Best practices for configuring Symantec AntiVirus Corporate Edition 10.x
Article: TECH101213 | Created: 2005-01-13 | Updated: 2011-06-27 | Article URL: http://www.symantec.com/docs/TECH101213
This page gives the best practices for Symantec AntiVirus Corporate Edition 10.x when it runs on a network.
This page covers best practices for installation, setup, and ongoing maintenance.
Installation and setup
There are a number of decisions that you must make at the time that you set up Symantec AntiVirus on your network. The following recommendations can help streamline the setup process and ensure that it can be maintained over time.
Disable security risk programs from other vendors
Symantec AntiVirus 10.x scans in real time for security risks that are associated with adware and spyware, and it might conflict with similar products from other vendors. Before you migrate or install antivirus servers and clients, disable or remove similar products that other vendors offer, especially those products that run in real time.
Plan your installation or migration
Before you begin to install or migrate the Symantec Client Security client, server, and administration upgrades, you should have a solid understanding of your network topology and a streamlined plan to maximize the protection of the resources on your network during the upgrade. Migrating your entire network to the current version rather than managing multiple versions of Symantec Client Security is strongly recommended. Migration steps depend on your current configuration.
If you are migrating from a previous version of Symantec or Norton AntiVirus, read the document for your product version:
- Migrating to Symantec AntiVirus 10.1 Corporate Edition
- Migrating to Symantec AntiVirus 10.1 Small Business Edition
- Migrating to Symantec AntiVirus Corporate Edition 10.0
For help with installing Symantec AntiVirus for the first time, read the document for your product version:
- Symantec AntiVirus 10.1 Corporate Edition installation walk-through for administrators
- Symantec AntiVirus 10.1 installation walk-through for small business administrators
- Symantec AntiVirus 10.0 installation walk-through for administrators
Back up the pki folder structure after deployment
After you deploy your Symantec AntiVirus servers, back up the pki directory and all its subdirectories on the primary server. If your primary server becomes corrupted, you can re-create it if you have the backup files to restore. You can recover from such a disaster more quickly if you install a secondary management server in your server group.
For details, read Steps to minimize recovery time in the event of a server failure.
Omit unnecessary components
Symantec AntiVirus contains a number of components designed for network scalability, but in most cases these tools are not required. If you do not need a particular component, there is no reason to install it.
- The LiveUpdate Administration Utility is completely optional. For many corporate customers, it is unnecessary. The default method of definitions distribution, the Virus Definition Transport Method, is robust and easy to use. You should only use the LiveUpdate Administration Utility if specific circumstances require it.
- Central Quarantine is also optional and is not needed in smaller environments. If you choose to install and use Central Quarantine, the computer must have 128 MB of RAM available just for Central Quarantine. It should not be run on a computer that has only 128 MB of RAM and should not be run on a computer that is running other server applications, such as Exchange, SQL, or Domino.
Check time synchronization
Use a system clock synchronization method on your network. By default, the system clocks of all management console computers, servers, and clients must be within plus or minus 24 hours of the system time on the primary management server. If this time requirement is not met, servers and clients will not authenticate the user who is logged on to Symantec System Center, and communications will fail.
For details, read About login certificates in Symantec Client Security 3.x and Symantec AntiVirus Corporate Edition 10.x.
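One way to check this tolerance from the primary management server, as an added example that is not from the Symantec article: it parses the output of `w32tm /stripchart` and flags any host whose clock is outside the 24-hour window. The host names and sample output are constructed, `Get-ClockOffsetSeconds` and `Test-ClockSkew` are hypothetical helper names, and the script assumes that each target answers Windows Time queries and that `w32tm` prints its offset in the form `+00.0312450s`.

```powershell
# Added example: flag hosts whose clock differs from this machine by more than
# the 24-hour default tolerance. Run it on the primary management server.
$ToleranceSeconds = 24 * 60 * 60   # default window stated in the article

function Get-ClockOffsetSeconds {
    # Parses output of: w32tm /stripchart /computer:<host> /samples:1 /dataonly
    # Returns the offset in seconds, or $null if no sample line was found
    # (for example "09:00:02, error: 0x800705B4" when the host does not answer).
    param([string[]]$W32tmOutput)
    foreach ($line in $W32tmOutput) {
        if ($line -match ',\s*([+-]\d+(?:\.\d+)?)s\s*$') {
            return [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    }
    return $null
}

function Test-ClockSkew {
    param([string]$ComputerName, [string[]]$W32tmOutput)
    $offset = Get-ClockOffsetSeconds -W32tmOutput $W32tmOutput
    $status = 'OK'
    if ($null -eq $offset) {
        $status = 'NoResponse'          # cannot confirm the clock; check manually
    } elseif ([math]::Abs($offset) -gt $ToleranceSeconds) {
        $status = 'OutOfTolerance'      # login certificates would be rejected
    }
    [pscustomobject]@{ Computer = $ComputerName; OffsetSeconds = $offset; Status = $status }
}

# Constructed sample output (placeholder host names) so the script runs offline.
$samples = [ordered]@{
    'CLIENT01' = @('Tracking CLIENT01 [192.0.2.11:123].', '09:00:00, +00.0312450s')
    'CLIENT02' = @('Tracking CLIENT02 [192.0.2.12:123].', '09:00:01, -90061.5000000s')
    'CLIENT03' = @('Tracking CLIENT03 [192.0.2.13:123].', '09:00:02, error: 0x800705B4')
}

$samples.GetEnumerator() |
    ForEach-Object { Test-ClockSkew -ComputerName $_.Key -W32tmOutput $_.Value } |
    Format-Table -AutoSize

# Live use against a host list (hosts.txt is a hypothetical file, one name per line):
# Get-Content .\hosts.txt | ForEach-Object {
#     Test-ClockSkew -ComputerName $_ -W32tmOutput (w32tm /stripchart "/computer:$_" /samples:1 /dataonly)
# }
```

With the constructed samples, CLIENT01 is reported as OK, CLIENT02 (about 25 hours behind) as OutOfTolerance, and CLIENT03 as NoResponse.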
Configure LiveUpdate for your network
If you have a proxy server in your environment, you may need to give LiveUpdate explicit proxy settings.
To do so, read How to configure LiveUpdate to connect through a proxy server.
If you use a firewall, you may need to configure it to allow LiveUpdate to access the Internet.
For information, read Settings needed to configure your firewall for LiveUpdate.
Ensure that Symantec AntiVirus does not interfere with other Symantec antivirus products
- If you have Symantec AntiVirus Corporate Edition and a Symantec product for Microsoft Exchange both installed on an Exchange server, you must set certain exclusions within Symantec AntiVirus Corporate Edition. Exclude both the temporary directory for the Symantec product for Microsoft Exchange and the Exchange Database directories.
For complete information, read Preventing Symantec AntiVirus Corporate Edition 10.0 from scanning the Microsoft Exchange directory structure.
Note: Symantec AntiVirus 10.1 automatically excludes Microsoft Exchange files and folders. For more information, read About automatic exclusions of Microsoft Exchange server files and folders in Symantec AntiVirus 10.1 and Symantec Client Security 3.1.
- If you have Symantec AntiVirus Corporate Edition and a Symantec product for Domino both installed on a Domino server, then you must configure the Symantec product for Domino to use a custom Temp directory, then exclude that directory in the Symantec AntiVirus Auto-Protect options.
For additional information, read Preventing Symantec AntiVirus Corporate Edition from scanning the temporary folder for Symantec products for Domino.
- If you have Symantec AntiVirus Corporate Edition and Symantec AntiVirus for SMTP Gateways or Symantec Mail Security 4.0 for SMTP both installed on a server, then you must exclude the Queues directory in the Symantec AntiVirus Auto-Protect options.
For additional information, read Preventing a scan of the Queues folder by Symantec AntiVirus Corporate Edition.
- If, on the same computer, you have installed multiple Symantec programs that use the virus definitions, such as Symantec AntiVirus along with a Symantec product for Exchange or Domino, it is good practice to use only Symantec AntiVirus Corporate Edition to update the definitions. If you allow multiple programs to run LiveUpdate and attempt to update the definitions, the definitions may become corrupted.
For details, read Configuring LiveUpdate for multiple Symantec products installed on the same computer.
WARNING: If you install Symantec AntiVirus Corporate Edition 10.x client on an Exchange server, a Domino server, or any SMTP server, be sure not to install the Internet E-Mail Tools components. This feature monitors the standard mail ports and can cause performance degradation or failure if installed on mail servers.
For details about this process, read Installing Symantec Client Security 3.x clients or Symantec AntiVirus Corporate Edition 10.x clients without E-Mail Auto-Protect plug-ins.
Special considerations for Symantec AntiVirus 10.x on a server
Before you install Symantec AntiVirus 10.x onto a server, read the documents that apply to your situation:
- Installing Symantec or Norton AntiVirus Corporate Edition on mail servers
Failure to set the correct exclusions may result in data loss.
- Antivirus exclusions that should be set on a Microsoft 2000 or 2003 Domain Controller
- Best practice for Symantec AntiVirus Corporate Edition on a Microsoft IIS server
- Symantec AntiVirus Corporate Edition and Terminal Server support
- Can Symantec AntiVirus Corporate Edition scan a SQL database?
Symantec AntiVirus is designed to be a largely automated solution, but like all systems, it does require regular maintenance to ensure that it is working correctly. The following suggestions help to ensure that your network is protected constantly and to discover any problems before they cause critical failures.
Scan for viruses regularly
Symantec recommends that you perform regularly scheduled virus scans on all computers in your network. This full scan should occur at a time that minimizes the performance impact on your users, such as overnight or during weekends. Note that any exclusions that you have configured for Auto-Protect should be included as part of the configuration for any scheduled scans.
Schedule regular maintenance
Symantec recommends that you perform a number of maintenance tasks to ensure that Symantec AntiVirus is configured and working correctly. The frequency of maintenance depends on the size and complexity of the network. On a small network, quarterly maintenance may suffice, while very large networks may need biweekly attention. Your maintenance schedule should include the following activities:
- Confirm that all clients appear correctly in Symantec System Center.
- Confirm that virus definitions are propagating to all clients.
- Empty local Quarantines and Central Quarantine.
- Review logs for anomalies.
- Use the Audit Network function in the Symantec System Center to confirm that all clients on the network have antivirus protection.
For help with this, read How to find unprotected computers on a network using the Audit Network feature in the Symantec System Center.
Note: During a global virus outbreak, telephone hold times for Technical Support may be greatly extended. Without routine maintenance, a virus outbreak is the most likely way that issues with Symantec AntiVirus will be discovered. Symantec strongly recommends performing the maintenance regularly in order to maintain network security at all times and to prevent difficulty in getting help with any potential issues.