eTrust Antivirus Administrator Guide

Admin Server—The Admin Server keeps track of all instances of the antivirus product that are running in your network. Authorized users can perform remote.
eTrust Antivirus

Administrator Guide 7.1

G00417-1E

This documentation and related computer software program (hereinafter referred to as the “Documentation”) is for the end user’s informational purposes only and is subject to change or withdrawal by Computer Associates International, Inc. (“CA”) at any time. This documentation may not be copied, transferred, reproduced, disclosed or duplicated, in whole or in part, without the prior written consent of CA. This documentation is proprietary information of CA and protected by the copyright laws of the United States and international treaties. Notwithstanding the foregoing, licensed users may print a reasonable number of copies of this documentation for their own internal use, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the confidentiality provisions of the license for the software are permitted to have access to such copies. This right to print copies is limited to the period during which the license for the product remains in full force and effect. Should the license terminate for any reason, it shall be the user’s responsibility to return to CA the reproduced copies or to certify to CA that same have been destroyed. To the extent permitted by applicable law, CA provides this documentation “as is” without warranty of any kind, including without limitation, any implied warranties of merchantability, fitness for a particular purpose or noninfringement. In no event will CA be liable to the end user or any third party for any loss or damage, direct or indirect, from the use of this documentation, including without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised of such loss or damage. The use of any product referenced in this documentation and this documentation is governed by the end user’s applicable license agreement. 
The manufacturer of this documentation is Computer Associates International, Inc. Provided with “Restricted Rights” as set forth in 48 C.F.R. Section 12.212, 48 C.F.R. Sections 52.227-19(c)(1) and (2) or DFARS Section 252.227-7013(c)(1)(ii) or applicable successor provisions.

© 2004 Computer Associates International, Inc. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Contents

Chapter 1: About Computer Viruses
    Catching a Computer Virus  1-1
    Computer Infection Symptoms  1-2
    Effects of a Computer Infection  1-3
    Types of Viruses  1-3
    Characteristics of Viruses  1-4
    The Computer Associates Antivirus Solution  1-5
    Why Do You Need Antivirus Protection?  1-6
    How the Computer Associates Antivirus Software Works  1-6
    Protection Methods  1-7
    Keeping Your Machines Infection-Free  1-8
    Suggestions for Staying Infection-Free  1-8
    Product Components  1-9
    Using Window Views  1-11
    Options  1-11
    NetWare Domain Management  1-12
    Scanning for Unknown Infections  1-12
    Heuristic Analysis  1-12
    Getting the Latest Signature Updates  1-13
    If You Find an Infection  1-13

Chapter 2: Getting Signature Updates
    Introducing Signature Updates  2-1
    Updates are Cumulative  2-1
    For Individual Users  2-1
    For Anti-Virus Administrators  2-2
    Automate Your Distribution  2-2
    No Downtime for Updates  2-2
    Using Signature Update Options  2-3
    Signature Update Options  2-3
    Using the Schedule Options  2-4
    Using the Incoming Options  2-5
    Using the Outgoing Options  2-14
    Managing Signature Updates  2-16
    How the Download Process Works  2-16
    Monitoring Signature Downloads  2-18

Chapter 3: Using Scan and Selection Options
    Understanding the Common Scanning Options  3-1
    Using the Scan Options  3-2
    Scan Tab Options  3-2
    Using the Selection Options  3-5
    Selection Tab Options  3-5
    Using the Command-Line Scanner Inocmd32  3-7
    Scanner Options for Inocmd32  3-8

Chapter 4: Using the Local Scanner
    Local Scanner Features  4-1
    Accessing Other Options from the Local Scanner View  4-1
    Local Scanner Options  4-2
    The Local Scanner Window  4-2
    Using the Display Options  4-5
    Display Tab Options  4-5
    Using the Directory Options  4-6
    Home Directories of Previous Versions  4-6
    Directory Locations Displayed  4-6
    Sending a File for Analysis  4-7
    Using the Send Analysis Information Options  4-7
    Using the Contact Information Option  4-7
    Virus Analysis Contact Information  4-8
    Managing Infection Submissions  4-8
    Using the Service Manager  4-9
    Services  4-9

Chapter 5: Using the Realtime Monitor
    Realtime Monitor Features  5-1
    Automatic Loading of the Realtime Monitor  5-3
    Options Available from the Realtime Monitor Icon  5-3
    Realtime Messaging  5-4
    Using the Realtime Options  5-4
    Administering Realtime Settings  5-4
    Setting the Scan Direction  5-4
    Using the Realtime Selection Options  5-5
    Using Realtime Filters Options  5-5
    Using Realtime Advanced Options  5-7
    Using the Quarantine Option  5-8
    Realtime Monitor Statistics  5-9

Chapter 6: Scheduling Scan Jobs
    Schedule Scan Job Options  6-1
    Scan Job Description Option  6-2
    Using the Schedule Options  6-2
    Using the Directories Option  6-3
    Using the Exclude Directories Option  6-3
    Managing Scheduled Scan Jobs  6-3
    Viewing the Results of a Scheduled Scan  6-4
    Job Statistics for Scheduled Scan in Progress  6-4

Chapter 7: Viewing and Managing Logs
    Using the Log Viewer Window  7-1
    The Log Viewer List  7-2
    Viewing Log Summary and Detail Information  7-3
    Managing Logs  7-4
    Specifying Log Options for a Scan  7-4
    Logs in Standard Database Format  7-5
    Collecting System Metrics Information  7-5

Chapter 8: Using the Administrator View
    Using the Administrator View Window  8-1
    Using the Admin Server  8-2
    Admin Server Installation Considerations  8-2
    Connecting to the Admin Server  8-2
    The Role of the Admin Server  8-5
    LDAP Support  8-6
    Managing Configuration Settings  8-7
    Using E-mail Policies  8-8
    Using Enforced Policies  8-9
    Using Subnets  8-14
    About the Users Category  8-22
    Managing Legacy Domains  8-23
    Managing Machines with the Organization Tree  8-24
    Using the Organization Tree  8-24
    Using Access Permissions  8-30
    Admin Server Access Considerations  8-30
    Setting Access Permissions  8-34
    Creating and Using Proxy Configuration Machines  8-40
    Proxy Server Considerations  8-40
    How a Proxy Server Works  8-41
    Distributing Signatures with Download Now  8-42
    Using Download Now in the Administrator View  8-42
    Using Download Now with Redistribution Servers  8-43
    Considerations for Scanning Network Drives  8-44
    Customizing Messages  8-45
    Generating and Viewing Reports  8-45
    Generating Reports  8-45
    Viewing Reports  8-46
    Scheduling the Generation of Reports  8-48

Chapter 9: Using the Remote Install Utility
    Running the Utility  9-1
    Local Machine Requirements  9-2
    About the Installation Wizard  9-2
    Using the Remote Install Interface  9-3
    Starting the Remote Install Interface  9-3
    Browsing the Network to Select Installation Targets  9-4
    About the Installation Target List  9-4
    Using the Toolbar  9-6
    Configuring the Installation Source  9-7
    Setting Installation Source Properties  9-7
    Setting License Source Properties  9-8
    Removing the Installation Source Shares  9-9
    Specifying Targets for Installation  9-9
    Installation Target Requirements  9-9
    Adding New Targets  9-10
    Editing Existing Targets  9-11
    Deleting Existing Targets  9-12
    Copying Target Information  9-12
    Using Paste and Paste Special  9-12
    Verifying Account Information  9-13
    Importing and Exporting the Target List  9-13
    Configuring the Installation Control File  9-14
    About the ICF Configuration Dialog  9-14
    Running Installation Sessions  9-15
    About Installation Sessions  9-15
    Logging Installation Sessions  9-16
    Starting Installation Sessions  9-16
    Stopping Installation Sessions  9-17
    Uninstalling the Remote Install Utility  9-17
    Remotely Installing on Windows 9x Machines  9-17
    Using Setup.exe for Windows 9x  9-17

Chapter 10: Using Rescue Disk for Windows 9x
    Using the Rescue Disk Feature  10-1
    About Rescue Disk  10-1
    Recovering from a Computer Virus  10-4
    Using the Rescue Disk Options  10-4

Chapter 11: Using the Alert Manager
    Introducing Alert  11-1
    Basic Components  11-2
    Alert Features  11-2
    Running the Alert Manager  11-3
    Configuring Alert  11-3
    Creating and Editing Port Configurations  11-3
    Using Alert Broadcast Option  11-4
    Using the Pager  11-4
    Interpreting the Pager Message  11-4
    Using the SMTP Option  11-4
    Using the SNMP Option  11-4
    Using the Trouble Ticket  11-5
    Using Email  11-5
    Using the Unicenter TNG Option  11-5
    Using the eTrust Audit Option  11-5
    The Application Event Priority  11-5
    Sample TNG Alert Scenarios  11-6
    Testing the Recipients  11-7
    Alert Activity and Event Logs  11-7
    Event Log Destination  11-7
    Using Alert with the Antivirus Software  11-7
    Accessing the Alert Settings Options  11-8
    Using Alert Report Options  11-8
    Using Alert Filter Options  11-9
    Using Alert Policy in the Administrator View  11-10
    Using Local Alert Manager in UNIX and OS X Systems  11-10

Chapter 12: Integrating with Unicenter
    Using WorldView  12-1
    Preparing for TNG Integration  12-3
    Using TRIX for Importing to the Repository  12-3
    Using InoUpTNG to Populate the View  12-3
    Managing Antivirus Options in WorldView  12-4
    Integrating with WorldView  12-4

Appendix A: Installing the Antivirus Software for UNIX
    Before You Install  A-1
    Web Browser  A-1
    Network Requirements  A-1
    Hardware Requirements  A-2
    Supported Operating Systems  A-2
    Installing the Antivirus Software for UNIX  A-2
    Installation Procedure  A-2
    Starting and Stopping Services  A-4
    Using the Web Browser  A-4
    Using a Java™ Plug-in  A-5
    Removing the eTrust Antivirus Software  A-6
    Using Setup Switches  A-6

Appendix B: Installing and Starting eTrust Antivirus for Macintosh OS X
    Before You Install  B-1
    Network Requirements  B-1
    Hardware Requirements  B-1
    Supported Operating Systems  B-1
    Installing the eTrust Antivirus Software for OS X  B-2
    Installation Procedure  B-2
    Remote Installation Services  B-6
    Example Scripts  B-6
    Starting eTrust Antivirus Services  B-8
    Services Tab  B-9
    Options Tab  B-9
    Launching eTrust Antivirus  B-10
    Removing the eTrust Antivirus Software  B-11

Appendix C: Installing the Antivirus Software for NetWare
    Before You Install  C-1
    Using the Installation Program  C-2
    Installing eTrust Antivirus for NetWare  C-2
    Changing Server Installation Information  C-9
    Removing eTrust Antivirus Software From a Server  C-10
    Acting on Specific Servers  C-10

Appendix D: Using the ETRUSTAV Console Program
    Using ETRUSTAV Menu  D-1

Appendix E: Using the Installation Command File
    The INOC6.ICF File  E-1
    Path  E-2
    RPCMtAdn  E-3
    Local Scanner  E-3
    Distribution  E-7
    Realtime  E-9
    AdminServer  E-14
    Scheduled Scanner  E-15
    VirusAnalyze  E-19
    Alert  E-20
    NameClient  E-21
    Startup  E-22
    Miscellaneous  E-22
    EngineID  E-23
    PurgeLog  E-23
    InstallComponent  E-24
    SystemSetting  E-25
    Job Adjustment  E-26
    PreAction  E-27
    PostAction  E-27
    The INOC6_NW.ICF File  E-27
    Path  E-28
    RPCMtAdn  E-30
    Local Scanner  E-30
    Distribution  E-35
    Realtime  E-37
    Scheduled Scanner  E-41
    VirusAnalyze  E-45
    Alert  E-45
    NameClient  E-46
    Miscellaneous  E-47
    EngineID  E-48
    PurgeLog  E-48
    InstallComponent  E-48
    NovellSpecific  E-49

Appendix F: The InoDist.ini File
    Signature Update Options in the InoDist.ini File  F-1
    [SOURCES]  F-1
    [GET]  F-4
    [POLICY]  F-4
    [OSID]  F-5
    [ENGINEID]  F-5

Appendix G: ODBC Data Source Connection Setup
    Setup Procedure  G-1
    CA InfoReports Installation  G-4

Appendix H: Installing and Using eTrust Antivirus Scanner for a NetApp Filer
    Introduction  H-1
    Scanning Process  H-2
    Controlling the Process  H-2
    Installation Information  H-3
    Managing the Scanner  H-5
    Adding Another Filer to a Scanner  H-5
    Viewing Scanner Statistics  H-7
    Changing Antivirus Settings With the Realtime Monitor  H-7
    Managing Custom Move and Copy Directories  H-14
    Viewing the Virus Detection Log  H-16
    Managing the Scanner Remotely  H-17
    Managing the Filer  H-18
    Enabling and Disabling Virus Scanning  H-18
    Specifying File Extensions to Scan Using vscan  H-18
    Specifying Shares to Scan Using cifs  H-20
    Troubleshooting  H-22

Appendix I: Unattended Installation of eTrust Antivirus
    Viewing the Unattended Installation File  I-1

Index

Chapter 1: About Computer Viruses

The threat of computer viruses and infections is a major security consideration for any computer user. A computer virus or infection is a computer program that can destroy information on your workstation. Similar to a biological virus, a computer virus reproduces itself by attaching to other files, usually executable programs. While it sits isolated and unexecuted (for example, inside a compressed archive), a virus is inert; once it is opened or run, it can create havoc. To be classified as a virus, a suspicious file must have the ability to:

■ Replicate itself
■ Attach itself to other executables

There are many types of infections, including file infections, macro viruses, worms, and trojan infections.

Catching a Computer Virus

Infections can spread by e-mail, Internet downloads, diskette, or network connections. Occasionally they are accidentally distributed inside packaged software products. A virus cannot spread on its own: the infected code must be run (executed) before it can replicate or cause damage, although the triggering action can be as small as inadvertently booting a workstation from an infected floppy disk (boot sector viruses) or simply opening an infected document (macro viruses). Worms are the exception, since they propagate across a network without any user action. Unprotected machines connected to the Internet, the World Wide Web, and e-mail systems can become infected and spread infections rapidly; malicious attachments in unsolicited e-mail can proliferate and bring down your network.


Computer Infection Symptoms

Symptoms of infection vary with the particular virus infecting your system. The following list contains some of the more common symptoms you are likely to encounter:

■ Your screen displays a message such as “Your PC is a turtle!”
■ Your screen displays strange graphic patterns, such as bouncing balls.
■ Files increase in size. Sometimes the increase is dramatic, leaving files too big to be loaded into memory; frequently it is small.
■ The timestamp on a file changes. You might notice a *.com or *.exe file with a timestamp more recent than when you installed it.
■ You get an error message about writing to a write-protected disk, even though your application is not attempting a write operation.
■ Programs take longer to load, although the configuration of your computer has not changed.
■ Your computer seems to be running much slower than normal.
■ Your computer has less memory available than normal.
■ The same problems occur on several computers.
■ You get a “Bad command or file name” error even when you know the file should be on the disk.
■ You cannot access a drive that you know exists.
■ CHKDSK suddenly discovers bad sectors on more than one computer.
■ You have persistent problems on your computer, such as difficulty in copying files.
■ Your computer locks up frequently.

If your computer exhibits one or more of these symptoms, you could have an infection. Because it can be difficult to tell whether these symptoms are infection-related, the Computer Associates antivirus software helps you confirm whether or not your workstation is infected.


Effects of a Computer Infection

Not all infections damage your computer. Some are just nuisances, continually reproducing themselves or displaying strange graphics or messages on your screen. Most viruses are stealthy, remaining hidden until they start running. If an infection does cause damage, the damage varies depending upon the particular infection in your system. In general, viruses can do the following damage to your computer:

■ Hang your computer

■ Erase, modify, and hide your files

■ Scramble data on your hard disk

■ Attack and scramble the File Allocation Table (FAT)

■ Attack and scramble the Partition Table

■ Format your hard disk

Types of Viruses

Viruses are classified according to how the virus is transmitted and how it infects the computer. The following table lists common types of viruses and their effects.

Virus Name          Description

boot sector viruses
    These viruses overwrite the original boot sector of the disk (which contains code that is executed when the system is booted) with their own code, so that the virus is always loaded into memory before anything else. This means that every time you start your computer, the virus is run. Once in memory, the virus can make your startup disk unusable or can spread to other disks.

master boot sector viruses
    These viruses overwrite the master boot sector of the disk (the partition table). They are difficult to detect because many disk examination tools do not let you see the partition sector, which is the first sector on a hard disk.

macro viruses
    These viruses are written in the macro language of specific computer programs, such as a word processor or spreadsheet. Macro viruses infect files (not the boot sector or partition table), and can become memory resident when executed. They can be run when a program document is accessed, or triggered by user actions, such as certain keystrokes or menu choices. Macro viruses can be stored in files with any extension and are spread through file transfers, including e-mail.

file viruses
    These viruses infect other programs when an infected program is run. They do not stay resident in memory, so they infect files rather than the running system. Like memory resident viruses, these non-resident viruses attach themselves to executable files. They often change the file attribute information and the file size, time, and date information.

multipartite viruses
    These viruses combine the characteristics of memory resident, file, and boot sector viruses.

Other types of infections and attacks include worms and distributed denial of service (DDoS) attacks. Worms are similar to viruses in that they make copies of themselves, but once a worm is executed it seeks out other systems to infect, rather than other parts of the same system. In a distributed denial of service attack, hidden agent programs are planted on unsuspecting systems and activated at a later time, so that many compromised machines direct malicious traffic at a single target at once.

Characteristics of Viruses

The different types of viruses may exhibit different behavioral characteristics, based on how they function.

Virus Type          Behavior

memory resident
    These viruses load themselves in memory and take over control of the operating system. Memory resident viruses attach themselves to executable files (such as *.exe, *.com, and *.sys files). These viruses often change the file attribute information and the file size, time, and date information.

stealth
    These viruses hide their presence. While all viruses try to conceal themselves in some way, stealth viruses make a greater effort at concealment. For example, a stealth virus can infect a program, adding bytes to the infected file, and then subtract the same number of bytes from the size reported in the file's directory entry, giving the impression that the size of the file has not changed. Comparing the size reported by the directory with the number of bytes actually read from the file is one way to expose this trick.

polymorphic
    These viruses modify their appearance and change their signature (their identifiable code) periodically. For example, they can insert junk instructions into the middle of their own code, or change the order in which their code executes, so that no fixed byte pattern is shared by all copies. This allows the virus to escape signature scanning detection methods.

The Computer Associates Antivirus Solution

The Computer Associates antivirus software is a powerful antivirus solution for your enterprise network or your individual workstation. It can protect your workstations running under Windows, UNIX, Macintosh OS X, and NetWare. This software is certified by the International Computer Security Association (ICSA) to detect 100 percent of viruses in the wild. Features include the Windows-style user interface, integration with the Windows Explorer, and free monthly virus signature updates from Computer Associates. Available options provide protection for the Lotus Notes and Microsoft Exchange messaging systems. Versions are also available for Novell NetWare, Linux, Solaris, HP-UX, and Macintosh OS X.

Platform References

The term Windows refers to the Microsoft Windows operating system, including Windows 95, Windows 98, Windows NT, Windows 2000, Windows Server 2003, and Windows XP. Unless specifically designated, Windows refers to any Microsoft Windows operating system supported by the Computer Associates antivirus software. Linux refers to Linux on Intel machines and on System 390, Solaris refers only to Solaris running on Sun SPARC machines, and HP-UX refers only to HP-UX running on HP PA-RISC machines.

Automate Your Antivirus Protection

When the Computer Associates antivirus software solution is configured for your system or network, you can have automated antivirus protection. All signature updates, distribution, monitoring, scanning settings, and scanning operations can be configured to run without intervention. Signature updates can be collected on a scheduled basis and distributed to all machines in your antivirus network without the need for an administrator to manage every individual machine, and with no downtime on the workstation.


Why Do You Need Antivirus Protection?

Computer infections have become a major problem for managing network security and for individual users. The cost of lost data and the time spent restoring infected machines can be considerable if a virus infects your network or machine. Because shared drives and directories provide access to applications and information for all users on a network, one infected file on a computer can spread quickly over the entire network. Therefore, it is critical that all computers remain infection-free.

How the Computer Associates Antivirus Software Works

The Computer Associates antivirus software uses a rule-based, polymorphic, analytical virus scanner to detect known viruses. In addition, the Realtime Monitor offers continuous virus protection while you work. The Realtime Monitor is a VxD (Virtual Device Driver) that provides native antivirus protection for Windows-based systems. Under UNIX, the Realtime Monitor uses the Computer Associates Event Notification Facility (CAIENF) to provide antivirus protection for UNIX-based systems. Under NetWare, the Realtime Monitor uses the NetWare FSHOOKS subsystem. Under OS X, the Realtime Monitor uses a kernel extension (KEXT).

Architecture

In a networked environment, using a client/server architecture, one or more centralized servers keep track of information about machines in your antivirus network, and can act as distribution points for configuration and signature updates. Scans can be run by a local machine, or an authorized administrator can manage machines remotely.

Discovery

All instances of the Computer Associates antivirus software that are running in your network can be discovered automatically.

Scanner

A rule-based scanning engine detects known viruses. Unknown viruses are detected using the Heuristic Scanner option.


Notification

Extensive notification capabilities are integrated into the product. Microsoft Mail, alphanumeric and numeric pagers, Simple Mail Transfer Protocol (SMTP), Simple Network Management Protocol (SNMP), Trouble Tickets (print queue), and network broadcast messages are all available on a Windows platform to make sure you are alerted when a virus is detected. The notification facility for UNIX and OS X allows messages to be sent to syslog. A user-specified script can be called to provide customized notification alerts.

Reporting

A sophisticated reporting mechanism logs all scanning operations, which can be reviewed for tracking and analysis.

Handling

You can decide how to handle an infected file before one is discovered, or after you perform a scan.

Signature Updates

Signature updates are made available on a regular basis by Computer Associates. You can automate the update process for the machines in your antivirus network. No downtime is experienced on the workstation during the update.

Propagate and Enforce Policy

Authorized administrators can set antivirus policy options, propagate them through the network, and enforce policy settings.

Protection Methods

The Computer Associates antivirus software provides a variety of techniques for detecting computer infections. Many of these are transparent to the user.

■ Integrity Checking determines if the file size of a program has increased due to a virus attaching itself. This method is used primarily to check the integrity of the Critical Disk Area information.

■ Rules-based Polymorphic Detection observes the actions of programs, such as Call functions, to detect suspicious program behavior.

■ Interrupt Monitoring observes all program system calls (for example, DOS) in an attempt to stop the sequence of calls which could indicate virus actions.

■ Signature Scanning looks for a unique set of hexadecimal code, the virus signature, which a virus leaves within an infected file. By searching the program files armed with these codes, the signature scanner can detect that known virus.
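The following is an added example, written for this guide and not part of the eTrust Antivirus product or its engine, that shows what Signature Scanning and Integrity Checking amount to in code. The signature table, the "program" file and the detection names (Example.Test.A and Example.Test.B) are constructed for the demonstration; real signature databases are delivered by the vendor's signature updates. The scanner keeps an overlap between read chunks so that a pattern straddling a chunk boundary is still found, and the integrity check compares size, timestamp and a content hash against a stored baseline, which covers the "files increase in size" and "timestamp changed" symptoms listed earlier as well as a same-size overwrite that neither symptom would show.

```python
"""Added example (not product code): a minimal signature scanner and an
integrity checker of the kind the Protection Methods section describes."""
import hashlib
import os
import tempfile

# Constructed, hypothetical signatures: a detection name mapped to the byte
# pattern a scanner would look for inside a file.
SIGNATURES = {
    "Example.Test.A": bytes.fromhex("deadbeef0102"),
    "Example.Test.B": b"THIS-IS-A-CONSTRUCTED-MARKER",
}


def scan_bytes(data: bytes) -> list:
    """Return the names of every known signature present in data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def scan_file(path: str, chunk_size: int = 1 << 20) -> list:
    """Signature-scan a file chunk by chunk. The last (longest signature - 1)
    bytes already seen are kept and prepended to the next chunk, so a pattern
    that straddles a chunk boundary is still matched."""
    overlap = max(len(sig) for sig in SIGNATURES.values()) - 1
    found = set()
    tail = b""
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            window = tail + chunk
            found.update(scan_bytes(window))
            tail = window[-overlap:]
    return sorted(found)


def fingerprint(path: str) -> dict:
    """What integrity checking stores for a program: size, timestamp, hash."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"size": st.st_size, "mtime": int(st.st_mtime),
            "sha256": digest.hexdigest()}


def integrity_changes(baseline: dict, path: str) -> list:
    """Compare a stored baseline with the file as it is now. A size increase
    or a newer timestamp is exactly the symptom the guide lists; the hash
    also catches a same-size overwrite that neither of those would show."""
    current = fingerprint(path)
    changes = []
    if current["size"] != baseline["size"]:
        changes.append("size %d -> %d" % (baseline["size"], current["size"]))
    if current["mtime"] != baseline["mtime"]:
        changes.append("timestamp changed")
    if current["sha256"] != baseline["sha256"]:
        changes.append("content hash changed")
    return changes


def demo(chunk_size: int = 1 << 20):
    """Baseline a constructed 'program', append a signature the way an
    appending file infector would, and re-check with both methods."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "prog.exe")
        with open(path, "wb") as f:
            f.write(b"MZ" + b"\x00" * 64)  # constructed stand-in, not a real executable
        baseline = fingerprint(path)
        clean = scan_file(path, chunk_size)
        with open(path, "ab") as f:
            f.write(SIGNATURES["Example.Test.A"])
        later = baseline["mtime"] + 60
        os.utime(path, (later, later))
        return clean, scan_file(path, chunk_size), integrity_changes(baseline, path)


if __name__ == "__main__":
    clean, infected, changes = demo()
    print("before:", clean, "after:", infected, "integrity:", changes)
```

Running the module prints an empty result for the clean file, the Example.Test.A hit after the append, and the three integrity changes. Passing a tiny chunk_size to demo() exercises the boundary handling: the six-byte signature is split across several reads and is still reported.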


Keeping Your Machines Infection-Free

While you can just detect and cure infections, the best way to keep your machine free of problems is to prevent infections from gaining access to your machine in the first place. The Computer Associates antivirus software provides a solid barrier against infections. The Realtime Monitor scans files as they enter or exit your workstation to and from other computers on your network. As part of real-time protection, files on your workstation are scanned for viruses each time a file is executed, accessed or opened. Critical Disk Area Protection (for Windows 95 and Windows 98) safeguards your workstation’s hard disk. The Critical Disk Area includes the master boot sector, partition table, CMOS RAM information and system files. Use the Rescue Disk feature to create a backup floppy disk of the critical disk area files.

Suggestions for Staying Infection-Free

Here are some general suggestions to help keep your machine virus-free.

■ Set all of your executable files as read-only files. This reduces the chance of executable files becoming infected.

■ Scan floppy disks for viruses before you copy any files from them.

■ Use a backup tool, such as BrightStor, to back up your workstation after you successfully scan it for viruses. This way, if a file is detected with an infection that cannot be cured, you can restore a backed-up version of that file.

■ Keep your environment current with the latest signature updates.

■ Manage your shared directories by setting access rights and permissions so that users have the appropriate level of authority for the directory, such as read-only rather than full control.

■ On Windows, UNIX, and OS X systems, if the Heuristic Scanner engine finds a file that you suspect is infected and you want to send it to Computer Associates for analysis, use the automated Send for Analysis feature. If handling the file manually, always rename it with an extension of AVB, and use a compression utility before e-mailing it to anyone or putting it on a diskette.
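Two of the suggestions above, marking executables read-only and packaging a suspect file as .AVB inside an archive, as an added example written for this guide rather than code from the product. The directory contents and the file names (tool.exe, notes.txt, suspect.exe) are constructed; the list of executable suffixes is the one the guide names and is an assumption you would extend for your own environment. Note that read-only bits only stop a casual file infector's write; they are no defence against a process that can change permissions, which is why the guide pairs this tip with share permissions and signature updates.

```python
"""Added example (not product code): two of the suggestions above as a script.
The first clears the write bits on executable files; the second packages a
suspect file for hand-off by renaming it to .AVB and compressing it."""
import hashlib
import os
import stat
import tempfile
import zipfile

# The executable types the guide names; an assumption for this example.
EXECUTABLE_SUFFIXES = (".exe", ".com", ".sys")


def set_executables_read_only(root: str) -> list:
    """Clear every write bit on executables under root and return the paths
    changed. A casual appending infector's write now fails; an attacker who
    can chmod is not stopped, so treat this as one layer only."""
    changed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                path = os.path.join(dirpath, name)
                mode = stat.S_IMODE(os.stat(path).st_mode)
                os.chmod(path, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
                changed.append(path)
    return sorted(changed)


def is_writable_by_mode(path: str) -> bool:
    """Check the permission bits rather than os.access(), which reports
    'writable' for root no matter what the bits say."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o222)


def package_for_analysis(path: str):
    """Rename a suspect file to .AVB so nothing treats it as runnable, zip it,
    and return the archive path plus a SHA-256 of the original bytes so the
    recipient can confirm what they received."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        digest.update(f.read())
    renamed = os.path.splitext(path)[0] + ".AVB"
    os.rename(path, renamed)
    archive = renamed + ".zip"
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as z:
        z.write(renamed, arcname=os.path.basename(renamed))
    return archive, digest.hexdigest()


def demo() -> dict:
    """Constructed directory: one executable, one data file, one suspect file."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("tool.exe", "notes.txt", "suspect.exe"):
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(b"constructed sample content")
        changed = set_executables_read_only(tmp)
        archive, sha = package_for_analysis(os.path.join(tmp, "suspect.exe"))
        with zipfile.ZipFile(archive) as z:
            members = z.namelist()
        return {
            "changed": sorted(os.path.basename(p) for p in changed),
            "exe_writable": is_writable_by_mode(os.path.join(tmp, "tool.exe")),
            "txt_writable": is_writable_by_mode(os.path.join(tmp, "notes.txt")),
            "archive": os.path.basename(archive),
            "members": members,
            "sha256": sha,
        }


if __name__ == "__main__":
    print(demo())
```

The SHA-256 returned alongside the archive is worth sending in the covering message: the analyst can check that the sample was not altered or swapped in transit, which a bare .zip attachment does not give you.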


Product Components

The Computer Associates antivirus software has a comprehensive set of components that provide maximum protection for your computing environment, from a single machine to the largest enterprise environments. The main components are described briefly below.

Graphical User Interface—The graphical user interface provides a familiar Explorer/Finder-style interface for managing all aspects of antivirus protection. Use the different window views and options to display and control every type of scanning activity.

Web-based User Interface—The Computer Associates antivirus software can be accessed through the Internet using a web browser. Use the interface as you would that of the native Windows interface, since its style and organization are identical.

Local Scanner—Use the Local Scanner to manage scan options for a local machine.

Realtime Monitor—Use the realtime scanning options to scan files on your workstation for infections each time a file is executed, accessed, or opened. You can monitor a workstation for virus-like behavior, such as unauthorized formatting of the hard disk. Users can configure realtime monitoring to detect known and unknown infections, and to specify what action to take when an infection is detected. Administrators can propagate realtime settings throughout the network, and enforce policy for this option. If an infected file is found, a window is displayed with the name of the infected file and the name of the virus.

Scheduled Scanner—Use the Schedule Scan Job options to automate scanning on remote and local machines, so that the scan runs at a specific date and time, and optionally at repeated intervals.

Shell Extension—The Shell Extension option integrates with your Windows operating system so you can conveniently right-click on any item on the desktop or in Explorer and run a scan using the Shell Scanner.

Administrator View—Use the Administrator View options to perform administrative management of all machines in your antivirus network. Use these options for remote management, to propagate configurations, and to set and enforce antivirus policy for the enterprise.

Admin Server—The Admin Server keeps track of all instances of the antivirus product that are running in your network. Authorized users can perform remote management functions based upon the automated discovery information provided by the Admin Server.


Client Agents—Client agents are available for most operating systems, including Windows 3.x.

Logs—Use the Log Viewer to see and manage logs for each type of scan operation, for viewing signature update log information, and for viewing and modifying scheduled scan options. The logs are compatible with standard database tools, and can be used to analyze the impact of infections on your enterprise.

Remote Install Utility—Administrators can use this graphical user interface to roll out the product to Windows NT, Windows 2000, and Windows XP machines throughout the enterprise.

Remote Install for Windows 9.x—A setup program (Setup.exe) is provided for updating Windows 9.x machines through a login script, when they log into a domain.

Alert—A common component on Windows systems for sending messages from the Computer Associates antivirus software and other Computer Associates products to individuals in your organization, using different methods of communication. Messages with different levels of alert (status, warning, and error) can be sent to the system administrator, a hardware technician, or anyone else, in or out of the office. An individual or groups of people in different segments of the network can be notified. For more information, see the Alert help. You can also manage notification information for Alert from the Alert Settings that are integrated into the Computer Associates antivirus software GUI. Note: While the Alert component itself is not available under UNIX- or OS X-based systems, the Computer Associates antivirus software hooks to user-defined scripts and syslog provide an equivalent level of notification flexibility.

Inocmd32—The Command Line Scanner interface for use with all operating systems.

Inocucmd—The Command Line Scanner only for use with the Rescue Disk feature for Windows 98/95.


Examine—Utility for recovery, for use with Windows 98/95.

ETRUSTAV—A NetWare-only program from which you can control many eTrust Antivirus operations from a NetWare server console.

Using Window Views

The graphical user interface provides different views for managing scanning activity. Use the View menu options to display the available views.

Local Scanner—Use this view to display the Local Scanner window and manage local scanning options.

Log Viewer—Use this view to see and manage logging information.

Administrator View—An authorized administrator can use this view to remotely manage all aspects of your antivirus network.

Domain Manager for NetWare—Use this view to manage NetWare antivirus domains.

Note: The available views depend on the options installed.

Options

Available product options include:

Microsoft Exchange Option—Provides integrated protection against infections in documents and files attached to e-mail messages and folders.

Lotus Notes Option—Provides integrated protection against infections in documents and files attached to e-mail messages and Lotus Notes databases.


NetWare Domain Management

Note: The NetWare Domain Management option does not apply to machines running eTrust Antivirus 7.0 or 7.1 for NetWare. The NetWare Domain option applies only to the components needed to connect to and manage machines running InoculateIT 4.5 for NetWare. When running InoculateIT 4.5 for NetWare, it provides the ability to manage your Computer Associates antivirus software for NetWare domains through the Windows NT, Windows 2000, or Windows Server 2003 console.

Scanning for Unknown Infections

Use the Heuristic Scanner option to scan for unknown infections. Even though the latest signature updates scan for 100 percent of the viruses that have been isolated and cataloged by the International Computer Security Association (ICSA), it is still possible to be infected by an unknown virus. You can use both signature recognition and the heuristic scanner to detect infections before they can attack your network. If an unknown infection is detected, you can use the Send for Analysis option to automatically compress the file and send it to Computer Associates for analysis.

Heuristic Analysis

The Heuristic Scanner option uses heuristic analysis, an artificial intelligence technique used to scan files for viruses whose signatures have not yet been isolated and documented. Rather than use a fixed algorithm to scan for specific virus signatures, heuristic analysis uses alternative methods to detect virus-like patterns of behavior. Due to the increasing proliferation of new viruses, it can be useful to keep the Heuristic Scanner option in effect whenever you run a scan, and also when using the Realtime Monitor.


Getting the Latest Signature Updates

The latest signature updates are available from the Computer Associates Internet support site at http://esupport.ca.com/public/antivirus/infodocs/virussig.asp

In the constant battle against disruptive and malicious infections, we continually update the signature files. Your environment should already be set for receiving the latest updates based on a schedule determined by your antivirus administrator. However, new and previously unknown infections appear suddenly, and can hit without warning. We recommend that you check the above support site regularly for the latest signature updates, especially when you hear about new infections and attacks. To protect your computing environment, be sure to stay current with the latest signature updates from Computer Associates. For your protection, Computer Associates does not use e-mail attachments as a standard vehicle to distribute maintenance, or product updates. Computer Associates does not send out unsolicited executable file updates. We do send out alerts that contain links to Computer Associates, which you can use to initiate the request for updates. This prevents the possibility of infectors that masquerade as antivirus updates.

If You Find an Infection

If you find an infection, additional information is available on the Web about viruses, worms, and trojans at the Computer Associates Virus Information Center at http://www.ca.com/virusinfo/

Detailed information is available on the Web about the latest infections, along with specialized removal instructions at http://www.ca.com/virusinfo/virusalert.htm


Chapter 2

Getting Signature Updates

This chapter contains information about using the Signature Update options to get the latest signature updates and apply them to your system. It also discusses considerations for managing signature updates in an antivirus network.

Introducing Signature Updates

The signature updates contain the latest versions of the signature files, which recognize and defend against the latest infections. They also contain the latest engine versions, which do the work of looking for infections, and they include program updates. When you set up a signature update, you specify when to perform the update and how to collect it. You can collect signature updates in different ways, including the use of a designated Redistribution Server, File Transfer Protocol (FTP), Universal Naming Convention (UNC) path, and from a path on the local machine. Computer Associates makes signature updates available on a regular basis. You can collect the updates using different methods, as described in this chapter.

Updates are Cumulative

Signature updates are available for every supported version and platform. These updates are cumulative, so they contain everything from all previous file updates, plus the newest information on the latest infections. If you have missed a recent update, you only need to collect the latest signature file to have the most up-to-date protection. The signature updates that are appropriate for your configuration are available by default.

For Individual Users

If you are an individual home user, you just collect the signature files from Computer Associates using one of the available source methods, and update your machine.


For Anti-Virus Administrators

If you are the antivirus administrator for an enterprise of any size, from a small office to the largest corporation, we recommend that you collect the updates from Computer Associates using one of the available source methods, and use the Signature Update options to make the updates available throughout your network. You can designate selected machines as signature redistribution servers. In addition, you can use the Administrator View to set policy options for signature updates.

Automate Your Distribution

You can set the collection and distribution to work automatically, so that every machine in your antivirus network gets the latest signature updates in a timely manner, with no user intervention required. Coupled with the use of administrative policies to enforce usage standards for antivirus protection, this is one of the most powerful ways that you can protect your network environment from infection.

Note: New infections appear constantly. Always use the latest signature files. Check the Computer Associates web support site at http://esupport.ca.com for the latest version of the signature updates, a list of newly detected infectors since the last update, and for other valuable information on protecting your environment. You can also subscribe to our newsletter and receive alerts about new signatures by free e-mail.

We recommend that you automate your configuration to get signature updates on a regular schedule. We provide regularly scheduled signature updates every month, and more frequently as needed. The Computer Associates antivirus team makes updates available whenever significantly threatening infectors appear in the wild. The updates provide the latest detection and cure capability.

Note: There is a distinction between detection and cure. Some infections can be detected, but not cured. For an infection for which a cure is not available, detection capability is provided. Additional detection and protection information is made available on the Computer Associates Web support site. As cures are discovered, they are added to the updates.

No Downtime for Updates

When you do a signature update, no downtime is required for the workstation. The signature update runs seamlessly, without interfering with your work.


Using Signature Update Options

Use the Signature Update options to specify how and when signature updates are collected from a distribution source. Use these options to set up when to collect the signature updates, where to get them, and which engine versions and platforms to get.

Important! To have the signature updates distributed automatically on a machine, you must invoke the Enable Scheduled Download option on the Schedule tab.

Note: See the online Help for detailed information about using all of the Signature Update options. On Windows systems, during a signature update, a download status icon is displayed in the system tray, and you can view information about the progress of the download.

Signature Update Options

Use the following tabs for setting the Signature Update options.

■ Schedule

■ Incoming

■ Outgoing

To access these options, from the Local Scanner window, click the Signature Update Options button to display the Signature Update Options dialog, or use the Scanner menu to select Signature Update Options. Note: The Local Scanner window is not available under NetWare. The way to configure the signature update on a NetWare machine is via Admin View. For more information on Admin View, see the “Using the Administrator View” chapter. The signature updates that are appropriate for your configuration are available by default. If you are updating a local machine, you only have to specify where to get the updates, using the Incoming tab. Then you can use the Schedule tab to set a time for the signature update job, or you can get the signatures immediately.


The Signature Update options are used at different levels of the collection and distribution process by the different types of users.

■ As an individual user, you set these options to collect the signature updates from Computer Associates and make them available to update your local machine.

■ An antivirus administrator uses these options to collect the signature updates from Computer Associates and make them available to machines designated as signature redistribution servers.

■ Authorized administrators can use these options to collect the signature updates from signature redistribution servers and make the updates available to other machines in the network.

■ This distribution process can be automated.

■ Authorized administrators can set policy for these options.

See the “Using the Administrator View” chapter for more information on setting policy options.

Using the Schedule Options

Use the Schedule tab to enable scheduled downloads, and to specify the date, time, and repeat values for the signature update. You can schedule a signature update job to run in different ways.

■ Download the signature update immediately

■ Schedule the signature update job to run once

■ Schedule the signature update job to be repeated at specified time intervals

Note: The options you specify on this Schedule tab apply only to the signature update job. They are distinct from the options of the similar Schedule tab that is used to schedule a scan job on a local machine.

Download Now

Use the Download Now button to perform an immediate signature update job. The settings on the Incoming tab are used for this job. The appropriate signature versions are available by default. This updates the signatures on the local machine. See the “Distributing Signatures with Download Now” section in the “Using the Administrator View” chapter for more information on using Download Now in a networked environment.


For remote installation on Windows and NetWare systems, the INOC6.ICF configuration file can be used to set the Download Now option to run after setup.

Enable Scheduled Download

Use the Enable Scheduled Download option to indicate that scheduled automatic downloads will be done. To have the signature updates distributed automatically on a machine, you must invoke this option. When this option is not in effect, the scheduled download feature is disabled. We recommend that you use this option to ensure that your signature files are updated regularly.

Download Date and Time

Use the Date option to specify the month, day and year for the job. The drop-down arrow displays a convenient calendar you can use to select a date. Use the Time option to specify the time of day for the job, in hours and minutes. The web browser GUI and the OS X GUI do not display a calendar. Use the up or down arrows or keys to change the date or time.

Repeat Every

Use the Repeat options to specify how often to run a periodic signature update job. You can schedule a signature update job to run at a regularly scheduled time, specified by months, days, hours, or minutes.

Note: The settings of the Date and Time options determine the first occurrence of the repeat signature update.

Using the Incoming Options

Use the Incoming tab to display the Download Sources List and to indicate how and from where to download the updates. Use the Add button to display the Source Select dialog, where you can add to the list a download method and a source for the update. You can create multiple download sources if you need to.

Perform Fast Download

Use the Fast Download option to bring your signatures up to date without downloading information you already have.


When this option is selected, the download process analyzes your current signature information to determine what kind of update you need. If you only require an incremental update of the data files, then the appropriate files are downloaded and updated automatically. If an incremental update is not appropriate and a full update is necessary, then all the signature and engine files are downloaded and updated. This method provides shorter download times, by delivering the smallest amount of data that you need. You do not have to get the entire signature update if you have refreshed your signatures recently. The end result of either the incremental or the full update is the same complete virus protection on your machine. This option is useful for minor cumulative signature updates, such as from signature nn.01 to nn.04. However, if you are doing a major update, for example, from signature 1.01 to signature 2.01, the download provides the entire signature update even if this option is selected. So you always get the appropriate signature update for your circumstances.

Download Sources List

The Download Sources List is a list of sites to download signatures from. It displays information about the method and the source used by the download job. You can add items to the list and delete them. This list is designed to allow you to collect signature updates from multiple sources. The signature updates are collected from the sources in the order in which they are displayed on the list, from the top down. To change the order, highlight a method in the list and use the arrow buttons to move the item up or down in the list.

Using the Source Select Options

Use the Source Select dialog to specify a download method and other information for connecting to the download source.

Note: The options on the Source Select dialog change depending on the Method option that you choose.
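The Fast Download rule and the top-down walk of the Download Sources List, as an added example written for this guide and not taken from the product. It models a source entry as a method plus a location and tries entries in list order until one answers; the version rule follows the text exactly (same major version with Fast Download on gives an incremental update, a major version change always gives a full one). Everything about how a source advertises its version is an assumption: the VERSION file name, the sample versions 2.03, 2.01 and 1.04, the UNC path \\avserver\INOUPD$ and the directory names are constructed, and the network methods are treated as unreachable so the example runs offline.

```python
"""Added example (not product code): walking a Download Sources List in order
and deciding between an incremental ("Fast Download") and a full signature
update by comparing versions. Only Local Path sources are actually read."""
import os
import tempfile
from typing import List, Optional


class Source:
    """One entry as the Incoming tab lists it: a method and a location."""
    def __init__(self, method: str, location: str):
        self.method = method      # "Redistribution Server", "FTP", "UNC", "Local Path"
        self.location = location


def parse_version(version: str):
    """Versions in the guide look like nn.mm; return comparable integers."""
    major, minor = version.strip().split(".")
    return int(major), int(minor)


def update_kind(installed: str, available: str, fast_download: bool) -> str:
    """The rule described above: within one major version Fast Download gives
    an incremental update; a major version change is always a full update."""
    cur, new = parse_version(installed), parse_version(available)
    if new <= cur:
        return "none"
    if fast_download and new[0] == cur[0]:
        return "incremental"
    return "full"


def read_local_version(location: str) -> Optional[str]:
    """Version advertised by a Local Path source. The VERSION file name is an
    assumption made for this example, not the product's real layout."""
    try:
        with open(os.path.join(location, "VERSION"), encoding="ascii") as f:
            return f.read().strip()
    except OSError:
        return None


def collect(sources: List[Source], installed: str, fast_download: bool) -> dict:
    """Try the list top-down; the first source that answers decides the job,
    which is what the ordering of the Download Sources List means."""
    for src in sources:
        if src.method != "Local Path":
            # Network methods would need a live server; this offline example
            # treats them as unreachable and falls through to the next entry.
            continue
        available = read_local_version(src.location)
        if available is None:
            continue
        return {"source": src.location, "available": available,
                "kind": update_kind(installed, available, fast_download)}
    return {"source": None, "available": None, "kind": "failed"}


def demo() -> dict:
    """Constructed scenario: an unreachable UNC entry, a Local Path that does
    not exist, then a Local Path advertising signature version 2.03."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "sigs")
        os.mkdir(good)
        with open(os.path.join(good, "VERSION"), "w", encoding="ascii") as f:
            f.write("2.03\n")
        sources = [Source("UNC", r"\\avserver\INOUPD$"),
                   Source("Local Path", os.path.join(tmp, "missing")),
                   Source("Local Path", good)]
        return {
            "minor_fast": collect(sources, "2.01", True)["kind"],
            "minor_full": collect(sources, "2.01", False)["kind"],
            "major_fast": collect(sources, "1.04", True)["kind"],
            "current": collect(sources, "2.03", True)["kind"],
            "chosen": collect(sources, "2.01", True)["source"] == good,
            "nothing": collect(sources[:2], "2.01", True)["kind"],
        }


if __name__ == "__main__":
    print(demo())
```

The "nothing" case is the one to watch in a real deployment: when every entry in the list fails, the job fails silently unless something reads the log, so keep a Local Path or second redistribution server at the bottom of the list as a fallback and alert on a machine whose signature version stops advancing.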

Choosing a Method

Different methods are available for connecting to a download source. Use the method that is appropriate for your configuration. The available methods are:

■ Redistribution Server
■ FTP
■ UNC
■ Local Path

Note: A NetWare server can obtain signature updates from another computer using only the FTP or UNC methods.

Using a Redistribution Server

Use the Redistribution Server method to download signature updates from a designated redistribution server in the network. With this method, you indicate a redistribution server in your network to get signature updates from. This machine makes the latest updates available after they have been collected from Computer Associates. This is the preferred method for most users in an enterprise environment. See the section, "Using the Outgoing Options," for more information on designating a redistribution server.

Considerations for Using the Redistribution Server Under UNIX

To use the Redistribution Server method to download signature updates to a UNIX system from a Windows system or another UNIX system, you must have Samba installed on your target UNIX machine. Samba is a free third-party software package that allows UNIX systems to interact with Windows and UNIX systems using the UNC method. It is distributed as part of some versions of UNIX, and it can also be obtained at www.samba.org. To download updates from a Windows Redistribution Server, you must use Samba version 2.0.7 or later.

In addition, a UNIX system can serve as a Redistribution Server both for other UNIX systems and for Windows systems. To do this, the UNIX system must have Samba installed. The Samba daemon (smbd) must be running, and INOUPD$ must be defined as a share in the Samba configuration file (smb.conf). INOUPD$ cannot be password-protected. From the GUI, specify the UNIX machine as the Machine Name in the Source Select dialog on the Incoming tab of the Signature Update Options dialog.


Considerations for Using the Redistribution Server Under OS X

To use the Redistribution Server method to download signature updates to an OS X system from a Windows system or another UNIX system, use the Samba (SMB) facilities that come with OS X. No special configuration is required.

An OS X system can also serve as a Redistribution Server for other OS X, UNIX, and Windows systems. To do this, a share named INOUPD$ must be defined in the Samba configuration file (/etc/smb.conf). INOUPD$ cannot be password-protected. Here is an example entry:

[INOUPD$]
path = /Library/Application Support/eTrustAntivirus/ino/Outgoing
guest ok = yes
browseable = no
read only = yes

Note: There is a space between the words Application and Support.

Using FTP (Windows, NetWare, UNIX, and OS X)

Use the FTP method to download signature updates from an FTP site. We recommend that you use the FTP method for collecting signature updates from Computer Associates.

Option: Description

Method: FTP

Host Name: The name of the FTP site that is the source of the update. This is preset to the Computer Associates FTP server where the signature updates are available.

User Name: The user name for connecting to the source machine. For collecting signature updates from Computer Associates using the FTP method, this is preconfigured to the default of anonymous. This account has all the rights and privileges needed to sign on and download the updates.

Password: The password associated with the user name on the source machine. For collecting signature updates from Computer Associates, enter your e-mail address in this field.

Proxy Name: The name of the proxy machine. If your organization uses a proxy server, enter the address of the proxy server and the port number it uses, for example, some_proxy.somecompany.com:80. This server must be a simple pass-through proxy server. Do not use an FTP-based proxy server or one that requires a login.

Remote Path: The FTP path for the location of the source signature update files that you want to get. This is preset to the Computer Associates FTP server where the signature updates are available.

Configuring a NetWare Server for Signature Distribution

The following summarizes the procedure to configure a NetWare server to act as a signature distribution server to NetWare servers and other types of computers.

1. Install the FTP Server function on your NetWare server.

2. Run an FTP utility, for example Nwtftp-A for NetWare Version 6.x, to create an anonymous FTP user if one does not exist.

3. Modify the NetWare server FTP configuration file, for example, the ftpserv.cfg file under the sys:system\etc directory for NetWare Version 6.x, to allow anonymous access to the FTP server.

4. Using the Admin Server, from the Incoming tab of the Signature Update Options window, select FTP as the signature distribution source method. For information on using the Admin Server, see the "Using the Administrator View" chapter.

5. On the Source Select dialog, enter your NetWare server name as the host name, "anonymous" for the user name, and then enter a password.

   Note: Be sure that the password is a well-formatted email address. Most FTP servers require an email address as the password when using anonymous FTP.

6. In the same dialog, enter the Remote Path as the full path to the location from which the signature updates are to be downloaded. This can be specified in NetWare or UNIX standard format, for example, sys:/etrustav/ino/Outgoing or /sys/etrustav/ino/Outgoing.

7. In the same dialog, leave the Proxy Name field empty.

8. In the same dialog, click OK to complete the configuration.


An alternative method for other types of computers to download signatures from a NetWare server is to identify the server, volume, and path of the NetWare server that contains the signatures and map a drive to that location. For example, if the full path to the location from which the signatures can be downloaded is sys:etrustav/ino/Outgoing on the NetWare server named SERVER1, you can map a drive to sys:etrustav/ino/Outgoing on SERVER1 using the DOS map command or the Map Network Drive option from the Tools menu in Windows Explorer.

Using UNC

Use the UNC method to download signature updates from a networked machine by using the universal naming convention. A machine on the network can be directed to get updates from a shared directory on the network by specifying the UNC path to the share. This method is appropriate for machines on the same network, including those configured as signature redistribution servers.

Option: Description

Method: UNC

Path: The name of the share where the signature update files are located, in the form \\machine_name\share_name.

Considerations for Using UNC

When you use the UNC path method to get signature updates, you must take certain considerations into account. For the Windows 9x family of operating systems, automated signature updates are subject to User Mode restrictions. When a machine running the Computer Associates antivirus software is configured to act as a signature redistribution server, a share named INOUPD$ is created on the local machine. This share is created with the following operating system access privileges:

■ Read access to the share is granted to the Everyone group
■ The share is added to the NullSessionShares list

To use the UNC path method to download signature updates to a UNIX system from a Windows system or another UNIX system, you must have Samba installed on your target UNIX machine. Samba is a free third-party software package that allows UNIX systems to interact with Windows and UNIX systems using the UNC method. It is distributed as part of some versions of UNIX, and it can also be obtained at www.samba.org. To download updates from a Windows system, you must use Samba version 2.0.7 or later.


To use the UNC path method to download signature updates to an OS X system from a Windows system or another UNIX system, use the Samba (SMB) facilities that come with OS X. No special configuration is required.

In addition, a Windows machine can also download signatures using UNC from a UNIX machine with Samba installed. The Samba daemon (smbd) must be running, and an appropriate share must be defined in the Samba configuration file (smb.conf). The share cannot be password-protected. From the GUI on the Windows machine, specify the share on the UNIX machine in the Source Select dialog on the Incoming tab of the Signature Update Options dialog, using the same syntax you would use to specify a share on a Windows machine.

An OS X system can also provide signatures via UNC for other OS X, UNIX, and Windows systems. To do this, a share must be defined in the Samba configuration file (/etc/smb.conf). The share cannot be password-protected. See the section about redistribution servers for an example smb.conf entry.

Note the following considerations for using a shared directory:

For this Situation: Windows NT, Windows 2000, and Windows Server 2003 machines

Note these Considerations: On Windows NT, Windows 2000, and Windows Server 2003 machines, the Computer Associates antivirus software Job Server initiates the signature update while running under the Local System account. When the signature update mechanism attempts a connection to the shared directory, the server cannot authenticate the user. This happens because a process running under the Local System account does not have a user associated with it. To allow processes running under the Local System account to access a shared directory, the server must add the share to the null session shares list. This list is maintained in the following registry value:

Hive: HKEY_LOCAL_MACHINE
Subkey: \SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value: NullSessionShares

Note: When a machine is configured to act as a signature redistribution server, the INOUPD$ share is added to this registry value automatically.


For this Situation: When the signature update process is running in User Mode

Note these Considerations: The signature update process is running in User Mode under the following circumstances:

■ On Windows 9x machines, always
■ On Windows NT, Windows 2000, and Windows 2003 machines:
  ■ When running from a login script
  ■ When using a third party scheduler

Under these conditions the signature update process runs under the security context of the currently logged-on user. Therefore, it is subject to the access control rules for Microsoft shared directories, and one of the following conditions is required for the process to function properly:

■ The user must have access to the share with the same account they logged onto the machine with.
■ The GUEST account on the server must be enabled, and it must not require a password.

In the case of NetWare, shares cannot be accessed. The UNC method for NetWare can only be used to download updates from one NetWare server to another, and the UNC convention is used to specify the location of the updates on the source server. The following summarizes the procedure to download signature updates from a NetWare server to another NetWare server using UNC:

1. From the Organization tree in the Administrator's View of the Admin Server that is managing the NetWare machine, select the specific machine to which you wish to download signature updates.

2. Right-click and select the Configure Distribution Settings option.

3. On the Incoming tab of the Signature Update Options dialog, click Add.

4. Select the UNC method from the Source Select dialog and enter the pathname of the server you want to download from in UNC format. For example, to get updates from SYS:ETRUSTAV\INO\OUTGOING on server SERVER1, specify \\SERVER1\SYS\ETRUSTAV\INO\OUTGOING as the pathname of the source server.

   Note: The NetWare server to which the signature updates are being downloaded must be in the same tree as the source server. In addition, if the server to which the updates are being downloaded is in a different context from the source server, then the source server must be specified using its fully qualified name, for example, server1.xxx.yyy or cn=server1.ou=xxx.o=yyy.

5. Create a username called inosigdown in the context of the source server (SERVER1 for this example). This username should have read-only and scan access to the directory from which the updates are to be obtained and no access to any other directories or files elsewhere on the source server or in its context. The inosigdown user identity should not have a password. Because the user can only view files that are already public information, the lack of a password does not represent an access security risk.

Using Local Path

Use this method when the signature updates are located on your machine or a mapped drive, and you want to update the signature files on your machine. You can browse and select a directory path on the local machine or a mapped drive.

Option: Description

Method: Local Path

Path: The name of the directory where the signature updates reside. Under Windows, this includes the drive letter.

Considerations for Using the Local Path

In addition to downloading signature updates from another UNIX system using Samba, a UNIX machine can also download signature updates from another UNIX machine using Local Path, with one of the two methods below.

■ NFS-mount the UNIX signature server. From the GUI, use the Local Path download method in the Source Select dialog on the Incoming tab of the Signature Update Options dialog, and enter the mount point as the Path.

■ Run the smb daemon on the UNIX signature server, and define a share in smb.conf for the location where the updates are to be found. Use the smbmount command on the client machine to mount the share. From the GUI, use the Local Path download method in the Source Select dialog on the Incoming tab of the Signature Update Options dialog, and enter the mount point as the Path.

OS X systems can download signatures from other OS X, UNIX, or Windows systems using a local path that is a mount point of either an NFS or SMB server.

■ Mount the signature server using either the mount_nfs or mount_smbfs command from a terminal window. From the eTrust Antivirus GUI, use the Local Path download method and use the mount point as the path.

■ Mount the signature server using the Finder. From the eTrust Antivirus GUI, use the Local Path download method and use the mount point as the path. The mount point can be found under the /Volumes directory.


Using the Outgoing Options

Use the Outgoing tab to display and configure the Redistribution Options for specifying a machine as a Redistribution Server, and to manage the signatures to download for redistribution.

Note: NetWare machines cannot be used as Redistribution Servers.

Using the Redistribution Options

Use the Redistribution Options to designate a machine as a Signature Redistribution Server, and to make the updates available to other machines.

Signature Redistribution Server

If the option for providing signature updates to other computers is checked, the local machine is designated as a signature redistribution server. This machine can then make the updates available to other machines. If this option is not selected, the redistribution options are not available. When this option is selected, the Outgoing directory, where the updates are stored, is made available as a shared directory. Most client machines do not act as redistribution servers. Note: The machine that makes the updates available to other machines must be running the Server version of the Computer Associates antivirus software.

Holding Time Before Redistribution

Use the Holding time option to indicate how many hours to wait until making the updates available for redistribution to other machines.

Signatures to Download for Redistribution

The list of signatures to download for redistribution displays information about the engine and platform versions that the signature update job collects. The signature versions that are made available should be appropriate for your configuration. If you need to, you can click in the box next to an item to include or exclude it from the list of signatures to download. You can also use the Select All and Clear All buttons to manage selection. The following information is displayed on the list of signatures to download:

Field: Description

Engine: The type of antivirus engine to download. Note: The installation process automatically selects the appropriate scanning engine for your configuration. Most users do not need to change the selection.

Platform: The platform version to download.

See the online Help for detailed information and procedures for specifying signature update jobs.

Considerations for Using UNIX and OS X Systems as a Redistribution Server

A UNIX system can serve as a Redistribution Server both for other UNIX systems and for Windows systems. To do this, the UNIX system must have Samba installed. (Samba is a free third-party software package that allows UNIX systems to interact with Windows systems using the UNC method. It is distributed as part of some versions of UNIX, and it can also be obtained at www.samba.org.) The Samba daemon (smbd) must be running, and INOUPD$ must be defined as a share in the Samba configuration file (smb.conf).

An OS X system can serve as a Redistribution Server for other OS X, UNIX, and Windows systems. To do this, a share named INOUPD$ must be defined in the Samba configuration file (/etc/smb.conf). INOUPD$ cannot be password-protected. Here is an example entry:

[INOUPD$]
path = /Library/Application Support/eTrustAntivirus/ino/Outgoing
guest ok = yes
browseable = no
read only = yes

Note: There is a space between the words Application and Support.
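The following check, added here as an illustration and not part of eTrust Antivirus, reads an smb.conf and confirms that the INOUPD$ share is defined the way the UNIX and OS X Redistribution Server sections require: guest-accessible, read only and without a user list or other password gate. The sample configuration is constructed from the guide's example entry; the Samba parameter synonyms it also accepts (public, writable, writeable, write ok, browsable) go beyond the entry shown above.

```python
"""Verify that an smb.conf exposes INOUPD$ as the guide requires: guest-accessible,
read only and not password-protected. Added example, not eTrust Antivirus code."""
import configparser

# Constructed smb.conf excerpt modelled on the guide's example entry.
SAMPLE_SMB_CONF = """
[global]
workgroup = WORKGROUP

[INOUPD$]
path = /Library/Application Support/eTrustAntivirus/ino/Outgoing
guest ok = yes
browseable = no
read only = yes
"""

# Samba parameters that put a user or password gate in front of a share; the
# guide says the INOUPD$ share cannot be password-protected.
ACCESS_GATES = ("valid users", "username", "write list", "read list")


def parse_smb_conf(text):
    """smb.conf is INI-like, so configparser can read it. '%' is a Samba
    substitution character, so interpolation must be switched off."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    return cp


def _truthy(value):
    """Samba accepts yes/true/1 (and no/false/0) for boolean parameters."""
    return str(value).strip().lower() in ("yes", "true", "1")


def check_inoupd_share(text, share="INOUPD$"):
    """Return a list of problems with the share; an empty list means it is acceptable."""
    cp = parse_smb_conf(text)
    if not cp.has_section(share):
        return [f"no [{share}] section defined"]
    sec = cp[share]
    problems = []
    if not sec.get("path", "").strip():
        problems.append("path is not set")
    # 'public' is Samba's synonym for 'guest ok'
    if not _truthy(sec.get("guest ok", sec.get("public", "no"))):
        problems.append("guest ok is not yes; clients would be prompted for credentials")
    # 'writable', 'writeable' and 'write ok' are inverted synonyms of 'read only'
    writable = None
    for key in ("writable", "writeable", "write ok"):
        if key in sec:
            writable = _truthy(sec[key])
    if writable is None:
        writable = not _truthy(sec.get("read only", "yes"))  # Samba default is read only
    if writable:
        problems.append("share is writable; the Outgoing directory must be read only")
    for key in ACCESS_GATES:
        if key in sec:
            problems.append(f"'{key}' restricts access; the share cannot be password-protected")
    # Not a hard requirement in the guide, but its example entry hides the share.
    if _truthy(sec.get("browseable", sec.get("browsable", "yes"))):
        problems.append("browseable is not no; differs from the guide's example entry")
    return problems


def check_smb_conf_file(path="/etc/smb.conf"):
    """Run the same checks against a configuration file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_inoupd_share(fh.read())


if __name__ == "__main__":
    import sys
    found = check_smb_conf_file(sys.argv[1]) if len(sys.argv) > 1 else check_inoupd_share(SAMPLE_SMB_CONF)
    print("INOUPD$ share OK" if not found else "\n".join(found))
```

Run it with the path to the smb.conf to audit; with no argument it checks the constructed sample.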

Managing Signature Updates

Each machine can be set up to collect signature updates from a particular source, for a particular configuration, and at a particular time. When you specify how to collect the updates, you create an ordered source list of sites to download signatures from, the Download Sources List. You can indicate more than one method to use, and more than one location to get the updates from. When you connect to the first source on the list, the signature update is collected. If for some reason the collection fails or is unavailable, the next source on the list is automatically contacted, and so on down the list until all of the update files are collected.

Note: Each attempt collects the appropriate items for your configuration, such as the operating system version of the signature.

Signature Distribution

You can set up your network to collect and distribute signature updates in an efficient manner. Each machine that makes the signature updates available is called a signature redistribution server. You can have multiple signature redistribution machines. For example, one machine in your network can collect the updates from the Computer Associates FTP site. Other machines in different locations throughout your network can connect to that machine to get the latest updates. Those machines in turn can make the updates available to other machines in their subnets. Note: The role of the signature redistribution server is distinct from the role of the configuration proxy server. The signature redistribution server makes the signature update files available to other machines. The configuration proxy server is used to distribute policy settings throughout the network.

How the Download Process Works

This section describes how the signature update job uses the Download Sources List and the list of signatures to download for redistribution to get the signature updates that you request. A signature update job is made up of the following:

■ Specify the schedule—when to download
■ Specify the source—where to download from
■ Specify the signatures—what to download

The signature update job uses the information in the Download Sources List and the list of signatures to download to satisfy your signature update request.


How the Download Sources List Works

The Download Sources List indicates where to get the signature updates. You can have the signature update job connect to more than one source location. At the scheduled time for the job, your system uses the first method and source on the list to connect to the source. If for some reason the connection cannot be established, for example because of heavy network traffic, a connection failure, or a timeout, your system goes to the next method and source on the list.

For example, after you collect the signature updates from Computer Associates, you can then make them available on one or more redistribution servers. Then a user in your network can connect to these sources to get the updates. The first source on the source list could be a departmental network server, indicated by the Redistribution Server method. The second source could be a server in a different department, also indicated by the Redistribution Server method. The third source on the list could be an internal company FTP site. Each source machine must be designated as a signature redistribution server. If the first source is unavailable, your system automatically attempts to connect to the next source on the list. This process continues until all of the specified signatures have been downloaded. The Download Sources List works with the list of signatures to download to get all of the specified signatures.

How the List of Signatures to Download Works

The list of signatures to download indicates which versions of the signature updates to get. The appropriate signature versions are available by default. You can select an entry in this list for each version of engine and platform that you require, or clear the selection of signatures that are not appropriate for your enterprise. When the signature update job runs, your system connects to the first source in the Download Sources List. Then the job goes down the list of entries in the list of signatures to download, and attempts to collect from that source all of the engine and platform versions that have been requested. The job collects all of the requested signature versions that are available from the first source before it connects to another source. If all of the requested signatures are collected from the first source, the job finishes. If you request a version of the signature update that is not available on the first source in the Download Sources List, your system queries the next source in that list for the requested version. This process continues until all of the requests are fulfilled for the different versions of the signature updates that are specified in the list of signatures to download.
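The walk over the two lists described in the preceding two sections, written out as an added Python illustration (not eTrust Antivirus code). The source names, engine and platform labels, and which versions each source holds are constructed for the example; the scenario mirrors the text's two departmental redistribution servers followed by an internal FTP site.

```python
"""Simulate how a signature update job works through the Download Sources List and
the list of signatures to download. Added illustration, not eTrust Antivirus code."""
from dataclasses import dataclass, field


@dataclass
class Source:
    """One entry of the Download Sources List (constructed for the example)."""
    method: str             # Redistribution Server, FTP, UNC or Local Path
    name: str
    reachable: bool = True  # False models heavy traffic, a connection failure or a timeout
    # Signature versions held at this source, keyed (engine, platform) like the
    # two columns of the list of signatures to download.
    available: set = field(default_factory=set)

    @property
    def label(self):
        return f"{self.method}:{self.name}"


def run_update_job(sources, requested):
    """Return (collected, outstanding, log).

    collected maps each fulfilled (engine, platform) request to the source it came
    from; outstanding lists the requests that no source on the list could satisfy.
    Sources are tried in list order, every available requested version is taken
    from a reachable source before moving on, and later sources are only asked
    for what is still outstanding."""
    outstanding = list(requested)
    collected = {}
    log = []
    for src in sources:
        if not outstanding:
            break  # every request fulfilled: the job finishes without more connections
        if not src.reachable:
            log.append(f"{src.label}: connection failed, trying next source")
            continue
        for sig in list(outstanding):
            if sig in src.available:
                collected[sig] = src.label
                outstanding.remove(sig)
                log.append(f"{src.label}: collected {sig[0]}/{sig[1]}")
            else:
                log.append(f"{src.label}: {sig[0]}/{sig[1]} not available, will ask the next source")
    return collected, outstanding, log


# Constructed scenario: first departmental server is down, the second holds only
# the Windows versions, the internal FTP site fills in the remaining platform.
REQUESTED = [("engine_a", "win32"), ("engine_a", "linux"), ("engine_b", "win32")]
SOURCES = [
    Source("Redistribution Server", "dept1-av", reachable=False),
    Source("Redistribution Server", "dept2-av",
           available={("engine_a", "win32"), ("engine_b", "win32")}),
    Source("FTP", "ftp.internal.example",
           available={("engine_a", "win32"), ("engine_a", "linux")}),
]

if __name__ == "__main__":
    collected, outstanding, log = run_update_job(SOURCES, REQUESTED)
    print("\n".join(log))
    print("collected:", collected)
    print("still outstanding:", outstanding)
```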


Monitoring Signature Downloads

On Windows systems, when a signature download is in progress, a signature download status icon is displayed in the system tray, next to the Realtime icon. During a download, you can right-click this icon to view the status of the job.

Monitoring Options

The following monitoring options are available when the signature download status icon is displayed:

Option: Description

Show Incoming Status: Display the Antivirus Download Monitor, which shows the status of the job. When the Realtime Monitor is running, the Antivirus Download Monitor is displayed automatically when you invoke Download Now. The web browser GUI does not display the Antivirus Download Monitor.

Cancel Download: Cancel the signature download job. You can also use the Cancel button in the Antivirus Download Monitor dialog to cancel the signature download job.

Antivirus Download Monitor

The Antivirus Download Monitor displays information about the status of the signature download job. This includes messages about making the connections, and indications about the progress of the download. When a download completes successfully, a "signatures downloaded successfully" message is displayed. In addition, when the signatures are updated on the local machine, a popup message is displayed indicating that the signature and engine files are updated successfully. See the General Events and Distribution Events logs for additional signature download messages.

Download Attempts Repeated

If a signature download is unable to successfully download all the signature files, the download is attempted several times to try to satisfy the request. If the attempts are unsuccessful, the download then runs at the next regularly scheduled download time.

Chapter 3

Using Scan and Selection Options

This chapter describes the Scan and Selection options available in the user interface for the different scanning methods listed below.

■ Local scanning
■ Scheduled scanning
■ Real time scanning
■ For administrators setting Policy options using the Administrator View

This chapter also includes information for using the command-line scanner, Inocmd32.

Understanding the Common Scanning Options

When you specify options for a scan, you indicate how the scan is performed and what actions to take if an infection is found. Whether you perform a local scan, a scheduled scan, or a real time scan, you can choose different settings for each type of operation. For example, the file action options control what happens when an infection is found. When you perform a local scan, you might have the file action set to Report Only. When you set options for a scheduled scan, you might have the file action set to Cure File.

Note: It is important to understand that when you set a scanning option, it applies to the specific type of scan operation that you are setting up. The options in this chapter are common to each type of scan, so they are described here for your convenience. See the online Help for more information about all the scanning options.

Note: Since some options apply only to one method of scanning and not to another, these exceptions are indicated where appropriate. See "Using the Realtime Monitor" for information about options that are only available for the Realtime Monitor. See "Scheduling Scan Jobs" for information about options that are only available for scheduled scans.


Using the Scan Options

The Scan options are displayed on the Scan tab. Use these options to change the scan level, change the scanning engine and detection options, and control how to treat an infection if one is found. These options can be used for local scanning, scheduled scanning, and real time scanning.

Scan Tab Options

The options available on the Scan tab are described below.

Direction

The Direction option is only for real time scanning. See the "Using the Realtime Monitor" chapter for more information on the scan direction options.

Scan Safety Level

You can set the scan safety level to Secure or Reviewer mode. Use the Secure mode as the standard method for scanning files completely. If you suspect you have an infection that is not being detected by the Secure mode, you can use the Reviewer mode. The Reviewer mode can be used to detect viruses that are inactive or have been deliberately modified, such as in a virus testing laboratory. Reviewer mode also runs significantly slower than Secure mode.

Note: In unique circumstances, Reviewer mode can generate a false alarm. Therefore, if you are using this mode as your standard scanning option, use it with the Report Only option.

Scanning Engine

In the Detection group, the Scanning Engine option allows you to change the scanning engine, if a choice is available. The scanning engine is the specialized processor that does the work of looking for infections. The installation process automatically selects the appropriate scanning engine for your configuration. Most users do not need to change this option; it is primarily for advanced corporate users at large enterprises.


Advanced Detection Options

You can display additional detection options by clicking the Advanced button. The Advanced Detection Options dialog allows you to select scanning options for the Heuristic Scanner engine, and options for scanning NTFS and HFS+ file systems. The Heuristic Scanner engine scans files for viruses whose signatures have not yet been isolated and documented. Use the Scan Alternate Data Streams option to search for virus content in alternate data streams on NTFS and resources on HFS+ file systems.

Note: For the Realtime Monitor, the Scanning Engine option and the other detection options are accessed from the Selection tab.

Infection Treatment Options

The infection treatment options determine how an infection is handled when it is found. You can set file actions and boot sector actions. For a local scan, you can set these options before you run the scan or after you run the scan. If you want to see if there are any infections before you decide what to do with an infected file, choose Report Only. If an infection is found, you can then choose any of the other actions.

File Actions

You can treat an infection by setting a file action. The following file actions are available.

File Action: Description

Report Only: Reports when an infection is found. If a virus is found, you can then choose what to do with the infected file.

Delete File: Delete an infected file.

Rename File: When an infected file is found, it is renamed with an AVB extension. Infected files with the same name are given incremental extensions in the form #.AVB (for example, FILE.0.AVB, FILE.1.AVB, and so on). After a file is renamed with an AVB-type extension, it is not scanned subsequently.

Move File: Move an infected file from its current directory to the Move directory.

Cure File: Attempt to cure an infected file automatically. Click the File Options button to display the Cure Action Options to specify how the Cure File option performs. Even if the infected file is cured, we recommend that you delete the infected file and then restore the original file from a backup. If the infected file is from a software package, restore the file from the product installation disks.

Boot Sector Actions

On Windows systems, the boot sector actions determine what to do if a boot infection is found in the boot sector of a hard drive or floppy disk. Available actions are Report Only and Cure Boot Sector.

Using the Cure Action Options The Cure Action Options specify how to deal with macro viruses and Trojan infections, and what actions to perform before or after a cure is attempted. The following options are available on the Cure Action Options dialog.

3–4

Cure Action Options

Description

Action to Perform Before Cure

Copy the file to the Move directory before the cure is attempted.

Action to Perform If Cure Fails

If a cure fails, the infected file can be moved to the Move directory, renamed with an AVB extension or left alone by setting the No Action option.

Trojan/Worm Treatment

When a Trojan or Worm infection is found, the infected file can be deleted. This option is only available if System Cure is enabled.

Macro Viruses Treatment

You can choose to remove only infected macros from a file, or all macros from the file.


System Cure

Use the System Cure option to clean up the system after curing certain malicious infectors, like Trojans or Worms. Some infectors can damage, change, or add system files. For known infectors, this option fixes such damage to the system. For example, it can remove malicious registry entries, keys and files. Also, it can detect and delete files that have been dropped onto a system by a Trojan. Using this option can eliminate the need for separate utilities for cleaning an infected system, and minimizes the effort of cleaning the system manually. In some cases this option may require you to reboot the machine. (This option does not apply to UNIX, OS X, or Netware machines. It is available, however, in the web browser GUI when you create an Enforced Policy or manage a Windows machine in Admin View.)

Using the Selection Options

Use the Selection options to choose types of objects to scan, types of file extensions to include or exclude from a scan, and types of compressed files to scan.

Selection Tab Options

The options available on the Selection tab are described below.

Objects to Scan

You can choose to scan for viruses in memory, scan the boot sector of a hard drive or floppy disk, and scan files. When you scan files, the types of files that are scanned are determined by the types of extensions you select to include or exclude, as indicated by the Regular Files and Scan Compressed Files options.

Note: For a real time scan, the Objects to Scan are not available. For a scheduled scan, this option is set to scan files, and is not available to be changed.


Regular Files

You can choose to scan files with all types of extensions, or select specific types of extensions to include or exclude.

Scan Compressed Files

If you want to scan compressed files, you must select the Scan Compressed Files option, and you must indicate the extensions for the types of compressed files.

Supported Compressed File Types

The currently supported compressed file types that can be scanned are:

■ ARJ
■ GZIP
■ ZIP/JAVA archive
■ LHA
■ CAB
■ MIME
■ RAR
■ TAR
■ UNIX compressed file (.Z)
■ TNEF encapsulated eMail files

Compressed File Scanning Options

Additional options are available for managing compressed files. These can be used to improve scan performance. Click the Options button in the Scan Compressed Files group to display these options. The following Compressed File Options are available:

■ Stop scanning a compressed file archive when an infected file is found in it
■ Apply infection actions to an archive file (excluding the cure action)
■ Apply extension filter to files inside archives, to scan compressed files based on the list of regular files selected on the Selection tab
■ Scan compressed files by recognizing them by extension, which is faster than analyzing them by the contents of the archive
■ Scan compressed files by analyzing the contents, which is slower than recognizing them by extension

Do Not Scan Migrated Files

On Windows and NetWare systems, you can choose whether files that have been migrated to external storage are scanned. With this option in effect, files that have been backed up are not scanned: if there is an entry in a directory for a file that has been backed up and moved off the local drive, the file is not scanned. If you want to scan migrated files, make sure that this option is not selected, so that files that have been backed up are restored to the local drive and scanned.

Using the Command-Line Scanner Inocmd32

On Windows systems, use the INOCMD32.EXE Command Line Scanner to perform scans from the command line. Scan results are displayed on the screen during the course of the scan, and are also saved in the scan log for viewing or printing at a later time. On UNIX and OS X systems, which are case-sensitive, use the lowercase command inocmd32.

Note: On eTrust Antivirus 7.0 or 7.1 for NetWare, use the ETRUSTAV console application to perform scanning. For more information, see the "Using the ETRUSTAV Console Program" appendix in this guide.

The command syntax for INOCMD32 is:

inocmd32 [-options] file|directory|drive

Each option is preceded by a dash (-). Some options have associated action choices. Specify at least one file or directory to scan. On Windows systems, you can specify a drive to scan.

Examples

inocmd32 -ACT cure -SCA mf -LIS:myscan.txt c:\temp

This command invokes the INOCMD32 Command Line Scanner to scan the drive and directory c:\temp, sets the file action ACT to Cure, sets the special cure action SCA to Move File if Cure Fails, and sends the scan results to a file named myscan.txt.

inocmd32 -NEX -ARC /home/myfiles


This command invokes inocmd32 to scan the UNIX directory /home/myfiles and all subdirectories. Archive files will be scanned and will be identified by their contents rather than their names.

Scanner Options for Inocmd32

Option

Description

ENG engine

The type of engine to use. Ino--The Antivirus engine. Vet--The Vet engine.

MOD mod

Scan mode. Use MOD to set the scan Safety Level. Secure--Use the Secure mode as the standard method for scanning files completely. Reviewer--If you suspect you have an infection that is not being detected by the Secure mode, you can use the Reviewer mode. Default--Secure


ACT action

Infected file action. Specify what to do with an infected file. Use one of the following action options. Cure--Attempt to cure an infected file automatically. Even if the infected file is cured, we recommend that you delete the infected file and then restore the original file from a backup. Rename--Automatically rename an infected file. With this option, an infected file is renamed with an AVB extension. Infected files with the same name are given incremental extensions in the form AV#. For example, FILE.AV0, FILE.AV1, and so on. After a file is renamed with an AVB-type of extension, it is not scanned subsequently. Delete--Delete an infected file. Move--Move an infected file from its current directory to the Move folder. Default--Report Only

EXE

Scan specified files only. The list of file extensions indicated by the Specified Extensions Only option for regular files in the GUI determines which files are scanned.

EXC

Exclude files from scanning. The list of file extensions indicated by the All Except the Specified Extensions option for regular files in the GUI determines which files are excluded from the scan.

ARC

Scan archive files. Use this option to scan compressed files.

NEX

Detect compressed files by content, not by file extension.

NOS

No subdirectory traverse. Use this option to exclude from the scan the subdirectories in the specified directory.


FIL:pattern

Only scan files that match pattern. Use shell wildcard patterns to select files to scan. Example The pattern *.doc will scan only files with a .doc extension.

SCA action

Special Cure Action. Use this option when the ACT action is set to Cure. Use one of the following SCA actions. CB--Copy Before. A copy of the original file is made, and the copy is moved to the Move folder before the cure is attempted. RF--Rename if Cure Fails. If a file cannot be cured, it is renamed with an AVB extension. MF--Move if Cure Fails. If a cure fails, the infected file is moved from its current directory to the Move folder.

MCA action

Macro Cure Action. Use one of the following action options. RA--Remove All. All macros are removed from the infected file. RI--Remove Infected. Only the macros that contain infected code are removed from the infected file.

SPM mode

Special Mode. Use this option to run a scan with the Heuristic Engine, to scan for unknown viruses. The only available option for mode is H, for Heuristic.

SFI


Stop at first infection in archive. If this option is in effect and an infected file is found as files are extracted from a compressed file, no additional files in the archive are scanned.


SMF

Scan migrated files on Windows and NetWare systems. Use this option to scan files that have been migrated to external storage. With this option in effect, files that have been backed up are restored to the local drive and scanned. If this option is not in effect, and there is an entry in a directory for a file that has been backed up and moved off the local drive, the file is not scanned.

SRF

Skip regular file scanning of archives. If you use this option, compressed files are not scanned.

BOO

Windows system boot sector scan. The default setting is to Report Only. Use the ACT option to set this option to cure boot sector infections.

MEM

On Windows systems, scan memory. Scan for infections in programs currently running in memory.

LIS:file

Use this option when you run a scan and send the scan result list to a specified file.

APP:file

Append scan report to file. Use this option when you run a scan and append the scan result list to an existing specified file.

SYS

On Windows systems, enable system cure. Use this option to invoke the system cure facility for any infected file(s) which are found and which have a system cure associated with them. Please refer to the virus encyclopedia on the Computer Associates web site for current information about viruses and associated system cures. Note that in some cases, you must reboot your computer for a system cure to take effect.

VER

Verbose mode. Use this option to display detailed scan information.


COU

Activates the file counter. Use this option to return a message after 1000 files have been scanned. The message is repeated each time 1000 files are scanned.

COU:number

Activates the file counter and sets it to the value indicated. Use this option to return a message after the indicated number of files have been scanned. The message is repeated after the indicated number of files have been scanned.

SIG

Signature. Use this option to display signature version numbers.

SIG:dir

Signature directory. Use this option to display signature version numbers of engines in the specified directory.

HEL or ?

Display command line help.

Chapter 4

Using the Local Scanner

The Local Scanner assures comprehensive antivirus protection for a workstation by providing you the ability to scan for infections on demand. This chapter briefly describes the main features of the Local Scanner. See the online Help for detailed descriptions of all of the Local Scanner options and procedures for using these features.

Note: Local Scanner View is not available under NetWare. Use the ETRUSTAV console application for doing local scans on NetWare machines. For more information on the ETRUSTAV console application, see the “Using the ETRUSTAV Console Program” appendix.

Local Scanner Features You can use the Local Scanner on a local machine whenever you want to check for infected drives, folders, files or disks. Before you run a scan you can set options for managing an infected file so that after you start the scan no further action is required. You can also set options to only report on the occurrence of an infection. This allows you to decide what action to take after the infection is found.

Accessing Other Options from the Local Scanner View

The Local Scanner View is also the starting point for accessing the options for the different types of scans and other actions. From the Local Scanner View you can access the following options.

■ Local Scanner Options
■ Schedule Job Options
■ Realtime Monitor Options
■ Signature Update Options
■ Contact Options
■ Alert Settings


Different View options are also available. You can switch to different views by choosing them from the View menu.

Local Scanner Options

Use the following tabs for setting the Local Scanner options.

■ Scan
■ Selection
■ Display
■ Directory
■ Log

Because the Scan and Selection options are common to the different types of scanning methods, they are described in the “Using Scan and Selection Options” chapter. However, the Directory tab and the Log tab are only available from the Local Scanner window. See the “Viewing and Managing Logs” chapter for information on specifying the Log options. Note: While you can scan a network drive using the Local Scanner, it is not the most efficient use of network resources. See “Considerations for Scanning Network Drives” section in the “Using the Administrator View” chapter for more information on this topic.

The Local Scanner Window

The Local Scanner window displays a list of items available for scanning on the left side of the window, and displays the contents of a selected item on the right side of the window. You can set options for what is displayed, and for how to manage scanning on the local machine. You can change the scanning options for a local scan by selecting the Local Scanner Options from the Scanner menu, or by clicking the Local Scanner Options button on the Local Scanner toolbar. After you specify the appropriate options, and select the item or items you want to scan, you start the scan by clicking the Start Scan button.

Local Scanner Toolbar

The Local Scanner toolbar provides buttons for starting a scan, stopping a scan, scheduling a scan, changing Local Scanner options, and changing Realtime Monitor options. You can also access the Signature Update options, Contact options, and the Alert Settings.


Note: See the “Using Alert with the Antivirus Software” section in the “Using the Alert Manager” chapter for information about the Alert Settings.

Status Bar

The status bar at the bottom of the Local Scanner window displays information about the scan, including the name of the file being scanned, the engine used, the number of folders and files scanned, the number of infected files found, and the elapsed time for the scan.

Scan Results List

After a local scan is run, the bottom portion of the Local Scanner window displays the scan results list. This list displays the name of the infected file, including the drive, directory, any subdirectories, and the infection name. The list also indicates the status, which shows the type of action taken on a file. Also displayed are the infected object, infection type, detection method, and the engine used. After you run a scan with the file actions set to Report Only, you can right-click on a file in the results list and change the file action to delete, rename, move or cure the file. You can also view detailed information about the scan. In addition, when the Heuristic Scanner option finds a previously unknown infection, you can use the Send option to forward the file to Computer Associates for analysis. See the “Sending a File for Analysis” section for more information about using the Send option.

Viewing Scan Result Summary

Use the Show Last Scan Summary button on the toolbar to display the Scan Result Summary for the most recent scan performed. This displays summary statistics about the scan. You can have this summary displayed automatically after each scan by selecting the Show summary dialog option on the Local Scanner Options Display tab.

Clear Last Scan Output

Use the Clear Last Scan Output button on the toolbar to clear the scan results list displayed at the bottom of the Scanner window.


My Folders

Use the My Folders category to arrange folders and files that you scan frequently. By creating a customized list of favorites, you can easily select just the group of items that you want to scan. You can add folders from the main list by selecting an item and right clicking on it. On Windows systems, you can also select a folder from the right side of the Local Scanner window and drag and drop it to the My Folders category. Certain folders are displayed by default.

Move Folder

After a scan, you can highlight the Move Folder category to display information on the right side of the window about files that were put in the Move directory. If you need to manage a moved file, you can do it from the Local Scanner View with no need to access the file directly. You can right-click on an item and restore it to the original location, restore it to a different location with a different name, or delete it. These restore options allow you to recover information if you need it. You can rename a file and isolate it safely in a different location. You might want to use these options, for example, if you do not have another source for the data and you need to look at the file. Or you may have a file that you want to analyze. When a file is put in the Move Folder, it is given a unique name to identify it. So if you had infected files with the same names that were stored in different directories, they remain distinct if they are moved. The Restore and Cure option allows you to restore the selected item back to the original folder it was in, and cure it. This option is useful if you update the signature files after items have been put in the Move folder. If a cure is provided that you did not have available, you can get the latest signature update and use this option to restore and cure an infected item.

Scheduled Scan Jobs


Use the Scheduled Scan Jobs category to access the Scheduled Scan Job options. See the chapter “Scheduling Scan Jobs” for more information about scheduling.


Using the Display Options

Use the Display options to specify the types of drives and files to display in the Local Scanner window. With these options you can tailor the display of objects so that you see only the types you are interested in scanning.

Display Tab Options

The options available on the Display tab are described below.

Drives and File Systems

You can select to display different types of drives (or file systems under UNIX and OS X) in the Local Scanner window.

■ Local Hard Drive (always selected)
■ CD-ROM Drive
■ Network Drive
■ Floppy Drive
■ Removable Drive

If you select all of these options, all of the drives and file systems attached, remotely mounted, or mapped to the machine are displayed in the list in the Local Scanner. You can limit the types of drives or file systems to suit your needs. For example, if your workstation is on a network, you might be connected to a number of different machines, but you only want to do local scans for files on your hard drive. If you do not select the Network Drive option, the networked machines are not displayed in the Local Scanner window.

Files

You can select to display only the types of files that you want to see in the Local Scanner window. You can show all files, or hide files based on the file extensions that you specify using the selection filters on the Selection tab. Note: You can specify the types of file extensions you want to include in a scan using the Regular Files option on the Selection tab. Then, on the Display tab, you have the option to hide all the types of files that will not be scanned, rather than show all files.

Show Scan Summary Dialog

For a local scan, if you select the Show summary after scan completes option, the Scan Result Summary is automatically displayed when a scan is finished. This summary includes information on the time the scan started and stopped, the number of files scanned, the number of infections found, the number of infections cured, and other statistics on file actions taken.


Using the Directory Options

The Directory options display the locations of the directories used by the Computer Associates antivirus software. In addition, the Rename Extension is displayed. The directory locations are listed on the Directory tab.

Note: The Directory tab is displayed for the Local Scanner only.

Home Directories of Previous Versions Previous versions of the Computer Associates antivirus software used different default home directories. On a Windows system, if you upgrade from a previous release, you might have had an Inoculan home directory.

Directory Locations Displayed

The information displayed on the Directory tab is described below.

Directories Displayed

The following directory locations are displayed on the Directory tab.

Directory

Description

Home Directory

The directory where the Computer Associates antivirus software is installed.

Engine Directory

The directory where the engine is located.

Log Directory

The directory where the log files are stored.

Move Directory

The directory where infected files are moved.

Rename Extension

The Directory tab displays the extension that is used to replace the original extension when an infected file is renamed. This feature is used when the file action is set to Rename File.

Default: AVB

Infected files with the same name are given incremental extensions in the form #.AVB (for example, FILE.0.AVB, FILE.1.AVB, and so on). After a file is renamed with an AVB-type of extension, it is not scanned subsequently.
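The Rename File action described here and under "Rename File" in the Scan options, as an added example that is not eTrust's own code: it replaces the original extension with the Rename Extension, gives same-named files the incremental #.AVB form (FILE.0.AVB, FILE.1.AVB, and so on), and excludes AVB-renamed files from later scans. It assumes the first file of a given name becomes plain STEM.AVB and that numbering starts at 0; the Inocmd32 option table gives a different form (FILE.AV0), which this example does not implement.

```python
"""Rename-File action semantics from this guide, as a stand-alone example (not eTrust code)."""
import re
import tempfile
from pathlib import Path

RENAME_EXT = "AVB"  # the guide's default Rename Extension


def is_avb_renamed(name: str, ext: str = RENAME_EXT) -> bool:
    """True if the name already carries an AVB-type extension: FILE.AVB or
    the incremental form FILE.0.AVB, FILE.1.AVB, ... (skipped by later scans)."""
    pattern = re.compile(r"\.(?:\d+\.)?" + re.escape(ext) + r"$", re.IGNORECASE)
    return pattern.search(name) is not None


def rename_infected(path: Path, ext: str = RENAME_EXT) -> Path:
    """Rename one infected file in place, replacing its original extension.

    Assumption: the first file of a given name becomes STEM.AVB; later files
    with the same name get STEM.0.AVB, STEM.1.AVB, ... so that an earlier
    renamed copy is never overwritten.
    """
    stem = path.stem  # original extension is dropped, not appended to
    candidate = path.with_name(f"{stem}.{ext}")
    n = 0
    while candidate.exists():
        candidate = path.with_name(f"{stem}.{n}.{ext}")
        n += 1
    path.rename(candidate)
    return candidate


def scan_candidates(root: Path) -> list[Path]:
    """Files a subsequent scan would still consider: everything except AVB-renamed files."""
    return sorted(p for p in root.rglob("*") if p.is_file() and not is_avb_renamed(p.name))


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario in a temporary directory: three infected files that
    share the stem REPORT, plus one clean file. Returns the names produced by
    the rename action and the names a later scan would still examine."""
    root = Path(tempfile.mkdtemp())
    for name in ("REPORT.DOC", "REPORT.XLS", "REPORT.EXE", "NOTES.TXT"):
        (root / name).write_text("constructed sample content\n")
    renamed = [rename_infected(root / n).name
               for n in ("REPORT.DOC", "REPORT.XLS", "REPORT.EXE")]
    still_scanned = [p.name for p in scan_candidates(root)]
    return renamed, still_scanned


if __name__ == "__main__":
    print(demo())  # (['REPORT.AVB', 'REPORT.0.AVB', 'REPORT.1.AVB'], ['NOTES.TXT'])
```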


Sending a File for Analysis

You can use the Send Analysis Information feature to send infected files to your antivirus administrator or to Computer Associates for further analysis. This includes contact information and other data about the infected system that can be useful for diagnosing and curing the infection. This option is only available when the Heuristic Scanner option is selected and an unknown infection is found. The signature files can recognize thousands of infections, but you might find a new one, or you might encounter a problematic file that requires investigation.

Using the Send Analysis Information Options

If an unknown infection is detected by the Heuristic Scanner, you can right-click on the file in the scan results list and select the Send option to display the Send Analysis Information dialog. This dialog automates the sending process by zipping the infected file and sending it for analysis, along with the additional detailed contact information. A form is also submitted with information about the local machine, which can be useful for analyzing the problem file. The information about who to send the files to and who to contact is specified in the Contact Information option.

Using the Contact Information Option

Use the Contact Information option to specify the contact information that is automatically sent when you send a file for analysis. You can see what information is sent on the Send Analysis Information options. An authorized antivirus administrator can set policy for the contact information that can be included or changed.

Note: This option determines who the files are sent to for analysis. Access this option from the Local Scanner toolbar by clicking the Contact Options button.


Virus Analysis Contact Information

The Contact Information Option dialog has the following contact information options.

Option

Description

Send E-mail Address

The e-mail address to send the infected files to. For sending problem files to Computer Associates for analysis, this is set to an e-mail address for the Computer Associates antivirus team. This address can be set to send the analysis information to a specified address in your organization.

Subject

The subject or title for the e-mail.

Reply E-mail Address

The e-mail address for replying to the sent e-mail.

Company Name

The name of the organization sending the infected files.

Company Address

The address of the organization sending the infected files.

Contact Name

The name of the person in the organization to contact about the infected files.

Phone

The telephone number of the person in the organization to contact about this infection.

Site ID

The site ID of the organization.

SMTP Server

(Optional for Intranet environments) The name of the SMTP Server your network uses to send e-mail. In some environments the name of the mail server can be determined automatically from the DNS server. If you use a dial-up service for e-mail, for example, you must specify the SMTP Server.

Managing Infection Submissions

An authorized administrator can change the default location for submitting an infected file to specify an internal address in your organization instead of having it sent to Computer Associates.


For example, multiple infections of the same type can strike a large organization. By sending every problem file to an internal administrator, you can monitor the occurrence of infections. If the administrator already has a solution provided by Computer Associates, there might be no need to pass the infected file any further for analysis. The administrator can look at the problem and determine if it needs to be forwarded to Computer Associates.

Using the Service Manager

The Service Manager provides a convenient way to access the Computer Associates antivirus services running on the local machine. It is similar to the Windows NT Services feature. This option can be used for managing background processes on the Windows 9x operating system or for managing daemons under UNIX. Click the Service Manager button on the toolbar to display the Manage the Services dialog. From this dialog you can start, stop, and view the status of the services.

Note: Under normal circumstances, you do not need to stop or start these services.

Services

The following services run on the local machine. The available services depend on the components installed.

Note: While UNIX and OS X executables do not include the .exe extension, the names are otherwise the same.

Service

Description

Admin Server

The Admin Server agent, InoNmSrv.exe.

RPC Server

The remote management agent, InoRpc.exe. When this dialog is accessed from the Administrator View, this service is not displayed in the list. For use with the Administrator View, this service must always be running because it provides communication services between machines in the antivirus network.


Realtime Server

The realtime scanning agent, InoRT.exe. On Windows 9x this is InoRT9x.exe.

Job Server

The scheduled scan job and signature update scheduling agent, InoTask.exe.

Web Server

The agent that provides access to the Computer Associates antivirus software through a web browser and the native GUI interface on OS X, inoweb.

Chapter 5

Using the Realtime Monitor

The Realtime Monitor provides a hands-free, continuous barrier against infections that stops them before they can spread. A variety of real time components protect all points of entry into the Computer Associates antivirus network or an individual workstation. The Realtime Monitor scans programs on a workstation or server each time a file is executed, accessed, or opened. On Windows systems, the Realtime Monitor is a VxD (Virtual Device Driver) program; on UNIX systems, the Realtime Monitor uses the Computer Associates Event Notification Facility; on NetWare systems, it uses the NetWare FSHOOKS subsystem; on OS X it is a kernel extension (KEXT). It also monitors the workstation for virus-like behavior, such as unauthorized formatting of a hard disk. You can monitor for known and unknown viruses, specify detection methods, and manage infected files. On Windows and OS X systems, if an infection is found, a window is displayed with the name of the infected file and the name of the infection. Administrators can propagate configurations for multiple machines when rolling out the product to the enterprise, and set and enforce real time policies. For more information on administering real time policies, see the “Using the Administrator View” chapter.

Realtime Monitor Features

The options for realtime scanning are similar to the options for a local scan or a scheduled scan. In addition to the options that are common to all the scanning methods, the Realtime Monitor allows you to do the following:

■ Specify the direction for scanning
■ Exclude processes from real time scanning (not available for Windows 9x)
■ Exclude directories and files from real time scanning
■ Block all access to specified file extensions without scanning them
■ Set advanced protection options
■ On Windows systems, set quarantine options


Note: Remember, the settings you choose for the Realtime Monitor apply only to the real time scan, not to a local scan.

The Realtime Monitor features include:

■ Realtime Scanning Mode—All files going to and from a local drive are scanned for infections, including compressed files. With real time scanning in operation, infections do not spread through your network. You can also use the Heuristic Scanner capability with real time scanning.
■ Quarantine—On Windows systems, users who try to copy infected files to a server are automatically suspended from the machine, isolating the infection before it can spread.
■ Internet Protection—The newest source of infections is the Internet. As users gain nearly limitless access to computers on a world-wide basis, the chances of downloading infected files grow exponentially. With real time protection running, all file downloads, including compressed files, are automatically scanned before they can infect a machine. This feature works with browsers from Netscape and Microsoft.
■ Groupware Messaging AntiVirus options—More than ever, companies are communicating electronically. As more data is being exchanged, more viruses are spreading by hiding in mail attachments and database files. Available messaging options can protect your Lotus Notes or Microsoft Exchange mail systems. Even attached zip files are scanned.
■ Realtime Cure option—Cures an infected file and gives you the option of making a copy of the file before curing it.
■ Pre-Scan Block options—Blocks all access to specified file extensions so that potentially dangerous files or extensions are not opened, copied, or executed by the user or the system.


Automatic Loading of the Realtime Monitor

Once you have configured the Realtime Monitor, on Windows systems, the Realtime Monitor is loaded each time the workstation is booted. The Realtime Monitor icon is displayed in the Windows system tray in the lower right corner of your screen. On UNIX and NetWare systems, when you install the antivirus software, you can determine if you want the Realtime Monitor to come up automatically when the system is booted. There is no system tray to display an icon on UNIX or Netware systems. On OS X systems, when you install the antivirus software, the Realtime Monitor starts automatically and is configured to start automatically when the system is booted. The Realtime Monitor can be disabled in the Realtime Monitor Options dialog. There is no icon indicating the status of the Realtime Monitor.

Note: On Windows systems, if the Realtime Monitor icon is not displayed, you can activate the Realtime Monitor from the Start menu.

Options Available from the Realtime Monitor Icon

On Windows systems, you can access all of the Realtime Monitor options from the Realtime Monitor icon in the system tray, and manage how files are monitored. In addition, the following options are available.

■ Disable Realtime—Turn the real time monitoring interface off. Scanning still remains active.
■ Monitor Outgoing Files, Monitor Incoming and Outgoing Files—Set the realtime monitor to scan files for viruses when they are closed or when they are opened and closed.
■ Snooze—Temporarily turn Realtime Monitor off for a specified number of minutes.
■ Animated Icon—Toggle the animation of the Realtime Monitor icon in the system tray on or off.
■ Launch Antivirus—Launch the Computer Associates antivirus software.
■ Download Signature Now—Run a signature update for the local machine.
■ About—Get information about your installed version of eTrust Antivirus.
■ Exit—Remove the Realtime Monitor icon from the system tray (real time monitoring remains active).

Using the Realtime Monitor

5–3


Realtime Messaging

On Windows systems, if the Alert options are configured and active, messages can be sent by Broadcast, Microsoft Mail, Microsoft Exchange, SMTP, SNMP, Trouble Ticket, and Pager, whenever an action is taken. The messages also appear in the realtime scan log and the Windows NT Event Log or Windows 2000 Event Viewer. For more information, see the Alert help. Messages also can be sent when Quarantine is invoked.

On UNIX and OS X systems, you can send information to a shell script that you write yourself. The script can then take any action you wish, such as sending an email to a specified address when a virus is detected. Also under UNIX and OS X, an event will cause a message to appear in the syslog files, as specified in /etc/syslog.conf. For more information about the script, see the “Using Local Alert Manager in UNIX Systems” section in the “Using the Alert Manager” chapter.

Using the Realtime Options

Use the Realtime Monitor options to set scanning options for monitoring your workstation for infections each time a file is created, accessed, or opened.

Note: The Realtime Monitor options that are common to all types of scans are described in the “Using Scan and Selection Options” chapter.

Administering Realtime Settings

An authorized administrator can configure and propagate Realtime Monitor settings, and enforce policy for these settings. See the “Using the Administrator View” chapter for more information on this.

Setting the Scan Direction

Use the following options to set the scan direction for real time scanning to monitor files. Right-click on the Realtime Monitor icon in the system tray to access these options. These direction options are also available when you select the Realtime button from the Local Scanner toolbar.


Option: Outgoing Files
Description: Monitor files sent out from a local drive. Outgoing files are files being copied from a local drive and files that are executed from a local drive. An outgoing file is scanned when the file is opened. If the file is found to be infected, you are denied access to it.

Option: Incoming and Outgoing Files
Description: Monitor both incoming files and outgoing files. An incoming file is scanned when the file is closed.

Using the Realtime Selection Options

Most of the Realtime Selection options are common to all types of scans. The Select Scanning Engine option, other detection options, Regular Files, and Scan Compressed File options are described in the chapter “Using Scan and Selection Options.”

Using Realtime Filters Options

Use the Realtime Filters Options to specify the types of files and processes to be monitored.

Excluding Processes and Directories

You can use the exclusion options to specify processes (executable programs running on the machine) and directories that you do not want the Realtime Monitor to scan.

Note: When entering a name of a process to be excluded from Real time on a UNIX or OS X machine, the process to exclude must be entered with its full path name.

Note: On NetWare systems, the process exclusion option can only be used to specify threads to be excluded, not individual NLMs.


You can add and remove these exclusions to suit your needs. On the Filters tab, click the Process or Directory buttons to modify these exclusion options.

■ When you exclude a process, all files accessed by the executable program running on the machine are not scanned. (Not available for Windows 9x.)

■ When you exclude a directory, all subdirectories and files in that directory are not scanned. You can also indicate specific files to exclude.

When an item is in the exclusion list, it is not scanned by the Realtime Monitor. These settings do not affect other types of scans.

Using Pre-Scan Block Options

Use the Pre-Scan Block options to block access to specified file extensions. When a file extension is in the Block Extension List, any file with that extension is not scanned, and all access to the file is denied. The user cannot do anything with the file, including opening, copying or executing it, and neither can the system. This feature can be useful when an infector targets a certain type of file extension. For example, if there is a sudden proliferation of a new infector such as the one that attacks .VBS files, you can block all access to that type of file to limit your exposure to infection.

To specify file extensions to block, click the Block button. This displays the Block Extension List. Here you can add file extensions to block. For example, VBS will block access to all .VBS files.

Since it might not be practical to block all access to a certain type of file, use the Exempt From Blocking feature to allow access to specified files. You can exempt files from being blocked by clicking the Exempt button. This displays the Exempt From Blocking dialog. Use this feature to include a file in real time scanning even though the file extension is blocked by the Block Extension List. So if a file is in this exemption list, it is treated as a normal file, and it is scanned by the Realtime Monitor.

Note: The available files and file types that you can use with the Pre-Scan Block features depend on the settings in effect on the Selection tab for the types of file extensions to scan.
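The Filters tab and the Pre-Scan Block options together decide, for every file access, whether the file is denied outright, skipped, or scanned. The following Python model is an added example written for this guide, not eTrust Antivirus code: the class and function names, the sample exclusion lists and the sample access events are constructed. One ordering assumption is made that the guide does not spell out: a Pre-Scan Block entry is a hard deny (neither the user nor the system may touch the file), so it is checked before the exclusion lists, which only suppress scanning. The dependency on the Selection tab's extension list is not modelled.

```python
"""Model of the Realtime Monitor filter decisions described above.

Added example for this guide, not eTrust Antivirus code. Names, sample
lists and sample events are constructed. Checking the Block Extension
List before the exclusion lists is an assumption of this example.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


@dataclass
class RealtimeFilters:
    excluded_processes: set[str] = field(default_factory=set)  # Filters tab, Process button
    excluded_dirs: set[str] = field(default_factory=set)       # Filters tab, Directory button
    excluded_files: set[str] = field(default_factory=set)      # specific files to exclude
    blocked_extensions: set[str] = field(default_factory=set)  # Block Extension List
    exempt_files: set[str] = field(default_factory=set)        # Exempt From Blocking list


def _norm(path: str) -> str:
    """Canonical lower-case Windows path for comparisons."""
    return str(PureWindowsPath(path)).lower()


def _under(path: str, directory: str) -> bool:
    """True if path lies inside directory. relative_to() compares whole path
    components, so an exclusion of C:\\Temp does not also cover C:\\Temporary."""
    try:
        PureWindowsPath(_norm(path)).relative_to(PureWindowsPath(_norm(directory)))
        return True
    except ValueError:
        return False


def _process_excluded(filters: RealtimeFilters, process: str) -> bool:
    """An entry given as a full path must match the full path (the rule the
    guide states for UNIX and OS X); a bare image name matches by name only."""
    proc = _norm(process)
    for entry in filters.excluded_processes:
        e = _norm(entry)
        if e == proc or (PureWindowsPath(e).name == e and e == PureWindowsPath(proc).name):
            return True
    return False


def decide(filters: RealtimeFilters, path: str, process: str) -> str:
    """Return 'deny' (Pre-Scan Block), 'skip' (excluded, not scanned) or 'scan'."""
    ext = PureWindowsPath(path).suffix.lstrip(".").lower()
    blocked = {b.lstrip(".").lower() for b in filters.blocked_extensions}
    exempt = {_norm(f) for f in filters.exempt_files}
    if ext in blocked and _norm(path) not in exempt:
        return "deny"          # not scanned; all access refused, to the system too
    if _process_excluded(filters, process):
        return "skip"          # every file this executable touches goes unscanned
    if _norm(path) in {_norm(f) for f in filters.excluded_files}:
        return "skip"
    if any(_under(path, d) for d in filters.excluded_dirs):
        return "skip"          # whole subtree excluded
    return "scan"              # exempt files land here: treated as normal files


# Constructed sample policy: one excluded backup process, one excluded
# directory, VBS blocked, one logon script exempted from the block.
SAMPLE_FILTERS = RealtimeFilters(
    excluded_processes={r"C:\Program Files\Backup\ntbackup.exe"},
    excluded_dirs={r"C:\Temp"},
    blocked_extensions={"VBS"},
    exempt_files={r"C:\Scripts\logon.vbs"},
)

if __name__ == "__main__":
    for path, proc in [
        (r"C:\Users\alice\invite.vbs", "explorer.exe"),
        (r"C:\Scripts\logon.vbs", "wscript.exe"),
        (r"C:\Temp\report.doc", "winword.exe"),
        (r"C:\Temporary\report.doc", "winword.exe"),
        (r"D:\data\report.doc", r"C:\Program Files\Backup\ntbackup.exe"),
    ]:
        print(f"{decide(SAMPLE_FILTERS, path, proc):5} {path} ({proc})")
```

The two points worth taking from the model are that an exemption does not bypass scanning but restores it, and that directory exclusions should be matched on path components rather than string prefixes, otherwise a short exclusion silently widens to every sibling directory that happens to share the prefix.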


Using Realtime Advanced Options

Use the Realtime Advanced options tab to manage real time settings for protected areas and advanced protection options.

Protected Areas

The Realtime Monitor provides advanced and flexible protection options for different types of drive devices. On Windows systems, you can specify protected drive areas for monitoring. This option does not apply to UNIX machines. On UNIX systems, all drive types are always protected.

Floppy Drive Protection

Floppy disks are a common source of infections. Use the Protect Floppy Drives option to scan a floppy disk as soon as it is accessed. When a file is opened or copied from the floppy, the file is scanned before it moves to the hard drive.

Network Drive Protection

Another little-understood but common way of spreading infections happens when files are copied from one mapped drive to another. All files moving between mapped drives can be scanned, even if no file passes through the hard drive of the local machine.

CD-ROM Protection

You can provide real time monitoring of files on CD-ROMs.

Advanced Protection Options

The advanced protection options provide unique protection features for real time scanning.

Scan Floppy Drive on Shutdown

Use the Scan Floppy Drive on Shutdown option to monitor floppy drives for infections when you shut down a machine. When you reboot a machine with a floppy disk in the drive, the boot sector of the floppy is used. If the floppy disk is infected, it would contaminate your system. With this option in effect, the boot sector of the floppy drive is scanned before the machine shuts down. This protects you from restarting the machine with a floppy disk that has an infected boot sector.

Using the Allow Fast Backup Option

Use the Allow Fast Backup option to copy files to tape during a backup session without having the Realtime Monitor scan them. For example, if you regularly scan the files of a hard drive before backing them up, you do not have to scan the same files again.


If this option is not in effect, the Realtime Monitor scans each file as it is copied to tape, thereby slowing the backup. If you scan files before performing a backup, you do not want to repeat the scan during the backup. With this option in effect, the Realtime Monitor skips files that the backup software opens. This increases backup performance.

Limiting Popup Messages

Use the Realtime Pop up Messages option to have popup messages displayed when the Realtime Monitor finds multiple infections during a scan operation. If this option is not selected, no popup messages are displayed. You can limit the number of popup messages that are displayed. When the limit is reached, a message is displayed referring you to the real time scanning log for more information. This option also applies to NetWare and OS X. For example, if the Realtime Monitor is scanning a compressed file that has 10 infected files, 10 messages would be displayed on the screen. If you set the limit to 3, only messages for the first three infections are displayed.

Using the Quarantine Option

The Quarantine option prevents a user from performing potentially disastrous actions with an infected file. This ensures that an infection does not have a chance to spread to or from a server before the infected workstation can be cleaned. Click the Quarantine tab to display these options.

Note: The Quarantine option is managed from Windows NT and Windows 2000 machines. This option cannot be managed from Windows 9x machines. This option does not apply to UNIX, OS X, or NetWare machines. It is available, however, in the web browser GUI when you create an Enforced Policy or manage a Windows machine in Admin View.

When it is activated, Quarantine stops a user from moving an infected file onto a server or executing an infected file at the server console. The user is blocked from any further access to the server for the length of time specified by the Quarantine time. A user can be quarantined for up to 24 hours. During the quarantine time, you have the opportunity to determine what the problem file is, isolate it, and clean the infected machine. A message can be sent listing the name of the user who tried to move an infected file, so that appropriate administrators can be notified.

The name of a quarantined user is listed under the Quarantine tab in the Realtime Monitor options when a particular machine is selected in the list of machines. The administrator can grant the quarantined user access again by removing the name of the user from the Quarantine screen.


Note: The Administrator account on a Windows NT or Windows 2000 machine cannot be quarantined. However, a user with administrator rights can and will be quarantined when necessary.

Quarantine Popup Messages

For a Windows 9x machine to receive quarantine messages from the NT server, WinPopup must be running. To run WinPopup, open the Run box and enter Winpopup. You might want to add Winpopup to your Startup group if you are using Quarantine. (WinPopup will also work on Windows 3.x workstations.)

Duplicate User Names

Because Quarantine blocks server access based on user name, the quarantine affects any users signed on with the same name. This is particularly important if a network has many people sharing the same user name, such as GUEST. If one user is signed on as GUEST and is quarantined during an attempt to copy an infected file, all other users named GUEST are quarantined also.

Realtime Monitor Statistics

From the Realtime Monitor Options, you can display realtime monitor statistics by clicking the Statistics tab. These summary statistics provide cumulative information about Realtime Monitor activity, including the number of infections found, the number of files scanned, and file actions taken.

Realtime Driver Status Displayed

For Windows, in addition to summary statistics, the status of the real time drivers is displayed, to indicate if they are loaded or not loaded. These indicators can be useful for diagnostics. In addition, the driver name and version is provided in the Version Information dialog. Under UNIX, only the status of ENF is displayed; no statistics are displayed. Under OS X, the status of the KEXT is displayed along with statistics.

Filter Driver

The Filter Driver provides real time services for monitoring files. The status of this driver should always be indicated as loaded.


Floppy Driver

The Floppy Driver provides real time monitoring for all drives, including floppy and network drives. If this driver is loaded, you have real time protection for all file activity. For complete real time protection, reboot the machine to load this driver. Do this after installation, after major upgrades to the product, or if a driver update has been made available. However, rebooting is not required after installation. If you do not reboot after installation, this driver is not loaded. You still have real time protection, but not complete real time network protection. For example, if the Floppy Driver is not loaded, you do not have real time protection when copying files from a mapped drive to the hard drive. So for complete protection, this driver should be loaded.


Chapter 6

Scheduling Scan Jobs

This chapter discusses the options for scheduling scan jobs using the Schedule Scan Job options. See the online Help for more information on using these options.

Note: Because there is no Local Scan View under NetWare, scheduled scan jobs are scheduled from the Admin Server. For more information on the Admin Server, see the “Using the Administrator View” chapter.

Schedule Scan Job Options

Use the Schedule Scan Job options to specify when to schedule a scan job, and to specify the scanning options for the job to use. Use the following tabs for setting the Schedule Scan Job options.

■ Description
■ Scan
■ Selection
■ Schedule
■ Directories
■ Exclude Directories

Because the Scan and Selection options are common to the different types of scanning methods, they are described in the chapter “Using Scan and Selection Options.” Note: To display the Schedule Scan Job options from the Local Scanner window, first you must select an item or items to scan by checking the associated checkbox in the list of items on the left side of the window. Then click the Schedule Scan Job toolbar button to display the Schedule Scan Job options.


You can schedule a scan job for any combination of selected categories, machines, and folders. An authorized administrator can set policy and schedule jobs on remote machines. See the chapter “Using the Administrator View” for more information on setting policy and on scanning network drives.

Scan Job Description Option

Use the Description tab to provide a description of the scan job. This description is used to identify the scan job in the Scheduled Scanner list on the Log Viewer window. For an administrator using the Administrator View to create schedule policy, this option is on the Policy tab.

Using the Schedule Options

Use the Schedule tab to specify the time and date for a scan, and to specify the schedule for periodic scan operations. You can schedule scan jobs to run in different ways.

■ Schedule a scan job to run when the machine is started
■ Schedule the scan job to run once
■ Schedule the scan job to be repeated at specified time intervals

Schedule at Startup

Use the Schedule at Startup option to run a scheduled scan when you start up the machine. When this option is selected, the other Schedule tab options are not available.

Date and Time

Use the Date option to specify the month, day and year for the job. On Windows systems, the drop-down arrow displays a convenient calendar you can use to select a date. Use the Time option to specify the time of day for the job, in hours and minutes.

Repeat Every

Use the Repeat options to specify how often to run a periodic scan job. You can schedule a scan job to run at a regularly scheduled time, specified by months, days, hours, or minutes. Administrators can use the Administrator View to create policy instances for scheduling scan jobs to run once a week on some machines, and once a day on other machines. You might also schedule frequent scans for drives or directories that have a lot of incoming and outgoing traffic. Or you might have a situation where you need to rapidly check suspect files, and you want to scan them every ten minutes. Note: The settings of the Date and Time options determine the first occurrence of the repeat scan.


CPU Usage Level

On Windows systems, you can specify the CPU usage level for a scheduled scan job by indicating low, medium, or high usage. During high production times, you might want a low level of CPU usage for a scan. During low production times, you might want to schedule a higher priority.

Using the Directories Option

Use the Directories tab to specify directories that you want a scheduled job to scan. You can add directories to the list or delete them from the list. When you create a schedule by selecting an item in the list on the Local Scanner window and specifying the scheduled scan options, the directory location of the item you selected is displayed in the Directories list. You can use the Directories tab to add or delete items from the Directories list. You can also do this when you modify a scheduled scan job.

Using the Exclude Directories Option

Use the Exclude Directories tab to specify directories that you do not want a scheduled job to scan. You can add directories to the list or delete them. As with the Directories tab, you can access this option when creating a schedule from the Local Scanner and when modifying a scheduled scan.

Note: If you want to scan everything on your hard drive except for one directory, you can select to scan the C:\ drive on the list in the Local Scanner window, or the root directory on a UNIX system, and specify the options for the scheduled scan. Then you can use the Exclude Directories option to exclude just the directory you do not want to scan.

Managing Scheduled Scan Jobs

After you specify the options for a scheduled scan job, the available scheduled scan jobs can be seen on the Local Scanner window. Select the Scheduled Scan Jobs category in the list on the left to display the summary list of scheduled jobs on the right. Each job is displayed in the list, with an indication of the status of the job, a Job ID number, Job Type, a description of the job, when the job is scheduled to run, and the file action specified for the job. Remotely scheduled jobs are not displayed.

Modifying Schedule Job Options

You can modify the options of scheduled scan jobs, such as when the job runs, what it scans, and so on.


When you create a new scheduled job, the options are displayed with a dialog title of Schedule New Scan Job. When you want to modify the options for an existing job, access them from the Local Scanner window. To do this, select the Scheduled Scan Jobs category in the list on the left to display the summary list of scheduled jobs on the right. Then right-click on a job, and choose Options. The options are then displayed with a dialog title of Modify Job Options.

Stopping a Job

To stop a scheduled job that is in progress, select the Scheduled Scan Jobs category to display the summary list of scheduled jobs on the right. Then right-click on a job, and select Stop.

Deleting a Job

To delete a scheduled job, select the Scheduled Scan Jobs category to display the summary list of scheduled jobs on the right. Then right-click on a job, and select Delete.

Viewing Job Properties

After a scheduled job has run, you can view the properties of the job from the Log Viewer window.

Viewing the Results of a Scheduled Scan

Use the Log Viewer window to view the results of a scheduled scan. See the chapter “Viewing and Managing Logs” for more information on viewing log results. Authorized administrators can view the results of remotely scheduled scans using the Administrator View.

Job Statistics for Scheduled Scan in Progress

While a scheduled scan job is in progress, you can view statistics about it on the Scheduled Job Statistics dialog. To do this, from the Local Scanner window, click the Job Statistics toolbar button. Also, from the Scanner menu, you can choose Scheduled Scan Job, and then Statistics.

The Scheduled Job Statistics dialog displays the current directory that is being scanned, and the Job ID of the scheduled job that is running. Summary statistics are displayed, including the total number of infections found (cured, deleted, moved and renamed) and number of files scanned. The information is similar to the Scan Result Summary that you can display after a local scan. If a scheduled scan job is not running, statistics are not displayed in the dialog. After a scheduled scan is completed, use the Log Viewer to view information about the job.


Chapter 7

Viewing and Managing Logs

There is no Log Viewer on NetWare. Logs on NetWare machines are viewed from Admin View on the Admin Server. For more information on the Admin Server, see the “Using the Administrator View” chapter.

This chapter discusses using the Log Viewer window to manage and view the different types of scanning logs for the local machine. You can view the results of all types of scanning operations, and display summary and detailed information about the results of each scan, including scans that are remotely initiated by an administrator from the Administrator View. See the online Help for more information on using the Log Viewer.

This chapter also describes how to specify the Log options for a scan. It also contains information about using logs in standard database format, and collecting system metrics information.

Notes:

■ The Administrator View has its own features for displaying log information from remote machines. For more information on this, see the “Using the Administrator View” chapter.
■ The container and branch terms are interchangeable.

Using the Log Viewer Window

Use the Log Viewer window to select, view and manage the scanning activity logs. The Log Viewer window displays a list of different log categories on the left side. Highlight the category to display a summary list of the available logs on the right. Within each category, logs are listed by date and time they were created. When you highlight an item in the Log Viewer and right-click on it, different options are available to delete, print, view properties, or refresh the display of the log information. You can also use the menu options and toolbar buttons to access these options.


Note: To see the latest log information about a scan job, use the Refresh option to refresh the display of the selected item in the Log Viewer.

The Log Viewer List

The Log Viewer list can contain logs for the following types of scan jobs.

■ Local Scanner
■ Realtime Scanner
■ Scheduled Scanner
■ General Events
■ Distribution Events

Local Scanner

The Local Scanner category contains a list of logs that contain the results of the scan jobs that have run on your local machine.

Realtime Scanner

The Realtime Scanner category contains the Realtime Monitor scanning log for the local machine. Realtime scanning information is appended to the existing log, so there is only one log entry for each day.

Scheduled Scanner

The Scheduled Scanner category contains a list of scheduled scan jobs. For each job, there is a scan log that contains the results for each time that the job has run, listed by the scheduled date and time. If a job only runs one time, you have one result log. If the job runs periodically, there is a unique result log for each scan job. A user on a local machine can view the scheduled scan logs for the local machine, both locally initiated and remotely initiated. An authorized administrator can view scheduled scan logs for multiple machines, from the Administrator View.

General Events

The General Events category contains logging information of general events for each day. Operating system error codes can also be seen here. The following types of messages can be displayed.


■ Critical Message—This is the highest level message. It requires immediate attention once logged. This message could mean there is a virus detected, or there is a problem with the service, such as an error loading an engine.

■ Warning Message—This second priority message provides non-critical warning information.

■ Informational Message—This type of message provides information on events such as if the service has started or stopped and if no viruses have been found.

Distribution Events

The Distribution Events category contains logging information of signature update distribution events for each day. Events are recorded for any actions that occur during the signature update and distribution process. This includes details about connecting to a signature distribution source, starting and stopping a download, and information about whether the signature files have been downloaded successfully.

Administrator View of Logs

Administrators in a network environment can view all the types of logs, both locally initiated and remotely initiated, for multiple machines, using the Administrator View. For the administrator, logs are listed under each machine in a container in the Organization tree in the Administrator View. There are also summary logs for each Scan Job policy instance, with result information about each machine where the policy is applied.

Viewing Log Summary and Detail Information

When you select a log category from the list on the left, log summary information is displayed on the right. The summary information for scans includes the date and time the scan ran, the number of files scanned, the number of files infected, the number of infections found, the number of scan errors, and the action applied to the scan. When you select a log in the list on the right, log detail information is displayed in the lower right pane. The details display result information about each file scanned. Each type of scan job has an identifying icon. See the online Help for more information on the logs.


Managing Logs

You can manage the type of information that is written to the log files, collect historical information, and use that information to analyze the impact of scanning activity.

Specifying Log Options for a Scan

Use the Log options to specify options for managing scan logs. A result log is kept for each scan performed. These features allow you to collect the level of historical record of scanning activity that your organization requires. To access the Log options, from the Local Scanner window, display the Local Scanner options, and click the Log tab.

Filtering File Information for Logs

You can specify the types of events that are written to a log. Use the Filter options to specify whether information about a file is written to the list in the log. These options allow you to tailor your scan logs for the type of information you need. You can record information about

■ Infected files
■ Clean files that are examined and found not to be infected
■ Files that are skipped and not scanned

Check the Clean files option to put information in the log about files that are scanned and are not infected. Check the Infected files option to put information in the log about files found to be infected. Check the Skipped files option to put information in the log about files that have been excluded from the scan. Most users only want a record of infected files that are found. However, your organization might need to keep more detailed records of scanning activity. For example, you might want a record of whether a file has been scanned or not. If you specify the clean file option, every file that is examined for infection and found to be clean is listed in the log. By logging information about clean files, you have a record that a particular file was examined and found to be clean, not just a record of infected files. Similarly, the skipped files option keeps a record of files that are not examined in a scan, such as when your scan is set to skip a particular type of file extension. In addition, the information collected in the logs can be used to analyze scanning activity and results on an enterprise-wide basis. See the “Collecting System Metrics Information” section for more information on this.


Keeping Log Files

The Purge Log options allow you to control how many days your log files are kept and displayed in the Log View. On the Log Viewer toolbar, click the Purge Log options button, select the Delete all log files that are older than option, and use the Days field to specify the number of days you want your log files kept. After the indicated number of days has passed, the log files are deleted. For administrators, this option is also available from the Administrator View.

Printing and Deleting Logs

You can print or delete the logs, using options on the Log Viewer window.

■ To print a log, right-click on it in the list on the right, and choose the Print Log option. The web browser GUI does not support the option for printing logs.

■ To delete a log, right-click on it in the list on the right, and select the Delete option.

■ To delete all the logs in a category, right-click the category in the list on the left, and select the Delete All option.

Logs in Standard Database Format

All log information is stored in a DB directory, in a file format that can be accessed by standard database tools, using the ODBC (Open DataBase Connectivity) standards. This type of log file is named by the month, day, year and time of day that it is created, and has an extension of .DBF (.dbf in UNIX and OS X systems).

Finding Log Directory Location

To find the path and name of the Log Directory, start eTrust Antivirus, from the Scanner menu select Local Scanner Options …, and click the Directory tab.
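A .DBF file is a dBASE table, which is why any ODBC tool can open these logs; the same fact means a log can be read and tallied with a few dozen lines of code on a machine that has no ODBC driver installed. The following is an added example written for this guide, not eTrust Antivirus code: it builds a small constructed log table in dBASE III layout, reads it back with a minimal reader, and counts the records by status, the field that the Log Filter options (infected, clean, skipped) decide whether to write. The column names (DATE, TIME, FILENAME, VIRUS, STATUS, ACTION) and the sample rows are assumptions; the product's actual column layout is not documented on this page.

```python
"""Reading a .DBF scan log without an ODBC driver.

Added example for this guide, not eTrust Antivirus code. The column
layout and the sample rows are constructed assumptions; only the file
format itself (dBASE III, the standard .DBF layout) is the documented
part the guide refers to.
"""
import struct
from datetime import date

# Assumed column layout: (name, dBASE type, width). D = date YYYYMMDD, C = text.
FIELDS = [
    ("DATE", "D", 8), ("TIME", "C", 8), ("FILENAME", "C", 60),
    ("VIRUS", "C", 32), ("STATUS", "C", 10), ("ACTION", "C", 10),
]


def build_dbf(rows, fields=FIELDS, stamp=date(2004, 3, 15)) -> bytes:
    """Serialize rows as a dBASE III table: 32-byte header, one 32-byte
    descriptor per field, 0x0D terminator, fixed-width records, 0x1A EOF."""
    rec_len = 1 + sum(width for _, _, width in fields)   # 1 byte deletion flag
    hdr_len = 32 + 32 * len(fields) + 1
    out = bytearray(struct.pack("<BBBBIHH", 0x03, stamp.year - 1900, stamp.month,
                                stamp.day, len(rows), hdr_len, rec_len))
    out += bytes(20)                                      # reserved header bytes
    for name, ftype, width in fields:
        out += struct.pack("<11sc4xBB14x", name.encode("ascii"),
                           ftype.encode("ascii"), width, 0)
    out += b"\r"
    for row in rows:
        out += b"*" if row.get("_deleted") else b" "      # '*' marks a deleted record
        for name, _, width in fields:
            out += str(row[name]).encode("ascii").ljust(width)[:width]
    out += b"\x1a"
    return bytes(out)


def parse_dbf(data: bytes) -> list[dict]:
    """Return the live (non-deleted) records as dicts keyed by column name."""
    _ver, _yy, _mm, _dd, nrec, hdr_len, rec_len = struct.unpack_from("<BBBBIHH", data, 0)
    fields, pos = [], 32
    while data[pos] != 0x0D:                               # descriptor list ends at 0x0D
        name, ftype, width, _dec = struct.unpack_from("<11sc4xBB14x", data, pos)
        fields.append((name.split(b"\x00")[0].decode("ascii"), ftype.decode("ascii"), width))
        pos += 32
    records, pos = [], hdr_len
    for _ in range(nrec):
        rec = data[pos:pos + rec_len]
        pos += rec_len
        if rec[:1] == b"*":
            continue                                       # deleted rows stay on disk until packed
        row, off = {}, 1
        for name, _, width in fields:
            row[name] = rec[off:off + width].decode("ascii", "replace").strip()
            off += width
        records.append(row)
    return records


def summarize_by_status(records) -> dict:
    """Tally live rows by STATUS (Infected / Clean / Skipped)."""
    counts = {}
    for r in records:
        key = r["STATUS"].upper()
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample log: three live rows plus one row flagged deleted.
SAMPLE_ROWS = [
    {"DATE": "20040315", "TIME": "08:02:11", "FILENAME": r"C:\Users\alice\invite.vbs",
     "VIRUS": "EICAR-Test-File", "STATUS": "Infected", "ACTION": "Cured"},
    {"DATE": "20040315", "TIME": "08:02:12", "FILENAME": r"C:\Windows\notepad.exe",
     "VIRUS": "", "STATUS": "Clean", "ACTION": ""},
    {"DATE": "20040315", "TIME": "08:02:13", "FILENAME": r"C:\Temp\archive.iso",
     "VIRUS": "", "STATUS": "Skipped", "ACTION": ""},
    {"DATE": "20040314", "TIME": "23:59:00", "FILENAME": r"C:\old\stale.exe",
     "VIRUS": "", "STATUS": "Clean", "ACTION": "", "_deleted": True},
]
SAMPLE_LOG = build_dbf(SAMPLE_ROWS)

if __name__ == "__main__":
    for rec in parse_dbf(SAMPLE_LOG):
        print(rec["DATE"], rec["TIME"], rec["STATUS"], rec["FILENAME"])
    print(summarize_by_status(parse_dbf(SAMPLE_LOG)))
```

To apply this to real logs, point parse_dbf at the files in the Log Directory found through Local Scanner Options and the Directory tab, after checking the descriptor names the reader prints against the assumed ones above. Note that a dBASE deletion flag only hides a record; the bytes remain in the file until the table is packed, so a log file that has been edited is not the same as one that has been purged.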

Collecting System Metrics Information

On Windows systems, the system metrics features allow you to collect information about antivirus activity to analyze the impact of this activity across your enterprise. The following collection methods and features are available.

■ Collecting scan logs using scheduled jobs
■ Command line utility for login scripts or schedulers
■ Integrating with the TNG Data Transport Option
■ Accessing log file information using standard databases
■ Monitoring Realtime statistics with the Performance Monitor
■ Purging collected records

You can create scheduled jobs to collect scan logs from individual machines or from groups of machines on the network. Log information can be collected incrementally or as a full collection of logs. This data is then stored in a centralized location. In addition, you can use the TNG Data Transport Option to schedule and collect log information.

All log information is stored in a file format that can be accessed by standard database tools, using the ODBC (Open DataBase Connectivity) standards.

Monitoring Realtime Activity

Through the standard Windows NT, Windows 2000, and Windows Server 2003 Performance Monitor application, PERFMON, you can monitor realtime antivirus activity. The following realtime information can be monitored by the Performance Monitor, using counters.

■ Boot Virus Infections
■ Cure Errors
■ Cured Boot Virus Infections
■ Cured Files
■ Deleted Files
■ Found Virus
■ Infected Files
■ Moved Files
■ Renamed Files
■ Scan Error
■ Scanned Machine
■ Scanned Files
■ Scanned Files in Archives

For more information about monitoring activity, see the appropriate Windows Performance Monitor documentation.


Chapter 8

Using the Administrator View

An authorized antivirus administrator can use the Administrator View to remotely manage all aspects of eTrust Antivirus. This chapter describes the use of the Administrator View window and other considerations for administering your antivirus network. From the Administrator View, you can do the following:

■ Manage the logical organization of machines and user access to them
■ Use security features to control access to the Administrator View remote management capabilities
■ Manage E-mail options using the Realtime Mail Options
■ Set and enforce system-wide policies
■ Manage and propagate configurations throughout the network
■ Manage the discovery of machines in your antivirus network
■ Configure distribution proxy machines
■ View Reports

The Administrator View features (Admin Server, Administrator Client) are not available from Windows 9x machines.

Using the Administrator View Window

The Administrator View window provides an Explorer-type interface for remotely managing configuration settings and machines in your antivirus network. As the authorized antivirus administrator, you control the display of this window. Only an authorized user has access to this view. A user who performs scans on a local machine does not require this view. Therefore, access to this option can be restricted so that it is not available to most users. For authorized users of the Administrator View, you can use Access Permissions to set the level of control that those users are permitted.


From the Administrator View window you can manage the organization, or logical configuration, of all machines in your network that are running instances of the Computer Associates antivirus software. This allows you to manage machines, propagate policy, and enforce settings throughout the network in an efficient manner.

Using the Admin Server

The Admin Server keeps track of all instances of Computer Associates antivirus software that are running on machines in your network. It stores this list of machines based upon the subnets that it is directed to query. It also keeps track of the status of user accounts and their access permissions. Through the discovery process, it monitors the presence of machines and any changes made to policy settings. All this information is then made available through the Administrator View.

Admin Server Installation Considerations

To promote a machine to an Admin Server under Windows, select the Admin Server option. Under UNIX, answer "y" when asked if you want to run the Administrative Server on your computer. Under OS X, select Customize on the Easy Install dialog, and then check Administrative Server on the Custom Install dialog.

Preserving Admin Server Data

If you reinstall the Admin Server, you have the option to preserve the policy configuration settings and Organization tree container information that is stored in the Admin Server.

Connecting to the Admin Server

When you display the Administrator View for the first time in a session, you are requested to connect to an Admin Server. You must specify the name of the server and a valid user name and password for it. After you are connected, the Admin Server is displayed in the Administrator View window as the root item of the list on the left side of the window. See the “Using Access Permissions” section for more information about user accounts. You can also use the Connect to Admin Server button on the Administrator View toolbar to connect to a server.


Note: When you are not connected to an Admin Server, nothing is displayed in the Administrator View. The following illustration shows an example of the Admin Server selected, with summary information about the Admin Server on the right.

You can customize the information about the Administrator by selecting the Admin Server Manager button from the toolbar. You can connect to more than one Admin Server, but the tree structure under each Admin Server is managed separately. You cannot apply a policy setting item from under one Admin Server to a machine under the control of another Admin Server. If you are setting up your antivirus network and connecting to an Admin Server for the first time, you must specify what subnets of your antivirus network you want the Admin Server to discover. See the “Using Subnets” section for more information. After the subnet discovery options are specified, you or an authorized user can organize the machines in your antivirus network.

Admin Server Expanded

When you are connected to an Admin Server and expand it, the left side of the Administrator View window displays the following categories:

■ The Admin Server (the root category)
■ Configuration Settings
■ Legacy Domains
■ The Organization tree container


The following illustration shows an example of the root category of the Admin Server expanded.

An authorized user can use these categories to configure policy settings, manage legacy machines, create logical groupings of machines, add and remove machines from the Organization tree, and set access permissions. You can display available options by expanding a category in the list on the left side of the window, highlighting an item in the list, and right-clicking on it. In addition, information is displayed on the right about items in the list. Options are also available from the toolbar and the menu bar.

Admin Server Considerations

The following should be considered when using the Admin Server.

■ On Windows systems, the machine where the Admin Server resides must be running the Server version of the Computer Associates antivirus software. On UNIX and OS X systems, you must have elected to install the Admin Server software. On NetWare systems the Admin Server is not available.
■ You can have multiple Admin Servers in the same network.
■ You must use a valid operating system account on the machine where the Admin Server resides in order to log in to the Admin Server and access the Administrator View to manage machines and policy settings.
■ On Windows systems, the component for using the Administrator View is installed when you select the Administrator Client option at install time. On OS X systems, the Administrator View is enabled when you select to install the Admin Server.
■ To manage machines remotely with the Administrator View, TCP/IP must be installed and configured properly on the network and the machines involved.
■ Access to the functions that a user can perform in the Administrator View is controlled by an authorized administrator.
■ You must have an account with operating system administrative authority on any machine that you want to add to a container in the Organization tree.
■ The Admin Server and Administrator Client features are not available from Windows 9x machines.
■ On OS X, the root user should be enabled prior to using the Admin Server for the first time. See Apple’s Netinfo Manager utility to enable the root user.

See the “Using Access Permissions” section for more information on managing access to the Admin Server.

Specifying an Admin Server at Install Time

You have the option to connect to an Admin Server at installation time. If you specify an Admin Server at installation time, a trusted security relationship is established so that machines are added to the root category of the Organization tree automatically, without the administrator having to specify a user name and password for each machine. When installing on UNIX systems, a trusted relationship is established through the root user. On OS X, a trusted relationship is established by requiring that the user installing the software must have administrative privilege. The installation proceeds without having to select an Admin Server.

The Role of the Admin Server

The following steps summarize how the Admin Server is used to collect and configure a list of machines. Most of this is transparent to the user.

1. Install the Admin Server component.
2. Specify a subnet in the network, which the Admin Server queries, to initiate the discovery process.
3. An elected machine in the subnet passes information back to the Admin Server about all the machines in the subnet that are running Computer Associates antivirus software.
4. The Admin Server populates the instance of the subnet with a list of available machines, in the Administrator View.
5. An authorized administrator then uses this list to create an organized logical configuration of machines in the network, using the Organization tree category, to suit the needs of the enterprise.


How the Admin Server Discovers Machines

An authorized administrator specifies subnets for the Admin Server to query, using the Subnets category under the Configuration Settings. Then, through an election process which is transparent to the user, a machine in that subnet is elected to reply to the Admin Server. The elected machine replies to the Admin Server with information about machines in the subnet that are running the Computer Associates antivirus software. Each instance of the antivirus software listens on a specified port, and information about each machine is passed back to the Admin Server, including updates for any changes since the previous discovery. The discovered information is refreshed at a regular interval, which is specified as part of the properties of the subnet instance. Users can also use the refresh options to update the display. The information includes data about the version of the program that a machine is running, such as the release level, the machine name, realtime settings, policy settings, and other general data. From this information, the Admin Server creates a list of the available machines in the antivirus network. This list is used to dynamically populate the list of machines displayed in the Administrator View when you highlight an instance of a subnet. Additional information about the machines is also used for display in the Administrator View, such as access permissions and policy settings. This process also maintains current information about a machine after it is associated with a container in the Organization tree. See the “Using Subnets” section for more information on specifying subnet discovery and election options.

LDAP Support

On Windows systems, you can access the Admin Server through the Lightweight Directory Access Protocol (LDAP). The Computer Associates OpenLDAP Server allows you to view information from the Admin Server in read-only mode, using any LDAP version 2-enabled browser. With the LDAP Server installed, you can connect to the Admin Server to view the machines in containers that the Admin Server is monitoring, including the policies applied to the branches of the Organization tree, subnet data, and legacy domains.

LDAP Considerations

The following prerequisites and considerations apply to using LDAP.

■ The LDAP Server must be installed on the same machine where the Admin Server is installed.
■ No other programs can use port 389 (for example, certificate servers).
■ To install the LDAP Server, from the …/bin/support/ldap.x86 folder on the distribution source, run setup.exe.
■ You must start the CA OpenLDAP server service on the Admin Server you wish to view.
■ Point the LDAP browser to the Admin Server you wish to view and set the base DN (distinguished name) as branch=admin_server, where admin_server is the name of the Admin Server.

Managing Configuration Settings

Use the Configuration Settings category to configure your Computer Associates antivirus network, and to specify policy settings that you can propagate to containers of machines that you select in the Organization tree of the Administrator View. The Configuration Settings contain the following categories:

■ E-mail Policies
■ Enforced Policies
■ Proxy Settings
■ Subnets
■ Users

The following illustration shows the Configuration Settings category expanded.

When you select a category in the list on the left side of the Administrator View window, summary information is displayed on the right side of the window.


Using E-mail Policies

Use the E-mail Policies category to create policy settings for realtime mail scans for your Lotus Notes or Microsoft Exchange E-mail server. Using these features, you can enforce the Administrator-defined settings for virus scans on your E-mail servers. The following illustration shows the E-mail Policies category expanded.

Using the Realtime E-mail Settings

Use the Realtime E-mail Settings to create policy settings for realtime mail scans of your E-mail server. You can set a variety of scanning options.

Policy—Use the Policy tab to label the policy instance and optionally lock the settings for remote machines. When you lock the settings, you prevent users from changing the settings that are propagated to remote machines. When policy settings are applied, they take precedence over the settings on a remote machine.

Scan—Use the Scan tab to change the scan level, change the scanning engine, change detection options, and to control how to treat an infection if one is found.

Selection—Use the Selection tab to choose types of file extensions to include or exclude from a scan, and types of compressed files to scan. You can also use prescan block options to block the delivery of email attachments with a specific file ending (for the Microsoft Exchange option) or extension (for the Lotus Notes Domino option).

Notification—For the Lotus Notes Domino Realtime Mail Option, you can set specific notification options to alert the mailbox owner, message sender, or system administrator when an infection is detected in the messaging system.


Options—Use the Options tab to choose custom settings for scanning email on your Microsoft Exchange 2000 Server. You can select from the available options to fine-tune the performance of the antivirus software on your Microsoft Exchange 2000 Server.

Misc—Use the Misc(ellaneous) tab to specify miscellaneous options for your Microsoft Exchange email scans. You can specify the log size, number of back logs to keep, and the detail level of the log. You can also activate the system event log, specify the timeout value, and enable background scanning from this tab.

Using Enforced Policies

Use the Enforced Policies category to create policy settings that you apply to the containers in the Organization tree, and the machines in them, for the following options:

■ Alert
■ Realtime Scanner
■ Scheduled Jobs
■ Send for Analysis
■ Signature Distribution

The following illustration shows the Enforced Policies category expanded.


Using Enforced Policies Features

Use the Enforced Policies features to push configuration settings down to machines in your antivirus network so that users cannot change the settings if they are not granted the permission to do so. Policy enforcement is a powerful feature that administrators can use to enforce the settings of the Computer Associates antivirus software throughout the enterprise or for selected containers of machines. By using this feature, you can be certain that user machines are running the appropriate scanning options, and that they are not changing critical options. You can set policy on any options that can be remotely configured.

Enforcing Policy

You can enforce policy by applying a policy setting to a container. At subnet discovery time, the Admin Server receives information about each machine and the policy settings in effect for the container that the machine is in. If the Admin Server encounters a configuration that has been changed, it forces the correct options to be set. Policy settings take precedence over the settings on a local machine. That is, if a policy is applied to a container, the settings for that policy override the settings made by the user on the local machine.

Locking Settings on a Machine

The Lock Settings option allows you to control policy so that the user cannot change the policy settings on the machine where the policy is applied. The following table describes the Lock Settings option.

Lock Settings: Checked (Policy locked)
If the Lock Settings option is in effect for a policy instance, during the discovery process the policy is pushed down to the container the machine is in, and the settings are locked on the local machine. The end user is not allowed to change the settings for that policy.

Lock Settings: Not checked (Policy not locked)
If the Lock Settings option is not in effect for a policy instance, the policy is pushed down to the container the machine is in, but the end user can change the settings for that policy on the local machine. If the end user changes settings, the next time the discovery process updates the information for the machine, the settings are automatically changed back to the settings of the policy instance.


Setting Policy

Each policy category has options for the same settings as the options available to the end user from the Local Scanner window. To access these options, right-click on a category and select New to display the Policy options dialog. For each type of category, there is a policy tab, along with the tab options available for the category. When you create an instance of policy, you use the available tab options in the same way that an individual user would to specify scanning options. The difference is that the options you specify from the Administrator View can be applied to any machines in containers in the Organization tree, and you can control whether the end user can change the options. After you specify the policy settings, the instance of the policy is listed under the category, in the window on the left. You can expand the category to display each instance of the policy in the list. When you select the instance of the policy in the list on the left, different summary and information tabs are displayed on the right, showing the options in effect for that policy. You also have the option to edit your policy settings. See the online Help and the other chapters of this guide for more information about the different scanning options. See the “Using Alert with the Antivirus Software” section in the “Using the Alert Manager” chapter for information about the Alert Settings.

Managing Policy

After you create policy option settings, you can then apply the instance of the policy to a container in the Organization tree, and use right-click options to manage policy instances. You can apply policy using drag and drop or by specifying a branch. You can also access the policy setting options by highlighting a branch in the Organization tree and selecting an option from the toolbar, the Administration menu, or using right-click options (drag and drop is not available on OS X or in the web browser GUI).


The following illustration shows an example of the Realtime Scanner category selected, with two instances of realtime policy available.

When you apply an instance of policy to a branch or container, the policy applies to all the sub-containers in that container, and to all the machines in the container. See the “Policy Precedence” section for more information.

Note: You can refer to a container as a branch of the Organization tree.

Right-Click Options for Policy

Right-click options are available when you highlight an instance of policy. When you right-click a policy instance and select the Branch option, you can assign the policy instance to a branch using the Assign to Branch option. To remove a policy from a branch, you can use the Remove from Branch option. Other options allow you to create a new policy, edit an existing one, refresh the display, and delete a policy instance. In addition, when you select a container in the Organization tree you can manage a policy instance by clicking an available policy tab in the right side of the window and right-clicking on the displayed settings. The options apply to the policy instance and are applied to the selected container.


Drag and Drop Policy to Containers

If you select the policy category in the list on the left, the list of policy instances is displayed on the right. You can drag and drop an instance from the list on the right side of the window to a container in the list on the left side of the window, or use right-click options to assign the policy instance to a branch of the Organization tree. The web browser GUI and the OS X GUI do not support drag and drop functionality. See the online Help for detailed information about the policy option settings and procedures for managing them.

Policy Precedence

You can apply policy to any container in the Organization tree. The Organization tree is a hierarchical list of containers, with each container having containers below it in the hierarchy. A policy has one of two precedence characteristics:

■ Inherited
■ Specified

A container inherits policy from the container that it is in. So policy applied to one container will apply to all the containers within it, and all the machines in the container. However, when you apply a policy to a specific container, it overrides the inherited policy. This type of policy is specified, or specific to the selected container.

Note: A specified policy overrides an inherited policy.

When the Admin Server does the discovery, it looks at the lowest level of container (a container that does not have another container in it) to see what policy is applied to it. If a policy is associated with the container, it is kept, and not changed by a policy applied to a container above it. The discovery process then continues up the Organization tree to the next container above. For example, if no policy is applied at the next container level, the Admin Server uses the policy applied at the container or branch at the container level above that one.

Viewing Where Policy is Applied

To see the instances of policy that are applied to a container or branch, highlight the instance of policy and click the Information tab on the right side of the window. This displays a list of all the branches and containers where the selected policy is applied.


If the policy is applied at the branch level, the branch name is listed. If the policy is applied to a branch or container within the branch, but not to the branch itself, the path of the branch and container are listed, in the form of branch/container.
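The precedence walk described above, as an added example that is not code from the guide or from the eTrust product: a small model of an Organization tree in which a policy specified on a container overrides the one inherited from above, plus an Information-tab style lookup of the branch/container paths where an instance is applied. The container names, policy labels and machine names are constructed.

```python
"""Resolve effective policy for machines in an Organization tree.

Added example, not part of the eTrust Antivirus guide or its code: it models
the inherited-versus-specified precedence the guide describes, walking from the
lowest container upward. Container names, policy labels and machines are
constructed samples.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Container:
    name: str
    parent: Optional[Container] = None
    specified: dict = field(default_factory=dict)  # policy category -> instance label applied here
    children: list = field(default_factory=list)
    machines: list = field(default_factory=list)

    def add_child(self, name: str, specified: Optional[dict] = None) -> Container:
        child = Container(name, parent=self, specified=dict(specified or {}))
        self.children.append(child)
        return child

    def path(self) -> str:
        """branch/container path in the form the Information tab lists."""
        parts, node = [], self
        while node is not None:
            parts.append(node.name)
            node = node.parent
        return "/".join(reversed(parts))


def effective_policy(container: Container, category: str) -> tuple:
    """Policy instance in effect for a machine placed in `container`.

    Starts at the lowest container and keeps a policy applied there (specified);
    otherwise continues up the tree and inherits the first one found.
    Returns (label, path where it is applied) or (None, None).
    """
    node = container
    while node is not None:
        if category in node.specified:
            return node.specified[category], node.path()
        node = node.parent
    return None, None


def where_applied(root: Container, category: str, label: str) -> list:
    """Branches and containers where a given policy instance is applied."""
    hits, stack = [], [root]
    while stack:
        node = stack.pop()
        if node.specified.get(category) == label:
            hits.append(node.path())
        stack.extend(node.children)
    return sorted(hits)


def resolve_all(root: Container, category: str) -> dict:
    """Effective policy label for every machine in the tree."""
    result, stack = {}, [root]
    while stack:
        node = stack.pop()
        for machine in node.machines:
            result[machine] = effective_policy(node, category)[0]
        stack.extend(node.children)
    return result


def build_sample_tree() -> Container:
    """Constructed tree: a corporate Realtime Scanner policy on the root,
    a stricter one specified on the Labs branch and inherited by Labs/Dev."""
    root = Container("Organization", specified={"Realtime Scanner": "Corporate Realtime"})
    sales = root.add_child("Sales")
    labs = root.add_child("Labs", {"Realtime Scanner": "Lab Realtime"})
    dev = labs.add_child("Dev")
    root.machines.append("HQ-SRV1")
    sales.machines.append("SALES-PC1")
    dev.machines.append("LAB-DEV1")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    print(resolve_all(tree, "Realtime Scanner"))
    print(where_applied(tree, "Realtime Scanner", "Lab Realtime"))
```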

Using Subnets

Use the Subnets category to indicate to the Admin Server which subnet or subnets you want to discover and manage. When you specify a subnet, the Admin Server goes out and finds all instances of the Computer Associates antivirus software running in that subnet, and populates the Administrator View with the available machines. You can create more than one instance of subnets.

Note: The subnets can be populated into subnet instances in the Administrator View by a network administrator with the proper access to the Subnets category, using the discovery options described below. After a subnet instance is discovered, you do not need to set up the subnet options again, because the information is refreshed based on the Repeat Every options for Discovery. Authorized users of the Administrator View can then manage the discovered machines and put them in containers in the Organization tree.

Subnet Options

Use the Subnet options to discover and manage a subnet.

Specifying Subnets

To specify the subnets you want, in the Administrator View window, expand the list on the left to display the Configuration Settings, right-click on the Subnets category, and select New. In the Subnets dialog, specify the appropriate subnet and subnet mask. Other information is also displayed. The default label or description for a subnet is the IP address followed by the port number used for discovery. You can use the right-click Edit options to change the description. Note: If you are using the Administrator View on the machine where the Admin Server resides, the subnet of the Admin Server is automatically displayed in the subnet category.


Default Organization for Subnet Discovery

When the Admin Server discovers machines, if it finds an approved server specified for a machine, the discovered machine is added to the category in the Organization tree that is specified in the Default Organization option. The default organization is the name of an existing container in the Organization tree where a discovered machine can be assigned if an approved server is specified for the machine at installation time. When the Computer Associates antivirus software is installed using the Remote Install Utility and the INOC6.ICF configuration file, an approved server can be specified for the local machine. By using this method, the discovered machine is placed in the container indicated by the Default Organization option. You do not have to drag a machine from the list of machines in the subnet to a category in the Organization tree. If an approved server is not specified for a machine, the machine is available in the list of machines for the subnet, but you have to drag it to a container manually. Use the Change button to change the container in the Organization tree that is specified by the Default Organization option. On UNIX and OS X systems, there is no remote install utility. You can use the InoSetApproved script, which is in the $CAIGLBL0000/ino/scripts directory, to specify an approved server. Do this by specifying the IP address or addresses of the approved servers as the arguments to the script, for example, InoSetApproved 123.123.123.123 234.234.234.234. On OS X, you can also approve Admin Servers in the eTrust Antivirus Preferences Options panel that is available under the System Preferences panel. On NetWare, you can set an approved Admin Server using ETRUSTAV. In addition, the NetWare install uses inoc6.icf, which can be preset to use an approved Admin Server, as under Windows.


Discovery Information

The Last Discovery field indicates the last time that the subnet was discovered. This shows when the latest information was provided to the Admin Server for the status of a machine. The type of information includes whether the machine is still active in the network, and what policy settings are applied to the container that the machine is in. If you have made changes to the container structure or the policy settings since the last time the subnet was discovered, you can use the refresh options to update the display of information in the Administrator View.

Conflicting Admin Server IP Address

If an IP address is displayed in the Conflicting Admin Server IP Address field, another Admin Server has discovered the same subnet you specified. The IP address displayed indicates the machine where the conflicting Admin Server resides. Information is also written to the Event Log. Contact the administrator of that subnet to avoid conflicts in policy settings. You want to avoid having two Admin Servers managing the same subnet. If two servers are discovering the same subnet, then conflicts in the policy settings would arise. For example, if one Admin Server discovers the subnet, the information displayed in the Administrator View will reflect the organization of containers and policy settings that have been applied under that Admin Server. If another Admin Server discovers the same subnet, it applies its own configuration and policy settings. Then when the first server does a discovery again, it would apply its own settings, and so on, and the process would be repeated. Not only would this cause unnecessary network traffic, it would defeat the purpose of creating and maintaining a consistent network antivirus policy.

Subnet Discovery

Use the Subnet Discovery tab to manage the subnet discovery process. You can choose to discover the subnet immediately, or use the Repeat Every options to set a frequency for discovery, which the Admin Server uses to keep the list of machines up to date.

The Discovery tab includes the following Discovery Policy options.

Port Number
The port that machines with the Computer Associates antivirus software installed listen on for communicating with the Admin Server. This is the User Datagram Protocol (UDP) port that is open on the client machine for the IP-directed broadcast discovery from the Admin Server. The port number used for the discovery process can be configured at installation time and must be set to a uniform value throughout the environment. The default is UDP port 42508. On OS X, the default port number may be set in the eTrust Antivirus Preferences Options panel that is available under the System Preferences panel.

Maximum Missed Discoveries
Specify the maximum number of times that a machine can miss being discovered before it is removed from the list of discovered machines in the subnet, and from the Organization tree. This way, a machine that is temporarily unavailable can still be displayed as part of the antivirus network. If the discovery query to a machine does not receive a response after the specified number of maximum missed discoveries, the machine is then removed from the list of machines in the subnet, and from the Organization tree. If this option is set to zero, the machine is never removed. If a machine is removed and then rediscovered, it will be displayed in the same place in the Organization tree that it was in before.

Timeout After
Sets a time limit for the discovery, in seconds. If the discovery query does not receive a response from the network in the specified time, the discovery stops. This option applies to the discovery process as a whole, not to the response time from an individual machine. For example, if the option is set to 180 seconds, and there is no response that an instance of the Computer Associates antivirus software exists in the specified subnet, the discovery process does not continue.


Repeat Every Options

Use the Repeat Every options to specify the frequency of discovery of the subnet.

Election Method Options

Use the Election Method options to select different election techniques for discovery. The default is Free Election. The Admin Server uses the selected election method to broadcast to the subnet specified on the Subnet tab. The discovery finds machines in the specified subnet that are running the Computer Associates antivirus software. The discovery process is designed to be efficient, and is optimized to minimize network traffic.

Important! The Election Method options are designed to accommodate different network configurations. How each method works depends on the network configuration of your environment. You must choose a method that is appropriate for your network, and make modifications if needed.

The following election methods are available.

Free Election

Free Election is the default election method. With this method, you do not need to know about the configuration of the machines being discovered within the subnet. The Admin Server sends an IP-directed broadcast to the subnet. This forces an election between machines running the Computer Associates antivirus software. The winner of this election responds to the Admin Server with the list of machines within the subnet. If the Admin Server is not located in the subnet being discovered, it is possible for the IP-directed broadcast to be blocked by a network hardware component. If this is the case, you must reconfigure the network hardware so that the discovery port is open. This option does not require that you have the Computer Associates antivirus software installed on the machine specified in the IP address option on the Subnet tab. However, if the antivirus software is running on the specified machine, you can use the Test button to check whether IP-directed broadcasts are being blocked.

Biased Election

Use the Biased Election method if you prefer to have a specific machine respond, but that machine is not always available. A biased election uses an IP-directed broadcast to attempt to discover this machine and make it the elected machine. If this address is not available, the Free Election method is used.

Specified Election

Use the Specified Election method to perform discovery with a machine that you know is running the Computer Associates antivirus software. Specify the machine you want to use in the IP address option on the Subnet tab. With this method, the IP-directed broadcast of the Free Election is not used. Instead, the Admin Server communicates directly with the specified machine. This machine responds to the Admin Server with the list of machines within the subnet. This option requires that you have the Computer Associates antivirus software running on the specified machine.

Sweep Election

Use the Sweep Election method to perform discovery by contacting every individual IP address in the subnet. The specific machines that are contacted are determined by the IP address and Mask that are specified on the Subnet tab. This method is intended for use when none of the other methods are appropriate. This would be the case, for example, when client machines are connected to the network through a VPN or a PPP connection. Also, Free Election is not possible if IP-directed broadcasts are not permitted to the target subnet, and Specified Election is not possible if the specified machine cannot be relied upon to be running predictably. In addition, Sweep Election is required to discover subnets on a machine running Linux for System 390 where the virtual Linux machines are connected to the network through a point-to-point connection to the mainframe, rather than by direct Ethernet connections. If any of the other election methods is suitable for a subnet, it is preferable not to use Sweep Election. Sweep Election results in a somewhat higher level of missed polls, and it puts a higher load on the Admin Server.

Note: The machine that is elected to be the responder to the Admin Server will be displayed in bold in the list of machines in the subnet.


Discovering Machines Outside Local Subnet

If you perform a discovery and it does not find machines that you know are running instances of the Computer Associates antivirus software, you may need to modify the network router configuration. During the discovery process using the default setting of Free Election, the Admin Server sends an IP-directed broadcast to the subnet being discovered. If the routers on the network do not allow these packets to pass, the discovery process will fail. To correct this problem, you can do the following.

■ Use the Specified Election method instead of the Free Election method.

■ Configure the network routers to allow IP-directed broadcasts over UDP port 42508.

Subnet Right-Click Options

When you right-click on the Subnets category or a subnet instance, you can create a new subnet instance, edit the options for an existing instance, delete an instance, update the discovery, and refresh the display. When you right-click a machine in the subnet list, you can assign it to a branch.

Subnet Summary Information

When the Subnet category, a subnet instance, or a machine in a subnet is highlighted, summary information is displayed about the item on the right side of the Administrator View window. This includes information about the product and signature versions running on the machines, the operating system version, and information about the last time a machine was discovered.


Viewing Discovered Machines

After the machines are discovered, highlight the instance of the subnet in the left side of the Administrator View window to see the list of discovered machines on the right. The following illustration shows an example of an instance of a subnet selected, with the discovered machines.

See the “Creating Logical Configurations of Machines” section for information on how to associate a machine with a container.

Controlling Access to Subnet Options

The authorized administrator of the antivirus software can grant access to the subnets and their options by setting access permissions in the Users category. Authorized users can change the frequency of discovery and other options. See the “Using Access Permissions” section for more information about setting permissions. The discovery process is independent of any policy settings. Similarly, you do not need any special access permissions to discover machines. A user does not need an operating system account on the machines that are discovered and displayed. However, to put a discovered machine into a container in the Organization tree, you must have operating system administrative authority on the machine you want to put into the container. After a machine has been put into a container, authorized administrators can move it to another container without needing administrator authority on the machine. The ability to move a machine is controlled by the access permissions granted to the user.


The discovery frequency can be set to run periodically to update the information about the discovered machines on a regular basis. After these options are set, most users of the Administrator View will not need to change them.

About the Users Category

The Users category in the Administrator View contains a list of users who have been granted access permissions to the containers in the Organization tree. Use this category to define access rights for users and to conveniently view what access the user has. When you select the Users category, the list of users is displayed on the right.

Users Category Selected

The following illustration shows the Users category selected, with an example of a list of users on the right.

Note: Users are displayed in this list only after they are granted access permissions. Under Windows, the operating system administrator account and the account used to install the Admin Server are displayed automatically. On UNIX and OS X systems, the root user is displayed automatically.


A User Selected

When you expand the Users category and select a user from the list on the left, summary information about that user is displayed on the right. You can see what access permissions and what authority the user has to make changes to Computer Associates antivirus software configurations.

Note: You can also view user information by highlighting the Organization tree category or a container in it, and then clicking on the Permissions tab on the right side of the window. This displays a list of users and the setting for User Rights. See the “Using Access Permissions” section for more information about setting permissions.

Managing Legacy Domains

Use the Legacy Domains category to manage existing domain names that were created for your antivirus network in 4.x versions of the Computer Associates antivirus software.

Note: Under UNIX and OS X, if a Legacy Domain exists, it is displayed in the same level in the left-hand pane as the Organization Tree. Managing Legacy Domains, however, is not supported by the web browser GUI, OS X GUI, or UNIX-based Admin Server.

The Admin Server populates the Legacy Domains category with the list of the existing domain names and machines that are running instances of the 4.x versions of the product. You have the option to manage these machines using the old domain names, but only the options of the previously-installed product version are available. Individual machines that were not defined to a domain are listed under the Single Server category. To manage options on a machine, you need a valid user ID and password on that machine.


Managing Machines with the Organization Tree

Use the Organization tree category to create an organized tree display of containers of machines in your network that are running instances of the Computer Associates antivirus software. Then you can apply policy settings to the containers.

Using the Organization Tree

After the Admin Server populates the list of available machines in the Subnets category, an authorized administrator can use the organization tree to create a logical configuration of machines in the network. You can create a completely flexible hierarchy that suits your environment. Each container or branch in the list is analogous to a list of directories or folders, with subdirectories or subfolders below them, and with machines in the subfolders below them. You can create any logical categories of containers that your organization requires. For example, you can make a configuration that mirrors the physical locations of machines, or you can divide machines into various categories by department, by function, by type of user, or any other arrangement that is needed. A machine can only be a member of one container at a time.

Access to the Organization Tree and Containers

You can control access to the containers in the Organization tree for other authorized users by assigning access permissions. If you have access permission of full control, but no user account on the machines in the branch, you still control the policy settings of the antivirus software on those machines, even though you do not have an operating system account on them. However, if you remove a machine from a branch and you want to put it back in a container, you need an operating system account with administrative authority on that machine to put it back in. See the “Using Access Permissions” section for more information about setting permissions.


Sample Organization Tree

For an example of an Organization tree, we can create a container or branch called Accounting. Under that container you can make containers of every office that has an accounting department, such as Office A, Office B, and so on. Under each office you can then arrange the machines from each of those accounting departments. The following illustration shows a sample expanded Organization tree with containers and machines.

Note: These containers correspond to the domain concept used in 4.x versions of Computer Associates antivirus software.

Creating Logical Configurations of Machines

Before you can manage a machine, you must put it in a logical category, a container in the Organization tree. To do this, you select a machine from the list of machines in the instance of the subnet, and associate it with a container.

Note: You must have administrator rights for the operating system, or root privileges in UNIX systems, on the machine that you want to put in a container in the Organization tree.


To create a container for the first time, right-click on the Organization tree category to create a new container in the list. You can then add containers and sub containers as needed. The containers in the list are like a list of directories or folders. You can create any number of containers and sub containers in any hierarchy you need, with any arrangement of machines in the containers.

Drag and Drop Machines to Containers

To associate a machine with a container, highlight the instance of the subnet in the left side of the Administrator View window, and then select a machine in the right side of the window and drag and drop it to a container in the Organization tree on the left side of the window. You can also right-click on a machine in the left side of the window and assign it to a branch. The web browser and the OS X GUI do not support drag and drop functionality.

Granting Administrator Rights at Install Time

In some cases, to manage machines in a large network, you might want to grant administrator rights over many machines to the administrator of the Admin Server. An Admin Server administrator can be granted access to a client machine if the IP address of the Admin Server is specified on the client machine at installation time, using the INOC6.ICF configuration file. This creates a trusted relationship that allows an administrator to put machines in containers without requiring separate login and password information for each machine. For more information, see the “Using the Remote Install Utility” chapter and refer to the sample INOC6.ICF file provided with the product. On UNIX and OS X systems, you can use the InoSetApproved script, which is in the $CAIGLBL0000/ino/scripts directory, to specify an approved server after the antivirus software has been installed. Do this by specifying the IP address or addresses of the approved servers as the arguments to the script, for example, InoSetApproved 123.123.123.123 234.234.234.234. On OS X, you can also approve admin servers in the eTrust Antivirus Preferences Options panel that is available under the System Preferences panel. On NetWare, you can set an approved Admin Server using ETRUSTAV. In addition, the NetWare install uses an inoc6.icf file that can be preset to use an approved Admin Server, as under Windows.

Security for Accessing Windows 9x Machines


After Windows 9x machines have been discovered, a security method is provided to access them when you want to add them to containers in the Organization tree. You only need to use this method to assign the machine to a branch in the tree. After that, security is based on the permissions set for the branch.


For Windows 9x machines, the Computer Associates antivirus software is not able to leverage user accounts that are managed by the operating system. Therefore, an authentication file, Ino.sam, is stored on the Windows 9x machine. This file contains a list of username/password hash pairs. When authenticating to the Windows 9x machine, the user enters the password and a one-way hash is generated from it. If the generated hash value matches the one in the authentication file, access is granted. A utility program called InoPW.exe is provided to create and manage authentication files. After modification, the authentication file can be copied manually to the Antivirus install directory on Windows 9x machines, or it can be placed into a directory that contains a copy of the installation image. If it is placed in the image directory, the installation program automatically copies the file to Windows 9x machines.

Managing Machines and Containers

Note: The term Container is used interchangeably with Branch.

When you have the machines in your network arranged logically in the Organization tree, you can manage them and enforce configuration policy settings throughout the network in an efficient manner. You can easily apply policy settings to large groups of machines in a container hierarchy. After you have containers with machines, you can right-click on them to access additional management options, including creating proxy server machines. Other options allow you to find a computer in a container, create new containers, rename them, and delete them. You can also set policy on a selected container, assign a container to a branch, or remove it, and refresh the display.

Cutting and Pasting Containers

You can use the Cut and Paste features to move a container from one branch to another. Any machines and policies associated with the container are retained in the move. You can right-click to select and cut a container on the right side of the window, and then highlight a container on the left where you want to paste it.

Right-Click Options for Machines

Right-click options are available when you highlight a machine in a container. These allow you to assign the machine to a branch, remove it from the branch, and manage the Computer Associates antivirus software services on the selected machine.

Point-to-Point Configuration

There are also right-click options that allow you to configure scanning settings on a selected machine. However, you are not creating policy settings when you use these right-click options.


When you highlight a machine and access these configuration settings, these right-click options apply only to the selected machine. This allows you to manage the settings of the machine on a point-to-point basis, by setting the same options that are available to a user from the Local Scanner window. See the online Help for more information on managing machines and containers.

Viewing Policy on a Machine or Container

Note: The term Container is used interchangeably with Branch.

After instances of policy have been applied to a container or machine, you can select the item in the Organization tree and view the policy settings. For every type of policy setting applied to the item, you can click a tab on the right side of the window to see details about the policy settings. The following illustration shows an example of a selected machine in a container, with the tabs that indicate the policy settings applied to the machine. In this example, with the Realtime tab selected, information is displayed about the real time policy settings that are applied to the container that the selected machine is in.


Viewing Logs on Remote Machines

You can view log information for remote machines by expanding an entry for a machine. The types of logs are listed under each machine. Highlight a type of log on the left to see the log summary information for that machine on the right. For detailed information, click the log item in the upper right side of the window to see details in the lower right pane.

Viewing Logs by Machine

The following illustration shows an example of a container and an expanded machine in the Organization tree, with the log categories for that machine.

You can view log information for both locally initiated and remotely initiated jobs and events.

Viewing Scheduled Job Policy Logs

Administrators can also view log result statistics for scheduled jobs applied by policy instance. When you highlight an instance of a scheduled job policy, and click the log tab on the right side of the window, this log information is displayed. There is a log entry for the dispatch time for every time the job ran, with summary statistics on the number of machines the job ran on, with success count and error count statistics. Detailed information is also available for each machine the job ran on. Statistics for scans on each machine include the total number of files scanned, the total number of infections found, and the number of files cured.

Managing Scheduled Jobs with a Machine Selected

When you highlight a machine in the Organization tree, and click the Job tab on the right side of the window, you can manage scheduled jobs that are listed for that machine. You can manage locally-initiated jobs and remotely scheduled jobs for the selected machine. When you select a Job from the Job tab, you can right-click on it and modify the properties of the job, stop a job in progress, or delete the job.


Using Access Permissions

Use the Access Permissions to specify which users of the Administrator View are allowed to manage the policy settings of the Computer Associates antivirus software running on machines in the Organization tree, and to manage Subnet options. This section discusses how you can use security features to control access to the Admin Server and the policy setting functions of the Administrator View, to allow authorized users to remotely manage machines in the antivirus network. Access Permissions apply to the following items.

■ Subnets

■ Containers

When you grant access permissions to a user, the permissions apply to the Subnets category and the Organization tree.

Admin Server Access Considerations

Administrators and users can be granted access to the Admin Server and the Administrator View, based on existing user accounts on the machine where the Admin Server resides, and on available accounts in the network.

Note: These access permissions apply to the Computer Associates antivirus software, and not to the management of the operating system of the machine where the Admin Server resides.

Accounts with access to the Admin Server can be considered to fall into the following basic categories, which are described below.

■ The operating system administrator or root account on the machine where the Admin Server resides

■ The account used to install the Admin Server (root user in UNIX systems, a user with administrative privilege on OS X)

■ Authorized administrator accounts

These security features allow you to grant control to manage the antivirus software in your network as needed, including using a generic guest account, without compromising operating system security. Access permissions for authorized administrator accounts for the antivirus software are independent of the authority granted to the account by the operating system. Any valid designated account can access the Administrator View to manage the antivirus software, based upon the permissions granted to that account. These authorized administrator accounts can in turn grant permissions to other accounts.


The authorized administrator decides what a user can do in the Administrator View by setting the access permissions, which are applied to the subnets and the containers in the Organization tree. These access permissions are stored in a security table which the Admin Server examines to decide whether the user has access and what they can do with policy settings. So when a user logs on to the Admin Server, the Admin Server knows who the user is, what access rights they have, and what actions they are allowed to perform. When a user logs on to the Admin Server machine, the product security table knows that it is an authorized user in two ways.

■ The user is known to the machine where the Admin Server resides because the user has a valid operating system account on that machine.

■ Information is collected and passed to the server when the discovery process periodically updates the information about the machines in the subnets that are running instances of the Computer Associates antivirus software.

Operating System Administrator Account

The operating system administrator or root account on the machine where the Admin Server resides is automatically granted full control of the root categories of the Subnets and the Organization tree. This account therefore has administrative control over both the Admin Server machine and the features available from the Administrator View. For Windows this is the Administrator account. For UNIX and OS X systems, this is an administrator account with root privileges. This administrator account on the Admin Server can in turn assign a user with a valid account on the Admin Server to an authorized administrator account.

Admin Server Installer Account

The account used to install the Admin Server is automatically granted full control of the root categories of the Subnets and the Organization tree. This is similar to the operating system administrator account. Because this account has authority to install software, it has operating system administrator authority. If the account used to install the Admin Server is different from the operating system administrator account, when you display the access permissions, you will also see this account in the list of user accounts. If the operating system administrator account is used to install the Admin Server, then a separate installer account will not be created.

Note: UNIX systems do not use a separate account to install the antivirus software. The product is installed by the root user.


Authorized Administrator Access

The administrator account can grant access permissions to other accounts that have valid operating system accounts on the machine where the Admin Server resides, or to existing accounts on the network. We can refer to these accounts as authorized administrators for the antivirus network. To connect to the Admin Server machine, a user must have a valid account on the machine where the Admin Server resides. For a user to manage policy on machines in containers in the Organization tree, an authorized administrator must set access permissions for the account. The account that you use to connect to the Admin Server can be any valid account on that machine or in the network. Administrative authority is not required on the machine where the Admin Server resides for an authorized user to manage and apply policy settings in the Administrator View. The access permissions the administrator sets for a user account determine the ability that the user has to change policy settings. However, if you want to add a machine to a container from the list of machines in the subnet instance, you need administrative authority for the machine you want to add. These accounts do not have any special permission on the operating system where the Admin Server resides. Authorized administrators can be granted different levels of permissions within the antivirus software to manage policy settings, from full access permissions to all features of the Administrator View, to read-only access, based upon the needs of the enterprise. An authorized administrator has great flexibility in assigning these access permissions. When a user connects to the machine where the Admin Server resides, the system first checks to see that the user has a valid account on the machine. If it is valid, then access is granted to the functions of the Administrator View, based on the permissions set for that user by an authorized administrator.


Creating a User Account

You can create an account on the Admin Server that can act as a guest account for other users to sign on to the Admin Server and use the Administrator View. For users that you want to have full access to the Administrator View, you can grant them full control. However, this account should not be based on an account that has administrator rights to the operating system where the Admin Server resides. For example, on Windows NT or Windows 2000, you can use the Guest account on the machine where the Admin Server resides to create an account for authorized users to log on to the Admin Server as needed. You could copy the Guest account to a new account and give it a name of InoAdmin. Then use the Administrator View access permissions options to grant Full Control to this new account. When users log on to the Admin Server with this account, they are granted full control of the Administrator View and its features, but their access to the operating system is limited.

Note: Whatever account you use as a model for a guest account will retain any operating system permissions that it already has.

This method of using a guest account allows you to provide access to the Administrator View as needed, without the need to create a separate account for each remote administrator who wants to access the Admin Server. You can even create different types of generic accounts with different levels of access, and make them available to administrators as needed.


Setting Access Permissions

The access permissions on an account determine the ability of the user to access the Organization tree, make changes to policy, and modify Subnet options. Right-click on the Users category, and select Access Permissions to display the Permission dialog. The Permission dialog shows a list of existing users. The following illustration shows a sample Permission dialog with the Administrator account on the machine where the Admin Server resides.

The Administrator account in the sample illustration has full control access rights. See the online Help for a procedure to create accounts with full access to the Administrator View.

Note: The access permissions are applied to the user account. This grants the user access to the containers in the Organization tree and to the Subnet options.


Applying Permissions

Use the Permission dialog to add users and remove them, and to specify access rights for the selected user of the Administrator View. You can also select an existing user and change the access permissions. To add a new user to the list of users, click the Add button and select a user from the Add New Users dialog. This dialog contains a list of user accounts on the operating system of the machine where the Admin Server resides. You can also add users from the network by clicking the Simple Add button and specifying the user. The following illustration shows a sample Add New Users dialog.

From the list in the top portion of the window, you can select a user and click Add to add it to the list in the lower part of the dialog. When the user is displayed in the lower part of the dialog, you then highlight it and apply Access Rights from the drop-down list. Repeat this process to add users as needed.


The following illustration shows a sample dialog after a user has been added and assigned rights, with the user listed in the lower portion of the dialog. This user has been granted access rights with full control.

When you close the Add New Users dialog, the new user is listed in the Permissions dialog.


The following illustration shows the Permission dialog with the new user added to the list of user accounts, with full control access permission.

Viewing Permissions

You can easily view which users have access permissions, and the level of access that they have. To do this, expand the Organization tree to display the container you want to review and highlight the container. Then, on the right side of the window, select the Permissions tab. The Permissions tab displays a list of existing users and the current Rights for each user. Another way to do this is to simply highlight the Organization tree category itself, and then select the Permissions tab. You can also check the user rights by highlighting a user in the Users category.


Types of Access

Access rights apply to the containers in the Organization tree and to Subnets. The following table lists the types of access and the associated permissions.

Type of Access: Permissions

None: Selected user has no access. If you do not have access, you do not see the containers and machines in the Organization tree.

Read: Selected user has read access to the Organization tree and the Subnets category. Access to view an object in the list and its associated properties, but no access to make changes or move a machine to a different category.

Change: Selected user has change access to the Organization tree and the Subnets category. Access to see an object and its properties in the list, access to make changes to the policy settings applied to a container, and ability to move a machine to a different container.

Delete: Selected user has access rights to delete the selected item. Includes Change permissions. Cannot add users.

Full Control: Selected user has full control. Can add users and grant access for managing access permissions to other accounts.

User Rights Characteristics

After access rights have been applied for a user, these rights have the following user rights characteristics.

User: Indicates a user with access to the selected container, including the domain the user is in.

Rights: Indicates the access rights that the user has for that container.

Reason: User rights can be inherited or specified.

Inherited: Indicates that the user rights applied to the container have been inherited from user rights applied at a higher level in the hierarchy, such as the root of the Organization tree.

Specified: Indicates that the user rights applied to the container have been applied to this particular level of the hierarchy, such as the root of the Organization tree.


Viewing User Rights

After the permissions are set, when you highlight a container in the list on the left, you can click on the Permissions tab on the right side of the window to see a list of users and the rights assigned to them. The characteristics of user rights are displayed in this list. These characteristics are also displayed when the access permissions are assigned.

Viewing User Rights from the Users Category

You can view user rights from the Users category of the list on the left side of the Administrator View. When you expand the Users category and select a user from the list on the left, the user rights characteristics are displayed on the right side of the window.

Access Example for Different Accounts

The following example shows how different access rights can be assigned to different accounts. The following illustration shows a sample Organization tree with three containers, for Accounting, Sales, and Travel.

The following table describes an example of how different accounts can be assigned different access permissions.

Container: Authorized Administrator / User 1 / User 2

Organization tree (root object): Full Control / Change / Read

Accounting: Full Control / Change / Read

Sales: Full Control / Change / Read

Travel: Full Control / Change / Read

All of the accounts in the example have access to the Organization tree. The authorized administrator has full control. This account can manage all the containers in the tree and can set policy for all the machines in the containers. User 1 has change access, and User 2 only has read access. Note that users have the same level of access to the Subnets category that they have to the Organization tree.
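The Inherited and Specified reasons from User Rights Characteristics, the rights ladder from the Types of Access table, and the account example above can be modelled as an effective-permission resolver. This is an added example and not eTrust code; the container and user names are taken from the table, while the None right specified for User 2 on Travel is constructed here to show a Specified right overriding an inherited one.

```python
"""Model of container access rights with the Inherited / Specified reasons
from User Rights Characteristics and the rights from the Types of Access
table.  Added example, not eTrust code; the Travel override is constructed."""
from enum import IntEnum


class Access(IntEnum):
    """Types of Access, ordered so that each level includes the ones below
    it (Delete includes Change; only Full Control can add users)."""
    NONE = 0
    READ = 1
    CHANGE = 2
    DELETE = 3
    FULL_CONTROL = 4


# Minimum access each operation needs, per the Types of Access table.
REQUIRED = {
    "view": Access.READ,
    "change_policy": Access.CHANGE,
    "move_machine": Access.CHANGE,
    "delete": Access.DELETE,
    "add_user": Access.FULL_CONTROL,
}


class Container:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.children = []
        self.specified = {}  # user -> Access applied at this level
        if parent is not None:
            parent.children.append(self)

    def effective_right(self, user):
        """Walk up to the nearest level where a right is Specified for the
        user and return (access, reason) as the Permissions tab shows it."""
        node = self
        while node is not None:
            if user in node.specified:
                if node is self:
                    return node.specified[user], "Specified"
                return node.specified[user], f"Inherited from {node.name}"
            node = node.parent
        return Access.NONE, "Not listed"


def allowed(container, user, operation):
    """True if the user's effective right on the container covers the operation."""
    right, _ = container.effective_right(user)
    return right >= REQUIRED[operation]


def visible_to(root, user):
    """Names of the containers the user sees in the Organization tree;
    a container on which the user has None is hidden from them.  Users get
    the same access to the Subnets category as to the root container."""
    seen = []

    def walk(node):
        if node.effective_right(user)[0] >= Access.READ:
            seen.append(node.name)
        for child in node.children:
            walk(child)

    walk(root)
    return seen


def rights_report(container):
    """Rows of (user, right, reason) for the Permissions tab of a container."""
    users, node = set(), container
    while node is not None:
        users.update(node.specified)
        node = node.parent
    rows = []
    for user in sorted(users):
        right, reason = container.effective_right(user)
        rows.append((user, right.name, reason))
    return rows


def build_example():
    """The Access Example tree: rights specified once at the root and
    inherited by Accounting, Sales and Travel.  User 2 is then given None on
    Travel (constructed) so Travel disappears from their view."""
    root = Container("Organization tree")
    for name in ("Accounting", "Sales", "Travel"):
        Container(name, root)
    root.specified = {
        "Administrator": Access.FULL_CONTROL,
        "User 1": Access.CHANGE,
        "User 2": Access.READ,
    }
    root.children[2].specified["User 2"] = Access.NONE
    return root


if __name__ == "__main__":
    tree = build_example()
    for container in [tree] + tree.children:
        print(container.name, rights_report(container))
    print("User 2 sees:", visible_to(tree, "User 2"))
```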


Creating and Using Proxy Configuration Machines

Use the Proxy Configuration option to designate proxy servers that you can use to efficiently manage configuration changes across your antivirus network. This option allows you to set and enforce configuration policy throughout the network in a hierarchical manner. By designating a machine as a proxy server, you create an efficient distribution mechanism across the network that minimizes the duplication of traffic. An authorized administrator can assign a machine as a proxy server from the list of available machines in a container in the Organization tree. This proxy server then acts as a distribution point, passing configuration changes to the machines in its container, and to subcontainers, based on the policy settings. After a proxy server is designated, an indicator is displayed in the icons for the container and for the machine.

Proxy Server Considerations

Note the following considerations for proxy servers.

■ Any machine in a container in the Organization tree can be a proxy server, except for Windows 95 or Windows 98 machines. You can designate any number of machines as proxy servers.

■ By using proxy servers, you can apply configuration settings at the root level of the list of machines running the antivirus software, or at any subcontainer level in the list. The changed settings are efficiently distributed down through the network so that the Admin Server does not have to pass commands to each machine individually.


The role of the signature redistribution server is distinct from the role of the configuration proxy server. The signature redistribution server makes the signature update files available to other machines. The configuration proxy server is used to distribute policy settings throughout the network.

Note: Proxy server here does not refer to an Internet proxy server.

Proxy Override Option

When you assign a machine as a proxy server, use the override option to control whether policy is passed down through the hierarchy if the proxy server for a branch is not available.

Option: Description

Override in effect: When the proxy server is not available, the proxy server above it in the hierarchy passes policy settings to the machines ordinarily served.

Override not in effect: When the proxy server is not available, the proxy server above it in the hierarchy does not pass policy settings to the machines ordinarily served.

How a Proxy Server Works

As the Admin Server goes down the list of machines, it finds the proxy and hands off the commands for configuration changes to that machine. Since the proxy distributes the changes down to the other machines in its container, the Admin Server can skip the rest of the machines in the container, and go on to look for the next machine to send the commands to. It finds the next proxy server and passes the commands to that proxy, and so on through the network. For example, if there are ten machines in a container, and one machine is designated as the proxy server, the Admin Server sends the information once, to that one proxy server. The proxy then passes the information to the nine remaining machines in its container group. This minimizes the number of times that the Admin Server has to send the commands, thereby improving the performance of the Admin Server, and the network in general.


Sub-Proxy Machines

The proxy server applies settings to the machines in its container. If there are subcontainers in the container, the proxy server applies settings to the machines in those subcontainers. However, if a subcontainer has a proxy server in it, the proxy server above it passes the information to the proxy server in the subcontainer, and then skips the rest of the machines and containers in that subcontainer.
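The hand-off and skip behaviour described in How a Proxy Server Works, the Proxy Override Option table, and the sub-proxy rule above, as an added simulation that is not part of eTrust Antivirus. All machine and container names are constructed; the result records who delivered the settings to each machine and which machines are left running the old policy when a proxy is unavailable, which is the condition a defender would want to alert on.

```python
"""Simulation of how the Admin Server hands configuration changes to proxy
configuration machines (How a Proxy Server Works, Proxy Override Option and
Sub-Proxy Machines).  Added example, not eTrust code; all machine and
container names are constructed."""
from collections import Counter
from dataclasses import dataclass, field

ADMIN = "Admin Server"


@dataclass
class Machine:
    name: str
    is_proxy: bool = False
    available: bool = True
    # Proxy Override Option: when this proxy is down, does the sender above
    # it keep serving the machines it ordinarily serves?
    override: bool = True


@dataclass
class Container:
    name: str
    machines: list = field(default_factory=list)
    subcontainers: list = field(default_factory=list)

    def proxy(self):
        """The machine designated as proxy server in this container, if any."""
        return next((m for m in self.machines if m.is_proxy), None)

    def all_machines(self):
        yield from self.machines
        for sub in self.subcontainers:
            yield from sub.all_machines()


def distribute(container, sender=ADMIN, result=None):
    """Walk the container the way the Admin Server does and return
    {machine name: sender that delivered the settings}.  A machine missing
    from the result did not receive the configuration change."""
    if result is None:
        result = {}
    proxy = container.proxy()
    if proxy is not None:
        if proxy.available:
            # One hand-off; from here on the proxy serves the rest of this
            # container and its subcontainers, so the sender skips them.
            result[proxy.name] = sender
            sender = proxy.name
        elif not proxy.override:
            # Proxy down, override not in effect: nothing below is updated.
            return result
        # Proxy down, override in effect: the sender above fills in.
    for m in container.machines:
        if m is not proxy:
            result[m.name] = sender
    for sub in container.subcontainers:
        distribute(sub, sender, result)
    return result


def sends_by(result, sender):
    """How many individual sends a given sender had to make."""
    return Counter(result.values())[sender]


def unreached(root, result):
    """Machines still running the old policy after this push; these are the
    ones to alert on when a proxy is unavailable."""
    return sorted(m.name for m in root.all_machines() if m.name not in result)


def build_tree(east_proxy_available=True, east_override=True):
    """Constructed tree: Accounting has no proxy; Sales has ten machines with
    one proxy and two subcontainers, one of which has its own proxy."""
    acct = Container("Accounting", [Machine("acct-01"), Machine("acct-02")])
    sales = Container("Sales", [Machine("sales-proxy", is_proxy=True)]
                      + [Machine(f"sales-{i:02d}") for i in range(1, 10)])
    east = Container("Sales/East", [
        Machine("east-proxy", is_proxy=True, available=east_proxy_available,
                override=east_override),
        Machine("east-01"), Machine("east-02")])
    west = Container("Sales/West", [Machine("west-01"), Machine("west-02")])
    sales.subcontainers = [east, west]
    return Container("Organization", subcontainers=[acct, sales])


if __name__ == "__main__":
    for up, ovr in ((True, True), (False, True), (False, False)):
        tree = build_tree(up, ovr)
        res = distribute(tree)
        print(f"east proxy up={up} override={ovr}: Admin Server sends "
              f"{sends_by(res, ADMIN)}, sales-proxy sends "
              f"{sends_by(res, 'sales-proxy')}, unreached={unreached(tree, res)}")
```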

Distributing Signatures with Download Now

You can use the Download Now option for signature distribution in the Administrator View to get signature updates on demand and apply the updates throughout your antivirus network. This section describes considerations for using Download Now in a network environment.

Using Download Now in the Administrator View

For users of the Administrator View in network environments, the Download Now option is available in different ways.

Important! When you use Download Now in a network environment, you must be sure that each redistribution server is appropriately prepared to act as the source of the signature updates. The signature updates on a redistribution server must be up to date and available for redistribution.

When you invoke the Download Now option in the Administrator View, the update is applied to multiple machines. How it behaves depends on the context in which it is invoked. See the section Policy Precedence for information on how policy takes precedence in a hierarchy of containers. You can use the Download Now option in the Administrator View in the following ways.

■ With a Signature Distribution policy selected

■ With a container in the Organization tree selected

■ With a specific machine in a branch selected

Note: The Download Now button is not available in the Signature Update policy dialog if the policy has not been applied to any branch. For example, it is not available when you create a new policy.


Using Download Now with a Signature Distribution Policy

Select an instance of Signature Distribution policy in the Signature Distribution category, right-click on it and choose Edit. If the selected policy is assigned to a branch in the Organization tree, the policy dialog is displayed with the Download Now option available. When you click Download Now, the signature update goes to all of the machines in the branches where the policy is applied. The options in effect for the selected policy instance are used.

Using Download Now with a Container in the Organization Tree

You can select a container or branch in the Organization tree, right-click on it, select Policy, and then select Distribution. This displays the Signature Update Policy dialog. If a policy is applied to the selected branch, the options for that policy are displayed, and the Download Now button is available. When you click Download Now, the update is done to all of the machines in that branch that have the policy applied.

Branch Policy Considerations

You can apply Download Now to a branch that has sub-branches in it. There may be sub-branches in the selected branch that have a different policy specified. A machine in a sub-branch with a different policy specified will not be updated.

Using Download Now with a Machine in a Branch

When you select a machine in a branch, right-click on it, and select Configure Distribution Settings, the Signature Update options for that machine are displayed. If you click Download Now, the settings in effect for that machine are applied only to that machine. This is not a policy setting.

Using Download Now with Redistribution Servers

When you use Download Now in a network environment you must be sure that the signature updates are made available from a source that has the latest updates. You can apply Download Now to a branch that has many sub-branches. There may be more than one machine acting as a source for signature updates in those sub-branches. Also, Signature Update options may be configured differently for each branch. One sub-branch can use one list of sources, and another sub-branch may use another list of sources. Each branch might be getting updates from a different redistribution server.


When you invoke Download Now, each redistribution server must already have the latest updates. In addition, the holding time must be set to a value that makes the updates available in a timely manner.

Note: You can organize machines that act as redistribution servers into a single container. This allows you to manage multiple redistribution servers efficiently. You can then apply policies and settings to the redistribution servers as a group.

When you invoke Download Now, the signature download starts on all the machines in the branch. This includes any machine that acts as a redistribution server in that branch. If the redistribution server already has the latest updates, the download process recognizes that the server does not need to be updated. If the holding time on this server is set to zero, then the other machines that depend on this redistribution server can get the signature download without delay. By updating the redistribution servers before you use Download Now, you can ensure that the latest signatures are distributed to your antivirus network.

Considerations for Scanning Network Drives

Under Windows, a user can map to a network drive from a local machine and perform a scan. Similarly, under UNIX and OS X a remote file system can be mounted and scanned. This might be useful occasionally for scanning a specific file, but it is not the preferred method for managing network drives. When a local machine scans a network drive, a significant amount of network traffic occurs due to packets of information passing between the two machines. The preferred method for scanning a network drive is for a remote administrator to schedule a scan job on the network machine, using the Administrator View features. An instance of the Computer Associates antivirus software must reside on the machine to be scanned. Then you can remotely schedule the scan, which runs locally on the network machine. This method is more efficient and uses fewer network resources than running a local scan across the network.


Customizing Messages

For Windows, the Computer Associates antivirus software displays messages that use Windows event codes. You can customize messages to add additional information. You can use this feature when an infection is found, or when signature files are out of date and you want the user to do an update. For example, when a message indicating an infection is displayed, you can customize it to add instructions to call the antivirus administrator, and show the name and telephone number of the appropriate contact.

Note: You can use the Windows Nethelp utility to view messages.

Generating and Viewing Reports

Use the Reports category to view antivirus reports from computers discovered by the Admin Server.

Note: Reports are not available in the Web GUI or in the OS X GUI.

Generating Reports

Reports are generated on the Admin Server and are viewed on the Admin View console. The virus detection reports are based on the data collected from client machines. To collect this data on client machines, you can configure your machines in the following ways:

■ Forwarding Logs from Client to Admin Server: On a client machine, set the Alert Options to forward logs to the Admin Server (or to the eTrust Antivirus proxy server if your network is set up to forward in an escalation hierarchy level). For generating reports per discovered virus, make sure to forward logs to the Admin Server and set the Custom Notification Module to the Virus Report category on the Alert Filter tab. In addition, select the service module from which specific messages you want reported.

■ Forwarding Logs from Admin Server to Admin Server: On a machine performing as an Admin Server, set the Alert Options to forward logs to itself. For generating reports per discovered virus, make sure to forward logs to the Admin Server and set the Custom Notification Module to the Virus Report category on the Alert Filter tab. In addition, select the service module from which specific messages you want reported.

Use the cfgReport.exe program to schedule the time interval for report generation. For more information on the cfgReport.exe program, see the “Scheduling the Generation of Reports” section.


For more information on setting Report Alert options, see the “Using Alert Report Options” section of the “Using the Alert Manager” chapter.

Viewing Reports

The reports can be viewed in the Admin View. You can choose to view two types of reports:

■ eTrust Antivirus Reports: For computers in your network that have been discovered by the Admin Server and have eTrust Antivirus installed on them.

■ Domain Reports: For computers in your network grouped into domains that have been discovered by the Admin Server, where eTrust Antivirus may or may not have been installed.

You can view the following types of eTrust Antivirus Reports:

■ Virus Detections: A top-ten virus summary and a list of all viruses detected grouped into timeframes.

■ Infected Machines: A top-ten computer summary and a list of all computers where a virus is detected grouped into timeframes.

■ Infected Users: A top-ten user summary and a list of all users who accessed an infected file grouped into timeframes.

■ Deployment: A list of all eTrust Antivirus installations grouped by operating system.

■ Load Per Server: A display showing the load of eTrust Antivirus signature download assigned to that server. The report shows the number of computers that have each server listed as a primary or a secondary distribution source.

■ Load Per Policy: A display showing the load of eTrust Antivirus signature download assigned to a policy. The report shows the number of computers that have each policy listed.

■ Signatures: A display showing the number of computers that have each antivirus engine installed, and the engine name and count of computers that have the engine type installed, as well as the counts for each signature version detected in the subnets.

■ Signature Exception: A display showing summary-type information on the three least outdated signature versions, compared to the signature version of the Admin Server machine, for each engine.

■ Signature Exception Details: A display showing detailed information on computers with the three least outdated signature versions, compared to the signature version of the Admin Server computer, for each engine.

■ Per Virus Reports: The Per Virus Reports category displays the following summary-types of information for each virus it finds:

  ■ By Subnet: A display showing detailed information about the detected virus using the subnet category.

  ■ By Branch: A display showing detailed information about the detected virus using the branch category.

  ■ By User: A display showing detailed information about the detected virus using the user category.

  ■ By Machine: A display showing detailed information about the detected virus using the machine category.

  ■ By Action: A display showing detailed information about the detected virus using the action category.

■ Per Machine Reports: The Per Machine Reports category displays summary-types of information for each virus found categorized by computer name.

■ Per User Reports: The Per User Reports category displays summary-types of information for each virus found categorized by user name.

You can view the following types of Domain Reports:

■ Protected Machines Report: The Protected Machines Report category displays the following summary-types of information for each computer discovered in your Microsoft network:

  ■ Domain Summary: A display showing summary-types of information about all discovered computers with details that include domain name, protected computers, and unprotected computers.

  ■ Protected Machines Total: A display showing information about the computers that have eTrust Antivirus installed on them, with details including domain name, IP address, branch name, and antivirus version.

  ■ Unprotected Machines Total: A display showing information about the computers that do not have eTrust Antivirus installed on them, with details including associated computer name and domain name.

  ■ Microsoft Windows Network: A display showing a list of computers, by domain name, that are protected and those that are not protected by eTrust Antivirus.


Scheduling the Generation of Reports

You can independently configure the time and interval for the Admin Server to schedule the generation of antivirus and domain reports. To schedule the times, manually run the cfgReport.exe program. It resides in the path \CA\eTrust Antivirus under the directory in which you installed eTrust Antivirus. The following illustration shows an example of the Reports Option dialog displayed after executing cfgReport.exe:

You can set the time when the reports can be generated in the Start Time field and how often reports are generated in the Repeat Every field. Use the Main tab to schedule the antivirus-type reports. Use the Domain tab to schedule the domain-type reports.

Chapter 9

Using the Remote Install Utility

This chapter describes the Remote Install Utility. Use this utility to roll out the Computer Associates antivirus software and licensing software throughout the enterprise to Microsoft Windows NT, Windows 2000, and Windows XP systems only.

Note: See “Remotely Installing on Windows 9x Machines” for information on remote installation and Windows 9x.

Remote installation can be broken down into the following steps.

■ Install the utility for the first time

■ Configure the ICF files for the software with the desired installation options (if you want to change default options)

■ Specify the installation targets and provide administrative account information for each target

■ Start the process to install the antivirus software on the target machines

Running the Utility

Note: This version of the Remote Install Utility can only install to Windows NT, Windows 2000, Windows 2003, or Windows XP systems running on an Intel x86, IA64, AMD64, or compatible processors.

The first time that you use the Remote Install Utility, you can launch it from the product CD, or from the Product Explorer. This starts the wizard which installs the utility on the local machine. Local machine here refers to the machine where the Remote Install Utility is running.


Local Machine Requirements

The requirements for a local machine are listed below.

■ Microsoft Windows NT, Windows 2000, Windows Server 2003, or Windows XP. The Remote Install Utility must be executed on a machine running Microsoft Windows NT, Windows 2000, Windows Server 2003, or Windows XP, or the 64-bit processor-based versions of these operating systems.

■ The server service must be active. The Remote Install Utility distributes the software through shared directories on the local machine. Therefore the local machine must have the ability to share directories as network resources.

■ The user currently logged on to the local machine must have administrative access rights. The Remote Install Utility needs to modify registry values and create shared resources for directories containing the installation source files.

Note: If your local machine is running Windows XP, you must disable simple file sharing for the Remote Install Utility to function. You can disable the simple file sharing feature from the Microsoft Explorer window. On the Tools menu, choose Folder Options and then click the View tab. In the Advanced Settings pane, clear the Use simple file sharing (recommended) check box.

About the Installation Wizard

The installation wizard automatically installs the utility on the local machine, and sets up the directories and source files that you can use to perform remote installation of the antivirus software. You can re-run setup on a machine that already has the Remote Install Utility installed to add new source images.

Installation Source Created Automatically

The wizard automatically copies the CD image to the local hard drive. It also creates a default installation configuration for Windows NT Server and Windows NT Workstation. For the licensing information, you may need to configure the licensing directory. The locations for the utility and the source files can be modified at install time, but most users do not need to change the default directory settings.


See the section “Configuring the Installation Source” for more information on the installation source directories and licensing.

Using the Remote Install Interface

This section describes the Remote Install Utility graphical interface. From this interface you can specify installation targets, start and stop installation sessions, edit installation source properties, and modify default configuration settings for the software to be installed on the remote machines.

Starting the Remote Install Interface

After the utility has been installed the first time, you can launch it from the Start menu. The Remote Install Utility is made up of two sections: a network browser on the left and an installation target list on the right, as shown in the following screen sample.

In the sample screen, a machine running Windows NT Server is selected in the list on the left. A list of installation targets is displayed on the right. (Until machines are specified as targets, the list is empty.)


Browsing the Network to Select Installation Targets

Use the network browser to select installation targets from the network. When browsing Windows NT, Windows 2000, Windows 2003, or Windows XP domains and workgroups, machines are grouped by operating system. This aids in the selection of valid installation targets. Expand a domain or workgroup, and then expand an operating system category to select the machine you want. If you already know the name of a target machine, you can enter it manually, without browsing. See the section “Specifying Targets for Installation” for more information on installation targets.

About the Installation Target List

On the right side of the window, a list of specified target machines is displayed. The installation target list displays machines that are candidates for installation, along with their current status. If no machines have been specified as targets, nothing is displayed in the list.

Installation Target Information

The following information is displayed for each installation target on the installation target list.

Column: Description

Machine: The name of the machine where the antivirus software will be installed. Each machine can only appear once in the installation list.

Account: The account used to connect to the installation target machine. This account must have administrative privileges.

ICF File: The unattended response file containing the desired installation options. A sample ICF file named INOC6.ICF is included on the CD. See this file for a description of the configuration settings and available options. This file can also be edited from within the utility.

Status: The current status of the installation target.

Installation Progress: During the installation process, this field displays the function being performed currently, and its progress.

Target Status Information

The status of the installation process for each installation target is displayed in the status column, with an icon next to each message. These status values are described in the following table.

Message: Description

Installing: Installation is being performed. The Installation Progress column contains detailed information about the current state while it is taking place.

Installation pending: This target has been selected for installation. It will begin installation after a currently installing target completes or is stopped manually.

Installation successful: The installation has completed successfully.

Installation failed [###]: The installation has failed with error code ###.

Installation stopped by user: The installation was stopped manually.

Verification successful: A test login was performed with the account information specified, and was successful.

Verification undetermined: The account information specified has not been tested for verification.

Verification failed [###]: A test login was performed with the account information specified, and failed with error code ###.

Note: Additional information for error codes can be obtained by using the Windows NET HELPMSG command.


Using the Toolbar

Use the toolbar to access the most commonly used commands and features. The buttons on the toolbar are enabled and disabled depending on the items selected in the network browser and the installation target list. Therefore, some options will be unavailable, depending on what is selected.

The following table shows the toolbar buttons and their corresponding menu options, with descriptions of the action performed when a button or option is selected.

Menu Option: Description

File, Open: Open a previously saved target list, or import a target list generated in another application.

File, Save: Save the target list to a file.

Options, Installation Source: Configure installation source files.

Target, Add: Add a new installation target to the list.

Target, Edit: Edit the currently selected installation target.

Target, Delete: Delete the selected installation targets.

Edit, Copy: Copy the selected installation target to the Clipboard.

Edit, Paste: Apply all settings from the Clipboard to the selected targets.

Edit, Paste Special: Apply individual settings from the Clipboard to the selected targets.

Target, Verify Account: Verify the account information specified for the selected targets.

Target, Start Install: Start an installation session for the selected targets.

Target, Stop Install: Stop installing or cancel the pending installation of the selected targets.

Configuring the Installation Source

This section describes the installation source directories and files that are used by the utility to perform remote installs. Most users will not need to modify the default settings for these installation source properties. The installation executable is named SETUP.EXE. The licensing installation executable is named SILENT.BAT.

Setting Installation Source Properties

The Computer Associates antivirus software is distributed to the installation targets from shared directories on the local machine. You can modify the installation source properties using the setup application, after the utility is installed on the local machine. From the Remote Install Utility menu bar, select Options, and then the Installation Source menu option or toolbar button to display the Install Setup Wizard dialog, as shown in the sample screen below.

To edit the installation source properties, select the desired item in the list of Available Installation sources and click the Next button.


Installation Source Properties

All of the installation source properties are required unless otherwise noted, and are described in the following table.

Property: Description

Share Name: The name used when creating the read-only share that contains the installation source files. This share is created by the utility when an installation is started, and can optionally be removed when the utility exits. Note: This share is also added to the Null Session Shares list. This allows processes running under the local system account on remote machines to access the share without a login. This access is limited to read-only.

Share Path: The full path to the directory that will be shared.

Sub Directory: The directory under the share where the source files are located. This property is optional if the share path contains the installation image.

Exe Name: The name of the executable used to install the antivirus software.

Setting License Source Properties

You may need to modify the licensing source properties. A sample for configuring the Windows NT (x86) source is shown below.

Property: Value

Share Name: INOREMOTE$

Share Path: C:\PROGRAM FILES\COMPUTER ASSOCIATES\INOREMOTE

Sub Directory: \LICENSE

Exe Name: SILENT.BAT


Removing the Installation Source Shares

At the time an installation session is started, the installation source directories are automatically specified as shared directories. When you finish the installation session and exit the utility, the designation of these directories as shares will be removed. If you prefer to keep the shares available, this feature can be deselected from the menu bar, by choosing Options and then selecting the Remove shares on exit menu option. A check next to this option indicates that it is enabled, and that the shares will be removed.

Note: The shares created by the Remote Install Utility have been added to the NullSessionShares list. This allows processes running under the local system account on remote machines to access the share without a login. Although this access is limited to read-only, we recommend that you leave this feature enabled.

Specifying Targets for Installation

Use the Remote Install interface to specify the installation targets. These are the machines where you want to install the antivirus software.

Installation Target Requirements

The requirements for an installation target machine are listed below.

■ Microsoft Windows NT (x86): Remote installation targets must be running the Microsoft Windows NT, Windows 2000, Windows Server 2003, or Windows XP operating system on an Intel x86 or compatible processor.

■ Create hidden drive shares: The Remote Install Utility accesses the ADMIN$ share of the installation target machine. This requires that you have the system policy configured to automatically create the ADMIN$ share when the system starts. A default installation of Windows NT, Windows 2000, Windows Server 2003, or Windows XP will have this policy enabled.


Adding New Targets

Use the Installation Target dialog to provide machine, password, and ICF file information for the new target. You can access this dialog in one of the following ways.

■ From the menu bar, choose Target, and then the Add option, or from the toolbar, click the Add target button.

■ Press the Insert key on the keyboard.

■ Double-click on a valid machine in the network browser tree on the left side of the Remote Install browser window. Expand the list of machines as needed.

This displays the Installation Target dialog, as shown in the following example.

In the example, the installation target is a machine named THE-Q. The Administrator account will be used to sign on to the machine. The install process will use an ICF file named NUMBER.ICF. Note: If an existing entry in the target list is selected, the new target will automatically inherit the settings of the selected item.


Installation Target Properties

The installation target properties are described below.

Machine Name

The name of the machine where the software is to be installed. Each machine can only appear once in the installation list.

Admin Account

The account used to access the target machine. This account must have administrative privileges. This value can be specified in the form of USERNAME, DOMAIN\USERNAME, or MACHINE\USERNAME.

Admin Password

The password for the specified account.

ICF File

The unattended response file containing the desired installation options. A sample ICF file named INOC6.ICF is included on the CD. See Appendix B of this Administrator Guide for a description of the configuration settings and options available. Click the ‘…’ button to browse for the desired file. You can click the Create New button to display a configuration dialog that you can use to edit the ICF file from within the utility.

You can verify the account information at this time by clicking the Test Login button. The results of the login test are stored and displayed in the status column of the installation target list.

Editing Existing Targets

You can modify existing installation targets using the Installation Target dialog. You can do this in one of the following ways.

■ Select the desired item in the list and then from the menu bar choose the Target option, and then the Edit option, or from the toolbar you can click the Edit target button.

■ Double-click on the desired item in the list of installation targets.

This displays the Installation Target dialog, which you can use to edit the properties.


Although you can select multiple items from the list, the edit function can only be performed on a single selected item. To modify multiple selections, use the Paste and Paste Special commands to apply properties from one installation target to others.

Deleting Existing Targets

Installation targets can be deleted in one of the following ways.

■ Select the desired items in the list and choose the Target menu option, and then select Delete, or use the Delete target toolbar button.

■ Select the desired items in the list and press the Delete key.

Each of these actions displays a dialog to confirm that you want to delete the item.

Copying Target Information

It is often necessary to enter the same information for multiple targets. Common properties can be copied between installation targets by using the Clipboard. To do this, select the installation target that contains the desired settings and choose the Edit menu option and then select Copy, or use the Copy toolbar button. The selected item will remain on the Clipboard until another item is copied or the copied item is deleted.

Using Paste and Paste Special

To apply the settings from the item on the Clipboard to other items, select the desired items in the list and choose the Edit menu option, and then select Paste, or use the Paste toolbar button. This will apply all properties from the item on the Clipboard to the current list selection. It is sometimes desirable to apply only some of the properties of the Clipboard to the selected targets. Choose the Edit menu option and then Paste Special, or use the Paste Special toolbar button to display the Paste Special window where individual properties can be selected and applied.

Note: The Delete, Paste and Paste Special commands do not have an undo feature. Make certain that you select the correct items before proceeding.


Verifying Account Information

New installation targets and installation targets with modified account information will display a status of 'Verification undetermined.' To ensure that the installation will be initiated on all desired targets, you should perform a verification of the account information before starting an installation session. To verify the account information, select the desired items in the list and choose the Target menu option, and then select Verify Account, or use the Verify toolbar button. For each item selected, the Remote Install Utility connects to the ADMIN$ share of the target and verifies administrative access to the machine. If a connection exists with an account other than the one specified, the verification will fail due to a credential conflict (error 1219). Close the existing connection and retry the verification.

Importing and Exporting the Target List

The target list can be saved for later use. Files are stored in a native format with all information encrypted. This provides secure storage of the sensitive information provided for each target. Besides the secure file format used natively by the utility, the installation target list can also be imported from a comma delimited ASCII text file. These files should be created using the following format:

Machine,Account,Password,ICF

This format allows for files to be created in software that is better suited to generating large lists (such as Microsoft Excel). When generating files in another editor, empty values for the Account, Password, and ICF properties should be stored as a set of double quotation marks (“”).

Note: ASCII text files will store passwords “in the clear.” This means that they can be retrieved using any text editor (such as Notepad). We recommend that you delete the ASCII files after they are imported into the utility, and that you store the target list in the native file format.
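Added example (not part of this guide): a Python validator for a target list in the Machine,Account,Password,ICF format above. It applies the rules stated in this chapter (one entry per machine, an account written as USERNAME, DOMAIN\USERNAME or MACHINE\USERNAME, empty values as "") and reports bad rows before the file is imported; the sample rows are constructed, with THE-Q, Administrator and NUMBER.ICF taken from this chapter's dialog example.

```python
"""Added example, not part of the eTrust documentation: validate a
comma-delimited target list in the import format documented above,

    Machine,Account,Password,ICF

before importing it into the Remote Install Utility.

The checks follow rules stated in this chapter: each machine may appear only
once in the installation list, an account is USERNAME, DOMAIN\\USERNAME or
MACHINE\\USERNAME, and empty Account/Password/ICF values are written as a
pair of double quotation marks. The sample rows are constructed; THE-Q,
Administrator and NUMBER.ICF are the values from this chapter's dialog
example, the rest are made up.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Tuple

# USERNAME, or DOMAIN\USERNAME / MACHINE\USERNAME. Neither part may be empty
# or contain whitespace or the characters Windows forbids in such names.
_ACCOUNT_RE = re.compile(r'^(?:[^\\/:*?"<>|\s]+\\)?[^\\/:*?"<>|\s]+$')


@dataclass
class Target:
    machine: str
    account: str
    password: str
    icf: str


def parse_target_list(text: str) -> Tuple[List[Target], List[str]]:
    """Parse the import format and return (targets, problems).

    A row with a problem is reported and skipped rather than being imported
    silently, so a typo cannot quietly leave a machine out of the run.
    """
    targets: List[Target] = []
    problems: List[str] = []
    seen = set()
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for row in reader:
        lineno = reader.line_num
        if all(not field.strip() for field in row):
            continue                                  # blank line
        if len(row) != 4:
            problems.append(f"line {lineno}: expected 4 fields, got {len(row)}")
            continue
        machine, account, password, icf = (field.strip() for field in row)
        if not machine:
            problems.append(f"line {lineno}: empty machine name")
            continue
        key = machine.upper()                         # machine names are case-insensitive
        if key in seen:
            problems.append(f"line {lineno}: duplicate machine {machine}")
            continue
        if account and not _ACCOUNT_RE.match(account):
            problems.append(f"line {lineno}: malformed account {account!r}")
            continue
        seen.add(key)
        targets.append(Target(machine, account, password, icf))
    return targets, problems


# Constructed sample list as it might come out of a spreadsheet export.
SAMPLE_TARGET_LIST = """THE-Q,Administrator,"",NUMBER.ICF
WS-01,CORP\\Administrator,"",INOC6.ICF
WS-02,"","",""

ws-01,Administrator,"",INOC6.ICF
WS-03,CORP\\bad name,"",INOC6.ICF
"""

if __name__ == "__main__":
    targets, problems = parse_target_list(SAMPLE_TARGET_LIST)
    # Never echo the Password column: the ASCII file holds it in the clear.
    for t in targets:
        print(f"OK    {t.machine:<8} account={t.account or '<empty>'} icf={t.icf or '<empty>'}")
    for p in problems:
        print("ERROR", p)
```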


Configuring the Installation Control File

You can change the settings of the installation control file (ICF) to customize configuration settings for your enterprise. You can use the ICF Configuration dialog in the Remote Install interface to edit the sample ICF file, INOC6.ICF. You can also edit this file using a text editor. You can access an ICF file in several ways.

■ From the Installation Target dialog, click the ‘…’ button to browse for the desired file, and open it.

■ From the menu bar, choose Create ICF File.

■ To modify an existing file, from the menu bar, choose Modify ICF File, select a file, and open it.

This displays the ICF Configuration dialog.

About the ICF Configuration Dialog

The ICF Configuration dialog displays a list of groups and items on the left side of the dialog. When you highlight a group, descriptive information is displayed on the right. To make changes, expand a group and highlight an item. On the right side of the dialog, an explanation of the item is displayed. Below that are options that you can choose to modify the value of the selected item. When you are done making changes, save the ICF file.


Running Installation Sessions

This section describes the installation session process, and includes information on logging, and on starting and stopping sessions.

About Installation Sessions

After the installation targets have been identified, and the installation sources have been configured, an installation session can be started for each target. Information about the installation session is displayed in the Installation Progress column of the list of target machines, on the right side of the Remote Install window. The installation session progresses through the following stages.

■ Verify account information and connect to the target machine.

■ Copy an installation helper service to the ADMIN$ share of the target.

■ Install and start the helper service.

■ Find a local drive that contains enough disk space to store the installation images.

■ Copy the installation images for the antivirus software and licensing to the target.

■ Copy the unattended response file (ICF file) to the target.

■ Install the licensing software using the local copy of the installation image.

■ Install the antivirus software using the local copy of the installation image.

■ Remove the installation images from the target machine.

■ Stop and uninstall the installation helper service.

■ Remove the installation helper from the ADMIN$ share of the target.

■ Disconnect from the target machine.

For performance reasons, remote installation has been limited to five concurrent sessions. If more targets are selected, the first five will begin an installation session, and the remainder will display a status of Installation pending. As each installation session completes, the next pending target will be identified, and a new session will be started.

Adjusting Number of Concurrent Sessions

Advanced users can adjust the number of concurrent sessions by modifying the registry setting for MaxConcurrentInstalls to a value between 1 and 10.


The registry value can be found under the following registry key.

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\Antivirus\RemoteInstall\CurrentVersion\Settings

Note: Changing this registry key may cause undetermined performance degradation on the local machine and network. Do not change this value unless adequate memory, processor power and network bandwidth are available.

Logging Installation Sessions

If an unexpected error occurs, it is helpful to determine what operation was being performed at the time of the error. The Remote Install Utility can produce detailed logs of the installation process. To enable the installation logs, choose the Options menu, and then select Enable Logging. When this option is enabled, a directory named LOG is created under the directory where the utility was run. As the installations progress, a file is created for each installation target. Each log filename is made up of the machine_name of the target and a .log extension. These log files contain detailed information about the operations being performed from the local machine, as well as those executed by the remote installation helper service.

Starting Installation Sessions

Installation can be performed to some or all targets in the list. To start installation sessions, select the desired items in the list and choose the Target menu option, and then select Start Install, or use the Install to Targets toolbar button. The Remote Install Utility verifies the account information, and if successful, changes the state of each target to Installation pending. After the account information has been verified, the first five pending targets will begin the installation process and their status will change to Installing. During the installation, the Installation Progress column displays the current stage of the installation. After a successful installation, the status column displays Installation successful. If the installation fails, the status column displays ‘Installation failed [###],’ where ### is the error code.

Note: Additional information for error codes can be obtained by using the Windows NET HELPMSG command.


Stopping Installation Sessions

You can stop the sessions of targets that have a status of Installing or Installation pending before they are completed. To stop an installation, select the desired items in the list and choose the Target menu option, and then select Stop Install, or use the Stop installation toolbar button. Items that are pending installation will have their status changed back to Verification successful, and the installations will not proceed. Items that are installing will have their status changed to Installation stopped by user, to signify that the installation was terminated manually. The installation process can be stopped up until the time when the setup program is launched on the target.

Note: Stop Install requests for machines that are in the Installing state may not be processed immediately. The session will terminate when it reaches a state where it can end gracefully.

Uninstalling the Remote Install Utility

The Remote Install Utility can be removed from the Control Panel by using the Add/Remove Programs option. In addition, if you need to uninstall the antivirus software, there is an option to remove the utility as well.

Remotely Installing on Windows 9x Machines

You can remotely install the Computer Associates antivirus software on Windows 9x machines by using the Setup.exe utility in a login script. This utility checks to see if the software is installed on a machine.

Using Setup.exe for Windows 9x

To remotely install on a Windows 9x machine, put setup.exe in the login script with one of the following options (setup.exe is located in …/bin/eav_s.win):

Option    Description

/N        Checks to see if the machine has a version of the program installed. If the version on the machine is greater than or equal to the current version that you want to roll out, the program is not installed again.

/N-       The program that you want to roll out is installed regardless of the version that is installed on the machine.

Examples

The following command checks for the version installed on the machine.

setup.exe /N

The following command installs the version you want to roll out.

setup.exe /N-

Chapter 10

Using Rescue Disk for Windows 9x

This chapter provides information about using the Rescue Disk feature to recover from an infection on Windows 9x workstations. Most infections can be managed using the Local Scanner. However, if a Windows 9x machine has a boot sector infection or an infection that damages the critical disk area files, use the Rescue Disk feature.

Using the Rescue Disk Feature

The Rescue Disk feature allows you to easily make a backup of the critical disk areas of a Windows 9x workstation. In the event that the critical files on the hard disk of the workstation become corrupted by an infection, you can use the Rescue Disk to recover the machine and restore these files.

About Rescue Disk

The Rescue Disk protects the critical disk areas of a workstation by backing up important system files.

Using Different Engines for Rescue Disk

When you create a Rescue disk, you have the option to choose different available engines. The features available on the rescue disk depend on the engine used to create the disk. A rescue disk created for the Antivirus engine has different features from a rescue disk created for the Vet engine. Whichever engine option you use, the disk provides the necessary backup and recovery information that you need.

Rescue Disk with Antivirus Engine

A Rescue Disk created for the Antivirus engine provides protection for critical disk areas that include the following:

■ Master Boot Record
■ Boot Sector
■ Partition Table
■ CMOS Settings
■ I/O System file
■ Windows 9x system file
■ Windows 9x shell file (COMMAND.COM)

This Rescue Disk is bootable, and it contains a copy of INOCUCMD.EXE, the command line scanner.

Rescue Disk with Vet Engine

A Rescue Disk created for the Vet engine stores a copy of your drive templates, and other system information. It includes RESCUE.EXE, which provides recovery capability for use with the Vet engine. In Version 7.0 or later, this rescue disk is bootable. Use the RESCUE.EXE program only when you start the computer in DOS mode. Do not run it from Windows or from a command prompt box in Windows. If you are in Windows, select Start, and then select Shutdown. Then select the option to restart the computer in MS-DOS mode.

Making and Maintaining a Rescue Disk

After you install the Computer Associates antivirus software and re-boot your machine for the changes to take effect, you can then create a Rescue Disk.

Creating a Rescue Disk

Click the Rescue Disk button on the Local Scanner toolbar to launch the Rescue Disk wizard. Use the Create a New Rescue Disk option to format the floppy disk and store the critical disk information of the workstation.

Important! We strongly recommend you create a Rescue Disk. This extra precaution may be a critical part of recovery if an infection is encountered. After creating a Rescue Disk, label it clearly with an indication of the specific workstation it belongs to, and store it in a safe place.

Update and Verify Options

After you have created a Rescue Disk, you can use the Update and Verify options of the Rescue Disk Wizard to keep the information on the disk up-to-date for the specific workstation. If you have an existing Rescue Disk, you can use the Update option. This is faster than using the Create option, because it updates the disk without having to reformat it. Use the Verify option to check to see if the Critical Disk information has been changed.


Keep Rescue Disk Up-to-Date

It is very important to maintain an up-to-date Rescue Disk for your workstation. This preventive measure should be performed on a scheduled basis. You should create a Rescue Disk or update your existing disk under the following circumstances.

■ When you change your CMOS information (Antivirus engine only)

■ When you change your hardware configuration

■ When you change your system files, such as when you add new lines to the AUTOEXEC.BAT when installing a product (Antivirus engine only)

■ When you upgrade your operating system

What is on Rescue Disk for Antivirus Engine

When you create a Rescue Disk for the Antivirus engine, the following occurs:

■ The Rescue Disk is formatted and made bootable

■ The files INOCUCMD.EXE and VIRSIG.DAT are copied

■ The HIMEM.SYS file is copied

■ A CONFIG.SYS file is created with the following two lines:
  – FILES=40
  – DEVICE=HIMEM.SYS

■ AUTOEXEC.BAT is created to invoke INOCUCMD.EXE

■ The Rescue Disk is volume-labeled

■ The critical disk area information is backed up

When the Rescue Disk is created, the following critical disk area information is backed up to the floppy disk.

File            Critical Disk Area Information
AUTOEXEC.SIG    AUTOEXEC.BAT file
BIOS.SIG        BIOS system file
BOOTSECT.SIG    Boot sector
CMOS.SIG        CMOS settings
CONFIG.SIG      CONFIG.SYS file
DOS.SIG         Windows 9x system file
INFO.SIG        Information about these files and their location on the hard disk
PARTSECT.SIG    Partition table
SHELL.SIG       Windows 9x shell file (COMMAND.COM)

Note: This list gives you an indication of the type of information backed up. Additional associated files are written to the Rescue Disk that are not listed here.

Recovering from a Computer Virus

If an infection is found in memory, or if the program prompts you to reboot, use the Rescue Disk.

Using the Rescue Disk Options

Use the following options with a Rescue Disk created for the Antivirus engine. If you need to use the Rescue Disk to reboot your machine, the available options are described below. Follow the instructions on the screen after choosing one of these options.

Scan for and Cure Boot Viruses

Use the Scan for and Cure Boot Viruses option to check for damaged boot sector files only and restore them from the Rescue Disk if needed.

Compare/Restore Boot

Use the Compare/Restore Boot option to check if any critical disk area files on the hard disk have been changed by an infection, and to restore them from the Rescue Disk if needed.

Note: After you use the Rescue Disk to restore a workstation, use the Local Scanner to check again for infections. See the online help for procedures for using the Rescue Disk. Specialized infection removal information is available on the Computer Associates Virus Information Center at http://www.ca.com/virusinfo/

Chapter 11

Using the Alert Manager

This chapter describes the use of the Alert Manager component. It contains information about the Alert Settings that are integrated into the Computer Associates antivirus software GUI. Alert runs on Windows NT, Windows XP, Windows 2000, and Windows 2003 systems. This chapter also describes the use of the Local Alert Manager in UNIX and OS X systems.

Introducing Alert

Alert is a notification system that sends messages to people in your organization using various methods of communication. Alerts can be sent to the system administrator, a hardware technician, or anyone else, in or out of the office. An individual or groups of persons in different segments of the network can also be notified.

In order to generate alerts you must tell Alert what information is necessary to communicate. For example, if you will be using the pager system, you will have to tell Alert what pager number to dial, and you will have to supply information about your modem. All of this information must be configured in the Alert program on your server.

Alert does not generate its own messages. Alert routes any messages, errors, or warnings it receives from different sources, including the Computer Associates antivirus software, and distributes these alerts to specific destinations. For example, the Computer Associates antivirus software generates warning messages whenever a virus is detected. These warning messages are passed to Alert, which sends the notification. Alerts can be sent using the following methods.

■ Broadcasts: Alert broadcasts can be sent to specific computers.

■ Pager: Numeric and alphanumeric.

■ Email: Microsoft Exchange or Lotus Notes.


Note: MS Exchange Mail Setup—You can use either the Alert Setup program or the Exchange Mail Setup option in the Alert Manager File menu to configure MS Exchange Mail for use with Alert.

■ Trouble Tickets: An alert can be printed through any print queue on your network.

■ Simple Mail Transfer Protocol (SMTP): For sending email messages using the Internet.

■ Simple Network Management Protocol (SNMP) managers: Such as NetWare Management System (NMS) and HP OpenView.

■ Local and remote Windows NT and Windows 2000 Event Log Notification.

■ Unicenter TNG Option: Send a message to the TNG console and/or WorldView repository when an alert is generated.

■ eTrust Audit: Send a message to the eTrust Audit Viewer or Security Monitor when an alert is generated.

Basic Components

The basic components of Alert are briefly described below.

■ Alert Service: This is the service that is responsible for the reception, processing, and distribution of Alert messages.

■ ALBUILD.DLL: This is the .DLL that acts as the channel between Alert and other applications. This should be located in the home directory where the Computer Associates antivirus software is installed.

■ Alert Manager: This is where you can configure how Alert sends its messages.

Alert Features

The Alert features provide you with access to the latest information about your systems and enable you to receive messages from clients.

■ Remote management and configuration of Alert Service

■ Alerts from clients may be sent using IP in addition to the standard IPX protocol

■ Messages containing full paths of any virus-ridden files

Running the Alert Manager

You can run Alert from the program group of the Computer Associates antivirus software by selecting Alert Manager. You can use the Alert Manager to select a remote machine to manage Alert messages. Before you start Alert, you must establish a Service Account connection and select a remote machine.

Configuring Alert

Alert allows you to configure default settings used by all applications that use the Alert Service. You can also enter configuration information specifically for an individual application, which will override the default Alert configuration. Each application that uses Alert is displayed as a leaf on the left-hand function tree.

Creating and Editing Port Configurations

The Ports object, located under the Configuration object, contains communication port profiles. The following port configurations are used by the Pager and any function that utilizes serial port access:

■ Port: The name of the communications port you want the pager message to be broadcast from.

■ Baud Rate: The baud rate being used by your modem.

■ Parity: The parity setting, none, odd, or even, of your modem.

■ Data Bits: The number of data bits, 7 or 8, that your modem uses.

■ Stop Bits: The number of stop bits, 1 or 2, that your modem uses.


Using Alert Broadcast Option

Alert broadcasts can be sent to specific network users or groups. To learn how to add broadcast recipients, refer to the Alert online help.

Using the Pager

The pager option is used to send a numeric or alphanumeric pager message. When you highlight the Pager option, the current list of recipients appears. To learn how to add pager recipients, refer to the Alert online help.

Note: Before you can add pager recipients, you need to configure your communications ports.

Note: When sending an alphanumeric page, consult your pager manual for proper modem settings.

Interpreting the Pager Message

There are several messages similar to the ones below that can be sent to an alphanumeric pager. Words that appear in italics will be filled in with an actual user name, workstation address, path and file name, virus name, or server name.

■ Boot Virus Detected (username at workstation address)

■ Manager Detected a Virus [virusname] in [path] (username at workstation address)

■ Infected File [servername/path] Detected

■ Infected File [path] Accessed by username at workstation address
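Added example (not part of this guide): a Python parser that maps each of the four pager message shapes above to a structured record, so the notifications can be logged or forwarded to a monitoring system. It assumes the italicised placeholders are substituted in place with the brackets and parentheses sent as shown; the sample messages are constructed and use the EICAR test string as the virus name.

```python
"""Added example, not part of the eTrust documentation: turn the alphanumeric
pager messages listed above into structured records so they can be logged or
forwarded to a monitoring system.

Assumption: the italicised placeholders (username, workstation address, path,
virus name, server name) are substituted in place and the surrounding
brackets and parentheses are sent as shown. All sample messages below are
constructed; the virus name is the EICAR test string, not a real infection.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# One pattern per message shape documented for the pager. Named groups give
# the fields a SIEM or ticketing system would index on.
_PATTERNS = [
    ("boot_virus_detected", re.compile(
        r"^Boot Virus Detected \((?P<user>.+?) at (?P<workstation>.+?)\)$")),
    ("manager_detected_virus", re.compile(
        r"^Manager Detected a Virus \[(?P<virus>.+?)\] in \[(?P<path>.+?)\] "
        r"\((?P<user>.+?) at (?P<workstation>.+?)\)$")),
    ("infected_file_detected", re.compile(
        r"^Infected File \[(?P<path>.+?)\] Detected$")),
    ("infected_file_accessed", re.compile(
        r"^Infected File \[(?P<path>.+?)\] Accessed by (?P<user>.+?) at (?P<workstation>.+?)$")),
]


def parse_pager_message(message: str) -> Optional[Dict[str, str]]:
    """Return {"event": ..., plus whichever of virus/path/user/workstation the
    shape carries}, or None when the text matches none of the known shapes."""
    text = message.strip()
    for event, pattern in _PATTERNS:
        match = pattern.match(text)
        if match:
            record = {"event": event}
            record.update(match.groupdict())
            return record
    return None


def summarize(messages: Iterable[str]) -> Tuple[Dict[str, int], List[str], List[str]]:
    """Count events by shape (unknown text under "unrecognized") and list the
    distinct workstations and infected paths seen, for a quick triage view."""
    counts: Counter = Counter()
    workstations, paths = set(), set()
    for message in messages:
        record = parse_pager_message(message)
        if record is None:
            counts["unrecognized"] += 1
            continue
        counts[record["event"]] += 1
        if "workstation" in record:
            workstations.add(record["workstation"])
        if "path" in record:
            paths.add(record["path"])
    return dict(counts), sorted(workstations), sorted(paths)


# Constructed messages following the four documented shapes, plus one line of
# unrelated text to show how unknown input is handled.
SAMPLE_MESSAGES = [
    "Boot Virus Detected (jsmith at 192.0.2.12)",
    "Manager Detected a Virus [EICAR-Test-File] in [C:\\TEMP\\EICAR.COM] (jsmith at 192.0.2.12)",
    "Infected File [FILESRV/PUBLIC/REPORT.DOC] Detected",
    "Infected File [\\\\FILESRV\\PUBLIC\\REPORT.DOC] Accessed by mjones at 192.0.2.20",
    "Alert service started",
]

if __name__ == "__main__":
    counts, workstations, paths = summarize(SAMPLE_MESSAGES)
    print("events:", counts)
    print("workstations involved:", workstations)
    print("infected paths:", paths)
```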

Using the SMTP Option

Use the SMTP option to provide information for Alert to send messages using SMTP (Simple Mail Transfer Protocol). You can enter an email address for a recipient and send the message over the Internet.

Using the SNMP Option

You can use the SNMP option to send an SNMP ‘trap’ (message) to an SNMP manager. Examples of SNMP managers include NetWare Management System (NMS), HP OpenView, and IBM Netview. The Alert online help explains the SNMP fields on the SNMP Configuration screen, and how to use them.


Using the Trouble Ticket

Trouble tickets are used to alert users through a printed document.

Using Email

The email option is used to send email messages to specific users.

Important! The Microsoft Exchange or Lotus Notes Client must be installed on your computer in order to be able to send messages or to enter configuration data on this screen. Consult the appropriate Windows documentation for instructions about how to set up your Email account.

Using the Unicenter TNG Option

The Unicenter TNG Option makes it possible to send a message to the Unicenter TNG console and the WorldView repository, or both, when an alert is generated.

Note: The Alert application must be running on both the Event Management machine as well as the WorldView machine. Refer to the online Alert help for directions on how to send a message to the Unicenter TNG Console, the WorldView repository, or both.

Using the eTrust Audit Option

Use the eTrust Audit option to send a message to the eTrust Audit Viewer or Security Monitor when an alert is generated. Use the Recipients (Routers) dialog box to add a domain or an individual server to the recipient list.

The Application Event Priority

All applications calling Alert specify one of the following Event Priorities:

■ Critical
■ Warning
■ Informational


Sample TNG Alert Scenarios

Samples of how to tailor the Alert messages that are sent to the Unicenter TNG Console are described in the following examples.

Example 1

If you want to send informational alerts to the Unicenter TNG Console using blue text, for example, configure a recipient as follows:

Option                                                                     Setting
Application Event Priority                                                 Informational (display-only)
Severity                                                                   Informational
Color                                                                      Blue
Send to console                                                            Selected
In the TNG WorldView group: Update object status in WorldView repository   Selected

Example 2

If you want to send error alerts to the Unicenter TNG Console using red text, and have the object status in the WorldView repository updated, configure another recipient as follows:

Option                                                                     Setting
Application Event Priority                                                 Critical (display-only)
Severity                                                                   Error
Color                                                                      Red
Send to console                                                            Selected
In the TNG WorldView group: Update object status in WorldView repository   Selected


Testing the Recipients

You can use the Test toolbar button to test any of the Alert messaging functions without an actual “alarm” condition. See the Alert online help for information on how to do this.

Note: You should test any features after the configuration has been completed. Be sure to inform any Alert recipients that a test is taking place.

Alert Activity and Event Logs

While the current status of Alert is shown when the Alert Summary is highlighted in the Activity group, a historical listing is stored in the Activity Log. Similarly, every message that is generated by Alert is stored in the Event Log. You can view, print, or clear these logs. See the Alert online help for directions.

Event Log Destination

You can configure the Event Log destination so that Alert will put an event for a selected server in the Event Log of that machine.

Using Alert with the Antivirus Software

This section describes the integrated options in the Computer Associates antivirus software GUI that allow you to set options for managing the information that is passed to the Alert Manager on the local machine. Use these options in conjunction with Alert. These options allow you to tailor the notification information that is provided to Alert, to cut down on message traffic and minimize the dissemination of notifications that are not critical. The Alert options set on the local machine apply to that machine. Administrators can set Alert policy for multiple machines through the Administrator View. The following tabs are available for the Alert Settings dialogs:

■ Policy (Only for authorized users of the Administrator View)
■ Report
■ Filter

Using the Alert Manager

11–7

Using Alert with the Antivirus Software

Accessing the Alert Settings Options

You can access the Alert Settings options from the Local Scanner toolbar by clicking the Alert Settings button.

Using Alert Report Options

Use the Alert Report options to specify where to send notification information, and to manage how frequently to send messages.

Using the Report To Options

Use the Report To options to specify where to send the Alert report information.

Local Alert Manager

Send notification information to the Alert Manager component on the local machine.

Event Log

Send notifications to the system event log of the local machine.

Forward To

Use the Forward To option to send the notification to a specified Machine Name that has the Computer Associates antivirus software installed. After the specified machine receives the notification, the information is managed depending on the Alert Settings for that machine. The machine that the notification is forwarded to can, in turn, distribute messages to other machines. This option can be used to pass information along in an escalation hierarchy, for example, or to send information to key personnel.

Machine Name

Specify the name of a machine to which you want notification information forwarded. This machine must have the Computer Associates antivirus software running on it.

Managing Report Criteria

Use the Report Criteria options to manage how frequently messages from the General Event Log are reported, based on the settings for the Report To options. The Queue Up and Time Out After options work together. Messages are reported based on whichever limit is reached first.

Queue Up Records

Use the Queue Up option to specify a number of message records to collect in the General Event Log. When the limit is reached, the information is reported as specified in the Report To options.

Time Out After

After the specified number of minutes is reached, the information in the General Event Log is reported as specified in the Report To options, even if the number of messages has not reached the Queue-Up number.

Skip Older Than Days

Any record in the General Event Log that is older than the specified number of days is not reported.

Using Alert Filter Options

Use the Alert Filter options to manage notification severity levels, and to customize sets of notification messages to be reported for the different Computer Associates antivirus service components. These options allow you to determine what types of messages should be passed to the Alert Manager. You can use Notification by Level of Severity or Custom Notification.

Notification by Level of Severity

You can choose to send notifications by their level of severity:
■ Informational—This type of message provides information on events such as if the service has started or stopped and if no infections have been found.
■ Warning—This second priority message provides non-critical warning information.
■ Critical—This is the highest level message. It requires immediate attention once logged. This message could mean there is an infection detected, or there is a problem with the service, such as an error loading an engine.

Custom Notification

Use the custom notification option to customize sets of notification messages for the different services. Choose one of the available service modules and select from a list of associated notification messages. Use these options to specify which messages you want to send as notifications. This limits the messages that are reported by Alert on Windows systems, or by the user-specified script on UNIX and OS X systems. For each service module, you can select specific messages that you want reported. The following service modules are available:
■ Local Scanner—For local scans.
■ Realtime Server—For the Realtime Monitor.
■ Job Server—For the scheduled scan job and signature update scheduling agent.
■ Admin Server—For the Admin Server agent.
■ Virus Report—For the antivirus and domain reports from computers discovered by the Admin Server.

List of Notification Messages

For each service selected, a different list of messages is available. The level of severity of each message is listed, along with the text of the message. You can use this list to select only the messages that you want to be passed to Alert, and in turn, reported by the different methods of communication specified by the configuration options in Alert. By choosing the types of messages, you can cut down on unwanted network message traffic. Only the messages that you determine to be of importance and warranting a notification will be passed along.

Using Alert Policy in the Administrator View

The same Alert Settings options that are available from the Local Scanner are available for authorized users of the Administrator View. In the Administrator View, from the Configuration Settings, under the Enforced Policy category, you can select the Alert category to display the Alert Policy Options. Use the Alert Policy Options in the same way as you do for setting other policy options in the Administrator View. Create the settings you want, and then apply them to containers in the Organization tree. See the chapter “Using the Administrator View” for more information on managing policy options.

Using Local Alert Manager in UNIX and OS X Systems

Under UNIX and OS X, you can use the Local Alert Manager setting to send notification information to a shell script that you can write yourself. The script can then take any action you wish, such as sending an email to a specified address when the Computer Associates antivirus software detects a virus. Use the script InoSetAlert to specify the name of the script that you want to run when an alert is generated. For example, the command below causes /home/myfiles/myscript to be used as the alert script:
InoSetAlert /home/myfiles/myscript

The following command turns the feature off:
InoSetAlert

Under OS X you can also indicate an alert script to be run in the eTrust Antivirus Preference Options panel, which can be run from the System Preferences panel. The Computer Associates antivirus software will send specific information to the script, which it will receive as standard script arguments, for example, $1, $2, and so on. These arguments, in order, are:

1. Time of the event (as a string, such as "10:15:20 AM 22-Jan-2001").

2. Code number for the event. The code number for a virus detection by Realtime is 26.

3. The severity of the event: (1=Information, 2=Warning, 3=Error).

4. The name of the node on which the event occurred.

5. The text of the message generated by the Computer Associates antivirus software.
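The argument list above maps directly onto a script. As an added example, not part of eTrust Antivirus or its documentation, the following POSIX shell script takes the five arguments in that order, appends a one-line record to a log file, and escalates Realtime virus detections (event code 26, from the list above) and severity-3 events by mail. The log file path, the mailbox address, and the use of mail(1) are assumptions made for illustration; the script only acts when it is invoked with all five arguments, so it can be sourced or tested without side effects.

```shell
#!/bin/sh
# Added example alert script for use with InoSetAlert. Not shipped with
# eTrust Antivirus; log path, mail recipient and mail(1) are assumptions.

ALERT_LOG="${ALERT_LOG:-/var/log/etrust-alerts.log}"              # assumed path
ALERT_MAILTO="${ALERT_MAILTO:-security-oncall@example.invalid}"   # placeholder address

# Map the numeric severity (argument 3) to the name used in the guide.
severity_name() {
    case "$1" in
        1) echo "Information" ;;
        2) echo "Warning" ;;
        3) echo "Error" ;;
        *) echo "Unknown($1)" ;;
    esac
}

# Build one log record from the five arguments:
# $1 time, $2 event code, $3 severity, $4 node name, $5 message text.
format_alert() {
    printf '%s code=%s severity=%s node=%s msg="%s"\n' \
        "$1" "$2" "$(severity_name "$3")" "$4" "$5"
}

# Escalate on a Realtime virus detection (event code 26) or any Error
# (severity 3) event; arguments are the event code and the severity.
should_escalate() {
    [ "$1" = "26" ] || [ "$2" = "3" ]
}

# Entry point called by the antivirus software with the five arguments.
handle_alert() {
    record=$(format_alert "$@")
    printf '%s\n' "$record" >> "$ALERT_LOG"
    if should_escalate "$2" "$3" && command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$record" | mail -s "eTrust Antivirus alert on $4" "$ALERT_MAILTO"
    fi
}

# Only act when invoked by the antivirus software with all five arguments.
if [ "$#" -eq 5 ]; then
    handle_alert "$@"
fi
```

Because the message text (argument 5) is supplied by the scanner and may contain spaces, every argument is quoted when passed on; keep that habit if you extend the script to call other tools.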


Chapter 12

Integrating with Unicenter

This chapter describes how the Computer Associates antivirus software integrates with Unicenter TNG on Windows NT, Windows 2000, or Windows 2003 platforms, and the scanning options available for managing a machine from a Business Process View in WorldView. As a Unicenter TNG option, the Computer Associates antivirus software works in conjunction with Unicenter TNG on the Enterprise, Local, and Workgroup Servers. The Unicenter TNG platform required is determined by the operating system of the server:
■ Unicenter TNG for Windows NT, 2000, or 2003 must be installed on all Windows NT- or 2000-based Enterprise, Local, and Workgroup Servers.
■ The Unicenter TNG that corresponds to the hardware and operating system of the UNIX-based Enterprise, Local, or Workgroup Local Server must be installed on those servers.

Using WorldView

Within Unicenter TNG, you can use WorldView to view, organize, and manage machines in your antivirus network. WorldView is made up of several tools to help you manage your IT resources. WorldView provides the Auto Discovery service, the Common Object Repository, the Class Wizard, the 3-D Real World Graphical User Interface, the 2-D Map Graphical User Interface, Business Process Views, and several browsing tools.

Auto Discovery

Auto Discovery automatically detects and identifies all of the devices in your network and adds them to the Unicenter TNG Common Object Repository as managed objects. Once defined, they are displayed as part of your network configuration. You can view and monitor them through the 3-D World Interface, the 2-D Map, and other interfaces.


Real World Interface

The Real World Interface provides a 3-D Map to visually represent the distributed resources in your system. Through three-dimensional animation, you can visually represent objects and make them more realistic and manageable. This provides an easy and intuitive way to customize the display of your antivirus network.

2-D Map

The 2-D Map is a two-dimensional, graphical view of the logical structure of your enterprise. Use this interface to position objects on maps which provide full geographic detail. You will be able to place your resources into a logical hierarchy of networks, subnetworks, and segments, based on their logical relationships.

Business Process Views

The Unicenter TNG Business Process View is a simple, concise view of a logical grouping of managed objects that are related to a specific process. Use this to create a display of all your antivirus resources in a way that is most meaningful to your site. You can monitor the condition and status of objects, set triggers and thresholds, and intercept messages. These views can assist in the detection and prevention of problems, and provide an immediate, graphical view of the source of any problem.

Class Wizard

The Unicenter TNG WorldView Class Wizard is an easy-to-use facility that enables you to create or modify classes without writing any code. The Class Wizard can step you through the process of defining properties, creating popup menus to launch applications, or defining the appearance of objects on the 2-D or 3-D Maps.

WorldView Browsers

Unicenter TNG offers views of information stored in the Common Object Repository. These browsers consist of the Class Browser, the Object Browser, the Topology Browser, and ObjectView. You can customize any view of your enterprise according to its logical structure. You can view them through 3-D and 2-D Maps for iconic views, or through a selection of browsers for textual views. For more information about WorldView, refer to the Unicenter TNG documentation.


Preparing for TNG Integration

To use the Computer Associates antivirus software with Unicenter TNG, you must import the appropriate class information to the Unicenter TNG repository. Do this after you have run Auto Discovery for your network. Then you can use the InoUpTNG utility to populate a Business Process View of your antivirus network.

Using TRIX for Importing to the Repository

Use the Repository Import/Export program (TRIX) to invoke the import script that is provided with the Computer Associates antivirus product. This creates an Antivirus class. You can access the TRIX program from the Start menu, through the Unicenter TNG WorldView program group. Select Repository Import/Export to launch the TRIX interface. Then use TRIX to open the script file, TRIX0.TNG, and import it into the repository. This import script file is located in the directory where the Computer Associates antivirus software is installed. You must know the name of the repository you wish to connect to, and use a valid User ID and Password to sign on to the repository. TRIX can also be invoked by entering the following at the command prompt:
trix

This starts TRIX.EXE. For more information about TRIX, refer to the Unicenter TNG documentation.

Using InoUpTNG to Populate the View

After you have done the import to the repository, use the InoUpTNG utility to create the antivirus Business Process View and populate it with a display of the machines in your antivirus network. InoUpTNG discovers machines in your network based on the machine information in the TNG database, and the subnet discovery information in the Admin Server database. The utility uses the information from both of these sources to populate the WorldView repository.


The TNG network must have been discovered and a machine must already exist in the TNG repository before you run InoUpTNG. The Subnet Discovery for the Admin Server must have been done also. Based on the machine information in the Admin Server database, InoUpTNG searches the TNG repository for matching machine objects. If InoUpTNG finds a matching machine in the TNG database, it creates an Antivirus object and links it to the machine. Then the object is displayed in the Business Process View. This provides the view of all the machines that are running instances of the Computer Associates antivirus software in your network. If there are multiple Admin Servers in your network, the utility discovers them. Conversely, if the machine is not already in the TNG database, then an object will not be created for it, and it will not be displayed in the view. See the section “Using Subnets” in the chapter “Using the Administrator View” for information on subnet discovery.

Managing Antivirus Options in WorldView

After you have a Business Process View of your antivirus network, you can manage the scanning options for the machines in the view.

Integrating with WorldView

When you right-click on a machine in the view, the standard Unicenter options for managing objects are available. In addition, the following options are available for managing the antivirus software on machines in the view:
■ Configure Realtime
■ Configure Distribution
■ Schedule Job
■ Display Logs
■ Configure Contact
■ Display Summary (for legacy machines)
■ Broadcast Configuration (for legacy machines)
■ Configure Service (for legacy machines)

These options allow you to set scanning options for the selected machine in the same way that a user sets the options on a local machine.


To view and modify options on a machine, you must have a valid user ID and password for the Admin Server that manages the machine.

Managing Legacy Machines

When you select a legacy machine and right-click on it, you can select legacy options to manage that machine. These options display the dialogs for the older versions of the product. To manage options on a machine, you need a valid user ID and password on that machine.

Configure Realtime

Use Configure Realtime to set the Realtime Monitor options for the selected machine. This displays the same options that are available for managing the Realtime Monitor on a local machine. See the chapter “Using the Realtime Monitor” for more information on using the realtime monitor options.

Configure Distribution

Use Configure Distribution to set Signature Update options for the selected machine. This displays the same options that are available for managing signature updates on a local machine. See the chapter “Getting Signature Updates” for more information on using the signature update options.

Schedule Job

Use Schedule Job to set Schedule Scan Job options. This displays the Remote Scan View, which provides access to the same options that are available for managing scheduled scan jobs on a local machine. You can create a new scheduled scan job or modify an existing job.

Using the Remote Scan View

From the Remote Scan View, you can add a new scheduled scan job, edit an existing job, or delete a selected job. These are the same options that are available for managing scheduled scan jobs on a local machine. These options are available from the Options menu, and the toolbar buttons. You can also access these options by right-clicking on a job in the list on the left. In addition, when you highlight a job in the list on the left, you can right-click anywhere in the summary on the right to display the available options. The Remote Scan View displays the selected machine on the left side of the window. You can expand the machine to display jobs that are scheduled to run on the machine, if any.


When you highlight a job in the list on the left side of the window, summary information about the job is displayed on the right. This displays the properties used for the job. See the chapter “Scheduling Scan Jobs” for more information on using the schedule scan job options.

Display Logs

Use Display Logs to view and manage log information for the selected machine. This displays the same view and options that are available from the Log Viewer on a local machine. See the chapter “Viewing and Managing Logs” for more information on using the Log Viewer.

Configure Contact

Use Configure Contact to set the Contact Information options for the selected machine. This displays the same options that are available for managing the contact information options on a local machine. See the section “Using the Contact Information Option” in the chapter “Using the Local Scanner” for more information on using the contact options.

Display Summary

Only available for legacy machines. Use Display Summary to display summary information for a selected machine that is running a 4.x version of the Computer Associates antivirus software.

Broadcast Configuration

Only available for legacy machines. Use Broadcast Configuration to manage broadcast configuration information for a selected machine that is running a 4.x version of the Computer Associates antivirus software.

Configure Service

Only available for legacy machines. Use Configure Service to manage antivirus services for a selected machine that is running a 4.x version of the Computer Associates antivirus software.


Appendix A

Installing the Antivirus Software for UNIX

Use the procedures in this chapter to install the eTrust Antivirus software on UNIX systems. Evaluate your system requirements, and then follow the steps described to install the product. See Appendix B for installing the eTrust Antivirus software on Macintosh OS X machines.

Before You Install

Before you install the eTrust Antivirus software for UNIX you should evaluate the hardware and software requirements below to ensure that your site meets the minimum requirements necessary to install the product.

Web Browser

To use the GUI interface on UNIX systems:
■ An HTTP server must be installed and running on the system where the eTrust Antivirus software is installed in order to be able to use the web browser GUI.
■ To access the GUI interface, use either of these two preferred web browsers:
  – Internet Explorer Version 5 or above
  – Netscape Navigator Version 4.5 or above
  The browser can be installed either on the system where the eTrust Antivirus software is installed or on some remote system.

Network Requirements

To use the eTrust Antivirus software, a TCP/IP network must be properly installed on your system.


Hardware Requirements

Your UNIX administrative server must have at least 150 megabytes of free disk space. Your browser must be running on a machine with an SVGA color monitor capable of 800x600 resolution, 16 colors minimum, 256 colors preferred.

Supported Operating Systems

Please refer to the README file on your installation disk for an updated list of the supported operating systems. The supported operating systems include:
■ Linux (Intel)—Red Hat 7.2, 7.3, 8.0, and Enterprise Linux 2.1 and 3.0; SuSE 7.2, 7.3, 8.0, 9.0 Professional, Desktop Linux 1.0, and SLES 7.0 and 8.0
■ Linux (S390)—Red Hat 7.2; SuSE 7.0, 7.2 and SLES 8.1
■ Solaris for Sparc—2.6, 7, 8, and 9
■ HP-UX for PA-RISC—11 and 11i

Note: On a Red Hat Linux system, in order to run the Realtime Monitor, you must rebuild the Linux kernel. To do this, you must download and install the kernel source code associated with your kernel.

Installing the Antivirus Software for UNIX

Follow these steps to install the eTrust Antivirus software for UNIX:

Installation Procedure

You must be a superuser to install the eTrust Antivirus software.

1. On the target machine, create a directory from which you will run the installation program, and cd to that directory.

2. Insert the eTrust Antivirus software for UNIX CD into the CD-ROM drive on your machine.

3. Copy setup and the compressed tar file appropriate for your system to the current directory.

4. Make sure that setup is executable. For example:
   chmod +x setup

5. Run the setup script. For example:
   ./setup

6. The installation process will begin and you will be asked to respond to a few questions. If setup can identify the location of a previous installation of eTrust Antivirus, or another product that installs into the same directory tree, it will ask you to confirm that you want to continue the installation into the same location. Without uninstalling the previous installation, you do not have the option of installing into a new location. If setup cannot find a previous installation of eTrust Antivirus or a related product, it will ask you where you wish to install the product. You may be asked if you want to run the Administrative Server on this system. Answer Yes if this system is to be an Administrative Server. Otherwise answer No. You will also be asked to read and accept the terms of the license agreement, if you want the product to start up automatically at boot time, and if you want to install ENF in order to get eTrust Antivirus real-time scanning capability. Respond Yes or No as appropriate.

7. On a Red Hat Linux system, installing ENF involves rebuilding the Linux kernel from source code, which can take an extended period of time. In addition, doing this requires that the source code for the kernel be installed and available. This can be installed from the original Linux installation CD or downloaded from the Web. On SuSE Linux and other UNIX systems, the ENF installation is less time-consuming and does not require the kernel to be rebuilt.

8. When the installation is complete, you can view the README file. Answer Yes or No as you choose.

Using fixhttpd

The installation procedure automatically configures your HTTP server. However, if you install an HTTP server after installing the eTrust Antivirus software, you can still take advantage of the automatic configuration without having to repeat the installation procedure. To do this, use the command fixhttpd.


Starting and Stopping Services

Enter the following command to start the eTrust Antivirus services:
InoStart

To stop the services, enter:
InoStop

Using the Web Browser

Follow these steps to access the eTrust Antivirus software on your server from your web browser. Note: If you experience odd behavior in your GUI interface, the problem may be your web browser. See the discussion about Using the Java™ Plug-in, below.

1. Launch your web browser.

2. Type the following URL in the address space, then click Go:
   http:///ino/

3. The product screen will display and the product will load.

4. When the Security Login dialog displays, as shown below, enter your User Name and Password in the appropriate fields.

5. The antivirus GUI displays in Local Scanner view, as shown below.

Using a Java™ Plug-in

You may experience odd appearance and behavior in the GUI. If you are running your browser on a Windows system, you can correct this by installing a Java™ Plug-in on your Internet Explorer, if you have not already done so for other use. You can obtain a Java™ Plug-in at URL http://java.sun.com/products/plugin. eTrust Antivirus supports plug-in versions 1.3.1 through 1.4.2. If you install a plug-in, then you should access the eTrust Antivirus Web Browser GUI using the URL http:///ino/inoplug.html, rather than the URL specified in the Using the Web Browser section.


Removing the eTrust Antivirus Software

Before you remove the eTrust Antivirus software:
■ You must be super user
■ All antivirus services must be shut down

1. To shut down the services, enter the following command:
   InoStop

Removing only the Antivirus Software

2. To remove only the antivirus product when you have other Computer Associates software, such as CA-Unicenter TNG, installed under $CAIGLBL0000, enter the following command:
   InoDeinstall

3. The InoDeinstall script executes. When the script exits, it will instruct you how to remove all remaining product files. Enter the command as indicated. Note: This command will not remove CAIENF if it is installed on your system. CAIENF may be needed by other components under $CAIGLBL0000.

Removing All Software Under $CAIGLBL0000

4. If you have no other CA software installed under $CAIGLBL0000, or you do and you want to deinstall ALL of the software there, enter the following command:
   $CAIGLBL0000/scripts/deinstall
   Follow the instructions that appear on the screen. Note: This script will remove CAIENF.

Using Setup Switches

While the setup script is normally run interactively, just using the ./setup command and responding to questions, it also has a number of command-line switches and arguments. These can be used to pre-specify various installation options and/or to enable unattended installation. Other than switches, setup accepts a single argument, the location into which eTrust Antivirus is to be installed.


The following table describes the available switches:

Setup Switch    Description
-install        Run setup to install eTrust Antivirus (default).
-deinstall      Run setup to uninstall eTrust Antivirus. Same as running $CAIGLBL0000/ino/scripts/InoDeinstall.
-admin          Install the Administrative Server.
-noadmin        Do not install the Administrative Server (default).
-enf            Install ENF (default).
-noenf          Do not install ENF.
-autostart      Configure eTrust Antivirus to automatically start up at boot time (default).
-noautostart    Configure eTrust Antivirus to not automatically start up at boot time.
-acceptloc      If setup determines that there is already an installation of eTrust Antivirus or a related product on the system, or if the environment variable CAIGLBL0000 is already set, automatically continue the installation into that location, even if a different location was specified in the setup command line.
-allowctrl      If eTrust Antivirus services are running, automatically shut them down and continue with the installation, rather than exit.
-express        Run an “express” installation, accepting the default values for all options.
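The switches above are what make an unattended install possible. As an added example, not part of the eTrust Antivirus distribution, the following POSIX shell wrapper turns three yes/no choices (Administrative Server, ENF, autostart) into the documented switch set, checks the prerequisites this appendix states (superuser, an executable setup, a compressed tar file in the current directory, 150 megabytes free) and only then runs setup. The install location /opt/CA and the assumption that the tar file name contains ".tar" are made for illustration and are not from the guide.

```shell
#!/bin/sh
# Added example: unattended eTrust Antivirus install wrapper built on the
# setup switches documented above. Not part of the product; install
# directory and tar file naming are assumptions for illustration.

INSTALL_DIR="${INSTALL_DIR:-/opt/CA}"   # assumed; passed as setup's single argument
MIN_FREE_KB=153600                       # 150 megabytes, the stated requirement

# Translate yes/no choices into the documented switches. Anything other
# than yes/no is rejected so a typo cannot silently pick a default.
# Arguments: admin enf autostart
build_setup_args() {
    args="-express -acceptloc -allowctrl"
    case "$1" in
        yes) args="$args -admin" ;;
        no)  args="$args -noadmin" ;;
        *)   echo "admin must be yes or no" >&2; return 1 ;;
    esac
    case "$2" in
        yes) args="$args -enf" ;;
        no)  args="$args -noenf" ;;
        *)   echo "enf must be yes or no" >&2; return 1 ;;
    esac
    case "$3" in
        yes) args="$args -autostart" ;;
        no)  args="$args -noautostart" ;;
        *)   echo "autostart must be yes or no" >&2; return 1 ;;
    esac
    echo "$args"
}

# Available kilobytes on the filesystem holding a directory (POSIX df -P:
# second line, fourth column).
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# The prerequisites listed in this appendix, checked before setup is run.
check_prereqs() {
    [ "$(id -u)" -eq 0 ] || { echo "setup must be run as superuser" >&2; return 1; }
    [ -x ./setup ] || { echo "./setup missing or not executable (chmod +x setup)" >&2; return 1; }
    ls ./*.tar* >/dev/null 2>&1 \
        || { echo "compressed tar file not found in current directory" >&2; return 1; }
    avail=$(free_kb "$(dirname "$1")")
    [ "${avail:-0}" -ge "$MIN_FREE_KB" ] \
        || { echo "need at least $MIN_FREE_KB KB free, have ${avail:-0}" >&2; return 1; }
}

# Arguments: admin enf autostart (each yes or no)
run_unattended_install() {
    setup_args=$(build_setup_args "$1" "$2" "$3") || return 1
    check_prereqs "$INSTALL_DIR" || return 1
    # setup_args is deliberately unquoted so each switch is a separate word
    ./setup $setup_args "$INSTALL_DIR"
}

# Invoke from the directory holding setup and the tar file, for example:
#   ./unattended-install.sh yes no yes
if [ "$#" -eq 3 ]; then
    run_unattended_install "$1" "$2" "$3"
fi
```

-acceptloc and -allowctrl are included so that an existing installation or running services do not turn the unattended run into an interactive one; drop -allowctrl if you would rather have setup exit than stop services on a host you did not expect to be already running the product.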


Appendix B

Installing and Starting eTrust Antivirus for Macintosh OS X

Use the procedures in this chapter to install the eTrust Antivirus software on Macintosh OS X systems. Evaluate your system requirements, and then follow the steps described to install the product.

Before You Install

Before you install the eTrust Antivirus software for OS X you should evaluate the hardware and software requirements below to ensure that your site meets the minimum requirements necessary to install the product.

Network Requirements

To use the eTrust Antivirus software, a TCP/IP network must be properly configured on your system.

Hardware Requirements

Your OS X administrative server must have at least 150 megabytes of free disk space.

Supported Operating Systems

Please refer to the README file on your installation disk for an updated list of the supported operating systems. The supported Macintosh models and operating systems include:
■ OS X 10.2 and 10.3 operating system versions running on iBook G4, PowerBook G4, iMac, eMac, and PowerPC G4
■ PowerPC G5 running OS X version 10.3


Installing the eTrust Antivirus Software for OS X

Follow these steps to install the eTrust Antivirus software for OS X:

Installation Procedure

You must have administrator privilege to install the eTrust Antivirus software.

1. On the target machine, insert the eTrust Antivirus software for OS X CD into the CD-ROM drive on your machine.

2. Using the OS X system Finder, locate the install packages. For example, to install the client-only version, select eTrust_Antivirus_Client.mpkg. To install the client and the administrative server versions, select eTrust_Antivirus_Server.mpkg. The install package is a self-extracting executable that runs when selected in the OS X Finder.

3. Double-click on the installation package icon. The installation process begins and you are asked to respond to a few prompts. Initially, the Authenticate dialog displays.

4. On the Authenticate dialog, enter the username and password granted administrator privilege, and then click OK. The Welcome screen displays.

5. On the Welcome screen, click Continue. The Software License Agreement dialog displays.

6. On the Software License Agreement dialog, click Continue, and if you agree to the terms of the software license agreement, click Agree on the popup display. The Select a Destination dialog displays.

7. On the Select a Destination screen, select a destination for installing the eTrust Antivirus software, and then click Continue. Note: The destination must be on the default root disk. The Easy Install dialog displays.

8. On the Easy Install screen, click Install. The installation progress dialog displays.

9. You will be asked if you want to run eTrust Antivirus when OS X starts. Choose Yes or No, then click Continue. A progress dialog displays, then you are prompted for your software license.

10. On the AVLicense dialog, select either the Trial Version or enter your License Key, then click Next. Note: The Trial Version is not selectable for the Administrative Server. A confirmation dialog displays.

11. On the confirmation dialog, click Done. A progress dialog displays.

12. When the eTrust Antivirus installation successfully completes, click Close.

Remote Installation Services

To remotely distribute and install the eTrust Antivirus software to other Macintosh machines running OS X in your network, the following steps must be accomplished:

1. The installation image must be transferred to the target computer.

2. A marker file named unattended.marker must be created in the same directory where the meta package (not the dmg) file is copied to. This is needed in order to force the eTrust Antivirus installation software to not prompt for licensing information.

3. The installer utility that installs the installation package on the target computer must be run.

4. At a later time the software license must be activated by running AVLicense. This utility can be found under the Applications directory in the CA/eTrust Antivirus folder.

You can create and customize scripts to perform a remote installation consisting of the above steps. The following two example scripts provide those functions.

Example Scripts

The first example script, named RemoteInst.sh, is run from the source computer and takes the target computer name as a parameter. It copies over the second example script, ClientInst.sh, and the install image. It then runs the second script to complete the install.

RemoteInst.sh Script Example

#!/bin/sh
#
# validate that we have been given a target machine name
#
if [ $# -ne 1 ]; then
    echo "usage:"
    echo "remoteInst.sh "
    exit 1
fi
TARGET=$1
#
# copy over our client install script
# and the install image itself
#
scp clientInst.sh root@$TARGET:clientInst.sh
scp eTrust_Antivirus.dmg root@$TARGET:eTrust_Antivirus.dmg
#
# now run the install script
#
ssh root@$TARGET ./clientInst.sh

ClientInst.sh Script Example

#!/bin/sh
#
# get the name of the device for later use and then eject it
#
DISKDEV=`hdid -nomount eTrust_Antivirus.dmg`
hdiutil eject $DISKDEV

#
# really mount this time and save the name of the installation package
# copy it over to current directory and eject device for a second time
#
MOUNT_POINT=`hdid eTrust_Antivirus.dmg | awk 'BEGIN { FS = "\t" } { print $NF }'`
echo copying "$MOUNT_POINT"/eTrust_Antivirus_Client.mpkg
cp -R "$MOUNT_POINT"/eTrust_Antivirus_Client.mpkg .
cp -R "$MOUNT_POINT"/Packages .
hdiutil eject $DISKDEV

#
# Touch the marker file and run the install
#
echo Starting install of eTrust_Antivirus_Client.mpkg
touch unattended.marker
installer -pkg eTrust_Antivirus_Client.mpkg -target /
echo Done install of eTrust_Antivirus_Client.mpkg

#
# tidy up (note this script is small enough to get away with self annihilation)
#
rm -rf Packages
rm -rf eTrust_Antivirus_Client.mpkg
rm -f eTrust_Antivirus.dmg
rm -f unattended.marker
rm -f clientInst.sh

Note: The example scripts work when installing a client-only version of eTrust Antivirus. To install the Administrative Server version use eTrust_Antivirus_Server.mpkg in place of eTrust_Antivirus_Client.mpkg.
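The client-side steps above (image transferred, unattended.marker created beside the mpkg, installer run) as an added example that is not one of the guide's scripts: the transferred image is checked against a SHA-256 digest distributed out of band before anything is staged, so a truncated or altered image is never handed to installer. The digest, the staging directory, the use of sha256sum or shasum, and the function names are assumptions; installer itself exists only on OS X and is not exercised here.

```shell
#!/bin/sh
# Added example (not one of the guide's scripts): stage the unattended
# client install described above, but only after the transferred image
# has been checked against a SHA-256 digest distributed out of band.
# Assumed: the digest value, the staging directory and these function names.
set -eu

# sha256_of FILE: print the hex digest using whichever tool the host
# provides (sha256sum on Linux, shasum on OS X).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_image FILE EXPECTED_SHA256: succeed only when FILE exists and
# its digest equals EXPECTED_SHA256 (hex compared case-insensitively).
verify_image() {
    img=$1
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$img" ]; then
        echo "verify_image: missing image $img" >&2
        return 1
    fi
    have=$(sha256_of "$img")
    if [ "$have" != "$want" ]; then
        echo "verify_image: digest mismatch for $img" >&2
        return 1
    fi
    return 0
}

# stage_unattended STAGE_DIR PKG_PATH: copy the meta package (and its
# sibling Packages directory when present) into STAGE_DIR and create
# unattended.marker beside the package. The marker must sit in the same
# directory as the mpkg, not the dmg, for the license prompt to be skipped.
stage_unattended() {
    stage=$1
    pkg=$2
    if [ ! -e "$pkg" ]; then
        echo "stage_unattended: missing package $pkg" >&2
        return 1
    fi
    mkdir -p "$stage"
    cp -R "$pkg" "$stage/"
    if [ -d "$(dirname "$pkg")/Packages" ]; then
        cp -R "$(dirname "$pkg")/Packages" "$stage/"
    fi
    : > "$stage/unattended.marker"
    # Post-condition: marker and package are siblings in the staging dir.
    if [ -f "$stage/unattended.marker" ] && [ -e "$stage/$(basename "$pkg")" ]; then
        return 0
    fi
    echo "stage_unattended: staging of $pkg failed" >&2
    return 1
}

# unattended_install STAGE_DIR PKG_NAME: run the guide's installer call
# from inside the staging directory so the marker is found. installer
# exists only on OS X, so this function is not run by the checks below.
unattended_install() {
    ( cd "$1" && installer -pkg "$2" -target / )
}

# Typical sequence on the target (EXPECTED_SHA256 is a placeholder the
# administrator fills in from the out-of-band digest):
#   verify_image eTrust_Antivirus.dmg "$EXPECTED_SHA256" || exit 1
#   ... hdid / cp steps from ClientInst.sh ...
#   stage_unattended /tmp/etrust-stage eTrust_Antivirus_Client.mpkg
#   unattended_install /tmp/etrust-stage eTrust_Antivirus_Client.mpkg
```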

Starting eTrust Antivirus Services

You can start and stop the eTrust Antivirus services from the System Preferences panel application as follows:

1. Open the System Preferences, and then click on the eTrust Antivirus icon in the Other section of the System Preferences panel. The eTrust Antivirus screen displays.

The eTrust Antivirus panel consists of two tabbed panels, the Services tab and the Options tab.

Note: To make changes in either panel, you must have administrative privilege to unlock the panel.

Services Tab

The installed eTrust Antivirus services and operational status display in the Service Status window. The services are either on or off. You can start or stop the eTrust Antivirus services and launch eTrust Antivirus from the Services tab. To make changes to the eTrust services, for example to stop them, first unlock the panel as follows:

1. Select “Click the lock to make changes”, enter your administrator username and password on the Authenticate dialog, and then click OK.

2. When you finish making changes, select “Click the lock to prevent further changes” to lock the panel.

Options Tab

You can change the default language, define approved Admin Servers, set the administrator ports used in the discovery process, define an alert script, and launch eTrust Antivirus from the Options tab.

Note: Before the language can be changed in the options panel, the services must be stopped.

Launching eTrust Antivirus

You can begin to use your eTrust Antivirus software as follows:

1. From a Finder window open the directory /Applications/CA/eTrust Antivirus.

2. Click the eTrust Antivirus application icon. The antivirus GUI displays, in Local Scanner view, as shown below.

For information on running eTrust Antivirus and configuring options, click on the toolbar to display the online help.


Removing the eTrust Antivirus Software To remove the eTrust Antivirus software, use the Terminal application, and then run the uninstall script from the terminal application command line. The uninstall script is found in the path /Library/Application Support/eTrustAntivirus/scripts/deinstall. It must be run using sudo or when logged in as root.

Appendix C

Installing the Antivirus Software for NetWare

Use the procedures in this chapter to install the eTrust Antivirus software on NetWare® systems. Evaluate your system requirements, and then follow the steps described to install the product.

Before You Install

Before you install eTrust AV for NetWare, we recommend that you consider the following to ensure a trouble-free installation:

■ The product supports NetWare versions 4.2, 5.0, 5.1, 6.0, and 6.5. For NetWare servers running version 4.2, you must also install NetWare Service Pack 9.

■ When specifying the default locations for installation of eTrust AV components, it is best if the locations used for the HOME and ENG Path options are on the same volume. However, this is not a necessary requirement. In addition, the volume(s) used for HOME and ENG must have the LONG namespace added to them. To check if the LONG namespace exists on a volume, enter the VOLUMES command at the system console. If the LONG namespace exists, it is included in the list of namespaces for each volume you are installing. To add the namespace:

  1. Ensure that LONG.NAM is running. Enter the command LOAD LONG.NAM at the system console.

  2. At the system console, enter the command ADD NAMESPACE LONG TO VOLUME <volume>, where <volume> is the volume you are installing to.

  Note: To detect the namespace change if you added the LONG namespace to a volume, disconnect any existing connections to the NetWare server from the Windows computer where the installation is running.

■ NetWare servers must be running the Internet Protocol (IP). The Internet Packet Exchange (IPX) networking protocol is not supported.

■ To manage a NetWare server running eTrust Antivirus 7.1, you must have an eTrust Antivirus 7.0 or 7.1 Administrative Server available on a Windows or UNIX system.

■ The installation program for eTrust Antivirus for NetWare is run on a Windows computer. You must install the Novell NetWare client on the Windows computer before installing eTrust Antivirus. You must have administrator rights on your NetWare server. At the time of the installation, the Novell NetWare client does not have to be connected to the NetWare server, but the target servers must be network accessible from the Windows system.

■ If you have InoculateIT or Inoculan 4.x on the target NetWare server, you can set the installation to automatically uninstall it. The default is not to uninstall it. In addition, the version 7.1 installation migrates any corresponding configuration settings from 4.x. You can modify the inoc6_nw.icf file to control the details of the installation on each target NetWare server. For information about the inoc6_nw.icf file, see the “Using the Installation Command File” chapter.

■ If you have InoculateIT or Inoculan 4.x on the target NetWare server, you should not run it at the same time as eTrust Antivirus 7.1. The installation of eTrust Antivirus 7.1 will automatically stop 4.x, but if you have any statements in autoexec.ncf that would cause 4.x to start up at boot time, you should remove those statements after you install eTrust Antivirus 7.1, and before you restart your server.

Using the Installation Program

The following information helps you get started with your eTrust Antivirus for NetWare installation.

Note: For a successful installation, the target NetWare servers must be network accessible from the Windows system from which you are doing the installation.

eTrust Antivirus for NetWare uses a setup wizard to guide you through the entire process, helping to ensure a smooth installation. Using the installation program, you can:

■ Install eTrust Antivirus for NetWare on NetWare servers

■ Remove eTrust Antivirus from NetWare servers

Installing eTrust Antivirus for NetWare

To install eTrust Antivirus for NetWare:

1. Insert the CD into the CD drive on your Windows machine. The installation process starts automatically.

2. Select the eTrust Antivirus 7.1 for NetWare option.

3. The Setup program begins loading. Click Next on the Welcome dialog and the License dialog appears.

4. On the License dialog, click I Agree. The eTrust AV Installation dialog appears.

Note: If you have a list of saved servers from a previous installation, you can use the Load From button to load them as target servers. For example, if your list of saved target NetWare servers is named C:\domain01.ini, click Load From to automatically load the list from the C:\domain01.ini file.

The Readme file contains updated information on eTrust AV for NetWare. Click View Readme to display this information.

Use the Discover or Add button to build a new list of target NetWare servers. You can use the Discover button to search through your network to find your NetWare servers. For example, if you do not know which NetWare servers you want to install on and you want to search through your entire network for the possibilities, click on Discover. However, if you already know your NetWare server names, tree and context information, click Add to identify them. If using the Add function, skip to step 8.

Note: The discovery method is used for the eTrust Antivirus for NetWare installation procedure. This discovery mechanism has nothing to do with discovery of eTrust Antivirus clients by the Admin Server.

Using Discover Function to Build Target Server List

5. Click Discover to search in your network for and build a new list of target NetWare servers. The Novell Directory Services dialog appears.

6. On the Novell Directory Services dialog, the NetWare trees on your network display in the Trees list box under the tree node Novell Directory Services. You can expand the Trees list to display discovered NetWare server names, trees and context information. Select and enter the new NetWare servers and use the controls as the following table describes:

Field/Controls

Description

Trees List Box

Expand the list to discover and select the target NetWare servers.

Set Username and Password button

Select Username and Password to preset the username and password that will be used for several or many servers that share the user name space without having to reenter the information for every server. When you set the username and password, they will be used for all subsequent servers that you put in the list of Servers to be added.

You may change the username and password at any time. The new settings will be used for all servers that you add to the list from that point on. If you do not preset the username and password, you will be prompted for one each time you select a server. In the Server Access dialog, enter the server username and password in the respective fields. You must confirm your password.

Note: The username you use for the server must have NetWare administrative rights on that server in order for the installation to succeed.

Note: The username and password you enter will be used later in the installation or uninstallation procedure. No connection is actually made to the NetWare server at the time you enter them in this dialog.

Add, Add All buttons

Select Add to put the selected server in the list of Servers to be added. Select Add All to add all servers under a selected context in a tree to the list of Servers to be added.

Note: The Add and Add All functions place servers you select from the Trees list only in the Servers to be added list box. These servers are not ready to be added as target servers until you click OK; they are then placed in the eTrust Antivirus Installation dialog.

Servers to be added List Box

Lists servers you selected from the Trees list. After clicking OK, these servers are placed in the eTrust Antivirus Installation dialog.

Remove button

Select a server in the list of Servers to be added and click Remove to delete the server from the list.

7. When you have completed selecting and entering your information, click OK. The target NetWare server(s) display in the list of Target Servers.

Note: You can save the list of servers in a file by clicking Save To. Saving the list lets you retrieve it later and add target NetWare servers or modify the installation without having to re-enter information.

Using Add Function to Build Target Servers

8. Click Add to add an individual target NetWare server. The New Server dialog appears.

9. On the New Server dialog, enter the new target NetWare server information in the required fields and use the controls as the following table describes:

Field/Controls

Description

Server Fields: Name, Tree, Context

Enter the name of the target NetWare server in the Name field. Enter the appropriate Tree and Context container information for the NetWare server in the respective fields.

Access Fields: Username, Password, Confirm Password

Enter your NetWare server username and password in the respective fields. You must confirm your password. Note: You must have NetWare administrative rights on the target server.

Install, Uninstall buttons

Select Install to install eTrust Antivirus for NetWare on the server specified. Select Uninstall to remove the product from the specified NetWare server.


Customize installation configuration field

Enter the name of a configuration file for the installation or click browse to select your file. Click Use Factory settings button to install the default .icf file.

Customize signature distribution field

In the .icf file, you can specify if you want a signature update at the end of the installation by entering the name of a signature distribution file or clicking browse to locate it. Click Use Factory settings to specify the default InoDist.ini file. For information about the InoDist.ini file, see “The InoDist.ini File” appendix.

10. When you have completed entering your information, click OK. The target NetWare server displays in the list as in the following example:

Note: You can save the list of servers in a file by clicking Save To. Saving the list lets you add target NetWare servers or modify the installation without having to re-enter information.


11. After entering your target servers, click Finish. Clicking Finish causes the installation to start and act on the selected servers. The status of a successful installation displays as follows:

12. Click Close to complete your installation.

Changing Server Installation Information

From the eTrust Antivirus Installation dialog, you can select a NetWare server in the list to either modify or remove it from the installation.

Modifying Server Installation Information

Select a server by clicking its name to modify its characteristics using the Edit button or remove it from the list using the Delete button. You can also copy installation settings from a server to create similar entries for another without having to enter new server information from scratch.

Select a server by clicking its name. Click Edit to open the Edit Server dialog displaying the installation information for that server. You can enter new information in the appropriate fields, and then click OK to save your changes. Your updated server information displays on the Installation dialog.

Select a server by clicking its name. Click Copy to open the Add Server with Similar Profile dialog. On this dialog, you can change the server information by entering new information in the appropriate fields. Click OK to add this new server to the server list.

Removing eTrust Antivirus Software From a Server

Select a server by clicking its name. Click Edit to open the Edit Server dialog displaying the installation information for that server. You can remove the eTrust AV for NetWare software from that server by clicking Uninstall. Click OK to update the server information list.

Acting on Specific Servers

Each target NetWare server in the list can be either checked or unchecked. You can switch this state by clicking the check box for each one. Clicking Finish causes the installation to start and act on the selected servers. Any unchecked server is not acted on by Finish, but remains in the list.

Note: After successful installation, launch eTrust Antivirus for NetWare by entering ETRUSTAV at the NetWare command prompt. See the “Using the ETRUSTAV Console Program” appendix.

Appendix D

Using the ETRUSTAV Console Program

After installing eTrust Antivirus (AV) for NetWare on a NetWare server, use the ETRUSTAV console program to take advantage of its features. The ETRUSTAV program invokes a menu from which you can control many eTrust AV operations on the server. From the NetWare command line, enter ETRUSTAV to start the program.

Note: When running NetWare 4.x, enter LOAD ETRUSTAV.

Note: To start all the eTrust AV services at the same time as starting ETRUSTAV, enter ETRUSTAV AUTOSTART, or LOAD ETRUSTAV AUTOSTART.

Using ETRUSTAV Menu

Use the keyboard Up and Down arrow keys to navigate the ETRUSTAV menu items. The Enter key activates the selected menu option. You can exit the ETRUSTAV program and popup option screens by using the Escape key.

Note: The default options for the ETRUSTAV program are set by the inoc6_nw.icf file during installation. For detailed information about the inoc6_nw.icf settings, see the "Using the Installation Command File" chapter.

The following table lists the ETRUSTAV menu selections:

Menu Selection

Description/Available Options

Start All Services

Loads and starts all eTrust AV services.

Stop All Services

Stops and unloads all eTrust AV services.

Start Selected Service

Starts an individual eTrust AV service. If there are any services not already running, a popup menu item appears from which you can select the service to start.


Stop Selected Service

Stops and unloads an individual eTrust AV service. If there are any services currently running, a popup menu item appears from which you can select the service to stop.

Configure Local Scanner

Opens a popup menu from which you can modify Local Scanner Settings. From the Local Scanner Settings popup menu, you can view or modify Scanning Options or Selection Options.

Scanning Options

Safety level

Specify the scan safety level: Secure—use as the standard method for scanning files completely. Reviewer—use if you suspect you have an infection that Secure mode is not detecting.

Scanning engine

Specify the antivirus engine to use in the scan: Inoculate IT—The Inoculate engine. Vet—The Vet engine

Heuristic Scanner

Use to specify the Heuristic Scanner to scan for unknown viruses: No— Do not use the Heuristic Scanner. Yes— Use the Heuristic Scanner


File Action

Infected file action. Use to specify an action option for an infected file:
Cure—Attempt to cure an infected file automatically. Even if the file is cured, we recommend that you delete the infected file and restore the original file.
Delete—Delete an infected file.
Move—Move an infected file from its current directory to the Move folder.
Rename—Automatically rename an infected file with an AVB extension. Assigns incremental extensions in the form #.AVB to infected files with the same name, for example, File.0.AVB, File.1.AVB, and so on. After a file is renamed with an AVB-type extension, it is not subsequently scanned.
Report Only—Report an infected file.

Cure Options

If Cure Fails—Use to specify the cure fail option when File Action is set to Cure:
Copy File Before Cure—Make a copy of the original file and put it in the Move folder before attempting the cure.
Move File—Move an infected file from its current directory to the Move folder if a cure fails.
No Action—Do nothing if a cure fails.
Rename File—Rename a file with an AVB extension if a cure fails.

Macro Virus Treatment—Macro Cure Action. Use to specify a removal option for an infected file when File Action is set to Cure:
Remove Infected Macros—Remove only the macros that contain infected code from the infected file.
Remove All Macros—Remove all macros from the infected file.


Selection Options

Do not scan migrated files

Use to specify whether to scan files that have been migrated to external storage: Yes—Do not scan migrated files. No—Scan migrated files.

Scan Files With Extensions

Use to specify scanning of files with filename extensions: All Extensions—Scan all files. All Except the Specified Extensions— Scan all files except the files that have extensions specified in the Available Extensions list. The Available Extensions list is specified with the Edit Extension List option. Specified Extensions Only—Scan only the files that have extensions specified in the Available Extensions list. The Available Extensions list is specified with the Edit Extension List option.

Edit Extensions List

Use to specify the existing set of filename extensions. Note: You can view or modify the list only when the All Except the Specified Extensions or Specified Extensions Only selections are made from the Scan Files With Extensions option. You can edit extensions in the Available Extensions list by selecting an extension and using the F5, Delete or Insert key. Delete key: Use to delete a selected extension from the list: Yes—Deletes the selected filename extension(s) from the list. No—Keeps the filename extension(s) in the list. F5 key: You can use the F5 key to mark extensions for deletion from the list with the Delete key. Insert key: Use to add an extension to the list. Enter a filename extension in the Enter Extension field.


Scan Compressed Files

Use to specify scanning of archived files: Yes—Scan compressed files. Note: Options for the type of archive file scanning and compressed file types are specified with the Compressed File and Archive types to support options. No—Do not scan compressed files.

Compressed File Options

Use to specify the options for scanning archived files: Note: You can view or modify the compressed file options only when the Scan Compressed Files option is set to Yes. Specify whether to filter files inside archives by extension. Specify whether to stop scanning an archive file when an infection is found. Determine a file's compression by its filename extension or contents. The default setting is by filename extension.

Archive types to support

Use to specify which types of archived files: Note: You can view or modify the types of archived files only when the Scan Compressed Files option is set to Yes. In the Compressed File Options List, specify the type of archived files for scanning. You can select Yes to include the file type or No to exclude the archived file type.

Run Local Scanner

Opens a popup menu from which you can specify a full pathname to scan.

Check Status of Scheduled Jobs

Displays the status of any scheduled scan job that is currently running. Information displayed is refreshed every second as the job progresses.

Check Status of Realtime Scanning

Displays the status of realtime scanning from the time the Realtime Monitor was started. Information displayed is refreshed every second.


Display signature versions

Displays the current scan engine and signature versions for the eTrust AV engines installed on the server.

Advanced

Check status of services

Displays the status of all eTrust AV services.

Set discovery ports

Use to display and specify the current port numbers that the discovery procedure uses for listening to broadcast messages. In the popup field:
Select the Enter key to display the current port numbers that the discovery procedure uses for listening to broadcast messages.
Enter POLL and specify a port value to set the port number on which the eTrust AV client listens for polls from the Admin Server.
Enter SUBNET and specify a port value to set the port number that eTrust AV clients use to communicate within a subnet.
Enter BOTH and specify a port value to use the same value for both the port number on which eTrust AV clients listen for polls from the Admin Server and the port number that eTrust AV clients use to communicate in a subnet.

Restore infected files in Move folder

Restores an infected file from the Move directory to its original location. After the command is entered, follow the onscreen instructions.

Set approved Admin Server(s)

Use to display and specify the current set of approved eTrust AV Admin Servers. In the IP address(es) field popup:
Select the Enter key to display the current set of approved eTrust Admin Servers.
Set the eTrust AV Admin Servers at the specified IP addresses as approved for the NetWare server on which the command is run. Enter IP addresses in the format separated by a space. For example, entering the IP addresses 192.168.130.2 192.168.130.10 causes the Admin Servers at those IP addresses to be set as approved eTrust AV Admin Servers.

Set eTrust AV environment variable

Use to specify an environment variable for eTrust AV. For example, entering AV_VAR1=1 would set the value of a hypothetical environment variable AV_VAR1 to 1. Note: eTrust AV environment variables are only used inside eTrust AV. They have no effect on other programs running on your server.

Appendix E

Using the Installation Command File

You can fully automate the installation process of your eTrust Antivirus software using the installation command file. Depending on the platform, you can use one of the following:

■ INOC6.ICF—used to automate the installation of eTrust Antivirus 7.1 for Windows.

■ INOC6_NW.ICF—used to automate the installation of eTrust Antivirus 7.1 for NetWare.

This chapter discusses the options you can set in each file and provides a description of all options.

The INOC6.ICF File

After you configure the settings, you place the revised INOC6.ICF file into the image directory and run the installation program. When the installation program starts, the INOC6.ICF file is loaded and the values you indicate as defaults are used. If the installation is run interactively, any questions that the installation process does not ask you are taken from the settings in the INOC6.ICF file. If you choose to run the installation program silently from a shared drive or a batch program, all the configuration settings are taken from the INOC6.ICF file. To run setup silently, use the setup program (found in \bin\eAV_s.Win) as follows:

    SETUP /s

If you want to install this image on many machines in your enterprise, you can use the Remote Installation feature. Make sure that the settings in the INOC6.ICF file are appropriate for those machines and then let Remote Installation do the rest. For more information on using the Remote Install Utility, see Chapter 9 of this Administrator Guide.


The following tables summarize the default settings for each option in the INOC6.ICF file, followed by a brief description of the option, and additional information on option variables.

Path

Use the Path options to specify the default locations for installation of the various Antivirus components.

    [Path]
    HOME=
    MOVE=Move
    ENG=
    DB=DB
    OUTGOING=OUTGOING

Option

Description

HOME

The Home Directory Enter a full drive and path, or leave blank to install to the local program files directory. e.g: C:\AntiVirus

MOVE

The Move Directory This path is relative to the home path e.g: MOVE

ENG

The Engine Directory Enter a full drive and path, or leave blank to install to the local program files directory. DO NOT add this directory as a subdirectory of the Home Directory. e.g: C:\AV\Engine

DB

The Database Directory This path is relative to the home path e.g: DB

OUTGOING

The Signature Outgoing Directory This path is relative to the home path e.g: OUTGOING


RPCMtAdn

Use the RPCMtAdn options to specify the locations for the RPC master’s database files.

    [RPCMtAdn]
    DataBasePath=RPCMtDB
    JobPath=RPCMtJob

Option

Description

DataBasePath

The path that the RPC Master uses to store db files. Note: This path is relative to the home directory.

JobPath

The path that the RPC Master uses to store job files Note: This path is relative to the home directory.

Local Scanner

Use the Local Scanner options to set the local scanner policy configuration. These options are the default local scanner settings for the installation.

    [Local Scanner]
    bScanCompressed=1
    bScanMemory=0
    bScanBootSector=1
    bScanFiles=1
    dwScanMode=1
    dwAction=0
    dwSpecialCureAction=3
    dwMacroCureAction=0
    dwSpecialMode=0
    dwFileFilterType=0
    bIsArcByExtension=1
    dwArcTypesCount=10
    pdwArcTypeList=1,2,3,4,6,7,8,9,10,11
    pszSpecifiedList=|386|ADE|ADP|ADT|ASX|BAS|BAT|BIN|CBT|CHM|CLA|CMD|COM|CPL|CRT|CSC|DLL|DOC|DOT|DRV|EXE|HLP|HTA|HTM|HTT|INF|INS|ISP|JS|JSE|LNK|MDB|MDE|MSC|MSI|MSO|MSP|MST|OCX|PCD|PIF|POT|PPT|PRF|REG|RTF|SCF|SCR|SCT|SHB|SHS|SYS|URL|VB|VBE|VBS|VSD|VSS|VST|VXD|WIZ|WSC|WSF|WSH|XLA|XLS|XLT|XLW|
    pszExcludedList=|BTR|DBF|SBF|DB|MDX|NDX|MDW|LDB|
    bScanAllFilesInArc=1
    bStopAtFirstInfectionInArc=1
    bScanMigratedFiles=0
    dwEngineChoice=1
    dwShowDriveFlags=31
    bShowAllFiles=0
    bLogCleanFiles=0
    bLogInfectedFiles=1
    bLogSkippedFiles=0
    dwDaysToDeleteLogs=365
    dwBootAction=0
    bShowSummaryAfterScan=0


Option

Description

bScanCompressed

Scan Compressed Files? 0-No 1-Yes

bScanMemory

Scan Memory for Viruses? 0-No 1-Yes

bScanBootSector

Scan for bootsector viruses? 0-No 1-Yes

bScanFiles

Scan files? (Set this to 0 and ScanBoot to 1 to scan boot sector only) 0-No 1-Yes

dwScanMode

Scan Type: 1 - Secure Scan 2 - Reviewer Scan

dwAction

Action to take when a virus is detected 0 - Report only 1 - Cure 2 - Rename 3 - Delete 4 - Move

dwSpecialCureAction

Bitmask that specifies the action to take when an unclassified virus is detected: 1 - Copy Cure (Copy File to Move Directory before Cure) 2 - Rename File if Cure Fails 4 - Move File if Cure Fails 8 - Delete File if it is a Trojan or a Worm.

dwMacroCureAction

Cure Action for Macro Viruses: 0-Do Nothing 1-Remove All Macros 2-Remove Infected Macros Only


dwSpecialMode

Bitmask to enable Advanced Virus Scanning techniques? 1 - Heuristics 2 - System Cure 4 - Scan NTFS Data Stream

dwFileFilterType

Specifies the type of files to scan by its extension 0-Scan all files 1-Scan files with default extensions (specified in pszExtList) 2-Scan all files except those with default extensions (specified in pszExcludeExtList)

bIsArcByExtension

Determine if it is an archive by the files extension? 0-No (determine by contents of file) 1-Yes

dwArcTypesCount

Number of files listed in pdwArcTypeList

pdwArcTypeList

Comma delimited list of archive extensions to scan: 1-ARJ 2-GZIP 3-JAVA archive 4-LHA archive 5-Microsoft Cabinet 6-Microsoft Compressed 7-MIME 8-UNIX to UNIX encoded files(UUEncode) 9-ZIP 10-RAR 11-Unix Compressed (Z) 12-Rich Text Format File (RTF) 13-TNEF encapsulated eMail files

pszSpecifiedList

List of default extensions. (Separate each item by "|")

Using the Installation Command File

E–5

The INOC6.ICF File

Option

Description

pszExcludedList

List of excluded extensions. (Separate each item by "|")

bScanAllFilesInArc

Scan all files in archive? 0-No 1-Yes

bStopAtFirstInfectionInArc

Stop scanning an archive file upon the first detection of a virus? 0-No 1-Yes

bScanMigratedFiles

Scan files that are migrated to external storage? 0-No 1-Yes (files need to be de-migrate them back to local disk)

dwEngineChoice

Pick one of the two engines: 1 - InoculateIT engine 2 - Vet engine

dwShowDriveFlags

Mask to determine which drives are shown: 1 - Hard Drive 2 - Compact Disk Drives 4 - Floppy Drive 8 - Network Drives 16 - Removable Drives

bShowAllFiles

File display options: 0-Show only those whose extensions are listed in pszSpecifiedList 1-Show All Files

bLogCleanFiles

Write to the log if a scan cleans a file? 0 - No 1 - Yes

bLogInfectedFiles

Write to the log if a scan detects an infected file? 0 - No 1 - Yes

E–6

Administrator Guide

The INOC6.ICF File

Option

Description

bLogSkippedFiles

Write to the log if files that are skipped by a scan? 0 - No 1 - Yes

dwDaystoDeleteLogs

How many days to hold a log before deleting it.

dwBootAction

When an infected boot sector is encountered: 0-Report Only 1-Cure Boot Sector

bShowSummaryAfterScan

Show summary dialog box after each scan? 0 - No 1 - Yes

Distribution

Use the Distribution options to set configuration options for local signature retrieval and distribution.

[Distribution]
dwStateMask=0
tExecTime=
byRepeatMonth=0
byRepeatDay=0
byRepeatHour=0
byRepeatMinute=0
dwRepeatTimesOnFail=3
dwRepeatMinutesOnFail=5
dwHoldTimeQueryInterval=60
bDownloadNow=0
dwPopupMessage=0
bHideIcon=0

dwStateMask: Distribution state: 0-Off 1-Incoming (retrieve updates) 2-Outgoing (allow other machines to retrieve updates from this machine) 3-Both. With the shipped default, 0, the machine neither retrieves nor serves signature updates until you change it.
tExecTime: The time to check remote servers for the latest signature files. Format: MM/DD/YYYY,HH:MM:SS,DST, where DST is 1 if the time is a daylight saving time and 0 otherwise. For example, 12/04/1999,23:23:23,0
byRepeatMonth: Number of months between checks (0 to 12)
byRepeatDay: Number of days between checks (0 to 31)
byRepeatHour: Number of hours between checks (0 to 24)
byRepeatMinute: Number of minutes between checks (0 to 60)
dwRepeatTimesOnFail: The number of retries the job scheduler performs if a signature download fails. It is used together with dwRepeatMinutesOnFail to determine how often the download is reattempted. Retries continue until a download succeeds, the number of attempts exceeds dwRepeatTimesOnFail, or a regularly scheduled download occurs. Note: Set to zero to disable retries.
dwRepeatMinutesOnFail: The number of minutes between retry attempts after a failure. It is used together with dwRepeatTimesOnFail to determine how often to retry.
dwHoldTimeQueryInterval: How often, in minutes, the program checks the Incoming directory for a new signature to copy to the Outgoing directory for distribution.
bDownloadNow: Download a new signature immediately after the install? 0-No 1-Yes (Requires the inodist.ini file to contain a valid FTP site and proxy server.)
dwPopupMessage: Display a pop-up message every time signatures are updated? 0-No 1-Yes
bHideIcon: Hide the download icon in the system tray? 0-No 1-Yes
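The interaction between tExecTime, the byRepeat* interval and the two retry options is easier to see when worked through. The following is an added example, not code from the product: it models the rules stated in the table above (the tExecTime format, the repeat interval, and retries spaced dwRepeatMinutesOnFail minutes apart that stop after dwRepeatTimesOnFail attempts or at the next regularly scheduled download) using only the Python standard library. The sample values are constructed for the example; how the product itself computes month boundaries is not documented here, so the month arithmetic is an assumption.

```python
"""Model the [Distribution] schedule and its retry-on-failure rules.

Added example, not part of eTrust Antivirus. It follows the option
descriptions in this appendix; the sample values below are constructed.
"""
from calendar import monthrange
from datetime import datetime, timedelta


def parse_exec_time(value):
    """tExecTime is MM/DD/YYYY,HH:MM:SS,DST; the DST flag is returned separately."""
    stamp, dst = value.rsplit(",", 1)
    return datetime.strptime(stamp, "%m/%d/%Y,%H:%M:%S"), dst == "1"


def add_months(when, months):
    """Advance by whole months, clamping the day to the target month's length
    (assumption: the product's own month handling is not documented)."""
    month0 = when.month - 1 + months
    year = when.year + month0 // 12
    month = month0 % 12 + 1
    day = min(when.day, monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def next_scheduled(start, months, days, hours, minutes):
    """The run after 'start' per byRepeatMonth/Day/Hour/Minute; None when all
    four are 0, which leaves a one-shot check at tExecTime."""
    if not any((months, days, hours, minutes)):
        return None
    return add_months(start, months) + timedelta(days=days, hours=hours, minutes=minutes)


def retry_times(failed_at, next_run, times_on_fail, minutes_on_fail):
    """Retry instants after a download failed at 'failed_at'.

    Retries are dwRepeatMinutesOnFail apart and stop once dwRepeatTimesOnFail
    attempts have been made or once the next scheduled download would come
    first; dwRepeatTimesOnFail=0 disables retries."""
    out = []
    for n in range(1, times_on_fail + 1):
        t = failed_at + timedelta(minutes=n * minutes_on_fail)
        if next_run is not None and t >= next_run:
            break
        out.append(t)
    return out


if __name__ == "__main__":
    # Constructed sample: check every 4 hours, 3 retries 5 minutes apart.
    start, dst = parse_exec_time("12/04/1999,23:23:23,0")
    nxt = next_scheduled(start, 0, 0, 4, 0)
    print("first check", start, "next", nxt, "dst flag", dst)
    for t in retry_times(start, nxt, 3, 5):
        print("retry at", t)
```

With byRepeatMinute=12 and the default three retries five minutes apart, only two retries happen before the next scheduled download supersedes them; with all four byRepeat* values at 0 the retries run to completion and there is no later check at all, which is worth knowing before relying on the shipped defaults for signature freshness.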

Realtime

Use the Realtime options for the local realtime policy configuration. These options serve as the default realtime settings for the local installation.

[Realtime]
dwDirection=3
bFloppyDrive=1
bNetworkDrive=1
bCDRom=0
bFastBackup=1
bEnforcement=0
dwEnforceTime=90
pszExcludeProcessNames=
pszExcludeDirs=
dwScanMode=1
dwAction=0
dwBootAction=0
dwMacroCureAction=0
dwSpecialMode=0
dwSpecialCureAction=3
dwFileFilterType=0
pszExtList=|386|ADE|ADP|ADT|ASX|BAS|BAT|BIN|CBT|CHM|CLA|CMD|COM|CPL|CRT|CSC|DLL|DOC|DOT|DRV|EXE|HLP|HTA|HTM|HTT|INF|INS|ISP|JS|JSE|LNK|MDB|MDE|MSC|MSI|MSO|MSP|MST|OCX|PCD|PIF|POT|PPT|PRF|REG|RTF|SCF|SCR|SCT|SHB|SHS|SYS|URL|VB|VBE|VBS|VSD|VSS|VST|VXD|WIZ|WSC|WSF|WSH|XLA|XLS|XLT|XLW|
pszExcludeExtList=|BTR|DBF|SBF|DB|MDX|NDX|MDW|LDB|
bScanArc=1
bIsArcByExtension=1
dwArcTypesCount=10
pdwArcTypeList=1,2,3,4,6,7,8,9,10,11
bScanAllFilesInArc=1
bStopAtFirstInfectionInArc=1
bScanOnShutDown=0
dwEngineChoice=1
dwPopUpMsgLimit=3
pszBlockExtList=
pszBlockOverrideList=
bEnableAnimation=1
kTime=5
kScanTime=1

dwDirection: Direction to monitor: 0-Realtime disabled 1-Outgoing 3-Outgoing and incoming
bFloppyDrive: Scan the boot sector of floppy drives? 0-No 1-Yes
bNetworkDrive: Realtime protection for mapped network drives? 0-No 1-Yes
bCDRom: Protect CD-ROM drives? 0-No (do not scan files on CD-ROM drives) 1-Yes (scan files on CD-ROM drives)
bFastBackup: Work with ARCserve NT to provide fast backup capability? 0-No 1-Yes
bEnforcement: Run quarantine mode, which blocks a user's access to this server when the user attempts to copy or move an infected file onto the server or to execute an infected file on it. 0-No (users keep access to the server) 1-Yes (block the user's access to the server). Note: The lockout time is set by dwEnforceTime.
dwEnforceTime: How long, in minutes, the quarantine stays active blocking the user's access once bEnforcement is enabled and an access attempt has occurred. Range 1 to 1440 (24 hours).
pszExcludeProcessNames: Process images to exclude from realtime scanning. Separate each item with "|". Files written by an excluded process are not scanned, so keep this list as short as possible.
pszExcludeDirs: Directories to exclude from realtime scanning. Separate each item with "|".
dwScanMode: Scan type: 1-Secure Scan 2-Reviewer Scan
dwAction: Action to take when a virus is detected: 0-Report only 1-Cure 2-Rename 3-Delete 4-Move. The shipped default, 0, only logs detections.
dwBootAction: Action when an infected boot sector is found: 0-Report only 1-Cure the boot sector
dwMacroCureAction: Cure action for macro viruses: 0-Do nothing 1-Remove all macros 2-Remove infected macros only
dwSpecialMode: Bitmask that enables advanced virus scanning techniques; add the values you want: 1-Heuristics 2-System Cure 4-Scan NTFS data streams. The default, 0, enables none of them.
dwSpecialCureAction: Bitmask of the action to take when an unclassified virus is detected; add the values you want: 1-Copy Cure (copy the file to the Move directory before curing it) 2-Rename the file if the cure fails 4-Move the file if the cure fails 8-Delete the file if it is a Trojan
dwFileFilterType: Selects the files to scan by extension: 0-Scan all files 1-Scan only files with the extensions in pszExtList 2-Scan all files except those with the extensions in pszExcludeExtList
pszExtList: List of default extensions. Separate each item with "|"; the list begins and ends with "|".
pszExcludeExtList: List of excluded extensions. Separate each item with "|"; the list begins and ends with "|".
bScanArc: Scan compressed files? 0-No 1-Yes
bIsArcByExtension: Recognize a file as an archive by its extension? 0-No (recognize it by its contents) 1-Yes
dwArcTypesCount: Number of entries in pdwArcTypeList.
pdwArcTypeList: Comma-delimited list of the archive types to scan: 1-ARJ 2-GZIP 3-Java archive 4-LHA archive 5-Microsoft Cabinet 6-Microsoft Compressed 7-MIME 8-UNIX-to-UNIX encoded (UUEncode) files 9-ZIP 10-RAR 11-UNIX Compressed (Z) 12-Rich Text Format (RTF) 13-TNEF encapsulated e-mail files
bScanAllFilesInArc: Whether dwFileFilterType also applies to the decompressed files inside an archive being scanned. 0-No 1-Yes
bStopAtFirstInfectionInArc: Stop scanning an archive at the first virus detected in it? 0-No 1-Yes
bScanOnShutDown: Scan the floppy disk boot sector for viruses at shutdown? 0-No 1-Yes
dwEngineChoice: Pick one of the two engines: 1-InoculateIT engine 2-Vet engine
dwPopUpMsgLimit: The maximum number of realtime pop-up messages to display when many viruses are detected in succession.
pszBlockExtList: Extensions of files whose execution is blocked. Separate each item with "|".
pszBlockOverrideList: Files for which the execution block is overridden. Separate each item with "|".
bEnableAnimation: Enable the animated realtime icon? 0-No 1-Yes
kTime: Delay time used by the driver for incoming file scans. Use caution when changing this value.
kScanTime: Delay time used by the driver for incoming file scans. Use caution when changing this value.


AdminServer

Use the AdminServer options to set administrative server options, including start and stop times, log options, and directory locations.

[AdminServer]
Retries=1
JobPurgeDays=0
LogViolations=1
NoLegacy=0
EnforcePolicy=1
DatabasePathName=Tree
PolicyPathName=Policy
JobPathName=Jobs

Retries: The number of times the Admin Server retries a failed poll.
JobPurgeDays: The number of days that Scheduled Scan job results are kept before they are purged from the Admin Server database. If 0, they are never automatically purged.
LogViolations: Log when a machine that violates policy is found? 0-No 1-Yes
NoLegacy: If 1, the Admin Server does not listen for broadcasts from machines running version 4.x of this product. This reduces the number of threads used by the Admin Server by two and lowers CPU utilization, but 4.x machines do not appear in the Admin Server's database and cannot be administered from the 7.0 GUI. If 0, the Admin Server listens for 4.x broadcasts and adds 4.x machines to its database.
EnforcePolicy: Enforce the policies set for a client machine? 0-No (if a machine is found to violate policy, nothing is done) 1-Yes (the Admin Server attempts to change the machine's settings to comply with policy)
DatabasePathName: The directory in which the Admin Server's database is placed.
PolicyPathName: The directory in which the Admin Server's policy files are placed.
JobPathName: The directory in which the results of scheduled scan jobs are placed.

Scheduled Scanner

Use the Scheduled Scanner options to set the scheduled scanner policy configuration. These options serve as the default scheduler settings for the local installation.

[Scheduled Scanner]
byRepeatMonth=0
byRepeatDay=0
byRepeatHour=0
byRepeatMinute=0
wSpeedLevel=1
bTravelDir=1
dwInfectedBootAction=0
dwScanMode=1
dwAction=0
dwSpecialCureAction=3
dwMacroCureAction=0
dwSpecialMode=0
dwFileFilterType=0
pszExtList=|386|ADE|ADP|ADT|ASX|BAS|BAT|BIN|CBT|CHM|CLA|CMD|COM|CPL|CRT|CSC|DLL|DOC|DOT|DRV|EXE|HLP|HTA|HTM|HTT|INF|INS|ISP|JS|JSE|LNK|MDB|MDE|MSC|MSI|MSO|MSP|MST|OCX|PCD|PIF|POT|PPT|PRF|REG|RTF|SCF|SCR|SCT|SHB|SHS|SYS|URL|VB|VBE|VBS|VSD|VSS|VST|VXD|WIZ|WSC|WSF|WSH|XLA|XLS|XLT|XLW|
pszExcludeExtList=|BTR|DBF|SBF|DB|MDX|NDX|MDW|LDB|
bScanArc=1
bIsArcByExtension=1
dwArcTypesCount=10
pdwArcTypeList=1,2,3,4,6,7,8,9,10,11
bScanAllFilesInArc=1
bStopAtFirstInfectionInArc=1
bScanMigratedFiles=0
bSkipScannedAsRegularFile=0
bInfectedBootAction=0
dwEngineChoice=1
pszIncludeDirs=*
pszExcludeDirs=

byRepeatMonth: Number of months between scans (0 to 12).
byRepeatDay: Number of days between scans (0 to 31).
byRepeatHour: Number of hours between scans (0 to 24).
byRepeatMinute: Number of minutes between scans (0 to 60).
wSpeedLevel: Amount of CPU utilization the scan is allowed to take.
bTravelDir: Traverse subdirectories when scanning? 0-No 1-Yes
dwInfectedBootAction: Action when an infected boot sector is found: 0-Report only 1-Cure the boot sector
dwScanMode: Scan type: 1-Secure Scan 2-Reviewer Scan
dwAction: Action to take when a virus is detected: 0-Report only 1-Cure 2-Rename 3-Delete 4-Move. The shipped default, 0, only logs detections.
dwSpecialCureAction: Bitmask of the action to take when an unclassified virus is detected; add the values you want: 1-Copy Cure (copy the file to the Move directory before curing it) 2-Rename the file if the cure fails 4-Move the file if the cure fails 8-Delete the file if it is a Trojan or a worm
dwMacroCureAction: Cure action for macro viruses: 0-Do nothing 1-Remove all macros 2-Remove infected macros only
dwSpecialMode: Bitmask that enables advanced virus scanning techniques; add the values you want: 1-Heuristics 2-System Cure 4-Scan NTFS data streams
dwFileFilterType: Selects the files to scan by extension: 0-Scan all files 1-Scan only files with the extensions in pszExtList 2-Scan all files except those with the extensions in pszExcludeExtList
pszExtList: List of default extensions. Separate each item with "|"; the list begins and ends with "|".
pszExcludeExtList: List of excluded extensions. Separate each item with "|"; the list begins and ends with "|".
bScanArc: Scan compressed files? 0-No 1-Yes
bIsArcByExtension: Recognize a file as an archive by its extension? 0-No (recognize it by its contents) 1-Yes
dwArcTypesCount: Number of entries in pdwArcTypeList.
pdwArcTypeList: Comma-delimited list of the archive types to scan: 1-ARJ 2-GZIP 3-Java archive 4-LHA archive 5-Microsoft Cabinet 6-Microsoft Compressed 7-MIME 8-UNIX-to-UNIX encoded (UUEncode) files 9-ZIP 10-RAR 11-UNIX Compressed (Z) 12-Rich Text Format (RTF) 13-TNEF encapsulated e-mail files
bScanAllFilesInArc: Whether dwFileFilterType also applies to the decompressed files inside an archive being scanned. 0-No 1-Yes
bStopAtFirstInfectionInArc: Stop scanning an archive at the first virus detected in it? 0-No 1-Yes
bScanMigratedFiles: Scan files that have been migrated to external storage? 0-No 1-Yes (the files must be restored to the local machine first)
bSkipScannedAsRegularFile: Scan an archive as a regular file? 0-No 1-Yes
bInfectedBootAction: Cure an infected boot sector? 0-No 1-Yes
dwEngineChoice: Pick one of the two engines: 1-InoculateIT engine 2-Vet engine
pszIncludeDirs: Default directories to scan. '*' means scan all hard drives on the machine.
pszExcludeDirs: Directories to exclude from the scan. Separate each item with "|".

VirusAnalyze

Use the VirusAnalyze options to indicate where unclassified viruses should be sent for analysis. This is usually the local administrator, who can scan the file contents and then forward them to Computer Associates for further analysis.

[VirusAnalyze]
szSendEMailAddr=[email protected]
szSubject=New Virus is found!!!
szReplyEMailAddr=
szCompanyName=Your Company name
szCompanyAddr=That company's address
szPhone=(555)555-5555
szSiteID=Unknown Site ID
szContactName=John Q. Public
szSmtpServer=

szSendEMailAddr: The address to which the virus sample is sent. Note: If your network is behind a firewall, the address must resolve to an SMTP server located inside the firewall. The sample is a live infected file, so point this at an internal mailbox handled by an administrator rather than at an end user.
szSubject: The subject of the e-mail that contains the virus sample.
szReplyEMailAddr: The reply address of the e-mail that contains the virus sample.
szCompanyName: The name of the company where the virus sample was found.
szCompanyAddr: The address of the company where the virus sample was found.
szPhone: The company's or user's phone number.
szSiteID: The site ID of your company.
szContactName: The name of the company contact or administrator.
szSmtpServer: Name of the SMTP server used to send the e-mail messages.

Alert

Use the Alert options to set options for installing the alert notification system. Additional setup options can be specified in the instalrt.ini file located in the setup image.

[Alert]
Local=0
EventLog=0
Custom=0
Error=0
Information=0
Warning=0
NotOlderThan=30
QueueSize=10
Timeout=5
Forward=0
Host=

Local: Send notification information to the Alert Manager component on the local machine? 0-No 1-Yes
EventLog: Send notifications to the system event log of the local machine? 0-No 1-Yes
Custom: Send specific messages? 0-No 1-Yes
Error: Report all error messages to Alert? 0-No 1-Yes
Information: Report all informational messages to Alert? 0-No 1-Yes
Warning: Report all warning messages to Alert? 0-No 1-Yes
NotOlderThan: Records in the General Event Log older than this number of days are not reported.
QueueSize: The number of message records collected in the General Event Log before the information is reported as specified in the Report To options.
Timeout: The number of minutes before the information in the General Event Log is reported as specified in the Report To options.
Forward: Forward the notification to a specified machine that has the Computer Associates antivirus software installed? 0-No 1-Yes
Host: The name of the machine to which the notification information is forwarded.

Note: With the shipped defaults every destination (Local, EventLog) and every severity (Error, Information, Warning) is 0, so nothing is reported anywhere. If you collect Windows event logs centrally, set EventLog=1 together with Error=1 and Warning=1 so that detections reach your monitoring.

NameClient

Use the NameClient options to provide the list of IP addresses of servers that are approved to poll the installation machine.

[NameClient]
ServerList=127.0.0.1
BroadcastPort=42508
PollBroadcastPort=42508

ServerList: Comma-separated list of IP addresses of the servers that are approved to poll the machine. If a poll comes from an approved server, the machine is automatically added to that server's tree; otherwise the machine is added to the database but not to the tree, so policy cannot be applied to it. The shipped default, 127.0.0.1, approves only an Admin Server running on the machine itself, so list the addresses of your real Admin Servers here. Because approval is decided by source IP address alone, keep the list limited to servers you operate.
BroadcastPort: The local port that receives polls from the Admin Server.
PollBroadcastPort: The local port that receives information from other machines in its subnet.

Startup

Use the Startup option to run START.JOB during setup. Startup job options are contained in the START.JOB file in the setup directory. This is a binary file that can be created on a machine already running the 7.0 program: schedule the Start Job on that machine and then copy START.JOB from the Home directory to the setup directory.

[Startup]
bStartJob=0

bStartJob: Run the startup job? 0-No 1-Yes (run the job on startup)

Miscellaneous

This category is reserved for miscellaneous options.

[Miscellaneous]
StartServiceAfterSetup=1

StartServiceAfterSetup: Start all services (except the realtime service) right after installation? 0-No 1-Yes

EngineID

Use the EngineID option to specify which antivirus engines to install.

[EngineID]
dwEngIDs=3

dwEngIDs: Which engines to install: 1-InoculateIT engine 2-Vet engine 3-Both engines

PurgeLog

Use the PurgeLog options to indicate how often to purge old logs and files from the machine.

[PurgeLog]
dwPurgeLogDays=7
dwPurgeMoveDirDays=0

dwPurgeLogDays: Number of days to keep a log before purging it from the client. The default, 7, is short for incident investigation; raise it if you do not forward the logs elsewhere.
dwPurgeMoveDirDays: Number of days to keep infected files in the Move directory before purging them from the client. 0-Do not purge the files automatically.


InstallComponent

Use the InstallComponent options to indicate silent install settings. These settings are used when you run setup with the /s option.

[InstallComponent]
RealTime=1
JobScheduler=1
LocalScanner=1
AdminService=1
RemoteManagement=1
NetwareSupport=0
Alert=0
KeepOldSettingIfAny=0
Reboot=0
RebootDelay=240
CancelReboot=0
SilentInstallWithProgressBar=1
ShowSaveSettingDialog=1
WebAccess=0

RealTime: Install the Realtime Protector? 0-No 1-Yes
JobScheduler: Reserved for future use. The Job Scheduler is always installed (default 1).
LocalScanner: Reserved for future use. The Local Scanner is always installed (default 1).
AdminService: Install the Admin Server? 0-No 1-Yes
RemoteManagement: Install the Remote Manager (Admin Client)? 0-No 1-Yes
NetwareSupport: Install NetWare support? 0-No 1-Yes
Alert: Install CA-Alert? 0-No 1-Yes
KeepOldSettingIfAny: Keep the old settings if a former version is installed on the machine? 0-No 1-Yes
Reboot: Reboot the machine after a silent install? 0-No 2-Yes
RebootDelay: Number of seconds to wait before rebooting after the install. Note: Used only for remote installs.
CancelReboot: Allow the user to cancel the reboot after a silent install? 0-No 1-Yes
SilentInstallWithProgressBar: Display a progress bar during the silent install? 0-No 1-Yes
ShowSaveSettingDialog: Show the save settings dialog? 0-No 1-Yes
WebAccess: Install web access to the administrative server? 0-No 1-Yes

SystemSetting

Use the SystemSetting options to indicate system settings for locking configuration settings and for running realmon.exe.

[SystemSetting]
ConfigLock=0
RemoteSessionRun=1
RemoteSessionStartup=1

ConfigLock: Bitmask for locking configuration settings against user changes; add the values you want: 1-Lock Realtime 2-Lock Signature Distribution 4-Lock Analysis Info 65535-Leave the existing lock settings unchanged. The default, 0, locks nothing, so a local user can turn realtime protection off; 7 locks all three areas.
RemoteSessionRun: Allow realmon.exe to run in the system tray during a terminal server session? 0-No 1-Yes
RemoteSessionStartup: Allow realmon.exe to start automatically in the system tray during a terminal server session? 0-No 1-Yes

Job Adjustment

Use the Job Adjustment options to indicate default delay settings for a domain scheduled scan job.

[Job Adjustment]
RequestJobMaxWaitHour=8
RequestJobTimeOutMinutes=3
RequestJobEnabled=1

RequestJobMaxWaitHour: The maximum number of hours a user is allowed to delay a policy job (default 8).
RequestJobTimeOutMinutes: How long the delay-job dialog waits before timing out if the user does not respond (default 3 minutes).
RequestJobEnabled: Allow the user to delay a policy job pushed to the local machine? 0-No 1-Yes
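Several of the options above (dwSpecialCureAction, dwSpecialMode and dwShowDriveFlags in the Local Scanner, Realtime and Scheduled Scanner sections, and ConfigLock in SystemSetting) are bitmasks, and a few others carry constraints that the file format does not enforce, such as dwArcTypesCount matching the length of pdwArcTypeList and dwEnforceTime staying within 1 to 1440 minutes. The following is an added example, not code from the product: a small checker that reads an ICF with the standard INI parser, decodes the bitmasks using the bit meanings from the tables, and reports the settings a reviewer would question before a silent install, such as dwAction=0 (report only), heuristics off, realtime disabled, or a ConfigLock of 0. The SAMPLE_ICF fragment is constructed for the example and is not a file shipped with the product.

```python
"""Decode and sanity-check bitmask and list options of an INOC6.ICF file.

Added example; it is not part of eTrust Antivirus. Bit meanings and value
ranges come from the option tables in this appendix. SAMPLE_ICF is a
constructed fragment, not a file shipped with the product.
"""
import configparser

# A bitmask value is the sum of the bits that are set.
SPECIAL_CURE_BITS = {1: "Copy Cure", 2: "Rename if cure fails",
                     4: "Move if cure fails", 8: "Delete Trojan/worm"}
SPECIAL_MODE_BITS = {1: "Heuristics", 2: "System Cure", 4: "Scan NTFS data stream"}
CONFIG_LOCK_BITS = {1: "Lock Realtime", 2: "Lock Signature Distribution",
                    4: "Lock Analysis Info"}
DRIVE_BITS = {1: "Hard", 2: "CD", 4: "Floppy", 8: "Network", 16: "Removable"}

SAMPLE_ICF = """\
[Local Scanner]
dwAction=0
dwSpecialMode=0
dwFileFilterType=1
dwArcTypesCount=10
pdwArcTypeList=1,2,3,4,6,7,8,9,10,11,12,13
pszSpecifiedList=|386|BAT|COM|EXE|SCR|VBS|
[Realtime]
dwSpecialMode=5
bEnforcement=1
dwEnforceTime=2000
[SystemSetting]
ConfigLock=65535
"""


def decode_bits(value, table):
    """Names of the bits set in value; bits the table does not define are reported as a number."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append("unknown bit(s) 0x%x" % unknown)
    return names


def parse_icf(text):
    # The ICF is INI-style. Keep option-name case (bScan..., dwScan...) and
    # turn off '%' interpolation so extension lists are read literally.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def pipe_list(raw):
    """Extension lists are written |A|B|C| ; return the items between the bars."""
    return [item for item in raw.split("|") if item]


def lint(cp):
    """Return (section, option, message) findings for the scanner and lock sections."""
    out = []
    for sect in ("Local Scanner", "Realtime", "Scheduled Scanner"):
        if not cp.has_section(sect):
            continue
        s = cp[sect]
        if s.getint("dwAction", 0) == 0:
            out.append((sect, "dwAction", "0 = report only; detections are logged, not cured"))
        if not s.getint("dwSpecialMode", 0) & 1:
            out.append((sect, "dwSpecialMode", "heuristics (bit 1) are off"))
        if "pdwArcTypeList" in s:
            types = [t for t in s["pdwArcTypeList"].split(",") if t]
            count = s.getint("dwArcTypesCount", len(types))
            if count != len(types):
                out.append((sect, "dwArcTypesCount",
                            "is %d but pdwArcTypeList has %d entries" % (count, len(types))))
        include = s.get("pszSpecifiedList", s.get("pszExtList", ""))
        if s.getint("dwFileFilterType", 0) == 1 and not pipe_list(include):
            out.append((sect, "dwFileFilterType", "1 scans by extension but the include list is empty"))
        if sect == "Realtime":
            if s.getint("dwDirection", 3) == 0:
                out.append((sect, "dwDirection", "0 = realtime protection disabled"))
            minutes = s.getint("dwEnforceTime", 90)
            if s.getint("bEnforcement", 0) and not 1 <= minutes <= 1440:
                out.append((sect, "dwEnforceTime",
                            "%d is outside the documented 1..1440 minutes" % minutes))
    if cp.has_section("SystemSetting"):
        lock = cp["SystemSetting"].getint("ConfigLock", 0)
        if lock == 65535:
            out.append(("SystemSetting", "ConfigLock", "65535 = existing lock settings left unchanged"))
        elif lock == 0:
            out.append(("SystemSetting", "ConfigLock",
                        "0 = users may change realtime, distribution and analysis settings"))
    return out


if __name__ == "__main__":
    cfg = parse_icf(SAMPLE_ICF)
    print("Realtime dwSpecialMode:",
          decode_bits(cfg["Realtime"].getint("dwSpecialMode"), SPECIAL_MODE_BITS))
    for sect, opt, msg in lint(cfg):
        print("%s/%s: %s" % (sect, opt, msg))
```

Run against the constructed sample, the checker flags the report-only action and missing heuristics in the Local Scanner, the twelve-entry archive list declared with a count of ten, the Realtime dwEnforceTime outside its documented range, and the 65535 ConfigLock. Options that are absent are treated as the documented defaults (dwAction 0, dwDirection 3, dwEnforceTime 90), which is an assumption about how the installer fills in missing keys.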


PreAction

Use the PreAction options to indicate which applications to run before the file copy. Do not change the App1 setting.

[PreAction]
App1=silent.bat
AppDir1=..\License

App1: Application to run before the file copy (DO NOT CHANGE!)
AppDir1: Directory that contains App1. The path is relative to the build directory, or you can set the full path where App1 is located.

PostAction

Use the PostAction options to indicate which applications to run after the install. Do not change the setting for App1=.

[PostAction]
App1=50comupd /q:a
App2=.\Lang\en\eAV61_en

App1: Application to run after the install. You can add more applications to run in the PostAction section, but DO NOT CHANGE the setting for App1=.
App2: Language pack to run after the install (DO NOT CHANGE!)

The INOC6_NW.ICF File

You can pre-configure the installation process of your eTrust AV software using the installation command file, INOC6_NW.ICF. When the installation program starts, the INOC6_NW.ICF file loads using the values you indicate. The following tables summarize the default settings for each option in the INOC6_NW.ICF file, followed by a brief description of the option and additional information about option variables.


Note: Although you can use the INOC6_NW.ICF file for both Windows and NetWare installations, the information in this part of the appendix summarizes the settings for NetWare.

Path

Use the Path options to specify the default locations for installation of the various eTrust AV components.

[Path]
HOME=
MOVE=MOVE
ENG=
DB=DB
OUTGOING=OUTGOING

Note: The MOVE, DB, and OUTGOING settings have no effect under Novell NetWare. Their values are fixed as indicated in the following table.


HOME: The Home directory. Enter a full volume and path, or leave blank to accept the default, SYS:eTrustAV. For example, SYS:\AV.
MOVE: The Move directory. This setting has no effect for NetWare; the directory is fixed to "HOME"\ino\Move. For example, if your Home directory is SYS:\AV, your MOVE path is SYS:\AV\ino\Move.
ENG: The Engine directory. Enter a full volume and path, or leave blank to accept the default, "HOME"\AVEngine. For example, if your Home directory is SYS:\AV, your ENG path is SYS:\AV\AVEngine.
DB: The Database directory. This setting has no effect for NetWare; the directory is fixed to "HOME"\ino\DB. For example, if your Home directory is SYS:\AV, your DB path is SYS:\AV\ino\DB.
OUTGOING: The signature Outgoing directory. This setting has no effect for NetWare; the directory is fixed to "HOME"\ino\Outgoing. For example, if your Home directory is SYS:\AV, your OUTGOING path is SYS:\AV\ino\Outgoing.


RPCMtAdn

Use the RPCMtAdn options to specify the locations of the RPC Policy Distribution Proxy's database files. Note: NetWare ignores the DataBasePath and JobPath settings. These locations are fixed as indicated in the following table.

[RPCMtAdn]
DataBasePath=RPCMtDB
JobPath=RPCMtJob

DataBasePath: The path the Proxy uses to store its database files. This setting has no effect for NetWare; the path is fixed to "HOME"\ino\config\RPCMtAdn. For example, if your Home directory is SYS:\AV, your DataBasePath is SYS:\AV\ino\config\RPCMtAdn.
JobPath: The path the Proxy uses to store job files. This setting has no effect for NetWare; the path is fixed to "HOME"\ino\config\RPCMtJob. For example, if your Home directory is SYS:\AV, your JobPath is SYS:\AV\ino\config\RPCMtJob.

Local Scanner

Use the Local Scanner options to set the default values for Local Scan from the ETRUSTAV console application. For information about ETRUSTAV, see the "Using the ETRUSTAV Console Program" chapter.

[Local Scanner]
bScanCompressed=1
bScanMemory=0
bScanBootSector=1
bScanFiles=1
dwScanMode=1
dwAction=0
dwSpecialCureAction=3
dwMacroCureAction=0
dwSpecialMode=0
dwFileFilterType=0
bIsArcByExtension=1
dwArcTypesCount=10
pdwArcTypeList=1,2,3,4,6,7,8,9,10,11,12,13
pszSpecifiedList=|386|ADE|ADP|ADT|ASX|BAS|BAT|BIN|CBT|CHM|CLA|CMD|COM|CPL|CRT|CSC|DLL|DOC|DOT|DRV|EXE|HLP|HTA|HTM|HTT|INF|INS|ISP|JS|JSE|LNK|MDB|MDE|MSC|MSI|MSO|MSP|MST|OCX|PCD|PIF|POT|PPT|PRF|REG|RTF|SCF|SCR|SCT|SHB|SHS|SYS|URL|VB|VBE|VBS|VSD|VSS|VST|VXD|WIZ|WSC|WSF|WSH|XLA|XLS|XLT|XLW|
pszExcludedList=|BTR|DBF|SBF|DB|MDX|NDX|MDW|LDB|
bScanAllFilesInArc=1
bStopAtFirstInfectionInArc=1
bScanMigratedFiles=0
dwEngineChoice=1
dwShowDriveFlags=31
bShowAllFiles=0
bLogCleanFiles=0
bLogInfectedFiles=1
bLogSkippedFiles=0
dwDaysToDeleteLogs=365
dwBootAction=0
bShowSummaryAfterScan=0

bScanCompressed: Scan compressed files? 0-No 1-Yes
bScanMemory: Scan memory for viruses? 0-No 1-Yes
bScanBootSector: Scan for boot sector viruses? 0-No 1-Yes
bScanFiles: Scan files? 0-No 1-Yes (Set this to 0 and bScanBootSector to 1 to scan the boot sector only.)
dwScanMode: Scan type: 1-Secure Scan 2-Reviewer Scan
dwAction: Action to take when a virus is detected: 0-Report only 1-Cure 2-Rename 3-Delete 4-Move. The shipped default, 0, only logs detections.
dwSpecialCureAction: Bitmask that specifies the action to take when an unclassified virus is detected; add the values you want: 1-Copy Cure (copy the file to the Move directory before curing it) 2-Rename the file if the cure fails 4-Move the file if the cure fails 8-Delete the file if it is a Trojan or a worm
dwMacroCureAction: Cure action for macro viruses: 0-Do nothing 1-Remove all macros 2-Remove infected macros only
dwSpecialMode: Bitmask that enables advanced virus scanning techniques; add the values you want: 1-Heuristics 2-System Cure 4-Scan NTFS data streams
dwFileFilterType: Selects the files to scan by extension: 0-Scan all files 1-Scan only files with the extensions in pszSpecifiedList 2-Scan all files except those with the extensions in pszExcludedList
bIsArcByExtension: Recognize a file as an archive by its extension? 0-No (recognize it by its contents) 1-Yes
dwArcTypesCount: Number of entries in pdwArcTypeList. Note: The NetWare defaults above list 12 archive types while dwArcTypesCount is 10; keep the count equal to the number of entries in the list you ship.
pdwArcTypeList: Comma-delimited list of the archive types to scan: 1-ARJ 2-GZIP 3-Java archive 4-LHA archive 5-Microsoft Cabinet 6-Microsoft Compressed 7-MIME 8-UNIX-to-UNIX encoded (UUEncode) files 9-ZIP 10-RAR 11-UNIX Compressed (Z) 12-Rich Text Format (RTF) 13-TNEF encapsulated e-mail files
pszSpecifiedList: List of default extensions. Separate each item with "|"; the list begins and ends with "|".
pszExcludedList: List of excluded extensions. Separate each item with "|"; the list begins and ends with "|".
bScanAllFilesInArc: Scan all files in an archive? 0-No 1-Yes
bStopAtFirstInfectionInArc: Stop scanning an archive at the first virus detected in it? 0-No 1-Yes
bScanMigratedFiles: Scan files that have been migrated to external storage? 0-No 1-Yes (the files must be de-migrated back to local disk first)
dwEngineChoice: Pick one of the two engines: 1-InoculateIT engine 2-Vet engine
dwShowDriveFlags: Bitmask that determines which drives are shown; add the values you want: 1-Hard drives 2-Compact disc drives 4-Floppy drives 8-Network drives 16-Removable drives. The default, 31, shows all of them.
bShowAllFiles: File display option: 0-Show only files whose extensions are listed in pszSpecifiedList 1-Show all files
bLogCleanFiles: Write to the log when a scan cleans a file? 0-No 1-Yes
bLogInfectedFiles: Write to the log when a scan detects an infected file? 0-No 1-Yes
bLogSkippedFiles: Write to the log the files that a scan skips? 0-No 1-Yes
dwDaysToDeleteLogs: Number of days to keep a log before deleting it.
dwBootAction: Action when an infected boot sector is found: 0-Report only 1-Cure the boot sector
bShowSummaryAfterScan: Show a summary dialog box after each scan? 0-No 1-Yes


Distribution

Use the Distribution options to set configuration options for local signature retrieval and distribution. To configure a NetWare server to redistribute signature updates, see the "Configuring NetWare Servers to Distribute Signature Updates" appendix.

[Distribution]
dwStateMask=0
tExecTime=
byRepeatMonth=0
byRepeatDay=0
byRepeatHour=0
byRepeatMinute=0
dwRepeatTimesOnFail=3
dwRepeatMinutesOnFail=5
dwHoldTimeQueryInterval=60
bDownloadNow=0
dwPopupMessage=0
bHideIcon=0

Option

Description

dwStateMask

Distribution State 0 - Off 1 - Incoming (retrieve updates) 2 - Outgoing (Allow others to retrieve updates from local machine) 3 - Incoming and Outgoing

tExecTime

The time to check for the latest signature files on remote servers: Format: MM/DD/YYYY,HH:MM:SS,DST (DST = 1 if the time is a daylight saving time, 0 otherwise.) For example, 12/04/1999,23:23:23,0

byRepeatMonth

Number of months between checks (0 to 12)

byRepeatDay

Number of days between checks (0 to 31)

byRepeatHour

Number of hours between checks (0 to 24)

byRepeatMinute

Number of minutes between checks (0 to 60)

Using the Installation Command File

E–35

The INOC6_NW.ICF File

Option

Description

dwRepeatTimesOnFail

The number of retries the job scheduler should perform if the signature download fails. Use this value with dwRepeatMinutesOnFail to determine how often to attempt a download. Retries are done until:

■ A successful download occurs
■ The number of attempts exceeds dwRepeatTimesOnFail
■ A regularly scheduled download occurs

Note: Set to zero to disable retries.

dwRepeatMinutesOnFail

The number of minutes between retries in the event of a failure. This value is used with dwRepeatTimesOnFail to determine how often to retry.

dwHoldTimeQueryInterval

How often, in minutes, the program checks the Incoming directory to see if a new signature is available to copy to the Outgoing directory for distribution

bDownloadNow

Download a new signature immediately after install? (Requires inodist.ini file to contain a valid ftp site and proxy server) 0 - No 1 - Yes


dwPopupMessage

Does not apply to NetWare

bHideIcon

Does not apply to NetWare

dwTimeOut

Number of seconds without a response from the server before the download is considered to have failed.
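The retry rules above (dwRepeatTimesOnFail, dwRepeatMinutesOnFail, and the three stop conditions) are easier to reason about when worked through. The following Python is an added example, not code from this guide or from CA: it parses the documented tExecTime format and lists the retry times a failed download would produce, stopping when the retry count is exhausted or when the next regular check (derived from the byRepeat* keys) would arrive first. The [Distribution] values are constructed from the defaults listed above, and treating a month as 30 days is an assumption made only to bound the retry window.

```python
from datetime import datetime, timedelta

# Constructed [Distribution] values based on the defaults listed above;
# tExecTime uses the example value given in the option description.
SAMPLE_DISTRIBUTION = {
    "tExecTime": "12/04/1999,23:23:23,0",
    "byRepeatMonth": "0",
    "byRepeatDay": "0",
    "byRepeatHour": "1",
    "byRepeatMinute": "0",
    "dwRepeatTimesOnFail": "3",
    "dwRepeatMinutesOnFail": "5",
}


def parse_exec_time(value):
    """Parse tExecTime 'MM/DD/YYYY,HH:MM:SS,DST' into (datetime, is_dst)."""
    date_part, time_part, dst = value.split(",")
    when = datetime.strptime(f"{date_part} {time_part}", "%m/%d/%Y %H:%M:%S")
    return when, dst == "1"


def repeat_interval(section):
    """Interval between regular checks, from the byRepeat* keys.

    A month is approximated as 30 days (assumption: the ICF description
    gives no month length); that is enough to bound the retry window.
    """
    return timedelta(
        days=30 * int(section["byRepeatMonth"]) + int(section["byRepeatDay"]),
        hours=int(section["byRepeatHour"]),
        minutes=int(section["byRepeatMinute"]),
    )


def retry_schedule(section):
    """Retry times a failed download at tExecTime would produce.

    Stop conditions from the description: the attempt count exceeding
    dwRepeatTimesOnFail, or the next regularly scheduled download arriving
    (a successful download, the third condition, is not modelled here).
    dwRepeatTimesOnFail=0 disables retries entirely.
    """
    start, _ = parse_exec_time(section["tExecTime"])
    retries = int(section["dwRepeatTimesOnFail"])
    gap = timedelta(minutes=int(section["dwRepeatMinutesOnFail"]))
    interval = repeat_interval(section)
    next_regular = start + interval if interval else None  # no repeat: never

    schedule = []
    for attempt in range(1, retries + 1):
        when = start + attempt * gap
        if next_regular is not None and when >= next_regular:
            break  # the regular job takes over; no further retries
        schedule.append(when)
    return schedule


if __name__ == "__main__":
    for t in retry_schedule(SAMPLE_DISTRIBUTION):
        print("retry at", t.strftime("%m/%d/%Y %H:%M:%S"))
```

With the constructed values (retry every 5 minutes, three times, regular check every hour) all three retries fit before the next regular run; shrink the repeat interval to 12 minutes and only two retries remain, which is the interaction an administrator tuning these keys should expect.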


Realtime

Use the Realtime options for the local real-time policy configuration. These options serve as the default real-time settings for the local installation.

[Realtime]
dwDirection=3
bFloppyDrive=1
bNetworkDrive=1
bCDRom=0
bFastBackup=1
bEnforcement=0
dwEnforceTime=90
pszExcludeProcessNames=
pszExcludeDirs=
dwScanMode=1
dwAction=0
dwBootAction=0
dwMacroCureAction=0
dwSpecialMode=0
dwSpecialCureAction=3
dwFileFilterType=0
pszExtList=|386|ADE|ADP|ADT|ASX|BAS|BAT|BIN|CBT|CHM|CLA|CMD|COM|CPL|CRT|CSC|DLL|DOC|DOT|DRV|EXE|HLP|HTA|HTM|HTT|INF|INS|ISP|JS|JSE|LNK|MDB|MDE|MSC|MSI|MSO|MSP|MST|OCX|PCD|PIF|POT|PPT|PRF|REG|RTF|SCF|SCR|SCT|SHB|SHS|SYS|URL|VB|VBE|VBS|VSD|VSS|VST|VXD|WIZ|WSC|WSF|WSH|XLA|XLS|XLT|XLW|
pszExcludeExtList=|BTR|DBF|SBF|DB|MDX|NDX|MDW|LDB|
bScanArc=1
bIsArcByExtension=1
dwArcTypesCount=10
pdwArcTypeList=1,2,3,4,6,7,8,9,10,11
bScanAllFilesInArc=1
bStopAtFirstInfectionInArc=1
bScanMigratedFiles=0
bScanOnShutDown=0
dwEngineChoice=1
dwPopUpMsgLimit=3
pszBlockExtList=
pszBlockOverrideList=
bEnableAnimation=1
kTime=5
kScanTime=1


Option

Description

dwDirection

Direction to monitor:
0 - Realtime Disabled
1 - Outgoing
3 - Outgoing and Incoming

bFloppyDrive

Does not apply to NetWare

bNetworkDrive

Does not apply to NetWare

bCDRom

Does not apply to NetWare

bFastBackup

Does not apply to NetWare

bEnforcement

Does not apply to NetWare

dwEnforceTime

Does not apply to NetWare

pszExcludeProcessNames

The thread names to exclude. (Separate each item by "|")

pszExcludeDirs

The directories to exclude. (Separate each item by "|")

dwScanMode

Scan Type: 1 - Secure Scan 2 - Reviewer Scan

dwAction

Action to take when a virus is detected:
0 - Report only
1 - Cure
2 - Rename
3 - Delete
4 - Move

dwBootAction

Does not apply to NetWare

dwMacroCureAction

Cure action for macro viruses:
0 - Do Nothing
1 - Remove All Macros
2 - Remove Infected Macros Only

dwSpecialMode

Bitmask to enable Advanced Virus Scanning techniques: 1 - Heuristics


dwSpecialCureAction

Bitmask of actions to take when an unclassified virus is detected:
1 - Copy Cure (copy the file to the Move directory before curing)
2 - Rename File if Cure Fails
4 - Move File if Cure Fails
8 - Delete File if it is a Trojan

dwFileFilterType

Specifies which files to scan, by extension:
0 - Scan all files
1 - Scan files with default extensions (specified in pszExtList)
2 - Scan all files except those with default extensions (specified in pszExcludeExtList)

pszExtList

List of default extensions. (Separate each item by "|")

pszExcludeExtList

List of excluded extensions. (Separate each item by "|")

bScanArc

Scan compressed files? 0 - No 1 - Yes

bIsArcByExtension

Determine if a file is an archive by its extension? 0 - No (determine by contents of file) 1 - Yes

dwArcTypesCount

Number of archive types listed in pdwArcTypeList


pdwArcTypeList

Comma-delimited list of archive types to scan:
1 - ARJ
2 - GZIP
3 - JAVA archive
4 - LHA archive
5 - Microsoft Cabinet
6 - Microsoft Compressed
7 - MIME
8 - UNIX to UNIX encoded files (UUEncode)
9 - ZIP
10 - RAR
11 - Unix Compressed (Z)
12 - Rich Text Format File (RTF)
13 - TNEF encapsulated eMail files

bScanAllFilesInArc

Whether dwFileFilterType applies to the decompressed files inside an archive: 0 - No 1 - Yes

bStopAtFirstInfectionInArc

Stop scanning an archive file upon the first detection of a virus? 0 - No 1 - Yes

bScanMigratedFiles

Scan files that are migrated to external storage? 0 - No 1 - Yes (files need to be restored to the local machine)

bScanOnShutDown

Does not apply to NetWare

dwEngineChoice

Pick one of the two engines: 1 - InoculateIT engine 2 - Vet engine


dwPopUpMsgLimit

Does not apply to NetWare

pszBlockExtList

Block execution of list of files based on their extensions. (Separate each item by "|")


pszBlockOverrideList

List of files to override block on. (Separate each item by "|")

bEnableAnimation

Does not apply to NetWare

kTime

Does not apply to NetWare

kScanTime

Does not apply to NetWare

Scheduled Scanner

Use the Scheduled Scanner options to set the scheduled scanner policy configuration. These options serve as the default scheduler settings for the local installation:

[Scheduled Scanner]
byRepeatMonth=0
byRepeatDay=0
byRepeatHour=0
byRepeatMinute=0
wSpeedLevel=1
bTravelDir=1
dwInfectedBootAction=0
dwScanMode=1
dwAction=0
dwSpecialCureAction=3
dwMacroCureAction=0
dwSpecialMode=0
dwFileFilterType=0
pszExtList=|386|ADE|ADP|ADT|ASX|BAS|BAT|BIN|CBT|CHM|CLA|CMD|COM|CPL|CRT|CSC|DLL|DOC|DOT|DRV|EXE|HLP|HTA|HTM|HTT|INF|INS|ISP|JS|JSE|LNK|MDB|MDE|MSC|MSI|MSO|MSP|MST|OCX|PCD|PIF|POT|PPT|PRF|REG|RTF|SCF|SCR|SCT|SHB|SHS|SYS|URL|VB|VBE|VBS|VSD|VSS|VST|VXD|WIZ|WSC|WSF|WSH|XLA|XLS|XLT|XLW|
pszExcludeExtList=|BTR|DBF|SBF|DB|MDX|NDX|MDW|LDB|
bScanArc=1
bIsArcByExtension=1
dwArcTypesCount=10
pdwArcTypeList=1,2,3,4,6,7,8,9,10,11
bScanAllFilesInArc=1
bStopAtFirstInfectionInArc=1
bScanMigratedFiles=0
bSkipScannedAsRegularFile=0
bInfectedBootAction=0
dwEngineChoice=1
pszIncludeDirs=*
pszExcludeDirs=


Option

Description

byRepeatMonth

Number of months between scans (0 to 12)

byRepeatDay

Number of days between scans (0 to 31)

byRepeatHour

Number of hours between scans (0 to 24)

byRepeatMinute

Number of minutes between scans (0 to 60)

wSpeedLevel

Does not apply to NetWare

bTravelDir

Traverse Subdirectories when performing scan: 0 - No 1 - Yes

dwInfectedBootAction

Does not apply to NetWare

dwScanMode

Scan Type: 1 - Secure Scan 2 - Reviewer Scan

dwAction

Action to take when a virus is detected:
0 - Report only
1 - Cure
2 - Rename
3 - Delete
4 - Move

dwSpecialCureAction

Bitmask of actions to take when an unclassified virus is detected:
1 - Copy Cure (copy the file to the Move directory before curing)
2 - Rename File if Cure Fails
4 - Move File if Cure Fails
8 - Delete File if it is a Trojan or a Worm

dwMacroCureAction

Cure action for macro viruses:
0 - Do Nothing
1 - Remove All Macros
2 - Remove Infected Macros Only


dwSpecialMode

Bitmask to enable Advanced Virus Scanning techniques: 1 - Heuristics

dwFileFilterType

Specifies which files to scan, by extension:
0 - Scan all files
1 - Scan files with default extensions (specified in pszExtList)
2 - Scan all files except those with default extensions (specified in pszExcludeExtList)

pszExtList

List of default extensions. (Separate each item by "|")

pszExcludeExtList

List of excluded extensions. (Separate each item by "|")

bScanArc

Scan compressed files? 0 - No 1 - Yes

bIsArcByExtension

Determine if a file is an archive by its extension? 0 - No (determine by contents of file) 1 - Yes

dwArcTypesCount

Number of archive types listed in pdwArcTypeList


pdwArcTypeList

Comma-delimited list of archive types to scan:
1 - ARJ
2 - GZIP
3 - JAVA archive
4 - LHA archive
5 - Microsoft Cabinet
6 - Microsoft Compressed
7 - MIME
8 - UNIX to UNIX encoded files (UUEncode)
9 - ZIP
10 - RAR
11 - Unix Compressed (Z)
12 - Rich Text Format File (RTF)
13 - TNEF encapsulated eMail files

bScanAllFilesInArc

Whether dwFileFilterType applies to the decompressed files inside an archive: 0 - No 1 - Yes

bStopAtFirstInfectionInArc

Stop scanning an archive file upon the first detection of a virus? 0 - No 1 - Yes

bScanMigratedFiles

Scan files that are migrated to external storage? 0 - No 1 - Yes (files need to be restored to the local machine)

bSkipScannedAsRegularFile

Scan an archive as a regular file: 0 - No 1 - Yes

bInfectedBootAction

Does not apply to NetWare

dwEngineChoice

Pick one of the two engines: 1 - InoculateIT engine 2 - Vet engine


pszIncludeDirs

Default directories to scan

pszExcludeDirs

List of directories to exclude during scan. (Separate each item by "|")
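The [Realtime] and [Scheduled Scanner] sections above share the same extension lists, bitmask options and archive-type list, and the same mistakes are possible in both (a dwArcTypesCount that no longer matches pdwArcTypeList after an edit, a filter type that scans nothing, a policy left at report-only). The following Python is an added example, not code from this guide or from CA: it reads an ICF fragment with the standard-library configparser (an assumption: the ICF listing above is INI-like enough for it), splits the pipe-delimited lists, decodes dwSpecialCureAction and pdwArcTypeList into the names from the tables above, and reports consistency findings for either section. The sample fragment is constructed from the [Realtime] defaults, with a shortened extension list and a deliberately wrong dwArcTypesCount.

```python
import configparser

# Constructed ICF fragment: [Realtime] defaults from the listing above with a
# shortened extension list and a deliberately wrong dwArcTypesCount (9 for 10
# entries) so that the consistency check has something to report.
SAMPLE_ICF = """
[Realtime]
dwDirection=3
dwScanMode=1
dwAction=0
dwSpecialCureAction=3
dwFileFilterType=1
pszExtList=|386|BAT|COM|DLL|EXE|JS|VBS|
pszExcludeExtList=|BTR|DBF|
bScanArc=1
dwArcTypesCount=9
pdwArcTypeList=1,2,3,4,6,7,8,9,10,11
"""

# Value tables transcribed from the option descriptions above.
ARCHIVE_TYPES = {
    1: "ARJ", 2: "GZIP", 3: "JAVA archive", 4: "LHA archive",
    5: "Microsoft Cabinet", 6: "Microsoft Compressed", 7: "MIME",
    8: "UUEncode", 9: "ZIP", 10: "RAR", 11: "Unix Compressed (Z)",
    12: "RTF", 13: "TNEF",
}
SPECIAL_CURE_BITS = {
    1: "Copy Cure", 2: "Rename File if Cure Fails",
    4: "Move File if Cure Fails", 8: "Delete File if it is a Trojan",
}
ACTIONS = {0: "Report only", 1: "Cure", 2: "Rename", 3: "Delete", 4: "Move"}


def load_icf(text):
    """Parse ICF text; keys keep their case, only '=' separates key and value."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def parse_pipe_list(value):
    """'|386|BAT|' -> ['386', 'BAT']; the leading/trailing '|' yield no items."""
    return [item for item in value.split("|") if item]


def decode_bitmask(value, table):
    """Names of the bits set in a bitmask option such as dwSpecialCureAction."""
    return [name for bit, name in table.items() if int(value) & bit]


def archive_type_names(value):
    """Map a pdwArcTypeList value ('1,2,...') to archive type names."""
    return [ARCHIVE_TYPES[int(n)] for n in value.split(",") if n.strip()]


def check_scan_policy(section):
    """Consistency findings for one [Realtime] or [Scheduled Scanner] section.

    `section` may be a configparser section or a plain dict of strings.
    """
    findings = []
    arc_ids = [n for n in section.get("pdwArcTypeList", "").split(",") if n.strip()]
    if int(section.get("dwArcTypesCount", "0")) != len(arc_ids):
        findings.append("dwArcTypesCount does not match the number of pdwArcTypeList entries")
    if any(int(n) not in ARCHIVE_TYPES for n in arc_ids):
        findings.append("pdwArcTypeList contains an unknown archive type ID")
    filter_type = int(section.get("dwFileFilterType", "0"))
    if filter_type not in (0, 1, 2):
        findings.append("dwFileFilterType must be 0, 1 or 2")
    elif filter_type == 1 and not parse_pipe_list(section.get("pszExtList", "")):
        findings.append("dwFileFilterType=1 with an empty pszExtList scans nothing")
    action = int(section.get("dwAction", "0"))
    if action not in ACTIONS:
        findings.append("dwAction is out of range")
    elif action == 0:
        findings.append("dwAction=0 (Report only): infected files are logged but left in place")
    if section.get("dwDirection") == "0":
        findings.append("dwDirection=0: real-time scanning is disabled")
    return findings


def summarize(section):
    """Human-readable view of a scan policy, for review or change control."""
    return {
        "action": ACTIONS.get(int(section.get("dwAction", "0")), "unknown"),
        "special_cure": decode_bitmask(section.get("dwSpecialCureAction", "0"), SPECIAL_CURE_BITS),
        "archives": archive_type_names(section.get("pdwArcTypeList", "")),
        "extensions": parse_pipe_list(section.get("pszExtList", "")),
        "findings": check_scan_policy(section),
    }


if __name__ == "__main__":
    cfg = load_icf(SAMPLE_ICF)
    for name, value in summarize(cfg["Realtime"]).items():
        print(f"{name}: {value}")
```

Because the checks take any mapping of strings, the same function can be pointed at the [Scheduled Scanner] section of a real INOC6_NW.ICF after it has been loaded with load_icf.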

VirusAnalyze

Since there is no local scanner in the NetWare version of eTrust AV, and the options in this section all apply to operations that the local scanner can only perform on other platforms, this section of the file does not apply to NetWare.

Alert

Use the Alert options to set options for installing the alert notification system. Specify additional setup options in the instalrt.ini file located in the setup image.

[Alert]
Local=0
EventLog=0
Custom=0
Error=0
Information=0
Warning=0
NotOlderThan=30
QueueSize=10
Timeout=5
Forward=0
Host=

Option

Description

Local

Does not apply to NetWare

EventLog

Send notifications to the console of the local machine? 0 - No 1 - Yes

Custom

Send specific messages? 0 - No 1 - Yes

Error

Report all Error messages to alert? 0 - No 1 - Yes


Information

Report all Informational messages to alert? 0 - No 1 - Yes

Warning

Report all warning messages to alert? 0 - No 1 - Yes

NotOlderThan

Any record in the General Event Log older than the specified number of days is not reported.

QueueSize

The number of message records collected in the General Event Log before the information is reported as specified in the Report To options.

Timeout

The number of minutes before the information in the General Event Log is reported as specified in the Report To options.

Forward

Forward the notification to a specified Machine Name that has the CA antivirus software installed? 0 - No 1 - Yes

Host

Specify the name of a machine to which to forward the notification information

NameClient

Use the NameClient options to provide a list of IP addresses of servers approved to poll the installation machine.

[NameClient]
ServerList=127.0.0.1
BroadcastPort=42508
PollBroadcastPort=42508


ServerList

Contains a comma-separated list of IP addresses of the Admin Servers approved to poll the machine. If the poll came from an approved Admin Server, the machine is automatically added to the Admin Server's tree. Otherwise, the machine is added to the database only, so that you cannot apply policy to the machine without proper authentication.

PollBroadcastPort

The local port that receives polls from the Admin Server.

BroadcastPort

The local port that receives polling information from other machines in its subnet.

Miscellaneous

This category is for miscellaneous options.

[Miscellaneous]
StartServiceAfterSetup=1
StartServicesOnReboot=0

Option

Description

StartServiceAfterSetup

Do you want to start all services after Installation? 0 - No 1 - Yes

StartServicesOnReboot

Do you want to start all services at system startup? 0 - No 1 - Yes


EngineID

Use the EngineID option to specify which antivirus engines to install.

[EngineID]
dwEngIDs=3

Option

Description

dwEngIDs

Which engines would you like to install?
1 - InoculateIT Engine
2 - Vet Engine
3 - Both Engines

PurgeLog

Use the PurgeLog options to indicate how often to purge old logs and files from the machine.

[PurgeLog]
dwPurgeLogDays=7
dwPurgeMoveDirDays=0

Option

Description

dwPurgeLogDays

Number of days to save a log before purging

dwPurgeMoveDirDays

Number of days to save infected files in the Move directory before purging: 0 - Do not automatically purge files.

InstallComponent

NetWare uses the KeepOldSettingIfAny value option during installation. The default value is 1, which keeps the old configuration settings if there is a previous installation of eTrust AV. A value of 1 also causes settings from a previous installation of InoculateIT 4.x to be migrated (if applicable) to the new installation. A value of 0 results in a fresh installation of eTrust AV with no settings carried over from a previous installation.


NovellSpecific

This category is for Novell-specific options.

[NovellSpecific]
Keep4XInstall=yes
InstallArcAv=yes

Option

Description

Keep4XInstall

Use the Keep4XInstall option to preserve an InoculateIT 4.x installation. If this option is set to yes, the installation program does not remove the InoculateIT 4.x installation files. If this option is set to no, the installation program removes all InoculateIT 4.x installation files, with the exception of the Alert component.

InstallArcAv

Use the InstallArcAv option to install the ArcAV service. The valid values for this option are yes and no. If set to yes (the default), the service will be installed. If set to no, the service will not be installed and will be removed during a reinstall. Independent of this option, the ArcAV program (ArcAv.nlm) will be copied to the server so it can be installed (or removed) at a later time. The ArcAv service supports BrightStor ARCserve Backup for NetWare. ARCserve communicates with the ArcAV service when performing backups. ARCserve does not have to be installed on the same machine as ArcAV. If remote backups are performed on the server where ArcAV is running, then ArcAV is still used to support ARCserve.


Appendix F

The InoDist.ini File

Signature Update Options in the InoDist.ini File

The InoDist.ini file contains settings that specify how and when engine and signature updates are collected from a distribution source. Normally, you should use the Computer Associates antivirus software user interface to set signature update options. You can access them from the Scanner menu in the Local Scanner view, or from the Administrator's View. However, you can review the settings in the InoDist.ini file to troubleshoot problems you may be having or to quickly check the current settings for signature update in your environment. The InoDist.ini file is installed in the ScanEngine directory, and can be viewed or edited using a text editor.

[SOURCES]

The [SOURCES] section provides the names of the other sections in the InoDist.ini file that specify the connection for the signature download. There are three types of connection available from the user interface: FTP, UNC/Redistribution server, and Local Path. Refer to the Signature Source section below for more information about the options for each type of connection.

Warning: The numeric values in the source list must be consecutive. Do not change the numeric order or create gaps in the numeric sequence.


[SOURCES]
1=SourceA
2=SourceB
3=SourceC

Option

Description

1=SourceA

First source. For example, 1=UNC_0

2=SourceB

Second source. For example, 2=UNC_1

3=SourceC

Third source. For example, 3=FTP_0

Signature Source

For each signature source named in the [SOURCES] section of the InoDist.ini file, a specific section exists to describe all the information necessary to download from the remote site.

FTP

When FTP is indicated as the download method, the following options are available:

[SourceA]
Method=FTP
HostName=ftpav.ca.com
UserName=anonymous
UserPassword=Somebody@somecompany.com
FastConnection=0
ProxyName=
UpdatePath=/pub/inoculan/scaneng/

Option

Description

Method=FTP

Use FTP as the download method.

HostName=ftpav.ca.com

The host name address.

UserName=anonymous

The user name for the FTP connection.

UserPassword=Somebody@somecompany.com

The user password for the FTP connection.

FastConnection=0

Not currently in use, but should be set to zero.

ProxyName=

Connect to the internet through the proxy server indicated.

UpdatePath=/pub/inoculan/scaneng/

The update path.


UNC/Redistribution Server

When UNC is indicated as the download method, the following options are available:

[SourceB]
Method=UNC
Path=\\usprusd1\inoupd$
UserName=anonymous
UserPassword=Somebody@somecompany.com
RedistGui=1

Option

Description

Method=UNC

Use UNC as the download method

Path=\\redist\inoupd$

The UNC path.

UserName=anonymous

The UNC user name.

UserPassword=Somebody@somecompany.com

The user password.

RedistGui=1

1 = Display the connection information in the user interface.
0 = Do not display the connection information in the user interface.
UNC servers display the full path name. Redistribution servers only display the server name.

Local

When Local is indicated as the download method, the following options are available:

[SourceC]
Method=LOCAL
Path=c:\test

Option

Description

Method

Use the local server as the download method.

Path

The local path.


[GET]

You can use the [GET] section to identify which operating system platform and engine updates to download. If you set UpdateLocalSignatures=1 in the [POLICY] section, the [GET] section will be empty. You must set UpdateLocalSignatures=0 in the [POLICY] section for the [GET] section to be active.

[GET]
;1=SIG_1_3
;2=SIG_2_3
;3=SIG_1_4

Option

Operating System and Engine Updates

1=SIG_1_3

Windows 9x/Me and InoculateIT

2=SIG_2_3

Windows 9x/Me and VET

3=SIG_1_4

Windows NT/2000 (x86) and InoculateIT

[POLICY]

Use the [POLICY] options to identify actions to take during and after the signature download.

[POLICY]
UpdateLocalSignatures=1
SignatureHoldTime=0
MakeIncDownloading=1
IsDistributionServer=0

Option

Description

UpdateLocalSignatures=1

1 - Download the signature files required to update the local machine, and use them to update the local machine, regardless of whether they are listed in the [GET] section.
0 - Download only the files listed in the [GET] section; they are not used to update the local machine.

SignatureHoldTime=0

Specify the number of hours to hold new signatures before making them available for download to other machines on the network.


MakeIncDownloading=1

You can indicate that only files that have changed should be downloaded. This results in a smaller signature update file, known as an incremental download. An incremental download provides complete virus protection and may be faster than a full download.
1 - The download program determines whether a full update is necessary or an incremental update can be used.
0 - Perform a full download.

IsDistributionServer=0

1 - Maintain both full and incremental signature updates by downloading both and synchronizing them. If set to 1, this setting overrides the selection in MakeIncDownloading. Computer Associates recommends that all redistribution servers maintain both full and incremental update signatures.

[OSID]

The [OSID] options map platform names to the identifiers used to post items on the web site. The values specified in this section appear in the signature set item section, in the Siglist.txt file found on the server, and in the user interface through a Platform.ini file. Items in this section are set automatically, based on the list of currently supported platforms. Do not change the items in the [OSID] section.

[OSID]
Linux (Intel)=8
Sun Solaris=9
;Windows 3x/Netware=2
Windows 9x/ME=3
Windows NT/2000 (x86)=4

[ENGINEID]

The [ENGINEID] options map the engine names listed in the signature set to an ID value.

[ENGINEID]
INOCULATEIT=1
VET=2
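The sections above describe several cross-checks an administrator reviewing an InoDist.ini must make by hand: the [SOURCES] numbering must be consecutive, every listed source needs its own section with a valid Method and the keys that method requires, [GET] entries are ignored while UpdateLocalSignatures=1, and IsDistributionServer=1 overrides MakeIncDownloading. The following Python is an added example, not code from this guide or from CA, that performs those checks with the standard-library configparser (an assumption: the file is INI-like enough for it) and also flags a source that stores a non-anonymous password in plaintext, since the UserPassword key holds the credential as shown above. The sample file is constructed from the documented sections, with a deliberate numbering gap and a constructed credential.

```python
import configparser

# Constructed InoDist.ini assembled from the sections documented above.  The
# second source is deliberately numbered 3 instead of 2 so the gap check fires,
# and the UNC source carries a constructed non-anonymous credential.
SAMPLE_INODIST = r"""
[SOURCES]
1=FTP_0
3=UNC_0

[FTP_0]
Method=FTP
HostName=ftpav.ca.com
UserName=anonymous
UserPassword=Somebody@somecompany.com
FastConnection=0
ProxyName=
UpdatePath=/pub/inoculan/scaneng/

[UNC_0]
Method=UNC
Path=\\redist\inoupd$
UserName=svc_avupdate
UserPassword=constructed-example-secret
RedistGui=1

[GET]
1=SIG_1_4

[POLICY]
UpdateLocalSignatures=1
SignatureHoldTime=0
MakeIncDownloading=0
IsDistributionServer=1
"""

# Keys each download method needs, per the option tables above.
REQUIRED_KEYS = {
    "FTP": ("HostName", "UserName", "UpdatePath"),
    "UNC": ("Path",),
    "LOCAL": ("Path",),
}


def load_ini(text):
    """Parse INI text; keys keep their case, only '=' separates key and value."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_sources(cp):
    """Findings for [SOURCES] and the per-source sections it names."""
    findings = []
    if not cp.has_section("SOURCES"):
        return ["[SOURCES] section is missing"]
    numbers = sorted(int(k) for k in cp["SOURCES"] if k.isdigit())
    if numbers != list(range(1, len(numbers) + 1)):
        findings.append("[SOURCES] numbering must run 1, 2, 3, ... with no gaps")
    for key, name in cp["SOURCES"].items():
        if not cp.has_section(name):
            findings.append(f"source {key}={name} has no [{name}] section")
            continue
        src = cp[name]
        method = src.get("Method", "").upper()
        if method not in REQUIRED_KEYS:
            findings.append(f"[{name}] has unknown Method '{src.get('Method', '')}'")
            continue
        for req in REQUIRED_KEYS[method]:
            if not src.get(req, ""):
                findings.append(f"[{name}] ({method}) is missing {req}")
        # The credential is stored in clear text in this file, so a real account
        # here deserves a file-permission review and a least-privilege account.
        if (method in ("FTP", "UNC") and src.get("UserName", "").lower() != "anonymous"
                and src.get("UserPassword", "")):
            findings.append(f"[{name}] stores a non-anonymous password in plaintext")
    return findings


def check_policy(cp):
    """Findings for the [POLICY] and [GET] interactions described above."""
    findings = []
    policy = cp["POLICY"] if cp.has_section("POLICY") else {}
    get_entries = dict(cp["GET"]) if cp.has_section("GET") else {}
    if policy.get("UpdateLocalSignatures", "1") == "1" and get_entries:
        findings.append("[GET] entries are ignored while UpdateLocalSignatures=1")
    if policy.get("IsDistributionServer", "0") == "1" and policy.get("MakeIncDownloading", "1") == "0":
        findings.append("IsDistributionServer=1 overrides MakeIncDownloading=0: both full and incremental updates are kept")
    return findings


def check_inodist(text):
    """All findings for one InoDist.ini, as a list of strings."""
    cp = load_ini(text)
    return check_sources(cp) + check_policy(cp)


if __name__ == "__main__":
    for finding in check_inodist(SAMPLE_INODIST):
        print("-", finding)
```

Commented-out [GET] entries (the `;1=SIG_1_3` form shown above) are skipped by configparser, so a section that contains only commented entries is correctly treated as empty.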


Appendix G

ODBC Data Source Connection Setup

In order to use an ODBC data source with the eTrust Antivirus reporting database, you must connect your ODBC database to the eTrust Antivirus database through the InfoReports interface.

Setup Procedure

1. Select Start, Settings, Control Panel.

2. Select Administrative Tools.

3. Select Data Sources (ODBC).

4. Select the User DSN tab and click Add. Selecting the User DSN tab makes this data source accessible only by the current user. Select System DSN if you want all users to have access.

5. In the Create New Data Source window, select Driver do Microsoft dBase (*.dbf).


6. Click Finish.

7. Type a name in the Data Source Name field. This should be something descriptive, such as Antivirus Database.

8. Clear the Use Current Directory checkbox.

9. Click Select Directory…


10. Browse to the C:\Program Files\CA\eTrust Antivirus\DB\Tree directory.

11. Click OK.

12. Click OK in the ODBC dBase Setup window.

13. Click OK to close the ODBC Administrator window.

The ODBC connector is now set up. The Data Source Administrator can also be reached by running Start, Programs, Administrative Tools, Data Sources (ODBC).


CA InfoReports Installation

CA InfoReports is on the CD under the \bin\support\report directory. You will be prompted to install the InfoSuite and the Admin server. Click OK to both. Select the pieces you want to install. You must install InfoReports at a minimum. You can install InfoReports Administrator, Sample Reports and On-Line Documentation if you desire. Reporting is easier if you copy the sample reports to the InfoReports working directory so you don't have to browse for them. When you open a sample report to create a report, remember to select your new DSN as the data source. Select File/Print Preview to see the report.


Appendix H

Installing and Using eTrust Antivirus Scanner for a NetApp Filer

This appendix explains how to install and use the eTrust Antivirus Network Appliance Filer Scanner with a filer from Network Appliance™ (NetApp®).

Introduction

The eTrust Antivirus Network Appliance Filer Scanner integrates with a NetApp filer and protects your data in real time from viruses. The virus scanner can automatically clean, delete, or quarantine infected files. The following diagram shows how the scanner works with the NetApp filer.


Scanning Process

The process works like this: The filer detects when a client attempts to access a file that has not been scanned for viruses. The filer does this by checking its cache, where it stores the names of scanned files. If the file name is not in the cache (and the file's extension is configured for scanning), it notifies the scanner and provides it with a path to the file. The scanner then opens a connection to the file, scans it for known viruses, and reports the results to the filer. (If possible, the scanner cleans an infected file.) Finally, the filer permits the client to access the file if it does not have a virus.

The scanner supports ONTAP™ 6.2 and higher, which supports more than one antivirus scanner per filer. Therefore, you can add multiple scanners to one filer and increase scalability and performance. Increasing the number of scanners registered to a filer decreases the load on each scanner, because file requests are distributed evenly among the scanners to balance the load.

Controlling the Process

When you enable the Data ONTAP virus-scanning process on the filer, the virus-scanning application directs the filer to send file scanning requests, and it watches for the requests. Whenever the types of files you specify are opened or changed on the filer, Data ONTAP sends the scanner a request to scan the file. The Data ONTAP process can scan multiple filers from a single PC client if your virus-scanning application is configured to do so. You can configure the application with options on the eTrust Antivirus Realtime Monitor. The virus-scanning application automatically determines the Realtime Monitor settings during startup (or as they are changed). As it monitors the filer, it uses these settings to scan for infections whenever a file is executed, accessed, or opened. Authorized administrators can set policies for options from the administrator view of the Realtime Monitor.


Installation Information

To install the eTrust Antivirus Network Appliance Filer Scanner, perform the following pre-installation tasks:

■ Ensure the filer is running Data ONTAP™ 6.2, or above, and is scanning for viruses.
■ Ensure the scanner machine and the filer are members of the same domain.

Then, insert the product CD into the CD-ROM drive and follow the instructions. (If the product explorer does not start automatically, select Start, Run on the Windows task bar. Then browse to the Setup.exe file and run it.) During the installation, the wizard requests a domain administrator account. Specify an account with backup operator privileges on the filer and administrative privileges on the local computer.

Note: The installation wizard tries to start the scanner service during the installation. If the account does not have domain administrator privileges, the installation fails.


Also, the wizard requests filer information to register the filer with the scanner. Only specify one filer during this installation. You can add more filers later with the console.


Managing the Scanner

This section describes how to control the scanner and its antivirus settings. A Microsoft Management Console (MMC) snap-in controls the scanner. You can use the MMC to configure which filers are registered to scanners and to manage the scanners remotely.

Adding Another Filer to a Scanner

The installation wizard allowed you to configure one filer with a scanner. To add another filer to a scanner (register a filer with a scanner), use the following procedure.

1. From the product program folder, launch Scanner Management (MMC snap-in). The console window opens.

2. In the left pane, expand Console Root, eTrust Antivirus NetApp Scanner. The AV Machines node appears.


3. Select AV Machines. The list of managed scanner machines appears in the right pane. If your machine is not in the list, perform these actions to add the machine to the MMC: (a) right-click the AV Machines node and (b) select Administrator AV Machine. You can also add a remote scanner this way as long as the local machine has the required privileges.

4. Double-click the machine. The Properties dialog appears.

5. Use the Add button to add more filers to scan.


Viewing Scanner Statistics

To view scanner statistics, use the following procedure.

1. Perform Steps 1 through 4 of the previous procedure.

2. On the Properties dialog, select the Statistics tab.

Changing Antivirus Settings With the Realtime Monitor

The following tabs and their options enable you to specify Realtime Monitor settings. Changing the Realtime Monitor settings for eTrust Antivirus on the local machine also changes the settings for the scanner. Not all of the Realtime Monitor options are available to the scanner. The following sections explain some of the options and show on the dialogs which options are not available to the scanner (labeled Not Applicable).


Scan Tab

These Scan tab settings do not apply to the scanner, as shown in the following dialog:

■ Direction
■ Boot Sector Actions


Cure File Action

The System Cure setting does not apply to the scanner. (Click the File Options button on the Scan tab to access the following Cure Action Options dialog.)

Note: If you select Move File or Copy File on the following dialog, you can no longer use the eTrust Antivirus GUI to manage infected files. (To manage these files, see the section in this chapter, "Managing Custom Move and Copy Directories.")


Selection Tab

The scanner scans all files submitted by the filer. You can control the scanning of compressed files and which files to scan from this tab. (Select Scan Compressed Files and click Options or Choose Type.) Do this in the same way as when using eTrust Antivirus. The Regular Files setting in the following dialog does not apply to the scanner.


Filters Tab

The Filters setting does not apply to the scanner, as shown in the following dialog.


Advanced Tab

The Advanced setting does not apply to the scanner, as shown in the following dialog.


Quarantine Tab

The Quarantine setting does not apply to the scanner, as shown in the following dialog.


Statistics Tab

The Statistics settings are shared between the scanner and the local realtime settings of eTrust Antivirus running on the machine.

Managing Custom Move and Copy Directories

The installation process creates the following registry values and sets these values to the location of the eTrust Antivirus Move directory. HKLM = HKEY_LOCAL_MACHINE.

HKLM\SOFTWARE\ComputerAssociates\eTrust Antivirus NetApp Scanner

■ CopyDir
■ MoveDir


Moving Infected Files to the Filer

On the Cure Action Options dialog, if you specify Move File or Copy File, then the scanner, by default, moves infected files from the filer to the eTrust Antivirus Move directory on the local scanner machine (usually: Program Files\CA\eTrust Antivirus\Move). You can change this setting. To move infected files to the filer instead of the scanner, use Regedit to manually change the registry configuration values on the scanner machine. The new values override the Move and Copy directories of the Realtime Monitor. Directories must not have a trailing backslash and can point to local drives or mapped drives, or be specified as universal naming convention (UNC) paths. For example:

HKLM\SOFTWARE\ComputerAssociates\eTrust Antivirus NetApp Scanner\MoveDir=\\f760\vol1\move

Managing Files in a Custom Move Directory

Once you specify a custom Move directory, you cannot use the eTrust Antivirus GUI to manage its files. Instead, use the RestMove command line utility. It is in the installation directory of the scanner machine and has these characteristics:

■ Displays original file names and their infections
■ Supports standard DOS wildcards: * and ?

To display information about all files in the Move directory, enter the following command, pointing to the moved files, and specify the -i switch:

RestMove \\f760\vol1\move\*.* -i

Example result:

\\f760\vol1\move\31ed8c4e-b930-45f0-8c1e-35e1d3570cd6
Original file name: \\F760\VSCAN_ADMIN$\vol\vol1\sabra01\eicar2.com
Infection name: EICAR test file
Detected by engine 23.61.00, signature 23.61.50 on 6/16/2003, 1:06:11 PM

To restore the files to their original location, enter the RestMove command and do not use the -i switch. You can provide single paths for both the MoveDir and the CopyDir because the values are stored in single registry keys. Therefore, a scanner serving multiple filers can store moved and copied files in different locations.

Installing and Using eTrust Antivirus Scanner for a NetApp Filer


Viewing the Virus Detection Log

The scanner adds an entry to the Realtime Log database whenever it receives a file request for a file with a virus. The scanner also sends a message to the filer’s system console that notifies the filer administrator of the virus infection. To view the Realtime Log, open the Log Viewer and select Realtime Scanner.


Managing the Scanner Remotely

To manage scanner antivirus settings remotely with the Administrator's View (like other eTrust Antivirus options), perform the following procedure.

1. Cause the admin server to discover all of the scanners.

2. Put the scanners into a group.

Note: Be careful when choosing settings, because the software applies the settings to both the eTrust Antivirus engine and the scanner running on the machine, and some of the realtime settings do not fit both.

3. Set realtime antivirus settings for the group.

4. Push the policy to the selected filer’s scanner.


Managing the Filer

This section provides procedures to manage the filer and its environment. Common Internet File System (CIFS) virus protection is a feature of the filer's OS, Data ONTAP, which gives CIFS clients on-access virus scanning of files on a filer. On-access virus scanning is the scanning of a file before a CIFS client is allowed to open it. See the Antivirus Scanning Best Practices Guide from NetApp for more information about the filer.

Enabling and Disabling Virus Scanning

To enable and disable virus scanning, enter the following command:

vscan on [-f][on|off]

-f forces virus scanning to be enabled even if no virus scanning clients are available to scan files.

Note: Turning on virus scanning when no clients are available to scan files prevents CIFS clients from accessing filer files.

Specifying File Extensions to Scan Using vscan

A default list of file extensions is available when you enable vscan. Up to 255 file extensions can exist in the file extensions list.

Note: The extension list on the filer is processed before the extension list on the scanner machine that you establish through realtime configuration. For example, if *.vbs is not configured on the filer for scanning, VBS files do not pass to the scanner. Therefore, even if VBS files are configured for scanning on the scanner, they do not reach the scanner for processing. Also, if an extension is in the extension list on the filer but not specified in the realtime configuration option, the filer passes the corresponding files to the scanner, but the scanner ignores these scan requests. To control which files to scan, enter the following commands to change the default list of file type extensions.

To display the default list of file type extensions for the filer to scan, enter the following command:

vscan extensions


To add to the default list of file type extensions for the filer to scan, enter the following command:

vscan extensions add ext[,ext...]

where ext is the extension to add. Example: vscan extensions add txt

To replace the default list of file type extensions with a new list, enter the following command:

vscan extensions set ext[,ext...]

where ext is the extension to set.

To remove file types from the default list of file type extensions, enter the following command:

vscan extensions remove ext[,ext...]

where ext is the extension to remove.

To reset the file type extensions list to the default list, enter the following command:

vscan extensions reset


Specifying Shares to Scan Using cifs

You can turn scanning on or off for shares that you specify, either for any access or for read-only access.

Turning Scanning Off for Files in a Share

The default state of a share is for virus scanning to be turned on. You can turn virus scanning off for files in a share. Some reasons to do this are: (1) when the users are restricted to trusted users, (2) the files are restricted to read-only mode, or (3) speed of access is more important than safety. To turn virus scanning off for files in a specified share, enter the following command:

cifs shares -change share_name -novscan

where share_name is the name of the share for which you want to turn off virus scanning.

Result: The virus-scanning application does not perform a virus scan when clients open files on this share. The setting is persistent after rebooting.

Turning Scanning Off for Read-Only Access in a Share

You can turn virus scanning off in a share for users who open files for read-only access to increase the speed of file access. The default state of a share is for virus scanning to be turned on. To turn virus scanning off for read-only access to files in a specified share, enter the following command:

cifs shares -change share_name -novscanread

where share_name is the name of the share for which you want to turn off virus scanning.

Result: The virus-scanning application does not perform a virus scan when clients open files on this share for read access. The setting is persistent after rebooting.


Turning Scanning On for Read-Only Access in a Share

To turn virus scanning on for read-only access to files in a specified share, enter the following command:

cifs shares -change share_name -vscanread

where share_name is the name of the share for which you want to turn on virus scanning.

Result: The virus-scanning application does a virus scan when clients open files on this share for read access. The setting is persistent after rebooting.

Adding a Share With Scanning Off

You can create a share with virus scanning turned off. The default state of a share is for virus scanning to be turned on. To add a share that has virus scanning turned off, enter the following command:

cifs shares -add share_name /path -novscan

where share_name is the name of the share that you want to create with virus scanning turned off, and where path specifies where you want the share created.

Result: Data ONTAP creates a share with virus scanning turned off.
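The share flags in this section and the extension-list precedence described under Specifying File Extensions to Scan Using vscan combine into one decision path for every CIFS file open. As an added example that is not part of the guide, the following Python models that path (vscan on/off, -novscan, -novscanread, the filer's extension list, then the scanner's realtime list) and reports the two kinds of list mismatch the troubleshooting table refers to; the share names, file names and extension lists are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample: one filer's vscan state, share flags and extension list, and the
# extension list set in the scanner's realtime configuration. Names are invented here.
@dataclass
class FilerConfig:
    vscan_on: bool
    extensions: set[str]                                         # "vscan extensions" list
    shares_novscan: set[str] = field(default_factory=set)       # cifs shares -change X -novscan
    shares_novscanread: set[str] = field(default_factory=set)   # cifs shares -change X -novscanread


def extension_of(filename: str) -> str:
    """Extension without the dot, lower-cased, as the vscan list stores it ("" if none)."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def filer_forwards(cfg: FilerConfig, share: str, filename: str, read_only: bool) -> tuple[bool, str]:
    """Apply the filer-side checks, which run before the scanner ever sees the file."""
    if not cfg.vscan_on:
        return False, "vscan is off on the filer"
    if share in cfg.shares_novscan:
        return False, f"share {share!r} has -novscan"
    if read_only and share in cfg.shares_novscanread:
        return False, f"share {share!r} has -novscanread and the open is read-only"
    if extension_of(filename) not in cfg.extensions:
        return False, f"extension {extension_of(filename)!r} is not in the filer's list"
    return True, "forwarded to the scanner"


def is_scanned(cfg: FilerConfig, scanner_extensions: set[str], share: str,
               filename: str, read_only: bool) -> tuple[bool, str]:
    """Full pipeline: the filer filters first, then the scanner's realtime list."""
    forwarded, reason = filer_forwards(cfg, share, filename, read_only)
    if not forwarded:
        return False, reason
    if extension_of(filename) not in scanner_extensions:
        return False, "scanner ignores the request: extension not in realtime configuration"
    return True, "scanned"


def reconcile(filer_extensions: set[str], scanner_extensions: set[str]) -> dict:
    """List both kinds of mismatch and the filer command that closes the first one."""
    never_forwarded = scanner_extensions - filer_extensions  # scanner wants them, filer drops them
    ignored = filer_extensions - scanner_extensions          # filer forwards them, scanner ignores them
    command = ("vscan extensions add " + ",".join(sorted(never_forwarded))) if never_forwarded else None
    return {"never_forwarded": never_forwarded, "ignored_by_scanner": ignored, "filer_command": command}


if __name__ == "__main__":
    filer = FilerConfig(True, {"exe", "com", "doc"}, shares_novscan={"public"}, shares_novscanread={"archive"})
    scanner = {"exe", "com", "vbs"}
    for share, name, ro in (("home", "eicar2.com", False), ("home", "macro.vbs", False),
                            ("archive", "setup.exe", True), ("public", "setup.exe", False)):
        print(share, name, "read-only" if ro else "read-write", "->", is_scanned(filer, scanner, share, name, ro))
    print(reconcile(filer.extensions, scanner))
```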


Troubleshooting

Problems often occur because of conflicting configuration settings between the NetApp filer and the Realtime Monitor. The following table presents a description of some problems with possible causes and solutions.

Problem: Installation fails
Possible cause: Domain account for the scan service to use as logon account is invalid
Possible solution: Run install and specify a valid domain logon account for the service

Problem: Filer Admin: Filer does not scan files; MMC shows a constant count value of scanned files
Possible cause: Scanning of respective share is not activated
Possible solution: vscan on
cifs shares -change share_name -vscanread
Possible cause: Filer excludes file type in list of files to scan
Possible solution: vscan extensions add ext[,ext...]

Problem: CIFS/SMB client can access virus infected files from the filer
Possible cause: Filer has file type in list of files to scan, but scanner excludes file type in its list of files to scan
Possible solution: Synchronize file selection lists of filer and scanner
Possible cause: Scanning of respective share is not activated on filer
Possible solution: vscan on
cifs shares -change share_name -vscanread
Possible cause: Filer instructed to ignore scanning result
Possible solution: vscan options mandatory_scan [on|off]

Problem: AV Scanner Admin: Cannot start service
Possible cause: Permissions (access rights) not correctly set
Possible solution: Check that filer and scanner are in the same NT domain. Check that the privileges of the user starting the service are correct (must be in Backup Services Group).

Problem: AV Scanner Admin: Started service cannot synchronize with filer
Possible cause: Filer has an existing session connection that was not correctly disconnected
Possible solution: Stop active session on filer: vscan scanners stop scanner_IP


Appendix I

Unattended Installation of eTrust Antivirus

You can install eTrust Antivirus in a way that requires no interaction or response on your part. This process is called unattended installation. This appendix contains information on how to perform unattended installation of eTrust Antivirus.

Viewing the Unattended Installation File

To perform unattended installation of eTrust Antivirus, run the command for your particular operating system contained in the UnattendedInstall.html file located in the eAV v7.1\Doc\html directory on your product CD. This file contains commands to perform unattended installation for eTrust Antivirus 7.1 running on the following products or operating systems:

■ Windows

■ UNIX/Linux

■ NetWare

■ OS X

■ Scanner for NetApp Filer

