Symantec Scan Engine Antivirus Scan Engine Implementation Guide

Symantec Scan Engine Antivirus Scan Engine Implementation Guide
Add to My manuals

Below you will find brief information for Antivirus Scan Engine Scan Engine. The Symantec AntiVirus Scan Engine is a carrier-class virus scanning and repair engine. It provides virus scanning and repair capabilities to any application on an IP network, regardless of platform, using one of three protocols. Any application can pass files to the Symantec AntiVirus Scan Engine for scanning, which in turn scans the files for viruses and returns a cleaned file if necessary.

advertisement

Assistant Bot

Need help? Our chatbot has already read the manual and is ready to assist you. Feel free to ask any questions about the device, but providing details will make the conversation more productive.

Symantec Antivirus Scan Engine Implementation Guide | Manualzz

Symantec AntiVirus™

Scan Engine

Implementation Guide

Symantec AntiVirus™ Scan Engine

Implementation Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 4.3

PN: 10143971

Copyright Notice

Copyright © 2000-2003 Symantec Corporation.

All Rights Reserved.

Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation.

NO WARRANTY. The technical documentation is being delivered to you AS-IS, and

Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user.

Documentation may include technical or other inaccuracies or typographical errors.

Symantec reserves the right to make changes without prior notice.

No part of this publication may be copied without the express written permission of

Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.

Trademarks

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation.

CarrierScan Server, Bloodhound, LiveUpdate, NAVEX, Symantec AntiVirus, and Symantec

Security Response are trademarks of Symantec Corporation. Sun, Sun Microsystems, the

Sun logo, Sun Enterprise, Java, Ultra, and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc., in the United States and other countries. SPARC is a registered trademark of SPARC International, Inc. Products bearing SPARC trademarks are based on an architecture developed by Sun Microsystems, Inc. Microsoft, ActiveX, Windows,

Windows NT, and the Windows Logo are registered trademarks of Microsoft Corporation in the United States and other countries. Intel and Pentium are registered trademarks of

Intel Corporation. Red Hat is a registered trademark of Red Hat Software, Inc., in the

United States and other countries. Linux is a registered trademark of Linus Torvalds.

NetApp, Data ONTAP, NetCache, Network Appliance, and Web Filer are registered trademarks or trademarks of Network Appliance, Inc., in the United States and other countries. Adobe, Acrobat, and Acrobat Reader are trademarks of Adobe Systems

Incorporated. THIS PRODUCT IS NOT ENDORSED OR SPONSORED BY ADOBE SYSTEMS

INCORPORATED, PUBLISHERS OF ADOBE ACROBAT.

Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

A modified version of a freeware SNMP library is used in this software. This software is

Copyright © 1988, 1989 by Carnegie Mellon University All Rights Reserved. Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.

CMU software disclaimer: “CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS

SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND

FITNESS. IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR

CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM

LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,

NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION

WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.”

A set of Unicode handling libraries is used in this software. This software is Copyright (c)

1995-2002 International Business Machines Corporation and others. All rights reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, and/or sell copies of the Software, and to permit persons to whom the

Software is furnished to do so, provided that the above copyright notice(s) and this permission notice appear in all copies of the Software and that both the above copyright notice(s) and this permission notice appear in supporting documentation. Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.

IBM software disclaimer: “THE SOFTWARE IS PROVIDED ‘AS IS’, WITHOUT WARRANTY

OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE

WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND

NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE COPYRIGHT

HOLDER OR HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM, OR ANY

SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER

RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF

CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.”

Printed in the United States of America.

10 9 8 7 6 5 4 3 2 1

Technical support

As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group’s primary role is to respond to specific questions on product feature/ function, installation, and configuration, as well as to author content for our

Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide

Alerting Services and Virus Definition Updates for virus outbreaks and security alerts.

Symantec technical support offerings include:

A range of support options that give you the flexibility to select the right amount of service for any size organization

Telephone and Web support components that provide rapid response and up-to-the-minute information

Upgrade insurance that delivers automatic software upgrade protection

Content Updates for virus definitions and security signatures that ensure the highest level of protection

Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support Program

Advanced features, such as the Symantec Alerting Service and Technical

Account Manager role, offer enhanced response and proactive security support

Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using.

Licensing and registration

If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the

Symantec licensing and registration site at www.symantec.com/certificate.

Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.html, select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link.

Contacting Technical Support

Customers with a current support agreement may contact the Technical

Support group via phone or online at www.symantec.com/techsupp.

Customers with Platinum support agreements may contact Platinum Technical

Support via the Platinum Web site at www-secure.symantec.com/platinum/.

When contacting the Technical Support group, please have the following:

Product release level

Hardware information

Available memory, disk space, NIC information

Operating system

Version and patch level

Network topology

Router, gateway, and IP address information

Problem description

Error messages/log files

Troubleshooting performed prior to contacting Symantec

Recent software configuration changes and/or network changes

Customer Service

To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support.

Customer Service is available to assist with the following types of issues:

Questions regarding product licensing or serialization

Product registration updates such as address or name changes

General product information (features, language availability, local dealers)

Latest information on product updates and upgrades

Information on upgrade insurance and maintenance contracts

Information on Symantec Value License Program

Advice on Symantec's technical support options

Nontechnical presales questions

Missing or defective CD-ROMs or manuals

Symantec Corporation Software License Agreement

Enterprise Antivirus Software

THIS LICENSE AGREEMENT SUPERSEDES THE

LICENSE AGREEMENT CONTAINED IN THE

SOFTWARE INSTALLATION AND DOCUMENTATION.

SYMANTEC CORPORATION AND/OR ITS

SUBSIDIARIES (“SYMANTEC”) IS WILLING TO

LICENSE THE SOFTWARE TO YOU AS AN

INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY

THAT WILL BE UTILIZING THE SOFTWARE

(REFERENCED BELOW AS “YOU OR YOUR”) ONLY ON

THE CONDITION THAT YOU ACCEPT ALL OF THE

TERMS OF THIS LICENSE AGREEMENT. READ THE

TERMS AND CONDITIONS OF THIS LICENSE

AGREEMENT CAREFULLY BEFORE USING THE

SOFTWARE. THIS IS A LEGAL AND ENFORCEABLE

CONTRACT BETWEEN YOU AND THE LICENSOR. BY

OPENING THIS PACKAGE, BREAKING THE SEAL,

CLICKING ON THE “AGREE” OR “YES” BUTTON OR

OTHERWISE INDICATING ASSENT

ELECTRONICALLY, OR LOADING THE SOFTWARE,

YOU AGREE TO THE TERMS AND CONDITIONS OF

THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE

TERMS AND CONDITIONS, CLICK ON THE “I DO NOT

AGREE”, “NO” BUTTON, OR OTHERWISE INDICATE

REFUSAL AND MAKE NO FURTHER USE OF THE

SOFTWARE.

1. License:

The software and documentation that accompanies this license (collectively the “Software”) is the proprietary property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Software, You will have certain rights to use the quantity of the Software for which

You have paid the applicable license fees after Your acceptance of this license. This license governs any releases, revisions, or enhancements to the Software that the Licensor may furnish to You. Except as may be modified by an applicable Symantec license certificate, license coupon, or license key (each a “License

Module”) that accompanies, precedes, or follows this license, Your rights and obligations with respect to the use of licensed copies of this Software are as follows:

You may:

A. use the Software in the manner described in the

Software documentation and in accordance with the

License Module. If the Software is part of an offering containing multiple Software titles, the aggregate number of copies You may use may not exceed the aggregate number of licenses indicated in the License

Module, as calculated by any combination of licensed

Software titles in such offering. Your License Module shall constitute proof of Your right to make such copies. If no License Module accompanies, precedes, or follows this license, You may make one copy of the

Software You are authorized to use on a single machine;

B. make one copy of the Software for archival purposes, or copy the Software onto the hard disk of

Your computer and retain the original for archival purposes;

C. use the Software on a network or to protect a network such as at the gateway or on a mail server, provided that You have a license to the Software for each computer that can access the network;

D. after written consent from Symantec, transfer the

Software on a permanent basis to another person or entity, provided that You retain no copies of the

Software and the transferee agrees to the terms of this license; and

E. use the Software in accordance with any additional permitted uses set forth in Section 8, below.

You may not:

A. copy the printed documentation which accompanies the Software;

B. sublicense, rent or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software;

C. use a previous version or copy of the Software after

You have received a disk replacement set or an upgraded version. Upon upgrading the Software, all copies of the prior version must be destroyed;

D. use a later version of the Software than is provided herewith unless You have purchased corresponding maintenance and/or upgrade insurance or have otherwise separately acquired the right to use such later version;

E. use, if You received the software distributed on media containing multiple Symantec products, any

Symantec software on the media for which You have not received a permission in a License Module;

F. use the Software in any manner not authorized by this license; nor

G. use the Software in any manner that contradicts any additional restrictions set forth in Section 8, below.

2. Content Updates:

Certain Software utilize content which is updated from time to time (including but not limited to the following

Software: antivirus software utilize updated virus definitions; content filtering software utilize updated

URL lists; some firewall software utilize updated firewall rules; and vulnerability assessment products utilize updated vulnerability data; these updates are collectively referred to as “Content Updates”). You shall have the right to obtain Content Updates for any period for which You have purchased maintenance, except for those Content Updates which Symantec elects to make available by separate paid subscription, or for any period for which You have otherwise separately acquired the right to obtain Content

Updates. Symantec reserves the right to designate specified Content Updates as requiring purchase of a separate subscription at any time and without notice to

You; provided, however, that if You purchase maintenance hereunder that includes particular

Content Updates on the date of purchase, You will not have to pay an additional fee to continue receiving such Content Updates through the term of such maintenance even if Symantec designates such

Content Updates as requiring separate purchase. This

License does not otherwise permit Licensee to obtain and use Content Updates.

3. Limited Warranty:

Symantec warrants that the media on which the

Software is distributed will be free from defects for a period of sixty (60) days from the date of delivery of the

Software to You. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to

Symantec within the warranty period or refund the money You paid for the Software. Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free.

THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU

OF ALL OTHER WARRANTIES, WHETHER EXPRESS

OR IMPLIED, INCLUDING THE IMPLIED

WARRANTIES OF MERCHANTABILITY, FITNESS FOR

A PARTICULAR PURPOSE AND NONINFRINGEMENT

OF INTELLECTUAL PROPERTY RIGHTS. THIS

WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS.

YOU MAY HAVE OTHER RIGHTS, WHICH VARY

FROM STATE TO STATE AND COUNTRY TO

COUNTRY.

4. Disclaimer of Damages:

SOME STATES AND COUNTRIES, INCLUDING

MEMBER COUNTRIES OF THE EUROPEAN

ECONOMIC AREA, DO NOT ALLOW THE LIMITATION

OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR

CONSEQUENTIAL DAMAGES SO THE BELOW

LIMITATION OR EXCLUSION MAY NOT APPLY TO

YOU.

TO THE MAXIMUM EXTENT PERMITTED BY

APPLICABLE LAW AND REGARDLESS OF WHETHER

ANY REMEDY SET FORTH HEREIN FAILS OF ITS

ESSENTIAL PURPOSE, IN NO EVENT WILL

SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL,

CONSEQUENTIAL, INDIRECT OR SIMILAR DAMAGES,

INCLUDING ANY LOST PROFITS OR LOST DATA

ARISING OUT OF THE USE OR INABILITY TO USE

THE SOFTWARE EVEN IF SYMANTEC HAS BEEN

ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

IN NO CASE SHALL SYMANTEC'S LIABILITY EXCEED

THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether You accept the Software.

5. U.S. Government Restricted Rights:

RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are

“Commercial Items”, as that term is defined in 48

C.F.R. section 2.101, consisting of “Commercial

Computer Software” and “Commercial Computer

Software Documentation”, as such terms are defined in

48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. section 227.7202, as applicable. Consistent with 48 C.F.R. section 12.212, 48

C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 through 227.7202-4, 48 C.F.R. section 52.227-14, and other relevant sections of the Code of Federal

Regulations, as applicable, Symantec's computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec

Corporation, 20330 Stevens Creek Blvd., Cupertino, CA

95014, United States of America.

6. Export Regulation:

Export, re-export of this Software is governed by the laws and regulations of the United States and import laws and regulations of certain other countries Export or re-export of Software to any entity on the Denied

Parties List and other lists promulgated by various agencies of the United States Federal Government is strictly prohibited.

7. General:

If You are located in North America or Latin America, this Agreement will be governed by the laws of the

State of California, United States of America.

Otherwise, this Agreement will be governed by the laws of England. This Agreement and any related

License Module is the entire agreement between You and Symantec relating to the Software and: (i) supersedes all prior or contemporaneous oral or written communications, proposals and representations with respect to its subject matter; and

(ii) prevails over any conflicting or additional terms of any quote, order, acknowledgment or similar communications between the parties. This Agreement shall terminate upon Your breach of any term contained herein and You shall cease use of and destroy all copies of the Software. The disclaimers of warranties and damages and limitations on liability shall survive termination. The original of this

Agreement has been written in English and English is

the governing language of this Agreement. Software and documentation is delivered Ex Works California,

U.S.A. or Dublin, Ireland respectively (ICC INCOTERMS

2000). This Agreement may only be modified by a

License Module which accompanies this license or by a written document which has been signed by both You and Symantec. Should You have any questions concerning this Agreement, or if You desire to contact

Symantec for any reason, please write to: (i) Symantec

Customer Service, 555 International Way, Springfield,

OR 97477, U.S.A. or (ii) Symantec Customer Service

Center, PO BOX 5689, Dublin 15, Ireland.

8. Additional Restrictions for Specified

Software:

A. If the Software You have licensed is a specified

Symantec AntiVirus™ for a third party product or platform, You may only use that specified Software with the corresponding product or platform. You may not allow any computer to access the Software other than a computer using the specified product or platform. In the event that You wish to use the

Software with a certain product or platform for which there is no specified Software, You may use Symantec

AntiVirus Scan Engine.

B. If the Software You have licensed is Symantec

AntiVirus for Web Servers, the following additional use(s) and restriction(s) apply: i) You may use the Software only with files that are received from third parties through a web server; ii) You may use the Software only with files received from less than 10,000 unique third parties per month; and iii) You may not charge or assess a fee for use of the

Software for Your internal business.

C. If the Software You have licensed is Symantec Web

Security, independent of version or operating platform designation, upon the expiration of Your right to acquire Content Updates, the filtering definitions corresponding with all previous Content Updates will be entirely deleted and will no longer be available for use with the Software. Upon the expiration of Your right to acquire Content Updates, access to updated virus definitions will no longer be available, however,

You may continue to use virus definitions previously acquired.

D. If the Software You have licensed is Symantec

AntiVirus Corporate Edition, You may not use the

Software on or with devices on Your network running embedded operating systems specifically supporting network attached storage functionality without separately licensing a version of such Software specifically licensed for a specific type of network attached storage device under a License Module.

E. If the Software You have licensed is Symantec

AntiVirus for EMC® Celerra™ File Server, You may use the Software only with EMC Celerra servers and only if

You have a license to the Software for each Celerra

AntiVirus Agent (CAVA) associated with each such server. You may not allow any computer to access the

Software other than an EMC Celerra server.

EMC and Celerra are trademarks or registered trademarks of EMC Corporation in the U.S. and other countries.

Contents

Technical support

Chapter 1 Introducing the Symantec AntiVirus Scan Engine

About the Symantec AntiVirus Scan Engine ................................................... 15

The Symantec AntiVirus Scan Engine solution ...................................... 16

What’s new in version 4.3 .......................................................................... 17

Where to start ...................................................................................................... 18

Considerations for implementation .................................................................. 20

About Symantec AntiVirus Scan Engine deployment ........................... 20

How the scan engine works with the client application ........................ 21

About automatic load balancing ................................................................ 22

About supported protocols ................................................................................. 22

About the native protocol ........................................................................... 23

About the Internet Content Adaptation Protocol (ICAP) ....................... 23

About remote procedure call (RPC) ........................................................... 23

About virus protection ........................................................................................ 24

How viruses are detected ............................................................................ 25

Testing virus detection capabilities .......................................................... 27

Chapter 2 Installing the Symantec AntiVirus Scan Engine

System requirements .......................................................................................... 29

Windows 2000 Server/Server 2003 .......................................................... 29

Solaris ............................................................................................................ 30

Red Hat Linux ............................................................................................... 30

Preparing for installation ................................................................................... 31

Upgrading from a previous version .......................................................... 31

Running other antivirus products on the Symantec AntiVirus

Scan Engine server .............................................................................. 33

Installing the Symantec AntiVirus Scan Engine ............................................ 33

Installing on Windows 2000 Server/Server 2003 ................................... 34

Installing on Solaris and Linux .................................................................. 35

Stopping and restarting the Symantec AntiVirus Scan Engine service ..... 37

Uninstalling the Symantec AntiVirus Scan Engine ....................................... 38

10 Contents

Chapter 3

Chapter 4

Chapter 5

Chapter 6

Symantec AntiVirus Scan Engine administration

About the administrative interface .................................................................. 39

Built-in HTTP server ................................................................................... 40

Virtual administrator account password ................................................. 40

Accessing the administrative interface ........................................................... 41

About the main administration page ........................................................ 42

Changing the administration settings ............................................................. 45

Activating product licenses

About licensing .................................................................................................... 49

License warning and grace periods ........................................................... 50

Removing license files ................................................................................ 50

Activating a license ............................................................................................. 51

Checking the license status ................................................................................ 53

Configuring the Symantec AntiVirus Scan Engine

About configuring the Symantec AntiVirus Scan Engine ............................. 55

Selecting the communication protocol ............................................................ 56

Configuring the Symantec AntiVirus Scan Engine native protocol ............ 57

How the scan engine works with the native protocol ............................ 57

Native protocol configuration options ..................................................... 57

Configuring ICAP ................................................................................................. 59

How the scan engine works with ICAP ..................................................... 60

ICAP configuration options ........................................................................ 61

Enabling data trickle ................................................................................... 64

Configuring RPC .................................................................................................. 66

How the scan engine works with RPC ...................................................... 66

RPC configuration options ......................................................................... 68

Notifying requesting users that a virus was found ................................ 72

Quarantining unrepairable infected files ................................................ 74

Editing the service startup properties ...................................................... 75

Allocating resources ............................................................................................ 77

Setting scanning and blocking policies

About scanning and blocking policies .............................................................. 83

Specifying processing limits .............................................................................. 84

Specifying limits for container files ......................................................... 85

Specifying processing limits that apply to all files ................................ 87

Configuring antivirus settings .......................................................................... 88

Changing the Bloodhound sensitivity level ............................................. 89

Specifying file types to scan ...................................................................... 90

Contents 11

Chapter 7

Chapter 8

Chapter 9

Establishing a mail filter policy ......................................................................... 94

Mail filter policy settings ............................................................................ 94

Configuring and using logging

About Symantec AntiVirus Scan Engine logging .........................................107

Logging destinations .................................................................................108

Logging levels .............................................................................................109

Configuring local logging .................................................................................112

Specifying the local logging level ............................................................113

Changing the log file location ..................................................................115

Changing the message string file location .............................................116

Logging events to the Windows Application Event Log ..............................116

Activating SNMP and SMTP logging ..............................................................117

Activating SNMP logging .........................................................................118

Activating SMTP logging ..........................................................................120

Specifying the alert bind address ............................................................122

Managing the local logs ....................................................................................123

Obtaining summary data from the local logs ................................................125

Interpreting summary data from the local logs ....................................127

Generating scanning statistics from the billing logs ...................................127

Interpreting scanning statistics ..............................................................129

Understanding the 95th percentile bandwidth measurement ...........130

Configuring LiveUpdate

About LiveUpdate ..............................................................................................131

Updating virus definitions ...............................................................................132

Scheduling LiveUpdate to update virus definitions automatically ...132

Updating virus definitions manually .....................................................133

Scheduling LiveUpdate via the command line ..............................................133

Setting up your own LiveUpdate server .........................................................135

Customizing log entries

About the message string file ..........................................................................137

Editing the message string file ........................................................................138

Preserving customized text during an upgrade ............................................138

About the 1000-series message strings ..........................................................139

About the 2000-series message strings ..........................................................145

About the 4000-series message strings ..........................................................149

Editing the ICAP access denied message .......................................................151

12 Contents

Chapter 10 Integrating the Symantec AntiVirus Scan Engine with SESA

About SESA .........................................................................................................153

Configuring logging to SESA ...........................................................................154

Configuring SESA to recognize the Symantec AntiVirus

Scan Engine ........................................................................................155

Installing the local SESA Agent ...............................................................156

Configuring the scan engine to log events to SESA .............................161

Scan engine events that are logged to SESA .................................................162

Interpreting scan engine events in SESA ......................................................163

Uninstalling the SESA integration components ...........................................163

Uninstalling the local SESA Agent .................................................................163

Chapter 11 Using the Symantec AntiVirus Scan Engine command-line scanner

About the Symantec AntiVirus Scan Engine command-line scanner .......165

Setting up a computer to submit files for scanning .....................................166

Command-line scanner syntax and usage .....................................................167

Specifying what to scan ............................................................................167

Supported options .....................................................................................169

Specifying the scan engine IP address and port ...................................170

Specifying the antivirus scanning mode ................................................171

Obtaining detailed scanning results .......................................................172

Requesting recursive scanning ...............................................................175

Disposing of infected files when an error occurs .................................175

Appendix A Editing the configuration file

Editing the Symantec AntiVirus Scan Engine configuration file ..............177

Updating the configuration file during an upgrade .....................................178

Configuration options .......................................................................................179

Changing protocol-specific settings via the configuration file ..........179

Changing resource allocation via the configuration file .....................184

Configuring logging options via the configuration file .......................188

Changing the administration settings via the configuration file ......192

Specifying processing limits via the configuration file .......................194

Changing the antivirus settings via the configuration file .................195

Blocking MIME partial message content via the configuration file ..198

Activating mail message body updates via the configuration file .....198

Scheduling LiveUpdate to occur automatically via the configuration file ...............................................................................199

Changing the LiveUpdate base time .......................................................199

Extracting all streams from OLE structured storage documents for scanning ........................................................................................200

Contents 13

Appendix B Reviewing scanning statistics from the command line

Using the getstat utility ....................................................................................201

Interpreting getstat utility data ......................................................................202

Appendix C Return codes

Native protocol return codes ...........................................................................205

ICAP version 0.95 return codes .......................................................................206

CAP version 1.0 return codes ...........................................................................207

RPC return codes ...............................................................................................207

Appendix D Using the silent install feature

About the silent install feature ........................................................................209

Creating the response file ................................................................................210

Creating the response file for Windows 2000 Server/Server 2003 ...210

Creating the response file for Solaris and Linux ..................................211

Initiating the silent installation using the response file .............................213

Using the silent install feature for uninstallation ........................................214

Index

CD Replacement Form

14 Contents

Chapter

1

Introducing the Symantec

AntiVirus Scan Engine

This chapter includes the following topics:

About the Symantec AntiVirus Scan Engine

Where to start

Considerations for implementation

About supported protocols

About virus protection

About the Symantec AntiVirus Scan Engine

The Symantec AntiVirus Scan Engine, formerly marketed as CarrierScan Server, is a carrier-class virus scanning and repair engine. The Symantec AntiVirus

Scan Engine features all of the key virus-scanning technologies available in the complete line of Symantec antivirus products, making the Symantec AntiVirus

Scan Engine one of the most effective virus solutions available for detecting and preventing virus attacks.

The Symantec AntiVirus Scan Engine provides virus scanning and repair capabilities to any application on an IP network, regardless of platform, using one of three protocols. Any application can pass files to the Symantec AntiVirus

Scan Engine for scanning, which in turn scans the files for viruses and returns a cleaned file if necessary.

16 Introducing the Symantec AntiVirus Scan Engine

About the Symantec AntiVirus Scan Engine

The Symantec AntiVirus Scan Engine accepts scan requests from client applications using one of three protocols. The scan engine has its own native protocol and also can accept scan requests via a proprietary implementation of the remote procedure call (RPC) protocol and the Internet Content Adaptation

Protocol (ICAP).

The Symantec AntiVirus Scan Engine software development kit (SDK) is available for custom integration. You can create a custom integration via a client-side application program interface (API) C library using version 1.0 of

ICAP, presented in RFC 3507 (April 2003). Symantec also has developed connector code for some third-party applications for seamless integration with the Symantec AntiVirus Scan Engine.

The Symantec AntiVirus Scan Engine solution

The Symantec AntiVirus Scan Engine satisfies the following key needs of

Internet infrastructure organizations:

Scalability: The Symantec AntiVirus Scan Engine can run on existing computers in your organization’s infrastructure or on one or more separate computers on the network. Additional computers that run the scan engine can easily be added at any time to handle increased loads. The Symantec

AntiVirus Scan Engine API provides automatic load balancing for multiple scan engines that are running on the network.

Robustness: If the scan engine goes down for any reason, it automatically restarts, making the Symantec AntiVirus Scan Engine ideal for Internet environments that are always on.

Speed: The Symantec AntiVirus Scan Engine uses the Symantec AntiVirus™ engine, which is one of the fastest in the industry.

Virus protection: In addition to the virus protection capabilities available in all Symantec antivirus products, the Symantec AntiVirus Scan Engine offers controls to help prevent denial of service attacks that are caused by container files that are overly large or that contain multiple embedded compressed files.

Serviceability: Virus definitions for the Symantec AntiVirus Scan Engine can be automatically updated, without interruption in virus scanning, on all platforms. The Symantec AntiVirus Scan Engine supports Symantec

LiveUpdate™ technology.

Introducing the Symantec AntiVirus Scan Engine

About the Symantec AntiVirus Scan Engine

17

Manageability: The Symantec AntiVirus Scan Engine can be remotely managed from any computer on your network via a Web-based administrative interface. The Symantec AntiVirus Scan Engine provides full-featured logging and SMTP (simple mail transfer protocol) and SNMP

(simple network management protocol) alerting capability for a full range of activity, making it manageable in large environments.

Multiple protocol support: The Symantec AntiVirus Scan Engine accepts scan requests from client applications using one of three protocols:

The Symantec AntiVirus Scan Engine native protocol

The Internet Content Adaptation Protocol (ICAP), version 0.95

(proprietary implementation) and version 1.0 of ICAP, presented in

RFC 3507 (April 2003)

A proprietary implementation of remote procedure call (RPC)

Ease of integration: The Symantec AntiVirus Scan Engine runs on Sun

®

Solaris

®

, Red Hat

®

Linux

®

, and Microsoft

®

Windows

®

2000 Server and

Windows Server 2003 platforms. Because the scan engine can run on a separate computer on the network, it can easily be deployed in any environment that is running any set of platforms. If you want to use ICAP version 1.0 to do your own integration, a client-side API can be used to add virus scanning to any C or C++ application. To make integration with some third-party applications convenient and easy, Symantec also provides a number of connectors for the Symantec AntiVirus Scan Engine.

Billing support: The Symantec AntiVirus Scan Engine maintains bandwidth utilization statistics and file-scanning statistics to facilitate different billing schemes.

What’s new in version 4.3

The Symantec AntiVirus Scan Engine version 4.3 includes the following new features:

New client-side API using ICAP version 1.0: The underlying protocol in the

Symantec AntiVirus Scan Engine client-side API is now ICAP 1.0. If you have purchased the Symantec AntiVirus Scan Engine software development kit, the client-side API can be used to add virus scanning to any C or C++ application.

Command-line scanner: The Symantec AntiVirus Scan Engine now includes a command-line scanner, which is a multi-platform utility that lets you send files to be scanned for viruses via the command line. You can repair infected files and delete those that are unrepairable.

18 Introducing the Symantec AntiVirus Scan Engine

Where to start

Upgrade installation support: You now can install an upgrade to the

Symantec AntiVirus Scan Engine over an existing installation (without first uninstalling the previous version). Any configuration changes and customizations that have been made are preserved during the upgrade.

Upgraded logging features: Logging for each logging destination is activated individually by selecting a desired logging level for that destination.

Selecting the logging level lets you choose the types of events for which log messages are separated. You can select a different logging level for each logging destination.

Dynamic thread pool for antivirus scanning: The pool of scanning threads that is available to the Symantec AntiVirus Scan Engine for antivirus scanning now dynamically adjusts to the load that is being processed to measure system resources. You can change a number of parameters to control the dynamic thread pool.

Data trickle user comforting for ICAP: This feature prevents a user who downloads a large file from the Internet from receiving a session time-out error by trickling small amounts of the file to the user while the file is being scanned.

POST transaction antivirus scanning for ICAP 1.0: The Symantec AntiVirus

Scan Engine now scans files that are being posted to the Internet. The antivirus scanning and logging policies that are configured on the scan engine now also apply to POST transactions as well.

Client identification logging and notification for RPC: If you are using RPC, the Symantec AntiVirus Scan Engine now logs identifying information when a client requests a file that is found to be infected. A notification message informs users that a virus was detected in a file that they attempted to retrieve and indicates the disposition of the file.

Where to start

The Symantec AntiVirus Scan Engine Implementation Guide contains all of the instructions necessary to install and maintain the Symantec AntiVirus Scan

Engine. Follow these steps to ensure that you use the scan engine’s capabilities effectively:

Become familiar with the design and features of the software.

See “Introducing the Symantec AntiVirus Scan Engine” on page 15.

Introducing the Symantec AntiVirus Scan Engine

Where to start

19

Decide how to deploy the Symantec AntiVirus Scan Engine on your network to meet your specific requirements. If you plan to use ICAP version 1.0 to create a custom implementation of the scan engine and have purchased the

Symantec AntiVirus Scan Engine SDK, the Symantec AntiVirus Scan Engine

Software Developer’s Guide contains additional information on deploying the scan engine using this protocol. If you have purchased a specific connector for the Symantec AntiVirus Scan Engine, check the accompanying documentation for additional information on that particular implementation of the scan engine.

See “Considerations for implementation” on page 20.

Install the Symantec AntiVirus Scan Engine. Verify that your system meets the minimum requirements before installing.

See “Installing the Symantec AntiVirus Scan Engine” on page 29.

Activate the licenses for key features for the Symantec AntiVirus Scan

Engine, including antivirus scanning functionality and virus definitions updates, through the Symantec AntiVirus Scan Engine administrative interface.

See “Activating product licenses” on page 49.

Review the configuration information in Chapters 5–11 of this guide to fully customize the Symantec AntiVirus Scan Engine to meet your needs. This includes configuring LiveUpdate™, so that the scan engine always has the necessary information to detect and remove newly discovered viruses.

Configure the client applications that will send files for scanning to the

Symantec AntiVirus Scan Engine. If you purchased the Symantec AntiVirus

Scan Engine SDK, the Symantec AntiVirus Scan Engine Software Developer’s

Guide provides this information. If you have purchased a specific connector for the Symantec AntiVirus Scan Engine, see the documentation for that connector for instructions on configuring the client application.

20 Introducing the Symantec AntiVirus Scan Engine

Considerations for implementation

Considerations for implementation

The Symantec AntiVirus Scan Engine can be easily implemented into an existing infrastructure. The Symantec AntiVirus Scan Engine runs on Solaris,

Red Hat Linux, and Windows 2000 Server/Server 2003 platforms.

See “About Symantec AntiVirus Scan Engine deployment” on page 20.

Symantec provides connectors for some third-party products for seamless integration with the Symantec AntiVirus Scan Engine.

See “How the scan engine works with the client application” on page 21.

For custom integration using ICAP version 1.0, the Symantec AntiVirus Scan

Engine features a client-side API, which streamlines the integration of antivirus scanning for any C or C++ application. The Symantec AntiVirus Scan Engine API provides scheduling across any number of computers that are running the

Symantec AntiVirus Scan Engine.

See “About automatic load balancing” on page 22.

About Symantec AntiVirus Scan Engine deployment

In a typical configuration, files are passed to the Symantec AntiVirus Scan

Engine via a socket over the network because the scan engine is running on a separate computer. Depending on the network setup, client applications

(applications that have been configured to pass files to the scan engine for scanning) can pass a full path rather than the actual file to the Symantec

AntiVirus Scan Engine. For example, files to be scanned may be located on a drive that can be mounted over the network, such as a shared drive in Windows or a network file system (NFS) drive. If the client application and the scan engine have access to a shared directory, the client application can place the file in the shared directory and pass the full path to the Symantec AntiVirus Scan Engine, which can access the file directly.

For cases in which the client application is running on the same computer as the

Symantec AntiVirus Scan Engine, the client application can pass the file name to the scan engine, and the scan engine can open the file and scan it in place on the computer.

Introducing the Symantec AntiVirus Scan Engine

Considerations for implementation

21

One example of a typical integration of the Symantec AntiVirus Scan Engine is shown in

Figure 1-1

. Integration scenarios are discussed in detail in Symantec

CarrierScan Server Version 2.0: A Symantec White Paper, which is available on the Symantec Web site.

Figure 1-1 Typical integration of the Symantec AntiVirus Scan Engine

How the scan engine works with the client application

The Symantec AntiVirus Scan Engine is designed to be easily integrated into any environment to provide antivirus scanning for any application. Client applications are configured to pass files, via one of three protocols, to the

Symantec AntiVirus Scan Engine, which scans the files for viruses and returns cleaned files if necessary.

Depending on the protocol that is used, the Symantec AntiVirus Scan Engine can be configured to scan only certain file types that are passed to it by client applications. In other cases, the client application must decide what to scan and what to do with the results.

If you want to use ICAP to do your own integration, a client-side API can be used to add virus scanning to any C or C++ application. To make integration with some third-party applications convenient and easy, Symantec also provides a

22 Introducing the Symantec AntiVirus Scan Engine

About supported protocols number of connectors for the Symantec AntiVirus Scan Engine. Other software companies may develop connectors for the Symantec AntiVirus Scan Engine to provide antivirus scanning for their own products.

If you have purchased the Symantec AntiVirus Scan Engine with a connector, you may need to configure the Symantec AntiVirus Scan Engine to work with the connector. You may need to configure the third-party application to add virus scanning as well. You will need the information that is contained in the

Symantec AntiVirus Scan Engine Implementation Guide and any additional documentation that is included with the connector.

About automatic load balancing

The Symantec AntiVirus Scan Engine API provides scheduling across any number of computers that are running the Symantec AntiVirus Scan Engine.

Client applications that pass files to the scan engine benefit from load-balanced virus scanning without any additional effort. The API determines the appropriate Symantec AntiVirus Scan Engine (when multiple scan engines are used) to receive the next file to be scanned, based on the scheduling algorithm.

If a Symantec AntiVirus Scan Engine is unreachable or goes down during a scan, another scan engine is called and the faulty scan engine is taken out of rotation for a period of time. If all of the scan engines are out of rotation, the faulty scan engines are called again. The API does not stop trying to contact the scan engine unless five engines are not functioning, or it appears that a file that is being scanned might have caused more than one engine to go down.

Note: If you are using the Symantec AntiVirus Scan Engine as a plug-in using

RPC or ICAP, load balancing across multiple scan engines may be configurable, depending on the implementation. See the plug-in documentation.

About supported protocols

The Symantec AntiVirus Scan Engine lets client applications send scan requests using one of three protocols:

The native protocol

The Internet Content Adaptation Protocol (ICAP)

A proprietary remote procedure call (RPC) protocol

The protocol can be changed at any time.

See “Selecting the communication protocol” on page 56.

Introducing the Symantec AntiVirus Scan Engine

About supported protocols

23

About the native protocol

In the default configuration, the Symantec AntiVirus Scan Engine implements a simple TCP/IP protocol to provide antivirus functionality to client applications.

This protocol is text-based, like HTTP or SMTP, and uses standard ASCII commands and responses to communicate between client and server.

To scan a file, a client connects to IP port 7777 (the default), sends the file to be scanned, and then reads the results of the scan. After receiving the scan results, the client and server disconnect and must initiate new connections to scan subsequent files.

See “Configuring the Symantec AntiVirus Scan Engine native protocol” on page 57.

About the Internet Content Adaptation Protocol (ICAP)

ICAP is a lightweight protocol for executing a remote procedure call on HTTP messages. ICAP is part of an evolving architecture that lets corporations, carriers, and ISPs dynamically scan, change, and augment Web content as it flows through ICAP servers. The protocol lets ICAP clients pass HTTP messages to ICAP servers for adaptation (some sort of transformation or other processing, such as virus scanning). The server executes its transformation service on messages and responds to the client, usually with modified messages. The adapted messages may be either HTTP requests or HTTP responses.

In a typical integration, a caching proxy server retrieves requested information from the Web. At the same time, it caches the information (stores a copy on disk), and, where possible, serves multiple requests for the same Web content from the cache. A caching proxy server can use ICAP to communicate with the

Symantec AntiVirus Scan Engine and request scan and repair of content that is retrieved from the Web. The Symantec AntiVirus Scan Engine uses the proprietary version 0.95 implementation and version 1.0 of ICAP, presented in

RFC 3507 (April 2003), depending on the requesting client.

See “Configuring ICAP” on page 59.

About remote procedure call (RPC)

Remote procedure call (RPC) is a client/server infrastructure that increases the interoperability and portability of an application by letting the application be distributed over multiple platforms. The use of RPC frees the developer from having to be familiar with various operating system and network interfaces and simplifies the development of applications that span multiple operating systems and network protocols. Complexity is significantly reduced by keeping the

24 Introducing the Symantec AntiVirus Scan Engine

About virus protection semantics of a remote call the same whether or not the client and server are located on the same computer.

The Symantec AntiVirus Scan Engine uses a proprietary virus scanning protocol with the MS-RPC protocol (for Windows 2000 Server/Server 2003 platforms only) to interface with client applications. Any appropriate client can use RPC to communicate with the Symantec AntiVirus Scan Engine and request scanning and repairing of files.

See “Configuring RPC” on page 66.

About virus protection

The Symantec AntiVirus Scan Engine features all of the virus scanning technologies that are available in Symantec antivirus products. The Symantec

AntiVirus Scan Engine detects viruses, worms, and Trojan horses in all major file types (for example, Windows files, DOS files, and Microsoft Word and Excel files). The Symantec AntiVirus Scan Engine also includes a decomposer that handles most compressed and archive file formats and nested levels of files. You can configure the scan engine to limit scanning to certain file types based on file extension.

To protect against container files that can cause denial of service attacks (for example, container files that are overly large, that contain large numbers of embedded compressed files, or that have been designed to use resources maliciously and degrade performance), the Symantec AntiVirus Scan Engine lets you specify the maximum amount of time that the scan engine devotes to decomposing a container file and its contents, the maximum file size for individual files in a container file, and the maximum number of nested levels to be decomposed for scanning.

The Symantec AntiVirus Scan Engine also detects mobile code such as Java™,

ActiveX

®

, and stand-alone script-based threats. The Symantec AntiVirus Scan

Engine utilizes Symantec antivirus technologies, including Bloodhound™, for heuristic detection of new or unknown viruses; NAVEX™, which provides protection from new classes of viruses automatically via LiveUpdate; and

Striker, for the detection of polymorphic viruses.

If you would like to know whether the Symantec AntiVirus Scan Engine or any other Symantec product protects against a specific virus, visit the Symantec

Security Response™ Web site at: http://securityresponse.symantec.com

The Symantec AntiVirus Scan Engine technology is supported by the Symantec

Security Response team. These Symantec engineers work 24 hours per day,

7 days per week, tracking new virus outbreaks and identifying new virus threats.

Introducing the Symantec AntiVirus Scan Engine

About virus protection

25

How viruses are detected

When Symantec engineers identify a new virus, information about the virus (a virus signature) is stored in a virus definitions file. Virus definitions files are updated periodically via the Symantec automated LiveUpdate feature. When the

Symantec AntiVirus Scan Engine scans for viruses, it searches for these virus signatures. To supplement the detection of virus infections by virus signature, the Symantec AntiVirus Scan Engine includes Bloodhound technology, which heuristically detects new or unknown viruses based on the general characteristics exhibited by known viruses.

About Bloodhound heuristic technology

Symantec engineers have developed two types of heuristics for the detection of unknown viruses. The first, Bloodhound, is capable of detecting upwards of

80 percent of new and unknown executable file viruses. The second,

Bloodhound-Macro, detects and repairs over 90 percent of new and unknown macro viruses. Bloodhound requires minimal overhead since it examines only programs and documents that meet stringent prerequisites. In most cases,

Bloodhound can determine in microseconds whether a file or document is likely to be infected by a virus. If it determines that a file is not able to be infected, it immediately moves to the next file.

Bloodhound and executable viruses

Bloodhound uses artificial intelligence (AI) technology to isolate and locate the various logical regions of each application that it is told to scan. It analyzes the program logic in each of these regions for virus-like behavior and simulates this behavior to determine whether the program is a virus.

Bloodhound and macro viruses

Symantec Bloodhound-Macro technology uses a hybrid heuristic scheme to detect and repair more than 90 percent of all new and unknown macro viruses automatically. For example, every time that the Symantec AntiVirus Scan

Engine scans a Microsoft Word document, Bloodhound-Macro sets up a complete virtual environment into which it loads the document. The macros that are contained in the document are run as they would be in the word processing application.

Bloodhound-Macro monitors the macros as they run to see if they copy themselves from the host document to another virtual document. Bloodhound-

Macro also runs the copied macros and verifies that they can further propagate.

26 Introducing the Symantec AntiVirus Scan Engine

About virus protection

About NAVEX technology

NAVEX is a technology that lets the Symantec Security Response team update the antivirus scanning component of the Symantec AntiVirus Scan Engine during routine virus definitions updates. This means that no inline revisions or time-consuming upgrades are necessary to ensure that your antivirus protection stays current, regardless of platform, even against new virus threats.

The antivirus scanning component is made up of dozens of complex search algorithms, CPU emulators, and other program logic. The scanning component examines a file to determine whether it contains viruses. The scanning component scans files and disks for virus fingerprints (unique sequences of bytes that are known to be contained in viruses). These fingerprints are stored in the virus definitions files that are downloaded at least once per week. The scanning component also repairs infected files.

Occasionally, a new virus or class of viruses emerges that cannot be detected by existing scanning components. These viruses require new algorithms for detection and, consequently, a new scanning component. With the NAVEX technology, Symantec engineers can quickly upgrade the Symantec AntiVirus scanning components with no extra cost or effort required.

Striker technology

Striker technology identifies polymorphic computer viruses, which are the most complex and difficult viruses to detect. Like an encrypted virus, a polymorphic virus includes a scrambled virus body and a decryption routine that first gains control of the computer and then decrypts the virus body. However, a polymorphic virus also adds a mutation engine that generates randomized decryption routines that change each time that a virus infects a new program.

As a result, no two polymorphic viruses are the same.

Each time that Striker scans a new program file, it loads the file into a selfcontained virtual computer. The program executes in this virtual computer as if it were running on a real computer. The polymorphic virus runs and decrypts itself. Striker then scans, detects, and repairs the virus.

LiveUpdate

LiveUpdate ensures that your network is not at risk of infection by newly discovered viruses. Updated virus definitions files, which contain the necessary information to detect and eliminate viruses, are supplied by Symantec at least every week and whenever a new virus threat is discovered. The Symantec

AntiVirus Scan Engine can be configured to poll the Symantec LiveUpdate servers to determine whether updated virus definitions have been posted. If new virus definitions are available, the Symantec AntiVirus Scan Engine downloads

Introducing the Symantec AntiVirus Scan Engine

About virus protection

27 the files and installs them in the proper location. Virus protection stays current without any interruption in protection.

Testing virus detection capabilities

If you want to verify the virus detection capabilities of the Symantec AntiVirus

Scan Engine, visit the following Web site: http://www.eicar.org

The site provides a link to a test virus that should be detected by all major antivirus vendors.

Warning: Carefully read the disclaimers on the site prior to downloading the test file into your environment. Any attempts to test antivirus software with real or dummy viruses should be handled with extreme care.

If your computer already has antivirus software, you must disable the autoprotect mode of the antivirus software before downloading the test file.

28 Introducing the Symantec AntiVirus Scan Engine

About virus protection

Chapter

2

Installing the Symantec

AntiVirus Scan Engine

This chapter includes the following topics:

System requirements

Preparing for installation

Installing the Symantec AntiVirus Scan Engine

Stopping and restarting the Symantec AntiVirus Scan Engine service

Uninstalling the Symantec AntiVirus Scan Engine

System requirements

Before you attempt to install the Symantec AntiVirus Scan Engine, verify that your server meets the system requirements.

Windows 2000 Server/Server 2003

Windows 2000 Server with Service Pack 3 or Windows Server 2003

Pentium III 500 MHz or higher

256 MB of RAM or higher

25 MB of hard disk space

1 network interface card (NIC) running TCP/IP with a static IP address

Internet connection for LiveUpdate of virus definitions

30 Installing the Symantec AntiVirus Scan Engine

System requirements

Microsoft Internet Explorer 6.0 (with Service Pack 1) or later or Netscape

Navigator 7.01 or later, with a Java 2 run-time environment (version 1.4 or later) installed, for Web-based administration

Note: The Web browser can be installed on any computer on your network that can access the server that is running the Symantec AntiVirus Scan

Engine.

Solaris

Solaris 7 or later

Sun Ultra 10 or higher

SPARC

®

400 MHz or higher

256 MB of RAM or higher

35 MB of hard disk space

1 network interface card (NIC) running TCP/IP with a static IP address

Internet connection for LiveUpdate of virus definitions

Netscape Navigator 7.01 or later, with a Java 2 run-time environment

(version 1.4 or later) installed, for Web-based administration

Note: The Web browser can be installed on any computer on your network that can access the server that is running the Symantec AntiVirus Scan

Engine.

Red Hat Linux

Red Hat Linux version 7.3 or later

Pentium III 500 MHz or higher

256 MB of RAM or higher

25 MB of hard disk space

1 network interface card (NIC) running TCP/IP with a static IP address

Internet connection for LiveUpdate of virus definitions

Installing the Symantec AntiVirus Scan Engine

Preparing for installation

31

Netscape Navigator 7.01 or later, with a Java 2 run-time environment

(version 1.4 or later) installed, for Web-based administration

Note: The Web browser can be installed on any computer on your network that can access the server that is running the Symantec AntiVirus Scan

Engine.

Preparing for installation

Before installing the Symantec AntiVirus Scan Engine, consider the following:

If you are upgrading from version 4.0.X or later of the Symantec AntiVirus

Scan Engine, you can install the upgrade over the existing installation

(without first uninstalling the previous version). If you are upgrading from an earlier version of the Symantec AntiVirus Scan Engine or Symantec

CarrierScan Server, you must uninstall the previous version first.

Another antivirus product should be run to protect the server that is running the Symantec AntiVirus Scan Engine.

Upgrading from a previous version

The Symantec AntiVirus Scan Engine version 4.3 installer checks to see which version (if any) of the scan engine is already installed, then does the following:

If no previous version of the scan engine is detected, a full installation is performed.

If an earlier version (any version earlier than 4.0.X) is detected, you are directed to first uninstall the previous version, and the installation is cancelled. (To uninstall earlier versions of the Symantec AntiVirus Scan

Engine or CarrierScan Server, see the documentation for that product.)

If an upgrade is possible, no option is presented at installation to uninstall the previous version. If you are running version 4.0.X and want a full, clean installation, you must uninstall the previous version before running the installer.

32 Installing the Symantec AntiVirus Scan Engine

Preparing for installation

Installing the upgrade over the existing installation preserves any customizations that you have made to the files and message catalogs in

Table 2-1 .

Table 2-1

File and message catalogs preserved during upgrade

File or message catalog Description symcscan.cfg

policy.cfg, subjects.cfg, sizes.cfg, domains.cfg, and filenames.cfg

symcsmsg.dat

symcsinf.htm and symcsinf.msg (ICAP only)

Existing local logs and billing logs

Any changes that you have made to the Symantec

AntiVirus Scan Engine configuration file are preserved. If you have customized any configuration options, your customizations are written to the new configuration file

(for those options that are still used in the upgrade).

Note: Scan engine logging options have changed in version

4.3. Because in many cases the previous configuration options do not map to the new options, any customizations that you have made to the logging options are not preserved. You must reconfigure logging after installing the upgrade.

If you have a mail filter policy in effect (that is, you are filtering mail by message size, attachment file name or size, message origin, or subject line), your mail policy entries are retained.

If you have customized any of the message strings contained in the message string file, the customizations are retained. New message strings that are specific to the upgrade (those with new message ID numbers) are appended to the file.

Note: If an existing message string (one with an existing message ID) has been changed as part of the upgrade to the Symantec AntiVirus Scan Engine, the existing message string is commented out in the message string file so that any customizations are preserved in the file. The updated message is appended to the file, but is not commented out.

If you have customized any message strings in the message string file, you should check the string file after installing the upgrade to reconcile any new text with your customized text.

If you have customized the ICAP access denied message, your changes are retained.

Existing local log files and billing log files are not deleted.

Installing the Symantec AntiVirus Scan Engine

Installing the Symantec AntiVirus Scan Engine

33

Running other antivirus products on the Symantec AntiVirus Scan

Engine server

By design, the Symantec AntiVirus Scan Engine scans only files from client applications that are configured to pass files to the scan engine. The Symantec

AntiVirus Scan Engine does not protect the computer on which it is running.

Because the server on which the Symantec AntiVirus Scan Engine is running handles viruses, the server is vulnerable (if the server has no real-time virus protection of the operating system).

To achieve comprehensive virus protection with the Symantec AntiVirus Scan

Engine, it is important to protect the Symantec AntiVirus Scan Engine server from virus attacks. To protect the host computer, run an antivirus program such as Symantec AntiVirus Corporate Edition on the server that is running the

Symantec AntiVirus Scan Engine.

Warning: To prevent a conflict between the Symantec AntiVirus Scan Engine and the antivirus product that is running on the host computer, you must configure the antivirus product on the host computer so that it does not scan the temporary directory that is used by the Symantec AntiVirus Scan Engine for scanning.

Installing the Symantec AntiVirus Scan Engine

The Symantec AntiVirus Scan Engine should be installed on a computer that meets the system requirements.

See “System requirements” on page 29.

Ensure that your server’s operating system software and applicable updates are installed, configured, and working correctly before you install the Symantec

AntiVirus Scan Engine. Consult your server’s documentation for more information.

Once you have installed the Symantec AntiVirus Scan Engine, you must activate all applicable product licenses. You must also activate your subscription to virus definitions updates. The antivirus scanning features are not active until you activate the licenses.

See “Activating product licenses” on page 49.

If you are installing multiple Symantec AntiVirus Scan Engines, you may want to take advantage of the silent install feature for the scan engine.

See “Using the silent install feature” on page 209.

34 Installing the Symantec AntiVirus Scan Engine

Installing the Symantec AntiVirus Scan Engine

Installing on Windows 2000 Server/Server 2003

Only a single instance of the Symantec AntiVirus Scan Engine can be run on

Windows 2000 Server/Server 2003 computers.

To install the Symantec AntiVirus Scan Engine on Windows 2000 Server/

Server 2003

1 Log on to the computer on which you plan to install Symantec AntiVirus

Scan Engine as administrator or as a user with administrator rights.

2 Copy the ScanEngine.exe file from the CD onto the computer.

3

Run the .exe file.

4 Indicate that you agree with the terms of the Symantec license agreement, then click Next.

If you do not indicate that you agree, the installation is cancelled.

5 Select the location in which to install the Symantec AntiVirus Scan Engine, then click Next.

The default location is C:\Program Files\Symantec\Scan Engine.

6 Select one of the following communication protocols:

NATIVE

ICAP

RPC

If you select RPC as the communication protocol, type the IP address for the RPC client, and then type the account name and password to identify the account (with Backup Operator privileges on the RPC client) on which the Symantec AntiVirus Scan Engine will run.

If the Symantec AntiVirus Scan Engine is to support multiple RPC clients, you can add additional clients through the scan engine administrative interface. Only one RPC client can be specified at installation.

The default account is LocalSystem. If you accept the default account, you do not need to enter the password. Use the following format for the account name: domain\username. Make sure that the account has the appropriate permissions. You will not receive an error message if the account does not have appropriate permissions.

See “Editing the service startup properties” on page 75.

7 Click Next.

Installing the Symantec AntiVirus Scan Engine

Installing the Symantec AntiVirus Scan Engine

35

8

Select the port number on which the Web-based administrative interface listens.

The default port number is 8004. To disable, type 0.

Note: If you disable the administrative interface, you must configure the

Symantec AntiVirus Scan Engine by editing the configuration file.

See “Editing the configuration file” on page 177.

9

Type a password for the virtual administrative account that you will use to manage the Symantec AntiVirus Scan Engine.

10 Confirm the password by typing it again.

11 Click Next.

12 Follow the on-screen prompts to complete the installation.

When the installation is complete, the Symantec AntiVirus Scan Engine is installed as a Windows 2000/2003 service and is listed as Symantec

AntiVirus Scan Engine in the Services Control Panel. The Symantec

AntiVirus Scan Engine starts automatically when the installation is complete. Significant installation activities are recorded in the Windows

Application Event Log.

Installing on Solaris and Linux

The Solaris version of the Symantec AntiVirus Scan Engine is distributed as a self-extracting, self-installing shell archive (shar) named ScanEngine.sh.

Note: If you are installing the Symantec AntiVirus Scan Engine on Red Hat

Linux version 7.3, you must first install the C++ compatible libraries. These libraries are included in the Red Hat Linux distribution. They are contained in the compat-libstdc++6.2-2.9.0.16 RPM. If these libraries are not installed, the scan engine will not install.

To install the Symantec AntiVirus Scan Engine on Solaris and Linux

1 Log on as root to the computer on which you plan to install the Symantec

AntiVirus Scan Engine.

2 Copy the distribution file, ScanEngine.sh, from the CD onto the computer.

3 Change directories to the location in which you copied the distribution file.

4

Type the following command, then press Enter:

sh ./ScanEngine.sh

36 Installing the Symantec AntiVirus Scan Engine

Installing the Symantec AntiVirus Scan Engine

5

Indicate that you agree with the terms of the Symantec license agreement, then press Enter.

If you indicate No, the installation is cancelled.

6

Indicate whether to create the avdefs group.

The avdefs group has access rights to the directory that contains the virus definitions that are used by the Symantec AntiVirus Scan Engine. If you have previously installed a Symantec product on the computer, this group might already exist. If so, this option is not available.

7

Select the location in which to install the Symantec AntiVirus Scan Engine, then press Enter.

The default location is /opt/SYMCScan.

8

Select the location for the SymShared directory.

The SymShared directory contains the virus definitions that are used by the

Symantec AntiVirus Scan Engine to scan for viruses. The default location is

/opt/Symantec. If you have multiple Symantec products installed on the computer, this directory lets the products share virus definitions. If you have previously installed a Symantec product on the computer, this directory might already exist. If so, this option is not available.

9

Select the protocol to be used by the Symantec AntiVirus Scan Engine, then click Next.

10 Select the port number on which the Web-based administrative interface listens.

The default port number is 8004. To disable, type 0.

Note: If you disable the administrative interface, you must configure the

Symantec AntiVirus Scan Engine by editing the configuration file.

See “Editing the configuration file” on page 177.

11 Type a password for the virtual administrative account that you will use to manage the Symantec AntiVirus Scan Engine.

12 Confirm the password by typing it again.

The installer proceeds from this point with the installation. The Symantec

AntiVirus Scan Engine starts automatically as a daemon (service) when the installation is complete. A transcript of the installation is saved as

/var/log/SYMCScan-install.log for later review.

Installing the Symantec AntiVirus Scan Engine

Stopping and restarting the Symantec AntiVirus Scan Engine service

37

To ensure that the Symantec AntiVirus Scan Engine daemon is running on

Solaris and Linux

1 Type the following command:

ps -ea | grep sym

2 Press Enter.

You should see a list of processes similar to the following:

5358 ?0:00 symcscan

If nothing is displayed, the Symantec AntiVirus Scan Engine daemon did not start.

3 If the Symantec AntiVirus Scan Engine daemon did not start, type the following command:

/etc/init.d/symcscan restart

Stopping and restarting the Symantec AntiVirus

Scan Engine service

You might need to stop and restart the Symantec AntiVirus Scan Engine service.

Stopping and restarting the Symantec AntiVirus Scan Engine service results in a lost connection to client applications that are in the process of submitting a file for scanning. The client application must reestablish the connection and resubmit the file for scanning.

Instructions for stopping and restarting the Symantec AntiVirus Scan Engine service differ depending on the operating system that you are running. If you are running the Symantec AntiVirus Scan Engine on Windows 2000 Server/

Server 2003, stop and start service in the Services Control Panel.

To stop and restart the Symantec AntiVirus Scan Engine service on Solaris and Linux

1 Log on to the computer as root.

2 At the command prompt, do one of the following:

To stop the service, type the following command:

/etc/init.d/symcscan stop

To start the service, type the following command:

/etc/init.d/symcscan start

To stop and immediately restart the service, type the following command:

/etc/init.d/symcscan restart

38 Installing the Symantec AntiVirus Scan Engine

Uninstalling the Symantec AntiVirus Scan Engine

Uninstalling the Symantec AntiVirus Scan Engine

Use the following instructions for uninstalling the Symantec AntiVirus Scan

Engine.

Uninstalling the Symantec AntiVirus Scan Engine does not remove the license keys for the Symantec AntiVirus Scan Engine. If you are uninstalling the

Symantec AntiVirus Scan Engine permanently, you must manually uninstall the license keys. If you must manually remove the license keys, contact Symantec

Service and Support.

Uninstall the Symantec AntiVirus Scan Engine

Uninstallation instructions differ depending on the operating system that you are running.

To uninstall the Symantec AntiVirus Scan Engine on Windows 2000 Server/

Server 2003

1

Log on to the computer as administrator or as a user with administrator rights.

2 In the Add/Remove Programs Control Panel, click Symantec AntiVirus Scan

Engine.

3 Click Change/Remove.

4 Follow the on-screen prompts to complete the uninstallation.

To uninstall the Symantec AntiVirus Scan Engine on Solaris

1

Log on to the computer as root.

2 At the command prompt, type the following command:

pkgrm SYMCScan

3 Press Enter.

4 Follow the on-screen prompts to complete the uninstallation.

To uninstall the Symantec AntiVirus Scan Engine on Red Hat Linux

1 Log on to the computer as root.

2

At the command prompt, type the following command:

rpm -e SYMCScan

3

Press Enter.

Chapter

3

Symantec AntiVirus Scan

Engine administration

This chapter includes the following topics:

About the administrative interface

Accessing the administrative interface

Changing the administration settings

About the administrative interface

The Symantec AntiVirus Scan Engine is managed through a Web-based interface. This interface is provided through a built-in HTTP server. The

Symantec AntiVirus Scan Engine administrative interface is accessed via a Web browser on any computer on your network that can access the server that is running the Symantec AntiVirus Scan Engine.

The administrative interface is accessed using a virtual administrative account that is created at installation. The administrative interface lets you manage the

Symantec AntiVirus Scan Engine.

In order for changes that have been made through the administrative interface to take effect, you must restart the Symantec AntiVirus Scan Engine service.

When you are making changes to the Symantec AntiVirus Scan Engine configuration, remember that stopping and restarting the Symantec AntiVirus

Scan Engine service results in a lost connection to client applications that are in the process of submitting files for scanning. (The client application must reestablish the connection and resubmit the file for scanning.) You may want to schedule configuration changes for times when scanning is at a minimum.

Although it is possible for multiple administrative interface sessions to be active at one time for a single Symantec AntiVirus Scan Engine, this practice is

40 Symantec AntiVirus Scan Engine administration

About the administrative interface strongly discouraged. Having more than one user logged in at the same time can cause possible race conditions, as well as result in conflicting configuration changes being submitted.

Built-in HTTP server

The built-in HTTP server that provides the administrative interface is independent of any existing HTTP server that may be installed on your server and is not a general purpose Web server. During the installation process, you are prompted for the TCP/IP port number on which this built-in HTTP server listens. The port number that you specify must be exclusive to the Symantec

AntiVirus Scan Engine administrative interface and must not already be in use by any other program or service.

Because the built-in HTTP server is not a general purpose Web server, do not use port number 80 (the default port number for general purpose Web servers).

Unless you have a compelling reason to do otherwise, use the default setting

(8004). If you select a port number other than the default, do not forget which port number you chose.

Note: The built-in HTTP server port number differs from the port number on which the Symantec AntiVirus Scan Engine listens for client applications to pass files for scanning. This port number is exclusive to the Symantec AntiVirus

Scan Engine administrative interface.

Virtual administrator account password

A virtual administrative account is created at installation. You are also prompted to provide a password for this account during installation. Do not forget the password for this account because the virtual administrative account is the only account that you can use to manage the Symantec AntiVirus Scan

Engine. You can change the password via the administrative interface, but you must have the old password to change it.

Symantec AntiVirus Scan Engine administration

Accessing the administrative interface

41

Accessing the administrative interface

The administrative interface is accessed using a suitable Web browser. When you log on to the administrative interface, the password for the virtual administrative account is unencrypted. For security reasons, you should access the administrative interface using a switch or via a secure segment of the network.

Warning: Although it is possible for multiple administrative interface sessions to be active at one time for a single Symantec AntiVirus Scan Engine, this practice is strongly discouraged. Having more than one user logged in at the same time can cause possible race conditions, as well as result in conflicting configuration changes being submitted.

To access the administrative functions

1

Launch a Web browser on any computer on your network that can access the server that is running the Symantec AntiVirus Scan Engine.

2 Visit the following URL: http://<servername>:<port>/ where <servername> is the host name or IP address of the server that is running the Symantec AntiVirus Scan Engine and <port> is the port number that you selected during installation for the built-in Web server

(8004 is the default port number.)

3 In the Log on dialog box, in the Password box, type the password for the administrative account.

4 Click Log on.

The Symantec AntiVirus Scan Engine main administration page displays.

42 Symantec AntiVirus Scan Engine administration

Accessing the administrative interface

About the main administration page

The main administration page displays command buttons in the left pane and the Symantec AntiVirus Scan Engine Status page in the right pane.

Command buttons

Status

The command buttons

The command buttons in the left pane of the main administration page let you navigate to Symantec AntiVirus Scan Engine administrative functions. Clicking a command button causes the tabs for that function to appear in the right pane of the browser window.

The command buttons let you access the features in Table 3-1 .

Table 3-1 Command button functions

Command button Description

Status

Configuration

Blocking Policy

Lets you examine system metrics that have been calculated since the last restart.

To return to the main administration page from anywhere in the

Symantec AntiVirus Scan Engine administrative interface, on the

Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Status.

Lets you set up the Symantec AntiVirus Scan Engine for your network and configure the scan engine appropriately to provide scanning for client applications.

Lets you specify what to scan and what to block and set limits to protect server resources.

Symantec AntiVirus Scan Engine administration

Accessing the administrative interface

43

Table 3-1

Command button functions

Command button Description

Reporting

LiveUpdate

Licensing

Log Off

Lets you examine scanning statistics or log data.

Lets you update virus definitions files to ensure that your network remains protected against newly discovered viruses.

Lets you claim new license keys and check the status of the license keys that have already been installed.

Automatically logs you off of the administrative interface.

Password reentry is required to access the interface.

The Status pane

The Status pane on the main administration page displays system metrics that are calculated since the last time that the Symantec AntiVirus Scan Engine was restarted manually (rather than restarted through the administrative interface).

Metrics that are displayed in the Status pane are calculated from temporarily stored data. When the Symantec AntiVirus Scan Engine is manually shut down, the memory clears and the counts start over.

The top portion of the Status pane contains general information regarding scan engine operation. The following information displays in the top portion of the

Status pane:

Current status of the Symantec AntiVirus Scan Engine

Version number of the Symantec AntiVirus Scan Engine that is running

Protocol currently in use by the Symantec AntiVirus Scan Engine

IP address and port number to which the Symantec AntiVirus Scan Engine is bound

Date and revision number of the virus definitions that are currently in use by the Symantec AntiVirus Scan Engine

Date and time that the scan engine was last started

Total time that the scan engine has been running since the last restart

The status of any license keys that have been installed

The system metrics in the bottom portion of the Status pane provide a summary of virus scanning activity since the last manual restart. To obtain more detailed data on the virus scanning activity, you must activate the desired logging capabilities and use the Reporting features of the Symantec AntiVirus Scan

44 Symantec AntiVirus Scan Engine administration

Accessing the administrative interface

Engine. The following system metrics display in the bottom portion of the

Status pane:

Total viruses found

Total viruses repaired

This number can be different than the total number of viruses found because some malicious code cannot be repaired.

Total requests for scanning

Total number of files that have been scanned

The total number of files that have been scanned is not strictly a physical file count. The total includes the number of files as well as additional objects within container files that were scanned. Some containers, such as

MIME-encoded messages and Microsoft Office documents, have additional embedded objects that are not files but that may be scanned depending on the files that you have selected for scanning (the extension list settings).

Total megabytes of data scanned

You can update the system metrics on the Status pane or reset the counts to zero through the administrative interface.

To update the display at any time

At the bottom of the page, click Refresh.

To reset the counts to zero at any time

At the bottom of the page, click Reset Statistics.

Symantec AntiVirus Scan Engine administration

Changing the administration settings

45

Changing the administration settings

You can configure the administrative settings that are listed in

Table 3-2 for the

Symantec AntiVirus Scan Engine administrative interface and the virtual administrator account.

Table 3-2 Administration settings

Option Description

HTTP bind address The Symantec AntiVirus Scan Engine is managed through a Webbased interface, which is provided through a built-in HTTP server.

The HTTP server binds to all interfaces by default. You can restrict administrative access to a specific interface by entering the appropriate bind address.

HTTP port number The Web-based interface binds to a TCP/IP port number. You are prompted to provide an HTTP port number during installation, but the port number can be changed through the administrative interface.

Administrator password

The Symantec AntiVirus Scan Engine is managed using a virtual administrative account. The virtual administrative account is known only to the Symantec AntiVirus Scan Engine. It is not a system account. You are prompted to provide a password for this account at installation. The password for this account can be changed at any time through the Symantec AntiVirus Scan Engine administrative interface.

Do not forget the password that you enter for this account because the virtual administrative account is the only account that can be used to manage the Symantec AntiVirus Scan Engine. If you forget the password for the virtual administrative account, you must clear the adminpassword variable in the configuration file, and then log on to the administrative interface to enter a new password. (You won’t need a password.)

See “Editing the Symantec AntiVirus Scan Engine configuration file” on page 177.

Administrator timeout

The Symantec AntiVirus Scan Engine requires the administrator to log on to the administrative interface to access the administrative functions. The Symantec AntiVirus Scan Engine is configured to automatically log the administrator off after a selected period of inactivity by default. The default period of inactivity is five minutes. You can change the default time-out period.

46 Symantec AntiVirus Scan Engine administration

Changing the administration settings

To change the administration settings

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.

2 On the Admin tab, in the HTTP bind address box, type a bind address, if necessary.

By default, the Symantec AntiVirus Scan Engine binds to all interfaces. You can restrict access to a specific interface by typing the appropriate bind address.

3 In the HTTP port number box, type a new port number.

The default setting is port 8004. The port number must be exclusive to the

Symantec AntiVirus Scan Engine interface and must not already be in use by any other program or service. Do not use port number 80. To disable the administrative interface, type 0.

4 In the New Password box, type the new password for the virtual administrative account.

5 In the Confirm box, type the new password again to verify that you typed it correctly.

6 In the Administrator timeout box, type the period of inactivity, in seconds, after which the administrator is automatically logged off.

The default setting is 300 seconds (5 minutes).

7 Click Confirm Changes to save the configuration.

Symantec AntiVirus Scan Engine administration

Changing the administration settings

47

8

Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

48 Symantec AntiVirus Scan Engine administration

Changing the administration settings

Chapter

4

Activating product licenses

This chapter includes the following topics:

About licensing

Activating a license

Checking the license status

About licensing

Key features for the Symantec AntiVirus Scan Engine, including antivirus scanning functionality and virus definitions updates, are activated by license.

Licenses are initially installed following product installation through the

Symantec AntiVirus Scan Engine administrative interface. When a license expires, for example, when a virus definitions update subscription expires, a new license must be installed to renew the subscription. When no license is installed, limited functionality is available. A license affects the relevant behavior only. For example, when no antivirus scanning license is installed, an administrator can access the administrative interface to view and modify settings and run reports, but no antivirus scanning is performed. When no virus definitions update license is installed, new virus definitions updates are not downloaded to keep protection current.

See “Activating a license” on page 51.

50 Activating product licenses

About licensing

License warning and grace periods

When a license is within 30 days of the expiration date, it is considered to be in a warning period. After a license expires, the licensed feature continues to operate for a specified period of time. This is the grace period. If the grace period expires with no license renewal, all record of the license is removed and the product becomes unlicensed.

The Symantec AntiVirus Scan Engine can be configured to generate log entries to indicate that a license is in the warning period or the grace period. Log entries are generated every 24 hours during the period.

See “About Symantec AntiVirus Scan Engine logging” on page 107.

You can view detailed information on the status of all installed Symantec

AntiVirus Scan Engine licenses at any time by clicking Licensing on the

Symantec AntiVirus Scan Engine main administration page.

See “Checking the license status” on page 53.

The Symantec AntiVirus Scan Engine Status page, which is located in the left pane on the main administration page, also contains a License status entry that indicates whether any installed license is in either a grace or warning period.

Removing license files

Symantec AntiVirus Scan Engine licenses are not uninstalled automatically when the product is uninstalled. The license files remain in place, so that if you must uninstall and reinstall the Symantec AntiVirus Scan Engine for any reason, the license is intact on reinstall. Each installed license is stored in a separate file in the shared license directory that contains the licenses for all

Symantec products that are activated by license. The license files must be removed manually. If you must remove a license file, contact Symantec Service and Support.

Activating product licenses

Activating a license

51

Activating a license

Both the Symantec AntiVirus Scan Engine antivirus scanning functionality and your subscription to the virus definitions updates are activated by license. A separate license must be installed for each feature. If you purchase additional product features from Symantec as they become available for the Symantec

AntiVirus Scan Engine, these features will be activated with a new license.

To activate a license, you must have the serial number required for activation.

The serial number is printed on the Symantec Serial Number Certificate for the product.

Note: The Symantec Serial Number Certificate is not part of the Symantec

AntiVirus Scan Engine software distribution package. The Symantec Serial

Number Certificate is mailed separately and should arrive in the same time frame as your software.

Activate a license

Activating a license is a two-step process. You must complete both steps to activate a license:

Obtain the license file from Symantec by completing the online form. You must have a serial number to complete the online form. Once you complete the online form, you receive the license file via email from Symantec. (The complete license file is provided as an attachment to the email.)

Install the license file that you receive via the Symantec AntiVirus Scan

Engine administrative interface.

52 Activating product licenses

Activating a license

To obtain the license file

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Licensing.

2 On the Install tab, click the link to access Symantec’s Licensing and

Registration Web page.

3 Follow the instructions on the Web page to complete the online licensing form.

You must have the appropriate serial number to complete the form.

The license file is returned via email as an attachment. Make sure that the email address you provide on the online form is appropriate so that the license file will be accessible.

To install the license file

1 When you receive the email message from Symantec that contains the license file, save the file that is attached to the email message to the computer from which you will access the Symantec AntiVirus Scan Engine administrative interface.

2 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Licensing.

Activating product licenses

Checking the license status

53

3

Do one of the following:

On the Install tab, click Browse to browse to the location of the license file.

The path to the file should appear in the box to the left of the Browse button.

Open the license file using a text editor, such as Notepad, and copy and paste the entire contents of the file into the field on the Install tab.

Make sure that you use a text editor such as Notepad to open the file.

Because the license file is an XML file, browsers such as Microsoft

Internet Explorer add extra code as they open the license file. If the license file is altered in any way, it will not install.

4 Click Confirm Changes.

The software indicates whether the license was installed successfully.

5 Click Continue.

If the license was installed successfully, clicking Continue returns you to the

Status tab so that you can verify the updated license status. If the license did not install, clicking Continue returns you to the Install tab so that you can attempt the installation again.

Checking the license status

You can access detailed information on the Symantec AntiVirus Scan Engine product licenses at any time by clicking Licensing on the Symantec AntiVirus

Scan Engine main administration page and viewing the Status tab. For any installed license, you can check the license expiration date, the number of days remaining in the warning or grace period (if applicable), and the number of nodes licensed. A fulfillment ID for each installed license also appears on the

Status tab. You will need to supply the fulfillment ID to Symantec Service and

Support if you have questions regarding your license.

54 Activating product licenses

Checking the license status

The license information that is displayed is described in Table 4-1 .

Table 4-1

License status information

Column

Licensed feature

Expiration date

Nodes

Fulfillment ID

Description

Each installed license is listed according to the feature that is activated by the license.

The expiration date for each license is displayed. If the license is in either the warning period or the grace period, a warning message is also displayed in this column.

The number of licensed nodes is displayed for each installed license.

The fulfillment ID is the identification number for your license. Provide this number to Symantec Service and

Support if you have questions regarding your license.

Note: You can also check the status of your licenses from the Symantec

AntiVirus Scan Engine Status page, which is located in the left pane on the main administration page. The Status page displays a License status entry that indicates whether any installed license is in either a grace or warning period.

However, for more detailed information, you must click Licensing.

To check the license status

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Licensing.

2 On the Status tab, review the license information that is displayed.

Chapter

5

Configuring the Symantec

AntiVirus Scan Engine

This chapter includes the following topics:

About configuring the Symantec AntiVirus Scan Engine

Selecting the communication protocol

Configuring the Symantec AntiVirus Scan Engine native protocol

Configuring ICAP

Configuring RPC

Allocating resources

About configuring the Symantec AntiVirus Scan

Engine

You can set up the Symantec AntiVirus Scan Engine for your network and configure the scan engine to provide scanning services for client applications.

You can do the following:

Change the protocol that the scan engine uses to communicate with the client applications for which it is providing scanning services and configure any protocol-specific settings.

Allocate server and scan engine resources for operation of the Symantec

AntiVirus Scan Engine.

56 Configuring the Symantec AntiVirus Scan Engine

Selecting the communication protocol

Selecting the communication protocol

You can change the communication protocol that the scan engine uses to communicate with the client applications for which it is providing scanning services.

See “About supported protocols” on page 22.

You can choose from the following protocols:

The Symantec AntiVirus Scan Engine native protocol: The Symantec

AntiVirus Scan Engine uses its own native protocol by default. The native protocol is a simple TCP/IP protocol, which is text-based like HTTP or SMTP, and uses standard ASCII commands and responses to communicate between client and server.

See “Configuring the Symantec AntiVirus Scan Engine native protocol” on page 57.

The Internet Content Adaptation Protocol (ICAP): ICAP is a lightweight protocol for executing a remote procedure call on HTTP messages. The

Symantec AntiVirus Scan Engine supports both the proprietary 0.95 implementation of ICAP and version 1.0, presented in RFC 3507 (April

2003). The Symantec AntiVirus Scan Engine determines which is appropriate for the request based on the header data that is provided by the client application.

See “Configuring ICAP” on page 59.

Remote procedure call (RPC): The Symantec AntiVirus Scan Engine can be configured for Windows 2000 Server/2003 Server to use a proprietary virus scanning protocol with the MS-RPC protocol to interface with client applications. If you are running the Symantec AntiVirus Scan Engine on

Solaris or Linux, this option does not appear on the administrative interface.

See “Configuring RPC” on page 66.

After you select a protocol, you must provide protocol-specific configuration information. The configuration options differ depending on the protocol that you select.

Configuring the Symantec AntiVirus Scan Engine

Configuring the Symantec AntiVirus Scan Engine native protocol

57

Configuring the Symantec AntiVirus Scan Engine native protocol

In its default configuration, the Symantec AntiVirus Scan Engine implements a simple TCP/IP protocol to provide antivirus functionality to client applications.

How the scan engine works with the native protocol

The Symantec AntiVirus Scan Engine protocol is text-based like HTTP or SMTP and uses standard ASCII commands and responses to communicate between client and server. To submit a file for scanning, a client connects to the specified

IP port, sends the file to be scanned, and reads the results of the scan. After the scan results are received, the connection is terminated. A new connection is initiated for each file to be scanned.

Native protocol configuration options

If you select the native protocol, you must configure certain protocol-specific options. The configuration options for the native protocol are described in

Table

5-1 .

Table 5-1 Protocol-specific options for the native protocol

Option

Scan engine bind address

Port number

Description

By default, the Symantec AntiVirus Scan Engine binds to all interfaces. You can restrict access to a specific interface by entering the appropriate bind address. You can use 127.0.0.1 (the loopback interface) to let only clients that are running on the same computer connect to the Symantec AntiVirus Scan Engine.

The specified port number must be exclusive to the Symantec

AntiVirus Scan Engine. The default port number is 7777. If you change the port number, use a number that is greater than 1024 that is not in use by any other program or service. If you are installing more than one instance of the Symantec AntiVirus Scan

Engine on a single computer, each Scan Engine service must have a unique port number.

58 Configuring the Symantec AntiVirus Scan Engine

Configuring the Symantec AntiVirus Scan Engine native protocol

Table 5-1

Protocol-specific options for the native protocol

Option Description

Local scan directory You only need to provide a local scan directory when you are using local file scanning options (that is, the client application and the

Symantec AntiVirus Scan Engine are running on the same computer and files are scanned in place on the computer) and you want to limit the Symantec AntiVirus Scan Engine so that only files under a particular directory can be scanned. If a local scan directory is not specified (which is the default), any file can be scanned. The directory that you specify must already exist.

If you are running the Symantec AntiVirus Scan Engine on Windows 2000

Server/Server 2003 and you change the protocol setting to the native protocol, you might need to change the service startup properties to identify an account that has sufficient permissions on which the Symantec AntiVirus Scan Engine will run.

See “Editing the service startup properties” on page 75.

To configure the native protocol

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.

2 On the Protocol tab, click Native protocol.

The configuration settings display for the selected protocol.

3 In the Scan Engine bind address box, type a bind address, if necessary.

By default, the Symantec AntiVirus Scan Engine binds to all interfaces. You can restrict access to a specific interface by typing the appropriate bind

Configuring the Symantec AntiVirus Scan Engine

Configuring ICAP

59 address. Use 127.0.0.1 (the loopback interface) to let only clients that are running on the same computer connect to the Symantec AntiVirus Scan

Engine.

4 In the Port number box, type the TCP/IP port number to be used by client applications to pass files to the scan engine for scanning.

The default setting is port 7777.

5 In the Local scan directory box, type a local scan directory, if necessary.

Any file can be scanned by default (when no local scan directory is specified). If you specify a directory for local scanning and you have client antivirus software installed to protect the computer that is running the

Symantec AntiVirus Scan Engine, you must exclude the local scan directory from real-time scanning and from all scheduled and manually invoked scans by the client antivirus software before passing files to the Symantec

AntiVirus Scan Engine for scanning.

6 Click Confirm Changes to save the configuration.

7 Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

Configuring ICAP

The Symantec AntiVirus Scan Engine can be configured to use ICAP to communicate with clients that are running either ICAP version 0.95

(proprietary) or ICAP version 1.0, presented in RFC 3507 (April 2003). Any appropriate client can use ICAP to communicate with the Symantec AntiVirus

Scan Engine to request the scanning and repairing of files.

The Symantec AntiVirus Scan Engine software development kit (SDK) is also available for custom integration using version 1.0 of ICAP. The Symantec

AntiVirus Scan Engine client-side application program interface (API) C library streamlines the addition of virus scanning to any C or C++ application.

60 Configuring the Symantec AntiVirus Scan Engine

Configuring ICAP

How the scan engine works with ICAP

Multiple client applications that use different versions of ICAP (either version

0.95 or 1.0) can be configured to pass files to a single Symantec AntiVirus Scan

Engine. When ICAP is used as the communication protocol for the scan engine, the scan engine determines the appropriate version of ICAP to use, based on the header data that is passed in with each scan request from the client application.

The manner in which the Symantec AntiVirus Scan Engine determines whether to scan a file differs depending on which version of ICAP is used.

When ICAP 0.95 is the communication protocol, each time the Symantec

AntiVirus Scan Engine is contacted by an ICAP client to scan a file, a small amount of file data is transferred to the Symantec AntiVirus Scan Engine. This data contains the file name, the HTTP header, and the first few bytes of the file to be scanned. The scan engine examines this data to determine whether to scan the file. If the file type is one that the scan engine is configured to scan, the scan engine requests the remainder of the file from the client and scans it. If the scan engine is not configured to scan the file extension or does not recognize the file extension, the scan engine examines the first few bytes of the file’s contents to determine whether the file could contain a virus. Based on this examination, the scan engine might scan the file even if it is not configured to scan the file type.

ICAP 1.0 lets the Symantec AntiVirus Scan Engine initially provide information to the ICAP client on which file types are to be scanned, based on the scan engine configuration. Based on this information, the ICAP client forwards either the entire file to the scan engine for scanning (if the file extension is one that is identified for scanning) or the first few bytes of the file to the scan engine for preview (if the file extension is unknown or is not one that was identified for scanning). The scan engine examines the first few bytes of the file to determine whether the file could contain a virus. Based on this examination, the scan engine might request and scan a file even when it is not identified for scanning.

When the client application is using ICAP version 1.0 as the communication protocol, the Symantec AntiVirus Scan Engine now scans all POST transactions

(files that are being posted to the Internet) for viruses. The scanning and logging policies that are configured on the scan engine now apply to POST transactions as well.

When a virus is detected in a POST transaction, the posting client does not receive an error message indicating that a virus was found. The only manner in which a user can determine that a virus was found in a POST transaction is to examine the actual information that was posted to the destination Web site. For example, if the user attempted to post an email message with an attachment that was infected and could not be repaired, the email message would be posted, but the attachment would be replaced with a text file indicating that an infected file was deleted.

Configuring the Symantec AntiVirus Scan Engine

Configuring ICAP

61

ICAP configuration options

If you select ICAP as the protocol to be used by the Symantec AntiVirus Scan

Engine, you must configure certain ICAP-specific options. The configuration options for ICAP are described in

Table 5-2

.

You must also configure the ICAP client to work with the Symantec AntiVirus

Scan Engine.

Table 5-2 Protocol-specific options for ICAP

Option

Scan Engine bind address

Port number

HTML message displayed for infected files

Description

By default, the Symantec AntiVirus Scan Engine binds to all interfaces. You can restrict access to a specific interface by entering the appropriate bind address. You can use 127.0.0.1 (the loopback interface) to let only clients that are running on the same computer connect to the Symantec AntiVirus Scan Engine.

The port number must be exclusive to the Symantec AntiVirus

Scan Engine. The default port number is 1344. If you change the port number, use a number that is greater than 1024 that is not in use by any other program or service. If you are installing more than one instance of the Symantec AntiVirus Scan Engine on a single computer, each scan engine service must have a unique port number.

The Symantec AntiVirus Scan Engine includes a default HTML message to display to users when access to a file is denied because it contains a virus. You can customize this message by specifying an alternate path and file name or by editing the existing file. If you choose to edit the existing file, you do not have to change this setting.

Note: If you are using ICAP 1.0, depending on the ICAP client for which the scan engine is providing scan and repair services, you might need to adjust the ICAP response from the scan engine when a file is blocked because it is infected and cannot be repaired.

The default setting is to send a replacement file when an unrepairable file is blocked. However, some ICAP 1.0 applications are configured to receive an ICAP 403 response instead. You can adjust this setting by editing the configuration file.

See “Configuring ICAP via the configuration file” on page 181.

62 Configuring the Symantec AntiVirus Scan Engine

Configuring ICAP

Table 5-2

Option

ICAP scan policy

Data trickle

Protocol-specific options for ICAP

Description

When an infected file is found, the Symantec AntiVirus Scan

Engine can do any of the following:

Scan only: Deny access to the infected file, but do nothing to the infected file.

Scan and delete: Delete all infected files, including files that are embedded in archive files without attempting repair.

Scan and repair files: Attempt to repair infected files, but do nothing to files that cannot be repaired.

Scan and repair or delete: Attempt to repair infected files, and delete any unrepairable files from archive files.

Note: If you are using the data trickle feature, the ICAP scan policy can only be set to Scan only. When you enable data trickle, the

ICAP scan policy is automatically reset to Scan only.

When a user attempts to download an extremely large or complex file from the Internet, antivirus scanning can cause a delay during which the requesting browser (and thus the user) receives no feedback on the progress of the download. You can use the data trickle feature to provide users with a quicker download response and avoid potential session time-out errors. When data trickle is enabled, the requested file is sent (trickled) to the user in small amounts at regular intervals until the scan is complete.

See “Enabling data trickle” on page 64.

Configuring the Symantec AntiVirus Scan Engine

Configuring ICAP

63

To configure ICAP

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.

2 On the Protocol tab, click ICAP.

The configuration settings display for the selected protocol.

3 In the Scan Engine bind address box, type a bind address, if necessary.

By default, the Symantec AntiVirus Scan Engine binds to all interfaces. You can restrict access to a specific interface by typing the appropriate bind address. Use 127.0.0.1 (the loopback interface) to let only clients that are running on the same computer connect to the Symantec AntiVirus Scan

Engine.

4 In the Port number box, type the TCP/IP port number to be used by client applications to pass files to the Symantec AntiVirus Scan Engine for scanning.

The default setting for ICAP is port 1344.

5 In the HTML message displayed for infected files box, type the path and file name to supply an alternate HTML file, if necessary.

6 In the ICAP scan policy list, select how you want the Symantec AntiVirus

Scan Engine to handle infected files.

The default setting is Scan and repair or delete.

7 Click Confirm Changes to save the configuration.

64 Configuring the Symantec AntiVirus Scan Engine

Configuring ICAP

8

Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

Enabling data trickle

When a user attempts to download an extremely large or complex file from the

Internet, a period of time elapses while antivirus scanning takes place during which the browser (and thus the user) receives no feedback on the progress of the download. Without feedback, the user might try to click the browser Refresh button several times even though the download is working properly. In some instances, the browser can time out waiting for the scan to complete. The

Symantec AntiVirus Scan Engine data trickle feature provides users with a quicker download response and avoids potential session time-out errors. When data trickle is enabled, the requested file is sent (trickled) to the user in small amounts at regular intervals until the scan is complete.

The data trickle feature is only available when you are using ICAP as the communication protocol. Data trickling is available for versions 0.95 and 1.0 of

ICAP. The ICAP scan policy must be set to Scan only. (When you enable data trickle, the ICAP scan policy is automatically reset to Scan only.) In the Scan only configuration, infected files cannot be deleted or repaired.

Using data trickle can compromise virus integrity. Serious consideration should be given to a number of factors before you use the data trickle feature.

See “Warnings and limitations about data trickle” on page 66.

To enable data trickle

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.

2 On the Protocol tab, under ICAP Protocol Configuration, check Enable

Trickle.

The ICAP protocol configuration settings display only when ICAP is selected as the communication protocol. Data trickling is disabled by default.

Configuring the Symantec AntiVirus Scan Engine

Configuring ICAP

65

3

In the Trickle Timeout box, type the number of seconds that the scan process will run before data trickling begins.

Data trickling is not invoked if scanning is complete before the trickle timeout elapses. The default setting is 5 seconds. The maximum setting is 86,400 seconds (24 hours).

4

Click Confirm Changes to save the configuration.

5 Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

How data trickle works

When a user downloads a file, the Symantec AntiVirus Scan Engine stores a copy of the requested file in a buffer and begins the scanning process. While the copy is being scanned, a small portion of the original, unscanned file is sent to the user via the client application. The trickled data triggers the File Download or Save File As dialog box, which provides the user with a quicker download response. After the user enters a file location and clicks Save in the File

Download or Save File As dialog box, the file is trickled to the user in small amounts at regular intervals until the scan is complete which prevents the browser from timing out. The browser indicates how much of the file has been trickled so far.

If no virus is detected during the scan, data trickling stops, and the remainder of the file is sent to the user.

If a virus is detected, data trickling stops, and no additional data is sent to the user. The user receives no notification that the file might be incomplete or that it might contain a virus. However, Symantec AntiVirus Scan Engine logging regarding virus detection functions normally when data trickling is active. A log message about the virus detection is sent to all active logging destinations.

Note: Data trickling is not invoked during scanning of POST transaction data.

66 Configuring the Symantec AntiVirus Scan Engine

Configuring RPC

Warnings and limitations about data trickle

Enabling data trickle can compromise antivirus integrity. Symantec does not recommend using the data trickle feature for the following reasons:

The data that is trickled to the user might contain a virus.

Note: If you enable data trickle, you should install an antivirus program such as Symantec AntiVirus Corporate Edition that provides real-time virus scanning. If the trickled data is infected, the real-time virus scanning feature will detect the virus immediately.

For FTP downloads that use optimizers, when a broken connection is detected, the optimizer resumes the download from the point in which the disconnection occurred. This results in downloading the remainder of the file and possibly reconstructing an infected file.

ICAP requires that a return code message be included in the first line of the file header. When data trickling begins, ICAP return code 200 (OK) is embedded in the trickled data file. Because the file has not been scanned, this message might be inaccurate. The trickled data file might contain a virus.

When data trickling is enabled, the ICAP scan policy is set to Scan only. You cannot configure your scanning policy to repair or delete infected files when data trickle is enabled.

The user receives no notification that the trickled data file is incomplete or infected.

Configuring RPC

The Symantec AntiVirus Scan Engine can be configured to use RPC to interface with appropriate clients (for Windows 2000 Server/Server 2003). Any appropriate client application can use RPC to communicate with the Symantec

AntiVirus Scan Engine and request the scanning and repairing of files.

How the scan engine works with RPC

To use RPC, the Symantec AntiVirus Scan Engine must be installed on a computer that is running Windows 2000 Server/Server 2003 and must be located in the same domain as the RPC clients for which it will provide scanning and repair services. A single Symantec AntiVirus Scan Engine can support multiple RPC clients. For sites with larger scan volumes, multiple Symantec

AntiVirus Scan Engines also can be used to support one or more RPC clients.

Configuring the Symantec AntiVirus Scan Engine

Configuring RPC

67

A connection is maintained between each RPC client and the Symantec

AntiVirus Scan Engine. The Symantec AntiVirus Scan Engine monitors the connection with each RPC client by checking the connection at a configured time interval. If the scan engine determines that the connection is not active, it tries to reconnect. (The number of times that the scan engine tries to reestablish the connection can also be configured.) If the Symantec AntiVirus Scan Engine makes the maximum number of tries with no reply from any RPC client, the scan engine shuts down.

Logging to the RPC client logging subsystem

Certain Symantec AntiVirus Scan Engine events are logged to the RPC client’s logging subsystem. The following scan engine events are logged automatically:

Unrepairable infections

Container violations

Scans that are aborted because the antivirus scanning license is expired

User identification and notification when a virus is found

When a virus is found in a file that is requested from an RPC network-attachedstorage client, the Symantec AntiVirus Scan Engine automatically obtains (for logging purposes) identification information about the user who requested the infected file. The identification information includes the security identifier of the user and the IP address and host name of the requesting computer. This information is included in all related log messages that are sent to all active logging destinations for the scan engine. This feature provides administrators with as much information as possible when a virus is found.

Note: The Symantec AntiVirus Scan Engine can obtain only the information that is made available from the RPC client. In some cases, all or some of this information is not available. The information that is obtained is reported in the related log entries. Any identification information that is not obtained from the

RPC client is omitted from the log messages and from the user notification window.

You also can configure the Symantec AntiVirus Scan Engine to notify the requesting user that the retrieval of a file failed because a virus was found. The notification message only displays if the user is using a Windows computer. The notification messages includes the date and time of the event, the file name of the infected file, the virus name and ID, and the manner in which the infected file was handled (for example, the file was repaired or deleted).

68 Configuring the Symantec AntiVirus Scan Engine

Configuring RPC

To use the user notification feature, the Windows Messenger service must be running on the computer that is running the Symantec AntiVirus Scan Engine as well as the user’s computer.

See “Notifying requesting users that a virus was found” on page 72.

RPC configuration options

If you select RPC as the protocol to be used by the Symantec AntiVirus Scan

Engine, you must configure certain RPC-specific settings. The configuration options for RPC is described in

Table 5-3 .

You must also configure the RPC client to work with the Symantec AntiVirus

Scan Engine.

Table 5-3 Protocol-specific options for RPC

Option Description

RPC client IP addresses

A single Symantec AntiVirus Scan Engine can support one or more

RPC clients. Clients must be located in the same domain as the scan engine. You must provide the IP address of each RPC client.

Check RPC connection every __ seconds

The Symantec AntiVirus Scan Engine maintains a connection with the RPC client. The Symantec AntiVirus Scan Engine can be configured to check the RPC connection with the client periodically to ensure that the connection is active. The default value is 20 seconds.

Maximum number of reconnect attempts

The Symantec AntiVirus Scan Engine can be configured to make a specified number of attempts to reestablish a lost connection with the RPC client. If the maximum number of attempts is made to reestablish the connection with no reply from the client, the

Symantec AntiVirus Scan Engine shuts down. By default, the

Symantec AntiVirus Scan Engine is configured to try to reconnect with the RPC client indefinitely.

Note: Do not set a maximum number of reconnect attempts if the scan engine is providing scanning for multiple RPC clients. Use the default setting so that the Symantec AntiVirus Scan Engine tries indefinitely to reconnect to the RPC clients.

Configuring the Symantec AntiVirus Scan Engine

Configuring RPC

69

Table 5-3

Option

RPC scan policy

Quarantine unrepairable files

Protocol-specific options for RPC

Description

When an infected file is found, the Symantec AntiVirus Scan

Engine can do any of the following:

Scan only: Deny access to the infected file, but do nothing to the infected file.

Scan and repair files: Attempt to repair infected files and deny access to any unrepairable files.

Scan and repair or delete: Attempt to repair infected files, and delete any unrepairable files from archive files.

Note: If you plan to quarantine infected files that cannot be repaired, you must select Scan and repair or delete.

You can quarantine unrepairable infected files using the Symantec

Central Quarantine version 3.0. The Symantec Central Quarantine software is included on the Symantec AntiVirus Scan Engine distribution CD along with supporting documentation.

For more information, see the separate Symantec Central

Quarantine document (CentQuar.pdf) also included on the CD.

See “Quarantining unrepairable infected files” on page 74.

If you change the protocol setting to RPC through the administrative interface

(rather than uninstalling and reinstalling the scan engine), you might need to change the service startup properties to identify an account with sufficient permissions on which the Symantec AntiVirus Scan Engine will run. You might also need to change the service startup properties if you edit the list of RPC clients.

See “Editing the service startup properties” on page 75.

70 Configuring the Symantec AntiVirus Scan Engine

Configuring RPC

Configure RPC

To configure RPC, you must do the following:

Provide an IP address for each RPC client for which the Symantec AntiVirus

Scan Engine will provide scanning services. You can add or delete RPC clients from this list at any time.

Configure the additional RPC-specific options.

To edit the list of RPC clients

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.

2 On the Protocol tab, click RPC.

The configuration settings are displayed for the selected protocol.

3 To add an RPC client to the list of RPC clients, do the following:

In the IP address box, type an IP address for an RPC client for which the

Symantec AntiVirus Scan Engine will provide scanning services.

Click Add.

The list of RPC clients updates to reflect your changes.

4 To delete an RPC client from the list of RPC clients, do the following:

In the list of RPC clients, select the IP address of the RPC client to be deleted.

You can select more than one entry by pressing Enter and selecting the desired entries.

Click Delete.

5 Click Confirm Changes to save the configuration.

6

Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

Configuring the Symantec AntiVirus Scan Engine

Configuring RPC

71

To configure additional RPC-specific options

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.

2 On the Protocol tab, click RPC.

The configuration settings are displayed for the selected protocol.

3 In the Check RPC connection every box, type how frequently the Symantec

AntiVirus Scan Engine checks the RPC connection with the RPC client to ensure that the connection is active.

The default interval is 20 seconds.

72 Configuring the Symantec AntiVirus Scan Engine

Configuring RPC

4

In the Maximum number of reconnect attempts box, type the maximum number of attempts that the Symantec AntiVirus Scan Engine will make to reestablish a lost connection with the RPC client.

The default setting is 0, which causes the Symantec AntiVirus Scan Engine to try indefinitely to reestablish a connection. Use the default setting if the scan engine is providing scanning for multiple RPC clients.

5

In the RPC scan policy list, select how you want the Symantec AntiVirus

Scan Engine to handle infected files.

The default setting is Scan and repair or delete.

6

Click Confirm Changes to save the configuration.

7 Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

Notifying requesting users that a virus was found

You can configure the Symantec AntiVirus Scan Engine to notify the requesting user that the retrieval of a file from an RPC-network-attached storage client failed because a virus was found. The notification message includes the date and time of the event, the file name of the infected file, the virus name and ID, the manner in which the infected file was handled (for example, the file was repaired or deleted). The notification message also includes information about the Symantec AntiVirus Scan Engine that detected the infection, including the

IP address and the port number and the date and revision number of the virus definitions that were used to detect the virus.

The user notification feature is only available when the requesting user’s computer is a Windows computer and is in the same domain as the Symantec

AntiVirus Scan Engine. The Windows Messenger service must be running on the computer that is running the Symantec AntiVirus Scan Engine, as well as on the user’s computer. If the notification information cannot be delivered to the requesting user, a failure message is logged.

Configuring the Symantec AntiVirus Scan Engine

Configuring RPC

73

To notify requesting users that a virus was found

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.

2 On the Logging tab, under Log Windows Messenger, check Enable Windows

Messenger Logging.

User notification is disabled by default.

3 Click Confirm Changes to save the configuration.

4

Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

74 Configuring the Symantec AntiVirus Scan Engine

Configuring RPC

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

Quarantining unrepairable infected files

When you are using the RPC protocol, you can quarantine unrepairable infected files. The quarantining of infected files is handled using the separately installed

Symantec Central Quarantine.

The Symantec AntiVirus Scan Engine forwards infected items that cannot be repaired to the Symantec Central Quarantine. Typically, heuristically detected viruses that cannot be eliminated by the current set of virus definitions are forwarded to the Quarantine and isolated so that the viruses cannot spread.

From the Quarantine, the infected items can be submitted to Symantec Security

Response for analysis. If a new virus is identified, new virus definitions are posted.

Note: You must select Scan and repair or delete as the RPC scan policy to forward files to the Quarantine. Once a copy of an infected file is forwarded to the Central Quarantine, the original infected file is deleted. If submission to the

Central Quarantine is not successful, the original file is not deleted, and an error message is returned to the RPC client. In this case, access to the infected file is denied.

The Symantec Central Quarantine is installed separately. It must be installed on a computer that is running Windows 2000 Server/Server 2003 in accordance with the supporting documentation. The Symantec Central Quarantine software and supporting documentation is included on the Symantec AntiVirus Scan

Engine distribution CD.

For more information, see the separate Symantec Central Quarantine document

(CentQuar.pdf).

If you plan to quarantine infected files that cannot be repaired, you must configure the Symantec AntiVirus Scan Engine to quarantine infected files and provide information for contacting the Symantec Quarantine Server.

Configuring the Symantec AntiVirus Scan Engine

Configuring RPC

75

To quarantine unrepairable infected files

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.

2 On the Protocol tab, under RPC specific configuration, check Quarantine

unrepairable files.

3

In the Quarantine Server box, type the host name or the IP address for the computer on which the Symantec Quarantine Server is installed.

4 In the Quarantine Port box, type the TCP/IP port number to be used by the

Symantec AntiVirus Scan Engine to pass files to the Central Quarantine.

This setting must match the port number that is selected at installation for the Symantec Quarantine Server.

5 Click Confirm Changes to save the configuration.

6

Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

Editing the service startup properties

If the Symantec AntiVirus Scan Engine is installed on Windows 2000 Server/

Server 2003 and you change the protocol setting to RPC or the native protocol through the administrative interface, you might need to change the service startup properties to identify an account that has the appropriate permissions.

The selected account must provide the Symantec AntiVirus Scan Engine with access to and appropriate permissions on the RPC clients (for RPC) or to any shared drives or UNC paths for which scanning services are to be provided (for the native protocol).

76 Configuring the Symantec AntiVirus Scan Engine

Configuring RPC

For RPC, this account must have Backup Operator privileges on the RPC clients.

For the native protocol, this account should have access to any shared drives or

UNC paths for which scanning is to be provided and should have Change permission if infected files that cannot be repaired are to be deleted.

Note: If you select RPC at installation, you are prompted for the account name and password for this account as part of the installation process, and you do not need to edit the service startup properties manually. This step is only necessary if you change protocols after installation through the administrative interface

(rather than uninstalling and reinstalling).

To edit the service startup properties for Windows 2000 Server/Server 2003

1 In the Windows 2000/2003 Control Panel, click Administrative Tools.

2 Click Services.

3 In the list of services, right-click Symantec AntiVirus Scan Engine, then click Properties.

4

In the Properties dialog box, on the Log On tab, click This Account.

5 Type the account name and password for the account on which the

Symantec AntiVirus Scan Engine will run.

Use the following format for the account name: domain\username.

6 Click OK.

7

Stop and restart the Symantec AntiVirus Scan Engine service.

Configuring the Symantec AntiVirus Scan Engine

Allocating resources

77

Allocating resources

You can allocate resources for the operation of the Symantec AntiVirus Scan

Engine. You can specify the settings that are listed in

Table 5-4

.

Table 5-4 Resource settings

Option Description

Temporary directory for virus scanning

The Symantec AntiVirus Scan Engine stores files in a temporary directory for virus scanning. To support sites with large, specialized disk configuration, the location of this temporary directory can be specified. The disk space that is required for this directory varies depending on the volume of files to be scanned.

Scan engine performance depends on this directory being able to accommodate potentially large numbers of large files during periods of peak use.

For Linux and Solaris, the default temporary directory is /tmp/ savetmp.

For Windows 2000 Server/Server 2003, the default temporary directory is determined at installation. The temporary directory for the Symantec AntiVirus Scan Engine defaults to the temporary directory that is set for one of the following environment variables

(listed in the order in which they are checked):

System tmp

System temp

User tmp (the user that is performing the installation)

User temp (the user that is performing the installation)

If none of these variables has a value assigned, the temporary directory is the installation directory.

78 Configuring the Symantec AntiVirus Scan Engine

Allocating resources

Table 5-4

Option

Maximum number of threads allowed for scanning

Threshold number of queued requests

Log or send alerts for maximum load every __ minutes

Resource settings

Description

You can specify the maximum number of threads that are allowed for concurrent scanning.

The pool of scanning threads that are available to the Symantec

AntiVirus Scan Engine for antivirus scanning dynamically adjusts to the load that is being processed. You can change a number of additional related parameters in the configuration file. Usage may be the only method for determining the optimal settings for these parameters. Scan engine performance is dependent on scan volume, the number of client applications making requests, available memory and disk space, and the number of scanning threads.

See “Controlling the dynamic thread pool” on page 185.

When the number of scan requests exceeds the maximum number of scanning threads that are allowed, scan requests are queued until a thread becomes available. The threshold number of queued requests is configurable for the Symantec AntiVirus Scan Engine.

Note: If you are using the RPC protocol and are supporting multiple RPC clients, the Symantec AntiVirus Scan Engine creates a separate pool of threads for each RPC client. (The RPC clients do not share a common pool of threads.) Thus, the number of available threads for scanning that you select for this setting is applied to each RPC client individually.

When the number of queued requests to the Symantec AntiVirus

Scan Engine exceeds the specified threshold, the scan engine is at maximum load. The Symantec AntiVirus Scan Engine can be configured to log periods of time when it is at maximum load and to generate Load Exceeded log entries at a prescribed interval.

The Symantec AntiVirus Scan Engine continues to queue all incoming requests after the threshold is exceeded.

The alert interval is the number of minutes between log entries generated to indicate that maximum load has been exceeded.

Maximum load is exceeded when the number of requests to the

Symantec AntiVirus Scan Engine exceeds the specified threshold number of queued requests. If you change the alert interval, the

Symantec AntiVirus Scan Engine might remain at maximum load for a period of time. Select an interval that will be informative but will not result in an excessive number of log entries.

Note: For logging to occur when the scan engine is at maximum load, the logging level for the desired logging destination must be

set to Warning or higher. See “Logging levels” on page 109.

Configuring the Symantec AntiVirus Scan Engine

Allocating resources

79

Table 5-4

Option

Virus definition product name

In-memory file processing limits

Resource settings

Description

Solaris and Linux permit multiple instances of the Symantec

AntiVirus Scan Engine on the same computer. If you are running more than one scan engine on a single computer, the product name must be unique for each Scan Engine service so that both scan engines receive updated virus definitions via LiveUpdate.

This option only appears if you are running the scan engine on

Solaris or Linux.

The Symantec AntiVirus Scan Engine can decompose and scan the contents of container files in memory, which eliminates the latency imposed by on-disk scanning. This feature can improve performance in environments in which large volumes of container and archive file formats are routinely submitted for scanning. You can limit the resources consumed for in-memory file processing by specifying the following:

The maximum amount of RAM (in megabytes) used for the in-memory file system

The maximum file size (in megabytes) that can be stored in the in-memory file system

To allocate resources for the Symantec AntiVirus Scan Engine

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.

2

On the Resources tab, under System settings, type the temporary directory to be used for virus scanning.

If you have client antivirus software installed to protect the computer that is running the Symantec AntiVirus Scan Engine, you must exclude the temporary directory from real-time scanning and from all scheduled and

80 Configuring the Symantec AntiVirus Scan Engine

Allocating resources manually invoked scans by the client antivirus software before passing files to the Symantec AntiVirus Scan Engine for scanning.

3 In the Maximum number of threads allowed for scanning box, type the maximum number of scanning threads that are permitted for concurrent scanning.

The default setting and the maximum recommended value is 128.

4 In the Threshold number of queued requests box, type the threshold number of queued requests above which the Symantec AntiVirus Scan

Engine is considered to be at maximum load.

The default setting is 100.

5 If you have chosen to generate log messages when maximum load is exceeded, in the Log or send alerts for maximum load every box, type the desired alert interval in minutes.

The default setting is five minutes.

6 If you are running more than one instance of the Symantec AntiVirus Scan

Engine on Solaris or Linux, under Advanced settings, type an alternate virus definition product name in the box provided.

The default is SCANENGINE_43. If you are running the Symantec AntiVirus

Scan Engine on Windows 2000 Server/Server 2003, this setting does not appear on the administrative interface.

7 Under Server resources, in the Maximum RAM used for in-memory file system box, type the maximum amount of RAM that can be used for the inmemory file system.

The default setting is 16 MB.

Configuring the Symantec AntiVirus Scan Engine

Allocating resources

81

8

In the Maximum file size stored in in-memory file system box, type the maximum file size that can be stored in the in-memory file system.

The default setting is 3 MB. Files that exceed the specified size are written to disk.

9

Click Confirm Changes to save the configuration.

10 Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

82 Configuring the Symantec AntiVirus Scan Engine

Allocating resources

Chapter

6

Setting scanning and blocking policies

This chapter includes the following topics:

About scanning and blocking policies

Specifying processing limits

Configuring antivirus settings

Establishing a mail filter policy

About scanning and blocking policies

You can establish scanning and blocking policies for the Symantec AntiVirus

Scan Engine. Some scanning and blocking policy features differ depending on the protocol that you are using.

Depending on a number of factors, such as scan volume, the number of client applications making requests, available memory and disk space, and the selected number of scanning threads, you may need to impose restrictions on resources to maximize performance and security. Settings that provide maximum security also consume more resources. You can configure settings to restrict the amount of resources that handle certain types of files, adjust the sensitivity of heuristic virus detection, and specify the file types to be scanned.

You can establish a blocking policy to further limit the handling and scanning of certain files. Files that meet the established criteria are blocked immediately, which limits the resources that are expended by the Symantec AntiVirus Scan

Engine. For example, you can specify a maximum file name length, so that files that exceed the established limit are automatically rejected. If the Symantec

AntiVirus Scan Engine is providing scanning services for email client applications, you can establish a mail policy to filter email and email

84 Setting scanning and blocking policies

Specifying processing limits attachments based on a number of attributes. (The mail policy settings are applied to all MIME-encoded messages and do not affect nonMIME-encoded file types.)

Note: You can use some scanning and blocking policy settings during a virus outbreak to further protect your network. Once you have information on the characteristics of a new virus, you can use this information to block the infected attachment or email immediately, before virus definitions for the new virus have been posted. Or you can scan all file types rather than limiting the file types that are scanned for viruses for maximum coverage.

Specifying processing limits

You can impose restrictions on the amount of resources that can be used to handle individual files. These processing limits can be used to help you manage your resources and to protect your network against denial of service attacks.

You can specify processing limits that apply to the following:

Large container files: The Symantec AntiVirus Scan Engine uses a decomposer to extract all of the embedded files from a container file, scan all of the files, and reassemble the container file once scanning is complete.

For particularly large container files, this process can tie up a significant amount of resources. You can set limits to control the resources expended on large container files.

See “Specifying limits for container files” on page 85.

All files: Other types of limits can be applied to all files, such as the maximum number of bytes to be read in determining whether a file is

MIME-encoded.

See “Specifying processing limits that apply to all files” on page 87.

Setting scanning and blocking policies

Specifying processing limits

85

Specifying limits for container files

Certain container files (specifically container files that are large, that contain large numbers of embedded compressed files, or that have been designed to maliciously use resources and degrade performance) can cause a denial of service attack. To protect against these types of files, limits can be imposed on the Symantec AntiVirus Scan Engine decomposer for handling container files.

You can specify the following:

The maximum amount of time, in seconds, that is spent decomposing a container file and its contents

The maximum file size, in bytes, for individual files in a container file

The maximum number of nested levels to be decomposed for scanning

You can use some or all of these limits to control how the Symantec AntiVirus

Scan Engine handles container files. When any of these maximum values is met or exceeded for a given file, the Symantec AntiVirus Scan Engine stops processing the file and generates a log entry. You can specify whether to allow or deny access to files for which an established limit has been met or exceeded and for which processing has stopped. Access is denied by default.

Warning: If you plan to allow access to files for which a container violation has occurred, keep in mind that when a limit is met or exceeded, the Symantec

AntiVirus Scan Engine stops processing the file, and antivirus scanning is not completed. Allowing access to a file that has not been fully scanned can potentially expose your network to viruses and other malicious content.

If you allow access to files for which a container limit violation has occurred and the scan engine finds a virus before processing stops, the scan engine will not repair the file, even if under normal circumstances the infection could be repaired. In this case, the file is handled as though the infection is unrepairable.

In addition to establishing resource limits for container files, you can block access to all or certain types of malformed container files. Computer viruses and malicious programs sometimes create intentionally malformed files. These distortions are recognized by the scan engine. If the scan engine can identify the container type, in many cases the scan engine can repair the container file. In other cases, the container type cannot be determined and the distortion can be used as criteria to reject potentially infected files. You can choose to allow access to all malformed containers, block only those for which the container type cannot be identified, or block access to all malformed containers. The scan engine is configured by default to block only those containers for which the container type cannot be identified.

86 Setting scanning and blocking policies

Specifying processing limits

To specify limits for container files

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.

2 On the Limits tab, under Container file processing limits, in the Time to extract file meets or exceeds box, type the maximum time that the scan engine can spend extracting a single container file.

The default setting is 180 seconds (3 minutes). To disable this setting (so that no limit is imposed), type 0.

Note: This setting does not apply to .hqx and .amg files.

3 In the Maximum extract size of the file meets or exceeds box, type the maximum file size, in bytes, for individual files in a container file.

The default setting is 100 MB. To disable this setting (so that no limit is imposed), type 0.

Setting scanning and blocking policies

Specifying processing limits

87

4

In the Number of nested levels of files within container file meets or exceeds box, type the maximum number of nested levels of files that are decomposed within a container file.

The default setting is 10 levels. The maximum value for this setting is 50.

5

Select whether to allow or deny access to container files for which one or more limits are exceeded.

Access is denied by default.

6

Under Malformed container file processing, select one of the following to specify how the scan engine handles malformed container files:

Allow access to all malformed containers

Deny access if container type cannot be identified

This is the default setting.

Deny access to all malformed containers

7 Click Confirm Changes to save the configuration.

8

Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

Specifying processing limits that apply to all files

You can specify the following processing limits to apply to all files (rather than just to container files):

The maximum file name length, in bytes, for a given file (available for the native protocol only)

The maximum number of bytes that are read when determining whether a file is MIME-encoded

88 Setting scanning and blocking policies

Configuring antivirus settings

To specify limits for all files

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.

2 On the Limits tab, under File name length limits, in the File name length exceeds box, type the maximum file name length, in bytes, for a file name.

The default setting is 1024 bytes. To disable this setting (so that no limit is imposed), type 0. This feature is available for the native protocol only.

3 Under NonMIME threshold, in the No determination after reading box, type the maximum number of bytes that are read by the scan engine to determine whether a file is MIME-encoded.

The default setting is 200000 bytes. If the Symantec AntiVirus Scan Engine reads the maximum number of bytes with no determination, the file is considered to be nonMIME-encoded.

4 Click Confirm Changes to save the configuration.

5

Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

Configuring antivirus settings

You can configure certain aspects of antivirus scanning, including the file types to be scanned. You can change the following settings:

Bloodhound sensitivity level: To supplement the detection of virus infections by virus signature, the Symantec AntiVirus Scan Engine includes the Symantec patented Bloodhound technology, which heuristically detects new or unknown viruses based on characteristics generally exhibited by viruses. The sensitivity of the Bloodhound technology can be adjusted.

See “Changing the Bloodhound sensitivity level” on page 89.

File types to scan: Viruses are found only in file types that contain executable code. Bandwidth and time can be saved by limiting the files to be scanned to only those file types that can contain viruses. You can control which file types are scanned by specifying the file extensions that you want

Setting scanning and blocking policies

Configuring antivirus settings

89 to scan (using an inclusion list) or by specifying those extensions that you do not want to scan (using an exclusion list), or you can scan all file types regardless of extension.

See “Specifying file types to scan” on page 90.

Changing the Bloodhound sensitivity level

The Symantec AntiVirus Scan Engine includes the Symantec patented

Bloodhound technology, which heuristically detects new or unknown viruses.

The sensitivity of the Bloodhound technology can be adjusted.

Note: Increasing the Bloodhound sensitivity level may lead to occasional false positives.

For more information about Symantec AntiVirus Scan Engine virus detection capabilities, see

“How viruses are detected” on page 25.

To change the Bloodhound sensitivity level

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.

2 On the AntiVirus tab, under Heuristic scanning, select the Bloodhound sensitivity level.

The default Bloodhound sensitivity setting is Medium. You can select from low to high sensitivity, or you can turn off heuristic detection.

3 Click Confirm Changes to save the configuration.

4

Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

90 Setting scanning and blocking policies

Configuring antivirus settings

Specifying file types to scan

You can control which file types are scanned by specifying extensions that you do not want to scan (using an exclusion list) or by specifying extensions that you want to scan (using an inclusion list), or you can scan all file types regardless of extension. Inclusion and exclusion lists by definition do not scan all file types; thus, new types of viruses might not always be detected. Scanning all files regardless of extension is the most secure setting but imposes the heaviest demand on resources.

Note: During virus outbreaks, you might want to scan all files even if you normally control the file types that are scanned with the inclusion or exclusion list.

The Symantec AntiVirus Scan Engine is configured by default to scan all files except those with extensions that are listed in a prepopulated exclusion list. The default exclusion list contains those file types that are unlikely to contain viruses, but you can edit this list.

Using an inclusion list to control which types of files are scanned is the least secure setting. Only those files types that are specifically listed in an inclusion list are scanned; thus, with an inclusion list, there is an almost limitless number of possible file extensions that are not scanned. For this reason, the inclusion list is not prepopulated, but you can choose to populate this list if you want to limit the file types that are scanned using an inclusion list.

If you use either the inclusion or the exclusion list to control the file types that are scanned (rather than scanning all files), the manner in which the list is applied differs depending on which of the following protocols are in use by the

Symantec AntiVirus Scan Engine:

Native protocol, RPC, and ICAP version 1.0: The inclusion or exclusion list is used by the Symantec AntiVirus Scan Engine only to determine which files to scan of those that are embedded in archival file formats (for example, .zip or .lzh files). All top-level files that are sent to the Symantec AntiVirus Scan

Engine are scanned regardless of file extension.

Note: If you are using the native protocol, RPC, or ICAP version 1.0 and want to control the file types that are scanned at the top level, you must provide logic or take advantage of existing mechanisms on the client side to send only certain file types to the Symantec AntiVirus Scan Engine for scanning.

The logic on the client side controls the types of files that are scanned at the top level, and the extension list setting controls which embedded files are scanned.

Setting scanning and blocking policies

Configuring antivirus settings

91

ICAP version 0.95: The inclusion or exclusion list applies to all files that are sent to the Symantec AntiVirus Scan Engine for scanning. The extension list is consulted for both top-level files and embedded files that are contained in archival file formats (for example, .zip or .lzh files).

Specify which file types to scan

You can scan all files regardless of extension, or you can control which file types are scanned by specifying extensions that you do not want to scan or that you want to scan. The Symantec AntiVirus Scan Engine is configured by default to scan all files except those with extensions that are listed in the prepopulated exclusion list.

To scan all files regardless of extension

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.

2

On the AntiVirus tab, under File types to be scanned, click Scan all files

regardless of extension.

3 Click Confirm Changes to save the configuration.

4 Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

92 Setting scanning and blocking policies

Configuring antivirus settings

To scan all files except for those with extensions that are in the exclusion list

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.

2 On the AntiVirus tab, under File types to be scanned, click Scan all files

except those with the following extensions.

3 Edit the exclusion list to add extensions that you do not want to scan or delete extensions that you want to scan.

Use a period with each extension in the list. Separate each extension with a semicolon (for example, .com;.doc;.bat). To exclude files with no extension, use two adjacent semicolons (for example, .com;.exe;;).

4 To restore the default extension list, click Restore default lists.

5 Click Confirm Changes to save the configuration.

Setting scanning and blocking policies

Configuring antivirus settings

93

6

Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

To scan only files with extensions that are in the inclusion list

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.

2

On the AntiVirus tab, under File types to be scanned, click Scan files with

the following extensions.

3 Edit the inclusion list to add extensions that you want to scan or delete extensions that you do not want to scan.

The inclusion list is blank by default. Use a period with each extension in the list. Separate each extension with a semicolon (for example,

.com;.doc;.bat). To scan files that have no extensions, use two adjacent semicolons (for example, .com;.exe;;).

4 Click Confirm Changes to save the configuration.

5 Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

94 Setting scanning and blocking policies

Establishing a mail filter policy

Establishing a mail filter policy

If the Symantec AntiVirus Scan Engine is providing scanning services for email client applications, you can establish a mail policy to filter mail and mail attachments based on a number of attributes. These mail policy settings are applied to all MIME-encoded messages.

Mail policy settings do not affect nonMIME-encoded file types that might be passed to the Symantec AntiVirus Scan Engine for scanning. When a mail filter policy is in effect, the mail filter settings, including the updating of mail messages to indicate that a virus has been found, are applied only to MIMEencoded messages.

Note: The mail filter policy settings are not available if you are using RPC. If you are using ICAP, the mail filter policy settings do not apply if you have selected

Scan only as the scan policy. If you are using the native protocol, the mail policy settings do not apply when AVSCAN is the scan policy.

See “Mail filter policy settings” on page 94.

You can add text to the body of MIME-encoded messages to warn recipients that a virus was found in an attachment or that an attachment was deleted because it violated the mail filter policy. The default text indicates that an attachment was infected and repaired, or deleted because it could not be repaired, or that an attachment was deleted due to a mail policy violation. Variables can be used to include the file names of the affected attachments. You can customize the text that is added by editing the Symantec AntiVirus Scan Engine message string file, symcsmsg.dat.

See “Inserting text into MIME-encoded messages” on page 104.

Mail filter policy settings

You can use the mail policy settings to impose general restrictions on email. You can also use some mail filters during a virus outbreak to further protect your network. For example, once you have information on the characteristics of a new virus, you can use this information to block the infected attachment or email. You can use the file name or file size option if you know the exact name or size of an infected attachment. This lets you protect your network immediately, before virus definitions for the new virus have been posted.

Setting scanning and blocking policies

Establishing a mail filter policy

95

You can filter mail based on the settings in

Table 6-1 .

Table 6-1

Mail filter settings

Filtering option Description

Total message size

Subject line

Message origin

Attachment file name

Specify a maximum size for messages so that messages that exceed the maximum mail size are rejected.

See “Filtering mail by total message size” on page 97.

Specify one or more subject lines that are known to be threats so that messages with these subject lines are rejected.

See “Filtering mail by subject line” on page 97.

Specify one or more domains or complete email addresses that are known to be threats so that messages from these domains are rejected.

See “Filtering mail by message origin” on page 99.

Specify one or more file names that are known to be threats, and select whether messages that contain attachments with these file names should be rejected, or delivered with the attachment deleted.

See “Filtering mail by attachment file name” on page 100.

Attachment file size Specify file sizes of attachments, and select whether messages that contain attachments of the specified size should be rejected, or delivered with the attachment removed.

See “Filtering mail by attachment file size” on page 102.

Partial messages Reject messages that have been broken down into a number of smaller, partial messages for transmission.

See “Blocking MIME partial message content” on page 103.

96 Setting scanning and blocking policies

Establishing a mail filter policy

Setting scanning and blocking policies

Establishing a mail filter policy

97

Filtering mail by total message size

You can specify a maximum size for mail messages. The maximum size includes the entire message including any attachments. Messages that exceed the maximum mail size are rejected.

A value of 0 (the default value) disables message blocking.

To filter mail by total message size

1

On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.

2 On the Mail tab, under Blocking by total message size, type a maximum size

(in bytes) that the scan engine will accept.

Type 0 (the default value) to disable message blocking (no maximum size).

Messages that are larger than the specified size are rejected.

3 When you have finished establishing the mail policy, click Confirm Changes to save the configuration.

4

Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

Filtering mail by subject line

To filter mail by subject, you specify one or more subject lines (or strings to be found within subject lines) that are known to be threats. Messages with these subject lines are rejected.

Subject strings that you specify are matched against the subject line of each email. Wildcard characters can be used when you are not sure of the exact subject line. Any white space (tabs or spaces) at the beginning of the subject line is ignored. Any white space that you enter at the beginning of your search string

(the text that you enter for the subject line filter) is also ignored.

98 Setting scanning and blocking policies

Establishing a mail filter policy

You can filter mail by subject line during a virus outbreak to further protect your network. In the case of a new email-borne virus, if you know the subject line or part of the subject line of the infected message, you can use this information to block infected email. You can protect your network immediately, before virus definitions for the new virus have been posted.

Note: Entries that you make for this setting through the administrative interface are encoded and saved automatically as Unicode/UTF-8.

To filter mail by subject line

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.

2 On the Mail tab, under Blocking by subject line, type a text string to block.

Type as many subject lines to block as needed, one per line. Search strings are not case sensitive. Use the following wildcard characters as needed:

A question mark (?) to represent a single character.

An asterisk (*) to represent zero or more characters.

A backslash (\) as an escape character. For example, precede ? or * with

\ to match a literal ? or * in a file name. To match a literal \, use \\.

3 To remove a subject from the list, select it and press Delete.

4

To filter mail messages that have blank subject lines, check Block messages

with empty subject lines.

5 When you have finished establishing the mail policy, click Confirm Changes to save the configuration.

6 Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

Setting scanning and blocking policies

Establishing a mail filter policy

99

Filtering mail by message origin

To filter mail by message origin, you specify one or more domain names that are known to be threats. The domain name search string that you enter is matched against addresses in the From header of the email message. If the search string matches an address, the message is rejected.

You can use this filter to block mail from specific email addresses, as well as from a specific domain. The following wildcard characters can be used to control exactly what you want to block:

Using *@somedomain.com blocks [email protected] but does not block [email protected].

Using *@*somedomain.com or *somedomain.com blocks [email protected] and [email protected].

Using [email protected] (to block a specific email address) blocks only email from [email protected] and does not block [email protected] or [email protected].

To filter mail by message origin

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.

2 On the Mail tab, under Blocking by message origin, type a domain or email address to block.

Type as many domains or addresses to block as needed, one per line. Search strings are not case sensitive. Use the following wildcard characters as needed:

A question mark (?) to represent a single character.

An asterisk (*) to represent zero or more characters.

A backslash (\) as an escape character. For example, precede ? or * with

\ to match a literal ? or * in a file name. To match a literal \, use \\.

3 To remove a domain name from the list, select it and press Delete.

4

When you have finished establishing the mail policy, click Confirm Changes to save the configuration.

100 Setting scanning and blocking policies

Establishing a mail filter policy

5

Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

Filtering mail by attachment file name

When you filter mail by attachment file name, you specify one or more file names that are known to be threats and specify how the Symantec AntiVirus

Scan Engine will handle messages that contain attachments with any of the file names listed. The scan engine can reject the entire message or deliver the message with the attachment removed. Any attachments that do not match the listed file names are not removed and are delivered with the message.

For each full file name that you want to filter, you type a separate text string. If the text string that you type matches the file name of any attachment, the message is handled accordingly.

Wildcard characters can be used when you are not sure of an exact file name or want to block all attached files with a specific extension. For example, to block all attachments with the word virus in the file name, type *virus* as the search string. To block all attachments with the .exe extension, type *.exe.

Note: You can filter mail by attachment file name during a virus outbreak to further protect your network. In the case of a new email-borne virus, if you know the file name of the infected attachment, you can use this information to block the infected email. You can protect your network immediately, before virus definitions for the new virus have been posted.

Setting scanning and blocking policies

Establishing a mail filter policy

101

To filter mail by attachment file name

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.

2 On the Mail tab, under Blocking by attachment file name, type an attachment file name to block.

Type as many file names to block as needed, one per line. Search strings are not case sensitive. Use the following wildcard characters as needed:

A question mark (?) to represent a single character.

An asterisk (*) to represent zero or more characters.

A backslash (\) as an escape character. For example, precede ? or * with

\ to match a literal ? or * in a file name. To match a literal \, use \\.

3

Select one of the following to specify how the scan engine will handle messages that contain an attachment with a specified file name:

Delete the attachment: The scan engine removes any attachments with a specified file name and delivers the remainder of the message, including attachments with file names that do not match a specified file name. The mail message is not updated to indicate that an attachment has been deleted due to a mail policy violation unless you activate the mail message update feature.

See “Inserting text into MIME-encoded messages” on page 104.

Reject the message: The scan engine rejects any message that contains an attachment with a specified file name.

4

To remove a file name from the list, select it and press Delete.

5 When you have finished establishing the mail policy, click Confirm Changes to save the configuration.

6 Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

102 Setting scanning and blocking policies

Establishing a mail filter policy

Filtering mail by attachment file size

When you filter mail by attachment file size, you specify one or more file sizes that are known to be threats and specify how the Symantec AntiVirus Scan

Engine will handle messages that contain attachments of any of the listed file sizes. The scan engine can be configured to reject the entire message or deliver the message with the attachment removed. Any attachments that do not match a specified size are not removed and are delivered with the message.

Note: You can filter mail by attachment file size during a virus outbreak to further protect your network. In the case of a new email-borne virus, if you know the exact size of the infected attachment, you can use this information to block potentially infected email messages. You can protect your network immediately, before virus definitions for the new virus have been posted.

To filter mail by attachment file size

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.

2 On the Mail tab, under Blocking by attachment file size, type an attachment file size (in bytes) to block.

Type as many file sizes to block as needed, one per line.

3 Select one of the following to specify how the scan engine will handle messages that contain attachments of a size that you have specified:

Delete the attachment: The scan engine deletes any attachments of a specified size and delivers the remainder of the message, including attachments that do not match a specified size. The mail message is not updated to indicate that an attachment has been deleted due to a mail policy violation unless you activate the mail message update feature.

See “Inserting text into MIME-encoded messages” on page 104.

Reject the message: The scan engine rejects any message that contains an attachment of a specified size.

4 To remove a file size from the list, select it and press Delete.

5 When you have finished establishing the mail policy, click Confirm Changes to save the configuration.

Setting scanning and blocking policies

Establishing a mail filter policy

103

6

Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

Blocking MIME partial message content

The Symantec AntiVirus Scan Engine must have a MIME-encoded message in its entirety to effectively scan it for viruses. Some email software applications break large messages down into a number of smaller, more manageable, partial messages for transmission. These messages are typically transmitted separately and reassembled before delivery to the recipient. In these cases, because it has been broken down into a number of partial messages, the entire message

(including all attachments) is not available to the scan engine for scanning. The

Symantec AntiVirus Scan Engine is configured by default to reject partial messages because they cannot be effectively scanned for viruses.

To block MIME partial message content

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.

2 On the Mail tab, under Blocking MIME partial message content, check Block

MIME partial message content.

The scan engine is configured by default to block partial messages.

3 When you have finished establishing the mail policy, click Confirm Changes to save the configuration.

104 Setting scanning and blocking policies

Establishing a mail filter policy

4

Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

Inserting text into MIME-encoded messages

The Symantec AntiVirus Scan Engine can be configured to add text to the body of a MIME-encoded message to warn the recipient of the message that an attachment was infected. The mail message body also is updated when an attachment is deleted because of a mail policy violation.

The default text indicates that an attachment contained a virus and was repaired, or that it was deleted because it contained a virus that could not be repaired or that violated the mail policy. The text can be customized. The default message text is:

ALERT!!! This email contained one or more infected files. The following attachments were infected and have been repaired: <listofinfectedfiles>. The following infected attachments were deleted: <listofdeletedfiles>. The following attachments were blocked because of mail policy violations: <listofblockedfiles>. You may wish to contact the sender to inform them about their infections. Thank you, Your ISP

------------ Original message text follows ------------

Note: Even when the mail message update feature is not activated, the Symantec

AntiVirus Scan Engine attaches a text file to mail messages in place of each attachment that is deleted because it cannot be repaired. The text file that is inserted is called DELETEDN.TXT, where N is a sequence number. For example, if two attachments are deleted, the replacement files are called DELETED0.TXT and DELETED1.TXT. The name of the file and the text that is contained in the file can be customized by editing the message string file, symcmsgs.dat.

Setting scanning and blocking policies

Establishing a mail filter policy

105

To insert text into MIME-encoded messages

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Blocking Policy.

2 On the Mail tab, under Updating mail message body, check Add text to body

of infected MIME-encoded messages to warn recipient of infections.

The default text will be used when this feature is activated unless you customize the text.

3 When you have finished establishing the mail policy, click Confirm Changes to save the configuration.

4

Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

106 Setting scanning and blocking policies

Establishing a mail filter policy

Chapter

7

Configuring and using logging

This chapter includes the following topics:

About Symantec AntiVirus Scan Engine logging

Configuring local logging

Logging events to the Windows Application Event Log

Activating SNMP and SMTP logging

Managing the local logs

Obtaining summary data from the local logs

Generating scanning statistics from the billing logs

About Symantec AntiVirus Scan Engine logging

The Symantec AntiVirus Scan Engine provides a number of logging destinations. Logging to each available logging destination (for example, SNMP,

SMTP, or the Windows Application Event Log) can be activated individually by selecting a desired logging level for that destination. Selecting the logging level lets you choose the types of events for which log messages are generated. You can select a different logging level for each logging destination.

108 Configuring and using logging

About Symantec AntiVirus Scan Engine logging

Logging destinations

The Symantec AntiVirus Scan Engine lets you log to the following logging destinations:

Local logs: If you are running the Symantec AntiVirus Scan Engine on

Solaris or Linux, the default logging destination is to the local logs. The default location for the local logs for Solaris and Linux is /var/log/. The default location for the local logs for Windows 2000 Server/Server 2003 is

C:\Program Files\Symantec\Scan Engine\.

See “Configuring local logging” on page 112.

Windows Application Event Log: If you are running the Symantec AntiVirus

Scan Engine on Windows 2000 Server/Server 2003, the default logging destination is the Application Event Log.

See “Logging events to the Windows Application Event Log” on page 116.

SNMP and SMTP destinations: In addition to the local logging that is maintained by the Symantec AntiVirus Scan Engine, you can select SNMP

(Simple Network Management Protocol) or SMTP (Simple Mail Transfer

Protocol) as a separate logging destination. You can activate SNMP and

SMTP logging individually by providing the appropriate destination information.

See “Activating SNMP and SMTP logging” on page 117.

Billing logs: Billing logs contain scan volume data for the total number of files that are scanned and the average speed of processing. Scanning statistics for the billing logs are maintained automatically by the Symantec

AntiVirus Scan Engine. Billing information is logged to a billing log file, symcsbps.dat.

See “Generating scanning statistics from the billing logs” on page 127.

SESA: If you are running the Symantec Enterprise Security Architecture

(SESA), you can choose to log events regarding Symantec AntiVirus Scan

Engine antivirus activity to SESA. SESA includes an event management system that employs data collection services for events that are generated on computers that are managed by Symantec security products. SESA lets administrators view and manage the security data within a central location, the SESA Console.

See “Integrating the Symantec AntiVirus Scan Engine with SESA” on page 153.

RPC client logging subsystem (RPC only): If you are using RPC as the communication protocol, the Symantec AntiVirus Scan Engine logs certain events to the RPC client logging subsystem. Logging to the RPC client is in addition to the other available logging destinations.

See “Logging to the RPC client logging subsystem” on page 67.

Configuring and using logging

About Symantec AntiVirus Scan Engine logging

109

Logging levels

Logging for each logging destination is activated individually by selecting the desired logging level for that destination. You can select a different logging level for each logging destination. Selecting the logging level lets you choose the types of events for which log messages are generated.

Note: Although you can select a logging level for SESA, not all events for a given level are forwarded to SESA. Only a subset of scan engine events can be logged to SESA when logging to SESA is activated.

See “Scan engine events that are logged to SESA” on page 162.

Table 7-1 shows the events for which log messages are generated at each logging

level. Each logging level builds upon the previous levels (that is, each successive level includes the events of the logging levels below it as well as additional events).

Table 7-1 Events by logging level

Logging level

None

Error

Events logged at the logging level

No events are logged at this logging level.

Server crash

Virus definitions update error

License expired

Logging failure (SMTP/SNMP/RPC user notification)

Entries for this event are not logged to SMTP and

SNMP logging destinations, even if SNMP or

SMTP logging is active at this logging level.

RPC retry

Entries for this event are not logged to SMTP and

SNMP logging destinations, even if SNMP or

SMTP logging is active at this logging level.

110 Configuring and using logging

About Symantec AntiVirus Scan Engine logging

Table 7-1

Logging level

Warning

Information

Verbose

Events by logging level

Events logged at the logging level

All events logged at the Error logging level

Infection found

License about to expire

Threshold number of queued requests exceeded

Virus definitions rollback

Processing violation

Entries for this event are not logged to SMTP and

SNMP logging destinations, even if SNMP or

SMTP logging is active at this logging level.

Mail policy violation

Entries for this event are not logged to SMTP and

SNMP logging destinations, even if SNMP or

SMTP logging is active at this logging level.

All events logged at the Error logging level

All events logged at the Warning logging level

Server start

Server stop

Virus definitions update success

All events logged at the Error logging level

All events logged at the Warning logging level

All events logged at the Information logging level

All files scanned

Note: The Verbose logging level is not available for

SMTP, SNMP, and SESA logging.

Note: The Verbose logging level should be selected only for debugging purposes. Activating this logging level for general logging degrades performance significantly.

Configuring and using logging

About Symantec AntiVirus Scan Engine logging

111

Table 7-2 describes each individual logging event.

Table 7-2

Logging events

Logging event

Server crash

Virus definition update error

License expired

Logging failure (SMTP/SNMP/

RPC user notification)

RPC retry

Infection found

License about to expire

Description

Logs all instances of scan engine crashes.

Logs all errors that occur in virus definitions updates.

Logs each 24-hour period following a Symantec

AntiVirus Scan Engine license expiration.

Note: Log entries for an expired license are generated only during the grace period following the license expiration date. If the grace period expires before the license is renewed, all record of the existing license is removed and the product or feature becomes unlicensed.

Logs all errors in sending to SMTP/SNMP/pop-up window logging destinations that result in no log message being sent (for example, neither the primary nor the secondary SMTP server was available).

Note: Because the broadcast nature of SNMP prevents the detection of transmission failure, no log entry is generated when an SNMP message is not received because the SNMP console is down or the IP address for the SNMP console is entered incorrectly.

Note: Windows pop-up messages are generated only when you have selected RPC as the communication protocol and you have enabled user notification when a virus is found.

Logs attempts to reestablish a lost connection with an

RPC client.

Note: A log entry is generated after five attempts to connect. By default, the Symantec AntiVirus Scan

Engine is configured to try to reconnect with an RPC client indefinitely.

Logs all infections found in scanned files.

Logs each 24-hour period when a Symantec AntiVirus

Scan Engine license is about to expire (that is, the license is within 30 days of its expiration date).

112 Configuring and using logging

Configuring local logging

Table 7-2

Logging events

Logging event

Threshold number of queued requests exceeded

Virus definitions rollback

Processing violation

Mail policy violation

Server start

Server stop

Virus definition update

Log all files scanned

Description

Logs all instances when the threshold number of queued requests is exceeded for the scan engine.

Log entries are generated based on the selected alert interval.

Logs all instances in which the scan engine was able to revert to the previous virus definitions after a virus definitions update failure.

Logs all processing violations for scanned container files.

See “Specifying limits for container files” on page 85.

Logs all mail policy violations for scanned files.

Logs all instances of scan engine startup.

Logs all instances of scan engine shutdown.

Logs all instances of scan engine virus definitions updates.

Logs all files scanned.

Note: This logging event is only available at the

Verbose logging level. The Verbose logging level should be selected only for debugging purposes.

Activating this logging level for general logging purposes degrades performance significantly.

Configuring local logging

You can change the types of events that are logged to the local logs and change the locations of key logging files. You can do any of the following:

Change the local logging level: The default logging destination for Solaris and Linux is the local logs. You can select the types of scan engine events that are logged to the local logs by changing the local logging level. The default logging level for the local logs is Warning (Solaris and Linux only).

See “Specifying the local logging level” on page 113.

Configuring and using logging

Configuring local logging

113

Change the log file location: To accommodate sites with specialized disk configuration, the location of the Symantec AntiVirus Scan Engine log files can be changed. The disk space that is required for the log files varies depending on scan volume and associated activity. The specified location must be large enough to accommodate these files.

See “Changing the log file location” on page 115.

Change the message string file location: The message text for Symantec

AntiVirus Scan Engine log entries and SMTP insert messages is contained in an ASCII text file. You can change the location and file name of this file. You can customize the message text by editing this string file.

See “Changing the message string file location” on page 116.

Specifying the local logging level

If you are running the Symantec AntiVirus Scan Engine on Solaris or Linux, the default logging destination is the local logs. You can change the types of scan engine events that are logged to the local logs by selecting the appropriate local logging level. The default logging level for the local logs for Solaris and Linux is

Warning. Logging to the local logs is not activated by default for Windows 2000

Server/Server 2003.

To specify the local logging level

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.

2 On the Logging tab, under Log file location, select the Local Logging level from the list.

The default logging level for Solaris and Linux is Warning. The default setting for Windows 2000 Server/Server 2003 is None. Select Verbose only if you have been instructed to do so for debugging purposes by Symantec

Technical Service and Support.

114 Configuring and using logging

Configuring local logging

See “Logging levels” on page 109.

3 Click Confirm Changes to save the configuration.

4 Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

Configuring and using logging

Configuring local logging

115

Changing the log file location

You can change the location of the local and billing log files. The file names for the log files cannot be changed. The default location for the log files for Solaris and Linux is /var/log/. The default location for the log files for Windows 2000

Server/Server 2003 is C:\Program Files\Symantec\Scan Engine\.

The disk space that is required for the log files varies depending on the scan volume and associated activity. The specified location must be large enough to accommodate these files. If you change the log file location, old log files are left in the old directory and are not removed during uninstallation. Old logs must be removed manually.

To change the log file location

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.

2 On the Logging tab, under Log file location, in the Log file path location box, type the path to the new location for the log file.

The default location for Solaris and Linux is /var/log/. The default location for Windows 2000 Server/Server 2003 is C:\Program Files\Symantec\Scan

Engine\.

3 Click Confirm Changes to save the configuration.

You must restart the Symantec AntiVirus Scan Engine service for this change to take effect. Data that was logged prior to restarting the service is contained in the previous log file and is not parsed for Symantec AntiVirus

Scan Engine reporting purposes.

4 Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

116 Configuring and using logging

Logging events to the Windows Application Event Log

Changing the message string file location

The message text for Symantec AntiVirus Scan Engine log entries and SMTP insert messages is contained in an ASCII text file. You can change the location and file name of this file. The message text can be customized by editing the string file.

To change the message string file location

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.

2 On the Logging tab, under Logging properties, in the Path and filename for message string file box, type a new path and file name.

The default location for Solaris and Linux is

/opt/SYMCScan/etc/symcsmsg.dat. The default location for Windows 2000

Server/Server 2003 is C:\Program Files\Symantec\Scan

Engine\symcsmg.dat.

3 Click Confirm Changes to save the configuration.

4 Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

Logging events to the Windows Application Event

Log

If you are running the Symantec AntiVirus Scan Engine on Windows 2000

Server/Server 2003, the Application Event Log is the default logging destination. You can change the types of events that are logged to the

Application Event Log by selecting the appropriate Windows logging level. The default logging level for the Windows Application Event Log is Warning

(Windows 2000 Server/Server 2003 only).

Configuring and using logging

Activating SNMP and SMTP logging

117

To log events to the Windows Application Event Log

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.

2 On the Logging tab, under Log Windows, in the Windows Logging level list, select the appropriate logging level.

The default logging level for the Windows Application Event Log is Warning

(Windows 2000 Server/Server 2003 only).

See “Logging levels” on page 109.

3 Click Confirm Changes to save the configuration.

4 Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

Activating SNMP and SMTP logging

The Symantec AntiVirus Scan Engine provides SMTP (Simple Mail Transfer

Protocol) and SNMP (Simple Network Management Protocol) logging capabilities. SNMP or SMTP logging can be activated individually by selecting the appropriate logging level for SNMP or SMTP logging and providing the appropriate destination information.

To activate SNMP logging, you must select the logging level and provide the

SNMP community string and the IP address for a primary SNMP console for receiving the log messages. A second SNMP console can be identified if one is available. Log messages are sent to both the primary and secondary SNMP consoles in all cases.

See “Activating SNMP logging” on page 118.

118 Configuring and using logging

Activating SNMP and SMTP logging

To activate SMTP logging, you must select the logging level and identify a primary SMTP server for forwarding the log messages. You must also specify the email addresses of the recipients and the local domain for the Symantec

AntiVirus Scan Engine. A second SMTP server also can be identified if one is available.

See “Activating SMTP logging” on page 120.

If you have activated SNMP or SMTP logging and are running multiple

Symantec AntiVirus Scan Engines, you also may need to set an alert bind address for each scan engine so that you can identify the originating scan engine for each SNMP and SMTP log message.

See “Specifying the alert bind address” on page 122.

Activating SNMP logging

To activate SNMP logging, you must provide the SNMP community string and an IP address for a primary SNMP console for receiving the log messages. You can specify a second SNMP console if one is available. Log messages are sent to both the primary and secondary SNMP consoles in all cases.

If you need the Management Information Base file to configure SNMP logging, the file (symcscan.mib) is located in the MIB directory as part of the Symantec

AntiVirus Scan Engine distribution.

You must select the types of events for which SNMP log messages will be generated.

See “Logging levels” on page 109.

Configuring and using logging

Activating SNMP and SMTP logging

119

To activate SNMP logging for the Symantec AntiVirus Scan Engine

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.

2 On the Logging tab, under Log SNMP, select the SNMP logging level from the

SNMP Logging level list.

SNMP logging is not activated by default (the SNMP logging level is set to

None). The Verbose logging level is not available for SNMP logging.

See “Logging levels” on page 109.

3 In the Primary server IP address box, type the IP address of the primary

SNMP console to receive log messages.

4 In the Secondary server IP address box, type the IP address of a secondary

SNMP console to receive log messages if one is available.

120 Configuring and using logging

Activating SNMP and SMTP logging

5

In the SNMP Community box, type the SNMP community string.

The default setting is public.

6

Click Confirm Changes to save the configuration.

7 Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

Activating SMTP logging

To activate SMTP logging, you must identify a primary SMTP server for forwarding log messages. You must also specify the email addresses of the recipients and the local domain for the Symantec AntiVirus Scan Engine. You also can specify a second SMTP server if one is available.

You must select the types of events for which SMTP log messages will be generated.

See “Logging levels” on page 109.

Configuring and using logging

Activating SNMP and SMTP logging

121

To activate SMTP logging for the Symantec AntiVirus Scan Engine

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.

2 On the Logging tab, under Log SMTP, select the SMTP logging level from the

SMTP Logging level list.

SMTP logging is not activated by default (the SMTP logging level is set to

None). The Verbose logging level is not available for SMTP logging.

See “Logging levels” on page 109.

3 In the Primary server IP address box, type the IP address of the primary

SMTP server that will forward the log messages.

122 Configuring and using logging

Activating SNMP and SMTP logging

4

In the Secondary server IP address box, type the IP address of a secondary

SMTP server (if one is available) that will forward the log messages if communication with the primary SMTP server fails.

5 In the SMTP Domain box, type the local domain for the Symantec AntiVirus

Scan Engine.

The domain name is added to the From field for SMTP messages so that

SMTP log messages that are generated by the Symantec AntiVirus Scan

Engine originate from ScanServer@<servername>.<domainname>, where

<servername> is the name of the computer that is running the Symantec

AntiVirus Scan Engine and <domainname> is the domain name that is supplied here.

6 In the Recipient email addresses box, type the email addresses of the recipients of the SMTP log messages.

Separate each email address with a comma or space.

7 Click Confirm Changes to save the configuration.

8 Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

Specifying the alert bind address

If you have activated SNMP or SMTP logging and are running multiple

Symantec AntiVirus Scan Engines, you can set an alert bind address for each scan engine to identify the originating scan engine for each SNMP and SMTP log message. The alert bind address of the originating scan engine is appended to all

SNMP and SMTP log messages as a means of identification.

Setting the alert bind address is only necessary if you have configured multiple scan engines to listen on the loopback interface (127.0.0.1) and each scan engine logs messages to the same SNMP or SMTP destination. Because the IP address on which the scan engine listens is used in SNMP and SMTP messages to identify the originating scan engine, it is not possible to determine which scan engine originated the log message when more than one is using the loopback

Configuring and using logging

Managing the local logs

123 interface. You can set a unique alert bind address for each scan engine to provide a method for identifying each scan engine.

To specify the alert bind address

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.

2

On the Logging tab, under Logging properties, in the Alert bind address box, type a bind address to identify the computer on which the Symantec

AntiVirus Scan Engine is running.

3 Click Confirm Changes to save the configuration.

4

Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

Managing the local logs

You can download the local log file in a selected format to a remote computer and save the data to a file, or you can clear the local log file.

You can download the log file in a comma-separated value (CSV) format for export to a file or in an HTML table format that displays in the browser window.

This lets you save or review log data in a usable format. The amount of data that can be downloaded is limited so as not to overwhelm the browser or the server.

You can download one or two megabytes of data. The data that is returned are the most recent log entries.

Note: If you attempt to download large log files during periods of peak usage,

Symantec AntiVirus Scan Engine performance might be impacted.

You also can clear the Symantec AntiVirus Scan Engine log file. This lets you keep the log file at a manageable size. Clearing the log file erases all of the log entries in the file. To retain access to the log data, download the log and export

124 Configuring and using logging

Managing the local logs the data to another file prior to clearing the log file. Logging continues from the date and time that you clear the logs.

Warning: For Windows 2000 Server/Server 2003, clearing the log file causes all of the application logs to be cleared, not just those for the Symantec AntiVirus

Scan Engine.

Manage log files

You can download or clear the log file.

To download the log file

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Reporting.

2

On the Download tab, under Downloading log files, select the amount of data, in megabytes, to download.

The size of the download is limited to 1 or 2 MB so that the amount of data that is returned does not overwhelm the browser or your server.

3 In the Download format list, select one of the following:

CSV: You can open the text file directly or save the file to a specified location.

Table: The data displays in the browser window in an HTML table format.

Sample HTML table output

4

Click Download Logfile.

Configuring and using logging

Obtaining summary data from the local logs

125

To clear the log file

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Reporting.

2 On the Download tab, click Clear Logs.

3 Confirm that you want to clear the application log.

For Windows 2000 Server/Server 2003, clearing the log file causes all of the application logs to be cleared, not just those for the Symantec AntiVirus

Scan Engine.

Obtaining summary data from the local logs

You can obtain summary data from the local logs for a given period of time. For the reported period, you can review the number of times that the scan engine started, the total number of viruses that were found, and the total number of viruses that were repaired. You can also review the virus types that were found during the reported period and the number of times that each type was found.

126 Configuring and using logging

Obtaining summary data from the local logs

To obtain summary data from the local logs

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Reporting.

2 On the Summary tab, type the start and end dates for the range on which you want to report.

Use the date format for your operating system locale.

3 Click Load Logs.

The log data for the requested period displays in the browser window.

Configuring and using logging

Generating scanning statistics from the billing logs

127

Interpreting summary data from the local logs

Sample summary data from the local logs is shown in

Figure 7-1 .

Figure 7-1 Sample Summary report

Date and time that the report is generated

Total number of server starts, viruses found, and viruses repaired for the reported period

Virus types that were found by the scan engine during the reported period and the number of each type found

Clicking a column heading sorts summary results alphabetically or by ascending or descending frequency of occurrence

Generating scanning statistics from the billing logs

The Symantec AntiVirus Scan Engine maintains scanning statistics to support billing for antivirus scanning that is based on megabits-per-second-per-month and file-based billing schemes. Each time that a file is scanned, the Symantec

AntiVirus Scan Engine submits scan statistics to an encrypted data file. You can examine these scanning statistics.

If you bill customers based on bandwidth consumption, you can use this bandwidth metering component to measure the number of megabits-persecond-per-month that are scanned by each Symantec AntiVirus Scan Engine.

The scan engine implements the 95th percentile bandwidth measurement scheme, making it easy for you to add an additional charge for antivirus scanning to existing megabits-per-second-per-month-based billing statements.

See “Understanding the 95th percentile bandwidth measurement” on page 130.

128 Configuring and using logging

Generating scanning statistics from the billing logs

The Symantec AntiVirus Scan Engine also tracks each file that is scanned for file-based billing schemes.

Billing information is logged to a billing log file, symcsbps.dat. The default location for the file for Solaris and Linux is /var/log/symcsbps.dat. The default location for Windows 2000 Server/Server 2003 is C:\Program

Files\Symantec\Scan Engine\symcsbps.dat. If you specified a different directory for the log files, the billing log file is located in that directory. The Symantec

AntiVirus Scan Engine maintains scanning statistics for the previous eight months.

To generate scanning statistics from the billing logs

1

On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Reporting.

2 On the Statistics tab, type the start and end dates for the range on which you want to report.

3 Click Generate Report.

The data for the requested period displays in the browser window.

Configuring and using logging

Generating scanning statistics from the billing logs

129

Interpreting scanning statistics

The scanning statistics that are maintained by the Symantec AntiVirus Scan

Engine support billing for antivirus scanning based on megabits-per-secondper-month and file-based billing schemes. You can examine these scanning statistics for a given time range in one of two ways. You can retrieve data via the

Statistics tab on the Symantec AntiVirus Scan Engine administrative interface

(recommended), or you can use the getstat utility, which also is included with the Symantec AntiVirus Scan Engine, to obtain statistical data via the command line.

See “Generating scanning statistics from the billing logs” on page 127.

A sample report that was generated through the administrative interface is shown in

Figure 7-2

.

Figure 7-2 Sample Statistics report

Total number of files that were scanned for the reported period

95th percentile bandwidth measurement for the reported period

Number of files that were scanned for each 30-minute period

Calculated average

KPS for each 30minute period

(identified by start time)

Clicking a column heading sorts the entries by that criteria

The total number of files that were scanned should not be interpreted strictly as a physical file count. This total includes the number of files as well as additional objects within container files that were scanned. Some containers, such as

MIME-encoded messages and Microsoft Office documents, have additional embedded objects that are not files but that may be scanned depending on the files that you have selected for scanning (the extension list settings). The total does not include any objects within container files that were not scanned because the object’s extension did not match those that were selected for scanning.

130 Configuring and using logging

Generating scanning statistics from the billing logs

For each 30-minute period that is in the specified date range, the total number of files that were scanned and the average KPS scanned for that 30-minute increment are reported. The 30-minute time periods are reported in Greenwich

Mean Time (GMT).

Note: The getstat utility reports the 95th percentile bandwidth measurement as a bits-per-second (bps) measurement rather than a kilobytes-per-second (KPS) measurement as through the interface. For more information about how the

95th percentile measurement is calculated, see

“Understanding the 95th percentile bandwidth measurement” on page 130.

Understanding the 95th percentile bandwidth measurement

The 95th percentile bandwidth measurement is based on a bits-per-second (bps) measurement. The Symantec AntiVirus Scan Engine tallies the number of bits for each file that is scanned in 30-minute increments. The average bps scanned for each 30-minute period is calculated and saved to the billing file. (Data is saved to the billing file every five minutes to prevent the loss of data in the event that the scan engine crashes.) The Symantec AntiVirus Scan Engine logs the average bps that are scanned for 48, 30-minute periods per day.

To make a data retrieval request, you specify a date range for which to view scan engine utilization. When a request is made, the data entries for each 30-minute period in the specified date range are sorted from highest to lowest average bps scanned. Of these entries, the top 5 percent (with the highest average bandwidth scanned) represent spikes in usage and are discarded. The next highest reading is considered the 95th percentile bandwidth measurement.

Note: The 95th percentile bandwidth measurement scheme is designed for billing for maximum bandwidth use and assumes that a system is used continuously rather than being shut down and restarted routinely.

Chapter

8

Configuring LiveUpdate

This chapter includes the following topics:

About LiveUpdate

Updating virus definitions

Scheduling LiveUpdate via the command line

Setting up your own LiveUpdate server

About LiveUpdate

LiveUpdate ensures that your network is not at risk of infection by newly discovered viruses. For Solaris and Linux, the Symantec AntiVirus Scan Engine features Symantec Java LiveUpdate technology, which is found in other

Symantec antivirus products for these platforms. For Windows 2000 Server/

Server 2003, a LiveUpdate client is installed with the Symantec AntiVirus Scan

Engine. On all platforms, the Symantec AntiVirus Scan Engine can be updated with the latest virus definitions without any interruption of virus scanning.

Note: To run LiveUpdate on Solaris or Linux, you must have the Java Runtime

Environment version 1.3.1 or later installed.

Updated virus definitions files, which contain the necessary information to detect and eliminate viruses, are supplied by Symantec at least every week and whenever a new virus threat is discovered. When new virus definitions files are available, the LiveUpdate technology automatically downloads the proper files and installs them in the proper location. If an error occurs, the Symantec

AntiVirus Scan Engine attempts to roll back to the previous virus definitions and continue scanning. If the rollback is unsuccessful, scanning is disabled.

132 Configuring LiveUpdate

Updating virus definitions

You can update virus definitions files and schedule LiveUpdate to run automatically so that you always have the most up-to-date protection.

See “Updating virus definitions” on page 132.

You can also schedule LiveUpdate via the command line, if necessary.

See “Scheduling LiveUpdate via the command line” on page 133.

Updating virus definitions

You can schedule LiveUpdate to run automatically by scheduling LiveUpdate, and you can force LiveUpdate to run immediately to obtain updated virus definitions when necessary.

You can also get the date and revision number of the virus definitions updates that the Symantec AntiVirus Scan Engine is currently using. These display automatically on the LiveUpdate tab. You might need to know the current version that the scan engine is using for Symantec Service and Support. You can also determine the status of the last LiveUpdate attempt.

Scheduling LiveUpdate to update virus definitions automatically

Scheduling LiveUpdate to occur automatically at a specified time interval ensures that the Symantec AntiVirus Scan Engine always has the most current virus definitions. You should schedule LiveUpdate so that you do not have to remember to update virus definitions regularly.

Note: When you install a valid virus definitions update content license for the

Symantec AntiVirus Scan Engine (for the first time or after the previous virus definitions update content license expired), an initial LiveUpdate attempt occurs automatically. Subsequent LiveUpdate attempts will occur automatically only if you schedule LiveUpdate.

When LiveUpdate is scheduled, LiveUpdate is invoked at the specified time interval relative to the LiveUpdate base time. The default LiveUpdate base time is the time that the scan engine was installed. You can change the LiveUpdate base time by editing the configuration file.

See “Changing the LiveUpdate base time” on page 199.

If you change the scheduled LiveUpdate interval, the interval adjusts based on the LiveUpdate base time.

Configuring LiveUpdate

Scheduling LiveUpdate via the command line

133

To schedule LiveUpdate to update virus definitions automatically

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click LiveUpdate.

2 In the Enable scheduled updates list, select the desired interval.

This setting is Off by default.

3 Click Confirm Changes to save the configuration.

Updating virus definitions manually

When necessary, you can run LiveUpdate manually to force an immediate update of virus definitions. If you have scheduled LiveUpdate, the next scheduled LiveUpdate attempt occurs as directed.

To update virus definitions manually

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click LiveUpdate.

2 Click LiveUpdate Now.

The screen refreshes to indicate whether the LiveUpdate was successful. It may take a few minutes for the screen to refresh.

Scheduling LiveUpdate via the command line

You can also schedule LiveUpdate via the command line to ensure that the

Symantec AntiVirus Scan Engine always has the most current virus definitions.

On Solaris and Linux, virus definitions updates can be scheduled using the UNIX cron scheduler and a shell script.

The cslive.exe client can be run from the command line to update virus definitions for the Symantec AntiVirus Scan Engine for Windows 2000 Server/

Server 2003.

134 Configuring LiveUpdate

Scheduling LiveUpdate via the command line

Schedule LiveUpdate via the command line

You can schedule LiveUpdate on UNIX and Windows platforms via the command line.

To schedule LiveUpdate via the UNIX cron scheduler (Solaris and Linux)

1

Create a user called symantec.

2 Open the /etc/group file and type symantec at the end of the avdefs line.

For more information, see the group man pages.

3 Change directories to /etc/cron.d.

4 Create a file called cron.allow.

This file contains the list of users who are allowed to use cron services.

5 Add the following line to the file:

symantec

For more information, see the cron and crontab man pages.

6 Run crontab -e symantec, and type the following line:

0 * * * * /usr/bin/sh /opt/SYMCScan/bin/liveupdate.sh -virusdefs -silent >

/dev/null

The cron scheduler will run the LiveUpdate script once per hour. For more information, see the cron and crontab man pages.

To run LiveUpdate on Windows 2000 Server/Server 2003

At the command prompt, type one of the following commands:

■ cslive.exe /virusdefs /silent: Run LiveUpdate in silent mode (displays no prompting or display indicator).

■ cslive.exe /virusdefs: Run LiveUpdate and display a progress indicator.

LiveUpdate should be scheduled to run periodically (at least weekly) by using the

Windows at command. For example: at 02:00 every:M C:\Program Files\Symantec\Scan Engine\cslive.exe /virusdefs

/silent

This command runs LiveUpdate every Monday at 2:00 A.M. with no user intervention (/silent).

Configuring LiveUpdate

Setting up your own LiveUpdate server

135

Setting up your own LiveUpdate server

Depending on your network setup and the number of Symantec AntiVirus Scan

Engines that you have installed on your network, you might want to set up your own LiveUpdate server rather than have each scan engine on your network contact Symantec servers.

For more information, see the LiveUpdate Administration Utility, which is included on the Symantec AntiVirus Scan Engine CD.

If you set up your own LiveUpdate server, you will need to edit the LiveUpdate configuration for the Symantec AntiVirus Scan Engine to point to the local

LiveUpdate server. For Solaris and Linux, the Symantec AntiVirus Scan Engine

LiveUpdate configuration file contains the configuration options for

LiveUpdate. (The default location is /etc/liveupdate.conf.) For Windows 2000

Server/Server 2003, a LiveUpdate client, cslive.exe, is installed with the

Symantec AntiVirus Scan Engine. Contact Symantec Service and Support for more information.

136 Configuring LiveUpdate

Setting up your own LiveUpdate server

Chapter

9

Customizing log entries

This chapter includes the following topics:

About the message string file

Editing the message string file

Preserving customized text during an upgrade

About the 1000-series message strings

About the 2000-series message strings

About the 4000-series message strings

Editing the ICAP access denied message

About the message string file

Symantec AntiVirus Scan Engine log entries can be customized by editing the message string file.

The message string numbers in the file identify the classification of the message string. The message strings are numbered as follows:

1000 series: Message strings that are numbered in this manner are used to build the SNMP, SMTP, and local log entries. Log entries are generated for many activities, including startup, shutdown, virus definitions updates, infections found, and so on.

See Table 9-1, “Message string definitions,” on page 139.

138 Customizing log entries

Editing the message string file

2000 series: Message strings that are numbered in this manner are used to update email messages when an infected attachment is found and repaired or deleted (because it cannot be repaired). This type of message notifies the recipient of a scanned email message that one or more attachments that were contained in the message were infected. Variables can be used to customize these log messages.

See Table 9-2, “Default message text for MIME-encoded messages,” on page 146.

4000 series: Message strings that are numbered in this manner are used to build other log entries.

See Table 9-4, “Default log text,” on page 149.

Editing the message string file

Unless you have changed the location and file name of this file, the default location for Solaris and Linux is /opt/SYMCScan/etc/symcsmsg.dat. For

Windows 2000 Server/Server 2003, the default location is C:\Program

Files\Symantec\Scan Engine\symcsmg.dat.

To edit the Symantec AntiVirus Scan Engine message string file

1 Locate the Symantec AntiVirus Scan Engine message string file and open it with a text editor.

2 Make your changes to the file.

3 Save the changes to the file.

4

Stop and restart the Symantec AntiVirus Scan Engine.

Preserving customized text during an upgrade

You can upgrade the Symantec AntiVirus Scan Engine from 4.0.X or later without first uninstalling the previous version. Installing the upgrade over the existing installation preserves any customizations that you have made to the message string file, symcsmsg.dat.

Changes that occur to the message string file as a result of an upgrade are handled in the following manner:

New message strings that are specific to the upgrade (those with new message ID numbers) are appended to the message string file.

If an existing message string (one with an existing message ID) has been changed as part of the upgrade to the Symantec AntiVirus Scan Engine, the existing message string is commented out in the message string file so that

Customizing log entries

About the 1000-series message strings

139

■ any customizations are preserved in the file. The updated message is appended to the file, but is not commented out.

If you have customized any message strings in the message string file, you should edit the string file after installing the upgrade to reconcile the new text with your customized text.

About the 1000-series message strings

In most cases, you will not need to edit the message strings, but you can customize log messages for the Symantec AntiVirus Scan Engine if necessary.

Double-byte characters are supported for the scan engine message string text.

For each message string file entry, the text that follows the space after the string number and before the *** can be edited.

Each string file entry that is used in generating Symantec AntiVirus Scan

Engine log messages is described in

Table 9-1

.

Table 9-1 Message string definitions

Number Default message text

1001

1002

1003

1004

1005

1006

Description

Scan Engine IP address:<IPaddress>

Scan Engine port number:<portnumber>

Scan Engine virus fingerprint date (revision) :<virus fingerprintdate>

Scan Engine threshold queue size:<queuesize>

The IP address of the Symantec

AntiVirus Scan Engine that is the subject of the log message

The port number of the Symantec

AntiVirus Scan Engine that is the subject of the log message

The date on which the virus definitions that are the subject of the log message were created (for virus update or update error) along with the virus definitions revision number

The threshold queue size for the

Symantec AntiVirus Scan Engine that is the subject of the log message

Scan Engine number of queued items:<queueditems>

The number of queued scan requests for the Symantec AntiVirus Scan Engine at the time of the reported event

Date/time of event:<date/time> The date and time of the reported event

(Symantec AntiVirus Scan Engine crash, startup, shutdown, and so on)

140 Customizing log entries

About the 1000-series message strings

Table 9-1

Message string definitions

Number Default message text

1007

1008

1009

1010

1011

1012

1013

1014

1015

1016

1017

1018

1019

Description

System uptime (in seconds):<time>

Scan Engine Crash Alert

The Scan Engine has crashed.

The amount of time (at the time of the log entry) that the Symantec AntiVirus

Scan Engine has been running since the last crash or since startup

Subject of the Symantec AntiVirus Scan

Engine Crash Alert

Message body text for the Symantec

AntiVirus Scan Engine Crash Alert

Scan Engine Startup Alert

The Scan Engine has just started up.

Message body text for the Symantec

AntiVirus Scan Engine Startup Alert

Scan Engine Shutdown Alert

Subject of the Symantec AntiVirus Scan

Engine Startup Alert

The Scan Engine has been manually shut down.

Scan Engine Virus Definition

Update Alert

Subject of the Symantec AntiVirus Scan

Engine Shutdown Alert

Message body text for the Symantec

AntiVirus Scan Engine Shutdown Alert

Subject of the Symantec AntiVirus Scan

Engine Virus Definition Update Alert

The Scan Engine has updated its virus definitions.

Message body text for the Symantec

AntiVirus Scan Engine Virus Definition

Update Alert

Scan Engine Queue Overflow Subject of the Symantec AntiVirus Scan

Engine Load Exceeded Alert

The Scan Engine queue is backing up due to a large number of requests.

Message body text for the Symantec

AntiVirus Scan Engine Load Exceeded

Alert

Scan Engine Virus Definition

Error Alert

There was an error loading/ finding the Scan Engine virus definitions. All scanning will be disabled.

Subject of the Symantec AntiVirus Scan

Engine Virus Definition Error Alert, which is issued when an error occurs in updating the virus definitions and scanning is disabled

Message body text for the Symantec

AntiVirus Scan Engine Virus Definition

Update Error Alert, which is issued when an error occurs in updating the virus definitions and scanning is disabled

Customizing log entries

About the 1000-series message strings

141

Table 9-1

Message string definitions

Number Default message text

1020

1021

1022

1023

1024

1025

1026

1027

Description

Scan Engine Virus Definitions

Update Failure Alert

There was an error loading/ finding new Scan Engine virus definitions. Scanning will continue using the original definitions.

Subject of the Symantec AntiVirus Scan

Engine Virus Definitions Update Failure

Alert, which is issued when an error occurs in updating the virus definitions, but scanning continues using the previous virus definitions

Message body text for the Symantec

AntiVirus Scan Engine Virus Definitions

Update Failure Alert, which is issued when an error occurs in updating the virus definitions, but scanning continues using the previous virus definitions

Scan Engine Virus Definitions

Update and Rollback Failure

Alert

Subject of the Symantec AntiVirus Scan

Engine Virus Definitions Update and

Rollback Failure Alert, which is issued when an error occurs in updating the virus definitions and rollback to previous virus definitions is unsuccessful

There was an error loading/ finding new Scan Engine virus definitions. An attempt to roll back to the previous definitions has also failed. All scanning will be disabled.

Message body text for the Symantec

AntiVirus Scan Engine Virus Definitions

Update and Rollback Failure Alert, which is issued when an error occurs in updating the virus definitions and rollback to previous virus definitions is unsuccessful

Scan Engine Infection Found

Alert

The Scan Engine has resumed scanning using its previous virus definitions.

Message body text for the log entry that is issued when an error occurs in updating the virus definitions which states that scanning will continue using previous virus definitions

Scan Engine Non-repairable

Infection Found Alert

Subject of the Symantec AntiVirus Scan

Engine Infection Found Alert

The infection that has been found cannot be repaired.

Subject of the Symantec AntiVirus Scan

Engine Nonrepairable Infection Found

Alert

Message body text for the Symantec

AntiVirus Scan Engine Nonrepairable

Infection Found Alert

142 Customizing log entries

About the 1000-series message strings

Table 9-1

Message string definitions

Number Default message text

1028

1029

1030

1031

1032

1033

1035

Description

Virus name:

Virus ID:

Disposition:

Message body text that states the virus name for both the Infection Found Alert and Nonrepairable Infection Found Alert

The Symantec AntiVirus Scan Engine automatically inserts the virus name.

Message body text that states the virus

ID number for both the Infection Found

Alert and Nonrepairable Infection Found

Alert

The Symantec AntiVirus Scan Engine automatically inserts the virus ID.

Message body text that states the disposal method of the infected file for both the Infection Found Alert and

Nonrepairable Infection Found Alert

The Symantec AntiVirus Scan Engine automatically inserts the disposal method for the file.

An infection has been found but no repair has been attempted.

Message body text for the Infection

Found Alert when the Symantec

AntiVirus Scan Engine is configured to scan files but not to attempt repairs

The infection has been found and repaired.

Message body text for the Infection

Found Alert when the infected file can be repaired and the Symantec AntiVirus

Scan Engine is configured to repair infected files

The infection has been found and the infected file has been deleted.

Message body text for the Infection

Found Alert when the Symantec

AntiVirus Scan Engine is configured to delete infected files

Scan Engine mail policy initialization error

Subject of the Symantec AntiVirus Scan

Engine mail policy initialization error log entry

Customizing log entries

About the 1000-series message strings

143

Table 9-1

Message string definitions

Number Default message text

1036

1037

1038

1039

1040

1041

1042

1043

Description

There was an error loading/ finding the Scan Engine mail policy configuration files. Please correct the problem and restart the Scan Engine.

Message text for the Symantec AntiVirus

Scan Engine Mail Policy Initialization

Error log entry, which is issued when a mail policy configuration file is missing

Symantec AntiVirus Scan Engine

Logging Stopped

Message text for the log entry that is issued when logging stops for the

Symantec AntiVirus Scan Engine because the scan engine has been shut down or has crashed

A license is about to expire: Message body text for the Scan Engine

Licensing Alert when a Symantec

AntiVirus Scan Engine license is about to expire (within 30 days of its expiration date)

A license has expired:

Scan Engine Licensing Alert

Feature Name:

Message body text for the Scan Engine

Licensing Alert when a Symantec

AntiVirus Scan Engine license has expired

This alert is generated only while the scan engine is operating in the grace period.

Subject of the Scan Engine Licensing

Alert

Message body text that states the feature name for the license that is the subject of the Scan Engine Licensing Alert

Expiration Date:

Consult the License Status page for more information.

Message body text that states the expiration date for the license that is the subject of the Scan Engine Licensing

Alert

Additional message body text for the

Scan Engine Licensing Alert, which is issued when a Symantec AntiVirus Scan

Engine license has expired or is about to expire

144 Customizing log entries

About the 1000-series message strings

Table 9-1

Message string definitions

Number Default message text

1046 Virus definitions successfully rolled back to previous definitions.

1050

1051

1060

1061

1062

BAD_FILE_NAME

/BAD_COMPONENT_NAME

Client SID:

Client IP:

Client Computer:

Description

Message text for the log entry that is issued when an error occurs in updating the virus definitions and the rollback to previous virus definitions is successful

Message text that replaces <file name> in which the Symantec AntiVirus Scan

Engine was unable to determine proper character encoding

Message text that replaces <file name> for a file within a container for which the

Symantec AntiVirus Scan Engine was unable to determine proper character encoding

Message text that provides the Security

Identifier of the user who requested an infected file from an RPC client

This log entry is used only when you have selected RPC as the communication protocol, and the RPC client is running an appropriate operating system and version.

Message text that provides the IP address of the computer from which an infected file was requested

This log entry is used only when you have selected RPC as the communication protocol, and the RPC client is running an appropriate operating system and version.

Text that provides the host name of the computer from which an infected file was requested

This log entry is used only when you have selected RPC as the communication protocol, and the RPC client is running an appropriate operating system and version.

Customizing log entries

About the 2000-series message strings

145

Table 9-1

Message string definitions

Number Default message text

1101 CLEAN

1102

1103

1104

1105

1110

NOT REPAIRED

PARTIALLY REPAIRED

REPAIRED

BLOCKED

DELETED

Description

Message body text that appears to the right of Disposition to indicate that no virus has been found

Message body text that appears to the right of Disposition to indicate that a virus has been found, but the infected file has not been repaired

Message body text that appears to the right of Disposition to indicate that multiple viruses have been found, but not all of the viruses could be eliminated from the infected file

Message body text that appears to the right of Disposition to indicate that a virus has been found and the file has been repaired

Message body text that appears to the right of Disposition to indicate that a virus has been found and the file was blocked

Message body text that appears to the right of Disposition to indicate that a virus has been found, but the file could not be repaired and has been deleted

About the 2000-series message strings

The 2000-series strings are used to update email messages when an infected attachment is found and repaired or deleted because it cannot be repaired.

These message strings are intended to notify the recipient of a scanned email message that one or more attachments that were contained in the message were infected.

Note: To add this type of message to MIME-encoded messages, the Symantec

AntiVirus Scan Engine must be configured to update messages in this manner.

See “Inserting text into MIME-encoded messages” on page 104.

146 Customizing log entries

About the 2000-series message strings

The message strings that are used to update MIME-encoded messages are described in

Table 9-2 .

Table 9-2

Default message text for MIME-encoded messages

Number Default message text

2000

2001

2002

2003

Description

ALERT!!! This e-mail contained one or more infected files. The following attachments were infected and have been repaired: <listofinfectedfiles>.

The following infected attachments were deleted: <listofdeletedfiles>.

The following infected attachments were blocked because of Mail Policy violations: <listofblockedfiles>. You may wish to contact the sender to notify them about their infected files.

Thank you.

---- Original message text follows ----

This message text is inserted into the body of MIME-encoded, textonly messages when an infected attachment is found and repaired or deleted from the message. Message strings 2000 and 2001 should be identical so that the inserted message is consistent.

<listofinfectedfiles> is generated by the variable **R; <listofdeletedfiles> is generated by the variable **D; and

<listofblockedfiles> is generated by the variable **P.

See Table 9-3, “Variables for customizing message strings,” on page 149.

Repeat of message string 2000 Message text that is inserted into the body of MIME-encoded messages that contain HTML when an infected attachment is found and repaired or deleted from the message. Default message text is the same for message strings 2000 and

2001. These two messages should be consistent.

No attachments are in this category.

Text that is inserted into message string 2000 or 2001 when no attachments are applicable for the variables **D, **R, or **P.

Mail Policy Block (Attachment Name) Text that replaces the <virusname> variable in message string 4000 when an attachment is deleted because it violates the mail policy that was established for attachment file names.

Customizing log entries

About the 2000-series message strings

147

Table 9-2

Default message text for MIME-encoded messages

Number Default message text

2004

2005

2006

2007

2008

2009

Description

Mail Policy Block (Attachment Size)

Mail Policy Block (Message Size)

Mail Policy Block (Subject Block)

Mail Policy Block (Domain Block)

Text that replaces the <virusname> variable in message string 4000 when an attachment is deleted because it violates the mail policy that was established for attachment file size.

Text that replaces the <virusname> variable in message string 4000 when an email message is blocked because it violates the mail policy for message size.

Text that replaces the <virusname> variable in message string 4000 when an email message is blocked because it violates the mail policy for subject lines.

Text that replaces the <virusname> variable in message string 4000 when an email message is blocked because it violates the mail policy for message origin.

Mail Policy Block (Partial Mime Block) Text that replaces the <virusname> variable in message string 4000 when an email message is blocked because it violates the mail policy for partial MIME message content.

Mail Policy Block (Can’t delete attachment, blocking message)

Text that replaces the <virusname> variable in message string 4000 when an email message is blocked because the attachment that violated the mail policy could not be deleted.

148 Customizing log entries

About the 2000-series message strings

Table 9-2

Default message text for MIME-encoded messages

Number Default message text

2010

2011

Description

DELETED**C.TXT

File name for the file that is substituted in a MIME-encoded message for any attachment that is deleted because it contains an unrepairable virus.

When a message contains more than one infected file, a separate

DELETED**C.TXT file is created for each file. The files are numbered sequentially beginning with 0 and use the **C variable in the file name.

Note: If you are using the native protocol, AVSCANREPAIRDELETE must be used for DELETED**C.TXT to replace deleted files. If you are using ICAP, the scan policy must be set to Scan and repair or delete. The

Symantec AntiVirus Scan Engine must be configured to delete any infected attachments from MIMEencoded messages.

file attachment: The file attached to this email was removed because it is infected with the <virusname> virus.

Text that is contained in the

DELETED**C.TXT file, which is substituted in a MIME-encoded message for any attachment that is deleted because it contains an unrepairable virus.

Customizing log entries

About the 4000-series message strings

149

Several variables can be used to customize the 2000 and 2001 message strings.

These variables are described in

Table 9-3

.

Table 9-3

Variables for customizing message strings

Variable

**N

<br>

**R

**D

**I

**P

Description

Moves to the next line (text only)

Moves to the next line (HTML only)

Displays a list of all of the infected attachments that have been repaired for a message

Displays a list of all of the infected attachments that have been deleted for a message because they could not be repaired

Displays a list of all of the infected attachments that were identified for a message, whether they were deleted or repaired

Displays a list of all of the attachments that were deleted for a message because of mail policy violations

About the 4000-series message strings

The 4000-series message strings are used in log entries (when logging options are enabled). These message strings are described in

Table 9-4

.

Table 9-4

Default log text

Number Default log text

4000

4001

4002

Description

A mail policy violation has been detected.<filename:virus name>

A virus was detected or an attachment or mail message was blocked because of a mail policy violation.

Appropriate logging must be enabled.

A file has been received and scanned.

<filename>

A file was scanned.

The Verbose logging level must be selected to induce logging for every file that is scanned.

Error trying to send an SMTP/SNMP/

POPUP alert.

Delivery of an SMTP, SNMP, or

POPUP log message failed, for example, if the SMTP server was unreachable.

150 Customizing log entries

About the 4000-series message strings

Table 9-4

Default log text

Number Default log text

4005

4010

4011

4012

4013

4014

4015

4016

4017

Description

The Scan Engine was unable to notify the filer that the scan had completed after the maximum number of retries.

Filer at <IPaddress>

The Symantec AntiVirus Scan

Engine successfully completed a scan after the maximum number of retries but was unable to notify the

RPC client.

was is

Used in message string 4012 to indicate that a file was infected but is no longer infected because it has been repaired.

Used in message string 4012 to indicate that a file was infected and is still infected because no repair has been attempted or it cannot be repaired.

File %s %s infected with virus %s.

A license is about to expire. Feature:

%s, expiration date: %s.

A license has expired. Feature: %s, expiration date: %s.

Container limit exceeded (container depth)

Used when an infection is found to indicate the name of the infected file, whether the file was or is still infected, and the virus name.

Used when a license is about to expire to indicate the feature activated by the license and the expiration date of the license.

Used when a license has expired to indicate the feature that is activated by the license and the expiration date of the license.

Used when the specified maximum number of nested levels to be decomposed for scanning is exceeded.

Container limit exceeded (extract time)

Container limit exceeded (file size)

Used when the specified maximum amount of time that is spent decomposing a container file and its contents is exceeded.

Used when the specified maximum file size for individual files in a container file is exceeded.

Customizing log entries

Editing the ICAP access denied message

151

Table 9-4

Default log text

Number Default log text

4018

4019

A container limit violation has been detected.

An Error occurred while trying to replace an infected file with the repaired copy. File: <filename>

4020

4030

4031

4032

4033

Malformed Container (File not scanned)

Detect viruses

Repair viruses

Delete viruses

Repair or delete viruses

Description

Used when a container limit violation has occurred.

Used when an error occurs in replacing an infected file with the repaired copy to indicate the file name.

Used when the Symantec AntiVirus

Scan Engine detects a malformed container and is configured to reject malformed containers.

Rule defined exclusively for logging events to SESA to scan files.

Rule defined exclusively for logging events to SESA to scan files and repair infected files.

Rule defined exclusively for logging events to SESA to scan and delete infected files.

Rule defined exclusively for logging events to SESA to scan files, repair infected files when possible, and delete infected files that cannot be repaired.

Editing the ICAP access denied message

When ICAP is being used, the Symantec AntiVirus Scan Engine displays an

HTML text message to a user when a requested file is blocked. Access to a file is blocked when the file contains a virus and cannot be repaired. The default text indicates that access is denied because the file contained a virus.

For Solaris and Linux, the default location and file name of the HTML file is

/opt/SYMCScan/etc/symcsinf.htm. For Windows 2000 Server/Server 2003, the default location and file name of the file is C:\Program Files\Symantec\Scan

Engine\SYMCSINF.htm.

152 Customizing log entries

Editing the ICAP access denied message

You can customize the text that is displayed in one of the following ways:

Edit the ICAP access denied HTML file.

Specify an alternate HTML file.

See “Configuring ICAP” on page 59.

The default text that is contained in the ICAP access denied message is described

in Table 9-5

.

Table 9-5 Default text for ICAP access denied message

Default text Description

The content you just requested had a problem and was blocked by the Symantec

AntiVirus Scan Engine based on local administrator settings. Contact your local administrator for further information.

Text contained in the symcsinf.htm file, which is displayed to the user when a requested file contains a virus and cannot be repaired

To edit the ICAP access denied message

1 Locate the Symantec AntiVirus Scan Engine ICAP access denied HTML file and open it with a text editor.

2 Make your changes to the file.

3 Save the file.

4

Stop and restart the Symantec AntiVirus Scan Engine.

Chapter

10

Integrating the Symantec

AntiVirus Scan Engine with

SESA

This chapter includes the following topics:

About SESA

Configuring logging to SESA

Scan engine events that are logged to SESA

Interpreting scan engine events in SESA

Uninstalling the SESA integration components

Uninstalling the local SESA Agent

About SESA

In addition to local logging for the Symantec AntiVirus Scan Engine, you can also choose to log virus-related events to the Symantec Enterprise Security

Architecture (SESA). SESA is an underlying software infrastructure and a common user interface framework. It integrates multiple Symantec Enterprise

Security products and third-party products to provide a central point of control of security within an organization. It provides a common management framework for SESA-enabled security products, such as the Symantec AntiVirus

Scan Engine, that protect your IT infrastructure from malicious code, intrusions, and blended threats.

SESA helps you increase your organization’s security posture by simplifying the task of monitoring and managing the multitude of security-related events and

154 Integrating the Symantec AntiVirus Scan Engine with SESA

Configuring logging to SESA products that exist in today’s corporate environments. SESA includes an event management system that employs data collection services for events generated on computers that are managed by Symantec security products. The event categories and classes include antivirus, content filtering, network security, and systems management. The range of events varies depending on the Symantec applications that are installed and managed by SESA.

You can monitor and manage these security-related events through the SESA

Console. The SESA Console is the common user interface that provides manageable integration of security technologies (Symantec or otherwise),

Symantec Security Services, and Symantec Security Response. You can query, filter, and sort data to reduce the security-related events that you see through the SESA Console, which allows you to focus on threats that require your attention. You can configure alert notifications in response to events, and generate, save, and print tabular and graphical reports of event status, based on filtered views that you have created.

The Symantec Enterprise Security Architecture is purchased and installed separately. SESA must be installed and working properly before you configure the Symantec AntiVirus Scan Engine to log events to SESA.

For more information, see the SESA documentation.

Configuring logging to SESA

The logging of virus-related events to the Symantec Enterprise Security

Architecture (SESA) is in addition to the local logging features for the Symantec

AntiVirus Scan Engine. Logging to SESA is activated independently of local logging. If you have purchased SESA, you can choose to send a subset of the virus-related events logged by the scan engine to SESA.

See “Scan engine events that are logged to SESA” on page 162.

To configure logging to SESA, you must complete the following steps:

Configure SESA to recognize the Symantec AntiVirus Scan Engine. In order for SESA to receive events from the scan engine, you must run the SESA

Integration Wizard that is specific to the Symantec AntiVirus Scan Engine on each computer that is running the SESA Manager. The SESA integration

Wizard installs the appropriate integration components for identifying the individual security product (in this case, the Symantec AntiVirus Scan

Engine) to SESA.

See “Configuring SESA to recognize the Symantec AntiVirus Scan Engine” on page 155.

Integrating the Symantec AntiVirus Scan Engine with SESA

Configuring logging to SESA

155

Install a local SESA Agent on the computer that is running the Symantec

AntiVirus Scan Engine. The local SESA Agent handles the communication between the scan engine and SESA.

See “Installing the local SESA Agent” on page 156.

Configure the Symantec AntiVirus Scan Engine (through the scan engine administrative interface) to communicate with the local SESA Agent and to log virus-related events to SESA.

See “Configuring the scan engine to log events to SESA” on page 161.

Configuring SESA to recognize the Symantec AntiVirus Scan Engine

To configure SESA to receive events from the Symantec AntiVirus Scan Engine, run the SESA Integration Wizard that is specific to the Symantec AntiVirus

Scan Engine on each computer that is running the SESA Manager. The SESA

Integration Wizard installs the appropriate integration components for identifying the Symantec AntiVirus Scan Engine to SESA. You must run the

SESA Integration Wizard for each SESA Manager computer to which you are forwarding events from the Symantec AntiVirus Scan Engine.

Each product that interfaces with SESA has a unique set of integration components. The integration components for all products that interface with

SESA are available when you purchase SESA and are not distributed with the individual security products. Thus, the SESA Integration component is not part of the Symantec AntiVirus Scan Engine software distribution package.

To configure SESA to recognize the Symantec AntiVirus Scan Engine

1 On the computer on which the SESA Manager is installed, insert the

Symantec AntiVirus Scan Engine distribution CD into the CD-ROM drive.

2

At the command prompt, change directories on the CD to the

Tools\SESA_SIPI_Installers\SAVSE\ Directory.

3 At the command prompt, type:

java -jar setup.jar

The SESA Integration Wizard starts.

4

Click Next until you see the SESA Domain Administrator Information window.

156 Integrating the Symantec AntiVirus Scan Engine with SESA

Configuring logging to SESA

5

In the SESA Domain Administrator Information window, type the specific information about the SESA Domain Administrator and the SESA Directory.

SESA Domain Administrator

Name

SESA Domain Administrator

Password

IP Address of SESA Directory

SSL Port

The name of the SESA Directory Domain

Administrator account.

The password for the SESA Directory Domain

Administrator account.

The IP address of the computer on which the SESA

Directory is installed (may be the same as the SESA

Manager IP address if both are installed on the same computer).

If you are using authenticated SSL instead of SESA default, anonymous SSL, you must enter the host name of the SESA Directory computer. For example, mycomputer.com.

For more information on SESA default, anonymous

SSL and upgrading to authenticated SSL, see the

Symantec Enterprise Security Architecture

Installation Guide.

The number of the SESA Directory secure port. The default port number is 636.

6 Follow the on-screen instructions to install the appropriate SESA integration components and complete the SESA Integration Wizard.

7

Repeat steps 1 through 6 on each SESA Manager computer to which you are forwarding Symantec AntiVirus Scan Engine events.

Installing the local SESA Agent

The local SESA Agent handles the communication between the Symantec

AntiVirus Scan Engine and SESA and is installed on the same computer that is running the Symantec AntiVirus Scan Engine. The local SESA Agent is provided as part of the software distribution package for the Symantec AntiVirus Scan

Engine. A separate install package for installing the Agent, agentinstaller, is located in the SESA_agent directory on the distribution CD for the Symantec

AntiVirus Scan Engine.

If you have more than one SESA-enabled product installed on a single computer, these products can share a local SESA Agent. However, each product must register with the Agent. Thus, even if an Agent has already been installed on the computer for another SESA-enabled security product, you must run the installer to register the Symantec AntiVirus Scan Engine with the Agent.

Integrating the Symantec AntiVirus Scan Engine with SESA

Configuring logging to SESA

157

The local SESA Agent is preconfigured to listen on the IP address 127.0.0.1 and port number 8086. The scan engine uses this information to communicate with the Agent. If you must change the IP address or port number for the Agent, you must do so through the SESA Console. (Once an Agent is installed, it is controlled through the SESA Console, even though it is running on the computer that is running the security product.) If you change the IP address or port number for the Agent, you must also update, through the Symantec AntiVirus

Scan Engine administrative interface, the information that the scan engine uses to contact the Agent.

Note: To install the local SESA Agent, you must have Java Runtime Environment version 1.3.1 or later already installed. If not, the SESA Agent installation will fail.

See the SESA documentation for more information.

See “Configuring the scan engine to log events to SESA” on page 161.

Install the local SESA Agent

The installation procedures differ depending on the operating system on which the local SESA Agent will be installed.

To install the local SESA Agent on Windows 2000 Server/Server 2003

1 Log on to the computer on which you have installed the Symantec AntiVirus

Scan Engine as administrator or as a user with administrator rights.

2 Copy the agentinstaller.exe file from the Symantec AntiVirus Scan Engine distribution CD onto the computer.

3 Run the .exe file.

4 Indicate that you agree with the terms of the Symantec license agreement, then click Next.

If you do not indicate that you agree, the installation is aborted.

5 Select the Symantec AntiVirus Scan Engine from the list of products to register with SESA.

Note: You can register only one product at a time. If you are installing the local SESA Agent to work with more than one Symantec product, you must run the installer again for each product.

6 Select the location in which to install the local Agent, then click Next.

The default location is C:\Program Files\Symantec\SESA.

158 Integrating the Symantec AntiVirus Scan Engine with SESA

Configuring logging to SESA

7

In the Primary SESA Manager IP address or host name box, type the IP address or host name of the computer on which the primary SESA Manager is running.

If SESA is configured to use Anonymous SSL (the default setting), type the

IP address of the primary SESA Manager. If SESA is configured to use

Authenticated SSL, type the host name of the primary SESA Manager (for example, computer.company.com).

8

In the Primary SESA Manager port number box, type the port number on which the SESA Manager listens.

The default port number is 443.

9

If you are running a Secondary SESA Manager that is to receive events from the scan engine, do the following:

In the Secondary SESA Manager IP address or host name box, type the

IP address or host name of the computer on which the Secondary SESA

Manager is running.

In the Secondary SESA Manager port number box, type the port number on which the Secondary SESA Manager listens.

The default port number is 443.

10 In the Organizational unit distinguished name box, type the organizational unit distinguished name to which the Agent will belong.

If the organizational unit is unknown or not yet configured, this setting can be left blank. Use the format shown in the example: ou=Europe,ou=Locations,dc=SES,o=symc_ses

The domain(s) (dc=) portion of the path should correspond to the domain that is managed by the selected SESA Management Server.

11 Select one of the following to indicate whether the local SESA Agent should start automatically whenever the computer is restarted.

Start SESA Agent automatically: The local SESA Agent starts automatically each time the computer is restarted.

Start SESA Agent automatically: You must manually restart the local

SESA Agent each time the computer is restarted.

12 Indicate whether the local SESA Agent should start immediately after the installation finishes.

If you indicate No, you must manually start the local SESA Agent after the installation is complete.

The installer proceeds from this point with the installation. When the installation is complete, the Agent is installed as a Windows 2000/2003 service and is listed as SESA AgentStart Service in the Services Control Panel.

Integrating the Symantec AntiVirus Scan Engine with SESA

Configuring logging to SESA

159

To install the local SESA Agent on Solaris and Linux

1 Log on as root to the computer on which you have installed the Symantec

AntiVirus Scan Engine.

2 Copy the agentinstaller.sh file from the Symantec AntiVirus Scan Engine distribution CD onto the computer.

3

Change directories to the location in which you copied the file.

4 Type the following command, then press Enter:

sh ./agentinstaller.sh

5 Indicate that you agree with the terms of the Symantec license agreement, then press Enter.

If you indicate No, the installation is aborted.

6 Select the Symantec AntiVirus Scan Engine from the list of products to register with SESA.

Note: You can register only one product at a time. If you are installing the

Agent to work with more than one Symantec product, you must run the installer again for each product.

7 Select the location in which to install the local SESA Agent, then click Next.

The default location is /opt/Symantec/SESA.

8 Type the IP address or host name of the computer on which the primary

SESA Manager is running.

If SESA is configured to use Anonymous SSL (the default setting), type the

IP address of the primary SESA Manager. If SESA is configured to use

Authenticated SSL, type the host name of the primary SESA Manager (for example, computer.company.com).

9 Type the port number on which the SESA Manager listens.

The default port number is 443.

10 If you are running a Secondary SESA Manager that is to receive events from the scan engine, do the following:

Type the IP address or host name of the computer on which the

Secondary SESA Manager is running.

Type the port number on which the Secondary SESA Manager listens.

The default port number is 443.

160 Integrating the Symantec AntiVirus Scan Engine with SESA

Configuring logging to SESA

11 Type the organizational unit distinguished name to which the Agent will belong.

If the organizational unit is unknown or not yet configured, this setting can be left blank. Use the format shown in the example: ou=Europe,ou=Locations,dc=SES,o=symc_ses

The domain(s) (dc=) portion of the path should correspond to the domain that is managed by the selected SESA Management Server.

12 Indicate whether the local SESA Agent should start automatically whenever the computer is restarted.

If you indicate No, you must manually restart the local SESA Agent each time the computer is restarted.

13 Indicate whether the local SESA Agent should start immediately after the installation finishes.

If you indicate No, you must manually start the local SESA Agent after the installation is complete.

The installer proceeds from this point with the installation. Unless you indicated otherwise during the installation, the local SESA Agent starts automatically when the installation is complete.

Stopping and restarting the local SESA Agent service

You may need to stop and restart the local SESA Agent.

Stop and restart the local SESA Agent service

Instructions for stopping and restarting the local service differ depending on the operating system that you are running. For Windows 2000 Server/Server

2003, you can stop and start the service in the Services Control Panel.

To stop and restart the local SESA Agent service on Solaris

At the command prompt, do one of the following:

To stop the service, type the following command:

/etc/init.d/sesagentd stop

To start the service, type the following command:

/etc/init.d/sesagentd start

Integrating the Symantec AntiVirus Scan Engine with SESA

Configuring logging to SESA

161

To stop and restart the local SESA Agent service on Linux

At the command prompt, do one of the following:

To stop the service, type the following command:

/etc/init.d/sesagentd stop

To start the service, type the following command:

/etc/init.d/sesagentd start

Configuring the scan engine to log events to SESA

After you have installed the local SESA Agent to handle communication between the Symantec AntiVirus Scan Engine and SESA, you must configure the

Symantec AntiVirus Scan Engine to communicate with the Agent by specifying the IP address and port number on which the Agent listens. You also can change the types of events that are logged to SESA. These settings are located on the

Symantec AntiVirus Scan Engine administrative interface.

To configure the scan engine to log events to SESA

1 On the Symantec AntiVirus Scan Engine administrative interface, in the left pane, click Configuration.

2

On the Logging tab, under Symantec Enterprise Security Architecture, in the SESA Logging level list, select the appropriate logging level.

Logging to SESA is not activated by default.

See “Logging levels” on page 109.

3 In the SESA agent IP address box, type the IP address on which the local

SESA Agent listens.

The default setting is 127.0.0.1 (the loopback interface), which restricts connections to the same computer.

4 In the Port box, type the TCP/IP port number on which the local SESA Agent listens.

The port number that you enter here must match the port number on which the local SESA Agent listens. The default port is 8086.

5 Click Confirm Changes to save the configuration.

6

Do one of the following:

Click Continue to make additional changes to the Symantec AntiVirus

Scan Engine configuration.

If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save/No Restart, your changes will be lost.

162 Integrating the Symantec AntiVirus Scan Engine with SESA

Scan engine events that are logged to SESA

Click Restart to save your changes and restart the scan engine service now.

Click Save/No Restart to save your changes. (Changes will not take effect until the service is restarted.)

Scan engine events that are logged to SESA

You can choose a logging level to specify the types of events that are logged to

SESA. However, for each logging level, the events that are logged to SESA are a subset of the events that are normally logged by the Symantec AntiVirus Scan

Engine for that logging level. When you activate logging to SESA, only certain events are forwarded to SESA.

See “Logging levels” on page 109.

No events are logged to SESA at the Error logging level.

Table 10-1 lists the

Symantec AntiVirus Scan Engine events that are forwarded to SESA when the logging level is Warning.

Table 10-1 Events that are logged to SESA at the Warning logging level

Logging option

Infection found

Description

Logs all infections found in scanned files

Table 10-2 lists the Symantec AntiVirus Scan Engine events that are forwarded

to SESA when the logging level is Information.

Table 10-2 Events that are logged to SESA at the Information logging level

Logging option

Infection found

Server start

Server stop

Virus definition update

Description

Logs all infections found in scanned files

Logs all instances of scan engine startup

Logs all instances of scan engine shutdown

Logs all instances of scan engine virus definitions updates

Integrating the Symantec AntiVirus Scan Engine with SESA

Interpreting scan engine events in SESA

163

Interpreting scan engine events in SESA

SESA provides extensive event management capabilities. SESA provides common logging of normalized event data for SESA-enabled security products like the Symantec AntiVirus Scan Engine. The event categories and classes include antivirus, content filtering, network security, and systems management.

SESA also provides centralized reporting capabilities, including graphical reports. Currently, the events forwarded to SESA by the Symantec AntiVirus

Scan Engine take advantage of the existing SESA infrastructure for antivirusrelated events.

You can create alert notifications for certain events, including those generated by the Symantec AntiVirus Scan Engine. Notifications include pagers, SNMP traps, email, and operating system event logs. You can define the notification recipients, day and time ranges when specific recipients are notified, and custom data to accompany the notification messages.

For more information about interpreting events in SESA and on SESA’s event management capabilities, see the SESA documentation.

Uninstalling the SESA integration components

If the Symantec AntiVirus Scan Engine is no longer forwarding messages to

SESA, you can uninstall the SESA integration components from each computer that is running the SESA Manager.

To uninstall the SESA integration components

On the taskbar, click Start > Run, then type:

java -jar setup.jar -uninstall

Uninstalling the local SESA Agent

The local SESA Agent is automatically uninstalled when you uninstall the

Symantec AntiVirus Scan Engine. If more than one product is using the Agent, the uninstall script will remove only the Symantec AntiVirus Scan Engine registration and leave the Agent in place. If no other security products are using the Agent, the uninstall script will uninstall the Agent as well.

164 Integrating the Symantec AntiVirus Scan Engine with SESA

Uninstalling the local SESA Agent

Chapter

11

Using the Symantec

AntiVirus Scan Engine command-line scanner

This chapter includes the following topics:

About the Symantec AntiVirus Scan Engine command-line scanner

Setting up a computer to submit files for scanning

Command-line scanner syntax and usage

About the Symantec AntiVirus Scan Engine command-line scanner

The Symantec AntiVirus Scan Engine command-line scanner is a multi-platform utility that works in conjunction with version 4.0.4 or later of the Symantec

AntiVirus Scan Engine that is running on Windows 2000 Server/Server 2003,

Solaris, or Linux platforms. The command-line scanner acts as a client to the

Symantec AntiVirus Scan Engine through the scan engine application programming interface (API), which uses version 1.0 of the Internet Content

Adaptation Protocol (ICAP), presented in RFC 3507 (April 2003).

The command-line scanner lets you send files to the Symantec AntiVirus Scan

Engine to be scanned for viruses. The command-line scanner also lets you do the following:

Repair infected files and delete those that are unrepairable.

Recurse subdirectories for scanning multiple files.

Output information on command-line scanner and scan engine operation.

166 Using the Symantec AntiVirus Scan Engine command-line scanner

Setting up a computer to submit files for scanning

Setting up a computer to submit files for scanning

You can send files to the Symantec AntiVirus Scan Engine via the command line from the computer on which the Symantec AntiVirus Scan Engine is running or from a different computer. You can send files from a computer with a different operating system than the computer on which the scan engine is installed.

Note: Because files are sent to the Symantec AntiVirus Scan Engine for scanning, you can only specify files or directories for which you have appropriate permissions. To send files, you must have read access to the files. To repair (replace) or delete files, you must have permission to modify or delete files, as well as access to the directory in which the files are located.

The Symantec AntiVirus Scan Engine has been tested on the following platforms:

Windows 2000 Server and Windows Server 2003

Solaris 7 or later

Red Hat Linux version 7.3 or later

Note: To use the command-line scanner, you must select ICAP as the communication protocol for the Symantec AntiVirus Scan Engine.

If you are sending files from the same computer on which the Symantec

AntiVirus Scan Engine is running, you do not need to install any additional files for the command-line scanner. The appropriate files are installed automatically during the installation of the scan engine.

If you plan to submit files for scanning from a different computer using the command-line scanner, you must copy certain files to an appropriate directory on each computer from which you plan to submit files to the scan engine.

Using the Symantec AntiVirus Scan Engine command-line scanner

Command-line scanner syntax and usage

167

You can obtain the files from the following locations:

In the Symantec AntiVirus Scan Engine distribution package, in the toplevel Command_Line_Scanner directory

On the computer on which the Symantec AntiVirus Scan Engine is installed, in the Symantec AntiVirus Scan Engine installation directory, in the savsecls subdirectory

Note: The savsecls files are further organized into subdirectories by operating system. Use the files for the operating system of the computer from which you plan to submit files for scanning.

To set up a computer to submit files for scanning

1 Copy the entire contents of the directory for the appropriate operating system.

2

On the computer from which you plan to submit files for scanning, place the files in a directory location that is in the command prompt path.

Command-line scanner syntax and usage

The command-line scanner uses the following general syntax: savsecls [-options] <path> [<path>...]

Specifying what to scan

The <path> parameter lets you specify one or more files or directories to scan, separated by spaces. Use the absolute or relative path. If the specified path is to a file, the file is scanned. If the path is to a directory, all of the files in the directory are scanned.

Note: Do not use a path with symbolic linking. The scan engine will not follow a symbolic link to a file.

You can specify any combination of files and directories. Separate multiple entries with a space. For example: savsecls [-options] <pathtofile1> <pathtofile2> <pathtofile3>

168 Using the Symantec AntiVirus Scan Engine command-line scanner

Command-line scanner syntax and usage

You can specify any mounted file system, mount point, or mapped drive. For example:

C:\Work\Scantest.exe

/tim/export/home/

For both Windows and UNIX, follow the rules for your operating system for handling path names (including using special characters, quotation marks, or wildcard characters as necessary).

Note: If you have specified a directory for scanning and want to descend into subdirectories to scan additional files, you must also use the -recurse option.

See “Requesting recursive scanning” on page 175.

Because files are actually sent to the Symantec AntiVirus Scan Engine for scanning, you can only specify files or directories for which you have appropriate permissions. To send files, you must have read access to the files. To repair (replace) or delete files, you must have permission to modify or delete the files, as well as access to the directory in which the files are located.

If you do not specify a path, input data is read from STDIN and sent to the scan engine for scanning. After the scan, the data (either the original file, if it was clean, or the repaired file) is written to STDOUT. If a file is infected and cannot be repaired, no data is written to STDOUT.

Note: The command-line scanner handles DBCS-encoded names. These are converted to Unicode/UTF-8 before they are passed to the scan engine and are converted back to the locale of the server after scanning.

Using the Symantec AntiVirus Scan Engine command-line scanner

Command-line scanner syntax and usage

169

Supported options

The options that are supported by the command-line scanner are described in

Table 11-3 .

Table 11-3

Supported options for the command-line scanner

Option

-server

-mode

-verbose

Description

Specify one or more scan engines for scanning files. Separate multiple entries with a semicolon. If you do not specify a scan engine, the server option defaults to the local host that is listening on the default port.

The format for each scan engine is <IPaddress:port>, where

IPaddress is the DNS name or IP address of the computer on which the scan engine is running, and port is the port number on which the scan engine listens.

Note: When more than one scan engine is specified, the load balancing and failover features of the API are activated automatically.

See “Specifying the scan engine IP address and port” on page 170.

Optionally override the default antivirus scanning mode. If you do not specify a scanning mode, the scan policy defaults to scanrepairdelete (the repair of infected files is attempted, and files that cannot be repaired are deleted). This is the recommended setting.

If you do not want to use the default antivirus scanning mode, you can specify one of the following:

■ scan: Files are scanned, but no repair is attempted. Infected files are not deleted.

scanrepair: The repair of infected files is attempted. Files that cannot be repaired are not deleted.

See “Specifying the antivirus scanning mode” on page 171.

Report detailed information on the file that is scanned. When this option is used, a line of output is printed to STDOUT for each file that is scanned. The information includes both the name of the file and the result of the scan, including the final disposition of the file.

See “Using the -verbose option” on page 172.

170 Using the Symantec AntiVirus Scan Engine command-line scanner

Command-line scanner syntax and usage

Table 11-3

Option

-details

-timing

-recurse

-onerror

Supported options for the command-line scanner

Description

Report detailed information regarding infections or violations that are found. When this option is used, a block of text is printed to

STDOUT for each file that is scanned. The output text indicates the name of the file that was scanned, detailed information about the infection or violation (for those files that are infected or violate an established policy), and the result of the scan (also provided for the -verbose option).

Note: If you use the -details option, you do not need to use the

-verbose option also. The output for the -verbose option is duplicated as part of the output for the -details option.

See “Using the -details option” on page 173.

Report the time required to scan a file. When this option is used, a line of output is printed to STDOUT for each file that is scanned.

The output includes the name of the file that was scanned and the time that the scan engine required to scan the file.

See “Using the -timing option” on page 174.

Recursively descend into subdirectories inside each path that is specified on the command line.

See “Requesting recursive scanning” on page 175.

Specify the disposition of a file that has been modified (repaired) by the scan engine when an error occurs in replacing the file. The default setting is to delete the file.

You can specify one of the following:

■ leave: The original (infected) file is left in place.

delete: The original (infected) file is deleted, even though the replacement data is unavailable.

See “Disposing of infected files when an error occurs” on page 175.

Specifying the scan engine IP address and port

The -server option lets you specify one or more scan engines for scanning files.

If you do not specify a scan engine, the server option defaults to the local host that is listening on the default port.

The format for each scan engine entry is <IPaddress:port>, where IPaddress is the DNS name or IP address of the computer on which the scan engine is running, and port is the port number on which the scan engine listens. You only

Using the Symantec AntiVirus Scan Engine command-line scanner

Command-line scanner syntax and usage

171 need to specify the port number if the scan engine is installed on a port other than the default. (The default port number for ICAP is 1344.) For example: savsecls -server 192.168.0.100 c:\temp savsecls -server 192.168.0.100:5555 c:\temp

You can specify multiple scan engines. Separate multiple entries with a semicolon. For example: savsecls -server 192.168.0.100:1344;192.168.0.101:1344 c:\temp

When more than one scan engine is specified, the load balancing and failover features of the API are activated automatically. The Symantec AntiVirus Scan

Engine API provides scheduling across any number of computers that are running the Symantec AntiVirus Scan Engine. The API determines the appropriate Symantec AntiVirus Scan Engine (when multiple scan engines are used) to receive the next file to be scanned, based on the scheduling algorithm.

If a Symantec AntiVirus Scan Engine is unreachable or stops responding during a scan, another scan engine is called and the faulty scan engine is taken out of rotation for 30 seconds. If all of the scan engines are out of rotation, the faulty scan engines are called again. The API does not stop trying to contact the scan engine unless five engines are not functioning or it appears that a file that is being scanned might have caused more than one engine to stop responding.

Specifying the antivirus scanning mode

The -mode option lets you override the default antivirus scanning mode for the command-line scanner. The default scanning mode is scanrepairdelete. The repair of infected files is attempted, and files that cannot be repaired are deleted.

You do not need to specify an antivirus scanning mode to use the default setting.

Scanrepairdelete is the recommended setting.

To override the default antivirus scanning mode, you can specify one of the following using the -mode option:

■ scan: Files are scanned, but no repair is attempted. Infected files are not deleted.

■ scanrepair: The repair of infected files is attempted. Files that cannot be repaired are not deleted.

For example: savsecls -server 192.168.0.100:1344 -mode scanrepair c:\temp

172 Using the Symantec AntiVirus Scan Engine command-line scanner

Command-line scanner syntax and usage

When files are sent to the scan engine for scanning via the command-line scanner, the command-line scanning mode always overrides the scan policy configuration on the Symantec AntiVirus Scan Engine (this includes scanning of files that are embedded in container files). If you do not specify a scanning mode using the -mode option, the default setting (scanrepairdelete) applies.

Obtaining detailed scanning results

Several options let you obtain detailed information regarding a scan.

Note: If you are using pipe mode to send a file for scanning via the command line, these options are not available.

Using the -verbose option

The -verbose option lets you obtain more detailed information on each file that is scanned. For example: savsecls -server 192.168.0.100:1344 -verbose c:\work\filea c:\work\fileb c:\work\filec c:\work\filed

When this option is used, a line of output is printed to STDOUT for each file. The information includes the name of the file that was scanned and the result of the scan, including the final disposition of the file.

Table 11-4 lists the possible scan result codes.

Table 11-4

Possible scan result codes for the -verbose option

Result code

-2

-1

0

Description

An error occurred within the Symantec AntiVirus Scan

Engine. The file was not scanned.

An error occurred within the command-line scanner. The file was not scanned.

The file was successfully scanned and is clean. A clean file result can mean any one of the following:

The file was clean to start with.

The file was infected and repaired.

The file was a container file and contained infected embedded files that were repaired or deleted.

Using the Symantec AntiVirus Scan Engine command-line scanner

Command-line scanner syntax and usage

173

Table 11-4

Result code

1

2

Possible scan result codes for the -verbose option

Description

The file was successfully scanned, was not able to be repaired, and was not deleted. (A not-clean result can mean that the file was unrepairable or that the scan policy did not permit repair.)

The file was successfully scanned, was not able to be repaired, and was deleted. (A not-clean result can mean that the file was unrepairable or that the scan policy did not permit repair.)

The output when four files (for example, a, b, c, and d) are scanned should look similar to the following: c:\work\filea -1 c:\work\fileb 2 c:\work\filec 2 c:\work\filed 0

Using the -details option

The -details option lets you obtain detailed information regarding the infections or violations that are found. For example: savsecls -server 192.168.0.100:1344 -details c:\work\filea c:\work\fileb c:\work\filec c:\work\filed

When this option is used, a block of text is printed to STDOUT for each file that is infected or violates an established policy. The output text indicates the name of the file that was scanned, detailed information about the infection or the violation, and the result of the scan (also provided for the -verbose option).

The output includes the following:

Problem name: Virus name or container violation description

Problem ID: Virus ID for viruses or pseudo-ID for policy violations

Disposition: Infected, repaired, or deleted

Note: The output data for disposition mirrors information that is returned by the Symantec AntiVirus Scan Engine for each infection or violation that is identified and might not reflect the final disposition of the file. The final disposition of the file is indicated by the code for the scan results (which is also displayed when you use the -verbose option).

174 Using the Symantec AntiVirus Scan Engine command-line scanner

Command-line scanner syntax and usage

The output when four files (for example, a, b, c, and d) are scanned and files c and d are found to be infected with the Kakworm.c virus should look similar to the following: c:\work\filec 2

Kakworm.c

2832

Infected c:\work\filed 2

Kakworm.c

2832

Infected

Using the -timing option

The -timing option lets you examine the time required to scan each file. For example: savsecls -server 192.168.0.100:1344 -timing c:\work\filea c:\work\fileb c:\work\filec c:\work\filed

When this option is used, a line of output is printed to STDOUT for each file that is scanned. The output includes the name of the file that was scanned and the time that the scan engine required to scan the file.

The reported scan time is calculated as the elapsed time between the opening and closing of the connection with the scan engine and is reported with millisecond accuracy.

The output when four files (for example, a, b, c, and d) are scanned should look similar to the following: c:\work\filea 0.018s

c:\work\fileb 0.013s

c:\work\filec 0.43s

c:\work\filed 0.03s

Using the Symantec AntiVirus Scan Engine command-line scanner

Command-line scanner syntax and usage

175

Requesting recursive scanning

The -recurse option lets you recursively descend into subdirectories inside each path that is specified on the command line. By default, the command-line scanner does not recursively search directories for files to send to the Symantec

AntiVirus Scan Engine for scanning. You must use the -recurse option to do so.

For example: savsecls -server 192.168.0.100:1344 -recurse c:\winnt

Note: This option does not apply when you are using pipe mode.

Disposing of infected files when an error occurs

The -onerror option lets you specify how to dispose of an infected file that has been modified (repaired) by the scan engine when an error occurs in replacing the file. The default setting is to delete the file.

You can specify one of the following:

■ leave: The original (infected) file is left in place.

■ delete: The original (infected) file is deleted, even though the replacement data is unavailable.

For example: savsecls -server 192.168.0.100:1344 -onerror delete c:\temp

Note: This option does not apply when you are using pipe mode.

176 Using the Symantec AntiVirus Scan Engine command-line scanner

Command-line scanner syntax and usage

Appendix

A

Editing the configuration file

This chapter includes the following topics:

Editing the Symantec AntiVirus Scan Engine configuration file

Updating the configuration file during an upgrade

Configuration options

Editing the Symantec AntiVirus Scan Engine configuration file

In addition to using the Web-based administrative interface, you can change the

Symantec AntiVirus Scan Engine settings by editing the configuration file, symcscan.cfg.

The configuration options for the Symantec AntiVirus Scan Engine can be configured through the Web-based administrative interface. Under regular circumstances, you should not need to edit the configuration file.

For Solaris and Linux, the default location for the configuration file is

/opt/SYMCScan/etc/symcscan.cfg. For Windows 2000 Server/Server 2003, the default location for the configuration file is C:\Program Files\Symantec\Scan

Engine\symcscan.cfg.

Note: In editing the configuration file, all high-ASCII and double-byte characters must be written in UTF-8 encoding.

178 Editing the configuration file

Updating the configuration file during an upgrade

To edit the Symantec AntiVirus Scan Engine configuration file

1 Locate the Symantec AntiVirus Scan Engine configuration file.

If you are running more than one copy of the Symantec AntiVirus Scan

Engine on a computer, ensure that you have the appropriate configuration file.

2 Open the configuration file with a text editor.

3 Make your changes to the configuration file.

See “Configuration options” on page 179.

4 Save the file.

5

Stop and restart the Symantec AntiVirus Scan Engine.

Updating the configuration file during an upgrade

You can upgrade the Symantec AntiVirus Scan Engine from 4.0.X or later without first uninstalling the previous version. Installing the upgrade over the existing installation preserves changes that you have made to the configuration file, symcscan.cfg.

Note: Scan engine logging options have changed in version 4.3. Because in many cases the previous configuration options do not map to the new options, any customizations that you have made to the logging options are not preserved.

You must reconfigure logging after installing the upgrade.

Changes that occur to the configuration file as a result of an upgrade are handled in the following manner:

A new configuration file replaces the existing configuration file.

If you have customized any values in the existing configuration file, those values are brought forward to replace the default settings in the new configuration file so that your changes are not altered during the upgrade.

Configuration options that are made obsolete by the upgrade are not transferred to the new configuration file.

Editing the configuration file

Configuration options

179

Configuration options

The configuration options are grouped by their appearance on the interface rather than the order in which they appear in the configuration file.

Warning: Several configuration options in the configuration file are not discussed in this chapter and should not be changed. Changing these options can detrimentally affect product performance. For example, the installation directory (InstallDir) is specified at installation, and the product will not function if you change this value in the configuration file.

Changing protocol-specific settings via the configuration file

You can change the communication protocol that the scan engine uses to communicate with the client applications for which it provides scanning services.

After you select the appropriate protocol, you must provide protocol-specific configuration information. The configuration options differ depending on the protocol that you select.

See “Selecting the communication protocol” on page 56.

Changing the communication protocol

You can change the communication protocol that the scan engine uses to communicate with the client applications.

To change the communication protocol

At Protocol=, type one of the following:

NATIVE: Use the native protocol.

ICAP: Use ICAP.

RPC: Use RPC.

180 Editing the configuration file

Configuration options

Specifying a bind address and port number

The Symantec AntiVirus Scan Engine binds to an IP address and port number.

By default, the Symantec AntiVirus Scan Engine binds to all interfaces. You can restrict access to a specific interface by entering the appropriate bind address.

The default port number setting for the native protocol is port 7777. The default port number setting for ICAP is port 1344.

Note: This setting is applicable to the native protocol and ICAP.

To specify a bind address and port number

1 At BindAddress=, type the IP address on which the Symantec AntiVirus

Scan Engine listens.

Use 127.0.0.1 (the loopback interface) to let only clients that are running on the same computer connect to the Symantec AntiVirus Scan Engine.

2 At Port=, replace the existing port number with the new number.

If you change the port number, use a number that is greater than 1024 that is not in use by any other program or service.

Specifying a directory for local file scanning

You only need to provide a local scan directory when you are using local file scanning options and you want to limit the Symantec AntiVirus Scan Engine so that only files under a particular directory can be scanned. If a local scan directory is not specified (which is the default), any file can be scanned.

To specify a directory for local file scanning

At LocalScanDir=, type the appropriate directory structure.

The specified directory must already exist.

Editing the configuration file

Configuration options

181

Configuring ICAP via the configuration file

If you select ICAP as the protocol to be used by the Symantec AntiVirus Scan

Engine, you must configure several ICAP-specific options.

To configure ICAP via the configuration file

1 At ICAPInfectionHTMLFile=, replace the existing path and file name with a new path and file name, if necessary.

The Symantec AntiVirus Scan Engine includes a default HTML message to display to users when access to a file is denied because it contains a virus.

You can customize this message by specifying an alternate path and file name or by editing the existing file. If you choose to edit the existing file, you do not have to change this setting.

2 At ICAPActionPolicy=, type one of the following to specify how to handle infected files:

SCAN: Deny access to the infected file, but do nothing to the infected file.

SCANDELETE: Delete all infected files without attempting repairs.

SCANREPAIR: Attempt to repair infected files, but do nothing to files that cannot be repaired.

SCANREPAIRDELETE: Attempt to repair infected files, and delete any unrepairable files from archive files.

3

At ICAPResponse=, type one of the following to specify the scan engine response when a file is blocked because it is unrepairable (ICAP 1.0 only):

0: Send an ICAP 403 response.

1: Send a replacement file.

Depending on the ICAP 1.0 application for which the scan engine is providing scan and repair services, you might need to adjust this setting.

The default setting is to send a replacement file (the file specified for

ICAPInfectionHTMLfile) when a file is blocked because it is unrepairable.

However, some ICAP 1.0 applications are configured to receive the ICAP 403 response instead.

182 Editing the configuration file

Configuration options

4

At ICAPPreviewAll=, type one of the following to indicate whether the scan engine should preview content:

0: Request content for only those files that are to be scanned based on the established configuration for which file types to scan.

1: Request preview content (fixed preview size) for all files, including those not indicated for scanning based on the established configuration for which file types to scan. This is the default setting to ensure that all file types that might contain viruses are scanned.

Configuring data trickle

When a user attempts to download an extremely large or complex file from the

Internet, antivirus scanning can cause a delay during which the requesting browser (and thus the user) receives no feedback on the progress of the download. When ICAP is used as the communication protocol, you can use the data trickle feature to provide users with a quicker download response and avoid potential session time-out errors. When data trickle is enabled, the requested file is sent (trickled) to the user in small amounts at regular intervals until the scan is complete. You can change the amount of time that elapses before data trickling begins.

Note: Data trickling can compromise antivirus integrity. Before enabling the data trickle feature, be sure that you read and understand all of the risks.

See “Warnings and limitations about data trickle” on page 66.

Configure data trickle

You can enable or disable data trickle, and you can change the trickle time-out period (the time that elapses before data trickling begins).

To enable data trickle

At ICAPTrickleEnabled=, type one of the following:

1: Enable data trickle.

0: Disable data trickle.

The default setting is 0 (disabled).

To change the trickle time-out period

At ICAPTrickleTimeout=, type the number of seconds to elapse before data trickling begins.

The default setting is 5 seconds.

Editing the configuration file

Configuration options

183

Configuring RPC via the configuration file

If you select RPC as the protocol to be used by the Symantec AntiVirus Scan

Engine, you must configure several RPC-specific options.

To configure RPC via the configuration file

1 At RPCClient=, type the IP address for each RPC client for which the

Symantec AntiVirus Scan Engine is to provide scanning services.

Use the format <IPaddress>;<IPaddress>;<IPaddress>, where <IPaddress> is a single IP address for a supported RPC client.

2 At RPCActionPolicy=, type one of the following to specify how to handle infected files:

SCAN: Deny access to the infected file, but do nothing to the infected file.

SCANREPAIR: Attempt to repair infected files, but do nothing to files that cannot be repaired.

SCANREPAIRDELETE: Attempt to repair infected files, and delete any unrepairable files from archive files.

3 At RPCConnectionCheckInterval=, type (in seconds) the interval at which the Symantec AntiVirus Scan Engine checks to ensure that the connection to the RPC client is still active.

The default interval is 20 seconds.

4 At RPCMaxReconnectAttempts=, type the maximum number of attempts the Symantec AntiVirus Scan Engine will make to reestablish a lost connection to the RPC client.

The default setting is 0, which causes the Symantec AntiVirus Scan Engine to try indefinitely to reestablish a connection.

Notifying requesting users that a virus was found

When a virus is found in a file that is requested from an RPC network-attachedstorage client, you can configure the Symantec AntiVirus Scan Engine to notify the requesting user that the retrieval of the file failed because a virus was found.

The user notification feature is only available when RPC is selected as the communication protocol and the requesting user’s computer is in the same domain as the Symantec AntiVirus Scan Engine.

To notify requesting users that a virus was found

At LogPopup=, type 1 to enable notification that a virus has been found.

The default setting is 0 (disabled).

184 Editing the configuration file

Configuration options

Quarantining unrepairable infected files

When you are using the RPC protocol, you can quarantine unrepairable infected files using the Symantec Central Quarantine. The Symantec Central Quarantine software is included on the Symantec AntiVirus Scan Engine distribution CD.

The Symantec AntiVirus Scan Engine forwards infected items that cannot be repaired to the Symantec Central Quarantine. Typically, heuristically detected viruses that cannot be eliminated by the current set of virus definitions are forwarded to the Quarantine and isolated so that the viruses cannot spread.

See “Quarantining unrepairable infected files” on page 74.

To quarantine unrepairable infected files

1 At QuarantineInUse=, type 1 to quarantine unrepairable infected files.

The default setting is 0 (files are not quarantined).

2 At QuarantineServer=, type the host name or the IP address for the computer on which the Symantec Quarantine Server is installed.

3 At QuarantinePort, type the TCP/IP port number to be used by the Symantec

AntiVirus Scan Engine to pass files to the Central Quarantine.

This setting must match the port number that is selected at installation for the Symantec Quarantine Server.

Changing resource allocation via the configuration file

You can change basic configuration options for the operation of the Symantec

AntiVirus Scan Engine.

See “Allocating resources” on page 77.

Changing the temp directory location

The Symantec AntiVirus Scan Engine must store files in a temporary directory for virus scanning. To support sites with large, specialized disk configuration, the location of this temporary directory can be specified. The default temporary directory for Linux and Solaris is /tmp/navtemp. The default temporary directory for Windows 2000 Server/Server 2003 is determined at installation.

To specify a different location for the temporary directory

At TempDir=, replace the existing path with the new path.

Editing the configuration file

Configuration options

185

Controlling the dynamic thread pool

The pool of scanning threads that is available to the Symantec AntiVirus Scan

Engine for antivirus scanning dynamically adjusts to the load being processed.

You can change several parameters to control the dynamic thread pool.

Note: To disable dynamic thread pool management and use a fixed thread pool size, use the desired number of scanning threads for the fixed thread pool for both the MinThreads and MaxThreads parameters. Use the same number for both parameters.

The configuration file parameters for controlling the dynamic thread pool are:

MinThreads: The minimum number of scanning threads that is created at start-up time and the minimum to keep alive regardless of the load that is being processed

The default setting is 16. You can increase this number if a typical load cannot be satisfied by the default setting of 16. This number cannot be larger than the value entered for the MaxThreads parameter.

MaxThreads: The maximum number of scanning threads that can be created regardless of the load that is being processed

The default setting is 128. The default value (128) is the maximum recommended value for this parameter. Increasing the value beyond 128 can make the software unstable. The MaxThreads value cannot be smaller than the value entered for the MinThreads parameter.

GrowThreadCount: The number of scanning threads to add when the load that is being processed cannot be handled by the existing threads

The default setting is 4. The GrowThreadCount value must be larger than the ShrinkThreadCount value and should not be close to the MaxThreads value. Reasonable values are in the range of 2 to 32.

Note: Creating new threads consumes resources. You should create new threads (GrowThreadCount) and keep them as long as possible. You should remove threads (ShrinkThreadCount) more slowly than you add threads so that you do not consume additional resources, thus creating new threads again in a short period of time.

ShrinkThreadCount: The number of scanning threads to remove when more threads are running than are needed for the load that is being processed

The default setting is 2. The ShrinkThreadCount value must be smaller than the GrowThreadCount value.

186 Editing the configuration file

Configuration options

BusyRequestCount: The number of queued requests (waiting to be processed by scanning threads) that triggers the creation of more scanning threads

The default setting is 4. The BusyRequestCount value cannot be less than 2 and must be less than the LoadMaximumQueuedClients value.

See “Changing the threshold number of queued requests” on page 187.

IdleThreadCount: The number of idle scanning threads that triggers the removal of scanning threads

The default setting is 4.

SecondsBetweenChecks: The number of seconds between evaluations of the thread pool activity

The default setting is 5 seconds. This value cannot be smaller than 2.

Note: Because thread pool activity is checked at the frequency specified for the SecondsBetweenChecks parameter, changes to the thread pool size occur at the same frequency.

To control the dynamic thread pool

1

At MinThreads=, type the minimum number of scanning threads to be created at start-up time and to keep alive regardless of load.

The default setting is 16. Do not use a value that is larger than the value entered for the MaxThreads parameter.

2

At MaxThreads=, type the maximum number of scanning threads to be created regardless of load.

The default setting and the maximum recommended value is 128. Do not use a value that is smaller than the value entered for the MinThreads parameter.

3

At GrowThreadCount=, type the number of scanning threads to add when the load that is being processed cannot be handled by the existing threads.

The default setting is 4. Use a value that is larger than the

ShrinkThreadCount value. Do not use a value that is close to the

MaxThreads value. Reasonable values are in the range of 2 to 32.

4

At ShrinkThreadCount=, type the number of scanning threads to remove when more threads are running than are needed.

The default setting is 2. Use a value that is smaller than the

GrowThreadCount value.

Editing the configuration file

Configuration options

187

5

At BusyRequestCount=, type the number of queued requests (waiting to be processed by scanning threads) that will trigger the creation of more scanning threads.

The default setting is 4. Do not use a value that is less than 2. This value must be less than the LoadMaximumQueuedClients value.

See “Changing the threshold number of queued requests” on page 187.

6 At IdleThreadCount, type the number of idle scanning threads that will trigger the removal of scanning threads.

The default setting is 4.

7 At SecondsBetweenChecks=, type the number of seconds between evaluations of thread pool activity.

The default setting is 5 seconds. Do not use a value that is less than 2.

Changing the threshold number of queued requests

When the number of queued requests to the Symantec AntiVirus Scan Engine exceeds the specified threshold, the scan engine is at maximum load.

To change the threshold number of queued requests to the Symantec

AntiVirus Scan Engine

At LoadMaximumQueuedClients=, type the maximum number of queued requests.

The default setting is 100.

Specifying an alert interval

The alert interval is the number of minutes between log entries that are generated to indicate that maximum load has been exceeded.

To change the alert interval

At LoadExceededAlertInterval=, replace the existing interval with the new interval.

The default setting is five minutes.

188 Editing the configuration file

Configuration options

Changing the virus definition product name

If you are running more than one scan engine on a single computer, the product name must be unique for each service so that both scan engines receive updated virus definitions via LiveUpdate. This option is applicable only if you are running the scan engine on Solaris or Linux.

To change the virus definition product name

At DefinitionProductName=, type the new virus definition product name.

Limiting resources for in-memory file processing

You can limit the resources that are consumed for in-memory file processing by specifying the maximum amount of RAM (in bytes) to be used for the in-memory file system and the maximum file size (in bytes) that can be stored in the inmemory file system.

To limit resources for in-memory file processing

1 At InMemoryFileSystemSize=, type the maximum amount of RAM that can be used for the in-memory file system.

The default setting is 16000000 (~16 MB).

2 At MaxInMemoryFileSize=, type the maximum file size that can be stored in the in-memory file system.

Files that exceed the specified size are written to disk. The default setting is

3000000 (~3 MB).

Configuring logging options via the configuration file

You can activate logging for selected scan engine activities to a number of logging destinations and change the location of log files.

See “Configuring local logging” on page 112.

Specifying a different location for the local log files

To accommodate sites with specialized disk configuration, the location of the

Symantec AntiVirus Scan Engine local log files can be changed.

To specify a different location for the local log files

At LogDir=, replace the existing location with the new location.

Editing the configuration file

Configuration options

189

Changing the location and file name of the message string file

The message text for Symantec AntiVirus Scan Engine log entries and SMTP insert messages is contained in an ASCII text file. You can change the location and file name of this file.

To change the path and file name of the message string file

At StringFile=, replace the existing path and file name with a new path and file name.

Specifying what to log for each logging destination

The Symantec AntiVirus Scan Engine provides a number of logging destinations. Logging to each available logging destination (for example, SNMP,

SMTP, or the Windows Application Event Log) is activated individually by selecting a desired logging level for that destination. Selecting the logging level lets you choose the types of events for which log messages are generated.

In the configuration file, the logging levels are:

None: Do not log any messages to the specified logging destination.

Error: Log Error messages to the specified logging destination.

Warning: Log Warning and Error messages to the specified logging destination.

Information: Log Information, Warning, and Error messages to the specified logging destination.

Verbose: Log Information, Warning, and Error messages and a message for each file that is scanned to the specified logging destination.

See “Logging levels” on page 109.

Specify what to log for each logging destination

You can select a different logging level for each logging destination.

To specify what to log for local logging

At LogLocal, select the desired logging level for local logging.

The default logging level for Solaris and Linux is Warning. The default logging level for Windows 2000 Server/Server 2003 is None. Select Verbose only if you have been instructed to do so for debugging purposes by

Symantec Technical Service and Support.

190 Editing the configuration file

Configuration options

To specify what to log for logging to the Windows Application Event Log

At LogWindows, select the desired logging level for logging to the Windows

Event Log.

The default logging level is Warning (Windows 2000 Server/Server 2003 only). Select Verbose only if you have been instructed to do so for debugging purposes by Symantec Technical Service and Support.

To specify what to log for SESA logging

At LogSESA, select the desired logging level for SESA logging.

Logging to SESA is not activated by default. Select Verbose only if you have been instructed to do so for debugging purposes by Symantec Technical

Service and Support.

To specify what to log for SNMP logging

At LogSNMP, select the desired logging level for SNMP logging.

SNMP logging is not activated by default. The Verbose logging level is not available for SNMP logging.

To specify what to log for SMTP logging

At LogSMTP, select the desired logging level for SMTP logging.

SMTP logging is not activated by default. The Verbose logging level is not available for SMTP logging.

Configuring the scan engine to log events to SESA

If you are running SESA, you must configure the Symantec AntiVirus Scan

Engine to communicate with the local Agent by specifying the IP address and port number on which the Agent listens.

In the configuration file, the SESA logging delivery parameters are:

SESAIP=

SESAPort=

See “Integrating the Symantec AntiVirus Scan Engine with SESA” on page 153.

Editing the configuration file

Configuration options

191

To configure the scan engine to log events to SESA

1 At SESAIP, type the IP address on which the local SESA Agent listens.

The default setting is 127.0.0.1 (the loopback interface), which restricts connections to the same computer.

2 At SESAPort, type the TCP/IP port number on which the local SESA Agent listens.

The port number that you enter here must match the port number on which the SESA Agent listens. The default setting is port 8086.

Configuring SNMP and SMTP logging via the configuration file

If you have activated SNMP or SMTP logging, you must provide the appropriate information for message delivery.

See “Activating SNMP and SMTP logging” on page 117.

Configure SNMP and SMTP logging via the configuration file

In the configuration file, the SNMP logging delivery parameters are:

SNMPPrimary=

SNMPSecondary=

SNMPCommunityString=

In the configuration file, the SMTP logging delivery parameters are:

SMTPPrimary=

SMTPSecondary=

SMTPRecipList=

SMTPDomain=

To configure SNMP logging via the configuration file

1 At SNMPPrimary=, type the IP address of the primary SNMP console that will receive log messages.

2 At SNMPSecondary=, type the IP address of a secondary SNMP console that will receive messages.

You do not have to specify a secondary SNMP console.

3 At SNMPCommunityString=, type the SNMP community string.

The default setting is public.

192 Editing the configuration file

Configuration options

To configure SMTP logging via the configuration file

1 At SMTPPrimary=, type the IP address of the primary SMTP server that will forward log messages.

2 At SMTPSecondary=, type the IP address of a secondary SMTP server that will forward log messages if communication with the primary SMTP server fails.

You do not have to specify a secondary SMTP server.

3 At SMTPRecipList=, type the email addresses for the recipients of SMTP log messages.

Separate multiple addresses with a comma or space.

4 At SMTPDomain=, type the local domain for the Symantec AntiVirus Scan

Engine.

The domain name is added to the From field for SMTP log messages, so that

SMTP log messages that are generated by the Symantec AntiVirus Scan

Engine originate from ScanServer@<servername>.<domainname>, where

<servername> is the name of the computer that is running the Symantec

AntiVirus Scan Engine and <domainname> is the SMTPDomain that you supply here.

Specifying an alert bind address for SNMP and SMTP logging

If you have activated SNMP or SMTP logging and are running multiple

Symantec AntiVirus Scan Engines, you can set an alert bind address for each scan engine to identify the originating scan engine for each SNMP and SMTP log message. The alert bind address of the originating scan engine is appended to all

SNMP and SMTP log messages as a means of identification.

To specify an alert bind address for SNMP and SMTP logging

At AlertBindAddress=, type a bind address to identify the computer on which the Symantec AntiVirus Scan Engine is running.

Changing the administration settings via the configuration file

You can configure settings for the Symantec AntiVirus Scan Engine administrative interface and the virtual administrator account.

See “Changing the administration settings” on page 45.

Editing the configuration file

Configuration options

193

Specify a bind address and port number for the administrative interface

The administrative interface binds to an IP address and port number. By default, this Web interface binds to all interfaces. You can restrict access to a specific interface by entering the appropriate bind address. The default port number is

8004.

To specify a bind address and port number for the administrative interface

1 At AdminBindAddress=, type the IP address on which the Web interface listens.

2 At AdminPort=, replace the existing port number with the new number.

If you change the port number, use a number that is greater than 1024 that is not in use by any other program or service. If the port number is not set, the interface is not enabled.

Clearing the password for the administrator account

The Symantec AntiVirus Scan Engine is managed using a virtual administrative account. You are prompted to provide a password for this account at installation. The password for this account can be changed at any time through the Symantec AntiVirus Scan Engine administrative interface.

Note: You cannot change the password via the configuration file because the password is encrypted in the configuration file. If you forget the password for the virtual administrative account, clear the AdminPassword variable in the configuration file, and then log on to the administrative interface (no password is needed) to enter a new password.

To clear the password for the administrator account

At AdminPassword=, delete the encrypted password.

194 Editing the configuration file

Configuration options

Changing the administrator time-out period

The Symantec AntiVirus Scan Engine is configured by default to automatically log off the administrator after a selected period of inactivity. The default period of inactivity is five minutes (300 seconds). You can change the default time-out period.

To change the administrator time-out period

At AdminPortTimeout=, type the amount of time (in seconds) after which the Symantec AntiVirus Scan Engine automatically logs off the administrator.

Specifying processing limits via the configuration file

You can impose restrictions on the amount of resources that can be used to handle individual files. These processing limits can be used to help you manage your resources and to protect your network against denial of service attacks.

See “Specifying processing limits” on page 84.

Specify processing limits

You can specify processing limits that apply to the following:

Large container files: You can set limits to control the resources that are expended on large container files.

All files: Other types of limits can be applied to all files, such as the maximum number of bytes to be read in determining whether a file is

MIME-encoded.

To specify processing limits for large container files via the configuration file

1 At MaxExtractTime=, do one of the following:

Type the maximum allowable amount of time, in seconds, for decomposing a container file and its contents.

Type 0 to disable this variable.

The default setting is 180 seconds (3 minutes).

2 At MaxExtractSize=, do one of the following:

Type the maximum allowable file size, in bytes, for each file within a container file to be decomposed.

Type 0 to disable this variable.

The default setting is 100 MB.

Editing the configuration file

Configuration options

195

3

At MaxExtractDepth= type the maximum allowable number of nested levels of files within a container file to be handled by the decomposer.

The default setting is 10 levels. The maximum value that can be entered is

50.

4

At LimitChoiceStopCont=, type one of the following:

0: Allow access to container files for which one or more limits are exceeded.

1: Deny access to container files for which one or more limits are exceeded. This is the default setting.

5 At RejectMalformedContainers=, type one of the following:

0: Allow access to all malformed containers.

1: Deny access if container type cannot be identified.

This is the default setting.

2: Deny access to all malformed containers.

To specify processing limits that apply to all files via the configuration file

1

At MaxFileNameLength=, do one of the following:

Type the maximum allowable file name length, in bytes, for a given file.

Type 0 to disable this variable.

The default setting is 1024 bytes.

Note: This feature is functional for the native protocol only.

2 At NonMIMEThreshold=, type the maximum number of bytes that can be read to determine whether a file is MIME-encoded.

The default setting is 200000 bytes.

Changing the antivirus settings via the configuration file

You can configure certain aspects of antivirus scanning, including the file types to be scanned.

See “Configuring antivirus settings” on page 88.

196 Editing the configuration file

Configuration options

Changing the Bloodhound sensitivity level

To supplement the detection of virus infections by virus signature, the

Symantec AntiVirus Scan Engine includes the Symantec patented Bloodhound technology, which heuristically detects new or unknown viruses. The sensitivity of the Bloodhound technology can be adjusted.

To change the Bloodhound sensitivity level

At BloodhoundLevel=, type one of the following:

1: Low sensitivity

2: Medium sensitivity

3: High sensitivity

0: Off

Specifying which file types to scan

Viruses are found only in file types that contain executable code. Bandwidth and time can be saved by limiting the files to be scanned to only those file types that can contain viruses. You can control which file types are scanned by specifying those extensions that you do not want to scan (using an exclusion list) or by specifying those extensions that you want to scan (using an inclusion list), or you can scan all file types regardless of extension.

Specify which file types to scan

The default exclusion list is preconfigured to contain the file extensions for file types that are not likely to contain viruses, but you can edit the default list. The

Symantec AntiVirus Scan Engine is configured by default to scan all file types except those that are contained in the exclusion list.

To scan all files regardless of extension

At ExtensionPolicy=, type 0.

To scan only files with extensions that are in the inclusion list

1 At ExtensionPolicy=, type 1.

2 Edit the ExtensionList (the inclusion list) to add extensions that you want to scan or delete extensions that you do not want to scan.

Use a period with each extension in the list. Separate each extension with a semicolon (for example, .com;.doc;.bat). To scan files that have no extension, use two adjacent semicolons (for example, .com;.exe;;).

Editing the configuration file

Configuration options

197

To scan all files except those with extensions that are in the exclusion list

1 At ExtensionPolicy=, type 2.

2 Edit the ExclusionList to add extensions that you do not want to scan or delete extensions that you want to scan.

Use a period with each extension in the list. Separate each extension with a semicolon (for example, .com;.doc;.bat). To exclude files that have no extension, use two adjacent semicolons (for example, .com;.exe;;).

Specifying whether to scan top-level files

The Symantec AntiVirus Scan Engine is configured by default to scan all toplevel files. In limited circumstances, you can choose to open top-level files as container files (without scanning) and scan only the contents of the file.

Warning: This setting should only be changed from the default setting when the

Symantec AntiVirus Scan Engine is providing virus scan and repair services in an email-only environment (that is, no other types of files are being scanned).

You can safely bypass scanning of the top-level file in an email environment because the top-level file is a container file that is not subject to virus infection.

Not scanning top-level files when other types of files are being scanned can leave your network vulnerable to virus attack.

To specify whether to scan top-level files

At ScanTopLevel=, type one of the following:

0: Open the top-level file as a container file and scan only the contents of the file (do not scan the top-level file).

1: Scan all top-level files.

This is the default setting.

198 Editing the configuration file

Configuration options

Blocking MIME partial message content via the configuration file

The Symantec AntiVirus Scan Engine must have a MIME-encoded message in its entirety to effectively scan it for viruses. Some email software applications break large messages down into a number of smaller, more manageable, partial messages for transmission. The Symantec AntiVirus Scan Engine is configured by default to reject partial messages because they cannot be effectively scanned for viruses.

To block MIME partial message content

At RejectPartialMessages=, type one of the following:

0: Block partial messages.

This is the default setting.

1: Allow access to partial messages.

Activating mail message body updates via the configuration file

You can add text to the bodies of MIME-encoded messages to warn recipients that a virus was found in an attachment or that an attachment was deleted because it violated the mail filter policy. The default text indicates that an attachment was infected and repaired or deleted because it could not be repaired, or that an attachment was deleted because it violated the mail policy.

See “Inserting text into MIME-encoded messages” on page 104.

To activate mail message body updates

At UpdateMailBody=, type one of the following:

1: Activate mail message body updates.

0: Deactivate mail message body updates.

Editing the configuration file

Configuration options

199

Scheduling LiveUpdate to occur automatically via the configuration file

You can schedule LiveUpdate to run automatically to obtain updated virus definitions. Scheduling LiveUpdate to occur automatically at a specified time interval ensures that the Symantec AntiVirus Scan Engine always has the most current virus definitions. You should schedule LiveUpdate so that you do not have to remember to update virus definitions regularly.

Warning: Scheduling LiveUpdate to occur automatically should be handled through the Symantec AntiVirus Scan Engine administrative interface (rather than by editing the configuration file). Entering an invalid value in the configuration file can result in LiveUpdate not functioning properly, which can leave your network vulnerable to virus attack because the Symantec AntiVirus

Scan Engine is not receiving updated virus definitions files.

Schedule LiveUpdate to occur automatically

At LiveUpdateSchedule=, type the frequency at which LiveUpdate is attempted.

Specify the desired value in seconds. For example, to schedule LiveUpdate to occur once every hour, type 3600. Do not schedule LiveUpdate attempts more frequently than every 5 minutes (300 seconds). LiveUpdate is not scheduled by default.

Changing the LiveUpdate base time

You can change the relative start point, or LiveUpdate base time, from which to calculate scheduled LiveUpdate attempts. If you change the LiveUpdate base time, LiveUpdate attempts are scheduled every LiveUpdateSchedule seconds following the base time. The default LiveUpdate base time is the time at which the Symantec AntiVirus Scan Engine was installed.

The LiveUpdate base time is specified in UTC seconds since 00:00:00 January 1,

1970.

To change the LiveUpdate base time

At LiveUpdateBaseTime=, type the relative start point, in UTC seconds, from which LiveUpdate attempts are scheduled.

200 Editing the configuration file

Configuration options

Extracting all streams from OLE structured storage documents for scanning

Certain Microsoft files, such as Microsoft Word and Excel documents, are OLE

(object linking and embedding) structured storage documents. OLE is a compound document standard developed by Microsoft that enables objects to be created with one application and linked or embedded in a second application. In this type of structured storage document, data is stored in a number of streams.

Only certain streams typically contain content that can contain viruses. The

Symantec AntiVirus Scan Engine is configured by default to extract and scan only those streams that are likely to contain viruses. For maximum protection, you can choose to extract and scan all streams, but performance might be negatively impacted depending on the number (and content) of files to be scanned.

To extract and scan all streams from OLE structured storage documents for scanning

At ExtractNativeOLEStreamsOnly=, type 0.

The default setting is 1, which limits scanning to only those streams that are likely to contain viruses.

Appendix

B

Reviewing scanning statistics from the command line

This chapter includes the following topics:

Using the getstat utility

Interpreting getstat utility data

Using the getstat utility

The Symantec AntiVirus Scan Engine maintains scanning statistics so that

Internet service providers can bill for antivirus scanning based on several billing schemes. Each time that a file is scanned, the Symantec AntiVirus Scan Engine submits scan statistics to the billing subsystem, which maintains an encrypted data file. You can access this information through the administrative interface.

See “Generating scanning statistics from the billing logs” on page 127.

You can also use the getstat utility, which is provided with the Symantec

AntiVirus Scan Engine, to obtain statistics for a given date range via the command line. For Solaris and Linux, the default location for the getstat utility is /opt/SYMCScan/bin/getstat. For Windows 2000 Server/Server 2003, the default location is C:\Program Files\Symantec\Scan Engine\getstat.

202 Reviewing scanning statistics from the command line

Interpreting getstat utility data

To use the getstat utility

1 Change directories to the directory in which the getstat tool is located.

2 Type a command using the following format: getstat.exe symcsbps.dat <endingdate> <numberofdays> where <endingdate> is the last day of the billing cycle (the last day in the time range for which you want information on scan engine usage), and

<numberofdays> is the number of days in the billing cycle (or the number of days for which you want to view usage statistics). If the symcsbps.dat file is not located in the same directory as the getstat utility, you must include the path to the log file in the command as well. Use the format MM/DD/YYYY for the <endingdate> entry.

For example, if you type

getstat.exe symcsbps.dat 11/27/2001 30

the generated report includes usage information for the 30-day period ending on 11/27/01.

Interpreting getstat utility data

A sample getstat utility report is shown below.

95th-percentile bandwidth measurement for reported period

Calculated average bps for each 30-minute period (shown in chronological order)

Total number of files that were scanned for the reported period

Number of files that were scanned for each 30-minute period (shown in chronological order)

The total number of files that were scanned should not be interpreted strictly as a physical file count. This total includes the number of files as well as additional objects within container files that were scanned. Some containers, such as

MIME-encoded messages and Microsoft Office documents, have additional embedded objects that are not files but that can be scanned depending on the

ExtensionList settings. The total does not include objects within container files

Reviewing scanning statistics from the command line

Interpreting getstat utility data

203 that were not scanned because the object’s extension did not match those in the

ExtensionList setting.

For each 30-minute period in the specified date range, the total number of files that were scanned and the average bits per second that were scanned for that

30-minute increment are reported. The 30-minute time periods are reported in

Greenwich Mean Time (GMT).

204 Reviewing scanning statistics from the command line

Interpreting getstat utility data

Appendix

C

Return codes

This chapter includes the following topics:

Native protocol return codes

ICAP version 0.95 return codes

CAP version 1.0 return codes

RPC return codes

Native protocol return codes

The following return codes are generated for the native protocol:

200 Command okay.

201 Output file available.

203 Local output file available.

220 Symantec AntiVirus Scan Engine ready.

221 Service closing transmission channel.

230 File scanned.

420 Service not available, closing transmission channel.

430 File not acceptable at this time.

500 Syntax error, command unrecognized.

501 Syntax error in parameters.

502 Command not implemented.

503 Bad sequence of commands.

504 Unsupported protocol version.

206 Return codes

ICAP version 0.95 return codes

530 File not acceptable.

531 File unscannable.

532 Output file unavailable.

533 Error scanning file.

534 File name exceeds configured length.

535 Maximum Extract Time exceeded - scan incomplete.

536 Maximum Extract Depth exceeded - scan incomplete.

537 Maximum Extract Size exceeded - scan incomplete.

538 Malformed container file found. File not scanned.

539 Aborted - no AV scanning license.

ICAP version 0.95 return codes

The following return codes are generated for ICAP version 0.95:

100 Continue

200 OK

201 Created

204 No content necessary.

400 Bad request.

403 Forbidden. Infected and not repaired.

404 Not found.

405 Method not implemented.

420 Container extract time violation. File not scanned.

425 Container size violation. File not scanned.

430 Container depth violation. File not scanned.

431 Malformed container found. File not scanned.

432 Mail policy violation. File not scanned.

500 Internal server error.

503 Service unavailable/overloaded.

505 ICAP version not supported.

531 Container type cannot be repaired.

Return codes

CAP version 1.0 return codes

207

533 Error scanning file.

539 Aborted - no AV scanning license.

CAP version 1.0 return codes

The following return codes are generated for ICAP version 1.0:

100 Continue

200 OK

201 Created

204 No content necessary.

400 Bad request.

403 Forbidden. Infected and not repaired.

404 Not found.

405 Method not implemented.

408 Request timeout.

500 Internal server error.

503 Service unavailable/overloaded.

505 ICAP version not supported.

533 Error scanning file.

539 Aborted - no AV scanning license.

551 Resource unavailable.

RPC return codes

The following return codes are generated for RPC:

Infection found, repaired

Infection found, repair failed

Infection found, repair failed, file quarantined

Infection found, repair failed, quarantine failed

Infection found

Maximum Extract Size exceeded, scan incomplete

Maximum Extract Time exceeded, scan incomplete

208 Return codes

RPC return codes

Maximum Extract Depth exceeded, scan incomplete

Aborted - No AV scanning license

Internal server error

Infection found, repair failed, read-only file

Appendix

D

Using the silent install feature

This chapter includes the following topics:

About the silent install feature

Creating the response file

Initiating the silent installation using the response file

Using the silent install feature for uninstallation

About the silent install feature

The silent install feature lets you automate the installation of the Symantec

AntiVirus Scan Engine. You can use the silent install feature when you are installing multiple Symantec AntiVirus Scan Engines with identical input values for installation. The silent install feature lets you capture the required input values for installation in a response file. You can use the response file for subsequent installations to read in the values so that the installations are silent

(freeing you from having to repeatedly supply input values for each installation).

Implementing the silent install feature is a two-step process:

Create a response file to capture your input values for installation.

Run the install program to read the response file and perform the install silently using the same responses that you specified in the response file.

210 Using the silent install feature

Creating the response file

Creating the response file

The response file contains the input values for the required responses for installation of the Symantec AntiVirus Scan Engine. You can create different response files for different installation scenarios, for example, different protocols, installation directories, or RPC clients.

The procedures for creating the response file differ for Windows 2000 Server/

Server 2003, Solaris, and Linux.

Creating the response file for Windows 2000 Server/Server 2003

For Windows 2000 Server/Server 2003, you must run the installation once to create the response file. The Symantec AntiVirus Scan Engine is initially installed with the /r switch so that your responses are captured in the response file. Ensure that the scan engine is not already installed before you begin.

To create the response file for Windows 2000 Server/Server 2003

1 Change directories to the location of the Symantec AntiVirus Scan Engine installation program, ScanEngine.exe.

2

At the command prompt, type:

ScanEngine /r

The installation proceeds as a normal (non-silent) install.

3 During the installation, respond to each dialog box with the desired input value for the silent installation.

When the installation completes, the response file is written to the disk.

Note: On Windows 2000 Server/Server 2003 only, the password that you enter for the virtual administrative account is stored in the response file unencrypted. Protect the response file accordingly to prevent the password from being compromised.

By default, the response file, setup.iss, is written to the WinNT directory. To specify a different name and location for the response file, use the /f1 switch.

For example, the following command writes a response file, install_savse.iss, to the temporary directory C:\Temp:

ScanEngine /r /f1"C:\Temp\install_savse.iss"

Note: Quotes must be used around the path and file name to handle an embedded space.

Using the silent install feature

Creating the response file

211

Creating the response file for Solaris and Linux

For Solaris and Linux, you can create the response file before you install the

Symantec AntiVirus Scan Engine.

A default response file, named response, is included as part of the Symantec

AntiVirus Scan Engine software distribution package. The response file is a text file that is preconfigured to contain the default settings for the scan engine installation options. You must edit this response file so that it contains the desired input values for the silent installation.

Note: Do not delete any of the parameters in the response file. The installer must read a value for each parameter.

The input values contained in the response file are listed in

Table D-1 .

Table D-1

Input values in the response file

Input value

SCANPort

Protocol

AdminPort

AdminPassword

InstallDir

LogDir

Description

Port number on which the Symantec AntiVirus Scan Engine listens. This port number must be exclusive to the Symantec

AntiVirus Scan Engine. The default port number differs depending on the protocol selected.

NATIVE: 7777

ICAP: 1344

Communication protocol used by the scan engine. Use NATIVE or ICAP.

Port number on which the Web-based administrative interface listens. The default port number is 8004.

Password for the virtual administrative account that you will use to manage the Symantec AntiVirus Scan Engine.

Note: You must use the GenEncryptPW utility, which is included in the scan engine distribution, to generate an encrypted password. Use the encrypted string that is returned

by the utility for this value. See “Generating an encrypted password” on page 213.

Location in which to install the Symantec AntiVirus Scan

Engine. The default location is /opt/SYMCScan.

Location in which to place the Symantec AntiVirus Scan Engine log files. The default location is /var/log.

212 Using the silent install feature

Creating the response file

Table D-1

Input value

SymShared

Input values in the response file

CreateAVDefsGroup

Description

Location of the SymShared directory. The default location is

/opt/Symantec.

Note: The SymShared directory contains the virus definitions that are used by the Symantec AntiVirus Scan Engine to scan for viruses. If you have multiple Symantec products installed on the computer, this directory lets the products share virus definitions. If you have previously installed a Symantec

AntiVirus product on the computer, this directory might already exist.

Boolean value that indicates whether to create the avdefs group. Use 0 if the group already exists, or use 1 to create the group.

The avdefs group has access rights to the directory that contains the virus definitions that are used by the Symantec

AntiVirus Scan Engine. If you have previously installed a

Symantec product on the computer, this group might already exist.

To create the response file for Solaris and Linux

1

Locate the response file, response, on the Symantec AntiVirus Scan Engine distribution CD and copy it to the /tmp directory on the computer that you are using.

For the silent installation to initiate, the response file must be located in the

/tmp directory.

2

Rename the file to no-ask-questions and open the file.

3 Supply the desired input value for each parameter.

Changes should be made only to the right of the equal sign (=).

4 At AdminPassword=, copy and paste the encrypted string that was generated by the GenEncryptPW utility.

Ensure that you copy the encrypted string in its entirety.

See “Generating an encrypted password” on page 213.

5

Save the file.

Using the silent install feature

Initiating the silent installation using the response file

213

Generating an encrypted password

The GenEncryptPW utility is included in the scan engine distribution so that you can protect the administrative password for managing the Symantec

AntiVirus Scan Engine. This utility encrypts the specified password and returns an encrypted string. You must copy the encrypted string in its entirety and paste it in the appropriate location in the response file.

To generate an encrypted password

1 Locate the GenEncryptPW utility on the Symantec AntiVirus Scan Engine distribution CD and copy it to the computer that you are using.

2

At the command prompt, type GenEncryptPW <password>, where

<password> is the password that you will use to access the Symantec

AntiVirus Scan Engine administrative interface.

The utility returns an encrypted string.

3

Save the entire encrypted string that is returned by the GenEncryptPW utility.

Initiating the silent installation using the response file

The procedures for initiating the silent installation differ for Windows 2000

Server/Server 2003, Solaris, and Linux.

The silent installation on Solaris and Linux initiates automatically if the installer finds the response file in the correct location. The existence of the noask-questions file in the /tmp directory tells the installer to perform a silent installation using the input values that are contained in the file. Before you begin the installation, ensure that the appropriate response file, titled no-askquestions, is located in the /tmp directory.

To initiate a silent installation on Windows 2000 Server/Server 2003, you must run the installation program using the /s switch to read the response file. The installation proceeds silently, using the input values that are contained in the response file.

Note: If you initiate a Symantec AntiVirus Scan Engine silent installation in which RPC is the selected communication protocol (Windows 2000 Server/

Server 2003 only), the RPC password that you enter is stored in the response file unencrypted. Protect the response file accordingly to prevent the password from being compromised.

214 Using the silent install feature

Using the silent install feature for uninstallation

To initiate a silent installation on Windows 2000 Server/Server 2003

1 Change directories to the location of the Symantec AntiVirus Scan Engine installation program, ScanEngine.exe.

2 At the command prompt, type:

ScanEngine /s /f1"C:\WinNT\setup.iss"

This command shows the default response file, setup.iss, in its default location, the WinNT directory. You will need to substitute appropriately if you have changed the response file name and location. For example:

ScanEngine /s /f1"C:\Temp\install_savse.iss"

The silent installation proceeds automatically from this point using the input values that are contained in the response file.

Using the silent install feature for uninstallation

You also can automate the uninstallation for the Symantec AntiVirus Scan

Engine on Windows 2000 Server/Server 2003. The procedures for using the silent uninstallation are the same as for the silent installation.

Using the silent install feature for uninstallation

You must create a second response file for uninstallation. After you have created the response file, you can initiate the silent uninstallation by running the installation program with the /s switch to read the response file.

Note: When you create the response file for the silent uninstallation, use the /f1 switch to specify a different name and location for the response file (rather than allowing the default settings), so you can easily distinguish the uninstallation response file from any response files that you have saved for silent installation.

To create the uninstallation response file

At the command prompt, type:

ScanEngine /r /f1"C:\Temp\ScanEngine_uninstall.iss"

To initiate the silent uninstallation

At the command prompt, type:

ScanEngine /s /f1"C:\Temp\ScanEngine_uninstall.iss"

Index

A

access denied message, customizing (ICAP) 151

administrative interface

accessing 41

changing settings for 45

description of 39, 42

administrator

password, configuring 45 time-out, configuring 45

alert bind address, configuring 122

alert interval, configuring 78

antivirus scanning

command-line scanner 165

description of 24

specifying file types for 88

testing detection capabilities 27

B

billing logs

description of 108

generating scanning statistics from 127

interpreting scanning statistics 129

bind address, configuring

for administrative interface 45

for ICAP 61

for native protocol 57

Bloodhound sensitivity, configuring 89

C

command buttons 42

command-line scanner

description 165

installation 166

obtaining detailed scanning results

details on infections found 173

disposition of each file scanned 172

scanning time for each file 174

options

description 169

disposing of infected files on error 175

command-line scanner (continued) options (continued)

obtaining detailed scanning results 172

recursive scanning 175

specifying the scan engine 170

specifying the scanning mode 171

specifying what to scan 167 syntax and usage 167

configuration file

configuration options 179

editing 177

updating during upgrade 178

container file limits, specifying 84

D

data trickle

description 65

enabling 64

warnings and limitations 66

denial of service attacks, protection against 84

dynamic thread pool

configuring 185

configuring maximum number of threads 78

parameters 185

F

file types, specifying for scanning 90

filtering email

blocking partial messages 103

by attachment file name 100

by attachment file size 102

by maximum mail size 97

by message origin 99

by subject 97

G

getstat utility

interpreting data 202

using 201

216 Index

H

HTML alerts, customizing (ICAP) 151

I

ICAP

access denied message, customizing 151

configuration options 61

configuring 59

access denied message 61 bind address 61

data trickle 62

ICAP scan policy 62

port number 61

description 23

return codes 206

infected files, disposing of 175

in-memory file processing limits, configuring 79

installing

command-line scanner 166

on Linux 35 on Solaris 35

on Windows 2000 Server/Server 2003 33

preparing for 31

SESA Agent 156

SESA Integration Wizard 155

silent installation 209

upgrading from previous versions 31

L

levels, for logging 109

licensing

activating license 51

checking license status 53

discussion 49

removing licenses 50 warning and grace periods 50

Linux

installing 35

stopping and starting service 37, 161

system requirements 30

uninstalling 38

LiveUpdate

configuring 132

configuring LiveUpdate server 135

description of 131

scheduling via command line 133

load balancing 22

local logging configuring

local logging level 113

log file location 115

message string file location 116

managing local logs 123

local SESA Agent, installing 156

logging

clearing local logs 123

configuring local logging 112

customizing log entries 139

description of logging events 111

downloading logs 123

log file location, changing 115

logging destinations 107

logging levels 109

obtaining summary data 125

SESA 153

SESA logging levels 162

SMTP logging, configuring 120

SNMP logging, configuring 118

Windows Event Log 116

M

mail filter policy

blocking partial messages 103

by attachment file name 100

by attachment file size 102

by mail subject 97 by maximum mail size 97

by message origin 99

configuring 94

MIME augmentation 104

malformed container files, blocking access 85

message string file

configuring location of 116

customizing message strings 139

description of 137

editing 138

MIME augmentation

configuring 104

customizing message text 145

N

native protocol

configuring 57

discussion of 23

return codes 205

P

partial messages, blocking 103

port number, configuring

for administrative interface 45

for ICAP 61

for native protocol 57

protocol

configuring 56

ICAP 23

native 22

RPC 23

Q

quarantining infected files 74

queue size, configuring 78

R

recursive scanning, requesting 175

return codes

ICAP 206

native protocol 205

RPC 207

RPC

configuring 66

discussion of 23

notifying users when a virus is found 72

quarantining unrepairable files 74

return codes 207

S

scan engine, specifying 170

scanning threads

configuring maximum 78

thread pool configuration 185

scanning, via command line

obtaining scanning results 172

requesting recursive scanning 175

specifying the scanning mode 171

specifying what to scan 167

service, starting and stopping 37

service startup properties, editing 75

SESA Integration Wizard, installing 155

SESA, logging to

configuring 154

configuring the scan engine 161

discussion 155

installing the local Agent 156

Index 217

SESA, logging to (continued)

logging levels 162

running the SESA Integration Wizard 155

silent installation creating the response file

Solaris and Linux 211

Windows 210

discussion 209

initiating install 213

using for uninstall 214

SMTP logging

alert bind address 122

configuring 120

SNMP logging

alert bind address 122

configuring 118

Solaris

installing 35

stopping and starting service 37, 160

system requirements 30

uninstalling 38

statistics, from billing logs

interpreting 129

obtaining 127

using the getstat utility 201

Status pane 43

summary log data

interpreting 127

obtaining 125

syntax for the command-line scanner 167

system requirements 29

T

temporary directory, specifying 77

thread pool

configuring 185

configuring maximum number of threads 78

parameters 185

U

uninstalling Symantec AntiVirus Scan Engine 38

upgrading from previous versions 31

user notification of virus found (RPC) 72

218 Index

V

virus definitions

product name, configuring 79

updating 132

virus detection

description of technology 24

testing 27

virus notification message, RPC 72

W

Windows 2000 Server/Server 2003

installing 34

system requirements 29

uninstalling 38

Windows Event Log, configuring logging to 116

Symantec AntiVirus™ Scan Engine

CD Replacement Form

CD REPLACEMENT: After your 60-Day Limited Warranty, if your CD becomes unusable, fill out and return 1) this form, 2) your damaged CD, and 3) your payment (see pricing below, add sales tax if applicable), to the address below to receive replacement CD. DURING THE 60-DAY LIMITED WARRANTY PERIOD, THIS SERVICE IS FREE.

You must be a registered customer in order to receive CD replacements.

FOR CD REPLACEMENT

Please send me: _______ CD Replacement(s)

Name ______________________________________________________________________________________________________

Company Name _____________________________________________________________________________________________

_________________________________________________________________________

City _______________________ State ____________ Zip/Postal Code ___________________________________________

Country* __________________ Daytime Phone ________________________________________________________________

Software Purchase Date______________________________________________________________________________________

*This offer limited to U.S., Canada, and Mexico. Outside North America, contact your local Symantec office or distributor.

Briefly describe the problem: _________________________________________________________________________________

CD Replacement Price

Sales Tax (See Table)

Shipping & Handling

TOTAL DUE

$ 10.00

______

$ 9.95

______

SALES TAX TABLE: AZ (5%), CA (7.25%), CO (3%), CT (6%), DC (5.75%), FL (6%), GA (4%),

IA (5%), IL (6.25%), IN (5%), KS (4.9%), LA (4%), MA (5%), MD (5%), ME (6%), MI (6%),

MN (6.5%), MO (4.225%), NC (6%), NJ (6%), NY (4%), OH (5%), OK (4.5%), PA (6%), SC

(5%), TN (6%), TX (6.25%), VA (4.5%), WA (6.5%), WI (5%). Please add local sales tax (as well as state sales tax) in AZ, CA, FL, GA, MO, NY, OH, OK, SC, TN, TX, WA, WI.

FORM OF PAYMENT ** (Check One):

___ Check (Payable to Symantec) Amount Enclosed $ __________ ______ Visa _____ Mastercard _____ AMEX

Credit Card Number ______________________________________________________ Expires _________________________

Name on Card (please print) ___________________________________ Signature ___________________________________

**U.S. Dollars. Payment must be made in U.S. dollars drawn on a U.S. bank.

MAIL YOUR CD REPLACEMENT ORDER TO:

Symantec Corporation

Attention: Order Processing

555 International Way

Springfield, OR 97477 (800) 441-7234

Please allow 2-3 weeks for delivery within the U.S.

Symantec and Symantec AntiVirus are trademarks of Symantec Corporation.

Other brands and products are trademarks of their respective holder/s.

© 2003 Symantec Corporation. All rights reserved. Printed in the U.S.A.

219

220

advertisement

Key Features

  • Scalability
  • Robustness
  • Speed
  • Virus protection
  • Serviceability
  • Manageability

Frequently Answers and Questions

What is the Symantec AntiVirus Scan Engine?
The Symantec AntiVirus Scan Engine is a carrier-class virus scanning and repair engine that provides virus scanning and repair capabilities to any application on an IP network, regardless of platform.
How does the Symantec AntiVirus Scan Engine work with the client application?
The Symantec AntiVirus Scan Engine accepts scan requests from client applications using one of three protocols: its own native protocol, a proprietary implementation of the remote procedure call (RPC) protocol, and the Internet Content Adaptation Protocol (ICAP).
What are the system requirements for the Symantec AntiVirus Scan Engine?
The system requirements for the Symantec AntiVirus Scan Engine vary depending on the operating system. Refer to the documentation for detailed information.

Related manuals

Download PDF

advertisement

Table of contents