Q: I have a subset of traveling users who only connect to the home network every few weeks. How can I best handle their Quarantine needs?
A: You have two options here, depending on the “computer-savviness” of the people in question. You can either configure their individual PCs to submit any quarantined items directly to SSR, bypassing your central Quarantine Server entirely. Or, you can set up a second central Quarantine Server to handle Email-based Scan and Deliver submissions, and configure these clients to point to it instead of a Quarantine Server using Internet-based Scan and Deliver.
Implementing NAVCE 7.6 to Servers
Solutions in this chapter:
■ Understanding NAVCE 7.6 Servers
■ Implementing NAVCE 7.6 To Servers
■ Understanding NAVCE 7.6 Registry Keys on NT / 2000 Servers
■ Solutions Fast Track
■ Frequently Asked Questions
Norton AntiVirus Corporate Edition (NAVCE) Servers are the main pillars of the Norton AntiVirus Solution. Without them you would not be able to deploy a NAVCE solution. NAVCE servers allow you to manage clients, distribute virus updates, perform alerting procedures, and so much more. The NAVCE server is critical to a viable NAVCE implementation; if you wish to install managed NAVCE clients, you will need to install at least one NAVCE server.
In this chapter, we will discuss the steps necessary to install and configure these servers that are so critical to the NAVCE infrastructure. Along with discussing the hardware requirements necessary to implement the NAVCE software, we’ll examine the steps involved in an actual NAVCE server installation. The NAVCE installation process is largely the same whether you are installing to a Windows NT Workstation, Server, or Windows 2000 Professional or Server machine; therefore the procedures discussed in this chapter can be used as a guideline for any sort of NAVCE installation.
We’ll conclude the chapter with an examination of the various components of the NAVCE Server software. This includes the Registry keys and Windows services that the NAVCE server software requires to function, as well as the grc.dat file that NAVCE uses to update client configuration information. Possessing a working understanding of these components will serve you well as you develop a comprehensive antivirus strategy for your company’s network.
Understanding NAVCE 7.6 Servers
To begin, we should define some terminology that will appear quite often throughout this chapter. It is important to understand the difference between the terms server and NAVCE Server. NAVCE Server refers to the programs and services that the NAVCE software package offers to assist administrators in managing antivirus protection on NAVCE clients. On the other hand, a physical server refers to a piece of dedicated network hardware that can serve many types of file and application services, not just those offered by Symantec.
The two major components of the NAVCE server software are as follows:
■ Server Program The NAVCE Server Program refers to the core executable (.exe) files and other files that are required for the NAVCE server to function.
■ Alert Management System 2 (AMS 2) AMS 2 provides centralized alerting and emergency management capabilities. AMS 2 allows parent servers to collect alert information from their clients and forward these alerts to the primary NAVCE server within each server group. An administrator can then view the alerts from any server and take administrative actions (such as quarantining or removing files) accordingly.
AMS 2 can be configured to send alerts via any of the following mechanisms:
■ Message Box
■ Send Page (e-mail to pager)
■ Send Internet Mail
■ Run Program (can be an executable configured to perform any custom actions)
■ Broadcast
■ Send SNMP Trap
■ Write to Event Log
■ Load an NLM
Notes from the Underground…
Basic Components of an Antivirus (AV) Solution
Any well-constructed AV application consists of the following primary components, all three of which are implemented within the NAVCE server program:
■ A Scanning Application This is a user interface (UI) that defines scanning options (such as file types, directories and drives to be scanned), features, and alerts.
■ A Virus Engine A virus engine scans files for suspicious activity and behavior, such as a file that includes instructions to delete the contents of a directory or drive. If the engine detects this type of behavior, it will check the virus definitions to determine if the virus signature is known and how it should be repaired. It will then follow pre-defined instructions (such as repair or delete file) or will prompt the user via the scanning application. The virus engine in NAVCE is called NAVEX. The NAVEX engine architecture is different from other AV vendors in that it can be updated automatically via the LiveUpdate incremental downloads. Most other vendors only allow automatic downloads of virus definitions, while engine updates require reinstallation of their software, which can result in system downtime. With NAVCE, virus definition downloads and NAVEX engine updates can be performed while a system is running.
■ Virus Definitions Virus definitions help determine whether a file has already been identified as a virus, as well as instructions for repairing it.
Windows NT / 2000 Server System Minimum Requirements
■ Intel Pentium Processor (Intel Pentium Pro or higher)
■ 62MB free disk space for NAVCE Server files
■ 10MB free disk space for AMS2 Server files
■ Local administrative rights
■ Administrative file shares like C$ and admin$ must be enabled
Utilizing Windows NT 4.0 Workstation or Windows 2000 Professional Systems as NAVCE Servers
It is possible to install NAVCE server on a Windows NT 4.0 Workstation or Windows 2000 Professional system; but as with anything else there are pros and cons associated with this decision. The greatest benefit of using the Windows Workstation or Professional versions is that of cost savings: the cost of procuring a Windows NT or Windows 2000 client PC is significantly lower than procuring even a low-end server. You should consult your software reseller for accurate pricing information, but if you are basing the decision solely on cost, you may wish to opt for installing NAVCE on a workstation operating system.
On the other hand, Windows NT Workstation and Windows 2000 Professional only support a maximum of ten concurrent (file sharing) network connections. While this does not specifically limit the number of TCP connections that NAVCE clients will be able to establish with the workstation, it does limit the number of connections that can be established that require access to file shares, named pipes and so on. Therefore, while a NAVCE server running on Windows NT 4.0 or Windows 2000 Professional can theoretically service any number of NAVCE clients, it will only be able to distribute virus definitions to 10 clients at any given moment. This can seriously impact the speed with which the definitions are distributed to the end clients.
Designing & Planning…
System Requirements
Remember that these are the recommended specifications for running only the NAVCE Server program. In other words, any additional components such as the Symantec System Center Console (SSC), or the Alert Management System 2 (AMS 2), or any unrelated applications also require additional resources. When defining your system specifications, you also need to consider the requirements for the operating system itself. For example, the minimum system requirements for Windows 2000 server are as follows:
■ Pentium 133MHz or higher
■ 256MB RAM recommended minimum
■ 2GB hard disk with a minimum of 1GB free space
As you can see, these minimum system requirements are far higher than those recommended by Symantec to install the NAVCE server. As a system administrator, you’ll need to test your hardware to determine that it will realistically function within your specific network environment. For more detailed information on NAVCE scalability and system requirements, consult the Symantec Knowledge Base.
Novell NetWare Server System Minimum Requirements
If you wish to install the NAVCE server software onto a Novell server, you’ll need to be sure that your server hardware meets the following requirements. Please note that at the time of this writing, NAVCE 7.61 is not supported under Novell 6 or 6.5. You’ll need to implement SAVCE 8.0 if you wish to use NetWare 6.x.
■ NetWare 3.12 and 3.2 (does not allow for Quarantine Server support); NetWare 4.11 with Support Pack 9; NetWare 4.2 with Support Pack 9; NetWare 5.x with or without Support Pack 2
■ 3MB RAM beyond any other memory requirements to run the Norton AntiVirus NLMs
■ If you are running NetWare 3.12, you’ll need Streams.nlm 3.12 or later. Versions of NetWare more recent than v3.12 will require 3.11.nlm version 4.12 and clib.nlm version 3.12g or better
■ NetWare 4.1x requires LIBUPF, which is available in Support Pack 7 or later
■ 70MB of available disk space for Norton AntiVirus server files, as well as 46MB for NAVCE client disk images
■ 10MB disk space for AMS2 files (20MB will be required during the installation process)
NOTE
SFT III is not supported.
Implementing NAVCE 7.6 to Servers
When rolling out the NAVCE software to the servers in your network environment, you’ll need to develop a plan for deploying the various modules of the NAVCE software. In this section, we’ll discuss some key points to keep in mind when installing NAVCE to Windows NT/2000 servers so that the installation process can go as smoothly as possible. We’ll then spend the bulk of the section going step by step through an actual installation routine so that you can understand and plan for every step along the way.
Developing a Deployment Plan
No project can be successfully completed without formulating a deployment plan. Since NAVCE contains several different modules as well as administration and management tools, you should become familiar with each component and determine which ones need to be installed on each piece of equipment. Once you have determined the exact needs for your network environment, you can begin to plan the actual server installations.
Windows NT/2000 NAVCE Server Installation Considerations
Some factors to consider when installing NAVCE Server to NT/2000 are as follows:
■ Operating system You need to determine the operating system that the NAVCE Server will use. Along with deciding between using a client or a server operating system, you should determine which service packs to install, and if there are any other standards within your enterprise environment that you should consider.
■ Destination folder for the installation files Often in an enterprise environment you will have software installation standards that need to be adhered to. These may include installing all programs to the root of the C: drive, or installing all the programs to the D: drive instead of the C: drive. Before you proceed, make sure that you are aware of any such standards, as well as the available drive space in comparison with the minimums set forth by Symantec.
There are several additional points to keep in mind when installing a NAVCE Server Group (Server Group planning is discussed more fully in Chapter 2):
■ Server group membership Decide whether your newly installed NAVCE server will join an existing server group or if you will be creating a new one. Be sure to adhere to any deployment or enterprise naming standards that may have been created during the planning stages of your NAVCE implementation.
■ Server group password Be sure that you know the server group password to join an existing server group. If you will be creating a new server group, you should decide upon a password in advance and communicate this password to anyone else within IT or management who requires it.
■ NAV services startup You will be asked if you want NAVCE services to load automatically upon startup or if you would want them to be launched manually. In most cases you’ll want these services to launch automatically. However, the option for a manual start will be available during the installation process.
Installing NAVCE 7.6 to Windows NT/2000 Servers
In this section we’ll go over the steps needed to install the NAVCE server software to a Windows 2000 server.
1. From the Windows 2000 desktop, insert CD 2 of the NAVCE installation media, or browse to a network location where the CD 2 files are available.
2. Double-click on the CDStart.exe icon.
3. Click Install Norton AntiVirus to Servers as shown in Figure 5.1.
Figure 5.1 NAVCE Main Installation Screen
5. This will bring you to the License Agreement window (Figure 5.3). Select I agree, then click Next.
6. You will be prompted to select the item that you wish to install (Figure 5.4). For the purpose of this chapter select Server Program. Uncheck Alert Management System AMS 2 if it is checked. Then click Next. We’ll cover the installation and configuration of AMS2 in Chapter 3.
Figure 5.2 Installing NAVCE Server
Figure 5.3 License Agreement and Warranty
Figure 5.4 Selecting NAVCE Server Components
7. Next you will be prompted to select the computers you wish to install the NAVCE server program to (Figure 5.5). Click the name of the computer you are installing to and click Add. Here, we are installing to the local computer named Athar-Test01.
8. You will see that Athar-test01 now appears in the Destination computers: pane as shown in Figure 5.6. Click Next.
9. Now, you will need to select the destination for the NAVCE server program files on the machine Athar-test01. For the purpose of this exercise we will install to the default location in the program files folder on drive C as shown in Figure 5.7. Accept this location by clicking Next. If you would like to select an alternate location for the NAVCE server program files, highlight the
Figure 5.5 Selecting a Target Computer
Figure 5.6 Verifying the NAVCE Install Destination Computer
10. The next window (Figure 5.8) is where you can either enter a new Norton AntiVirus Server group name or join an existing group. Here, we will accept the default server group name of Norton Antivirus 1 and click Next.
11. You will be asked to verify the creation of the new server group as shown in Figure 5.9. Click Yes.
12. If you are running a NetWare server, it is best to configure the NAVCE Server to start up automatically. If this applies, select Automatic startup and click Next as shown in Figure 5.10. NAVCE Servers automatically start running on system startup if you are running Windows NT or Windows 2000.
Figure 5.7 Select the Program Files Destination
Figure 5.8 Creating a New Server Group
Figure 5.9 Verifying the Creation of a New Server Group
13. You will now be reminded that SSC should already be installed on your system. If so, click Next as shown in Figure 5.11. If not, follow the directions on the screen and refer to Chapter 3 for additional information.
14. The Wizard now will tell you that the default password on the initial run is “symantec” (all lower case) as shown in Figure 5.12. It is a good practice to go back and change the password after the installation is complete. Click Finish.
Figure 5.10 Configuring Server Startup Options
Figure 5.11 Symantec System Center Console Information
Figure 5.12 Select Server Group Password
15. A warning will appear informing you that your virus definitions are not up to date (Figure 5.13). Place a check mark next to Don’t remind me again until after next update. Then click Close. You will update the virus definitions after the server install has been verified as working properly.
16. You should now be able to view the Setup Progress window (Figure 5.14). Verify that this information is correct and then click Close.
17. You will be returned to the AutoRun splash screen. Click Exit as shown in Figure 5.15.
Figure 5.13 Virus Definition File Warning
Figure 5.14 Setup Progress
Figure 5.15 Exiting Installation Screen
18. Reboot the system to complete the installation of the NAVCE server software.
The installation process that we described in this section is nearly identical to the steps needed to install NAVCE on any other Windows platform. Therefore, you can use this exercise as a template to install NAVCE server on nearly any Windows-based operating system within your network environment.
Configuring NAVCE 7.6 Servers
As we discussed at the beginning of this chapter, NAVCE server refers to the services that a NAVCE system provides to your network clients. Now that the server component of NAVCE is installed on our Windows 2000 Terminal Server, we can begin to configure it. Configuring antivirus protection on a NAVCE server is quite similar to that of a NAVCE client; therefore you should refer to those instructions within this chapter. The largest difference that you will notice is in the method of accessing the NAVCE console: when attempting to start the NAVCE server console, you will be prompted for the Norton AntiVirus Server Group password (Figure 5.16). This is the password that was established while installing the server software in the previous section (Figure 5.12). The default password for a NAVCE server console is “symantec” (case sensitive). Once you enter the password and click OK, you will see the NAVCE server console. The console appears to be identical to the NAVCE client console with the exception of an additional section labeled General Information. In a NAVCE server, you will notice that there is a Server Grp caption which defines the NAVCE server group that this NAVCE server belongs to. In a client console, you would see parent server information in the same area of the console.
Figure 5.16 Unlocking the Norton AntiVirus Server Group
Uninstalling NAVCE 7.6 from
standard uninstall routine fails or terminates abnormally, you can use the alternate methods discussed in the subsequent sections.
Uninstalling NAVCE Using the Command Line
You can uninstall the NAVCE server software from the command line by issuing the following command:
msiexec.exe /q/x {D6C64C68-F9F5-11D3-BEEA-00A0CC272509}
You can run this command by clicking on Start | Run, or by opening a Command Prompt window. If you receive an error when issuing this command, you may need to specify the path to the msiexec.exe file, as in the following example:
C:\program files\resource kit\tools\msiexec.exe /q/x {D6C64C68-F9F5-11D3-BEEA-00A0CC272509}
Manual Uninstall
Uninstalling NAVCE manually will require you to delete all NAVCE-related items and information from the Start Menu, Windows file system and registry. First, you need to stop the following services from within the Control Panel Services applet and then delete their entries from the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services key:
■ DefWatch
■ Intel Alert Handler
■ Intel File Transfer
■ Norton AntiVirus Server
■ SymEvent (if NAVCE is the only Symantec product installed on this machine)
Then you should also delete the following entries within the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application key:
■ Defwatch
■ Intel Alert Handler
■ Intel Alert Originator
■ Intel AMS II
■ Intel File Transfer Service
■ Intel PDS Service
■ Norton AntiVirus
Next, remove the following miscellaneous registry entries and keys:
■ HKEY_LOCAL_MACHINE\Software\Symantec\Repair value
■ HKEY_LOCAL_MACHINE\Software\Symantec\SourceDir value
■ HKEY_LOCAL_MACHINE\Software\Symantec\TargetDir value
■ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\96C46C6D5F9F3D11EBAE000ACC725290
To finish cleaning up the Windows registry, click on Edit | Find, and delete all occurrences of the following two strings:
■ VirusProtect6
■ 86C46C6D5F9F3D11EBAE000ACC725290
Once you’ve removed all of these entries, reboot your computer and continue.
Finally, you’ll need to delete any of the following folders and files from the hard drive of the Windows machine in question (if you’ve installed the Windows operating system to a directory other than ‘C:\WINNT’, modify the file listing accordingly):
■ C:\Program Files\NAVNT
■ C:\Program Files\NAV
■ C:\Program Files\Common Files\Symantec Shared\VirusDefs
■ C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5
■ C:\WINNT\Profiles\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5
■ C:\Winnt\Installer\{D6C64C68-F9F5-11D3-BEEA-00A0CC272509}
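As an added example (not from the book), the following PowerShell script audits a Windows host for the residue the manual uninstall above is meant to remove: the listed services, Event Log sources, registry values and keys, and folders. It only reports by default; the -Remove switch performs the deletion, and the folder list assumes the C:\WINNT system directory used in the text.

```powershell
# Added example: audit (and optionally remove) NAVCE server residue using the
# service, registry and folder names from the manual-uninstall procedure.
# Run from an elevated PowerShell prompt. Without -Remove nothing is changed.
param([switch]$Remove)

# SymEvent is listed only for the case where NAVCE is the sole Symantec product
$services = @('DefWatch', 'Intel Alert Handler', 'Intel File Transfer',
              'Norton AntiVirus Server', 'SymEvent')
$eventLogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application'
$eventLogSources = @('Defwatch', 'Intel Alert Handler', 'Intel Alert Originator',
                     'Intel AMS II', 'Intel File Transfer Service',
                     'Intel PDS Service', 'Norton AntiVirus')
$symantecKey  = 'HKLM:\SOFTWARE\Symantec'
$symantecVals = @('Repair', 'SourceDir', 'TargetDir')
$looseKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\96C46C6D5F9F3D11EBAE000ACC725290',
    'HKLM:\SOFTWARE\INTEL\LANDesk\VirusProtect6',   # root of all NAVCE settings
    'HKCU:\Software\Intel\LANDesk\VirusProtect6'    # per-user scan settings
)
# Strings the text says to hunt for with regedit's Edit | Find; matched on key names here
$findStrings = @('VirusProtect6', '86C46C6D5F9F3D11EBAE000ACC725290')
# Assumes Windows is installed in C:\WINNT, as in the text
$folders = @(
    'C:\Program Files\NAVNT',
    'C:\Program Files\NAV',
    'C:\Program Files\Common Files\Symantec Shared\VirusDefs',
    'C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5',
    'C:\WINNT\Profiles\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5',
    'C:\WINNT\Installer\{D6C64C68-F9F5-11D3-BEEA-00A0CC272509}'
)

$found = New-Object System.Collections.Generic.List[string]

# 1. Services: stop them, then drop the service registration (sc.exe delete)
foreach ($name in $services) {
    $svc = Get-Service | Where-Object { $_.Name -eq $name -or $_.DisplayName -eq $name }
    if (-not $svc) { continue }
    $found.Add("service: $($svc.Name) [$($svc.Status)]")
    if ($Remove) {
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        & sc.exe delete $svc.Name | Out-Null
    }
}

# 2. Event Log sources under the Application log
foreach ($src in $eventLogSources) {
    $path = Join-Path $eventLogKey $src
    if (Test-Path $path) {
        $found.Add("eventlog source: $path")
        if ($Remove) { Remove-Item -Path $path -Recurse -Force }
    }
}

# 3. Symantec values and leftover keys
foreach ($v in $symantecVals) {
    if (Get-ItemProperty -Path $symantecKey -Name $v -ErrorAction SilentlyContinue) {
        $found.Add("registry value: $symantecKey\$v")
        if ($Remove) { Remove-ItemProperty -Path $symantecKey -Name $v }
    }
}
foreach ($k in $looseKeys) {
    if (Test-Path $k) {
        $found.Add("registry key: $k")
        if ($Remove) { Remove-Item -Path $k -Recurse -Force }
    }
}
# Key names anywhere under HKLM\SOFTWARE that still carry the two strings
# (values containing them still need regedit's Find, as the text describes)
foreach ($k in (Get-ChildItem -Path 'HKLM:\SOFTWARE' -Recurse -ErrorAction SilentlyContinue)) {
    foreach ($s in $findStrings) {
        if ($k.PSChildName -like "*$s*") {
            $found.Add("registry key (by name): $($k.Name)")
            if ($Remove) { Remove-Item -Path $k.PSPath -Recurse -Force -ErrorAction SilentlyContinue }
        }
    }
}

# 4. Folders
foreach ($f in $folders) {
    if (Test-Path -LiteralPath $f) {
        $found.Add("folder: $f")
        if ($Remove) { Remove-Item -LiteralPath $f -Recurse -Force }
    }
}

if ($found.Count -eq 0) {
    Write-Output 'No NAVCE residue found.'
} else {
    $found | ForEach-Object { Write-Output $_ }
    if ($Remove) { Write-Output 'Residue removed; reboot to complete the cleanup.' }
}
```

Run it once without -Remove to confirm the list matches what you expect before letting it delete anything.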
Understanding NAVCE 7.6 Registry Keys on NT / 2000 Servers
NAVCE stores all of its configuration information in the Windows Registry. Different machines will record different registry keys and entries depending upon their role within the NAVCE solution. On the primary server within a server group, for example, the registry stores information about the server group, the settings for all the NAVCE servers as well as the settings for the clients.
Designing & Planning…
Considerations for Uninstalling NAVCE Server
Before you uninstall NAVCE server from a system, you need to make sure that any clients that rely on that server for their configuration information are redirected to another NAVCE server. You can accomplish this by editing the grc.dat file, or by re-running the NAVCE client installation process. This topic is discussed in detail in Chapter 3.
NAVCE Registry Components
The root location for NAVCE registry entries is HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion. This is where all client and server settings are stored. If you create a virus scan on the local computer, the corresponding configuration information would be stored at HKEY_CURRENT_USER\Software\Intel\Landesk\VirusProtect6\CurrentVersion, which can be seen in Figure 5.17.
Figure 5.17 The CurrentVersion Registry Key
Connect Network Registry and is a great way to access the registry on a remote computer without needing to be physically present at the server itself. In this example, NT-IRVA-0552 is the Primary NAVCE Server for the server group “Site Servers.”
There are several other keys that are important to understand. Let’s discuss some of the more critical ones.
AddressCache Registry Key
The AddressCache Registry key (Figure 5.18) stores information regarding each NAVCE server within the server group. There is a subfolder within this key for every NAVCE server in the server group. The path to this key is HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\AddressCache.
When you launch the SSC console, it connects to the registry on the primary server (which is NT-IRVA-0552 in our case) and populates itself with the most current information from this registry key.
Figure 5.18 The AddressCache Registry Key
ClientConfig Registry Key
The ClientConfig Registry key (Figure 5.19) stores all the administrator-defined settings for the clients. This is the key that is used to create most of the grc.dat file. This key is created on all parent NAVCE servers. Since the primary server can also be a parent server, this key is also created on the primary server: essentially, any server acting as a NAVCE parent must have this key within its registry. The path to this key is HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\ClientConfig.
Figure 5.19 The ClientConfig Registry Key
DomainData Registry Key
The DomainData Registry key (Figure 5.20) can be found only on the primary NAVCE server and contains the settings for clients and servers within the server group. Any changes that you make to a server group from the SSC console will be recorded within this key. As soon as this key is updated, the primary server directly connects to the registry on each secondary server and adds the contents of this key to the secondary server. For example, the contents of the DomainData\ClientConfig Registry key will be copied to the ClientConfig Registry key on each secondary server, as well as the ClientConfig Registry key on the primary server. The path to this key is HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\DomainData.
Clients Registry Key
The Clients Registry key (Figure 5.21) stores information about the individual clients of a particular NAVCE server. This key contains one folder for each of the clients of the parent server. The path to this key is HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\Clients.
Children Registry Key
The Children Registry key (Figure 5.22) stores a list of all the secondary servers within the server group.
Figure 5.20 The DomainData Registry Key
Figure 5.21 The Clients Registry Key
Figure 5.22 The Children Registry Key
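As an added example (not from the book), this PowerShell script reads the CurrentVersion key described above and infers a machine’s role in its server group from which subkeys are present, applying the rules given in this section: DomainData exists only on the primary, ClientConfig and Clients on parents, and Children lists the secondaries. It assumes the subkeys under AddressCache, Children and Clients are named after the computers they describe, and the -ComputerName parameter relies on the Remote Registry service, like regedit’s Connect Network Registry.

```powershell
# Added example: report a NAVCE machine's role and what it knows about its
# server group, from the subkeys of VirusProtect6\CurrentVersion. Read-only.
param([string]$ComputerName = $env:COMPUTERNAME)

$cvPath = 'SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion'

# Open HKLM locally, or on a remote host via the Remote Registry service
if ($ComputerName -ieq $env:COMPUTERNAME) {
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
} else {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
}

$cv = $hklm.OpenSubKey($cvPath)
if ($null -eq $cv) {
    throw "NAVCE CurrentVersion key not found on $ComputerName (is NAVCE installed?)"
}

# Assumption: each subkey under AddressCache, Children and Clients is named
# after the computer it represents, so the names double as an inventory
function Get-SubKeyNames([Microsoft.Win32.RegistryKey]$Parent, [string]$Name) {
    $k = $Parent.OpenSubKey($Name)
    if ($null -eq $k) { return @() }
    try { return @($k.GetSubKeyNames()) } finally { $k.Close() }
}

$present = @($cv.GetSubKeyNames())
$has = @{}
foreach ($name in 'AddressCache', 'ClientConfig', 'DomainData', 'Clients', 'Children') {
    $has[$name] = [bool]($present -contains $name)
}

# Role rules from the text:
#   DomainData   -> only the primary server of the group has it
#   ClientConfig -> every parent server (the primary may be a parent too)
#   Clients      -> one subkey per managed client of this parent
$roles = @()
if ($has['DomainData'])                       { $roles += 'primary server' }
if ($has['ClientConfig'] -or $has['Clients']) { $roles += 'parent server' }
if ($roles.Count -eq 0) { $roles += 'no DomainData/ClientConfig: not a primary or parent' }

$report = [pscustomobject]@{
    Computer         = $ComputerName
    Role             = ($roles -join ', ')
    GroupServers     = Get-SubKeyNames $cv 'AddressCache'   # every server in the group
    SecondaryServers = Get-SubKeyNames $cv 'Children'
    ManagedClients   = Get-SubKeyNames $cv 'Clients'
    KeysPresent      = (($present | Sort-Object) -join ', ')
}
$cv.Close()
$report | Format-List
```

Running it against each server in a group and comparing GroupServers lists is a quick way to spot a secondary whose AddressCache has fallen out of step with the primary.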
Notes from the Underground…
A Word about Registry Keys and the Certification Exam
If you wish to take the NAVCE SPS exam, be sure that you fully understand the differences between the Registry keys that we just discussed. These keys often appear within questions on the certification exam. It is good to know what each key contains. For your review, here is a list of the keys that you must be familiar with:
Understanding NAVCE 7.6 Services Running on NT / 2000 Servers
There are three core services that are used by the NAVCE server program. These are Norton AntiVirus Server, DefWatch and Intel Ping Discovery Service (PDS). In this section, we’ll discuss each of these services.
Norton AntiVirus Server (rtvscan.exe)
RTVScan is the core program in the NAVCE solution. It is a multithreaded process (capable of performing more than one task simultaneously) that performs alerting, discovery, scanning, definition updating and other functions within the NAVCE environment. This is the service that clients and servers use to communicate with each other. (In order to locate one another across the network, clients and servers use the PDS, which we will discuss shortly.)
One of RTVScan’s functions is to perform a Timer Loop. This process discovers new virus definition (.vdb) files in the NAVCE folder and processes them. This service exists on both NAVCE servers and clients; it performs similar functions for both installations. Depending upon whether it is operating on a NAVCE server or a NAVCE client, the Timer Loop performs the following functions:
■ Schedules events such as definition updates and scans
■ On primary servers, it checks secondary servers every 5 minutes to check virus definition versions. If the definitions on secondary servers are not the most recent ones available, new definitions are pushed out to them
■ On parent servers, it queries clients every three minutes for their virus definition and grc.dat versions. If the definitions on the client are outdated, new definitions are pushed to the client
■ On managed clients, it connects to the parent server every 60 minutes to verify that the client possesses the latest definitions and grc.dat files
■ On the local computer, it checks for updated virus definitions (.vdb) every three minutes
■ On the local computer, it checks for a new grc.dat file every sixty seconds. If the Timer Loop encounters a new grc.dat file, it imports any changes into the local registry and then deletes the grc.dat file upon completion
■ On the local computer, it checks for LiveUpdate settings every minute. If any settings change, a new Liveupdt.hst file is generated
DefWatch (defwatch.exe)
When new virus threats emerge, they can often proliferate before Symantec can release updated virus definitions to repair the damage done by these viruses. In such cases, Symantec releases virus definitions that can at least quarantine the infected files until definitions containing a repair function are created. This way, even if virus definitions that can actually reverse the damage done by a virus have not yet been released, NAVCE will still be able to detect and quarantine the infected files to avoid spreading the infection even further.
In some cases, a virus completely destroys the content of a file, in which case the only solution is to restore it from a backup version. However, in other cases, it is possible to repair the infected files using the new virus definitions. This is where the DefWatch service comes into play. As soon as new virus definitions become available on a NAVCE server, the Norton AntiVirus Server Service (RTVScan) notifies the DefWatch service. The DefWatch service then scans quarantined files to check if the new definitions are able to repair previously quarantined files.
Intel Ping Discovery Service (pds.exe)
The Intel Ping Discovery Service (PDS) is the first NAVCE Server service to load. It always loads on the same port (38293 for IP, 34903 for IPX) and acts as a “traffic cop” to inform any NAVCE clients or servers which port RTVScan is running on.
NOTE
For additional detail on PDS, please refer to Chapter 6 where this topic is covered in greater detail.
Introducing the grc.dat File
The grc.dat is a text file that stores any changes made to NAVCE clients. Any changes made via the Symantec SSC console to a server or server group are placed into a grc.dat file on the server. These changes are then later propagated to the clients. The following is a brief overview of how a configuration change would cause the grc.dat
3. The server’s RTVScan process includes a thread called CheckGRC that runs every 60 seconds to check for the value of the ProcessGRCNow key.
4. If the server’s RTVScan finds that the value of the ProcessGRCNow key is 1, it parses the registry and creates a new grc.dat file in the server’s \NAV directory.
5. Another thread then pushes it out to the \NAV directory on the clients.
6. On the clients, RTVScan runs a CheckGRC process every 60 seconds to check for the existence of the grc.dat in the \Norton Antivirus directory. If the file is found, RTVScan converts it to registry entries and then deletes the file.
The grc.dat File
The grc.dat file is stored at several locations on the primary NAVCE server, the most critical of which is located in C:\Program Files\NAV\grc.dat. Whenever any settings need to be updated on the NAVCE client, this version of the file will be copied to the NAVCE clients. Copies of the file are also located within each subfolder of the folder at C:\Program Files\NAV\clt-inst. For example, it is located at C:\Program Files\NAV\clt-inst\WIN32\grc.dat. This version of the file is copied to the target (or NAVCE client) computer during a NAVCE installation. On the NAVCE clients, the file can be found at different locations depending upon the operating system. This will be discussed in more detail in Chapter 6.
There are usually only two compelling reasons for editing the grc.dat file: either to change the parent server name on a client or to change whether or not a client will use LiveUpdate. The options for changing client management options using the grc.dat file are covered in Chapter 2.
Trang 27In this chapter we discussed the steps in implementing NAVCE servers, a critical ponent in your network’s NAVCE implementation At this point, you should be able todefine technical specifications for the platform on which you will be installing theNAVCE server software.You should also understand the necessary steps in installing theserver program to a Windows-based computer system We also discussed some installa-tion considerations for NAVCE servers that should be addressed and considered prior
com-to beginning the installation process And, we also covered the steps in uninstalling aNAVCE server and the steps that you should take before performing an uninstallaction
Another key topic in this chapter was the list of registry keys that are used to storevarious kinds of information about a NAVCE infrastructure Be sure that you arefamiliar with them, since they will save you countless hours when troubleshooting mostissues We also discussed the Norton AntiVirus Server (rtvscan.exe), DefWatch
(defwatch.exe) and Intel Ping Discovery Service (pds.exe) services that run the NAVCEserver program, what each service does and how each one fits into the NAVCE solu-tion Finally, we learned about the grc.dat file which is used to store changes made toconfiguration settings and how it is propagated
Solutions Fast Track
Understanding NAVCE 7.6 Servers
; Server program and AMS2 comprise the two main components of the NAVCE server
; Remember that the minimum requirements for the Symantec software do not take into account any other Symantec or third-party software that needs to be running on the NAVCE server
; Understand the implications of using the Workstation/Professional version of Windows. The workstation edition of the Microsoft operating systems can only host 10 concurrent network connections, which will limit your ability to
; Develop a deployment plan to ensure that your software installation does not interfere with any existing processes on your network and servers
; Server summary options, the server group and server startup options are some of the factors you must consider before you begin deployment
; As you step through the installation sequence for the NAVCE server software, you’ll notice that the installation is identical for local or remote target computers
; Before you can configure a NAVCE server, you must unlock it using the same password that you set during installation. If you left it unaltered, the password
; The root location for all NAVCE registry entries is HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion
; The Registry keys to remember and understand are AddressCache, ClientConfig, DomainData, Clients and Children
; The DomainData key can be found only on the primary server
; A child computer is a secondary NAVCE server, whereas a client is any computer that is running the NAVCE client software
Understanding NAVCE 7.6 Services
Introducing the grc.dat File
; The grc.dat file is used to store any changes made to the NAVCE clients via the SSC console
; As soon as the changes are made, the file is copied to various locations on the NAVCE server. Copies of the file are then copied from these different locations to the NAVCE client depending upon the nature of the client’s communication with the server
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.
Q: What is the difference between Windows NT/2000 Server and NAVCE Server?
A: A NAVCE Server refers to a software package that offers antivirus monitoring and installation capabilities such as program installation and definition updates for NAVCE clients. On the other hand, Windows NT/2000 Server refers to a network operating system.
Q: Is it necessary to install AMS2 to all NAVCE servers?
A: AMS2 is required only on primary servers. However, since there is always a possibility of promoting a secondary server to primary status, most administrators prefer to install AMS2 to all NAVCE servers.
Q: I accidentally installed AMS2 to all my NAVCE servers. How can I remove it?
A: AMS2 can be uninstalled using the Add/Remove Programs applet within the Windows Control Panel, where it is listed as “AMS Server.” Once it is uninstalled, reboot the system and remove the folders located at “C:\Program Files\AMS Server” and “C:\WINNT\System32\AMS_II”.
Q: Where can I look for resources to assist me in troubleshooting the NAVCE server implementation process?
A: A comprehensive list of issues is provided within the readme.txt file on your installation media, or on the Internet at Symantec’s exhaustive collection of Knowledge Base articles.
Q: How can I retrieve a password that I set for a NAVCE server group?
A: In order to retrieve the password for a NAVCE server group, you must:
1. Launch the Password Retrieval Utility located at C:\Program Files\SSC\TOOLS\IFORGOT.EXE.
2. Within the utility, enter the name of the primary server for the server group.
3. Click Get Password.
4. Copy the Encrypted Password, as seen in Figure 5.23, and provide it to Symantec Technical Support as requested. They will be able to decrypt the password and return it to you in cleartext.
Figure 5.23 Encrypted Password Retrieval Utility
Implementing NAVCE 7.6 to Client PCs
Solutions in this chapter:
■ Understanding NAVCE 7.6 Client PCs
■ Implementing NAVCE 7.6 to Client PCs
■ Understanding NAVCE 7.6 Registry Keys
; Solutions Fast Track
; Frequently Asked Questions
Clients’ systems are prize targets for malicious attacks of virtually any type, from wrongdoers on the Internet to even those on your internal network. These attacks can be viruses downloaded through e-mails and disseminated throughout the intranet by design or by unsuspecting users. Some companies have their e-mail systems set up to strip certain attachments from e-mails, such as *.exe or *.vbs files, because of the potential hazard one of these files may present. A crafty associate, however, may simply remove the extension of the suspicious file and send it anyway, with instructions to the recipient to add the three-letter extension upon receipt. Thus, it is imperative you have some type of protection on all client machines, whether they’re always connected (such as internal LAN clients), or only occasionally connected (remote users). From a corporate security standpoint, it is even a good idea to encourage the use of antivirus software on personal home systems. For instance, employees who telecommute may be inclined to complete business projects at home and then bring their work into the office on a floppy disk or CD-ROM, along with whatever virus might exist on their system. The bottom line is that malicious coders are constantly coming up with new and interesting ways to create and distribute viruses every day. Take the following case study as an example…
Jim was a new member of a popular news group and was astounded by the information he could receive. He found people that would share their own knowledge of where to download digital quality music and even give him copies of their own. Although he had ethical issues given the controversy he’d heard surrounding it, he thought, “Who would know?” Happy with his newfound wealth of music, Jim decided to share some with his friends, burning a CD with some of his favorite music. He took the CD to work and handed it to any associate that wanted to load the music on his or her computer and listen. He eventually noticed a music file that was appended with a *.vbs extension. “Hmmm… That’s weird?” he thought. He double-clicked the mysterious music file, but nothing happened. He figured it was no big deal since he had plenty of other music to hear. Thus, Jim, a user with absolutely no malicious intent, ended up unleashing a worm onto his company’s intranet. Everyone who got the file, and was similarly
client software updates, the latest virus definitions and configure system scans to run at predetermined times. Another invaluable feature is the ability to easily implement the rollout of the client software using the tools that come with NAVCE 7.6 or such third-party implementation tools as Microsoft Systems Management Server or Novell ZENworks for Desktops.
New computers added to the network can be protected quickly and easily with these tools. Users who only connect occasionally to the network can be configured to download the latest updates and virus definitions from the server as well. With this local administration, client computer settings will remain consistent and well-protected throughout the company.
In this chapter, we will discuss the many different methods for installing the NAVCE 7.6 client software to systems on the network by using either third-party software deployment tools or those provided by NAVCE 7.6. We’ll take a look at the Registry settings, services, and components of the client software as well.
Understanding NAVCE 7.6 Client PCs
Before we delve into the details of the NAVCE 7.6 client software and implementation, we should familiarize ourselves with the different types of NAVCE clients that are possible on our network. Depending on the goals of our information systems’ security policies or perhaps our personal interests, we can choose from one of three types of client setups. The clients can be managed clients, unmanaged clients, or sometimes-managed clients, as described in the following:
■ Managed clients These are clients that combine together to make up our local area networks (LANs). These computers are considered stable because they never leave the network, which is governed by whatever security policies are in place. They are assigned to a parent server (managing server) that will keep them current with the latest software updates and virus definitions. These clients have the ability to send and receive virus alerts and can be found easily on the Symantec System Center (SSC) console under their respective parent servers.
■ Unmanaged clients These clients have all the features of NAVCE 7.6 with a few exceptions. They are not able to receive any type of management direction from the NAVCE servers. Therefore, any virus definition or software updates must be obtained manually by the user running the software. Being unmanaged, they, of course, have no parent server and do not appear in the SSC console. An example of this type of client could be an associate’s personal home computer.
■ Sometimes-managed clients These client systems have the potential to, and often do, leave the safety of the intranet. These systems are usually laptops that are taken home for the weekend or depart with their users on business trips. They maintain the functionality of the managed clients with a few exceptions. While they have parent servers, they can only accept software and virus definition updates when connected to the network and appear faint in the SSC console. These computers are protected from malicious code, yet only to the point that their last updates provide.
To understand the features of these Client PCs and their particular client type, we should also discuss the properties of NAVCE 7.6 and its methods of communication on the network. In addition to the traffic incurred from servers communicating with other servers, server-to-client traffic, although minimal, is something to consider.
Check-in Intervals
On IP and IPX networks, clients send notifications to the server only when an event is generated, and to periodically provide status information, or Check-in, to the server. The client status information is sent via a 1KB User Datagram Protocol (UDP) packet, and the server will not respond unless further action is required. This status information provides the server with the client information needed to keep the SSC console current. The parent servers send updates (software and virus definitions) and configurations (grc.dat) to their respective clients as well.
Designing & Planning…
forwarding. A broadcast domain indicates a group of computers in a LAN that can contact each other via broadcast. A broadcast is simply a packet sent from one host to all hosts on the segment to which it is attached, instead of a unicast, which is a packet sent from one host to another host on the segment. One positive feature of a router is that it will stop broadcast traffic, thus cutting down on unnecessary network traffic.
UDP is considered an unreliable protocol, as opposed to TCP, which has been deemed “reliable.” This simply means that TCP will send information that will be read by the intended recipient and an acknowledgment will be returned to the sender claiming it has been received. “Unreliable,” on the other hand, indicates it is not specifically sent to one recipient, but broadcasted to everyone with the hope that the appropriate system will pick it up. The unreliable protocol will also not expect an acknowledgment of receipt and just assume the message has gotten to where it needs to go.
Both UDP and TCP are used in conjunction with the IP protocol and are part of the TCP/IP protocol suite. Using office communications as an analogy, TCP would be like making an office phone call, while UDP could be compared to using the intercom system.
Imagine that someone left their car lights on in the parking lot and we don’t want them returning to a dead battery after a long day’s work. If we knew whose car it was, we could call our officemate by dialing their number and waiting for an answer. If there was no answer, we would more than likely try again later and perhaps again, until they picked up.
Now suppose we didn’t know whose car it was, but being a Good Samaritan, we thought it a good idea to still try and inform the unsuspecting owner. We could ask the front desk to let everyone in the building know through the intercom system. In this case, everyone would receive (or hear) the message. Most likely all but one person would simply disregard the announcement, and that one person could act on it. They may never acknowledge receiving it, and instead run out and shut off their lights. On the other hand, the person might not hear the message and is therefore out of luck.
One advantage of using the UDP protocol is that it is significantly smaller than TCP and does not consume as much bandwidth. Now that we essentially understand how UDP works, it’s easy to see that the parent server and the client should be on the same broadcast domain if we are implementing on a router-segmented network or a switched network utilizing virtual local area networks.
Check-in intervals are used to update the parent server of the client’s existence. The default is for the client to send the 1KB UDP check-in packet every 60 minutes. If the server has not received a check-in from the client within the server-specified amount of time, the client will be dropped from the SSC console list of connected computers. This will hinder the ability of the client to receive timely updates and configuration settings.
There are some basic guidelines for configuring the Client Check-in Interval
If a computer is on a stable network—for example, a managed client—the default check-in of 24 hours or greater would suffice. For remote users, sometimes-managed, a shorter interval may be needed, due to the lack of firewalls and other corporate security features. While the check-in packet is very small, as more computers are added to a parent server, more traffic will be generated and eventually the network may become quite congested, challenging the parent server with the task of processing all the check-in packets, not to mention managing the necessary updates. Therefore, we can see that the longer the check-in interval, the less network traffic there will be and the less strain placed on the server. The client check-in interval can be set within the Registry, discussed later, or within the settings of the Virus Definition Manager on the parent server.
1. Start the Symantec System Center console.
2. Right-click the parent server of the clients to be adjusted.
3. Select the Virus Definition Manager by choosing All Tasks | Norton AntiVirus | Virus Definition Manager.
4. In the lower half of the Virus Definition Manager, select the Settings button.
5. The Update Settings dialog box should appear. Type in the number, in minutes, desired for the client’s check-in period.
6. Select OK.
7. Close the SSC console.
From this point on, the updated information will be written to a configuration file, grc.dat, and automatically pushed to the child clients of the parent server.
has passed, and so on), the client will not get its correct updates. This will bring about inconsistencies within the network and possibly give an administrator a false sense of security that all the clients are safely protected.
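The check-in bookkeeping described above, as an added example that is not part of this book or of the NAVCE product: a small Python model of the parent server’s connected-client list that replays a constructed check-in log against a drop window and estimates the hourly UDP check-in traffic for a given interval (the client names, timestamps and the 90-minute drop window are assumptions made for the example).

```python
# Model of NAVCE parent-server check-in tracking (added example, not Symantec code).
# Facts taken from the chapter: a client check-in is a 1 KB UDP status packet, and a
# client that has not checked in within the server-specified time is dropped from the
# SSC console's connected list. Client names, times and the drop window are constructed.
from datetime import datetime, timedelta

CHECKIN_PACKET_BYTES = 1024   # 1 KB UDP status packet per check-in
TIME_FMT = "%Y-%m-%d %H:%M"


class ParentServer:
    """Keeps the last check-in time of each client, as the parent server does."""

    def __init__(self, drop_after_minutes):
        self.drop_after = timedelta(minutes=drop_after_minutes)
        self.last_seen = {}

    def record_checkin(self, client, when):
        # Only the most recent check-in matters for the connected/dropped decision.
        self.last_seen[client] = when

    def connected_clients(self, now):
        """Clients still shown in the SSC console's connected list."""
        return sorted(c for c, t in self.last_seen.items() if now - t <= self.drop_after)

    def dropped_clients(self, now):
        """Clients silent longer than the drop window; they no longer receive timely
        grc.dat or definition updates, so this is the list an administrator should review."""
        return sorted(c for c, t in self.last_seen.items() if now - t > self.drop_after)


def checkin_bytes_per_hour(num_clients, interval_minutes):
    """Approximate check-in traffic a parent server absorbs per hour."""
    return int(num_clients * (60 / interval_minutes) * CHECKIN_PACKET_BYTES)


# Constructed check-in log: (client name, time the 1 KB UDP packet arrived).
CHECKIN_LOG = [
    ("WS-ACCT-01", "2002-03-04 08:00"),
    ("LAPTOP-SALES-07", "2002-03-04 08:05"),   # sometimes-managed laptop that then leaves
    ("WS-ACCT-01", "2002-03-04 09:00"),
    ("WS-ENG-12", "2002-03-04 09:30"),
    ("WS-ACCT-01", "2002-03-04 10:00"),
]


def replay(log, drop_after_minutes, now_text):
    """Replay a check-in log; return (connected, dropped) client lists at now_text."""
    server = ParentServer(drop_after_minutes)
    for client, ts in log:
        server.record_checkin(client, datetime.strptime(ts, TIME_FMT))
    now = datetime.strptime(now_text, TIME_FMT)
    return server.connected_clients(now), server.dropped_clients(now)


if __name__ == "__main__":
    # With a 90-minute drop window at 10:30 the laptop has been silent 145 minutes.
    print(replay(CHECKIN_LOG, 90, "2002-03-04 10:30"))   # (['WS-ACCT-01', 'WS-ENG-12'], ['LAPTOP-SALES-07'])
    print(checkin_bytes_per_hour(500, 60))                # 512000
```

Shortening the drop window below the clients’ check-in interval moves healthy clients onto the dropped list, which is the same inconsistency the text warns about; the traffic estimate shows why lengthening the interval is the usual trade-off.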
For communications between servers and clients, NAVCE 7.6 uses the Intel Ping Discovery Service (PDS). PDS is used by the various services that NAVCE 7.6 utilizes, and is the first service to load when a NAVCE 7.6 server is started, utilizing ports 38293 for IP and 34903 for IPX. Once the Intel PDS server service has been installed, the RTVScan program will load. RTVScan (covered in more detail later) requests a listening port by making a call to WinSock. For more stability, the RTVScan will request the same port every time it is loaded. If the same port is not available, another port will then be assigned. Once a port is assigned, RTVScan submits information regarding its listening port and Application ID (APP ID) to the PDS system and requests PDS to listen for any data attempting to reach itself. This allows the PDS system to manage other application services by forwarding their requests, or pings, to the correct ports of the service requested. The steps are summarized in the following paragraphs.
For Servers:
1. PDS loads on a static port.
2. PDS listens on IP port 38293 (or IPX port 34903).
3. RTVScan attempts to load on a static port (or obtains a dynamic port).
4. RTVScan updates PDS with its port and APP ID information.
5. When a service needs the RTVScan program, it sends a “ping” to the PDS.
6. PDS then replies with a “pong” packet indicating the RTVScan information.
For Clients:
1. The PDS does not load on the client system.
2. RTVScan attempts to load on a static port (or obtains a dynamic port).
3. RTVScan updates the system’s parent server with the client’s port information.
4. The parent server receives the port information and updates its client Registry key.
5. RTVScan will search for the grc.dat file (the configuration and parent server name) locally and process it, if available.