13 You can then close the Registry editor.
14 Restart your system. If the system is not bootable, use your backup copy of the Registry and your Windows repair disks (or ERD) to restore the original Registry.
Removing NAVCE from the Hard Drive
If you wish, you can also remove the following folders if they are present:
■ [drive]\Program Files\NAV (or [drive]\Program Files\NAVNT, for NT systems)
■ [drive]\Program Files\Common Files\Symantec Shared\VirusDefs
■ [drive]:\Documents and Settings\All Users\ApplicationData\Symantec\Norton AntiVirus Corporate Edition\7.5
■ [drive]:\WINNT\Profiles\All Users\ApplicationData\Symantec\Norton AntiVirus Corporate Edition\7.5
■ [drive]:\WINNT\Installer\{D6C64C68-F9F5-11D3-BEEA-00A0CC272509}
NOTE
Make sure that no other applications use the virus definitions. Otherwise, you will have to restore this directory.
Removing NAVCE from the Start Menu
To remove NAVCE from your Start menu, take the following steps:
1 Right-click the Start button, then click the Open All Users option.
2 Double-click the Programs icon.
3 Once in the Programs window, find the folder for NAVCE, and then delete it.
NOTE
If you are using Windows NT/2000, you can also use the Windows Installer Cleanup utility, freely available from Microsoft (search for document number Q240116). For specific instructions on how to install and use the Windows Installer Cleanup utility, see the section entitled,
LiveUpdate Issues
After installation, NAVCE 7.6 requires a server restart to make sure that LiveUpdate will work. In some cases, however, NAVCE 7.6 will fail to prompt users to restart the system. As a result, the Registry entries necessary to start the LiveUpdate engine are not run. Restart the system to make sure the new entries are read and enacted by the operating system.
It is also possible that the person who installed NAVCE may have chosen not to restart the system. Nevertheless, restart the system first to see if a simple re-read of the Registry solves the problem. If LiveUpdate continues to experience problems, consider the following solutions:
■ Check for network problems (for example, DNS, firewall, DHCP issues).
■ Verify that the client is, in fact, configured to use LiveUpdate.
■ Conduct a manual LiveUpdate to see if the engine is working.
Now, let’s take a look at some specific problems and solutions.
Proxy Server Settings
It is possible that a proxy server is blocking LiveUpdate sessions. Open NAVCE and check for proper firewall and/or proxy server settings. Required information can include:
■ Proxy server or firewall IP address and/or DNS name
■ Proxy server port
■ Authentication information (for example, a username)
Invalid System Account
It is also possible that NAVCE will not start because it is using an invalid system account. NAVCE will create its own system account, but it is not necessary to use this particular account. Although it is a bad idea to change this account arbitrarily, if a problem occurs, you can always create a new account. If you create a new account, make sure it has administrative privileges for the system. Otherwise, NAVCE will not be able to use necessary resources, directories, and files. For example, if NAVCE does not have administrative privileges, it will not be able to allocate the proper ports for networking. To modify the account NAVCE uses, take the following steps:
1 Create an account with administrative privileges. You can do this using the Computer Management snap-in and adding a user. Make sure you supply a password and add the user to the Administrators group. You may want to write down the password, because you will have to enter it shortly when you choose a new account for the NAVCE service.
2 Open the Services snap-in (for example, by going to Start | Programs | Administrative Tools | Services in Windows 2000, or Start | Control Panel | Administrative Tools | Services in Windows XP).
3 When the Services snap-in appears, find the service for NAVCE, right-click it and select Properties.
4 Once in the Properties dialog box for the NAVCE service, find the account NAVCE uses. In both Windows 2000 and XP, you would click the Log On tab for the NAVCE service and then select the This account radio button. You can add the account name and password information here.
5 Stop and restart the NAVCE service. When it restarts, it will be using the account you created.
UNC Share Issues
Many systems administrators prefer to have LiveUpdate obtain shares from an SMB-based share on a Windows server. However, it is possible that some systems may not have rights to attach to this share. In such cases, LiveUpdate will fail.
Several options are available in this situation:
■ Change the account the NAVCE service uses. Make sure that this account has enough permissions on the network to access the share.
■ Configure the LiveUpdate share to allow null sessions (for example, sessions that allow any user to connect).
■ Change the permissions on the LiveUpdate share to allow connections from all servers that use LiveUpdate.
Dual NIC Systems
Dual NIC systems are useful in various situations, including:
■ When you need a relatively inexpensive proxy server or firewall solution
■ When you need two NICs to help distribute connections entering the system
In dual NIC systems, NAVCE 7.6 should bind according to the NIC’s priority. NAVCE will then work with the IP address bound to the highest priority NIC. However, in cases where the binding priority becomes confused, take the following steps:
1 Access the properties for the local area connection. In Windows 9x/NT/2000, simply right-click the Network Neighborhood icon.
2 Take the necessary steps to access the Advanced Settings dialog box. In Windows 2000, for example, look for the Advanced selection in the top menu bar. Choose Advanced | Advanced Settings, as shown in Figure 11.14.
3 Make sure you are in the Adapters and Bindings tab (the default). This tab shows all NICs bound to the system, in order of priority. Figure 11.15 shows how to change the priority of a standard Ethernet NIC over a wireless NIC. The standard Ethernet NIC is the one that, in this case, should receive priority, because you wish the Symantec AV service to bind to it.
Figure 11.14 Configuring Adapter Priority in Windows 2000
4 Click OK to return to the Network and Dial-up Connections window.
You have now manually set your binding priority to accommodate NAVCE 7.6.
In Windows XP, you would follow similar steps:
1 Access the properties for the local area connection. In Windows XP, one way to get there is through Control Panel | Network and Internet Connections | Network Connections, then right-click the Local Area Connection icon. If you have configured your system to use Windows 9x/NT/2000-style icons such as Network Neighborhood, simply right-click it to bring up the Network Connections window, and then right-click the Local Area Connection dialog box.
2 Once you have accessed the Local Area Connection dialog box, click the Advanced menu option in the menu bar at the top, as shown in Figure 11.16.
Figure 11.15 Changing Adapter Priority in Windows 2000
Figure 11.16 Accessing the Advanced Settings Dialog Box in Windows XP
3 Once you have clicked the Advanced menu option, select the Advanced Settings option. You will then see the Advanced Settings window, where you can configure the priority of the various NICs you have. All you need to do is highlight the NIC that has NAVCE 7.6 configured on it and then give it priority.
You now know how to set priority on both Windows 2000 and XP systems.
Additional Fixes
The following is a list of fixes you can try in case standard solutions do not work.
■ Desktop firewalls: You may have a desktop firewall installed on your server (for example, a product such as ZoneAlarm or Norton Personal Firewall). If at all possible, disable these applications. They are really not designed to protect servers in the first place, and they might be blocking NAVCE traffic. Nevertheless, if you must have a desktop firewall installed on a server, configure it so it does not block NAVCE traffic. Also, the Internet Connection Firewall feature in Windows XP may be causing a problem with regard to client and server communication.
■ NetBIOS over TCP/IP: Many times, security administrators will disable NetBIOS over TCP/IP in order to cut down on scanning attacks, as well as security issues that occasionally crop up with Windows systems. Open the Advanced TCP/IP Properties dialog box and click the WINS tab. Make sure the Enable NetBIOS over TCP/IP option is selected.
■ The SMB Signing bug and Windows XP: If you are using Windows XP systems that use SMB signing and have Service Pack 1 installed, it is possible that users might experience long delays when transferring files, or even when opening common Microsoft Office files. NAVCE on the client is often blamed, but in many cases the actual problem has to do with something called the SMB Signing bug. SMB signing is a feature in Windows XP where SMB packets are digitally signed to provide more security as files are transferred. The bug can be resolved by following the instructions given in Microsoft’s Knowledge Base article 810907, available at www.microsoft.com.
Novell NetWare Servers
When working with NetWare servers, common problems include:
When installing on Novell systems, you need the following information:
■ A username with proper permissions for installation and configuration
■ A password for the username
■ A container name. This container will hold login scripts that you can use to install the NAVCE client to remote systems
If you specify an incorrect container name, you will have to reinstall NAVCE on the Novell server. If you mistakenly specify an incorrect container name, simply complete the installation, then issue the following command:
Load sys:\nav\vpstart.nlm /remove
Now, reinstall NAVCE using the proper container name.
False CPU Utilization Readings
When installation starts, NetWare may misreport CPU utilization settings when you install NAVCE using the standard vpstart /install command. Although NetWare may report this reading, it is not correct. To test this, load any other NLM. You will find that NetWare will report a more accurate CPU utilization level.
Failure to Find a NetWare Server
If, during installation, the installation application fails to find a particular NetWare server, consider the following options:
■ Make sure the Novell client software on the system is properly installed. If the NetWare redirector fails, you will not be able to see any Novell servers. Verify that the NetWare redirector is working properly, then proceed with the installation.
■ Verify that the NAVCE server is recognized by the NDS tree. Make sure the server has logged on.
Debugging NAVCE in NetWare
Many times, it is necessary to invoke debugging in your NetWare NAVCE implementation so that you gather detailed information about what is going on.
To enable debugging from the system console, take the following steps:
1 Log on as supervisor, or as a user with equivalent administrative permissions.
2 Make sure NAVCE has been unloaded from the NetWare server’s memory. You do this by typing Alt+F10.
3 Enter the following command in the console to begin debug mode:
load vpstart /debug
4 Two things will result from this command:
■ NAVCE will start again.
■ A screen will appear called “RTVSCAN - Debug.” This screen will show you all the information concerning NAVCE.
5 When finished, press Alt+F10 to unload NAVCE again.
NOTE
If you want to save all of the output to a text file, issue the following command:
load vpstart /debug=L
You will receive the same information as opening a debug screen in the console However, saving the information to a text file may help you read through the output more carefully.
You may not want to use the NetWare console, however. To enable debugging through the NAVCE NetWare interface, take the following steps:
1 Open the NAVCE interface.
2 Press the F6 key. You will be asked for a password. If you are logging on for the first time, the default password is “symantec”, in all lower case. You will then be shown a disclaimer message. Press any key to dismiss it.
3 Click the option for the Debug Menu and press Enter.
4 You will be provided with a debug menu. From this menu, click the Toggle Debug option, then press Enter. You are now in debugging mode. Look for the phrase “Debug: ON” in the Current Configuration window to verify you are in debugging mode.
5 You are not yet in verbose mode, however, which provides much more detailed information about NAVCE. To enter verbose mode, click the Toggle Verbose option, then press the Enter key. As with standard debug mode, you can verify that verbose mode is on by viewing the Current Configuration window and looking for the words “Verbose: ON.”
6 To stop debugging mode, click the Toggle Debug option, then press Enter. Debugging will stop. You can repeat this step for verbose mode, as well.
7 To exit the Debug menu, press the Esc key.
8 To exit the Administrator menu, press the Esc key again.
NOTE
Once in NAVCE, to write the debug output to a file, look for the Toggle Logging option, highlight it and then press Enter. You will see that the Current Configuration panel shows that logging has been enabled. The log file will be stored in the SYS:NAV/vpdebug.log file. You can view log files using any text editor, and toggle logging off just like you did with debug and verbose mode.
NetWare Servers and Windows NT/2000
Networks that still use IPX/SPX only are increasingly rare, but in such cases, you may find that a NetWare system running only IPX/SPX and no DNS server will have problems receiving updates from a Windows NT/2000 server that resides in another NAVCE server group. This is especially problematic if the Windows NT/2000 server resides across a router or firewall. The source of the trouble has to do with the fact that NetWare servers do not store the address of the Windows NT/2000 systems in their cache. To solve this problem, you can:
■ Add TCP/IP support to the NetWare server. Doing so will enable the server to communicate properly with the Windows NT/2000 server.
■ Move the NetWare server to the same group as the Windows NT/2000 server. After one full day (24 hours), the NetWare server will add the Windows NT/2000 server’s address to its cache. You can then move the NetWare server back to its original location, and it will now be able to address the Windows NT/2000 server properly.
Configuring a Preferred Protocol for a NetWare Server
You may be experiencing problems with having your NetWare server communicate with other systems. This is because your NetWare system may be using IPX/SPX instead of TCP/IP, or vice versa. To solve this problem, you need to set a preferred protocol:
Where Can I Exclude Files for Real-Time Protection?
You may be asking yourself where you can exclude certain extensions from NAVCE’s real-time protection in NetWare servers Unlike Windows servers and clients, you cannot configure NAVCE real-time protection to exclude files by extension on a NetWare server.
Configuring & Implementing…
1 Log on to the NetWare console as supervisor, or as a user who has administrative rights.
2 Stop (that is, unload) NAVCE at the NetWare console (Alt+F10).
3 Load the vpregedt.nlm module, which allows you to edit system entries for NAVCE.
4 Once in vpregedt, you will see that it has two panes, or windows.
5 Press F5 to open a key.
6 Make sure the VirusProtect6 key is selected by default, then press Enter. All subkeys to this key reside in the left-hand pane of vpregedt. All values for the key reside in the right-hand pane.
7 You need to add new values to the VirusProtect6 key, then to the VirusProtect6/ClientConfig subkey. To add a new value to the VirusProtect6 key, press F5.
8 You will be given a menu of options for editing the VirusProtect6 key. Press the down arrow to select the Add Value option and press
10 After you have entered PreferedProtocol, you will see a Select Data Type dialog box. Select the DWORD option, then press Enter.
11 In the Enter the data dialog box that appears, you must type either a 0 or a 1. The value of 0 refers to IP. The value of 1 refers to IPX. Choose the value appropriate for your situation.
12 You have now set your copy of NAVCE on the server to use a preferred protocol. Now you must set the preferred protocol for all clients. To do this, edit the ClientConfig subkey.
13 Find the ClientConfig subkey, then press F5.
14 Use your down arrow to select Add Value. When the Enter new value name dialog box appears, enter PreferedProtocol. Remember not to type in “PreferredProtocol.”
15 The Select Data Type dialog box will appear. Select the DWORD
16 When the Enter the data dialog box appears, enter either 0 (for IP) or 1 (for IPX), then press Enter.
17 Once you are finished configuring a preferred protocol, press the Esc key to exit the vpregedt module.
18 You are now ready to restart NAVCE. To do so, type load vpstart at the console, then press Enter.
Problems Conducting Scans in NetWare Servers
When running a scan on a NetWare system, you may receive the error: “RTVSCAN could not load NDS function.” This error message pertains to NDS, specifically the NetWare Loadable Module (NLM) named dsapi.nlm. This module allows Novell systems to make connections to an NDS tree. If the version is out-of-date, NAVCE will not work properly. To solve this problem, download the very latest version from Novell’s Web site (www.novell.com). Once you install the new module, conduct the scan again. If possible, reboot the system to ensure the new dsapi.nlm module is properly loaded.
Troubleshooting Client PCs
The following sections describe various issues relating to certain NAVCE clients.
Solving Hard-Drive Issues
NAVCE may fail to run properly if the disk is fragmented, has file allocation errors, or has corrupted system files. To solve these problems, consider the following commands:
■ sfc /scannow: Checks for corrupted system files (for example, ntdetect.com and bootsect.dos). Additional options are available to you when you use sfc, including:
    ■ /scanonce: If you use this option, sfc will run at the next system reboot and scan all system files. However, the sfc command will not run on subsequent reboots.
    ■ /scanboot: Has the system scan all system files each time the system is rebooted.
    ■ /cancel: Removes all references to future scans, so the system will not use sfc automatically.
    ■ /quiet: Has sfc conduct scans and replace files without user interaction.
    ■ /enable: Enables Windows File Protection.
    ■ /purgecache: Scans all files immediately and deletes all file caches so scans and repairs perform optimally.
    ■ /cachesize: Determines the cache size used by sfc.
■ chkdsk /f: Locates bad sectors and file allocation information.
■ You also should use disk-defragging applications to ensure your hard drive is working optimally. This is done by running the sfc /scannow command.
NOTE
If you are wondering whether you have to issue similar commands on NAVCE servers as well, the answer is “yes.” However, clients tend to experience disk defragmentation and file allocation errors more often, and so this issue is covered under client issues.
Printing Problems
In some cases, printing from applications such as Microsoft Word or Excel may become impossible after NAVCE is installed. First, make sure your printer is online and working. If the system you are printing from is connecting to a remote print server, make sure the system’s network connection is working by pinging the print server or printer. You may also want to verify that other workstations can use the remote printer; the last thing you want to do is mistake a printer or network problem for one caused by NAVCE.
Once you have determined that NAVCE is actually causing the problem, focus on NAVCE’s Auto-Protect feature. This feature starts running on the system using settings in the Registry. In some systems, when the Auto-Protect service runs from the Registry, it can interfere with printing, because the service does not allow the print driver to completely initialize. To solve this problem, have NAVCE’s Auto-Protect feature load from the StartUp folder, rather than from settings in the Registry. To place an Auto-Protect icon into the Start menu, do the following:
1 Open NAVCE so that you see the main window and then choose Options | Auto-Protect.
2 Find the check box that has Auto-Protect load using Registry settings at startup and deselect it. Then, take the necessary steps to return to the NAVCE main window.
3 Add the Auto-Protect icon to the Start menu. To do this, right-click the Start button and choose Open.
4 Once in the Start menu, create a new shortcut by right-clicking the Start menu window and selecting New | Shortcut. Then, click the Browse button and navigate to the Program Files\Norton AntiVirus folder to find the navapw32.exe file.
5 Once you have found this file, click it so it is highlighted, then click Next.
6 Click Finish.
7 To test your work, reboot the system to see that:
■ NAVCE runs automatically
■ You can now print documents
You now have a workaround for clients who have problems printing.
Problems Creating a Rescue Disk
As soon as you install NAVCE, one of your first tasks should be to create a rescue disk. A rescue disk allows you to recover from infections from previously unknown viruses, and will provide a foundation for emergency repairs that may occur. However, you may find that NAVCE fails to create a rescue disk. Specifically, NAVCE may begin to create a rescue disk, but then report an error message that reads “Invalid Partition Tables,” and then fail to complete its task.
This problem usually occurs because NAVCE is very particular about the hard disk information it reads. If NAVCE senses that a disk’s partition tables are not within certain tolerances, it will refuse to act further. After all, the rescue disk must use stable disk and storage information, and if the hard drive is not in a sufficiently stable state, the rescue disk may replicate those errors. If an improperly created rescue disk were ever used, it might damage the system even more than a virus.
To solve the problem, you can pursue the following paths:
■ Run an application such as ScanDisk (or, if you are a true Symantec devotee, Norton Disk Doctor).
■ Use a copy of fdisk to make sure all of the partitions are properly formatted. Be careful using fdisk, as it is used to create and destroy partitions; using fdisk improperly can destroy all data on your hard drive. If you use it correctly, however, you can determine if any partitions are damaged, or whether you need to create and even format (using the format command) any partitions that might be causing the aforementioned error message.
NOTE
Before you use ScanDisk, always disable File System Realtime Protection scanning Otherwise, NAVCE may interfere with ScanDisk and improperly report an attack from a virus.
Scanning for Additional Files
It has traditionally been thought that scanning compressed files was a waste of time and resources. However, virus creators can be pretty savvy, and have begun to create viruses that exploit traditional assumptions. It is possible, therefore, for a hacker to write a virus that exploits, for example, *.cab files, which are Windows-based compressed files. Windows *.cab files are used by Windows Update, for example, to download operating system updates. It is very likely that many *.cab files already exist on your client or server. NAVCE does not enable *.cab file scanning by default. To have NAVCE scan for these files by default, take the following steps:
1 Stop the NAVCE service.
2 Obtain the dec2cab.dll from the NAVCE installation disks. Copy this file to the main NAVCE folder (for example, the NAVCE directory off of
The dec2cab.dll file will then be read, which has NAVCE scan cab files. You can also, of course, create a custom entry in NAVCE that has it search for any file with a cab ending. After making your changes, make sure your primary server exports all changes to clients using a new grc.dat file.
vptray Issues
In some cases, vptray (the NAVCE application that runs in your login environment) will crash and consume up to 100 percent of the CPU’s resources. In these cases, you have two options:
1 Restart the system. In some cases, a simple restart will solve the problem for either a long period of time, or permanently.
2 Obtain an update for the application. If the problem recurs often, Symantec is probably aware of it, and has likely published updates, available at www.symantec.com.
In some cases, you may not want to run vptray automatically, either because it can cause problems with other applications and services if loaded at the wrong time (as with printing in applications such as Microsoft Word), or because you simply do not want the vptray icon to show up on the taskbar. To eliminate vptray from the taskbar, take the following steps:
1 Create a backup of the Registry. Save this backup on the local system off of the C:\ drive and on a remote system. Editing the Registry can be tricky, and the slightest mistake could render a system unbootable or damage various services. Keeping a local and remote backup ensures you can access a working copy at all times.
2 Open the Registry editor (for example, by choosing Start | Run, and entering either regedit or regedt32).
3 Go to the following subkey:
HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
4 Remove the reference to vptray.
5 Exit the Registry. Your changes will be saved automatically.
Placing a Shortcut in the Windows Startup Folder
If you want, you can then place a shortcut to vptray.exe in the Startup folder. Taking this step will have vptray still run, but at a later time. So, though this step may eliminate the problem of vptray interfering with other applications, it still will have vptray appear in the taskbar:
1 Find the vptray.exe binary. Either use the Search feature in Windows, or open Windows Explorer and go to the NAVCE folder off of the Program Files directory.
2 Once you have found the vptray.exe binary, right-click it and then select Copy.
3 Take the following steps, depending upon the operating system you are using:
• Windows 2000/XP: Go to the [drive]:\Documents and Settings\All Users\Start Menu\Programs\StartUp folder
• Windows NT 4.0: Go to the [drive]:\WINNT\Profiles\All Users\Start Menu\Programs\StartUp folder
• Windows 9x/Me: Go to the [drive]:\Windows\Start Menu\Programs\StartUp folder
4 Click the Edit menu, then click Paste Shortcut. Make sure you paste a shortcut, not the entire application.
5 Log out of your login shell and log back in to make the changes take effect.
Exchange Server Issues
When Microsoft Exchange servers process SMTP, POP3, and workgroup-related e-mail they must generate temporary files and log files. These files often contain references to viruses and other suspicious traffic, because Exchange servers are designed to simply process e-mail, rather than filter it. If you install NAVCE client onto an Exchange server and allow full access to the drive, NAVCE can mistake temporary and log files used by Exchange for viruses and may either quarantine or delete the file.
As you might suspect, Exchange servers don't take too kindly to having crit-
In severe cases, Exchange servers may actually refuse to restart. To recover from deleted or quarantined files, take the following steps:
■ Exclude critical Exchange files and directories.
■ Use the Isinteg application to verify the integrity of all Exchange files used to process information. This application is freely available from Microsoft, as per Knowledge Base article Q219419.
■ Use the Eseutil application to actually recover lost files and databases. This application is also freely available as per Knowledge Base article 219419 (formerly Q219419).
Outlook Express Issues
As with Microsoft Exchange server, Outlook Express can fall victim to NAVCE’s zeal in deleting any trace of a virus in any file or folder. Problems include:
■ NAVCE quarantining the Outlook Express inbox, or other folders
■ NAVCE deleting the Outlook Express inbox, or other folders
To solve this problem, make sure you exclude all folders that may be affected this way.
Windows Me and the _Restore\Temp and _Restore\Archive Folders
Most modern Windows systems have an automatic restore feature called System Restore. This feature allows systems to conduct a rollback to a previous version in case of an improper system setting change, or in case an application has somehow damaged the system.
Windows Me’s particular implementation of the System Restore feature stores files and configuration settings in folders named _Restore\Temp and _Restore\Archive. These files are protected by Windows Me’s System Restore feature. NAVCE misinterprets this protection as a virus, and will inform you about this apparent problem. These folders are not a threat, as discussed in the following Microsoft Knowledge Base article: http://support.microsoft.com/support/kb/articles/Q263/4/55.ASP
The best way to solve this problem is to exclude these directories from manual and automatic scans.
NAVCE Fails after Using the Windows Me/XP System Restore Feature
On systems that have used the System Restore feature, it is possible for NAVCE to fail. Symptoms include NAVCE failing to start, or a yellow exclamation mark on NAVCE’s taskbar. Even more worrisome, all may appear to be well, but in fact NAVCE simply fails to detect viruses, which ends up lulling unsuspecting users into a false sense of security.
To solve this problem, you can either edit files off of the [drive]:\Program Files\Common Files\Symantec Shared\VirusDefs\ directory, or obtain old virus definitions and place them in the NAVCE client’s repository. Doing so will force NAVCE to obtain more current information.
NOTE
Create backups of the files you edit Doing so allows you to at least return NAVCE to the original problem, in case you make a mistake.
Modifying Files
In order to modify files, perform the following steps:
1 Open the [drive]:\Program Files\Common Files\Symantec Shared\VirusDefs\definfo.dat file and find the CurDefs= value. This value indicates the current definition file. Change whatever value you find to the same value in LastDefs=, which is in the same file. Try this option first, as it is the most likely cause. Make sure you save the file and close it.
2 Open the [drive]:\Program Files\Common Files\Symantec Shared\VirusDefs\usage.dat file. Find a value surrounded in brackets ([ ]), and make sure it has the same value as LastDefs=.
3 Restart NAVCE.
4 Run LiveUpdate.
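Steps 1 and 2 above as a Python script, with the backup copies the NOTE recommends. This is an added example, not code from the book or from Symantec. The file layout in the constructed samples (key=value lines, one bracketed header in usage.dat) and all function names are assumptions; steps 3 and 4 remain manual.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Constructed sample contents. The exact layout is an assumption: the page
# only names the CurDefs=/LastDefs= values and a bracketed value in usage.dat.
SAMPLE_DEFINFO = "[DefDates]\r\nCurDefs=20030115.008\r\nLastDefs=20030110.003\r\n"
SAMPLE_USAGE = "[20030115.008]\r\nExampleConsumer=1\r\n"

KEY_RE = re.compile(r"^\s*(CurDefs|LastDefs)\s*=\s*(.*?)\s*$", re.IGNORECASE)
HEADER_RE = re.compile(r"^\s*\[(.*?)\]\s*$")


def _eol(line):
    """Return the line terminator so CRLF files stay CRLF."""
    return line[len(line.rstrip("\r\n")):]


def fix_definfo(text):
    """Step 1: set CurDefs= to the LastDefs= value.

    Returns (new_text, old_curdefs, lastdefs)."""
    lines = text.splitlines(keepends=True)
    found = {}
    for i, line in enumerate(lines):
        m = KEY_RE.match(line)
        if m:
            found[m.group(1).lower()] = (i, m.group(2))
    if "curdefs" not in found:
        raise ValueError("definfo.dat has no CurDefs= line")
    if not found.get("lastdefs", (0, ""))[1]:
        raise ValueError("definfo.dat has no usable LastDefs= value")
    idx, old_cur = found["curdefs"]
    last = found["lastdefs"][1]
    lines[idx] = "CurDefs=" + last + _eol(lines[idx])
    return "".join(lines), old_cur, last


def fix_usage(text, old_cur, last):
    """Step 2: make the bracketed value in usage.dat equal LastDefs."""
    lines = text.splitlines(keepends=True)
    headers = [(i, m.group(1)) for i, l in enumerate(lines)
               if (m := HEADER_RE.match(l))]
    names = [name for _, name in headers]
    if last in names:
        return text                      # already consistent, nothing to do
    if len(headers) == 1:
        target = headers[0][0]
    elif old_cur in names:
        target = headers[names.index(old_cur)][0]
    else:
        # Ambiguous or missing header: leave the decision to the operator.
        raise ValueError("usage.dat: cannot tell which [value] to change")
    lines[target] = "[" + last + "]" + _eol(lines[target])
    return "".join(lines)


def roll_back(defs_dir):
    """Apply both edits in defs_dir, keeping .bak copies of the originals."""
    defs_dir = Path(defs_dir)
    definfo, usage = defs_dir / "definfo.dat", defs_dir / "usage.dat"
    texts = {}
    for path in (definfo, usage):
        # newline="" disables newline translation, preserving CRLF endings.
        with open(path, newline="", encoding="latin-1") as fh:
            texts[path] = fh.read()
    new_definfo, old_cur, last = fix_definfo(texts[definfo])
    new_usage = fix_usage(texts[usage], old_cur, last)
    # Both edits validated in memory; only now back up and write.
    for path, new in ((definfo, new_definfo), (usage, new_usage)):
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        with open(path, "w", newline="", encoding="latin-1") as fh:
            fh.write(new)
    return old_cur, last


def demo():
    """Run the repair on the constructed samples in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "definfo.dat").write_bytes(SAMPLE_DEFINFO.encode("latin-1"))
        (d / "usage.dat").write_bytes(SAMPLE_USAGE.encode("latin-1"))
        old_cur, last = roll_back(d)
        return {
            "old_cur": old_cur,
            "last": last,
            "definfo": (d / "definfo.dat").read_bytes().decode("latin-1"),
            "usage": (d / "usage.dat").read_bytes().decode("latin-1"),
            "backups": sorted(p.name for p in d.glob("*.bak")),
        }


if __name__ == "__main__":
    print(demo())
```

Call roll_back() with the path of the VirusDefs directory; the .bak files it leaves beside the originals allow a return to the starting state.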
Obtaining and Installing Old Definition Files
If the preceding solution does not work, obtain old definition files. To do so, take the following steps:
1 Copy the contents of the NAVCORP\ROLLOUT\AVSERVER\CLIENTS\WIN32\VirDefs\ folder on Disk 2 of your original NAVCE disk.
2 Paste the contents of the preceding folder into the following folder on your system: [drive]:\Program Files\Common Files\Symantec Shared\VirusDefs\INCOMING\
3 Restart NAVCE.
You can then run LiveUpdate to obtain the most recent definition and engine files to protect your system. If the preceding solutions do not work, consider either of the following:
■ Consulting Symantec’s latest advice, found on Symantec’s Technical Support Page or its Online Support Knowledge Base (discussed in-depth later in this chapter)
■ Uninstalling and reinstalling NAVCE
NAVCE Installation Issues
In addition to the installation issues found in the preceding section concerning NAVCE servers, NAVCE client installation issues regarding clients include:
1 Highlight the key you wish to verify.
2 Select Security | Permissions.
3 Verify the settings. If you need to assign full control to a key, click Advanced, then click the option that reads Reset permissions on all child objects and enable propagation of inheritable permissions.
■ All drives on the system (for example, C:\ and D:\)
■ The [drive]\Program Files folder
■ The [drive]\Program Files\Common Files folder
■ The [drive]\Program Files\Symantec folder
■ The [drive]\Program Files\Nav folder
■ The [drive]\WINNT\Installer folder
■ The [drive]\Documents and Settings\All Users\Application Data\Symantec
■ The [drive]\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5
All users must have read-only permissions for the preceding folders.
Verifying Distributed Component Object Model Configuration
Distributed Component Object Model (DCOM) is Microsoft’s name for the libraries and applications used to allow applications and the operating system to work together. DCOM regards all applications, services, files, and folders as objects, and DCOM mediates between these objects. In your case, DCOM may be configured to disallow launching of installation applications. To verify DCOM settings, use the dcomcnfg application. The following are instructions for Windows 2000 and XP systems.
You may see a message informing you that a classID (CLSID) for various
files is not recorded properly Click Yes to accept these values if you are
sure that they should exist on your system.
3 When the Distributed COM Configurations Properties window
appears, click the Default Properties tab.
4 Verify that the Default Impersonation Level says Identify, as shown in Figure 11.17.
Figure 11.17 Viewing the Distributed COM Configuration Properties Window in Windows 2000
5 If the Default Impersonation Level is different, use the drop-down box to change the setting.
6 Click the Default Security tab.
7 Find the Default Launch Permissions section and click the Edit Default button for that section.
8 The Registry Value Permissions dialog box will appear. Verify that both Administrators and the System accounts have Allow Launch permissions. To change permissions, use the drop-down dialog box, shown in Figure 11.18.
Windows XP
In Windows XP, take the following steps:
1 Open a command prompt, type dcomcnfg and press Enter.
2 The Component Services window will appear, as shown in Figure 11.19.
Figure 11.18 Changing Default Installation Permissions in DCOM
Figure 11.19 The Windows XP Component Services Window
3 Expand the Component Services icon so you see all the sub-icons, as shown in Figure 11.20.
4 Right-click the My Computer icon, then select Properties.
5 Once in the My Computer Properties window, select the Default Properties tab, shown in Figure 11.21.
6 Once in the Default Properties tab, make sure the Default Authentication Level drop-down box reads Connect, and that the Default Impersonation Level drop-down box reads Identify.
7 Click the Default COM Security tab, shown in Figure 11.22.
Figure 11.20 The Windows XP Component Services Window Showing All Icons
Figure 11.21 The Windows XP Default Properties Tab
8 Click the Edit Default button for both the Access Permissions and Launch Permissions sections and verify that the System and Administrators accounts have Allow next to them. If these accounts are not listed, add them.
Uninstalling Client Versions of NAVCE
The following are instructions for manually uninstalling NAVCE from client systems, including Windows NT/2000/XP and Windows 9x.
Uninstalling NAVCE from Windows NT/2000/XP Client Systems
As with uninstalling NAVCE from servers, using the Add/Remove Programs (Add or Remove Programs) icon is the best way to remove NAVCE. If you cannot, you will have to remove entries from the Windows Registry, from the system hard drive, and from the Start menu. To do so, take the following steps:
1 Log on as Administrator, or as a user who has administrative privileges.
2 Using regedit, back up the Windows Registry. Also, create rescue disks for your system. Doing so ensures that if a problem exists with the Registry after you have edited it, you will be able to recover from it.
3 Stop NAVCE
Figure 11.22 The Default COM Security Tab
4 Go to the following subkey: HKEY_CLASSES_ROOT\*\Shellex\ContextMenuHandlers. Once there, delete the LDVPMenu entry.
5 Go to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services subkey and remove the following entries:
■ Norton AntiVirus Client
6 If you find an additional entry that reads Norton AntiVirus Server, delete it, too.
7 Verify that no other Symantec products are installed. If no others are installed, you can also delete the SymEvent entry.
8 Once you have deleted the preceding entries where necessary, go to the following subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application. At this subkey, delete the Norton AntiVirus entry.
9 Go to the HKEY_LOCAL_MACHINE\Software\INTEL\DLLUsage subkey and delete the VP6 entry.
10 In the left pane, click My Computer, then go to Edit and click Find.
Search for the following strings and delete anything related to them:
12 Go to the following subkey and delete it: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD12EB47-DBDF-11D3-BEEA-00A0CC272509}
13 Go to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run subkey and delete the vptray.exe reference.
14 Restart your system. If the system is not bootable, use your backup copy of the Registry and your Windows repair disks to restore the original Registry.
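To confirm that the Registry steps above left nothing behind, a regedit export taken after the cleanup can be scanned for the entries the steps name. The following Python sketch is an added example, not part of the original text; it reads export text only and changes nothing, and the sample export (including the vptray value name) is constructed.

```python
import re

GUID = "{BD12EB47-DBDF-11D3-BEEA-00A0CC272509}"
SERVICES = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"
# (parent key, entry) pairs taken from the steps above. The text says "entry"
# without saying whether it is a subkey or a value, so both are checked.
TARGETS = [
    (r"HKEY_CLASSES_ROOT\*\Shellex\ContextMenuHandlers", "LDVPMenu"),
    (SERVICES, "Norton AntiVirus Client"),
    (SERVICES, "Norton AntiVirus Server"),
    (SERVICES + r"\EventLog\Application", "Norton AntiVirus"),
    (r"HKEY_LOCAL_MACHINE\Software\INTEL\DLLUsage", "VP6"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", GUID),
]
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def parse_reg_export(text):
    """Yield (key, value_name, data); value_name is None for the key line itself."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                yield key, m[1], m[2]


def find_leftovers(text):
    """Return the NAVCE entries from the steps above that are still present."""
    found = []
    for key, name, data in parse_reg_export(text):
        low = key.lower()  # Registry key names are not case-sensitive
        for parent, entry in TARGETS:
            sub = (parent + "\\" + entry).lower()
            if name is None and (low == sub or low.startswith(sub + "\\")):
                found.append(key)
            elif name is not None and low == parent.lower() and name.lower() == entry.lower():
                found.append(f"{key} -> {name}")
        if name is not None and low == RUN_KEY.lower() and "vptray.exe" in data.lower():
            found.append(f"{key} -> {name}")
    return found


# Constructed sample export. Exports from Windows 2000/XP are UTF-16 files;
# decode them to text before passing them in.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Norton AntiVirus Client]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\\Program Files\\NAV\\vptray.exe"
"Other"="C:\\tools\\other.exe"
'''

if __name__ == "__main__":
    for item in find_leftovers(SAMPLE_EXPORT):
        print("still present:", item)
```

The SymEvent entry is left out of the list on purpose, because step 7 removes it only when no other Symantec product is installed.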
Removing NAVCE Folders from the Hard Drive
To remove NAVCE folders from the hard drive, take the following steps:
1 Using Windows Explorer, go to the [drive]:\Programs Folder and then find either the NAV folder (for Windows 2000/XP) or the NAVNT folder (Windows NT) and delete it.
2 In Windows 2000, go to [drive]:\Documents and Settings\All Users\Application Data\Symantec\ and delete the Norton AntiVirus Corporate Edition folder. If NAVCE is the only Symantec application on your system, you can delete the entire Symantec directory.
3 In Windows NT, go to [drive]:\WINNT\Profiles\All Users\Application Data\ and delete the Norton AntiVirus Corporate Edition folder. If NAVCE is the only Symantec application on your system, you can delete the entire Symantec directory.
4 Find the [drive]:\Program Files\Common Files\Symantec Shared folder and delete it.
Removing NAVCE from the Start Menu
To remove NAVCE from the Start menu, right-click the Start menu and click Open, then double-click the Programs icon. You will see various icons. Find the Norton AntiVirus Corporate Edition folder and then delete it.
Uninstalling NAVCE from Windows 9x and Me Client Systems
If you can’t use the Add/Remove Programs utility from the Control Panel, take
the following steps to remove NAVCE from Windows 9x and Me systems:
1 Back up the Registry
2 Open regedit and go to the HKEY_CLASSES_ROOT\*\Shellex\ContextMenuHandlers\LDVPMenu entry and delete the LDVPMenu entry.
6 Go to My Computer (in the left-hand pane) and click Edit | Find and
then search for and delete any references to the following:
■ 74BE21DBFDBD3D11EBAE000ACC725290
■ VirusProtect6
7 Go to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ key and delete the following subkey: {BD12EB47-DBDF-11D3-BEEA-00A0CC272509}
8 You can then delete all references from the Start menu as discussed in the earlier section entitled “Uninstalling NAVCE from Windows NT/2000/XP Client Systems.”
Removing NAVCE from the Start Menu
To remove all folders on the hard drive of a Windows 9x/Me system, go to the Program Files folder and delete the Norton AntiVirus and Symantec subfolders. If NAVCE is the only Symantec product installed, you can also delete the Symantec Shared folder.
Using the Windows Installer Clean Up Utility
To complete removing NAVCE so that you can reinstall NAVCE successfully, download the Windows Installer Clean Up utility from Microsoft’s Web site (www.microsoft.com). Search for the utility by name, or by its Knowledge Base article number (Q240116). Once you see the Knowledge Base article, download the appropriate installation binary for the Windows Installer Clean Up utility that suits your particular operating system (for example, Windows 98).
To use the Windows Installer Clean Up utility, take the following steps:
1 Double-click the installation binary
2 Go to Start | Programs and click the Windows Installer Clean Up icon.
3 The Windows Installer Clean Up utility will appear, showing a list of applications installed through Windows Installer, as shown in Figure 11.23.
4 Find the entry for Norton Antivirus Corporate Edition and highlight it.
5 Click the Remove button. Close the Windows Installer Clean Up utility.
You are now ready to reinstall NAVCE onto your Windows 9x system.
Figure 11.23 The Windows Installer Clean Up Utility Main Window
Troubleshooting Roaming Client Support
As far as roaming clients are concerned, the following are some of the more common issues to consider.
Server List File Size Limits
If you have problems getting a server to import a server list file of roaming servers, check the size of the server list file. If this file is larger than 512 bytes, your system will fail to process it. Even if the file approaches this size limit, you may encounter problems. Pare down the list as much as possible and attempt another import.
File Syntax
When configuring the roaming client server list, make sure the syntax is correct. All entries should contain the name of the computer, the type of server, the level of server used, and the actual servers on that level:
<computer><type of server><level><server list>
If configuring a list for the client, you must use the word <local>. For example, the next entry shows a line for a client that accesses three level 0 servers (named navce1, navce2, and navce3):
<local> Parent 0 navce1, navce2, navce3
DNS Issues
The following section discusses two DNS issues that have caused headaches for many systems administrators.
Fully Qualified Domain Names versus Host Names
NAVCE often has problems reading FQDN information. In some cases, the following command may fail, due to an improper DNS entry:
Navroam /nearest
Roaming client systems must remain in touch with a parent server, yet they cannot handle references to an FQDN. As a result, the following message may appear:
Error: “FAILED time 0 server <server name> level 1 delay ms <xx> result ffffffff” appears with Norton AntiVirus Corporate Edition roaming client
To solve this problem, simply use the NAVCE parent server’s host name (for example, server1, rather than server1.company.com).
DNS and Duplicate Host Names
It is a truism that DNS names should be unique. In a large enterprise, however, it is common for systems in different departments to have the same host name, because the rest of the DNS name makes the systems unique. For example, suppose you have two departments—research and marketing—at a company called company.com. Suppose further that each department has its own DNS zone. As a result, you would have the following DNS zones:
■ research.company.com
■ marketing.company.com
Now, suppose that each department has a system with the host name of manager. The FQDN for each system would be as follows:
■ manager.research.company.com
■ manager.marketing.company.com
Each system has a unique name. However, remember that NAVCE does not like to use FQDNs. As a result, NAVCE may have some problems contacting the correct system. To solve this problem, change the DNS information for the clients so the host names are not duplicated.
NOTE
Roaming clients can also be blocked by firewalls or network connectivity troubles Make sure you consider networking issues in addition to DNS whenever a problem arises.
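The server list rules from the "Server List File Size Limits" and "File Syntax" sections and the two DNS issues above can be checked before a list is imported. The following Python sketch is an added example, not part of the original text or of NAVCE; the function names and sample lists are constructed, and leaving dotted IPv4 addresses unflagged is an assumption, since the text only rules out FQDNs.

```python
import re

MAX_LIST_BYTES = 512  # size limit given in the text
# <computer> <type of server> <level> <server list>
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(.+)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def check_server_list(raw):
    """Return (line_number, message) findings for server list bytes; line 0 is the file."""
    findings = []
    if len(raw) > MAX_LIST_BYTES:
        findings.append((0, f"file is {len(raw)} bytes, limit is {MAX_LIST_BYTES}"))
    for number, line in enumerate(raw.decode("ascii", "replace").splitlines(), 1):
        if not line.strip():
            continue
        entry = ENTRY_RE.match(line.strip())
        if not entry:
            findings.append((number, "expected <computer> <type of server> <level> <server list>"))
            continue
        for server in (s.strip() for s in entry[4].split(",")):
            if not server:
                findings.append((number, "empty name in server list"))
            elif "." in server and not IPV4_RE.match(server):
                # Assumption: dotted IPv4 addresses are left alone.
                findings.append((number, f"{server}: FQDN, use the host name"))
    return findings


def duplicate_host_names(fqdns):
    """Group FQDNs by host name (first label) and return the names used more than once."""
    by_host = {}
    for fqdn in fqdns:
        by_host.setdefault(fqdn.split(".", 1)[0].lower(), []).append(fqdn)
    return {host: names for host, names in by_host.items() if len(names) > 1}


# Constructed samples. GOOD_LIST is the entry shown in the text.
GOOD_LIST = b"<local> Parent 0 navce1, navce2, navce3\r\n"
BAD_LIST = b"<local> Parent 0 navce1.company.com, navce2\r\n<local> Parent navce3\r\n"
INVENTORY = [
    "manager.research.company.com",
    "manager.marketing.company.com",
    "server1.company.com",
]

if __name__ == "__main__":
    for number, message in check_server_list(BAD_LIST):
        print(f"line {number}: {message}")
    print(duplicate_host_names(INVENTORY))
```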
Addressing Performance Issues
The following sections outline a few performance issues that often occur when
Problems after Using LiveUpdate
After completing a run of LiveUpdate, NAVCE might encounter either (or both)
of the following problems:
■ In subsequent scans, all files are omitted from scanning
■ RTVScan uses 100 percent of CPU
■ Windows generates the following error: “Microsoft Visual C++ runtime library,” with the text of “Runtime Error! Program: \rtvscan.exe.R6025 - pure virtual function call.”
This problem is generally caused by an old dec2cab.dll file. To solve this problem, you have two choices. First, try simply restarting NAVCE and conducting another scan. Sometimes, NAVCE will mistakenly think that its dec2cab.dll file is too old, when it really isn’t. If this solution does not help, take the following steps:
1 Check the date and time of other Dec2 files. Conduct a search for all De2-based files by entering the following into Windows Search: De2*. All of the files you find should have the same date and version.
2 Remove the old dec2Cab.dll file and obtain a new dec2Cab.dll file from your NAVCE installation disk.
3 Stop and restart NAVCE to make sure your changes take effect.
Maximum Number of Clients and the Registry Size Value
When troubleshooting performance, it is important to remember the maximum number of clients recommended by Symantec. According to Symantec, NAVCE servers should have fewer than 1000 clients connected at a time. If your server has anywhere near this number of clients attached to it, you likely will need to increase the size of the Registry. Otherwise, your NAVCE server will run slowly. Symantec recommends changing the value to at least 35MB, which is usually the maximum value in Windows 2000 servers. To make this change, do one of the following (depending upon your operating system):
■ In Windows NT: Go to Start | Settings | Control Panel, then open the System Settings window by double-clicking the System icon. Once in the System Properties window, click the Performance tab, then click the Change button. You can then type the number in the Maximum Registry Size box.
■ In Windows 2000: Go to Start | Settings | Control Panel, and select the System icon. The System Properties dialog box will appear. Click the Advanced tab. In the Virtual Memory section of the Performance Options tab, click the Change button. At the bottom of the Virtual Memory window, you will see a section entitled Maximum Registry size. Enter the appropriate value here.
■ In Windows XP: No limit exists for the Windows Registry, thus you cannot change or enforce a maximum setting. For more information about this, consult Microsoft’s Knowledge Base article number 292726.
Slow Client Logoff in Terminal Services
It is possible for a terminal services client to experience problems after installing NAVCE 7.6. Specifically, clients may notice extremely slow logout times, and will seem to stop, or “hang,” during logout at the “saving your settings” part of the logout. This problem occurs because the terminal services client is trying to save your profile, and Windows cannot save your profile, due to the fact that NAVCE failed to tell the difference between users logged on interactively, and those logged on through a terminal server. Profiles should be loaded only for locally logged on users. However, NAVCE would load a user profile even for those who had logged on remotely, and would keep it open even after the user logged off. Whenever a user logged off from the system, the operating system would try to save the user profile settings, retrying for at least 60 seconds, and often for several minutes.
To verify that this problem is caused by NAVCE, open Event Viewer and view all Application event log entries for a message that, among other things, informs you that your Windows system cannot unload your Registry file, and that after multiple attempts (usually nine), the settings were finally saved.
Two solutions exist for this problem:
■ Upgrade your version of NAVCE to NAVCE 7.61 build 37. This build contains additional programming that enables NAVCE to tell the difference between a local and remote login.
■ Log on interactively to the NAVCE server under any account. To enhance security, lock the screen using the Windows screen saver.
Achieving Balance
It is possible to exclude certain types of files, as well as specific directories from a system scan to avoid a performance impact during a scan. It may be tempting to exclude a large amount of a system’s drive. However, try to achieve a balance. Ask yourself the following questions:
■ If I exclude a directory from scanning, what are the chances it might be exploited by a virus, worm, or Trojan horse?
■ If I exclude a specific type of file (for example, text files, DLL files, or modified files), what are the chances this type of file might get targeted by a virus, worm, or Trojan horse?
Rather than limiting NAVCE, consider stopping unnecessary services on the system. Use the necessary applications and interfaces to verify applications and services running in the background that can be deactivated. In many cases, stopping unnecessary services will free up resources, and will make the server or client able to provide the resources demanded by NAVCE.
Page Faults and RTVScan
In some clients, it is possible for the RTVScan application to generate a large number of page faults, which means that the system is encountering a shortage of RAM. Although a certain number of page faults is expected, you may see that the page fault number increases. This occurs because RTVScan accesses the Registry every minute, even though it is not scanning the system.
The most effective way to solve the problem of page faults is to add more system RAM. If you cannot do this, disable various unnecessary services and applications to free up memory required for RTVScan. You will then see a marked decrease in page faults.
Tracking Performance
When tracking performance issues on Windows NT/2000/XP, use the Performance snap-in (Performance Monitor in Windows NT). Counters to consider include:
■ % Processor time (from the Processor object)
■ Disk Read Bytes/sec and Disk Write Bytes/sec (from the PhysicalDisk object)
■ Handle count, and Pool Nonpaged Bytes (from the Process object)
Additional objects to consider include:
■ % Usage (from the Paging File object)
■ Pages/sec (Memory)
■ Page faults/sec (Memory)
Figure 11.24 shows the Windows XP Professional Performance snap-in, displaying key performance counters in regards to NAVCE clients and servers.
Improving Performance
When improving performance for NAVCE, consider the following choices:
■ Increasing the size of the Windows Page file
■ Disabling unnecessary services and applications
■ Adding more system RAM
■ Upgrading the system’s CPU
Figure 11.24 The Performance Snap-in in Windows XP
Accessing Information Databases
Thus far, you have learned about known problems. Inevitably, a problem will arise that has never really been documented before. Fortunately, Symantec does a pretty good job of keeping its documentation current. The best way to access current information is to access its Knowledge Base Web site. Here, you can learn about:
■ The latest bugs in NAVCE
■ Critical updates
■ Techniques for improving your NAVCE environment
You can access all areas of the Knowledge Base, as well as additional areas of Symantec’s Web site by going to the following URL: www.symantec.com/search/
From this URL, you have the option of conducting searches concerning any particular Symantec product, including NAVCE. Once you load the search page, you will be able to:
■ Enter text strings to search for relevant information, much like how you would in Google, Altavista, or any other search engine
■ Conduct searches using specific Knowledge Base article numbers (for example, 810907)
■ Limit your search to only the Knowledge Base
■ Determine specific regions you wish to search
Figure 11.25 shows an example of a NAVCE search that targets only Knowledge Base articles found in the Europe, Middle East, and Africa region.
When conducting a search, consider using words and phrases such as:
■ NAVCE
■ Norton AntiVirus Corporate Edition
■ Troubleshooting
■ NAVCE Troubleshooting
■ NAVCE XP (or any other reference to an operating system)
Additional Symantec Search Engines
Other Symantec search engines are available for a variety of tasks:
■ If you wish to receive a broad overview of all that Symantec offers on the Web, go to the following page: www.symantec.com/siteindex.html
■ To focus only on specific incidents and the latest virus outbreaks, go to the following Symantec page: http://securityresponse.symantec.com/
■ If you have more general technical support questions concerning NAVCE, start at: www.symantec.com/techsupp/
Figure 11.25 Conducting a Knowledge Base Search