Configuring Symantec AntiVirus: Corporate Edition 1928994237, 1928994342, 1928994741, 1931836698

This is the only book that will teach system administrators how to configure, deploy, and troubleshoot Symantec Enterpri

239 39 7MB

English Pages 753 Year 2003

Report DMCA / Copyright

DOWNLOAD PDF FILE

Recommend Papers

Configuring Symantec AntiVirus: Corporate Edition
 1928994237, 1928994342, 1928994741, 1931836698

  • 0 0 0
  • Like this paper and download? You can publish your own PDF file online for free in a few minutes! Sign Up
File loading please wait...
Citation preview

[email protected] With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations. [email protected] is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features: ■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters. ■ “Ask the Author” customer query forms that enable you to post questions to our authors and editors. ■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material. ■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics. Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase. Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/solutions

Configuring

Symantec AntiVirus Laura E. Hunter Athar A. Khan JayCee Taylor James Stanger, Ph.D. Robert J. Shimonski, Technical Editor

Corporate Edition

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files. Syngress Media®, Syngress®,“Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™,“Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies. KEY 001 002 003 004 005 006 007 008 009 010

SERIAL NUMBER PK9EV4NV43 TQMM7T6CVF 8J9H4NDREA ZMATTNH89Y U8MPTST3V3 KA7HYC4ES6 G8JA5QNCAK 9J3NNY6RD7 T3QULAV6FH 5BVF7TNZEL

PUBLISHED BY Syngress Publishing, Inc. 800 Hingham Street Rockland, MA 02370 Configuring Symantec AntiVirus Enterprise Edition

Copyright © 2003 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 ISBN: 1-931836-81-7 Technical Editor: Robert J. Shimonski Cover Designer: Michael Kavish Acquisitions Editors: Catherine B. Nolan, Page Layout and Art by: Patricia Lupien Andrew Williams Copy Editor: Mike McGee Indexer: J. Edmund Rush Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.

Acknowledgments We would like to acknowledge the following people for their kindness and support in making this book possible. Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Frida Yara, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Kristin Keith, Jennifer Pascal, Doug Reil, David Dahl, Janis Carpenter, and Susan Fryer of Publishers Group West for sharing their incredible marketing experience and expertise. The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie Moss for making certain that our vision remains worldwide in scope. David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of STP Distributors for the enthusiasm with which they receive our books. Kwon Sung June at Acorn Publishing for his support. Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada. Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada. David Scott,Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji Tonga, Solomon Islands, and the Cook Islands. Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines. A special thanks to Robert J. Shimonski for his continuing help and dedication to so many Syngress titles.

Contributors James Stanger (Ph.D., Symantec Technology Architect, Convergence Technology Professional, CIW Master Administrator, MCP, Linux+, A+) is co-author of Syngress Publishing’s E-mail Virus Protection Handbook (ISBN: 1-928994-23-7) and Hack Proofing Linux: A Guide to Open Source Security (ISBN: 1-928994-34-2). A network security consultant and writer, James’ specialties include virus management, mail server administration, intrusion detection, and network auditing. Currently Senior Course Director for ProsoftTraining, James consults with Symantec to enable security professionals to deploy virus protection, vulnerability management, and firewall/VPN solutions in enterprise networks. James has also consulted for companies and organizations such as IBM, Securify, Brigham Young University, ITM Technology, and the William Blake Archive. James is the Chairperson of the Linux Professional Institute (LPI) Advisory Council and sits on the CompTIA Linux+ and Server+ cornerstone committees. In addition to authoring books for Syngress, James has also authored security books and courses for Sybex, Osborne/McGrawHill, and ComputerPREP. James resides in Washington. Chris Mosby (Symantec Product Specialist) is a Senior Network Specialist at Bechtel Hanford, Inc. He currently manages the System Management Server and Virus Protection systems for the Environmental Restoration Contract at the United States Department of Energy’s Hanford Nuclear Reservation. At the time of this writing, Chris’ implementation of Symantec AntiVirus Corporate Edition, and the use of other antivirus methods, has allowed his company to have zero network downtime due to virus infection, since January of 2000. He was also awarded a Gold Award Certificate by Bechtel Hanford, Inc. for his efforts during the Nimda virus outbreak, where it was calculated that the company was saved one million dollars in potential lost work. Chris is also a columnist for the myITforum.com Web site, where he has written articles on Systems Management Server and antivirus topics. Chris holds an associate’s degree in Physics, and lives in Kennewick, WA with his wife, Debbie.

Athar A. Khan (Symantec Product Specialist NAVCE, MCSE, MCSA,CCA) is a Wintel (Windows Systems on Intel Platforms) Systems Engineer at a high tech company in southern California. Athar solely architected, implemented and supported a global, enterprise-wide Norton AntiVirus Corporate Edition solution using 10 NAVCE servers for 4,000+ systems in over 30 office locations and numerous home offices. As the NAVCE Administrator, Athar devised incident response strategies to prevent, contain, and counter virus threats and outbreaks including Nimda and Code Red. Currently, Athar is architecting, implementing, and supporting an enterprise-wide data backup and disaster recovery solution that will ultimately protect over 10 Terabytes of data using Connected TLM software. In addition to these responsibilities, Athar performs advanced technical support and Windows domain administration with a scope of responsibility that encompasses 500+ servers and 3,500+ clients in over 60 locations worldwide. Athar holds a bachelor’s degree in Electrical Engineering from the Illinois Institute of Technology. Scott Dentler (CISSP, CCSE, CCSA, MCSE, CCNA) is an IT consultant who has served with companies such as Sprint and H&R Block, giving him exposure to large enterprise networks. Scott’s background includes a broad range of IT facets, including Cisco routers and switches, Microsoft NT/2000, Check Point firewalls and VPNs, Red Hat Linux, network analysis and enhancement, network design and architecture, and network IP allocation and addressing. He has also prepared risk assessments and used that information to prepare business continuity and disaster recovery plans for knowledge-based systems. Scott is a contributor to Snort 2.0 Intrusion Detection (Syngress Publishing, ISBN: 1-931836-74-4). Jay Cee Taylor (CNA/CNE-4.11, CNA/CNE-5.0, CNA/CNE-6.0, CNS, MCP) is the Senior Network Administrator for Thomson Industries, a branch of the Danaher Corporation’s Motion Group. Danaher is a leading industrial company, which designs, manufactures, and markets innovative products.Thomson is a leading manufacturer and provider of linear motion products and engineering. Jay Cee currently supports a large Novell NetWare and Windows environment, managing enterprise-wide accounts, file systems, backup solutions, and virus

protection. His specialties include Novell/Microsoft administration, design, implementation, upgrades and migrations, Computer Associate’s ARCserve/BrightStor products, and Symantec’s NAVCE. Jay Cee has successfully performed a migration to NAVCE 7.6, and he will soon begin a NetWare 6.0 upgrade and a full migration to SAVCE 8.0. Jay Cee is a Licensed Technical Instructor who worked for several years as a Senior Instructor and Training Coordinator for Computer Career Center of Garden City, NY teaching NetWare administration and engineering, and Windows-based courses. Jay Cee is a member of NUI and currently resides in Hempstead, NY with his two best friends: his younger brother, Peter Schork, and his fiancée, Jennifer Caffiero. Laura E. Hunter (MCSE, MCT, MCDBA, MCP, MCP+I, CCNA, A+, Network+, iNet+, CNE-4, CNE-5) is a Senior IT Specialist with the University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for various business units and schools within the University. Her specialties include Microsoft Windows NT/2000 design and implementation, troubleshooting, and security topics. As an “MCSE Early Achiever” on Windows 2000, Laura was one of the first in the country to renew her Microsoft credentials under the Windows 2000 certification structure. Laura’s previous experience includes a position as the Director of Computer Services for the Salvation Army and as the LAN Administrator for a medical supply firm. She also operates as an independent consultant for small businesses in the Philadelphia metropolitan area and is a regular contributor to the TechTarget family of Web sites. Laura holds a bachelor’s degree from the University of Pennsylvania and is a member of the Network of Women in Computer Technology, the Information Systems Security Association, and InfraGard, a cooperative undertaking between the United States Government and other participants dedicated to increasing the security of United States critical infrastructures. Jason E. Genser (MCP, A+) is a computer consultant specializing in systems management, antivirus and software deployment solutions, and technologies for small- and medium-sized businesses. Jason has more than ten years of extensive hands-on experience with personal computers and net-

works and has designed and implemented the infrastructure of a multisite, Microsoft SMS 2.0 environment for a subsidiary of Cingular Wireless. Jason is a columnist on www.myitforum.com, a leading Web site for IT professionals and system administrators. He is the technical editor of TCP/IP Unleashed, Second Edition, Microsoft Windows 2000 Professional Unleashed, and Microsoft Windows 2000 Server Unleashed. He is also a contributing author and editor on Peter Norton’s Complete Guide to Windows 2000 Server. A native and life-long resident of central New Jersey, Jason is a member of the Internet Society and the North American Association of Technology Professionals.

Technical Editor and Contributor Robert J. Shimonski (TruSecure TICSA, Cisco CCDP, CCNP, Symantec SPS, NAI Sniffer SCP, Nortel NNCSS, Microsoft MCSE, MCP+I, Novell Master CNE, CIP, CIBS, IWA CWP, DCSE, Prosoft MCIW, SANS.org GSEC, GCIH, CompTIA Server+, Network+, Inet+, A+, e-Biz+, Security+, HTI+) is a Lead Network and Security Engineer for the leading manufacturing company, Danaher Corporation. At Danaher, Robert is responsible for leading the IT department within his division into implementing new technologies, standardization, upgrades, migrations, high-end project planning, and designing infrastructure architecture. Robert is also part of the corporate security team responsible for setting guidelines and policy for the entire corporation worldwide. In his role as a Lead Network Engineer, Robert has designed, migrated, and implemented very large scale Cisco and Nortel based networks. Robert has held positions as a Network Architect for Cendant Information Technology and worked on accounts ranging from the IRS, to AVIS Rent a Car, and was part of the team that rebuilt the entire Avis worldwide network infrastructure to include the Core, and all remote locations. Robert maintains a role as a part time technical trainer at a local computer school to deliver classes on networking and systems administration whenever possible. Robert is also a part-time author who has worked on over 20 book projects as an author and editor. He has written and edited books on a plethora of topics with a strong emphasis on network security. Robert has designed and worked on some brand new topics for Syngress Publishing to include the only book dedicated to the Sniffer Pro protocol analyzer. Robert has worked on the following Syngress Publishing titles: Security+ Study Guide & DVD Training System (ISBN: 1-931836-72-8); Sniffer Pro Network Optimization & Troubleshooting Handbook (ISBN: 1-931836-57-4); Configuring and Troubleshooting Windows XP Professional (ISBN: 1-92899480-6); BizTalk Server 2000 Developer’s Guide for .NET

(ISBN: 1-928994-40-7); SSCP Study Guide & DVD Training System (ISBN: 1-931836-80-9); Nokia Network Security Solutions Handbook (ISBN: 1-931836-70-1); and MCSE Implementing and Administering Security in a Windows 2000 Network Study Guide & DVD Training System (ISBN: 1-931836-84-1). Robert is also a contributor to the forthcoming Building DMZs for Enterprise Networks (ISBN: 1-931836-88-4) and MCSA/MCSE Exam 70-292 Study Guide & DVD Training System: Managing and Maintaining a Windows Server 2003 Environment for an MCSA Certified on Windows 2000 (ISBN: 1-932266-56-9). Robert's specialties include network infrastructure design with the Cisco product line, systems engineering with Windows 2000/2003 Server, NetWare 6, Red Hat Linux and Apple OSX. Robert’s true love is in network security design and management utilizing products from the Nokia, Cisco, and Check Point arsenal. Robert is also an advocate of Network Management and loves to ‘sniff ’ networks with Sniffer-based technologies. When not doing something with computer related technology, Robert enjoys spending time with Erika and snowboarding wherever the snow may fall and stick.

Contents

Foreword Chapter 1 Introduction To Norton AntiVirus Corporate Edition (NAVCE) Introduction A Brief History of Computer Viruses Malware Viruses Worms Macro Viruses Trojan Horses Other Miscellaneous Malicious Programs Fighting Back with Antivirus Programs Commercial Antivirus Programs Computer Associates Network Associates Panda Software Freeware Antivirus Programs Antivirus Solutions and the Enterprise What’s New in NAVCE v7.6 Introducing Norton Antivirus Extensible (NAVEX) Engine Technology Centralizing Antivirus Administration The NAVCE Client/Server Architecture NAVCE Communication Methods Server-to-Server Communication Server-to-Client Communication Introducing Symantec Security Response Symantec Scan and Deliver

xxxi 1 2 2 3 3 5 5 6 7 9 10 11 11 11 11 13 15 16 16 17 18 19 19 20 22 xiii

xiv

Contents

Symantec AntiVirus Research Automation (SARA) Symantec Support for Operating Systems and Networks Supported Operating Systems for Clients DOS PCs Windows 3.x The Remaining Windows Family Supported Operating Systems for Servers Windows NT 4.0 and Windows 2000 Novell NetWare Support for Cluster Servers,Terminal Servers, and More… Windows NT 4.0/2000 Cluster Servers Novell NetWare Cluster Servers Windows NT 4.0/2000 Terminal Servers Citrix MetaFrame 1.8 Supported Networking Protocols Symantec AntiVirus Corporate Edition 8.0 Windows Client Support Windows Server Support NetWare Server Support Symantec Product Specialist Certification Information Exam Objectives Topic 1: Symantec AntiVirus Solution Topic 2: Installation Topic 3:The Discovery Process Topic 4: Updating Virus Definitions Topic 5: Scanning and Configuring Client E-mail Topic 6: Virus Scans Topic 7: Client/Server Communication Topic 8: Central Quarantine and Quarantine Server Topic 9: Alert Management System (AMS2) Summary Solutions Fast Track Frequently Asked Questions

22 23 23 23 24 24 25 25 26 26 27 27 27 28 28 29 30 30 31 31 32 33 33 33 33 34 34 34 34 35 36 37 39

Contents

xv

Chapter 2 Designing a Managed Antivirus Infrastructure Introduction Understanding NAVCE Server Groups Server Group Planning Considerations Choosing Servers to Be Part of a Group NAVCE for Windows NT/2000 NAVCE for NetWare Creating a NAVCE Server Group Creating or Changing a Server Group Password Planning NAVCE Server Roles Primary Servers Secondary Servers Master Primary Server Parent Servers Determining NAVCE Client Configurations Managed Clients Sometime Managed Lightly Managed Unmanaged NAVCE Licensing The Symantec Value Program Symantec Elite Program The Commit Option The Forecast Option Support for Decentralized Purchasing Product Offerings Summary Solutions Fast Track Frequently Asked Questions

41 42 44 45 46 47 47 48 49 52 52 53 54 57 57 58 59 59 60 61 64 66 67 67 67 68 70 71 72

Chapter 3 Implementing Symantec System Center and Alert Management System2 (AMS2) Introduction Understanding the Symantec System Center SSC Minimum Requirements Additional Requirements for SSC Snap-ins Recommended Configurations

77 78 79 81 83 83

xvi

Contents

Exploring SSC Features Discovery Services Server Groups Administration Task Initiation Managing Alerts Remote Capabilities Symantec Snap-ins for SCC AMS2 Snap-in The Norton AntiVirus Corporate Edition Management Snap-in Symantec System Center Console Add-ons Implementing SSC Uninstalling Legacy NAVCE and LANDesk Products Installing SSC Installing the AMS2 Snap-in Installing the Norton AntiVirus Corporate Edition Management Snap-in Installing Symantec System Center Console Add-ons Understanding SSC Services Running on Windows NT/2000 Servers Troubleshooting:The SSC Does Not Retain Configuration Settings Troubleshooting: If You Don’t See Clients in the SSC Uninstalling SSC Uninstalling the Norton AntiVirus Corporate Edition Management Snap-in Manually Uninstalling the SSC and Its Snap-ins The SSC Discovery Process The Discovery Cycle Load from Cache Only Local Discovery Intense Discovery IP Discovery Adding Clients on LANs without WINS Considering Network Bandwidth Utilization SSC Console Traffic

85 86 86 87 87 88 88 88 89 89 90 90 91 93 93 94 95 95 96 96 97 97 112 113 114 114 114 115 116 119 119

Contents

Server-to-Server Traffic Discovery Cycle Traffic NAVCE Client/Server Traffic NAVCE Server/Client Traffic Manually Generated Traffic: NAVCE Client Enumeration Manually Generated Traffic: Server Role Reassignment Manually Generated Traffic: Moving NAVCE Servers between Groups Manually Generated Traffic: Refreshing SSC Console Introducing Alert Management System2 Processing Alert Management Compatible AMS2 Alerts for each Operating System Implementing Alert Management System2 Uninstalling Alert Management System2 Configuring AMS2 Alerts Configuring Alert Messages Configuring Default Alert Messages Configuring AMS2 Message Box Alerts Configuring AMS2 Broadcast Alerts Configuring AMS2 Alerts to Run Programs Configuring the Load an NLM Alert Configuring the Send E-mail Alert Configuring the Send Page Alert Configuring for a Known Paging Service Configuring for an Unknown Paging Service Configuring Alerts for SNMP Configuring the Send SNMP Trap Alert Configuring Alerts for the Windows NT/2000/XP Event Log Managing Configured Alerts Testing Configured Alerts Exporting Alerts to Other Systems Introducing NAVCE Notification Methods Not Requiring AMS2 Customizable Messages Histories and the Event Log

xvii

119 120 120 120 121 121 122 122 123 123 124 125 127 129 130 132 133 134 134 135 135 136 137 137 138 138 141 141 142 142 143 143 143

xviii

Contents

Understanding Scan Histories Understanding Virus Histories Understanding Virus Sweep Histories Understanding the Event Log Summary Solutions Fast Track Frequently Asked Questions Chapter 4 Implementing Central Quarantine 2.01 Introduction Introducing Central Quarantine 2.01 Implementing Quarantine Console 2.01 Quarantine Console 2.01 System Requirements Recommended Configuration Installing Quarantine Console 2.01 Uninstalling Quarantine Console 2.01 Implementing Quarantine Server 2.01 Quarantine Server 2.01 System Requirements Recommended Configuration Installing Quarantine Server 2.01 Understanding the Quarantine Server Services Running on NT/2000 Servers Uninstalling Quarantine Server 2.01 Configuring Central Quarantine 2.01 Configuring Quarantine Server for Internet-Based Scan and Deliver Configuring Quarantine Server for Email-Based Scan and Deliver Configuring Submissions of Suspected Viruses to SSR Receiving and Testing Updated Fingerprints from SSR Configuring Managed Client PCs to Route Suspected Viruses to the Quarantine Server Troubleshooting Central Quarantine 2.01 Summary Solutions Fast Track Frequently Asked Questions

143 143 144 144 146 147 150 153 154 155 156 156 157 157 159 160 161 161 161 164 165 166 169 181 182 183 184 185 190 191 193

Contents

xix

Chapter 5 Implementing NAVCE 7.6 to Servers 195 Introduction 196 Understanding NAVCE 7.6 Servers 196 Windows NT / 2000 Server System Minimum Requirements 198 Utilizing Windows NT 4.0 Workstation or Windows 2000 Professional Systems as NAVCE Servers 199 Novell NetWare Server System Minimum Requirements 200 Implementing NAVCE 7.6 to Servers 201 Developing a Deployment Plan 201 Windows NT/2000 NAVCE Server Installation Considerations 201 Installing NAVCE 7.6 to Windows NT/2000 Servers 202 Configuring NAVCE 7.6 Servers 208 Uninstalling NAVCE 7.6 from Windows NT/2000 Servers 208 Uninstalling NAVCE Using the Command Line 209 Manual Uninstall 209 Understanding NAVCE 7.6 Registry Keys on NT/2000 Servers 212 NAVCE Registry Components 212 AddressCache Registry Key 213 ClientConfig Registry Key 213 DomainData Registry Key 214 Clients Registry Key 215 Children Registry Key 215 Understanding NAVCE 7.6 Services Running on NT/2000 Servers 217 Norton AntiVirus Server (rtvscan.exe) 217 DefWatch (defwatch.exe) 218 Intel Ping Discovery Service (pds.exe) 218 Introducing the grc.dat File 218 The grc.dat File 219 Summary 220 Solutions Fast Track 220 Frequently Asked Questions 223

xx

Contents

Chapter 6 Implementing NAVCE 7.6 to Client PCs Introduction Understanding NAVCE 7.6 Client PCs Check-in Intervals Intel Ping Discovery Service Communication Tools NAVCE 7.6 Client PC System Requirements MS-DOS Client PC System Requirements Windows 3.x Client PC System Requirements Windows 9x/Me/NT/2000/XP Client PC System Requirements Implementing NAVCE 7.6 to Client PCs Developing a Deployment Plan Installing NAVCE 7.6 to Client PCs Installing from an Internal Web Server IIS Web Server Client Installations Apache Web Server Client Installations Installing from a Client Disk Image on a NAVCE Server Remotely Installing NAVCE Client to NT/2000/XP Client PCs Installing the NAVCE Client Locally Installing the NAVCE Client through Logon Scripts Installing the NAVCE Client from Floppy Disks or a Self-Extracting Deliverable Package Understanding Third-Party Installation Methods Using Microsoft IntelliMirror to Deploy the NAVCE Client Using Microsoft Systems Management Server to Deploy the NAVCE Client Using Novell ZENworks for Desktops to Deploy the NAVCE Client Uninstalling NAVCE from Client PCs Understanding NAVCE 7.6 Registry Keys on NT/2000/XP Client PCs Windows 9x/NT/2000/XP

225 226 227 228 230 232 233 233 233 233 235 236 237 239 240 246 251 252 259 264 267 273 274 275 276 276 277 277

Contents

xxi

Understanding NAVCE 7.6 Services Running on NT/2000/XP Client PCs 279 Norton AntiVirus Server (RTVScan.exe) 280 DefWatch (defwatch.exe) 281 vpexrt.exe 281 vptray.exe 281 Testing Your Deployment 282 Summary 284 Solutions Fast Track 284 Frequently Asked Questions 287 Chapter 7 Upgrading from Prior Versions Introduction NAVCE Upgrade Considerations Testing Your Deployment Developing an Upgrade Plan Testing Your Rollout Planning Virus Definition Update Methods Upgrading from NAVCE 7.0 and 7.5 Upgrading from NAVCE 6.x Upgrading the Norton System Center Exploring Automatic Migration Options Upgrading from NAV for NetWare Automatically Migrating NAVCE Client PCs Upgrading 16-Bit Windows Client PCs Upgrading Windows 9x/Me Client PCs Upgrading Windows NT Client PCs Upgrading Unmanaged NAVCE Client PCs Upgrading Remote Client PCs Migrating from Third-Party LAN Antivirus Products Sample Project Plan for NAVCE Upgrade Identifying Project Resources and Major Tasks Determining Timelines Identifying Task Dependencies Summary Solutions Fast Track Frequently Asked Questions

289 290 291 292 293 293 295 297 298 299 299 300 301 302 302 304 305 306 309 310 311 318 320 323 323 326

xxii

Contents

Chapter 8 Configuring Your NAVCE 7.6 Environment Introduction Configuring NAVCE 7.6 Clients Installing a NAVCE Client in Unmanaged Mode Exploring and Configuring the NAVCE Client Configuring NAVCE Services Load Options File System Realtime Protection Options Enable/Disable File System Realtime Protection Configuring File System Realtime Protection Advanced Options Configuring File System Realtime Protection File Types Options Configuring File System Realtime Protection Actions Configuring File System Realtime Protection Virus Notification Message Options Configuring File and Folder Exclusions for File System Realtime Protection Configuring Drive Types for File System Realtime Protection Other Types of Scans and Clients Configuring Windows NT 4.0/2000 Cluster Server Protection Configuring Windows NT 4.0 Terminal Server Protection Configuring Windows 2000 Terminal Services Protection Enabling Terminal Services on a Windows 2000 Server Switching from Application Server to Remote Administration Mode Installing NAVCE on Windows 2000 Terminal Server Configuring NAVCE 7.6 Servers Configuring Multiple NAVCE Clients and Servers Configuring Roaming for NAVCE 7.6 Clients Features of Roaming Client Support Roaming Client Support Requirements Implementing Roaming Client Support Summary Solutions Fast Track Frequently Asked Questions

329 330 330 331 339 339 340 340 341 344 347 349 351 354 356 356 357 357 358 360 361 366 367 367 368 368 369 370 370 372

Contents

xxiii

Chapter 9 Securing Your NAVCE 7.6 Environment 375 Introduction 376 Evaluating Security Requirements for Your Organization 377 Determining Your Security Policies 378 Writing It All Down: Drafting Your Network Security Policy 381 Acceptable Use Policy 381 Internet Usage 382 Disaster Recovery Policy 382 Antivirus Policy 383 Identifying Threats to Network Security 383 Natural Disasters 384 Hackers 384 Social Engineering 384 Internal Threats 385 Viruses/Trojans/Worms 385 Network-Based Attacks 386 Developing a Security Solution for NAVCE 7.6 386 Designating a Server 387 Selecting a Network Protocol 388 Implementing Your Security Solution for NAVCE 7.6 391 Installing Central Quarantine Server 391 Configuring Central Quarantine Server 392 Configuring Firewall Settings 394 Enabling NAVCE Communication 394 Configuring LiveUpdate Access 395 Allowing Access for AMS2 396 Configuring Quarantine Server Ports 397 Securing NAVCE 7.6 Windows NT/2000 Servers 397 Locking Down the NAVCE Installation 397 Creating or Changing a Server Group Password 398 Hardening the Windows Operating System 399 Providing Physical Security for Your Windows NT/2000 Server 399 Configuring the Operating System for Maximum Security 400 Protecting Terminal Servers 403

xxiv

Contents

Restricting Virus Scans on Terminal Servers Managing Access to the NAVCE 7.6 Registry Keys on NT/2000 Servers Auditing Access to the Windows Registry Securing NAVCE 7.6 Novell NetWare Servers Enabling NetWare Servers to Forward to Quarantine Server Using the IPX Protocol Configuring FTP Downloads of Antivirus Updates for NetWare Servers Testing the FTP Function in Novell NetWare Securing Your NetWare Servers Securing NAVCE 7.6 Client PCs Monitoring NAVCE Client Definitions Preventing a User from Canceling a Virus Scan Managing Access to the NAVCE 7.6 Registry Keys on NT/2000/XP Client PCs Introducing the Reset ACL (resetacl.exe) Tool Special Considerations When Using the Reset ACL Tool Undoing resetacl.exe Changes Summary Solutions Fast Track Frequently Asked Questions Chapter 10 Updating Virus Protection Introduction Introducing the Virus Definition Transport Method (VDTM) The RTVScan Timer Loop Features of the Virus Definition Transport Method Configuring a Server to Use VDTM Introducing Symantec LiveUpdate LiveUpdate versus VDTM Considerations for Configuring LiveUpdate Configuring External LiveUpdate Configuring Internal LiveUpdate LiveUpdate Administration Utility Introduction and System Requirements

403 405 406 409 409 410 410 411 412 413 414 415 416 417 418 420 420 423 431 432 434 435 436 436 439 439 442 442 445 446

Contents

xxv

Installing Symantec LiveUpdate 1.5.3.21 Administration Utility Configuring LiveUpdate Using the LiveUpdate Administration Utility Configuring Servers and Clients to Connect to the Internal LiveUpdate Server Introducing Intelligent Updater Summary Solutions Fast Track Frequently Asked Questions

451 453 456 456 458

Chapter 11 Troubleshooting Your NAVCE 7.6 Environment Introduction Troubleshooting Basics DNS Issues Reverse Zones DNS Configuration Notes DNS Troubleshooting Applications Dynamic DNS and the NAVCE Environment Alternative Forms of Name Resolution DHCP Issues Directory Services Issues Firewalls and the NAVCE Environment Troubleshooting Servers Windows NT/2000 Servers Installation Errors Configuring a Primary NAVCE Server Verifying Check-in Frequency and keepalive Packets Verifying Client/Server Communication Inability to Communicate with Clients through the SSC Setting the Preferred Protocol Configuring Clients Combining 16-Bit and 32-Bit Clients Failed Notifications NAVCE Server Installation Issues Uninstalling NAVCE Server LiveUpdate Issues

461 462 462 463 466 468 470 478 479 482 483 483 486 486 486 487 487 488 489 490 491 492 492 493 496 500

447 450

xxvi

Contents

DUAL NIC Systems Additional Fixes Novell NetWare Servers Installation Issues Debugging NAVCE in NetWare NetWare Servers and Windows NT/2000 Configuring a Preferred Protocol for a NetWare Server Problems Conducting Scans in NetWare Servers Troubleshooting Client PCs Solving Hard-Drive Issues Printing Problems Problems Creating a Rescue Disk Scanning for Additional Files vptray Issues Placing a Shortcut in the Windows Startup Folder Exchange Server Issues Outlook Express Issues Windows Me and the Restore\Temp and _Restore\Archive Folders NAVCE Fails after Using the Windows Me/XP System Restore Feature Modifying Files Obtaining and Installing Old Definition Files NAVCE Installation Issues Registry Permissions NTFS Permissions Verifying Distributed Component Object Model Configuration Uninstalling Client Versions of NAVCE Uninstalling NAVCE from Windows NT/2000/XP Client Systems Uninstalling NAVCE from Windows 9x and Me Client Systems Troubleshooting Roaming Client Support Server List File Size Limits File Syntax

502 504 505 505 506 508 508 510 510 510 511 512 513 514 515 515 516 516 517 517 518 518 518 519 520 523 523 526 528 528 528

Contents

DNS Issues Fully Qualified Domain Names versus Host Names DNS and Duplicate Host Names Addressing Performance Issues Problems after Using LiveUpdate Maximum Number of Clients and the Registry Size Value Slow Client Logoff in Terminal Services Achieving Balance Page Faults and RTVScan Tracking Performance Improving Performance Accessing Information Databases Additional Symantec Search Engines Third-Party Search Engines Search Techniques Summary Solutions Fast Track Frequently Asked Questions

xxvii

528 528 529 529 530 530 531 532 532 532 533 534 535 536 536 537 537 540

Chapter 12 Scanning for Viruses and Handling Virus Outbreaks 545 Introduction 546 Virus Scanning Methods 547 Real-Time Scans 547 Scheduled Scans 549 Manual Scans 550 Configuring Computer Virus Scans 550 Configuring Manual Scans 550 Configuring Manual Scans from Symantec System Center 550 Configuring Manual Scans from the Client 556 Symantec Bloodhound Heuristics 557 Symantec Striker 558 Configuring Real-Time Scans 559 File Systems 559 Messaging Systems 563 Locking Real-Time Scanning Options 565 Configuring Scheduled Scans for Servers 566

xxviii

Contents

Scheduling Scans for Specific Servers Scheduling Scans for Server Groups Configuring Scheduled Scans for Client PCs Configuring Logon Scans Configuring Startup Scans Configuring Custom Scans Analyzing the Results of Computer Virus Scans Understanding Computer Virus Outbreaks Identifying Computer Virus Outbreaks Responding to Computer Virus Outbreaks Communicating the Outbreak Containing a Virus Outbreak Using Virus Sweeps Cleaning up a Virus Outbreak Understanding Alert Management Server2 Using Built-in Notifications Displaying Notification Messages to End Users Using the Virus History Feature Taking Actions Against Infected Files Recovering from Boot Sector Viruses Managing the Virus Outbreak Process Summary Solutions Fast Track Frequently Asked Questions

566 568 568 568 571 572 572 573 574 574 575 576 577 580 580 580 580 582 582 582 585 588 589 591

Chapter 13 Backup and Disaster Recovery Introduction Basic Principles of Backup and Disaster Recovery Creating a Baseline of Your Network Leaving Room for Growth Planning for Data Retention Creating a Workable Backup Schedule Creating a Tape Rotation Scheme Providing an Offsite Storage Location Striking a Balance Between Cost and Convenience Training Your Staff Involving Your Users in the Disaster Recovery Process

595 596 596 597 598 598 599 599 601 604 604 604

Contents

xxix

Testing Your Backups Designing a Disaster Recovery Plan Defining Mission-Critical Criteria for Your Organization Identifying Vulnerabilities Implementing a Backup Strategy Choosing Backup Software Selecting Hardware and Media Floppy Disks Hard Drives and Disks CD-R/CD-RW/DVD-R Iomega Drives Magnetic Tapes Jukeboxes, Stack Loaders, and the Like Magneto-Optical and Floptical Disks Creating a Backup Schedule Defining Support and Service Levels for Your Organization Backing Up Dedicated NAVCE 7.6 Servers Using NTBackup in Windows 2000 Using the Command Line to Schedule Backups Testing NAVCE Server Backup Jobs Restoring Dedicated NAVCE 7.6 Servers Summary Solutions Fast Track Frequently Asked Questions

605 606 607 609 610 610 611 612 613 613 613 614 615 615 616 620 622 622 629 631 633 637 638 640

Appendix A Norton AntiVirus 2003 and 2003 Professional Edition Introducing NAV 2003 and NAV 2003 Professional Edition System Requirements NAV 2003 System Requirements NAV 2003 Professional Edition System Requirements Installing NAV 2003 Preparing for the Installation Beginning the Installation First-Time Use Troubleshooting the Installation Configuring NAV 2003 LiveUpdate

643 643 644 645 646 646 646 648 652 657 657

xxx

Contents

Interactive versus Express Mode Configuring Auto-Protect Configuring SmartScan Configuring Bloodhound The Auto-Protect Advanced Window The Auto-Protect Exclusions List Window Configuring Script Blocking Configuring Manual Scan Options Configuring E-mail Protection Protecting Instant Messenger Traffic Configuring The Miscellaneous Section Password Protection for NAV 2003 Viewing Log Files Saving Your Changes:The Options File Troubleshooting NAV 2003 Uninstalling NAV 2003 Installing NAV 2003 Professional Edition Post-Install Tasks Configuring NAV 2003 Professional Edition Conducting a Full Scan Configuring the Norton Protected Recycle Bin Troubleshooting NAV 2003 Professional Edition Troubleshooting the Installation Troubleshooting the Configuration Uninstalling NAV 2003 Professional Edition Index

658 659 660 661 662 662 662 663 664 665 666 667 667 668 668 669 670 672 675 676 679 681 682 682 682 685

Foreword

We have all become accustomed to using computers for e-mail, writing, financial modeling, and data storage, as well as retrieving many types of data both at home and at work.These computers are typically connected to company networks and the Internet, normally 24 hours a day, 365 days a year.These same computers and networks, though designed to be accessible, were not necessarily designed to be secure— in other words, data security was not a primary focus during their development. Unfortunately, the security of online computing resources has been an issue since the early days of computer networks. It didn’t take long before the first computer worm appeared, and from that day forward, computers, and the networks they run, have needed protection against viruses,Trojan horses, and worms, whether automated or driven by unscrupulous users. This struggle between companies/users and malicious coders raises many concerns, such as: ■

Who is using your computer?



How secure is your data?



Are your corporate marketing plans or customers’ credit card numbers being copied across an unsecured network by a computer worm, or via a backdoor Trojan while you work?



Is Greyware (such as Spyware or Adware) infiltrating your corporate users’ computers via spam and causing the leakage of information by way of surfing and purchasing habits?

Many of these threats can be delivered by malicious code via corporate e-mail systems, public networks,Web sites, or shared corporate network resources.They can use either known or unpublished software vulnerabilities to exploit badly designed xxxi

xxxii

Foreword

software, all for the purpose of gaining control of a user’s computer. However, with all of the advancements in user education, antivirus software, and information security in general, we are still a long way from the trusted and secure computing services currently on the drawing board. The aforementioned problems are just some of the privacy and data security issues malicious code is connected with. A sound security policy encompassing software solutions, security policies, and employee work practices is essential in effectively combating these types of threats. But, as you likely know, relying on individual computer users to protect their own computers simply does not work. Antivirus software has been helping users protect themselves against malicious code since the first worms and viruses appeared on desktop computers in the late 80s and early 90s. Many vendors in the antivirus software industry have come and gone in the fight against viruses. Over the years, the Symantec Corporation has acquired several smaller antivirus and data security vendors for their unique technologies, culminating in the acquisition of IBM and Intel’s antivirus business in the latter part of the 1990s. Both of these acquisitions were to have a significant impact on Symantec’s approach to its enterprise software solutions; resulting in the birth of Norton AntiVirus Corporate Edition (NAVCE). NAVCE breathed new life into Norton AntiVirus, and the consumer and enterprise editions headed in different directions to satisfy two distinct needs: those of the average home user, and those of the corporate network administrator.The technologies acquired from Intel and IBM—enterprise antivirus software management and automated virus handling, respectively—were the keystones of this divergence.There are, however, several common components shared by the home and enterprise products, including the core virus scanning engine and the interfaces to the Digital Immune System (DIS), where new viruses are processed and updated virus definitions are created and distributed. These key components, along with comprehensive network management features, are the backbone of an effective enterprise antivirus software solution, and differentiate NAVCE in a highly competitive marketplace. NAVCE 7.6 gives network administrators control over the client side of the antivirus scanning product, enabling planned and controlled rollouts of product upgrades and virus definition updates. Clients can be locked down so users cannot turn off the antivirus protection or alter the settings of the antivirus software. PC administrators can run regularly scheduled virus scans to supplement on-access scanning, and view virus activity on their client base using centralized reporting and quarantine tools.

www.syngress.com

Foreword

xxxiii

NAVCE continues to evolve with Symantec AntiVirus Corporate Edition (SAVCE) versions 8, 8.1, and 8.5, offering additional functionality that provides comprehensive virus protection for workstations and network servers enterprise wide Version 8.5 not only improves the speed of virus scanning as well as the delivery speed of virus definitions to workstations, but also reduces the size of these updates, and adds digital signatures to them. All this with an enhanced protection of configuration settings which offers such valuable features as the ability to re-enable real-time virus protection. It also provides improved manageability and deployment while simultaneously requiring fewer servers. These are all improvements on the tried and tested NAVCE 7.6, which Configuring Symantec AntiVirus Enterprise Edition teaches you how to implement, upgrade, and configure in a diverse network environment.The authors of Configuring Symantec AntiVirus Enterprise Edition have experience implementing and managing NAVCE installations in enterprises that range from 50 to 5000 users with multiple servers, and have hands-on experience with the day-to-day operation of NAVCE, from installation to troubleshooting to infection recovery. Whether you are managing an existing NAVCE 7.6 configuration or implementing SAVCE version 8.x, this book will help you get the most out of your software installation, allowing you to maximize your virus protection while minimizing both the cost of ownership and your own workload. —David Banes Symantec Security Response Asia Pacific Regional Manager

www.syngress.com

Chapter 1

Introduction To Norton AntiVirus Corporate Edition (NAVCE) Solutions in this chapter: ■

A Brief History of Computer Viruses



Fighting Back with Antivirus Programs



Antivirus Solutions and the Enterprise



Centralizing Antivirus Management



Introducing Symantec Security Response



Symantec Support for Operating Systems and Networks



Symantec AntiVirus Corporate Edition 8.0



Symantec Product Specialist Certification Information

; Summary

; Solutions Fast Track

; Frequently Asked Questions 1

2

Chapter 1 • Introduction to Norton AntiVirus Corporate Edition (NAVCE)

Introduction At some time in the last 15 years many of us blinked, and upon opening our eyes we found the world on the verge of becoming one large network. Public and private networks were interconnected both far and near, and now in your corner of this interconnected puzzle, virus protection for the network has become your responsibility. With numerous unforeseeable viruses attempting to infiltrate your network, providing reliable and secure virus protection should be one of your top concerns. Norton AntiVirus Corporate Edition 7.6 (NAVCE) propels the terms “reliable” and “secure” to an exceedingly higher level. NAVCE can help protect your network, both servers and clients alike, with the most up-to-date protection in a completely automated environment. With a well-designed and implemented deployment of NAVCE, worrying about virus protection for your network will be history. NAVCE provides a truly proactive approach to your virus protection needs that won’t leave you scrambling for answers when a virus threat arises. Understanding computer viruses, and what they are capable of, can provide you with a clearer understanding of why a product such as NAVCE should be introduced into your network structure.

NOTE This book is intended to introduce you to the NAVCE 7.x AntiVirus software. It will provide you with the finer particulars to help you utilize the software to proactively and reactively guard your network from virus threats. Additionally, this book provides information necessary for you to pass the Symantec Product Specialist certification Exam 250-011.

A Brief History of Computer Viruses As computers became more popular in the home and workplace, viruses followed them in through the door. Viruses are nothing more than moderately small programs designed to disrupt and alter the functionality of a computer. The word malicious is defined by Merriam-Webster’s Collegiate Dictionary as: given to, marked by, or arising from malice. Additionally, malice is defined as: The desire

www.syngress.com

Introduction to Norton AntiVirus Corporate Edition (NAVCE) • Chapter 1

to cause pain, injury, or distress to another—or—the intent to commit an unlawful act or cause harm without legal justification or excuse.There are thousands of viruses floating around the networks of the world, and a great percentage of them fall into this definition. However, not all viruses are malicious, some are just disruptive. Others, however, are not only disruptive, but destructive at heart, designed to destroy the recipient’s system.

Malware Malware comes from the phrase “malicious software.”The term is functional in covering an entire scope of aggressive software such as Trojan horses and worms. Though malware’s definition may vary, it basically describes any software or code that is specifically designed to damage and/or disrupt a system.The overall problem with this generic definition boils down to a simple issue: how one receives the malware, and whether the sender’s intensions were malicious. Hypothetically, in order to better understand malware, let’s say we have constructed a secure networked lab environment so we can write, test, and study such programs. In our excitement of breaking a code we have been studying and reinventing a specific malware program, we send our findings along with the program itself to all of our co-authors, and forget to add an appropriate subject line to the e-mail warning the recipients of the e-mail’s content. Surely, our intent was to share our findings with our peers, and not to cause any destruction to their systems. However, upon opening the e-mail and watching their entire system being formatted before their eyes, others might not perceive the issue in the same manner as we did.The program itself was purely malicious, but our intent was not. Does that make it malware? What if we had clearly warned the recipients of the email’s attachment and they chose to open it in an unsecured environment? Is it then considered malware? This is a very tricky question, with no clear-cut answer. No matter how you perceive the generic definition offered in the previous paragraph, it is fair to say that most viruses—worms,Trojan horses, and macro viruses alike—are malware.

Viruses For viruses to efficiently perform the devious functions their creators intend, they somehow need to be executed. Once executed, most viruses will attempt to replicate themselves throughout the computer and ultimately (if interconnected to other computers) onto the network. Viruses are activated when an infected program is loaded into memory and executed either by its own code or by the www.syngress.com

3

4

Chapter 1 • Introduction to Norton AntiVirus Corporate Edition (NAVCE)

hands of the user.Though we will discuss several types of viruses in this subsection, it should be noted that all viruses adhere to one, if not both, of the following characteristics: Though there are several recognized types of viruses, they all fall into two major categories. ■

Viruses that are not destructive but can be disruptive



Viruses that are destructive and destroy data

Notes from the Underground… Aggravating Viruses During my teaching years, I grew accustomed to using removable hard drives. I had different hard drives set up for each individual class I taught, one for my Novell classes, one for my Windows 95 class, and so on. This made it particularly easy on instructors (myself included) when moving from classroom to classroom. Windows 98 had just been released and I couldn’t wait to assist in co-writing the course. However, I foolishly forgot to install an antivirus program onto the new hard drive that I had set up to teach this new course. The hard drive became seriously infected with the W97M.Class.A.Gen virus (a.k.a., the Class.Poppy or Woobie virus). No data was destroyed, however attempts to save Microsoft Word 97 documents resulted in pop-up windows that directly insulted me by name. Additionally, nearly one hundred files were created inside the “My Documents” folder bearing the names of Document1, Document2, and so on! In a non-networked environment, I’ll take a malicious macro over this aggravation any day of the week! To avoid the aggravation altogether, always have some form of virus protection on your computers.

No matter how you categorize viruses, they all have a similar task in mind, to disrupt the normal flow of data processing. For this reason alone, you should take every step possible to eradicate these threats and prevent them from attacking your systems. Most viruses will attach themselves to other programs that are routinely executed.These routinely executed programs and files will most commonly have extensions such as .EXE, .COM, and .DLL.These files can enter your www.syngress.com

Introduction to Norton AntiVirus Corporate Edition (NAVCE) • Chapter 1

systems by users downloading an infected file from a Web site or bulletin board, or users introducing infected disks into a floppy drive.

Worms A worm is a program whose primary function is to replicate its code. Depending on how the worm was written, it will perform this replication from drive to drive or even by using some form of transport mechanism such as e-mail. Quite often, a worm arrives into a system in the form of what appears to be a harmless piece of software such as a “joke program” sent by a known source in the form of an e-mail attachment.These devils are destructive in nature. Worms are designed to replicate themselves throughout a system’s disks and memory, attempting to use up all of the infected machine’s resources and , if successful, eventually crash the system.The most notorious worm to date is unequivocally the Klez family of viruses. Most of the Klez worms exploit vulnerabilities found in Microsoft’s Outlook and Outlook Express programs.This is particularly true of the W32.Klez.A@mm worm, which will attempt to execute itself when you open or preview an infected message.The Klez.A worm execute its payload on the thirteenth of January, March, May, July, September, and November.The damage from this worm causes files on local and mapped drives to become zero bytes in size. When this or any virus strikes your system, patches and fixes to assist in the eradication of the infection can be easily downloaded from http://securityresponse .symantec.com

Logic Bombs When discussing worms, one must make mention of logic bombs. These are program routines that destroy data when certain conditions are met. For example, a logic bomb may reformat your hard disk or insert random code into files on a predetermined date. Most viruses are logic bombs because they unleash their damage after a specific lapse in time or when a trigger event occurs during the common use of the computer.

Macro Viruses Some of the newer viruses in the computer world are macro viruses. Macro viruses are extremely common and eliminating them from networks has been known to cost companies a great deal of administrative overhead. When Microsoft introduced Visual Basic into its release of Office 97, even low-level hackers were provided with a tool, which allowed for the creation of malicious

www.syngress.com

5

6

Chapter 1 • Introduction to Norton AntiVirus Corporate Edition (NAVCE)

code that was simple to write and easy to deploy. Macro viruses are Visual Basic for Applications (VBA) script files that provide easy access into a computer.Though macro viruses were originally designed to infect the Microsoft Office suite of applications (that is, Microsoft Word, Microsoft Excel, Microsoft Access, and so on), newer strains have been written to infect other programs as well. The two most well-known macro viruses from recent years have been Melissa (W97M.melissa) and the ILOVEYOU (VBS.LoveLetter) viruses.

Trojan Horses Trojan horses are best described by the age-old analogy of “a wolf in sheep’s clothing.” When introduced to your system, the form of the Trojan horse appears to be a file of desirable, or even useful, content. Once unleashed, the damage can be of a terrific nature, the Trojan horse deleting, destroying, or sometimes even “stealing” your data. On a positive note,Trojan horses do not replicate themselves. For this type of malicious code to spread you would have to bring it directly into your system, most commonly by the simple act of opening an e-mail attachment. One notable example of a Trojan horse is the program Back Orifice. Released in 1997 by the Hacker group “Cult of the Dead Cow” (CDC), Back Orifice 2000 (from here on referred to as BO2K) is a powerful remote-administration tool used by many underground hackers. BO2K is broken down into two functional parts. A small and virtually invisible “server” piece that runs on the recipient’s system, and a client-end piece that runs on the hacker’s computer.The server software is a small program that secretly installs itself on a recipient’s system and runs even after a system reboot. It can attach itself to any Windows executable, which will run normally after its installation.This means the server-side piece can creep in just like other viruses, completely undetected. BO2K runs over any User Datagram Protocol (UDP) port but will default to using port 31337. Once installed, hackers can type in commands, and the command is the only thing that is sent to the system running the server software.The recipient, or victim’s computer then translates the command and sends back status messages or other pertinent information, depending on the command that had been sent.The hacker can initiate numerous commands, resulting in such outcomes as producing a directory listing, a list of running processes, a process termination, and keystroke logging. BO2K also supports the ability to write custom dynamic link library (DLL) plug-ins to extend the flexibility of the program. Here’s another hypothetical scenario. Say that you have a salesperson at your company who has access to a great deal of sensitive documentation and financial www.syngress.com

Introduction to Norton AntiVirus Corporate Edition (NAVCE) • Chapter 1

records on your network. Additionally, this individual uses a laptop as their primary workstation and does a large amount of traveling with the laptop. Unbeknownst to the individual, the BO2K Trojan has entered the device and has been silently running on the laptop, logging all its keystrokes.The individual then returns to your main office after a lengthy sales-related trip and reattaches the laptop to your enterprise network.This done, the devious hacker, who has waited patiently for the infiltration of the device, can attempt, in most cases successfully, to gain access to your company’s bank-account numbers… hypothetically, that is. What makes the deployment of a program such as BO2K even easier is if the hack is done as an “inside job.” It’s not uncommon for hacking attempts to be made by “trusted” employees. Let’s face it; all employees are not necessarily trustworthy. A disgruntled insider with a little bit of knowledge could launch an attack on an unprotected system, making their way into an infinite amount of company data and exposing sensitive documentation such as executive salaries. Internal hackers have several advantages working on their side.They can easily obtain knowledge of the network just from knowing the “right person” in the “right department.” Furthermore, with the right “water-cooler” skills, such employees could maintain an apparently non-network–threatening relationship with key members of the IT department. Most notably, the worst part of an inside attack is that the individual running the software is already behind your firewall. The BO2K program and its source code can be downloaded from www.cultdeadcow.com/tools/bo.html, so it’s not a bad idea to filter this site from your proxy server. Backdoor.SubSeven is another Trojan horse that is quite similar to BO2K. It grants a hacker (or any unauthorized individual) access to a computer over the Internet. When the server portion of the program is properly installed and running on a computer, it is possible for the hacker to accomplish tasks such as editing the Registry, setting up the computer as an FTP server, browsing its file system, taking screen shots, opening and closing programs, editing a currently running program’s information, and even restarting the system.

Other Miscellaneous Malicious Programs One mustn’t forget boot sector and master boot record viruses when discussing malicious programs. Even a less protective antivirus solution could easily eliminate these, the predecessors of today’s more complicated viruses. Both types of “boot” viruses are memory-resident viruses and were primarily written for DOS systems. However, no matter what operating system you are using, all computers are potential targets for these types of viruses. www.syngress.com

7

8

Chapter 1 • Introduction to Norton AntiVirus Corporate Edition (NAVCE)

Boot sector viruses virtually take over the system area of a floppy or hard disk.The virus will attach itself onto a small program within the boot record that is run each time you startup from the disk. Once the virus has firmly planted itself into memory it can cause damage to other disks. Any non-write–protected floppy disks that are introduced into the system, which you attempt to write to, will in turn receive the virus. Master boot record viruses are quite similar to the boot sector variety, with one distinct difference: the location in which they dispense the infected code. Master boot record viruses usually save the original boot record to a new location, replacing it with an infected version, which in turn baffles the computer when booting. Examples of both types of boot viruses include Stoned, Baboon, KillRoy, and NYB.

Damage & Defense… Virus Hoaxes Virus hoaxes are false (and usually quite ridiculous) messages that are almost always sent via e-mail. In most cases, they are the equivalent to (if little more than) a bad chain letter. An Internet user, who has little, if no knowledge of true viruses, commonly forwards these hoaxes. These messages are usually sent out of fear and in the hopes of warning friends of the possible danger, which was probably the e-mail creator’s intent in the first place. Some common phrases used in hoaxes are: ■

If you have accidentally received an e-mail titled (name of hoax), do not open it!



Delete immediately!



The virus will delete everything on your hard drive!



Today (any reputable organization) announced the threat of this new virus…



Forward this to everyone in your address book!

There is nothing worse then one of your end-users receiving an e-mail, which panics them into deleting system-oriented files from their computers. A similar scenario happened at my current place of Continued

www.syngress.com

Introduction to Norton AntiVirus Corporate Edition (NAVCE) • Chapter 1

employment. You may have heard of the “Teddy Bear” virus hoax email—unfortunately, one user on our network had not. It all started with an e-mail that read as follows: “I found this little bear in my machine, and because of that I am sending this message in order for you to find it in your machine. The procedure is very simple: The objective of this email is to warn all Hotmail users about a new virus that is spreading by MSN Messenger. The name of this virus is jdbgmgr.exe and it is sent automatically by the Messenger and by the address book, too. The virus is not detected by McAfee or Norton and it stays quiet for 14 days before damaging the system.” The e-mail goes on to warn the recipient of how they desperately need to delete this item from their computer before it unleashes its wrath. The file referenced by the hoax is Jdbgmgr.exe, which happens to be the Microsoft Debugger Registrar for Java. In most cases, deleting Jdbgmgr.exe on the average computer will have no adverse effects, and reinstalling it is actually quite simple. However, what if the e-mail referenced a critical system file? I’ve met 5th graders with more computer savvy then many CEOs, and the last thing I need in my daily IT rounds is for a call to be placed with the helpdesk stating that the CEO’s computer won’t restart because he got rid of his teddy bear! You should always warn your end-users to ignore virus threats that come from any other source then the IT department. Most hoax e-mail warnings rarely stray from this simple pattern. If you wish to verify the authenticity of a virus or a hoax, search for the potential virus name with Symantec’s Security Response Hoax page at www.symantec.com/ avcenter/hoax.html.

Fighting Back with Antivirus Programs An antivirus program is software that guards your computer (or your entire network) from the endless threat of viruses that constantly bombard you and your systems. Antivirus programs are designed to seek out and categorize potential viruses as they attempt to enter and wreak havoc on your systems. With the overabundance of antivirus programs available to you, a great deal of time could be spent just trying to determine which product suits you and your needs. In this next section, we discuss both commercial and freeware solutions that could suit not only the largest enterprise networks, but the stand-alone home user as well.

www.syngress.com

9

10

Chapter 1 • Introduction to Norton AntiVirus Corporate Edition (NAVCE)

Commercial Antivirus Programs If you are looking for a corporate solution, or better yet, an Enterprise-wide solution to your antivirus needs, you are definitely in the market for a commercial antivirus program. A commercial antivirus program is software that you would purchase at a cost, and depending on whether you are protecting one computer or an entire network, that cost could vary greatly. Programs such as Norton AntiVirus 2003 (shown in Figure 1.1), which is intended for the home Internet user, has a suggested retail price of $49.95. As for a corporate solution, the Panda Software Enterprise Suite (with a perpetual license) is intended for large enterprise networks and retails for around $990. Figure 1.1 Norton AntiVirus 2003

Notes from the Underground… You Ask “What Do I Use?” Somewhere around late 1999, I became dissatisfied with the numerous different antivirus programs I had used on my home systems. That’s when I switched over to Symantec’s Norton AntiVirus. It should be noted that Norton AntiVirus is considered to be the world’s most trusted antivirus solution. This claim is based on NPDTechworld’s Top Selling Business Software list generated from October 1999 through June 2002, which listed the product as the top-selling retail antivirus software product in the world. This IT industry based marketing information site can be accessed at www.npdtechworld.com.

www.syngress.com

Introduction to Norton AntiVirus Corporate Edition (NAVCE) • Chapter 1

Computer Associates Computer Associates (CA) offers a variety of antivirus solutions on their website (www.cai.com). InoculateIT Advanced Edition and eTrust InoculateIT are the current antivirus contenders offered by CA.Advanced edition is designed for mid- to large-sized organizations that have multiple servers and workstations. It provides centralized management functionality designed to ease the protection of large networks against virus attacks. With the advanced edition, large-scale deployment is simplified with the single-point remote installation of all servers, clients, and antivirus agents. eTrust InoculateIT is CA’s award-winning antivirus solution. eTrust InoculateIT has been designed to reduce virus infections, and simplify and automate updating virus signatures. Extensive features include multiple scanning engine support, realtime detection with system cure, and centralized event logging and alerting. eTrust InoculateIT addresses all the potential points of entry for virus attacks, from desktops to servers.

Network Associates Network Associates (www.nai.com) is better known to the computer purchasing public for their wildly popular McAfee line of products. Current programs offered by Network Associates are VirusScan Professional 7.0 and the Total Virus Defense (TVD) Suite. VirusScan Professional 7.0 was created for small businesses and home networks, which have multiple computers. It allows you to protect your computer and safeguard your business and personal data. It is a more “network-oriented” version of the popular McAfee VirusScan and protects up to five PCs. The TVD suite was designed to protect large-enterprise networks with virus security and a multi-tier defense system, safeguarding data at every point of entry. With features too numerous to mention, its largest drawback is that it is only available in the United States and Canada.

Panda Software Panda Software (www.pandasoftware.com) is the “new kid on the block.”This software upstart has been slowly conquering the antivirus market, campaigning behind the slogan “Ridding the planet of viruses!”They offer numerous antivirus programs for homes and businesses.

Freeware Antivirus Programs The best things in life are free! And freeware is just that: free downloadable software from the Internet.There are literally hundreds of free antivirus programs www.syngress.com

11

12

Chapter 1 • Introduction to Norton AntiVirus Corporate Edition (NAVCE)

that are easily downloaded with a simple mouse click, and finding them couldn’t be simpler. When cruising around the information superhighway searching for freeware, the Web site www.TheFreeSite.com (see Figure 1.2) offers several freeware antivirus programs.The following list is only a sampling of the antivirus software available on the site: ■

AVG Free Edition



Symantec CarrierScan



SurfinGuard



VCatch Basic



AntiVir Personal Edition.

Figure 1.2 TheFreeSite.com

Be advised that most freeware antivirus products are limited in their functionality and simply do not have the extensive features offered by their commercial counterparts.

NOTE AntiVir can also be obtained at www.free-av.de—however, you better be able to read German!

www.syngress.com

Introduction to Norton AntiVirus Corporate Edition (NAVCE) • Chapter 1

Antivirus Solutions and the Enterprise Making a stand-alone personal computer with Internet connections impervious to viruses is a simple enough task. All you really need in most cases is a CDROM drive, the software, adequate intelligence, and about five minutes. However, securing an enterprise network consisting of numerous servers, and hundreds (if not thousands) of clients, can be an overwhelmingly daunting task. Norton AntiVirus Corporate Edition is designed to ease the deployment of such a scenario.This powerful enterprise solution not only facilitates the deployment of the product to your servers and clients without having to physically attend to those computers, its numerous features provide hassle-free management and up-to-date viral security protection throughout your network.

Designing & Planning… The Best Laid Plans The design, planning, and deployment of NAVCE into your network should be done with as much attention to detail as you used in designing and implementing your enterprise network itself. Too often I have witnessed peers treating the deployment of a software product onto an enterprise network’s structure like it was a freeware game being loaded onto a personal computer. Implementing NAVCE 7.6 into your mid- to large-sized Enterprise network will only be an easy task if you take the time to completely plan out the deployment of the software. Understand and plan in advance which servers will assume prominent roles in your NAVCE design. Make sure all servers and clients meet minimum (if not recommended) requirements to run the software, and take the appropriate steps necessary to upgrade any computers that fall short of these requirements. Take the time to cover every aspect of the deployment, leaving no stone unturned. A well-planned deployment of NAVCE will greatly reduce the administrative over-head that you and your IT department currently spend managing virus protection security. Figure 1.3 clearly shows that there is a level of complexity here when you lay out the design. For instance, look at the difference in the components: 1. LiveUpdate Server Connection (used to get new virus definitions) Continued

www.syngress.com

13

14

Chapter 1 • Introduction to Norton AntiVirus Corporate Edition (NAVCE)

2. Master Primary Server 3. Primary Server 4. Secondary Server 5. Clients (Managed) Workstations

Figure 1.3 Viewing a NAVCE Hierarchy 1

2

3

4

5

It is imperative you understand all the components of NAVCE and how they work together (this will be explained throughout the book). The NAVCE product, when laid out correctly in the design stage, will deliver you full functionality at the end of the deployment. If you cut corners and do not prepare for the deployment, you may find that many of the services you wanted to work a specific way may not work at all. The NAVCE product is very large and can be complicated. You should make every attempt to design the rollout before you actually go live with the deployment. It will help you clearly plan out what you need to install and set up, and where all the components need to be placed for the system to function as advertised.

www.syngress.com

Introduction to Norton AntiVirus Corporate Edition (NAVCE) • Chapter 1

What’s New in NAVCE v7.6 ALERT! ALERT! You’ve just received an alert message from NAVCE! You’ve been alerted that a client in a remote location has been infected with a nasty little .kak worm. Do you pick up the phone and call your desktop support team in that location? No need. From the comfort of your computer, simply launch the Symantec System Center (SSC) console and read the virus history log on the infected computer. While viewing the computer’s virus information, why not run a full virus scan on the computer just for good measure and check the quarantine to determine what path on the local machine the virus originated from? Network administrators’ dreams do come true! Before we discuss several of the features in NAVCE, let’s look at the additions made to version 7.6. Table 1.1 lists some of the new features that have been introduced to NAVCE v7.6. Table 1.1 New Features of NAVCE v7.6 New Features

Description

Client Support

NAVCE 7.6 extends support to your newer Windows XP and Windows Me clients. Additionally, there is now added support for mobile clients on your network. With NAVCE 7.6, you have the ability to run the software on Microsoft Windows NT 4.0 Terminal Server edition and also on Windows 2000 Terminal Services. This feature provides the capability to set how many days NAVCE will remind you that a new virus had been found on the network. Virus Found alerts will appear every three days, by default. This feature allows you to import a text file containing a list of computer IP addresses that you have pre-selected for installation of the NAVCE software.

Terminal Server Support

Virus Found Alerts

IP Address Importing

NOTE IP address importing was designed for Windows NT 4.0 and Windows 2000 Server, and is not intended for use with Novell NetWare.

www.syngress.com

15

16

Chapter 1 • Introduction to Norton AntiVirus Corporate Edition (NAVCE)

Introducing Norton Antivirus Extensible (NAVEX) Engine Technology The NAVEX Engine Technology is a virus-scanning engine the actually reprograms the NAV engine to detect new classes of viruses.This new Engine Technology enables the rapid deployment and automatic updating of the existing NAV scanning and repair engines in the course of regularly updating your virus definitions. It allows for the creation of a single shared scanning and repair engine across multiple tiers of your network.This task is performed while eliminating the need to uninstall and reinstall existing software. Additionally, you will not need to install new software or be required to reboot any of your systems for this task to complete.This feature will not only maximize your systems’ uptime, it will ultimately minimize your total cost of ownership. Simply stated, NAVEX extends the NAV engine to detect new classes of viruses without requiring major updates. All you need to do is update virus definitions to add new protection to your system, and let your network go about its business.Your servers will automatically communicate these new updates to each other, and in turn pass them along to their clients. With so many variations of existing viruses having the ability to propagate themselves rapidly, and with new viruses arriving on the scene daily, worrying about your network’s ability to stop viruses in their tracks can have you pulling your hair out. But by utilizing antivirus technology of this level, you can truly put your mind at ease.

Centralizing Antivirus Administration What makes NAVCE an attractive solution for your networking needs is its capability to be centrally administered. Having the ability to monitor all your servers and clients from the comforts of your own work area using a single application speaks for itself. Whether monitoring clients to launch virus scans, or rolling out an installation directly onto a remote server, the need to physically move from computer to computer is eliminated. This centralized management solution is accomplished by using the Symantec System Center (SSC) program, as shown in Figure 1.4. SSC takes advantage of Microsoft’s existing technology by utilizing the Microsoft Management Console (MMC) framework.This provides you with the ability to manage your entire enterprise NAVCE solution from any Windows NT/2000 or XP Professional computer. Even though it is only necessary to install SSC onto one computer, www.syngress.com

Introduction to Norton AntiVirus Corporate Edition (NAVCE) • Chapter 1

you can install it on as many computers as needed in order to accommodate your administrative requirements. For more information on the SSC, see Chapter 3, “Implementing Symantec System Center and Alert Management System2 (AMS2).” Figure 1.4 Symantec System Center Console

The NAVCE Client / Server Architecture There are several components involved in the client/server architecture of NAVCE.This system hierarchy (shown in Figure 1.5) starts at the top with server groups.You can use server groups to organize your servers into more manageable sections of your network. Servers can be grouped by location, operating system platform, or even set up to accommodate multiple administrators who are responsible for specific servers on your network. Each group must have a server designated as the primary server or as the entire hierarchy’s master primary server. There can be only one master primary in the hierarchy. Primary servers are used for retrieving and dispensing virus updates to all other servers in your system hierarchy. All other servers within the group are designated as secondary servers. Secondary servers are children in the pecking order.They retrieve updates from their designated primary servers and dispense that information to their clients.

www.syngress.com

17

18

Chapter 1 • Introduction to Norton AntiVirus Corporate Edition (NAVCE)

Figure 1.5 A System Hierarchy

Damage & Defense… Prevention Means Protection Don’t be the individual to point the finger of blame when a virus destroys your company’s data. The CIO of the company I currently work for recently said to me (and I paraphrase), “Blame never solved anything.” It doesn’t take a big distraction within your hectic IT schedules to forget to update your virus definitions…for a day or two. That’s all it takes for a virus to do its damage. Utilizing the SSC console, you can configure a primary or master primary server to automatically connect to Symantec’s FTP site to download updated definitions for you on a daily basis. Now, that’s protection.

NAVCE Communication Methods Once you have deployed NAVCE 7.6 throughout your network, you might wonder how communications takes place between your NAV servers and your computers running the client software.

www.syngress.com

Introduction to Norton AntiVirus Corporate Edition (NAVCE) • Chapter 1

Server-to-Server Communication Servers communicate within their designated groups. Using the SSC, you can control how often, and at what time of the day, servers within a group will contact other servers to ensure they are running the latest updates available. This is achieved by creating a hierarchy system that the servers adhere to.The hierarchy determines which servers will obtain data from others. Assigning a server one of the following specific roles will accomplish this chain of command: ■

Master primary server



Primary server



Secondary server



Parent servers

NOTE For more information on server types within a server group, see Chapter 2, “Designing a Managed Antivirus Infrastructure.”

Server-to-Client Communication Clients communicate directly with their parent server. Once the client software has been installed onto a computer, the NAVCE real-time protection service will handle that communication. A 32-bit client does not need to be logged into, or even map drives to its parent server to receive virus definition updates or to send alert messages to that server. However, 16-bit clients cannot pass along or receive NAVCE data unless they are logged onto the parent server. By default, all client/server communications take place on predetermined ports. IP will use port 2967, whereas IPX will default to port 33345. If either of these ports happens to be in use, a random port will be acquired to allow the communication session to occur.

www.syngress.com

19

20

Chapter 1 • Introduction to Norton AntiVirus Corporate Edition (NAVCE)

Introducing Symantec Security Response Symantec Security Response (SSR) is the service formerly known as Symantec AntiVirus Research Center (SARC). SSR is considered by many to be the world’s leading Internet security research and support organization. SSR is a service that provides boundless information on known viruses and is continually developing technologies to eliminate these threats. Additionally, SSR is dedicated to educating the public on safer computer practices. When new computer viruses appear, SSR creates identification and detection methods for these viruses, and provides a repair or delete operation against the threats. Virus definition updates are available to all users of Norton AntiVirus products. Symantec also provides its users with updated virus definitions completely free of charge.These definitions are easy to obtain and install, and are updated regularly by SSR. For information on security advice, viruses, and hoaxes, visit the SSR Web site at http://securityresponse.symantec.com, as shown in Figure 1.6. Figure 1.6 Security Response Web Site

SSR collects virus samples from many different sources to analyze them before they become a threat to the general public.To assist SSR researchers in www.syngress.com

Introduction to Norton AntiVirus Corporate Edition (NAVCE) • Chapter 1

this undertaking, Symantec has developed a sophisticated series of web spiders over the years. One of Symantec’s first spider technologies was called Seeker.The Seeker program was written in JAVA, a programming language specifically designed for use on the Internet. Seeker allowed SARC to utilize the Internet as a resource for virus sample gathering. Seeker collected virus samples for examination by checking known virus transmission sites and combing other parts of the Internet for suspect malicious files.

Designing & Planning… For Lack of a Better Term… Web spiders (a.k.a., wanderers, worms, and robots), are actually computer programs that navigate the Internet retrieving documentation based upon specific search criteria, and then subsequently retrieve all other documents referenced in the search. Spiders obtain data from Web sites using the Hypertext Transfer Protocol (HTTP), the standard protocol for document retrieval on the Internet. However, the term spider typically gives individuals false, or even bad, impressions. One false supposition is that the program moves swiftly from site-to-site, multiplying the way a real spider might. Strangely enough, these are characteristics of a virus! Perhaps that is why they are also known as worms. As for bad impressions, knowing the amount of people who suffer from even the slightest form of arachnophobia, one might wonder why the more appropriate term “robot” wasn’t the clear winner when it came to labeling. Instead, playing on the words World Wide Web, the term “spider” won out against the competition. As for me, I still want to meet the Microsoft developer who coined the phrase “Thunk Layer”!

Another more advanced method, developed in 1997, is the Bloodhound system. Bloodhound, unlike Seeker, detects viruses by studying files for virus-like behavior. Since most viruses only spread under specific circumstances, Bloodhound actually coaxes possible viruses into demonstrating their malicious intent. If a program demonstrates any virus-like characteristics, the code is sent to the Symantec AntiVirus Research Automation (SARA) system or a SSR virus researcher for www.syngress.com

21

22

Chapter 1 • Introduction to Norton AntiVirus Corporate Edition (NAVCE)

additional analysis.This trial and error system has been shown to detect a high percentage of new, unknown viruses.

Symantec Scan and Deliver All Symantec AntiVirus programs are designed to isolate or quarantine any code entering the system which it deems infected. An item will only be quarantined when the system is unable to repair the infected code using its current set of virus protection definitions. Once data has been moved to the Central Quarantine, the incurable viruses can be submitted to SSR for analysis.The theory here being that if there isn’t a cure, Symantec will attempt to find one.This technology built into NAVCE is known as Scan and Deliver. NAVCE uses one of two configurable methods for submitting samples to SSR.These methods are: ■

E-mail-based Scan and Deliver



Internet-based Scan and Deliver

NOTE For more information on configuring Scan and Deliver, see Chapter 4, “Implementing Central Quarantine 2.01.”

Symantec AntiVirus Research Automation (SARA) When samples are received by SSR, they are transferred directly into the Symantec AntiVirus Research Automation (SARA) system.This system performs a fully automated analysis, with definition development, and quality assurance, for integration into all Norton AntiVirus products. According to Symantec, a sample submitted into a dedicated SARA system can be completely processed in less than 15 minutes. On a daily basis, SARA researches, and indexes an abundant amount of potential viruses. Using this limited artificial intelligence, SSR is able to hurdle normal standards of service, to provide full virus protection from known threats, as well as protection from threats yet to come.

www.syngress.com

Introduction to Norton AntiVirus Corporate Edition (NAVCE) • Chapter 1

Symantec Support for Operating Systems and Networks One of the more attractive benefits of NAVCE is the amount of platforms it can be used with, not only on the server side, but on the client side as well. With so many networks running various platforms, it’s comforting to know that a single software package can manage and protect all of your operating system needs.

Supported Operating Systems for Clients This following section will provide details on supported operating systems for clients and their minimum requirements. Chances are that regardless of what the basis of your network’s client platform is, most of your clients have the capability to run the client software. Whether you need protection for Windows 3.1 or Windows XP, or a Citrix thin client, NAVCE 7.6 can defend your networked client’s needs.The following subsections will provide details on supported operating systems for clients and their minimum requirements.

DOS PCs Yes, I too still have a few DOS clients floating around in my company’s enterprise network, as I am sure you do.These machines are usually dedicated to a single function somewhere out on your network. In most instances, these clients have been kept around for that single 16-bit program that they are running, even though the software manufacturer has released numerous GUI versions over the years. It reflects the old adage: if it ain’t broke…don’t fix it! You can protect these DOS client as long as they meet the following requirements: ■

An Intel 386 33MHz processor (actually, a Pentium processor, or better, is recommended)



640KB of system memory



2MB of extended memory



An extended memory manager (such as EMM386)



8MB of disk space, with 10MB available during the installation



MS-DOS 5.0 or later

www.syngress.com

23

24

Chapter 1 • Introduction to Norton AntiVirus Corporate Edition (NAVCE)

Windows 3.x When referring to Windows 3.x it should be noted that the NAVCE client software can be installed on version 3.1 or later. Additionally, Windows 3.11 and Windows for Workgroups are also supported, all with the following requirements: ■

An Intel 486 processor or better



16MB of RAM at a minimum



640KB of system memory



23MB of disk space, with 35MB available during the installation

The Remaining Windows Family The following list of Windows operating systems can be installed as NAVCE clients: ■

Windows 9x (95, 95 OSR2 and OSR2.1, 98, and 98SE)



Windows Millennium Edition



Windows XP



Windows NT 4.0 Workstation and Server (with Service Pack 3 or later)



Windows 2000 Professional, Server, and Advanced Server

Designing & Planning… A Server by Any Other Name When discussing clients, you should note that Microsoft Windows servers could have NAVCE installed as a client, as opposed to having the server software installed and participating in a server group. This would be a judgment call by you and your team while designing your system hierarchy. In my current job, we have a mix of Novell and Microsoft servers running NAVCE. Novell NetWare plays the role of file and print share, while our Windows servers handle services such as DHCP, DNS, IIS, and ISA Proxy. However, no client in our network is considered a “child” to any of these Microsoft production servers. So, in actuality, I could Continued

www.syngress.com

Introduction to Norton AntiVirus Corporate Edition (NAVCE) • Chapter 1

have installed all of my Microsoft servers as clients to a single server running the server software. Keep in mind, there is no wrong way to design your layout, this gives you the freedom to plan a design that meets your needs and makes sense to you and your IT staff.

Additionally, these systems must meet the following hardware requirements: ■

32MB of RAM



An Intel 486 processor (again, a Pentium processor or better is recommended)



43MB of disk space, with 80MB available during the installation



WINSOCK 2.0 or later

Supported Operating Systems for Servers Your servers are the front line of your virus defense.They dispense your updates and communicate information to and from your clients to ensure that your network has complete virus protection.The following section provides details on supported operating systems for various servers and their minimum requirements.

Windows NT 4.0 and Windows 2000 In the Windows NT 4.0 and Windows 2000 family, not a single system is incapable of running the NAVCE server software.These systems include: ■

Windows NT 4.0 Workstation (with Service Pack 3 or later)



Windows 2000 Professional



Windows NT 4.0 Server (with Service Pack 3 or later)



Windows 2000 Server



Windows 2000 Advanced Server

Additionally, they must all meet the following hardware requirements: ■

32MB RAM (64MB or better is recommended)



An Intel Pentium processor (Pentium Pro or better is recommended)



62MB of free disk space for the NAVCE server files

www.syngress.com

25

26

Chapter 1 • Introduction to Norton AntiVirus Corporate Edition (NAVCE) ■

55MB of free disk space for the NAVCE client disk image



55MB of free disk space for AMS2 server files

Novell NetWare The following Novell NetWare platforms can run the NAVCE server software: ■

NetWare 3.12, with the following requirements: streams.nlm version 3.12 or later; clib.nlm version 3.12g or later; and after311.nlm version 4.12



NetWare 3.2



NetWare 4.11 and 4.2 running Support Pack 9



NetWare 5x

Additionally, they must all meet the following hardware requirements: ■

3MB RAM above NetWare requirements for NAVCE NLMs



70MB of free disk space for the NAVCE server files



46MB of free disk space for the NAVCE client disk image



10MB of free disk space for AMS2 server files, with 20MB available during the installation

NetWare Loadable Modules (NLMs) are executable programs written to run on Novell NetWare servers.The majority of inherent server programs, and thirdparty Novell software will have the .NLM file extension. Symantec’s latest version of NAVCE is compatible with NetWare 6.0; this will allow you to have uninterrupted protection if you choose to upgrade to the latest release of Novell NetWare. For more information on NAVCE 8.0 and other new releases of Symantec products, see Appendix A, “NAV 2003 and 2003 Professional Edition.”

Support for Cluster Servers, Terminal Servers, and More… NAVCE 7.6 provides support for cluster servers on both the Microsoft Windows and Novell NetWare platforms. Additionally, you’ll find support for Terminal Servers and for Citrix MetaFrame software that you may be running on your network. www.syngress.com

Introduction to Norton AntiVirus Corporate Edition (NAVCE) • Chapter 1

Windows NT 4.0/2000 Cluster Servers If you are utilizing clustering within your Windows NT 4.0 or Windows 2000 environment, you can provide virus protection for these servers by performing the following tasks: ■

First, install the NAVCE client software to all of the local computers that are part of the cluster. However, do not install the client to any shared drives.



Deploy NAVCE to your clients using the local server names, not the shared cluster names.

Novell NetWare Cluster Servers If you are utilizing clustering within your Novell NetWare environment, you can provide virus protection for these cluster servers by performing the following tasks: ■

Add the appropriate command to your autoexec.ncf file to launch cluster services



Ensure that all volumes have been mounted

Once these tasks have been completed, simply launch NAVCE. Properly completing these tasks guarantees that all volumes are detected.

Windows NT 4.0/2000 Terminal Servers NAVCE 7.6 can protect the servers in your network that are running either NT 4.0 Terminal Service Edition or Windows 2000 Terminal Services. However, you should note that the NAVCE client software does not install onto servers running these services. NAVCE works on Terminal Servers in much the same way that it works on file servers, the only difference being alerting. Alerts will only work for users that are logged on to the server console, whereas users connected through a terminal client session do not receive alerts at all.

Understanding AppSec and Windows NT 4.0/2000 Terminal Servers The application security tool AppSec, is a GUI-based application that allows you to secure your multiuser environment and restrict users to only be able to access

www.syngress.com

27

28

Chapter 1 • Introduction to Norton AntiVirus Corporate Edition (NAVCE)

a predetermined set of network applications. By enabling application security using AppSec, you will cause the system to reject all user attempts to execute a program that they are not approved to use. AppSec can be utilized on servers running either Windows NT 4.0 Terminal Server Edition or Windows 2000 Terminal Services, and automatically installs with NT 4.0 Terminal Server Edition.To use AppSec on Windows 2000 Terminal Services servers, you will need to install the program from the Windows 2000 Server Resource Kit, and additionally install the AppSec hotfix.You can find information about the installation of AppSec and its associated hotfixes at www.microsoft.com/windows2000/techinfo/reskit/tools/hotfixes/appsec-o.asp.

Citrix MetaFrame 1.8 NAVCE 7.6 is designed to additionally protect your Citrix MetaFrame thin clients (version 1.8 and later). Citrix MetaFrame is software that supports “application server computing,” in which your applications run on the server for multiple users. Only screen changes within the user interface are sent to your individual clients machines.The base technology in the MetaFrame software is the Independent Computing Architecture (ICA) protocol that controls the input/ output between a client and server.The processing that takes place is provided by the native capabilities of UNIX, or by configurable options in Windows NT 4.0 Terminal Server Edition and Windows 2000 Terminal Servers.

NOTE For more detailed information on Cluster Servers and Terminal Servers, see Chapter 8, “Configuring Your NAVCE 7.6 Environment.”

Supported Networking Protocols NAVCE 7.6 has the capability to communicate with all your Novell NetWare and Windows NT 4.0/2000 servers. When administrating your NAVCE environment, the SSC can communicate using either IP or IPX. Depending on your networks throughput, SSC can switch which protocol it is utilizing at the time to speed communications between servers and clients. An important item to make note of is that if both IPX and IP protocols are present on either your servers or your clients, by default SSC will use IPX. If your www.syngress.com

Introduction to Norton AntiVirus Corporate Edition (NAVCE) • Chapter 1

server is running only IP but the clients have IPX and IP, you may lose client communication to the console, and clients will be displayed as Not Logged In.

Configuring & Implementing… Properly Configuring Server Details When running both protocols, you may want Symantec System Center to only display IP addresses. A temporary solution to displaying only IP addresses could be accomplished by performing the following tasks: 1. In SSC, click Tools | Find Computer..., then select the Network Discovery tab. 2. Type the IP address of the primary server in the Server Address field and click IP for the Address Type. 3. Click the Find Now button. Once the server is displayed, highlight it and click the Sync Item button. 4. Exit the Find Computer dialog box and refresh SSC. 5. Click the Console menu and then select Save to save the changes. This solution is temporary, and running a discovery will cause SSC to revert to displaying IPX addresses. Additionally, this procedure would need to be completed for every server to ensure that your clients update their protocol settings to reflect the changes. You may be running both protocols and wish for either IP or IPX address to be displayed at all times in SSC. You can change these Preferred Protocol settings for both Microsoft Windows and Novell NetWare servers by following the steps outlined in the Symantec Knowledge Base document ID#1999120813251448 which can be found along with other helpful information at www.symantec.com/search.

Symantec AntiVirus Corporate Edition 8.0 Symantec’s newest release of NAVCE is called Symantec AntiVirus Corporate Edition 8.0 (SAVCE).Though the name has changed slightly, it is virtually the www.syngress.com

29

30

Chapter 1 • Introduction to Norton AntiVirus Corporate Edition (NAVCE)

same program with a few new features and added platform support. SAVCE 8.0, just like NAVCE 7.6, provides advanced virus protection and monitoring across the enterprise from a single management console. Its centralized, scalable management built on industry-leading technology will allow for rapid deployment and automatic virus protection through a reduced virus definition file size. With enforceable antivirus policy management across multiple platforms, SAVCE 8.0 will also enable up-to-the-minute protection for your mobile workstations via a new “roaming” virus definition update capability. The extensive platform support provided by SAVCE 8.0 now includes full support for NetWare 6.0, while SAVCE 8.0 provides scalable, cross-platform virus protection for all of the workstations and servers across your entire enterprise network. New security features plus centralized policy management enable administrators to manage workstation and server groupings logically, as well as create, deploy, and lock down security policies and settings to keep systems upto-date and properly configured at all times.

Windows Client Support SAVCE 8.0 supports the following Windows clients: ■

Windows 98



Windows 98 SE



Windows Millennium Edition



Windows NT 4.0 Workstation, Server, and Terminal Server Edition with Service Pack 6a



Windows 2000 Professional, Server and Advanced Server



Windows XP Home and Professional Edition

Your Windows clients must have at least 32MB RAM and 45MB of free disk space to support SAVCE 8.0. It is additionally recommended that your clients have an Intel Pentium processor that is a Pentium II or better.

Windows Server Support SAVCE 8.0 supports the following Windows servers:

www.syngress.com

Introduction to Norton AntiVirus Corporate Edition (NAVCE) • Chapter 1 ■

Windows NT 4.0 Workstation, Server, and Terminal Server Edition with Service Pack 6a



Windows 2000 Professional, Server, and Advanced Server



Windows XP Professional.

Though your Windows servers should have at least 32MB of RAM, 64MB or better is recommended.You should have 111MB of disk space (65MB of disk space is for SAVCE server files, and 46MB of disk space is for the SAVCE client disk image), with an additional 15MB of disk space for AMS2 server files if you choose to install and utilize the AMS2 Server features. Again, an Intel Pentium processor that is a Pentium II or better is recommended.

NOTE Symantec AntiVirus Corporate Edition does not support the scanning of Macintosh volumes on Windows servers for Macintosh viruses.

NetWare Server Support As with NAVCE 7.6, the NetWare 5x platform is still covered by Symantec’s upgraded antivirus. However, NAVCE 7.6 dose not provide support for NetWare 6.This has all changed with the introduction of SAVCE 8.0.This should bring cheers of glee to all you Novell enthusiasts (myself included)! SAVCE supports your newer NetWare 6.0 servers; however, you will need to apply Novell’s SP1 to your NetWare 6.0 installation. The hardware requirements for SAVCE 8.0 are identical to those needed to install NAVCE 7.6, with the exception that you will need 15MB RAM instead of 3MB (above standard NetWare RAM requirements) for Symantec AntiVirus NLMs.

Symantec Product Specialist Certification Information The Symantec Product Specialist (SPS) certifications focus on a single security product and its role in an overall security system.

www.syngress.com

31

32

Chapter 1 • Introduction to Norton AntiVirus Corporate Edition (NAVCE)

These exams are electronic-based, multiple-choice examinations that allow you to test your skills against Symantec’s published objectives.These certification exams can be taken through independent test centers (such as Prometric), on Symantec’s behalf. All exams are closed book, so having any printed material, computers, or calculators with you during the exam is not permitted. Once you complete the exam, you will receive instant on-screen feedback of your results. Beta exams however will not provide this instant feedback. The standard fee for released certification exams range anywhere from $125 to $150 worldwide.There is a customary fee for a beta version of an exam, while a limited number of “free seats” are offered. Unlimited additional seats are available at $75 for each beta exam. However, Symantec reserves the right to change certification exam fees at any time. Achieving a SPS certification in any Symantec technology can significantly assist you on many levels.The training involved in your certification preparation will provide you with a greater sense of confidence when using the product. Additionally, SPS certification helps you gain recognition and credibility within your position and can improve your earning potential and overall marketability. When preparing for your certification exam, Symantec recommends that you gain as much hands-on experience with the software as possible.You should specifically work with the version on which you plan to test, applying learned skills to real-world situations. Optionally, you might want to attend Symantec’s recommended training courses. Information on these courses can be found at www.symantec.com/education.

NOTE The maximum length of time allowed for Exam 250-011 is 105 minutes.

Exam Objectives All Symantec exams are based on a series of objectives developed for each of the topics covered in an exam.Topics and objectives vary for each exam.The following lists Symantec’s nine major topics, along with the associated objectives you should concentrate on when preparing for Exam 250-011.

www.syngress.com

Introduction to Norton AntiVirus Corporate Edition (NAVCE) • Chapter 1

Topic 1: Symantec AntiVirus Solution ■

Describe the various types of malicious codes and the potential damage they may cause.



Identify all NAVCE components and their functionality.



Define/differentiated primary, secondary, and master primary servers.



Define managed, sometimes managed, and unmanaged clients.



Differentiate between NAV servers.



Identify network traffic among all components.



Perform basic management functions when starting the Symantec System Center Console.

Topic 2: Installation ■

Identify the order of installation for the NAVCE components.



Identify the considerations and requirements needed to install NAVCE for servers and clients.



Identify the various methods of installing NAVCE for clients remotely.



Describe a Web-based installation.



Describe how to use Instopts.ini,ToNAV,ToLU, and ToAPP to distribute files during installation.

Topic 3:The Discovery Process ■

Define Discovery and its function.



Identify the three types of discovery.

Topic 4: Updating Virus Definitions ■

Describe how virus definition files are obtained and distributed.



Differentiate between LiveUpdate and the Virus Definition Transport Method.

www.syngress.com

33

34

Chapter 1 • Introduction to Norton AntiVirus Corporate Edition (NAVCE) ■

Describe how to configure LiveUpdate to retrieve definitions from an internal and external LiveUpdate server.



Define and adjust scalability.



Describe the rtvscan timer loop process.

Topic 5: Scanning and Configuring Client E-mail ■

Describe how NAVCE scans client e-mail.



Describe the e-mail scanning integration process with Lotus Notes and Microsoft Exchange.

Topic 6: Virus Scans ■

Configure the four scanning methods.



Differentiate the four scanning methods.

Topic 7: Client/Server Communication ■

Identify the communication components.



Describe the communication process when services, servers, or clients load.



Describe the communication process when a client finds its parent server.



Identify the function of the grc.dat file explaining how and why its generated and used.



Troubleshoot client/server communications.

Topic 8: Central Quarantine and Quarantine Server ■

Define Central Quarantine and its components.



Describe the relationship between Icepack, Defcast, and NAVCE servers and clients.



Install and configure Central Quarantine servers.

www.syngress.com

Introduction to Norton AntiVirus Corporate Edition (NAVCE) • Chapter 1

Topic 9: Alert Management System (AMS2) ■

Define and configure the Alert Management System (AMS2).

Notes from the Underground… A Simple Word of Advice Having spent many years teaching, I’ve observed that my students’ primary goal is to prepare for the certifications associated with their courses. In conversations, they’d often say, “Oh, I hear Novell Exams are really hard” or “Microsoft exams are the hardest!” So, I would tell them repeatedly, “Certification exams are only as easy as you make them.” I have always believed this to be true of certification exams, regardless of the vendor. The fact is: if you invest the time to learn a product thoroughly, nothing that shows up on that vendor’s certification exam should surprise you at all. My advice is this: the more study and hands-on practice you put toward your SPS certification preparation, the easier the exam will be. This book will greatly aid you in preparing for the SPS Exam 250-011, just take your time and use the preceding exam topics to guide you in your studies. If you prepare well, using this book and online documentation as sources, you will surely pass the SPS exam.

www.syngress.com

35

36

Chapter 1 • Introduction to Norton AntiVirus Corporate Edition (NAVCE)

Summary Viruses are everywhere, so be prepared for them. Given the available antivirus solutions out there, there’s no reason to put your network’s protection on the back burner. It’s far too risky. Also, keep in mind that commercial solutions are far better than freeware.The abundant freeware antivirus programs on the Internet can’t match the protection provided by a robust program such as Norton AntiVirus Corporate Edition. An enterprise network’s needs are far more complex than that of a small- or mid-sized network. NAVCE 7.6 is designed to not only meet the needs of larger enterprise networks, it easily covers the requirements of smaller companies. With so many responsibilities bestowed upon you in your daily routine of maintaining the corporate LAN/WAN structure, your ability to manage virus protection company wide should not be an issue you lose sleep over. With features such as the new Norton Antivirus Extensible (NAVEX) Engine and the Symantec System Center (SSC), NAVCE all but places your virus protection solution on autopilot. NAVEX automates the downloading of signature updates to your systems, while SSC provides that single point of administration to monitor virus activity, scan for computer viruses, schedule virus definition downloads, and verify their versions on your systems… and that’s just scratching the surface. With support for both Microsoft and Novell servers, and wide support for numerous client platforms, NAVCE most certainly can handle any virus threat that attempts to penetrate your network.This is truly antivirus protection that practically runs itself! Whether you’re using a Symantec antivirus product or not, it’s good to know you still have the resources of Symantec Security Response (SSR) on your side. This service of Symantec does much more than just develop updated virus signatures for their own product line by constantly seeking out new viruses, and defining and “fingerprinting” them to the point that they are no longer the threat they once were. With the ability to achieve Product Specialist Certification in the Norton AntiVirus Corporate Edition product (and other Symantec products), you can not only hone your skills and protect your network, but achieving a Symantec SPS in NAVCE will show others the caliber of your work.

www.syngress.com

Introduction to Norton AntiVirus Corporate Edition (NAVCE) • Chapter 1

Solutions Fast Track A Brief History of Computer Viruses ; Not all malicious code is necessarily a virus.

; For viruses to efficiently work, they must execute and replicate

themselves.

; A well-educated end user is the best line of defense against viruses.

Fighting Back with Antivirus Programs ; Most antivirus companies market home and business versions of

antivirus products. Research to determine which product suits your needs.

; Not all antivirus programs offer the same features, therefore they do not

offer the same level of protection.

; For an antivirus program to be efficient, it needs to be updated regularly.

Antivirus Solutions and the Enterprise ; NAVCE 7.6 is designed to handle the intricacies of a large corporate

enterprise network.

; New features in NAVCE 7.6 allow you to protect your Windows XP

and Windows Me clients.

; Norton Antivirus Extensible (NAVEX) Engine technology eases the

ability to receive virus signature updates and distribute them throughout your network without unnecessary downtime.

Centralizing Antivirus Management ; Symantec System Center (SSC) allows you to manage your enterprise

wide antivirus solution from a single point of administration.

; SSC lets you create a system hierarchy, permitting you to arrange your

servers into logical groups to assist in administrative needs.

www.syngress.com

37

38

Chapter 1 • Introduction to Norton AntiVirus Corporate Edition (NAVCE)

; All server administrative tasks can be accomplished from an SSC

console.

Introducing Symantec Security Response ; Symantec Security Response (SSR) provides you with a powerful

Internet research tool for investigating virus threats.

; Symantec provides free virus updates developed by SSR for all its

antivirus products.

; Scan and Deliver technology allows the automated sample submission to

SSR of potential viruses that have entered your network, which your current virus definitions could not remove.

Symantec Support for Operating Systems and Networks ; NAVCE 7.6 supports all Windows client and server platforms.

; NAVCE 7.6 supports all versions of Novell NetWare, from 3.x

through 5.1.

; NAVCE 7.6 supports various thin clients, Citrix MetaFrame, and

Windows Terminal Servers.

Symantec AntiVirus Corporate Edition 8.0 ; Symantec’s newest release of NAVCE is called Symantec AntiVirus

Corporate Edition 8.0 (SAVCE).Though the name has changed slightly, it is virtually the same program with a few new features and added platform support.

; SAVCE 8.0 also gives up-to-the-minute protection to your mobile

workstations via a new “roaming” virus definition update capability.

; The extensive platform support provided by SAVCE 8.0 now includes

full support for NetWare 6.0.

; Symantec AntiVirus Corporate Edition 8.0 provides scalable, cross-

platform virus protection for all your workstations and servers across your entire enterprise network. www.syngress.com

Introduction to Norton AntiVirus Corporate Edition (NAVCE) • Chapter 1

; New security features plus centralized policy management enable

administrators to manage workstation and server groupings logically, and create, deploy, and lock down security policies and settings to keep systems up-to-date and properly configured at all times.

Symantec Product Specialist Certification Information ; Preparing for, and taking, the SPS Exam for NAVCE 7.6 will further

advance your knowledge of the product.

; When considering certification on a Symantec product, utilize the

exam objectives provided by Symantec on their education site at www.symantec.com/education/certification.

Frequently Asked Questions The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: With so many different types of viruses, how do I know if a computer on my network actually has one?

A: At first sight, one can never be sure that a computer is infected with a virus. Quite often, it’s a blanketed excuse to blame a virus for what is nothing more than faulty equipment.This is further reason to implement a product such as NAVCE 7.6 on your network. If a known virus, or suspect malicious code, enters your network, NAVCE eliminates or quarantines the data before it can do any permanent damage to your systems.

Q: The budget for our IT department has been extremely limited over the past few years. We are a single location with five NT 4.0 servers and less than one hundred 9x clients throughout our departments (including IT). Once NAVCE is deployed, how can I manage my NAVCE client from a Windows 98 SE computer?

A: Unfortunately, you can’t.The Symantec System Center works as a “snap-in” to the Microsoft Management Console (MMC).Your clients won’t need to www.syngress.com

39

40

Chapter 1 • Introduction to Norton AntiVirus Corporate Edition (NAVCE)

be upgraded; however, you will need at least one computer running Windows NT 4.0, 2000, or XP Professional to install SSC and be able to manage your NAVCE environment.

Q: What happens when a “new” virus appears on the scene, how will NAVCE 7.6 protect my network?

A: Because NAVCE utilizes the new Norton AntiVirus Extensible (NAVEX) Engine technology, it is able to monitor suspect code it does not identify as a known virus. Additionally, due to the advanced technology provided by Symantec Security Response and Symantec Antivirus Research Automation, SSR typically provides updated definitions (along with system fixes) for new viruses within 24 hours of their release.

Q: I administer a small, 50-user network which is attached to two Microsoft servers and uses a NetWare server to handle our file- and print-share needs. With a name such as Corporate Edition, is NAVCE 7.6 within my company’s financial means?

A: Yes. NAVCE 7.6 can be obtained in “multiuser packs” of 5-, 10-, 25-, and 50user licenses, which are “built in” to the product for smaller companies who don’t need to enter into a licensing program due to the limited amount of computers that will be running the software.

www.syngress.com

Chapter 2

Designing a Managed Antivirus Infrastructure

Solutions in this chapter: ■

Understanding NAVCE Server Groups



Planning NAVCE Server Roles



Determining NAVCE Client Configurations



NAVCE Licensing

; Summary

; Solutions Fast Track

; Frequently Asked Questions

41

42

Chapter 2 • Designing a Managed Antivirus Infrastructure

Introduction In a managed Norton AntiVirus Corporate Edition (NAVCE) environment, server groups will provide a physical and logical structure in which to manage your network clients. Server groups create a manageable collection of servers and workstations running the NAVCE software that you, the administrator, can configure quite easily and efficiently, as changes made once will propagate to all members of the server group without any additional effort. You can also perform NAVCE-related tasks like scheduling regular hard disk scans and performing ad-hoc virus sweeps of an entire server group with only one or two mouse clicks, thus freeing you to attend to other matters. NAVCE servers within a server group can serve several different functions in managing your NAVCE clients. Each server group contains a primary server that acts as the staging point for all configuration changes and updates that you make to the server group: any changes will be copied to the primary server first, and then circulated to the rest of the server group. Any additional servers within the group are considered secondary servers.They provide load balancing by acting as parent servers to NAVCE clients, receiving updates from the primary server and copying them to the NAVCE clients under their jurisdiction. A final server type that can be quite useful on a large enterprise network is the master primary server, which acts as a single point of contact with the Symantec Web site to download all product and definition updates.To better understand this, take a look at Figure 2.1. In this diagram, you can see that the master primary server receives updates from the Symantec Web site (www.symantec.com) and copies them out to the primary servers of the three different server groups shown. Each server group then has several secondary servers functioning in addition to the primary server, which then copies the updates to the NAVCE clients within each group.

www.syngress.com

Designing a Managed Antivirus Infrastructure • Chapter 2

Figure 2.1 Viewing the Server Group Hierarchy Internet Sites (www.symantec.com)

Primary Server Server Group

Master Primary Server

Primary Server Server Group

Primary Server

Secondary Server

Secondary Server

NAVCE Client

NAVCE Client

NAVCE Client

NAVCE Client

NAVCE Client NAVCE Client

Server Group (Detailed)

Depending on their physical location and network connectivity, NAVCE clients can be managed in a number of different ways. Client machines that are connected to the same local area network (LAN) as the NAVCE primary and secondary servers can be managed through the Symantec System Center (SSC) console, and can communicate quite frequently with their primary servers to

www.syngress.com

43

44

Chapter 2 • Designing a Managed Antivirus Infrastructure

receive updates and send alerts regarding any virus infections they may encounter. You can manage clients that are not well connected to the same network as the NAVCE server group through the use of the grc.dat file, or by delegating the responsibility of updating virus definitions to the computer user themselves. The final topic in this chapter centers on NAVCE software licensing for your small, mid-sized, or enterprise-level installation needs. Symantec offers several attractive bulk licensing options to maximize your investment in Symantec software, and to ensure that staying in compliance with licensing needs is as simple as possible. Symantec’s licensing options provide pricing incentives based on the number of licenses purchased, starting with as little as one server or ten client product licenses.This flexibility makes it easy for even a Small Office/Home Office (SOHO) environment to take advantage of the various licensing options available to Symantec’s business customers.

Understanding NAVCE Server Groups When you create your first NAVCE server on either a Windows or NetWare server machine, you’ll be prompted to create a new server group. Put simply, a server group is a collection of NAVCE servers and clients that communicate with each other to share configuration and status information. A NAVCE server group can contain servers and clients running any supported operating system, and can include machines from different Windows domains and workgroup structures— the NAVCE server group structure is not dependent on Windows or NetWare security to function.This allows you the administrative convenience to manage the antivirus settings of computers contained in multiple NetWare or Windows domains using a single NAVCE server group. Server groups allow you to apply identical NAVCE policies and settings to an entire group of clients and servers in a single step, as well as running NAV-related tasks like virus sweeps with similar ease and efficiency.You can create as many or as few server groups as you require in order to best manage your network’s antivirus policies. You’ll manage the server group(s) on your network using the Symantec System Center (SSC) console, a management tool based on the Microsoft Management Console (MMC). Using the SSC console, you can create and delete server groups, add or move servers and clients within multiple groups, and perform many other NAVCE-related administrative tasks. A server or client with NAVCE installed on it can only belong to a single server group at any given time; however, moving machines from one server group to another is a simple matter of dragging-and-dropping within the SSC console, as we’ll discuss shortly. www.syngress.com

Designing a Managed Antivirus Infrastructure • Chapter 2

NOTE For administrators who are upgrading from NAVCE version 6.0 or migrating from LANDesk Virus Protect 5.01 or later, server groups are the functional equivalent of Norton AntiVirus and Virus Protect domains in those two products.

Server Group Planning Considerations When you are designing your NAVCE server group structure, there are a number of considerations to keep in mind in order to maximize your network performance and manageability. Since NAVCE server groups are not dependent on Microsoft or Novell security structures to function, you can choose to base your NAVCE installations on your existing network domain structure, or create a wholly separate one to centrally manage the antivirus scanning needs of multiple workgroups or domains. When deciding on the placement of your NAVCE server groups, you should factor the following points into your decision-making process: 1. Define your server groups based on the administrative structure of your IT staff. If all of your administrators possess the same clearance to perform antivirus-related functions on all network machines, then you can simplify your NAVCE implementation by creating a small number of server groups that can be centrally administered. If your network management model is more decentralized, it may be necessary to create a separate server group for individual departments or locations so that the local or onsite administrator can manage each group independently. 2. Both NetWare and Windows NT/2000 servers can reside in the same server group, allowing you to simultaneously configure both types of servers remotely. Since most of the configuration parameters are the same for both server types, combining them into a single server group will greatly speed the NAVCE implementation process. 3. Since server groups can be password-protected, consider adding the NAVCE server group password to any central repository of administrative passwords that you maintain. (Maintaining a list of administrative passwords in a safe deposit box or other secure location is often a best

www.syngress.com

45

46

Chapter 2 • Designing a Managed Antivirus Infrastructure

practice in cases of disaster recovery or staff turnover so that no administrative systems can be rendered inaccessible by a lost password.) 4. Group machines together that share common antivirus configurations needs. Since all members of a server group can share the same product configuration settings, you can group together clients and servers that require a more secure configuration into one group, and machines with different security requirements—for example, software development environments—in another. 5. Avoid creating server groups that span wide area network (WAN) links. Server group clients communicate with their parent NAVCE server frequently, which can unnecessarily clog or slow a potentially expensive WAN link with NAVCE-related network traffic. Also, the Symantec System Center discovers new clients and servers using network broadcasts, which do not travel across WAN links by default. 6. While NAVCE server groups do not rely on NetWare or Windows NT/2000 security to function, grouping NetWare servers from the same NDS container or Windows NT/2000 servers from the same domain into one same server group will simplify your client installations because of streamlined login script configuration. 7. The NAV documentation states that a single NAVCE server can comfortably handle up to 3,000 clients on a 100Mbps network without adverse performance reactions; however, your mileage may vary depending on your specific hardware configuration. Be prepared to scale your server hardware to meet the needs of the clients on your network.

Choosing Servers to Be Part of a Group When selecting servers to act as primary or secondary servers within a NAVCE server group, there are a number of factors to keep in mind. While the NAVCE server software does not always require its own server, you’ll want to select servers that have sufficient hardware resources available to address the needs of your NAVCE environment. Pushing out virus definitions and product updates will require sufficient network bandwidth to communicate with all clients associated with the server group, so you would not want to designate a server that is already handling a great amount of network traffic—a highly utilized database or e-mail server, for example. Beyond that, your other primary consideration is location: select a server or servers that are as close to the same subnet as the clients www.syngress.com

Designing a Managed Antivirus Infrastructure • Chapter 2

they will be managing so that no unnecessary traffic is sent across any slow or expensive WAN links.You’ll also want the servers to be part of a “well-connected” network—that is, residing on a network connection that is reliable and always on.This will ensure your NAVCE clients receive their updates in a timely fashion. When selecting hardware, remember that the hardware requirements set forth by Symantec are minimums only, and do not take into account any other software or services that may be running on the target computer. Especially in the case of servers that are running multiple applications, more is always better when it comes to RAM, CPU speed, and available hard disk space. At a minimum, remember that the recommended system requirements for NAVCE and the SSC are as follows in the next two subsections.

NAVCE for Windows NT/2000 ■

Windows NT 4.0 Service Pack 3 or later (Server or Workstation), or Windows 2000 Professional, Server, or Advanced Server, Service Pack 3 or later



32MB of RAM (at least 64MB is recommended)



Intel Pentium Processor (Pentium Pro or better is recommended)



62MB of free disk space for the server installation files, 55MB additional 2 for client installation images, plus another 10MB for the AMS installation

NAVCE for NetWare ■

NetWare 3.12, 3.2, 4.11, 4.2, or NetWare 5.x



3MB of RAM beyond any other requirements for the NAVCE NLMs



70MB of free disk space for the server installation files, 46MB additional 2 for client installation images, plus another 10MB for the AMS installation

www.syngress.com

47

48

Chapter 2 • Designing a Managed Antivirus Infrastructure

NOTE Currently, NAVCE 7.6 is not supported with NetWare version 6 or 6.5. You will have to move to SAVCE 8.0 if you would like to use NetWare 6.x. It is recommended you check the Symantec Web site to confirm this when/if you do in fact move to the version 6 environment, as support options may change in the future after this publication is printed and on the shelf.

Creating a NAVCE Server Group During the NAVCE server installation, you’ll be prompted to create a new server group or join an existing server group. However, you can also create a new server group separately from a NAVCE server install using the Symantec System Center (SSC) console. From the SSC console, right-click the System Hierarchy icon and select New | Server Group, as shown in Figure 2.2. From here, the server group creation process is as simple as entering the name of the new group in the prompt shown in Figure 2.3. Figure 2.2 Creating a New Server Group

Figure 2.3 Naming the New Server Group

After you’ve created the new server group, the first thing you should do is assign a password to the group so no one can make any unauthorized or uninwww.syngress.com

Designing a Managed Antivirus Infrastructure • Chapter 2

tended changes to your NAVCE server or client configurations. If you administer multiple server groups, you have the option of configuring all of them with the same password. Otherwise, you can create different passwords to allow for increased security and/or distributed management functions: establishing a separate server group at a remote branch office, say with the local administrator responsible for securing a unique password for the server group, for example.To configure the server group password, follow the steps in the next section.

Creating or Changing a Server Group Password To create a new server group and establish a unique password, you’ll need to do the following: 1. Right-click the System Hierarchy icon and select Refresh to update the server group listing to include the new group you just created. Right-click the desired server group, then select Configure Server Group Password. Enter the current (old) password, and then enter the new password twice to confirm it, as illustrated in Figure 2.4. Click OK when you’re finished. NAVCE will display a message indicating the password was changed successfully. Figure 2.4 Changing a Server Group Password

2. Once you’ve established a server group password, you can configure the SSC to your needs so it’s ready for you every time you open the console. Right-click System Hierarchy and select Properties. Place a check mark next to Lock All Server Groups When Exiting Console, as illustrated in Figure 2.5.

www.syngress.com

49

50

Chapter 2 • Designing a Managed Antivirus Infrastructure

Figure 2.5 Locking Server Groups When Exiting the SSC

NOTE I recommend against selecting Save This Password when unlocking a server group, as you’re effectively defeating the purpose of having a password in the first place. If someone obtains use of your workstation, they will be able to access and change any of your NAVCE configuration settings. If you accidentally set the “Save This Password” option, simply go back into the Properties sheet of the System hierarchy to re-enable automatic locking of the SSC console. You may feel your workstation or office area is sufficiently secure that you can opt for the convenience of saving your console passwords, but consider this: I was walking through an area of my company where customers were not normally entertained under any circumstances, and found a teenage boy sitting at the keyboard of one of the office workstations, typing and clicking merrily away. As it happens, this was the son of the employee who worked at that desk. While his actions were doubtless innocuous enough, this demonstrates the importance of securing your workstation environment under any circumstances. If you are logged onto your workstation with an administrative password, anyone who gains access to your desktop has obtained the “Keys to the Kingdom.”

www.syngress.com

Designing a Managed Antivirus Infrastructure • Chapter 2

Configuring & Implementing… The Joy of Default Passwords When you create a new Symantec Server Group, the default password to access the group is “symantec” in all lowercase letters. This can create a very simple but annoying issue where a local administrator creates a new server group and does not check the documentation, instead calling you to complain of a forgotten password. However, the existence of the default password in NAVCE server groups can sometimes create more complex and unexpected issues within the Symantec System Center console. Here are a few examples: 1. You’ve modified the password associated with a NAVCE server group, but when you attempt to uninstall NAVCE from one or more of your network clients, you see a message indicating that the password is invalid. In this situation, the initial password of “symantec” was hard-coded into the client’s uninstall information before you changed the server group password. 2. On a Windows NT server, one or more server groups cannot be unlocked. When you click Unlock Server Group, you are not prompted for a password and nothing seems to happen. This is occurring because of network difficulties between the server group’s primary server and the workstation that’s running the Symantec System Console. To correct this, either reboot the primary NAVCE server or restart the following services: ■

Defwatch



Intel PDS



Intel File Transfer



Intel Alert Originator



Intel Alert Handler



Norton AntiVirus Server



Symantec System Center Discovery Service

www.syngress.com

51

52

Chapter 2 • Designing a Managed Antivirus Infrastructure

Planning NAVCE Server Roles When configuring a NAVCE server group, there are five different roles that a computer can fall into. Each of these roles plays a different part in the server group, and each has different responsibilities in propagating changes and updates to the other machines in the group.The five possible roles that a computer can assume in a NAVCE server group are described in the next five sections.

Primary Servers Each NAVCE computer contains one primary server that is designated by the administrator.This server assumes the responsibility for transmitting configuration changes to the other machines in the network, and often also communicates antivirus signature updates to the other members of the group. If you are using the Alert Management Server function, the primary server also processes all alerts for the server group. A master primary server can run any of these operating systems: ■

Windows NT 4.0 Server or Workstation



NetWare 3.x, 4.x, or 5.x



Windows 2000 Professional, Server, or Advanced Server

Any changes you make to server options in a NAVCE group will modify the system registries of the affected servers. If you set these changes at the server group level, the changes are first recorded to the master primary server’s Registry in the HKEY_LOCAL_MACHINE\Software\Intel\LAN Desk\VirusProtect6\ CurrentVersion\Domain Data key.The primary server will then communicate these changes to the other servers in the NAVCE server group using the transman communication method, which relies on the transman.dll file that exists on all NAVCE server group members.You’ll need to designate a primary server in a server group before you can make any large-scale configuration changes. Figure 2.6 provides a graphical illustration of the relationship between primary servers and the rest of the machines in a NAVCE server group.

www.syngress.com

Designing a Managed Antivirus Infrastructure • Chapter 2

Figure 2.6 Server Relationships in a NAVCE Server Group

Primary Server

Secondary Server

NAVCE Client

NAVCE Client

Secondary Server

NAVCE Client

NAVCE Client

NAVCE Client

Secondary Servers Any computer running the NAVCE server software that has not been designated as the primary server in a server group is considered to be a secondary server within that group. Secondary servers receive updates from the primary server, and then communicate the changes and updates to the NAVCE clients within the server group. If there were no secondary servers present in a server group, configuration changes would be communicated directly from the primary server to the NAVCE clients; secondary servers provide a means of distributing the load necessary to update a large number of network clients. Secondary servers also provide fault tolerance, as you can quickly designate one as the primary server if the original primary server fails or is moved to another network location or role.To name a secondary server as the new primary server in a NAVCE server group, simply right-click the secondary server you want to promote to the master server role and click Make Server a Primary Server, as shown in Figure 2.7. Figure 2.7 Designating a New Primary Server

www.syngress.com

53

54

Chapter 2 • Designing a Managed Antivirus Infrastructure

Designing & Planning… What’s New in 8.0? The latest release of Symantec AntiVirus Corporate Edition (SAVCE), includes some features that will greatly improve the usefulness and efficiency of NAVCE server groups and the various server roles. ■

Discovery Service The service that locates NAVCE servers that are available to be managed by the Symantec System Center console has been streamlined to improve its speed. The Discovery process itself is now based on the server-group hierarchy rather than relying solely on network broadcasts, querying the primary server for a list of known secondary servers, and then querying the secondary servers for a list of clients. This minimizes the chance of a client or server remaining hidden during a discovery process



Enhanced rollout to secondary servers The software process that’s used for client and server updates is now multithreaded, allowing for much more efficient network bandwidth and CPU usage.

Master Primary Server In a large organization with many NAVCE server groups, you can designate a single NAVCE server to retrieve antivirus signature and product updates from the Symantec Web site, and then configure the primary servers of your NAVCE server groups to retrieve their definitions from this designated server, rather than having each primary server go directly to Symantec.The use of a master primary server is quite effective in limiting your organization’s exposure to possible Internet-based attacks by configuring only one machine to connect to the Web in this fashion. A practical application of a master primary server would be to allow only the designated server to communicate outside of your organization’s firewall on the ports necessary to retrieve NAVCE updates, and to configure your master servers to only accept updates from the master primary server. (Security topics like this one will be discussed more fully in Chapter 13.) You can see a diagram of this network configuration in Figure 2.8.

www.syngress.com

Designing a Managed Antivirus Infrastructure • Chapter 2

Figure 2.8 Sample Master Primary Server Installation

Symantec LiveUpdate

Firewall

Master Primary Server

Primary Server

NAVCE Client

NAVCE Client

Primary Server

NAVCE Client

NAVCE Client

Primary Server

NAVCE Client

NAVCE Client

It’s important to note that the master primary server is used only as a mechanism for securely retrieving Symantec updates; you’ll still make NAVCE configuration changes using the primary servers in each server group. Once you’ve configured the primary server in each of your server groups to retrieve its definitions and updates from the desired machine, no other configuration is needed to designate the server as the master primary server. To configure server groups to use a master primary server, right-click the server group in the SSC console and select All Tasks | Norton AntiVirus | Virus Definition Manager.You’ll see the screen shown in Figure 2.9.

www.syngress.com

55

56

Chapter 2 • Designing a Managed Antivirus Infrastructure

Figure 2.9 Configuring a Master Primary Server

Click Configure to select a new master primary server. Under Source, select Another protected server.You’ll be prompted to select a master primary server, as shown in Figure 2.10. Figure 2.10 Selecting a Source for Updates

Repeat this procedure for each primary server that you want to receive updates from the master primary server.

www.syngress.com

Designing a Managed Antivirus Infrastructure • Chapter 2

Parent Servers Any NAVCE server that communicates configuration updates to one or more NAVCE clients is considered a parent server. A primary server can act as a parent server or a secondary server, or vice versa. Just as primary servers transmit Registry changes to the secondary serves in the groups they manage, parent servers deliver changes to client computers and update any client settings in the parent server’s Registry. The role of parent server is dynamically assigned, rather than being specified by the administrator.To manually control which parent server will provide updates to a specific client, you’ll need to copy the grc.dat file from the hard drive of the chosen parent server, using one of the following directories (depending on the platform of the client being re-configured): ■

~\NAV\Clt-inst\Win32



~\NAV\Clt-inst\Win16



~\NAV\Clt-inst\DOS

You’ll then copy the appropriate grc.dat file into one of the following folders on the client computer: ■

For Windows 95, 98, and ME: ~\Program Files\Norton AntiVirus



For Windows NT: ~\WINNT\Profiles\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\Version Number



For Windows 2000 or XP: ~\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\Version Number

Determining NAVCE Client Configurations Now that you’ve configured your NAVCE servers and organized them into server groups, it’s time to turn your attention to your client installations. Similar to the server side, NAVCE offers several options for managing antivirus protection for the clients on your network. In this section, we’ll examine the different choices available and discuss the important points of each. Armed with this information, you’ll be able to make the best decisions when configuring your clients

www.syngress.com

57

58

Chapter 2 • Designing a Managed Antivirus Infrastructure

for antivirus protection within a NAVCE server group. We’ve included some real-world examples of each client type; these examples are graphically illustrated in Figure 2.11. Figure 2.11 Sample Client Configuration Diagram Branch Office Connected via a T-1 line 100 managed Clients

Branch Office Connected via Dial-up Modem 25 Lightly Managed Clients

Corporate Headquarters NAVCE Server with 250 Managed Clients

Home Office User with Dial-in Access Only 3 Unmanaged Clients

Salesperson Working in Corporate HQ 2 Days per Week This Laptop is a Sometimes Managed Client

Managed Clients Client PCs that attach to your network on a regular basis are best configured as managed clients. Managed clients assume that they are connected to their parent server via a high-speed LAN connection, and communicate often with the server group to receive configuration updates and transmit status information regarding virus infections and the like. Managed clients are those that are viewable through the SSC console. Since managed clients assume they are constantly attached to the network, they will contact their parent server as often as necessary for changes, allowing for quick updates when new virus definitions are made available.They will also immediately issue an alert to the SSC console if their local copy of NAVCE encounters a virus infection, and can be configured to forward any virus-infected file to a Central Quarantine Server. (Installing and configuring Central

www.syngress.com

Designing a Managed Antivirus Infrastructure • Chapter 2

Quarantine is covered in Chapter 4.) Managed clients can be configured to receive software and virus signature updates through either a parent server or directly from the Symantec LiveUpdate service. As an administrator, you can configure managed clients to receive their NAVCE installations and upgrades via network login scripts, along with mandating a centrally configured antivirus scanning schedule.You can also provide extremely tight security for managed clients by locking down antivirus configuration options so that the client user cannot change or remove them.

Sometime Managed The best real-world example of a sometime managed client would be a laptop belonging to a traveling salesman who only reports to the corporate office two days every week.These clients are largely identical to fully managed clients in terms of their configuration, but they appear as grayed-out or unavailable in the SSC console when they are not connected to the corporate network. If a sometime managed client’s parent server does not hear from the client for three consecutive days, the icon will be removed from the SSC console window. However, any configuration options that you locked down will remain that way, even though the machine is not actively connected to the corporate network, and any scheduled virus scans will still launch as usual. When the salesman returns to the office and logs onto the corporate LAN on the following Monday, any configuration changes and signature updates will be automatically downloaded to his PC at that time.

Lightly Managed If you support a user population that is only connected to your corporate LAN via a slow or expensive WAN link, you’ll want to find a way to manage their NAVCE settings without adding them to an existing server group. Rather than managing these clients through the SSC console, you’ll configure and update lightly managed clients strictly through the grc.dat file.You can preconfigure this file with any necessary defaults and options when the NAVCE software is initially installed, and roll out an updated grc.dat using e-mail, FTP, or a third-party software utility whenever you need to perform any configuration changes or updates. A possible example of this configuration might be a branch office in a location without access to high-speed Internet access that uses a 56K dial-up line to connect to the corporate headquarters.

www.syngress.com

59

60

Chapter 2 • Designing a Managed Antivirus Infrastructure

WARNING Be certain that whatever mechanism you’re using to update the grc.dat file is a secure one, as a malicious user or attacker could alter the file to wreak havoc on your lightly managed clients. Use a secure file download solution like HTTPS, which is HTTP used with Secure Sockets Layer (SSL) or Secure FTP (which also uses SSL) technology, or send the updated files via encrypted e-mail which can be accomplished with PGP or Pretty Good Privacy, a personal (and free) e-mail encryption utility.

Unmanaged The last client type is somewhat of a paradox in a managed environment, as you’re actually configuring it not to be managed by any of your NAVCE servers or server groups.These unmanaged clients have no connection to your corporate network, and therefore no reasonable means to connect to a parent server to receive software and definition updates. Even if an unmanaged client is connected to your LAN at some point, this machine would not appear in the SSC console and you would not be able to manage it using the NAVCE server group functions. Again, this goes against your biggest IT asset, which is control over your resources. Users of unmanaged clients must connect directly to Symantec LiveUpdate for their program and virus signature updates in order to maintain an adequate level of virus protection. The decision of whether to configure a machine as a lightly managed client or leave it wholly unmanaged is one of personal preference, but in my mind it largely hinges on the “computer-savviness” of the user in question. If the user is one who will be diligent in connecting to LiveUpdate to keep their NAVCE configuration up-to-date, then the unmanaged client option may be preferable to the potential security risks presented by manually distributing updated grc.dat files. On the other hand, if you feel that an unmanaged client will simply never be updated once the initial NAVCE installation is completed, the implications of distributing configuration files to lightly managed clients would be greatly outweighed by the alternative. If you wish to reconfigure an unmanaged client to be managed via the grc.dat file or to become a fully managed client, you have two possible options:

www.syngress.com

Designing a Managed Antivirus Infrastructure • Chapter 2 ■

Copy the appropriate grc.dat file to the client hard drive, just as if you were updating a lightly managed client.



Force a re-install of the NAVCE client, specifying a NAVCE server to act as the new parent server.

Likewise, if you have a managed client that you need to convert to an unmanaged configuration, you can either edit the grc.dat file, or uninstall and reinstall the NAVCE client.

WARNING If you uninstall a managed client that has had the client options locked down, you’ll need to delete the following Registry key before reinstalling NAVCE, or else the user will still be unable to edit any scanning or configuration options, even in an unmanaged installation. To allow users to make configuration changes, remove the following Registry key: HKEY_LOCAL_MACHINE\Software\Intel\Landesk\VirusProtect6 Editing the Registry is a risky proposition at best, so be sure you have a recent backup of the machine in question before attempting to make this change.

NAVCE Licensing Computer software is perhaps the most valuable technological investment for a modern organization, running everything from desktop PCs and office productivity applications to securing wide area networks with VPN encryption.The increasing proliferation of high-speed Internet access, coupled with the availability of writeable CD and DVD media, has made it easy to create an exact copy of a program in seconds. An adverse side effect of this, however, is that software piracy is becoming more widespread. From home computer users to professionals who deal wholesale in improperly licensed operating systems and applications, you can find examples of software piracy everywhere from businesses and government to schools and homes. Software piracy not only takes money away from the companies that make the software, but also hurts all computer users because less money is therefore available for research and development of new software and updates for existing packages.That’s why proper software licensing is a

www.syngress.com

61

62

Chapter 2 • Designing a Managed Antivirus Infrastructure

paramount concern to any network manager, no matter the size of your organization. In order to make licensing decisions as cost-effective as possible, Symantec offers multiple unit pricing as well as two bulk licensing programs that will allow business customers to purchase NAVCE licenses in quantities, rather than simply relying on buying multiple shrink-wrapped retail copies of Symantec products. As an added incentive, the Symantec Value and Elite program offerings combine server and client protection into a single price structure, allowing you to easily license antivirus protection for all servers and clients on your network. In this section, we’ll discuss the various licensing and options offered by Symantec for Symantec AntiVirus Enterprise Edition.

Damage & Defense… A Victimless Crime? The easy accessibility of such Internet phenomena as Napster, KaZaA, and other peer-to-peer file-sharing applications has created, for many, the feeling that software piracy is a harmless pursuit. But according to the Business Software Alliance (www.bsa.org), software piracy had the following impact on the computer industry in the United States: ■

$2.6 billion dollars in lost company profits



$1.5 billion in lost tax revenue



$5.6 billion dollars in lost wages



118,000 lost jobs

While it can be easy to be blasé about a corporate behemoth losing what seems to be only a few dollars from that illegal copy of WinFax you installed on your brother’s home PC, take a look at that final estimate: the number of jobs lost to software piracy in a single year was nearly the same as the population of New Haven, Connecticut. (Or Topeka Kansas, Palmdale California, Coral Springs Florida…you get the idea.) The penalties for corporate software piracy are also very real: pirates can be held liable to the copyright holder for as much as $150,000 USD for each program copied. The associated criminal prosecution can mean an additional $250,000 USD in fines and/or up to five Continued

www.syngress.com

Designing a Managed Antivirus Infrastructure • Chapter 2

years in prison. You could ask the question…“But how is anyone going to find out?” The majority of software piracy cases are instigated based on information provided by ex-employees; someone who may feel disgruntled enough following a layoff to make a phone call to Microsoft, Symantec, or a third-party organization like the BSA. Vendor-specific “whistle-blower” programs allow yet another potential avenue for report licensing violations. Novell, for example, has a “snoop” program that will actually give you a cut of the take depending on how much of that take is based on percentages. Don’t take the chance with you or your company’s licensing compliance, as it could end up costing you much more than you think in the long run. Setting aside the legal ramifications of software piracy for the moment, the popular Peer-to-Peer (P2P) file-sharing applications also introduce inherent security risks to your organization or home PCs. The nature of these file-sharing applications is entirely decentralized; there is no central administration or monitoring of shared software or content. A significant result of this is that there is simply no way to be certain that any software offered by these services is free from viruses, Trojans, or other pieces of malicious code. This is even spelled out by the makers of P2P software, as in this disclaimer on the KaZaA Web site: “Most files that are accessible using KaZaA Media Desktop originate from other users. This means that there will always be the risk of irresponsible users introducing viruses…” (www.kazaa.com/en/help/ virus.htm) Put simply, there is no guarantee that the software package a user downloads is what it purports to be. This creates an incredibly simple medium for virus writers to propagate their destructive creations. These malicious code writers often bank on the gullibility of some users of P2P networks: by giving a file the name of a popular song, movie title, or software application, many people will jump to download it without a thought. For reasons relating to both legal liability and potential security hazards, properly licensed software is a must for any well-managed corporate environment. Symantec software should be no exception, especially given the attractive licensing programs available even to small and mid-sized companies.

www.syngress.com

63

64

Chapter 2 • Designing a Managed Antivirus Infrastructure

WARNING Any discussion of actual dollar amounts in the next section is intended as a guesstimate only; prices of software, like anything else, will fluctuate over time and vary by region. Consult your Symantec representative or computer reseller for actual pricing information before making any final decisions.

The Symantec Value Program Symantec has designed the Value Program for small- to medium-sized businesses. This program allows you to purchase as few as ten licenses for a variety of Symantec products, including NAVCE. If your organization requires additional Symantec products, you can combine these purchases to achieve an even more attractive pricing structure.You can enter the Value Program with an order of as few as ten desktop licenses, making it quite cost-effective even for a Small Office/Home Office (SOHO) organization.You can also combine purchases of different Symantec products to increase your discount level even further. Qualifying products within the Value Program can include that shown in Table 2.1 (this list is subject to change, consult your product reseller for the most current information). Table 2.1 Symantec Value Program Representative Qualifying Products Product Groups AntiVirus AntiVirus Web servers

WinFax PRO Symantec Enterprise Firewall Symantec Ghost Desktop Firewall Symantec pcAnywhere Symantec Web Security Norton Utilities Symantec CarrierScan ProComm Plus Symantec Enterprise Security Manager (ESM)

Symantec Intruder Alert Symantec NetProwler Symantec NetRecon Symantec I-Gear Symantec MailGear

As you can see, even an extremely small office can qualify for bulk pricing in this example: three copies each of Norton AntiVirus, WinFax PRO, and Norton Utilities would immediately qualify a SOHO installation for bulk licensing under

www.syngress.com

Designing a Managed Antivirus Infrastructure • Chapter 2

the Value Program.This provides organizations with an elegant alternative to purchasing multiple retail copies of Symantec products to meet their licensing requirements; and the certificate-based licensing allows companies to conveniently license additional Symantec software with nothing more than a purchase order. Certificate-based licensing means that, rather than receiving ten, 50, or 100 individual shrink-wrapped copies of the product in question, you’ll receive a certificate from Symantec that explains all of the terms and conditions of your licensing agreement. If you need to purchase additional licenses, you’ll simply receive a new certificate reflecting the additional –license purchase.The Value Program offers the pricing levels shown in Table 2.2, with the per-unit price decreasing as the purchase “band” increases. Table 2.2 Representative Purchase Levels within the Value Program Band

Quantities (U.S.)

S A B C D E F

1–9 (this refers to server products only) 10–24 25–99 100–249 250–499 500–1,999 2,000+

When weighing your licensing options, keep the following key points of the Symantec Value Program in mind: ■

Delivers substantial benefits through a single transaction



Offers multiple discount levels starting with purchases of as few as one server or 10 desktop licenses



Greater discounts available through “mix-and-match” purchases of related Symantec products



Meets licensing requirements for as few as 10 PCs up to 2000 seats and higher



Provides upgrade insurance and technical support for many antivirus and content filtering products

www.syngress.com

65

66

Chapter 2 • Designing a Managed Antivirus Infrastructure ■

Supports academic institutions with special pricing



Requires no commitment beyond a one-time purchase

When you make a Value Program purchase, you also have the opportunity to purchase a software maintenance program from Symantec, currently referred to as Gold Maintenance. Gold Maintenance offers a comprehensive program of software protection including Upgrade Insurance, premiere technical support resources, and access to security and virus signature content updates where applicable. Upgrade Insurance will qualify your organization for a free copy of any product upgrades released during the term of the maintenance contract, thus defusing the argument of “As soon as I buy a new software package, something better will come out the following week.” Maintenance packages are available for most products purchased through the Value Program, and are bundled with most antivirus and content filtering product licenses. With the Value Program, companies of any size can now take advantage of consistent licensing, discounts, and product support in one easy step. With a simple ordering process and low entry requirements, the Value Program offers an ideal licensing solution for small- to mid-sized companies who want to maintain their licensing compliance as well as maximize the value of their investment in Symantec software products.

Symantec Elite Program Designed for companies with more substantial license requirements, the Symantec Elite Program offers enterprise-level organizations the flexibility to manage and control repeating software purchases in order to maximize the longterm value of their software investment dollars.The Value Program offers the pricing levels shown in Table 2.3, with the per-unit price decreasing as the purchase level increases. Table 2.3 Representative Pricing Structure for the Symantec Elite Program Band

Minimum Purchase Amount

A B C

$75,000 $125,000 $175,000

The Elite Program offers two contract-based plans that will lock in attractive benefits and pricing structures throughout the term of the contract. Like the www.syngress.com

Designing a Managed Antivirus Infrastructure • Chapter 2

Value Program, both of the Elite Program options allow you to combine Symantec products to increase your purchasing leverage, and both offer increasingly large discounts for larger volume purchases.

The Commit Option The Commit option allows organizations to immediately maximize their volume discounts based on an up-front purchase.The established price band will then be valid for the two-year term of the contract. In other words, if your organization makes an initial purchase in the Band C pricing structure, any additional purchases made during the term of the contract will reflect the Band C per-unit pricing.

The Forecast Option The Forecast option allows companies to minimize their up-front costs by only requiring an initial purchase equaling 25 percent of their two-year forecast.Your company’s actual purchases under this option will be compared against this initial forecast on an annual basis, at which time any adjustments to pricing bands and arrangements can be made, if necessary. So, if your company enrolls in the Forecast Option at the representative Band C level listed in Table 2.3, they would make an initial outlay of at least $43,750 USD. ($175,000 USD multiplied by 25 percent or .25). If your company decides at the end of the year that they will not be able to meet the $175,000 purchase commitment during the two-year contract term, their pricing structure will be reassessed to Band A or Band B, and any billing adjustment will be made accordingly.

Support for Decentralized Purchasing Depending on your company’s organizational structure, under the Elite Program you can make purchases centrally for the entire enterprise, or on a decentralized basis at the branch, subsidiary, or cost-center level.These individual business units will still be able to receive the same pricing and support structure regardless of where the purchase originated.This can also allow individual offices to choose their own local resellers and support options, and even maintain separate copies of their purchase confirmations and licensing documentation if necessary.This option would be most attractive for a parent company with multiple child organizations that may not be managed as a single cohesive unit, or for a company with an international presence.

www.syngress.com

67

68

Chapter 2 • Designing a Managed Antivirus Infrastructure

When deciding which licensing option is the right decision for your company, here are some key benefits of the Symantec Elite Program to consider: ■

Offers two-year contracts with a streamlined legal review process for organizations whose license purchasing requirements begin at $75,000 USD MSRP



Allows organizations to structure their purchasing power centrally or at the subsidiary level



Offers the flexibility to accommodate different business models via Commit and Forecast contract options



Provides increasing licensing incentives through three discount pricing bands



Delivers consistent terms and conditions to business locations worldwide



Provides upgrade protection and technical support via the Gold Maintenance offering

When you make a licensing purchase through the Elite Program, your company will be required to purchase a Symantec maintenance package (currently the Gold Maintenance offering) for the duration of the contract term.This is the same maintenance program offered in conjunction with the Value Program, offering upgrade insurance, technical support, and product updates where applicable for as long as you are enrolled in the Elite Program. Purchasing the Gold Maintenance program will boost the usefulness of your Symantec software installations by providing the technical support whenever necessary, as well as delivering the latest software upgrades and updates whenever new versions are released. As you can see, the Elite Program allows an enterprise-level organization to control their software purchasing in order to gain the maximum benefit from their volume purchases. With two contractual purchasing options designed with flexibility in mind, Symantec can offer organization with different purchasing policies and structures attractive options for gaining greater value from their software license purchases. END USER

Product Offerings If you need to provide antivirus protection for server hardware in addition to your network client PCs, Symantec offers multiple product options within either www.syngress.com

Designing a Managed Antivirus Infrastructure • Chapter 2

of the licensing programs discussed earlier. (Server products can also be purchased on an individual basis.) Depending on your purchasing decision, you can provide antivirus protection for the following products and platforms through Symantec’s licensing programs: ■

Windows 2000 Server Family



Windows NT 4.0 SP 6.0a Server



Windows Small Business Server



Windows Terminal Services



Novell NetWare 5.x/6.x



MS Exchange 5.0 (or later) on Windows NT/2000



MS Exchange 2000



Lotus Notes/Domino 5.0.8 (or later), running on Windows NT/2000



SMTP Internet Email Gateways on Windows NT/2000



SMTP Internet Email Gateways on Solaris



Firewalls on Windows NT/2000



Firewalls on Solaris

In addition, you can purchase antivirus products for network clients running any of the following platforms: ■

Windows XP Home



Windows XP Professional



Windows 2000 Professional



Windows NT 4.0 Workstation



Windows 98/ME



Macintosh OS/8 (or later)

NOTE As with all of the information discussed in this section, consult your Symantec representative or computer reseller for the most current list of product availability and pricing options.

www.syngress.com

69

70

Chapter 2 • Designing a Managed Antivirus Infrastructure

Summary Norton AntiVirus Corporate Edition has introduced server groups as an administrative model to maintain and configure your network’s antivirus software protection. In this chapter, we discussed the salient details of server groups and their component pieces: primary servers as the primary point of contact in performing updates to your client configurations, secondary servers that provide load balancing in disseminating those updates to NAVCE clients, and master primary servers that act to create a consistent level of antivirus protection across multiple server groups in an enterprise NAVCE implementation.You can mix and match these three server roles to create an optimum administrative model for your antivirus management needs. Once we covered the steps necessary to configure NAVCE servers within a server group, we then moved on to the various management options available for NAVCE client computers. Machines that are attached to a corporate network on a consistent basis can be best managed through the SSC console, where they can send and receive updates and status messages as often as necessary. Unfortunately, as the client’s level of connectivity with a central network decreases, so does the level of flexibility and control in maintaining antivirus protection. Luckily, NAVCE offers the ability to control these lightly managed clients through the use of customized grc.dat files that will still allow you to exert some modicum of control over the NAVCE configuration of remote and lightly managed client machines. Finally, on the other end of the spectrum from clients that you can manage 24/7 via the SSC, you’ll configure unmanaged clients to allow the enduser full control over maintaining and updating their own definition files. The final topic in this chapter revolved around choosing the appropriate Symantec licensing structure to meet your company’s needs. Each workstation and server requires a license for Norton AntiVirus as well as any other Symantec products in use on your network, and Symantec has created several licensing options to provide discounted pricing on bulk purchases. While the specific pricing of Symantec products will vary over time and by geographic region, hopefully we’ve provided a good overview of the program options currently available to you so that you can make an intelligent decision with the help of your Symantec representative or computer reseller of choice.

www.syngress.com

Designing a Managed Antivirus Infrastructure • Chapter 2

Solutions Fast Track Understanding NAVCE Server Groups ; Server groups provide a mechanism to organize and update a large

number of NAVCE clients and servers as one logical unit.

; Designed to simplify administration of your NAVCE installation, server

groups can contain NetWare servers as well as most flavors of Windows operating systems in a single group, allowing all of your operating systems to possess a uniform configuration standard.

; NAVCE server groups should adhere to your network’s physical

structure, taking care to avoid creating server group memberships that span wide area network (WAN) links.

Planning NAVCE Server Roles

; Each NAVCE server group contains a single primary server that acts as

the point of contact for all configuration changes and updates.

; Secondary servers receive updates from the primary server and then

distribute them to the NAVCE clients within the server group. If there aren’t any secondary servers in the group, the primary server will broadcast updates directly to the clients.

; Use a master primary server in an environment with multiple server

groups in order to maintain a consistent set of antivirus definitions and program updates across your entire enterprise.

Determining NAVCE Client Configurations

; Managed and sometime managed clients should be those machines that

are consistently attached to the same network segment as the primary and secondary servers in the NAVCE server group.

; Use a third-party utility or encrypted file transfer to distribute updated

grc.dat files to your sometime managed clients.

; Unmanaged client updates occur at the discretion of the person or

persons using the PC. User training regarding the importance of regular

www.syngress.com

71

72

Chapter 2 • Designing a Managed Antivirus Infrastructure

updates is paramount to ensure that these clients maintain an appropriate level of antivirus protection.

NAVCE Licensing ; Appropriate software licensing is critical for any business, both from a

legal perspective, as well as from the standpoint of network security.

; The Symantec Value Program provides a simple way for small- to mid-

sized companies to take advantage of bulk licensing and discount pricing.

; Enterprise-level implementations may wish to consider the Elite

Program, which allows you to pay in full up-front or base your purchases on a two-year forecast.

Frequently Asked Questions The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: I have changed the password associated with my NAVCE server group several times, and I now need to uninstall the client software from several PCs. How can I change the password required to uninstall the NAVCE client software?

A: To change the password needed to uninstall the client software, follow these steps: 1. Open the Symantec System Center. 2. Unlock the server group in question. 3. Right-click the server group, and click All Tasks | Norton AntiVirus | Client Administrator Only Options. 4. On the Security tab shown in Figure 2.12, verify that Ask for password to allow uninstall of Norton AntiVirus client is checked, and then click Change.

www.syngress.com

Designing a Managed Antivirus Infrastructure • Chapter 2

Figure 2.12 Changing the Client Administrator Password

5. Type the new password twice to confirm, and then click OK twice. Now that you’ve changed the password at the server, you’ll probably want to propagate the change out to your clients as quickly as possible.To do this, right-click the server group again, then click All Tasks | Norton AntiVirus | Client Realtime Protection Options.You’ll see the screen shown in Figure 2.13. Click Reset All to push the new password to your NAVCE client computers. Figure 2.13 Resetting Client Protection Options

Q: I accidentally entered the wrong username and password when installing the NAVCE server software on my Novell Server. I was able to provide the

www.syngress.com

73

74

Chapter 2 • Designing a Managed Antivirus Infrastructure

correct name when I launched the program, but now it isn’t functioning correctly.

A: Entering the incorrect password on the NetWare server caused the NetWare groups “nortonantivirususer” and “nortonantivirusadmin” to not be assigned the appropriate file system rights on the SYS: drive of the NetWare server. You can uninstall and reinstall using the appropriate username and password, or else manually create the following rights assignments for those two groups (in Table 2.4, R=Read, W=Write, C=Create, M=Modify, and F=FileScan): Table 2.4 File and Folder Permissions in NetWare File/Folder

Rights Assignment

SYS:NAV SYS:NAV\Alert SYS:Login\Nav SYS:Login\Nav\I2_LDVP.TMP SYS:Login\Nav\I2_LDVP.VDB SYS:Login\Nav\VPTEMP

RF RWCF RWCMF RWCMF RWCMF RWCMF

Q: Can I provide definitions of file updates to the users of my unmanaged NAVCE clients?

A: Use the Definition Updater (located on Disc 1 at ~\prodmgmt\nosuprt\mobileup), which allows your Distribution Console to e-mail updates to clients with the appropriate agent installed. Check the administration manual for installation and configuration details.

Q: If I have a client connected to a secondary server that’s connected to a primary server, which is in turn connected to the master primary server, why don’t I just have the immediate parent server download the latest virus definitions directly from Symantec?

www.syngress.com

Designing a Managed Antivirus Infrastructure • Chapter 2

A: Using a master primary server guarantees that the definitions’ levels will be the same for your entire enterprise. Delegating definitions downloads to lower-level servers may result in differing virus definitions being available from one server group to the next, potentially allowing a virus infection to enter. Using a master primary server can also limit your organization’s exposure to Internet traffic, since only the master primary server will need to traverse outside of the corporate LAN to download definition and product updates.

www.syngress.com

75

Chapter 3

Implementing Symantec System Center and Alert Management System2 (AMS2) Solutions in this chapter: ■

Understanding the Symantec System Center



Implementing the Symantec System Center



The Symantec System Discovery Process



Introducing Alert Management System2



Implementing AMS2



Configuring AMS2 Alerts



Managing Configured Alerts



NAVCE Notification Methods Not Requiring AMS2

; Summary

; Solutions Fast Track

; Frequently Asked Questions

77

78

Chapter 3 • Implementing Symantec System Center and Alert Management System2

Introduction In this chapter, we’ll explore two components that make the overall Norton AntiVirus Corporate Edition (NAVCE) product such a successful tool in the fight against computer viruses: the Symantec System Center (SSC) and the Alert Management System2 (AMS2). First, we’ll learn about the SSC: what the SSC is, how it fits into your antivirus strategy, its minimum system requirements, and what configuration is recommended to receive the best performance. Afterward, we’ll explore the various features of the SSC and how you can use them to manage NAVCE clients and servers in your enterprise.Then, we’ll introduce add-ons to the SSC, and explain how they can enhance your management capabilities even further. Following that, you will learn how to install the SSC and its add-ons.The services that the SSC requires to function will be explained, and you will be guided through troubleshooting SSC operation, including how to uninstall the SSC and its add-ons, if necessary. From there, we will examine the discovery process the SSC uses to find manageable resources.You will learn about the different types of discovery the SSC has available, how to configure them, and the network bandwidth that the SSC will utilize. We will then delve into the AMS2, discussing how the AMS2 allows you to monitor your anti-virus system through various alerts. We will explore how the AMS2 is implemented, by detailing the installation procedure, its minimum system requirements, and the services required for its proper operation.You will also be given basic information on how to troubleshoot the AMS2, or uninstall it if you need to. From there, we will discuss configuring each of the AMS2 alerts, how to manage them, and explain other available alert options that don’t require the AMS2 at all. By chapter’s end, you should have a thorough knowledge of the SSC and AMS2, and how it will enable you to use the NAVCE product to its fullest potential.

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

Understanding the Symantec System Center The Symantec System Center (SSC) is a console snap-in to the Microsoft Management Console (MMC).The MMC is an extensible, common interface for management applications. It’s been included in the Windows operating system since Windows NT–based Internet Information Server (IIS), and was finally standardized in Windows 2000.The MMC will also run on Windows NT 4.0, Windows 95, and Windows 98, and offers a common central framework for management snap-ins, provided by Microsoft (like Systems Management Server and SQL Server) and third-party software vendors.These snap-ins provide the actual management behavior; the MMC itself does not provide any management functionality being essentially the tool you use to centrally manage and utilize any number of such utilities.

NOTE The MMC is very customizable, but you can’t just add anything to it. Some products will not allow the customization of the MMC as an addin or removable snap-in. The SSC cannot be augmented in anyway. This discussion, with regards to the MMC, is to show you how the SSC is modeled. You can create a new MMC for yourself by selecting Start | Run and typing in MMC /a. You can add a new snap-in by choosing Console | Add/Remove Snap in…, clicking Add, and then saving the console with an *.msc extension. For more information on the MMC, visit the MMC Web site: www.microsoft.com/windows2000/techinfo/ howitworks/management/mmcover.asp.

The SSC provides a centralized interface that allows you to manage your entire NAVCE implementation from one console.This console is one of the main reasons NAVCE is such a successful product for helping protect network environments from computer virus infection. With it, you will be able to keep track of almost every aspect of your anti-virus strategy you have leveraged with NAVCE, and will be able to perform the following tasks and more: ■

Implement and manage server groups From the SSC console, you can create new server groups, delete or rename current server groups,

www.syngress.com

79

80

Chapter 3 • Implementing Symantec System Center and Alert Management System2

move servers from one server group to another, and configure settings that will apply to all servers that belong to a server group. ■

Remotely perform manual virus scans and sweeps In emergency situations, you can remotely initiate fully configurable virus scans of single or multiple computers, or virus sweeps of entire server groups and all of their clients. With this functionality, you are able to start a virus scan of every NAVCE resource you manage on your network with a few mouse clicks in the SSC console.



Configure virus definition update options The SSC allows you to configure all of your NAVCE resources for one or multiple virus definition update schemes, be it LiveUpdate or virus definition sharing. More details about these options can be found in Chapter 10.



Configure scheduled virus scans Through the SSC console, you can set up virus scans of varying configurations that can run daily, weekly, or monthly at a specific time you specify.You can set up these scans for entire server groups as well as specific servers, all the way down to the client level.



Configure real-time virus scanning options for servers and clients Using the SSC, you can configure every aspect of real-time scanning for the clients and servers in your enterprise without visiting each individual client or server.You can configure clients and servers with different options, if different levels of protection are required.You can also configure client and server scanning options for an entire server group, to make management of configuration easier.



Configure and manage AMS alerts You can configure the AMS2 alerts for all of your server groups through the SSC console, giving each server group a different alert configuration depending on your needs. More information on configuring and managing alerts will be discussed later in this chapter.



View detailed NAVCE client information From the SSC console, you will be able to view detailed information about your clients and servers, such as the last completed virus scan, the date of virus definitions, the scan engine version, IP address, and client/server status.

2

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

The basic install includes the SSC console and the AMS2 console.The SSC management capabilities can be enhanced by other Symantec add-ons that will be discussed later in this chapter.

SSC Minimum Requirements The minimum requirements to install the SSC are as follows: ■

Windows NT 4.0 with Service Pack (SP) 5 or later, Windows 2000, or Windows XP Professional.



Microsoft Management Console (MMC) version 1.2 or later (installed by default in Windows 2000 and Windows XP Professional).



Microsoft Internet Explorer 5.5 with SP1 (Windows XP Professional comes with Internet Explorer 6.0 installed by default).



32MB RAM (64MB RAM recommended).



A Pentium 166MHz or higher processor.



22MB hard disk space (30MB during installation). If the MMC is not installed, add an additional 3MB of hard disk space (10MB during installation).



A network configured to use the TCP/IP and/or the IPX protocol.



Administrator rights to the system where you are installing the SSC.

Notes from the Underground… System Requirements Remember, you should never use the bare minimum requirements suggested by the vendor unless you plan on having a system that suffers from slow performance or degradation as you actually use the system. With the preceding list of requirements, always remember to (at minimum) double the requirements on a production server. I would recommend from personal experience that you don’t deploy this product with only 32MB slated for memory usage. NAVCE is a very memory-intensive product (which is as it should, given it scans memory for issues) and you Continued

www.syngress.com

81

82

Chapter 3 • Implementing Symantec System Center and Alert Management System2

should not skimp on this hardware requirement at all. I run my NAVCE system with a minimum of 512MB of RAM. In Figure 3.1, you see that it is indeed possible to run the console using only 10–15 MB of memory (note it shows up as the MMC!). Just be aware of each component you are running, and check it with the Task Manager (or System Monitor) so you understand the resource usage for your production systems.

Figure 3.1 Task Manager

Although this is only a console, you never know where you may launch it. If you launch it from a workstation, then you have to make sure you have the minimum memory to launch it. In the example shown in Figure 3.1, the console was launched from the server. As you can see, it really doesn’t matter where you run it, just make sure the proper requirements are available. In summary, do not think that the SSC is NAVCE… the requirements list is separate from the SSC. With such a modular product, it’s necessary to think this way, otherwise you may wind up with a slow running system from which you are trying to administer the NAVCE product.

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

Additional Requirements for SSC Snap-ins If MMC 1.2 is not present on the computer where you are installing the SSC, the installation program will load it automatically. If the system does not meet Internet Explorer requirements, you will be prompted to upgrade your Internet Explorer to the proper version.

Recommended Configurations It is recommended that your system have at least the minimum system requirements for the operating system you will use the SSC on.Therefore, you will also have to factor in the additional requirements for the SSC, as well as the snap-ins you are planning to implement. Next, for optimum performance, multiply those numbers by a factor of two or more, depending on the daily rigors of your system. If all you are going to do on the system is manage your implementation of NAVCE, then your requirements for optimum performance will not be as high as if you use other management tasks simultaneously. For example, Microsoft lists minimum system requirements for Windows 2000 as the following: ■

A 133MHz or higher Pentium-compatible CPU



256MB of RAM



2GB of hard disk space with a minimum of 1GB free space

With that in mind, you can see that some of Windows 2000’s minimum requirements are different than those needed to run the SSC. If you merge the two lists and take into account what you will need to run both, the minimum requirements might look something like this: ■

A 166MHz Pentium processor



256MB of RAM



2GB of hard disk space with a minimum of 1GB free space



Microsoft Internet Explorer 5.5 with SP1



A network configured to use the TCP/IP and/or the IPX protocol



Administrator rights to the system where you are installing the SSC

www.syngress.com

83

84

Chapter 3 • Implementing Symantec System Center and Alert Management System2

For optimum performance, your system requirements would approximate these specifications: ■

A 500MHz Pentium III processor



512MB of RAM



4GB of free hard disk space



Microsoft Internet Explorer 5.5 with SP2 and the latest Microsoft security patches



A network configured to use the TCP/IP and/or the IPX protocol



Administrator rights to the system where you are installing the SSC

To some, this might look like overkill, but following these guidelines when configuring your system to use the SSC, should allow for the most stable environment possible.Table 3.1 outlines the recommended configurations for each operating system. Table 3.1 Recommended Operating System Requirements Operating System Windows NT 4.0 (SP6a) with latest security patches Windows 2000 (SP3) with latest security patches Windows XP (SP1) with latest security patches

System RAM

Free Hard Drive Space

Internet Explorer Version

Pentium II 266MHz

128MB

1GB

5.5 SP2 and latest security patch

Pentium III 500MHz

512MB

4GB

6.0 SP1 and latest security patch

Pentium III 850MHz

512MB

10GB

6.0 SP1 and latest security patch

Processor

www.syngress.com

Other MMC 1.2, CD-ROM

Implementing Symantec System Center and Alert Management System2 • Chapter 3

Designing & Planning… The SSC and How It Uses Its Supported Protocols If you are supporting both Windows and NetWare operating systems, you should install both TCP/IP and IPX protocols on the computer that will be running the SSC. Windows systems will try to connect to NetWare servers first by IPX, and then try to connect with TCP/IP. Having both protocols installed in this case, may enhance SSC performance. You will also need to steer clear of using the SSC over a link that does not use the same protocols on the other side of the link. For example, if you try to connect to servers and clients on one side of a WAN link that are only running IPX, and the side that you are on is TCP/IP only; then those servers and clients will not be visible. By default, the IPX protocol will be used if both TCP/IP and IPX are present. If a server is only running TCP/IP and the client has both TCP/IP and IPX, then you may lose client communication to the console. In cases like this, you can set the preferred protocol you want to use on servers and clients by going to the HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\ CurrentVersion key in the Registry and finding the PreferedProtocol value. To use TCP/IP, set the PreferedProtocol value to a DWORD value of 0x00000000 (0), or 0x00000001 (1) to use IPX. To make the changes take effect, start and stop the NAV service.

Exploring SSC Features The SSC is a very powerful tool for managing your implementation of NAVCE. With all its snap-ins installed, you will be able to perform a multitude of configuration and management tasks on your NAVCE servers and clients without having to leave your desk. In this part of the chapter, we will explore the features of the SSC and the snap-ins that are available to enhance its functionality. The SSC is also a multiple platform management tool. It can manage and configure NAVCE clients and servers on the following operating systems. For clients: ■

Windows 3.x and DOS (these systems do not appear in the SSC console, but are included in a virus sweep when their parent server starts one)



Windows 95/98/Me www.syngress.com

85

86

Chapter 3 • Implementing Symantec System Center and Alert Management System2 ■

Windows NT 4.0



Windows 2000



Windows XP

For servers: ■

Windows NT 4.0



Windows 2000



NetWare 3.12 and 3.2 (without Quarantine Server support); NetWare 4.11 with SP 7; NetWare 4.20, with or without SP7; NetWare 5.0, with or without SP2; NetWare 5.1

SSC will also work with Server Discovery. In most instances, the SSC will automatically discover manageable clients and servers with the SSC Discovery Service and add them to the console.This will be discussed in more detail later in the chapter. Let’s take a look at how Discovery services works with the SSC.

Discovery Services In other instances, some of the SSC features, like those listed next, enhance the SSC’s discovery capabilities. ■

IP Discovery The IP Discovery function of the SSC will discover resources for managing either by IP address or IP subnet.



Importer.exe The Discovery service that the SSC uses relies upon WINS name resolution. In an environment like a pure Windows 2000 network in which WINS is unavailable, you can use the importer.exe command line tool to import computer information from a text file into the address cache of the computer using the SSC.

Server Groups Administration The SSC allows you to perform several management and configuration tasks for server group administration, like those described next. ■

Configuring NAVCE Server Groups In the SSC, you can create and manage server groups, which can share a common configuration for ease of administration.This is discussed in detail in Chapter 2.

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3 ■

Configuring NAVCE for Server Groups Members You can also configure your server groups to combine all of your servers into one server group, regardless of operating system, so your Windows-based servers can be managed along with your Novell-based servers.This can be accomplished by either assigning each new NAVCE server to the same group, as they are created, or dragging and dropping servers from one group to another as needed.



Deploy the NAVCE Client to Windows NT/2000/XP Computers With the Remote Client NT Installation add-on installed, you can deploy the NAVCE client to any Windows NT-based system remotely, right from the SSC interface.This method of deploying NAVCE clients is discussed in detail in Chapter 6.



Deploy NAVCE Server to Windows NT/2000 Computers With the Norton AntiVirus Server Rollout add-on, you can also deploy the NAVCE server program to Windows NT/2000 workstations and servers remotely from the SSC interface.This method of deploying NAVCE servers will be discussed in detail in Chapter 5.

Task Initiation The SSC is capable of initiating numerous tasks that allow you to easily complete NAVCE management functions that may be repetitive, or involve visits to multiple computers. Some of these tasks include the following: ■

Performing virus scans anywhere in the SSC System Hierarchy, be it at the server group, server, or client level.



Viewing file system protection status in real time.You can actually watch files on NAVCE clients as they are being scanned.



Viewing NAVCE events and virus activity for an entire server group, or any NAVCE server or client individually.



Viewing and managing configurations for an entire server group or any NAVCE server or client.

Managing Alerts The SSC allows you to configure and manage all of the alerts from your NAVCE implementation from one central location.You can either set up alerting for your www.syngress.com

87

88

Chapter 3 • Implementing Symantec System Center and Alert Management System2

server groups separately, or set up alerts for one of your server groups, and then export them to your other server groups so you will have identical alert configurations.

Remote Capabilities The SSC has a variety of remote administration capabilities built-in. Some of the tasks you can perform include: ■

Initiating Virus Scans With the SSC, you are able to initiate a virus scan on a NAVCE server or client manually and have it start immediately with the options you determine. It is also possible to start a virus sweep of all NAVCE systems in your organization with just a few clicks of the mouse.



Updating Virus Definitions With the SSC Virus Definition Manager feature, you can manually initiate a download of updated virus definitions for all the servers contained in a server group in an emergency situation, instead of waiting for the regularly scheduled time.



Remote Client and Server Installation With the appropriate administrative rights and the Remote Client NT Installation and Norton AntiVirus Server Rollout add-ons, you can remotely install the NAVCE client or server on any Windows NT-based network computer which meets system requirements.

Symantec Snap-ins for SCC The following snap-ins can enhance the SSC’s management functionality past its basic features. In the next few sections, we will explore the following snap-ins: ■

The AMS2 snap-in



The Norton AntiVirus Corporate Edition management snap-in



Symantec System Center Console add-ons

AMS2 Snap-in This essential console add-on allows you to manage and configure AMS2 notifications for your entire NAVCE implementation from one central location. More detail about this console’s vast capabilities is given in the section of this chapter devoted to the AMS2 system. www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

The Norton AntiVirus Corporate Edition Management Snap-in The NAVCE management snap-in allows control over settings on NAVCE clients and servers. Some of the management capabilities include locking settings on clients and managing the download and distribution of up-to-date virus definition files.This snap-in also allows for the viewing of more detailed information in the SSC console, like the date of the client’s last virus scan, the scan engine version, and the date of the virus definition files.This difference is shown in Figures 3.2 and 3.3. Figure 3.2 Console View without the NAVCE Management Snap-in

Symantec System Center Console Add-ons This snap-in gives you two options: ■

Norton AntiVirus Server Rollout Copies all the files necessary to remotely deploy the NAVCE server install to a computer through the SSC without the need of a CD.



Remote Client NT Installation Copies all the files necessary to remotely deploy the NAVCE client install to a computer through the SSC without the need of a CD. www.syngress.com

89

90

Chapter 3 • Implementing Symantec System Center and Alert Management System2

Figure 3.3 Console View with the NAVCE Management Snap-in

Implementing SSC In this section, you will learn how to install and configure the SSC and its addons.The installation process of these programs is fairly straightforward, and resembles most Windows-compatible software installations.To install the SSC and its add-ons, follow the directions in the next section.

Uninstalling Legacy NAVCE and LANDesk Products Before you can install the SSC on your computer, you must first uninstall NAVCE 6.0 or LANDesk Virus Protect.To uninstall LANDesk Virus Protect, go to the Add/Remove Programs applet in the Control Panel, or run the vpremove.exe program found in the main LANDesk folder. NAVCE 6.0 can also be uninstalled from the Add/Remove Programs applet in the Control Panel.

WARNING If you have older versions of SSC and NAVCE installed, upgrade to SSC 4.6 and NAVCE 7.6. Do not mix older versions with newer ones on the same computer, as this could make the SSC not work properly.

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

Installing SSC To install the SSC on a computer, follow these steps: 1. Insert Disk 1 of the NAVCE CDs into your CD-ROM drive. Unless you have Autoplay disabled, the install interface will automatically run (Figure 3.4). If you have Autoplay disabled, you can start the install interface by going to the root of the NAVCE CD and running cdstart.exe. Figure 3.4 The Install Menu from CD 1

2. Click Install Symantec System Center. 3. After reading the Welcome screen, click Next (Figure 3.5). Figure 3.5 The Starting Dialog for the SSC Installation

4. Read the Software License Agreement, and make sure you can accept all of the terms it describes. If this is acceptable, click Yes.

www.syngress.com

91

92

Chapter 3 • Implementing Symantec System Center and Alert Management System2

5. On the next screen (Figure 3.6), you will be given the choice of the components you want to install. If the MMC is checked, then it is not present on your system.You can not uncheck this option if you want the install to continue. After selecting the components you want to install, click Next. Figure 3.6 SSC Component Install Options

6. You are then given the choice as to where you wish to install the SSC (Figure 3.7). Click Next to accept the default location, or navigate to select a different folder by using the Browse button.This option comes in handy if there isn’t enough free hard drive space to install the SSC to the default location.You can then select a hard drive that does have enough free space. Once you have selected the folder you want, click Next. Figure 3.7 The Choose Destination Location Dialog

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

7. The install of the SSC will then begin. If the MMC install runs, you may be asked to reboot your computer after the MMC install is finished. If this happens, you should choose NOT to reboot your computer; so the rest of the SSC install can complete.You should reboot your computer after the entire SSC installation is completed (Figure 3.8). Figure 3.8 The SSC Setup Completion Screen

NOTE If your computer is set up to boot from the CD-ROM drive, you might want to make sure you remove the CD from the CD-ROM before the install completes, as your computer will boot up to the Norton AntiVirus Emergency Disk utilities that are contained on CD 1.

Installing the AMS2 Snap-in This snap-in is essential to managing and configuring AMS2, and should be installed when the SSC is installed. If you did not install the AMS2 console, rerun the SSC install on CD 1 and choose the option to install the AMS2 console. AMS2 will be discussed in more detail later in the chapter.

Installing the Norton AntiVirus Corporate Edition Management Snap-in The install for this snap-in is located on NAVCE CD 2.To complete the install, follow these instructions. www.syngress.com

93

94

Chapter 3 • Implementing Symantec System Center and Alert Management System2

1. Insert Disk 2 of the NAVCE CDs into your CD-ROM drive. Unless you have Autoplay disabled, the install interface will automatically run (Figure 3.9). If you have Autoplay disabled, you can start the install interface by going to the root of the NAVCE CD and running cdstart.exe. Figure 3.9 The Install Menu for CD 2

2. Click Install Norton AntiVirus Snap-in. 3. After reading the Welcome screen, click Next. 4. Read the Software License Agreement and make sure you agree to all of the terms it describes. If they are acceptable, click Yes. 5. You are then given the choice of where to install the Norton AntiVirus Snap-in. Click Next to accept the default location, or navigate to select a different folder by using the Browse button. Once you have selected the folder you want, click Next. 6. The install will then begin. When complete, click Finish.

Installing Symantec System Center Console Add-ons Follow these steps to install the SSC add-ons: 1. Insert Disk 2 of the NAVCE CDs into your CD-ROM drive. As long as you have Autoplay disabled, the install interface will automatically run. You can then call up the install interface by going to the root of the NAVCE CD and running cdstart.exe. 2. Click Install Symantec System Center Console Add-Ons. 3. After reading the Welcome screen, click Next. www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

4. Read the Software License Agreement and make sure you agree to all of the terms it describes. If they are acceptable, click Yes. 5. You are then given options as to what you wish to install. Check the box in front of the option or options you want, and then click Next. 6. You are then given the choice of where to install the Norton AntiVirus Snap-in. Click Next to accept the default location, or navigate to select a different folder by using the Browse button. Once you have selected the folder you want, click Next. 7. The install will then begin. When it completes, click Finish.

Understanding SSC Services Running on Windows NT/2000 Servers When you install the SSC on a Windows-based system, it also installs certain services that are required for the SSC to function. ■

Symantec System Center Discover Service (nsctop.exe) This is the main SSC Discovery service that finds NAVCE servers on the network. It is set to run at system startup automatically, and will run even when the SSC is not opened.



Intel Ping Discovery Service (pds.exe) This service is for discovering products on the computer that the SSC installed. Applications from other NAVCE clients and servers register with this service, and it also sends pong packets in response to ping requests. It loads on 38293 for IP, and 34903 for IPX.

Troubleshooting: The SSC Does Not Retain Configuration Settings After setting a NAVCE server or client configuration with the SSC, you will notice the old settings have returned the next time you open the SSC.This may indicate that the parent server to the NAVCE server or client is not receiving configuration information from the SSC.To correct this, do the following: 1. Verify that the Norton AntiVirus Server, Symantec System Discovery, Intel PDS, Intel Alert Handler, and Intel File Transfer services are all started. www.syngress.com

95

96

Chapter 3 • Implementing Symantec System Center and Alert Management System2

2. If they are, stop and start each of these services. Look for any error messages and check the Event Logs for errors. If this does not provide a solution, uninstall and reinstall the affected NAVCE server or client.

Troubleshooting: If You Don’t See Clients in the SSC If you think you have clients that are not showing up under their parent server in the SSC, you can do the following: 1. Examine the following Registry key on the parent server: HKEY_LOCAL_MACHINE\Software\Intel\Landesk\VirusProtect6\ CurrentVersion\Clients. If the parent server has received communication from the client in the past three days, then the client should be listed under this key. 2. If there are clients listed in this Registry key that are not showing up in the SSC, try refreshing the SSC cache.The steps to do this are detailed later in this chapter in the “SSC Discovery Process” section. 3. If clients still do not appear after this, close out the SSC, and stop and restart the Symantec System Center Discovery Service. After the service has restarted, reopen the SSC and check for the clients you are looking for.

Uninstalling SSC To uninstall the SSC, follow these steps: 1. Click the Start button. 2. Go to Settings | Control Panel. 3. Once the Control Panel opens, go to Add/Remove Programs (Add or Remove Programs on Windows XP). 4. Select Symantec System Center and click the Change/Remove button. 5. Follow the instructions and/or prompts that appear until finished.

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

Uninstalling the Norton AntiVirus Corporate Edition Management Snap-in To uninstall the NAVCE management snap-in, follow the following steps: 1. Click the Start button. 2. Go to Settings | Control Panel. 3. Once the Control Panel opens, go to Add/Remove Programs (Add or Remove Programs on Windows XP). 4. Select Norton AntiVirus Snap-in and click the Change/Remove button. 5. Follow the instructions and/or prompts that appear until finished.

Manually Uninstalling the SSC and Its Snap-ins It is possible the uninstall method in Add/Remove Programs can become corrupted and not work properly. In such cases, you can manually uninstall the SSC and its snap-ins by doing the following: 1. Log on to the computer with an account that has administrative rights.

WARNING It is highly recommended that you make a backup of the system Registry before performing these steps, as a corrupted Registry may result in an inoperable computer. For information on how to back up the Registry, take a look at the following Microsoft Knowledge Base articles: ■





HOW TO: Back Up, Edit, and Restore the Registry in Windows NT 4.0 (Q323170) HOW TO: Back Up, Edit, and Restore the Registry in Windows 2000 (Q322755) HOW TO: Back Up, Edit, and Restore the Registry in Windows XP (Q322756)

2. Make sure all SSC snap-ins have been removed before continuing. 3. Stop the following services if they are present. ■

Defwatch



Intel Alert Handler www.syngress.com

97

98

Chapter 3 • Implementing Symantec System Center and Alert Management System2 ■

Intel File Transfer



Intel PDS



Norton AntiVirus Server or Norton AntiVirus Client



Symantec System Center Discovery Service

If you wish to uninstall the SSC only, follow these steps: 1. Click the Start button and then click Run. 2. Type regedit in the Run window and press Enter to open up the Registry Editor. 3. Completely delete the following Registry keys: HKEY_CLASSES_ROOT\AMSExtensionAbout.1 HKEY_CLASSES_ROOT\AMSSnap.AMSExtension HKEY_CLASSES_ROOT\AMSSnap.AMSExtension.1 HKEY_CLASSES_ROOT\AppID\NscTop.EXE HKEY_CLASSES_ROOT\AppID\{5DA6E404AA8B11D2A77600105AA735A0} HKEY_CLASSES_ROOT\CLSID\{03C4F3A4204C11D39CAB00C04F688466} HKEY_CLASSES_ROOT\CLSID\{0E19C9A0CED411d29E5D0040053C9E1F} HKEY_CLASSES_ROOT\CLSID\{0E19C9A1CED411d29E5D0040053C9E1F} HKEY_CLASSES_ROOT\CLSID\{0FD7D204F36211D280EB00C04F68D969} HKEY_CLASSES_ROOT\CLSID\{0FD7D205F36211D280EB00C04F68D969} HKEY_CLASSES_ROOT\CLSID\{103363F469F911D2B34C00104B22D5DF} HKEY_CLASSES_ROOT\CLSID\{2DA131BAB63F11D2A77700105AA735A0} HKEY_CLASSES_ROOT\CLSID\{4F5B120B25EF11D380F400C04F68D969} HKEY_CLASSES_ROOT\CLSID\{4F5B120C25EF11D380F400C04F68D969} HKEY_CLASSES_ROOT\CLSID\{537E45B0237311D3ABEE00C04FAC113E} HKEY_CLASSES_ROOT\CLSID\{77D97BF4349F11D380F500C04F68D969} HKEY_CLASSES_ROOT\CLSID\{77D97BF7349F11D380F500C04F68D969} HKEY_CLASSES_ROOT\CLSID\{90310CF67A8911D2A77500105AA735A0} HKEY_CLASSES_ROOT\CLSID\{958632A70D7411d3809900C04F6B8429} HKEY_CLASSES_ROOT\CLSID\{AD035DE200FD11D380EC00C04F68D969} HKEY_CLASSES_ROOT\CLSID\{B2F04430034A11D39B1900104B279EC4} HKEY_CLASSES_ROOT\CLSID\{C5AC3CD0D36311D29B0A00104B279EC4} HKEY_CLASSES_ROOT\CLSID\{E381F1E0910E11D1AB1E00A0C90F8F6F} HKEY_CLASSES_ROOT\CLSID\{FA6F74F3027711D39B1900104B279EC4} HKEY_CLASSES_ROOT\CLSID\{c5ac3cd7d36311d29b0a00104b279ec4}

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3 HKEY_CLASSES_ROOT\CLSID\{c5ac3cd8d36311d29b0a00104b279ec4} HKEY_CLASSES_ROOT\CLSID\{c5ac3cd9d36311d29b0a00104b279ec4} HKEY_CLASSES_ROOT\ComUtil.FindTopologyItemDialog HKEY_CLASSES_ROOT\ComUtil.FindTopologyItemDialog.1 HKEY_CLASSES_ROOT\ComUtil.PasswordDialog HKEY_CLASSES_ROOT\ComUtil.PasswordDialog.1 HKEY_CLASSES_ROOT\Interface\{03C4F3A3204C11D39CAB00C04F688466} HKEY_CLASSES_ROOT\Interface\{078D7B60A76F11D2B35200104B22D5DF} HKEY_CLASSES_ROOT\Interface\{0E19C9A2CED411D29E5D0040053C9E1F} HKEY_CLASSES_ROOT\Interface\{15EB5B92CD2211D2A77C00105AA735A0} HKEY_CLASSES_ROOT\Interface\{1656E8706E9D11D2B34C00104B22D5DF} HKEY_CLASSES_ROOT\Interface\{2782D18C122A11D3809C00C04F6B8429} HKEY_CLASSES_ROOT\Interface\{2D5F97CCAFD211D192510060979C3468} HKEY_CLASSES_ROOT\Interface\{2DA131B9B63F11D2A77700105AA735A0} HKEY_CLASSES_ROOT\Interface\{4F5B120B25EF11D380F400C04F68D969} HKEY_CLASSES_ROOT\Interface\{4F5B120D25EF11D380F400C04F68D969} HKEY_CLASSES_ROOT\Interface\{61388DB00CB011D380EE00C04F68D969} HKEY_CLASSES_ROOT\Interface\{6FA6754C041211D39B1900104B279EC4} HKEY_CLASSES_ROOT\Interface\{77D97BF3349F11D380F500C04F68D969} HKEY_CLASSES_ROOT\Interface\{77D97BF5349F11D380F500C04F68D969} HKEY_CLASSES_ROOT\Interface\{77D97BF6349F11D380F500C04F68D969} HKEY_CLASSES_ROOT\Interface\{77D97BF8349F11D380F500C04F68D969} HKEY_CLASSES_ROOT\Interface\{8DB98EF2C06A11D2A77700105AA735A0} HKEY_CLASSES_ROOT\Interface\{8FD7BA62B4A311D2A77700105AA735A0} HKEY_CLASSES_ROOT\Interface\{90310CF57A8911D2A77500105AA735A0} HKEY_CLASSES_ROOT\Interface\{9039B6360FD311D3809C00C04F6B8429} HKEY_CLASSES_ROOT\Interface\{958632A60D7411D3809900C04F6B8429} HKEY_CLASSES_ROOT\Interface\{A6624BBCD66C11D280E600C04F68D969} HKEY_CLASSES_ROOT\Interface\{AFCC34A2C09011D2A77700105AA735A0} HKEY_CLASSES_ROOT\Interface\{C5AC3CD0D36311D29B0A00104B279EC4} HKEY_CLASSES_ROOT\Interface\{C5AC3CD1D36311D29B0A00104B279EC4} HKEY_CLASSES_ROOT\Interface\{C5AC3CD2D36311D29B0A00104B279EC4} HKEY_CLASSES_ROOT\Interface\{C5AC3CD3D36311D29B0A00104B279EC4} HKEY_CLASSES_ROOT\Interface\{C5AC3CD4D36311D29B0A00104B279EC4} HKEY_CLASSES_ROOT\Interface\{C5AC3CD5D36311D29B0A00104B279EC4} HKEY_CLASSES_ROOT\Interface\{C6D3D1C001BD11D39B1900104B279EC4} HKEY_CLASSES_ROOT\Interface\{DAC4E6A0D83111D280E700C04F68D969}

www.syngress.com

99

100

Chapter 3 • Implementing Symantec System Center and Alert Management System2 HKEY_CLASSES_ROOT\Interface\{E381F1E9910E11D1AB1E00A0C90F8F6F} HKEY_CLASSES_ROOT\Interface\{E381F1EB910E11D1AB1E00A0C90F8F6F} HKEY_CLASSES_ROOT\Interface\{F339BF22C09311D2A77700105AA735A0} HKEY_CLASSES_ROOT\Interface\{F3A6FCB3C06A11D2A77700105AA735A0} HKEY_CLASSES_ROOT\Interface\{F763C2E4590611D380DA00C04F6B8429} HKEY_CLASSES_ROOT\Interface\{FA6F74F2027711D39B1900104B279EC4} HKEY_CLASSES_ROOT\LdTop.LDTopology HKEY_CLASSES_ROOT\LdTop.LDTopology.1 HKEY_CLASSES_ROOT\NSC.EManage.1 HKEY_CLASSES_ROOT\NSC.EManage.EManage HKEY_CLASSES_ROOT\NortonDIS.About HKEY_CLASSES_ROOT\NortonDIS.About.1 HKEY_CLASSES_ROOT\NscEm.ClientsDHTML HKEY_CLASSES_ROOT\NscEm.ClientsDHTML.1 HKEY_CLASSES_ROOT\NscEm.DomainDHTML HKEY_CLASSES_ROOT\NscEm.DomainDHTML.1 HKEY_CLASSES_ROOT\NscEm.ServersDHTML HKEY_CLASSES_ROOT\NscEm.ServersDHTML.1 HKEY_CLASSES_ROOT\NscTop.AVClientContainer HKEY_CLASSES_ROOT\NscTop.AVClientContainer.1 HKEY_CLASSES_ROOT\NscTop.AVServerContainer HKEY_CLASSES_ROOT\NscTop.AVServerContainer.1 HKEY_CLASSES_ROOT\NscTop.AVTopologyContainer HKEY_CLASSES_ROOT\NscTop.AVTopologyContainer.1 HKEY_CLASSES_ROOT\NscTop.ClientContainer HKEY_CLASSES_ROOT\NscTop.ClientContainer.1 HKEY_CLASSES_ROOT\NscTop.ServerContainer HKEY_CLASSES_ROOT\NscTop.ServerContainer.1 HKEY_CLASSES_ROOT\NscTop.TopologyContainer HKEY_CLASSES_ROOT\NscTop.TopologyContainer.1 HKEY_CLASSES_ROOT\NscTop.TopologyDiscovery HKEY_CLASSES_ROOT\NscTop.TopologyDiscovery.1 HKEY_CLASSES_ROOT\ODBC.FileDSN HKEY_CLASSES_ROOT\PageExtension.LiveUpdateSnapin HKEY_CLASSES_ROOT\PageExtension.LiveUpdateSnapin.1 HKEY_CLASSES_ROOT\SnapinAbout.1 HKEY_CLASSES_ROOT\TypeLib\{0FD7D1F7F36211D280EB00C04F68D969}

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3 HKEY_CLASSES_ROOT\TypeLib\{103363E669F911D2B34C00104B22D5DF} HKEY_CLASSES_ROOT\TypeLib\{5DA6E403AA8B11D2A77600105AA735A0} HKEY_CLASSES_ROOT\TypeLib\{B2F04424034A11D39B1900104B279EC4} HKEY_CLASSES_ROOT\TypeLib\{E381F1A0910E11D1AB1E00A0C90F8F6F} HKEY_CLASSES_ROOT\TypeLib\{FA6F74E5027711D39B1900104B279EC4} HKEY_CLASSES_ROOT\transman.objects HKEY_CLASSES_ROOT\transman.objects.1 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Explorer\UserAssist\{75048700EF1F11D09888006097DEACF9} HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\AMS2\Installed HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\AMS2\MsgSysCfg HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\ CurrentVersion\AddressCache HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\ CurrentVersion\Console HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\ CurrentVersion\Filter HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\ CurrentVersion\OpenDomains HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\ CurrentVersion\OpenServers HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\ CurrentVersion\UnlockedDomains HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\NodeTypes\ {0A624A66269C11d380F400C04F68D969} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\NodeTypes\ {11B529F0769711d2B34C00104B22D5DF} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\NodeTypes\ {4F9765D0790711d2B34C00104B22D5DF} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\NodeTypes\ {5DD3E8C0776311d2B34C00104B22D5DF} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\NodeTypes\ {F01B4B50775A11d2B34C00104B22D5DF} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\ {0FD7D204F36211D280EB00C04F68D969} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\

www.syngress.com

101

102

Chapter 3 • Implementing Symantec System Center and Alert Management System2 {103363F469F911D2B34C00104B22D5DF} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\ {B2F04430034A11D39B1900104B279EC4} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ App Paths\NSCEM.DLL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Uninstall\Symantec System Center HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\AMSDB HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec System Center HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\ LEGACY_INTEL_ALERT_HANDLER HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\ LEGACY_INTEL_FILE_TRANSFER HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_INTEL_PDS HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NSCTOP HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\ Application\Intel AMS II HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\ Application\Intel Alert Handler HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\ Application\Intel File Transfer Service HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\ Application\Intel PDS Service HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Intel Alert Handler HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Intel File Transfer HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Intel PDS HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NSCTOP HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Intel Alert Handler HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Intel File Transfer HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Intel PDS HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NSCTOP HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\ LEGACY_INTEL_ALERT_HANDLER HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\ LEGACY_INTEL_FILE_TRANSFER HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\ LEGACY_INTEL_PDS

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NSCTOP HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\ Application\Intel AMS II HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\ Application\Intel Alert Handler HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\ Application\Intel File Transfer Service HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\ Application\Intel PDS Service HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Intel Alert Handler HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Intel File Transfer HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Intel PDS HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NSCTOP

4. Remove the following Registry entries and/or values: ■

In the left pane, go to HKEY_LOCAL_MACHINE SOFTWARE\ INTEL. Select the CurrentLanguage entry in the right pane, and delete it.



In the left pane, go to HKEY_LOCAL_MACHINE SOFTWARE\ INTEL\DLLUsage\VP6. Select the C:\Program Files\Common Files\Symantec Shared\SSC\Transman.dll entry in the right pane, and delete it.



In the left pane, go to HKEY_LOCAL_MACHINE\SOFTWARE\ INTEL\LANDesk\AMS 2 SNMP Generator\CurrentVersion. Select the Pathname entry in the right pane, and delete it.



In the left pane, go to HKEY_LOCAL_MACHINE\SOFTWARE\ INTEL\LANDesk\AMS2\MsgSysCfg. Select the RetryMult entry in the right pane, and delete it.



In the left pane, go to HKEY_LOCAL_MACHINE\SOFTWARE\ ODBC\ODBC.INI\ODBC Data Sources. Select the AMSDB entry in the right pane, and delete it.

www.syngress.com

103

104

Chapter 3 • Implementing Symantec System Center and Alert Management System2 ■

In the left pane, go to HKEY_LOCAL_MACHINE\SOFTWARE\ Symantec\InstalledApps. Select the SSCADMIN and the VP6UsageCount entries in the right pane, and delete them both.

5. Close regedit. 6. To remove the SSC from the hard drive, navigate to the folder where you installed the SSC (the default is C:\Program Files\SSC) and delete the SSC folder. 7. After this is complete, reboot the computer. Now, if you desire to uninstall only the NAV snap-in, follow these steps to uninstall it manually: 1. Click the Start button and then click Run. 2. Type regedit in the Run window and press Enter to open up the Registry Editor. 3. Completely delete the following Registry keys: HKEY_CLASSES_ROOT\CCMAILUI.CCMailUICtrl.1 HKEY_CLASSES_ROOT\CLNTCON.ClntConCtrl.1 HKEY_CLASSES_ROOT\EXCHNGUI.ExchngUICtrl.1 HKEY_CLASSES_ROOT\LANDesk.VirusProtect.ScanDlgs HKEY_CLASSES_ROOT\LDDATETIME.LDDateCtrl.1 HKEY_CLASSES_ROOT\LDDATETIME.LDStaticDateTimeCtrl.1 HKEY_CLASSES_ROOT\LDDATETIME.LDTimeCtrl.1 HKEY_CLASSES_ROOT\LDVPCTLS.LDVPActionsCtrl.1 HKEY_CLASSES_ROOT\LDVPCTLS.LDVPEditCtrl.1 HKEY_CLASSES_ROOT\LDVPCTLS.LDVPExtensionsCtrl.1 HKEY_CLASSES_ROOT\LDVPCTLS.LDVPFtpBbsConfigCtrl.1 HKEY_CLASSES_ROOT\LDVPCTLS.LDVPResultsCtrl.1 HKEY_CLASSES_ROOT\LDVPCTLS.LDVPUpdateManagerCtrl.1 HKEY_CLASSES_ROOT\LDVPCTLS.LDVPUpdateSetupCtrl.1 HKEY_CLASSES_ROOT\LDVPCTLS.LDVPVirusDetailsCtrl.1 HKEY_CLASSES_ROOT\LDVPDLGS.LDVPAboutDlgCtrl.1 HKEY_CLASSES_ROOT\LDVPDLGS.LDVPCompressedCtrl.1 HKEY_CLASSES_ROOT\LDVPDLGS.LDVPListVirusesCtrl.1 HKEY_CLASSES_ROOT\LDVPDLGS.LDVPMessageConfigCtrl.1 HKEY_CLASSES_ROOT\LDVPDLGS.LDVPRecipientsCtrl.1

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3 HKEY_CLASSES_ROOT\LDVPDLGS.LDVPScheduleCtrl.1 HKEY_CLASSES_ROOT\LDVPDLGS.LDVPStorageViewCtrl.1 HKEY_CLASSES_ROOT\LDVPDLGS.LDVPVirusExclusionsCtrl.1 HKEY_CLASSES_ROOT\LDVPUI.LDVPUICtrl.1 HKEY_CLASSES_ROOT\LOTNOTESUI.LotNotesUICtrl.1 HKEY_CLASSES_ROOT\NAVCORP.RemoteManagement HKEY_CLASSES_ROOT\NAVCORP.RemoteManagement.1 HKEY_CLASSES_ROOT\NavCorpH.NavCorpConsoleHelp HKEY_CLASSES_ROOT\NavCorpH.NavCorpConsoleHelp.1 HKEY_CLASSES_ROOT\NavCorpXAbout.1 HKEY_CLASSES_ROOT\SRVCON.SrvConCtrl.1 HKEY_CLASSES_ROOT\Shelsel2.Shelsel2 HKEY_CLASSES_ROOT\Shelsel2.Shelsel2.1 HKEY_CLASSES_ROOT\VPReports.Report HKEY_CLASSES_ROOT\shellprops.shellprops HKEY_CLASSES_ROOT\shellprops.shellprops.1 HKEY_CLASSES_ROOT\CLSID\{0E5B8743872A11D08865444553540000} HKEY_CLASSES_ROOT\CLSID\{2192708A997111D0B59000AA00A861BD} HKEY_CLASSES_ROOT\CLSID\{21CBC128E39711D1B7A000A0C99C7131} HKEY_CLASSES_ROOT\CLSID\21CBC129E39711D1B7A000A0C99C7131} HKEY_CLASSES_ROOT\CLSID\{2707AAC5C26811D1826300A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{2707AAC6C26811D1826300A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{2E76B2B7C60311D1826C00A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{2E76B2B8C60311D1826C00A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{2E76B2BBC60311D1826C00A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{2E76B2BCC60311D1826C00A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{2E76B2BFC60311D1826C00A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{2E76B2C0C60311D1826C00A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{2E76B2C3C60311D1826C00A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{2E76B2C4C60311D1826C00A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{407FE4AA5D3611D280D500A0C9749E83} HKEY_CLASSES_ROOT\CLSID\{407FE4AB5D3611D280D500A0C9749E83} HKEY_CLASSES_ROOT\CLSID\{40C57BF5CA8611D1B78200A0C99C7131} HKEY_CLASSES_ROOT\CLSID\{40C57BF6CA8611D1B78200A0C99C7131} HKEY_CLASSES_ROOT\CLSID\{4128E6944BB911D1819000A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{4128E6954BB911D1819000A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{43943CCA883C11D183A400A0C9749EEF}

www.syngress.com

105

106

Chapter 3 • Implementing Symantec System Center and Alert Management System2 HKEY_CLASSES_ROOT\CLSID\{4DEF8DD1C4D111D182DA00A0C9749EEF} HKEY_CLASSES_ROOT\CLSID\{536604C2B82E11D1825200A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{536604C3B82E11D1825200A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{592DC44C497711D1818D00A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{592DC44F497711D1818D00A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{7F365837F57811D1B7B200A0C99C7131} HKEY_CLASSES_ROOT\CLSID\{7F365838F57811D1B7B200A0C99C7131} HKEY_CLASSES_ROOT\CLSID\{840628ABD2E611D182DD00A0C9749EEF} HKEY_CLASSES_ROOT\CLSID\{86F193F028FB11D390F600104B252F2C} HKEY_CLASSES_ROOT\CLSID\{8F6F6788400911D1818400A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{91581CB10E7B11D19D9300A0C95C1762} HKEY_CLASSES_ROOT\CLSID\{921BD9FB496311D1818D00A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{AAEDBDA35A8211D092E100AA00A861BD} HKEY_CLASSES_ROOT\CLSID\{AAEDBDA45A8211D092E100AA00A861BD} HKEY_CLASSES_ROOT\CLSID\{ABBAB8BDE4F111D1A42C00A0C9A243C6} HKEY_CLASSES_ROOT\CLSID\{ABBAB8BEE4F111D1A42C00A0C9A243C6} HKEY_CLASSES_ROOT\CLSID\{AFBBB9C68A9911D188920080C75FFCC4} HKEY_CLASSES_ROOT\CLSID\{AFBBB9C78A9911D188920080C75FFCC4} HKEY_CLASSES_ROOT\CLSID\{B91B0CADD86611D1B78C00A0C99C7131} HKEY_CLASSES_ROOT\CLSID\{B91B0CAED86611D1B78C00A0C99C7131} HKEY_CLASSES_ROOT\CLSID\{BE9F41823A3911D39CB900C04F688466} HKEY_CLASSES_ROOT\CLSID\{BEE62D804A0711D1818E00A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{C61E34CEC9FB11D1B78100A0C99C7131} HKEY_CLASSES_ROOT\CLSID\{C61E34CFC9FB11D1B78100A0C99C7131} HKEY_CLASSES_ROOT\CLSID\{C859248A513E11D1819400A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{C859248B513E11D1819400A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{D99C2ADAAE3611D1822000A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{D99C2ADBAE3611D1822000A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{F32F2026860711D188920080C75FFCC4} HKEY_CLASSES_ROOT\CLSID\{F32F202A860711D188920080C75FFCC4} HKEY_CLASSES_ROOT\CLSID\{F32F202B860711D188920080C75FFCC4} HKEY_CLASSES_ROOT\CLSID\{F7B888EED30C11D291BE0020AF24FE3C} HKEY_CLASSES_ROOT\CLSID\{F7B888EFD30C11D291BE0020AF24FE3C} HKEY_CLASSES_ROOT\CLSID\{FC894628B91D11D1825400A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{FC894629B91D11D1825400A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{FF1C1AB8C27D11D1826300A0C95C0756} HKEY_CLASSES_ROOT\CLSID\{FF1C1AB9C27D11D1826300A0C95C0756}

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3 HKEY_CLASSES_ROOT\Interface\{21927088997111D0B59000AA00A861BD} HKEY_CLASSES_ROOT\Interface\{21927089997111D0B59000AA00A861BD} HKEY_CLASSES_ROOT\Interface\{21CBC126E39711D1B7A000A0C99C7131} HKEY_CLASSES_ROOT\Interface\{21CBC127E39711D1B7A000A0C99C7131} HKEY_CLASSES_ROOT\Interface\{2707AAC3C26811D1826300A0C95C0756} HKEY_CLASSES_ROOT\Interface\{2707AAC4C26811D1826300A0C95C0756} HKEY_CLASSES_ROOT\Interface\{2B464071A8C211D182D000A0C9749EEF} HKEY_CLASSES_ROOT\Interface\{2E76B2B5C60311D1826C00A0C95C0756} HKEY_CLASSES_ROOT\Interface\{2E76B2B6C60311D1826C00A0C95C0756} HKEY_CLASSES_ROOT\Interface\{2E76B2B9C60311D1826C00A0C95C0756} HKEY_CLASSES_ROOT\Interface\{2E76B2BAC60311D1826C00A0C95C0756} HKEY_CLASSES_ROOT\Interface\{2E76B2BDC60311D1826C00A0C95C0756} HKEY_CLASSES_ROOT\Interface\{2E76B2BEC60311D1826C00A0C95C0756} HKEY_CLASSES_ROOT\Interface\{2E76B2C1C60311D1826C00A0C95C0756} HKEY_CLASSES_ROOT\Interface\{2E76B2C2C60311D1826C00A0C95C0756} HKEY_CLASSES_ROOT\Interface\{407FE4A85D3611D280D500A0C9749E83} HKEY_CLASSES_ROOT\Interface\{407FE4A95D3611D280D500A0C9749E83} HKEY_CLASSES_ROOT\Interface\{40C57BF3CA8611D1B78200A0C99C7131} HKEY_CLASSES_ROOT\Interface\{40C57BF4CA8611D1B78200A0C99C7131} HKEY_CLASSES_ROOT\Interface\{4128E6924BB911D1819000A0C95C0756} HKEY_CLASSES_ROOT\Interface\{4128E6934BB911D1819000A0C95C0756} HKEY_CLASSES_ROOT\Interface\{536604C0B82E11D1825200A0C95C0756} HKEY_CLASSES_ROOT\Interface\{536604C1B82E11D1825200A0C95C0756} HKEY_CLASSES_ROOT\Interface\{592DC44A497711D1818D00A0C95C0756} HKEY_CLASSES_ROOT\Interface\{592DC44B497711D1818D00A0C95C0756} HKEY_CLASSES_ROOT\Interface\{592DC44D497711D1818D00A0C95C0756} HKEY_CLASSES_ROOT\Interface\{592DC44E497711D1818D00A0C95C0756} HKEY_CLASSES_ROOT\Interface\{7F365835F57811D1B7B200A0C99C7131} HKEY_CLASSES_ROOT\Interface\{7F365836F57811D1B7B200A0C99C7131} HKEY_CLASSES_ROOT\Interface\{840628BFD2E611D182DD00A0C9749EEF} HKEY_CLASSES_ROOT\Interface\{86F193F028FB11D390F600104B252F2C} HKEY_CLASSES_ROOT\Interface\{91581CB00E7B11D19D9300A0C95C1762} HKEY_CLASSES_ROOT\Interface\{AAEDBDA15A8211D092E100AA00A861BD} HKEY_CLASSES_ROOT\Interface\{AAEDBDA25A8211D092E100AA00A861BD} HKEY_CLASSES_ROOT\Interface\{ABBAB8BBE4F111D1A42C00A0C9A243C6} HKEY_CLASSES_ROOT\Interface\{ABBAB8BCE4F111D1A42C00A0C9A243C6} HKEY_CLASSES_ROOT\Interface\{AFBBB9C48A9911D188920080C75FFCC4}

www.syngress.com

107

108

Chapter 3 • Implementing Symantec System Center and Alert Management System2 HKEY_CLASSES_ROOT\Interface\{AFBBB9C58A9911D188920080C75FFCC4} HKEY_CLASSES_ROOT\Interface\{B91B0CABD86611D1B78C00A0C99C7131} HKEY_CLASSES_ROOT\Interface\{B91B0CACD86611D1B78C00A0C99C7131} HKEY_CLASSES_ROOT\Interface\{C61E34CCC9FB11D1B78100A0C99C7131} HKEY_CLASSES_ROOT\Interface\{C61E34CDC9FB11D1B78100A0C99C7131} HKEY_CLASSES_ROOT\Interface\{C8592488513E11D1819400A0C95C0756} HKEY_CLASSES_ROOT\Interface\{C8592489513E11D1819400A0C95C0756} HKEY_CLASSES_ROOT\Interface\{D99C2AD8AE3611D1822000A0C95C0756} HKEY_CLASSES_ROOT\Interface\{D99C2AD9AE3611D1822000A0C95C0756} HKEY_CLASSES_ROOT\Interface\{F32F2024860711D188920080C75FFCC4} HKEY_CLASSES_ROOT\Interface\{F32F2025860711D188920080C75FFCC4} HKEY_CLASSES_ROOT\Interface\{F32F2028860711D188920080C75FFCC4} HKEY_CLASSES_ROOT\Interface\{F32F2029860711D188920080C75FFCC4} HKEY_CLASSES_ROOT\Interface\{FC894626B91D11D1825400A0C95C0756} HKEY_CLASSES_ROOT\Interface\{FC894627B91D11D1825400A0C95C0756} HKEY_CLASSES_ROOT\Interface\{FF1C1AB6C27D11D1826300A0C95C0756} HKEY_CLASSES_ROOT\Interface\{FF1C1AB7C27D11D1826300A0C95C0756} HKEY_CLASSES_ROOT\TypeLib\{21927087997111D0B59000AA00A861BD} HKEY_CLASSES_ROOT\TypeLib\{2707AAC2C26811D1826300A0C95C0756} HKEY_CLASSES_ROOT\TypeLib\{2E76B2B4C60311D1826C00A0C95C0756} HKEY_CLASSES_ROOT\TypeLib\{536604BFB82E11D1825200A0C95C0756} HKEY_CLASSES_ROOT\TypeLib\{592DC449497711D1818D00A0C95C0756} HKEY_CLASSES_ROOT\TypeLib\{840628A8D2E611D182DD00A0C9749EEF} HKEY_CLASSES_ROOT\TypeLib\{AAEDBDA05A8211D092E100AA00A861BD} HKEY_CLASSES_ROOT\TypeLib\{BE9F41723A3911D39CB900C04F688466} HKEY_CLASSES_ROOT\TypeLib\{C61E34CBC9FB11D1B78100A0C99C7131} HKEY_CLASSES_ROOT\TypeLib\{F32F2023860711D188920080C75FFCC4} HKEY_CLASSES_ROOT\TypeLib\{FAD5CC540E6811D19D9100A0C95C1762} HKEY_CLASSES_ROOT\TypeLib\{FF1C1AB5C27D11D1826300A0C95C0756} HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\ CurrentVersion\ComCache HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\ CurrentVersion\Common HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\ CurrentVersion\SnapIn HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\NodeTypes\ {7D604BFEAC8F11d192500060979C3468}

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\ {F7B888EED30C11D291BE0020AF24FE3C} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ App Paths\NAVCORPX.DLL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Uninstall\Norton AntiVirus Enterprise Snapin HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Norton AntiVirus Enterprise Snapin HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec System Center\ ExtensionsUninstall\Norton AntiVirus Enterprise Snapin

3. Remove the following Registry entries and/or values: ■

In the left pane, go to HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\MMC\NodeTypes\{0A624A66-269C-11d3-80F400C04F68D969}\Extensions\Contextmenu. Select the {F7B888EE-D30C-11D2-91BE-0020AF24FE3C} entry in the right pane, and delete it.



In the left pane, go to HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\MMC\NodeTypes\{0A624A66-269C-11d3-80F400C04F68D969}\Extensions\NameSpace. Select the {F7B888EED30C-11D2-91BE-0020AF24FE3C} entry in the right pane, and delete it.



In the left pane, go to HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\MMC\NodeTypes\{0A624A66-269C-11d3-80F400C04F68D969}\Extensions\Task. Select the {F7B888EE-D30C11D2-91BE-0020AF24FE3C} entry in the right pane, and delete it.



In the left pane, go to HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\MMC\NodeTypes\{11B529F0-7697-11d2-B34C00104B22D5DF}\Extensions\Contextmenu. Select the {F7B888EE-D30C-11D2-91BE-0020AF24FE3C} entry in the right pane, and delete it.



In the left pane, go to HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\MMC\NodeTypes\{11B529F0-7697-11d2-B34C00104B22D5DF}\Extensions\NameSpace. Select the {F7B888EED30C-11D2-91BE-0020AF24FE3C} entry in the right pane, and delete it. www.syngress.com

109

110

Chapter 3 • Implementing Symantec System Center and Alert Management System2 ■

In the left pane, go to HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\MMC\NodeTypes\{4F9765D0-7907-11d2-B34C00104B22D5DF}\Extensions\Contextmenu. Select the {F7B888EE-D30C-11D2-91BE-0020AF24FE3C} entry in the right pane, and delete it.



In the left pane go to HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\MMC\NodeTypes\{4F9765D0-7907-11d2-B34C00104B22D5DF}\Extensions\NameSpace . Select the {F7B888EED30C-11D2-91BE-0020AF24FE3C} entry in the right pane, and delete it.



In the left pane go to HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\MMC\NodeTypes\{4F9765D0-7907-11d2-B34C00104B22D5DF}\Extensions\PropertySheet. Select the {F7B888EE-D30C-11D2-91BE-0020AF24FE3C} entry in the right pane, and delete it.



In the left pane go to HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\MMC\NodeTypes\{4F9765D0-7907-11d2-B34C00104B22D5DF}\Extensions\ToolBar. Select the {F7B888EED30C-11D2-91BE-0020AF24FE3C} entry in the right pane, and delete it.



In the left pane go to HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\MMC\NodeTypes\{5DD3E8C0-7763-11d2-B34C00104B22D5DF}\Extensions\Contextmenu. Select the {F7B888EE-D30C-11D2-91BE-0020AF24FE3C} entry in the right pane, and delete it.



In the left pane go to HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\MMC\NodeTypes\{5DD3E8C0-7763-11d2-B34C00104B22D5DF}\Extensions\NameSpace. Select the {F7B888EED30C-11D2-91BE-0020AF24FE3C} entry in the right pane, and delete it.



In the left pane go to HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\MMC\NodeTypes\{5DD3E8C0-7763-11d2-B34C00104B22D5DF}\Extensions\ToolBar. Select the {F7B888EED30C-11D2-91BE-0020AF24FE3C} entry in the right pane, and delete it.

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3 ■

In the left pane go to HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\MMC\NodeTypes\{F01B4B50-775A-11d2-B34C00104B22D5DF}\Extensions\Contextmenu. Select the {F7B888EE-D30C-11D2-91BE-0020AF24FE3C} entry in the right pane, and delete it.



In the left pane go to HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\MMC\NodeTypes\{F01B4B50-775A-11d2-B34C00104B22D5DF}\Extensions\NameSpace. Select the {F7B888EED30C-11D2-91BE-0020AF24FE3C} entry in the right pane, and delete it.



In the left pane go to HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\MMC\NodeTypes\{F01B4B50-775A-11d2-B34C00104B22D5DF}\Extensions\PropertySheet. Select the {F7B888EE-D30C-11D2-91BE-0020AF24FE3C} entry in the right pane, and delete it.



In the left pane, go to HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\MMC\NodeTypes\{F01B4B50-775A-11d2-B34C00104B22D5DF}\Extensions\ToolBar. Select the {F7B888EED30C-11D2-91BE-0020AF24FE3C} entry in the right pane, and delete it.



In the left pane go to, HKEY_LOCAL_MACHINE\SOFTWARE\ Symantec\InstalledApps. Select the SSCNAVSNAPIN entry in the right pane, and delete it.



In the left pane go to HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\Windows\CurrentVersion\Uninstall\Norton AntiVirus Enterprise Snap-in. Select the DisplayName and the UninstallString entries and delete them both.

4. Close regedit. To remove the NAVCE management snap-in from the hard drive, do the following: 1. Go to the C:\Program Files\Common Files\Symantec Shared\SSC folder and delete the following files: ■

CCMailUI.ocx



ExchngUI.ocx www.syngress.com

111

112

Chapter 3 • Implementing Symantec System Center and Alert Management System2 ■

LDDateTm.ocx



LDVPCtls.ocx



LDVPDlgs.ocx



LotNtsUI.ocx



ldvpui.ocx



scandlgs.dll



vprpts.dll



webshell.dll

2. Go to the C:\Program Files\SSC folder and delete the following files: ■

ClntCon.ocx



Navcorph.dll



Navcorpx.dll



SrvCon.ocx

3. Go to the C:\Program Files\HELP folder and delete the following files: ■

enuctls.chm



enudlgs.chm



enuview.chm



enuvpadm.chm



NAV_Snap.chm

4. Go to the C:\Program Files\SSC\HTML folder and delete the Navstart.htm file. 5. After this is complete, reboot the computer.

The SSC Discovery Process When you run your SSC console for the first time, it will ping your network to find all available NAVCE servers. As soon as the servers reply, they are added to the console hierarchy. NAVCE clients are added to the console view when their parent server is selected in the console tree. To discover computers on your network, the SSC sends a ping packet to a remote computer. Ping is a basic program that verifies a specific computer exists www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

and can accept requests. When the Intel Ping Discovery Service (Intel PDS) gets a ping, it responds with a pong packet. Ping and pong packets are both about 1K in size, and both IP and IPX pings are sent to determine what protocol the remote machine uses. Pong packets contain information such as the date of the last virus scan or the date of the remote computer’s definition files and it is this process that tells you the computer is working properly. To configure the Discovery Service, perform the following steps. 1. Open the SSC console. 2. Select any section below Console Root. 3. On the Tools menu at the top of the SSC, select Discovery Service. From there, a dialog (Figure 3.10) will open presenting you with the options you can configure. Figure 3.10 The Discovery Service Configuration

The Discovery Cycle The timeout for the Discovery Cycle is configurable. Depending on the options you select, you can set the timeout period from 1 to 1,440 minutes, with the default being 480 minutes (eight hours). To configure the Discovery Cycle, open the Discovery Service dialog as previously described, and change the value to the number you want. Keep in mind that a new discovery will be skipped if a previous discovery has not completed. If you have a large network, try not to schedule your discovery time to be very low. It will need time to complete. www.syngress.com

113

114

Chapter 3 • Implementing Symantec System Center and Alert Management System2

Load from Cache Only This form of discovery will try to refresh all of the servers that the SSC knows about.The keys in the AddressCache Registry key are enumerated, and each server is sent pings to see if they are still available.The information in the console is then refreshed.

Local Discovery This form of discovery sends a broadcast ping over the local subnet of the computer running the SSC. Servers on the local subnet reply with pongs.This works well on small subnets, but you will experience better results using Intense Discovery on large subnets.

Intense Discovery This form of discovery walks the entire network and tries to resolve all of the computers it finds into a network address. When it has the network addresses, it then tries to send ping requests.This is the most thorough form of discovery and may take a long time if you have a large network. Local Cache Discovery and Local Discovery will also run at the same time as an Intense Discovery.This form of discovery is limited by several factors, including the availability of a WINS server, the network subnet and router configuration, the DNS configuration, and the NT domain and workgroup configuration. For this reason, you may want to use IP Discovery. To manually run a Discovery Cycle, follow these steps: 1. Open the SSC console. 2. Select any section below Console Root. 3. On the Tools menu at the top of the SSC, select Discovery Service. 4. Several options will appear. Select any of the Discovery methods described earlier in the chapter. In addition, you can choose to only scan NetWare Servers, just NT servers, or both. 5. You can also select how many Intense Discovery threads you want, with each thread being an independent search for manageable NAVCE resources. 6. Once you have decided what options you want to use, click the Run Discovery Now button to begin, and then click Close to close the Discovery Dialog. www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

You can also clear all NAVCE server and client information out of memory and the address cache, and then immediately run a Discovery cycle with the settings you choose by clicking the Clear Cache Now button.

NOTE When you clear the cache, the server groups will become locked unless you have saved the passwords.

IP Discovery As mentioned earlier in the chapter, the IP Discovery function of the SSC will discover resources to manage by either IP address or IP subnet. After manageable resources have been discovered, they are added to the address cache of the computer that the SSC is installed on. To use IP Discovery, follow these steps: 1. In the SSC console, select any section below Console Root. 2. On the Tools menu, select Discovery Service. 3. In the dialog that follows, click the Advanced tab (Figure 3.11). Figure 3.11 The Advanced Tab of the Discovery Service Properties Dialog

www.syngress.com

115

116

Chapter 3 • Implementing Symantec System Center and Alert Management System2

4. From there, check the box labeled Enable IP Discovery. As long as this is checked, IP Discovery will run whenever you run Intense Discovery. If you want to run Intense Discovery without IP Discovery, just uncheck the box to disable it. 5. In the Scan Type list, select one of the following: ■

IP Subnet This will cause the console to broadcast to each subnet.



IP Address This will cause the console to ping every computer in the range of IP addresses that you designated.

6. If you chose IP Address, then, in the appropriate Beginning of range and End of range boxes, type in the addresses for the beginning and ending ranges of the IP addresses you want to scan. 7. If you chose IP Subnet, type the subnet mask in the Subnet mask box to refine your search.

Damage & Defense… Unknown Server Groups Appear in the SSC If you begin seeing server groups that you cannot explain showing up in your SSC console, it is possible they are from another network you are connected to. Since the SSC uses port 38293 to communicate with NAVCE servers that are using TCP\IP, server groups from other connected networks may be visible in your console; yours may be visible to others as well. To prevent this from happening, make sure your firewall blocks port 38293 bidirectionally. This exact situation happened to me once, and this method solved the problem quite nicely.

Adding Clients on LANs without WINS As mentioned earlier in the chapter, Importer.exe is a command line tool used to import information from a text file into the address cache of the computer using the SSC. Since the discovery service relies on WINS to operate, this tool will have to be used to import resources into the SSC before they can be managed. The Importer.exe tool can be found on CD 1 in the Admtools folder, and can be used on any computer that has the SSC installed. www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

Using the importer.exe to import computers is accomplished by performing the following three tasks: 1. Make a data file containing information on the computers you want to import. 2. Run the importer.exe. 3. Run a Discovery Cycle. You will have to have Administrator rights to the machine you are running the Importer tool on. The data file can be made in Notepad or some other text editor, but each entry must be in this format. Server, IP address

For example, a data file called resources.txt might look like this. Resource 1, 192.168.0.1 Resource 2, 192.168.0.2 Resource 3, 192.168.0.3 Resource 4, 192.168.0.4 Resource 5, 192.168.0.5

You may also type a semicolon or colon to the left of an address in the data file to comment it out if it is a resource you want to add at a later time. After creating the data file, run importer.exe with this syntax at the command prompt. Importer [filename].

Where [filename] represents the path of the data file. The data you import with the importer tool does not overwrite information that is already in the address cache. If you have information you no longer want in the address cache, clear the cache before running the importer tool. After you have imported your information with the tool, do not clear the cache unless you want to clear out your imported data. Table 3.2 lists a number of the more common importer.exe error codes and their typical causes.

www.syngress.com

117

118

Chapter 3 • Implementing Symantec System Center and Alert Management System2

Table 3.2 Common Importer.exe Codes Error

Cause

Symantec System Center is not installed. File % cannot be opened. Incorrect number of parameters. Command-line parameter Order must be 1 or 2. Second delimiter parameter can only be one-character long, except for SP and LF. First delimiter parameter can only be one-character long except for SP and LF. Cannot create Registry key for server name . Cannot Open CurrentVersion of Registry key.

SSC must be installed on the computer that runs Importer.exe. The import file does not exist. Does not provide the correct parameters. You have not provided the correct order number. You have provided an invalid delimiter parameter.

Cannot Open AddressCache Registry key. Ignoring File Entry: IP Address invalid or ambiguous. Ignoring File Entry: Server name exceeds 48-byte maximum. Ignoring empty entry in import file. Ignoring file entry for server name . No IP address found. Ignoring file entry for IP address . No server name found. Skipping server name . Registry entry already exists. www.syngress.com

You have provided an invalid delimiter parameter. You do not have Administrator rights the computer. The \HKLM\Software\Intel\LANDesk\ VirusProtect6\CurrentVersion Registry key does not exist. The \HKLM\Software\Intel\LANDesk\ VirusProtect6\CurrentVersion\AddressCache Registry key does not exist. You have provided an invalid IP address in the .txt files. The server name contains more than 48 bytes in the .txt files. The .txt file contains no data. The .txt file contains no IP address in the entry. The .txt contains no server name in the entry. The server name is already in the Registry entry.

Continued

Implementing Symantec System Center and Alert Management System2 • Chapter 3

Table 3.2 Common Importer.exe Codes Error

Cause

Cannot set the IP address value The Address_0 Registry key was unable to for server name . be created under HKLM\Software\Intel\ Landesk\VirusProtect6\CurrentVersion\ AddressCache\. This may be caused by the system having low free disk space. Cannot set the protocol value The Protocol Registry key was unable to be for server name . created under HKLM\Software\Intel\Landesk\ VirusProtect6\CurrentVersion\AddressCache\ . This may be caused by the system having low free disk space.

Considering Network Bandwidth Utilization This section of the chapter will explain the types and quantities of network traffic that the SSC generates, and the possible impact it might have on your network.

SSC Console Traffic The SSC can communicate with all NetWare servers, Windows servers, and clients.The communication protocol can be IP on IPX, and may switch automatically depending on the situation. When server configurations change, the SSC sends updates to each server in the group directly, instead of through the parent. Global changes are sent through the parent server, individual client changes go directly to the client.There must be a direct IP-to-IP or IPX-to-IPX path for this communication to take place.

Server-to-Server Traffic Using either one of the supported protocols, servers communicate with each other to send virus definition updates and to forward alerts. Servers check their parents every five minutes for new virus definition updates. Only the primary server is able to send virus definition file updates to the other servers in the group (if virus definition sharing is enabled). Placing a new virus definition file on a server other than the primary will not let other servers automatically get that virus definition file unless a server-to-server download is scheduled. No traffic is initiated between servers unless there is a new virus definitions file to send.The preceding is also true for new updates to a server. www.syngress.com

119

120

Chapter 3 • Implementing Symantec System Center and Alert Management System2

When a secondary server detects an event that triggers an alert to the primary, the AMS2 on the primary then processes that alert. No AMS2 traffic is generated unless there are alerts to forward.

Discovery Cycle Traffic The SSC generates traffic when it updates information about NAVCE servers through the Discovery Cycle.This cycle is set to 480 minutes (eight hours) by default, but can be changed as needed. The amount of traffic generated by this process is minor. More traffic could potentially be generated by NAVCE client/server communication.

NAVCE Client/Server Traffic By default, NAVCE clients send a 1KB packet to their parent every 60 minutes. This packet contains status information about the client, such as computer name or the date of virus definition files. When the parent receives the packet, it will store that information in the Registry. If there is existing information on that client in the Registry, that information is updated if needed. If the server has newer definition files than the client, then the server pushes them to the client. If the client does not reach the parent server, it will try again at its next check in cycle.

NOTE Client status packets are sent using UDP. To avoid communication problems, you should make sure that you do not block UDP-based communications between a client and its parent.

NAVCE Server/Client Traffic When a parent server receives an update to a configuration or a new virus definition file, it will push what is needed to the client. If a parent receives a status update packet from a client and there is no action needed, then the parent server does not respond. Clients will usually update their parent server whenever there is a change in its status. It may take several minutes before that information is available in the SSC.

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

By default, the server/client check-in interval is set to 60 minutes.This can be changed as needed. Keep in mind that increasing this interval could cause communication issues between a client and its parent, and outdated information in the SSC. To change the server/client check in interval: 1. Open the SSC. 2. Right-click a server or server group. 3. Go to All Tasks | Norton AntiVirus | Virus Definition Manager. 4. Click Settings. 5. Set the new frequency.

Manually Generated Traffic: NAVCE Client Enumeration When you select a server in the SSC console tree, the SSC gets all of the client information from that server by checking its Children key to determine what clients are currently connected.This may cause a large amount of traffic depending on how many clients are connected to that server.There also may be a delay regarding the time the client shows up in the right pane of the SSC; the more clients there are, the longer the process may take due to additional network traffic.

Manually Generated Traffic: Server Role Reassignment When you assign a server to the role of a primary server or server group, the DomainData Registry key is moved from the old primary server to the new primary so the server group settings can be passed on.This could take some time, and the SSC console must be able to contact both servers so it can act as a gobetween for the transfer of data from old to new. After the transfer is complete, the key is deleted from the old server. This assignment will also cause the SSC to attempt to enable the AMS2 alert notifications however, and these will have to be exported manually from the old primary server. (This procedure is covered in the section on the AMS2 system.) When the AMS2 switch on the new primary is enabled, the server will then try to route any AMS2 action to itself. If the AMS2 is not installed on the new primary, you will not see AMS2 alerts until it is installed. See the section on the

www.syngress.com

121

122

Chapter 3 • Implementing Symantec System Center and Alert Management System2

AMS2 for more details on transferring alert actions between servers.To complete the process, the SSC will try to point all of the secondary servers in the server group to the new primary. As a safety measure, all DomainData keys are deleted from all other secondary servers so any secondary servers that were updated manually or unavailable during a previous primary upgrade will be corrected.The SSC will also delete the Children key from the old primary server, as it no longer manages other servers, but leaves the Client key intact.

Manually Generated Traffic: Moving NAVCE Servers between Groups In the SSC console, you can drag and drop a server from one server group to another. When this happens, the SSC contacts the server and updates its Parent Registry key to point to its new primary server. When that key changes, the server submits its pong data to its new primary server.This completes the process, and the server will now show up in the new server group.

Manually Generated Traffic: Refreshing SSC Console There are different ways of refreshing the SSC; each one is done differently depending on what part of the SSC you are refreshing. ■

Refreshing the System Hierarchy When you refresh at the system hierarchy level, the SSC reloads the data from the Discovery Service, and no network traffic is generated. Consider this refresh a way to synch up the console and the Discovery Service.



Refreshing a Server Group When you refresh the SSC at the server group level, the SSC performs a ping to do two things. ■

The ping contacts the primary server, and has it report information on the secondary servers under it.This list may be more up-to-date than discovery data, so you may see more servers in the console.



The SSC will walk the list of servers in the Discovery Service and tries to ping them directly. When a server responds, the SSC updates the Discovery Service and the SSC console.This process affects only those computers in the server group or those that are pinged. No clients are updated.

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3 ■

Refreshing a Server When you refresh a server in the SSC, a ping is sent to that server to refresh the server data, and get a new list of clients. This will update all of the client data in the Discovery Service and add any new clients that may have been added to the server as a client since the last refresh. Once the Discovery Service is updated, the SSC updates the client data it displays.



Refreshing NAVCE Clients You cannot refresh a client directly.To refresh the data for a client, refresh its parent server instead.

Introducing Alert Management System2 The AMS2 generates configurable alerts when certain conditions are met that allow you to monitor the status of your NAVCE implementation. Although there are several conditions that the AMS2 can notify you about, it is primarily used to alert you to virus activity.The AMS2 is comprised of two separate components, programs that run on each NAVCE server and programs that run on the computer that the SSC is installed on. The Alert Management System2 has various features available to allow you to monitor your NAVCE implementation thoroughly.The AMS2 is very flexible, and has a wide array of alerting options for several alerting strategies that can easily be adapted for just about any network environment.

Processing Alert Management One of the great aspects of the AMS2 is the varied types of alerting options available. A description of all the alerting options follows, and instructions on setting up these alerts are included later in the chapter. ■

Message Box This alert action displays a message box on the computer you specify.You can choose to have the message box beep when it comes up, or have the message box stay on top of all the windows until OK is clicked.



Broadcast This alert action sends a message to all computers logged on to the server that generated the alert.



Internet Mail This alert action sends an Internet mail message to the e-mail address you specify. When using this alert action, you need to set the SMTP mail server through which the alert action will be sent. If you

www.syngress.com

123

124

Chapter 3 • Implementing Symantec System Center and Alert Management System2

put the name of the server in the alert, there must be a DNS server configured so the server’s IP address can be resolved. If you don’t have a DNS server, you can put the IP address in directly. It would also probably be a good idea to check with your e-mail administrator to make sure your SMTP server will accept this kind of message. If you do not have an SMTP server, this alert will not work. ■

Paging This alert action sends a pager message to the number you configure. Any computer that is going to send this alert action will need to have a modem installed.



Running Programs This alert action runs a program on the computer for which you configure it.This allows you to run any specialized process you choose, like making a quick backup of data, in the event its corresponding criteria are triggered.



NT/2000/XP Event Log Entries This alert action creates an entry in the Windows NT/2000/XP Event Log’s Application Log.This entry is logged on the server the alert action came from.This is only available on Windows NT/2000/XP computers.



SNMP Traps This alert action generates an SNMP trap when an alert occurs. SNMP (Simple Network Management Protocol) is a messagebased protocol founded on a manager/agent model consisting of Get, GetNext, and Set messages and responses.You can configure these alerts to forward these traps to other third-party products.



Loading Novell NLM This alert action loads a NetWare Loadable Module (NLM) on the selected NetWare server where the alert occurs. This is similar to the Run Program alert action for a Windows NT–based computer.

Compatible AMS2 Alerts for each Operating System Some AMS2 alerts are not compatible with all operating systems.The following is a list of alerts each operating system can’t support. ■

Windows 9x/Me PCs These operating systems cannot be configured for the Write to the NT Event Log, Send SNMP Trap, and the Load and NLM alert actions.

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3 ■

Windows NT 4.0 Workstation/Server These operating systems can be configured for all of the alert actions except the Load an NLM alert action.



Windows 2000 Professional/Server/Advanced Server These operating systems can be configured for all of the alert actions except the Load an NLM alert action.



Windows XP Home/Professional These operating systems can be configured for all of the alert actions except the Load an NLM alert action.



Novell NetWare 3.x, 4.x, and 5.x These operating systems can be configured for all of the alerts except the Write to Windows NT Event Log.

Implementing Alert Management System2 The two components of AMS2 are usually installed at the same time the SSC is installed on a computer, or at the same time the NAVCE server program is installed. AMS2 usually goes hand in hand with the installs of either of those programs.

Notes from the Underground… Installing AMS2 as a Stand-Alone Application Though not recommended in most situations, it is possible to install AMS2 on a Windows NT–based server as a stand-alone application. The install procedure is as follows: 1. Install AMS2 from NAVCE CD 2 from this location: \NAVCORP\ ROLLOUT\AVSERVER\AMS2\WINNT\setup.exe. 2. Restart the computer. 3. Download the Ams_ii.zip from Symantec Knowledge Base Document Id 2001020809252248 (you can search for that at Continued

www.syngress.com

125

126

Chapter 3 • Implementing Symantec System Center and Alert Management System2

www.symantec.com/techsupp/enterprise/products/nav/ nav_76_ce/search.html). 4. Decompress the three files contained in ams_ii.zip into the %winnt%\system32\AMS_ii folder. (%WINNT% is the folder that the operating system is installed in, something which depends on the system configuration). 5. Stop and start all Intel services. You may then configure AMS2 on this computer using the SSC or through the aMSAdmin.exe program found in the Program Files\NAV folder.

The following is a list of services you might see if you are running AMS2 on a Windows NT or Windows 2000 server. ■

Intel Alert Handler (hndlrsvc.exe) This AMS2 service provides alerting actions such as message boxes, pages, and so on.



Intel Alert Originator (iao.exe) This AMS2 service allows for alerts to be received on the machine it’s installed on. Alerts can be received from the local machine (like a primary server) or from a remote machine.



Intel File Transfer (xfr.exe) This service provides file transferring capabilities to the AMS2 system.

Now if you run the AMS2 console, you won’t be able to configure alerts.You should check to see that both the AMS2 console and AMS2 on at least one computer are able to configure alerts. Another common problem is that, following the install, your modem might not work.This problem usually has something to do with the Send Page alert action. For you to use the Send Page alert action successfully, the computer that sends the alert must have three items. 1. An installed version of AMS2. 2. A modem configured for AMS2. 3. A phone line connected to the computer. Before you can use a modem to send pages with AMS2, you must configure it with the modemcfg.exe program. From the program, you can select the proper www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

COM port and modem settings to allow this type of alert to work properly.To configure your modem for AMS2 use, follow these steps: 1. Go to the C:\winnt\system32\AMS_ii folder in Windows Explorer and double-click the modemcfg.exe program. 2. Choose the COM port the modem uses. 3. Choose the correct modem type. 4. Click OK to finish and save these settings.

Uninstalling Alert Management System2 To uninstall the AMS2 system, follow these steps: 1. Click the Start button. 2. Go to Settings | Control Panel. 3. Once the Control Panel opens, go to Add/Remove Programs (Add or Remove Programs on Windows XP). 4. Select AMS Server and click the Change/Remove button. 5. Follow the instructions and/or prompts that follow until finished. 6. After the install completes, reboot the computer. To uninstall and then reinstall AMS2 without reinstalling any other SSC components, follow these steps: 1. Perform the normal uninstall instructions described earlier in this chapter. 2. Make sure both the C:\Program Files\AMS Server and the C:\winnt\system32\AMS_ii folders are deleted. 3. Restart your computer. 4. Insert NAVCE CD 2 into your CD-ROM drive. 5. Go to the %CD DRIVE%\ NAVCORP\ROLLOUT\AVSERVER\ AMS2\WINNT folder. 6. Run setup.exe. 7. After the install completes, reboot your computer.

www.syngress.com

127

128

Chapter 3 • Implementing Symantec System Center and Alert Management System2

To manually uninstall the AMS2: 1. Delete the following Registry keys: ■

HKEY_LOCAL_MACHINE\Software\INTEL\LANDesk\AMS2



HKEY_LOCAL_MACHINE\Software\INTEL\LANDesk\AMS2\ SNMP\Generator

2. Delete the C:\WINNT\SYSTEM32\AMS_II folder. 3. Delete the ams2inst.log file in the C:\WINNT folder.

Configuring & Implementing… Forwarding AMS2 Alerts from Unmanaged Clients Follow these steps to forward AMS2 alerts from unmanaged clients: 1. Open up Notepad and create a new text file. 2. Add the following text as shown: [KEYS] !KEY!=$REGROOT$\Common AMSServer=S AMS=D1 !KEY!=$REGROOT$\ProductControl LoadAMS=D1

3. Replace (without the brackets) with the IP or IPX address for the AMS2 server you want the client to forward alerts to. 4. Save the file as grc.dat to the client directory where NAVCE is installed.

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

Configuring AMS2 Alerts This section describes in detail how to configure each AMS2 alert action. It also explores some notification options that do not require AMS2, but that are built into the NAVCE management snap-in.

Configuring & Implementing… Using Advanced Discovery Options to Configure AMS2 Alerts Faster If you have a large network, you could possibly speed up and simplify your configuration of AMS2 by using the Advanced Discovery option. This will allow you to search a specific segment of your network for AMS2 computers. This can be very useful if you manage a large network with many different servers, but you want to confine your search for AMS2-enabled servers to a certain section of the network or subnet mask. The discovery process is even faster if you limit your search to only the network segments you need. You can use this Advanced Discovery with either IP or IPX. To configure Advanced Discovery, follow these steps: 1. In the SSC console, right-click the server group you want to manage. 2. Click All Tasks | Configure AMS. 3. In the dialog that opens next, click Options (Figure 3.12). 4. If you use IPX, put the IPX broadcast address (where you want to search for AMS2 resources) in the Add IPX field. 5. If you use TCP/IP, enter the TCP/IP broadcast address (where you want to search for AMS2 resources) in the Add IP field. 6. Click Add to add the address you have entered to the Current Discovery Broadcast Addresses list. Only the broadcast networks listed here will be searched to discover new AMS2 resources. If you do not enter any broadcast networks, the entire network will be searched each time you start a discovery. Continued

www.syngress.com

129

130

Chapter 3 • Implementing Symantec System Center and Alert Management System2

Figure 3.12 The Advanced Discovery Options Configuration

7. Click OK to save any changes made and return to the Alert Actions box.

Configuring Alert Messages Configuring all AMS2 alerts involve three basic tasks: ■

Selecting a type of alert in the Alert Actions dialog box.



Selecting the alert action you want for the alert. (This determines what AMS2 will do when that alert condition is triggered.)



Configuring the alert action you selected.

There are no default alert actions for any of the alerts. If you do not configure AMS2 alerts actions, no alerts will be generated. However, virus alerts, and other AMS2 actions will be forwarded to the AMS2 log. To open the Alert Actions dialog, follow these steps. 1. In the SSC console, select the server group you want to configure and right-click it. 2

2. Click All Tasks | Configure AMS (Figure 3.13).

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

Figure 3.13 The AMS2 Alert Configuration Dialog

NOTE If the AMS2 detects a message larger than 1KB, the message will not be delivered. If you have configured a default alert, it will be delivered instead. You can set up your default alert to let you know when a message exceeds this limit.

Each alert action has its own configuration wizard, and once you configure an alert, it will show up in the list of alerts in the Alert Configuration dialog (Figure 3.13). An alert action will run on the computer you select when the action is configured (see Figure 3.14).The computer must support the action it is assigned (for example, computers that have Send Page actions must have a configured modem) or the alert action will not run. Figure 3.14 The Set Alert Action Dialog

www.syngress.com

131

132

Chapter 3 • Implementing Symantec System Center and Alert Management System2

Alert actions that have text, like Send Page and Message Box, have information that can be configured with certain alert parameters.Table 3.3 lists these parameters. Which parameters are available will depend on the alert being configured. Table 3.3 Alert Message Parameters Alert Parameter

Description









Action that was performed at event trigger. Name of alert. Name of computer where alert came from. Date when alert was generated. Details about the alert. Name of the alert that failed to process. Location of file on alerting computer. Name of the alert server. Action that was configured to run at event trigger. Either Critical or Non-Critical. Product that was source of notification. Time alert was generated.

You can use these alert parameters as variables in the text messages as well as in the configured alert actions. Make sure the variables are enclosed in < >, so they will display properly.

Configuring Default Alert Messages To configure a default alert message, do the following: 1. Open the Alert Actions dialog. 2. Click Default Alert, and then click Configure. 3. Click Message Box, and then click Next. 4. Select a computer that will generate the alert, and then click Next. 5. Select whether you want the dialog box to “Beep when displayed” or “Always be on top until cleared.” 6. Click Next (Figure 3.15). 7. Type the Action Name that best describes the message you are configuring. www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

Figure 3.15 Configuring the Alert Message

8. In the actual Message box, either: ■

Type a custom message text you want to be shown.



Click Default to use the generic message information for this alert action, and any other message you want to appear. Note that the parameter is the name of the AMS2 server that produced the alert. Put in the place of if you want the name of the computer that caused the alert.

9. Click Finish.

Configuring AMS2 Message Box Alerts To configure a message box alert, do the following: 1. Open the Alert Actions dialog. 2. Select the alert you want to configure. 3. Click Configure. 4. Click Message Box, and then click Next. 5. Select a computer that will generate the alert, and then click Next. 6. Select whether you want the dialog box to Beep when displayed or Always be on top until cleared (Figure 3.16). 7. Click Next. 8. Enter a name for the action. 9. In the message box, type the message you want and use alert parameters as needed.You can also click Default to set the default message.

www.syngress.com

133

134

Chapter 3 • Implementing Symantec System Center and Alert Management System2

Figure 3.16 Message Box Configuration Options.

10. Click Finish to save.

Configuring AMS2 Broadcast Alerts To configure a broadcast alert, do the following. 1. Open the Alert Actions dialog. 2. Select the alert you want to configure. 3. Click Configure. 4. Click Broadcast, and then click Next. 5. Select a computer that will generate the alert, and then click Next. 6. Enter a name for the action. 7. In the message box, type the message you want and use alert parameters as needed.You can also click Default to set the default message. 8. Click Finish to save.

Configuring AMS2 Alerts to Run Programs To configure an AMS2 alert to run a program in the event of an incident, perform the following steps: 1. Open the Alert Actions dialog. 2. Select the alert you want to configure. 3. Click Configure. 4. Click Run Program, and then click Next. 5. Select a computer that will generate the alert, and then click Next. www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

6. Enter the full path name to the program you want to run (including the name of the program). 7. Enter any command-line parameters for the program. 8. Select whether you want the program to be normal, minimized, or maximized when it executes. 9. Click Finish.

Configuring the Load an NLM Alert To configure the Load an NLM alert action, do the following: 1. Open the Alert Actions dialog. 2. Select the alert you want to configure. 3. Click Configure. 4. Click Load An NLM, and then click Next.The first time you configure this alert, AMS2 needs to search the network for NetWare computers that will be able to perform this action. 5. If the computer you are looking for does not show up in the list, click Discover to search again and find that computer. 6. Select a computer where the NLM will load, and then click Next. 7. Enter or choose the NLM that you want to load. NLMs are usually stored in the SYS:SYSTEM directory on NetWare servers. 8. Enter any command line options you want to use. 9. Click Finish.

Configuring the Send E-mail Alert To configure an e-mail alert, do the following: 1. Open the Alert Actions dialog. 2. Select the alert you want to configure. 3. Click Configure. 4. Click Send Internet Mail, and then click Next. 5. Select a computer that will generate the alert, and then click Next.

www.syngress.com

135

136

Chapter 3 • Implementing Symantec System Center and Alert Management System2

6. In the Internet Address, Sender Name, Subject, and Mail Server fields, enter the appropriate information. Once you have set up one of these alerts, that information will be available from a drop-down list in subsequent alerts. 7. Click Next. 8. Enter an action name. 9. In the message box, type the message you want and use alert parameters as needed.You can also click Default to set the default message. 10. Click Finish.

Configuring the Send Page Alert To configure a send page alert, do the following. 1. Open the Alert Actions dialog. 2. Select the alert you want to configure. 3. Click Configure. 4. Click Send Page, and then click Next. 5. Select a computer that will generate the alert, and then click Next (Figure 3.17). Figure 3.17 Configuring the Send Page Alert

6. Enter the Access Telephone Number you call for your paging service. Make sure to enter any numbers needed to reach an outside line. 7. Enter the Pager ID number and password you use to access your paging service. If you don’t have a password, just leave it blank.

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

8. Select your service type. If your service isn’t listed, try one of the generic types. For more information, see the sections on “Configuring a Known Paging Service” and “Configuring for an Unknown Paging Service.” 9. Click Next. 10. If you are sending a page to an alphanumeric pager, in the Message box, type the message you want and use alert parameters as needed.You can also click Default to set the default message. If you are sending a page to a numeric pager, you can only enter numbers in the Message box. 11. Enter an action name. 12. Click Finish.

Configuring for a Known Paging Service To configure a Send Page alert for a known paging service, select you’re paging service from the list in the Service section.

Configuring for an Unknown Paging Service To configure for an unknown paging service, perform the following tasks: 1. Open the Alert Actions dialog. 2. Select the alert you want to configure. 3. Click Configure. 4. Click Send Page, and then click Next. 5. Select a computer that will generate the alert, and then click Next. 6. Click Settings. 7. Enter the protocol, maximum message length, baud rate, data bits, stop bits, and parity that your paging system needs. If you don’t know this information, you can get it from your paging service. 8. Click OK and continue configuring the alert as described in the last section.

www.syngress.com

137

138

Chapter 3 • Implementing Symantec System Center and Alert Management System2

Configuring Alerts for SNMP AMS2 can generate SNMP traps when an alert action is triggered.You can configure systems generating alerts to send these traps to a management console such as HP OpenView,Tivoli Enterprise Console, and Compaq Insight Manager.

Configuring the Send SNMP Trap Alert To configure a SNMP Trap alert, do the following: 1. Open the Alert Actions dialog. 2. Select the alert you want to configure. 3. Click Configure. 4. Click Send SNMP Trap, and then click Next. 5. Select a computer that will generate the alert, and then click Next. 6. In the SNMP trap, type any message text you want to display and use alert parameters as needed. 7. Enter an action name. 8. Click Finish.

Configuring SNMP Trap Settings for Windows NT To configure SNMP trap settings for Windows NT, perform the following actions: 1. In the Windows NT Control Panel, double-click Network. 2. Click Services. 3. Click SNMP Service, then Properties. 4. Click Traps. 5. In the Community Name box, click Public. 6. If there is no public entry in the list, type it in and then click Add. 7. Under Trap Destinations, click Add. 8. Enter the addresses or host names of the computers you want the traps sent to. Click Add. 9. Click OK, and then click Close.

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

Configuring SNMP Trap Settings for Windows 2000 To configure SNMP trap settings for Windows 2000, do the following: 1. Right-click My Computer, and then click Manage. 2. Expand the Services and Applications node, and then click Services. 3. In the right pane, double-click SNMP Service. 4. Click the Traps tab. 5. In the Community Name box, type Public. 6. If there is no public entry in the list, type it in and then click Add. 7. Under Trap Destinations, click Add. 8. Enter the addresses or host names of the computers where you want the traps sent. Click Add. 9. Click OK, and then click Close.

Configuring SNMP Trap Settings for Windows XP To configure SNMP trap settings for Windows XP, do the following: 1. Right-click My Computer, and then click Manage. 2. Expand the Services and Applications node, and then click Services. 3. In the Details pane, double-click SNMP Service. 4. Click the Traps tab. 5. In the Community Name box, type Public. 6. If there is no public entry in the list, type it in and then click Add. 7. Under Trap Destinations, click Add. 8. Enter the addresses or host names of the computers where you want the traps sent. Click Add. 9. Click OK, and then click Close.

Configuring SNMP Trap Settings for Novell NetWare 4.1x/5.x To configure SNMP trap settings for Novell NetWare 4.1x/5.x, do the following: 1. In the NetWare server console, type: load inetcfg 2. Click Protocols and press Enter. www.syngress.com

139

140

Chapter 3 • Implementing Symantec System Center and Alert Management System2

3. Click TCP/IP and press Enter. 4. Click SNMP Manager Table, and then press Enter to show the SNMP Manager Table. 5. Do one of the following: ■

To modify an existing address, select it, and press Enter.



To add a new address, press the Insert key, type an IP address, then press Enter.



To delete an address, select it, press the Delete key, and then press Enter to confirm the deletion.

6. Press the Esc key to close the dialog box. 7. Press Enter to confirm the change to the database.

Configuring SNMP on a NetWare Server In order to configure AMS2 to send SNMP traps on a NetWare server, you have to perform the following tasks. ■

Configure AMS2 SNMP alerts through the SSC console.



Verify that AMS2 is installed on the NetWare server. If it isn’t, install it.



Configure TCP/IP on the NetWare server.



Configure SNMP on the NetWare server.

To configure SNMP on a NetWare server, follow these steps: 1. Load the Internetworking Configuration utility by typing load inetcfg at the server console. 2. Click the Internetworking Configuration menu, point to Protocols, point to TCP/IP, and then click SNMP Manager Table. 3. To add an SNMP Manager, press Insert, and then type the IP address of the computer where the SNMP console is installed. 4. Press the Esc key until you are back to the Internetworking Configuration menu. 5. Click Manage Configuration, point to Configure SNMP parameters, and then click Trap State. 6. Click Send Traps with Specified Community, and then press Enter. www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

7. Click the Trap community, and then type public as the name. 8. Press Esc and save changes. 9. Press Esc again until you have exited from inetcfg. 10. From the server console, type: load edit sys:etc\initsys.ncf 11. Replace the existing SNMP load command with the following command: load snmp.nlm t=public 12. Save the changes to the initsys.ncf file, and then restart the server.

Configuring Alerts for the Windows NT/2000/XP Event Log To configure the Write to Event Log action, do the following: 1. Open the Alert Actions dialog. 2. Select the alert you want to configure. 3. Click Configure. 4. Click Write to Event Log, and then click Next. 5. Select a computer to generate the alert, and then click Next. 6. Enter a name for the action. 7. In the message box, type the message you want and use alert parameters as needed.You can also click Default to set the default message. 8. Click Finish to save.

Managing Configured Alerts After you have configured all of your alert actions, do the following: ■

Test your alerts to make sure they work properly.



Delete any alerts you no longer need.



Export alerts other AMS2-enabled computers.

www.syngress.com

141

142

Chapter 3 • Implementing Symantec System Center and Alert Management System2

Testing Configured Alerts To test an alert, do the following: 1. Open the Alert Actions dialog. 2. Select an alert you want to test, and click Test. If you do not see your alert actions after a reasonable amount of time, the AMS2 log should have a log entry as to why the alert action failed.

Exporting Alerts to Other Systems Each AMS2-enabled computer stores its alerts in a local database. When you reassign a parent server, you must export your AMS2 alerts from your old parent server to your new one, before the new parent server can forward AMS2 alerts. This does not happen automatically with the parent server reassignment. For emergency purposes, it is a good idea to export AMS2 alerts to a few other servers in case the primary AMS2 server goes down for any period of time.The only alerts that will be on the new server are ones that the server is capable of running, such as the Send Page alert.You can pick and choose which alerts you want to export, or you can export all of your alerts between servers. To export alert actions to other computers, do the following: 1. Open the Alert Actions dialog. 2. Choose one of these tasks. ■

Click the Norton AntiVirus Corporate Edition folder if you want to export all alerts related to NAVCE.



Select either an alert to export all of its actions, or just one alert to export its action.

3. Click Export. 4. Choose the computers you want to export alerts to from the list that appears. If you don’t see any computers, click Discovery to find them, as mentioned earlier in this chapter. 5. Click Export. 6. Click Yes to confirm. 7. In the status dialog, verify that the alert actions exported successfully.

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

Introducing NAVCE Notification Methods Not Requiring AMS2 If you don’t use AMS2, the NAVCE Management Snap-in has other built-in notification methods that do not require AMS2, such as: ■

A customizable message box.



Histories and event logs which provide details about viruses, virus sweeps, and scan histories.

Customizable Messages When configuring client and server real-time protection options, you can choose the option to have a custom message box appear on the screen of the infected computer when a virus is detected. The default alert has variables in brackets similar to other messages in the AMS2 system, and you may customize it to fit your environment. Using this method of notification is not as effective as AMS2 since it relies on the user notifying an administrator that a virus has been detected on their machine.

Histories and the Event Log If you do not have the AMS2 configured in your implementation of NAVCE, then histories and event logs will be your primary source of information activity on your network. In such cases, the Virus History should be checked on a daily basis. A description of each history type is listed next.

Understanding Scan Histories Use the Scan History to view scans that have run, or are running on, specific servers, or on server groups.You can specify a certain time range to filter the amount of data that you see.To view the Scan History: 1. In the SSC, select an unlocked server group. 2. In the Tools menu, choose Logs | Scan History.

Understanding Virus Histories This history lists all detected viruses for selected computers or server groups.You can select an item in the list to perform actions on the item such as Move to www.syngress.com

143

144

Chapter 3 • Implementing Symantec System Center and Alert Management System2

Quarantine or Delete.This history also shows details about each virus detected, including the name and location of the infected file, the name of the infected computer, and what actions were taken to combat the virus.To view the Virus History, do the following: 1. In the SSC, select an unlocked server group. 2. In the Tools menu, choose Logs | Virus History.

Understanding Virus Sweep Histories The Virus Sweep History displays information on virus sweeps that have been performed.To view the Virus Sweep History: 1. In the SSC, select an unlocked server group. 2. In the Tools menu, choose Logs | Virus Sweep History. 3. Click View Results to examine the results of prior sweeps.

Understanding the Event Log This contains all other logged information that does not fall into the previous categories.To view the Event Log: 1. In the SSC, select an unlocked server group. 2. In the Tools menu, click Logs | Event Logs. When viewing these various histories and logs, you can sort the data you are viewing by clicking the column headers.You can filter items by date with the following parameters: ■

Today



Past seven days



This month



All items



Selected range of days

To filter items by date: 1. In the SSC, select the server group or server you want to look at. 2. In the Tools menu, choose Logs, then one of the following: www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3 ■

Event Log



Scan History



Virus History



Virus Sweep History

3. In the list box, click one of the following options: ■

Today



Past seven days



This month



All items



Selected range of days

4. If you chose Selected Range, select a start date and an end date, then click OK.

www.syngress.com

145

146

Chapter 3 • Implementing Symantec System Center and Alert Management System2

Summary The Symantec System Center (SSC) is a snap-in for the Microsoft Management Console (MMC) to be installed on a computer slated to manage an implementation of Norton AntiVirus Corporate Edition (NAVCE).The SSC links together your NAVCE implementation and enables you to manage your enterprise antivirus protection as effectively as possible.This chain can be strengthened with other various snap-ins and add-ons like the NAVCE Management snap-in and the Quarantine Console. Though relatively simple in its installation, the SSC’s network scanning capabilities need to be considered before it can be implemented successfully since the computer that will run this tool must be able to support its functionality.The SSC has extensive capabilities for discovering manageable NAVCE resources, but can produce a good quantity of network traffic if not used properly. Gathering a thorough knowledge of the traffic the SSC can generate is recommended. The Alert Management System2 (AMS2) is a highly configurable and fully featured automatic notification system that allows you to monitor almost every aspect of your NAVCE implementation. As the SSC is the chain that links your NAVCE implementation together, the AMS2 is the lock that holds it in place by allowing you to be notified of almost any change in NAVCE resources. AMS2 alerts ranging from e-mails sent to a specified e-mail address, to pages sent to an alphanumeric pager that can be configured to notify you about activity like virus alerts and errors in loading virus definition files. Once an AMS2 alert has been configured, the alert can be tested at any time or exported to other AMS2enabled computers, as desired. If the robust notification capabilities of the AMS2 system are not required in your organization, you can use other notification methods built into the NAVCE Management snap-in. However, these methods involve a larger level of management, as they require more human interaction to be effective. It is recommended they be used to augment the capabilities of AMS2 instead of replace them. Hopefully this chapter has given you a good handle on just what the SSC and the AMS2 is capable of, and allowed you to make informed decisions on how to use it effectively in your environment.

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

Solutions Fast Track Understanding the Symantec System Center ; The SSC is a snap-in for the Microsoft Management Console.

; The SSC is the centralized interface for managing an implementation of

NAVCE.

; The SSC can only be installed on Windows systems.

; If you are managing NAVCE in a combination of TCP/IP and IPX

environments, make sure to install both protocols on the computer where the SSC will be used.

; The SSC must have an IP-to-IP or IPX-to-IPX link to NAVCE

resources to function properly.

Implementing the Symantec System Center ; You must uninstall NAVCE 6.0 (or earlier) or LANDesk Virus Protect

before installing the SSC.

; If you are going to use SSC 4.6, you should have NAVCE 7.6 installed

on your computer as well. Do not mix older versions with new versions of either of these softwares.

; The SSC install is on CD 1, and must be installed first before any other

SSC snap-ins.

; The NAVCE Management snap-in and the SSC console add-ons are

on CD 2.

; The Quarantine Console install is on CD 1.

; The SSC Discovery Service (nsctop.exe) and the Intel Ping Discovery

Service (pds.exe) will run in the background on a computer that has the SSC installed, regardless of whether the SSC is running.

The Symantec System Discovery Process ; When you run the SSC for the first time, it will ping your network for

NAVCE resources. www.syngress.com

147

148

Chapter 3 • Implementing Symantec System Center and Alert Management System2

; Ping and pong packets sent back and forth from the SSC and NAVCE

resources are 1KB in size.

; The Discovery Cycle can be configured to run from every 1 to 1440

minutes, but a new discovery will not start unless the last one is completed.

; Discovery can be configured to read from the SSC’s local cache, ping

the local subnet, or perform an intense discovery that will walk the entire network.

; The Discovery Cycle can be run manually at any time.

; Discovery can also be configured to scan a range of IP addresses or

subnets.

; The Discovery process is dependent on WINS. For networks without

WINS, the Importer.exe command line tool (found on CD 1), can be used to import resources from a properly formatted text file into the SSC’s cache.

; When using the SSC, network bandwidth needs to be considered.

Familiarize yourself with the types of traffic the SSC can generate, and how they are generated.

Introducing Alert Management System2 ; The AMS2 is a configurable alert system that allows you to monitor your

implementation of NAVCE.

; The available AMS2 alerts include the following: ■

Message Box



Broadcast



Send Internet Mail



Send Page



Run Program



Write to Windows NT Event Log



Send SNMP Trap



Load an NLM

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

Implementing AMS2 ; The AMS2 is usually installed with the SSC, but it can be installed as a

stand-alone application if desired, using the install on CD 2.

; The AMS2 does not have any alerts preconfigured.To start using it, first

configure your desired alerts.

; The Intel Alert Handler (hndlrsvc.exe), Intel Alert Originator (iao.exe)

and the Intel File Transfer (xfr.exe) service will run in the background on any computer where AMS2 is installed.

Configuring AMS2 Alerts ; You can configure AMS2 alerts faster by using the Advanced Discover

options.

; If an AMS2 detects an alert that is larger than 1KB in size, it will not be

delivered. If you have a Default Alert configured, it will be delivered instead.

; When you set up an AMS2 alert, computers that are not capable of

sending the alert will not be available from the selection list.

; Before you can configure a Send Page alert, you must configure your

modem for use with AMS2 by running the modemcfg.exe tool found in the %WINDOWS%\system32\AMS_ii folder.

Managing Configured Alerts ; It is recommended that AMS2 alerts be tested after creation to make sure

they are configured properly.

; You must export your AMS2 alerts before you change primary servers, or

your AMS2 could be lost.

NAVCE Notification Methods Not Requiring AMS2 ; There are three methods of notification that do not require AMS2 and

which are built into the NAVCE Management snap-in.They include ■

Customizable message boxes www.syngress.com

149

150

Chapter 3 • Implementing Symantec System Center and Alert Management System2 ■

Virus, Virus Sweep, and Scan Histories



Event Logs

; Customizable message boxes appear on the client or server that initiated

the alert.These alerts need to be seen before they can be acted on.

; The various histories and event logs are stored on those systems that

they detail. If these systems become unavailable, so does this information.

Frequently Asked Questions The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: How do I “unsave” the SSC server group password? A: To do this, lock the server group in question. Right-click the server group and click Configure Server Group Password. Input the old password, and then input the new “unique” password. Click OK. Close the SSC, and when prompted to save, click No.

Q: Is there any way to filter server groups shown in the SSC console? A: You can do this by opening the SSC console, and then right-clicking System Hierarchy. Click Filter Server Group View. Uncheck any server groups you do not want to see.Then click OK.

Q: Where are the AMS2 logs located? A: In Windows, they are located at %WINDOWS%\system32\AMS_II. For NetWare, they are in SYS:SYSTEM.

Q: What ports need to be open to use AMS2 through a firewall? A: The Intel Ping Discovery Service uses UDP ports 38293 and 38037. Additionally, Msgsys uses the TCP port 38292 for AMS2, so it will also need to be open to work properly.

www.syngress.com

Implementing Symantec System Center and Alert Management System2 • Chapter 3

Q: How do I configure AMS2 to send an SMS text alert to my cell phone when a virus has been detected?

A: AMS2 is not really configured for SMS, but there is a way to work around that. Configure a “Send Internet Mail” alert to send an e-mail to the e-mail address of your phone. In the subject field of the alert, type “virus found.” This is all the information that will be available.

Q: How do I create or export a list of servers and clients from the SSC? A: If you have version 1.2 or later of the Microsoft Management Console (1.2 is included with Windows 2000) installed on the computer that has the SSC, you may export a list of clients and servers by following these steps: 1. Open SSC, and unlock your desired server group. 2. Select either a server group or a server. 3. Right-click what you selected, and then click Export List. 4. Choose a destination and a filename from the Save As menu, then click Save to create the exported file. This will create a comma or tab delimited text file that can be imported into Microsoft Excel or Access.

Q: The SSC closes every time I click any option under Norton AntiVirus on the Tools menu. When this happens, I don’t get any error messages. How do I go about fixing this problem?

A: The cause of the problem could be related to the AMS2 database being corrupted.To repair the database, follow these instructions: 1. Close the SSC if it is open. 2. Open up the ODBC applet either in the Control Panel or under Administrative Tools in the Programs menu. 3. Select the System DSN tab. 4. Highlight the AMSDB entry, and then click Configure. 5. Click Repair. 6. Click OK when prompted to Repair Database Amsdb.mdb. 7. A message should then appear saying the database was successfully repaired. www.syngress.com

151

152

Chapter 3 • Implementing Symantec System Center and Alert Management System2

Q: How do I determine which version of the SSC I am using? A: You can determine the version of the SSC by following these steps: 1. Open up the SSC. 2. Click Console. 3. Click Add/Remove Snap-in. 4. Click the Standalone tab. 5. Click Symantec System Center. 6. Click About.The version number is in the lower-left corner.

www.syngress.com

Chapter 4

Implementing Central Quarantine 2.01

Solutions in this chapter: ■

Introducing Central Quarantine 2.01



Implementing Quarantine Console 2.01



Implementing Quarantine Server 2.01



Configuring Central Quarantine 2.01



Troubleshooting Central Quarantine 2.01

; Summary

; Solutions Fast Track

; Frequently Asked Questions

153

154

Chapter 4 • Implementing Central Quarantine 2.01

Introduction When a client on your network encounters an infected file that cannot be repaired, it typically isolates the infected file in a local Quarantine directory to prevent the virus from spreading to other file system areas of the infected machine. Symantec Central Quarantine provides the option to further remove these files from harm’s way by forwarding a copy of each infected client file to a single network location for the administrator to investigate and take any additional actions.This central repository for infected files consists of two parts: ■

The Quarantine Server



The Quarantine Console

In this chapter we will begin with a description of the features and architecture of Symantec Central Quarantine, and instructions on how to install the two main components of the Quarantine service. Once the Server and Console have been installed on your network, you need to configure the central repository to receive infected files from your Norton Antivirus Corporate Edition (NAVCE) clients. Central Quarantine can monitor your network using the TCP or SPX protocol(s), listening to a pre-established port number that you’ll set your clients to transmit information on. Once Central Quarantine receives a user-submitted file, it stores the submission in a directory on the Quarantine Server component until the file can be transmitted to Symantec Security Response (SSR), a team of Symantec’s virus experts and security engineers, virus hunters, and global technical support teams that work to analyze and provide defense against new virus strains as they are discovered or reported by customers and businesses. Once Central Quarantine has sent a file to SSR for examination, they’ll be able to investigate it and provide you with updated virus definitions if necessary. The chapter concludes with a discussion of steps you can take in trou2 bleshooting Central Quarantine.The Alert Management Server (AMS ) provides a useful way to monitor the health and well being of your Quarantine Server, Quarantine Console, and any files and virus definitions being processed by SSR. Using customized alerts, you can configure your Symantec installation to notify an administrator via pager or e-mail if some component of Central Quarantine is having difficulty or ceases functioning. Given the wide array of provided utilities, you should have no difficulty in monitoring and controlling any virus-infected files you may encounter on your network.

www.syngress.com

Implementing Central Quarantine 2.01 • Chapter 4

Introducing Central Quarantine 2.01 Symantec’s Central Quarantine provides a mechanism to isolate infected files until they can be examined, repaired, or deleted by a network administrator. Central Quarantine is composed of two primary components: the Quarantine Server and the Quarantine Console.The Quarantine Server serves as the actual repository where suspect and infected files are stored on a designated server disk drive, while the Quarantine Console is the interface that allows administrators to configure Quarantine settings and address quarantined files. Central Quarantine allows you to configure your network clients to forward their quarantined files to a central location on your network, rather than attempting to manage Quarantine directories on the individual PC hard drives throughout your network. Given the continuing evolution of virus threats, it’s entirely possible that one of your network clients may encounter a malicious file that cannot be detected by the most recent NAVCE virus signatures because the virus is simply too new. This is where Symantec heuristics comes into play. Heuristics (described in greater detail in Chapter 12) works to detect files that display behaviors that might be indicative of a virus. (For example, while a file called notavirus.vbs that issues a command to “Delete C:\Windows\explorer.exe” might be one that a user wished to launch intentionally, odds are much greater that this file is actually a virus. Symantec’s heuristic technologies would identify this file as a potential virus (even if the latest virus definition files did not include an entry for anything resembling a “Delete Explorer.exe Virus”) and forward it to the Central Quarantine Server.You then have the option to submit this suspect file to Symantec Security Response (SSR), the division of the Symantec Corporation that investigates new virus outbreaks. Quarantine Server’s architecture allows you to submit these files directly over the Internet (using either the HTTP protocol or SMTP e-mail).

NOTE Symantec Antivirus Research Automation (SARA) is a new feature that aids Symantec’s team of virus experts by enabling a large number of Quarantine submissions to be analyzed and appropriate definitions distributed to customers without the need for manual investigation or intervention. This can greatly speed the process of distributing virus signatures, often helping to stop newly discovered viruses before they can spread out of control.

www.syngress.com

155

156

Chapter 4 • Implementing Central Quarantine 2.01

Implementing Quarantine Console 2.01 You can install the Quarantine Console on a separate machine from the Quarantine Server itself—an administrative workstation would be ideal for this purpose. If you have multiple Quarantine Servers in your environment, you can use a single Quarantine Console to connect to each Quarantine Server in turn, or create multiple Quarantine Console sessions to connect to each Server. In this section, we’ll cover the steps necessary to install and configure the Quarantine Console component of the NAVCE Central Quarantine service.

Quarantine Console 2.01 System Requirements You can use the Quarantine Console either in conjunction with, or independent of, the Symantec System Center (SSC) console. If you’re installing to a machine where the SSC console has already been installed, the minimum hardware requirements for the Quarantine Console must meet the following: ■

128MB RAM



Minimum swap file size of 250MB



12MB available disk space

If you have not and do not plan to install the SSC console, you need to make sure the following additional requirements are also met: ■

Windows 2000 Professional or Server, or NT Server 4.0 with Service Pack 5 or later



Windows NT Server 4.0 must have the DCOM module installed



Internet Explorer 5.5 or later



Microsoft Management Console (MMC) version 1.2 or better



You will need administrative rights to the Windows servers or the Windows domain where you plan to install the Norton AntiVirus Quarantine Server

www.syngress.com

Implementing Central Quarantine 2.01 • Chapter 4

NOTE When choosing the operating system of the computer that will be running the Quarantine Console, remember that it does not necessarily need to be installed on the same computer as the Quarantine Server. This makes an administrative workstation running Windows 2000 Professional an ideal choice for installation of the Quarantine Console.

Recommended Configuration As with most software packages, the system requirements set forth by Symantec for Quarantine Console installation represent the bare minimum—in most cases you’ll want to have as much RAM and hard disk space available as possible. Additional RAM will speed your computer’s processing time since it will be able to store more information in speedy virtual memory instead of copying data to and from the hard drive. And with hard drives getting cheaper and cheaper, configuring a workstation with much more than 12MB of free space is usually a fairly inexpensive proposition.

Installing Quarantine Console 2.01 You’ll install the Quarantine Console from the NAVCE installation CD Disk 2. On the machine that you’ve designated to run the Console software, insert the CD into your CD-ROM drive. If the Autoplay menu (shown in Figure 4.1) doesn’t automatically appear within a minute or so, open Windows Explorer and click x:\cdstart.exe. (Where x represents the drive letter of your CDROM.) The NAVCE installation menu should then appear on your desktop. Perform the following steps to complete the installation. Figure 4.1 NAVCE Quarantine Console Installation Main Screen

www.syngress.com

157

158

Chapter 4 • Implementing Central Quarantine 2.01

1. From the Autoplay menu, click Install Quarantine Console.You’ll see the screen shown in Figure 4.2. Click Next to begin the installation process. Figure 4.2 Quarantine Console Setup Initial Screen

NOTE If you don’t have Internet Explorer version 5.5 or better, the Quarantine Console installer will prompt you to upgrade your IE installation before allowing you to continue.

2. On the following screen, click Yes to accept the software agreement, and click Next to continue.You’ll then be prompted to select a destination directory, as illustrated in Figure 4.3. As with most Windows applications, you can accept the default directory or click Browse to choose a different one.

www.syngress.com

Implementing Central Quarantine 2.01 • Chapter 4

Figure 4.3 Choosing a Destination Directory

3. Click Next again once you’ve made your selection. It will take a few minutes for the files to copy from the installation CD, at which point you’ll be prompted to reboot. Once your PC has rebooted, move to the next section to begin configuring the Quarantine Console.

NOTE If it hasn’t already been installed, the Quarantine Console installation 2 process will also install the Alert Management Server (AMS ). While not 2 an intrinsic component of the Central Quarantine software, AMS provides many benefits to your anti-virus defense strategy that we’ll discuss later in the chapter.

Uninstalling Quarantine Console 2.01 Removing the Quarantine Console is little different from uninstalling most standard Windows applications. Follow these instructions to uninstall the Quarantine Console from your server or workstation: 1. Choose Start | Settings | Control Panel and select Add/Remove Programs. If you are using a Windows 2000 machine, make sure you are on the Change or Remove Programs screen.

www.syngress.com

159

160

Chapter 4 • Implementing Central Quarantine 2.01

2. Scroll through the list of installed programs until you locate the Symantec Quarantine Console Snap-in item in the list of installed applications, as seen in Figure 4.4. 3. Click Change/Remove and follow the prompts to uninstall the Symantec Quarantine Console. Figure 4.4 Removing the Central Quarantine

Implementing Quarantine Server 2.01 The Quarantine Server component acts as a centralized file store for infected files that could not be repaired by Norton AntiVirus. When this occurs, the infected client machines will forward the files in question to the Quarantine Server so you can repair them manually or forward them to SSR for further analysis. In this section, we’ll cover the steps in installing Quarantine Server software.

NOTE Quarantine Server needs to be installed on a Windows NT or 2000 machine; it cannot be installed on a NetWare server.

www.syngress.com

Implementing Central Quarantine 2.01 • Chapter 4

Quarantine Server 2.01 System Requirements As I mentioned previously, the Quarantine Server and the Quarantine Console snap-in do not necessarily need to be installed on the same machine.The minimum hardware requirements to run the Quarantine Server software are as follows: ■

Windows 2000, or NT Server 4.0 with Service Pack 5 or later



Windows NT Server DCOM module (this applies to NT Server 4.0 installations only)



Internet Explorer version 5.5 or later



128MB RAM



Minimum swap file size of 250MB



15MB available disk space (you can leave as much as 4GB available to store quarantined items)



Administrative rights to the Windows NT servers or domain in which you plan to install the Quarantine Server

Recommended Configuration Just as with the Quarantine Console, these system requirements are the minimum necessary for the Quarantine Server to function. Especially if the Quarantine Server is running on a machine that is hosting other network services and applications, you should realistically consider a minimum of 256MB of RAM, or more if the overall load on the server calls for it.The same goes for hard drive space, as more is definitely better than less: you never want to find yourself in a position where you’re scrambling to reconfigure a production server because the space on the system drive is dwindling. I try not to allow any of the drives on my servers to fall below 100MB of free space at any given time (you may find your environment and comfort levels dictate more space or less).

Installing Quarantine Server 2.01 To install the Quarantine Server software, follow the steps listed in this section. On the machine from which you’ve chosen to run the Server software, insert the NAVCE Installation CD into your CD-ROM drive. If the Autoplay menu (shown in the “Installing Quarantine Console 2.01” section as Figure 4.1) doesn’t automatically appear, run x:\cdstart.exe. (where x represents the drive letter of www.syngress.com

161

162

Chapter 4 • Implementing Central Quarantine 2.01

your CD-ROM) from Windows Explorer or a command prompt.The NAVCE installation menu should then appear on your desktop.To complete the installation, do the following: 1. From the Autoplay splash screen on the CD-ROM of your installation media, select Install Central Quarantine Locally. 2. Click Next on the Welcome dialog box and Yes on the Software License agreement. 3. Click Browse to select a destination folder for the Quarantine Server program files, or just click Next to accept the default location. 4. On the screen shown in Figure 4.5, choose whether you want to use Internet-based or e-mail–based delivery of infected files to Symantec. Symantec recommends using Internet-based delivery, since it provides for automatic delivery and routing of virus-infected files, updated definitions, and virus cures. (This is what allows SARA to function properly.) If you choose Email-based delivery, you’ll need to perform all of these functions manually. Once you’ve made your selection, click Next to continue.

NOTE In this section, we are assuming you’ll be using Internet-based submissions. If you select “Email-based” you will only be prompted for the amount of drive space to allocate for file submissions. The rest of the steps covered in this section are specific to Internet-based delivery.

Figure 4.5 Selecting a Communication Method

www.syngress.com

Implementing Central Quarantine 2.01 • Chapter 4

5. Specify how much drive space you want to allocate to incoming files sent to the Quarantine Server.This space will exist on the drive letter and directory that you specified in Step 3. (The minimum recommended by Symantec is 500MB, but you can increase this depending on the needs of your environment.) Click Next to continue. 6. On the Customer Information screen shown in Figure 4.6, complete all requested fields.This data will allow Symantec to better assist you with any technical support needs you may have later. Click Next when you’re ready to move on. Figure 4.6 Entering Your Customer Information

7. Accept the default value of gateways.dis.symantec.com as the gateway name on the Web Communication screen, and click Next. (You can always change this later if necessary.) 8. On the Alerts Configuration screen, decide whether you wish to link 2 the Quarantine Server with the AMS server on your network. Configuring the two together will allow you to be notified immediately if any quarantine-related events occur on your network. Place a check 2 mark next to Enable alerts and enter the name of the AMS computer on your network, as shown in Figure 4.7.You can always configure this later if you are not ready to do so now.You’ll note that, unlike in previous screens, you will need to manually enter the DNS or NetBIOS 2 name of your AMS machine; you do not have the option to browse to the computer using Network Neighborhood or My Network Places.

www.syngress.com

163

164

Chapter 4 • Implementing Central Quarantine 2.01

Figure 4.7 Configuring Alerts with the Quarantine Server

9. Click Next to begin copying files to the Quarantine Server hard drive. You’ll be prompted to reboot the machine when the installation has completed.

Understanding the Quarantine Server Services Running on NT/2000 Servers The Central Quarantine installation process will add the following services (shown in Table 4.1) to your Windows NT or 2000 server. If you rely on any hardware- or software-based firewall software, be sure to allow these services and executables appropriate access to your internal and routed network. (Network security as it relates to NAVCE will be covered more fully in Chapter 13.) Table 4.1 Services and Executables Installed by Central Quarantine Service Name

Executable Name

Description

Symantec Central Quarantine

Qserver.exe

Symantec Quarantine Agent

Icepack.exe

Accepts submissions of infected files from servers and clients and also communicates with the Symantec Quarantine Console. Facilitates communication between the Quarantine Server and the antivirus gateway used to connect to the Internet. Continued

www.syngress.com

Implementing Central Quarantine 2.01 • Chapter 4

Table 4.1 Services and Executables Installed by Central Quarantine Service Name

Executable Name

Symantec Quarantine Scanexplicit.exe Scanner

Description Using the Quarantine Server’s set of antivirus definitions, it scans any files submitted to the Quarantine Server from your network clients.

Uninstalling Quarantine Server 2.01 Removing the Quarantine Server can be done the same way as any other Windows application. Follow these instructions: 1. Go to Start | Settings | Control Panel and select Add/Remove Programs. (If you are using a Windows 2000 machine, make sure you are on the Change or Remove Programs screen.) 2. Select the Symantec Central Quarantine item in the list of installed applications, as shown in Figure 4.8. Figure 4.8 Removing the Central Quarantine Server

3. Click Remove. Click Yes to confirm and follow the on-screen prompts. 4. You’ll be given the choice to remove the AMS2 system files during the uninstall process.You will be able to successfully uninstall the Quarantine

www.syngress.com

165

166

Chapter 4 • Implementing Central Quarantine 2.01

Server without uninstalling AMS2. If you are uninstalling to switch from Internet-based to Email-based Scan and Deliver, you can leave the AMS2 files intact to save time during reinstallation. However, if you are removing Central Quarantine from this computer entirely, you can uninstall AMS2 at the same time in order to fully remove all Central Quarantine–related files.

Configuring Central Quarantine 2.01 Now that you’ve installed the components of Symantec Central Quarantine, you’ll need to configure them to protect your network from virus-infected files. We’ll begin with configuring the Quarantine Console to manage a Quarantine Server, either on the same machine locally or installed on a remote server. Next, we’ll move on to the Quarantine Server component itself, where you can customize the directory in which it will store submitted files, the network protocol it uses to communicate with NAVCE clients, and other useful items. Finally, we’ll cover the steps needed to configure your NAVCE clients to properly utilize the newly-installed Quarantine Server, as well as how to configure your Central Quarantine installation to communicate with SSR to submit suspect files and retrieve new virus signatures. The Quarantine Console requires little in the way of customization – the most important piece of information will be the name of the Quarantine Server that it will be connecting to.To configure the console, go to Start | Programs | Symantec Central Quarantine | Symantec Quarantine Console and follow these steps: 1. Right-click the Symantec Central Quarantine icon and select Attach to server, as shown in Figure 4.9.

www.syngress.com

Implementing Central Quarantine 2.01 • Chapter 4

Figure 4.9 Attaching to a Remote Quarantine Server

2. On the screen shown in Figure 4.10, specify whether the console should attach to a local Quarantine Server—that is, a Quarantine Server that’s installed on the same machine as the Console itself—or a remote machine. If you select Other Computer, you’ll need to specify the username, password, and Windows NT/2000 domain of an account with administrative rights to that server. Figure 4.10 Specifying the Remote Server

Once you’ve specified the Quarantine Server you want to connect to, you can configure or alter the Quarantine Server settings whenever you require.

www.syngress.com

167

168

Chapter 4 • Implementing Central Quarantine 2.01

NOTE You can either manually enter the DNS or NetBIOS name of the remote computer you wish to connect to, or click Browse to locate the computer using Network Neighborhood in Windows NT or My Network Places in Windows 2000.

Configuring & Implementing… Creating a Custom Microsoft Management Console The SSC and Central Quarantine Console are both based on the Microsoft Management Console (MMC), which is a general-purpose management tool created by Microsoft. Symantec has provided the SSC and quarantine consoles as pre-configured administrative tools for your convenience, but as an administrator you can easily create your own customized management consoles. You can use this feature to delegate administration tasks bycreating MMC consoles that have preconfigured snap-ins like the Quarantine Server tool. Follow these steps to create a custom console: 1. Open a new Microsoft Management Console by choosing Start | Run, then type mmc.exe and click OK. 2. On the Console menu, click Add/Remove Snap-in. 3. Click Add to display the installed snap-ins. 4. Browse to the Central Quarantine Console snap-in and click Add again. 5. Add any additional administrative tools you wish, then click Close when you’re done. When you are finished, Click File | Save As on the Console menu. Specify a filename and path for the MMC console. The MMC console will be saved with an *.msc extension; you can now transfer the console to another user to open on a client computer with the administrative tools preconfigured.

www.syngress.com

Implementing Central Quarantine 2.01 • Chapter 4

Configuring Quarantine Server for InternetBased Scan and Deliver Once you’ve configured the Quarantine Console, you can connect to your Quarantine Server to make any configuration changes or additions. If you are using the SSC console, choose Start | Programs | Symantec System Center | Symantec System Center Console, then right-click Symantec Central Quarantine (machinename) and select Properties. In this section, we’ll go over the configuration options available for a Quarantine Server using the Internet for its Scan and Deliver function.

WARNING To change between the Internet- and Email-based Scan and Deliver mechanisms, you’ll need to re-install the Quarantine Server.

You’ll begin configuring the Quarantine Server on the General tab. As you can see in Figure 4.11, this tab allows you to set or change the directory where the Quarantine Server will store files submitted by your network clients.You’ll notice there is no “Browse” function; if you want to change the directory the Quarantine Server uses, you’ll need to re-type the directory path manually. From this tab, you can also set the following options regarding drive space usage: ■

Maximum allowable size This denotes the largest size (in megabytes) that the Quarantine directory will be permitted to expand to.The default value is 500MB.You can raise or lower this as your environment dictates.



Warning size The point at which the Quarantine Console will log a warning message to the Windows Event Viewer Application log in order to inform the administrator that the disk usage for the Quarantine Server is nearing its maximum capacity.The default value for this field is 450MB.



Maximum allowable number of samples This sets a cap on the number of virus-infected files that can be submitted to the Quarantine directory at any time.The default maximum value is 750 samples.

www.syngress.com

169

170

Chapter 4 • Implementing Central Quarantine 2.01 ■

Purge samples as needed You can place a check mark next to this to manage the Quarantine Server on-the-fly. Keep in mind that any purged files will not be submitted to SSR and cannot be retrieved.

Figure 4.11 The General Tab

The Protocols section determines the port that the Quarantine Server will use to receive submissions of files from infected clients. Place a check mark next to Listen on IP or Listen on SPX depending on the protocol in use on your internal network, and then type the port number that the Quarantine Server will use to accept file submissions.You can choose any port number between 1025 and 65535; this will become the port that your clients will use to forward any infected files to the Central Quarantine.You’ll then need to ensure you’ve enabled whatever port you’ve selected within your internal network configuration; otherwise clients will be unable to submit virus-infected files to Central Quarantine. The final configurable option on this screen is Console refresh, which controls how often the Quarantine Console updates its information. By default, the console will update itself every five minutes.This should be fine for most situations, though you may wish to shorten the refresh rate to one or two minutes if your network is in the midst of a virus outbreak in which your clients are submitting many files to Central Quarantine. (Responding to a virus outbreak will be covered in greater detail in Chapter 12.)

www.syngress.com

Implementing Central Quarantine 2.01 • Chapter 4

WARNING If the Quarantine Server directory reaches its maximum allowable size and “Purge samples as needed” has not been checked, clients will not be able to submit infected files to the Quarantine Server until the directory is manually purged by an administrator.

Notes from the Underground… The Next Big Thing: SAVCE 8.0 The next release of NAVCE contains many features that are sure to enhance your network’s anti-virus protection strategy. Here are some of the new features relating to Central Quarantine and signature updates: ■

New Client groups In earlier versions of NAVCE, all computers managed by the same NAVCE parent server were governed by identical antivirus policies. The client group feature in version 8.0 allows you to create logical groups of computers within server groups to allow for more granular control over NAVCE settings like Quarantine Options.



Smaller virus definitions files size The average sizes of virus definitions files have shrunk from 4MB to under 100KB, greatly enhancing network performance in retrieving new definition files from Symantec Security Response.



One button update The SSC allows you to update virus definitions for the entire system hierarchy, server group, or parent servers with a single mouse click.



Quarantine Purge The Quarantine Purge feature allows you to automatically delete files in local Quarantine directories that are older than a specified date.



Enhanced rollouts to secondary servers NAVCE primary servers can now forward virus definitions updates asynchronously to clients and secondary servers, greatly improving network performance during definition updates.

Continued

www.syngress.com

171

172

Chapter 4 • Implementing Central Quarantine 2.01



Enhanced Symantec System Center The SSC now provides additional display columns that indicate the status of virus definition updates and the last check-in time for clients.

You’ll use the Web Communication tab (illustrated in Figure 4.12) to dictate which Symantec gateway your Quarantine Server will use to submit samples to SSR.You should not change the default gateway address of gateways.dis. symantec.com unless you are hosting your own gateway on an extremely large enterprise network, at which point Symantec technical support will offer specific configuration instructions for this tab. Place a check mark next to Secure Submission and Secure Download to ensure all files sent to, and received from, SSR will be encrypted during transmission.These options are checked by default, and should remain so unless you are using an extremely slow connection for which encryption creates an intolerable performance issue. Figure 4.12 The Web Communication Tab

If you are using a proxy server on your internal network, use the Firewall tab (shown in Figure 4.13) to denote the IP address and login information that the Quarantine Server will use to transmit information to the Internet.You can specify the DNS or NetBIOS name of the proxy server in the firewall name field, or else enter the numeric IP address in dotted-decimal notation (169.254.1.4, for example). If your proxy server uses a port other than 80, specify that in the firewall port field.

www.syngress.com

Implementing Central Quarantine 2.01 • Chapter 4

Figure 4.13 The Firewall Tab

The Sample Policy tab (Figure 4.14) allows you to customize the way in which the Quarantine Server processes user-submitted files.You can configure one or more of the following three options: ■

Placing a check mark next to Automatic Sample Submission will automatically route any files submitted by your network clients directly to Symantec System Response. If you leave this box unchecked, you’ll need to manually submit files to Symantec for analysis. Queue check interval dictates how often the Quarantine Server checks for new files that need to be routed to SSR.



The Submission frame allows you to dictate whether quarantined files should be submitted to SSR intact, or if the contents of any documents (Microsoft Word, Excel, and so on) should be stripped away, leaving only the executable portion of the quarantined file. Strip user data from sample prevents contents of documents from being sent to the Symantec gateways.You can leave it unchecked to submit files in their original format.



Status Query Interval indicates how often your Quarantine Server will check in with SSR for any updates on submitted files.The default value in this field is 60 minutes.

www.syngress.com

173

174

Chapter 4 • Implementing Central Quarantine 2.01

Figure 4.14 The Sample Policy Tab

NOTE From the Definition Policy tab shown in Figure 4.15, you will configure the frequency with which the Quarantine Server will query Symantec for new virus definitions. When dealing with the Quarantine Server, there are two types of virus definitions: certified and noncertified. Certified definitions have been thoroughly tested by Symantec and have been released to the general population, while SSR may occasionally release noncertified signatures to address a specific virus issue within one or more organizations in response to a sample submission that has been determined to contain a new virus. (Most noncertified definitions will become certified at some point.)

www.syngress.com

Implementing Central Quarantine 2.01 • Chapter 4

Figure 4.15 The Definition Policy Tab

The Definition Policy tab contains the following pieces of information: ■

The Current field displays the sequence number of the definitions that are currently in use, and indicates whether they are certified or not.This field is read-only and cannot be edited by the administrator.



The Download field determines how often your Quarantine Server will check the gateway for new certified definitions.The default setting is 480 minutes or eight hours, which will be sufficient for most purposes. However, during periods of increased virus activity you will likely wish to increase the frequency at which your Quarantine Server will check for new virus definitions.

NOTE Certified definitions will supercede any other definition sets that your Quarantine Server is currently using.

The Install Definitions tab, shown in Figure 4.16, allows you to specify how the Quarantine Server will handle any new definitions it receives from SSR. By default, all NAVCE servers on your network will receive both certified and noncertified definitions as soon as they become available. If you wish to exert greater

www.syngress.com

175

176

Chapter 4 • Implementing Central Quarantine 2.01

control over the distribution of virus definitions on your network, use these settings to define which servers and clients will receive certified versus noncertified updates. Figure 4.16 The Install Definitions Tab

Your options for handling certified definitions are fairly straightforward. Place a check mark next to Install On Selected Servers and use the Select button to add or delete as many NAVCE servers as you wish. Once this policy has been defined, only the servers that you specify with the Select button will automatically receive certified definitions; any other NAVCE servers will need to be updated manually. If you like, you can exert even more granular control over the handling of noncertified virus definitions.To do so, select any or all of the following options: 1. Install on infected clients Checked by default, this automatically deploys new definitions to infected client machines, whether the virus definitions have been certified by Symantec or not. Uncheck this box if your anti-virus policy requires that only certified definitions be installed on client machines.You can always apply the new definitions to any infected machines manually after testing them for stability and accuracy. 2. Install on servers of infected clients This installs the noncertified definitions to the parent servers of any infected clients, thus making the new definitions available to all clients of that server group.This option is not checked by default.

www.syngress.com

Implementing Central Quarantine 2.01 • Chapter 4

3. Install on selected servers This functions just as it does for certified definitions: use the Select button to include whichever NAVCE servers you wish to receive the noncertified definitions. Finally, the Delivery section determines how frequently Central Quarantine will attempt to transmit new definitions to a client or server that is not connected to the network. By default, Central Quarantine will attempt to re-send new definitions every 15 minutes. The Customer Information tab should reflect the demographic information you entered when you installed the Quarantine Server. From here, you can edit any contact names or e-mail addresses, as well as your Symantec Account number. For more information on account numbers and Symantec licensing, refer back to Chapter 2. The Alerting tab (shown in Figure 4.17) allows Central Quarantine to interact with an Alert Management Server running on the same machine or a remote server. In fact, no information on this tab will be configurable until you specify the name of the server that is running AMS2. Enter the appropriate machine name in the AMS Server Name field, using an IP address or DNS/NetBIOS name. Figure 4.17 The Alerting Tab

The General section of the Alerting tab allows you to set the following AMS2 options.The configurable options available in this section are listed as follows:

www.syngress.com

177

178

Chapter 4 • Implementing Central Quarantine 2.01 ■

Send Events to AMS This is unchecked by default. Place a check mark to activate AMS2 alerts.



NT Event Log All events recorded by Central Quarantine will be entered into the Windows NT and Windows 2000 Application log.This option is checked by default.



Alert Check Interval This indicates how frequently AMS2 will query the Quarantine Server for new alerts that need to be sent; the default value is 15 minutes.The Alert Check Interval can be set at a minimum interval of one minute.



AMS Server Name The Computer Name or IP address of the machine running the AMS2 application.



Send Test Alert Click this to send a test to make sure AMS2 is working. A dialog will appear informing you that your test was queued and that it will be sent at the next defined interval.



Configure Opens the AMS2 property sheet.This is the heart of AMS2’s interaction with the Quarantine Server, as it defines which Quarantinerelated incidents will trigger an alert and defines exactly what that alert should be.



Configure Event Notification This is a detailed list of all the possible alerts that the Quarantine Server can generate. Some of these alerts have configurable settings: for example, an “Unable to connect to the Gateway” event will wait for one hour before triggering AMS2 to send an alert, in case the Quarantine Server successfully retries the submission during that time.You can use this screen to configure the number of minutes that the Quarantine Server will wait before sending the alert for this and other Quarantine-related alerts.

On the final Quarantine Server properties page, you’ll see the General Errors tab.This screen shows a detailed history list of error messages that the Quarantine server has logged to the Windows NT/2000 Event Viewer. Click Apply and OK when you’re satisfied with the configuration options you’ve set.

www.syngress.com

Implementing Central Quarantine 2.01 • Chapter 4

Damage & Defense… Configuring an AMS2 Alert Like the old adage of a tree falling in the woods with no one around to hear it, you’ll never be able to resolve a network issue if you aren’t somehow made aware of it. For most “front-end” applications like email and Web servers, ringing phones and frantic users will quickly alert you to an outage. However, this will likely not be the case with an application like Central Quarantine. This is where AMS2 comes into play. You’ll first need to configure the Quarantine Console to forward any alerts to AMS2 for processing, as explained in the following steps: 1. Right-click Symantec Central Quarantine and select Properties. 2. From the Alerting tab, click the Configure button. A new dialog box opens as shown in Figure 4.18. This is a list of all Central Quarantine events that can be configured to trigger an AMS2 alert. (These conditions are detailed more fully in the “Troubleshooting Central Quarantine” section later in this chapter.)

Figure 4.18 The CQ Events Dialog

3. Select the event you want to configure an alert for, then click Configure. 4. Select an action from the options presented (shown in Figure 4.19), and click Next.

Continued

www.syngress.com

179

180

Chapter 4 • Implementing Central Quarantine 2.01

Figure 4.19 Selecting an Alert Action

The options to choose from in Figure 4.19 are as follows: ■

Message Box This opens a pop-up window on the specified target computer. Select a target computer to receive the message, specify the text of the Alert message and then click Finish.



Send Page This sends a numeric or alphanumeric message to a pager recipient using an attached modem. Enter the information necessary to connect to the specified pager, specify Alert message, and click Finish.



Send Internet Mail This sends an SMTP e-mail message to a specified recipient. Select a computer that will send the message from the list along with the appropriate mail server information. Specify the text of the Alert message and then click Finish.



Run Program This option launches an executable on the target computer. This can start or stop a service or run a batch program, for example. Select a target computer from the list, enter the required application launch information and click Finish.



Broadcast This transmits a message to a recipient on the local network. Select the computer that will receive the message, specify the text of the Alert, and then click Finish.



Send SNMP Trap When chosen, this option sends an SNMPcompliant trap message to an SNMP node. Select a computer from the list, specify what the Alert will tell the recipient, and then click Finish. Continued

www.syngress.com

Implementing Central Quarantine 2.01 • Chapter 4



Write to Event Log This posts an alert message to the Windows NT/2000 Application Event Log. Specify the text of the Alert and click Finish.



Load an NLM This option loads a specified NLM on a discoverable NetWare server running the NAVCE NLMs. Select the NetWare computer from the list, enter the required server information, and click Finish.

The newly defined alert action will appear underneath the event name, as shown in Figure 4.20. Select the alert and click Test Action to ensure it’s functioning properly. Specify additional Alerts for any other Central Quarantine conditions, then click Close when you’ve finished.

Figure 4.20 A Newly Defined Event Action

Configuring Quarantine Server for Email-Based Scan and Deliver The configuration options for a Quarantine Server using Email-based Scan and Deliver are much more limited than those discussed in the previous section.The only information you’ll need to provide is the directory for submitted files to be stored in, and the protocol and port that the Quarantine Server will listen for client submissions. Use the following steps to configure your Quarantine Server for this delivery method. 1. Right-click the Symantec Central Quarantine icon and select Properties. 2. The General tab, shown in Figure 4.21, will appear; it’s the only configuration item available to you. www.syngress.com

181

182

Chapter 4 • Implementing Central Quarantine 2.01

3. In the Quarantine Folder section, specify the directory that the Quarantine Server will use to store submitted files, as well as the maximum amount of drive space the directory can use. Figure 4.21 Configuring Email-Based Scan and Deliver

4. From the Protocols field, enable IPX or SPX as appropriate to your environment, and specify a port number for either or both.You’ll need to configure your NAVCE clients to use the same port number to submit infected files to the Central Quarantine.

Configuring Submissions of Suspected Viruses to SSR If you’ve configured your Quarantine Server for manual handling of file submissions from your network clients, you’ll use the Scan and Deliver Wizard to prepare the file for submission to SSR.You’ll see a list of Quarantined Items when you open the Quarantine Console, as shown in Figure 4.22. From here, you can take any number of actions ■

To manually submit an item to SSR for analysis, right-click the item and select Submit item to SARC.The Scan and Deliver Wizard will then examine the file and either prepare it for submission to Symantec Security Response, or else recommend a different action. (For example, the virus contained in the file might be eliminated with your current set of definitions, which may indicate that the client who submitted the file does not possess the most recent virus signatures.)

www.syngress.com

Implementing Central Quarantine 2.01 • Chapter 4 ■

If Symantec has notified you that a submitted file is not infected, you can restore it to its original location by right-clicking the item and selecting Restore.This will make absolutely no attempt to repair the file, and as such should be used with extreme care.



To permanently delete a file in the Quarantine Server, right-click the item and select Delete.

Figure 4.22 Viewing Quarantined Files

Receiving and Testing Updated Fingerprints from SSR Once you’ve received a virus update from SSR, you should test it thoroughly before installing it on your production network. We’ve already covered the steps necessary to specify which NAVCE servers should receive certified versus noncertified virus definitions, but even certified definitions should be tested to ensure they do not interfere with any proprietary information or applications on your network. To test a new virus definition against an infected file, right-click the item(s) in the Quarantine Console and select All Tasks | Repair Item.You can then examine and re-scan the file to ensure it is no longer virus-infected. Once you are satisfied that the new virus definitions are functioning properly, you can distribute them to your NAVCE servers.

www.syngress.com

183

184

Chapter 4 • Implementing Central Quarantine 2.01

Configuring Managed Client PCs to Route Suspected Viruses to the Quarantine Server When you’ve completed the setup and configuration of your Central Quarantine installation, you’ll need to configure some or all of your network clients to forward any quarantined files to the Central Quarantine Server. Like most NAVCE features, you can configure this at the server group level, for a single server within a server group, or for an individual client PC.To set Quarantine options at whatever level you choose, you’ll use the SSC console. 1. Select Start | Programs | Symantec System Center | Symantec System Center Console. 2. Unlock your server group if necessary, then right-click the server group, server, or client PC you want to set Quarantine options for. (Use the Ctrl key to select multiple nonsequential PCs or servers simultaneously.) 3. From the pop-up menu, select All Tasks | Norton Antivirus | Quarantine Options.You’ll see the screen shown in Figure 4.23. Figure 4.23 Setting Client Quarantine Options

4. Place a check mark next to Enable Quarantine or Scan and Deliver. 5. To use your newly created Quarantine Server, click the radio button next to Allow Forwarding to Quarantine Server. From here, you’ll need to fill in the following items:

www.syngress.com

Implementing Central Quarantine 2.01 • Chapter 4 ■

Server Name Manually enter the computer name or IP address, or use the Browse button to navigate to the Quarantine server using Network Neighborhood/My Network Places.



Port/Protocol The values in these two fields need to match what you specified when installing the Quarantine Server in the Protocols section of the General tab. (See Figure 4.21 for reference.)



Retry Specifies how often the client will attempt to retransmit a file if it can’t reach the Quarantine Server.The default value is 600 seconds (five minutes.)

6. If you want your clients to bypass the central Quarantine Server and submit their files directly to Symantec Security Response, click the radio button next to Allow Submissions via Scan and Deliver. We only recommend this in a Small Office/Home Office (SOHO) environment, as it becomes unmanageable when dealing with more than a few PCs. 7. Click OK when you’re satisfied with the configuration of your clients’ Quarantine Options.The changes will propagate to your NAV clients at the next NAVCE update, which occurs every 60 minutes by default.

Troubleshooting Central Quarantine 2.01 Once installed, Central Quarantine is fairly straightforward to use and maintain. If you do run into difficulties with either the Console or Server component, there are a number of items you can check to determine the source of the issue.The Alert Management Server will be of great use in this, as it can provide you, the administrator, with any number of alerts specific to the Central Quarantine process. In this section, we’ll look at some tips to restore your Central Quarantine installation to working order. The overwhelming majority of issues connected to the Quarantine Console will be related to either network connectivity or file permissions.The Quarantine Console’s sole purpose in life is to connect to a Quarantine Server, after all, so the largest issue it will have is not being able to find the server it is meant to attach to. If you find your Quarantine Console cannot connect to a remote server, here are the best places to investigate:

www.syngress.com

185

186

Chapter 4 • Implementing Central Quarantine 2.01 ■

Check the network settings on the workstation/server where the Quarantine Console is installed. Can it connect to other network resources on the same subnet? On a remote subnet?



If the Console workstation can successfully connect to other network resources, make sure the username and password you’re using to connect to the Quarantine Server are correct, and that the user account has administrative rights to the machine the Server software is installed on.

The potential issues surrounding the Quarantine Server are slightly more involved than those for the Console. Luckily, AMS2 provides an exhaustive list of alerts that will assist you in troubleshooting the server installation. In addition, the Windows NT/2000 Application Event Viewer will log most of these events as well, allowing you to review the logs to determine the source of the trouble. Table 4.2 lists the possible alerts generated by the Quarantine Server along with a brief definition of each.

NOTE Network connectivity can affect the Quarantine Server just as easily as the Console: be sure to check and test the network settings of the machine that the Quarantine Server is installed on as a part of your troubleshooting process.

Table 4.2 Detailed Explanations of Events Event

What?

Unable to connect to the gateway

The Quarantine Server cannot connect to the Symantec gateway. This may be a result of an external Internet connectivity outage or configuration issue. Defcast is the process that sends new virus definitions to all specified clients. If this returns a failure, check your net work connectivity and settings.

Defcast error

Continued

www.syngress.com

Implementing Central Quarantine 2.01 • Chapter 4

Table 4.2 Detailed Explanations of Events Event

What?

Cannot install definitions on target machines

The updated definitions could not be installed on one or more of your NAVCE clients. This error will occur frequently if you have clients that are often disconnected from the network. The Quarantine Server cannot locate or access the directory in which it stores new definitions. Check the file permissions associated with that directory. If the Quarantine Scanner service fails to load or is manually stopped, then client samples cannot be scanned by Central Quarantine and will not be sent to the SSR. Restart the Quarantine Scanner service or the Quarantine Server itself. The Quarantine Agent service is required to send samples to, and receive reports from, the Symantec gateway. Restart the service or the machine. Updated certified or noncertified definitions have not yet been delivered. This message is usually informational unless a larger network outage is taking place. Informational: new certified definitions have been delivered from SSR. These will be installed according to your current Quarantine Server policies. Informational message. The new noncertified definitions will be installed according to the policies you set during the Quarantine Server installation.

Unable to access definition directory

Cannot connect to Quarantine Scanner svc (service)

The Quarantine Agent service has stopped

Waiting for needed definitions

New Certified definitions arrived

New Noncertified definitions arrived

Continued

www.syngress.com

187

188

Chapter 4 • Implementing Central Quarantine 2.01

Table 4.2 Detailed Explanations of Events Event

What?

Disk quota remaining is low for Quarantine directory

The disk space set aside for quarantine to store samples is running low. Either raise the amount of space allocated or manually delete extraneous virus samples. The disk space available on the Quarantine Server drive is less than the amount that should be available in the configured quota. The virus or suspect file could not be repaired. The new definitions from SSR could not be installed. The virus definitions are potentially corrupt, or the client installation failed for another reason. The sample could not be processed. Investigate the log files and resubmit the file for processing if necessary. The submitted file could not be processed automatically by SARA. Contact Symantec Technical Support for further assistance. The submitted file could not be submitted automatically. Double-check the file properties and perform a manual submission to SSR. New virus definitions are available and should have been installed, but have not been. Check network connectivity and manually update definition files if necessary. New virus definitions have arrived from SSR but have not been installed on your clients yet. Check network connectivity and manually update definition files if necessary.

Disk free space is less than Quarantine max size

Sample: was not repaired Sample: unable to install definitions

Sample: processing error

Sample: needs attention from Tech Support

Sample: held for manual submission

Sample: too long without installing new defs

Sample: too long with Distributed Status

Continued

www.syngress.com

Implementing Central Quarantine 2.01 • Chapter 4

Table 4.2 Detailed Explanations of Events Event

What?

Sample: too long with Needed status Virus definitions have not yet been retrieved from SSR. Check your LiveUpdate configuration and perform a manual update. Sample: too long with The Symantec gateway has not Released status responded to a request for definition updates. This may be a result of transient Internet traffic issues, or internal network connectivity. Sample: too long with A file has been submitted by the Submitted status Quarantine Server, but has not yet been accepted by the Symantec gateway. This may be a result of Internet traffic or internal connectivity issues. Sample: too long with A sample has not been initially Quarantined status scanned by the Quarantine Server. Make sure that all necessary services are running. Sample: new definitions New virus definitions are being held for delivery held on the Quarantine Server instead of being delivered to your network clients. Check network connectivity settings and make sure all Central Quarantine services are running.

www.syngress.com

189

190

Chapter 4 • Implementing Central Quarantine 2.01

Summary No matter the size of your network, your antivirus solution needs to provide a mechanism to isolate potentially harmful files from your network clients and servers.This is where Symantec Central Quarantine comes into play: you can configure your network clients to forward any suspect files to a central location where they can be analyzed and repaired. If your local server cannot repair the file in question, the file can then be forwarded to Symantec Security Response (SSR) for further analysis. After analyzing a submitted file, SSR can return updated virus signatures, either those that have been certified for general circulation, or noncertified definitions to address a new threat that your organization may have encountered. Symantec Central Quarantine contains two main components: the server directories where submitted files are housed, analyzed and transmitted, and the management console that will permit you to administer the Quarantine Server from any location on your network.You can also manage the Quarantine Server as a part of the Symantec System Center instead of the stand-alone Quarantine Console.This provides ultimate flexibility in managing your antivirus management tasks, as well as allowing the flexibility to delegate tasks between multiple staff members.You can also customize how your NAVCE environment will receive updated virus definitions from SSR, perhaps creating a policy that permits production servers to be updated using only certified virus signatures. After you’ve installed and configured Central Quarantine, you can use its integration with the Alert Management Service to keep your Quarantine Server running smoothly. AMS2 can alert you through e-mail, pager, pop-up window, and more to inform you when new virus definitions have arrived from Symantec Security Response, or if there is some issue preventing Central Quarantine from operating at peak performance.You can set different alerts for different categories of messages—logging informational messages to the Windows Event Viewer, but sending a numeric page to an on-call administrator if the Symantec gateway cannot be contacted, for example. Alert mechanisms like these can assist you in a troubleshooting capacity as well. As an administrator, you’ll want to integrate all of these features to create a functional Quarantine Server solution for your network.

www.syngress.com

Implementing Central Quarantine 2.01 • Chapter 4

Solutions Fast Track Introducing Central Quarantine 2.01 ; Allows infected files on client machines to be forwarded to a central

location with no user intervention.

; Submissions can be sent to Symantec Security Response and new

definitions retrieved by an administrator, allowing good administrative control over the installation of new definitions.

; Central Quarantine is comprised of two components: the Quarantine

Server that houses submitted files, and the Quarantine Console that allows the administrator to configure and manage quarantined files.

Implementing Quarantine Console 2.01 ; The Quarantine Console can be installed as a part of, or independent

from, the Symantec System Center console that is used to handle the bulk of the NAVCE management functions.

; Minimum hardware requirements include 128MB of RAM and 12MB

of free drive space—however, more is definitely better where hardware resources are concerned.

; You can install the console on the machine that will be housing the

Quarantine Server, or on a remote administrative workstation to increase the physical security of your server resources.

Implementing Quarantine Server 2.01 ; Select a drive on your Quarantine Server that has as much free space as

possible so that you’ll be prepared to handle any surge in submission samples during a virus outbreak.

; Configure the server to listen for user-submitted files on a unique TCP

or SPX port number within your network. Check the port number you select to ensure it’s not in use by any other third-party applications your company may be using.

www.syngress.com

191

192

Chapter 4 • Implementing Central Quarantine 2.01

; You need to choose between Internet-based and Email-based delivery of

user-submitted files to SSR.

Configuring Central Quarantine 2.01 ; Use Central Quarantine’s integration with AMS2 to keep informed of

any incidents or events that affect the operation of your Quarantine Console or server.

; Define a policy to determine which of your NAVCE servers will

automatically receive both certified and noncertified definition updates from SSR.

; If your organization uses a proxy server or firewall, specify this in the

configuration settings so that Central Quarantine will be able to communicate with the Symantec gateway.

Troubleshooting Central Quarantine 2.01 ; If the directory that Central Quarantine uses to store submitted files

becomes full, no further user submissions will be accepted until it is cleared.

; Ensure that the user account the Console is using to connect to the

Server has administrative access to the Windows NT/2000 machine itself.

; At all times, be aware of any internal or external network connectivity

issues that may be affecting the operation of Central Quarantine.

www.syngress.com

Implementing Central Quarantine 2.01 • Chapter 4

Frequently Asked Questions The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: I accidentally selected Email-based Scan and Deliver when I installed the Quarantine Server, and do not see a spot in the console that will allow me to change to Internet-based.

A: The Quarantine Server can only perform one Scan and Deliver method at a time.To change the method in use on your server, re-install the Quarantine Server software from the NAVCE installation CD.

Q: I configured the Quarantine Server to listen for TCP traffic on port 445, and now my NAVCE server is freezing. What’s wrong?

A: TCP ports numbered 1024 and lower are reserved for existing programs and applications such as Telnet, FTP, LDAP, and HTTP. If you configure your Quarantine Server to employ a port that’s in use by one of these applications, you will receive unexpected (and probably unwanted) results. Assign the Quarantine Server a port number higher than 1024 to listen on.

Q: The hard drive on my Quarantine Server failed, and I need to update my client definitions right away. How can I manually apply the definitions to my NAVCE environment as quickly as possible?

A: Go to the Symantec Security Response Web site (at http://securityresponse. symantec.com as of this writing) to obtain an installation package to manually apply the latest definitions to your NAVCE environment.

www.syngress.com

193

194

Chapter 4 • Implementing Central Quarantine 2.01

Q: I have a subset of traveling users who only connect to the home network every few weeks. How can I best handle their Quarantine needs?

A: You have two options here, depending on the “computer-savviness” of the people in question.You can either configure their individual PCs to submit any quarantined items directly to SSR, bypassing your central Quarantine Server entirely. Or, you can set up a second central Quarantine Server to handle Email-based Scan and Deliver submissions, and configure these clients to point to it instead of a Quarantine Server using Internet-based Scan and Deliver.

www.syngress.com

Chapter 5

Implementing NAVCE 7.6 to Servers

Solutions in this chapter: ■

Understanding NAVCE 7.6 Servers



Implementing NAVCE 7.6 To Servers



Understanding NAVCE 7.6 Registry Keys on NT / 2000 Servers



Understanding NAVCE 7.6 Services Running on NT / 2000 Servers



Introducing the grc.dat File

; Summary

; Solutions Fast Track

; Frequently Asked Questions

195

196

Chapter 5 • Implementing NAVCE 7.6 to Servers

Introduction Norton AntiVirus Corporate Edition (NAVCE) Servers are the main pillars of the Norton AntiVirus Solution. Without them you would not be able to deploy a NAVCE solution. NAVCE servers allow you to manage clients, distribute virus updates, perform alerting procedures, and so much more.The NAVCE server is critical to a viable NAVCE implementation; if you wish to install managed NAVCE clients, you will need to install at least one NAVCE server. In this chapter, we will discuss the steps necessary to install and configure these servers that are so critical to the NAVCE infrastructure. Along with discussing the hardware requirements necessary to implement the NAVCE software, we’ll examine the steps involved in an actual NAVCE server installation.The NAVCE installation process is largely the same whether you are installing to an Windows NT Workstation, Server, or Windows 2000 Professional or Server machine, therefore the procedures discussed in this chapter can be used as a guideline for any sort of NAVCE installation. We’ll conclude the chapter with an examination of the various components of the NAVCE Server software.This includes the Registry keys and Windows services that the NAVCE server software requires to function, as well as the grc.dat file that NAVCE uses to update client configuration information. Possessing a working understanding of these components will serve you well as you develop a comprehensive antivirus strategy for your company’s network.

Understanding NAVCE 7.6 Servers To begin, we should define some terminology that will appear quite often throughout this chapter. It is important to understand the difference between the terms server and NAVCE Server. NAVCE Server refers to the programs and services that the NAVCE software package offers to assist administrators in managing antivirus protection on NAVCE clients. On the other hand, a physical server refers to a piece of dedicated network hardware that can serve many types of file and application services, not just those offered by Symantec. The two major components of the NAVCE server software are as follows: ■

Server Program The NAVCE Server Program refers to the core executable (.exe) files and other files that are required for the NAVCE server to function.



AMS2 The Alert Management System2 (AMS2) is an optional component within a NAVCE server installation.This feature, as the name suggests, offers alerting features such as an e-mail to the administrator regarding any detected virus activity.

www.syngress.com

Implementing NAVCE 7.6 to Servers • Chapter 5

197

Notes from the Underground… Basic Components of an Antivirus (AV) Solution Any well-constructed AV application consists of the following primary components, all three of which are implemented within the NAVCE server program: ■

A Scanning Application This is a user interface (UI) that defines scanning options (such as file types, directories and drives to be scanned) features, and alerts.



A Virus Engine A virus engine scans files for suspicious activity and behavior, such as a file that includes instructions to delete the contents of a directory or drive. If the engine detects this type of behavior, it will check the virus definitions to determine if the virus signature is known and how it should be repaired. It will then follow pre-defined instructions (such as repair or delete file) or will prompt the user via the scanning application. The virus engine in NAVCE is called NAVEX. The NAVEX engine architecture is different from other AV vendors in that it can be updated automatically via the LiveUpdate incremental downloads. Most other vendors only allow automatic downloads of virus definitions, while engine updates require reinstallation of their software which can result in system downtime. With NAVCE, virus definition downloads, and NAVEX engine updates can be performed while a system is running.



Virus Definitions Virus definitions help determine whether a file has already been identified as a virus, as well as instructions for repairing it.

On the other hand, AMS2 provides centralized alerting and emergency management capabilities. AMS2 allows parent servers to collect alert information from their clients and forward these alerts to the primary NAVCE server within each server groups. An administrator can then view the alerts from any server and take administrative actions (such as quarantining or removing files) accordingly. Continued

www.syngress.com

198

Chapter 5 • Implementing NAVCE 7.6 to Servers

AMS2 can be configured to send alerts via any of the following mechanisms: ■

Message Box



Send Page (e-mail to pager)



Send Internet Mail



Run Program (can be an executable configured to perform any custom actions)



Broadcast



Send SNMP Trap



Write to Event Log



Load an NLM

Windows NT / 2000 Server System Minimum Requirements According to Symantec, the minimum specifications for a NAVCE server running Windows NT/2000 are as follows: ■

Windows NT 4.0 Service Pack 3 or higher, or Windows 2000



32MB RAM



Intel Pentium Processor (Intel Pentium Pro or higher)



62MB free disk space for NAVCE Server files



10MB free disk space for AMS2 Server files



Local administrative rights



Administrative file shares like C$ and admin$ must be enabled

www.syngress.com

Implementing NAVCE 7.6 to Servers • Chapter 5

199

Designing & Planning… System Requirements Remember that these are the recommended specifications for running only the NAVCE Server program. In other words, any additional components such as the Symantec System Center Console (SSC), or the Alert Management System2 (AMS2), or any unrelated applications also require additional resources. When defining your system specifications, you also need to consider the requirements for the operating system itself. For example, the minimum system requirements for Windows 2000 server are as follows: ■

Pentium 133MHz or higher



256MB RAM recommended minimum



2GB hard disk with a minimum of 1GB free space

As you can see, these minimum system requirements are far higher than those recommended by Symantec to install the NAVCE server. As a system administrator, you’ll need to test your hardware to determine that it will realistically function within your specific network environment. For more detailed information on NAVCE scalability and system requirements, consult the Symantec Knowledge Base.

Utilizing Windows NT 4.0 Workstation or Windows 2000 Professional Systems as NAVCE Servers It is possible to install NAVCE server on a Windows NT 4.0 Workstation or Windows 2000 Professional system; but as with anything else there are pros and cons associated with this decision.The greatest benefit of using the Windows Workstation or Professional versions is that of cost savings: the cost of procuring a Windows NT or Windows 2000 client PC is significantly lower than procuring even a low-end server. You should consult your software reseller for accurate pricing information, but if you are basing the decision solely on cost, you may wish to opt for installing NAVCE on a workstation operating system. On the other hand, Windows NT Workstation and Windows 2000 Professional only support a maximum of ten concurrent (file sharing) network connections. While this does not specifically limit the number of TCP connections that NAVCE clients www.syngress.com

200

Chapter 5 • Implementing NAVCE 7.6 to Servers

will be able to establish with the workstation, it does limit the number of connections that can be established that require access to file shares, named pipes and so on. Therefore, while a NAVCE server running on Windows NT 4.0 or Windows 2000 Professional can theoretically service any number of NAVCE clients, it will only be able to distribute virus definitions to 10 clients at any given moment.This can seriously impact the speed with which the definitions are distributed to the end clients.

Novell NetWare Server System Minimum Requirements If you wish to install the NAVCE server software onto a Novell server, you’ll need to be sure that your server hardware meets the following requirements. Please note that at the time of this writing, NAVCE 7.61 is not supported under Novell 6 or 6.5.You’ll need to implement SAVCE 8.0 if you wish to use Netware 6.x. ■

NetWare 3.12 and 3.2 (does not allow for Quarantine Server support); NetWare 4.11 with Support Pack 9; NetWare 4.2 with Support Pack 9; NetWare 5.x with or without Support Pack 2



3MB RAM beyond any other memory requirements to run the Norton AntiVirus NLMS



If you are running NetWare 3.12, you’ll need Streams.nlm 3.12 or later. Versions of NetWare more recent than v3.12 will requite 3.11.nlm version 4.12 and clib.nlm version 3.12g or better



NetWare 4.1x requires LIBUPF, which is available in Support Pack 7 or later



70MB of available disk space for Norton AntiVirus server files, as well as 46MB for NAVCE client disk images



10MB disk space for AMS2 files (20MB will be required during the installation process)

NOTE SFT III is not supported.

www.syngress.com

Implementing NAVCE 7.6 to Servers • Chapter 5

201

Implementing NAVCE 7.6 to Servers When rolling out the NAVCE software to the servers in your network environment, you’ll need to develop a plan for deploying the various modules of the NAVCE software. In this section, we’ll discuss some key points to keep in mind when installing NAVCE to Windows NT 2000 servers so that the installation process can go as smoothly as possible. We’ll then spend the bulk of the section going step by step through an actual installation routine so that you can understand and plan for every step along the way.

Developing a Deployment Plan No project can be successfully completed without formulating a deployment plan. Since NAVCE contains several different modules as well as administration and management tools, you should become familiar with each component and determine which ones need to be installed on each piece of equipment. Once you have determined the exact needs for your network environment, you can begin to plan the actual server installations.

Windows NT/2000 NAVCE Server Installation Considerations Some factors to consider when installing NAVCE Server to NT/2000 are as follows: ■

Operating system You need to determine the operating system that the NAVCE Server will use. Along with deciding between using a client or a server operating system, you should determine which service packs to install, and if there are any other standards within your enterprise environment that you should consider.



Destination folder for the installation files Often in an enterprise environment you will have software installation standards that need to be adhered to.These may include installing all programs to the root of C: drive, or installing all the programs to the D: drive instead of the C: drive. Before you proceed, make sure that you are aware of any such standards, as well as the available drive space in comparison with the minimums set forth by Symantec.

There are several additional points to keep in mind when installing a NAVCE Server Group (Server Group planning is discussed more fully in Chapter 2). ■

Server group membership Decide whether your newly installed NAVCE server will join an existing server group or if you will be creating a new one.

www.syngress.com

202

Chapter 5 • Implementing NAVCE 7.6 to Servers

Be sure to adhere to any deployment or enterprise naming standards that may have been created during the planning stages of your NAVCE implementation. ■

Server group password Be sure that you know the server group password to join existing server group. If you will be creating a new server group, you should decide upon a password in advance and communicate this password to anyone else within IT or management who requires it



NAV services startup You will be asked if you want NAVCE services to load automatically upon startup or if you would want them to be launched manually. In most cases you’ll want these services to launch automatically. However, the option for a manual start will be available during the installation process.

Installing NAVCE 7.6 to Windows NT/2000 Servers In this section we’ll go over the steps needed to install the NAVCE server software to a Windows 2000 server. 1. From the Windows 2000 desktop, insert CD 2 of the NAVCE installation media, or browse to a network location where the CD 2 files are available. 2. Double-click on the CDStart.exe icon. 3. Click Install Norton AntiVirus to Servers as shown in Figure 5.1. Figure 5.1 NAVCE Main Installation Screen

4. The Welcome window as shown in Figure 5.2 should appear. Select Install and click Next.

www.syngress.com

Implementing NAVCE 7.6 to Servers • Chapter 5

203

Figure 5.2 Installing NAVCE Server

5. This will bring you to the License Agreement window (Figure 5.3). Select I agree then click Next. Figure 5.3 License Agreement and Warranty

6. You will be prompet to select the item that you wish to install (Figure 5.4). For the purpose of this chapter select Server Program. Uncheck Alert Management System AMS2 if it is checked.Then click Next. We’ll cover the installation and configuration of AMS2 in Chapter 3. Figure 5.4 Selecting NAVCE Server Components

www.syngress.com

204

Chapter 5 • Implementing NAVCE 7.6 to Servers

7. Next you will be prompted to select the computers you wish to install the NAVCE sever program to (Figure 5.5). Click the name of the computer you are installing to and click Add. Here, we are installing to the local computer named Athar-Test01. Figure 5.5 Selecting a Target Computer

8. You will see that Athar-test01 now appears in the Destination computers: pane as shown in Figure 5.6. Click Next. Figure 5.6 Verifying the NAVCE Install Destination Computer

9. Now, you will need to select the destination for the NAVCE server program files on the machine Athar-test01. For the purpose of this exercise we will install to the default location in the program files folder on drive C as shown in Figure 5.7. Accept this location by clicking Next. If you would like to select an alternate location for the NAVCE server program files, highlight the name of workstation you will be using a server and click Change Destination…

www.syngress.com

Implementing NAVCE 7.6 to Servers • Chapter 5

205

Figure 5.7 Select the Program Files Destination

10. The next window (Figure 5.8) is where you can either enter a new Norton AntiVirus Server group name or join an existing group. Here, we will accept the default server group name of Norton Antivirus 1 and click Next. Figure 5.8 Creating a New Server Group

11. You will be asked to verify the creation of the new server group as shown in Figure 5.9. Click Yes. Figure 5.9 Verifying the Creation of a New Server Group

12. If you are running a NetWare server, it is best to configure the NAVCE Server to start up automatically. If this applies, select Automatic startup and click Next as shown in Figure 5.10. NAVCE Servers automatically start running on system startup if you are running Windows NT or Windows 2000.

www.syngress.com

206

Chapter 5 • Implementing NAVCE 7.6 to Servers

Figure 5.10 Configuring Server Startup Options

13. You will now be reminded that SSC is already be installed on your system. If so, click Next as shown in Figure 5.11. If not, follow the directions on the screen and refer to Chapter 3 for additional information. Figure 5.11 Symantec System Center Console Information

14. The Wizard now will tell you that the default password on the initial run is “symantec” (all lower case) as shown in Figure 5.12. It is a good practice to go back and change the password after the installation is complete. Click Finish. Figure 5.12 Select Server Group Password

www.syngress.com

Implementing NAVCE 7.6 to Servers • Chapter 5

207

15. A warning will appear informing you that you virus definitions are not up to date (Figure 5.13). Place a check mark next to Don’t remind me again until after next update.Then click Close.You will update the virus definitions after the server install has been verified as working properly. Figure 5.13 Virus Definition File Warning

16. You should now be able to view the Setup Progress window (Figure 5.14). Verify that this information is correct and then click Close. Figure 5.14 Setup Progress

17. You will be returned to the AutoRun splash screen. Click Exit as shown in Figure 5.15. Figure 5.15 Exiting Installation Screen

www.syngress.com

208

Chapter 5 • Implementing NAVCE 7.6 to Servers

18. Reboot the system to complete the installation of the NAVCE server software. The installation process that we described in this section is nearly identical to the steps needed to install NAVCE on any other Windows platform.Therefore, you can use this exercise as a template to install NAVCE server on nearly any Windows-based operating system within your network environment.

Configuring NAVCE 7.6 Servers As we discussed at the beginning of this chapter, NAVCE server refers to the services that a NAVCE system provides to your network clients. Now that the server component of NAVCE is installed on our Windows 2000 Terminal Server, we can begin to configure it. Configuring antivirus protection on a NAVCE server is quite similar to that of a NAVCE client; therefore you should refer to those instructions within this chapter.The largest difference that you will notice is in the method of accessing the NAVCE console: when attempting to start the NAVCE server console, you will be prompted for the Norton AntiVirus Server Group password (Figure 5.16).

Figure 5.16 Unlocking the Norton AntiVirus Server Group

This is the password that was established while installing the server software in the previous section (Figure 5.12).The default password for a NAVCE server console is “symantec” (case sensitive). Once you enter the password and click OK, you will see the NAVCE server console.The console appears to be identical to the NAVCE client console with the exception of an additional section labeled General Information. In a NAVCE server, you will notice that there is a Server Grp caption which defines the NAVCE server group that this NAVCE server belongs to. In a client console, you would see parent server information in the same area of the console.

Uninstalling NAVCE 7.6 from Windows NT/2000 Servers There are several methods of uninstalling NAVCE server from a Windows based machine.The preferred method would be to use the Add/Remove Programs applet from within the Windows Control Panel. If you encounter a situation in which the

www.syngress.com

Implementing NAVCE 7.6 to Servers • Chapter 5

209

standard uninstall routine fails or terminates abnormally, you can use the alternate methods discussed in the subsequent sections.

Uninstalling NAVCE Using the Command Line You can uninstall the NAVCE server software from the command line by issuing the following command: msiexec.exe /q/x {D6C64C68-F9F5-11D3-BEEA-00A0CC272509}

You can run this command by clicking on Start | Run, or by opening a Command Prompt window. If you receive an error when issuing this command, you may need to specify the path to the msiexec.exe file, as in the following example: C:\program files\resource kit\toools\msiexec.exe /q/x {D6C64C68-F9F5-11D3BEEA-00A0CC272509}

Manual Uninstall Uninstalling NAVCE manually will require you to delete all NAVCE-related items and information from the Start Menu, Windows file system and registry. First, you need to stop the following services from within the Control Panel Services applet: ■

DefWatch



Intel Alert Handler



Intel Originator



Intel File Transfer



Intel PDS



Norton AntiVirus Server

Next you’ll need to remove all references to NAVCE from the Windows Registry. Remember that editing the Registry is a risky proposition: you should have a viable backup of the computer system in question so that you can restore it to working order in case something goes wrong.You’ll need to delete the following folders and sub-keys: ■

HKEY_CLASSES_ROOT\*\Shellex\ContextMenuHandlers\LDVPMenu



HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\ Norton AntiVirus NT

Next you’ll delete the following entries under the HKLM\System\ CurrentControlSet\Services key: ■

DefWatch www.syngress.com

210

Chapter 5 • Implementing NAVCE 7.6 to Servers ■

Intel Alert Handler



Intel File Transfer



Intel PDS



NAVAP



NAVAPEL



NAVENG



NAVEX15



Norton AntiVirus Server



SymEvent (if NAVCE is the only Symantec product installed on this machine)

Then you should also delete the following entries within the HKEY_LOCAL_ MACHINE\System\CurrentControlSet\Services\EventLog\Application key: ■

Defwatch



Intel Alert Handler



Intel Alert Originator



Intel AMS II



Intel File Transfer Service



Intel PDS Service



Norton AntiVirus

Next, remove the following miscellaneous registry entries and keys: ■

HKEY_LOCAL_MACHINE\Software\Intel\DLLUsage\VP6



HKEY_LOCAL_MACHINE\Software\Symantec\InstalledApps\ VP6ClientInstalled



HKEY_LOCAL_MACHINE\Software\Symantec\InstalledApps\ VP6UsageCount



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\Uninstall\ {D6C64C68-F9F5-11D3-BEEA00A0CC272509}



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\Run\VPTray

www.syngress.com

Implementing NAVCE 7.6 to Servers • Chapter 5 ■

HKEY_LOCAL_MACHINE\Software\Symantec\Repair value



HKEY_LOCAL_MACHINE\Software\Symantec\SourceDir value



HKEY_LOCAL_MACHINE\Software\Symantec\TargetDir value



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\Installer\UpgradeCodes\ 96C46C6D5F9F3D11EBAE000ACC725290

211

To finish cleaning up the Windows registry, click on Edit | Find, and delete all occurrences of the following two strings: ■

VirusProtect6



86C46C6D5F9F3D11EBAE000ACC725290

Once you’ve removed all of these entries, reboot your computer and continue. Finally, you’ll need to delete any of the following folders and files from the hard drive of the Windows machine in question (If you’ve installed the Windows operating system to a directory other than ‘C:\WINNT’, modify the file listing accordingly.): ■

C:\Program Files\NAVNT



C:\Program Files\NAV



C:\Program Files\Common Files\Symantec Shared\VirusDefs



C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5



C:\WINNT\Profiles\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5



C:\Winnt\Installer\{D6C64C68-F9F5-11D3-BEEA-00A0CC272509}

www.syngress.com

212

Chapter 5 • Implementing NAVCE 7.6 to Servers

Designing & Planning… Considerations for Uninstalling NAVCE Server Before you uninstall NAVCE server from a system, you need to make sure that any clients that rely on that server for their configuration information are redirected to another NAVCE server. You can accomplish this by editing the grc.dat file, or by re-running the NAVCE client installation process. This topic is discussed in detail in Chapter 3.

Understanding NAVCE 7.6 Registry Keys on NT / 2000 Servers NAVCE stores all of its configuration information in the Windows Registry. Different machines will record different registry keys and entries depending upon their role within the NAVCE solution. On the primary server within a server group, for example, the registry stores information about the server group, the settings for all the NAVCE servers as well as the settings for the clients.

NAVCE Registry Components The root location for NAVCE registry entries is HKEY_LOCAL_MACHINE\ SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion.This is where all client and server settings are stored. If you create a virus scan on the local computer, the corresponding configuration information would be stored at HKEY_CURRENT_USER\ Software\Intel\Landesk\VirusProtect6\CurrentVersion which can be seen in Figure 5.17.

Figure 5.17 The CurrentVersion Registry Key

www.syngress.com

Implementing NAVCE 7.6 to Servers • Chapter 5

213

NOTE You may notice at the bottom of the screen in the preceding figure that the key began with “NT-IRVA-0552\HKEY_LOCAL_MACHINE” rather than “My Computer\HKEY_LOCAL_MACHINE.” This is because in this example we are connecting to the registry of a NAVCE server named NT-IRVA-0552 via a LAN connection. This can be done within the registry editor by clicking File | Connect Network Registry and is a great way to access the registry on a remote computer without needing to be physically present at the server itself. In this example, NTIRVA-0552 is the Primary NAVCE Server for the server group “Site Servers.”

There are several other keys that are important to understand. Let’s discuss some of more critical ones.

AddressCache Registry Key The AddressCache Registry key (Figure 5.18) stores information regarding each NAVCE server within the server group.There is a subfolder within this key for every NAVCE server in the server group.The path to this key is HKEY_LOCAL_ MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\ AddressCache.

Figure 5.18 The AddressCache Registry Key

When you launch the SSC console, it connects to the registry on the primary server (which is NT-IRVA-0552 in our case) and populates itself with the most current information from this registry key.

ClientConfig Registry Key The ClientConfig Registry key (Figure 5.19) stores all the administrator defined settings for the clients.This is the key that is used to create most of the grc.dat file.This www.syngress.com

214

Chapter 5 • Implementing NAVCE 7.6 to Servers

key is created on all parent NAVCE servers. Since the primary server can also be a parent server, this key is also created on the primary server: essentially, any server acting as a NAVCE parent must have this key within its registry.The path to this key is HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\ CurrentVersion\ClientConfig.

Figure 5.19 The ClientConfig Registry Key

DomainData Registry Key The DomainData Registry key (Figure 5.20) key can be found only on the primary NAVCE server and contains the settings for clients and servers within the server group. Any changes that you make to a server group from the SSC console (SSC) will be recorded within this key. As soon as this key is updated, the primary server directly connects to the registry on each secondary server and adds the contents of this key to the secondary server. For example, the contents of the DomainData\ClientConfig Registry key will be copied to the ClientConfig Registry key on each secondary server, as well as the ClientConfig Registry key on the primary server.The path to this key is HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\ CurrentVersion\DomainData.

www.syngress.com

Implementing NAVCE 7.6 to Servers • Chapter 5

215

Figure 5.20 The DomainData Registry Key

Clients Registry Key The Clients Registry key (Figure 5.21) stores information about the individual clients of a particular NAVCE server.This key contains one folder for each of the clients of the parent server.The path to this key is HKEY_LOCAL_MACHINE\SOFTWARE\ Intel\LANDesk\VirusProtect6\CurrentVersion\Clients.

Figure 5.21 The Clients Registry Key

Children Registry Key The Children Registry key (Figure 5.22) stores a list of all the secondary servers within the server group.

www.syngress.com

216

Chapter 5 • Implementing NAVCE 7.6 to Servers

Figure 5.22 The Children Registry Key

Notes from the Underground… A Word about Registry Keys and the Certification Exam If you wish to take the NAVCE SPS exam, be sure that you fully understand the differences between the Registry keys that we just discussed. These keys often appear within questions on the certification exam. It is good to know what each key contains. For your review, here is a list of the keys that you must be familiar with: ■

AddressCache



DomainData



ClientConfig



Clients



Children

Be sure to understand the difference between Clients Registry keys and Children Registry key. A child computer is a (secondary) NAVCE server whereas a client computer is NAVCE client. Having a clear understanding of this information will serve you well as you prepare to take the Symantec certification exams.

www.syngress.com

Implementing NAVCE 7.6 to Servers • Chapter 5

217

Understanding NAVCE 7.6 Services Running on NT / 2000 Servers There are three core services that are used by the NAVCE server program.These are Norton AntiVirus Server, DefWatch and Intel Ping Discovery Service (PDS). In this section, we’ll discuss each of these services.

Norton AntiVirus Server (rtvscan.exe) RTVScan is the core program in the NAVCE solution. It is a multithreaded process (capable of performing more than one task simultaneously) that performs alerting, discovery, scanning, definition updating and other functions within the NAVCE environment.This is the service that clients and servers use to communicate with each other. (In order to locate one other across the network, clients and servers use the PDS which we will discuss shortly.) One of RTVScan’s functions is to perform a Timer Loop.This process discovers new virus definition (.vdb) files in the NAVCE folder and processes them.This service exists on both NAVCE servers and clients; it performs similar functions for both installations. Depending upon whether it is operating on a NAVCE server or a NAVCE client, the Timer Loop performs the following functions: ■

Schedules events such as definition updates and scans.



On primary servers, it checks secondary servers every 5 minutes to check virus definition versions. If the definitions on secondary servers are not the most recent ones available, new definitions are pushed out to them.



On parent servers, it queries clients every three minutes for their virus definition and grc.dat versions. If the definitions on the client are outdated, new definitions are pushed to the client.



On managed clients, it connects to the parent server every 60 minutes to verify that the client possesses the latest definitions and grc.dat files.



On the local computer, it checks for updated virus definitions (.vdb) every three minutes.



On the local computer, it checks for a new grc.dat file every sixty seconds. If the Timer Loop encounters a new grc.dat file, it imports any changes into the local registry and then deletes the grc.dat file upon completion.



On the local computer, it checks for LiveUpdate settings every minute. If any settings change, a new Liveupdt.hst file is generated

www.syngress.com

218

Chapter 5 • Implementing NAVCE 7.6 to Servers

DefWatch (defwatch.exe) When new virus threats emerge, they can often proliferate before Symantec can release updated virus definitions to repair the damage done by these viruses. In such cases, Symantec releases virus definitions that can at least quarantine the infected files until definitions containing a repair function are created.This way, even if virus definitions that can actually reverse the damage done by a virus have not yet been released, NAVCE will still be able to detect and quarantine the infected files to avoid spreading the infection even further. In some cases, a virus completely destroys the content of a file in which case the only solution is to restore it from a backup version. However, in other cases, it is possible to repair the infected files using the new virus definitions.This is where the DefWatch service comes into play. As soon as new virus definitions become available on a NAVCE server, the Norton AntiVirus Server Service (RTVScan) notifies the DefWatch service.The DefWatch service then scans quarantined files to check if new definitions are able to repair previously quarantined files.

Intel Ping Discovery Service (pds.exe) The Intel Ping Discovery Service (PDS) is the first NAVCE Server service to load. It always loads on the same port (38293 for IP, 34903 for IPX) and acts as a “traffic cop” to inform any NAVCE clients or servers which the port that RTVScan is running on.

NOTE For additional detail on PDS, please refer to Chapter 6 where this topic is covered in greater detail.

Introducing the grc.dat File The grc.dat is a text file that stores any changes made to NAVCE clients. Any changes made via the Symantec SSC console to a server or server group are placed into a grc.dat file on the server.These changes are then later propagated to the clients.The following is a brief overview of how a configuration change would cause the grc.dat file to be generated and propagated to NAVCE clients 1. An administrator makes changes on a server or server group via the SSC. 2. The value of the registry key ProcessGRCNow is changed from 0 to 1.This takes place on any server or servers that are affected by this change.

www.syngress.com

Implementing NAVCE 7.6 to Servers • Chapter 5

219

3. The server’s RTVScan process includes a thread called CheckGRC that runs every 60 seconds to check for the value of the ProcessGRCNow key. 4. If the server’s RTVScan finds that the value of the ProcessGRCNow key is 1, it parses the registry and creates a new grc.dat file on the server’s \NAV directory. 5. Another thread then pushes it out to the \NAV directory on the clients. 6. On the clients, RTVScan runs a CheckGRC process every 60 seconds to check for the existence of the grc.dat in the \Norton Antivirus directory. If the file is found, RTVScan converts it to registry entries and then deletes the file.

The grc.dat File The grc.dat file is stored at several locations on the primary NAVCE server, the most critical of which is located in C:\Program Files\NAV\grc.dat. Whenever any settings need to updated on the NAVCE client, this version of the file will be copied to the NAVCE clients. Copies of the file are also located within each subfolder of the folder at C:\Program Files\NAV\clt-inst. For example, it is located at C:\Program Files\ NAV\clt-inst\WIN32\grc.dat.This version of the file is copied to the target (or NAVCE client) computer during a NAVCE installation. On the NAVCE clients, the file can be found at different locations depending upon the operating system.This will be discussed in more detail in Chapter 6. There are usually only two compelling reasons for editing the grc.dat file: either to change the parents server name on a client or to change whether or not a client will use LiveUpdate. The options for changing client management options using the grc.dat file are covered in Chapter 2.

www.syngress.com

220

Chapter 5 • Implementing NAVCE 7.6 to Servers

Summary In this chapter we discussed the steps in implementing NAVCE servers, a critical component in your network’s NAVCE implementation. At this point, you should be able to define technical specifications for the platform on which you will be installing the NAVCE server software.You should also understand the necessary steps in installing the server program to a Windows-based computer system. We also discussed some installation considerations for NAVCE servers that should be addressed and considered prior to beginning the installation process. And, we also covered the steps in uninstalling a NAVCE server and the steps that you should take before performing an uninstall action. Another key topic in this chapter was the list of registry keys that are used to store various kinds of information about a NAVCE infrastructure. Be sure that you are familiar with them, since they will save you countless hours when troubleshooting most issues. We also discussed the Norton AntiVirus Server (rtvscan.exe), DefWatch (defwatch.exe) and Intel Ping Discovery Service (pds.exe) services that run the NAVCE server program, what each service does and how each one fits into the NAVCE solution. Finally, we learned about the grc.dat file which is used to store changes made to configuration settings and how it is propagated.

Solutions Fast Track Understanding NAVCE 7.6 Servers ; Server program and AMS2 comprise the two main components of the

NAVCE server.

; Remember that the minimum requirements for the Symantec software do not

take into account any other Symantec or third-party software that needs to be running on the NAVCE server.

; Understand the implications of using the Workstation/Professional version of

Windows.The workstation edition of the Microsoft operating systems can only host 10 concurrent network connections, which will limit your ability to provide updated virus definition files to your client machines.

www.syngress.com

Implementing NAVCE 7.6 to Servers • Chapter 5

Implementing NAVCE 7.6 To Servers ; Develop a deployment plan to ensure that your software installation does not

interfere with any existing processes on your network and servers.

; Server summary options, the server group and server startup options are some

of the factors you must consider before you begin deployment.

; As you step through the installation sequence for the NAVCE server software,

you’ll notice that the installation is identical for local or remote target computers.

; Before you can configure a NAVCE server, you must unlock it using the same

password that you set during installation. If you left it unaltered, the password is “symantec.”

; You can uninstall NAVCE server using Add/Remove programs, a command

line utility or by manually deleting files and registry entries.

; Before you uninstall NAVCE server, you must ensure that the clients are

redirected to a new parent server.

Understanding NAVCE 7.6 Registry Keys on NT/2000 Servers ; The root location for all NAVCE registry entries is

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect 6\CurrentVersion.

; The Registry keys to remember and understand are AddressCache,

ClientConfig, DomainData, Clients and Children.

; The DomainData key can be found only on the primary server.

; A child computer is secondary NAVCE server whereas a client is any

computer that is running the NAVCE client software.

www.syngress.com

221

222

Chapter 5 • Implementing NAVCE 7.6 to Servers

Understanding NAVCE 7.6 Services Running on NT/2000 Servers ; Norton AntiVirus Server (rtvscan.exe) is the core program in the NAVCE

solution.

; Defwatch (defwatch.exe) is a service that scans quarantined files with new

definitions.

; Intel Ping Discovery Service (pds.exe) loads on port 38293 for IP and 34903

for IPX. It provides the port information for rtvscan to any application that requests it.

Introducing the grc.dat File ; The grc.dat file is used to store any changes made to the NAVCE clients via

the SSC console.

; As soon as the changes are made, the file is copied to various locations on the

NAVCE server. Copies of the file are then copied from these different locations to the NAVCE client depending upon the nature of the client’s communication with the server.

www.syngress.com

Implementing NAVCE 7.6 to Servers • Chapter 5

Frequently Asked Questions The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: What is the difference between Windows NT/2000 Server and NAVCE Server? A: A NAVCE Server refers to a software package that offers antivirus monitoring and installation capabilities such as program installation and definition updates for NAVCE clients. On the other hand, Windows NT/2000 Server refers to the a network operating system.

Q: Is it necessary to install AMS2 to all NAVCE servers? A: AMS2 is required only on primary servers. However, since there is always a possibility of promoting a secondary server to primary status, most administrators prefer to install AMS2 to all NAVCE servers.

Q: I accidentally installed AMS2 to all my NAVCE servers. How can I remove it? A: AMS2 can be uninstalled using the Add/Remove Programs applet within the Windows Control Panel where it is listed as “AMS Server.” Once it is uninstalled, reboot the system and remove the folders located at “C:\Program Files\AMS Server” and “C:\WINNT\System32\AMS_II”.

Q: Where can I look for resources to assist me in troubleshooting the NAVCE server implementation process?

A: A comprehensive list of issues is provided within the readme.txt file on your installation media, or on the Internet at Symantec’s exhausting collection of Knowledge Base articles.

www.syngress.com

223

224

Chapter 5 • Implementing NAVCE 7.6 to Servers

Q: How can I retrieve a password that I set for a NAVCE server group? A: In order to retrieve the password for NAVCE server group, you must: 1. Launch the Password Retrieval Utility located at C:\ Program Files\ SSC\TOOLS\IFORGOT.EXE. 2. Within the utility, enter the name of the primary server for the server group. 3. Click Get Password. 4. Copy the Encrypted Password and provide it to Symantec Technical Support as requested which can be seen in Figure 5.23. They will be able to decrypt the password and return it to you in cleartext.

Figure 5.23 Encrypted Password Retrieval Utility

www.syngress.com

Chapter 6

Implementing NAVCE 7.6 to Client PCs

Solutions in this chapter: ■

Understanding NAVCE 7.6 Client PCs



Implementing NAVCE 7.6 to Client PCs



Understanding NAVCE 7.6 Registry Keys on NT/2000/XP Client PCs



Understanding NAVCE 7.6 Services Running on NT/2000/XP Client PCs



Testing Your Deployment

; Summary

; Solutions Fast Track

; Frequently Asked Questions 225

226

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

Introduction Clients’ systems are prize targets for malicious attacks of virtually any type, from wrongdoers on the Internet to even those on your internal network.These attacks can be viruses downloaded through e-mails and disseminated throughout the intranet by design or by unsuspecting users. Some companies have their email systems set up to strip certain attachments from e-mails, such as *.exe or *.vbs files, because of the potential hazard one of these files may present. A crafty associate, however, may simply remove the extension of the suspicious file and send it anyway, with instructions to the recipient to add the three-letter extension upon receipt.Thus, it is imperative you have some type of protection on all client machines, whether they’re always connected (such as internal LAN clients), or only occasionally connected (remote users). From a corporate security standpoint, it is even a good idea to encourage the use of antivirus software on personal home systems. For instance, employees who telecommute may be inclined to complete business projects at home and then bring their work into the office on a floppy disk or CD-ROM, along with whatever virus might exist on their system.The bottom line is that malicious coders are constantly coming up with new and interesting ways to create and distribute viruses’ everyday.Take the following case study as an example… Jim was a new member of a popular news group and was astounded by the information he could receive. He found people that would share their own knowledge of where to download digital quality music and even give him copies of their own. Although he had ethical issues given the controversy he’d heard surrounding it, he thought, “Who would know?” Happy with his newfound wealth of music, Jim decided to share some with his friends, burning a CD with some of his favorite music. He took the CD to work and handed it to any associate that wanted to load the music on his or her computer and listen. He eventually noticed a music file that was appended with a *.vbs extension. “Hmmm… That’s weird?” he thought. He double-clicked the mysterious music file, but nothing happened. He figured it was no big deal since he had plenty of other music to hear.Thus, Jim, a user with absolutely no malicious intent, ended up unleashing a worm onto his company’s intranet. Everyone who got the file, and was similarly curious, would only add to the speed of the infestation. Norton AntiVirus Corporate Edition (NAVCE) 7.6 allows network administrators the ability to manage all client computers from one central location, providing efficient antivirus protection and enforcing their corporate security policies. From this central location, the administrator can apply NAVCE 7.6 www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

client software updates, the latest virus definitions and configure system scans to run at predetermined times. Another invaluable feature is the ability to easily implement the rollout of the client software using the tools that come with NAVCE 7.6 or such third-party implementation tools as Microsoft Systems Management Server or Novell ZENworks for Desktops. New computers added to the network can be protected quickly and easily with these tools. Users who only connect occasionally to the network can be configured to download the latest updates and virus definitions from the server as well. With this local administration, client computer settings will remain consistent and well-protected throughout the company. In this chapter, we will discuss the many different methods for installing the NAVCE 7.6 client software to systems on the network by using either third-party software deployment tools or those provided by NAVCE 7.6. We’ll take a look at the Registry settings, services, and components of the client software as well.

Understanding NAVCE 7.6 Client PCs Before we delve into the details of the NAVCE 7.6 client software and implementation, we should familiarize ourselves with the different types of NAVCE clients that are possible on our network. Depending on the goals of our information systems’ security policies or perhaps our personal interests, we can choose from one of three types of client setups.The clients can be managed clients, unmanaged clients, or sometimes-managed clients, as described in the following: ■

Managed clients These are clients that combine together to make up our local area networks, (LAN’s).These computers are considered stable because they never leave the network, which is governed by whatever security policies are in place.They are assigned to a parent server (managing server) that will keep them current with the latest software updates and virus definitions.These clients have the ability to send and receive virus alerts and can be found easily on the Symantec System Center (SSC) console under their respective parent servers.



Unmanaged clients These clients have all the features of NAVCE 7.6 with a few exceptions.They are not able to receive any type of management direction from the NAVCE servers.Therefore, any virus definition or software updates must be obtained manually by the user running the software. Being unmanaged, they, of course, have no parent server and do

www.syngress.com

227

228

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

not appear in the SSC console. An example of this type of client could be an associate’s personal home computer. ■

Sometimes-managed clients These client systems have the potential to, and often do, leave the safety of the intranet.These systems are usually laptops that are taken home for the weekend or depart with their users on business trips.They maintain the functionality of the managed clients with a few exceptions. While they have parent servers, they can only accept software and virus definition updates when connected to the network and appear faint in the SSC console.These computers are protected from malicious code, yet only to the point that their last updates provide.

To understand the features of these Client PCs and they’re particular client type, we should also discuss the properties of NAVCE 7.6 and its methods of communication on the network. In addition to the traffic incurred from servers communicating with other servers, server-to-client traffic, although minimal, is something to consider.

Check-in Intervals On IP and IPX networks, clients send notifications to the server only when an event is generated, and to periodically provide status information, or Check-in, to the server.The client status information is sent via a 1KB User Datagram Protocol (UDP) packet, and the server will not respond unless further action is required.This status information provides the server with the client information needed to keep the SSC console current.The parent servers send updates, (software and virus definitions), and configurations, (grc.dat), to their respective clients as well.

Designing & Planning… UDP Traffic on a Routed Network The NAVCE 7.6 client computers communicate status information to their parent servers using the UDP protocol. This being the case, the parent server and their respective client will need to be on the same broadcast domain or be separated by a router that supports broadcast Continued

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

forwarding. A broadcast domain indicates a group of computers in a LAN that can contact each other via broadcast. A broadcast is simply a packet sent from one host to all hosts on the segment to which it is attached, instead of a unicast which is a packet sent from one host to another host on the segment. One positive feature of a router is that it will stop broadcast traffic, thus cutting down on unnecessary network traffic. UDP is considered an unreliable protocol, as opposed to TCP, which has been deemed “reliable.” This simply means that TCP will send information that will be read by the intended recipient and an acknowledgment will be returned to the sender claiming it has been received. “Unreliable,” on the other hand, indicates it is not specifically sent to one recipient, but broadcasted to everyone with the hope that the appropriate system will pick it up. The unreliable protocol will also not expect an acknowledgment of receipt and just assume the message has gotten to where it needs to go. Both UDP and TCP are used in conjunction with the IP protocol and are part of the TCP/IP protocol suite. Using office communications as an analogy, TCP would be like making an office phone call, while UDP could be compared to using the intercom system. Imagine that someone left their car lights on in the parking lot and we don’t want them returning to a dead battery after a long day’s work. If we knew whose car it was, we could call our officemate by dialing their number and waiting for an answer. If there was no answer, we would more than likely try again later and perhaps again, until they picked up. Now suppose we didn’t know whose car it was, but being a Good Samaritan, we thought it a good idea to still try and inform the unsuspecting owner. We could ask the front desk to let everyone in the building know through the intercom system. In this case, everyone would receive, (or hear), the message. Most likely all but one person would simply disregard the announcement, and that one person could act on it. They may never acknowledge receiving it, and instead run out and shut off their lights. On the other hand, the person might not hear the message and is therefore out of luck. One advantage of using the UDP protocol is that it is significantly smaller than TCP and does not consume as much bandwidth. Now that we essentially understand how UDP works, it’s easy to see that the parent server and the client should be on the same broadcast domain if we are implementing on a router-segmented network or a switched network utilizing virtual local area networks.

www.syngress.com

229

230

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

Check-in intervals are used to update the parent server of the client’s existence.The default is for the client to send the 1KB UDP check-in packet every 60 minutes. If the server has not received a check-in from the client within the server-specified amount of time, the client will be dropped from the SSC console list of connected computers.This will hinder the ability of the client to receive timely updates and configuration settings. There are some basic guidelines for configuring the Client Check-in Interval. If a computer is on a stable network—for example, a managed client—the default check-in of 24 hours or greater would suffice. For remote users, sometimes managed, a shorter interval may be needed, due to the lack of firewalls and other corporate security features. While the check-in packet is very small, as more computers are added to a parent server, more traffic will be generated and eventually the network may become quite congested challenging the parent server with the task of processing all the check-in packets, not to mention, managing the necessary updates.Therefore, we can see that the longer the check-in interval, the less network traffic there will be and the less strain placed on the server.The client check-in interval can be set within the Registry, discussed later, or within the settings of the Virus Definition Manager on the parent server. 1. Start the Symantec System Center console. 2. Right-click the parent server of the clients to be adjusted. 3. Select the Virus Definition Manager by choosing All Tasks | Norton AntiVirus | Virus Definition Manager 4. In the lower half of the Virus Definition Manager, select the Settings button. 5. The Update Settings dialog box should appear.Type in the number, in minutes, desired for the client’s check-in period. 6. Select OK. 7. Close the SCC console. From this point on, the updated information will be written to a configuration file, grc.dat, and automatically pushed to the child clients of the parent server we have just modified.

Intel Ping Discovery Service Client and server communication is essential for the management features of NAVCE 7.6. If a client is not recognized by a server (that is, if a check-in interval www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

has passed, and so on), the client will not get its correct updates.This will bring about inconsistencies within the network and possibly give an administrator a false sense of security that all the clients are safely protected. For communications between servers and clients, NAVCE 7.6 uses the Intel Ping Discovery Service (PDS). PDS is used by the various services that NAVCE 7.6 utilizes, and is the first service to load when a NAVCE 7.6 server is started, utilizing ports 38293 for IP and 34903 for IPX. Once the Intel PDS server service has been installed, the RTVScan program will load. RTVScan (covered in more detail later) requests a listening port by making a call to WinSock. For more stability, the RTVScan will request the same port every time it is loaded. If the same port is not available, another port will then be assigned. Once a port is assigned, RTVScan submits information regarding its listening port and Application ID (APP ID) to the PDS system and requests PDS to listen for any data attempting to reach itself.This allows the PDS system to manage other application services by forwarding their requests, or pings, to the correct ports of the service requested.The steps are summarized in the following paragraphs. For Servers: 1. PDS loads on a static port. 2. PDS listens on IP port 38293 (or IPX port 34903). 3. RTVScan attempts to load on a static port (or obtains a dynamic port). 4. RTVScan updates PDS with its port and APP ID information. 5. When a service needs the RTVScan program, it sends a “ping” to the PDS. 6. PDS then replies with a “pong” packet indicating the RTVScan information. For Clients: 1. The PDS does not load on the client system. 2. RTVScan attempts to load on a static port (or obtains a dynamic port). 3. RTVScan updates the system’s parent server with the client’s port information. 4. The parent server receives the port information and updates its client Registry key. 5. RTVScan will search for the grc.dat file (the configuration and parent server name) locally and process it, if available. www.syngress.com

231

232

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

6. The client then sends a ping to its parent server requesting an RTVScan listening port. 7. The parent server sends pong with RTVScan port information. 8. The client sends a keepalive packet that includes the client’s name, GUID, server group, and parent server information.

NOTE You should be aware that when you load the RTVScan executable, you will see why the need for the system requirements (described next) is so great. RTVScan.exe has been known to take up quite a bit of your precious system resources (including memory and CPU time). You may very well see CPU hogging on servers as well. In reality, for what the executable does, it is very important that it is there, and you must strictly adhere to the requirements listed in this chapter. Skimping on them could cause your systems to slow down due to resource consumption. Be especially careful on NetWare servers where NAVCE’s RTVScan could take up about 25 percent of your total CPU usage during times when it is being utilized.

Communication Tools Communication between the NAVCE 7.6 components is a vital feature of the corporate edition software.The pinging of requests and ponging of replies, along with the use of APP IDs, can be very confusing the first time around. Here is a brief description of these components. ■

Ping Packet A 60-byte packet sent to the PDS requesting information regarding the location, or port, of an application. 16 bytes of this packet are NAVCE data.



Pong Packet A 500-byte packet sent in response to a ping request. This packet includes port and APP ID information for the requested application. 458 bytes of this packet are NAVCE data.



Application ID Identifies the software version that was requested.

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

NAVCE 7.6 Client PC System Requirements When considering options for installing NAVCE 7.6 client software on our client computers, we need to verify that our systems will meet the minimum requirements.The following specifies the minimum computer setup we need to have for the client software.

MS-DOS Client PC System Requirements For backward compatibility, NAVCE 7.6 has included support for MS-DOS as follows: ■

MS-DOS 5.0 or later version



Intel 386tm 33MHz processor (a Pentium or faster is recommended)



640KB of system memory



2MB of extended memory



Extended memory manager (for example, HIMEM or EMM386)



8MB of free space (10MB is needed to perform an installation)

Windows 3.x Client PC System Requirements Windows 16-bit systems have also been taken into consideration, for backward compatibility: ■

Windows 3.1 or later, enhanced mode (Windows 3.11 and Windows for Workgroups are supported)



Intel 486 processor (a Pentium or faster is recommended)



16MB of RAM



640KB of system memory



23MB of free disk space (35MB is needed to perform an installation)

Windows 9x/Me/NT/2000/XP Client PC System Requirements Windows 32-bit systems, our primary focus of this chapter, require the following components:

www.syngress.com

233

234

Chapter 6 • Implementing NAVCE 7.6 to Client PCs ■

Windows 9x, Windows Me, Windows NT 4.0 with Service Pack 3 or later, Windows 2000, or Windows XP



Intel 486 processor (a Pentium or faster is recommended)



32MB RAM minimum



43MB of free disk space (80MB is needed to perform an installation)



WinSock 2.0 or later

Configuring & Implementing… Further Steps Needed for Windows XP A client logging on to a target machine with local credentials will need to make a change to the Windows XP configuration before NAVCE client rollout can occur. Windows NT/2000 and XP all require the user to have local administrator rights to install the client software on the target computer. In addition, the user must also be logged on to the network with the correct rights, granting them the ability to install the client software. At this point, we may be wondering why a client would be installing the software in the first place. There are certain installation methods in which a client may be an ideal candidate for installing the client software on a system. One of these occasions is when using a Web-based installation method, such as with an IIS server or Apache server (described later). The server setup program creates a group called NORTONANTIVIRUSUSER, which will provide the read and file scan rights needed by the user for running a client installation. These rights can be granted by adding the user to the NORTONANTIVIRUSUSER group. If a user logs on to a Windows XP machine that is not part of a domain and attempts to use the local credentials (such as an administrator user account without password set), the user will be seen on the network as a guest. All resources that this user will attempt to access will have the same permissions, which is that of the guest account. The following steps can be used to resolve this issue: 1. Select Start | Run… and type secpol.msc in the text box. 2. On the left pane, expand the Local Policies folder. Continued

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

3. Click Security Options to view its contents in the right pane. 4. Scroll down the right pane and double-click Network Access: Sharing and security model for local accounts to open its value editor. 5. Select the setting for Classic (local users authenticate as themselves). 6. Click OK. 7. Close the Local Security Settings window. With this done, Windows XP clients will be ready for action and can authenticate to the network with the correct credentials to access needed resources. Keep in mind, local accounts should be password protected to keep mischievous users from masquerading as others to access resources normally forbidden to them. But we already knew that.

As we have previously seen, the NAVCE client software performs many functions and can, at times, be very resource-intensive. During the installation, we will see a prime example of the need for these minimum hardware requirements. Copying files to the remote computer, running the installation program and updating the Registry all take their toll on the system. Another primary area of resource consumption is the client initialization. Once the installation is complete, the client will advertise its existence to its parent server and download all the latest software and virus definition updates. Available resources and network architecture are important factors to consider when selecting a method of installation.These methods are described in the next section.

Implementing NAVCE 7.6 to Client PCs Some considerations will need to be taken into account before installing NAVCE 7.6 client to the network. For instance, what exactly is it we wish to accomplish with this implementation. Of course we want to protect our network from Internet and e-mail viruses. Other considerations might be the ability to manage our entire antivirus software from a central location. We will probably want our computers to be up-to-date with the latest virus definitions and software patches as well. We would most likely want a way to manage our client computers without having to walk around and log on to each one individually either.

www.syngress.com

235

236

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

NAVCE is a tool that we can use to assist us with what we want to accomplish. It allows us to manage our client computers from a central point. We can have our NAVCE server set up to maintain the collection and distribution of the latest virus definitions and software patches.This process will help to keep our networks consistent with our antivirus security policies. In this section, we will investigate the installation methods given to us by NAVCE 7.6 and how they work. We will also take a look at some third-party utilities and how they can help us with a NAVCE client installation deployment.

Developing a Deployment Plan As with any new software deployment on a network, extensive planning must be a priority.This is not the most exciting part of a project, but it’s very necessary in order to keep the implementation from turning into a fiasco—which might create more excitement than anyone would want. While developing our plan, we will want to first verify that a NAVCE 7.6 implementation is capable of running on our network.The previously noted hardware requirements should be checked to ensure compatibility with our network resources. Once these requirements are determined, we can evaluate the more useful NAVCE deployment tools and decide what we want installed and what we don’t. An example could be that your network uses the “Wise” installation system (www.wise.com) to package all your software and give clients access via a Web interface. In this case, it isn’t likely you would need to utilize the NAVCE 7.6 deployment tools. While there isn’t any documented limit to the number of clients that can be added to a particular parent server, the server’s hardware and the network’s bandwidth properties should be considered. As mentioned earlier, the check-in interval should be considered with regard to the number of UDP packets the parent server will need to process. We want to become familiar with the implementation methods available to us and choose the best option for the network environment in question. A good example to use might be a business with 300 Windows 2000 professional computers on one network and one intended management server, or parent server. In this case, we could choose to use the “Remotely Installing NAVCE Client to NT/2000/XP Client PCs” method of installation and simply add all the computers in the domain as clients. We may choose to implement a silent client installation as well.The silent installation method will install the client software and require no user interaction.

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

Finally, we highly recommend testing the implementation of whichever rollout option is chosen or testing various methods to see what will work best for the network in question. Selecting a few test subjects and practicing the implementation is a good way to weed out any problems without affecting the production network. While testing, it is also a good idea to document the procedure and any difficulties—or beneficial features, for that matter—which may have arisen.

Installing NAVCE 7.6 to Client PCs One of the factors involved with helping us develop our plan for deployment is an understanding of the different options given to us by NAVCE 7.6.These options include developing basic script files that will be read by NAVCE 7.6, which allow us to automate aspects of the installation such as assigning parent servers to manage clients—or not to manage clients if that’s our choice. We could install from the disk, but that may lead to consistency problems on our network. Other options include the creation of log on scripts or using floppy drives. Before we get into the specifics of the installations, there are a couple of files which we’ll need to review.They will be brought up now and again within the installation method descriptions and it’s helpful to have an understanding of what they are and how they are used.The first file we will discuss is the grc.dat file, which can be found on the NAVCE Disk 2 CD-ROM in the NAVCORP\ROLLOUT\AVSERVER\CLIENTS\WIN32 directory.The file can be viewed in Figure 6.1. Figure 6.1 grc.dat [KEYS] ; The option for locking manual LiveUpdate: ; 0=allow manual LU; 1=disable manual LU ; note that the default setting for a standalone install should be 0 ; admins should uncomment the next two lines to prohibit the client from running LU ;!KEY!=$REGROOT$\PatternManager ;LockUpdatePattern=D1

; The option for locking access to LiveUpdate scheduling: ; 0=allow LU scheduling; 1=disable LU scheduling ; note that the default setting for a standalone install should be 0

Continued

www.syngress.com

237

238

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

Figure 6.1 Continued ; admins should uncomment the next two lines to prohibit the client from scheduling LU ;!KEY!=$REGROOT$\PatternManager ;LockUpdatePatternScheduling=D1

; The option for locking the ability to load/unload the NAV service: ; 0=allow client to unload; 1=lock option to unload ; note that the default setting for a standalone install should be 0 ; admins should uncomment the next two lines to prohibit the client from unloading NAV ;!KEY!=$REGROOT$\AdministratorOnly\Security ;LockUnloadServices=D1

; The option for Unmanaged AV Clients to forward to central AMS Server: ; AMS=1, LoadAMS=1, AMSServer= Server ; AMS=0, LoadAMS=0, AMSServer=

- Forward to selected AMS - Do not forward AMS Alerts

; -- Uncomment Following 5 lines for Central AMS alerting -;!KEY!=$REGROOT$\Common ;AMSServer=S ;AMS=D1 ;!KEY!=$REGROOT$\ProductControl ;LoadAMS=D1

Parent=

A very important feature of this *.dat file is the very last line, Parent=.This allows the administrator to insert the name of the intended parent server for a particular client. For example: Parent=WebServerName

When this file is copied to the client computer, the indicated server, WebServerName, will automatically become the parent server, or managing server. This is the case, only when the NAVCE 7.6 server program has been installed on the Web server. Otherwise, the value for Parent= will remain unset and the client will remain unmanaged. www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

We can see all the default options are commented out with a “;” except for the last line, Parent=. When editing this file, it is important to use a basic text editor, such as Notepad.This will eliminate the formatting errors we may get by using a word processor such as MS Word.

NOTE For those of us who aren’t really good at coding, the semicolon comments out certain lines within the code, which has the same effect as deleting the line. Commenting out a line will keep the line there, yet it will not be read when the script, or program, is executed. This allows a programmer to edit a file without actually deleting a line, making it very easy to see what recent changes have been made and, if needed, revert back to using that line.

With all the different network configurations, NAVCE 7.6 installations give us plenty of options to choose from and let us pick the one most appropriate. Let’s now investigate the various methods of distributing NAVCE 7.6 to our clients.There are six options for installation: ■

Installing from an internal Web server



IIS Web server client installations



Apache Web server client installations



Installing from a client disk image on a NAVCE server



Remotely installing a NAVCE client to NT/2000/XP client PCs



Installing the NAVCE clients locally



Installing the NAVCE clients using logon scripts



Installing the NAVCE clients from floppy disks or a self-extracting deliverable package

Installing from an Internal Web Server Installing NAVCE 7.6 clients from an internal Web server is helpful because it provides a single management point to specify preferences for the network environment it is being used in.The theory behind this style of implementation is

www.syngress.com

239

240

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

that the client can simply follow a link (e-mailed to the client), which points them to the proper location where they can install the software across the network. Clients on Windows 2000/NT/XP networks, however, will need to have administrator rights on their local machine (or an administrator will need to log on and perform the installation). An important factor to keep in mind is when NAVCE 7.6 Server is installed on an internal Web server, which is then used for client deployment; this Web server will become the default parent server to manage those clients.This can be changed through a process described later. The internal Web server installation method has many variations for setting up the client images. We can perform the installation from an IIS Server 4.0 or 5.0, or an Apache HTTP Server 1.3.12 or later.This implementation will work with Windows 9x/Me/NT/2000/XP clients that are running Internet Explorer 4.0 or later. Once the following implementation configuration settings have been made, the actual deployment can be set in motion.

NOTE Settings for the local intranet must be set to medium to allow Symantec ActiveX controls to be downloaded to the client. After installation, the original settings may be restored if desired.

IIS Web Server Client Installations In some instances we may want to install the NAVCE 7.6 server on an internal Web server and perform an installation in which the end user will not have to interact with the installation process (called a silent installation). Other times, we may want the same silent client installation method, but, for whatever reason, we may not want to install the NAVCE 7.6 server program on our production Web server.These are a couple of client rollout options that are available to us, and which are covered in the subsequent sections. The following example describes an implementation using 4.x and 5.x IIS servers.These are the chosen versions for stability reasons, where IIS 5.1 is currently distributed with Windows 2000/XP. IIS 6.x implementation is very similar to the 5.x implementation and should be tested to ensure reliability.

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

Configuring an IIS Server “with” NAVCE 7.6 Server Installed The following steps should be taken to configure an IIS server in preparation for implementation to the client machines. 1. Start IIS Internet Services Manager for the particular version being used, which is located at Start | Programs: Administrative Tools directory for IIS 5.0 Windows NT 4.0 Option Pack | Microsoft Internet Information Server | Internet Service Manager for IIS 4.0

2. Expand the Web server icon by clicking the + to its left. 3. Expand the Web Sites folder by clicking the + to its left.This process will expose the Default Web Site icon. 4. Right-click the Default Web Site and click New | Virtual Directory... 5. We are now in the Virtual Directory Creation Wizard. Click Next. 6. Select an Alias for your client install directory (one you can easily remember), and type that into the Alias text box. For this example, we will call it “Client_Install.” 7. Click Next. 8. Browse to the location where NAVCE is installed on the Server (or type in the path if known) and click the Clt-inst folder.Typically, this folder is located in the \Program Files\NAV directory. 9. Click Next. 10. We are now given the option for Access Permissions. Select Read and uncheck any other options that may be selected by default. 11. Select Next and then Finish for IIS 5.0, or just Finish for IIS 4.0 12. Close the Internet Information Services dialog box.

Client Install for IIS “with” NAVCE 7.6 Server Installed (Windows NT/2000/XP) The client installation for IIS with NAVCE 7.6 server installed on Windows NT/2000/XP systems, requires we edit the Startnt.htm file by using a text editor

www.syngress.com

241

242

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

such as Notepad.The Startnt.htm file can be found on NAV Disk 2 in the Cltinst\Webinst directory.The steps to edit this file are listed next. 1. Enter the name of the Web server to be used in place of Enter_Server_Name:

2. Our previously created Client_Install directory name will replace the Enter_Virtual_Homedirectory_Name value:

For silent installs: 1. The file, Files_nt.ini, can be found within the Clt-inst\Webinst folder and will need to be modified. 2. Find the General section and delete the semicolons from the start of the following lines: InstallOptions=/s /v" /qn /li Webinst.log" MSILogFileName=Webinst.log

Client Install for IIS “with” NAVCE 7.6 Server Installed (Windows 9x/Me) In the client install for IIS with NAVCE 7.6 server installed on Windows 9x/Me systems, we will again use a text editor, such as Notepad, but this time edit the Start9x.htm file.The steps to edit this file are as follows: 1. Enter the name of the Web server to be used in place of Enter_Server_Name: .

2. Our previously created Client_Install directory name will replace the Enter_Virtual_Homedirectory_Name value:

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

For silent installs: 1. The file, Files_9x.ini can be found within the Clt-inst\Webinst folder and will need to be modified. 2. Find the General section and delete the semicolons from the start of the following lines: InstallOptions=/s /v" /qn /li Webinst.log" MSILogFileName=Webinst.log

Configuring an IIS Server “without” NAVCE 7.6 Server Installed In some instances, we may not want to install the NAVCE server program. For example, we may not have room on our server or we may not want to add another service to our production server without serious testing first, even though we need antivirus protection now. In such cases, we can still create regular and silent installations using the following procedures. For this process, we will need to have our NAVCE 7.6 Disk 2 or access to the Disk 2 files available to us.The steps for preparation are as follows: 1. On your internal Web server, create a new directory on the root drive (typically C:) and call it Nav.Then create and a folder within Nav called Clt-inst. Example C:\Nav\Clt-inst

2. The following folders and their contents will need to be copied from the NAVCE 7.6 Disk 2 to the Nav\Clt-inst folder we have just created. ■

Navcorp\Rollout\Avserver\Clients\Win32

Navcorp\Rollout\Avserver\Clients\Webinst For the next procedure, you’ll need to open the Internet Services Manager. (This is dependent upon the version of IIS you are using.) ■

1. Open the Internet Services Manager by double-clicking the Web server icon. 2. Right-click the Default Web Site and select New | Virtual Directory. 3. Click Next. 4. Select an Alias for our client install directory and type that into the Alias text box. For this example, name it Client_Install. www.syngress.com

243

244

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

5. Click Next. 6. Select our previously created Clt-inst folder. 7. Click Next. 8. We are now given the option for Access Permissions, select Read and uncheck any options that may be selected by default. 9. Click Next and then Finish for IIS 5.0, or Finish for IIS 4.0

Client Install for IIS “without” NAVCE 7.6 Server installed (Windows NT/2000/XP) The client installation process without the server program installed is virtually the same as the previous exercise with the exception of the silent install. For the Windows NT/2000/XP systems, we need to edit the Startnt.htm file by using a text editor such as Notepad. As mentioned earlier, the Startnt.htm file can be found on NAVCE Disk 2 in the Clt-inst\Webinst directory. Perform the following steps: 1. Enter the name of the Web server to be used in place of Enter_Server_Name. .

2. Our previously created Client_Install directory name will replace the Enter_Virtual_Homedirectory_Name value.

For silent managed client Web installs, use a text editor, such as Notepad, to edit the files grc.dat, the Files_nt.ini, and the Startnt.htm file.The next steps detail this process. 1. Edit the grc.dat file, which is located within the \Clt-inst\Win32 directory. Within this file, we will need to append an argument to the end of it.This line indicates the client’s parent server, which will be the server used to manage it, which is preceded by the letter “S”. Using the text editor, add the name of our Web server as follows: PARENT=S

www.syngress.com

eg. PARENT=SOurServer

Implementing NAVCE 7.6 to Client PCs • Chapter 6

2. Find the file, Files_nt.ini, in the Clt-inst\Webinst folder. It needs to be modified. 3. Find the General section and delete the semicolons from the start of the following lines: InstallOptions=/s /v" /qn /li Webinst.log MSILogFileName=Webinst.log

Client Install for IIS “without” NAVCE 7.6 Server Installed (Windows 9x/Me) For the Client installation for IIS systems without NAVCE 7.6 server installed, we will again use a text editor, such as Notepad, and this time edit the Start9x.htm file. 1. Enter the name of the Web server to be used in place of Enter_Server_Name. .

2. Our previously created Client_Install directory name will replace the Enter_Virtual_Homedirectory_Name value.

For the Windows 9x/Me Silent managed client installs, we will need to make changes to the grc.dat, Files_9x.ini, and Start9x.htm files. Use a text editor, such as Notepad, and edit these files as follows: 1. Like with the Windows NT/2000/XP installations, we need to edit the grc.dat file, located within the \Clt-inst\Win32 directory. Within this file, we need to append an argument to the end of it indicating that the parent server will be used to manage the particular client.This line will be the client’s parent server name, which is preceded by the letter “S”. Using the text editor, add the name of our Web server as follows: PARENT=Seg. PARENT=SOurServer

2. Find the file, Files_9x.ini, within the Clt-inst\Webinst folder. It needs to be modified.

www.syngress.com

245

246

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

3. Find the General section and delete the semicolons from the start of the following lines: InstallOptions=/s /v" /qn /li Webinst.log MSILogFileName=Webinst.log

Silent Unmanaged Client Web Installs When configuring a silent unmanaged Client Installation, the previous steps detailed for a silent managed client install should be taken, with respect to the operating system in question.The difference is the exception of the grc.dat file editions.The grc.dat file essentially tells the client computer who its parent server is by indicating the value for Parent= argument. By not indicating the name of the Parent server, the client will not be managed and it will be up to the client to update the system manually.

Apache Web Server Client Installations Now that we’ve covered the Web server installation for IIS and its many different configuration options, we will take a look at these options again and how they work with Apache Web servers. Notice that the Apache Web server does not have a “virtual directory.”This is indicated within the Start9x.htm or Startnt.htm files by the use of double quotes.The Apache Web server also needs to be installed as a service. Aside from those differences, the client installation setups are virtually the same. Again, any client who receives an installation from a Web server will automatically be configured to recognize that Web server as its parent server.

Configuring an Apache Web Server “with” NAVCE 7.6 Server Installed When the NAVCE 7.6 server program is installed, several changes will need to be made from the default settings. First, we must use a text editor, such as Notepad, to edit the Srm.conf file, which is located within the Root Drive\Program Files\Apache Group\Apache\Conf directory by default. 1. The following lines indicate that the VirtualHost, or the Apache Web server, is located at an IP address, which we will need to replace with our Web server’s IP address. 2. The WebServerName will also need to be replaced with the Apache Web server’s name.

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

3. The default path on the DocumentRoot line then indicates the location of the NAVCE files. DirectoryIndex default.htm

#ServerName WebServerName DocumentRoot "Root_Drive\Program Files\Nav\Clt-inst"

Client Install for Apache “with” NAVCE 7.6 Server Installed (Windows NT/2000/XP) To install the client software on Windows NT/2000/XP systems that will be managed by an Apache Web server with NAVCE 7.6 server installed, we will need to edit the Startnt.htm file by using our text editor.The steps to edit this file are listed next: 1. Replace the Enter_Server_Name value with the name of the Web server to be used.

2. Delete the Enter_Virtual_Homedirectory_Name value, leaving only the double quotes. For example:

For silent installs, edit Files_nt.ini, which can be found in the Clt-inst\Webinst folder. Within the General section, delete the semicolons from the start of the following lines. InstallOptions=/s /v" /qn /li Webinst.log" MSILogFileName=Webinst.log

Client Install for Apache “with” NAVCE 7.6 Server Installed (Windows 9x/Me) For the Windows 9x/Me client installs, we will need to make changes to the Start9x.htm file. Use a text editor, and edit these files as follows:

www.syngress.com

247

248

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

1. Replace the Enter_Server_Name value with the name of the Web server to be used.

2. Delete the Enter_Virtual_Homedirectory_Name value, leaving only the double quotes. For example:

For silent installs, edit Files_9x.ini, which can be found in the Cltinst\Webinst folder. Within the General section, delete the semicolons from the start of the following lines. InstallOptions=/s /v" /qn /li Webinst.log" MSILogFileName=Webinst.log

Steps to Configure an Apache Web Server “without” NAVCE 7.6 Server Installed As mentioned earlier under the section for IIS configurations, in some instances we may not want to install the NAVCE Server Program. Even though we may lack hard drive space or don’t want to add yet another service to our critical production server, we may still need this functionality. In such cases, we can create regular and silent installs for an Apache Web server using the following procedures. For this process, we need to have our NAVCE 7.6 Disk 2 or access to the Disk 2 files available to us.The steps for preparation are as follows: 1. On your internal Web server, create a new directory on the root drive (typically C:) and call it Nav.Then create a folder within Nav named Clt-inst: Example C:\Nav\Clt-inst

2. The following folders and their contents will need to be copied from the NAVCE 7.6 Disk 2 to the Nav\Clt-inst folder we have just created. ■

Navcorp\Rollout\Avserver\Clients\Win32



Navcorp\Rollout\Avserver\Clients\Webinst

3. We can now complete the configuration of our Web server, as if the server program was installed, as discussed earlier. Now let’s edit the Srm.conf file, which is located within the Root Drive\Program

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

Files\Apache Group\Apache\Conf directory by default.To do this, complete these final steps: 4. The following lines will indicate that the VirtualHost, or the Apache Web server, is located at the IP address, which we will need to replace with our own Web server’s IP address. 5. The WebServerName must also be replaced with the Apache Web server’s name. 6. The default path on the DocumentRoot line then indicates the location of the NAVCE files.

#ServerName WebServerName DocumentRoot "Root_Drive\Program Files\Nav\Clt-inst"

Client Install for Apache “without” NAVCE 7.6 Server Installed (Windows NT/2000/XP) To install the client software on Windows NT/2000/XP systems to be managed by an Apache Web server without NAVCE 7.6 server installed, we need to edit the Startnt.htm file.The steps to edit this file are listed next. 1. Replace the Enter_Server_Name value with the name of the Web server to be used.

2. Delete the Enter_Virtual_Homedirectory_Name value, leaving only the double quotes. For example:

For silent managed installs, complete the following as well: 1. Edit Files_nt.ini, which can be found in the Clt-inst\Webinst folder. Within the General section, delete the semicolons from the start of the following lines. InstallOptions=/s /v" /qn /li Webinst.log" MSILogFileName=Webinst.log

www.syngress.com

249

250

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

2. Edit the grc.dat file, located within the \Clt-inst\Win32 directory. Within this file, we must append an argument to the end of it.This line indicates the client’s parent server name, which preceded by the letter “S”. Using your text editor, add the name of our Web server as follows: PARENT=Seg. PARENT=SOurServer

Client Install for Apache “without” NAVCE 7.6 Server Installed (Windows 9x/Me) For the Windows 9x/Me client installs, we will need to make changes to the Start9x.htm file. Use a text editor, such as Notepad, and edit these files as follows: 1. Replace the Enter_Server_Name value with the name of the Web server to be used. .

2. Delete the Enter_Virtual_Homedirectory_Name value, leaving only the double quotes. For example:

For silent managed installs, complete the following as well: 1. Edit Files_9x.ini, which can be found in the Clt-inst\Webinst folder. Within the General section, delete the semicolons from the start of the following lines. InstallOptions=/s /v" /qn /li Webinst.log" MSILogFileName=Webinst.log

2. Edit the grc.dat file, which is located within the \Clt-inst\Win32 directory. Within this file, we must append an argument to the end of it.This line indicates the client’s parent server name, which is preceded by the letter “S”. Using your text editor, add the name of our Web server as follows: PARENT=Seg. PARENT=SOurServer

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

Silent Unmanaged Client Web Installs As with the IIS client installations, when configuring a silent unmanaged client install for Apache, with the exception of the grc.dat file editions, the previous steps for a silent managed client install should be taken, with respect to the operating system in question.This will prevent the client from reading information regarding the name of the installation Web server, thus keeping the client system unmanaged.

Assigning Parent Servers As previously discussed, the Web server that deploys the client installation will automatically become that client’s parent server upon a client reboot.This is the case when the NAVCE 7.6 server program is installed on the Web server, otherwise the client will be unmanaged. However, the grc.dat file may be edited to indicate a different management server for a specific client. Another method for changing parent servers is to copy the grc.dat file from the server we wish to be the parent server to the install directories of the Web server used for the install, and then restart the client computer.

Installing from a Client Disk Image on a NAVCE Server Installing from a client disk image requires a system that is running the NAVCE 7.6 server program and the installing user to be on the client system. As a part of the default installation, the server program creates a client installation folder, Cltinst, also known as the client disk image.This disk image is available as a network share, which gives all users Read access. For a client to actually install from this directory, they will need to have the rights of Read and File Scan.These permissions can be easily given by adding users to the NORTONANTIVIRUSUSER group, which was also created, by default, during the server installation. If maintaining the appropriate permissions, a client can connect to a server’s client disk image and install the client program across the network.This server will automatically become the managing, or parent, server of the client as well. The following lists the steps necessary to install from a server’s client disk image: 1. Give users appropriate rights to access the installation program and install it. As previously mentioned, they can be added to the NORTONANTIVIRUSUSER group which will give the user the Read and File Scan rights needed to perform the installation. www.syngress.com

251

252

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

2. Make the client users aware of the network share that they can connect or map a network drive to.The following lists the default directories for Windows and NetWare: ■

Windows NT/2000 servers \\Servername\Vphone\Clt-inst



NetWare servers \\Servername\Sys\Nav\Clt-inst

3. Once the user has accessed the correct install directory, they must choose the appropriate setup program for their operating system.The options are: ■

Windows 9x/Me/NT/2000/XP system Cltinst\Win32\Setup.exe



Windows 3.x, Windows for Workgroups Cltinst\Win16\Setup.exe



For DOS 5.0 systems Clt-inst\Dos\Install.bat

4. Once the appropriate *.exe file is selected, the installation can begin by executing the file.

Remotely Installing NAVCE Client to NT/2000/XP Client PCs The remotely installing NAVCE client method allows an administrator to roll out an installation to multiple clients simultaneously without having to actually move to each computer in the building, log on, and start the install.This procedure does, however, require Domain Administrator rights, or a user account that includes the correct rights to log on to the chosen computers and install programs. We will need the NAVCE 7.6 Disk 2 for this exercise, or access to the files. This procedure allows us to easily select computers by name in one pane and add them to the particular NAV Server we desire.

NOTE If all the NAVCE 7.6 Disk 2 files are copied to a shared drive, we can map a network drive to that share and double-click the CDStart.exe file. This will give us the same result as if the CD’s autorun splash screen started when we placed the disk in our drive.

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

1. Placing the NAVCE 7.6 Disk 2 in our drive (or accessing the shared files on the network and double-clicking the CdStart.exe), we receive the following splash screen. For this installation method we will select the Install Norton AntiVirus to NT Clients option, as shown in Figure 6.2. Figure 6.2 Disk 2 Splash Screen

2. This takes you to the window shown in Figure 6.3, which welcomes you to the install utility. Select Next. Figure 6.3 The Client Install Utility Welcome Screen

3. Here you can choose the type of network our clients are residing on. For instance, we will select the Microsoft Windows Network, as shown in Figure 6.4.

www.syngress.com

253

254

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

Figure 6.4 Network Selection

4. From this point, it’s a matching game. Referring to Figure 6.5, select your client from the left pane and the NAV Server from the right. Next, click Add, which virtually assigns that client to a parent server. Figure 6.5 Client Selection

5. Once the target client(s) have been added, it will appear in the AntiVirus Servers pane in a tree-style format (see Figure 6.6).

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

Figure 6.6 Parent Server Selection

6. Add any extra clients desired. We can also reinstall clients if we choose to change their respective parent server (see Figure 6.7). Figure 6.7 Installation Status Screen

7. Select Done when all the installations are completed.

Importing from a Text File Sometimes, we want to create a large rollout, but it’s very time-consuming to point, click, and add every client we want to install software on. NAVCE 7.6 and later thankfully gives us a tool to expedite the task, using an ASCII text file to import a list of IP addresses.This feature was primarily created for installing clients (using the remote installation method covered earlier) on networks that are non-WINS. WINS is a feature employed by Microsoft to allow computers to communicate with other computers by using a computer name.The import www.syngress.com

255

256

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

option allows an administrator to import a list of IP addresses when browsing computer names, since the previous example displayed will not work. Figure 6.8 shows a short sample import file using Notepad as the text editor. Figure 6.8 Import File

This particular file has the IP addresses specified by their respective computer names. Such an option makes management easy, but it’s not required. In this format, the semicolon (;) can be used to comment out lines that the installation program should ignore. A colon (:) will perform the same function as the semicolon. 1. To use this method, select the Install Norton AntiVirus to NT Clients option. 2. The Welcome screen should appear, click Next. 3. Select the NAVCE 7.6 server we wish to be the managing parent server. Choosing the server will enable the “Import…” option. 4. Click the Import… button. 5. Browse to our text file. Select the appropriate file and click the Open button. Once the open button is clicked, wait almost a minute for the IP addresses to be resolved (the length of time will depend on the speed of the other network and the number of computers being deployed). If an IP address in your list does not exist on your network (perhaps the computer is shut down, it has a new IP address, and so on), it will simply not be included in the Selection Summary (shown in Figure 6.9), allowing us to proceed with those computers that were found.

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

Figure 6.9 Selected Target Systems

6. Click the OK button.This step may ask you to authenticate (provide a username and password) to a client that your local log-on credentials may not have access to. 7. The particular IP addresses assigned to our server will then appear (see Figure 6.10). Figure 6.10 Parent Server/Client Verification

8. We are given an option to check any possible errors during the installation interactively, for each computer, or to have errors logged to a file (see Figure 6.11). Choose to have any possible errors logged to the C:\WINDOWS\NAVCECLN.txt file. Click Yes.

www.syngress.com

257

258

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

Figure 6.11 Log or Interaction Prompt

9. The Status of Remote Client Installation(s) screen should appear (see Figure 6.12), where the progress of the installations can be viewed. It doesn’t take long for the files to be distributed, maybe three minutes for these four clients.They may be loaded at different speeds as well. Figure 6.12 Installation Status Screen

10. When everything has finished copying, you a new window will pop-up. Click Done.The installation is complete. Notice that the NAVCE 7.6 icon is no longer in the system tray of our clients. If we check our NAVCE client program status, we will see the installation is actually complete.The icon will reappear in the system tray upon reboot.This isn’t truly important, but it will have you wondering if the icon just disappears.

NOTE This method is not intended for use on NetWare systems.

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

Installing the NAVCE Client Locally By far the simplest way to install the client software is to access the Disk 2 files and select Install Norton AntiVirus Client Locally.This is as easy as installing any type of software by running the install program and selecting the options as we go. Note, however, that this is a time-consuming process in which clients are installed one at a time, increasing the chance of human error when it comes to selecting the correct server. 1. Using this method, open the NAVCE startup screen and select the option for Install Norton AntiVirus Client Locally (as shown in Figure 6.13). Figure 6.13 The Disk 2 Splash Screen: Install Norton AntiVirus Client Locally

2. NAVCE then opens the Install Wizard. On the Welcome screen, click Next (see Figure 6.14). Figure 6.14 Local Client Installation Welcome Screen

www.syngress.com

259

260

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

3. The licensing agreement offered by NAVCE 7.6 will appear. Click Next. 4. The next screen, shown in Figure 6.15, displays a list of options for installing snap-ins that coincide with any installed mail services we currently have. As shown in Figure 6.15, if the program is not installed, the box will not be checked; it’s usually safe to continue with the default setting given. In this case, Microsoft Outlook is installed on the machine. If we plan to add Lotus Notes, we could select the snap-in and save us the trouble of updating at a later time. Figure 6.15 Snap-in Selection

5. The next screen (Figure 6.16) let’s us indicate whether our clients’ status is Managed or Unmanaged. One reason this installation method is not widely preferred (despite how easy it is) is because a user may not select Managed.This might be a simple oversight where someone may have sped through the installation without reading all the steps. Regardless of why, if the client is not installed as managed, the installation will either need to be run again appropriately, or the grc.dat file will need to be copied from the correct parent server and placed within the client’s NAVCE directory. In this exercise, we will select the Managed radio button.

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

Figure 6.16 The Managed and Unmanaged Options

NOTE The following should be taken into consideration when configuring email support. NAVCE provides support for: ■ ■ ■

Lotus Notes 4.5x, 4.6x, and 5.0 Microsoft Exchange 5.0 and 5.5 Microsoft Outlook 97/98/2000/XP MAPI (Internet e-mail is not supported)

Developing & Deploying… The NAV Sole Proprietor Edition: Making an Unmanaged Client Managed If, perchance, a client has been configured as unmanaged—something we don’t want—there are two methods for assigning a parent server. The first method is straightforward, but isn’t what most people are looking for: uninstalling the NAVCE 7.6 client software and reinstalling it so it correctly identifies the parent server. After all, nobody likes to do the same work twice, especially when it could be avoided initially. Fortunately, the install program really doesn’t take a whole lot of time; the uninstall does require a reboot to remove some of its files, however. Continued

www.syngress.com

261

262

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

The second method for correcting this problem is to copy the grc.dat file from the intended parent server and place it in the appropriate directory of the client. Here is a list of the different options and locations of files: 1. Copy the grc.dat file from the appropriate directory in regards to the client’s operating system from the designated parent server: ■

C:\NAV\Clt-inst\Win32



C:\NAV\Clt-inst\Win16



C:\NAV\Clt-inst\DOS

2. On the Client, place the copied file within the directory (according to the operating system), as stated next: ■

Windows 2000/XP C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5



Windows NT C:\winnt\Profiles\ All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5



Windows 9x/Me C:\Program Files\Norton AntiVirus

With the appropriate server file copied to the client directory, the client will need to be restarted. This will cause the RTVScan.exe file to search for the grc.dat file and update the configuration accordingly. The RTVScan.exe file will then delete the grc.dat file. Presto! We are done. Our rogue client is now a managed client. These methods may also be used for changing from one parent server to another. Just select the new parent server and follow the previous steps.

6. Here, the installation can get complicated, proving why this installation is not a preferred method.You will see the Server name is left blank and we are given the option to insert our server’s NetBIOS name or Browse to the NAVCE server we wish to use. When a server name is entered and we select the Next button, the installation program will search for the designated computer name. If one is found, we may continue, if one is not found, we will receive an error, as shown in Figure 6.17.

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

Figure 6.17 Parent Server Name Mismatch Error

The problem will not necessarily arise when the user inputs an invalid name (stopping the installation), but when the user puts in a valid NAV server name that is not the one intended. For instance, if we had the servers NAVCE1, NAVCE2, NAVCE3, this could be very easy for a network administrator to keep in order, yet a user may select any of the three (as long as the installation program can reach them all) and still continue with the installation. Of course, if this happens, we can later add our client to a parent server by copying the grc.dat file to the correct directory, or reinstalling the client software. 7. Add the server name (see Figure 6.18). Figure 6.18 Parent Server Selection Screen

8. The server name will be verified and we can continue. 9. The client software will now install and be configured to its parent server. 10. Select Finish.

www.syngress.com

263

264

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

Installing the NAVCE Client through Logon Scripts Installing through logon scripts is an option available for both Windows NT/2000 servers and NetWare servers.The logon scripts will check the existence, or version number, of the client when the system is logged on to the network.The server then has the capability to install or update the client software automatically, or prompt the user to do so. We only need to make changes on the parent server and then the network can be brought up-to-date.This option requires the user, logging on to a client computer, to have administrative rights on the local computer, as the install or update will need to make changes to the Registry.This process is straightforward and particular options can be configured within the SSC.

NOTE 16-bit clients will need to have a temporary directory specified in their Autoexec.bat file. A line such as set temp = C:\Temp will work. The directory can be named anything as long as the Autoexec.bat file indicates its location.

In the sections immediately following, we’ll discuss several ways to configure this option, for both Windows NT/2000 server and NetWare server.

Windows NT Logon Script Setup The Windows NT logon script setup can also be used for Windows 2000.The following describes how to assign the logon script to a particular user, or target user. Once the script is configured and assigned, it will be executed the next time the user logs on to the network. 1. Copy the Vplogon.exe and Nbpshpop.exe files to the netlogon share on the server.These files can be found, by default, in the C:\winnt\System32\Repl\Import\Scripts folder on Windows NT servers and the C:\winnt\Sysvol\Sysvol\Domainname\Scripts folder on Windows 2000 servers. (If the network has BDCs, these files will need to be copied, or replicated, to all servers.) 2. Set up the options for the script by opening the Symantec System Center console.

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

3. Unlock the Server Group, right-click the appropriate server, and select All Tasks | Norton AntiVirus | Client Login Scan And Installation. 4. Select Installation. 5. Here we can select the installation options as follows: ■

Automatically Install The installation is automatic, offering the user no options.



Ask the user The user is given the option to install.



Do not install This option does not install any files.

6. Select OK. 7. Assign the script to our intended recipients using the User Manager. 8. For each user we want to use this script, do the following: ■

Open the User Manager by going to Start | Programs Administrative Tools | User Manager.



Double-click the target user to open its properties.



Type Vplogon.bat in the logon Script Name text box.



Click OK, and OK again, to close the User Manager window.

NetWare Logon Script Setup The NetWare logon script process is easily configured by setting our options in the SSC console and then adding a target user to the NORTONANTIVIRUSUSER group that is automatically created by the NAVCE 7.6 server installation program.The setup option for NetWare is as follows: 1. Open the Symantec System Center console. 2. Right-click the server to be configured and go to All Tasks | Norton AntiVirus | Client Login Scan and Installation. 3. Select Installation. 4. We’re now presented with logon installation options as follows: ■

Automatically Install The installation is automatic, offering the user no options.



Ask the user The user is given the option to install.

www.syngress.com

265

266

Chapter 6 • Implementing NAVCE 7.6 to Client PCs ■

Do not install This option does not install any files.

Force Update During Next Login This option will push update files to the client computer. The Force Update During Next Login option will be run one time only.To run another update, the option will need to be checked again. By checking this box, the ClientNumber value in the Vp_login.ini will increment.This new, incremented number will be compared to the current ClientNumber, and if different, the client will be updated.The key in question is located within the Registry under: ■

HKEY_LOCAL_MACHINE\Software\Intel\VirusProtect6\CurrentVersion\Client Number

5. Click OK. 6. Add all the target users to the NORTONANTIVIRUSUSER group.To do this for NetWare 4.x and 5.x, perform the following steps: 1. Open the NetWare Administrator (Nwadmin32.exe or Nwadmn95.exe) utility from a client computer. 2. Double click on the NORTONANTIVIRUSUSER group. 3. Select Members in the Group dialog box. 4. Add target users to the group by selecting the users and clicking Add. 5. Click OK, and OK again, to close the open dialog boxes. 6. Close the NetWare Administrator utility. To add the target users to the NORTONANITVIRUSUSER group for NetWare 3.2, complete the following steps: 1. Start the NetWare system console by typing SYSCON within the Sys:Public directory. 2. Select Group Information and press Enter. 3. Select the NORTONANTIVIRUSUSER group and press Enter. 4. Select Member List and press Enter. 5. Now press the Insert key and add the target users to the group. 6. Close all open panes using the Escape button, and then close the system console. www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

Installing the NAVCE Client from Floppy Disks or a Self-Extracting Deliverable Package Yet another option for installing the client program is to install from floppy disks or by using a self-extracting file. We can use the utility package.exe to create installation disks with the intent of distributing the software to our clients who are not connected to our managed network. For instance, home users, while of course possible, would not be feasible to have set up the ability to manage with a parent server. Allowing our users to take this software to home computers will help ensure the security of our network indirectly. When a user is working at home, and not using NAVCE 7.6 client, or any antivirus software for that matter, viruses or other malicious programs could be easily downloaded.The next time the home user VPN’s to the network, a multitude of security risks are introduced to our once secure network. Another possibility, as mentioned at the beginning of this chapter, is a user who burns a CD or brings in documents on a floppy and loads it onto their work computer. Again, such acts threaten the network. To use the Symantec Package Utility, for either the floppy disk creation or the Self-Extracting Deliverable package, make sure there is enough free disk space on the hard drives. It hardly seems a concern given the 100GB hard drives on the market today, but you never know.The following indicates what must be available for the creation process and install of both methods: ■

Windows 9x/NT/2000 21MB to create the package and 75MB for the install process.



Windows 3.1 5MB to create the package and 10MB for the install process.



DOS 4MB to create the package and 5MB for the install process.

Using the Symantec Package Utility to Create a Self-Extracting Deliverable Package The Package utility, package.exe is located on NAVCE 7.6 Disk 2 in the directory of Navcorp\Rollout\Avserver\Clients and is called the NAVCE Client Packager. With this utility, we can create one of two installation methods.The first is a single self-extracting executable for the client installation file, and the other is a set of floppy disks. First, we will cover the creation process of the self-extracting file as follows:

www.syngress.com

267

268

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

1. Open the directory Disk2\Navcorp\Rollout\Avserver\Clients. 2. Double-click the package.exe file.The following dialog box (shown in Figure 6.19) should appear. Figure 6.19 Client Packager: Single File Selected

3. Select the particular operating system to prepare an installation package for. Here, choose Windows 9x/NT/2000. (Other options include Windows 3.1 and DOS.) 4. Select the check box to enable a silent installation package. By choosing this option, the Accept Setup.wis Options For Silent Install is enabled. Select this option as well.This file serves as an answer file for the installation. It is only read during for the first install on a system. If the system has been previously installed, and is being reinstalled or upgraded, the file will not be used (even if designated). For more information on the Setup.wis file, please refer to the Notes From the Underground… sidebar located at the end of this section. 5. Select the Web or e-mail option. 6. Designate a directory where the package will be placed upon creation. Let’s keep the default for this example. 7. Click the Create button. 8. The files will begin compressing (see Figure 6.20).The process could take nearly two minutes to complete.

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

Figure 6.20 Client Packager Compression Status

9. Click OK to finish the creation and then click the Close button. 10. The icon for our Win32 installation (shown in Figure 6.21) will appear in the C:\Windows\Temp\NAV32EXE directory. For a Windows 3.1 and DOS installation, the directories would be NAV16EXE and NAVDSEXE respectively. Now that the package is created, we can proceed with the implementation of the client machine. Figure 6.21 Newly Created Client Installation File

11. First we will need to give the client system access to the client installation package. We can do this by sharing a folder the client can map to, or copying the file to the client computer.

NOTE E-mailing the file is an option, but it may not be the best one. The packaged file for the Windows 9x/NT/2000 is 26.5MB. I know at my office, I would get a brisk slap on the wrist for trying to e-mail a file this large.

www.syngress.com

269

270

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

12. Once we have placed the executable on the client machine, double-click the file. 13. Select OK to begin the installation. 14. Since we prepared the installation for silent mode, we can sit back and the installation will work without being noticed.

Notes from the Underground… The Setup.wis File in Depth: To Answer or Not to Answer An answer file is a script file that provides the input needed for a program installation. For instance, when an installation program asks if we want to install support for Exchange or Lotus notes, instead of prompting us for input, the installation program will read the preconfigured information in the answer file to get its answer, thus giving us a silent install. The Setup.wis file has been provided for use with Windows 9x/NT/2000/XP and is located within the directory on NAVCE 7.6 disk 2\NAVCORP\ROLLOUT\AVSERVER\CLIENTS\WIN32. The following is an excerpt of some of the more commonly customizable options from the Setup.wis file. Note the use of 1’s and 0’s, which equal true or false, respectively. [DestinationFolder] InstallDir=Default

The value can be either Default, for a typical installation, or a path to a customized directory.

[RunOptions] StartAutoProtect=1

This value indicates to the system if File System Realtime Protection will be used or not. 1 enables real-time protection and 0 disables it.

Continued

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6 [SetupCompleteSuccess] BootOption=0

On Windows 9x systems, this value indicates whether or not there should be a forced reboot after installation. 1 diables the automatic reboot and 0 enables the automatic reboot.

DisplaySilentMsg=1

This value indicates whether or not to display a dialog box, indicating the system will be rebooted, during a silent installtion. 1 will display the dialog box and 0 will not display the dialog box.

[SnapIns] ForceInstall=0

This value indicates if the user will have the option to choose the install or not. 1 forces the installation, and 0 does not.

Notes=1

This value indicates the option for installing the Lotus notes snap-in. (1) for yes, (0) for no.

Exchange=1

This value indicates whether to install the Exhange snap-in (1) or not install the snap-in (0).

Looking at this file, we can make correlations to a regular interactive installation. For instance, during installation of the client, we are asked what e-mail support we would like to include. If we are deploying our client software to a group of similar systems, this file will allow us to customize all the systems to use the same features.

Using the Symantec Package Utility to Create a Set of Floppy Disks The process of creating a set of floppy disks for a client installation is covered in this section. Some may find it a little outrageous, considering it takes a total of 20 floppy disks to create this installation method for Windows 9x/NT/2000 clients. However, there may be some instances where a floppy disk installation is the only method available.This setup process is outlined in the following: 1. Double-click the package.exe file, which resides on the NAVCE Disk 2, Navcorp\Rollout\Avserver\Clients directory. www.syngress.com

271

272

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

2. Select the particular operating system to prepare an installation package for. Choose Windows 9x/NT/2000. (Other options are Windows 3.1 and DOS.) 3. Select the check box to enable a silent installation package. By choosing this option, the Accept Setup.with Options for Silent Install is enabled. Select this option as well.This file serves as an answer file for the installation.This file is only read during for the first install on a system. If the system has been previously installed and is being reinstalled or upgraded, even if designated, the file will not be used. 4. For the floppy disk install, select the button labeled Floppy disk – Multiple files that each fit on a floppy disk, shown in Figure 6.22. Figure 6.22 Client Packager—Floppy Disk Selected

5. For this exercise, keep the default as TEMP directory. 6. Select Create. (This process will take five minutes to run.) 7. Click Ok and Close. 8. (The next steps involve putting the information on a series of floppy disks.) Find the location of the files just created. In this case, C:\WINDOWS\TEMP\NAV32FLP. Note that many more files have been created instead of “one” Self-Extracting Deliverable Package file (see Figure 6.23).

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

Figure 6.23 Floppy Disk Files

For a Windows 3.1 and DOS installation, the directories would be NAV16FLP and NAVDSFLP, respectively. 9. Label a floppy as Disk 1 and copy the NAV732.exe file to the first floppy. 10. Repeat this process for all of the .cab files in sequence. Now that we have our floppy disks ready, we can proceed with the implementation of our client machine. 1. Insert the floppy disk labeled disk 1. 2. Double-click My Computer. 3. Double-click 3-1/2 Floppy (A:) (if the A: drive is your floppy drive). 4. The NAV732.exe file should appear. Double-click it. 5. Follow the onscreen instructions. (This particular installation method will allow us to specify a parent server if we would like.) 6. Select Yes to reboot the client machine.

Understanding Third-Party Installation Methods Although NAVCE 7.6 gives us many valuable options for client distribution, there are numerous other third-party software distribution tools available for use as well. Altiris eXpress Client Management Suite and Microsoft’s System www.syngress.com

273

274

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

Management Systems Server are just a few of the many we will cover in this section. With all the options given by NAVCE 7.6, one might wonder at the logic behind using a third-party solution for implementing this product, or any product that provides its own implementation methods for that matter. One reason is that a network administrator may not want to introduce an extra service to the network and consume bandwidth. Another reason may be that the network administrator is comfortable with the tools currently being used, or with the consistency of reporting formats, or the software inventory control, or perhaps it’s just their personal preference. Nevertheless, plenty of alternative options exist and we will talk about a few of them here.

Using Microsoft IntelliMirror to Deploy the NAVCE Client Microsoft IntelliMirror is a network management tool built in to the Windows 2000 operating system.This tool provides the functionality for user data management, user settings management, and software installation and maintenance through the use of the Active Directory. IntelliMirror may be used to rollout NAVCE 7.6 client software—however, it is limited by the fact that the network must be running Active Directory.This tool is not able to deploy NAVCE 7.6 server or upgrade earlier versions of NAV. To deploy NAVCE 7.6 client software using MS IntelliMirror, perform these steps and follow them up with a client system reboot. 1. Open Start | Programs | Administrative Tools | Active Directory Users and Computers. 2. If NAVCE client software is to be deployed to: ■

A Domain Right-click the domain and select Properties.



Specific systems Right-click the organizational unit in which the computers reside, and select Properties.

3. Select a current group policy or choose New to create a new group policy from the Group Policy tab. 4. Select Edit. 5. Within the Group Policy pane, select Computer Configuration | Software Settings | Software Installation.

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

6. Go to New | Package by right-clicking Software Installation. 7. Browse to the location of the NAVCE 7.6 client installation files and select Navce.msi. 8. Click the Open button. 9. Click Assign and then OK.

Using Microsoft Systems Management Server to Deploy the NAVCE Client Microsoft Systems Management Server (SMS) is a powerful network tool that can be used for software distribution, remote computer management, and managing assets such as hardware and Windows-based software. As expected, SMS can be used to roll out NAVCE 7.6 to the client computers. It has certain advantages for network management, too, since it closely integrates with other Windows 2000 servers and applications. SMS also provides a check point-restart feature that will continue a client installation from the point where it was interrupted if the network was somehow disconnected. Bandwidth management, scheduling, and status reporting are other advantageous features of this product. The NAVCE 7.6 Disk 2 includes a PDF file that SMS can utilize to deploy the client software to Windows 9x/Me/NT/2000 systems while minimizing configuration time.The PDF serves as an answer file that SMS can import to create a compressed NAVCE 7.6 software package. Using SMS, we would first create a source directory for each operating system version of the client installation we will be installing. Next, we need to copy the files from the NAVCE 7.6 Disk 2 Navcorp\Rollouts\Avserver\Clients directory to our newly created source directory (or directories). A query will need to be created for verifying a client’s free disk space for the installation and then the client installation package must be created. Once the previous tasks have been completed, an SMS job can be generated and the implementation can begin. Additional steps will need to be taken if the goal of the distribution is to create silent installs for managed clients. As we learned earlier, the Setup.wis file is an answer file that the NAVCE 7.6 client installation program can use to enable a silent installation.This file should be edited for any preferences prior to packaging of the client installation.The grc.dat file will need to have a parent server included in the configuration.This would involve opening grc.dat with a text

www.syngress.com

275

276

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

editor and adding the parent server name to the last line of the configuration as follows: PARENT=S

eg. PARENT=SourServer

Microsoft SMS is an excellent tool and provides many features. For more information about SMS and the software packaging and deployment capabilities, be sure to check www.microsoft.com/smserver/default.asp for product documentation.

Using Novell ZENworks for Desktops to Deploy the NAVCE Client Novell ZENworks for Desktops is a desktop management system which allows a network administrator to deploy software, operating system images to clients, and many other features all from a central point. For software distribution, Novell ZENworks uses a utility called Application Launcher. Application Launcher can be used to create a client installation package and deploy that package to client systems running Windows 3.x/9x/NT/2000. Support is provided for Windows Installer (MSI) packages and ZfD snAppShot packages.To deploy the NAVCE client: 1. Create an Application Object that points to the NAVCE 7.6 client installation files.This can be done from the Network Administrator utility. For Windows, the client installation files will default to Sys:\Nav\Clt-inst\Win32\Setup.exe. 2. Configure the Application Object by setting the option to associate the Application Object with the organization unit or target systems, and by setting the system requirements to the corresponding operating system files on the server. 3. Select the Application Object install style.

Uninstalling NAVCE from Client PCs Sometimes it is ideal to perform a complete uninstall of a previous version of an application to get a good clean fresh install of a newer version. NAVCE 7.6 provides an easy method to uninstall, which is simply done within the Control Panel.The following steps walk you through an uninstall.

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

1. Click Start | Settings | Control Panel | Add/Remove Programs. 2. Select Norton AntiVirus Corporate Edition. 3. Click the Remove button. The program files have now been uninstalled.There are still, however, files that are marked for deletion upon booting up. If our intention to uninstall NAVCE 7.6 is to reinstall the same program, perhaps with different settings, a reboot will need to take place. If the computer isn’t first rebooted, the installation process will error out and display a message that the system needs a reboot. Figure 6.24 shows an example of this error message. Figure 6.24 Possible Installation Error

Understanding NAVCE 7.6 Registry Keys on NT/2000/XP Client PCs It is important for a network administrator to be familiar with the Registry keys used by the client systems.The following Registry keys are created during an NAVCE 7.6 installation and are considered important, therefore it’s best to be aware of their existence.They are listed in order of importance and operating system.

Windows 9x/NT/2000/XP In Figure 6.25, note the location of the ProcessGRCNow key, as discussed earlier. The parent server name can be seen and adjusted within the parent key. We can also see the IP ports currently configured, the name of the alert directory, and many other configuration options. Editing the Registry should be a last resort, as most of these options can be configured using a GUI tool provided by NAVCE 7.6.These keys are all found within HKEYUSERS\.DEFAULT\Software\Intel.

www.syngress.com

277

278

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

Figure 6.25 Registry Keys Used by All Client Operating Systems

The following Registry keys are located on the parent server, yet are directly related to the client configurations and updates.These keys can be changed to customize our system configuration. Knowledge of these keys is also helpful in troubleshooting any issue that may arise. The following keys can be modified for customization of the file pushing abilities. Here we can set the time for checking updates and inspect the age of certain files (grc.dat, virus definitions, and so on). ■

By comparing these keys, the age of virus definitions can be obtained: HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\ CurrentVersion\Clients\ComputerName\PatternVersion (and UsingPattern)



This value can be checked to indicate whether a client is accepting updates or not: HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\ CurrentVersion\Clients\ComputerName\Flags.

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6 ■

Check-in configuration options. 60 minutes by default. HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersi on\ClientConfig\PatternManager\CheckConfigMinutes



The timestamp located here is used as a reference for the server to check the age of a clients grc.dat file: HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\ CurrentVersion\Clients\ComputerName\GRCUpdateTime

Changes to the default location of the error reporting files for software and virus definition updates can be made in the following.These error reports include the time and reasons for failure of file updates. ■

grc.dat file rollout errors: HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\ CurrentVersion\Clients\ComputerName\GRCUpdateFailedReason



grc.dat file rollout error time: HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\ CurrentVersion\Clients\ComputerName\GRCUpdateFailedTime



Error codes reported during a virus definition update: HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\ CurrentVersion\Clients\ComputerName\DefUpdateFailedReason



Length of time of last definition update: HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\ CurrentVersion\Clients\ComputerName\DefUpdateElapsedTime

Understanding NAVCE 7.6 Services Running on NT/2000/XP Client PCs Now we will discuss the services running on the NAVCE 7.6 client systems. These services function as communicators to the server for updating client status (such as RTVScan), and virus definition updates and utilization (such as DefWatch). Another service discussed here is responsible for real-time virus protection, or Auto-Protect.These services are important to note as they work

www.syngress.com

279

280

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

together to create the NAVCE 7.6 environment and could be useful for troubleshooting purposes if needed.

Norton AntiVirus Server (RTVScan.exe) One of the main features of NAVCE 7.6 is the RTVScan.exe program. RTVScan is responsible for managing crucial portions of the NAVCE system, including updating virus definitions throughout the network, updating client systems with the latest configuration settings via the grc.dat file, and managing the Liveupd.hst file.The RTVScan.exe file resides on both the servers and client systems.These files work in conjunction with each other to update the clients with any new configuration information. RTVScan.exe on the server checks for changes made within the SSC console. If a change is made, RTVScan file will adjust the grc.dat accordingly and export the new grc.dat file to all intended client computers. At that point, the client RTVScan will detect the new grc.dat file and update the client system’s Registry appropriately. Group level client option configurations made from the server are recorded to the ClientConfig key and that information is written to the \Nav\grc.dat file. By updating the client configuration options when we press the OK button, the CurrentVersion\ProductControl\ProcessGRCNow key on the target server will have its value of 0 changed to 1.The 1 indicates a change has been made which is then read by an RTVScan thread, which monitors this key. Once read, RTVScan will rebuild the grc.dat file and another thread will start the distribution to the appropriate clients. The RTVScan program on the client machines runs a CheckGRC call every 60 seconds, by default.The CheckGRC call checks for any new grc.dat files that may have been recently received. When configuration changes are made on the server and the new grc.dat file is pushed and then received on a client system, the RTVScan program will use the new configuration file to update its local system Registry keys. Once the Registry update is complete, the RTVScan will delete the grc.dat file and resume monitoring for new configuration changes. In addition to the grc.dat file configuration updates, the client RTVScan will also perform the check-in function with the parent server at 60-minute intervals, and check local virus definitions every three minutes. If multiple changes are being made close together, such as a change is made | OK, another change is made |

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

OK and so on, the ProcessGRCNow Registry key will remain at a value of 1 until all the configuration updates are carried out. RTVScan will continue to check the ProcessGRCNow key until if finds the value to equal 0.

NOTE RTVScan95 is the RTVScan version for Windows 9x/Me systems.

DefWatch (defwatch.exe) DefWatch, utilizing RTVScan, monitors the VirusDefs folder for any changes made to it, including newly added definitions or older definitions due to a rollback.The changes made to this folder are created by the DefCast program, which resides on the Quarantine Server. When new definitions arrive, RTVScan notifies the DefWatch service. DefWatch then picks up the new definitions and scans the \Program Files\Norton AntiVirus\Quarantine folder on the server.

vpexrt.exe The vpexrt program provides the client system with a first line of defense against incoming threats.This real-time monitoring is also known as Auto-detect, and scans all incoming e-mail attachments and any incoming files being processed by the client system.

vptray.exe The vptray.exe program is responsible for showing the NAVCE icon within the system tray.To display or remove this icon from the system tray of managed clients, a configuration change must be made using the SSC console. The following changes can be used to add the icon to the system tray for managed clients. 1. Select the parent server from the SSC console and right-click it. 2. Choose All Tasks | Norton AntiVirus | Client Administrator Only Options. 3. Click Show Norton AntiVirus Icon on Desktop. 4. Click OK.

www.syngress.com

281

282

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

To remove the icon from the system tray, simply deselect the Show Norton AntiVirus Icon on Desktop button and click OK. For unmanaged clients, a change must be made to the Registry as follows. We highly recommend backing up all Registry settings when making changes. 1. Select Start | Run. 2. Type regedit in the text box and select OK. 3. Select the key: HKEY_LOCAL_MACHINE\Software\Intel\Landesk\VirusProtect6\ CurrentVersion\AdministratorOnly\General

4. Right-click ShowVPIcon (found in the right pane). 5. Change the value to 1. 6. Close Regedit and reboot the computer.

Testing Your Deployment At this point, you should now have a firm understanding of the roles client computers can play, the access that is needed to obtain installation files, the installation method preferred in relation to your network and an understanding of how the servers and clients utilize the NAVCE services to communicate with one another. Now it is time for us to test the deployment of the NAVCE 7.6 clients. If things go well, this can be a fun part of the installation; if they go badly, it can be a serious headache—hence our reason for testing our set up configuration on a few machines that are not critical to production. For this portion of a deployment, it is ideal to have these extra computers available to test on. If there are no machines that can be used for testing purposes, the deployment should be carried out with the greatest of care and, of course, a secure backup strategy should be in place.

NOTE We recommend having a list of procedures in place for ease of installation and to perhaps act as a check-list/notepad for any errors or common issues that may arise.

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

The process for installing a NAVCE 7.6 environment with managed clients should first include an installation of at least one server to act as a managing, or parent, server. Once the server is installed and configured to our liking, the installation of the clients may proceed. When installing the clients we should have an idea of the client type (managed, unmanaged, or sometimes managed). It is a good idea to perform the installation on one operating system at a time—for instance, installing on Windows XP machines and later moving to Windows 2000 or 9x machines.This will severely cut down on troubleshooting issues later by allowing us to concentrate on one OS at a time. By performing this test in a controlled environment, we can play around with different configurations, practice pushing files, and uninstall and reinstall client software using different methods. We can even try different operating systems or client types.This testing should help update the current plan of implementation we already have, and any notes taken will help to streamline the process.

www.syngress.com

283

284

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

Summary The client software rollout of NAVCE 7.6 is a process that can be easily performed if correct planning and testing is completed first.This chapter has discussed the hardware requirements needed by the client systems to enable them to handle both processing software and virus definition updates.The RTVScan program has the potential to bring a client system to its knees, yet only at times designated by the network administrator. For instance, a client laptop that has not been on the network for quite some time, depending on its hardware configuration, may run sluggishly while the latest updates are being traversed across the network. NAVCE provides us with many options for the rollout procedure, including options for unmanaged clients, (no parent servers), and silent installs for minimal user interaction. Some of the options provided by Symantec include using a Web interface, installing directly from the NAVCE CD-ROM, or pushing an installation from a server. Logon scripts are yet another option. NAVCE client software rollout is also easily implemented using third-party software. If a network is already running Microsoft SMS or any number of other software implementation tools, the client software can be adjusted to suit those needs.The development of an implementation plan includes becoming familiar with these installation methods and how these options will interact with various networks. Bandwidth utilization requirements need to be considered, as well as processor exertion on the parent servers. Once an installation method is selected, testing the method on a few machines is highly recommended.This testing should be performed within a controlled environment and on one platform at a time.This methodology will help uncover trouble spots and show how to deal with them in the realworld installation.

Solutions Fast Track Understanding NAVCE 7.6 Client PCs ; Managed clients use a managing parent server for configuration, virus

definition, and software updates.The parent server can provide a central point of management for all its managed clients, or child systems.

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

; Unmanaged clients do not have a parent server assigned to them and must

be updated manually for the latest configuration, virus definitions, and software updates.This may be useful for clients who work from home.

; Sometimes-managed clients are client systems, such as laptops, that are

regularly taken off the network and receive configuration, virus definitions, and software updates only when reattached.This can be useful for clients who travel.

Implementing NAVCE 7.6 to Client PCs ; The implementation process of NAVCE 7.6 client software can be

expedited by several methods provided with the software.These options can be performed by installing, or not installing, a NAVCE 7.6 server, using a Web server interface, or pushing software to managed client systems.

; User rights must be taken into consideration for implementation. If a

typical user is installing the software, perhaps from a Web interface, the user must have local administrative rights on that system.The user must have read and file scan rights as well, which can be accomplished by adding the user to the NORTONANTIVIRUSUSER group.This group is automatically created when running the server setup program.

; Third-party software options may be used to implement NAVCE 7.6 as

well. For example, Microsoft Systems Management Server (SMS) is a popular tool that works efficiently with the client rollout. Other thirdparty solutions, including Novell ZENworks and Altiris, are available and could be a more efficient option if the service is currently running on the network.

Understanding NAVCE 7.6 Registry Keys on NT/2000/XP Client PCs ; Managing the location of error reporting can be configured within the

Registry.The values to the keys GRCUpdateFailedTime, GRCUpdate FailedReason, and DefUpdateFailedReason can be modified to write in different directories.

www.syngress.com

285

286

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

; Check-in intervals may be set within the Registry if the SSC console is

unavailable.This option can be changed within the CheckConfigMinutes key.The default is 60 minutes.

; The age of current virus definition files as well as the age of the current

grc.dat file can be determined here and, if necessary, spur an update from the parent server.

; The Registry keys may also be modified for the location of the parent

servers, alert directory, and local NAV files.

Understanding NAVCE 7.6 Services Running on NT/2000/XP Client PCs ; RTVScan is the tool used for managing updates to a client computer as

well as to update all servers with information regarding the location of client systems and their status. RTVScan monitors various configuration settings, grc.dat, and makes comparisons from server to client (and server to server) to determine if an update is necessary. If RTVScan deems an update is needed, it will update and export a grc.dat file, at which point the receiving system’s instance of RTVScan will read the necessary changes, make those changes, and delete the grc.dat file.

; DefWatch provides up-to-date virus definition file environments by

utilizing RTVScan to alert it of new files. Once DefWatch is alerted to the presence of the new virus definitions, it will update the system and check the quarantine folder on the server.

; vpexrt is the first line of defense for a client system, and handles real-

time system scanning, otherwise known as Autoscan.This program scans e-mail attachments and other files as the client system processes them.

Testing Your Deployment ; Testing the deployment is best accomplished by having a detailed plan

for each of the installation methods that seem feasible for the particular network in question.

www.syngress.com

Implementing NAVCE 7.6 to Client PCs • Chapter 6

; The test should be performed within a controlled environment and

perform on one type of platform at a time.This separation of platforms will provide an easier stage for troubleshooting any issues that may arise.

; Documentation of the entire test procedure is crucial. Notes on

everything from errors to successes will all help create and streamline the actual deployment process when it is performed.

Frequently Asked Questions The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: Why can’t I turn off the NAVCE icon in the system tray? A: If the client is managed, it must be shut off from the server. If the client is unmanaged, the setting must be altered within the Registry.

Q: I power down my computer every night before I go home and reboot every morning. Why does my computer run so slowly the next morning?

A: The network administrator must have NAVCE set to run scans every 24 hours.There is most likely a scan set to run in the early morning hours when it’s thought no one will be affected. When your computer is brought back on line, it will receive the order to scan the system from the parent server and proceed with the scan.

Q: I work at home and e-mail attachments to my work computer all the time. Will NAVCE catch any viruses on my work computer?

A: NAV will catch the viruses when processing the e-mail. However, there are ways the virus can still get through. For instance, an attachment is compressed to save time while e-mailing a large file.Thus, the virus will essentially be encapsulated within the compressed file and can still be introduced to the corporate network upon de-compression.

www.syngress.com

287

288

Chapter 6 • Implementing NAVCE 7.6 to Client PCs

Q: Why does RTVScan delete the grc.dat file once the updates have been made? A: The grc.dat file is deleted for security reasons. If the grc.dat file was to be left on a client system, remote users could potentially access this file and make changes to the security settings of the client.

Q: I don’t want to give my users local administrative rights on my computer. How can I still perform a client rollout?

A: By using the Install NAV to NT Clients option from Disk 2, the client’s system account will be used instead of the user account.This will enable the installation without having to assign local administrative rights.

www.syngress.com

Chapter 7

Upgrading from Prior Versions

Solutions in this chapter: ■

NAVCE Upgrade Considerations



Developing an Upgrade Plan



Upgrading from NAVCE 7.0 and 7.5



Exploring Automatic Migration Options



Migrating from Third-Party LAN Antivirus Programs



Sample Project Plan for NAVCE Upgrade

; Summary

; Solutions Fast Track

; Frequently Asked Questions 289

290

Chapter 7 • Upgrading from Prior Versions

Introduction Upgrade… that omnipresent networking word. No matter what the size of your network, this word seems to rear its head practically on a weekly basis. Whether referencing your system’s hardware, server operating systems, client platforms, or the networkwide applications you are utilizing, you probably find yourself upgrading technology continually. And the larger and older your network, the more you stumble upon these upgrades. Has the word upgrade found its way into your antivirus solution? Possibly you are already utilizing an older version of Norton AntiVirus Corporate Edition (NAVCE) and are not only looking to learn the finer points of version 7.6, but also seeking information on how easily you can upgrade your existing installation. If you are looking to upgrade, you already know how an enterprisewide product of this nature can be quite involved to deploy.You probably took a great deal of time developing a deployment plan while cross-referencing every possible incompatibility issue you could think of, and your hindsight in this matter can serve you well. We like to think of NAVCE as a dynamic piece of software that is shared by hundreds of computers throughout your network for the sole purpose of protecting the network from imminent virus attacks.The software is dynamic in the sense that all the computers throughout your network perform a specific function automatically once they have the software installed and their role is defined. Granted, some of your computers are running the server-side software, while the remainder of your network is running the client software. Nonetheless, all of these devices are interconnected by NAVCE. With that thought in mind, you probably have many concerns and considerations regarding your network’s upgrade, so let’s begin addressing them.

NOTE It is important to make very clear that all upgrade processes need to be clearly planned, thought out, tested and done with utmost precision. A failed upgrade only adds new problems to your old solution, and a successful upgrade to a new platform (such as any older Symantec AntiVirus suites) will add new complexity and even some new incompatibilities to your preexisting infrastructure. It is also extremely important to test your upgrade in a lab environment first. Failure to do so could create massive problems you may not be aware of until it’s too late.

www.syngress.com

Upgrading from Prior Versions • Chapter 7

NAVCE Upgrade Considerations There are many questions you may contemplate when planning to upgrade NAVCE to version 7.6. Which servers should you upgrade first? Can you utilize your existing management console? What is the best way to minimize unprotected clients during the antivirus migration? How can you increase the odds of an effortless and efficient deployment? Breathe deep and relax. Remember, Rome wasn’t built in a day. It took much time and planning. Upgrading your antivirus will be far easier if you invest your time and efforts into developing a solid migration plan. Additionally, your plans to migrate to NAVCE 7.6 may center on a much larger enterprise network. If such is the case, your upgrade considerations may be more diverse. For example, a larger enterprise network would most likely have a greater number of applications. In this global scheme, the possibility that you are running different applications at remote sights, all which perform similar or identical functions, could cause a greater concern regarding incompatibility issues. Furthermore, these applications may be installed, or even written in a different language! Certainly, you may possess an advanced level of knowledge concerning the configuration of particular software products, but are your remote locations using that same software to complete the same tasks? Acquiring information such as this in advance will assist you in your planning phase and give you a stronger sense of insight when dealing with application incompatibilities.

Configuring & Implementing… Oops… I Didn’t Consider That! We’re not all perfect, and even when laying out the greatest of plans, it is easy to overlook minute details, as I recently did in my current employers migration. We were migrating from another high-profile antivirus software to NAVCE 7.6. With the assistance of my Lead Network/Security Engineer, we built up a small test lab with servers running the same operating systems and software that was in our actual environment. We tested NAVCE against several other applications, including our backup software. We were confident of our testing and planning, but overlooked one major point: we tested NAVCE against the Continued

www.syngress.com

291

292

Chapter 7 • Upgrading from Prior Versions

latest version of our backup software that was only deployed in our headquarters location. We were running Computer Associates’ latest versions of its widely known backup software ARCserve (now known as BrightStor). However, all of our remote sights were running older versions of the ARCserve software. Needless to say, we discovered this minor problem when our remote sights were failing to complete daily system backups. Luckily, the solution to this problem was as easy as visiting that vendor’s Web site and finding available software patches that addressed the issue. I highly recommend that, when investigating all possible issues with your deployment, you pay particular attention to your backup software. If you are utilizing “real-time” protection, NAVCE will scan files when your backup software attempts to write files to your backup medium. Test your configuration against all versions of software that you are utilizing so as to avoid mishaps such as this one that caught me by surprise.

Testing Your Deployment If the resources are available to you, you should consider creating a testing lab that mirrors your actual environment on a smaller scale. A small-scale mockrollout is likely to expose issues that could occur in your actual migration. Possible issues could center on other installations of software that you are utilizing throughout your network. Once these possible software incompatibilities are exposed, you can develop a plan to work around, patch or even fix the issue and test its overall outcome.

Notes from the Underground… Application Mayhem Our problems with backup software didn’t end there. Being a large manufacturing company, my employer had a great deal of design engineers working throughout all our facilities. Strangely enough, you’d think that as each location was staffed and networked over the years, the same CAD programs would have ended up being used companywide. Unfortunately, such was not the case. Domestically, our engineers Continued

www.syngress.com

Upgrading from Prior Versions • Chapter 7

were using three extremely different CAD programs to produce their drawings and product designs. Our headquarters location was using PTC’s Pro/ENGINEER, while remote locations were using SolidWorks Office Professional and a Unigraphics CAD program. Luckily, these programs had no direct bearing on the antivirus solution. However, due to the size of the files generated by these CAD programs, there had always been an issue concerning data backup procedures. As stated, we were using various versions of Computer Associates’ ARCserve for NetWare backup software on the file servers of all remote locations. This is where the problem tied in with NAVCE. Both services would “lock-up” on most open files, especially if the file in question were one of the larger CAD drawings. This in turn would cause extremely high utilization on the server being backed-up. In the end, the solution was to install Computer Associates’ Open File Agent for NetWare on all of our file servers storing these files. The fix to the second backup issue was also simple, but finding it took some time. The fix also produced an additional cost for acquiring the new software, a consideration that had not been factored into the original planning phase. Hindsight is always 20/20, and in this case, I wish my foresight had been the same.

Your lab will additionally serve you well in testing multiple techniques of client upgrades to identify which method would suit your needs.The fact is that you definitely have more computers that will be running the client software, and you will want this portion of your upgrade or migration to go as smoothly as possible.

Developing an Upgrade Plan All good deployments must have a plan.The true success of your deployment will be exposed in the end, and that success will revolve around the deployment plan you create and utilize. Create your plan for upgrading based on all the information you acquired in your testing lab. However, if you are not in a position to set up a testing lab to analyze the software deployment, research all your options and be sure to have a contingency plan if any aspect of your deployment goes awry.

Testing Your Rollout Once you feel you are ready for deployment, consider a test rollout within a single (preferably small) department within your organization.The best possible www.syngress.com

293

294

Chapter 7 • Upgrading from Prior Versions

candidate would most likely be your IT department.The underlying fact here is that this department is comprised of sophisticated high-end users who not only will need to be more familiar with the product during the rollout, but be able to assist with input if issues arise. If any aspect of the deployment creates corruption on the client side, it is in your best interest to have a user who can deal with the problem, and ultimately help correct the issue. After piloting your rollout within a single department, you should by this point have exposed possible additional issues that may not have been brought to light in your testing lab. Make the necessary changes to your deployment plan to reflect issues not covered in the pilot rollout. Probably the most important aspect of your deployment is the training of your support staff. Educating your support staff should ultimately be considered a high point within the overall rollout scheme. When your staff knows how to react to possible issues, correcting these issues can be simple. Additionally, you should educate your end users so, as the environment noticeably changes around them, they will know what to expect. If your end users are preoccupied with attempting to comprehend why their computer seems to have changed, chances are your helpdesk will become inundated with calls notifying you of events you were already expecting to occur.

Notes from the Underground… Your Average End User Is there such a thing as an average end user anymore? This long has been a term that many of us have used to describe the low-tech level of intelligence that a company employee possesses. I am confident that you, just as I, have cracked a million jokes concerning the networking and basic computer knowledge of users at every company where you have procured employment. Certainly, educating your end users to the level of your preference would be an astronomical undertaking, but keeping them abreast of network changes is quite simple and can only work to your advantage. If I, or any of my departmental peers feel that end users will notice changes made to the network infrastructure, I make sure to notify them first. A simple e-mail sent throughout the company can ease fears of those end users who tend to get overly protective of their computers. Continued

www.syngress.com

Upgrading from Prior Versions • Chapter 7

Within my e-mail software, I maintain several draft templates that can easily be altered and e-mailed within minutes. I have templates for everything from new virus notifications to structural file system changes. I not only find that this e-mail notification system works to incorporate end users as a proactive component of the network, it also generates great “PR” for the IT department who tend to be blamed for every possible problem that exists in the work environment. When your end users know what to expect, they won’t be wasting time around the water cooler comparing notes with other employees in an attempt to find out “what the IT department is up to now!”

Planning Virus Definition Update Methods Because there are several different methods of receiving virus definition update files for your servers and clients with version 7.6, it is important you decide in advance (preferably before your pilot rollout) what method of updating you will utilize. Configure your plan to include your remote clients and those clients that travel often and as a result are not always connected to your network. It is important to remember that if you are upgrading from pre-7.x versions of NAV or LANDesk Virus Protect, the updating procedure and scheduling established in that environment will not automatically migrate to your new environment. Because of this, you will need to reconfigure these options to provide protection to your servers and client.This fact alone may warrant upgrading your management console utility before any other component, ensuring you are fully protected throughout your rollout.

Testing Each Rollout Phase During your rollout, you should test all clients and servers to immediately verify they are receiving their virus updates. Never take for it granted that your plan is working.Test the environment after every phase of the rollout to make sure you are protected.

www.syngress.com

295

296

Chapter 7 • Upgrading from Prior Versions

Damage & Defense… Now You See Them… Now You Don’t! During our recent migration to NAVCE 7.6, we found that several clients, although displayed under their parent servers in the SSC console, would not receive updated definition files, and after several days would drop off the list entirely. Additionally, a particular NetWare server would not update its definition files from its primary server. It became apparent that the virus definition files were not updating correctly on the server because the new definition files were somehow being corrupted when sent to that server. To bring the offending server back into the fold was quite easy. I would launch the Novell RCONSOLE utility to remotely take control of the remote server’s system console and unload the NAVCE Console module from the server. Then, I would browse the file system of the server to its SYS:NAV directory to delete the virus definition file that carried the date of the server’s last definition update. Once deleted, I would manually copy the latest virus update file from the primary server to the corrupted server and launch NAVCE by issuing the Load Vpstart command on the server’s system console. This fix worked every time we experienced the issue on a server. As for the clients that would drop out of the SSC console, you can uninstall, reboot, and reinstall the NAVCE 7.6 client software on that computer. In most cases, this will fix the problem; however, we found that some clients would resume their erratic behavior of not updating and thereafter dropping from the console following a short period of time. In this case, you can run LiveUpdate locally even if a policy setting locks out a client from doing so. To bypass these settings, browse to the LiveUpdate directory on the computer and execute luall.exe. Running this program overrides any LiveUpdate locks you may have set in the client policy, and will allow the corrupted computer to run the LiveUpdate utility. We found this method to be quite successful in returning clients to the console permanently. But wait, there’s more! Clients who do not communicate with their parent server for more than three days will automatically be dropped from the SSC console. A parent server is responsible for maintaining a list of their clients. The SSC console only lists clients that a parent server maintains in its list. However, this means that an individual simply going on vacation and having their computer powered down for a week would drop from the console after 72 hours of not communicating with its Continued

www.syngress.com

Upgrading from Prior Versions • Chapter 7

parent. You may then (as I had) flag this client as corrupted since it was dropped. To overcome this issue, we extended the “time-out” value for our clients in the SSC console with a modified Registry setting. To extend this three-day time-out, complete the following steps: 1. On the parent server, launch the Registry Editor, and then select the following key: HKEY_LOCAL_MACHINE\ SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion. This path is identical on a NetWare server when using the Vpregedt module. NAVCE 7.6 should be unloaded prior to making any changes. 2. Right-click the CurrentVersion key, and then select New | DWORD Value. Name the new value ClientExpirationTimeout. 3. Right-click the new value, and select Modify. Change the value from Base to Decimal. 4. The text box will display a 0, and this number represents hours. Replace the 0 with the number of hours that you want to be the new time-out interval for your NAVCE environment. (336 = 14 days, 168 = 7 days, 120 = 5 days). 5. Click OK, and exit the Registry Editor. No restart is required. 6. Reload the Norton AntiVirus or Symantec AntiVirus Server Service.

Upgrading from NAVCE 7.0 and 7.5 Upgrading from these two previous versions can be accomplished with far more ease than any other scenario. In most cases, the NAVCE Setup program will detect earlier versions of NAVCE and LANDesk Virus Protect. Once detected, the Setup program will automatically migrate these older versions to 7.6. When upgrading from an earlier 7.0 version, it is imperative you plan calls for the migration of your servers before that of your clients. If you were to upgrade the clients first, they will still attempt to connect to their existing parent server, which will still be running the older version of the software. When this occurs, the client will attempt to overwrite its installation with the server’s version, which may possibly cause corruption to the client.

www.syngress.com

297

298

Chapter 7 • Upgrading from Prior Versions

When upgrading from version 7.0 and 7.0x, the custom settings that were configured for your clients and servers will be preserved.This will alleviate the need to reestablish configurations once the migration has been completed.

Upgrading from NAVCE 6.x NAVCE 6.x will also automatically be detected when the NAVCE 7.6 Setup program is initiated. However, when migrating from an earlier version, such as NAVCE 6.0 or LANDesk Virus Protect, most of your custom client and server settings will be lost. Some of these lost settings include, but are not limited to, the following: ■

All Scheduled scans and scan options



All real-time protection options



The NAV activity logs



All Quarantine forwarding information

There are however, two major settings that will be retained when upgrading from these earlier versions.The first setting that will be retained will be that of your established Client/Parent relationships.Your clients will still “report” to their original parent server to receive updates and send alerts. Secondly, your “domains” will be retained and converted into Symantec System Center server groups. To migrate a server from NAVCE 6.x or 7.0x to NAVCE 7.6, complete the follow steps: 1. Using Disk 2, execute the AntiVirus Server rollout tool and choose Update (Figure 7.1). By selecting Update, you will preserve your existing domain structure, allowing NAVCE 7.6 to migrate it into a server group. Figure 7.1 The AntiVirus Server Rollout Tool’s Welcome Screen

www.syngress.com

Upgrading from Prior Versions • Chapter 7

2. Once the server has been upgraded, you may need to restart the server if files in use were replaced.

Upgrading the Norton System Center Before upgrading a single server on your network, you may want to upgrade your management console to allow you to manage both your servers and clients as soon as they are rolled out. If you were using a previous version of NAV, you were most likely managing your antivirus environment using the Norton System Center.To migrate to the current management utility, the Symantec System Center (SSC), you will need to completely install the SSC and the required management snap-ins onto a different computer than the one you are using to run the Norton System Center. Bear in mind that SSC takes advantage of Microsoft’s existing technology by utilizing the Microsoft Management Console (MMC) framework.Thus, you will only be able to install SSC onto a Windows NT/2000 or XP Professional computer. Throughout your migration, you may continue to use the Norton System Center to manage existing NAV 4.x and 5.x clients until they are migrated to NAVCE 7.6. Once your migration is complete, you may wish to uninstall the Norton System Center.To do so, access the Add/Remove programs applet within the management computer’s Control Panel, and remove the Norton System Center, followed by the Norton Event Manager.

NOTE For additional information on installing SSC, refer to Chapter 3.

Exploring Automatic Migration Options As discussed in the last section, a great deal of the components found in the previous version of NAVCE will automatically migrate into version 7.6.This is a benefit that can cut your overall time devoted to the rollout by a considerable margin. Automatic migration is accomplished by a series of processes that occur upon executing the NAVCE 7.6 Setup program.The steps are as follows:

www.syngress.com

299

300

Chapter 7 • Upgrading from Prior Versions ■

The Setup program calls pmig.dll, this is the migration DLL. The DLL checks specific Registry keys to establish if NAV, Norton SystemWorks, or LANDesk Virus Protect already exists on the computer. If any of these programs exist, their current version is identified.



Once the version of the existing program is determined, pmig.dll will obtain the product’s uninstall key listed in the Registry. However, if it is determined that Norton SystemWorks is already resident on the computer, the NAVCE Setup program will terminate.



If a valid version of NAVCE or LANDesk Virus Protect is detected, any items found in either the “Quarantine” or “Virus Bin” are then moved to Program Files\Symantec\Conversion.



The existing product’s uninstall feature is launched with the previously obtained Registry uninstall value, after which, the NAVCE install program executes.



Towards the end of the installation, items that may have been moved to the Conversion folder are scanned for infection. If the files are infected with a virus, they are converted into NAVCE Quarantine items, if they are not infected, the install program will delete them altogether.



The NAVCE install program completes and exits.

NOTE After completing your installation on various Windows platforms, such as 95 and 98, NT Workstation, and Server 4.x, you must restart these computers before they can be protected by NAVCE 7.6.

Upgrading from NAV for NetWare The NAVCE 7.6 Setup program is capable of automatically migrating any NetWare server running NAVCE version 6.x or later. Unfortunately, the NAVCE 7.6 install cannot detect an installation of NAV for NetWare. Hence, you will first need to uninstall NAV for NetWare before you migrate the server.To migrate a server from NAV for NetWare to NAVCE 7.6, complete the follow steps:

www.syngress.com

Upgrading from Prior Versions • Chapter 7

1. On the server you intend to upgrade, unload NAV from the Norton AntiVirus console on that server. It is important to note that if do not unload the NAV NLM and you attempt to load NAVCE 7.6, the installation will fail when you initiate the LOAD VPSTART /Install startup command. 2. Remove all of the NAV for NetWare files from your NetWare server. 3. Use the NetWare Administrator program to remove the NAV server object from your NDS tree. Additionally, if it exists, remove the NAV load command from the server’s autoexec.ncf file. 4. Using Disk 2, execute the AntiVirus Server rollout tool (Figure 7.2) in order to install NAVCE 7.6 to your NetWare server. Figure 7.2 Selecting a NetWare Server Using the AntiVirus Server Rollout Tool

Automatically Migrating NAVCE Client PCs Migrating your clients will probably consume the greatest amount of time spent on your NAVCE rollout. Before migrating your clients to your new antivirus solution, you’ll need to determine which servers will supply policies and act as parent servers for your clients. Once you have determined which clients will look to which parents, you are ready to go. Every server in your environment that receives the NAVCE 7.6 server software installation automatically receives a full set of installation files for all supported client platforms.These files are located in the Program Files\Nav\Clt-inst folder on a Windows NT/2000 server or in the SYS:NAV\clt-inst directory on a NetWare server. When a client executes the Setup program from the appropriate Clt-inst subdirectory, that client will look to that server as its parent server.

www.syngress.com

301

302

Chapter 7 • Upgrading from Prior Versions

Once you set the client configurations on a server, these policy settings are saved to the grc.dat file. Whether you make configuration changes or not, this file will exist within every server’s client installation directories and will be updated every time the policy is changed. When you install NAVCE to a client, these policy settings, which include the parent server’s identification, are copied to the client.

Upgrading 16-Bit Windows Client PCs If you have older 16-bit clients that need to be upgraded to NAVCE 7.6, and they are running Norton AntiVirus 4.x, LANDesk Virus Protect, or NAVCE 6.x. there’s a little uninstall work involved. Since these clients are not capable of automatically being migrated, you will first need to remove their current antivirus versions. To uninstall NAV 4.x for DOS/Windows 3.1, you will need to run the Setup program utilizing the uninstall command line switch. This program, aptly named setup.exe, can be located within the directory that NAV was installed into—for example, C:\NAV. To uninstall LANDesk Virus Protect or NAVCE 6.x, you can run the program vpremove.exe located in the original installation directory. When uninstalling any of these 16-bit versions from a DOS client, you might want to create a batch file and store it on a network drive so that once your DOS clients are attached to the network, simply executing the batch file will accomplish your uninstall needs. Once the prior versions have been removed from your clients, you can install the NAVCE 7.6 16-bit client software from within the NAV\Clt-inst\Win16 directory of the selected parent server.

Upgrading Windows 9x/Me Client PCs How you upgrade your Windows clients entirely depends on the level of trust you have in your end users.This is to say, do you want them to assist, or would you rather handle the task on your own. Here are two recommended options: ■

Utilize a login script. No muss or fuss.Your end users log into the network, and the installation is quietly run in the background.



Actually involve the end users by having them run the Setup program themselves.

When upgrading Windows 95/98/ME clients, you should run setup.exe from the \NAV\Clt-inst\Win32 folder. Additionally, if you want to initiate a silent www.syngress.com

Upgrading from Prior Versions • Chapter 7

installation onto your clients, you can execute the Setup program using the following command line switches: Setup.exe /s /v /qn.

NOTE If a computer has the NAV user interface open (vpc32.exe) during an attempt to upgrade the client software, the product installation and migration will exit and fail.

Damage & Defense… Client Installation Errors During my company’s recent migration to NAVCE 7.6, to reduce the amount of travel time I would personally incur (thus reducing overall cost), we worked on three projects simultaneously in our remote locations: our NAVCE migration, our NetWare 5 upgrade, and our rollout of Windows 2000 DHCP servers. As a result I went from one end of the U.S. to the other in a matter of a few months! Towards the end of both of our projects, I found myself in one of our facilities located in Tijuana, Mexico. Most of the clients in this location were Windows 95 clients running IE 4.0. Needless to say, the client computers in this location hadn’t had a single patch, fix, of support pack loaded onto them since the initial installation some time ago in 1997. In short, there wasn’t any chance of these computers being able to install NAVCE due to the fact that their Microsoft installer packages were not up-to-date. The clients were then completely updated with all available critical patches, at which point we migrated our clients to NAVCE 7.6. However, towards finishing up the client migration, several clients refused to install the NAVCE program, thus producing the error message, “25002 Failed to load navinsnt.dll…” which caused the installation to fail. At this point, two factors were working against me. The first: there were no IT members staffed at this location, and the second: a return flight to New York was scheduled for me the following morning. As a result of these constraints, half of the updated clients in this location never received the NAVCE 7.6 client software. Upon returning to our Long Island headquarters, I immediately investigated the issue. I located a document on Symantec’s Support site Continued

www.syngress.com

303

304

Chapter 7 • Upgrading from Prior Versions

(Document ID: 2000120113551548) that directly referenced this error. Unfortunately, the proposed fix was not applicable. Even worse, whenever I attempted to apply a fix to one of the problematic computers, it had to be done by phone with my part-time tech in Tijuana! That’s when I finally called Symantec and opened a support ticket with them. Immediately, the support tech handling my call pointed me to documentation I had already found on my own. However, he additionally e-mailed me the following information: "Had a customer getting this error when trying to install NAVCE 7.6 client to a Win 98 computer. After running RNAV, going through a NAVCE manual uninstall, pre-installing LiveUpdate 1.7.22, preinstalling Symevnt, copying the WIN32 directory to the hard drive and trying an install, we STILL had this error. After checking the clnt-inst directory WIN32\Support, we noticed he was missing two DLLs. I sent him the missing NAVCUST2.DLL and NAVINS95.DLL. He copied them into the support directory and the install was successful. Guess the DLL has to be there to actually run the DLL."

Upon further investigation, I found that the file navinst95.dll had been missing from the parent server’s SYS:NAV\Clt-Inst\Win32\SUPPORT directory at that location. After copying the DLL to the server, I had my contact in Tijuana try yet another installation and, to my blissful amazement, it was successful! All 14 clients that previously were unable to install NAVCE were successfully in my SSC console and updating virus definitions within minutes of him completing the installs. If I learned anything from this situation, it was to not hesitate to involve Symantec Support when stumped by an issue.

Upgrading Windows NT Client PCs Here again we are confronted with an issue of how well you trust your end user’s technical skills.To involve, or not to involve them… that is yet again the question. As with your Windows 95/98/Me clients, you presented with the same two choices for Windows NT clients, however there’s a twist. Whether utilizing a login script or the talents of an end user, in either case, the individual logged on to the Windows NT client that is to install NAVCE must have administrative rights to that computer. However, a third option is available in the form of the Windows NT Client Install utility.This utility eliminates the need for the local administrator rights to

www.syngress.com

Upgrading from Prior Versions • Chapter 7

be granted to the end user logged on to the Windows NT client. However, an administrator who wants to run the Windows NT Client Install utility must have administrative rights to the domain that the client computer is a member of.To start the utility, go to the Menu bar in the SSC Console, click Tools | NT Client Install, and follow the directions.You can also run the executable ntremote.exe found on Disk 2 in the folder Navcorp\Rollout\Ntclient. No matter which method of upgrade you choose, automatic migration from earlier versions will occur and the client will inherit the policy that was stored on their parent server.

Notes from the Underground… Client Checklists You may find it helpful to create a checklist of tasks that need to be addressed on your client computers. Unless you are running the latest “cutting-edge” technology for your clients, chances are a few of them fall short of being defined as “up-to-date.” As stated earlier, my company’s NAVCE 7.6 upgrade was performed simultaneously with our NetWare 5 upgrade and our DHCP rollout, so a client checklist was a necessity. Tasks that needed to be performed on our client computer included running Windows Update to receive the most recent patches and fixes; switching from static to dynamic IP addresses; uninstalling the previous antivirus program; installing a newer version of the Novell client software; renaming the computers to match the CIO’s new naming standards; auditing the computer for the helpdesk software… and the list went on and on! To solve the infinite number of tasks required by each client, I created a simple two-column multirowed table in a Microsoft Word document. Placing the task into the table in a “logical flow” order, team members found it easier to complete all upgrades on the clients while guaranteeing that no individual task was overlooked.

Upgrading Unmanaged NAVCE Client PCs Unmanaged clients do not communicate or rely on any parent server within the NAVCE infrastructure. If you decide to migrate unmanaged NAVCE clients www.syngress.com

305

306

Chapter 7 • Upgrading from Prior Versions

running older versions, to be managed clients in your 7.6 environment, you must first decide which servers are going to be the parent servers to each unmanaged client. Once you have arrived at this decision, you will need to copy the grc.dat file from the NAV folder of the chosen parent server to the Application data folder on the unmanaged client. After rebooting the unmanaged client, Rtvscan.exe detects the existence of the grc.dat file; the file is then processed, thus allowing communications to begin with the parent server. It is at this point that you can manage the client from the SSC Console as you would any other client on the network. Now that the computer is a managed client, automatic migration is possible.

Upgrading Remote Client PCs Throughout your company there are quite possibly several users who rarely, if ever, are “in-house” and connected to the network. With their laptops in tow, they attend conferences, conventions, and perspective clients and buyers of your organization services.These remote users are unique in the overall aspect of your NAVCE 7.6 rollover. When the time comes to migrate these clients, you will need to utilize the program package.exe.The package.exe utility can create a self-extracting executable, or a set of installation diskettes for your remote users.The disk set created by package.exe will migrate clients whose computers or laptops are running earlier versions of Norton AntiVirus or LANDesk Virus Protect, as they would any other client on your network. Before creating the install disk set, there are few major considerations to take into account. First, you will need to decide whether these clients should be managed or unmanaged clients. If they are to be managed, you will then need to decide which server will serve as the clients’ parent server.To further ease the administration of these clients, you may want to consider the creation of a separate server group to serve their needs.This will allow you the freedom to create a policy that specifically suits the needs of such remote users. Either way, you will also need to determine your antivirus policy and virus definition updates before creating the install disk. By doing so in advance, you will ensure that the clients receive the policy you have chosen.

Creating an Install Set for Managed Remote Clients The following steps are a guideline to assist you in accomplishing the creation of an install disk set for those remote clients you wish to upgrade as managed clients.

www.syngress.com

Upgrading from Prior Versions • Chapter 7

1. Select the parent server and/or server group for your remote clients, and then set the policy on the parent server to reflect the exact policy settings you want the remote clients to receive. 2. Determine if you want NAVCE to install into a folder other than the default folder.To install into another directory other than the default, edit the setup.wis file (Figure 7.3) that is located in the NAV\Cltinst\Win32 folder of the parent server. Within the file, locate the [DestinationFolder] section and identify the line that reads InstallDir=Default. Replace the word Default with the full path of the location you want the program to install to on your remote clients. Figure 7.3 The setup.wis File

3. Determine if you want a reboot to occur automatically after the installation.Your Windows 95, 98, and Me clients will reboot by default, as your Windows NT and 2000 clients will not. 4. Execute package.exe from the parent server’s Clt-inst folder, making sure to select the correct media type and client platform, and whether or not to perform the installation silently.

Creating an Install Set for Unmanaged Remote Clients I guess these are the users you trust 100 percent! The following steps are a guideline to assist you in accomplishing the creation of an install disk set for those remote clients you wish to upgrade to NAVCE 7.6, while letting them exist as unmanaged clients. www.syngress.com

307

308

Chapter 7 • Upgrading from Prior Versions

1. On your NAVCE 7.6 Disk 2, execute package.exe (Figure 7.4), which is located in the Navcorp\Rollout\Avserver\clients directory. Figure 7.4 The package.exe Program

2. Choose a target operating system that the install set is being created to upgrade. 3. If you want the upgrade to occur without user intervention, check Create a Silent Installation Package. 4. When prompted, select the floppy disk option. If you choose to, you could alternatively select the Web or email option to create a selfextracting executable. 5. Once created, send the disk sets to your remote users.

Damage & Defense… On the Road Again… In my current employment, I find that packing up my laptop and traveling to our remote locations normally consumes approximately 30 percent of my yearly work time. However, no matter how much I travel, my laptop is never disconnected from the network more than two days at a time. My laptop is always communicating with its parent server to receive updates and send alerts if necessary. I wish I could say the same for many of my current employer’s Sales force. These individuals are the true description of mobile users, who also fall into the broad category of “remote users.” Continued

www.syngress.com

Upgrading from Prior Versions • Chapter 7

To minimize possible data damage, and in the best interests of defense, you should make sure that you protect these clients. If any of these wanderers in your company are to remain as unmanaged clients, make sure that you set the policy for these clients to guarantee that the users can launch the LiveUpdate utility to receive virus definition updates on their own, or be sure to schedule LiveUpdate sessions for them. The last thing you need in your environment is the unleashing of a virus threat when one of these users returns to home base, docks their laptop, and connects to the network.

Notes from the Underground… Is Space at a Premium? While recently completing an enterprisewide rollover to NAVCE 7.6 for my current employer, I found in the end that a total of 18 servers in our headquarters location had the NAVCE server software installed. However, a single NetWare server was performing the role of the parent server to all clients in this location. Two servers in particular were older machines running Windows NT 4.0, and disk space issues were a serious concern. Knowing that these two servers in question would never serve as parent servers to any clients in our NAVCE hierarchy, I chose to delete the NAV\Clt-inst directory and its subdirectories reclaiming approximately 50MB of hard disk space. I eventually deleted this directory substructure on all Windows 2000 servers, too, knowing that they would never be parent servers.

Migrating from Third-Party LAN Antivirus Products The NAVCE 7.6 installation program is not capable of identifying the existence of another vendor’s antivirus product that may be installed on your servers and clients.This fact will result in the need for you to manually uninstall any other antivirus product installed on your systems. After you uninstall the third-party antivirus software, you may need to reboot specific systems (such as the Windows www.syngress.com

309

310

Chapter 7 • Upgrading from Prior Versions

family of operating systems) to complete the uninstall process. Once the product has been removed, you may proceed to install NAVCE 7.6.

Sample Project Plan for NAVCE Upgrade Within this section, we will go through the procedure of creating a sample project plan for a “fabricated” company. For this sample scenario, we will use Microsoft’s Project 2000 software to create our project plan. Let’s get started by creating a project scenario and some background information for our fictitious company. You are the Senior Network Administrator for the global manufacturing company “Make-Stuff Incorporated” which has been in the business of “making stuff ” since 1954 (Figure 7.5).You work in the corporate headquarters, which is located in an industrial park in northern New Jersey. Other domestic locations include production plants in Battle Creek and Midland Michigan, Chicago Illinois, Albany New York, San Diego California,Tampa Florida, and Seattle Washington. Additionally, there are four production plants in Europe located in London and Manchester England, Basel Switzerland, and Stockholm Sweden. This scenario would result in a fairly large network by anyone’s standard! Since all remote locations were acquired through corporate acquisitions over the years, your overall network was pieced together utilizing many different technologies and various vendors’ operating systems and software. In this network, headquarters is running five Novell NetWare 5.1 servers, while every remote location is running a single Novell server whose versions range from NetWare 4.11 to 5.1. Your entire Novell NetWare server environment exists within a single NDS tree called STUFF_INC. Figure 7.5 “Make-Stuff Inc”

Additionally, headquarters is running multiple services on a total of six Microsoft Windows 2000 servers.These services include ISA proxy, IIS web services, DHCP services, WINS and DNS services, faxware services, as well as local file storage. All remote locations have between one and four Microsoft servers running similar services on Windows 2000 or Windows NT 4.0. Lastly, what is the current antivirus solution in place? Make-Stuff Incorporated is currently running various versions of Computer Associates’ InoculateIT and InocuLAN Antivirus on all server and client computers companywide. www.syngress.com

Upgrading from Prior Versions • Chapter 7

There it is.The scenario has been defined. So, where do we begin? Chances are, every person you pose that question to will give you a different answer. Therefore, let’s “begin at the beginning,” by identifying the resources available to us for this project.

NOTE Please take into account that the information provided in this section is designed as a guideline to assist you in developing your own plan that will suit your company’s actual needs when the time comes to upgrade your antivirus solution to NAVCE 7.6. Additionally, there is no “wrongway” to create a project plan, nor are the steps detailed here within the exact or definitive method of designing a deployment project for NAVCE 7.6. Additionally, it should be noted that these guidelines are based upon a NAVCE 7.6 migration performed by my coworkers and I on our current employers WAN.

Identifying Project Resources and Major Tasks As you begin to formulate your plan on paper, one of the easiest ways to get started is to create an itemized list of all resources available to the project. First, let’s define what could be considered a resource in the overall scheme of your plan.You are a resource, so are the NAVCE 7.6 installation CDs, as are the members of your project staff. Basically, anything defined as work or materials should be considered a resource. So, let’s start with the individuals that will be assisting in the actual deployment of your sample plan. In view of the fact that there are a total of 11 remote locations of various sizes in your sample project, one might assume that many individuals outside of the IT staff located in the New Jersey headquarters will most likely assist in seeing this project through to completion. Identifying each of these individuals and the skill-sets that they can bring to the project is fundamental to the planning phase.These individuals can supply you with a great deal of insight and information in relation to each of their remote sites.Though in a scenario such as the one created here, you may have visited these remote sights, even regularly, but you still don’t work there on a day-to-day basis.These staff members do work there daily, and it is likely that they will be able to readily supply information that

www.syngress.com

311

312

Chapter 7 • Upgrading from Prior Versions

is crucial to the plan, information that could take you a day or two of research to discover on your own. An additional possible resource that has already been defined is our servers. You will observe, in exploring this plan, that there is a total of 44 servers, 17 Novell NetWare servers, and 27 Microsoft Windows NT or 2000 servers. With that many servers, it would be helpful to identify how many client computers are in each location. Whereas upgrading 44 servers might be a moderately easy task, rolling over hundreds of clients may not be as easy. If a remote facility has a great number of employees using a computer that is solely dedicated to their use, that remote sight may be understaffed to handle the number of clients to be upgraded during the client migration portion of the project. Knowing whether a site has 50 clients or 200 clients that need to be upgraded can greatly alter your plan and would be a major help in identifying team members with the ability to travel abroad and assist you.

Notes from the Underground How Much Is too Much? Over the years, I have seen and been involved with many project plans that I felt were “over-planned.” Would you consider airplane tickets and other associated travel arrangements to be “resources”? Neither would I. Surely arranging travel plans might be a task that you may want added into your plan, but is labeling a printout of your travel itinerary as a resource really necessary? Some IT managers may argue that it is; however, I think it is just another cog in the wheel which could be labeled as “over-planning.” Only you know your staff and your superiors, and what they might be looking for in a project plan. Give them “what they want,” while keeping in mind “what they need” to make the project’s completion a success. With any project plan, I always stick to the age-old KISS principle, “Keep It Simple, Stupid!”

Identifying major tasks within the upgrade is the next logical step in continuing with the sample project plan. Using Microsoft’s Project 2000, enter these top-level tasks into your project planner. As shown in Figure 7.6, the major tasks identified for our sample upgrade project to NAVCE 7.6 are www.syngress.com

Upgrading from Prior Versions • Chapter 7 ■

The Preparation phase



Product implementation in headquarters



Product implementation in remote sites



Testing the migration



Documenting the upgrade



Quality assurance and supervisory sign-off of the project



The project’s completion

Figure 7.6 Entering Major Tasks into Project 2000

With the major tasks identified, we can now determine the next level of tasks that belong within each of the major tasks. Approach each major task individually to determine its subtasks. Examining our first task, the “preparation phase,” begin to explore subtasks that are part of your overall preparation of the migration. These subtasks may include, but are not limited to, the following: ■

Analyzing the scope of the project



Projecting a timeline



Purchasing the NAVCE 7.6 software

www.syngress.com

313

314

Chapter 7 • Upgrading from Prior Versions ■

Purchasing a Support Package from Symantec



Identifying team members of the migration



Training the team



Investigating possible hardware upgrades



Creating a testing lab

These are just a few possible subtasks you would want to add to the project plan.To simplify our plan, I have condensed the tasks listed previously into five tasks, and inserted them into our project plan in rows 3 to 7, as shown in Figure 7.7. Figure 7.7 Entering Subtasks into the Project Plan

NOTE NAVCE 7.6x is a fully supported enterprise product, which Symantec will continue to support through March, 2005. Symantec also provides support packages (such as Gold and Platinum Support) when purchasing any of their products. These additional levels of support can offer you the ability to open unlimited “support tickets” with Symantec’s Support Center to assist you in solving problems that arise before, during, and after your migration. When deciding on what level of additional (if any) www.syngress.com

Upgrading from Prior Versions • Chapter 7

support your company may need, you can research many of these issues by visiting Symantec’s Enterprise Support site on the Web at www.symantec.com/techsupp/enterprise/. (See Figure 7.8.)

Figure 7.8 Symantec’s Enterprise Support Web Page

Continue to determine all of your major task’s subtasks throughout your project plan and enter them into the planner accordingly.You may discover as you are outlining your project that several subtasks will incur their own set of subtasks. Additionally, you will also discover that many of your tasks are dependent on the competition of previous tasks. Microsoft’s Project 2000 supplies you with numerous features that allow you to link tasks together and group a series of tasks beneath other tasks. As you identify and enter your subtasks into your project, your “outline” of the project begins to take on a life of its own. Second-level subtasks give birth to third-level tasks, and the project grows even larger. At this point, your sample project has grown to a total of 63 tasks from beginning to completion.The overall outline in your project plan for an NAVCE 7.6 upgrade is as follows:

www.syngress.com

315

316

Chapter 7 • Upgrading from Prior Versions

The Preparation Phase 1. Analysis of project scope/timeline 2. Order and purchase of AV software 3. Team building and project creation 4. Train both team and key end-users 5. Install new servers for SSC The Implementation Phase (HQ) 1. Windows 2000 Servers ■

HQ_ISA (Primary)



HQ_DATA1



HQ_DATA2



HQ_FAX



HQ_WEB



HQ_DHCP

2. Novell Servers ■

NW_FS1 (Master Primary)



NW_FS2



NW_GWPO



NW_ENG



NW_HR

Implementation Phase Remote Servers 1. Novell Server ■

Battle Creek, MI (2)



Midland, MI (1)



Chicago, IL (1)



Albany, NY (1)



San Diego, CA (1)



Tampa, FL (1)

www.syngress.com

Upgrading from Prior Versions • Chapter 7 ■

Seattle, WA (1)



Europe ■

London, UK (1)



Manchester, UK (1)



Basel, CH (1)



Stockholm, SE (1)

2. Windows 2000 Servers ■

Battle Creek, MI (3)



Midland, MI (1)



Chicago, IL (2)



Albany, NY (1)



San Diego, CA (2)



Tampa, FL (1)



Seattle, WA (1)



Europe ■

London, UK (4)



Manchester, UK (2)



Basel, CH (2)



Stockholm, SE (2)

Testing after Migration 1. Verify virus definition updates ■

Servers



Clients

2. Verify policy settings ■

Servers



Clients

Documentation 1. Collect remote documentation www.syngress.com

317

318

Chapter 7 • Upgrading from Prior Versions

2. Compile data 3. Add to IT intranet QA and Project Completion Sign-Off 1. Submission of completed project plan 2. Sign-off from CIO Project Completion The completed task list is shown in Figure 7.9. Figure 7.9 Completed Task List in Project 2000

Determining Timelines Now comes the point in your sample project where you need to estimate the amount of time each individual task will need to be completed. Determining your timelines is a crucial segment of planning any project. Every individual task needs a respective completion date to keep the overall project on track. You can enter your estimated times by selecting a task and clicking, or double-clicking, its Duration cell.You can now enter the time allotted for the individual task. As you enter the time duration into the project plan, you will observe that your overall timescale will begin to change to reflect the duration times you have entered. www.syngress.com

Upgrading from Prior Versions • Chapter 7

Designing & Planning… Time Is on My Side… Yes, It Is! When estimating the time needed to complete a task, it is in your best interest to slightly overestimate the time frame. If you feel that an individual task can be completed in two days, are you calculating that time frame based upon your time invested in the task, or a team member’s? Are you accounting for the daily tasks on the network that might take you or a team member away from the project? Granted, several team members may be able to dedicate 100 percent of their workday to the migration, while others may be called away to handle daily networking and desk-support tasks unrelated to the project. Factoring this in to your time frames will give your project a realistic completion date. The worst that could happen is that several tasks could finish ahead of time, thus resulting in completing the project ahead of schedule… and how good would that appear to your superiors!

However, you may find as you are calculating time frames, that a task may have been overlooked and not added to the original plan.There is no reason for alarm in this case; you can add additional tasks (Figure 7.10) at any point throughout the project plan’s creation. Simply select the row below where you want the added task to appear, and from the Menu bar select Insert | New Task (or press the Insert key). A new row will appear in your project plan, allowing you to enter the new task name. In our sample, I have added, Create Lab and Perform Testing as a final subtask to the preparation phase. Figure 7.10 Adding Additional Tasks and Duration Times

www.syngress.com

319

320

Chapter 7 • Upgrading from Prior Versions

As you enter time durations for your tasks, you will notice that the time durations for your major tasks will automatically update to reflect the combined times of the individual subtasks. Additionally, in our sample, the five major tasks were added as subtasks to the overall project that was defined in Row 1 as “NAVCE 7.6 Upgrade.” Using this technique of creating only two Level-One outline tasks, the first representing the project’s name and the last being the completion of the project, the duration time displayed in Row 1 will always reflect the time needed to complete the entire project (see Figure 7.11). Figure 7.11 Time Duration for the Entire Project

Identifying Task Dependencies As with any project, identifying task dependencies will assist in your plan. By examining the major tasks, it becomes obvious that certain tasks would have to be completed before others could even be started. Equally, several subtasks would have to be completed in a specific order, with certain task’s start dates relying on a preceding task’s completion (see Figure 7.12). For an example using our five major tasks, you couldn’t start the “testing after migration” phase of the project until your team has completed either of the “Implementation” phases in either headquarters or the remote facilities. As for subtasks, observe the three subtasks of the documentation phase.These three tasks of collecting, compiling, and producing documentation would have to be completed in order, fully completing one task before moving to the next. You can link two or more tasks by simultaneously selecting these tasks using the Ctrl+click method of selection, and clicking the Link button on the Standard toolbar (also shown in Figure 7.12, the button is represented by two chain links connected together). Once tasks have been linked to show dependencies, an arrow will be displayed between the tasks to illustrate their link in the project. By linking your tasks once their time duration has been entered, not only will you be able to accurately identify the time needed for the entire project, but www.syngress.com

Upgrading from Prior Versions • Chapter 7

also the expected day of the project’s completion. With your project plan completed (see Figure 7.13), it’s time to put together your team and start briefing them on the scope of the project. Figure 7.12 Linking Dependent Tasks

Figure 7.13 The Completed Project Plan

www.syngress.com

321

322

Chapter 7 • Upgrading from Prior Versions

There it is. Our company “Make-Stuff ” has a project plan in place that will take approximately 27 days to complete. Hopefully, this sample plan will give you an infinite amount of ideas when planning your own projects. Additionally, if you have access to either Microsoft’s Project 2000 or Project 2002, and are familiar with the Microsoft Office suite of applications, learning this program should come naturally. As with Microsoft’s other Office application, most of the toolbar features in Project are identical, which will create a comfort-zone when learning the application.

NOTE There are many other features within the Microsoft Project 2000 application which will aid you in creating a project plan that were not covered in this section. One feature in particular allows you to create a resource list, which in turn allows you to assign those defined recourses to a task (see Figure 7.14).

Figure 7.14 Recourses Assigned to a Task

For more information on Microsoft’s Project 2000 or Project 2002, visit Microsoft’s Web site at www.microsoft.com/office/evaluation/ tours.asp to view their animated tour of this and other MS-Office Suite programs.

www.syngress.com

Upgrading from Prior Versions • Chapter 7

Summary Any time you are faced with the possibility of upgrading enterprise software on your network, I’m sure your eyes roll back in your head, as do mine, given the enormity of the task. In the case of migrating your existing Norton AntiVirus solution to NAVCE version 7.6, you can cast your apprehensive thoughts aside. As with any aspect of upgrading and maintaining your network and its services, the overall success in upgrading your antivirus solution comes down to two words that have been uttered repeatedly throughout this book… time and planning. Investing your time wisely to develop a foolproof plan for your migration deployment will guarantee an effortless upgrade, and additionally reduce your administrative overhead for the project. Once a detailed deployment plan is in place, testing your deployment in a secure environment will provide you with an opportunity to discover possible mishaps that would have surfaced during the actual deployment. If issues do arise within your testing lab, you’ll be able to identify these unforeseen issues, and incorporate the necessary changes into your overall deployment plan. With the technological advancements offered by Symantec’s NAVCE 7.6, it stands to reason that upgrading your environment to this version of the product can only be beneficial in the long run. With previous versions easily upgrading via the automatic migration technology, much of the assumed pressure associated with a task of this magnitude is simplified. When all is said and done and your upgrade is completed, you will reap the rewards of a robust antivirus solution. It’s like my Grandfather always said,“the reward of a job well done is… a job well done.”

Solutions Fast Track NAVCE Upgrade Considerations ; Plan the flow of your migration. Start by migrating your management

console first, and then migrate your servers, followed by your clients.

; Create a testing lab to perform a small-scale rollout to expose possible

issues that may occur while performing your actual rollout.

; If you are migrating from existing antivirus software other than NAV

4.x, 5.x, or LANDesk Virus Protect, you need to prepare for the fact that clients may experience a short period of time when they are unprotected from new virus threats released in the wild.You can www.syngress.com

323

324

Chapter 7 • Upgrading from Prior Versions

minimize this time frame by planning the removal of the previous antivirus solution and upgrading the clients as soon as possible.

Developing an Upgrade Plan ; Set aside time within your plan to allow for the training of your staff

and end users. Providing such training can help reduce downtime incurred from the uncertainty experienced by uninformed end users.

; Plan to perform a pilot rollout within a controlled portion of your

network so you can “debug” your deployment plan.

; After completing each individual phase of your deployment, take the

time to test your results. Be sure each phase was truly successful and that the computers involved in that phase are protected and receiving virus updates.

Upgrading from NAVCE 7.0 and 7.5 ; When upgrading your clients from version 7.0x, migrate your servers

first. When a client is upgraded before its parent server, the client attempts to install the 7.0x software over the newer version.

; Custom configurations for clients and servers are not lost when

upgrading from version 7.0, 7.0x, and 7.5.

; Custom configurations for clients and servers are lost when migrating

from an earlier version such as NAVCE 6.0 or LANDesk Virus Protect.

; Domain settings from previous versions are converted into Symantec

System Center server groups during your migration.

Exploring Automatic Migration Options ; The migration DLL Pmig.dll is the key component called by the Setup

program.This DLL establishes the existence of previous installs of NAV, identifies their version, obtains their uninstall key, and their quarantined items.

; Every server receives a full set of installation files for supported client

platforms.This allows the server to be a parent server in the future even if it is not designated as one during the initial migration. www.syngress.com

Upgrading from Prior Versions • Chapter 7

; Client configurations set on a parent server are saved to that server’s

grc.dat file.

; Though the NAVCE 7.6 Setup program is capable of migrating servers

running NAVCE 6.x for NetWare, setup.exe does not recognize installations of any version of NAV for NetWare.

; Upgrading your clients with the Setup program can be accomplished

without end-user intervention by initiating a silent install from a command line and executing setup.exe with the switches /s /v /qn.

; All client upgrades, including Windows NT and 2000 clients, can be

executed from a batch file.

; When upgrading NT clients via a login script or having the end user

run the Setup program manually, the local user must have Administrative rights to the computer.

; The package.exe utility creates a set of install disks that allow you to

upgrade your remote clients whether they are managed or unmanaged clients.

; The setup.wis file of each parent server contains the default settings for a

client installation.

Migrating from Third-Party LAN Antivirus Programs ; The Setup program cannot identify the existence of third-party antivirus

software on servers or clients.

; When running antivirus programs other than previous versions of

NAVCE or LANDesk Virus Protect, you must manually uninstall the product before upgrading.

; When upgrading from third-party antivirus programs on a NetWare

server, unload the program and delete its installation directory.You may wish to additionally delete unused system files left behind by the program.These files are commonly found in either the SYS:SYSTEM or SYS:PUBLIC directories. Check with that vendor’s documentation for a listing of files that are no longer needed on your system.

www.syngress.com

325

326

Chapter 7 • Upgrading from Prior Versions

Frequently Asked Questions The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: When planning our network’s migration to NAVCE 7.6, a great deal of time was spent planning our server groups and determining which servers would be parent servers to our client. Now that our migration is complete, hindsight has shown us that our original plan could have used a few improvements. Is it possible now that the upgrade is finished to move servers to different server groups, and assign clients to alternate parent servers?

A: Yes, moving servers to other server groups is possible at all times during, and after, your migration. Utilizing the SSC console, you can simply drag and drop a server from one group to another. However, this feature is not extended to your clients.To assign a different parent server to a client, you would need to copy that server’s grc.dat file down to the client’s application directory. Additional information on the role of the grc.dat file can be found in Chapter 5.

Q: There has been a significant lapse in time since my company has upgraded its virus protection software. We are currently running Norton AntiVirus 3.0 and are ready to deploy NAVCE 7.6. Are there any major considerations to take into account given that we are currently running a much older version of Symantec AntiVirus software?

A: You need to be aware of the fact that the NAVCE 7.6 Setup program will detect versions of NAV that predate version 4.0. However, the Setup program’s attempt to uninstall these versions will fail. Even though the uninstall experiences a failure to complete, NAVCE will still attempt to install itself. This scenario also applies to versions of LANDesk Virus protect that predate version 5.01. Be sure to include the manual task of uninstalling this software into your deployment plan before you migrate your clients.

Q: In our network, we currently have a Windows NT server that is acting as our NAV 5.0 Quarantine Server. When our migration to NAVCE 7.6 is complete, www.syngress.com

Upgrading from Prior Versions • Chapter 7

I would like this server to continue serving as the Quarantine server to the new antivirus rollout. How should I go about doing this?

A: When you try to install NAVCE 7.6 to your NAV 5.0 Quarantine Server, the install program will display a warning screen alerting you that the Quarantine server will be disabled while the migration is performed. Continuing with the installation will convert and move existing quarantined items to the local Quarantine server of the new NAVCE installation. At this point, you will no longer have a functional Quarantine server. Once the migration is complete, use the Symantec System Center console to configure your existing server to continue its role as the Quarantine server for the your network deployment of NAVCE 7.6.

Q: During our migration from another vendor’s antivirus product to NAVCE 7.6, members of our project team did our best to minimize our client’s vulnerability due to periods where they were unprotected during the switch. However, after completing the upgrade, I launched the Symantec System Center and found that a great number of servers and clients on the network were inundated with viruses, many whose names were not familiar to the project team or me. Is it possible this infestation was the result of those short periods of time when our clients were unprotected?

A: Yes, anything’s possible. However, it is more likely that it can be accredited to the fact that NAVCE 7.6 uses a new scan-engine technology called the Norton Antivirus Extensible Engine (NAVEX).This advanced scan engine has improved virus detection capabilities, particularly when it comes to macro viruses. Additionally, it might detect viruses that your previous installation was not able to detect, or discover known viruses under a different name.

Q: When upgrading several problematic clients on our network from NAV 5.0 to NAVCE 7.6, I noticed that not all of their quarantined items were migrated to the new installation’s Quarantine folder. Is the fact that these clients had a history of high-level virus activity in the past responsible for the upgrade failing to migrate these quarantined items?

A: Most likely, the answer is no. During a migration, the NAVCE examines all items found in Quarantine. If it is determined that the file is actually infected with a virus, it will be migrated to the new installations local quarantine. However, if NAVCE determines that the quarantined item was not infected, instead of migrating it, the installation simply deletes the item. www.syngress.com

327

Chapter 8

Configuring Your NAVCE 7.6 Environment

Solutions in this chapter: ■

Configuring NAVCE 7.6 Clients



Configuring NAVCE 7.6 Servers



Configuring Roaming for NAVCE 7.6 Clients

; Summary

; Solutions Fast Track

; Frequently Asked Questions

329

330

Chapter 8 • Configuring Your NAVCE 7.6 Environment

Introduction In this chapter, we will discuss how to configure a Norton AntiVirus Corporate Edition (NAVCE) 7.6 infrastructure to protect various resources within an enterprise network. Within this chapter, we will be performing many different procedures that will require that the NAVCE console be launched. For each of these procedures, we will assume that the NAVCE console is not visible and needs to be invoked by clicking Start | Programs | Norton AntiVirus Corporate Edition | Norton AntiVirus Corporate Edition. As redundant as this seems, this approach is necessary to create a “cookbook” procedure that can be referred to without depending on any preceding actions.These procedures can be invaluable when authoring instructions or solutions for the end users within a company. It is also important to understand the difference between the terms server and NAVCE server. NAVCE servers are not called servers because of the Windows NT/2000 Server operating system. Rather, they are called NAVCE servers because of the services they provide to NAV clients. We will also differentiate between the words corporate and enterprise. Since the NAVCE product contains the word “corporate,” we will refer to a business network environment as an “enterprise network” or “enterprise environment” rather than a “corporate network” or “corporate environment.” We will also focus on systems with NAVCE clients installed and systems with NAVCE servers installed. In an enterprise environment, the most critical resources are servers that provide various services to clients and end users. Most often, these are the systems that need to be protected with far more vigilance than end-user systems due to the fact that they are the backbone of the enterprise infrastructure. A single domain controller that is damaged by a virus can have an impact on an entire site, whereas if a single end user’s computer crashes, the effect is isolated.

Configuring NAVCE 7.6 Clients The NAVCE client can be installed using many different methods. It is often remotely installed or “pushed out” from a NAVCE server.This installs the client in a managed mode, which limits the amount of configuration changes that can be made on the client console.

www.syngress.com

Configuring Your NAVCE 7.6 Environment • Chapter 8

Installing a NAVCE Client in Unmanaged Mode The following is a step-by-step process for installing the NAVCE client in an unmanaged mode. Usually, this would not be done in an enterprise environment. However, since we are conducting this exercise purely for academic purposes, it is necessary to have a client that can be configured without any constraints placed on it by its parent server’s security policies. Later in this chapter, we will also briefly discuss how to make these same changes from the server side using the Symantec System Center Console. 1. Insert CD 2 or browse to a network location where CD 2 files are available. 2. Double-click on the CDStart.exe icon. 3. Click Install Norton AntiVirus Client Locally (Figure 8.1) Figure 8.1 NAVCE Main Installation Screen

4. You will be presented with the Norton AntiVirus Corporate Edition Setup program wizard. Click Next (Figure 8.2).

www.syngress.com

331

332

Chapter 8 • Configuring Your NAVCE 7.6 Environment

Figure 8.2 Welcome Screen

5. Select I accept the terms in the license agreement (Figure 8.3). Click Next. Figure 8.3 NAVCE License Agreement

6. You are now offered the option of selecting a mail snap-in (Figure 8.4). Mail snap-ins are modular add-ons to the NAVCE software that provide virus protection customized for the e-mail received within the mail application. Mail snap-ins provide a specific method of silently decompressing received e-mail messages into a temporary folder and then scanning them for viruses. Notice that we did not select any mail snap-ins. This is because we are attempting to conduct a “no-frills” install of the NAVCE client. Click Next.

www.syngress.com

Configuring Your NAVCE 7.6 Environment • Chapter 8

Figure 8.4 Mail Snap-In Selection

7. Now pick the destination client for installing NAVCE. Accept the default by clicking Next (Figure 8.5). Figure 8.5 Destination Folder for the NAVCE Program Files

8. Next, select the type of network setup you want to use. For the purposes of this chapter, select Unmanaged (Figure 8.6) and then click Next.

www.syngress.com

333

334

Chapter 8 • Configuring Your NAVCE 7.6 Environment

Figure 8.6 Selecting Network Setup Type

9. Click Next at the Ready to Install the Program window (Figure 8.7). Figure 8.7 Installing NAVCE Program Files

10. Ensure that File System Realtime Protection is checked, as shown in Figure 8.8. Click Next.

www.syngress.com

Configuring Your NAVCE 7.6 Environment • Chapter 8

Figure 8.8 Enable File System Realtime Protection

11. You will see a message alerting you that your virus definitions are out of date. Click Don’t remind me again until after next update (Figure 8.9) and then click Close.You do not want to update a definition file until after the NAVCE installation is complete. Figure 8.9 Update Virus Definition Files

12. At the Technical Support window click Next (Figure 8.10).

www.syngress.com

335

336

Chapter 8 • Configuring Your NAVCE 7.6 Environment

Figure 8.10 Technical Support Information

13. You are now reminded to run LiveUpdate at the end of the installation (Figure 8.11). Click Next. Figure 8.11 LiveUpdate

14. Ensure that Run LiveUpdate after installation is checked, (Figure 8.12). Click Next.

www.syngress.com

Configuring Your NAVCE 7.6 Environment • Chapter 8

Figure 8.12 Force LiveUpdate to Run After Installation

15. By forcing a LiveUpdate task after the install you will have to review the LiveUpdate configuration setting.The first LiveUpdate window that you will see displays the Symantec Products that are currently installed on your machine. Click Next (Figure 8.13). Figure 8.13 LiveUpdate Currently Installed Symantec Products

16. After the update you will see a series of green checks next to each product or component.This means that the LiveUpdate was successful. Click Finish (Figure 8.14).

www.syngress.com

337

338

Chapter 8 • Configuring Your NAVCE 7.6 Environment

Figure 8.14 LiveUpdate

17. You will be brought back to the Installation wizard. At this point you should click Finish (Figure 8.15). Figure 8.15 Installation Completed

We just installed the NAVCE client on a Windows 2000 server with Service Pack 3. However, from the screen captures, you would not have been able to determine what platform it is was being installed to.This works in our favor because this exercise will be applicable to any Windows NT-based operating system including Windows NT and 2000 Server platforms and Windows NT

www.syngress.com

Configuring Your NAVCE 7.6 Environment • Chapter 8

4.0 Workstation/Server, Windows 2000 Professional/Server, and Windows XP Professional or Home Edition.

Exploring and Configuring the NAVCE Client Now that we have a Windows 2000 Server with an unmanaged NAVCE client installed on it, we can begin to explore the interface and configure it as required.

Configuring NAVCE Services Load Options Quite often in an enterprise environment, there are scenarios where end users have to load and unload NAVCE services. Usually, this request is made due to the strain that NAVCE places on the system resources. Code writers, developers, and system stress testers need the highest possible numbers for marketing blurbs and often want to tweak a system until it “screams.” Unloading NAVCE services is different than disabling File System Realtime Protection, which we will discuss shortly. 1. Click Start | Programs | Norton AntiVirus Corporate Edition | Norton AntiVirus Corporate Edition. 2. Uncheck the checkbox labeled Load Norton AntiVirus Services (Figure 8.16). Figure 8.16 NAVCE Console Default Screen

3. Click Unload (Figure 8.17).

www.syngress.com

339

340

Chapter 8 • Configuring Your NAVCE 7.6 Environment

Figure 8.17 Unloading NAVCE Services

This disables all Norton AntiVirus processes such as configuration and file updates, scheduled scans, and real time protection. By viewing the process in the Windows Task Manager, you will notice that rtvscan.exe is no longer visible.To reload the services, all you need to do is to access the console again as specified in Step 1 and check the box.

File System Realtime Protection Options NAVCE offers a continuous background virus scan that checks files whenever they are accessed, copied, saved, moved, opened, or closed.This is the most effective way to protect a system against any malicious code because for any code to be executed, it has to be accessed by the operating system. When configuring File System Realtime Protection, you can enable or disable the protection, select file types, decide upon actions for the software to take when a virus is found, configure notification options, set file and folder exclusions, and include or exclude network drives.The following sections discuss how to configure various aspects of this feature.

Enable/Disable File System Realtime Protection To disable the File System Realtime Protection: 1. Click Start | Programs | Norton AntiVirus Corporate Edition | Norton AntiVirus Corporate Edition. Uncheck the box labeled Enable File System Realtime Protection (Figure 8.19).You will notice that the window is now grayed out.

www.syngress.com

Configuring Your NAVCE 7.6 Environment • Chapter 8

Figure 8.18 Disabling File System Realtime Protection

3. Click OK.

NOTE In order to re-enable this protection, perform Steps 1 through 3 again but this time check the box labeled Enable File System Realtime Protection.

Configuring File System Realtime Protection Advanced Options To configure NAVCE’s File System Realtime Protection: 1. Click Start | Programs | Norton AntiVirus Corporate Edition | Norton AntiVirus Corporate Edition. 2. Click Configure | File System Realtime Protection. Click Advanced (Figure 8.19).

www.syngress.com

341

342

Chapter 8 • Configuring Your NAVCE 7.6 Environment

Figure 8.19 File System Realtime Protection Options

3. Select options as desired or as specified by your corporate security policies. (Figure 8.20). Figure 8.20 Advanced File System Realtime Protection Options



In the section labeled “Scan files when,” you can choose whether files are scanned when accessed or modified.The default selection is “Accessed or modified.”This option offers significantly more protection and therefore places a slightly higher load on the system resources. It is recommended this section be left at its default settings.



In the section labeled “Backup options,” you can select whether files are backed up before being repaired. When NAVCE encounters an infected file, it can take one of many preconfigured actions. If

www.syngress.com

Configuring Your NAVCE 7.6 Environment • Chapter 8

NAVCE is configured to delete a file that it finds to be infected, you could potentially lose important files. Another consideration to bear in mind is the operating system files. Since many of the files within the operating system are executables, they can potentially be infected by a virus. If operating system files become infected and are deleted, you would be in a bind if you needed to restart the system. Therefore, it is best to leave this option configured as is. A prudent administrator would check for any quarantined files or view the NAVCE log before rebooting a critical server.You can view the backed up items in the console by clicking View | Backup Items. Remember that the backed up files are still infected. ■

In the section labeled “Additional advanced options,” you will notice a button labeled “Heuristics.” As a quick aside, the word heuristic is defined by the dictionary as being related to exploratory problemsolving techniques that utilize self-educating techniques (as the evaluation of feedback) to improve performance. Quite appropriately, this option defines the behavior of the NAVCE virus scanning technology called Bloodhound to protect against new or unknown viruses. Bloodhound analyzes and monitors activity being performed on the system that NAVCE is installed on. If it detects any activity that it deems “suspicious,” it will prevent the code from being executed.

4. Click Heuristics (Figure 8.21). Although you can configure options as desired or as specified by your corporate security policies, it is recommended that the default settings are left intact. Here, you may enable or disable the Bloodhound technology by checking or clearing the checkbox labeled Enable Bloodhound(TM) virus detection technology.You may also select the desired sensitivity level. For most systems, leaving the default settings intact will suffice. Figure 8.21 Heuristic Settings

www.syngress.com

343

344

Chapter 8 • Configuring Your NAVCE 7.6 Environment

5. Click OK to return to the File System Advanced Options window as seen previously in Figure 8.20. 6. Click Floppies, which should bring you to the window shown in Figure 8.22. In the section labeled Floppy settings, you can select boot virus detection and subsequent actions. Although you can configure options as desired or as specified by your corporate security policies, it is recommended that the default settings are left intact, especially the system shutdown settings. Figure 8.22 Floppy Disk Protection Settings

7. Click OK to return to the File System Advanced Options window (shown previously in Figure 8.20). 8. Click OK to return to the main window for File System Realtime Protection Options (shown previously in Figure 8.19).

Configuring File System Realtime Protection File Types Options To configure NAVCE’s File System Realtime Protection’s File types options: 1. Click Start | Programs | Norton AntiVirus Corporate Edition | Norton AntiVirus Corporate Edition. 2. Click Configure | File System Realtime Protection. In the section labeled File types, you may either choose All types or Selected. It is highly recommended that you leave the All types selection unchanged. However, in the interest of academic knowledge, let’s explore the options available to us. Select Selected and then click Extensions (Figure 8.23).

www.syngress.com

Configuring Your NAVCE 7.6 Environment • Chapter 8

Figure 8.23 Selecting File Types by Extensions

3. Select all of the file extensions and click Remove (Figure 8.24).

Figure 8.24 Removing all Currently Selected File Extensions

NOTE To select all of the file extensions, click on the first file extension (named 386). Then scroll down to the bottom of the list and while pressing the Shift key, click on the last file extension (named XL?). The entire list will be highlighted. Click the Remove button.

4. Now that no extensions are specified, you can either add a specific one (such as .exe for executable files) or use the buttons provided to add all

www.syngress.com

345

346

Chapter 8 • Configuring Your NAVCE 7.6 Environment

common program and document file extensions. Just for fun, let’s add the extensions for programs. Click Programs (Figure 8.25). Figure 8.25 Adding File Extensions for Programs

5. You will now see a list of all file extensions defined by NAVCE to be associated with programs and executables (Figure 8.26). Figure 8.26 Adding File Extensions for Programs

6. Before we exit, let’s restore the list to its default setting. Click the Use Defaults button (Figure 8.27). Although it may not appear that much has changed within the list, notice that the scrollbar has become visibly “thinner.”This implies that the list has grown considerably in length.

www.syngress.com

Configuring Your NAVCE 7.6 Environment • Chapter 8

Figure 8.27 Resetting File Extensions to Default

7. Click OK to return to the main window for File System Realtime Protection Options.

Configuring File System Realtime Protection Actions When NAVCE’s File System Realtime Protection encounters a file it believes to be infected, it can perform various actions. Let’s explore the possible actions that the software can take. 1. Click Start | Programs | Norton AntiVirus Corporate Edition | Norton AntiVirus Corporate Edition. 2. Click Configure | File System Realtime Protection. (Figure 8.28). On the right side of the window, you will see two tabs labeled “Macro Virus” and “Non-Macro Virus.” On each tab, you can select a primary and secondary option. For example, the default action is to “Clean virus from file.” Figure 8.28 File System Realtime Protection Options

www.syngress.com

347

348

Chapter 8 • Configuring Your NAVCE 7.6 Environment

If this primary action fails, the secondary default action is to “Quarantine infected file.” Let’s examine each option and what it means: ■

Clean virus from file NAVCE attempts to permanently remove the virus from the infected file leaving the pertinent data intact.



Quarantine infected file NAVCE physically moves the infected file from it physical location on the disk to the Quarantine.This is unlike the move operation performed on a file within by a user through an operating system. Usually when a file is “moved” on a disk, only a logical pointer to the file is updated and the file appears as if it has been moved. Here, as we discussed earlier, the file is physically moved.



Delete infected file NAVCE deletes the infected file from the computer’s hard drive. Again, this is unlike a normal delete operation. Usually when you delete a file, you can find it inside the Recycle Bin.This is because only the logical pointer to the file has been altered. When NAVCE deletes a file, it is physically purged from the disk.



Leave alone (log only) When this option is selected, the infected file is left unaltered. It remains infected and stays capable of infecting other parts of the system.The only action taken by NAVCE is that an entry is added in the Virus History to keep a log of the infected file. Although this option seems a bit contradictory to the very purpose of the software, it can come in handy on systems that are deemed so critical that any necessary changes (such as removing an infected file) must be performed by a human.Therefore, the log is used solely to collect alerts. Note that if you select “Leave alone (log only)” as the primary action, the secondary action will be grayed out.

3. Once the actions are configured as desired or as dictated by your enterprise security policies, click OK.

www.syngress.com

Configuring Your NAVCE 7.6 Environment • Chapter 8

Configuring File System Realtime Protection Virus Notification Message Options In the section labeled “Options,” you can set message options and file and folder exclusions. Let’s start with message options. 1. Click Start | Programs | Norton AntiVirus Corporate Edition | Norton AntiVirus Corporate Edition. 2. Click Configure | File System Realtime Protection. Ensure that the checkbox labeled “Display message on infected computer” is checked. (Figure 8.29). Figure 8.29 File System Realtime Protection Options

3. Click Message (Figure 8.30). You will notice lines of text such as “Action taken: [Action Taken].”The text not enclosed between square parentheses is plain text.This means that this is a static caption that will appear on every virus message.The text enclosed within the square parentheses is a variable field known as a message parameter. Message parameters are dynamically updated and added to the virus notification message so that the displayed message contains relevant specifics. Quite often, NAVCE administrators will add a static line of text with some instructions (such as “Please contact the helpdesk”) at the bottom of this message.

www.syngress.com

349

350

Chapter 8 • Configuring Your NAVCE 7.6 Environment

Figure 8.30 Display Message Window

A list of available message parameters for File System Realtime Protection (as well as manual scans) is shown in Table 8.1.To add a message parameter, right-click anywhere within the text area of the window and select Insert Field. Table 8.1 Virus Notification Message Parameters Message Parameter

Explanation

[Filename] [Virusname] [User] [Computer] [ActionTaken] [Filename] [Datefound]

Full file path and name Name of detected virus Network log on name of user Name of computer Action taken on infection File name (no path) The date when Norton AntiVirus detected the virus Indicates the state of the file: Infected, Not Infected, or Deleted

[Status]

NOTE There are additional message parameters available for virus notification messages created for Microsoft Exchange Realtime Protection and Lotus Notes Realtime Protection. When triggered by File System Realtime Protection or a manual scan, the virus notification message is displayed

www.syngress.com

Configuring Your NAVCE 7.6 Environment • Chapter 8

on the screen of the infected computer. However, when triggered by Microsoft Exchange Realtime Protection or Lotus Notes Realtime Protection, the notification message can also be sent to the sender of the infected e-mail via an e-mail message or to a designated person (or persons) responsible for the mail infrastructure.

4. Once the message is customized as desired or as specified by your enterprise security policies, click OK to return to the File System Realtime Protection Options main window.

Configuring File and Folder Exclusions for File System Realtime Protection File and folder exclusions can help prevent NAVCE from scanning data that does not need to be protected.This helps negotiate a balance between the protection required and the system resources required. Exclusions can also help decrease the load placed on system resources if the data is not susceptible to becoming infected. To configure file and folder exclusions: 1. Click Start | Programs | Norton AntiVirus Corporate Edition | Norton AntiVirus Corporate Edition. 2. Click Configure | File System Realtime Protection. 3. Check the checkbox labeled Exclude selected files and folders. Click Exclusions. (Figure 8.31). Figure 8.31 Excluding Selected Files and Folders

www.syngress.com

351

352

Chapter 8 • Configuring Your NAVCE 7.6 Environment

4. Check the checkbox labeled Check file for exclusion before scanning. Click Extensions. (Figure 8.32). Figure 8.32 Forcing NAVCE to Check File Exclusions

5. Enter filename extensions for all files that you want excluded and then click Add. The window should be similar to Figure 8.33. Here, lets add a TXT extension, which is used for text files. Figure 8.33 Adding File Extensions to be Excluded

6. Click OK to return to the Exclusions screen. 7.

In the Exclusions screen this time, click Files/Folders (Figure 8.34). Figure 8.34 Setting Folder Exclusions

8. Select any files and folders that you wish to exclude (Figure 8.35).Then click OK to return to the File System Realtime Protection Options main window. www.syngress.com

Configuring Your NAVCE 7.6 Environment • Chapter 8

Figure 8.35 Selecting Folders to be Excluded

Designing & Planning… Practical Applications of File and Folder Exclusions – Microsoft Exchange We just discussed how to exclude files and folders from real-time protection. Such a discussion may seem to negate the very purpose of the software but it has some practical applications. One classic example is protecting Microsoft Exchange servers. As you may have guessed, NAVCE was designed to protect whole files rather than a specific portion of a file. This kind of design is obviously not ideal for protecting a file (such as a message store) that could contain multiple mailboxes each containing countless e-mail messages. If identified to be infected and NAVCE attempted to delete or quarantine the entire file, the impact caused would be more severe than the damage caused by the virus itself. Understand that this is not exactly a shortcoming of the NAVCE software. This would be true of any other antivirus software designed to protect file systems. There are other antivirus solutions (especially within the Norton/Symantec AntiVirus product line) to protect the Exchange server that are not within the scope of this book. In a case such as the Microsoft Exchange server, NAVCE is used to protect only the file system rather than the Exchange server itself, and this requires certain folders to be excluded. For more information about the specifics of this undertaking, please refer to Symantec Knowledge Base Documents 2000110108382448 and 2002051609590948. Also, refer to Microsoft Knowledge Base article 245822.

www.syngress.com

353

354

Chapter 8 • Configuring Your NAVCE 7.6 Environment

Configuring Drive Types for File System Realtime Protection NAVCE’s File System Realtime Protection protects against viruses on the local system.There is an option where this protection can be extended to any network drives that the system accesses. To enable network drive types, complete the following steps. 1. Click Start | Programs | Norton AntiVirus Corporate Edition | Norton AntiVirus Corporate Edition. 2. Click Configure | File System Realtime Protection (Figure 8.36). Check the checkbox labeled Network. Then click OK. Figure 8.36 File System Realtime Protection Options - Network Drives

Configuring & Implementing… A Word of Caution about Network Drive Protection Before checking this seemingly harmless checkbox, you must understand the potential impact that this could have on your enterprise infrastructure. Whether or not you allow this box to be checked will depend largely upon your enterprise environment. Whereas it is impossible to examine every possible scenario (since most environments are a blend of Continued

www.syngress.com

Configuring Your NAVCE 7.6 Environment • Chapter 8

various server types), let’s discuss two extremes that may help illustrate the point of discussion. Understand that these sample scenarios are purely for academic discussion and are not recommendations for your environment. As the NAVCE administrator, it is up to you to make an informed decision about your environment.

Scenario 1: Microsoft Windows Based File Servers Let’s imagine that every file server (that serves up files and data) in your environment is based on a Microsoft operating system. If you have already installed NAVCE on every server, it would be pointless to enable Network Drive Type protection on the clients. This is because the software on the server would already be scanning files as they are accessed rendering the scan conducted by the client redundant. Imagine 500 clients logging in to the Windows domain every morning and downloading their roaming profiles from a Windowsbased file server. Imagine the load that would be placed on the server if every client (as well as the server) scanned every file as it was accessed and downloaded to the client. In such a case, it would make more sense to enable the protection only on the server and not on the clients. It may even make sense to disable and lock this option from the parent server.

Scenario 2: Network Appliance File Servers (Filers) Before we begin with Network Appliance File Servers (often called NetApp Filers), let’s spend a minute to understanding this type of file servers. File servers such as NetApp Filers and Quantum Snap drives use their own file and operating system. Since they are unlike conventional systems in that they do not run a mainstream operating system (such as Microsoft Windows,) programs cannot be installed onto them. They can either be “front-ended” with antiviral software, or you can use a NAVCE system to conduct scans at scheduled intervals. Now, in this scenario, imagine that you have 1000 client systems each running NAVCE. Every user on their system has their home drive mapped where they store their documents and e-mail. In other words, the file servers are constantly being battered by clients. If Network Drive Type were enabled, the file servers would have a significantly lower input/output (I/O) throughput. Every client performing scans would slow down others as well. In such a case, it would make more sense to disable the network protection on the clients. It may make more sense to either front-end the file servers with an antivirus product designed specifically for this purpose, or to conduct virus scans at scheduled intervals.

www.syngress.com

355

356

Chapter 8 • Configuring Your NAVCE 7.6 Environment

Other Types of Scans and Clients In the preceding section we spent considerable time exploring various options of the File System Realtime Protection in detail.This learning experience was not limited to the File System Realtime Protection. Virtually all of the knowledge and experience you just acquired is applicable to manual and scheduled scans, other Microsoft-based platforms, and even server side security policies.You will find that even when installing NAVCE servers, the protection options for the server itself are configured much like the unmanaged client. Later in this chapter, we will briefly cover the same options on a group of NAVCE servers and clients using the SSC Console.

NOTE NAVCE 7.x does not support NetWare 6.0. The next release of the NAVCE product which is titled Symantec AntiVirus Corporate Edition (SAVCE) 8.0 provides full compatibility with NetWare 6.0.

Configuring Windows NT 4.0/2000 Cluster Server Protection NAVCE clients can be used to protect Microsoft Windows Cluster Servers. Any version of the NAVCE 7.0x (or higher) client software can be used to protect a Windows NT cluster. For a Windows 2000 cluster, you must use NAVCE version 7.03 build 53a or higher. NAVCE server software is not supported on a Windows server in a cluster configuration. Protecting a Windows NT/2000 Cluster Server is fairly uncomplicated. However, due to the complexity of the way that the operating system behaves, there are some guidelines that a NAVCE administrator must adhere to.The following is a brief list of some of these guidelines: 1. Only NAVCE Client software should be installed on a Windows Cluster Server. NAVCE server is not supported on this platform 2. The NAVCE client must be installed on each system that is a part of the cluster. If the software is being deployed remotely, it must be “pushed” to

www.syngress.com

Configuring Your NAVCE 7.6 Environment • Chapter 8

each system (by name) that is a member of the cluster rather than the cluster’s virtual or shared name. 3. The client must not be installed to the shared drive. Instead, it must be installed on the (local) physically attached drive for each server in the cluster. 4. The clients on each cluster member must point to the same NAVCE parent server so that the virus definitions and security policies are identical across all the members of the cluster. Once the NAVCE software is installed on a cluster, you will notice that there are minor nuances to the way that it behaves in this configuration compared to how it behaves on a stand-alone server. A list of documented behaviors is available within Symantec Knowledgebase Document 1999110109074348. Of course, you may observe other unique behaviors that may need to be analyzed and corrected on a case-by-case basis.

Configuring Windows NT 4.0 Terminal Server Protection As per Symantec, the NAVCE 7.6 client cannot be installed on Windows NT 4.0 Terminal Server.This is due to a limitation with InstallShield 6.This limitation has been corrected in InstallShield 7.Therefore, the next release of NAVCE (SAVCE 8.0) can be installed on NT 4.0 Terminal Servers. Since that is beyond the scope of this book, it will suffice to say that NAVCE 7.6 is not supported on the Windows NT 4.0 Terminal Server platform.

Configuring Windows 2000 Terminal Services Protection NAVCE 7.6 is the first version of the software that offers support for Terminal Server versions of the Windows 2000 server platform. Previously, administrators had little choice but to depend on NTFS-based permissions to avoid execution of any malicious or unauthorized code. Even today, many cautious administrators choose to avoid antivirus protection rather than install newly written software. Installing NAVCE on a Windows 2000 Terminal Server is slightly tricky in the sense that it depends upon how your server is configured at the time that you are installing it. If Terminal Services are already enabled on a Windows 2000 server, only the server component of NAVCE can be installed.The client www.syngress.com

357

358

Chapter 8 • Configuring Your NAVCE 7.6 Environment

component will detect that Terminal Services are enabled and will refuse to proceed with the installation.Therefore, if you want to install the NAVCE client on a terminal server, you must do so prior to enabling terminal services. Once the NAVCE client is installed, you may enable Terminal Services. It is highly recommended that you install the NAVCE client rather than the NAVCE server for several reasons.The NAVCE client uses less memory, disk, and CPU resources than the server does. Since a NAVCE server will allow NAVCE clients to attach to it, this can also lead to additional resource usage on the server which can in turn severely impact the computing experience for users connected to the server via a terminal session. If Terminal Services are already enabled on a Windows 2000 Server machine and it is in application server mode, you must either switch to remote administration mode or you must use the change user /install command before you can proceed with the installation. Many administrators prefer to avoid switching to remote administration mode once the system is in application server mode because some applications can lose certain customizations.Therefore, if your server is already up and running in application server mode, you have little choice but to install NAVCE server on it. If, however, you are able to safely switch from application server mode to remote administrator mode, you may have a choice between the NAVCE client and the server. Therefore, we will install a NAVCE client, configure it, and then enable Terminal Services. Since you have learned how to install a NAVCE client already within this chapter, we will omit the installation procedure and continue on to the steps necessary to enable Terminal Services on a Windows 2000 Server.

Enabling Terminal Services on a Windows 2000 Server In this example, we will be using a stand-alone Windows 2000 Server. We have already installed an unmanaged NAVCE client. Now, we will enable the Terminal Services in remote administration mode. While enabling Terminal Services, you may be prompted to insert a copy of your Windows 2000 Server CD. When prompted, you may either insert the CD or provide a path to the I386 directory on the system or the network.

www.syngress.com

Configuring Your NAVCE 7.6 Environment • Chapter 8

1. Click Start | Settings | Control Panel. 2. Click Add/Remove Programs.Then Click Add/Remove Windows Components to start the Windows Components Wizard (Figure 8.37). Figure 8.37 Windows Components Wizard

3. Select Terminal Services in the list of available components and click Next. 4. Select Remote Administration mode and click Next as shown in Figure 8.38. Figure 8.38 Enabling Terminal Services

5. Click Finish (Figure 8.39).

www.syngress.com

359

360

Chapter 8 • Configuring Your NAVCE 7.6 Environment

Figure 8.39 Completing Terminal Services Installation

6. At this point you will be prompted to reboot your machine. Click Yes to restart the computer. Once the system has been rebooted, terminal services will be enabled and ready to accept Terminal Server (RDP) connections.

NOTE NAVCE protection for the terminal server platform is relatively new and therefore has some limitations. For a list of known issues and limitations, please refer to Symantec Knowledge Base Article 2001092012091148.

Switching from Application Server to Remote Administration Mode The NAVCE client cannot be installed on a Windows 2000 Server running in application server mode. If your server is in application server mode, you will need to switch to remote administration mode before you can proceed with the NAVCE client installation.To do this, you must follow the steps listed in the preceding section titled “Enabling Terminal Services on a Windows 2000 Server.” As you switch the mode of operation, you may notice (depending on your Windows 2000 terminal services configuration) that the Terminal Services Setup will attempt to delete custom settings and will have a check mark by the box

www.syngress.com

Configuring Your NAVCE 7.6 Environment • Chapter 8

ICA_Tcp Connection. If you see this, you must uncheck this box and continue with the rest of the steps until you are prompted to restart the system.

Installing NAVCE on Windows 2000 Terminal Server Previously, we installed the NAVCE client to a Windows 2000 server before enabling Terminal Services. In the event that you have a Windows 2000 server already running Terminal Services, you would need to install NAVCE server to the system. Let’s start with a Windows 2000 Terminal Server and install NAVCE server to it. 1. On the Terminal Server console, insert CD 2 or browse to a network location where CD 2 files are available. 2. Double-click on the CDStart.exe icon. 3. Click Install Norton AntiVirus to Servers (Figure 8.40). Figure 8.40 NAVCE Installation Console

4. Select Install and click Next (Figure 8.41). Figure 8.41 Installing NAVCE Server

www.syngress.com

361

362

Chapter 8 • Configuring Your NAVCE 7.6 Environment

5. At this point you will be presented with the Symantec License Agreement Window. Select I agree then click Next. 6. This will bring you to the Select Items Window as shown in Figure 8.42. Select Server Program. Uncheck Alert Management System AMS2 if it is checked.Then click Next. Figure 8.42 Select NAVCE Server Program

7. At this point, you will have to select the install location. Click the name of the computer you are installing to and click Add. Here, we are installing to the local computer named Athar-Test01. When finished your screen should appear similar to Figure 8.43. Click Next. Figure 8.43 Select Computer(s)

www.syngress.com

Configuring Your NAVCE 7.6 Environment • Chapter 8

8. You should be presented with a Severe Summary window that confirms your previous action. Verify that the information is correct and click Next (Figure 8.44). Figure 8.44 Select Destination

9. Now you have the option to enter a new Norton antivirus server group name or join an existing group (Figure 8.45). Here, we will accept the default server group name of Norton Antivirus 1 and click Next. Figure 8.45 Create NAVCE Server Group

10. You will be asked to confirm your action with a message like that shown in Figure 8.46. Click Yes.

www.syngress.com

363

364

Chapter 8 • Configuring Your NAVCE 7.6 Environment

Figure 8.46 Create a New Server Group

11. Now, you must specify the Server Startup Options for Norton AntiVirus 1 (Figure 8.47). Select Automatic startup and click Next. Figure 8.47 Configure Server Startup Options

12. You should be provided with SSC Console information (Figure 8.48). Read this carefully and click Next. Figure 8.48 Symantec System Center Console Information

www.syngress.com

Configuring Your NAVCE 7.6 Environment • Chapter 8

13. Finally, you will be provided with the default password for unlocking your new server Group.Take note of this and click Finish (Figure 8.49). Figure 8.49 Select NAVCE Server Group Password

14. You will then be prompted with the Virus Definition File Warning window that you previously saw in Figure 8.9. Check the box labeled Don’t remind me again until after next update.Then click Close. 15. You should now verify that your setup was successful in the Setup Progress window as shown in Figure 8.50. If everything looks good, click Close (Figure 8.50). Figure 8.50 Setup Progress

16. You should now be back at the opening splash screen for Installing Symantec AntiVirus Solutions. Scroll down and click Exit as shown in Figure 8.51. www.syngress.com

365

366

Chapter 8 • Configuring Your NAVCE 7.6 Environment

Figure 8.51 Exiting Installation Screen

17. Reboot the system. We just performed a NAVCE server install on a Windows 2000 Terminal Server. But, as it turns out, the installation process is identical to that on any other Windows platform.Therefore, this knowledge and experience is portable to any Windows-based system where you install NAVCE server.

Configuring NAVCE 7.6 Servers As discussed at the beginning of this chapter, a NAVCE server does not mean NAVCE software on Windows (NT/2000) Server platform. Instead, it refers to the services that a NAVCE system provides to its clients. Now that the server component of NAVCE is installed on the Windows 2000 Terminal Server, we can begin to configure it.The configuration of a NAVCE server’s own protection options is remarkably similar to that of a NAVCE client.Therefore, you can refer to that section within this chapter.The only difference is that the method of accessing the NAVCE console is different. When attempting to start the NAVCE server console, you will be prompted for the Norton AntiVirus Server Group password (Figure 8.52).

www.syngress.com

Configuring Your NAVCE 7.6 Environment • Chapter 8

Figure 8.52 Unlocking Server Group

This is the password that we set while installing the server software. Since we accepted the default, the password is “symantec.” Once you enter the password and click OK, you will see the NAVCE server console.The console appears to be identical to the NAVCE client console with the exception of the section labeled “General Information.” In a NAVCE server, you will notice that there is a “Server Grp” caption, which defines the NAVCE server group that this NAVCE server belongs to. In a client console, you would see parent server information in the same area of the console.

Configuring Multiple NAVCE Clients and Servers Thus far, we have explored how to configure the protection on both a NAVCE server as well as a NAVCE client. But, as an administrator, you will be required to make changes to large groups of clients and servers.This is where the Symantec System Center Console (SSC) comes into play. Since you have already worked extensively with the SSC in an earlier chapter, we will not discuss the installation and configuration here. It should suffice to say that you could configure and lock down settings for groups of servers and clients from the SSC.

Configuring Roaming for NAVCE 7.6 Clients You may already be familiar VDTM and LiveUpdate, which are the two most popular delivery mechanisms for virus updates. VDTM is the overwhelming choice in many enterprise environments simply because it is easy to configure and operates silently in the background.The greatest disadvantage to VDTM is the fact that the virus definitions downloaded are larger than 3MB. A file of such heft is inconsequential if the client (user’s system) is in the same building as the server. But, with corporate travel and notebook computers becoming increasingly pervasive, assuming that the client and server will share a local area network (LAN) is shortsighted. Quite often, employees will travel from one building, one geographical region, and even one country to another.This adds the location of www.syngress.com

367

368

Chapter 8 • Configuring Your NAVCE 7.6 Environment

the client as a new variable to the NAVCE equation. What is worse is that when they are in this new location, they are actually inside the same building as another NAVCE server but it is not the parent that their NAVCE clients are attached to. Until recently, NAVCE clients had no choice but to attempt to contact their parent NAVCE server and to keep trying to reach it even if it was non-functional or obsolete. Fortunately, Symantec has addressed this challenge with the newer releases of NAVCE and has appropriately named it Roaming Client Support. Roaming Client Support is a completely modular add-on feature.This means that it is up to the NAVCE administrator to decide whether or not to implement it within the environment. NAVCE will work with or without it.Therefore, we will not discuss it at length here.

Features of Roaming Client Support Roaming Client Support is a service for NAVCE clients that allows them to connect to the optimal parent server based on network connection speeds and geographic proximity. All that really means is that roaming options enable NAVCE clients to choose from a list of NAVCE parent servers based on some criteria. Roaming Client Support allows NAVCE offers the following features and benefits: ■

Automatic connection to the nearest NAVCE server whenever the clients’ network address changes or upon startup.



Automatic connection to a different NAVCE server if the current parent is unreachable for any reason.



Automatic periodic checks for the nearest NAVCE server even if the network location has not changed.This results in automatic load balancing for NAVCE servers.

Roaming Client Support Requirements Currently, Roaming Client Support is limited to NAVCE running on any of the following platforms: ■

Windows 9x



Windows NT 4.0



Windows 2000



Windows XP

www.syngress.com

Configuring Your NAVCE 7.6 Environment • Chapter 8

Implementing Roaming Client Support There is no “one size fits all” recipe to implement NAVCE Roaming Client Support. Each enterprise environment is unique and it is up to the NAVCE administrator to decide how to best serve the enterprise user community. Roaming Client Support is covered in significant detail within a PDF file, which is available on your NAVCE installation CD inside the DOCS directory.The file is also available at: ftp://ftp.symantec.com/public/english_us_canada/ products/norton_antivirus/navcorp/manuals/roaming.pdf This document outlines the theory and operation behind Roaming Client Support. It also discusses the tasks necessary to implement it with sample scenarios. Additional information is available within the Symantec Knowledge Base Document 2001092013012148.

www.syngress.com

369

370

Chapter 8 • Configuring Your NAVCE 7.6 Environment

Summary In this chapter, we learned how to configure NAVCE to protect the file system. We spent the majority of our time exploring and configuring the NAVCE File System Realtime Protection.This was because this single feature covers almost all aspects of virus protection. It applies both to clients and servers and many of the options selected here are the ones that need to be decided upon and configured for groups of servers and clients. We did not spend any time on configuring the virus history feature since it is more related to AMS2 and is covered elsewhere in the book. We also did not work with other scans since their configuration parameters are also a subset of the features discussed within File System Realtime Protection. As an administrator, you will find that an overwhelming portion of consideration and planning goes towards deciding upon the client side real-time protection options.You will find that much of the knowledge and experience derived from this discussion will be applicable in many other aspects of your career as a NAVCE administrator. Hence, we spent almost the entire chapter on the installation, configuration, and discussion of this single feature.

Solutions Fast Track Configuring NAVCE ; The knowledge and experience gained while configuring File System Realtime Protection is very valuable. ; NAVCE client configuration on a majority of current Windows

operating systems is identical.

; Unloading NAVCE services is different from disabling File System

Realtime Protection.

; File System Realtime Configuration will require a lot of forethought

and planning.

; NAVCE can take a variety of actions based upon pre-defined

configurations.

www.syngress.com

Configuring Your NAVCE 7.6 Environment • Chapter 8

; Files and folders can be included or excluded from NAVCE protection

and scans. In some cases (such as Microsoft Exchange Server machines,) it is necessary to exclude certain files and folders.

; Virus notifications can be configured to meet your enterprise needs.

; Before you enable network drives, it is wise to understand the impact of

such a decision.

; NAVCE 7.6x supports cluster and terminal servers but its behavior is

slightly different than that on a stand-alone system.

Configuring Roaming for NAVCE 7.6 Clients ; Roaming Client Support is a service for NAVCE clients that allows

them to connect to the optimal parent server based on network connection speeds and geographic proximity.

; Roaming Client Support is covered in significant detail within a PDF

file, which is available on your NAVCE installation CD inside the DOCS directory.The file is also available at: ftp://ftp.symantec.com/ public/english_us_canada/products/norton_antivirus/navcorp/manuals/r oaming.pdf.

; Roaming Client Support is a modular feature of the NAVCE solution.

This means that it is not a required component for the software to function. It is up to the administrator to decide whether it is a good fit for their enterprise environment.

www.syngress.com

371

372

Chapter 8 • Configuring Your NAVCE 7.6 Environment

Frequently Asked Questions The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: How can I check if NAVCE protection is working? A: You can use the AntiVirus Test File created by the European Institute for Computer Antivirus Research (EICAR) specifically for this purpose. It is available at www.eicar.org/anti_virus_test_file.htm.This file can also be used to test your enterprise virus notification (such as AMS2) and other corporate procedures.

Q: Since I have a choice between the client and server, which portion of NAVCE should I use on a terminal server?

A: It is strongly recommended that you install the NAVCE client on your server before enabling terminal services. NAVCE server has a higher system resource usage (often referred to as “resource footprint”) than NAVCE client software. Since you need every last bit of computing power reserved for terminal sessions on a terminal server, it would be best to stay away from NAVCE server. Also, when you use NAVCE server, there is a possibility of clients being attached (as children) and placing even more load on the system resources.

Q: Do I really need a NAVCE server at every office location? A: Symantec recommends that you implement you NAVCE solution such that you have a NAVCE server at every physical location.This is beneficial not only for faster propagation of virus definitions but also because the User Datagram Protocol (UDP) client check-in (as implemented by Symantec) is not routable.

www.syngress.com

Configuring Your NAVCE 7.6 Environment • Chapter 8

Q: What are the best practices for configuring and maintaining a NAVCE implementation?

A: For a complete list and discussion of best practices for a NAVCE implementation, view Symantec Platinum Knowledge Base Document 2002053008103348. Be sure to revisit this document every few months as it is constantly updated.

Q: How can I configure NAVCE such that I get the best possible virus protection with minimal impact to my system performance?

A: This is the classic paradox that every NAVCE administrator faces. Obviously, the system resources required for virus protection will be commensurate with your virus protection requirements. For a detailed discussion of the “protection vs. performance” question, view Symantec Platinum Knowledge Base Document 2000102709320948.

Q: How can I configure my Windows-based computer such that I get optimal performance while running NAVCE?

A: This is an extension of the previous FAQ in the sense that the platform that NAVCE will run on needs to be configured such that the result is a healthy balance between adequate virus protection and acceptable system performance. For a discussion on how to configure Windows 9x/Me/NT/2000 systems for optimal use of system resources, view Symantec Platinum Knowledge Base Documents 2001040412150348 and 2000072514215039. Although Symantec has no document specifically for Windows XP at this time, much if not all of the documentation available for Windows NT/2000 will apply.

www.syngress.com

373

Chapter 9

Securing Your NAVCE 7.6 Environment Solutions in this chapter: ■

Evaluating Security Requirements for your Organization



Developing a Security Solution for NAVCE 7.6



Implementing Your Security Solution for NAVCE 7.6



Securing NAVCE 7.6 Windows NT/2000 Servers



Securing NAVCE 7.6 Novell NetWare Servers



Securing NAVCE 7.6 Client PCs



Using the Reset ACL (resetacl.exe) Tool

; Summary

; Solutions Fast Track

; Frequently Asked Questions 375

376

Chapter 9 • Securing Your NAVCE 7.6 Environment

Introduction Now that we’ve covered the installation and planning requirements for Norton Antivirus Corporate Edition (NAVCE), let’s turn our attention to securing that environment. Security concerns permeate all facets of the modern network administrator’s life, and, as such, should enter into your installation and configuration plans at the earliest possible juncture.Your life will be much simpler (and your security solutions that much better) if you address security as part of the overall implementation process rather than attempting to ratchet security measures into place after the fact. When addressing security concerns in your environment, remember that security is a process, not a product. In other words, antivirus protection is a major component of any network security plan, but you also need to ensure that the servers housing the NAVCE software and the network connection it is using to access the Internet are equally secure. Otherwise, you’re facing the equivalent of installing a state-of-the-art security system in your house, then leaving the front door wide open. If any one aspect of your security plan is weak, the rest of your network will suffer.The topics we’ll cover in this chapter will not only deal with securing the NAVCE software itself, but will also touch on operating system security, regulation of network traffic through firewall technologies, and auditing your network (including your NAVCE installation) for any potentially hostile activity. When determining the technical requirements of your network security policy, understanding the potential threats against your network cannot be overstated. As such, we’ll discuss the various kinds of threats—human, physical and technological—that your network will need to be protected against. We’ll also discuss the importance of documentation such as disaster recovery plans—when (not if ) you find your data lost to a virus, you’ll certainly be thankful you took the time to put such recovery mechanisms into place. Once you’ve created an overall security plan for your organization, you can attend to the specifics of securing your NAVCE installation.The remainder of this chapter will therefore address the particulars of selecting and securing the machine that will host the NAVCE service, as well as steps you can take to lock down NAVCE to create a consistent level of antivirus protection across your entire network. We’ll also examine the network traffic generated by NAVCE so that you can configure your firewall or proxy server to allow your antivirus protection to operate correctly within a secured environment.

www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9

Evaluating Security Requirements for Your Organization While the focus of this book is antivirus protection, virus threats only make up a portion of a company’s overall security concerns. Establishing an overall information security policy is critical in ensuring that your organization has the necessary information and preparation to address concerns when (not if ) they arise. A quality network security policy is as much a business concern as it is a technological one; it should be developed with involvement from all facets of an organization—Risk Management, Legal, Human Resources, and so on.You should obtain support from all areas of the organizations when drawing up a security policy. Not only will the input of these various departments provide a more wellrounded security solution, you’ll obtain more “buy-in” from your users since they were involved in the planning process. Corporate security policies provide a common baseline of security procedures based on the organization’s information security requirements, extending in many cases to legal and industry compliance and due diligence issues. (This will also assist an organization in demonstrating its security consciousness to customers, stockholders, and the like.) A final component of a corporate security policy focuses on user training and awareness. Attentiveness to information security cannot reside solely with the MIS department or it will be unavoidably doomed to failure. When planning network and information security policies, your three chief concerns are the confidentiality, integrity, and availability of all types of corporate data.These three security objectives answer the following key questions: ■

Who has access to my data?



Has my data been corrupted or altered in any way?



Will I be able to access my data when I need it?

All methods, technologies, and practices within information security will ultimately address one or more of these key concepts. ■

Confidentiality prevents any unauthorized disclosure of data, ensuring that information is only available to people authorized to view it.You’ll hear about this most often as it relates to personal privacy and the protection of personal data: Social Security numbers, credit card information, and the like. A network security policy should call for physical, administrative, and technological controls to ensure that corporate and personal www.syngress.com

377

378

Chapter 9 • Securing Your NAVCE 7.6 Environment

information remains free from inadvertent or malicious disclosure.These controls can include a physical safe-deposit box to store items such as birth certificates and hard copies of tax returns, administrative procedures within an Accounting department to make sure that payroll information remains confidential, and technologies like Secure Socket Layer (SSL) encryption to allow for secure transmission of pertinent data. Virus protection assists in protecting confidentiality, in that many virus threats can read or collect information from an infected hard drive or e-mail system. ■

The concept of data integrity is concerned with preserving the accuracy and consistency of all types of data against fraudulent alteration. Safeguards designed to protect data integrity should ensure that only authorized persons are able to modify data. (Compare this with confidentiality safeguards: we have moved away from determining who can see a piece of data, and are now asking who can modify it.) Taken one step further, integrity checks also make sure that an authorized user cannot make unauthorized changes to corporate data: A bank teller may be authorized to view your checking account information, but certainly shouldn’t be able to transfer money from your account into someone else’s. Integrity controls are also designed to maintain data consistency; that is, ensuring that two plus two will equal four at all times. Securing data integrity is another critical task for antivirus software, as it protects system and data files from virus-related corruption, alteration, and even deletion.



The final piece of the “Information Security Triad” is availability. Similar to the age-old question of trees falling in the forest and whether they make a sound when no one can hear them, if your users can’t access their data when they need it, then it hardly matters if that data’s confidentiality and integrity have been maintained or not.Technologies such as load balancing, off-site backups and application clustering all assist in protecting corporate data against destruction. NAVCE also works in ensuring this last factor through real-time protection and heuristic scanning that can proactively quarantine virus infections before they have a chance to propagate to the rest of your network.

Determining Your Security Policies In drawing up security guidelines for your organization, there are two opposing philosophies. Quite simply, one philosophy advocates permitting all traffic that is

www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9

not explicitly forbidden, while the other prohibits all that is not specifically allowed.This is more commonly referred to as the deny all method, and is illustrated in Table 9.1.There you can see that the only open ports are those associated with FTP, WEB, and E-MAIL, all others are blocked. While this is a highly secure network configuration, it involves a bit more legwork in configuring a network application like NAVCE to function properly. (We’ll discuss some of the particulars of this in the section “Developing a Security Solution for NAVCE 7.6” later in this chapter.) Table 9.1 A Highly Restrictive Network Usage Policy IRC

CHAT

TELNET

AIM

NET RADIO

FTP

NetBIOS

IGMP

DHCP

LDAP

E-MAIL

IKE

WEB

XNS

SAP

NFS

Compare the highly restrictive configuration in Table 9.1 with Table 9.2, in which most network ports have been left open and only individual applications have been blocked from use. NAVCE will usually function correctly “out-of-thebox” in this type of environment, as the ports it requires to function are typically already available for use. However, this ease of use comes at a price: With more network ports open, a LAN configured in this manner will be more susceptible to Internet- and e-mail-based virus and worm attacks. In a configuration like this, it is critical to maintain and update a complete antivirus protection strategy to keep virus and network threats at bay. Table 9.2 More Permissive Usage Guidelines IRC

CHAT

TELNET

AIM

NET RADIO

FTP

NetBIOS

IGMP

DHCP

LDAP

EMAIL

IKE

WEB

XNS

SAP

NFS

In determining the technical configurations necessary to support your chosen network policy, you should ask yourself and others (manager, helpdesk personnel, Webmaster, developers, and so on) a few questions. ■

Who (and where) are my users? A LAN contained within a single building will have differing security requirements from an enterprise-level www.syngress.com

379

380

Chapter 9 • Securing Your NAVCE 7.6 Environment

corporation with many office locations and traveling laptop users. Determine how your users will be accessing network resources: via a local network connection, across a modem, ISDN or shared Internet connection, or even via a wireless Personal Digital Assistant (PDA) connection. Each access mechanism will need to be properly secured to ensure the security of your user logins and password security.

WARNING Password security is often the “weakest link” in any network security policy, be it a result of people sharing or forgetting their passwords, or setting their password to be their youngest child’s birth date. Security awareness training will help in this regard, as users will be far more likely to select appropriately complex passwords if they understand the potential fallout of having their easy-to-guess password compromised by a malicious outsider.



What applications do my users require on a daily/weekly/ monthly basis? Begin with an inventory of the software installed on your clients’ PCs, then go one step further and conduct a survey or audit of each department’s business processes.You will be amazed at how many quirky little dial-up file transfer applications and the like are brought to your attention during such an audit.This step will serve two purposes: It will allow you to plan your network security configuration to allow all required applications to run, and this will likely present an opportunity to streamline or improve business processes that you might not even have known existed. After all, in order to support your users, you must first understand what their needs are.



What are the network resources required by my user applications? If an application is passing traffic across the network, you need to know how that traffic is being passed. Most network-aware applications will operate using a specific TCP or UDP port, and it would be impossible to correctly configure network security without knowing which ports are required for your applications to function.

www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9

Writing It All Down: Drafting Your Network Security Policy Whether you choose one of the extreme approaches described at the beginning of this section or choose to configure your security policies somewhere inbetween, the most important part of the equation lies in actually recording the policy so that it can be implemented within your organization. A network security policy can be a massive document, with many possible sub-headings under its jurisdiction. When drafting your security policy, you can use any or all of the following sections as appropriate to your network.

Acceptable Use Policy While a network security plan is only as useful as it is pertinent to your organization, we can’t think of a company whose network would not benefit from the construction of an acceptable use policy. As the name implies, this document details what types of activity and usage are (and are not) permitted on a corporate network. Most modern security surveys indicate that the greatest security risk on a network often originates from internal staff and employees. Consider the following situations: ■

Pirated software found on a company’s computer system opens the door to legal exposure and copyright violations, even if the software was not installed by a member of the IT staff.



An employee uses a customer database to spam people with get-richquick e-mails.



A system administrator encounters pornographic material on an employee hard drive while performing PC maintenance.



An unauthorized employee uses NMAP or another network scanner to search for vulnerabilities on a corporate LAN.

While an acceptable use policy might not have averted any of these situations, it’s nonetheless critical to have one in place so that whoever encounters a dilemma (like IT, Human Resources, and so forth) will know two things: ■

That a violation has occurred



The appropriate steps to take in response

www.syngress.com

381

382

Chapter 9 • Securing Your NAVCE 7.6 Environment

NOTE A quick search query of “acceptable use policy” into your favorite search engine (like www.google.com) will result in hundreds upon hundreds of documents that you can use to help add a layer of security to your network security policies.

Internet Usage While a policy regarding appropriate use of Internet resources could easily be categorized under acceptable use, many organizations have created a separate policy to draw attention to this most essential of issues. A September 2000 Gartner survey reports that many users spend between two and three hours a day surfing non-work-related Web sites, and that number has likely only grown since then. Create a policy outlining what defines acceptable use of the Internet, while allowing some time for personal Internet usage (during the lunch hour, for example). Again, user awareness is key: make Internet use a part of new employee orientations, or add it to corporate training programs.

Disaster Recovery Policy If you’re debating whether or not to invest the time and resources required to develop a disaster recovery plan remember that a “disaster” doesn’t even have to revolve around a tornado or fire: data corruption resulting from a power outage or virus outbreak can put a network out of commission just as effectively as rising flood waters. If you’ve already surveyed your users’ business processes (as we advised in the last section), then you’ve already completed the first steps in developing a disaster recovery strategy. While we could spend an entire book discussing disaster recovery planning, the major steps involved are as follows: identify your critical assets, back them up on a regular basis, and have a policy in place to implement recovery procedures in the event of a major outage. An effective plan needs to include detailed plans regarding the backup of all critical systems and the storage of these backups at an off-site location that can be brought online within a satisfactory time frame.

www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9

Antivirus Policy One of the most common mistakes in designing antivirus protection for a corporate network is to skip straight into rolling out software and configuration options, without first explicitly defining the role of antivirus software on your network. Specifically: you may take it as a matter of common sense that any and all PCs connected to your network need to have antivirus protection installed on them, but what about the sales representative or consultant who needs network access for his (virus-infected) laptop to run a sales presentation? You don’t even need a “foreign” computer system for this nightmare scenario to play out. Something as simple as an infected floppy disk can bring your network down if you have not mandated antivirus protection for all computers on your network. A well-formed antivirus policy should include the following elements: ■

Require all computer systems to have antivirus software installed before they can be connected to the network.



Forbid users from disabling or altering antivirus features, including scanning and updating functions.



Mandate that a full system scan be performed if antivirus software needs to be disabled for any reason, such as installation of new software.



Add a disclaimer to all outgoing e-mail messages stating that they have been scanned for virus infections. Configuring these disclaimers will be specific to the e-mail server and operating system you’re using. For example, in Microsoft Exchange you would create an OutboundAppend Registry value in the HKLM\SYSTEM\CurrentControlSet\Services\ MSExchangeIMC\Parameters\Extension Registry key. Consult the Microsoft Knowledge Base or your e-mail server’s vendor Web site for more detailed information.

Identifying Threats to Network Security Before developing a network security policy, you first need to understand what sorts of threats your network is susceptible to. While the particulars of an attack against your organization will vary based on its size and structure, all network threats will target one or more of the following: confidentiality, integrity, or availability. In this section, we’ll discuss a partial list (though there are countless others) of the more commonly encountered hazards to the integrity of your network and its security. www.syngress.com

383

384

Chapter 9 • Securing Your NAVCE 7.6 Environment

Natural Disasters Call it bad luck or call it an “act of God,” but sometimes the very planet we live on can jump up and deal us a truly rotten hand. Floods, fires, earthquakes and the like can drastically affect the availability of your network data and services. While events like these are in most cases unavoidable, you can mitigate the associated damage with an effective disaster recovery plan.

Hackers Hackers are perhaps the most widely publicized threat to modern information security. From a teenaged Matthew Broderick bringing the world to the brink of nuclear Armageddon in the movie WarGames to real-life examples of Web site defacing and identity theft, the very word “hacker” has become a media catch phrase for the dangers of the modern Internet. In reality, however, the term implies nothing more than a user or group of users who have sufficient time and persistence to find and exploit technological and human weaknesses (see “Social Engineering,” next) that they then exploit, either for financial gain or simple bragging rights. Hackers can impact all three facets of the information security equation, potentially compromising all aspects of a system’s data.

Social Engineering Social engineering is a technique usually (but not necessarily) employed by hackers to breach network security.This method is unusual, however, in that it does not require a computer. Social engineering is similar to hacking in that the perpetrator is gathering information in order to gain unauthorized access to a network system. Unlike the hacker who capitalizes on physical or technological system vulnerabilities, a social engineering attack gains information by manipulating peoples’ trust and/or gullibility.The most common way of accomplishing this is via telephone. Say for example that an attacker has discovered the login page to one of your Web-based server applications. He or she might look up the name of a powerful executive in the company directory, then telephone the help desk claiming to be that person and insisting that their password to this application needs to be reset. By claiming the identity of someone important, the social engineer is hoping that whoever answers the phone will be intimidated into bypassing normal security procedures in order to keep this person happy. As you can see from this example, help desks are the most common targets of this sort of attack: their job is to resolve problems and provide excellent customer service; they may not always take the time necessary to verify the identity of the caller. www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9

While the method of gaining information is different from that of a traditional hacker, the end result is the same: your data becomes compromised by a breach in network security. Since social engineering is an inherently human attack, your best defense against it lies in user training and awareness. Create guidelines for the helpdesk to verify every caller’s identity, and draft specific procedures for use in resetting passwords. Don’t restrict this type of training solely to the help desk, either: communicate the steps necessary to reset a password with all members of your organization, along with an explanation of the security risks that make such a policy necessary.

Internal Threats A common but often overlooked threat to an organization’s network security often comes from within the company itself. Internal users can cause more damage, whether malicious or unintentional, than any external hacker simply because they already have legitimate access to network resources. And even if the damage done is inadvertent, the results can still be catastrophic. For example, end users can take advantage of nonbusiness-related Internet applications that can open up holes in information systems. Chat rooms, peer-to-peer file sharing, games and music broadcasts all open up ports for communication, which can provide a point of attack for an intruder to exploit. And we’re all familiar with the administrative horror stories of users who write their names and passwords on Post-it notes taped to their desk or underneath their keyboard, thus providing another avenue of entry for observant hackers or curious or disgruntled employees, who have even been known to search offices after-hours in search of this type of information. Similar to social engineering attacks, these threats are best mitigated through awareness training and the development of an acceptable use policy (discussed in the section “Drafting Your Network Security Plan”).

Viruses/Trojans/Worms Viruses,Trojans, and worms are possibly the most disruptive of the security incidents described in this section.These threats can alter or delete data files and executable programs, flood e-mail servers and network connections with superfluous traffic, and even create back-door access that can allow a remote attacker to take over a computer entirely. While you’ll often hear the terms virus and worm used interchangeably, there is a slight difference. A virus will maliciously alter an existing file, and then use that alteration to propagate itself. A worm, on the other

www.syngress.com

385

386

Chapter 9 • Securing Your NAVCE 7.6 Environment

hand, will simply replicate itself over and over again for the purpose of exhausting system resources such as hard drive space and processor cycles. (This is a perfect illustration of the difference between affecting data integrity in the case of a virus, and data availability in the case of a worm. Granted, a major virus outbreak will also eventually affect data availability as well, but the initial point of attack is more concerned with the former.) Finally, the Trojan takes its name from the Greek myth of the Trojan horse, where attackers from Sparta infiltrated Troy by hiding inside a horse’s statue, ostensibly offered as a gift. In much the same way, a computer Trojan masquerades as a friendly or benign file (usually an e-mail attachment) that, when executed, can damage a computer’s data or otherwise circumvent operating system security measures.

Network-Based Attacks New breeds of network attacks seem quite unlike the conventional threats posed by viruses and worms, as they do not actually gain entry into a targeted computer system. In a Denial of Service (DoS) attack, however, the purpose of the attack is somewhat different. Rather than attempting to access, alter or destroy a company’s data, the DoS attack will flood the victim’s network with such a large amount of network traffic that legitimate users of the system cannot access it. A well-orchestrated DoS attack, in fact, will not only slow down a system but cause it to hang or fail outright when its resources become taxed to the point that it can no longer function.Taking the model one step further, the Internet has also made possible the Distributed Denial of Service (DDoS) attack, in which dozens, or even hundreds, of systems attack a target simultaneously. And just to show how many of these threats are interrelated, a common means of beginning a DDoS attack is through the use of a Trojan. In this way, a computer can be taking part in a DDoS attack without the user or IT staff even knowing it.

Developing a Security Solution for NAVCE 7.6 As you surely know, the threat from computer viruses has reached staggering proportions in today’s connected world. As such, no network security policy can really be complete without giving some thought to antivirus protection.You’ve already taken the first step: selecting a standard antivirus package for your organization to create uniform levels of virus protection.Your next step will be to select an appropriate computer to run the NAVCE server application on, as well as a network protocol to communicate with other servers and clients. www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9

Designating a Server Once you’ve established a security policy and outlined plans for antivirus protection on your network, the next step will be to designate a machine to run the NAVCE server application. (As a reminder, the hardware requirements for a machine to run the server software are listed in Table 9.3.) Since most modern PCs, particularly servers, can more than handle the requirements necessary to run a NAVCE server, you need to determine whether you will dedicate a single machine to perform nothing but antivirus functions, or if you will install NAVCE on an existing server that is already handling other file- and applicationsharing duties. Table 9.3 System Requirements for Windows and NetWare Servers Windows NT/2000

NetWare

32MB RAM Intel Pentium Processor ~200MB Free Drive Space

3MB RAM (beyond other NW requirements) ~150MB Free Drive Space

Installing a separate machine to handle NAVCE server functions will allow you to secure it more heavily, as you can lock down the operating system to only allow the Symantec applications to run.This will also allow you to restrict network traffic to and from the dedicated server so that your routers and firewalls will transmit only NAVCE-specific network traffic.The specific ports and applications will be covered in the section “Implementing Your Security Solution for NAVCE 7.6,” later in the chapter. If you are installing NAVCE to an existing server, be sure to reference this section to ensure that you’ve enabled all necessary network traffic to and from the existing machine.

NOTE Although these are the system requirements listed for minimal functionality, you should know that, the more you scale up your servers (hardware requirements), the better functionality and responsiveness you will receive. It is common to double the minimum requirements on any product box and run performance monitoring tools after the installation to make sure your servers are running efficiently.

www.syngress.com

387

388

Chapter 9 • Securing Your NAVCE 7.6 Environment

Selecting a Network Protocol NAVCE can use the IP or IPX protocol to communicate with any combination of Windows NT, Windows 2000, and Novell NetWare servers. While your choice of protocol will be dependent on the overall needs of your organization, there are certain considerations specific to a secure NAVCE environment that you need to keep in mind.The most significant of these relates to how NAVCE communicates between servers and clients. In order for a NAVCE server to communicate with the client PCs on your network, they must have a protocol in common. That means, if your server only has IPX loaded while your clients are speaking nothing but IP, no communication will occur between them.This includes all alert notifications, virus definition updates, and commands to launch scans or virus sweeps.You can see this concept illustrated in Figure 9.1. Figure 9.1 Communication in a Multiprotocol Environment Server Running IP Only

Server Running IP and IPX

Server

Server NO COMMUNICATION!!!

Workstation

Workstation Workstations Running IPX Only

Workstation

Workstation

Workstation

Workstation

Workstations Running IPX Only

NOTE Pay attention to the difference between the server on the left in Figure 9.1, where no communication can occur between servers and clients, and the server on the right in which servers and clients are able to communicate because they are using a common protocol. www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9

WARNING Clients that are running IPX only will not be visible in the SSC console unless you enable Microsoft File and Print Sharing for NetWare on the NAVCE server.

Notes from the Underground… Configuring the Default Protocol for NAVCE Servers and Clients If your network configuration mandates that you run both TCP/IP and IPX on your clients, you’ll find that NAVCE has a habit of defaulting to IPX, even if your servers are only using TCP/IP. This will cause your clients to lose their connection to the NAVCE server, or cause them to “drop off” from the SSC management console. Windows Operating Systems To configure TCP/IP as the preferred protocol for NAVCE on Windows operation systems, complete the following steps. 1. Add the following Registry entry to the parent server: In the HKLM\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion key, create a REG_DWORD entry for PreferedProtocol (note the spelling) with a value of 0x00000000 (0) for IP or 0x00000001 (1) for IPX. This will set the preferred protocol on the parent server. 2. Separately establish the preferred protocol for your NAVCE clients. (This change will propagate from the parent server in the same way as antivirus definition and other updates.) In the HKLM\SOFTWARE\INTEL\LANDesk\VirusProtect6\ CurrentVersion\ClientConfig key, create a REG_DWORD entry for PreferedProtocol (note the spelling) with a value of 0x00000000 (0) for IP or 0x00000001 (1) for IPX. This will set the preferred protocol on the parent server. Continued

www.syngress.com

389

390

Chapter 9 • Securing Your NAVCE 7.6 Environment

3. Stop and restart the Norton AntiVirus Server service to force the update to propagate to your clients. If one or more clients are not communicating with the parent server as a result of this protocol confusion, manually overwrite the grc.dat file to the Norton AntiVirus directory on the client. Novell NetWare To configure TCP/IP as the preferred protocol for Novell NetWare operating systems, you’ll need to add the two Registry entries described earlier using the VPREGEDT.NLM utility. To do this, complete the following steps. 1. Unload the NAVCE NLM from the server console. 2. Load VPREGEDT.NLM. 3. Press F5 to open the Command Menu. (The Add, Edit, Open, and Delete functions will only be available to you after you’ve pressed F5.) 4. Highlight the VirusProtect6 key and press Enter. 5. Press F5 again. Use the Down-arrow key to select Add Value and press Enter. 6. In the Enter new value name box, type PreferedProtocol (again, note the spelling). 7. In the Select Data Type box, select DWORD and press Enter. 8. In the Enter the data box, type 0 for IP and 1 for IPX and press Enter. To create the PreferedProtocol parameter in the ClientConfig subkey, continue with the following steps: 9. Press F5 and down-arrow to Open a subkey, then press Enter. (You can simply press O as a shortcut.) 10. Scroll down the subkey list to the ClientConfig key and press Enter. 11. Press F5 again. Use the Down-arrow key to select Add Value and press Enter. 12. In the Enter new value name box, type PreferedProtocol (again, note the spelling). 13. In the Select Data Type box, select DWORD and press Enter. Continued

www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9

14. In the Enter the data box, type 0 for IP and 1 for IPX, then press Enter. 15. Press ESC to exit VPREGEDT.NLM. 16. At the System Console, restart the NAVCE NLM by typing LOAD VPSTART and pressing Enter.

Implementing Your Security Solution for NAVCE 7.6 In this section, we’ll address the specifics of securely configuring NAVCE features such as Central Quarantine Server and LiveUpdate functions. Both of these functions provide a single point of administration within your network that will greatly ease the administration of your antivirus protection: Quarantine Server providing a central point for clients to submit infected files to, and LiveUpdate a single point of distribution for product and antivirus signature updates.

Installing Central Quarantine Server Central Quarantine Server is used as a centralized repository for infected files that could not be repaired by Norton AntiVirus on infected client machines. When this occurs, the client machines will forward the infected files to Quarantine Server so an administrator can examine them or automatically forward them to Symantec for analysis. In this section, we’ll cover the steps in installing Central Quarantine Server and Quarantine Server Management client on your NAVCE server.

NOTE Central Quarantine Server needs to be installed on a Windows NT or 2000 machine; it cannot be installed on a NetWare server.

1. From CD 2 in your installation media, select Install Central Quarantine Locally. 2. Click Next at the Welcome dialog box and Yes on Software License agreement.

www.syngress.com

391

392

Chapter 9 • Securing Your NAVCE 7.6 Environment

3. Select a destination folder, or just click Next to accept the default location. 4. Choose whether you want to use Internet-based or e-mail-based delivery of infected files to Symantec. Symantec recommends using Internet-based delivery as it provides for automatic delivery and routing of virus-infected files, updated definitions, and virus cures; if you choose Email-based delivery, you’ll need to perform all of these functions manually. Click Next to continue. 5. Specify how much drive space you want to allocate to incoming files sent to Quarantine Server.This space will exist on the drive letter and directory that you specified in Step 3. 6. Accept all remaining installation defaults and click Finish to complete the setup process. 7. Return to the main splash screen on CD2 and select Install the Central Quarantine Snap-in. Follow the prompts to complete the snap-in installation. (The installation of the Central Quarantine Snap-in is a standard Windows installation routine, which you should be familiar with.)

Configuring Central Quarantine Server Now that you’ve installed Quarantine Server, you need to configure it to be able to receive virus-infected files from your client PCs, paying special attention to configuring the network port those clients will use to transmit infected files. (You’ll see this in Step 4.) 1. From the SSC console, right-click Norton Antivirus Quarantine and click Attach to Server. 2. Enter the server name, username, and password that Quarantine Server will use.The user account does not necessarily need to be an administrator account, but it will require file and directory permissions to the directory that will be storing quarantined files. Click OK when you’re finished. 3. Right-click the Central Quarantine Snap-in again and select Properties.You’ll see the screen shown in Figure 9.2.

www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9

Figure 9.2 Configuring Central Quarantine Properties

4. Specify the directory in which you want quarantined files to be stored. This is the directory that the user (listed in Step 2) will require access to. Then set the maximum amount of disk space that you want to allot to Quarantine Server.

NOTE If the Quarantine directory reaches the maximum size set in step 4, NAVCE will not accept any new files until the administrator empties the directory.

5. Place a check mark next to Listen on IP and then type the port number that Quarantine Server will use to accept file submissions; you can choose any number between 1025 and 65536.This will be the port that your clients will use to forward any infected files to Central Quarantine Server, as such you’ll need to ensure that you’ve enabled whatever port you’ve selected within your internal network configuration. Otherwise, clients will be unable to submit virus-infected files to Quarantine. (You’ll then need to configure your outgoing network traffic to allow traffic to pass from your Quarantine Server to Symantec; we’ll cover this in the next section.)

www.syngress.com

393

394

Chapter 9 • Securing Your NAVCE 7.6 Environment

Configuring Firewall Settings If your NAVCE server is sitting on the protected side of a firewall, you’ll need to allow access to certain network ports and .exe files in order for things like LiveUpdate to function properly. In this section, we’ll list the ports that NAVCE requires, as well as other relevant firewall-related security settings. Remember to consult your individual firewall documentation to determine the exact steps you’ll need to follow in order to allow NAVCE-related traffic to pass.The actual steps you’ll take to open these ports will be dependent on the manufacturer and model of your firewall device or software. When in doubt, consult the vendor documentation or Web site.

Enabling NAVCE Communication The core NAVCE application uses the following network ports to communicate from client to server, as well as between servers. Depending on your physical network layout, you will need to enable some or all of the ports listed in Table 9.4. Table 9.4 Port Requirements for NAVCE Core Components Application

TCP/UDP

Port Number

Intel PDS Service Roaming Client with NAVCE 7.6 RTVScan Transman

UDP UDP UDP UDP

38293 1056 2967 38037

WARNING If port 2967 is not available, NAVCE will attempt to use a dynamic port. This port will be assigned by the NAVCE server and can be different every time it requests a port. If you need to configure RTVScan to request a different port, you can configure a different value by editing the following Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\ VirusProtect6\CurrentVersion\AgentIPPort. All usual disclaimers regarding the dangers of manually editing the Registry apply. Test, back up, back up again, and test some more before implementing this change in a production environment.

www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9

Configuring LiveUpdate Access LiveUpdate creates a central point on your network for all product and virus signature updates from Symantec, greatly simplifying your virus protection strategy. In order to function properly from the designated NAVCE server, LiveUpdate requires use of the ports, .exe files, and Internet domains listed in Table 9.5.These items must be available for both inbound and outbound traffic, as LiveUpdate will send an outbound request to the Symantec servers, and any updated virus definitions will then need to enter the network in order to be propagated to your NAVCE clients. Table 9.5 Firewall Configuration for LiveUpdate LiveUpdate Configuration Information Port Type (TCP/UDP)

Port Number

TCP TCP TCP

80 (HTTP) 21 (FTP) 443 (HTTPS)

.exe Filename

Description

Lucomserver.exe Runlr.exe

Live Update Communication* LiveReg Subscription Updater*

Internet Domains anyhost.symantec.com anyhost.symantecliveupdate.com anyhost.akamai.net * typically found in C:\Program Files\Symantec\LiveUpdate

Symantec currently provides its LiveUpdate content via Akamai, Inc., which has over 8,000 servers worldwide to provide sufficient availability for customers downloading new virus signatures. Because of this large number of servers, Symantec recommends against basing any firewall rules on IP addresses, as there is no reasonable way to expect that those 8,000 machines will always maintain the same IP information.

www.syngress.com

395

396

Chapter 9 • Securing Your NAVCE 7.6 Environment

NOTE For an additional level of NAVCE security, configure a test server on your network to ensure the validity of all new antivirus definitions. This will eliminate the potentially disastrous threat of a malicious executable being mistaken for a LiveUpdate package, as well as the more common (but still thankfully rare) issue of catching a “buggy” antivirus definition before it’s propagated to your clients. Once you’ve tested the update on your test server, you can copy the .VDB file to the ~\Program Files\NAV directory on your primary NAVCE server. (Be sure to configure any secondary servers to retrieve their updates only from the master server, not from a LiveUpdate server.) You can also use this configuration to test patches or hotfixes that Symantec releases to correct any security vulnerabilities within the NAVCE software itself.

Allowing Access for AMS2 The AMS2 service provides administrators with timely notifications via e-mail, pager, and Windows Messaging regarding virus infections on a network.This service relies on the Intel Ping Discovery Service (PDS), as well as the msgsys.exe application in order for alerts to function properly.To ensure that both items perform as expected, open up the following ports on your firewall: ■

UDP Port 38293 (for PDS)



UDP Port 38037 (for PDS)



TCP Port 38292 (for msgsys.exe)

NOTE Just like LiveUpdate, these ports need to be enabled for both inbound and outbound traffic.

www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9

Configuring Quarantine Server Ports Symantec Quarantine Server requires specific network ports in order to communicate with the Symantec Security Response, the auto-response server to which it submits quarantined files for analysis. Unlike the firewall configuration necessary for LiveUpdate and AMS2, Quarantine Server requires ports opened for outbound traffic only. Further, the ports that Symantec Quarantine Server requires are only open for the time it takes NAVCE to submit a file to Symantec; the ports don’t remain constantly open.To enable Symantec Quarantine Server to function behind a firewall, you need to enable the following three ports: ■

TCP Port 2847 (for file transmission)



TCP Port 2848 (for file transmission)



TCP Port 80 (HTTP, used to retrieve virus definition updates via LiveUpdate)

Securing NAVCE 7.6 Windows NT/2000 Servers There are any number of ways in which you can secure a NAVCE installation on a Windows NT or Windows 2000 server. Some of these steps are specific to NAVCE, but you can also take other measures to secure the operating system and network protocol themselves. Remember, your NAVCE installation is only as secure as the hardware it resides on. In this section, we’ll examine some of the options available to increase the security of your Windows NT/2000 server machines.

Locking Down the NAVCE Installation After you’ve installed NAVCE and created a server group, the first thing you should do is assign a password to the group so that no one can make any unauthorized changes to your NAVCE server or client configurations.The default password for any server group is symantec, which is scarcely a security measure at all. If you are managing multiple server groups, you can set all of them with the same password, or else create different passwords to allow for distributed management—for instance, establishing a separate server group at a remote branch office, with the local administrator responsible for securing the server group with a separate password. www.syngress.com

397

398

Chapter 9 • Securing Your NAVCE 7.6 Environment

Creating or Changing a Server Group Password To create a new server group and establish a unique password, do the following: 1. Open the Symantec System Console (SSC). Right-click the System Hierarchy in the left-hand pane, then select New | Server Group. Enter a name for the server group and click OK, as shown in Figure 9.3. Figure 9.3 Creating a New Server Group

2. Right-click the System Hierarchy again and select Refresh to update the server group listing. Right-click the desired server group, then select Configure Server Group Password. Enter the current (old) password, then enter the new password twice to confirm, as illustrated in Figure 9.4. Click OK when you’re finished. NAVCE will display a message indicating that the password was changed successfully. Figure 9.4 Changing a Server Group Password

3. Once you’ve established a server group password, the SSC will prompt you for it every time you open the console. If you need to reconfigure the SSC to automatically lock your server group, right-click System Hierarchy and select Properties. Place a check mark next to Lock All Server Groups When Exiting Console, as illustrated in Figure 9.5. Figure 9.5 Locking Server Groups When Exiting the SSC

www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9

NOTE We recommend against selecting Save This Password when unlocking a server group, as you’re effectively defeating the purpose of having a password in the first place. If someone obtains use of your workstation, they will be able to access and change your NAVCE settings without any obstacles.

Hardening the Windows Operating System Establishing and using a server group password is the first step in securing your NAVCE installation. However, there are steps you can take to increase the security of the machine it resides on as well. While by no means an exhaustive reference, the following tips will help you create a more secure Windows NT or 2000 server for your NAVCE server installation.

NOTE As with any recommendations regarding nondefault configuration changes: be sure to test all aspects of these security updates in a test environment before implementing them on a production server. And, of course, always have a good backup ready in case something unexpected happens.

Providing Physical Security for Your Windows NT/2000 Server Securing servers requires attention to all aspects of IT security. If even one facet of your security structure can be circumvented, then all the money in the world spent on the rest of your security plan won’t matter a bit. Because of this, physical security is equally important to your security plans as antivirus protection, firewalls, and the like. After all, if someone can gain physical access to the equipment, then even the most innocuous user can wreak untold havoc on your critical systems.You can ensure the physical security of your NAVCE servers by remembering the following points: www.syngress.com

399

400

Chapter 9 • Securing Your NAVCE 7.6 Environment ■

Install the server behind a locked door, and ensure that all keys are carefully accounted for. Re-key the server room door after any staff turnover.



Keep the CPU case locked during day-to-day use, and manage access to CPU keys just as you would the keys to the server room itself.

WARNING Make sure you maintain a backup copy of all keys in a location that is off-site but easily reachable in the event of an emergency: a bank safedeposit box would be a good choice.



Disable the server’s floppy disk and CD-ROM in the hardware BIOS to prevent an intruder from using them to bypass the NT/2000 login system.



Don’t forget about your backup tapes! Malicious intruders often target backup tapes in order to obtain access to confidential company data. Establish a schedule for rotating backup tapes off-site, and store the local copies in a locked cabinet or safe.

Configuring the Operating System for Maximum Security Once you have attended to the physical security of your servers, you can turn your focus to the operating system software. Here are some recommended OS configuration options to keep in mind when securing a NAVCE server: ■

Rename the Administrator and Guest accounts to more harmlesssounding account names like jsmith or tbrown in keeping with your account naming conventions.To lure potential attackers off-track, create a “fake” Administrator and Guest account, and leave them permanently disabled. Also, avoid common service account names like “backup,” “MSSQLAgent,” and so on as these are also common targets for wouldbe intruders.



Use the NTFS file system to secure the hard drives on which the operating system and the NAVCE software reside.The default permissions

www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9

on most Microsoft operating systems allow the Everyone group Full Control; therefore, test the effects of limiting these permissions for nonadministrative users. (As with most permission changes, use a test server before making any permanent changes, as you can potentially render the server OS inoperable by mistake.) ■

Configure system auditing, then establish a schedule to regularly monitor the Event Viewer logs for signs of improper access or access attempts.



Configure a warning message to be displayed at logon. Everyone has heard the apocryphal story of the company that failed in its attempts to prosecute a hacker because their login screen simply read “Welcome.” At minimum you should configure a simple message such as “This is a private computer system, unauthorized use is prohibited.”



Do not allow the server to be shut down without logging on.This is configured via policies in Windows 2000 and via a Registry setting in NT4, and will prevent an unauthorized user from clicking Shut Down by simply pressing Ctrl+Alt+Del.They will instead be required to present a valid User ID and password before being allowed to shut down the operating system.

NOTE There are exceptions to every rule, and the recommended Do Not Allow Shutdown… setting is no different. In cases where you are housing your servers in a dedicated machine room, you may wish to allow shutdown from the Ctrl+Alt+Del dialogue box. This way, if your NAVCE server needs to be rebooted in the middle of the night, the machine room operators won’t need logon access to the server in order to reboot it for you. You’ll need to base this decision on your comfort level with your systems’ physical security; and remember to document your configuration choices.

www.syngress.com

401

402

Chapter 9 • Securing Your NAVCE 7.6 Environment

Configuring & Implementing… Securing TCP/IP Even if you’re not using a firewall or other network security device, you can still filter the network traffic that your server will accept by only allowing specific TCP and UDP ports to access the machine itself. (Unlike fully featured firewalls, however, this will only affect inbound network traffic—outbound traffic will continue as normal. Also, you will not be able to block ICMP traffic in any way.) To access these configuration options, select either of the following: ■

In Windows NT4, select the Network applet within the Control Panel and select Properties. From the Protocols tab, select the TCP/IP Protocol Properties option. Select the IP Address tab, then Advanced. Place a check mark next to Enable Security and click Configure.



From a Windows 2000 machine, select the Local Area Connection Properties sheet. Then, from the General tab, click Internet Protocol (TCP/IP) | Properties | Advanced | Options | TCP/IP Filtering | Properties. Regardless of the operating system in question, you’ll see the screen shown in Figure 9.6.

Figure 9.6 Configuring TCP/IP Filtering

In each column, (TCP Ports, UDP Ports and IP Protocols), you can select either of the following options: ■

Permit All Permits all packets for TCP or UDP traffic. Continued

www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9



Permit Only Allows only selected TCP or UDP traffic. Click Permit Only, click Add, and use the list of required protocols in the Configuring Your Firewall Settings section to restrict traffic going to your NAVCE server.

Make sure to test this configuration first for adequate response times, as enabling TCP/IP filtering will create some additional processor and bandwidth overhead on the server it’s running on.

Protecting Terminal Servers NAVCE offers protection to Windows NT and 2000 Terminal Services (TS), including the client sessions created on these servers.The major differences between Terminal Services protection and the services offered on other NT/2000 servers lie in the Alert function, as well as the need to prevent users logged into TS clients from running virus scans against the server.You’ll need to keep the following points in mind when designing a protection scheme for your Terminal Servers. ■

The client for Terminal Services will not monitor any activity that takes place on the client’s local hard drive.To ensure complete virus protection, you’ll need to install NAVCE on the local hard drive as well.



Virus alerts cannot be routed to different virtual client sessions, nor can you run the SSC console from within a Terminal Services session. However, if you are logged directly into the server console itself, both of these items will function properly.



vptray.exe (the program that displays real-time protection status) does not load during a terminal services session, though it will run on the server console itself.



NAVCE will not protect network drive letter mappings that are created during a terminal services session.

Restricting Virus Scans on Terminal Servers In order to prevent users logged into virtual sessions from launching resourceintensive virus scans of your terminal server, you’ll need to restrict the availability of these functions to your end users.You’ll accomplish this through the Appsec utility, which is installed in the Administrative Tools folder on a Windows NT4 Terminal Server, or in the Windows 2000 Resource Kit. Appsec will create an www.syngress.com

403

404

Chapter 9 • Securing Your NAVCE 7.6 Environment

authorized list of applications that Terminal Services users will be permitted to launch from a virtual session.To enable Appsec security, follow these steps: 1. Launch the Appsec utility by clicking Start | Programs | Administrative Tools | Application Security in NT4, or Start | Program Files | Windows Resource Kit | Tools | Alphabetized List of Tools | Application Security in Windows 2000.You’ll see the Authorized Applications window shown in Figure 9.7. Figure 9.7 Authorized List of Terminal Server Applications

2. In the Security window, place a check mark next to Enabled, and add all necessary .exe filenames to the list of Authorized Applications. (Notice that Appsec enables many of the .exe files necessary for Windows to function for you.) If this is the first time you’ve enabled AppSec, you’ll receive the warning message shown in Figure 9.8, informing you that any changes you make will not affect any currently connected TS clients until they logout and reconnect. Figure 9.8 Running AppSec for the First Time

WARNING As with all security configurations, make sure to test any changes you make before deploying them en masse to your client base.

www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9

Managing Access to the NAVCE 7.6 Registry Keys on NT/2000 Servers Restricting user access to the NAVCE Registry keys editing tools such as regedit.exe is imperative in maintaining the security of your antivirus protection strategy. One way of accomplishing this is to deny non-administrative users access to Registry editors such as regedit.exe.You can accomplish this via the Group Policy Editor in Windows 2000 Active Directory or the System Policy Editor in NT4.These tools make available a GUI-enabled environment in which security changes can be made with a single mouse-click.

WARNING A full discussion of Windows NT/2000 system policies is beyond the scope of this book. For additional information, consult the Microsoft Web site or check out Hack Proofing Windows 2000 Server (Syngress, ISBN: 1-931836-49-3).

1. From the Windows 2000 administrative tools, click Active Directory Users and Computers. Right-click your domain name and choose Properties and click the Group Policy tab. 2. In the left-hand pane, navigate to User Configuration | System. You’ll see the screen shown in Figure 9.9. Figure 9.9 System Configuration Options in Group Policy

4. Double-click Disable Registry Editing Tools in the right-hand pane, and click the radio button next to Enabled. Click OK when finished. www.syngress.com

405

406

Chapter 9 • Securing Your NAVCE 7.6 Environment

The local security policy will refresh automatically within 90 minutes, or when the PC is rebooted. Once you’ve performed these steps, the workstation user will receive the error message shown in Figure 9.10 if he or she attempts to access any Windows Registry editing tools. Figure 9.10 Error Message Once Registry Editing Has Been Disabled

Another option, referring back to Figure 9.9, would be to enable Don’t Run Specified Windows Applications, and configure it to include regedit.exe and regedt32.exe. Which plan you choose will depend on the specific needs of your environment.Test everything before you implement it on a production system!

Auditing Access to the Windows Registry It’s not enough to configure Registry security and then simply assume it’s working.You should configure your Windows systems to audit the Registry for any unauthorized access, and ensure your security settings are really functioning the way they should be. Just like the Registry permissions, you’ll enable Registry auditing using the REGEDT32 utility on any Windows NT/2000/XP system. For Windows NT4, open REGEDT32, navigate to the key you want to audit, then click Security | Auditing. In Windows 2000 and Windows XP, you’ll select Security | Permissions | Advanced, then select the Auditing tab. Whichever operating system you’re dealing with, you’ll set up the Auditing function in the same way. Begin with the screen shown in Figure 9.11.You can see that no auditing is currently enabled on this Registry key. Click Add to create an auditing entry.You can set a single audit policy for your entire user base, or create more detailed entries for a specific user or group of users. In this case, we’ll select the “Everyone” group as depicted in Figure 9.12. Once we’ve selected the user or group(s) that we want to audit, we then choose the actions we want to watch out for.You can audit the success or failure of the following actions: ■

Query Value Attempts to read one of the key’s values



Set Value Attempts to change a key value or create a new key value

www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9 ■

Create Subkey Attempts to create a new subkey under the current key



Enumerate Subkeys Attempts to query the key for a list of its subkeys



Notify Provides notification events generated by the key



Create Link Attempts to create a symbolic link to the key



Delete Attempts to delete the key, one of its subkeys, or one of its values



Write DAC Attempts to change the security permissions to the key and its subkeys and values (DAC refers to “Discretionary Access Control,” which simply means the security settings are user-configurable and not mandated by the operating system)



Read Control Attempts to access the security permissions for the key

Figure 9.11 Enabling Registry Auditing

Figure 9.12 Selecting a User Group to Audit

Generally, you should be more concerned with attempts to modify, delete, or change the security permissions of a Registry key than attempts to read or query

www.syngress.com

407

408

Chapter 9 • Securing Your NAVCE 7.6 Environment

a key, as the latter is most often simply NAVCE or other software performing normal functions. You can enable auditing on the NAVCE subkey (HKEY_LOCAL _MACHINE(HKLM)\Software\Intel\LANDesk\VirusProtect6\Current Version) to ensure that your NAVCE security settings are functioning properly, and to monitor for any potential attacks. Other non-NAVCE-specific Registry keys that might be suitable candidates for auditing include the following: ■

HKLM\SYSTEM\CurrentControlSet\Control\Lsa



HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders



HKLM\SOFTWARE\Microsoft\Windows NT\ CurrentVersion\Winlogon

WARNING Auditing system access creates a small amount of processor overhead on the system being monitored—while this should be negligible, it still warrants testing before implementing it on a large scale.

You can view any events that are recorded by the Auditing function in the NT/2000/XP Event Viewer, most commonly found under Administrative Tools. All of these entries will be listed in a Security log entry like this one, which you can see was a successful attempt to query and enumerate a subkey of SOFTWARE\INTEL: Event Type:

Success Audit

Event Source:

Security

Event Category:

Object Access

Event ID:

560

Description: Object Open: Object Server:

Security

Object Type:

Key

Object Name:

\REGISTRY\MACHINE\SOFTWARE\INTEL\Intel 3D Scalability Toolkit

New Handle ID: Accesses

www.syngress.com

440 READ_CONTROL

Securing Your NAVCE 7.6 Environment • Chapter 9 Query key value Enumerate sub-keys Notify about changes to keys

Privileges

-

NOTE If you are operating a domain environment, you’ll need to enable auditing at the domain level before it will function on an individual server or workstation.

Securing NAVCE 7.6 Novell NetWare Servers NAVCE supports antivirus protection from a Novell NetWare server running either the TCP/IP or IPX network protocol.The steps in securing a Novell NAVCE server are largely similar to those involved in securing a Windows NT or 2000 server. In this section, we’ll cover the steps necessary to configure your NetWare servers to forward infected attachments to Quarantine Server using the IPX protocol, as well as how to make certain that clients attaching to a NetWare server will receive automatic definition updates. We’ll conclude with a few overall recommendations for securing a Novell NetWare server.

Enabling NetWare Servers to Forward to Quarantine Server Using the IPX Protocol In order for NetWare servers to forward to Quarantine Server using IPX instead of TCP/IP, you’ll need to determine the IPX address of Quarantine Server, as you’ll configure forwarding using this instead of the server’s computer name. Follow these steps to determine the IPX address of Quarantine Server: 1. From a command window on Quarantine Server, find the Network number and device number by typing ipxroute config.

www.syngress.com

409

410

Chapter 9 • Securing Your NAVCE 7.6 Environment

TIP While an IP address has a format like 192.168.1.2, an IPX address will consist of an 8-digit number followed by a 12-digit number. The network number and device number are separated by a dot (.).

2. Type these numbers into the Server Name textbox in the following format: Network Number.Device Number.

Configuring FTP Downloads of Antivirus Updates for NetWare Servers Before a NetWare server can automatically update virus definitions for NAV CE from the Internet, you must first properly configure FTP on the server itself so that it can establish an FTP session to ftp.symantec.com. Keep the following points in mind when configuring NetWare for FTP connections: ■

To use FTP on your NetWare server, you’ll need to make sure you’ve installed the TCP/IP protocol. If you’re running NetWare 5.x (and now 6.x),TCP/IP is installed by default. Configure TCP/IP using the INETCFG utility to point to your LANs DNS server(s)s and Internet gateway.



Install Unix Print Services: from NetWare 5, run NWCONFIG from the command line and install it from the ~\NWUXPS directory on your NetWare CD. With systems earlier than NetWare 5, Unix Print Services can be installed using install.nlm and selecting Install product not listed… In either case, make sure to reapply the latest Novell Support Pack after installing.



You’ll configure FTP itself through the UNICON console in NetWare: load UNICON from the command line. NetWare will prompt you for the admin login and password before allowing you to complete the configuration process.

Testing the FTP Function in Novell NetWare Simply configuring NAVCE for virus updates isn’t sufficient to protect your network: you need to make sure that the download process is functioning properly. www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9

While we’ll cover troubleshooting your NAVCE installation more fully in Chapter 11, what follows is a quick way to test that FTP is functioning. 1. Open the NetWare console Command Line Interface (CLI). 2. Type unicon and then press Enter. 3. Enter your admin username and password. 4. Click Perform File Operations, followed by Copy Files Using FTP. 5. Enter ftp.symantec.com as the target FTP server. Use the username anonymous and enter your e-mail address as the password. 6. Press Enter to open the FTP connection. If the FTP service is functioning correctly, you should now have an FTP session open with ftp.symantec.com. 7. Navigate to the following directory :/public/english_us_canada/ antivirus_definitions/norton_antivirus_corp.You should see a listing of various definitions and files. 8. Press Esc until you return to the Copy Files Using FTP menu option and press Enter. 9. When satisfied that your FTP connection is working, press Delete to close the session to ftp.symantec.com, and Esc again until you’ve exited the UNICON utility. If the preceding steps fail to connect to ftp.symantec.com, then try pinging a remote Internet site using the NetWare CLI from the NetWare console CLI.

Securing Your NetWare Servers Many of the general security recommendations for a NetWare server are identical to those listed for NT and 2000 machines. Physically securing the NetWare server is critical; if an intruder gains unhampered physical access to the server console, they can compromise the machine and the entirety of its applications and data by loading malicious NetWare Loadable Modules (NLMs), removing auditing capabilities and more. Other NetWare-specific security measures available to you include: ■

The SCRSAVER.NLM utility, which locks the screen and prompts for an administrative username and password before allowing access to the console. Place this NLM in the autoexec.ncf file to ensure that it loads every time you bring the NetWare server online. www.syngress.com

411

412

Chapter 9 • Securing Your NAVCE 7.6 Environment ■

Disabling RCONSOLE and RCONSOLJ, the two NetWare remote access utilities. Both have a known weak password encryption algorithm, and an intruder might be able to trap the REMOTE password, and gain access to the console. Also, for Rconsole and RconJ to execute on startup, you’ll be required to enter passwords into an unencrypted text file. (This vulnerability alone makes RCONSOLE a favorite target for NetWare attackers.)

WARNING NAVCE is not compatible with the NetWare secure console utility, which prevents NLMs loading from any directories other than SYS: SYSTEM and C:\NWSERVER. If you’ve accidentally enabled secure console, you’ll need to shut down and reboot the NetWare server to allow NAVCE to function properly again.

Securing NAVCE 7.6 Client PCs NAVCE allows a number of configuration options that provide more secure antivirus protection for your client PCs. Effective planning of your server and client installation will stand you in good stead here, as any configuration options that you set from the SSC before performing your installations will be locked and unchangeable at the client level. (Don’t worry, though, if you need to make changes later. SSC will propagate those out to the client workstations as well.) The largest benefit of locking down client configurations is that end users will not be able to change NAVCE options that you, the administrator, have set.This includes scan configuration and schedules, as well as LiveUpdate settings. Locking client options ensures that all of these configured options will be implemented uniformly on your client PCs. For example, there are options within the NAVCE scan types that prevent users from canceling a scan while it is being performed. (Configuring antivirus scans is covered in greater detail in Chapter 12.)

www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9

Monitoring NAVCE Client Definitions One of your most important administrative tasks in securing your NAVCE client PCs is ensuring that all of your clients are receiving the most recent antivirus definitions. Check the main Symantec Web site for the most recent definition file, then compare that against the client view in the Symantec System Console, as shown in Figure 9.13. Workstations that are one definition file “behind” are probably not yet a cause for concern, as they may have been powered off when the latest updates were configured—perhaps a user was on vacation. But if a subset of client PCs (or the entire server group) are severely out-of-date, you’ll need to verify that LiveUpdate is functioning properly on your network.You can also use this view to determine the last time a full scan was run on a client workstation, as well as what version of the NAVCE software they’re currently using. Figure 9.13 Verifying Client Definition Files

NOTE Figure 9.13 was taken from a live network to show you a real-world solution in use. The clients’ names have been removed to keep their identities secure. This is not how the console normally looks so be aware that your clients’ NetBIOS names will in fact appear next to the computer icons on the left-hand side of the console.

www.syngress.com

413

414

Chapter 9 • Securing Your NAVCE 7.6 Environment

Preventing a User from Canceling a Virus Scan When configuring a manual or scheduled virus scan against an individual client, server, or server group, the Scan Advanced Options screen will allow you to specify whether or not you want the user to be able to cancel the scanning process. You can either remove the check mark next to Show scan progress on computer being scanned (as illustrated in Figure 9.14) or allow the scan progress to be shown while removing the Stop button from the progress window. Either will permit the virus scan to run without potential interruption from the user. Figure 9.14 Preventing a User from Canceling a Manual or Scheduled Virus Scan

WARNING If you configure your virus scans to show the progress window, don’t forget to place a check mark next to Close scan progress when done to avoid end-user confusion.

NAVCE also provides the option to scan memory as well as boot records and hard drive files whenever a DOS or Windows 3.x client logs onto the network. Similar to the scan options available for 32-bit clients, you can configure login scans so that the end user cannot cancel them. Right-click the appropriate server or server group, then select All Tasks | Norton AntiVirus | Client Logon Scan and Installation. (This will also be covered more fully in Chapter 12.) From the Client Logon Options screen shown in Figure 9.15, place a check mark next to Don’t allow user to cancel login scan.

www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9

Figure 9.15 Configuring Client Login Option Scans

We’ll also discuss another piece of client security in Chapter 12—specifically, locking NAVCE scanning options on 32-bit client PCs. When you perform this step, end users will be unable to change any custom scan settings that you’ve set from the NAVCE server, including disabling real-time protection or the timing of any scheduled scans. For complete instructions on locking client options, refer to the appropriate section in Chapter 12.

Managing Access to the NAVCE 7.6 Registry Keys on NT/2000/XP Client PCs Another important factor in securing your NAVCE client machines is restricting user access to the system Registry. Much of the work on a Windows client takes place in the Registry; it is where software application and operating system configuration settings typically reside. Allowing all users unfettered access to the Registry is akin to allowing your five year old to play with a monkey wrench under the hood of your car without supervision: your automobile could be rendered inoperable even without your child intending to do any harm. As we previously discussed in the section on Restricting Access to the Registry in Windows NT/2000, you can use Group Policy or the System Policy Editor to protect the Registry at the server level.

www.syngress.com

415

416

Chapter 9 • Securing Your NAVCE 7.6 Environment

NOTE If you’re operating in a workgroup environment that does not rely on domain security for authentication, you can edit the GPEDIT.MSC file on a stand-alone Windows 2000 machine. You’ll have a very similar configuration. Alternatively, Symantec has also provided the Reset ACL Utility allowing administrators to restrict access to the specific Registry entries created by a NAVCE installation. We will discuss the use of this utility in the next section.

Introducing the Reset ACL (resetacl.exe) Tool When NAVCE is installed to a Windows NT 4.0 Workstation client, all users of the machine will have full access to all Registry settings associated with the program.This would allow a malicious or unwitting user to change their workstation’s scan settings or even stop the NAV services altogether.To combat this, NAVCE offers the resetacl.exe utility to limit access to the NAVCE Registry key—HKEY_LOCAL_MACHINE(HKLM)\Software\Intel\LANDesk\ VirusProtect6\Current Version—to administrative users only.You can see a sample login script in Figure 9.16.To use the Reset ACL tool on your network, you’ll need to do the following: 1. Copy the resetacl.exe file (found in the ~\ADMTOOLS folder) to all desired NT4 Workstation clients. Depending on the number of clients involved, you can perform this through a login script or by manually using administrative shares.

NOTE Remember that Windows NT4/2000/XP create administrative shares at the root of each workstation drive, denoted with the drive letter followed by the “$” character. The $ denotes a hidden share—that is, one that isn’t visible through normal browsing of the Windows network. You can access administrative shares using the syntax of \\%workstation-name%\ drive-letter%$: \\nt4wks\c$, for example. (Even Windows 95/98 can be manually configured to create these administrative shares.)

www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9

Figure 9.16 Sample Login Script for a Windows Network

2. Run the utility from each workstation you want to protect. Once resetacl.exe completes, only members of your Administrators group will be able to access the Registry key that controls NAVCE’s functions on the workstation.

NOTE You can find more information about Windows Scripting at http://msdn.microsoft.com, or look on the Symantec home page for specific scripting information about Symantec products.

3. In addition to being unable to change NAVCE’s Registry settings, nonadministrative users will also find the following restrictions after resetacl.exe has been run: ■

Users will be unable to start or stop the NAVCE service, either using the client console or the Services Control Panel applet.



LiveUpdate will not be able to run, nor can non-administrative users schedule it to run.



Most configuration options will be unavailable. Users will be unable to disable real-time protection or change e-mail scanning options.



Users will be able to change manual scanning options, but these changes will not be saved to the Registry; the next time a manual scan is run, it will revert to the default or administrator-set settings.

Special Considerations When Using the Reset ACL Tool While limiting user access to the NAVCE Registry keys may seem like a nobrainer of a good idea, there are a number of factors to bear in mind before www.syngress.com

417

418

Chapter 9 • Securing Your NAVCE 7.6 Environment

running the Reset ACL tool across your entire network. First and foremost, resetacl.exe does nothing more than provide an automated tool to edit Registry settings and permissions. Editing the Registry is an inherently risky proposition, and one that can render a computer problematic or even inoperable. And unlike many other Graphical User Interface (GUI) Registry editing tools, Reset ACL does not offer any means of protecting you from yourself…there’s no “Undo/Are You Sure?/No-Wait-I-Really-Really-Didn’t-Want-To-Do-That” option. resetacl.exe assumes that if you’re running the tool, then you clearly must understand (and want) all of the changes associated with it. So, before you roll out the Reset ACL tool to your production workstations, it is critical that you do the following: ■

Test the usefulness of this utility for your Windows clients. Select a “guinea pig” workstation—or even better, use a disk-imaging utility to replicate your corporate hard drive and desktop settings onto a spare PC—and test all aspects of its operation after applying resetacl.exe . For example, a traveling laptop user might not be a good candidate for resetacl.exe as he or she will likely be relying on LiveUpdate to receive new antivirus signatures, and this utility will render that function inoperable. Nor should you limit your testing solely to NAVCE’s functions. Make sure that the entire workstation operates as you think it should, as seemingly isolated Registry changes can often have unexpected and cascading results on other user applications and operating system functions.



Back up your data! This is the most critical part of testing a new function on a production system, whether it be a server or workstation. As administrators, we are sometimes so eager to implement a new security measure or software update that we simply assume that it’s going to work, and apply it without taking appropriate measures to protect our assets. Imagine how unhappy the Senior Director of Department ABC would be if he or she found her PC unusable after you applied what you told her would be a “10-second software update.” Even if you’ve tested Reset ACL against test machines, and even if it’s worked perfectly for the last 15 machines you’ve updated, take the extra few minutes to back up the workstation’s Registry, as well as any data files stored on the local drive.You’ll be glad you did if anything goes unexpectedly awry.

Undoing resetacl.exe Changes To reset the Registry alterations made by the Reset ACL utility, you will need to edit the Windows Registry manually. (All disclaimers made in the previous section www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9

about the risks associated with editing the Registry go doubly here, since you’re working entirely without a net at this point.) Click Start | Run, then type regedt32.exe and click OK. For those who are not familiar with REGEDT32, it is slightly different from the regedit.exe utility that was introduced with the first iteration of the Registry in Windows 95. REGEDT32 came onto the scene with Windows NT4, and is used primarily to edit security permissions on specific Registry keys and subkeys, a function that REGEDIT does not offer

NOTE You can also use regedt32.exe to make manual adjustments to the permissions assigned to the NAVCE Registry keys, thus bypassing the Reset ACL utility altogether. In our traveling laptop user example, this would allow you to assign specific permissions to his or her individual user account, while still locking down the Users Group as a whole. Remember to test any changes you make before implementing them on a production network.

From the main REGEDT32 screen, navigate to the Registry key that was affected by Reset ACL: HKLM\Software\Intel\LANDesk\VirusProtect6\ Current Version, then click the Security menu and select Permissions.You’ll see a screen similar to the one in Figure 9.17. Click the entry for the Users group, and re-enable the check mark next to Full Control on the Permissions screen. (If the Users group is missing, click Add to enter it manually.) When you’ve finished, click OK and reboot the PC for the permission changes to take effect. Figure 9.17 Changing Registry Permissions Using regedt32.exe

www.syngress.com

419

420

Chapter 9 • Securing Your NAVCE 7.6 Environment

Summary Securing servers requires a holistic approach: if one aspect of your security plan is weak, all the time and money expended on the rest of it won’t make much of a difference at all. In this chapter, we examined security issues in implementing a NAVCE server, from high-level concerns such as creating an overall network security policy to configuration information that’s specific to the NAVCE software itself. And though operating system configuration is really a topic for another book, we also looked at some tips for securing both Microsoft and Novell operating systems. Establishing an overall network security plan for your organization is critical to the success of any individual component of that plan, whether you’re concerned with antivirus protection, disaster recovery, or any other factor. In determining your company’s overall security philosophy and plan, it’s critical for you to have an understanding of the types of threats that a network will face, especially one connected to the Internet and the World Wide Web. As such, Chapter 9 discussed security threats, including hackers, Denial of Service attacks, natural disasters, and the like. We then continued with a discussion of securing your entire network infrastructure, touching on your network infrastructure, Microsoft and Novell server operating systems, and, finally, the NAVCE software itself. When creating your own security plan, remember that a network security policy is only as good as its weakest link.You need to provide for all elements of security, including physically securing servers and configuring security measures within your server and workstation operating systems. Most major software and hardware vendors provide links to security patches and fixes on their Web sites. Make sure your configurations remain current in order to avert any newly devised attack.

Solutions Fast Track Evaluating Security Requirements for Your Organization ; Determine the Who, What, and Where? of your users’ computing needs:

which departments/business processes will be affected by these security requirements, which applications do they require to get their jobs done,

www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9

and where are the departments located in relation to the network services that they require?

; Remember the old USENET adage regarding password security: A

password should be like a toothbrush: use it every day, change it often, and never share it with anyone else.

; Document all aspects of your security plan, including any Acceptable

Use policies and Disaster Recovery strategies you have in place.

Developing a Security Solution for NAVCE 7.6 ; Create a consistent antivirus monitoring strategy, and use it to

communicate with all levels of your organization—not just the IT staff.

; Designate a Windows NT/2000 or Novell NetWare server to provide

NAVCE services for your network. Determine whether NAVCE will be the only application offered by this machine, or if you’re going to install the service onto an existing file and application server.

; Select the network protocol or protocols that the NAVCE server will

use to communicate with your clients and servers. Remember that, in order for updates to function properly, the NAVCE server must have at least one protocol in common with all servers and clients.

; If your network environment requires you to run TCP/IP and IPX on

your NAVCE server machine, ensure that the addition of a second network protocol does not create unacceptable levels of network traffic and processing overhead.

Implementing Your Security Solution for NAVCE 7.6 ; Install the Central Quarantine Server and configure your NAVCE

clients to forward any infected files there.

; Within Quarantine Server, use the Internet-based delivery method for

automatic routing of any suspect files to Symantec Security Response, or SMTP mail-based delivery for manual handling.

; Use the tables listed in this chapter to configure your firewalls and routers

to permit the ports necessary to allow NAVCE and its component functions (AMS2, LiveUpdate, and so on) to function properly.

www.syngress.com

421

422

Chapter 9 • Securing Your NAVCE 7.6 Environment

Securing NAVCE 7.6 Windows NT/2000 Servers ; Remember to consider the entire server environment, not just the

NAVCE software installation. Physical security and operating system configuration are just as important to the overall well-being of your network environment.

; Change the default symantec password when creating a new server group,

and configure the SSC to prompt for the server group password whenever you close and re-open the console. Do not select the Save Password option when unlocking the server group, or you’ll defeat the purpose of having a password in the first place.

; Use built-in Windows utilities and applets to secure access to the

Windows Registry against unauthorized intrusions, and restrict users from launching resource-intensive scans of terminal servers using the AppSec utility.

Securing NAVCE 7.6 Novell NetWare Servers ; Thoroughly configure and test the NetWare FTP service to ensure that

LiveUpdate will function properly on your network.

; When using the IPX protocol, use ipxroute config to determine your

server’s network number, as you will use this number rather than the machine name in forwarding files to Quarantine Server.

; Remember that client PCs running only the IPX protocol will not

appear in the SSC console screen.

Securing NAVCE 7.6 Client PCs ; Use the Symantec System Center console to prevent end-users from

stopping scheduled virus scans.

; Lock real-time protection options in the SSC console to ensure

consistent virus protection across your network.

; For your 16-bit clients, configure login scans so that the user will be

unable to cancel them.

www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9

Using the Reset ACL (resetacl.exe) Tool ; Reset ACL will limit your users’ ability to access or alter many key

NAVCE functions, ensuring that the configuration dictated by your antivirus strategy is not compromised.

; Test the changes made by resetacl.exe thoroughly for any unexpected

results, and be especially careful not to apply it to a workstation that relies on locally-launched LiveUpdates to obtain new virus definitions

; If you need to undo the changes wrought by RESETACL, use any

Registry editor to restore full permissions on the HKLM\Software\ Intel\LANDesk\VirusProtect6\Current Version Registry key.

Frequently Asked Questions The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: I support a small organization with a limited budget. What are the benefits of recommending the expense of a firewall to my management? Isn’t antivirus software sufficient to protect my network?

A: Connecting any private network to the Internet, regardless of its size, can expose critical and confidential data to malicious attack from anywhere in the world. Firewalls can protect anything from an individual computer to a large corporate network from hostile Internet-based intrusion. Anyone who is responsible for a private network that is connected to a public network should strongly consider firewall protection. In this connected world, firewall protection is roughly equal in importance to maintaining renter’s insurance. Facing even a single incident without it will certainly make you wish you’d decided to make the investment. In terms of the efficacy of antivirus software in completely protecting your network from threats, it is by nature only as good as the latest virus definitions, which were in turn created in response to the latest viruses. While technologies like Bloodhound Heuristics (see Chapter 12) attempt to stay

www.syngress.com

423

424

Chapter 9 • Securing Your NAVCE 7.6 Environment

one step ahead of the hacker community, someone (and realistically hundreds of someones) will become infected with a new virus threat before the makers of antivirus software can create a defense against it. A firewall will close the gap between the known virus threats addressed by antivirus definitions, and the unknown threats that crop up on the Internet every single day.

Q: Our network utilized a proxy server to restrict Internet access. How do I configure LiveUpdate to function behind a proxy?

A: By default, LiveUpdate will use the proxy server settings set up within Internet Explorer. If you need to change this default value, access the LiveUpdate applet in the Control Panel. Select I want to customize my proxy settings for LiveUpdate, and fill out all required fields, as illustrated in Figure 9.18. Figure 9.18 Customizing Proxy Settings for LiveUpdate

Q: What is the best way to determine what ports I need to open at my firewall in order for my Windows clients and servers to function?

A: I recently found a wonderful freeware utility called FPORT (available at www.foundstone.com) that will inventory a Windows-based client or server PC for all open TCP and UDP ports. Even more useful than that, however, FPORT will display exactly which service or .exe file is using the ports in question, similar to the output shown in Figure 9.19. (This is quite useful not only from a system inventory standpoint, but also in ensuring that your machines aren’t running anything they shouldn’t be.) Using a utility like this in conjunction with a detailed software inventory should be sufficient to determine what ports and/or .exe files you’ll need to enable on your firewall.

www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9

Figure 9.19 Sample Output from fport.exe

Q: What are the benefits or drawbacks of using software-based personal firewalls (like ZoneAlarm or BlackIce Defender) instead of a single enterprise firewall solution?

A: A personal firewall is most effective when used exactly as it sounds like it should be: protecting an individual (personal) computer, or providing protection for one or two PCs in a self-contained Small-Office-Home-Office (SOHO) environment. However, because they are designed to run on individual client PCs, personal firewall packages don’t offer any options for centralized management or configuration. Once you start talking about a medium- to large-sized corporate environment (anything over ten PCs), personal firewall software becomes increasingly impractical—it simply does not scale well.

Q: How can I secure the NAVCE installation for those clients who never attach to my corporate LAN?

A: For remote or traveling users who will never connect to a NAVCE parent server, you can provide a CD with a custom NAVCE installer with pre-configured LiveUpdate and other configuration settings. (You can use any software designed to create automated installation packages, including WinInstall, Systems Management Server, and so on.) While the Reset ACL tool will prevent the user from altering any of these settings, it will unnecessarily cripple the NAV installation of a remote user. Even though this will be a largely unnetworked computer, configure it in a Managed configuration anyway, as it will simplify the NAVCE update process if the user ever does need to attach it to the corporate network. For client machines that will be connecting to the network from multiple locations, use the Roaming Client Support.

www.syngress.com

425

426

Chapter 9 • Securing Your NAVCE 7.6 Environment

Q: What are some good guidelines to follow when securing a Windows or NetWare server?

A: Use the following checklist as a starting point. Some items are Microsoft- or Novell-specific; others are common to the installation of any secure computing system. As always, test these changes before deploying them in a production environment, especially those that involve Registry changes.You can also refer to Figure 9.20 for a quick visual overview of the physical layout of a typical NAVCE-protected network, and the kinds of threats you can expect to have directed against your various network components. ■

Physically secure the server. Install the server in a locked room, use a CPU case lock and maintain the keys to both in a separate and controlled (but still accessible) location.



Enable a strict password policy, including minimum password length and complexity requirements.



Disable the Guest account.



Rename the Administrator account on Windows NT/2000/XP/.NET machines.



Regularly monitor the user account list for any unusual or unauthorized account creation.



Create two accounts for your administrative users: one for everyday use, checking e-mail and so on, and a second one for actual network administration functions. (The idea here being to avoid having Domain Admins logged in all the time when it’s not strictly necessary.)



Assign Windows NT/2000 file and share permissions to the Authenticated Users group instead of the Everyone group.



Use NTFS on all NT-family disk partitions. FAT and FAT32 possess no security features.



Shut down and disable any unnecessary services, especially services like IIS and RAS that have security configuration issues of their own.



Enable auditing and configure file permissions on the Windows NT/2000 Event Viewer Security log.



Regularly monitor the Security, System, and Application logs in the Windows NT/2000/XP Event Viewer to detect any unauthorized activities.

www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9 ■

Subscribe to the Microsoft e-mail notification service to stay informed of all new patches and updates.



Use TCP/IP filtering to restrict the TCP and UDP ports that can traverse your network.



Clear the pagefile.sys at shutdown by changing the value of HKLM\ SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown to 1.



Use the Encrypted File System (EFS) in Windows 2000/XP/2003 to create an additional layer of security for your file shares.



Change the boot order in the system BIOS to prevent booting from a floppy disk or CD-ROM. In the case of extreme security concerns, remove the drives entirely.



In Novell NetWare, use the CONLOG.NLM file to record all keystroke activity on the server console.This information will be stored in the consol.log file, stored in the SYS:ETC directory.



Lock all NAVCE client options to ensure uniform virus protection on your network. Use the Reset ACL utility, if appropriate.



Hold regular user awareness training, either in person or via e-mail, memos, and so on, to maintain user awareness of antivirus and network security concerns.

Figure 9.20 Common LAN Threats Remote Clients

Remote Clients 1

Firewall

NAVCE Server

Internal Network Clients

2

3

www.syngress.com

427

428

Chapter 9 • Securing Your NAVCE 7.6 Environment

Table 9.6 Area 1 of Figure 9.20 Threat

Defense

Port scanning and network attacks, and password sniffing Out-of-date virus definitions

Enforce VPN encrypted connections Preinstall NAVCE with frequent LiveUpdates

Table 9.7 Area 2 of Figure 9.20 Threat

Defense

Operating system vulnerabilities

Proactively monitor vendor Web sites for patches Test all updates before releasing into live production Use REGEDT32 to secure NAVCE Registry keys CPU locks, BIOS passwords

Fraudulent or buggy NAVCE updates Registry attacks Physical security

Table 9.8 Area 3 of Figure 9.20 Threat

Defense

Malicious e-mail attachments Peer-to-peer file sharing Weak passwords

E-mail policies, end-user training Group policies, internal firewalls Enforce strong passwords and regular password changes CPU locks, BIOS passwords

Physical security

Q: How can I determine which of my network PCs are not attached to the NAVCE system console?

A: While there isn’t a simple way to query NAVCE to “Tell me all the clients that aren’t attached to you,” your best bet is to compare the contents of the SSC console with your list of computer accounts in Windows NT4 Server Manager or Active Directory Users and Computers in Windows 2000. Either or both of these lists can be exported to a text file for easy analysis in a spreadsheet or other reporting software.

www.syngress.com

Securing Your NAVCE 7.6 Environment • Chapter 9

Q: What do you do when you’re finally finished developing your network security policy?

A: The real answer here is that you’re never finished with a network security policy. It’s a living document that needs to grow and change along with the rest of your company’s business processes, technological advances, and security needs.

www.syngress.com

429

Chapter 10

Updating Virus Protection

Solutions in this chapter: ■

Introducing the Virus Definition Transport Method (VDTM)



Introducing Symantec LiveUpdate



Introducing Intelligent Updater

; Summary

; Solutions Fast Track

; Frequently Asked Questions

431

432

Chapter 10 • Updating Virus Protection

Introduction Virus definition files contain unique segments, often referred to as “signatures,” of thousands of viruses. Norton Antivirus Corporate Edition (NAVCE) detects viruses by comparing files that are being scanned against these virus definition files. If a pattern in a file on a computer matches that of a virus definition file, NAVCE considers the file infected and attempts to rectify the situation by performing a “Clean,” “Repair,” “Delete,” or “Quarantine” operation. Consequently, if the file being scanned does not match any patterns contained in the definition files, NAVCE considers it clean. It is therefore quite obvious that in order to protect a system, the virus definition files must always be kept current.The next step in the process is to decide how to obtain the files, how to update the client computers within a corporate environment, and how often to perform these updates. In this chapter, we will explore some of the different virus definition delivery and distribution mechanisms, their advantages and disadvantages, and their setup processes. Before we delve into these various mechanisms, let us first understand how to determine what viruses a system is capable of detecting. In order to obtain a list of viruses, you can simply launch the NAVCE client and click File | View Virus List. You can then scroll through the list (see Figure 10.1) or search for it by clicking the Find button and entering the name of the virus.You do not need to know the full name of the virus. For example, you can check for all known variants of the Nimda virus (W32.Nimda.A@mm through W32Nimda.Q@mm) by searching for “nimda.”The search is not case sensitive. Figure 10.1 Virus List

www.syngress.com

Updating Virus Protection • Chapter 10

Virus definition files have an extension of .vdb, so throughout the rest of the chapter, whenever a file is referred to as a .vdb file, you should read it as a virus definition file. A .vdb file is, quite simply, a zipped up file set that contains all the virus definitions known to Symantec as of the moment it was downloaded. Once downloaded, it is decompressed and moved into a subfolder located at C:\Program Files\Common Files\Symantec Shared\VirusDefs. As you can see in Figure 10.2, one of the folders at this location is named 20030104.003.The 20030104 number preceding the period indicates that the set of definitions contained in this folder are dated January 4, 2003.The 003 following the period is the revision number. Therefore, this entire number indicates that this is Revision 3 of the definitions released on January 4, 2003.To the veteran NAVCE administrator, this naming convention must seem different.This is because with version 7.6x of NAVCE, Symantec has started using this new user-friendly naming method. Figure 10.2 File Location for Virus Definitions

There are several virus definition update mechanisms within the NAVCE solution. ■

Virus Definition Update Method (VDTM) This is a completely automated method of updating all servers and clients in the enterprise network. It requires minimal configuration because the clients automatically connect to their parent servers to copy the updates. www.syngress.com

433

434

Chapter 10 • Updating Virus Protection ■

LiveUpdate When using this technology, LiveUpdate servers connect to Symantec’s FTP site and download the definition files. Managed servers and clients can then download the definitions from this internal LiveUpdate server.



Intelligent Updater The Intelligent Updater is an alternative to using LiveUpdate as a virus update mechanism. When downloaded and executed on a system, the Intelligent Updater searches for the Norton AntiVirus software and updates the virus definitions accordingly.



package.exe package.exe creates a single file for a target operating system.This file can be used to install the Norton AntiVirus software and also includes the virus definitions as of that date.This is a great tool for creating installation files but is not too practical for updating the definitions.



Mobile Definition Updater Using the Mobile Definition Updater, the clients receive their definitions via their enterprise e-mail.This method, although still functional, is no longer supported by Symantec.

Of the aforementioned update vehicles, we will cover the first two in significant detail and briefly review the others.

Introducing the Virus Definition Transport Method (VDTM) Virus Definition Transport Method (VDTM) is a completely automated virus definition delivery and distribution mechanism. It requires minimal configuration on the part of the system administrator. In fact, this is the default method for distributing virus definition files to servers and clients. Clients configured to use VDTM automatically connect to their parent servers over a network link and copy the updates. By now, you should be comfortable with the behavior of primary and secondary servers so we will not delve too deeply into how they interact with each other. However, we will cover the path taken by virus definitions as they travel from the Symantec Web site to their final destination at a client computer. The way that a client or server configured to use VDTM works is that it downloads an entire .vdb archive from its parent server and then decompresses them as discussed earlier. As you can imagine, with tens of thousands of virus definitions contained in each .vdb file, the file size of these archives can become quite www.syngress.com

Updating Virus Protection • Chapter 10

significant. An average .vdb file is usually over 3.5MB in size. Understandably, this places a significant load on the network links. However, since this method is completely free of configuration and maintenance, it proves to be an overwhelmingly popular method of configuration within a corporate network. You must be thinking “surely, something must be occurring in the background to make all of this work.” Well, of course! And this is where the concept of the RTVScan timer loop becomes important.

The RTVScan Timer Loop RTVScan is the core program with NAVCE. It performs functions such as alerting, discovery, scanning, processing definition updates, and so on. It also runs a Timer Loop that handles new .vdb files as it finds them on the system.This process decompresses the .vdb files and places them in a folder that reflects the date they were released on. The Timer Loop behaves differently depending upon whether it is on a client or a server. It performs the following functions: ■

Schedules events such as definition updates and scans.



On primary servers, it contacts the secondary servers every five minutes to check for virus definition versions. If the definitions on the secondary servers are not as new as the ones on the primary, new definitions are pushed out to them.



On parent servers, it checks clients every three minutes looking for virus definitions and grc.dat versions. If the definitions on the client are not as new as the ones on the parent server, new definitions are pushed to the client.



On managed clients, it connects every 60 minutes to the parent server to verify that the client has the latest definitions and grc.dat files.



On the local computer, it checks for new virus definitions (.vdb) every three minutes.



On the local computer, it checks for a new grc.dat file every minute. If a new grc.dat file is found, the changes are imported into the local Registry and the grc.dat file is deleted.



On the local computer, it checks for LiveUpdate settings every minute. If any settings change, a new liveupdt.hst file is generated. We will be discussing LiveUpdate and the liveupdt.hst file later in this chapter. www.syngress.com

435

436

Chapter 10 • Updating Virus Protection

So, in summary, on clients, it: ■

Checks with parents every 60 minutes.



Checks local virus definitions every three minutes.



Checks local grc.dat files every minute.

On parent servers, it: ■

Checks client keys in the Registry every three minutes to see if the grc.dat file and definitions are up-to-date.

On primary servers, it: ■

Checks its Registry every five minutes to ensure the secondary servers are up-to-date.

On all servers, it: ■

Checks for new definitions every three minutes and processes them.

Features of the Virus Definition Transport Method Now that we have discussed the Timer Loop, we can go over the process by which the definitions flow from the primary server to the end clients. Using VDTM, it is necessary to have only the parent server configured to download the virus definitions from Symantec.The other (non-primary) servers in the server group are configured by default to retrieve the definitions from this primary server.There are several methods of updating the primary server. Usually, the primary server retrieves the latest virus definitions from Symantec’s site using LiveUpdate or FTP.The other servers in the server group check in regularly with this parent server to obtain the definitions.The clients, in a similar fashion, retrieve the definitions from their parent server.

Configuring a Server to Use VDTM Now that we have explored the theory, we can discuss how to configure a NAVCE server to use VDTM. 1. Click Start | Programs | Symantec System Center | Symantec System Center Console. 2. Select and unlock the server group you wish to work on.

www.syngress.com

Updating Virus Protection • Chapter 10

3. Right-click the primary NAVCE server for this server group.Then, click All Tasks | Norton AntiVirus | Virus Definition Manager. You will now see the Virus Definition Manager Screen (Figure 10.3) for the server (NT-IRVA-0552, in this case). Figure 10.3 The Virus Definition Manager

4. In the section labeled “How Servers Retrieve Virus Definition Updates,” you can choose to either update only the primary server in the server group or update each NAVCE server individually.The most common choice is to update only the primary server but there are often compelling reasons to go with the latter option. For now, select the Update the Primary Server of this Server Group only button, then click Configure. 5. Ensure that the box labeled Schedule for automatic updates is checked (as shown in Figure 10.4).Then click Schedule. 6. Select the time and frequency of your updates and click OK. However, being the prudent system administrator that you are, you would click the Advanced button and set some further options (Figure 10.5). 7. As shown in Figure 10.6, you can select the number of hours that missed events are handled within.You can also set some randomization hours. Here for example, we started out with 1:00 P.M., which is the www.syngress.com

437

438

Chapter 10 • Updating Virus Protection

midpoint of the usual nine-to-five day. Performing the update within 240 minutes of 1:00 P.M. effectively means the update will occur at some point during the work day. Figure 10.4 Configuring the Primary Server Updates

Figure 10.5 Configuring the Virus Definition Update Schedule

Figure 10.6 Advanced Scheduling Options for Virus Definition Updates

8. Click OK on each successive window until all the windows are closed. 9. Click Console | Exit to close the Symantec System Center (SSC).

www.syngress.com

Updating Virus Protection • Chapter 10

You have now successfully configured your NAVCE server to use VDTM. Another setting worth considering and “tweaking” to meet your needs is the frequency with which your clients check in with their parent server.This can be done by clicking Virus Definition Manager | Settings. In the Update Settings window (Figure 10.7), to choose how often the NAVCE clients check the parent server for updates. Figure 10.7 Settings for VDTM Update Interval

Introducing Symantec LiveUpdate Now that you’re familiar with VDTM, let’s look at how LiveUpdate works. LiveUpdate is a Symantec technology that allows Symantec products to connect via FTP or HTTP to a Symantec server and retrieve program updates and virus definitions.

LiveUpdate versus VDTM Now that you have a reasonable understanding of both VDTM and LiveUpdate, let’s compare the benefits and drawbacks of both in Table 10.1. Table 10.1 LiveUpdate versus VDTM VDTM Advantages

Fully automated. Only one server needs to be updated. All other machines get updated automatically. Minimal configuration required. Clients get updated within ten minutes of a server update Disadvantages Clients and servers copy the entire definitions file.

LiveUpdate Clients download incremental updates (called MicroDefs). This results in less network traffic Can be scheduled. Can be used to apply program updates.

Requires more configuration.

www.syngress.com

439

440

Chapter 10 • Updating Virus Protection

Designing & Planning… Should I Use VDTM or LiveUpdate? As you can see, there are benefits and disadvantages to either approach. Even when using LiveUpdate, you have the option of using an Internal or External LiveUpdate configuration. The easiest way to answer this question is to take stock of your network configuration, the number of clients you will be serving and your users’ work habits. In other words, each observation you make brings you closer to your answer. Let’s go over some sample scenarios. Make a guess and then check the answers that follow. Who said this couldn’t be fun? 1. A software company environment consists solely of stationary desktop computers. Some programmers work during normal business hours. Others come in during the night shift. Most employees turn their systems off when they go home. Others leave them running for days. 2. A pharmaceutical research and development company consists of a team of traveling salespeople and process engineers who stay at the headquarters. The salespeople travel across the globe and use whatever Internet service the local hotel can provide. They use VPN software to connect to the company headquarters to check their e-mail at least once a day. 3. An engineering company has hundreds of employees. The majority of employees work within their offices around the world. Other employees work from home, connecting to the company network from time to time for a few minutes. Salespeople are always on the road and use whatever internet service they can find. They do not use VPN to connect to the company. Instead, they check their e-mail using their company’s secure Web site. And now the answers: 1. This is a classic example where you have plenty of bandwidth on a company LAN. This is the perfect scenario for using VDTM. The size of the files being transferred is of no consequence. What matters here is that you are keeping administration and configuration to a minimum. Continued

www.syngress.com

Updating Virus Protection • Chapter 10

2. This scenario is slightly involved. You have process engineers that could potentially use VDTM, but then the salespeople who would have to download megabytes. You use an Internal LiveUpdate server and instruct the salespeople to launch LiveUpdate at least once a day when they connect to the company. Remember, this is just one of the possible solutions. We will discuss this in more detail shortly. 3. This scenario although seemingly complex is typical of an average company. In this case, VDTM is quite impractical due to the various link speeds. In such circumstances, an Internal LiveUpdate server wouldn’t work because traveling employees do not connect to the company network. What about an external (Symantec’s) LiveUpdate server? Wouldn’t you lose administrative control over what definitions are applied to the end clients? Not necessarily. Perhaps a combination of VDTM and LiveUpdate? Good guess! Keep reading. As you can see in scenarios 2 and 3, most companies are not textbook examples. They are diverse in their functional groups and varied in the behavior of their employees. In such cases, could there be a configuration that best serves all employees in all solutions? Yes. Often NAVCE administrators end up using a combination of VDTM and LiveUpdate. This is done by leaving LiveUpdate enabled and configuring it to connect to Symantec’s (External) LiveUpdate servers daily. This gives the end user the best of both worlds. When on the LAN, the RTVScan timer forces the client to check for updates as often as it is configured to. When not on the LAN, the LiveUpdate schedule kicks in and updates the client using definitions from Symantec’s LiveUpdate servers. There is currently one situation where this hybrid solution can backfire a little. This is when a client connects to the company network using VPN over a slow (dial-up) link. The VPN software usually tricks NAVCE software into thinking it is connected to the LAN and a large .vdb file can potentially be downloaded across the slow link. The good news is that with its next release of NAVCE (which will be known as Symantec AntiVirus Corporate Edition 8.0 or SAVCE 8.0), VDTM will also make use of smaller incremental virus definitions (MicroDefs) used by LiveUpdate. Remember, there are always compelling reasons to choose VDTM, LiveUpdate, or a combination of both. The scenarios we discussed here are purely instructional. You should study your company’s environment and assess requirements before making this or any other decision.

www.syngress.com

441

442

Chapter 10 • Updating Virus Protection

As you can see, both methods have certain features that are appealing. However, it is up to the system administrator to decide which method best suits the needs of the environment they are trying to protect.

Considerations for Configuring LiveUpdate There are two ways that LiveUpdate can be configured. We will cover the configuration process for both models later in this chapter. For now, just concentrate on the theory and conceptual architecture.The following is a brief introduction to the two methods of LiveUpdate configuration: ■

External LiveUpdate In this method, managed servers are configured to connect to Symantec for virus and program updates.



Internal LiveUpdate In this method, one of the servers is configured to retrieve updates from Symantec. Other servers are configured to connect to this internal LiveUpdate server to retrieve virus and program updates.

There are advantages and disadvantages to both approaches.Table 10.2 shows a brief comparison of the two. Table 10.2 Internal versus External LiveUpdate Configurations Internal LiveUpdate Advantages

Less traffic on the enterprise Internet connection. Definitions can be tested before they are distributed to clients. Disadvantages More configuration required. An internal server must be dedicated to LiveUpdate. Possibly more maintenance.

External LiveUpdate Less configuration required. Less maintenance.

More traffic on the enterprise Internet connection. Cannot test definitions before they are distributed to clients.

Configuring External LiveUpdate Since it is the easier of the two LiveUpdate models, let’s go over the process of configuring an External LiveUpdate server. To configure servers to retrieve updates from Symantec’s FTP site:

www.syngress.com

Updating Virus Protection • Chapter 10

1. Launch the SSC by clicking Start | Programs | Symantec System Center | Symantec System Center Console. 2. Right-click the Server Group you wish to configure. 3. Select All Tasks | Norton AntiVirus | Virus Definition Manager. A screen will appear like that shown in Figure 10.8. Figure 10.8 Virus Definition Manager at a Server Group Level

4. Select Update each Server in this Server Group individually. 5. Click Configure.The screen in Figure 10.9 should appear. Figure 10.9 Configuring Updates for a Server Group

www.syngress.com

443

444

Chapter 10 • Updating Virus Protection

6. If LiveUpdate is not currently selected as the Update Source, click Source. 7. Select LiveUpdate. Figure 10.10 shows the screen that will be displayed. Figure 10.10 Configuring the Virus Definition Source

8. Click OK. 9. In the next screen that appears, click Update Now or schedule a time to retrieve updates. You have now successfully set up all the computers within the server group to obtain their updates from Symantec’s Web site. If you are the curious type and want to know the LiveUpdate settings that NAVCE uses to retrieve virus definitions from Symantec, click the Configure button in the Setup Connection window, as shown in Step 7 of the preceding process.You should see the window shown in Figure 10.11. Figure 10.11 Default FTP Settings for LiveUpdate via FTP

Since it was truncated in Figure 10.11, here is the path in the field labeled “remote folder” for your benefit: /public/english_us_canada/antivirus_definitions/ norton_antivirus_corp. Therefore, the actual location of these definitions at Symantec’s FTP servers is ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/ norton_antivirus_corp/. A screenshot of this folder is provided in Figure 10.12. www.syngress.com

Updating Virus Protection • Chapter 10

Figure 10.12 Different Types of Files Available at Symantec

Notice there are a multitude of files named using the same convention we discussed in the beginning of this chapter. But, as you can see, the files also have some unfamiliar suffixes—for example, x86.exe. We’ll discuss these files and their usage later in this chapter.

Configuring Internal LiveUpdate Before we jump into the actual configuration, let’s conduct a high-level overview of our process. In order to configure NAVCE servers and clients to retrieve updates from an internal LiveUpdate server, we will: 1. Install and configure the LiveUpdate Administrator Utility and specify the packages to be downloaded to a particular directory. 2. Choose a LiveUpdate server type.This can be an FTP, HTTP, or any other NT/NetWare server type on the enterprise LAN. 3. Use the SSC to configure LiveUpdate on the internal LiveUpdate server. 4. Use SSC to configure other servers and clients to connect to the internal LiveUpdate server. 5. Use SSC to set the LiveUpdate retrieval interval. Now, let’s begin with the LiveUpdate Administrator Utility. www.syngress.com

445

446

Chapter 10 • Updating Virus Protection

LiveUpdate Administration Utility Introduction and System Requirements The LiveUpdate Administration Utility is exactly that. It allows a System administrator to download update packages and configure clients to retrieve those updates from a central LiveUpdate server. As per Symantec, the minimum system requirements to install the LiveUpdate Administration Utility 1.5 and later are as follows: ■

Any of the following operating systems: ■

Windows 2000 Professional/Server/Advanced Server/Data Center



Windows NT 4.0 Workstation/Server/Enterprise Server/Terminal Server



Windows XP Home/Professional



Windows 95/98/98 SE/Me



Internet Explorer 4.0 or later



A Pentium 100MHz processor



16MB RAM



25MB hard disk space and up to 500MB of additional space for LiveUpdate packages

Notes from the Underground… A Word on “System Requirements” and Their Consequences You must understand that these are the minimum system requirements used solely for this software. In other words, your system must have far more CPU speed, RAM, and free disk space to be able to run the platform on which this is installed and executed. Take for example, the minimum system requirements for Windows 2000 server: ■

A Pentium 133MHz processor or higher Continued

www.syngress.com

Updating Virus Protection • Chapter 10



256MB RAM (recommended minimum)



2GB hard disk space with a minimum of 1.0GB free space

Again, these are the minimum for Windows 2000 Server. So, as a realistic system administrator, you must be quite familiar with what is listed as a minimum by a vendor and what actually works. While we’re on the topic of system requirements, let’s go over another common issue. Often, the LiveUpdate Administration Utility is installed on the same system as the NAVCE software. The requirements for NAVCE server are just as unrealistic, and to keep costs low, many beginners install the NAVCE software on the workstation version of Windows NT/2000. If you recall, Windows NT Workstation and Windows 2000 Professional only support a maximum of ten concurrent network connections. This can seriously impact the speed with which definitions are distributed to end clients. Newer viruses increasingly grow into what Symantec terms as blended threats. Blended threats attack a network simultaneously through multiple channels—for example, e-mail (SMTP), network shares, Microsoft IIS exploits, and by responding to network announcements routinely made by all clients participating in a Windows domain. At such times, when the virus is traveling through the network, it is critical to make the latest definitions available to all clients. So, consider your environment and choose carefully. Remember, it’s better to perform capacity planning in advance and even err on the side of caution rather than cut costs. This way, your cost-conscious supervisor won’t be getting that phone call in the middle of the night when a virus is running rampant across your network and you can’t distribute the definitions fast enough.

Installing Symantec LiveUpdate 1.5.3.21 Administration Utility Now, let’s install the Symantec LiveUpdate Administration Utility.You can find this utility on CD 1 of your NAVCE installation set. However, quite often, newer versions are available on Symantec’s Web site.Therefore, in our example, we will download the latest version rather than installing it from the CD.

www.syngress.com

447

448

Chapter 10 • Updating Virus Protection

1. Download the latest version of the LiveUpdate Administration Utility (luau.exe) from www.symantec.com/techsupp/files/lu/lu.html and double-click it. 2. Click Yes to begin the installation (as shown in Figure 10.13). Figure 10.13 Installing the LiveUpdate Administration Package

3. In the Welcome screen that appears in Figure 10.14, click Next. Figure 10.14 The Welcome Screen

4. Select the destination folder for the installation files by clicking the Browse button. Or, simply click Next (see Figure 10.15).

NOTE This destination folder is only for the executable files for this utility. The location where the update files will be downloaded and stored is configured later. Therefore, it is often best to leave this destination folder at its default location.

5. Verify the settings and click Next (see Figure 10.16).

www.syngress.com

Updating Virus Protection • Chapter 10

Figure 10.15 Configuring the Target Location for Program Files

Figure 10.16 Confirm Installation Settings

6. Check the box labeled Launch LiveUpdate Administration Utility and click Finish (Figure 10.17). Figure 10.17 Finishing Up and Launching the LUAU

www.syngress.com

449

450

Chapter 10 • Updating Virus Protection

7. You have now successfully installed the software. Be sure to read the section marked “Important Note” included in the window shown in Figure 10.18. Figure 10.18 Release Notes for the LUAU

For your benefit, the entire text message is shown next: “Important Note: If you have a custom host file (liveupdt.hst) on your client machines, you MUST modify the name field (as displayed in the Description area of the Host File Editor) of the first or second entry to prevent the LiveUpdate installer (lusetup.exe) from overwriting your custom host file during an update. The LiveUpdate installer is used to install or patch LiveUpdate.The client installer will NOT overwrite the existing liveupdt.hst file IF the Name fields within the Description area of the Host File Editor in either the first or second entries of the customized liveupdt.hst host file have been modified.” To learn how to uninstall or troubleshoot the LiveUpdate Administration Utility, please refer to the resources mentioned in the FAQ section at the end of this chapter.

Configuring LiveUpdate Using the LiveUpdate Administration Utility Now that you have successfully installed the LiveUpdate Administration Utility, let’s take a quick tour of the console to see how it works. Figure 10.19 is a screenshot of the “Retrieve Updates” view of the LUAU. Here, you would select the language and the Symantec product lines you want to update. If you click Host File Editor in the left pane, you will see the view shown in Figure 10.20. Here, you can create or edit a custom host file to distribute within your environment.

www.syngress.com

Updating Virus Protection • Chapter 10

Figure 10.19 Configuring LUAU for Product Updates

Figure 10.20 The Host File Editor within the LUAU

Configuring Servers and Clients to Connect to the Internal LiveUpdate Server Now that we have set up an internal LiveUpdate server, let’s configure the other (NAVCE) servers and clients to connect to this internal LiveUpdate server. 1. Launch the SSC by clicking Start | Programs | Symantec System Center | Symantec System Center Console. 2. Right-click the Server or Server Group you wish to configure.

www.syngress.com

451

452

Chapter 10 • Updating Virus Protection

NOTE This setting applies to all servers and clients in the hierarchy. Therefore, if you wish to configure all your clients in this manner, it may be advisable to perform this step at the Server Group level. For this example, we will work on the Server Group level.

3. Select Properties. 4. Click the LiveUpdate tab to see the screen shown in Figure 10.21. Figure 10.21 LiveUpdate Settings at a Server Group Level

5. Select Internal LiveUpdate Server. 6. Select the Type of connection—for example, FTP, HTTP, or LAN. 7. Enter the server Name. 8. Enter the server Location. 9. Enter the Login Name required to access this server. 10. Enter the Login Password required to access this server.

NOTE Symantec recommends you leave the Login Name and Password fields (from Steps 9 and 10) blank so that any internal client can access the server with minimal configuration. www.syngress.com

Updating Virus Protection • Chapter 10

11. Enter the FTP, URL, IP address, or UNC path for this server. 12. For example: ■

ftp.internalliveupdateserver.com



http://internalliveupdateserver.com



10.7.199.133



\\internalliveupdateserver

NOTE The preceding server names were purely instructional. In reality, you would want to keep your server name short and easy to remember. Also, recall that NetBIOS names should not be more than 15 characters in length.

13. Select Apply settings to all clients if you want the clients to also get their updates from the internal LiveUpdate server.

NOTE This option will be grayed out if you are performing this operation on the Server Group level.

Congratulations! You have now successfully configured an Internal LiveUpdate server.

Introducing Intelligent Updater An alternative to LiveUpdate, Symantec’s Intelligent Updater updates virus definitions. LiveUpdate automatically downloads and then installs virus definitions. It can be launched on demand or configured to execute according to a schedule. However, if for some reason, LiveUpdate is not functioning, or if you need to download and install updates manually, you can download and use the Intelligent Updater to install the virus definitions.

www.syngress.com

453

454

Chapter 10 • Updating Virus Protection

On some occasions, it becomes necessary to use the Intelligent Updater. One such scenario is when a new virus emerges and a LiveUpdate file has not been released by Symantec. In such cases, while its AntiVirus team is working towards a “cure” for the new virus, Symantec often releases beta versions of virus definitions to its customers. Such definitions may not repair the infected files but will nonetheless allow the NAVCE clients to identify the file as infected.This can keep the virus from spreading within the company environment. The Intelligent Updater can be downloaded as two large files or as multiple smaller files.The first large file is for users that have network or dial-up Internet access.The smaller files are created such that they can be copied to floppy disks and used to update computers not connected to the Internet.The second large file is an all-inclusive package used by system administrators who need to maintain multiple versions of NAV on multiple platforms. In order to update a Windows-based system using the Intelligent Updater, do the following: 1. Point your Web browser to: http://securityresponse.symantec.com/ avcenter/defs.download.html. 2. Select the appropriate language. 3. Select Norton AntiVirus Corporate Edition from the list of products.

NOTE You will also see “Symantec AntiVirus Corporate Edition” in this list, which refers to version 8.0 (or later) of this software.

4. Click Download Updates.You will then be taken to a new page. In this case, it will be http://securityresponse.symantec.com/avcenter/ download/pages/US-NAVCE.html. 5. The filename you require will be based upon the naming convention discussed at the beginning of this chapter, which will have some sort of suffix—for example, 20030110-017-x86.exe. 6. In the screen shown in Figure 10.22, click Save and then click OK. 7. Save the file to the Desktop. 8. After the file is downloaded, close the Web browser and launch the file you just downloaded.The screen shown in Figure 10.23 should appear. www.syngress.com

Updating Virus Protection • Chapter 10

Figure 10.22 Executing the Intelligent Updater

Figure 10.23 The Confirmation Dialog for Intelligent Updater

9. Click Yes to execute the Intelligent Updater.

www.syngress.com

455

456

Chapter 10 • Updating Virus Protection

Summary In this chapter, we learned about virus definition files, what they do and their naming convention.You should now be able to determine the date of release and the version number simply by inspecting the filename.You should also be able to determine if a particular virus can be detected using the virus list feature within the NAVCE client. We learned about the five different methods of downloading and distributing virus definitions. Of these methods, we covered the Virus Definition Transport Method (VDTM), LiveUpdate (both Internal and External configurations), and the Intelligent Updater in significant detail. Since we also delved into the inner workings of VDTM and how it uses the RTVScan Timer Loop, you should now have extensive knowledge of the process by which virus definitions are retrieved and distributed.You also should understand the advantages and disadvantages of LiveUpdate and VDTM and now be able to make an informed decision regarding which method you should use in your environment. In addition, we learned about the Intelligent Updater, its purpose, and usage. Essentially, you should now be able to configure your NAVCE server to use VDTM or LiveUpdate. And, if necessary, you should be able to use the Intelligent Updater to update the virus definitions on a particular client or server.

Solutions Fast Track Introducing the Virus Definition Transport Method (VDTM) ; The Virus Definition Transport Method (VDTM) is a completely

automated virus definition delivery and distribution mechanism.

; A client or server configured to use VDTM will download an entire

.vdb archive from its parent server and then decompress it.

; RTVScan is the core program with Norton AntiVirus Corporate

Edition. It performs functions such as alerting, discovery, scanning, and processing definition updates

; Virus protection files contain unique patterns from thousands of

different viruses. When a file is scanned to check for viruses, its binary

www.syngress.com

Updating Virus Protection • Chapter 10

code is compared with these snippets to determine if there is a pattern match with any known virus.

; If a pattern is matched, the Norton AntiVirus Corporate Edition

(NAVCE) software considers the file infected and attempts to remedy the situation. However, if the virus is new enough, or the virus definition files are out-of-date, an infected file will appear clean to the software.Therefore, it is critical that virus definition files be kept as current as possible.

Introducing Symantec LiveUpdate ; Symantec’s LiveUpdate allows Symantec products to connect via FTP or

HTTP to a Symantec server and retrieve program updates and virus definitions.

; There are two ways to configure LiveUpdate: ■

External LiveUpdate In this method, managed servers are configured to connect to Symantec for virus and program updates.



Internal LiveUpdate In this method, one of the servers is configured to retrieve updates from Symantec. Other servers are configured to connect to this internal LiveUpdate server to retrieve virus and program updates.

Introducing Intelligent Updater ; An alternative to LiveUpdate, Symantec’s Intelligent Updater also

updates virus definitions.

; The Intelligent Updater can be downloaded as two large files or as

multiple smaller files.

; The most common scenario for using Intelligent Updater is when a new

virus emerges and a LiveUpdate file has not been released by Symantec. In such cases, while the AntiVirus team is working towards a “cure” for the new virus, Symantec often releases beta versions of virus definitions to its customers.Though such definitions may not repair infected files, they nonetheless allow NAVCE clients to be able to identify those files as infected.

www.syngress.com

457

458

Chapter 10 • Updating Virus Protection

Frequently Asked Questions The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: Should I use VDTM or LiveUpdate for my clients? A: This really depends on your network configuration and the work habits of your company’s employees. See the sidebar titled “VDTM or LiveUpdate?” for more information.

Q: Should I disable LiveUpdate for my clients? A: In many cases this is not advisable. However, in some companies there may be compelling reasons to do this. One such scenario occurs when a new set of virus definitions is downloaded and renders some software unusable. In such cases, you may need to disable LiveUpdate on your clients and apply an older set of virus definitions.

Q: If I use two Internal LiveUpdate servers for my clients and one of them crashes, will the clients “fail-over” to the second one?

A: No. Norton AntiVirus will not “fail-over” to the next LiveUpdate server. However, with the next version of this software (to be named Symantec AntiVirus Version 8.0), it will be possible to define multiple LiveUpdate servers.

Q: I think I need additional help. Do you know of any resources? A: Most of the documentation you will require is already included on your installation CDs. However, you can also get excellent documentation from the following: ■

The Symantec Enterprise Support Site for Norton Antivirus Corporate Edition 7.6: www.symantec.com/techsupp/enterprise/products/nav/ nav_76_ce/manuals.html.

www.syngress.com

Updating Virus Protection • Chapter 10 ■

The Symantec Knowledgebase for Norton AntiVirus Corporate Edition 7.6: www.symantec.com/techsupp/enterprise/products/nav/nav_76_ce/ search.html.



LiveUpdate manuals, patches, and files located at www.symantec.com/ techsupp/files/lu/lu.html.



Other resources include Syngress Solutions (www.syngress.com/ solutions),Yahoo Groups (for example http://groups.yahoo.com/ group/avadmins), and other Internet discussion groups.

Q: Why doesn’t LiveUpdate download definitions when the Security Response Web site or a virus write-up shows that more recent definitions are available?

A: You can find the answer to that question at: http://service1.symantec.com/ SUPPORT/sharedtech.nsf/docid/2002021908382713.

www.syngress.com

459

Chapter 11

Troubleshooting Your NAVCE 7.6 Environment

Solutions in this chapter: ■

Troubleshooting Basics



Troubleshooting Servers



Troubleshooting Client PCs



Troubleshooting Roaming Client Support



Addressing Performance Issues



Accessing Information Databases

; Summary

; Solutions Fast Track

; Frequently Asked Questions 461

462

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

Introduction Troubleshooting NAVCE 7.6 systems requires you to consider the entire environment within which it resides. It is not enough to work only with the NAVCE client and server interfaces.You must be prepared to troubleshoot the operating system upon which NAVCE is installed, as well as support infrastructure (for instance, domain name system (DNS), firewalls, directory services, and so on). In this chapter, you will learn how to take a more holistic approach to troubleshooting your entire environment. From Windows 9x systems (for example, Windows 95/98/Me) to NT/2000/XP systems to Novell systems, you will learn about all of the essential troubleshooting concepts that can help you control problems as they appear. You also will learn how to overcome problems with both NAVCE 7.6 clients and NAVCE 7.6 servers. In addition, this chapter will also discuss common NAVCE problems in regards to Novell servers. From issues concerning problems with Novell servers as clients to ensuring that they properly show up on the Symantec System Console (SSC). Throughout this chapter, you will learn about how to work with both standard and Remote Client Services (RCS) clients, and how to improve server performance. Finally, though NAVCE was designed to impact system performance as little as possible, problems can still happen.Therefore, this chapter will discuss common stability and performance issues and how to resolve them. By the end of this chapter, you should have a clear idea how to resolve some of the most common NAVCE issues, and will also have more insights into some of the more peculiar problems that have occurred. Hopefully, by reading this chapter you will either find a solution to your peculiar problem, or be given a direction to take to help solve your own problems when implementing NAVCE 7.6.

Troubleshooting Basics When troubleshooting NAVCE clients and servers, you will have to work with the following local resources: ■

Log files



Temporary files that may exist and cause installation, uninstallation, and configuration issues



The Windows Registry

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

When investigating issues, do not simply focus on local problems such as temp files, log files, and the Windows Registry.You will also have to investigate foundational network issues.The following are basic, foundational network issues that will likely appear when you encounter problems with your NAVCE 7.6 environment: ■

The Domain Name System (DNS)



Directory Services (for example, Microsoft Active Directory and Novell Directory Services)



The Dynamic Host Configuration Protocol (DHCP)



Firewalls

DNS Issues The following section discusses DNS issues, including detailed information on DNS configuration. If you already understand DNS thoroughly, you may want to skim through this particular section. It is vital, however, that you know DNS and that you implement it properly before deploying NAVCE. Symantec has found that implementing a proper DNS structure can help eliminate problems with your NAVCE environment. DNS is, of course, not the only resolution method used in networks. Microsoft’s legacy solution called the Windows Internet Naming Service (WINS) has existed for some time, and is still in use. However, DNS has become the primary name resolution method, and this chapter will address it first.The following bullet points outline some background information concerning DNS records. Because a properly functioning DNS environment is vital for the NAVCE environment, it is necessary to review some of the more essential DNS concepts. If you are already familiar with DNS issues, you might want to skim through the next few pages. When configuring DNS, make sure you create the following: 1. A primary name server (also called a master name server) A primary name server contains records for an entire domain or subdomain. For example, if you wish to resolve names for a company named yourcompany.com, you would create a primary name server that would then contain forward and reverse zone files.To make your DNS structure more fault tolerant, you can create a secondary name server (also called a slave name server). A secondary name server receives all of its information from a primary name server via a zone transfer. www.syngress.com

463

464

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

2. Forward zone files Contains mappings of names to IP addresses for the primary (or secondary) zone. Each zone contains individual entries that refer to each individual system in the network. Forward zones can contain various record types, including: ■

A Informs the DNS server that the entry is for a standard host running IPv4, currently still the standard for IP-based traffic on the Internet. An A record simply maps an IP address to a host name.



AAA Refers to hosts running IPv6, the next standard for IP-based traffic.



CNAME Known as “canonical name” records, a CNAME entry allows you to give another name to a host. If, for example, a host already has an A name entry mapping the host name of c1226878-a to the IP address of 10.100.100.45, it would be possible to create a CNAME record that also allows the name of “www” to map to it, as well.



MX Called a “Mail Exchange Record,” this entry allows you to map a domain name (such as company.com) to a specific host that will accept and transfer SMTP-based e-mail (for example, mail.company.com). MX records are necessary because they enable people to send e-mail to a domain, rather than a specific system.

Reverse zones Contains mappings of IP addresses to names. As with a forward zone, a reverse zone contains entries for individual systems. However, reverse zones generally contain only one type of record: the PTR, or “pointer” record.You will learn more about reverse zones in the following section entitled “Reverse Zones.” Figure 11.1 shows a DNS configuration for a small network.This particular configuration is from the DNS service found in Windows 2000. ■

Figure 11.1 Viewing a DNS Configuration in the Windows 2000 DNS Snap-in

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

Notes from the Underground… Why so Much about DNS? It may seem a bit strange that this chapter is reviewing DNS troubleshooting tools so deeply. However, if you have one simple problem in your DNS structure, it is almost guaranteed that problems will appear. What’s more, problems that appear will not seem to be related to DNS, and will cause you to waste your time chasing other issues that will not solve your problem. In one case, a systems administrator using Windows 2000 and Active Directory took three days just to trace a problem to the fact that she had missing reverse DNS lookup zones and a PDC that had an improper DNS name entry. Once these problems were fixed, NAVCE no longer performed slowly, and users could log on quickly.

The configuration in Figure 11.1 would apply to a much larger network. Notice that both forward and reverse lookup zones exist in this particular setup. Notice also that each zone has individual entries that map names to IP addresses.

NOTE If you do not have proper primary servers and forward zones, it is very possible for your NAVCE roaming clients and primary/secondary NAVCE to become confused and fail to connect with each other.

You do not, of course, have to use Microsoft products for DNS. Figure 11.2 shows an example of a forward zone found in a Linux system running BIND 9.

www.syngress.com

465

466

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

Figure 11.2 Viewing a Forward Zone in Linux Running BIND 9

Take note of how each service uses A records. Notice also how the Linux service also includes CNAME, IN, and AAAA records.

NOTE When creating a forward zone to suit your NAVCE environment, it is always best to first create a map of workstation names and IP addresses before actually configuring the DNS service. A map will allow you to have a master plan that you then implement by configuring the server.

Reverse Zones It is not enough to create forward DNS zones.You must also have reverse lookup entries. Follow the steps outlined next: 1. Create a reverse zone in your DNS server for each IP network address: A reverse zone must be dedicated to a specific network address. If, for example, you have the 192.168.2.0 network, then you must create a www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

reverse DNS zone for this specific network that will be known as 2.168.192.in-addr.arpa. If you have additional networks of 192.168.3.0, 192.168.4.0, and 192.168.5.0, you would have to create separate reverse zones of 3.168.192.in-addr.arpa, 4.168.192.in-addr.arpa, and 5.168.192.in-addr.arpa. 2. Populate the appropriate reverse zone with entries specific to that particular network. Each entry will map the host IP address of a specific host name. Windows 2000, for example, allows you to automatically create a PTR record with each forward record you create, as shown in Figure 11.3. Figure 11.3 Creating an Associated Pointer (PTR) Record When Generating a Forward Record in Windows 2000

A reverse DNS zone is not absolutely essential for NAVCE, actually. Still, the absence of a proper DNS structure can cause secondary issues that could create problems for NAVCE. Such issues include: ■

Inability for network management applications to run properly Network management applications can include Secure Shell (SSH) and applications that use the Simple Network Management Protocol (SNMP).



Problems with workstations and servers that use directory services servers Directory services servers from both Novell and Microsoft generally require proper DNS structures to function. Failure to implement reverse DNS lookup may cause you to mistake an Active Directory problem with NAVCE.

www.syngress.com

467

468

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

NOTE When configuring DNS in Microsoft’s native DNS service, do not think that creating a forward zone will automatically create a reverse lookup zone or file. Even if you select the Create Associated Pointer (PTR) Record check box that is supplied, for example, with Windows 2000. Also, if you try to have Windows create the associated PTR record and you have not yet created a reverse zone, a reverse zone record will not be created.

Figure 11.4 shows an example of a reverse lookup zone in a Linux system running BIND 9. Figure 11.4 A Reverse Lookup Zone in BIND 9

DNS Configuration Notes The following are some notes to consider when creating your DNS structure as a foundation for any additional service, including NAVCE 7.6: ■

When running Microsoft Active Directory, make sure that your Domain Controller has a DNS server installed and running. Otherwise, your Active Directory clients may not be able to resolve names, and will take an inordinate amount of time to log in. NAVCE 7.6 clients will exacerbate the problem, because they, too, will spend time looking for their primary servers.This process can take as long as five to ten minutes, which is clearly an unacceptable amount of time to wait for login.



Microsoft Active Directory requires DNS to be running on the Active Directory Domain Controller. Check the DNS service on the Domain Controller for entries that begin with an underscore (_). Such entries reflect the fact that clients have registered with DNS and Active

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

Directory. If the underscore entries are not present, then you may have diagnosed a DNS problem in regards to Active Directory.This DNS problem may affect all applications, including NAVCE 7.6 implementations. ■

Make sure that Microsoft systems, especially the Domain Controller, have standard NetBIOS names. Make sure that names are continuous, 15-character names. Use standard characters such as those found in the alphabet. Be especially careful not to use a period in a NetBIOS name, as a period can be misinterpreted by the Domain Controller and/or DNS name as part of a domain name. For example, a machine with a NetBIOS name of server.domain1 in the DNS domain of company.com could be misinterpreted by DNS, and may cause problems in regards to NAVCE and Active Directory; extensively long logins may occur as a result. Afterward, server.domain1.company.com will effectively be the DNS name of a system with the NetBIOS name of server.domain1. Various DNS clients may think they need to go to the machine name of the server that belongs to the domain1.server.com DNS domain, which would cause significant problems. As a result, DNS clients would spend an inordinate amount of time looking for the proper domain controller.



Windows XP systems should use the DNS service on the Windows 2000 server running Active Directory. Doing so helps ensure that the XP systems are properly registered to the domain controller, which can improve login time.



If you are using BIND, later versions (for example, BIND 8 or 9) use the /etc/named.conf file.This file must be formatted in a specific way, and must properly refer to the forward and reverse zone files for a specific zone. Otherwise, your DNS configuration will fail, or experience serious problems that may cause your NAVCE 7.6 implementation to fail. For more information about configuring the /etc/named.conf file, go to BIND’s official Web site: www.isc.org/products/BIND/.



If using BIND 8 or 9, the semicolon (;) counts as a comment.You can also use the hash mark (#). Anything after a semicolon or hash mark is not considered by BIND.



When changing information in a forward or reverse zone file, you may have to restart the DNS service or daemon to make sure the service or

www.syngress.com

469

470

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

daemon re-reads its configuration information and reflects the changes you have made. ■

Use DNS troubleshooting tools to ensure DNS is functioning properly before using NAVCE 7.6 in a managed environment.

NOTE It is easy to confuse name resolution issues with NAVCE client/server problems. In smaller environments especially, you may be responsible for working with name resolution issues, so it is very important you understand how to make changes to the structure, or at least understand how to read DNS information.

DNS Troubleshooting Applications Common DNS troubleshooting applications include: ■

nslookup Arguably the most popular DNS troubleshooting tool. Allows you to determine the presence of forward and reverse DNS lookup entries.This is a universal tool, found in Windows, Novell, and UNIX systems that use TCP/IP. It’s also a command-line tool.



host Found in UNIX-based systems, the host command is similar to the nslookup command, in that it allows you to troubleshoot DNS zones. host is run from the command line, like nslookup.



dig Also found in UNIX-based systems, the dig command allows for advanced troubleshooting of various DNS servers from the command line.



GUI-based applications Using applications such as Ping Pro (www.ipswitch.com) can help you quickly conduct Whois queries, as well as conduct nslookup/host/dig-like queries from a GUI.

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

Using nslookup Using nslookup, you can: ■

Verify that a client is designated to the proper DNS server.



Verify records of various types, including A, CNAME, MX, and AAA.



Conduct zone transfers (as long as your system is authorized to do so).

The nslookup application has two modes: ■

One-time Where you issue the nslookup command with an argument that is the name of a client so you can view its DNS record entry. For example, to look up a system named sandi, you would issue the: nslookup sandi command



Interactive Where you issue the nslookup command without any arguments to enter an nslookup session.

Figure 11.5 shows a one-time nslookup session in Windows XP.The user of nslookup now knows the following information: 1. The DNS server used by the system is at james.stangernet.com, with the IP address of 192.168.2.5. 2. The system named sandi.stangernet.com has the IP address of 192.168.2.4. Figure 11.5 Issuing a One-Time nslookup Command in Windows XP

Figure 11.6 shows an interactive nslookup session in Windows XP.You’ll notice it’s possible to conduct multiple queries about systems (for example, sandi and james).You can then type exit to quit an nslookup session.

www.syngress.com

471

472

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

Figure 11.6 Conducting an Interactive nslookup Session

Figure 11.7 shows a non-interactive nslookup session in a Linux system. In Figure 11.7, you can see that the -sil option allows you to avoid viewing a message informing you that most Linux systems have begun to deprecate the use of nslookup.The -query option allows you to determine which type of query you will issue. Arguments to the -query option include A, MX, AAAA, and CNAME. In the –query command used in Figure 11.7, the ANY option was used to view the information for the entire stangernet.com domain, as well as discover the name server, which happens to be, in this case, the system named james.stangernet.com.This information can be helpful when troubleshooting a NAVCE environment because it allows you to determine the authoritative server for your particular domain. Figure 11.7 Issuing a One-Time nslookup Command in Linux

NOTE When troubleshooting your NAVCE environment, make sure you use applications such as nslookup to verify that name resolution is occurring the way you think it is.

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

The nslookup command in UNIX-based systems works similarly to that in Microsoft systems. Using nslookup is useful in many ways. If you find, for example, that you cannot use nslookup properly, chances are that your client is not properly configured to use DNS.Therefore, perform the following steps: 1. Verify that the DNS server has proper forward and reverse DNS lookup zone entries. 2. Verify that the client is using the correct DNS server. You are not limited to using nslookup, however.You can also use the host and dig commands, if you have access to a UNIX system.

Using host The host command is similar to the noninteractive version of the nslookup command. Using the host command, you can: ■

Review records of various types, including A, AAA, CNAME, and MX.



Conduct zone transfers.



Identify authoritative name servers.

For example, Figure 11.8 shows how it is possible to conduct a zone transfer for an entire DNS domain using the host -l stangernet.com command. Figure 11.8 Conducting a Zone Transfer for the stangernet.com Domain Using the host -l Command

Figure 11.9 shows how you can use the host -a [hostname] command to view information concerning a host’s IP address and DNS server. www.syngress.com

473

474

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

Figure 11.9 Using the host -a Command

With the host command, you can easily identify the name server for a domain, as well as problems that might occur concerning A name records, because it allows you to list all information concerning the domain, as long as you have permission to list zone files and other information.

Notes from the Underground… Conducting Zone Transfers It is always a good idea to limit zone transfers for DNS servers. However, doing so may thwart your troubleshooting efforts. If possible, contact the administrator of your DNS servers and have them enable zone transfers for your particular system, or discover which systems you can use to conduct detailed queries of the DNS server. If you are using Windows 2000, for example, you can enable zone transfers for a particular host by opening the DNS snap-in, then right-clicking a particular zone (for example, company.com) and selecting Properties. Once you see the Properties dialog box for that zone, click the Zone Transfers tab. In the Zone Transfers tab, you can then take the necessary steps to either allow any host to conduct a zone transfer (generally a bad idea, because it could allow a hacker to map the entire network), or allow a certain host to conduct zone transfers). In UNIX systems, you need to configure the named.conf file. Using Linux systems, for example, you would edit the /etc/named.conf Continued

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

file and enter an allow-transfer phrase inside of a zone configuration entry. For example, in the following entry, the allow-transfer phrases allow systems with IP addresses of 192.168.2.5, 192.168.2.57, and 192.168.2.68 to obtain zone transfers: zone "stangernet.com” in { type master; file "forward.zone"; allow-transfer { 192.168.2.5; 192.168.2.57; 192.168.2.68; }; };

It is imperative you properly use open and close wickets (that is, both { and }), as previously shown. After you make these changes, restart the named service to make sure the changes take effect.

Using dig The dig command is the most sophisticated DNS troubleshooting tool. It reports the most information, allows the most involved queries, and is the most difficult to use. Like host, dig is a one-time command.The general syntax for using dig is as follows: dig @dns_server_name

fully-qualified_dns_name_of_server

record_type

A fully-qualified DNS name (FQDN) is one that contains the host name and domain name (such as www.syngress.com). Figure 11.10 shows how dig is used to query the DNS server named james for the IP address of the system titled blake.stangernet.com. Although many NAVCE applications (for instance, NAVRoam, used for roaming client support) do not use FQDNs, your DNS structure should provide FQDN information for all servers.

www.syngress.com

475

476

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

Figure 11.10 Using dig to Query a host Record

In Figure 11.10, the question section is where the application provides you with the server’s understanding of the query you made using dig. In the answer section, you see that blake.stangernet.com has the IP address of 192.168.2.2. In the Authority and Additional sections, you see that james.stangernet.com (with the address of 192.168.2.5) is the authoritative name server. Figure 11.11 shows how it is possible to discover CNAME entries. For example, the session shown next indicates that www.stangernet.com is a CNAME entry for the original DNS name of c1226878-a.stangernet.com. Figure 11.11 Using dig to View CNAME Entries

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

Now that you understand how to use dig, let’s take a look at GUI-based DNS troubleshooting tools for Windows.

Using GUI applications GUI-based applications essentially combine several troubleshooting tools into one.Troubleshooting tools include: ■

Trace route (for example, tracert in Windows system) Counts router hops between systems.



Ping Tests connectivity using ICMP.



Whois Queries Whois servers for authoritative DNS information concerning registered DNS servers.

GUI-based applications include: ■

WS Ping ProPack (www.ipswitch.com)



DNS Expert (www.menandmice.com)



Sam Spade (www.samspade.com)

Figure 11.12 shows Ping Pro. Notice Ping Pro is set to query the DNS server for an A name record in a system named sandi. Notice also that the DNS server that Ping Pro will use is the one used by the “stack,” which means it is set to use the same DNS server that is configured in the Local Area Connection properties. You can, if you wish, specify a different name server. Specifying a different name server allows you to query various name servers in your enterprise. Figure 11.12 The Ping Pro Lookup Tab

www.syngress.com

477

478

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

Figure 11.13 shows Sam Spade, which is available free of charge. Figure 11.13 The Sam Spade Lookup Tab

Using the previous troubleshooting tools, you should be able to configure DNS forward and reverse zones that NAVCE can use.

Log Files When experiencing troubles with NAVCE, a system’s log files are most likely your best friends. In Windows NT/2000/XP, check for DNS problems in the Event Viewer. In UNIX-based systems, check the system log file (for example, /var/log/mesages in Linux system).The DNS log and /var/log/messages files can inform you of various problems, including: ■

Improper DNS entries in servers.



Messages from clients informing you of DNS problems and the steps taken by clients to try and enforce name resolution.



Failed services.

In one case, an improper NetBIOS name on a server caused the following entry to occur on a Windows 2000 Domain Controller: “Registration of the DNS record company.com. 600 IN A 192.168.2.8’ failed with the following error: DNS server unable to interpret format.” Once the system’s NetBIOS name was changed, the problem resolved itself, and all NAVCE clients were able to function properly.

Dynamic DNS and the NAVCE Environment Dynamic DNS (DDNS) is a relatively new development that allows DNS servers to automatically update their databases to reflect changes in client addresses. Understanding DDNS is relevant to NAVCE because it can add a layer of complexity to your NAVCE environment; traditionally, DNS databases and name-toIP-address mappings were static. With the advent of DNS, name-to-IP-address www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

mappings have become more fluid, and can cause confusion as you implement NAVCE. In traditional DNS, if a client changed its IP address (for example, due to a new DHCP lease), the DNS server would still reflect old information until the systems administrator manually updated the forward and reverse zone files. Previously, the only service that could automatically update its database was the Windows Internet Naming Service (WINS), which is discussed later in this chapter. DDNS is supported by various servers, including: ■

Microsoft Windows 2000 Server



Microsoft Windows 2000 Advanced Server



Microsoft Windows 2003



Any UNIX system running BIND 8 or later

Even if the DNS server is equipped with DDNS, you will still need to activate the feature on most servers.

Troubleshooting DDNS DDNS can be the source of rather pesky problems, just like DHCP, mostly because information keeps changing.The following are ways to troubleshoot DDNS: ■

Review log files of both clients and servers.You will be able to identify times when clients cannot find hosts and are forced to resort to alternative name resolution, or simply inform you that name resolution cannot occur at all. Servers will inform you about DDNS problems through log files as well. Using Windows Event Viewer and the Unix /var/log/messages file, you can identify when a DNS server or daemon has experienced a problem.



Disable DDNS and resort to static DNS mapping for a period of time so you can troubleshoot problems. Once you can isolate issues by dealing with nondynamic information, you can then begin to systematically tackle a problem.

Alternative Forms of Name Resolution Although a primary form of name resolution, DNS is not the only form available. Additional methods include:

www.syngress.com

479

480

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment ■

WINS



Static files (for example, the /etc/hosts file in Linux/UNIX systems, or the [drive]\WINNT\system32\drivers\etc\hosts or [drive]\system32\drivers\etc\lmhosts files). Many networks still employ the Windows Internet Naming Service (WINS) to resolve names. Increasingly, WINS is being dropped for DNS for the following reasons: •

Microsoft Active Directory considers WINS a legacy naming service and will not work optimally without DNS.



WINS is generally a Microsoft-centric solution. Although the UNIX Samba series of daemons allows UNIX-based systems (for example, Solaris, Linux, AIX, HP-UX) to become true WINS clients, using WINS nevertheless ties your network too closely to one vendor.



The advent of DDNS has obviated the only benefit WINS offers, which is the ability for the service to dynamically update its database when a client changes its IP address.

Troubleshooting Alternative Forms of Name Resolution Microsoft workstations and servers can often experience name resolution issues in regards to NAVCE because they may not be configured to resolve names in a way you expect. For example, your system may be configured as a node that uses only WINS, or it may use both WINS and DNS.To make sure your NAVCE system is resolving names as you expect, you need to know its node type. Microsoft systems can be classified as one of four different types of nodes, depending upon how they are configured to resolve names.Table 11.1 describes each of these four types. Table 11.1 Node Types Type of Node

Description

b-node (Broadcast)

Attempts broadcasts for name resolution before trying the two extensions, which are DNS servers and lmhosts files. A common configuration, because most systems use DNS rather than WINS. If you set your system to use a primary and secondary WINS server, it will become an h-node. When faced with resolving a host name, the

h-node (Hybrid)

Continued

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

Table 11.1 Node Types Type of Node

Description system will first send a directed datagram to a WINS server, then try broadcasting as a resolution method. Failing these methods, the client will then attempt to try DNS servers and then the lmhosts file.

m-node (Mixed)

p-node (Point to point)

First uses broadcasts, then uses a WINS server. After both of these fail, the extensions are tried (the DNS server, then the lmhosts file). Uses a directed datagram first to contact a WINS server. Then, the extensions (the DNS server and then the lmhosts file) are used to resolve names.

Remember that any operating system has a specific resolution order. Windows systems configured as h-node clients, for example, resolve names in the following order: 1. Query the local computer’s name to see if the name being queried is simply the system’s own host name. If this is the case, then the name resolution occurs and the system then proceeds to resolve the IP address to MAC addresses. 2. Read the local HOSTS file. 3. Query to the DNS server given for the system. 4. Check the local NetBIOS name cache. 5. Query the WINS server given for the system. 6. Conduct a broadcast for NetBIOS name resolution to all hosts on the subnet. 7. Check the local LMHOSTS file. If the Windows system is configured as a WINS client, the following order is followed by default: 1. Check the NetBIOS name cache. 2. Query the WINS server. 3. Broadcast for NetBIOS name resolution. 4. Check the local LMHOSTS file. www.syngress.com

481

482

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

5. Check the hosts file. 6. Query a DNS server. So, as you troubleshoot your NAVCE environment, make sure you consider the system’s node type. B-node, p-node and m-node systems resolve in a different order.The reason for this long summary of name resolution is that you need to make sure there is no conflict between the hosts, lmhosts files, as well as WINS and DNS servers. If you keep encountering resolution problems, make sure you review all name resolution possibilities to eliminate conflicts. Finally, when you make a change in the lmhosts file, you will have to use the nbtstat -R command to purge and refresh the NetBIOS cache. Linux systems, for example, resolve names according to entries placed into the /etc/hosts.conf file. Usually, the default is to first check the hosts file, then check the DNS server (known as BIND).The following is an example of a default /etc/host.conf file: order hosts, bind

DHCP Issues It is very possible for DHCP to cause problems with your NAVCE 7.6 environment, mainly because address and naming conflicts can easily arise. Consider using static addresses for foundational systems, including: ■

NAVCE servers (both primary and secondary)



Directory services servers



DNS servers



NAVCE clients that cause problems (for example, they have slow login times, or do not properly appear on the SSC)

When troubleshooting problems, you also may want to configure certain clients to use static IP addresses so you can easily identify problems.

NOTE It should be noted that you should never use DHCP for your NAVCE servers. Any server in your farm should always have a statically assigned IP address.

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

Directory Services Issues When working with directory services servers (for instance, Microsoft Active Directory and Novell Directory Services), consider the following: ■

Make sure all servers have host names that can be easily resolved via DNS.



If using Microsoft Active Directory, make sure the PDC has a fully functional DNS server running.



Make sure all domain controllers are functioning properly before you suspect a specific NAVCE problem.

Once you consider the preceding issues (along with DNS), you can begin to suspect additional sources, including firewalls.

Firewalls and the NAVCE Environment In many cases, clients cannot obtain new grc.dat files and new virus definitions due to restrictive firewalls.The following are various issues to consider when supporting NAVCE clients and servers behind firewalls.The listings include the specific ports used for update and control: ■

The Ping Discovery Service (PDS) listens on UDP port 38293 for requests from potential NAVCE clients. Each request is called a “ping” by Symantec; do not confuse this UDP-based ping with a standard ICMP echo request or echo reply message. Each time a server receives a ping, it determines if the client is registered, then responds with a “pong” packet that uses the same UDP port as the ping packet.The PDS helps clients determine which port to use when obtaining updates. UDP port 38293 cannot be changed by editing the Registry, because it is designed to enable the entire NAVCE environment. However, if port 38293 is not available for some reason, NAVCE will simply allocate another port.You will, however, have to configure your clients to use this new port.



The RTVScan.exe process loads, and allocates a port from the system. NAVCE 7.6 requests a static port first. If you are using TCP/IP, then UDP port 2967 is requested first. If you are running an IPX/SPX network, port 33345 is used.The following Registry entries allow you to register IP and IPX-based ports: www.syngress.com

483

484

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment ■

If you wish to configure a Quarantine Server, you must choose a port for it. Symantec recommends that you choose any UDP port between 1025 and 65536.



NAVCE can send alerts concerning virus attacks, and other events.The Msgsys service is responsible for this, and uses ports 3807 and 3892.



NAV 7.6 roaming clients connect to UDP port 1056 on the server.The clients themselves use any port above 1023 to connect to port 1056.

Notes from the Underground… A Full Quarantine? Check Your Corporate Firewall or Desktop Firewall Software Clients configured to send viruses to a central NAVCE Quarantine Server may inexplicably collect viruses in their own Quarantine, rather than sending them to the Quarantine Server. Many times, this problem is caused by a firewall that is blocking the UDP port you have chosen for the Quarantine Server. As a result, the client simply stores the viruses in its own Quarantine until the problem is resolved. Open the firewall connection to solve the problem. Desktop firewall software (for example, that found natively in Windows XP, or in applications such as BlackICE and ZoneAlarm) can also block connections to the Quarantine Server, especially if the software is set to block all ports but those you explicitly allow. In such cases, simply add a new rule that adds the UDP port of the Quarantine Server.

Later versions of RTVScan will try to allocate port UDP 1025 for a server, and 1026 for a client. The ports mentioned earlier are considered by NAVCE to be “static ports.” If NAVCE fails to allocate the default ports or those entered in the preceding Registry locations, then RTVScan will have the Windows networking application (Winsock) allocate a dynamic port (any port ranging from 49152 through 65535).

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

Always remember that an intervening firewall can block the preceding traffic. Two firewall stances exist: Default closed and default open. Default closed firewalls block all traffic unless explicitly accepted. Default open firewalls allow all traffic unless explicitly dropped.You will have to configure default closed firewalls to open both ingress (incoming) traffic, as well as egress (outgoing) traffic. Make sure you work with your firewall administrator to open all necessary ingress and egress ports. For the sake of reference, here are the common port ranges: ■

Well-known ports: 0 through 1023.These are reserved for specific applications, and generally available only to administrative users, such as administrator, supervisor, and root.



Registered ports: 1024 through 49151. these are assigned to certain applications and daemons.



Dynamic (that is, private) ports: 49152 through 65553.These are unassigned and can be used by anyone.

Configuring & Implementing… Firewall Issues When working with firewalls, make sure you consider the previous information to open additional TCP and UDP ports. For example, an intervening firewall may be blocking DNS queries (UDP port 53). Also, remember that DNS servers conduct zone transfers using TCP port 53, so you may have to open this port as well to ensure that your DNS server is properly updated. Consider additional ports, including those important to Microsoft systems, such as TCP/UDP port 135, which is used by Active Directory. Additional Microsoft-specific ports include TCP/UDP ports 137, 138, and 139. Remember that you will need to allocate these specific ports, as well as TCP and UDP ports above 1023, which are used by NAVCE clients to make connections to specific ports.

www.syngress.com

485

486

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

Troubleshooting Servers When troubleshooting NAVCE servers themselves, remember the following: ■

Log files can be your best friend. Read them carefully, as they help document any issues your server may be having.



Be ready to edit the Windows Registry. Back it up at all times before making any changes, however, as improper changes can damage either your NAVCE installation or your entire operating system.



Look for related issues, such as fragmented disks, little available system memory, and network problems, that may be the true root cause of the problem.

In the following section, you will learn more about troubleshooting NAVCE in both Windows and Novell environments.

Windows NT/2000 Servers The following errors are some of the most common examples of the problems encountered on Windows NT/2000 systems.

Installation Errors The following list is a catalog of various installation errors that have commonly occurred in regards to Windows servers (for example, Windows NT/2000 systems). ■

You receive an error message that reads, “This installation package cannot be installed by Windows Installer service.You must install a Windows service pack that contains a newer version of the Windows Installer service.”To solve this problem, obtain instmsia.exe, which is available on the second NAVCE installation disk in the \Navcorp\ Rollout\Avserver\Clients\Win32.



You cannot see a Windows NAVCE server, because it is on the other side of a router or a bridge.To solve this problem, use a hosts or lmhosts entry. As soon as you can see the server in, say, Windows Explorer, you will be able to see it in the NAVCE installation application.

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

Configuring a Primary NAVCE Server Even if you have only one NAVCE server, it must be designated as primary. It is possible in some situations for a secondary server to be placed into a position where it must act as a primary server.To ensure your NAVCE server is primary when it should be, take the following steps: 1. Open the SSC. 2. Right-click the Symantec AV server group and unlock it. 3. Find and right-click the Symantec NAVCE 7.6 system in question. 4. Choose to make this NAVCE 7.6 system a primary server.

Verifying Check-in Frequency and keepalive Packets When working with the SSC, most problems center on making sure that clients are properly recognized and managed using NAVCE’s protocols. Problems generally take the following forms: ■

The SSC does not report clients that you know exist; sometimes clients appear, then disappear for no apparent reason.



You cannot configure clients from the SSC.



You determine that clients are not receiving automatic virus definition updates.

To solve these problems, you need to verify: ■

That clients are checking into the server frequently enough for updates.



That the keepalive feature on the client is properly set.The UDP keepalive packet is designed to provide updated client information to the NAVCE server, as well as ensure that clients receive updates and the latest configuration settings. For example, if the client sends a keepalive packet and it is noticed that the client has older virus definitions or an out-of-date configuration file, then the server will send new information.The keepalive packet is roughly 1KB in size, and should not cause network problems, even if sent by hundreds of clients. If you have thousands of clients sending these packets, then you need to scale your environment to multiple NAVCE servers on separate subnets to reduce traffic.You can increase the keepalive packet value rather than use

www.syngress.com

487

488

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

additional NAVCE servers. If the keepalive packet value is set too high, fewer packets will be sent, resulting in less UDP traffic on the network. However, two problems may occur by setting the keepalive packet too high: First, the client may not receive updated definitions. Second, the client may no longer appear on the SSC. Keep the interval short enough so that the client does not disappear. By default, the keepalive value is 60 minutes (one hour). Older versions of NAVCE are set at three minutes. ■

That NAVCE is working properly on both the client and the server.



That clients and servers are properly communicating; if network communications are not occurring, there is no sense in trying to fix either the client or the server.

Verifying that Clients Check in Frequently To verify how often clients check in with their NAVCE parent(s), take the following steps within the SSC: 1. Right-click a server or server group in the SSC console, then go to All Tasks. 2. Click Norton AntiVirus, and open the Virus Definition Manager. 3. Once in Virus Definition Manager, make sure the Update Virus Definitions From Parent Server check box is selected. 4.

Check the Set Client Configuration From Parent Server box if not already done so.

Verifying Frequency of keepalive Packets To ensure that keepalive packets are set according to your needs, simply open the SSC, go to the Update Settings window, and then increase or decrease the default value.

Verifying Client/Server Communication When verifying client/server communication, you can approach the task from several different angles. Each is described next: ■

Open the NAVCE client interface and confirm that the value in the Parent Server field is the NAVCE server you expect.This check will work, of course, only if you have recently changed the server.

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11 ■

Take the grc.dat file from the NAVCE parent server and have the NAVCE client import it.The client will then have new, updated information about the parent.



Copy the grc.dat file from the parent server to the client. Doing so will update the client concerning the NAVCE parent.



You can use the debugon.reg and debugoff.reg files on the client.These Registry files are designed to alter the Registry of the client and a server, and are freely available from Symantec (www.symantec.com). They are designed to present messages on either a client or a server that help you determine exactly when a keepalive packet has been sent or received.To obtain these files, simply conduct a search on the site for either of these two files. Once you obtain debugon.reg, import it onto the client as administrator, which is a script that displays the phrase “CheckInWithMommy” each time a keepalive packet is sent to the server.To stop this, import the file named debugoff.reg.You can use these clients on NAVCE server systems, too. In Windows NT/2000 systems acting as NAVCE servers, you can also import the debugon.reg file to see how the NAVCE services are running. Once you import this file onto the server, you will then see a message that reads “Alive — , where client_name is the name of a client that has checked in with the server.You can then import the debugoff.reg file to turn off debugging mode.

Inability to Communicate with Clients through the SSC In some cases, you may find you can see clients found in the SSC, but you cannot actually issue commands to them or otherwise communicate with them. In such cases, the following steps will help you refresh the SSC: 1. Go to the parent server and use a Registry editor (for example, regedit or regedt32) to access the following key: HKEY_LOCAL_MACHINE\Software\Intel\Landesk\ VirusProtect6\CurrentVersion\Clients 2. You will see a list of clients that have registered through keepalive packets in the past three days. Some of these clients will be valid, while

www.syngress.com

489

490

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

others are not.This is why you cannot communicate with some (or all) of the clients you see. 3. Delete all of the clients. 4. Still in the Registry, wait for the subkeys to be regenerated. If you do not see any regeneration, exit the Registry and then re-enter the Registry and go to the same key listed previously. If you still do not see new keys after 10 or 20 minutes, then verify that all clients and serves are using the same communications protocol.

Setting the Preferred Protocol Sometimes client/server communication can fail because of protocol incompatibility. If you have both TCP/IP and IPX/SPX installed (either on a NAVCE server or NAVCE client), it is possible that a communications problem will result.This is because NAVCE will default to using IPX/SPX instead of TCP/IP. If some of your clients and some of your servers use only TCP/IP, or your routers and firewalls are not configured to forward IPX/SPX traffic, then you will experience a communications problem.To solve this problem in Windows NT/2000/2003 servers, take the following steps: First, configure the parent server to use the protocol you wish.To do this, take the following steps: 1. Go to the Symantec Web site and download either of the following Registry files: ■

PreferedProtocol_IP.reg Sets the server to use TCP/IP as the preferred protocol.

PreferedProtocol_IPX.reg Sets the server to use IPX/SPX as the preferred protocol. These files are freely available, questionable spelling and all. Simply search for them by name, or use the phrase “to set the preferred protocol used by Norton AntiVirus Corporate Edition.” ■

NOTE Yes, the text string of “PreferedProtocol” is spelled as Symantec intended. Engineers have to be good programmers, not good spellers, apparently.

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

2. Once you have downloaded the necessary file, as administrator, simply double-click the preferred file and take the necessary steps to finish importing the file. 3. Using a Registry editor, make sure that the PreferedProtocol value for the following key has been changed to your preference: HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusP rotect6\CurrentVersion. Look in the right-hand pane for the PreferedProtocol field. If you have selected IP, the DWORD value will read 0x00000000 (0). If you have selected IPX, the value will read as follows: 0x00000001 (1).

Configuring Clients You must, of course, configure clients to use the correct protocol. As with the servers, you must download two more files from Symantec. For the clients, the files are called: ■

ClientPreferedProtocol_IP.reg: For configuring clients to use TCP/IP.



ClientPreferedProtocol_IPX: For configuring clients to use IPX/SPX.

Rather than go to each server, you can simply use one of the preceding files on the NAVCE primary server. As long as clients can communicate with the server, they will receive the new settings. So, take the following steps on the parent NAVCE server: 1. Import the preferred file for your client. 2. Using a Registry editor, verify the Registry key: KEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusPro tect6\CurrentVersion\ClientConfig 3. Look in the PreferedProtocol field. If the system is set for IP, the DWORD value will read 0x00000000 (0). If you have set the system for IPX, the value will read 0x00000001 (1). One you have imported these values, do the following: 1. Create a new grc.dat file, either by: ■

Stopping and starting the NAVCE server service



Updating the primary server’s virus definitions



Going into the SSC and clicking the Reset all button www.syngress.com

491

492

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

2. Verify that the client has received the new grc.dat file. If clients are communicating, they will receive the update through keepalive packets. However, if clients cannot communicate due to a protocol mismatch, you can copy the new grc.dat file to each client.The following are the default locations where the new grc.dat file goes for various operating systems (assuming a C:\ drive). ■

Windows 2000/XP: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.6



Windows NT: C:\WINNT\Profiles\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.6



Windows 9x: C:\Program Files\Norton AntiVirus, or C:\Program Files\NAV

Combining 16-Bit and 32-Bit Clients It is possible to use the SSC to scan 32-bit clients (for instance, Windows NT/2000/XP), as well as 16-bit clients (such as Windows for Workgroups 3.11). As you might suspect, 32-bit clients have more options available than 16-bit systems. If you combine 16-bit and 32-bit clients into one group, however, in order to conduct a scan, then only the 16-bit options will be available to you, even for 32-bit clients.This is a feature, and not a bug.To obtain all 32-bit options, segregate 16-bit clients for a separate scan. It is important to understand that when you configure and administer remote 16-bit clients through the SSC, you cannot administer them individually, nor can you create a group of 16-bit clients out of multiple server groups.You must work with 16-bit clients out of each group. If you try to combine 16-bit clients from multiple server groups, your configuration attempts will fail.

Failed Notifications It is possible to configure NAVCE to send e-mail and SMB-based notifications concerning virus events. If you fail to receive these messages, first make sure that firewall and name service issues are not causing the problem; if, for example, a firewall is blocking e-mail from one subnet to another, or if your system’s host name has changed, you may be improperly blaming NAVCE. Once you have confirmed that NAVCE is the source of the problem, chances are that the

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

problem will be due to the fact that the host names given are improperly formatted. Go to the mail settings window, and then confirm that no spaces exist between the names of recipients. Names must be separated using semicolons, but no spaces should exist between names, as shown: james;sandi;jamey;jacob;joel;joseph

Spaces can exist between the semicolons to accommodate multiple-name email addresses. If e-mail names are for recipients with first and last names, for example, then the list must be formatted as follows: james stanger;sandi stanger;jamey stanger;jacob stanger;joel stanger;joseph stanger

If you wish to send SMB-based alerts, then the same formatting applies. Separate machine names should be divided by colons, with no spaces in between: workstation1;server1;workstation2;server1

Finally, if you wish to have a system receive NAVCE alerts, format the list in the same way.

NAVCE Server Installation Issues The following is a discussion of how to identify and resolve various installation troubleshooting problems.

Third-Party Application Problems It is possible to install NAVCE using third-party applications, as well as custom login scripts. However, when using these third-party applications, you may encounter the 0x20000046e error, which indicates that the NAVCE service wishes to interact with the Windows desktop.To solve this problem, open the Services snap-in and then access the properties for the NAVCE application. Once in the NAVCE’s properties, select the option that allows NAVCE to interact with the desktop.

Incomplete Installations NAVCE has been known to fail roughly half way through the installation process.The installation program will simply fail, in many cases causing you to press Ctrl+Alt+Delete to kill the installation program. When you try to reinstall, the

www.syngress.com

493

494

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

installation program will report the error: “Setup has found an incomplete installation. Setup cannot continue to install.” To solve this problem, use Windows Search to find the following files: ■

~syminst.exe The correct installation binary for Windows systems.



_syminst.exe The correct installation binary for NetWare systems.

You can then double-click the appropriate file, and you will be able to install the programs.

Problems Reinstalling If you have a problem uninstalling NAVCE after a failed installation, consider the following steps: 1. Use the Add/Remove Programs icon in the Control Panel (Add or Remove Programs in Windows XP). 2. Download the appropriate NAVCE removal tool, use it, and then manually delete all NAVCE folders on the hard drive. Next, using a Registry editor, remove the HKLM\software\INTEL\LANDESK key.The NAVCE removal tool is freely available from Symantec. Download and use the appropriate tool. If you are running Windows NT/2000/XP, the download location is here: ftp://uark.edu/pub/PC/util/msicuu2knt.exe. If you are running Windows 9x/Me, you will need to download the file from ftp://uark.edu/pub/PC/util/msicu9x.exe.

Old Installation Paths In some cases, after an aborted installation, the installation program will not run again and will reference an old installation path.This problem occurs because the previous installation has failed, but the MSI installer application has left behind an install path in the Registry. As long as this installation path remains in the Registry, the installation may fail.To solve the problem, you need to edit the Registry. Go to the following location: HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INSTALLER\PRODUCTS\[random number] where [random number] is, as you might suspect, a random number generated by the system. Delete the key for NAVCE 7.6, and then conduct the installation again.

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

Post-Installation Issues The following message might appear just after installation: “This application uses Ctl3d32.dll, which is not the correct version.This version of Ctl3d32.dll is designed only for Windows NT.”The following message is related to a failed installation, even though NAVCE seems to have installed correctly: “This application uses Ctl3d32.dll which has not been correctly installed.The .dll file must be installed in the windows system folder.”This message usually appears after a user logs on. No one solution exists for solving this problem. Consider the following solutions, in order: ■

Uninstall and reinstall NAVCE.



Remove vptray.exe from the Registry and have it start from the Windows Startup folder. Read the section entitled “Printing Problems” for more information about editing the Registry and having NAVCE start from the Windows Startup folder.



The Ctl3d32.dll file may be corrupt. Make sure your CD has this file, and that it is version 2.31.00 or later. If the file is corrupt, conduct a search for all versions of this file. Open Windows Explorer or a command prompt and rename all instances.You may have to restart in DOS mode or Safe Mode in some operating systems, because the file may be in use during a standard login session. Once you rename the file, you can download a new copy of the file from various locations, including www.microsoft.com. Simply conduct a search on the site to obtain the latest version of the file for your operating system.The following is a list of proper file sizes, depending upon the operating system you are using: ■

Windows 95: 26,624 bytes (26.0 KB)



Windows 98: 45,056 bytes (44.0 KB)



Windows NT/2000 and XP: 27,136 bytes (26.5 KB)

NOTE It has also been known for a message concerning an incorrect version of Ctl3d32.dll to appear after running LiveUpdate.

www.syngress.com

495

496

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

Uninstalling NAVCE Server Of course, the best way to remove NAVCE is to use tools specific to the operating system. For Windows servers, use the Add/Remove icon, found in the Control Panel (in Windows XP, this is Add or Remove Programs). Failing this option, you will have to remove NAVCE manually. Doing so involves the following three procedures: ■

Removing files and folders from the hard drive.



Removing entries from the Registry.



Removing entries from the Windows Start menu.

To begin the process of removing all items, you must first stop all NAVCE services, which can include: ■

The PDS service



The Def W atch service



The Alert Handler service



The File Transfer service



The Originator service

Editing the Registry To remove NAVCE elements from the Registry, take the following steps: 1. Back up the Registry using Windows backup utilities. Also, create a set of rescue disks so you can run the necessary applications to repair your system in case the edited Registry experiences a problem and makes your system unbootable. 2. Go to the following Registry key: HKEY_CLASSES_ROOT\*\Shellex\ContextMenuHandlers. 3. Find the LDVPMenu entry, and delete it. 4. Delete the following subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Norton AntiVirus NT. 5. Go to the key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services and delete the following entries:

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11 ■

Norton AntiVirus Server



DefWatch



Intel Alert Handler



Intel Alert Originator



Intel File Transfer



Intel PDS



NAVAP



NAVAPEL



NAVENG



NAVEX15

6. Go to the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eve ntLog\Application and delete the following folders: ■

Defwatch



Intel Alert Handler



Intel Alert Originator



Intel AMS II



Intel File Transfer Service



Intel PDS Service



Norton AntiVirus

7. Navigate to yet another key, HKEY_LOCAL_MACHINE\Software\ Intel\DLLUsage\VP6, and once there, delete the VP6 folder. 8. Go to the key HKEY_LOCAL_MACHINE\Software\ Symantec\InstalledApps and delete the following values: ■

VP6ClientInstalled



VP6UsageCount

www.syngress.com

497

498

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

NOTE If you are using Windows NT, the preceding names will be called “values.”

9. Using regedit, search the entire Registry for the following text strings and delete any and all references to them: ■

VirusProtect6



86C46C6D5F9F3D11EBAE000ACC725290

10. Go to the following key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\Uninstall, and delete any entries that have the following values: ■

D6C64C68-F9F5-11D3-BEEA-00A0CC272509.

11. Move to locate the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\Run. Once there, delete the vptray name (called “Value” in Windows NT). 12. Find and delete the following keys: ■

HKEY_LOCAL_MACHINE\Software\Symantec\Repair value



HKEY_LOCAL_MACHINE\Software\Symantec\SourceDir value



HKEY_LOCAL_MACHINE\Software\Symantec\TargetDir value



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\Installer\UpgradeCodes\96C46C6D5F9F3D11EBA E000ACC725290 key

13. You can then close the Registry editor. 14. Restart your system. If the system is not bootable, use your backup copy of the Registry and your Windows repair disks (or ERD) to restore the original Registry.

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

Removing NAVCE from the Hard Drive If you wish, you can also remove the following folders if they are present: ■

[drive]\Program Files/NAV (or [drive]/Program Files/NAVNT, for NT systems)



[drive]\Program Files\Common Files\Symantec Shared\VirusDefs



[drive]:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5



[drive]:\WINNT\Profiles\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5



[drive]:\WINNT\Installer\{D6C64C68-F9F5-11D3-BEEA00A0CC272509}

NOTE Make sure that no other applications use the virus definitions. Otherwise, you will have to restore this directory.

Removing NAVCE from the Start Menu To remove NAVCE from your Start menu, take the following steps: 1. Right-click the Start button, then click the Open All Users option. 2. Double-click the Programs icon. 3. Once in the Programs window, find the folder for NAVCE, and then delete it.

NOTE If you are using Windows NT/2000, you can also use the Windows Installer Cleanup utility, freely available from Microsoft (search for document number Q240116). For specific instructions on how to install and use the Windows Installer Cleanup utility, see the section entitled, “Uninstalling NAVCE from Windows 9x and Me Client Systems,” later in this chapter. www.syngress.com

499

500

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

LiveUpdate Issues After installation, NAVCE 7.6 requires a server restart to make sure that LiveUpdate will work. In some cases, however, NAVCE 7.6 will fail to prompt users to restart the system. As a result, the Registry entries necessary to start the LiveUpdate engine are not run. Restart the system to make sure the new entries are read and enacted by the operating system. It is also possible that the person who installed NAVCE may have chosen not to restart the system. Nevertheless, restart the system first to see if a simple reread of the Registry solves the problem. If LiveUpdate continues to experience problems, consider the following solutions: ■

Check for network problems (for example, DNS, firewall, DHCP issues).



Verify that the client is, in fact, configured to use LiveUpdate.



Conduct a manual LiveUpdate to see if the engine is working.

Now, let’s take a look at some specific problems and solutions.

Proxy Server Settings It is possible that a proxy server is blocking LiveUpdate sessions. Open NAVCE and check for proper firewall and/or proxy server settings. Required information can include: ■

Proxy server or firewall IP address and/or DNS name



Proxy server port



Authentication information (for example, a username)

Invalid System Account It is also possible that NAVCE will not start because it is using an invalid system account. NAVCE will create its own system account, but it is not necessary to use this particular account. Although it is a bad idea to change this account arbitrarily, if a problem occurs, you can always create a new account. If you create a new account, make sure it has administrative privileges for the system. Otherwise, NAVCE will not be able to use necessary resources, directories, and files. For example, if NAVCE does not have administrative privileges, it will not be able to allocate the proper ports for networking.To modify the account NAVCE uses, take the following steps:

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

1. Create an account with administrative privileges.You can do this using the Computer Management snap-in and adding a user. Make sure you supply a password and add the user to the Administrators group.You may want to write down the password, because you will have to enter it shortly when you choose a new account for the NAVCE service. 2. Open the Services snap-in (for example, by going to Start | Programs | Administrative Tools | Services in Windows 2000, or Start | Control Panel | Administrative Tools | Services in Windows XP). 3. When the Services snap-in appears, find the service for NAVCE, rightclick it and select Properties. 4. Once in the Properties dialog box for the NAVCE service, find the account NAVCE uses. In both Windows 2000 and XP, you would click the Log On tab for the NAVCE service and then select the This account radio button.You can add the account name and password information here. 5. Stop and restart the NAVCE service. When it restarts, it will be using the account you created.

UNC Share Issues Many systems administrators prefer to have LiveUpdate obtain shares from an SMB-based share on a Windows server. However, it is possible that some systems may not have rights to attach to this share. In such cases, LiveUpdate will fail. Several options are available in this situation: ■

Change the account the NAVCE service uses. Make sure that this account has enough permissions on the network to access the share.



Configure the LiveUpdate share to allow null sessions (for example, sessions that allow any user to connect).



Change the permissions on the LiveUpdate share to allow connections from all servers that use LiveUpdate.

www.syngress.com

501

502

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

DUAL NIC Systems Dual NIC systems are useful in various situations, including: ■

When you need a relatively inexpensive proxy server or firewall solution.



When you need two NICs to help distribute connections entering the system.

In dual NIC systems, NAVCE 7.6 should bind according to the NIC’s priority. NAVCE will then work with the IP address bound to the highest priority NIC. However, in cases where the binding priority becomes confused, take the following steps: 1. Access the properties for the local area connection. In Windows 9x/NT/2000, simply right-click the Network Neighborhood icon. 2. Take the necessary steps to access the Advanced Settings dialog box. In Windows 2000, for example, look for the Advanced selection in the top menu bar. Choose Advanced | Advanced Settings, as shown in Figure 11.14. Figure 11.14 Configuring Adapter Priority in Windows 2000

3. Make sure you are in the Adapters and Bindings tab (the default).This tab shows all NICs bound to the system, in order of priority. Figure 11.15 shows how to change the priority of a standard Ethernet NIC over a wireless NIC.The standard Ethernet NIC is the one that, in this case, should receive priority, because you wish the Symantec AV service to bind to it.

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

Figure 11.15 Changing Adapter Priority in Windows 2000

4. Click OK to return to the Network and Dial-up Connections window. You have now manually set your binding priority to accommodate NAVCE 7.6. In Windows XP, you would follow similar steps: 1. Access the properties for the local area connection. In Windows XP, one way to get there is through Control Panel | Network and Internet Connections | Network Connections, then right-click the Local Area Connection icon. If you have configured your system to use Windows 9x/NT/2000-style icons such as Network Neighborhood, simply right-click it to bring up the Network Connections window, and then right-click the Local Area Connection dialog box. 2. Once you have accessed the Local Area Connection dialog box, click the Advanced menu option in the menu bar at the top, as shown in Figure 11.16. Figure 11.16 Accessing the Advanced Settings Dialog Box in Windows XP

www.syngress.com

503

504

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

3. Once you have clicked the Advanced menu option, select the Advanced Settings option.You will then see the Advanced Settings window, where you can configure the priority of the various NICs you have. All you need to do is highlight the NIC that has NAVCE 7.6 configured on it and then give it priority. You now know how to set priority on both Windows 2000 and XP systems.

Additional Fixes The following is a list of fixes you can try in case standard solutions do not work. ■

Desktop firewalls You may have desktop firewall installed on your server (for example, a product such as ZoneAlarm or Norton Personal Firewall). If at all possible, disable these applications.They are really not designed to protect servers in the first place, and they might be blocking NAVCE traffic. Nevertheless, if you must have a desktop firewall installed on a server, configure it so it does not block NAVCE traffic. Also, the Internet Connection Firewall feature in Windows XP may be causing a problem in regards to client and server communication.



NetBIOS over TCP/IP Many times, security administrators will disable NetBIOS over TCP/IP in order to cut down on scanning attacks, as well as security issues that occasionally crop up with Windows systems. Open the Advanced TCP/IP Properties dialog box and click the WINS tab. Make sure the Enable NetBIOS over TCP/IP option is selected.



The SMB Signing bug and Windows XP If you are using Windows XP systems that use SMB signing and have Service Pack 1 installed, it is possible that users might experience long delays when transferring files, or even when opening common Microsoft Office files. NAVCE on the client is often blamed, but in many cases the actual problem has to do with something called the SMB Signing bug. SMB signing is a feature in Windows XP where SMB packets are digitally signed to provide more security as files are transferred.The bug can be resolved by reading the instructions given in Microsoft’s Knowledge Base article 810907, available at www.microsoft.com.

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

Novell NetWare Servers When working with NetWare servers, common problems include: ■

Failed installation



Initiating debugging procedures



Protocol incompatibility



Scanning problems

The following sections include discussions of each.

Installation Issues When installing on Novell systems, you need the following information: ■

A username with proper permissions for installation and configuration.



A password for the username.



A container name.This container will hold login scripts that you can use to install the NAVCE client to remote systems.

If you specify an incorrect container name, you will have to reinstall NAVCE again on the Novell server. If you mistakenly specify an incorrect container name, simply complete the installation, then issue the following command: Load sys:\nav\vpstart.nlm /remove

Now, reinstall NAVCE using the proper container name.

False CPU Utilization Readings When installation starts, NetWare may misreport CPU utilization settings when you install NAVCE using the standard vpstart/install command. Although NetWare may report this reading, it is not correct.To test this, load any other NLM.You will find that NetWare will report a more accurate CPU utilization level.

Failure to Find a NetWare Server If, during installation, the installation application fails to find a particular NetWare server, consider the following options:

www.syngress.com

505

506

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment ■

Make sure the Novell client software on the system is properly installed. If the NetWare redirector fails, you will not be able to see any Novell servers. Verify that the NetWare redirector is working properly, then proceed with the installation.



Verify that the NAVCE server is recognized by the NDS tree. Make sure the server has logged on.

Debugging NAVCE in NetWare Many times, it is necessary to invoke debugging in your NetWare NAVCE implementation so that you gather detailed information about what is going on. To enable debugging from the system console, take the following steps: 1. Log on as supervisor, or as a user with equivalent administrative permissions. 2. Make sure NAVCE has been unloaded from the NetWare server’s memory.You do this by typing Alt+F10. 3. Enter the following command in the console to begin debug mode: load vpstart /debug

4. Two things will result from this command: ■

NAVCE will start again.



A screen will appear called “RTVSCAN - Debug.”This screen will show you all the information concerning NAVCE.

5. When finished, press Alt+F10 to unload NAVCE again.

NOTE If you want to save all of the output to a text file, issue the following command: load vpstart /debug=L

You will receive the same information as opening a debug screen in the console. However, saving the information to a text file may help you read through the output more carefully.

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

You may not want to use the NetWare console, however.To enable debugging through the NAVCE NetWare interface, take the following steps: 1. Open the NAVCE interface. 2. Press the F6 key.You will be asked for a password. If you are logging on for the first time, the default password is “symantec”, in all lower case. You will then be shown a disclaimer message. Press any key to dismiss it. 3. Click the option for the Debug Menu and press Enter. 4. You will be provided with a debug menu. From this menu, click the Toggle Debug option, then press Enter.You are now in debugging mode. Look for the phrase “Debug: ON” in the Current Configuration window to verify you are in debugging mode. 5. You are not yet in verbose mode, however, which provides much more detailed information about NAVCE.To enter verbose mode, click the Toggle Verbose option, then press the Enter key. As with standard debug mode, you can verify that verbose mode is on by viewing the Current Configuration window and looking for the words “Verbose: ON.” 6. To stop debugging mode, click the Toggle Debug option, then press Enter. Debugging will stop.You can repeat this step for verbose mode, as well. 7. To exit the Debug menu, press the Esc key. 8. To exit the Administrator menu, press the Esc key again.

NOTE Once in NAVCE, to write the debug output to a file, look for the Toggle Logging option, highlight it and then press Enter. You will see that the Current Configuration panel shows that logging has been enabled. The log file will be stored in the SYS:NAV/vpdebug.log file You can view log files using any text editor, and toggle logging off just like you did with debug and verbose mode.

www.syngress.com

507

508

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

NetWare Servers and Windows NT/2000 Networks that still use IPX/SPX only are increasingly rare, but in such cases, you may find that a NetWare system running only IPX/SPX and no DNS server will have problems receiving updates from a Windows NT/2000 server that resides in another NAVCE server group.This is especially problematic if the Windows NT/2000 server resides across a router or firewall.The source of the trouble has to do with the fact that NetWare servers do not store the address of the Windows NT/2000 systems in its cache.To solve this problem, you can: ■

Add TCP/IP support to the NetWare server. Doing so will enable the server to communicate properly with the Windows NT/2000 server.



Move the NetWare server to the same group as the Windows NT/2000 server. After one full day (24 hours), the NetWare server will add the Windows NT/2000 server’s address to its cache.You can then move the NetWare server back to its original location, and it will now be able to address the Windows NT/2000 server properly.

Configuring & Implementing… Where Can I Exclude Files for Real-Time Protection? You may be asking yourself where you can exclude certain extensions from NAVCE’s real-time protection in NetWare servers. Unlike Windows servers and clients, you cannot configure NAVCE real-time protection to exclude files by extension on a NetWare server.

Configuring a Preferred Protocol for a NetWare Server You may be experiencing problems with having your NetWare server communicate with other systems.This is because your NetWare system may be using IPX/SPX instead of TCP/IP, or vice versa.To solve this problem, you need to set a preferred protocol:

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

1. Log on to the NetWare console as supervisor, or as a user who has administrative rights. 2. Stop (that is, unload) NAVCE at the NetWare console (Alt+F10). 3. Load the vpregedt.nlm module, which allows you to edit system entries for NAVCE. 4. Once in vpregedt, you will see that it has two panes, or windows. 5. Press F5 to open a key. 6. Make sure the VirusProtect6 key is selected by default, then press Enter. All subkeys to this key reside in the left-hand pane of vpregedt. All values for the key reside in the right-hand pane. 7. You need to add new values to the VirusProtect6 key, then to the VirusProtect6/ClientConfig subkey.To add a new value to the VirusProtect6 key, pres F5. 8. You will be given a menu of options for editing the VirusProtect6 key. Press on the down arrow to select the Add Value option and press Enter. 9. A dialog box will appear that reads Enter new name value. Enter the following: PreferedProtocol. Make sure you follow the spelling exactly as shown. Normally, “preferred” is spelled with two r’s. However, enter only one r. 10. After you have entered PreferedProtocol, you will see a Select Data Type dialog box. Select the DWORD option, then press Enter. 11. In the Enter the data dialog box that appears, you must type either a 0 or a 1.The value of 0 refers to IP.The value of 1 refers to IPX. Choose the value appropriate for your situation. 12. You have now set your copy of NAVCE on the server to use a preferred protocol. Now you must set the preferred protocol for all clients.To do this, edit the ClientConfig subkey. 13. Find the ClientConfig subkey, then press F5. 14. Use your down arrow to select Add Value. When the Enter new value name dialog box appears, enter PreferedProtocol. Remember not to type in “PreferredProtocol.” 15. The Select Data Type dialog box will appear. Select the DWORD option, then press Enter. www.syngress.com

509

510

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

16. When the Enter the data dialog box appears, enter either 0 (for IP) or 1 (for IPX), then press Enter. 17. Once you are finished configuring a preferred protocol, press the Esc key to exit the vpregedtmodule. 18. You are now ready to restart NAVCE.To do so, type load vpstart at the console, then press Enter.

Problems Conducting Scans in NetWare Servers When running a scan on a NetWare system, you may receive the error: “RTVSCAN could not load NDS function.”This error message pertains to NDS, specifically the NetWare Loadable Module (NLM) named dsapi.nlm.This module allows Novell systems to make connections to an NDS tree. If the version is out-of-date, NAVCE will not work properly.To solve this problem, download the very latest version from Novell’s Web site (www.novell.com). Once you install the new module, conduct the scan again. If possible, reboot the system to ensure the new dsapi.nlm module is properly loaded.

Troubleshooting Client PCs The following sections describe various issues relating to certain NAVCE clients.

Solving Hard-Drive Issues NAVCE may fail to run properly if the disk is fragmented, has file allocation errors, or has corrupted system files.To solve these problems, consider the following commands: ■

sfc /scannow Checks for corrupted system files (for example, ntdetect.com and bootsect.dos). Additional options are available to you when you use sfc, including: ■

/scanonce If you use this option, sfc will run at the next system reboot and scan all system files. However, the sfc command will not run on subsequent reboots.



/scanboot Has the system scan all system files each time the system is rebooted.



/cancel Removes all references to future scans, so the system will not use sfc automatically.

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11 ■

/quiet Has sfc conduct scans and replace files without user interaction.



/enable Enables Windows File Protection.



/purgecache Scans all files immediately and deletes all file caches so scans and repairs perform optimally.



/cachesize Determines the cache size used by sfc.



chkdsk /f Locates bad sectors and file allocation information.



You also should use disk-defragging applications to ensure your hard drive is working optimally.This is done by running the sfc /scannow command.

NOTE If you are wondering whether you have to issue similar commands on NAVCE servers as well, the answer is “yes.” However, clients tend to experience disk defragmentation and file allocation errors more often, and so this issue is covered under client issues.

Printing Problems In some cases, printing from applications such as Microsoft Word or Excel may become impossible after NAVCE is installed. First, make sure your printer is online and working. If the system you are printing from is connecting to a remote print server, make sure the system’s network connection is working by pinging the print server or printer.You may also want to verify that other workstations can use the remote printer; the last thing you want to do is mistake a printer or network problem for one caused by NAVCE. Once you have determined that NAVCE is actually causing the problem, focus on NAVCE’s Auto-Protect feature.This feature starts running on the system using settings in the Registry. In some systems, when the Auto-Protect service runs from the Registry, it can interfere with printing, because the service does not allow the print driver to completely initialize.To solve this problem, have NAVCE’s Auto-Protect feature load from the StartUp folder, rather than from

www.syngress.com

511

512

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

settings in the Registry.To place an Auto-Protect icon into the Start menu, do the following: 1. Open NAVCE so that you see the main window and then choose Options | Auto-Protect. 2. Find the check box that has Auto-Protect load using Registry settings at startup and deselect it.Then, take the necessary steps to return to the NAVCE main window. 3. Add the Auto-Protect icon to the Start menu.To do this, right-click the Start button and choose Open. 4. Once in the Start menu, create a new shortcut by right-clicking the Start menu window and selecting New | Shortcut.Then, click the Browse button and navigate to the Program Files\Norton AntiVirus to find the navapw32.exe file. 5. Once you have found this file, click it so it is highlighted, then click Next. 6. Click Finish. 7. To test your work, reboot the system to see that: ■

NAVCE runs automatically.



You can now print documents.

You now have a workaround for clients who have problems printing.

Problems Creating a Rescue Disk As soon as you install NAVCE, one of your first tasks should be to create a rescue disk. A rescue disk allows you to recover from infections from previously unknown viruses, and will provide a foundation for emergency repairs that may occur. However, you may find that NAVCE fails to create a rescue disk. Specifically, NAVCE may begin to create a rescue disk, but then report an error message that reads “Invalid Partition Tables,” and then fail to complete its task. This problem usually occurs because NAVCE is very particular about the hard disk information it reads. If NAVCE senses that a disk’s partition tables are not within certain tolerances, it will refuse to act further. After all, the rescue disk must use stable disk and storage information, and if the hard drive is not in a sufficiently stable state, the rescue disk may replicate those errors. If an improperly

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

created rescue disk were ever used, it might damage the system even more than a virus. To solve the problem, you pursue the following paths: ■

Run an application such as Scandisk (or, if you are a true Symantec devotee, Norton Disk Doctor).



Use a copy of fdisk to make sure all of the partitions are properly formatted. Be careful using fdisk, as it is used to create and destroy partitions; using fdisk improperly can destroy all data on your hard drive. If you use it correctly, however, you can determine if any partitions are damaged, or whether you need to create and even format (using the format command) any partitions that might be causing the fore-mentioned error message.

NOTE Before you use ScanDisk, always disable File System Realtime Protection scanning. Otherwise, NAVCE may interfere with ScanDisk and improperly report an attack from a virus.

Scanning for Additional Files It is has traditionally been thought that scanning compressed files was a waste of time and resources. However, virus creators can be pretty savvy, and have begun to create viruses that exploit traditional assumptions. It is possible, therefore, for a hacker to write a virus that exploits, for example, *.cab files, which are Windows-based compressed files. Windows *.cab files are used by Windows Update, for example, to download operating system updates. It is very likely that many *.cab files already exist on your client or server. NAVCE does not enable *.cab file scanning by default.To have NAVCE scan for these files by default, take the following steps: 1. Stop the NAVCE service. 2. Obtain the dec2cab.dll from the NAVCE installation disks. Copy this file to the main NAVCE folder (for example, the NAVCE directory off of C:\Program files). 3. Restart NAVCE. www.syngress.com

513

514

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

The dec2cab.dll file will then be read, which has NAVCE scan .cab files.You can also, of course, create a custom entry in NAVCE that has it search for any file with a .cab ending. After making your changes, make sure your primary server exports all changes to clients using a new grc.dat file.

vptray Issues In some cases, vptray (the NAVCE application that runs in your login environment) will crash and consume up to 100 percent of the CPU’s resources. In these cases, you have two options: 1. Restart the system In some cases, a simple restart will solve the problem for either a long period of time, or permanently. 2. Obtain an update for the application If the problem recurs often, Symantec is probably aware of it, and has likely published updates, available at www.symantec.com. In some cases, you may not want to run vptray automatically, either because it can cause problems with other applications and services if loaded at the wrong time (as with printing in applications such as Microsoft Word), or because you simply do not want the vptray icon to show up on the taskbar.To eliminate vptray from the taskbar, take the following steps: 1. Create a backup of the Registry. Save this backup on the local system off of the C:\ drive and on a remote system. Editing the Registry can be tricky, and the slightest mistake could render a system unbootable or damage various services. Keeping a local and remote backup ensures you can access a working copy at all times. 2. Open the Registry editor (for example, by choosing Start | Run, and entering either regedit or regedt32). 3. Go to the following subkey: HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\ Run 4. Remove the reference to vptray. 5. Exit the Registry.Your changes will be saved automatically.

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

Placing a Shortcut in the Windows Startup Folder If you want, you can then place a shortcut to vptray.exe in the Startup folder. Taking this step will have vptray still run, but at a later time. So, though this step may eliminate the problem of vptray interfering with other applications, it still will have vptray appear in the taskbar: 1. Find the vptray.exe binary. Either use the Search feature in Windows, or open Windows Explorer and go to the NAVCE folder off of the Program Files directory. 2. Once you have found the vptray.exe binary, right-click it and then select Copy. 3. Take the following steps, depending upon the operating system you are using: •

Windows 2000/XP: Go to [drive]:\Documents and \Settings\ All Users\Start Menu\Programs\StartUp folder.



Windows NT 4.0: Go to [drive]:\WINNT\Profiles\All Users\ Start Menu\Programs\StartUp folder.



Windows 9x/Me: Go to the [drive]:\Windows\Start Menu\ Programs\StartUp folder.

4. Click the Edit menu, then click Paste Shortcut. Make sure you paste a shortcut, not the entire application. 5. Log out of your login shell and log back in to make the changes take effect.

Exchange Server Issues When Microsoft Exchange servers process SMTP, POP3, and workgroup-related e-mail they must generate temporary files and log files.These files often contain references to viruses and other suspicious traffic, because Exchange servers are designed to simply process e-mail, rather than filter it. If you install NAVCE client onto an Exchange server and allow full access to the drive, NAVCE can mistake temporary and log files used by Exchange for viruses and may either quarantine or delete the file. As you might suspect, Exchange servers don't take too kindly to having critical files deleted and/or quarantined, and will usually stop responding to requests.

www.syngress.com

515

516

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

In severe cases, Exchange servers may actually refuse to restart.To recover from deleted or quarantined files, take the following steps: ■

Exclude critical Exchange files and directories.



Use the Isinteg application to verify the integrity of all Exchange files used to process information.This application is freely available from Microsoft, as per Knowledge Base article Q219419.



Use the Eseutil application to actually recover lost files and databases. This application is also freely available as per Knowledge Base article 219419 (formerly Q219419).

Outlook Express Issues As with Microsoft Exchange server, Outlook Express can fall victim to NAVCE’s zeal in deleting any trace of a virus in any file or folder. Problems include: ■

NAVCE quarantining the Outlook Express inbox, or other folders.



NAVCE deleting the Outlook Express inbox, or other folders.

To solve this problem, Make sure you exclude all folders that may be affected this way.

Windows Me and the _Restore\Temp and _Restore\Archive Folders Most modern Windows systems have an automatic restore feature called System Restore.This feature allows systems to conduct a rollback to a previous version in case of an improper system setting change, or in case an application has somehow damaged the system. Windows Me’s particular implementation of the System Restore feature stores files and configuration settings in folders named _Restore\Temp and _Restore\Archive.These files are protected by Windows Me’s System Restore feature. NAVCE misinterprets this protection as a virus, and will inform you about this apparent problem.These folders are not a threat, as discussed in the following Microsoft Knowledge Base article: http://support.microsoft.com/ support/kb/articles/Q263/4/55.ASP The best way to solve this problem is to exclude these directories from manual and automatic scans.

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

NAVCE Fails after Using the Windows Me/XP System Restore Feature On systems that have used the System Restore feature, it is possible for NAVCE to fail. Symptoms include NAVCE failing to start, or a yellow exclamation mark on NAVCE’s taskbar. Even more worrisome, all may appear to be well, but in fact NAVCE simply fails to detect viruses, which ends up lulling unsuspecting users into a false sense of security. To solve this problem, you can either edit files off of the [drive]:\Program Files\Common Files\Symantec\Shared\VirusDefs\ directory, or obtain old virus definitions and place them in the NAVCE client’s repository. Doing so will force NAVCE to obtain more current information.

NOTE Create backups of the files you edit. Doing so allows you to at least return NAVCE to the original problem, in case you make a mistake.

Modifying Files In order to modify files, perform the following steps: 1. Open the [drive]:\Program Files\Common Files\ Symantec\Shared\VirusDefs\definfo.dat file and find the CurDefs= value.This value indicates the current definition file. Change whatever value you find to the same value in LastDefs=, which is in the same file. Try this option first, as it is the most likely cause. Make sure you save the file and close it. 2. Open the [drive]:\Program Files\Common Files\Symantec\Shared\VirusDefs\usage.dat file. Find a value surrounded in brackets ([ ]), and make sure it has the same value as LastDefs=. 3. Restart NAVCE. 4. Run LiveUpdate.

www.syngress.com

517

518

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

Obtaining and Installing Old Definition Files If the preceding solution does not work, obtain old definition files.To do so, take the following steps: 1. Copy the contents of the NAVCORP\ROLLOUT\AVSERVER\ CLIENTS\WIN32\VirDefs\ folder on Disk 2 of your original NAVCE disk. 2. Paste the contents of the preceding folder into the following folder on your system: [drive]:\Program Files\Common Files\Symantec Shared\ VirusDefs\INCOMING\. 3. Restart NAVCE. You can then run LiveUpdate to obtain the most recent definition and engine files to protect your system. If the preceding solutions do not work, consider either of the following: ■

Consulting Symantec’s latest advice, found on Symantec’s Technical Support Page or its Online Support Knowledge Base (discussed in-depth later in this chapter).



Uninstalling and reinstalling NAVCE.

NAVCE Installation Issues In addition to the installation issues found in the preceding section concerning NAVCE servers, NAVCE client installation issues regarding clients include: ■

Registry permissions



NTFS permissions



DCOM configuration

Registry Permissions Usually, the Registry will allow changes. However, it is possible to change permissions on various Registry keys. Security administrators often change permissions on subkeys to increase system security. When you install NAVCE, you must ensure that the following Registry keys and subkeys can be modified:

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11 ■

HKLM\Software\Symantec



HKLM\Software\Intel\Landesk



HKLM\Software\Microsoft\Windows\CurrentVersion



HKLM\System\CurrentControlSet\Services

Each of the subkeys must allow full control to the Administrator account and the system.To verify settings, do the following: 1. Highlight the key you wish to verify. 2. Select Security | Permissions. 3. Verify the settings. If you need to assign full control to a key, click Advanced, then click the option that reads Reset permissions on all child objects and enable propagation of inheritable permissions. 4. Click Apply. Verify permissions for all keys, then attempt installation again.

NTFS Permissions NTFS permissions can also cause problems. Using a tool such as Windows Explorer, verify that the System and Administrator accounts have full control over the following resources: All drives on the system (for example, C:\ and D:\) The [drive]\Program Files folder ■

The [drive]\Program Files\Common Files folder



The [drive]\Program Files\Symantec folder



The [drive]\Program Files\Nav folder



The [drive]\WINNT\Installer folder



The [drive]\Documents and Settings\All Users\Application Data\Symantec



The [drive]\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5

All users must have read-only permissions for the preceding folders.

www.syngress.com

519

520

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

Verifying Distributed Component Object Model Configuration Distributed Component Object Model (DCOM) is Microsoft’s name for the libraries and applications used to allow applications and the operating system to work together. DCOM regards all applications, services, files, and folders as objects, and DCOM mediates between these objects. In your case, DCOM may be configured to disallow launching of installation applications.To verify DCOM settings, use the dcomcnfg application.The following are instructions for Windows 2000 and XP systems.

Windows NT/2000 In Windows 2000, take the following steps to ensure all accounts are allowed to launch applications: 1. Open a command prompt and type the following: dcomcnfg. 2. Press Enter.

NOTE You may see a message informing you that a classID (CLSID) for various files is not recorded properly. Click Yes to accept these values if you are sure that they should exist on your system.

3. When the Distributed COM Configurations Properties window appears, click the Default Properties tab. 4. Verify that the Default Impersonation Level says Identify, as shown in Figure 11.17. Figure 11.17 Viewing the Distributed COM Configuration Properties Window in Windows 2000

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

5. If the Default Impersonation Level is different, use the drop-down box to change the setting. 6. Click the Default Security tab. 7. Find the Default Launch Permissions section and click the Edit Default button for that section. 8. The Registry Value Permissions dialog box will appear. Verify that both Administrators and the System accounts have Allow Launch permissions. To change permissions, use the drop-down dialog box, shown in Figure 11.18. Figure 11.18 Changing Default Installation Permissions in DCOM

Windows XP In Windows XP, take the following steps: 1. Open a command prompt, type dcomcnfg and press Enter. 2. The Component Services window will appear, as shown in Figure 11.19. Figure 11.19 The Windows XP Component Services Window

www.syngress.com

521

522

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

3. Expand the Component Services icon so you see all the sub-icons, as shown in Figure 11.20. Figure 11.20 The Windows XP Component Services Window Showing All Icons

4. Right-click the My Computer icon, then select Properties. 5. Once in the My Computer Properties window, select the Default Properties tab, shown in Figure 11.21. Figure 11.21 The Windows XP Default Properties Tab

6. Once in the Default Properties tab, make sure the Default Authentication Level drop-down box reads Connect, and that the Default Impersonation Level drop-down box reads Identify. 7. Click the Default COM Security tab, shown in Figure 11.22.

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

Figure 11.22 The Default COM Security Tab

8. Click the Edit Default button for both the Access Permissions and Launch Permissions sections and verify that the System and Administrators accounts have Allow next to them. If these accounts are not listed, add them.

Uninstalling Client Versions of NAVCE The following are instructions for manually uninstalling NAVCE from client systems, including Windows NT/2000/XP and Windows 9x.

Uninstalling NAVCE from Windows NT/2000/XP Client Systems As with uninstalling NAVCE from servers, using the Add/Remove Programs (Add or Remove Programs) icon is the best way to remove NAVCE. If you cannot, you will have to remove entries from the Windows Registry, from the system hard drive, and from the Start menu.To do so, take the following steps: 1. Log on as Administrator, or as a user who has administrative privileges. 2. Using regedit, back up the windows Registry. Also, create rescue disks for your system. Doing so ensures that if a problem exists with the Registry after you have edited it, you will be able to recover from it. 3. Stop NAVCE.

www.syngress.com

523

524

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

4. Go to the following subkey: HKEY_CLASSES_ROOT\*\Shellex\ ContextMenuHandlers. Once there, delete the LDVPMenu entry. 5. Go to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\ Services subkey and remove the following entries: ■

Defwatch



NAVAP



NAVAPEL



NAVENG



NAVEX15



Norton AntiVirus Client

6. If you find an additional entry that reads Norton AntiVirus Server, delete it, too. 7. Verify that no other Symantec products are installed. If no others are installed, you can also delete the SymEvent entry. 8. Once you have deleted the preceding entries where necessary, go to the following subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\ Services\EventLog\Application. At this subkey, delete the Norton AntiVirus entry. 9. Go to the HKEY_LOCAL_MACHINE\Software\INTEL\DLLUsage subkey and delete the VP6 entry. 10. In the left pane, click My Computer, then go to Edit and click Find. Search for the following strings and delete anything related to them: ■

VirusProtect6



74BE21DBFDBD3D11EBAE000ACC725290

11. Go to the HKEY_LOCAL_MACHINE\Software\Symantec\ InstalledApps subkey and delete the following entries: ■

VP6TempID



VP6ClientInstalled



NAVCEClientNumber

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

12. Go to the following subkey and delete it: HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD12E B47-DBDF-11D3-BEEA-00A0CC272509} 13. Go to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run subkey and delete the vptray.exe reference. 14. Restart your system. If the system is not bootable, use your backup copy of the Registry and your Windows repair disks to restore the original Registry.

Removing NAVCE Folders from the Hard Drive To remove NAVCE folders from the hard drive, take the following steps: 1. Using Windows Explorer, go to the [drive]:\Programs Folder and then find either the NAV folder (for Windows 2000/XP, or NAVNT (Windows NT) and delete it. 2. In Windows 2000, go to [drive]:\Documents and Settings\All Users\Application Data\Symantec\ and delete the Norton AntiVirus Corporate Edition folder. If NAVCE is the only Symantec application on your system, you can delete the entire Symantec directory. 3. In Windows NT, Go to [drive]:\WINNT\Profiles\All Users\Application Data\ and delete the Norton AntiVirus Corporate Edition folder. If NAVCE is the only Symantec application on your system, you can delete the entire Symantec directory. 4. Find the [drive]:\Program Files\Common Files\Symantec Shared folder and delete it.

Removing NAVCE from the Start Menu To remove NAVCE from the start menu, right-click the Start menu and click Open, then double-click the Programs icon.You will see various icons. Find the Norton AntiVirus Corporate Edition folder and then delete it.

www.syngress.com

525

526

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

Uninstalling NAVCE from Windows 9x and Me Client Systems If you can’t use the Add/Remove Programs utility from the Control Panel, take the following steps to remove NAVCE from Windows 9x and Me systems: 1. Back up the Registry. 2. Open regedit and go to the HKEY_CLASSES_ROOT\*\Shellex\ ContextMenuHandlers\LDVPMenu entry and delete the LDVPMenu entry. 3. Go to the HKEY_LOCAL_MACHINE\SOFTWARE\Intel\ DLLUsage\VP6 and remove the VP6 entry. 4. Go to the HKEY_LOCAL_MACHINE\Software\Microsoft\ Windows\CurrentVersion\Run and remove the vptray entry. 5. Go to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\RunServices and remove the Defwatch and RTVScan entries. 6. Go to My Computer (in the left-hand pane) and click Edit | Find and then search for and delete any references to the following: ■

74BE21DBFDBD3D11EBAE000ACC725290



VirusProtect6

7. Go to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\App Management\ARPCache\ key and delete the following subkey: {BD12EB47-DBDF-11D3-BEEA-00A0CC272509}. 8. You can then delete all references from the Start menu as discussed in the earlier section entitled “Uninstalling NAVCE from Windows NT/2000/XP Client Systems.”

Removing NAVCE from the Start Menu To remove all folders on the hard drive of a Windows 9x/Me system, go to the Program Files folder and delete the Norton AntiVirus and Symantec sub-folders. If NAVCE is the only Symantec product installed, you can also delete the Symantec Shared folder.

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

Using the Windows Installer Clean Up Utility To complete removing NAVCE so that you can reinstall NAVCE successfully, download the Windows Installer Clean Up utility from Microsoft’s Web site (www.microsoft.com). Search for the utility by name, or by its Knowledge Base article number (Q240116). Once you see the Knowledge Base article, download the appropriate installation binary for the Windows Installer Clean Up utility that suits your particular operating system (for example, Windows 98). To use the Windows Installer Clean Up utility, take the following steps: 1. Double-click the installation binary. 2. Go to Start | Programs and click the Windows Installer Clean Up icon. 3. The Windows Installer Clean Up utility will appear, showing a list of applications installed through Windows Installer, as shown in Figure 11.23. Figure 11.23 The Windows Installer Clean Up Utility Main Window

4. Find the entry for Norton Antivirus Corporate Edition and highlight it. 5. Click the Remove button. Close the Windows Installer Clean Up utility. You are now ready to reinstall NAVCE onto your Windows 9x system.

www.syngress.com

527

528

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

Troubleshooting Roaming Client Support As far as roaming clients are concerned, the following are some of the more common issues to consider.

Server List File Size Limits If you have problems getting a server to import a server list file of roaming servers, check the size of the server list file. If this file is larger than 512 bytes, your system will fail to process it. Even if the file approaches this size limit, you may encounter problems. Pare down the list as much as possible and attempt another import.

File Syntax When configuring the roaming client server list, make sure the syntax is correct. All entries should contain the name of the computer, the type of server, the level of server used, and the actual servers on that level:

If configuring a list for the client, you must use the word . For example, the next entry shows a line for a client that accesses three level 0 servers (named navce1, navce2, and navce3): Parent 0 navce1, navce2, navce3

DNS Issues The following section discusses two DNS issues that have caused headaches for many systems administrators.

Fully Qualified Domain Names versus Host Names NAVCE often has problems reading FQDN information. In some cases, the following command may fail, due to an improper DNS entry: Navroam /nearest

Roaming client systems must remain in touch with a parent server, yet they cannot handle references to an FQDN. As a result, the following message may appear: www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

Error: “FAILED time 0 server level 1 delay ms result ffffffff ” appears with Norton AntiVirus Corporate Edition roaming client To solve this problem, simply use the NAVCE parent server’s host name (for example, server1, rather than server1.company.com).

DNS and Duplicate Host Names It is a truism that DNS names should be unique. In a large enterprise, however, it is common for systems in different departments to have the same host name, because the rest of the DNS name makes the systems unique. For example, suppose you have two departments—research and marketing—at a company called company.com. Suppose further that each department has its own DNS zone. As a result, you would have the following DNS zones: ■

research.company.com



marketing.company.com

Now, suppose that each department has a system with the host name of manager.The FQDN for each system would be as follows: ■

manager.research.company.com



manager.marketing.company.com

Each system has a unique name. However, remember that NAVCE does not like to use FQDNs. As a result, NAVCE may have some problems contacting the correct system.To solve this problem, change the DNS information for the clients so the host names are not duplicated.

NOTE Roaming clients can also be blocked by firewalls or network connectivity troubles. Make sure you consider networking issues in addition to DNS whenever a problem arises.

Addressing Performance Issues The following sections outline a few performance issues that often occur when implementing NAVCE. www.syngress.com

529

530

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

Problems after Using LiveUpdate After completing a run of LiveUpdate, NAVCE might encounter either (or both) of the following problems: ■

In subsequent scans, all files are omitted from scanning.



RTVScan uses 100 percent of CPU.



Windows generates the following error: “Microsoft Visual C++ runtime library,” with the text of “Runtime Error! Program: ...\rtvscan.exe. R6025 -pure virtual function call.”

This problem is generally caused by an old dec2cab.dll file.To solve this problem, you have two choices. First, try simply restarting NAVCE and conducting another scan. Sometimes, NAVCE will mistakenly think that its dec2cab.dll file is too old, when it really isn’t. If this solution does not help, take the following steps: 1. Check the date and time of other Dec2 files. Conduct a search for all De2-based files by entering the following into Windows Search: De2*. All of the files you find should have the same date and version. 2. Remove the old dec2Cab.dll file and obtain a new dec2Cab.dll file from your NAVCE installation disk. 3. Stop and restart NAVCE to make sure your changes take effect.

Maximum Number of Clients and the Registry Size Value When troubleshooting performance, it is important to remember the maximum number of clients recommended by Symantec. According to Symantec, NAVCE servers should have fewer than 1000 clients connected at a time. If your server has anywhere near this number of clients attached to it, you likely will need to increase the size of the Registry. Otherwise, your NAVCE server will run slowly. Symantec recommends changing the value to at least 35MB, which is usually the maximum value in Windows 2000 servers.To make this change, do one of the following (depending upon your operating system): ■

In Windows NT: Go to Start | Settings | Control Panel, then open the System Settings window by double-clicking the System icon. Once

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

in the System Properties window, click the Performance tab, then click the Change button.You can then type the number in the Maximum Registry Size box. ■

In Windows 2000: Go to Start | Settings | Control Panel, and select the System icon.The System Properties dialog box will appear. Click the Advanced tab. In the Virtual Memory section of the Performance Options tab, click the Change button. At the bottom of the Virtual Memory window, you will see a section entitled Maximum Registry size. Enter the appropriate value here.



In Windows XP: No limit exists for the Windows Registry, thus you cannot change or enforce a maximum setting. For more information about this, consult Microsoft’s Knowledge Base article number 292726.

Slow Client Logoff in Terminal Services It is possible for a terminal services client to experience problems after installing NAVCE 7.6. Specifically, clients may notice extremely slow logout times, and will seem to stop, or “hang,” during logout at the “saving your settings...” part of the logout.This problem occurs because the terminal services client is trying to save your profile, and Windows cannot save your profile, due to the fact that NAVCE failed to tell the difference between users logged on interactively, and those logged on through a terminal server. Profiles should be loaded only for locally logged on users. However, NAVCE would load a user profile even for those who had logged on remotely, and would keep it open even after the user logged off. Whenever a user logged off from the system, the operating system would try to save the user profile settings, retrying for at least 60 seconds, and often for several minutes. To verify that this problem is caused by NAVCE, open Event Viewer and view all Application event log entries for a message that, among other things, informs you that your Windows system cannot unload your Registry file, and that after multiple attempts (usually nine), the settings were finally saved. Two solutions exist for this problem: ■

Upgrade your version of NAVCE to NAVCE 7.61 build 37.This build contains additional programming that enables NAVCE to tell the difference between a local and remote login.

www.syngress.com

531

532

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment ■

Log on interactively to the NAVCE server under any account.To enhance security, lock the screen using the Windows screen saver.

Achieving Balance It is possible to exclude certain types of files, as well as specific directories from a system scan to avoid a performance impact during a scan. It may be tempting to exclude a large amount of a system’s drive. However, try to achieve a balance. Ask yourself the following questions: ■

If I exclude a directory from scanning, what are the chances it might be exploited by a virus, worm, or Trojan horse?



If I exclude a specific type of file (for example, text files, .DLL files, or modified files), what are the chances this type of file might get targeted by a virus, worm, or Trojan horse?

Rather than limiting NAVCE, consider stopping unnecessary services on the system. Use the necessary applications and interfaces to verify applications and services running in the background that can be deactivated. In many cases, stopping unnecessary services will free up resources, and will make the server or client able to provide the resources demanded by NAVCE.

Page Faults and RTVScan In some clients, it is possible for the RTVScan application to generate a large number of page faults, which means that the system is encountering a shortage of RAM. Although a certain number of page faults is expected, you may see that the page fault number increases.This occurs because RTVScan accesses the Registry every minute, even though it is not scanning the system. The most effective way to solve the problem of page faults is to add more system RAM. If you cannot do this, disable various unnecessary services and applications to free up memory required for RTVScan.You will then see a marked decrease in page faults.

Tracking Performance When tracking performance issues on Windows NT/2000/XP, use the Performance snap-in (Performance Monitor in Windows NT). Counters to consider include:

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11 ■

% Processor time (from the Processor object)



Disk Read Bytes/sec and Disk Write Bytes/sec (from the PhysicalDisk object)



Handle count, and Pool Nonpaged Bytes (from the Process object)

Additional objects to consider include: ■

% Usage (from the Paging File object)



Pages/sec (Memory)



Page faults/sec (Memory)

Figure 11.24 shows the Windows XP Professional Performance snap-in, displaying key performance counters in regards to NAVCE clients and servers. Figure 11.24 The Performance Snap-in in Windows XP

Improving Performance When improving performance for NAVCE, consider the following choices: ■

Increasing the size of the Windows Page file



Disabling unnecessary services and applications



Adding more system more RAM



Upgrading the system’s CPU

www.syngress.com

533

534

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

Accessing Information Databases Thus far, you have learned about known problems. Inevitably, a problem will arise that has never really been documented before. Fortunately, Symantec does a pretty good job of keeping its documentation current.The best way to access current information is to access its Knowledge Base Web site. Here, you can learn about: ■

The latest bugs in NAVCE



Critical updates



Techniques for improving your NAVCE environment

You can access all areas of the Knowledge Base, as well as additional areas of Symantec’s Web site by going to the following URL: www.symantec.com/ search/. From this URL, you have the option of conducting searches concerning any particular Symantec product, including NAVCE. Once you load the search page, you will be able to: ■

Enter text strings to search for relevant information, much like how you would in Google, Altavista, or any other search engine



Conduct searches using specific Knowledge Base article numbers (for example, 810907)



Limit your search to only the Knowledge Base



Determine specific regions you wish to search

Figure 11.25 shows an example of a NAVCE search that targets only Knowledge Base articles found in the Europe, Middle East, and Africa region.

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

Figure 11.25 Conducting a Knowledge Base Search

When conducting a search, consider using words and phrases such as: ■

NAVCE



Norton AntiVirus Corporate Edition



Troubleshooting



NAVCE Troubleshooting



NAVCE XP (or any other reference to an operating system)

Additional Symantec Search Engines Other Symantec search engines are available for a variety of tasks: ■

If you wish to receive a broad overview of all that Symantec offers on the Web, go to the following page: www.symantec.com/siteindex.html.



To focus only on specific incidents and the latest virus outbreaks, go to the following Symantec page: http://securityresponse.symantec.com/.



If you have more general technical support questions concerning NAVCE, start at: www.symantec.com/techsupp/.

www.syngress.com

535

536

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

Third-Party Search Engines You are not limited to Symantec’s Web site. Consider using various search engines, including: ■

Google (www.google.com) A general search engine that has been able to not only conduct thorough searches for all Internet-based content, but has also been able to rank all search hits according to popularity. It does this by calculating the number of links that point to a particular site. Additionally, Google has a useful Advanced Search section that can help you focus on finding specific information relating to NAVCE.



Altavista (www.altavista.com) A traditional search engine that also enables you to conduct advanced searches.

Search Techniques As you use any of the search engines discussed previously (including those offered by Symantec), remember the following: ■

Any text within quotation marks will be searched as a complete phrase. Thus, if you type in “NAVCE troubleshooting questions” all results (if there are any—there weren’t as of this writing) will contain the phrase “NAVCE troubleshooting questions.” If you omit the question marks, then all hits will contain the words “NAVCE,”“troubleshooting,” and “questions” somewhere in the page reported.



Use the language-specific sections for each site.You can, for example, conduct a search that returns only Russian-language hits, or to omit all pages that contain a particular language.



Use delimiters, such as the minus sign (-).This sign allows you to omit certain words and phrases that you do not wish to see. It can help you omit extraneous information so you can focus on relevant NAVCE information. Delimiters can change from site to site, but the minus sign is nearly universal.



Conduct Boolean searches, which are phrases that use the words “and,” “not,” and “or.” Boolean searches further help you refine your search so that results are focused on specific NAVCE issues. For example, the following phrase searches for NAVCE 7.6 or Norton AntiVirus Corporate Edition 7.6:“NAVCE 7.6” or “Norton AntiVirus Corporate Edition 7.6.”

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

Summary Effective troubleshooting involves the ability to consider multiple factors, make educated guesses, and isolate specific causes. In this chapter, you have learned about specific problems that can arise in Windows and NetWare-based clients and servers.You not only learned about how to recognize and resolve known issues, but also how to conduct searches on Symantec’s Web site for problems that may arise in the future. You can now move forward with confidence knowing that you are equipped with the tools and knowledge necessary to properly troubleshoot your NAVCE environment. With this knowledge, you can quickly resolve network-based issues (for example, those pertaining to DNS and firewalls), as well as problems related to the operating systems that reside beneath NAVCE clients and servers. Now that you know how to troubleshoot client/server communication, performance issues, and roaming clients, you should now feel better equipped to identify and countermand virus outbreaks in your network.

Solutions Fast Track Troubleshooting Basics ; Do not allow network-based issues to fool you into thinking that

NAVCE is the cause of a particular problem. Unless indications point strongly to local issues (for example, those having to do with NAVCE operations), remember that in a managed NAVCE environment, network factors can produce problems that seem to be caused by NAVCE.

; Always look to your server log files, as well as those generated by

NAVCE.They will inform you concerning DNS issues, as well as failed services that may have caused problems for your environment.

; Remember the specific ports used by NAVCE, including the PDS

(UDP port 38293), RTVScan (2967 for UDP in IP-based systems, and 33345 in IPX-based systems), and roaming clients (UDP port 1056).

www.syngress.com

537

538

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

Troubleshooting Servers ; You must have a primary NAVCE server. If, for some reason, all servers

think they are secondary servers, take the necessary steps to promote one.

; Clients and servers can easily begin to ignore each other if the keepalive

packet values are not properly set for your particular environment.To ensure that clients remain in the SSC, take the necessary steps to change the keepalive packet value. Also, if communication problems persist, you may have to choose a preferred protocol on your NAVCE servers and export the updated grc.dat files to clients.

; When working with 16- and 32-bit clients, make sure that you

understand that if you combine these clients, only the 16-bit options will be available to you. Finally, remain aware of various bugs and issues that can surface from time to time (for example, the SMB Signing bug). Be prepared to install and configure updates for both NAVCE servers and clients, as well as operating systems.

Troubleshooting Client PCs ; When troubleshooting a client’s inability to function, don’t forget to

verify the integrity of the hard drive. Virus applications can be a bit finicky about the state of a hard drive. Use applications such as chkisk, sfc, and defrag to verify and (if necessary) remediate the integrity of the hard drive.

; In some cases, vptray runs too early in the login process, and can cause

problems with printing and other services, as well as applications.To resolve such problems, edit the Registry and remove the reference that has vptray run too quickly. Replace it with a shortcut in the Start menu.

; NAVCE should be used carefully. In many systems, you will have to

exclude certain files and folders from scanning. For example, Windows Me’s System Restore feature stores files and folders in the _Restore\Temp and _Restore\Archive folders. NAVCE can mistake these files and folders for viruses. Also, NAVCE has been known to cause problems in services and applications such as Microsoft Exchange and Outlook Express, because it finds a virus and quarantines or deletes

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

a resource that winds up being an essential service or application resource (for example, a log file or the Outlook Express Inbox).

Troubleshooting Roaming Client Support ; The Navroam client requires that you use a host name for a particular

client or server, not an FQDN.

; When troubleshooting clients, first verify that the SAVRoam.exe process

is running.This application is responsible for processing Registry entries and network information so it can find the nearest NAVCE server.

; If you have problems getting a server to import a server list file of

roaming servers, check the size of the server list file. If this file is larger than 512 bytes, your system will fail to process it. Even if the file approaches this size limit, you may encounter problems. Pare down the list as much as possible and attempt another import.

Addressing Performance Issues ; Make sure you achieve a balance between excluding resources and

protecting your system. Excluding certain resources can greatly reduce NAVCE’s impact on system performance during scans. However, excluding too many resources can expose your system to unnecessary risk.

; Consider installing more RAM if you encounter a performance issue.

Additional RAM will help reduce page faults, and it will also help reduce the impact of manual and automatic scans. If you cannot install more RAM, consider disabling unnecessary services running on the system.

; When tracking performance issues on Windows NT/2000/XP, use the

Performance snap-in (Performance Monitor in Windows NT). Counters to consider include: % Processor time (from the Processor object), Disk Read Bytes/sec and Disk Write Bytes/sec (from the PhysicalDisk object), and % Processor time, Handle count, and Pool Nonpaged Bytes (from the Process object).

www.syngress.com

539

540

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

Accessing Information Databases ; Before contacting customer support, see if you can discover the problem

yourself. Go to Symantec’s Home page and conduct searches using Symantec’s Knowledge Base.

; Do not limit yourself to Symantec’s Web site, though it is full of good

information. Conduct additional searches on sites such as Google and Altavista.

; When conducting searches, use delimiters (for example, the minus (-)

sign), as well as Boolean commands (for example, “and,” “not,” and “or”).

Frequently Asked Questions The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: NAVCE seems to be quite slow. It also will not create a rescue disk. What can I do?

A: Verify the integrity of your disk. Run the following commands or processes to help determine the nature of the problem: ■

sfc /scannow (scans for corrupted system files)



chkdsk /f



You should also run defrag

Q: How can I make clients check in more often to the SSC? Clients keep disappearing from the console.

A: Use the SSC to open the Virus Definition Manager, then select Update Virus Definitions from Parent Server,” then in the Settings section, select the Set Client Configuration from Parent Server option. Next, go to the Update Settings window and increase the amount of times that clients send keepalive packets.These settings will enable your clients to stop disap-

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

pearing from the SSC console.To make sure that the client is updated, have the client import the server’s latest grc.dat file.

Q: What tools are available to me if I wish to verify the rate that NAVCE clients are checking in with NAVCE servers?

A: You have several options, including: ■

Opening the NAVCE client interface and then confirming that the value in the Parent Server field is the NAVCE server you expect.This check will work, of course, only if you have recently changed the server.



Take the grc.dat file from the NAVCE parent server and have the NAVCE client import it.The client will then have new, updated information about the parent.



Copy the grc.dat file from the parent server to the client. Doing so will update the client concerning the NAVCE parent.



You can use the debugon.reg file on the client. Import this file and check for messages, as discussed earlier in this chapter.You can also import this file on the server.

Q: I can’t seem to get LiveUpdate to run. I have a fresh installation, but the problem continues.

A: The problem is that you have an older version of LiveUpdate. Go to the following FTP site to obtain the latest version of LiveUpdate: ftp://ftp.symantec.com/public/. If, for example, you reside in the United States or Canada, you would go to the following location: ftp://ftp.symantec.com/public/english_us_canada/liveupdate/updates/lusetup. exe. If you were in Russia, for example, you would go to ftp://ftp.symantec.com/public/russian/liveupdate/.

Q: I have a Novell system running NAVCE. What commands do I issue to start debugging mode for NAVCE from my NetWare console?

A: First, unload NAVCE by pressing Alt+F10.Then, issue the following command to have all NAVCE debug information sent to both a window on your screen, as well as to a file named SYS:NAV\vpdebug.log: load vpstart /debug=L

www.syngress.com

541

542

Chapter 11 • Troubleshooting Your NAVCE 7.6 Environment

To stop debug output, press Alt+F10 again.You can read the log file using any text editor.

Q: I am experiencing problems with opening files in Microsoft Office applications (for example, Word and Excel). I can open the files eventually, but it takes at least 30 seconds for a simple, relatively small file (100KB) to open. I am using a 3GHz system, so I know it’s not a performance issue. I have seen this problem on several systems with NAVCE installed. I am using Windows XP, Service Pack 1.

A: The problem could be either with the NAVCE Office plug-in, or with your system, which is running Service Pack 1 and is thus susceptible to the SMB Signing bug. Disabling the plug-in will resolve the problem, but will also reduce the overall security of your system. Go to the Symantec Web site (www.symantec.com) and obtain the latest fix for the plug-in. Also, Microsoft has confirmed that Microsoft systems open Office documents more slowly due to the SMB Signing bug.They have, however, provided a solution for this problem. Go to the Microsoft Web site and search for Knowledge Base article number 810907. As of this writing, the hotfix for the SMB signing bug is available at http://support.microsoft.com/default.aspx?scid=kb%3benus%3b810907. Once you install this hotfix, you should then be able to open files quickly.You may want to first disable the plug-in, install the hotfix, then test how quickly documents open.You can then enable the plug-in after upgrading it to see if the upgrade has worked.

Q: I have had a similar problem, but on several clients that are not Windows XP. A: Go to KnowledgeBase article 313519 on the Microsoft Web site (www.microsoft.com) and follow the instructions. Once you make the suggested changes on your domain controller, issue the following command: secedit /refreshpolicy machine_policy /enforce

Then, reboot your system to verify the problem is solved.

Q: I am using WINS as a name resolution method. I wish to switch over to use DNS to prepare for my NAVCE implementation, as well as Microsoft Active Directory. What steps should I take to make this migration as simple as possible?

www.syngress.com

Troubleshooting Your NAVCE 7.6 Environment • Chapter 11

A: This question is about how to transition from WINS to DNS in such a way as to avoid downtime for your business. It is almost essential that you use DNS for your name resolution before you deploy NAVCE. Before you touch your WINS resolution on the network, first create a test network for your DNS system. Configure a new DNS scheme on this isolated network. Create both forward and reverse zones.Then, conduct extensive tests on your DNS structure using troubleshooting tools (for example, nslookup). Once you are sure that DNS is working well, deploy your DNS server in a production environment.To make the transition easy, you may want to use both WINS and DNS for a while, then slowly transition all clients to DNS.This transition may take several days or weeks, depending upon the size of your company. Once you are sure that DNS is working properly by checking all client and server log files in regards to DNS, you can then tombstone your WINS servers and make all systems dedicated DNS clients. Use Active Directory implementation to make sure this scheme is working properly. Only once you are sure that DNS is working properly should you then begin your NAVCE implementation. As far as Microsoft Active Directory is concerned, you may want to configure all systems to participate in Active Directory before transitioning to NAVCE. Because DNS and directory services are foundational network elements, you should try to make sure that these are all functioning properly before adding a centralized virus management scheme such as NAVCE.

Q: I try to install NAVCE 7.6, but I can’t continue the installation. I also receive an error with the code of 2355. I am in a managed environment. What can I do to solve this problem?

A: You are trying to install an unmanaged client in a managed environment. Run the installation again from the local hard disk, or from your CD drive. If you install from a CD, select only the following option: Install to local workstation.Then, choose managed in the Install Type dialog box. Doing so ensures that the system searches for the NAVCE server.

www.syngress.com

543

Chapter 12

Scanning for Viruses and Handling Virus Outbreaks

Solutions in this chapter: ■

Virus Scanning Methods



Configuring Computer Virus Scans



Analyzing Results of Virus Scans



Understanding Outbreaks

; Summary

; Solutions Fast Track

; Frequently Asked Questions

545

546

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

Introduction In this chapter, we get to the meat and potatoes of Norton Antivirus Corporate Edition (NAVCE): namely, performing virus scans and responding to virus outbreaks on your network. In previous chapters, we covered the steps necessary to plan, install, and configure a NAVCE server installation, including the Symantec System Center (SSC) management console, as well as the Alert Management Server2 (AMS2) utility. Now we’ll see how to put that configuration to use in protecting a corporate LAN/WAN configuration. NAVCE offers several different methods to scan computers for virus infections.The foundation of Symantec’s virus protection scheme is real-time scanning, in which files are examined each time they are accessed or modified by the user or operating system. Administrators can augment this continuous protection with regular scans of servers and clients.The SSC utility allows for great flexibility in creating a scanning schedule that meets the needs of your users and clients while not sacrificing network and hardware performance. Manual scans provide a means to quickly scan a small number of client or server computers, either as a troubleshooting step or in response to a virus alert from AMS2. And for the continued protection of 16-bit client operating systems, Symantec offers logon scanning for DOS and Windows 3.x. We’re going to take a good look at the technology involved in Symantec’s Bloodhound Heuristics, a kind of smart sniffer (hence the name) that attempts to flag virus-infected files for which the corresponding signature files perhaps haven’t even been created yet. We’ll also talk about the growing exposures being created by the evolving world of Instant Messaging technologies, as well as look at hardware and bandwidth performance considerations for running the various NAVCE functions across your LAN/WAN without affecting the performance of your clients and users. There’s a saying about the best-laid plans of mice and men often going astray, and the world of virus protection is no different. No matter how well you plan and maintain the virus protection on your network, sooner or later you will most likely have an outbreak to contend with. As such, we conclude this chapter with a discussion of managing virus outbreaks, both from the standpoint of the Symantec technologies available to address these situations, but also from a more overall real-world perspective where things like customer service and user communication simply cannot collapse.

www.syngress.com

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12

Virus Scanning Methods NAVCE offers several different options for scanning the servers and clients on your network. Many configuration options are common to all types of scans within NAVCE, so we’ll concentrate on those features that are unique to each scan type. In the coming pages, we will discuss the following types of virus scans: ■

Real-time scans Used for continuous monitoring and protection.



Scheduled scans Centralized management and convenience for full and partial scans.



Manual scans A quick, on-the-fly method of scanning a small subset of your network, this can also be focused to scan a single PC.



Logon scans Provides backwards-compatible virus protection for DOS and Windows 3.x 16-bit clients.

Real-Time Scans Real-time scans are perhaps the most useful feature ever developed for antivirus software.This scan inspects each and every file on a client hard drive or server share that is read from, or written to, a local or shared drive.You also have the option of scanning e-mail data on many 32-bit client platforms, particularly Microsoft Exchange or Lotus Notes.

Notes from the Underground… Performance Considerations for Norton Antivirus NAVCE is a software program like any other, and as such, demands a certain amount of CPU, memory, hard drive, and network bandwidth from the PCs it is installed on. As an administrator, you need to test all aspects of the NAVCE installation to ensure you are meeting your network’s virus protection needs without unduly affecting the performance of your client PCs. Here are a few specific items to keep in mind: ■

Real-time scanning While the demand placed on a client or server by real-time scanning is usually negligible, there are Continued

www.syngress.com

547

548

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

some server applications that merit additional testing. Specifically, some backup software applications use open file agents that can conflict with the way NAVCE handles real-time file scans. Before implementing NAVCE in your production environment, take a look at your server’s performance metrics while a backup is running. In Windows 2000, for example, you can view Processor: %Processor Time and System: Processor Queue Length within Microsoft’s Performance Monitor, as shown in Figure 12.1. The Microsoft Web site can provide more detailed information on performance baselines and monitoring.

Figure 12.1 Windows 2000 Performance Monitor



Network Performance Considerations Any time NAVCE must perform a scan or read information from a remote PC, the bandwidth of your LAN/WAN becomes a consideration. NAVCE functions extremely well in a LAN operating at 10/100/1000 Mbps, or remote WAN sites connected by a T1 line or better. If you have remote sites that are connected by lower speed ISDN or dial-up lines, consider locating a NAVCE server or server group at the remote site so that NAVCE traffic does not need to go across the WAN lines. (In addition to being slower, this may also prove more costly in situations where connectivity is charged by the amount of data transmitted.) You also need to be aware of the number of clients attaching to an individual NAVCE server. The NAV Continued

www.syngress.com

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12

documentation states that a single NAVCE server can comfortably handle up to 3000 clients on a 100-Mbps network without adverse performance reactions; however, your mileage may vary depending on your specific hardware configuration. Be prepared to scale your server hardware to meet the needs of the clients on your network. ■

CPU Utilization When configuring a manual or a scheduled scan, NAVCE allows you to “throttle down” the CPU Utilization. Just like any other performance-related settings, you must determine an acceptable trade-off between protection and user-friendliness: the lower you set the CPU Utilization, the longer a scan will take. In a well-connected (10/100-Mbps LAN, T1, or better WAN) network, I find that the default CPU Utilization is acceptable.

Scheduled Scans Along with the continuous protection offered by NAVCE’s real-time scanning, you can also scan your client and server hard drives on a regular basis (for example, running a full scan after you’ve downloaded new virus definitions). Using this feature, you can schedule full or partial virus scans during non-business hours so that user productivity will not be adversely affected. Similar to other types of NAVCE scans, you can configure scheduled scans to monitor an entire hard drive, or exclude certain files or file types as appropriate to your environment.

NOTE Any time you perform a virus scan, hard drive activity and network traffic are generated. Scheduling full virus scans for the wee hours of the morning allows you to strike a balance between performance and protection on your network. There’s really no hard-and-fast rule for how often to scan your PCs. I perform a scan of my entire network on a weekly basis, but you can schedule events more or less frequently as your network policies and comfort level dictates.

www.syngress.com

549

550

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

Manual Scans While real-time and scheduled antivirus scans are essential in maintaining ongoing virus protection for your entire network, manual scans are useful to quickly scan a small portion of your network, or even a single hard drive. Any number of circumstances might create a need for a manual virus scan, including: ■

Bringing a new computer online



Performing a scan as a step in troubleshooting a baffling PC problem



Seeing something out of the ordinary

In the following section, we’ll cover the necessary steps in configuring scans from the Symantec System Center server utility, as well as from the NAVCE client console.

Configuring Computer Virus Scans In this section, we’ll cover the specifics of configuring the various scanning options. First, we’ll launch manual scans from one or multiple workstations, and then enable scans for an entire server or server group. After that we’ll cover the configuration options for real-time and scheduled scans, for both clients and servers.

Configuring Manual Scans You can launch a manual scan in two ways: from the Symantec System Center (SSC) console, or from the local workstation. Either method will accomplish the same result.Therefore, you should select the method that best suits your needs in a given situation.Typically, launching scans from the SSC is the method of choice for scanning multiple clients simultaneously, or to scan a single PC from a remote location. Conversely, launching scans from the client console is more useful when you’re already seated in front of the workstation in question.

Configuring Manual Scans from Symantec System Center To begin a manual scan from the SSC for a single workstation, start by opening the management console. (Typically, this can be done by selecting Start | Programs | Symantec System Center | Symantec System Center Console, though your specific configuration may vary.) www.syngress.com

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12

Expand the appropriate server group, then right-click the workstation you want to scan. Navigate the pop-up menu to All Tasks | Norton Anti-Virus | Start Manual Scan, as shown in Figure 12.2. Figure 12.2 Launching a Manual Virus Scan

From here, select the drive(s) or directories you want to scan, and launch a scan using the default scanning options. However, you also have the option of customizing your scanning process, for additional control over the NAVCE scan, click the Options button.This will take you to the screen shown in Figure 12.3. Figure 12.3 Configuring Scanning Options

The main Options menu allows you to: ■

Specify the action NAVCE should take upon encountering an infected file



Display a message on the target computer if the scan encounters an infected file



Scan only specific file types or extensions



Exclude specific files or folders from the scan



Regulate the CPU utilization that the scan will use.

The final option is especially useful if you need to perform scans during the business day and want to keep user disruption to a minimum, this is also useful if www.syngress.com

551

552

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

your network is supporting older hardware configurations and bandwidth is a precious commodity.This option is discussed more fully in the “Performance Considerations for Norton Antivirus” section later in this chapter. By default, NAVCE will first attempt to clean any virus-infected file it encounters, and then send the file into the Quarantine directory on the local hard drive if the file cannot be cleaned (see Figure 12.4). Once an infected file is moved to Quarantine, it cannot be accessed or executed by any user until an administrator cleans the file and moves it back to its original location (see Figure 12.5). However, if the infected file cannot be repaired, the administrator has the option to delete the file, or return it to the operating system without repair (not recommended).This topic is covered in more detail in the section, “Responding to Computer Virus Outbreaks,” later in the chapter. Figure 12.4 Choosing What Action the Scanner Will Take

Figure 12.5 Selecting the Action for Quarantined Files

If you wish, you can also alter the default behavior of NAVCE for Macro and Non-Macro viruses.The primary and secondary actions can: ■

Attempt to clean the file



Move the file to quarantine



Delete the file entirely



Leave the file alone

www.syngress.com

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12

In most cases, if you’re able to replace the infected file with a virus-free copy, you will want to select Delete as the desired action. Selecting No action provides you with complete control over how virus-infected files are handled, as you will need to address each infection individually.

NOTE Clean is only available as a primary action. If the clean process fails on the first try, NAVCE will not attempt it again.

If NAVCE encounters a virus, you can immediately alert the user to the situation by displaying a pop-up window on the client computer, similar to that shown in Figure 12.6. Place a check mark next to Display message on infected computer in the Scan Options window to display a default message that will include the file location, virus name, and action taken.This topic will be covered in greater detail in the section, “Displaying Notification Messages to End Users,” later in this chapter. Figure 12.6 Displaying a Message on the Client Computer

By default, NAVCE scans all file types during a manual scan.The Selected Extensions window (shown in Figure 12.7) allows you to exclude specific file extensions from the scanning process. Simply enter the file extension you want the scan to ignore and click Add.You can also load all file extensions associated with document files (DOC, XLS, PPT, and so forth) and/or program files (COM, EXE, BAT, and so on) en masse. Click OK to return to the main Scan Options window. If you choose to restrict scans based on file extension,Table 12.1 shows the minimum file extensions that Symantec recommends scanning:

www.syngress.com

553

554

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

Figure 12.7 Configuring Scanning Exclusions Based on File Extensions

Table 12.1 Common File Extensions Extension Description

Extension Description

386

Driver

ACM

ACV

Driver; audio compression/ decompression manager AX file Batch Java Class Applet Control Panel (MS Windows) MS Word Document Dynamic Link Library

ADT

Driver; audio compression manager ADT file; fax

BAT BIN COM CSG

Batch file Binary file Executable Corel Script

DOT PPS

MS Word Template MS PowerPoint Viewer

AX BTM CLA CPL DOC DLL file PPT

SH SHS SYS VBS VSS VXD WSH

Rich Text Format document SCR

Shell Script (*nix) Shell scrap file Device driver VBScript Visio Virtual Device Driver Windows Script Host Settings File

www.syngress.com

SHB SMM VBE VSD VST WSF XLS

Fax/screensaver/snapshot; script for Faxview/MS Windows Corel Show Background Amipro VESA BIOS (core function) Visio Visio Windows Script File Microsoft Excel Document

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12

WARNING When manually adding file extensions, be careful not to use the leading “.” Otherwise, NAVCE will produce the error in Figure 12.8.

Figure 12.8 File Extension Error Message

We have also included this error message because of a useful piece of information, as you can see, you can use the ‘?’ or ‘*’ wildcards when adding file extensions to the exclusion list.

The Advanced button in the Scan Options window (shown in Figure 12.9) also provides more granular control over manual scan options. NAVCE’s default behavior expands all compressed files (.ZIP, .TAR, and so forth) and then scans its contents. If a file has a compressed file contained within a compressed file, NAVCE will expand the sublevels of compressed files up to three levels deep. To change this setting, either enter a new number in the Expand XXX levels deep window or use the arrow buttons to the right of the setting.You can also specify whether or not NAVCE will back up a file before it attempts to repair it. Figure 12.9 Setting Advanced Scanning Options

NOTE You might want to disable this option in order to conserve disk space, or if the file is so large that the process of backing it up places too much of a drain on the computer’s hardware resources. www.syngress.com

555

556

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

WARNING If you’re running in a Novell environment, NetWare will extract each file contained within a compressed archive, copy it to the SYS: volume, and perform the scan from there. As such, your SYS: volume must have enough free space available to accommodate the largest Zip files on your network.

Once satisfied with the scanning options you’ve selected, click OK until you get back to the first screen (this is the Select Items window), then click Start to begin the manual scan. If you want to retain any custom settings for future manual scans, click Save Settings before beginning the scan. Any future manual scans will reflect the changes you’ve made as the new default scanning options.

Configuring Manual Scans from the Client There may be times where you want to launch a virus scan from an end-user’s workstation instead of the SSC console, most commonly when you are troubleshooting a client PC.Though your specific configuration may vary, your first step will be to open the NAVCE client window through Start | Programs | Norton Antivirus Corporate Edition | Norton Antivirus Corporate Edition.This opens the window shown in Figure 12.10. From here, select the drive(s) and folder(s) you want to check, and then click the Scan button to continue. Figure 12.10 Launching a Scan from the Local Workstation

www.syngress.com

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12

NOTE In a managed environment, you should not rely on launching manual scans from the client console. The SSC console allows for a much greater degree of centralized control over configuration and scanning options for the whole of your network.

Symantec Bloodhound Heuristics As IT professionals, it seems as though we hear about new virus outbreaks every week, if not on a daily basis. One of the greatest challenges faced by antivirus software developers is this struggle to keep up with the continuous barrage of viral threats.To respond to this challenge, Symantec has developed a heuristic method of detecting new and emerging virus threats. For those of you who are not familiar with the term, heuristics attempt to proactively identify new and emerging viruses and virus-like behaviors using a “best guess” method. In March of 2002, Symantec Corporation announced that it had been granted a patent (U.S. Patent #6,357,008) for its Bloodhound Heuristics technology. (You can find the full news release at www.symantec.com/press/2002/ n020320.html.) This technology is packaged in all Symantec AntiVirus products, including the server, desktop, and gateway solutions. For information on how to configure heuristic options, refer to the “Configuring Real-Time Scans” section later in this chapter.

Designing & Planning… Understanding Symantec Bloodhound Heuristics Computer science academic types will typically explain the mathematics behind the “best guess” with the analogy of a traveling salesman. Let’s assume a traveling shoe salesman “Henry” needs to plan his latest itinerary. Henry has sales appointments in Seattle, Boston, Houston, Moscow, and Berlin; however, Henry would like to minimize the amount of time he spends on a plane. In this scenario, it seems fairly obvious Continued

www.syngress.com

557

558

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

that Henry’s route should take him from Seattle to Houston, then to Boston, then across the Atlantic to Berlin before finishing up in Moscow. Seems pretty simple, right? You wouldn’t send poor Henry from Seattle to Berlin and then back to Houston, as the time he spent in the air would be far greater than necessary. But what if Henry has 500 cities to visit instead of just five? At this point, arriving at the most efficient route becomes a much more complicated matter. We could list the various mileages between the 500 different cities and mathematically determine the single most efficient route …but then Henry wouldn’t be receiving his completed travel plans for several months. (For the next time you want to win a geek trivia game, this method is called an algorithm.) So, how does Henry make a decision with a not-unreasonable amount of time and effort? That’s where the “best guess” of heuristics comes into play. Heuristics makes certain assumptions and takes special logical shortcuts to arrive at a nearly optimal solution—with much greater speed than the painstaking alternative of using complicated algorithms. Why the long-winded excursion into the wonderful world of computer science mathematics? Because the challenges presented in antivirus detection are remarkably similar to Harry’s plight. Quite simply, there is no reasonable way to believe that an antivirus software package will be able to detect every single virus that has ever been encountered, along with every new threat that comes across the Internet, without ever making a mistake. Heuristic virus detection in general, and Symantec’s Bloodhound Heuristics in particular, is an attempt to balance speed against accuracy, and security against usability. Rather than relying solely on an exhaustive and cumbersome database of virus definitions, Symantec Bloodhound Heuristics detects viruses by analyzing the structure and behavior of scanned files, searching for various patterns of “virus-like” behavior. For example, a file called PUNKY.VBS that issues a command to “DELTREE C:\*.*” might be something that a user wished to launch intentionally, but in reality the odds are fairly good that such a file is, in fact, a virus. Bloodhound would flag such a file as a virus, even if the latest virus definition files did not include an entry for anything resembling a “PUNKY Virus.”

Symantec Striker Another formidable difficulty facing antivirus software developers is the polymorphic virus. A simple computer virus replicates an exact copy of itself as it travels

www.syngress.com

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12

throughout a LAN or e-mail system.This process, while troublesome, becomes relatively simple to correct. Once the right definition is created, the definition will stop the virus dead in its tracks. On the other hand, polymorphic viruses are specifically designed to evade detection by changing (or morphing) their signature as they replicate themselves from machine to machine.To combat this, Symantec has developed its Striker technology that uses detection schemes specific to each polymorphic virus, rather than a generic set of rules that could otherwise overlook this new breed of threat. Another wonderful feature of Symantec Striker is that is does not require any additional purchase, configuration, or upkeep. Symantec Striker has been included by default in all Symantec products since Norton AntiVirus 2.0.

Configuring Real-Time Scans Real-time scanning is enabled by default in Norton AntiVirus Corporate Edition; however, you do have some flexibility in configuring how these scans are performed.There are two separate configuration pages for real-time scanning: one for servers, and one for clients. Both of these configuration pages can be accessed from the server or server group level by selecting All Tasks | Norton AntiVirus | Server Realtime Protection Options or Client Realtime Protection Options. (The Client Options page can also be accessed by right-clicking an individual workstation if you need a different configuration for a small subset of client PCs.) The major difference between the client and server configuration sheets is that the client page includes a separate tab for configuring e-mail protection, which we discuss later in this chapter. For now, let’s start by looking at the configuration page for real-time scanning of file systems.

File Systems Most of the options in Figure 12.11 should look familiar by this point, and are configured similar to options shown in previous sections.The key here, obviously, is the check mark, enabling file-system real-time protection, as well as the check boxes under Drive types.These check boxes enable real-time scanning of CDROMs, floppies, and shared network drives. (CD-ROM is not selected by default, but as you can see, my NAVCE configurations lend new meaning to the word thorough.)

www.syngress.com

559

560

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

Figure 12.11 Configuring Real-Time Protection for File Systems

Configuring & Implementing… File Caching with Real-Time Scanning NAVCE uses a file-caching mechanism for real-time scanning of most Windows-based PCs (95/98/NT/2000/ME/XP). While the real-time scan is running, NAVCE maintains a running list of files it has scanned and therefore assumes to be infection-free. Once a file is added to this cache, it is not scanned again until the file is modified, the computer reboots, new antivirus definitions are downloaded, or real-time protection options change. This feature allows real-time scanning to take place without unduly affecting client performance.

In Figure 12.11, clicking the Advanced button, which is located next to the Enable file system realtime protection option, will take you to the screen shown in Figure 12.12.

Advanced Options: Heuristics The first choice here is to determine whether to scan files every time they are accessed and modified, or to only scan modified files. Scanning only modified files results in faster performance because fewer files are being scanned. However, this performance break comes at a price, as some files will not be scanned while using this option. Personally, we recommend selecting the Accessed and Modified www.syngress.com

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12

option in all but the most extreme circumstances, as the performance impact is minimal in comparison to the full level of virus protection that it provides. Figure 12.12 Advanced Options for Real-Time File Scanning

Under the Additional Advanced Options section of this window, you will be able to configure settings for Bloodhound Heuristics, as well as NAVCE’s behavior for scanning floppy disks and monitoring “virus-like behavior.”The Heuristics button will take you to the screen shown in Figure 12.13. Figure 12.13 Heuristics Configuration Options

From here you can either enable or disable the Bloodhound feature entirely, or select one of three levels of protection, each increasingly strict in their level of heuristic monitoring. ■

Minimum level of protection This requires the least amount of processor and memory overhead, but you run the risk of NAVCE overlooking some potential threats.You can globally modify Heuristic sensitivity to this level if you are experiencing performance issues with the default settings.



Default level of protection This provides a balance between protection and performance (and is the sensitivity level that we recommend for most network installations).



Maximum level of protection This offers the most thorough heuristic scanning, but with an associated increase in processing overhead. www.syngress.com

561

562

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

If you are in the midst of a virus outbreak, or if a client PC is exhibiting strange behaviors that you cannot otherwise account for, we recommend you temporarily enable the maximum sensitivity level at the server and server group level, or for one or more individual clients.

NOTE Unusual behavior or system problems can have many causes; an infection by a malevolent program is just one of them. If you suspect a PC of being infected with a virus, worm, or Trojan, you can temporarily set the Heuristic scanning level to “Maximum Level of Protection.” While this will obviously have an impact on the computer’s performance, it may flag a virus-infected file for which you haven’t yet received the most recent NAV definitions.

Advanced Options: Floppies The Floppies screen will allow you to set the following options: ■

Check floppies for boot viruses upon access Select this to have NAVCE scan the boot record of any disk inserted into a floppy drive. If you choose this option—and we highly recommend you do—you will need to specify whether NAVCE should clean an infected boot record, or leave it alone. (Boot records cannot be deleted or quarantined, as they are necessary for the disk itself to function.)



Do not check floppies upon system shutdown If you want NAVCE to skip scanning the floppy drive when the computer is powered off normally, place a check mark next to this option.

Advanced Options: Monitor Finally, the Monitor screen provides granular control over the way NAVCE reacts to “virus-like behaviors.” What does that mean, exactly? Virus-like activities are operating system commands that viruses will often perform when attempting to infect a client or server.

www.syngress.com

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12

WARNING Monitor options only apply to Windows 9x clients; these settings have no effect on Windows NT, 2000, or XP systems where all virus-like activities are monitored by default.

NAVCE monitors the following actions by default: ■

Low-level hard drive format During a low-level format, all hard drive information is lost—information which is usually unrecoverable. Obviously, this is a high-risk operation that most users (including you) would not perform on anything resembling a regular basis. Unless you disable monitoring for this action (which is unadvisable), NAVCE will either automatically allow (not our personal recommendation), automatically disallow, or prompt the user for confirmation of the format.



Write to hard drive/floppy disk boot records Few programs (a notable exception being the operating system Format command) typically write to the boot sector of a floppy, and even fewer do so to the hard drive. Just like the low-level format monitoring, NAVCE will allow the write operation, disallow it, or prompt the user to confirm.

NOTE If you’re looking to save a few pennies by reformatting all those old floppy disks lying around your office, temporarily disable this feature or NAV will alert you on every format. (Just remember to turn it back on when you’re done!)

Messaging Systems The other configuration options available in real-time scanning are specific to Messaging Systems. NAVCE’s real-time scans can monitor and inspect e-mail messages for the following e-mail clients: ■

Lotus Notes versions 4.5x, 4.5, 5.0



Microsoft Exchange clients for versions 5.0 and 5.5 www.syngress.com

563

564

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks ■

Microsoft Outlook 97/98/2000 (NAVCE can only provide e-mail monitoring for Outlook 98 if it is using MAPI settings, not Internet Mail)

NOTE Even if you don’t use one of the e-mail clients previously listed, real-time scanning will often check file attachments when you double-click them, just as most mailers will save an attachment to a temporary directory on your local hard drive before opening it—assuming you’ve configured your scanning options to scan files every time they’re accessed and modified. In order to perform scans of remote e-mail data, a separate product needs to be used. Consult the Symantec Web site for an up-to-date list of mail server protection options.

Real-time scanning of messaging systems has many of the same configuration options as other NAVCE scans, in which you can customize the default and backup actions to be taken against virus-infected messages, specify which file types and extensions to scan, and configure warning messages to display on infected computers.You can also customize an additional warning message to notify the sender of the e-mail, and any other personnel you’d like to alert—for example, your security officer or mail administrator.

Notes from the Underground… Are You Sure that E-mail Came from the Person You Think It Did? Take a look at this e-mail that a friend of mine received a while ago. It arrived in their inbox in a very professional-looking HTML format: From: "eBay Announcement" Subject: Account Verification

Dear Ebay user,

Continued

www.syngress.com

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12

As part of our continuing commitment to protect your account and to reduce the instance of fraud on our website , we are undertaking a periodic review of our member accounts. You are requested to visit our site by following the link given below

http://www.ebay .com/verification

Please fill in the required information. [This is required for us to continue to offer you a safe and risk free environment to run your auctions, and maintain the Ebay Experience.

Thank you Accounts Management

First, you should note that the “required information” included Social Security and credit card information under the guise of billing verification. Many online sites state in their privacy policies that they will never ask for your personal information in this type of manner. That should have been the first tip that something rotten was going on. Next, take a really good look at that URL. As you can see, it appears to the average user to be a legitimate eBay link, when in actuality it redirects the browser to something far more sinister. I have to imagine that thousands of people fell for this scam before it was discovered and taken offline. While this message did not contain a virus, per se, it demonstrates the sort of behavior that you need to train your users and clients to be on the lookout for. Anything and everything that requires you to send your personal information via the Internet deserves a second look to ensure its legitimacy. Remember: The credit rating you save could be your own.

Locking Real-Time Scanning Options One particular “gotcha” when configuring real-time scanning options is: In order to make sure your installed clients are all using the scanning options you set up, lock those options within the SCC. If you do not lock an option you have changed, this change will not filter out to existing client installations, nor will it apply to any future installations. www.syngress.com

565

566

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

To lock real-time scanning options, right-click the appropriate server group and select All Tasks | Norton Antivirus | Server/Client Realtime Protection Options.Then simply click the padlock icons next to any options you have customized (Figure 12.14). Figure 12.14 Unlocked File Protection Options

When you’ve finished locking down all customized settings, click Reset All to propagate your changes out to all managed clients.

NOTE After you have locked the real-time scanning options, your client PCs will typically update themselves to reflect these changes either within 60 minutes, or when the client reboots.

Configuring Scheduled Scans for Servers Norton Antivirus will allow you to establish separate scanning schedules for your clients and servers. Since most companies’ servers are running 24/7, you can relegate server scans to the early morning hours when server usage will likely be smallest.This will minimize (if not entirely eliminate) any noticeable performance impact from the virus scan in the eyes of your users. As with manual scanning operations, scheduled scans can be established for individual servers or clients, or for an entire server group.

Scheduling Scans for Specific Servers To create a scheduled scan for specific server machines, right-click one or more servers (remember to hold down CTRL when selecting multiple machines at the same time), then navigate to All Tasks | Norton Antivirus | Scheduled Scans.This will take you to Figure 12.15. Notice the separate tabs for Server Scans and Client Scans, as they can be configured independently of each other. To begin creating a new scheduled scan, click New to go to the screen shown in Figure 12.16. Enter a descriptive name for the scan, and then set the time and frequency at which you want it to run.The Scan Settings button will www.syngress.com

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12

take you to the now-familiar screen where you configure file types to scan, assign actions and backup actions, set CPU usage, and so forth. Click OK to return to the main configuration page. Figure 12.15 Viewing All Scheduled Server Scans

Figure 12.16 Creating a New Scheduled Server Scan

The Advanced button in Figure 12.16 allows you to determine how to handle missed events—that is, what happens when a client or server is powered off or unavailable during a scheduled scan. By default, the scheduled scan will take place as soon as the unavailable PC is returned to service. Placing a check mark next to Handle Missed Events Within… will place a limit on that function—for example, only allowing a missed scan to run if the PC is returned to service within four days of the scheduled time of the original scan.

NOTE To run a scheduled scan on demand, simply select the appropriate item and click Start Scan. This will save you the effort of creating a manual scan with the same options as an existing scheduled one. www.syngress.com

567

568

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

Scheduling Scans for Server Groups To schedule scans for one or more server groups, right-click the System Hierarchy icon and select All Tasks | Norton AntiVirus | Scheduled Scans, then proceed as described in the previous heading. NAVCE will propagate the scheduled scan and any custom settings to all servers within the server group(s) you selected.

Configuring Scheduled Scans for Client PCs The steps for configuring scheduled scans on client workstations are largely identical to those for servers.Your largest area of flexibility lies in how far down the System Hierarchy you choose to configure the scan. We can configure client scans for an entire server or server group, or for a single client PC.This allows a great deal of granularity in controlling when, and how often, NAVCE performs client scans: you may create two separate schedules for PCs—one for the day shift, another for the night shift—or schedule more frequent scans for missioncritical client computers. ■

Scheduling Scans for Specific Client PCs To schedule a scan on an individual client PC, right-click the desired client and select All Tasks | Norton Antivirus | Scheduled Scans.



Scheduling Scans for Client PCs by Server Groups Scheduling a scan for all client PCs attached to a server group is nearly identical to the steps listed in scheduling for individual clients: right-click a server group or the System Hierarchy icon, then select All Tasks | Norton AntiVirus | Scheduled Scans. Select the Client Scans tab and follow the steps described in the section “Configuring Scheduled Scans for Servers.”

Configuring Logon Scans For those Windows 3.1x and DOS clients that may still be hiding in your arsenal, fear not, Symantec still has you covered. NAVCE includes a logon scan function for use with 16-bit clients.This feature scans the critical files of a 16-bit client during a login script run from a NetWare or Windows server. In this section, we’ll cover the steps in configuring a logon scan, and how to add the logon scan configuration to a login script within a typical Novell or Microsoft network. To begin configuring logon scanning, right-click a server or server group, then select All Tasks | Norton AntiVirus | Client Logon Scan and www.syngress.com

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12

Installation. Selecting the Login Scan tab allows you to set specific scanning options for your 16-bit clients using the screen shown in Figure 12.17. Figure 12.17 Configuring Login Scan Options

Your first choice is selecting which locations should be scanned when the user logs in.You can select any or all of the following: ■

Boot sector and partition table



Memory



All local drives (this will scan all hard drives, CD-ROMs, and floppy drives attached to the local workstation)

Scanning the first two items at login typically only takes a few seconds. Choosing to scan local drives at login obviously provides more thorough antivirus protection, but it can lengthen your users’ login time significantly, depending on the speed of the computer and the size of the local drives. Be sure to test these options thoroughly before implementing them on your live network: if anyone on your IT staff walks in the door at 7 A.M., they will be more than grateful. Your next step is to select which file types should be checked by the logon scan.You can choose to scan All Files and Compressed Files, such as .ZIP and .TAR.

www.syngress.com

569

570

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

WARNING The All Files option is actually somewhat deceiving. Selecting only the All Files option will NOT scan Compressed Archives unless you select it separately!

After you have configured logon scanning within the NAVCE console, you will need to assign a network logon script to the users on your NetWare or Windows NT/2000 network. While a full discussion of Novell and/or Microsoft network user administration is beyond the scope of this chapter—and indeed this book—we’ll go over some of the basic steps in doing so for both environments. Within NetWare, it’s as simple as adding the appropriate users to the NORTONANTIVIRUSUSER group that was created during the NAVCE server installation. In a Windows environment, follow the steps listed next. 1. Copy the VPLOGON.BAT and NBPSHPOP.EXE files from the ~\NAV\Logon directory into one of the following locations: ■

Windows NT Copy into the Repl$ share of each Primary Domain Controller (PDC) and Backup Domain Controller (BDC), typically found at C:\WINNT\System32\Repl\Import\Scripts.



Windows 2000 Copy into the Scripts share of all controllers, usually C:\WINNT\Sysvol\DomainName\Scripts.

2. Within User Manager (in Windows NT) or Active Directory Users and Computers (Windows 2000), assign the VPLOGON.BAT file (using the Profile tab shown next in 12.18) to each user whose computer you want scanned at logon. If you have an existing login script for your DOS and Windows 3.x clients, simply add the contents of VPLOGON.BAT to your existing script using a text editor.

NOTE Logon scans run the VSCAND.EXE executable on the client computer. If this is taking too long to run, enable disk caching using a utility like SMARTDRV.EXE in the AUTOEXEC.BAT file.

www.syngress.com

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12

Figure 12.18 Adding a Login Script in Windows 2000

Configuring Startup Scans Unlike the other scan types we’ve discussed in this chapter, startup scans are only configured from the NAVCE client console rather than the Symantec System Center. Startup scans are primarily intended for unmanaged clients that don’t connect to a NAVCE server on a regular basis.To configure a new startup scan, open the Norton Antivirus client console from the intended workstation and follow these steps: 1. Navigate to Startup Scans, then click New Startup Scan. 2. Enter a descriptive name for the scan, then click Next.You’ll see the screen in Figure 12.19. Figure 12.19 Configuring a Startup Scan

www.syngress.com

571

572

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

3. Select the drive letter(s) and directories you wish to scan on system startup. Remember that the more information you select, the longer the startup scan will take to run. 4. Use the Options button to configure file extensions to scan, CPU utilization, actions for NAVCE to take, and so on. (You should be quite familiar with this screen by now.) 5. Click Save to store the scan information to the client console. The scan you just created will now run whenever you restart your computer. You can return to the client window to manually run, edit, or delete the startup scan at a later point.

Configuring Custom Scans Custom scans are quite similar to the previously described startup scans, in that they are configured from the client console and are primarily useful for nonmanaged NAVCE clients. Unlike startup scans, a custom scan will only run when it is manually launched using the Scan button.To configure a custom scan, follow the steps listed previously, beginning from the Custom Scans window.

Analyzing the Results of Computer Virus Scans NAVCE retains the results of all virus scans in log files stored in the primary NAVCE server Event Log of the primary server, which can then be viewed from the SSC console on the NAVCE server (on a NetWare server, this information is stored in the SYS: volume).These log files can be viewed using the SSC console as-is, or exported to text format for further manipulation and analysis. Correctly interpreting virus scan results is critical and can be useful in recognizing possible virus activity on your local network. To view a log of all virus events that have occurred within a specific server or server group, right-click the appropriate icon in the SSC console and select All Tasks | Logs | Virus History.You’ll see a screen similar to the one shown in Figure 12.20.The virus history screen provides you with the following information: ■

Date



Filename

www.syngress.com

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12 ■

Virus name



Virus type (File, Boot sector, Memory)



Action taken (Cleaned, Quarantined, Deleted, Left Alone)



Computer



User



Original location of the file



Current status of the file (Cleaned, Infected, Quarantined, Deleted)

Figure 12.20 Viewing a Server Virus History

You can either view this information directly from the Virus History window, or else export the information to a Comma Separated Value (CSV) file. This is especially useful if you wish to store your virus histories in a database like Microsoft Access or SQL or import them into a reporting tool such as Crystal Reports. Also, exporting the data to a CSV file is the only means of collecting data from multiple server groups into one location for viewing and reporting.To export Virus History information to a CSV file, open the Virus History screen on the desired server group (All Tasks | Logs | Virus History). Click the blue floppy-disk icon, then select a name and a location to save the file. The contents of the file (a sample of which is shown in Figure 12.21) can now be imported into any database or reporting tool.

Understanding Computer Virus Outbreaks Maintaining antivirus protection is similar to buying homeowner’s insurance—it’s not a question of if, but when, you’re going to need it.The race between software developer and virus-writer has been speeding along for years, and the pace shows www.syngress.com

573

574

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

no sign of slowing. In the following sections, we’ll go over the process of recognizing and taking action against virus activity on your network. Figure 12.21 Viewing Virus History after Exporting to CSV Format

Identifying Computer Virus Outbreaks Under most circumstances, the alerts provided by AMS2 will provide sufficient warning of any virus problems on your network. However, this becomes less effective in the case of new or polymorphic viruses that are not covered within the latest antivirus definitions. (Some viruses even go one step further by attempting to block access to the major antivirus Web sites, Symantec’s included, to prevent administrators from obtaining the appropriate virus signatures.) So, how do you recognize a virus if NAVCE doesn’t recognize the virus? Experience, instinct, and a good dose of common sense. If you notice severely degraded server performance, a sudden surge in network traffic, or a rash of unresponsive or malfunctioning PCs, you should begin to suspect virus or worm activity.

Responding to Computer Virus Outbreaks We’re fairly certain that most system administrators have encountered a situation similar to the antivirus commercials you see on television. Specifically, the one where the notoriously uneducated user stops the network administrator in the hallway and says “Hey, I just opened that e-mail virus like you told me not to.” The help desk switchboard lights are flickering like fireworks, response times across your network have dropped considerably, and your e-mail server has apparently decided to take off and not leave any forwarding information.The main

www.syngress.com

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12

receptionist is transferring calls to you left and right, the sales department is having a collective coronary, Bill from corporate finance keeps sticking his head into your office door asking if you’ve fixed the problem yet, and you’re just trying to get down the hall to the server room without being waylaid with more reports of an outage you’re already aware of. Relax, you’re not the first person this has happened to, and heaven knows you won’t be the last. It’s best to think of virus outbreaks in terms of three simple (yet infinitely important) concepts that we refer to as “The Three Cs.”The Three Cs of virus response are as follows: ■

Containment



Cleanup



Communication

Communicating the Outbreak “But wait,” you say. “You listed communication as the last of the Three Cs. Why are we talking about it first?” Despite our best efforts to effectively manage the technology under our purview, sometimes something out of our control takes place. And while you may be working furiously to correct the situation, you should never forget that you have an entire network of people—not just machines— who need to understand what is happening with the computer on their desktop.

Notes from the Underground… End-User Communication End-user communication can also help to alleviate virus outbreaks, or even prevent them before they start. A real-world example: I walked into work early one morning and was stopped en route to my office (by an even earlier riser than myself) with the following sentence. “Hey, Laura, I had about 15 messages in my Inbox this morning with ILOVEYOU as the subject line. It really didn’t look right to me, so I didn’t open any of them. Do you want to take a look?” Did I ever…a quick visit to Symantec’s Web site indicated that there was a new e-mail-borne virus Continued

www.syngress.com

575

576

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

making the rounds. It was a nasty bugger that had already brought several major corporations’ networks to a standstill, and an updated virus signature was not yet available. However, even without new antivirus definitions, it became clear that the virus was transmitting itself via a .VBS attachment. Twenty minutes of reconfiguring the mail server to reject .VBS attachments, and ILOVEYOU managed to sail right on past my network and users. But if I hadn’t been made aware of the problem, the situation could certainly have played out much differently. To take this story back a step, the early-morning ILOVEYOU recipient would not have known to alert me to anything out of the ordinary had I not provided end-user training on how to recognize potentially hazardous email attachments. I know we all think of “training” as a bunch of folks sitting in a classroom trying desperately not to doze off, but the training in this case was a simple e-mail memo. It doesn’t have to be anything grandiose: circulate a memo, hang a flyer by the coffee machine, whatever will get the message across.

Does your organization have any sort of disaster recovery procedure in place, or any parallel or spare systems you can bring online to keep your business functioning? If not, now would be a great time to start planning against a rainy day, because it will most certainly be simpler to generate such a plan before it starts “raining,” rather than in the midst of a computer-virus-induced typhoon. Make sure to involve all segments of your user base in developing these procedures, as the input you receive will be nothing short of invaluable.

Containing a Virus Outbreak Now that we’ve discussed the more customer-service oriented factors of handling a virus outbreak, let’s get down to the actual mechanics of getting your users and network services back online with a minimum of disruption and downtime.The first step in containing a virus outbreak is to identify any and all virus-infected PCs on your network. Hopefully you’ve already configured the Alert Management Server (AMS2) to provide Windows Messaging, e-mail, and pager alerts of virus infections. (For specific information on how to configure the AMS2, please refer to Chapter 3.) In the following sections, we’ll discuss the use of NAVCE’s Virus Sweep function, as well as how to respond to a virus outbreak on your network.

www.syngress.com

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12

NOTE Check the Symantec corporate home page for any updated virus definitions that you may have missed before proceeding. Especially in the case of widespread virus activity, Symantec may release multiple definition files in a single day; for your own peace of mind, never simply assume that you’re using the latest definitions available to you.

Using Virus Sweeps If AMS2 reports several client computers on your network with virus infections, you’ll be quite thankful for NAVCE’s Virus Sweep function. Using the SSC console, you can quickly launch a virus sweep of your entire system, a server group, or all client computers connecting to a single server. With a single click from the SSC console, you will know within minutes which of your client and server PCs are virus-infected. (Virus sweeps have the additional advantage of being a type of scan that cannot be cancelled by the end user.) To launch a virus sweep of your entire system, open the SSC console window. Right-click System Hierarchy, then select All Tasks | Norton Antivirus | Start Virus Sweep.To sweep a specific server or server group, right-click the appropriate item within the System Hierarchy and follow the same steps, as shown in Figure 12.22. Figure 12.22 Launching a Virus Sweep of a Server Group

Using the SSC console, you can view the results of a virus sweep by selecting All Tasks | Logs | View Virus Sweep History from the appropriate server or server group. See the window shown in Figure 12.23. www.syngress.com

577

578

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

Figure 12.23 Viewing Virus Sweep History

WARNING Depending on the size of your LAN/WAN, a virus sweep can cause considerable network traffic. Also important to remember is that once started, a sweep cannot be cancelled. If the situation is not an emergency, make sure you take these performance considerations into account before you launch a virus sweep of your network.

From Figure 12.23, you can do the following: ■

Start a new virus sweep



View the results of a prior sweep



Delete the results of a sweep

Select the virus sweep whose results you want to see, then click View Results.You’ll see the date and time that the scan finished on each PC (this field will be blank if the scan is still in progress), the total number of files scanned and the total number infected, as shown in Figure 12.24.You can click the floppydisk icon to export the scan results to a text file for archiving or reporting. Figure 12.24 Viewing the Results of a Virus Sweep

www.syngress.com

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12

NOTE If a workstation is turned off when you launch the virus sweep, the scan will begin the next time the PC is turned on.

Once you’ve determined which of your PCs have become virus-infected, you’ll need to decide what action to take in order to clean the various machines. If at all feasible, we highly recommend disconnecting the infected PCs from your LAN until the virus infection can be removed, since allowing these machines continued network and Internet access will only serve to further propagate the virus to your network and those of others.This is especially the case with worms like Code Red and Nimda, where an infected machine will actively seek out (port scan) other vulnerable machines to infect. In certain extreme cases where the virus infestation has spread beyond a manageable point, you may wish to disconnect your company’s Internet connection and/or the inbound Simple Mail Transfer Protocol (SMTP) traffic to your e-mail server.This will provide the ultimate “quarantined” environment to prevent further virus infections while you work to restore order to your network.

NOTE Here are two useful definitions to be familiar with when dealing with virus outbreaks: ■

Simple Mail Transfer Protocol (SMTP) This protocol is designed to do exactly what it sounds like: provide for the timely and efficient delivery of electronic mail. SMTP transfers messages between clients and servers, as well as between servers, but it does not concern itself with the specifics of client mailboxes or downloading of messages. The SMTP protocol is fully defined by Request for Comment (RFC) 821, available from the Internet Engineering Task Force homepage at www.ietf.org.



Port Scan A process of connecting to TCP and UDP ports on a given system to determine which services are running. While this is not an attack, per se, port scanning is the first step in determining what operating system and software applications are in use on a target system, enabling the attacker to formulate an effective plan of attack. Viruses such as Nimda use port scans to discover other machines that are vulnerable to infection. www.syngress.com

579

580

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

Cleaning up a Virus Outbreak Once you have identified the infected PCs on your network, the next step is to restore the compromised machines to a working (and virus-free) state.You will need to decide on a case-by-case basis how best to address virus infections. Some can be fixed with simple file quarantining and deletion, while more insidious infections can require measures as extreme as reformatting and reinstalling a workstation from scratch. In this section, we’ll discuss several tools that NAVCE offers to accomplish this task, including the Alert Management Server, Built-in Notifications and viewable virus histories, as well as other options available from the Symantec Web site.

Understanding Alert Management Server2 Alert Management Server2 (AMS2) is a separate snap-in that can be installed for use with the SSC Console.This snap-in alerts an on-call administrator to a virus problem via pager, e-mail, an so forth. (Configuration of AMS2 is covered extensively in Chapter 3.) The Alert Management Server should act as your first line of defense in detecting a virus outbreak.

Using Built-in Notifications NAVCE also offers two notification methods that can operate in place of, or in addition to, AMS2; the Alert Management Server does not necessarily need to be installed in order for these notifications to run.These alert methods are as follows: ■

Customizable message boxes that can be displayed in an e-mail message or on the infected computer’s desktop



Virus histories maintain a log of all virus activity found whenever NAVCE performs any type of antivirus scan

Displaying Notification Messages to End Users When configuring a manual, scheduled, or real-time scan, you can use the Message button to display a pop-up window that immediately alerts the user to the situation. Using the variables listed next, you can customize what is displayed to the user when NAVCE finds an infected file.The default warning uses both system variables and plain text, as shown in Figure 12.25. Items contained within brackets (such as [Logged by]) are variables, while anything entered outside of the brackets displays as-is.The full list of variables and their descriptions are explained in Table 12.2. www.syngress.com

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12

Figure 12.25 Displaying a Message on the Client Computer

Table 12.2 Understanding Symantec’s E-mail Notification Variables What You Enter

What Is Displayed

[ActionTaken]

Action taken on the infected file (Cleaned, Quarantined, Deleted, Left Alone) [Computer] NetBIOS or DNS workstation name of the target computer [DateFound] Date and time that the virus alert was generated [Event] Type of event: “Virus Found,” and so on [Location] Drive letter containing the infected file [Logged by] Type of scan that flagged the virus: real-time, manual, or scheduled [PathandFilename] Full directory path to the infected file [Status] Current state of the infected file (Infected, Not Infected, Deleted) [User] Network login name of the user logged in at the time the alert is generated [VirusName] Name of detected virus

Alternatively, you can simply display a generic message to your user without noting specific file information, similar to the one shown in Figure 12.26. Figure 12.26 Creating a New Message to Display on a Client Computer

NOTE The field containing NAVCE message information handles plain text only. You cannot include things like text formatting, embedded HTML, or MAILTO: links.

www.syngress.com

581

582

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

Using the Virus History Feature From any server group, right-click All Tasks | Logs | Virus History to view a detailed description of any recent virus activity on the clients and servers attached to that group.You can also select Scan History to view the results of the latest scheduled scan run against the server group, and Event History to view other information that may not specifically relate to a virus infection. (For example, the last time the antivirus service was restarted, or when the newest antivirus definitions were downloaded.) You can view any of these items in the following time frames: ■

Today



Past seven days



This month

Or you can view items within a very precise range, such as December 8th through the 29th. From here you will be able to take necessary actions against infected files.

Taking Actions Against Infected Files If NAVCE flags a file containing a virus that it was unable to repair, you can use the Virus History screen to take further actions against any infected files, particularly if you just downloaded a newer set of antivirus definitions. From the Virus History screen, right-click any listed file to perform any of the actions we’ve covered in this chapter, such as cleaning, deleting, or quarantining a file. (An example of this function is shown in the following section.) You can also undo whatever action NAVCE performed against the file.This is useful if you want to remove a file from quarantine so it can be repaired with newer virus definitions.

Recovering from Boot Sector Viruses If you suspect that a hard drive has become infected with a boot sector virus (for example, you are unable to start the computer in question), you can use the Norton AntiVirus Rescue Disk Set to correct the situation. (Detailed instructions on creating the Rescue Disk Set can be found in Chapter 3.) The following describes the steps necessary to repair a boot sector virus on a hard drive. NAVCE can detect and repair a floppy disk boot sector virus by simply performing a manual scan.

www.syngress.com

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12

NOTE A boot sector virus resides on a portion of the computer drive that is only read when the computer is powered up, at which point the virus loads into memory. They typically spread via floppy disks, which also have a boot sector that can become infected. If an infected floppy disk is present in the disk drive when a computer is booted up, the virus will be loaded into the computer’s memory and can spread to other computers and floppies.

Cleaning the Hard Drive Boot Sector 1. Power the computer down completely. Wait approximately 30 seconds, or until all hard drive activity has stopped. (This prevents unnecessary wear-and-tear on the physical components of the hard drive.) 2. Place the Norton AntiVirus Rescue Boot Disk into your floppy (A:) drive, then power the computer on. 3. Wait until the PC has fully booted and the screen displays the A:\ prompt. 4. Remove the Rescue Boot from the A:\ drive, and insert the Norton AntiVirus Program Disk. 5. Type Go and press Enter to begin. 6. Follow the instructions that appear on the screen in order to clean the boot sector virus. 7. When you’re finished, remove all floppy disks and reboot normally.

Restoring a Hard Drive Boot Sector If your hard drive’s boot sector cannot be repaired using the preceding steps, you can restore a copy of the boot sector from the Rescue Disks.This will over-write the infected boot sector with a clean backup copy, thus preventing the virus from spreading any further. Follow these steps to restore the boot sector from backup. 1. Restart the computer using the Norton AntiVirus Rescue Boot Disk (as described in Steps 1 and 2 in the previous section). 2. From the A: prompt, type Rescue and then press Enter.

www.syngress.com

583

584

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

3. Press the Tab key until the flashing cursor appears in the Boot Records menu option. Press the Spacebar to expand the menu. 4. Press the Tab key again until the cursor reaches the Partition Tables menu, then press the Spacebar again to expand the menu. 5. Press the Tab key until the cursor appears under Restore, then press Enter. 6. Follow the on-screen instructions to restore a clean copy of the hard drive boot sector. 7. When done, remove the Rescue Disk from the A: drive and reboot the PC as you normally would.

Damage & Defense… When All Else Fails… So what happens when a system has become irreparably compromised? While NAVCE’s quarantining and cleaning functions can handle most of the virus infections, there are some circumstances in which your only 100-percent-sure option is to reinstall the PC from scratch. So what are some useful points to keep in mind when restoring a machine from a virus infection? Here’s a basic overview of the process: 1. Install a clean version of your operating system If a machine is compromised by a virus or worm, remember that anything on that system could have been modified. This includes the operating system files, any network services running on the machine, as well as information stored in cache memory. At that point, the only way to be really sure that a computer is free from intruder modifications is to reinstall the operating system from a trusted copy of original media—install from read-only media like a CDROM rather than a potentially compromised file share on a server hard drive. Make sure that you install all available security fixes from the vendor Web site before reconnecting the machine to your network, lest the cycle of virus propagation begin once again. Only addressing the vulnerability that Continued

www.syngress.com

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12

initially compromised the machine in question may not be enough to ensure a secure environment. 2. Disable any unnecessary services Configure your system (especially server systems) to offer only those services you specifically intend to use, and no others. The most conservative approach is to disable all services and then reenable them one by one as they are needed. (Obviously you’ll want to test this configuration before placing the server into production.) 3. Install all vendor security patches At the risk of sounding redundant, make absolutely certain you install the full set of security patches for each of your systems. This is the fundamental step in defending your systems from further attack. Check with your vendor regularly for any updates or new patches that relate to your systems— many vendors offer e-mail bulletins whenever a new update is released. You can also consult third-party and external security awareness sites such as www.cert.org and others.

Managing the Virus Outbreak Process In Figure 12.27, you’ll see a synopsis of the steps involved in responding to a virus outbreak within your network. (Details on each step of the workflow can be seen in Table 12.3.) Use this workflow as a reference as you work through the various steps in restoring your network services.The most often overlooked piece of the equation is the final one, that of documenting the incident and analyzing the steps taken in handling the restoration. While the specific threats presented by new viruses will undoubtedly change and expand over time, many of the troubleshooting steps involved in addressing them will not. As such, an analysis of what did and did not work as planned will assist you in being better prepared for the next incident. Maybe a virus outbreak occurred while you were on vacation, and you did not assign a backup pager number in AMS2.These are the sorts of lessons that we think we’ll never forget, but unless they are documented will become a distant memory sooner than you imagine.Take the time now to preserve your thoughts, observations, and recommendations for handling future virus incidents.

www.syngress.com

585

586

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

Figure 12.27 Managing a Computer Virus Outbreak Recognize the Threat

Take Preventative Actions

Notify End Users

Clean Infected PCs, Restore Service

Documentation and Analysis

Table 12.3 Virus Outbreak Workflow Tasks and Appropriate Actions Workflow Task

Actions

Recognize the Threat

Use the Alert Management Server2 utility to notify administrators of known virus threats via e-mail, pager or Windows pop-up message. Use the Virus Sweep function to quickly scan your entire network. A new or unreported virus may manifest itself in unusually high network traffic, poor or unresponsive workstation or server performance. Disconnect any virus-infected PCs from your network to prevent further propagation of the virus. If your network connection is becoming overloaded, consider disconnecting your Internet connection or external e-mail until the situation is resolved. Depending on the situation, another less drastic option could be to block traffic on a specific network port, or block e-mail attachments with a specific file extension or “FROM:” address. This step really should come first, second, fifth, last, and everything in-between. Your clients and users need to be informed about what’s going on, if for no other reason than so that they don’t continue to propagate the virus infection through lack of information or preparation. Virus and security awareness should be an ongoing project for any serious computer administrator.

Take Preventative Actions

Notify End Users

Continued

www.syngress.com

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12

Table 12.3 Virus Outbreak Workflow Tasks and Appropriate Actions Workflow Task

Action

Clean Infected PCs, Restore Service

Obtain the newest virus signatures from the Symantec Web site, as well as any removal tools available for removing the infection. Beginning with your servers, remove the infected PC from the network while performing the cleanup so that it does not become re-infected before the cleanup process manages to complete. Perform a full scan of all drives and ensure that realtime scanning is fully functional before returning the computer to the network. Repeat for all infected servers, then move onto individual workstations. Once everything is running again, take a look at what went right and what went wrong and write it down. What quirky little nuance of that network application gave you trouble? What additional resources would have helped you? What would you do differently next time?

Documentation Analysis

www.syngress.com

587

588

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

Summary Scanning for viruses and managing virus outbreaks are two of the primary functions of any antivirus offering, and Symantec’s AntiVirus is no exception. In previous chapters we went over the steps in planning and installing NAVCE for servers and clients; here, we discuss the daily use of its functions.The various scanning options available—real-time, scheduled, and manual—provide us with a plethora of tools to keep our networks virus-free. The various NAVCE virus scans can be customized in any number of ways to best serve your users and network environment. If you are supporting legacy or budget hardware configurations, you can lower the total CPU time used by NAVCE during a scan to avoid impeding normal use of the machine, or use scheduled scans to perform virus monitoring during off-hours when the PC may not be in use at all.You can choose one of three levels of protection within Symantec’s Bloodhound Heuristics function in order to reach the best possible trade-off between security and usability. If desired, you can even exclude, en masse, entire folders or groups of file extensions from the NAVCE scans. And as always, a configuration that works for one administrator may not work for another. A healthy dose of horse sense, combined with the use of monitoring tools, like Windows 2000 Performance Monitor, will help you determine the best course of action for your situation. Dealing with a virus outbreak can be one of the more frustrating aspects of an administrator’s life; luckily, Symantec offers several tools to make the job a bit easier. Correctly configuring the Alert Management Server plug-in will provide immediate alerts via e-mail, pager, and so on, in the event of any virus infections on your network. All such activity is also recorded in Virus History logs on the NAVCE parent server: these logs provide your first step in determining what sort of virus threat you’re facing. Once you’ve determined that your network is facing an outbreak, virus sweeps allow you to quickly determine the level of virus infection on your network, while NAVCE quarantining and cleaning functions will eliminate most of the virus types you’ll encounter. For those viruses that are so new that a specific detection signature hasn’t yet been developed, you’re still protected by Symantec’s heuristic technology, as well as by NAVCE’s default monitoring for virus-like behaviors. All of these tools should go a long way towards keeping your network virus-free and your users up and running, even in the face of continuing and evolving virus threats.

www.syngress.com

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12

Solutions Fast Track Virus Scanning Methods ; Use manual scans for a quick, ad-hoc scan of a single computer or small

group of PCs. Especially useful for troubleshooting, or if something about a machine just doesn’t feel right.

; Scheduled scans will automate ongoing scans of any or all machines on

your network. Remember that a virus scan will create processor and hard drive activity while it is underway, so make sure you keep your users informed about scanning schedules.

; Real-time scanning checks every file on a hard drive when a user or an

application accesses them.This functionality is enabled by default, and can also examine e-mail files for the most recent versions of Lotus Notes and Microsoft Outlook.

Configuring Computer Virus Scans ; You can scan the entire contents of a hard drive, or select specific files

based on their three-letter extension or file type.

; When NAVCE encounters an infected file, it can take any of the

following actions: clean the infected file, send it to quarantine, delete the file, or leave it alone.

; Use NAVCE scanning options to fine-tune CPU utilization to keep

your end users happy and productive while performing a virus sweep or scheduled scan of your entire network, as this can produce quite a demand on network bandwidth and PC response time.

Analyzing Results of Virus Scans ; NAVCE Virus logs provide a count of the number of files scanned on a

given client or server, as well as how many (if any) are infected. If the virus is covered in the latest anti-virus definitions, you’ll also see the name of the infection(s) in question.

www.syngress.com

589

590

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

; If a file is flagged with a “Bloodhound.something” virus, it means that

Symantec’s Bloodhound Heuristics have flagged this file as being potentially virus-infected, though the virus signature is not included in the newest definitions. Forward the file to SARC for examination as soon as possible.

; Depending on how you configured NAV’s actions and backup actions

when responding to a virus-infected file, clean or delete any flagged files as appropriate.

; If you chose Leave Alone as the default action (or inaction, in this case)

for NAVCE to take upon finding an infection, it is imperative that you address the situation as quickly as possible. Until you take manual action, the user of the infected PC can access and execute the virus like any normal file, potentially spreading the virus to other computers on your network.

Understanding Outbreaks ; Use the Alert Management System2 (AMS2) to send alerts of virus

infections to administrators.

; AMS2 can send an alert via the Windows Messenger, e-mail, or numeric

pager.

; Virus sweeps provide a “one-click” means of scanning your entire

network for viral infections.

; Remember the three Cs of handling virus outbreaks: Contain, Clean,

and Communicate...though the “Communicate” portion should be part of the entire process from start to finish.

www.syngress.com

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12

Frequently Asked Questions The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: We’ve just been slammed by a virus. It has propagated through e-mail, and we can’t obtain the latest signature files because the antivirus vendors’ Web servers are all overloaded. How do I contain this virus?

A. Some of the more recent e-mail-borne viruses (ILOVEYOU and Sircam spring immediately to mind) have blocked access to the major antivirus software vendors’ Web sites in an attempt to stop users from downloading necessary virus updates.Your best bet in this situation is to use a completely clean and virus-free PC (build one from scratch if you have to) and use it to obtain the newest virus definitions, as well as any removal utilities that Symantec has made available to combat a specific threat. Start with your NAV servers and any other mission-critical machines—again, unplug them from the LAN if necessary—and begin to update definitions, run full scans and verify real-time system protection. Only return these machines to the LAN environment when you are certain all vulnerabilities have been patched, otherwise the machines could become reinfected as soon as you plug the network cable back in.

Q: How can I configure my users’ e-mail software so they will be less likely to infect their computer and my network?

A: Within Norton AntiVirus, your best bet is to simply follow the best practices we’ve been discussing throughout the chapter: ensure that real-time scanning (especially of messaging systems) is enabled, that antivirus definitions are updated on a regular basis, and that you schedule regular scans of your entire network. Apart from that, many major vendors offer options for e-mail filtering based on content and/or file extensions.The decision to implement such a solution is obviously specific to your business needs, but it’s useful to note that many e-mail-based viruses are transmitted via file types that most business

www.syngress.com

591

592

Chapter 12 • Scanning for Viruses and Handling Virus Outbreaks

users would not need to send or receive during the course of a normal business day (VBS, SHS, and so on).

Q: What are some good resources for making sure that my network computers stay secure and virus-free?

A: The best place to start are the vendor Web sites for all of your systems and software: Symantec, Microsoft, Apple, Cisco, you name it. Most offer e-mail notifications of new updates and bulletins. Other third-party and independent Web sites offer excellent cross-platform security information. Here are a few to get you started. ■

www.symantec.com



www.microsoft.com



www.cisco.com



www.cert.org



www.sans.org



www.sarc.com

Q: My corporate users have begun relying more and more heavily on Instant Messaging technologies: AOL, MSN, ICQ, and the like. Does this present any new challenges for antivirus protection?

A: Instant messaging applications have become the latest craze for hackers intent on stealing personal information or otherwise wreaking havoc on unsuspecting users. Industry analysts have estimated that over 200 million people were using IM technology as of 2001, and other industry leaders are predicting that corporate users particularly will grow to as much as 300 million within the next three years. As IM technologies become more and more complex, offering rich new features, such as file transfer and voice-over-IP, the potential for exposure increases dramatically. (Consider, if you will, the potential of a Code Red–style worm that targets not just Internet-connected PCs, but corporate IM-enabled devices such as Palms, PDAs, and “smart” cellular phones.) Luckily, similar to e-mail borne viruses like Klez and ILOVEYOU, the new wave of Instant Messaging viruses and worms can be best avoided by preventative maintenance, user awareness, and a healthy dose of common sense. The early threats against Instant Messaging are quite similar to the earliest e-mail borne viruses.You see, in the beginning, there was text. With older IM www.syngress.com

Scanning for Viruses and Handling Virus Outbreaks • Chapter 12

clients who only pass ASCII text back and forth across the Internet, the largest hacking risk was simply that of social engineering or accidental disclosure: an unwitting user would disclose confidential information during the course of an otherwise benign conversation. But the latest versions of AIM, Yahoo, ICQ, and the like have begun to allow file sharing, and that’s where hackers have begun to drool.Today, rather than just trying to stop the latest version of Elf-Bowling from overrunning your e-mail server (and wasn’t that hard enough?), you now have to worry about it being tossed back and forth over AIM and ICQ. And, of course, the inherent risk of users exchanging executable programs becomes a question of “What if there is a virus in there?” If I’m a corporate e-mail administrator and somebody e-mails me a virus, I have an e-mail virus scan on my system. But without managed and up-to-date client anti-virus protection, by the time it comes down to a laptop or desktop you’re back to depending on individual users to keep their definitions up-to-date. (But then, that’s why you’re reading this book, isn’t it?) First the bad news: At present, there exists no security software that specifically monitors Instant Messaging programs. However, most generally accepted security measures, including (but not limited to) properly configured and managed antivirus software will do pretty nicely to monitor IM. And though it should go without saying, always maintain (and teach your users to maintain) a healthy dose of paranoia when it comes to accepting files via Instant Messaging from people you don’t know.You want to be as careful of IM-transferred files as you are with e-mail attachments—the next Klez could very easily originate from your Buddy List instead of Microsoft Outlook.

www.syngress.com

593

Chapter 13

Backup and Disaster Recovery

Solutions in this chapter: ■

Basic Principles of Backup and Disaster Recovery



Designing a Disaster Recovery Plan



Implementing a Backup Strategy



Defining Support and Service Levels for Your Organization



Backing Up Dedicated NAVCE 7.6 Servers



Restoring Dedicated NAVCE 7.6 Servers

; Summary

; Solutions Fast Track

; Frequently Asked Questions 595

596

Chapter 13 • Backup and Disaster Recovery

Introduction Most of the topics addressed in this book discuss the use of Norton Antivirus Corporate Edition (NAVCE) to prevent network outages or data losses caused by virus outbreaks. However, the best laid plans of mice, men, and network administrators often go awry, and the formulation of a proactive backup plan and disaster recovery strategy is essential to ensure that your network is protected. Whether you are protecting a single Small Office/Home Office (SOHO) server or a large corporate enterprise, there are some basic principles of computer backups and business continuity planning (BCP) that are common to all network installations. We’ll begin this chapter by exploring some of these concepts, such as assessing potential risks to your information services, defining your critical data and processes, and procuring offsite recovery locations. We’ll then discuss the more hands-on details of developing a backup plan: selecting hardware and software, creating a viable schedule to perform your backups, and creating a tape rotation scheme that will provide the most complete coverage for your data. This chapter concludes with a step-by-step walk-through of performing a backup of a dedicated NAVCE Windows server, and even more importantly, using the built-in Microsoft backup utility to restore your information.The Windows 2000 Backup Utility (NTBACKUP) has an easy-to-use GUI interface that will walk you through the backup process step-by-step, or for more granular control you can use command-line switches to automate the process on multiple servers and machines.The exercises included in the final section will illustrate that even if you don’t have the funds to invest in a third-party backup solution, this integrated utility will allow you to perform a full or partial backup of your NAVCE server.

Basic Principles of Backup and Disaster Recovery Planning for disaster recovery is inherently similar to creating a strategy antivirus protection: it’s less a question of if, but rather when you’ll need the benefits provided by an effective plan. In preparing for that inevitable moment when the things that can go wrong, do… here are a few principles to keep in mind: ■

Create a baseline of your network



Leave room for growth

www.syngress.com

Backup and Disaster Recovery • Chapter 13 ■

Plan for data retention



Create a workable backup schedule



Provide an offsite storage location



Strike a balance between cost and convenience



Train your staff



Involve your users in the disaster recovery process



Test your backups

Each of these golden rules is detailed in the sections that follow.

Creating a Baseline of Your Network Even though we know that you’ll want to start backing up your critical data right away (especially if you don’t already have a backup mechanism in place), you should still take the time to ensure that your backup plan is, in fact, the right one to meet your needs. In order to ascertain this, you’ll need to create a baseline of your network services and applications. A baseline is one part system inventory, one part performance snapshot: you’ll not only create a list of which applications and services are running, but also determine how they operate in terms of overall network traffic and storage needs. Establish an inventory of all applications in use on your network, then monitor those applications using the Windows NT/2000 performance monitor or a third-party utility to determine how much disk space they use on a daily, weekly, and monthly basis. (If you’ve followed the topics discussed in Chapter 9, you may have completed at least some of this inventory already.)

NOTE Make sure you monitor the performance and disk usage on your network over an extended period of time: you’re not only concerned with how your network is performing today, but also how its performance and storage needs change over time.

Creating this baseline of your network will assist you in determining your total backup requirements by answering some important questions. First, how much data really exists on your network? Is it housed on a single server, on multiple servers in a single subnet or building, or on many different servers and www.syngress.com

597

598

Chapter 13 • Backup and Disaster Recovery

workstations throughout an enterprise WAN? Next, how much does your data change on a daily basis? For example, a static data archive that is accessed frequently but rarely altered will call for a different backup strategy than an interactive database that processes hundreds of transactions daily. Finally, does your network rely on any specialized applications like Exchange, Oracle, or SQL? These typically require additional considerations in creating a backup strategy, usually in terms of a specific software package or add-on. Don’t forget to include antivirus protection when inventorying your network. Is NAVCE running on one or more dedicated servers on your network, or is it running as an additional service on a server that’s performing other functions? Make sure you include all NAVCE directories and services (for instance, AMS2, Quarantine, and so forth) in your list of services that need to be backed up. In the final analysis, a network baseline is critical in determining what you need to back up on your network. Whether you use built-in Windows or Novell monitoring tools or a third-party performance analyzer, this step cannot be overlooked if you want to create a successful backup and disaster recovery strategy for your network.

Leaving Room for Growth With ever-increasing dependence on data storage and the corresponding decrease in prices of high capacity hard drives and other storage media, your network’s disk usage and corresponding backup plan will almost certainly need to be revised and expanded as time goes on.This expansion can also potentially affect your NAVCE installation, requiring you to bring a new parent server online to protect additional clients, for example. It’s important to revisit the baseline discussed in the previous section on a regular basis to see what has changed on the network that needs to be included with your backup strategy. Because of this, make sure your selection of backup software, hardware, and media will allow sufficient room for growth so that you won’t be forced to abandon the entire system and buy a completely new one six months down the road.

Planning for Data Retention With the corporate scandals of the world tramping across the CNN news ticker every day, data retention schedules have become an essential component of any backup plan. It is absolutely critical that your company complies with all federal, state, and/or industry-specific regulations regarding how long data should be maintained. Consult your legal department or whomever else you need for www.syngress.com

Backup and Disaster Recovery • Chapter 13

assistance in this matter, because like everything else in this venture, it’s certainly best to get it right the first time. Don’t forget to consider client workstations in this equation either: if your corporate data retention calls for maintaining e-mail data for twelve months, but some users have copies of every item they’ve sent or received in the last five years, that information could easily come back to haunt you in a legal proceeding.

Creating a Workable Backup Schedule Unless you invest in a software agent designed to handle open files, your data and applications will be unavailable during the time it takes to perform your backups. Full backups take the longest amount of time to back up but are the quickest to restore. Integrating incremental or differential backups into your backup strategy will reduce the time that nightly backups require, but will add to the time needed in the event a file restore is necessary. As with everything else, you need to find a comfortable balance between data protection and usability.

NOTE See the section on “Creating a Backup Schedule” later in this chapter for a detailed explanation of the difference between incremental and differential backups, and how they can benefit your network backup strategy.

Creating a Tape Rotation Scheme Simply establishing a backup schedule is not enough to provide protection for your network data; you also need to delineate a media rotation scheme that provides a deep history of file versions.This is especially critical if you need to restore from a virus outbreak, as you may need to go back more than merely a day or two in order to restore an uninfected copy of a file or directory. It is also handy if you need to roll back to a previous version of NAVCE antivirus definitions for any reason.Two popular rotation schedules are the Tower of Hanoi and the Grandfather-Father-Son.You can choose the one that works for you, or use them as a template to customize one that fits your needs. Whichever rotation scheme you choose, be sure to put it in place at all of your business locations.

www.syngress.com

599

600

Chapter 13 • Backup and Disaster Recovery

The Grandfather-Father-Son Rotation Scheme The Grandfather-Father-Son scheme begins with daily backups.You’ll label three sets of four “Son” tapes, Monday through Thursday, for use on its labeled day. In this scenario, the daily “Son” tapes will not be overwritten for three weeks.These nightly backups can be full backups, incremental, or differential, depending on whatever time constraints you’re under. The weekly “Father” backups follow a similar pattern: a set of five weekly backup media is labeled “Week1,” “Week 2,” and so forth. Full backups are recorded weekly, on the day that you don’t use “Son” media. (Following the example in the previous paragraphs, these would be the “Friday” tapes, though that is certainly not set in stone.) You’ll re-use the “Father” tape monthly. The last set of media is the “Grandfather” set that you’ll use for monthly backups, typically on the final business day of each month.This monthly backup will vary throughout the year, replacing a daily or weekly tape depending on where it falls on the calendar.Typically, you’ll overwrite “Grandfather” tapes on a quarterly or yearly basis, depending on version history and data retention requirements.The GFS backup scheme is illustrated in Table 13.1. Table 13.1 Grandfather-Father-Son Tape Rotation Sun 2 9 16 23

Mon Mon1 Son Mon2 Son Mon3 Son Mon1 Son

Tue Tue1 Son Tue2 Son Tue3 Son Tue1 Son

Wed Wed1 Son Wed2 Son Wed3 Son Wed1 Son

Thu Thu1 Son Thu2 Son Thu3 Son Thu1 Son

Fri Week1 Father Week2 Father Week3 Father Week4 Son

Sat 1 8 15 22 29 Grandfather

30

The Tower of Hanoi Rotation Scheme The Tower of Hanoi rotation scheme is more complex, and is typically managed by the backup software itself, rather than manually by an administrator. Media set “A” is used every other backup session—in this example, for daily backups. Begin on Day 1 with “A” and repeat every other backup (every other day).The next www.syngress.com

Backup and Disaster Recovery • Chapter 13

media set “B” starts on the first backup day that doesn’t use an “A” tape (in this case, Day2), and repeats every fourth backup session. Media set “C” starts on the first non-“A” or non-“B” backup day and repeats every eighth session. Media set “D” starts on the first non-“A,” non-“B,” or non-“C” backup day and repeats every sixteenth session. Media set “E” alternates with media set “D.”You can see this illustrated in Table 13.2. Table 13.2 Sample Tower of Hanoi Schedule Sun

Mon

Tue

Wed

Thu

Fri

Sat

A D A B A

B A E A B

A B A D

C A B A

A C A B

B A C A

A B A C

The advantage to this scheme is that the more frequently used media sets have more recent copies of a file, while less frequently used media retain older versions. Since the tapes repeat on a mathematical rather than a chronological basis, you should periodically remove tapes from the rotation for archive purposes.

Providing an Offsite Storage Location No matter what size your network, you can’t claim to have created a viable disaster recovery plan without providing for some sort of remote data storage.Take a lesson from the following anecdote: as the story goes, a random network administrator was walking past their office building at about 9P.M. on a weeknight.There had been some sort of after-hours seminar in one of the conference rooms, and someone had pulled the fire alarm. So there was our hero, staring at four fire engines parked in front of his building with their lights flashing. His first thought was, “Will I be risking my life if I go in there to grab the backup tapes that are in my desk drawer?”Though it ought to go without saying, don’t let this happen to you. Keep a small amount of backup media onsite, and move the rest to an alternate location.The choice of locale is up to you, but I would certainly recommend that you store them at the very least in another building, so that a major disaster will not be able to affect your servers and your backup media. If your company does business in multiple offices or cities, some elements of your choice in offsite locations will become much simpler—you can

www.syngress.com

601

602

Chapter 13 • Backup and Disaster Recovery

store backup tapes from the Princeton, New Jersey servers at the New York City office, and so on. But even a configuration such as this should still make some provisions for a wholly separate site in case of an emergency that affects the entire enterprise.

WARNING When choosing a site for your offsite data storage, don’t give in to overkill: Your backup media shouldn’t be so far away that it can’t be accessed within a reasonable time frame. Backup tapes that are inaccessible for any reason will do you and your company no good whatsoever.

When choosing a remote site, there are several possibilities: ■

Mutual aid agreement This is a reciprocal agreement with another company or service provider in which you agree to assist each other in the event of an emergency.This can take the form of simple backup storage—swapping tapes with the other company’s network administrator on a regular basis to store them at each others’ sites—all the way to providing actual workspace and computing resources to allow the partner company to continue functioning through a disaster. While this idea seems valid (and a bringer of good karma, to boot), on closer examination it has several apparent flaws. It first assumes that the two organizations possess sufficiently comparable computing environments such that one could support the processes of another. Second, a disaster of sufficient magnitude to affect both organizations would render the agreement meaningless. Finally, there is the matter of security: without some official agreement such as bonding or security clearances, most companies would not be comfortable leaving their backup tapes and critical data in the hands of another, possibly competing, location.



Cold site This is the least expensive option for hosting an alternate business location. It simply consists of a room or an area that’s ready for PCs and servers to be installed into. It possesses electrical and heating/cooling services, but no preconfigured equipment or servers. In the event of a service outage, computer equipment and communications links will need to be brought in, and all data and applications will need to be restored or reinstalled before business processes can continue.This

www.syngress.com

Backup and Disaster Recovery • Chapter 13

is obviously a labor-intensive process, but it provides an alternate site for a company that may not have the budget for a more comprehensive plan. If you opt for this type of offsite location, be sure to include NAVCE in your list of applications and servers that need to be restored to the cold site. ■

Warm site One step up from a cold site, warm sites will have the necessary computer equipment and network services (such as T-1 or ISDN lines) already installed. In a warm site, you need only perform data restores and update NAVCE to the most current antivirus signatures to return your company to at least temporary working order.This increase in recovery speed comes in return for the increased cost of maintaining redundant equipment and connectivity.



Hot site This is the most involved (and expensive) option in establishing an alternate processing site.The level of expense associated with a hot site is quite extensive, as it requires installing two complete sets of IT infrastructure: servers, software, and so on, requiring a great deal of staff involvement in keeping the alternate site up-to-date.The advantage of a hot site is that all necessary communications, hardware, and software will be almost immediately available for use during an emergency, and can support your network’s business processes even during an extended outage.

NOTE Many hot sites use a process called “remote journaling,” where all data modifications made on production servers are immediately replicated to their hot-site counterparts. This removes from the recovery process the time required to restore from the most recent backup, allowing your users to resume work right away.

Whether you establish a fully functional hot site to allow your business to continue functioning, maintain a simple offsite storage location for your backup tapes so that your data can still be restored following a disaster, or any step inbetween, designating an offsite storage or processing location should be a part of any good disaster recovery plan.

www.syngress.com

603

604

Chapter 13 • Backup and Disaster Recovery

Striking a Balance Between Cost and Convenience We are all in a time of belt-tightening and making do with less than we’d otherwise like. So, when determining your disaster recovery plans, meet with all of your decision-makers and department heads to figure out how much downtime is, if not acceptable, at least tolerable. If they’re not willing to drop five figures on a Gigabit-Ethernet storage area network, for example, then be prepared to offer a “down-sell.” Before you leave the room, make sure they understand what they’re paying for and what it’s getting them. If your company doesn’t use service level agreements (SLAs), this might be a good time to develop one. (We’ll talk about SLAs in the “Defining Support and Service Levels for Your Organization” section later in the chapter.)

Training Your Staff Depending on the size of your organization, every member of your IT staff (or at least a sizable portion thereof ) should be able to restore a file or directory upon request.Think about it: do you want to be the one to tell a vice president that she can’t get their spreadsheet back until the “backup guy” returns from lunch? Remember always to keep your users happy and productive—it’s the biggest part of our job, after all.

Involving Your Users in the Disaster Recovery Process What plans, if any, do you have for backing up your users’ workstation hard drives? If users are expected to save their data to the LAN in order for it to be included in the nightly backups, have they been made aware of this? When was the last time you reminded them? And did anyone tell the new accountant who started last week? Consider adding a ten-minute “Welcome to your Help Desk” presentation to your company’s employee orientation—you can extend this to touch on backup issues, antivirus awareness, and NAVCE usage; whatever you feel is necessary. Issue friendly reminders via e-mail or a printed memo circulated every quarter or so. Do a little, do a lot, as your environment dictates, but make sure your users know enough to get into the game.

www.syngress.com

Backup and Disaster Recovery • Chapter 13

Testing Your Backups The importance of this simply cannot be overstated, since your backups are only as good as how well they perform when you actually need a file restored. Don’t become another network administrator who runs backups faithfully for months and months only to discover too late that your tapes contain no useful information. Build some time into your weekly schedule to perform test restores of various files and directories to verify that your tapes are functioning properly. Also take the time to test a full restore of your major applications and services: documenting the steps to take if your e-mail server suffers a failed motherboard and you need to rebuild a new machine from scratch, for example.

Notes from the Underground… Making Sure Your NAVCE Servers Can Be Restored The best way to ensure that your NAVCE server is being backed up properly is to perform a test restore on a regular basis. You can use a dedicated workstation for this purpose, or simply restore the information to a test directory on the production NAVCE server. The backup hardware and software that you’re using will largely dictate your options in performing a test restore—you may be limited to performing a restore on the machine that physically contains the backup device, for example. The most critical file to restore is the grc.dat file, as this contains all pertinent configuration information for your NAVCE clients. However, you should attempt to restore all NAVCE-specific files in the ~\Program Files directory structure, including such default locations as ~\Program Files\NAV and ~\Program Files\Symantec Shared. Once you have performed a test restore, use Windows Explorer to compare the size, date, and version number of the test files against those in the production environment. (Make sure to check the “Date created” field rather than the “Date Modified” field, as the latter will change on a daily basis in the case of most NAVCE program files and DLLs.) For text files—such as grc.dat and others—open the files in Notepad to compare their contents—they should be identical. Finally, for a true litmus test, manually copy the restored files directly into the production locations to verify that NAVCE will continue to function using your restored files. Continued

www.syngress.com

605

606

Chapter 13 • Backup and Disaster Recovery

The grc.dat file becomes especially important if you need to install or re-create your NAVCE installation on a machine with a different computer name—NAVSERVER2.test.com instead of NAVSERVER1.test.com, for example. You’ll need to manually edit the grc.dat file to point to the new NAVCE server name using the following syntax: Parent=S

You’ll then use a batch file or login script to push the modified grc.dat to your NAVCE clients. Otherwise, your clients will continue to look for update information from the old server name, and will no longer receive antivirus definition updates and the like. The grc.dat file resides, by default, in the following locations on your NAVCE clients: ■

Windows 9x/ME: C:\Program Files\Norton AntiVirus



Windows NT: C:\WINNT\Profiles\All Users\Application Data\ Symantec\Norton Antivirus Corporate Edition\7.x, where x is the version number of the NAVCE software you are running



Windows 2000/XP: C:\Documents and Settings\All Users\ Application Data\Symantec\Norton Antivirus Corporate Edition\7.x

Once you’ve copied the modified grc.dat file to your clients, they will begin to look to the new NAVCE server for update information after they’ve been rebooted.

Designing a Disaster Recovery Plan Designing a disaster recovery plan falls into two conceptual halves: 1. Define the critical processes and potential liabilities faced by your organization. (“What needs to be protected?”) 2. Detail the actual steps required to ensure that your business functions. (“How are we going to protect these processes?)

NOTE You’ll often hear the term Business Continuity Plan (BCP) used within the context of disaster recovery. The key difference between a BCP and a disaster recovery plan is one of timing: A BCP is primarily concerned with

www.syngress.com

Backup and Disaster Recovery • Chapter 13

the preliminary steps of identifying the critical processes and the potential losses to prepare against—the first half of the process. A disaster recovery plan deals with the second half of the equation, or the actual steps needed to protect corporate data and processes in the event of an actual incident.

Defining Mission-Critical Criteria for Your Organization Properly determining which files, services, and applications need to be included in the disaster-recovery strategy is a step whose importance cannot be overstated. In Chapter 9, we discussed inventorying your company’s business processes and network applications in conjunction with developing a security strategy: we’ll use the same process here to determine an appropriate backup strategy. A properly formulated disaster recovery plan needs to address all areas of information technology within your company, including (but not limited to): 1. LAN and WAN network infrastructure, including routers, hubs, switches, and wiring 2. User workstations, including all locally installed applications 3. File and application servers, including any internally hosted Web or e-mail servers 4. Storage of archive and backup data and media 5. Personnel duties and responsibilities Subsequent to identifying the services and applications that need to be addressed by your disaster recovery plan, your next step will be to prioritize them based on the potential impact that would be created by the loss of that service. This phase can prove to be the toughest needle to thread, since every single department manager will insist that his or her process is the most critical to the overall survival of the business. (What makes this even tougher is that, more often than not, every single one of them will be right.) This kind of prioritization is one that cannot be made by the IT staff alone—similar to the network security plan discussed in Chapter 9. Formulating a disaster recovery plan will require involvement and buy-in from all facets of your organization. While there are no hard and fast rules for prioritizing your company’s network services, here are a few things to keep in mind: www.syngress.com

607

608

Chapter 13 • Backup and Disaster Recovery ■

Time-sensitive and legally mandated processes should be prioritized ahead of those services that are not.The most common example of this is payroll, but it can also include ordering of inventory and supplies, or filing financial reports with an agency such as the Securities and Exchange Commission (SEC). Solicit the involvement of your legal department or corporate counsel if there are any doubts or gray areas.



Determine the maximum downtime that a network service or application can sustain before the damage to the company becomes absolutely irrevocable. Obviously, in a perfect world we’d like to say that zero downtime is tolerable—however, that goal is simply unattainable.



When examining your NAVCE configuration, keep in mind that while the availability of the NAVCE server may not seem to directly affect your users’ productivity, some form of antivirus protection needs to be available to your users as quickly as possible, especially if the outage you’re recovering from was caused by a virus outbreak in the first place. Reestablishing your NAVCE configuration as a major priority will prevent your clients and servers from becoming virus infected (or reinfected) while you perform data and service restorations.

NOTE Would you say that 99.99 percent uptime is an impressive number? I certainly would. But think about this: an application with 99.99 percent uptime will sustain an average of 525 minutes (or just short of nine hours) of downtime each year. That might mean ten minutes of unavailability every Saturday night, or nine hours of continuous downtime due to an extended network outage.



Assuming that some downtime is going to occur, at some point you’ll want to factor in the resources necessary to restore a particular service to working order. For example, let’s say you decide the payroll application has the highest priority on your network, but restoring that application will only take one person 20 minutes to perform. On the basis of that information, you can plan to allocate additional staff to a more laborintensive process like physically setting up end-user workstations in an alternate location.

www.syngress.com

Backup and Disaster Recovery • Chapter 13 ■

The number one priority of any disaster recovery plan is that of personnel safety.You can talk about preserving capital and assets and the corporate image until you’re blue in the face, but your largest concern must be ensuring and maintaining the safety of your people.

Identifying Vulnerabilities Once you’ve determined your organization’s critical processes and established its relative priorities, you’ll need to determine the actual impact that would occur in the event of a service disruption.The potential losses in a service interruption come in two varieties: ■

Quantitative losses These are losses that can be expressed in concrete figures, usually financial ones.This can include direct effects such as lost sales resulting from an outage of your e-commerce application. However, financial losses can also result from a “trickle-down” effect like additional monies paid to contractors during an outage, fines assessed after a regulatory violation or contract violation created by an outage, and so forth.



Qualitative losses While not the kind of shortfall that can be recorded in a bank account register, can be as devastating to an organization as a straightforward financial loss. Especially in an age of instant news reporting, public image and credibility can be more important to a company’s stability than anything else—a highly publicized disaster incident can shake your customer’s confidence in an instant. Other such damages can extend to the loss of market share resulting from a data loss.

NOTE Make sure that your disaster recovery plan addresses communication needs—not just to keep internal staff apprised of the current network status, but to inform other appropriate parties like shareholders or media contacts. This will prevent unfounded rumors from taking root and adversely affecting your customers’ perceptions of the situation.

www.syngress.com

609

610

Chapter 13 • Backup and Disaster Recovery

Implementing a Backup Strategy Once you’ve determined which data needs to be included in your organization’s backup and disaster recovery strategies, you’ll next turn to more practical matters of selecting an appropriate backup technology.You’ll need to select an appropriate hardware and software combination to meet your data storage needs. (We’ll discuss various options for this in an upcoming section.) Finally, you’ll create a backup schedule that’s suited to the needs of your network environment, using a combination of full backups with differential or incremental backups to speed the nightly backup process.These three considerations will complete the “How,” “Where,” and “When” pieces of your backup puzzle.

Choosing Backup Software Similar to any other PC or server utility, there are innumerable choices in backup software on the market today. While the final choice of a backup software vendor is beyond the scope of this book, there are a few key factors that should be present in any software choice. Keep the following checklist in mind while evaluating and selecting backup software for your network: ■

Hardware requirements Determine what sort of hardware resources your backup software will need to run properly. As you are well aware, there are “recommended” requirements, and then there are “operating” requirements. In other words, the stated minimum on a vendor Web site may not be a practical reality within your network environment. Most vendors will provide a limited-time evaluation copy of their software for you to test: perform some reasonably intensive backups while monitoring your server and network performance metrics—processor time, hard disk usage, bandwidth utilization, and the like. Make sure that whatever package you select will be able to perform backups within your necessary time frames without bringing the rest of your system services to a grinding halt.



Software compatibility Aside from the obvious “Will this run on my operating system?” question, many applications like Microsoft Exchange, SQL Server, and Oracle require special software plug-ins (commonly referred to as agents) in order to be backed up properly.The reason for this is that these applications keep certain files open for use at all times, and many “vanilla” backup software packages are unable to process them

www.syngress.com

Backup and Disaster Recovery • Chapter 13

correctly. Make sure you include any of these agents in the testing phase described in the previous bullet, as they will certainly create additional hardware and bandwidth demands on your network. Also, determine how the backup software will interoperate with NAVCE’s real-time scanning function: some packages may require you to disable real-time scanning during the backup process, providing their own built-in virus scanning before a file is copied to tape or other backup media. ■

Security Backup tapes are an often overlooked vulnerability in any security plan. Since most backup software packages are available commercially, a disgruntled employee could simply slip a backup tape into his or her briefcase, and then use another computer to restore and access your company’s confidential data. While physically protecting your backup tapes is more a human and administrative function than anything else, your backup software should provide some built-in security mechanisms.You should be able to encrypt and password-protect the contents of your backup tapes, ensuring that even if the tapes leave your physical control, a would-be attacker would find them useless. Additionally, make sure that the network traffic created as the files are copying is also encrypted, in order to circumvent any damage from network sniffers or capture utilities.

Selecting Hardware and Media Along with selecting the software that you’ll use to back up the data on your network, you’ll also need to decide what type of media you’ll use to store that data.You should base this decision on your overall network structure, as well as the total amount of data that you’ll be contending with. In this section, we’ll cover the different types of media available, from simple floppy disks to autoloading tape and optical jukeboxes. We’ll first discuss each item individually, and provide a summary of the backup capacity of the various media options in Table 13.3. Each option is discussed further in the following sections.

www.syngress.com

611

612

Chapter 13 • Backup and Disaster Recovery

Table 13.3 Backup Media Capacities Media Type

Capacity

Floppy disk Hard drives CD-R/W DVD-R Iomega Zip drives

1.44MB Variable, currently >100GB 650MB >9.4GB 100MB/250MB/750MB, other options in the multiple-gigabyte level 225MB >525MB 1–10GB 40–320+GB 128MB–1.2GB 21–120MB

9-track magnetic tape QIC magnetic tape DAT magnetic tape DLT magnetic tape Magneto-optical disks Floptical disks

NOTE With the ever-expanding nature of data storage needs, the storage options available (as well as the exact capacity specifications of these media) will certainly change over time. Consult your favorite hardware vendor before making a purchasing decision regarding backup hardware and media.

Floppy Disks While a mere 1.44MB seems tiny by modern standards, floppy disks have the advantage of being one of the more ubiquitous of storage media options: Any PC manufactured in the last few years contains a 3.5-inch disk drive, and all modern operating systems can copy files to and from a floppy disk with no additional software requirements. Floppy disks have the added advantage of being extremely inexpensive (especially if purchased in bulk), and they can provide reliable long-term storage if handled correctly. While their low storage capacity combined with an inability to automatically swap one disk for another during a backup process makes floppy disks an impractical means of performing large backup operations, they are www.syngress.com

Backup and Disaster Recovery • Chapter 13

certainly better than nothing. Its most common application is for the ad-hoc storage or transportation of individual files or directories.

Hard Drives and Disks Another backup solution involves using a second hard drive to create a disk image backup, wherein you copy all of the data, programs, and configuration information from one disk directly onto the other.You can then use this second disk as a backup if the first drive should fail. With the continuing drop in the cost of hard drives, this option is increasingly attractive, and just like floppy disks they will be recognized by any operating system. However, there are a few problems with it. First of all, it requires the use of a third-party disk imaging software utility like Norton Ghost in order to replicate software and Registry settings effectively, without which the backup would be effectively useless. Additionally, it isn’t an appropriate solution for even a small or medium-sized network since it doesn’t easily handle changed or updated files, instead creating a one-time “snapshot” of the drive in question. Finally, the fragile nature of the drive hardware itself makes it difficult to transport and store them outside of the workstation, making this a poor choice for the offsite storage necessary in a disaster recovery situation.

CD-R/CD-RW/DVD-R Writeable CD-ROMS, CD-RW, and DVD-R media are becoming a de facto standard for new PC configurations, and provide 650MB to 10GB of storage capacity.These drives require software from the manufacturer or another third party in order to function properly. At this time, Windows XP is the only operating system that supports read-writeable CD-ROMS. If you’re not using Windows XP, you can still install additional software so that you can use the drive to perform data backups.This is another solution that is most effective for individual workstation backups; but does not scale well to a network- or enterpriselevel backup solution.

Iomega Drives The Iomega Corporation offers a wide range of external storage products that are ideal for use as backup media.These drives attach to USB, FireWire, or parallel ports, and provide storage capacities ranging from 100MB up to 120GB. With the longevity of the Iomega product line, these products have a good track record of providing backwards compatibility for legacy media. A 750MB Zip drive can read from, and write to, media created for the original 100MB Zip www.syngress.com

613

614

Chapter 13 • Backup and Disaster Recovery

drive.The greatest advantage of the Iomega products is portability: the drives themselves are designed to be easily transported from machine to machine, allowing files backed up on one workstation to be restored onto another one.

Magnetic Tapes This is the first media option we’ve discussed that is specifically designed for network-level backup solutions, in which data from multiple servers and workstations can be consolidated onto a single backup device.This is the traditional backup medium that has been in use for decades.The options for a tape drive include attaching a drive directly to a specific machine or using a newer Network Attached Storage (NAS) device that hooks directly into your network infrastructure. Rather than relying on the server’s operating system to run the backup services (which obviously adds processing overhead to the backup process), NAS technology creates a “smart” backup drive that is essentially independent and self-sufficient, able to operate much more quickly since it has only one task to worry about. The only serious drawback to magnetic tapes is speed: they are a sequential storage device that cannot access data randomly like a hard drive or CD-ROM; think of it as the difference between fast-forwarding and rewinding an audio tape versus skipping tracks on a compact disc.You’ll also need to ensure appropriate storage for the tapes themselves, as they don’t react well to extremes in temperature or humidity. Even taking these considerations into account, however, high storage capabilities and decreasing cost make magnetic tapes your best choice for archiving large amounts of data. Since magnetic tapes have been in use for so long, you’ll see any number of different tape formats that we’ll discuss next.

WARNING Unlike floppy drives and CD-ROM drives whose ubiquity in the PC hardware structure is almost assured, tape drives designed for one tape format usually cannot read media designed for another. Make sure that you keep a working drive in place for any and all tape formats you use on your network.



9-track tape (a.k.a., half-inch tape) This is the oldest standard in magnetic tape storage. It consists of half-inch tape wound on a circular reel. Although these tapes are still in use in some environments, they are

www.syngress.com

Backup and Disaster Recovery • Chapter 13

extremely bulky and the storage capacity is small by today’s standards—a half-inch tape reel will store 225MB at the highest density. ■

QIC (quarter inch cartridge) tapes QIC was the first format to supplant the 9-track, and was widely used several years ago.The drives themselves are inexpensive and the media is far less bulky than tape reels.Their most common storage capacities include 150MB, 320MB, and 525MB.



DAT (digital audio tape) DAT comes in two standard sizes, 8mm and 4mm. 4mm DATs support storage capacities from 1–8 GB, while 8mm DATs support capacities up to 10GB. A major disadvantage of these tapes seems to be that they are more sensitive to heat damage than other types of tape.The 4mm is one of the most widely used but has largely been replaced by DLT.



DLT (digital linear tapes) The most common tape formats in use today, DLT tapes range in capacity from 40GB to well over 300GB.The obvious drawback to DLT drives is cost—the physical drives themselves range from several hundred to several thousand dollars.

Jukeboxes, Stack Loaders, and the Like Jukeboxes and stack loaders are designed to automate the handling of media to single or multiple DAT, DLT, or optical drives.You’ll often here these referred to as tape or optical libraries.These devices are able to load and unload tapes into removable media drives on an automated or as-needed basis.They utilize the same drives discussed in the last section, and are most useful for large data-storage requirements, eliminating the need for human intervention to swap tapes in the middle of a backup. (Since most enterprise backups occur in the wee hours of the morning, this makes the life of the average network administrator much simpler.)

Magneto-Optical and Floptical Disks Magneto-optical disks are also designed for enterprise backups.They are more stable than magnetic tape media because they are written magnetically but read optically, which means that accessing data will not degrade the media.They can store anywhere from 128MB to 1.2GB of raw data.These drives are quite expensive, as is the media itself. So-called “floptical disks” utilize the same technology as magneto-optical disks.They have a smaller storage capacity of 21–120MB of raw data, and are www.syngress.com

615

616

Chapter 13 • Backup and Disaster Recovery

similar in appearance to a standard 3.5-inch disk drive.These drives were designed about a decade ago to replace standard floppy drives, but the technology didn’t quite catch on, so they are now few and far-between. Floptical drives can read and write to basic floppy diskettes.

Creating a Backup Schedule Now that we’ve discussed the “What,” “Why,” and “How” of a backup and disaster recovery strategy, we need to turn our attention to the question of “When.” As with most decisions relating to your network, you’ll need to develop a solution that balances data protection against the overall usability of your network resources. Protecting your data at least once per day is essential; however, the cost and time required to perform a full backup everyday can be unfeasible for networks with large amounts of data. If a full backup takes 13 hours to run, for example, then running it every single day would overlap even a 9–5 user’s ability to access critical data.You can instead opt to copy only changed files on a daily basis, running a full backup once a week.You can choose to perform daily backups that are either incremental or differential. Differential backups copy every file that has changed since the last full backup, while incremental backups address only files that have changed since the previous incremental or full backup. Let’s say that you perform a full (normal) backup of your network every Sunday night, and a differential backup on all remaining nights.Your network suffers a virus outbreak on Friday evening after the Friday backup has run. In order to restore your data to the server, you will need to restore the Week1 tape containing the most recent full backup. Once you’ve obtained the newest virus definitions from Symantec, you can restore the Friday differential tape to attempt to repair infected files. (See Table 13.4 for a graphical illustration of this process.) If the infected files cannot be repaired, you can restore the last-known good copy of your data by restoring the Thursday differential tape.

www.syngress.com

Table 13.4 Differential Backup and Restore Scenario

617

Week1 Tape

Monday Tape

Tuesday Tape

Wednesday Tape

Thursday Tape

Friday Tape

Saturday Tape

File A created

File A untouched

File A changed

File A changed

File A untouched

File A untouched

File B created File C created

File B untouched File C changed

File B changed File C changed File D created

File B untouched File C untouched File D untouched

File B untouched File C changed File D untouched

File A infected by Klez virus File B deleted File C untouched File D infected by Klez virus

Normal Backup Includes

Differential Backup Includes

Differential Backup Includes

Differential Backup Includes

Differential Backup Includes

Differential Backup Includes

Differential Backup Includes

File File File File

File File File File

File File File File

File A

File A

File C File D

File C File D

File A File B File C

File C

A B C D

A B C D

A B C D

File C untouched File D untouched

618

Chapter 13 • Backup and Disaster Recovery

If you’re using incremental backups in the same situation, you’ll need to restore the Week1 tape containing the most recent full backup, as well as the Monday,Tuesday, Wednesday, and Thursday incremental tapes. Since the incremental backup resets the archive bit when it backs up a file, each day’s tape only contains those files that were changed since the incremental backup the night before. (See Table 13.5 for a graphical illustration of this process.) Once you’ve updated your antivirus definitions, you can restore the final incremental tape before attempting to repair any infected files. Using incremental backups will make for quicker backup times but will lengthen the restore process. Differential backups are exactly the opposite: the nightly backups will take longer, but the restore process will be simpler.

WARNING Never mix and match incremental with differential backups: pick one or the other and stick with it. Otherwise, this will create inconsistent file protection and confusion during the restore process, since a different method needs to be used for the two types of backups.

No matter what the circumstances, you should perform a full backup of your critical network data at least once per week.This will minimize the number of backup tapes to search for a recent copy of a single file, simplifying the restore and disaster-recovery processes. Full backups will also create a level of redundancy by duplicating any files that exist on any prior weeks’ full backups.This can be a lifesaver if there is a case of data corruption that goes undiscovered for a significant length of time.This is unfortunately a common concern in the case of “logic bomb” virus infections where a file becomes infected weeks or months before the virus delivers its malicious “payload”—cases of logic bombs have been tied to a virus-writer’s birthday or the anniversary of a news or political event. In cases like this, you’ll need to restore the file at a point before it became infected, not just when it began to wreak havoc on your network.

www.syngress.com

Table 13.5 Incremental Backup and Restore Scenario

619

Week1 Tape

Monday Tape

Tuesday Tape

Wednesday Tape

Thursday Tape

Friday Tape

Saturday Tape

File A created

File A untouched

File A changed

File A changed

File A untouched

File A untouched

File B created File C created

File B untouched File C changed

File B changed File C changed File D created

File B untouched File C untouched File D untouched

File B untouched File C changed File D untouched

File A infected by Klez virus File B deleted File C untouched File D infected by Klez virus

Normal Backup Includes

Incremental Backup Includes

Incremental Backup Includes

Incremental Backup Includes

Incremental Backup Includes

File File File File

File A

File A File B File C

File C

A B C D

File C untouched File D untouched

Incremental Incremental Backup Backup Includes Includes File A

File C File D

620

Chapter 13 • Backup and Disaster Recovery

Defining Support and Service Levels for Your Organization Another key factor in developing a disaster recovery strategy for your network is the creation of one or more service level agreements (SLAs). An SLA attempts to define the scope of a service provider’s responsibilities in maintaining critical applications on a network.The service provider in question can either be an external vendor to whom you’ve outsourced a critical service (your Internet Service Provider, for example), or the SLA can be an internal document detailing the IT department’s duties in maintaining network availability. In this section, we’ll describe the major components of an SLA, using a dedicated NAVCE as a real-world example.

NOTE Entering into an SLA with an external service provider should be viewed like any other contract, and should not be completed without expert financial and legal advice.

1. Define the scope of services In this step, you’ll be defining exactly what service or application the SLA is referring to, and what level of responsibility the IT department will have in maintaining this service. Your first step will be to delineate the hardware and software that comprises the service in question—in the case of a NAVCE, this would be the physical server or servers on which NAVCE resides, as well as the NAVCE itself. Be careful not to fall victim to “scope creep” in establishing this definition: while the proper function of NAVCE will likely be dependent on your company’s Internet connection, these are two distinct services that should be defined separately. (Especially since your Internet connection will likely be covered by an external SLA with your Internet Service Provider anyway.) This is not to say that an SLA for a particular service should not reference other services or applications, but the scope of an SLA should be restricted to those items that are inextricably related.Your NAVCE server will be functional (if not terribly useful) if your Internet connection goes down, but the failure of the server’s motherboard is an entirely different matter. www.syngress.com

Backup and Disaster Recovery • Chapter 13

2. Determining SLA schedules The 24/7 availability of the Internet has created an implied expectation that all network services and resources should be universally available as well.This schedule particularly ties in with the backup concepts we’ve discussed in this chapter, in that your NAVCE server may be unavailable for an hour a night to perform your daily backups. Defining this schedule of availability allows your users to schedule their work around the system availability—not to mention keeping the help desk from ringing your phone at 2 A.M. to report what they think is a problem, but which is really a scheduled outage. (Obviously SLAs will differ for more interactive applications like a corporate e-mail server.) 3. Outlining roles and responsibilities So you’ve established that your e-mail server should be available 24/7, except between 2 and 3 A.M. daily for scheduled backups. But now it’s 7 P.M. and the NAVCE server is inaccessible, who should your help desk call if they cannot solve the problem themselves? The answer to that question is another critical piece in the SLA puzzle. It’s not enough to simply define what you’re going to provide; you need to decide how you’re going to respond to outages. Create a coverage schedule so that at least one primary and one backup support person is available for the duration of time that the application is available to your users.You’ll also need to establish a system to escalate support calls if the scheduled support person is unavailable or cannot correct the problem. Finally, inform your users of the turn-around time they can anticipate in responding to, and resolving, the problem. (Or obtain this information from your service provider, if the SLA is an external one.)

NOTE If the size of your staff permits it, make sure you rotate the responsibility of off-hour availability to various members of the IT department so that no one person gets burned out.

www.syngress.com

621

622

Chapter 13 • Backup and Disaster Recovery

Backing Up Dedicated NAVCE 7.6 Servers No matter which software package you select to perform your server backups, the basic principles involved remain the same.You need to select the appropriate files to protect, schedule the backups to run on a consistent schedule, and create a rotation schedule to ensure your backup schedule provides complete data protection for your network. In this section, we’ll cover the steps in backing up a NAVCE server running Windows 2000 server, using the native Windows 2000 backup utility.

Using NTBackup in Windows 2000 The Windows 2000 Backup utility provides an easy-to-use wizard that allows you to quickly set up a backup schedule for your NAVCE server.You can use this wizard to back up the files and directories necessary to restore your NAVCE server, including the ~\Program Files\NAV directory and the contents of your customized grc.dat file.To launch the wizard, click Start | Programs | Accessories | System Tools | Backup, then select the Schedule Jobs tab. From the screen shown in Figure 13.1, click Add Job. Figure 13.1 Launching the Built-in Windows 2000 Backup Utility

The Backup Wizard will begin with the typical “Welcome to the Backup Wizard, click Next to continue…” screen. Click Next to begin the actual configuration of your server backups.The wizard will first attempt to simplify your life by offering you some preconfigured choices in selecting files. www.syngress.com

Backup and Disaster Recovery • Chapter 13

WARNING If you are using a new backup tape, or one that contains data in a format that NTBackup doesn’t recognize, you’ll see the following prompt to erase the tape and format it for NTBackup’s use, as shown in Figure 13.2.

Figure 13.2 Preparing a New Backup Tape

As you can see in Figure 13.3, you have the option of backing up one of the following: ■

Back up everything on my computer Clicking this option will back up the entire contents of the hard drive, Registry, and Active Directory information, if applicable.



Back up selected files, drives or network data Clicking this option allows you the most granular control over files that are being backed up.



Only back up the System State data Clicking this option will back up the computer’s Registry, COM+ files, boot files, and the Active Directory or local user database.

Figure 13.3 Preconfigured Options for System Backups

www.syngress.com

623

624

Chapter 13 • Backup and Disaster Recovery

Select one of the three options presented, then click Next. If you choose to manually select which files and directories to back up, you’ll see the screen shown in Figure 13.4.You can back up any files on the local hard drive, as well as files located on one or more network shares. If you are pressed for time in your backup process, the minimum amount of information you should protect on a dedicated NAVCE server should include the following: ■

Windows 2000 directory, typically C:\WINNT or C:\WINDOWS



C:\Program Files directory, especially ~\Program Files\NAV, ~\ Program Files\Symantec, and ~\Program Files\AMS Server



System State information (this is visible by expanding the “+” sign next to “My Computer”)

Figure 13.4 Selecting Files to Back Up

This list makes the assumption, of course, that the server running NAVCE is a dedicated one and does not house any other applications or file shares. If this isn’t the case, then you’ll obviously need to alter your file selections accordingly. Once you are satisfied with your selections, click Next to continue the Backup Wizard. On the next screens, shown in Figures 13.5 and 13.6, you’ll choose the destination for your backup information.You can back up to either a file or a physical tape drive. If you’re saving to a file, enter the location you want to save to; otherwise, select the media set name of the tapes being used. (If this is your first time using NTBackup, the only option available will be “New Media.”) Click Next to continue.

www.syngress.com

Backup and Disaster Recovery • Chapter 13

Figure 13.5 Saving Backups to a File

Figure 13.6 Selecting the Media Set

NOTE If you selected “Back up everything on my computer” or “Only back up the System State data” in Figure 13.3, you’ll skip the file selection screen (Figure 13.4) and move directly to selecting the backup destination (Figure 13.5).

After selecting the destination for your backup, you’ll select the type of backup you’re scheduling. From the screen shown in Figure 13.7, select one of the following backup types:

www.syngress.com

625

626

Chapter 13 • Backup and Disaster Recovery ■

Normal Backs up all selected files and marks them as having been backed up.You’ll also hear this referred to as a “full” backup.



Copy Backs up all selected files but does not mark any of them as backed up.This backup type is most useful as an ad-hoc method of backing up critical files before a software or hardware upgrade or editing the system Registry.



Incremental Backs up any files that have been created or changed since the last backup, and marks them as having been backed up. For example, a file that was altered on a Wednesday would be included in the Wednesday evening incremental backup, but would not be included in any subsequent incremental backups unless it’s changed again.



Differential Backs up any files that have been created or changed since the last backup, but does not mark them as backed up. In effect, this will back up all new and changed files between normal or full backups.The file altered on Wednesday would be included in the Wednesday,Thursday, and Friday evening differential backup, even if the file was only altered on Wednesday and left untouched for the remainder of the week.



Daily Backs up all files that have been created or altered on the same day as the backup.The daily backup does not mark the files as backed up.

Figure 13.7 Choosing the Type of Backup

When you’re ready to continue, click Next to specify the following additional backup options: ■

Verify data after backup The verification process will add time to the backup job, but will help to ensure that the backup was successful.

www.syngress.com

Backup and Disaster Recovery • Chapter 13 ■

Use hardware compression Hardware compression will allow more information to be stored on the backup media.This will reduce the amount of money you spend on tapes. More importantly, it will also help to fit a larger backup selection onto a single tape, preventing the need to manually switch tapes if your tape drive does not support automatic tape loading.

Click Next again to specify how NTBackup will handle the backup media itself. As you can see in Figure 13.8, if the backup tape you’re using already contains information, you can choose to overwrite the tape or append the new backup job to the end of the tape.You can also set security on the backups such that only Administrators and the owners of the files will have access to the contents of the backup media, creating an added layer of security for your network backups. Figure 13.8 Specifying Media Options

On the next screen, you’ll specify a media label for your backup tapes—this is necessary to allow Windows to catalog the tape if and when you need to perform a file restore.You can accept the default label containing the time and date that the backup job was created, or insert one of your own. Click Next and specify the username and password that Windows NT will use to run the backup job. You need to use an account that is a member of the Administrators, Domain Administrators, or Backup Operators group in order for the backup to function properly; otherwise, the backup will only be able to access those files to which Joe Average User has appropriate NTFS permissions. Click Next again to use the Windows Task Scheduler to create a name and a schedule for the backup job you’ve just created, as shown in Figure 13.9, then click Next and Finish until you’ve completed the Backup Wizard.You should note at

www.syngress.com

627

628

Chapter 13 • Backup and Disaster Recovery

this point that you can only schedule one backup job at a time using this process. If you want to create a normal backup that runs once a week combined with nightly differential backups, you’ll need to run the wizard twice, once for each job. Figure 13.9 Setting a Schedule for the Backup Job

When you’ve finished these steps, return to the Schedule Jobs tab in the NTBackup interface.This will present a graphical illustration of your backup schedule that will allow to you quickly spot any errors or omissions. Figure 13.10 shows a typical backup schedule of nightly differential backups followed by a weekly full backup. Notice that the job types are represented with a “D” for differential, “N” for normal, and so forth. Figure 13.10 Viewing the Complete Backup Schedule

www.syngress.com

Backup and Disaster Recovery • Chapter 13

Using the Command Line to Schedule Backups Along with the Backup Wizard, you can also use the Windows command line to create backup jobs.This is useful if you are creating backup jobs for several machines, as you can save time by creating a single batch file and propagating it out to multiple target machines rather than launching the wizard interface from each individual computer.You can also combine this command-line functionality with the Windows scheduler to create fully functional backup schedules for your entire network.The syntax of ntbackup.exe is as follows: ntbackup backup [systemstate] "@bks file name" /J {"job name"} [/P {"pool name"}] [/G {"guid name"}] [/T { "tape name"}] [/N {"media name"}] [/F {"file name"}] [/D {"set description"}] [/DS {"server name"}] [/IS {"server name"}] [/A] [/V:{yes|no}] [/R:{yes|no}] [/L:{f|s|n}] [/M {backup type}] [/RS:{yes|no}] [/HC:{on|off}] [/SNAP:{on|off}]

In this section, we’ll examine the most commonly used parameters, as well as some real-life examples of working command-line syntaxes. ■

The systemstate parameter This specifies that you want to back up the System State data (the Registry, COM+ files, boot files, and Active Directory database).You can only back up the System State using a Normal or Copy backup; incremental and differential backups will not work.

NOTE The NTBackup utility will only back up the System State data on a local computer. You cannot back up the System State data on a remote computer without using a third-party backup utility.



@bks file name If you want to back up more than one directory at a time, you’ll need to create a .bks file to enumerate the list of directories and files to back up.To make a .bks file, open Notepad and list the directories or files that you want to back up, one to a line. If you need to skip a specific file or subdirectory within your backup selections, add a line that specifies the name of the file or directory that you want to skip, followed by the /exclude parameter. For example, if I need to back

www.syngress.com

629

630

Chapter 13 • Backup and Disaster Recovery

up C:\Laura, C:\Laurastuff, and C:\Program Files, but not the C:\Laura\Pst directory, I would use the file shown in Figure 13.11. Figure 13.11 Creating the .bks File

WARNING When you save the .bks file, you need to use Unicode encoding instead of ANSI or ASCII, otherwise the job will fail.



/M {backup type} Denotes the backup type that you’re creating—either normal, copy, differential, incremental, or daily.



/V:{yes|no} Including /V:YES in your command line will instruct NTBackup to verify the data after the backup is complete.This is the same as selecting the corresponding check mark during the Backup Wizard.



/J {“job name”} Specifies the job name that will appear in the backup log file. Pick a descriptive job name that will describe the files and folders you are backing up in the current backup job, along with the date and time that the files were backed up.



/L:{f|s|n} This will delineate the type of log file that NTBackup will produce: full, summary, or no log at all.



/R:{yes|no} Restricts access to this tape to the data owner or members of the Administrators group.



/HC:{on|off} Turns hardware compression on or off, if your tape drive hardware supports it.

www.syngress.com

Backup and Disaster Recovery • Chapter 13

Configuring & Implementing… Examples of NTBackup Command-Line Syntax Now that we’ve examined the overall structure of the NTBackup syntax, let’s look at a few examples of the command line in action. The first example backs up the remote file share \\test-ws\c$. It names the job “My Job 1,” uses a tape from the “Backup” media pool, and names the tape “Command Line Backup 1.” It also includes the job description “Command Line Functionality.” Backup verification is turned on, data access is not restricted to the owner/administrator, the logging level is set to summary only, remote storage data is not backed up, and hardware compression is enabled. ntbackup backup \\test-ws\c$ /m normal /j "My Job 1" /p "Backup" /n "Command Line Backup 1" /d "Command Line Functionality" /v:yes /r:no /l:s /rs:no /hc:on

The second example involves the following piece of code which performs a copy backup named “My Job 2” of the local drive D:\. The backed up files and folders are appended to the tape named “Command Line Backup 1.” All other options use their default values. ntbackup backup d:\ /j "My Job 2" /a /t "Command Line Backup 1" /m copy

The final example performs a backup using the default backup type specified in the Backup program. It uses the backup selection file named backup.bks, located in the C:\data\ directory to choose which files to backup. The backup job is named “Backup Weekly” and it overwrites the tape named “Test Backup 1” with the new name “Production Backup 1.” ntbackup backup "@C:\data\backup.bks" /j "Backup Weekly" /t "Test Backup 1" /n "Production Backup 1"

Testing NAVCE Server Backup Jobs You can verify that your newly created backup jobs are functioning properly by launching them manually. Click Start | Program Files | Accessories | Task Scheduler. Right-click the job you want to run, and select Run Now.You’ll see

www.syngress.com

631

632

Chapter 13 • Backup and Disaster Recovery

the screen shown in Figure 13.12 when the backup is complete, showing a summary of the time elapsed and the amount of information processed. Click Report to see a more detailed account of the backup job, similar to this one: Backup description: "Set created 2/28/2003 at 12:03 PM" Backup Type: Normal Backup started on 2/28/2003 at 12:03 PM. Backup completed on 2/28/2003 at 12:03 PM. Directories: 8 Files: 8 Bytes: 10,860 Time:

5 seconds

---------------------Backup Status Operation: Backup Active backup destination: DLT Media name: "Media created 2/28/2003 at 12:01 PM" Backup of "C: " Backup set #2 on media #1 Backup description: "Set created 2/28/2003 at 12:08 PM" Backup Type: Normal Backup started on 2/28/2003 at 12:08 PM. Backup completed on 2/28/2003 at 12:08 PM. Directories: 8 Files: 8 Bytes: 10,860 Time:

6 seconds

Figure 13.12 A Completed Backup

www.syngress.com

Backup and Disaster Recovery • Chapter 13

Restoring Dedicated NAVCE 7.6 Servers In this section, we’ll cover the steps necessary to recover from a worst-case scenario—that is, the total loss of a dedicated NAVCE server. Just like the previous section, we’ll assume that the server is running Windows 2000, and is using the native NTBackup utility for data protection. (You’ll remember that, in order to protect a NAVCE server, you need to include the following directories in your backup plan: the Windows 2000 directory, typically C:\WINNT or C:\WINDOWS, the C:\Program Files directory, especially the ~\Program Files\ NAV, ~\Program Files\Symantec and ~\Program Files\AMS Server directories, and the System State or Registry information.)

WARNING You cannot restore files from the command line using the ntbackup command, only the GUI interface.

First and foremost, what is the state of the hardware on which the NAVCE server resided before our supposed catastrophic failure? (Your path in restoring the server will depend greatly on your hardware, as you should only restore System State information to identically configured hardware.) When the physical server is ready for use, install the server operating system according to the vendor’s instructions and the dictates of your corporate environment. At this point, you’ll begin the restore process by launching NTBackup, typically via Start | Programs | Accessories | System Tools | Backup. Click Restore Wizard to begin with the screen shown in Figure 13.13. Select the files and directories you need to restore, and click Next to continue. On the next screen, you can simply click Finish to begin the restore process using the following default parameters: the selected files will be restored to their original locations, and any existing files will not be over-written by the contents of the backup tape. If you need to alter either of these settings, click Advanced. The first screen you’ll come to is shown in Figure 13.14. From here, you’ll specify one of the following three locations to restore your files to: ■

Original location This will restore all information to its original location in the directory structure. I would recommend against using this option unless you are absolutely certain that the restored information www.syngress.com

633

634

Chapter 13 • Backup and Disaster Recovery

will function properly without any modification, a difficult assumption to make when restoring from software corruption or a virus outbreak. ■

Alternate location This creates the directory structure of your restored information beginning from the location you specify: c:\restore\Program Files\NAV instead of c:\Program Files\NAV, for example.This will allow you to confirm the viability of your restored data, at which point you can copy it back to its proper location. If you select this option, you’ll be prompted to select the starting point for the restore using the standard Windows Explorer “Browse” function.



Single folder This option will restore all files into a single directory, without creating any associated directory structure. Like the previous selection, you’ll use the “Browse” function to choose the folder to restore into.

Figure 13.13 Beginning the Restore Process

Figure 13.14 Selecting a Restore Location

www.syngress.com

Backup and Disaster Recovery • Chapter 13

When you are satisfied with your selection, click Next to continue.You’ll move to the screen shown in Figure 13.15.These selections are fairly selfexplanatory: if you are restoring files to their original locations, this will allow you to decide what to do when the backup process attempts to overwrite an existing file: leave the existing file in place, replace it if the backup file is newer, or to replace all existing files with the contents of the backup tape. Figure 13.15 Choosing How to Handle Existing Files

WARNING You will not have the same option that you have in other Windows functions, namely, to decide on an individual file basis whether to overwrite or not. Your selection on this screen will apply to all files copied during the restore process.

Click Next to move to the final screen in the restore process.You’ll have the option to specify the configuration choices shown in Figure 13.16, the most common of which is to restore the NTFS security associated with the files being restored.

www.syngress.com

635

636

Chapter 13 • Backup and Disaster Recovery

Figure 13.16 Advanced Restore Options

Click Next and then Finish to begin the restore. Just like the backup process, you’ll see a notification screen when the restore is completed, with a log file similar to the one shown here. (If you’ve restored the System State, you’ll be prompted to reboot the NAVCE server when the restore is completed.) ---------------------Restore Status Operation: Restore

Backup of "G: \\sfs-admin\docs" Backup set #1 on media #1 Backup description: "Set created 2/28/2003 at 12:09 PM"

Restore started on 2/28/2003 at 12:13 PM. Restore completed on 2/28/2003 at 12:13 PM. Directories: 8 Files: 8 Bytes: 10,860 Time:

2 seconds

----------------------

www.syngress.com

Backup and Disaster Recovery • Chapter 13

Summary Without a strong disaster recovery plan, any network installation is living on uncertain ground.The topics covered in this chapter included a discussion of the finer points involved in creating a disaster recovery plan, as well as the particulars of selecting backup hardware and software.The most critical step, of course, is in determining a plan of action before any sort of disaster strikes.This means developing a call-down list of essential personnel, a prioritized schedule of which services need to be restored in what order, and a breakdown of each team member’s individual tasks and responsibilities. It’s important not to assume that all of your personnel will necessarily be available when a network outage occurs: you can’t exactly expect your servers to have the courtesy not to fail while the head of your DR project is on vacation, after all. Have a backup plan even to your backup plan! You’ll want to develop a plan for all of your network services, even those that you may not think are specific to the IT department. For example, do you rely on external DNS or SMTP servers? If so, make sure that you understand what your service level agreement with your ISP entails. It might even be advisable to contract with a second ISP to provide backups to these services. What about your company’s telephone and PBX services? Voicemail, even if it is an announceonly—“We are experiencing a service outage.”—message, can prove crucial to keeping your employees and customers informed during the recovery process. And while we’re on the subject… don’t forget to keep your users informed before and during any sort of disaster. Will your employees work from home while you fix the servers? Do staff members have any specific disaster recovery–related responsibilities that they’ll need to attend to during a service outage? Does anyone in your company who isn’t a server administrator or help desk operator know any of this? In creating a disaster recovery plan for your network, it’s also important not to limit your planning to a “best-case scenario.” How well is your e-mail or web server going to function if, rather than having your usual T-1 for connectivity, you are limited to a 128-Kbps ISDN backup circuit? If this requires any configuration changes—IE, configuring Microsoft Exchange to use a dial-up connection to retrieve e-mail—make sure that all the necessary steps have been tested and documented. As a final note, always be sure to maintain an offsite copy, not only of your network’s data, but also of your disaster recovery documentation itself.This way you can avoid the embarrassing egg-on-one’s-face scenario that would follow the www.syngress.com

637

638

Chapter 13 • Backup and Disaster Recovery

question: “But how do we get to disaster recovery documentation that’s stored on a server that isn’t accessible?” Whether you choose to store your backup information in a formal offsite storage facility or in a fire-safe in your junior administrator’s garage, create a plan for moving your backup media and documentation to an alternate location, and keep the offsite copy updated as changes occur.

Solutions Fast Track Basic Principles of Backup and Disaster Recovery ; Create a schedule of backups, tape rotation, and media retention that

will balance protection with usability, while meeting any corporate or legal compliance guidelines for your organization.

; Select hardware that will meet all of your data storage needs, and

software that will provide sufficient security and backup coverage for any specialized applications such as e-mail and database servers.

; Remember in any emergency, the most critical aspect of any disaster

recovery plan is the safety of your employees and personnel.

Designing a Disaster Recovery Plan ; Inventory all network applications and services throughout your

organization, including those that are provided by external vendors as well as ones that are maintained internally.

; Involve all of your departments in determining which data is the most

critical, and what the maximum allowable downtime is for each application and service.

; Make sure to factor in the amount of capital and labor that will be

necessary to restore each of the network services so that you can create the most efficient recovery plan.

; Ensure that NAVCE protection is brought back online as a first priority

so that your clients and servers will not become virus-infected while you’re attempting to perform other aspects of disaster recovery planning.

www.syngress.com

Backup and Disaster Recovery • Chapter 13

Implementing a Backup Strategy ; Where are you going to back up your data? Select backup hardware and

tape media that will handle all of your current data storage needs, while keeping an eye towards future expandability.

; How are your backups going to run? Make sure that your backup

software selection provides the necessary functionality, security, and interoperability with NAVCE so that you aren’t sacrificing antivirus protection during your backup window.

; When will your data be backed up? Create a backup schedule that will

balance your data’s protection with necessary user availability.

Defining Support and Service Levels for Your Organization ; Service level agreements serve to formalize support agreements between

the IT department and the users they support, or between your company and an external service provider.

; Create a measurable baseline to determine the level of availability that

users can reasonably expect from a given service or application—if an application needs to be taken offline during backups, make sure that the users of that application are aware of the times it will be unavailable.

; Develop a detailed coverage schedule so that your users know whom to

contact in the event of an outage.

Backing Up Dedicated NAVCE 7.6 Servers ; If you cannot back up the entire contents of a dedicated NAVCE server,

include at minimum the and Program Files directories, along with the System State and Registry data.

; Perform a full backup of your data at least once per week, and nightly

full, incremental or differential backups as time and media constraints indicate.

www.syngress.com

639

640

Chapter 13 • Backup and Disaster Recovery

; You can propagate a backup job to multiple servers by combining the

NTBackup command-line syntax with the Windows Task Scheduling functionality.

Restoring Dedicated NAVCE 7.6 Servers ; Perform frequent test restores to confirm the viability of your backups.

; Only restore system state and Registry data to the same machine or one

with an identical hardware configuration.

; If disk space permits, restore your data to an alternate location so you

can test its accuracy before returning the server to the production environment.

Frequently Asked Questions The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: I have a Windows XP Workstation with a built-in CD-RW drive. Can I back up my files to CD?

A: The version of NTBackup that comes with Windows XP cannot write files directly to a CD-R or CD-RW, despite the fact that these devices are supported natively by the operating system. However, you can use the following steps as a workaround: 1. Go to the Backup tab in the NTBackup GUI. 2. Select the files you want to back up to CD-RW. 3. Select File as your backup destination, and use the following file location: C:\Documents and Settings\\Local Settings\Application Data\Microsoft\CD Burning\Backup.bkf.

4. Open Windows Explorer. Right-click your CD-RW drive, and then select Write these files to CD to write the backup files to CD-RW.

www.syngress.com

Backup and Disaster Recovery • Chapter 13

Q: I’m using NTBackup at the command line to schedule my backup jobs, and some options are not performing the way that I think they should. Do I need to specify a setting for every command-line switch?

A: Certain command-line options will default to whatever settings you have already established through the graphical user interface (GUI) version of Backup unless you change them using a command-line option.The command-line switches that exhibit this behavior are: /V, /R, /L, /M, /RS, and /HC. For example, if you’ve turned on hardware compression in the Options dialog box in NTBackup, it will be used automatically by any command-line backups you create if you do not specify otherwise in the command line. If you specify /HC:off at the command line, this will set the Options dialog box GUI setting and ensure that hardware compression is not used.

Q: I’ve just restored my NAVCE server from a hardware failure. Part of this restore involved reinstalling the Windows server operating system.The server is no longer able to authenticate against the domain, even though there’s an existing computer account and I gave it the same NetBIOS and DNS name when I reinstalled it. What do I need to do to allow the server to log on to the domain again?

A: This behavior happens whenever you reinstall the operating system on a Windows PC. Even though you’ve given the restored PC the same name it used to have, it now has a different globally unique identifier (GUID), a hexadecimal identification number that the Windows security process assigns to every user and computer account.You’ll need to delete the existing computer account and re-create it so that the GUID information will be in sync.

Q: My NAVCE server suffered a hardware failure, and I brought up a completely different server to get everything running as quickly as possible. Can I still use my network backups, even though the hardware is different?

A: Restoring to different hardware is a slightly different process than restoring to the same machine. Most importantly, you won’t be able to restore the System state or Registry information as this data is hardware-specific.Your best course of action in this scenario will be to manually reinstall the server operating system and all server applications, including NAVCE, to allow the proper Registry entries to be created. Once you’ve done this, use your network backups to restore your data files, such as the grc.dat file used to configure your NAVCE clients. www.syngress.com

641

Appendix A

Norton AntiVirus 2003 and 2003 Professional Edition

Norton AntiVirus 2003 (NAV 2003) and Norton AntiVirus 2003 Professional Edition (NAV 2000 Professional Edition) represent Symantec’s latest offerings for home users. In this appendix, you will learn more about these offerings, including how to install, configure, troubleshoot, and (if necessary) uninstall them. First, let’s take a look at some of the features found in each of these applications.

Introducing NAV 2003 and NAV 2003 Professional Edition NAV 2003 is designed for home users and workstations in a smaller workplace.These clients cannot be managed centrally. While they may be useful in some enterprise environments, they may not provide all of the features you may need. A basic matrix of features and the products they are available in can be seen in Table A.1.

643

644

Appendix A • Norton AntiVirus 2003 and 2003 Professional Edition

Table A.1 Norton AntiVirus 2003 and 2003 Professional Feature Matrix Feature/NAV Version Professional Edition Password-protected options Instant messaging scanning Outgoing E-mail scanning Worm blocking Automatic removal of Trojans and worms Automatic update Two-user license Interactive versus Express Mode Enhanced logging Microsoft Office Support (For Windows 2000 Office or later) Windows Recycle Bin Protection Norton Recycle Bin

NAV 2003

NAV 2003

X X X X X

X X X X X

X X

X X X

X X

X X

X X

The primary difference between NAV 2003 and NAV 2003 Professional Edition is that you get a two-user license, which makes it more cost-effective in many situations. One of the chief problems with all Norton AntiVirus products has been weak logging. Now, you can export all entries as standard text files that you, or an automated application, can parse easily.You can access all log entries, which includes activities, virus lists, quarantined items, and an online virus encyclopedia by simply clicking the Reports hyperlink. Before we discuss all of the features found in NAV 2003, let’s take a look at the system requirements.

System Requirements Symantec has earned a reputation for creating relatively stable antivirus software, so it is likely that most users will simply install NAV 2003 and NAV 2003

www.syngress.com

Norton AntiVirus 2003 and 2003 Professional Edition • Appendix A

Professional Edition on their systems without thinking much about hardware and software requirements. Nevertheless, the system requirements are shown next.

NAV 2003 System Requirements To install NAV 2003 onto a system, your configuration should be similar to one of the following: ■

Windows XP Home Edition or Windows XP Professional A Pentium/AMD 300MHz processor or higher. At least 128MB of RAM. 256MB would be better, as antivirus applications are RAM-hungry, especially when conducting hard drive scans and scanning incoming and outgoing mail.



Windows 2000 Professional A Pentium/AMD processor with at least 64MB of RAM. 128MB would be better.



Windows Me A 150MHz processor with at least 32MB of RAM.



Windows 98 A 133MHz system with at least 32MB of RAM.

All installations require the following: ■

A DVD or CD-ROM drive.



Microsoft Internet Explorer 5.0 or later (5.5 is best).



At least 70MB of free hard disk space.

If you wish to enable e-mail scanning, you need a standard e-mail client, such as: ■

Microsoft Outlook



Microsoft Outlook Express



Netscape Messenger



Eudora

Generally, if the e-mail client uses Windows networking, it is supported.To utilize instant messenger protection, you must use the following clients: ■

Version 4.6 or later of MSN Messenger and Windows Messenger.



Yahoo! Instant Messenger version 5.0 or later.



AOL Instant Messenger version 4.7 or later.

www.syngress.com

645

646

Appendix A • Norton AntiVirus 2003 and 2003 Professional Edition

Earlier versions of the previous instant messaging clients are not officially supported. Furthermore, other instant messaging clients you may be using are not officially supported.

NAV 2003 Professional Edition System Requirements If you wish to use NAV 2003 Professional Edition, it is best if you install it on systems equipped as follows: ■

Windows XP Home Edition and Windows XP Professional A 300MHz or higher system with at least 128MB of RAM. If you plan on employing this system in a busy e-mail environment, use 256MB of RAM.



Windows 2000 Professional A 133MHz system with at least 64MB of RAM. Again, 128MB would be a much better choice.



Windows Me A 150MHz processor with at least 32MB of RAM.



Windows 98 A 133MHz processor with 32MB of RAM at a minimum.

The requirements for e-mail and instant messaging clients are the same as NAV 2003.

Installing NAV 2003 The following instructions apply to any version of Windows supported by NAV 2003. However, this particular installation was conducted on a Windows 2000 Professional system.

Preparing for the Installation Before you install NAV 2003, take the following preliminary steps: 1. Back up all important system and data files. Although NAV 2003 has a solid reputation for clean, easy installations, don’t take any chances. 2. Obtain the installation binary.The binary can be either NAV 2003’s Delivery Client, which is simply an application designed to obtain the actual NAV 2003 binary from Symantec’s Web/FTP site, or the fullfledged set of applications that come with the CD-ROM or from a full

www.syngress.com

Norton AntiVirus 2003 and 2003 Professional Edition • Appendix A

Internet download. If you have obtained only the Delivery Client application, you must have Internet access to complete your installation. Regardless of your installation method, make sure you obtain any and all files from trusted media. 3. Close down all applications and processes before you run the installation program. 4. NAV 2003, like almost any application, will modify the Registry. If you wish to be particularly careful, back up the Registry using the tools found in Windows (for example, select Start | All Programs | Accessories | System Tools | Backup in Windows XP Professional, and Start | Programs | Accessories | System Tools | Backup in Windows 2000 Professional). 5. Uninstall any and all existing antivirus software.You can do this by going to Start | Control Panel | Add or Remove Programs in Windows XP, or Start | Settings | Control Panel | Add/Remove programs in earlier Windows systems (such as Windows 2000 Professional or Windows Me). 6. It is imperative you conduct a virus scan before installing NAV 2003, otherwise the product will fail to install. If you use FAT32, boot your system using the CD-ROM to conduct a scan. If your system does not support booting from CD-ROM, read the following instructions. 7. If you have access to a network, go to http://security.symantec.com and conduct a scan of your system. Follow the instructions on this site to conduct a scan. If you find a virus, take steps to remove it before you install NAV 2003. If you do not have access to a network, move on to install the product from the CD-ROM, if it is available. 8. Make sure your system is configured to boot from the CD-ROM, not from the C:\ drive.You may have to enter CMOS to change your system’s configuration. If your CD-ROM is bootable, proceed with the installation. 9. If the CD-ROM is available, boot your system from the NAV 2003 CD-ROM. If your system does not support booting from CD-ROM, create emergency disks using the Emergency Disk program, which is available on the CD-ROM, or from Symantec at www.symantec.com/ techsupp/ebd.html.To create bootable floppies from the NAV 2003 CD-ROM, take the following steps: www.syngress.com

647

648

Appendix A • Norton AntiVirus 2003 and 2003 Professional Edition ■

Obtain at least four floppy disks. Bring some extras in case any disks fail.



Insert the NAV 2003 CD-ROM into your disk drive. When you see the NAV 2003 window appear, click Browse CD, and then doubleclick the Support folder.



Double-click the Edisk folder, and then double-click NED.exe, which is the disk creation program.



Click OK to begin the disk creation process. As you create disks, make sure you label them correctly and write-protect them so data cannot be damaged or altered.

NOTE You can also obtain the Emergency Disk program from www.symantec.com/techsupp/ebd.html.

10. Regardless of whether you are using floppies or a CD-ROM, restart the computer, and then boot up using Symantec’s applications. Once you have done so, conduct a scan of your hard drive to verify no viruses exist on your system. 11. Once you have made sure your system is clean of viruses, you are ready to install NAV 2003.

Beginning the Installation Once you’ve completed the preceding steps, do the following: 1. Double-click the actual installation binary.The Norton AntiVirus 2003 Setup initial dialog box will appear, as shown in Figure A.1. Figure A.1 The Norton AntiVirus 2003 Setup Dialog Box

www.syngress.com

Norton AntiVirus 2003 and 2003 Professional Edition • Appendix A

2. Click the Install button. 3. After a moment, the Norton AntiVirus 2003 Setup Installation Wizard initial window will appear, as shown in Figure A.2. Figure A.2 The Norton AntiVirus Setup Installation Wizard Initial Window

4. Click Next.The Licensing Agreement will appear, as shown in Figure A.3 Figure A.3 The Setup Licensing Window

5. Click the radio button next to the text that reads I accept the license agreement, and click Next. 6. The Destination Folder window will appear, as shown in Figure A.4.

www.syngress.com

649

650

Appendix A • Norton AntiVirus 2003 and 2003 Professional Edition

Figure A.4 The Destination Folder Window

7. If you wish, click the Browse button and take the necessary steps to enter an appropriate destination folder. Most people simply accept the default settings, which is what we will do in this particular example. Accept the default and click Next. 8. You will be informed that the setup program is ready to install the application, as shown in Figure A.5. Figure A.5 The Ready to Install the Application Screen

9. Click Next to install NAV 2003.You will see the setup application go through the necessary steps as it initializes the system, creates directories, installs the files and updates the Registry. When the installation is nearly complete, you will be allowed to view the Readme document, which www.syngress.com

Norton AntiVirus 2003 and 2003 Professional Edition • Appendix A

contains configuration tips and information about NAV 2003 that was learned too late for inclusion in the standard NAV 2003 help files. Scan through this file, and then click Next. 10. You will see the screen shown in Figure A.6, indicating that the actual NAV 2003 files have been installed. Figure A.6 The Finish Screen

You have now taken the initial steps to install NAV 2003. However, you are not finished.You will now need to register, as well as conduct an initial configuration of NAV 2003 and then scan your system. Once you click Finish, you will see the Norton AntiVirus Information Wizard screen, shown in Figure A.7. Figure A.7 The AntiVirus Information Wizard

www.syngress.com

651

652

Appendix A • Norton AntiVirus 2003 and 2003 Professional Edition

First-Time Use You are now ready to configure NAV 2003 for first-time use.To do this, register the product, configure LiveUpdate, then conduct an initial scan.Take the following steps to configure NAV 2003 for first-time use: 1. Once the Norton AntiVirus Information wizard appears, click Next. You will be asked to register. If necessary, select the appropriate country for your registration, and then click Next. 2. You will be asked if you wish Symantec to communicate with you.Take the appropriate steps to determine what information Symantec can send you. People rarely want such information, so you may wish to deselect all of the options. Click Next. 3. You will be asked to take a short survey. If you want to skip the survey, simply click Next. Otherwise, take the survey, which is composed of nine questions. After clicking Next, the screen shown in Figure A.8 appears. Figure A.8 The Registration Window

4. If you require custom settings (perhaps you need to select a modem or a proxy server), click the Settings dialog box and take the necessary steps to configure your system. 5. In this particular instance, the system is already configured (it is directly connected to a network with Internet access), so simply click Next. A screen appears indicating you have registered your system.

www.syngress.com

Norton AntiVirus 2003 and 2003 Professional Edition • Appendix A

6. Click Next.You will be asked if you wish to use Norton AntiVirus 2003’s Rapid Registration, or if you wish to use the standard step-bystep wizard. Select the step-by-step wizard, and then press Finish.The Subscription Service window appears, shown in Figure A.9. Figure A.9 The Subscription Service Window

7. Figure A.9 tells you how long you will have access to complementary virus definitions. By default, you will be given just over a year (396 days).You can, if you wish, purchase a renewal at that time. Click Next. The Post Install Tasks window appears, as shown in Figure A.10. Figure A.10 The Post Install Tasks Window

8. In this window, you will be able to determine exactly what NAV 2003 will do after it is installed.The options include: www.syngress.com

653

654

Appendix A • Norton AntiVirus 2003 and 2003 Professional Edition ■

Run LiveUpdate Allows NAV 2003 to receive new binaries and virus definition files via Symantec’s LiveUpdate feature.This is a valuable option, and should be selected unless you have a security policy and/or firewall that specifically forbids it.



Scan for viruses Informs NAV 2003 to conduct regular scans for viruses, and remain active in the taskbar.



Schedule weekly scans of local hard drives This option has the configuration program provide you with configuration screens that allow you to determine exactly when NAV 2003 will run.

9. Leave all three of the options selected, then click Next. NAV 2003 will then provide a summary of your configuration, as shown in Figure A.11. Figure A.11 The NAV 2003 Summary Window

10. Click Finish.The LiveUpdate screen appears, as shown in Figure A.12. This screen allows you to begin obtaining the list of updates. Figure A.12 The LiveUpdate Screen

www.syngress.com

Norton AntiVirus 2003 and 2003 Professional Edition • Appendix A

11. Click Next to obtain new virus definitions. After some time, a network connection will be made, and you will be presented with a screen informing you of the needed updates for your product. See Figure A.13. Figure A.13 The LiveUpdate Results Screen

12. Click Next to download and install them. 13. After a few moments, you will be informed that the LiveUpdate process is complete. Any changes made will be displayed in a screen similar to Figure A.14. Figure A.14 The NAV 2003 LiveUpdate Summary Screen

14. Click Finish. 15. Now that NAV 2003 contains the most recent updates, it will conduct a thorough scan of your system. Wait until this scan is finished. As you wait, a screen will appear like that shown in Figure A.15.

www.syngress.com

655

656

Appendix A • Norton AntiVirus 2003 and 2003 Professional Edition

Figure A.15 NAV 2003 Scan Progress

16. This scan may take some time, depending upon the size of your hard drive and the speed of your system’s CPU. When the scan is finished, you will see a screen similar to that shown in Figure A.16. Figure A.16 A Completed Scan Screen from NAV 2003

17. Click the Finished button, and a NAV 2003 System Status screen appears.This screen, shown in Figure A.17, calls all needed items to your attention. Figure A.17 The NAV 2003 System Status Screen

www.syngress.com

Norton AntiVirus 2003 and 2003 Professional Edition • Appendix A

18. If you have not conducted a full system scan, you will see a red “Not Completed” next to the Full System Scan hyperlink. When finished, close the main window. NAV 2003 will minimize to an icon in your taskbar. Anything marked in red requires your immediate attention. Close this window. NAV 2003 will still run, and will be available in the taskbar.You will be able to see the NAV 2003 icon. If you are using a default installation of Windows XP Professional, you may have to click a side arrow in order to see this icon. Once you have completed the preceding steps, you will have successfully installed NAV 2003.

Troubleshooting the Installation If you experience installation problems, do the following: 1. Find the MSI log file and prepare to send it in to Symantec. Do this by going to Start | Run, then entering the following command: %windir%\temp.This command will launch Windows Explorer, showing the Windows temporary directory.The % signs tell Windows to open the system root directory, which is often /WINNT, but can be any directory if you have made a custom installation. 2. Once you see this directory, search for the nav.log file. If you have not configured your system to show file extensions, you will only see a file (or an icon for a text file) called NAV. 3. Copy this file to your desktop and prepare to read its contents to Symantec supportover the phone, or to e-mail the file to them. Also, the Registry can be restored from the backup you (hopefully) created earlier.This way, you can then start from scratch.

Configuring NAV 2003 LiveUpdate First, let’s take a look at how to configure LiveUpdate. NAV 2003 supports Automatic LiveUpdate, which is where LiveUpdate runs if it senses that it is connected to the Internet. LiveUpdate is not activated by default when you install NAV 2003.To configure Automatic LiveUpdate, maximize NAV 2003 by double-clicking its icon in the taskbar, or by opening it from the Start menu (for

www.syngress.com

657

658

Appendix A • Norton AntiVirus 2003 and 2003 Professional Edition

example, Start | All Programs | Norton Antivirus | Norton AntiVirus 2003 in Windows XP Professional). Next, click the Options hyperlink in the NAV 2003 main window, then select LiveUpdate.You will see the menu shown in Figure A.18. Figure A.18 The LiveUpdate Window

This window allows you to configure certain features of LiveUpdate, including: ■

Automatic LiveUpdate



Automatically applying updates so you do not have to do it manually



Providing a warning icon in the taskbar in case updates are not run regularly

Simply place a check in the Enable automatic LiveUpdate (recommended) box, then click OK.You now have configured LiveUpdate to run automatically.

Interactive versus Express Mode It is important to note that as far as LiveUpdate is concerned, one important change is that it now has two modes: ■

Interactive Mode Interactive Mode requires that the user must be present to walk NAV 2003 or NAV 2003 Professional Edition through an update, confirming the upgrade.



Express ModeNAV 2003/2003 Professional Edition performs the LiveUpdate actions without user prompting.

www.syngress.com

Norton AntiVirus 2003 and 2003 Professional Edition • Appendix A

Interactive is selected by default.You can easily switch from Interactive to Express by clicking the LiveUpdate button, then clicking the Configure button. Notice that you do not click the Options hyperlink, as you did before. After marking the LiveUpdate button, select the Express Mode radio button. Next, choose one of the following options: ■

I want to click Start to run LiveUpdate Requires LiveUpdate to wait for your interaction.



I want LiveUpdate to start automatically Allows NAV 2003 to start without any user interaction.

Figure A.19 shows a system configured to have LiveUpdate start automatically in Express Mode. Figure A.19 Configuring LiveUpdate to Use Express Mode

Configuring Auto-Protect One of the strengths of any Symantec antivirus product is its auto-protect features. NAV 2003 has all of these features, as shown in Figure A.20.

www.syngress.com

659

660

Appendix A • Norton AntiVirus 2003 and 2003 Professional Edition

Figure A.20 The NAV 2003 Auto-Protect Screen

From here, you can configure the standard auto-protect features.You can also use SmartScan, which allows you to search only for selected files.

Configuring SmartScan Once you select the Scan files using SmartScan button, you can then determine file extensions that will be scanned. Figure A.21 shows the Program File Extensions window. Figure A.21 The Program File Extensions Window

You can also add new extensions by clicking the New button and entering the appropriate values.

www.syngress.com

Norton AntiVirus 2003 and 2003 Professional Edition • Appendix A

Configuring Bloodhound Like almost any other antivirus product, NAV 2003 relies upon two things: ■

The detection engine The set of binaries and libraries that scan the system’s drives and memory for problems



The definition updates The list of viruses the detection engine will search for

If you do not keep both of the preceding items current, you will not have optimal protection. Most antivirus products do a fairly good job of keeping the detection engine and virus definitions updated. However, you should not depend solely on these two items. NAV 2003 has a feature called “Bloodhound,” which checks the hard drive for suspicious activity. Bloodhound, therefore, supplements virus definitions by conducting repeated checks on disk writes, as well as system memory. If it discovers suspicious activity, it will generate a warning. By default, Bloodhound is set to the default level. Set it only to a lower level if you have a good reason (for example, you are using a custom application). Setting Bloodhound to a higher level may cause it to report false positives, which is where it mistakes legitimate activity for an attack.The highest level of protection is useful when you are trying to track down an unknown problem.To configure Bloodhound, simply click the Bloodhound icon beneath the Auto-Protect icon.You can then select the options shown in Figure A.22. Figure A.22 Configuring the Bloodhound Auto-Protect Feature

www.syngress.com

661

662

Appendix A • Norton AntiVirus 2003 and 2003 Professional Edition

The Auto-Protect Advanced Window As far as Advanced features are concerned, you can configure NAV 2003 to skip scanning removable media and floppies.The Exclusions window, shown earlier in Figure A.22, allows you to exclude any item on the hard drive.These can include: ■

Files Simply enter the extension of a file, and it will not be scanned during the next NAV 2003 round.



File extensions You can enter the * command, followed by an actual file extension. For example, *.txt would skip all files that end in .txt.



Directories You can enter the path of an entire directory to exclude it.

The Auto-Protect Exclusions List Window The Auto-Protect Exclusions List window is shown in Figure A.23. Figure A.23 The Auto-Protect Exclusions List Window

Configuring Script Blocking The Auto-Protect script-blocking feature allows you to protect your system from scripts (for example, JavaScript and VBScript) that can be executed. Simply enable or disable the feature. If the feature is enabled, you can then configure NAV 2003 to either prompt you for further instructions, or simply suppress all suspicious activities, as shown in Figure A.24.

www.syngress.com

Norton AntiVirus 2003 and 2003 Professional Edition • Appendix A

Figure A.24 The Auto-Protect Script Blocking Window

Configuring Manual Scan Options You can also set manual scanning options. When scanning manually, you have the choice of searching various boot records, including the Master Boot Record (MBR) for problems. In addition, you can determine what NAV 2003 will do when it finds a virus, as well as what types of files to search for. See Figure A.25. Figure A.25 Manual Scan Options

By default, all files are scanned, which is called “comprehensive file scanning.” You can also use SmartScan if you like (discussed previously). Either way, you should now have access to the Bloodhound and Exclusions options, in regards to manual scans. Keep in mind, though, that many antivirus applications have had problems scanning compressed files (such as those compressed using NTFS). NAV 2003 is configured, by default, to scan compressed volumes. However, if

www.syngress.com

663

664

Appendix A • Norton AntiVirus 2003 and 2003 Professional Edition

you want to disable this feature (say, for drives that are not often used), you may do so using this window.

Configuring E-mail Protection The Internet section is broken up into E-mail, Instant Messenger, and LiveUpdate. We have already discussed LiveUpdate, so let’s focus on the E-mail window, as shown in Figure A.26. Figure A.26 The E-mail Window

The e-mail window allows you to determine if you wish to scan both incoming and outgoing e-mail (for example, POP3 and SMTP, respectively). Scanning incoming and outgoing e-mail can be especially hard on a system with low RAM, so if you experience a serious reduction in speed, consider disabling the feature.You may, however, want to skip to the troubleshooting section that follows to learn more about how you may be able to solve slow speeds. NAV 2003 gives you various options if it finds a virus.The E-mail scanning window also allows you to have NAV 2003 stop worms from attacking your system. Again, you may want to disable this feature if your system’s performance is reduced. Still, it would be best if you obtained more RAM, especially in today’s computing environment. The Advanced button beneath the E-mail window allows you to configure the following: ■

Protect against timeouts Scanning a particularly large e-mail (for example, 5 or more MB) can cause the message to be sent very slowly, especially if your system does not have much RAM. Many SMTP

www.syngress.com

Norton AntiVirus 2003 and 2003 Professional Edition • Appendix A

servers will not tolerate slow communication and will send a timeout message. NAV 2003 has a feature that communicates with the SMTP server to try and get it to keep the connection alive. ■

Display the tray icon As you might suspect, this allows you to see the NAV 2003 icon in the Windows taskbar.You may want to disable this feature on systems to dissuade users from tampering with the program. Still, this feature only enables security through obscurity. In the following section, you will see how it is possible to password-protect NAV 2003.



Display progress indicator when sending e-mail Allows you to see exactly when an e-mail is finished being sent.

All of the preceding features are enabled by default.

Protecting Instant Messenger Traffic Instant messenger applications have become increasingly popular.These clients enable real-time connections and allow quick file transfers. Many companies do not explicitly block instant messaging clients, because most of the clients use TCP and/or UDP ports above 1024, and most firewalls do not block these ports.The NAV 2003 Instant Messenger window, shown in Figure A.27, allows you to protect your system from viruses that can be uploaded and downloaded by these clients. Figure A.27 The Instant Messenger Window in NAV 2003

As you can see from the previous image, all supported clients (for example, AOL Instant Messenger 4.7 or later) can be protected.You can have NAV 2003

www.syngress.com

665

666

Appendix A • Norton AntiVirus 2003 and 2003 Professional Edition

automatically repair the file, ask you what to do with the file, or use the quarantine feature if a repair is unsuccessful. Finally, if you are using the supported MSN client, NAV 2003 can even notify someone who has sent an infected file.

Configuring The Miscellaneous Section The Miscellaneous section, shown in Figure A.28, allows you to enable the following: ■

Quarantine backup behavior The quarantine option may destroy or damage an important file while attempting to isolate it. For example, it might end up ruining a Word document you have been working on all week, or actually destroying a key system library file. NAV has been written to create a backup file by default. However, if disk space is limited, you may wish to disable this feature. Still, it would be best to leave this setting activated and obtain a larger hard drive; the last thing you want to do is have Quarantine’s behavior cause you to lose data or render a system unusable.



Enable Office Plug-in Allows NAV 2003 to protect Microsoft office against Macro viruses and other attacks.



What to do when virus protection is out of date Enables NAV 2003 to warn you by changing the program’s icon in the taskbar. By default, this value is selected. It is advisable to leave this setting activated.



How to control access to option settings NAV 2003 allows you to password-protect all options so that only those who have the password can configure NAV 2003.

Figure A.28 The Miscellaneous Section in NAV 2003

www.syngress.com

Norton AntiVirus 2003 and 2003 Professional Edition • Appendix A

Password Protection for NAV 2003 One of the features sadly lacking in almost all virus protection software is the ability to control access to its inner workings. NAV 2003 has solved this problem. To activate passwords, take the following steps: 1. Maximize NAV 2003, then click the Options button to bring up the Options window. 2. Click the Miscellaneous hyperlink.You will see the Miscellaneous screen, shown previously in Figure A.28. Place a check next to the Enable password protection for options checkbox. Immediately, a dialog box will appear, as shown in Figure A.29. Figure A.29 The Options Password Dialog Box

3. Enter and confirm the password. Now, all users will be prompted for the password you have created whenever they wish to change options for this system.

Viewing Log Files As mentioned earlier, checking logs has become much easier in NAV 2003. If you click the View Report button, you will see the Log Viewer application. Figure A.30 shows a simple log entry in NAV 2003. Figure A.30 Viewing Logs in NAV 2003

www.syngress.com

667

668

Appendix A • Norton AntiVirus 2003 and 2003 Professional Edition

Notice the three categories: ■

Virus Alerts Indicates when NAV 2003 finds a virus.



Application Activity Indicates when scans have started and finished.



Errors Indicates when problems have occurred during execution of a command.

You can export log files by right-clicking a category, then selecting the Export Category As option.You can then save this file to a text file.

Saving Your Changes:The Options File The Norton AntiVirus application is simply a GUI that makes changing text files and the Windows Registry more convenient. Whenever you make a change to NAV 2003, you will be asked if you really wish to change the options file. Indicate yes or no, depending upon your preference.You will not have to restart NAV 2003 after making these changes; NAV 2003 will read the altered configuration file immediately. Now that you know a bit more about how to configure NAV 2003, let’s take a look at some common troubleshooting issues.

Troubleshooting NAV 2003 The following are some key issues to consider when troubleshooting problems with NAV 2003: ■

Sometimes, Windows 98 and XP systems will hang when creating a new e-mail, or if an infected document is found.To avoid these problems, use Windows Update and upgrade to DCOM 1.3 or later.



In some cases, Auto-protect will corrupt the video display temporarily when an Auto-protect message appears.The primary solution for this problem is to contact the vendor for the video card and obtain the most recent driver.



For modem users, if you configure NAV 2003 to scan outgoing e-mail, the scanning process may take so long that Outlook Express will disconnect the modem before the message is actually sent.To correct this problem, simply disable the setting in, say, Outlook Express or Outlook that automatically disconnects the modem.This inconvenience is a small price to pay for protecting your system from viruses.

www.syngress.com

Norton AntiVirus 2003 and 2003 Professional Edition • Appendix A ■

Windows systems often use Dynamic Volumes, which are sections of hard drives gathered together into one logical volume. Examples of logical volumes include those created in RAID 5. If used on a dynamic volume, NAV 2003 can present an error message that reads “Unable to read boot record on drive.”This error message appears quite grave, but is simply informing you that the dynamic volume is not bootable. NAV 2003 will still scan the drive and find any problems.



If you are using PGP to encrypt your hard disk, remember that this procedure encrypts the master boot record (MBR). As a result, NAV 2003 cannot scan it for viruses. If you receive an error message to this effect, consider disabling scanning of the MBR in the Options section discussed previously. Also, PGP’s primary use is to digitally sign e-mails. Digital signatures help ensure that no illicit (or unknown) changes have been made to the e-mail. However, if an e-mail is infected, and NAV 2003 receives it, NAV 2003 will modify the actual e-mail in an attempt to repair the infection. As a result, PGP will inform you through your email client that the message has been changed and is potentially not valid.This message is not a bug in either PGP, your e-mail client (for example, Microsoft Outlook/Outlook Express), or NAV 2003. It is simply a message informing you that the e-mail has been changed.To ensure that this document is secure, have the person who sent you the original e-mail send an uninfected copy.

Now that you understand some of the common troubleshooting issues, let’s take a look at how to uninstall NAV 2003.

Uninstalling NAV 2003 When uninstalling NAV 2003, take the following steps: 1. Go to Start | Control Panel | Add or Remove Programs (Add/Remove Programs in Windows versions earlier than Windows XP Professional or Home Edition), then select the Norton AntiVirus icon. 2. You can then remove the application by taking the following actions, depending upon the operating system you are using:

www.syngress.com

669

670

Appendix A • Norton AntiVirus 2003 and 2003 Professional Edition ■

Windows 98 (all versions) and Me Click the Remove button next to the Norton AntiVirus icon. Restart the system to make sure all changes have taken effect.

Windows 2000 and XP (Professional and Home Edition) Click the Change button.Then, select the Remove option. In Windows 2000, you will not be able to click the Remove option until you click Change. Afterward, restart the system to make sure all changes have taken effect. Now, let’s take a look at installing, configuring, and troubleshooting NAV 2003 Professional Edition. ■

Installing NAV 2003 Professional Edition When installing NAV 2003 Professional Edition, follow the preliminary steps discussed earlier in the section “Installing NAV 2003,” then do the following: 1. Double-click the actual installation binary. If you are using the Delivery Client, click the Launch icon, then download the necessary files. 2. Once you have downloaded the files, double-click the installation binary.You will see the Welcome screen shown in Figure A.31. Figure A.31 The NAV 2003 Professional Edition Welcome Screen

3. Click Next. 4. On the Software Licensing Agreement window that appears, select the I accept the license agreement radio button, then click Next. 5. The next window allows you to select a destination folder. Most people accept the default, so click Next. www.syngress.com

Norton AntiVirus 2003 and 2003 Professional Edition • Appendix A

6. You will be informed that the installation wizard is now ready to install the product. Click Next. 7. At this time, the wizard will initialize the system, create directories, alter the Registry and install all of the necessary binary and text files for NAV 2003 Professional Edition. When the wizard is finished, you will be shown a simple text file with the latest information on the product. Review the information, then click Next. 8. Click Finish.The NAV 2003 Professional Edition welcome screen will now appear, as shown in Figure A.32. Figure A.32 The NAV 2003 Professional Edition Welcome Screen

9. Click Next.You will now be directed to register the product. First, enter the name of the country you reside in, if it’s not already selected.Then, click Next. 10. You will then be asked if you wish to receive any information from Symantec. Select only those options you want (most prefer to receive no information), then click Next. 11. Enter information about you and your company and click Next. 12. Enter your company’s address, and then click Next. 13. You will be asked if you want to participate in a survey. While you can choose to participate in the survey, you can also simply click Next to continue the installation. 14. Click Next to retrieve your registration. If you are connected to the Internet, your registration will be returned quickly. Click Next again.

www.syngress.com

671

672

Appendix A • Norton AntiVirus 2003 and 2003 Professional Edition

15. At this time, you will be given a chance to choose either Rapid Registration, or the Step-by-step wizard. Choose the Step-by-step wizard, and then click Finish.The rapid registration window allows you to immediately retrieve and install a registration number. However, in these steps, we will do the registration manually so that you learn more about what goes on “beneath the hood” of NAV 2003 Professional. 16. The Subscription Service window will appear, as shown in Figure A.33. Figure A.33 The Subscription Service Window

17. The Subscription Service window describes the length of the service you have registered for. Generally, the subscription will last for just over a year (for example, 381 days).You then have the option of renewing. Once you have reviewed your information, click Next to begin the post-install tasks.

Post-Install Tasks The following are the post-install tasks you will have to complete for NAV 2003 Professional Edition. 1. After clicking Next, the Post Install Tasks screen appears (shown in Figure A.34). 2. As with NAV 2003 Home Edition, you have the following options:

www.syngress.com

Norton AntiVirus 2003 and 2003 Professional Edition • Appendix A

Figure A.34 The NAV 2003 Professional Post-Install Screen



Run LiveUpdate Allows NAV 2003 to receive new binaries and virus definition files via Symantec’s LiveUpdate feature.This is a valuable option, and should be selected, unless you have a security policy and/or firewall that specifically forbids it.



Scan for viruses Instructs NAV 2003 to conduct regular scans for viruses, and remain active in the taskbar.



Schedule weekly scans of local hard drives Has the configuration program provide you with configuration screens that allow you to determine exactly when NAV 2003 will run.

3. Leave all of the settings at their default (unless you have a compelling reason to choose otherwise), then click Next. 4. You will see a summary of the choices you have made, similar to that shown in Figure A.35. Figure A.35 The NAV 2003 Professional Edition Summary Page

www.syngress.com

673

674

Appendix A • Norton AntiVirus 2003 and 2003 Professional Edition

5. Click Finish.The LiveUpdate screen will appear, as shown in Figure A.36. Figure A.36 The LiveUpdate Window

6. When the LiveUpdate window appears (see Figure A.36) click the Configure button. At this point, you can configure LiveUpdate for either Interactive Mode or Express Mode. Interactive Mode is standard, and requires you or another party to confirm steps taken by LiveUpdate. However, in Express Mode, NAV 2003 Professional will simply automate all of the tasks. For the purposes of this lab, leave the setting on Interactive Mode.You can always change this setting later. If you click the FTP, HTTP, and ISP tabs, you will see that you can configure proxy servers and dial-up or LAN connections. Do so at this time, depending upon the needs of your system. When you are finished, click OK, then click Next. 7. NAV 2003 Professional Edition will then download all necessary updates. You will see a message informing you of all the products and components that need to be downloaded and installed, as shown in Figure A.37. Figure A.37 The LiveUpdate Products and Components Window

www.syngress.com

Norton AntiVirus 2003 and 2003 Professional Edition • Appendix A

8. Click Next. 9. When LiveUpdate finishes, NAV 2003 Professional Edition will inform you about the elements that have been installed. Figure A.38 shows a typical LiveUpdate screen. Review these elements, then click Finish. Figure A.38 The LiveUpdate Confirmation Screen

NOTE You may have to expand some of the icons to view the details concerning installation.

10. Click Finish. 11. You now need to reboot your system. Click OK to reboot immediately. If you wish, select the alternative radio button to keep working without rebooting. However, NAV 2003 Professional Edition will not be properly configured until the next reboot. You are now ready to configure additional elements of NAV 2003 Professional Edition.

Configuring NAV 2003 Professional Edition You will find that configuring NAV 2003 Professional Edition is very similar to NAV 2003 Home Edition. Refer to the instructions given earlier for more information about conducting various tasks. Differences exist, however, especially because NAV 2003 Professional Edition provides an enhanced Recycle Bin. Before we discuss the Recycle Bin, you will want to complete your first

www.syngress.com

675

676

Appendix A • Norton AntiVirus 2003 and 2003 Professional Edition

full-system scan, enable Automatic LiveUpdate, and further configure LiveUpdate to use Express Mode.

Conducting a Full Scan The following steps illustrate how to conduct a full scan. 1. As soon as your system reboots, log back on.You will see that NAV 2003 Professional Edition will automatically run. If this does not happen, go to the taskbar and double-click the NAV 2003 Professional Edition icon. Alternatively, in Windows XP go to Start | All Programs | Norton AntiVirus | Norton AntiVirus 2003 Professional Edition to open the program. As soon as NAV 2003 Professional Edition opens, you will see its main window. It will inform you about any necessary tasks that have not been completed(Figure A.39). Figure A.39 The NAV 2003 Professional Edition Main Window

2. First, click the Full System Scan hyperlink.Then, click the Scan Now button at the lower right-hand corner of the window to begin a scan. This initial scan is important, because it confirms that NAV 2003 Professional Edition has been installed properly, and it also helps ensure that this system does not have any viruses.

NOTE The initial full scan will take some time.

www.syngress.com

Norton AntiVirus 2003 and 2003 Professional Edition • Appendix A

3. When you are finished with the scan, you can then view the results, as shown in Figure A.40. Figure A.40 A Scan Summary from NAV 2003 Professional Edition

4. Dismiss this message, and you will be returned to the main NAV 2003 Professional Edition window.You will see that the Full System Scan link no longer has a red “Not completed” message next to it. Notice, however, that the Automatic LiveUpdate feature is not activated by default, as shown in Figure A.41. Figure A.41 The NAV 2003 Professional Edition Main Window Showing Required Attention to LiveUpdate

5. To configure Automatic LiveUpdate, click the Options hyperlink.Then, select the LiveUpdate hyperlink.The Automatic LiveUpdate window will appear. Select the check box next to Enable automatic LiveUpdate (recommended), as shown in Figure A.42.

www.syngress.com

677

678

Appendix A • Norton AntiVirus 2003 and 2003 Professional Edition

Figure A.42 The Automatic LiveUpdate Window

6. Click OK.You will be returned to the NAV 2003 Professional Edition main window, where you will see that Automatic LiveUpdate is now in active mode. 7. To configure LiveUpdate in Express Mode, click the LiveUpdate hyperlink at the top left-hand portion of the main window. Once the LiveUpdate window appears, click the Configure button. 8. The LiveUpdate Configuration window is displayed. Notice that it currently is set for Interactive Mode. Click the Express Mode radio button.Two radio buttons will appear. Select the one next to the text that reads I want LiveUpdate to start automatically, as shown in Figure A.43. Figure A.43 Choosing Express Mode in NAV 2003 Professional Edition

www.syngress.com

Norton AntiVirus 2003 and 2003 Professional Edition • Appendix A

9. Click OK, then Next, then Next again. After NAV 2003 Professional Edition finishes processing its reconfiguration, click Finish. 10. You will receive a message informing you that you will have to reboot your system. Click OK to do so. If, for some reason, you do not wish to reboot, first click the Continue working with Windows radio button, then click OK.The changes you have made to NAV 2003 Professional Edition will not activate, however, until you reboot. So, it is always best to reboot your system as soon as possible. 11. Once you have rebooted, NAV 2003 Professional Edition will run automatically, but in minimized form. Double-click the NAV 2003 Professional Edition icon in the task bar. Once you do this, you can then proceed to further configure this program to your tastes.

Configuring the Norton Protected Recycle Bin As you know, one of the major differences between NAV 2003 Professional Edition and NAV 2003 Home Edition is that NAV 2003 Professional Edition modifies your recycle bin to provide more robust protection for deleted files.You will see a new icon on your desktop called Norton Protected Recycle Bin. You can configure the Norton Protected Recycle Bin to provide access to your standard Windows Recycle Bin, if you wish. However, NAV 2003 Professional Edition’s Protected Recycle Bin is quite useful because it even protects files that have been deleted using the command prompt.You can configure the settings for both the NAV 2003 Professional Edition Recycle Bin and the standard Windows Recycle Bin in the Advanced Tools section, shown in Figure A.44. Figure A.44 The NAV 2003 Professional Edition Advanced Tools Section

www.syngress.com

679

680

Appendix A • Norton AntiVirus 2003 and 2003 Professional Edition

From this window, you can customize how both of your recycle bins will protect files. 1. Find the Recycle Bin Properties section in Advanced Tools.Then, click one of the Modify buttons. If you change the properties of one icon, the properties of the next will also change, so it does not matter which one you choose. 2. Once you click the Modify button, you will see the Norton Protected Recycle Bin Properties window, shown in Figure A.45. Figure A.45 The Norton Protected Recycle Bin Properties Window

3. From the window shown in Figure A.45, you can configure how the Norton Recycle Bin reacts to a double-click. By default, the Recycle Bin will show all protected files. However, you can configure it to bring up a wizard, which may help less experienced users obtain their files. If you wish to simply use the standard Windows Recycle Bin, you may select that radio button. 4. You can also change the title that appears on the recycle bin, if you wish. Now, click the Norton Protection tab. 5. The Norton Protection tab, shown in Figure A.46, helps you determine exactly how files will be protected.

www.syngress.com

Norton AntiVirus 2003 and 2003 Professional Edition • Appendix A

Figure A.46 The Norton Protection Tab in NAV 2003 Professional Edition

6. From this window, you can: ■

Change the drive used.



Enable or disable protection.



Configure the Recycle Bin to purge files after a certain period of time (the default is seven days). You can also:



Create exclusions so that certain files will never be placed into the Recycle Bin.



Manually purge all files.



Determine the amount of the drive space that the Recycle Bin will occupy.

All of the other configurations you can make with Norton AntiVirus are identical to those discussed earlier with Norton 2003.

Troubleshooting NAV 2003 Professional Edition As far as troubleshooting NAV 2003 Professional Edition is concerned, the steps are very similar to that in NAV 2003 Home Edition. However, focus on the following issues.

www.syngress.com

681

682

Appendix A • Norton AntiVirus 2003 and 2003 Professional Edition

Troubleshooting the Installation Before installing, you should always: ■

Make sure you back up the Registry.



Verify that no viruses exist on the system prior to installing NAV 2003 Professional Edition. If a virus is present, the program will not install.



Determine if you are using NTFS or FAT32 as your file system. If you are using NTFS, then it is possible your account does not have sufficient permissions to install NAV 2003 Professional Edition.

Troubleshooting the Configuration When configuring NAV 2003 Professional Edition, consider the following issues: ■

The NAV 2003 Professional Edition GUI is simply a front end for programs that change text-based configuration files and the Windows Registry. Whenever you make a change, make sure that you commit all changes, or else your configuration will not be applied.



You do not need to restart NAV 2003 Professional Edition after making most changes.

Uninstalling NAV 2003 Professional Edition Uninstalling NAV 2003 Professional Edition requires the same steps as those needed to uninstall NAV 2003 Home Edition: 1. Go to Start | Settings | Control Panel | Add or Remove Programs (Add/Remove Programs in Windows versions earlier than Windows XP Professional or Home Edition), then select the Norton AntiVirus icon. 2. You can then remove the application by taking the following actions, depending upon the operating system you are using: ■

Windows 98 (all versions) and Me Click the Remove button next to the Norton AntiVirus icon. Restart the system to make sure all changes have taken effect.

www.syngress.com

Norton AntiVirus 2003 and 2003 Professional Edition • Appendix A

Windows 2000 and XP (Professional and Home Edition) Click the Change button, then select the Remove option. In Windows 2000, you will not be able to click the Remove option until you click Change. Afterward, restart the system to make sure all changes have taken effect. If you are using NAV 2003 Professional, it is likely you are using it in a higher security environment. For instance, you may have installed it onto a system such as Windows 2000 Professional or Windows XP Professional. Therefore, you will need administrative permissions to uninstall the application. ■

www.syngress.com

683

Index Symbols and Numbers : (colon) as comment delimiter, 256 . (period) in NetBIOS names, 469 ; (semicolon) in BIND, 469 comment delimiter, 239, 256 # (hash mark or crosshatch) in BIND, 469 _ (underscore) entries, 467–468 (angle brackets), 132, 143 3.x version of Norton AntiVirus (NAV), 326 4.x version of Norton AntiVirus (NAV), 302 5.x version of Norton AntiVirus (NAV), 326–327 6.x version of NAVCE, upgrading, 298–299, 302 7.6 version of NAVCE, 15 see also Upgrading to NAVCE 7.6 8.0 version of NAVCE. see Symantec AntiVirus Corporate Edition (SAVCE) 8.0 9-track tape, 614–615

A A and AAA records, 464, 471–473 Acceptable use policy, 381–382 Accounts, invalid, 500–501 Active Directory, Microsoft, 467–468, 483 ActiveX controls, Symantec, 239 Add/Remove Programs applet, 208 Address cache, 117 Address list, format for, 493 AddressCache key in Registry altering, 114 description, 213 Addresses, static, 482 Administration of SSC centralized, 16–19, 79–80 remote, 88 Administration Utility, LiveUpdate (luau.exe), 446–450

Administrative rights to clients, 304 Administrative shares, 416 Advanced Discovery option, 129–130 AgentIPPort key in Registry, 484 AgentIPXPort key in Registry, 484 Agreements mutual aid, 602 service level (SLAs), 604, 620–621 Akamai, Inc., 395 Alert Management System2 (AMS2) alerting options, 123–124 configuration, 163–164, 177–181 description, 89, 123, 146, 196–197, 580 forwarding alerts, 128 implementation, 125–128 incompatible operating systems, 124–125 locations, 223 mechanisms, 198 NAVCE access for, 396 Quarantine Console installation, 159 SPS training for, 35 stand-alone application, 125–126 sufficiency, 574 uninstalling, 127–128, 165–166, 223 see also Alert messages, configuring Alert messages, configuring Advanced Discovery option, 129–130 basic tasks, 80, 130–132 broadcast, 123, 134 customizable messages, 143 default message, 132–133 e-mail, 123, 135–136 event log, Windows, 124, 141 exporting alerts, 142 Load an NLM, 124–125, 135 managing alert actions, 87–88, 141 message box, 123, 133–134 paging, 124, 126–127, 131, 136–137 parameters, 132 programs, running, 124, 134–135 SMB-based, 493 685

686

Index

SMS text alerts, 151 SNMP traps, 138–141 testing alert actions, 142 without AMS2, 143–145 Alerts. see Alert Management System2 (AMS2); Alert messages, configuring Algorithms, 558 “Alive —” message, 489 Altavista search engine, 536 Alteration of data, 378 Altiris eXpress Client Management Suite, 273 AMS2. see Alert Management System2 (AMS2) AMS2 key in Registry, 128 Ams2inst.log file, 128 Analyzing results of virus scans, 572–573 Angle brackets (), 132, 143 AntiVir antivirus freeware, 11 Antivirus policy, 383 AntiVirus Server Rollout add-on, 87, 89, 298, 301 Antivirus software commercial, 9–11 enterprise considerations, 13–16 freeware, 11–12 McAfee, 11 overview, 9 AntiVirus Test File Web site, 372 Apache Web servers, 246–251 Apple Macintosh, lack of support for, 31 Application Launcher utility, 276 Application server mode, 360–366 Applications Altiris eXpress Client Management Suite, 273 auditing, 400 BlackICE, 484 disk defragmentation, 511 DNS Expert, 477 Eseutil, 516 Isinteg, 516 NAVCE third-party installation, 273–276, 493

network management, 467 Norton Disk Doctor, 513 Ping, 477 Ping Pro, 470 Sam Spade, 477 Scandisk warning, 513 Trace route (tracert), 477 for troubleshooting, 470–478 Whois Queries, 477 WS Ping ProPack, 477 ZoneAlarm, 484 AppSec application security tool, 27–28, 403–404 Architecture, client/server, 17 ARPCache key in Registry, 526 Artificial intelligence, 22 Attacks, network-based, 386 Auditing applications, 400 Auditing Registry access, 406–409 Auto-Protect features, 511–512, 659–664 AUTOEXEC.BAT file, 570 Automatic migration options client checklists, 305 client installation errors, 303–304 NAV for NetWare, 300–301 NAVCE client PCs, 301–309 processes, 299–300 remote clients, 306–309 from third-party products, 309–310, 325 unmanaged clients, 305–306 Automatic restore feature, Windows, 516–518 Availability, off-hour, 621 Availability of data, 378, 386 AVG Free Edition antivirus freeware, 11

B b-node (broadcast) name resolution, 480–482 Baboon boot virus, 8 Back Orifice 2000 Trojan horse (BO2K), 6–7 Back Orifice Trojan horse, 6 Backdoor.SubSeven Trojan horse, 7

Index

Backups ARCserve (now BrightStor) software, 292–293 baseline, creating, 597–598 CDs and DVDs, 613 cold site, 602–603 command-line, 629–632, 641 copy, 626 cost versus convenience, 604 daily, 626 data retention, 598–599 destination, 625 encryption of, 611 before file repairs, 342–343, 517, 523 floppy disks, 612–613 floptical disks, 615–616 Grandfather-Father-Son (GFS) rotation scheme, 600 growth, 598 hard disks, 613 hardware compression, 627, 630 hardware requirements, 610 hot site, 603 Iomega drives, 613–614 magneto-optical disks, 615–616 media and hardware, 611–616 media capacities, 612 media rotation scheme, 599–601 mutual aid agreement, 602 normal, 626 NTBackup in Windows 2000, 622–632 offsite, 400 precautionary, 97, 418 regular, 382 restoring regularly, 605–606 rotation schemes for backup media, 599–601 schedule for, 599, 616–619 security, 611 servers dedicated to NAVCE, 622–632 servers dedicated to NAVCE, restoring, 633–636 software, backup, 610–611 strategy, 610–621

687

system unavailability, 599 tapes, magnetic, 614–615 testing backups, 605 Tower of Hanoi rotation scheme, 600–601 training, 604 user involvement, 604 verification process, 626 warm site, 603 Zip drives, 613–614 see also Differential backups; Disaster recovery plan; Full backups; Incremental backups Bandwidth usage, 46–47, 119–123 Baseline, creating for backups, 597–598 BCP (business continuity plan), 596, 606–607 Best practices for NAVCE, 373 BIND definition, 482 Web site, 469 .bks file, 629–630 BlackICE firewall application, 484 Blame, 17 Blended threats, 447 Bloodhound, configuring, 661 Bloodhound Heuristics technology, 343, 557–558, 560–562 Bloodhound web spider, 21 Bloodhound.something virus, 590 BO2K (Back Orifice 2000) Trojan horse, 6–7 Book, Hack Proofing Windows 2000 Server, 405 Boolean searches, 536 Boot viruses description, 7–8 floppy disks, 582–583 hard disk boot sector, cleaning and restoring, 583–584 operating system, reinstalling, 584–585 recovering from, 582–585 Brackets, 580 BrightStor (formerly ARCserve) backup software, 292–293 Broadcast alerts, 123, 134 Broadcast domain, 229

688

Index

Bulk licensing, 62 Business continuity plan (BCP), 596, 606–607 Business Software Alliance, 62

C “Cs, three,” 575 CA. see Computer Associates (CA) .cab file suffix, 513 Cache clearing, 115 refreshing, 96 Caching files, 560 Caller identity, verifying, 385 Cancellation of virus scanning, 414–415, 577 Canonical name (CNAME) records, 464, 471–473, 476 Capacities backup media, 612 servers, 169 CarrierScan antivirus freeware, 11 CCMailUI.ocx file, 111 CD-RW and Windows XP, 613, 640 CDC (Cult of the Dead Cow) hackers, 6 CDs and DVDs for backups, 613 Central Quarantine Console Alert Management System2 (AMS2), 155 configuration, 157, 166–168 description, 155 hardware requirements, 156–157 implementation, 156–160 installation, 157–159 purpose, 185 refresh rate, 170 troubleshooting, 185–186 uninstalling, 159–160 see also Central Quarantine directories; Central Quarantine Server Central Quarantine directories changing, 169 full, 484 maximum size of, 169, 171, 392

purging by date, 171 use of, 552 see also Central Quarantine Console; Central Quarantine Server Central Quarantine Server configuration of managed clients, 184–185 configuration of ports, 170, 393, 397 configuration of server, 161, 169–182, 392–393 description, 155 domain name server (DNS), 168, 172 event log, Windows, 178 executables installed, 164–165 fingerprints, updated, 183 forwarding information lost, 298 frequency of update queries, 174 hardware requirements, 161 implementation, 160–166 installation, 161–164, 391–392 NetBIOS, 168, 172 NetWare not supported, 391 Norton AntiVirus 5.x, 327 purpose, 22 samples, quantity of, 169–170, 173 services on Windows NT or 2000, 164–165 SPX monitoring, 170, 191 status query interval, 173 Symantec Product Specialist (SPS) certifications, 34 TCP/IP monitoring, 170, 191, 193 troubleshooting, 186–189 uninstalling, 165–166 Windows NT or 2000 required, 160 see also Central Quarantine Console; Central Quarantine directories; Scan and Deliver method Centralized management, 16–19, 79–80 Certificate-based licensing, 65 Certifications, SPS. see Symantec Product Specialist (SPS) certifications Certified virus definitions, 174–176 Changes, propagating in SSC, 412 Check-in intervals, 228–230, 487–488

Index

CheckConfigMinutes key in Registry, 279 CheckGRC call, 280 “CheckInWithMommy” message, 489 Checklists client migration, 305 security for servers, 426–427 Children key in Registry altering, 122 description, 215–216 chkdsk command, 511, 540 Citrix MetaFrame 1.8, support for, 28 Class.Poppy or Woobie virus, 4 Clean Up utility, Windows Installer, 499, 527 Clearing SSC cache, 115 Client Administrator Password, 72–73 Client disk image, 251–252 Client groups, 171 Client key in Registry, 122 Client/server architecture, 17 communication, 19, 34, 120–121, 231, 488–489 traffic, 120–121 ClientConfig key in Registry altering, 491, 509 client option configurations, 280 description, 213–214 ClientExpirationTimeout value, 297 ClientPreferedProtocol_IP.reg file, 491 ClientPreferedProtocol_IPX.reg file, 491 Clients adding without WINS, 116–119 administrative rights, 304 check-in intervals, 228–230, 487–488 configuring for LiveUpdate, 451–453 configuring for NAVCE, 57–61, 330–339, 491–492 description, 227–228 enumeration traffic, 121 exporting lists of, 151 hardware requirements, 233–235 information, 80 lightly managed, 59

689

logoff, slow, 531–532 maximum number of, 530–531 migrating after servers, 297 migration options, 301–309 operating systems, support for, 23–25 refreshing, 123 Registry keys, 277–279 remote, 306–309 roaming, 367–369, 484, 528–529 services on, 279–282 16-bit, 264, 302, 492, 568–569 sometime managed, 59, 228 support, NAVCE, 15 32-bit, 492 three-day time-out, changing, 296–297 traveling, 425 troubleshooting, 510–516 uninstalling NAVCE, 276–277, 523–527 see also Clients, installing; Clients, managed; Clients, unmanaged Clients, installing from Apache Web server, 246–251 from client disk image, 251–252 errors, 303–304 from floppy disks, 267 grc.dat file, 237–239 from IIS Web Server, 240–246 from internal Web server, 239–240 locally, 258–267 from logon scripts, 264–266 managed, 330 from Microsoft IntelliMirror, 274–275 from Microsoft Systems Management Server (SMS), 275–276 from Novell ZENworks for Desktops, 276 planning, 235–237 remotely, 252–257 from self-extracting package, 267–273 silent installation, 236, 240, 302–303, 308 silent managed installation, 246 unmanaged, 331–339 Clients, managed description, 58–60, 227

690

Index

remotely installed, 330 routing viruses to quarantine, 184–185 Timer Loop, 217 Clients, unmanaged changing to managed, 261–262 description, 60–61, 227–228 installing, 331–339 upgrading, 305–306 Clients key in Registry altering, 489 description, 215 ClntCon.ocx file, 112 Cluster servers, support for, 26–27, 356–357 CNAME records, 464, 471–473, 476 Code Red worm, 579 Cold site, 602–603 Colon (:) as comment delimiter, 256 Command-line backups, 629–632, 641 Command line switches in Setup.exe, 303 Commands, sfc, 510–511 Comment delimiter (;), 239 Commercial antivirus software, 9–11 Commit option, 67 Communication client/server, 19, 34, 120–121, 231, 488–489 disaster recovery plan, 604, 609 enabling for NAVCE, 394 keepalive packets, 487–490 methods, 18–19, 162 needs, 609 NetWare, 28 ping and pong packets, 232 server-to-server, 19, 119–120 Symantec System Center (SSC) servers, 19, 489–490 virus outbreaks, 575–576 see also IP and IPX protocols; Ping Discovery Service (PDS);TCP/IP protocols Compaq Insight Manager, 138 Components of NAVCE, 197 Components of NAVCE Registry, 212–216 Compressed files, 513–514, 555, 569–570

Compressed NetWare archives, 556, 569–570 Compression, hardware, 627, 630 Computer Associates (CA) ARCserve (now BrightStor), 292–293 eTrust InoculateIT, 11, 310 InocuLAN Antivirus, 310 Open File Agent for NetWare, 293 Confidentiality of data, 377–378 Configuration Alert Management System2 (AMS2), 163–164, 177–181 alerts for Windows event log, 124, 141 Auto-Protect features, 659–664 Bloodhound in NAV 2003, 661 Central Quarantine Console, 157, 166–168 Central Quarantine Server, managed clients of, 184–185 Central Quarantine Server, ports for, 170, 393, 397 Central Quarantine Servers, 161, 169–182, 392–393 clients, for LiveUpdate, 451–453 clients, for NAVCE, 57–61, 330–339, 491–492 clients, roaming, 367–369 Discovery Cycle, 113 discovery services in SSC, 113 e-mail alert messages, 123 e-mail protection, 664–665 external LiveUpdate, 442–445 firewalls, 394–397 FTP, 410 hardening NAVCE servers, 400–401 Instant Messenger protection, 665–666 LiveUpdate, 395, 450–451 manual scans from clients, 556–557 manual scans from SSC, 550–556 manual scans in NAV 2003, 663–664 NAV 2003 Professional Edition, 675–679 NAVCE TCP/IP, 389–390 NetWare TCP/IP, 390 operating systems, for NAVCE servers, 400–403

Index

quarantine in NAV 2003, 666 real-time scans, 80, 559–566 RTVScan, 394 Scan and Deliver, 169–183 scheduled scans, 80, 566–568 script-blocking, 662–663 servers, NAVCE, 366–367 settings not retained, 95 SmartScan, 660 TCP/IP for NAVCE, 389–390 TCP/IP for NetWare, 410 Virus Definition Transport Method (VDTM), 436–439 virus definitions, updates of, 80 Windows TCP/IP, 389–390 wizard, 131 see also Alert messages, configuring Console, SSC detail in, 89 refreshing, 122–123 traffic from, 119 Console Add-ons snap-in for SSC, 89 Console traffic from SSC, 119 Containing virus outbreaks, 576–577 ContextMenuHandlers key in Registry, 496, 524, 526 Copy backups, 626 Corporate environment, 330 Corporate scandals, 598 CPU utilization, 549 CPU utilization readings, 505 Create Link key in Registry, auditing, 407 Create Subkey key in Registry, auditing, 407 Criteria, mission-critical, 607–609 Crosshatch (#) in BIND, 469 Crystal Reports, importing logs into, 573 Ctl3d32.dll file, 495 Ctrl + Alt + Del, disabling, 401 Cult of the Dead Cow (CDC) hackers, 6 CurrentControlSet\Services key in Registry, 496–497, 524 CurrentVersion key in Registry auditing, 407

691

clients, checking, 96 CurrentVersion\AgentIPPort, 484 CurrentVersion\AgentIPXPort, 484 CurrentVersion\ClientConfig, 213–214, 280, 491, 509 CurrentVersion\Clients, 215, 489 CurrentVersion\DomainData, 52, 121–122, 214 CurrentVersion\Run, 498, 514–515, 525–526 CurrentVersion\RunServices, 526 CurrentVersion\Uninstall, 498, 524 description, 212 PreferedProtocol field, 491 restricting, 416, 419 three-day client time-out, changing, 297 Custom scans, 572 Customizable messages, 143

D Daily backups, 626 DAT (digital audio tape), 615 Data confidentiality of, 377–378 destruction of, 378 integrity of, 378, 386 protection of, 378–379 retention of, 598–599 static or interactive, 598 Data files for Importer.exe, 117 Datagrams, 480–481 DCOM. see Distributed Component Object Model (DCOM) DDNS (Dynamic DNS), 478–479 DDoS (distributed denial of service) attacks, 386 Debugging NAVCE in NetWare, 506–507, 541 debugon.reg and debugoff.reg files, 489 dec2cab.dll file, 513–514, 530 Decentralized purchasing, 67–68

692

Index

Dedicated NAVCE server, 387, 622–632, 633–636 Default alert messages, 132–133 Default folder, NAVCE, 307 Default passwords, 51, 206, 208, 397 Defcast process, 187 definfo.dat file, 517 Definition Updater, 74 Definitions, virus. see Virus definitions, updates of Defragmentation applications, 511 DefUpdate... keys in Registry, 279 Defwatch service, 51, 97, 218, 281 Delete key in Registry, auditing, 407 Deleting Registry keys, 98–103, 104–109 Deleting Registry values, 103–104, 109–111 Denial of service (DoS) attacks, 386 “Deny all” method, 379 Dependencies, 320–322 Deployment planning, 201 testing, 282–283, 292–293 Desktop firewalls, 504 Destination for backups, 625 for restoring, 633–634 Destruction of data, 378 DHCP (Dynamic Host Configuration Protocol), 482 Differential backups definition, 616, 626 effects of, 618–619 not for System State, 629 NTBackup in Windows 2000, 629–630 reducing offline time, 599–600, 610 dig troubleshooting tool, 470, 475–476 Digital audio tape (DAT), 615 Digital linear tape (DLT), 615 Directories directory services servers, 483 listed by virus, 6, 7 selected for scanning, 551 see also Central Quarantine directories

Disabling LiveUpdate for clients, 458 Disaster recovery plan communication needs, 609 criteria, mission-critical, 607–609 designing, 606–607, 620 support and service levels, 620–621 user involvement, 604 vulnerabilities, 609 see also Backups Disaster recovery strategy, 382 Disasters, natural, 384 Disclaimer, e-mail, 383 Discovery Cycle configuring, 113 manually running, 114 traffic from SSC, 120 Discovery process description, 112–113 Discovery Cycle, 113, 114, 120 Importer.exe tool, 86, 116–119 Intense Discovery, 114–115 IP Discovery, 86, 115–116 IP display reversion, 29 Load from Cache Only discovery, 114 Local Cache Discovery, 114 Local Discovery, 114 SAVCE 8.0, 54 SPS training for, 33 WINS name resolution, 86, 116 WINS server, 114 Discovery services in SSC advanced properties, 115–116 clients unseen, 96 configuring, 113 description, 86 Discover Service (nsctop.exe), 95 Disk-defragmentation applications, 511 Disk image backup, 613 Disk imaging software, 613 Disk Operating System (DOS) hardware requirements, 23 logon scanning, 568

Index

memory-resident viruses, 7 support for, 23 Disk-space conservation, 309 Disk-space requirements. see Hardware requirements Disks, floppy. see Floppy disks Distributed Component Object Model (DCOM) permissions, 521, 523 Windows NT/2000, 520–521 Windows XP, 521–523 Distributed denial of service (DDoS) attacks, 386 DLL. see Dynamic link libraries (DLLs) DLLUsage key in Registry, 497, 524, 526 DLT (digital linear tape), 615 DNS. see Domain name servers (DNS) DNS Expert application, 477 Documenting incidents, 585 Domain Administrator rights, 252 Domain name servers (DNS) Central Quarantine Server, 168, 172 Dynamic DNS (DDNS), 478–479 fully qualified domain names (FQDN), 475, 528–529 host names, 529 non-Microsoft, 465–466 other forms of name resolution, 479–482 reverse DNS zones, 464, 466–468 troubleshooting configuration, 463–466, 468–470 troubleshooting reverse zones, 466–468 DomainData key in Registry description, 214 editing, 52, 121–122 Domains, broadcast, 229 Domains converted into server groups, 298 DOS. see Disk Operating System (DOS) DoS (denial of service) attacks, 386 Downtime, reducing differential backups, 599–600, 610 disaster recovery, 608 Drives

693

formatting, 3, 5, 563 letter mappings, 403 Quantum Snap, 355 types in File System Realtime Protection, 354–355 dsapi.nlm, 510 DVDs and CDs for backups, 613 Dynamic DNS (DDNS), 478–479 Dynamic Host Configuration Protocol (DHCP), 482 Dynamic link libraries (DLLs) Ctl3d32.dll file, 495 dec2cab.dll file, 513–514, 530 Navcorph.dll file, 112 Navcorpx.dll file, 112 navcust2.dll file, 304 navinst95.dll file, 304 plug-ins, 6 pmig.dll migration dll, 300 scandlgs.dll file, 112 transman.dll file, 52 vprpts.dll file, 112 webshell.dll file, 112 Dynamic ports, 485

E EBay fraud, 564–565 Editing tools for Registry disabling, 405–406 regedit.exe, 98, 405, 419, 489 regedt32.exe, 406, 419, 489 vpregedt.nlm, 390–391, 509 see also Registry, editing EICAR (European Institute for Computer Antivirus Research), 372 Elite program, 66–68 E-mail address list, format for, 493 alert messages, configuring, 123, 135–136 author of this book, 441 disclaimer, Exchange, 383 disconnecting, 579

694

Index

filtering, 591 Lotus Notes, 261, 563 notification variables, 581 programs, 563–564 protection, configuring, 664–665 retention of, 599 Scan and Deliver, 169, 181–182 scanning, 34, 547, 563–564 sender identity, 564–565 server protection options, 564 snap-ins, 332 SPS training for, 34 virus submissions, 162 Emergency Disk program, 648 Employees, trusted, 7 Encryption, VPN, 61 Encryption of backups, 611 End users advising, 294–295 trust in, 302, 304, 307 Engineering, social, 384–385 Enterprise considerations, 13–16 Enterprise environment, 330 Enterprise firewalls, 425 Enuctls.chm file, 112 Enudlgs.chm file, 112 Enumerate Subkeys key in Registry, auditing, 407 Enuview.chm file, 112 Enuvpadm.chm file, 112 Environment, corporate versus enterprise, 330 ERD, 498 Error codes for Importer.exe, 118–119 Error lists Central Quarantine Console, 185–186 Central Quarantine Server, 186–189 Error messages for installation, 486 Eseutil application, 516 eTrust InoculateIT antivirus software, 11, 310 European Institute for Computer Antivirus Research (EICAR), 372 Event log, Windows Central Quarantine Server, 178

configuring alerts for, 124, 141 filtering, 144–145 Scan History, 143 viewing, 144 Virus History, 143–144 Virus Sweep History, 144 Event Viewer, 478 Exams. see Symantec Product Specialist (SPS) certifications Exchange backup strategy, 598 clients for NAVCE, 563 e-mail disclaimer, 383 file and folder exclusions, 353 NAVCE support for, 261 problems with, 515–516 real-time scanning, 547 Realtime Protection, 350–351 ExchngUI.ocx file, 111 Exclusion from scanning file extensions, 345, 352, 553–555 files and folders, 351–354 Exporting alerts, 142 Extensions excluding from scanning, 345, 352, 553–555 including for scanning, 345 External LiveUpdate configuration, 442–445

F Fail-over, 458 “Father” tapes, 600 Fault tolerance, 53 Features in NAVCE version 7.6, 15 File extensions excluding from scanning, 345, 352, 553–555 including for scanning, 345 File-sharing, peer-to-peer (P2P), 62–63 File system, browsed by virus, 6, 7 File System Realtime Protection actions, 347–348 advanced options, 341–344

Index

description, 340 drive types, 354–355 enabling and disabling, 340–341 file and folder exclusions, 351–354 file types options, 344–347 Scandisk warning, 513 virus notification options, 349–351 File Transfer Protocol (FTP) configuration, 410 downloads of antivirus updates, 410 NetWare, testing in, 410–411 port 21 for, 395 server, virus-initiated, 7 troubleshooting, 411 Files caching, 560 compressed, 513–514, 555, 569–570 infected, 582 size limit for server list, 528 Filtering e-mail, 591 Fingerprinting viruses, 36 Firewalls benefits of, 423–424 BlackICE application, 484 configuring, 394–397 desktop, 504 personal or enterprise, 425 port, 172 ports, 172, 483–485 roaming clients, blocking, 529 troubleshooting, 483–485 ZoneAlarm application, 484 Flags key in Registry, 278 Floppy disks for backups, 612–613 boot sector viruses, 8 boot viruses, 582–583 creating installation disks, 271–273 installing clients from, 267 NAVCE options, 562 scanning, 344 Floptical disks for backups, 615–616

695

Folders exclusion from scanning, 351–354 NAVCE, default, 307 NAVCE, removing, 525 permissions, NetWare, 74 Startup in Windows, 515 Forecast option, 67 format command, 513 Format for e-mail address list, 493 Formatting hard disks, 3, 5, 563 Forward DNS zones, 464–466, 468 Forwarding alerts, 128 FPORT utility, 424 FQDN (fully qualified domain names), 475, 528–529 Fraud, eBay, 564–565 Freeware antivirus programs, 11–12 Frequency of check-ins, 228–230, 487–488 of scans, 342, 549 of update queries, 174 FTP. see File Transfer Protocol (FTP) Full backups definition, 626 offline time, 599, 616 part of mix, 610 redundancy, 618 Fully qualified domain names (FQDN), 475, 528–529

G Gateway address, 172 connection to, 186 Generator key in Registry, 128 GFS. see Grandfather-Father-Son (GFS) rotation scheme Globally unique identifier (GUID), 641 Gold Maintenance, 66, 68 Google search engine, 536 GPEDIT.MSC file, 416

696

Index

Grandfather-Father-Son (GFS) rotation scheme, 600 “Grandfather” tapes, 600 grc.dat file checked by RTVScan Timer Loop, 217, 435 clients, installing, 237–239 copying to clients, 306, 326, 605–606 creating, 501–502 description, 218–219 file locations, 606 parent servers, 57 restoring, 605–606 updated for new settings, 59–60, 302, 325 GRCUpdate... keys in Registry, 279 Growth, allowing for, 598 GUID (globally unique identifier), 641

H h-node (hybrid) name resolution, 480–482 Hack Proofing Windows 2000 Server book, 405 Hackers Cult of the Dead Cow (CDC), 6 identifying threats from, 384 Half-inch tape, 614–615 Hard disks for backups, 613 boot sector, cleaning and restoring, 583–584 formatting, 3, 5, 563 removing NAVCE from, 499, 525, 526 troubleshooting, 510–511 Hardening NAVCE servers configuration, 400–401 physical security, 399–400 TCP/IP, 402–403 Hardware compression, 627, 630 Hardware for backups, 611–616 Hardware requirements. see System requirements Hash mark (#) in BIND, 469 Help desks as security risks, 384–385 Heuristics, 155, 343, 557–558, 560–562

Hidden shares, 416 History log, 582 History of scans, 582 Hndlrsvc.exe (Intel Alert Handler), 126 Hoax-response Web page, 9 Hoaxes, 8–9 Host names, 529 host troubleshooting tool, 470, 473–474 Hot site, 603 HP OpenView console, 138

I Iao.exe (Intel Alert Originator), 126 ICA (Independent Computing Architecture) protocol, 28 ICA_Tcp Connection parameter, 361 Icepack.exe, 164 Identifying threats, 383–386 IIS (Internet Information Server), 79, 240–246 ILOVEYOU virus, 6, 575–576 Importer.exe tool, 86, 116–119 Importing IP Addresses in NAVCE, 15 Incidents, documenting, 585 Incomplete installations, 493–494 Incremental backups definition, 616, 626 effects of, 618–619 not for System State, 629 NTBackup in Windows 2000, 629–630 reducing offline time, 599–600, 610 Independent Computing Architecture (ICA) protocol, 28 InocuLAN Antivirus software, 310 InoculateIT antivirus software, 11, 310 Insight Manager (Compaq), 138 Installation Central Quarantine Console, 157–159 Central Quarantine Server, 391–392 client, managed, 330 client, unmanaged, 331–339 error messages, 486

Index

incomplete, 493–494 LiveUpdate Administration Utility, 447–450 MSI installer application, 494 NAV 2003, 646–652 NAV 2003 Professional Edition, 670–672 NAVCE, by third-party applications, 273–276, 493 NAVCE, problems with, 518–523 NAVCE, SPS training for, 33 NAVCE servers on Windows NT or 2000, 202–208 Netware server problems, 505–506 operating systems, reinstalling, 584–585 paths, old, 494–495 reinstallation problems, 494 remotely, NAVCE to Windows, 87, 89 Symantec System Center (SSC), 91–96, 147 Unix Print Services, 410 Installation paths, old, 494–495 InstalledApps key in Registry, 497, 524 Instant Messaging technologies, 546, 592–593 Instant Messenger protection, configuring, 665–666 instmsia.exe, 486 Insurance, upgrade, 66 Integrity of data, 378, 386 Intel Alert Handler (Hndlrsvc.exe), 126 Intel Alert Handler service, 51, 98 Intel Alert Originator (Iao.exe), 51, 126 Intel File Transfer service, 51, 98 Intel File Transfer (Xfr.exe), 126 Intel PDS service, 51, 98 Intel Ping Discovery Service (PDS). see Ping Discovery Service (PDS) Intelligent Updater, 434, 453–455 IntelliMirror, 274–275 Intense Discovery, 114–115 Internal LiveUpdate configuration, 445–453 Internal threats, 385 Internet-based Scan and Deliver, 169–181 Internet-based virus submissions, 162 Internet Explorer, version requirement, 158 Internet Information Server (IIS), 79, 240–246 Internet usage policy, 382

697

Intervals, check-in, 228–230, 487–488 “Invalid Partition Tables” message, 512 Invalid system accounts, 500–501 Iomega drives for backups, 613–614 IP addresses displaying, 29 format, 410 importing in NAVCE, 15 IP- and IPX-based ports, registering, 483–484 IP and IPX protocols client configuration, 491 installing both, 85 IPX/SPX networks, 508 pings, 113 selecting, 388–391 switching in SSC, 28–29, 119 TCP/IP-IPX/SPX incompatibility, 490 IP Discovery, 115–116 IPv4 and IPv6, 464 IPX/SPX networks, 508 ipxroute config command, 409 Isinteg application, 516

J jdbgmgr.exe virus hoax, 8 Journaling, remote, 603 Jukeboxes, 615

K .Kak worm, 15 KaZaA, 62–63 keepalive packets, 487–490 Keystroke logging, 6 KillRoy boot virus, 8 Klez worms, 5 Knowledge Base, Microsoft. see Microsoft Knowledge Base Knowledge Base, Symantec. see Symantec Knowledge Base

698

Index

L Label, media, 627 Laboratory for testing, 292–293 LANDesk Virus Protect uninstalling, 90 upgrading from, 295, 298, 302 versions before 5.01, 326 Language differences, 291 Laptop computers, 306, 367 LDDateTm.ocx file, 112 LDVPDlgs.ocx file, 112 ldvpui.ocx file, 112 Letter mappings for network drives, 403 Levels of protection, 561 Licensing NAVCE, 61–64 Lightly managed clients, 59 Linux operating system, 472, 474–475, 482 Listing directories, 6, 7 Listing processes, 6 LiveUpdate Administration Utility installation, 447–450 Administration Utility requirements, 446–447 clients, configuring for, 451–453 configuration, 395, 450–451, 657–659 description, 434 disabling for clients, 458 external, configuring, 442–445 fail-over, 458 internal, configuring, 445–453 internal versus external, 442 NAVCE problems after, 530 password, blank, 452 proxy server settings, 424, 500 servers, configuring for, 451–453 SMB-based shares, 501 troubleshooting, 500–501 unmanaged clients, 60–61 VDTM comparison, 439–442 Web sites, 448, 459 LiveUpdate Server Connection, 13 liveupdt.hst file, 435, 450

lmhosts file, 480–482 Load an NLM alert, 124–125, 135 Load from Cache Only discovery, 114 Load options for services, 339–340 Local Area Connection properties, 477 Local Cache Discovery, 114 Local Discovery, 114 Locking scanning options, 563–566 Log, event. see Event log, Windows Log files Ams2inst.log, 128 Crystal Reports, importing logs into, 573 history log, 582 MSI, 657 NAV 2003, 667–668 nav.log, 657 NTBackup, 630 SYS:NAV/vpdebug.log file, 507, 541 troubleshooting, 478 virus events, 572–573 see also Event log, Windows Logging keystrokes, 6 Logic bombs, 5, 618 Logon scans, 568–571 Logon script, client installation, 264–266 Logon script, network, 570 Logon warning message, 401 Losses, quantitative and qualtitative, 609 LotNtsUI.ocx file, 112 Lotus Notes e-mail, 261, 563 Lotus Notes Realtime Protection, 350–351 Lsa key in Registry, auditing, 407 luau.exe (LiveUpdate Administration Utility), 446–450

M m-node (mixed) name resolution, 481–482 Macintosh, lack of support for, 31 Macro viruses description, 5–6 Magnetic tapes for backups, 614–615

Index

Magneto-optical disks for backups, 615–616 Mail. see E-mail Mail Exchange Records, 464 Maintenance program, software, 66, 68 Malware, 3 Managed clients. see Clients, managed Management, centralized, 16–19, 79–80 Management consoles, 138 Management snap-in for NAVCE description, 89 uninstalling, 97 Managing alert actions, 87–88, 141 Managing virus outbreaks, 585–587 Manual notifications, 580–581 Manual Registry editing, 489, 496–498 Manual scans configuring from clients, 556–557 configuring from SSC, 550–556 configuring in NAV 2003, 663–664 reasons for, 550 Manual submissions of viruses to SSR, 182–183 Manual uninstallation, 209–212 Mappings of network drive letters, 403 Master boot record viruses. see Boot viruses Master name server, 463 Master primary server, 42, 54–57, 75 McAfee antivirus software, 11 Media and hardware for backups, 611–616 Media capacities, 612 Media label, 627 Media rotation schemes, 599–601 Melissa virus, 6 Memory. see System requirements Memory-resident viruses, 7 Message box alerts, 123, 133–134 Messages customizable, 143 Instant Messaging technologies, 546, 592–593 logon warning, 401 real-time scan messages, 563–565 MetaFrame 1.8, support for, 28

699

MicroDefs, 439, 441 Microsoft Active Directory, 467–468, 483 File and Print Sharing, enabling for NetWare, 389 IntelliMirror, 274–275 Internet Explorer, version requirement, 158 Office suite, 6, 666 Outlook and Outlook Express, 5, 261, 516, 564 Project 2000, 310–322 Systems Management Server (SMS), 275–276 see also Exchange; Microsoft Knowledge Base; Microsoft Management Console (MMC); Visual Basic (VB); Windows operating systems, support for Microsoft Knowledge Base Eseutil application, 516 Exchange server, 353 Isinteg application, 516 Registry backups, 97 SMB signing bug, 504 Windows Installer Clean Up, 499, 527 Windows Me System Restore, 516 Microsoft Management Console (MMC) customization of, 81, 168 exporting lists of servers and clients, 151 SSC use of, 16, 299 version requirement, 81, 83 Windows requirement, 39 Migration checklists, 305 options, 301–309 servers before clients, 297 see also Automatic migration options MMC. see Microsoft Management Console (MMC) Mobile Definition Updater, 434 Modemcfg.exe program, 126–127 Monitor screen, 562–563 Morphing, 559 Msgsys service, 484

700

Index

msgsys.exe application, 396 MSI installer application, 494 MSI log file, 657 msiexec.exe file, 209 Multiuser packs, 40 Mutual aid agreement, 602 MX records, 464, 471–473

N Name servers, 463 Names NetBios standard, 469 resolution, forms of, 463, 479–482 see also Domain name servers (DNS) Naming method, new, 433 Napster, 62 NAS (Network Attached Storage) devices, 614 Natural disasters, 384 NAV for NetWare migration options, 300–301 NAV Sole Proprietor Edition, 261–262 NAV user interface (vpc32.exe), 303 NAVCE. see Norton AntiVirus Corporate Edition (NAVCE) “NAVCE server,” definition of, 196, 330, 366 Navcorph.dll file, 112 Navcorpx.dll file, 112 navcust2.dll file, 304 NAVEX. see Norton Antivirus Extensible (NAVEX) engine technology navinst95.dll file, 304 Nav.log log file, 657 NAV_Snap.chm file, 112 Navstart.htm file, 112 NDS function in RTVScan, 510 Needs of users, 420–421 NetApp Filers, 355 NetBIOS cache, refreshing, 482 computer names, 168, 469 names, improper, 478 over TCP/IP, 504

proxy server names, 172 NetWare Alert Management System2 (AMS2) incompatibility, 125 Central Quarantine Server not supported, 160, 391 communicating with, 28 compressed archives, 556, 569–570 console, 507 enabling Microsoft File and Print Sharing, 389 file and folder permissions, 74 installation problems, 505–506 NAV for NetWare migration options, 300–301 NAVCE, debugging, 506–507 permissions, 74 PreferedProtocol parameter, 390–391, 509 preferred protocols, 508–510 RCONSOLE and RCONSOLJ (remote access utilities), 296, 412 secure console utility, 412 servers, scans in, 510 servers, troubleshooting, 505–510 servers and Windows, 508 SFT III not supported, 200 SNMP traps, 139–141 support for, 26–27, 30, 31, 356 TCP/IP, configuring for NAVCE, 390 testing FTP in, 410–411 versions 6.x, 48, 356 see also System requirements NetWare Loadable Modules (NLMs), 411, 510 Network Appliance File Servers, 355 Network Associates, 11 Network Attached Storage (NAS) devices, 614 Network-based attacks, 386 Network connections, concurrent (file sharing), 199 Network Drive Type protection, 354–355 Network Interface Cards (NICs), 501–504 Network management applications, 467 Networks

Index

bandwidth usage, 46–47, 119–123 corporate versus enterprise, 330 drive letter mappings, 403 IPX/SPX, 508 logon scripts, 570 protocol for NAVCE, 388–391 protocols, support for, 28–29 resources, required, 380 support for NetWare, 26, 30, 31 New viruses, 40 NIC (Network Interface Card), 501–504 Nimda worm, 579 9-track tape, 614–615 NLM (NetWare Loadable Modules), 411, 510 NMAP, 381 Node types in name resolution, 480 Noncertified virus definitions, 174 Normal backups. see Full backups Norton AntiVirus 3.x, 326 Norton AntiVirus 4.x, 302 Norton AntiVirus 5.x, 326–327 Norton AntiVirus Corporate Edition (NAVCE) components, 197 features in version 7.6, 15 operating systems, support for, 23–28 planning for, 13–14 purpose, 13 services, list of, 496 support date, 314 uninstalling, 72–73, 90, 494, 496–504 versions, not mixing, 90 see also Symantec AntiVirus Corporate Edition (SAVCE) 8.0 Norton Antivirus Extensible (NAVEX) engine technology, 16, 197, 327 Norton AntiVirus (NAV) 2003 access to option settings, 666 Auto-Protect features, configuring, 659–664 Bloodhound, configuring, 661 description, 643 differences from NAV 2003 Professional Edition, 644

701

e-mail protection, configuring, 664–665 first use of, 652–657 installing, 646–652 Instant Messenger protection, configuring, 665–666 LiveUpdate, configuring, 657–659 log files, 667–668 manual scanning, configuring, 663–664 Microsoft Office protection, configuring, 666 options file, 668 password protection, 667 quarantine, configuring, 666 script-blocking, configuring, 662–663 SmartScan, configuring, 660 system requirements, 644–646 troubleshooting, 657, 668–669 uninstalling, 669–670 Norton AntiVirus (NAV) 2003 Professional Edition configuring, 675–679 differences from NAV 2003, 644 first use of, 672–675 installing, 670–672 Norton Protected Recycle Bin, 679–681 troubleshooting, 681–682 uninstalling, 682–683 Norton Antivirus Rescue Disk Set, 582–583 Norton AntiVirus Server rollout tool. see AntiVirus Server Rollout add-on Norton AntiVirus Server (rtvscan.exe). see RTVScan Norton Ghost disk imaging, 613 Norton Protected Recycle Bin, 679–681 Norton System Center, 299 nortonantivirusadmin and nortonantivirususer groups, 74 NORTONANTIVIRUSUSER group, 234, 251, 265–266 Notebook computers, 306, 367 Notifications built-in, 580 failed, 492–493

702

Index

manual, 580–581 message parameters, 349–350 options in File System Realtime Protection, 349–351 see also Alert Management System2 (AMS2); Alert messages, configuring Notify key in Registry, 407 Notify key in Registry, auditing, 407 Novell Directory Services, 483 Novell NetWare. see NetWare Novell ZENworks for Desktops, 276 NPDTechworld, 10 nsctop.exe (Discover Service), 95 nslookup (DNS troubleshooting tool), 470–473 _nslookup troubleshooting tool, 470–473 NT, Windows. see Windows operating systems NT Client Install utility, 304 NTBackup in Windows 2000, 622–632 NTFS permissions, 519 NYB boot virus, 8

O Objectives of SPS exam, 32–35 Off-hour availability, 621 Office, Microsoft, 6 Offsite backups, 400 Offsite storage location, 601–604 “One-click” scanning, 590 Open File Agent for NetWare, 293 OpenView console (HP), 138 Operating systems Alert Management System2 (AMS2) incompatibility, 124–125 clients, 23–25 configuring for NAVCE servers, 400–403 Linux, 472, 474–475, 482 Macintosh, 31 reinstalling, 584–585 servers, 25–28, 52, 201 SSC requirements, 85–86 support for, 23–29

UNIX-based, 472, 474–475 see also Disk Operating System (DOS); Windows operating systems Option settings in NAV 2003, 666 Oracle, 598 OutboundAppend Registry value, 383 Outlook and Outlook Express, 5, 261, 516, 564 Over-planning, 312

P p-node (point-to-point) name resolution, 481–482 P2P (peer-to-peer) file-sharing, 62–63 Package, self-extracting, 267–273 package.exe utility, 267, 306–307, 434 Packets, keepalive, 487–490 Page faults in RTVScan, 532 Paging alert messages, 124, 126–127, 131, 136–137 Panda Software, 10–11 Parameters for alert messages, 132 Parent servers, 57, 217, 236, 251 Passwords blank, in LiveUpdate settings, 452 Client Administrator Password, 72–73 default, 51, 206, 208, 397 easy-to-guess, 400 NAV 2003, 667 repository, 45 retrieving, 224 Save This Password option, 50 saving, 399 server groups, 45, 49–51, 224, 366–367 setting, 398 toothbrush analogy, 421 for uninstalling NAVCE, 72–73 unsaving, 150 Patches, 303 PatternVersion key in Registry, 278 PDS. see Ping Discovery Service (PDS) Peer-to-peer (P2P) file-sharing, 62–63

Index

Performance considerations in NAVCE, 529–533, 547–549 over time, 597 protection, 373 Symantec System Center (SSC), 45 tracking, 532–533 Performance Monitor, Microsoft, 532–533, 548, 597 Period (.) in NetBIOS names, 469 Permissions DCOM, 521, 523 NetWare, 74 NTFS, 519 Windows Registry, 518–519 Personal firewalls, 425 PGP (Pretty Good Privacy), 60 Physical security, 399–400 Physical server, 196 Ping application, 112–113, 477 Ping Discovery Service (PDS) Alert Management System2 (AMS2), 396 client/server communication, 231 description, 95, 218, 230–232 pong packets, 95, 113, 232 requests from NAVCE clients, 483 Ping Pro, 470–473 Pings, Symantec, 483 Piracy, software, 61–63 Pirated software, 381 Placement of server groups, 45 Planning excessive, 312 for NAVCE, 13–14 sample project plan, 310–311 update methods, 295 upgrade to NAVCE 7.6, 291–297 Plug-ins. see Snap-ins Plug-ins, dynamic link library (DLL), 6 pmig.dll migration dll, 300 Pointer (PTR) records, 464, 467 Polymorphic viruses, 558–559 Pong packets, 95, 113, 232

703

Pornography, 381 Ports 21 for FTP, 395 80 for HTTP, 395, 397 135 for Active Directory, 485 137-139 for Microsoft, 485 443 for HTTPS, 395 1025-1026 for RTVScan, 484 1056 for roaming clients, 484 2847-2848 for file transmission, 397 2967 for IP, 19, 483 3807 and 3892 for Msgsys service, 484 31337 for BO2K, 6 33345 for IPX, 19, 483 34903 for PDS on IPX, 218, 231 38037 for PDS, 150, 396 38292 for msgsys.exe, 150, 396 38293 for PDS on IP, 116, 150, 218, 231, 396, 483 AMS2, 150 Central Quarantine Server, 170, 393, 397 common ranges, 485 firewalls, 172, 483–485 FPORT utility, 424 managed clients, 185 NAVCE core components, 394 private, 485 scans, 579 User Datagram Protocol (UDP), 6, 150, 484 well-known, 485 PreferedProtocol parameter NetWare, 390–391, 509 Windows, 85, 389–390 PreferedProtocol_IP.reg files, 490–491 PreferedProtocol_IPX.reg files, 490–491 Preferred protocols. see Protocols Pretty Good Privacy (PGP), 60 Primary name server, 463 Primary server, master, 42, 54–57 Primary servers, 42, 52–53, 487 Printing, troubleshooting, 511–512 Priorities for disasters, 607–609

704

Index

Private ports, 485 Processes, listing, 6 ProcessGRCNow key in Registry, 218–219, 281 Product offerings, 68–69 PRODUCTS in Registry, 494 Programs opening and closing, 7 run by alert messages, 124, 134–135 see also Applications Project 2000, 310–322 Propagation of worms, 579 Protection levels, 561 Protection versus performance, 373 Protocols network, for NAVCE, 388–391 preferred, 85, 389–390, 490–491, 508–510 supported by SSC, 85 see also IP and IPX protocols; Simple Mail Transfer Protocol (SMTP); Simple Network Management Protocol (SNMP); SPX protocol;TCP/IP protocols; User Datagram Protocol (UDP) Proxy servers LiveUpdate configuration, 424 Quarantine Server address, 172 settings, 500 PTR (pointer) records, 464, 467 Purchasing, decentralized, 67–68 Purpose of NAVCE, 13

Q QIC (quarter-inch cartridge) tape, 615 Qserver.exe, 164 Quantitative and qualtitative losses, 609 Quantum Snap drives, 355 Quarantine in NAV 2003, 666 Quarantine in NAVCE. see Central Quarantine Console; Central Quarantine directories; Central Quarantine Server

Quarter-inch cartridge (QIC) tape, 615 Queries, frequency of, 174 Query Value key in Registry, auditing, 406

R RCONSOLE and RCONSOLJ (remote access utilities), 296, 412 RCS (Remote Client Services), 462 Read Control key in Registry, auditing, 407 Real-time scans configuration pages, 559 configuring, 80, 559–566 description, 547 file systems, 559–563 floppy disks, 344, 562 heuristics, 343, 560–562 messaging systems, 563–565 monitor screen, 562–563 options, locking, 563–566 Rebooting in SSC installation, 93 Record types in forward DNS zones, 464 Recovering from boot viruses, 582–585 Recovery procedures, 382 Reformatting hard disks, 3, 5, 563 Refresh rate, 170 Refreshing NAVCE clients, 123 SSC cache, 96 SSC server groups, 122 SSC servers, 123 SSC system hierarchy, 122 regedit.exe (Registry editor), 98, 405, 419, 489 regedt32.exe (Registry editor), 406, 419, 489 Registered ports, 485 Registry, editing manually, 489, 496–498 by virus, 7 see also Editing tools for Registry Registry, Windows access, auditing, 406–409 components for NAVCE, 212–216

Index

IP- and IPX-based ports, registering, 483–484 Microsoft Exchange, 383 permissions, 518–519 size value, 530–531 SPS training for, 216 TCP/IP, configuring for NAVCE, 389–390 values, deleting, 103–104, 109–111 see also Editing tools for Registry; Registry, editing; Registry keys Registry keys access to, 404–409, 415–416 AddressCache, 114, 213 AMS2, 128 ARPCache, 526 CheckConfigMinutes, 279 Children, 122, 215–216 Client, 122 on client computers, 277–279 ContextMenuHandlers, 496, 524, 526 Create Link, 407 Create Subkey, 407 CurrentControlSet\Services, 496–497, 524 CurrentVersion, 96, 212, 297, 416, 419, 491 CurrentVersion\AgentIPPort, 484 CurrentVersion\AgentIPXPort, 484 CurrentVersion\ClientConfig, 213–214, 280, 491, 509 CurrentVersion\Clients, 215, 489 CurrentVersion\DomainData, 52, 121–122, 214 CurrentVersion\Run, 498, 514–515, 525–526 CurrentVersion\Uninstall, 498, 524 DefUpdate..., 279 deleting, 98–103, 104–109 DLLUsage, 497, 524, 526 Flags, 278 GRCUpdate..., 279 InstalledApps, 497, 524 NAVCE servers on Windows NT or 2000, 212–216 Notify, 407

705

PatternVersion, 278 ProcessGRCNow, 218–219, 281 PRODUCTS, 494 Repair, 498 SourceDir, 498 TargetDir, 498 UpgradeCodes, 498 UsingPattern, 278 VirusProtect6, 61, 509 VP6, 497 Reinstallation problems, 494 Remote access utilities (RCONSOLE and RCONSOLJ), 296, 412 Remote administration mode, 360–366 Remote administration of SSC, 88 Remote Client Services (RCS), 462 Remote clients, 306–309 Remote journaling, 603 Remote NAVCE installation to Windows, 87, 89 Repair key in Registry, 498 Repairing virus damage, 218 Replication Trojan horses, 6 viruses, 3 worm’s primary function, 5 Repository for passwords, 45 Rescue disk, creating, 512–513 Rescue Disk Set, Norton Antivirus, 582–583 Research Automation. see Symantec AntiVirus Research Automation (SARA) system Reset ACL (resetacl.exe) tool, 416–419 Resources, required, 380 Restarting the system, 7 Restore feature, Windows, 516–518 Restoring backups, 605–606 boot sector of hard disk, 583–584 grc.dat file, 605–606 servers, 633–636 servers dedicated to NAVCE, 633–636 Retention of data, 598–599 Reverse DNS zones, 464, 466–468

706

Index

Roaming Client Support, 367–369, 425, 528–529 Roaming clients. see Clients Robots, 21 Rollout tool, Norton AntiVirus Server. see AntiVirus Server Rollout add-on Rollouts secondary servers, 171 testing, 293–295 Rotation schemes for backup media, 599–601 RTVScan service configuring, 394 CPU use, excess, 530 description, 217, 280–281 NDS function, 510 page faults, 532 purpose, 306 resource hogging, 232 rtvscan.exe, 340, 483 Timer Loop, 217, 435–436 Run key in Registry, 498, 514–515, 525–526 RunServices key in Registry, 526

S Sam Spade application, 477 Samples, quantity to Quarantine Server, 169–170, 173 SARA (Symantec AntiVirus Research Automation) system, 22 SARC (Symantec AntiVirus Research Center), 20 SAVCE. see Symantec AntiVirus Corporate Edition (SAVCE) 8.0 Save This Password option, 50 Scan and Deliver method configuring for (email-based), 169, 181–182 configuring for (Internet-based), 169–181 configuring for SSR submissions, 182–183 description, 22 fingerprints, updated, 183 IPX or SPX monitoring, 182

see also Central Quarantine Console; Central Quarantine directories; Central Quarantine Server Scan History, 143 Scandals, corporate, 598 Scandisk warning, 513 scandlgs.dll file, 112 Scanexplicit.exe, 165 Scanning application, 197 Scanning e-mail, SPS training for, 34 Scanning for viruses. see Viruses, scanning for Scans custom, 572 frequency of, 342, 549 history of, 143, 582 Scans, real-time. see Real-time scans Schedule for backups, 599, 616–619 Scheduled scans configuring, 80, 566–568 description, 549 server groups, 568 Scope creep, 620 Screen shots, 7 Script-blocking, configuring, 662–663 Script files network logon script, 570 Visual Basic for Applications (VBA), 6 Windows Scripting, 417 SCRSAVER.NLM (screen lock), 411 Search engines, 535–536 Secondary servers, 42, 53–54, 171 Secure Shell (SSH), 467 Secure Socket Layer (SSL), 60, 378 Security awareness Web sites, 585 Security for backups, 611 Security for NAVCE clients client definitions, monitoring, 413 overview, 413 Registry keys, access to, 415–416 virus scan, canceling, 414–415, 577 Security for NAVCE servers auditing Registry access, 406–409 checklist, 426–427

Index

hardening, 399–403 operating system, configuring, 400–403 passwords, 397–399 physical security, 399–400 Registry keys, access to, 404–409 terminal servers, 403–404 see also Viruses, scanning for Security for Netware servers checklist, 426–427 FTP downloads of antivirus updates, 410 IPX forwarding to quarantine, 409–410 recommendations, 411–412 testing FTP in Netware, 410–411 Security Options in XP, changing, 234–235 Security patches, vendor, 585, 592 Security policy acceptable use, 381–382 antivirus policy, 383 availability of data, 378, 386 caller identity, verifying, 385 confidentiality of data, 377–378 creating, 378–381 description, 377–378 disaster recovery strategy, 382 documenting incidents, 585 drafting, 381–383 help desks as security risks, 384–385 input from all organizations, 377 integrity of data, 378, 386 Internet usage, 382 server for NAVCE, 387 workflow details, 585–586 Security Response Hoax page, 9 Security tool, AppSec, 27–28, 403–404 SecurityProviders in Registry, auditing, 407 Seeker web spider, 21 Seeking viruses, 21–22 Self-extracting package, 267–273 Semicolon (;) in BIND, 469 comment delimiter, 239, 256 Sender identity, e-mail, 564–565

707

Server groups administration in SSC, 79–80, 86–87 alert messages, configuring, 130–131 creating, 48–49 description, 17, 44–45 domains converted into, 298 master primary server, 42, 54–57 parent servers, 57, 217, 236, 251 passwords, 45, 49–51, 201–202, 224, 366–367 placement, 45 planning, 45–46, 201–202 populating, 46–47 primary servers, 42, 52–53, 487 reassignment, 122, 326 refreshing, 122 scheduled scans, 80, 568 secondary servers, 42, 53–54 unknown groups, 116 Server-to-server communication, 19, 119–120 Servers backing up, 622–632 capacity of, 169 client/server architecture of, 17–19 cluster, 26–27, 356–357 configuring for LiveUpdate, 451–453 configuring NAVCE, 208–212, 366–367 description, 196 designating, 387 DHCP, avoiding, 482 exporting lists of, 151 implementing NAVCE, 201–208 installation paths, old, 494–495 installations, incomplete, 493–494 Microsoft Exchange, 353, 515–516 migrating before clients, 297 NAVCE, dedicated to, 387 “NAVCE server,” definition of, 196, 330, 366 NAVCE Server Program, 196 NetWare, troubleshooting, 505–510 passwords for, 150, 397–399 physical, 196

708

Index

preferred protocols, 508–510 proxy, 172, 424, 500 refreshing, 123 Registry keys, NAVCE, 212–216 reinstallation problems, 494 restoring, 633–636 role reassignment, 121–122 secondary servers, 171 size limit for server list file, 528 Small Office/Home Office (SOHO), 596 space conservation, 309 terminal, 15, 26–28, 357, 403–404 third-party application problems, 493 troubleshooting Windows installation, 486 uninstalling NAVCE, 208–212 Windows NT or 2000 as NAVCE servers, 199–208 see also Central Quarantine server; Operating systems, support for; System requirements Service level agreements (SLAs), 604, 620–621 Services Central Quarantine Server on Windows NT or 2000, 164–165 on client computers, 279–282 Defwatch, 51, 97, 218, 281 list of, 496 load options for, 339–340 NAVCE on Windows NT or 2000, 217–218 Remote Client Services (RCS), 462 unloading, 339–340 see also Discovery services in SSC; Ping Discovery Service (PDS); RTVScan service;Terminal Services (TS) Set Value key in Registry, auditing, 406 Setup.exe command line switches, 303 Setup.wis file, 270, 275, 307 sfc commands, 510–511, 540 SFT III not supported, 200 Shares hidden, 416 SMB-based, 501

Signatures, virus, 432 Silent client installation, 236, 240, 302–303, 308 Silent managed client installation, 246 Simple Mail Transfer Protocol (SMTP), 579 Simple Network Management Protocol (SNMP), 124, 138–141, 180, 467 Single point of administration, 35 16-bit clients grouping with 32-bit clients, 492 logon scans, 568–569 temporary directory in Autoexec.bat, 264 upgrading, 302 Size limit for server list file, 528 Size value in Registry, 530–531 SLA (service level agreements), 604, 620–621 Small Office/Home Office (SOHO), 64, 596 SMARTDRV.EXE utility, 570 SmartScan, configuring, 660 SMB-based alerts, 493 SMB-based shares, 501 SMB signing bug, 504 SMS (Systems Management Server), 275–276 SMTP (Simple Mail Transfer Protocol), 579 Snap-ins Alert Management System2 (AMS2), 88, 580 Central Quarantine Server, 392 Console Add-ons for SSC, 89 mail, 332 Management for NAVCE, 89, 97 Performance Monitor (Windows 2000), 532–533, 548, 597 Professional Performance (Windows XP), 533 SSC, as snap-in to MMC, 16, 39, 79 SSC, requirements for, 83 SSC, snap-ins for, 88–90, 97–112 SSC, uninstalling from, 97–112 SNMP. see Simple Network Management Protocol (SNMP) Social engineering, 384–385 Software backup, 610–611

Index

maintenance program, 66, 68 piracy, 61–63, 381 spam, 381 see also Antivirus software SOHO (Small Office/Home Office), 64 Sometime managed clients, 59, 228 “Son” tapes, 600 SourceDir key in Registry, 498 Space conservation, 309 Spam, 381 Spiders, 21 SPS. see Symantec Product Specialist (SPS) certifications SPX protocol Central Quarantine Server monitoring, 170, 191 client configuration, 491 IPX/SPX networks, 508 Scan and Deliver monitoring, 182 TCP/IP-IPX/SPX incompatibility, 490 SQL, 598 Square brackets, 580 SrvCon.ocx file, 112 SSC. see Symantec System Center (SSC) SSH (Secure Shell), 467 SSL (Secure Socket Layer), 60, 378 SSR. see Symantec Security Response (SSR) Stack loaders, 615 Start menu, removing NAVCE from, 499, 525, 526 Startup folder in Windows, 515 Startup scans, 571–572 Static addresses, 482 Static data archive, 598 Static ports, 484 Status display program (vptray.exe), 281–282, 403, 495, 514–515 Status query interval, 173 Stoned boot virus, 8 Storage location, offsite, 601–604 Striker technology, 558–559 Submissions of viruses to SSR manual, 182–183

709

method of, 162 Support, Symantec, 304, 314–315 Support and service levels, 620–621 Support calls, escalating, 621 Support date for NAVCE, 314 SurfinGuard antivirus freeware, 11 Sweeps, virus, 80, 144, 577–579 Symantec ActiveX controls, 239 Symantec AntiVirus Corporate Edition (SAVCE) 8.0 features, 54, 171 operating systems, support for, 29–31 Symantec AntiVirus Research Automation (SARA) system, 22, 155 Symantec AntiVirus Research Center (SARC), 20 Symantec CarrierScan antivirus freeware, 11 Symantec Central Quarantine service, 164 Symantec Enterprise Support, 315, 458 see also Symantec Support Symantec Knowledge Base best practices for NAVCE, 373 cluster servers, 357 description, 534–535 LiveUpdate, 459 Microsoft Exchange server, 353, 515–516 Preferred Protocol settings, 29 protection versus performance, 373 Roaming Client Support, 369 terminal servers, 360 Windows resources, optimal use of, 373 Symantec Package Utility, 267–273 Symantec product offerings, 68–69 Symantec Product Specialist (SPS) certifications advice for, 35 beta exams, 32 description, 31–32 exam number, 2 exam topics, 32–35 Windows Registry, 217 Symantec Quarantine Agent service, 164 Symantec Quarantine Scanner service, 165

710

Index

Symantec search engines, 535 Symantec Security Response (SSR) configuring Scan and Deliver, 182–183 description, 20–22 Symantec Support, 304, 314–315 see also Symantec Enterprise Support Symantec System Center (SSC) administration, centralized, 16–19, 79–80 administration, remote, 88 alerts, managing, 88 bandwidth usage, 46–47, 119–123 cache, clearing, 115 cache, refreshing, 96 changes, propagating, 412 client view, 413 communication among servers, 19 communication with clients, 489–490 configuring Central Quarantine Server, 157, 392 console, detail in, 89 console, refreshing, 122–123 console, traffic from, 119 Console Add-ons snap-in, 89 description, 16–17, 44, 146 Discover Service (nsctop.exe), 95 discovery services, 86, 96, 113 features, 85–88 implementation, 90–112 installing, 91–96, 147 IP or IPX communication, 28–29 manual scan, configuring, 550–556 manual scan, launching, 550–551 operating systems required, 85–86 passwords, setting, 398 passwords, unsaving, 150 performance considerations, 45 requirements, 81–86 server group administration, 79–80, 86–87, 130–131 snap-ins, uninstalling, 97–112 supported protocols, 85 task initiation, 87

three-day client time-out, changing, 296–297 traffic, network, 119–123 troubleshooting, 96, 487–488 uninstalling, 96 upgrading, 299 version, finding, 152 versions, not mixing, 90 Windows version requirement, 299 See also Microsoft Management Console (MMC) _syminst.exe and ~syminst.exe installation binaries, 494 Syngress Solutions Web site, 459 Syntax of server list file, 528 System, restarting, 7 System accounts, invalid, 500–501 System requirements backups, 610 Central Quarantine Console, 156–157 Central Quarantine Server, 161 clients on MS-DOS, 233 clients on Windows, 233–235 Disk Operating System (DOS), 23 doubling, 81 LiveUpdate Administration Utility, 446–447 NAV 2003, 644–646 NAVCE on NetWare, 26, 47, 200, 387 NAVCE on Windows, 31 NAVCE on Windows NT or 2000, 25–26, 47, 198–199, 387 SAVCE 8.0, 31 Symantec System Center (SSC), 81–84 Windows operating systems, 83–84 System Restore feature, Windows, 516–518 System State backups, 623–624, 629, 635 Systems Management Server (SMS), 275–276

T Tape rotation schemes, 599–601 Tapes, magnetic, for backups, 614–615 TargetDir key in Registry, 498

Index

Task initiation in SSC, 87 Task Scheduler, Windows, 627 TCP/IP protocols Central Quarantine Server, 170, 191, 193 client configuration, 491 configuring for NAVCE, 389–390 configuring for NetWare, 410 hardening NAVCE servers, 402–403 IPX/SPX incompatibility, 490 NetBIOS over, 504 Teddy Bear virus hoax, 8 Terminal servers, support for, 15, 26–28, 357, 403–404 Terminal Services (TS), 357–360, 403, 531–532 Test rollout, 293 Testing. see Symantec Product Specialist (SPS) certifications Testing alert actions, 142 Testing laboratory, 292–293 Testing NAVCE deployment, 282–283, 292–293 TheFreeSite.com, 12 Thin clients, 38 Third-party application problems, 493 Third-party installation of NAVCE, 273–276, 493 Third-party LAN antivirus products, 309–310, 325 Third-party search engines, 536 32-bit clients, 492 Threats blended, 447 identifying, 383–386 internal, 385 “Three Cs,” 575 Three-day client time-out, changing, 297 Thunk Layer, 21 Time management, 319 Timer Loop, RTVScan, 217, 435–436 Tivoli Enterprise Console, 138 Tools

711

AppSec (application security), 27–28, 403–404 FPORT, 424 Importer.exe, 86, 116–119 NetWare secure console utility, 412 NMAP, 381 package.exe utility, 267, 306–307 RCONSOLE and RCONSOLJ (remote access utilities), 296, 412 RCONSOLJ (remote access utility), 412 regedit.exe (Registry editor), 98, 405, 419 regedt32.exe (Registry editor), 406, 419 resetacl.exe (Reset ACL), 416–419 SCRSAVER.NLM (screen lock), 411 SMARTDRV.EXE utility, 570 vpregedt.nlm (Registry editor), 390–391, 509 vpremove.exe (uninstaller), 90 vptray.exe (status display program), 281–282, 403, 495, 514–515 Windows Installer Clean Up, 499, 527 see also AntiVirus Server Rollout add-on; Editing tools for Registry Toothbrush analogy for passwords, 421 Topics of SPS exam, 32–35 Total Virus Defense Suite (TVD) software, 11 Tower of Hanoi rotation scheme, 600–601 Trace route (tracert) application, 477 Tracking performance, 532–533 Traffic, network, from SSC console activity, 119 console, refreshing, 122–123 Discovery Cycle, 120 NAVCE client enumeration, 121 NAVCE client/server, 120–121 server group reassignment, 122 server role reassignment, 121–122 server-to-client, 120–121 server-to-server, 119–120 Training, Symantec, 32 transman.dll file, 52 Traveling clients, 425 Trojan horse viruses

712

Index

Back Orifice 2000 (BO2K), 6–7 Backdoor.SubSeven, 7 description, 6–7 identifying threats, 385–386 Troubleshooting Active Directory, 467–468 applications for, 470–478 Central Quarantine Console, 185–186 Central Quarantine Server, 186–189 clients, 510–516 CPU utilization readings, 505 DNS configuration, 463–466, 468–470 DNS Expert, 477 firewalls, 483–485 fixes, miscellaneous, 504 FTP, 411 fully qualified domain names (FQDN), 475, 528–529 hard disks, 510–511 host names, 529 installation, NAVCE, 518–523 installation paths, old, 494–495 installations, incomplete, 493–494 invalid system accounts, 500–501 LiveUpdate, 500–501, 530 log files, 478 NAV 2003, 657, 668–669 NAV 2003 Professional Edition, 681–682 NetWare servers, 505–510 NetWare servers, scans in, 510 Network Interface Cards (NICs), 501–504 Ping, 477 printing, 511–512 quarantine directory full, 484 reinstallation problems, 494 reverse DNS zones, 466–468 Roaming Client Support, 528–529 Sam Spade, 477 Symantec System Center (SSC), 96, 487–488 TCP/IP-IPX/SPX incompatibility, 490 third-party application problems, 493 tools for, 470–478

Trace route (tracert), 477 Whois Queries, 477 Windows server installation, 486 WS Ping ProPack, 477 Trust in end users, 302, 304 Trusted employees, 7 TS. see Terminal Services (TS) TVD (Total Virus Defense Suite) software, 11

U UDP. see User Datagram Protocol (UDP) Unauthorized disclosure of data, 378–379 Underscore (_) entries, 467–468 Unicode encoding, 630 Uniform Naming Convention (UNC) share issues, 501 Uninstall key in Registry, 498 Uninstalling Alert Management System2 (AMS2), 127–128 by command line, 209, 302 manually, 209–212 NAV 2003, 669–670 NAV 2003 Professional Edition, 682–683 NAV for NetWare, 300–301 NAVCE, 90 NAVCE after failed installation, 494 NAVCE and LANDesk, 90 NAVCE clients, 276–277, 523–527 NAVCE removal tool, 494 NAVCE servers, 496–504 NAVCE servers on Windows NT or 2000, 208–212 password, 72–73 Quarantine Console, 159–160 Quarantine Server, 165–166 Symantec System Center (SSC), 96 Symantec System Center (SSC) snap-ins, 97–112 Windows Installer Clean Up utility, 499, 527 UNIX-based operating systems, 472, 474–475

Index

Unix Print Services, installing, 410 Unknown server groups, 116 Unloading services, 339–340 Unmanaged clients. see Clients, unmanaged Updates of virus definitions. see Virus definitions, updates of Upgrade Insurance, 66 UpgradeCodes key in Registry, 498 Upgrading to NAVCE 7.6 dependencies, 320–322 deployment, testing, 282–283, 292–293 end users, advising, 294–295 from LANDesk or NAV, 295, 298, 302, 326 language differences, 291 from NAVCE 7.0 and 7.5, 297–298 planning, 291–297 reasons, 290 resources, 311–312 rollout, testing, 293–295 sample project plan, planning, 310–311 silent installation, 302–303, 308 Symantec System Center (SSC), 299 tasks, 312–318 timelines, 318–320 version 6.x of NAVCE, upgrading, 298–299, 302 see also Automatic migration options URLs. see Web sites usage.dat file, 517 Use, acceptable, 381–382 User Datagram Protocol (UDP) client check-in, 228, 372 description, 228–229 ports, 6, 150 status packets in, 120 Users advising, 294–295 disaster recovery plan, involvement in, 604 needs, 420–421 trust in, 302, 304, 307 UsingPattern key in Registry, 278

713

V Value Program Commit option, 67 decentralized purchasing, 67–68 description, 64–67 Forecast option, 67 Variables alert parameters, 132 in e-mail notification, 581 VB (Visual Basic), 5–6 VBA (Visual Basic for Applications), 6 *.vbs files, 226 VBS.LoveLetter virus, 6 VCatch Basic antivirus freeware, 11 .vdb files, 433–435 VDTM. see Virus Definition Transport Method (VDTM) Vendor security patches, 585, 592 Verification process, 626 Versions of NAVCE 3.x, 326 4.x, 302 5.x, 326–327 7.6 and NetWare 6.0, 356 7.6 features, 15 not mixing, 90 see also Symantec AntiVirus Corporate Edition (SAVCE) 8.0; Upgrading to NAVCE 7.6 Virtual private network (VPN) encryption, 61 Virus Definition Manager, 230, 437, 443 Virus Definition Transport Method (VDTM) description, 434–435 features, 436 LiveUpdate comparison, 439–442 RTVScan Timer Loop, 217, 435–436 server, configuring for, 436–439 Virus definitions, updates of certified and noncertified definitions, 174–176 checking often, 577 configuring options, 80

714

Index

distributing among servers, 119 distributing to clients, 120 free access, 20 frequency of queries, 174 Intelligent Updater, 434, 453–455 master primary server, 54 methods, planning, 295 Mobile Definition Updater, 434 monitoring, 413 naming method, new, 433 old definition files, 518 package.exe utility, 306–307, 434 receiving and testing, 183 remote, 88 source of, 444 SPS training for, 33–34 testing validity of, 396 .vdb files, 433–435 Web site, 454 see also Intelligent Updater; LiveUpdate; Virus Definition Transport Method (VDTM) Virus engine, 197 Virus Found alerts, NAVCE, 15 Virus History, 143–144 Virus Sweep function, 80, 577–579 Virus Sweep History, 144 Viruses blended threats, 447 compared to worms, 385–386 definitions, 197 fingerprinting, 36 history, 3–5 identifying threats, 385–386 list of, 432 log of events, 572–573 logic bombs, 5, 618 mechanisms, 3–4 memory-resident, 7 new, 40 polymorphic, 558–559 routing to Central Quarantine Server, 184–185

seeking, 21–22 signatures, 432 verification Web page, 9 see also Boot viruses; Notifications;Trojan horse viruses; Virus definitions, updates of; Viruses, actions by; Viruses, outbreaks of; Viruses, scanning for; Viruses, specific Viruses, actions by blocking access to antivirus Web sites, 574, 591 configuring, 347–348 directories, listing, 7 editing Registry, 7 file system, browsing, 6, 7 FTP server, initiating, 7 port scans, 579 programs, opening and closing, 7 repairing, 218 screen shots, 7 system, restarting, 7 Viruses, outbreaks of Alert Management System2 (AMS2), 580 boot viruses, recovering from, 582–585 cleaning up, 580–585 communicating, 575–576 containing, 576–577 files, infected, 582 history log, 582 identifying, 574 managing, 585–587 sweeping, 80, 144, 577–579 see also Notifications Viruses, scanning for analyzing results, 572–573 cancellation of, 414–415, 577 compressed files, 555, 569–570 custom scans, 572 definitions, certified and noncertified, 174–176 file extensions, excluding, 345, 352, 553–555 file extensions, including, 345 floppy disks, 344 frequency of scans, 342, 549

Index

history of scans, 582 logon scans, 568–571 manual scans, 550–557 methods, 550–553 NAVCE clients, 414–415 NAVCE servers, 403–404 “one-click” scanning, 590 performance considerations, 547–549 remotely, 88 response options, 551–553 scheduled scans, 80, 549, 566–568 SPS training for, 34 startup scans, 571–572 see also Real-time scans Viruses, specific Baboon, 8 Bloodhound.something, 590 Class.Poppy or Woobie, 4 ILOVEYOU, 6, 575–576 KillRoy, 8 Melissa, 6 NYB, 8 Stoned, 8 VBS.LoveLetter, 6 W97M.Class.A.Gen, 4 W97M.melissa, 6 see also Trojan horse viruses VirusProtect6 key in Registry, 61, 509 VirusScan Professional software, 11 Visual Basic for Applications (VBA), 6 Visual Basic (VB), 5–6 VP6 key in Registry, 497 vpc32.exe (NAV user interface), 303 VPN (virtual private network) encryption, 61 vpregedt.nlm (Registry editor), 390–391, 509 vpremove.exe (uninstaller), 90 vprpts.dll file, 112 vptray.exe (status display program), 281–282, 403, 495, 514–515 VSCAND.EXE executable, 570 Vulnerabilities, 381, 609

715

W W32.Klez.A@mm worm, 5 W97M.Class.A.Gen virus, 4 W97M.melissa virus, 6 WAN (wide area network) links, 46 Wanderers, 21 Warm site, 603 Warning message at logon, 401 Web sites AntiVirus Test File, 372 AppSec (application security), 28 Back Orifice 2000 Trojan horse (BO2K), 7 BIND, 469 blocking access to, 574, 591 Business Software Alliance, 62 CERT, 585 DNS Expert application, 477 Emergency Disk program, 648 FPORT utility, 424 freeware antivirus programs, 11 hoax-response page, 9 LiveUpdate Administration Utility (luau.exe), 448 LiveUpdate manuals, patches, and files, 459 Microsoft Project 2000, 322 MMC customization, 81 NAVCE removal tool, 494 NAVCE technical support, 535 NetWare Loadable Modules (NLMs), 510 NPDTechworld, 10 patches and fixes, Symantec, 5 Ping Pro, 470 Roaming Client Support, 369 Sam Spade application, 477 security awareness, 585 SMTP definition, 579 Symantec Enterprise Support, 315, 458 Symantec Knowledge Base, 29, 459, 534–535 Symantec Security Response, 20, 193 Syngress Solutions, 459 Systems Management Server (SMS), 276

716

Index

training, Symantec, 32 vendor updates and bulletins, 592 virus definitions, updates of, 454 virus outbreaks, latest, 535 Windows Scripting, 417 WS Ping ProPack application, 477 Yahoo Groups, 459 Web spiders, 21 webshell.dll file, 112 Well-known ports, 485 Whois queries, 470 Whois Queries application, 477 Wide area network (WAN) links, 46 Windows Installer Clean Up utility, 499, 527 Windows Installer service, 486 Windows Internet Naming Service (WINS) database updating, automatic, 479 Discovery service, 86, 116 legacy solution, 463, 480 server, 114 Windows Me System Restore, 516 Windows operating systems 3.x, 24, 302, 568 administrative shares, 416 Alert Management System2 (AMS2) incompatibility, 124–125 application server mode, 360–366 Central Quarantine Server services, 164–165 cluster servers, 26–27, 356–357 Distributed Component Object Model (DCOM), 520–523 Event Viewer, 478 grc.dat file locations, 492, 606 hardware requirements, 25–26, 31, 83–84, 387 hidden shares, 416 Internet Information Server (IIS), 79 Me, 516–518 NAVCE clients, uninstalling, 523–527 NAVCE clients and servers, 87 NAVCE migration options, 301–309 NetWare servers, 508 NT or 2000 as NAVCE servers, 199–200

NT or 2000 required for Quarantine Server, 160 NTBackup in Windows 2000, 622–632 patches, 303 Performance Monitor (Windows 2000), 532–533, 548, 597 PreferedProtocol parameter, 85, 389–390 Professional Performance snap-in (Windows XP), 533 remote administration mode, 360–366 resources, optimal use of, 373 Roaming Client Support, 368 SNMP traps, 138–139 Start menu, removing NAVCE from, 499, 525, 526 Startup folder, 515 support for, 24–27, 30–31 System Restore feature, 516–518 Task Scheduler, 627 Terminal Services (TS), 357–360, 403 version requirement for SSC, 299 XP, DNS service for, 469 XP and CD-RW, 613, 640 XP and System Restore, 517–518 see also Event log, Windows; Registry, Windows; System requirements; XP, Windows Winlogon in Registry, auditing, 407 WINS. see Windows Internet Naming Service (WINS) Wizard, configuration, 131, 622–632 Woobie or Class.Poppy virus, 4 Workflow details, 585–586 Worms Code Red, 579 compared to viruses, 385–386 description, 5 .Kak, 15 Klez, 5 Nimda, 579 propagation, 579 Symantec web spiders, 21 W32.Klez.A@mm, 5

Index

Write DAC key in Registry, auditing, 407 WS Ping ProPack application, 477

X Xfr.exe (Intel File Transfer), 126 XP, Windows CD-RW, 613, 640 DNS service for, 469 NAVCE clients, installing, 234–235 Network Interface Cards (NICs), 503–504 Security Options, changing, 234–235 SMB signing bug, 504 System Restore, 517–518

Y Yahoo Groups, 459

Z Zip drives for backups, 613–614 ZoneAlarm firewall application, 484 Zones, DNS forward, 464–466, 468 reverse, 464, 466–468 transfers, 474

717

Syngress: The Definition of a Serious Security Library Syn•gress (sin-gres): noun, sing. Freedom from risk or danger; safety. See security. AVAILABLE NOW order @ www.syngress.com

Check Point Next Generation Security Administration

Cherie Amon and Doug Maxwell The Check Point Next Generation suite of products provides the tools necessary for easy development and deployment of Enterprise Security Solutions. Check Point VPN1/FireWall-1 has been beating out its competitors for years, and the Next Generation software continues to improve the look, feel, and ease of use of this software. Check Point NG Security Administration will show you the ins and outs of the NG product line. ISBN: 1-928994-74-1 Price: $59.95 USA $92.95 CAN

Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle

AVAILABLE NOW order @ www.syngress.com

Erik Pace Birkholz “Strap on the night vision goggles, apply the camo paint, then lock and load. Special Ops is an adrenaline-pumping tour of the most critical security weaknesses present on most any corporate network today, with some of the world’s best drill sergeants leading the way.” —Joel Scambray, Senior Director, Microsoft’s MSN “Special Ops has brought some of the best speakers and researchers of computer security together to cover what you need to know to survive in today’s net.” —Jeff Moss, President & CEO, Black Hat, Inc. ISBN: 1-931836-69-8 Price: $69.95 USA $108.95 CAN

AVAILABLE NOW order @ www.syngress.com

Stealing the Network: How to "Own the Box" Ryan Russell, FX, Kingpin, and Ken Pfiel “Stealing the Network: How to Own the Box is a unique book in the fiction department. It combines stories that are false, with technology that is real. While none of the stories have happened, there is no reason why they could not. You could argue it provides a road map for criminal hackers, but I say it does something else; it provides a glimpse into the creative minds of some of today’s best hackers, and even the best hackers will tell you that the game is a mental one.” — from the foreword by Jeff Moss, President & CEO, Black Hat, Inc. ISBN: 1-931836-87-6 Price: $49.95 USA $69.95 CAN