
Configuring SAV for Linux

Created: 29 Oct 2012 • Updated: 31 Oct 2012 | 11 comments

Our initial install of SAVLinux (SEP12) on OES/SLES Linux is scanning all files and as such really bogging down backups.  We do need the real time scanning due to an infestation of ALS.Bursted.B that we are fighting.

ConfigEd.exe is refusing to see our existing Symantec infrastructure (still on 10 until we figure the migration to a new AV server), so the GRC.DAT option is looking dim, and then not finding any samples of that text file that have meaningful content or documentation explaining the keys within it, has killed that option.

./symcfg -r list -k .....   leads me to a couple of promising keys

Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\FileType       0       REG_DWORD
Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\Exts   XLS,DOT,DOC,XLT,HTML,HTT,HTM,VBS,JS,SHS,PPT,MSO,POT,RTF,MDB,JTD,HLP,INF,INI,HTA,MP?,OBD,OBT,PPS,SMM,VSD,VST,XL?,VSS,JSE,VBE,SH,SHB,WSF,WSH,PL,PM,CSH,EXE,COM,BIN,OVL,SYS,DLL,OCX,VXD,BAT,BTM,CSC,PIF,386,CLA,OV?,DRV,SCR,ACM,ACV,ADT,AX,CPL REG_SZ

I am assuming that 'FileType'=0 is 'All Files' and am guessing that =1 would be to use the list in 'Exts'. Can someone confirm this?

I see that the 'Exts' are all in caps; does that mean that SAV will parse them for both cases, or do I have to re-enter them in lower case as well, as this is Linux, which cares about such things, and I am not in a good position to test/gamble right now to be sure.

We really need documentation of the details of at least the more commonly used keys as to what are acceptable values and what gotchas there may be with them. 

I have exhausted SAV_Linux_Impl.pdf & SAV_Linux_Client.pdf that came with the product and it is all I've been able to find so far. This issue is way beyond those two basic documents, as well as being beyond './symcfg -h'.

Andy in Toronto


AndyKonecny wrote:

Also,

- is there a way to ensure that rtvscand does not use the first processor? One of our servers gets nailed to unusable by SAV when the backup (Syncsort) kicks in without maxing CPU. Running on OES2sp3 / SLES10sp4

- how fast do changes made with symcfg actually become effective? i.e. are they real time?

Brɨan wrote:

Your best bet is to open a case with support to get detailed info on this.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

AndyKonecny wrote:

Pete

If you had actually read my post, you would have seen that I've already exhausted the documents you've posted to me. It makes you look like a mindless automation (who typos as bad as I do) or that Symantec doesn't want real answers to be available to their customers.

Interesting that these forums inhibit Firefox's built-in spell check, allowing my typos to get past. At least there is a different spell checker available in this interface.

Mick2009 wrote:

Hi Andy,

Here's an article that may be of interest: it has info on how to create exclusions.

SAV for Linux Scanning Best Practices: A (Somewhat) Illustrated Guide
https://www-secure.symantec.com/connect/articles/sav-linux-scanning-best-practices-somewhat-illustrated-guide

Also, a post from Security Response that may be of interest:

Threats to AutoCAD
https://www-secure.symantec.com/connect/blogs/threats-autocad

Are the Windows machines in your network running SEP 12.1 or SAV 10?  I am not sure I have a complete picture.  If it is SAV 10, then the ConfigEd tool you mention can create a full GRC.dat.  (Run it on a SAV 10 machine.)  If not then the ConfigEd tool will not have access to its full functionality. 

Please do cast a vote for this proposed enhancement request:

Update Configuration Editor (ConfigEd) Tool for SAVFL
https://www-secure.symantec.com/connect/ideas/update-configuration-editor-configed-tool-savfl

Please do keep this thread up-to-date with your progress!

With thanks and best regards,

Mick


AndyKonecny wrote:

Hi Mick

I had already read that not yet illustrated guide, and while it helped in understanding a few things, it didn't have what I was looking for.  I did miss the recommendation of disabling /sys and /proc, so that's the next thing now that I understand how to implement.

The Windows side is still SAV 10, but I don't do the full GRC.dat on any of the systems I could get at; something is clearly a problem there, especially considering I was RDPed in to the SAV server. (Side note, we are looking for a migration tool to take the SAV10 config off of an old Server 2003 and migrate to a new virtualized 2008 and are still coming up blank.)

I have cast my vote, along with what else is needed for these times when ConfigEd tool is not an option.

Monday evening I took a bit of a gamble (with the winds of Sandy howling around) and went with the assumptions of:
- 'FileType' key =1 means use the contents of the 'Exts' key
- that the 'Exts' doesn't care about case (i.e. I don't have to enter in both cases as might otherwise be needed in the Linux world)
- that these changes take effect in less than an hour.

It appears that those assumptions were valid, but that is mainly based on the drop in CPU usage of rtvscand during a backup while the ALS.Bursted.B keeps getting caught (at least that number is dropping as the local guys continue to fix the systems that were affected). It would still be the right thing to have those assumptions publicly validated by Symantec as a part of normal documentation (key name with acceptable value ranges and what they do).
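An added example, not code from this thread or from Symantec, that models the two assumptions the post above went with (FileType=1 means "scan only what is in Exts", and the extension comparison is case-insensitive). It lets an admin list which files in a backup set would still fall under real-time scanning before changing the key, rather than judging only by rtvscand's CPU drop afterwards. It does not call symcfg: the two listing lines are constructed copies of the ones quoted earlier in the thread, the sample file names are made up, and the meaning of FileType=0 as "all files" is the same assumption the thread makes, not something the script can confirm.

```sh
#!/bin/sh
# Added example, not code from the thread or from Symantec.  Models the
# thread's assumptions (FileType=1 -> only the Exts list is scanned; the
# comparison ignores case) so you can see which files would still be scanned.
# The two listing lines are constructed copies of the ones quoted in the thread.

FILETYPE_LINE='Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\FileType       1       REG_DWORD'
EXTS_LINE='Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\Exts   XLS,DOT,DOC,XLT,HTML,HTT,HTM,VBS,JS,SHS,PPT,MSO,POT,RTF,MDB,JTD,HLP,INF,INI,HTA,MP?,OBD,OBT,PPS,SMM,VSD,VST,XL?,VSS,JSE,VBE,SH,SHB,WSF,WSH,PL,PM,CSH,EXE,COM,BIN,OVL,SYS,DLL,OCX,VXD,BAT,BTM,CSC,PIF,386,CLA,OV?,DRV,SCR,ACM,ACV,ADT,AX,CPL REG_SZ'

# listing_value LINE: the value column of a 'symcfg list' style line.
# The key itself contains spaces, so take the second-to-last whitespace
# field (value) rather than a fixed column number.
listing_value() {
    printf '%s\n' "$1" | awk '{ print $(NF-1) }'
}

# ext_in_list EXTS NAME: succeed if NAME's extension matches an entry of the
# comma-separated EXTS list.  The extension is upper-cased first (the assumed
# case-insensitivity), and entries such as MP?, XL?, OV? are treated as
# single-character wildcards by using them as shell case patterns.
ext_in_list() {
    list=$1 name=$2
    case $name in
        *.*) ext=${name##*.} ;;
        *)   return 1 ;;          # no extension at all: cannot be in the list
    esac
    ext=$(printf '%s' "$ext" | tr '[:lower:]' '[:upper:]')
    saved_ifs=$IFS; IFS=,
    for pat in $list; do
        case $ext in
            $pat) IFS=$saved_ifs; return 0 ;;
        esac
    done
    IFS=$saved_ifs
    return 1
}

# would_scan FILETYPE EXTS NAME: print "scan" or "skip" for NAME.
would_scan() {
    if [ "$1" -eq 0 ]; then        # assumed (as in the thread): 0 = all files
        echo scan
    elif ext_in_list "$2" "$3"; then
        echo scan
    else
        echo skip
    fi
}

filetype=$(listing_value "$FILETYPE_LINE")
exts=$(listing_value "$EXTS_LINE")

# constructed sample of names typical of a backup set
for f in payroll.XLS notes.doc archive.tar.gz nightly.SH song.mp3 README core.dump; do
    printf '%-16s %s\n' "$f" "$(would_scan "$filetype" "$exts" "$f")"
done
```

Feeding the script the real `symcfg` listing lines instead of the constructed copies gives a quick picture of what share of a backup set the reduced list still covers; note that it only reflects the assumptions stated in the thread, so a disagreement between its output and rtvscand's actual behaviour is exactly the kind of thing that should go back to Symantec for documentation.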

AndyKonecny wrote:

Without being able to use ConfigEd (someone else is working on that issue),  i.e. doing this through symcfg

What is the action number that corresponds to Deleting a found virus?

I can see (as per below) that the Action of 'Clean risk' is a 5, and that the Action of 'Quarantine risk' is a 1. What would delete be? I see only 4 options, so there is no clear spread between 5 and 1, and I'm not about to randomly guess on this, lest I trip over the self-destruct code (or something similarly damaging).

\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\FirstAction    5    REG_DWORD
\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\SecondAction    1    REG_DWORD

And yes, I have been looking at the Windows Registry for the same items, but the management (ability to change) isn't working properly at the moment with others working on that problem.

Mick2009 wrote:

Hi Andy,

"Thumbs up" for sharing your findings via the above posts. 

This is a pain point: many of those values in the SAVFL registry are undocumented, probably because the tool for manipulating them is officially "unsupported." 

In the Symantec/symantec_antivirus/unsupported directory there is a tool called xsymcfg.  This tool, when launched as a root user, will display a graphical interface for changing the values that configure the SAVFL client.

This is a "use at your own risk" tool, but one that has come in handy for many admins.    If there is sufficient interest I will feature it in the next part of my somewhat illustrated guide.


With thanks and best regards,

Mick

AndyKonecny wrote:

Hey Mike, 

Is not symcfg supported? It is certainly one of the first tools listed for "Using Symantec AntiVirus for Linux" in SAV_Linux_Impl.pdf, and the meanings of the keys are critical to the use of THE first tool listed for manipulating SAVFL's configuration.

I think this critical lack is more a symptom of Symantec's apparent fixation on supporting Microsoft products (after all they need so much and that has been a most profitable business) that they appear to be challenged by the other options out there (yes Virginia, there are non-Microsoft options for everything Microsoft does).

Thanx for pointing out the GUI version of symcfg. It certainly makes it a lot quicker to figure out the keys I need to work with, though given its unsupported status, I'll stick to the CLI version for actual changes unless I have an emergency and need to walk someone else through a change.

I'm still occasionally getting a server go non-responsive when under full backup load since adding SAVFL, but at least it looks like I've moved the threshold beyond the daily load of just the incrementals overnight. But it still isn't leaving any hints in any logs; might just have to increase resources allocated to these systems a bit to see if that helps (+1 CPU, +1GB RAM, just have to love virtualization).

I have been big on sharing such results as I've been doing. This industry changes way too fast to keep them hidden. For many years you could Google my name and only get my content/references, now there's a musician (he is the one with long hair) by the same name intermixed with mine.

Andy Konecny of
KonecnyConsulting.ca in Toronto

AndyKonecny wrote:

additional settings of note on these Novell Open Enterprise Server (OES) boxes

I added more  "NoScanDir"s   /dev      /var     /usr/novell/sys/._NETWARE     /media/nss/*/./NETWARE

These were in part based on running through http://www.novell.com/support/kb/doc.php?id=7006996, though I'm not sure if I got the syntax of that last one right, or if I have to do this for each and every volume, or if that wild card will work; fingers Xed.
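An added example, not code from this thread, from Novell or from Symantec, for the wildcard question in the post above: rather than gambling on whether the client honours '*' in a NoScanDir entry, expand the pattern yourself into one explicit, existing directory per volume and add those. The script builds a constructed directory tree under a temporary root (the volume names VOL1, DATA, SCRATCH and the NETWARE directory name are made up for the demonstration), and it uses the post's last pattern without its '/./' component, since 'a/./b' names the same directory as 'a/b'. Entries that do not exist, like the constructed tree's missing /usr/novell/sys/._NETWARE, are dropped, which is a useful check in itself: an exclusion for a path that is not there protects nothing and hides a typo.

```sh
#!/bin/sh
# Added example, not code from the thread, from Novell or from Symantec.
# Expands wildcard NoScanDir candidates into explicit, existing directories so
# the exclusion list does not depend on the client understanding '*'.
# Runs against a constructed tree under a temporary root; volume names and the
# 'NETWARE' directory name are made up for the demonstration.

# make_demo_tree: build the constructed tree and print its root directory.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/dev" "$root/var" \
             "$root/media/nss/VOL1/NETWARE" \
             "$root/media/nss/DATA/NETWARE" \
             "$root/media/nss/SCRATCH"          # a volume without the directory
    printf '%s\n' "$root"
}

# expand_noscan_dirs ROOT PATTERN...: for each pattern, print the directories
# it names (relative to ROOT, one per line), keeping only those that exist and
# resolving symlinks so every line is the directory's canonical path.
expand_noscan_dirs() {
    root=$(cd "$1" && pwd -P) || return 1
    shift
    for pat in "$@"; do
        # $root$pat is intentionally unquoted so the shell expands any '*'
        for d in $root$pat; do
            [ -d "$d" ] || continue
            real=$(cd "$d" && pwd -P) || continue
            printf '%s\n' "${real#"$root"}"
        done
    done
}

root=$(make_demo_tree)
echo "Explicit NoScanDir entries found under $root:"
expand_noscan_dirs "$root" /dev /var '/media/nss/*/NETWARE' /usr/novell/sys/._NETWARE
rm -rf "$root"
```

Run against a real server, call `expand_noscan_dirs / '/media/nss/*/._NETWARE'` (or whatever the KB article's exact directory name is) and paste each printed line in as its own entry; re-run it after a volume is added, since an explicit list, unlike a wildcard, does not pick up new volumes by itself.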

Mick2009 wrote:

Just adding a link to this new article:

SAV for Linux: A (Somewhat) Illustrated Guide Part 2
https://www-secure.symantec.com/connect/articles/sav-linux-somewhat-illustrated-guide-part-2

With thanks and best regards,

Mick