Symantic AntiVirus CE

Tutorial: Installing Symantec AntiVirus CE

For this tutorial, we install CE on the denver domain controller (DC02).

1. On DC02, place the first CD of Corporate Edition in the CD drive. A new screen appears presenting you with several options. Click the option labeled Install Symantec AntiVirus .

2. A new set of options appears. Since we wish to install the antivirus server, click the option labeled Deploy Antivirus Server . On the screen that follows , choose Install and click Next . Agree with the license agreement and click Next .

3. On the next screen, ensure that the options labeled Server program and Alert Management System (AMS ² ) are checked and click Next .

4. The Select Computers window appears. The left side of the window contains all available computers on the network (minus computers in other domains), and the right side of the window contains the computers onto which we want to install the antivirus server. Since we wish to install to DC02, click DC02 and click the Add button. DC02 appears in the right column. Click Next twice.

5. CE uses a process of grouping antivirus servers together into logical units (similar to an OU). Before we can install CE on DC02, we need to define a default server group . In the space labeled Symantec AntiVirus Server Group , enter denver domain and click Next . You are warned that "Denver Domain" is a new server group. Click Yes to continue.

6. You are asked to supply a password to protect this new server group. This is separate from any of the administrator passwords for the domain controller. Enter a password and click OK .

7. On the Server Startup Options window, make sure that Automatic startup is selected and click Next . The following screen informs us of the Symantec System Center (SSC) MMC snap-in. We install this later. For now, click Next and Finish . Click Close when the server installation completes.

8. Make sure that DC02 is connected to the internet. Open Symantec AntiVirus Server located on Start ˆ’ > All Programs ˆ’ > Symantec Client Security . Enter the server password that you created in step 6.

9. Click the LiveUpdate button in the lower right corner of the window, click Next and Finish . Click Exit .

We must now install the various administration tools, most notably the Symantec System Center MMC snap-in.

Tutorial: Installing and Configuring Symantec System Center (SSC)

1. Go back to the CE installation CD 1 and, if necessary, double-click the CD's icon in My Computer . This brings up the CE installer menu once again.

2. Click Install Administrator Tools , and click Install Symantec System Center . Click Next , agree with the license agreement, and hit Next again.

3. On the select components window, make sure that all items are checked and click Next . Accept the default location for installation and click Next and Install . The installation process proceeds, and may take a few minutes to complete. Restart the computer when asked.

4. Once the computer reboots, open the SSC located on Start ˆ’ > All Programs ˆ’ > Symantec System Center Console .

5. On the left window pane, double-click the Symantec System Center object, and then double-click System Hierarchy . This reveals the denver domain server group that we created in the last tutorial. By default, it is locked. In order to edit its settings, we need to unlock it. Right-click denver domain and select Unlock Server Group .

6. In order for our server group to function properly, we need to designate a server in the group as a primary server ( Note: this would appear more relevant if we had multiple antivirus servers in our group ). Under denver domain, right-click DC02 and select Make Server a Primary Server . Click Yes .

   We now need to configure the LiveUpdate settings for our antivirus server. To review, we shall set this primary antivirus server to retrieve its virus definition files from the internet. These updates will then be pushed to all clients connected to the antivirus server.

7. Right-click DC02 , point to All Tasks ˆ’ > Symantec AntiVirus and click Virus Definition Manager . Make sure that Update the Primary Server of this Server Group only is selected. If we were to have any other antivirus servers in this group, they would all receive their updates from this primary server, DC02. Click Configure .

8. The Configure Primary Server Updates window appears. We need to tell this server how often to check Symantec's internet site for virus definition updates. Make sure that Schedule for automatic updates is checked. The default schedule is every Friday at 8pm.

9. Click Schedule . Set the Frequency to Daily at 8pm and click OK :

   

10. Under the heading of How Clients Retrieve Virus Definitions Updates , make sure that Update virus definitions from parent server is checked. This forces the clients to receive their antivirus updates from DC02. Click Settings . Set the time interval to 30 minutes . This tells each client to check for updated antivirus definitions files every half hour . Click OK twice to dismiss the remaining dialog boxes.

    We need to configure Corporate Edition's virus scanning settings.

11. Right-click DC02 , point to All Tasks ˆ’ > Symantec AntiVirus , and select Server Realtime Protection Options . The Realtime Protection window appears.

12. On the middle right portion of the window, click the Macro Virus tab. Make sure that Enable file system realtime protection is checked and click Advanced .

13. Click the Heuristics button at the bottom of the window and on the screen that appears, choose Maximum level of protection . ( Note: heuristic scanning helps the antivirus server to check for unknown viruses and virus-like activity ). Click OK twice. Click OK once again to dismiss the server realtime protection window.

    We must now configure the client settings for antivirus updates and protection.

14. Right-click DC02 , point to All Tasks ˆ’ > Symantec AntiVirus , and select Client Realtime Protection Options . Ensure that Enable file system protection is checked.

15. Click Advanced and Heuristics and set the protection level to maximum. Click OK three times to dismiss all dialog boxes.

The next step is to "push" the antivirus client software out to our client computers so that they receive the proper antivirus protection.

Tutorial: Pushing the Symantec AntiVirus Client Software to Windows 2000/XP Computers

1. Log into the denver.guinea.pig domain with a test computer running either Windows 2000 or Windows XP Professional. Make sure that the test computer is on the same IP subnet as DC02.

2. While still in the SSC on DC02, click the item labeled System Hierarchy in the left column of the display. Across the top of the window, click the Tools menu and select NT Client Install . Click Next .

3. The Select Computers window appears. The left column displays all available networked computers, both client and server. The right column displays all available Symantec AntiVirus CE servers. Since DC02 is the only CE server on our network, it appears alone in the right column.

   In the left column, expand the item labeled Microsoft Windows Network , and then expand the item labeled Denver . Two items appear: DC02 and your test client. For this example, our test client is named Win2000.

4. Click your test client once. In the right column, click DC02 once. Now click the Add button in the center of the window. You are asked to provide a domain administrator's username and password. Enter the denver domain's administrator username and password and click OK . The test client is added to the denver domain antivirus server group:

   

   Click Finish . The antivirus software is installed remotely over the network, or is "pushed" to the test client.

5. Click Done when the installation completes. It takes a few minutes for the installation to complete on the client computer.

6. Once the client is added to the antivirus server group, it appears (after a few minutes) in the SSC in the right column. To get a better idea of the status of each client, click DC02 in the left column, click the View menu, and choose Symantec AntiVirus . Using this customized view, we are able to check the status of the virus definitions file, the version of the antivirus client, and each computer's infection status:

Now that our antivirus server is protecting not only itself but also a client on our network, we need to configure the AMS to warn us when a virus is found.

Tutorial: Configuring Alert Management Server

In this tutorial, we configure the AMS to send us an email when a virus is found on any protected server or client. We also want the incident included in the Windows Event Log.

1. Open the AMS Admin Utility located on Start ˆ’ > All Programs ˆ’ > Alert Management Server . Click Configure AMS .

2. On the window that appears, expand the item labeled Norton AntiVirus Corporate Edition . A list appears containing all events that can be assigned an alert. For this example, click the Virus Found item and click Configure . The list of available actions appears:

   

3. Double-click Send Internet Mail . CE asks which computer should perform this action. The only choice is also the only CE antivirus server on the network: DC02 (dc02.denver.guinea.pig). Select DC02 and click Next .

4. The next window asks for an email address in which to send the alert. It also asks for a return address, subject, and outgoing (SMTP) mail server. Fill in these fields with your relevant information. For the Subject field, enter Virus Found on Network .( Note: it's wise to put the same email address in the To and Return fields ). Click Next .

5. In the Action Name field, enter Virus Warning: Email . Leave the rest of the text as-is and click Finish .

   Notice that we have a new entry under the Virus Found alert action category called Send Internet Mail . Now whenever a virus is found on any protected client or server, you will be notified via email.

   We must set up one more rule to ensure that a log is written into the Windows Event Log.

6. Double-click the Virus Found entry once again. In the Action list, click Write to Event Log and click Next .

7. Once again, click DC02 and click Next . In the Action name field, enter Virus Warning: Event Log . Click Finish , Close , and Exit .

Congratulations! Your antivirus server is ready to go. Now, we're going to assume that you do not have a stash of computer viruses just sitting on your hard drive somewhere; and that's a good thing, really! So without any viruses to test, how do we know that our system in place is actually working as it should?

The answer lies in a small text file that you can create yourself. The text file, called the EICAR test string , (developed by the European Institute for Computer Anti-Virus Research ) is a globally accepted means of testing antivirus software. The file is not really a virus, but most antivirus software will flag it as such.