What's new in Symantec AntiVirus 10.0 and Symantec Client Security 3.0 Maintenance Release 1 Maintenance Patch 1

Article:TECH101546  |  Created: 2005-01-04  |  Updated: 2005-01-27  |  Article URL http://www.symantec.com/docs/TECH101546
Article Type
Technical Solution

Issue



Symantec AntiVirus 10.0 and Symantec Client Security 3.0 Maintenance Release 1 Maintenance Patch 1 includes new and improved features for computers that run Windows. This document describes the new features in this release.


Solution



About this patch

This Symantec Client Security patch contains enhanced handling for security risks. These changes are largely transparent to the user. This patch also allows you to upgrade your existing Symantec AntiVirus 10.0.1.1000 clients and servers with these new capabilities without having to install a full build.

Auto-Protect blocking of security risks
A Block Security Risks checkbox has been added to Auto-Protect in Symantec AntiVirus to control the time at which Auto-Protect reacts to certain security risks. In cases where blocking security risks will not affect the stability of a computer, Auto-Protect can be configured to block the risks. If Symantec determines that blocking a security risk could compromise a computer's stability, then Auto-Protect allows the risk to install and immediately takes the action that is configured for the risk, regardless of whether the Block Security Risks checkbox is enabled.

When you enable Block Security Risks, the action that is set for a security risk's category takes precedence over the action that is set for the individual security risk. For example, if the adware category is set to Log only, then this feature is disabled for all instances of adware, even if you have configured an exception so that a specific piece of adware is to be quarantined.

If you disable Block Security Risks, Auto-Protect detects the security risks after they are installed or run, and handles them using the actions you have configured. Events are logged regardless of whether Block Security Risks is enabled or disabled.

Block Security Risks can be enabled in the following locations:

  • the Client Auto-Protect Options dialog box in the Symantec System Center
  • the Server Auto-Protect Options dialog box in the Symantec System Center
  • the Symantec AntiVirus File System Auto-Protect dialog box in the Symantec AntiVirus user interface

Administrators can lock the Block Security Risks setting in Symantec System Center.


Note: If Scan for Security Risks is disabled, the checkbox for Block Security Risks can still be checked, but the Block Security Risks setting is ignored until Scan for Security Risks is reenabled.


Security risk repair after restarts
Symantec Client Security is able to perform additional repairs after a system restart.

In some cases, Symantec Client Security cannot repair all the changes that are made by a security risk until you restart the computer. Some of the possible reasons include the following:
  • The repair involves running processes that cannot be terminated, causing their binaries to be locked on the disk.
  • The risk has files open for exclusive read, write, or delete privileges that cannot be deleted without a restart.
  • The repair affects a Layered Service Provider.

Symantec Client Security notifies the user that a restart is necessary through the scan results window, if the user interface is enabled for that scan. Users may either restart immediately or postpone the restart until it is convenient.

Results of the repairs are logged to the Event log. Users can see the results of the repairs in the scan status window or the Risk History window and can right-click risks to see repair details.


Note: The repair will not be complete until after the restart.



Layered Service Provider repairs
Symantec Client Security can repair the effects of security risks that affect a Layered Service Provider (LSP) when that LSP cannot be removed from a chain of services without breaking a service until a restart occurs. For example, removing an LSP might break network connectivity and require a second restart to restore network access.

An LSP is a system driver that is typically integrated directly into the TCP/IP layer and manipulates the data that is transmitted in some way. For example, an LSP could be used to encrypt the data.

Users can see the results in the scan status window or the Risk History window, and can right-click risks to see repair details.
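
The following added example (not Symantec code and not part of the original article) is a simplified model of why an LSP cannot simply be deleted from a chain: other providers' chains refer to it by catalog ID, so the chain has to be re-linked. The catalog layout, DLL names, and the functions broken_entries and remove_lsp are assumptions made for illustration.

```python
# Constructed, simplified model of a Winsock catalog (assumption: real entries
# carry more fields). "chain" lists catalog IDs from the top layer down to the
# base provider; a layer entry itself has an empty chain.
CATALOG = [
    {"id": 1001, "dll": "mswsock.dll", "chain": [1001]},             # base TCP/IP
    {"id": 1050, "dll": "risk_lsp.dll", "chain": []},                # unwanted LSP layer
    {"id": 1051, "dll": "risk_lsp.dll", "chain": [1050, 1001]},      # LSP over TCP/IP
    {"id": 1060, "dll": "filter.dll", "chain": []},                  # second, wanted layer
    {"id": 1061, "dll": "filter.dll", "chain": [1060, 1050, 1001]},  # stacked on the LSP
]

def broken_entries(catalog, files_on_disk):
    """IDs of entries that cannot load: own DLL missing or a chain link unusable."""
    loadable = {e["id"] for e in catalog if e["dll"] in files_on_disk}
    return sorted(
        e["id"] for e in catalog
        if e["id"] not in loadable or any(link not in loadable for link in e["chain"])
    )

def remove_lsp(catalog, lsp_dll):
    """Return a new catalog with the LSP's entries dropped and chains re-linked."""
    doomed = {e["id"] for e in catalog if e["dll"] == lsp_dll}
    repaired = []
    for e in catalog:
        if e["id"] in doomed:
            continue
        # Splice the removed layer out of chains that belong to other providers.
        chain = [link for link in e["chain"] if link not in doomed]
        repaired.append({**e, "chain": chain})
    return repaired

if __name__ == "__main__":
    remaining_files = {"mswsock.dll", "filter.dll"}  # the LSP's DLL was deleted
    # Deleting only the file leaves the catalog pointing at a provider that is gone.
    print("file deleted, catalog untouched:", broken_entries(CATALOG, remaining_files))
    repaired = remove_lsp(CATALOG, "risk_lsp.dll")
    print("after re-linking:", broken_entries(repaired, remaining_files))
    print("stacked chain now:", repaired[-1]["chain"])
```

In the model, deleting only the DLL breaks the LSP's own entries and the unrelated provider stacked on top of it, which is the loss of connectivity the article describes.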

Hosts file repairs
Symantec Client Security can detect and repair security risk modifications to hosts files, which are used to map host names to IP addresses.

Hosts files may be used maliciously by virus and other security risk authors. For example, entries in the hosts file can be used to block users from visiting virus removal Web sites or to redirect the user to a counterfeit or malicious Web site.

The results of hosts file repairs are logged to the Event log. Users can see the results in the scan status window or the Risk History window, and can right-click risks to see repair details.
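
As an added illustration (not Symantec code and not part of the original article), the following script audits a hosts file for the two abuses described above: security sites pointed at a dead address, and names redirected to an address outside a known-good baseline. The sample file, the policy lists, and the function audit_hosts are constructed for the example.

```python
import ipaddress

# Constructed sample hosts file (not taken from a real system).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1       liveupdate.av-vendor.example   # update server sinkholed
0.0.0.0         www.removal-tools.example
203.0.113.7     www.bank.example login.bank.example
10.0.0.5        intranet.corp.example
not-an-ip       broken.example
"""

# Hypothetical policy lists; in practice these come from your own baseline.
PROTECTED_SUFFIXES = ("av-vendor.example", "removal-tools.example")
ALLOWED = {("10.0.0.5", "intranet.corp.example")}
LOCAL_NAMES = {"localhost"}

def audit_hosts(text, protected=PROTECTED_SUFFIXES, allowed=ALLOWED):
    """Return (line_no, host, address, reason) for each suspicious mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(entry) < 2:
            continue                            # blank, comment, or no host name
        try:
            addr = ipaddress.ip_address(entry[0])
        except ValueError:
            findings.append((line_no, " ".join(entry[1:]), entry[0], "malformed address"))
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified
        for host in (h.lower().rstrip(".") for h in entry[1:]):
            if host in LOCAL_NAMES and sinkhole:
                continue                        # normal localhost entry
            if (str(addr), host) in allowed:
                continue                        # known-good baseline entry
            is_protected = any(host == s or host.endswith("." + s) for s in protected)
            if sinkhole and is_protected:
                reason = "blocks security site"
            elif sinkhole:
                reason = "sinkholed host"
            else:
                reason = "redirect to non-baseline address"
            findings.append((line_no, host, str(addr), reason))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On Windows the file to audit is normally %SystemRoot%\System32\drivers\etc\hosts; read it and pass its text to audit_hosts.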

Directory remediation
Symantec Client Security detects and removes folders that are placed on your computer by security risks. If the configured action for the risk is Delete or Quarantine and the folder is empty, Symantec Client Security removes the folder automatically. If directory remediation is needed in the repair of a risk, users can right-click the risk to see that in the risk details.




References
For deployment directions, read Applying Symantec AntiVirus 10.0 and Symantec Client Security 3.0 Maintenance Release 1 Maintenance Patch 1.





Legacy ID: 2005100416170148

