Windows 2000 Domain Controllers & Symantec AntiVirus Corporate Edition
Here are the procedures and settings recommended by Virginia Tech's Microsoft Implementation Group (MIG) (http://vtmig.w2k.vt.edu) for installing Symantec AntiVirus on Windows 2000 Domain Controllers (DCs), especially DCs that are part of Virginia Tech's centralized Active Directory (Hokies) (http://www.computing.vt.edu/infrastructure_services/hokies_domain/). The procedure outlined below includes installing Symantec AntiVirus Corporate Edition (SAVCE), installing the latest version of Symantec LiveUpdate (LUD), and using the unsupported Symantec ConfigEd utility to generate a SAVCE settings file (grc.dat) that can be manually applied on each DC to be protected. The ConfigEd and grc.dat method is necessary to schedule a virus scan that runs independently of user logon status. The ConfigEd utility does not install itself; it is an interactive standalone GUI (graphical user interface) application used to generate the settings file. Grc.dat is the text output of the ConfigEd utility.
Caution: This information is intended for Domain Administrators only and contains advanced configuration methods. Back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified in the instructions. If you need assistance, contact 4Help by using the Help Request Form or by calling (540) 231-HELP (4357).
Goals of Recommended Procedures and Settings
Here are the goals for antivirus protection for Windows 2000 Domain Controllers that shaped the tools and procedures defined in this document:
- No continuous listening network ports
- Daily LUD
- Daily scheduled scans regardless of whether or not a person is logged into the console
- Notification to Windows event logs of threats found
- Threats reported only and not contained or stopped by SAVCE
Limitations of These Procedures
Here are descriptions of features that impede a simple solution to the goals outlined above:
Terminal Services
The SAVCE GUI does not work well over Terminal Services, in two ways:
- The SAVCE system tray icon does not show up when the service is running.
- The SAVCE GUI is sometimes out of sync with the console's GUI.
Therefore, console access is recommended for controlling SAVCE with the GUI.
Scheduled Scans
Scheduled scans programmed in the SAVCE GUI will only run when a person is logged on because their information is stored in the "HKEY_CURRENT_USER" portion of the registry.
Therefore, you must schedule an Administrative Scheduled Scan that runs when no one is logged onto the computer. Its information is stored in the "HKEY_LOCAL_MACHINE" portion of the registry.
ConfigEd and grc.dat Method
The ConfigEd and grc.dat method works well, but may require some manual configuration. For instructions, see Manually Adding, Editing, or Removing Scheduled Symantec AntiVirus 9.0.3 Administrative Scans on Windows 2000 Domain Controllers (http://answers.vt.edu/kb/entry/2799/).
Installing & Performing Advanced SAVCE Configuration
ConfigEd Component Availability
ConfigEd is an unsupported, non-installing tool available on the SAVCE CD-ROM in the \Tools\Nosuprt\ConfigEd folder. For information about obtaining a copy of this CD, go to the Software Distribution (https://www.ita.vt.edu) site.
Installation and Configuration Process
To install and configure SAVCE for your domain controllers, here is a general roadmap for what you need to do, along with links to specific instructions:
Symantec AntiVirus and Change Management
If you have a CMS (Change Management System) implemented on your DCs, contact MIG for some extended tips on quieting changes that may occur because of Symantec AntiVirus. For contact information, go to the Staff section on the Virginia Tech Microsoft Implementation Group (VTMIG) site.