Symantec AntiVirus™ Scan Engine
Implementation Guide
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Documentation version 4.3
PN: 10143971
Copyright Notice
Copyright © 2000-2003 Symantec Corporation.
All Rights Reserved.
Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation.
NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.
No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.
Trademarks
Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. CarrierScan Server, Bloodhound, LiveUpdate, NAVEX, Symantec AntiVirus, and Symantec Security Response are trademarks of Symantec Corporation. Sun, Sun Microsystems, the Sun logo, Sun Enterprise, Java, Ultra, and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc., in the United States and other countries. SPARC is a registered trademark of SPARC International, Inc. Products bearing SPARC trademarks are based on an architecture developed by Sun Microsystems, Inc. Microsoft, ActiveX, Windows, Windows NT, and the Windows Logo are registered trademarks of Microsoft Corporation in the United States and other countries. Intel and Pentium are registered trademarks of Intel Corporation. Red Hat is a registered trademark of Red Hat Software, Inc., in the United States and other countries. Linux is a registered trademark of Linus Torvalds. NetApp, Data ONTAP, NetCache, Network Appliance, and Web Filer are registered trademarks or trademarks of Network Appliance, Inc., in the United States and other countries. Adobe, Acrobat, and Acrobat Reader are trademarks of Adobe Systems Incorporated. THIS PRODUCT IS NOT ENDORSED OR SPONSORED BY ADOBE SYSTEMS INCORPORATED, PUBLISHERS OF ADOBE ACROBAT.
Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.
A modified version of a freeware SNMP library is used in this software. This software is Copyright © 1988, 1989 by Carnegie Mellon University All Rights Reserved. Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.
CMU software disclaimer: “CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.”
A set of Unicode handling libraries is used in this software. This software is Copyright (c) 1995-2002 International Business Machines Corporation and others. All rights reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, provided that the above copyright notice(s) and this permission notice appear in all copies of the Software and that both the above copyright notice(s) and this permission notice appear in supporting documentation. Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.
IBM software disclaimer: “THE SOFTWARE IS PROVIDED ‘AS IS’, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.”
Printed in the United States of America.
Technical support
As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group’s primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts.
Symantec technical support offerings include:
■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ Telephone and Web support components that provide rapid response and up-to-the-minute information
■ Upgrade insurance that delivers automatic software upgrade protection
■ Content Updates for virus definitions and security signatures that ensure the highest level of protection
■ Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support Program
■ Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support
Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using.
Licensing and registration
If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at www.symantec.com/certificate. Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.html, select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link.
Contacting Technical Support
Customers with a current support agreement may contact the Technical Support group via phone or online at www.symantec.com/techsupp. Customers with Platinum support agreements may contact Platinum Technical Support via the Platinum Web site at www-secure.symantec.com/platinum/.
When contacting the Technical Support group, please have the following:
■ Product release level
■ Hardware information
  ■ Available memory, disk space, NIC information
■ Operating system
  ■ Version and patch level
■ Network topology
  ■ Router, gateway, and IP address information
■ Problem description
  ■ Error messages/log files
  ■ Troubleshooting performed prior to contacting Symantec
  ■ Recent software configuration changes and/or network changes
Customer Service
To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support.
Customer Service is available to assist with the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information on product updates and upgrades
■ Information on upgrade insurance and maintenance contracts
■ Information on Symantec Value License Program
■ Advice on Symantec's technical support options
■ Nontechnical presales questions
■ Missing or defective CD-ROMs or manuals
Symantec Corporation Software License Agreement
Enterprise Antivirus Software
THIS LICENSE AGREEMENT SUPERSEDES THE LICENSE AGREEMENT CONTAINED IN THE SOFTWARE INSTALLATION AND DOCUMENTATION. SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES (“SYMANTEC”) IS WILLING TO LICENSE THE SOFTWARE TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS “YOU OR YOUR”) ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING ON THE “AGREE” OR “YES” BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, OR LOADING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK ON THE “I DO NOT AGREE”, “NO” BUTTON, OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE SOFTWARE.
1. License:
The software and documentation that accompanies this license (collectively the “Software”) is the proprietary property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Software, You will have certain rights to use the quantity of the Software for which You have paid the applicable license fees after Your acceptance of this license. This license governs any releases, revisions, or enhancements to the Software that the Licensor may furnish to You. Except as may be modified by an applicable Symantec license certificate, license coupon, or license key (each a “License Module”) that accompanies, precedes, or follows this license, Your rights and obligations with respect to the use of licensed copies of this Software are as follows:
You may:
A. use the Software in the manner described in the Software documentation and in accordance with the License Module. If the Software is part of an offering containing multiple Software titles, the aggregate number of copies You may use may not exceed the aggregate number of licenses indicated in the License Module, as calculated by any combination of licensed Software titles in such offering. Your License Module shall constitute proof of Your right to make such copies. If no License Module accompanies, precedes, or follows this license, You may make one copy of the Software You are authorized to use on a single machine;
B. make one copy of the Software for archival purposes, or copy the Software onto the hard disk of Your computer and retain the original for archival purposes;
C. use the Software on a network or to protect a network such as at the gateway or on a mail server, provided that You have a license to the Software for each computer that can access the network;
D. after written consent from Symantec, transfer the Software on a permanent basis to another person or entity, provided that You retain no copies of the Software and the transferee agrees to the terms of this license; and
E. use the Software in accordance with any additional permitted uses set forth in Section 8, below.
You may not:
A. copy the printed documentation which accompanies the Software;
B. sublicense, rent or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software;
C. use a previous version or copy of the Software after You have received a disk replacement set or an upgraded version. Upon upgrading the Software, all copies of the prior version must be destroyed;
D. use a later version of the Software than is provided herewith unless You have purchased corresponding maintenance and/or upgrade insurance or have otherwise separately acquired the right to use such later version;
E. use, if You received the software distributed on media containing multiple Symantec products, any Symantec software on the media for which You have not received a permission in a License Module;
F. use the Software in any manner not authorized by this license; nor
G. use the Software in any manner that contradicts any additional restrictions set forth in Section 8, below.
2. Content Updates:
Certain Software utilize content which is updated from time to time (including but not limited to the following Software: antivirus software utilize updated virus definitions; content filtering software utilize updated URL lists; some firewall software utilize updated firewall rules; and vulnerability assessment products utilize updated vulnerability data; these updates are collectively referred to as “Content Updates”). You shall have the right to obtain Content Updates for any period for which You have purchased maintenance, except for those Content Updates which Symantec elects to make available by separate paid subscription, or for any period for which You have otherwise separately acquired the right to obtain Content Updates. Symantec reserves the right to designate specified Content Updates as requiring purchase of a separate subscription at any time and without notice to You; provided, however, that if You purchase maintenance hereunder that includes particular Content Updates on the date of purchase, You will not have to pay an additional fee to continue receiving such Content Updates through the term of such maintenance even if Symantec designates such Content Updates as requiring separate purchase. This License does not otherwise permit Licensee to obtain and use Content Updates.
3. Limited Warranty:
Symantec warrants that the media on which the Software is distributed will be free from defects for a period of sixty (60) days from the date of delivery of the Software to You. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money You paid for the Software. Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free.
THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY.
4. Disclaimer of Damages:
SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO CASE SHALL SYMANTEC'S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether You accept the Software.
5. U.S. Government Restricted Rights:
RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are “Commercial Items”, as that term is defined in 48 C.F.R. section 2.101, consisting of “Commercial Computer Software” and “Commercial Computer Software Documentation”, as such terms are defined in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. section 227.7202, as applicable. Consistent with 48 C.F.R. section 12.212, 48 C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 through 227.7202-4, 48 C.F.R. section 52.227-14, and other relevant sections of the Code of Federal Regulations, as applicable, Symantec's computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014, United States of America.
6. Export Regulation:
Export, re-export of this Software is governed by the laws and regulations of the United States and import laws and regulations of certain other countries. Export or re-export of Software to any entity on the Denied Parties List and other lists promulgated by various agencies of the United States Federal Government is strictly prohibited.
7. General:
If You are located in North America or Latin America, this Agreement will be governed by the laws of the State of California, United States of America. Otherwise, this Agreement will be governed by the laws of England. This Agreement and any related License Module is the entire agreement between You and Symantec relating to the Software and: (i) supersedes all prior or contemporaneous oral or written communications, proposals and representations with respect to its subject matter; and (ii) prevails over any conflicting or additional terms of any quote, order, acknowledgment or similar communications between the parties. This Agreement shall terminate upon Your breach of any term contained herein and You shall cease use of and destroy all copies of the Software. The disclaimers of warranties and damages and limitations on liability shall survive termination. The original of this Agreement has been written in English and English is the governing language of this Agreement. Software and documentation is delivered Ex Works California, U.S.A. or Dublin, Ireland respectively (ICC INCOTERMS 2000). This Agreement may only be modified by a License Module which accompanies this license or by a written document which has been signed by both You and Symantec. Should You have any questions concerning this Agreement, or if You desire to contact Symantec for any reason, please write to: (i) Symantec Customer Service, 555 International Way, Springfield, OR 97477, U.S.A. or (ii) Symantec Customer Service Center, PO BOX 5689, Dublin 15, Ireland.
8. Additional Restrictions for Specified Software:
A. If the Software You have licensed is a specified Symantec AntiVirus™ for a third party product or platform, You may only use that specified Software with the corresponding product or platform. You may not allow any computer to access the Software other than a computer using the specified product or platform. In the event that You wish to use the Software with a certain product or platform for which there is no specified Software, You may use Symantec AntiVirus Scan Engine.
B. If the Software You have licensed is Symantec AntiVirus for Web Servers, the following additional use(s) and restriction(s) apply: i) You may use the Software only with files that are received from third parties through a web server; ii) You may use the Software only with files received from less than 10,000 unique third parties per month; and iii) You may not charge or assess a fee for use of the Software for Your internal business.
C. If the Software You have licensed is Symantec Web Security, independent of version or operating platform designation, upon the expiration of Your right to acquire Content Updates, the filtering definitions corresponding with all previous Content Updates will be entirely deleted and will no longer be available for use with the Software. Upon the expiration of Your right to acquire Content Updates, access to updated virus definitions will no longer be available, however, You may continue to use virus definitions previously acquired.
D. If the Software You have licensed is Symantec AntiVirus Corporate Edition, You may not use the Software on or with devices on Your network running embedded operating systems specifically supporting network attached storage functionality without separately licensing a version of such Software specifically licensed for a specific type of network attached storage device under a License Module.
E. If the Software You have licensed is Symantec AntiVirus for EMC® Celerra™ File Server, You may use the Software only with EMC Celerra servers and only if You have a license to the Software for each Celerra AntiVirus Agent (CAVA) associated with each such server. You may not allow any computer to access the Software other than an EMC Celerra server.
EMC and Celerra are trademarks or registered trademarks of EMC Corporation in the U.S. and other countries.
Contents
Technical support
Chapter 1 Introducing the Symantec AntiVirus Scan Engine
About the Symantec AntiVirus Scan Engine ................................................... 15
The Symantec AntiVirus Scan Engine solution ...................................... 16
About Symantec AntiVirus Scan Engine deployment ........................... 20
How the scan engine works with the client application ........................ 21
About automatic load balancing ................................................................ 22
About the Internet Content Adaptation Protocol (ICAP) ....................... 23
About remote procedure call (RPC) ........................................................... 23
Testing virus detection capabilities .......................................................... 27
Chapter 2 Installing the Symantec AntiVirus Scan Engine
Windows 2000 Server/Server 2003 .......................................................... 29
Upgrading from a previous version .......................................................... 31
Running other antivirus products on the Symantec AntiVirus
Scan Engine server .............................................................................. 33
Installing the Symantec AntiVirus Scan Engine ............................................ 33
Installing on Windows 2000 Server/Server 2003 ................................... 34
Stopping and restarting the Symantec AntiVirus Scan Engine service ..... 37
Uninstalling the Symantec AntiVirus Scan Engine ....................................... 38
Chapter 3 Symantec AntiVirus Scan Engine administration
Virtual administrator account password ................................................. 40
About the main administration page ........................................................ 42
Chapter 4 Activating product licenses
License warning and grace periods ........................................................... 50
Chapter 5 Configuring the Symantec AntiVirus Scan Engine
About configuring the Symantec AntiVirus Scan Engine ............................. 55
Selecting the communication protocol ............................................................ 56
Configuring the Symantec AntiVirus Scan Engine native protocol ............ 57
How the scan engine works with the native protocol ............................ 57
Native protocol configuration options ..................................................... 57
How the scan engine works with ICAP ..................................................... 60
How the scan engine works with RPC ...................................................... 66
Notifying requesting users that a virus was found ................................ 72
Quarantining unrepairable infected files ................................................ 74
Editing the service startup properties ...................................................... 75
Chapter 6 Setting scanning and blocking policies
Specifying limits for container files ......................................................... 85
Specifying processing limits that apply to all files ................................ 87
Changing the Bloodhound sensitivity level ............................................. 89
Chapter 7 Configuring and using logging
About Symantec AntiVirus Scan Engine logging .........................................107
Specifying the local logging level ............................................................113
Changing the log file location ..................................................................115
Changing the message string file location .............................................116
Logging events to the Windows Application Event Log ..............................116
Activating SNMP and SMTP logging ..............................................................117
Activating SNMP logging .........................................................................118
Specifying the alert bind address ............................................................122
Obtaining summary data from the local logs ................................................125
Interpreting summary data from the local logs ....................................127
Generating scanning statistics from the billing logs ...................................127
Interpreting scanning statistics ..............................................................129
Understanding the 95th percentile bandwidth measurement ...........130
Chapter 8 Configuring LiveUpdate
Scheduling LiveUpdate to update virus definitions automatically ...132
Updating virus definitions manually .....................................................133
Scheduling LiveUpdate via the command line ..............................................133
Setting up your own LiveUpdate server .........................................................135
Chapter 9 Customizing log entries
Preserving customized text during an upgrade ............................................138
About the 1000-series message strings ..........................................................139
About the 2000-series message strings ..........................................................145
About the 4000-series message strings ..........................................................149
Editing the ICAP access denied message .......................................................151
Chapter 10 Integrating the Symantec AntiVirus Scan Engine with SESA
Configuring SESA to recognize the Symantec AntiVirus
Installing the local SESA Agent ...............................................................156
Configuring the scan engine to log events to SESA .............................161
Scan engine events that are logged to SESA .................................................162
Interpreting scan engine events in SESA ......................................................163
Uninstalling the SESA integration components ...........................................163
Chapter 11 Using the Symantec AntiVirus Scan Engine command-line scanner
About the Symantec AntiVirus Scan Engine command-line scanner .......165
Setting up a computer to submit files for scanning .....................................166
Command-line scanner syntax and usage .....................................................167
Specifying the scan engine IP address and port ...................................170
Specifying the antivirus scanning mode ................................................171
Obtaining detailed scanning results .......................................................172
Requesting recursive scanning ...............................................................175
Disposing of infected files when an error occurs .................................175
Appendix A Editing the configuration file
Editing the Symantec AntiVirus Scan Engine configuration file ..............177
Updating the configuration file during an upgrade .....................................178
Changing protocol-specific settings via the configuration file ..........179
Changing resource allocation via the configuration file .....................184
Configuring logging options via the configuration file .......................188
Changing the administration settings via the configuration file ......192
Specifying processing limits via the configuration file .......................194
Changing the antivirus settings via the configuration file .................195
Blocking MIME partial message content via the configuration file ..198
Activating mail message body updates via the configuration file .....198
Changing the LiveUpdate base time .......................................................199
Appendix B Reviewing scanning statistics from the command line
Appendix C Return codes
Appendix D Using the silent install feature
Creating the response file for Windows 2000 Server/Server 2003 ...210
Creating the response file for Solaris and Linux ..................................211
Initiating the silent installation using the response file .............................213
Using the silent install feature for uninstallation ........................................214
Index
CD Replacement Form
Chapter 1
Introducing the Symantec AntiVirus Scan Engine
This chapter includes the following topics:
■ About the Symantec AntiVirus Scan Engine
■ Considerations for implementation
About the Symantec AntiVirus Scan Engine
The Symantec AntiVirus Scan Engine, formerly marketed as CarrierScan Server, is a carrier-class virus scanning and repair engine. The Symantec AntiVirus Scan Engine features all of the key virus-scanning technologies available in the complete line of Symantec antivirus products, making the Symantec AntiVirus Scan Engine one of the most effective virus solutions available for detecting and preventing virus attacks.
The Symantec AntiVirus Scan Engine provides virus scanning and repair capabilities to any application on an IP network, regardless of platform, using one of three protocols. Any application can pass files to the Symantec AntiVirus Scan Engine for scanning, which in turn scans the files for viruses and returns a cleaned file if necessary.
The Symantec AntiVirus Scan Engine accepts scan requests from client applications using one of three protocols. The scan engine has its own native protocol and also can accept scan requests via a proprietary implementation of the remote procedure call (RPC) protocol and the Internet Content Adaptation Protocol (ICAP).
The Symantec AntiVirus Scan Engine software development kit (SDK) is available for custom integration. You can create a custom integration via a client-side application program interface (API) C library using version 1.0 of ICAP, presented in RFC 3507 (April 2003). Symantec also has developed connector code for some third-party applications for seamless integration with the Symantec AntiVirus Scan Engine.
The Symantec AntiVirus Scan Engine solution
The Symantec AntiVirus Scan Engine satisfies the following key needs of Internet infrastructure organizations:
■ Scalability: The Symantec AntiVirus Scan Engine can run on existing computers in your organization’s infrastructure or on one or more separate computers on the network. Additional computers that run the scan engine can easily be added at any time to handle increased loads. The Symantec AntiVirus Scan Engine API provides automatic load balancing for multiple scan engines that are running on the network.
■ Robustness: If the scan engine goes down for any reason, it automatically restarts, making the Symantec AntiVirus Scan Engine ideal for Internet environments that are always on.
■ Speed: The Symantec AntiVirus Scan Engine uses the Symantec AntiVirus™ engine, which is one of the fastest in the industry.
■ Virus protection: In addition to the virus protection capabilities available in all Symantec antivirus products, the Symantec AntiVirus Scan Engine offers controls to help prevent denial of service attacks that are caused by container files that are overly large or that contain multiple embedded compressed files.
■ Serviceability: Virus definitions for the Symantec AntiVirus Scan Engine can be automatically updated, without interruption in virus scanning, on all platforms. The Symantec AntiVirus Scan Engine supports Symantec LiveUpdate™ technology.
■ Manageability: The Symantec AntiVirus Scan Engine can be remotely managed from any computer on your network via a Web-based administrative interface. The Symantec AntiVirus Scan Engine provides full-featured logging and SMTP (simple mail transfer protocol) and SNMP (simple network management protocol) alerting capability for a full range of activity, making it manageable in large environments.
■ Multiple protocol support: The Symantec AntiVirus Scan Engine accepts scan requests from client applications using one of three protocols:
  ■ The Symantec AntiVirus Scan Engine native protocol
  ■ The Internet Content Adaptation Protocol (ICAP), version 0.95 (proprietary implementation) and version 1.0 of ICAP, presented in RFC 3507 (April 2003)
  ■ A proprietary implementation of remote procedure call (RPC)
■ Ease of integration: The Symantec AntiVirus Scan Engine runs on Sun® Solaris®, Red Hat® Linux®, and Microsoft® Windows® 2000 Server and Windows Server 2003 platforms. Because the scan engine can run on a separate computer on the network, it can easily be deployed in any environment that is running any set of platforms. If you want to use ICAP version 1.0 to do your own integration, a client-side API can be used to add virus scanning to any C or C++ application. To make integration with some third-party applications convenient and easy, Symantec also provides a number of connectors for the Symantec AntiVirus Scan Engine.
■ Billing support: The Symantec AntiVirus Scan Engine maintains bandwidth utilization statistics and file-scanning statistics to facilitate different billing schemes.
What’s new in version 4.3
The Symantec AntiVirus Scan Engine version 4.3 includes the following new features:
■ New client-side API using ICAP version 1.0: The underlying protocol in the Symantec AntiVirus Scan Engine client-side API is now ICAP 1.0. If you have purchased the Symantec AntiVirus Scan Engine software development kit, the client-side API can be used to add virus scanning to any C or C++ application.
■ Command-line scanner: The Symantec AntiVirus Scan Engine now includes a command-line scanner, which is a multi-platform utility that lets you send files to be scanned for viruses via the command line. You can repair infected files and delete those that are unrepairable.
■ Upgrade installation support: You now can install an upgrade to the Symantec AntiVirus Scan Engine over an existing installation (without first uninstalling the previous version). Any configuration changes and customizations that have been made are preserved during the upgrade.
■ Upgraded logging features: Logging for each logging destination is activated individually by selecting a desired logging level for that destination. Selecting the logging level lets you choose the types of events for which log messages are generated. You can select a different logging level for each logging destination.
■ Dynamic thread pool for antivirus scanning: The pool of scanning threads that is available to the Symantec AntiVirus Scan Engine for antivirus scanning now dynamically adjusts to the load that is being processed to measure system resources. You can change a number of parameters to control the dynamic thread pool.
■ Data trickle user comforting for ICAP: This feature prevents a user who downloads a large file from the Internet from receiving a session time-out error by trickling small amounts of the file to the user while the file is being scanned.
■ POST transaction antivirus scanning for ICAP 1.0: The Symantec AntiVirus Scan Engine now scans files that are being posted to the Internet. The antivirus scanning and logging policies that are configured on the scan engine now apply to POST transactions as well.
■ Client identification logging and notification for RPC: If you are using RPC, the Symantec AntiVirus Scan Engine now logs identifying information when a client requests a file that is found to be infected. A notification message informs users that a virus was detected in a file that they attempted to retrieve and indicates the disposition of the file.
Where to start
The Symantec AntiVirus Scan Engine Implementation Guide contains all of the instructions necessary to install and maintain the Symantec AntiVirus Scan Engine. Follow these steps to ensure that you use the scan engine’s capabilities effectively:
■ Become familiar with the design and features of the software.
See “Introducing the Symantec AntiVirus Scan Engine” on page 15.
■ Decide how to deploy the Symantec AntiVirus Scan Engine on your network to meet your specific requirements. If you plan to use ICAP version 1.0 to create a custom implementation of the scan engine and have purchased the Symantec AntiVirus Scan Engine SDK, the Symantec AntiVirus Scan Engine Software Developer’s Guide contains additional information on deploying the scan engine using this protocol. If you have purchased a specific connector for the Symantec AntiVirus Scan Engine, check the accompanying documentation for additional information on that particular implementation of the scan engine.
See “Considerations for implementation” on page 20.
■ Install the Symantec AntiVirus Scan Engine. Verify that your system meets the minimum requirements before installing.
See “Installing the Symantec AntiVirus Scan Engine” on page 29.
■ Activate the licenses for key features for the Symantec AntiVirus Scan Engine, including antivirus scanning functionality and virus definitions updates, through the Symantec AntiVirus Scan Engine administrative interface.
See “Activating product licenses” on page 49.
■ Review the configuration information in Chapters 5–11 of this guide to fully customize the Symantec AntiVirus Scan Engine to meet your needs. This includes configuring LiveUpdate™, so that the scan engine always has the necessary information to detect and remove newly discovered viruses.
■ Configure the client applications that will send files for scanning to the Symantec AntiVirus Scan Engine. If you purchased the Symantec AntiVirus Scan Engine SDK, the Symantec AntiVirus Scan Engine Software Developer’s Guide provides this information. If you have purchased a specific connector for the Symantec AntiVirus Scan Engine, see the documentation for that connector for instructions on configuring the client application.
Considerations for implementation
The Symantec AntiVirus Scan Engine can be easily implemented into an existing infrastructure. The Symantec AntiVirus Scan Engine runs on Solaris, Red Hat Linux, and Windows 2000 Server/Server 2003 platforms.
See “About Symantec AntiVirus Scan Engine deployment” on page 20.
Symantec provides connectors for some third-party products for seamless integration with the Symantec AntiVirus Scan Engine.
See “How the scan engine works with the client application” on page 21.
For custom integration using ICAP version 1.0, the Symantec AntiVirus Scan Engine features a client-side API, which streamlines the integration of antivirus scanning for any C or C++ application. The Symantec AntiVirus Scan Engine API provides scheduling across any number of computers that are running the Symantec AntiVirus Scan Engine.
See “About automatic load balancing” on page 22.
About Symantec AntiVirus Scan Engine deployment
In a typical configuration, files are passed to the Symantec AntiVirus Scan Engine via a socket over the network because the scan engine is running on a separate computer. Depending on the network setup, client applications (applications that have been configured to pass files to the scan engine for scanning) can pass a full path rather than the actual file to the Symantec AntiVirus Scan Engine. For example, files to be scanned may be located on a drive that can be mounted over the network, such as a shared drive in Windows or a network file system (NFS) drive. If the client application and the scan engine have access to a shared directory, the client application can place the file in the shared directory and pass the full path to the Symantec AntiVirus Scan Engine, which can access the file directly.
For cases in which the client application is running on the same computer as the Symantec AntiVirus Scan Engine, the client application can pass the file name to the scan engine, and the scan engine can open the file and scan it in place on the computer.
One example of a typical integration of the Symantec AntiVirus Scan Engine is shown in Figure 1-1. Integration scenarios are discussed in detail in Symantec CarrierScan Server Version 2.0: A Symantec White Paper, which is available on the Symantec Web site.
Figure 1-1 Typical integration of the Symantec AntiVirus Scan Engine (figure not reproduced)
How the scan engine works with the client application
The Symantec AntiVirus Scan Engine is designed to be easily integrated into any environment to provide antivirus scanning for any application. Client applications are configured to pass files, via one of three protocols, to the Symantec AntiVirus Scan Engine, which scans the files for viruses and returns cleaned files if necessary.
Depending on the protocol that is used, the Symantec AntiVirus Scan Engine can be configured to scan only certain file types that are passed to it by client applications. In other cases, the client application must decide what to scan and what to do with the results.
If you want to use ICAP to do your own integration, a client-side API can be used to add virus scanning to any C or C++ application. To make integration with some third-party applications convenient and easy, Symantec also provides a number of connectors for the Symantec AntiVirus Scan Engine. Other software companies may develop connectors for the Symantec AntiVirus Scan Engine to provide antivirus scanning for their own products.
If you have purchased the Symantec AntiVirus Scan Engine with a connector, you may need to configure the Symantec AntiVirus Scan Engine to work with the connector. You may need to configure the third-party application to add virus scanning as well. You will need the information that is contained in the Symantec AntiVirus Scan Engine Implementation Guide and any additional documentation that is included with the connector.
About automatic load balancing
The Symantec AntiVirus Scan Engine API provides scheduling across any number of computers that are running the Symantec AntiVirus Scan Engine. Client applications that pass files to the scan engine benefit from load-balanced virus scanning without any additional effort. The API determines the appropriate Symantec AntiVirus Scan Engine (when multiple scan engines are used) to receive the next file to be scanned, based on the scheduling algorithm.
If a Symantec AntiVirus Scan Engine is unreachable or goes down during a scan, another scan engine is called and the faulty scan engine is taken out of rotation for a period of time. If all of the scan engines are out of rotation, the faulty scan engines are called again. The API does not stop trying to contact the scan engine unless five engines are not functioning, or it appears that a file that is being scanned might have caused more than one engine to go down.
Note: If you are using the Symantec AntiVirus Scan Engine as a plug-in using RPC or ICAP, load balancing across multiple scan engines may be configurable, depending on the implementation. See the plug-in documentation.
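The failover rules above (rotate to another engine, quarantine the faulty one for a period, fall back to quarantined engines when none are left, and give up when five engines are down or a second engine fails on the same file) can be modelled as a small scheduler. The Python below is an added illustration written for this guide, not the Symantec client-side API; the engine names, the 60-second quarantine, the fake transport and the constant clock are all constructed for the simulation.

```python
import time


class EngineUnavailable(Exception):
    """Raised by the transport when an engine cannot be reached or drops the connection."""


class ScanFailed(Exception):
    """Raised when the scheduler gives up on a file."""


class ScanScheduler:
    """Round-robin scheduler with fault quarantine, modelled on the behaviour the
    guide describes: a failing engine is taken out of rotation for `quarantine_s`
    seconds; if every engine is quarantined they are all tried again; the scheduler
    gives up when `max_down` engines are down or when a second engine fails on the
    same file (the file itself is then the likely cause)."""

    def __init__(self, engines, quarantine_s=60.0, max_down=5, clock=time.monotonic):
        self.engines = list(engines)
        self.quarantine_until = {e: 0.0 for e in self.engines}
        self.quarantine_s = quarantine_s
        self.max_down = max_down
        self.clock = clock
        self._next = 0

    def available(self, now):
        """Engines currently in rotation (quarantine expired or never set)."""
        return [e for e in self.engines if self.quarantine_until[e] <= now]

    def _pick(self, now):
        candidates = self.available(now) or self.engines  # all down: call them again
        engine = candidates[self._next % len(candidates)]
        self._next += 1
        return engine

    def scan(self, payload, send):
        """send(engine, payload) -> verdict string, or raises EngineUnavailable."""
        failures_on_this_file = 0
        while True:
            now = self.clock()
            engine = self._pick(now)
            try:
                return send(engine, payload)
            except EngineUnavailable:
                self.quarantine_until[engine] = now + self.quarantine_s
                failures_on_this_file += 1
                down = len(self.engines) - len(self.available(now))
                if down >= self.max_down:
                    raise ScanFailed("%d engines are not functioning" % down)
                if failures_on_this_file > 1:
                    raise ScanFailed("file took down more than one engine; not retrying")


def demo():
    """Constructed simulation: engine e1 is always unreachable and the payload
    b'poison' makes every engine fail. Returns the outcome of each request."""
    def fake_send(engine, payload):
        if engine == "e1" or payload == b"poison":
            raise EngineUnavailable(engine)
        return "clean@" + engine

    sched = ScanScheduler(["e1", "e2", "e3"], quarantine_s=60.0, clock=lambda: 0.0)
    results = []
    for payload in (b"doc1", b"doc2", b"poison", b"doc3"):
        try:
            results.append(sched.scan(payload, fake_send))
        except ScanFailed as exc:
            results.append("failed: " + str(exc))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In the simulation the first request fails over from e1 to e3 and quarantines e1; the poison file takes e3 and then e2 out of rotation and is rejected after the second failure; the following request finds every engine quarantined and, as the guide describes, calls a quarantined engine again and succeeds.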
About supported protocols
The Symantec AntiVirus Scan Engine lets client applications send scan requests using one of three protocols:
■ The native protocol
■ The Internet Content Adaptation Protocol (ICAP)
■ A proprietary remote procedure call (RPC) protocol
The protocol can be changed at any time.
See “Selecting the communication protocol” on page 56.
About the native protocol
In the default configuration, the Symantec AntiVirus Scan Engine implements a simple TCP/IP protocol to provide antivirus functionality to client applications. This protocol is text-based, like HTTP or SMTP, and uses standard ASCII commands and responses to communicate between client and server.
To scan a file, a client connects to IP port 7777 (the default), sends the file to be scanned, and then reads the results of the scan. After receiving the scan results, the client and server disconnect and must initiate new connections to scan subsequent files.
See “Configuring the Symantec AntiVirus Scan Engine native protocol” on page 57.
About the Internet Content Adaptation Protocol (ICAP)
ICAP is a lightweight protocol for executing a remote procedure call on HTTP messages. ICAP is part of an evolving architecture that lets corporations, carriers, and ISPs dynamically scan, change, and augment Web content as it flows through ICAP servers. The protocol lets ICAP clients pass HTTP messages to ICAP servers for adaptation (some sort of transformation or other processing, such as virus scanning). The server executes its transformation service on messages and responds to the client, usually with modified messages. The adapted messages may be either HTTP requests or HTTP responses.
In a typical integration, a caching proxy server retrieves requested information from the Web. At the same time, it caches the information (stores a copy on disk), and, where possible, serves multiple requests for the same Web content from the cache. A caching proxy server can use ICAP to communicate with the Symantec AntiVirus Scan Engine and request scan and repair of content that is retrieved from the Web. The Symantec AntiVirus Scan Engine uses the proprietary version 0.95 implementation and version 1.0 of ICAP, presented in RFC 3507 (April 2003), depending on the requesting client.
See “Configuring ICAP” on page 59.
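To make the ICAP 1.0 exchange concrete, the following Python builds the RESPMOD request a caching proxy would send for a downloaded HTTP response and parses the engine's reply, following RFC 3507. This is an added example written for this guide, not Symantec's API or connector code. The host name scanengine.example.internal and the service path /avscan are placeholders; port 1344 is the RFC 3507 default. The sample 204 reply is constructed; whether a given engine answers 204 (content unmodified) or 200 with adapted content depends on its configuration.

```python
import re

# Placeholders (assumptions, not values taken from the guide):
ICAP_HOST = "scanengine.example.internal"  # host running the scan engine
SERVICE_PATH = "/avscan"                   # ICAP service name on that host
ICAP_PORT = 1344                           # RFC 3507 default ICAP port


def build_respmod(http_request_line, http_response_headers, body):
    """Serialise an ICAP RESPMOD request that encapsulates an HTTP response.

    RFC 3507 requires the 'Encapsulated' header to list the byte offset of every
    encapsulated section, so the HTTP parts are laid out first and the offsets
    are computed from their lengths. The body is sent chunk-encoded."""
    req_hdr = http_request_line + b"\r\n\r\n"
    res_hdr = http_response_headers + b"\r\n\r\n"
    if body:
        res_body = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    else:
        res_body = b"0\r\n\r\n"  # zero-length chunk: no body
    encapsulated = "req-hdr=0, res-hdr=%d, res-body=%d" % (
        len(req_hdr), len(req_hdr) + len(res_hdr))
    icap_head = (
        "RESPMOD icap://%s:%d%s ICAP/1.0\r\n" % (ICAP_HOST, ICAP_PORT, SERVICE_PATH)
        + "Host: %s\r\n" % ICAP_HOST
        + "Allow: 204\r\n"  # client accepts "204 No Content" meaning "unmodified"
        + "Encapsulated: %s\r\n\r\n" % encapsulated
    ).encode("ascii")
    return icap_head + req_hdr + res_hdr + res_body


def parse_icap_response(raw):
    """Split a raw ICAP reply into (status code, header dict, encapsulated payload)."""
    head, _, payload = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    m = re.match(r"ICAP/1\.0 (\d{3}) ", lines[0])
    if not m:
        raise ValueError("not an ICAP/1.0 status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, payload


def split_sections(encapsulated_value, payload):
    """Cut an encapsulated payload into named sections using the offsets from an
    'Encapsulated' header such as 'req-hdr=0, res-hdr=48, res-body=107'."""
    parts = []
    for item in encapsulated_value.split(","):
        name, _, offset = item.strip().partition("=")
        parts.append((name, int(offset)))
    sections = {}
    for i, (name, start) in enumerate(parts):
        end = parts[i + 1][1] if i + 1 < len(parts) else len(payload)
        sections[name] = payload[start:end]
    return sections


def interpret(status):
    """Map the ICAP status to what the proxy should do with the content."""
    if status == 204:
        return "unmodified"  # nothing to change: serve the original
    if status == 200:
        return "adapted"     # engine returned replacement content (repaired or a block page)
    return "error"


# Constructed sample reply for clean content (the ISTag value is made up).
SAMPLE_204 = (b"ICAP/1.0 204 No Content\r\n"
              b"ISTag: \"example-tag\"\r\n"
              b"Encapsulated: null-body=0\r\n\r\n")


if __name__ == "__main__":
    msg = build_respmod(b"GET http://www.example.com/file.bin HTTP/1.1",
                        b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream",
                        b"hello")
    print(msg.decode("ascii"))
    status, headers, _ = parse_icap_response(SAMPLE_204)
    print(status, interpret(status), headers)
```

A real client would write the bytes from build_respmod to a TCP socket on port 1344 and read the reply; the parsing functions are kept separate from I/O so they can be tested on captured messages.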
About remote procedure call (RPC)
Remote procedure call (RPC) is a client/server infrastructure that increases the interoperability and portability of an application by letting the application be distributed over multiple platforms. The use of RPC frees the developer from having to be familiar with various operating system and network interfaces and simplifies the development of applications that span multiple operating systems and network protocols. Complexity is significantly reduced by keeping the semantics of a remote call the same whether or not the client and server are located on the same computer.
The Symantec AntiVirus Scan Engine uses a proprietary virus scanning protocol with the MS-RPC protocol (for Windows 2000 Server/Server 2003 platforms only) to interface with client applications. Any appropriate client can use RPC to communicate with the Symantec AntiVirus Scan Engine and request scanning and repairing of files.
See “Configuring RPC” on page 66.
About virus protection
The Symantec AntiVirus Scan Engine features all of the virus scanning technologies that are available in Symantec antivirus products. The Symantec AntiVirus Scan Engine detects viruses, worms, and Trojan horses in all major file types (for example, Windows files, DOS files, and Microsoft Word and Excel files). The Symantec AntiVirus Scan Engine also includes a decomposer that handles most compressed and archive file formats and nested levels of files. You can configure the scan engine to limit scanning to certain file types based on file extension.
To protect against container files that can cause denial of service attacks (for example, container files that are overly large, that contain large numbers of embedded compressed files, or that have been designed to use resources maliciously and degrade performance), the Symantec AntiVirus Scan Engine lets you specify the maximum amount of time that the scan engine devotes to decomposing a container file and its contents, the maximum file size for individual files in a container file, and the maximum number of nested levels to be decomposed for scanning.
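The three limits named above (decomposition time, per-file size inside a container, and nesting depth) are what stop a decomposer from being exhausted by a crafted archive. The following Python shows how such a bounded decomposer enforces them while walking nested zip files; it is an added example written for this guide, not the Symantec decomposer, and the default limits, the member-count guard and the nested sample archive are all constructed for the illustration.

```python
import io
import time
import zipfile


class DecompositionLimitExceeded(Exception):
    """A container breached a configured limit. The caller should treat the file
    as unscannable (block or quarantine it) instead of letting the scan run on."""


class BoundedDecomposer:
    """Walk nested zip containers while enforcing the limits the guide describes:
    time spent decomposing, size of individual members and nesting depth, plus a
    total member count as an extra guard against archives with very many files."""

    def __init__(self, max_depth=3, max_member_size=1_000_000,
                 max_members=1000, time_budget_s=5.0):
        self.max_depth = max_depth
        self.max_member_size = max_member_size
        self.max_members = max_members
        self.time_budget_s = time_budget_s

    def walk(self, data, path="root", depth=0, _state=None):
        """Return [(path, size)] for every leaf file reachable from `data`.
        A leaf is anything that is not itself a zip; each leaf is what would be
        handed to the signature scanner."""
        if _state is None:
            _state = {"start": time.monotonic(), "members": 0}
        if not zipfile.is_zipfile(io.BytesIO(data)):
            return [(path, len(data))]
        if depth + 1 > self.max_depth:
            raise DecompositionLimitExceeded(
                "%s: nesting depth %d exceeds limit %d" % (path, depth + 1, self.max_depth))
        leaves = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if time.monotonic() - _state["start"] > self.time_budget_s:
                    raise DecompositionLimitExceeded("time budget exhausted inside %s" % path)
                _state["members"] += 1
                if _state["members"] > self.max_members:
                    raise DecompositionLimitExceeded("more than %d members" % self.max_members)
                # Check the declared size first (cheap), then the real size while
                # reading, because a crafted header can understate the true size.
                if info.file_size > self.max_member_size:
                    raise DecompositionLimitExceeded(
                        "%s/%s declares %d bytes" % (path, info.filename, info.file_size))
                with zf.open(info) as fh:
                    member = fh.read(self.max_member_size + 1)
                if len(member) > self.max_member_size:
                    raise DecompositionLimitExceeded(
                        "%s/%s is larger than declared" % (path, info.filename))
                leaves.extend(self.walk(member, path + "/" + info.filename, depth + 1, _state))
        return leaves


def scan_verdict(decomposer, data):
    """Convenience wrapper: ('ok', leaves) or ('blocked', reason)."""
    try:
        return ("ok", decomposer.walk(data))
    except DecompositionLimitExceeded as exc:
        return ("blocked", str(exc))


def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a zip inside a zip inside a zip (three container levels).
NESTED = make_zip({"mid.zip": make_zip({"inner.zip": make_zip({"payload.txt": b"hello"})})})


if __name__ == "__main__":
    print(scan_verdict(BoundedDecomposer(max_depth=3), NESTED))
    print(scan_verdict(BoundedDecomposer(max_depth=2), NESTED))
```

The depth check happens before a container is opened and the size check before a member is read, so a limit breach costs nothing beyond the work already done; the time check runs once per member so that a slow, deeply nested archive is cut off at the configured budget rather than at the end.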
The Symantec AntiVirus Scan Engine also detects mobile code such as Java™, ActiveX®, and stand-alone script-based threats. The Symantec AntiVirus Scan Engine utilizes Symantec antivirus technologies, including Bloodhound™, for heuristic detection of new or unknown viruses; NAVEX™, which provides protection from new classes of viruses automatically via LiveUpdate; and Striker, for the detection of polymorphic viruses.
If you would like to know whether the Symantec AntiVirus Scan Engine or any other Symantec product protects against a specific virus, visit the Symantec Security Response™ Web site at: http://securityresponse.symantec.com
The Symantec AntiVirus Scan Engine technology is supported by the Symantec Security Response team. These Symantec engineers work 24 hours per day, 7 days per week, tracking new virus outbreaks and identifying new virus threats.
How viruses are detected
When Symantec engineers identify a new virus, information about the virus (a virus signature) is stored in a virus definitions file. Virus definitions files are updated periodically via the Symantec automated LiveUpdate feature. When the Symantec AntiVirus Scan Engine scans for viruses, it searches for these virus signatures. To supplement the detection of virus infections by virus signature, the Symantec AntiVirus Scan Engine includes Bloodhound technology, which heuristically detects new or unknown viruses based on the general characteristics exhibited by known viruses.
About Bloodhound heuristic technology
Symantec engineers have developed two types of heuristics for the detection of unknown viruses. The first, Bloodhound, is capable of detecting upwards of 80 percent of new and unknown executable file viruses. The second, Bloodhound-Macro, detects and repairs over 90 percent of new and unknown macro viruses. Bloodhound requires minimal overhead since it examines only programs and documents that meet stringent prerequisites. In most cases, Bloodhound can determine in microseconds whether a file or document is likely to be infected by a virus. If it determines that a file is not able to be infected, it immediately moves to the next file.
Bloodhound and executable viruses
Bloodhound uses artificial intelligence (AI) technology to isolate and locate the various logical regions of each application that it is told to scan. It analyzes the program logic in each of these regions for virus-like behavior and simulates this behavior to determine whether the program is a virus.
Bloodhound and macro viruses
Symantec Bloodhound-Macro technology uses a hybrid heuristic scheme to detect and repair more than 90 percent of all new and unknown macro viruses automatically. For example, every time that the Symantec AntiVirus Scan Engine scans a Microsoft Word document, Bloodhound-Macro sets up a complete virtual environment into which it loads the document. The macros that are contained in the document are run as they would be in the word processing application.
Bloodhound-Macro monitors the macros as they run to see if they copy themselves from the host document to another virtual document. Bloodhound-Macro also runs the copied macros and verifies that they can further propagate.
About NAVEX technology
NAVEX is a technology that lets the Symantec Security Response team update the antivirus scanning component of the Symantec AntiVirus Scan Engine during routine virus definitions updates. This means that no inline revisions or time-consuming upgrades are necessary to ensure that your antivirus protection stays current, regardless of platform, even against new virus threats.
The antivirus scanning component is made up of dozens of complex search algorithms, CPU emulators, and other program logic. The scanning component examines a file to determine whether it contains viruses. The scanning component scans files and disks for virus fingerprints (unique sequences of bytes that are known to be contained in viruses). These fingerprints are stored in the virus definitions files that are downloaded at least once per week. The scanning component also repairs infected files.
Occasionally, a new virus or class of viruses emerges that cannot be detected by existing scanning components. These viruses require new algorithms for detection and, consequently, a new scanning component. With the NAVEX technology, Symantec engineers can quickly upgrade the Symantec AntiVirus scanning components with no extra cost or effort required.
Striker technology
Striker technology identifies polymorphic computer viruses, which are the most complex and difficult viruses to detect. Like an encrypted virus, a polymorphic virus includes a scrambled virus body and a decryption routine that first gains control of the computer and then decrypts the virus body. However, a polymorphic virus also adds a mutation engine that generates randomized decryption routines that change each time that a virus infects a new program. As a result, no two polymorphic viruses are the same.
Each time that Striker scans a new program file, it loads the file into a self-contained virtual computer. The program executes in this virtual computer as if it were running on a real computer. The polymorphic virus runs and decrypts itself. Striker then scans, detects, and repairs the virus.
LiveUpdate
LiveUpdate ensures that your network is not at risk of infection by newly discovered viruses. Updated virus definitions files, which contain the necessary information to detect and eliminate viruses, are supplied by Symantec at least every week and whenever a new virus threat is discovered. The Symantec AntiVirus Scan Engine can be configured to poll the Symantec LiveUpdate servers to determine whether updated virus definitions have been posted. If new virus definitions are available, the Symantec AntiVirus Scan Engine downloads the files and installs them in the proper location. Virus protection stays current without any interruption in protection.
Testing virus detection capabilities
If you want to verify the virus detection capabilities of the Symantec AntiVirus Scan Engine, visit the following Web site: http://www.eicar.org
The site provides a link to a test virus that should be detected by all major antivirus vendors.
Warning: Carefully read the disclaimers on the site prior to downloading the test file into your environment. Any attempts to test antivirus software with real or dummy viruses should be handled with extreme care.
If your computer already has antivirus software, you must disable the auto-protect mode of the antivirus software before downloading the test file.
Chapter 2
Installing the Symantec AntiVirus Scan Engine
This chapter includes the following topics:
■ System requirements
■ Preparing for installation
■ Installing the Symantec AntiVirus Scan Engine
■ Stopping and restarting the Symantec AntiVirus Scan Engine service
■ Uninstalling the Symantec AntiVirus Scan Engine
System requirements
Before you attempt to install the Symantec AntiVirus Scan Engine, verify that your server meets the system requirements.
Windows 2000 Server/Server 2003
■ Windows 2000 Server with Service Pack 3 or Windows Server 2003
■ Pentium III 500 MHz or higher
■ 256 MB of RAM or higher
■ 25 MB of hard disk space
■ 1 network interface card (NIC) running TCP/IP with a static IP address
■ Internet connection for LiveUpdate of virus definitions
■ Microsoft Internet Explorer 6.0 (with Service Pack 1) or later or Netscape Navigator 7.01 or later, with a Java 2 run-time environment (version 1.4 or later) installed, for Web-based administration
Note: The Web browser can be installed on any computer on your network that can access the server that is running the Symantec AntiVirus Scan Engine.
Solaris
■ Solaris 7 or later
■ Sun Ultra 10 or higher
■ SPARC® 400 MHz or higher
■ 256 MB of RAM or higher
■ 35 MB of hard disk space
■ 1 network interface card (NIC) running TCP/IP with a static IP address
■ Internet connection for LiveUpdate of virus definitions
■ Netscape Navigator 7.01 or later, with a Java 2 run-time environment (version 1.4 or later) installed, for Web-based administration
Note: The Web browser can be installed on any computer on your network that can access the server that is running the Symantec AntiVirus Scan Engine.
Red Hat Linux
■ Red Hat Linux version 7.3 or later
■ Pentium III 500 MHz or higher
■ 256 MB of RAM or higher
■ 25 MB of hard disk space
■ 1 network interface card (NIC) running TCP/IP with a static IP address
■ Internet connection for LiveUpdate of virus definitions
■ Netscape Navigator 7.01 or later, with a Java 2 run-time environment (version 1.4 or later) installed, for Web-based administration
Note: The Web browser can be installed on any computer on your network that can access the server that is running the Symantec AntiVirus Scan Engine.
Preparing for installation
Before installing the Symantec AntiVirus Scan Engine, consider the following:
■ If you are upgrading from version 4.0.X or later of the Symantec AntiVirus Scan Engine, you can install the upgrade over the existing installation (without first uninstalling the previous version). If you are upgrading from an earlier version of the Symantec AntiVirus Scan Engine or Symantec CarrierScan Server, you must uninstall the previous version first.
■ Another antivirus product should be run to protect the server that is running the Symantec AntiVirus Scan Engine.
Upgrading from a previous version
The Symantec AntiVirus Scan Engine version 4.3 installer checks to see which version (if any) of the scan engine is already installed, then does the following:
■ If no previous version of the scan engine is detected, a full installation is performed.
■ If an earlier version (any version earlier than 4.0.X) is detected, you are directed to first uninstall the previous version, and the installation is cancelled. (To uninstall earlier versions of the Symantec AntiVirus Scan Engine or CarrierScan Server, see the documentation for that product.)
■ If an upgrade is possible, no option is presented at installation to uninstall the previous version. If you are running version 4.0.X and want a full, clean installation, you must uninstall the previous version before running the installer.
Installing the upgrade over the existing installation preserves any customizations that you have made to the files and message catalogs in Table 2-1.
Table 2-1 File and message catalogs preserved during upgrade
File or message catalog: Description
symcscan.cfg: Any changes that you have made to the Symantec AntiVirus Scan Engine configuration file are preserved. If you have customized any configuration options, your customizations are written to the new configuration file (for those options that are still used in the upgrade).
Note: Scan engine logging options have changed in version 4.3. Because in many cases the previous configuration options do not map to the new options, any customizations that you have made to the logging options are not preserved. You must reconfigure logging after installing the upgrade.
policy.cfg, subjects.cfg, sizes.cfg, domains.cfg, and filenames.cfg: If you have a mail filter policy in effect (that is, you are filtering mail by message size, attachment file name or size, message origin, or subject line), your mail policy entries are retained.
symcsmsg.dat: If you have customized any of the message strings contained in the message string file, the customizations are retained. New message strings that are specific to the upgrade (those with new message ID numbers) are appended to the file.
Note: If an existing message string (one with an existing message ID) has been changed as part of the upgrade to the Symantec AntiVirus Scan Engine, the existing message string is commented out in the message string file so that any customizations are preserved in the file. The updated message is appended to the file, but is not commented out.
If you have customized any message strings in the message string file, you should check the string file after installing the upgrade to reconcile any new text with your customized text.
symcsinf.htm and symcsinf.msg (ICAP only): If you have customized the ICAP access denied message, your changes are retained.
Existing local logs and billing logs: Existing local log files and billing log files are not deleted.
Running other antivirus products on the Symantec AntiVirus Scan
Engine server
By design, the Symantec AntiVirus Scan Engine scans only files that client applications are configured to pass to it. The Symantec AntiVirus Scan Engine does not protect the computer on which it is running.
Because the server that runs the Symantec AntiVirus Scan Engine handles viruses as part of its normal work, the server itself is vulnerable if its operating system has no real-time virus protection of its own.
To achieve comprehensive virus protection with the Symantec AntiVirus Scan Engine, it is important to protect the Symantec AntiVirus Scan Engine server from virus attacks. To protect the host computer, run an antivirus program such as Symantec AntiVirus Corporate Edition on the server that is running the Symantec AntiVirus Scan Engine.
Warning: To prevent a conflict between the Symantec AntiVirus Scan Engine and the antivirus product that is running on the host computer, you must configure the antivirus product on the host computer so that it does not scan the temporary directory that is used by the Symantec AntiVirus Scan Engine for scanning. The scan engine writes the files that it receives from client applications, including infected ones, to that directory while it scans and repairs them; a host scanner that also intercepts those files interferes with the scan engine's own handling of them.
Installing the Symantec AntiVirus Scan Engine
The Symantec AntiVirus Scan Engine should be installed on a computer that meets the system requirements.
See “System requirements” on page 29.
Ensure that your server’s operating system software and applicable updates are installed, configured, and working correctly before you install the Symantec AntiVirus Scan Engine. Consult your server’s documentation for more information.
Once you have installed the Symantec AntiVirus Scan Engine, you must activate all applicable product licenses. You must also activate your subscription to virus definitions updates. The antivirus scanning features are not active until you activate the licenses.
See “Activating product licenses” on page 49.
If you are installing multiple Symantec AntiVirus Scan Engines, you may want to take advantage of the silent install feature for the scan engine.
See “Using the silent install feature” on page 209.
Installing on Windows 2000 Server/Server 2003
Only a single instance of the Symantec AntiVirus Scan Engine can be run on Windows 2000 Server/Server 2003 computers.
To install the Symantec AntiVirus Scan Engine on Windows 2000 Server/Server 2003
1 Log on to the computer on which you plan to install Symantec AntiVirus Scan Engine as administrator or as a user with administrator rights.
2 Copy the ScanEngine.exe file from the CD onto the computer.
3 Run the .exe file.
4 Indicate that you agree with the terms of the Symantec license agreement, then click Next.
If you do not indicate that you agree, the installation is cancelled.
5 Select the location in which to install the Symantec AntiVirus Scan Engine, then click Next.
The default location is C:\Program Files\Symantec\Scan Engine.
6 Select one of the following communication protocols:
■ NATIVE
■ ICAP
■ RPC
If you select RPC as the communication protocol, type the IP address for the RPC client, and then type the account name and password to identify the account (with Backup Operator privileges on the RPC client) under which the Symantec AntiVirus Scan Engine will run.
If the Symantec AntiVirus Scan Engine is to support multiple RPC clients, you can add additional clients through the scan engine administrative interface. Only one RPC client can be specified at installation.
The default account is LocalSystem. If you accept the default account, you do not need to enter the password. Use the following format for the account name: domain\username. Make sure that the account has the appropriate permissions: the installer does not validate the account, and you will not receive an error message if it lacks the permissions that it needs, so check its Backup Operator membership on the RPC client before you continue.
See “Editing the service startup properties” on page 75.
7 Click Next.
8 Select the port number on which the Web-based administrative interface listens.
The default port number is 8004. To disable the administrative interface, type 0.
Note: If you disable the administrative interface, you must configure the
Symantec AntiVirus Scan Engine by editing the configuration file.
See “Editing the configuration file” on page 177.
9 Type a password for the virtual administrative account that you will use to manage the Symantec AntiVirus Scan Engine.
10 Confirm the password by typing it again.
11 Click Next.
12 Follow the on-screen prompts to complete the installation.
When the installation is complete, the Symantec AntiVirus Scan Engine is installed as a Windows 2000/2003 service and is listed as Symantec AntiVirus Scan Engine in the Services Control Panel. The Symantec AntiVirus Scan Engine starts automatically when the installation is complete. Significant installation activities are recorded in the Windows Application Event Log.
Installing on Solaris and Linux
The Solaris and Linux versions of the Symantec AntiVirus Scan Engine are distributed as a self-extracting, self-installing shell archive (shar) named ScanEngine.sh.
Note: If you are installing the Symantec AntiVirus Scan Engine on Red Hat Linux version 7.3, you must first install the C++ compatibility libraries. These libraries are included in the Red Hat Linux distribution. They are contained in the compat-libstdc++6.2-2.9.0.16 RPM. If these libraries are not installed, the scan engine will not install.
To install the Symantec AntiVirus Scan Engine on Solaris and Linux
1 Log on as root to the computer on which you plan to install the Symantec AntiVirus Scan Engine.
2 Copy the distribution file, ScanEngine.sh, from the CD onto the computer.
3 Change directories to the location in which you copied the distribution file.
4 Type the following command, then press Enter:
sh ./ScanEngine.sh
5 Indicate that you agree with the terms of the Symantec license agreement, then press Enter.
If you indicate No, the installation is cancelled.
6 Indicate whether to create the avdefs group.
The avdefs group has access rights to the directory that contains the virus definitions that are used by the Symantec AntiVirus Scan Engine. If you have previously installed a Symantec product on the computer, this group might already exist. If so, this option is not available.
7 Select the location in which to install the Symantec AntiVirus Scan Engine, then press Enter.
The default location is /opt/SYMCScan.
8 Select the location for the SymShared directory.
The SymShared directory contains the virus definitions that are used by the Symantec AntiVirus Scan Engine to scan for viruses. The default location is /opt/Symantec. If you have multiple Symantec products installed on the computer, this directory lets the products share virus definitions. If you have previously installed a Symantec product on the computer, this directory might already exist. If so, this option is not available.
9 Select the protocol to be used by the Symantec AntiVirus Scan Engine, then press Enter.
10 Select the port number on which the Web-based administrative interface listens.
The default port number is 8004. To disable the administrative interface, type 0.
Note: If you disable the administrative interface, you must configure the
Symantec AntiVirus Scan Engine by editing the configuration file.
See “Editing the configuration file” on page 177.
11 Type a password for the virtual administrative account that you will use to manage the Symantec AntiVirus Scan Engine.
12 Confirm the password by typing it again.
The installer proceeds from this point with the installation. The Symantec AntiVirus Scan Engine starts automatically as a daemon (service) when the installation is complete. A transcript of the installation is saved as /var/log/SYMCScan-install.log for later review.
To ensure that the Symantec AntiVirus Scan Engine daemon is running on Solaris and Linux
1 Type the following command:
ps -ea | grep sym
2 Press Enter.
You should see a list of processes similar to the following:
5358 ?        0:00 symcscan
The grep matches every process whose name contains sym, so look for the symcscan entry specifically. If no symcscan process is displayed, the Symantec AntiVirus Scan Engine daemon did not start; the installation transcript in /var/log/SYMCScan-install.log may show why.
3 If the Symantec AntiVirus Scan Engine daemon did not start, type the following command:
/etc/init.d/symcscan restart
Stopping and restarting the Symantec AntiVirus Scan Engine service
You might need to stop and restart the Symantec AntiVirus Scan Engine service.
Stopping and restarting the Symantec AntiVirus Scan Engine service results in a lost connection to client applications that are in the process of submitting a file for scanning. The client application must reestablish the connection and resubmit the file for scanning.
Instructions for stopping and restarting the Symantec AntiVirus Scan Engine service differ depending on the operating system that you are running. If you are running the Symantec AntiVirus Scan Engine on Windows 2000 Server/Server 2003, stop and start the service in the Services Control Panel.
To stop and restart the Symantec AntiVirus Scan Engine service on Solaris and Linux
1 Log on to the computer as root.
2 At the command prompt, do one of the following:
■ To stop the service, type the following command:
/etc/init.d/symcscan stop
■ To start the service, type the following command:
/etc/init.d/symcscan start
■ To stop and immediately restart the service, type the following command:
/etc/init.d/symcscan restart
Uninstalling the Symantec AntiVirus Scan Engine
Use the following instructions for uninstalling the Symantec AntiVirus Scan Engine.
Uninstalling the Symantec AntiVirus Scan Engine does not remove the license keys for the Symantec AntiVirus Scan Engine. If you are uninstalling the Symantec AntiVirus Scan Engine permanently, you must remove the license keys manually. If you must manually remove the license keys, contact Symantec Service and Support.
Uninstall the Symantec AntiVirus Scan Engine
Uninstallation instructions differ depending on the operating system that you are running.
To uninstall the Symantec AntiVirus Scan Engine on Windows 2000 Server/Server 2003
1 Log on to the computer as administrator or as a user with administrator rights.
2 In the Add/Remove Programs Control Panel, click Symantec AntiVirus Scan Engine.
3 Click Change/Remove.
4 Follow the on-screen prompts to complete the uninstallation.
To uninstall the Symantec AntiVirus Scan Engine on Solaris
1 Log on to the computer as root.
2 At the command prompt, type the following command:
pkgrm SYMCScan
3 Press Enter.
4 Follow the on-screen prompts to complete the uninstallation.
To uninstall the Symantec AntiVirus Scan Engine on Red Hat Linux
1 Log on to the computer as root.
2 At the command prompt, type the following command:
rpm -e SYMCScan
3 Press Enter.
Chapter 3
Symantec AntiVirus Scan Engine administration
This chapter includes the following topics:
■ About the administrative interface
■ Accessing the administrative interface
■ Changing the administration settings
About the administrative interface
The Symantec AntiVirus Scan Engine is managed through a Web-based interface. This interface is provided through a built-in HTTP server. The Symantec AntiVirus Scan Engine administrative interface is accessed via a Web browser on any computer on your network that can access the server that is running the Symantec AntiVirus Scan Engine.
The administrative interface is accessed using a virtual administrative account that is created at installation. The administrative interface lets you manage the Symantec AntiVirus Scan Engine.
In order for changes that have been made through the administrative interface to take effect, you must restart the Symantec AntiVirus Scan Engine service.
When you are making changes to the Symantec AntiVirus Scan Engine configuration, remember that stopping and restarting the Symantec AntiVirus Scan Engine service results in a lost connection to client applications that are in the process of submitting files for scanning. (The client application must reestablish the connection and resubmit the file for scanning.) You may want to schedule configuration changes for times when scanning is at a minimum.
Although it is possible for multiple administrative interface sessions to be active at one time for a single Symantec AntiVirus Scan Engine, this practice is strongly discouraged. Having more than one user logged in at the same time can cause possible race conditions, as well as result in conflicting configuration changes being submitted.
Built-in HTTP server
The built-in HTTP server that provides the administrative interface is independent of any existing HTTP server that may be installed on your server and is not a general purpose Web server. During the installation process, you are prompted for the TCP/IP port number on which this built-in HTTP server listens. The port number that you specify must be exclusive to the Symantec AntiVirus Scan Engine administrative interface and must not already be in use by any other program or service.
Because the built-in HTTP server is not a general purpose Web server, do not use port number 80 (the default port number for general purpose Web servers). Unless you have a compelling reason to do otherwise, use the default setting (8004). If you select a port number other than the default, do not forget which port number you chose.
Note: The built-in HTTP server port number differs from the port number on which the Symantec AntiVirus Scan Engine listens for client applications to pass files for scanning. This port number is exclusive to the Symantec AntiVirus Scan Engine administrative interface.
Virtual administrator account password
A virtual administrative account is created at installation. You are also prompted to provide a password for this account during installation. Do not forget the password for this account because the virtual administrative account is the only account that you can use to manage the Symantec AntiVirus Scan Engine. You can change the password via the administrative interface, but you must have the old password to change it.
Accessing the administrative interface
The administrative interface is accessed using a suitable Web browser. The built-in HTTP server uses plain HTTP, so when you log on to the administrative interface the password for the virtual administrative account crosses the network unencrypted and can be read by anyone who can capture that traffic. For security reasons, access the administrative interface only across a switched or otherwise secure segment of the network, and use the HTTP bind address setting to restrict the built-in HTTP server to a management interface rather than leaving it bound to all interfaces.
To access the administrative functions
1 Launch a Web browser on any computer on your network that can access the server that is running the Symantec AntiVirus Scan Engine.
2 Visit the following URL: http://<servername>:<port>/ where <servername> is the host name or IP address of the server that is running the Symantec AntiVirus Scan Engine and <port> is the port number that you selected during installation for the built-in Web server (8004 is the default port number).
3 In the Log on dialog box, in the Password box, type the password for the administrative account.
4 Click Log on.
The Symantec AntiVirus Scan Engine main administration page displays.
About the main administration page
The main administration page displays command buttons in the left pane and the Symantec AntiVirus Scan Engine Status page in the right pane.
The command buttons
The command buttons in the left pane of the main administration page let you navigate to Symantec AntiVirus Scan Engine administrative functions. Clicking a command button causes the tabs for that function to appear in the right pane of the browser window.
The command buttons let you access the features in Table 3-1.
Table 3-1 Command button functions
Status: Lets you examine system metrics that have been calculated since the last restart. To return to the main administration page from anywhere in the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Status.
Configuration: Lets you set up the Symantec AntiVirus Scan Engine for your network and configure the scan engine appropriately to provide scanning for client applications.
Blocking Policy: Lets you specify what to scan and what to block and set limits to protect server resources.
Reporting: Lets you examine scanning statistics or log data.
LiveUpdate: Lets you update virus definitions files to ensure that your network remains protected against newly discovered viruses.
Licensing: Lets you claim new license keys and check the status of the license keys that have already been installed.
Log Off: Automatically logs you off of the administrative interface. Password reentry is required to access the interface.
The Status pane
The Status pane on the main administration page displays system metrics that are calculated since the last time that the Symantec AntiVirus Scan Engine was restarted manually (rather than restarted through the administrative interface).
Metrics that are displayed in the Status pane are calculated from temporarily stored data. When the Symantec AntiVirus Scan Engine is manually shut down, the memory clears and the counts start over.
The top portion of the Status pane contains general information regarding scan engine operation. The following information displays in the top portion of the Status pane:
■ Current status of the Symantec AntiVirus Scan Engine
■ Version number of the Symantec AntiVirus Scan Engine that is running
■ Protocol currently in use by the Symantec AntiVirus Scan Engine
■ IP address and port number to which the Symantec AntiVirus Scan Engine is bound
■ Date and revision number of the virus definitions that are currently in use by the Symantec AntiVirus Scan Engine
■ Date and time that the scan engine was last started
■ Total time that the scan engine has been running since the last restart
■ The status of any license keys that have been installed
The system metrics in the bottom portion of the Status pane provide a summary of virus scanning activity since the last manual restart. To obtain more detailed data on the virus scanning activity, you must activate the desired logging capabilities and use the Reporting features of the Symantec AntiVirus Scan Engine. The following system metrics display in the bottom portion of the Status pane:
■ Total viruses found
■ Total viruses repaired
This number can be different than the total number of viruses found because some malicious code cannot be repaired.
■ Total requests for scanning
■ Total number of files that have been scanned
The total number of files that have been scanned is not strictly a physical file count. The total includes the number of files as well as additional objects within container files that were scanned. Some containers, such as MIME-encoded messages and Microsoft Office documents, have additional embedded objects that are not files but that may be scanned depending on the files that you have selected for scanning (the extension list settings).
■ Total megabytes of data scanned
You can update the system metrics on the Status pane or reset the counts to zero through the administrative interface.
To update the display at any time
◆ At the bottom of the page, click Refresh.
To reset the counts to zero at any time
◆ At the bottom of the page, click Reset Statistics.
Changing the administration settings
You can configure the administrative settings that are listed in Table 3-2 for the Symantec AntiVirus Scan Engine administrative interface and the virtual administrator account.
Table 3-2 Administration settings
HTTP bind address: The Symantec AntiVirus Scan Engine is managed through a Web-based interface, which is provided through a built-in HTTP server. The HTTP server binds to all interfaces by default. You can restrict administrative access to a specific interface by entering the appropriate bind address. Because the logon password travels unencrypted, binding the server to a management interface rather than to every interface is the first setting to change after installation.
HTTP port number: The Web-based interface binds to a TCP/IP port number. You are prompted to provide an HTTP port number during installation, but the port number can be changed through the administrative interface.
Administrator password: The Symantec AntiVirus Scan Engine is managed using a virtual administrative account. The virtual administrative account is known only to the Symantec AntiVirus Scan Engine. It is not a system account. You are prompted to provide a password for this account at installation. The password for this account can be changed at any time through the Symantec AntiVirus Scan Engine administrative interface.
Do not forget the password that you enter for this account because the virtual administrative account is the only account that can be used to manage the Symantec AntiVirus Scan Engine. If you forget the password for the virtual administrative account, you must clear the adminpassword variable in the configuration file, and then log on to the administrative interface to enter a new password. (No password is required to log on while the variable is cleared.) Because anyone who can edit the configuration file can reset the password this way, restrict write access to that file to the account that runs the scan engine and to the server's administrators.
See “Editing the Symantec AntiVirus Scan Engine configuration file” on page 177.
Administrator timeout: The Symantec AntiVirus Scan Engine requires the administrator to log on to the administrative interface to access the administrative functions. By default, the Symantec AntiVirus Scan Engine automatically logs the administrator off after a selected period of inactivity. The default period of inactivity is five minutes. You can change the default time-out period.
To change the administration settings
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.
2 On the Admin tab, in the HTTP bind address box, type a bind address, if necessary.
By default, the Symantec AntiVirus Scan Engine binds to all interfaces. You can restrict access to a specific interface by typing the appropriate bind address.
3 In the HTTP port number box, type a new port number.
The default setting is port 8004. The port number must be exclusive to the Symantec AntiVirus Scan Engine interface and must not already be in use by any other program or service. Do not use port number 80. To disable the administrative interface, type 0.
4 In the New Password box, type the new password for the virtual administrative account.
5 In the Confirm box, type the new password again to verify that you typed it correctly.
6 In the Administrator timeout box, type the period of inactivity, in seconds, after which the administrator is automatically logged off.
The default setting is 300 seconds (5 minutes).
7 Click Confirm Changes to save the configuration.
8 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration. If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
Chapter 4
Activating product licenses
This chapter includes the following topics:
■ About licensing
■ Activating a license
■ Checking the license status
About licensing
Key features for the Symantec AntiVirus Scan Engine, including antivirus scanning functionality and virus definitions updates, are activated by license. Licenses are initially installed following product installation through the Symantec AntiVirus Scan Engine administrative interface. When a license expires, for example, when a virus definitions update subscription expires, a new license must be installed to renew the subscription. When no license is installed, limited functionality is available. A license affects the relevant behavior only. For example, when no antivirus scanning license is installed, an administrator can access the administrative interface to view and modify settings and run reports, but no antivirus scanning is performed. When no virus definitions update license is installed, new virus definitions updates are not downloaded to keep protection current.
See “Activating a license” on page 51.
License warning and grace periods
When a license is within 30 days of the expiration date, it is considered to be in a warning period. After a license expires, the licensed feature continues to operate for a specified period of time. This is the grace period. If the grace period expires with no license renewal, all record of the license is removed and the product becomes unlicensed.
The Symantec AntiVirus Scan Engine can be configured to generate log entries to indicate that a license is in the warning period or the grace period. Log entries are generated every 24 hours during the period.
See “About Symantec AntiVirus Scan Engine logging” on page 107.
You can view detailed information on the status of all installed Symantec AntiVirus Scan Engine licenses at any time by clicking Licensing on the Symantec AntiVirus Scan Engine main administration page.
See “Checking the license status” on page 53.
The Symantec AntiVirus Scan Engine Status page on the main administration page (reached by clicking Status in the left pane) also contains a License status entry that indicates whether any installed license is in either a grace or warning period.
Removing license files
Symantec AntiVirus Scan Engine licenses are not uninstalled automatically when the product is uninstalled. The license files remain in place, so that if you must uninstall and reinstall the Symantec AntiVirus Scan Engine for any reason, the license is intact on reinstall. Each installed license is stored in a separate file in the shared license directory that contains the licenses for all Symantec products that are activated by license. The license files must be removed manually. If you must remove a license file, contact Symantec Service and Support.
Activating a license
Both the Symantec AntiVirus Scan Engine antivirus scanning functionality and your subscription to the virus definitions updates are activated by license. A separate license must be installed for each feature. If you purchase additional product features from Symantec as they become available for the Symantec AntiVirus Scan Engine, these features will be activated with a new license.
To activate a license, you must have the serial number required for activation.
The serial number is printed on the Symantec Serial Number Certificate for the product.
Note: The Symantec Serial Number Certificate is not part of the Symantec AntiVirus Scan Engine software distribution package. The Symantec Serial Number Certificate is mailed separately and should arrive in the same time frame as your software.
Activate a license
Activating a license is a two-step process. You must complete both steps to activate a license:
■ Obtain the license file from Symantec by completing the online form. You must have a serial number to complete the online form. Once you complete the online form, you receive the license file via email from Symantec. (The complete license file is provided as an attachment to the email.)
■ Install the license file that you receive via the Symantec AntiVirus Scan Engine administrative interface.
To obtain the license file
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Licensing.
2 On the Install tab, click the link to access Symantec’s Licensing and Registration Web page.
3 Follow the instructions on the Web page to complete the online licensing form.
You must have the appropriate serial number to complete the form.
The license file is returned via email as an attachment. Make sure that the email address you provide on the online form is appropriate so that the license file will be accessible.
To install the license file
1 When you receive the email message from Symantec that contains the license file, save the file that is attached to the email message to the computer from which you will access the Symantec AntiVirus Scan Engine administrative interface.
2 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Licensing.
3 Do one of the following:
■ On the Install tab, click Browse to browse to the location of the license file. The path to the file should appear in the box to the left of the Browse button.
■ Open the license file using a text editor, such as Notepad, and copy and paste the entire contents of the file into the field on the Install tab. Make sure that you use a text editor such as Notepad to open the file. Because the license file is an XML file, browsers such as Microsoft Internet Explorer add extra code as they open the license file. If the license file is altered in any way, it will not install.
4 Click Confirm Changes.
The software indicates whether the license was installed successfully.
5 Click Continue.
If the license was installed successfully, clicking Continue returns you to the Status tab so that you can verify the updated license status. If the license did not install, clicking Continue returns you to the Install tab so that you can attempt the installation again.
Checking the license status
You can access detailed information on the Symantec AntiVirus Scan Engine product licenses at any time by clicking Licensing on the Symantec AntiVirus Scan Engine main administration page and viewing the Status tab. For any installed license, you can check the license expiration date, the number of days remaining in the warning or grace period (if applicable), and the number of nodes licensed. A fulfillment ID for each installed license also appears on the Status tab. You will need to supply the fulfillment ID to Symantec Service and Support if you have questions regarding your license.
The license information that is displayed is described in Table 4-1.
Table 4-1 License status information
Licensed feature: Each installed license is listed according to the feature that is activated by the license.
Expiration date: The expiration date for each license is displayed. If the license is in either the warning period or the grace period, a warning message is also displayed in this column.
Nodes: The number of licensed nodes is displayed for each installed license.
Fulfillment ID: The fulfillment ID is the identification number for your license. Provide this number to Symantec Service and Support if you have questions regarding your license.
Note: You can also check the status of your licenses from the Symantec AntiVirus Scan Engine Status page, which is reached by clicking Status in the left pane of the main administration page. The Status page displays a License status entry that indicates whether any installed license is in either a grace or warning period. However, for more detailed information, you must click Licensing.
To check the license status
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Licensing.
2 On the Status tab, review the license information that is displayed.
Chapter 5
Configuring the Symantec AntiVirus Scan Engine
This chapter includes the following topics:
■ About configuring the Symantec AntiVirus Scan Engine
■ Selecting the communication protocol
■ Configuring the Symantec AntiVirus Scan Engine native protocol
About configuring the Symantec AntiVirus Scan
Engine
You can set up the Symantec AntiVirus Scan Engine for your network and configure the scan engine to provide scanning services for client applications.
You can do the following:
■ Change the protocol that the scan engine uses to communicate with the client applications for which it is providing scanning services and configure any protocol-specific settings.
■ Allocate server and scan engine resources for operation of the Symantec AntiVirus Scan Engine.
Selecting the communication protocol
You can change the communication protocol that the scan engine uses to communicate with the client applications for which it is providing scanning services.
See “About supported protocols” on page 22.
You can choose from the following protocols:
■ The Symantec AntiVirus Scan Engine native protocol: The Symantec AntiVirus Scan Engine uses its own native protocol by default. The native protocol is a simple TCP/IP protocol, which is text-based like HTTP or SMTP, and uses standard ASCII commands and responses to communicate between client and server.
See “Configuring the Symantec AntiVirus Scan Engine native protocol” on page 57.
■ The Internet Content Adaptation Protocol (ICAP): ICAP is a lightweight protocol for executing a remote procedure call on HTTP messages. The Symantec AntiVirus Scan Engine supports both the proprietary 0.95 implementation of ICAP and version 1.0, presented in RFC 3507 (April 2003). The Symantec AntiVirus Scan Engine determines which is appropriate for the request based on the header data that is provided by the client application.
See “Configuring ICAP” on page 59.
■ Remote procedure call (RPC): The Symantec AntiVirus Scan Engine can be configured for Windows 2000 Server/2003 Server to use a proprietary virus scanning protocol with the MS-RPC protocol to interface with client applications. If you are running the Symantec AntiVirus Scan Engine on Solaris or Linux, this option does not appear on the administrative interface.
See “Configuring RPC” on page 66.
After you select a protocol, you must provide protocol-specific configuration information. The configuration options differ depending on the protocol that you select.
Configuring the Symantec AntiVirus Scan Engine native protocol
In its default configuration, the Symantec AntiVirus Scan Engine implements a simple TCP/IP protocol to provide antivirus functionality to client applications.
How the scan engine works with the native protocol
The Symantec AntiVirus Scan Engine protocol is text-based like HTTP or SMTP and uses standard ASCII commands and responses to communicate between client and server. To submit a file for scanning, a client connects to the specified IP port, sends the file to be scanned, and reads the results of the scan. After the scan results are received, the connection is terminated. A new connection is initiated for each file to be scanned.
Native protocol configuration options
If you select the native protocol, you must configure certain protocol-specific options. The configuration options for the native protocol are described in Table 5-1.
Table 5-1 Protocol-specific options for the native protocol
Scan engine bind address: By default, the Symantec AntiVirus Scan Engine binds to all interfaces. You can restrict access to a specific interface by entering the appropriate bind address. You can use 127.0.0.1 (the loopback interface) to let only clients that are running on the same computer connect to the Symantec AntiVirus Scan Engine.
Port number: The specified port number must be exclusive to the Symantec AntiVirus Scan Engine. The default port number is 7777. If you change the port number, use a number that is greater than 1024 that is not in use by any other program or service. If you are installing more than one instance of the Symantec AntiVirus Scan Engine on a single computer, each Scan Engine service must have a unique port number.
Local scan directory: You only need to provide a local scan directory when you are using local file scanning options (that is, the client application and the Symantec AntiVirus Scan Engine are running on the same computer and files are scanned in place on the computer) and you want to limit the Symantec AntiVirus Scan Engine so that only files under a particular directory can be scanned. If a local scan directory is not specified (which is the default), any file can be scanned. The directory that you specify must already exist.
If you are running the Symantec AntiVirus Scan Engine on Windows 2000 Server/Server 2003 and you change the protocol setting to the native protocol, you might need to change the service startup properties to identify an account that has sufficient permissions on which the Symantec AntiVirus Scan Engine will run.
See “Editing the service startup properties” on page 75.
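The bind address, port number and local scan directory rules in Table 5-1, as an added Python example that is not code from the guide or from the product: it checks a proposed native protocol configuration against those rules and shows the containment test that a local scan directory implies, with both paths canonicalised (symbolic links and ".." resolved) before they are compared, so a request for a file outside the directory is refused even when the path is written to look as if it were inside it. The addresses, ports and paths used in the checks are constructed values.

```python
import ipaddress
import os

# Default native protocol port stated in the guide.
DEFAULT_NATIVE_PORT = 7777


def bind_scope(bind_address):
    """Classify a bind address the way Table 5-1 describes it.

    "" or 0.0.0.0 binds every interface (the default), 127.0.0.1 admits only
    clients on the same computer, and any other value pins the listener to one
    interface. A malformed address raises ValueError rather than silently
    falling back to all interfaces.
    """
    if bind_address in ("", "0.0.0.0"):
        return "all interfaces"
    addr = ipaddress.ip_address(bind_address)  # ValueError if malformed
    if addr.is_loopback:
        return "loopback only"
    return "single interface"


def validate_port(port, ports_in_use=()):
    """Return the problems with a proposed listener port (empty list = OK).

    The guide requires a port exclusive to the scan engine and, when the
    default is changed, a number greater than 1024 that no other service uses.
    """
    if not 1 <= port <= 65535:
        return ["port out of range"]
    problems = []
    if port != DEFAULT_NATIVE_PORT and port <= 1024:
        problems.append("port must be greater than 1024")
    if port in ports_in_use:
        problems.append("port already in use by another program or service")
    return problems


def validate_scan_dir(scan_dir):
    """A local scan directory is optional, but if set it must already exist."""
    if scan_dir is None:
        return []  # not set: any file may be scanned (the default)
    if not os.path.isdir(scan_dir):
        return ["local scan directory does not exist"]
    return []


def is_within_scan_dir(file_path, scan_dir):
    """Decide whether a local-scan request for file_path is allowed.

    Both paths are canonicalised before the containment test, so a request
    for scan_dir/../etc/passwd resolves outside scan_dir and is refused.
    With no scan directory configured, any file is allowed, as the guide says.
    """
    if scan_dir is None:
        return True
    real_file = os.path.realpath(file_path)
    real_dir = os.path.realpath(scan_dir)
    return os.path.commonpath([real_file, real_dir]) == real_dir
```

Pair validate_scan_dir with is_within_scan_dir when files are scanned in place: the first confirms the configured directory exists, the second is the per-request check that keeps the scan engine from opening files the administrator did not intend to expose.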
To configure the native protocol
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.
2 On the Protocol tab, click Native protocol.
The configuration settings display for the selected protocol.
3 In the Scan Engine bind address box, type a bind address, if necessary.
By default, the Symantec AntiVirus Scan Engine binds to all interfaces. You can restrict access to a specific interface by typing the appropriate bind address. Use 127.0.0.1 (the loopback interface) to let only clients that are running on the same computer connect to the Symantec AntiVirus Scan Engine.
4 In the Port number box, type the TCP/IP port number to be used by client applications to pass files to the scan engine for scanning.
The default setting is port 7777.
5 In the Local scan directory box, type a local scan directory, if necessary.
Any file can be scanned by default (when no local scan directory is specified). If you specify a directory for local scanning and you have client antivirus software installed to protect the computer that is running the Symantec AntiVirus Scan Engine, you must exclude the local scan directory from real-time scanning and from all scheduled and manually invoked scans by the client antivirus software before passing files to the Symantec AntiVirus Scan Engine for scanning.
6 Click Confirm Changes to save the configuration.
7 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
Configuring ICAP
The Symantec AntiVirus Scan Engine can be configured to use ICAP to communicate with clients that are running either ICAP version 0.95 (proprietary) or ICAP version 1.0, presented in RFC 3507 (April 2003). Any appropriate client can use ICAP to communicate with the Symantec AntiVirus Scan Engine to request the scanning and repairing of files.
The Symantec AntiVirus Scan Engine software development kit (SDK) is also available for custom integration using version 1.0 of ICAP. The Symantec AntiVirus Scan Engine client-side application program interface (API) C library streamlines the addition of virus scanning to any C or C++ application.
How the scan engine works with ICAP
Multiple client applications that use different versions of ICAP (either version 0.95 or 1.0) can be configured to pass files to a single Symantec AntiVirus Scan Engine. When ICAP is used as the communication protocol for the scan engine, the scan engine determines the appropriate version of ICAP to use, based on the header data that is passed in with each scan request from the client application.
The manner in which the Symantec AntiVirus Scan Engine determines whether to scan a file differs depending on which version of ICAP is used.
When ICAP 0.95 is the communication protocol, each time the Symantec AntiVirus Scan Engine is contacted by an ICAP client to scan a file, a small amount of file data is transferred to the Symantec AntiVirus Scan Engine. This data contains the file name, the HTTP header, and the first few bytes of the file to be scanned. The scan engine examines this data to determine whether to scan the file. If the file type is one that the scan engine is configured to scan, the scan engine requests the remainder of the file from the client and scans it. If the scan engine is not configured to scan the file extension or does not recognize the file extension, the scan engine examines the first few bytes of the file’s contents to determine whether the file could contain a virus. Based on this examination, the scan engine might scan the file even if it is not configured to scan the file type.
ICAP 1.0 lets the Symantec AntiVirus Scan Engine initially provide information to the ICAP client on which file types are to be scanned, based on the scan engine configuration. Based on this information, the ICAP client forwards either the entire file to the scan engine for scanning (if the file extension is one that is identified for scanning) or the first few bytes of the file to the scan engine for preview (if the file extension is unknown or is not one that was identified for scanning). The scan engine examines the first few bytes of the file to determine whether the file could contain a virus. Based on this examination, the scan engine might request and scan a file even when it is not identified for scanning.
When the client application is using ICAP version 1.0 as the communication protocol, the Symantec AntiVirus Scan Engine now scans all POST transactions (files that are being posted to the Internet) for viruses. The scanning and logging policies that are configured on the scan engine now apply to POST transactions as well.
When a virus is detected in a POST transaction, the posting client does not receive an error message indicating that a virus was found. The only manner in which a user can determine that a virus was found in a POST transaction is to examine the actual information that was posted to the destination Web site. For example, if the user attempted to post an email message with an attachment that was infected and could not be repaired, the email message would be posted, but the attachment would be replaced with a text file indicating that an infected file was deleted.
ICAP configuration options
If you select ICAP as the protocol to be used by the Symantec AntiVirus Scan Engine, you must configure certain ICAP-specific options. The configuration options for ICAP are described in Table 5-2.
You must also configure the ICAP client to work with the Symantec AntiVirus Scan Engine.
Table 5-2 Protocol-specific options for ICAP
Scan Engine bind address: By default, the Symantec AntiVirus Scan Engine binds to all interfaces. You can restrict access to a specific interface by entering the appropriate bind address. You can use 127.0.0.1 (the loopback interface) to let only clients that are running on the same computer connect to the Symantec AntiVirus Scan Engine.
Port number: The port number must be exclusive to the Symantec AntiVirus Scan Engine. The default port number is 1344. If you change the port number, use a number that is greater than 1024 that is not in use by any other program or service. If you are installing more than one instance of the Symantec AntiVirus Scan Engine on a single computer, each scan engine service must have a unique port number.
HTML message displayed for infected files: The Symantec AntiVirus Scan Engine includes a default HTML message to display to users when access to a file is denied because it contains a virus. You can customize this message by specifying an alternate path and file name or by editing the existing file. If you choose to edit the existing file, you do not have to change this setting.
Note: If you are using ICAP 1.0, depending on the ICAP client for which the scan engine is providing scan and repair services, you might need to adjust the ICAP response from the scan engine when a file is blocked because it is infected and cannot be repaired. The default setting is to send a replacement file when an unrepairable file is blocked. However, some ICAP 1.0 applications are configured to receive an ICAP 403 response instead. You can adjust this setting by editing the configuration file.
See “Configuring ICAP via the configuration file” on page 181.
ICAP scan policy: When an infected file is found, the Symantec AntiVirus Scan Engine can do any of the following:
■ Scan only: Deny access to the infected file, but do nothing to the infected file.
■ Scan and delete: Delete all infected files, including files that are embedded in archive files without attempting repair.
■ Scan and repair files: Attempt to repair infected files, but do nothing to files that cannot be repaired.
■ Scan and repair or delete: Attempt to repair infected files, and delete any unrepairable files from archive files.
Note: If you are using the data trickle feature, the ICAP scan policy can only be set to Scan only. When you enable data trickle, the ICAP scan policy is automatically reset to Scan only.
Data trickle: When a user attempts to download an extremely large or complex file from the Internet, antivirus scanning can cause a delay during which the requesting browser (and thus the user) receives no feedback on the progress of the download. You can use the data trickle feature to provide users with a quicker download response and avoid potential session time-out errors. When data trickle is enabled, the requested file is sent (trickled) to the user in small amounts at regular intervals until the scan is complete.
See “Enabling data trickle” on page 64.
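The ICAP 1.0 exchange described under “How the scan engine works with ICAP” (the scan engine first tells the client which file types to send whole and which to preview, then answers each scan request) together with the replacement-file versus 403 response noted in Table 5-2, as an added Python example. This is not code from the guide, from the scan engine or from its SDK: it applies the RFC 3507 OPTIONS headers (Transfer-Complete, Transfer-Preview, Transfer-Ignore, Preview) on the client side, builds a RESPMOD request that carries a preview, and maps the scan engine's status line to the client's next action. The ICAP service path, host names, OPTIONS response and HTTP headers are constructed placeholders; the guide gives the default port (1344) but not the service path.

```python
# Constructed placeholders: the guide gives the default ICAP port (1344) but
# not the service path, so the path below is a stand-in, not the real one.
ICAP_HOST = "scanengine.example"
ICAP_URI = "icap://%s:1344/SERVICE_PATH_PLACEHOLDER" % ICAP_HOST

# Constructed OPTIONS response in the shape RFC 3507 section 4.10 defines:
# exe/zip/doc must be sent complete, everything else is previewed.
SAMPLE_OPTIONS_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: RESPMOD\r\n"
    b"ISTag: \"constructed-istag-0001\"\r\n"
    b"Preview: 4096\r\n"
    b"Transfer-Complete: exe, zip, doc\r\n"
    b"Transfer-Preview: *\r\n"
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)

# Constructed HTTP request and response headers for the RESPMOD example.
SAMPLE_REQ_HDR = b"GET /f.bin HTTP/1.1\r\nHost: origin.example\r\n\r\n"
SAMPLE_RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\n"


def parse_icap_message(raw):
    """Split an ICAP response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def _extensions(header_value):
    return [e.strip().lower() for e in header_value.split(",") if e.strip()]


def transfer_mode(filename, options_headers):
    """Decide how the client sends a file, from the scan engine's OPTIONS headers.

    An exact extension match wins; otherwise the Transfer-* header carrying
    '*' applies. With no match at all the file is previewed, which is what the
    guide describes for unknown extensions.
    """
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    modes = {
        "ignore": _extensions(options_headers.get("transfer-ignore", "")),
        "complete": _extensions(options_headers.get("transfer-complete", "")),
        "preview": _extensions(options_headers.get("transfer-preview", "")),
    }
    for mode, exts in modes.items():
        if ext and ext in exts:
            return mode
    for mode, exts in modes.items():
        if "*" in exts:
            return mode
    return "preview"


def build_respmod_request(req_hdr, res_hdr, body, preview_len):
    """Wrap an HTTP response in a RESPMOD request that previews preview_len bytes.

    The Encapsulated offsets are byte positions into the encapsulated section;
    the body is chunked, and '0; ieof' tells the server the preview already
    contained the whole body, so no further data will follow.
    """
    preview = body[:preview_len]
    chunked = b"%x\r\n%s\r\n" % (len(preview), preview) if preview else b""
    chunked += b"0; ieof\r\n\r\n" if len(body) <= preview_len else b"0\r\n\r\n"
    encapsulated = "req-hdr=0, res-hdr=%d, res-body=%d" % (
        len(req_hdr), len(req_hdr) + len(res_hdr))
    head = (
        "RESPMOD %s ICAP/1.0\r\nHost: %s\r\nAllow: 204\r\n"
        "Preview: %d\r\nEncapsulated: %s\r\n\r\n"
        % (ICAP_URI, ICAP_HOST, preview_len, encapsulated)
    )
    return head.encode("ascii") + req_hdr + res_hdr + chunked


def classify_scan_response(raw):
    """Map the scan engine's RESPMOD status to what the client should do."""
    status, _, _ = parse_icap_message(raw)
    if status == 204:
        return "clean: deliver the original content"
    if status == 200:
        return "modified: deliver the returned content (repaired file or replacement message)"
    if status == 403:
        return "blocked: the file was infected and could not be repaired"
    return "unexpected status %d" % status
```

A client that only understands the default behaviour will treat a 403 as a protocol error, and one configured for 403 will pass a 200 replacement body through as if it were the requested file; classify_scan_response is where that choice from the configuration file has to be mirrored on the client side.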
To configure ICAP
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.
2 On the Protocol tab, click ICAP.
The configuration settings display for the selected protocol.
3 In the Scan Engine bind address box, type a bind address, if necessary.
By default, the Symantec AntiVirus Scan Engine binds to all interfaces. You can restrict access to a specific interface by typing the appropriate bind address. Use 127.0.0.1 (the loopback interface) to let only clients that are running on the same computer connect to the Symantec AntiVirus Scan Engine.
4 In the Port number box, type the TCP/IP port number to be used by client applications to pass files to the Symantec AntiVirus Scan Engine for scanning.
The default setting for ICAP is port 1344.
5 In the HTML message displayed for infected files box, type the path and file name to supply an alternate HTML file, if necessary.
6 In the ICAP scan policy list, select how you want the Symantec AntiVirus Scan Engine to handle infected files.
The default setting is Scan and repair or delete.
7 Click Confirm Changes to save the configuration.
8 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
Enabling data trickle
When a user attempts to download an extremely large or complex file from the Internet, a period of time elapses while antivirus scanning takes place during which the browser (and thus the user) receives no feedback on the progress of the download. Without feedback, the user might try to click the browser Refresh button several times even though the download is working properly. In some instances, the browser can time out waiting for the scan to complete. The Symantec AntiVirus Scan Engine data trickle feature provides users with a quicker download response and avoids potential session time-out errors. When data trickle is enabled, the requested file is sent (trickled) to the user in small amounts at regular intervals until the scan is complete.
The data trickle feature is only available when you are using ICAP as the communication protocol. Data trickling is available for versions 0.95 and 1.0 of ICAP. The ICAP scan policy must be set to Scan only. (When you enable data trickle, the ICAP scan policy is automatically reset to Scan only.) In the Scan only configuration, infected files cannot be deleted or repaired.
Using data trickle can compromise antivirus integrity. Serious consideration should be given to a number of factors before you use the data trickle feature.
See “Warnings and limitations about data trickle” on page 66.
To enable data trickle
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.
2 On the Protocol tab, under ICAP Protocol Configuration, check Enable Trickle.
The ICAP protocol configuration settings display only when ICAP is selected as the communication protocol. Data trickling is disabled by default.
3 In the Trickle Timeout box, type the number of seconds that the scan process will run before data trickling begins.
Data trickling is not invoked if scanning is complete before the trickle timeout elapses. The default setting is 5 seconds. The maximum setting is 86,400 seconds (24 hours).
4 Click Confirm Changes to save the configuration.
5 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
How data trickle works
When a user downloads a file, the Symantec AntiVirus Scan Engine stores a copy of the requested file in a buffer and begins the scanning process. While the copy is being scanned, a small portion of the original, unscanned file is sent to the user via the client application. The trickled data triggers the File Download or Save File As dialog box, which provides the user with a quicker download response. After the user enters a file location and clicks Save in the File Download or Save File As dialog box, the file is trickled to the user in small amounts at regular intervals until the scan is complete, which prevents the browser from timing out. The browser indicates how much of the file has been trickled so far.
If no virus is detected during the scan, data trickling stops, and the remainder of the file is sent to the user.
If a virus is detected, data trickling stops, and no additional data is sent to the user. The user receives no notification that the file might be incomplete or that it might contain a virus. However, Symantec AntiVirus Scan Engine logging regarding virus detection functions normally when data trickling is active. A log message about the virus detection is sent to all active logging destinations.
Note: Data trickling is not invoked during scanning of POST transaction data.
Warnings and limitations about data trickle
Enabling data trickle can compromise antivirus integrity. Symantec does not recommend using the data trickle feature for the following reasons:
■ The data that is trickled to the user might contain a virus.
Note: If you enable data trickle, you should install an antivirus program such as Symantec AntiVirus Corporate Edition that provides real-time virus scanning. If the trickled data is infected, the real-time virus scanning feature will detect the virus immediately.
■ For FTP downloads that use optimizers, when a broken connection is detected, the optimizer resumes the download from the point in which the disconnection occurred. This results in downloading the remainder of the file and possibly reconstructing an infected file.
■ ICAP requires that a return code message be included in the first line of the file header. When data trickling begins, ICAP return code 200 (OK) is embedded in the trickled data file. Because the file has not been scanned, this message might be inaccurate. The trickled data file might contain a virus.
■ When data trickling is enabled, the ICAP scan policy is set to Scan only. You cannot configure your scanning policy to repair or delete infected files when data trickle is enabled.
■ The user receives no notification that the trickled data file is incomplete or infected.
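The data trickle behaviour described in “Enabling data trickle”, “How data trickle works” and the warnings above, as an added Python model that is not code from the guide or from the scan engine. It enforces the two configuration rules the guide states (enabling trickle resets the ICAP scan policy to Scan only, and the trickle timeout must stay within 1 to 86,400 seconds) and then walks one download through the timeline: no trickling if the scan finishes before the timeout, otherwise unscanned bytes leave at regular intervals until the verdict, and a detection simply stops the flow with no notice to the user. The trickle interval and chunk size are assumptions (the guide gives neither), as is the simplification that the user answers the Save dialog immediately.

```python
from dataclasses import dataclass

SCAN_ONLY = "Scan only"
DEFAULT_TRICKLE_TIMEOUT = 5      # seconds, the guide's default
MAX_TRICKLE_TIMEOUT = 86400      # seconds (24 hours), the guide's maximum


@dataclass
class IcapConfig:
    scan_policy: str = "Scan and repair or delete"   # guide default
    trickle_enabled: bool = False                     # guide default
    trickle_timeout: int = DEFAULT_TRICKLE_TIMEOUT


def set_trickle(config, enabled, timeout=DEFAULT_TRICKLE_TIMEOUT):
    """Enable or disable data trickle; enabling forces the policy to Scan only."""
    if not 1 <= timeout <= MAX_TRICKLE_TIMEOUT:
        raise ValueError("trickle timeout must be between 1 and 86400 seconds")
    config.trickle_enabled = enabled
    config.trickle_timeout = timeout
    if enabled:
        config.scan_policy = SCAN_ONLY
    return config


def set_scan_policy(config, policy):
    """Refuse any repair or delete policy while trickle is on, as the guide states."""
    if config.trickle_enabled and policy != SCAN_ONLY:
        raise ValueError("ICAP scan policy can only be Scan only while data trickle is enabled")
    config.scan_policy = policy
    return config


@dataclass
class TrickleOutcome:
    trickled: bool              # did any unscanned data leave the scan engine?
    unscanned_bytes_sent: int   # bytes the user holds that were never scanned
    file_complete: bool         # did the user end up with the whole file?
    user_notified: bool         # told about a detection? never during trickle


def simulate_download(config, file_size, scan_seconds, virus_found,
                      interval=1, chunk_size=4096):
    """Model one download under the guide's description of data trickle.

    Trickling begins only if the scan is still running when trickle_timeout
    elapses; then chunk_size bytes go out each interval until the scan ends.
    A clean verdict releases the rest of the file; a detection stops the flow
    and the client is told nothing. Without trickle the verdict alone decides,
    and a blocked file is answered with the configured HTML message.
    interval and chunk_size are assumptions, not values from the guide.
    """
    if not config.trickle_enabled or scan_seconds <= config.trickle_timeout:
        return TrickleOutcome(False, 0, not virus_found, virus_found)
    trickle_seconds = scan_seconds - config.trickle_timeout
    sent = min(file_size, (trickle_seconds // interval) * chunk_size)
    if virus_found:
        return TrickleOutcome(True, sent, False, False)
    return TrickleOutcome(True, sent, True, False)
```

The unscanned_bytes_sent figure is the quantity to reason about before enabling the feature: it is the part of an infected file that has already reached the endpoint when the scan engine stops trickling, which is why the guide pairs the feature with real-time scanning on the client.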
Configuring RPC
The Symantec AntiVirus Scan Engine can be configured to use RPC to interface with appropriate clients (for Windows 2000 Server/Server 2003). Any appropriate client application can use RPC to communicate with the Symantec AntiVirus Scan Engine and request the scanning and repairing of files.
How the scan engine works with RPC
To use RPC, the Symantec AntiVirus Scan Engine must be installed on a computer that is running Windows 2000 Server/Server 2003 and must be located in the same domain as the RPC clients for which it will provide scanning and repair services. A single Symantec AntiVirus Scan Engine can support multiple RPC clients. For sites with larger scan volumes, multiple Symantec AntiVirus Scan Engines also can be used to support one or more RPC clients.
A connection is maintained between each RPC client and the Symantec AntiVirus Scan Engine. The Symantec AntiVirus Scan Engine monitors the connection with each RPC client by checking the connection at a configured time interval. If the scan engine determines that the connection is not active, it tries to reconnect. (The number of times that the scan engine tries to reestablish the connection can also be configured.) If the Symantec AntiVirus Scan Engine makes the maximum number of tries with no reply from any RPC client, the scan engine shuts down.
Logging to the RPC client logging subsystem
Certain Symantec AntiVirus Scan Engine events are logged to the RPC client’s logging subsystem. The following scan engine events are logged automatically:
■ Unrepairable infections
■ Container violations
■ Scans that are aborted because the antivirus scanning license is expired
User identification and notification when a virus is found
When a virus is found in a file that is requested from an RPC network-attached storage client, the Symantec AntiVirus Scan Engine automatically obtains (for logging purposes) identification information about the user who requested the infected file. The identification information includes the security identifier of the user and the IP address and host name of the requesting computer. This information is included in all related log messages that are sent to all active logging destinations for the scan engine. This feature provides administrators with as much information as possible when a virus is found.
Note: The Symantec AntiVirus Scan Engine can obtain only the information that is made available from the RPC client. In some cases, all or some of this information is not available. The information that is obtained is reported in the related log entries. Any identification information that is not obtained from the RPC client is omitted from the log messages and from the user notification window.
You also can configure the Symantec AntiVirus Scan Engine to notify the requesting user that the retrieval of a file failed because a virus was found. The notification message only displays if the user is using a Windows computer. The notification message includes the date and time of the event, the file name of the infected file, the virus name and ID, and the manner in which the infected file was handled (for example, the file was repaired or deleted).
To use the user notification feature, the Windows Messenger service must be running on the computer that is running the Symantec AntiVirus Scan Engine as well as the user’s computer.
See “Notifying requesting users that a virus was found” on page 72.
RPC configuration options
If you select RPC as the protocol to be used by the Symantec AntiVirus Scan Engine, you must configure certain RPC-specific settings. The configuration options for RPC are described in Table 5-3.
You must also configure the RPC client to work with the Symantec AntiVirus Scan Engine.
Table 5-3 Protocol-specific options for RPC
RPC client IP addresses: A single Symantec AntiVirus Scan Engine can support one or more RPC clients. Clients must be located in the same domain as the scan engine. You must provide the IP address of each RPC client.
Check RPC connection every __ seconds: The Symantec AntiVirus Scan Engine maintains a connection with the RPC client. The Symantec AntiVirus Scan Engine can be configured to check the RPC connection with the client periodically to ensure that the connection is active. The default value is 20 seconds.
Maximum number of reconnect attempts: The Symantec AntiVirus Scan Engine can be configured to make a specified number of attempts to reestablish a lost connection with the RPC client. If the maximum number of attempts is made to reestablish the connection with no reply from the client, the Symantec AntiVirus Scan Engine shuts down. By default, the Symantec AntiVirus Scan Engine is configured to try to reconnect with the RPC client indefinitely.
Note: Do not set a maximum number of reconnect attempts if the scan engine is providing scanning for multiple RPC clients. Use the default setting so that the Symantec AntiVirus Scan Engine tries indefinitely to reconnect to the RPC clients.
RPC scan policy: When an infected file is found, the Symantec AntiVirus Scan Engine can do any of the following:
■ Scan only: Deny access to the infected file, but do nothing to the infected file.
■ Scan and repair files: Attempt to repair infected files and deny access to any unrepairable files.
■ Scan and repair or delete: Attempt to repair infected files, and delete any unrepairable files from archive files.
Note: If you plan to quarantine infected files that cannot be repaired, you must select Scan and repair or delete.
Quarantine unrepairable files: You can quarantine unrepairable infected files using the Symantec Central Quarantine version 3.0. The Symantec Central Quarantine software is included on the Symantec AntiVirus Scan Engine distribution CD along with supporting documentation.
For more information, see the separate Symantec Central Quarantine document (CentQuar.pdf) also included on the CD.
See “Quarantining unrepairable infected files” on page 74.
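The connection check, reconnect limit and shutdown rule described under “How the scan engine works with RPC” and in the first rows of Table 5-3, as an added Python model that is not code from the guide or from the scan engine. It keeps one failure counter per RPC client, clears it when the client replies, and reports shutdown only when a non-zero maximum has been reached by every client with no reply, which is the guide's stated condition; it also flags the configuration the guide's note warns against (a finite reconnect limit with several RPC clients). The client addresses are constructed values.

```python
import ipaddress

DEFAULT_CHECK_INTERVAL = 20   # seconds, the guide's default
RETRY_FOREVER = 0             # the guide's default for maximum reconnect attempts


def validate_rpc_clients(addresses):
    """Return the entries that are not valid IP addresses (one IP per client)."""
    bad = []
    for addr in addresses:
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            bad.append(addr)
    return bad


def reconnect_setting_warnings(client_ips, max_attempts):
    """The guide's note: with several RPC clients, keep the indefinite default."""
    if len(client_ips) > 1 and max_attempts != RETRY_FOREVER:
        return ["multiple RPC clients configured: set maximum reconnect "
                "attempts to 0 so the scan engine retries indefinitely"]
    return []


class RpcConnectionMonitor:
    """Models the connection check, reconnect count and shutdown rule.

    Every check_interval seconds each client is probed. A client that does
    not reply accrues one failed reconnect attempt; a reply clears its count.
    The engine shuts down only when max_attempts is non-zero and every client
    has reached it with no reply, so a single healthy client keeps it running.
    """

    def __init__(self, client_ips, check_interval=DEFAULT_CHECK_INTERVAL,
                 max_attempts=RETRY_FOREVER):
        if check_interval <= 0 or max_attempts < 0:
            raise ValueError("interval must be positive, attempts non-negative")
        self.check_interval = check_interval
        self.max_attempts = max_attempts
        self.failed_attempts = {ip: 0 for ip in client_ips}
        self.state = "running"

    def next_check_at(self, now):
        """Time of the next connection check, given the current time in seconds."""
        return now + self.check_interval

    def record_check(self, replies):
        """Apply one round of checks; replies maps client IP -> True if it answered."""
        if self.state == "shutdown":
            return self.state
        for ip in self.failed_attempts:
            if replies.get(ip, False):
                self.failed_attempts[ip] = 0
            else:
                self.failed_attempts[ip] += 1
        exhausted = self.max_attempts != RETRY_FOREVER and all(
            n >= self.max_attempts for n in self.failed_attempts.values())
        if exhausted:
            self.state = "shutdown"
        return self.state

    def unreachable_clients(self):
        """Clients that missed at least one consecutive check, for alerting."""
        return sorted(ip for ip, n in self.failed_attempts.items() if n > 0)
```

unreachable_clients is the value to watch operationally: with the indefinite default the scan engine never shuts down, so a client that has silently dropped off shows up only as a climbing failure count, not as a service stop.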
If you change the protocol setting to RPC through the administrative interface (rather than uninstalling and reinstalling the scan engine), you might need to change the service startup properties to identify an account with sufficient permissions on which the Symantec AntiVirus Scan Engine will run. You might also need to change the service startup properties if you edit the list of RPC clients.
See “Editing the service startup properties” on page 75.
Configure RPC
To configure RPC, you must do the following:
■ Provide an IP address for each RPC client for which the Symantec AntiVirus Scan Engine will provide scanning services. You can add or delete RPC clients from this list at any time.
■ Configure the additional RPC-specific options.
To edit the list of RPC clients
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.
2 On the Protocol tab, click RPC.
The configuration settings are displayed for the selected protocol.
3 To add an RPC client to the list of RPC clients, do the following:
■ In the IP address box, type an IP address for an RPC client for which the Symantec AntiVirus Scan Engine will provide scanning services.
■ Click Add.
The list of RPC clients updates to reflect your changes.
4 To delete an RPC client from the list of RPC clients, do the following:
■ In the list of RPC clients, select the IP address of the RPC client to be deleted.
You can select more than one entry by pressing Enter and selecting the desired entries.
■ Click Delete.
5 Click Confirm Changes to save the configuration.
6 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
To configure additional RPC-specific options
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.
2 On the Protocol tab, click RPC.
The configuration settings are displayed for the selected protocol.
3 In the Check RPC connection every box, type how frequently the Symantec AntiVirus Scan Engine checks the RPC connection with the RPC client to ensure that the connection is active.
The default interval is 20 seconds.
4 In the Maximum number of reconnect attempts box, type the maximum number of attempts that the Symantec AntiVirus Scan Engine will make to reestablish a lost connection with the RPC client.
The default setting is 0, which causes the Symantec AntiVirus Scan Engine to try indefinitely to reestablish a connection. Use the default setting if the scan engine is providing scanning for multiple RPC clients.
5 In the RPC scan policy list, select how you want the Symantec AntiVirus Scan Engine to handle infected files.
The default setting is Scan and repair or delete.
6 Click Confirm Changes to save the configuration.
7 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
Notifying requesting users that a virus was found
You can configure the Symantec AntiVirus Scan Engine to notify the requesting user that the retrieval of a file from an RPC network-attached storage client failed because a virus was found. The notification message includes the date and time of the event, the file name of the infected file, the virus name and ID, and the manner in which the infected file was handled (for example, the file was repaired or deleted). The notification message also includes information about the Symantec AntiVirus Scan Engine that detected the infection, including the IP address and the port number and the date and revision number of the virus definitions that were used to detect the virus.
The user notification feature is only available when the requesting user’s computer is a Windows computer and is in the same domain as the Symantec AntiVirus Scan Engine. The Windows Messenger service must be running on the computer that is running the Symantec AntiVirus Scan Engine, as well as on the user’s computer. If the notification information cannot be delivered to the requesting user, a failure message is logged.
To notify requesting users that a virus was found
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.
2 On the Logging tab, under Log Windows Messenger, check Enable Windows Messenger Logging.
User notification is disabled by default.
3 Click Confirm Changes to save the configuration.
4 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
Quarantining unrepairable infected files
When you are using the RPC protocol, you can quarantine unrepairable infected files. The quarantining of infected files is handled using the separately installed Symantec Central Quarantine.
The Symantec AntiVirus Scan Engine forwards infected items that cannot be repaired to the Symantec Central Quarantine. Typically, heuristically detected viruses that cannot be eliminated by the current set of virus definitions are forwarded to the Quarantine and isolated so that the viruses cannot spread.
From the Quarantine, the infected items can be submitted to Symantec Security Response for analysis. If a new virus is identified, new virus definitions are posted.
Note: You must select Scan and repair or delete as the RPC scan policy to forward files to the Quarantine. Once a copy of an infected file is forwarded to the Central Quarantine, the original infected file is deleted. If submission to the Central Quarantine is not successful, the original file is not deleted, and an error message is returned to the RPC client. In this case, access to the infected file is denied.
The Symantec Central Quarantine is installed separately. It must be installed on a computer that is running Windows 2000 Server/Server 2003 in accordance with the supporting documentation. The Symantec Central Quarantine software and supporting documentation is included on the Symantec AntiVirus Scan Engine distribution CD.
For more information, see the separate Symantec Central Quarantine document (CentQuar.pdf).
If you plan to quarantine infected files that cannot be repaired, you must configure the Symantec AntiVirus Scan Engine to quarantine infected files and provide information for contacting the Symantec Quarantine Server.
To quarantine unrepairable infected files
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.
2 On the Protocol tab, under RPC specific configuration, check Quarantine unrepairable files.
3 In the Quarantine Server box, type the host name or the IP address for the computer on which the Symantec Quarantine Server is installed.
4 In the Quarantine Port box, type the TCP/IP port number to be used by the Symantec AntiVirus Scan Engine to pass files to the Central Quarantine.
This setting must match the port number that is selected at installation for the Symantec Quarantine Server.
5 Click Confirm Changes to save the configuration.
6 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
Editing the service startup properties
If the Symantec AntiVirus Scan Engine is installed on Windows 2000 Server/Server 2003 and you change the protocol setting to RPC or the native protocol through the administrative interface, you might need to change the service startup properties to identify an account that has the appropriate permissions.
The selected account must provide the Symantec AntiVirus Scan Engine with access to and appropriate permissions on the RPC clients (for RPC) or to any shared drives or UNC paths for which scanning services are to be provided (for the native protocol).
For RPC, this account must have Backup Operator privileges on the RPC clients. For the native protocol, this account should have access to any shared drives or UNC paths for which scanning is to be provided and should have Change permission if infected files that cannot be repaired are to be deleted.
Note: If you select RPC at installation, you are prompted for the account name and password for this account as part of the installation process, and you do not need to edit the service startup properties manually. This step is only necessary if you change protocols after installation through the administrative interface (rather than uninstalling and reinstalling).
To edit the service startup properties for Windows 2000 Server/Server 2003
1 In the Windows 2000/2003 Control Panel, click Administrative Tools.
2 Click Services.
3 In the list of services, right-click Symantec AntiVirus Scan Engine, then click Properties.
4 In the Properties dialog box, on the Log On tab, click This Account.
5 Type the account name and password for the account on which the Symantec AntiVirus Scan Engine will run.
Use the following format for the account name: domain\username.
6 Click OK.
7 Stop and restart the Symantec AntiVirus Scan Engine service.
Allocating resources
You can allocate resources for the operation of the Symantec AntiVirus Scan Engine. You can specify the settings that are listed in Table 5-4.
Table 5-4 Resource settings
Option: Temporary directory for virus scanning
Description: The Symantec AntiVirus Scan Engine stores files in a temporary directory for virus scanning. To support sites with large, specialized disk configuration, the location of this temporary directory can be specified. The disk space that is required for this directory varies depending on the volume of files to be scanned.
Scan engine performance depends on this directory being able to accommodate potentially large numbers of large files during periods of peak use.
For Linux and Solaris, the default temporary directory is /tmp/savetmp.
For Windows 2000 Server/Server 2003, the default temporary directory is determined at installation. The temporary directory for the Symantec AntiVirus Scan Engine defaults to the temporary directory that is set for one of the following environment variables (listed in the order in which they are checked):
■ System tmp
■ System temp
■ User tmp (the user that is performing the installation)
■ User temp (the user that is performing the installation)
If none of these variables has a value assigned, the temporary directory is the installation directory.
Option: Maximum number of threads allowed for scanning
Description: You can specify the maximum number of threads that are allowed for concurrent scanning.
The pool of scanning threads that are available to the Symantec AntiVirus Scan Engine for antivirus scanning dynamically adjusts to the load that is being processed. You can change a number of additional related parameters in the configuration file. Usage may be the only method for determining the optimal settings for these parameters. Scan engine performance is dependent on scan volume, the number of client applications making requests, available memory and disk space, and the number of scanning threads.
See “Controlling the dynamic thread pool” on page 185.
Note: If you are using the RPC protocol and are supporting multiple RPC clients, the Symantec AntiVirus Scan Engine creates a separate pool of threads for each RPC client. (The RPC clients do not share a common pool of threads.) Thus, the number of available threads for scanning that you select for this setting is applied to each RPC client individually.
Option: Threshold number of queued requests
Description: When the number of scan requests exceeds the maximum number of scanning threads that are allowed, scan requests are queued until a thread becomes available. The threshold number of queued requests is configurable for the Symantec AntiVirus Scan Engine.
When the number of queued requests to the Symantec AntiVirus Scan Engine exceeds the specified threshold, the scan engine is at maximum load. The Symantec AntiVirus Scan Engine can be configured to log periods of time when it is at maximum load and to generate Load Exceeded log entries at a prescribed interval.
The Symantec AntiVirus Scan Engine continues to queue all incoming requests after the threshold is exceeded.
Option: Log or send alerts for maximum load every __ minutes
Description: The alert interval is the number of minutes between log entries generated to indicate that maximum load has been exceeded.
Maximum load is exceeded when the number of requests to the Symantec AntiVirus Scan Engine exceeds the specified threshold number of queued requests. If you change the alert interval, the Symantec AntiVirus Scan Engine might remain at maximum load for a period of time. Select an interval that will be informative but will not result in an excessive number of log entries.
Note: For logging to occur when the scan engine is at maximum load, the logging level for the desired logging destination must be set to Warning or higher. See “Logging levels” on page 109.
Option: Virus definition product name
Description: Solaris and Linux permit multiple instances of the Symantec AntiVirus Scan Engine on the same computer. If you are running more than one scan engine on a single computer, the product name must be unique for each Scan Engine service so that both scan engines receive updated virus definitions via LiveUpdate.
This option only appears if you are running the scan engine on Solaris or Linux.
Option: In-memory file processing limits
Description: The Symantec AntiVirus Scan Engine can decompose and scan the contents of container files in memory, which eliminates the latency imposed by on-disk scanning. This feature can improve performance in environments in which large volumes of container and archive file formats are routinely submitted for scanning. You can limit the resources consumed for in-memory file processing by specifying the following:
■ The maximum amount of RAM (in megabytes) used for the in-memory file system
■ The maximum file size (in megabytes) that can be stored in the in-memory file system
To allocate resources for the Symantec AntiVirus Scan Engine
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.
2 On the Resources tab, under System settings, type the temporary directory to be used for virus scanning.
If you have client antivirus software installed to protect the computer that is running the Symantec AntiVirus Scan Engine, you must exclude the temporary directory from real-time scanning and from all scheduled and manually invoked scans by the client antivirus software before passing files to the Symantec AntiVirus Scan Engine for scanning.
3 In the Maximum number of threads allowed for scanning box, type the maximum number of scanning threads that are permitted for concurrent scanning.
The default setting and the maximum recommended value is 128.
4 In the Threshold number of queued requests box, type the threshold number of queued requests above which the Symantec AntiVirus Scan Engine is considered to be at maximum load.
The default setting is 100.
5 If you have chosen to generate log messages when maximum load is exceeded, in the Log or send alerts for maximum load every box, type the desired alert interval in minutes.
The default setting is five minutes.
6 If you are running more than one instance of the Symantec AntiVirus Scan Engine on Solaris or Linux, under Advanced settings, type an alternate virus definition product name in the box provided.
The default is SCANENGINE_43. If you are running the Symantec AntiVirus Scan Engine on Windows 2000 Server/Server 2003, this setting does not appear on the administrative interface.
7 Under Server resources, in the Maximum RAM used for in-memory file system box, type the maximum amount of RAM that can be used for the in-memory file system.
The default setting is 16 MB.
8 In the Maximum file size stored in in-memory file system box, type the maximum file size that can be stored in the in-memory file system.
The default setting is 3 MB. Files that exceed the specified size are written to disk.
9 Click Confirm Changes to save the configuration.
10 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
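The interaction between the three resource settings above (maximum scanning threads, threshold number of queued requests, and the alert interval) is easier to see in code. The following is an added example, not Scan Engine code; the class and function names are hypothetical. It shows that requests keep being queued once the threshold is passed (the threshold only decides what gets logged), that the alert interval rate-limits Load Exceeded entries, and that the entry is emitted at WARNING level so a logging destination set to Warning or higher receives it. For RPC with several clients, one instance per client models the separate per-client pools that the note in Table 5-4 describes.

```python
import logging
import time
from collections import deque
from typing import Callable, Deque, List, Optional, Tuple

LOG = logging.getLogger("scanengine.load")


class ScanLoadMonitor:
    """Model of one scanning-thread pool with the Resources tab settings:
    max_threads, queue_threshold (defines maximum load) and the alert
    interval that rate-limits Load Exceeded entries. Hypothetical class."""

    def __init__(self, max_threads: int = 128, queue_threshold: int = 100,
                 alert_interval_min: float = 5,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_threads = max_threads
        self.queue_threshold = queue_threshold
        self.alert_interval_s = alert_interval_min * 60
        self._clock = clock
        self.active = 0                              # threads currently scanning
        self.queue: Deque[str] = deque()             # requests waiting for a thread
        self._last_alert: Optional[float] = None
        self.alerts: List[Tuple[float, int]] = []    # (time, queue depth) per log entry

    def submit(self, request_id: str) -> str:
        """Dispatch to a free scanning thread, or queue when all are busy.
        Requests are still queued after the threshold is exceeded."""
        if self.active < self.max_threads:
            self.active += 1
            return "scanning"
        self.queue.append(request_id)
        self._log_if_max_load()
        return "queued"

    def complete(self) -> str:
        """A scanning thread finished its file: it takes the next queued
        request if there is one, otherwise it becomes idle."""
        if self.queue:
            self.queue.popleft()
            return "dequeued"
        self.active -= 1
        return "idle"

    def at_max_load(self) -> bool:
        # Maximum load is exceeded when queued requests exceed the threshold.
        return len(self.queue) > self.queue_threshold

    def _log_if_max_load(self) -> None:
        if not self.at_max_load():
            return
        now = self._clock()
        if self._last_alert is not None and now - self._last_alert < self.alert_interval_s:
            return                                   # inside the alert interval: stay quiet
        self._last_alert = now
        self.alerts.append((now, len(self.queue)))
        # WARNING level, so a destination set to Warning or higher records it.
        LOG.warning("Load Exceeded: %d requests queued (threshold %d, %d threads busy)",
                    len(self.queue), self.queue_threshold, self.active)


def simulate_burst(max_threads: int = 2, queue_threshold: int = 1,
                   alert_interval_min: float = 1) -> ScanLoadMonitor:
    """Deterministic run on a fake clock: a burst of requests at t=0, then one
    more after the alert interval has elapsed. Returns the monitor for inspection."""
    now = [0.0]
    monitor = ScanLoadMonitor(max_threads, queue_threshold, alert_interval_min,
                              clock=lambda: now[0])
    for i in range(5):                  # 2 start scanning, 3 queue; alert fires at depth 2
        monitor.submit(f"req-{i}")
    now[0] = alert_interval_min * 60    # interval elapsed: the next alert is allowed
    monitor.submit("req-5")
    return monitor


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    m = simulate_burst()
    print(f"queued={len(m.queue)} active={m.active} alerts={len(m.alerts)}")
```

With the defaults of 128 threads, a threshold of 100 and a five-minute interval, the monitor stays silent until more than 100 requests are waiting and then writes at most one entry per five minutes, which is the trade-off the table asks you to make when choosing the interval.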
Chapter 6
Setting scanning and blocking policies
This chapter includes the following topics:
■ About scanning and blocking policies
■ Specifying processing limits
■ Configuring antivirus settings
■ Establishing a mail filter policy
About scanning and blocking policies
You can establish scanning and blocking policies for the Symantec AntiVirus Scan Engine. Some scanning and blocking policy features differ depending on the protocol that you are using.
Depending on a number of factors, such as scan volume, the number of client applications making requests, available memory and disk space, and the selected number of scanning threads, you may need to impose restrictions on resources to maximize performance and security. Settings that provide maximum security also consume more resources. You can configure settings to restrict the amount of resources that handle certain types of files, adjust the sensitivity of heuristic virus detection, and specify the file types to be scanned.
You can establish a blocking policy to further limit the handling and scanning of certain files. Files that meet the established criteria are blocked immediately, which limits the resources that are expended by the Symantec AntiVirus Scan Engine. For example, you can specify a maximum file name length, so that files that exceed the established limit are automatically rejected. If the Symantec AntiVirus Scan Engine is providing scanning services for email client applications, you can establish a mail policy to filter email and email attachments based on a number of attributes. (The mail policy settings are applied to all MIME-encoded messages and do not affect nonMIME-encoded file types.)
Note: You can use some scanning and blocking policy settings during a virus outbreak to further protect your network. Once you have information on the characteristics of a new virus, you can use this information to block the infected attachment or email immediately, before virus definitions for the new virus have been posted. Or you can scan all file types rather than limiting the file types that are scanned for viruses for maximum coverage.
Specifying processing limits
You can impose restrictions on the amount of resources that can be used to handle individual files. These processing limits can be used to help you manage your resources and to protect your network against denial of service attacks.
You can specify processing limits that apply to the following:
■ Large container files: The Symantec AntiVirus Scan Engine uses a decomposer to extract all of the embedded files from a container file, scan all of the files, and reassemble the container file once scanning is complete. For particularly large container files, this process can tie up a significant amount of resources. You can set limits to control the resources expended on large container files.
See “Specifying limits for container files” on page 85.
■ All files: Other types of limits can be applied to all files, such as the maximum number of bytes to be read in determining whether a file is MIME-encoded.
See “Specifying processing limits that apply to all files” on page 87.
Specifying limits for container files
Certain container files (specifically container files that are large, that contain large numbers of embedded compressed files, or that have been designed to maliciously use resources and degrade performance) can cause a denial of service attack. To protect against these types of files, limits can be imposed on the Symantec AntiVirus Scan Engine decomposer for handling container files.
You can specify the following:
■ The maximum amount of time, in seconds, that is spent decomposing a container file and its contents
■ The maximum file size, in bytes, for individual files in a container file
■ The maximum number of nested levels to be decomposed for scanning
You can use some or all of these limits to control how the Symantec AntiVirus Scan Engine handles container files. When any of these maximum values is met or exceeded for a given file, the Symantec AntiVirus Scan Engine stops processing the file and generates a log entry. You can specify whether to allow or deny access to files for which an established limit has been met or exceeded and for which processing has stopped. Access is denied by default.
Warning: If you plan to allow access to files for which a container violation has occurred, keep in mind that when a limit is met or exceeded, the Symantec AntiVirus Scan Engine stops processing the file, and antivirus scanning is not completed. Allowing access to a file that has not been fully scanned can potentially expose your network to viruses and other malicious content.
If you allow access to files for which a container limit violation has occurred and the scan engine finds a virus before processing stops, the scan engine will not repair the file, even if under normal circumstances the infection could be repaired. In this case, the file is handled as though the infection is unrepairable.
In addition to establishing resource limits for container files, you can block access to all or certain types of malformed container files. Computer viruses and malicious programs sometimes create intentionally malformed files. These distortions are recognized by the scan engine. If the scan engine can identify the container type, in many cases the scan engine can repair the container file. In other cases, the container type cannot be determined and the distortion can be used as criteria to reject potentially infected files. You can choose to allow access to all malformed containers, block only those for which the container type cannot be identified, or block access to all malformed containers. The scan engine is configured by default to block only those containers for which the container type cannot be identified.
To specify limits for container files
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.
2 On the Limits tab, under Container file processing limits, in the Time to extract file meets or exceeds box, type the maximum time that the scan engine can spend extracting a single container file.
The default setting is 180 seconds (3 minutes). To disable this setting (so that no limit is imposed), type 0.
Note: This setting does not apply to .hqx and .amg files.
3 In the Maximum extract size of the file meets or exceeds box, type the maximum file size, in bytes, for individual files in a container file.
The default setting is 100 MB. To disable this setting (so that no limit is imposed), type 0.
4 In the Number of nested levels of files within container file meets or exceeds box, type the maximum number of nested levels of files that are decomposed within a container file.
The default setting is 10 levels. The maximum value for this setting is 50.
5 Select whether to allow or deny access to container files for which one or more limits are exceeded.
Access is denied by default.
6 Under Malformed container file processing, select one of the following to specify how the scan engine handles malformed container files:
■ Allow access to all malformed containers
■ Deny access if container type cannot be identified
This is the default setting.
■ Deny access to all malformed containers
7 Click Confirm Changes to save the configuration.
8 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
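The container limits and the malformed-container policy from this section, worked through as an added example (this is not the Scan Engine's decomposer; the limit names, the ZIP-only container model and the way nesting levels are counted are assumptions made here). A constructed three-level nested ZIP is built in memory, decomposition stops at the first limit that is met or exceeded, and the access policy is then applied, with deny as the default so that a file that was not fully scanned is never allowed through by accident. The declared member size from the ZIP header is checked and the read is capped as well, because a container built to degrade performance cannot be trusted to report its sizes honestly.

```python
import io
import time
import zipfile
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ZIP_MAGIC = b"PK"    # both ZIP header signatures begin with these two bytes


@dataclass
class ContainerLimits:
    """The three container limits and the two access policies (hypothetical
    names; the defaults are the ones given for the Limits tab)."""
    max_extract_seconds: float = 180.0           # 0 disables the time limit
    max_member_bytes: int = 100 * 1024 * 1024    # 0 disables the size limit
    max_nesting: int = 10                        # nested levels inside a container
    allow_on_violation: bool = False             # access is denied by default
    malformed_policy: str = "deny-unidentified"  # or "allow-all" / "deny-all"


@dataclass
class ScanResult:
    verdict: str = "allow"
    fully_scanned: bool = True
    reason: Optional[str] = None
    members: List[str] = field(default_factory=list)   # files the decomposer reached


class LimitViolation(Exception):
    pass


class MalformedContainer(Exception):
    def __init__(self, name: str, identified: bool) -> None:
        kind = "identified" if identified else "unidentified"
        super().__init__(f"{name}: malformed container, type {kind}")
        self.identified = identified


class Decomposer:
    def __init__(self, limits: ContainerLimits,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limits = limits
        self._clock = clock
        self._deadline: Optional[float] = None

    def scan(self, name: str, data: bytes) -> ScanResult:
        """Decompose a submitted file, stop at the first limit that is met or
        exceeded, and apply the allow/deny policies to the outcome."""
        result = ScanResult()
        secs = self.limits.max_extract_seconds
        self._deadline = self._clock() + secs if secs else None
        try:
            self._walk(name, data, level=0, result=result)
        except LimitViolation as v:
            result.fully_scanned = False         # processing stopped early
            result.reason = str(v)
            result.verdict = "allow" if self.limits.allow_on_violation else "deny"
        except MalformedContainer as m:
            result.fully_scanned = False
            result.reason = str(m)
            policy = self.limits.malformed_policy
            deny = policy == "deny-all" or (policy == "deny-unidentified" and not m.identified)
            result.verdict = "deny" if deny else "allow"
        return result

    def _walk(self, name: str, data: bytes, level: int, result: ScanResult) -> None:
        if self._deadline is not None and self._clock() > self._deadline:
            raise LimitViolation(f"time to extract exceeded while processing {name}")
        result.members.append(name)              # a real engine runs the signature scan here
        if not name.lower().endswith(".zip"):
            return                               # not a container in this simplified model
        if not data.startswith(ZIP_MAGIC):
            raise MalformedContainer(name, identified=False)   # container type unknown
        if level + 1 >= self.limits.max_nesting:
            raise LimitViolation(f"nested level {level + 1} meets or exceeds "
                                 f"{self.limits.max_nesting} at {name}")
        try:
            archive = zipfile.ZipFile(io.BytesIO(data))
            entries = archive.infolist()
        except zipfile.BadZipFile:
            raise MalformedContainer(name, identified=True)    # ZIP type known, layout broken
        cap = self.limits.max_member_bytes
        for info in entries:
            if cap and info.file_size >= cap:
                raise LimitViolation(f"declared size of {info.filename} meets or exceeds {cap} bytes")
            with archive.open(info) as fh:
                member = fh.read(cap + 1) if cap else fh.read()
            if cap and len(member) > cap:        # header under-reported the real size
                raise LimitViolation(f"extracted size of {info.filename} exceeds {cap} bytes")
            self._walk(f"{name}/{info.filename}", member, level + 1, result)


def make_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {member name: content} (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in entries.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def sample_nested_zip() -> bytes:
    """Constructed sample: top.zip > mid.zip > inner.zip > file.txt (20 bytes)."""
    inner = make_zip({"file.txt": b"x" * 20})
    mid = make_zip({"inner.zip": inner})
    return make_zip({"mid.zip": mid})


if __name__ == "__main__":
    for depth in (10, 3):
        r = Decomposer(ContainerLimits(max_nesting=depth)).scan("top.zip", sample_nested_zip())
        print(f"max_nesting={depth}: {r.verdict}, fully_scanned={r.fully_scanned}, {r.reason}")
```

Note that `fully_scanned` is reported separately from the verdict: with the allow-on-violation setting the verdict becomes "allow" while `fully_scanned` stays false, which is exactly the situation the warning above describes, and a caller can log or alert on that combination.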
Specifying processing limits that apply to all files
You can specify the following processing limits to apply to all files (rather than just to container files):
■ The maximum file name length, in bytes, for a given file (available for the native protocol only)
■ The maximum number of bytes that are read when determining whether a file is MIME-encoded
To specify limits for all files
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.
2 On the Limits tab, under File name length limits, in the File name length exceeds box, type the maximum file name length, in bytes, for a file name.
The default setting is 1024 bytes. To disable this setting (so that no limit is imposed), type 0. This feature is available for the native protocol only.
3 Under NonMIME threshold, in the No determination after reading box, type the maximum number of bytes that are read by the scan engine to determine whether a file is MIME-encoded.
The default setting is 200000 bytes. If the Symantec AntiVirus Scan Engine reads the maximum number of bytes with no determination, the file is considered to be nonMIME-encoded.
4 Click Confirm Changes to save the configuration.
5 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
Configuring antivirus settings
You can configure certain aspects of antivirus scanning, including the file types to be scanned. You can change the following settings:
■ Bloodhound sensitivity level: To supplement the detection of virus infections by virus signature, the Symantec AntiVirus Scan Engine includes the Symantec patented Bloodhound technology, which heuristically detects new or unknown viruses based on characteristics generally exhibited by viruses. The sensitivity of the Bloodhound technology can be adjusted.
See “Changing the Bloodhound sensitivity level” on page 89.
■ File types to scan: Viruses are found only in file types that contain executable code. Bandwidth and time can be saved by limiting the files to be scanned to only those file types that can contain viruses. You can control which file types are scanned by specifying the file extensions that you want to scan (using an inclusion list) or by specifying those extensions that you do not want to scan (using an exclusion list), or you can scan all file types regardless of extension.
See “Specifying file types to scan” on page 90.
Changing the Bloodhound sensitivity level
The Symantec AntiVirus Scan Engine includes the Symantec patented Bloodhound technology, which heuristically detects new or unknown viruses. The sensitivity of the Bloodhound technology can be adjusted.
Note: Increasing the Bloodhound sensitivity level may lead to occasional false positives.
For more information about Symantec AntiVirus Scan Engine virus detection capabilities, see “How viruses are detected” on page 25.
To change the Bloodhound sensitivity level
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.
2 On the AntiVirus tab, under Heuristic scanning, select the Bloodhound sensitivity level.
The default Bloodhound sensitivity setting is Medium. You can select from low to high sensitivity, or you can turn off heuristic detection.
3 Click Confirm Changes to save the configuration.
4 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
Specifying file types to scan
You can control which file types are scanned by specifying extensions that you do not want to scan (using an exclusion list) or by specifying extensions that you want to scan (using an inclusion list), or you can scan all file types regardless of extension. Inclusion and exclusion lists by definition do not scan all file types; thus, new types of viruses might not always be detected. Scanning all files regardless of extension is the most secure setting but imposes the heaviest demand on resources.
Note: During virus outbreaks, you might want to scan all files even if you normally control the file types that are scanned with the inclusion or exclusion list.
The Symantec AntiVirus Scan Engine is configured by default to scan all files except those with extensions that are listed in a prepopulated exclusion list. The default exclusion list contains those file types that are unlikely to contain viruses, but you can edit this list.
Using an inclusion list to control which types of files are scanned is the least secure setting. Only those files types that are specifically listed in an inclusion list are scanned; thus, with an inclusion list, there is an almost limitless number of possible file extensions that are not scanned. For this reason, the inclusion list is not prepopulated, but you can choose to populate this list if you want to limit the file types that are scanned using an inclusion list.
If you use either the inclusion or the exclusion list to control the file types that are scanned (rather than scanning all files), the manner in which the list is applied differs depending on which of the following protocols are in use by the Symantec AntiVirus Scan Engine:
■ Native protocol, RPC, and ICAP version 1.0: The inclusion or exclusion list is used by the Symantec AntiVirus Scan Engine only to determine which files to scan of those that are embedded in archival file formats (for example, .zip or .lzh files). All top-level files that are sent to the Symantec AntiVirus Scan Engine are scanned regardless of file extension.
Note: If you are using the native protocol, RPC, or ICAP version 1.0 and want to control the file types that are scanned at the top level, you must provide logic or take advantage of existing mechanisms on the client side to send only certain file types to the Symantec AntiVirus Scan Engine for scanning.
The logic on the client side controls the types of files that are scanned at the top level, and the extension list setting controls which embedded files are scanned.
■ ICAP version 0.95: The inclusion or exclusion list applies to all files that are sent to the Symantec AntiVirus Scan Engine for scanning. The extension list is consulted for both top-level files and embedded files that are contained in archival file formats (for example, .zip or .lzh files).
Specify which file types to scan
You can scan all files regardless of extension, or you can control which file types are scanned by specifying extensions that you do not want to scan or that you want to scan. The Symantec AntiVirus Scan Engine is configured by default to scan all files except those with extensions that are listed in the prepopulated exclusion list.
To scan all files regardless of extension
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.
2 On the AntiVirus tab, under File types to be scanned, click Scan all files regardless of extension.
3 Click Confirm Changes to save the configuration.
4 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
To scan all files except for those with extensions that are in the exclusion list
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.
2 On the AntiVirus tab, under File types to be scanned, click Scan all files except those with the following extensions.
3 Edit the exclusion list to add extensions that you do not want to scan or delete extensions that you want to scan.
Use a period with each extension in the list. Separate each extension with a semicolon (for example, .com;.doc;.bat). To exclude files with no extension, use two adjacent semicolons (for example, .com;.exe;;).
4 To restore the default extension list, click Restore default lists.
5 Click Confirm Changes to save the configuration.
6 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
To scan only files with extensions that are in the inclusion list
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.
2 On the AntiVirus tab, under File types to be scanned, click Scan files with the following extensions.
3 Edit the inclusion list to add extensions that you want to scan or delete extensions that you do not want to scan.
The inclusion list is blank by default. Use a period with each extension in the list. Separate each extension with a semicolon (for example,
.com;.doc;.bat). To scan files that have no extensions, use two adjacent semicolons (for example, .com;.exe;;).
4 Click Confirm Changes to save the configuration.
5 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
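The three file-type policies above, and the extension-list syntax they share (a period on each entry, semicolon separators, two adjacent semicolons for files that have no extension), as an added Python example. This is not code from the manual or from Symantec; the policy constants, function names and the sample file names in the comments are my own, and only the last extension of a name (".gz" in "a.tar.gz") is considered, which is an assumption.

```python
# Added example: a model of "File types to be scanned" and of the
# extension-list syntax. Not Symantec code; names are my own.
from typing import FrozenSet

SCAN_ALL = "scan_all"        # Scan all files regardless of extension
SCAN_EXCEPT = "scan_except"  # Scan all files except those with the following extensions
SCAN_ONLY = "scan_only"      # Scan files with the following extensions

NO_EXTENSION = ""  # list entry produced by two adjacent semicolons (e.g. ".com;.exe;;")


def parse_extension_list(text: str) -> FrozenSet[str]:
    """Parse an extension list such as '.com;.doc;.bat' or '.com;.exe;;'.

    Entries keep their leading period and are lower-cased because matching
    is case-insensitive. An empty entry (two adjacent semicolons) stands for
    "files with no extension". A single trailing semicolon is tolerated and
    is not treated as an empty entry. A blank list (the default inclusion
    list) yields an empty set.
    """
    if text.strip() == "":
        return frozenset()
    entries = text.split(";")
    if text.endswith(";") and not text.endswith(";;"):
        entries = entries[:-1]
    result = set()
    for entry in entries:
        entry = entry.strip().lower()
        if entry == "":
            result.add(NO_EXTENSION)
        elif entry.startswith(".") and len(entry) > 1:
            result.add(entry)
        else:
            raise ValueError(f"bad extension entry {entry!r}: use a period, e.g. '.exe'")
    return frozenset(result)


def file_extension(filename: str) -> str:
    """Extension of the last path component, lower-cased, with its period.

    Returns NO_EXTENSION for names without a period (README), a leading
    period only (.profile) or a trailing period (file.). Assumption: only
    the last extension counts, so 'a.tar.gz' yields '.gz'.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    dot = base.rfind(".")
    if dot <= 0 or dot == len(base) - 1:
        return NO_EXTENSION
    return base[dot:].lower()


def should_scan(policy_name: str, filename: str, extensions: FrozenSet[str]) -> bool:
    """Decide whether a file is handed to the virus scanner under the policy."""
    ext = file_extension(filename)
    if policy_name == SCAN_ALL:
        return True
    if policy_name == SCAN_EXCEPT:   # exclusion list: listed extensions are skipped
        return ext not in extensions
    if policy_name == SCAN_ONLY:     # inclusion list: blank by default, so nothing is scanned
        return ext in extensions
    raise ValueError(f"unknown policy {policy_name!r}")
```

The decision rests entirely on the file name supplied by the client application, so an exclusion or inclusion list narrows scanning on untrusted input; Scan all files regardless of extension is the only setting whose coverage does not depend on that name.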
Establishing a mail filter policy
If the Symantec AntiVirus Scan Engine is providing scanning services for email client applications, you can establish a mail policy to filter mail and mail attachments based on a number of attributes. These mail policy settings are applied to all MIME-encoded messages.
Mail policy settings do not affect non-MIME-encoded file types that might be passed to the Symantec AntiVirus Scan Engine for scanning. When a mail filter policy is in effect, the mail filter settings, including the updating of mail messages to indicate that a virus has been found, are applied only to MIME-encoded messages.
Note: The mail filter policy settings are not available if you are using RPC. If you are using ICAP, the mail filter policy settings do not apply if you have selected Scan only as the scan policy. If you are using the native protocol, the mail policy settings do not apply when AVSCAN is the scan policy.
See “Mail filter policy settings” on page 94.
You can add text to the body of MIME-encoded messages to warn recipients that a virus was found in an attachment or that an attachment was deleted because it violated the mail filter policy. The default text indicates that an attachment was infected and repaired, or deleted because it could not be repaired, or that an attachment was deleted due to a mail policy violation. Variables can be used to include the file names of the affected attachments. You can customize the text that is added by editing the Symantec AntiVirus Scan Engine message string file, symcsmsg.dat.
See “Inserting text into MIME-encoded messages” on page 104.
Mail filter policy settings
You can use the mail policy settings to impose general restrictions on email. You can also use some mail filters during a virus outbreak to further protect your network. For example, once you have information on the characteristics of a new virus, you can use this information to block the infected attachment or email. You can use the file name or file size option if you know the exact name or size of an infected attachment. This lets you protect your network immediately, before virus definitions for the new virus have been posted.
You can filter mail based on the settings in Table 6-1.
Table 6-1 Mail filter settings
Total message size: Specify a maximum size for messages so that messages that exceed the maximum mail size are rejected.
See “Filtering mail by total message size” on page 97.
Subject line: Specify one or more subject lines that are known to be threats so that messages with these subject lines are rejected.
See “Filtering mail by subject line” on page 97.
Message origin: Specify one or more domains or complete email addresses that are known to be threats so that messages from these domains are rejected.
See “Filtering mail by message origin” on page 99.
Attachment file name: Specify one or more file names that are known to be threats, and select whether messages that contain attachments with these file names should be rejected, or delivered with the attachment deleted.
See “Filtering mail by attachment file name” on page 100.
Attachment file size: Specify file sizes of attachments, and select whether messages that contain attachments of the specified size should be rejected, or delivered with the attachment removed.
See “Filtering mail by attachment file size” on page 102.
Partial messages: Reject messages that have been broken down into a number of smaller, partial messages for transmission.
See “Blocking MIME partial message content” on page 103.
Filtering mail by total message size
You can specify a maximum size for mail messages. The maximum size includes the entire message including any attachments. Messages that exceed the maximum mail size are rejected.
A value of 0 (the default value) disables message blocking.
To filter mail by total message size
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.
2 On the Mail tab, under Blocking by total message size, type a maximum size (in bytes) that the scan engine will accept.
Type 0 (the default value) to disable message blocking (no maximum size).
Messages that are larger than the specified size are rejected.
3 When you have finished establishing the mail policy, click Confirm Changes to save the configuration.
4 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
Filtering mail by subject line
To filter mail by subject, you specify one or more subject lines (or strings to be found within subject lines) that are known to be threats. Messages with these subject lines are rejected.
Subject strings that you specify are matched against the subject line of each email. Wildcard characters can be used when you are not sure of the exact subject line. Any white space (tabs or spaces) at the beginning of the subject line is ignored. Any white space that you enter at the beginning of your search string (the text that you enter for the subject line filter) is also ignored.
You can filter mail by subject line during a virus outbreak to further protect your network. In the case of a new email-borne virus, if you know the subject line or part of the subject line of the infected message, you can use this information to block infected email. You can protect your network immediately, before virus definitions for the new virus have been posted.
Note: Entries that you make for this setting through the administrative interface are encoded and saved automatically as Unicode/UTF-8.
To filter mail by subject line
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.
2 On the Mail tab, under Blocking by subject line, type a text string to block.
Type as many subject lines to block as needed, one per line. Search strings are not case sensitive. Use the following wildcard characters as needed:
■ A question mark (?) to represent a single character.
■ An asterisk (*) to represent zero or more characters.
■ A backslash (\) as an escape character. For example, precede ? or * with \ to match a literal ? or * in a subject line. To match a literal \, use \\.
3 To remove a subject from the list, select it and press Delete.
4 To filter mail messages that have blank subject lines, check Block messages with empty subject lines.
5 When you have finished establishing the mail policy, click Confirm Changes to save the configuration.
6 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
Filtering mail by message origin
To filter mail by message origin, you specify one or more domain names that are known to be threats. The domain name search string that you enter is matched against addresses in the From header of the email message. If the search string matches an address, the message is rejected.
You can use this filter to block mail from specific email addresses, as well as from a specific domain. The following wildcard characters can be used to control exactly what you want to block:
■ Using *@somedomain.com blocks [email protected] but does not block [email protected].
■ Using *@*somedomain.com or *somedomain.com blocks [email protected] and [email protected].
■ Using [email protected] (to block a specific email address) blocks only email from [email protected] and does not block [email protected] or [email protected].
To filter mail by message origin
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.
2 On the Mail tab, under Blocking by message origin, type a domain or email address to block.
Type as many domains or addresses to block as needed, one per line. Search strings are not case sensitive. Use the following wildcard characters as needed:
■ A question mark (?) to represent a single character.
■ An asterisk (*) to represent zero or more characters.
■ A backslash (\) as an escape character. For example, precede ? or * with \ to match a literal ? or * in a domain or email address. To match a literal \, use \\.
3 To remove a domain name from the list, select it and press Delete.
4 When you have finished establishing the mail policy, click Confirm Changes to save the configuration.
5 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
Filtering mail by attachment file name
When you filter mail by attachment file name, you specify one or more file names that are known to be threats and specify how the Symantec AntiVirus Scan Engine will handle messages that contain attachments with any of the file names listed. The scan engine can reject the entire message or deliver the message with the attachment removed. Any attachments that do not match the listed file names are not removed and are delivered with the message.
For each full file name that you want to filter, you type a separate text string. If the text string that you type matches the file name of any attachment, the message is handled accordingly.
Wildcard characters can be used when you are not sure of an exact file name or want to block all attached files with a specific extension. For example, to block all attachments with the word virus in the file name, type *virus* as the search string. To block all attachments with the .exe extension, type *.exe.
Note: You can filter mail by attachment file name during a virus outbreak to further protect your network. In the case of a new email-borne virus, if you know the file name of the infected attachment, you can use this information to block the infected email. You can protect your network immediately, before virus definitions for the new virus have been posted.
To filter mail by attachment file name
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.
2 On the Mail tab, under Blocking by attachment file name, type an attachment file name to block.
Type as many file names to block as needed, one per line. Search strings are not case sensitive. Use the following wildcard characters as needed:
■ A question mark (?) to represent a single character.
■ An asterisk (*) to represent zero or more characters.
■ A backslash (\) as an escape character. For example, precede ? or * with \ to match a literal ? or * in a file name. To match a literal \, use \\.
3 Select one of the following to specify how the scan engine will handle messages that contain an attachment with a specified file name:
■ Delete the attachment: The scan engine removes any attachments with a specified file name and delivers the remainder of the message, including attachments with file names that do not match a specified file name. The mail message is not updated to indicate that an attachment has been deleted due to a mail policy violation unless you activate the mail message update feature.
See “Inserting text into MIME-encoded messages” on page 104.
■ Reject the message: The scan engine rejects any message that contains an attachment with a specified file name.
4 To remove a file name from the list, select it and press Delete.
5 When you have finished establishing the mail policy, click Confirm Changes to save the configuration.
6 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
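The subject-line, message-origin and attachment-file-name filters above share one wildcard syntax (? for one character, * for zero or more, \ as the escape character, case-insensitive matching). The following Python is an added example, not Symantec code, of that syntax and of each filter's stated behaviour: leading white space on subject lines and search strings is ignored, a blank subject is blocked only when the "Block messages with empty subject lines" option is set, origin strings are matched against the addresses in the From header, and a file-name match either deletes the attachment or rejects the message. It assumes a search string must match the whole subject, address or file name, which is what the message-origin examples imply (surround a string with * to match it anywhere); the function names and the email addresses and file names in the tests are constructed.

```python
# Added example: the wildcard syntax shared by the subject, origin and
# attachment-file-name filters. Not Symantec code; names are my own.
import re
from email.utils import getaddresses
from typing import Iterable, List, Optional, Tuple


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a search string into an anchored, case-insensitive regex.
    ? matches one character, * matches zero or more; a backslash escapes the
    next character, so \? and \* are literal and \\ is a literal backslash."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))  # escaped literal
            i += 2
            continue
        parts.append("." if ch == "?" else ".*" if ch == "*" else re.escape(ch))
        i += 1
    # Assumption: the string must match the whole value (anchored).
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def matches_any(value: str, patterns: Iterable[str]) -> bool:
    return any(wildcard_to_regex(p).match(value) for p in patterns)


def subject_blocked(subject: Optional[str], patterns: Iterable[str], block_empty: bool) -> bool:
    """Blocking by subject line: leading tabs/spaces on the subject and on
    each search string are ignored; a blank subject is blocked only when
    block_empty (the "Block messages with empty subject lines" option) is set."""
    subject = (subject or "").lstrip(" \t")
    if subject == "":
        return block_empty
    return matches_any(subject, [p.lstrip(" \t") for p in patterns])


def origin_blocked(from_header: str, patterns: Iterable[str]) -> bool:
    """Blocking by message origin: search strings are matched against the
    address part(s) of the From header, not against the display name."""
    addresses = [addr for _name, addr in getaddresses([from_header]) if addr]
    return any(matches_any(addr, patterns) for addr in addresses)


def filter_attachments(names: List[str], patterns: Iterable[str],
                       action: str) -> Tuple[str, List[str], List[str]]:
    """Blocking by attachment file name. Returns (decision, delivered, matched):
    action "reject" drops the whole message when any name matches, while
    action "delete" removes only the matching attachments and delivers the rest."""
    matched = [n for n in names if matches_any(n, patterns)]
    if not matched:
        return "deliver", list(names), []
    if action == "reject":
        return "reject", [], matched
    return "deliver", [n for n in names if not matches_any(n, patterns)], matched
```

Because the matching is anchored, *.exe matches setup.EXE but not setup.exe.txt; when the intent is "anywhere in the name", as with the manual's *virus* example, the asterisks on both sides are what make it a substring match.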
Filtering mail by attachment file size
When you filter mail by attachment file size, you specify one or more file sizes that are known to be threats and specify how the Symantec AntiVirus Scan Engine will handle messages that contain attachments of any of the listed file sizes. The scan engine can be configured to reject the entire message or deliver the message with the attachment removed. Any attachments that do not match a specified size are not removed and are delivered with the message.
Note: You can filter mail by attachment file size during a virus outbreak to further protect your network. In the case of a new email-borne virus, if you know the exact size of the infected attachment, you can use this information to block potentially infected email messages. You can protect your network immediately, before virus definitions for the new virus have been posted.
To filter mail by attachment file size
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.
2 On the Mail tab, under Blocking by attachment file size, type an attachment file size (in bytes) to block.
Type as many file sizes to block as needed, one per line.
3 Select one of the following to specify how the scan engine will handle messages that contain attachments of a size that you have specified:
■ Delete the attachment: The scan engine deletes any attachments of a specified size and delivers the remainder of the message, including attachments that do not match a specified size. The mail message is not updated to indicate that an attachment has been deleted due to a mail policy violation unless you activate the mail message update feature.
See “Inserting text into MIME-encoded messages” on page 104.
■ Reject the message: The scan engine rejects any message that contains an attachment of a specified size.
4 To remove a file size from the list, select it and press Delete.
5 When you have finished establishing the mail policy, click Confirm Changes to save the configuration.
6 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
Blocking MIME partial message content
The Symantec AntiVirus Scan Engine must have a MIME-encoded message in its entirety to effectively scan it for viruses. Some email software applications break large messages down into a number of smaller, more manageable, partial messages for transmission. These messages are typically transmitted separately and reassembled before delivery to the recipient. In these cases, because it has been broken down into a number of partial messages, the entire message (including all attachments) is not available to the scan engine for scanning. The Symantec AntiVirus Scan Engine is configured by default to reject partial messages because they cannot be effectively scanned for viruses.
To block MIME partial message content
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.
2 On the Mail tab, under Blocking MIME partial message content, check Block MIME partial message content.
The scan engine is configured by default to block partial messages.
3 When you have finished establishing the mail policy, click Confirm Changes to save the configuration.
4 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
Inserting text into MIME-encoded messages
The Symantec AntiVirus Scan Engine can be configured to add text to the body of a MIME-encoded message to warn the recipient of the message that an attachment was infected. The mail message body also is updated when an attachment is deleted because of a mail policy violation.
The default text indicates that an attachment contained a virus and was repaired, or that it was deleted because it contained a virus that could not be repaired or that violated the mail policy. The text can be customized. The default message text is:
ALERT!!! This email contained one or more infected files. The following attachments were infected and have been repaired: <listofinfectedfiles>. The following infected attachments were deleted: <listofdeletedfiles>. The following attachments were blocked because of mail policy violations: <listofblockedfiles>. You may wish to contact the sender to inform them about their infections. Thank you, Your ISP
------------ Original message text follows ------------
Note: Even when the mail message update feature is not activated, the Symantec AntiVirus Scan Engine attaches a text file to mail messages in place of each attachment that is deleted because it cannot be repaired. The text file that is inserted is called DELETEDN.TXT, where N is a sequence number. For example, if two attachments are deleted, the replacement files are called DELETED0.TXT and DELETED1.TXT. The name of the file and the text that is contained in the file can be customized by editing the message string file, symcmsgs.dat.
To insert text into MIME-encoded messages
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.
2 On the Mail tab, under Updating mail message body, check Add text to body of infected MIME-encoded messages to warn recipient of infections.
The default text will be used when this feature is activated unless you customize the text.
3 When you have finished establishing the mail policy, click Confirm Changes to save the configuration.
4 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
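The MIME-level rules described in the sections on total message size, attachment file size, MIME partial message content and inserting text into MIME-encoded messages, as an added Python example that is not Symantec code. It uses the standard email package in place of the scan engine's own MIME handling, a constructed sample message with three attachments, and a constructed list of "unrepairable" attachment names standing in for the virus scanner's verdict; the alert text is the default text quoted above, and repaired attachments are not modelled, so the <listofinfectedfiles> variable is filled with an empty list. Function names, the sample addresses and the DELETEDn.TXT placeholder wording are my own.

```python
# Added example: total-size check, message/partial detection, attachment
# deletion with DELETEDn.TXT replacements, and body-text insertion.
# Not Symantec code; the email package stands in for the engine's MIME code.
from email import policy as email_policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Iterable, List, Optional, Tuple

DEFAULT_ALERT_TEXT = (  # the manual's default message text
    "ALERT!!! This email contained one or more infected files. "
    "The following attachments were infected and have been repaired: "
    "<listofinfectedfiles>. The following infected attachments were deleted: "
    "<listofdeletedfiles>. The following attachments were blocked because of "
    "mail policy violations: <listofblockedfiles>. You may wish to contact the "
    "sender to inform them about their infections. Thank you, Your ISP\n"
    "------------ Original message text follows ------------\n"
)


def parse_message(raw: bytes) -> EmailMessage:
    return BytesParser(policy=email_policy.default).parsebytes(raw)


def exceeds_max_size(raw: bytes, max_size: int) -> bool:
    """Blocking by total message size: the whole message, attachments
    included; a maximum of 0 (the default) disables the check."""
    return max_size > 0 and len(raw) > max_size


def is_partial_message(msg: EmailMessage) -> bool:
    """Blocking MIME partial message content: a message/partial fragment
    never carries the complete message, so it cannot be scanned in full."""
    return msg.get_content_type() == "message/partial"


def apply_mail_policy(msg: EmailMessage, blocked_sizes: Iterable[int],
                      unrepairable: Iterable[str], action: str = "delete",
                      update_body: bool = False) -> Tuple[str, Optional[EmailMessage]]:
    """Apply the attachment-size filter (action "delete" or "reject") and the
    deletion rules. Returns ("reject", None) or ("deliver", rebuilt message).
    `unrepairable` is a constructed stand-in for the scanner's verdict."""
    blocked_sizes, unrepairable = set(blocked_sizes), set(unrepairable)
    classified: List[Tuple[EmailMessage, str]] = []
    for part in msg.iter_attachments():
        size = len(part.get_payload(decode=True) or b"")
        if (part.get_filename() or "") in unrepairable:
            classified.append((part, "deleted"))   # infected, cannot be repaired
        elif size in blocked_sizes:
            classified.append((part, "blocked"))   # mail policy violation
        else:
            classified.append((part, "kept"))
    deleted = [p.get_filename() or "" for p, k in classified if k == "deleted"]
    blocked = [p.get_filename() or "" for p, k in classified if k == "blocked"]
    if blocked and action == "reject":
        return "reject", None
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part is not None else ""
    if update_body and (blocked or deleted):
        body_text = (DEFAULT_ALERT_TEXT
                     .replace("<listofinfectedfiles>", "")  # repair not modelled
                     .replace("<listofdeletedfiles>", ", ".join(deleted))
                     .replace("<listofblockedfiles>", ", ".join(blocked)) + body_text)
    out = EmailMessage()
    for header in ("From", "To", "Subject"):
        if msg[header] is not None:
            out[header] = str(msg[header])
    out.set_content(body_text)
    seq = 0
    for part, kind in classified:
        if kind == "deleted":
            # Replaced by DELETEDn.TXT even when the body-update feature is off.
            out.add_attachment(f"Attachment {part.get_filename()} was deleted because "
                               "it could not be repaired.\n", filename=f"DELETED{seq}.TXT")
            seq += 1
        elif kind == "blocked":
            continue  # policy deletion: the body text, if enabled, is the only notice
        else:
            out.add_attachment(part.get_payload(decode=True),
                               maintype=part.get_content_maintype(),
                               subtype=part.get_content_subtype(),
                               filename=part.get_filename())
    return "deliver", out


def build_sample_message() -> bytes:
    """Constructed sample message (not from the manual): body plus three attachments."""
    m = EmailMessage()
    m["From"] = "Sender <sender@example.com>"
    m["To"] = "Recipient <recipient@example.com>"
    m["Subject"] = "Quarterly figures"
    m.set_content("Please find the figures attached.\n")
    m.add_attachment(b"\x01" * 1024, maintype="application", subtype="octet-stream", filename="figures.bin")
    m.add_attachment(b"\x02" * 500, maintype="application", subtype="octet-stream", filename="update.exe")
    m.add_attachment(b"\x03" * 300, maintype="application", subtype="msword", filename="invoice.doc")
    return m.as_bytes()
```

With a blocked size of 500 bytes and invoice.doc marked unrepairable, the delivered message keeps figures.bin, silently drops update.exe, and carries DELETED0.TXT in place of invoice.doc; only when the body-update option is on does the recipient see which attachment was removed for a policy violation, which is the distinction the two notes above draw.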
Chapter 7
Configuring and using logging
This chapter includes the following topics:
■ About Symantec AntiVirus Scan Engine logging
■ Logging events to the Windows Application Event Log
■ Activating SNMP and SMTP logging
■ Obtaining summary data from the local logs
■ Generating scanning statistics from the billing logs
About Symantec AntiVirus Scan Engine logging
The Symantec AntiVirus Scan Engine provides a number of logging destinations. Logging to each available logging destination (for example, SNMP, SMTP, or the Windows Application Event Log) can be activated individually by selecting a desired logging level for that destination. Selecting the logging level lets you choose the types of events for which log messages are generated. You can select a different logging level for each logging destination.
Logging destinations
The Symantec AntiVirus Scan Engine lets you log to the following logging destinations:
■ Local logs: If you are running the Symantec AntiVirus Scan Engine on Solaris or Linux, the default logging destination is to the local logs. The default location for the local logs for Solaris and Linux is /var/log/. The default location for the local logs for Windows 2000 Server/Server 2003 is C:\Program Files\Symantec\Scan Engine\.
See “Configuring local logging” on page 112.
■ Windows Application Event Log: If you are running the Symantec AntiVirus Scan Engine on Windows 2000 Server/Server 2003, the default logging destination is the Application Event Log.
See “Logging events to the Windows Application Event Log” on page 116.
■ SNMP and SMTP destinations: In addition to the local logging that is maintained by the Symantec AntiVirus Scan Engine, you can select SNMP (Simple Network Management Protocol) or SMTP (Simple Mail Transfer Protocol) as a separate logging destination. You can activate SNMP and SMTP logging individually by providing the appropriate destination information.
See “Activating SNMP and SMTP logging” on page 117.
■ Billing logs: Billing logs contain scan volume data for the total number of files that are scanned and the average speed of processing. Scanning statistics for the billing logs are maintained automatically by the Symantec AntiVirus Scan Engine. Billing information is logged to a billing log file, symcsbps.dat.
See “Generating scanning statistics from the billing logs” on page 127.
■ SESA: If you are running the Symantec Enterprise Security Architecture (SESA), you can choose to log events regarding Symantec AntiVirus Scan Engine antivirus activity to SESA. SESA includes an event management system that employs data collection services for events that are generated on computers that are managed by Symantec security products. SESA lets administrators view and manage the security data within a central location, the SESA Console.
See “Integrating the Symantec AntiVirus Scan Engine with SESA” on page 153.
■ RPC client logging subsystem (RPC only): If you are using RPC as the communication protocol, the Symantec AntiVirus Scan Engine logs certain events to the RPC client logging subsystem. Logging to the RPC client is in addition to the other available logging destinations.
See “Logging to the RPC client logging subsystem” on page 67.
Logging levels
Logging for each logging destination is activated individually by selecting the desired logging level for that destination. You can select a different logging level for each logging destination. Selecting the logging level lets you choose the types of events for which log messages are generated.
Note: Although you can select a logging level for SESA, not all events for a given level are forwarded to SESA. Only a subset of scan engine events can be logged to SESA when logging to SESA is activated.
See “Scan engine events that are logged to SESA” on page 162.
Table 7-1 shows the events for which log messages are generated at each logging level. Each logging level builds upon the previous levels (that is, each successive level includes the events of the logging levels below it as well as additional events).
Table 7-1 Events by logging level
Logging level: None
■ No events are logged at this logging level.
Logging level: Error
■ Server crash
■ Virus definitions update error
■ License expired
■ Logging failure (SMTP/SNMP/RPC user notification)
Entries for this event are not logged to SMTP and SNMP logging destinations, even if SNMP or SMTP logging is active at this logging level.
■ RPC retry
Entries for this event are not logged to SMTP and SNMP logging destinations, even if SNMP or SMTP logging is active at this logging level.
Logging level: Warning
■ All events logged at the Error logging level
■ Infection found
■ License about to expire
■ Threshold number of queued requests exceeded
■ Virus definitions rollback
■ Processing violation
Entries for this event are not logged to SMTP and SNMP logging destinations, even if SNMP or SMTP logging is active at this logging level.
■ Mail policy violation
Entries for this event are not logged to SMTP and SNMP logging destinations, even if SNMP or SMTP logging is active at this logging level.
Logging level: Information
■ All events logged at the Error logging level
■ All events logged at the Warning logging level
■ Server start
■ Server stop
■ Virus definitions update success
Logging level: Verbose
■ All events logged at the Error logging level
■ All events logged at the Warning logging level
■ All events logged at the Information logging level
■ All files scanned
Note: The Verbose logging level is not available for SMTP, SNMP, and SESA logging.
Note: The Verbose logging level should be selected only for debugging purposes. Activating this logging level for general logging degrades performance significantly.
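Table 7-1 as a small routing model in Python, an added example that is not Symantec code, for checking which destinations a given event actually reaches under a planned configuration. It encodes the cumulative levels, the four events the table marks as never sent to SMTP and SNMP, and the restriction that Verbose cannot be selected for SMTP, SNMP and SESA. The destination labels ("Local", "SMTP", "SNMP", "SESA") and the function names are my own; the SESA event subset mentioned in the note above is not known from this page and is not modelled.

```python
# Added example: routing model of Table 7-1. Not Symantec code.
from typing import Dict, List

LEVELS = ["None", "Error", "Warning", "Information", "Verbose"]

# Events first introduced at each level; a level also logs everything below it.
NEW_EVENTS_AT: Dict[str, List[str]] = {
    "None": [],
    "Error": ["Server crash", "Virus definitions update error", "License expired",
              "Logging failure (SMTP/SNMP/RPC user notification)", "RPC retry"],
    "Warning": ["Infection found", "License about to expire",
                "Threshold number of queued requests exceeded",
                "Virus definitions rollback", "Processing violation",
                "Mail policy violation"],
    "Information": ["Server start", "Server stop", "Virus definitions update success"],
    "Verbose": ["All files scanned"],
}

# Events the table says are never sent to SMTP and SNMP destinations.
NOT_FOR_SMTP_SNMP = {
    "Logging failure (SMTP/SNMP/RPC user notification)", "RPC retry",
    "Processing violation", "Mail policy violation",
}

# Destinations for which the Verbose level is not available.
NO_VERBOSE = {"SMTP", "SNMP", "SESA"}


def events_for_level(level: str) -> List[str]:
    """All events logged at `level`, including those of the levels below it."""
    idx = LEVELS.index(level)
    return [e for lvl in LEVELS[: idx + 1] for e in NEW_EVENTS_AT[lvl]]


def event_level(event: str) -> str:
    """Lowest logging level at which `event` is generated."""
    for lvl in LEVELS:
        if event in NEW_EVENTS_AT[lvl]:
            return lvl
    raise KeyError(event)


def level_allowed(destination: str, level: str) -> bool:
    """Can `level` be selected for `destination` at all?"""
    return level in LEVELS and not (level == "Verbose" and destination in NO_VERBOSE)


def is_logged(event: str, destination: str, level: str) -> bool:
    """Would `event` reach `destination` when that destination is set to `level`?"""
    if not level_allowed(destination, level):
        raise ValueError(f"{level} is not available for {destination}")
    if LEVELS.index(event_level(event)) > LEVELS.index(level):
        return False
    if destination in ("SMTP", "SNMP") and event in NOT_FOR_SMTP_SNMP:
        return False
    return True


def route(event: str, destination_levels: Dict[str, str]) -> List[str]:
    """Destinations, in the order given, that receive `event`."""
    return [d for d, lvl in destination_levels.items() if is_logged(event, d, lvl)]
```

The practical point for detection engineering is visible in the routing results: a mail policy violation or a processing violation never reaches an SMTP or SNMP destination at any level, so alerting built on those channels alone misses both, and the local log (or the Windows Application Event Log) is where they have to be collected.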
Table 7-2 describes each individual logging event.
Table 7-2 Logging events
Server crash: Logs all instances of scan engine crashes.
Virus definition update error: Logs all errors that occur in virus definitions updates.
License expired: Logs each 24-hour period following a Symantec AntiVirus Scan Engine license expiration.
Note: Log entries for an expired license are generated only during the grace period following the license expiration date. If the grace period expires before the license is renewed, all record of the existing license is removed and the product or feature becomes unlicensed.
Logging failure (SMTP/SNMP/RPC user notification): Logs all errors in sending to SMTP/SNMP/pop-up window logging destinations that result in no log message being sent (for example, neither the primary nor the secondary SMTP server was available).
Note: Because the broadcast nature of SNMP prevents the detection of transmission failure, no log entry is generated when an SNMP message is not received because the SNMP console is down or the IP address for the SNMP console is entered incorrectly.
Note: Windows pop-up messages are generated only when you have selected RPC as the communication protocol and you have enabled user notification when a virus is found.
RPC retry: Logs attempts to reestablish a lost connection with an RPC client.
Note: A log entry is generated after five attempts to connect. By default, the Symantec AntiVirus Scan Engine is configured to try to reconnect with an RPC client indefinitely.
Infection found: Logs all infections found in scanned files.
License about to expire: Logs each 24-hour period when a Symantec AntiVirus Scan Engine license is about to expire (that is, the license is within 30 days of its expiration date).
Threshold number of queued requests exceeded: Logs all instances when the threshold number of queued requests is exceeded for the scan engine. Log entries are generated based on the selected alert interval.
Virus definitions rollback: Logs all instances in which the scan engine was able to revert to the previous virus definitions after a virus definitions update failure.
Processing violation: Logs all processing violations for scanned container files.
See “Specifying limits for container files” on page 85.
Mail policy violation: Logs all mail policy violations for scanned files.
Server start: Logs all instances of scan engine startup.
Server stop: Logs all instances of scan engine shutdown.
Virus definition update: Logs all instances of scan engine virus definitions updates.
Log all files scanned: Logs all files scanned.
Note: This logging event is only available at the Verbose logging level. The Verbose logging level should be selected only for debugging purposes. Activating this logging level for general logging purposes degrades performance significantly.
Configuring local logging
You can change the types of events that are logged to the local logs and change the locations of key logging files. You can do any of the following:
■ Change the local logging level: The default logging destination for Solaris and Linux is the local logs. You can select the types of scan engine events that are logged to the local logs by changing the local logging level. The default logging level for the local logs is Warning (Solaris and Linux only).
See “Specifying the local logging level” on page 113.
■ Change the log file location: To accommodate sites with specialized disk configuration, the location of the Symantec AntiVirus Scan Engine log files can be changed. The disk space that is required for the log files varies depending on scan volume and associated activity. The specified location must be large enough to accommodate these files.
See “Changing the log file location” on page 115.
■ Change the message string file location: The message text for Symantec AntiVirus Scan Engine log entries and SMTP insert messages is contained in an ASCII text file. You can change the location and file name of this file. You can customize the message text by editing this string file.
See “Changing the message string file location” on page 116.
Specifying the local logging level
If you are running the Symantec AntiVirus Scan Engine on Solaris or Linux, the default logging destination is the local logs. You can change the types of scan engine events that are logged to the local logs by selecting the appropriate local logging level. The default logging level for the local logs for Solaris and Linux is Warning. Logging to the local logs is not activated by default for Windows 2000 Server/Server 2003.
To specify the local logging level
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.
2 On the Logging tab, under Log file location, select the Local Logging level from the list.
The default logging level for Solaris and Linux is Warning. The default setting for Windows 2000 Server/Server 2003 is None. Select Verbose only if you have been instructed to do so for debugging purposes by Symantec Technical Service and Support.
See “Logging levels” on page 109.
3 Click Confirm Changes to save the configuration.
4 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
Changing the log file location
You can change the location of the local and billing log files. The file names for the log files cannot be changed. The default location for the log files for Solaris and Linux is /var/log/. The default location for the log files for Windows 2000 Server/Server 2003 is C:\Program Files\Symantec\Scan Engine\.
The disk space that is required for the log files varies depending on the scan volume and associated activity. The specified location must be large enough to accommodate these files. If you change the log file location, old log files are left in the old directory and are not removed during uninstallation. Old logs must be removed manually.
To change the log file location
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.
2 On the Logging tab, under Log file location, in the Log file path location box, type the path to the new location for the log file.
The default location for Solaris and Linux is /var/log/. The default location for Windows 2000 Server/Server 2003 is C:\Program Files\Symantec\Scan Engine\.
3 Click Confirm Changes to save the configuration.
You must restart the Symantec AntiVirus Scan Engine service for this change to take effect. Data that was logged prior to restarting the service is contained in the previous log file and is not parsed for Symantec AntiVirus Scan Engine reporting purposes.
4 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
Changing the message string file location
The message text for Symantec AntiVirus Scan Engine log entries and SMTP insert messages is contained in an ASCII text file. You can change the location and file name of this file. The message text can be customized by editing the string file.
To change the message string file location
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.
2 On the Logging tab, under Logging properties, in the Path and filename for message string file box, type a new path and file name.
The default location for Solaris and Linux is /opt/SYMCScan/etc/symcsmsg.dat. The default location for Windows 2000 Server/Server 2003 is C:\Program Files\Symantec\Scan Engine\symcsmg.dat.
3 Click Confirm Changes to save the configuration.
4 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
Logging events to the Windows Application Event Log
If you are running the Symantec AntiVirus Scan Engine on Windows 2000 Server/Server 2003, the Application Event Log is the default logging destination. You can change the types of events that are logged to the Application Event Log by selecting the appropriate Windows logging level. The default logging level for the Windows Application Event Log is Warning (Windows 2000 Server/Server 2003 only).
To log events to the Windows Application Event Log
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.
2 On the Logging tab, under Log Windows, in the Windows Logging level list, select the appropriate logging level.
The default logging level for the Windows Application Event Log is Warning (Windows 2000 Server/Server 2003 only).
See “Logging levels” on page 109.
3 Click Confirm Changes to save the configuration.
4 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
Activating SNMP and SMTP logging
The Symantec AntiVirus Scan Engine provides SMTP (Simple Mail Transfer Protocol) and SNMP (Simple Network Management Protocol) logging capabilities. SNMP or SMTP logging can be activated individually by selecting the appropriate logging level for SNMP or SMTP logging and providing the appropriate destination information.
To activate SNMP logging, you must select the logging level and provide the SNMP community string and the IP address for a primary SNMP console for receiving the log messages. A second SNMP console can be identified if one is available. Log messages are sent to both the primary and secondary SNMP consoles in all cases.
See “Activating SNMP logging” on page 118.
To activate SMTP logging, you must select the logging level and identify a primary SMTP server for forwarding the log messages. You must also specify the email addresses of the recipients and the local domain for the Symantec AntiVirus Scan Engine. A second SMTP server also can be identified if one is available.
See “Activating SMTP logging” on page 120.
If you have activated SNMP or SMTP logging and are running multiple Symantec AntiVirus Scan Engines, you also may need to set an alert bind address for each scan engine so that you can identify the originating scan engine for each SNMP and SMTP log message.
See “Specifying the alert bind address” on page 122.
Activating SNMP logging
To activate SNMP logging, you must provide the SNMP community string and an IP address for a primary SNMP console for receiving the log messages. You can specify a second SNMP console if one is available. Log messages are sent to both the primary and secondary SNMP consoles in all cases.
If you need the Management Information Base file to configure SNMP logging, the file (symcscan.mib) is located in the MIB directory as part of the Symantec AntiVirus Scan Engine distribution.
You must select the types of events for which SNMP log messages will be generated.
See “Logging levels” on page 109.
To activate SNMP logging for the Symantec AntiVirus Scan Engine
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.
2 On the Logging tab, under Log SNMP, select the SNMP logging level from the SNMP Logging level list.
SNMP logging is not activated by default (the SNMP logging level is set to None). The Verbose logging level is not available for SNMP logging.
See “Logging levels” on page 109.
3 In the Primary server IP address box, type the IP address of the primary SNMP console to receive log messages.
4 In the Secondary server IP address box, type the IP address of a secondary SNMP console to receive log messages if one is available.
5 In the SNMP Community box, type the SNMP community string.
The default setting is public.
6 Click Confirm Changes to save the configuration.
7 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
Activating SMTP logging
To activate SMTP logging, you must identify a primary SMTP server for forwarding log messages. You must also specify the email addresses of the recipients and the local domain for the Symantec AntiVirus Scan Engine. You also can specify a second SMTP server if one is available.
You must select the types of events for which SMTP log messages will be generated.
See “Logging levels” on page 109.
To activate SMTP logging for the Symantec AntiVirus Scan Engine
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.
2 On the Logging tab, under Log SMTP, select the SMTP logging level from the SMTP Logging level list.
SMTP logging is not activated by default (the SMTP logging level is set to None). The Verbose logging level is not available for SMTP logging.
See “Logging levels” on page 109.
3 In the Primary server IP address box, type the IP address of the primary SMTP server that will forward the log messages.
4 In the Secondary server IP address box, type the IP address of a secondary SMTP server (if one is available) that will forward the log messages if communication with the primary SMTP server fails.
5 In the SMTP Domain box, type the local domain for the Symantec AntiVirus Scan Engine.
The domain name is added to the From field for SMTP messages so that SMTP log messages that are generated by the Symantec AntiVirus Scan Engine originate from ScanServer@<servername>.<domainname>, where <servername> is the name of the computer that is running the Symantec AntiVirus Scan Engine and <domainname> is the domain name that is supplied here.
6 In the Recipient email addresses box, type the email addresses of the recipients of the SMTP log messages.
Separate each email address with a comma or space.
7 Click Confirm Changes to save the configuration.
8 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
Specifying the alert bind address
If you have activated SNMP or SMTP logging and are running multiple Symantec AntiVirus Scan Engines, you can set an alert bind address for each scan engine to identify the originating scan engine for each SNMP and SMTP log message. The alert bind address of the originating scan engine is appended to all SNMP and SMTP log messages as a means of identification.
Setting the alert bind address is only necessary if you have configured multiple scan engines to listen on the loopback interface (127.0.0.1) and each scan engine logs messages to the same SNMP or SMTP destination. Because the IP address on which the scan engine listens is used in SNMP and SMTP messages to identify the originating scan engine, it is not possible to determine which scan engine originated the log message when more than one is using the loopback interface. You can set a unique alert bind address for each scan engine to provide a method for identifying each scan engine.
To specify the alert bind address
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.
2 On the Logging tab, under Logging properties, in the Alert bind address box, type a bind address to identify the computer on which the Symantec AntiVirus Scan Engine is running.
3 Click Confirm Changes to save the configuration.
4 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
Managing the local logs
You can download the local log file in a selected format to a remote computer and save the data to a file, or you can clear the local log file.
You can download the log file in a comma-separated value (CSV) format for export to a file or in an HTML table format that displays in the browser window.
This lets you save or review log data in a usable format. The amount of data that can be downloaded is limited so as not to overwhelm the browser or the server.
You can download one or two megabytes of data. The data that is returned consists of the most recent log entries.
Note: If you attempt to download large log files during periods of peak usage, Symantec AntiVirus Scan Engine performance might be impacted.
You also can clear the Symantec AntiVirus Scan Engine log file. This lets you keep the log file at a manageable size. Clearing the log file erases all of the log entries in the file. To retain access to the log data, download the log and export the data to another file prior to clearing the log file. Logging continues from the date and time that you clear the logs.
Warning: For Windows 2000 Server/Server 2003, clearing the log file causes all of the application logs to be cleared, not just those for the Symantec AntiVirus Scan Engine.
Manage log files
You can download or clear the log file.
To download the log file
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Reporting.
2 On the Download tab, under Downloading log files, select the amount of data, in megabytes, to download.
The size of the download is limited to 1 or 2 MB so that the amount of data that is returned does not overwhelm the browser or your server.
3 In the Download format list, select one of the following:
■ CSV: You can open the text file directly or save the file to a specified location.
■ Table: The data displays in the browser window in an HTML table format.
Sample HTML table output (figure not reproduced)
4 Click Download Logfile.
To clear the log file
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Reporting.
2 On the Download tab, click Clear Logs.
3 Confirm that you want to clear the application log.
For Windows 2000 Server/Server 2003, clearing the log file causes all of the application logs to be cleared, not just those for the Symantec AntiVirus Scan Engine.
Obtaining summary data from the local logs
You can obtain summary data from the local logs for a given period of time. For the reported period, you can review the number of times that the scan engine started, the total number of viruses that were found, and the total number of viruses that were repaired. You can also review the virus types that were found during the reported period and the number of times that each type was found.
To obtain summary data from the local logs
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Reporting.
2 On the Summary tab, type the start and end dates for the range on which you want to report.
Use the date format for your operating system locale.
3 Click Load Logs.
The log data for the requested period displays in the browser window.
Interpreting summary data from the local logs
Sample summary data from the local logs is shown in Figure 7-1.
Figure 7-1 Sample Summary report (figure callouts follow; the image is not reproduced)
■ Date and time that the report is generated
■ Total number of server starts, viruses found, and viruses repaired for the reported period
■ Virus types that were found by the scan engine during the reported period and the number of each type found
■ Clicking a column heading sorts summary results alphabetically or by ascending or descending frequency of occurrence
Generating scanning statistics from the billing logs
The Symantec AntiVirus Scan Engine maintains scanning statistics to support billing for antivirus scanning that is based on megabits-per-second-per-month and file-based billing schemes. Each time that a file is scanned, the Symantec AntiVirus Scan Engine submits scan statistics to an encrypted data file. You can examine these scanning statistics.
If you bill customers based on bandwidth consumption, you can use this bandwidth metering component to measure the number of megabits-per-second-per-month that are scanned by each Symantec AntiVirus Scan Engine.
The scan engine implements the 95th percentile bandwidth measurement scheme, making it easy for you to add an additional charge for antivirus scanning to existing megabits-per-second-per-month-based billing statements.
See “Understanding the 95th percentile bandwidth measurement” on page 130.
The Symantec AntiVirus Scan Engine also tracks each file that is scanned for file-based billing schemes.
Billing information is logged to a billing log file, symcsbps.dat. The default location for the file for Solaris and Linux is /var/log/symcsbps.dat. The default location for Windows 2000 Server/Server 2003 is C:\Program Files\Symantec\Scan Engine\symcsbps.dat. If you specified a different directory for the log files, the billing log file is located in that directory. The Symantec AntiVirus Scan Engine maintains scanning statistics for the previous eight months.
To generate scanning statistics from the billing logs
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Reporting.
2 On the Statistics tab, type the start and end dates for the range on which you want to report.
3 Click Generate Report.
The data for the requested period displays in the browser window.
Interpreting scanning statistics
The scanning statistics that are maintained by the Symantec AntiVirus Scan Engine support billing for antivirus scanning based on megabits-per-second-per-month and file-based billing schemes. You can examine these scanning statistics for a given time range in one of two ways. You can retrieve data via the Statistics tab on the Symantec AntiVirus Scan Engine administrative interface (recommended), or you can use the getstat utility, which also is included with the Symantec AntiVirus Scan Engine, to obtain statistical data via the command line.
See “Generating scanning statistics from the billing logs” on page 127.
A sample report that was generated through the administrative interface is shown in Figure 7-2.
Figure 7-2 Sample Statistics report (figure callouts follow; the image is not reproduced)
■ Total number of files that were scanned for the reported period
■ 95th percentile bandwidth measurement for the reported period
■ Number of files that were scanned for each 30-minute period
■ Calculated average KPS for each 30-minute period (identified by start time)
■ Clicking a column heading sorts the entries by that criterion
The total number of files that were scanned should not be interpreted strictly as a physical file count. This total includes the number of files as well as additional objects within container files that were scanned. Some containers, such as MIME-encoded messages and Microsoft Office documents, have additional embedded objects that are not files but that may be scanned depending on the files that you have selected for scanning (the extension list settings). The total does not include any objects within container files that were not scanned because the object’s extension did not match those that were selected for scanning.
For each 30-minute period that is in the specified date range, the total number of files that were scanned and the average KPS scanned for that 30-minute increment are reported. The 30-minute time periods are reported in Greenwich Mean Time (GMT).
Note: The getstat utility reports the 95th percentile bandwidth measurement as a bits-per-second (bps) measurement rather than a kilobytes-per-second (KPS) measurement as through the interface. For more information about how the 95th percentile measurement is calculated, see “Understanding the 95th percentile bandwidth measurement” on page 130.
Understanding the 95th percentile bandwidth measurement
The 95th percentile bandwidth measurement is based on a bits-per-second (bps) measurement. The Symantec AntiVirus Scan Engine tallies the number of bits for each file that is scanned in 30-minute increments. The average bps scanned for each 30-minute period is calculated and saved to the billing file. (Data is saved to the billing file every five minutes to prevent the loss of data in the event that the scan engine crashes.) The Symantec AntiVirus Scan Engine logs the average bps that are scanned for each of the 48 30-minute periods in a day.
To make a data retrieval request, you specify a date range for which to view scan engine utilization. When a request is made, the data entries for each 30-minute period in the specified date range are sorted from highest to lowest average bps scanned. Of these entries, the top 5 percent (with the highest average bandwidth scanned) represent spikes in usage and are discarded. The next highest reading is considered the 95th percentile bandwidth measurement.
Note: The 95th percentile bandwidth measurement scheme is designed for billing for maximum bandwidth use and assumes that a system is used continuously rather than being shut down and restarted routinely.
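The tally and the 95th percentile rule described above, worked through in code. This is an added example, not part of the Symantec manual and not the scan engine's own billing code (which writes an encrypted symcsbps.dat that this example does not read). It assumes that a 30-minute period with no scans is a zero reading rather than a missing one, that the number of discarded entries is rounded down when 5 percent of the entry count is fractional, and that the interface's KPS is kilobytes per second with 1 KB = 1024 bytes; the per-file scan records are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

PERIOD = timedelta(minutes=30)
PERIOD_SECONDS = PERIOD.total_seconds()  # 1800


def period_start(ts):
    """Floor a timestamp to the start of its 30-minute period, in GMT."""
    ts = ts.astimezone(timezone.utc)
    return ts.replace(minute=0 if ts.minute < 30 else 30, second=0, microsecond=0)


def periods_in_range(start, end):
    """Yield every 30-minute period from start (inclusive) to end (exclusive):
    48 per full day, matching the manual's per-day tally."""
    p = period_start(start)
    while p < end:
        yield p
        p += PERIOD


def tally(scans, start, end):
    """Build the per-period statistics the Statistics report shows.

    scans: iterable of (timestamp, bytes_scanned), one entry per scanned file.
    Returns {period_start: (files_scanned, average_bps)} for every period in
    [start, end). Average bps = bits scanned in the period / 1800 s.
    Assumption: a period with no scans is a zero reading, not a missing one.
    """
    files = defaultdict(int)
    bits = defaultdict(int)
    for ts, nbytes in scans:
        p = period_start(ts)
        files[p] += 1
        bits[p] += nbytes * 8
    return {p: (files[p], bits[p] / PERIOD_SECONDS)
            for p in periods_in_range(start, end)}


def percentile95_bps(stats):
    """Apply the manual's rule: sort the period averages from highest to
    lowest, discard the top 5 percent as spikes, and take the next reading.
    Assumption: when 5 percent of the entry count is fractional, the count
    of discarded entries is rounded down (48 periods -> 2 discarded)."""
    readings = sorted((avg for _, avg in stats.values()), reverse=True)
    if not readings:
        return 0.0
    discard = int(len(readings) * 0.05)
    return readings[discard]


def bps_to_kps(bps):
    """Convert getstat's bits-per-second figure to the interface's KPS.
    Assumption: KPS means kilobytes per second with 1 KB = 1024 bytes."""
    return bps / 8 / 1024


def sample_day():
    """Constructed sample input (not real billing data): one day of scans,
    2003-06-02 GMT. Baseline traffic rises through the day and three periods
    carry spikes, so the rule discards the two largest and bills the third."""
    day = datetime(2003, 6, 2, tzinfo=timezone.utc)
    spikes = {10: 1000, 20: 900, 30: 800}  # period index -> average bps
    scans = []
    for i in range(48):
        k = spikes.get(i, i + 1)  # average bps we want this period to show
        # 225 bytes * k = 1800 * k bits, which over 1800 s is exactly k bps
        t = day + i * PERIOD
        scans.append((t + timedelta(minutes=5), 100 * k))
        scans.append((t + timedelta(minutes=20), 125 * k))
    return scans, day, day + timedelta(days=1)


if __name__ == "__main__":
    scans, start, end = sample_day()
    stats = tally(scans, start, end)
    p95 = percentile95_bps(stats)
    print(f"{len(stats)} periods, {sum(f for f, _ in stats.values())} files scanned")
    print(f"95th percentile: {p95:.0f} bps ({bps_to_kps(p95):.4f} KPS)")
    for p, (files, avg) in sorted(stats.items())[:3]:
        print(p.strftime("%Y-%m-%d %H:%M GMT"), files, f"{avg:.1f} bps")
```

With the constructed day, the two largest spikes (1000 and 900 bps) are discarded and the billed figure is the 800 bps period, which is the point of the scheme: a handful of bursts does not set the bill, but sustained load does. The same rounding question matters for real ranges: a month of 48 periods per day gives 1440 entries, so 72 are discarded.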
Chapter 8
Configuring LiveUpdate
This chapter includes the following topics:
■ About LiveUpdate
■ Updating virus definitions
■ Scheduling LiveUpdate via the command line
■ Setting up your own LiveUpdate server
About LiveUpdate
LiveUpdate ensures that your network is not at risk of infection by newly discovered viruses. For Solaris and Linux, the Symantec AntiVirus Scan Engine features Symantec Java LiveUpdate technology, which is found in other Symantec antivirus products for these platforms. For Windows 2000 Server/Server 2003, a LiveUpdate client is installed with the Symantec AntiVirus Scan Engine. On all platforms, the Symantec AntiVirus Scan Engine can be updated with the latest virus definitions without any interruption of virus scanning.
Note: To run LiveUpdate on Solaris or Linux, you must have the Java Runtime Environment version 1.3.1 or later installed.
Updated virus definitions files, which contain the necessary information to detect and eliminate viruses, are supplied by Symantec at least every week and whenever a new virus threat is discovered. When new virus definitions files are available, the LiveUpdate technology automatically downloads the proper files and installs them in the proper location. If an error occurs, the Symantec AntiVirus Scan Engine attempts to roll back to the previous virus definitions and continue scanning. If the rollback is unsuccessful, scanning is disabled.
You can update virus definitions files and schedule LiveUpdate to run automatically so that you always have the most up-to-date protection.
See “Updating virus definitions” on page 132.
You can also schedule LiveUpdate via the command line, if necessary.
See “Scheduling LiveUpdate via the command line” on page 133.
Updating virus definitions
You can schedule LiveUpdate to run automatically by scheduling LiveUpdate, and you can force LiveUpdate to run immediately to obtain updated virus definitions when necessary.
You can also get the date and revision number of the virus definitions updates that the Symantec AntiVirus Scan Engine is currently using. These display automatically on the LiveUpdate tab. You might need to know the current version that the scan engine is using for Symantec Service and Support. You can also determine the status of the last LiveUpdate attempt.
Scheduling LiveUpdate to update virus definitions automatically
Scheduling LiveUpdate to occur automatically at a specified time interval ensures that the Symantec AntiVirus Scan Engine always has the most current virus definitions. You should schedule LiveUpdate so that you do not have to remember to update virus definitions regularly.
Note: When you install a valid virus definitions update content license for the Symantec AntiVirus Scan Engine (for the first time or after the previous virus definitions update content license expired), an initial LiveUpdate attempt occurs automatically. Subsequent LiveUpdate attempts will occur automatically only if you schedule LiveUpdate.
When LiveUpdate is scheduled, LiveUpdate is invoked at the specified time interval relative to the LiveUpdate base time. The default LiveUpdate base time is the time that the scan engine was installed. You can change the LiveUpdate base time by editing the configuration file.
See “Changing the LiveUpdate base time” on page 199.
If you change the scheduled LiveUpdate interval, the interval adjusts based on the LiveUpdate base time.
To schedule LiveUpdate to update virus definitions automatically
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click LiveUpdate.
2 In the Enable scheduled updates list, select the desired interval.
This setting is Off by default.
3 Click Confirm Changes to save the configuration.
Updating virus definitions manually
When necessary, you can run LiveUpdate manually to force an immediate update of virus definitions. If you have scheduled LiveUpdate, the next scheduled LiveUpdate attempt occurs as directed.
To update virus definitions manually
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click LiveUpdate.
2 Click LiveUpdate Now.
The screen refreshes to indicate whether the LiveUpdate was successful. It may take a few minutes for the screen to refresh.
Scheduling LiveUpdate via the command line
You can also schedule LiveUpdate via the command line to ensure that the Symantec AntiVirus Scan Engine always has the most current virus definitions.
On Solaris and Linux, virus definitions updates can be scheduled using the UNIX cron scheduler and a shell script.
The cslive.exe client can be run from the command line to update virus definitions for the Symantec AntiVirus Scan Engine for Windows 2000 Server/Server 2003.
Schedule LiveUpdate via the command line
You can schedule LiveUpdate on UNIX and Windows platforms via the command line.
To schedule LiveUpdate via the UNIX cron scheduler (Solaris and Linux)
1 Create a user called symantec.
2 Open the /etc/group file and type symantec at the end of the avdefs line.
For more information, see the group man pages.
3 Change directories to /etc/cron.d.
4 Create a file called cron.allow.
This file contains the list of users who are allowed to use cron services.
5 Add the following line to the file:
symantec
For more information, see the cron and crontab man pages.
6 Run crontab -e symantec, and type the following line:
0 * * * * /usr/bin/sh /opt/SYMCScan/bin/liveupdate.sh -virusdefs -silent > /dev/null
The cron scheduler will run the LiveUpdate script once per hour. For more information, see the cron and crontab man pages.
To run LiveUpdate on Windows 2000 Server/Server 2003
◆ At the command prompt, type one of the following commands:
■ cslive.exe /virusdefs /silent: Run LiveUpdate in silent mode (displays no prompting or display indicator).
■ cslive.exe /virusdefs: Run LiveUpdate and display a progress indicator.
LiveUpdate should be scheduled to run periodically (at least weekly) by using the Windows at command. For example:
at 02:00 /every:M "C:\Program Files\Symantec\Scan Engine\cslive.exe" /virusdefs /silent
This command runs LiveUpdate every Monday at 2:00 A.M. with no user intervention (/silent). The at command takes the schedule switch as /every:, and the command path must be quoted because it contains spaces.
Setting up your own LiveUpdate server
Depending on your network setup and the number of Symantec AntiVirus Scan Engines that you have installed on your network, you might want to set up your own LiveUpdate server rather than have each scan engine on your network contact Symantec servers.
For more information, see the LiveUpdate Administration Utility, which is included on the Symantec AntiVirus Scan Engine CD.
If you set up your own LiveUpdate server, you will need to edit the LiveUpdate configuration for the Symantec AntiVirus Scan Engine to point to the local LiveUpdate server. For Solaris and Linux, the Symantec AntiVirus Scan Engine LiveUpdate configuration file contains the configuration options for LiveUpdate. (The default location is /etc/liveupdate.conf.) For Windows 2000 Server/Server 2003, a LiveUpdate client, cslive.exe, is installed with the Symantec AntiVirus Scan Engine. Contact Symantec Service and Support for more information.
Chapter 9
Customizing log entries
This chapter includes the following topics:
■ About the message string file
■ Editing the message string file
■ Preserving customized text during an upgrade
■ About the 1000-series message strings
■ About the 2000-series message strings
■ About the 4000-series message strings
■ Editing the ICAP access denied message
About the message string file
Symantec AntiVirus Scan Engine log entries can be customized by editing the message string file.
The message string numbers in the file identify the classification of the message string. The message strings are numbered as follows:
■ 1000 series: Message strings that are numbered in this manner are used to build the SNMP, SMTP, and local log entries. Log entries are generated for many activities, including startup, shutdown, virus definitions updates, infections found, and so on.
See Table 9-1, “Message string definitions,” on page 139.
■ 2000 series: Message strings that are numbered in this manner are used to update email messages when an infected attachment is found and repaired or deleted (because it cannot be repaired). This type of message notifies the recipient of a scanned email message that one or more attachments that were contained in the message were infected. Variables can be used to customize these log messages.
See Table 9-2, “Default message text for MIME-encoded messages,” on page 146.
■ 4000 series: Message strings that are numbered in this manner are used to build other log entries.
See Table 9-4, “Default log text,” on page 149.
Editing the message string file
Unless you have changed the location and file name of this file, the default location for Solaris and Linux is /opt/SYMCScan/etc/symcsmsg.dat. For Windows 2000 Server/Server 2003, the default location is C:\Program Files\Symantec\Scan Engine\symcsmsg.dat.
To edit the Symantec AntiVirus Scan Engine message string file
1 Locate the Symantec AntiVirus Scan Engine message string file and open it with a text editor.
2 Make your changes to the file.
3 Save the changes to the file.
4 Stop and restart the Symantec AntiVirus Scan Engine.
Preserving customized text during an upgrade
You can upgrade the Symantec AntiVirus Scan Engine from 4.0.X or later without first uninstalling the previous version. Installing the upgrade over the existing installation preserves any customizations that you have made to the message string file, symcsmsg.dat.
Changes that occur to the message string file as a result of an upgrade are handled in the following manner:
■ New message strings that are specific to the upgrade (those with new message ID numbers) are appended to the message string file.
■ If an existing message string (one with an existing message ID) has been changed as part of the upgrade to the Symantec AntiVirus Scan Engine, the existing message string is commented out in the message string file so that any customizations are preserved in the file. The updated message is appended to the file, but is not commented out.
If you have customized any message strings in the message string file, you should edit the string file after installing the upgrade to reconcile the new text with your customized text.
About the 1000-series message strings
In most cases, you will not need to edit the message strings, but you can customize log messages for the Symantec AntiVirus Scan Engine if necessary.
Double-byte characters are supported for the scan engine message string text.
For each message string file entry, the text that follows the space after the string number and before the *** can be edited.
Each string file entry that is used in generating Symantec AntiVirus Scan Engine log messages is described in Table 9-1.
Table 9-1 Message string definitions
Number  Default message text (the description follows on the indented line)
1001  Scan Engine IP address:<IPaddress>
      The IP address of the Symantec AntiVirus Scan Engine that is the subject of the log message
1002  Scan Engine port number:<portnumber>
      The port number of the Symantec AntiVirus Scan Engine that is the subject of the log message
1003  Scan Engine virus fingerprint date (revision):<virus fingerprintdate>
      The date on which the virus definitions that are the subject of the log message were created (for virus update or update error), along with the virus definitions revision number
1004  Scan Engine threshold queue size:<queuesize>
      The threshold queue size for the Symantec AntiVirus Scan Engine that is the subject of the log message
1005  Scan Engine number of queued items:<queueditems>
      The number of queued scan requests for the Symantec AntiVirus Scan Engine at the time of the reported event
1006  Date/time of event:<date/time>
      The date and time of the reported event (Symantec AntiVirus Scan Engine crash, startup, shutdown, and so on)
1007  System uptime (in seconds):<time>
      The amount of time (at the time of the log entry) that the Symantec AntiVirus Scan Engine has been running since the last crash or since startup
1008  Scan Engine Crash Alert
      Subject of the Symantec AntiVirus Scan Engine Crash Alert
1009  The Scan Engine has crashed.
      Message body text for the Symantec AntiVirus Scan Engine Crash Alert
1010  Scan Engine Startup Alert
      Subject of the Symantec AntiVirus Scan Engine Startup Alert
1011  The Scan Engine has just started up.
      Message body text for the Symantec AntiVirus Scan Engine Startup Alert
1012  Scan Engine Shutdown Alert
      Subject of the Symantec AntiVirus Scan Engine Shutdown Alert
1013  The Scan Engine has been manually shut down.
      Message body text for the Symantec AntiVirus Scan Engine Shutdown Alert
1014  Scan Engine Virus Definition Update Alert
      Subject of the Symantec AntiVirus Scan Engine Virus Definition Update Alert
1015  The Scan Engine has updated its virus definitions.
      Message body text for the Symantec AntiVirus Scan Engine Virus Definition Update Alert
1016  Scan Engine Queue Overflow
      Subject of the Symantec AntiVirus Scan Engine Load Exceeded Alert
1017  The Scan Engine queue is backing up due to a large number of requests.
      Message body text for the Symantec AntiVirus Scan Engine Load Exceeded Alert
1018  Scan Engine Virus Definition Error Alert
      Subject of the Symantec AntiVirus Scan Engine Virus Definition Error Alert, which is issued when an error occurs in updating the virus definitions and scanning is disabled
1019  There was an error loading/finding the Scan Engine virus definitions. All scanning will be disabled.
      Message body text for the Symantec AntiVirus Scan Engine Virus Definition Update Error Alert, which is issued when an error occurs in updating the virus definitions and scanning is disabled
1020  Scan Engine Virus Definitions Update Failure Alert
      Subject of the Symantec AntiVirus Scan Engine Virus Definitions Update Failure Alert, which is issued when an error occurs in updating the virus definitions but scanning continues using the previous virus definitions
1021  There was an error loading/finding new Scan Engine virus definitions. Scanning will continue using the original definitions.
      Message body text for the Symantec AntiVirus Scan Engine Virus Definitions Update Failure Alert, which is issued when an error occurs in updating the virus definitions but scanning continues using the previous virus definitions
1022  Scan Engine Virus Definitions Update and Rollback Failure Alert
      Subject of the Symantec AntiVirus Scan Engine Virus Definitions Update and Rollback Failure Alert, which is issued when an error occurs in updating the virus definitions and rollback to the previous virus definitions is unsuccessful
1023  There was an error loading/finding new Scan Engine virus definitions. An attempt to roll back to the previous definitions has also failed. All scanning will be disabled.
      Message body text for the Symantec AntiVirus Scan Engine Virus Definitions Update and Rollback Failure Alert, which is issued when an error occurs in updating the virus definitions and rollback to the previous virus definitions is unsuccessful
1024  The Scan Engine has resumed scanning using its previous virus definitions.
      Message body text for the log entry that is issued when an error occurs in updating the virus definitions, stating that scanning will continue using the previous virus definitions
1025  Scan Engine Infection Found Alert
      Subject of the Symantec AntiVirus Scan Engine Infection Found Alert
1026  Scan Engine Non-repairable Infection Found Alert
      Subject of the Symantec AntiVirus Scan Engine Nonrepairable Infection Found Alert
1027  The infection that has been found cannot be repaired.
      Message body text for the Symantec AntiVirus Scan Engine Nonrepairable Infection Found Alert
1028  Virus name:
      Message body text that states the virus name for both the Infection Found Alert and the Nonrepairable Infection Found Alert. The Symantec AntiVirus Scan Engine automatically inserts the virus name.
1029  Virus ID:
      Message body text that states the virus ID number for both the Infection Found Alert and the Nonrepairable Infection Found Alert. The Symantec AntiVirus Scan Engine automatically inserts the virus ID.
1030  Disposition:
      Message body text that states the disposal method of the infected file for both the Infection Found Alert and the Nonrepairable Infection Found Alert. The Symantec AntiVirus Scan Engine automatically inserts the disposal method for the file.
1031  An infection has been found but no repair has been attempted.
      Message body text for the Infection Found Alert when the Symantec AntiVirus Scan Engine is configured to scan files but not to attempt repairs
1032  The infection has been found and repaired.
      Message body text for the Infection Found Alert when the infected file can be repaired and the Symantec AntiVirus Scan Engine is configured to repair infected files
1033  The infection has been found and the infected file has been deleted.
      Message body text for the Infection Found Alert when the Symantec AntiVirus Scan Engine is configured to delete infected files
1035  Scan Engine mail policy initialization error
      Subject of the Symantec AntiVirus Scan Engine mail policy initialization error log entry
1036  There was an error loading/finding the Scan Engine mail policy configuration files. Please correct the problem and restart the Scan Engine.
      Message text for the Symantec AntiVirus Scan Engine Mail Policy Initialization Error log entry, which is issued when a mail policy configuration file is missing
1037  Symantec AntiVirus Scan Engine Logging Stopped
      Message text for the log entry that is issued when logging stops for the Symantec AntiVirus Scan Engine because the scan engine has been shut down or has crashed
1038  A license is about to expire:
      Message body text for the Scan Engine Licensing Alert when a Symantec AntiVirus Scan Engine license is about to expire (within 30 days of its expiration date)
1039  A license has expired:
      Message body text for the Scan Engine Licensing Alert when a Symantec AntiVirus Scan Engine license has expired. This alert is generated only while the scan engine is operating in the grace period.
1040  Scan Engine Licensing Alert
      Subject of the Scan Engine Licensing Alert
1041  Feature Name:
      Message body text that states the feature name for the license that is the subject of the Scan Engine Licensing Alert
1042  Expiration Date:
      Message body text that states the expiration date for the license that is the subject of the Scan Engine Licensing Alert
1043  Consult the License Status page for more information.
      Additional message body text for the Scan Engine Licensing Alert, which is issued when a Symantec AntiVirus Scan Engine license has expired or is about to expire
1046  Virus definitions successfully rolled back to previous definitions.
      Message text for the log entry that is issued when an error occurs in updating the virus definitions and the rollback to the previous virus definitions is successful
1050  BAD_FILE_NAME
      Message text that replaces <file name> for a file for which the Symantec AntiVirus Scan Engine was unable to determine the proper character encoding
1051  /BAD_COMPONENT_NAME
      Message text that replaces <file name> for a file within a container for which the Symantec AntiVirus Scan Engine was unable to determine the proper character encoding
1060  Client SID:
      Message text that provides the Security Identifier of the user who requested an infected file from an RPC client. This log entry is used only when you have selected RPC as the communication protocol and the RPC client is running an appropriate operating system and version.
1061  Client IP:
      Message text that provides the IP address of the computer from which an infected file was requested. This log entry is used only when you have selected RPC as the communication protocol and the RPC client is running an appropriate operating system and version.
1062  Client Computer:
      Text that provides the host name of the computer from which an infected file was requested. This log entry is used only when you have selected RPC as the communication protocol and the RPC client is running an appropriate operating system and version.
1101  CLEAN
      Message body text that appears to the right of Disposition to indicate that no virus has been found
1102  NOT REPAIRED
      Message body text that appears to the right of Disposition to indicate that a virus has been found, but the infected file has not been repaired
1103  PARTIALLY REPAIRED
      Message body text that appears to the right of Disposition to indicate that multiple viruses have been found, but not all of the viruses could be eliminated from the infected file
1104  REPAIRED
      Message body text that appears to the right of Disposition to indicate that a virus has been found and the file has been repaired
1105  BLOCKED
      Message body text that appears to the right of Disposition to indicate that a virus has been found and the file was blocked
1110  DELETED
      Message body text that appears to the right of Disposition to indicate that a virus has been found, but the file could not be repaired and has been deleted
About the 2000-series message strings
The 2000-series strings are used to update email messages when an infected attachment is found and repaired or deleted because it cannot be repaired.
These message strings are intended to notify the recipient of a scanned email message that one or more attachments that were contained in the message were infected.
Note: To add this type of message to MIME-encoded messages, the Symantec AntiVirus Scan Engine must be configured to update messages in this manner.
See “Inserting text into MIME-encoded messages” on page 104.
The message strings that are used to update MIME-encoded messages are described in Table 9-2.
Table 9-2 Default message text for MIME-encoded messages
Number  Default message text (the description follows on the indented line)
2000  ALERT!!! This e-mail contained one or more infected files. The following attachments were infected and have been repaired: <listofinfectedfiles>. The following infected attachments were deleted: <listofdeletedfiles>. The following infected attachments were blocked because of Mail Policy violations: <listofblockedfiles>. You may wish to contact the sender to notify them about their infected files. Thank you. ---- Original message text follows ----
      This message text is inserted into the body of MIME-encoded, text-only messages when an infected attachment is found and repaired or deleted from the message. Message strings 2000 and 2001 should be identical so that the inserted message is consistent. <listofinfectedfiles> is generated by the variable **R; <listofdeletedfiles> is generated by the variable **D; and <listofblockedfiles> is generated by the variable **P. See Table 9-3, “Variables for customizing message strings,” on page 149.
2001  Repeat of message string 2000
      Message text that is inserted into the body of MIME-encoded messages that contain HTML when an infected attachment is found and repaired or deleted from the message. The default message text is the same for message strings 2000 and 2001. These two messages should be consistent.
2002  No attachments are in this category.
      Text that is inserted into message string 2000 or 2001 when no attachments are applicable for the variables **D, **R, or **P.
2003  Mail Policy Block (Attachment Name)
      Text that replaces the <virusname> variable in message string 4000 when an attachment is deleted because it violates the mail policy that was established for attachment file names.
2004  Mail Policy Block (Attachment Size)
      Text that replaces the <virusname> variable in message string 4000 when an attachment is deleted because it violates the mail policy that was established for attachment file size.
2005  Mail Policy Block (Message Size)
      Text that replaces the <virusname> variable in message string 4000 when an email message is blocked because it violates the mail policy for message size.
2006  Mail Policy Block (Subject Block)
      Text that replaces the <virusname> variable in message string 4000 when an email message is blocked because it violates the mail policy for subject lines.
2007  Mail Policy Block (Domain Block)
      Text that replaces the <virusname> variable in message string 4000 when an email message is blocked because it violates the mail policy for message origin.
2008  Mail Policy Block (Partial Mime Block)
      Text that replaces the <virusname> variable in message string 4000 when an email message is blocked because it violates the mail policy for partial MIME message content.
2009  Mail Policy Block (Can’t delete attachment, blocking message)
      Text that replaces the <virusname> variable in message string 4000 when an email message is blocked because the attachment that violated the mail policy could not be deleted.
2010  DELETED**C.TXT
      File name for the file that is substituted in a MIME-encoded message for any attachment that is deleted because it contains an unrepairable virus. When a message contains more than one infected file, a separate DELETED**C.TXT file is created for each file. The files are numbered sequentially beginning with 0 and use the **C variable in the file name. Note: If you are using the native protocol, AVSCANREPAIRDELETE must be used for DELETED**C.TXT to replace deleted files. If you are using ICAP, the scan policy must be set to Scan and repair or delete. The Symantec AntiVirus Scan Engine must be configured to delete any infected attachments from MIME-encoded messages.
2011  file attachment: The file attached to this email was removed because it is infected with the <virusname> virus.
      Text that is contained in the DELETED**C.TXT file, which is substituted in a MIME-encoded message for any attachment that is deleted because it contains an unrepairable virus.
Several variables can be used to customize the 2000 and 2001 message strings. These variables are described in Table 9-3.
Table 9-3 Variables for customizing message strings
Variable  Description
**N   Moves to the next line (text only)
<br>  Moves to the next line (HTML only)
**R   Displays a list of all of the infected attachments that have been repaired for a message
**D   Displays a list of all of the infected attachments that have been deleted for a message because they could not be repaired
**I   Displays a list of all of the infected attachments that were identified for a message, whether they were deleted or repaired
**P   Displays a list of all of the attachments that were deleted for a message because of mail policy violations
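The substitution of the Table 9-3 variables into a 2000/2001-style notice, together with the per-message numbering of DELETED**C.TXT and the <virusname> fill of string 2011 (Table 9-2), as an added example that is not code from the product or from this guide. The template, attachment names and virus names are constructed, and the ", " separator used to join a list variable is the example's own assumption, since the guide does not state how the engine joins list items.

```python
"""Expand the variables of the 2000-series notification strings (Table 9-3)
and build the DELETED**C.TXT replacement files (strings 2010 and 2011).

Added example; not code from the product or from this guide. The template,
attachment names and virus names are constructed sample data. The guide does
not say how the engine joins the items of a list variable, so ', ' is this
example's own choice.
"""

NO_ATTACHMENTS = "No attachments are in this category."  # message string 2002

# Constructed text-only template in the style of message string 2000.
TEMPLATE_2000 = (
    "ALERT!!! This e-mail contained one or more infected files.**N"
    "The following attachments were infected and have been repaired: **R.**N"
    "The following infected attachments were deleted: **D.**N"
    "The following infected attachments were blocked because of Mail Policy "
    "violations: **P.**N"
    "Thank you.**N"
    "---- Original message text follows ----"
)

# Message strings 2010 and 2011 as listed in Table 9-2.
PLACEHOLDER_NAME = "DELETED**C.TXT"
PLACEHOLDER_BODY = ("file attachment: The file attached to this email was "
                    "removed because it is infected with the <virusname> virus.")


def _attachment_list(names):
    """Render one list variable; an empty list becomes message string 2002."""
    return ", ".join(names) if names else NO_ATTACHMENTS


def render_notice(template, repaired, deleted, blocked, html=False):
    """Substitute **R, **D, **P and **I, then the line-break variable.

    Text-only messages (string 2000) break lines with **N, HTML messages
    (string 2001) with <br>; both are accepted so one template serves both.
    **I is every infected attachment, whether repaired or deleted.
    """
    identified = list(repaired) + list(deleted)
    text = (template.replace("**R", _attachment_list(repaired))
                    .replace("**D", _attachment_list(deleted))
                    .replace("**P", _attachment_list(blocked))
                    .replace("**I", _attachment_list(identified)))
    newline = "<br>" if html else "\n"
    return text.replace("**N", newline).replace("<br>", newline)


def deleted_placeholders(deleted):
    """For each deleted (attachment name, virus name) pair return the
    replacement file as (file name, body): **C counts from 0 per message and
    <virusname> in string 2011 is filled with the detected virus name."""
    files = []
    for counter, (_attachment, virus) in enumerate(deleted):
        files.append((PLACEHOLDER_NAME.replace("**C", str(counter)),
                      PLACEHOLDER_BODY.replace("<virusname>", virus)))
    return files


if __name__ == "__main__":
    # Constructed sample: one attachment repaired, two deleted, none blocked.
    deleted = [("invoice.exe", "Sample.Virus.A"), ("photo.scr", "Sample.Worm.B")]
    print(render_notice(TEMPLATE_2000, ["report.doc"],
                        [name for name, _ in deleted], []))
    for name, body in deleted_placeholders(deleted):
        print(name, "->", body)
```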
About the 4000-series message strings
The 4000-series message strings are used in log entries (when logging options are enabled). These message strings are described in Table 9-4.
Table 9-4 Default log text
Number  Default log text (the description follows on the indented line)
4000  A mail policy violation has been detected.<filename:virus name>
      A virus was detected or an attachment or mail message was blocked because of a mail policy violation. Appropriate logging must be enabled.
4001  A file has been received and scanned. <filename>
      A file was scanned. The Verbose logging level must be selected to induce logging for every file that is scanned.
4002  Error trying to send an SMTP/SNMP/POPUP alert.
      Delivery of an SMTP, SNMP, or POPUP log message failed, for example, if the SMTP server was unreachable.
4005  The Scan Engine was unable to notify the filer that the scan had completed after the maximum number of retries. Filer at <IPaddress>
      The Symantec AntiVirus Scan Engine successfully completed a scan after the maximum number of retries but was unable to notify the RPC client.
4010  was
      Used in message string 4012 to indicate that a file was infected but is no longer infected because it has been repaired.
4011  is
      Used in message string 4012 to indicate that a file was infected and is still infected because no repair has been attempted or it cannot be repaired.
4012  File %s %s infected with virus %s.
      Used when an infection is found to indicate the name of the infected file, whether the file was or is still infected, and the virus name.
4013  A license is about to expire. Feature: %s, expiration date: %s.
      Used when a license is about to expire to indicate the feature activated by the license and the expiration date of the license.
4014  A license has expired. Feature: %s, expiration date: %s.
      Used when a license has expired to indicate the feature that is activated by the license and the expiration date of the license.
4015  Container limit exceeded (container depth)
      Used when the specified maximum number of nested levels to be decomposed for scanning is exceeded.
4016  Container limit exceeded (extract time)
      Used when the specified maximum amount of time that is spent decomposing a container file and its contents is exceeded.
4017  Container limit exceeded (file size)
      Used when the specified maximum file size for individual files in a container file is exceeded.
4018  A container limit violation has been detected.
      Used when a container limit violation has occurred.
4019  An Error occurred while trying to replace an infected file with the repaired copy. File: <filename>
      Used when an error occurs in replacing an infected file with the repaired copy to indicate the file name.
4020  Malformed Container (File not scanned)
      Used when the Symantec AntiVirus Scan Engine detects a malformed container and is configured to reject malformed containers.
4030  Detect viruses
      Rule defined exclusively for logging events to SESA to scan files.
4031  Repair viruses
      Rule defined exclusively for logging events to SESA to scan files and repair infected files.
4032  Delete viruses
      Rule defined exclusively for logging events to SESA to scan and delete infected files.
4033  Repair or delete viruses
      Rule defined exclusively for logging events to SESA to scan files, repair infected files when possible, and delete infected files that cannot be repaired.
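Consuming these entries on the monitoring side, as an added example that is not code from the product or from this guide: it parses 4012 lines by the 4010/4011 tokens ("was" means repaired, "is" means still infected) and 4000 lines, whose <virusname> slot can carry a Mail Policy Block reason (strings 2003 to 2009) rather than a virus name. The sample log lines are constructed; the timestamp prefix and the filename:reason rendering of string 4000 are this example's assumptions.

```python
"""Classify 4000-series log lines: 4012 infection entries ("File %s %s
infected with virus %s.", where the second %s is 4010 "was" or 4011 "is")
and 4000 mail policy entries, whose <virusname> slot carries a Mail Policy
Block reason (strings 2003 to 2009) rather than a virus name.

Added example; not code from the product or from this guide. The log lines
are constructed; the guide gives the message text but not the log framing, so
the timestamp prefix and the '<filename>:<virus name>' rendering of string
4000 are this example's assumptions.
"""
import re

# 4012: file names may contain spaces, so match lazily up to " was|is infected".
INFECTION_RE = re.compile(
    r"File (?P<file>.+?) (?P<state>was|is) infected with virus (?P<virus>.+)\.$")
POLICY_PREFIX = "A mail policy violation has been detected."


def parse_entry(line):
    """Return a dict describing the entry, or None for lines that are neither
    a 4012 infection entry nor a 4000 mail policy entry."""
    m = INFECTION_RE.search(line)
    if m:
        return {"kind": "infection", "file": m["file"], "virus": m["virus"],
                "still_infected": m["state"] == "is"}  # 4011 "is" = not repaired
    idx = line.find(POLICY_PREFIX)
    if idx >= 0:
        detail = line[idx + len(POLICY_PREFIX):]
        # rpartition: the reason text never contains ':' but a file name may
        # (for example a Windows drive letter).
        file, _, reason = detail.rpartition(":")
        return {"kind": "policy", "file": file, "reason": reason}
    return None


def summarize(lines):
    """Count repaired, still-infected and policy-blocked files and collect the
    still-infected ones, which need follow-up on the requesting client."""
    summary = {"repaired": 0, "still_infected": 0, "policy_blocked": 0,
               "follow_up": []}
    for line in lines:
        rec = parse_entry(line)
        if rec is None:
            continue
        if rec["kind"] == "policy":
            summary["policy_blocked"] += 1
        elif rec["still_infected"]:
            summary["still_infected"] += 1
            summary["follow_up"].append((rec["file"], rec["virus"]))
        else:
            summary["repaired"] += 1
    return summary


# Constructed sample log lines (timestamp prefix assumed).
SAMPLE_LOG = [
    "2003-06-02 14:05:11 File quarterly report.doc was infected with virus Sample.Macro.A.",
    "2003-06-02 14:05:12 File C:\\inbox\\setup.exe is infected with virus Sample.Worm.B.",
    "2003-06-02 14:05:13 A mail policy violation has been detected.C:\\inbox\\big.zip:Mail Policy Block (Attachment Size)",
    "2003-06-02 14:05:14 A file has been received and scanned. notes.txt",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```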
Editing the ICAP access denied message
When ICAP is being used, the Symantec AntiVirus Scan Engine displays an HTML text message to a user when a requested file is blocked. Access to a file is blocked when the file contains a virus and cannot be repaired. The default text indicates that access is denied because the file contained a virus.
For Solaris and Linux, the default location and file name of the HTML file is /opt/SYMCScan/etc/symcsinf.htm. For Windows 2000 Server/Server 2003, the default location and file name of the file is C:\Program Files\Symantec\Scan Engine\SYMCSINF.htm.
You can customize the text that is displayed in one of the following ways:
■ Edit the ICAP access denied HTML file.
■ Specify an alternate HTML file. See “Configuring ICAP” on page 59.
The default text that is contained in the ICAP access denied message is described in Table 9-5.
Table 9-5 Default text for ICAP access denied message
Default text: The content you just requested had a problem and was blocked by the Symantec AntiVirus Scan Engine based on local administrator settings. Contact your local administrator for further information.
Description: Text contained in the symcsinf.htm file, which is displayed to the user when a requested file contains a virus and cannot be repaired
To edit the ICAP access denied message
1 Locate the Symantec AntiVirus Scan Engine ICAP access denied HTML file and open it with a text editor.
2 Make your changes to the file.
3 Save the file.
4 Stop and restart the Symantec AntiVirus Scan Engine.
Chapter 10
Integrating the Symantec AntiVirus Scan Engine with SESA
This chapter includes the following topics:
■ About SESA
■ Configuring logging to SESA
■ Scan engine events that are logged to SESA
■ Interpreting scan engine events in SESA
■ Uninstalling the SESA integration components
■ Uninstalling the local SESA Agent
About SESA
In addition to local logging for the Symantec AntiVirus Scan Engine, you can also choose to log virus-related events to the Symantec Enterprise Security Architecture (SESA). SESA is an underlying software infrastructure and a common user interface framework. It integrates multiple Symantec Enterprise Security products and third-party products to provide a central point of control of security within an organization. It provides a common management framework for SESA-enabled security products, such as the Symantec AntiVirus Scan Engine, that protect your IT infrastructure from malicious code, intrusions, and blended threats.
SESA helps you increase your organization’s security posture by simplifying the task of monitoring and managing the multitude of security-related events and products that exist in today’s corporate environments. SESA includes an event management system that employs data collection services for events generated on computers that are managed by Symantec security products. The event categories and classes include antivirus, content filtering, network security, and systems management. The range of events varies depending on the Symantec applications that are installed and managed by SESA.
You can monitor and manage these security-related events through the SESA Console. The SESA Console is the common user interface that provides manageable integration of security technologies (Symantec or otherwise), Symantec Security Services, and Symantec Security Response. You can query, filter, and sort data to reduce the security-related events that you see through the SESA Console, which allows you to focus on threats that require your attention. You can configure alert notifications in response to events, and generate, save, and print tabular and graphical reports of event status, based on filtered views that you have created.
The Symantec Enterprise Security Architecture is purchased and installed separately. SESA must be installed and working properly before you configure the Symantec AntiVirus Scan Engine to log events to SESA.
For more information, see the SESA documentation.
Configuring logging to SESA
The logging of virus-related events to the Symantec Enterprise Security Architecture (SESA) is in addition to the local logging features for the Symantec AntiVirus Scan Engine. Logging to SESA is activated independently of local logging. If you have purchased SESA, you can choose to send a subset of the virus-related events logged by the scan engine to SESA.
See “Scan engine events that are logged to SESA” on page 162.
To configure logging to SESA, you must complete the following steps:
■ Configure SESA to recognize the Symantec AntiVirus Scan Engine. In order for SESA to receive events from the scan engine, you must run the SESA Integration Wizard that is specific to the Symantec AntiVirus Scan Engine on each computer that is running the SESA Manager. The SESA Integration Wizard installs the appropriate integration components for identifying the individual security product (in this case, the Symantec AntiVirus Scan Engine) to SESA. See “Configuring SESA to recognize the Symantec AntiVirus Scan Engine” on page 155.
■ Install a local SESA Agent on the computer that is running the Symantec AntiVirus Scan Engine. The local SESA Agent handles the communication between the scan engine and SESA. See “Installing the local SESA Agent” on page 156.
■ Configure the Symantec AntiVirus Scan Engine (through the scan engine administrative interface) to communicate with the local SESA Agent and to log virus-related events to SESA. See “Configuring the scan engine to log events to SESA” on page 161.
Configuring SESA to recognize the Symantec AntiVirus Scan Engine
To configure SESA to receive events from the Symantec AntiVirus Scan Engine, run the SESA Integration Wizard that is specific to the Symantec AntiVirus Scan Engine on each computer that is running the SESA Manager. The SESA Integration Wizard installs the appropriate integration components for identifying the Symantec AntiVirus Scan Engine to SESA. You must run the SESA Integration Wizard for each SESA Manager computer to which you are forwarding events from the Symantec AntiVirus Scan Engine.
Each product that interfaces with SESA has a unique set of integration components. The integration components for all products that interface with SESA are available when you purchase SESA and are not distributed with the individual security products. Thus, the SESA Integration component is not part of the Symantec AntiVirus Scan Engine software distribution package.
To configure SESA to recognize the Symantec AntiVirus Scan Engine
1 On the computer on which the SESA Manager is installed, insert the Symantec AntiVirus Scan Engine distribution CD into the CD-ROM drive.
2 At the command prompt, change directories on the CD to the Tools\SESA_SIPI_Installers\SAVSE\ directory.
3 At the command prompt, type:
java -jar setup.jar
The SESA Integration Wizard starts.
4 Click Next until you see the SESA Domain Administrator Information window.
5 In the SESA Domain Administrator Information window, type the specific information about the SESA Domain Administrator and the SESA Directory.
SESA Domain Administrator Name: The name of the SESA Directory Domain Administrator account.
SESA Domain Administrator Password: The password for the SESA Directory Domain Administrator account.
IP Address of SESA Directory: The IP address of the computer on which the SESA Directory is installed (may be the same as the SESA Manager IP address if both are installed on the same computer). If you are using authenticated SSL instead of SESA default, anonymous SSL, you must enter the host name of the SESA Directory computer. For example, mycomputer.com. For more information on SESA default, anonymous SSL and upgrading to authenticated SSL, see the Symantec Enterprise Security Architecture Installation Guide.
SSL Port: The number of the SESA Directory secure port. The default port number is 636.
6 Follow the on-screen instructions to install the appropriate SESA integration components and complete the SESA Integration Wizard.
7 Repeat steps 1 through 6 on each SESA Manager computer to which you are forwarding Symantec AntiVirus Scan Engine events.
Installing the local SESA Agent
The local SESA Agent handles the communication between the Symantec AntiVirus Scan Engine and SESA and is installed on the same computer that is running the Symantec AntiVirus Scan Engine. The local SESA Agent is provided as part of the software distribution package for the Symantec AntiVirus Scan Engine. A separate install package for installing the Agent, agentinstaller, is located in the SESA_agent directory on the distribution CD for the Symantec AntiVirus Scan Engine.
If you have more than one SESA-enabled product installed on a single computer, these products can share a local SESA Agent. However, each product must register with the Agent. Thus, even if an Agent has already been installed on the computer for another SESA-enabled security product, you must run the installer to register the Symantec AntiVirus Scan Engine with the Agent.
The local SESA Agent is preconfigured to listen on the IP address 127.0.0.1 and port number 8086. The scan engine uses this information to communicate with the Agent. If you must change the IP address or port number for the Agent, you must do so through the SESA Console. (Once an Agent is installed, it is controlled through the SESA Console, even though it is running on the computer that is running the security product.) If you change the IP address or port number for the Agent, you must also update, through the Symantec AntiVirus Scan Engine administrative interface, the information that the scan engine uses to contact the Agent.
Note: To install the local SESA Agent, you must have Java Runtime Environment version 1.3.1 or later already installed. If not, the SESA Agent installation will fail.
See the SESA documentation for more information.
See “Configuring the scan engine to log events to SESA” on page 161.
Install the local SESA Agent
The installation procedures differ depending on the operating system on which the local SESA Agent will be installed.
To install the local SESA Agent on Windows 2000 Server/Server 2003
1 Log on to the computer on which you have installed the Symantec AntiVirus Scan Engine as administrator or as a user with administrator rights.
2 Copy the agentinstaller.exe file from the Symantec AntiVirus Scan Engine distribution CD onto the computer.
3 Run the .exe file.
4 Indicate that you agree with the terms of the Symantec license agreement, then click Next.
If you do not indicate that you agree, the installation is aborted.
5 Select the Symantec AntiVirus Scan Engine from the list of products to register with SESA.
Note: You can register only one product at a time. If you are installing the local SESA Agent to work with more than one Symantec product, you must run the installer again for each product.
6 Select the location in which to install the local Agent, then click Next.
The default location is C:\Program Files\Symantec\SESA.
7 In the Primary SESA Manager IP address or host name box, type the IP address or host name of the computer on which the primary SESA Manager is running.
If SESA is configured to use Anonymous SSL (the default setting), type the IP address of the primary SESA Manager. If SESA is configured to use Authenticated SSL, type the host name of the primary SESA Manager (for example, computer.company.com).
8 In the Primary SESA Manager port number box, type the port number on which the SESA Manager listens.
The default port number is 443.
9 If you are running a Secondary SESA Manager that is to receive events from the scan engine, do the following:
■ In the Secondary SESA Manager IP address or host name box, type the IP address or host name of the computer on which the Secondary SESA Manager is running.
■ In the Secondary SESA Manager port number box, type the port number on which the Secondary SESA Manager listens.
The default port number is 443.
10 In the Organizational unit distinguished name box, type the organizational unit distinguished name to which the Agent will belong.
If the organizational unit is unknown or not yet configured, this setting can be left blank. Use the format shown in the example: ou=Europe,ou=Locations,dc=SES,o=symc_ses
The domain(s) (dc=) portion of the path should correspond to the domain that is managed by the selected SESA Management Server.
11 Select one of the following to indicate whether the local SESA Agent should start automatically whenever the computer is restarted.
■ Start SESA Agent automatically: The local SESA Agent starts automatically each time the computer is restarted.
■ Do not start SESA Agent automatically: You must manually restart the local SESA Agent each time the computer is restarted.
12 Indicate whether the local SESA Agent should start immediately after the installation finishes.
If you indicate No, you must manually start the local SESA Agent after the installation is complete.
The installer proceeds from this point with the installation. When the installation is complete, the Agent is installed as a Windows 2000/2003 service and is listed as SESA AgentStart Service in the Services Control Panel.
To install the local SESA Agent on Solaris and Linux
1 Log on as root to the computer on which you have installed the Symantec AntiVirus Scan Engine.
2 Copy the agentinstaller.sh file from the Symantec AntiVirus Scan Engine distribution CD onto the computer.
3 Change directories to the location in which you copied the file.
4 Type the following command, then press Enter:
sh ./agentinstaller.sh
5 Indicate that you agree with the terms of the Symantec license agreement, then press Enter.
If you indicate No, the installation is aborted.
6 Select the Symantec AntiVirus Scan Engine from the list of products to register with SESA.
Note: You can register only one product at a time. If you are installing the Agent to work with more than one Symantec product, you must run the installer again for each product.
7 Select the location in which to install the local SESA Agent, then click Next.
The default location is /opt/Symantec/SESA.
8 Type the IP address or host name of the computer on which the primary SESA Manager is running.
If SESA is configured to use Anonymous SSL (the default setting), type the IP address of the primary SESA Manager. If SESA is configured to use Authenticated SSL, type the host name of the primary SESA Manager (for example, computer.company.com).
9 Type the port number on which the SESA Manager listens.
The default port number is 443.
10 If you are running a Secondary SESA Manager that is to receive events from the scan engine, do the following:
■ Type the IP address or host name of the computer on which the Secondary SESA Manager is running.
■ Type the port number on which the Secondary SESA Manager listens.
The default port number is 443.
11 Type the organizational unit distinguished name to which the Agent will belong.
If the organizational unit is unknown or not yet configured, this setting can be left blank. Use the format shown in the example: ou=Europe,ou=Locations,dc=SES,o=symc_ses
The domain(s) (dc=) portion of the path should correspond to the domain that is managed by the selected SESA Management Server.
12 Indicate whether the local SESA Agent should start automatically whenever the computer is restarted.
If you indicate No, you must manually restart the local SESA Agent each time the computer is restarted.
13 Indicate whether the local SESA Agent should start immediately after the installation finishes.
If you indicate No, you must manually start the local SESA Agent after the installation is complete.
The installer proceeds from this point with the installation. Unless you indicated otherwise during the installation, the local SESA Agent starts automatically when the installation is complete.
Stopping and restarting the local SESA Agent service
You may need to stop and restart the local SESA Agent.
Stop and restart the local SESA Agent service
Instructions for stopping and restarting the local service differ depending on the operating system that you are running. For Windows 2000 Server/Server 2003, you can stop and start the service in the Services Control Panel.
To stop and restart the local SESA Agent service on Solaris
◆ At the command prompt, do one of the following:
■ To stop the service, type the following command:
/etc/init.d/sesagentd stop
■ To start the service, type the following command:
/etc/init.d/sesagentd start
To stop and restart the local SESA Agent service on Linux
◆ At the command prompt, do one of the following:
■ To stop the service, type the following command:
/etc/init.d/sesagentd stop
■ To start the service, type the following command:
/etc/init.d/sesagentd start
Configuring the scan engine to log events to SESA
After you have installed the local SESA Agent to handle communication between the Symantec AntiVirus Scan Engine and SESA, you must configure the Symantec AntiVirus Scan Engine to communicate with the Agent by specifying the IP address and port number on which the Agent listens. You also can change the types of events that are logged to SESA. These settings are located on the Symantec AntiVirus Scan Engine administrative interface.
To configure the scan engine to log events to SESA
1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.
2 On the Logging tab, under Symantec Enterprise Security Architecture, in the SESA Logging level list, select the appropriate logging level.
Logging to SESA is not activated by default.
See “Logging levels” on page 109.
3 In the SESA agent IP address box, type the IP address on which the local SESA Agent listens.
The default setting is 127.0.0.1 (the loopback interface), which restricts connections to the same computer.
4 In the Port box, type the TCP/IP port number on which the local SESA Agent listens.
The port number that you enter here must match the port number on which the local SESA Agent listens. The default port is 8086.
5 Click Confirm Changes to save the configuration.
6 Do one of the following:
■ Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration.
If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.
■ Click Restart to save your changes and restart the scan engine service now.
■ Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)
Scan engine events that are logged to SESA
You can choose a logging level to specify the types of events that are logged to SESA. However, for each logging level, the events that are logged to SESA are a subset of the events that are normally logged by the Symantec AntiVirus Scan Engine for that logging level. When you activate logging to SESA, only certain events are forwarded to SESA.
See “Logging levels” on page 109.
No events are logged to SESA at the Error logging level.
Table 10-1 lists the Symantec AntiVirus Scan Engine events that are forwarded to SESA when the logging level is Warning.
Table 10-1 Events that are logged to SESA at the Warning logging level
Infection found: Logs all infections found in scanned files
Table 10-2 lists the Symantec AntiVirus Scan Engine events that are forwarded to SESA when the logging level is Information.
Table 10-2 Events that are logged to SESA at the Information logging level
Infection found: Logs all infections found in scanned files
Server start: Logs all instances of scan engine startup
Server stop: Logs all instances of scan engine shutdown
Virus definition update: Logs all instances of scan engine virus definitions updates
Interpreting scan engine events in SESA
SESA provides extensive event management capabilities. SESA provides common logging of normalized event data for SESA-enabled security products like the Symantec AntiVirus Scan Engine. The event categories and classes include antivirus, content filtering, network security, and systems management.
SESA also provides centralized reporting capabilities, including graphical reports. Currently, the events forwarded to SESA by the Symantec AntiVirus Scan Engine take advantage of the existing SESA infrastructure for antivirus-related events.
You can create alert notifications for certain events, including those generated by the Symantec AntiVirus Scan Engine. Notifications include pagers, SNMP traps, email, and operating system event logs. You can define the notification recipients, day and time ranges when specific recipients are notified, and custom data to accompany the notification messages.
For more information about interpreting events in SESA and on SESA’s event management capabilities, see the SESA documentation.
Uninstalling the SESA integration components
If the Symantec AntiVirus Scan Engine is no longer forwarding messages to SESA, you can uninstall the SESA integration components from each computer that is running the SESA Manager.
To uninstall the SESA integration components
◆ On the taskbar, click Start > Run, then type:
java -jar setup.jar -uninstall
Uninstalling the local SESA Agent
The local SESA Agent is automatically uninstalled when you uninstall the Symantec AntiVirus Scan Engine. If more than one product is using the Agent, the uninstall script will remove only the Symantec AntiVirus Scan Engine registration and leave the Agent in place. If no other security products are using the Agent, the uninstall script will uninstall the Agent as well.
Chapter 11
Using the Symantec AntiVirus Scan Engine command-line scanner
This chapter includes the following topics:
■ About the Symantec AntiVirus Scan Engine command-line scanner
■ Setting up a computer to submit files for scanning
■ Command-line scanner syntax and usage
About the Symantec AntiVirus Scan Engine command-line scanner
The Symantec AntiVirus Scan Engine command-line scanner is a multi-platform utility that works in conjunction with version 4.0.4 or later of the Symantec AntiVirus Scan Engine that is running on Windows 2000 Server/Server 2003, Solaris, or Linux platforms. The command-line scanner acts as a client to the Symantec AntiVirus Scan Engine through the scan engine application programming interface (API), which uses version 1.0 of the Internet Content Adaptation Protocol (ICAP), presented in RFC 3507 (April 2003).
The command-line scanner lets you send files to the Symantec AntiVirus Scan Engine to be scanned for viruses. The command-line scanner also lets you do the following:
■ Repair infected files and delete those that are unrepairable.
■ Recurse subdirectories for scanning multiple files.
■ Output information on command-line scanner and scan engine operation.
Setting up a computer to submit files for scanning
You can send files to the Symantec AntiVirus Scan Engine via the command line from the computer on which the Symantec AntiVirus Scan Engine is running or from a different computer. You can send files from a computer with a different operating system than the computer on which the scan engine is installed.
Note: Because files are sent to the Symantec AntiVirus Scan Engine for scanning, you can only specify files or directories for which you have appropriate permissions. To send files, you must have read access to the files. To repair (replace) or delete files, you must have permission to modify or delete files, as well as access to the directory in which the files are located.
The Symantec AntiVirus Scan Engine has been tested on the following platforms:
■ Windows 2000 Server and Windows Server 2003
■ Solaris 7 or later
■ Red Hat Linux version 7.3 or later
Note: To use the command-line scanner, you must select ICAP as the communication protocol for the Symantec AntiVirus Scan Engine.
If you are sending files from the same computer on which the Symantec AntiVirus Scan Engine is running, you do not need to install any additional files for the command-line scanner. The appropriate files are installed automatically during the installation of the scan engine.
If you plan to submit files for scanning from a different computer using the command-line scanner, you must copy certain files to an appropriate directory on each computer from which you plan to submit files to the scan engine.
You can obtain the files from the following locations:
■ In the Symantec AntiVirus Scan Engine distribution package, in the top-level Command_Line_Scanner directory
■ On the computer on which the Symantec AntiVirus Scan Engine is installed, in the Symantec AntiVirus Scan Engine installation directory, in the savsecls subdirectory
Note: The savsecls files are further organized into subdirectories by operating system. Use the files for the operating system of the computer from which you plan to submit files for scanning.
To set up a computer to submit files for scanning
1 Copy the entire contents of the directory for the appropriate operating system.
2 On the computer from which you plan to submit files for scanning, place the files in a directory location that is in the command prompt path.
Command-line scanner syntax and usage
The command-line scanner uses the following general syntax:
savsecls [-options] <path> [<path>...]
Specifying what to scan
The <path> parameter lets you specify one or more files or directories to scan, separated by spaces. Use the absolute or relative path. If the specified path is to a file, the file is scanned. If the path is to a directory, all of the files in the directory are scanned.
Note: Do not use a path with symbolic linking. The scan engine will not follow a symbolic link to a file.
You can specify any combination of files and directories. Separate multiple entries with a space. For example:
savsecls [-options] <pathtofile1> <pathtofile2> <pathtofile3>
You can specify any mounted file system, mount point, or mapped drive. For example:
C:\Work\Scantest.exe
/tim/export/home/
For both Windows and UNIX, follow the rules for your operating system for handling path names (including using special characters, quotation marks, or wildcard characters as necessary).
Note: If you have specified a directory for scanning and want to descend into subdirectories to scan additional files, you must also use the -recurse option.
See “Requesting recursive scanning” on page 175.
Because files are actually sent to the Symantec AntiVirus Scan Engine for scanning, you can only specify files or directories for which you have appropriate permissions. To send files, you must have read access to the files. To repair (replace) or delete files, you must have permission to modify or delete the files, as well as access to the directory in which the files are located.
If you do not specify a path, input data is read from STDIN and sent to the scan engine for scanning. After the scan, the data (either the original file, if it was clean, or the repaired file) is written to STDOUT. If a file is infected and cannot be repaired, no data is written to STDOUT.
Note: The command-line scanner handles DBCS-encoded names. These are converted to Unicode/UTF-8 before they are passed to the scan engine and are converted back to the locale of the server after scanning.
Supported options
The options that are supported by the command-line scanner are described in Table 11-3.
Table 11-3 Supported options for the command-line scanner
-server
Specify one or more scan engines for scanning files. Separate multiple entries with a semicolon. If you do not specify a scan engine, the server option defaults to the local host that is listening on the default port.
The format for each scan engine is <IPaddress:port>, where IPaddress is the DNS name or IP address of the computer on which the scan engine is running, and port is the port number on which the scan engine listens.
Note: When more than one scan engine is specified, the load balancing and failover features of the API are activated automatically.
See “Specifying the scan engine IP address and port” on page 170.
-mode
Optionally override the default antivirus scanning mode. If you do not specify a scanning mode, the scan policy defaults to scanrepairdelete (the repair of infected files is attempted, and files that cannot be repaired are deleted). This is the recommended setting.
If you do not want to use the default antivirus scanning mode, you can specify one of the following:
■ scan: Files are scanned, but no repair is attempted. Infected files are not deleted.
■ scanrepair: The repair of infected files is attempted. Files that cannot be repaired are not deleted.
See “Specifying the antivirus scanning mode” on page 171.
-verbose
Report detailed information on the file that is scanned. When this option is used, a line of output is printed to STDOUT for each file that is scanned. The information includes both the name of the file and the result of the scan, including the final disposition of the file.
See “Using the -verbose option” on page 172.
-details
Report detailed information regarding infections or violations that are found. When this option is used, a block of text is printed to STDOUT for each file that is scanned. The output text indicates the name of the file that was scanned, detailed information about the infection or violation (for those files that are infected or violate an established policy), and the result of the scan (also provided for the -verbose option).
Note: If you use the -details option, you do not need to use the -verbose option also. The output for the -verbose option is duplicated as part of the output for the -details option.
See “Using the -details option” on page 173.
-timing
Report the time required to scan a file. When this option is used, a line of output is printed to STDOUT for each file that is scanned. The output includes the name of the file that was scanned and the time that the scan engine required to scan the file.
See “Using the -timing option” on page 174.
-recurse
Recursively descend into subdirectories inside each path that is specified on the command line.
See “Requesting recursive scanning” on page 175.
-onerror
Specify the disposition of a file that has been modified (repaired) by the scan engine when an error occurs in replacing the file. The default setting is to delete the file.
You can specify one of the following:
■ leave: The original (infected) file is left in place.
■ delete: The original (infected) file is deleted, even though the replacement data is unavailable.
See “Disposing of infected files when an error occurs” on page 175.
Specifying the scan engine IP address and port
The -server option lets you specify one or more scan engines for scanning files.
If you do not specify a scan engine, the server option defaults to the local host that is listening on the default port.
The format for each scan engine entry is <IPaddress:port>, where IPaddress is the DNS name or IP address of the computer on which the scan engine is running, and port is the port number on which the scan engine listens. You only need to specify the port number if the scan engine is installed on a port other than the default. (The default port number for ICAP is 1344.) For example:
savsecls -server 192.168.0.100 c:\temp
savsecls -server 192.168.0.100:5555 c:\temp
You can specify multiple scan engines. Separate multiple entries with a semicolon. For example:
savsecls -server 192.168.0.100:1344;192.168.0.101:1344 c:\temp
When more than one scan engine is specified, the load balancing and failover features of the API are activated automatically. The Symantec AntiVirus Scan Engine API provides scheduling across any number of computers that are running the Symantec AntiVirus Scan Engine. The API determines the appropriate Symantec AntiVirus Scan Engine (when multiple scan engines are used) to receive the next file to be scanned, based on the scheduling algorithm.
If a Symantec AntiVirus Scan Engine is unreachable or stops responding during a scan, another scan engine is called and the faulty scan engine is taken out of rotation for 30 seconds. If all of the scan engines are out of rotation, the faulty scan engines are called again. The API does not stop trying to contact the scan engine unless five engines are not functioning or it appears that a file that is being scanned might have caused more than one engine to stop responding.
Specifying the antivirus scanning mode
The -mode option lets you override the default antivirus scanning mode for the command-line scanner. The default scanning mode is scanrepairdelete. The repair of infected files is attempted, and files that cannot be repaired are deleted.
You do not need to specify an antivirus scanning mode to use the default setting.
Scanrepairdelete is the recommended setting.
To override the default antivirus scanning mode, you can specify one of the following using the -mode option:
■ scan: Files are scanned, but no repair is attempted. Infected files are not deleted.
■ scanrepair: The repair of infected files is attempted. Files that cannot be repaired are not deleted.
For example:
savsecls -server 192.168.0.100:1344 -mode scanrepair c:\temp
When files are sent to the scan engine for scanning via the command-line scanner, the command-line scanning mode always overrides the scan policy configuration on the Symantec AntiVirus Scan Engine (this includes scanning of files that are embedded in container files). If you do not specify a scanning mode using the -mode option, the default setting (scanrepairdelete) applies.
Obtaining detailed scanning results
Several options let you obtain detailed information regarding a scan.
Note: If you are using pipe mode to send a file for scanning via the command line, these options are not available.
Using the -verbose option
The -verbose option lets you obtain more detailed information on each file that is scanned. For example:
savsecls -server 192.168.0.100:1344 -verbose c:\work\filea c:\work\fileb c:\work\filec c:\work\filed
When this option is used, a line of output is printed to STDOUT for each file. The information includes the name of the file that was scanned and the result of the scan, including the final disposition of the file.
Table 11-4 lists the possible scan result codes.
Table 11-4 Possible scan result codes for the -verbose option
-2: An error occurred within the Symantec AntiVirus Scan Engine. The file was not scanned.
-1: An error occurred within the command-line scanner. The file was not scanned.
0: The file was successfully scanned and is clean. A clean file result can mean any one of the following:
■ The file was clean to start with.
■ The file was infected and repaired.
■ The file was a container file and contained infected embedded files that were repaired or deleted.
1: The file was successfully scanned, was not able to be repaired, and was not deleted. (A not-clean result can mean that the file was unrepairable or that the scan policy did not permit repair.)
2: The file was successfully scanned, was not able to be repaired, and was deleted. (A not-clean result can mean that the file was unrepairable or that the scan policy did not permit repair.)
The output when four files (for example, a, b, c, and d) are scanned should look similar to the following:
c:\work\filea -1
c:\work\fileb 2
c:\work\filec 2
c:\work\filed 0
Using the -details option
The -details option lets you obtain detailed information regarding the infections or violations that are found. For example:
savsecls -server 192.168.0.100:1344 -details c:\work\filea c:\work\fileb c:\work\filec c:\work\filed
When this option is used, a block of text is printed to STDOUT for each file that is infected or violates an established policy. The output text indicates the name of the file that was scanned, detailed information about the infection or the violation, and the result of the scan (also provided for the -verbose option).
The output includes the following:
■ Problem name: Virus name or container violation description
■ Problem ID: Virus ID for viruses or pseudo-ID for policy violations
■ Disposition: Infected, repaired, or deleted
Note: The output data for disposition mirrors information that is returned by the Symantec AntiVirus Scan Engine for each infection or violation that is identified and might not reflect the final disposition of the file. The final disposition of the file is indicated by the code for the scan results (which is also displayed when you use the -verbose option).
The output when four files (for example, a, b, c, and d) are scanned and files c and d are found to be infected with the Kakworm.c virus should look similar to the following:
c:\work\filec 2
Kakworm.c
2832
Infected
c:\work\filed 2
Kakworm.c
2832
Infected
Using the -timing option
The -timing option lets you examine the time required to scan each file. For example:
savsecls -server 192.168.0.100:1344 -timing c:\work\filea c:\work\fileb c:\work\filec c:\work\filed
When this option is used, a line of output is printed to STDOUT for each file that is scanned. The output includes the name of the file that was scanned and the time that the scan engine required to scan the file.
The reported scan time is calculated as the elapsed time between the opening and closing of the connection with the scan engine and is reported with millisecond accuracy.
The output when four files (for example, a, b, c, and d) are scanned should look similar to the following:
c:\work\filea 0.018s
c:\work\fileb 0.013s
c:\work\filec 0.43s
c:\work\filed 0.03s
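The -verbose, -details and -timing output shapes shown in this chapter are simple enough to post-process, for instance to list the files that still need an operator's attention (never scanned, or infected but left on disk) after a scheduled scan. The following Python script is an added example and is not part of this guide or of Symantec's tooling; it parses constructed samples that follow the output shown above, and the meaning of each result code is taken from Table 11-4.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Result codes documented for the -verbose option (Table 11-4 of the guide).
RESULT_CODES: Dict[int, str] = {
    -2: "scan engine error; file not scanned",
    -1: "command-line scanner error; file not scanned",
    0: "clean (clean to start with, repaired, or container contents repaired/deleted)",
    1: "not clean; not repaired and not deleted",
    2: "not clean; not repaired and deleted",
}
# Codes that leave work for an operator: never scanned, or still infected on disk.
NEEDS_ATTENTION = {-2, -1, 1}
# "<path> <code>" lines (-verbose, and the first line of each -details block).
# The code is anchored at the end of the line so paths with spaces survive.
_RESULT_LINE = re.compile(r"^(?P<path>.+?)\s+(?P<code>-?\d+)$")
# "<path> <seconds>s" lines as printed by -timing.
_TIMING_LINE = re.compile(r"^(?P<path>.+?)\s+(?P<secs>\d+(?:\.\d+)?)s$")


@dataclass
class ScanResult:
    path: str
    code: int  # final disposition of the file, see RESULT_CODES
    problem_name: Optional[str] = None  # -details only: virus name or violation
    problem_id: Optional[str] = None  # -details only: virus ID or pseudo-ID
    disposition: Optional[str] = None  # -details only: per infection, not final

    @property
    def description(self) -> str:
        return RESULT_CODES.get(self.code, "undocumented result code")


def _nonblank(text: str) -> List[str]:
    return [line.strip() for line in text.splitlines() if line.strip()]


def _parse_result_line(line: str) -> ScanResult:
    m = _RESULT_LINE.match(line)
    if m is None:
        raise ValueError(f"not a '<path> <code>' line: {line!r}")
    return ScanResult(m.group("path"), int(m.group("code")))


def parse_verbose(text: str) -> List[ScanResult]:
    """-verbose prints one '<path> <code>' line per scanned file."""
    return [_parse_result_line(line) for line in _nonblank(text)]


def parse_details(text: str) -> List[ScanResult]:
    """-details prints a four-line block only for files that are infected or
    violate policy: '<path> <code>', problem name, problem ID, disposition."""
    lines = _nonblank(text)
    if len(lines) % 4:
        raise ValueError("-details output is not a whole number of 4-line blocks")
    results = []
    for i in range(0, len(lines), 4):
        r = _parse_result_line(lines[i])
        r.problem_name, r.problem_id, r.disposition = lines[i + 1:i + 4]
        results.append(r)
    return results


def parse_timing(text: str) -> List[Tuple[str, float]]:
    """-timing prints '<path> <seconds>s' per file (connection open to close)."""
    out = []
    for line in _nonblank(text):
        m = _TIMING_LINE.match(line)
        if m is None:
            raise ValueError(f"not a -timing line: {line!r}")
        out.append((m.group("path"), float(m.group("secs"))))
    return out


def summarize(results: List[ScanResult]) -> Dict[int, int]:
    """Count files per result code, e.g. {-1: 1, 2: 2, 0: 1}."""
    counts: Dict[int, int] = {}
    for r in results:
        counts[r.code] = counts.get(r.code, 0) + 1
    return counts


def needs_attention(results: List[ScanResult]) -> List[str]:
    """Paths that were not scanned or are still infected on disk."""
    return [r.path for r in results if r.code in NEEDS_ATTENTION]


# Constructed samples that follow the output shapes shown in the guide.
VERBOSE_SAMPLE = r"""c:\work\filea -1
c:\work\fileb 2
c:\work\filec 2
c:\work\filed 0"""
DETAILS_SAMPLE = r"""c:\work\filec 2
Kakworm.c
2832
Infected
c:\work\filed 2
Kakworm.c
2832
Infected"""
TIMING_SAMPLE = r"""c:\work\filea 0.018s
c:\work\fileb 0.013s
c:\work\filec 0.43s
c:\work\filed 0.03s"""
```

Feed the script the captured STDOUT of a real run (for example `savsecls -server 192.168.0.100:1344 -verbose -recurse <dir> > scan.txt`) in place of the constructed samples; the -details disposition field is per infection, so use the result code, not that field, when deciding whether a file is finally clean.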
Requesting recursive scanning
The -recurse option lets you recursively descend into subdirectories inside each path that is specified on the command line. By default, the command-line scanner does not recursively search directories for files to send to the Symantec AntiVirus Scan Engine for scanning. You must use the -recurse option to do so. For example:
savsecls -server 192.168.0.100:1344 -recurse c:\winnt
Note: This option does not apply when you are using pipe mode.
Disposing of infected files when an error occurs
The -onerror option lets you specify how to dispose of an infected file that has been modified (repaired) by the scan engine when an error occurs in replacing the file. The default setting is to delete the file.
You can specify one of the following:
■ leave: The original (infected) file is left in place.
■ delete: The original (infected) file is deleted, even though the replacement data is unavailable.
For example:
savsecls -server 192.168.0.100:1344 -onerror delete c:\temp
Note: This option does not apply when you are using pipe mode.
Appendix
A
Editing the configuration file
This chapter includes the following topics:
■ Editing the Symantec AntiVirus Scan Engine configuration file
■ Updating the configuration file during an upgrade
Editing the Symantec AntiVirus Scan Engine configuration file
In addition to using the Web-based administrative interface, you can change the Symantec AntiVirus Scan Engine settings by editing the configuration file, symcscan.cfg.
The configuration options for the Symantec AntiVirus Scan Engine can be configured through the Web-based administrative interface. Under regular circumstances, you should not need to edit the configuration file.
For Solaris and Linux, the default location for the configuration file is /opt/SYMCScan/etc/symcscan.cfg. For Windows 2000 Server/Server 2003, the default location for the configuration file is C:\Program Files\Symantec\Scan Engine\symcscan.cfg.
Note: In editing the configuration file, all high-ASCII and double-byte characters must be written in UTF-8 encoding.
To edit the Symantec AntiVirus Scan Engine configuration file
1 Locate the Symantec AntiVirus Scan Engine configuration file.
If you are running more than one copy of the Symantec AntiVirus Scan Engine on a computer, ensure that you have the appropriate configuration file.
2 Open the configuration file with a text editor.
3 Make your changes to the configuration file.
See “Configuration options” on page 179.
4 Save the file.
5 Stop and restart the Symantec AntiVirus Scan Engine.
Updating the configuration file during an upgrade
You can upgrade the Symantec AntiVirus Scan Engine from 4.0.X or later without first uninstalling the previous version. Installing the upgrade over the existing installation preserves changes that you have made to the configuration file, symcscan.cfg.
Note: Scan engine logging options have changed in version 4.3. Because in many cases the previous configuration options do not map to the new options, any customizations that you have made to the logging options are not preserved.
You must reconfigure logging after installing the upgrade.
Changes that occur to the configuration file as a result of an upgrade are handled in the following manner:
■ A new configuration file replaces the existing configuration file.
■ If you have customized any values in the existing configuration file, those values are brought forward to replace the default settings in the new configuration file so that your changes are not altered during the upgrade.
■ Configuration options that are made obsolete by the upgrade are not transferred to the new configuration file.
Configuration options
The configuration options are grouped by their appearance on the interface rather than the order in which they appear in the configuration file.
Warning: Several configuration options in the configuration file are not discussed in this chapter and should not be changed. Changing these options can detrimentally affect product performance. For example, the installation directory (InstallDir) is specified at installation, and the product will not function if you change this value in the configuration file.
Changing protocol-specific settings via the configuration file
You can change the communication protocol that the scan engine uses to communicate with the client applications for which it provides scanning services.
After you select the appropriate protocol, you must provide protocol-specific configuration information. The configuration options differ depending on the protocol that you select.
See “Selecting the communication protocol” on page 56.
Changing the communication protocol
You can change the communication protocol that the scan engine uses to communicate with the client applications.
To change the communication protocol
◆ At Protocol=, type one of the following:
■ NATIVE: Use the native protocol.
■ ICAP: Use ICAP.
■ RPC: Use RPC.
Specifying a bind address and port number
The Symantec AntiVirus Scan Engine binds to an IP address and port number.
By default, the Symantec AntiVirus Scan Engine binds to all interfaces. You can restrict access to a specific interface by entering the appropriate bind address.
The default port number setting for the native protocol is port 7777. The default port number setting for ICAP is port 1344.
Note: This setting is applicable to the native protocol and ICAP.
To specify a bind address and port number
1 At BindAddress=, type the IP address on which the Symantec AntiVirus Scan Engine listens.
Use 127.0.0.1 (the loopback interface) to let only clients that are running on the same computer connect to the Symantec AntiVirus Scan Engine.
2 At Port=, replace the existing port number with the new number.
If you change the port number, use a number that is greater than 1024 that is not in use by any other program or service.
Specifying a directory for local file scanning
You only need to provide a local scan directory when you are using local file scanning options and you want to limit the Symantec AntiVirus Scan Engine so that only files under a particular directory can be scanned. If a local scan directory is not specified (which is the default), any file can be scanned.
To specify a directory for local file scanning
◆ At LocalScanDir=, type the appropriate directory structure.
The specified directory must already exist.
Configuring ICAP via the configuration file
If you select ICAP as the protocol to be used by the Symantec AntiVirus Scan Engine, you must configure several ICAP-specific options.
To configure ICAP via the configuration file
1 At ICAPInfectionHTMLFile=, replace the existing path and file name with a new path and file name, if necessary.
The Symantec AntiVirus Scan Engine includes a default HTML message to display to users when access to a file is denied because it contains a virus.
You can customize this message by specifying an alternate path and file name or by editing the existing file. If you choose to edit the existing file, you do not have to change this setting.
2 At ICAPActionPolicy=, type one of the following to specify how to handle infected files:
■ SCAN: Deny access to the infected file, but do nothing to the infected file.
■ SCANDELETE: Delete all infected files without attempting repairs.
■ SCANREPAIR: Attempt to repair infected files, but do nothing to files that cannot be repaired.
■ SCANREPAIRDELETE: Attempt to repair infected files, and delete any unrepairable files from archive files.
3 At ICAPResponse=, type one of the following to specify the scan engine response when a file is blocked because it is unrepairable (ICAP 1.0 only):
■ 0: Send an ICAP 403 response.
■ 1: Send a replacement file.
Depending on the ICAP 1.0 application for which the scan engine is providing scan and repair services, you might need to adjust this setting.
The default setting is to send a replacement file (the file specified for ICAPInfectionHTMLfile) when a file is blocked because it is unrepairable.
However, some ICAP 1.0 applications are configured to receive the ICAP 403 response instead.
4 At ICAPPreviewAll=, type one of the following to indicate whether the scan engine should preview content:
■ 0: Request content for only those files that are to be scanned based on the established configuration for which file types to scan.
■ 1: Request preview content (fixed preview size) for all files, including those not indicated for scanning based on the established configuration for which file types to scan. This is the default setting to ensure that all file types that might contain viruses are scanned.
Configuring data trickle
When a user attempts to download an extremely large or complex file from the Internet, antivirus scanning can cause a delay during which the requesting browser (and thus the user) receives no feedback on the progress of the download. When ICAP is used as the communication protocol, you can use the data trickle feature to provide users with a quicker download response and avoid potential session time-out errors. When data trickle is enabled, the requested file is sent (trickled) to the user in small amounts at regular intervals until the scan is complete. You can change the amount of time that elapses before data trickling begins.
Note: Data trickling can compromise antivirus integrity. Before enabling the data trickle feature, be sure that you read and understand all of the risks.
See “Warnings and limitations about data trickle” on page 66.
Configure data trickle
You can enable or disable data trickle, and you can change the trickle time-out period (the time that elapses before data trickling begins).
To enable data trickle
◆ At ICAPTrickleEnabled=, type one of the following:
■ 1: Enable data trickle.
■ 0: Disable data trickle.
The default setting is 0 (disabled).
To change the trickle time-out period
◆ At ICAPTrickleTimeout=, type the number of seconds to elapse before data trickling begins.
The default setting is 5 seconds.
Configuring RPC via the configuration file
If you select RPC as the protocol to be used by the Symantec AntiVirus Scan Engine, you must configure several RPC-specific options.
To configure RPC via the configuration file
1 At RPCClient=, type the IP address for each RPC client for which the Symantec AntiVirus Scan Engine is to provide scanning services.
Use the format <IPaddress>;<IPaddress>;<IPaddress>, where <IPaddress> is a single IP address for a supported RPC client.
2 At RPCActionPolicy=, type one of the following to specify how to handle infected files:
■ SCAN: Deny access to the infected file, but do nothing to the infected file.
■ SCANREPAIR: Attempt to repair infected files, but do nothing to files that cannot be repaired.
■ SCANREPAIRDELETE: Attempt to repair infected files, and delete any unrepairable files from archive files.
3 At RPCConnectionCheckInterval=, type (in seconds) the interval at which the Symantec AntiVirus Scan Engine checks to ensure that the connection to the RPC client is still active.
The default interval is 20 seconds.
4 At RPCMaxReconnectAttempts=, type the maximum number of attempts the Symantec AntiVirus Scan Engine will make to reestablish a lost connection to the RPC client.
The default setting is 0, which causes the Symantec AntiVirus Scan Engine to try indefinitely to reestablish a connection.
Notifying requesting users that a virus was found
When a virus is found in a file that is requested from an RPC network-attached storage client, you can configure the Symantec AntiVirus Scan Engine to notify the requesting user that the retrieval of the file failed because a virus was found.
The user notification feature is only available when RPC is selected as the communication protocol and the requesting user’s computer is in the same domain as the Symantec AntiVirus Scan Engine.
To notify requesting users that a virus was found
◆ At LogPopup=, type 1 to enable notification that a virus has been found.
The default setting is 0 (disabled).
Quarantining unrepairable infected files
When you are using the RPC protocol, you can quarantine unrepairable infected files using the Symantec Central Quarantine. The Symantec Central Quarantine software is included on the Symantec AntiVirus Scan Engine distribution CD.
The Symantec AntiVirus Scan Engine forwards infected items that cannot be repaired to the Symantec Central Quarantine. Typically, heuristically detected viruses that cannot be eliminated by the current set of virus definitions are forwarded to the Quarantine and isolated so that the viruses cannot spread.
See “Quarantining unrepairable infected files” on page 74.
To quarantine unrepairable infected files
1 At QuarantineInUse=, type 1 to quarantine unrepairable infected files.
The default setting is 0 (files are not quarantined).
2 At QuarantineServer=, type the host name or the IP address for the computer on which the Symantec Quarantine Server is installed.
3 At QuarantinePort, type the TCP/IP port number to be used by the Symantec AntiVirus Scan Engine to pass files to the Central Quarantine.
This setting must match the port number that is selected at installation for the Symantec Quarantine Server.
Changing resource allocation via the configuration file
You can change basic configuration options for the operation of the Symantec AntiVirus Scan Engine.
See “Allocating resources” on page 77.
Changing the temp directory location
The Symantec AntiVirus Scan Engine must store files in a temporary directory for virus scanning. To support sites with large, specialized disk configuration, the location of this temporary directory can be specified. The default temporary directory for Linux and Solaris is /tmp/navtemp. The default temporary directory for Windows 2000 Server/Server 2003 is determined at installation.
To specify a different location for the temporary directory
◆ At TempDir=, replace the existing path with the new path.
Controlling the dynamic thread pool
The pool of scanning threads that is available to the Symantec AntiVirus Scan Engine for antivirus scanning dynamically adjusts to the load being processed.
You can change several parameters to control the dynamic thread pool.
Note: To disable dynamic thread pool management and use a fixed thread pool size, use the desired number of scanning threads for the fixed thread pool for both the MinThreads and MaxThreads parameters. Use the same number for both parameters.
The configuration file parameters for controlling the dynamic thread pool are:
■ MinThreads: The minimum number of scanning threads that is created at start-up time and the minimum to keep alive regardless of the load that is being processed
The default setting is 16. You can increase this number if a typical load cannot be satisfied by the default setting of 16. This number cannot be larger than the value entered for the MaxThreads parameter.
■ MaxThreads: The maximum number of scanning threads that can be created regardless of the load that is being processed
The default setting is 128. The default value (128) is the maximum recommended value for this parameter. Increasing the value beyond 128 can make the software unstable. The MaxThreads value cannot be smaller than the value entered for the MinThreads parameter.
■ GrowThreadCount: The number of scanning threads to add when the load that is being processed cannot be handled by the existing threads
The default setting is 4. The GrowThreadCount value must be larger than the ShrinkThreadCount value and should not be close to the MaxThreads value. Reasonable values are in the range of 2 to 32.
Note: Creating new threads consumes resources. You should create new threads (GrowThreadCount) and keep them as long as possible. You should remove threads (ShrinkThreadCount) more slowly than you add threads so that you do not consume additional resources, thus creating new threads again in a short period of time.
■ ShrinkThreadCount: The number of scanning threads to remove when more threads are running than are needed for the load that is being processed
The default setting is 2. The ShrinkThreadCount value must be smaller than the GrowThreadCount value.
■ BusyRequestCount: The number of queued requests (waiting to be processed by scanning threads) that triggers the creation of more scanning threads
The default setting is 4. The BusyRequestCount value cannot be less than 2 and must be less than the LoadMaximumQueuedClients value.
See “Changing the threshold number of queued requests” on page 187.
■ IdleThreadCount: The number of idle scanning threads that triggers the removal of scanning threads
The default setting is 4.
■ SecondsBetweenChecks: The number of seconds between evaluations of the thread pool activity
The default setting is 5 seconds. This value cannot be smaller than 2.
Note: Because thread pool activity is checked at the frequency specified for the SecondsBetweenChecks parameter, changes to the thread pool size occur at the same frequency.
To control the dynamic thread pool
1 At MinThreads=, type the minimum number of scanning threads to be created at start-up time and to keep alive regardless of load.
The default setting is 16. Do not use a value that is larger than the value entered for the MaxThreads parameter.
2 At MaxThreads=, type the maximum number of scanning threads to be created regardless of load.
The default setting and the maximum recommended value is 128. Do not use a value that is smaller than the value entered for the MinThreads parameter.
3 At GrowThreadCount=, type the number of scanning threads to add when the load that is being processed cannot be handled by the existing threads.
The default setting is 4. Use a value that is larger than the ShrinkThreadCount value. Do not use a value that is close to the MaxThreads value. Reasonable values are in the range of 2 to 32.
4 At ShrinkThreadCount=, type the number of scanning threads to remove when more threads are running than are needed.
The default setting is 2. Use a value that is smaller than the GrowThreadCount value.
5 At BusyRequestCount=, type the number of queued requests (waiting to be processed by scanning threads) that will trigger the creation of more scanning threads.
The default setting is 4. Do not use a value that is less than 2. This value must be less than the LoadMaximumQueuedClients value.
See “Changing the threshold number of queued requests” on page 187.
6 At IdleThreadCount, type the number of idle scanning threads that will trigger the removal of scanning threads.
The default setting is 4.
7 At SecondsBetweenChecks=, type the number of seconds between evaluations of thread pool activity.
The default setting is 5 seconds. Do not use a value that is less than 2.
Changing the threshold number of queued requests
When the number of queued requests to the Symantec AntiVirus Scan Engine exceeds the specified threshold, the scan engine is at maximum load.
To change the threshold number of queued requests to the Symantec AntiVirus Scan Engine
◆ At LoadMaximumQueuedClients=, type the maximum number of queued requests.
The default setting is 100.
Specifying an alert interval
The alert interval is the number of minutes between log entries that are generated to indicate that maximum load has been exceeded.
To change the alert interval
◆ At LoadExceededAlertInterval=, replace the existing interval with the new interval.
The default setting is five minutes.
Changing the virus definition product name
If you are running more than one scan engine on a single computer, the product name must be unique for each service so that both scan engines receive updated virus definitions via LiveUpdate. This option is applicable only if you are running the scan engine on Solaris or Linux.
To change the virus definition product name
◆ At DefinitionProductName=, type the new virus definition product name.
Limiting resources for in-memory file processing
You can limit the resources that are consumed for in-memory file processing by specifying the maximum amount of RAM (in bytes) to be used for the in-memory file system and the maximum file size (in bytes) that can be stored in the in-memory file system.
To limit resources for in-memory file processing
1 At InMemoryFileSystemSize=, type the maximum amount of RAM that can be used for the in-memory file system.
The default setting is 16000000 (~16 MB).
2 At MaxInMemoryFileSize=, type the maximum file size that can be stored in the in-memory file system.
Files that exceed the specified size are written to disk. The default setting is 3000000 (~3 MB).
Configuring logging options via the configuration file
You can activate logging for selected scan engine activities to a number of logging destinations and change the location of log files.
See “Configuring local logging” on page 112.
Specifying a different location for the local log files
To accommodate sites with specialized disk configuration, the location of the Symantec AntiVirus Scan Engine local log files can be changed.
To specify a different location for the local log files
◆ At LogDir=, replace the existing location with the new location.
Changing the location and file name of the message string file
The message text for Symantec AntiVirus Scan Engine log entries and SMTP insert messages is contained in an ASCII text file. You can change the location and file name of this file.
To change the path and file name of the message string file
◆ At StringFile=, replace the existing path and file name with a new path and file name.
Specifying what to log for each logging destination
The Symantec AntiVirus Scan Engine provides a number of logging destinations. Logging to each available logging destination (for example, SNMP, SMTP, or the Windows Application Event Log) is activated individually by selecting a desired logging level for that destination. Selecting the logging level lets you choose the types of events for which log messages are generated.
In the configuration file, the logging levels are:
■ None: Do not log any messages to the specified logging destination.
■ Error: Log Error messages to the specified logging destination.
■ Warning: Log Warning and Error messages to the specified logging destination.
■ Information: Log Information, Warning, and Error messages to the specified logging destination.
■ Verbose: Log Information, Warning, and Error messages and a message for each file that is scanned to the specified logging destination.
See “Logging levels” on page 109.
Specify what to log for each logging destination
You can select a different logging level for each logging destination.
To specify what to log for local logging
◆ At LogLocal, select the desired logging level for local logging.
The default logging level for Solaris and Linux is Warning. The default logging level for Windows 2000 Server/Server 2003 is None. Select Verbose only if you have been instructed to do so for debugging purposes by Symantec Technical Service and Support.
To specify what to log for logging to the Windows Application Event Log
◆ At LogWindows, select the desired logging level for logging to the Windows Event Log.
The default logging level is Warning (Windows 2000 Server/Server 2003 only). Select Verbose only if you have been instructed to do so for debugging purposes by Symantec Technical Service and Support.
To specify what to log for SESA logging
◆ At LogSESA, select the desired logging level for SESA logging.
Logging to SESA is not activated by default. Select Verbose only if you have been instructed to do so for debugging purposes by Symantec Technical Service and Support.
To specify what to log for SNMP logging
◆ At LogSNMP, select the desired logging level for SNMP logging.
SNMP logging is not activated by default. The Verbose logging level is not available for SNMP logging.
To specify what to log for SMTP logging
◆ At LogSMTP, select the desired logging level for SMTP logging.
SMTP logging is not activated by default. The Verbose logging level is not available for SMTP logging.
Configuring the scan engine to log events to SESA
If you are running SESA, you must configure the Symantec AntiVirus Scan Engine to communicate with the local Agent by specifying the IP address and port number on which the Agent listens.
In the configuration file, the SESA logging delivery parameters are:
■ SESAIP=
■ SESAPort=
See “Integrating the Symantec AntiVirus Scan Engine with SESA” on page 153.
To configure the scan engine to log events to SESA
1 At SESAIP, type the IP address on which the local SESA Agent listens.
The default setting is 127.0.0.1 (the loopback interface), which restricts connections to the same computer.
2 At SESAPort, type the TCP/IP port number on which the local SESA Agent listens.
The port number that you enter here must match the port number on which the SESA Agent listens. The default setting is port 8086.
Configuring SNMP and SMTP logging via the configuration file
If you have activated SNMP or SMTP logging, you must provide the appropriate information for message delivery.
See “Activating SNMP and SMTP logging” on page 117.
Configure SNMP and SMTP logging via the configuration file
In the configuration file, the SNMP logging delivery parameters are:
■ SNMPPrimary=
■ SNMPSecondary=
■ SNMPCommunityString=
In the configuration file, the SMTP logging delivery parameters are:
■ SMTPPrimary=
■ SMTPSecondary=
■ SMTPRecipList=
■ SMTPDomain=
To configure SNMP logging via the configuration file
1 At SNMPPrimary=, type the IP address of the primary SNMP console that will receive log messages.
2 At SNMPSecondary=, type the IP address of a secondary SNMP console that will receive messages.
You do not have to specify a secondary SNMP console.
3 At SNMPCommunityString=, type the SNMP community string.
The default setting is public.
To configure SMTP logging via the configuration file
1 At SMTPPrimary=, type the IP address of the primary SMTP server that will forward log messages.
2 At SMTPSecondary=, type the IP address of a secondary SMTP server that will forward log messages if communication with the primary SMTP server fails.
You do not have to specify a secondary SMTP server.
3 At SMTPRecipList=, type the email addresses for the recipients of SMTP log messages.
Separate multiple addresses with a comma or space.
4 At SMTPDomain=, type the local domain for the Symantec AntiVirus Scan Engine.
The domain name is added to the From field for SMTP log messages, so that SMTP log messages that are generated by the Symantec AntiVirus Scan Engine originate from ScanServer@<servername>.<domainname>, where <servername> is the name of the computer that is running the Symantec AntiVirus Scan Engine and <domainname> is the SMTPDomain that you supply here.
Specifying an alert bind address for SNMP and SMTP logging
If you have activated SNMP or SMTP logging and are running multiple Symantec AntiVirus Scan Engines, you can set an alert bind address for each scan engine to identify the originating scan engine for each SNMP and SMTP log message. The alert bind address of the originating scan engine is appended to all SNMP and SMTP log messages as a means of identification.
To specify an alert bind address for SNMP and SMTP logging
◆ At AlertBindAddress=, type a bind address to identify the computer on which the Symantec AntiVirus Scan Engine is running.
Changing the administration settings via the configuration file
You can configure settings for the Symantec AntiVirus Scan Engine administrative interface and the virtual administrator account.
See “Changing the administration settings” on page 45.
Specify a bind address and port number for the administrative interface
The administrative interface binds to an IP address and port number. By default, this Web interface binds to all interfaces. You can restrict access to a specific interface by entering the appropriate bind address. The default port number is 8004.
To specify a bind address and port number for the administrative interface
1 At AdminBindAddress=, type the IP address on which the Web interface listens.
2 At AdminPort=, replace the existing port number with the new number.
If you change the port number, use a number that is greater than 1024 that is not in use by any other program or service. If the port number is not set, the interface is not enabled.
Clearing the password for the administrator account
The Symantec AntiVirus Scan Engine is managed using a virtual administrative account. You are prompted to provide a password for this account at installation. The password for this account can be changed at any time through the Symantec AntiVirus Scan Engine administrative interface.
Note: You cannot change the password via the configuration file because the password is encrypted in the configuration file. If you forget the password for the virtual administrative account, clear the AdminPassword variable in the configuration file, and then log on to the administrative interface (no password is needed) to enter a new password.
To clear the password for the administrator account
◆ At AdminPassword=, delete the encrypted password.
Changing the administrator time-out period
The Symantec AntiVirus Scan Engine is configured by default to automatically log off the administrator after a selected period of inactivity. The default period of inactivity is five minutes (300 seconds). You can change the default time-out period.
To change the administrator time-out period
◆ At AdminPortTimeout=, type the amount of time (in seconds) after which the Symantec AntiVirus Scan Engine automatically logs off the administrator.
Specifying processing limits via the configuration file
You can impose restrictions on the amount of resources that can be used to handle individual files. These processing limits can be used to help you manage your resources and to protect your network against denial of service attacks.
See “Specifying processing limits” on page 84.
Specify processing limits
You can specify processing limits that apply to the following:
■ Large container files: You can set limits to control the resources that are expended on large container files.
■ All files: Other types of limits can be applied to all files, such as the maximum number of bytes to be read in determining whether a file is MIME-encoded.
To specify processing limits for large container files via the configuration file
1 At MaxExtractTime=, do one of the following:
■ Type the maximum allowable amount of time, in seconds, for decomposing a container file and its contents.
■ Type 0 to disable this variable.
The default setting is 180 seconds (3 minutes).
2 At MaxExtractSize=, do one of the following:
■ Type the maximum allowable file size, in bytes, for each file within a container file to be decomposed.
■ Type 0 to disable this variable.
The default setting is 100 MB.
3 At MaxExtractDepth=, type the maximum allowable number of nested levels of files within a container file to be handled by the decomposer.
The default setting is 10 levels. The maximum value that can be entered is 50.
4 At LimitChoiceStopCont=, type one of the following:
■ 0: Allow access to container files for which one or more limits are exceeded.
■ 1: Deny access to container files for which one or more limits are exceeded. This is the default setting.
5 At RejectMalformedContainers=, type one of the following:
■ 0: Allow access to all malformed containers.
■ 1: Deny access if container type cannot be identified. This is the default setting.
■ 2: Deny access to all malformed containers.
To specify processing limits that apply to all files via the configuration file
1 At MaxFileNameLength=, do one of the following:
■ Type the maximum allowable file name length, in bytes, for a given file.
■ Type 0 to disable this variable.
The default setting is 1024 bytes.
Note: This feature is functional for the native protocol only.
2 At NonMIMEThreshold=, type the maximum number of bytes that can be read to determine whether a file is MIME-encoded.
The default setting is 200000 bytes.
Changing the antivirus settings via the configuration file
You can configure certain aspects of antivirus scanning, including the file types to be scanned.
See “Configuring antivirus settings” on page 88.
Changing the Bloodhound sensitivity level
To supplement the detection of virus infections by virus signature, the Symantec AntiVirus Scan Engine includes the Symantec patented Bloodhound technology, which heuristically detects new or unknown viruses. The sensitivity of the Bloodhound technology can be adjusted.
To change the Bloodhound sensitivity level
◆ At BloodhoundLevel=, type one of the following:
■ 1: Low sensitivity
■ 2: Medium sensitivity
■ 3: High sensitivity
■ 0: Off
Specifying which file types to scan
Viruses are found only in file types that contain executable code. Bandwidth and time can be saved by limiting the files to be scanned to only those file types that can contain viruses. You can control which file types are scanned by specifying those extensions that you do not want to scan (using an exclusion list) or by specifying those extensions that you want to scan (using an inclusion list), or you can scan all file types regardless of extension.
Specify which file types to scan
The default exclusion list is preconfigured to contain the file extensions for file types that are not likely to contain viruses, but you can edit the default list. The
Symantec AntiVirus Scan Engine is configured by default to scan all file types except those that are contained in the exclusion list.
To scan all files regardless of extension
◆ At ExtensionPolicy=, type 0.
To scan only files with extensions that are in the inclusion list
1 At ExtensionPolicy=, type 1.
2 Edit the ExtensionList (the inclusion list) to add extensions that you want to scan or delete extensions that you do not want to scan.
Use a period with each extension in the list. Separate each extension with a semicolon (for example, .com;.doc;.bat). To scan files that have no extension, use two adjacent semicolons (for example, .com;.exe;;).
To scan all files except those with extensions that are in the exclusion list
1 At ExtensionPolicy=, type 2.
2 Edit the ExclusionList to add extensions that you do not want to scan or delete extensions that you want to scan.
Use a period with each extension in the list. Separate each extension with a semicolon (for example, .com;.doc;.bat). To exclude files that have no extension, use two adjacent semicolons (for example, .com;.exe;;).
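As an added example (not Symantec's code), the following Python applies the ExtensionPolicy, ExtensionList and ExclusionList rules described above to a file name, including the two-adjacent-semicolons entry for files that have no extension. Case-insensitive matching of extensions is an assumption; the manual does not state how case is handled.

```python
"""Apply the ExtensionPolicy / ExtensionList / ExclusionList rules to a file name.

Added example, not Symantec code. Assumption: extensions are matched
case-insensitively (the manual does not say how case is handled).
"""
from __future__ import annotations

import os

SCAN_ALL = 0        # ExtensionPolicy=0: scan every file regardless of extension
INCLUSION_LIST = 1  # ExtensionPolicy=1: scan only extensions in ExtensionList
EXCLUSION_LIST = 2  # ExtensionPolicy=2: scan all except extensions in ExclusionList


def parse_extension_list(value: str) -> tuple[set[str], bool]:
    """Parse a list such as ".com;.doc;.bat" or ".com;.exe;;".

    Returns (extensions, matches_no_extension). Two adjacent semicolons
    are the entry meaning "files that have no extension".
    """
    matches_no_extension = ";;" in value
    extensions: set[str] = set()
    for entry in value.split(";"):
        entry = entry.strip().lower()
        if not entry:
            continue  # empty entries only carry the ";;" meaning handled above
        if not entry.startswith("."):
            raise ValueError(f"extension {entry!r} must start with a period")
        extensions.add(entry)
    return extensions, matches_no_extension


def file_extension(filename: str) -> str:
    """Lower-cased extension of the last path component, "" if there is none."""
    return os.path.splitext(os.path.basename(filename))[1].lower()


def list_matches(filename: str, list_value: str) -> bool:
    """True if the file's extension (or lack of one) is covered by the list."""
    extensions, matches_no_extension = parse_extension_list(list_value)
    ext = file_extension(filename)
    if ext == "":
        return matches_no_extension
    return ext in extensions


def should_scan(filename: str, policy: int, extension_list: str = "",
                exclusion_list: str = "") -> bool:
    """Decide whether the scan engine would scan this file name under the policy.

    The decision is made on the name alone, so an exclusion list is a
    performance trade-off, not a control on what the bytes actually contain.
    """
    if policy == SCAN_ALL:
        return True
    if policy == INCLUSION_LIST:
        return list_matches(filename, extension_list)
    if policy == EXCLUSION_LIST:
        return not list_matches(filename, exclusion_list)
    raise ValueError(f"ExtensionPolicy must be 0, 1 or 2, got {policy}")


if __name__ == "__main__":
    # Constructed file names; ".com;.exe;.doc;;" also covers files with no extension.
    for name in ("report.doc", "README", "photo.JPG", "archive.tar.gz"):
        print(name,
              should_scan(name, INCLUSION_LIST, extension_list=".com;.exe;.doc;;"),
              should_scan(name, EXCLUSION_LIST, exclusion_list=".jpg;.gif;.gz"))
```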
Specifying whether to scan top-level files
The Symantec AntiVirus Scan Engine is configured by default to scan all top-level files. In limited circumstances, you can choose to open top-level files as container files (without scanning) and scan only the contents of the file.
Warning: This setting should only be changed from the default setting when the Symantec AntiVirus Scan Engine is providing virus scan and repair services in an email-only environment (that is, no other types of files are being scanned).
You can safely bypass scanning of the top-level file in an email environment because the top-level file is a container file that is not subject to virus infection.
Not scanning top-level files when other types of files are being scanned can leave your network vulnerable to virus attack.
To specify whether to scan top-level files
◆ At ScanTopLevel=, type one of the following:
■ 0: Open the top-level file as a container file and scan only the contents of the file (do not scan the top-level file).
■ 1: Scan all top-level files. This is the default setting.
Blocking MIME partial message content via the configuration file
The Symantec AntiVirus Scan Engine must have a MIME-encoded message in its entirety to effectively scan it for viruses. Some email software applications break large messages down into a number of smaller, more manageable, partial messages for transmission. The Symantec AntiVirus Scan Engine is configured by default to reject partial messages because they cannot be effectively scanned for viruses.
To block MIME partial message content
◆ At RejectPartialMessages=, type one of the following:
■ 0: Block partial messages. This is the default setting.
■ 1: Allow access to partial messages.
Activating mail message body updates via the configuration file
You can add text to the bodies of MIME-encoded messages to warn recipients that a virus was found in an attachment or that an attachment was deleted because it violated the mail filter policy. The default text indicates that an attachment was infected and repaired or deleted because it could not be repaired, or that an attachment was deleted because it violated the mail policy.
See “Inserting text into MIME-encoded messages” on page 104.
To activate mail message body updates
◆ At UpdateMailBody=, type one of the following:
■ 1: Activate mail message body updates.
■ 0: Deactivate mail message body updates.
Scheduling LiveUpdate to occur automatically via the configuration file
You can schedule LiveUpdate to run automatically to obtain updated virus definitions. Scheduling LiveUpdate to occur automatically at a specified time interval ensures that the Symantec AntiVirus Scan Engine always has the most current virus definitions. You should schedule LiveUpdate so that you do not have to remember to update virus definitions regularly.
Warning: Scheduling LiveUpdate to occur automatically should be handled through the Symantec AntiVirus Scan Engine administrative interface (rather than by editing the configuration file). Entering an invalid value in the configuration file can result in LiveUpdate not functioning properly, which can leave your network vulnerable to virus attack because the Symantec AntiVirus Scan Engine is not receiving updated virus definitions files.
Schedule LiveUpdate to occur automatically
◆ At LiveUpdateSchedule=, type the frequency at which LiveUpdate is attempted.
Specify the desired value in seconds. For example, to schedule LiveUpdate to occur once every hour, type 3600. Do not schedule LiveUpdate attempts more frequently than every 5 minutes (300 seconds). LiveUpdate is not scheduled by default.
Changing the LiveUpdate base time
You can change the relative start point, or LiveUpdate base time, from which to calculate scheduled LiveUpdate attempts. If you change the LiveUpdate base time, LiveUpdate attempts are scheduled every LiveUpdateSchedule seconds following the base time. The default LiveUpdate base time is the time at which the Symantec AntiVirus Scan Engine was installed.
The LiveUpdate base time is specified in UTC seconds since 00:00:00 January 1, 1970.
To change the LiveUpdate base time
◆ At LiveUpdateBaseTime=, type the relative start point, in UTC seconds, from which LiveUpdate attempts are scheduled.
Extracting all streams from OLE structured storage documents for scanning
Certain Microsoft files, such as Microsoft Word and Excel documents, are OLE
(object linking and embedding) structured storage documents. OLE is a compound document standard developed by Microsoft that enables objects to be created with one application and linked or embedded in a second application. In this type of structured storage document, data is stored in a number of streams.
Only certain streams typically contain content that can contain viruses. The
Symantec AntiVirus Scan Engine is configured by default to extract and scan only those streams that are likely to contain viruses. For maximum protection, you can choose to extract and scan all streams, but performance might be negatively impacted depending on the number (and content) of files to be scanned.
To extract and scan all streams from OLE structured storage documents
◆ At ExtractNativeOLEStreamsOnly=, type 0.
The default setting is 1, which limits scanning to only those streams that are likely to contain viruses.
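As an added example (not Symantec's code), the following Python checks a configuration fragment against the value ranges, defaults and cautions given in the sections above, from MaxExtractTime through ExtractNativeOLEStreamsOnly, and works out the next scheduled LiveUpdate attempt from LiveUpdateBaseTime and LiveUpdateSchedule. The sample fragment is constructed, and treating lines that begin with '#' as comments is an assumption.

```python
"""Check a Scan Engine configuration fragment against the ranges and defaults
described in the sections above, and compute the next LiveUpdate attempt.

Added example, not Symantec code. Lines are Variable=Value (the manual's "At
Variable=, type ..." wording); treating '#' lines as comments is an assumption.
"""
from __future__ import annotations

# (minimum, maximum) allowed integer value per variable; None = no upper bound.
BOUNDS: dict[str, tuple[int, int | None]] = {
    "MaxExtractTime": (0, None),        # seconds; 0 disables; default 180
    "MaxExtractSize": (0, None),        # bytes per file in a container; 0 disables
    "MaxExtractDepth": (0, 50),         # nesting levels; 50 is the documented maximum
    "LimitChoiceStopCont": (0, 1),
    "RejectMalformedContainers": (0, 2),
    "MaxFileNameLength": (0, None),     # bytes; 0 disables; native protocol only
    "NonMIMEThreshold": (0, None),      # bytes read to decide whether a file is MIME
    "BloodhoundLevel": (0, 3),
    "ExtensionPolicy": (0, 2),
    "ScanTopLevel": (0, 1),
    "RejectPartialMessages": (0, 1),
    "UpdateMailBody": (0, 1),
    "LiveUpdateSchedule": (0, None),    # seconds; 0 = not scheduled; else at least 300
    "LiveUpdateBaseTime": (0, None),    # UTC seconds since 00:00:00 January 1, 1970
    "ExtractNativeOLEStreamsOnly": (0, 1),
}

# Valid values that reduce protection; reported as warnings rather than errors.
WEAKENING: dict[tuple[str, int], str] = {
    ("MaxExtractTime", 0): "no time limit on container decomposition",
    ("MaxExtractSize", 0): "no size limit on files inside containers",
    ("LimitChoiceStopCont", 0): "containers that exceed a limit are still allowed through",
    ("RejectMalformedContainers", 0): "malformed containers are allowed through",
    ("BloodhoundLevel", 0): "Bloodhound heuristic detection is off",
    ("ScanTopLevel", 0): "top-level files are not scanned (safe only in an email-only environment)",
    ("RejectPartialMessages", 1): "MIME partial messages are allowed but cannot be scanned",
    ("LiveUpdateSchedule", 0): "LiveUpdate is not scheduled; definitions will not update automatically",
}


def parse_config(text: str) -> dict[str, str]:
    """Parse Variable=Value lines into a dict, preserving file order."""
    config: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        config[key.strip()] = value.strip()
    return config


def lint_config(text: str) -> list[str]:
    """Return ERROR/WARN findings for the variables covered by BOUNDS."""
    findings: list[str] = []
    for key, raw in parse_config(text).items():
        if key not in BOUNDS:
            continue  # variables not described above are left alone
        try:
            value = int(raw)
        except ValueError:
            findings.append(f"ERROR {key}={raw!r}: not an integer")
            continue
        low, high = BOUNDS[key]
        if value < low or (high is not None and value > high):
            top = "unbounded" if high is None else str(high)
            findings.append(f"ERROR {key}={value}: outside allowed range {low}..{top}")
            continue
        if key == "LiveUpdateSchedule" and 0 < value < 300:
            findings.append(f"ERROR LiveUpdateSchedule={value}: must not be more frequent than every 300 seconds")
            continue
        message = WEAKENING.get((key, value))
        if message:
            findings.append(f"WARN {key}={value}: {message}")
    return findings


def next_liveupdate(base_time: int, schedule: int, now: int) -> int | None:
    """UTC seconds of the first LiveUpdate attempt at or after `now`, or None if not scheduled.

    Attempts are taken to fall at base_time + k*schedule for k >= 1 (assumed reading
    of "every LiveUpdateSchedule seconds following the base time").
    """
    if schedule == 0:
        return None
    k = max(1, -(-(now - base_time) // schedule))  # ceiling division
    return base_time + k * schedule


# Constructed fragment mixing sound, weakening and out-of-range values.
SAMPLE_CONFIG = """\
MaxExtractTime=180
MaxExtractSize=0
MaxExtractDepth=75
BloodhoundLevel=2
ScanTopLevel=0
RejectPartialMessages=0
LiveUpdateSchedule=120
LiveUpdateBaseTime=1041379200
"""
```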
Appendix B
Reviewing scanning statistics from the command line
This chapter includes the following topics:
■ Using the getstat utility
■ Interpreting getstat utility data
Using the getstat utility
The Symantec AntiVirus Scan Engine maintains scanning statistics so that
Internet service providers can bill for antivirus scanning based on several billing schemes. Each time that a file is scanned, the Symantec AntiVirus Scan Engine submits scan statistics to the billing subsystem, which maintains an encrypted data file. You can access this information through the administrative interface.
See “Generating scanning statistics from the billing logs” on page 127.
You can also use the getstat utility, which is provided with the Symantec
AntiVirus Scan Engine, to obtain statistics for a given date range via the command line. For Solaris and Linux, the default location for the getstat utility is /opt/SYMCScan/bin/getstat. For Windows 2000 Server/Server 2003, the default location is C:\Program Files\Symantec\Scan Engine\getstat.
To use the getstat utility
1 Change directories to the directory in which the getstat tool is located.
2 Type a command using the following format:
getstat.exe symcsbps.dat <endingdate> <numberofdays>
where <endingdate> is the last day of the billing cycle (the last day in the time range for which you want information on scan engine usage), and <numberofdays> is the number of days in the billing cycle (or the number of days for which you want to view usage statistics). If the symcsbps.dat file is not located in the same directory as the getstat utility, you must include the path to the log file in the command as well. Use the format MM/DD/YYYY for the <endingdate> entry.
For example, if you type
getstat.exe symcsbps.dat 11/27/2001 30
the generated report includes usage information for the 30-day period ending on 11/27/01.
Interpreting getstat utility data
The sample getstat utility report (not reproduced here) is annotated with the following fields:
■ 95th-percentile bandwidth measurement for reported period
■ Calculated average bps for each 30-minute period (shown in chronological order)
■ Total number of files that were scanned for the reported period
■ Number of files that were scanned for each 30-minute period (shown in chronological order)
The total number of files that were scanned should not be interpreted strictly as a physical file count. This total includes the number of files as well as additional objects within container files that were scanned. Some containers, such as
MIME-encoded messages and Microsoft Office documents, have additional embedded objects that are not files but that can be scanned depending on the
ExtensionList settings. The total does not include objects within container files that were not scanned because the object’s extension did not match those in the ExtensionList setting.
For each 30-minute period in the specified date range, the total number of files that were scanned and the average bits per second that were scanned for that
30-minute increment are reported. The 30-minute time periods are reported in
Greenwich Mean Time (GMT).
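As an added example (not Symantec's getstat code), the following Python computes the four figures a getstat report shows from constructed per-period counters, and converts the <endingdate> <numberofdays> arguments into the dates covered. The nearest-rank 95th-percentile method is an assumption; the manual does not state how getstat calculates the percentile.

```python
"""Reproduce the figures of a getstat report from per-period scan counters.

Added example, not Symantec code. The billing data file is encrypted, so the
input here is a constructed list of 30-minute periods. The nearest-rank
95th-percentile method is an assumption; the manual does not say how
getstat calculates the percentile.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

PERIOD_SECONDS = 30 * 60  # getstat reports in 30-minute increments (GMT)


@dataclass(frozen=True)
class Period:
    files_scanned: int   # files plus the scanned objects inside containers
    bytes_scanned: int


def average_bps(period: Period) -> float:
    """Average bits per second scanned during one 30-minute period."""
    return period.bytes_scanned * 8 / PERIOD_SECONDS


def percentile_95(values: list[float]) -> float:
    """Nearest-rank 95th percentile: the sorted value at rank ceil(0.95 * n)."""
    if not values:
        raise ValueError("at least one period is required")
    ordered = sorted(values)
    rank = -(-95 * len(ordered) // 100)  # exact ceiling without float error
    return ordered[rank - 1]


def billing_window(ending_date: str, number_of_days: int) -> tuple[str, str]:
    """First and last day (ISO dates) covered by <endingdate> <numberofdays>."""
    end = datetime.strptime(ending_date, "%m/%d/%Y")
    start = end - timedelta(days=number_of_days - 1)
    return start.strftime("%Y-%m-%d"), end.strftime("%Y-%m-%d")


def summarize(periods: list[Period]) -> dict:
    """The four quantities a getstat report shows, in the order listed above."""
    bps = [average_bps(p) for p in periods]
    return {
        "p95_bps": percentile_95(bps),
        "bps_per_period": bps,
        "total_files": sum(p.files_scanned for p in periods),
        "files_per_period": [p.files_scanned for p in periods],
    }


# Constructed sample: 20 periods with steadily rising load (1000 bps per step).
SAMPLE_PERIODS = [Period(files_scanned=10 * i, bytes_scanned=225_000 * i)
                  for i in range(1, 21)]

if __name__ == "__main__":
    print("window:", billing_window("11/27/2001", 30))
    report = summarize(SAMPLE_PERIODS)
    print("95th-percentile bps:", report["p95_bps"], "total files:", report["total_files"])
```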
Appendix C
Return codes
This chapter includes the following topics:
■ Native protocol return codes
■ ICAP version 0.95 return codes
■ ICAP version 1.0 return codes
■ RPC return codes
Native protocol return codes
The following return codes are generated for the native protocol:
■ 200 Command okay.
■ 201 Output file available.
■ 203 Local output file available.
■ 220 Symantec AntiVirus Scan Engine ready.
■ 221 Service closing transmission channel.
■ 230 File scanned.
■ 420 Service not available, closing transmission channel.
■ 430 File not acceptable at this time.
■ 500 Syntax error, command unrecognized.
■ 501 Syntax error in parameters.
■ 502 Command not implemented.
■ 503 Bad sequence of commands.
■ 504 Unsupported protocol version.
■ 530 File not acceptable.
■ 531 File unscannable.
■ 532 Output file unavailable.
■ 533 Error scanning file.
■ 534 File name exceeds configured length.
■ 535 Maximum Extract Time exceeded - scan incomplete.
■ 536 Maximum Extract Depth exceeded - scan incomplete.
■ 537 Maximum Extract Size exceeded - scan incomplete.
■ 538 Malformed container file found. File not scanned.
■ 539 Aborted - no AV scanning license.
ICAP version 0.95 return codes
The following return codes are generated for ICAP version 0.95:
■ 100 Continue
■ 200 OK
■ 201 Created
■ 204 No content necessary.
■ 400 Bad request.
■ 403 Forbidden. Infected and not repaired.
■ 404 Not found.
■ 405 Method not implemented.
■ 420 Container extract time violation. File not scanned.
■ 425 Container size violation. File not scanned.
■ 430 Container depth violation. File not scanned.
■ 431 Malformed container found. File not scanned.
■ 432 Mail policy violation. File not scanned.
■ 500 Internal server error.
■ 503 Service unavailable/overloaded.
■ 505 ICAP version not supported.
■ 531 Container type cannot be repaired.
■ 533 Error scanning file.
■ 539 Aborted - no AV scanning license.
ICAP version 1.0 return codes
The following return codes are generated for ICAP version 1.0:
■ 100 Continue
■ 200 OK
■ 201 Created
■ 204 No content necessary.
■ 400 Bad request.
■ 403 Forbidden. Infected and not repaired.
■ 404 Not found.
■ 405 Method not implemented.
■ 408 Request timeout.
■ 500 Internal server error.
■ 503 Service unavailable/overloaded.
■ 505 ICAP version not supported.
■ 533 Error scanning file.
■ 539 Aborted - no AV scanning license.
■ 551 Resource unavailable.
RPC return codes
The following return codes are generated for RPC:
■ Infection found, repaired
■ Infection found, repair failed
■ Infection found, repair failed, file quarantined
■ Infection found, repair failed, quarantine failed
■ Infection found
■ Maximum Extract Size exceeded, scan incomplete
■ Maximum Extract Time exceeded, scan incomplete
■ Maximum Extract Depth exceeded, scan incomplete
■ Aborted - No AV scanning license
■ Internal server error
■ Infection found, repair failed, read-only file
Appendix D
Using the silent install feature
This chapter includes the following topics:
■ About the silent install feature
■ Creating the response file
■ Initiating the silent installation using the response file
■ Using the silent install feature for uninstallation
About the silent install feature
The silent install feature lets you automate the installation of the Symantec
AntiVirus Scan Engine. You can use the silent install feature when you are installing multiple Symantec AntiVirus Scan Engines with identical input values for installation. The silent install feature lets you capture the required input values for installation in a response file. You can use the response file for subsequent installations to read in the values so that the installations are silent
(freeing you from having to repeatedly supply input values for each installation).
Implementing the silent install feature is a two-step process:
■ Create a response file to capture your input values for installation.
■ Run the install program to read the response file and perform the install silently using the same responses that you specified in the response file.
Creating the response file
The response file contains the input values for the required responses for installation of the Symantec AntiVirus Scan Engine. You can create different response files for different installation scenarios, for example, different protocols, installation directories, or RPC clients.
The procedures for creating the response file differ for Windows 2000 Server/Server 2003, Solaris, and Linux.
Creating the response file for Windows 2000 Server/Server 2003
For Windows 2000 Server/Server 2003, you must run the installation once to create the response file. The Symantec AntiVirus Scan Engine is initially installed with the /r switch so that your responses are captured in the response file. Ensure that the scan engine is not already installed before you begin.
To create the response file for Windows 2000 Server/Server 2003
1 Change directories to the location of the Symantec AntiVirus Scan Engine installation program, ScanEngine.exe.
2 At the command prompt, type:
ScanEngine /r
The installation proceeds as a normal (non-silent) install.
3 During the installation, respond to each dialog box with the desired input value for the silent installation.
When the installation completes, the response file is written to the disk.
Note: On Windows 2000 Server/Server 2003 only, the password that you enter for the virtual administrative account is stored in the response file unencrypted. Protect the response file accordingly to prevent the password from being compromised.
By default, the response file, setup.iss, is written to the WinNT directory. To specify a different name and location for the response file, use the /f1 switch.
For example, the following command writes a response file, install_savse.iss, to the temporary directory C:\Temp:
ScanEngine /r /f1"C:\Temp\install_savse.iss"
Note: Quotes must be used around the path and file name to handle an embedded space.
Creating the response file for Solaris and Linux
For Solaris and Linux, you can create the response file before you install the Symantec AntiVirus Scan Engine.
A default response file, named response, is included as part of the Symantec
AntiVirus Scan Engine software distribution package. The response file is a text file that is preconfigured to contain the default settings for the scan engine installation options. You must edit this response file so that it contains the desired input values for the silent installation.
Note: Do not delete any of the parameters in the response file. The installer must read a value for each parameter.
The input values contained in the response file are listed in Table D-1.
Table D-1 Input values in the response file
SCANPort: Port number on which the Symantec AntiVirus Scan Engine listens. This port number must be exclusive to the Symantec AntiVirus Scan Engine. The default port number differs depending on the protocol selected.
■ NATIVE: 7777
■ ICAP: 1344
Protocol: Communication protocol used by the scan engine. Use NATIVE or ICAP.
AdminPort: Port number on which the Web-based administrative interface listens. The default port number is 8004.
AdminPassword: Password for the virtual administrative account that you will use to manage the Symantec AntiVirus Scan Engine.
Note: You must use the GenEncryptPW utility, which is included in the scan engine distribution, to generate an encrypted password. Use the encrypted string that is returned by the utility for this value. See “Generating an encrypted password” on page 213.
InstallDir: Location in which to install the Symantec AntiVirus Scan Engine. The default location is /opt/SYMCScan.
LogDir: Location in which to place the Symantec AntiVirus Scan Engine log files. The default location is /var/log.
SymShared: Location of the SymShared directory. The default location is /opt/Symantec.
Note: The SymShared directory contains the virus definitions that are used by the Symantec AntiVirus Scan Engine to scan for viruses. If you have multiple Symantec products installed on the computer, this directory lets the products share virus definitions. If you have previously installed a Symantec AntiVirus product on the computer, this directory might already exist.
CreateAVDefsGroup: Boolean value that indicates whether to create the avdefs group. Use 0 if the group already exists, or use 1 to create the group.
The avdefs group has access rights to the directory that contains the virus definitions that are used by the Symantec AntiVirus Scan Engine. If you have previously installed a Symantec product on the computer, this group might already exist.
To create the response file for Solaris and Linux
1 Locate the response file, response, on the Symantec AntiVirus Scan Engine distribution CD and copy it to the /tmp directory on the computer that you are using.
For the silent installation to initiate, the response file must be located in the /tmp directory.
2 Rename the file to no-ask-questions and open the file.
3 Supply the desired input value for each parameter.
Changes should be made only to the right of the equal sign (=).
4 At AdminPassword=, copy and paste the encrypted string that was generated by the GenEncryptPW utility.
Ensure that you copy the encrypted string in its entirety.
See “Generating an encrypted password” on page 213.
5 Save the file.
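As an added example (not Symantec's installer code), the following Python builds a no-ask-questions file from a template and checks it against the rules in Table D-1 and the steps above. The template is a constructed stand-in for the shipped response file (same parameter names and defaults; the real layout is not reproduced), the AdminPassword value is a placeholder for the string that GenEncryptPW returns, and the 0600 file mode is the author's choice rather than something the manual requires.

```python
"""Build and check a no-ask-questions response file for a Solaris/Linux silent install.

Added example, not Symantec code. RESPONSE_TEMPLATE is a constructed stand-in for
the shipped response file (Table D-1 parameters with their documented defaults; the
real file's layout is not reproduced). The AdminPassword value is a placeholder for
the string GenEncryptPW returns; nothing here can verify that it is encrypted.
"""
from __future__ import annotations

import os

RESPONSE_TEMPLATE = """\
SCANPort=7777
Protocol=NATIVE
AdminPort=8004
AdminPassword=
InstallDir=/opt/SYMCScan
LogDir=/var/log
SymShared=/opt/Symantec
CreateAVDefsGroup=1
"""
REQUIRED = ("SCANPort", "Protocol", "AdminPort", "AdminPassword",
            "InstallDir", "LogDir", "SymShared", "CreateAVDefsGroup")
DEFAULT_SCAN_PORT = {"NATIVE": 7777, "ICAP": 1344}  # from Table D-1


def parse_params(text: str) -> dict[str, str]:
    """Parse Parameter=Value lines in file order; any other non-blank line is an error."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if "=" not in raw:
            raise ValueError(f"not a Parameter=Value line: {raw!r}")
        key, _, value = raw.partition("=")
        params[key.strip()] = value.strip()
    return params


def render(template: str, overrides: dict[str, str]) -> str:
    """Change values only to the right of '='; never add or drop a parameter.

    Overriding Protocol without SCANPort switches SCANPort to that protocol's default.
    """
    params = parse_params(template)
    unknown = set(overrides) - set(params)
    if unknown:
        raise KeyError(f"unknown parameter(s): {sorted(unknown)}")
    values = dict(overrides)
    if "Protocol" in values and "SCANPort" not in values:
        default = DEFAULT_SCAN_PORT.get(values["Protocol"])
        if default is not None:
            values["SCANPort"] = str(default)
    params.update(values)
    return "".join(f"{key}={value}\n" for key, value in params.items())


def _port(params: dict[str, str], name: str, errors: list[str]):
    """Return the port as int, or None after recording why it is unusable."""
    try:
        port = int(params.get(name, ""))
    except ValueError:
        errors.append(f"{name}: must be a port number")
        return None
    if not 1 <= port <= 65535:
        errors.append(f"{name}: {port} is not a valid port")
        return None
    return port


def validate(text: str) -> list[str]:
    """Check the rules from Table D-1; an empty list means the file is acceptable."""
    params = parse_params(text)
    errors = [f"{key}: missing (the installer must read a value for every parameter)"
              for key in REQUIRED if key not in params]
    scan_port = _port(params, "SCANPort", errors)
    admin_port = _port(params, "AdminPort", errors)
    if scan_port is not None and scan_port == admin_port:
        errors.append("SCANPort: must differ from AdminPort; two listeners cannot share a port")
    if params.get("Protocol") not in DEFAULT_SCAN_PORT:
        errors.append("Protocol: use NATIVE or ICAP")
    if not params.get("AdminPassword"):
        errors.append("AdminPassword: paste the full string returned by GenEncryptPW")
    if params.get("CreateAVDefsGroup") not in ("0", "1"):
        errors.append("CreateAVDefsGroup: use 0 (group exists) or 1 (create it)")
    for key in ("InstallDir", "LogDir", "SymShared"):
        if not params.get(key, "").startswith("/"):
            errors.append(f"{key}: must be an absolute path")
    return errors


def write_response(text: str, directory: str = "/tmp") -> str:
    """Write no-ask-questions into `directory` (the installer only looks in /tmp)."""
    errors = validate(text)
    if errors:
        raise ValueError("; ".join(errors))
    path = os.path.join(directory, "no-ask-questions")
    # The file carries the administrative credential: no group or world access (author's choice).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    return path
```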
Generating an encrypted password
The GenEncryptPW utility is included in the scan engine distribution so that you can protect the administrative password for managing the Symantec
AntiVirus Scan Engine. This utility encrypts the specified password and returns an encrypted string. You must copy the encrypted string in its entirety and paste it in the appropriate location in the response file.
To generate an encrypted password
1 Locate the GenEncryptPW utility on the Symantec AntiVirus Scan Engine distribution CD and copy it to the computer that you are using.
2 At the command prompt, type GenEncryptPW <password>, where <password> is the password that you will use to access the Symantec AntiVirus Scan Engine administrative interface.
The utility returns an encrypted string.
3 Save the entire encrypted string that is returned by the GenEncryptPW utility.
Initiating the silent installation using the response file
The procedures for initiating the silent installation differ for Windows 2000 Server/Server 2003, Solaris, and Linux.
The silent installation on Solaris and Linux initiates automatically if the installer finds the response file in the correct location. The existence of the no-ask-questions file in the /tmp directory tells the installer to perform a silent installation using the input values that are contained in the file. Before you begin the installation, ensure that the appropriate response file, titled no-ask-questions, is located in the /tmp directory.
To initiate a silent installation on Windows 2000 Server/Server 2003, you must run the installation program using the /s switch to read the response file. The installation proceeds silently, using the input values that are contained in the response file.
Note: If you initiate a Symantec AntiVirus Scan Engine silent installation in which RPC is the selected communication protocol (Windows 2000 Server/Server 2003 only), the RPC password that you enter is stored in the response file unencrypted. Protect the response file accordingly to prevent the password from being compromised.
To initiate a silent installation on Windows 2000 Server/Server 2003
1 Change directories to the location of the Symantec AntiVirus Scan Engine installation program, ScanEngine.exe.
2 At the command prompt, type:
ScanEngine /s /f1"C:\WinNT\setup.iss"
This command shows the default response file, setup.iss, in its default location, the WinNT directory. You will need to substitute appropriately if you have changed the response file name and location. For example:
ScanEngine /s /f1"C:\Temp\install_savse.iss"
The silent installation proceeds automatically from this point using the input values that are contained in the response file.
Using the silent install feature for uninstallation
You also can automate the uninstallation for the Symantec AntiVirus Scan
Engine on Windows 2000 Server/Server 2003. The procedures for using the silent uninstallation are the same as for the silent installation.
You must create a second response file for uninstallation. After you have created the response file, you can initiate the silent uninstallation by running the installation program with the /s switch to read the response file.
Note: When you create the response file for the silent uninstallation, use the /f1 switch to specify a different name and location for the response file (rather than allowing the default settings), so you can easily distinguish the uninstallation response file from any response files that you have saved for silent installation.
To create the uninstallation response file
◆
At the command prompt, type:
ScanEngine /r /f1"C:\Temp\ScanEngine_uninstall.iss"
To initiate the silent uninstallation
◆
At the command prompt, type:
ScanEngine /s /f1"C:\Temp\ScanEngine_uninstall.iss"
Index
A
access denied message, customizing (ICAP) 151
administrative interface
administrator
password, configuring 45
time-out, configuring 45
alert bind address, configuring 122
alert interval, configuring 78
antivirus scanning
testing detection capabilities 27
B
billing logs
generating scanning statistics from 127
interpreting scanning statistics 129
bind address, configuring
for administrative interface 45
Bloodhound sensitivity, configuring 89
C
command-line scanner
obtaining detailed scanning results
details on infections found 173
disposition of each file scanned 172
scanning time for each file 174
options
disposing of infected files on error 175
obtaining detailed scanning results 172
specifying the scan engine 170
specifying the scanning mode 171
specifying what to scan 167
syntax and usage 167
configuration file
container file limits, specifying 84
D
data trickle
denial of service attacks, protection against 84
dynamic thread pool
configuring maximum number of threads 78
F
file types, specifying for scanning 90
filtering email
G
getstat utility
H
HTML alerts, customizing (ICAP) 151
I
ICAP
access denied message, customizing 151
access denied message 61
bind address 61
infected files, disposing of 175
in-memory file processing limits, configuring 79
installing
on Windows 2000 Server/Server 2003 33
upgrading from previous versions 31
L
licensing
removing licenses 50
warning and grace periods 50
Linux
stopping and starting service 37, 161
LiveUpdate
configuring LiveUpdate server 135
scheduling via command line 133
local logging configuring
message string file location 116
local SESA Agent, installing 156
logging
description of logging events 111
log file location, changing 115
M
mail filter policy
by mail subject 97
by maximum mail size 97
malformed container files, blocking access 85
message string file
customizing message strings 139
MIME augmentation
N
native protocol
P
partial messages, blocking 103
port number, configuring
for administrative interface 45
protocol
Q
quarantining infected files 74
R
recursive scanning, requesting 175
return codes
RPC
notifying users when a virus is found 72
quarantining unrepairable files 74
S
scanning threads
scanning, via command line
obtaining scanning results 172
requesting recursive scanning 175
specifying the scanning mode 171
service, starting and stopping 37
service startup properties, editing 75
SESA Integration Wizard, installing 155
SESA, logging to
configuring the scan engine 161
installing the local Agent 156
SESA, logging to (continued)
running the SESA Integration Wizard 155
silent installation
creating the response file
SMTP logging
SNMP logging
Solaris
stopping and starting service 37, 160
statistics, from billing logs
summary log data
syntax for the command-line scanner 167
T
temporary directory, specifying 77
thread pool
configuring maximum number of threads 78
U
uninstalling Symantec AntiVirus Scan Engine 38
upgrading from previous versions 31
user notification of virus found (RPC) 72
V
virus definitions
virus detection
virus notification message, RPC 72
W
Windows 2000 Server/Server 2003
Windows Event Log, configuring logging to 116
Symantec AntiVirus™ Scan Engine
CD Replacement Form
CD REPLACEMENT: After your 60-Day Limited Warranty, if your CD becomes unusable, fill out and return 1) this form, 2) your damaged CD, and 3) your payment (see pricing below, add sales tax if applicable), to the address below to receive replacement CD. DURING THE 60-DAY LIMITED WARRANTY PERIOD, THIS SERVICE IS FREE.
You must be a registered customer in order to receive CD replacements.
*This offer limited to U.S., Canada, and Mexico. Outside North America, contact your local Symantec office or distributor.
CD Replacement Price: $10.00
Sales Tax: see table below
Shipping & Handling: $9.95
TOTAL DUE: sum of the above
SALES TAX TABLE: AZ (5%), CA (7.25%), CO (3%), CT (6%), DC (5.75%), FL (6%), GA (4%),
IA (5%), IL (6.25%), IN (5%), KS (4.9%), LA (4%), MA (5%), MD (5%), ME (6%), MI (6%),
MN (6.5%), MO (4.225%), NC (6%), NJ (6%), NY (4%), OH (5%), OK (4.5%), PA (6%), SC
(5%), TN (6%), TX (6.25%), VA (4.5%), WA (6.5%), WI (5%). Please add local sales tax (as well as state sales tax) in AZ, CA, FL, GA, MO, NY, OH, OK, SC, TN, TX, WA, WI.
FORM OF PAYMENT** (check one): check payable to Symantec (amount enclosed), Visa, Mastercard, or AMEX. Credit card orders require the card number, expiration date, name on card, and signature.
**U.S. Dollars. Payment must be made in U.S. dollars drawn on a U.S. bank.
MAIL YOUR CD REPLACEMENT ORDER TO:
Symantec Corporation
Attention: Order Processing
555 International Way
Springfield, OR 97477 (800) 441-7234
Please allow 2-3 weeks for delivery within the U.S.
Symantec and Symantec AntiVirus are trademarks of Symantec Corporation.
Other brands and products are trademarks of their respective holder/s.
© 2003 Symantec Corporation. All rights reserved. Printed in the U.S.A.
- 85 Specifying limits for container files
- 87 Specifying processing limits that apply to all files
- 88 Configuring antivirus settings
- 89 Changing the Bloodhound sensitivity level
- 90 Specifying file types to scan
- 94 Establishing a mail filter policy
- 94 Mail filter policy settings
- 107 7. Configuring and using logging
- 107 About Symantec AntiVirus Scan Engine logging
- 108 Logging destinations
- 109 Logging levels
- 112 Configuring local logging
- 113 Specifying the local logging level
- 115 Changing the log file location
- 116 Changing the message string file location
- 116 Logging events to the Windows Application Event Log
- 117 Activating SNMP and SMTP logging
- 118 Activating SNMP logging
- 120 Activating SMTP logging
- 122 Specifying the alert bind address
- 123 Managing the local logs
- 125 Obtaining summary data from the local logs
- 127 Interpreting summary data from the local logs
- 127 Generating scanning statistics from the billing logs
- 129 Interpreting scanning statistics
- 130 Understanding the 95th percentile bandwidth measurement
- 131 8. Configuring LiveUpdate
- 131 About LiveUpdate
- 132 Updating virus definitions
- 132 Scheduling LiveUpdate to update virus definitions automatically
- 133 Updating virus definitions manually
- 133 Scheduling LiveUpdate via the command line
- 135 Setting up your own LiveUpdate server
- 137 9. Customizing log entries
- 137 About the message string file
- 138 Editing the message string file
- 138 Preserving customized text during an upgrade
- 139 About the 1000-series message strings
- 145 About the 2000-series message strings
- 149 About the 4000-series message strings
- 151 Editing the ICAP access denied message
- 153 10. Integrating the Symantec AntiVirus Scan Engine with SESA
- 153 About SESA
- 154 Configuring logging to SESA
- 155 Configuring SESA to recognize the Symantec AntiVirus Scan Engine
- 156 Installing the local SESA Agent
- 161 Configuring the scan engine to log events to SESA
- 162 Scan engine events that are logged to SESA
- 163 Interpreting scan engine events in SESA
- 163 Uninstalling the SESA integration components
- 163 Uninstalling the local SESA Agent
- 165 11. Using the Symantec AntiVirus Scan Engine command-line scanner
- 165 About the Symantec AntiVirus Scan Engine command-line scanner
- 166 Setting up a computer to submit files for scanning
- 167 Command-line scanner syntax and usage
- 167 Specifying what to scan
- 169 Supported options
- 170 Specifying the scan engine IP address and port
- 171 Specifying the antivirus scanning mode
- 172 Obtaining detailed scanning results
- 175 Requesting recursive scanning
- 175 Disposing of infected files when an error occurs
- 177 A. Editing the configuration file
- 177 Editing the Symantec AntiVirus Scan Engine configuration file
- 178 Updating the configuration file during an upgrade
- 179 Configuration options
- 179 Changing protocol-specific settings via the configuration file
- 184 Changing resource allocation via the configuration file
- 188 Configuring logging options via the configuration file
- 192 Changing the administration settings via the configuration file
- 194 Specifying processing limits via the configuration file
- 195 Changing the antivirus settings via the configuration file
- 198 Blocking MIME partial message content via the configuration file
- 198 Activating mail message body updates via the configuration file
- 199 Scheduling LiveUpdate to occur automatically via the configuration file
- 199 Changing the LiveUpdate base time
- 200 Extracting all streams from OLE structured storage documents for scanning
- 201 B. Reviewing scanning statistics from the command line
- 201 Using the getstat utility
- 202 Interpreting getstat utility data
- 205 C. Return codes
- 205 Native protocol return codes
- 206 ICAP version 0.95 return codes
- 207 ICAP version 1.0 return codes
- 207 RPC return codes
- 209 D. Using the silent install feature
- 209 About the silent install feature
- 210 Creating the response file
- 210 Creating the response file for Windows 2000 Server/Server 2003
- 211 Creating the response file for Solaris and Linux
- 213 Initiating the silent installation using the response file
- 214 Using the silent install feature for uninstallation
- 215 Index
- 219 CD Replacement Form