Symantec AntiVirus 4.3 for Microsoft SharePoint (10332857) for PC, Unix, Linux
Contents
1. At StringFile replace the existing path and file name with a new path and file name Specifying what to log for each logging destination The Symantec AntiVirus Scan Engine provides a number of logging destinations Logging to each available logging destination for example SNMP SMTP or the Windows Application Event Log is activated individually by selecting a desired logging level for that destination Selecting the logging level lets you choose the types of events for which log messages are generated In the configuration file the logging levels are m None Do not log any messages to the specified logging destination m Error Log Error messages to the specified logging destination m Warning Log Warning and Error messages to the specified logging destination m Information Log Information Warning and Error messages to the specified logging destination m Verbose Log Information Warning and Error messages and a message for each file that is scanned to the specified logging destination See Logging levels on page 109 Specify what to log for each logging destination You can select a different logging level for each logging destination To specify what to log for local logging AtLogLocal select the desired logging level for local logging The default logging level for Solaris and Linux is Warning The default logging level for Windows 2000 Server Server 2003 is None Select Verbose only if you have b2. To edit the ICAP access denied message 1 Locate the Symantec AntiVirus Scan Engine ICAP access denied HTML file and open it with a text editor 2 Make your changes to the file 3 Save the file 4 Stop and restart the Symantec AntiVirus Scan Engine Integrating the Symantec AntiVirus Scan Engine with SESA This chapter includes the following topics m About SESA m Configuring logging to SESA m Scan engine events that are logged to SESA m Interpreting scan engine events in SESA m Uninstalling the SESA integration components m Uninstalling the local SESA Agent About SESA In addition to local logging for the Symantec AntiVirus Scan Engine you can also choose to log virus related events to the Symantec Enterprise Security Architecture SESA SESA is an underlying software infrastructure and a common user interface framework It integrates multiple Symantec Enterprise Security products and third party products to provide a central point of control of security within an organization It provides a common management framework for SESA enabled security products such as the Symantec AntiVirus Scan Engine that protect your IT infrastructure from malicious code intrusions and blended threats SESA helps you increase your organization s security posture by simplifying the task of monitoring and managing the multitude of security related events and 154 Integrating the Symantec AntiVirus Scan Engine with SESA Configurin
3. 200 Command okay 201 Output file available 203 Local output file available 220 Symantec AntiVirus Scan Engine ready 221 Service closing transmission channel 230 File scanned 420 Service not available closing transmission channel 430 File not acceptable at this time 500 Syntax error command unrecognized 501 Syntax error in parameters 502 Command not implemented 503 Bad sequence of commands 504 Unsupported protocol version 206 Return codes ICAP version 0 95 return codes 530 File not acceptable 531 File unscannable 532 Output file unavailable 533 Error scanning file 534 File name exceeds configured length 535 Maximum Extract Time exceeded scan incomplete 536 Maximum Extract Depth exceeded scan incomplete 537 Maximum Extract Size exceeded scan incomplete 538 Malformed container file found File not scanned 539 Aborted no AV scanning license ICAP version 0 95 return codes The following return codes are generated for ICAP version 0 95 100 Continue 200 OK 201 Created 204 No content necessary 400 Bad request 403 Forbidden Infected and not repaired 404 Not found 405 Method not implemented 420 Container extract time violation File not scanned 425 Container size violation File not scanned 430 Container depth violation File not scanned 431 Malformed container found File not scanned 432 Mail policy violation File not scanned 500 Internal server error 503 S
4. Anew configuration file replaces the existing configuration file If you have customized any values in the existing configuration file those values are brought forward to replace the default settings in the new configuration file so that your changes are not altered during the upgrade Configuration options that are made obsolete by the upgrade are not transferred to the new configuration file Editing the configuration file 179 Configuration options Configuration options The configuration options are grouped by their appearance on the interface rather than the order in which they appear in the configuration file Warning Several configuration options in the configuration file are not discussed in this chapter and should not be changed Changing these options can detrimentally affect product performance For example the installation directory InstallDir is specified at installation and the product will not function if you change this value in the configuration file Changing protocol specific settings via the configuration file You can change the communication protocol that the scan engine uses to communicate with the client applications for which it provides scanning services After you select the appropriate protocol you must provide protocol specific configuration information The configuration options differ depending on the protocol that you select See Selecting the communication protocol on page 56
5. For more information about interpreting events in SESA and on SESA s event management capabilities see the SESA documentation Uninstalling the SESA integration components If the Symantec AntiVirus Scan Engine is no longer forwarding messages to SESA you can uninstall the SESA integration components from each computer that is running the SESA Manager To uninstall the SESA integration components On the taskbar click Start gt Run then type java jar setup jar uninstall Uninstalling the local SESA Agent The local SESA Agent is automatically uninstalled when you uninstall the Symantec AntiVirus Scan Engine If more than one product is using the Agent the uninstall script will remove only the Symantec AntiVirus Scan Engine registration and leave the Agent in place If no other security products are using the Agent the uninstall script will uninstall the Agent as well 164 Integrating the Symantec AntiVirus Scan Engine with SESA Uninstalling the local SESA Agent Using the Symantec AntiVirus Scan Engine command line scanner This chapter includes the following topics m About the Symantec AntiVirus Scan Engine command line scanner m Setting up a computer to submit files for scanning m Command line scanner syntax and usage About the Symantec AntiVirus Scan Engine command line scanner The Symantec AntiVirus Scan Engine command line scanner is a multi platform utility that works in conjunction with version 4 0 4
6. Introducing the Symantec AntiVirus Scan Engine About the Symantec AntiVirus Scan Engine 0 0 ceceseseseesesesseeeeeeeeeseeeees 15 The Symantec AntiVirus Scan Engine solution cccceseseseeeeeeeeees 16 What s New in Version 4 3 seccersnnicuspnesinncnijocirerani 17 Where to start sorrienni E Ee E ESA a EEEE 18 Considerations for implementation 00 0 0 ccccecsceseseeseeesceecscsseeeseeeeseseeesseeees 20 About Symantec AntiVirus Scan Engine deployment cceeeee 20 How the scan engine works with the client application 0 00 21 About automatic load balancing cc ceeseesesceeeseseeeeseeseeeseeeeeeseeseeesees 22 About supported protocols ccccccccscssesssscescsseseescescssesecssssesecsecseeseceesscseesesseeees 22 About the native protocol ccc cc cceccsessessescesesecsecssesessesscseesessessesseseeaeees 23 About the Internet Content Adaptation Protocol ICAP e 23 About remote procedure call RPC cccecescssessesseseescsscssessesessesseseeeesees 23 About virus protection c ccc ccecssssescescsscsscseeseesceecsecsecssseceecsecseesecacsaeseesecseeees 24 How viruses are detected cecceccscssssesesseceseeeeseseeseseeeeceseeecseseeesaeeeeseseeees 25 Testing virus detection capabilities 0 0 0 eceseseeeeseseeeeeesseeeseeeeeeeeeees 27 Installing the Symantec AntiVirus Scan Engine SYSLEMMPEGUITEMENUS seprei e a a R 29 Windows 2000 Server Server 2003 i ccccc
7. Mail Policy Block Can t delete attachment blocking message Text that replaces the lt virusname gt variable in message string 4000 when an email message is blocked because the attachment that violated the mail policy could not be deleted 147 148 Customizing log entries About the 2000 series message strings Table 9 2 Default message text for MIME encoded messages 2010 DELETED C TXT File name for the file that is substituted in a MIME encoded message for any attachment that is deleted because it contains an unrepairable virus When a message contains more than one infected file a separate DELETED C TXT file is created for each file The files are numbered sequentially beginning with 0 and use the C variable in the file name Note If you are using the native protocol AVSCANREPAIRDELETE must be used for DELETED C TXT to replace deleted files If you are using ICAP the scan policy must be set to Scan and repair or delete The Symantec AntiVirus Scan Engine must be configured to delete any infected attachments from MIME encoded messages 2011 file attachment The file attached to this email was removed because it is infected with the lt virusname gt virus Text that is contained in the DELETED C TXT file which is substituted in a MIME encoded message for any attachment that is deleted because it contains an unrepairable virus Customizing log entries 149 About the
8. 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Licensing Status Install Licensed feature Expiration date Antivirus scanning 2002 1 1 19 0 Virus definition updates 2002 1 1 19 0 Fulfillment ID 9876543210 8034837705 ian 2 Onthe Status tab review the license information that is displayed Configuring the Symantec AntiVirus Scan Engine This chapter includes the following topics About configuring the Symantec AntiVirus Scan Engine Selecting the communication protocol Configuring the Symantec AntiVirus Scan Engine native protocol Configuring ICAP Configuring RPC Allocating resources About configuring the Symantec AntiVirus Scan Engine You can set up the Symantec AntiVirus Scan Engine for your network and configure the scan engine to provide scanning services for client applications You can do the following Change the protocol that the scan engine uses to communicate with the client applications for which it is providing scanning services and configure any protocol specific settings Allocate server and scan engine resources for operation of the Symantec AntiVirus Scan Engine 56 Configuring the Symantec AntiVirus Scan Engine Selecting the communication protocol Selecting the communication protocol You can change the communication protocol that the scan engine uses to communicate with the client applications for which i
9. C If the Software You have licensed is Symantec Web Security independent of version or operating platform designation upon the expiration of Your right to acquire Content Updates the filtering definitions corresponding with all previous Content Updates will be entirely deleted and will no longer be available for use with the Software Upon the expiration of Your right to acquire Content Updates access to updated virus definitions will no longer be available however You may continue to use virus definitions previously acquired D If the Software You have licensed is Symantec AntiVirus Corporate Edition You may not use the Software on or with devices on Your network running embedded operating systems specifically supporting network attached storage functionality without separately licensing a version of such Software specifically licensed for a specific type of network attached storage device under a License Module E If the Software You have licensed is Symantec AntiVirus for EMC Celerra File Server You may use the Software only with EMC Celerra servers and only if You have a license to the Software for each Celerra AntiVirus Agent CAVA associated with each such server You may not allow any computer to access the Software other than an EMC Celerra server EMC and Celerra are trademarks or registered trademarks of EMC Corporation in the U S and other countries Contents Technical support Chapter 1 Chapter 2
10. Symantec AntiVirus Scan Engine Implementation Guide 9 symantec Symantec AntiVirus Scan Engine Implementation Guide The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement Documentation version 4 3 PN 10143971 Copyright Notice Copyright 2000 2003 Symantec Corporation All Rights Reserved Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation NO WARRANTY The technical documentation is being delivered to you AS IS and Symantec Corporation makes no warranty as to its accuracy or use Any use of the technical documentation or the information contained therein is at the risk of the user Documentation may include technical or other inaccuracies or typographical errors Symantec reserves the right to make changes without prior notice No part of this publication may be copied without the express written permission of Symantec Corporation 20330 Stevens Creek Blvd Cupertino CA 95014 Trademarks Symantec and the Symantec logo are U S registered trademarks of Symantec Corporation CarrierScan Server Bloodhound LiveUpdate NAVEX Symantec AntiVirus and Symantec Security Response are trademarks of Symantec Corporation Sun Sun Microsystems the Sun logo Sun Enterprise Java Ultra and Solaris are trademarks or registered tradem
11. m Scan and repair or delete Attempt to repair infected files and delete any unrepairable files from archive files Note If you are using the data trickle feature the ICAP scan policy can only be set to Scan only When you enable data trickle the ICAP scan policy is automatically reset to Scan only Data trickle When a user attempts to download an extremely large or complex file from the Internet antivirus scanning can cause a delay during which the requesting browser and thus the user receives no feedback on the progress of the download You can use the data trickle feature to provide users with a quicker download response and avoid potential session time out errors When data trickle is enabled the requested file is sent trickled to the user in small amounts at regular intervals until the scan is complete See Enabling data trickle on page 64 Configuring the Symantec AntiVirus Scan Engine 63 Configuring ICAP To configure ICAP 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Configuration On the Protocol tab click ICAP The configuration settings display for the selected protocol Protocol Resources Logging Admin Select communication protocol C Native protocol ICAP C RPC ICAP Protocol Configuration Scan Engine bind address o Port number fas HTML message displayed for infected files C Program Files SymanteciSca ICAP scan policy Scan and
12. At UpdateMailBody type one of the following m 1 Activate mail message body updates m 0 Deactivate mail message body updates Editing the configuration file 199 Configuration options Scheduling LiveUpdate to occur automatically via the configuration file You can schedule LiveUpdate to run automatically to obtain updated virus definitions Scheduling LiveUpdate to occur automatically at a specified time interval ensures that the Symantec AntiVirus Scan Engine always has the most current virus definitions You should schedule LiveUpdate so that you do not have to remember to update virus definitions regularly Warning Scheduling LiveUpdate to occur automatically should be handled through the Symantec AntiVirus Scan Engine administrative interface rather than by editing the configuration file Entering an invalid value in the configuration file can result in LiveUpdate not functioning properly which can leave your network vulnerable to virus attack because the Symantec AntiVirus Scan Engine is not receiving updated virus definitions files Schedule LiveUpdate to occur automatically At LiveUpdateSchedule type the frequency at which LiveUpdate is attempted Specify the desired value in seconds For example to schedule LiveUpdate to occur once every hour type 3600 Do not schedule LiveUpdate attempts more frequently than every 5 minutes 300 seconds LiveUpdate is not scheduled by default Changing the LiveUpdate ba
13. Consult the manual before using this feature Special steps are required in addition to application configuration SESA Logging level None hi SESA agent IP address 127 0 0 1 Port 8086 Logging properties Path and filename for message string file C Program Files Symantec Sca Alert bind address Help Confirm Changes 2 Onthe Logging tab under Log SMTP select the SMTP logging level from the SMTP Logging level list SMTP logging is not activated by default the SMTP logging level is set to None The Verbose logging level is not available for SMTP logging See Logging levels on page 109 3 Inthe Primary server IP address box type the IP address of the primary SMTP server that will forward the log messages 121 122 Configuring and using logging Activating SNMP and SMTP logging 4 Inthe Secondary server IP address box type the IP address of a secondary SMTP server if one is available that will forward the log messages if communication with the primary SMTP server fails 5 Inthe SMTP Domain box type the local domain for the Symantec AntiVirus Scan Engine The domain name is added to the From field for SMTP messages so that SMTP log messages that are generated by the Symantec AntiVirus Scan Engine originate from ScanServer lt servername gt lt domainname gt where lt servername gt is the name of the computer that is running the Symantec AntiVirus Scan Engine and lt domainname gt is the domain name that
14. Note To install the local SESA Agent you must have Java Runtime Environment version 1 3 1 or later already installed If not the SESA Agent installation will fail See the SESA documentation for more information See Configuring the scan engine to log events to SESA on page 161 Install the local SESA Agent The installation procedures differ depending on the operating system on which the local SESA Agent will be installed To install the local SESA Agent on Windows 2000 Server Server 2003 1 Logon tothe computer on which you have installed the Symantec AntiVirus Scan Engine as administrator or as a user with administrator rights 2 Copy the agentinstaller exe file from the Symantec AntiVirus Scan Engine distribution CD onto the computer 3 Runthe exe file 4 Indicate that you agree with the terms of the Symantec license agreement then click Next If you do not indicate that you agree the installation is aborted 5 Select the Symantec AntiVirus Scan Engine from the list of products to register with SESA Note You can register only one product at a time If you are installing the local SESA Agent to work with more than one Symantec product you must run the installer again for each product 6 Select the location in which to install the local Agent then click Next The default location is C Program Files Symantec SESA 157 158 Integrating the Symantec AntiVirus Scan Engine with SESA Configuring lo
15. SESA is in addition to the local logging features for the Symantec AntiVirus Scan Engine Logging to SESA is activated independently of local logging If you have purchased SESA you can choose to send a subset of the virus related events logged by the scan engine to SESA See Scan engine events that are logged to SESA on page 162 To configure logging to SESA you must complete the following steps m Configure SESA to recognize the Symantec AntiVirus Scan Engine In order for SESA to receive events from the scan engine you must run the SESA Integration Wizard that is specific to the Symantec AntiVirus Scan Engine on each computer that is running the SESA Manager The SESA integration Wizard installs the appropriate integration components for identifying the individual security product in this case the Symantec AntiVirus Scan Engine to SESA See Configuring SESA to recognize the Symantec AntiVirus Scan Engine on page 155 Integrating the Symantec AntiVirus Scan Engine with SESA 155 Configuring logging to SESA m Install a local SESA Agent on the computer that is running the Symantec AntiVirus Scan Engine The local SESA Agent handles the communication between the scan engine and SESA See Installing the local SESA Agent on page 156 m Configure the Symantec AntiVirus Scan Engine through the scan engine administrative interface to communicate with the local SESA Agent and to log virus related events to SESA Se
16. account at installation The password for this account can be changed at any time through the Symantec AntiVirus Scan Engine administrative interface Do not forget the password that you enter for this account because the virtual administrative account is the only account that can be used to manage the Symantec AntiVirus Scan Engine If you forget the password for the virtual administrative account you must clear the adminpassword variable in the configuration file and then log on to the administrative interface to enter a new password You won t need a password See Editing the Symantec AntiVirus Scan Engine configuration file on page 177 Administrator timeout The Symantec AntiVirus Scan Engine requires the administrator to log on to the administrative interface to access the administrative functions The Symantec AntiVirus Scan Engine is configured to automatically log the administrator off after a selected period of inactivity by default The default period of inactivity is five minutes You can change the default time out period 46 Symantec AntiVirus Scan Engine administration Changing the administration settings To change the administration settings 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Configuration On the Admin tab in the HTTP bind address box type a bind address if necessary By default the Symantec AntiVirus Scan Engine binds to all interface
17. definitions that are used by the Symantec AntiVirus Scan Engine If you have previously installed a Symantec product on the computer this group might already exist If so this option is not available Select the location in which to install the Symantec AntiVirus Scan Engine then press Enter The default location is opt SYMCScan Select the location for the SymShared directory The SymShared directory contains the virus definitions that are used by the Symantec AntiVirus Scan Engine to scan for viruses The default location is opt Symantec If you have multiple Symantec products installed on the computer this directory lets the products share virus definitions If you have previously installed a Symantec product on the computer this directory might already exist If so this option is not available Select the protocol to be used by the Symantec AntiVirus Scan Engine then click Next Select the port number on which the Web based administrative interface listens The default port number is 8004 To disable type 0 Note If you disable the administrative interface you must configure the Symantec AntiVirus Scan Engine by editing the configuration file See Editing the configuration file on page 177 Type a password for the virtual administrative account that you will use to manage the Symantec AntiVirus Scan Engine Confirm the password by typing it again The installer proceeds from this point with the installatio
18. you specify one or more subject lines or strings to be found within subject lines that are known to be threats Messages with these subject lines are rejected Subject strings that you specify are matched against the subject line of each email Wildcard characters can be used when you are not sure of the exact subject line Any white space tabs or spaces at the beginning of the subject line is ignored Any white space that you enter at the beginning of your search string the text that you enter for the subject line filter is also ignored 98 Setting scanning and blocking policies Establishing a mail filter policy You can filter mail by subject line during a virus outbreak to further protect your network In the case of a new email borne virus if you know the subject line or part of the subject line of the infected message you can use this information to block infected email You can protect your network immediately before virus definitions for the new virus have been posted Note Entries that you make for this setting through the administrative interface are encoded and saved automatically as Unicode UTF 8 To filter mail by subject line 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Blocking Policy On the Mail tab under Blocking by subject line type a text string to block Type as many subject lines to block as needed one per line Search strings are not case sensiti
19. AntiVirus Scan Engine configuration remember that stopping and restarting the Symantec AntiVirus Scan Engine service results in a lost connection to client applications that are in the process of submitting files for scanning The client application must reestablish the connection and resubmit the file for scanning You may want to schedule configuration changes for times when scanning is at a minimum Although it is possible for multiple administrative interface sessions to be active at one time for a single Symantec AntiVirus Scan Engine this practice is 40 Symantec AntiVirus Scan Engine administration About the administrative interface strongly discouraged Having more than one user logged in at the same time can cause possible race conditions as well as result in conflicting configuration changes being submitted Built in HTTP server The built in HTTP server that provides the administrative interface is independent of any existing HTTP server that may be installed on your server and is not a general purpose Web server During the installation process you are prompted for the TCP IP port number on which this built in HTTP server listens The port number that you specify must be exclusive to the Symantec AntiVirus Scan Engine administrative interface and must not already be in use by any other program or service Because the built in HTTP server is not a general purpose Web server do not use port number 80 the default port number
20. Changing the communication protocol You can change the communication protocol that the scan engine uses to communicate with the client applications To change the communication protocol At Protocol type one of the following m NATIVE Use the native protocol m ICAP Use ICAP m RPC Use RPC 180 Editing the configuration file Configuration options Specifying a bind address and port number The Symantec AntiVirus Scan Engine binds to an IP address and port number By default the Symantec AntiVirus Scan Engine binds to all interfaces You can restrict access to a specific interface by entering the appropriate bind address The default port number setting for the native protocol is port 7777 The default port number setting for ICAP is port 1344 Note This setting is applicable to the native protocol and ICAP To specify a bind address and port number 1 At BindAddress type the IP address on which the Symantec AntiVirus Scan Engine listens Use 127 0 0 1 the loopback interface to let only clients that are running on the same computer connect to the Symantec AntiVirus Scan Engine 2 At Port replace the existing port number with the new number If you change the port number use a number that is greater than 1024 that is not in use by any other program or service Specifying a directory for local file scanning You only need to provide a local scan directory when you are using local file scanning options and y
21. Engine has been Message body text for the Symantec manually shut down AntiVirus Scan Engine Shutdown Alert 1014 Scan Engine Virus Definition Subject of the Symantec AntiVirus Scan Update Alert Engine Virus Definition Update Alert 1015 The Scan Engine has updated its Message body text for the Symantec virus definitions AntiVirus Scan Engine Virus Definition Update Alert 1016 Scan Engine Queue Overflow Subject of the Symantec AntiVirus Scan Engine Load Exceeded Alert 1017 The Scan Engine queue is Message body text for the Symantec backing up due to a large number AntiVirus Scan Engine Load Exceeded of requests Alert 1018 Scan Engine Virus Definition Subject of the Symantec AntiVirus Scan Error Alert Engine Virus Definition Error Alert which is issued when an error occurs in updating the virus definitions and scanning is disabled 1019 There was an error loading Message body text for the Symantec finding the Scan Engine virus AntiVirus Scan Engine Virus Definition definitions All scanning willbe Update Error Alert which is issued when disabled an error occurs in updating the virus definitions and scanning is disabled Table 9 1 Message string definitions Customizing log entries About the 1000 series message strings 1020 Scan Engine Virus Definitions Subject of the Symantec AntiVirus Scan Update Failure Alert Engine Virus Definitions Update Failure Alert which is issued when an error occurs in upd
22. Java 2 run time environment version 1 4 or later installed for Web based administration Note The Web browser can be installed on any computer on your network that can access the server that is running the Symantec AntiVirus Scan Engine Preparing for installation Before installing the Symantec AntiVirus Scan Engine consider the following If you are upgrading from version 4 0 X or later of the Symantec AntiVirus Scan Engine you can install the upgrade over the existing installation without first uninstalling the previous version If you are upgrading from an earlier version of the Symantec AntiVirus Scan Engine or Symantec CarrierScan Server you must uninstall the previous version first Another antivirus product should be run to protect the server that is running the Symantec AntiVirus Scan Engine Upgrading from a previous version The Symantec AntiVirus Scan Engine version 4 3 installer checks to see which version if any of the scan engine is already installed then does the following If no previous version of the scan engine is detected a full installation is performed If an earlier version any version earlier than 4 0 X is detected you are directed to first uninstall the previous version and the installation is cancelled To uninstall earlier versions of the Symantec AntiVirus Scan Engine or CarrierScan Server see the documentation for that product If an upgrade is possible no option is presented at
23. Policy On the AntiVirus tab under Heuristic scanning select the Bloodhound sensitivity level The default Bloodhound sensitivity setting is Medium You can select from low to high sensitivity or you can turn off heuristic detection Click Confirm Changes to save the configuration Do one of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted 90 Setting scanning and blocking policies Configuring antivirus settings Specifying file types to scan You can control which file types are scanned by specifying extensions that you do not want to scan using an exclusion list or by specifying extensions that you want to scan using an inclusion list or you can scan all file types regardless of extension Inclusion and exclusion lists by definition do not scan all file types thus new types of viruses might not always be detected Scanning all files regardless of extension is the most secure setting but imposes the heaviest demand on resources Note During virus outbreaks you might want to scan all files even if you normally contro
24. Red Hat Linux and Microsoft Windows 2000 Server and Windows Server 2003 platforms Because the scan engine can run ona separate computer on the network it can easily be deployed in any environment that is running any set of platforms If you want to use ICAP version 1 0 to do your own integration a client side API can be used to add virus scanning to any C or C application To make integration with some third party applications convenient and easy Symantec also provides a number of connectors for the Symantec AntiVirus Scan Engine Billing support The Symantec AntiVirus Scan Engine maintains bandwidth utilization statistics and file scanning statistics to facilitate different billing schemes What s new in version 4 3 The Symantec AntiVirus Scan Engine version 4 3 includes the following new features New client side API using ICAP version 1 0 The underlying protocol in the Symantec AntiVirus Scan Engine client side API is now ICAP 1 0 If you have purchased the Symantec AntiVirus Scan Engine software development kit the client side API can be used to add virus scanning to any C or C application Command line scanner The Symantec AntiVirus Scan Engine now includes a command line scanner which is a multi platform utility that lets you send files to be scanned for viruses via the command line You can repair infected files and delete those that are unrepairable 18 Introducing the Symantec AntiVirus Scan Engine
25. SESA Note You can register only one product at a time If you are installing the Agent to work with more than one Symantec product you must run the installer again for each product Select the location in which to install the local SESA Agent then click Next The default location is opt Symantec SESA Type the IP address or host name of the computer on which the primary SESA Manager is running If SESA is configured to use Anonymous SSL the default setting type the IP address of the primary SESA Manager If SESA is configured to use Authenticated SSL type the host name of the primary SESA Manager for example computer company com Type the port number on which the SESA Manager listens The default port number is 443 If you are running a Secondary SESA Manager that is to receive events from the scan engine do the following m Type the IP address or host name of the computer on which the Secondary SESA Manager is running m Type the port number on which the Secondary SESA Manager listens The default port number is 443 160 Integrating the Symantec AntiVirus Scan Engine with SESA Configuring logging to SESA 11 Type the organizational unit distinguished name to which the Agent will belong If the organizational unit is unknown or not yet configured this setting can be left blank Use the format shown in the example ou Europe ou Locations dc SES o symc_ses The domain s dc portion of the path should correspo
26. SESA Logging level None X SESA agent IP address 127 0 0 1 Port 8086 Logging properties Path and filename for message string file C Program Files Symantec Sca Alert bind address Help Confirm Changes 2 Onthe Logging tab under Log SNMP select the SNMP logging level from the SNMP Logging level list SNMP logging is not activated by default the SNMP logging level is set to None The Verbose logging level is not available for SNMP logging See Logging levels on page 109 3 Inthe Primary server IP address box type the IP address of the primary SNMP console to receive log messages SNMP console to receive log messages if one is available In the Secondary server IP address box type the IP address of a secondary 119 120 Configuring and using logging Activating SNMP and SMTP logging 5 Inthe SNMP Community box type the SNMP community string The default setting is public 6 Click Confirm Changes to save the configuration 7 Doone of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted Activating SMTP
27. SMTP log message The alert bind address of the originating scan engine is appended to all SNMP and SMTP log messages as a means of identification To specify an alert bind address for SNMP and SMTP logging At AlertBindAddress type a bind address to identify the computer on which the Symantec AntiVirus Scan Engine is running Changing the administration settings via the configuration file You can configure settings for the Symantec AntiVirus Scan Engine administrative interface and the virtual administrator account See Changing the administration settings on page 45 Editing the configuration file 193 Configuration options Specify a bind address and port number for the administrative interface The administrative interface binds to an IP address and port number By default this Web interface binds to all interfaces You can restrict access to a specific interface by entering the appropriate bind address The default port number is 8004 To specify a bind address and port number for the administrative interface 1 At AdminBindAddress type the IP address on which the Web interface listens 2 At AdminPort replace the existing port number with the new number If you change the port number use a number that is greater than 1024 that is not in use by any other program or service If the port number is not set the interface is not enabled Clearing the password for the administrator account The Symantec AntiVi
28. Scan Engine to pass files to the Central Quarantine This setting must match the port number that is selected at installation for the Symantec Quarantine Server Changing resource allocation via the configuration file You can change basic configuration options for the operation of the Symantec AntiVirus Scan Engine See Allocating resources on page 77 Changing the temp directory location The Symantec AntiVirus Scan Engine must store files in a temporary directory for virus scanning To support sites with large specialized disk configuration the location of this temporary directory can be specified The default temporary directory for Linux and Solaris is tmp navtemp The default temporary directory for Windows 2000 Server Server 2003 is determined at installation To specify a different location for the temporary directory At TempDir replace the existing path with the new path Editing the configuration file Configuration options Controlling the dynamic thread pool The pool of scanning threads that is available to the Symantec AntiVirus Scan Engine for antivirus scanning dynamically adjusts to the load being processed You can change several parameters to control the dynamic thread pool Note To disable dynamic thread pool management and use a fixed thread pool size use the desired number of scanning threads for the fixed thread pool for both the MinThreads and MaxThreads parameters Use the same number for bot
29. Table 11 3 Supported options for the command line scanner server Specify one or more scan engines for scanning files Separate multiple entries with a semicolon If you do not specify a scan engine the server option defaults to the local host that is listening on the default port The format for each scan engine is lt IPaddress port gt where IPaddress is the DNS name or IP address of the computer on which the scan engine is running and port is the port number on which the scan engine listens Note When more than one scan engine is specified the load balancing and failover features of the API are activated automatically See Specifying the scan engine IP address and port on page 170 mode Optionally override the default antivirus scanning mode If you do not specify a scanning mode the scan policy defaults to scanrepairdelete the repair of infected files is attempted and files that cannot be repaired are deleted This is the recommended setting If you do not want to use the default antivirus scanning mode you can specify one of the following m scan Files are scanned but no repair is attempted Infected files are not deleted m scanrepair The repair of infected files is attempted Files that cannot be repaired are not deleted See Specifying the antivirus scanning mode on page 171 verbose Report detailed information on the file that is scanned When this option is used a line of output is pr
30. Table 9 2 Default message text for MIME encoded messages on page 146 m 4000 series Message strings that are numbered in this manner are used to build other log entries See Table 9 4 Default log text on page 149 Editing the message string file Unless you have changed the location and file name of this file the default location for Solaris and Linux is opt SYMCScan etc symcsmsg dat For Windows 2000 Server Server 2003 the default location is C Program Files Symantec Scan Engine symcsmg dat To edit the Symantec AntiVirus Scan Engine message string file 1 Locate the Symantec AntiVirus Scan Engine message string file and open it with a text editor 2 Make your changes to the file 3 Save the changes to the file 4 Stop and restart the Symantec AntiVirus Scan Engine Preserving customized text during an upgrade You can upgrade the Symantec AntiVirus Scan Engine from 4 0 X or later without first uninstalling the previous version Installing the upgrade over the existing installation preserves any customizations that you have made to the message string file symcsmsg dat Changes that occur to the message string file as a result of an upgrade are handled in the following manner m New message strings that are specific to the upgrade those with new message ID numbers are appended to the message string file m If an existing message string one with an existing message ID has been changed as part of the upgr
31. Where to start Upgrade installation support You now can install an upgrade to the Symantec AntiVirus Scan Engine over an existing installation without first uninstalling the previous version Any configuration changes and customizations that have been made are preserved during the upgrade Upgraded logging features Logging for each logging destination is activated individually by selecting a desired logging level for that destination Selecting the logging level lets you choose the types of events for which log messages are separated You can select a different logging level for each logging destination Dynamic thread pool for antivirus scanning The pool of scanning threads that is available to the Symantec AntiVirus Scan Engine for antivirus scanning now dynamically adjusts to the load that is being processed to measure system resources You can change a number of parameters to control the dynamic thread pool Data trickle user comforting for ICAP This feature prevents a user who downloads a large file from the Internet from receiving a session time out error by trickling small amounts of the file to the user while the file is being scanned POST transaction antivirus scanning for ICAP 1 0 The Symantec AntiVirus Scan Engine now scans files that are being posted to the Internet The antivirus scanning and logging policies that are configured on the scan engine now also apply to POST transactions as well Client identification loggin
32. encoded file types that might be passed to the Symantec AntiVirus Scan Engine for scanning When a mail filter policy is in effect the mail filter settings including the updating of mail messages to indicate that a virus has been found are applied only to MIME encoded messages Note The mail filter policy settings are not available if you are using RPC If you are using ICAP the mail filter policy settings do not apply if you have selected Scan only as the scan policy If you are using the native protocol the mail policy settings do not apply when AVSCAN is the scan policy See Mail filter policy settings on page 94 You can add text to the body of MIME encoded messages to warn recipients that a virus was found in an attachment or that an attachment was deleted because it violated the mail filter policy The default text indicates that an attachment was infected and repaired or deleted because it could not be repaired or that an attachment was deleted due to a mail policy violation Variables can be used to include the file names of the affected attachments You can customize the text that is added by editing the Symantec AntiVirus Scan Engine message string file symcsmsg dat See Inserting text into MIME encoded messages on page 104 Mail filter policy settings You can use the mail policy settings to impose general restrictions on email You can also use some mail filters during a virus outbreak to further protect
33. for general purpose Web servers Unless you have a compelling reason to do otherwise use the default setting 8004 If you select a port number other than the default do not forget which port number you chose Note The built in HTTP server port number differs from the port number on which the Symantec AntiVirus Scan Engine listens for client applications to pass files for scanning This port number is exclusive to the Symantec AntiVirus Scan Engine administrative interface Virtual administrator account password A virtual administrative account is created at installation You are also prompted to provide a password for this account during installation Do not forget the password for this account because the virtual administrative account is the only account that you can use to manage the Symantec AntiVirus Scan Engine You can change the password via the administrative interface but you must have the old password to change it Symantec AntiVirus Scan Engine administration 41 Accessing the administrative interface Accessing the administrative interface The administrative interface is accessed using a suitable Web browser When you log on to the administrative interface the password for the virtual administrative account is unencrypted For security reasons you should access the administrative interface using a switch or via a secure segment of the network Warning Although it is possible for multiple administrative inte
34. in the left pane click Blocking Policy On the AntiVirus tab under File types to be scanned click Scan files with the following extensions Edit the inclusion list to add extensions that you want to scan or delete extensions that you do not want to scan The inclusion list is blank by default Use a period with each extension in the list Separate each extension with a semicolon for example com doc bat To scan files that have no extensions use two adjacent semicolons for example com exe Click Confirm Changes to save the configuration Do one of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted 94 Setting scanning and blocking policies Establishing a mail filter policy Establishing a mail filter policy If the Symantec AntiVirus Scan Engine is providing scanning services for email client applications you can establish a mail policy to filter mail and mail attachments based on a number of attributes These mail policy settings are applied to all MIME encoded messages Mail policy settings do not affect nonMIME
35. information To activate SNMP logging you must select the logging level and provide the SNMP community string and the IP address for a primary SNMP console for receiving the log messages A second SNMP console can be identified if one is available Log messages are sent to both the primary and secondary SNMP consoles in all cases See Activating SNMP logging on page 118 118 Configuring and using logging Activating SNMP and SMTP logging To activate SMTP logging you must select the logging level and identify a primary SMTP server for forwarding the log messages You must also specify the email addresses of the recipients and the local domain for the Symantec AntiVirus Scan Engine A second SMTP server also can be identified if one is available See Activating SMTP logging on page 120 If you have activated SNMP or SMTP logging and are running multiple Symantec AntiVirus Scan Engines you also may need to set an alert bind address for each scan engine so that you can identify the originating scan engine for each SNMP and SMTP log message See Specifying the alert bind address on page 122 Activating SNMP logging To activate SNMP logging you must provide the SNMP community string and an IP address for a primary SNMP console for receiving the log messages You can specify a second SNMP console if one is available Log messages are sent to both the primary and secondary SNMP consoles in all cases If you need th
36. logging To activate SMTP logging you must identify a primary SMTP server for forwarding log messages You must also specify the email addresses of the recipients and the local domain for the Symantec AntiVirus Scan Engine You also can specify a second SMTP server if one is available You must select the types of events for which SMTP log messages will be generated See Logging levels on page 109 Configuring and using logging Activating SNMP and SMTP logging To activate SMTP logging for the Symantec AntiVirus Scan Engine 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Configuration Protocol Resources Logging Admin Log file location Local Logging level None Log file path location le Program Files Symantec Scan Engine Log Windows Windows Logging level Waming z Log SMTP SMTP Lagging level None gt Primary server IP address i Secondary server IP address sid SMTP Domain Recipient email addresses Enter one or more addresses Separated by a comma or space gt Log SNMP SNMP Logging level None z Primary server IP address Co i Secondary server IP address ss SNMP Community founic Symantec Enterprise Security Architecture Ifyou are using the Symantec Enterprise Security Architecture SESA for centralized logging and reporting you can configure SAVSE to forward virus events to SESA through an agent that runs on the SAVSE server
37. may go to www symantec com techsupp ent enterprise html select the product that you wish to register and from the Product Home Page select the Licensing and Registration link Contacting Technical Support Customers with a current support agreement may contact the Technical Support group via phone or online at www symantec com techsupp Customers with Platinum support agreements may contact Platinum Technical Support via the Platinum Web site at www secure symantec com platinum When contacting the Technical Support group please have the following Customer Service Product release level Hardware information Available memory disk space NIC information Operating system Version and patch level Network topology Router gateway and IP address information Problem description m Error messages log files m Troubleshooting performed prior to contacting Symantec m Recent software configuration changes and or network changes To contact Enterprise Customer Service online go to www symantec com select the appropriate Global Site for your country then choose Service and Support Customer Service is available to assist with the following types of issues Questions regarding product licensing or serialization Product registration updates such as address or name changes General product information features language availability local dealers Latest information on product updates and upgrades Information on upgrade insuranc
38. midi mov mo vie mp2 mp3 mpe mpeg mpg mpga pbm pcx pdf pgm png pnm ppm ps qt ra ram Restore default lists Alltop level files sent to Symantec AntiVirus Scan Engine are scanned regardless of file extension These extension lists apply to files that are embedded in container files Help Confirm Changes Edit the exclusion list to add extensions that you do not want to scan or delete extensions that you want to scan Use a period with each extension in the list Separate each extension with a semicolon for example com doc bat To exclude files with no extension use two adjacent semicolons for example com exe To restore the default extension list click Restore default lists Click Confirm Changes to save the configuration 6 Setting scanning and blocking policies 93 Configuring antivirus settings Do one of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted To scan only files with extensions that are in the inclusion list 1 On the Symantec AntiVirus Scan Engine administrative interface
39. no extension use two adjacent semicolons for example com exe Editing the configuration file 197 Configuration options To scan all files except those with extensions that are in the exclusion list 1 At ExtensionPolicy type 2 2 Edit the ExclusionList to add extensions that you do not want to scan or delete extensions that you want to scan Use a period with each extension in the list Separate each extension with a semicolon for example com doc bat To exclude files that have no extension use two adjacent semicolons for example com exe Specifying whether to scan top level files The Symantec AntiVirus Scan Engine is configured by default to scan all top level files In limited circumstances you can choose to open top level files as container files without scanning and scan only the contents of the file Warning This setting should only be changed from the default setting when the Symantec AntiVirus Scan Engine is providing virus scan and repair services in an email only environment that is no other types of files are being scanned You can safely bypass scanning of the top level file in an email environment because the top level file is a container file that is not subject to virus infection Not scanning top level files when other types of files are being scanned can leave your network vulnerable to virus attack To specify whether to scan top level files At ScanTopLevel type one of the followi
40. number of requests exceeded queued requests is exceeded for the scan engine Log entries are generated based on the selected alert interval Virus definitions rollback Logs all instances in which the scan engine was able to revert to the previous virus definitions after a virus definitions update failure Processing violation Logs all processing violations for scanned container files See Specifying limits for container files on page 85 Mail policy violation Logs all mail policy violations for scanned files Server start Logs all instances of scan engine startup Server stop Logs all instances of scan engine shutdown Virus definition update Logs all instances of scan engine virus definitions updates Log all files scanned Logs all files scanned Note This logging event is only available at the Verbose logging level The Verbose logging level should be selected only for debugging purposes Activating this logging level for general logging purposes degrades performance significantly Configuring local logging You can change the types of events that are logged to the local logs and change the locations of key logging files You can do any of the following m Change the local logging level The default logging destination for Solaris and Linux is the local logs You can select the types of scan engine events that are logged to the local logs by changing the local logging level The default logging
41. of the following using the mode option m scan Files are scanned but no repair is attempted Infected files are not deleted m scanrepair The repair of infected files is attempted Files that cannot be repaired are not deleted For example savsecls server 192 168 0 100 1344 mode scanrepair c temp 172 Using the Symantec AntiVirus Scan Engine command line scanner Command line scanner syntax and usage When files are sent to the scan engine for scanning via the command line scanner the command line scanning mode always overrides the scan policy configuration on the Symantec AntiVirus Scan Engine this includes scanning of files that are embedded in container files If you do not specify a scanning mode using the mode option the default setting scanrepairdelete applies Obtaining detailed scanning results Several options let you obtain detailed information regarding a scan Note If you are using pipe mode to send a file for scanning via the command line these options are not available Using the verbose option The verbose option lets you obtain more detailed information on each file that is scanned For example savsecls server 192 168 0 100 1344 verbose c work filea c work fileb c work filec c work filed When this option is used a line of output is printed to STDOUT for each file The information includes the name of the file that was scanned and the result of the scan including the final disp
42. or C application 60 Configuring the Symantec AntiVirus Scan Engine Configuring ICAP How the scan engine works with ICAP Multiple client applications that use different versions of ICAP either version 0 95 or 1 0 can be configured to pass files to a single Symantec AntiVirus Scan Engine When ICAP is used as the communication protocol for the scan engine the scan engine determines the appropriate version of ICAP to use based on the header data that is passed in with each scan request from the client application The manner in which the Symantec AntiVirus Scan Engine determines whether to scan a file differs depending on which version of ICAP is used When ICAP 0 95 is the communication protocol each time the Symantec AntiVirus Scan Engine is contacted by an ICAP client to scan a file a small amount of file data is transferred to the Symantec AntiVirus Scan Engine This data contains the file name the HTTP header and the first few bytes of the file to be scanned The scan engine examines this data to determine whether to scan the file If the file type is one that the scan engine is configured to scan the scan engine requests the remainder of the file from the client and scans it If the scan engine is not configured to scan the file extension or does not recognize the file extension the scan engine examines the first few bytes of the file s contents to determine whether the file could contain a virus Based on this examination t
43. or delete files you must have permission to modify or delete files as well as access to the directory in which the files are located The Symantec AntiVirus Scan Engine has been tested on the following platforms m Windows 2000 Server and Windows Server 2003 m Solaris 7 or later m Red Hat Linux version 7 3 or later Note To use the command line scanner you must select ICAP as the communication protocol for the Symantec AntiVirus Scan Engine If you are sending files from the same computer on which the Symantec AntiVirus Scan Engine is running you do not need to install any additional files for the command line scanner The appropriate files are installed automatically during the installation of the scan engine If you plan to submit files for scanning from a different computer using the command line scanner you must copy certain files to an appropriate directory on each computer from which you plan to submit files to the scan engine Using the Symantec AntiVirus Scan Engine command line scanner 167 Command line scanner syntax and usage You can obtain the files from the following locations m Inthe Symantec AntiVirus Scan Engine distribution package in the top level Command_Line_Scanner directory m Onthe computer on which the Symantec AntiVirus Scan Engine is installed in the Symantec AntiVirus Scan Engine installation directory in the savsecls subdirectory Note The savsecls files are further organized into
44. or later of the Symantec AntiVirus Scan Engine that is running on Windows 2000 Server Server 2003 Solaris or Linux platforms The command line scanner acts as a client to the Symantec AntiVirus Scan Engine through the scan engine application programming interface API which uses version 1 0 of the Internet Content Adaptation Protocol ICAP presented in RFC 3507 April 2003 The command line scanner lets you send files to the Symantec AntiVirus Scan Engine to be scanned for viruses The command line scanner also lets you do the following m Repair infected files and delete those that are unrepairable m Recurse subdirectories for scanning multiple files Output information on command line scanner and scan engine operation 166 Using the Symantec AntiVirus Scan Engine command line scanner Setting up a computer to submit files for scanning Setting up a computer to submit files for scanning You can send files to the Symantec AntiVirus Scan Engine via the command line from the computer on which the Symantec AntiVirus Scan Engine is running or from a different computer You can send files from a computer with a different operating system than the computer on which the scan engine is installed Note Because files are sent to the Symantec AntiVirus Scan Engine for scanning you can only specify files or directories for which you have appropriate permissions To send files you must have read access to the files To repair replace
45. subdirectories by operating system Use the files for the operating system of the computer from which you plan to submit files for scanning To set up a computer to submit files for scanning 1 Copy the entire contents of the directory for the appropriate operating system 2 On the computer from which you plan to submit files for scanning place the files in a directory location that is in the command prompt path Command line scanner syntax and usage The command line scanner uses the following general syntax savsecls options lt path gt lt path gt Specifying what to scan The lt path gt parameter lets you specify one or more files or directories to scan separated by spaces Use the absolute or relative path If the specified path is to a file the file is scanned If the path is to a directory all of the files in the directory are scanned Note Do not use a path with symbolic linking The scan engine will not follow a symbolic link to a file You can specify any combination of files and directories Separate multiple entries with a space For example savsecls options lt pathtofile1 gt lt pathtofile2 gt lt pathtofile3 gt 168 Using the Symantec AntiVirus Scan Engine command line scanner Command line scanner syntax and usage You can specify any mounted file system mount point or mapped drive For example C Work Scantest exe tim export home For both Windows and UNIX follow the ru
46. the password that you will use to access the Symantec AntiVirus Scan Engine administrative interface The utility returns an encrypted string 3 Save the entire encrypted string that is returned by the GenEncryptPW utility Initiating the silent installation using the response file The procedures for initiating the silent installation differ for Windows 2000 Server Server 2003 Solaris and Linux The silent installation on Solaris and Linux initiates automatically if the installer finds the response file in the correct location The existence of the no ask questions file in the tmp directory tells the installer to perform a silent installation using the input values that are contained in the file Before you begin the installation ensure that the appropriate response file titled no ask questions is located in the tmp directory To initiate a silent installation on Windows 2000 Server Server 2003 you must run the installation program using the s switch to read the response file The installation proceeds silently using the input values that are contained in the response file Note If you initiate a Symantec AntiVirus Scan Engine silent installation in which RPC is the selected communication protocol Windows 2000 Server Server 2003 only the RPC password that you enter is stored in the response file unencrypted Protect the response file accordingly to prevent the password from being compromised 214 Using the sil
47. the scan engine service now Click Save No Restart to save your changes Changes will not take effect until the service is restarted 48 Symantec AntiVirus Scan Engine administration Changing the administration settings Activating product licenses This chapter includes the following topics m About licensing m Activating a license m Checking the license status About licensing Key features for the Symantec AntiVirus Scan Engine including antivirus scanning functionality and virus definitions updates are activated by license Licenses are initially installed following product installation through the Symantec AntiVirus Scan Engine administrative interface When a license expires for example when a virus definitions update subscription expires a new license must be installed to renew the subscription When no license is installed limited functionality is available A license affects the relevant behavior only For example when no antivirus scanning license is installed an administrator can access the administrative interface to view and modify settings and run reports but no antivirus scanning is performed When no virus definitions update license is installed new virus definitions updates are not downloaded to keep protection current See Activating a license on page 51 50 Activating product licenses About licensing License warning and grace periods When a license is within 30 days of the expiratio
48. to SMTP and SNMP logging destinations even if SNMP or SMTP logging is active at this logging level m Mail policy violation Entries for this event are not logged to SMTP and SNMP logging destinations even if SNMP or SMTP logging is active at this logging level Information All events logged at the Error logging level All events logged at the Warning logging level Server start Server stop Virus definitions update success Verbose All events logged at the Error logging level All events logged at the Warning logging level All events logged at the Information logging level All files scanned Note The Verbose logging level is not available for SMTP SNMP and SESA logging Note The Verbose logging level should be selected only for debugging purposes Activating this logging level for general logging degrades performance significantly Configuring and using logging About Symantec AntiVirus Scan Engine logging Table 7 2 describes each individual logging event Table 7 2 Logging events Server crash Logs all instances of scan engine crashes Virus definition update error Logs all errors that occur in virus definitions updates License expired Logs each 24 hour period following a Symantec AntiVirus Scan Engine license expiration Note Log entries for an expired license are generated only during the grace period following the license expiration date If the grace period expires before the licens
49. trickle you should install an antivirus program such as Symantec AntiVirus Corporate Edition that provides real time virus scanning If the trickled data is infected the real time virus scanning feature will detect the virus immediately m For FTP downloads that use optimizers when a broken connection is detected the optimizer resumes the download from the point in which the disconnection occurred This results in downloading the remainder of the file and possibly reconstructing an infected file m ICAP requires that a return code message be included in the first line of the file header When data trickling begins ICAP return code 200 OK is embedded in the trickled data file Because the file has not been scanned this message might be inaccurate The trickled data file might contain a virus m When data trickling is enabled the ICAP scan policy is set to Scan only You cannot configure your scanning policy to repair or delete infected files when data trickle is enabled m The user receives no notification that the trickled data file is incomplete or infected Configuring RPC The Symantec AntiVirus Scan Engine can be configured to use RPC to interface with appropriate clients for Windows 2000 Server Server 2003 Any appropriate client application can use RPC to communicate with the Symantec AntiVirus Scan Engine and request the scanning and repairing of files How the scan engine works with RPC To use RPC the Symantec Ant
50. users that a virus was found You can configure the Symantec AntiVirus Scan Engine to notify the requesting user that the retrieval of a file from an RPC network attached storage client failed because a virus was found The notification message includes the date and time of the event the file name of the infected file the virus name and ID the manner in which the infected file was handled for example the file was repaired or deleted The notification message also includes information about the Symantec AntiVirus Scan Engine that detected the infection including the IP address and the port number and the date and revision number of the virus definitions that were used to detect the virus The user notification feature is only available when the requesting user s computer is a Windows computer and is in the same domain as the Symantec AntiVirus Scan Engine The Windows Messenger service must be running on the computer that is running the Symantec AntiVirus Scan Engine as well as on the user s computer If the notification information cannot be delivered to the requesting user a failure message is logged Configuring the Symantec AntiVirus Scan Engine Configuring RPC To notify requesting users that a virus was found 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Configuration 2 Onthe Logging tab under Log Windows Messenger check Enable Windows Messenger Logging User notification is d
51. will receive messages You do not have to specify a secondary SNMP console 3 AtSNMPCommunityString type the SNMP community string The default setting is public 192 Editing the configuration file Configuration options To configure SMTP logging via the configuration file 1 At SMTPPrimary type the IP address of the primary SMTP server that will forward log messages At SMTPSecondary type the IP address of a secondary SMTP server that will forward log messages if communication with the primary SMTP server fails You do not have to specify a secondary SMTP server At SMTPRecipList type the email addresses for the recipients of SMTP log messages Separate multiple addresses with a comma or space At SMTPDomaine type the local domain for the Symantec AntiVirus Scan Engine The domain name is added to the From field for SMTP log messages so that SMTP log messages that are generated by the Symantec AntiVirus Scan Engine originate from ScanServer lt servername gt lt domainname gt where lt servername gt is the name of the computer that is running the Symantec AntiVirus Scan Engine and lt domainname gt is the SMTPDomain that you supply here Specifying an alert bind address for SNMP and SMTP logging If you have activated SNMP or SMTP logging and are running multiple Symantec AntiVirus Scan Engines you can set an alert bind address for each scan engine to identify the originating scan engine for each SNMP and
52. your network For example once you have information on the characteristics of a new virus you can use this information to block the infected attachment or email You can use the file name or file size option if you know the exact name or size of an infected attachment This lets you protect your network immediately before virus definitions for the new virus have been posted Setting scanning and blocking policies 95 Establishing a mail filter policy You can filter mail based on the settings in Table 6 1 Table 6 1 Mail filter settings Total message size Specify a maximum size for messages so that messages that exceed the maximum mail size are rejected See Filtering mail by total message size on page 97 Subject line Specify one or more subject lines that are known to be threats so that messages with these subject lines are rejected See Filtering mail by subject line on page 97 Message origin Specify one or more domains or complete email addresses that are known to be threats so that messages from these domains are rejected See Filtering mail by message origin on page 99 Attachment file name Specify one or more file names that are known to be threats and select whether messages that contain attachments with these file names should be rejected or delivered with the attachment deleted See Filtering mail by attachment file name on page 100 Attachment file size Speci
53. 1 that were scanned for J each 30 minute period shown in chronological order Total Files Scanned Data Measured Time Range Total Files The total number of files that were scanned should not be interpreted strictly as a physical file count This total includes the number of files as well as additional objects within container files that were scanned Some containers such as MIME encoded messages and Microsoft Office documents have additional embedded objects that are not files but that can be scanned depending on the ExtensionList settings The total does not include objects within container files Reviewing scanning statistics from the command line 203 Interpreting getstat utility data that were not scanned because the object s extension did not match those in the ExtensionList setting For each 30 minute period in the specified date range the total number of files that were scanned and the average bits per second that were scanned for that 30 minute increment are reported The 30 minute time periods are reported in Greenwich Mean Time GMT 204 Reviewing scanning statistics from the command line Interpreting getstat utility data Appendix Return codes This chapter includes the following topics Native protocol return codes ICAP version 0 95 return codes CAP version 1 0 return codes RPC return codes Native protocol return codes The following return codes are generated for the native protocol
54. 2 At MaxThreads type the maximum number of scanning threads to be created regardless of load The default setting and the maximum recommended value is 128 Do not use a value that is smaller than the value entered for the MinThreads parameter 3 At GrowThreadCount type the number of scanning threads to add when the load that is being processed cannot be handled by the existing threads The default setting is 4 Use a value that is larger than the ShrinkThreadCount value Do not use a value that is close to the MaxThreads value Reasonable values are in the range of 2 to 32 4 At ShrinkThreadCount type the number of scanning threads to remove when more threads are running than are needed The default setting is 2 Use a value that is smaller than the GrowThreadCount value Editing the configuration file 187 Configuration options 5 At BusyRequestCount type the number of queued requests waiting to be processed by scanning threads that will trigger the creation of more scanning threads The default setting is 4 Do not use a value that is less than 2 This value must be less than the LoadMaximumQueuedClients value See Changing the threshold number of queued requests on page 187 6 At IdleThreadCount type the number of idle scanning threads that will trigger the removal of scanning threads The default setting is 4 7 At SecondsBetweenChecks type the number of seconds between evaluations of thread pool activity The def
55. 4000 series message strings Several variables can be used to customize the 2000 and 2001 message strings These variables are described in Table 9 3 Table 9 3 Variables for customizing message strings N Moves to the next line text only lt br gt Moves to the next line HTML only R Displays a list of all of the infected attachments that have been repaired for a message D Displays a list of all of the infected attachments that have been deleted for a message because they could not be repaired I Displays a list of all of the infected attachments that were identified for a message whether they were deleted or repaired P Displays a list of all of the attachments that were deleted for a message because of mail policy violations About the 4000 series message strings The 4000 series message strings are used in log entries when logging options are enabled These message strings are described in Table 9 4 Table 9 4 Default log text 4000 A mail policy violation has been A virus was detected or an detected lt filename virus name gt attachment or mail message was blocked because of a mail policy violation Appropriate logging must be enabled 4001 A file has been received and scanned A file was scanned lt filename gt The Verbose logging level must be selected to induce logging for every file that is scanned 4002 Error trying to send an SMTP SNMP Delivery of an SMTP SNMP or POPUP alert PO
56. 70 specifying the scanning mode 171 specifying what to scan 167 syntax and usage 167 configuration file configuration options 179 editing 177 updating during upgrade 178 container file limits specifying 84 D data trickle description 65 enabling 64 warnings and limitations 66 denial of service attacks protection against 84 dynamic thread pool configuring 185 configuring maximum number of threads 78 parameters 185 F file types specifying for scanning 90 filtering email blocking partial messages 103 by attachment file name 100 by attachment file size 102 by maximum mail size 97 by message origin 99 by subject 97 G getstat utility interpreting data 202 using 201 Index H HTML alerts customizing ICAP 151 ICAP access denied message customizing 151 configuration options 61 configuring 59 access denied message 61 bind address 61 data trickle 62 ICAP scan policy 62 port number 61 description 23 return codes 206 infected files disposing of 175 in memory file processing limits configuring 79 installing command line scanner 166 on Linux 35 on Solaris 35 on Windows 2000 Server Server 2003 33 preparing for 31 SESA Agent 156 SESA Integration Wizard 155 silent installation 209 upgrading from previous versions 31 L levels for logging 109 licensing activating license 51 checking license status 53 discussion 49 removing licenses 50 warning and grace periods 50 Linux installing 35 stopping and starti
57. D See Quarantining unrepairable infected files on page 74 If you change the protocol setting to RPC through the administrative interface rather than uninstalling and reinstalling the scan engine you might need to change the service startup properties to identify an account with sufficient permissions on which the Symantec AntiVirus Scan Engine will run You might also need to change the service startup properties if you edit the list of RPC clients See Editing the service startup properties on page 75 70 Configuring the Symantec AntiVirus Scan Engine Configuring RPC Configure RPC To configure RPC you must do the following Provide an IP address for each RPC client for which the Symantec AntiVirus Scan Engine will provide scanning services You can add or delete RPC clients from this list at any time Configure the additional RPC specific options To edit the list of RPC clients 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Configuration On the Protocol tab click RPC The configuration settings are displayed for the selected protocol To add an RPC client to the list of RPC clients do the following m Inthe IP address box type an IP address for an RPC client for which the Symantec AntiVirus Scan Engine will provide scanning services m Click Add The list of RPC clients updates to reflect your changes To delete an RPC client from the list of R
58. E Dd addressiesk Bind port 7777 Date of virus definitions rev no 2003 08 14 17 Datatime server startat Thu Sep 25 160734 2003 Server up time 0 Days O Hours 46 Minutes 41 Seconds License status Valid Command buttons Statistics since last restart or reset Total viruses fount 0 Total viruses repaired 0 Total requests 0 Total fies scanned 0 Total MB scanned 0 Reset Statutes Retesh Abou SAVSE Status The command buttons The command buttons in the left pane of the main administration page let you navigate to Symantec AntiVirus Scan Engine administrative functions Clicking a command button causes the tabs for that function to appear in the right pane of the browser window The command buttons let you access the features in Table 3 1 Table 3 1 Command button functions Status Lets you examine system metrics that have been calculated since the last restart To return to the main administration page from anywhere in the Symantec AntiVirus Scan Engine administrative interface on the Symantec AntiVirus Scan Engine administrative interface in the left pane click Status Configuration Lets you set up the Symantec AntiVirus Scan Engine for your network and configure the scan engine appropriately to provide scanning for client applications Blocking Policy Lets you specify what to scan and what to block and set limits to protect server resources Symantec AntiVirus Scan Engine ad
59. E Attempt to repair infected files and delete any unrepairable files from archive files At ICAPResponse type one of the following to specify the scan engine response when a file is blocked because it is unrepairable ICAP 1 0 only m 0 Send an ICAP 403 response m 1 Send a replacement file Depending on the ICAP 1 0 application for which the scan engine is providing scan and repair services you might need to adjust this setting The default setting is to send a replacement file the file specified for ICAPInfectionHTMLfile when a file is blocked because it is unrepairable However some ICAP 1 0 applications are configured to receive the ICAP 403 response instead 182 Editing the configuration file Configuration options 4 AtICAPPreviewAll type one of the following to indicate whether the scan engine should preview content m 0 Request content for only those files that are to be scanned based on the established configuration for which file types to scan m 1 Request preview content fixed preview size for all files including those not indicated for scanning based on the established configuration for which file types to scan This is the default setting to ensure that all file types that might contain viruses are scanned Configuring data trickle When a user attempts to download an extremely large or complex file from the Internet antivirus scanning can cause a delay during which the requesting browser and thus th
60. ESA Agent listens The default port is 8086 5 Click Confirm Changes to save the configuration 6 Doone of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost 162 Integrating the Symantec AntiVirus Scan Engine with SESA Scan engine events that are logged to SESA m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted Scan engine events that are logged to SESA You can choose a logging level to specify the types of events that are logged to SESA However for each logging level the events that are logged to SESA area subset of the events that are normally logged by the Symantec AntiVirus Scan Engine for that logging level When you activate logging to SESA only certain events are forwarded to SESA See Logging levels on page 109 No events are logged to SESA at the Error logging level Table 10 1 lists the Symantec AntiVirus Scan Engine events that are forwarded to SESA when the logging level is Warning Table 10 1 Events that are logged to SESA at the Warning logging level Infection found Logs all infections found in scanned files Table 10 2 lists the Symantec AntiVirus Scan
61. Engine events that are forwarded to SESA when the logging level is Information Table 10 2 Events that are logged to SESA at the Information logging level Infection found Logs all infections found in scanned files Server start Logs all instances of scan engine startup Server stop Logs all instances of scan engine shutdown Virus definition update Logs all instances of scan engine virus definitions updates Integrating the Symantec AntiVirus Scan Engine with SESA 163 Interpreting scan engine events in SESA Interpreting scan engine events in SESA SESA provides extensive event management capabilities SESA provides common logging of normalized event data for SESA enabled security products like the Symantec AntiVirus Scan Engine The event categories and classes include antivirus content filtering network security and systems management SESA also provides centralized reporting capabilities including graphical reports Currently the events forwarded to SESA by the Symantec AntiVirus Scan Engine take advantage of the existing SESA infrastructure for antivirus related events You can create alert notifications for certain events including those generated by the Symantec AntiVirus Scan Engine Notifications include pagers SNMP traps email and operating system event logs You can define the notification recipients day and time ranges when specific recipients are notified and custom data to accompany the notification messages
62. In the default configuration the Symantec AntiVirus Scan Engine implements a simple TCP IP protocol to provide antivirus functionality to client applications This protocol is text based like HTTP or SMTP and uses standard ASCII commands and responses to communicate between client and server To scan a file a client connects to IP port 7777 the default sends the file to be scanned and then reads the results of the scan After receiving the scan results the client and server disconnect and must initiate new connections to scan subsequent files See Configuring the Symantec AntiVirus Scan Engine native protocol on page 57 About the Internet Content Adaptation Protocol ICAP ICAP is a lightweight protocol for executing a remote procedure call on HTTP messages ICAP is part of an evolving architecture that lets corporations carriers and ISPs dynamically scan change and augment Web content as it flows through ICAP servers The protocol lets ICAP clients pass HTTP messages to ICAP servers for adaptation some sort of transformation or other processing such as virus scanning The server executes its transformation service on messages and responds to the client usually with modified messages The adapted messages may be either HTTP requests or HTTP responses In a typical integration a caching proxy server retrieves requested information from the Web At the same time it caches the information stores a copy on disk and wher
63. NG ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN NO CASE SHALL SYMANTEC S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE The disclaimers and limitations set forth above will apply regardless of whether You accept the Software 5 U S Government Restricted Rights RESTRICTED RIGHTS LEGEND All Symantec products and documentation are commercial in nature The software and software documentation are Commercial Items as that term is defined in 48 C F R section 2 101 consisting of Commercial Computer Software and Commercial Computer Software Documentation as such terms are defined in 48 C F R section 252 227 7014 a 5 and 48 C F R section 252 227 7014 a 1 and used in 48 C F R section 12 212 and 48 C F R section 227 7202 as applicable Consistent with 48 C F R section 12 212 48 C F R section 252 227 7015 48 C F R section 227 7202 through 227 7202 4 48 C F R section 52 227 14 and other relevant sections of the Code of Federal Regulations as applicable Symantec s computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users according to the terms and conditions contained in this license agreement Manufacturer is Symantec Corporation 20330 Stevens Creek Blvd Cupertino CA 95014 United S
64. PC clients do the following m Inthe list of RPC clients select the IP address of the RPC client to be deleted You can select more than one entry by pressing Enter and selecting the desired entries m Click Delete Click Confirm Changes to save the configuration Do one of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted Configuring the Symantec AntiVirus Scan Engine 71 Configuring RPC To configure additional RPC specific options 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Configuration 2 On the Protocol tab click RPC The configuration settings are displayed for the selected protocol Protocol Resources Logging Admin Select communication protocol C Native protocol C ICAP RPC RPC specific configuration RPC Clients list Edit RPC client list 10 113 8 102 IP address Add Delete Check RPC connection every 20 seconds Maximum number of reconnect attempts jo RPC scan policy Scan and repair or delete 7 l Quarantine unrepairable files Quaran
65. PUP log message failed for example if the SMTP server was unreachable 150 Customizing log entries About the 4000 series message strings Table 9 4 Default log text 4005 The Scan Engine was unable to notify the filer that the scan had completed after the maximum number of retries Filer at lt IPaddress gt The Symantec AntiVirus Scan Engine successfully completed a scan after the maximum number of retries but was unable to notify the RPC client 4010 was Used in message string 4012 to indicate that a file was infected but is no longer infected because it has been repaired 4011 Used in message string 4012 to indicate that a file was infected and is still infected because no repair has been attempted or it cannot be repaired 4012 File s s infected with virus s Used when an infection is found to indicate the name of the infected file whether the file was or is still infected and the virus name 4013 A license is about to expire Feature s expiration date s Used when a license is about to expire to indicate the feature activated by the license and the expiration date of the license 4014 A license has expired Feature s expiration date s Used when a license has expired to indicate the feature that is activated by the license and the expiration date of the license 4015 Container limit exceeded container depth Used when the specifi
66. Policy Block Attachment Name Text that replaces the lt virusname gt variable in message string 4000 when an attachment is deleted because it violates the mail policy that was established for attachment file names Table 9 2 2004 Customizing log entries About the 2000 series message strings Default message text for MIME encoded messages Mail Policy Block Attachment Size Text that replaces the lt virusname gt variable in message string 4000 when an attachment is deleted because it violates the mail policy that was established for attachment file size 2005 Mail Policy Block Message Size Text that replaces the lt virusname gt variable in message string 4000 when an email message is blocked because it violates the mail policy for message size 2006 Mail Policy Block Subject Block Text that replaces the lt virusname gt variable in message string 4000 when an email message is blocked because it violates the mail policy for subject lines 2007 Mail Policy Block Domain Block Text that replaces the lt virusname gt variable in message string 4000 when an email message is blocked because it violates the mail policy for message origin 2008 Mail Policy Block Partial Mime Block Text that replaces the lt virusname gt variable in message string 4000 when an email message is blocked because it violates the mail policy for partial MIME message content 2009
67. Server Server 2003 platforms See About Symantec AntiVirus Scan Engine deployment on page 20 Symantec provides connectors for some third party products for seamless integration with the Symantec AntiVirus Scan Engine See How the scan engine works with the client application on page 21 For custom integration using ICAP version 1 0 the Symantec AntiVirus Scan Engine features a client side API which streamlines the integration of antivirus scanning for any C or C application The Symantec AntiVirus Scan Engine API provides scheduling across any number of computers that are running the Symantec AntiVirus Scan Engine See About automatic load balancing on page 22 About Symantec AntiVirus Scan Engine deployment In a typical configuration files are passed to the Symantec AntiVirus Scan Engine via a socket over the network because the scan engine is running ona separate computer Depending on the network setup client applications applications that have been configured to pass files to the scan engine for scanning can pass a full path rather than the actual file to the Symantec AntiVirus Scan Engine For example files to be scanned may be located on a drive that can be mounted over the network such as a shared drive in Windows or a network file system NFS drive If the client application and the scan engine have access to a shared directory the client application can place the file in the shared directory and pass t
68. Statistics Summary Downloading log files Limit download to last 1 z megabytes Download format esv Download Logfile Clearing logs To clear logs _ Clear Logs tep 3 Inthe Download format list select one of the following m CSV You can open the text file directly or save the file to a specified location m Table The data displays in the browser window in an HTML table format Configuring and using logging 125 Obtaining summary data from the local logs 4 Click Download Logfile DATE Sample HTML table Fri Aug 15 output 16 48 08 2003 Fri Aug 15 6 48 07 2003 Fri Aug 15 6 48 07 2003 Fri Aug 15 16 48 07 2003 Fri Aug 15 6 48 07 2003 Fri Aug 15 6 48 07 2003 Fri Aug 15 16 48 06 2003 TYPE ACTION File world 707 com was infected with virus Another World 707 The infection has been found and repaired File vs8dumb 1 exe was infected with virus W95 Horn 1862 The infection has been found and the infected file has been deleted File vs7dumb3 exe was infected with virus Trojan Horse The infection has been found and the infected file has been deleted File vs7dumb 1 exe was infected with virus Trojan Horse The infection has been found and the infected file has been deleted File npad97 dot was infected with virus WM NPAD Variant The infection has been found and repaired File npad95 2 dot was infected with virus WM NPAD Variant The infection has been found and the infected file
69. Virus Scan Engine Configuring RPC To use the user notification feature the Windows Messenger service must be running on the computer that is running the Symantec AntiVirus Scan Engine as well as the user s computer See Notifying requesting users that a virus was found on page 72 RPC configuration options If you select RPC as the protocol to be used by the Symantec AntiVirus Scan Engine you must configure certain RPC specific settings The configuration options for RPC is described in Table 5 3 You must also configure the RPC client to work with the Symantec AntiVirus Scan Engine Table 5 3 Protocol specific options for RPC RPC client IP A single Symantec AntiVirus Scan Engine can support one or more addresses RPC clients Clients must be located in the same domain as the scan engine You must provide the IP address of each RPC client Check RPC The Symantec AntiVirus Scan Engine maintains a connection with connectionevery___ the RPC client The Symantec AntiVirus Scan Engine can be seconds configured to check the RPC connection with the client periodically to ensure that the connection is active The default value is 20 seconds Maximum number The Symantec AntiVirus Scan Engine can be configured to make a of reconnect specified number of attempts to reestablish a lost connection with attempts the RPC client If the maximum number of attempts is made to reestablish the connection with no reply from the clien
70. ade to the Symantec AntiVirus Scan Engine the existing message string is commented out in the message string file so that Customizing log entries 139 About the 1000 series message strings any customizations are preserved in the file The updated message is appended to the file but is not commented out m Ifyou have customized any message strings in the message string file you should edit the string file after installing the upgrade to reconcile the new text with your customized text About the 1000 series message strings In most cases you will not need to edit the message strings but you can customize log messages for the Symantec AntiVirus Scan Engine if necessary Double byte characters are supported for the scan engine message string text For each message string file entry the text that follows the space after the string number and before the can be edited Each string file entry that is used in generating Symantec AntiVirus Scan Engine log messages is described in Table 9 1 Table 9 1 Message string definitions 1001 Scan Engine IP The IP address of the Symantec address lt IPaddress gt AntiVirus Scan Engine that is the subject of the log message 1002 Scan Engine port The port number of the Symantec number lt portnumber gt AntiVirus Scan Engine that is the subject of the log message 1003 Scan Engine virus fingerprint The date on which the virus definitions date revision lt virus that are the subj
71. adjusted To change the Bloodhound sensitivity level At BloodhoundLevel type one of the following m 1 Low sensitivity m 2 Medium sensitivity m 3 High sensitivity m 0 Off Specifying which file types to scan Viruses are found only in file types that contain executable code Bandwidth and time can be saved by limiting the files to be scanned to only those file types that can contain viruses You can control which file types are scanned by specifying those extensions that you do not want to scan using an exclusion list or by specifying those extensions that you want to scan using an inclusion list or you can scan all file types regardless of extension Specify which file types to scan The default exclusion list is preconfigured to contain the file extensions for file types that are not likely to contain viruses but you can edit the default list The Symantec AntiVirus Scan Engine is configured by default to scan all file types except those that are contained in the exclusion list To scan all files regardless of extension At ExtensionPolicy type 0 To scan only files with extensions that are in the inclusion list 1 At ExtensionPolicy type 1 2 Edit the ExtensionList the inclusion list to add extensions that you want to scan or delete extensions that you do not want to scan Use a period with each extension in the list Separate each extension with a semicolon for example com doc bat To scan files that have
72. an change the location and file name of this file The message text can be customized by editing the string file To change the message string file location 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Configuration 2 Onthe Logging tab under Logging properties in the Path and filename for message string file box type a new path and file name The default location for Solaris and Linux is opt SYMCScan etc symcsmsg dat The default location for Windows 2000 Server Server 2003 is C Program Files Symantec Scan Engine symcsmg dat 3 Click Confirm Changes to save the configuration 4 Doone of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted Logging events to the Windows Application Event Log If you are running the Symantec AntiVirus Scan Engine on Windows 2000 Server Server 2003 the Application Event Log is the default logging destination You can change the types of events that are logged to the Application Event Log by selecting the appropriate Windows logging level The default log
73. an specify processing limits that apply to the following m Large container files The Symantec AntiVirus Scan Engine uses a decomposer to extract all of the embedded files from a container file scan all of the files and reassemble the container file once scanning is complete For particularly large container files this process can tie up a significant amount of resources You can set limits to control the resources expended on large container files See Specifying limits for container files on page 85 m All files Other types of limits can be applied to all files such as the maximum number of bytes to be read in determining whether a file is MIME encoded See Specifying processing limits that apply to all files on page 87 Setting scanning and blocking policies 85 Specifying processing limits Specifying limits for container files Certain container files specifically container files that are large that contain large numbers of embedded compressed files or that have been designed to maliciously use resources and degrade performance can cause a denial of service attack To protect against these types of files limits can be imposed on the Symantec AntiVirus Scan Engine decomposer for handling container files You can specify the following m The maximum amount of time in seconds that is spent decomposing a container file and its contents m The maximum file size in bytes for individual files in a container fi
74. arantine software and supporting documentation is included on the Symantec AntiVirus Scan Engine distribution CD For more information see the separate Symantec Central Quarantine document CentQuar pdf If you plan to quarantine infected files that cannot be repaired you must configure the Symantec AntiVirus Scan Engine to quarantine infected files and provide information for contacting the Symantec Quarantine Server Configuring the Symantec AntiVirus Scan Engine 75 Configuring RPC To quarantine unrepairable infected files 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Configuration On the Protocol tab under RPC specific configuration check Quarantine unrepairable files In the Quarantine Server box type the host name or the IP address for the computer on which the Symantec Quarantine Server is installed In the Quarantine Port box type the TCP IP port number to be used by the Symantec AntiVirus Scan Engine to pass files to the Central Quarantine This setting must match the port number that is selected at installation for the Symantec Quarantine Server Click Confirm Changes to save the configuration Do one of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be los
75. arks of Sun Microsystems Inc in the United States and other countries SPARC is a registered trademark of SPARC International Inc Products bearing SPARC trademarks are based on an architecture developed by Sun Microsystems Inc Microsoft ActiveX Windows Windows NT and the Windows Logo are registered trademarks of Microsoft Corporation in the United States and other countries Intel and Pentium are registered trademarks of Intel Corporation Red Hat is a registered trademark of Red Hat Software Inc in the United States and other countries Linux is a registered trademark of Linus Torvalds NetApp Data ONTAP NetCache Network Appliance and Web Filer are registered trademarks or trademarks of Network Appliance Inc in the United States and other countries Adobe Acrobat and Acrobat Reader are trademarks of Adobe Systems Incorporated THIS PRODUCT IS NOT ENDORSED OR SPONSORED BY ADOBE SYSTEMS INCORPORATED PUBLISHERS OF ADOBE ACROBAT Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged A modified version of a freeware SNMP library is used in this software This software is Copyright 1988 1989 by Carnegie Mellon University All Rights Reserved Permission to use copy modify and distribute this software and its documentation for any purpose and without fee is hereby granted provided that the above copyright notice appear in all co
76. at The default location for the file for Solaris and Linux is var log symcsbps dat The default location for Windows 2000 Server Server 2003 is C Program Files Symantec Scan Engine symcsbps dat If you specified a different directory for the log files the billing log file is located in that directory The Symantec AntiVirus Scan Engine maintains scanning statistics for the previous eight months To generate scanning statistics from the billing logs 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Reporting 2 Onthe Statistics tab type the start and end dates for the range on which you want to report Download Statistics Summary Enter start date 2 23 02 Enter end date 3 25 02 Generate Report Total files scanned 95th percentile kilobytes per second Day Date 30min start time Average KPS Files 3 Click Generate Report The data for the requested period displays in the browser window Configuring and using logging 129 Generating scanning statistics from the billing logs Interpreting scanning statistics Total number of files that were scanned for the reported period 95th percentile bandwidth measurement for the reported period The scanning statistics that are maintained by the Symantec AntiVirus Scan Engine support billing for antivirus scanning based on megabits per second per month and file based billing schemes You can examine these sca
77. ating the virus definitions but scanning continues using the previous virus definitions 1021 There was an error loading Message body text for the Symantec finding new Scan Engine virus AntiVirus Scan Engine Virus Definitions definitions Scanning will Update Failure Alert which is issued continue using the original when an error occurs in updating the definitions virus definitions but scanning continues using the previous virus definitions 1022 Scan Engine Virus Definitions Subject of the Symantec AntiVirus Scan Update and Rollback Failure Engine Virus Definitions Update and Alert Rollback Failure Alert which is issued when an error occurs in updating the virus definitions and rollback to previous virus definitions is unsuccessful 1023 There was an error loading Message body text for the Symantec finding new Scan Engine virus AntiVirus Scan Engine Virus Definitions definitions An attempt to roll Update and Rollback Failure Alert which back to the previous definitions is issued when an error occurs in has also failed All scanning will updating the virus definitions and be disabled rollback to previous virus definitions is unsuccessful 1024 Scan Engine Infection Found Subject of the Symantec AntiVirus Scan Alert Engine Infection Found Alert 1025 The Scan Engine has resumed Message body text for the log entry that scanning using its previous virus is issued when an error occurs in definitions updating the virus definitions which state
78. ation of the remote procedure call RPC protocol and the Internet Content Adaptation Protocol ICAP The Symantec AntiVirus Scan Engine software development kit SDK is available for custom integration You can create a custom integration via a client side application program interface API C library using version 1 0 of ICAP presented in RFC 3507 April 2003 Symantec also has developed connector code for some third party applications for seamless integration with the Symantec AntiVirus Scan Engine The Symantec AntiVirus Scan Engine solution The Symantec AntiVirus Scan Engine satisfies the following key needs of Internet infrastructure organizations m Scalability The Symantec AntiVirus Scan Engine can run on existing computers in your organization s infrastructure or on one or more separate computers on the network Additional computers that run the scan engine can easily be added at any time to handle increased loads The Symantec AntiVirus Scan Engine API provides automatic load balancing for multiple scan engines that are running on the network m Robustness If the scan engine goes down for any reason it automatically restarts making the Symantec AntiVirus Scan Engine ideal for Internet environments that are always on m Speed The Symantec AntiVirus Scan Engine uses the Symantec AntiVirus engine which is one of the fastest in the industry m Virus protection In addition to the virus protection capabilities available i
79. ault setting is 5 seconds Do not use a value that is less than 2 Changing the threshold number of queued requests When the number of queued requests to the Symantec AntiVirus Scan Engine exceeds the specified threshold the scan engine is at maximum load To change the threshold number of queued requests to the Symantec AntiVirus Scan Engine At LoadMaximumQueuedClients type the maximum number of queued requests The default setting is 100 Specifying an alert interval The alert interval is the number of minutes between log entries that are generated to indicate that maximum load has been exceeded To change the alert interval At LoadExceededAlertinterval replace the existing interval with the new interval The default setting is five minutes 188 Editing the configuration file Configuration options Changing the virus definition product name If you are running more than one scan engine on a single computer the product name must be unique for each service so that both scan engines receive updated virus definitions via LiveUpdate This option is applicable only if you are running the scan engine on Solaris or Linux To change the virus definition product name At DefinitionProductName type the new virus definition product name Limiting resources for in memory file processing You can limit the resources that are consumed for in memory file processing by specifying the maximum amount of RAM in bytes t
80. aw While Symantec continues to own the Software You will have certain rights to use the quantity of the Software for which You have paid the applicable license fees after Your acceptance of this license This license governs any releases revisions or enhancements to the Software that the Licensor may furnish to You Except as may be modified by an applicable Symantec license certificate license coupon or license key each a License Module that accompanies precedes or follows this license Your rights and obligations with respect to the use of licensed copies of this Software are as follows You may A use the Software in the manner described in the Software documentation and in accordance with the License Module If the Software is part of an offering containing multiple Software titles the aggregate number of copies You may use may not exceed the aggregate number of licenses indicated in the License Module as calculated by any combination of licensed Software titles in such offering Your License Module shall constitute proof of Your right to make such copies If no License Module accompanies precedes or follows this license You may make one copy of the Software You are authorized to use on a single machine B make one copy of the Software for archival purposes or copy the Software onto the hard disk of Your computer and retain the original for archival purposes C use the Software on a network or to protect a net
81. ax See Table IA 5 IL 6 25 IN 5 KS 4 9 LA 4 MA 5 MD 5 ME 6 MI 6 Shipping amp Handling 9 95 MN 6 5 MO 4 225 NC 6 NJ 6 NY 4 OH 5 OK 4 5 PA 6 SC TOTAL DUE 5 TN 6 TX 6 25 VA 4 5 WA 6 5 WI 5 Please add local sales tax as well as state sales tax in AZ CA FL GA MO NY OH OK SC TN TX WA WI FORM OF PAYMENT Check One ___ Check Payable to Symantec Amount Enclosed Visa Mastercard AMEX Credit Card Number Expires Name on Card please print Signature U S Dollars Payment must be made in U S dollars drawn on a U S bank MAIL YOUR CD REPLACEMENT ORDER TO Symantec Corporation Attention Order Processing 555 International Way Springfield OR 97477 800 441 7234 Please allow 2 3 weeks for delivery within the U S Symantec and Symantec AntiVirus are trademarks of Symantec Corporation Other brands and products are trademarks of their respective holder s 2003 Symantec Corporation All rights reserved Printed in the U S A symantec 220
82. canned should not be interpreted strictly as a physical file count This total includes the number of files as well as additional objects within container files that were scanned Some containers such as MIME encoded messages and Microsoft Office documents have additional embedded objects that are not files but that may be scanned depending on the files that you have selected for scanning the extension list settings The total does not include any objects within container files that were not scanned because the object s extension did not match those that were selected for scanning 130 Configuring and using logging Generating scanning statistics from the billing logs For each 30 minute period that is in the specified date range the total number of files that were scanned and the average KPS scanned for that 30 minute increment are reported The 30 minute time periods are reported in Greenwich Mean Time GMT Note The getstat utility reports the 95th percentile bandwidth measurement as a bits per second bps measurement rather than a kilobytes per second KPS measurement as through the interface For more information about how the 95th percentile measurement is calculated see Understanding the 95th percentile bandwidth measurement on page 130 Understanding the 95th percentile bandwidth measurement The 95th percentile bandwidth measurement is based on a bits per second bps measurement The Symantec AntiVirus Scan Eng
83. cccccscsscssssscscssssscscsssssessssseseees 29 SOLAL IS sieren re eA E TA savas sta E S 30 Red Hat Linux s2tcccscvses decectiezai a a RAE AEE 30 Preparing for installation 0 0 eccsessssssseseecseseseseseesessseseecseseseseseseeseneceseeseaees 31 Upgrading from a previous version ccccsssesssesesesesesesesesssssseceseseecsesens 31 Running other antivirus products on the Symantec AntiVirus Scan Engine Server prenon a A EAEE 33 Installing the Symantec AntiVirus Scan Engine s sssssssssesesesnesesesereseseeesese 33 Installing on Windows 2000 Server Server 20038 ccsssesssesesesssesesees 34 Installing on Solaris and Linux 0 ccc ceescssesesesceseseeceseseeeeseeeeseeeeeseeees 35 Stopping and restarting the Symantec AntiVirus Scan Engine service 37 Uninstalling the Symantec AntiVirus Scan Engine ececeseeeeeseeeeeees 38 10 Contents Chapter 3 Chapter 4 Chapter 5 Chapter 6 Symantec AntiVirus Scan Engine administration About the administrative interface Built in HTTP server 0 Virtual administrator account password Accessing the administrative interface cccceesssesesesesescsessesesesesesssesesesees About the main administration page ccccceccsesseceseeseceseeseseeeeeseeeteees Changing the administration settings 0 ccccssseseeeesesseeeseeeeeeseeeeseeeeees Activating product licenses About licensing meeen feeccsveitevsaene crass EE E R License warning an
84. ch scans the files for viruses and returns cleaned files if necessary Depending on the protocol that is used the Symantec AntiVirus Scan Engine can be configured to scan only certain file types that are passed to it by client applications In other cases the client application must decide what to scan and what to do with the results If you want to use ICAP to do your own integration a client side API can be used to add virus scanning to any C or C application To make integration with some third party applications convenient and easy Symantec also provides a 22 Introducing the Symantec AntiVirus Scan Engine About supported protocols number of connectors for the Symantec AntiVirus Scan Engine Other software companies may develop connectors for the Symantec AntiVirus Scan Engine to provide antivirus scanning for their own products If you have purchased the Symantec AntiVirus Scan Engine with a connector you may need to configure the Symantec AntiVirus Scan Engine to work with the connector You may need to configure the third party application to add virus scanning as well You will need the information that is contained in the Symantec AntiVirus Scan Engine Implementation Guide and any additional documentation that is included with the connector About automatic load balancing The Symantec AntiVirus Scan Engine API provides scheduling across any number of computers that are running the Symantec AntiVirus Scan Engine Client ap
85. cking policy to further limit the handling and scanning of certain files Files that meet the established criteria are blocked immediately which limits the resources that are expended by the Symantec AntiVirus Scan Engine For example you can specify a maximum file name length so that files that exceed the established limit are automatically rejected If the Symantec AntiVirus Scan Engine is providing scanning services for email client applications you can establish a mail policy to filter email and email 84 Setting scanning and blocking policies Specifying processing limits attachments based on a number of attributes The mail policy settings are applied to all MIME encoded messages and do not affect nonMIME encoded file types Note You can use some scanning and blocking policy settings during a virus outbreak to further protect your network Once you have information on the characteristics of a new virus you can use this information to block the infected attachment or email immediately before virus definitions for the new virus have been posted Or you can scan all file types rather than limiting the file types that are scanned for viruses for maximum coverage Specifying processing limits You can impose restrictions on the amount of resources that can be used to handle individual files These processing limits can be used to help you manage your resources and to protect your network against denial of service attacks You c
86. container file processing select one of the following to specify how the scan engine handles malformed container files m Allow access to all malformed containers m Deny access if container type cannot be identified This is the default setting m Deny access to all malformed containers Click Confirm Changes to save the configuration Do one of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted Specifying processing limits that apply to all files You can specify the following processing limits to apply to all files rather than just to container files The maximum file name length in bytes for a given file available for the native protocol only The maximum number of bytes that are read when determining whether a file is MIME encoded 88 Setting scanning and blocking policies Configuring antivirus settings To specify limits for all files 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Blocking Policy On the Limits tab under File name length limits in the File name length
87. d cannot be repaired Another World 707 The infection has been found and repaired Another World 707 The infection has been found and repaired Clicking a column heading sorts summary results alphabetically or by ascending or descending frequency of occurrence Generating scanning statistics from the billing logs The Symantec AntiVirus Scan Engine maintains scanning statistics to support billing for antivirus scanning that is based on megabits per second per month and file based billing schemes Each time that a file is scanned the Symantec AntiVirus Scan Engine submits scan statistics to an encrypted data file You can examine these scanning statistics If you bill customers based on bandwidth consumption you can use this bandwidth metering component to measure the number of megabits per second per month that are scanned by each Symantec AntiVirus Scan Engine The scan engine implements the 95th percentile bandwidth measurement scheme making it easy for you to add an additional charge for antivirus scanning to existing megabits per second per month based billing statements See Understanding the 95th percentile bandwidth measurement on page 130 128 Configuring and using logging Generating scanning statistics from the billing logs The Symantec AntiVirus Scan Engine also tracks each file that is scanned for file based billing schemes Billing information is logged to a billing log file symcsbps d
88. d grace periods Removing license files oo cescssssesssesecesesesesssesssssecescsesesesessessesseesecseseas Activating a license 2 ci eacesildeeciddwisacidiinanih addenda Checking the license Status cccccesesessssesesesseseseeceseeceseseeceseeeeseseeseseeeseseseeas Configuring the Symantec AntiVirus Scan Engine About configuring the Symantec AntiVirus Scan Engine ccceeeeees 55 Selecting the communication Protocol 0 cececesseseseseeseseecsceseeeeseeeeeeseeeesees 56 Configuring the Symantec AntiVirus Scan Engine native protocol 57 How the scan engine works with the native protocol ceceee 57 Native protocol configuration Options ccccccseseeeseseseesesesseesesesesesees 57 Configuring ICAP icra ae aE A A EEEE E eee eee 59 How the scan engine works with ICAP ssssssssssessssssesessssesesssrsesesresesesee 60 ICAP configuration Option Snos a e EEA 61 Enabling data trickle cccccceccesssesssssseseeceseseeseseeceseeeseseeeseseseeseeesseeseees 64 Configuring ra e ORAE OEA TAEAE T tates 66 How the scan engine works with RPC s ssssssessssssessssssssessssesessssrsesessesesesse 66 RPC configuration Options sse rE AE NA AA 68 Notifying requesting users that a virus was found ss ssssssessssssessseeseese 72 Quarantining unrepairable infected files 0 0 ceeseseseeeeeseseeteteeeeeees 74 Editing the service startup Properties 0 cccecesseseseeseceseeeeseteeeeseeeteee
89. d on the command line See Requesting recursive scanning on page 175 onerror Specify the disposition of a file that has been modified repaired by the scan engine when an error occurs in replacing the file The default setting is to delete the file You can specify one of the following m leave The original infected file is left in place m delete The original infected file is deleted even though the replacement data is unavailable See Disposing of infected files when an error occurs on page 175 Specifying the scan engine IP address and port The server option lets you specify one or more scan engines for scanning files If you do not specify a scan engine the server option defaults to the local host that is listening on the default port The format for each scan engine entry is lt I Paddress port gt where IPaddress is the DNS name or IP address of the computer on which the scan engine is running and port is the port number on which the scan engine listens You only Using the Symantec AntiVirus Scan Engine command line scanner 171 Command line scanner syntax and usage need to specify the port number if the scan engine is installed on a port other than the default The default port number for ICAP is 1344 For example savsecls server 192 168 0 100 c temp savsecls server 192 168 0 100 5555 c temp You can specify multiple scan engines Separate multiple entries with a semicolon For exam
90. determine which scan engine originated the log message when more than one is using the loopback Configuring and using logging 123 Managing the local logs interface You can set a unique alert bind address for each scan engine to provide a method for identifying each scan engine To specify the alert bind address 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Configuration 2 Onthe Logging tab under Logging properties in the Alert bind address box type a bind address to identify the computer on which the Symantec AntiVirus Scan Engine is running 3 Click Confirm Changes to save the configuration 4 Doone of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted Managing the local logs You can download the local log file in a selected format to a remote computer and save the data to a file or you can clear the local log file You can download the log file in a comma separated value CSV format for export to a file or in an HTML table format that displays in the browser window This le
91. e Configuring the scan engine to log events to SESA on page 161 Configuring SESA to recognize the Symantec AntiVirus Scan Engine To configure SESA to receive events from the Symantec AntiVirus Scan Engine run the SESA Integration Wizard that is specific to the Symantec AntiVirus Scan Engine on each computer that is running the SESA Manager The SESA Integration Wizard installs the appropriate integration components for identifying the Symantec AntiVirus Scan Engine to SESA You must run the SESA Integration Wizard for each SESA Manager computer to which you are forwarding events from the Symantec AntiVirus Scan Engine Each product that interfaces with SESA has a unique set of integration components The integration components for all products that interface with SESA are available when you purchase SESA and are not distributed with the individual security products Thus the SESA Integration component is not part of the Symantec AntiVirus Scan Engine software distribution package To configure SESA to recognize the Symantec AntiVirus Scan Engine 1 On the computer on which the SESA Manager is installed insert the Symantec AntiVirus Scan Engine distribution CD into the CD ROM drive 2 Atthe command prompt change directories on the CD to the Tools SESA_SIPI_Installers SAVSE Directory 3 At the command prompt type java jar setup jar The SESA Integration Wizard starts 4 Click Next until you see the SESA Domain Administrator Info
92. e SESA agent IP address 127 0 01 Port 8086 Logging properties Path and filename for message string file C Program Files SymanteciSca Alert bind address Help Confirm Changes 3 Click Confirm Changes to save the configuration 4 Doone of the following Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost Click Restart to save your changes and restart the scan engine service now Click Save No Restart to save your changes Changes will not take effect until the service is restarted Configuring and using logging 115 Configuring local logging Changing the log file location You can change the location of the local and billing log files The file names for the log files cannot be changed The default location for the log files for Solaris and Linux is var log The default location for the log files for Windows 2000 Server Server 2003 is C Program Files Symantec Scan Engine The disk space that is required for the log files varies depending on the scan volume and associated activity The specified location must be large enough to accommodate these files If you change the log file location old log files are left in the old directory and are not removed during uninstallation Old logs must be removed manually T
93. e configuring 78 R recursive scanning requesting 175 return codes ICAP 206 native protocol 205 RPC 207 RPC configuring 66 discussion of 23 notifying users when a virus is found 72 quarantining unrepairable files 74 return codes 207 S scan engine specifying 170 scanning threads configuring maximum 78 thread pool configuration 185 scanning via command line obtaining scanning results 172 requesting recursive scanning 175 specifying the scanning mode 171 specifying what to scan 167 service starting and stopping 37 service startup properties editing 75 SESA Integration Wizard installing 155 SESA logging to configuring 154 configuring the scan engine 161 discussion 155 installing the local Agent 156 Index 217 SESA logging to continued logging levels 162 running the SESA Integration Wizard 155 silent installation creating the response file Solaris and Linux 211 Windows 210 discussion 209 initiating install 213 using for uninstall 214 SMTP logging alert bind address 122 configuring 120 SNMP logging alert bind address 122 configuring 118 Solaris installing 35 stopping and starting service 37 160 system requirements 30 uninstalling 38 statistics from billing logs interpreting 129 obtaining 127 using the getstat utility 201 Status pane 43 summary log data interpreting 127 obtaining 125 syntax for the command line scanner 167 system requirements 29 T temporary directory specifying 77 thread poo
94. e Management Information Base file to configure SNMP logging the file symcscan mib is located in the MIB directory as part of the Symantec AntiVirus Scan Engine distribution You must select the types of events for which SNMP log messages will be generated See Logging levels on page 109 Configuring and using logging Activating SNMP and SMTP logging To activate SNMP logging for the Symantec AntiVirus Scan Engine 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Configuration Protocol Resources Logging Admin Log file location Local Logging level None Log file path location le Program Files Symantec Scan Engine Log Windows Windows Logging level Waming z Log SMTP SMTP Lagging level None gt Primary server IP address i Secondary server IP address sid SMTP Domain Recipient email addresses z Enter one or more addresses separated by a comma or space gt Log SNMP SNMP Logging level None pa Primary server IP address Secondary server IP address SNMP Community public Symantec Enterprise Security Architecture Ifyou are using the Symantec Enterprise Security Architecture SESA for centralized logging and reporting you can configure SAVSE to forward virus events to SESA through an agent that runs on the SAVSE server Consult the manual before using this feature Special steps are required in addition to application configuration
95. e Symantec AntiVirus Scan Engine includes a default HTML message to display to users when access to a file is denied because it contains a virus You can customize this message by specifying an alternate path and file name or by editing the existing file If you choose to edit the existing file you do not have to change this setting Note If you are using ICAP 1 0 depending on the ICAP client for which the scan engine is providing scan and repair services you might need to adjust the ICAP response from the scan engine when a file is blocked because it is infected and cannot be repaired The default setting is to send a replacement file when an unrepairable file is blocked However some ICAP 1 0 applications are configured to receive an ICAP 403 response instead You can adjust this setting by editing the configuration file See Configuring ICAP via the configuration file on page 181 61 62 Configuring the Symantec AntiVirus Scan Engine Configuring ICAP Table 5 2 Protocol specific options for ICAP ICAP scan policy When an infected file is found the Symantec AntiVirus Scan Engine can do any of the following m Scan only Deny access to the infected file but do nothing to the infected file m Scan and delete Delete all infected files including files that are embedded in archive files without attempting repair m Scan and repair files Attempt to repair infected files but do nothing to files that cannot be repaired
96. e and maintenance contracts Information on Symantec Value License Program Advice on Symantec s technical support options Nontechnical presales questions Missing or defective CD ROMs or manuals Symantec Corporation Software License Agreement Enterprise Antivirus Software THIS LICENSE AGREEMENT SUPERSEDES THE LICENSE AGREEMENT CONTAINED IN THE SOFTWARE INSTALLATION AND DOCUMENTATION SYMANTEC CORPORATION AND OR ITS SUBSIDIARIES SYMANTEC IS WILLING TO LICENSE THE SOFTWARE TO YOU AS AN INDIVIDUAL THE COMPANY OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE REFERENCED BELOW AS YOU OR YOUR ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR BY OPENING THIS PACKAGE BREAKING THE SEAL CLICKING ON THE AGREE OR YES BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY OR LOADING THE SOFTWARE YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS CLICK ON THE I DO NOT AGREE NO BUTTON OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE SOFTWARE 1 License The software and documentation that accompanies this license collectively the Software is the proprietary property of Symantec or its licensors and is protected by copyright l
97. e for Windows 2000 Server Server 2003 For Windows 2000 Server Server 2003 you must run the installation once to create the response file The Symantec AntiVirus Scan Engine is initially installed with the r switch so that your responses are captured in the response file Ensure that the scan engine is not already installed before you begin To create the response file for Windows 2000 Server Server 2003 1 Change directories to the location of the Symantec AntiVirus Scan Engine installation program ScanEngine exe 2 At the command prompt type ScanEngine r The installation proceeds as a normal non silent install 3 During the installation respond to each dialog box with the desired input value for the silent installation When the installation completes the response file is written to the disk Note On Windows 2000 Server Server 2003 only the password that you enter for the virtual administrative account is stored in the response file unencrypted Protect the response file accordingly to prevent the password from being compromised By default the response file setup iss is written to the WinNT directory To specify a different name and location for the response file use the f1 switch For example the following command writes a response file install_savse iss to the temporary directory C Temp ScanEngine r f1 C Temp install_savse iss Note Quotes must be used around the path and file name to handle an
98. e is activated unless you customize the text 3 When you have finished establishing the mail policy click Confirm Changes to save the configuration 4 Doone of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted 106 Setting scanning and blocking policies Establishing a mail filter policy Configuring and using logging This chapter includes the following topics About Symantec AntiVirus Scan Engine logging Configuring local logging Logging events to the Windows Application Event Log Activating SNMP and SMTP logging Managing the local logs Obtaining summary data from the local logs Generating scanning statistics from the billing logs About Symantec AntiVirus Scan Engine logging The Symantec AntiVirus Scan Engine provides a number of logging destinations Logging to each available logging destination for example SNMP SMTP or the Windows Application Event Log can be activated individually by selecting a desired logging level for that destination Selecting the logging level lets you choose the types of events for which
99. e is renewed all record of the existing license is removed and the product or feature becomes unlicensed Logging failure SMTP SNMP RPC user notification Logs all errors in sending to SMTP SNMP pop up window logging destinations that result in no log message being sent for example neither the primary nor the secondary SMTP server was available Note Because the broadcast nature of SNMP prevents the detection of transmission failure no log entry is generated when an SNMP message is not received because the SNMP console is down or the IP address for the SNMP console is entered incorrectly Note Windows pop up messages are generated only when you have selected RPC as the communication protocol and you have enabled user notification when a virus is found RPC retry Logs attempts to reestablish a lost connection with an RPC client Note A log entry is generated after five attempts to connect By default the Symantec AntiVirus Scan Engine is configured to try to reconnect with an RPC client indefinitely Infection found Logs all infections found in scanned files License about to expire Logs each 24 hour period when a Symantec AntiVirus Scan Engine license is about to expire that is the license is within 30 days of its expiration date 111 112 Configuring and using logging Configuring local logging Table 7 2 Logging events Threshold number of queued Logs all instances when the threshold
100. e limits are exceeded m 1 Deny access to container files for which one or more limits are exceeded This is the default setting 5 At RejectMalformedContainers type one of the following m0 Allow access to all malformed containers m 1 Deny access if container type cannot be identified This is the default setting m 2 Deny access to all malformed containers To specify processing limits that apply to all files via the configuration file 1 At MaxFileNameLengthe do one of the following m Type the maximum allowable file name length in bytes for a given file m Type 0 to disable this variable The default setting is 1024 bytes Note This feature is functional for the native protocol only 2 At NonMIMEThreshold type the maximum number of bytes that can be read to determine whether a file is MIME encoded The default setting is 200000 bytes Changing the antivirus settings via the configuration file You can configure certain aspects of antivirus scanning including the file types to be scanned See Configuring antivirus settings on page 88 196 Editing the configuration file Configuration options Changing the Bloodhound sensitivity level To supplement the detection of virus infections by virus signature the Symantec AntiVirus Scan Engine includes the Symantec patented Bloodhound technology which heuristically detects new or unknown viruses The sensitivity of the Bloodhound technology can be
101. e local SESA Agent should start automatically whenever the computer is restarted m Start SESA Agent automatically The local SESA Agent starts automatically each time the computer is restarted m Start SESA Agent automatically You must manually restart the local SESA Agent each time the computer is restarted Indicate whether the local SESA Agent should start immediately after the installation finishes If you indicate No you must manually start the local SESA Agent after the installation is complete The installer proceeds from this point with the installation When the installation is complete the Agent is installed as a Windows 2000 2003 service and is listed as SESA AgentStart Service in the Services Control Panel Integrating the Symantec AntiVirus Scan Engine with SESA 159 Configuring logging to SESA To install the local SESA Agent on Solaris and Linux 1 10 Log on as root to the computer on which you have installed the Symantec AntiVirus Scan Engine Copy the agentinstaller sh file from the Symantec AntiVirus Scan Engine distribution CD onto the computer Change directories to the location in which you copied the file Type the following command then press Enter sh agentinstaller sh Indicate that you agree with the terms of the Symantec license agreement then press Enter If you indicate No the installation is aborted Select the Symantec AntiVirus Scan Engine from the list of products to register with
102. e possible serves multiple requests for the same Web content from the cache A caching proxy server can use ICAP to communicate with the Symantec AntiVirus Scan Engine and request scan and repair of content that is retrieved from the Web The Symantec AntiVirus Scan Engine uses the proprietary version 0 95 implementation and version 1 0 of ICAP presented in RFC 3507 April 2003 depending on the requesting client See Configuring ICAP on page 59 About remote procedure call RPC Remote procedure call RPC is a client server infrastructure that increases the interoperability and portability of an application by letting the application be distributed over multiple platforms The use of RPC frees the developer from having to be familiar with various operating system and network interfaces and simplifies the development of applications that span multiple operating systems and network protocols Complexity is significantly reduced by keeping the 24 Introducing the Symantec AntiVirus Scan Engine About virus protection semantics of a remote call the same whether or not the client and server are located on the same computer The Symantec AntiVirus Scan Engine uses a proprietary virus scanning protocol with the MS RPC protocol for Windows 2000 Server Server 2003 platforms only to interface with client applications Any appropriate client can use RPC to communicate with the Symantec AntiVirus Scan Engine and request scanning and repai
103. e resources for the Symantec AntiVirus Scan Engine 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Configuration On the Resources tab under System settings type the temporary directory to be used for virus scanning If you have client antivirus software installed to protect the computer that is running the Symantec AntiVirus Scan Engine you must exclude the temporary directory from real time scanning and from all scheduled and 80 Configuring the Symantec AntiVirus Scan Engine Allocating resources manually invoked scans by the client antivirus software before passing files to the Symantec AntiVirus Scan Engine for scanning Protocol Resources Logging Admin System settings Temporary directory for virus scanning C WVINNT TEMP Maximum number of threads allowed for scanning 128 Threshold number of queued requests 100 When this number is exceeded Symantec Anti Vins Scan Engine is at maximum load Log or send alerts for maximum load every 5 minutes Server resources Limit the amount of server resources consumed for in memory file processing Maximum RAM used for in memory file system 16 megabytes Maximum file size stored in in memory file system 3 megabytes Help Confirm Changes 3 Inthe Maximum number of threads allowed for scanning box type the maximum number of scanning threads that are permitted for concurrent scanning The default setting and the maximum reco
104. e retained New message strings that are specific to the upgrade those with new message ID numbers are appended to the file Note If an existing message string one with an existing message ID has been changed as part of the upgrade to the Symantec AntiVirus Scan Engine the existing message string is commented out in the message string file so that any customizations are preserved in the file The updated message is appended to the file but is not commented out If you have customized any message strings in the message string file you should check the string file after installing the upgrade to reconcile any new text with your customized text symcsinf htm and symcsinf msg ICAP only If you have customized the ICAP access denied message your changes are retained Existing local logs and billing logs Existing local log files and billing log files are not deleted Installing the Symantec AntiVirus Scan Engine 33 Installing the Symantec AntiVirus Scan Engine Running other antivirus products on the Symantec AntiVirus Scan Engine server By design the Symantec AntiVirus Scan Engine scans only files from client applications that are configured to pass files to the scan engine The Symantec AntiVirus Scan Engine does not protect the computer on which it is running Because the server on which the Symantec AntiVirus Scan Engine is running handles viruses the server is vulnerable if the server has no real time virus
105. e user receives no feedback on the progress of the download When ICAP is used as the communication protocol you can use the data trickle feature to provide users with a quicker download response and avoid potential session time out errors When data trickle is enabled the requested file is sent trickled to the user in small amounts at regular intervals until the scan is complete You can change the amount of time that elapses before data trickling begins Note Data trickling can compromise antivirus integrity Before enabling the data trickle feature be sure that you read and understand all of the risks See Warnings and limitations about data trickle on page 66 Configure data trickle You can enable or disable data trickle and you can change the trickle time out period the time that elapses before data trickling begins To enable data trickle At ICAPTrickleEnabled type one of the following m 1 Enable data trickle m O Disable data trickle The default setting is 0 disabled To change the trickle time out period AtICAPTrickleTimeout type the number of seconds to elapse before data trickling begins The default setting is 5 seconds Editing the configuration file 183 Configuration options Configuring RPC via the configuration file If you select RPC as the protocol to be used by the Symantec AntiVirus Scan Engine you must configure several RPC specific options To configure RPC via the configu
106. ect of the log message fingerprintdate gt were created for virus update or update error along with the virus definitions revision number 1004 Scan Engine threshold queue The threshold queue size for the size lt queuesize gt Symantec AntiVirus Scan Engine that is the subject of the log message 1005 Scan Engine number of queued The number of queued scan requests for items lt queueditems gt the Symantec AntiVirus Scan Engine at the time of the reported event 1006 Date time of event lt date time gt The date and time of the reported event Symantec AntiVirus Scan Engine crash startup shutdown and so on 140 Customizing log entries About the 1000 series message strings Table 9 1 Message string definitions 1007 System uptime in The amount of time at the time of the seconds lt time gt log entry that the Symantec AntiVirus Scan Engine has been running since the last crash or since startup 1008 Scan Engine Crash Alert Subject of the Symantec AntiVirus Scan Engine Crash Alert 1009 The Scan Engine has crashed Message body text for the Symantec AntiVirus Scan Engine Crash Alert 1010 Scan Engine Startup Alert Subject of the Symantec AntiVirus Scan Engine Startup Alert 1011 The Scan Engine has just started Message body text for the Symantec up AntiVirus Scan Engine Startup Alert 1012 Scan Engine Shutdown Alert Subject of the Symantec AntiVirus Scan Engine Shutdown Alert 1013 The Scan
107. ectories to the directory in which the getstat tool is located 2 Type acommand using the following format getstat exe symcsbps dat lt endingdate gt lt numberofdays gt where lt endingdate gt is the last day of the billing cycle the last day in the time range for which you want information on scan engine usage and lt numberofdays gt is the number of days in the billing cycle or the number of days for which you want to view usage statistics If the symcsbps dat file is not located in the same directory as the getstat utility you must include the path to the log file in the command as well Use the format MM DD YYYY for the lt endingdate gt entry For example if you type getstat exe symcsbps dat 11 27 2001 30 the generated report includes usage information for the 30 day period ending on 11 27 01 Interpreting getstat utility data 95th percentile bandwidth measurement 7 22 for reported period Calculated average bps mie for each 30 minute period shown in chronological order Asample getstat utility report is shown below lolx an gt getstat exe symcsbps dat 11 27 2000 30 SETSTAT utility Copyright C 2000 Symantec Corporation average bits per second 2707 80 files scanned 8 Total number of ice seu Maani ata files that were gt 5 er Second i H scanned for the Measured Time Range Average Bits S reported period 2000 to 321 10 s Tue 2000 to 2707 00 Number of files Tue N 2000 to 1066 7
108. ed maximum number of nested levels to be decomposed for scanning is exceeded 4016 Container limit exceeded extract time Used when the specified maximum amount of time that is spent decomposing a container file and its contents is exceeded 4017 Container limit exceeded file size Used when the specified maximum file size for individual files in a container file is exceeded Table 9 4 Default log text Customizing log entries 151 Editing the ICAP access denied message 4018 A container limit violation has been detected Used when a container limit violation has occurred 4019 An Error occurred while trying to replace an infected file with the repaired copy File lt filename gt Used when an error occurs in replacing an infected file with the repaired copy to indicate the file name 4020 Malformed Container File not scanned Used when the Symantec AntiVirus Scan Engine detects a malformed container and is configured to reject malformed containers 4030 Detect viruses Rule defined exclusively for logging events to SESA to scan files 4031 Repair viruses Rule defined exclusively for logging events to SESA to scan files and repair infected files 4032 Delete viruses Rule defined exclusively for logging events to SESA to scan and delete infected files 4033 Repair or delete viruses Rule defined exclusively for logging e
109. een instructed to do so for debugging purposes by Symantec Technical Service and Support 190 Editing the configuration file Configuration options To specify what to log for logging to the Windows Application Event Log At LogWindows select the desired logging level for logging to the Windows Event Log The default logging level is Warning Windows 2000 Server Server 2003 only Select Verbose only if you have been instructed to do so for debugging purposes by Symantec Technical Service and Support To specify what to log for SESA logging At LogSESA select the desired logging level for SESA logging Logging to SESA is not activated by default Select Verbose only if you have been instructed to do so for debugging purposes by Symantec Technical Service and Support To specify what to log for SNMP logging AtLogSNMP select the desired logging level for SNMP logging SNMP logging is not activated by default The Verbose logging level is not available for SNMP logging To specify what to log for SMTP logging At LogSMTP select the desired logging level for SMTP logging SMTP logging is not activated by default The Verbose logging level is not available for SMTP logging Configuring the scan engine to log events to SESA If you are running SESA you must configure the Symantec AntiVirus Scan Engine to communicate with the local Agent by specifying the IP address and port number on which the Agent listens In the conf
110. eland respectively ICC INCOTERMS 2000 This Agreement may only be modified by a License Module which accompanies this license or by a written document which has been signed by both You and Symantec Should You have any questions concerning this Agreement or if You desire to contact Symantec for any reason please write to i Symantec Customer Service 555 International Way Springfield OR 97477 U S A or ii Symantec Customer Service Center PO BOX 5689 Dublin 15 Ireland 8 Additional Restrictions for Specified Software A If the Software You have licensed is a specified Symantec AntiVirus for a third party product or platform You may only use that specified Software with the corresponding product or platform You may not allow any computer to access the Software other than a computer using the specified product or platform In the event that You wish to use the Software with a certain product or platform for which there is no specified Software You may use Symantec AntiVirus Scan Engine B If the Software You have licensed is Symantec AntiVirus for Web Servers the following additional use s and restriction s apply i You may use the Software only with files that are received from third parties through a web server ii You may use the Software only with files received from less than 10 000 unique third parties per month and iii You may not charge or assess a fee for use of the Software for Your internal business
111. embedded space Using the silent install feature 211 Creating the response file Creating the response file for Solaris and Linux For Solaris and Linux you can create the response file before you install the Symantec AntiVirus Scan Engine A default response file named response is included as part of the Symantec AntiVirus Scan Engine software distribution package The response file is a text file that is preconfigured to contain the default settings for the scan engine installation options You must edit this response file so that it contains the desired input values for the silent installation Note Do not delete any of the parameters in the response file The installer must read a value for each parameter The input values contained in the response file are listed in Table D 1 Table D 1 Input values in the response file SCANPort Port number on which the Symantec AntiVirus Scan Engine listens This port number must be exclusive to the Symantec AntiVirus Scan Engine The default port number differs depending on the protocol selected m NATIVE 7777 E ICAP 1344 Protocol Communication protocol used by the scan engine Use NATIVE or ICAP AdminPort Port number on which the Web based administrative interface listens The default port number is 8004 AdminPassword Password for the virtual administrative account that you will use to manage the Symantec AntiVirus Scan Engine Note You must use the GenE
112. emoved Any attachments that do not match a specified size are not removed and are delivered with the message Note You can filter mail by attachment file size during a virus outbreak to further protect your network In the case of a new email borne virus if you know the exact size of the infected attachment you can use this information to block potentially infected email messages You can protect your network immediately before virus definitions for the new virus have been posted To filter mail by attachment file size 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Blocking Policy 2 Onthe Mail tab under Blocking by attachment file size type an attachment file size in bytes to block Type as many file sizes to block as needed one per line 3 Select one of the following to specify how the scan engine will handle messages that contain attachments of a size that you have specified m Delete the attachment The scan engine deletes any attachments of a specified size and delivers the remainder of the message including attachments that do not match a specified size The mail message is not updated to indicate that an attachment has been deleted due to a mail policy violation unless you activate the mail message update feature See Inserting text into MIME encoded messages on page 104 m Reject the message The scan engine rejects any message that contains an attachment of a specif
113. ent install feature Using the silent install feature for uninstallation To initiate a silent installation on Windows 2000 Server Server 2003 1 Change directories to the location of the Symantec AntiVirus Scan Engine installation program ScanEngine exe 2 At the command prompt type ScanEngine s f1 C WinNT setup iss This command shows the default response file setup iss in its default location the WinNT directory You will need to substitute appropriately if you have changed the response file name and location For example ScanEngine s f1 C Temp install_savse iss The silent installation proceeds automatically from this point using the input values that are contained in the response file Using the silent install feature for uninstallation You also can automate the uninstallation for the Symantec AntiVirus Scan Engine on Windows 2000 Server Server 2003 The procedures for using the silent uninstallation are the same as for the silent installation Using the silent install feature for uninstallation You must create a second response file for uninstallation After you have created the response file you can initiate the silent uninstallation by running the installation program with the s switch to read the response file Note When you create the response file for the silent uninstallation use the f1 switch to specify a different name and location for the response file rather than allowing the default settings so you ca
114. ervice unavailable overloaded 505 ICAP version not supported 531 Container type cannot be repaired Return codes 207 CAP version 1 0 return codes 533 Error scanning file 539 Aborted no AV scanning license CAP version 1 0 return codes The following return codes are generated for ICAP version 1 0 100 Continue 200 OK 201 Created 204 No content necessary 400 Bad request 403 Forbidden Infected and not repaired 404 Not found 405 Method not implemented 408 Request timeout 500 Internal server error 503 Service unavailable overloaded 505 ICAP version not supported 533 Error scanning file 539 Aborted no AV scanning license 551 Resource unavailable RPC return codes The following return codes are generated for RPC Infection found repaired Infection found repair failed Infection found repair failed file quarantined Infection found repair failed quarantine failed Infection found Maximum Extract Size exceeded scan incomplete Maximum Extract Time exceeded scan incomplete 208 Return codes RPC return codes m Maximum Extract Depth exceeded scan incomplete m Aborted No AV scanning license m Internal server error m Infection found repair failed read only file Appendix Using the silent install feature This chapter includes the following topics About the silent install feature m Creating the response file m Initiating the silent installation using the resp
115. erving customized text during an upgrade cecececeeseseseeseseteeeeeeeees 138 About the 1000 series message strings cccccscecesesseceseeeesesceeeseseeeeseeeeseees 139 About the 2000 series message strings cccssseesesseseseeseseeeeeseeeeeeseeeeseees 145 About the 4000 series message strings ccccesseesesseseeeeeseteeeeseteeseseeeeseees 149 Editing the ICAP access denied message eseeeessesesesseceseeseceseeeeseeeeeaeeees 151 11 12 Contents Chapter 10 Integrating the Symantec AntiVirus Scan Engine with SESA ADOUtSES A iiss E TE EE E OE E Configuring logging to SESA Configuring SESA to recognize the Symantec AntiVirus Scam Engine sopor sra E EEE ERE EEVEE 155 Installing the local SESA Agent esssensesesessesoseseeseseersesesessssrsrsssseseses 156 Configuring the scan engine to log events to SESA w eceecceseseseseseeeees 161 Scan engine events that are logged to SESA sssssssssssnssssssesessreseseseessseseeseses 162 Interpreting scan engine events in SESA sseesesessssssesessssesesrersesssesesersrsesees 163 Uninstalling the SESA integration components ssesesessssssesessesesseseseesee 163 Uninstalling the local SESA Agent sssssssssssesessssesesssseseseseeeeseseensseseseesrsesesesses 163 Chapter 11 Using the Symantec AntiVirus Scan Engine command line scanner About the Symantec AntiVirus Scan Engine command line scanner 165 Setting up a comp
116. es NAVEX which provides protection from new classes of viruses automatically via LiveUpdate and Striker for the detection of polymorphic viruses If you would like to know whether the Symantec AntiVirus Scan Engine or any other Symantec product protects against a specific virus visit the Symantec Security Response Web site at http securityresponse symantec com The Symantec AntiVirus Scan Engine technology is supported by the Symantec Security Response team These Symantec engineers work 24 hours per day 7 days per week tracking new virus outbreaks and identifying new virus threats Introducing the Symantec AntiVirus Scan Engine 25 About virus protection How viruses are detected When Symantec engineers identify a new virus information about the virus a virus signature is stored in a virus definitions file Virus definitions files are updated periodically via the Symantec automated LiveUpdate feature When the Symantec AntiVirus Scan Engine scans for viruses it searches for these virus signatures To supplement the detection of virus infections by virus signature the Symantec AntiVirus Scan Engine includes Bloodhound technology which heuristically detects new or unknown viruses based on the general characteristics exhibited by known viruses About Bloodhound heuristic technology Symantec engineers have developed two types of heuristics for the detection of unknown viruses The first Bloodhound is capable of detect
117. ets you examine the time required to scan each file For example savsecls server 192 168 0 100 1344 timing c work filea c work fileb c work filec c work filed When this option is used a line of output is printed to STDOUT for each file that is scanned The output includes the name of the file that was scanned and the time that the scan engine required to scan the file The reported scan time is calculated as the elapsed time between the opening and closing of the connection with the scan engine and is reported with millisecond accuracy The output when four files for example a b c and d are scanned should look similar to the following c work filea 0 018s c work fileb 0 013s c work filec 0 43s c work filed 0 03s Using the Symantec AntiVirus Scan Engine command line scanner 175 Command line scanner syntax and usage Requesting recursive scanning The recurse option lets you recursively descend into subdirectories inside each path that is specified on the command line By default the command line scanner does not recursively search directories for files to send to the Symantec AntiVirus Scan Engine for scanning You must use the recurse option to do so For example savsecls server 192 168 0 100 1344 recurse c winnt Note This option does not apply when you are using pipe mode Disposing of infected files when an error occurs The onerror option lets you specify how to dispose of an infected file t
118. exceeds box type the maximum file name length in bytes for a file name The default setting is 1024 bytes To disable this setting so that no limit is imposed type 0 This feature is available for the native protocol only Under NonMIME threshold in the No determination after reading box type the maximum number of bytes that are read by the scan engine to determine whether a file is MIME encoded The default setting is 200000 bytes If the Symantec AntiVirus Scan Engine reads the maximum number of bytes with no determination the file is considered to be nonMIME encoded Click Confirm Changes to save the configuration Do one of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now Click Save No Restart to save your changes Changes will not take effect until the service is restarted Configuring antivirus settings You can configure certain aspects of antivirus scanning including the file types to be scanned You can change the following settings Bloodhound sensitivity level To supplement the detection of virus infections by virus signature the Symantec AntiVirus Scan Engine includes the Symantec patented Bloodhound technology whic
119. f data scanned You can update the system metrics on the Status pane or reset the counts to zero through the administrative interface To update the display at any time At the bottom of the page click Refresh To reset the counts to zero at any time At the bottom of the page click Reset Statistics Symantec AntiVirus Scan Engine administration 45 Changing the administration settings Changing the administration settings You can configure the administrative settings that are listed in Table 3 2 for the Symantec AntiVirus Scan Engine administrative interface and the virtual administrator account Table 3 2 Administration settings HTTP bind address The Symantec AntiVirus Scan Engine is managed through a Web based interface which is provided through a built in HTTP server The HTTP server binds to all interfaces by default You can restrict administrative access to a specific interface by entering the appropriate bind address HTTP port number The Web based interface binds to a TCP IP port number You are prompted to provide an HTTP port number during installation but the port number can be changed through the administrative interface Administrator password The Symantec AntiVirus Scan Engine is managed using a virtual administrative account The virtual administrative account is known only to the Symantec AntiVirus Scan Engine It is not a system account You are prompted to provide a password for this
120. fault temporary directory is tmp savetmp For Windows 2000 Server Server 2003 the default temporary directory is determined at installation The temporary directory for the Symantec AntiVirus Scan Engine defaults to the temporary directory that is set for one of the following environment variables listed in the order in which they are checked m System tmp m System temp m User tmp the user that is performing the installation m User temp the user that is performing the installation If none of these variables has a value assigned the temporary directory is the installation directory 78 Configuring the Symantec AntiVirus Scan Engine Allocating resources Table 5 4 Resource settings Maximum number You can specify the maximum number of threads that are allowed of threads allowed for concurrent scanning for scanning The pool of scanning threads that are available to the Symantec AntiVirus Scan Engine for antivirus scanning dynamically adjusts to the load that is being processed You can change a number of additional related parameters in the configuration file Usage may be the only method for determining the optimal settings for these parameters Scan engine performance is dependent on scan volume the number of client applications making requests available memory and disk space and the number of scanning threads See Controlling the dynamic thread pool on page 185 When the number of scan requests exceeds t
121. features Symantec Java LiveUpdate technology which is found in other Symantec antivirus products for these platforms For Windows 2000 Server Server 2003 a LiveUpdate client is installed with the Symantec AntiVirus Scan Engine On all platforms the Symantec AntiVirus Scan Engine can be updated with the latest virus definitions without any interruption of virus scanning Note To run LiveUpdate on Solaris or Linux you must have the Java Runtime Environment version 1 3 1 or later installed Updated virus definitions files which contain the necessary information to detect and eliminate viruses are supplied by Symantec at least every week and whenever a new virus threat is discovered When new virus definitions files are available the LiveUpdate technology automatically downloads the proper files and installs them in the proper location If an error occurs the Symantec AntiVirus Scan Engine attempts to roll back to the previous virus definitions and continue scanning If the rollback is unsuccessful scanning is disabled 132 Configuring LiveUpdate Updating virus definitions You can update virus definitions files and schedule LiveUpdate to run automatically so that you always have the most up to date protection See Updating virus definitions on page 132 You can also schedule LiveUpdate via the command line if necessary See Scheduling LiveUpdate via the command line on page 133 Updating virus definitions Yo
122. fies polymorphic computer viruses which are the most complex and difficult viruses to detect Like an encrypted virus a polymorphic virus includes a scrambled virus body and a decryption routine that first gains control of the computer and then decrypts the virus body However a polymorphic virus also adds a mutation engine that generates randomized decryption routines that change each time that a virus infects a new program As a result no two polymorphic viruses are the same Each time that Striker scans a new program file it loads the file into a self contained virtual computer The program executes in this virtual computer as if it were running on a real computer The polymorphic virus runs and decrypts itself Striker then scans detects and repairs the virus LiveUpdate LiveUpdate ensures that your network is not at risk of infection by newly discovered viruses Updated virus definitions files which contain the necessary information to detect and eliminate viruses are supplied by Symantec at least every week and whenever a new virus threat is discovered The Symantec AntiVirus Scan Engine can be configured to poll the Symantec LiveUpdate servers to determine whether updated virus definitions have been posted If new virus definitions are available the Symantec AntiVirus Scan Engine downloads Introducing the Symantec AntiVirus Scan Engine 27 About virus protection the files and installs them in the proper location Virus protect
123. following attachments were infected and have been repaired lt listofinfectedfiles gt The following infected attachments were deleted lt listofdeletedfiles gt The following infected attachments were blocked because of Mail Policy violations lt listofblockedfiles gt You may wish to contact the sender to notify them about their infected files Thank you Original message text follows This message text is inserted into the body of MIME encoded text only messages when an infected attachment is found and repaired or deleted from the message Message strings 2000 and 2001 should be identical so that the inserted message is consistent lt listofinfectedfiles gt is generated by the variable R lt listofdeletedfiles gt is generated by the variable D and lt listofblockedfiles gt is generated by the variable P See Table 9 3 Variables for customizing message strings on page 149 2001 Repeat of message string 2000 Message text that is inserted into the body of MIME encoded messages that contain HTML when an infected attachment is found and repaired or deleted from the message Default message text is the same for message strings 2000 and 2001 These two messages should be consistent 2002 No attachments are in this category Text that is inserted into message string 2000 or 2001 when no attachments are applicable for the variables D R or P 2003 Mail
124. found The user notification feature is only available when RPC is selected as the communication protocol and the requesting user s computer is in the same domain as the Symantec AntiVirus Scan Engine To notify requesting users that a virus was found At LogPopupe type 1 to enable notification that a virus has been found The default setting is 0 disabled 184 Editing the configuration file Configuration options Quarantining unrepairable infected files When you are using the RPC protocol you can quarantine unrepairable infected files using the Symantec Central Quarantine The Symantec Central Quarantine software is included on the Symantec AntiVirus Scan Engine distribution CD The Symantec AntiVirus Scan Engine forwards infected items that cannot be repaired to the Symantec Central Quarantine Typically heuristically detected viruses that cannot be eliminated by the current set of virus definitions are forwarded to the Quarantine and isolated so that the viruses cannot spread See Quarantining unrepairable infected files on page 74 To quarantine unrepairable infected files 1 At QuarantineInUse type 1 to quarantine unrepairable infected files The default setting is 0 files are not quarantined 2 At QuarantineServer type the host name or the IP address for the computer on which the Symantec Quarantine Server is installed 3 At QuarantinePort type the TCP IP port number to be used by the Symantec AntiVirus
125. fy file sizes of attachments and select whether messages that contain attachments of the specified size should be rejected or delivered with the attachment removed See Filtering mail by attachment file size on page 102 Partial messages Reject messages that have been broken down into a number of smaller partial messages for transmission See Blocking MIME partial message content on page 103 96 Setting scanning and blocking policies Establishing a mail filter policy Limits AntiVirus Mail Blocking by total message size Block messages that are larger than esses bytes Blocking by subject line Block messages with any of the following subject lines one per line E I Block messages with empty subject lines Blocking by message origin Block messages that originate from the following email addresses or domains one per line ji jeers com xy Blocking by attachment file name Block attachments with any of the following file names one per line When a matching attachment is found Delete the attachment C Rejectthe message Blocking by attachment file size Block attachments that match any ofthe file sizes specified below one per line in bytes When a matching attachment is found Delete the attachment C Reject the message Updating mail message body M Add text to body of infected MIME encoded messages to warn recipient of infections Blocking MIME partial message conten
126. g and notification for RPC If you are using RPC the Symantec AntiVirus Scan Engine now logs identifying information when a client requests a file that is found to be infected A notification message informs users that a virus was detected in a file that they attempted to retrieve and indicates the disposition of the file Where to start The Symantec AntiVirus Scan Engine Implementation Guide contains all of the instructions necessary to install and maintain the Symantec AntiVirus Scan Engine Follow these steps to ensure that you use the scan engine s capabilities effectively Become familiar with the design and features of the software See Introducing the Symantec AntiVirus Scan Engine on page 15 Introducing the Symantec AntiVirus Scan Engine Where to start Decide how to deploy the Symantec AntiVirus Scan Engine on your network to meet your specific requirements If you plan to use ICAP version 1 0 to create a custom implementation of the scan engine and have purchased the Symantec AntiVirus Scan Engine SDK the Symantec AntiVirus Scan Engine Software Developer s Guide contains additional information on deploying the scan engine using this protocol If you have purchased a specific connector for the Symantec AntiVirus Scan Engine check the accompanying documentation for additional information on that particular implementation of the scan engine See Considerations for implementation on page 20 Install the Symantec An
127. g documentation Except as contained in this notice the name of a copyright holder shall not be used in advertising or otherwise to promote the sale use or other dealings in this Software without prior written authorization of the copyright holder IBM software disclaimer THE SOFTWARE IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS IN NO EVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE DATA OR PROFITS WHETHER IN AN ACTION OF CONTRACT NEGLIGENCE OR OTHER TORTIOUS ACTION ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE Printed in the United States of America 10 9 8 765 43 2 1 Technical support As part of Symantec Security Response the Symantec global Technical Support group maintains support centers throughout the world The Technical Support group s primary role is to respond to specific questions on product feature function installation and configuration as well as to author content for our Web accessible Knowledge Base The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion For example the Technical S
128. g logging to SESA products that exist in today s corporate environments SESA includes an event management system that employs data collection services for events generated on computers that are managed by Symantec security products The event categories and classes include antivirus content filtering network security and systems management The range of events varies depending on the Symantec applications that are installed and managed by SESA You can monitor and manage these security related events through the SESA Console The SESA Console is the common user interface that provides manageable integration of security technologies Symantec or otherwise Symantec Security Services and Symantec Security Response You can query filter and sort data to reduce the security related events that you see through the SESA Console which allows you to focus on threats that require your attention You can configure alert notifications in response to events and generate save and print tabular and graphical reports of event status based on filtered views that you have created The Symantec Enterprise Security Architecture is purchased and installed separately SESA must be installed and working properly before you configure the Symantec AntiVirus Scan Engine to log events to SESA For more information see the SESA documentation Configuring logging to SESA The logging of virus related events to the Symantec Enterprise Security Architecture
129. gain in a short period of time m ShrinkThreadCount The number of scanning threads to remove when more threads are running than are needed for the load that is being processed The default setting is 2 The ShrinkThreadCount value must be smaller than the GrowThreadCount value 185 186 Editing the configuration file Configuration options m BusyRequestCount The number of queued requests waiting to be processed by scanning threads that triggers the creation of more scanning threads The default setting is 4 The BusyRequestCount value cannot be less than 2 and must be less than the LoadMaximumQueuedClients value See Changing the threshold number of queued requests on page 187 m IdleThreadCount The number of idle scanning threads that triggers the removal of scanning threads The default setting is 4 m SecondsBetweenChecks The number of seconds between evaluations of the thread pool activity The default setting is 5 seconds This value cannot be smaller than 2 Note Because thread pool activity is checked at the frequency specified for the SecondsBetweenChecks parameter changes to the thread pool size occur at the same frequency To control the dynamic thread pool 1 At MinThreads type the minimum number of scanning threads to be created at start up time and to keep alive regardless of load The default setting is 16 Do not use a value that is larger than the value entered for the MaxThreads parameter
130. ge speed of processing Scanning statistics for the billing logs are maintained automatically by the Symantec AntiVirus Scan Engine Billing information is logged to a billing log file symcsbps dat See Generating scanning statistics from the billing logs on page 127 SESA If you are running the Symantec Enterprise Security Architecture SESA you can choose to log events regarding Symantec AntiVirus Scan Engine antivirus activity to SESA SESA includes an event management system that employs data collection services for events that are generated on computers that are managed by Symantec security products SESA lets administrators view and manage the security data within a central location the SESA Console See Integrating the Symantec AntiVirus Scan Engine with SESA on page 153 RPC client logging subsystem RPC only If you are using RPC as the communication protocol the Symantec AntiVirus Scan Engine logs certain events to the RPC client logging subsystem Logging to the RPC client is in addition to the other available logging destinations See Logging to the RPC client logging subsystem on page 67 Logging levels Configuring and using logging About Symantec AntiVirus Scan Engine logging Logging for each logging destination is activated individually by selecting the desired logging level for that destination You can select a different logging level for each logging destination Selecting the logging level lets
131. gging to SESA 10 11 12 In the Primary SESA Manager IP address or host name box type the IP address or host name of the computer on which the primary SESA Manager is running If SESA is configured to use Anonymous SSL the default setting type the IP address of the primary SESA Manager If SESA is configured to use Authenticated SSL type the host name of the primary SESA Manager for example computer company com In the Primary SESA Manager port number box type the port number on which the SESA Manager listens The default port number is 443 If you are running a Secondary SESA Manager that is to receive events from the scan engine do the following m Inthe Secondary SESA Manager IP address or host name box type the IP address or host name of the computer on which the Secondary SESA Manager is running m Inthe Secondary SESA Manager port number box type the port number on which the Secondary SESA Manager listens The default port number is 443 In the Organizational unit distinguished name box type the organizational unit distinguished name to which the Agent will belong If the organizational unit is unknown or not yet configured this setting can be left blank Use the format shown in the example ou Europe ou Locations dc SES o symc_ses The domain s dc portion of the path should correspond to the domain that is managed by the selected SESA Management Server Select one of the following to indicate whether th
132. gine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted Quarantining unrepairable infected files When you are using the RPC protocol you can quarantine unrepairable infected files The quarantining of infected files is handled using the separately installed Symantec Central Quarantine The Symantec AntiVirus Scan Engine forwards infected items that cannot be repaired to the Symantec Central Quarantine Typically heuristically detected viruses that cannot be eliminated by the current set of virus definitions are forwarded to the Quarantine and isolated so that the viruses cannot spread From the Quarantine the infected items can be submitted to Symantec Security Response for analysis If a new virus is identified new virus definitions are posted Note You must select Scan and repair or delete as the RPC scan policy to forward files to the Quarantine Once a copy of an infected file is forwarded to the Central Quarantine the original infected file is deleted If submission to the Central Quarantine is not successful the original file is not deleted and an error message is returned to the RPC client In this case access to the infected file is denied The Symantec Central Quarantine is installed separately It must be installed on a computer that is running Windows 2000 Server Server 2003 in accordance with the supporting documentation The Symantec Central Qu
133. ging level for the Windows Application Event Log is Warning Windows 2000 Server Server 2003 only Configuring and using logging 117 Activating SNMP and SMTP logging To log events to the Windows Application Event Log 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Configuration 2 On the Logging tab under Log Windows in the Windows Logging level list select the appropriate logging level The default logging level for the Windows Application Event Log is Warning Windows 2000 Server Server 2003 only See Logging levels on page 109 3 Click Confirm Changes to save the configuration 4 Doone of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted Activating SNMP and SMTP logging The Symantec AntiVirus Scan Engine provides SMTP Simple Mail Transfer Protocol and SNMP Simple Network Management Protocol logging capabilities SNMP or SMTP logging can be activated individually by selecting the appropriate logging level for SNMP or SMTP logging and providing the appropriate destination
134. h heuristically detects new or unknown viruses based on characteristics generally exhibited by viruses The sensitivity of the Bloodhound technology can be adjusted See Changing the Bloodhound sensitivity level on page 89 File types to scan Viruses are found only in file types that contain executable code Bandwidth and time can be saved by limiting the files to be scanned to only those file types that can contain viruses You can control which file types are scanned by specifying the file extensions that you want Setting scanning and blocking policies 89 Configuring antivirus settings to scan using an inclusion list or by specifying those extensions that you do not want to scan using an exclusion list or you can scan all file types regardless of extension See Specifying file types to scan on page 90 Changing the Bloodhound sensitivity level The Symantec AntiVirus Scan Engine includes the Symantec patented Bloodhound technology which heuristically detects new or unknown viruses The sensitivity of the Bloodhound technology can be adjusted Note Increasing the Bloodhound sensitivity level may lead to occasional false positives For more information about Symantec AntiVirus Scan Engine virus detection capabilities see How viruses are detected on page 25 To change the Bloodhound sensitivity level 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Blocking
135. h parameters The configuration file parameters for controlling the dynamic thread pool are m MinThreads The minimum number of scanning threads that is created at start up time and the minimum to keep alive regardless of the load that is being processed The default setting is 16 You can increase this number if a typical load cannot be satisfied by the default setting of 16 This number cannot be larger than the value entered for the MaxThreads parameter m MaxThreads The maximum number of scanning threads that can be created regardless of the load that is being processed The default setting is 128 The default value 128 is the maximum recommended value for this parameter Increasing the value beyond 128 can make the software unstable The MaxThreads value cannot be smaller than the value entered for the MinThreads parameter m GrowThreadCount The number of scanning threads to add when the load that is being processed cannot be handled by the existing threads The default setting is 4 The GrowThreadCount value must be larger than the ShrinkThreadCount value and should not be close to the MaxThreads value Reasonable values are in the range of 2 to 32 Note Creating new threads consumes resources You should create new threads GrowThreadCount and keep them as long as possible You should remove threads ShrinkThreadCount more slowly than you add threads so that you do not consume additional resources thus creating new threads a
136. has been deleted File npad95 1 dot was infected with virus WM Npad EE The infection has been found and repaired Be oslo a ga a a g To clear the log file 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Reporting 2 On the Download tab click Clear Logs 3 Confirm that you want to clear the application log For Windows 2000 Server Server 2003 clearing the log file causes all of the application logs to be cleared not just those for the Symantec AntiVirus Scan Engine Obtaining summary data from the local logs You can obtain summary data from the local logs for a given period of time For the reported period you can review the number of times that the scan engine started the total number of viruses that were found and the total number of viruses that were repaired You can also review the virus types that were found during the reported period and the number of times that each type was found 126 Configuring and using logging Obtaining summary data from the local logs To obtain summary data from the local logs 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Reporting 2 On the Summary tab type the start and end dates for the range on which you want to report Use the date format for your operating system locale Download Statistics Summary Enter start date 2 26 02 Enter end date 3 28 02 Load Logs Report generated Total
137. hat has been modified repaired by the scan engine when an error occurs in replacing the file The default setting is to delete the file You can specify one of the following m leave The original infected file is left in place m delete The original infected file is deleted even though the replacement data is unavailable For example savsecls server 192 168 0 100 1344 onerror delete c temp Note This option does not apply when you are using pipe mode 176 Using the Symantec AntiVirus Scan Engine command line scanner Command line scanner syntax and usage Appendix Editing the configuration file This chapter includes the following topics m Editing the Symantec AntiVirus Scan Engine configuration file m Updating the configuration file during an upgrade m Configuration options Editing the Symantec AntiVirus Scan Engine configuration file In addition to using the Web based administrative interface you can change the Symantec AntiVirus Scan Engine settings by editing the configuration file symcscan cfg The configuration options for the Symantec AntiVirus Scan Engine can be configured through the Web based administrative interface Under regular circumstances you should not need to edit the configuration file For Solaris and Linux the default location for the configuration file is opt SYMCScan etc symcscan cfg For Windows 2000 Server Server 2003 the default location for the configuration file i
138. he scan engine might scan the file even if it is not configured to scan the file type ICAP 1 0 lets the Symantec AntiVirus Scan Engine initially provide information to the ICAP client on which file types are to be scanned based on the scan engine configuration Based on this information the ICAP client forwards either the entire file to the scan engine for scanning if the file extension is one that is identified for scanning or the first few bytes of the file to the scan engine for preview if the file extension is unknown or is not one that was identified for scanning The scan engine examines the first few bytes of the file to determine whether the file could contain a virus Based on this examination the scan engine might request and scan a file even when it is not identified for scanning When the client application is using ICAP version 1 0 as the communication protocol the Symantec AntiVirus Scan Engine now scans all POST transactions files that are being posted to the Internet for viruses The scanning and logging policies that are configured on the scan engine now apply to POST transactions as well When a virus is detected in a POST transaction the posting client does not receive an error message indicating that a virus was found The only manner in which a user can determine that a virus was found in a POST transaction is to examine the actual information that was posted to the destination Web site For example if the user attem
139. he email m Install the license file that you receive via the Symantec AntiVirus Scan Engine administrative interface 52 Activating product licenses Activating a license To obtain the license file 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Licensing Status Install You must obtain a license for key product features and for the virus definition update subscription Step 1 Complete the license form located at https Micensing symantec com A license file will be emailed to you Step 2 Do one of the following and then click Confirm Changes e Browse to the location of the license file Copy and paste the contents of the license file in the text box Browse Z Help Confirm Changes On the Install tab click the link to access Symantec s Licensing and Registration Web page Follow the instructions on the Web page to complete the online licensing form You must have the appropriate serial number to complete the form The license file is returned via email as an attachment Make sure that the email address you provide on the online form is appropriate so that the license file will be accessible To install the license file 1 When you receive the email message from Symantec that contains the license file save the file that is attached to the email message to the computer from which you will access the Symantec AntiVirus Scan Engine administrative inte
140. he full path to the Symantec AntiVirus Scan Engine which can access the file directly For cases in which the client application is running on the same computer as the Symantec AntiVirus Scan Engine the client application can pass the file name to the scan engine and the scan engine can open the file and scan it in place on the computer Introducing the Symantec AntiVirus Scan Engine 21 Considerations for implementation One example of a typical integration of the Symantec AntiVirus Scan Engine is shown in Figure 1 1 Integration scenarios are discussed in detail in Symantec CarrierScan Server Version 2 0 A Symantec White Paper which is available on the Symantec Web site Figure 1 1 Typical integration of the Symantec AntiVirus Scan Engine Web based email ASP Vusr bin perl use CGI Squery new CGI Stestfile Squery gt param testfile Symantec e e AntiVirus ends repairedfie Scan Engines to Web server 7 SMTP server forwards email to the Internet file Foo exe and passes il it to CGI script is Home 1 User sends a file Foaexe to HTML based email system as an attachment user How the scan engine works with the client application The Symantec AntiVirus Scan Engine is designed to be easily integrated into any environment to provide antivirus scanning for any application Client applications are configured to pass files via one of three protocols to the Symantec AntiVirus Scan Engine whi
141. he licenses for all Symantec products that are activated by license The license files must be removed manually If you must remove a license file contact Symantec Service and Support Activating product licenses 51 Activating a license Activating a license Both the Symantec AntiVirus Scan Engine antivirus scanning functionality and your subscription to the virus definitions updates are activated by license A separate license must be installed for each feature If you purchase additional product features from Symantec as they become available for the Symantec AntiVirus Scan Engine these features will be activated with a new license To activate a license you must have the serial number required for activation The serial number is printed on the Symantec Serial Number Certificate for the product Note The Symantec Serial Number Certificate is not part of the Symantec AntiVirus Scan Engine software distribution package The Symantec Serial Number Certificate is mailed separately and should arrive in the same time frame as your software Activate a license Activating a license is a two step process You must complete both steps to activate a license m Obtain the license file from Symantec by completing the online form You must have a serial number to complete the online form Once you complete the online form you receive the license file via email from Symantec The complete license file is provided as an attachment to t
142. he maximum number of scanning threads that are allowed scan requests are queued until a thread becomes available The threshold number of queued requests is configurable for the Symantec AntiVirus Scan Engine Note If you are using the RPC protocol and are supporting multiple RPC clients the Symantec AntiVirus Scan Engine creates a separate pool of threads for each RPC client The RPC clients do not share a common pool of threads Thus the number of available threads for scanning that you select for this setting is applied to each RPC client individually Threshold number When the number of queued requests to the Symantec AntiVirus of queued requests Scan Engine exceeds the specified threshold the scan engine is at maximum load The Symantec AntiVirus Scan Engine can be configured to log periods of time when it is at maximum load and to generate Load Exceeded log entries at a prescribed interval The Symantec AntiVirus Scan Engine continues to queue all incoming requests after the threshold is exceeded Log or send alerts The alert interval is the number of minutes between log entries for maximum load generated to indicate that maximum load has been exceeded every _ minutes Maximum load is exceeded when the number of requests to the Symantec AntiVirus Scan Engine exceeds the specified threshold number of queued requests If you change the alert interval the Symantec AntiVirus Scan Engine might remain at maximum load for a peri
143. hing a mail filter policy 5 Doone of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted Filtering mail by attachment file name When you filter mail by attachment file name you specify one or more file names that are known to be threats and specify how the Symantec AntiVirus Scan Engine will handle messages that contain attachments with any of the file names listed The scan engine can reject the entire message or deliver the message with the attachment removed Any attachments that do not match the listed file names are not removed and are delivered with the message For each full file name that you want to filter you type a separate text string If the text string that you type matches the file name of any attachment the message is handled accordingly Wildcard characters can be used when you are not sure of an exact file name or want to block all attached files with a specific extension For example to block all attachments with the word virus in the file name type virus as the search string To block all attachments with the exe e
144. iVirus Scan Engine must be installed on a computer that is running Windows 2000 Server Server 2003 and must be located in the same domain as the RPC clients for which it will provide scanning and repair services A single Symantec AntiVirus Scan Engine can support multiple RPC clients For sites with larger scan volumes multiple Symantec AntiVirus Scan Engines also can be used to support one or more RPC clients Configuring the Symantec AntiVirus Scan Engine 67 Configuring RPC A connection is maintained between each RPC client and the Symantec AntiVirus Scan Engine The Symantec AntiVirus Scan Engine monitors the connection with each RPC client by checking the connection at a configured time interval If the scan engine determines that the connection is not active it tries to reconnect The number of times that the scan engine tries to reestablish the connection can also be configured If the Symantec AntiVirus Scan Engine makes the maximum number of tries with no reply from any RPC client the scan engine shuts down Logging to the RPC client logging subsystem Certain Symantec AntiVirus Scan Engine events are logged to the RPC client s logging subsystem The following scan engine events are logged automatically m Unrepairable infections m Container violations m Scans that are aborted because the antivirus scanning license is expired User identification and notification when a virus is found When a virus is found in a file that
145. ick Confirm Changes to save the configuration 4 Doone of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted 91 92 Setting scanning and blocking policies Configuring antivirus settings To scan all files except for those with extensions that are in the exclusion list 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Blocking Policy On the AntiVirus tab under File types to be scanned click Scan all files except those with the following extensions Limits AntiVirus Mail Heuristic scanning Bloodhound sensitivity level to detect new viruses Medium w File types to be scanned Scan all files regardless of extension Scan files with the following extensions Begin each extension with a period and separate each entry with a semicolon Scan all files except those with the following extensions Begin each extension with a period and separate each entry with a semicolon aif aifc aiff asc au avi bmp eps gif ief jp e jpeg jpg kar latex log mid
146. ied size 4 Toremove a file size from the list select it and press Delete 5 When you have finished establishing the mail policy click Confirm Changes to save the configuration 6 Setting scanning and blocking policies Establishing a mail filter policy Do one of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted Blocking MIME partial message content The Symantec AntiVirus Scan Engine must have a MIME encoded message in its entirety to effectively scan it for viruses Some email software applications break large messages down into a number of smaller more manageable partial messages for transmission These messages are typically transmitted separately and reassembled before delivery to the recipient In these cases because it has been broken down into a number of partial messages the entire message including all attachments is not available to the scan engine for scanning The Symantec AntiVirus Scan Engine is configured by default to reject partial messages because they cannot be effectively scanned for viruses To block MIME
147. iguration information The configuration options differ depending on the protocol that you select Configuring the Symantec AntiVirus Scan Engine 57 Configuring the Symantec AntiVirus Scan Engine native protocol Configuring the Symantec AntiVirus Scan Engine native protocol In its default configuration the Symantec AntiVirus Scan Engine implements a simple TCP IP protocol to provide antivirus functionality to client applications How the scan engine works with the native protocol The Symantec AntiVirus Scan Engine protocol is text based like HTTP or SMTP and uses standard ASCII commands and responses to communicate between client and server To submit a file for scanning a client connects to the specified IP port sends the file to be scanned and reads the results of the scan After the scan results are received the connection is terminated A new connection is initiated for each file to be scanned Native protocol configuration options If you select the native protocol you must configure certain protocol specific options The configuration options for the native protocol are described in Table 5 1 Table 5 1 Protocol specific options for the native protocol Scan engine bind address By default the Symantec AntiVirus Scan Engine binds to all interfaces You can restrict access to a specific interface by entering the appropriate bind address You can use 127 0 0 1 the loopback interface to let only clients that a
148. iguration file the SESA logging delivery parameters are m SESAIP m SESAPort See Integrating the Symantec AntiVirus Scan Engine with SESA on page 153 Editing the configuration file 191 Configuration options To configure the scan engine to log events to SESA 1 At SESAIP type the IP address on which the local SESA Agent listens The default setting is 127 0 0 1 the loopback interface which restricts connections to the same computer 2 AtSESAPort type the TCP IP port number on which the local SESA Agent listens The port number that you enter here must match the port number on which the SESA Agent listens The default setting is port 8086 Configuring SNMP and SMTP logging via the configuration file If you have activated SNMP or SMTP logging you must provide the appropriate information for message delivery See Activating SNMP and SMTP logging on page 117 Configure SNMP and SMTP logging via the configuration file In the configuration file the SNMP logging delivery parameters are m SNMPPrimary m SNMPSecondary m SNMPCommunityString In the configuration file the SMTP logging delivery parameters are m SMTPPrimary m SMTPSecondary m SMTPRecipList m SMTPDomain To configure SNMP logging via the configuration file 1 AtSNMPPrimary type the IP address of the primary SNMP console that will receive log messages 2 At SNMPSecondary type the IP address of a secondary SNMP console that
149. in the Services Control Panel To stop and restart the Symantec AntiVirus Scan Engine service on Solaris and Linux 1 Log on to the computer as root 2 At the command prompt do one of the following m To stop the service type the following command etc init d symcscan stop m To start the service type the following command etc init d symcscan start m To stop and immediately restart the service type the following command etc init d symcscan restart 38 Installing the Symantec AntiVirus Scan Engine Uninstalling the Symantec AntiVirus Scan Engine Uninstalling the Symantec AntiVirus Scan Engine Use the following instructions for uninstalling the Symantec AntiVirus Scan Engine Uninstalling the Symantec AntiVirus Scan Engine does not remove the license keys for the Symantec AntiVirus Scan Engine If you are uninstalling the Symantec AntiVirus Scan Engine permanently you must manually uninstall the license keys If you must manually remove the license keys contact Symantec Service and Support Uninstall the Symantec AntiVirus Scan Engine Uninstallation instructions differ depending on the operating system that you are running To uninstall the Symantec AntiVirus Scan Engine on Windows 2000 Server Server 2003 1 Log onto the computer as administrator or as a user with administrator rights 2 Inthe Add Remove Programs Control Panel click Symantec AntiVirus Scan Engine 3 Click Change Remove 4 Follow the o
150. ine administrative interface in the left pane click Configuration On the Logging tab under Log file location select the Local Logging level from the list The default logging level for Solaris and Linux is Warning The default setting for Windows 2000 Server Server 2003 is None Select Verbose only if you have been instructed to do so for debugging purposes by Symantec Technical Service and Support 113 114 Configuring and using logging Configuring local logging See Logging levels on page 109 Protocol Resources Logging Admin Log file location Local Logging level None bd Log file path location C Program Files SymanteciScan Engine Log Windows Windows Logging level Warning z Log SMTP SMTP Logging level None Primary server IP address Secondary server IP address SMTP Domain Recipient email addresses Enter one or more addresses separated by a comma or space oi i gt Log SNMP SNMP Logging level None Primary server IP address Secondary server IP address CSS SNMP Community Jousic Symantec Enterprise Security Architecture Ifyou are using the Symantec Enterprise Security Architecture SESA for centralized logging and reporting you can configure SAVSE to forward virus events to SESA through an agent that runs on the SAVSE server Consult the manual before using this feature Special steps are required in addition to application configuration SESA Logging level Non
151. ine tallies the number of bits for each file that is scanned in 30 minute increments The average bps scanned for each 30 minute period is calculated and saved to the billing file Data is saved to the billing file every five minutes to prevent the loss of data in the event that the scan engine crashes The Symantec AntiVirus Scan Engine logs the average bps that are scanned for 48 30 minute periods per day To make a data retrieval request you specify a date range for which to view scan engine utilization When a request is made the data entries for each 30 minute period in the specified date range are sorted from highest to lowest average bps scanned Of these entries the top 5 percent with the highest average bandwidth scanned represent spikes in usage and are discarded The next highest reading is considered the 95th percentile bandwidth measurement Note The 95th percentile bandwidth measurement scheme is designed for billing for maximum bandwidth use and assumes that a system is used continuously rather than being shut down and restarted routinely Configuring LiveUpdate This chapter includes the following topics m About LiveUpdate m Updating virus definitions m Scheduling LiveUpdate via the command line m Setting up your own LiveUpdate server About LiveUpdate LiveUpdate ensures that your network is not at risk of infection by newly discovered viruses For Solaris and Linux the Symantec AntiVirus Scan Engine
152. ing upwards of 80 percent of new and unknown executable file viruses The second Bloodhound Macro detects and repairs over 90 percent of new and unknown macro viruses Bloodhound requires minimal overhead since it examines only programs and documents that meet stringent prerequisites In most cases Bloodhound can determine in microseconds whether a file or document is likely to be infected by a virus If it determines that a file is not able to be infected it immediately moves to the next file Bloodhound and executable viruses Bloodhound uses artificial intelligence AI technology to isolate and locate the various logical regions of each application that it is told to scan It analyzes the program logic in each of these regions for virus like behavior and simulates this behavior to determine whether the program is a virus Bloodhound and macro viruses Symantec Bloodhound Macro technology uses a hybrid heuristic scheme to detect and repair more than 90 percent of all new and unknown macro viruses automatically For example every time that the Symantec AntiVirus Scan Engine scans a Microsoft Word document Bloodhound Macro sets up a complete virtual environment into which it loads the document The macros that are contained in the document are run as they would be in the word processing application Bloodhound Macro monitors the macros as they run to see if they copy themselves from the host document to another virtual document Bloodho
153. installation to uninstall the previous version If you are running version 4 0 X and want a full clean installation you must uninstall the previous version before running the installer 32 Installing the Symantec AntiVirus Scan Engine Preparing for installation Installing the upgrade over the existing installation preserves any customizations that you have made to the files and message catalogs in Table 2 1 Table 2 1 File and message catalogs preserved during upgrade symcscan cfg Any changes that you have made to the Symantec AntiVirus Scan Engine configuration file are preserved If you have customized any configuration options your customizations are written to the new configuration file for those options that are still used in the upgrade Note Scan engine logging options have changed in version 4 3 Because in many cases the previous configuration options do not map to the new options any customizations that you have made to the logging options are not preserved You must reconfigure logging after installing the upgrade policy cfg subjects cfg sizes cfg domains cfg and filenames cfg If you have a mail filter policy in effect that is you are filtering mail by message size attachment file name or size message origin or subject line your mail policy entries are retained symcsmsg dat If you have customized any of the message strings contained in the message string file the customizations ar
154. inted to STDOUT for each file that is scanned The information includes both the name of the file and the result of the scan including the final disposition of the file See Using the verbose option on page 172 170 Using the Symantec AntiVirus Scan Engine command line scanner Command line scanner syntax and usage Table 11 3 Supported options for the command line scanner details Report detailed information regarding infections or violations that are found When this option is used a block of text is printed to STDOUT for each file that is scanned The output text indicates the name of the file that was scanned detailed information about the infection or violation for those files that are infected or violate an established policy and the result of the scan also provided for the verbose option Note If you use the details option you do not need to use the verbose option also The output for the verbose option is duplicated as part of the output for the details option See Using the details option on page 173 timing Report the time required to scan a file When this option is used a line of output is printed to STDOUT for each file that is scanned The output includes the name of the file that was scanned and the time that the scan engine required to scan the file See Using the timing option on page 174 recurse Recursively descend into subdirectories inside each path that is specifie
155. ion stays current without any interruption in protection Testing virus detection capabilities If you want to verify the virus detection capabilities of the Symantec AntiVirus Scan Engine visit the following Web site http www eicar org The site provides a link to a test virus that should be detected by all major antivirus vendors Warning Carefully read the disclaimers on the site prior to downloading the test file into your environment Any attempts to test antivirus software with real or dummy viruses should be handled with extreme care If your computer already has antivirus software you must disable the auto protect mode of the antivirus software before downloading the test file 28 Introducing the Symantec AntiVirus Scan Engine About virus protection Installing the Symantec AntiVirus Scan Engine This chapter includes the following topics System requirements Preparing for installation Installing the Symantec AntiVirus Scan Engine Stopping and restarting the Symantec AntiVirus Scan Engine service Uninstalling the Symantec AntiVirus Scan Engine System requirements Before you attempt to install the Symantec AntiVirus Scan Engine verify that your server meets the system requirements Windows 2000 Server Server 2003 Windows 2000 Server with Service Pack 3 or Windows Server 2003 Pentium III 500 MHz or higher 256 MB of RAM or higher 25 MB of hard disk space 1 network interface card NIC runni
156. iration date the number of days remaining in the warning or grace period if applicable and the number of nodes licensed A fulfillment ID for each installed license also appears on the Status tab You will need to supply the fulfillment ID to Symantec Service and Support if you have questions regarding your license 54 Activating product licenses Checking the license status The license information that is displayed is described in Table 4 1 Table 4 1 License status information Licensed feature Each installed license is listed according to the feature that is activated by the license Expiration date The expiration date for each license is displayed If the license is in either the warning period or the grace period a warning message is also displayed in this column Nodes The number of licensed nodes is displayed for each installed license Fulfillment ID The fulfillment ID is the identification number for your license Provide this number to Symantec Service and Support if you have questions regarding your license Note You can also check the status of your licenses from the Symantec AntiVirus Scan Engine Status page which is located in the left pane on the main administration page The Status page displays a License status entry that indicates whether any installed license is in either a grace or warning period However for more detailed information you must click Licensing To check the license status
157. irus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted 82 Configuring the Symantec AntiVirus Scan Engine Allocating resources Setting scanning and blocking policies This chapter includes the following topics m About scanning and blocking policies m Specifying processing limits m Configuring antivirus settings m Establishing a mail filter policy About scanning and blocking policies You can establish scanning and blocking policies for the Symantec AntiVirus Scan Engine Some scanning and blocking policy features differ depending on the protocol that you are using Depending on a number of factors such as scan volume the number of client applications making requests available memory and disk space and the selected number of scanning threads you may need to impose restrictions on resources to maximize performance and security Settings that provide maximum security also consume more resources You can configure settings to restrict the amount of resources that handle certain types of files adjust the sensitivity of heuristic virus detection and specify the file types to be scanned You can establish a blo
158. is supplied here 6 Inthe Recipient email addresses box type the email addresses of the recipients of the SMTP log messages Separate each email address with a comma or space 7 Click Confirm Changes to save the configuration 8 Doone of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted Specifying the alert bind address If you have activated SNMP or SMTP logging and are running multiple Symantec AntiVirus Scan Engines you can set an alert bind address for each scan engine to identify the originating scan engine for each SNMP and SMTP log message The alert bind address of the originating scan engine is appended to all SNMP and SMTP log messages as a means of identification Setting the alert bind address is only necessary if you have configured multiple scan engines to listen on the loopback interface 127 0 0 1 and each scan engine logs messages to the same SNMP or SMTP destination Because the IP address on which the scan engine listens is used in SNMP and SMTP messages to identify the originating scan engine it is not possible to
159. is requested from an RPC network attached storage client the Symantec AntiVirus Scan Engine automatically obtains for logging purposes identification information about the user who requested the infected file The identification information includes the security identifier of the user and the IP address and host name of the requesting computer This information is included in all related log messages that are sent to all active logging destinations for the scan engine This feature provides administrators with as much information as possible when a virus is found Note The Symantec AntiVirus Scan Engine can obtain only the information that is made available from the RPC client In some cases all or some of this information is not available The information that is obtained is reported in the related log entries Any identification information that is not obtained from the RPC client is omitted from the log messages and from the user notification window You also can configure the Symantec AntiVirus Scan Engine to notify the requesting user that the retrieval of a file failed because a virus was found The notification message only displays if the user is using a Windows computer The notification messages includes the date and time of the event the file name of the infected file the virus name and ID and the manner in which the infected file was handled for example the file was repaired or deleted 68 Configuring the Symantec Anti
160. is to support multiple RPC clients you can add additional clients through the scan engine administrative interface Only one RPC client can be specified at installation The default account is LocalSystem If you accept the default account you do not need to enter the password Use the following format for the account name domain username Make sure that the account has the appropriate permissions You will not receive an error message if the account does not have appropriate permissions See Editing the service startup properties on page 75 Click Next 10 11 12 Installing the Symantec AntiVirus Scan Engine 35 Installing the Symantec AntiVirus Scan Engine Select the port number on which the Web based administrative interface listens The default port number is 8004 To disable type 0 Note If you disable the administrative interface you must configure the Symantec AntiVirus Scan Engine by editing the configuration file See Editing the configuration file on page 177 Type a password for the virtual administrative account that you will use to manage the Symantec AntiVirus Scan Engine Confirm the password by typing it again Click Next Follow the on screen prompts to complete the installation When the installation is complete the Symantec AntiVirus Scan Engine is installed as a Windows 2000 2003 service and is listed as Symantec AntiVirus Scan Engine in the Services Control Panel The Symantec AntiVir
161. isabled by default Protocol Resources Logging Admin Log file location Local Logging level None Log file path location C Program Files Symantec Scan Engine Log Windows Windows Logaing level Waming gt Log Windows Messenger I Enable Windows Messenger Logging Log SMTP SMTP Logging level None Primary server IP address a Secondary server IP address m SNMP Community urs Symantec Enterprise Security Architecture Ifyou are using the Symantec Enterprise Security Architecture SESA for centralized logging and reporting you can configure SAVSE to forward virus events to SESA through an agent that runs on the SAVSE server Consult the manual before using this feature Special steps are required in addition to application configuration SESA Logging level None hd SESA agent IP address 127 0 0 1 Port 8086 Logging properties Path and filename for message string file C Program Files SymanteciSca Alert bind address Help Confirm Changes 3 Click Confirm Changes to save the configuration 4 Doone of the following Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost 73 74 Configuring the Symantec AntiVirus Scan Engine Configuring RPC m Click Restart to save your changes and restart the scan en
162. iveUpdate in silent mode displays no prompting or display indicator m cslive exe virusdefs Run LiveUpdate and display a progress indicator LiveUpdate should be scheduled to run periodically at least weekly by using the Windows at command For example at 02 00 every M C Program Files Symantec Scan Engine cslive exe virusdefs silent This command runs LiveUpdate every Monday at 2 00 A M with no user intervention silent Configuring LiveUpdate 135 Setting up your own LiveUpdate server Setting up your own LiveUpdate server Depending on your network setup and the number of Symantec AntiVirus Scan Engines that you have installed on your network you might want to set up your own LiveUpdate server rather than have each scan engine on your network contact Symantec servers For more information see the LiveUpdate Administration Utility which is included on the Symantec AntiVirus Scan Engine CD If you set up your own LiveUpdate server you will need to edit the LiveUpdate configuration for the Symantec AntiVirus Scan Engine to point to the local LiveUpdate server For Solaris and Linux the Symantec AntiVirus Scan Engine LiveUpdate configuration file contains the configuration options for LiveUpdate The default location is etc liveupdate conf For Windows 2000 Server Server 2003 a LiveUpdate client cslive exe is installed with the Symantec AntiVirus Scan Engine Contact Symantec Service and Support for more informati
163. l configuring 185 configuring maximum number of threads 78 parameters 185 U uninstalling Symantec AntiVirus Scan Engine 38 upgrading from previous versions 31 user notification of virus found RPC 72 218 Index V virus definitions product name configuring 79 updating 132 virus detection description of technology 24 testing 27 virus notification message RPC 72 W Windows 2000 Server Server 2003 installing 34 system requirements 29 uninstalling 38 Windows Event Log configuring logging to 116 219 Symantec AntiVirus Scan Engine CD Replacement Form CD REPLACEMENT After your 60 Day Limited Warranty if your CD becomes unusable fill out and return 1 this form 2 your damaged CD and 3 your payment see pricing below add sales tax if applicable to the address below to receive replacement CD DURING THE 60 DAY LIMITED WARRANTY PERIOD THIS SERVICE IS FREE You must be a registered customer in order to receive CD replacements FOR CD REPLACEMENT Please send me CD Replacement s Name Company Name Street Address No P O Boxes Please City State Zip Postal Code ee Country Daytime Phone Software Purchase Date This offer limited to U S Canada and Mexico Outside North America contact your local Symantec office or distributor Briefly describe the problem CD Replacement Price 10 00 SALES TAX TABLE AZ 5 CA 7 25 CO 3 CT 6 DC 5 75 FL 6 GA 4 Sales T
164. l the file types that are scanned with the inclusion or exclusion list The Symantec AntiVirus Scan Engine is configured by default to scan all files except those with extensions that are listed in a prepopulated exclusion list The default exclusion list contains those file types that are unlikely to contain viruses but you can edit this list Using an inclusion list to control which types of files are scanned is the least secure setting Only those files types that are specifically listed in an inclusion list are scanned thus with an inclusion list there is an almost limitless number of possible file extensions that are not scanned For this reason the inclusion list is not prepopulated but you can choose to populate this list if you want to limit the file types that are scanned using an inclusion list If you use either the inclusion or the exclusion list to control the file types that are scanned rather than scanning all files the manner in which the list is applied differs depending on which of the following protocols are in use by the Symantec AntiVirus Scan Engine m Native protocol RPC and ICAP version 1 0 The inclusion or exclusion list is used by the Symantec AntiVirus Scan Engine only to determine which files to scan of those that are embedded in archival file formats for example zip or lzh files All top level files that are sent to the Symantec AntiVirus Scan Engine are scanned regardless of file extension No
165. lated the mail policy The text can be customized The default message text is ALERT This email contained one or more infected files The following attachments were infected and have been repaired lt listofinfectedfiles gt The following infected attachments were deleted lt listofdeletedfiles gt The following attachments were blocked because of mail policy violations lt listofblockedfiles gt You may wish to contact the sender to inform them about their infections Thank you Your ISP Note Even when the mail message update feature is not activated the Symantec AntiVirus Scan Engine attaches a text file to mail messages in place of each attachment that is deleted because it cannot be repaired The text file that is inserted is called DELETEDN TXT where N is a sequence number For example if two attachments are deleted the replacement files are called DELETEDO TXT and DELETED1 TXT The name of the file and the text that is contained in the file can be customized by editing the message string file symcmsgs dat Setting scanning and blocking policies 105 Establishing a mail filter policy To insert text into MIME encoded messages 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Blocking Policy 2 Onthe Mail tab under Updating mail message body check Add text to body of infected MIME encoded messages to warn recipient of infections The default text will be used when this featur
166. le m The maximum number of nested levels to be decomposed for scanning You can use some or all of these limits to control how the Symantec AntiVirus Scan Engine handles container files When any of these maximum values is met or exceeded for a given file the Symantec AntiVirus Scan Engine stops processing the file and generates a log entry You can specify whether to allow or deny access to files for which an established limit has been met or exceeded and for which processing has stopped Access is denied by default Warning If you plan to allow access to files for which a container violation has occurred keep in mind that when a limit is met or exceeded the Symantec AntiVirus Scan Engine stops processing the file and antivirus scanning is not completed Allowing access to a file that has not been fully scanned can potentially expose your network to viruses and other malicious content If you allow access to files for which a container limit violation has occurred and the scan engine finds a virus before processing stops the scan engine will not repair the file even if under normal circumstances the infection could be repaired In this case the file is handled as though the infection is unrepairable In addition to establishing resource limits for container files you can block access to all or certain types of malformed container files Computer viruses and malicious programs sometimes create intentionally malformed files These distor
167. le data trickle 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Configuration 2 On the Protocol tab under ICAP Protocol Configuration check Enable Trickle The ICAP protocol configuration settings display only when ICAP is selected as the communication protocol Data trickling is disabled by default Configuring the Symantec AntiVirus Scan Engine 65 Configuring ICAP 3 Inthe Trickle Timeout box type the number of seconds that the scan process will run before data trickling begins Data trickling is not invoked if scanning is complete before the trickle time out elapses The default setting is 5 seconds The maximum setting is 86 400 seconds 24 hours 4 Click Confirm Changes to save the configuration 5 Doone of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted How data trickle works When a user downloads a file the Symantec AntiVirus Scan Engine stores a copy of the requested file in a buffer and begins the scanning process While the copy is being scanned a small portion of the
168. les for your operating system for handling path names including using special characters quotation marks or wildcard characters as necessary Note If you have specified a directory for scanning and want to descend into subdirectories to scan additional files you must also use the recurse option See Requesting recursive scanning on page 175 Because files are actually sent to the Symantec AntiVirus Scan Engine for scanning you can only specify files or directories for which you have appropriate permissions To send files you must have read access to the files To repair replace or delete files you must have permission to modify or delete the files as well as access to the directory in which the files are located If you do not specify a path input data is read from STDIN and sent to the scan engine for scanning After the scan the data either the original file if it was clean or the repaired file is written to STDOUT If a file is infected and cannot be repaired no data is written to STDOUT Note The command line scanner handles DBCS encoded names These are converted to Unicode UTF 8 before they are passed to the scan engine and are converted back to the locale of the server after scanning Using the Symantec AntiVirus Scan Engine command line scanner 169 Command line scanner syntax and usage Supported options The options that are supported by the command line scanner are described in Table 11 3
169. level for the local logs is Warning Solaris and Linux only See Specifying the local logging level on page 113 Configuring and using logging Configuring local logging Change the log file location To accommodate sites with specialized disk configuration the location of the Symantec AntiVirus Scan Engine log files can be changed The disk space that is required for the log files varies depending on scan volume and associated activity The specified location must be large enough to accommodate these files See Changing the log file location on page 115 Change the message string file location The message text for Symantec AntiVirus Scan Engine log entries and SMTP insert messages is contained in an ASCII text file You can change the location and file name of this file You can customize the message text by editing this string file See Changing the message string file location on page 116 Specifying the local logging level If you are running the Symantec AntiVirus Scan Engine on Solaris or Linux the default logging destination is the local logs You can change the types of scan engine events that are logged to the local logs by selecting the appropriate local logging level The default logging level for the local logs for Solaris and Linux is Warning Logging to the local logs is not activated by default for Windows 2000 Server Server 2003 To specify the local logging level 1 On the Symantec AntiVirus Scan Eng
170. ling multiple Symantec AntiVirus Scan Engines you may want to take advantage of the silent install feature for the scan engine See Using the silent install feature on page 209 34 Installing the Symantec AntiVirus Scan Engine Installing the Symantec AntiVirus Scan Engine Installing on Windows 2000 Server Server 2003 Only a single instance of the Symantec AntiVirus Scan Engine can be run on Windows 2000 Server Server 2003 computers To install the Symantec AntiVirus Scan Engine on Windows 2000 Server Server 2003 1 7 Log on to the computer on which you plan to install Symantec AntiVirus Scan Engine as administrator or as a user with administrator rights Copy the ScanEngine exe file from the CD onto the computer Run the exe file Indicate that you agree with the terms of the Symantec license agreement then click Next If you do not indicate that you agree the installation is cancelled Select the location in which to install the Symantec AntiVirus Scan Engine then click Next The default location is C Program Files Symantec Scan Engine Select one of the following communication protocols m NATIVE m ICAP m RPC If you select RPC as the communication protocol type the IP address for the RPC client and then type the account name and password to identify the account with Backup Operator privileges on the RPC client on which the Symantec AntiVirus Scan Engine will run If the Symantec AntiVirus Scan Engine
171. ll feature for uninstallation cceeeseeeeeteteeees 214 CD Replacement Form 13 14 Contents Introducing the Symantec AntiVirus Scan Engine This chapter includes the following topics About the Symantec AntiVirus Scan Engine Where to start Considerations for implementation About supported protocols About virus protection About the Symantec AntiVirus Scan Engine The Symantec AntiVirus Scan Engine formerly marketed as CarrierScan Server is a carrier class virus scanning and repair engine The Symantec AntiVirus Scan Engine features all of the key virus scanning technologies available in the complete line of Symantec antivirus products making the Symantec AntiVirus Scan Engine one of the most effective virus solutions available for detecting and preventing virus attacks The Symantec AntiVirus Scan Engine provides virus scanning and repair capabilities to any application on an IP network regardless of platform using one of three protocols Any application can pass files to the Symantec AntiVirus Scan Engine for scanning which in turn scans the files for viruses and returns a cleaned file if necessary 16 Introducing the Symantec AntiVirus Scan Engine About the Symantec AntiVirus Scan Engine The Symantec AntiVirus Scan Engine accepts scan requests from client applications using one of three protocols The scan engine has its own native protocol and also can accept scan requests via a proprietary implement
172. lled to protect the computer that is running the Symantec AntiVirus Scan Engine you must exclude the local scan directory from real time scanning and from all scheduled and manually invoked scans by the client antivirus software before passing files to the Symantec AntiVirus Scan Engine for scanning 6 Click Confirm Changes to save the configuration 7 Doone of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted Configuring ICAP The Symantec AntiVirus Scan Engine can be configured to use ICAP to communicate with clients that are running either ICAP version 0 95 proprietary or ICAP version 1 0 presented in RFC 3507 April 2003 Any appropriate client can use ICAP to communicate with the Symantec AntiVirus Scan Engine to request the scanning and repairing of files The Symantec AntiVirus Scan Engine software development kit SDK is also available for custom integration using version 1 0 of ICAP The Symantec AntiVirus Scan Engine client side application program interface API C library streamlines the addition of virus scanning to any C
173. log messages are generated You can select a different logging level for each logging destination 108 Configuring and using logging About Symantec AntiVirus Scan Engine logging Logging destinations The Symantec AntiVirus Scan Engine lets you log to the following logging destinations Local logs If you are running the Symantec AntiVirus Scan Engine on Solaris or Linux the default logging destination is to the local logs The default location for the local logs for Solaris and Linux is var log The default location for the local logs for Windows 2000 Server Server 2003 is C Program Files Symantec Scan Engine See Configuring local logging on page 112 Windows Application Event Log If you are running the Symantec AntiVirus Scan Engine on Windows 2000 Server Server 2003 the default logging destination is the Application Event Log See Logging events to the Windows Application Event Log on page 116 SNMP and SMTP destinations In addition to the local logging that is maintained by the Symantec AntiVirus Scan Engine you can select SNMP Simple Network Management Protocol or SMTP Simple Mail Transfer Protocol as a separate logging destination You can activate SNMP and SMTP logging individually by providing the appropriate destination information See Activating SNMP and SMTP logging on page 117 Billing logs Billing logs contain scan volume data for the total number of files that are scanned and the avera
174. ls of files within container file meets or exceeds 10 When a processing limit is met or exceeded O Deny access to the file and generate a log entry Allow access tothe file and generate a log entry Malformed container file processing When a malformed container file is identified Allow access to all malformed containers O Deny access if container type cannot be identified C Deny access to all malformed containers File name length limits Stop the Symantec Antivirus Scan Engine from processing a file if the following limit is exceeded File name length exceeds 1024 bytes NonMIME threshold Identify a file as nonMIME if the following limit is exceeded No determination after reading 200000 bytes Help Confirm Changes In the Maximum extract size of the file meets or exceeds box type the maximum file size in bytes for individual files in a container file The default setting is 100 MB To disable this setting so that no limit is imposed type 0 Setting scanning and blocking policies 87 Specifying processing limits In the Number of nested levels of files within container file meets or exceeds box type the maximum number of nested levels of files that are decomposed within a container file The default setting is 10 levels The maximum value for this setting is 50 Select whether to allow or deny access to container files for which one or more limits are exceeded Access is denied by default Under Malformed
175. ministration Accessing the administrative interface Table 3 1 Command button functions Reporting Lets you examine scanning statistics or log data LiveUpdate Lets you update virus definitions files to ensure that your network remains protected against newly discovered viruses Licensing Lets you claim new license keys and check the status of the license keys that have already been installed Log Off Automatically logs you off of the administrative interface Password reentry is required to access the interface The Status pane The Status pane on the main administration page displays system metrics that are calculated since the last time that the Symantec AntiVirus Scan Engine was restarted manually rather than restarted through the administrative interface Metrics that are displayed in the Status pane are calculated from temporarily stored data When the Symantec AntiVirus Scan Engine is manually shut down the memory clears and the counts start over The top portion of the Status pane contains general information regarding scan engine operation The following information displays in the top portion of the Status pane m Current status of the Symantec AntiVirus Scan Engine m Version number of the Symantec AntiVirus Scan Engine that is running m Protocol currently in use by the Symantec AntiVirus Scan Engine m IP address and port number to which the Symantec AntiVirus Scan Engine is bound m Date and revision number of the
176. ministrative interface rather than uninstalling and reinstalling To edit the service startup properties for Windows 2000 Server Server 2003 1 2 3 In the Windows 2000 2003 Control Panel click Administrative Tools Click Services In the list of services right click Symantec AntiVirus Scan Engine then click Properties In the Properties dialog box on the Log On tab click This Account Type the account name and password for the account on which the Symantec AntiVirus Scan Engine will run Use the following format for the account name domain username Click OK Stop and restart the Symantec AntiVirus Scan Engine service Allocating resources Configuring the Symantec AntiVirus Scan Engine 77 Allocating resources You can allocate resources for the operation of the Symantec AntiVirus Scan Engine You can specify the settings that are listed in Table 5 4 Table 5 4 Resource settings Temporary directory The Symantec AntiVirus Scan Engine stores files in a temporary for virus scanning directory for virus scanning To support sites with large specialized disk configuration the location of this temporary directory can be specified The disk space that is required for this directory varies depending on the volume of files to be scanned Scan engine performance depends on this directory being able to accommodate potentially large numbers of large files during periods of peak use For Linux and Solaris the de
177. mmended value is 128 4 Inthe Threshold number of queued requests box type the threshold number of queued requests above which the Symantec AntiVirus Scan Engine is considered to be at maximum load The default setting is 100 5 Ifyou have chosen to generate log messages when maximum load is exceeded in the Log or send alerts for maximum load every box type the desired alert interval in minutes The default setting is five minutes 6 Ifyou are running more than one instance of the Symantec AntiVirus Scan Engine on Solaris or Linux under Advanced settings type an alternate virus definition product name in the box provided The default is SCANENGINE_43 If you are running the Symantec AntiVirus Scan Engine on Windows 2000 Server Server 2003 this setting does not appear on the administrative interface 7 Under Server resources in the Maximum RAM used for in memory file system box type the maximum amount of RAM that can be used for the in memory file system The default setting is 16 MB Configuring the Symantec AntiVirus Scan Engine 81 Allocating resources 8 Inthe Maximum file size stored in in memory file system box type the maximum file size that can be stored in the in memory file system The default setting is 3 MB Files that exceed the specified size are written to disk 9 Click Confirm Changes to save the configuration 10 Do one of the following m Click Continue to make additional changes to the Symantec AntiV
178. n The Symantec AntiVirus Scan Engine starts automatically as a daemon service when the installation is complete A transcript of the installation is saved as var log SYMCScan install log for later review Installing the Symantec AntiVirus Scan Engine 37 Stopping and restarting the Symantec AntiVirus Scan Engine service To ensure that the Symantec AntiVirus Scan Engine daemon is running on Solaris and Linux 1 Type the following command ps ea grep sym 2 Press Enter You should see a list of processes similar to the following 5358 0 00 symcscan 5359 0 00 symcscan If nothing is displayed the Symantec AntiVirus Scan Engine daemon did not start 3 Ifthe Symantec AntiVirus Scan Engine daemon did not start type the following command etc init d symcscan restart Stopping and restarting the Symantec AntiVirus Scan Engine service You might need to stop and restart the Symantec AntiVirus Scan Engine service Stopping and restarting the Symantec AntiVirus Scan Engine service results in a lost connection to client applications that are in the process of submitting a file for scanning The client application must reestablish the connection and resubmit the file for scanning Instructions for stopping and restarting the Symantec AntiVirus Scan Engine service differ depending on the operating system that you are running If you are running the Symantec AntiVirus Scan Engine on Windows 2000 Server Server 2003 stop and start service
179. n all Symantec antivirus products the Symantec AntiVirus Scan Engine offers controls to help prevent denial of service attacks that are caused by container files that are overly large or that contain multiple embedded compressed files m Serviceability Virus definitions for the Symantec AntiVirus Scan Engine can be automatically updated without interruption in virus scanning on all platforms The Symantec AntiVirus Scan Engine supports Symantec LiveUpdate technology Introducing the Symantec AntiVirus Scan Engine 17 About the Symantec AntiVirus Scan Engine Manageability The Symantec AntiVirus Scan Engine can be remotely managed from any computer on your network via a Web based administrative interface The Symantec AntiVirus Scan Engine provides full featured logging and SMTP simple mail transfer protocol and SNMP simple network management protocol alerting capability for a full range of activity making it manageable in large environments Multiple protocol support The Symantec AntiVirus Scan Engine accepts scan requests from client applications using one of three protocols m The Symantec AntiVirus Scan Engine native protocol m The Internet Content Adaptation Protocol ICAP version 0 95 proprietary implementation and version 1 0 of ICAP presented in RFC 3507 April 2003 m A proprietary implementation of remote procedure call RPC Ease of integration The Symantec AntiVirus Scan Engine runs on Sun Solaris
180. n be used to help you manage your resources and to protect your network against denial of service attacks See Specifying processing limits on page 84 Specify processing limits You can specify processing limits that apply to the following m Large container files You can set limits to control the resources that are expended on large container files m All files Other types of limits can be applied to all files such as the maximum number of bytes to be read in determining whether a file is MIME encoded To specify processing limits for large container files via the configuration file 1 At MaxExtractTime do one of the following m Type the maximum allowable amount of time in seconds for decomposing a container file and its contents m Type 0 to disable this variable The default setting is 180 seconds 3 minutes 2 At MaxExtractSize do one of the following m Type the maximum allowable file size in bytes for each file within a container file to be decomposed m Type 0 to disable this variable The default setting is 100 MB Editing the configuration file 195 Configuration options 3 At MaxExtractDepth type the maximum allowable number of nested levels of files within a container file to be handled by the decomposer The default setting is 10 levels The maximum value that can be entered is 50 4 AtLimitChoiceStopCont type one of the following m 0 Allow access to container files for which one or mor
181. n date it is considered to be ina warning period After a license expires the licensed feature continues to operate for a specified period of time This is the grace period If the grace period expires with no license renewal all record of the license is removed and the product becomes unlicensed The Symantec AntiVirus Scan Engine can be configured to generate log entries to indicate that a license is in the warning period or the grace period Log entries are generated every 24 hours during the period See About Symantec AntiVirus Scan Engine logging on page 107 You can view detailed information on the status of all installed Symantec AntiVirus Scan Engine licenses at any time by clicking Licensing on the Symantec AntiVirus Scan Engine main administration page See Checking the license status on page 53 The Symantec AntiVirus Scan Engine Status page which is located in the left pane on the main administration page also contains a License status entry that indicates whether any installed license is in either a grace or warning period Removing license files Symantec AntiVirus Scan Engine licenses are not uninstalled automatically when the product is uninstalled The license files remain in place so that if you must uninstall and reinstall the Symantec AntiVirus Scan Engine for any reason the license is intact on reinstall Each installed license is stored in a separate file in the shared license directory that contains t
182. n easily distinguish the uninstallation response file from any response files that you have saved for silent installation To create the uninstallation response file Atthe command prompt type ScanEngine r f1 C Temp ScanEngine_uninstall iss To initiate the silent uninstallation Atthe command prompt type ScanEngine s f1 C Temp ScanEngine_uninstall iss A access denied message customizing ICAP 151 administrative interface accessing 41 changing settings for 45 description of 39 42 administrator password configuring 45 time out configuring 45 alert bind address configuring 122 alert interval configuring 78 antivirus scanning command line scanner 165 description of 24 specifying file types for 88 testing detection capabilities 27 B billing logs description of 108 generating scanning statistics from 127 interpreting scanning statistics 129 bind address configuring for administrative interface 45 for ICAP 61 for native protocol 57 Bloodhound sensitivity configuring 89 c command buttons 42 command line scanner description 165 installation 166 obtaining detailed scanning results details on infections found 173 disposition of each file scanned 172 scanning time for each file 174 options description 169 disposing of infected files on error 175 command line scanner continued options continued obtaining detailed scanning results 172 recursive scanning 175 specifying the scan engine 1
183. n screen prompts to complete the uninstallation To uninstall the Symantec AntiVirus Scan Engine on Solaris 1 Log onto the computer as root 2 At the command prompt type the following command pkgrm SYMCScan 3 Press Enter 4 Follow the on screen prompts to complete the uninstallation To uninstall the Symantec AntiVirus Scan Engine on Red Hat Linux 1 Log onto the computer as root 2 At the command prompt type the following command rpm e SYMCScan 3 Press Enter Symantec AntiVirus Scan Engine administration This chapter includes the following topics m About the administrative interface m Accessing the administrative interface m Changing the administration settings About the administrative interface The Symantec AntiVirus Scan Engine is managed through a Web based interface This interface is provided through a built in HTTP server The Symantec AntiVirus Scan Engine administrative interface is accessed via a Web browser on any computer on your network that can access the server that is running the Symantec AntiVirus Scan Engine The administrative interface is accessed using a virtual administrative account that is created at installation The administrative interface lets you manage the Symantec AntiVirus Scan Engine In order for changes that have been made through the administrative interface to take effect you must restart the Symantec AntiVirus Scan Engine service When you are making changes to the Symantec
184. name The mail message is not updated to indicate that an attachment has been deleted due to a mail policy violation unless you activate the mail message update feature See Inserting text into MIME encoded messages on page 104 m Reject the message The scan engine rejects any message that contains an attachment with a specified file name To remove a file name from the list select it and press Delete When you have finished establishing the mail policy click Confirm Changes to save the configuration Do one of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted 101 102 Setting scanning and blocking policies Establishing a mail filter policy Filtering mail by attachment file size When you filter mail by attachment file size you specify one or more file sizes that are known to be threats and specify how the Symantec AntiVirus Scan Engine will handle messages that contain attachments of any of the listed file sizes The scan engine can be configured to reject the entire message or deliver the message with the attachment r
185. ncryptPW utility which is included in the scan engine distribution to generate an encrypted password Use the encrypted string that is returned by the utility for this value See Generating an encrypted password on page 213 InstallDir Location in which to install the Symantec AntiVirus Scan Engine The default location is opt SYMCScan LogDir Location in which to place the Symantec AntiVirus Scan Engine log files The default location is var log 212 Using the silent install feature Creating the response file Table D 1 Input values in the response file SymShared Location of the SymShared directory The default location is opt Symantec Note The SymShared directory contains the virus definitions that are used by the Symantec AntiVirus Scan Engine to scan for viruses If you have multiple Symantec products installed on the computer this directory lets the products share virus definitions If you have previously installed a Symantec AntiVirus product on the computer this directory might already exist CreateAVDefsGroup Boolean value that indicates whether to create the avdefs group Use 0 if the group already exists or use 1 to create the group The avdefs group has access rights to the directory that contains the virus definitions that are used by the Symantec AntiVirus Scan Engine If you have previously installed a Symantec product on the computer this group might already exist To create the re
186. nd to the domain that is managed by the selected SESA Management Server 12 Indicate whether the local SESA Agent should start automatically whenever the computer is restarted If you indicate No you must manually restart the local SESA Agent each time the computer is restarted 13 Indicate whether the local SESA Agent should start immediately after the installation finishes If you indicate No you must manually start the local SESA Agent after the installation is complete The installer proceeds from this point with the installation Unless you indicated otherwise during the installation the local SESA Agent starts automatically when the installation is complete Stopping and restarting the local SESA Agent service You may need to stop and restart the local SESA Agent Stop and restart the local SESA Agent service Instructions for stopping and restarting the local service differ depending on the operating system that you are running For Windows 2000 Server Server 2003 you can stop and start the service in the Services Control Panel To stop and restart the local SESA Agent service on Solaris Atthe command prompt do one of the following m To stop the service type the following command etc init d sesagentd stop m To start the service type the following command etc init d sesagentd start Integrating the Symantec AntiVirus Scan Engine with SESA 161 Configuring logging to SESA To stop and restart the local SESA Agent ser
187. ng m 0 Open the top level file as a container file and scan only the contents of the file do not scan the top level file m 1 Scan all top level files This is the default setting 198 Editing the configuration file Configuration options Blocking MIME partial message content via the configuration file The Symantec AntiVirus Scan Engine must have a MIME encoded message in its entirety to effectively scan it for viruses Some email software applications break large messages down into a number of smaller more manageable partial messages for transmission The Symantec AntiVirus Scan Engine is configured by default to reject partial messages because they cannot be effectively scanned for viruses To block MIME partial message content At RejectPartialMessages type one of the following m 0 Block partial messages This is the default setting m 1 Allow access to partial messages Activating mail message body updates via the configuration file You can add text to the bodies of MIME encoded messages to warn recipients that a virus was found in an attachment or that an attachment was deleted because it violated the mail filter policy The default text indicates that an attachment was infected and repaired or deleted because it could not be repaired or that an attachment was deleted because it violated the mail policy See Inserting text into MIME encoded messages on page 104 To activate mail message body updates
188. ng TCP IP with a static IP address Internet connection for LiveUpdate of virus definitions 30 Installing the Symantec AntiVirus Scan Engine System requirements Solaris Red Hat Linux Microsoft Internet Explorer 6 0 with Service Pack 1 or later or Netscape Navigator 7 01 or later with a Java 2 run time environment version 1 4 or later installed for Web based administration Note The Web browser can be installed on any computer on your network that can access the server that is running the Symantec AntiVirus Scan Engine Solaris 7 or later Sun Ultra 10 or higher SPARC 400 MHz or higher 256 MB of RAM or higher 35 MB of hard disk space 1 network interface card NIC running TCP IP with a static IP address Internet connection for LiveUpdate of virus definitions Netscape Navigator 7 01 or later with a Java 2 run time environment version 1 4 or later installed for Web based administration Note The Web browser can be installed on any computer on your network that can access the server that is running the Symantec AntiVirus Scan Engine Red Hat Linux version 7 3 or later Pentium III 500 MHz or higher 256 MB of RAM or higher 25 MB of hard disk space 1 network interface card NIC running TCP IP with a static IP address Internet connection for LiveUpdate of virus definitions Installing the Symantec AntiVirus Scan Engine 31 Preparing for installation Netscape Navigator 7 01 or later with a
189. ng service 37 161 system requirements 30 uninstalling 38 LiveUpdate configuring 132 configuring LiveUpdate server 135 description of 131 scheduling via command line 133 load balancing 22 local logging configuring local logging level 113 log file location 115 message string file location 116 managing local logs 123 local SESA Agent installing 156 logging clearing local logs 123 configuring local logging 112 customizing log entries 139 description of logging events 111 downloading logs 123 log file location changing 115 logging destinations 107 logging levels 109 obtaining summary data 125 SESA 153 SESA logging levels 162 SMTP logging configuring 120 SNMP logging configuring 118 Windows Event Log 116 mail filter policy blocking partial messages 103 by attachment file name 100 by attachment file size 102 by mail subject 97 by maximum mail size 97 by message origin 99 configuring 94 MIME augmentation 104 malformed container files blocking access 85 message string file configuring location of 116 customizing message strings 139 description of 137 editing 138 MIME augmentation configuring 104 customizing message text 145 native protocol configuring 57 discussion of 23 return codes 205 P partial messages blocking 103 port number configuring for administrative interface 45 for ICAP 61 for native protocol 57 protocol configuring 56 ICAP 23 native 22 RPC 23 Q quarantining infected files 74 queue siz
190. ngine was unable to determine proper character encoding 1060 Client SID Message text that provides the Security Identifier of the user who requested an infected file from an RPC client This log entry is used only when you have selected RPC as the communication protocol and the RPC client is running an appropriate operating system and version 1061 Client IP Message text that provides the IP address of the computer from which an infected file was requested This log entry is used only when you have selected RPC as the communication protocol and the RPC client is running an appropriate operating system and version 1062 Client Computer Text that provides the host name of the computer from which an infected file was requested This log entry is used only when you have selected RPC as the communication protocol and the RPC client is running an appropriate operating system and version Table 9 1 Message string definitions Customizing log entries 145 About the 2000 series message strings 1101 CLEAN Message body text that appears to the right of Disposition to indicate that no virus has been found 1102 NOT REPAIRED Message body text that appears to the right of Disposition to indicate that a virus has been found but the infected file has not been repaired 1103 PARTIALLY REPAIRED Message body text that appears to the right of Disposition to indicate that multiple viru
191. nning statistics for a given time range in one of two ways You can retrieve data via the Statistics tab on the Symantec AntiVirus Scan Engine administrative interface recommended or you can use the getstat utility which also is included with the Symantec AntiVirus Scan Engine to obtain statistical data via the command line See Generating scanning statistics from the billing logs on page 127 A sample report that was generated through the administrative interface is shown in Figure 7 2 Figure 7 2 Sample Statistics report Download Statistics Summary Number of files Enter start date 2 23 02 Enter end date 3 25 02 that were scanned for each 30 minute period Generate Report Total files scanned 157303 95th percentile kilobytes per second 1413 m Calculated average Day Date 30min starttime Files _ Average KPS KPS for each 30 Tue Feb 25 2002 16 0 18630 minute period Tue Feb 25 2002 15 30 9953 identified by start Sat Mar 8 2002 8 30 9755 time Thu Feb 27 2002 18 30 953 Tue Mar 4 2002 1 30 9441 Sat Mar 1 2002 22 0 9401 Wed Feb 26 2002 16 0 5978 Thu Mar 6 2002 5 0 9302 Clicking a column Sat Mar 2 2002 23 0 6660 i Fri Mar 7 2002 6 0 6181 heading sorts the Mon Feb 24 2002 15 30 7841 entries by that Wed Mar 5 2002 2 30 5798 criteria Fri Feb 28 2002 19 30 6100 Mon Mar 3 2002 0 30 5440 Fri Feb 28 2002 20 30 3063 The total number of files that were s
192. o be used for the in memory file system and the maximum file size in bytes that can be stored in the in memory file system To limit resources for in memory file processing 1 AtInMemoryFileSystemSize type the maximum amount of RAM that can be used for the in memory file system The default setting is 16000000 16 MB 2 At MaxInMemoryFileSize type the maximum file size that can be stored in the in memory file system Files that exceed the specified size are written to disk The default setting is 3000000 3 MB Configuring logging options via the configuration file You can activate logging for selected scan engine activities to a number of logging destinations and change the location of log files See Configuring local logging on page 112 Specifying a different location for the local log files To accommodate sites with specialized disk configuration the location of the Symantec AntiVirus Scan Engine local log files can be changed To specify a different location for the local log files At LogDir replace the existing location with the new location Editing the configuration file 189 Configuration options Changing the location and file name of the message string file The message text for Symantec AntiVirus Scan Engine log entries and SMTP insert messages is contained in an ASCII text file You can change the location and file name of this file To change the path and file name of the message string file
193. o change the log file location 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Configuration On the Logging tab under Log file location in the Log file path location box type the path to the new location for the log file The default location for Solaris and Linux is var log The default location for Windows 2000 Server Server 2003 is C Program Files Symantec Scan Engine Click Confirm Changes to save the configuration You must restart the Symantec AntiVirus Scan Engine service for this change to take effect Data that was logged prior to restarting the service is contained in the previous log file and is not parsed for Symantec AntiVirus Scan Engine reporting purposes Do one of the following Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost Click Restart to save your changes and restart the scan engine service now Click Save No Restart to save your changes Changes will not take effect until the service is restarted 116 Configuring and using logging Logging events to the Windows Application Event Log Changing the message string file location The message text for Symantec AntiVirus Scan Engine log entries and SMTP insert messages is contained in an ASCII text file You c
194. od of time Select an interval that will be informative but will not result in an excessive number of log entries Note For logging to occur when the scan engine is at maximum load the logging level for the desired logging destination must be set to Warning or higher See Logging levels on page 109 Configuring the Symantec AntiVirus Scan Engine 79 Allocating resources Table 5 4 Resource settings Virus definition Solaris and Linux permit multiple instances of the Symantec product name AntiVirus Scan Engine on the same computer If you are running more than one scan engine on a single computer the product name must be unique for each Scan Engine service so that both scan engines receive updated virus definitions via LiveUpdate This option only appears if you are running the scan engine on Solaris or Linux In memory file The Symantec AntiVirus Scan Engine can decompose and scan the processing limits contents of container files in memory which eliminates the latency imposed by on disk scanning This feature can improve performance in environments in which large volumes of container and archive file formats are routinely submitted for scanning You can limit the resources consumed for in memory file processing by specifying the following m The maximum amount of RAM in megabytes used for the in memory file system m The maximum file size in megabytes that can be stored in the in memory file system To allocat
195. olations that are found For example savsecls server 192 168 0 100 1344 details c work filea c work fileb c work filec c work filed When this option is used a block of text is printed to STDOUT for each file that is infected or violates an established policy The output text indicates the name of the file that was scanned detailed information about the infection or the violation and the result of the scan also provided for the verbose option The output includes the following m Problem name Virus name or container violation description m Problem ID Virus ID for viruses or pseudo ID for policy violations m Disposition Infected repaired or deleted Note The output data for disposition mirrors information that is returned by the Symantec AntiVirus Scan Engine for each infection or violation that is identified and might not reflect the final disposition of the file The final disposition of the file is indicated by the code for the scan results which is also displayed when you use the verbose option 174 Using the Symantec AntiVirus Scan Engine command line scanner Command line scanner syntax and usage The output when four files for example a b c and d are scanned and files c and d are found to be infected with the Kakworm c virus should look similar to the following c work filec 2 Kakworm c 2832 Infected c work filed 2 Kakworm c 2832 Infected Using the timing option The timing option l
196. on 136 Configuring LiveUpdate Setting up your own LiveUpdate server Customizing log entries This chapter includes the following topics About the message string file Editing the message string file Preserving customized text during an upgrade About the 1000 series message strings About the 2000 series message strings About the 4000 series message strings Editing the ICAP access denied message About the message string file Symantec AntiVirus Scan Engine log entries can be customized by editing the message string file The message string numbers in the file identify the classification of the message string The message strings are numbered as follows 1000 series Message strings that are numbered in this manner are used to build the SNMP SMTP and local log entries Log entries are generated for many activities including startup shutdown virus definitions updates infections found and so on See Table 9 1 Message string definitions on page 139 138 Customizing log entries Editing the message string file m 2000 series Message strings that are numbered in this manner are used to update email messages when an infected attachment is found and repaired or deleted because it cannot be repaired This type of message notifies the recipient of a scanned email message that one or more attachments that were contained in the message were infected Variables can be used to customize these log messages See
197. ons on which the Symantec AntiVirus Scan Engine will run See Editing the service startup properties on page 75 To configure the native protocol 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Configuration 2 On the Protocol tab click Native protocol The configuration settings display for the selected protocol Protocol Resources Logging Admin Select communication protocol Native protocol C ICAP Native protocol configuration Scan Engine bind address Port number 7777 Local scan directory Help Confirm Changes 3 Inthe Scan Engine bind address box type a bind address if necessary By default the Symantec AntiVirus Scan Engine binds to all interfaces You can restrict access to a specific interface by typing the appropriate bind Configuring the Symantec AntiVirus Scan Engine 59 Configuring ICAP address Use 127 0 0 1 the loopback interface to let only clients that are running on the same computer connect to the Symantec AntiVirus Scan Engine 4 Inthe Port number box type the TCP IP port number to be used by client applications to pass files to the scan engine for scanning The default setting is port 7777 5 Inthe Local scan directory box type a local scan directory if necessary Any file can be scanned by default when no local scan directory is specified If you specify a directory for local scanning and you have client antivirus software insta
198. onse file m Using the silent install feature for uninstallation About the silent install feature The silent install feature lets you automate the installation of the Symantec AntiVirus Scan Engine You can use the silent install feature when you are installing multiple Symantec AntiVirus Scan Engines with identical input values for installation The silent install feature lets you capture the required input values for installation in a response file You can use the response file for subsequent installations to read in the values so that the installations are silent freeing you from having to repeatedly supply input values for each installation Implementing the silent install feature is a two step process m Create a response file to capture your input values for installation m Run the install program to read the response file and perform the install silently using the same responses that you specified in the response file 210 Using the silent install feature Creating the response file Creating the response file The response file contains the input values for the required responses for installation of the Symantec AntiVirus Scan Engine You can create different response files for different installation scenarios for example different protocols installation directories or RPC clients The procedures for creating the response file differ for Windows 2000 Server Server 2003 Solaris and Linux Creating the response fil
199. or G use the Software in any manner that contradicts any additional restrictions set forth in Section 8 below 2 Content Updates Certain Software utilize content which is updated from time to time including but not limited to the following Software antivirus software utilize updated virus definitions content filtering software utilize updated URL lists some firewall software utilize updated firewall rules and vulnerability assessment products utilize updated vulnerability data these updates are collectively referred to as Content Updates You shall have the right to obtain Content Updates for any period for which You have purchased maintenance except for those Content Updates which Symantec elects to make available by separate paid subscription or for any period for which You have otherwise separately acquired the right to obtain Content Updates Symantec reserves the right to designate specified Content Updates as requiring purchase of a separate subscription at any time and without notice to You provided however that if You purchase maintenance hereunder that includes particular Content Updates on the date of purchase You will not have to pay an additional fee to continue receiving such Content Updates through the term of such maintenance even if Symantec designates such Content Updates as requiring separate purchase This License does not otherwise permit Licensee to obtain and use Content Updates 3 Limited Wa
200. or the Scan Engine Licensing Alert when a Symantec AntiVirus Scan Engine license has expired This alert is generated only while the scan engine is operating in the grace period 1040 Scan Engine Licensing Alert Subject of the Scan Engine Licensing Alert 1041 Feature Name Message body text that states the feature name for the license that is the subject of the Scan Engine Licensing Alert 1042 Expiration Date Message body text that states the expiration date for the license that is the subject of the Scan Engine Licensing Alert 1043 Consult the License Status page for more information Additional message body text for the Scan Engine Licensing Alert which is issued when a Symantec AntiVirus Scan Engine license has expired or is about to expire 144 Customizing log entries About the 1000 series message strings Table 9 1 Message string definitions 1046 Virus definitions successfully Message text for the log entry that is rolled back to previous issued when an error occurs in updating definitions the virus definitions and the rollback to previous virus definitions is successful 1050 BAD_FILE_ NAME Message text that replaces lt file name gt in which the Symantec AntiVirus Scan Engine was unable to determine proper character encoding 1051 BAD_COMPONENT_NAME Message text that replaces lt file name gt for a file within a container for which the Symantec AntiVirus Scan E
201. original unscanned file is sent to the user via the client application The trickled data triggers the File Download or Save File As dialog box which provides the user with a quicker download response After the user enters a file location and clicks Save in the File Download or Save File As dialog box the file is trickled to the user in small amounts at regular intervals until the scan is complete which prevents the browser from timing out The browser indicates how much of the file has been trickled so far If no virus is detected during the scan data trickling stops and the remainder of the file is sent to the user If a virus is detected data trickling stops and no additional data is sent to the user The user receives no notification that the file might be incomplete or that it might contain a virus However Symantec AntiVirus Scan Engine logging regarding virus detection functions normally when data trickling is active A log message about the virus detection is sent to all active logging destinations Note Data trickling is not invoked during scanning of POST transaction data 66 Configuring the Symantec AntiVirus Scan Engine Configuring RPC Warnings and limitations about data trickle Enabling data trickle can compromise antivirus integrity Symantec does not recommend using the data trickle feature for the following reasons m The data that is trickled to the user might contain a virus Note If you enable data
202. osition of the file Table 11 4 lists the possible scan result codes Table 11 4 Possible scan result codes for the verbose option 2 An error occurred within the Symantec AntiVirus Scan Engine The file was not scanned 1 An error occurred within the command line scanner The file was not scanned 0 The file was successfully scanned and is clean A clean file result can mean any one of the following m The file was clean to start with m The file was infected and repaired m The file was a container file and contained infected embedded files that were repaired or deleted Using the Symantec AntiVirus Scan Engine command line scanner 173 Command line scanner syntax and usage Table 11 4 Possible scan result codes for the verbose option 1 The file was successfully scanned was not able to be repaired and was not deleted A not clean result can mean that the file was unrepairable or that the scan policy did not permit repair 2 The file was successfully scanned was not able to be repaired and was deleted A not clean result can mean that the file was unrepairable or that the scan policy did not permit repair The output when four files for example a b c and d are scanned should look similar to the following c work filea 1 c work fileb 2 c work filec 2 c work filed 0 Using the details option The details option lets you obtain detailed information regarding the infections or vi
203. ou want to limit the Symantec AntiVirus Scan Engine so that only files under a particular directory can be scanned If a local scan directory is not specified which is the default any file can be scanned To specify a directory for local file scanning AtLocalScanDir type the appropriate directory structure The specified directory must already exist Editing the configuration file 181 Configuration options Configuring ICAP via the configuration file If you select ICAP as the protocol to be used by the Symantec AntiVirus Scan Engine you must configure several ICAP specific options To configure ICAP via the configuration file 1 At ICAPInfectionHTMLFile replace the existing path and file name with a new path and file name if necessary The Symantec AntiVirus Scan Engine includes a default HTML message to display to users when access to a file is denied because it contains a virus You can customize this message by specifying an alternate path and file name or by editing the existing file If you choose to edit the existing file you do not have to change this setting At ICAPActionPolicy type one of the following to specify how to handle infected files m SCAN Deny access to the infected file but do nothing to the infected file m SCANDELETE Delete all infected files without attempting repairs m SCANREPAIR Attempt to repair infected files but do nothing to files that cannot be repaired m SCANREPAIRDELET
204. partial message content 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Blocking Policy On the Mail tab under Blocking MIME partial message content check Block MIME partial message content The scan engine is configured by default to block partial messages When you have finished establishing the mail policy click Confirm Changes to save the configuration 103 104 Setting scanning and blocking policies Establishing a mail filter policy 4 Doone of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted Inserting text into MIME encoded messages The Symantec AntiVirus Scan Engine can be configured to add text to the body of a MIME encoded message to warn the recipient of the message that an attachment was infected The mail message body also is updated when an attachment is deleted because of a mail policy violation The default text indicates that an attachment contained a virus and was repaired or that it was deleted because it contained a virus that could not be repaired or that vio
205. pies and that both that copyright notice and this permission notice appear in supporting documentation and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific written prior permission CMU software disclaimer CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE DATA OR PROFITS WHETHER IN AN ACTION OF CONTRACT NEGLIGENCE OR OTHER TORTIOUS ACTION ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE A set of Unicode handling libraries is used in this software This software is Copyright c 1995 2002 International Business Machines Corporation and others All rights reserved Permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files the Software to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute and or sell copies of the Software and to permit persons to whom the Software is furnished to do so provided that the above copyright notice s and this permission notice appear in all copies of the Software and that both the above copyright notice s and this permission notice appear in supportin
206. ple savsecls server 192 168 0 100 1344 192 168 0 101 1344 c temp When more than one scan engine is specified the load balancing and failover features of the API are activated automatically The Symantec AntiVirus Scan Engine API provides scheduling across any number of computers that are running the Symantec AntiVirus Scan Engine The API determines the appropriate Symantec AntiVirus Scan Engine when multiple scan engines are used to receive the next file to be scanned based on the scheduling algorithm If a Symantec AntiVirus Scan Engine is unreachable or stops responding during a scan another scan engine is called and the faulty scan engine is taken out of rotation for 30 seconds If all of the scan engines are out of rotation the faulty scan engines are called again The API does not stop trying to contact the scan engine unless five engines are not functioning or it appears that a file that is being scanned might have caused more than one engine to stop responding Specifying the antivirus scanning mode The mode option lets you override the default antivirus scanning mode for the command line scanner The default scanning mode is scanrepairdelete The repair of infected files is attempted and files that cannot be repaired are deleted You do not need to specify an antivirus scanning mode to use the default setting Scanrepairdelete is the recommended setting To override the default antivirus scanning mode you can specify one
207. plications that pass files to the scan engine benefit from load balanced virus scanning without any additional effort The API determines the appropriate Symantec AntiVirus Scan Engine when multiple scan engines are used to receive the next file to be scanned based on the scheduling algorithm If a Symantec AntiVirus Scan Engine is unreachable or goes down during a scan another scan engine is called and the faulty scan engine is taken out of rotation for a period of time If all of the scan engines are out of rotation the faulty scan engines are called again The API does not stop trying to contact the scan engine unless five engines are not functioning or it appears that a file that is being scanned might have caused more than one engine to go down Note If you are using the Symantec AntiVirus Scan Engine as a plug in using RPC or ICAP load balancing across multiple scan engines may be configurable depending on the implementation See the plug in documentation About supported protocols The Symantec AntiVirus Scan Engine lets client applications send scan requests using one of three protocols m The native protocol m The Internet Content Adaptation Protocol ICAP m A proprietary remote procedure call RPC protocol The protocol can be changed at any time See Selecting the communication protocol on page 56 Introducing the Symantec AntiVirus Scan Engine 23 About supported protocols About the native protocol
208. protection of the operating system To achieve comprehensive virus protection with the Symantec AntiVirus Scan Engine it is important to protect the Symantec AntiVirus Scan Engine server from virus attacks To protect the host computer run an antivirus program such as Symantec AntiVirus Corporate Edition on the server that is running the Symantec AntiVirus Scan Engine Warning To prevent a conflict between the Symantec AntiVirus Scan Engine and the antivirus product that is running on the host computer you must configure the antivirus product on the host computer so that it does not scan the temporary directory that is used by the Symantec AntiVirus Scan Engine for scanning Installing the Symantec AntiVirus Scan Engine The Symantec AntiVirus Scan Engine should be installed on a computer that meets the system requirements See System requirements on page 29 Ensure that your server s operating system software and applicable updates are installed configured and working correctly before you install the Symantec AntiVirus Scan Engine Consult your server s documentation for more information Once you have installed the Symantec AntiVirus Scan Engine you must activate all applicable product licenses You must also activate your subscription to virus definitions updates The antivirus scanning features are not active until you activate the licenses See Activating product licenses on page 49 If you are instal
209. pted to post an email message with an attachment that was infected and could not be repaired the email message would be posted but the attachment would be replaced with a text file indicating that an infected file was deleted ICAP configuration options Configuring the Symantec AntiVirus Scan Engine Configuring ICAP If you select ICAP as the protocol to be used by the Symantec AntiVirus Scan Engine you must configure certain ICAP specific options The configuration options for ICAP are described in Table 5 2 You must also configure the ICAP client to work with the Symantec AntiVirus Scan Engine Table 5 2 Protocol specific options for ICAP Scan Engine bind address By default the Symantec AntiVirus Scan Engine binds to all interfaces You can restrict access to a specific interface by entering the appropriate bind address You can use 127 0 0 1 the loopback interface to let only clients that are running on the same computer connect to the Symantec AntiVirus Scan Engine Port number The port number must be exclusive to the Symantec AntiVirus Scan Engine The default port number is 1344 If you change the port number use a number that is greater than 1024 that is not in use by any other program or service If you are installing more than one instance of the Symantec AntiVirus Scan Engine ona single computer each scan engine service must have a unique port number HTML message displayed for infected files Th
210. ration file 1 At RPCClient type the IP address for each RPC client for which the Symantec AntiVirus Scan Engine is to provide scanning services Use the format lt IPaddress gt lt IPaddress gt lt IPaddress gt where lt IPaddress gt is a single IP address for a supported RPC client 2 At RPCActionPolicy type one of the following to specify how to handle infected files m SCAN Deny access to the infected file but do nothing to the infected file m SCANREPAIR Attempt to repair infected files but do nothing to files that cannot be repaired m SCANREPAIRDELETE Attempt to repair infected files and delete any unrepairable files from archive files 3 At RPCConnectionCheckIinterval type in seconds the interval at which the Symantec AntiVirus Scan Engine checks to ensure that the connection to the RPC client is still active The default interval is 20 seconds 4 AtRPCMaxReconnectAttempts type the maximum number of attempts the Symantec AntiVirus Scan Engine will make to reestablish a lost connection to the RPC client The default setting is 0 which causes the Symantec AntiVirus Scan Engine to try indefinitely to reestablish a connection Notifying requesting users that a virus was found When a virus is found in a file that is requested from an RPC network attached storage client you can configure the Symantec AntiVirus Scan Engine to notify the requesting user that the retrieval of the file failed because a virus was
211. re running on the same computer connect to the Symantec AntiVirus Scan Engine Port number The specified port number must be exclusive to the Symantec AntiVirus Scan Engine The default port number is 7777 If you change the port number use a number that is greater than 1024 that is not in use by any other program or service If you are installing more than one instance of the Symantec AntiVirus Scan Engine on a single computer each Scan Engine service must have a unique port number 58 Configuring the Symantec AntiVirus Scan Engine Configuring the Symantec AntiVirus Scan Engine native protocol Table 5 1 Protocol specific options for the native protocol Local scan directory You only need to provide a local scan directory when you are using local file scanning options that is the client application and the Symantec AntiVirus Scan Engine are running on the same computer and files are scanned in place on the computer and you want to limit the Symantec AntiVirus Scan Engine so that only files under a particular directory can be scanned If a local scan directory is not specified which is the default any file can be scanned The directory that you specify must already exist If you are running the Symantec AntiVirus Scan Engine on Windows 2000 Server Server 2003 and you change the protocol setting to the native protocol you might need to change the service startup properties to identify an account that has sufficient permissi
212. red Message body text for the Infection Found Alert when the infected file can be repaired and the Symantec AntiVirus Scan Engine is configured to repair infected files 1033 The infection has been found and the infected file has been deleted Message body text for the Infection Found Alert when the Symantec AntiVirus Scan Engine is configured to delete infected files 1035 Scan Engine mail policy initialization error Subject of the Symantec AntiVirus Scan Engine mail policy initialization error log entry Table 9 1 Message string definitions Customizing log entries 143 About the 1000 series message strings 1036 There was an error loading finding the Scan Engine mail policy configuration files Please correct the problem and restart the Scan Engine Message text for the Symantec AntiVirus Scan Engine Mail Policy Initialization Error log entry which is issued when a mail policy configuration file is missing 1037 Symantec AntiVirus Scan Engine Logging Stopped Message text for the log entry that is issued when logging stops for the Symantec AntiVirus Scan Engine because the scan engine has been shut down or has crashed 1038 A license is about to expire Message body text for the Scan Engine Licensing Alert when a Symantec AntiVirus Scan Engine license is about to expire within 30 days of its expiration date 1039 A license has expired Message body text f
213. repair or delete x I Enable Trickle Trickle Timeout S Help Confirm Changes In the Scan Engine bind address box type a bind address if necessary By default the Symantec AntiVirus Scan Engine binds to all interfaces You can restrict access to a specific interface by typing the appropriate bind address Use 127 0 0 1 the loopback interface to let only clients that are running on the same computer connect to the Symantec AntiVirus Scan Engine In the Port number box type the TCP IP port number to be used by client applications to pass files to the Symantec AntiVirus Scan Engine for scanning The default setting for ICAP is port 1344 In the HTML message displayed for infected files box type the path and file name to supply an alternate HTML file if necessary In the ICAP scan policy list select how you want the Symantec AntiVirus Scan Engine to handle infected files The default setting is Scan and repair or delete Click Confirm Changes to save the configuration 64 Configuring the Symantec AntiVirus Scan Engine Configuring ICAP 8 Doone of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now m Click Save No Resta
214. rface On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Licensing Activating product licenses 53 Checking the license status 3 Doone of the following m On the Install tab click Browse to browse to the location of the license file The path to the file should appear in the box to the left of the Browse button m Open the license file using a text editor such as Notepad and copy and paste the entire contents of the file into the field on the Install tab Make sure that you use a text editor such as Notepad to open the file Because the license file is an XML file browsers such as Microsoft Internet Explorer add extra code as they open the license file If the license file is altered in any way it will not install 4 Click Confirm Changes The software indicates whether the license was installed successfully 5 Click Continue If the license was installed successfully clicking Continue returns you to the Status tab so that you can verify the updated license status If the license did not install clicking Continue returns you to the Install tab so that you can attempt the installation again Checking the license status You can access detailed information on the Symantec AntiVirus Scan Engine product licenses at any time by clicking Licensing on the Symantec AntiVirus Scan Engine main administration page and viewing the Status tab For any installed license you can check the license exp
215. rface sessions to be active at one time for a single Symantec AntiVirus Scan Engine this practice is strongly discouraged Having more than one user logged in at the same time can cause possible race conditions as well as result in conflicting configuration changes being submitted To access the administrative functions 1 Launch a Web browser on any computer on your network that can access the server that is running the Symantec AntiVirus Scan Engine 2 Visit the following URL http lt servername gt lt port gt where lt servername gt is the host name or IP address of the server that is running the Symantec AntiVirus Scan Engine and lt port gt is the port number that you selected during installation for the built in Web server 8004 is the default port number Password rrssazesaazes Log on Cancel Host name server1 brightcorp com 3 Inthe Log on dialog box in the Password box type the password for the administrative account 4 Click Log on The Symantec AntiVirus Scan Engine main administration page displays 42 Symantec AntiVirus Scan Engine administration Accessing the administrative interface About the main administration page The main administration page displays command buttons in the left pane and the Symantec AntiVirus Scan Engine Status page in the right pane 9 symantec Symantec AntiVirus Scan Engine Current status Running Version mmber 43011 Protocolinuse NATIV
216. ring of files See Configuring RPC on page 66 About virus protection The Symantec AntiVirus Scan Engine features all of the virus scanning technologies that are available in Symantec antivirus products The Symantec AntiVirus Scan Engine detects viruses worms and Trojan horses in all major file types for example Windows files DOS files and Microsoft Word and Excel files The Symantec AntiVirus Scan Engine also includes a decomposer that handles most compressed and archive file formats and nested levels of files You can configure the scan engine to limit scanning to certain file types based on file extension To protect against container files that can cause denial of service attacks for example container files that are overly large that contain large numbers of embedded compressed files or that have been designed to use resources maliciously and degrade performance the Symantec AntiVirus Scan Engine lets you specify the maximum amount of time that the scan engine devotes to decomposing a container file and its contents the maximum file size for individual files in a container file and the maximum number of nested levels to be decomposed for scanning The Symantec AntiVirus Scan Engine also detects mobile code such as Java ActiveX and stand alone script based threats The Symantec AntiVirus Scan Engine utilizes Symantec antivirus technologies including Bloodhound for heuristic detection of new or unknown virus
217. rmation window 156 Integrating the Symantec AntiVirus Scan Engine with SESA Configuring logging to SESA 5 Inthe SESA Domain Administrator Information window type the specific information about the SESA Domain Administrator and the SESA Directory SESA Domain Administrator The name of the SESA Directory Domain Name Administrator account SESA Domain Administrator The password for the SESA Directory Domain Password Administrator account IP Address of SESA Directory The IP address of the computer on which the SESA Directory is installed may be the same as the SESA Manager IP address if both are installed on the same computer If you are using authenticated SSL instead of SESA default anonymous SSL you must enter the host name of the SESA Directory computer For example mycomputer com For more information on SESA default anonymous SSL and upgrading to authenticated SSL see the Symantec Enterprise Security Architecture Installation Guide SSL Port The number of the SESA Directory secure port The default port number is 636 6 Follow the on screen instructions to install the appropriate SESA integration components and complete the SESA Integration Wizard 7 Repeat steps 1 through 6 on each SESA Manager computer to which you are forwarding Symantec AntiVirus Scan Engine events Installing the local SESA Agent The local SESA Agent handles the communication between the Symantec AntiVirus Scan Engine and SESA and is in
218. rranty Symantec warrants that the media on which the Software is distributed will be free from defects for a period of sixty 60 days from the date of delivery of the Software to You Your sole remedy in the event of a breach of this warranty will be that Symantec will at its option replace any defective media returned to Symantec within the warranty period or refund the money You paid for the Software Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error free THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES WHETHER EXPRESS OR IMPLIED INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS YOU MAY HAVE OTHER RIGHTS WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY 4 Disclaimer of Damages SOME STATES AND COUNTRIES INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL CONSEQUENTIAL INDIRECT OR SIMILAR DAMAGES INCLUDI
219. rt to save your changes Changes will not take effect until the service is restarted Enabling data trickle When a user attempts to download an extremely large or complex file from the Internet a period of time elapses while antivirus scanning takes place during which the browser and thus the user receives no feedback on the progress of the download Without feedback the user might try to click the browser Refresh button several times even though the download is working properly In some instances the browser can time out waiting for the scan to complete The Symantec AntiVirus Scan Engine data trickle feature provides users with a quicker download response and avoids potential session time out errors When data trickle is enabled the requested file is sent trickled to the user in small amounts at regular intervals until the scan is complete The data trickle feature is only available when you are using ICAP as the communication protocol Data trickling is available for versions 0 95 and 1 0 of ICAP The ICAP scan policy must be set to Scan only When you enable data trickle the ICAP scan policy is automatically reset to Scan only In the Scan only configuration infected files cannot be deleted or repaired Using data trickle can compromise virus integrity Serious consideration should be given to a number of factors before you use the data trickle feature See Warnings and limitations about data trickle on page 66 To enab
220. rus Scan Engine is managed using a virtual administrative account You are prompted to provide a password for this account at installation The password for this account can be changed at any time through the Symantec AntiVirus Scan Engine administrative interface Note You cannot change the password via the configuration file because the password is encrypted in the configuration file If you forget the password for the virtual administrative account clear the AdminPassword variable in the configuration file and then log on to the administrative interface no password is needed to enter a new password To clear the password for the administrator account At AdminPassword delete the encrypted password 194 Editing the configuration file Configuration options Changing the administrator time out period The Symantec AntiVirus Scan Engine is configured by default to automatically log off the administrator after a selected period of inactivity The default period of inactivity is five minutes 300 seconds You can change the default time out period To change the administrator time out period At AdminPortTimeout type the amount of time in seconds after which the Symantec AntiVirus Scan Engine automatically logs off the administrator Specifying processing limits via the configuration file You can impose restrictions on the amount of resources that can be used to handle individual files These processing limits ca
221. s You can restrict access to a specific interface by typing the appropriate bind address In the HTTP port number box type a new port number Protocol Resources Logging Alerting Admin HTTP bind address 152 34 56 49 HTTP port number 8004 Administrator password New Password Confirm Administrator timeout 600 seconds Help Confirm Changes The default setting is port 8004 The port number must be exclusive to the Symantec AntiVirus Scan Engine interface and must not already be in use by any other program or service Do not use port number 80 To disable the administrative interface type 0 In the New Password box type the new password for the virtual administrative account In the Confirm box type the new password again to verify that you typed it correctly In the Administrator timeout box type the period of inactivity in seconds after which the administrator is automatically logged off The default setting is 300 seconds 5 minutes Click Confirm Changes to save the configuration Symantec AntiVirus Scan Engine administration 47 Changing the administration settings 8 Doone of the following Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost Click Restart to save your changes and restart
222. s 75 Allocating resources oea hance ee oo eae ns 77 Setting scanning and blocking policies About scanning and blocking policies 0 cccceescsseseseeceseseeeeseeeeseseeeeseeeseeaes 83 Specifying processing limits cccseseseseetesseeeeescsesesesessseseessseeeseseseseseees 84 Specifying limits for container files eceeseseseeseseeeeeseeeseseeseseees 85 Specifying processing limits that apply to all files 0 eee 87 Configuring antivirus Settings cesscsessesececscesesesesesssssseesesesssesesesetseeseees Changing the Bloodhound sensitivity level Specifying file types to scan w e eceecesesssssssseeeseseseseseseseeeseseesseseseseseeeseees Chapter 7 Chapter 8 Chapter 9 Contents Establishing a mail filter Policy cccccecesssesessssssessceseeeseseseseeesseeseeseeseseeees 94 Mail filter policy settings ccccccsesesesssesessssssesecesescseseseseseesesseseeseesesees 94 Configuring and using logging About Symantec AntiVirus Scan Engine logging cccceeeeeereteeeeeees 107 Logging destinations cceessesesessssesesseceseeseseeeseseseeseseeeeseeeseeneeseeeees 108 Logging leyelS on EE eon een aes 109 Configuring local logging oo ceeccssssesessssssssssecesecesesesesesseesseeessscseseseseseeeees 112 Specifying the local logging level cccecssesssssstsesseeeeeeseseseseeeeeeees 113 Changing the log file location cccccsesesssssesesesesesseseeeseeeseseseseseseseees 115 Changing
223. s C Program Files Symantec Scan Engine symcscan cfg Note In editing the configuration file all high ASCII and double byte characters must be written in UTF 8 encoding 178 Editing the configuration file Updating the configuration file during an upgrade To edit the Symantec AntiVirus Scan Engine configuration file 1 Locate the Symantec AntiVirus Scan Engine configuration file If you are running more than one copy of the Symantec AntiVirus Scan Engine on a computer ensure that you have the appropriate configuration file Open the configuration file with a text editor Make your changes to the configuration file See Configuration options on page 179 Save the file Stop and restart the Symantec AntiVirus Scan Engine Updating the configuration file during an upgrade You can upgrade the Symantec AntiVirus Scan Engine from 4 0 X or later without first uninstalling the previous version Installing the upgrade over the existing installation preserves changes that you have made to the configuration file symcscan cfg Note Scan engine logging options have changed in version 4 3 Because in many cases the previous configuration options do not map to the new options any customizations that you have made to the logging options are not preserved You must reconfigure logging after installing the upgrade Changes that occur to the configuration file as a result of an upgrade are handled in the following manner
224. s filter to block mail from specific email addresses as well as from a specific domain The following wildcard characters can be used to control exactly what you want to block Using somedomain com blocks smith somedomain com but does not block smith someserver somedomain com Using somedomain com or somedomain com blocks smith somedomain com and smith someserver somedomain com Using smith somedomain com to block a specific email address blocks only email from smith somedomain com and does not block adam_smith somedomain com or smith someserver somedomain com To filter mail by message origin 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Blocking Policy On the Mail tab under Blocking by message origin type a domain or email address to block Type as many domains or addresses to block as needed one per line Search strings are not case sensitive Use the following wildcard characters as needed m A question mark to represent a single character m An asterisk to represent zero or more characters m A backslash as an escape character For example precede or with to match a literal or in a file name To match a literal use To remove a domain name from the list select it and press Delete When you have finished establishing the mail policy click Confirm Changes to save the configuration 100 Setting scanning and blocking policies Establis
225. s that scanning will continue using previous virus definitions 1026 Scan Engine Non repairable Subject of the Symantec AntiVirus Scan Infection Found Alert Engine Nonrepairable Infection Found Alert 1027 The infection that has been Message body text for the Symantec found cannot be repaired AntiVirus Scan Engine Nonrepairable Infection Found Alert 141 142 Customizing log entries About the 1000 series message strings Table 9 1 Message string definitions 1028 Virus name Message body text that states the virus name for both the Infection Found Alert and Nonrepairable Infection Found Alert The Symantec AntiVirus Scan Engine automatically inserts the virus name 1029 Virus ID Message body text that states the virus ID number for both the Infection Found Alert and Nonrepairable Infection Found Alert The Symantec AntiVirus Scan Engine automatically inserts the virus ID 1030 Disposition Message body text that states the disposal method of the infected file for both the Infection Found Alert and Nonrepairable Infection Found Alert The Symantec AntiVirus Scan Engine automatically inserts the disposal method for the file 1031 An infection has been found but no repair has been attempted Message body text for the Infection Found Alert when the Symantec AntiVirus Scan Engine is configured to scan files but not to attempt repairs 1032 The infection has been found and repai
226. s via the configuration file 195 Blocking MIME partial message content via the configuration file 198 Activating mail message body updates via the configuration file 198 Scheduling LiveUpdate to occur automatically via the configuration file oo cee eseeseessesseecececsscsesesesesseseeeeeseseseseeeeees Changing the LiveUpdate base time Extracting all streams from OLE structured storage documents FOP SCANMING osieecxsectetew cress E AN ester a 200 Appendix B Appendix C Appendix D Index Contents Reviewing scanning statistics from the command line Using the getstat utility 00 ceccesesesseseseeeeseseeeeseseeseseeeeseseeeeseeeeseseeetaeeees Interpreting getstat utility data Return codes Native protocol return codes ceecccccesseseseseesesesseceseeeeseseeeeseaeeeeseeeeseseneeseeees ICAP version 0 95 return codes CAP version 1 0 return codes RPG return codes 40i 20 0 his genannten clea see es Using the silent install feature About the silent install feature 0 0 ecccececeseseseeeeseseseceseeeeeseseseeeetetseseeeeaeaes 209 Creating the response file 0 ceccesesessssssssssssesecesesesesessssseeeeseseesesesessseseees 210 Creating the response file for Windows 2000 Server Server 2003 210 Creating the response file for Solaris and Linux ceeeseseeeeeeees 211 Initiating the silent installation using the response file cece 213 Using the silent insta
227. se time You can change the relative start point or LiveUpdate base time from which to calculate scheduled LiveUpdate attempts If you change the LiveUpdate base time LiveUpdate attempts are scheduled every LiveUpdateSchedule seconds following the base time The default LiveUpdate base time is the time at which the Symantec AntiVirus Scan Engine was installed The LiveUpdate base time is specified in UTC seconds since 00 00 00 January 1 1970 To change the LiveUpdate base time At LiveUpdateBaseTime type the relative start point in UTC seconds from which LiveUpdate attempts are scheduled 200 Editing the configuration file Configuration options Extracting all streams from OLE structured storage documents for scanning Certain Microsoft files such as Microsoft Word and Excel documents are OLE object linking and embedding structured storage documents OLE is a compound document standard developed by Microsoft that enables objects to be created with one application and linked or embedded in a second application In this type of structured storage document data is stored in a number of streams Only certain streams typically contain content that can contain viruses The Symantec AntiVirus Scan Engine is configured by default to extract and scan only those streams that are likely to contain viruses For maximum protection you can choose to extract and scan all streams but performance might be negatively impacted depending on
228. server starts 0 Total viruses found 0 Total viruses repaired 0 Virus types found Virus Count 3 Click Load Logs The log data for the requested period displays in the browser window Configuring and using logging Generating scanning statistics from the billing logs Interpreting summary data from the local logs Date and time that the report is generated Sample summary data from the local logs is shown in Figure 7 1 Figure 7 1 Sample Summary report Download Statistics Summary Enter start date 2 26 02 Enter end date 3 28 02 Load Logs Report generated Thu Mar 28 11 16 40 EST 2002 Total server starts 0 Total viruses found 159 Total number of server starts viruses found and viruses repaired for the reported period Virus types that were found by the scan engine during the reported period and the number of each type found Total viruses repaired 79 Virus types found Virus Count Bloodhound WordMacro The infection has been found and repaired Bloodhound WordMacro The infection has been found and repaired Cascade 1 The infection has been found and repaired Cascade 1 The infection has been found and repaired Trojan Horse The infection that has been found cannot be repaired Trojan Horse The infection that has been found cannot be repaired Gergana 182 The infection that has been found cannot be repaired Gergana 182 The infection that has been foun
229. ses have been found but not all of the viruses could be eliminated from the infected file 1104 REPAIRED Message body text that appears to the right of Disposition to indicate that a virus has been found and the file has been repaired 1105 BLOCKED Message body text that appears to the right of Disposition to indicate that a virus has been found and the file was blocked 1110 DELETED Message body text that appears to the right of Disposition to indicate that a virus has been found but the file could not be repaired and has been deleted About the 2000 series message strings The 2000 series strings are used to update email messages when an infected attachment is found and repaired or deleted because it cannot be repaired These message strings are intended to notify the recipient of a scanned email message that one or more attachments that were contained in the message were infected Note To add this type of message to MIME encoded messages the Symantec AntiVirus Scan Engine must be configured to update messages in this manner See Inserting text into MIME encoded messages on page 104 146 Customizing log entries About the 2000 series message strings The message strings that are used to update MIME encoded messages are described in Table 9 2 Table 9 2 2000 Default message text for MIME encoded messages ALERT This e mail contained one or more infected files The
230. sponse file for Solaris and Linux 1 Locate the response file response on the Symantec AntiVirus Scan Engine distribution CD and copy it to the tmp directory on the computer that you are using For the silent installation to initiate the response file must be located in the tmp directory Rename the file to no ask questions and open the file Supply the desired input value for each parameter Changes should be made only to the right of the equal sign At AdminPassword copy and paste the encrypted string that was generated by the GenEncryptPW utility Ensure that you copy the encrypted string in its entirety See Generating an encrypted password on page 213 Save the file Using the silent install feature 213 Initiating the silent installation using the response file Generating an encrypted password The GenEncryptPW utility is included in the scan engine distribution so that you can protect the administrative password for managing the Symantec AntiVirus Scan Engine This utility encrypts the specified password and returns an encrypted string You must copy the encrypted string in its entirety and paste it in the appropriate location in the response file To generate an encrypted password 1 Locate the GenEncryptPW utility on the Symantec AntiVirus Scan Engine distribution CD and copy it to the computer that you are using 2 At the command prompt type GenEncryptPW lt password gt where lt password gt is
231. stalled on the same computer that is running the Symantec AntiVirus Scan Engine The local SESA Agent is provided as part of the software distribution package for the Symantec AntiVirus Scan Engine A separate install package for installing the Agent agentinstaller is located in the SESA_agent directory on the distribution CD for the Symantec AntiVirus Scan Engine If you have more than one SESA enabled product installed on a single computer these products can share a local SESA Agent However each product must register with the Agent Thus even if an Agent has already been installed on the computer for another SESA enabled security product you must run the installer to register the Symantec AntiVirus Scan Engine with the Agent Integrating the Symantec AntiVirus Scan Engine with SESA Configuring logging to SESA The local SESA Agent is preconfigured to listen on the IP address 127 0 0 1 and port number 8086 The scan engine uses this information to communicate with the Agent If you must change the IP address or port number for the Agent you must do so through the SESA Console Once an Agent is installed it is controlled through the SESA Console even though it is running on the computer that is running the security product If you change the IP address or port number for the Agent you must also update through the Symantec AntiVirus Scan Engine administrative interface the information that the scan engine uses to contact the Agent
232. t M Block MIME partial message content Help Confirm Changes Setting scanning and blocking policies Establishing a mail filter policy Filtering mail by total message size You can specify a maximum size for mail messages The maximum size includes the entire message including any attachments Messages that exceed the maximum mail size are rejected A value of 0 the default value disables message blocking To filter mail by total message size 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Blocking Policy On the Mail tab under Blocking by total message size type a maximum size in bytes that the scan engine will accept Type 0 the default value to disable message blocking no maximum size Messages that are larger than the specified size are rejected When you have finished establishing the mail policy click Confirm Changes to save the configuration Do one of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted Filtering mail by subject line To filter mail by subject
233. t m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted Editing the service startup properties If the Symantec AntiVirus Scan Engine is installed on Windows 2000 Server Server 2003 and you change the protocol setting to RPC or the native protocol through the administrative interface you might need to change the service startup properties to identify an account that has the appropriate permissions The selected account must provide the Symantec AntiVirus Scan Engine with access to and appropriate permissions on the RPC clients for RPC or to any shared drives or UNC paths for which scanning services are to be provided for the native protocol 76 Configuring the Symantec AntiVirus Scan Engine Configuring RPC For RPC this account must have Backup Operator privileges on the RPC clients For the native protocol this account should have access to any shared drives or UNC paths for which scanning is to be provided and should have Change permission if infected files that cannot be repaired are to be deleted Note If you select RPC at installation you are prompted for the account name and password for this account as part of the installation process and you do not need to edit the service startup properties manually This step is only necessary if you change protocols after installation through the ad
234. t the Symantec AntiVirus Scan Engine shuts down By default the Symantec AntiVirus Scan Engine is configured to try to reconnect with the RPC client indefinitely Note Do not set a maximum number of reconnect attempts if the scan engine is providing scanning for multiple RPC clients Use the default setting so that the Symantec AntiVirus Scan Engine tries indefinitely to reconnect to the RPC clients Table 5 3 Configuring the Symantec AntiVirus Scan Engine 69 Configuring RPC Protocol specific options for RPC RPC scan policy When an infected file is found the Symantec AntiVirus Scan Engine can do any of the following m Scan only Deny access to the infected file but do nothing to the infected file m Scan and repair files Attempt to repair infected files and deny access to any unrepairable files m Scan and repair or delete Attempt to repair infected files and delete any unrepairable files from archive files Note If you plan to quarantine infected files that cannot be repaired you must select Scan and repair or delete Quarantine unrepairable files You can quarantine unrepairable infected files using the Symantec Central Quarantine version 3 0 The Symantec Central Quarantine software is included on the Symantec AntiVirus Scan Engine distribution CD along with supporting documentation For more information see the separate Symantec Central Quarantine document CentQuar pdf also included on the C
235. t is providing scanning services See About supported protocols on page 22 You can choose from the following protocols The Symantec AntiVirus Scan Engine native protocol The Symantec AntiVirus Scan Engine uses its own native protocol by default The native protocol is a simple TCP IP protocol which is text based like HTTP or SMTP and uses standard ASCII commands and responses to communicate between client and server See Configuring the Symantec AntiVirus Scan Engine native protocol on page 57 The Internet Content Adaptation Protocol ICAP ICAP is a lightweight protocol for executing a remote procedure call on HTTP messages The Symantec AntiVirus Scan Engine supports both the proprietary 0 95 implementation of ICAP and version 1 0 presented in RFC 3507 April 2003 The Symantec AntiVirus Scan Engine determines which is appropriate for the request based on the header data that is provided by the client application See Configuring ICAP on page 59 Remote procedure call RPC The Symantec AntiVirus Scan Engine can be configured for Windows 2000 Server 2003 Server to use a proprietary virus scanning protocol with the MS RPC protocol to interface with client applications If you are running the Symantec AntiVirus Scan Engine on Solaris or Linux this option does not appear on the administrative interface See Configuring RPC on page 66 After you select a protocol you must provide protocol specific conf
236. t the Symantec AntiVirus Scan Engine always has the most current virus definitions On Solaris and Linux virus definitions updates can be scheduled using the UNIX cron scheduler and a shell script The cslive exe client can be run from the command line to update virus definitions for the Symantec AntiVirus Scan Engine for Windows 2000 Server Server 2003 134 Configuring LiveUpdate Scheduling LiveUpdate via the command line Schedule LiveUpdate via the command line You can schedule LiveUpdate on UNIX and Windows platforms via the command line To schedule LiveUpdate via the UNIX cron scheduler Solaris and Linux 1 Create a user called symantec 2 Open the etc group file and type symantec at the end of the avdefs line For more information see the group man pages 3 Change directories to etc cron d 4 Create a file called cron allow This file contains the list of users who are allowed to use cron services 5 Add the following line to the file symantec For more information see the cron and crontab man pages 6 Run crontab e symantec and type the following line 0 usr bin sh opt SYMCScan bin liveupdate sh virusdefs silent gt dev null The cron scheduler will run the LiveUpdate script once per hour For more information see the cron and crontab man pages To run LiveUpdate on Windows 2000 Server Server 2003 Atthe command prompt type one of the following commands m cslive exe virusdefs silent Run L
237. tates of America 6 Export Regulation Export re export of this Software is governed by the laws and regulations of the United States and import laws and regulations of certain other countries Export or re export of Software to any entity on the Denied Parties List and other lists promulgated by various agencies of the United States Federal Government is strictly prohibited 7 General If You are located in North America or Latin America this Agreement will be governed by the laws of the State of California United States of America Otherwise this Agreement will be governed by the laws of England This Agreement and any related License Module is the entire agreement between You and Symantec relating to the Software and i supersedes all prior or contemporaneous oral or written communications proposals and representations with respect to its subject matter and ii prevails over any conflicting or additional terms of any quote order acknowledgment or similar communications between the parties This Agreement shall terminate upon Your breach of any term contained herein and You shall cease use of and destroy all copies of the Software The disclaimers of warranties and damages and limitations on liability shall survive termination The original of this Agreement has been written in English and English is the governing language of this Agreement Software and documentation is delivered Ex Works California U S A or Dublin Ir
238. te If you are using the native protocol RPC or ICAP version 1 0 and want to control the file types that are scanned at the top level you must provide logic or take advantage of existing mechanisms on the client side to send only certain file types to the Symantec AntiVirus Scan Engine for scanning The logic on the client side controls the types of files that are scanned at the top level and the extension list setting controls which embedded files are scanned Setting scanning and blocking policies Configuring antivirus settings m ICAP version 0 95 The inclusion or exclusion list applies to all files that are sent to the Symantec AntiVirus Scan Engine for scanning The extension list is consulted for both top level files and embedded files that are contained in archival file formats for example zip or lzh files Specify which file types to scan You can scan all files regardless of extension or you can control which file types are scanned by specifying extensions that you do not want to scan or that you want to scan The Symantec AntiVirus Scan Engine is configured by default to scan all files except those with extensions that are listed in the prepopulated exclusion list To scan all files regardless of extension 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Blocking Policy 2 On the AntiVirus tab under File types to be scanned click Scan all files regardless of extension 3 Cl
239. the message string file location cccceseseseseseseeeteteeeees 116 Logging events to the Windows Application Event Log cesses 116 Activating SNMP and SMTP logging oo eeeseeteteeeeeeeeeeceeeseseaceeeeeeeeeeeee Activating SNMP logging oo eeeeeeees Activating SMTP logging occ Specifying the alert bind address Managing the local logs ceeeeseeseseeeeeeseees Obtaining summary data from the local logs Interpreting summary data from the local logs ceceeeseseeeeeseees 127 Generating scanning statistics from the billing logs oo eeseteeeeeeee 127 Interpreting Scanning statistics 0 ee eeseseeseeeeeeeeeseeeceeeeeeeeeseeneeeees 129 Understanding the 95th percentile bandwidth measurement 130 Configuring LiveUpdate About Live Update erheen a A E EE A A 131 Updating virus definitions 0 cccescscssseseseescesesessceseseseseseesesssseessecseseeees 132 Scheduling LiveUpdate to update virus definitions automatically 132 Updating virus definitions manually oo ceccesesseseseeeseseseseseseeees 133 Scheduling LiveUpdate via the command line 00 0 0 eeeeseeseseteeeeseeeeeees 133 Setting up your own LiveUpdate Server eeeessesesessesesetseceseeseseeeseeseeeeaees 135 Customizing log entries About the message string file oo cceesesesssecesesesesesssessssssesescsesesessseeseeees 137 Editing the message String file 0 eececesssesesessssessseeeseeesesesesesesesesseseeseees 138 Pres
240. the number and content of files to be scanned To extract and scan all streams from OLE structured storage documents for scanning At ExtractNativeOLEStreamsOnly type 0 The default setting is 1 which limits scanning to only those streams that are likely to contain viruses Appendix Reviewing scanning Statistics from the command line This chapter includes the following topics m Using the getstat utility m Interpreting getstat utility data Using the getstat utility The Symantec AntiVirus Scan Engine maintains scanning statistics so that Internet service providers can bill for antivirus scanning based on several billing schemes Each time that a file is scanned the Symantec AntiVirus Scan Engine submits scan statistics to the billing subsystem which maintains an encrypted data file You can access this information through the administrative interface See Generating scanning statistics from the billing logs on page 127 You can also use the getstat utility which is provided with the Symantec AntiVirus Scan Engine to obtain statistics for a given date range via the command line For Solaris and Linux the default location for the getstat utility is opt SYMCScan bin getstat For Windows 2000 Server Server 2003 the default location is C Program Files Symantec Scan Engine getstat 202 Reviewing scanning statistics from the command line Interpreting getstat utility data To use the getstat utility 1 Change dir
241. tiVirus Scan Engine Verify that your system meets the minimum requirements before installing See Installing the Symantec AntiVirus Scan Engine on page 29 Activate the licenses for key features for the Symantec AntiVirus Scan Engine including antivirus scanning functionality and virus definitions updates through the Symantec AntiVirus Scan Engine administrative interface See Activating product licenses on page 49 Review the configuration information in Chapters 5 11 of this guide to fully customize the Symantec AntiVirus Scan Engine to meet your needs This includes configuring LiveUpdate so that the scan engine always has the necessary information to detect and remove newly discovered viruses Configure the client applications that will send files for scanning to the Symantec AntiVirus Scan Engine If you purchased the Symantec AntiVirus Scan Engine SDK the Symantec AntiVirus Scan Engine Software Developer s Guide provides this information If you have purchased a specific connector for the Symantec AntiVirus Scan Engine see the documentation for that connector for instructions on configuring the client application 20 Introducing the Symantec AntiVirus Scan Engine Considerations for implementation Considerations for implementation The Symantec AntiVirus Scan Engine can be easily implemented into an existing infrastructure The Symantec AntiVirus Scan Engine runs on Solaris Red Hat Linux and Windows 2000
242. tine Server Quarantine Port Help Contirm Changes 3 Inthe Check RPC connection every box type how frequently the Symantec AntiVirus Scan Engine checks the RPC connection with the RPC client to ensure that the connection is active The default interval is 20 seconds 72 Configuring the Symantec AntiVirus Scan Engine Configuring RPC 4 Inthe Maximum number of reconnect attempts box type the maximum number of attempts that the Symantec AntiVirus Scan Engine will make to reestablish a lost connection with the RPC client The default setting is 0 which causes the Symantec AntiVirus Scan Engine to try indefinitely to reestablish a connection Use the default setting if the scan engine is providing scanning for multiple RPC clients 5 Inthe RPC scan policy list select how you want the Symantec AntiVirus Scan Engine to handle infected files The default setting is Scan and repair or delete 6 Click Confirm Changes to save the configuration 7 Doone of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted Notifying requesting
243. tions are recognized by the scan engine If the scan engine can identify the container type in many cases the scan engine can repair the container file In other cases the container type cannot be determined and the distortion can be used as criteria to reject potentially infected files You can choose to allow access to all malformed containers block only those for which the container type cannot be identified or block access to all malformed containers The scan engine is configured by default to block only those containers for which the container type cannot be identified 86 Setting scanning and blocking policies Specifying processing limits To specify limits for container files 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Blocking Policy On the Limits tab under Container file processing limits in the Time to extract file meets or exceeds box type the maximum time that the scan engine can spend extracting a single container file The default setting is 180 seconds 3 minutes To disable this setting so that no limit is imposed type 0 Note This setting does not apply to hqx and amg files Limits AntiVirus Mail Container file processing limits Stop processing a container file when any of the following limits is met or exceeded Time to extract file meets or exceeds 180 seconds Maximum extract size of file meets or exceeds 100 megabytes Number of nested leve
244. ts you save or review log data in a usable format The amount of data that can be downloaded is limited so as not to overwhelm the browser or the server You can download one or two megabytes of data The data that is returned are the most recent log entries Note If you attempt to download large log files during periods of peak usage Symantec AntiVirus Scan Engine performance might be impacted You also can clear the Symantec AntiVirus Scan Engine log file This lets you keep the log file at a manageable size Clearing the log file erases all of the log entries in the file To retain access to the log data download the log and export 124 Configuring and using logging Managing the local logs the data to another file prior to clearing the log file Logging continues from the date and time that you clear the logs Warning For Windows 2000 Server Server 2003 clearing the log file causes all of the application logs to be cleared not just those for the Symantec AntiVirus Scan Engine Manage log files You can download or clear the log file To download the log file 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Reporting 2 On the Download tab under Downloading log files select the amount of data in megabytes to download The size of the download is limited to 1 or 2 MB so that the amount of data that is returned does not overwhelm the browser or your server Download
245. u can schedule LiveUpdate to run automatically by scheduling LiveUpdate and you can force LiveUpdate to run immediately to obtain updated virus definitions when necessary You can also get the date and revision number of the virus definitions updates that the Symantec AntiVirus Scan Engine is currently using These display automatically on the LiveUpdate tab You might need to know the current version that the scan engine is using for Symantec Service and Support You can also determine the status of the last LiveUpdate attempt Scheduling LiveUpdate to update virus definitions automatically Scheduling LiveUpdate to occur automatically at a specified time interval ensures that the Symantec AntiVirus Scan Engine always has the most current virus definitions You should schedule LiveUpdate so that you do not have to remember to update virus definitions regularly Note When you install a valid virus definitions update content license for the Symantec AntiVirus Scan Engine for the first time or after the previous virus definitions update content license expired an initial LiveUpdate attempt occurs automatically Subsequent LiveUpdate attempts will occur automatically only if you schedule LiveUpdate When LiveUpdate is scheduled LiveUpdate is invoked at the specified time interval relative to the LiveUpdate base time The default LiveUpdate base time is the time that the scan engine was installed You can change the LiveUpdate base time b
246. und Macro also runs the copied macros and verifies that they can further propagate 26 Introducing the Symantec AntiVirus Scan Engine About virus protection About NAVEX technology NAVEX is a technology that lets the Symantec Security Response team update the antivirus scanning component of the Symantec AntiVirus Scan Engine during routine virus definitions updates This means that no inline revisions or time consuming upgrades are necessary to ensure that your antivirus protection stays current regardless of platform even against new virus threats The antivirus scanning component is made up of dozens of complex search algorithms CPU emulators and other program logic The scanning component examines a file to determine whether it contains viruses The scanning component scans files and disks for virus fingerprints unique sequences of bytes that are known to be contained in viruses These fingerprints are stored in the virus definitions files that are downloaded at least once per week The scanning component also repairs infected files Occasionally a new virus or class of viruses emerges that cannot be detected by existing scanning components These viruses require new algorithms for detection and consequently a new scanning component With the NAVEX technology Symantec engineers can quickly upgrade the Symantec AntiVirus scanning components with no extra cost or effort required Striker technology Striker technology identi
247. upport group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts Symantec technical support offerings include m A range of support options that give you the flexibility to select the right amount of service for any size organization m Telephone and Web support components that provide rapid response and up to the minute information m Upgrade insurance that delivers automatic software upgrade protection m Content Updates for virus definitions and security signatures that ensure the highest level of protection m Global support from Symantec Security Response experts which is available 24 hours a day 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support Program m Advanced features such as the Symantec Alerting Service and Technical Account Manager role offer enhanced response and proactive security support Please visit our Web site for current information on Support Programs The specific features available may vary based on the level of support purchased and the specific product that you are using Licensing and registration If the product that you are implementing requires registration and or a license key the fastest and easiest way to register your service is to access the Symantec licensing and registration site at www symantec com certificate Alternatively you
248. us Scan Engine starts automatically when the installation is complete Significant installation activities are recorded in the Windows Application Event Log Installing on Solaris and Linux The Solaris version of the Symantec AntiVirus Scan Engine is distributed as a self extracting self installing shell archive shar named ScanEngine sh Note If you are installing the Symantec AntiVirus Scan Engine on Red Hat Linux version 7 3 you must first install the C compatible libraries These libraries are included in the Red Hat Linux distribution They are contained in the compat libstdc 6 2 2 9 0 16 RPM If these libraries are not installed the scan engine will not install To install the Symantec AntiVirus Scan Engine on Solaris and Linux 1 Log on as root to the computer on which you plan to install the Symantec AntiVirus Scan Engine Copy the distribution file ScanEngine sh from the CD onto the computer Change directories to the location in which you copied the distribution file Type the following command then press Enter sh ScanEngine sh 36 Installing the Symantec AntiVirus Scan Engine Installing the Symantec AntiVirus Scan Engine 10 11 12 Indicate that you agree with the terms of the Symantec license agreement then press Enter If you indicate No the installation is cancelled Indicate whether to create the avdefs group The avdefs group has access rights to the directory that contains the virus
249. uter to submit files for scanning s sossos000000000005000000000 166 Command line scanner syntax and usage s sssesesessssesessssesesesreseseseesesesee 167 Specifying what to scan s seosessossesooressessrossoosessosooserseseosersessoseosensesseseose 167 Supported options sesasine anna A ANRE R EN 169 Specifying the scan engine IP address and port cceecsesesesseseeeeees 170 Specifying the antivirus scanning mode 20 0 0 esseseseseeeeeseseteteteeeees 171 Obtaining detailed scanning results 0 eeeceeseeseeeeceteeeeeeeeeeeeeees 172 Requesting recursive scanning uo eeececeseeseeeeeeeseeceeecceseeeeeaeereseeeeeneees 175 Disposing of infected files when an error occurs oo ceeseeeseteteteteeeees 175 Appendix A Editing the configuration file Editing the Symantec AntiVirus Scan Engine configuration file 177 Updating the configuration file during an upgrade 0 cecssesssesseseeeeees 178 Configuration options ccccccceessssesssssssscesesesessessssesesessesesesssesseeeseecseseseseeeeees 179 Changing protocol specific settings via the configuration file 179 Changing resource allocation via the configuration file 184 Configuring logging options via the configuration file 0 0 188 Changing the administration settings via the configuration file 192 Specifying processing limits via the configuration file 194 Changing the antivirus setting
250. ve Use the following wildcard characters as needed m A question mark to represent a single character m An asterisk to represent zero or more characters m A backslash as an escape character For example precede or with to match a literal or in a file name To match a literal use To remove a subject from the list select it and press Delete To filter mail messages that have blank subject lines check Block messages with empty subject lines When you have finished establishing the mail policy click Confirm Changes to save the configuration Do one of the following m Click Continue to make additional changes to the Symantec AntiVirus Scan Engine configuration If you click Continue and the current UI session times out before you save your changes by clicking Restart or Save No Restart your changes will be lost m Click Restart to save your changes and restart the scan engine service now m Click Save No Restart to save your changes Changes will not take effect until the service is restarted Setting scanning and blocking policies Establishing a mail filter policy Filtering mail by message origin To filter mail by message origin you specify one or more domain names that are known to be threats The domain name search string that you enter is matched against addresses in the From header of the email message If the search string matches an address the message is rejected You can use thi
251. vents to SESA to scan files repair infected files when possible and delete infected files that cannot be repaired Editing the ICAP access denied message When ICAP is being used the Symantec AntiVirus Scan Engine displays an HTML text message to a user when a requested file is blocked Access to a file is blocked when the file contains a virus and cannot be repaired The default text indicates that access is denied because the file contained a virus For Solaris and Linux the default location and file name of the HTML file is opt SYMCScan etc symcsinf htm For Windows 2000 Server Server 2003 the default location and file name of the file is C Program Files Symantec Scan Engine SYMCSINF htm 152 Customizing log entries Editing the ICAP access denied message You can customize the text that is displayed in one of the following ways m Edit the ICAP access denied HTML file m Specify an alternate HTML file See Configuring ICAP on page 59 The default text that is contained in the ICAP access denied message is described in Table 9 5 Table 9 5 Default text for ICAP access denied message The content you just requested had a Text contained in the symcsinf htm file problem and was blocked by the Symantec which is displayed to the user when a AntiVirus Scan Engine based on local requested file contains a virus and cannot administrator settings Contact your local be repaired administrator for further information
252. vice on Linux At the command prompt do one of the following m To stop the service type the following command etc init d sesagentd stop m To start the service type the following command etc init d sesagentd start Configuring the scan engine to log events to SESA After you have installed the local SESA Agent to handle communication between the Symantec AntiVirus Scan Engine and SESA you must configure the Symantec AntiVirus Scan Engine to communicate with the Agent by specifying the IP address and port number on which the Agent listens You also can change the types of events that are logged to SESA These settings are located on the Symantec AntiVirus Scan Engine administrative interface To configure the scan engine to log events to SESA 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Configuration 2 On the Logging tab under Symantec Enterprise Security Architecture in the SESA Logging level list select the appropriate logging level Logging to SESA is not activated by default See Logging levels on page 109 3 Inthe SESA agent IP address box type the IP address on which the local SESA Agent listens The default setting is 127 0 0 1 the loopback interface which restricts connections to the same computer 4 Inthe Port box type the TCP IP port number on which the local SESA Agent listens The port number that you enter here must match the port number on which the local S
253. virus definitions that are currently in use by the Symantec AntiVirus Scan Engine m Date and time that the scan engine was last started m Total time that the scan engine has been running since the last restart m The status of any license keys that have been installed The system metrics in the bottom portion of the Status pane provide a summary of virus scanning activity since the last manual restart To obtain more detailed data on the virus scanning activity you must activate the desired logging capabilities and use the Reporting features of the Symantec AntiVirus Scan 43 44 Symantec AntiVirus Scan Engine administration Accessing the administrative interface Engine The following system metrics display in the bottom portion of the Status pane Total viruses found Total viruses repaired This number can be different than the total number of viruses found because some malicious code cannot be repaired Total requests for scanning Total number of files that have been scanned The total number of files that have been scanned is not strictly a physical file count The total includes the number of files as well as additional objects within container files that were scanned Some containers such as MIME encoded messages and Microsoft Office documents have additional embedded objects that are not files but that may be scanned depending on the files that you have selected for scanning the extension list settings Total megabytes o
254. work such as at the gateway or on a mail server provided that You have a license to the Software for each computer that can access the network D after written consent from Symantec transfer the Software on a permanent basis to another person or entity provided that You retain no copies of the Software and the transferee agrees to the terms of this license and E use the Software in accordance with any additional permitted uses set forth in Section 8 below You may not A copy the printed documentation which accompanies the Software B sublicense rent or lease any portion of the Software reverse engineer decompile disassemble modify translate make any attempt to discover the source code of the Software or create derivative works from the Software C use a previous version or copy of the Software after You have received a disk replacement set or an upgraded version Upon upgrading the Software all copies of the prior version must be destroyed D use a later version of the Software than is provided herewith unless You have purchased corresponding maintenance and or upgrade insurance or have otherwise separately acquired the right to use such later version E use if You received the software distributed on media containing multiple Symantec products any Symantec software on the media for which You have not received a permission in a License Module F use the Software in any manner not authorized by this license n
255. xtension type exe Note You can filter mail by attachment file name during a virus outbreak to further protect your network In the case of a new email borne virus if you know the file name of the infected attachment you can use this information to block the infected email You can protect your network immediately before virus definitions for the new virus have been posted Setting scanning and blocking policies Establishing a mail filter policy To filter mail by attachment file name 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click Blocking Policy On the Mail tab under Blocking by attachment file name type an attachment file name to block Type as many file names to block as needed one per line Search strings are not case sensitive Use the following wildcard characters as needed m A question mark to represent a single character m An asterisk to represent zero or more characters m A backslash as an escape character For example precede or with to match a literal or in a file name To match a literal use Select one of the following to specify how the scan engine will handle messages that contain an attachment with a specified file name m Delete the attachment The scan engine removes any attachments with a specified file name and delivers the remainder of the message including attachments with file names that do not match a specified file
256. y editing the configuration file See Changing the LiveUpdate base time on page 199 If you change the scheduled LiveUpdate interval the interval adjusts based on the LiveUpdate base time Configuring LiveUpdate 133 Scheduling LiveUpdate via the command line To schedule LiveUpdate to update virus definitions automatically 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click LiveUpdate LiveUpdate Date of virus definitions 2002 03 21 40 Last LiveUpdate attempt Thu Mar 21 09 16 15 2002 Last LiveUpdate status Successful LiveUpdate Now Enable scheduled updates Once every four hours Help Confirm Changes 2 Inthe Enable scheduled updates list select the desired interval This setting is Off by default 3 Click Confirm Changes to save the configuration Updating virus definitions manually When necessary you can run LiveUpdate manually to force an immediate update of virus definitions If you have scheduled LiveUpdate the next scheduled LiveUpdate attempt occurs as directed To update virus definitions manually 1 On the Symantec AntiVirus Scan Engine administrative interface in the left pane click LiveUpdate 2 Click LiveUpdate Now The screen refreshes to indicate whether the LiveUpdate was successful It may take a few minutes for the screen to refresh Scheduling LiveUpdate via the command line You can also schedule LiveUpdate via the command line to ensure tha
257. you choose the types of events for which log messages are generated Note Although you can select a logging level for SESA not all events for a given level are forwarded to SESA Only a subset of scan engine events can be logged to SESA when logging to SESA is activated See Scan engine events that are logged to SESA on page 162 Table 7 1 shows the events for which log messages are generated at each logging level Each logging level builds upon the previous levels that is each successive level includes the events of the logging levels below it as well as additional events Table 7 1 Events by logging level None No events are logged at this logging level Error m Server crash m Virus definitions update error m License expired m Logging failure SMTP SNMP RPC user notification Entries for this event are not logged to SMTP and SNMP logging destinations even if SNMP or SMTP logging is active at this logging level m RPCretry Entries for this event are not logged to SMTP and SNMP logging destinations even if SNMP or SMTP logging is active at this logging level 109 110 Configuring and using logging About Symantec AntiVirus Scan Engine logging Table 7 1 Events by logging level Warning All events logged at the Error logging level Infection found License about to expire Threshold number of queued requests exceeded Virus definitions rollback Processing violation Entries for this event are not logged
Download Pdf Manuals
Related Search
Related Contents
Manual - Lindos Electronics New Line (descontinuado) 1 - 瀬戸市 Yamaha MP3 User's Manual Verwendung Ihres TomTom RIDER 2. English - EFOY Pro Whirlpool MH6600XM2 User's Manual Cisco Systems MDS 9100 Series Installation Manual Section 230900 - Instrumentation and Controls NASA-M5- https://telegra.ph/AC-Single-phase-Voltage-Drop-Calculator-d4f6fc76-11-16
- https://telegra.ph/Calculate-Current-from-Voltage-Drop-b0c3293c-11-16
- https://telegra.ph/Calculate-Wire-Resistor-from-Voltage-Drop-796946e9-11-16
- https://telegra.ph/Calculate-Length-from-Voltage-Drop-0fcc7c51-11-16
- https://telegra.ph/1-1-5-3-Concrete-Mix-Calculator-f0ce69c5-11-13
- https://telegra.ph/Concrete-Block-Calculator-9347f808-11-13
- https://telegra.ph/Calculate-Length-from-Voltage-Drop-25193408-11-17
- https://telegra.ph/DC-Voltage-Drop-Calculator-46405f5e-11-18
- https://telegra.ph/DC-Voltage-Drop-Calculator-6bd900ee-11-18
- https://telegra.ph/Calculate-Wire-Resistor-from-Voltage-Drop-c511a7b6-11-18