Symantec Client Security Administrator's Guide




The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 3.1

Legal Notice

Copyright 2006 Symantec Corporation. All rights reserved.

Federal acquisitions: Commercial Software - Government Users Subject to Standard License Terms and Conditions.

Symantec, the Symantec logo, LiveUpdate, Norton AntiVirus, Symantec AntiVirus, Symantec Client Firewall, Symantec Client Security, Symantec Security Response, and Symantec System Center are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be "commercial computer software" and "commercial computer software documentation" as defined in FAR Sections 12.212 and DFARS Section 227.7202.

Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014
USA
http://www.symantec.com

Technical Support

Contacting Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's maintenance offerings include the following:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- A telephone and web-based support that provides rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
- Advanced features, including Technical Account Management

For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL:

www.symantec.com/techsupp/ent/enterprise.html

Select your country or language under Global Support. The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you are using.

Customers with a current maintenance agreement may access Technical Support information at the following URL:

www.symantec.com/techsupp/ent/enterprise.html

Select your region or language under Global Support.

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.

When you contact Technical Support, please have the following information available:
- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/techsupp/ent/enterprise.html

Select your region or language under Global Support, and then select the Licensing and Registration page.

Customer service

Customer service information is available at the following URL:

www.symantec.com/techsupp/ent/enterprise.html

Select your country or language under Global Support.

Customer Service is available to assist with the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade insurance and maintenance contracts
- Information about the Symantec Value License Program

- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
- Asia-Pacific and Japan: contractsadmin@symantec.com
- Europe, Middle-East, and Africa: semea@symantec.com
- North America and Latin America: supportsolutions@symantec.com

Additional Enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:
- Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
- Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
- Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
- Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL:

www.symantec.com

Select your country or language from the site index.

Contents

Technical Support

Section 1 Managing Symantec Client Security

Chapter 1 Symantec Client Security basics
About Symantec Client Security ... 21
About the Symantec System Center ... 22
Symantec System Center console icons ... 23
Using the Symantec System Center ... 25
Starting the Symantec System Center ... 25
Selecting a primary management server for a server group ... 26
About console views ... 27
Changing console views ... 27
Saving console settings ... 27
Customizing console view columns ... 28
Showing when clients are offline ... 30
Showing client Auto-Protect status ... 31
Showing client infection state ... 31
About refreshing the console ... 31
About the Discovery Service ... 32
How Discovery works ... 32
Types of Discovery ... 33
Discovery Service requirement for WINS or Active Directory ... 35
NetWare computers and the Discovery Service ... 36
Running the Discovery Service ... 36
Configuring the Discovery Service to use IP addresses ... 36
Configuring the Discovery Service ... 38
Configuring the Discovery Cycle interval ... 40
Using the Find Computer feature ... 40
Finding computers using a local cache search ... 41
Finding computers using a network search ... 42
Locating found items in the Symantec System Center console ... 43
Using the Refresh feature ... 44
Auditing computers ... 44

Configuring login certificates ... 49
Configuring login certificate lifetime and time tolerance ... 50
Configuring login certificate key size ... 52

Chapter 2 Managing Symantec Client Security
About servers ... 53
About primary management servers ... 54
About secondary management servers ... 54
About parent management servers ... 55
About server groups and client groups ... 55
Deciding whether to use server groups, client groups, or both ... 56
Client groups and configuration priority ... 56
How settings propagate ... 58
Server and client group scenario ... 59
Using server groups to manage ... 59
Best practice: installing a secondary management server ... 60
Creating server groups ... 60
Locking and unlocking server groups ... 61
Viewing and filtering server groups ... 63
Renaming server groups ... 64
Deleting server groups ... 64
Changing primary management servers ... 64
Changing parent management servers ... 65
Moving a server to a different server group ... 66
Restoring client communication when a primary server is lost ... 67
Managing user accounts for server groups ... 68
Configuring options for Windows Security Center (WSC) ... 70
Configuring the out-of-date time for definitions ... 71
Configuring alerts to appear on the host computer ... 71
Configuring Symantec Client Security to disable Windows Security Center ... 73
Optimizing server performance ... 73
Optimizing definitions and configuration rollouts ... 73
Monitoring clients ... 75
Using Tamper Protection ... 77
Enabling, disabling, and configuring Tamper Protection ... 77
Creating Tamper Protection messages ... 80
Using client groups to manage ... 82
Creating client groups ... 82
Adding clients to a client group ... 83

Configuring settings and running tasks at the client group level ... 83
About client group settings ... 83
Moving a client to a different client group ... 84
Viewing and filtering client groups ... 84
Renaming client groups ... 86
Deleting client groups ... 86
Using client group settings instead of server group settings ... 87
Managing clients ... 87
Managing legacy clients ... 87
Enabling direct client configuration ... 88
Handling clients with intermittent connectivity ... 88
Changing the management mode of a client ... 89

Chapter 3 Alert Management System
About the Alert Management System ... 91
How Alert Management System works ... 92
Configuring alert actions ... 93
Alert configuration tasks ... 93
Speeding up alert configuration ... 93
Configuring the Message Box alert action ... 95
Configuring the Broadcast alert action ... 96
Configuring the Run Program alert action ... 96
Configuring the Load An NLM alert action ... 97
Configuring the Send Internet Mail alert action ... 98
About paging services ... 99
Configuring the Send Page alert action ... 99
Configuring the Send SNMP Trap alert action ... 101
Configuring the Write To Event Log alert action ... 103
About configuring alert action messages ... 104
Configuring a default alert message ... 105
Working with configured alerts ... 106
Testing configured alert actions ... 106
Deleting an alert action from an alert ... 107
Exporting alert actions to other computers ... 107
Using the Alert Management System Alert Log ... 108
Viewing detailed alert information ... 110
Filtering the Alert Log display list ... 111
Forwarding alerts from unmanaged clients ... 112

Section 2 Configuring antivirus protection

Chapter 4 Scanning for viruses and security risks
About viruses and security risks ... 117
About Symantec Client Security scans ... 120
About the automatic exclusion of Microsoft Exchange files and directories ... 121
About the global exclusion of security risks from scans ... 122
Understanding Auto-Protect scans ... 122
About manual scans ... 123
About virus sweep scans ... 123
About scheduled scans ... 123
Selecting computers to scan ... 124
About inclusions and exclusions in scans ... 126
Configuring file and folder inclusions and exclusions ... 130
Configuring global security risk exclusions ... 132
About actions for viruses and security risks that scans detect ... 134
Configuring Auto-Protect ... 134
About propagating Auto-Protect settings ... 135
Locking and unlocking Auto-Protect options ... 135
Configuring File System Auto-Protect ... 136
Configuring Auto-Protect email scanning for groupware applications ... 163
Configuring Auto-Protect scanning for Internet email ... 165
Configuring manual scans ... 168
Configuring actions for manual scans ... 177
Configuring notifications for manual scans ... 178
Creating and configuring scheduled scans ... 180
Creating scheduled scans ... 180
Configuring scheduled scans ... 183
Managing the client user experience ... 186
Enabling users to pause, snooze, or stop scheduled scans ... 187
Preventing or allowing users to unload Symantec AntiVirus services ... 188
Changing the password that is required to uninstall ... 189
Changing the password that is required to scan mapped drives ... 189
Modifying scanning options for clients ... 189
Displaying a warning when definitions are out of date or missing ... 192
Managing warnings and notifications about infected files ... 192

Chapter 5 Updating definitions
About definitions ... 197
Ensure that all definitions are current ... 198
Definitions files update methods ... 198
Best practice: Using the Virus Definition Transport Method and LiveUpdate together ... 199
Best practice: Using Continuous LiveUpdate on 64-bit computers ... 200
Updating definitions files on servers ... 200
Updating and configuring servers using the Virus Definition Transport Method ... 200
Updating servers using LiveUpdate ... 203
Updating servers with Intelligent Updater ... 206
About using Central Quarantine polling to update servers ... 206
Minimizing network traffic and handling missed updates ... 207
Updating definitions files on clients ... 209
Forcing definitions files on clients to update immediately ... 211
Configuring managed clients to use an internal LiveUpdate server ... 212
Enabling and configuring Continuous LiveUpdate for managed clients ... 213
Setting LiveUpdate usage policies ... 214
Controlling definitions file deployment ... 215
Finding computers with outdated definitions files ... 215
Verifying the version number of definitions files ... 216
Viewing the risk list ... 216
Rolling back definitions files ... 216
Testing definitions files ... 217
Scenarios for definitions updates ... 217
About scanning after updating definitions files ... 218

Chapter 6 Responding to virus outbreaks
Preparing for virus outbreaks ... 219
Creating a virus outbreak plan ... 220
Defining Symantec Client Security actions for handling suspicious files ... 221
Configuring automatic Quarantine purge options ... 222
Registry settings for Quarantine Purge options ... 223
Forwarding items to the Quarantine Server ... 224
Enabling scan and deliver ... 224
Configuring actions to take when new definitions arrive ... 225
Handling a virus outbreak on your network ... 225

Using alerts and messages ... 226
Running a virus sweep ... 226
Tracking virus alerts using reporting, Event Logs, and Histories ... 227
Tracking submissions to Symantec Security Response with Central Quarantine Console ... 227

Chapter 7 Managing roaming clients
About roaming clients ... 229
Roaming client components ... 230
How roaming works ... 231
Implementing roaming ... 231
Analyzing and mapping your Symantec Client Security network ... 232
Identifying servers for each hierarchical level ... 233
Creating a list of level 0 Symantec Client Security servers ... 233
Creating a hierarchical list of Symantec Client Security servers ... 233
Configuring roaming client support options from the Symantec System Center console ... 234
Configuring additional roaming client support for roam servers ... 237
Command-line options ... 238
Registry values ... 240

Chapter 8 Working with Histories and Event Logs
About Histories and Event Logs ... 243
Sorting and filtering History and Event Log data ... 246
About Event Log icons ... 247
Viewing Histories ... 248
Working with Histories ... 250
Working with Scan Histories ... 250
Working with Risk Histories ... 253
Viewing Risk properties ... 256
Working with Tamper Histories ... 258
Working with Virus Sweep Histories ... 259
Forwarding client and server logs ... 259
Configuring log forwarding options ... 260
Configuring log events to forward ... 260
Best practice: configuring events to forward for sometimes-managed clients ... 264
Reviewing the forwarding status file ... 265

Deleting Histories and Event Logs ... 265

Section 3 Configuring Symantec Client Security firewall protection

Chapter 9 Managing policies
About policies ... 269
Policy categories ... 270
Properties ... 271
Rules ... 271
prules ... 271
prule settings ... 271
Zones ... 272
Locations ... 272
IPS signatures ... 273
IPS settings ... 274
Macros ... 274
Client Settings ... 274
Web Content settings ... 275
Profiling options ... 276
File version settings ... 276
About predefined policies and updates ... 276
Configuring policies and updates ... 279
Creating and opening policies and updates ... 280
Adding and editing policy descriptions ... 282
Saving policies and updates ... 282
Importing and exporting policies and updates ... 283
About importing and exporting ... 285
About importing and exporting rules and prules ... 286
About importing and exporting Locations ... 288
About importing and exporting Location Awareness settings ... 288
About importing and saving the default client policy file ... 289
Merging rules and prules in policy files ... 290
Distributing policies ... 292
How policy distribution affects Locations, rules, and settings ... 293
Using Symantec System Center to distribute policy files ... 293
Using the policy file import/export utility ... 294
Supporting policies for legacy clients ... 295
Configuring policies for legacy clients ... 295
Merging rules in legacy policy files ... 296

Chapter 10 Using Location Awareness and Zones
Using Locations ... 297
Configuring required Location information ... 297
Implementing Location Awareness ... 303
Deleting Locations ... 310
Editing Locations and NetSpecs ... 311
Using Network Zones ... 312
Adding computers to Zones ... 312
Copying Zones to other Locations ... 313
About locking Zones ... 313
Excluding computers from AutoBlock ... 314
Deleting locked and unlocked Zones when exporting policies ... 315

Chapter 11 Creating and testing rules
About rules ... 317
Rule categories ... 318
Rule types ... 318
Rule processing order ... 319
Elements of a rule ... 320
About stateful inspection ... 325
About UDP connections ... 327
Working with firewall rules ... 327
Creating rules ... 327
Displaying rules by Location ... 330
Adding rules to different Locations ... 330
Deleting rules ... 330
Configuring rule lock settings ... 331
Ignoring inbound and outbound NetBIOS Name rules ... 331
About updating rulebases on Symantec Client Firewall ... 332
Using port groups ... 333
Adding named port groups ... 333
Deleting named port groups ... 335
Using address groups ... 336
Adding named address groups ... 336
Deleting named address groups ... 337
Incorporating Secure Port ... 338
About testing firewall settings ... 340
Testing firewall rules, prules, and Zones ... 341

Chapter 12 Using prules
About prules ... 345
prules and rule lock settings ... 346
Using a digest value to identify a program ... 346
Priority of prule evaluation ... 347
Program rules and prules ... 347
Guidelines for using prules ... 348
Viewing Symantec-supplied prules ... 349
Creating and editing prules ... 350
Selectively disabling auto-create ... 352
Configuring Ignore File Name Matching ... 352
Configuring Ignore Digest Values ... 353
Specifying the program identity for a prule ... 354
Adding or editing match names for a prule ... 354
Configuring match criteria ... 355
Adding a rule to a prule ... 359
Configuring prule lock settings ... 359
About Location-aware prules ... 359
Creating prule exceptions for Locations ... 360
Configuring prules to support Active Directory ... 364
Using Profiling to generate prules and NetSpecs ... 365
Profiling overview ... 365
Enabling Profiling in policy files ... 367
About exporting the policy file to clients ... 368
Viewing and saving profiled data with Symantec System Center ... 368
Retrieving profiled information ... 369
Processing profiled firewall rule exceptions ... 370
Processing profiled connections ... 372
Refreshing profiled data ... 373
About working with .csv files ... 373

Chapter 13 Customizing Intrusion Prevention
About the Intrusion Prevention System ... 377
Supporting different versions of IPS engines and signatures ... 378
Excluding attack signatures from being blocked ... 379
Configuring AutoBlock ... 380
Locking IPS exclusions and IP addresses ... 381

Chapter 14 Managing client log data
About logging ... 383
Setting the logging level ... 384
Viewing Event Logs from the Symantec System Center ... 385
Displaying logs ... 387
Filtering log data ... 388
Sorting log data ... 388
Understanding Event Log icons ... 388

Chapter 15 Creating network rulebases
Choosing an implementation approach ... 391
Considering implementation options ... 392
Using the Trusted Zone approach ... 392
Using the network-level firewall approach ... 392
Using the program-level firewall approach ... 393
Implementing network rulebases ... 394
Implementing Trusted Zones ... 394
Implementing network-level firewalls ... 394
Implementing program-level firewalls ... 397
Configuring an initial network rulebase ... 400
Fine-tuning and troubleshooting rulebases ... 402
Configuring a default-permit rulebase ... 403
Configuring user interaction ... 404

Chapter 16 Configuring Client Settings and Web Content settings
About Client Settings ... 407
General settings ... 408
Global settings ... 409
User Interface settings ... 410
Tray Menu Options settings ... 411
Windows Integration settings ... 412
Firewall settings ... 413
Advanced Firewall Options settings ... 415
Intrusion Prevention settings ... 416
Privacy Control settings ... 417
Ad Blocking settings ... 419
Alert Customization settings ... 419
About Configure Alerting ... 421
How Configure Alerting affects settings ... 421
Setting Configure Alerting options ... 423
About Miscellaneous Notifications ... 424

About permissions ... 425
General permissions ... 426
Client Firewall Operation permissions ... 428
Client Firewall Configuration permissions ... 429
Intrusion Prevention permissions ... 432
Miscellaneous permissions ... 433
Setting user access levels for legacy clients ... 435
About Protocol Filtering ... 437
Default Protocol Filtering settings ... 437
VPN protocols ... 438
Web Content settings ... 439
Global Settings ... 440
User Settings ... 441
Ad Blocking settings ... 441

Index


Section 1

Managing Symantec Client Security

- Symantec Client Security basics
- Managing Symantec Client Security
- Alert Management System

Chapter 1 Symantec Client Security basics This chapter includes the following topics: About Symantec Client Security About the Symantec System Center Using the Symantec System Center About the Discovery Service Running the Discovery Service Using the Find Computer feature Configuring login certificates About Symantec Client Security Symantec Client Security provides scalable, cross-platform firewall protection, intrusion prevention, protection from viruses and security risks, and repair of viral and security risk side effects for workstations. For network servers, it provides protection from viruses and security risks, and repairs their side effects. Symantec Client Security lets you do the following: Establish and enforce antivirus, security risk, and firewall security policies. Retrieve content updates, such as virus and security risk definitions, and intrusion prevention signatures. Quarantine and delete live viruses. Analyze logged events.

22 Symantec Client Security basics About the Symantec System Center Create pre-defined and customizable graphical reports that are based on Symantec Client Security security information from your network. Symantec Client Security product components and system requirements, including the protocols and ports that are used for Symantec Client Security, are described in the Symantec Client Security Installation Guide. The Symantec Client Security client software provides antivirus and security risk protection, as well as firewall protection, for networked and non-networked computers. The Symantec AntiVirus client software protects the 32-bit and the supported 64-bit computers that run supported Windows versions. Symantec Client Firewall software is not supported on 64-bit computers. The term, Symantec Client Security, refers to both the Symantec Client Security server and the Symantec Client Security client software. Computers that run Symantec Client Security server software might be required to do so because of system requirements. Computers that run Symantec Client Security server software are not required to act as management servers. The Symantec Client Security server software can manage other computers that run Symantec Client Security and supported legacy versions of Norton AntiVirus Corporate Edition. It can also push configuration updates, as well as virus and security risk definitions file updates, to these clients. The Symantec Client Security server software also provides antivirus and security risk protection for the computers on which it runs. Note: The Symantec AntiVirus server software is not supported on 64-bit computers. About the Symantec System Center By using the Symantec System Center, you can manage network security by performing administrative operations such as the following: Installing antivirus and security risk protection on workstations and network servers. Installing firewall and intrusion protection on workstations. 
- Updating Symantec Client Security definitions.
- Managing Symantec Client Security servers and clients.
- Managing content licensing, if you use a content license rather than a site license for your computers. See the Content Licensing chapter in the Symantec Client Security Installation Guide.

In addition to the Symantec System Center, you can also use Grc.dat configuration files to configure Symantec Client Security clients. You can use configuration files if you want to use a third-party tool to remotely configure your network.

The following information about the Symantec System Center is not included in this guide:
- Information about the configuration and use of reporting functionality is in the Reporting User's Guide.
- Information about the configuration and use of endpoint compliance functionality is in the Endpoint Compliance Implementation Guide.

Symantec System Center console icons

When the Symantec System Center runs, it displays a system hierarchy of server groups, client groups, and the servers that the icons represent. The icons appear in an expandable hierarchy in the Symantec System Center console. The Symantec System Center uses icons to represent the different states of computers that are running Symantec managed products. For example, if the server group icon in the server group view appears with a padlock icon, the server group must be unlocked with its password before you can configure or run scans for the computers in the server group.

Table 1-1 describes the Symantec System Center icons.

Table 1-1 Symantec System Center icons
(The icon images are not reproduced here; each entry is the description of one icon.)
- Highest level object representing the system hierarchy, which contains all server groups.
- Unlocked server group or client group. Compare this icon to the locked server group icon. For security reasons, all server groups default to locked when you start the Symantec System Center.
- Locked server group. You must enter a password before you can view the computers in the server group to configure and run updates and scans.
- An issue needs to be resolved in this server group. For example, there may not be a primary management server that is assigned to the server group, or a server may have detected a virus or security risk.

Table 1-1 Symantec System Center icons (continued)
- A security risk, such as adware or spyware, was detected on a computer in this server group. Note: If Symantec Client Security detects both a virus and a security risk on the same computer, the virus icon appears.
- Symantec Client Security server running on a supported computer. Compare this icon to the next one, which is the primary management server for the server group.
- Symantec Client Security primary management server running on a supported computer.
- Unavailable Symantec Client Security server. This icon appears when communication is severed between the Symantec Client Security server and the Symantec System Center console. The communication error may result from one of several causes. For example, the server system is not running; the Symantec software has been removed; the server, client, and Symantec System Center system times are out of sync; or there could be a network failure between the console and the system.
- A virus was detected on the computer that is running Symantec Client Security server.
- A security risk, such as adware or spyware, was detected on the computer that is running Symantec Client Security server. If Symantec Client Security detects both a virus and a security risk on the same computer, the virus icon appears.
- Symantec Client Security client running on a supported Windows computer. If you use Symantec endpoint compliance, this icon also indicates that this client computer is compliant. When you select this computer, you view options only on that computer.
- A virus was detected on the computer that is running Symantec Client Security client. Note: Client infection state will not display in the Symantec System Center console unless you enable that option under Tools > SSC Console Options, on the Virus Alert Filter tab.

Table 1-1 Symantec System Center icons (continued)
- A security risk, such as adware or spyware, was detected on the computer that is running Symantec Client Security client. If Symantec Client Security detects both a virus and a security risk on the same computer, the virus icon appears.
- An issue needs to be resolved with this client. For example, virus and security risk definitions files may be out of date, or the client group to which the client was assigned may no longer be valid. The status field in the Symantec System Center console indicates the actual problem.
- This computer, which runs Symantec Client Security client software, has access to the network but failed an endpoint compliance audit. You may want to examine why it failed and take action to remediate the problem.
- The computer, which runs Symantec Client Security client software, failed an endpoint compliance check.
- The computer, which runs Symantec Client Security client software, is not currently connected to the network. This situation could occur because the server, client, and Symantec System Center system times are out of sync. You must enable a setting for the Symantec System Center console to show when clients are not connected to the network.

Using the Symantec System Center

The system hierarchy in the Symantec System Center console is the top level that contains all server groups and client groups.

Note: The system hierarchy is not populated until you install at least one Symantec Client Security server.

Starting the Symantec System Center

Start the Symantec System Center when you want to manage Symantec Client Security.

To start the Symantec System Center
On the Windows taskbar, click Start > Programs > Symantec System Center Console > Symantec System Center Console.

The Symantec System Center opens to the Default Console View.

Figure 1-1 The Symantec System Center console
(Figure not reproduced; its callouts label the console tree tab, the top server group level, the right pane in which the contents of the object selected in the tree appear, a locked server group, an unlocked server group, and client groups.)

Note: Viewing the Symantec System Center console from a terminal session is not supported.

Selecting a primary management server for a server group

If you have not already done so, the first thing that you must do to use Symantec System Center is to assign a primary management server for the server group that you created at the time of installation. You must specify a server in the server group as the primary management server; no server is specified as the primary management server by default. Until you specify a primary management server, you cannot perform most Symantec product management operations.

After promoting a server to primary and installing additional secondary management servers, you should remove and archive the server group private key from the pki\private-keys directory that is located under the Symantec Client Security directory that you selected at the time of installation.

For more information, see the Symantec Client Security Reference Guide.

When you select a server group object in the Symantec System Center console and set options, the settings are saved to the primary management server in the server group. Other servers in the server group also use the new configuration.

Computers that are running any of the following operating systems can be primary management servers:
- Windows 2000 Server/Advanced Server/Professional
- Windows Server 2003 Web/Standard/Enterprise/Datacenter Editions
- Windows XP Professional

The primary management server plays an important role, so select a stable server that is always running.

To select the primary management server for a server group
Right-click the server that you want to be the primary management server, and then click Make Server A Primary Server.

About console views

Each product management snap-in makes a new product view available within the Symantec System Center console. For example, when you install the Symantec AntiVirus management snap-in, the Symantec AntiVirus view is added, which includes the fields that are related to Symantec Client Security, such as Last Scan and Definitions.

Changing console views

Unless you change the view, the Symantec System Center console displays the Default Console View. The other views available depend upon which managed Symantec Client Security snap-ins you have installed.

To change console views
1 In the left pane, right-click an object, such as System Hierarchy.
2 On the View menu, in the list that appears at the bottom of the menu, click a view.

Saving console settings

When you close the Symantec System Center, you are prompted to save Microsoft Management Console (MMC) console settings for the Symantec System Center.

This process has no effect on the Symantec Client Security configuration changes that you make when you use the Symantec System Center.

To save console settings
Do one of the following:
- Click Yes if you want to see the same console view the next time that you launch the Symantec System Center.
- Click No if you want to see the last saved view the next time you launch the Symantec System Center.

Customizing console view columns

The columns that appear in the right pane change based on the selected view. When System Hierarchy is selected, the Default Console View includes the following data columns:
- Name
- Status
- Primary Server
- Valid State

Table 1-2 lists the data columns in the Symantec AntiVirus view.

Table 1-2 Data columns in the Symantec AntiVirus view
Level selected in left pane: data columns that appear in right pane
- System hierarchy: Server Group, Status, Definition Sharing, Newest Definitions, Status of Server Updates
- Server group: Server, Type, Status, Last Scan, Definitions, Version, Scan Engine, Address, Status of Client Updates

Table 1-2 Data columns in the Symantec AntiVirus view (continued)
Level selected in left pane: data columns that appear in right pane
- Groups (for client groups): Group Name, Configuration Change Date, Number of Clients
- Client group or server: Client, User (including the domain that authenticated the user), Status, Last Scan, Definitions, Version, Scan Engine, Address, Group, Server

Table 1-3 lists the data columns in the Symantec Client Firewall view.

Table 1-3 Data columns in the Symantec Client Firewall view
Level selected in left pane: data columns that appear in right pane
- System hierarchy: Server Group, Status
- Server group: Server, Type, Status, Version, Server Policy File, Server Policy Rollout Time, Client Policy File, Client Policy Rollout Time, Address
- Groups (for client groups): Group, Client Policy File, Client Policy Rollout Time, Number of clients

Table 1-3 Data columns in the Symantec Client Firewall view (continued)
Level selected in left pane: data columns that appear in right pane
- Client group or server: Client, User (including the domain that authenticated the user), Status, Version, Policy File, Policy Rollout Time, Address, Group, Server

You can rearrange the order of the columns to better suit your needs.

To customize the columns in a view
1 In the left pane, under Symantec System Center, select an object.
2 On the View menu, in the list that appears at the bottom of the menu, select the view that you want to customize.
3 On the View menu at the top of the Symantec System Center window, click Choose Columns.
4 In the Modify Columns dialog box, use the Add, Remove, Move Up, and Move Down buttons to customize your view as needed, or use Reset to return the settings to the last saved state.

Showing when clients are offline

You can configure the Symantec System Center console to show when computers running Symantec Client Security client software are not currently connected to the network. The icon in the last row of Table 1-1 indicates that the client is offline.

To show when clients are offline
1 On the Tools menu, click SSC Console Options.
2 In the SSC Console Options Properties dialog box, on the Client Display tab, under Client Configuration Options, check Indicate when clients are offline. This option is unchecked by default.

Showing client Auto-Protect status

You can configure the Symantec Client Security client or server icon to appear on the Windows system tray. The icon shows a client or server's Auto-Protect status as follows:
- When Auto-Protect is enabled, the icon appears as a full shield. When you right-click the icon, a check mark appears before Enable Auto-Protect.
- When Auto-Protect is disabled, the icon is covered by a universal no sign (a red circle with a diagonal slash). When you right-click the icon, no check mark appears before Enable Auto-Protect.

Showing client infection state

You can configure the Symantec System Center to display client infection state that is based on client check-in data on the Symantec System Center console. This option is disabled by default.

To show client infection state on the Symantec System Center console
1 On the Tools menu, click SSC Console Options.
2 In the SSC Console Options Properties dialog box, on the Virus Alert Filter tab, check Display the infected state of each client that is based on client check-in data.
3 To configure how long the information displays, use the arrows or type the number of days you want virus infection data to remain on the Symantec System Center console. By default, the console does not display the infections that occurred more than three days ago.
4 To reset the Symantec System Center to display client infection state from the current time forward, check Don't show virus alerts before:, and then click Set to Current Time.

Note: Use the reporting console for more comprehensive and up-to-date infection status. For information about the reporting console, see the Reporting User's Guide.

About refreshing the console

At the first startup of a newly installed Symantec System Center console, the console pings the network to find all available computers that run Symantec Client Security server software. As soon as the servers respond, they are added to the console. Connected workstations running a managed Symantec client product are added when their parent management server is selected in the console tree.

If you start the servers that are running a manageable Symantec product while the Symantec System Center is already running, you may need to locate the servers by using the Find Computer feature or by running the Discovery Service so that they appear in the server group view. See Using the Find Computer feature on page 40. You can also use Discovery to locate network computers on which Symantec Client Security is not installed. See About the Discovery Service on page 32.

About the Discovery Service

How Discovery works

The Symantec System Center console runs a single service: the Symantec System Center Discovery Service (Nsctop.exe). This service is responsible for discovering the computers running Symantec Client Security server software that appear in the Symantec System Center console. The Discovery Service also populates the Symantec System Center console with the objects in the hierarchy. From the Symantec System Center console, you can select any object beneath the console root, and then choose Discovery Service from the Tools menu to perform a new Discovery of servers.

To discover computers on the network, a computer that runs the Symantec System Center sends several pings to the network. The pings are UDP broadcasts to port 38293. The ping program verifies that the remote computer exists and can accept requests. When Symantec Client Security servers and AMS2 servers that run the Ping Discovery Service (Intel PDS) hear a ping, they respond with pong packets. Only antivirus servers are discovered by using this ping and pong mechanism.

Symantec Client Security finds client information by querying the server for its client information. Clients ping the server to get the port number that the server's Rtvscan listens on.
The client's Rtvscan can then send its keep-alive packet to the parent server's Rtvscan, and communication can begin. The keep-alive packet contains information such as the following:
- Date of the computer's virus definitions files
- When the computer was last infected
- Firewall version
- Time-stamp of the firewall policy
- Whether the firewall is installed and enabled, and whether there was an error importing the last policy sent
- Whether the firewall policy on the server and client differ

IP pings are sent to the remote computer running Symantec Client Security server software to determine what type of protocol it uses. The data from the computer that runs Symantec Client Security client software is stored on the computer that runs Symantec Client Security server software that is the client's parent management server. The Symantec System Center console reads each parent management server's registry to get the data that it displays in the console. Following the completion of this process, Normal Discovery runs.

Types of Discovery

Symantec System Center uses the following types of Discovery:
- Load from cache only (with or without using IP Discovery)
- Local Discovery (with or without using IP Discovery)
- Intense Discovery (with or without using IP Discovery)
- Normal Discovery (not user-initiated)

Table 1-4 describes the types of Discovery that Symantec Client Security uses:

Table 1-4 Discovery types
Type: Load from cache only
Description: Load from cache only offers the most basic type of Discovery. It tries to refresh all of the servers for which the Symantec System Center console address cache contains information. Each server is then sent a series of pings to see if the server checks back in, and to refresh information on the console. Load from cache only reduces traffic on the network when you launch the Symantec System Center. In most cases, you may find that choosing Load from cache only finds all of the servers that you need to add to the Symantec System Center console.
What follows: Normal Discovery

Table 1-4 Discovery types (continued)
Type: Local Discovery (default)
Description: In Local Discovery, a ping packet is broadcast over the local subnet of the computer that runs the Symantec System Center console. Intel PDS services that run on servers on the local subnet reply with pong data. Local Discovery generates less ping noise, but is limited to the local subnet. Local Discovery works very well on small subnets. In very large subnets, you might obtain better results by using Intense Discovery.
What follows: Load from cache only, Normal Discovery

Type: Intense Discovery
Description: Intense Discovery walks My Network Places on the local Windows computer and attempts to resolve all computers that it finds into a network address. When it has the network address, it attempts to send ping requests. You can configure whether Intense Discovery walks the NetWare or Microsoft branches of the network tree, or both. The ability of Intense Discovery to locate computers is limited by several factors: the availability of a Windows Internet Naming Service (WINS) server or Active Directory, network subnet and router configuration, DNS configuration, and Microsoft domain and workgroup configuration. Searching by IP address range in most cases is not affected by these factors. For this reason, you may want to use IP Discovery.
What follows: Local Discovery, Load from cache only, Normal Discovery

Table 1-4 Discovery types (continued)
Type: Normal Discovery
Description: The Symantec System Center console broadcasts to all servers that are in unlocked server groups. Normal Discovery queries the primary management server of the server group for the list of secondary management servers in its address cache. The Symantec System Center console address cache stores information for all servers that have ever reported to it. The primary management server address cache contains information for every server within the server group. The address cache includes the names of all secondary management servers and their IP addresses. The Symantec System Center console compares its own address cache with the address cache sent by the primary management server. When a mismatch is identified, the console pings the associated server. When the pong data returns, it is added to all other servers in the list. In this way, Normal Discovery can identify every server in the server group and attempt to resolve information conflicts between parent management servers.
What follows: Runs automatically after other types of Discovery; not user-initiated.

You can configure Load from cache only, Local Discovery, and Intense Discovery to use IP Discovery by using either an IP address or an IP subnet address range. You may want to use IP Discovery only periodically to discover computers across the network. After the computers are in the address cache, you can then use the Load from cache only method.

Discovery Service requirement for WINS or Active Directory

The Discovery Service requires the use of Windows Internet Naming Service (WINS) or Active Directory name resolution. If you attempt to run the Discovery Service in an environment where WINS or Active Directory is not available, you need to find at least one computer running Symantec Client Security server on your network first.
To find the computer, you can use the Find Computer feature or the Importer tool. See Using the Find Computer feature on page 40. See the Symantec Client Security Reference Guide for information about the Importer tool.

NetWare computers and the Discovery Service

The Discovery Service may not find NetWare computers that are running IP only. To find the computers that are not located by the Discovery Service, you can use the Find Computer feature. See Using the Find Computer feature on page 40.

Running the Discovery Service

You initiate all types of Discovery in the Symantec System Center console.

Note: The Discovery Service uses WINS or Active Directory when it browses for new computers that run Symantec Client Security. If you are trying to discover new computers in an environment in which WINS or Active Directory is unavailable, you may want to run the Find Computer feature or the Importer tool first. See Using the Find Computer feature on page 40. See the Symantec Client Security Reference Guide for information about the Importer tool.

Configuring the Discovery Service to use IP addresses

You can run the Discovery Service and find servers with or without including IP addresses and subnets.

To configure the Discovery Service to use IP addresses
1 In the left pane, select any object below the console root.
2 On the Tools menu, click Discovery Service.

3 In the Discovery Service Properties window, on the Advanced tab, check Enable IP Discovery. Once Enable IP Discovery is checked, an IP Discovery session runs whenever you run an Intense Discovery. To run any type of Discovery without also running IP Discovery, uncheck Enable IP Discovery. You can also access IP Discovery functionality in the Find Computer dialog box.
4 In the Scan Type list, select one of the following:
- IP Address: The console pings every computer in the range of IP addresses.
- IP Subnet: The console broadcasts to each subnet.
5 In the Beginning of range and End of range boxes, type the addresses.
6 If you clicked IP Subnet, type the subnet mask to refine the search.

IP Address search results appear in the lower portion of the Find Computer dialog box. IP Subnet search results are displayed in the Symantec System Center console status bar.
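Because Discovery pings are UDP traffic to port 38293 (see How Discovery works) and IP Discovery either pings every host in a range or broadcasts to each subnet (step 4 above), an administrator can verify from flow logs that only the intended consoles are running Discovery. The following Python script is an added example, not part of this guide or of Symantec's software: it summarises Discovery traffic in constructed log lines and reports sources that are not on an assumed allowlist of consoles. The log format, the subnets, the allowlist, and the sweep threshold are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# UDP port of the Discovery ping, as stated in the guide.
DISCOVERY_PORT = 38293
# Distinct unicast targets from one source before the activity is reported
# as a range sweep (IP Address scan). Assumed threshold, tune to taste.
SWEEP_THRESHOLD = 8

# Constructed inventory (assumptions): consoles allowed to run Discovery,
# and the subnets whose directed-broadcast addresses we recognise.
AUTHORISED_CONSOLES = {"10.0.1.10"}
LOCAL_SUBNETS = [ipaddress.ip_network("10.0.1.0/24"),
                 ipaddress.ip_network("10.0.2.0/24")]

# Constructed flow records in an assumed format:
#   "<timestamp> <proto> <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = (
    # Authorised console: Local Discovery broadcast, then an IP Subnet scan.
    "2024-01-01T09:00:00 UDP 10.0.1.10 -> 10.0.1.255:38293\n"
    "2024-01-01T09:00:01 UDP 10.0.1.10 -> 10.0.2.255:38293\n"
    # Unknown host pinging twelve consecutive addresses (IP Address scan).
    + "".join(f"2024-01-01T09:05:{i:02d} UDP 10.0.1.20 -> 10.0.1.{100 + i}:38293\n"
              for i in range(12))
    # Unknown host sending a limited-broadcast Discovery ping.
    + "2024-01-01T09:10:00 UDP 10.0.1.50 -> 255.255.255.255:38293\n"
    # Unrelated traffic and a malformed line; both are ignored.
    + "2024-01-01T09:10:01 TCP 10.0.1.50 -> 10.0.1.60:445\n"
    + "garbage line\n"
)

LINE_RE = re.compile(r"^(\S+) (UDP|TCP) ([\d.]+) -> ([\d.]+):(\d+)$")


def parse_record(line):
    """Return (proto, src, dst, port) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, proto, src, dst, port = m.groups()
    return proto, src, dst, int(port)


def is_broadcast(dst):
    """True for the limited broadcast or a directed broadcast of a known subnet."""
    ip = ipaddress.ip_address(dst)
    if ip == ipaddress.ip_address("255.255.255.255"):
        return True
    return any(ip == net.broadcast_address for net in LOCAL_SUBNETS)


def summarise_discovery(log_text):
    """Per source: number of Discovery broadcasts and the set of unicast targets."""
    summary = defaultdict(lambda: {"broadcasts": 0, "unicast_targets": set()})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        proto, src, dst, port = rec
        if proto != "UDP" or port != DISCOVERY_PORT:
            continue
        if is_broadcast(dst):
            summary[src]["broadcasts"] += 1
        else:
            summary[src]["unicast_targets"].add(dst)
    return summary


def findings(log_text, authorised=AUTHORISED_CONSOLES):
    """List Discovery sources that are not authorised consoles, with what they did."""
    out = []
    for src, s in sorted(summarise_discovery(log_text).items()):
        if src in authorised:
            continue
        kinds = []
        if s["broadcasts"]:
            kinds.append("subnet broadcast (Local Discovery or IP Subnet scan)")
        n = len(s["unicast_targets"])
        if n >= SWEEP_THRESHOLD:
            kinds.append(f"unicast sweep of {n} hosts (IP Address scan)")
        elif n:
            kinds.append(f"unicast ping of {n} host(s) (cache refresh)")
        out.append({"source": src, "broadcasts": s["broadcasts"],
                    "unicast_targets": n, "kinds": kinds})
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(f"{f['source']}: " + "; ".join(f["kinds"]))
```

With the sample data the authorised console is silent in the report, while 10.0.1.20 is flagged for a 12-host unicast sweep and 10.0.1.50 for a broadcast ping.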