Symantec AntiVirus Corporate Edition Reference guide

Symantec AntiVirus™
Corporate Edition
Reference Guide
The software described in this book is furnished under a license agreement and may be
used only in accordance with the terms of the agreement.
Documentation version 10.0
Copyright Notice
Copyright © 2005 Symantec Corporation.
All Rights Reserved.
Any technical documentation that is made available by Symantec Corporation is the
copyrighted work of Symantec Corporation and is owned by Symantec Corporation.
NO WARRANTY. The technical documentation is being delivered to you AS-IS, and
Symantec Corporation makes no warranty as to its accuracy or use. Any use of the
technical documentation or the information contained therein is at the risk of the user.
Documentation may include technical or other inaccuracies or typographical errors.
Symantec reserves the right to make changes without prior notice.
No part of this publication may be copied without the express written permission of
Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.
Trademarks
Symantec, the Symantec logo, LiveUpdate, and Norton AntiVirus are U.S. registered
trademarks of Symantec Corporation. Norton Internet Security, Norton Personal Firewall,
Symantec AntiVirus, Symantec Client Firewall, Symantec Client Security, and Symantec
Security Response are trademarks of Symantec Corporation.
Other brands and product names mentioned in this manual may be trademarks or
registered trademarks of their respective companies and are hereby acknowledged.
Printed in the United States of America.
Technical support
As part of Symantec Security Response, the Symantec global Technical Support
group maintains support centers throughout the world. The Technical Support
group’s primary role is to respond to specific questions on product feature/function,
installation, and configuration, as well as to author content for our
Web-accessible Knowledge Base. The Technical Support group works
collaboratively with the other functional areas within Symantec to answer your
questions in a timely fashion. For example, the Technical Support group works
with Product Engineering as well as Symantec Security Response to provide
Alerting Services and virus definitions updates for virus outbreaks and security
alerts.
Symantec technical support offerings include:
A range of support options that give you the flexibility to select the right
amount of service for any size organization
Telephone and Web support components that provide rapid response and
up-to-the-minute information
Upgrade insurance that delivers automatic software upgrade protection
Content Updates for virus definitions and security signatures that ensure
the highest level of protection
Global support from Symantec Security Response experts, which is
available 24 hours a day, 7 days a week worldwide in a variety of languages
for those customers enrolled in the Platinum Support Program
Advanced features, such as the Symantec Alerting Service and Technical
Account Manager role, offer enhanced response and proactive security
support
Please visit our Web site for current information on Support Programs. The
specific features available may vary based on the level of support purchased and
the specific product that you are using.
Licensing and registration
If the product that you are implementing requires registration and/or a license
key, the fastest and easiest way to register your service is to access the
Symantec licensing and registration site at www.symantec.com/certificate.
Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.html,
select the product that you wish to register, and from the Product Home Page,
select the Licensing and Registration link.
Contacting Technical Support
Customers with a current support agreement may contact the Technical
Support group via phone or online at www.symantec.com/techsupp.
Customers with Platinum support agreements may contact Platinum Technical
Support via the Platinum Web site at www-secure.symantec.com/platinum/.
When contacting the Technical Support group, please have the following:
Product release level
Hardware information
Available memory, disk space, NIC information
Operating system
Version and patch level
Network topology
Router, gateway, and IP address information
Problem description
Error messages/log files
Troubleshooting performed prior to contacting Symantec
Recent software configuration changes and/or network changes
Customer Service
To contact Enterprise Customer Service online, go to www.symantec.com, select
the appropriate Global Site for your country, then choose Service and Support.
Customer Service is available to assist with the following types of issues:
Questions regarding product licensing or serialization
Product registration updates such as address or name changes
General product information (features, language availability, local dealers)
Latest information on product updates and upgrades
Information on upgrade insurance and maintenance contracts
Information on Symantec Value License Program
Advice on Symantec's technical support options
Nontechnical presales questions
Missing or defective CD-ROMs or manuals
Contents
Technical support
Chapter 1 Introducing the reference guide
What is in the reference guide ............................................................................. 7
Chapter 2 Antivirus protection and email servers
About configuring Symantec AntiVirus on email servers .............................. 9
Stand-alone server configuration ............................................................. 10
Managed client configuration .................................................................... 11
Unmanaged client configuration .............................................................. 11
File scanning on Exchange servers ................................................................... 12
Directories to include ..................................................................................13
Directories and files to exclude ................................................................. 13
Extensions to exclude .................................................................................. 15
Directories to exclude when other Symantec products are
installed .................................................................................................16
Chapter 3 Reset ACL tool
About the Reset ACL tool .................................................................................... 17
Restricting registry access with the Reset ACL tool ...................................... 17
Chapter 4 Importer tool
About the Importer tool ...................................................................................... 19
How the Importer tool works .....................................................................20
Where the Importer tool is located ...........................................................20
Importing addresses using the Importer tool .................................................20
Deleting entries from the address cache .......................................................... 21
Advanced usage ................................................................................................... 22
Getting Help while using the Importer tool .................................................... 23
Known problems ..........................................................................................24
Chapter 5 Windows services
Symantec AntiVirus services ............................................................................ 25
Symantec System Center services .................................................................... 28
Chapter 6 Cryptography basics
Overview ............................................................................................................... 29
About cryptographic keys and algorithms ...................................................... 30
About one-way hashes and digital signatures ................................................ 31
About digital certificates and PKIs ................................................................... 32
About SSL .............................................................................................................. 35
Chapter 7 Event Log entries
Symantec AntiVirus events ............................................................................... 37
Chapter 8 How certificates are implemented
How certificates establish a chain of trust ...................................................... 43
How clients and servers authenticate certificates ......................................... 45
Authentication paths and methods .................................................................. 46
Certificate store directories ............................................................................... 47
File naming conventions .................................................................................... 48
Server group root certificates and private keys ..................................... 48
Server certificates and private keys ......................................................... 49
Login CA certificates and private keys ..................................................... 49
Certificate signing requests ....................................................................... 49
Other certificate details ...................................................................................... 50
Certificate and CSR counters ..................................................................... 50
Certificate and key file formats ................................................................. 50
Server group root key archival .................................................................. 51
About promoting secondary servers to primary servers ...................... 51
About viewing certificates .......................................................................... 51
About preserving certificates and issue time .......................................... 52
Install a primary server and secondary server in each
server group .......................................................................................... 52
Index
Chapter 1 Introducing the reference guide
This chapter includes the following topics:
What is in the reference guide
This reference guide contains technical product information for Symantec
AntiVirus, including information on tools that are on the Symantec AntiVirus
CD. It is intended for system administrators and others who install and maintain
this product in a networked, corporate environment.
What is in the reference guide
Table 1-1 lists and describes the topics in this reference guide.
Table 1-1 Reference guide topics
Antivirus protection and email servers: This chapter provides examples of how you should implement antivirus protection on email servers.
Reset ACL tool: Many of the configuration settings for Symantec AntiVirus are stored in the Windows® registry. Reset ACL lets you restrict access to these registry settings on Windows® XP/2000 operating systems to prevent unauthorized users from making changes.
Importer tool: The Importer tool is a command-line utility specifically for use with the Symantec System Center™. The Importer tool lets you import as many sets of computer names and IP addresses into a special address cache as you need. Symantec AntiVirus can then locate computers during the Discovery process in situations where the computer names cannot be resolved using WINS/DNS.
Windows services: This chapter lists the names of services run automatically by Symantec AntiVirus and the Symantec System Center. Those names appear in the Windows Services control panel.
Event Log entries: This chapter lists the events written by Symantec AntiVirus to the Windows Event Log.
Cryptography basics: This chapter provides an overview of the cryptography concepts that administrators need to understand if they do not know the difference between a digital signature and a digital certificate. Administrators need this knowledge to understand how Symantec AntiVirus uses certificates.
How certificates are implemented: This chapter provides an overview of how Symantec AntiVirus implements digital certificates to secure communications between the Symantec System Center, servers, and clients by using SSL.
Chapter 2 Antivirus protection and email servers
This chapter includes the following topics:
About configuring Symantec AntiVirus on email servers
File scanning on Exchange servers
About configuring Symantec AntiVirus on email
servers
Symantec AntiVirus is a file system scanner and is not designed to handle
server functions. Products that are specifically designed to protect Microsoft®
Exchange, Domino®, and other gateway servers handle server functions. Allowing
Symantec AntiVirus™ to scan certain parts of a mail server can cause unexpected
behavior, problems, or even total data loss. If you install Symantec AntiVirus
on an email server, you need to take some precautions to prevent damage to the
data on the server.
One precaution that you must take is to exclude certain directories and files
from scanning. How you make these exclusions depends on the following
circumstances:
Whether you install Symantec AntiVirus server or client on email servers
Whether you want to manage email servers from the Symantec System
Center
Note: For the latest details on which directories and files to exclude from
scanning, consult the Symantec Knowledge Base on the Symantec Web site.
Symantec AntiVirus client software also has Auto-Protect for email, which
monitors the standard email ports. Auto-Protect can cause performance
degradation or failure if it is installed and enabled on an email server. Therefore,
you must disable this feature if you install the client software on an email
server.
You can install Symantec AntiVirus software in the following configurations:
Stand-alone server configuration
Managed client configuration
Unmanaged client configuration
Stand-alone server configuration
In the stand-alone server configuration, you install antivirus server software on
an email server, and then place the server in a separate server group that is
dedicated to email servers. This configuration is the preferred one because it
generates the smallest exposure for error. Be sure to name the server group in a
way that indicates that it contains email servers.
Configure the File System Auto-Protect options, Scheduled Scan options, and
Manual Scan options for the server group to exclude the email server software
directory structure and the temporary processing directory for the email server.
The Symantec AntiVirus antivirus server does not include email Auto-Protect
options that are provided by the antivirus client, so you do not have to disable it.
Configure the servers in the server group to receive virus definitions updates
from the primary server by using the Virus Definition Transport Manager
(VDTM). If a Symantec antivirus product for the email server is also installed,
disable the LiveUpdate™ schedule for that product. The virus definitions
downloads are exactly the same. Therefore, only one application should run
LiveUpdate. All installed Symantec antivirus products share the same virus
definitions.
Managed client configuration
In the managed client configuration, you install Symantec AntiVirus antivirus
client software on an Exchange server, and then place the server in a separate
client group that is dedicated to Exchange servers. Be sure to name the client
group in a way that indicates that it contains Exchange servers.
Configure the File System Auto-Protect options, Scheduled Scan options, and
Manual Scan options for the client group to exclude the email server software
directory structure and the temporary processing directory for the antivirus
scanner. Be sure to disable all email Auto-Protect options if they are installed
and enabled.
Warning: If you configure Symantec AntiVirus as a client on an email server, be
sure to disable email Auto-Protect if it is installed. This feature monitors the
standard mail ports, and can cause performance degradation or failure if it is
installed on email servers.
Configure the clients in the client group to receive virus definitions updates
from the parent server by using VDTM. If a Symantec antivirus product for the
email server is also installed, disable the LiveUpdate schedule for that product.
The virus definitions that Symantec AntiVirus and the antivirus products for
email servers download are exactly the same. Therefore, only one application
should run LiveUpdate. All installed Symantec antivirus products share the
same virus definitions.
Unmanaged client configuration
In the unmanaged client configuration, you install Symantec AntiVirus client
software from the installation CD and execute the Setup.exe file in the SAV
directory. If you use the installation files from an installed Symantec AntiVirus
server or use the client rollout installers, the client will automatically retrieve
configuration information from the selected parent server and become a
managed client.
Configure the File System Auto-Protect options, Scheduled Scan options, and
Manual Scan options for the client to exclude the email server software
directory structure and the temporary processing directory for the antivirus
scanner. Be sure to disable all email Auto-Protect options if they are installed
and enabled.
Warning: If you configure Symantec AntiVirus as a client on an email server, be
sure to disable email Auto-Protect if it is installed. This feature monitors the
standard mail ports, and can cause performance degradation or failure if it is
installed on mail servers.
Configure the client software to use LiveUpdate to retrieve updates from
Symantec on a regular schedule. If a Symantec antivirus product for the email
server is also installed, disable the LiveUpdate schedule for that product, and
configure Symantec AntiVirus to run LiveUpdate. The virus definitions that
Symantec AntiVirus and the antivirus products for email servers download are
exactly the same. Therefore, only one application should run LiveUpdate. All
installed Symantec antivirus products share the same virus definitions.
File scanning on Exchange servers
Symantec AntiVirus protects the file system on an Exchange server, not the
Exchange server. Products such as Symantec Mail Security™ for Microsoft
Exchange protect Exchange servers. Certain directories must be excluded from
scanning by Symantec AntiVirus to prevent problems with the Internet Mail
Connector (IMC) or Information Store (IS). If Auto-Protect scans the Exchange
directory structure or the Symantec Mail Security processing directory, it can
cause the following:
False positive virus detections
Unexpected behavior on the Exchange server
Damage to the Exchange databases
To correctly configure file scanning, you need to understand the following
information:
Directories to include
Directories and files to exclude
Extensions to exclude
Directories to exclude when other Symantec products are installed
Note: For the latest details on which directories and files to exclude from
scanning, consult the Symantec Knowledge Base on the Symantec Web site.
Directories to include
You can safely include the following directories and files in scans on all versions
of Microsoft Exchange Server:
Exchsrvr\Address
Exchsrvr\Bin
Exchsrvr\Conndata
Exchsrvr\Exchweb
Exchsrvr\Res
Exchsrvr\Schema
Any additional directories that are not a part of a standard Exchange
installation, and that are not included in the list of directories and files to
exclude, are safe to include.
Directories and files to exclude
The directories and files to exclude depend on the version of Microsoft
Exchange Server that you have installed. Add all listed directories and files to
the exclusion lists for File System Auto-Protect, Scheduled Scans, and Manual
Scans.
Note: The Tmp.edb file might be in multiple locations. Search for the file, and
exclude it in any found locations. You can exclude single files by using the client
and server software that is installed on the Exchange server. You cannot exclude
single files by using the Symantec System Center with server and client group
configurations. Therefore, for all three configurations, you must exclude
Tmp.edb by using the Symantec AntiVirus user interface on the Exchange
server.
Microsoft Exchange Server 5.5
Table 2-1 lists the directories and files to exclude for Microsoft Exchange Server 5.5.
Table 2-1 Files to exclude for Microsoft Exchange Server 5.5
Exchange databases: default location Exchsrvr\Mdbdata
Exchange MTA files: default location Exchsrvr\Mtadata
Exchange temporary files: Tmp.edb
Additional log files: default location and name Exchsrvr\server_name.log
Site Replication Service (SRS) files: default location Exchsrvr\Srsdata
Inbox for Internet Mail Connector: default location Exchsrvr\IMCDATA
Microsoft® Internet Information Service (IIS) system files: <Drive>:\Winnt\System32\Inetsrv
Outbox for Internet Mail Connector: Exchsrvr\IMCDATA\OUT directory
Microsoft Exchange Server 2000
Table 2-2 lists the directories and files to exclude for Microsoft Exchange Server 2000.
Table 2-2 Files to exclude for Microsoft Exchange Server 2000
The Installable File System (IFS): default location Drive M
Exchange databases: default location Exchsrvr\Mdbdata
Exchange MTA files: default location Exchsrvr\Mtadata
Exchange temporary files: Tmp.edb
Additional log files: default location Exchsrvr\server_name.log
Virtual server directory: default location Exchsrvr\Mailroot
Site Replication Service (SRS) files: default location Exchsrvr\Srsdata
Internet Information Service (IIS) system files: <Drive>:\Winnt\System32\Inetsrv
Microsoft Exchange Server 2003
Table 2-3 lists the directories and files to exclude for Microsoft Exchange Server 2003.
Table 2-3 Files to exclude for Microsoft Exchange Server 2003
Exchange databases: default location Exchsrvr\Mdbdata
Exchange MTA files: default location Exchsrvr\Mtadata
Exchange temporary files: Tmp.edb
Additional log files: default location Exchsrvr\server_name.log
Virtual server directory: default location Exchsrvr\Mailroot
Site Replication Service (SRS) files: default location Exchsrvr\Srsdata
Internet Information Service (IIS) system files: default location Exchsrvr\Srsdata
Working directory for message conversion .tmp files: default location Exchsrvr\Mdbdata. You can change the location of this directory. For additional information, consult the Microsoft Knowledge Base.
The temporary directory that is used with offline maintenance utilities such as Eseutil.exe: by default, this directory is the location from which you run the executable, but you can specify where you run the file from when you run the utility.
The directory that contains the checkpoint (.chk) file: for information on the location of this file, consult the Microsoft Knowledge Base.
Extensions to exclude
Because certain files are not always saved in the expected locations, exclude the
following file extensions on all versions of Microsoft Exchange Server:
.log
.edb
Directories to exclude when other Symantec products are installed
Excluding these directories is critical to product operation. Each product uses its
temp directory as a processing directory. If the temp directories are not
excluded from file system scanning, the antivirus programs might conflict and
cause unexpected behavior, including potential data loss.
Norton AntiVirus 2.x for Microsoft Exchange
Exclude the following directories when you use this product:
<drive>:\Program Files\NAVMSE\Temp
<drive>:\Program Files\NAVMSE\Quarantine
<drive>:\Program Files\NAVMSE\Backup
Symantec AntiVirus/Filtering 3.0 for Microsoft Exchange
Exclude the following directories when you use this product:
<drive>:\Program Files\Symantec\SAVFMSE\Temp
<drive>:\Program Files\Symantec\SAVFMSE\Quarantine
Symantec Mail Security 4.0 for Microsoft Exchange
Exclude the following directories when you use this product:
<drive>:\Program Files\Symantec\SMSMSE\4.0\Server\Temp
<drive>:\Program Files\Symantec\SMSMSE\4.0\Server\Quarantine
Symantec Mail Security 4.5 for Microsoft Exchange
Exclude the following directories when you use this product:
<drive>:\Program Files\Symantec\SMSMSE\4.5\Server\Temp
<drive>:\Program Files\Symantec\SMSMSE\4.5\Server\Quarantine
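The exclusion rules of this section (Tables 2-1 to 2-3, the extension rule, and the Symantec mail-server product directories) as a checker an administrator can run before pushing a scan-exclusion list; this is an added example, not part of the manual or of any Symantec tool. It assumes the default Exchsrvr layout under a drive root and uses the product names as dictionary keys of its own; the sample paths are constructed.

```python
"""Scan-exclusion checker for Symantec AntiVirus on an Exchange server.
Added example, not a Symantec tool: it encodes the rules of the "File scanning
on Exchange servers" section (Tables 2-1 to 2-3, the extension rule and the
Symantec mail-server product directories) and checks paths and exclusion
lists against them. Sample paths in the usage call are constructed.
"""
from pathlib import PureWindowsPath

# "Directories to include": safe to scan on all Exchange versions.
SAFE_DIRS = ("Exchsrvr\\Address", "Exchsrvr\\Bin", "Exchsrvr\\Conndata",
             "Exchsrvr\\Exchweb", "Exchsrvr\\Res", "Exchsrvr\\Schema")

EXCLUDE_DIRS = {  # directories from Tables 2-1, 2-2 and 2-3
    "5.5": ("Exchsrvr\\Mdbdata", "Exchsrvr\\Mtadata", "Exchsrvr\\Srsdata",
            "Exchsrvr\\IMCDATA", "Winnt\\System32\\Inetsrv"),
    "2000": ("Exchsrvr\\Mdbdata", "Exchsrvr\\Mtadata", "Exchsrvr\\Mailroot",
             "Exchsrvr\\Srsdata", "Winnt\\System32\\Inetsrv"),
    "2003": ("Exchsrvr\\Mdbdata", "Exchsrvr\\Mtadata", "Exchsrvr\\Mailroot",
             "Exchsrvr\\Srsdata"),
}

PRODUCT_DIRS = {  # "Directories to exclude when other Symantec products are installed"
    "NAVMSE 2.x": ("Program Files\\NAVMSE\\Temp", "Program Files\\NAVMSE\\Quarantine",
                   "Program Files\\NAVMSE\\Backup"),
    "SAVFMSE 3.0": ("Program Files\\Symantec\\SAVFMSE\\Temp",
                    "Program Files\\Symantec\\SAVFMSE\\Quarantine"),
    "SMSMSE 4.0": ("Program Files\\Symantec\\SMSMSE\\4.0\\Server\\Temp",
                   "Program Files\\Symantec\\SMSMSE\\4.0\\Server\\Quarantine"),
    "SMSMSE 4.5": ("Program Files\\Symantec\\SMSMSE\\4.5\\Server\\Temp",
                   "Program Files\\Symantec\\SMSMSE\\4.5\\Server\\Quarantine"),
}

EXCLUDE_EXTENSIONS = (".log", ".edb")  # "Extensions to exclude", all versions
EXCLUDE_FILENAMES = ("tmp.edb",)       # Tmp.edb can sit in several locations

def _split(path):
    """Return (drive, lower-cased path components) for a Windows path."""
    p = PureWindowsPath(path)
    parts = p.parts[1:] if p.anchor else p.parts
    return p.drive.upper(), tuple(s.lower() for s in parts)

def _under(parts, pattern):
    """True if the components of `pattern` occur contiguously in `parts`."""
    pat = tuple(s.lower() for s in pattern.split("\\"))
    return any(parts[i:i + len(pat)] == pat for i in range(len(parts) - len(pat) + 1))

def classify(path, version, products=()):
    """Return ("exclude" | "include", reason) for one path on Exchange `version`."""
    if version not in EXCLUDE_DIRS:
        raise ValueError(f"unsupported Exchange version: {version}")
    drive, parts = _split(path)
    name = parts[-1] if parts else ""
    suffix = PureWindowsPath(name).suffix.lower()
    if name in EXCLUDE_FILENAMES:
        return "exclude", "Tmp.edb is excluded wherever it is found"
    if suffix in EXCLUDE_EXTENSIONS:
        return "exclude", f"{suffix} files are excluded on all Exchange versions"
    if version == "2000" and drive == "M:":
        return "exclude", "Installable File System (drive M) is excluded on Exchange 2000"
    if version == "2003" and suffix == ".chk":
        return "exclude", "the directory holding the checkpoint (.chk) file is excluded"
    for d in EXCLUDE_DIRS[version]:
        if _under(parts, d):
            return "exclude", f"under {d} (Exchange {version} exclusion list)"
    for product in products:
        for d in PRODUCT_DIRS[product]:
            if _under(parts, d):
                return "exclude", f"{product} processing directory {d}"
    for d in SAFE_DIRS:
        if _under(parts, d):
            return "include", f"{d} is safe to scan on all Exchange versions"
    return "include", "not a listed Exchange or Symantec processing location"

def missing_exclusions(configured, version, products=()):
    """Return required directory exclusions that `configured` (the directory list
    set for File System Auto-Protect, Scheduled Scans and Manual Scans) does not
    cover. Tmp.edb is not checked: it must be excluded per file on the server."""
    required = list(EXCLUDE_DIRS[version])
    for product in products:
        required.extend(PRODUCT_DIRS[product])
    covered = [_split(entry)[1] for entry in configured]
    return [d for d in required if not any(_under(c, d) for c in covered)]

if __name__ == "__main__":
    # Constructed sample: a group exclusion list that forgot Mailroot and SMSMSE 4.5.
    configured = [r"C:\Exchsrvr\Mdbdata", r"C:\Exchsrvr\Mtadata", r"C:\Exchsrvr\Srsdata"]
    print("missing:", missing_exclusions(configured, "2003", ("SMSMSE 4.5",)))
    for sample in (r"D:\Exchsrvr\Mdbdata\priv1.edb", r"C:\Exchsrvr\Bin\store.exe",
                   r"C:\Temp\Tmp.edb"):
        print(sample, "->", classify(sample, "2003", ("SMSMSE 4.5",)))
```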
Chapter 3 Reset ACL tool
This chapter includes the following topics:
About the Reset ACL tool
Restricting registry access with the Reset ACL tool
About the Reset ACL tool
Reset ACL (Resetacl.exe) lets you limit access to the Symantec AntiVirus registry
key on Windows XP/2000 computers.
By default, these computers allow all users to modify the data stored in the
registry for any application, including Symantec AntiVirus. Reset ACL removes
the permissions that allow full access by all users to the following Symantec
AntiVirus registry key and its subkeys:
HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion
Restricting registry access with the Reset ACL tool
You can use the Reset ACL tool to restrict registry access.
To restrict registry access with the Reset ACL tool
1 Roll out Resetacl.exe, located on the Symantec AntiVirus CD in the Tools
folder, to unsecured computers.
2 Run Resetacl.exe on each of these computers.
After you have run Resetacl.exe, only users with Administrator rights can
change the registry key values.
While the Reset ACL tool boosts security for Symantec AntiVirus on these
computers, administrators should be aware that there are several trade-off
considerations.
In addition to losing access to the registry, users without Administrator rights
will not be able to do the following:
Start or stop the Symantec AntiVirus service.
Run LiveUpdate.
Schedule LiveUpdate.
Configure Symantec AntiVirus.
For example, users cannot set Auto-Protect or email scanning options.
The options associated with these operations appear dimmed in the Symantec
AntiVirus interface.
In addition, the user can modify scan options, but the changes are not saved in
the registry or processed. The user can also save manual scan options as the
default set, but the options are not written to the registry.
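A way to verify the result the chapter describes (only Administrators can change the key's values after Resetacl.exe has run), as an added example that is not part of the Reset ACL tool or the manual: it parses the key's security descriptor in SDDL form and reports any principal outside Administrators and SYSTEM that still holds write rights. It assumes the SDDL has been exported on the Windows computer, for instance with PowerShell's Get-Acl on the registry path and its Sddl property; the SDDL strings in the code are constructed samples.

```python
"""Audit a registry key's SDDL for write access by non-administrators.
Added example, not part of the Symantec Reset ACL tool. It parses the DACL of
an SDDL string exported for the Symantec AntiVirus key and reports every
principal other than Administrators and SYSTEM that can still change the key.
The SDDL strings in the usage call are constructed samples.
"""
# Key from the manual: HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion
import re

# SDDL two-letter access-right codes and the registry access bits they stand for.
RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000, "KA": 0xF003F, "KR": 0x20019,
    "KW": 0x20006, "KX": 0x20019, "GA": 0x10000000, "GX": 0x20000000,
    "GW": 0x40000000, "GR": 0x80000000,
}
# Bits that let a principal set values, create subkeys, delete the key, or
# rewrite its DACL or owner (KEY_SET_VALUE, KEY_CREATE_SUB_KEY, DELETE,
# WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE).
WRITE_MASK = (RIGHTS["DC"] | RIGHTS["LC"] | RIGHTS["SD"] | RIGHTS["WD"]
              | RIGHTS["WO"] | RIGHTS["GA"] | RIGHTS["GW"])
WELL_KNOWN = {"BA": "Administrators", "SY": "SYSTEM", "BU": "Users", "WD": "Everyone",
              "AU": "Authenticated Users", "IU": "Interactive", "PU": "Power Users"}
TRUSTED = {"BA", "SY"}  # after Resetacl.exe only these should be able to write

_SID = r"(?:[A-Z]{2}|S(?:-\d+)+)"
# Owner and group sections are optional; the DACL is D:, flags, then (ACE)(ACE)...
_DACL_RE = re.compile(rf"^(?:O:{_SID})?(?:G:{_SID})?D:([A-Z]*)((?:\([^()]*\))*)")

def parse_rights(field):
    """Turn an SDDL rights field (two-letter codes or a 0x hex mask) into a mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise ValueError(f"malformed rights field: {field!r}")
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]
    return mask

def parse_dacl(sddl):
    """Return [(ace_type, flags, mask, sid)] for the ACEs in the D: section."""
    m = _DACL_RE.match(sddl)
    if not m:
        raise ValueError("no DACL section in SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        ace_type, flags, rights, _obj, _inherit_obj, sid = body.split(";")
        aces.append((ace_type, flags, parse_rights(rights), sid))
    return aces

def untrusted_writers(sddl, trusted=TRUSTED):
    """Return [(principal, write_bits)] for allow ACEs that leave write rights
    with a principal outside `trusted`. A deny ACE on the same SID is subtracted;
    denies on other groups a user belongs to are not modelled, so the check can
    over-report but never under-report."""
    aces = parse_dacl(sddl)
    denied = {}
    for ace_type, _flags, mask, sid in aces:
        if ace_type == "D":
            denied[sid] = denied.get(sid, 0) | mask
    findings = []
    for ace_type, _flags, mask, sid in aces:
        if ace_type != "A" or sid in trusted:
            continue
        effective = mask & ~denied.get(sid, 0) & WRITE_MASK
        if effective:
            findings.append((WELL_KNOWN.get(sid, sid), effective))
    return findings

if __name__ == "__main__":
    # Constructed samples: the key before and after Resetacl.exe has been run.
    BEFORE = "O:BAG:SYD:(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KA;;;WD)"
    AFTER = "O:BAG:SYD:(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
    for label, sddl in (("before", BEFORE), ("after", AFTER)):
        hits = untrusted_writers(sddl)
        print(label, "OK: only Administrators/SYSTEM can write" if not hits
              else f"writable by {[(p, hex(b)) for p, b in hits]}")
```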
Chapter 4 Importer tool
This chapter includes the following topics:
About the Importer tool
Importing addresses using the Importer tool
Deleting entries from the address cache
Advanced usage
Getting Help while using the Importer tool
About the Importer tool
The Importer tool (Importer.exe) is a command-line utility that identifies
computers in a non-WINS environment to the Symantec System Center console.
This lets Symantec AntiVirus locate computers during the network discovery
process when the names cannot be browsed using WINS/DNS.
In addition to importing the paired names and IP addresses of computers
located in non-WINS environments, you can add any other computer name and
IP address pairing to the text file so that the computer is discovered in the
future. For example, you may want to add the name and address of a computer
that has not been discovered successfully for an unknown reason.
Note: In most cases, you should not need the Importer tool. The Find Computer
feature of the Symantec System Center can usually find and identify Symantec
AntiVirus servers on the network by means of address caching and the normal
Discovery process.
How the Importer tool works
The Importer tool runs on any computer on which the Symantec System Center
is installed. You can use it to import pairs of computer names and IP addresses
from a text file into the address cache registry entries used by the Symantec
System Center.
Once the computer name and address pairs are imported, entries are created in
the registry under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\
CurrentVersion\AddressCache
You must run a Local Discovery or Intense Discovery after importing the data
file. The Discovery queries the addresses of the computers. The computers
running the Symantec AntiVirus server are added to the Discovery Service in
memory and have complete entries created in the registry. The Discovery
Service can then find the computers each time that the Discovery Service is run.
Where the Importer tool is located
The Importer tool consists of a single file, Importer.exe. Importer.exe is located
on the Symantec AntiVirus CD in the Tools folder.
You can copy Importer.exe to any folder on a computer on which the Symantec
System Center is installed, and then run it.
Importing addresses using the Importer tool
To import addresses to the address cache, you must be logged on with
Administrator rights. This is necessary so that you have write access to
HKEY_LOCAL_MACHINE.
Import addresses using the Importer tool
To import addresses using the Importer tool, you must complete the following
tasks:
Create a data file containing paired computer names and IP addresses.
Run the Importer tool.
Note: You must run the Importer tool from a command prompt.
Run the Discovery Service.