
Configuring Symantec AntiVirus Corporate Edition, Part 7 (PDF)


Document information: 76 pages, 1.02 MB


Securing NAVCE 7.6 Windows NT/2000 Servers

■ Remember to consider the entire server environment, not just the NAVCE software installation. Physical security and operating system configuration are just as important to the overall well-being of your network environment.

■ Change the default "symantec" password when creating a new server group, and configure the SSC to prompt for the server group password whenever you close and re-open the console. Do not select the Save Password option when unlocking the server group, or you will defeat the purpose of having a password in the first place.

■ Use built-in Windows utilities and applets to secure access to the Windows Registry against unauthorized intrusions, and restrict users from launching resource-intensive scans of terminal servers using the AppSec utility.

Securing NAVCE 7.6 Novell NetWare Servers

■ Thoroughly configure and test the NetWare FTP service to ensure that LiveUpdate will function properly on your network.

■ When using the IPX protocol, use ipxroute config to determine your server's network number, as you will use this number rather than the machine name when forwarding files to Quarantine Server.

■ Remember that client PCs running only the IPX protocol will not appear in the SSC console screen.

Securing NAVCE 7.6 Client PCs

■ Use the Symantec System Center console to prevent end-users from stopping scheduled virus scans.

■ Lock real-time protection options in the SSC console to ensure consistent virus protection across your network.

■ For your 16-bit clients, configure login scans so that the user will be unable to cancel them.

Using the Reset ACL (resetacl.exe) Tool

■ Reset ACL will limit your users' ability to access or alter many key NAVCE functions, ensuring that the configuration dictated by your antivirus strategy is not compromised.

■ Test the changes made by resetacl.exe thoroughly for any unexpected results, and be especially careful not to apply it to a workstation that relies on locally-launched LiveUpdates to obtain new virus definitions.

■ If you need to undo the changes made by RESETACL, use any Registry editor to restore full permissions on the HKLM\Software\Intel\LANDesk\VirusProtect6\CurrentVersion Registry key.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.

Q: I support a small organization with a limited budget. What are the benefits of recommending the expense of a firewall to my management? Isn't antivirus software sufficient to protect my network?

A: Connecting any private network to the Internet, regardless of its size, can expose critical and confidential data to malicious attack from anywhere in the world. Firewalls can protect anything from an individual computer to a large corporate network from hostile Internet-based intrusion. Anyone who is responsible for a private network that is connected to a public network should strongly consider firewall protection. In this connected world, firewall protection is roughly equal in importance to maintaining renter's insurance. Facing even a single incident without it will certainly make you wish you had decided to make the investment.

In terms of the efficacy of antivirus software in completely protecting your network from threats, it is by nature only as good as the latest virus definitions, which were in turn created in response to the latest viruses. While technologies like Bloodhound Heuristics (see Chapter 12) attempt to stay one step ahead of the hacker community, someone (and realistically hundreds of someones) will become infected with a new virus threat before the makers of antivirus software can create a defense against it. A firewall will help close the gap between the known virus threats addressed by antivirus definitions and the unknown threats that crop up on the Internet every single day.

Q: Our network utilizes a proxy server to restrict Internet access. How do I configure LiveUpdate to function behind a proxy?

A: By default, LiveUpdate will use the proxy server settings set up within Internet Explorer. If you need to change this default value, open the LiveUpdate applet in the Control Panel, select I want to customize my proxy settings for LiveUpdate, and fill out all required fields, as illustrated in Figure 9.18.

Q: What is the best way to determine what ports I need to open at my firewall in order for my Windows clients and servers to function?

A: I recently found a wonderful freeware utility called FPORT (available at www.foundstone.com) that will inventory a Windows-based client or server PC for all open TCP and UDP ports. Even more useful than that, however, FPORT will display exactly which service or .exe file is using the ports in question, similar to the output shown in Figure 9.19. (This is quite useful not only from a system inventory standpoint, but also in ensuring that your machines aren't running anything they shouldn't be.) Using a utility like this in conjunction with a detailed software inventory should be sufficient to determine what ports and/or .exe files you'll need to enable on your firewall.
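As an added example (not from the book, and not a Symantec or Foundstone tool), the script below parses a port inventory written in the five-column layout FPORT prints and compares it with the listeners you expect on the host. The sample output, the process names and paths in it, and the expected-port set are constructed for this example; in practice the expected set comes from the software inventory the answer recommends.

```python
import re

# Constructed sample approximating the layout FPORT prints (Pid, Process,
# Port, Proto, Path); the processes and paths below are made up.
FPORT_OUTPUT = """\
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
1204  listener       ->  12345 TCP   C:\\Temp\\listener.exe
8     System         ->  137   UDP
8     System         ->  138   UDP
"""

# One port line: pid, process, "->", port, protocol, optional path.
_LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")

# Listeners you expect on a Windows client (assumption for this example;
# build yours from the software inventory).
EXPECTED = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138)}


def parse_fport(text):
    """Return one dict per port line; banner and header lines are skipped."""
    records = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            records.append({"pid": int(pid), "process": proc, "port": int(port),
                            "proto": proto, "path": path})
    return records


def unexpected_listeners(records, expected=EXPECTED):
    """Open ports that are not on the expected list: candidates for removal
    from the host rather than for a firewall rule."""
    return [r for r in records if (r["proto"], r["port"]) not in expected]


def firewall_allow_list(records, expected=EXPECTED):
    """Sorted (proto, port) pairs to permit at the firewall for this host:
    only listeners that are both open and accounted for."""
    return sorted({(r["proto"], r["port"]) for r in records
                   if (r["proto"], r["port"]) in expected})


if __name__ == "__main__":
    recs = parse_fport(FPORT_OUTPUT)
    for r in unexpected_listeners(recs):
        print("unexplained listener:", r["proto"], r["port"], r["process"], r["path"])
    print("allow at firewall:", firewall_allow_list(recs))
```

Listeners that are not on the expected list are the ones to explain or remove before any firewall rule is written; the allow list is derived only from ports you have accounted for.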

Figure 9.18 Customizing Proxy Settings for LiveUpdate


Q: What are the benefits or drawbacks of using software-based personal firewalls (like ZoneAlarm or BlackIce Defender) instead of a single enterprise firewall solution?

A: A personal firewall is most effective when used exactly as it sounds like it should be: protecting an individual (personal) computer, or providing protection for one or two PCs in a self-contained Small-Office-Home-Office (SOHO) environment. However, because they are designed to run on individual client PCs, personal firewall packages don't offer any options for centralized management or configuration. Once you start talking about a medium- to large-sized corporate environment (anything over ten PCs), personal firewall software becomes increasingly impractical; it simply does not scale well.

Q: How can I secure the NAVCE installation for those clients who never attach to my corporate LAN?

A: For remote or traveling users who will never connect to a NAVCE parent server, you can provide a CD with a custom NAVCE installer with pre-configured LiveUpdate and other configuration settings. (You can use any software designed to create automated installation packages, including WinInstall, Systems Management Server, and so on.) While the Reset ACL tool will prevent the user from altering any of these settings, it will unnecessarily cripple the NAV installation of a remote user. Even though this will be a largely un-networked computer, configure it in a Managed configuration anyway, as it will simplify the NAVCE update process if the user ever does need to attach it to the corporate network. For client machines that will be connecting to the network from multiple locations, use the Roaming Client Support

Figure 9.19 Sample Output from fport.exe


Q: What are some good guidelines to follow when securing a Windows or NetWare server?

A: Use the following checklist as a starting point. Some items are Microsoft- or Novell-specific; others are common to the installation of any secure computing system. As always, test these changes before deploying them in a production environment, especially those that involve Registry changes. You can also refer to Figure 9.20 for a quick visual overview of the physical layout of a typical NAVCE-protected network, and the kinds of threats you can expect to have directed against your various network components.

■ Physically secure the server. Install the server in a locked room, use a CPU case lock, and maintain the keys to both in a separate and controlled (but still accessible) location.

■ Enable a strict password policy, including minimum password length and complexity requirements.

■ Disable the Guest account.

■ Rename the Administrator account on Windows NT/2000/XP/.NET machines.

■ Regularly monitor the user account list for any unusual or unauthorized account creation.

■ Create two accounts for your administrative users: one for everyday use, checking e-mail and so on, and a second one for actual network administration functions. (The idea here is to avoid having Domain Admins logged in all the time when it is not strictly necessary.)

■ Assign Windows NT/2000 file and share permissions to the Authenticated Users group instead of the Everyone group.

■ Use NTFS on all NT-family disk partitions. FAT and FAT32 possess no security features.

■ Shut down and disable any unnecessary services, especially services like IIS and RAS that have security configuration issues of their own.

■ Enable auditing and configure file permissions on the Windows NT/2000 Event Viewer Security log.

■ Regularly monitor the Security, System, and Application logs in the Windows NT/2000/XP Event Viewer to detect any unauthorized activities.


■ Subscribe to the Microsoft e-mail notification service to stay informed of all new patches and updates.

■ Use TCP/IP filtering to restrict the TCP and UDP ports that can traverse your network.

■ Clear the pagefile.sys at shutdown by changing the value of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown to 1.

■ Use the Encrypting File System (EFS) in Windows 2000/XP/2003 to create an additional layer of security for your file shares.

■ Change the boot order in the system BIOS to prevent booting from a floppy disk or CD-ROM. In the case of extreme security concerns, remove the drives entirely.

■ In Novell NetWare, use the CONLOG.NLM module to record all keystroke activity on the server console. This information will be stored in the console.log file in the SYS:ETC directory.

■ Lock all NAVCE client options to ensure uniform virus protection on your network. Use the Reset ACL utility, if appropriate.

■ Hold regular user awareness training, either in person or via e-mail, memos, and so on, to maintain user awareness of antivirus and network security concerns.

Figure 9.20 Common LAN Threats (diagram labels: Internal Network Clients, NAVCE Server, Firewall, Remote Clients; threat areas numbered 1, 2, and 3)


Table 9.6 Area 1 of Figure 9.20

Threat                          Countermeasure
Registry attacks                Use REGEDT32 to secure NAVCE Registry keys
Physical security               CPU locks, BIOS passwords

Table 9.8 Area 3 of Figure 9.20

Threat                          Countermeasure
Malicious e-mail attachments    E-mail policies, end-user training
Peer-to-peer file sharing       Group policies, internal firewalls
Weak passwords                  Enforce strong passwords and regular password changes
Physical security               CPU locks, BIOS passwords

Q: How can I determine which of my network PCs are not attached to the NAVCE system console?

A: While there isn't a simple way to query NAVCE to "tell me all the clients that aren't attached to you," your best bet is to compare the contents of the SSC console with your list of computer accounts in Windows NT4 Server Manager or Active Directory Users and Computers in Windows 2000. Either or both of these lists can be exported to a text file for easy analysis in a spreadsheet or other reporting software.
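As an added example (not from the book), the script below performs the comparison this answer describes on two exported lists: normalize the machine names, then take the set difference. Both exports are constructed samples; the column layout, the single header row, the domain prefix and the "$" suffix on machine accounts are assumptions about what your tools produce, and the server name is excluded because the NAVCE server itself is not a client.

```python
# Constructed sample of an SSC console export: one managed client per line,
# name in the first column, other columns as the export happens to carry.
SSC_EXPORT = """\
Client Name        Parent Server   Definitions
WS-ACCT-01         NT-IRVA-0552    20030104.003
ws-acct-02         NT-IRVA-0552    20030104.003
WS-ENG-07          NT-IRVA-0552    20021230.001
"""

# Constructed sample of a Server Manager / ADUC computer-account export.
# Machine accounts may appear as NAME$ and may carry a domain prefix.
DIRECTORY_EXPORT = """\
Name
CORP\\WS-ACCT-01$
WS-ACCT-02$
WS-ENG-07$
WS-ENG-08$
NT-IRVA-0552$
LAPTOP-SALES-3$
"""

# NAVCE servers themselves are not clients, so they are not "unmanaged"
# (assumption for this example).
SERVERS = {"NT-IRVA-0552"}


def normalize_name(raw):
    """Drop a DOMAIN\\ prefix and the trailing $ of a machine account; fold case."""
    name = raw.strip().split("\\")[-1]
    return name.rstrip("$").upper()


def names_from_export(text):
    """First whitespace-delimited field of every non-empty line after the header."""
    names = set()
    for line in text.splitlines()[1:]:      # assumption: exactly one header row
        if line.strip():
            names.add(normalize_name(line.split()[0]))
    return names


def unmanaged_computers(ssc_text, directory_text, servers=SERVERS):
    """Computers that have an account but that the SSC console does not list."""
    managed = names_from_export(ssc_text)
    known = names_from_export(directory_text)
    return sorted(known - managed - {s.upper() for s in servers})


def stale_ssc_entries(ssc_text, directory_text):
    """SSC entries with no matching computer account (renamed or retired PCs)."""
    return sorted(names_from_export(ssc_text) - names_from_export(directory_text))


if __name__ == "__main__":
    print("Not managed by NAVCE:", unmanaged_computers(SSC_EXPORT, DIRECTORY_EXPORT))
    print("Stale SSC entries:", stale_ssc_entries(SSC_EXPORT, DIRECTORY_EXPORT))
```

The second function is the same comparison in the other direction: entries the console still shows for machines that no longer have an account are usually retired or renamed PCs, and they inflate the managed count if left alone.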


Q: What do you do when you're finally finished developing your network security policy?

A: The real answer here is that you're never finished with a network security policy. It's a living document that needs to grow and change along with the rest of your company's business processes, technological advances, and security needs.


Chapter 10

Updating Virus Protection

Solutions in this chapter:

■ Introducing the Virus Definition Transport Method (VDTM)

■ Introducing Symantec LiveUpdate

■ Introducing Intelligent Updater

■ Summary

■ Solutions Fast Track

■ Frequently Asked Questions


Virus definition files contain unique segments, often referred to as "signatures," of thousands of viruses. Norton AntiVirus Corporate Edition (NAVCE) detects viruses by comparing files that are being scanned against these virus definition files. If a pattern in a file on a computer matches that of a virus definition file, NAVCE considers the file infected and attempts to rectify the situation by performing a "Clean," "Repair," "Delete," or "Quarantine" operation. Consequently, if the file being scanned does not match any patterns contained in the definition files, NAVCE considers it clean.

It is therefore quite obvious that in order to protect a system, the virus definition files must always be kept current. The next step in the process is to decide how to obtain the files, how to update the client computers within a corporate environment, and how often to perform these updates. In this chapter, we will explore some of the different virus definition delivery and distribution mechanisms, their advantages and disadvantages, and their setup processes.

Before we delve into these various mechanisms, let us first understand how to determine what viruses a system is capable of detecting. In order to obtain a list of viruses, you can simply launch the NAVCE client and click File | View Virus List. You can then scroll through the list (see Figure 10.1) or search for a virus by clicking the Find button and entering its name. You do not need to know the full name of the virus. For example, you can check for all known variants of the Nimda virus (W32.Nimda.A@mm through W32.Nimda.Q@mm) by searching for "nimda." The search is not case sensitive.

Figure 10.1 Virus List


Virus definition files have an extension of vdb, so throughout the rest of the chapter, whenever a file is referred to as a vdb file, you should read it as a virus definition file. A vdb file is, quite simply, a zipped-up file set that contains all the virus definitions known to Symantec as of the moment it was downloaded. Once downloaded, it is decompressed and moved into a subfolder located at C:\Program Files\Common Files\Symantec Shared\VirusDefs. As you can see in Figure 10.2, one of the folders at this location is named 20030104.003. The 20030104 number preceding the period indicates that the set of definitions contained in this folder is dated January 4, 2003. The 003 following the period is the revision number. Therefore, this entire number indicates that this is Revision 3 of the definitions released on January 4, 2003. To the veteran NAVCE administrator, this naming convention must seem different. This is because with version 7.6x of NAVCE, Symantec has started using this new user-friendly naming method.

Figure 10.2 File Location for Virus Definitions

There are several virus definition update mechanisms within the NAVCE solution:

■ Virus Definition Transport Method (VDTM) This is a completely automated method of updating all servers and clients in the enterprise network. It requires minimal configuration because the clients automatically

■ LiveUpdate When using this technology, LiveUpdate servers connect to Symantec's FTP site and download the definition files. Managed servers and clients can then download the definitions from this internal LiveUpdate server.

■ Intelligent Updater The Intelligent Updater is an alternative to using LiveUpdate as a virus update mechanism. When downloaded and executed on a system, the Intelligent Updater searches for the Norton AntiVirus software and updates the virus definitions accordingly.

■ package.exe package.exe creates a single file for a target operating system. This file can be used to install the Norton AntiVirus software and also includes the virus definitions as of that date. This is a great tool for creating installation files but is not too practical for updating the definitions.

■ Mobile Definition Updater Using the Mobile Definition Updater, the clients receive their definitions via their enterprise e-mail. This method, although still functional, is no longer supported by Symantec.

Of the aforementioned update vehicles, we will cover the first two in significant detail and briefly review the others.

Introducing the Virus Definition Transport Method (VDTM)

Virus Definition Transport Method (VDTM) is a completely automated virus definition delivery and distribution mechanism. It requires minimal configuration on the part of the system administrator. In fact, this is the default method for distributing virus definition files to servers and clients. Clients configured to use VDTM automatically connect to their parent servers over a network link and copy the updates. By now, you should be comfortable with the behavior of primary and secondary servers, so we will not delve too deeply into how they interact with each other. However, we will cover the path taken by virus definitions as they travel from the Symantec Web site to their final destination at a client computer.

The way that a client or server configured to use VDTM works is that it downloads an entire vdb archive from its parent server and then decompresses it as discussed earlier. As you can imagine, with tens of thousands of virus definitions contained in each vdb file, the file size of these archives can become quite


significant. An average vdb file is usually over 3.5MB in size. Understandably, this places a significant load on the network links. However, since this method is completely free of configuration and maintenance, it proves to be an overwhelmingly popular method of configuration within a corporate network.

You must be thinking, "surely, something must be occurring in the background to make all of this work." Well, of course! And this is where the concept of the RTVScan Timer Loop becomes important.

The RTVScan Timer Loop

RTVScan is the core program within NAVCE. It performs functions such as alerting, discovery, scanning, processing definition updates, and so on. It also runs a Timer Loop that handles new vdb files as it finds them on the system. This process decompresses the vdb files and places them in a folder named for the date on which they were released.

The Timer Loop behaves differently depending upon whether it is on a client or a server. It performs the following functions:

■ Schedules events such as definition updates and scans.

■ On primary servers, it contacts the secondary servers every five minutes to check their virus definition versions. If the definitions on the secondary servers are not as new as the ones on the primary, new definitions are pushed out to them.

■ On parent servers, it checks clients every three minutes, looking at their virus definition and grc.dat versions. If the definitions on the client are not as new as the ones on the parent server, new definitions are pushed to the client.

■ On managed clients, it connects every 60 minutes to the parent server to verify that the client has the latest definitions and grc.dat files.

■ On the local computer, it checks for new virus definitions (.vdb) every three minutes.

■ On the local computer, it checks for a new grc.dat file every minute. If a new grc.dat file is found, the changes are imported into the local Registry and the grc.dat file is deleted.

■ On the local computer, it checks for LiveUpdate settings every minute. If any settings change, a new liveupdt.hst file is generated. We will be discussing LiveUpdate and the liveupdt.hst file later in this chapter.


So, in summary, on clients, it:

■ Checks with parents every 60 minutes

■ Checks local virus definitions every three minutes

■ Checks local grc.dat files every minute

On parent servers, it:

■ Checks client keys in the Registry every three minutes to see if thegrc.dat file and definitions are up-to-date

On primary servers, it:

■ Checks its Registry every five minutes to ensure the secondary serversare up-to-date

On all servers, it:

■ Checks for new definitions every three minutes and processes them
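The following Python is an added example, not NAVCE code, that makes two points from this chapter concrete: how a definition set's folder name (the 20030104.003 convention described earlier) is turned into a comparable version so that a parent can decide whether a client needs a push, and which Timer Loop checks fall due at a given minute on a client, a parent server, or a primary server. The role and check names are this example's own labels, and it assumes that a primary server also performs parent-server duties for its own clients.

```python
import re
from datetime import date

# Folder names under ...\Symantec Shared\VirusDefs look like 20030104.003:
# YYYYMMDD followed by a three-digit revision.
_DEFS_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})\.(\d{3})$")


def parse_defs_version(name):
    """Return (release_date, revision) for a definition folder name, or None
    if the name does not follow the YYYYMMDD.RRR convention."""
    m = _DEFS_RE.match(name)
    if not m:
        return None
    y, mo, d, rev = (int(g) for g in m.groups())
    try:
        return (date(y, mo, d), rev)
    except ValueError:          # e.g. 20031345.001 is not a real date
        return None


def newest_defs(folder_names):
    """Most recent definition set among the folder names, ignoring entries
    that are not definition folders (such as a BinHub or incoming folder)."""
    versions = []
    for n in folder_names:
        v = parse_defs_version(n)
        if v is not None:
            versions.append((v, n))
    return max(versions)[1] if versions else None


def needs_push(parent_defs, client_defs):
    """A parent pushes definitions when the client's set is older than its own;
    equal or newer client definitions are left alone."""
    pv = parse_defs_version(parent_defs)
    cv = parse_defs_version(client_defs)
    if pv is None:
        return False            # the parent has nothing valid to offer
    if cv is None:
        return True             # the client has no usable definitions
    return cv < pv


# Check intervals, in minutes, from the Timer Loop summary above.
# Role and check names are this example's own labels (assumption), and a
# primary server is assumed to also act as a parent for its own clients.
INTERVALS = {
    "client": {"parent_checkin": 60, "local_defs": 3, "grc_dat": 1,
               "liveupdate_settings": 1},
    "parent": {"client_keys": 3, "local_defs": 3, "grc_dat": 1,
               "liveupdate_settings": 1},
    "primary": {"secondary_servers": 5, "client_keys": 3, "local_defs": 3,
                "grc_dat": 1, "liveupdate_settings": 1},
}


def checks_due(role, minute):
    """Set of checks the Timer Loop would run at a given minute, counting
    from minute 0 when RTVScan started (every interval fires at minute 0)."""
    return {name for name, every in INTERVALS[role].items() if minute % every == 0}


if __name__ == "__main__":
    folders = ["20021230.001", "20030104.003", "20030104.012", "BinHub"]
    print("newest on parent:", newest_defs(folders))
    print("push to client at 20021230.001?", needs_push(newest_defs(folders), "20021230.001"))
    for minute in (1, 3, 5, 60):
        print(minute, "client:", sorted(checks_due("client", minute)),
              "primary:", sorted(checks_due("primary", minute)))
```

The version comparison is the reason the date-plus-revision naming matters: a tuple of (date, revision) orders correctly even when several revisions ship on the same day, which a plain string compare of the old naming scheme would not guarantee.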

Features of the Virus Definition Transport Method

Now that we have discussed the Timer Loop, we can go over the process by which the definitions flow from the primary server to the end clients. Using VDTM, it is necessary to have only the primary server configured to download the virus definitions from Symantec. The other (non-primary) servers in the server group are configured by default to retrieve the definitions from this primary server. There are several methods of updating the primary server. Usually, the primary server retrieves the latest virus definitions from Symantec's site using LiveUpdate or FTP. The other servers in the server group check in regularly with this primary server to obtain the definitions. The clients, in a similar fashion, retrieve the definitions from their parent server.

Configuring a Server to Use VDTM

Now that we have explored the theory, we can discuss how to configure a NAVCE server to use VDTM.

1 Click Start | Programs | Symantec System Center | Symantec System Center Console.

2 Select and unlock the server group you wish to work on.


3 Right-click the primary NAVCE server for this server group. Then, click All Tasks | Norton AntiVirus | Virus Definition Manager. You will now see the Virus Definition Manager screen (Figure 10.3) for the server (NT-IRVA-0552, in this case).

4 In the section labeled "How Servers Retrieve Virus Definition Updates," you can choose to either update only the primary server in the server group or update each NAVCE server individually. The most common choice is to update only the primary server, but there are often compelling reasons to go with the latter option. For now, select the Update the Primary Server of this Server Group only button, then click Configure.

5 Ensure that the box labeled Schedule for automatic updates is checked (as shown in Figure 10.4). Then click Schedule.

6 Select the time and frequency of your updates and click OK. However, being the prudent system administrator that you are, you would click the Advanced button and set some further options (Figure 10.5).

7 As shown in Figure 10.6, you can select the number of hours within which missed events are handled. You can also set some randomization hours. Here, for example, we started out with 1:00 P.M., which is the midpoint of the usual nine-to-five day. Performing the update within 240 minutes of 1:00 P.M. effectively means the update will occur at some point during the work day.

8 Click OK on each successive window until all the windows are closed.

9 Click Console | Exit to close the Symantec System Center (SSC).

Figure 10.3 The Virus Definition Manager

Figure 10.4 Configuring the Primary Server Updates

Figure 10.5 Configuring the Virus Definition Update Schedule

Figure 10.6 Advanced Scheduling Options for Virus Definition Updates


You have now successfully configured your NAVCE server to use VDTM.

Another setting worth considering and tweaking to meet your needs is the frequency with which your clients check in with their parent server. This can be done by clicking Virus Definition Manager | Settings. In the Update Settings window (Figure 10.7), choose how often the NAVCE clients check the parent server for updates.

Figure 10.7 Settings for VDTM Update Interval

Introducing Symantec LiveUpdate

Now that you're familiar with VDTM, let's look at how LiveUpdate works. LiveUpdate is a Symantec technology that allows Symantec products to connect via FTP or HTTP to a Symantec server and retrieve program updates and virus definitions.

VDTM versus LiveUpdate

VDTM

■ Advantages: Fully automated. Only one server needs to be updated; all other machines get updated automatically. Minimal configuration required. Clients get updated within ten minutes of a server update.

■ Disadvantages: Clients and servers copy the entire definitions file.

LiveUpdate

■ Advantages: Clients download incremental updates (called MicroDefs), which results in less network traffic. Can be scheduled. Can be used to apply program updates.

■ Disadvantages: Requires more configuration.


Designing & Planning…

Should I Use VDTM or LiveUpdate?

As you can see, there are benefits and disadvantages to either approach. Even when using LiveUpdate, you have the option of using an Internal or External LiveUpdate configuration. The easiest way to answer this question is to take stock of your network configuration, the number of clients you will be serving, and your users' work habits. In other words, each observation you make brings you closer to your answer. Let's go over some sample scenarios. Make a guess and then check the answers that follow. Who said this couldn't be fun?

1 A software company environment consists solely of stationary desktop computers. Some programmers work during normal business hours. Others come in during the night shift. Most employees turn their systems off when they go home. Others leave them running for days.

2 A pharmaceutical research and development company consists of a team of traveling salespeople and process engineers who stay at the headquarters. The salespeople travel across the globe and use whatever Internet service the local hotel can provide. They use VPN software to connect to the company headquarters to check their e-mail at least once a day.

3 An engineering company has hundreds of employees. The majority of employees work within their offices around the world. Other employees work from home, connecting to the company network from time to time for a few minutes. Salespeople are always on the road and use whatever Internet service they can find. They do not use VPN to connect to the company. Instead, they check their e-mail using their company's secure Web site.

And now the answers:

1 This is a classic example where you have plenty of bandwidth on a company LAN. This is the perfect scenario for using VDTM. The size of the files being transferred is of no consequence. What matters here is that you are keeping administration and configuration to a minimum.

2 This scenario is slightly involved. You have process engineers that could potentially use VDTM, but then the salespeople would have to download megabytes. You use an Internal LiveUpdate server and instruct the salespeople to launch LiveUpdate at least once a day when they connect to the company. Remember, this is just one of the possible solutions. We will discuss this in more detail shortly.

3 This scenario, although seemingly complex, is typical of an average company. In this case, VDTM is quite impractical due to the various link speeds. In such circumstances, an Internal LiveUpdate server wouldn't work because traveling employees do not connect to the company network. What about an external (Symantec's) LiveUpdate server? Wouldn't you lose administrative control over what definitions are applied to the end clients? Not necessarily. Perhaps a combination of VDTM and LiveUpdate? Good guess! Keep reading.

As you can see in scenarios 2 and 3, most companies are not textbook examples. They are diverse in their functional groups and varied in the behavior of their employees. In such cases, could there be a configuration that best serves all employees in all situations? Yes. Often NAVCE administrators end up using a combination of VDTM and LiveUpdate. This is done by leaving LiveUpdate enabled and configuring it to connect to Symantec's (External) LiveUpdate servers daily. This gives the end user the best of both worlds. When on the LAN, the RTVScan timer forces the client to check for updates as often as it is configured to. When not on the LAN, the LiveUpdate schedule kicks in and updates the client using definitions from Symantec's LiveUpdate servers.

There is currently one situation where this hybrid solution can backfire a little. This is when a client connects to the company network using VPN over a slow (dial-up) link. The VPN software usually tricks the NAVCE software into thinking it is connected to the LAN, and a large vdb file can potentially be downloaded across the slow link. The good news is that with its next release of NAVCE (which will be known as Symantec AntiVirus Corporate Edition 8.0 or SAVCE 8.0), VDTM will also make use of the smaller incremental virus definitions (MicroDefs) used by LiveUpdate.

Remember, there are always compelling reasons to choose VDTM, LiveUpdate, or a combination of both. The scenarios we discussed here are purely instructional. You should study your company's environment and assess requirements before making this or any other decision.


As you can see, both methods have certain features that are appealing. However, it is up to the system administrator to decide which method best suits the needs of the environment they are trying to protect.

Considerations for Configuring LiveUpdate

There are two ways that LiveUpdate can be configured. We will cover the configuration process for both models later in this chapter. For now, just concentrate on the theory and conceptual architecture. The following is a brief introduction to the two methods of LiveUpdate configuration:

■ External LiveUpdate In this method, managed servers are configured to connect to Symantec for virus and program updates.

■ Internal LiveUpdate In this method, one of the servers is configured to retrieve updates from Symantec. Other servers are configured to connect to this internal LiveUpdate server to retrieve virus and program updates.

There are advantages and disadvantages to both approaches. Table 10.2 shows a brief comparison of the two.

Table 10.2 Internal versus External LiveUpdate Configurations

Internal LiveUpdate

■ Advantages: Less traffic on the enterprise Internet connection. Definitions can be tested before they are distributed to clients.

■ Disadvantages: More configuration required. An internal server must be dedicated to LiveUpdate. Possibly more maintenance.

External LiveUpdate

■ Advantages: Less configuration required. Less maintenance.

■ Disadvantages: More traffic on the enterprise Internet connection. Cannot test definitions before they are distributed to clients.

Configuring External LiveUpdate

Since it is the easier of the two LiveUpdate models, let’s go over the process ofconfiguring an External LiveUpdate server

To configure servers to retrieve updates from Symantec’s FTP site:


1 Launch the SSC by clicking Start | Programs | Symantec System Center | Symantec System Center Console.

2 Right-click the Server Group you wish to configure.

3 Select All Tasks | Norton AntiVirus | Virus Definition Manager.

A screen will appear like that shown in Figure 10.8

4 Select Update each Server in this Server Group individually.

5 Click Configure.The screen in Figure 10.9 should appear.

Figure 10.8 Virus Definition Manager at a Server Group Level

Figure 10.9 Configuring Updates for a Server Group


6 If LiveUpdate is not currently selected as the Update Source, click

You have now successfully set up all the computers within the server group to obtain their updates from Symantec's Web site.

If you are the curious type and want to know the LiveUpdate settings that NAVCE uses to retrieve virus definitions from Symantec, click the Configure button in the Setup Connection window, as shown in Step 7 of the preceding process. You should see the window shown in Figure 10.11.

Since it was truncated in Figure 10.11, here is the path in the field labeled "remote folder" for your benefit: /public/english_us_canada/antivirus_definitions/norton_antivirus_corp

Therefore, the actual location of these definitions at Symantec's FTP servers is ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus_corp/. A screenshot of this folder is provided in Figure 10.12.

Figure 10.10 Configuring the Virus Definition Source

Figure 10.11 Default FTP Settings for LiveUpdate via FTP

Trang 24

Notice there are a multitude of files named using the same convention wediscussed in the beginning of this chapter But, as you can see, the files also havesome unfamiliar suffixes—for example, x86.exe We’ll discuss these files and theirusage later in this chapter.

Configuring Internal LiveUpdate

Before we jump into the actual configuration, let’s conduct a high-level overview of our process. In order to configure NAVCE servers and clients to retrieve updates from an internal LiveUpdate server, we will:

1 Install and configure the LiveUpdate Administrator Utility and specify the packages to be downloaded to a particular directory.

2 Choose a LiveUpdate server type. This can be an FTP, HTTP, or any other NT/NetWare server type on the enterprise LAN.

3 Use the SSC to configure LiveUpdate on the internal LiveUpdate server.

4 Use SSC to configure other servers and clients to connect to the internal LiveUpdate server.

5 Use SSC to set the LiveUpdate retrieval interval.

Now, let’s begin with the LiveUpdate Administrator Utility.

Figure 10.12 Different Types of Files Available at Symantec

LiveUpdate Administration Utility

Introduction and System Requirements

The LiveUpdate Administration Utility is exactly that. It allows a System Administrator to download update packages and configure clients to retrieve those updates from a central LiveUpdate server. As per Symantec, the minimum system requirements to install the LiveUpdate Administration Utility 1.5 and later are as follows:

■ Any of the following operating systems:

■ Windows 2000 Professional/Server/Advanced Server/Data Center

■ Windows NT 4.0 Workstation/Server/Enterprise Server/Terminal Server

Notes from the Underground…

A Word on “System Requirements” and Their Consequences

You must understand that these are the minimum system requirements used solely for this software. In other words, your system must have far more CPU speed, RAM, and free disk space to be able to run the platform on which this is installed and executed.

Take for example, the minimum system requirements for Windows 2000 Server:

■ A Pentium 133MHz processor or higher

■ 256MB RAM (recommended minimum)

■ 2GB hard disk space with a minimum of 1.0GB free space

Again, these are the minimum for Windows 2000 Server. So, as a realistic system administrator, you must be quite familiar with what is listed as a minimum by a vendor and what actually works.

While we’re on the topic of system requirements, let’s go over another common issue. Often, the LiveUpdate Administration Utility is installed on the same system as the NAVCE software. The requirements for NAVCE server are just as unrealistic, and to keep costs low, many beginners install the NAVCE software on the workstation version of Windows NT/2000. If you recall, Windows NT Workstation and Windows 2000 Professional only support a maximum of ten concurrent network connections. This can seriously impact the speed with which definitions are distributed to end clients.

Newer viruses increasingly grow into what Symantec terms as blended threats. Blended threats attack a network simultaneously through multiple channels—for example, e-mail (SMTP), network shares, Microsoft IIS exploits, and by responding to network announcements routinely made by all clients participating in a Windows domain. At such times, when the virus is traveling through the network, it is critical to make the latest definitions available to all clients.

So, consider your environment and choose carefully. Remember, it’s better to perform capacity planning in advance and even err on the side of caution rather than cut costs. This way, your cost-conscious supervisor won’t be getting that phone call in the middle of the night when a virus is running rampant across your network and you can’t distribute the definitions fast enough.

Installing Symantec LiveUpdate 1.5.3.21 Administration Utility

Now, let’s install the Symantec LiveUpdate Administration Utility. You can find this utility on CD 1 of your NAVCE installation set. However, quite often, newer versions are available on Symantec’s Web site. Therefore, in our example, we will download the latest version rather than installing it from the CD.

1 Download the latest version of the LiveUpdate Administration Utility (luau.exe) from www.symantec.com/techsupp/files/lu/lu.html and double-click it.

2 Click Yes to begin the installation (as shown in Figure 10.13).

3 In the Welcome screen that appears in Figure 10.14, click Next.

4 Select the destination folder for the installation files by clicking the Browse button. Or, simply click Next (see Figure 10.15).

NOTE

This destination folder is only for the executable files for this utility. The location where the update files will be downloaded and stored is configured later. Therefore, it is often best to leave this destination folder at its default location.

5 Verify the settings and click Next (see Figure 10.16).

Figure 10.13 Installing the LiveUpdate Administration Package

Figure 10.14 The Welcome Screen

6 Check the box labeled Launch LiveUpdate Administration Utility and click Finish (Figure 10.17).

Figure 10.15 Configuring the Target Location for Program Files

Figure 10.16 Confirm Installation Settings

Figure 10.17 Finishing Up and Launching the LUAU

7 You have now successfully installed the software. Be sure to read the section marked “Important Note” included in the window shown in Figure 10.18.

For your benefit, the entire text message is shown next:

“Important Note: If you have a custom host file (liveupdt.hst) on your client machines, you MUST modify the name field (as displayed in the Description area of the Host File Editor) of the first or second entry to prevent the LiveUpdate installer (lusetup.exe) from overwriting your custom host file during an update. The LiveUpdate installer is used to install or patch LiveUpdate. The client installer will NOT overwrite the existing liveupdt.hst file IF the Name fields within the Description area of the Host File Editor in either the first or second entries of the customized liveupdt.hst host file have been modified.”

To learn how to uninstall or troubleshoot the LiveUpdate Administration Utility, please refer to the resources mentioned in the FAQ section at the end of this chapter.

Configuring LiveUpdate Using the LiveUpdate Administration Utility

Now that you have successfully installed the LiveUpdate Administration Utility, let’s take a quick tour of the console to see how it works. Figure 10.19 is a screenshot of the “Retrieve Updates” view of the LUAU. Here, you would select the language and the Symantec product lines you want to update.

If you click Host File Editor in the left pane, you will see the view shown in Figure 10.20. Here, you can create or edit a custom host file to distribute within your environment.

Figure 10.18 Release Notes for the LUAU

Figure 10.19 Configuring LUAU for Product Updates

Figure 10.20 The Host File Editor within the LUAU

Configuring Servers and Clients to Connect to the Internal LiveUpdate Server

Now that we have set up an internal LiveUpdate server, let’s configure the other (NAVCE) servers and clients to connect to this internal LiveUpdate server.

1 Launch the SSC by clicking Start | Programs | Symantec System Center | Symantec System Center Console.

2 Right-click the Server or Server Group you wish to configure.

4 Click the LiveUpdate tab to see the screen shown in Figure 10.21.

5 Select Internal LiveUpdate Server.

6 Select the Type of connection—for example, FTP, HTTP, or LAN.

7 Enter the server Name.

8 Enter the server Location.

9 Enter the Login Name required to access this server.

10 Enter the Login Password required to access this server.

NOTE

Symantec recommends you leave the Login Name and Password fields (from Steps 9 and 10) blank so that any internal client can access the server with minimal configuration.

Figure 10.21 LiveUpdate Settings at a Server Group Level

11 Enter the FTP, URL, IP address, or UNC path for this server.

13 Select Apply settings to all clients if you want the clients to also get their updates from the internal LiveUpdate server.

Introducing Intelligent Updater

An alternative to LiveUpdate, Symantec’s Intelligent Updater updates virus definitions. LiveUpdate automatically downloads and then installs virus definitions. It can be launched on demand or configured to execute according to a schedule. However, if for some reason, LiveUpdate is not functioning, or if you need to download and install updates manually, you can download and use the Intelligent Updater to install the virus definitions.

On some occasions, it becomes necessary to use the Intelligent Updater. One such scenario is when a new virus emerges and a LiveUpdate file has not been released by Symantec. In such cases, while its AntiVirus team is working towards a “cure” for the new virus, Symantec often releases beta versions of virus definitions to its customers. Such definitions may not repair the infected files but will nonetheless allow the NAVCE clients to identify the file as infected. This can keep the virus from spreading within the company environment.

The Intelligent Updater can be downloaded as two large files or as multiple smaller files. The first large file is for users that have network or dial-up Internet access. The smaller files are created such that they can be copied to floppy disks and used to update computers not connected to the Internet. The second large file is an all-inclusive package used by system administrators who need to maintain multiple versions of NAV on multiple platforms.

In order to update a Windows-based system using the Intelligent Updater, do the following:

1 Point your Web browser to: http://securityresponse.symantec.com/avcenter/defs.download.html

2 Select the appropriate language.

3 Select Norton AntiVirus Corporate Edition from the list of products.

NOTE

You will also see “Symantec AntiVirus Corporate Edition” in this list, which refers to version 8.0 (or later) of this software.

4 Click Download Updates. You will then be taken to a new page. In this case, it will be http://securityresponse.symantec.com/avcenter/download/pages/US-NAVCE.html

5 The filename you require will be based upon the naming convention discussed at the beginning of this chapter, which will have some sort of suffix—for example, 20030110-017-x86.exe.

6 In the screen shown in Figure 10.22, click Save and then click OK.

7 Save the file to the Desktop.

8 After the file is downloaded, close the Web browser and launch the file you just downloaded. The screen shown in Figure 10.23 should appear.

9 Click Yes to execute the Intelligent Updater.

Figure 10.22 Executing the Intelligent Updater

Figure 10.23 The Confirmation Dialog for Intelligent Updater
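Step 5 above relies on the package naming convention from the start of this chapter (release date, a three-digit revision, then a platform suffix such as x86). The following script is an added example, not code from the book or from Symantec: it parses that convention, picks the newest package out of a directory listing, and reports how old an installed definition set is, which is the check an administrator wants before deciding whether a client is still adequately protected. The directory listing and the seven-day staleness threshold are constructed for the example; only the date and revision fields are interpreted, and the platform tag is treated as an opaque label.

```python
"""Parse Symantec definition package names such as 20030110-017-x86.exe and
use the parsed fields to find the newest package and gauge staleness.
Added example: the name form comes from this chapter; the listing is constructed."""
import re
from datetime import date, datetime

# Name form used in this chapter: YYYYMMDD-RRR[-platform].ext
# (release date, three-digit revision, optional platform tag, extension).
_DEF_NAME = re.compile(
    r"^(?P<date>\d{8})-(?P<rev>\d{3})"
    r"(?:-(?P<platform>[A-Za-z0-9]+))?\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_definition_name(filename):
    """Return release date, revision, platform tag and extension, or None
    when the name does not follow the convention (or has an impossible date)."""
    m = _DEF_NAME.match(filename)
    if m is None:
        return None
    try:
        released = datetime.strptime(m.group("date"), "%Y%m%d").date()
    except ValueError:  # e.g. month 13 or day 40: not a real release date
        return None
    return {
        "released": released,
        "revision": int(m.group("rev")),
        "platform": m.group("platform"),
        "ext": m.group("ext").lower(),
    }


def definition_key(filename):
    """Ordering key: later release date wins, then higher revision."""
    info = parse_definition_name(filename)
    if info is None:
        raise ValueError("not a definition package name: %s" % filename)
    return (info["released"], info["revision"])


def newest_definition(filenames, platform=None):
    """Pick the newest package from a listing, optionally for one platform tag.
    Names that do not follow the convention (README files, etc.) are skipped."""
    candidates = []
    for name in filenames:
        info = parse_definition_name(name)
        if info is None:
            continue
        if platform is not None and info["platform"] != platform:
            continue
        candidates.append(name)
    if not candidates:
        return None
    return max(candidates, key=definition_key)


def definitions_age_days(installed_name, today):
    """Days between the installed set's release date and `today` (a date)."""
    info = parse_definition_name(installed_name)
    if info is None:
        raise ValueError("not a definition package name: %s" % installed_name)
    return (today - info["released"]).days


def is_stale(installed_name, today, max_age_days=7):
    """True when the installed set is older than the allowed age.
    The seven-day default is an assumption for this example, not a vendor figure."""
    return definitions_age_days(installed_name, today) > max_age_days


# Constructed directory listing for the example (not a real Symantec listing).
SAMPLE_LISTING = [
    "20030108-010-x86.exe",
    "20030110-009-x86.exe",
    "20030110-017-x86.exe",
    "20030110-017-i32.exe",
    "README.txt",
]

if __name__ == "__main__":
    newest = newest_definition(SAMPLE_LISTING, platform="x86")
    print("newest x86 package:", newest, parse_definition_name(newest))
    check_day = date(2003, 1, 18)
    print("age on", check_day, ":", definitions_age_days(newest, check_day), "days,",
          "stale" if is_stale(newest, check_day) else "current")
```

Sorting by (date, revision) rather than by plain string order matters once revisions pass two digits or a later date carries a lower revision, and rejecting names with impossible dates keeps a stray file in the download folder from being mistaken for the newest package.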

Summary

In this chapter, we learned about virus definition files, what they do and their naming convention. You should now be able to determine the date of release and the version number simply by inspecting the filename. You should also be able to determine if a particular virus can be detected using the virus list feature within the NAVCE client.

We learned about the five different methods of downloading and distributing virus definitions. Of these methods, we covered the Virus Definition Transport Method (VDTM), LiveUpdate (both Internal and External configurations), and the Intelligent Updater in significant detail. Since we also delved into the inner workings of VDTM and how it uses the RTVScan Timer Loop, you should now have extensive knowledge of the process by which virus definitions are retrieved and distributed. You also should understand the advantages and disadvantages of LiveUpdate and VDTM and now be able to make an informed decision regarding which method you should use in your environment. In addition, we learned about the Intelligent Updater, its purpose, and usage.

Essentially, you should now be able to configure your NAVCE server to use VDTM or LiveUpdate. And, if necessary, you should be able to use the Intelligent Updater to update the virus definitions on a particular client or server.

Solutions Fast Track

Introducing the Virus Definition Transport Method (VDTM)

; The Virus Definition Transport Method (VDTM) is a completely automated virus definition delivery and distribution mechanism.

; A client or server configured to use VDTM will download an entire .vdb archive from its parent server and then decompress it.

; RTVScan is the core program with Norton AntiVirus Corporate Edition. It performs functions such as alerting, discovery, scanning, and processing definition updates.

; Virus protection files contain unique patterns from thousands of different viruses. When a file is scanned to check for viruses, its binary code is compared with these snippets to determine if there is a pattern match with any known virus.

; If a pattern is matched, the Norton AntiVirus Corporate Edition (NAVCE) software considers the file infected and attempts to remedy the situation. However, if the virus is new enough, or the virus definition files are out-of-date, an infected file will appear clean to the software. Therefore, it is critical that virus definition files be kept as current as possible.
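To make the last two points concrete, here is an added Python illustration (not NAVCE’s scanning engine or any Symantec code): a definition set is modelled as a map of names to byte patterns, a scan reports every pattern present in a file’s bytes, and the same constructed sample is scanned with an older and a newer definition set to show why an out-of-date set reports an infected file as clean. Every pattern and sample file below is made up for the example; none is a real signature or real malware, and a production engine does far more than plain substring matching.

```python
"""Toy pattern-based detection: a definition set is a mapping of names to byte
patterns and a scan checks which patterns occur in a file's bytes.
Added example with constructed data; not NAVCE's engine."""

# Two constructed definition sets, named after the dates they would carry.
# The newer set knows one more pattern than the older one.
DEFS_20030108 = {
    "Sample.A": b"\x4d\x5a\x90\x00SAMPLE-A-MARK",
}
DEFS_20030110 = {
    "Sample.A": b"\x4d\x5a\x90\x00SAMPLE-A-MARK",
    "Sample.B": b"SAMPLE-B-MARK\xde\xad\xbe\xef",
}


def scan_bytes(data, definitions):
    """Return the names of every pattern found in `data`.
    An empty list means the file looks clean to this definition set."""
    return [name for name, pattern in definitions.items() if pattern in data]


def scan_file(path, definitions):
    """Scan a file on disk with the given definition set."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), definitions)


def detection_gap(data):
    """Scan the same bytes with the older and the newer set, side by side."""
    return {
        "20030108": scan_bytes(data, DEFS_20030108),
        "20030110": scan_bytes(data, DEFS_20030110),
    }


# Constructed inputs: a harmless file and two files carrying the made-up marks.
CLEAN_FILE = b"\x4d\x5a\x90\x00" + b"\x00" * 64 + b"hello world"
SAMPLE_A_FILE = b"\x4d\x5a\x90\x00SAMPLE-A-MARK" + b"\x00" * 32
SAMPLE_B_FILE = b"\x4d\x5a\x00\x00" + b"SAMPLE-B-MARK\xde\xad\xbe\xef"

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_FILE), ("sample A", SAMPLE_A_FILE),
                        ("sample B", SAMPLE_B_FILE)):
        print(label, "->", detection_gap(blob))
```

The "sample B" line is the point of the exercise: with the 20030108 set the file scans clean, with the 20030110 set it is flagged, so the only thing separating a detected file from a missed one is how current the definition set on the client is.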

Introducing Symantec LiveUpdate

; Symantec’s LiveUpdate allows Symantec products to connect via FTP or HTTP to a Symantec server and retrieve program updates and virus definitions.

; There are two ways to configure LiveUpdate:

■ External LiveUpdate In this method, managed servers are configured to connect to Symantec for virus and program updates.

■ Internal LiveUpdate In this method, one of the servers is configured to retrieve updates from Symantec. Other servers are configured to connect to this internal LiveUpdate server to retrieve virus and program updates.

Introducing Intelligent Updater

; An alternative to LiveUpdate, Symantec’s Intelligent Updater also updates virus definitions.

; The Intelligent Updater can be downloaded as two large files or as multiple smaller files.

; The most common scenario for using Intelligent Updater is when a new virus emerges and a LiveUpdate file has not been released by Symantec. In such cases, while the AntiVirus team is working towards a “cure” for the new virus, Symantec often releases beta versions of virus definitions to its customers. Though such definitions may not repair infected files, they nonetheless allow NAVCE clients to be able to identify those files as infected.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: Should I use VDTM or LiveUpdate for my clients?

A: This really depends on your network configuration and the work habits of your company’s employees. See the sidebar titled “VDTM or LiveUpdate?” for more information.

Q: Should I disable LiveUpdate for my clients?

A: In many cases this is not advisable. However, in some companies there may be compelling reasons to do this. One such scenario occurs when a new set of virus definitions is downloaded and renders some software unusable. In such cases, you may need to disable LiveUpdate on your clients and apply an older set of virus definitions.

Q: If I use two Internal LiveUpdate servers for my clients and one of them crashes, will the clients “fail-over” to the second one?

A: No. Norton AntiVirus will not “fail-over” to the next LiveUpdate server. However, with the next version of this software (to be named Symantec AntiVirus Version 8.0), it will be possible to define multiple LiveUpdate servers.

Q: I think I need additional help. Do you know of any resources?

A: Most of the documentation you will require is already included on your installation CDs. However, you can also get excellent documentation from the following:

■ The Symantec Enterprise Support Site for Norton Antivirus Corporate Edition 7.6: www.symantec.com/techsupp/enterprise/products/nav/nav_76_ce/manuals.html

■ The Symantec Knowledgebase for Norton AntiVirus Corporate Edition 7.6: www.symantec.com/techsupp/enterprise/products/nav/nav_76_ce/search.html

■ LiveUpdate manuals, patches, and files located at www.symantec.com/techsupp/files/lu/lu.html

■ Other resources include Syngress Solutions (www.syngress.com/solutions), Yahoo Groups (for example http://groups.yahoo.com/group/avadmins), and other Internet discussion groups.

Q: Why doesn’t LiveUpdate download definitions when the Security Response Web site or a virus write-up shows that more recent definitions are available?

A: You can find the answer to that question at: http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2002021908382713

Posted: 13/08/2014, 15:20
