If your antivirus software has outdated signature files, then it’s completely worthless because new viruses will pass right by it. When you have a network with dozens or hundreds of workstations, keeping up with all of the virus signature files across your network can be a full-time job. Symantec has released the Symantec System Center (SSC) to help deal with this management nightmare.

This powerful tool will allow you to centrally manage Norton AntiVirus Corporate Edition on Windows 2000 workstations or servers, Windows NT workstations or servers, Windows XP workstations, Windows 95/98/ME, and NetWare servers. Once you have installed the SSC, you can view in a single Microsoft Management Console (MMC) screen all workstations and servers that you have chosen to manage.

Benefits of SSC
If your virus software is currently decentralized, you have to go to each computer to verify that the latest virus definitions file has been downloaded or to see if the computer is infected with a virus. You also have to make sure that the user did not change any of the settings inside the program, such as what action to take when a virus is found or what to do if that action fails. In addition to this maintenance, you must install the antivirus program on each client separately from a CD or the network.

You can overcome all of these time-consuming obstacles by using SSC. For clients running Windows NT/2000/XP, you can rollout the Norton AntiVirus client software. You can use SSC to lock the configuration settings of NAV on the client. This will ensure that the client computer remains protected at all times, because the user cannot change items that are locked.

Without having to physically go to each client computer, you can view all clients from your desk. You can check to see if there is a virus present on any computer, the date of the last virus definitions file, who is logged on to the computer, the date of the last scan, and the IP address of the computer. At a glance, you can quickly see the computers on which a virus has been detected. You can click on the heading at the top of each column to sort the information. To pull up information about a specific client, simply highlight the client and right-click your mouse to pull up a menu as shown in Figure A.

Figure A
Here are the client options for SSC.

From the menu, you can delete the client from the display, check the properties, look at the logged information about viruses, or pull up the Norton AntiVirus menu. The type of information logged by SSC includes viruses detected, a scan history, and an event log. The Norton AntiVirus menu has several options allowing you to do such things as manually scan the client, schedule a scan, check the real-time protection options, view the virus definitions manager, or clear the virus status. If a computer is infected, the file can be sent to a Quarantine Server.

Using the SSC, you can automatically update all managed computers with the latest virus definitions file. You can configure the clients to check the server on a schedule to see if there is a new virus definitions file to load. As you install additional clients with NAV software, they will automatically be registered with the server you specify.

Installing SSC
The recommended specification for installing SSC on a server in an enterprise is a dual Pentium 600 MHz with 1 GB of RAM, 60 to 100 GB of drive space, and a 100-MB NIC card. A server with these specifications can manage up to 3,000 clients and push down virus definitions files in less than one hour. If you are going to install SSC on a Novell Server, you will be able to manage only 1,000 clients.

You must set up the parent server before you install the client software. To set up a server to run the SSC, install the Norton AntiVirus Corporate Edition CD-ROM in your server. When the main splash screen appears, choose Install Norton AntiVirus To Servers. The first time you run SSC, the console will ping the network to find all available NAV servers. When the servers respond, they will be added to the console. Managed client computers start being added once their parent server is selected in the console tree.

Once the server is installed, you’ll have to configure several items. If you already have clients loaded with NAV software, you’ll have to reinstall NAV on each of the clients, choosing the Managed option when prompted, as shown in Figure B, and specifying the parent server.

Figure B
You must reinstall NAV on all of the workstations to use SSC.

If you decide to change the parent server later, you can do this without having to reinstall all of the clients. You must copy the Grc.dat file from the one of the following folders of the intended parent server (based on the target client’s platform): NAV\Clt-inst\Win32, NAV\Clt-inst\Win16, or NAV\Clt-inst\DOS.

Paste the Grc.dat file into one of the following folders on the client:

  • For Windows 9x\Me: C:\Program Files\Norton AntiVirus
  • For Windows NT: C:\Winnt\Profiles\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5
  • For Windows 2000\XP: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.x

Pasting this file can be accomplished manually, via batch file, or through a login script. When you only have one server running SSC, there is a single point of failure. Your clients will still be protected as of their latest virus definitions file.

Configuring SSC
Once you have SSC up and running, the clients will get their settings and virus definition updates from the server. You have to configure these options. You can be flexible with the items you allow the user to modify, or you can lock it down to where the user can change nothing. When the NAV program is launched from the client, the items that can’t be changed will be locked.

To discover computers on the network, SSC sends out an IP and IPX ping packet to a remote computer. If the remote computer responds successfully, it will provide the server with information, such as the date of the virus definitions file and when the computer was last infected. This discovery service requires the use of Windows Internet Naming Service (WINS). If you’re in an environment that does not have a WINS server, such as a native Windows 2000 network, you will have to run the Importer tool first.

The Importer tool, Importer.exe, is a command-line utility you can use to add computers running Norton AntiVirus Corporate Edition for servers to the Symantec System Center console. This utility will import the names and IP addresses of computers located in non-WINS environments.

Once the computer name and IP address are imported, entries are created in the registry under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AddressCache

You must then run a local discovery or intense discovery after importing the data file.

There are several different discovery methods available.

  • Load from cache only: This discovery method simply refreshes the information it already has.
  • Local discovery: This method sends a broadcast ping on the local subnet. It generates less ping noise, but it is limited to the local subnet.
  • Intense discovery: This method attempts to resolve all computers that it finds in Network Neighborhood into a network address. After it finds the network address, it sends a ping to the address.
  • Advanced discovery: Using advanced discovery, you can specify the IP range and subnet mask to search.

By default, the discovery cycle is set to run every 480 minutes (eight hours).

Virus definitions rollouts
The virus definitions file contains bits of code that are found in actual viruses. These bits of code are matched against files on your computer and if a match is found, the file is considered infected. In order for this process to happen quickly, the virus definitions file is loaded on each client computer. As new viruses are introduced, the definitions file becomes outdated and must be renewed. Using SSC, the virus definitions file can be updated and tracked on the parent server.

If a new definitions file is causing problems, you can use SSC to revert back to a previous version. You can also control the version that is used on all servers and clients in a group. If a user downloads a definitions file that you have not approved, you can force the use of the file that you specify.

An enterprise server running Windows NT on a 100-Mbps network can deliver a virus definitions file to a client in less than one second.

Alert manager
The alert management system (AMS) allows virus events to generate alerts through pagers, e-mail, and other means.

AMS alert configuration requires that you perform three steps. First, select an alert in the Alert Actions dialog box. Next, select the alert action you want to configure for that alert. The alert action is the response AMS sends you when an alert parameter is detected. Finally, configure the alert action you selected. For example, you could have a Send Page alert action notify you when a virus is detected with the name of the virus, virus type, and actions taken on the infected file.

There are no default alert actions for any of the alerts, so you must configure the ones you want. You can configure more than one action for each alert. If you choose to have AMS send a pager message when an alert event is generated, the AMS server must have a modem. The different types of alert methods are listed below:

  • Message box: The message box alert action displays a message box on the computer from which you configure the action. You can select whether the message box sounds a beep when it appears and whether the message box always appears on the screen until cleared.
  • Broadcast: The broadcast alert action sends a broadcast message to all computers logged onto the server.
  • Send Internet mail: This alert action will send an e-mail message to the address you specify. You must have an SMTP server at your site for this to work.
  • Send page: This alert action sends a page to the number you specify. As mentioned above, your AMS server must have a modem in order to use this method.
  • Run program: The run program alert action runs a program on the computer for which you configure the alert action. The program can be run from a remote computer, as long as the path is specified, and the program can also be a batch file.
  • Write to Windows NT event log: This method allows you to write an event to the Windows NT application log.
  • Send SNMP trap: Alerts generated through SNMP traps can be sent to any third-party SNMP management console.
  • Load an NLM: This action can load a NetWare loadable module (NLM) on a selected NetWare server. The NLM could do a variety of things, such as monitor who is using the infected file or backup server information.

Troubleshooting
If your computer is running slower after installing the Norton AntiVirus Corporate Edition client, make sure that the computer meets the minimum requirements. You can also try to reduce the programs launched on startup to only those that are required, since each program consumes resources. It is not recommended, however, that you disable the realtime scan settings. Scanning to check for modified files may consume fewer resources, but the computer would be more vulnerable to virus infection.

If you’re running Norton AntiVirus Corporate Edition for Windows NT/2000 on the same server as Microsoft Exchange, you can have significant problems. Norton AntiVirus Corporate Edition can detect the components of a virus in the Edb.log file. If this happens and the file is quarantined or deleted, Microsoft Exchange might then stop responding.

To prevent this from happening, be sure to exclude both the temporary directory used by Microsoft Exchange and the Microsoft Exchange database folder from scanning. If Microsoft Exchange has already stopped responding, run Isinteg and Eseutil to repair the problems. Be sure to consult your Microsoft Exchange documentation before running these utilities.

Get a handle on virus protection
The Symantec System Center can help you implement an enterprise-wide antivirus program. Once it is running, it saves you an enormous amount of time. The convenience of having a complete virus solution available from a single location makes your job as an administrator much easier. It also gives you the reassurance that your servers and clients are protected; without having to physically go to each computer to verify that fact.