Symantec AntiVirus 10.1 Corporate Edition

Question/Issue:
This document discusses the installation process for Symantec AntiVirus 10.1 Corporate Edition when no previous versions of Symantec Client Security, Symantec AntiVirus, or Norton AntiVirus Corporate Edition exist on the network.


Solution:

Before you begin:
This document is meant only for installations in which no previous version of Symantec AntiVirus, Symantec Client Security, or Norton AntiVirus exists on the network or on individual computers. If previous versions of Symantec antivirus products are already installed, read Migrating to Symantec AntiVirus 10.1 Corporate Edition.

If you use Symantec AntiVirus 10.1 Business Pack, read Symantec AntiVirus 10.1 installation walk-through for small business administrators.



The installation of Symantec AntiVirus on a network involves the following steps, which must be completed in a specific order:
  • Plan the network
  • Install Symantec System Center
  • Install the primary management server
  • Unlock the server group and designate the primary server
  • Back up the server group root certificate
  • Install management servers from Symantec System Center
  • Configure your server group
  • Install clients


Plan the network
The best layout of the Symantec AntiVirus architecture depends on the topology of your network. Plan the layout geographically, with servers at each physical location, to reduce traffic over wide area connections. To draw logical rather than physical distinctions, such as different rules for different departments, use client groups rather than server groups. Note that a Symantec AntiVirus server does not need to be a network server; it can be a Windows 2000 or XP Professional workstation.

On servers such as mail servers, database servers, Web servers, and file servers, you should usually install the client version of Symantec AntiVirus. By placing Symantec AntiVirus clients on these heavier-traffic computers, you eliminate bandwidth overhead, system resources, and potential downtime in the event of problems. The Symantec AntiVirus client installation is supported on a Windows Server only when the Internet Email Tools or email plug-ins are not installed. If you install Symantec AntiVirus client with Internet Email Tools or email plug-ins on a Windows server, high memory usage or other unpredictable behavior may occur.
For details, read Compatibility of Symantec AntiVirus email plug-ins with Microsoft Windows Server operating systems.

Mail servers require special consideration to prevent data loss.
For more information, read Installing Symantec or Norton AntiVirus Corporate Edition on mail servers.

Symantec recommends that you install a secondary management server in your server group for disaster recovery purposes. If you do not install a secondary server and your primary server fails, you will not be able to access the server group from Symantec System Center. You should always back up the Pki folder, as described in the section "Back up the server group root certificate." If your primary server becomes corrupted, you can restore it if you have the backup files.

Typical architecture resembles the following:
  • Primary management servers in each server group receive virus definitions from Symantec Security Response by using LiveUpdate.
  • Secondary servers receive the definitions from the primary server by using the Virus Definition Transport Method.
  • Clients receive virus definitions from the secondary servers by using the Virus Definition Transport Method.

Symantec System Center is the console from which you can control all of Symantec AntiVirus. It can be placed on any supported Windows computer on the network. To minimize server traffic, consider placing Symantec System Center on a convenient workstation rather than on a server.


Additional considerations
The following is a list of critical information that you need to know for a successful installation:
  • The system clocks on all management console computers, servers, and clients must be within the default of ±24 hours of the system time on the primary management server. If this time requirement is not met, servers and clients cannot authenticate and communications will fail.
  • Symantec AntiVirus 10.1 scans in real time for any security risks that are associated with adware and spyware. This functionality can cause conflicts with similar products from other vendors. Before you install antivirus servers and clients, disable or remove similar products from other vendors, especially those products that scan in real time.


Install Symantec System Center
After you know where each component of Symantec AntiVirus will be installed, the first step is to install Symantec System Center.

Note: Before you install Symantec System Center on a Windows Terminal Server, the Terminal Server must be in Remote Administration mode. After you install Symantec System Center and restart the computer, you can put the Terminal Server in Application mode. When Symantec System Center is installed on a Terminal Server, open Symantec System Center locally. Do not connect to Symantec System Center by using a terminal session.


In addition to Symantec System Center, the following management components are installed by default:
  • Symantec AntiVirus snap-in
Required if you want to centrally manage antivirus protection.
  • AntiVirus Server Rollout tool
Adds the ability to push the antivirus server installation to remote computers. This tool is also available on the Symantec AntiVirus CD.
  • ClientRemote Install tool
Adds the ability to push the Symantec AntiVirus client installation to remote computers. This tool is also available on the Symantec AntiVirus CD.
  • Symantec Endpoint Compliance Snap-in
Adds the ability to manage Symantec Endpoint Compliance, if you choose to install it.
  • Reporting Snap-in
Adds the ability to manage Reporting if you install a Reporting server.

If you elect not to install any of these management components with Symantec System Center, you can run the Symantec System Center installation later and select them.

To install Symantec System Center
  1. Do one of the following:
    • If you are installing from the CD and Autorun is enabled on the computer, insert the Symantec AntiVirus CD into the CD-ROM drive.
    • If you are accessing the files from the CD on a network resource, or if Autorun is disabled on the computer, then in the root folder of the CD, double-click Setup.exe.
  2. In the Symantec AntiVirus panel, click Install Symantec AntiVirus > Install Symantec System Center.
  3. In the Welcome panel, click Next.
  4. In the License Agreement panel, click I accept the terms in the license agreement, and then click Next.
    If Microsoft Management Console 1.2 or later is not installed on the computer, a message indicates that you must allow it to be installed.
  5. In the Select Components panel, check any of the following components that you plan to install:
    • Alert Management System Console
    • Symantec AntiVirus Snap-In
    • Symantec Endpoint Compliance Snap-in
    • AV Server Rollout Tool
    • ClientRemote Install Tool
    • Reporting Snap-in
    If these components are not present on the computer, all of them except Alert Management System Console are checked automatically.
  6. Click Next.
  7. In the Destination Folder panel, do one of the following:
    • To accept the default destination folder, click Next.
    • Click Change, locate and select a destination folder, click OK, and then click Next.
  8. In the Ready to Install the Program panel, click Install.
    You might be prompted to restart the computer if the Microsoft Management Console is installed.
  9. In the InstallShield Wizard Completed panel, click Finish.
  10. When you are asked to restart the computer, click Yes.


Install the primary management server
After you install Symantec System Center and restart the computer, install the primary management server.

To install the primary management server
  1. From the Symantec AntiVirus CD, run Setup.exe.
  2. In the Symantec AntiVirus panel, click Install Symantec AntiVirus > Install Symantec AntiVirus Server.
  3. Make sure that Server Program and Reporting Agents are checked, and then click Next.
  4. In the Create Server Group User panel, in the Username box, type the user name that will be used to administer the server group, and then click Next.
  5. Follow and complete the prompts until installation completes.
  6. After installation finishes, restart the computer.


Unlock the server group and designate the primary server
Interactive tutorial
After you install Symantec System Center, designate the first server in the server group as the primary server. The existence of a primary server allows you to deploy other servers and clients from Symantec System Center.

To unlock the new server group and designate the primary server
  1. Start Symantec System Center.
  2. In the left pane, right-click the new server group, and then click Unlock.
  3. In the Login dialog box, type the user name that you entered when you installed the primary management server, type the password, and then click OK.
  4. Right-click the server, and then click Make server a primary server.
  5. If you see a prompt for the name or the IP address of the Reporting server, click Cancel.
    The location of the Reporting server is passed to Symantec System Center when you install the Reporting server.

Back up the server group root certificate
This step is quick but vital. You must back up the server group root certificate after you unlock the server group for the first time. Otherwise, the server group and its settings will not be recoverable if the primary management server fails.

To back up the certificate
  1. In Windows Explorer, open the Symantec AntiVirus program folder.
  2. Copy the Pki folder to removable media.
    The contents of the Pki folder should be only a few KB in size.
  3. Store the Pki folder in a safe location.
    In the event of a catastrophic server failure, you will need these files to recover client/server communication.
    For more information, read Steps to minimize recovery time in the event of a server failure.

Install management servers from Symantec System Center
You can install management servers for the rest of the network from Symantec System Center, which is the easiest installation method. You can also install servers from the CD.

To install a management server from Symantec System Center
  1. In the Symantec System Center console, in the left pane, expand Symantec System Center.
  2. On the Tools menu, click AntiVirus Server Rollout.
    AntiVirus Server Rollout is available only if you selected the Server Rollout component when you installed Symantec System Center. This component is selected for installation by default.
  3. In the Welcome panel, click Install Symantec AntiVirus server, and then click Next.
  4. In the License Agreement panel, click I agree, and then click Next.
  5. In the Select Items panel, ensure that Server program and Reporting Agents are checked, and then click Next.
  6. In the Select Computers panel, under Network, select the computers to which you want to install the server, and then click Add.
  7. Click Next.
  8. In the Server Summary panel, do one of the following:
    • To accept the default Symantec AntiVirus installation path, click Next.
    • To change the path, select a computer, and then click Change Destination. In the Change Destination dialog box, select a destination, click OK, and then click Next.
  9. In the Enter Password for the Server Group panel, type the user name and password, and then click OK.
  10. In the Server Startup Options panel, click Automatic startup, and then click Next.
  11. In the Using the Symantec System Center Program panel, click Next.
  12. In the Setup Summary panel, read the message, and then click Finish.
  13. In the Setup Progress panel, view the status of the server installation, and then click Close when the installation is finished.
  14. Restart the newly installed server.


To install a management server onto Novell NetWare servers
  1. In the Symantec System Center console, in the left pane, expand Symantec System Center.
  2. On the Tools menu, click AntiVirus Server Rollout.
    AntiVirus Server Rollout is available only if you selected the Server Rollout component when you installed Symantec System Center. This component is selected for installation by default.
  3. In the Welcome panel, click Install Symantec AntiVirus server, and then click Next.
  4. In the License Agreement panel, click I agree, and then click Next.
  5. In the Select Items panel, ensure that Server program is checked, and then click Next.
  6. In the Select Computers window, double-click NetWare services.
  7. Browse "Novell directory services" until you are at the SYS: volume object level.
    If the Novell Client is not installed on the Windows computer, this option does not appear. To install a management server to NDS, the Novell Client must be installed.
  8. Select the server's SYS: volume object, and then click Add.
    You are prompted to enter a tree name, a user name, and a password.
    The default user name that you see is "Administrator" instead of "Admin." Typically, you must change this name in order to log in correctly.
    For further instructions on how to find and select the server's SYS volume object, read the following document: How to "walk the tree" when installing Symantec AntiVirus Corporate Edition to NetWare servers.
  9. Click Next.
  10. In the Server Summary panel, do one of the following:
    • To accept the default Symantec AntiVirus installation path, click Next.
    • To change the path, select a computer, and then click Change Destination. In the Change Destination dialog box, select a destination, click OK, and then click Next.
  11. In the Select Symantec AntiVirus Server Group panel, under Symantec AntiVirus Server Group, type a name for a new server group, and then click Next.
  12. In the Enter Password for the Server Group panel, type a user name, type and retype a password for the user name, and then click OK.
    The user name that you type is the user name that administers the server group.
  13. In the Server Startup Options panel, click Automatic startup, and then click Next.
  14. In the Using the Symantec System Center Program panel, click Next.
  15. In the Setup Summary panel, read the message, and then click Finish.
  16. In the Setup Progress panel, view the status of the server installation, and then click Close when the installation finishes.

    WARNING: Do not skip the next step. If you do, Symantec AntiVirus will not be loaded automatically, and client login installations will fail.

  17. At the NetWare console, type the following command to load the Symantec AntiVirus NLMs:

    load sys:sav\deploy0\vpstart.nlm /install


Configure the server group
If you configure the server group before you install new clients, the clients are automatically configured to include virus definitions update and scan schedules when you install them.

Configure updates and protection
The configuration of updates and protection involves the following tasks:
  • Configure the Virus Definition Transport Method (VDTM) for a server group.
  • Configure scan schedules.
  • Configure Auto-Protect scans.

Configure VDTM for a server group
The easiest way to keep servers and clients updated with the latest virus definitions is to use the Virus Definition Transport Method (VDTM). To use VDTM, you configure the primary management server in a server group to retrieve the latest virus definitions from either Symantec or an internal LiveUpdate server. The definitions then automatically propagate to all other servers and clients in the group.

Note: After you create a server group, VDTM by default is configured on the primary management server to randomly distribute virus definitions to clients every week between Thursday and Friday, within 480 minutes of 8:00 PM. If this schedule is satisfactory, you do not need to configure VDTM.


With VDTM, the other servers and clients in the group do not access the Internet; this preserves Internet gateway bandwidth. Typically, the internal LiveUpdate server is used only in very large networks to preserve additional Internet gateway bandwidth when you have a large number of primary servers that access the Internet.

To configure VDTM for a server group
  1. In the Symantec System Center console, right-click a server, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager.
  2. In the Virus Definition Manager dialog box, do both of the following:
    • Under How Servers Retrieve Virus Definitions Updates, click Update the Primary Server of this Server Group only.
    • Under How Clients Retrieve Virus Definitions Updates, click Update virus definitions from parent server.
  3. Click Configure.
  4. In the Configure Primary Server Updates dialog box, click Source.
  5. In the Setup Connection dialog box, in the "Update definition file via" list, click LiveUpdate (Win32)/FTP(NetWare), and then click OK.
  6. In the Configure Primary Server Updates dialog box, do both of the following:
    • Click Update Now to retrieve the virus definitions files from the primary management server immediately.
    • Click Schedule For Automatic Updates, click Schedule, and then specify a frequency and time at which the server checks for updates on the primary management server.
  7. Click OK until you return to the Symantec System Center main window.
  8. Right-click System Hierarchy, and then click Refresh.

Configure scan schedules
A scan schedule defines when all clients and servers in a server group scan hard disks for viruses and other threats. You should schedule these scans to run during off hours, when employees are least likely to be affected.

To configure scan schedules
  1. In Symantec System Center, right-click a server group.
  2. Click All Tasks > Symantec AntiVirus > Server Scheduled Scans.
  3. In the Scheduled Scans dialog box, on the Server Group Scans tab, click New.
  4. In the Scheduled Scan dialog box, under Name, type a name for the scan.
  5. Explore and configure other settings that are available with the Scan Settings and Advanced buttons.
  6. Click OK until you return to the main window in the Symantec System Center console.

Configure Auto-Protect scans
Auto-Protect scans files as you open them and scans email attachments as they are sent and received. Servers scan the file system only; clients scan the file system and email attachments. You can also set Threat Tracer for clients to identify any computers that spread viruses to network shares.

To configure Auto-Protect scans for server file systems
  1. In the Symantec System Center console, right-click the server group that you need to configure, and then click All Tasks > Symantec AntiVirus > Server Auto-Protect Options.
  2. In the Server Auto-Protect Options dialog box, on the File System tab, check Enable Auto-Protect, and then click Advanced.
  3. In the Server Auto-Protect Advanced dialog box, verify that the options under Threat Tracer are checked.
  4. Click OK.
  5. In the Server Auto-Protect Options dialog box, click OK.

To configure Auto-Protect scans for client file systems and email attachments
  1. In the Symantec System Center console, right-click the server group that you need to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
  2. In the Client Auto-Protect Options dialog box, on the File System tab, check Enable Auto-Protect, click the lock icon so that it is locked, and then click Advanced.
  3. In the Auto-Protect Advanced Options dialog box, familiarize yourself with the various settings, and verify that the options under Threat Tracer are checked.
  4. Click OK.
  5. On the tab that corresponds to your email system, check Enable Auto-Protect.
    Your tab options are as follows:
    • Internet E-mail
    • Lotus Notes®
    • Microsoft® Exchange
  6. Click OK.


Install clients
You have two primary options for installing client software: You can install the software from Symantec System Center, or you can install the software from the installation CD. For additional methods of client installation, read the Installation Guide.

Disable the Windows XP firewall
Windows XP includes a firewall that can interfere with Symantec AntiVirus installation communications between servers and clients. On any servers or clients run Windows XP, you must disable the Windows XP firewall before you install Symantec AntiVirus client software.
See the following Microsoft Knowledge Base articles for more information:
Installing client software by using Symantec System Center
When you install clients from Symantec System Center, the clients are automatically managed.

To install client software by using Symantec System Center
  1. In the Symantec System Center console, in the left pane, right-click the server group that you created when you installed the antivirus server.
  2. If necessary, click Unlock Server Group, and then unlock the server group.
  3. In the left pane, click the primary management server so that it remains selected.
  4. On the Tools menu, click ClientRemote Install.
    ClientRemote Install is available only if you selected the ClientRemote Install tool when you installed Symantec System Center. This component is selected for installation by default.
  5. In the Welcome panel, click Next.
  6. In the Select Install Source Location panel, click Default Location, and then click Next.
  7. In the Select Computers panel, under AntiVirus Servers on the right side, select a computer to act as the parent server (your primary management server).
  8. Under Available Computers on the left side, expand Microsoft windows network, expand a group, and then select a client computer.
  9. Click Add.
    The client computer moves under the AntiVirus parent server in the right pane.
  10. Add all of the client computers that you need to manage, and then click Finish.
  11. In the Status of Remote Client Installation(s) panel, after the remote installation has finished, click Done.
  12. Restart the client computers.
  13. After a few minutes, in the Symantec System Center console, on the Actions menu, click Refresh.
  14. The client computer appears in the right pane when the client software is fully installed, which may take up to a minute.

Installing client software from the CD
You can install the client software from the Symantec AntiVirus CD. The following procedure shows how to install the software onto one client. You can install software onto single computers, and you can deploy the software onto multiple clients from the CD.

To install the client software from the CD
  1. Insert the Symantec AntiVirus CD into the CD-ROM drive.
    If Autorun is disabled on the computer, then in the root folder of the CD, double-click Setup.exe.
  2. In the Symantec AntiVirus panel, click Install Symantec AntiVirus, and then in the next panel click Install Symantec AntiVirus.
  3. In the Welcome panel, click Next.
  4. In the License Agreement panel, click I accept the terms in the license agreement, and then click Next.
  5. In the Client Server Options panel, click Client Install, and then click Next.
  6. In the Setup Type panel, click Complete, and then click Next.
  7. In the Network Setup Type panel, click Managed, and then click Next.
  8. In the Select Server panel, do one of the following:
    • Next to Server Name, type the host name of the primary antivirus server that you installed and configured.
    • Click Browse, select the primary antivirus server that you installed and configured, and then click OK.
  9. Click Next.
  10. In the Ready to Install the Program panel, click Install.
  11. In the Installing Symantec AntiVirus panel, after the installation has finished, click Finish.
  12. Click Yes to restart the client computer.


Install Reporting (optional)
For information on installation and configuration of Reporting, read Chapter 4 of the installation guide, which is located in the \Docs folder of the installation CD or online here.
Labels: