Best practices for Symantec AntiVirus Corporate Edition 9.x Auto-Protect on a Microsoft Exchange server

Article:TECH100684  |  Created: 2004-01-24  |  Updated: 2005-01-08  |  Article URL http://www.symantec.com/docs/TECH100684
Article Type
Technical Solution


Environment

Issue



This document provides best practice recommendations for Symantec AntiVirus Corporate Edition Auto-Protect running on a Microsoft Exchange server.


Solution



There are three supported methods of installing Symantec AntiVirus 9.0 on a Microsoft Exchange server: as a stand-alone server, as a client in a designated client group, and as an unmanaged client. Symantec recommends the stand-alone server configuration because it has the least potential for error.


The stand-alone server configuration
As a best practice, Symantec Technical Support recommends installing Symantec AntiVirus as a server in its own server group.

When Symantec AntiVirus is installed as a server in its own server group, the Symantec AntiVirus Auto-Protect scanning options can be set to exclude the Microsoft Exchange directory structure and the temporary processing folder for the antivirus scanner for Exchange (such as Symantec Mail Security for Microsoft Exchange). If Auto-Protect scans the Exchange directory structure or the antivirus processing folder, it can cause false positive virus detections, unexpected behavior on the Exchange server, or damage to the Exchange databases. This is true of all antivirus programs running on Exchange servers. For more information, see the Microsoft Knowledge Base article XGEN: Recommendations for Troubleshooting an Exchange Computer with Antivirus Software Installed - ID Q245822.

Additionally, the Symantec AntiVirus server does not include the Symantec Email Proxy that is part of Internet E-Mail Auto-Protect. The Symantec Email Proxy monitors the standard mail ports by default, and can cause performance degradation or failure if installed on an Exchange server.

Configuring Symantec AntiVirus as a stand-alone server
If Symantec AntiVirus is not yet installed on the Exchange server:
  1. Install the server software by clicking "Deploy AntiVirus Server" from the installation menu.
  2. When you are prompted to enter a server group name, give it a descriptive name that you can easily recognize as the group of Exchange servers.
  3. Start the System Center.
  4. Unlock the server group in the System Center, right-click the new server icon in the left pane, and then click "Make Server a Primary Server."

If Symantec AntiVirus server is already installed on the Exchange server:
  1. Start the System Center
  2. Right-click "System Hierarchy" in the left pane, and then click New > Server Group.
  3. Give this new server group a descriptive name that describes the group as Exchange servers only.
  4. Select the Exchange server, which appears under the group with other Symantec AntiVirus servers, and drag the server to the folder for the new server group.
  5. If the System Center prompts you to make this server a member of the new group, click Yes or OK.
  6. Unlock the server group in the System Center, right-click the new server icon in the left pane, and then click "Make Server a Primary Server."

Once the server is in its own server group, set up exclusions for real-time protection and scheduled scans. For additional instructions, read the document Preventing Symantec AntiVirus Corporate Edition 9.x from scanning the Microsoft Exchange directory structure.

Configure the Virus Definition Manager for this server or server group to update using LiveUpdate (default), and then update the virus definitions.

Updating the primary server in your main server group
  1. Right-click the Exchange server group in the System Center and click All Tasks > Symantec AntiVirus > Virus Definition Manager.
  2. Choose "Update primary server of the group only."
  3. Click "Configure..." and then ensure that the update schedule is enabled.
    Symantec technical support recommends setting the schedule for daily updating.
  4. Click "Source," and then click LiveUpdate or "Another protected server."
    To choose another server, select the primary server of your main server group.
  5. Click OK until you return to the main Symantec System Center window.


The managed-client configuration

WARNING: If you configure Symantec AntiVirus Corporate Edition 9.x as a client on a Microsoft Exchange server or any SMTP server, be sure not to install Internet E-Mail Auto-Protect. This feature monitors the standard mail ports, and can cause performance degradation or failure if installed on mail servers. For additional detail regarding this process, read the document Installing Symantec AntiVirus 9.0 clients without E-Mail Auto-Protect plug-ins.

To install Symantec AntiVirus as a managed client on an Exchange server, it must be placed in a client group specifically for the Exchange server or servers. Client groups can be configured differently from other clients on the same server. You can create a client group for your Exchange server or servers. You can then configure the settings at the client group level, so that the exclusion will apply to all Exchange servers in the group. For instructions on how to create client groups, read the document Creating and managing client groups in Symantec System Center 6.0.

Once you have created the client group, you can configure that group to exclude the appropriate files and folders.

You can then install the Symantec AntiVirus client to the Exchange server and allow it to be managed by a server in your server group. Once the client is installed, assign that client to the client group you created for your Exchange server(s). This allows the client to be managed by and to receive virus definitions from the server, but also allows it to have settings specific to your Exchange servers. If you add a new Exchange server in the future, you can simply install the client software to it in a managed state, then assign it to this same client group.

For instructions on configuring Symantec AntiVirus to exclude the necessary folders, read the document Preventing Symantec AntiVirus Corporate Edition 9.x from scanning the Microsoft Exchange directory structure.


The unmanaged-client configuration

WARNING: If you configure Symantec AntiVirus Corporate Edition 9.x as a client on a Microsoft Exchange server or any SMTP server, be sure not to install Internet E-Mail Auto-Protect. This feature monitors the standard mail ports, and can cause performance degradation or failure if installed on mail servers. For additional detail regarding this process, read the document Installing Symantec AntiVirus 9.0 clients without E-Mail Auto-Protect plug-ins.


If Symantec AntiVirus is already installed on the Exchange server as a managed client, uninstall Symantec AntiVirus, restart the computer, and reinstall Symantec AntiVirus as an unmanaged client. If Symantec AntiVirus is not installed, then install it as an unmanaged client.


Note: To install Symantec AntiVirus as an unmanaged client, you must use the installation CD. If you use the installation files from an installed Symantec AntiVirus server or use the NT client rollout installer, the client will automatically retrieve configuration information from the selected parent server and become a managed client.

When the unmanaged client is installed, schedule LiveUpdate to retrieve updates from Symantec. If a Symantec antivirus product for Exchange is also installed, disable the LiveUpdate schedule for that product, and configure Symantec AntiVirus Corporate Edition to run LiveUpdate. The virus definitions downloaded by Symantec AntiVirus and the antivirus products for Exchange are exactly the same and are downloaded to the same location, so only one application should run LiveUpdate. The virus definitions are shared by all installed Symantec antivirus products.

To schedule LiveUpdate to run from an unmanaged Symantec AntiVirus client
  1. Start the Symantec AntiVirus client.
  2. On the File menu, click Schedule Updates.
  3. Select "Enable scheduled automatic updates," and then click Schedule.
  4. Under Frequency, select Daily.
  5. Select the desired time for LiveUpdate to run automatically.
  6. Confirm the changes.
  7. Exit Symantec AntiVirus.






Legacy ID



2004052415562048


Article URL http://www.symantec.com/docs/TECH100684


Terms of use for this information are found in Legal Notices