Readme.txt file for Symantec On-Demand Protection 2.6

Article:TECH139733  |  Created: 2010-09-14  |  Updated: 2010-09-14  |  Article URL
Article Type
Technical Solution


Readme.txt file for Symantec On-Demand Protection 2.6


+ README for Symantec On-Demand v2.6                       +
+ Copyright (C) 2005 Symantec Corporation                  +

* Symantec On-Demand v2.6                         *

| CONTENTS                                         |
|                                                  |
| 1. Product Name and Version                      |
| 2. System Requirements                           |
| 3. Supported Platforms and Third Party Support   |
| 4. Release Notes                                 |
| 5. Documentation and Online Help                 |
| 6. Contact Information                           |                 

1. Product Name and Version
Release Date: December 19, 2005:

Symantec On-Demand version 2.6 Build 2230

2. System Requirements
Symantec On-Demand 2.6 Minimum System Requirements


Symantec On-Demand Agent delivers endpoint security from any web
application that runs a web server and has enough hard disk
space to store the binaries for the Symantec On-Demand package.
Some types of web applications that can deliver Symantec On-Demand include:

  * Webmail
  * Web Portal applications such as
    a. ERP (Enterprise Resource Planning)
    b. CRM (Customer Relationship Management)
    c. HR (Human Resources)
  * Enterprise switches with Captive Portal/Proxy


This section describes the minimum requirements for installing
and running the Symantec On-Demand Manager, the policy editor
and manager used to generate the Symantec On-Demand Agent,
which is then uploaded to the On-Demand Web Application.
In normal practice, this software is installed on the
administrator's desktop, where the agent is generated and
then uploaded to the web application from where the On-Demand
Agent is delivered (e.g. SSL VPN, Human Resources web application,

Hardware and Software Requirements for the On-Demand Manager

To run the On-Demand Manager, you need a Windows 2000 or
Windows XP workstation, or a Windows Server 2003 meeting the
following specifications:

* Pentium 633MHz or faster
* 128 MB RAM
* 20 MB available hard disk space
* Administrator privileges
* Java Runtime Environment (JRE) version 1.4.2 or later.

For Symantec On-Demand agents (standalone or combined),
less than 1 MB of hard disk space is required for the download
of the virtual agent. Once the agent is downloaded, it
uncompresses and installs on the endpoint, requiring a total
of 5 MB of hard disk space.

In the case of the Virtual Desktop, since the underlying
file system and registry are virtualized and encrypted,
more space is required after the agent is downloaded.
Furthermore, if the user runs an application which access
user data from the Regular Desktop, even more space may
be required, since the data files themselves are virtualized
and encrypted.

Running the Virtual Desktop on Client Computers
The Virtual Desktop runs on computers meeting the following

* Pentium 633MHz or faster
* 128 MB RAM
* 25 MB MINIMUM available hard disk space required for Agent to download.
  Note that more space may be required for your system to run smoothly
  after Agent is downloaded, because user data files mustbe virtualized
  for successful launch of certain applications.
* Windows Server 2003, Windows 2000 Pro,
  Windows 2000 Server, Windows XP, Windows NT4 (SP6)
* Browser: Internet Explorer 5.0 or later, Netscape 6.0 or later,
  Opera 7.2 or later, Firefox 1.0 or later
* Java Runtime Environment (JRE) version 1.4.2 or later, or Microsoft
  Java Virtual Machine (JVM) version 5.0 or later

Running Symantec Host Integrity on Client Computers
Symantec Host Integrity runs on computers meeting the following

* Pentium 633MHz or faster
* 128 MB RAM
* 5 MB available hard disk space required for Agent to download
* Windows Server 2003, Windows 2000 Pro, Windows
  2000 Server, Windows XP, Windows NT4 (SP6), Windows 98, Windows Me
* Browser: Internet Explorer 5.0 or later, Netscape 6.0 or later,
  Opera 7.2 or later, Firefox 1.0 or later
* Java Runtime Environment (JRE) version 1.4.2 or later, or
  Microsoft Java Virtual Machine (JVM) version 5.0 or later

Running the Cache Cleaner on Client Computers
The Cache Cleaner runs under the following environments:

* Pentium 633MHz or faster
* Windows 98, Windows Me: 64 MB RAM
* Windows Server 2003, Windows 2000 Server,
  Windows 2000 Pro, Windows XP, Windows NT4 (SP6): 128 MB RAM
* 5 MB available hard disk space required for Agent to download
* Browser: Internet Explorer 5.0, 5.5, 6.0, Netscape 6.0 or
  later, Opera 7.2 or later, Firefox 1.0 or later
* Java Runtime Environment (JRE) version 1.4.2 or later,
  or Microsoft Java Virtual Machine (JVM) version 5.0 or later

* PowerPC 600Mhz or faster
* MacOS X, 10.2 and later
* 128 MB RAM
* 5 MB available hard disk space required for Agent to download
* Browser: Safari 1.0 or later, Internet Explorer 5.2 or later
* Java Runtime Environment (JRE) version 1.4.2 or later

* Pentium 633MHz or faster
* 128 MB RAM
* Linux Red Hat 9.0, Enterprise Server 3 and Fedora (core 3)
* 5 MB available hard disk space required for Agent to download
* Browser: Mozilla 1.2 and later
* Java Runtime Environment (JRE) version 1.4.2 or later

3. Supported Platforms and Third Party Support

* Supported Platforms*

Please refer to "System Requirements" above for information about
supported platforms.


If you obtained this product from a hardware or software
company other than Symantec Corporation directly, your software
license as well as all service and support should be obtained
through that vendor. Check the Addendum provided with the package
for service and support information.

4. Release Notes

*New Functionality*

This section describes new features in Symantec On-Demand. 
These new features have been added since the August 2005 release of
Sygate On-Demand v2.5, Maintenance Release 2.


• Enforcement for Internet Information Services (IIS) Web Server:
  Prevents bypass of on-demand security for Outlook Web
  Access (and other web applications deployed with IIS).
• Gateway Enforcer Integration: The Symantec Gateway
  Enforcer acts as a gateway between an external and internal network.  
  Previously the Gateway Enforcer could interact only with
  Agents generated by other Symantec products (SSE, SNAC and SEP).
  In this release, the On-Demand Agent has been modified so that it
  too can communicate with the Gateway Enforcer.

• Remediation URL: An alternative to the Failure URL, this feature
  allows administrators to route users to a URL that
  provides the ability to remediate the condition(s) that
  caused Host Integrity to fail.  The Host Integrity module
  can also dynamically generate a formatted string that
  describes the reason for the failure.
• Continuation URL: A supplement to the Remediation URL,
  the Continuation URL provides another option for endpoint
  users to take when Host Integrity fails. When this feature is
  enabled, endpoint users can choose to continue to other tasks
  or to less secure server resources rather than remediating. 
• Popup messages: Administrators can now enable and disable
  Host Integrity failure popup windows that appear after the
  initial popup is displayed. This feature allows administrators
  to use Host Integrity to monitor and log compliance without
  disrupting the endpoint user’s session.
• Host Integrity failure message enhancements: The failure
  popup window now displays more information to explain exactly
  which rule groups or rules have failed, the logical relationships
  between rules that fail, and hints to help users understand
  the precise cause of the Host Integrity failure.
• New custom error message text box: Administrators can more
  easily add a custom error message that is displayed by the Agent
  when a Host Integrity check fails.
• Custom checks for weak passwords and administrator privileges:
  The custom check fails if the user on the endpoint has a
  weak or blank password or if the user has an account with
  administrator privileges, which can present more of a risk
  to network security.
• System tray icon enhancements on Agent: As before, if Host
  Integrity is the only module enabled, administrators can display
  the Host Integrity system tray icon menu on the Agent. The
  system tray icon now contains a new menu item, Check HI, so that
  users can check Host Integrity again if the first check fails.
  The system tray icon also shows the status of the check when
  it is pending, fails, or passes.
• Remediation for Host Integrity Only: In 2.5, if the first Host
  Integrity check failed, the Host Integrity module exited
  after displaying the failure URL, and users had to download
  Symantec On-Demand again after remediation. In 2.6, if Host
  Integrity is the only module being used and polling is enabled,
  Host Integrity will install a tray icon even if the first check
  fails. After users remediate, they can click the Check
  HI menu item on the Host Integrity tray icon’s popup menu to
  initiate another check.
• New ruleset for antispyware: The Host Integrity module now
  supports the use of an antispyware ruleset, including a
  predefined list of popular antispyware software.
• Reverse Logic for custom file and registry checks: Allows
  administrators to require the absence of specified files
  and registry keys on endpoint machines (in addition
  to the existing functionality of requiring the presence
  of specified files and/or keys).
• GUI reorganization: The Host Integrity Ruleset page now has
  three tabs instead of two. The new Host Integrity tab contains
  the settings that apply to the entire module as opposed to
  individual rules or rulesets.


• Access to Persistent Desktop data without reconnecting to
  web server: (Offline access after the first download.) 
  In this release, the Persistent Desktop has been enhanced to
  allow endpoint users access to Persistent Desktop data offline.
  With the new feature Enable offline access enabled, after the
  Virtual Desktop module is downloaded and launched, a Persistent
  Desktop link is added to the Start menu.  After the Virtual
  Desktop module exits, the link and relevant data files are
  kept on the endpoint system. Users can click this link to
  start the Virtual Desktop module offline. Users can also
  choose to exit the Persistent Desktop and remove all data. 
• Support for Juniper Windows Secure Application Manager
  (WSAM): In previous releases, the Sygate/Juniper integration
  supported only JSAM (Java Secure Application Manager). 
  This release of Symantec On-Demand supports Windows Secure
  Application Manager (WSAM) as well. WSAM is supported by
  both the API and Custom User Interface integrations, and
  works on the Juniper IVE 4.2, 5.0 and 5.1 platforms.

Malicious Code Prevention
• New whitelists for authorized modules and drivers:
  The authorized modules whitelist is used for user mode
  applications and modules for key-loggers and screen scrapers,
  and the authorized drivers whitelist is used for kernel mode
  drivers. Administrators can add, remove or edit items from
  these lists, and save, import and export lists for later use.
• Administrators can now control what actions to take when malware
  is detected:  In previous releases, if the Malicious Code
  Prevention module detected a keylogger or screen scraper
  on an endpoint machine, it displayed a message asking the user to
  specify the desired action. In Symantec On-Demand 2.6,
  administrators can now select among five actions to take if malware is
   o Ask user to take action (Authorized Modules and Authorized Drivers)
   o Allow automatically (Authorized Modules only)
   o Block automatically (Authorized Modules only)
   o Terminate current program automatically (Authorized Modules only)
   o Quit Symantec On-Demand session automatically (Authorized Modules
     and Authorized Drivers)

• Location switching for Mac and Linux: In previous releases,
  the Adaptive Policies module supported location switching on
  Windows platforms only. Location switching is now supported
  for Red Hat Linux and Mac OS X as well.
• Location switching based on URL: Administrators can now enter
  a URL as a criterion for location switching.  If the
  On-Demand launch URL contains the URL specified, then
  the location switching passes; otherwise it will fail.

• Cache Cleaner ALL option now supports the cleaning of
  more types of data previously supported by session-based
  cleaning only. In previous releases, if administrators specified ALL  
  in the History Cleanup section, the Cache Cleaner cleaned history
  items from the browser only. In 2.6, the History cleanup
  settings are now called Cache cleanup settings, and when
  configured to clean All, the Cache Cleaner module will clean data of
  all of the types supported by session cleaning.
• The Cache Cleaner can now clean the history of the AOL
  toolbar for Internet Explorer, and the Yahoo toolbar for Firefox  
  (both ALL and Session). The Cache Cleaner also now blocks indexing by
  Google Desktop Search during the Cache Cleaner session,
  but cannot remove all indexes at the end of the Cache Cleaner session.


• Administrators can now determine what to do if a previously
  downloaded Symantec On-Demand module is still running: In  
  previous releases, the download applet either launched a
  second version of the module or displayed an error message
  based on whether the Agent was customized for a particular
  partner version of Symantec On-Demand. In 2.6, this behavior
  can be specified by administrators via the user interface.
• The Java download module now displays a progress bar on its
  HTML page to show the current download percentage.  In previous
  releases, no indication of download status was provided.

Clean Logs on Endpoint Machines
• Specify Cleaning of Logs via Symantec On-Demand Manager
  user interface: In previous versions, administrators could specify
  whether to clean all Symantec On-Demand log files from endpoint
  machines only by editing setup.xml This option can now be selected
  in the Symantec On-Demand Manager user interface.

*Known Bugs/Issues*

(Bug # 16667) Host Integrity: When Virtual Desktop and Cache Cleaner
are not downloaded, some files related to the Host Integrity module
are not deleted.

(Bug # 100440) Host Integrity: With the new Remediation URL,
the Host Integrity module can dynamically generate a formatted
string that describes the reason for the failure, which can
be interpreted on the Web server to route users to the appropriate
remediation content.  If you specify a large enough
number of rules so that the string exceeds 2047 characters,
the Firefox browser will fail.  Other browsers may also have
difficulty handling extremely long URLs.

(Bug # 17344) Virtual Desktop: When you disable saving to network drive,
you cannot map a network drive in the Virtual Desktop. The problem only
occurs in windows NT, and occurs in both user and admin modes.  

(Bug # 100181) If you have an older version of Sun JRE (i.e version 1.3.1)
installed on Windows 2003/Win2k/XP server (which is not supported)
and if you try to install Symantec On-Demand, a pop-up message will
display asking you to install a supported version of JRE. If you
click "Yes", it will install Sun JRE 1.4.2_04 and then continue to
install the On-Demand Manager. But, if you remove the old JRE 1.3.1
from the system prior to launching the On-Demand Manager, the Manager
will not launch and an error message will display.

(Bug # 100660) Malicious Code Prevention: MSN 5.0 is detected as
malware in NT4.0 but not in XP.

(Bug # 100711: Host Integrity: Using the Opera 8.5 browser, changes
made to Host Integrity rules might not be detected right away.  This
is because Opera 8.5 looks first to its cache to find setup.xml, and
the cached version may not be the most recent.  Cleaning the browser
history will solve the problem in the short term, and in the longer
term the problem is solved by Opera 8.5's cache time limits.

(Bug # 100748) Virtual Desktop: If you attempt to launch Windows
Update from within the Virtual Desktop, you will receive an error
and WindowsUpdate will fail.

(Bug # 100810) Virtual Desktop: Some Windows hotkeys do not work
from withinthe Virtual Desktop. The following hotkeys are known
to be affected:
-- win + F1
-- win + tab
-- win + ctrl + f
-- win + shift + m
-- win + break
-- win + L
-- win + d
-- win + r

(Bug # 100811) Cache Cleaner: in Windows 98, the Session cleanup
setting does not clean all session history when using Netscape
8 or firefox 1.0.6.

(Bug # 12942) On-Demand Agent: the Agent loads slowly if
you are using a dial-up modem. The following times are
typical when using a 57.6Kbps modem with the IE browser:

1. Install HI: about 60 seconds
2. Install CC: about 60 seconds
3. Install VD: about 95 seconds
4. Install VD, CC, MC: about about 120 seconds
5. All modules (HI, CD, VD, AP, CC, MC): about 180 seconds

(Bug #100881) Cache Cleaner: Using Firefox 1.5 with "Close all other
browser instances" enabled, the Cache Cleaner will exit automatically.
The workaround is to disable this feature when you are using
Firefox 1.5.

(Bug #100880) Cache Cleaner: The Cache Cleaner occasionally
erases all typed URLs even if you select "Session" instead of
"all" for the IE browser.

(Bug #100878) Cache Cleaner: Using Firefox 1.5, the browser
history and URLs are removed even when you disable the Cache
Cleaner using the system tray icon.

(Bug #100877) Adaptive Locations: Occasionally, when you are
using older, slower hardware, a new location will not be
successfully added into setup.xml using the On-Demand Manager.
The workaround: delete this newlocation and create another one.

(Bug #100874) Virtual Dekstop Whitelists: An entry with a comma
in its path will be divided into two entries when being loaded
from a file. This is because the file format (CSV) used to load
these entries uses the comma as its delimiter.

(Bug #100873) Cache Cleaner: the Cache Cleaner module sometimes
quits automatically when using Firefox 1.5 on Windows XP.

(Bug #100871) Cache Cleaner: In both Internet Explorer and
Firefox 1.5,the Cache Cleaner module sometimes only works
the first time it is installed on a Windows NT machine.

(Bug #100865) Connection Control: When you add a new domain for
the first time and then use the Edit button to edit it, you cannot
close the Edit window. This happens only in the "Priority
allow" and the "Allow" sections. The workaround is to add another

(bug #100853) Connection Control: If you enter a number in the
first or last part of the area to enter IP addresses,
the comma-separated list in the multi-IP box cannot be used. 
You must close out and get a fresh dialog via the "Add" button
to use the comma-separated multi-IP entry box.

1. SOM->Locations->Office->VD->CCN.
2. Add IP "" and "" to block IP list.
3. Edit "".
4. Empty the editbox for Start IP.
5. Type "" into the editbox for multiple IP at the
   bottom of the dialog box.
6. OK. A message saying "Invalid entry" is displayed.

(Bug # 100876) Cache Cleaner: On the Mac operating systems,
the Cache Cleaner module will always clean the session
password regardless of whether the ‘session’ or ‘all’
option is selected.

(Bug # 100870) Virtual Desktop: On Windows NT 4.0,if
you have no “psapi.dll” installed, the Virtual Desktop
does not function correctly.

(Bug # 100808) Host Integrity: Non-English versions of McAfee
VirusScan 7.1 and 8.0 may fail Host Integrity checks in languages
other than English or French.

*Known Fixes*

(Bug # 1188) Windows 98 using JVM will now always redirect
the browser to the Success URL.

(Bug # 16061) Cache Cleaner: If you select "Session" as the
Cache Cleaning setting, the Cache Cleaner doesn't clean the
typed URL using Opera 7.2 & 7.5.

(Bug # 16061) Cache Cleaner: If you select "Session" as the
Cache Cleaning setting, the Cache Cleaner doesn't clean the
typed URL using Opera 7.2 & 7.5.

(Bug # 16343) Cache Cleaner: Cache Cleaner intermittently
doesn't clean browser history when History Cleanup Settings
is set to ALL using Internet Explorer.

(Bug # 100570) Cache Cleaner will crash when entering a
location that enables the Host Integrity and Cache Cleaner
modules and runs Host Integrity only once.

(Bug # 16925) Agents will pass Host Integrity if you have
multiple Service Pack rules even if the endpoint machine does
not have the have the service packs installed.

(Bug # 16992) SSL VPN popups fail to appear even when popup
blocking is disabled.

(Bug # 100261) Virtual Desktop will crash if you enter too many
characters in the descriptions of the Favorites.

(Bug # 100323) Host Integrity cannot be launched if the paths
of any of the file custom rules are longer than 600 characters.

(Bug # 100336) The On-Demand Manager cannot route users to the
correct DNS Server if DNS is configured manually, but it is
correct when the IP Address assigned by a DHCP Server.

(Bug # 100449) Host Integrity: module fails when checking
the file version in a Custom rule.

(Bug # 100451) Host Integrity: If you enable the "Disable
the failure popup message box” feature, the "Remediation" URL
will display even if you have not selected that option.

(Bug # 100506) Virtual Desktop is not removing all saved
usernames and passwords.

(Bug # 100555) Adaptive Policies:  if you duplicate a
location and then close the On-Demand Manager, the On-Demand Manager
will not open again.

(Bug # 100572) Host Integrity: At the end of the
inactivity period, the Host Integrity module doesn't exit.

(Bug # 100576) Host Integrity: Failure URL fail to
launch when using Host Integrity as a standalone module.

(Bug # 100577) Host Integrity: Disabling antispyware
checking causes exception.

(Bug # 100649) Symantec On-Demand fails to hook into
imapi.exe and msiexec.exe

(Bug # 100655) Virtual Desktop: The tray icon will
disappear after switching to the normal desktop if you click "exit"
before typing password and switching to Virtual Desktop.

(Bug # 100656) Applet cannot be downloaded in NT
system using Firefox1.0.6 and Netscape 7.2.

(Bug # 100685) The "Powered-Keylogger" can record
keystrokes entered from the Virtual Desktop.

(Bug # 100720) The Juniper API Integration method
doesn't support IVE 5.1R4.

(Bug # 100763) Able to modify system ETC Host file
within the Virtual Desktop.

5. Documentation Online Help

Refer to the following links for updates of the 2.6 online help system:

Symantec On-Demand Manager Online help

Refer to the following links for updates of the 2.6 documentation formatted in PDF:

Symantec On-Demand Frequently Asked Questions

Symantec On-Demand QuickStart Guide

Symantec On-Demand Manager Administration Guide
           If you are using a partner build, please contact Enterprise Support at the
           email address or telephone number in the following section.

6. Contact Information

Symantec Corporation provides a wide variety of service and
Support programs. Contact Enterprise Support through its web site,
by email, or by telephone.

Web site:     
Email address:
Toll free number:       (877) TECH-800 (832-4800)
Int'l Toll free number: +0 800 8324-8000

Legacy ID


Article URL

Terms of use for this information are found in Legal Notices