Home » Symantec Manuals » Computer Software » Symantec 10551441 » Manual Viewer

Symantec 10551441 Administration Guide - Page 174

Defining Symantec AntiVirus actions for handling suspicious files

UPC - 037648270472

Add to My Manuals
Save this manual to your list of manuals

Page 174 highlights

174 Responding to virus outbreaks Preparing for a virus outbreak Defining Symantec AntiVirus actions for handling suspicious files By default, Symantec AntiVirus performs the following actions when it identifies a suspicious file: ■ Symantec AntiVirus attempts to repair the file. ■ If the file cannot be repaired with the current set of virus definitions files, the infected file is moved to the Quarantine on the local computer. In addition, the Symantec AntiVirus client makes a log entry of the threat event in its log. The Symantec AntiVirus client data is forwarded to a primary server. You can view log data from the Symantec System Center console. You can perform the following additional actions to complete your virus handling strategy: ■ Define different repair actions based on virus type. For example, you can have Symantec AntiVirus automatically fix macro viruses, but ask what action to take when a program file virus is detected. ■ Assign a backup action for files that Symantec AntiVirus cannot repair, such as deleting the infected file. ■ Receive virus alerts, such as a page or email message, if you are using AMS2. ■ Configure the local Quarantine to forward infected files to the Central Quarantine. You can configure the Central Quarantine to attempt a repair based on its set of virus definitions files (which may be more up-to-date than the definitions on the local computer), or automatically forward samples of infected files to Symantec Security Response for analysis. See "About the Alert Management System" on page 61. For more information, see the Symantec Central Quarantine Administrator's Guide. Automatically purging suspicious files from local Quarantines When Symantec AntiVirus scans a suspicious file, it places the file in the local Quarantine folder on the affected computer. The Quarantine purge feature automatically deletes files in the Quarantine that exceed a specified age. Registry settings for Quarantine purge are located in this registry key: \\HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\ CurrentVersion\Quarantine

Section	Page
Symantec AntiVirus™ Corporate Edition Administrator’s Guide	1
Contents	5
Section 1. Managing Symantec AntiVirus	11
1. Managing Symantec AntiVirus	13
About managing Symantec AntiVirus	13
Managing with the Symantec System Center	14
Using console views	15
Saving console settings	16
Understanding Symantec System Center icons	17
Discovering computers and refreshing the console	19
Auditing computers	31
About clients and servers	37
About primary servers	37
About secondary servers	38
About parent servers	38
About server and client groups	38
Deciding whether to manage with server groups and/or client groups	39
Server and client group scenario	40
Managing with server groups	41
Creating server groups	41
Locking and unlocking server groups	42
Working with server group passwords	43
Renaming server groups	45
Selecting a primary server for a server group	45
Changing primary and parent servers	46
Moving a server to a different server group	46
Viewing server groups	47
Deleting server groups	48
Enhancing server group security	48
How the access list works	48
Implementing enhanced server group security	49
Managing with client groups	53
Creating new client groups	53
Adding clients to a client group	53
Configuring settings and running tasks at the client group level	54
Finding client group settings	54
Moving clients in client groups	54
Viewing client groups	54
Filtering the client group view	56
Renaming client groups	57
Deleting client groups	57
Configuring clients directly	58
Changing an unmanaged client into a managed client (and the reverse)	58
How settings propagate	59
New Grc.dat files overwrite old Grc.dat files	60
2. Setting up the Alert Management System	61
About the Alert Management System	61
How Alert Management System works	62
Configuring alert actions	63
Alert configuration tasks	63
Configuring alert action messages	64
Speeding up alert configuration	66
Configuring the Message Box alert action	68
Configuring the Broadcast alert action	69
Configuring the Run Program alert action	69
Configuring the Load An NLM alert action	70
Configuring the Send Internet Mail alert action	71
Configuring the Send Page alert action	72
Configuring the Send SNMP Trap alert action	74
Configuring the Write To Event Log alert action	77
Working with configured alerts	77
Testing configured alert actions	78
Deleting an alert action from an alert	78
Exporting alert actions to other computers	78
Using the Alert Management System Alert Log	80
Viewing detailed alert information	82
Filtering the Alert Log display list	83
Forwarding alerts from unmanaged clients	84
Section 2. Configuring Symantec AntiVirus	87
3. Scanning for viruses and other threats	89
About threats	89
About scans in Symantec AntiVirus	91
Understanding Auto-Protect scans	92
Understanding scheduled scans	92
Understanding manual scans	92
Selecting computers to scan	93
Configuring Auto-Protect scans	96
Configuring Auto-Protect for files	96
Configuring Auto-Protect email scanning for groupware applications	105
Configuring Auto-Protect scanning for Internet email	106
How to specify exclusions	108
Configuring Auto-Protect settings	109
How to lock and unlock Auto-Protect options	110
Configuring manual scans	110
How to specify exclusions	113
Deleting files and folders that are left on computers by threats	113
Configuring scheduled scans	113
Scheduling scans for server groups or individual Symantec AntiVirus servers	114
Scheduling scans for Symantec AntiVirus clients	116
Setting options for missed scheduled scans	119
Editing, deleting, or disabling a scheduled scan	119
Running a scheduled scan on demand	120
Deleting files and folders that are left on computers by threats	121
Handling Symantec AntiVirus clients with intermittent connectivity	121
Configuring scan options	123
How to assign primary actions and secondary actions for detected viruses	123
How to assign primary actions and secondary actions for other detected threats	124
Controlling the user experience	125
Scanning for in-memory threats	132
Excluding files from scanning	132
Selecting file types and extensions to scan for viruses	134
Enabling expanded threat categories	139
Setting options for scanning compressed files	141
Configuring HSM settings	141
Setting CPU utilization	144
4. Updating virus definitions files	145
About virus definitions files	145
Virus definitions files update methods	146
Best practice: Using the Virus Definition Transport Method and LiveUpdate together	147
Best practice: Using Continuous LiveUpdate on 64-bit computers	147
Updating virus definitions files on Symantec AntiVirus servers	148
Updating and configuring Symantec AntiVirus servers using the Virus Definition Transport Method	148
Updating servers using LiveUpdate	154
Updating servers with Intelligent Updater	157
Updating servers using Central Quarantine polling	157
Minimizing network traffic and handling missed updates	158
Updating virus definitions files on Symantec AntiVirus clients	160
Updating virus definitions files on Symantec AntiVirus clients immediately	162
Configuring managed clients to use an internal LiveUpdate server	163
Enabling and configuring Continuous LiveUpdate for managed clients	164
Setting LiveUpdate usage policies	165
Controlling virus definitions files	166
Verifying the version number of virus definitions files	167
Viewing the threat list	167
Rolling back virus definitions files	167
Testing virus definitions files	168
Update scenarios	169
About scanning after updating virus definitions files	169
5. Responding to virus outbreaks	171
About responding to virus outbreaks	171
Preparing for a virus outbreak	172
Creating a virus outbreak plan	172
Defining Symantec AntiVirus actions for handling suspicious files	174
Automatically purging suspicious files from local Quarantines	174
Handling a virus outbreak on your network	175
Using virus alerts and messages	176
Running a virus sweep	176
Tracking virus alerts using Event Logs and Histories	177
Tracking submissions to Symantec Security Response with Central Quarantine Console	177
6. Managing roaming clients	179
About roaming clients	179
Roaming client components	180
How roaming works	181
Implementing roaming	181
Analyzing and mapping your Symantec AntiVirus network	182
Identifying servers for each hierarchical level	183
Creating a list of 0 level Symantec AntiVirus servers	183
Creating a hierarchical list of Symantec AntiVirus servers	184
Configuring roaming client support options from the Symantec System Center console	184
Configuring additional roaming client support for roam servers	187
Configuring additional server types for roaming clients	189
Command-line options	189
Registry values	191
7. Working with Histories and Event Logs	193
About Histories and Event Logs	193
Sorting and filtering History and Event Log data	194
Viewing Histories	197
Working with Threat Histories	198
Working with Scan Histories	200
Understanding Event Log icons	202
Forwarding client logs to parent servers	203
Configuring log forwarding options	203
Configuring log events to forward	204
Best practice: Configuring events to forward for sometimes managed clients	206
Reviewing the forwarding status file	207
Deleting Histories and Event Logs	207

Match case Limit results 1 per page

174

Responding to virus outbreaks

Preparing for a virus outbreak

Defining Symantec AntiVirus actions for handling suspicious files

By default, Symantec AntiVirus performs the following actions when it

identifies a suspicious file:

■

Symantec AntiVirus attempts to repair the file.

■

If the file cannot be repaired with the current set of virus definitions files,

the infected file is moved to the Quarantine on the local computer. In

addition, the Symantec AntiVirus client makes a log entry of the threat

event in its log. The Symantec AntiVirus client data is forwarded to a

primary server. You can view log data from the Symantec System Center

console.

You can perform the following additional actions to complete your virus

handling strategy:

■

Define different repair actions based on virus type. For example, you can

have Symantec AntiVirus automatically fix macro viruses, but ask what

action to take when a program file virus is detected.

■

Assign a backup action for files that Symantec AntiVirus cannot repair, such

as deleting the infected file.

■

Receive virus alerts, such as a page or email message, if you are using AMS

■

Configure the local Quarantine to forward infected files to the Central

Quarantine. You can configure the Central Quarantine to attempt a repair

based on its set of virus definitions files (which may be more up-to-date than

the definitions on the local computer), or automatically forward samples of

infected files to Symantec Security Response for analysis.

See

“About the Alert Management System”

on page 61.

For more information, see the

Symantec Central Quarantine Administrator’s

Guide

Automatically purging suspicious files from local Quarantines

When Symantec AntiVirus scans a suspicious file, it places the file in the local

Quarantine folder on the affected computer. The Quarantine purge feature

automatically deletes files in the Quarantine that exceed a specified age.

Registry settings for Quarantine purge are located in this registry key:

\\HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\

CurrentVersion\Quarantine