Configuring Symantec AntiVirus Corporate Edition, part 6 (ppsx)


common program and document file extensions. Just for fun, let’s add the extensions for programs. Click Programs (Figure 8.25).

Figure 8.25 Adding File Extensions for Programs

5. You will now see a list of all file extensions defined by NAVCE to be associated with programs and executables (Figure 8.26).

Figure 8.26 Adding File Extensions for Programs

6. Before we exit, let’s restore the list to its default setting. Click the Use Defaults button (Figure 8.27). Although it may not appear that much has changed within the list, notice that the scrollbar has become visibly “thinner.” This implies that the list has grown considerably in length.

7. Click OK to return to the main window for File System Realtime Protection Options.

Configuring File System Realtime Protection Actions

When NAVCE’s File System Realtime Protection encounters a file it believes to be infected, it can perform various actions. Let’s explore the possible actions that the software can take.

1. Click Start | Programs | Norton AntiVirus Corporate Edition | Norton AntiVirus Corporate Edition.

2. Click Configure | File System Realtime Protection (Figure 8.28). On the right side of the window, you will see two tabs labeled “Macro Virus” and “Non-Macro Virus.” On each tab, you can select a primary and secondary option.
For example, the default action is to “Clean virus from file.” If this primary action fails, the secondary default action is to “Quarantine infected file.”

Figure 8.27 Resetting File Extensions to Default
Figure 8.28 File System Realtime Protection Options

Let’s examine each option and what it means:

■ Clean virus from file: NAVCE attempts to permanently remove the virus from the infected file, leaving the pertinent data intact.

■ Quarantine infected file: NAVCE physically moves the infected file from its physical location on the disk to the Quarantine. This is unlike the move operation performed on a file by a user through an operating system. Usually when a file is “moved” on a disk, only a logical pointer to the file is updated and the file appears as if it has been moved. Here, as we discussed earlier, the file is physically moved.

■ Delete infected file: NAVCE deletes the infected file from the computer’s hard drive. Again, this is unlike a normal delete operation. Usually when you delete a file, you can find it inside the Recycle Bin. This is because only the logical pointer to the file has been altered. When NAVCE deletes a file, it is physically purged from the disk.

■ Leave alone (log only): When this option is selected, the infected file is left unaltered. It remains infected and stays capable of infecting other parts of the system. The only action taken by NAVCE is that an entry is added in the Virus History to keep a log of the infected file. Although this option seems a bit contradictory to the very purpose of the software, it can come in handy on systems that are deemed so critical that any necessary changes (such as removing an infected file) must be performed by a human. Therefore, the log is used solely to collect alerts.
Note that if you select “Leave alone (log only)” as the primary action, the secondary action will be grayed out.

3. Once the actions are configured as desired or as dictated by your enterprise security policies, click OK.

Configuring File System Realtime Protection Virus Notification Message Options

In the section labeled “Options,” you can set message options and file and folder exclusions. Let’s start with message options.

1. Click Start | Programs | Norton AntiVirus Corporate Edition | Norton AntiVirus Corporate Edition.

2. Click Configure | File System Realtime Protection. Ensure that the checkbox labeled “Display message on infected computer” is checked (Figure 8.29).

Figure 8.29 File System Realtime Protection Options

3. Click Message (Figure 8.30). You will notice lines of text such as “Action taken: [Action Taken].” The text not enclosed in square brackets is plain text: a static caption that will appear on every virus message. The text enclosed in square brackets is a variable field known as a message parameter. Message parameters are dynamically updated and added to the virus notification message so that the displayed message contains relevant specifics. Quite often, NAVCE administrators will add a static line of text with some instructions (such as “Please contact the helpdesk”) at the bottom of this message.

A list of available message parameters for File System Realtime Protection (as well as manual scans) is shown in Table 8.1. To add a message parameter, right-click anywhere within the text area of the window and select Insert Field.
Figure 8.30 Display Message Window

Table 8.1 Virus Notification Message Parameters

| Message Parameter | Explanation |
| --- | --- |
| [Filename] | Full file path and name |
| [Virusname] | Name of detected virus |
| [User] | Network log on name of user |
| [Computer] | Name of computer |
| [ActionTaken] | Action taken on infection |
| [Filename] | File name (no path) |
| [Datefound] | The date when Norton AntiVirus detected the virus |
| [Status] | Indicates the state of the file: Infected, Not Infected, or Deleted |

NOTE: There are additional message parameters available for virus notification messages created for Microsoft Exchange Realtime Protection and Lotus Notes Realtime Protection. When triggered by File System Realtime Protection or a manual scan, the virus notification message is displayed on the screen of the infected computer. However, when triggered by Microsoft Exchange Realtime Protection or Lotus Notes Realtime Protection, the notification message can also be sent to the sender of the infected e-mail via an e-mail message or to a designated person (or persons) responsible for the mail infrastructure.

4. Once the message is customized as desired or as specified by your enterprise security policies, click OK to return to the File System Realtime Protection Options main window.

Configuring File and Folder Exclusions for File System Realtime Protection

File and folder exclusions can help prevent NAVCE from scanning data that does not need to be protected. This helps negotiate a balance between the protection required and the system resources required. Exclusions can also help decrease the load placed on system resources if the data is not susceptible to becoming infected.

To configure file and folder exclusions:

1. Click Start | Programs | Norton AntiVirus Corporate Edition | Norton AntiVirus Corporate Edition.

2. Click Configure | File System Realtime Protection.

3. Check the checkbox labeled Exclude selected files and folders. Click Exclusions (Figure 8.31).

Figure 8.31 Excluding Selected Files and Folders

4. Check the checkbox labeled Check file for exclusion before scanning. Click Extensions (Figure 8.32).

Figure 8.32 Forcing NAVCE to Check File Exclusions

5. Enter filename extensions for all files that you want excluded and then click Add. The window should be similar to Figure 8.33. Here, let’s add a TXT extension, which is used for text files.

Figure 8.33 Adding File Extensions to be Excluded

6. Click OK to return to the Exclusions screen.

7. In the Exclusions screen this time, click Files/Folders (Figure 8.34).

Figure 8.34 Setting Folder Exclusions

8. Select any files and folders that you wish to exclude (Figure 8.35). Then click OK to return to the File System Realtime Protection Options main window.

Figure 8.35 Selecting Folders to be Excluded

Designing & Planning…
Practical Applications of File and Folder Exclusions – Microsoft Exchange

We just discussed how to exclude files and folders from real-time protection. Such a discussion may seem to negate the very purpose of the software, but it has some practical applications. One classic example is protecting Microsoft Exchange servers. As you may have guessed, NAVCE was designed to protect whole files rather than a specific portion of a file. This kind of design is obviously not ideal for protecting a file (such as a message store) that could contain multiple mailboxes, each containing countless e-mail messages. If such a file were identified as infected and NAVCE attempted to delete or quarantine the entire file, the impact would be more severe than the damage caused by the virus itself.

Understand that this is not exactly a shortcoming of the NAVCE software. This would be true of any other antivirus software designed to protect file systems. There are other antivirus solutions (especially within the Norton/Symantec AntiVirus product line) to protect the Exchange server that are not within the scope of this book. In a case such as the Microsoft Exchange server, NAVCE is used to protect only the file system rather than the Exchange server itself, and this requires certain folders to be excluded. For more information about the specifics of this undertaking, please refer to Symantec Knowledge Base Documents 2000110108382448 and 2002051609590948. Also, refer to Microsoft Knowledge Base article 245822.

Configuring Drive Types for File System Realtime Protection

NAVCE’s File System Realtime Protection protects against viruses on the local system. There is an option where this protection can be extended to any network drives that the system accesses. To enable network drive types, complete the following steps.

1. Click Start | Programs | Norton AntiVirus Corporate Edition | Norton AntiVirus Corporate Edition.

2. Click Configure | File System Realtime Protection (Figure 8.36). Check the checkbox labeled Network. Then click OK.

Figure 8.36 File System Realtime Protection Options - Network Drives

Configuring & Implementing…
A Word of Caution about Network Drive Protection

Before checking this seemingly harmless checkbox, you must understand the potential impact that this could have on your enterprise infrastructure. Whether or not you allow this box to be checked will depend largely upon your enterprise environment. Whereas it is impossible to examine every possible scenario (since most environments are a blend of various server types), let’s discuss two extremes that may help illustrate the point of discussion. Understand that these sample scenarios are purely for academic discussion and are not recommendations for your environment. As the NAVCE administrator, it is up to you to make an informed decision about your environment.

Scenario 1: Microsoft Windows Based File Servers

Let’s imagine that every file server (that serves up files and data) in your environment is based on a Microsoft operating system. If you have already installed NAVCE on every server, it would be pointless to enable Network Drive Type protection on the clients. This is because the software on the server would already be scanning files as they are accessed, rendering the scan conducted by the client redundant.

Imagine 500 clients logging in to the Windows domain every morning and downloading their roaming profiles from a Windows-based file server. Imagine the load that would be placed on the server if every client (as well as the server) scanned every file as it was accessed and downloaded to the client.

In such a case, it would make more sense to enable the protection only on the server and not on the clients. It may even make sense to disable and lock this option from the parent server.

Scenario 2: Network Appliance File Servers (Filers)

Before we begin with Network Appliance File Servers (often called NetApp Filers), let’s spend a minute understanding this type of file server. File servers such as NetApp Filers and Quantum Snap drives use their own file and operating system. Since they are unlike conventional systems in that they do not run a mainstream operating system (such as Microsoft Windows), programs cannot be installed onto them.
They can either be “front-ended” with antiviral software, or you can use a NAVCE system to conduct scans at scheduled intervals.

Now, in this scenario, imagine that you have 1000 client systems each running NAVCE. Every user on their system has their home drive mapped where they store their documents and e-mail. In other words, the file servers are constantly being battered by clients. If Network Drive Type were enabled, the file servers would have a significantly lower input/output (I/O) throughput. Every client performing scans would slow down others as well.

In such a case, it would make more sense to disable the network protection on the clients. It may make more sense to either front-end the file servers with an antivirus product designed specifically for this purpose, or to conduct virus scans at scheduled intervals.

[...]

... everything looks good, click Close (Figure 8.50).

Figure 8.50 Setup Progress

16. You should now be back at the opening splash screen for Installing Symantec AntiVirus Solutions. Scroll down and click Exit as shown in Figure 8.51.

Figure 8.51 Exiting Installation Screen

17. Reboot the system...

... of Norton Antivirus 1 and click Next.

Figure 8.45 Create NAVCE Server Group

10. You will be asked to confirm your action with a message like that shown in Figure 8.46. Click Yes.

Figure 8.46 Create a New Server Group

11. Now, you must specify the Server Startup Options for Norton AntiVirus...
... Solution for NAVCE 7.6
■ Implementing Your Security Solution for NAVCE 7.6
■ Securing NAVCE 7.6 Windows NT/2000 Servers
■ Securing NAVCE 7.6 Novell NetWare Servers
■ Securing NAVCE 7.6 Client PCs
■ Using the Reset ACL (resetacl.exe) Tool
Summary
Solutions Fast Track
Frequently Asked Questions

Introduction...

... Norton AntiVirus to Servers (Figure 8.40).

Figure 8.40 NAVCE Installation Console

4. Select Install and click Next (Figure 8.41).

Figure 8.41 Installing NAVCE Server

5. At this point you will be presented with the Symantec License Agreement Window. Select I agree then click Next.

6. This...

... briefly cover the same options on a group of NAVCE servers and clients using the SSC Console.

NOTE: NAVCE 7.x does not support NetWare 6.0. The next release of the NAVCE product, which is titled Symantec AntiVirus Corporate Edition (SAVCE) 8.0, provides full compatibility with NetWare 6.0.

Configuring Windows NT 4.0/2000 Cluster Server Protection

NAVCE clients can be used to protect Microsoft Windows Cluster Servers...

... console, you will be prompted for the Norton AntiVirus Server Group password (Figure 8.52).

Figure 8.52 Unlocking Server Group

This is the password that we set while installing the server software. Since we accepted the default, the password is “symantec.” Once you enter the password and click...

... server. But, with corporate travel and notebook computers becoming increasingly pervasive, assuming that the client and server will share a local area network (LAN) is shortsighted. Quite often, employees will travel from one building, one geographical region, and even one country to another. This adds the location of ...

... available at: ftp://ftp.symantec.com/public/english_us_canada/products/norton_antivirus/navcorp/manuals/roaming.pdf

This document outlines the theory and operation behind Roaming Client Support. It also discusses the tasks necessary to implement it with sample scenarios. Additional information is available within the Symantec Knowledge Base Document 2001092013012148.

... resources, view Symantec Platinum Knowledge Base Documents 2001040412150348 and 2000072514215039. Although Symantec has no document specifically for Windows XP at this time, much if not all of the documentation available for Windows NT/2000 will apply.

Chapter 9
Securing Your NAVCE 7.6 Environment...

... click Next as shown in Figure 8.38.

Figure 8.38 Enabling Terminal Services

5. Click Finish (Figure 8.39).

Figure 8.39 Completing Terminal Services Installation

6. At this point you will be prompted to reboot your machine. Click Yes to restart the computer. Once the system has been rebooted, ...
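An added example, not from the book or from Symantec, for the section “Configuring File and Folder Exclusions for File System Realtime Protection” above: it shows which files a given set of extension and folder exclusions leaves unscanned, and flags exclusions that go beyond data-only files such as TXT. The policy dictionary, the short program-extension list, the sample paths and the treatment of subfolders as excluded are all assumptions made for the illustration; NAVCE’s own storage format is not shown on this page.

```python
from pathlib import PureWindowsPath

# Constructed policy; the dict shape is an assumption, not NAVCE's storage format.
POLICY = {
    "excluded_extensions": ["TXT", "EXE"],
    "excluded_folders": ["E:\\MailStore", "D:\\"],
}
# Assumed short list of program extensions (NAVCE's own Programs list is longer).
PROGRAM_EXTENSIONS = {"EXE", "COM", "DLL", "SYS", "BAT", "VBS", "SCR"}
# Constructed sample paths.
SAMPLE_FILES = [
    "C:\\Users\\alice\\notes.txt",
    "C:\\Tools\\setup.exe",
    "e:\\mailstore\\sub\\priv.edb",
    "D:\\share\\report.doc",
    "C:\\Docs\\report.doc",
]

def _norm_ext(ext):
    return ext.strip().lstrip(".").upper()

def is_excluded(path, policy):
    """Return why realtime protection would skip this file, or None if scanned."""
    p = PureWindowsPath(path)
    ext = _norm_ext(p.suffix)
    if ext and ext in {_norm_ext(e) for e in policy["excluded_extensions"]}:
        return f"extension {ext}"
    for folder in policy["excluded_folders"]:
        f = PureWindowsPath(folder)
        # Assumption: a folder exclusion also covers its subfolders.
        if f in p.parents:
            return f"folder {f}"
    return None

def audit_policy(policy):
    """Flag exclusions that remove more protection than a data-only exclusion."""
    findings = []
    for e in policy["excluded_extensions"]:
        if _norm_ext(e) in PROGRAM_EXTENSIONS:
            findings.append(f"program extension excluded: {_norm_ext(e)}")
    for folder in policy["excluded_folders"]:
        f = PureWindowsPath(folder)
        if f.anchor and f == PureWindowsPath(f.anchor):
            findings.append(f"entire drive excluded: {f}")
    return findings

def unscanned(files, policy):
    """Map each file that would be skipped to the exclusion responsible."""
    hits = {f: is_excluded(f, policy) for f in files}
    return {f: why for f, why in hits.items() if why}

if __name__ == "__main__":
    print(audit_policy(POLICY))
    print(unscanned(SAMPLE_FILES, POLICY))
```

Windows path comparison is case-insensitive here, so `e:\mailstore\sub\priv.edb` is matched by the `E:\MailStore` folder exclusion.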

Date posted: 13/08/2014, 15:20
