
Symantec AntiVirus Corporate Edition Reference Guide



The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version 10.0

Copyright Notice
Copyright 2005 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.

Trademarks
Symantec, the Symantec logo, LiveUpdate, and Norton AntiVirus are U.S. registered trademarks of Symantec Corporation. Norton Internet Security, Norton Personal Firewall, Symantec AntiVirus, Symantec Client Firewall, Symantec Client Security, and Symantec Security Response are trademarks of Symantec Corporation. Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged. Printed in the United States of America. 10 9 8 7 6 5 4 3 2 1

Technical support
As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group's primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and virus definitions updates for virus outbreaks and security alerts. Symantec technical support offerings include:

- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and Web support components that provide rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Content Updates for virus definitions and security signatures that ensure the highest level of protection
- Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support Program
- Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support

Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using.

Licensing and registration


If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at www.symantec.com/certificate. Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.html, select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link.

Contacting Technical Support


Customers with a current support agreement may contact the Technical Support group via phone or online at www.symantec.com/techsupp. Customers with Platinum support agreements may contact Platinum Technical Support via the Platinum Web site at www-secure.symantec.com/platinum/.

When contacting the Technical Support group, please have the following:

- Product release level
- Hardware information
- Available memory, disk space, NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description
- Error messages/log files
- Troubleshooting performed prior to contacting Symantec
- Recent software configuration changes and/or network changes

Customer Service
To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues:

- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information on product updates and upgrades
- Information on upgrade insurance and maintenance contracts
- Information on Symantec Value License Program
- Advice on Symantec's technical support options
- Nontechnical presales questions
- Missing or defective CD-ROMs or manuals

Contents

Technical support

Chapter 1  Introducing the reference guide
    What is in the reference guide ............................................................................. 7

Chapter 2  Antivirus protection and email servers
    About configuring Symantec AntiVirus on email servers .............................. 9
        Stand-alone server configuration ............................................................. 10
        Managed client configuration .................................................................... 11
        Unmanaged client configuration .............................................................. 11
    File scanning on Exchange servers ................................................................... 12
        Directories to include .................................................................................. 13
        Directories and files to exclude ................................................................. 13
        Extensions to exclude .................................................................................. 15
        Directories to exclude when other Symantec products are installed ........ 16

Chapter 3  Reset ACL tool
    About the Reset ACL tool .................................................................................... 17
    Restricting registry access with the Reset ACL tool ...................................... 17

Chapter 4  Importer tool
    About the Importer tool ...................................................................................... 19
        How the Importer tool works ..................................................................... 20
        Where the Importer tool is located ........................................................... 20
    Importing addresses using the Importer tool ................................................. 20
    Deleting entries from the address cache .......................................................... 21
    Advanced usage ................................................................................................... 22
    Getting Help while using the Importer tool .................................................... 23
        Known problems .......................................................................................... 24

Chapter 5  Windows services
    Symantec AntiVirus services ............................................................................ 25
    Symantec System Center services .................................................................... 28

Chapter 6  Cryptography basics
    Overview ............................................................................................................... 29
    About cryptographic keys and algorithms ...................................................... 30
    About one-way hashes and digital signatures ................................................ 31
    About digital certificates and PKIs ................................................................... 32
    About SSL .............................................................................................................. 35

Chapter 7  Event Log entries
    Symantec AntiVirus events ............................................................................... 37

Chapter 8  How certificates are implemented
    How certificates establish a chain of trust ...................................................... 43
    How clients and servers authenticate certificates ......................................... 45
    Authentication paths and methods .................................................................. 46
    Certificate store directories ............................................................................... 47
    File naming conventions .................................................................................... 48
        Server group root certificates and private keys ..................................... 48
        Server certificates and private keys ......................................................... 49
        Login CA certificates and private keys ..................................................... 49
        Certificate signing requests ....................................................................... 49
    Other certificate details ...................................................................................... 50
        Certificate and CSR counters ..................................................................... 50
        Certificate and key file formats ................................................................. 50
        Server group root key archival .................................................................. 51
        About promoting secondary servers to primary servers ...................... 51
        About viewing certificates .......................................................................... 51
        About preserving certificates and issue time .......................................... 52
        Install a primary server and secondary server in each server group ........ 52

Index

Chapter 1

Introducing the reference guide


This chapter includes the following topics:

What is in the reference guide

This reference guide contains technical product information for Symantec AntiVirus, including information on tools that are on the Symantec AntiVirus CD. It is intended for system administrators and others who install and maintain this product in a networked, corporate environment.

What is in the reference guide


Table 1-1 lists and describes the topics in this reference guide.

Table 1-1  Reference guide topics

Topic: Antivirus protection and email servers
Description: This chapter provides examples of how you should implement antivirus protection on email servers.

Topic: Reset ACL tool
Description: Many of the configuration settings for Symantec AntiVirus are stored in the Windows registry. Reset ACL lets you restrict access to these registry settings on Windows XP/2000 operating systems to prevent unauthorized users from making changes.

Topic: Importer tool
Description: The Importer tool is a command-line utility specifically for use with the Symantec System Center. The Importer tool lets you import as many sets of computer names and IP addresses into a special address cache as you need. Symantec AntiVirus can then locate computers during the Discovery process in situations where the computer names cannot be resolved using WINS/DNS.

Topic: Windows services
Description: This chapter lists the names of services run automatically by Symantec AntiVirus and the Symantec System Center. Those names appear in the Windows Services control panel.

Topic: Event Log entries
Description: This chapter lists the events written by Symantec AntiVirus to the Windows Event Log.

Topic: Cryptography basics
Description: This chapter provides an overview of the cryptography concepts that administrators need to understand if they do not know the difference between a digital signature and a digital certificate. Administrators need this knowledge to understand how Symantec AntiVirus uses certificates.

Topic: How certificates are implemented
Description: This chapter provides an overview of how Symantec AntiVirus implements digital certificates to secure communications between the Symantec System Center, servers, and clients by using SSL.

Chapter 2

Antivirus protection and email servers


This chapter includes the following topics:

- About configuring Symantec AntiVirus on email servers
- File scanning on Exchange servers

About configuring Symantec AntiVirus on email servers


Symantec AntiVirus antivirus software is a file system scanner, and is not designed to handle server functions. Products that are specifically designed to protect Microsoft Exchange, Domino, and other gateway servers handle server functions. Allowing Symantec AntiVirus to scan certain parts of a mail server can cause unexpected behavior, problems, or even total data loss. If you install Symantec AntiVirus antivirus software on an email server, you need to take some precautions to prevent damage to the data on the server. One precaution that you must take is to exclude certain directories and files from scanning. How you make these exclusions depends on the following circumstances:

- Whether you install Symantec AntiVirus server or client on email servers
- Whether you want to manage email servers from the Symantec System Center

Note: For the latest details on which directories and files to exclude from scanning, consult the Symantec Knowledge Base on the Symantec Web site.


Symantec AntiVirus client software also has Auto-Protect for email, which monitors the standard email ports. Auto-Protect can cause performance degradation or failure if it is installed and enabled on an email server. Therefore, you must disable this feature if you install the client software on an email server. You can install Symantec AntiVirus software in the following configurations:

- Stand-alone server configuration
- Managed client configuration
- Unmanaged client configuration

Stand-alone server configuration


In the stand-alone server configuration, you install antivirus server software on an email server, and then place the server in a separate server group that is dedicated to email servers. This configuration is the preferred one because it has the smallest exposure to error. Be sure to name the server group in a way that indicates that it contains email servers.

Configure the File System Auto-Protect options, Scheduled Scan options, and Manual Scan options for the server group to exclude the email server software directory structure and the temporary processing directory for the email server. The Symantec AntiVirus antivirus server does not include the email Auto-Protect options that are provided by the antivirus client, so you do not have to disable them.

Configure the servers in the server group to receive virus definitions updates from the primary server by using the Virus Definition Transport Manager (VDTM). If a Symantec antivirus product for the email server is also installed, disable the LiveUpdate schedule for that product. The virus definitions downloads are exactly the same, so only one application should run LiveUpdate. All installed Symantec antivirus products share the same virus definitions.


Managed client configuration


In the managed client configuration, you install Symantec AntiVirus antivirus client software on an Exchange server, and then place the server in a separate client group that is dedicated to Exchange servers. Be sure to name the client group in a way that indicates that it contains Exchange servers.

Configure the File System Auto-Protect options, Scheduled Scan options, and Manual Scan options for the client group to exclude the email server software directory structure and the temporary processing directory for the antivirus scanner. Be sure to disable all email Auto-Protect options if they are installed and enabled.

Warning: If you configure Symantec AntiVirus as a client on an email server, be sure to disable email Auto-Protect if it is installed. This feature monitors the standard mail ports, and can cause performance degradation or failure if it is installed on email servers.

Configure the clients in the client group to receive virus definitions updates from the parent server by using VDTM. If a Symantec antivirus product for the email server is also installed, disable the LiveUpdate schedule for that product. The virus definitions that Symantec AntiVirus and the antivirus products for email servers download are exactly the same. Therefore, only one application should run LiveUpdate. All installed Symantec antivirus products share the same virus definitions.

Unmanaged client configuration


In the unmanaged client configuration, you install Symantec AntiVirus client software from the installation CD and execute the Setup.exe file in the SAV directory. If you use the installation files from an installed Symantec AntiVirus server or use the client rollout installers, the client will automatically retrieve configuration information from the selected parent server and become a managed client. Configure the File System Auto-Protect options, Scheduled Scan options, and Manual Scan options for the client to exclude the email server software directory structure and the temporary processing directory for the antivirus scanner. Be sure to disable all email Auto-Protect options if they are installed and enabled.


Warning: If you configure Symantec AntiVirus as a client on an email server, be sure to disable email Auto-Protect if it is installed. This feature monitors the standard mail ports, and can cause performance degradation or failure if it is installed on mail servers.

Configure the client software to use LiveUpdate to retrieve updates from Symantec on a regular schedule. If a Symantec antivirus product for the email server is also installed, disable the LiveUpdate schedule for that product, and configure Symantec AntiVirus to run LiveUpdate. The virus definitions that Symantec AntiVirus and the antivirus products for email servers download are exactly the same. Therefore, only one application should run LiveUpdate. All installed Symantec antivirus products share the same virus definitions.

File scanning on Exchange servers


Symantec AntiVirus protects the file system on an Exchange server, not the Exchange server. Products such as Symantec Mail Security for Microsoft Exchange protect Exchange servers. Certain directories must be excluded from scanning by Symantec AntiVirus to prevent problems with the Internet Mail Connector (IMC) or Information Store (IS). If Auto-Protect scans the Exchange directory structure or the Symantec Mail Security processing directory, it can cause the following:

- False positive virus detections
- Unexpected behavior on the Exchange server
- Damage to the Exchange databases

To correctly configure file scanning, you need to understand the following information:

- Directories to include
- Directories and files to exclude
- Extensions to exclude
- Directories to exclude when other Symantec products are installed

Note: For the latest details on which directories and files to exclude from scanning, consult the Symantec Knowledge Base on the Symantec Web site.


Directories to include
You can safely include the following directories and files in scans on all versions of Microsoft Exchange Server:

- Exchsrvr\Address
- Exchsrvr\Bin
- Exchsrvr\Conndata
- Exchsrvr\Exchweb
- Exchsrvr\Res
- Exchsrvr\Schema

Any additional directories that are not a part of a standard Exchange installation, and that are not included in the list of directories and files to exclude, are safe to include.

Directories and files to exclude


The directories and files to exclude depend on the version of Microsoft Exchange Server that you have installed. Add all listed directories and files to the exclusion lists for File System Auto-Protect, Scheduled Scans, and Manual Scans.

Note: The Tmp.edb file might be in multiple locations. Search for the file, and exclude it in any found locations. You can exclude single files by using the client and server software that is installed on the Exchange server. You cannot exclude single files by using the Symantec System Center with server and client group configurations. Therefore, for all three configurations, you must exclude Tmp.edb by using the Symantec AntiVirus user interface on the Exchange server.


Microsoft Exchange Server 5.5

Table 2-1 lists the directories and files to exclude for Microsoft Exchange Server 5.5.

Table 2-1  Files to exclude for Microsoft Exchange Server 5.5

Exchange databases
    Default location: Exchsrvr\Mdbdata
Exchange MTA files
    Default location: Exchsrvr\Mtadata
Exchange temporary files
    Tmp.edb
Additional log files
    Default location and name: Exchsrvr\server_name.log
Site Replication Service (SRS) files
    Default location: Exchsrvr\Srsdata
Inbox for Internet Mail Connector
    Default location: Exchsrvr\IMCDATA
Microsoft Internet Information Service (IIS) system files
    <Drive>:\Winnt\System32\Inetsrv
Outbox for Internet Mail Connector
    Exchsrvr\IMCDATA\OUT directory

Microsoft Exchange Server 2000

Table 2-2 lists the directories and files to exclude for Microsoft Exchange Server 2000.

Table 2-2  Files to exclude for Microsoft Exchange Server 2000

The Installable File System (IFS)
    Default location: Drive M
Exchange databases
    Default location: Exchsrvr\Mdbdata
Exchange MTA files
    Default location: Exchsrvr\Mtadata
Exchange temporary files
    Tmp.edb
Additional log files
    Default location: Exchsrvr\server_name.log
Virtual server directory
    Default location: Exchsrvr\Mailroot
Site Replication Service (SRS) files
    Default location: Exchsrvr\Srsdata
Internet Information Service (IIS) system files
    <Drive>:\Winnt\System32\Inetsrv


Microsoft Exchange Server 2003

Table 2-3 lists the directories and files to exclude for Microsoft Exchange Server 2003.

Table 2-3  Files to exclude for Microsoft Exchange Server 2003

Exchange databases
    Default location: Exchsrvr\Mdbdata
Exchange MTA files
    Default location: Exchsrvr\Mtadata
Exchange temporary files
    Tmp.edb
Additional log files
    Default location: Exchsrvr\server_name.log
Virtual server directory
    Default location: Exchsrvr\Mailroot
Site Replication Service (SRS) files
    Default location: Exchsrvr\Srsdata
Internet Information Service (IIS) system files
    Default location: Exchsrvr\Srsdata
Working directory for message conversion .tmp files
    Default location: Exchsrvr\Mdbdata. You can change the location of this directory. For additional information, consult the Microsoft Knowledge Base.
The temporary directory that is used with offline maintenance utilities such as Eseutil.exe
    By default, this directory is the location from which you run the executable, but you can specify where you run the file from when you run the utility.
The directory that contains the checkpoint (.chk) file
    For information on the location of this file, consult the Microsoft Knowledge Base.

Extensions to exclude
Because certain files are not always saved in the expected locations, exclude the following file extensions on all versions of Microsoft Exchange Server:

- .log
- .edb


Directories to exclude when other Symantec products are installed


Excluding these directories is critical to product operation. Each product uses its temp directory as a processing directory. If the temp directories are not excluded from file system scanning, the antivirus programs might conflict and cause unexpected behavior, including potential data loss.

Norton AntiVirus 2.x for Microsoft Exchange


Exclude the following directories when you use this product:

- <drive>:\Program Files\NAVMSE\Temp
- <drive>:\Program Files\NAVMSE\Quarantine
- <drive>:\Program Files\NAVMSE\Backup

Symantec AntiVirus/Filtering 3.0 for Microsoft Exchange


Exclude the following directories when you use this product:

- <drive>:\Program Files\Symantec\SAVFMSE\Temp
- <drive>:\Program Files\Symantec\SAVFMSE\Quarantine

Symantec Mail Security 4.0 for Microsoft Exchange


Exclude the following directories when you use this product:

- <drive>:\Program Files\Symantec\SMSMSE\4.0\Server\Temp
- <drive>:\Program Files\Symantec\SMSMSE\4.0\Server\Quarantine

Symantec Mail Security 4.5 for Microsoft Exchange


Exclude the following directories when you use this product:

- <drive>:\Program Files\Symantec\SMSMSE\4.5\Server\Temp
- <drive>:\Program Files\Symantec\SMSMSE\4.5\Server\Quarantine

Chapter 3

Reset ACL tool


This chapter includes the following topics:

- About the Reset ACL tool
- Restricting registry access with the Reset ACL tool

About the Reset ACL tool


Reset ACL (Resetacl.exe) lets you limit access to the Symantec AntiVirus registry key on Windows XP/2000 computers. By default, these computers allow all users to modify the data stored in the registry for any application, including Symantec AntiVirus. Reset ACL removes the permissions that allow full access by all users to the following Symantec AntiVirus registry key and its subkeys:

    HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion

Restricting registry access with the Reset ACL tool


You can use the Reset ACL tool to restrict registry access.

To restrict registry access with the Reset ACL tool
1  Roll out Resetacl.exe, located on the Symantec AntiVirus CD in the Tools folder, to unsecured computers.
2  Run Resetacl.exe on each of these computers.

After you have run Resetacl.exe, only users with Administrator rights can change the registry key values. While the Reset ACL tool boosts security for Symantec AntiVirus on these computers, administrators should be aware that there are several trade-off considerations.


In addition to losing access to the registry, users without Administrator rights will not be able to do the following:

- Start or stop the Symantec AntiVirus service.
- Run LiveUpdate.
- Schedule LiveUpdate.
- Configure Symantec AntiVirus. For example, users cannot set Auto-Protect or email scanning options.

The options associated with these operations appear dimmed in the Symantec AntiVirus interface. In addition, the user can modify scan options, but the changes are not saved in the registry or processed. The user can also save manual scan options as the default set, but the options are not written to the registry.

Chapter 4

Importer tool
This chapter includes the following topics:

- About the Importer tool
- Importing addresses using the Importer tool
- Deleting entries from the address cache
- Advanced usage
- Getting Help while using the Importer tool

About the Importer tool


The Importer tool (Importer.exe) identifies computers in a non-WINS environment to the Symantec System Center console. This lets Symantec AntiVirus locate computers during the network discovery process, when the names cannot be browsed using WINS/DNS. It is a command-line utility.

In addition to importing the paired names and IP addresses of computers located in non-WINS environments, you can add any other computer name and IP address pairing to the text file so that the computer is discovered in the future. For example, you may want to add the name and address of a computer that has not been discovered successfully for an unknown reason.

Note: In most cases, you should not need the Importer tool. The Find Computer feature of the Symantec System Center can usually find and identify Symantec AntiVirus servers on the network by means of address caching and the normal Discovery process.


How the Importer tool works


The Importer tool runs on any computer on which the Symantec System Center is installed. You can use it to import pairs of computer names and IP addresses from a text file into the address cache registry entries used by the Symantec System Center. Once the computer name and address pairs are imported, entries are created in the registry under the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AddressCache

You must run a Local Discovery or Intense Discovery after importing the data file. The Discovery queries the addresses of the computers. The computers running the Symantec AntiVirus server are added to the Discovery Service in memory and have complete entries created in the registry. The Discovery Service can then find the computers each time that the Discovery Service is run.

Where the Importer tool is located


The Importer tool consists of a single file, Importer.exe. Importer.exe is located on the Symantec AntiVirus CD in the Tools folder. You can copy Importer.exe to any folder on a computer on which the Symantec System Center is installed, and then run it.

Importing addresses using the Importer tool


To import addresses to the address cache, you must be logged on with Administrator rights. This is necessary so that you have write access to HKEY_LOCAL_MACHINE.

Import addresses using the Importer tool


To import addresses using the Importer tool, you must complete the following tasks:

- Create a data file containing paired computer names and IP addresses.
- Run the Importer tool.
  Note: You must run the Importer tool from a command prompt.
- Run the Discovery Service.


To create a data file
1  Create a new file with a text editor such as Notepad.
2  Type the data in the following format:
       <server name><comma><IP address><linefeed>
   Avoid typing incorrect IP addresses for servers. No validation is performed to determine if two servers have the same IP address in the Importer text file.
3  Save the file.

For example, a data file named Computers.txt might look as follows:

    Computer 1, 192.168.3.121
    Computer 2, 192.168.3.122
    Computer 3, 192.168.3.123
    Computer 4, 192.168.3.124
    Computer 5, 192.168.3.125
    Computer 6, 192.168.3.126

Note: You can type a semicolon or colon to the left of an address to comment it out. For example, if you know that a network segment is down, you can comment out associated subnet addresses.

To run the Importer tool
1  At the command-line prompt, type the following command:
       <fullpath> importer <filename>
   where <fullpath> represents the full path to the Importer and <filename> represents the full path of the import file, such as C:\Computers\Computers.txt
2  Press Enter.

Deleting entries from the address cache


Data imported from the data file does not overwrite information that is already stored in the address cache. If you have data that should be overwritten, such as an incorrect computer address, clear the cache before running the Importer.

Note: After importing the contents of the data file, do not click Clear Cache Now. Doing so deletes the contents of the address cache, including the imported data.


To delete entries from the address cache
1  In the Symantec System Center console, on the Tools menu, click Discovery Service.
2  Under Cache Information, click Clear Cache Now.

Once you run Discovery after the data import, the correct data is available for future discovery sessions.

Advanced usage
The command line takes four parameters:

    Import file path
    First delimiter
    Second delimiter
    Order (1 = computer name/IP address, 2 = IP address/computer name; the default is 1)

Note: The second delimiter needs to be a single character only. For example, the ampersand cannot be used because the user would have to enter the following: &

For example, an import file named Machines.txt, in C:\MACHINES, could read as follows:

    192.168.3.121/Server 1
    192.168.3.122/Server 2
    192.168.3.123/Server 3

The above example is in IP address/computer name order (2). The first delimiter is a slash (/) and the second is a linefeed. The corresponding command line would be:

    importer C:\MACHINES\Machines.txt / LF 2

After the computer name and IP address pairs are imported, entries are created in the registry under the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AddressCache

You must run a local or intense discovery after importing the data file. The discovery queries the computer IP addresses. The computers running Symantec AntiVirus are added to the Discovery Service in memory and have complete entries created in the registry. The Discovery Service can then find the computers each time that the Discovery Service is run.

Getting Help while using the Importer tool

You can access Help on Importer switch and syntax information.

To get Help while using the Importer tool

1 At the command line, type the following:

    Importer

2 Press Enter.

The Importer tool displays the following Help information:

    Simple Usage : IMPORTER <filename>
    <filename>   : full path of import file
    File format  : <server name><comma><ip address><linefeed>
    Example File : Server 1,192.168.3.121
                   Server 2,192.168.3.122
                   Server 3,192.168.3.123
    press "a" for advanced usage

When "a" is pressed for advanced usage, the following help is displayed:

    Advanced Usage: IMPORTER <filename> <delimiter 1> <delimiter 2> <order>
    <filename>    : full path of import file
    <delimiter 1> : separator between first and second item in pair
    <delimiter 2> : separator between pairs
    NOTE: for carriage return/linefeed delimiters, use LF
          for space delimiters, use SP
          for comma, use ,
    <order>       : order of computer name/ip address pairs
                    1 = computer name/ip address order
                    2 = ip address/computer name order
    EXAMPLE
    File contents : 192.168.3.121/Server 1
                    192.168.3.122/Server 2
                    192.168.3.123/Server 3
    Command line  : IMPORTER C:\MyFolder\MyFile.txt / LF 2


Known problems

Importer depends on the HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\AddressCache key used by the Symantec System Center. If this key is not present, an error message appears. The Importer modifies the AddressCache key under HKLM, so the user needs local administrator rights.

The Importer tool aids in the discovery process of the Symantec System Center. The Importer determines whether the Symantec System Center is present on the local computer. If not, an error message appears.

After an import, the computer names paired with their IP addresses in the registry are not complete. They show only the computer under the Address_0 and Protocol dword values. A discovery must be run to complete the process (using the Run Discovery Now button in the Discovery Service Properties dialog box). Do not click the Clear Cache Now option in the Discovery Service Properties dialog box. This deletes the contents of the address cache, including the imported data.

The Importer cannot assist in locating computers during the installation process.

Note: When you are pushing the Symantec AntiVirus client and server to remote computers, an Import option appears in the Select Computer dialog box. Do not confuse this Import option with the Import option on the ClientRemote Install and AV Server Rollout installation screens.

The Importer does not overwrite existing IP addresses in the address cache; this is an intended design feature. However, there is a possibility that an incorrect IP address may exist in the cache. In such a case, the Importer cannot correct it.

Chapter 5

Windows services

This chapter includes the following topics:

    Symantec AntiVirus services
    Symantec System Center services

Symantec AntiVirus services

Table 5-1 lists the names and descriptions for Symantec AntiVirus server services. These appear in the Windows Services control panel.

Table 5-1    Symantec AntiVirus server services (service name, binary name, description)

Common client application (ccApp.exe)
    Primary client application service that is also used by Auto-Protect for file systems and email.
Common client event manager (CcEvtMgr.exe)
    Service that is used to scan POP3 messages.
Common client settings manager (CcSetMgr.exe)
    Service that is used to store encrypted settings.
Defwatch (Defwatch.exe)
    Service that watches for newly arriving virus definitions. Launches a scan of the files in Quarantine when the new virus definitions arrive.
Tamper Protection (SPBBCSvc.exe)
    Service that protects Symantec processes.
Intel PDS (Pds.exe)
    Ping Discovery Service. Allows Discovery of Symantec AntiVirus on this computer to occur. Applications register with this service, along with an APP ID, and a pong packet to return in response to ping requests.
Symantec AntiVirus Server (Rtvscan.exe)
    Main Symantec AntiVirus service. Most Symantec AntiVirus server-related tasks are performed in this service.
Virus protection tray icon (VPtray.exe)
    Service that provides the system tray icon.

Table 5-2 lists the names and descriptions for Symantec AntiVirus client services. These appear in the Windows Services control panel.

Table 5-2    Symantec AntiVirus client services (service name, binary name, description)

Common client application (ccApp.exe)
    Primary client application service that is also used by Auto-Protect for file systems and email.
Common client event manager (CcEvtMgr.exe)
    Service that is used to scan POP3 messages.
Common client password service (CcPwdSvc.exe)
    Service that is used to scan client password service POP3 messages.
Common client settings manager (CcSetMgr.exe)
    Service that is used to store encrypted settings.
Configuration Wizard service (CfgWzSvc.exe)
    This service appears in the Windows Task Manager Processes when an installation fails. The service normally deletes itself after the Symantec AntiVirus Configuration Wizard runs.
Defwatch (Defwatch.exe)
    Service that watches for newly arriving virus definitions. Launches a scan of the files in Quarantine when the new virus definitions arrive.
Tamper Protection (SPBBCSvc.exe)
    Service that protects Symantec processes.
Symantec AntiVirus Client (Rtvscan.exe)
    One of the main Symantec AntiVirus virus scanning services. Most Symantec AntiVirus client-related tasks are performed in this service.
Client roaming service (Savroam.exe)
    Provides roaming server data to roaming clients.
Common client Symantec Network Drivers (SNDSrvc.exe)
    Symantec Network Drivers.
Virus protection for 32-bit operating systems (VPC32.exe)
    One of the main Symantec AntiVirus services.
Virus protection tray icon (VPtray.exe)
    Service that provides the system tray icon.


Symantec System Center services

Table 5-3 lists the names and descriptions for Symantec System Center services. These appear in the Windows Services control panel.

Table 5-3    Symantec System Center services (service name, binary name, description)

Symantec System Center Discovery Service (Nsctop.exe)
    Discovery Service used to find Symantec AntiVirus servers on the network. The Discovery Service also populates the console with objects.

Table 5-4 lists the names and descriptions for Alert Management System2 services. These appear in the Windows Services control panel.

Table 5-4    Alert Management System2 services (service name, binary name, description)

Intel Alert Handler (Hndlrsvc.exe)
    AMS2 Alert Handler service. Provides alerting actions such as message boxes, pages, emails, and so on.
Intel Alert Originator (Iao.exe)
    AMS2 Alert Originator service. Lets alerts be received on this computer. Alerts can be received from either the local computer (in the case of a primary server), or from a remote computer (in the case of unmanaged clients using a centralized AMS2 server).
Intel File Transfer (Xfr.exe)
    File transfer service. Provides file transfer capabilities to AMS2.
Intel PDS (Pds.exe)
    Ping Discovery Service. Allows Discovery of Symantec AntiVirus on this computer to occur. Applications register with this service, along with an APP ID, and a pong packet to return in response to ping requests.

Chapter 6

Cryptography basics

This chapter includes the following topics:

    Overview
    About cryptographic keys and algorithms
    About one-way hashes and digital signatures
    About digital certificates and PKIs
    About SSL

Overview

Symantec AntiVirus communications use the Secure Sockets Layer (SSL) protocol, which Netscape created to conduct secure transactions between Web servers and clients. Most online transactions that involve money moving across the Internet use SSL. SSL uses a Public Key Infrastructure (PKI), digital certificates, and cryptography.

For administrative purposes, you might need to understand how SSL uses certificates because you might need to manage or create certificates. To understand what a certificate is and how it is used, you need to understand the basics of cryptography as it is used in SSL.


About cryptographic keys and algorithms

In its simplest form, a cryptographic key is a secret code that a cryptographic algorithm (instruction sequence) uses to encrypt and decrypt messages. This algorithm might be nothing more than transposing one alphabetic letter with another. The key in this algorithm is knowing which letter is transposed with another. For example, you might transpose the letter A with B, the letter B with C, and so on.

More complicated algorithms and keys might break a message into a series of groups, each of which has the same number of letters. The algorithm assigns each group a unique key that rearranges the numbered sequence. For example, in the first group the first letter is transposed to the third letter, the second letter is transposed to the first letter, and the third letter is transposed to the second letter. To decrypt the message, you need the algorithm and the key for each group.

These examples illustrate a symmetric algorithm and key, where the same key is used to encrypt and decrypt messages. For security reasons, you keep this key hidden and private, and you distribute this key only to the intended receiver.

Asymmetric keys and algorithms are also used in cryptography, when two different keys are used to encrypt and decrypt messages. One key is called a private key that you keep hidden, and one key is called a public key that you distribute to anyone who wants to send you encrypted messages or read your encrypted messages. Your private key decrypts messages that are encrypted with your public key, and your public key decrypts messages that are encrypted with your private key. One public and private key is called a key pair.

If you distribute your public key to all of your friends, or if you place your public key where all of your friends can retrieve it, you can encrypt a message and send it to all of your friends. Your friends obtain your public key and decrypt the message. They know with certainty that the message came from you because only your private key can encrypt the message and only you possess this key. If one of your friends wants to send a message to you that only you can read, that person encrypts the message with your public key, sends you the message, and only you can decrypt the message because you have not given your private key to anyone else. If someone else intercepts the message, that person cannot decrypt the message without possessing your private key.

These concepts form the foundation for understanding how SSL works.

Modern symmetric-key algorithms include Triple-DES, RC5, and the current NIST standard of Advanced Encryption Standard (AES). Modern implementations of asymmetric-key algorithms include RSA, ECC, and El Gamal.


About one-way hashes and digital signatures

A one-way hash is an algorithm that takes the contents of a variable-length computer file (message) and produces a fixed-length value. This fixed-length value has at least three names: hash, hash value, and message digest. If you change one bit in the computer file and then rerun the hashing algorithm on the file, the second value differs from the first value.

For example, suppose that you create an unencrypted file that contains the name of a one-way hashing algorithm, generate a hash value for the file, and send the file to a friend along with the hash value. Upon receipt, your friend reads the file, notices the name of the hashing algorithm, uses this algorithm to generate a hash value on the same file, and compares the values. If the values match, your friend knows with certainty that the file contents have not been altered or tampered with. If the values do not match, your friend knows that the file contents have been altered and does not trust the information in the file.

If you want your friend to know with certainty that the unencrypted message came from you, you encrypt the hash value by using your private key. Upon receipt, your friend decrypts the hash value by using your public key. If decryption is successful, your friend knows with certainty that the message came from you because only you possess your private key. To verify the integrity of the file, your friend then recalculates the hash value and compares it to the value that you sent with the message.

A hash value that is encrypted with a private key is called a digital signature. The digital part of the term implies 1s and 0s. The signature part of the term implies the uniqueness of a fingerprint, and the identity of the person who encrypted the hash value is known with certainty. The act of encrypting a hash value with a private key is called signing.

These concepts form the foundation for understanding how SSL uses digital certificates.

Modern implementations of one-way hashing algorithms include MD4, MD5, and SHA.


About digital certificates and PKIs

A digital certificate is a file that contains the following:

    A public key
    Identifying information about the claimed owner of the certificate
    A one-way hash that is encrypted with the claimed owner's private key (digital signature)
    Other information such as the name of the one-way hashing algorithm and the asymmetric encryption strength

Root Certificate Authorities (CAs) provide digital certificates to people who request and pay for certificates. Root CAs can create and sign certificates that allow other CAs to create certificates as well, which forms a hierarchy of CAs. The root CA is always at the top of the hierarchy, and the root CA always signs its own certificate, which is called a self-signed certificate. Two root CAs that are widely used across the Internet are VeriSign and Entrust.

Figure 6-1 illustrates the type of digital certificate that Symantec AntiVirus uses, which is based on the X.509v3 standard. This certificate is a self-signed server group root certificate.


Figure 6-1    Digital certificate example

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 0 (0x0)
            Signature Algorithm: sha1WithRSAEncryption    // Hashing and asymmetric algorithms
            Issuer: OU=Server Group Root CA, CN=4930435c2aa91e4abb4e6c9d527eb762
            Validity
                Not Before: Nov 20 05:47:44 2001 GMT
                Not After : Nov 20 05:47:44 2002 GMT
            Subject: OU=Server Group Root CA, CN=4930435c2aa91e4abb4e6c9d527eb762
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):    // Public key that is used for decryption and encryption
                        00:ba:54:2c:ab:88:74:aa:6b:35:a5:a9:c1:d0:5a:
                        9c:fb:6b:b5:71:bc:ef:d3:ab:15:cc:5b:75:73:36:
                        b8:01:d1:59:3f:c1:88:c0:33:91:04:f1:bf:1a:b4:
                        7b:c8:39:c2:89:1f:87:0f:91:19:81:09:46:0c:86:
                        08:d8:75:c4:6f:5a:98:4a:f9:f8:f7:38:24:fc:bd:
                        99:24:37:ab:f1:1c:d8:91:ee:fb:1b:9f:88:ba:25:
                        da:f6:21:7f:04:32:35:17:3d:36:1c:fb:b7:32:9e:
                        42:af:77:b6:25:1c:59:69:af:be:00:a1:f8:b0:1a:
                        6c:14:e2:ae:62:e7:6b:30:e9
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:TRUE, pathlen:1
                X509v3 Key Usage:
                    Certificate Sign, CRL Sign
                X509v3 Subject Key Identifier:
                    FE:04:46:ED:A0:15:BE:C1:4B:59:03:F8:2D:0D:ED:2A:E0:ED:F9:2F
                X509v3 Authority Key Identifier:
                    keyid:E6:12:7C:3D:A1:02:E5:BA:1F:DA:9E:37:BE:E3:45:3E:9B:AE:E5:A6
        Signature Algorithm: sha1WithRSAEncryption
            34:8d:fb:65:0b:85:5b:e2:44:09:f0:55:31:3b:29:2b:f4:fd:
            aa:5f:db:b8:11:1a:c6:ab:33:67:59:c1:04:de:34:df:08:57:
            2e:c6:60:dc:f7:d4:e2:f1:73:97:57:23:50:02:63:fc:78:96:
            34:b3:ca:c4:1b:c5:4c:c8:16:69:bb:9c:4a:7e:00:19:48:62:
            e2:51:ab:3a:fa:fd:88:cd:e0:9d:ef:67:50:da:fe:4b:13:c5:
            0c:8c:fc:ad:6e:b5:ee:40:e3:fd:34:10:9f:ad:34:bd:db:06:
            ed:09:3d:f2:a6:81:22:63:16:dc:ae:33:0c:70:fd:0a:6c:af:
            bc:5a
    -----BEGIN CERTIFICATE-----    // Certificate in encoded format
    MIIDoTCCAwqgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBiTELMAkGA1UEBhMCRkox
    DTALBgNVBAgTBEZpamkxDTALBgNVBAcTBFN1dmExDjAMBgNVBAoTBVNPUEFDMQww
    CgYDVQQLEwNJQ1QxFjAUBgNVBAMTDVNPUEFDIFJvb3QgQ0ExJjAkBgkqhkiG9w0B
    CQEWF2FkbWluaXN0cmF0b3JAc29wYWMub3JnMB4XDTAxMTEyMDA1NDc0NFoXDTAy
    MTEyMDA1NDc0NFowgYkxCzAJBgNVBAYTAkZKMQ0wCwYDVQQIEwRGaWppMQ0wCwYD
    VQQHEwRTdXZhMQ4wDAYDVQQKEwVTT1BBQzEMMAoGA1UECxMDSUNUMRYwFAYDVQQD
    Ew13d3cuc29wYWMub3JnMSYwJAYJKoZIhvcNAQkBFhdhZG1pbmlzdHJhdG9yQHNv
    cGFjLm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAulQsq4h0qms1panB
    0Fqb+2u1cbzv06sVzFt1cza4AdFZP8GIwDORBPG/GrR6yDnCiR+HD5EZgQlGDIYI
    2HXEb1qYSvn49zgk/L2UJDer8RzYke77G5+IuiXa9iF/BDI1Fz02HPu3Mp5Cr3e2
    JRxZaa++AKH4sBpsFOKuYudrMOkCAwEAAaOCARUwggERMAkGA1UdEwQCMAAwLAYJ
    YIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1Ud
    DgQWBBT+BEbtoBW+wUtZA/gtDe0q4O35LzCBtgYDVR0jBIGuMIGrgBTmEnw9oQLl
    -----END CERTIFICATE-----


When a person or corporation wants a certificate to use in a Public Key Infrastructure (PKI) that is used across the Internet, that person (John, for example) completes a Certificate Signing Request (CSR), which contains identifying information such as a phone number, address, and so forth. In some implementations, John can generate a private and public key pair, and include the public key with the request. In other implementations, John can request that the CA create the private and public key pair, and return the private key securely.

John sends the CSR to a Registration Authority (RA). The RA confirms the person's identity, and then the RA sends the CSR to a CA. The CA creates a digital certificate, defines a time over which the certificate is valid, adds John's personal information, inserts John's public key, digitally signs the certificate with the CA's private key, and then sends the certificate to John along with John's private key if the CA created the private key. The CA is now responsible for managing the certificate for John for as long as it is valid. To verify that the CA created the certificate, people can decrypt the digital signature by using the CA's public key.

Now, if John wants to send a message to Mary and wants Mary to know that the message actually came from him, John creates his message, creates a one-way hash of the message, digitally signs the hash with his private key, and sends the message along with his digital certificate to Mary. Before Mary reads the message, she sends a request to the CA to validate John's certificate. Certificates can be revoked for a variety of reasons, one of which is that John lost his private key, it became public and was distributed in Internet chat rooms, and John sent a request to the CA to put his key on the Certificate Revocation List (CRL), which lists invalid certificates.

The CA checks its database to see if the certificate is John's and has not expired, and then checks the CRL to see if his certificate has been revoked. If the certificate is not on the CRL and has not expired, the CA responds to Mary that the certificate is John's and is valid. Mary then successfully decrypts John's digital signature by using John's public key, and knows that John's message has not been altered in transit, and that it came from John.

For reference, Symantec AntiVirus uses an internal root CA (external CAs include Entrust and VeriSign), and the primary server in each server group performs root CA activities. The primary server creates a self-signed certificate that serves as the highest level of trust, and is valid for 10 years. Symantec AntiVirus does not implement an RA or CRL, but does use CSRs. Finally, Symantec AntiVirus implements these components to support SSL, which secures communications between clients, servers, and the Symantec System Center.


About SSL

Netscape developed SSL to secure traffic between Web servers and browsers. SSL uses public and private keys, and digital certificates, to negotiate a symmetric key and algorithm to use to encrypt traffic between the two. However, most Web browsers rarely query the root CA to see if a certificate is valid. They verify that the root CA's certificate is installed locally and is valid. Browsers compare the received certificate against the installed certificate to verify that digital signatures match. To see a list of trusted root certificates that are installed with Internet Explorer, check Tools, Internet Options, Content, Certificates, Trusted Root Certification Authorities. You can also view the content of the certificates.

The following list summarizes a successful SSL connection between a Web browser and a Web server:

    A browser sends a request to a server for a secure page.
    The server sends its digital certificate to the browser.
    The browser authenticates the server by validating the digital certificate against its list of installed certificates, and concludes that the certificate is valid.
    The browser chooses a random symmetric key and an algorithm that it wants to use to encrypt traffic to and from the server, encrypts the key and algorithm by using the server's public key that is contained in its digital certificate, and sends the result to the server.
    The server decrypts the message by using its private key, and then encrypts all additional information that it sends to the client by using the symmetric key and algorithm. The server can also tell the client to try another symmetric key and algorithm, which is the negotiation process.
    The client decrypts all information that it receives from the server by using the symmetric key and algorithm, and encrypts all information that it sends back to the server by using the same symmetric key and algorithm.
    The server and client use this symmetric key to encrypt communications until the communications session ends. This symmetric key is also called a session key and is used only for the duration of the communications session. If the browser wants to talk to the server at a later date, the browser and server negotiate a different session key by using the same process, and potentially a different algorithm.

The traffic between the server and client is encrypted by using symmetric cryptography because it is much faster than asymmetric cryptography.


Symantec AntiVirus uses SSL between clients, servers, and the Symantec System Center. However, Symantec AntiVirus does not use Web servers or browsers. Symantec AntiVirus uses SSL-enabled primary and secondary servers, and SSL-enabled clients. However, the way that they communicate is very similar to the way that Web servers and browsers communicate. Furthermore, root certificates are installed locally on clients by default.

Symantec AntiVirus server certificates are digitally signed by a self-signed server group root CA, so server certificates contain information that identifies the root CA. When Symantec AntiVirus clients receive a server certificate, they validate that the server group root CA signed it by comparing it to the server group root CA certificate that is installed locally. Both certificates contain fields that identify the server group root CA, and these fields must match. The server's certificate is also known as a chained certificate, because it contains information that identifies the server group root CA. A chain of trust can then be traced back to the server group root CA.

Chapter 7

Event Log entries

This chapter includes the following topics:

    Symantec AntiVirus events

Symantec AntiVirus events

Table 7-1 lists events that are forwarded to the Symantec System Center. Many, but not all, of these events appear in the Windows 2000/XP Application Log. Also, the Windows Application Log might not completely conform to this list. For example, event number 34 appears as a log forwarding error in the Symantec System Center, but the event number 34 appears as an Information event for starting Event and Settings Manager.

Table 7-1    Events (event, event number, description)

Scan Stopped (2)
    Occurs when antivirus scanning completes.
Scan Started
    Occurs when antivirus scanning starts.
Definition File Sent To Server
    Occurs when a parent server sends a .vdb file to a secondary server.
Virus Found
    Occurs when scanning detects a virus.
Scan Omission
    Occurs when scanning fails to gain access to a file or directory.
Definition File Loaded
    Occurs when Symantec AntiVirus loads a new .vdb file.

Checksum (10)
    Occurs when a checksum error occurs when verifying a digitally signed file.
Auto-Protect (11)
    Occurs when Auto-Protect is not fully operational.
Configuration Changed (12)
    Occurs when a server updates its configurations according to the changes made from the console, excluding configuration changes made in the PRODUCTCONTROL or DOMAINDATA registry keys.
Symantec AntiVirus Shutdown (13)
    Occurs when the Rtvscan.exe service is unloaded.
Symantec AntiVirus Startup (14)
    Occurs when the Rtvscan.exe service is loaded.
Definition File Download (16)
    Occurs when new definitions are downloaded by a scheduled definitions update.
Scan Action Auto-Changed (17)
    Occurs when Symantec AntiVirus has deleted or quarantined more than 5 infected files within the last minute. The number of files quarantined or deleted and the time interval are configurable from the registry. The defaults are 5 files in 60 seconds.
Sent To Quarantine Server (18)
    Occurs when quarantined files are sent to a Quarantine Server.
Delivered To Symantec Security Response (19)
    Occurs when a file is delivered to Symantec Security Response.
Backup Restore Error (20)
    Occurs when Symantec AntiVirus cannot back up a file or restore a file from Quarantine.
Scan Aborted (21)
    Occurs when a scan is stopped before it completes.

Symantec AntiVirus Auto-Protect Load Error (22)
    Occurs when Auto-Protect fails to load.
Symantec AntiVirus Auto-Protect Loaded (23)
    Occurs when Auto-Protect loads successfully.
Symantec AntiVirus Auto-Protect Unloaded (24)
    Occurs when Auto-Protect is unloaded.
Removed Client (25)
    Occurs when a parent server removes a client computer from its clients list. This happens by default when a client computer fails to check in with its parent server for over thirty days.
Scan Delayed (26)
    Occurs when a scheduled scan is snoozed/paused (delayed).
Scan Re-started (27)
    Occurs when a snoozed/paused scan is restarted.
Roaming Client added to Server (28)
    Occurs when a roaming client is added to a server.
Roaming Client deleted from Server (29)
    Occurs when a roaming client is removed from a server.
License Warning (30)
    Occurs when a license warning message is generated.
License Error (31)
    Occurs when there is a license error.
Access Denied Warning (33)
    Occurs when an unauthorized communication attempt is made.
Log Forwarding Error (34)
    Occurs when there is a problem with the log forwarding process. Also logged when Event and Settings Manager are started.
License Installed (35)
    Occurs when a license is installed.
License Allocated (36)
    Occurs when a license is allocated.
License Status (37)
    Occurs when a license is validated.

License Deallocated (38)
    Occurs when a license is deallocated.
Definitions Rollback (39)
    Occurs when definitions are rolled back.
Definitions Unprotected (40)
    Occurs when a computer is not protected with definitions.
Detection Action (40)
    Occurs when Auto-Protect detects a threat.
Successful Remediation Action (42)
    Occurs when Auto-Protect performs a successful side-effects repair for adware or spyware.
Failed Remediation Action (43)
    Occurs when Auto-Protect fails to perform a successful side-effects repair for adware or spyware.
Pending Remediation Action (44)
    Occurs when Auto-Protect is ready to perform a side-effects repair for adware or spyware.
Auto-Protect Error (46)
    Occurs when an error occurs with Auto-Protect.
Compliancy Failure (47)
    Occurs when a managed computer configuration fails a compliancy test.
Compliancy Success (48)
    Occurs when a managed computer configuration passes a compliancy test.
SymProtect Action (49)
    Occurs when SymProtect blocks a tamper attempt.
Scan Started (64)
    Occurs when adware and spyware scans start.
    Note: This event number is out of numerical sequence in this table and placed here for convenience.
Scan Stopped (50)
    Occurs when adware and spyware scans stop.

Login Failed (51)
    Occurs when a user login is not authenticated and fails.
Login Succeeded (52)
    Occurs when a user login is authenticated and successful.
Unauthorized Communications (53)
    Occurs when an attempt is made to access functionality that is not permitted.
Antivirus Client Installation (54)
    Occurs when antivirus client software is installed.
Firewall Client Installation (55)
    Occurs when firewall client software is installed.
Client Software Uninstalled (56)
    Occurs when client software is uninstalled.
Client Software Uninstall Rollback (57)
    Occurs when an attempt to uninstall client software fails, and the client software is restored.
Server Group Root Certificate Issued (58)
    Occurs when a server group root certificate is created for a server group and installed in the roots directory.
Server Certificate Issued (59)
    Occurs when a primary server issues a login CA certificate and a server certificate to a secondary server in a server group.
Trusted Root Change (60)
    Occurs when a server group root certificate is added or deleted.
Server Certificate Startup Failed (61)
    Occurs when a server tries to initialize its secure protocol but fails.
Client Checkin (62)
    Occurs when a client checks in with its parent server for configuration changes.
No Client Checkin (63)
    Occurs when a client fails to check in with its parent server within a specified time interval.
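The threshold behind Scan Action Auto-Changed (event 17 in Table 7-1: more than 5 infected files deleted or quarantined within 60 seconds, both configurable) as a sliding-window check, added here as an example that is not product code; the record layout and the log lines are constructed for the example and are not the product's own log format.

```python
"""Sliding-window check for the outbreak condition behind event 17.

Added example, not Symantec code. Table 7-1 states that Scan Action
Auto-Changed occurs when more than 5 infected files are deleted or
quarantined within the last minute, with both values configurable. This
replays constructed records of the form 'timestamp,event name,action'
(a layout made up for the example) and reports each time the count of
removals in the trailing window first exceeds the threshold. The same
logic is what a log-correlation rule over forwarded events would implement.
"""
from collections import deque
from datetime import datetime, timedelta

VIRUS_FOUND = "Virus Found"
SCAN_ACTION_AUTO_CHANGED = "Scan Action Auto-Changed"
REMOVAL_ACTIONS = {"Quarantined", "Deleted"}


def parse_record(line):
    """Parse one constructed 'YYYY-MM-DD HH:MM:SS,<event name>,<action>' line."""
    stamp, name, action = line.split(",", 2)
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), name.strip(), action.strip()


def detect_outbreaks(records, max_files=5, window_seconds=60):
    """Return [(timestamp, event name, removals in window)] for each crossing.

    A crossing is the first removal at which more than max_files removals
    fall inside the trailing window; the rule re-arms once the count drops
    back to max_files or below.
    """
    span = timedelta(seconds=window_seconds)
    window = deque()  # timestamps of removals inside the trailing window
    alerts = []
    tripped = False
    for stamp, name, action in sorted(records):
        if name != VIRUS_FOUND or action not in REMOVAL_ACTIONS:
            continue
        window.append(stamp)
        while stamp - window[0] > span:  # expire removals older than the window
            window.popleft()
        over = len(window) > max_files
        if over and not tripped:
            alerts.append((stamp, SCAN_ACTION_AUTO_CHANGED, len(window)))
        tripped = over
    return alerts


# Constructed sample: seven removals within 35 seconds (the sixth crosses the
# default threshold), one detection that was left alone, an unrelated
# check-in event, and a lone removal minutes later that must not trip the rule.
SAMPLE_LOG = """\
2005-03-01 10:00:00,Virus Found,Quarantined
2005-03-01 10:00:05,Virus Found,Quarantined
2005-03-01 10:00:07,Client Checkin,
2005-03-01 10:00:10,Virus Found,Deleted
2005-03-01 10:00:15,Virus Found,Left alone
2005-03-01 10:00:20,Virus Found,Quarantined
2005-03-01 10:00:25,Virus Found,Deleted
2005-03-01 10:00:30,Virus Found,Quarantined
2005-03-01 10:00:35,Virus Found,Quarantined
2005-03-01 10:05:00,Virus Found,Quarantined
"""


def alerts_for(log_text, **kwargs):
    """Parse a log text and run the detector over it with optional overrides."""
    records = [parse_record(line) for line in log_text.splitlines() if line.strip()]
    return detect_outbreaks(records, **kwargs)


if __name__ == "__main__":
    for stamp, name, count in alerts_for(SAMPLE_LOG):
        print(stamp, name, "%d files removed within the window" % count)
```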


Chapter 8

How certificates are implemented

This chapter includes the following topics:

    How certificates establish a chain of trust
    How clients and servers authenticate certificates
    Authentication paths and methods
    Certificate store directories
    File naming conventions
    Other certificate details

How certificates establish a chain of trust

This version of Symantec AntiVirus introduces a new and enhanced network security communications architecture that uses the Secure Sockets Layer (SSL) protocol and digital certificates over TCP. This new architecture encrypts management communications between Symantec AntiVirus entities, and requires authentication processes to occur before servers and clients accept configuration changes. To understand these authentication processes, you must understand the difference between a digital signature and a digital certificate.

See Cryptography basics on page 29.

Figure 8-1 illustrates the hierarchical trust model that Symantec AntiVirus uses to establish secure communications over SSL with certificates. Symantec AntiVirus uses these certificates during SSL negotiations between the Symantec System Center, servers, and clients to perform authentication.

Figure 8-1 Certificates and the chain of trust

The primary server in each server group creates and manages a self-signed root certificate. This certificate is called the server group root certificate, and is the foundation on which servers and clients trust each other in a server group. The server group root certificate has a lifetime of 10 years. If you promote secondary servers to primary servers, the server group certificate is automatically promoted to the new primary server.


All servers, both primary and secondary, also possess a server end-entity certificate. Each server initially generates and self-signs this certificate during installation, generates a certificate signing request (CSR), and submits both to the primary server for processing and signing. The primary server processes the CSR, creates and digitally signs a new server certificate, increments a numerical counter value in the certificate name by one, and then returns it to the server. The new server end-entity certificate now has an established chain of trust to the server group root certificate.

Note: The primary server creates this server certificate for itself automatically from its server group root certificate.

How clients and servers authenticate certificates


When a server tries to push a new configuration to a client, it presents its server certificate to the client. The client compares the server certificate to the server group root certificates that it possesses, and verifies that the server certificate is digitally signed by one of the client's server group root certificates. When the client finds the appropriate server group root certificate and verifies the chain of trust back to it, the client accepts the new configuration. If the client cannot verify the chain of trust, it does not accept the new configuration.

A similar system is used to authenticate users. A login CA certificate is created and signed by the server group root certificate when a primary server is created, to establish a chain of trust back to the server group root certificate. This login CA certificate is also valid for 10 years. When a user successfully authenticates to a server group (unlocks it from the Symantec System Center), the user initially authenticates by using a user name and password. The user then receives a temporary login certificate that is signed by the login CA certificate. This certificate is time-stamped and is valid for a specific amount of time, after which it expires. The default time value is 24 hours. You can modify this time value by using the Login Certificate Settings dialog box for a server group in the Symantec System Center.

When servers and clients receive the user's request for configuration changes, they verify that the user's login certificate establishes a chain of trust back to the server group root certificate. If clients successfully authenticate the chain of trust, they then compare their system clocks to the certificate's time stamp. If they verify that the certificate has not expired, they accept the user's configuration changes.


The login certificate is generated with a time limitation for security purposes, but is valid across all time zones. If a specific user account is deleted in the Symantec System Center, the temporary login certificate that is associated with that user cannot be renewed after it expires, regardless of the time zone. If the login certificate expires after the user authenticates to a server or client, the user is automatically issued another valid login certificate.

Be aware that unsynchronized computer system clocks in a server group might prevent servers and clients from authenticating a user's login certificate because of the time differential. For example, suppose that a login certificate contains a primary server's time stamp and is valid for 30 minutes, and that the user attempts to authenticate to a client whose clock is set 45 minutes ahead of the primary server clock. When the client receives the login certificate, it concludes from its own system clock that the certificate expired 15 minutes ago, and does not permit configuration changes by the logged-in user.

Note: Use a system clock synchronization method in your computer networks. Otherwise, communications might fail until computers have clock values that are within the client certificate's time expiration window. You can set the certificate's time value in the Symantec System Center.
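The checks described in this section, modelled as an added example that is not Symantec's code. Symantec AntiVirus uses X.509 certificates over SSL; this stand-in signs a canonical field string with a textbook RSA signature (keys generated inside the block) so that the issuer walk and the clock comparison can run on the standard library alone. It keeps the three-level chain (server group root, login CA, login certificate), issues the login certificate with a UTC time stamp, and replays the 30-minute certificate against a client clock 45 minutes ahead, then adds two cases the roots directory discussion implies: a client that holds only another server group's root, and a roaming client that holds both. The subject names, the issue time and the demo key size are constructed.

```python
"""Model of the chain-of-trust and login-certificate checks described above.
Added example, not Symantec code: SAV uses X.509 over SSL, while this stand-in
signs a canonical field string with textbook RSA so the issuer walk and the
clock check run on the standard library alone. Names and key size are assumptions."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; adequate for demo-sized keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_keypair(bits: int = 512) -> Tuple[tuple, tuple]:
    """Return ((n, e), (n, d)). 512 bits is a demo size, not a production one."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pub: tuple
    not_before: int  # Unix time (UTC): the window is the same in every time zone
    not_after: int
    signature: int = 0

    def tbs(self) -> bytes:  # fields covered by the signature, fixed encoding
        return f"{self.subject}|{self.issuer}|{self.pub}|{self.not_before}|{self.not_after}".encode()

def issue(subject, pub, not_before, not_after, issuer, issuer_priv) -> Cert:
    """Sign with the issuer's private key; issuer == subject gives a self-signed root."""
    n, d = issuer_priv
    tbs = Cert(subject, issuer, pub, not_before, not_after).tbs()
    return Cert(subject, issuer, pub, not_before, not_after, pow(_digest(tbs), d, n))

def signed_by(cert: Cert, issuer: Cert) -> bool:
    n, e = issuer.pub
    return cert.issuer == issuer.subject and pow(cert.signature, e, n) == _digest(cert.tbs())

def verify_chain(leaf: Cert, intermediates: List[Cert], roots: List[Cert]) -> bool:
    """The client's check: follow issuer links until a self-signed root the client
    holds (its roots directory) signs the current certificate; otherwise reject."""
    current = leaf
    for _ in range(len(intermediates) + 1):
        if any(signed_by(current, r) and signed_by(r, r) for r in roots):
            return True
        current = next((c for c in intermediates if signed_by(current, c)), None)
        if current is None:
            return False
    return False

def accept_login(cert: Cert, intermediates: List[Cert], roots: List[Cert], clock: int) -> bool:
    """Chain of trust first, then the validity window judged by the verifier's own clock."""
    return verify_chain(cert, intermediates, roots) and cert.not_before <= clock <= cert.not_after

def demo() -> Dict[str, bool]:
    """Root -> login CA -> 30-minute login certificate, checked by a client in sync with
    the primary server, by one 45 minutes ahead, and by clients with other root sets."""
    t0, ten_years = 1_700_000_000, 10 * 365 * 86400  # constructed issue time
    root_pub, root_priv = generate_keypair()
    root = issue("servergroupca", root_pub, t0, t0 + ten_years, "servergroupca", root_priv)
    ca_pub, ca_priv = generate_keypair()
    login_ca = issue("loginca", ca_pub, t0, t0 + ten_years, "servergroupca", root_priv)
    user_pub, _ = generate_keypair()
    login = issue("admin", user_pub, t0, t0 + 30 * 60, "loginca", ca_priv)
    other_pub, other_priv = generate_keypair()
    other_root = issue("othergroupca", other_pub, t0, t0 + ten_years, "othergroupca", other_priv)
    return {
        "in_sync": accept_login(login, [login_ca], [root], t0 + 10 * 60),
        "clock_45min_ahead": accept_login(login, [login_ca], [root], t0 + 45 * 60),
        "other_group_root_only": accept_login(login, [login_ca], [other_root], t0 + 10 * 60),
        "roaming_both_roots": accept_login(login, [login_ca], [other_root, root], t0 + 10 * 60),
    }
```

The order inside accept_login matters: the signature chain is checked before the clock, so a certificate that does not chain to a held root is rejected regardless of its time stamp, and the clock comparison uses the verifier's own clock, which is exactly why the 45-minute skew case fails even though the certificate is still valid on the issuing server.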

Authentication paths and methods


Table 8-1 describes the authentication paths and methods that are used to authenticate Symantec AntiVirus entities.

Table 8-1 Authentication paths and methods

Authentication path               Method
Symantec System Center to server  Servers authenticate the Symantec System Center users by using either a password or certificate.
Server to Symantec System Center  The Symantec System Center authenticates servers by using certificates.
Server to client                  Servers do not authenticate clients.
Client to server                  Clients authenticate servers by using certificates.
Client to Symantec System Center  Clients authenticate the Symantec System Center users by using certificates.
Symantec System Center to client  The Symantec System Center does not authenticate clients.


Certificate store directories


A typical installation creates top-level directories that store executable files for servers, clients, and the Symantec System Center. The default names of these directories differ: on servers the default name is \SAV, and on the computer that hosts the Symantec System Center, the default name is \Symantec System Center.

Under these top-level directories, a typical installation creates subdirectories that store certificates, private keys, and certificate signing requests (CSRs). These directories are called the certificate store, and are contained under a directory called \pki. The subdirectory names are certs, private-keys, cert-signing-requests, and roots.

Server certificate stores are controlled by Access Control Lists (ACLs) for administrator access only. The Symantec System Center certificate store is not controlled by ACLs for administrator access, because restricted users might need to access the certificates in the certificate store. As a result, private keys are not saved to the Symantec System Center certificate store. Client certificate stores use only the roots directory, which is auto-populated and controlled by parent servers.

Table 8-2 lists and describes the directories that the certificate store contains under the \pki directory, and the files that the directories contain by location.

Table 8-2 Certificate store directories and files

Component               Directory
Symantec System Center  Certs: Empty.
                        Private-keys: Empty.
                        Cert-signing-requests: Empty.
                        Roots: Contains the root certificates for all server groups.
Primary server          Certs: Contains the login CA and server certificates.
                        Private-keys: Contains the private keys for the server group, login CA, and servers.
                        Cert-signing-requests: Contains generated certificate signing requests (CSRs) for the server group, login CA, and servers. Use the server group CSR when you manually create an enterprise root certificate. The other two CSRs are used dynamically.
                        Roots: Contains the root certificate for the server group in which it is installed. Might also contain root certificates for other server groups.
Secondary server        Certs: Contains the login CA and server certificates.
                        Private-keys: Contains the private keys for the login CA and servers.
                        Cert-signing-requests: Empty.
                        Roots: Contains the root certificate for the first server group in which it is a member. Might also contain root certificates for other server groups.
Clients                 Certs: Empty.
                        Private-keys: Empty.
                        Cert-signing-requests: Empty.
                        Roots: Contains the root certificate for the first server group in which it is a member. Might also contain root certificates for other server groups to permit roaming.

File naming conventions


Certificate names contain globally unique identifiers (GUIDs). GUIDs are unique IDs that are installed on each computer to prevent name collisions so that you can move servers from one server group to another. Certificate names also contain counters to provide historical records of a server's previous membership in the same domain and to permit the reissuing of a certificate to the same entity. Server group names are not included in certificates or file names so that you can rename server groups. File naming conventions fall into the following categories:

Server group root certificates and private keys
Server certificates and private keys
Login CA certificates and private keys
Certificate signing requests

Server group root certificates and private keys


The following examples show server group root certificate and private key naming conventions:

<server-group-guid>.<counter>.servergroupca.cer
<server-group-guid>.<counter>.servergroupca.pvk


The following examples show actual names for a certificate and private key:

4930435c2aa91e4abb4e6c9d527eb762.0.servergroupca.cer
4930435c2aa91e4abb4e6c9d527eb762.0.servergroupca.pvk

The server group root private key is used only to add new servers to a server group, so you should safely archive the key after you set up a server group with a primary server, and after you add any necessary secondary servers. The key is not necessary for high-volume activity, such as adding clients and authenticating users.

Server certificates and private keys


The following examples show server certificate and private key naming conventions:

<server-name>.<server-group-guid>.<counter>.server.cer
<server-name>.<server-group-guid>.<counter>.server.pvk

The following examples show actual names for a certificate and private key:

INFODEV-TEST1.4930435c2aa91e4abb4e6c9d527eb762.0.server.cer
INFODEV-TEST1.4930435c2aa91e4abb4e6c9d527eb762.0.server.pvk

Login CA certificates and private keys


The following examples show login CA certificate and private key naming conventions:

<server-name>.<server-group-guid>.<counter>.loginca.cer
<server-name>.<server-group-guid>.<counter>.loginca.pvk

The following examples show actual names for a certificate and private key:

INFODEV-TEST1.4930435c2aa91e4abb4e6c9d527eb762.0.loginca.cer
INFODEV-TEST1.4930435c2aa91e4abb4e6c9d527eb762.0.loginca.pvk

Certificate signing requests


The following examples show server group root, server, and login CA CSR naming conventions:

<server-group-guid>.<counter>.servergroupca.csr
<server-name>.<server-group-guid>.<counter>.server.csr
<server-name>.<server-group-guid>.<counter>.loginca.csr


The following examples show actual names for CSRs:


4930435c2aa91e4abb4e6c9d527eb762.0.servergroupca.csr
INFODEV-TEST1.4930435c2aa91e4abb4e6c9d527eb762.0.server.csr
INFODEV-TEST1.4930435c2aa91e4abb4e6c9d527eb762.0.loginca.csr

Other certificate details


These details are provided for your information:

Certificate and CSR counters
Certificate and key file formats
Server group root key archival
About promoting secondary servers to primary servers
About viewing certificates
About preserving certificates and issue time
Install a primary server and secondary server in each server group

Certificate and CSR counters


Each certificate and CSR has a <counter> field. Each time a certificate or request is generated, the certificate or CSR that is generated next has the counter field incremented by a value of one. For example, each server group root certificate, as it is generated for each primary server in a new server group, has the <counter> field incremented by one. All server group root certificates are in the \pki\roots directory under the directory that contains the Symantec System Center files.

Certificate and key file formats


All certificates and private keys are held in unencrypted PEM-formatted files. The PEM format is the DER encoding of the ASN.1 certificate or key data, Base-64 encoded.


Server group root key archival


You must closely guard the private key that is associated with the server group root certificate. No tool should be capable of moving your private key from the primary server in your environment. You should back up your private key to a removable storage device, secure the device in a vault, delete it from the primary server, and remove it from the Recycle Bin on Windows computers. Use this key when you add secondary servers only. When you need to add secondary servers, replace the private key in the private-keys directory on the primary server, add the secondary server, and then re-secure the key.

Warning: Do not lose your server group root private key. If you do, you will not be able to add secondary servers to your server group. If you lose your key, create another server group and move your secondary servers and clients to that group.
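A parser for the certificate-store file names laid out under File naming conventions, with two checks built on it: selecting the current (highest-counter) file for each entity, which is what the counter field in Certificate and CSR counters is for, and flagging a server group root private key that is still sitting in a private-keys directory, which the archival guidance above says should be there only while secondary servers are being added. This is an added example, not Symantec code; the directory listing it runs on is constructed from the example names the guide uses, and the match patterns assume NetBIOS-style server names without dots.

```python
"""Parser for the certificate-store file names described above, plus two checks
built on it. Added example, not Symantec code: it implements the conventions
<server-group-guid>.<counter>.servergroupca.<ext> and
<server-name>.<server-group-guid>.<counter>.{server,loginca}.<ext> with
ext in {cer, pvk, csr}; the sample directory listing is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

_ROOT = re.compile(r"^(?P<guid>[0-9a-f]{32})\.(?P<counter>\d+)\.servergroupca\.(?P<ext>cer|pvk|csr)$", re.I)
_ENTITY = re.compile(r"^(?P<server>[^.]+)\.(?P<guid>[0-9a-f]{32})\.(?P<counter>\d+)"
                     r"\.(?P<kind>server|loginca)\.(?P<ext>cer|pvk|csr)$", re.I)

@dataclass(frozen=True)
class StoreFile:
    server: Optional[str]  # None for server group root files, which carry no server name
    guid: str              # server group GUID; survives server group renames
    counter: int           # incremented on each reissue to the same entity
    kind: str              # servergroupca, server or loginca
    ext: str               # cer = certificate, pvk = private key, csr = signing request

def parse_name(name: str) -> Optional[StoreFile]:
    """Return the parsed name, or None for a file that is not part of the store layout."""
    m = _ROOT.match(name)
    if m:
        return StoreFile(None, m["guid"].lower(), int(m["counter"]), "servergroupca", m["ext"].lower())
    m = _ENTITY.match(name)
    if m:
        return StoreFile(m["server"], m["guid"].lower(), int(m["counter"]), m["kind"].lower(), m["ext"].lower())
    return None

def current_files(names: List[str]) -> Dict[Tuple, StoreFile]:
    """Highest-counter file per (server, guid, kind, ext): older counters are the historical
    record the guide mentions, the newest one is the certificate or key in use."""
    latest: Dict[Tuple, StoreFile] = {}
    for name in names:
        f = parse_name(name)
        if f is None:
            continue  # not a store file; leave it to the caller
        key = (f.server, f.guid, f.kind, f.ext)
        if key not in latest or f.counter > latest[key].counter:
            latest[key] = f
    return latest

def root_keys_present(names: List[str]) -> List[str]:
    """Server group root private keys found in a listing. The guide says this key is needed
    only to add secondary servers and should otherwise be archived off the primary server,
    so a non-empty result from a private-keys listing is worth following up."""
    found = []
    for name in names:
        f = parse_name(name)
        if f is not None and f.kind == "servergroupca" and f.ext == "pvk":
            found.append(name)
    return found

SAMPLE_PRIVATE_KEYS = [  # constructed listing of a primary server's \pki\private-keys directory
    "4930435c2aa91e4abb4e6c9d527eb762.0.servergroupca.pvk",
    "INFODEV-TEST1.4930435c2aa91e4abb4e6c9d527eb762.0.server.pvk",
    "INFODEV-TEST1.4930435c2aa91e4abb4e6c9d527eb762.1.server.pvk",
    "INFODEV-TEST1.4930435c2aa91e4abb4e6c9d527eb762.0.loginca.pvk",
    "notes.txt",
]

if __name__ == "__main__":
    for key, f in sorted(current_files(SAMPLE_PRIVATE_KEYS).items(), key=str):
        print(f"{key}: counter {f.counter}")
    print("root private key(s) on disk:", root_keys_present(SAMPLE_PRIVATE_KEYS))
```

Run against a real listing (for example, os.listdir on the \pki\private-keys directory of a primary server), root_keys_present gives a cheap scheduled check that the archived-key procedure was actually completed after the last secondary server was added.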

About promoting secondary servers to primary servers


When you promote a secondary server to a primary server, the server group private key is not automatically copied to the new primary server even if it exists on the demoted primary server. To add additional servers to the server group that has a new primary server, you must copy the server group private key to the \pki\private-keys directory on the new primary server.

About viewing certificates


Internet Explorer and most Web browsers let you view certificates. Typically, most Web browsers have file associations for the .cer extensions, so you can double-click the .cer files and view them in a certificate viewer. If you have not installed a certificate in a Web browser before you view it, the certificate viewer typically lets you know that the certificate is not to be trusted. If you install the certificate from the certificate viewer, most Web browsers then trust the certificate, and display additional information about the certificate.


About preserving certificates and issue time


Login certificates are short-lived and are not normally preserved on management servers, as server and login CA certificates are. Furthermore, certificate names do not indicate the date and time at which they were issued. To preserve all certificates and include the issue date and time in the file name, set the following registry DWORD value to a value other than 0:

HKLM\Software\LANDesk\VirusProtect6\CurrentVersion\ArchiveCerts

When this DWORD value is non-zero on a management server, a file named issued-YYMMDDHHMMSSMMMM-<certtype>.cer is written to the \Program Files\SAV directory every time that a new certificate is issued. YYMMDDHHMMSSMMMM is the hex output of the 2-digit year, 2-digit month, 2-digit day, 2-digit hour (24-hour clock), 2-digit minute, 2-digit second, and 4-digit millisecond values.

Install a primary server and secondary server in each server group


A best practice for implementing server groups is to always have a primary server and secondary server in each group. When a server group contains two or more antivirus servers, every server other than the primary antivirus server is defined as a secondary server. Symantec AntiVirus servers do not require server operating systems, and do not support email scanning.

If your server group contains only one antivirus server, which would be the primary server, and if that server crashes, you will not be able to unlock and manage that server group from the Symantec System Center, and your certificate infrastructure will become obsolete until you restore a backup. If you have a secondary antivirus server in the group, you will be able to unlock that server group, promote the secondary server to a primary server, move the clients to the new primary server by copying the Grc.dat file from the primary server to the clients, and reestablish communications with your managed clients.

For additional information about the Grc.dat file and client communications, refer to the Symantec AntiVirus Installation Guide in the client installation chapter.

Index

A
access, limiting with the Reset ACL tool 17
address cache
    and administrator rights 20
    deleting entries from 21
Administrator rights
    and the Importer tool 20
alerts
    and the Intel Alert Handler service 28
    and the Intel Alert Originator service 28
AMS services
    Intel Alert Handler 28
    Intel Alert Originator 28
    Intel File Transfer 28
    Intel PDS 28

C
certificates
    about promoting secondary servers to primary servers 51
    authentication paths and methods 46
    backing up 51
    CSR counters 50
    directory locations 47
    end entity 45
    establishing a chain of trust 43
    file formats 50
    file naming conventions 48
    how clients and servers authenticate 45
    server group root lifetime 44
    server root key archival 51
    viewing 51
client services
    See also server services; services
    Defwatch 27
    Symantec AntiVirus 27
command line
    and the Importer tool 19
computer names
    creating a data file for the Importer tool 21
    importing 7

D
data file, creating 21
Defwatch.exe 25, 27
Discovery
    and the Importer tool 7, 19
    Intense Discovery 20
    Local Discovery 20

E
email servers
    configuring 9
    managed client configuration 11
    stand-alone configuration 10
    unmanaged client configuration 11
Exchange servers
    directories and files to exclude 13
    extensions to exclude 15
    file scanning on 12

F
file transfer service
    and AMS 28
Find Computer feature
    and the Importer tool 19

H
Help
    for the Importer tool 23
Hndlrsvc.exe 28

I
Iao.exe 28
Importer tool
    about 7, 19
    advanced usage 22
    and the Find Computer feature 19
    getting help with 23
    how it works 20
    importing addresses with 20
    known problems with 24
    running 21
    where it is located 20
Importer.exe 20
Intel Alert Handler 28
Intel Alert Originator 28
Intel File Transfer 28
Intel PDS 28
Intense Discovery 20
IP addresses
    creating a data file for the Importer tool 21
    importing 7

L
license events 39
LiveUpdate
    and the Reset ACL tool 18
Local Discovery 20

N
Nsctop.exe 28

P
Pds.exe 26, 28
Ping Discovery Service
    and the Intel PDS service 26

R
registry
    key 17
    restricting access 17
    settings 7
Reset ACL tool
    about 7, 17
    restricting registry access with 17
Resetacl.exe 17
Rtvscan.exe 26, 27

S
Savroam.exe 27
security
    and the Reset ACL tool 17
server services
    See also client services; services
    Defwatch 25
    Intel PDS 26
    Symantec AntiVirus 26
services 25
    See also client services; server services
Symantec System Center 28

V
virus definitions updates
    and the Defwatch client service 27
    and the Defwatch server service 25

W
Windows registry
    configuration settings in 7
    restricting access to 17

X
Xfr.exe 28
