows Security Center Firewall Alert 413
Windows Integration settings for clients 412
WINS requirement for Discovery 35
worms 118

Z
Zones
   about 272, 312
   adding computers to 312
   copying to Locations 313
   deleting when exporting policies 315
   in policies 272
   locking 313
   Restricted 312
   Trusted 312
   using Network 312


More information

Getting started. Symantec AntiVirus Corporate Edition. About Symantec AntiVirus. How to get started

Getting started. Symantec AntiVirus Corporate Edition. About Symantec AntiVirus. How to get started Getting started Corporate Edition Copyright 2005 Corporation. All rights reserved. Printed in the U.S.A. 03/05 PN: 10362873 and the logo are U.S. registered trademarks of Corporation. is a trademark of

More information

Symantec Protection Center Enterprise 3.0. Release Notes

Symantec Protection Center Enterprise 3.0. Release Notes Symantec Protection Center Enterprise 3.0 Release Notes Symantec Protection Center Enterprise 3.0 Release Notes The software described in this book is furnished under a license agreement and may be used

More information

Symantec Security Information Manager 4.5 Administrator's Guide

Symantec Security Information Manager 4.5 Administrator's Guide Symantec Security Information Manager 4.5 Administrator's Guide Symantec Security Information Manager 4.5 Administrator's Guide The software described in this book is furnished under a license agreement

More information

Symantec NetBackup Desktop and Laptop Option README. Release 6.1 MP7

Symantec NetBackup Desktop and Laptop Option README. Release 6.1 MP7 TM Symantec NetBackup Desktop and Laptop Option README Release 6.1 MP7 2 The software described in this document is furnished under a license agreement and may be used only in accordance with the terms

More information

Altiris IT Analytics Solution 7.1 SP1 from Symantec User Guide

Altiris IT Analytics Solution 7.1 SP1 from Symantec User Guide Altiris IT Analytics Solution 7.1 SP1 from Symantec User Guide Altiris IT Analytics Solution 7.1 from Symantec User Guide The software described in this book is furnished under a license agreement and

More information

Symantec Endpoint Protection and Symantec Network Access Control Client Guide

Symantec Endpoint Protection and Symantec Network Access Control Client Guide Symantec Endpoint Protection and Symantec Network Access Control Client Guide Symantec Endpoint Protection and Symantec Network Access Control Client Guide The software described in this book is furnished

More information

Symantec Security Information Manager 4.6 Administrator's Guide

Symantec Security Information Manager 4.6 Administrator's Guide Symantec Security Information Manager 4.6 Administrator's Guide Symantec Security Information Manager 4.6 Administrator's Guide The software described in this book is furnished under a license agreement

More information

Symantec Endpoint Protection Small Business Edition 12.1.2 Installation and Administration Guide

Symantec Endpoint Protection Small Business Edition 12.1.2 Installation and Administration Guide Symantec Endpoint Protection Small Business Edition 12.1.2 Installation and Administration Guide Symantec Endpoint Protection Small Business Edition Installation and Administration Guide The software described

More information

Symantec Enterprise Security Manager Patch Policy Release Notes

Symantec Enterprise Security Manager Patch Policy Release Notes Symantec Enterprise Security Manager Patch Policy Release Notes Symantec Enterprise Security Manager Patch Policy Release Notes The software described in this book is furnished under a license agreement

More information

Symantec Response Assessment module Installation Guide. Version 9.0

Symantec Response Assessment module Installation Guide. Version 9.0 Symantec Response Assessment module Installation Guide Version 9.0 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

More information

Symantec Security Information Manager 4.8 Release Notes

Symantec Security Information Manager 4.8 Release Notes Symantec Security Information Manager 4.8 Release Notes Symantec Security Information Manager 4.8 Release Notes The software described in this book is furnished under a license agreement and may be used

More information

Email Encryption. Administrator Guide

Email Encryption. Administrator Guide Email Encryption Administrator Guide Email Encryption Administrator Guide Documentation version: 1.0 Legal Notice Copyright 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo,

More information

Veritas Operations Manager Package Anomaly Add-on User's Guide 4.1

Veritas Operations Manager Package Anomaly Add-on User's Guide 4.1 Veritas Operations Manager Package Anomaly Add-on User's Guide 4.1 November 2011 Veritas Operations Manager Package Anomaly Add-on User's Guide The software described in this book is furnished under a

More information

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide Symantec Database Security and Audit 3100 Series Appliance Getting Started Guide Symantec Database Security and Audit 3100 Series Getting Started Guide The software described in this book is furnished

More information

Symantec NetBackup Backup, Archive, and Restore Getting Started Guide. Release 7.5

Symantec NetBackup Backup, Archive, and Restore Getting Started Guide. Release 7.5 Symantec NetBackup Backup, Archive, and Restore Getting Started Guide Release 7.5 Symantec NetBackup Backup, Archive, and Restore Getting Started Guide The software described in this book is furnished

More information

Symantec Endpoint Protection Integration Component 7.5 Release Notes

Symantec Endpoint Protection Integration Component 7.5 Release Notes Symantec Endpoint Protection Integration Component 7.5 Release Notes Symantec Endpoint Protection Integration Component 7.5 Release Notes Legal Notice Copyright 2013 Symantec Corporation. All rights reserved.

More information

Symantec Data Center Security: Server Advanced v6.0. Agent Guide

Symantec Data Center Security: Server Advanced v6.0. Agent Guide Symantec Data Center Security: Server Advanced v6.0 Agent Guide Symantec Data Center Security: Server Advanced Agent Guide The software described in this book is furnished under a license agreement and

More information

Getting started. Symantec AntiVirus Business Pack. About Symantec AntiVirus. Where to find information

Getting started. Symantec AntiVirus Business Pack. About Symantec AntiVirus. Where to find information Getting started Symantec AntiVirus Business Pack Copyright 2004 Symantec Corporation. All rights reserved. Printed in the U.S.A. 03/04 Symantec and the Symantec logo are U.S. registered trademarks of Symantec

More information

Getting started. Symantec AntiVirus Corporate Edition. About Symantec AntiVirus. How to get started

Getting started. Symantec AntiVirus Corporate Edition. About Symantec AntiVirus. How to get started Getting started Symantec AntiVirus Corporate Edition Copyright 2004 Symantec Corporation. All rights reserved. Printed in the U.S.A. 03/04 10223881 Symantec and the Symantec logo are U.S. registered trademarks

More information

Symantec Security Information Manager - Best Practices for Selective Backup and Restore

Symantec Security Information Manager - Best Practices for Selective Backup and Restore Symantec Security Information Manager - Best Practices for Selective Backup and Restore Symantec Security Information Manager - Best practices for selective backup and restore The software described in

More information

Getting Started with Symantec Endpoint Protection

Getting Started with Symantec Endpoint Protection Getting Started with Symantec Endpoint Protection 20983668 Getting Started with Symantec Endpoint Protection The software described in this book is furnished under a license agreement and may be used only

More information

Symantec AntiVirus Corporate Edition Patch Update

Symantec AntiVirus Corporate Edition Patch Update Symantec AntiVirus Corporate Edition Patch Update Symantec AntiVirus Corporate Edition Update Documentation version 10.0.1.1007 Copyright 2005 Symantec Corporation. All rights reserved. Symantec, the Symantec

More information

Symantec Endpoint Protection Getting Started Guide

Symantec Endpoint Protection Getting Started Guide Symantec Endpoint Protection Getting Started Guide 12167130 Symantec Endpoint Protection Getting Started Guide The software described in this book is furnished under a license agreement and may be used

More information

Symantec Protection Engine for Cloud Services 7.0 Release Notes

Symantec Protection Engine for Cloud Services 7.0 Release Notes Symantec Protection Engine for Cloud Services 7.0 Release Notes Symantec Protection Engine for Cloud Services Release Notes The software described in this book is furnished under a license agreement and

More information

Symantec Enterprise Security Manager Oracle Database Modules Release Notes. Version: 5.4

Symantec Enterprise Security Manager Oracle Database Modules Release Notes. Version: 5.4 Symantec Enterprise Security Manager Oracle Database Modules Release Notes Version: 5.4 Symantec Enterprise Security Manager Oracle Database Modules Release Notes The software described in this book is

More information

Client Guide for Symantec Endpoint Protection and Symantec Network Access Control

Client Guide for Symantec Endpoint Protection and Symantec Network Access Control Client Guide for Symantec Endpoint Protection and Symantec Network Access Control Client Guide for Symantec Endpoint Protection and Symantec Network Access Control The software described in this book is

More information

Symantec System Recovery 2011 Management Solution Administrator's Guide

Symantec System Recovery 2011 Management Solution Administrator's Guide Symantec System Recovery 2011 Management Solution Administrator's Guide Symantec System Recovery 2011 Management Solution Administrator's Guide The software described in this book is furnished under a

More information

Altiris Patch Management Solution for Windows 7.1 SP2 from Symantec User Guide

Altiris Patch Management Solution for Windows 7.1 SP2 from Symantec User Guide Altiris Patch Management Solution for Windows 7.1 SP2 from Symantec User Guide Altiris Patch Management Solution for Windows 7.1 SP2 from Symantec User Guide The software described in this book is furnished

More information

Symantec Protection for SharePoint Servers 6.0.4 Implementation Guide

Symantec Protection for SharePoint Servers 6.0.4 Implementation Guide Symantec Protection for SharePoint Servers 6.0.4 Implementation Guide for Microsoft SharePoint 2003/2007 Symantec Protection for SharePoint Servers Implementation Guide The software described in this book

More information

Getting started. Symantec AntiVirus Corporate Edition 8.1 for Workstations and Network Servers

Getting started. Symantec AntiVirus Corporate Edition 8.1 for Workstations and Network Servers Getting started Symantec AntiVirus Corporate Edition 8.1 for Workstations and Network Servers Copyright 2003 Symantec Corporation. All rights reserved. Printed in the U.S.A. 03/03 Symantec and the Symantec

More information

Symantec Endpoint Protection Getting Started Guide

Symantec Endpoint Protection Getting Started Guide Symantec Endpoint Protection Getting Started Guide 13740352 Symantec Endpoint Protection Getting Started Guide The software described in this book is furnished under a license agreement and may be used

More information

Symantec Security Information Manager 4.5 Reporting Guide

Symantec Security Information Manager 4.5 Reporting Guide Symantec Information Manager 4.5 Reporting Guide The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation

More information

Symantec Endpoint Protection Small Business Edition Implementation Guide

Symantec Endpoint Protection Small Business Edition Implementation Guide Symantec Endpoint Protection Small Business Edition Implementation Guide Symantec Endpoint Protection Small Business Edition Implementation Guide The software described in this book is furnished under

More information

Symantec Event Collector 4.3 for Cisco PIX Quick Reference

Symantec Event Collector 4.3 for Cisco PIX Quick Reference Symantec Event Collector 4.3 for Cisco PIX Quick Reference Symantec Event Collector for Cisco PIX Quick Reference The software described in this book is furnished under a license agreement and may be used

More information

Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP

Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP. The software

More information

Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control

Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control The software described in

More information

Altiris Asset Management Suite 7.1 SP2 from Symantec User Guide

Altiris Asset Management Suite 7.1 SP2 from Symantec User Guide Altiris Asset Management Suite 7.1 SP2 from Symantec User Guide Altiris Asset Management Suite 7.1 SP2 from Symantec User Guide The software described in this book is furnished under a license agreement

More information

Symantec Mobile Management 7.2 MR1Quick-start Guide

Symantec Mobile Management 7.2 MR1Quick-start Guide Symantec Mobile Management 7.2 MR1Quick-start Guide Symantec Mobile Management 7.2 MR1 Quick-start Guide The software described in this book is furnished under a license agreement and may be used only

More information

Veritas Operations Manager LDom Capacity Management Add-on User's Guide 4.1

Veritas Operations Manager LDom Capacity Management Add-on User's Guide 4.1 Veritas Operations Manager LDom Capacity Management Add-on User's Guide 4.1 November 2011 Veritas Operations Manager LDom Capacity Management Add-on User's Guide The software described in this book is

More information

Symantec Management Platform Installation Guide. Version 7.0

Symantec Management Platform Installation Guide. Version 7.0 Symantec Management Platform Installation Guide Version 7.0 Symantec Management Platform Installation Guide The software described in this book is furnished under a license agreement and may be used only

More information

Symantec bv-control for Microsoft Exchange 9.0 Getting Started Guide

Symantec bv-control for Microsoft Exchange 9.0 Getting Started Guide Symantec bv-control for Microsoft Exchange 9.0 Getting Started Guide Symantec bv-control for Microsoft Exchange 9.0 Getting Started Guide The software described in this book is furnished under a license

More information

Backup Exec Cloud Storage for Nirvanix Installation Guide. Release 2.0

Backup Exec Cloud Storage for Nirvanix Installation Guide. Release 2.0 Backup Exec Cloud Storage for Nirvanix Installation Guide Release 2.0 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the

More information

Symantec Event Collector 4.3 for SNARE for Windows Quick Reference

Symantec Event Collector 4.3 for SNARE for Windows Quick Reference Symantec Event Collector 4.3 for SNARE for Windows Quick Reference Symantec Event Collector for SNARE for Windows Quick Reference The software described in this book is furnished under a license agreement

More information

Symantec NetBackup OpenStorage Solutions Guide for Disk

Symantec NetBackup OpenStorage Solutions Guide for Disk Symantec NetBackup OpenStorage Solutions Guide for Disk UNIX, Windows, Linux Release 7.6 Symantec NetBackup OpenStorage Solutions Guide for Disk The software described in this book is furnished under a

More information

Symantec Patch Management Solution for Windows 7.5 SP1 powered by Altiris User Guide

Symantec Patch Management Solution for Windows 7.5 SP1 powered by Altiris User Guide Symantec Patch Management Solution for Windows 7.5 SP1 powered by Altiris User Guide Altiris Patch Management Solution for Windows 7.5 SP1 from Symantec User Guide The software described in this book is

More information

Altiris Asset Management Suite 7.1 from Symantec User Guide

Altiris Asset Management Suite 7.1 from Symantec User Guide Altiris Asset Management Suite 7.1 from Symantec User Guide Altiris Asset Management Suite 7.1 from Symantec User Guide The software described in this book is furnished under a license agreement and may

More information

Symantec Critical System Protection 5.2.9 Agent Guide

Symantec Critical System Protection 5.2.9 Agent Guide Symantec Critical System Protection 5.2.9 Agent Guide Symantec Critical System Protection Agent Guide The software described in this book is furnished under a license agreement and may be used only in

More information

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Windows Server 2003, Windows Server 2008 5.1 Service Pack 1 Veritas Cluster Server Database Agent for Microsoft SQL Configuration

More information

Symantec Security Information Manager 4.5 Installation Guide

Symantec Security Information Manager 4.5 Installation Guide Symantec Security Information Manager 4.5 Installation Guide PN: 10912602 Symantec Security Information Manager 4.5 Installation Guide The software described in this book is furnished under a license agreement

More information

Altiris Monitor Solution for Servers 7.5 from Symantec User Guide

Altiris Monitor Solution for Servers 7.5 from Symantec User Guide Altiris Monitor Solution for Servers 7.5 from Symantec User Guide Altiris Monitor Solution for Servers 7.5 from Symantec User Guide The software described in this book is furnished under a license agreement

More information

Symantec Event Collector 3.6 for Blue Coat Proxy Quick Reference

Symantec Event Collector 3.6 for Blue Coat Proxy Quick Reference Symantec Event Collector 3.6 for Blue Coat Proxy Quick Reference Symantec Event Collector for Blue Coat Proxy Quick Reference The software described in this book is furnished under a license agreement

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Setting up SMTP Archiving 10.0 Symantec Enterprise Vault: Setting up SMTP Archiving The software described in this book is furnished under a license agreement and may be used

More information

Altiris Monitor Solution for Servers 7.1 SP1 and Event Console 7.1 MR1 from Symantec Release Notes

Altiris Monitor Solution for Servers 7.1 SP1 and Event Console 7.1 MR1 from Symantec Release Notes Altiris Monitor Solution for Servers 7.1 SP1 and Event Console 7.1 MR1 from Symantec Release Notes Altiris Monitor Solution for Servers 7.1 SP1 and Event Console 7.1 MR1 from Symantec Release Notes The

More information

Symantec Secure Email Proxy Administration Guide

Symantec Secure Email Proxy Administration Guide Symantec Secure Email Proxy Administration Guide Documentation version: 4.4 (2) Legal Notice Copyright 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo

More information

Symantec Enterprise Vault Technical Note

Symantec Enterprise Vault Technical Note Symantec Enterprise Vault Technical Note Configuring Internal and External WebApp URLs for OWA 2007 SP4 and later Symantec Enterprise Vault: Configuring Internal and External WebApp URLs for OWA The software

More information

Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide

Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide Windows Server 2003, Windows Server 2008 and 2008 R2 6.0 September 2011 Symantec ApplicationHA Agent for

More information

Symantec ApplicationHA agent for Microsoft Exchange 2010 Configuration Guide

Symantec ApplicationHA agent for Microsoft Exchange 2010 Configuration Guide Symantec ApplicationHA agent for Microsoft Exchange 2010 Configuration Guide Windows on Hyper-V 6.1 February 2014 Symantec ApplicationHA agent for Microsoft Exchange 2010 Configuration Guide The software

More information

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Windows 2000, Windows Server 2003 5.0 11293743 Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Copyright

More information

Symantec NetBackup for Lotus Notes Administrator's Guide

Symantec NetBackup for Lotus Notes Administrator's Guide Symantec NetBackup for Lotus Notes Administrator's Guide for UNIX, Windows, and Linux Release 7.5 Symantec NetBackup for Lotus Notes Administrator's Guide The software described in this book is furnished

More information

Symantec ApplicationHA agent for SharePoint Server 2010 Configuration Guide

Symantec ApplicationHA agent for SharePoint Server 2010 Configuration Guide Symantec ApplicationHA agent for SharePoint Server 2010 Configuration Guide Windows on Hyper-V 6.1 February 2014 Symantec ApplicationHA agent for SharePoint Server 2010 Configuration Guide The software

More information

Symantec Enterprise Security Manager Modules. Release Notes

Symantec Enterprise Security Manager Modules. Release Notes Symantec Enterprise Security Manager Modules for MS SQL Server Databases Release Notes Release 4.1 for Symantec ESM 9.0.x and 10.0 For Windows 2000/2008 and Windows Server 2003 Symantec Enterprise Security

More information

Recovering Encrypted Disks Using Windows Preinstallation Environment. Technical Note

Recovering Encrypted Disks Using Windows Preinstallation Environment. Technical Note Recovering Encrypted Disks Using Windows Preinstallation Environment Technical Note Preface Documentation version Documentation version: 11.0, Release Date: Legal Notice Copyright Symantec Corporation.

More information

Veritas Operations Manager Advanced 5.0 HSCL Pack 1 Release Notes

Veritas Operations Manager Advanced 5.0 HSCL Pack 1 Release Notes Veritas Operations Manager Advanced 5.0 HSCL Pack 1 Release Notes November 2012 Veritas Operations Manager Advanced Release Notes The software described in this book is furnished under a license agreement

More information

Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control

Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control The software described in

More information

NetBackup Backup, Archive, and Restore Getting Started Guide

NetBackup Backup, Archive, and Restore Getting Started Guide NetBackup Backup, Archive, and Restore Getting Started Guide UNIX, Windows, and Linux Release 6.5 Veritas NetBackup Backup, Archive, and Restore Getting Started Guide Copyright 2007 Symantec Corporation.

More information

Symantec Security Information Manager 4.7.4 Administrator Guide

Symantec Security Information Manager 4.7.4 Administrator Guide Symantec Security Information Manager 4.7.4 Administrator Guide Symantec Security Information Manager 4.7.4 Administrator Guide The software described in this book is furnished under a license agreement

More information

Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide

Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide for Windows Release 7.5 Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide The software described in this

More information

Veritas Operations Manager Release Notes. 3.0 Rolling Patch 1

Veritas Operations Manager Release Notes. 3.0 Rolling Patch 1 Veritas Operations Manager Release Notes 3.0 Rolling Patch 1 Veritas Operations Manager Release Notes The software described in this book is furnished under a license agreement and may be used only in

More information

Symantec NetBackup Vault Operator's Guide

Symantec NetBackup Vault Operator's Guide Symantec NetBackup Vault Operator's Guide UNIX, Windows, and Linux Release 7.5 Symantec NetBackup Vault Operator's Guide The software described in this book is furnished under a license agreement and may

More information