
SAV for Linux: A (Somewhat) Illustrated Guide Part 2

Created: 28 Dec 2012 • Updated: 31 Dec 2012 | 15 comments
Mick2009

Linux is Growing Ever More Popular

Over the past twenty years, the Linux OS has secured a foothold in the market.  Now its popularity is growing faster than ever before.  Estimates indicate that five percent of all computers are running some distro of Linux, including more than 90% of today's most powerful supercomputers.  

The number of questions about Symantec AntiVirus for Linux (the current protection client for Linux which ships with Symantec Endpoint Protection) keeps growing, too.  So, following on SAV for Linux Scanning Best Practices: A (Somewhat) Illustrated Guide, here is a second article in the series which describes the various ways to configure your SAVFL client.

 

Choices, choices, choices....

SAV for Linux stores its configuration in a local settings database.  This is a binary file rather than a text file, so settings cannot simply be edited the way an .ini or .cfg file can, and essentially no setting can be changed through the savtray GUI.  Other tools are necessary.

SAVFL can be configured from the command line, by dropping a GRC.DAT file into place, or by changing settings with an unsupported graphical tool called xsymcfg.

Be extremely careful when performing any manual configuration: invalid entries or typos may cause SAVFL to stop functioning correctly, potentially resulting in the infection of a key Linux server! 

 

Command Line

The Symantec AntiVirus for Linux Implementation Guide has an extensive section on "Using the sav CLI to interact with Symantec AntiVirus".

You can use the sav CLI to perform the following tasks:

  • enable and disable Auto-Protect
  • start and schedule LiveUpdates and view the current LiveUpdate schedule
  • start and stop manual scans
  • create, delete, enable, and disable scheduled scans
  • view a list of scheduled scans and detailed information about each scan
  • display items and act on items in the local Quarantine
  • roll back to a previous version of virus and security risk definitions
  • use the latest version of local virus and security risk definitions
  • display general product information

Settings themselves are changed with a separate command line tool, symcfg.  It can display, create, remove, and change the value of data stored in the product's settings database.

For example: suppose it is desired to check what settings are present regarding the scheduled LiveUpdate task.  Using sudo, from the /opt/Symantec/symantec_antivirus directory, use the command ./symcfg -r list -k 'Symantec Endpoint Protection\AV\PatternManager'

The results are displayed on screen.  They can also be redirected to a text file if a record is needed.

 

To disable the scheduled LiveUpdate, change the Enabled value under the Schedule key from 1 to 0:

./symcfg add -k '\Symantec Endpoint Protection\AV\PatternManager\Schedule' -v Enabled -t REG_DWORD -d 0

Re-enable it:
 
./symcfg add -k '\Symantec Endpoint Protection\AV\PatternManager\Schedule' -v Enabled -t REG_DWORD -d 1

 

Be very careful when adding or deleting anything via symcfg!  Values will be overwritten or removed without any "Are you sure?" prompt.
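As an added example (not from the original article or from Symantec), here is a small POSIX shell wrapper that puts the caveat above into practice: it lists the current values under the Schedule key, prints the exact symcfg command it is about to run, asks for confirmation, refuses anything other than 0 or 1 for Enabled, and lists the key again afterwards so the change can be verified.  The install path, the key and the -r/list/add flags are the ones shown in this article; the script makes no assumption about the format of symcfg's list output.

```shell
#!/bin/sh
# Added example, not from the original article: a guarded wrapper around
# SAVFL's symcfg for the scheduled-LiveUpdate "Enabled" value. symcfg itself
# writes without any confirmation, so the prompt and the before/after
# listing are done here.

SAV_DIR="${SAV_DIR:-/opt/Symantec/symantec_antivirus}"   # default install path
SYMCFG="${SYMCFG:-$SAV_DIR/symcfg}"
SCHED_KEY='\Symantec Endpoint Protection\AV\PatternManager\Schedule'

# Only 0 (disabled) and 1 (enabled) are meaningful for Enabled; anything else
# is most likely a typo and must never reach the settings database.
validate_enabled() {
  case "$1" in
    0|1) return 0 ;;
    *)   return 1 ;;
  esac
}

# Render the exact command line that will be executed, so the operator sees
# the key, value name, type and data before anything is written.
# $1 = key, $2 = value name, $3 = DWORD data
build_set_dword() {
  printf "%s add -k '%s' -v %s -t REG_DWORD -d %s" "$SYMCFG" "$1" "$2" "$3"
}

# Enable (1) or disable (0) the scheduled LiveUpdate, with confirmation.
set_liveupdate_schedule() {
  if ! validate_enabled "$1"; then
    printf "refusing: Enabled must be 0 or 1, got '%s'\n" "$1" >&2
    return 2
  fi
  printf 'Current settings under %s:\n' "$SCHED_KEY"
  "$SYMCFG" -r list -k "$SCHED_KEY" || return 3
  printf '\nAbout to run: %s\n' "$(build_set_dword "$SCHED_KEY" Enabled "$1")"
  printf 'Proceed? [y/N] '
  read -r answer
  case "$answer" in
    y|Y) ;;
    *)   printf 'aborted, nothing changed\n'; return 1 ;;
  esac
  "$SYMCFG" add -k "$SCHED_KEY" -v Enabled -t REG_DWORD -d "$1" || return 3
  printf 'Settings after the change:\n'
  "$SYMCFG" -r list -k "$SCHED_KEY"
}

# Usage: sudo ./savfl-liveupdate.sh 0   (disable)    sudo ./savfl-liveupdate.sh 1   (enable)
case "${1:-}" in
  "") ;;                                  # no argument: only define the functions
  *)  set_liveupdate_schedule "$1" ;;
esac
```

Running it with no argument does nothing, so it can also be sourced and the functions reused from other scripts.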

 

GRC.DAT

Back in the SAV 10.1 days, there was a file called GRC.DAT which served roughly as the equivalent of the sylink.xml file in today's SEP 11 and SEP 12.1.  This file could be copied from the correct Windows or NetWare SAV server and dropped onto Windows SAV clients, and the various settings would be set or restored.  The same mechanism was built into SAV for Linux: instead of being copied from the SAV server, though, the GRC.DAT files are built using the ConfigEd.exe tool on a Windows machine.

Here is an overview of how the process works:  

How to configure Symantec AntiVirus for Linux using a GRC.DAT file
Article URL http://www.symantec.com/docs/TECH93386 
 

... and here is a proposed enhancement request for an updated ConfigEd tool.  The existing tool offers only partial functionality unless it is installed on a Windows-based SAV machine.

Update Configuration Editor (ConfigEd) Tool for SAVFL
https://www-secure.symantec.com/connect/ideas/update-configuration-editor-configed-tool-savfl

Once a GRC.DAT file is ready, it is copied into the /var/symantec directory.  Be sure that ownership and permissions on the file are not restrictive, so that the SAVFL processes can read it!  A valid GRC.DAT will be processed automatically after a few minutes, or it can be processed immediately by running this command:

sudo /opt/Symantec/symantec_antivirus/symcfg add -k 'Symantec Endpoint Protection\AV\ProductControl' -v ProcessGRCNow -d 1 -t REG_DWORD

The GRC.DAT file disappears when it has been successfully read and inserted into the SAVFL client's configuration database.
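As an added example (not Symantec's code and not from the original article), the following POSIX shell script automates the steps above: it sanity-checks the prepared GRC.DAT, copies it into /var/symantec, gives it non-restrictive permissions (the article does not state the exact requirement; 0644 owned by root:root is an assumption here), triggers ProcessGRCNow with the symcfg command shown above, and then polls until the file disappears.  A file that is still present after the timeout is reported as not accepted rather than silently assumed to have worked.  Paths and the timeout are parameters.

```shell
#!/bin/sh
# Added example, not from the original article: push a ConfigEd-built GRC.DAT
# to a SAVFL client, ask for immediate processing, and confirm it was consumed.
# Assumption: 0644 root:root is "not restrictive" enough for SAVFL to read the
# file; the article does not state the exact requirement.

SAV_DIR="${SAV_DIR:-/opt/Symantec/symantec_antivirus}"
SYMCFG="${SYMCFG:-$SAV_DIR/symcfg}"
GRC_DIR="${GRC_DIR:-/var/symantec}"
PRODUCT_KEY='Symantec Endpoint Protection\AV\ProductControl'

# Sanity check on the source before it goes anywhere near the settings
# database: it must exist, be a regular file and not be empty.
check_grc_source() {
  [ -f "$1" ] && [ -s "$1" ]
}

# Poll until the file at $1 is gone or $2 seconds have elapsed.
# Returns 0 if consumed, 1 on timeout. SAVFL removes GRC.DAT once it has
# been read into the configuration database, so "gone" means "applied".
wait_for_consumed() {
  path=$1
  deadline=$2
  elapsed=0
  while [ -e "$path" ]; do
    if [ "$elapsed" -ge "$deadline" ]; then
      return 1
    fi
    sleep 1
    elapsed=$((elapsed + 1))
  done
  return 0
}

# $1 = path to the prepared GRC.DAT, $2 = seconds to wait (default 120)
deploy_grc() {
  src=$1
  timeout=${2:-120}
  dest="$GRC_DIR/GRC.DAT"
  if ! check_grc_source "$src"; then
    printf 'refusing: %s is missing, not a regular file, or empty\n' "$src" >&2
    return 2
  fi
  cp "$src" "$dest" || return 3
  chown root:root "$dest" || return 3        # assumed adequate ownership
  chmod 0644 "$dest" || return 3             # assumed "not restrictive"
  # Same command the article gives for processing the file right away.
  "$SYMCFG" add -k "$PRODUCT_KEY" -v ProcessGRCNow -d 1 -t REG_DWORD || return 3
  if wait_for_consumed "$dest" "$timeout"; then
    printf 'GRC.DAT consumed; settings applied\n'
    return 0
  fi
  printf 'GRC.DAT still present after %ss: not accepted, check the file\n' "$timeout" >&2
  return 4
}

# Usage: sudo ./deploy-grc.sh /path/to/GRC.DAT [timeout_seconds]
case "${1:-}" in
  "") ;;                                  # no argument: only define the functions
  *)  deploy_grc "$1" "${2:-}" ;;
esac
```

The non-zero return codes are distinct (2 bad input, 3 copy/permission/symcfg failure, 4 not consumed) so a deployment script looping over many Linux hosts can tell which step failed.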

 

xsymcfg

The unsupported xsymcfg tool is located in /opt/Symantec/symantec_antivirus/unsupported directory.  Just in case this article has not been clear, this tool is handy but it is unsupported.  Use it at your own risk, because Technical Support will not be able to help reverse any damage done if xsymcfg is used incorrectly.  The only option will be to uninstall SAVFL and re-install it using the default settings. 

Here is what xsymcfg looks like:

 

In brief, it looks and operates much like the Registry Editor on a Windows computer.  Using this graphical tool to change key values will alter the way that SAVFL behaves.

For example, from the Symantec AntiVirus for Linux Implementation Guide:

By default, the maximum number of items that can be added to a manual scan that is generated from the command line interface is 100. You can use symcfg to change the DWORD value VirusProtect6\MaxInput to increase this limit. To remove the limit entirely, you must set it to 0.

To change that value, open HKEY_CURRENT_USER, Symantec Endpoint Protection, AV in xsymcfg.  Right-click on MaxInput and choose Modify.  Change the value to 0 and click OK.

 

Final Notes

Many thanks for reading!  Please do add comments and feedback below.

Linux admins may wish to cast their support for these proposed enhancement requests:

Managed SEP client for Linux
https://www-secure.symantec.com/connect/ideas/managed-sep-client-linux

Create a tool to verify the minimum requirements for SAVFL - Sav For Linux
https://www-secure.symantec.com/connect/ideas/create-tool-verify-minimum-requirements-savfl-sav-linux

Remote Deployment Tool for SAVFL
https://www-secure.symantec.com/connect/ideas/remote-deployment-tool-savfl

 

Comments (15)

.Brian

Nice article on SAVFL (in addition to the first one), Mick. Keep 'em coming!

I've seen some good things on the horizon in regards to managed SAVFL clients. Can't wait!

 

 

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi

Hello,

Awesome Article.. This is an Article which gives great insight into the SAV FL.

Keep such Articles coming..Great one MICK...!!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

MeloSep

Nice one Mick, well done :D

 

Ashish-Sharma

Amazing article..... It would not be bad if everyone called you the SAVFL Guru...........

Thanks In Advance

Ashish Sharma

 

 

Matthias_Jahncke

Quality stuff, as always! Keep them coming Mick!

 

Mick2009

Readers of this article may also be interested in....

SAV for Linux: A (Somewhat) Illustrated Guide Part 3
https://www-secure.symantec.com/connect/articles/sav-linux-somewhat-illustrated-guide-part-3

With thanks and best regards,

Mick

John Santana

Thanks Mick !

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Mick2009

Part 4 is now available...

SAV for Linux: A (Somewhat) Illustrated Guide Part 4: SAVFL Reporter
https://www-secure.symantec.com/connect/articles/sav-linux-somewhat-illustrated-guide-part-4-savfl-reporter

With thanks and best regards,

Mick

Samir Ahmed

Hi Mick ,
 

Thanks for your article.

Skas

Hi Mick,

Your guide is useful like water in a desert.

As is written, ConfigEd can run with all its functionality only on a Windows-based SAV machine: I want to know if ConfigEd can also run on a Windows-based SEPM machine.

I have 1 Windows server with SEPM and the other machines are Linux clients: I really would like to use ConfigEd to edit GRC.DAT instead of using the command line interface.

thanks,
Skas

Mick2009

Hi Skas,

Thanks for the kind words.  One bit of good news: this autumn, there is expected to be a managed SEP for Linux client released with SEP 12.1 RU5.  This will make it far easier to arrange for Linux machines to receive the correct policies uniformly, report their events back to the SEPM, etc.

Looking forward to that!  :)

Mick

With thanks and best regards,

Mick

Skas

Well, this autumn unfortunately is too far off.

I'll need to configure Linux clients next week and I just want to know if a SEP license is enough to run ConfigEd or if I absolutely need a SAV Windows-based licence to edit my GRC.DAT.

Mick2009

Unfortunately, that ConfigEd tool only runs 100% when installed on a computer that also has SAV.

With thanks and best regards,

Mick
