SAV for Linux: A (Somewhat) Illustrated Guide Part 2
Linux is Growing Ever More Popular
Over the past twenty years, the Linux OS has secured a foothold in the market. Now its popularity is growing faster than ever before. Estimates indicate that five percent of all computers are running some distro of Linux, including more than 90% of today's most powerful supercomputers.
The number of questions about Symantec AntiVirus for Linux (the current protection client for Linux which ships with Symantec Endpoint Protection) keeps growing, too. So, following on SAV for Linux Scanning Best Practices: A (Somewhat) Illustrated Guide, here is a second article in the series which describes the various ways to configure your SAVFL client.
Choices, choices, choices....
SAV for Linux uses a local configuration database to store configuration data for the product. This is a binary file rather than text-based, so changing settings is not as easy as editing an .ini or .cfg file, and there's really no setting that can be changed through the savtray GUI. Other tools are necessary.
SAVFL can be configured from the command line, by dropping on a GRC.DAT file, or by changing settings using an unsupported tool called xsymcfg.
Be extremely careful when performing any manual configuration: invalid entries or typos may cause SAVFL to stop functioning correctly, potentially resulting in the infection of a key Linux server!
The Symantec AntiVirus for Linux Implementation Guide has an extensive section on "Using the sav CLI to interact with Symantec AntiVirus".
You can use the sav CLI to perform the following tasks:
- enable and disable Auto-Protect
- start and schedule LiveUpdates and view the current LiveUpdate schedule
- start and stop manual scans
- create, delete, enable, and disable scheduled scans
- view a list of scheduled scans and detailed information about each scan
- display items and act on items in the local Quarantine
- roll back to a previous version of virus and security risk definitions
- use the latest version of local virus and security risk definitions
- display general product information
There is a symcfg command line tool which can change the settings of SAVFL: symcfg can be used to display, create, remove, and change the value of data that is stored in the product's settings database.
For example, suppose you want to check which settings are present for the scheduled LiveUpdate task. Using sudo, from the /opt/Symantec/symantec_antivirus directory, run the command:
./symcfg -r list -k 'Symantec Endpoint Protection\AV\PatternManager'
The results are displayed on screen. These can also be piped out to a text file if needed.
To disable the scheduled LiveUpdate, change the Enabled value from 1 to 0:
./symcfg add -k '\Symantec Endpoint Protection\AV\PatternManager\Schedule' -v Enabled -t REG_DWORD -d 0
To re-enable it, set the value back to 1:
./symcfg add -k '\Symantec Endpoint Protection\AV\PatternManager\Schedule' -v Enabled -t REG_DWORD -d 1
Be very careful when adding or deleting anything via symcfg! Values will be overwritten or removed without any "Are you sure?" prompt.
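Because symcfg overwrites silently, a small wrapper that snapshots the key with "symcfg -r list" before every "add" and rejects malformed REG_DWORD data gives you something to revert to. This is an added example, not part of the article or the product; the SYMCFG, SNAPSHOT_DIR and DRY_RUN variables are assumptions (DRY_RUN=1 only prints the command instead of running it).

```shell
#!/bin/sh
# Safer wrapper around symcfg: snapshot the key before an "add" overwrites it
# and validate the arguments, since symcfg itself never asks "Are you sure?".
# Assumptions (not from the article): SYMCFG, SNAPSHOT_DIR and DRY_RUN are
# overridable; DRY_RUN=1 prints the command instead of executing it.
SYMCFG=${SYMCFG:-/opt/Symantec/symantec_antivirus/symcfg}
SNAPSHOT_DIR=${SNAPSHOT_DIR:-/var/tmp/symcfg-snapshots}
DRY_RUN=${DRY_RUN:-0}

# Key and value name must be non-empty; REG_DWORD data must be a non-negative integer.
validate_dword_args() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    case $3 in ''|*[!0-9]*) return 1 ;; esac
}

# Save the current contents of the key (recursively) to a timestamped file
# so the change can be reverted by hand; prints the snapshot path.
snapshot_key() {
    key=$1
    mkdir -p "$SNAPSHOT_DIR" || return 1
    out="$SNAPSHOT_DIR/$(date +%Y%m%d-%H%M%S).txt"
    if [ "$DRY_RUN" = 1 ]; then
        printf 'dry-run: no symcfg output captured for %s\n' "$key" > "$out"
    else
        "$SYMCFG" -r list -k "$key" > "$out" || return 1
    fi
    printf '%s\n' "$out"
}

# Write a REG_DWORD value, taking a snapshot first. Usage: set_dword KEY VALUE DATA
set_dword() {
    key=$1; value=$2; data=$3
    validate_dword_args "$key" "$value" "$data" || { echo "invalid arguments" >&2; return 1; }
    snapshot_key "$key" >/dev/null || return 1
    if [ "$DRY_RUN" = 1 ]; then
        printf "dry-run: %s add -k '%s' -v %s -t REG_DWORD -d %s\n" "$SYMCFG" "$key" "$value" "$data"
    else
        "$SYMCFG" add -k "$key" -v "$value" -t REG_DWORD -d "$data"
    fi
}

# Example from the article: disable the scheduled LiveUpdate (re-enable with data 1).
# set_dword '\Symantec Endpoint Protection\AV\PatternManager\Schedule' Enabled 0
```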
Back in the SAV 10.1 days, there was a file called GRC.DAT which served roughly as the equivalent of the sylink.xml file in today's SEP 11 and SEP 12.1. This file could be copied from the correct Windows or NetWare SAV server and dropped onto Windows SAV clients, and the various settings would be set or restored. This same technology was built into SAV for Linux: instead of being copied from the SAV server, though, the GRC.DAT files are built using a ConfigEd.exe tool on a Windows machine.
Here is an overview of how the process works:
How to configure Symantec AntiVirus for Linux using a GRC.DAT file
Article URL http://www.symantec.com/docs/TECH93386
... and here is a proposed enhancement request for an updated ConfigEd tool. The existing tool offers only partial functionality unless it is installed on a Windows-based SAV machine.
Update Configuration Editor (ConfigEd) Tool for SAVFL
Once a GRC.DAT file is ready, it is copied into the /var/symantec directory. Be sure that ownership and permissions on the file are not restrictive! A valid GRC.DAT will be processed automatically after a few minutes, or it can be processed immediately if a command is run:
sudo /opt/Symantec/symantec_antivirus/symcfg add -k 'Symantec Endpoint Protection\AV\ProductControl' -v ProcessGRCNow -d 1 -t REG_DWORD
The GRC.DAT file disappears when it has been successfully read and inserted into the SAVFL client's configuration database.
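The three steps above (stage the file with readable permissions, trigger ProcessGRCNow, wait for the file to vanish) are scripted below so an admin can see whether the client actually consumed the file. This is an added example, not the article's or Symantec's code; GRC_DIR, SYMCFG and DRY_RUN are assumed overridable, and 0644 is assumed to count as "not restrictive".

```shell
#!/bin/sh
# Stage a GRC.DAT for SAVFL, trigger immediate processing, and wait for it to be consumed.
# Assumptions (not from the article): GRC_DIR/SYMCFG are overridable, DRY_RUN=1 skips
# the real symcfg call, and mode 0644 is a "not restrictive" permission set.
GRC_DIR=${GRC_DIR:-/var/symantec}
SYMCFG=${SYMCFG:-/opt/Symantec/symantec_antivirus/symcfg}
DRY_RUN=${DRY_RUN:-0}

# Copy the file into the pickup directory and make sure SAVFL can read it.
stage_grc() {
    src=$1
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    cp "$src" "$GRC_DIR/GRC.DAT" && chmod 0644 "$GRC_DIR/GRC.DAT" || return 1
    # Show the resulting owner and mode so the admin can confirm them.
    ls -l "$GRC_DIR/GRC.DAT"
}

# Ask SAVFL to process the staged file now (key and value are the ones from the article).
trigger_grc() {
    key='Symantec Endpoint Protection\AV\ProductControl'
    if [ "$DRY_RUN" = 1 ]; then
        printf "dry-run: %s add -k '%s' -v ProcessGRCNow -d 1 -t REG_DWORD\n" "$SYMCFG" "$key"
    else
        "$SYMCFG" add -k "$key" -v ProcessGRCNow -d 1 -t REG_DWORD
    fi
}

# Success is signalled by the file disappearing; poll for it with a timeout in seconds.
wait_for_grc_processed() {
    timeout=${1:-300}; waited=0
    while [ -e "$GRC_DIR/GRC.DAT" ]; do
        [ "$waited" -lt "$timeout" ] || { echo "GRC.DAT still present after ${timeout}s" >&2; return 1; }
        sleep 1; waited=$((waited + 1))
    done
    echo "GRC.DAT consumed after ${waited}s"
}

# Usage: deploy_grc /path/to/GRC.DAT [timeout-seconds]
deploy_grc() {
    stage_grc "$1" && trigger_grc && wait_for_grc_processed "${2:-300}"
}
```

If the timeout expires, the file was not accepted; check its ownership and permissions before re-trying.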
The unsupported xsymcfg tool is located in the /opt/Symantec/symantec_antivirus/unsupported directory. Just in case this article has not been clear, this tool is handy but it is unsupported. Use it at your own risk, because Technical Support will not be able to help reverse any damage done if xsymcfg is used incorrectly. The only option will be to uninstall SAVFL and re-install it using the default settings.
Here is what xsymcfg looks like:
In brief, it operates just like the Registry on a Windows computer. Using this graphical tool to change key values will alter the way that SAVFL behaves.
For example, from the Symantec AntiVirus for Linux Implementation Guide:
By default, the maximum number of items that can be added to a manual scan that is generated from the command line interface is 100. You can use symcfg to change the DWORD value VirusProtect6\MaxInput to increase this limit. To remove the limit entirely, you must set it to 0.
To change that value, expand HKEY_CURRENT_USER, then Symantec Endpoint Protection, then AV in xsymcfg. Right-click on MaxInput and choose Modify. Change the value to 0 and click OK.
Many thanks for reading! Please do add comments and feedback below.
Linux admins may wish to cast their support for these proposed enhancement requests:
Managed SEP client for Linux
Create a tool to verify the minimum requirements for SAVFL - Sav For Linux
Remote Deployment Tool for SAVFL