Configuring Symantec AntiVirus Corporate Edition, part 4 (docx)


194 Chapter 4 • Implementing Central Quarantine 2.01

Q: I have a subset of traveling users who only connect to the home network every few weeks. How can I best handle their Quarantine needs?

A: You have two options here, depending on the “computer-savviness” of the people in question. You can either configure their individual PCs to submit any quarantined items directly to SSR, bypassing your central Quarantine Server entirely. Or, you can set up a second central Quarantine Server to handle Email-based Scan and Deliver submissions, and configure these clients to point to it instead of a Quarantine Server using Internet-based Scan and Deliver.

www.syngress.com 245_Symantec_04.qxd 5/8/03 4:10 PM Page 194

Chapter 5

Implementing NAVCE 7.6 to Servers

Solutions in this chapter:

■ Understanding NAVCE 7.6 Servers
■ Implementing NAVCE 7.6 To Servers
■ Understanding NAVCE 7.6 Registry Keys on NT / 2000 Servers
■ Understanding NAVCE 7.6 Services Running on NT / 2000 Servers
■ Introducing the grc.dat File

■ Summary
■ Solutions Fast Track
■ Frequently Asked Questions

Introduction

Norton AntiVirus Corporate Edition (NAVCE) Servers are the main pillars of the Norton AntiVirus Solution. Without them you would not be able to deploy a NAVCE solution. NAVCE servers allow you to manage clients, distribute virus updates, perform alerting procedures, and so much more. The NAVCE server is critical to a viable NAVCE implementation; if you wish to install managed NAVCE clients, you will need to install at least one NAVCE server.

In this chapter, we will discuss the steps necessary to install and configure these servers that are so critical to the NAVCE infrastructure. Along with discussing the hardware requirements necessary to implement the NAVCE software, we’ll examine the steps involved in an actual NAVCE server installation. The NAVCE installation process is largely the same whether you are installing to a Windows NT Workstation, Server, or Windows 2000 Professional or Server machine; therefore, the procedures discussed in this chapter can be used as a guideline for any sort of NAVCE installation.

We’ll conclude the chapter with an examination of the various components of the NAVCE Server software. This includes the Registry keys and Windows services that the NAVCE server software requires to function, as well as the grc.dat file that NAVCE uses to update client configuration information. Possessing a working understanding of these components will serve you well as you develop a comprehensive antivirus strategy for your company’s network.

Understanding NAVCE 7.6 Servers

To begin, we should define some terminology that will appear quite often throughout this chapter. It is important to understand the difference between the terms server and NAVCE Server. NAVCE Server refers to the programs and services that the NAVCE software package offers to assist administrators in managing antivirus protection on NAVCE clients. On the other hand, a physical server refers to a piece of dedicated network hardware that can serve many types of file and application services, not just those offered by Symantec.

The two major components of the NAVCE server software are as follows:

■ Server Program: The NAVCE Server Program refers to the core executable (.exe) files and other files that are required for the NAVCE server to function.
■ AMS 2: The Alert Management System 2 (AMS 2) is an optional component within a NAVCE server installation. This feature, as the name suggests, offers alerting features such as an e-mail to the administrator regarding any detected virus activity.

Notes from the Underground…

Basic Components of an Antivirus (AV) Solution

Any well-constructed AV application consists of the following primary components, all three of which are implemented within the NAVCE server program:

■ A Scanning Application: This is a user interface (UI) that defines scanning options (such as file types, directories and drives to be scanned), features, and alerts.
■ A Virus Engine: A virus engine scans files for suspicious activity and behavior, such as a file that includes instructions to delete the contents of a directory or drive. If the engine detects this type of behavior, it will check the virus definitions to determine if the virus signature is known and how it should be repaired. It will then follow pre-defined instructions (such as repair or delete file) or will prompt the user via the scanning application. The virus engine in NAVCE is called NAVEX. The NAVEX engine architecture is different from other AV vendors in that it can be updated automatically via the LiveUpdate incremental downloads. Most other vendors only allow automatic downloads of virus definitions, while engine updates require reinstallation of their software, which can result in system downtime. With NAVCE, virus definition downloads and NAVEX engine updates can be performed while a system is running.
■ Virus Definitions: Virus definitions help determine whether a file has already been identified as a virus, as well as providing instructions for repairing it.

On the other hand, AMS 2 provides centralized alerting and emergency management capabilities. AMS 2 allows parent servers to collect alert information from their clients and forward these alerts to the primary NAVCE server within each server group. An administrator can then view the alerts from any server and take administrative actions (such as quarantining or removing files) accordingly.

AMS 2 can be configured to send alerts via any of the following mechanisms:

■ Message Box
■ Send Page (e-mail to pager)
■ Send Internet Mail
■ Run Program (can be an executable configured to perform any custom actions)
■ Broadcast
■ Send SNMP Trap
■ Write to Event Log
■ Load an NLM

Windows NT / 2000 Server System Minimum Requirements

According to Symantec, the minimum specifications for a NAVCE server running Windows NT/2000 are as follows:

■ Windows NT 4.0 Service Pack 3 or higher, or Windows 2000
■ 32MB RAM
■ Intel Pentium Processor (Intel Pentium Pro or higher)
■ 62MB free disk space for NAVCE Server files
■ 10MB free disk space for AMS 2 Server files
■ Local administrative rights
■ Administrative file shares like C$ and admin$ must be enabled

Designing & Planning…

System Requirements

Remember that these are the recommended specifications for running only the NAVCE Server program. In other words, any additional components such as the Symantec System Center Console (SSC), or the Alert Management System 2 (AMS 2), or any unrelated applications also require additional resources. When defining your system specifications, you also need to consider the requirements for the operating system itself. For example, the minimum system requirements for Windows 2000 server are as follows:

■ Pentium 133MHz or higher
■ 256MB RAM recommended minimum
■ 2GB hard disk with a minimum of 1GB free space

As you can see, these minimum system requirements are far higher than those recommended by Symantec to install the NAVCE server. As a system administrator, you’ll need to test your hardware to determine that it will realistically function within your specific network environment. For more detailed information on NAVCE scalability and system requirements, consult the Symantec Knowledge Base.

Utilizing Windows NT 4.0 Workstation or Windows 2000 Professional Systems as NAVCE Servers

It is possible to install NAVCE server on a Windows NT 4.0 Workstation or Windows 2000 Professional system, but as with anything else there are pros and cons associated with this decision. The greatest benefit of using the Windows Workstation or Professional versions is that of cost savings: the cost of procuring a Windows NT or Windows 2000 client PC is significantly lower than procuring even a low-end server. You should consult your software reseller for accurate pricing information, but if you are basing the decision solely on cost, you may wish to opt for installing NAVCE on a workstation operating system.

On the other hand, Windows NT Workstation and Windows 2000 Professional only support a maximum of ten concurrent (file sharing) network connections. While this does not specifically limit the number of TCP connections that NAVCE clients will be able to establish with the workstation, it does limit the number of connections that can be established that require access to file shares, named pipes and so on. Therefore, while a NAVCE server running on Windows NT 4.0 or Windows 2000 Professional can theoretically service any number of NAVCE clients, it will only be able to distribute virus definitions to 10 clients at any given moment. This can seriously impact the speed with which the definitions are distributed to the end clients.

Novell NetWare Server System Minimum Requirements

If you wish to install the NAVCE server software onto a Novell server, you’ll need to be sure that your server hardware meets the following requirements. Please note that at the time of this writing, NAVCE 7.61 is not supported under Novell 6 or 6.5. You’ll need to implement SAVCE 8.0 if you wish to use Netware 6.x.

■ NetWare 3.12 and 3.2 (does not allow for Quarantine Server support); NetWare 4.11 with Support Pack 9; NetWare 4.2 with Support Pack 9; NetWare 5.x with or without Support Pack 2
■ 3MB RAM beyond any other memory requirements to run the Norton AntiVirus NLMS
■ If you are running NetWare 3.12, you’ll need Streams.nlm 3.12 or later. Versions of NetWare more recent than v3.12 will require 3.11.nlm version 4.12 and clib.nlm version 3.12g or better
■ NetWare 4.1x requires LIBUPF, which is available in Support Pack 7 or later
■ 70MB of available disk space for Norton AntiVirus server files, as well as 46MB for NAVCE client disk images
■ 10MB disk space for AMS 2 files (20MB will be required during the installation process)

NOTE: SFT III is not supported.

Implementing NAVCE 7.6 to Servers

When rolling out the NAVCE software to the servers in your network environment, you’ll need to develop a plan for deploying the various modules of the NAVCE software. In this section, we’ll discuss some key points to keep in mind when installing NAVCE to Windows NT/2000 servers so that the installation process can go as smoothly as possible. We’ll then spend the bulk of the section going step by step through an actual installation routine so that you can understand and plan for every step along the way.

Developing a Deployment Plan

No project can be successfully completed without formulating a deployment plan. Since NAVCE contains several different modules as well as administration and management tools, you should become familiar with each component and determine which ones need to be installed on each piece of equipment. Once you have determined the exact needs for your network environment, you can begin to plan the actual server installations.

Windows NT/2000 NAVCE Server Installation Considerations

Some factors to consider when installing NAVCE Server to NT/2000 are as follows:

■ Operating system: You need to determine the operating system that the NAVCE Server will use. Along with deciding between using a client or a server operating system, you should determine which service packs to install, and if there are any other standards within your enterprise environment that you should consider.
■ Destination folder for the installation files: Often in an enterprise environment you will have software installation standards that need to be adhered to. These may include installing all programs to the root of C: drive, or installing all the programs to the D: drive instead of the C: drive. Before you proceed, make sure that you are aware of any such standards, as well as the available drive space in comparison with the minimums set forth by Symantec.

There are several additional points to keep in mind when installing a NAVCE Server Group (Server Group planning is discussed more fully in Chapter 2).

■ Server group membership: Decide whether your newly installed NAVCE server will join an existing server group or if you will be creating a new one. Be sure to adhere to any deployment or enterprise naming standards that may have been created during the planning stages of your NAVCE implementation.
■ Server group password: Be sure that you know the server group password to join an existing server group. If you will be creating a new server group, you should decide upon a password in advance and communicate this password to anyone else within IT or management who requires it.
■ NAV services startup: You will be asked if you want NAVCE services to load automatically upon startup or if you want them to be launched manually. In most cases you’ll want these services to launch automatically. However, the option for a manual start will be available during the installation process.

Installing NAVCE 7.6 to Windows NT/2000 Servers

In this section we’ll go over the steps needed to install the NAVCE server software to a Windows 2000 server.

1. From the Windows 2000 desktop, insert CD 2 of the NAVCE installation media, or browse to a network location where the CD 2 files are available.
2. Double-click on the CDStart.exe icon.
3. Click Install Norton AntiVirus to Servers as shown in Figure 5.1.

Figure 5.1 NAVCE Main Installation Screen

4. The Welcome window as shown in Figure 5.2 should appear. Select Install and click Next.
5. This will bring you to the License Agreement window (Figure 5.3). Select I agree then click Next.
6. You will be prompted to select the item that you wish to install (Figure 5.4). For the purpose of this chapter select Server Program. Uncheck Alert Management System AMS 2 if it is checked. Then click Next. We’ll cover the installation and configuration of AMS 2 in Chapter 3.
Figure 5.2 Installing NAVCE Server
Figure 5.3 License Agreement and Warranty
Figure 5.4 Selecting NAVCE Server Components

[...]

...
■ C:\Program Files\NAV
■ C:\Program Files\Common Files\Symantec Shared\VirusDefs
■ C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5
■ C:\WINNT\Profiles\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5
■ C:\Winnt\Installer\{D6C64C68-F9F5-11D3-BEEA-00A0CC272509}

... speed of the infestation. Norton AntiVirus Corporate Edition (NAVCE) 7.6 allows network administrators the ability to manage all client computers from one central location, providing efficient antivirus protection and enforcing their corporate security policies. From this central location, the administrator can apply NAVCE 7.6 ...

... HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Norton AntiVirus NT

Next you’ll delete the following entries under the HKLM\System\CurrentControlSet\Services key:

■ DefWatch
■ Intel Alert Handler
■ Intel File Transfer
■ Intel PDS
■ NAVAP
■ NAVAPEL
■ NAVENG
■ NAVEX15
■ Norton AntiVirus Server
■ SymEvent (if NAVCE is the only Symantec...

... CurrentVersion\Run\VPTray
■ HKEY_LOCAL_MACHINE\Software\Symantec\Repair value
■ HKEY_LOCAL_MACHINE\Software\Symantec\SourceDir value
■ HKEY_LOCAL_MACHINE\Software\Symantec\TargetDir value
■ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\96C46C6D5F9F3D11EBAE000ACC725290...

... primary server for the server group

3. Click Get Password.
4. Copy the Encrypted Password and provide it to Symantec Technical Support as requested, which can be seen in Figure 5.23. They will be able to decrypt the password and return it to you in cleartext.

Figure 5.23 Encrypted Password Retrieval Utility

Chapter 6 Implementing NAVCE 7.6 to Client...

... implementation process?

A: A comprehensive list of issues is provided within the readme.txt file on your installation media, or on the Internet at Symantec’s exhausting collection of Knowledge Base articles.

Q: How can I retrieve a password that I set for a NAVCE server group?

A: In order to retrieve...

... Change Destination…

Figure 5.7 Select the Program Files Destination

10. The next window (Figure 5.8) is where you can either enter a new Norton AntiVirus Server group name or join an existing group. Here, we will accept the default server group name of Norton Antivirus 1 and click Next.

Figure 5.8...

... Figure 5.11 Symantec System Center Console Information

14. The Wizard now will tell you that the default password on the initial run is symantec (all lower case) as shown in Figure 5.12. It is a good practice to go back and change the password after the installation is complete. Click Finish.

Figure 5.12 Select Server Group Password

...

ClientConfig Registry key (Figure 5.19) stores all the administrator defined settings for the clients. This is the key that is used to create most of the grc.dat file. This key is created on all parent NAVCE servers. Since the primary server can also be a parent server, this key is also created on the primary...

... information will serve you well as you prepare to take the Symantec certification exams.

Understanding NAVCE 7.6 Services Running on NT / 2000 Servers

There are three core services that are used by the NAVCE server program. These are Norton AntiVirus Server, DefWatch and Intel Ping Discovery Service.

Date posted: 13/08/2014, 15:20
