Symantec System Center 10.0 walk-through for administrators

Article:TECH101233  |  Created: 2005-01-19  |  Updated: 2006-01-02  |  Article URL http://www.symantec.com/docs/TECH101233
Article Type
Technical Solution


Issue



This document discusses what Symantec System Center does and how to configure some of the most common settings.


Solution



This walk-through of the most common settings in Symantec System Center assumes that you have the System Center, its snap-ins, and at least one Symantec AntiVirus server installed. If you do not see some of the menus mentioned here, it is possible that you do not have the proper snap-ins installed. For assistance with installing snap-ins, read Cannot find Symantec AntiVirus configuration menu after installing Symantec System Center.

Documentation about the functions and usage of Symantec System Center in Symantec AntiVirus Corporate Edition 10.x can be found in the Symantec AntiVirus Administrator's Guide and the Symantec AntiVirus Corporate Edition Installation Guide, which are located in the \Docs folder of CD 1. Additional documents about Symantec AntiVirus Corporate Edition and its various components are available online in PDF format.


Note: Client groups are a feature that was introduced in System Center 5.0, and revised in version 6.0 to improve their functionality.
For more information about using client groups, read Creating and managing client groups in Symantec Client Security 3.0.


Install Symantec System Center
Please read the section Installing the Symantec System Center in the Symantec AntiVirus Corporate Edition Installation Guide located in the \Docs folder of CD 1, or online in PDF format for help installing the Symantec System Center.


Select a primary server
Computers running older versions of Norton AntiVirus Corporate Edition can be members of the server group, but they cannot act as primary servers with version 10.0 of the System Center.

To select a primary server
  1. Open the System Center.
  2. Under System Hierarchy in the left pane, there is a folder icon with a lock on it. This is the server group folder. The default name is Symantec AntiVirus1. Right-click it, and unlock the server group. Enter your user name and password, if prompted.
  3. You should now see your AV servers under the server group. If you have not chosen a primary server, right-click the server that you want for your primary, and click Make Server a Primary Server. The primary server has a small circle with a blue arrow in it (see the References section of this document for more information on icons in the System Center).
  4. To configure:
    • If you click the server group folder on the left, your AV servers will appear in the right pane. Configuration settings made at the server group level will be set for all of the servers and clients in that server group, including clients in client groups (indicated by the Groups folder under the server group folder).
    • If you click a server on the left, the clients managed by that server will appear on the right. Configuration settings made at the primary server level will affect all servers and clients in the group, but will not include clients in client groups. Configuration settings made at other servers besides the primary will be set for the server and clients under that server, but not for other servers, clients under those servers, or clients in client groups.



Use the Discovery Service
If you do not see some of your servers or clients, you can use the Discovery Service, which sends a ping packet to find computers that have Symantec AntiVirus or Norton AntiVirus Corporate Edition installed. More detailed information about the discovery service, how it works, and how to perform various types of discovery scans can be found in the Symantec AntiVirus Administrator's Guide in the section titled Discovering computers and refreshing the console. Two of the numerous methods of running discovery scans are presented below.

To use the Discovery Service with IP addresses
  1. In the Symantec System Center console, in the left pane, select any node below the console root.
  2. On the Tools menu, click Discovery Service.
  3. In the Discovery Service Properties window, on the Advanced tab, check Enable IP Discovery.
    Once Enable IP Discovery is checked, an IP Discovery session runs whenever you run an Intense Discovery. To run Intense Discovery without also running IP Discovery, uncheck Enable IP Discovery.
  4. In the Scan Type list, select one of the following:
    • IP Subnet: The console broadcasts to each subnet.
    • IP Address: The console pings every computer in the range of IP addresses.
  5. In the Beginning of range and End of range boxes, type the addresses.
  6. If you clicked IP Subnet, type the subnet mask to refine the search.
IP Address search results appear in the Machine list box. IP Subnet search results are displayed in the Symantec System Center console status bar.

To use the Discovery Service without IP addresses
  1. In the Symantec System Center console, on the Tools menu, click Discovery Service.
  2. In the Discovery Service Properties window, on the General tab, select one of the following options:
    • Load from cache only: This is the quickest method. The Symantec System Center reads the list of servers and clients stored in the local cache.
      See Types of Discovery on page 24 of the Symantec AntiVirus Administrator's Guide.
    • Local Discovery: Broadcasts to the Symantec System Center console local subnet. Servers respond immediately with information about themselves and their clients. Each server group will appear in the console (unless filtered using the View menu). Load from cache only will run as well.
      See Types of Discovery on page 24 of the Symantec AntiVirus Administrator's Guide.
    • Intense Discovery: This is the most thorough method. If you have a large network, the discovery process may take a long time. The Symantec System Center serially pings every server in the Network Neighborhood. Server names appear in the message area of the Symantec System Center console as they are found during the discovery process. Intense Discovery also performs the same local subnet broadcast as Local Discovery. Load from cache only and Local Discovery will run as well. For Intense Discovery, you can limit the search to NetWare or Windows NT-based servers only, or search for both. See Types of Discovery on page 24 of the Symantec AntiVirus Administrator's Guide.
  3. Under Discovery Cycle, select the Interval in minutes, if necessary.
  4. If you want to immediately run discovery, click Run Discovery Now, and then click Close. Only one discovery can run at a time.
  5. Under Intense Discovery Properties, specify the number of intense discovery threads. You can choose any number of threads between 2 and 50. This setting affects Intense Discovery sessions only. Each discovery thread is an independent search for servers and clients. To maintain the most up-to-date discovery information, select a lower discovery interval and a higher number of discovery threads.
  6. If you want to clear all server and client information out of the active memory and address cache, and immediately run Discovery based on the current discovery settings, under Cache Information, click Clear Cache Now. When you clear the cache, unlocked server groups will be locked unless the password for the server group has been saved.


Note: Running a discovery locks the server group. Unlock the server group and wait a few minutes for the client machines to respond. If, after running the Discovery Service, you still do not see your clients, you may be experiencing a network communication issue.



Configure client and server virus definition updates
Using the Symantec System Center console, you can view the version number of the virus definitions files at the Symantec AntiVirus server, server group, client group, and individual Symantec AntiVirus client level.


To verify the version number of the virus definitions files currently in use
  1. In the Symantec System Center console, right-click a server group, client group, Symantec AntiVirus server, or client, and then click Properties.
  2. On the Symantec AntiVirus tab, in the Virus Definitions box, the file version is listed as a numerical date, followed by a version number.


Note: Once virus definitions files are updated on a computer, it may take several minutes before the information is available from the console.

Update virus definitions on servers
There are several methods for updating virus definitions files on servers:
    • Virus Definition Transport Method
    • LiveUpdate
    • Intelligent Updater
    • Central Quarantine polling

For more information about how these different methods work, see Virus definitions files update methods in the Symantec AntiVirus Administrator's Guide. For more information about how to configure these methods see Updating virus definitions files on Symantec AntiVirus servers in the Symantec AntiVirus Administrator's Guide.

Update virus definitions files on Symantec AntiVirus clients
You can update the virus definitions files on Symantec AntiVirus clients using any of the following:
    • Virus Definition Transport Method
    • LiveUpdate
    • Intelligent Updater (See Specifying multiple internal LiveUpdate servers for failover support.)
    • Central Quarantine polling (Updating servers using Central Quarantine polling.)

For more information about how these different methods work, see Virus definitions files update methods in the Symantec AntiVirus Administrator's Guide. For more information about how to configure these methods, see Updating virus definitions files on Symantec AntiVirus clients in the Symantec AntiVirus Administrator's Guide.

The Virus Definition Manager
The Virus Definition Manager screen allows you to configure how the computers in your network receive virus definition updates.

To access the Virus Definition Manager
In the Symantec System Center console, right-click the server group > All Tasks > Symantec AntiVirus > Virus Definition Manager.

The first thing to examine is the update schedule for the primary server. By default, the primary server will run LiveUpdate silently at 8:00 PM every Friday. However, it is recommended that LiveUpdate be run daily at 8:30 AM GMT to ensure that the network is optimally protected. To change the time, the day of the week, or to set it to run daily, click the top Configure button. Set the time that you want, and then click OK. The other servers get their definitions from the primary server. Servers check with the primary server every five minutes for virus definitions and configuration changes. This value is hard-coded and cannot be changed.

In the bottom half of the Virus Definition Manager screen, "Update virus definitions from parent server" should be checked. Under the Settings button, the default of "Check for updates every 60 minutes" is recommended in most cases. This is how often clients check in with their parent server.

If "Schedule client for automatic updates using LiveUpdate" is checked, then the clients will try to update using the Internet. This is not needed for managed clients that get their updates from a parent server, and can cause excessive bandwidth use if checked unintentionally.

The rest of the settings are optional, but checking "Do not allow client to manually launch LiveUpdate" will prevent managed laptop users from being able to get definitions when they are not attached to the server. For information on managing mobile clients, read the document Best practices for managing laptop and mobile clients with Symantec AntiVirus Corporate Edition.

Configure Auto-Protect (real-time virus scanning) Options


Overview of some Auto-Protect Options
Server and Client Auto-Protect Options are accessed from different levels in the System Center hierarchy by right-clicking the desired level.
  • Setting these options at the server group level affects all computers in the server group, including those in client groups.
  • Setting these options at the primary server level will affect all computers in the server group that are not in client groups.
  • Setting these options at the individual server level will affect only those computers managed by that particular server.

In the server Realtime Protection Options, you can set options for those computers running the AntiVirus server. In the client Realtime Protection Options, you can set options for those computers running the Symantec AntiVirus client.

The File System tab
"Enable file system realtime protection" should always be checked. In addition, unless your users have a legitimate business need to disable their virus protection, we strongly recommend that you click on the lock icon so that it appears as locked. This prevents users from disabling File System Realtime Protection through the AntiVirus client program interface.


Note: Any option that is not locked can be changed by the user.

The default values under the Advanced button should not be changed unless you are advised by a Symantec technician to do so.

In the File types section, Symantec recommends leaving the setting at All types. The most common choice for the actions on both Macro and Non-Macro viruses is "Clean virus from file," then "Quarantine infected file."

In the Options section, the "Display message on infected computer" causes a message box to appear on any computer on which Symantec AntiVirus finds a virus. The "Exclude selected files and folders" box should be checked if you have large databases, such as SQL, or a local email server like Microsoft Exchange. Certain third-party software packages will also suggest excluding their software from being scanned. Usually, these exclusions will only be set for the server in the Server Realtime Protection Options. However, it can be set on each individual server.

For more information on these topics, see the following documents:
Preventing Symantec AntiVirus 10.x from scanning the Microsoft Exchange directory structure
Best practices for Symantec AntiVirus Corporate Edition RealTime Protection on a Microsoft Exchange Server
Can Symantec AntiVirus Corporate Edition scan an SQL database?

The Drive Types section contains a list of different drive types that Symantec AntiVirus scans. Check any of these boxes that you want Symantec AntiVirus to scan on your computer. If all the computers on your network have virus protection, then you do not need to have Network checked. Each computer will scan all of its own files, so scanning across the network is not necessary and may slow network performance. Symantec recommends that you uncheck and lock the Network box. For maximum protection, we recommend checking and locking the Floppy and CD-ROM options.

The Internet E-mail tab
An administrator can configure the settings for the client computer's email virus scanning policies. The Lotus Notes and Microsoft Exchange plug-ins have been present in our AntiVirus products for quite some time now, but the Internet E-mail tab is a new feature introduced in Version 9.0. With all of these plug-ins, the real-time protection of the client desktop/file system is extended to include emails as they are downloaded. This enables the Realtime protection to prevent infected emails or attachments from being downloaded, and thus reduce the chance of infection from malicious emails.

Administrators should note that the client system can be configured to send email notifications to the originator of the email or to one or more designated third parties (such as the local administrator account). By default, both of these features are unselected. Symantec does not recommend using sender notifications, as most virus-infected emails have spoofed sender email addresses, and consequently all that is achieved by sending a notification to that address is that the recipient (if the address was even valid) will be notified of an email that they never sent. Since this could be construed to be unsolicited mail, system administrators should consider the ramifications of such a decision prior to deploying this sort of configuration throughout their organization.

Configuring Auto-Protect scans
More detailed information about configuring Auto-Protect scans and how they work can be found in the Symantec AntiVirus Administrator's Guide in the section titled Configuring Auto-Protect scans. In particular, the following tasks are discussed:
    • Configuring Auto-Protect for files
    • Configuring Auto-Protect email scanning
    • Specifying exclusions
    • Configuring Auto-Protect settings
    • Locking and unlocking Auto-Protect options

Configure Client Administrator Only Options
The Client Administrator Only Options screen is where you can choose to have the clients show the gold shield icon in the System Tray and whether users are alerted when the virus definitions are outdated. Both of these options are unchecked by default. The Security tab allows you to alter or disallow the required password for uninstalling the AV client and to lock the ability of the users to unload Symantec AntiVirus services. Both of these options are enabled by default.





Configure Quarantine Options
On the Quarantine Options screen, you can choose whether to allow your clients to forward copies of their quarantined files to a Quarantine server, if you are using Central Quarantine. See the document How to set up the Symantec Central Quarantine for Symantec AntiVirus Corporate Edition for information about this feature. If you are not using Central Quarantine, you can allow your clients to submit files to Symantec Security Response for analysis through the Scan and Deliver feature.

In the "When new virus definitions arrive" section of the Quarantine Options screen, you can choose whether clients scan their local quarantines when new definitions are downloaded. By default, this feature is turned on and will result in virus alerts being generated for every quarantined file that could not be repaired, each time new definitions arrive. Symantec recommends that you set this option to "Do nothing," so that you are only alerted about newly discovered viruses.






Configure Scheduled Scans
The next options to configure are Scheduled Scans. These can be accessed from different levels in the System Center hierarchy by right-clicking the desired level. This information is located in the Symantec AntiVirus Administrator's Guide in the section Understanding scheduled scans on page 113.


Notes:
  • Scan configuration settings made at the primary server level will affect all servers and clients in the group, but will not include clients in client groups. Scan configuration settings made at other servers besides the primary will be set for the server and clients under that server, but not for other servers, clients under those servers, or clients in client groups.
  • When you exclude a folder, Symantec AntiVirus cannot protect the affected computer from infected files in the folder. When you exclude a threat category, Symantec AntiVirus cannot protect the affected computer from threats that are included in the category. See Enabling expanded threat categories.
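
The scope rules in the first note above (also given under Select a primary server and Overview of some Auto-Protect Options), modelled as an added Python example. It is not Symantec code and does not talk to the System Center; the class names, host names and the Laptops client group are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Client:
    name: str
    parent: str                         # server that manages this client
    client_group: Optional[str] = None  # set when the client is in a client group


@dataclass
class ServerGroup:
    name: str
    primary: str
    servers: list[str]
    clients: list[Client]

    def all_computers(self) -> set[str]:
        return set(self.servers) | {c.name for c in self.clients}

    def affected(self, level: str) -> set[str]:
        """Computers that receive a setting made at `level`.

        `level` is the server group name or the name of one of its servers.
        """
        if level == self.name:
            # Server group level: every server and client, client groups included.
            return self.all_computers()
        if level not in self.servers:
            raise ValueError(f"{level!r} is not the server group or one of its servers")
        ungrouped = [c for c in self.clients if c.client_group is None]
        if level == self.primary:
            # Primary server level: all servers and clients, minus client-group members.
            return set(self.servers) | {c.name for c in ungrouped}
        # Any other server: itself and its own clients, minus client-group members.
        return {level} | {c.name for c in ungrouped if c.parent == level}

    def not_reached(self, level: str) -> set[str]:
        """Computers in the server group that a setting made at `level` misses."""
        return self.all_computers() - self.affected(level)


# Constructed sample hierarchy (host and client group names are made up).
GROUP = ServerGroup(
    name="Symantec AntiVirus1",
    primary="AVSRV1",
    servers=["AVSRV1", "AVSRV2"],
    clients=[
        Client("WS01", parent="AVSRV1"),
        Client("WS02", parent="AVSRV2"),
        Client("LT01", parent="AVSRV2", client_group="Laptops"),
    ],
)

if __name__ == "__main__":
    for level in (GROUP.name, "AVSRV1", "AVSRV2"):
        print(f"{level:20} reaches {sorted(GROUP.affected(level))}, "
              f"misses {sorted(GROUP.not_reached(level))}")
```

In this sample, a setting made at the primary server (AVSRV1) never reaches LT01; only the server group level covers it.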



To schedule a scan for a server group
  1. In the Symantec System Center console, do one of the following:
    • In the console tree, click System Hierarchy. In the right pane, Shift+click or Ctrl+click to select multiple server groups, and then right-click the selection.
    • Right-click a server group.
    • Right-click a server.
  2. Click All Tasks > Symantec AntiVirus > Scheduled Scans.
  3. In the Scheduled Scans dialog box, on the Server Group Scans tab, click New.
  4. In the Scheduled Scan dialog box, under Name, type a name for the scan.
  5. Ensure that Enable scan is checked.
  6. Set a frequency for the scan.
  7. Set a time for the scan. You can type any time in increments of 1 minute or use the drop-down list to select a time in 15-minute increments.
  8. Click Advanced.
  9. In the Advanced Schedule Options dialog box, check Handle Missed Events Within, and then set the time limit within which you want the scan to run. For example, you may want a weekly scan to run only if it is within three days after the scheduled time for the missed event.
  10. Click OK.
  11. In the Scheduled Scan dialog box, click Scan Settings.
  12. In the Select Items dialog box, click Options.
  13. In the Scheduled Scans Options dialog box, you can:
    • Select file types or extensions to scan.
    • Assign primary and secondary actions for detected viruses, blended threats, and some other threats. If deleting a threat in an expanded threat category can cause a system failure, the only available action is to log it.
    • Enable scanning for threats that are in memory.
      See Scanning for in memory threats.
    • Enable expanded threat scanning and exclude threat categories from the scan if necessary.
    • Display a warning message on infected computers.
    • Exclude files and folders from the scan. (Not available for multiple clients or servers.)
    • Set throttling options. (Setting CPU utilization)
  14. Click Advanced.
  15. In the Scan Advanced Options dialog box, you can:
    • Display a scan progress window on a computer that is being scanned.
    • Close a scan progress window on a computer when the scan completes.
    • Back up infected files before you attempt to repair them as a data safety precaution. The files are encrypted and backed up to the Quarantine directory. Once the file is backed up, it must be restored before it can be accessed again.

      Note: Symantec AntiVirus does not back up threats other than viruses, such as adware or spyware, when you delete them. Once you delete the file, Symantec AntiVirus cannot restore it.
    • Set options for scanning compressed files.
  16. Click OK until you return to the main screen in the Symantec System Center console.

For more information about the various scan options see Configuring scheduled scans on page 167 of the Symantec AntiVirus Administrator's Guide.

To schedule scans for Symantec AntiVirus clients
  1. In the Symantec System Center console, right-click a server or individual client, and then click All Tasks > Symantec AntiVirus > Scheduled Scans.
  2. In the Scheduled Scans dialog box, on the Client Scans tab, click New.
  3. In the Scheduled Scan dialog box, under Name, type a name for the scan.
  4. Set a frequency for the scan.
  5. Set a time for the scan. You can type any time in increments of 1 minute or use the drop-down list to select a time in 15-minute increments.
  6. Click Advanced.
  7. In the Advanced Schedule Options dialog box, check Handle missed events within, and then set the time limit within which you want the scan to run. (For example, you may want a weekly scan to run only if it is within three days after the scheduled time for the missed event.)
  8. Click OK.
  9. In the Scheduled Scan dialog box, click Scan Settings.
  10. Select the folders to scan.

    Note: This option is not available if you are scanning multiple computers because folders are specific to each computer.
  11. Click Options.
  12. In the Scheduled Scan Options dialog box, you can:
    • Select file types and extensions to scan.
    • Assign primary and secondary actions for detected viruses. If deleting a threat can cause a system failure, the only available action is to log the threat.
    • Select file types or extensions to scan.
    • Enable scanning for threats that are in memory. (Scanning for in memory threats)
    • Enable expanded threat scanning and exclude threat categories from the scan if necessary.

      Note: When you exclude a folder, Symantec AntiVirus cannot protect the affected computer from infected files in the folder. When you exclude a threat category, Symantec AntiVirus cannot protect the affected computer from threats that are included in the category. See Configuring inclusions and exclusions on page 121 of the Symantec AntiVirus Administrator's Guide.
    • Display a warning message on infected computers.
    • Exclude files and folders from the scan. (Not available for multiple clients or servers.)
    • Set throttling options. (Setting CPU utilization)
  13. Click Advanced.
  14. In the Scan Advanced Options dialog box, you can:
    • Set options for scanning compressed files.
    • Back up files infected by viruses or blended threats before attempting to repair them as a data safety precaution. The files are encrypted before Symantec AntiVirus backs them up. The files get backed up to the Quarantine directory. Once the file is backed up, it must be restored before it can be accessed again. Symantec AntiVirus does not back up threats other than viruses and blended threats; for example, Symantec AntiVirus does not back up spyware or adware files.
    • Determine whether a progress dialog box appears on the computer while the scan runs. You can configure the progress dialog box to close automatically when the scan has completed. You can also display or hide a Stop button on the remote computer. When this option is disabled, the scan cannot be stopped from the remote computer.





References
This document is specific to the version of Symantec System Center that ships with Symantec AntiVirus Corporate Edition 10.0 and Symantec Client Security 3.0.
To find out which version of Symantec System Center you are using, read the document Determining the version of Symantec System Center.





Legacy ID



2005041908415548

