SolutionBase: Protect your workstations from spyware with Symantec's Client Security

If only preventing spyware were as easy as it is to stop viruses. Symantec's Client Security combines antivirus and antispyware in one centrally managed solution. Here's how it works.

There are two ways to handle antispyware clients. Provide an antispyware client on its own that either includes its own central management system or that integrates into an existing management console. Or, make the antispyware component an integral part of an antivirus solution. Both have pros and cons. In the bundled scenario, it's possible that you have selected an antivirus vendor that does not provide antispyware, or, for some reason, you don't want to use that vendor's antispyware offering. On the plus side, it's a whole lot easier to manage a single desktop-protection infrastructure!

Symantec, though their Symantec Client Security offering, has taken the bundled approach. I will go over much of Symantec Client Security in this article and show you how to get this product up and running in a centrally managed way and protecting your desktops from spyware infestations.

System requirements

SCS, like all software, requires certain minimum system requirements in order to function as you expect. As your client base grows, you may need more horsepower, but this section goes over the minimum specifications suggested by Symantec.


As is typical with most antispyware clients, Symantec Client Security does not impose overwhelming system requirements. In fact, a system running at a speed of greater than 150MHz with 128MB or RAM and 115MB of available disk space is the minimum configuration recommended by Symantec. On the operating system side, you're somewhat limited, but if you're running a newer operating system, you're in good shape since SCS supports Windows 2000 Pro and both Windows XP Home and Pro. Regardless of your operating system, you do need to be running Internet Explorer 5.5 SP2 or greater.


On the server side, Symantec's requires vary depending on which components you want to install, but are also fairly minimal for lower-end applications. Obviously, as you scale up client support, you should also expect to scale up your server specifications. Symantec supports both Windows and NetWare servers for the server side.

On the Windows side, Symantec's Security Management Server requires Windows 2000 (any edition), Windows XP Pro, or any edition of Windows Server 2003, with at least 64MB of RAM and 111 MB of disk space installed in a machine with a 150MHz or faster processor.

For NetWare users, you minimally need NetWare 5.x SP8, NetWare 6 SP5, or NetWare 6.5 SP2 with 15MB of available RAM for Symantec's antivirus NLMs. You also need a 150MHz or faster computer with 116MB of available hard drive space.

Management workstation

Like many of today's desktop management applications, Symantec's client tools can be installed on any number of workstations, which is particularly useful for your IT staff. I generally recommend installing management tools on your Symantec servers, too. In this case, the requirements for the management tools are ridiculously low. For the management tools to operate, any version of Windows 2000 or better will work as long as you have 36MB of disk space and 32MB of available RAM. You also need the Microsoft Management Console since Symantec's management application uses it.

Network security considerations

In any client/server type installation, the network plays the integral role of providing a communications channel. As such, you need to make sure that any security policies you have in place are modified to support the needs of Symantec Client Security. Specifically, Symantec wants ports 1,024 to 5,000 open at both the clients and the server. Of course, you don't need to provide carte blanche access. To keep a lid on things, just open up these ports between specific machines or networks. Further, in order to provide for remote installation, you need to have TCP port 139 open in the same fashion. Finally, at the server-side of the equation, open UDP ports 38,293 and 1,024 to 5,000 open to allow discovery to take place.

Additionally, the firewalls included with Windows XP and Windows Server 2003 can interfere with SCS's ability to do its job. For example, when these operating system-provided firewalls are enabled, you may have problems installing or deploying the Symantec software.

Installation options

You have a number of installation options to consider when you decide to deploy Symantec Client Security. For example, you can opt to install the Symantec System Center, which installs the following, by default:

  • Symantec AntiVirus snap-in: Manages Symantec's antivirus client, which includes antispyware scanning capabilities.
  • Symantec Client Firewall Administrator: Manages Symantec's client-based firewall.
  • AV Server Rollout tool: Allows you to push the antivirus server install to other servers in your organization.
  • Client Remote Install tool: Provides you with the capability to remotely install the SCS client on Windows computers in your organization.

For this article, I will be performing a default installation of Symantec Client Security on a Windows Server 2003 system.

Installation--Symantec Client Security

To get started, double-click the setup.exe file from your distribution media. This opens the screen shown below in Figure A. Choose the option Install Symantec Client Security.

Figure A

Choose Install Symantec Client Security.

From the next menu, Figure B, choose the Install Symantec Client Security option to get started with the main product installation.

Figure B

Choose Install Symantec Client Security again.

First, you need to accept the license agreement and click Next. I have not provided a screen shot for this step. You've probably seen a license agreement or two in your time!

On the next screen shown in Figure C, you have your first decision to make: is this going to be a client installation or a server installation? If you really wanted to, you could just walk from workstation to workstation and perform a client install. I wouldn't recommend it, though. It's a whole lot easier to manage all of your clients from a single location. As such, choose Server Install and click Next.

Figure C

Choose Server Install.

Now, you can opt for a complete installation, or pick and choose what you want. As you can see in Figure D, I've opted to perform a complete installation, which installs the product to C:\Program Files\Symantec Client Security and installs Antivirus User interface and help as well as the Quarantine Client.

Figure D

A complete installation installs everything you need to get started with the Symantec product.

Next, you need to either create a new Server Group--a group of protected server--or join an existing server group. Since this is a new installation of Symantec Client Security, I don't have an existing server group. I've accepted the default name of "Symantec AntiVirus 1" for this group.

Also on this screen, Figure E, you need to provide the administrative username and password for this group. The default username is "admin", and I provided the password. Click Next when you're ready.

Figure E

Provide a server group and an administrative username and password to use to manage Symantec Client Security.

If you create a new group, on the screen shown in Figure F the installer asks you to verify the password you entered on the previous screen.

Figure F

Type your password again.

During the installation, you can opt-in to a couple of options, both described here:

  • Auto-Protect: This is a process that stays running all the time, watching your computer to look for nefarious activity. I highly recommend you run Auto-Protect wherever possible.
  • LiveUpdate: LiveUpdate is Symantec's automatic product and definition update service.

Take both of these like I've done in Figure G. You'll be glad you did!

Figure G

I've installed these options since they help provide the maximum protection from unwanted items on my network.

Now, the installer has enough information to move forward. The next screen, which is not shown, just asks you to click the button marked Install to finish the process. When the installation is finished, click the Finish button.

If you opted to do a LiveUpdate after the installation completed, you will perform this operation now. Click Next to continue through the process as shown in Figure H.

Figure H

Click Next to make sure you have the most current software installed.

All you've done at this point is install the actual scanning tools and limited management software. In the next section, I'll go over the installation of the Symantec System Center, a centralized management console.

Installation--management component

You do need to install the management software to your Symantec servers and to the workstations of the IT folks that will manage the service. For this article, I'm installing the management component just to the Symantec server itself. Symantec's documentation indicates that the management component should be installed first, but I've never had any trouble installing it after other services.

To get started, double-click setup.exe file from the distribution media. From the main menu (shown earlier in Figure A), click "Install Administrator Tools".

From the resulting menu, Figure I, select "Install Symantec System Center".

Figure I

Choose the System Center option to install the components needed to manage a full-featured antivirus/antispyware solution.

On the next screen, accept the license agreement and click Next. I haven't shown this screen here.

Component selection in the management console is fairly straightforward. By default, everything except the Alert Management System Console is selected, and this default selection is what I am covering in this article, as you can see in Figure J. The Alert Management System Console (AMS) is Symantec's centralized alerting system. Click Next to continue.

Figure J

The default installation is good for most organizations.

Note: If you decide to use AMS, be sure to carefully read the documentation that comes with Symantec Client Security. If you don't follow the recommendations from Symantec, you could run into problems as you promote and demote primary and secondary servers.

By default, the management console is installed to C:\Program Files\Symantec\Symantec System Client as seen in Figure K. You can change this by clicking the Change button and choosing a new folder. Click next when you're done.

Figure K

Choose your install folder.

After you've made all of your selections, click the Install button shown in Figure L to make the installer work its magic.

Figure L

Click the Install button to perform the installation of the management console.

When the installer has completed its task, click the Finish button. You will need to restart the system to finish the installation, though.

First-time administrative requirement

Before you can do a whole lot, you need to identify which Symantec server will lead the group you created during the installation. Even if you have only a single Symantec server you need to explicitly identify it as a primary server. To do this, start the Symantec System Center console from Start | All Programs | Symantec System Center Console | Symantec System Center Console. Provide the username and password you designated during the installation.

Before you can manage a server group, you need to unlock it. Under Symantec System Center | System Hierarchy, right-click your server group and, from the shortcut menu, choose Unlock Server Group. In the resulting authentication window shown in Figure M, provide the username and password you created during the product installation.

Figure M

If you like, you can choose to have the management tool remember these credentials and automatically unlock your server group.

Browse to your server. In this example, shown in Figure N, my Symantec server lives under Symantec System Center | System Hierarchy | Symantec AntiVirus 1.

Figure N

The only thing that should be different for you is the name of the server group (if you provided a different one during installation).

Right-click your server and choose Make Server a Primary Server from the shortcut menu. A message will appear warning you that, if you already have a primary server, all primary server operations will be transferred to this server, and secondary servers will be updated according and the event collection could be interrupted while this transition is underway.

Centralized client deployment preparation

Before you get started with client deployment, you should determine how clients will receive their definition updates. Symantec recommends that you use what they called VDTM--Virus Definition Transport Method--for definition updates. Under VDTM, the primary server in a group is configured to retrieve updates from Symantec or from another internal LiveUpdate server.

By default, when you create a new server group, the primary server is configured to propagate definitions to clients every week between Thursday and Friday and within 480 minutes of 8:00 PM. The nice part about VDTM is that it conserves bandwidth to the Internet. Only the primary server in a group may need to contact Symantec. All other traffic can stay internal.

If you want to change your group's VDTM settings, right-click your server, and choose All Tasks | Symantec AntiVirus | Virus Definition Manager. In Figure O, I have provided a look at the VDTM configuration windows, but, for this article, I am sticking with the defaults.

Figure O

There are a lot of different ways you can handle definition distribution.
Pick the method that works best for your organization. Take note of the Continuous LiveUpdate option, which provides, as you might expect, more complete protection, but can create more network traffic.

Now, before you start to deploy clients, you should also configure scan schedule and Auto-Protect settings.

We'll start with scan schedules. Configure a scan schedule by right-clicking your server group and selecting All Tasks | Symantec AntiVirus | Server Scheduled Scans from the resulting shortcut menus. This opens the "server group name Schedule Scans" window (Top screen in Figure P). In this window, click the New button to create a new schedule (Middle screen in Figure P).

Figure P

Pick frequency, time, and more.

From this new scan window, you can choose the frequency and time of day to run a scan. If you choose to do a weekly scan, a day picker shows up. You can also choose the type of scan: Quick, Full, Or Custom. A full scan scans everything, including the boot sector, executables in RAM, and all files and folders. A quick scan, on the other hand, looks a RAM and only at common infection locations.

Deploying clients

Now, with the brunt of the basic configuration out of the way, let's deploy a client. Symantec provides you with a tool called ClientRemote Install for this purpose. In order to use this tool, you need to have domain administrative rights with the currently logged in user account. Refer to the Symantec documentation for information on what to do if you need to deploy the client to workgroup machines that are not a part of a domain.

To use it, from the management console, go to Tools | ClientRemote Install. This starts a wizard that helps you deploy the client to one or more computers in your organization.

Your first task is to tell ClientRemote Install where your client installation files are stored as shown in Figure Q. If you selected the default location for the client security program, choose Default location here. Otherwise, select the blank box's radio button and provide the location of the files. Click Next when you're ready.

Figure Q

If you have the client files in a different location, click the Browse button and provide that location.

On the next screen, you can associate a workstation with a Symantec server. If you have multiple Symantec servers, you'll need to decide with which one you want to associate a client. To associate a client with an antivirus server, in the "Available Computers" windows, browse for the desired client and single-click it. Next, browse for the Symantec server with which this client will work and click the Add button as seen in Figure R.

Figure R

Create your association and click Add.

After a few seconds (or more, depending on your network and speed of your clients and such), your client selection will appear under the Symantec server in the right-hand column as you can see in Figure S. Note that this does not install the Symantec client on the machine. It just creates a logical connection between a client and server. You can make as many associations as you like in this step. Click Finish.

Figure S

This client is now associated with this Symantec server.

After you make all of your associations and click Finish, an installation status window pops up like the one in Figure T. Since the previous step only made client/server associations, this step is responsible for actually installing the client on the systems you specified. Click Done when the installation is complete.

Figure T

If all is well, click Done.

When you go back to the management console and click on a Symantec server, you'll see the client as one of its management entities as you can see in Figure U.

Figure U

Note the status columns that tell you the exact client state.

From here, you can update your definitions to bring your software and definitions current. You can also enable continuous updates by, from the management console, changing your virus definition manager settings.