The Story So Far....
This is the fourth in an informal series of articles intended to help admins make the best use of Symantec AntiVirus for Linux (SAV for Linux, or SAVFL), keeping those boxes protected from today's many emerging threats without killing the CPU or the network bandwidth.
- SAV for Linux Scanning Best Practices: A (Somewhat) Illustrated Guide covers the importance of auto-protect scanning, necessary scan exclusions and how to test them
- SAV for Linux: A (Somewhat) Illustrated Guide Part 2 provides examples of the various different ways in which SAVFL can be configured (by command line, by GRC.DAT and by xsymcfg).
- SAV for Linux: A (Somewhat) Illustrated Guide Part 3 focuses on how to keep SAV for Linux up to date.
By popular demand, this new installment will focus on how to get some data and events from those isolated, unmanaged SAVFL clients into the Symantec AV's central management and reporting tool, the Symantec Endpoint Protection Manager (SEPM). This is possible through an optional tool called SAVFL Reporter.
A Reporter? Like Clark Kent?
SAVFL Reporter is an optional component that can forward certain system events and data to another computer, so that the information from the Linux machine will be displayed in the SEPM's reports. It's not anything to do with a newspaper reporter.
(If you wish to press for an analogy even weirder than when I compared LiveUpdate Administrator 2.x to a refrigerator, then think of SAVFL as Peter Parker rather than a Clark Kent.... )
| Full SEP Client | SAVFL with SAVFL Reporter |
|---|---|
| All-powerful (many protection technologies) | Mighty, but limited (AntiVirus only) |
| Staff member (appears in SEPM's list of official, managed clients) | Freelance (intentionally unmanaged; does not appear in SEPM list of clients) |
| Reporter (lots of information, the full story) | Photographer (can provide a picture/some information) |
So: SAVFL with SAVFL Reporter is not the same as a managed SEP for Linux client.
Installing SAVFL and SAVFL Reporter will not cause the Linux machines to be displayed on the SEPM's Clients tab. You will not be able to roll out policies to the Linux clients from the SEPM, or to install the SAVFL client on unmanaged Linux boxes remotely. All those limitations are by design: SAVFL was originally written to be a stand-alone, unmanaged program. Peter Parker (to pay one last visit to our analogy) is really just a kid under that superhero suit. In due course he will grow and mature. Please vote on the following proposed enhancement request to express your support for that day.
Managed SEP client for Linux
OK, Close the Comic Books. What Data does SAVFL Reporter Document?
The following data will be forwarded to the Symantec Endpoint Protection Manager:
- Inventory (Computer Status) logs, which include Parent Server Name, Server Group Name, Client Name, Client Group, Product Version, ScanEngine Version, Last Check-in Time, User Name, Virus Definition Date, Virus Definition Sequence, Virus Definition Revision, Virus Definition Version, IsInfected, IP Address, Running Status, AutoProtect On/Off, TimeZone.
- Scan logs, which are generated by SAV for Linux as logging events.
- Virus (Risk) logs, which are generated by SAV for Linux as logging events.
Here's an example of how this Linux machine info appears in the SEPM's logs:
Using various filters, it is possible to generate a list of all the Linux machines that are configured to report in to this SEPM, view their definition dates (as illustrated above), see when they were last scanned, what threats were found, and so on.
It's also possible to configure notifications which can be triggered by the incoming SAVFL Reporter data. So if there's an outbreak on your Linux file server, the admin's smartphone can get an "Alert!!" email from the SEPM, enabling her to grab her cape, spring into action and save the day.
Here's a configuration of a Single Risk Event that will act upon events from a SAVFL client.....
Enough Comic Book References, OK?
Sorry about that. I like superheroes.
Here's an example "Single Risk Event" notification that I generated. Note that it's letting me know about an infected file quarantined on an Ubuntu machine.
Looks Good. I'm Not Seeing Anything Here, Though.
SAVFL Reporter is not automatically installed when SAVFL is installed. It's a separate, optional tool on the install CD/.iso.
How to get SAVFL Reporter Working?
Make sure that your SAVFL version is MR10 or above, and that Perl is installed on the Linux machine. Then just follow the documents to install and configure it on each Linux box. Here are the official details:
Symantec AntiVirus for Linux (SAVFL) Reporter 1.0.10 Release Notes
Article URL http://www.symantec.com/docs/DOC3474
Once installed, configure the SEPM details, frequency, and so forth in the /etc/reporterd.ini configuration file.
One important point: the SEPM needs to be configured to accept these legacy logs. This only needs to be done once:
How to enable the 12.1 Symantec Endpoint Protection Manager (SEPM) to receive logging from legacy clients.
Article URL http://www.symantec.com/docs/TECH157463
Symantec Antivirus for Linux (SAVFL) with SAVFL Reporter is not able to upload the logs to the Symantec Endpoint Protection Manager (SEPM).
Article URL http://www.symantec.com/docs/TECH164020
Run a few EICAR test files on the Linux box once you have it set up! A search of your SEPM's Risk report should show the detections a few minutes later. Quickly reacting to attempted infections on your non-Windows servers can soon make you the hero of your corporate IT department.
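Here is a small script for that last step, added to this article as an example (it is not part of the original post or of Symantec's tools). It drops a few distinctly named EICAR test files on the SAVFL host so that each produces its own Risk event, waits for Auto-Protect, and reports how many were quarantined or deleted; the directory, count and wait time are my assumptions and can be overridden on the command line.

```shell
#!/bin/sh
# Added example, not from the original article or from Symantec: drop a few
# EICAR test files on a SAVFL host so that the Reporter has some Risk events
# to forward, then report which files Auto-Protect has already dealt with.
# Assumptions (mine): the directory is not on SAVFL's scan-exclusion list,
# and Auto-Protect is configured to quarantine or delete what it finds.

# The standard 68-byte EICAR test string. It is split across two arguments
# so that this script does not itself contain the full signature on disk.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTI' 'VIRUS-TEST-FILE!$H+H*'
}

# Write COUNT EICAR files into DIR with distinct names (so each one produces
# its own Risk event in the SEPM). Prints the file names, one per line.
eicar_write_files() {
    dir="$1"; count="$2"; stamp=$(date +%Y%m%d%H%M%S)
    mkdir -p "$dir"
    i=1
    while [ "$i" -le "$count" ]; do
        f="$dir/eicar-test-$stamp-$i.com"
        eicar_string > "$f"
        echo "$f"
        i=$((i + 1))
    done
}

# Count how many of the files named on stdin still exist on disk.
# Files that have vanished were quarantined or deleted by Auto-Protect.
eicar_count_remaining() {
    n=0
    while IFS= read -r f; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage: sh eicar-check.sh run [DIR] [COUNT] [WAIT_SECS]
# Without the "run" argument only the functions are defined (file can be sourced).
if [ "${1:-}" = "run" ]; then
    dir="${2:-/tmp/savfl-reporter-test}"; count="${3:-3}"; wait="${4:-30}"
    files=$(eicar_write_files "$dir" "$count")
    echo "Wrote $count EICAR test files; waiting ${wait}s for Auto-Protect..."
    sleep "$wait"
    left=$(printf '%s\n' "$files" | eicar_count_remaining)
    echo "$((count - left)) of $count test files were quarantined/deleted."
    echo "Search the SEPM Risk log for 'eicar-test-' to confirm the Reporter forwarded them."
    [ "$left" -eq 0 ]
fi
```

If files are still present after the wait, check the scan exclusions from Part 1 before blaming the Reporter: an excluded directory never generates an event for it to forward.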
Many thanks for reading! Please do add comments and feedback below.