There are two ways to handle antispyware clients. Provide an
antispyware client on its own that either includes its own central management
system or that integrates into an existing management console. Or, make the
antispyware component an integral part of an antivirus solution. Both have pros
and cons. In the bundled scenario, it’s possible that you have selected an
antivirus vendor that does not provide antispyware, or, for some reason, you
don’t want to use that vendor’s antispyware offering. On the plus side, it’s a
whole lot easier to manage a single desktop-protection infrastructure!
Symantec, through its Symantec Client Security offering,
has taken the bundled approach. I will go over much of Symantec Client Security
in this article and show you how to get this product up and running in a
centrally managed way and protecting your desktops from spyware infestations.
SCS, like all software, has minimum system
requirements that must be met for it to function as you expect. As your client base grows, you
may need more horsepower, but this section goes over the minimum specifications
suggested by Symantec.
As is typical with most antispyware clients, Symantec Client
Security does not impose overwhelming system requirements. In fact, a system
running at a speed of greater than 150MHz with 128MB of RAM and 115MB of
available disk space is the minimum configuration recommended by Symantec. On
the operating system side, you’re somewhat limited, but if you’re running a
newer operating system, you’re in good shape since SCS supports Windows 2000
Pro and both Windows XP Home and Pro. Regardless of your operating system, you
do need to be running Internet Explorer 5.5 SP2 or greater.
On the server side, Symantec’s requirements vary depending on
which components you want to install, but are also fairly minimal for lower-end
applications. Obviously, as you scale up client support, you should also expect
to scale up your server specifications. Symantec supports both Windows and
NetWare servers for the server side.
On the Windows side, Symantec’s Security Management Server
requires Windows 2000 (any edition), Windows XP Pro, or any edition of Windows
Server 2003, with at least 64MB of RAM and 111 MB of disk space installed in a
machine with a 150MHz or faster processor.
For NetWare users, you minimally need NetWare 5.x SP8,
NetWare 6 SP5, or NetWare 6.5 SP2 with 15MB of available RAM for Symantec’s
antivirus NLMs. You also need a 150MHz or faster computer with 116MB of
available hard drive space.
Like many of today’s desktop management applications,
Symantec’s client tools can be installed on any number of workstations, which
is particularly useful for your IT staff. I generally recommend installing
management tools on your Symantec servers, too. In this case, the requirements
for the management tools are ridiculously low. For the management tools to
operate, any version of Windows 2000 or better will work as long as you have
36MB of disk space and 32MB of available RAM. You also need the Microsoft
Management Console since Symantec’s management application uses it.
Network security considerations
In any client/server type installation, the network plays
the integral role of providing a communications channel. As such, you need to
make sure that any security policies you have in place are modified to support
the needs of Symantec Client Security. Specifically, Symantec wants ports 1024
to 5000 open at both the clients and the server. Of course, you don’t need to
provide carte blanche access. To keep a lid on things, just open up these ports
between specific machines or networks. Further, in order to provide for remote
installation, you need to have TCP port 139 open in the same fashion. Finally,
on the server side of the equation, open UDP ports 38293 and 1024 to 5000
to allow discovery to take place.
Additionally, the firewalls included with Windows XP and
Windows Server 2003 can interfere with SCS’s ability to do its job. For
example, when these operating system-provided firewalls are enabled, you may
have problems installing or deploying the Symantec software.
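The following check is an added example, not part of the original article or of Symantec's tooling. It audits a host's allow rules against the ports listed above, reporting required ports that are still closed to the peer network and rules that admit more than that network. The rule format, the 10.20.0.0/24 network, TCP for the first 1024 to 5000 range, and port 139 on both roles are assumptions.

```python
import ipaddress

# Ports the article lists for Symantec Client Security (SCS). The article gives
# no protocol for the first 1024-5000 range; TCP is an assumption made here,
# as is requiring TCP 139 on both roles ("in the same fashion").
REQUIRED = {
    "client": [("tcp", 1024, 5000), ("tcp", 139, 139)],
    "server": [("tcp", 1024, 5000), ("tcp", 139, 139),
               ("udp", 1024, 5000), ("udp", 38293, 38293)],
}

def covered(need, rules, peer):
    """True if the rules that admit `peer` jointly allow every port in `need`."""
    proto, lo, hi = need
    spans = sorted((r["lo"], r["hi"]) for r in rules
                   if r["proto"] == proto
                   and peer.subnet_of(ipaddress.ip_network(r["remote"])))
    nxt = lo                      # lowest port not yet known to be allowed
    for s_lo, s_hi in spans:
        if s_lo > nxt:
            break                 # gap: port `nxt` is not allowed by any rule
        nxt = max(nxt, s_hi + 1)
    return nxt > hi

def audit(rules, role, peer_cidr):
    """Return (missing, too_broad) for a host of `role` talking to `peer_cidr`."""
    peer = ipaddress.ip_network(peer_cidr)
    missing = [n for n in REQUIRED[role] if not covered(n, rules, peer)]
    # Too broad: the rule touches an SCS port but admits more than the peer network.
    too_broad = [r for r in rules
                 if not ipaddress.ip_network(r["remote"]).subnet_of(peer)
                 and any(p == r["proto"] and r["lo"] <= hi and lo <= r["hi"]
                         for p, lo, hi in REQUIRED[role])]
    return missing, too_broad

# Constructed sample: inbound allow rules on the Symantec server.
SERVER_RULES = [
    {"proto": "tcp", "lo": 1024, "hi": 5000, "remote": "10.20.0.0/24"},
    {"proto": "tcp", "lo": 139,  "hi": 139,  "remote": "0.0.0.0/0"},   # open to all
    {"proto": "udp", "lo": 1024, "hi": 5000, "remote": "10.20.0.0/24"},
]

if __name__ == "__main__":
    missing, too_broad = audit(SERVER_RULES, "server", "10.20.0.0/24")
    print("still closed to clients:", missing)
    print("wider than the client network:", too_broad)
```

On the sample rules, the audit reports UDP 38293 as missing and the TCP 139 rule as wider than the client network.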
You have a number of installation options to consider when
you decide to deploy Symantec Client Security. For example, you can opt to
install the Symantec System Center, which installs the following, by default:
AntiVirus snap-in: Manages Symantec’s antivirus client, which includes
antispyware scanning capabilities.
Client Firewall Administrator: Manages Symantec’s client-based firewall.
Server Rollout tool: Allows you to push the antivirus server install to
other servers in your organization.
Remote Install tool: Provides you with the capability to remotely install
the SCS client on Windows computers in your organization.
For this article, I will be performing a default
installation of Symantec Client Security on a Windows Server 2003 system.
Installation–Symantec Client Security
To get started, double-click the setup.exe file from your
distribution media. This opens the screen shown below in Figure A. Choose the
option Install Symantec Client Security.
|Choose Install Symantec Client Security.|
From the next menu, Figure B, choose the Install
Symantec Client Security option to get started with the main product
|Choose Install Symantec Client Security again.|
First, you need to accept the license agreement and click
Next. I have not provided a screen shot for this step. You’ve probably seen a
license agreement or two in your time!
On the next screen shown in Figure C, you have your first
decision to make: is this going to be a client installation or a server
installation? If you really wanted to,
you could just walk from workstation to workstation and perform a client
install. I wouldn’t recommend it, though. It’s a whole lot easier to manage all
of your clients from a single location. As such, choose Server Install and
|Choose Server Install.|
Now, you can opt for a complete installation, or pick and
choose what you want. As you can see in Figure D, I’ve opted to perform a
complete installation, which installs the product to C:\Program Files\Symantec
Client Security and installs Antivirus User interface and help as well as the
|A complete installation installs everything you need to get started with
the Symantec product.
Next, you need to either create a new Server Group–a group
of protected servers–or join an existing server group. Since this is a new
installation of Symantec Client Security, I don’t have an existing server
group. I’ve accepted the default name of “Symantec AntiVirus 1” for
Also on this screen, Figure E, you need to provide the
administrative username and password for this group. The default username is “admin”,
and I provided the password. Click Next when you’re ready.
|Provide a server group and an administrative username and password to use
to manage Symantec Client Security.
If you create a new group, on the screen shown in Figure F
the installer asks you to verify the password you entered on the previous
|Type your password again.|
During the installation, you can opt in to a couple of
options, both described here:
This is a process that stays running all the time, watching your computer
to look for nefarious activity. I highly recommend you run Auto-Protect
LiveUpdate is Symantec’s automatic product and definition update service.
Take both of these like I’ve done in Figure G. You’ll be
glad you did!
|I’ve installed these options since they help provide the maximum protection
from unwanted items on my network.
Now, the installer has enough information to move forward.
The next screen, which is not shown, just asks you to click the button marked
Install to finish the process. When the installation is finished, click the
If you opted to do a LiveUpdate after the installation
completed, you will perform this operation now. Click Next to continue through
the process as shown in Figure H.
|Click Next to make sure you have the most current software installed.|
All you’ve done at this point is install the actual scanning
tools and limited management software. In the next section, I’ll go over the
installation of the Symantec System Center, a centralized management console.
You do need to install the management software to your
Symantec servers and to the workstations of the IT folks that will manage the
service. For this article, I’m installing the management component just to the
Symantec server itself. Symantec’s documentation indicates that the management
component should be installed first, but I’ve never had any trouble installing
it after other services.
To get started, double-click the setup.exe file from the distribution
media. From the main menu (shown earlier in Figure A), click “Install
From the resulting menu, Figure I, select “Install
Symantec System Center”.
|Choose the System Center option to install the components needed to manage
a full-featured antivirus/antispyware solution.
On the next screen, accept the license agreement and click
Next. I haven’t shown this screen here.
Component selection in the management console is fairly
straightforward. By default, everything except the Alert Management System
Console is selected, and this default selection is what I am covering in this
article, as you can see in Figure J. The Alert Management System Console (AMS)
is Symantec’s centralized alerting system. Click Next to continue.
|The default installation is good for most organizations.|
Note: If you decide to use AMS, be sure to carefully
read the documentation that comes with Symantec Client Security. If you don’t
follow the recommendations from Symantec, you could run into problems as you
promote and demote primary and secondary servers.
By default, the management console is installed to C:\Program
Files\Symantec\Symantec System Client as seen in Figure K. You can change this
by clicking the Change button and choosing a new folder. Click Next when you’re
|Choose your install folder.|
After you’ve made all of your selections, click the Install
button shown in Figure L to make the installer work its magic.
|Click the Install button to perform the installation of the management
When the installer has completed its task, click the Finish
button. You will need to restart the system to finish the installation, though.
First-time administrative requirement
Before you can do a whole lot, you need to identify which
Symantec server will lead the group you created during the installation. Even
if you have only a single Symantec server you need to explicitly identify it as
a primary server. To do this, start the Symantec System Center console from
Start | All Programs | Symantec System Center Console | Symantec System Center
Console. Provide the username and password you designated during the installation.
Before you can manage a server group, you need to unlock it.
Under Symantec System Center | System Hierarchy, right-click your server group
and, from the shortcut menu, choose Unlock Server Group. In the resulting
authentication window shown in Figure M, provide the username and password you
created during the product installation.
|If you like, you can choose to have the management tool remember these credentials and
automatically unlock your server group.
Browse to your server. In this example, shown in Figure N,
my Symantec server lives under Symantec System Center | System Hierarchy |
Symantec AntiVirus 1.
|The only thing that should be different for you is the name of the server
group (if you provided a different one during installation).
Right-click your server and choose Make Server a
Primary Server from the shortcut menu. A message will appear warning you
that, if you already have a primary server, all primary server operations will
be transferred to this server, and secondary servers will be updated accordingly,
and the event collection could be interrupted while this transition is
Centralized client deployment preparation
Before you get started with client deployment, you should
determine how clients will receive their definition updates. Symantec
recommends that you use what it calls VDTM–Virus Definition Transport
Method–for definition updates. Under VDTM, the primary server in a group is
configured to retrieve updates from Symantec or from another internal
By default, when you create a new server group, the primary
server is configured to propagate definitions to clients every week between
Thursday and Friday and within 480 minutes of 8:00 PM. The nice part about VDTM
is that it conserves bandwidth to the Internet. Only the primary server in a
group may need to contact Symantec. All other traffic can stay internal.
If you want to change your group’s VDTM settings,
right-click your server, and choose All Tasks | Symantec AntiVirus | Virus
Definition Manager. In Figure O, I have provided a look at the VDTM
configuration windows, but, for this article, I am sticking with the defaults.
|There are a lot of different ways you can handle definition distribution.|
Pick the method that works best for your organization. Take note of the
Continuous LiveUpdate option, which provides, as you might expect, more
complete protection, but can create more network traffic.
Now, before you start to deploy clients, you should also
configure scan schedules and Auto-Protect settings.
We’ll start with scan schedules. Configure a scan schedule
by right-clicking your server group and
selecting All Tasks | Symantec AntiVirus | Server Scheduled Scans from the
resulting shortcut menus. This opens the “server group name Schedule Scans” window (Top screen in Figure
P). In this window, click the New button to create a new schedule (Middle
screen in Figure P).
|Pick frequency, time, and more.|
From this new scan window, you can choose the frequency and
time of day to run a scan. If you choose to do a weekly scan, a day picker
shows up. You can also choose the type of scan: Quick, Full, or Custom. A full
scan scans everything, including the boot sector, executables in RAM, and all
files and folders. A quick scan, on the other hand, looks at RAM and only at
common infection locations.
Now, with the brunt of the basic configuration out of the
way, let’s deploy a client. Symantec provides you with a tool called
ClientRemote Install for this purpose. In order to use this tool, you need to
have domain administrative rights with the currently logged in user account.
Refer to the Symantec documentation for information on what to do if you need
to deploy the client to workgroup machines that are not a part of a domain.
To use it, from the management console, go to Tools |
ClientRemote Install. This starts a wizard that helps you deploy the client to
one or more computers in your organization.
Your first task is to tell ClientRemote Install where your
client installation files are stored as shown in Figure Q. If you selected the
default location for the client security program, choose Default location
here. Otherwise, select the blank box’s radio button and provide the location
of the files. Click Next when you’re ready.
|If you have the client files in a different location, click the Browse
button and provide that location.
On the next screen, you can associate a workstation with a
Symantec server. If you have multiple Symantec servers, you’ll need to decide
with which one you want to associate a client. To associate a client with an
antivirus server, in the “Available Computers” window, browse for
the desired client and single-click it. Next, browse for the Symantec server
with which this client will work and click the Add button as seen in Figure R.
|Create your association and click Add.|
After a few seconds (or more, depending on your network and
speed of your clients and such), your client selection will appear under the
Symantec server in the right-hand column as you can see in Figure S. Note that
this does not install the Symantec client on the machine. It just creates a
logical connection between a client and server. You can make as many
associations as you like in this step. Click Finish.
|This client is now associated with this Symantec server.|
After you make all of your associations and click Finish, an
installation status window pops up like the one in Figure T. Since the previous
step only made client/server associations, this step is responsible for
actually installing the client on the systems you specified. Click Done when
the installation is complete.
|If all is well, click Done.|
When you go back to the management console and click on a
Symantec server, you’ll see the client as one of its management entities as you
can see in Figure U.
|Note the status columns that tell you the exact client state.|
From here, you can update your definitions to bring your
software and definitions current. You can also enable continuous updates by,
from the management console, changing your virus definition manager settings.