Best practices for Symantec AntiVirus 10.x Auto-Protect on a Microsoft Exchange server

Article:TECH101178  |  Created: 2005-01-01  |  Updated: 2006-01-02  |  Article URL http://www.symantec.com/docs/TECH101178
Article Type
Technical Solution


Environment

Issue




This document gives the best practices for Symantec Client Security 3.0 and Symantec AntiVirus Corporate Edition 10.0 Auto-Protect running on a Microsoft Exchange server.


Solution




There are three supported methods of installing Symantec AntiVirus 10.0 on a Microsoft Exchange server: as a stand-alone server, as a client in a designated client group, and as an unmanaged client. Symantec recommends the stand-alone server configuration because it has the least potential for error.

You cannot install the Symantec Client Firewall portion of Symantec Client Security on a Microsoft Exchange server.

The stand-alone server configuration
As a best practice, Symantec Technical Support recommends installing Symantec AntiVirus as a server in its own server group.

When Symantec AntiVirus is installed as a server in its own server group, the Symantec AntiVirus Auto-Protect scanning options can be set to exclude the Microsoft Exchange directory structure and the temporary processing folder for the antivirus scanner for Exchange (such as Symantec Mail Security for Microsoft Exchange). If Auto-Protect scans the Exchange directory structure or the antivirus processing folder, it can cause false positive virus detections, unexpected behavior on the Exchange server, or damage to the Exchange databases. This is true of all antivirus programs running on Exchange servers.
For more information, see the Microsoft Knowledge Base article XGEN: Recommendations for Troubleshooting an Exchange Computer with Antivirus Software Installed - ID Q245822.

Additionally, the Symantec AntiVirus server does not include the Symantec Email Proxy that is part of Internet E-Mail Auto-Protect. The Symantec Email Proxy monitors the standard mail ports by default, and can cause performance degradation or failure if installed on an Exchange server.

If there is more than one Exchange server, and they are in the same server group, be sure to back up the PKI folder on the primary server.
For more information, read the document Installing Symantec or Norton AntiVirus Corporate Edition on mail servers.

To configure Symantec AntiVirus as a stand-alone server if it is not yet installed on the Exchange server
  1. Install the server software, either from the Symantec System Center or from the CD.
  2. When you are prompted to enter a server group name, give it a descriptive name that you can easily recognize as the group of Exchange servers.
  3. In the Symantec System Center, unlock the server group, right-click the new server icon in the left pane, and then click Make Server a Primary Server.
  4. Click Yes to confirm the change.

To configure Symantec AntiVirus as a stand-alone server if it is already installed on the Exchange server
  1. Start the System Center.
  2. In the left pane, right-click System Hierarchy and then click New > Server Group.
  3. Give this new server group a descriptive name that describes the group as Exchange servers only.
  4. Select the Exchange server, which appears under the group with other Symantec AntiVirus servers, and drag the server to the folder for the new server group.
  5. If the System Center prompts you to make this server a member of the new group, click Yes or OK.
  6. Unlock the server group in the System Center, right-click the new server icon in the left pane, and then click Make Server a Primary Server.
  7. Click Yes to confirm the change.
    The warning states that you must copy the server group certificate to the primary server. This is not true when you are installing the first server in a server group. You only need to copy the certificate manually if there is already an existing primary server in the server group, and you promote a different server to be the primary.

Once the server is in its own server group, set up exclusions for real-time protection and scheduled scans.
For additional instructions, read the document Preventing Symantec AntiVirus 10.x from scanning the Microsoft Exchange directory structure.


Configure the Virus Definition Manager for this server or server group to update using LiveUpdate (default), and then update the virus definitions.

To update the primary server in your main server group
  1. Right-click the Exchange server group in the System Center and click All Tasks > Symantec AntiVirus > Virus Definition Manager.
  2. Select Update primary server of the group only.
  3. Click Configure, and then ensure that the update schedule is enabled.
    Symantec technical support recommends setting the schedule to update daily.
  4. Click Source, and then click LiveUpdate or Another protected server.
    To choose another server, select the primary server of your main server group.
  5. Click OK until you return to the main Symantec System Center window.


The managed client configuration


WARNING: If you configure Symantec AntiVirus Corporate Edition 10.x as a client on a Microsoft Exchange server or any SMTP server, be sure not to install Internet E-Mail Auto-Protect. This feature monitors the standard mail ports, and can cause performance degradation or failure if installed on mail servers. For additional detail regarding this process, read the document Installing Symantec Client Security 3.0 clients without E-Mail Auto-Protect plug-ins.


To install Symantec AntiVirus as a managed client on an Exchange server, it must be placed in a client group specifically for the Exchange server or servers. Client groups can be configured differently from other clients on the same server. You can create a client group for your Exchange server or servers. You can then configure the settings at the client group level, so that the exclusion will apply to all Exchange servers in the group.
For instructions on how to create client groups, read the document Creating and managing client groups in Symantec Client Security 3.0.

Once you have created the client group, you can configure that group to exclude the appropriate files and folders.

You can then install the Symantec AntiVirus client to the Exchange server and allow it to be managed by a server in your server group. Once the client is installed, assign that client to the client group that you created for your Exchange server(s). This allows the client to be managed by and to receive virus definitions from the serve, but also allows it to have settings specific to your Exchange servers. If you add a new Exchange server in the future, you can simply install the client software to it in a managed state, then assign it to this same client group.

If you have Symantec Client Security, you must install only the Symantec AntiVirus client, and you must not install the E-Mail Auto-Protect plug-ins.
For instructions, read the document Installing Symantec Client Security 3.0 clients without E-Mail Auto-Protect plug-ins.

For instructions on configuring Symantec AntiVirus to exclude the necessary folders, read the document Preventing Symantec AntiVirus 10.x from scanning the Microsoft Exchange directory structure.


The unmanaged client configuration

WARNING: If you configure Symantec AntiVirus Corporate Edition 10.x as a client on a Microsoft Exchange server or any SMTP server, be sure not to install Internet E-Mail Auto-Protect. This feature monitors the standard mail ports, and can cause performance degradation or failure if installed on mail servers.
For additional detail regarding this process, read the document Installing Symantec Client Security 3.0 clients without E-Mail Auto-Protect plug-ins.



If Symantec AntiVirus is already installed on the Exchange server as a managed client, uninstall Symantec AntiVirus, restart the computer, and reinstall Symantec AntiVirus as an unmanaged client. If Symantec AntiVirus is not installed, then install it as an unmanaged client.

If you have Symantec Client Security, you must install only the Symantec AntiVirus client, and you must not install the E-Mail Auto-Protect plug-ins.
For instructions, read the document Installing Symantec Client Security 3.0 clients without E-Mail Auto-Protect plug-ins.


Note: To install Symantec AntiVirus as an unmanaged client, you must use the installation CD. If you use the installation files from an installed Symantec AntiVirus server or use the NT client rollout installer, the client will automatically retrieve configuration information from the selected parent server and become a managed client.



For instructions on configuring Symantec AntiVirus to exclude the necessary folders, read the document Preventing Symantec AntiVirus 10.x from scanning the Microsoft Exchange directory structure.

When the unmanaged client is installed, schedule LiveUpdate to retrieve updates from Symantec. If a Symantec antivirus product for Exchange is also installed, disable the LiveUpdate schedule for that product, and configure Symantec AntiVirus Corporate Edition to run LiveUpdate. The virus definitions downloaded by Symantec AntiVirus and the antivirus products for Exchange are exactly the same and are downloaded to the same location, so only one application should run LiveUpdate. The virus definitions are shared by all installed Symantec AntiVirus products.

To schedule LiveUpdate to run from an unmanaged Symantec AntiVirus client
  1. Start the Symantec AntiVirus client.
  2. On the File menu, click Schedule Updates.
  3. Select Enable scheduled automatic updates, and then click Schedule.
  4. Under Frequency, click Daily.
  5. Select the desired time for LiveUpdate to run automatically.
  6. Confirm the changes.
  7. Exit Symantec AntiVirus.






Legacy ID



2005040112500448


Article URL http://www.symantec.com/docs/TECH101178


Terms of use for this information are found in Legal Notices