Endpoint Protection

  • 1.  SAVFL - Only report Incidents (Viruses) but do not quarantine any file

    Posted Jul 03, 2013 01:22 PM

    Hello,

    We are running Symantec AntiVirus for Linux version 12.1. I am looking for a possibility to not quarantine any files recognized as viruses by SAVFL. I only want them reported to a remote SEPM using SAV reporter. All my test viruses were quarantined (as expected) but I do not want them to be quarantined. This is because we are afraid of false positives that could lead to quarantined and removed files absolutely essential for the system.

    Is there any possibility to only inform about possible threats but not to remove any file?

    Thank you for help!

    Have a nice day!



  • 2.  RE: SAVFL - Only report Incidents (Viruses) but do not quarantine any file

    Posted Jul 03, 2013 01:35 PM

    I'm not aware of this option existing.

    You can see the implementation guide for SAVFL on how to manage the quarantine:

    ftp://ftp.symantec.com/public/english_us_canada/products/symantec_antivirus/symantec_antivirus_corp/10.1/manuals/SAV_Linux_Impl.pdf

    Starts on page 38



  • 3.  RE: SAVFL - Only report Incidents (Viruses) but do not quarantine any file

    Posted Jul 04, 2013 04:18 AM

    Hi Brian81,

    Thank you for your reply.

    On the SEP distribution CD I found two manuals, explaining installation and configuration of SAVFL. Unfortunately I did not find any hint about how I could switch off the quarantining of files.

    Have a nice day!



  • 4.  RE: SAVFL - Only report Incidents (Viruses) but do not quarantine any file

    Broadcom Employee
    Posted Jul 04, 2013 04:40 AM

    From the SAV client GUI, set the actions as you want. You may want to remove the action quarantine.



  • 5.  RE: SAVFL - Only report Incidents (Viruses) but do not quarantine any file

    Posted Jul 04, 2013 05:01 AM

    Hi pete_4u2002,

    The SAV client machine is a server running CentOS 6.4 without any graphics installed (no X-Window). Is there any possibility to remove the quarantine action using only the CLI?

    Thank you!

    Have a nice day!



  • 6.  RE: SAVFL - Only report Incidents (Viruses) but do not quarantine any file

    Posted Jul 06, 2013 12:57 PM

    Hi Auco123,

    It is possible to set the action to "log only" rather than delete or quarantine.  Generally I recommend that admins leave it at the default, unless they are actively checking logs regularly. 

    You will need to change the "registry" to accomplish this.  Details on the various ways can be found in

    SAV for Linux: A (Somewhat) Illustrated Guide Part 2
    https://www-secure.symantec.com/connect/articles/sav-linux-somewhat-illustrated-guide-part-2

    This thread lists the specific keys that need to be changed....

    https://www-secure.symantec.com/connect/forums/configuring-sav-linux

    Please update this thread with news if there is additional assistance you need, or confirm that this has worked for you!  &: )

    With thanks and best regards,

    Mick



  • 7.  RE: SAVFL - Only report Incidents (Viruses) but do not quarantine any file

    Posted Jul 08, 2013 10:21 AM

    Hi Mick,

    It seems that I need to know the keys to set the action to "log only" by using the symcfg tool. I did read all the information I got by issuing /opt/Symantec/symantec_antivirus/symcfg -r list -k '*' to the command line.  Unfortunately I could not guess the correct keys or their necessary values needed to change the behavior as described above.

    In the mentioned thread https://www-secure.symantec.com/connect/forums/configuring-sav-linux I only found the keys and values to exclude certain file directories or file extensions from scanning.

    Is there any hint what keys and values I need to set by using the symcfg tool to stop SAVFL from quarantining files considered to be viruses during scheduled scans?

    Thank you!

    Have a nice day!