savcref

8/4/2019 savcref

1/54

Symantec AntiVirus

Corporate EditionReference Guide

8/4/2019 savcref

2/54

Symantec AntiVirus Corporate EditionReference Guide

The software described in this book is furnished under a license agreement and may beused only in accordance with the terms of the agreement.Documentation version 10.0

Copyright NoticeCopyright 2005 Symantec Corporation.All Rights Reserved.Any technical documentation that is made available by Symantec Corporation is thecopyrighted work of Symantec Corporation and is owned by Symantec Corporation.NO WARRANTY. The technical documentation is being delivered to you AS-IS, andSymantec Corporation makes no warranty as to its accuracy or use. Any use of thetechnical documentation or the information contained therein is at the risk of the user.Documentation may include technical or other inaccuracies or typographical errors.

Symantec reserves the right to make changes without prior notice.No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.

TrademarksSymantec, the Symantec logo, LiveUpdate, and Norton AntiVirus are U.S. registeredtrademarks of Symantec Corporation. Norton Internet Security, Norton Personal Firewall,Symantec AntiVirus, Symantec Client Firewall, Symantec Client Security, and SymantecSecurity Response are trademarks of Symantec Corporation.Other brands and product names mentioned in this manual may be trademarks orregistered trademarks of their respective companies and are hereby acknowledged.Printed in the United States of America.10 9 8 7 6 5 4 3 2 1

8/4/2019 savcref

3/54

Technical support

As part of Symantec Security Response, the Symantec global Technical Supportgroup maintains support centers throughout the world. The Technical Supportgroups primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for ourWeb-accessible Knowledge Base. The Technical Support group workscollaboratively with the other functional areas within Symantec to answer yourquestions in a timely fashion. For example, the Technical Support group workswith Product Engineering as well as Symantec Security Response to provideAlerting Services and virus definitions updates for virus outbreaks and securityalerts.

Symantec technical support offerings include: A range of support options that give you the flexibility to select the right

amount of service for any size organization Telephone and Web support components that provide rapid response and

up-to-the-minute information Upgrade insurance that delivers automatic software upgrade protection Content Updates for virus definitions and security signatures that ensure

the highest level of protection Global support from Symantec Security Response experts, which is

available 24 hours a day, 7 days a week worldwide in a variety of languagesfor those customers enrolled in the Platinum Support Program

Advanced features, such as the Symantec Alerting Service and TechnicalAccount Manager role, offer enhanced response and proactive securitysupport

Please visit our Web site for current information on Support Programs. Thespecific features available may vary based on the level of support purchased andthe specific product that you are using.

Licensing and registrationIf the product that you are implementing requires registration and/or a licensekey, the fastest and easiest way to register your service is to access theSymantec licensing and registration site at www.symantec.com/certificate.Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.html,select the product that you wish to register, and from the Product Home Page,select the Licensing and Registration link.

Contacting Technical SupportCustomers with a current support agreement may contact the TechnicalSupport group via phone or online at www.symantec.com/techsupp.Customers with Platinum support agreements may contact Platinum TechnicalSupport via the Platinum Web site at www-secure.symantec.com/platinum/.

8/4/2019 savcref

4/54

When contacting the Technical Support group, please have the following: Product release level Hardware information Available memory, disk space, NIC information Operating system Version and patch level Network topology Router, gateway, and IP address information Problem description

Error messages/log files Troubleshooting performed prior to contacting Symantec Recent software configuration changes and/or network changes

Customer ServiceTo contact Enterprise Customer Service online, go to www.symantec.com, selectthe appropriate Global Site for your country, then choose Service and Support.Customer Service is available to assist with the following types of issues:

Questions regarding product licensing or serialization

Product registration updates such as address or name changes

General product information (features, language availability, local dealers)

Latest information on product updates and upgrades Information on upgrade insurance and maintenance contracts

Information on Symantec Value License Program

Advice on Symantec's technical support options

Nontechnical presales questions

Missing or defective CD-ROMs or manuals

8/4/2019 savcref

5/54

Contents

Technical support

Chapter 1 Introducing the reference guideWhat is in the reference guide ............................................................................. 7

Chapter 2 Antivirus protection and email servers

About configuring Symantec AntiVirus on email servers ................ .............. 9Stand-alone server configuration ............................................................. 10Managed client configuration .................................................................... 11Unmanaged client configuration ................................ .............................. 11

File scanning on Exchange servers ................................................................... 12Directories to include .................................................................................. 13Directories and files to exclude .................................... ............................. 13Extensions to exclude .................................................................................. 15Directories to exclude when other Symantec products are

installed ................................................................................................. 16

Chapter 3 Reset ACL toolAbout the Reset ACL tool ............................. ................................................... .... 17Restricting registry access with the Reset ACL tool ...................................... 17

Chapter 4 Importer toolAbout the Importer tool ...................................................................................... 19

How the Importer tool works ..................................................................... 20Where the Importer tool is located .......................................... ................. 20

Importing addresses using the Importer tool ................................................. 20

Deleting entries from the address cache .......................................................... 21Advanced usage ................................................................................................... 22Getting Help while using the Importer tool .................................................... 23

Known problems .......................................................................................... 24

8/4/2019 savcref

6/54

6 Contents

Chapter 5 Windows servicesSymantec AntiVirus services ............................................................................ 25Symantec System Center services .................................................................... 28

Chapter 6 Cryptography basicsOverview ....................................................................... .................. ...................... 29About cryptographic keys and algorithms ...................................................... 30About one-way hashes and digital signatures ................ ................................ 31About digital certificates and PKIs .................................... .................. ............. 32About SSL ....................................................................................... ....................... 35

Chapter 7 Event Log entries

Symantec AntiVirus events ............................................................................... 37

Chapter 8 How certificates are implementedHow certificates establish a chain of trust ...................................................... 43How clients and servers authenticate certificates ......................................... 45Authentication paths and methods ............................. .................. ................... 46Certificate store directories ............................................................... ................ 47File naming conventions .................................................................................... 48

Server group root certificates and private keys ..................................... 48Server certificates and private keys ......................................................... 49

Login CA certificates and private keys ..................................................... 49Certificate signing requests ....................................................................... 49Other certificate details ...................................................................................... 50

Certificate and CSR counters ........................................................ ............. 50Certificate and key file formats ................................................................. 50Server group root key archival .................................................................. 51About promoting secondary servers to primary servers ...................... 51About viewing certificates .......................................................................... 51About preserving certificates and issue time .......................................... 52Install a primary server and secondary server in each

server group ........................................................................................ .. 52

Index

8/4/2019 savcref

7/54

Chapter 1

Introducing the referenceguide

This chapter includes the following topics:

What is in the reference guide

This reference guide contains technical product information for SymantecAntiVirus, including information on tools that are on the Symantec AntiVirusCD. It is intended for system administrators and others who install and maintainthis product in a networked, corporate environment.

What is in the reference guideTable 1-1 lists and describes the topics in this reference guide.

Table 1-1 Reference guide topics

Topic Description

Antivirus protectionand email servers

This chapter provides examples of how you should implementantivirus protection on email servers.

Reset ACL tool Many of the configuration settings for Symantec AntiVirus arestored in the Windows registry. Reset ACL lets you restrict accessto these registry settings on WindowsXP/2000 operating systems to prevent unauthorized users frommaking changes.

Importer tool The Importer tool is a command-line utility specifically for usewith the Symantec System Center. The Importer tool lets youimport as many sets of computer names and IP addresses into aspecial address cache as you need. Symantec AntiVirus can thenlocate computers during the Discovery process in situations wherethe computer names cannot be resolved using WINS/DNS.

8/4/2019 savcref

8/54

8 Introducing the reference guideWhat is in the reference guide

Windows services This chapter lists the names of services run automatically bySymantec AntiVirus and the Symantec System Center. Thosenames appear in the Windows Services control panel.

Event Log entries This chapter lists the events written by Symantec AntiVirus to theWindows Event Log.

Cryptography basics This chapter provides an overview of the cryptography conceptsthat administrators need to understand if they do not know thedifference between a digital signature and a digital certificate.Administrators need this knowledge to understand how SymantecAntiVirus uses certificates.

How certificates areimplemented

This chapter provides an overview of how Symantec AntiVirusimplements digital certificates to secure communications betweenthe Symantec System Center, servers, and clients by using SSL.

Table 1-1 Reference guide topics

Topic Description

8/4/2019 savcref

9/54

Chapter 2

Antivirus protection andemail servers


About configuring Symantec AntiVirus on email servers

File scanning on Exchange servers

About configuring Symantec AntiVirus on emailservers

Symantec AntiVirus antivirus software is a file system scanner, and is notdesigned to handle server functions. Products that are specifically designed toprotect Microsoft Exchange, Domino, and other gateway servers handleserver functions. Allowing Symantec AntiVirus to scan certain parts of a mailserver can cause unexpected behavior, problems, or even total data loss. If youinstall Symantec AntiVirus antivirus software on an email server, you need totake some precaution to prevent damage to the data on the server.

One precaution that you must take is to exclude certain directories and filesfrom scanning. How you make these exclusions depends on the followingcircumstances:

Whether you install Symantec AntiVirus server or client on email servers Whether you want to manage email servers from the Symantec System

Center

Note: For the latest details on which directories and files to exclude fromscanning, consult the Symantec Knowledge Base on the Symantec Web site.

8/4/2019 savcref

10/54

10 Antivirus protection and email serversAbout configuring Symantec AntiVirus on email servers

Symantec AntiVirus client software also has Auto-Protect for email, whichmonitors the standard email ports. Auto-Protect can cause performancedegradation or failure if it is installed and enabled on an email server. Therefore,you must disable this feature if you install the client software on an emailserver.

You can install Symantec AntiVirus software in the following configurations:

Stand-alone server configuration

Managed client configuration

Unmanaged client configuration

Stand-alone server configuration

In the stand-alone server configuration, you install antivirus server software onan email server, and then place the server in a separate server group that isdedicated to email servers. This configuration is the preferred one because itgenerates the smallest exposure for error. Be sure to name the server group in away that indicates that it contains email servers.

Configure the File System Auto-Protect options, Scheduled Scan options, andManual Scan options for the server group to exclude the email server softwaredirectory structure and the temporary processing directory for the email server.The Symantec AntiVirus antivirus server does not include email Auto-Protectoptions that are provided by the antivirus client, so you do not have to disable it.

Configure the servers in the server group to receive virus definitions updatesfrom the primary server by using the Virus Definition Transport Manager(VDTM). If a Symantec antivirus product for the email server is also installed,disable the LiveUpdate schedule for that product. The virus definitionsdownloads are exactly the same. Therefore, only one application should runLiveUpdate. All installed Symantec antivirus products share the same virusdefinitions.

8/4/2019 savcref

11/54

Antivirus protection and email serversAbout configuring Symantec AntiVirus on email servers

Managed client configurationIn the managed client configuration, you install Symantec AntiVirus antivirusclient software on an Exchange server, and then place the server in a separateclient group that is dedicated to Exchange servers. Be sure to name the clientgroup in a way that indicates that it contains Exchange servers.

Configure the File System Auto-Protect options, Scheduled Scan options, andManual Scan options for the client group to exclude the email server softwaredirectory structure and the temporary processing directory for the antivirusscanner. Be sure to disable all email Auto-Protect options if they are installedand enabled.

Warning: If you configure Symantec AntiVirus as a client on an email server, besure to disable email Auto-Protect if it is installed. This feature monitors thestandard mail ports, and can cause performance degradation or failure if it isinstalled on email servers.

Configure the clients in the client group to receive virus definitions updatesfrom the parent server by using VDTM. If a Symantec antivirus product for theemail server is also installed, disable the LiveUpdate schedule for that product.The virus definitions that Symantec AntiVirus and the antivirus products foremail servers download are exactly the same. Therefore, only one applicationshould run LiveUpdate. All installed Symantec antivirus products share thesame virus definitions.

Unmanaged client configurationIn the unmanaged client configuration, you install Symantec AntiVirus clientsoftware from the installation CD and execute the Setup.exe file in the SAVdirectory. If you use the installation files from an installed Symantec AntiVirusserver or use the client rollout installers, the client will automatically retrieveconfiguration information from the selected parent server and become amanaged client.

Configure the File System Auto-Protect options, Scheduled Scan options, and

Manual Scan options for the client to exclude the email server softwaredirectory structure and the temporary processing directory for the antivirusscanner. Be sure to disable all email Auto-Protect options if they are installedand enabled.

8/4/2019 savcref

12/54

8/4/2019 savcref

13/54

Antivirus protection and email serversFile scanning on Exchange servers

Directories to includeYou can safely include the following directories and files in scans on all versionsof Microsoft Exchange Server:

Exchsrvr\Address

Exchsrvr\Bin

Exchsrvr\Conndata

Exchsrvr\Exchweb

Exchsrvr\Res

Exchsrvr\Schema

Any additional directories that are not a part of a standard Exchange

installation, and that are not included in the list of directories and files toexclude, are safe to include.

Directories and files to excludeThe directories and files to exclude depend on the version of MicrosoftExchange Server that you have installed. Add all listed directories and files tothe exclusion lists for File System Auto-Protect, Scheduled Scans, and ManualScans.

Note: The Tmp.edb file might be in multiple locations. Search for the file, andexclude it in any found locations. You can exclude single files by using the clientand server software that is installed on the Exchange server. You cannot excludesingle files by using the Symantec System Center with server and client groupconfigurations. Therefore, for all three configurations, you must excludeTmp.edb by using the Symantec AntiVirus user interface on the Exchangeserver.

8/4/2019 savcref

14/54

14 Antivirus protection and email serversFile scanning on Exchange servers

Microsoft Exchange Server 5.5Table 2-1 lists the directories and files to exclude for Microsoft Exchange Server5.5.

Microsoft Exchange Server 2000Table 2-2 lists the directories and files to exclude for Microsoft Exchange Server2000.

Table 2-1 Files to exclude for Microsoft Exchange Server 5.5

Directory and files Default file location

Exchange databases Default location: Exchsrvr\Mdbdata

Exchange MTA files Default location: Exchsrvr\Mtadata

Exchange temporary files Tmp.edb

Additional log files Default location and name:Exchsrvr\server_name.log

Site Replication Service (SRS) files Default location: Exchsrvr\Srsdata

Inbox for Internet Mail Connector Default location: Exchsrvr\IMCDATA

Microsoft Internet InformationService (IIS) system files

:\Winnt\System32\Inetsrv

Outbox for Internet Mail Connector Exchsrvr\IMCDATA\OUT director

Table 2-2 Files to exclude for Microsoft Exchange Server 2000


The Installable File System (IFS) Default location: Drive M




Additional log files Default location: Exchsrvr\server_name.log

Virtual server directory Default location: Exchsrvr\Mailroot


Internet Information Service (IIS)system files

:\Winnt\System32\Inetsrv

8/4/2019 savcref

15/54

Antivirus protection and email serversFile scanning on Exchange servers

Microsoft Exchange Server 2003Table 2-3 lists the directories and files to exclude for Microsoft Exchange Server2003.

Extensions to excludeBecause certain files are not always saved in the expected locations, exclude thefollowing file extensions on all versions of Microsoft Exchange Server:

.log .edb

Table 2-3 Files to exclude for Microsoft Exchange Server 2003





Additional log files Default location: Exchsrvr\server_name.log

Virtual server directory Default location: Exchsrvr\Mailroot


Internet Information Service (IIS)system files

Default location: Exchsrvr\Srsdata

Working directory for messageconversion .tmp files

Default location: Exchsrvr\Mdbdata

You can change the location of this directory. Foradditional information, consult the MicrosoftKnowledge Base.

The temporary directory that is used

with offline maintenance utilitiessuch as Eeseutil.exe

By default, this directory is the location from

which you run the executable, but you canspecify where you run the file from when yourun the utility.

The directory that contains thecheckpoint (.chk) file

For information on the location of this file,consult the Microsoft Knowledge Base.

8/4/2019 savcref

16/54

16 Antivirus protection and email serversFile scanning on Exchange servers

Directories to exclude when other Symantec products are installedExcluding these directories is critical to product operation. Each product uses itstemp directory as a processing directory. If the temp directories are notexcluded from file system scanning, the antivirus programs might conflict andcause unexpected behavior, including potential data loss.

Norton AntiVirus 2.x for Microsoft ExchangeExclude the following directories when you use this product:

:\Program Files\NAVMSE\Temp

:\Program Files\NAVMSE\Quarantine

:\Program Files\NAVMSE\Backup

Symantec AntiVirus/Filtering 3.0 for Microsoft ExchangeExclude the following directories when you use this product:

:\Program Files\Symantec\SAVFMSE\Temp

:\Program Files\Symantec\SAVFMSE\Quarantine

Symantec Mail Security 4.0 for Microsoft ExchangeExclude the following directories when you use this product:

:\Program Files\Symantec\SMSMSE\4.0\Server\Temp

:\Program Files\Symantec\SMSMSE\4.0\Server\Quarantine

Symantec Mail Security 4.5 for Microsoft ExchangeExclude the following directories when you use this product:

:\Program Files\Symantec\SMSMSE\4.5\Server\Temp

:\Program Files\Symantec\SMSMSE\4.5\Server\Quarantine

8/4/2019 savcref

17/54

Chapter 3

Reset ACL tool


About the Reset ACL tool Restricting registry access with the Reset ACL tool

About the Reset ACL toolReset ACL (Resetacl.exe) lets you limit access to the Symantec AntiVirus registrykey on Windows XP/2000 computers.

By default, these computers allow all users to modify the data stored in theregistry for any application, including Symantec AntiVirus. Reset ACL removes

the permissions that allow full access by all users to the following SymantecAntiVirus registry key and its subkeys:

HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion

Restricting registry access with the Reset ACL toolYou can use the Reset ACL tool to restrict registry access.

To restrict registry access with the Reset ACL tool

1 Roll out Resetacl.exe, located on the Symantec AntiVirus CD in the Toolsfolder, to unsecured computers.

2 Run Resetacl.exe on each of these computers.

After you have run Resetacl.exe, only users with Administrator rights canchange the registry key values.

While the Reset ACL tool boosts security for Symantec AntiVirus on thesecomputers, administrators should be aware that there are several trade-off considerations.

8/4/2019 savcref

18/54

18 Reset ACL toolRestricting registry access with the Reset ACL tool

In addition to losing access to the registry, users without Administrator rightswill not be able to do the following:

Start or stop the Symantec AntiVirus service.

Run LiveUpdate.

Schedule LiveUpdate.

Configure Symantec AntiVirus.For example, users cannot set Auto-Protect or email scanning options.

The options associated with these operations appear dimmed in the SymantecAntiVirus interface.

In addition, the user can modify scan options, but the changes are not saved inthe registry or processed. The user can also save manual scan options as the

default set, but the options are not written to the registry.

8/4/2019 savcref

19/54

Chapter 4

Importer tool


About the Importer tool Importing addresses using the Importer tool

Deleting entries from the address cache

Advanced usage

Getting Help while using the Importer tool

About the Importer toolThe Importer tool (Importer.exe) identifies computers in a non-WINSenvironment to the Symantec System Center console. This lets SymantecAntiVirus locate computers during the network discovery process, when thenames cannot be browsed using WINS/DNS. It is a command-line utility.

In addition to importing the paired names and IP addresses of computerslocated in non-WINS environments, you can add any other computer name andIP address pairing to the text file so that the computer is discovered in thefuture. For example, you may want to add the name and address of a computerthat has not been discovered successfully for an unknown reason.

Note: In most cases, you should not need the Importer tool. The Find Computerfeature of the Symantec System Center can usually find and identify SymantecAntiVirus servers on the network by means of address caching and the normalDiscovery process.

8/4/2019 savcref

20/54

20 Importer toolImporting addresses using the Importer tool

How the Importer tool worksThe Importer tool runs on any computer on which the Symantec System Centeris installed. You can use it to import pairs of computer names and IP addressesfrom a text file into the address cache registry entries used by the SymantecSystem Center.

Once the computer name and address pairs are imported, entries are created inthe registry under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\ CurrentVersion\AddressCache

You must run a Local Discovery or Intense Discovery after importing the datafile. The Discovery queries the addresses of the computers. The computersrunning the Symantec AntiVirus server are added to the Discovery Service in

memory and have complete entries created in the registry. The DiscoveryService can then find the computers each time that the Discovery Service is run.

Where the Importer tool is locatedThe Importer tool consists of a single file, Importer.exe. Importer.exe is locatedon the Symantec AntiVirus CD in the Tools folder.

You can copy Importer.exe to any folder on a computer on which the SymantecSystem Center is installed, and then run it.

Importing addresses using the Importer toolTo import addresses to the address cache, you must be logged on withAdministrator rights. This is necessary so that you have write access toHKEY_LOCAL_MACHINE.

Import addresses using the Importer toolTo import addresses using the Importer tool, you must complete the followingtasks:

Create a data file containing paired computer names and IP addresses. Run the Importer tool.

Note: You must run the Importer tool from a command prompt.

Run the Discovery Service.

8/4/2019 savcref

21/54

Importer toolDeleting entries from the address cache

To create a data file

1 Create a new file with a text editor such as Notepad.

2 Type the data in the following format:Avoid typing incorrect IP addresses for servers. No validation is performedto determine if two servers have the same IP address in the Importer textfile.

3 Save the file.For example, a data file named Computers.txt might look as follows:Computer 1, 192.168.3.121Computer 2, 192.168.3.122Computer 3, 192.168.3.123

Computer 4, 192.168.3.124Computer 5, 192.168.3.125Computer 6, 192.168.3.126

Note: You can type a semicolon or colon to the left of an address to comment itout. For example, if you know that a network segment is down, you can commentout associated subnet addresses.

To run the Importer tool

1 At the command-line prompt, type the following command: importer

where represents the full path to the Importer and represents the full path of the import file, such asC:\Computers\Computers.txt

2 Press Enter .

Deleting entries from the address cacheData imported from the data file does not overwrite information that is alreadystored in the address cache. If you have data that should be overwritten, such asan incorrect computer address, clear the cache before running the Importer.

Note: After importing the contents of the data file, do not click Clear Cache Now.Doing so deletes the contents of the address cache, including the imported data.

8/4/2019 savcref

22/54

22 Importer toolAdvanced usage

To delete entries from the address cache

1 In the Symantec System Center console, on the Tools menu, click DiscoveryService .

2 Under Cache Information, click Clear Cache Now .

Once you run Discovery after the data import, the correct data is available forfuture discovery sessions.

Advanced usageThe command line takes four parameters:

Import file path

First delimiter Second delimiter

Order (1 = computer name/IP address, 2 = IP address/computer name; thedefault is 1)

Note: The second delimiter needs to be a single character only. For example, theampersand cannot be used because the user would have to enter the following:&

For example, an import file named Machines.txt, in C:\MACHINES, could read asfollows:

192.168.3.121/Server 1

192.168.3.122/Server 2

192.168.3.123/Server 3

The above example is in IP address/computer name order (2). The firstparameter is a slash (/) and the second is a linefeed. The corresponding syntaxfor the command line would be:

importer C:\MACHINES\Machines.txt / LF 2

After the computer name and IP address pairs are imported, entries are createdin the registry under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\ CurrentVersion\AddressCache

You must run a local or intense discovery after importing the data file. Thediscovery queries the computer IP addresses. The computers running SymantecAntiVirus are added to the Discovery Service in memory and have complete

8/4/2019 savcref

23/54

Importer toolGetting Help while using the Importer tool

entries created in the registry. The Discovery Service can then find thecomputers each time that the Discovery Service is run.

Getting Help while using the Importer toolYou can access Help on Importer switch and syntax information.

To get Help while using the Importer tool

1 At the command line, type the following:Importer

2 Press Enter .

The Importer tool displays the following Help information:

Simple Usage : IMPORTER

: full path of import file

File format :

Example File : Server 1,192.168.3.121

Server 2,192.168.3.122

Server 3,192.168.3.123

press "a" for advanced usage

When "a" is pressed for advanced usage, the following help will bedisplayed:

Advanced Usage: IMPORTER

: full path of import file

: separator between first and second item in pair

: separator between pairs

NOTE: for carriage return/linefeed delimiters, use LF

for space delimiters, use SP

for comma, use ,

: order of computer name/ip address pairs

1 = computer name/ip address order

2 = ip address/computer name order

EXAMPLE -

File contents : 192.168.3.121/Server 1

192.168.3.122/Server 2

192.168.3.123/Server 3

Command line : IMPORTER C:\MyFolder\MyFile.txt / LF 2

8/4/2019 savcref

24/54

24 Importer toolGetting Help while using the Importer tool

Known problemsImporter depends on the HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\ CurrentVersion\AddressCache key used by the Symantec System Center. If thiskey is not present, an error message appears.

The Importer modifies the AddressCache key under HKLM, so the user needslocal administrator rights.

The Importer tool aids in the discovery process of the Symantec System Center.The Importer determines whether the Symantec System Center is present onthe local computer. If not, an error message appears.

After an import, the computer names paired with their IP addresses in theregistry are not complete. They show only the computer under the Address_0and Protocol dword values. A discovery must be run to complete the process

(using the Run Discovery Now button in the Discovery Service Properties dialogbox).

Do not click the Clear Cache Now option in the Discovery Service Propertiesdialog box. This deletes the contents of the address cache, including theimported data.

The Importer cannot assist in locating computers during the installationprocess.

Note: When you are pushing the Symantec AntiVirus client and server to remote

computers, an Import option appears in the Select Computer dialog box. Do notconfuse this Import option with the Import option on the ClientRemote Installand AV Server Rollout installation screens.

The Importer does not overwrite existing IP addresses in the address cache; thisis an intended design feature. However, there is a possibility that an incorrect IPaddress may exist in the cache. In such a case, the Importer cannot correct it.

8/4/2019 savcref

25/54

Chapter 5

Windows services


Symantec AntiVirus services Symantec System Center services

Symantec AntiVirus servicesTable 5-1 lists the names and descriptions for Symantec AntiVirus serverservices.

These appear in the Windows Services control panel.

Table 5-1 Symantec AntiVirus server services

Service name Binary name Description

Common clientapplication

ccApp.exe Primary client application servicethat is also used by Auto-Protect forfile systems and email.

Common client eventmanager

CcEvtMgr.exe Service that is used to scan POP3messages.

Common client settingsmanager

CcSetMgr.exe Service that is used to storeencrypted settings.

Defwatch Defwatch.exe Service that watches for newlyarriving virus definitions. Launchesa scan of the files in Quarantinewhen the new virus definitionsarrive.

Temper Protection SPBBCSvc.exe Service that protects Symantecproccesses.

8/4/2019 savcref

26/54

26 Windows servicesSymantec AntiVirus services

Table 5-2 lists the names and descriptions for Symantec AntiVirus clientservices.


Intel PDS Pds.exe Ping Discovery Service. AllowsDiscovery of Symantec AntiViruson this computer to occur.Applications register with thisservice, along with an APP ID, and apong packet to return in response toping requests.

Symantec AntiVirusServer

Rtvscan.exe Main Symantec AntiVirus service.Most Symantec AntiVirus server-related tasks are performed in thisservice.

Virus protection tray icon VPtray.exe Service that provides the systemtray icon.

Table 5-2 Symantec AntiVirus client services


Common clientapplication

ccApp.exe Primary client application servicethat is also used by Auto-Protect forfile systems and email.

Common client eventmanager

CcEvtMgr.exe Service that is used to scan POP3messages.

Common client passwordservice

CcPwdSvc.exe Service that is used to scan clientpassword service POP3 messages.

Common client settingsmanager

CcSetMgr.exe Service that is used to storeencrypted settings.

Configuration Wizardservice

CfgWzSvc.exe This service appears in theWindows Task Manager Processeswhen an installation fails. Theservice normally deletes itself afterthe Symantec AntiVirusConfiguration Wizard runs.

Table 5-1 Symantec AntiVirus server services


8/4/2019 savcref

27/54

Windows servicesSymantec AntiVirus services

Defwatch Defwatch.exe Service that watches for newlyarriving virus definitions. Launchesa scan of the files in Quarantinewhen the new virus definitionsarrive.

Temper Protection SPBBCSvc.exe Service that protects Symantecproccesses.

Symantec AntiVirusClient

Rtvscan.exe One of the main SymantecAntiVirus virus scanning services.Most Symantec AntiVirus client-

related tasks are performed in thisservice.

Client roaming service Savroam.exe Provides roaming server data toroaming clients.

Common client SymantecNetwork Drivers

SNDSrvc.exe Symantec Network Drivers.

Virus protection for32-bit operating systems

VPC32.exe One of the main SymantecAntiVirus services.

Virus protection tray icon VPtray.exe Service that provides the system

tray icon.

Table 5-2 Symantec AntiVirus client services


8/4/2019 savcref

28/54

28 Windows servicesSymantec System Center services

Symantec System Center servicesTable 5-3 lists the names and descriptions for Symantec System Center services.


Table 5-4 lists the names and descriptions for Alert Management System 2 services.


Table 5-3 Symantec System Center services


Symantec System CenterDiscovery Service

Nsctop.exe Discovery Service used to findSymantec AntiVirus servers on thenetwork. The Discovery Service alsopopulates the console with objects.

Table 5-4 Alert Management System 2 services


IntelAlert Handler Hndlrsvc.exe AMS 2 Alert Handler service.Provides alerting actions such asmessage boxes, pages, emails, andso on.

Intel Alert Originator Iao.exe AMS 2 Alert Originator service. Letsalerts be received on this computer.Alerts can be received from eitherthe local computer (in the case of aprimary server), or from a remotecomputer (in the case of unmanaged clients using acentralized AMS 2 server).

Intel File Transfer Xfr.exe File transfer service. Provides filetransfer capabilities to AMS 2.

Intel PDS Pds.exe Ping Discovery Service. AllowsDiscovery of Symantec AntiViruson this computer to occur.Applications register with thisservice, along with an APP ID, and apong packet to return in response toping requests.

8/4/2019 savcref

29/54

Chapter 6

Cryptography basics


Overview

About cryptographic keys and algorithms

About one-way hashes and digital signatures

About digital certificates and PKIs

About SSL

OverviewSymantec AntiVirus communications use the Secure Sockets Layer (SSL)protocol, which Netscape created to conduct secure transactions between Webservers and clients. Most online transactions that involve money moving acrossthe Internet use SSL. SSL uses a Public Key Infrastructure (PKI), digitalcertificates, and cryptography. For administrative purposes, you might need tounderstand how SSL uses certificates because you might need to manage orcreate certificates. To understand what a certificate is and how it is used, youneed to understand the basics of cryptography as it is used in SSL.

8/4/2019 savcref

30/54

30 Cryptography basicsAbout cryptographic keys and algorithms

About cryptographic keys and algorithmsIn its simplest form, a cryptographic key is a secret code that a cryptographic

algorithm (instruction sequence) uses to encrypt and decrypt messages. Thisalgorithm might be nothing more than transposing one alphabetic letter withanother. The key in this algorithm is knowing which letter is transposed withanother. For example, you might transpose the letter A with B, the letter B withC, and so on.

More complicated algorithms and keys might break a message into a series of groups, each of which has the same number of letters. The algorithm assignseach group a unique key that rearranges the numbered sequence. For example,in the first group the first letter is transposed to the third letter, the secondletter is transposed to the first letter, and the third letter is transposed to thesecond letter. To decrypt the message, you need the algorithm and the key foreach group.

These examples illustrate a symmetric algorithm and key where the same key isused to encrypt and decrypt messages. For security reasons, you keep this keyhidden and private, and you distribute this key only to the intended receiver.

Asymmetric keys and algorithms are also used in cryptography when twodifferent keys are used to encrypt and decrypt messages. One key is called aprivate key that you keep hidden, and one key is called a public key that youdistribute to anyone who wants to send you encrypted messages or read yourencrypted messages. Your private key decrypts messages that are encrypted

with your public key, and your public key decrypts messages that are encryptedwith your private key. One public and private key is called a key pair.

If you distribute your public key to all of your friends, or if you place your publickey where all of your friends can retrieve it, you can encrypt a message and sendit to all of your friends. Your friends obtain your public key and decrypt themessage. They know with certainty that the message came from you becauseonly your private key can encrypt the message and only you possess this key.

If one of your friends wants to send a message to you that only you can read,that person encrypts the message with your public key, sends you the message,and only you can decrypt the message because you have not given your privatekey to anyone else. If someone else intercepts the message, that person cannotdecrypt the message without possessing your private key.

These concepts form the foundation for understanding how SSL works. Modernsymmetric-key algorithms include Triple-DES, RC5, and the current NISTstandard of Advanced Encryption Standard (AES). Modern implementations of asymmetric-key algorithms include RSA, ECC, and El Gamal.

8/4/2019 savcref

31/54

Cryptography basicsAbout one-way hashes and digital signatures

About one-way hashes and digital signaturesA one-way hash is an algorithm that takes the contents of a variable-length

computer file (message) and produces a fixed-length value. This fixed-lengthvalue has at least three names: hash, hash value, and message digest. If youchange one bit in the computer file and then rerun the hashing algorithm on thefile, the second value differs from the first value.

For example, suppose that you create an unencrypted file that contains thename of a one-way hashing algorithm, generate a hash value for the file, andsend the file to a friend along with the hash value. Upon receipt, your friendreads the file, notices the name of the hashing algorithm, uses this algorithm togenerate a hash value on the same file, and compares the values. If the valuesmatch, your friend knows with certainty that the file contents have not beenaltered or tampered with. If the values do not match, your friend knows that thefile contents have been altered and does not trust the information in the file.

If you want your friend to know with certainty that the unencrypted messagecame from you, you encrypt the hash value by using your private key. Uponreceipt, your friend decrypts the hash value by using your public key. If decryption is successful, your friend knows with certainty that the messagecame from you because only you possess your private key. To verify theintegrity of the file, your friend then recalculates the hash value and compares itto the value that you sent with the message.

A hash value that is encrypted with a private key is called a digital signature.

The digital part of the term implies 1s and 0s. The signature part of the termimplies the uniqueness of a fingerprint, and the identity of the person whoencrypted the hash value is known with certainty. The act of encrypting a hashvalue with a private key is called signing.

These concepts form the foundation for understanding how SSL uses digitalcertificates. Modern implementations of one-way hashing algorithms includeMD4, MD5, and SHA.

8/4/2019 savcref

32/54

32 Cryptography basicsAbout digital certificates and PKIs

About digital certificates and PKIsA digital certificate is a file that contains the following:

A public key Identifying information about the claimed owner of the certificate

A one-way hash that is encrypted with the claimed owners private key(digital signature)

Other information such as the name of the one-way hashing algorithm andthe asymmetric encryption strength

Root Certificate Authorities (CAs) provide digital certificates to people whorequest and pay for certificates. Root CAs can create and sign certificates thatallow other CAs to create certificates as well, which forms a hierarchy of CAs.The root CA is always at the top of the hierarchy, and the root CA always signsits own certificate, which is called a self-signed certificate.

Two root CAs that are widely used across the Internet are VeriSign andEntrust.

Figure 6-1 illustrates the type of digital certificate that Symantec AntiVirususes, which is based on the X.509v3 standard.

This certificate is a self-signed server group root certificate.

8/4/2019 savcref

33/54

Cryptography basicsAbout digital certificates and PKIs

Figure 6-1 Digital certificate example

Certificate:Data:

Version: 3 (0x2)

Serial Number: 0 (0x0)Signature Algorithm: sha1WithRSAEncryption // Hashing and asymmetric algorithmsIssuer: OU=Server Group Root CA, CN=4930435c2aa91e4abb4e6c9d527eb762 Validity

Not Before: Nov 20 05:47:44 2001 GMTNot After: Nov 20 05:47:44 2002 GMT

Subject: Subject: OU=Server Group Root CA, CN=4930435c2aa91e4abb4e6c9d527eb762Subject Public Key Info:

Public Key Algorithm: rsaEncryptionRSA Public Key: (1024 bit)

Modulus (1024 bit): // Public key that is used for decryption and encryption00:ba:54:2c:ab:88:74:aa:6b:35:a5:a9:c1:d0:5a:9c:fb:6b:b5:71:bc:ef:d3:ab:15:cc:5b:75:73:36:b8:01:d1:59:3f:c1:88:c0:33:91:04:f1:bf:1a:b4:7b:c8:39:c2:89:1f:87:0f:91:19:81:09:46:0c:86:08:d8:75:c4:6f:5a:98:4a:f9:f8:f7:38:24:fc:bd:99:24:37:ab:f1:1c:d8:91:ee:fb:1b:9f:88:ba:25:da:f6:21:7f:04:32:35:17:3d:36:1c:fb:b7:32:9e:42:af:77:b6:25:1c:59:69:af:be:00:a1:f8:b0:1a:6c:14:e2:ae:62:e7:6b:30:e9

Exponent: 65537 (0x10001)X509v3 extensions:

X509v3 Basic Constraints: criticalCA:TRUE, pathlen:1

X509v3 Key Usage:Certificate Sign, CRL Sign

X509v3 Subject Key Identifier:FE:04:46:ED:A0:15:BE:C1:4B:59:03:F8:2D:0D:ED:2A:E0:ED:F9:2F

X509v3 Authority Key Identifier:keyid:E6:12:7C:3D:A1:02:E5:BA:1F:DA:9E:37:BE:E3:45:3E:9B:AE:E5:A6

Signature Algorithm: sha1WithRSAEncryption34:8d:fb:65:0b:85:5b:e2:44:09:f0:55:31:3b:29:2b:f4:fd:aa:5f:db:b8:11:1a:c6:ab:33:67:59:c1:04:de:34:df:08:57:2e:c6:60:dc:f7:d4:e2:f1:73:97:57:23:50:02:63:fc:78:96:34:b3:ca:c4:1b:c5:4c:c8:16:69:bb:9c:4a:7e:00:19:48:62:e2:51:ab:3a:fa:fd:88:cd:e0:9d:ef:67:50:da:fe:4b:13:c5:0c:8c:fc:ad:6e:b5:ee:40:e3:fd:34:10:9f:ad:34:bd:db:06:ed:09:3d:f2:a6:81:22:63:16:dc:ae:33:0c:70:fd:0a:6c:af:bc:5a

-----BEGIN CERTIFICATE----- // Certificate in encoded formatMIIDoTCCAwqgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBiTELMAkGA1UEBhMCRkoxDTALBgNVBAgTBEZpamkxDTALBgNVBAcTBFN1dmExDjAMBgNVBAoTBVNPUEFDMQwwCgYDVQQLEwNJQ1QxFjAUBgNVBAMTDVNPUEFDIFJvb3QgQ0ExJjAkBgkqhkiG9w0BCQEWF2FkbWluaXN0cmF0b3JAc29wYWMub3JnMB4XDTAxMTEyMDA1NDc0NFoXDTAyMTEyMDA1NDc0NFowgYkxCzAJBgNVBAYTAkZKMQ0wCwYDVQQIEwRGaWppMQ0wCwYD

VQQHEwRTdXZhMQ4wDAYDVQQKEwVTT1BBQzEMMAoGA1UECxMDSUNUMRYwFAYDVQQDEw13d3cuc29wYWMub3JnMSYwJAYJKoZIhvcNAQkBFhdhZG1pbmlzdHJhdG9yQHNvcGFjLm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAulQsq4h0qms1panB

0 Fqb+2u1cbzv06sVzFt1cza4AdFZP8GIwDORBPG/GrR6yDnCiR+HD5EZgQlGDIYI2HXEb1qYSvn49zgk/L2UJDer8RzYke77G5+IuiXa9iF/BDI1Fz02HPu3Mp5Cr3e2JRxZaa++AKH4sBpsFOKuYudrMOkCAwEAAaOCARUwggERMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBT+BEbtoBW+wUtZA/gtDe0q4O35LzCBtgYDVR0jBIGuMIGrgBTmEnw9oQLl-----END CERTIFICATE-----

8/4/2019 savcref

34/54

34 Cryptography basicsAbout digital certificates and PKIs

When a person or corporation wants a certificate to use in a Public KeyInfrastructure (PKI) that is used across the Internet, that person (John, forexample) completes a Certificate Signing Request (CSR), which containsidentifying information such as a phone number, address, and so forth. In someimplementations, John can generate a private and public key pair, and includethe public key with the request. In other implementations, John can request thatthe CA create the private and public key pair, and return the private keysecurely.

John sends the CSR to a Registration Authority (RA). The RA confirms thepersons identity, and then the RA sends the CSR to a CA. The CA creates adigital certificate, defines a time over which the certificate is valid, adds Johnspersonal information, inserts Johns public key, digitally signs the certificatewith the CAs private key, and then sends the certificate to John along with Johns private key if the CA created the private key. The CA is now responsiblefor managing the certificate for John for as long as it is valid. To verify that theCA created the certificate, people can decrypt the digital signature by using theCAs public key.

Now, if John wants to send a message to Mary and wants Mary to know that themessage actually came from him, John creates his message, creates a one-wayhash of the message, digitally signs the hash with his private key, and sends themessage along with his digital certificate to Mary. Before Mary reads themessage, she sends a request to the CA to validate Johns certificate. Certificatescan be revoked for a variety of reasons, one of which is that John lost his privatekey, it became public and was distributed in Internet chat rooms, and John sent arequest to the CA to put his key on the Certificate Revocation List (CRL), whichlists invalid certificates.

The CA checks its database to see if the certificate is Johns and has not expired,and then checks the CRL to see if his certificate has been revoked. If thecertificate is not on the CRL and has not expired, the CA responds to Mary thatthe certificate is Johns and is valid. Mary then successfully decrypts Johnsdigital signature by using Johns public key, and knows that Johns message hasnot been altered in transit, and that it came from John.

For reference, Symantec AntiVirus uses an internal root CA (external CAs

include Entrust and VeriSign), and the primary server in each server groupperforms root CA activities. The primary server creates a self-signed certificatethat serves as the highest level of trust, and is valid for 10 years. SymantecAntiVirus does not implement an RA or CRL, but does use CSRs. Finally,Symantec AntiVirus implements these components to support SSL, whichsecures communications between clients, servers, and the Symantec SystemCenter.

8/4/2019 savcref

35/54

Cryptography basicsAbout SSL

About SSLNetscape developed SSL to secure traffic between Web servers and browsers.

SSL uses public and private keys, and digital certificates to negotiate asymmetric key and algorithm to use to encrypt traffic between the two.However, most Web browsers rarely query the root CA to see if a certificate isvalid. They verify that the root CAs certificate is installed locally and is valid.Browsers compare the received certificate against the installed certificate toverify that digital signatures match.

To see a list of trusted root certificates that are installed with Internet Explorer,check Tools, Internet Options, Content, Certificates, Trusted Root CertificationAuthorities. You can also view the content of the certificates.

The following list summarizes a successful SSL connection between a Web

browser and a Web server: A browser sends a request to a server for a secure page.

The server sends its digital certificate to the browser.

The browser authenticates the server by validating the digital certificateagainst its list of installed certificates, and concludes that the certificate isvalid.

The browser chooses a random symmetric key and an algorithm that itwants to use to encrypt traffic to and from the server, encrypts the key andalgorithm by using the servers public key that is contained in its digital

certificate, and sends the certificate to the server. The server decrypts the message by using its private key, and then encrypts

all additional information that it sends to the client by using the symmetrickey and algorithm. The server can also tell the client to try anothersymmetric key and algorithm, which is the negotiation process.

The client decrypts all information that it receives from the server by usingthe symmetric key and algorithm, and encrypts all information that it sendsback to the server by using the same symmetric key and algorithm.

The server and client use this symmetric key to encrypt communications

until the communications session ends. This symmetric key is also called asession key and is used only for the duration of the communications session.

If the browser wants to talk to the server at a later date, the browser andserver negotiate a different session key by using the same process, andpotentially a different algorithm.

The traffic between the server and client is encrypted by using symmetriccryptography because is it much faster than asymmetric cryptography.

8/4/2019 savcref

36/54

36 Cryptography basicsAbout SSL

Symantec AntiVirus uses SSL between clients, servers, and the SymantecSystem Center. However, Symantec AntiVirus does not use Web servers orbrowsers. Symantec AntiVirus uses SSL-enabled primary and secondaryservers, and SSL-enabled clients. However, the way that they communicate isvery similar to the way that Web servers and browsers communicate.Furthermore, root certificates are installed locally on clients by default.

Symantec AntiVirus server certificates are digitally signed by a self-signedserver group root CA, so server certificates contain information that identifiesthe root CA. When Symantec AntiVirus clients receive a server certificate, theyvalidate that the server group root CA signed it by comparing it to the servergroup root CA certificate that is installed locally. Both certificates containsfields that identify the server group root CA, and these fields must match. Theservers certificate is also known as a chained certificate, because it containsinformation that identifies the server group root CA. A chain of trust can thenbe traced back to the server group root CA.

8/4/2019 savcref

37/54

Chapter 7

Event Log entries


Symantec AntiVirus events

Symantec AntiVirus eventsTable 7-1 lists events that are forwarded to the Symantec System Center. Many,but not all, of these events appear in the Windows 2000/XP Application Log.

Also, the Windows Application Log might not completely conform to this list.For example, event number 34 appears as a log forwarding error in theSymantec System Center, but the event number 34 appears as an Informationevent for starting Event and Settings Manager.

Table 7-1 Events

Event Event number Description

Scan Stopped 2 Occurs when antivirus scanningcompletes.

Scan Started 3 Occurs when antivirus scanningstarts.

Definition File Sent To Server 4 Occurs when a parent server sendsa .vdb file to a secondary server.

Virus Found 5 Occurs when scanning detects avirus.

Scan Omission 6 Occurs when scanning fails to gainaccess to a file or directory.

Definition File Loaded 7 Occurs when Symantec AntiVirusloads a new .vdb file.

8/4/2019 savcref

38/54

38 Event Log entriesSymantec AntiVirus events

Checksum 10 Occurs when a checksum erroroccurs when verifying a digitallysigned file.

Auto-Protect 11 Occurs when Auto-Protect is notfully operational.

Configuration Changed 12 Occurs when a server updates itsconfigurations according to thechanges made from the console,excluding configuration changesmade in the PRODUCTCONTROL

or DOMAINDATA registry keys.Symantec AntiVirus Shutdown 13 Occurs when the Rtvscan.exe

service is unloaded.

Symantec AntiVirus Startup 14 Occurs when the Rtvscan.exeservice is loaded.

Definition File Download 16 Occurs when new definitions aredownloaded by a scheduleddefinitions update.

Scan Action Auto-Changed 17 Occurs when Symantec AntiVirus

has deleted or quarantined morethan 5 infected files within thelast minute. The number of filesquarantined or deleted and thetime interval are configurablefrom the registry. The defaults are5 files in 60 seconds.

Sent To Quarantine Server 18 Occurs when quarantined files aresent to a Quarantine Server.

Delivered To Symantec SecurityResponse

19 Occurs when a file is delivered toSymantec Security Response.

Backup Restore Error 20 Occurs when Symantec AntiViruscannot back up a file or restore afile from Quarantine.

Scan Aborted 21 Occurs when a scan is stoppedbefore it completes.

Table 7-1 Events


8/4/2019 savcref

39/54

Event Log entriesSymantec AntiVirus events

Symantec AntiVirus Auto-ProtectLoad Error

22 Occurs when Auto-Protect fails toload.

Symantec AntiVirus Auto-ProtectLoaded

23 Occurs when Auto-Protect loadssuccessfully.

Symantec AntiVirus Auto-ProtectUnloaded

24 Occurs when Auto-Protect isunloaded.

Removed Client 25 Occurs when a parent serverremoves a client computer from itsclients list. This will happen bydefault when a client computerfails to check in with its parentserver for over thirty days.

Scan Delayed 26 Occurs when a scheduled scan issnoozed/paused (delayed).

Scan Re-started 27 Occurs when a snoozed/pausedscan is restarted.

Roaming Client added to Server 28 Occurs when a roaming client isadded to a server.

Roaming Client deleted fromServer

29 Occurs when a roaming client isremoved from a server.

License Warning 30 Occurs when a license warningmessage is generated.

License Error 31 Occurs when there is a licenseerror.

Access Denied Warning 33 Occurs when an unauthorizedcommunication attempt is made.

Log Forwarding Error 34 Occurs when there is a problemwith the log forwarding process.Also logs when Event and SettingsManager are started.

License Installed 35 Occurs when a license is installed.

License Allocated 36 Occurs when a license is allocated.

License Status 37 Occurs when a license is validated.

Table 7-1 Events


8/4/2019 savcref

40/54


License Deallocated 38 Occurs when a license isdeallocated.

Definitions Rollback 39 Occurs when definitions are rolledback.

Definitions Unprotected 40 Occurs when a computer is notprotected with definitions.

Detection Action 40 Occurs when Auto-Protect detectsa threat.

Successful Remediation Action 42 Occurs when Auto-Protect

performs a successful side-effectsrepair for adware or spyware.

Failed Remediaton Action 43 Occurs when Auto-Protect fails toperform a successful side-effectsrepair for adware or spyware.

Pending Remediation Action 44 Occurs when Auto-Protect is readyto perform a side-effects repair foradware or spyware.

Auto-Protect Error 46 Occurs when an error occurs withAuto-Protect.

Compliancy Failure 47 Occurs when a managed computerconfiguration fails a compliancytest.

Compliancy Success 48 Occurs when a managed computerconfiguration passes a compliancytest.

SymProtect Action 49 Occurs when SymProtect blocks atamper attempt.

Scan Started 64 Occurs when adware and spywarescans start.

Note: This event number is out of numerical sequence in this tableand placed here for convenience.

Scan Stopped 50 Occurs when adware and spywarescans stop.

Table 7-1 Events


8/4/2019 savcref

41/54

Event Log entriesSymantec AntiVirus events

Login Failed 51 Occurs when a user login is notauthenticated and fails.

Login Succeeded 52 Occurs when a user login isauthenticated and successful.

Unauthorized Communications 53 Occurs when an attempt is madeto access functionality that is notpermitted.

Antivirus Client Installation 54 Occurs when antivirus clientsoftware is installed.

Firewall Client Installation 55 Occurs when firewall clientsoftware is installed.

Client Software Uninstalled 56 Occurs when client software isuninstalled.

Client Software UninstallRollback

57 Occurs when an attempt touninstall client software fails, andthe client software is restored.

Server Group Root CertificateIssued

58 Occurs when a server group rootcertificate is created for a servergroup and installed in the rootsdirectory.

Server Certificate Issued 59 Occurs when a primary serverissues a login CA certificate and aserver certificate to a secondaryserver in a server group.

Trusted Root Change 60 Occurs when a server group rootcertificate is added or deleted.

Server Certificate Startup Failed 61 Occurs when a server tries toinitialize its secure protocol but

fails.Client Checkin 62 Occurs when a client checks in

with its parent server forconfiguration changes.

No Client Checkin 63 Occurs when a client fails to checkin with its parent server within aspecified time interval.

Table 7-1 Events


8/4/2019 savcref

42/54


8/4/2019 savcref

43/54

8/4/2019 savcref

44/54

44 How certificates are implementedHow certificates establish a chain of trust

Figure 8-1 Certificates and the chain of trust

The primary server in each server group creates and manages a self-signed rootcertificate. This certificate is called the server group root certificate, and is thefoundation on which servers and clients trust each other in a server group. Theserver group root certificate has a lifetime of 10 years. If you promote secondaryservers to primary servers, the server group certificate is automaticallypromoted to the new primary server.

8/4/2019 savcref

45/54

How certificates are implementedHow clients and servers authenticate certificates

All servers, both primary and secondary, also possess a server end-entitycertificate. Each server initially generates and self-signs this certificate duringinstallation, generates a certificate signing request (CSR), and submits both tothe primary server for processing and signing. The primary server processes theCSR, creates and digitally signs a new server certificate, increments a numericalcounter value in the certificate name by one, and then returns it to the server.The new server end-entity certificate now has an established chain of trust tothe server group root certificate.

Note: The primary server creates this server certificate for itself automaticallyfrom its server group root certificate.

How clients and servers authenticate certificatesWhen a server tries to push a new configuration to a client, it presents its servercertificate to the client, the client compares the server certificate to the servergroup root certificates that it possesses, and verifies that the server certificate isdigitally signed by one of clients server group root certificates. When the clientfinds the appropriate server group root certificate and verifies the chain of trustback to the server group root certificate, the client accepts the newconfiguration. If the client cannot verify the chain of trust, it does not accept thenew configuration.

A similar system is used to authenticate users. A login CA certificate is createdand signed by the server group root certificate when a primary server is createdto establish a chain of trust back to the server group root certificate. This loginCA certificate is also valid for 10 years.

When a user successfully authenticates to a server group (unlocks it from theSymantec System Center), the user initially authenticates by using a user nameand password. The user then receives a temporary login certificate that is signedby the login CA certificate. This certificate is time-stamped and is valid for aspecific amount of time, after which it expires. The default time value is 24hours. You can modify this time value by using the Login Certificate Settings

dialog box for a server group in the Symantec System Center.When servers and clients receive the users request for configuration changes,they verify that the users login certificate establishes a chain of trust back tothe server group root certificate. If clients successfully authenticate the chain of trust, they then compare their system clocks to the certificates time stamp. If they verify that the certificate has not expired, they accept the usersconfiguration changes.

8/4/2019 savcref

46/54

46 How certificates are implementedAuthentication paths and methods

The login certificate is generated with a time limitation for security purposes,but is valid across all time zones. If a specific user account is deleted in theSymantec System Center, the temporary login certificate that is associated withthat user cannot be renewed after it expires, regardless of the time zone. If thelogin certificate expires after the user authenticates to a server or client, theuser is automatically issued another valid login certificate.

Be aware that unsynchronized computer system clocks in a server group mightprohibit servers and clients from authenticating a users login certificatesbecause of the time differential. For example, suppose that you have a logincertificate that contains a primary servers time stamp and is valid for 30minutes. Then, suppose that the user attempts to authenticate to a client thathas a clock that is set 45 minutes ahead of the primary server clock. When theclient receives the login certificate, it believes that the login certificate expired15 minutes ago based on its system clock setting, and does not permitconfiguration changes by the logged in user.

Note: Use a system clock synchronization method in your computer networks.Otherwise, communications might fail until computers have clock values thatare within the client certificates time expiration window. You can set thecertificates time value in the Symantec System Center.

Authentication paths and methodsTable 8-1 describes the authentication paths and methods that are used toauthenticate Symantec AntiVirus entities.

Table 8-1 Authentication paths and methods

Authentication path Method

Symantec System Center to server Servers authenticate the Symantec SystemCenter users by using either a password orcertificate. The Symantec System Centerauthenticates servers by using certificates.

Server to client Servers do not authenticate clients.

Client to server Clients authenticate servers by usingcertificates.

Client to Symantec System Center Clients authenticate the Symantec SystemCenter users by using certificates.

Symantec System Center to client The Symantec System Center does notauthenticate clients.

8/4/2019 savcref

47/54

How certificates are implementedCertificate store directories

Certificate store directoriesA typical installation creates top-level directories that store executable files for

servers, clients, and the Symantec System Center. The default names of thesedirectories are different. For example, on servers the default name is \SAV, andon the computer that hosts the Symantec System Center, the default name is\Symantec System Center.

Under these top-level directories, a typical installation creates subdirectoriesthat store certificates, private keys, and certificate signing requests (CSRs).These directories are called the certificate store, and are contained under adirectory called \pki. The subdirectory names are certs, private-keys,cert-signing-requests, and roots.

Server certificate stores are controlled by Access Control Lists (ACLs) for

administrator access only. The Symantec System Center certificate store is notcontrolled by ACLs for administrator access, because restricted users mightneed to access the certificates in the certificate store. As a result, private keysare not saved to the Symantec System Center certificate store. Client certificatestores are controlled by parent servers, and client certificate stores use only theroots directory, which is auto-populated and controlled by parent servers.

Table 8-2 lists and describes the directories that the certificate store containsunder the \pki directory, and the files that the directories contain by location.

Table 8-2 Certificate store directories and files

Component Directory

Symantec SystemCenter

Certs: Empty.

Private-keys: Empty.

Cert-signing-requests: Empty.

Roots: Contains the root certificates for all server groups.

Primary server Certs: Contains the login CA and server certificates.

Private-keys: Contains the private keys for the server group,login CA, and servers.

Cert-signing-requests: Contains generated certificate signingrequests (CSRs) for the server group, login CA, and servers. Usethe server group CSR when you manually create an enterpriseroot certificate. The other two CSRs are used dynamically.

Roots: Contains the root certificate for the server group inwhich it is installed. Might also contain root certificates forother server groups.

8/4/2019 savcref

48/54

48 How certificates are implementedFile naming conventions

File naming conventionsCertificate names contain globally unique identifiers (GUIDs). GUIDs are uniqueIDs that are installed on each computer to prevent name collisions so that youcan move servers from one server group to another. Certificate names alsocontain counters to provide historical records of a server's previousmembership in the same domain and to permit the reissuing of a certificate tothe same entity. Server group names are not included in certificates or filenames so that you can rename server groups.

File naming conventions fall into the following categories:

Server group root certificates and private keys

Server certificates and private keys

Login CA certificates and private keys

Certificate signing requests

Server group root certificates and private keysThe following examples show server group root certificate and private keynaming conventions:

..servergroupca.cer

..servergroupca.pvk

Secondary server Certs: Contains the login CA and server certificates.Private-keys: Contains the private keys for the login CA andservers.

Cert-signing-requests: Empty.

Roots: Contains the root certificate for the first server group inwhich it is a member. Might also contain root certificates forother server groups.

Clients Certs: Empty.

Private-keys: Empty.

Cert-signing-requests: Empty.Roots: Contains the root certificate for the first server group inwhich it is a member. Might also contain root certificates forother server groups to permit roaming.

Table 8-2 Certificate store directories and files

Component Directory

8/4/2019 savcref

49/54

8/4/2019 savcref

50/54

50 How certificates are implementedOther certificate details

The following examples show actual names for CSRs:

4930435c2aa91e4abb4e6c9d527eb762.0.servergroupca.cer

INFODEV-TEST1.4930435c2aa91e4abb4e6c9d527eb762.0.server.cer

INFODEV-TEST1.4930435c2aa91e4abb4e6c9d527eb762.0.loginca.cer

Other certificate detailsThese details are provided for your information:

Certificate and CSR counters

Certificate and key file formats

Server group root key archival

About promoting secondary servers to primary servers

About viewing certificates

About preserving certificates and issue time

Install a primary server and secondary server in each server group

Certificate and CSR countersEach certificate and CSR has a field. Each time a certificate or requestis generated, the certificate or CSR that is generated next has the counter fieldincremented by a value of one. For example, each server group root certificate,as it is generated for each primary server in a new server group, has the field incremented by one. All server group root certificates are in the\pki\roots directory under the directory that contains the Symantec SystemCenter files.

Certificate and key file formatsAll certificates and private keys are held in unencrypted PEM-formatted files.The PEM format is DER for ASN.1 format data that has been Base-64 encoded.

8/4/2019 savcref

51/54

How certificates are implementedOther certificate details

Server group root key archivalYou must closely guard the private key that is associated with the server grouproot certificate. No tool should be capable of moving your private key from theprimary server in your environment. You should back up your private key to aremovable storage device, secure the device in a vault, delete it from the primaryserver, and remove it from the Recycle Bin on Windows computers. Use this keywhen you add secondary servers only. When you need to add secondary servers,replace the private key in the private-keys directory on the primary server, addthe secondary server, and then re-secure the key.

Warning: Do not lose your server group root private key. If you do, you will notbe able to add secondary servers to your server group. If you lose your key,create another server group and move your secondary servers and clients to that

group.

About promoting secondary servers to primary serversWhen you promote a secondary server to a primary server, the server groupprivate key is not automatically copied to the new primary server even if itexists on the demoted primary server. To add additional servers to the servergroup that has a new primary server, you must copy the server group privatekey to the \pki\private-keys directory on the new primary server.

About viewing certificatesInternet Explorer and most Web browsers let you view certificates. Typically,most Web browsers have file associations for the .cer extensions, so you candouble-click the .cer files and view them in a certificate viewer. If you have notinstalled a certificate in a Web browser before you view it, the certificate viewertypically lets you know that the certificate is not to be trusted. If you install thecertificate from the certificate viewer, most Web browsers then trust thecertificate, and display additional information about the certificate.

8/4/2019 savcref

52/54

52 How certificates are implementedOther certificate details

About preserving certificates and issue timeLogin certificates are short-lived and are not normally preserved onmanagement servers like server and login CA certificates are. Furthermore,certificate names do not indicate the date and time that they are issued. Topreserve all certificates and include the date and time that they are issued in thename, set the following registry key DWORD value to a value other than 0:

HKLM\Software\LANDesk\VirusProtect6\CurrentVersion\ArchiveCerts

When you set the registry key DWORD value to non-0 on a management server,issued-YYMMDDHHMMSSMMMM-.cer certificate files are written tothe \Program Files\SAV directory every time that a new certificate is issued. TheYYMMDDHHMMSSMMMM is a hex output of 2-digit year, 2-digit month, 2-digitday, 2-digit 24 hour, 2-digit minute, 2-digit seconds, and 4-digit milliseconds.

Install a primary server and secondary server in each server groupA best practice for implementing server groups is to always have a primaryserver and secondary server in each group. When a server group contains two ormore antivirus servers, every server other than the primary antivirus server isdefined as a secondary server. Symantec AntiVirus servers do not require serveroperating systems, and do not support email scanning.

If your server group contains only one antivirus server, which would be theprimary server, and if that server crashes, you will not be able to unlock andmanage that server group from the Symantec System Center, and yourcertificate infrastructure will become obsolete until you restore a backup. If youhave a secondary antivirus server in the group, you will be able to unlock thatserver group, promote the secondary server to a primary server, move theclients to the new primary server by copying the Grc.dat file from the primaryserver to the clients, and reestablish communications with your managedclients.

For additional information about the Grc.dat file and client communications,refer to the Symantec AntiVirus Installation Guide in the client installationchapter.

8/4/2019 savcref

53/54

Index

A

access, limiting with the Reset ACL tool 17address cache

and administrator rights 20deleting entries from 21

Administrator rights and the Importer tool 20alerts

and the Intel Alert Handler service 28

and the Intel Alert Originator service 28AMS services

Intel Alert Handler 28Intel Alert Originator 28Intel File Transfer 28Intel PDS 28

C

certificatesabout promoting secondary servers to primary

servers 51

authentication paths and methods 46backing up 51CSR counters 50directory locations 47end entity 45establishing a chain of trust 43file formats 50file naming conventions 48how clients and servers authenticate 45server group root lifetime 44server root key archival 51viewing 51

client servicesSee also server services; servicesDefwatch 27Symantec AntiVirus 27

command line and the Importer tool 19computer names

creating a data file for the Importer tool 21importing 7

D

data file, creating 21Defwatch.exe 25, 27Discovery

and the Importer tool 7, 19Intense Discovery 20Local Discovery 20

E

email serversconfiguring 9managed client configuration 11stand-alone configuration 10unmanaged client configuration 11

Exchange serversdirectories and files to exclude 13extensions to exclude 15file scanning on 12

Ffile transfer service and AMS 28Find Computer feature and the Importer tool 19

H

Help for the Importer tool 23Hndlrsvc.exe 28

I

Iao.exe 28

Importer toolabout 7, 19advanced usage 22and the Find Computer feature 19getting help with 23how it works 20importing addresses with 20known problems with 24running 21where it is located 20

8/4/2019 savcref

54/54

54 Index

Importer.exe 20Intel Alert Handler 28Intel Alert Originator 28Intel File Transfer 28

Intel PDS 28Intense Discovery 20IP addresses

creating a data file for the Importer tool 21importing 7

L

license events 39LiveUpdate and the Reset ACL tool 18Local Discovery 20

NNsctop.exe 28

P

Pds.exe 26, 28Ping Discovery Service and the Intel PDS service 26

R

registrykey 17

restricting access 17settings 7Reset ACL tool

about 7, 17restricting registry access with 17

Resetacl.exe 17Rtvscan.exe 26, 27

S

Savroam.exe 27security and the Reset ACL tool 17server services

See also client services; servicesDefwatch 25Intel PDS 26Symantec AntiVirus 26

V

virus definitions updatesand the Defwatch client service 27and the Defwatch server service 25

W

Windows registryconfiguration settings in 7restricting access to 17

X

Xfr.exe 28

Documents

savcref