Copyright Notice
Copyright 2005 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.
Trademarks
Symantec, the Symantec logo, LiveUpdate, and Norton AntiVirus are U.S. registered trademarks of Symantec Corporation. Norton Internet Security, Norton Personal Firewall, Symantec AntiVirus, Symantec Client Firewall, Symantec Client Security, and Symantec Security Response are trademarks of Symantec Corporation. Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged. Printed in the United States of America. 10 9 8 7 6 5 4 3 2 1
Technical support
As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group's primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and virus definitions updates for virus outbreaks and security alerts. Symantec technical support offerings include:
A range of support options that give you the flexibility to select the right amount of service for any size organization
Telephone and Web support components that provide rapid response and up-to-the-minute information
Upgrade insurance that delivers automatic software upgrade protection
Content Updates for virus definitions and security signatures that ensure the highest level of protection
Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support Program
Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support
Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using.
When contacting the Technical Support group, please have the following:
Product release level
Hardware information
Available memory, disk space, NIC information
Operating system
Version and patch level
Network topology
Router, gateway, and IP address information
Problem description
Error messages/log files
Troubleshooting performed prior to contacting Symantec
Recent software configuration changes and/or network changes
Customer Service
To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues:
Questions regarding product licensing or serialization
Product registration updates such as address or name changes
General product information (features, language availability, local dealers)
Latest information on product updates and upgrades
Information on upgrade insurance and maintenance contracts
Information on Symantec Value License Program
Advice on Symantec's technical support options
Nontechnical presales questions
Missing or defective CD-ROMs or manuals
Contents
Chapter 3
Reset ACL tool
Chapter 4
Importer tool
About the Importer tool ........ 19
How the Importer tool works ........ 20
Where the Importer tool is located ........ 20
Importing addresses using the Importer tool ........ 20
Deleting entries from the address cache ........ 21
Advanced usage ........ 22
Getting Help while using the Importer tool ........ 23
Known problems ........ 24
Chapter 5
Windows services
Symantec AntiVirus services ........ 25
Symantec System Center services ........ 28
Chapter 6
Cryptography basics
Overview ........ 29
About cryptographic keys and algorithms ........ 30
About one-way hashes and digital signatures ........ 31
About digital certificates and PKIs ........ 32
About SSL ........ 35
Chapter 7
How certificates are implemented
Chapter 8
Index
Chapter
This reference guide contains technical product information for Symantec AntiVirus, including information on tools that are on the Symantec AntiVirus CD. It is intended for system administrators and others who install and maintain this product in a networked, corporate environment.
Antivirus protection and email servers: This chapter provides examples of how you should implement antivirus protection on email servers.
Reset ACL tool: Many of the configuration settings for Symantec AntiVirus are stored in the Windows registry. Reset ACL lets you restrict access to these registry settings on Windows XP/2000 operating systems to prevent unauthorized users from making changes.
Importer tool: The Importer tool is a command-line utility specifically for use with the Symantec System Center. The Importer tool lets you import as many sets of computer names and IP addresses into a special address cache as you need. Symantec AntiVirus can then locate computers during the Discovery process in situations where the computer names cannot be resolved using WINS/DNS.
Cryptography basics: This chapter provides an overview of the cryptography concepts that administrators need to understand if they do not know the difference between a digital signature and a digital certificate. Administrators need this knowledge to understand how Symantec AntiVirus uses certificates.
How certificates are implemented: This chapter provides an overview of how Symantec AntiVirus implements digital certificates to secure communications between the Symantec System Center, servers, and clients by using SSL.
Chapter 2
Antivirus protection and email servers
About configuring Symantec AntiVirus on email servers
File scanning on Exchange servers
Whether you install Symantec AntiVirus server or client on email servers
Whether you want to manage email servers from the Symantec System Center
Note: For the latest details on which directories and files to exclude from scanning, consult the Symantec Knowledge Base on the Symantec Web site.
Symantec AntiVirus client software also has Auto-Protect for email, which monitors the standard email ports. Auto-Protect can cause performance degradation or failure if it is installed and enabled on an email server. Therefore, you must disable this feature if you install the client software on an email server. You can install Symantec AntiVirus software in the following configurations:
Warning: If you configure Symantec AntiVirus as a client on an email server, be sure to disable email Auto-Protect if it is installed. This feature monitors the standard mail ports, and can cause performance degradation or failure if it is installed on mail servers. Configure the client software to use LiveUpdate to retrieve updates from Symantec on a regular schedule. If a Symantec antivirus product for the email server is also installed, disable the LiveUpdate schedule for that product, and configure Symantec AntiVirus to run LiveUpdate. The virus definitions that Symantec AntiVirus and the antivirus products for email servers download are exactly the same. Therefore, only one application should run LiveUpdate. All installed Symantec antivirus products share the same virus definitions.
False positive virus detections
Unexpected behavior on the Exchange server
Damage to the Exchange databases
To correctly configure file scanning, you need to understand the following information:
Directories to include
Directories and files to exclude
Extensions to exclude
Directories to exclude when other Symantec products are installed
Note: For the latest details on which directories and files to exclude from scanning, consult the Symantec Knowledge Base on the Symantec Web site.
Directories to include
You can safely include the following directories and files in scans on all versions of Microsoft Exchange Server:
Any additional directories that are not a part of a standard Exchange installation, and that are not included in the list of directories and files to exclude, are safe to include.
Directories and files to exclude
Site Replication Service (SRS) files
Inbox for Internet Mail Connector
Microsoft Internet Information Service (IIS) system files
Outbox for Internet Mail Connector
Exchsrvr\IMCDATA\OUT directory
Default location: Exchsrvr\Mdbdata. You can change the location of this directory. For additional information, consult the Microsoft Knowledge Base.
By default, this directory is the location from which you run the executable, but you can specify where you run the file from when you run the utility. For information on the location of this file, consult the Microsoft Knowledge Base.
The temporary directory that is used with offline maintenance utilities such as Eseutil.exe
Extensions to exclude
Because certain files are not always saved in the expected locations, exclude the following file extensions on all versions of Microsoft Exchange Server:
.log
.edb
Chapter 3
Reset ACL tool
About the Reset ACL tool
Restricting registry access with the Reset ACL tool
After you have run Resetacl.exe, only users with Administrator rights can change the registry key values. While the Reset ACL tool boosts security for Symantec AntiVirus on these computers, administrators should be aware that there are several trade-off considerations.
In addition to losing access to the registry, users without Administrator rights will not be able to do the following:
Start or stop the Symantec AntiVirus service.
Run LiveUpdate.
Schedule LiveUpdate.
Configure Symantec AntiVirus. For example, users cannot set Auto-Protect or email scanning options.
The options associated with these operations appear dimmed in the Symantec AntiVirus interface. In addition, the user can modify scan options, but the changes are not saved in the registry or processed. The user can also save manual scan options as the default set, but the options are not written to the registry.
Chapter 4
Importer tool
This chapter includes the following topics:
About the Importer tool
Importing addresses using the Importer tool
Deleting entries from the address cache
Advanced usage
Getting Help while using the Importer tool
Create a data file containing paired computer names and IP addresses.
Run the Importer tool.
Note: You must run the Importer tool from a command prompt.
To create a data file
1 Create a new file with a text editor such as Notepad.
2 Type the data in the following format:
<server name><comma><IP address><linefeed>
Avoid typing incorrect IP addresses for servers. No validation is performed to determine if two servers have the same IP address in the Importer text file.
3 Save the file.
For example, a data file named Computers.txt might look as follows:
Computer 1, 192.168.3.121
Computer 2, 192.168.3.122
Computer 3, 192.168.3.123
Computer 4, 192.168.3.124
Computer 5, 192.168.3.125
Computer 6, 192.168.3.126
Note: You can type a semicolon or colon to the left of an address to comment it out. For example, if you know that a network segment is down, you can comment out associated subnet addresses.
To run the Importer tool
1 At the command-line prompt, type the following command:
<fullpath> importer <filename>
where <fullpath> represents the full path to the Importer and <filename> represents the full path of the import file, such as C:\Computers\Computers.txt
2 Press Enter.
To delete entries from the address cache
1 In the Symantec System Center console, on the Tools menu, click Discovery Service.
2 Under Cache Information, click Clear Cache Now.
Once you run Discovery after the data import, the correct data is available for future discovery sessions.
Advanced usage
The command line takes four parameters:
Import file path
First delimiter
Second delimiter
Order (1 = computer name/IP address, 2 = IP address/computer name; the default is 1)
Note: The second delimiter needs to be a single character only. For example, the ampersand cannot be used because the user would have to enter the following: &
For example, an import file named Machines.txt, in C:\MACHINES, could read as follows:
192.168.3.121/Server 1
192.168.3.122/Server 2
192.168.3.123/Server 3
The above example is in IP address/computer name order (2). The first parameter is a slash (/) and the second is a linefeed. The corresponding syntax for the command line would be:
importer C:\MACHINES\Machines.txt / LF 2
After the computer name and IP address pairs are imported, entries are created in the registry under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AddressCache
You must run a local or intense discovery after importing the data file. The discovery queries the computer IP addresses. The computers running Symantec AntiVirus are added to the Discovery Service in memory and have complete entries created in the registry. The Discovery Service can then find the computers each time that the Discovery Service is run.
Press Enter.
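Because the Importer performs no validation of its own, the data file described under "To create a data file" and the delimiter and order parameters described above are worth checking before the tool is run, in particular for two computers that share one IP address. The following Go program is an added example written for this guide; it is not part of the Importer tool or any Symantec software. It assumes the Importer's comment convention (a leading semicolon or colon) and embeds two constructed sample files, one in the default name/IP order with a duplicated and a mistyped address, and one in IP/name order with "/" as the first delimiter.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Entry is one computer name / IP address pair accepted from an import file.
type Entry struct {
	Name string
	IP   string
	Line int
}

// RecordDelimiter maps the Importer's command-line spelling of the second
// delimiter ("LF") to the character it stands for; any other single
// character is used as given.
func RecordDelimiter(s string) string {
	if strings.EqualFold(s, "LF") {
		return "\n"
	}
	return s
}

// ParseImportFile reads data in the Importer tool's format: one pair per
// record, the two fields separated by fieldDelim, records separated by
// recDelim. order 1 means computer name then IP address, order 2 the reverse.
// A record whose first non-blank character is ';' or ':' is a comment.
// Bad IP addresses, duplicate IP addresses, duplicate names and records
// without two fields are reported as problems instead of being accepted.
func ParseImportFile(data, fieldDelim, recDelim string, order int) ([]Entry, []string) {
	var entries []Entry
	var problems []string
	ipSeen := map[string]int{}   // IP address -> line it first appeared on
	nameSeen := map[string]int{} // computer name -> line it first appeared on

	for i, rec := range strings.Split(data, recDelim) {
		line := i + 1
		rec = strings.TrimSpace(rec) // also drops a stray '\r' from CRLF files
		if rec == "" || rec[0] == ';' || rec[0] == ':' {
			continue
		}
		parts := strings.SplitN(rec, fieldDelim, 2)
		if len(parts) != 2 {
			problems = append(problems, fmt.Sprintf("line %d: expected two fields separated by %q", line, fieldDelim))
			continue
		}
		name, ip := strings.TrimSpace(parts[0]), strings.TrimSpace(parts[1])
		if order == 2 {
			name, ip = ip, name
		}
		switch {
		case name == "":
			problems = append(problems, fmt.Sprintf("line %d: empty computer name", line))
		case net.ParseIP(ip) == nil:
			problems = append(problems, fmt.Sprintf("line %d: %q is not a valid IP address", line, ip))
		case ipSeen[ip] != 0:
			problems = append(problems, fmt.Sprintf("line %d: IP address %s already used on line %d", line, ip, ipSeen[ip]))
		case nameSeen[name] != 0:
			problems = append(problems, fmt.Sprintf("line %d: computer name %q already used on line %d", line, name, nameSeen[name]))
		default:
			ipSeen[ip], nameSeen[name] = line, line
			entries = append(entries, Entry{Name: name, IP: ip, Line: line})
		}
	}
	return entries, problems
}

// Constructed sample in the default name/IP order, with a commented-out
// address (line 3), a duplicated IP address (line 4) and a mistyped one (line 5).
const sampleNameIP = "Computer 1, 192.168.3.121\n" +
	"Computer 2, 192.168.3.122\n" +
	"; Computer 3, 192.168.3.123\n" +
	"Computer 4, 192.168.3.122\n" +
	"Computer 5, 192.168.3.999\n"

// Constructed sample in IP/name order with "/" as the first delimiter,
// matching the Machines.txt example under Advanced usage.
const sampleIPName = "192.168.3.121/Server 1\n192.168.3.122/Server 2\n192.168.3.123/Server 3\n"

func main() {
	cases := []struct {
		data, fieldDelim, recDelim string
		order                      int
	}{
		{sampleNameIP, ",", RecordDelimiter("LF"), 1},
		{sampleIPName, "/", RecordDelimiter("LF"), 2},
	}
	for _, c := range cases {
		entries, problems := ParseImportFile(c.data, c.fieldDelim, c.recDelim, c.order)
		for _, e := range entries {
			fmt.Printf("ok   line %d: %s -> %s\n", e.Line, e.Name, e.IP)
		}
		for _, p := range problems {
			fmt.Println("skip", p)
		}
	}
}
```

Only entries that pass every check are returned, so the accepted list can be written back out as the file actually handed to the Importer; the problem list is what the tool itself would silently import.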
Known problems
Importer depends on the HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\AddressCache key used by the Symantec System Center. If this key is not present, an error message appears.
The Importer modifies the AddressCache key under HKLM, so the user needs local administrator rights.
The Importer tool aids in the discovery process of the Symantec System Center. The Importer determines whether the Symantec System Center is present on the local computer. If not, an error message appears.
After an import, the computer names paired with their IP addresses in the registry are not complete. They show only the computer under the Address_0 and Protocol dword values. A discovery must be run to complete the process (using the Run Discovery Now button in the Discovery Service Properties dialog box).
Do not click the Clear Cache Now option in the Discovery Service Properties dialog box. This deletes the contents of the address cache, including the imported data.
The Importer cannot assist in locating computers during the installation process.
Note: When you are pushing the Symantec AntiVirus client and server to remote computers, an Import option appears in the Select Computer dialog box. Do not confuse this Import option with the Import option on the ClientRemote Install and AV Server Rollout installation screens.
The Importer does not overwrite existing IP addresses in the address cache; this is an intended design feature. However, there is a possibility that an incorrect IP address may exist in the cache. In such a case, the Importer cannot correct it.
Chapter 5
Windows services
This chapter includes the following topics:
Table 5-1
Service name | Executable | Description
 | | Primary client application service that is also used by Auto-Protect for file systems and email.
 | CcEvtMgr.exe | Service that is used to scan POP3 messages.
 | CcSetMgr.exe | Service that is used to store encrypted settings.
 | Defwatch.exe | Service that watches for newly arriving virus definitions. Launches a scan of the files in Quarantine when the new virus definitions arrive.
Tamper Protection | SPBBCSvc.exe | Service that protects Symantec processes.
 | | Ping Discovery Service. Allows Discovery of Symantec AntiVirus on this computer to occur. Applications register with this service, along with an APP ID, and a pong packet to return in response to ping requests.
 | Rtvscan.exe | Main Symantec AntiVirus service. Most Symantec AntiVirus server-related tasks are performed in this service.
 | | Service that provides the system tray icon.
Table 5-2 lists the names and descriptions for Symantec AntiVirus client services. These appear in the Windows Services control panel.
Table 5-2
Service name | Executable | Description
Common client application | | Primary client application service that is also used by Auto-Protect for file systems and email.
Common client event manager | CcEvtMgr.exe | Service that is used to scan POP3 messages.
Common client password service | CcPwdSvc.exe | Service that is used to scan POP3 messages.
Common client settings manager | CcSetMgr.exe | Service that is used to store encrypted settings.
Configuration Wizard service | CfgWzSvc.exe | This service appears in the Windows Task Manager Processes when an installation fails. The service normally deletes itself after the Symantec AntiVirus Configuration Wizard runs.
 | Defwatch.exe | Service that watches for newly arriving virus definitions. Launches a scan of the files in Quarantine when the new virus definitions arrive.
Tamper Protection | SPBBCSvc.exe | Service that protects Symantec processes.
 | Rtvscan.exe | One of the main Symantec AntiVirus virus scanning services. Most Symantec AntiVirus client-related tasks are performed in this service.
 | Savroam.exe | Provides roaming server data to roaming clients.
Common client Symantec Network Drivers | SNDSrvc.exe | Symantec Network Drivers.
Virus protection for 32-bit operating systems | VPC32.exe | One of the main Symantec AntiVirus services.
 | | Service that provides the system tray icon.
Symantec System Center services
Service name | Description
Discovery Service | Discovery Service used to find Symantec AntiVirus servers on the network. The Discovery Service also populates the console with objects.
Table 5-4 lists the names and descriptions for Alert Management System2 services. These appear in the Windows Services control panel.
Table 5-4
Service name | Executable | Description
Intel Alert Handler | | AMS2 Alert Handler service. Provides alerting actions such as message boxes, pages, emails, and so on.
 | Iao.exe | AMS2 Alert Originator service. Lets alerts be received on this computer. Alerts can be received from either the local computer (in the case of a primary server), or from a remote computer (in the case of unmanaged clients using a centralized AMS2 server).
 | Xfr.exe | File transfer service. Provides file transfer capabilities to AMS2.
Intel PDS | Pds.exe | Ping Discovery Service. Allows Discovery of Symantec AntiVirus on this computer to occur. Applications register with this service, along with an APP ID, and a pong packet to return in response to ping requests.
Chapter 6
Cryptography basics
This chapter includes the following topics:
Overview
About cryptographic keys and algorithms
About one-way hashes and digital signatures
About digital certificates and PKIs
About SSL
Overview
Symantec AntiVirus communications use the Secure Sockets Layer (SSL) protocol, which Netscape created to conduct secure transactions between Web servers and clients. Most online transactions that involve money moving across the Internet use SSL. SSL uses a Public Key Infrastructure (PKI), digital certificates, and cryptography. For administrative purposes, you might need to understand how SSL uses certificates because you might need to manage or create certificates. To understand what a certificate is and how it is used, you need to understand the basics of cryptography as it is used in SSL.
A public key
Identifying information about the claimed owner of the certificate
A one-way hash that is encrypted with the claimed owner's private key (digital signature)
Other information such as the name of the one-way hashing algorithm and the asymmetric encryption strength
Root Certificate Authorities (CAs) provide digital certificates to people who request and pay for certificates. Root CAs can create and sign certificates that allow other CAs to create certificates as well, which forms a hierarchy of CAs. The root CA is always at the top of the hierarchy, and the root CA always signs its own certificate, which is called a self-signed certificate. Two root CAs that are widely used across the Internet are VeriSign and Entrust. Figure 6-1 illustrates the type of digital certificate that Symantec AntiVirus uses, which is based on the X.509v3 standard. This certificate is a self-signed server group root certificate.
Figure 6-1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption    // Hashing and asymmetric algorithms
        Issuer: OU=Server Group Root CA, CN=4930435c2aa91e4abb4e6c9d527eb762
        Validity
            Not Before: Nov 20 05:47:44 2001 GMT
            Not After : Nov 20 05:47:44 2002 GMT
        Subject: OU=Server Group Root CA, CN=4930435c2aa91e4abb4e6c9d527eb762
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):    // Public key that is used for decryption and encryption
                    00:ba:54:2c:ab:88:74:aa:6b:35:a5:a9:c1:d0:5a:
                    9c:fb:6b:b5:71:bc:ef:d3:ab:15:cc:5b:75:73:36:
                    b8:01:d1:59:3f:c1:88:c0:33:91:04:f1:bf:1a:b4:
                    7b:c8:39:c2:89:1f:87:0f:91:19:81:09:46:0c:86:
                    08:d8:75:c4:6f:5a:98:4a:f9:f8:f7:38:24:fc:bd:
                    99:24:37:ab:f1:1c:d8:91:ee:fb:1b:9f:88:ba:25:
                    da:f6:21:7f:04:32:35:17:3d:36:1c:fb:b7:32:9e:
                    42:af:77:b6:25:1c:59:69:af:be:00:a1:f8:b0:1a:
                    6c:14:e2:ae:62:e7:6b:30:e9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                FE:04:46:ED:A0:15:BE:C1:4B:59:03:F8:2D:0D:ED:2A:E0:ED:F9:2F
            X509v3 Authority Key Identifier:
                keyid:E6:12:7C:3D:A1:02:E5:BA:1F:DA:9E:37:BE:E3:45:3E:9B:AE:E5:A6
    Signature Algorithm: sha1WithRSAEncryption
        34:8d:fb:65:0b:85:5b:e2:44:09:f0:55:31:3b:29:2b:f4:fd:
        aa:5f:db:b8:11:1a:c6:ab:33:67:59:c1:04:de:34:df:08:57:
        2e:c6:60:dc:f7:d4:e2:f1:73:97:57:23:50:02:63:fc:78:96:
        34:b3:ca:c4:1b:c5:4c:c8:16:69:bb:9c:4a:7e:00:19:48:62:
        e2:51:ab:3a:fa:fd:88:cd:e0:9d:ef:67:50:da:fe:4b:13:c5:
        0c:8c:fc:ad:6e:b5:ee:40:e3:fd:34:10:9f:ad:34:bd:db:06:
        ed:09:3d:f2:a6:81:22:63:16:dc:ae:33:0c:70:fd:0a:6c:af:
        bc:5a
// Certificate in encoded format
-----BEGIN CERTIFICATE-----
MIIDoTCCAwqgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBiTELMAkGA1UEBhMCRkox
DTALBgNVBAgTBEZpamkxDTALBgNVBAcTBFN1dmExDjAMBgNVBAoTBVNPUEFDMQww
CgYDVQQLEwNJQ1QxFjAUBgNVBAMTDVNPUEFDIFJvb3QgQ0ExJjAkBgkqhkiG9w0B
CQEWF2FkbWluaXN0cmF0b3JAc29wYWMub3JnMB4XDTAxMTEyMDA1NDc0NFoXDTAy
MTEyMDA1NDc0NFowgYkxCzAJBgNVBAYTAkZKMQ0wCwYDVQQIEwRGaWppMQ0wCwYD
VQQHEwRTdXZhMQ4wDAYDVQQKEwVTT1BBQzEMMAoGA1UECxMDSUNUMRYwFAYDVQQD
Ew13d3cuc29wYWMub3JnMSYwJAYJKoZIhvcNAQkBFhdhZG1pbmlzdHJhdG9yQHNv
cGFjLm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAulQsq4h0qms1panB
0Fqb+2u1cbzv06sVzFt1cza4AdFZP8GIwDORBPG/GrR6yDnCiR+HD5EZgQlGDIYI
2HXEb1qYSvn49zgk/L2UJDer8RzYke77G5+IuiXa9iF/BDI1Fz02HPu3Mp5Cr3e2
JRxZaa++AKH4sBpsFOKuYudrMOkCAwEAAaOCARUwggERMAkGA1UdEwQCMAAwLAYJ
YIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1Ud
DgQWBBT+BEbtoBW+wUtZA/gtDe0q4O35LzCBtgYDVR0jBIGuMIGrgBTmEnw9oQLl
-----END CERTIFICATE-----
When a person or corporation wants a certificate to use in a Public Key Infrastructure (PKI) that is used across the Internet, that person (John, for example) completes a Certificate Signing Request (CSR), which contains identifying information such as a phone number, address, and so forth. In some implementations, John can generate a private and public key pair, and include the public key with the request. In other implementations, John can request that the CA create the private and public key pair, and return the private key securely. John sends the CSR to a Registration Authority (RA). The RA confirms the person's identity, and then the RA sends the CSR to a CA. The CA creates a digital certificate, defines a time over which the certificate is valid, adds John's personal information, inserts John's public key, digitally signs the certificate with the CA's private key, and then sends the certificate to John along with John's private key if the CA created the private key. The CA is now responsible for managing the certificate for John for as long as it is valid. To verify that the CA created the certificate, people can decrypt the digital signature by using the CA's public key. Now, if John wants to send a message to Mary and wants Mary to know that the message actually came from him, John creates his message, creates a one-way hash of the message, digitally signs the hash with his private key, and sends the message along with his digital certificate to Mary. Before Mary reads the message, she sends a request to the CA to validate John's certificate. Certificates can be revoked for a variety of reasons, one of which is that John lost his private key, it became public and was distributed in Internet chat rooms, and John sent a request to the CA to put his key on the Certificate Revocation List (CRL), which lists invalid certificates.
The CA checks its database to see if the certificate is John's and has not expired, and then checks the CRL to see if his certificate has been revoked. If the certificate is not on the CRL and has not expired, the CA responds to Mary that the certificate is John's and is valid. Mary then successfully decrypts John's digital signature by using John's public key, and knows that John's message has not been altered in transit, and that it came from John. For reference, Symantec AntiVirus uses an internal root CA (external CAs include Entrust and VeriSign), and the primary server in each server group performs root CA activities. The primary server creates a self-signed certificate that serves as the highest level of trust, and is valid for 10 years. Symantec AntiVirus does not implement an RA or CRL, but does use CSRs. Finally, Symantec AntiVirus implements these components to support SSL, which secures communications between clients, servers, and the Symantec System Center.
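The signing and verification steps between John and Mary described above, as an added example that is not part of this guide or of Symantec AntiVirus. It uses Go's standard library with a SHA-256 one-way hash in place of the SHA-1 named in Figure 6-1, and adds an assumed third key holder, Bob, to show what Mary sees when the signature was not made with John's key. The message text is constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignMessage does what the text has John do: compute a one-way hash of the
// message and sign that hash with his private key. The signature covers the
// hash, not the message itself, so any change to the message changes the hash
// and breaks the signature.
func SignMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyMessage is Mary's side: recompute the hash of what she received and
// check the signature against it with John's public key (which she takes from
// his certificate). True means the message is unaltered and was signed by the
// holder of the private key matching pub.
func VerifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Exchange signs msg with John's key and reports whether Mary accepts the
// original, a copy altered in transit, and the original checked against the
// wrong (Bob's) public key. Keys are generated fresh for the example.
func Exchange(msg []byte) (genuine, tampered, wrongSigner bool, err error) {
	john, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	bob, err := rsa.GenerateKey(rand.Reader, 2048) // assumed third party, not in the text
	if err != nil {
		return
	}
	sig, err := SignMessage(john, msg)
	if err != nil {
		return
	}
	altered := append([]byte{}, msg...)
	if len(altered) > 0 {
		altered[0] ^= 0x01 // a single bit flipped in transit
	}
	genuine = VerifyMessage(&john.PublicKey, msg, sig)
	tampered = VerifyMessage(&john.PublicKey, altered, sig)
	wrongSigner = VerifyMessage(&bob.PublicKey, msg, sig)
	return
}

func main() {
	// Constructed message for the example.
	g, t, w, err := Exchange([]byte("Mary, the definitions update is approved. -- John"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrong signer=%v\n", g, t, w)
}
```

The two failing cases are what the text means by "has not been altered in transit" and "came from John": the altered copy fails because its hash differs, and Bob's key fails because the signature was not made with its private half. What this does not check is whether John's certificate is still valid, which is the separate CA or CRL query the text describes.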
About SSL
Netscape developed SSL to secure traffic between Web servers and browsers. SSL uses public and private keys, and digital certificates to negotiate a symmetric key and algorithm to use to encrypt traffic between the two. However, most Web browsers rarely query the root CA to see if a certificate is valid. They verify that the root CA's certificate is installed locally and is valid. Browsers compare the received certificate against the installed certificate to verify that digital signatures match. To see a list of trusted root certificates that are installed with Internet Explorer, check Tools, Internet Options, Content, Certificates, Trusted Root Certification Authorities. You can also view the content of the certificates. The following list summarizes a successful SSL connection between a Web browser and a Web server:
A browser sends a request to a server for a secure page.
The server sends its digital certificate to the browser.
The browser authenticates the server by validating the digital certificate against its list of installed certificates, and concludes that the certificate is valid.
The browser chooses a random symmetric key and an algorithm that it wants to use to encrypt traffic to and from the server, encrypts the key and algorithm by using the server's public key that is contained in its digital certificate, and sends the certificate to the server.
The server decrypts the message by using its private key, and then encrypts all additional information that it sends to the client by using the symmetric key and algorithm. The server can also tell the client to try another symmetric key and algorithm, which is the negotiation process.
The client decrypts all information that it receives from the server by using the symmetric key and algorithm, and encrypts all information that it sends back to the server by using the same symmetric key and algorithm.
The server and client use this symmetric key to encrypt communications until the communications session ends. This symmetric key is also called a session key and is used only for the duration of the communications session. If the browser wants to talk to the server at a later date, the browser and server negotiate a different session key by using the same process, and potentially a different algorithm.
The traffic between the server and client is encrypted by using symmetric cryptography because it is much faster than asymmetric cryptography.
Symantec AntiVirus uses SSL between clients, servers, and the Symantec System Center. However, Symantec AntiVirus does not use Web servers or browsers. Symantec AntiVirus uses SSL-enabled primary and secondary servers, and SSL-enabled clients. However, the way that they communicate is very similar to the way that Web servers and browsers communicate. Furthermore, root certificates are installed locally on clients by default. Symantec AntiVirus server certificates are digitally signed by a self-signed server group root CA, so server certificates contain information that identifies the root CA. When Symantec AntiVirus clients receive a server certificate, they validate that the server group root CA signed it by comparing it to the server group root CA certificate that is installed locally. Both certificates contain fields that identify the server group root CA, and these fields must match. The server's certificate is also known as a chained certificate, because it contains information that identifies the server group root CA. A chain of trust can then be traced back to the server group root CA.
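The chain of trust described above, as an added example that is not part of this guide or of Symantec AntiVirus: a self-signed server group root certificate with the extensions shown in Figure 6-1 (CA:TRUE, pathlen 1, Certificate Sign and CRL Sign, 10-year validity) signs a server certificate, and the client-side check first compares the fields that identify the root and then verifies the chain against the locally installed root. The group identifier reuses the CN from Figure 6-1; the server name sav-primary.example and the second server group are constructed for the example, and RSA 2048 with SHA-256 is used rather than the 1024-bit RSA with SHA-1 of the 2001 certificate.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewServerGroupRoot builds a self-signed root CA certificate with the shape
// shown in Figure 6-1: OU "Server Group Root CA", CA:TRUE with pathlen 1, key
// usage Certificate Sign and CRL Sign. The 10-year validity follows the text.
func NewServerGroupRoot(groupID string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{OrganizationalUnit: []string{"Server Group Root CA"}, CommonName: groupID},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            1,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Self-signed: the template is its own parent and is signed with its own key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueServerCert has the root CA sign a certificate for one server. The
// result is the "chained certificate" of the text: its Issuer repeats the
// root's Subject and its Authority Key Identifier repeats the root's Subject
// Key Identifier, which is how a client traces it back to the root.
func IssueServerCert(root *x509.Certificate, rootKey *rsa.PrivateKey, serverName string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RootFieldsMatch is the field comparison the text describes: the fields in
// the server certificate that identify the server group root CA must match
// the root certificate installed locally on the client.
func RootFieldsMatch(server, installedRoot *x509.Certificate) bool {
	return server.Issuer.String() == installedRoot.Subject.String() &&
		bytes.Equal(server.AuthorityKeyId, installedRoot.SubjectKeyId)
}

// ClientValidates performs the full check a client does on a received server
// certificate: build the chain back to the locally installed root and verify
// the signature, validity period, server name and key usage along the way.
// A nil error means the chain of trust reaches the installed root.
func ClientValidates(installedRoot, received *x509.Certificate, serverName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(installedRoot)
	_, err := received.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName})
	return err
}

func main() {
	root, rootKey, err := NewServerGroupRoot("4930435c2aa91e4abb4e6c9d527eb762")
	if err != nil {
		panic(err)
	}
	server, err := IssueServerCert(root, rootKey, "sav-primary.example")
	if err != nil {
		panic(err)
	}
	otherRoot, _, err := NewServerGroupRoot("other-server-group") // a second, unrelated server group
	if err != nil {
		panic(err)
	}
	fmt.Println("root-identifying fields match:", RootFieldsMatch(server, root))
	fmt.Println("validates against installed root:", ClientValidates(root, server, "sav-primary.example"))
	fmt.Println("validates against another group's root:", ClientValidates(otherRoot, server, "sav-primary.example"))
}
```

The field comparison alone only shows that the server certificate claims the expected root; Verify is what proves the claim, because it checks the root's signature over the server certificate with the root's public key. A certificate issued by another server group's root fails both checks, and a certificate issued by the right root but for a different server name fails Verify on the name.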
Chapter
Event number | Event name | Description
 | | Occurs when antivirus scanning completes.
 | Scan Started | Occurs when antivirus scanning starts.
 | | Occurs when a parent server sends a .vdb file to a secondary server.
 | Virus Found | Occurs when scanning detects a virus.
 | Scan Omission | Occurs when scanning fails to gain access to a file or directory.
 | | Occurs when Symantec AntiVirus loads a new .vdb file.
 | | Occurs when a checksum error occurs when verifying a digitally signed file.
11 | Auto-Protect | Occurs when Auto-Protect is not fully operational.
12 | Configuration Changed | Occurs when a server updates its configurations according to the changes made from the console, excluding configuration changes made in the PRODUCTCONTROL or DOMAINDATA registry keys.
13 | | Occurs when the Rtvscan.exe service is unloaded.
14 | | Occurs when the Rtvscan.exe service is loaded.
16 | | Occurs when new definitions are downloaded by a scheduled definitions update.
17 | | Occurs when Symantec AntiVirus has deleted or quarantined more than 5 infected files within the last minute. The number of files quarantined or deleted and the time interval are configurable from the registry. The defaults are 5 files in 60 seconds.
18 | | Occurs when quarantined files are sent to a Quarantine Server.
19 | | Occurs when a file is delivered to Symantec Security Response.
20 | | Occurs when Symantec AntiVirus cannot back up a file or restore a file from Quarantine.
21 | Scan Aborted | Occurs when a scan is stopped before it completes.
39
Description
Occurs when Auto-Protect fails to load. Occurs when Auto-Protect loads successfully. Occurs when Auto-Protect is unloaded. Occurs when a parent server removes a client computer from its clients list. This will happen by default when a client computer fails to check in with its parent server for over thirty days. Occurs when a scheduled scan is snoozed/paused (delayed). Occurs when a snoozed/paused scan is restarted. Occurs when a roaming client is added to a server. Occurs when a roaming client is removed from a server. Occurs when a license warning message is generated. Occurs when there is a license error. Occurs when an unauthorized communication attempt is made. Occurs when there is a problem with the log forwarding process. Also logs when Event and Settings Manager are started. Occurs when a license is installed. Occurs when a license is allocated. Occurs when a license is validated.
Symantec AntiVirus Auto-Protect Load Error Symantec AntiVirus Auto-Protect Loaded Symantec AntiVirus Auto-Protect Unloaded Removed Client
23
24
25
Scan Delayed
26
Scan Re-started
27
28
29
30
License Error
31
33
34
35 36 37
Description
Occurs when a license is deallocated. Occurs when definitions are rolled back. Occurs when a computer is not protected with definitions. Occurs when Auto-Protect detects a threat. Occurs when Auto-Protect performs a successful side-effects repair for adware or spyware. Occurs when Auto-Protect fails to perform a successful side-effects repair for adware or spyware. Occurs when Auto-Protect is ready to perform a side-effects repair for adware or spyware. Occurs when an error occurs with Auto-Protect. Occurs when a managed computer configuration fails a compliancy test. Occurs when a managed computer configuration passes a compliancy test. Occurs when SymProtect blocks a tamper attempt. Occurs when adware and spyware scans start. Note: This event number is out of numerical sequence in this table and placed here for convenience.
License Deallocated
Definitions Rollback
39
Definitions Unprotected
40
Detection Action
40
42
43
44
Auto-Protect Error
46
Compliancy Failure
47
Compliancy Success
48
SymProtect Action
49
Scan Started
64
Scan Stopped
50
41
Description
Occurs when a user login is not authenticated and fails. Occurs when a user login is authenticated and successful. Occurs when an attempt is made to access functionality that is not permitted. Occurs when antivirus client software is installed. Occurs when firewall client software is installed. Occurs when client software is uninstalled. Occurs when an attempt to uninstall client software fails, and the client software is restored. Occurs when a server group root certificate is created for a server group and installed in the roots directory. Occurs when a primary server issues a login CA certificate and a server certificate to a secondary server in a server group. Occurs when a server group root certificate is added or deleted. Occurs when a server tries to initialize its secure protocol but fails. Occurs when a client checks in with its parent server for configuration changes. Occurs when a client fails to check in with its parent server within a specified time interval.
Login Succeeded
52
Unauthorized Communications
53
54
55
56
57
58
59
60
61
Client Checkin
62
No Client Checkin
63
How certificates establish a chain of trust
How clients and servers authenticate certificates
Authentication paths and methods
Certificate store directories
File naming conventions
Other certificate details
Figure 8-1
The primary server in each server group creates and manages a self-signed root certificate. This certificate is called the server group root certificate, and is the foundation on which servers and clients trust each other in a server group. The server group root certificate has a lifetime of 10 years. If you promote secondary servers to primary servers, the server group certificate is automatically promoted to the new primary server.
How certificates are implemented
How clients and servers authenticate certificates
All servers, both primary and secondary, also possess a server end-entity certificate. Each server initially generates and self-signs this certificate during installation, generates a certificate signing request (CSR), and submits both to the primary server for processing and signing. The primary server processes the CSR, creates and digitally signs a new server certificate, increments a numerical counter value in the certificate name by one, and then returns it to the server. The new server end-entity certificate now has an established chain of trust to the server group root certificate. Note: The primary server creates this server certificate for itself automatically from its server group root certificate.
The login certificate is generated with a time limitation for security purposes, but is valid across all time zones. If a specific user account is deleted in the Symantec System Center, the temporary login certificate that is associated with that user cannot be renewed after it expires, regardless of the time zone. If the login certificate expires after the user authenticates to a server or client, the user is automatically issued another valid login certificate. Be aware that unsynchronized computer system clocks in a server group might prevent servers and clients from authenticating a user's login certificate because of the time differential. For example, suppose that you have a login certificate that contains a primary server's time stamp and is valid for 30 minutes. Then, suppose that the user attempts to authenticate to a client that has a clock that is set 45 minutes ahead of the primary server clock. When the client receives the login certificate, it believes that the login certificate expired 15 minutes ago based on its system clock setting, and does not permit configuration changes by the logged-in user. Note: Use a system clock synchronization method in your computer networks. Otherwise, communications might fail until computers have clock values that are within the client certificate's time expiration window. You can set the certificate's time value in the Symantec System Center.
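The clock-skew scenario above, worked through as an added example. This is not Symantec code: the login certificate is modelled as a constructed record holding only the primary server's time stamp and the configured lifetime, the time stamp and user name are constructed, and the validation rule is the one the text describes (the validating computer judges the certificate purely by its own clock, with no skew allowance). The diagnosis function turns a rejection into the numbers an administrator needs: how far the two clocks differ and how large an offset would still have been accepted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class LoginCertificate:
    """Constructed stand-in for a login certificate. Only the fields that
    matter for the time check are modelled: the primary server's time stamp
    at issue and the lifetime configured in the Symantec System Center."""
    user: str
    issued_at: datetime   # primary server's clock at issue time, in UTC
    lifetime: timedelta

    @property
    def expires_at(self) -> datetime:
        return self.issued_at + self.lifetime


def evaluate_login_certificate(cert: LoginCertificate, local_now: datetime) -> str:
    """Judge the certificate purely against the validating computer's own
    clock, as the text describes: no allowance is made for skew, so a clock
    that runs ahead makes a fresh certificate look expired and a clock that
    runs behind makes it look not yet valid."""
    if local_now < cert.issued_at:
        return "not-yet-valid"
    if local_now >= cert.expires_at:
        return "expired"
    return "valid"


def skew_diagnosis(cert: LoginCertificate, local_now: datetime,
                   server_now: datetime) -> dict:
    """Explain a rejection in terms of the clock offset between the validating
    computer and the primary server, which is what an administrator needs to
    know when a login is refused on one computer but accepted on another."""
    offset = local_now - server_now
    expired_by = local_now - cert.expires_at
    remaining_on_server = cert.expires_at - server_now
    return {
        "status": evaluate_login_certificate(cert, local_now),
        "clock_offset_minutes": offset.total_seconds() / 60,
        # how long ago the certificate expired according to the local clock
        "appears_expired_by_minutes": max(0.0, expired_by.total_seconds() / 60),
        # the largest forward offset that would still have passed at this moment
        "max_tolerable_offset_minutes": remaining_on_server.total_seconds() / 60,
    }


def page_scenario() -> dict:
    """The scenario from the text: a 30-minute login certificate checked by a
    client whose clock runs 45 minutes ahead of the primary server."""
    issued = datetime(2005, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed time stamp
    cert = LoginCertificate("admin", issued, timedelta(minutes=30))  # constructed user
    return skew_diagnosis(cert, local_now=issued + timedelta(minutes=45),
                          server_now=issued)


def synchronized_scenario() -> dict:
    """Same certificate checked five minutes later by a client whose clock
    matches the primary server."""
    issued = datetime(2005, 1, 1, 12, 0, tzinfo=timezone.utc)
    cert = LoginCertificate("admin", issued, timedelta(minutes=30))
    return skew_diagnosis(cert, local_now=issued + timedelta(minutes=5),
                          server_now=issued + timedelta(minutes=5))


if __name__ == "__main__":
    for label, result in (("skewed", page_scenario()),
                          ("synchronized", synchronized_scenario())):
        print(label, result)
```

For the text's numbers the skewed run reports an expired certificate with a 45-minute clock offset, expired by 15 minutes from the client's point of view, where any forward offset under 30 minutes would still have passed; the synchronized run accepts the same certificate.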
Authentication path
Symantec System Center to server
Primary server
Certs: Contains the login CA and server certificates.
Private-keys: Contains the private keys for the server group, login CA, and servers.
Cert-signing-requests: Contains generated certificate signing requests (CSRs) for the server group, login CA, and servers. Use the server group CSR when you manually create an enterprise root certificate. The other two CSRs are used dynamically.
Roots: Contains the root certificate for the server group in which it is installed. Might also contain root certificates for other server groups.
Clients
Certs: Empty.
Private-keys: Empty.
Cert-signing-requests: Empty.
Roots: Contains the root certificate for the first server group in which it is a member. Might also contain root certificates for other server groups to permit roaming.
Server group root certificates and private keys
Server certificates and private keys
Login CA certificates and private keys
Certificate signing requests

<server-group-guid>.<counter>.servergroupca.cer
<server-group-guid>.<counter>.servergroupca.pvk
The following examples show actual names for a certificate and private key:
4930435c2aa91e4abb4e6c9d527eb762.0.servergroupca.cer
4930435c2aa91e4abb4e6c9d527eb762.0.servergroupca.pvk
The server group root private key is used only to add new servers to a server group, so you should safely archive the key after you set up a server group with a primary server, and after you add any necessary secondary servers. The key is not necessary for high-volume activity, such as adding clients and authenticating users.
The following examples show actual names for a certificate and private key:
INFODEV-TEST1.4930435c2aa91e4abb4e6c9d527eb762.0.server.cer
INFODEV-TEST1.4930435c2aa91e4abb4e6c9d527eb762.0.server.pvk
The following examples show actual names for a certificate and private key:
INFODEV-TEST1.4930435c2aa91e4abb4e6c9d527eb762.0.loginca.cer
INFODEV-TEST1.4930435c2aa91e4abb4e6c9d527eb762.0.loginca.pvk
Certificate and CSR counters
Certificate and key file formats
Server group root key archival
About promoting secondary servers to primary servers
About viewing certificates
About preserving certificates and issue time
Install a primary server and secondary server in each server group
Index

A
access, limiting with the Reset ACL tool 17
address cache
  and administrator rights 20
  deleting entries from 21
Administrator rights and the Importer tool 20
alerts
  and the Intel Alert Handler service 28
  and the Intel Alert Originator service 28
AMS services
  Intel Alert Handler 28
  Intel Alert Originator 28
  Intel File Transfer 28
  Intel PDS 28

C
certificates
  about promoting secondary servers to primary servers 51
  authentication paths and methods 46
  backing up 51
  CSR counters 50
  directory locations 47
  end entity 45
  establishing a chain of trust 43
  file formats 50
  file naming conventions 48
  how clients and servers authenticate 45
  server group root lifetime 44
  server root key archival 51
  viewing 51
client services
  See also server services; services
  Defwatch 27
  Symantec AntiVirus 27
command line and the Importer tool 19
computer names
  creating a data file for the Importer tool 21
  importing 7

D
data file, creating 21
Defwatch.exe 25, 27
Discovery
  and the Importer tool 7, 19
  Intense Discovery 20
  Local Discovery 20

E
email servers
  configuring 9
  managed client configuration 11
  stand-alone configuration 10
  unmanaged client configuration 11
Exchange servers
  directories and files to exclude 13
  extensions to exclude 15
  file scanning on 12

F
file transfer service and AMS 28
Find Computer feature and the Importer tool 19

H
Help for the Importer tool 23
Hndlrsvc.exe 28

I
Iao.exe 28
Importer tool
  about 7, 19
  advanced usage 22
  and the Find Computer feature 19
  getting help with 23
  how it works 20
  importing addresses with 20
  known problems with 24
  running 21
  where it is located 20
Importer.exe 20
Intel Alert Handler 28
Intel Alert Originator 28
Intel File Transfer 28
Intel PDS 28
Intense Discovery 20
IP addresses
  creating a data file for the Importer tool 21
  importing 7

L
license events 39
LiveUpdate and the Reset ACL tool 18
Local Discovery 20

N
Nsctop.exe 28

P
Pds.exe 26, 28
Ping Discovery Service and the Intel PDS service 26

R
registry
  key 17
  restricting access 17
  settings 7
Reset ACL tool
  about 7, 17
  restricting registry access with 17
Resetacl.exe 17
Rtvscan.exe 26, 27

S
Savroam.exe 27
security and the Reset ACL tool 17
server services
  See also client services; services
  Defwatch 25
  Intel PDS 26
  Symantec AntiVirus 26
services 25
  See also client services; server services
Symantec System Center 28

V
virus definitions updates
  and the Defwatch client service 27
  and the Defwatch server service 25

W
Windows registry
  configuration settings in 7
  restricting access to 17

X
Xfr.exe 28