Installing and configuring Symantec AntiVirus for Macintosh Corporate Edition for the first time
|Article:TECH105442|||||Created: 2008-01-21|||||Updated: 2009-01-05|||||Article URL http://www.symantec.com/docs/TECH105442|
This document describes the procedure for installing Symantec AntiVirus for Macintosh Corporate Edition on a network that has no current Symantec AntiVirus software. This is intended to be a brief overview of the install and configuration process. While you can begin to install and use the Symantec AntiVirus for Macintosh software after reading this article, it is by no means inclusive of all information available. When applicable, specific Knowledge Base articles are referenced that provide more in depth information to the install and configuration process for the user to refer to.
Installing and configuring the Symantec Administration Console for Macintosh
Installing the Symantec Administration Console for Macintosh (SACM) requires the Mac OS X Server operating system. Installing to Mac OS X Client is not a supported configuration. When installing to Mac OS X Server, make sure that the following services are running:
- Apache Web Server
It is important to note that the only supported versions of these services for use with the SACM are the versions that ship with Mac OS X Server itself. Do not upgrade the versions of Apache, PHP or MySQL that are included with Mac OS X Server unless upgraded by Apple in Mac OS X Server updates and upgrades.
Ensure that the root password for MySQL has been set before installing the SACM. When setting the Root password, make sure that at least for the time of the install of the SACM that it does not have any extended characters such as a $, etc. Using complex passwords can cause issues when attempting to configure MySQL via the SACM Installation Assistant. If policy requires a complex password, temporarily change to a non-complex password for the install to complete successfully and then it can be changed back. The SACM only requires Root access once while installing to set up the MySQL database tables and to create the SACM user for modifying the SACM database.
Using SSL with the Administration Console for Macintosh requires a Certificate Authority-signed certificate. Self-signed certificates will not work.
Once installation is complete, the SACM is accessable at http://
Specific information on installing the SACM can be found in the Knowledge Base article Installing Symantec Administration Console for Macintosh server.
Creation of the Symantec Client Administration package
The install of the SACM will also create a client installer package for use on client systems to set up communication between the client and the SACM. This file is located on the server in /Library/Application Support/Symantec/SMac/Symantec Administration Client.pkg. The installer package will need to be run on each client that will be managed by the SACM and communications are performed by a UDP broadcast package from the server to the client and the client will then pull updates from the SACM upon receipt of the broadcast package. These packets are very small, around 128 bytes and should not cause any major traffic issues on a network beyond the usual UDP broadcast traffic. If UDP is disabled on a network, clients managed by a SACM will poll the SACM every 5 minutes for updated information.
Specific information on the install of the Client Administration Package can be found in the Knowledge Base article Installing Symantec Administration Console for Macintosh client.
Installing and configuring the LiveUpdate Administration Utility for Macintosh
While clients will be able to check for updates for preference sets and commands from the SACM, the SACM itself is not responsible for hosting, nor does it distribute updated virus definitions for client systems. By default, client systems will access external Symantec LiveUpdate servers for virus definition updates. To alleviate outbound network traffic to an external source, an internal LiveUpdate server can be set up and configured to distribute both virus definitions and program updates. Once the LiveUpdate Administration Utility is installed and configured, new LiveUpdate preferences can be created and deployed to clients to point them towards the internal LiveUpdate server. Virus definitions, once updated fully distribute as micro-defs and should maintain a low level of traffic on your network when clients update.
Specific information on the LiveUpdate Administration Utility and how to install and configure can be found in links off the main Knowledge Base article How to set up an internal LiveUpdate server for Symantec AntiVirus for Macintosh 10 clients.
If this is a mixed environment and the Network Administrator wishes to use the Windows LiveUpdate Administrator to create an internal LiveUpdate server for all clients, Macintosh and Windows, this can also be done using the LiveUpdate Administrator 2.1 software for Windows. For more information on how to accomplish this, please see the Knowledge Base document Using the LiveUpdate Administration Utility on a PC to download updates for Symantec AntiVirus 10 for Macintosh clients.
Creating and distributing client preference sets and sending commands
Creating and distributing client preferences are done via the SACM console in the Client Preferences tab. Here the Administrator can create preferences for:
- Auto-Protect - Auto-Protect scan behaviors for enabling or disabling Auto-Protect, compressed file scan, automatic repair of files and moving files that cannot be repaired to Quarantine can be set here. The "Safe Zones" setting can also be configured to set Auto-Protect to scan for new and modified files on all mounted volumes, or to exclude specific folder paths, or to only scan specific folder paths. Also, the "Mount Scan" options can get set here to enable scanning of newly mounted volumes and the types of volumes to be scanned.
- LiveUpdate - If an internal LiveUpdate server is to be set up, a new LiveUpdate preference set to point clients to the new server can be created here. Specific information for pointing clients to the internal LiveUpdate server can be found in the Knowledge Base document How to set up clients to download updates from the internal LiveUpdate server.
- Symantec AntiVirus - These are options for scanning with the Symantec AntiVirus application. Similar to the Auto-Protect options, compressed file scans can be enabled or disabled, along with repair and Quarantine options. In addition, any scan results for reports and on scheduled scans can be modified along with a setting to remind the user if virus definitions are out of date.
Setting Schedules for LiveUpdate and scans of the client system
Schedules to run LiveUpdate and/or manual scans for threats can also be sent from the SACM to the client machines via the "Send Commands" tab and running a custom script from the Command drop down menu. Schedules are sent down to client systems from the SACM as a script that runs the Symsched terminal command on the client. This command is run silently in the background of the client system and the user will not see any terminal command being processed. These scripts can also be saved within the SACM for future reference for when new clients are added to the environment, or if the schedule needs to be resent to clients for whatever reason. It would be best practice to schedule LiveUpdate at least once a week on Fridays for all systems, and if the Administrator wishes to use scheduled scans, to set these scans as to not interfere with backups and other processor or drive-intensive activities that can cause conflicts and high CPU usage. Further information on setting scheduled commands to users can be found in the Knowledge Base article How to remotely schedule LiveUpdate and virus scans on Symantec AntiVirus 10.0 clients.
Creating groups and assigning clients to groups
For organization, clients reporting to a SACM can be divided into groups. This will help for logical organization of clients and when an Administrator wishes to send specific commands and preferences to specific groups of clients with ease. To create these groups, the Administrator will want to go to the Maintenance tab in the SACM and select the "Manage Groups" link to create a new group. Once the groups the Administrator requires have been created, clients can be moved into the group or groups from the Send Commands tab. Clients can be moved into groups, between groups, or removed from groups altogether via the command dropdown on this screen. If the Administrator chooses to go with groups, it is best to organize clients logically into either roles, such as accounting, graphics department, or by the client type which could include desktops, laptops, or servers. Then send down to these groups preferences and schedules that are appropriate for these systems as determined by the Administrator.
Deploying Symantec AntiVirus to client systems
Once the SACM has been successfully installed, configured and appropriate preferences and schedules have been set, the Administrator is ready to deploy Symantec AntiVirus for Macintosh to client systems. Deployment is a two step process involving the Symantec Administration Client package, and the Symantec AntiVirus for Macintosh client software. It does not matter what order the installs take place in. Installing only the Symantec Administration Client package will allow the client to listen for commands and report status to the SACM, but will not provide any antivirus protection. Conversely, installing Symantec AntiVirus for Macintosh will provide threat protection, but it will stand as an unmanaged client and not report to the SACM install.
- The Symantec Administration Client package
The Symantec Administration Client package facilitates communication from the server to the client systems. The server will broadcast out a very small packet (around 128 bytes) via UDP to all managed clients or selected clients depending on what clients or groups the Administrator chooses in the SACM Send Commands tab. Clients will "hear" this broadcast and then touch the SACM server to pull down any preference changes waiting for them and report back successfully the preference change and/or SACM command for clients to run (scan, LiveUpdate, restart, etc.). If UDP is turned off in the network, clients will heartbeat in automatically every 5 minutes to check for new preferences and commands to run. A restart is required once the install is complete on the client.
- Symantec AntiVirus for Macintosh
This is the actual antivirus package for the Macintosh to perform manual scans and to perform active scans with Auto-Protect for threats on the client system. The only options available to the user are to scan within archives, to run LiveUpdate, or to start a manual scan of the system. Two preference panes are also installed by default with version 10.2, and are available to be downloaded and installed for version 10.1.x. These preference panes control the Symantec QuickMenu in the menubar to allow for ready access to installed Symantec applications, and to configure Auto-Protect locally. Administrator-level access is required to make changes in these preference panes. While a restart is not required after the install, the user will need to log out and log back into their account to complete the install process.
To install these packages it is easiest to use a tool such as Apple Remote Desktop to distribute these files to be installed on each client system remotely. There is a method to deploy Symantec AntiVirus to client systems from the SACM provided the Symantec Administration Client package has already been installed on the target client. Information on installing Symantec AntiVirus in this manner can be found in the Knowledge Base article How to remotely deploy Symantec AntiVirus for Macintosh 10 using the Symantec Administration Console. Alternatively, the packages can be installed locally on each workstation, and even be added to a drive image for deployment to new systems being added to an existing environment. The steps to do this can be found in the Knowledge Base article Information on using Symantec AntiVirus as part of a drive image can be found in the Knowledge Base article How to configure Symantec AntiVirus for Macintosh for deployment as part of a drive image. The Symantec Administration Client package is located on the SACM server in /Library/Application Support/Symantec/SMac/Symantec Administration Client.pkg. The Symantec AntiVirus for Macintosh installer is located on the root of the Symantec AntiVirus for Macintosh CD or CD image.
Symantec AntiVirus for Macintosh is now installed, configured and deployed to your network environment.
Article URL http://www.symantec.com/docs/TECH105442