Supporting Symantec Norton Antivirus 2005 Student Guide
Supporting Symantec Norton AntiVirus 2005 July 16, 2004
Copyright Notice Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder/s. Copyright © 2003 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014. Authorized Symantec courseware materials contain a yellow Symantec watermark on the front side of each page. Use of unauthorized courseware materials is strictly prohibited and should be reported to Symantec Corporation immediately.
Trademarks Symantec, the Symantec logo, Intruder Alert, NetProwler, Raptor, VelociRaptor, Symantec Desktop Firewall, Symantec Enterprise VPN, Symantec Enterprise Firewall, Symantec Ghost, Symantec pcAnywhere, RaptorMobile, NetRecon, Enterprise Security Manager, NAV, Norton AntiVirus, Symantec System Center, Symantec Web Security, Mail-Gear and I-Gear are trademarks of Symantec Corporation. Windows is a registered trademark of Microsoft Corporation. Pentium is a registered trademark of Intel Corporation. Other product names mentioned in this manual may be trademarks of their respective companies and are hereby acknowledged. Printed in the United States of America. 10987654321
Preface

Course Overview

Course description
This is a training program to support the latest release of Norton AntiVirus. It is estimated that this training will be a 1-day instructor-led hands-on program designed for the global technical support organizations. The Norton AntiVirus 2005 course is divided into eight sections. The instructor's lecture is followed by lab exercises in which students apply knowledge gained throughout the course.
Intended audience This course is intended for those that have responsibility for supporting, installing, and configuring Norton AntiVirus.
Course prerequisites
It is assumed that the following prerequisites have been met:
■ Working knowledge of Microsoft Windows operating systems
■ Working knowledge of computer security practices and software
■ Students have read the Norton AntiVirus 2005 User's Guide
Course objectives
After you complete this course, you will be able to do the following:
■ Install Norton AntiVirus 2005
■ Troubleshoot installation of NAV 2005
■ Identify the components of NAV 2005
■ Configure the new features of NAV 2005
■ Understand techniques for troubleshooting NAV 2005 issues
■ Monitor NAV activities via the reporting section
■ Understand the install-over matrix for NAV 2005
■ Update NAV using LiveUpdate
■ Configure the side effects engine
■ Use and configure Internet Worm Protection
■ Configure SymProtect
■ Understand UI refresh options
Conventions
This guide uses the typographical conventions shown in the following table:

Convention: Bold text
Purpose: Names of buttons, dialog box options, dialog box names, menu names and options, keys, field names and field entries.
Example: On the Tools menu, click Options. The Options dialog box appears. In the Name field, type JSmith.

Convention: Italicized text
Purpose: Cross-references to other sections or documents, emphasized text, a directory path or file name, or the first use of a glossary term.
Example: The user must type the group's name. \Windows\Program Files

Convention: Keys connected by the plus sign
Purpose: Keys pressed simultaneously.
Example: Ctrl+Alt+Delete

Convention: Keys not connected by the plus sign
Purpose: Keys pressed sequentially.
Example: Esc 0 2 7

Convention: Monospaced bold font
Purpose: Text typed at the command line.
Example: ping 10.0.0.1

Convention: Monospaced font
Purpose: Text displayed at the command line.
Example: Reply from 10.0.0.1 Bytes=32 time=1ms

Convention: Monospaced italicized font
Purpose: Variable text typed at the command line.
Example: ping ip_address
Unit 1
Introduction

Overview

Description
Norton AntiVirus 2005 (code name Hannibal) is the 11th version of Norton AntiVirus.
Objectives
After you complete this unit, you will be able to do the following:
■ Understand the units of this document
■ Understand the focus of this document
Security Threats
Norton AntiVirus 2005 addresses threats from viruses, worms, and Trojan horse programs. In addition, it protects against expanded threats such as spyware, hacker tools, and adware. New to Norton AntiVirus 2005 is Internet Worm Protection, a modified firewall that offers intrusion detection, port blocking, and Trojan horse traffic detection. Table 1 lists the security threats addressed by Norton AntiVirus 2005 and the product modules that deal with them.
Table 1: Security Threats

Threat                   Product Module
Viruses                  AutoProtect, Manual Scans
Hacktools                AutoProtect, Manual Scans
Trackware                AutoProtect, Manual Scans
Dialers                  AutoProtect, Manual Scans
Remote Access Programs   AutoProtect, Manual Scans
Adware                   AutoProtect, Manual Scans, Internet Worm Protection
Joke Programs            AutoProtect, Manual Scans
About This Course
Symantec product training manuals have historically been very in-depth, inclusive documents that are good reference material. This document breaks from that tradition somewhat. This course focuses on the "nuts and bolts" of Norton AntiVirus 2005: the files that make up the components, their dependencies, their interactions, and so on. The focus is also on troubleshooting the product from a technician's point of view. The course includes several labs designed to promote troubleshooting skills. Each lab includes a file that, when opened, causes indeterminate problems on the target computer; the student must then rely on the knowledge and logic gained from this course to troubleshoot the issue.
What is New to Norton AntiVirus 2005
Norton AntiVirus has new features and components that address outstanding issues. Below is a list of new items:
■ Internet Worm Protection
■ Symantec Process Protection (SymProtect)
■ User Interface Improvements
■ New icon and tray icon
■ Generic Side Effects Repair
■ Virus Definition Authentication
More information regarding these features is included later in the course.
Unit 2
Supporting Norton AntiVirus Installation

Overview

Description
Installation issues represent the largest single group of support issues for Norton AntiVirus. This unit gives you insight into Norton AntiVirus 2005 and the issues surrounding its installation.
Objectives
After you complete this unit, you will be able to do the following:
■ Understand system requirements for installation
■ Describe the installation options for Norton AntiVirus
■ Locate key installed file locations and registry keys
■ Detail the order of component installation
■ Discuss the installation technologies used in Norton AntiVirus
■ Understand the difference between installation and configuration issues
■ Know the logic behind troubleshooting installation issues
■ Troubleshoot installation issues
System Requirements
To use Norton AntiVirus, your computer must have one of the following Windows operating systems:
■ Windows 98/SE/Me
■ Windows 2000 Professional
■ Windows XP Home or Professional Editions
■ Windows XP Tablet PC or Media Center Editions

Installation of Norton AntiVirus is not supported on NEC PC98, Windows 95/NT 4.x, Macintosh, Linux, or server versions of Windows 2000/2003/XP computers.

Note: If you are planning to upgrade your Windows operating system from Windows 98/Me to Windows 2000/XP, you must uninstall Norton AntiVirus first and then reinstall after the upgrade is complete.

Windows 98/98SE/Me
■ 150-MHz processor
■ 32 MB of RAM
■ 125 MB of available hard disk space
■ CD-ROM or DVD-ROM drive
■ VGA video
■ Internet Explorer 5.5 or later

Windows 2000 Professional Edition
■ 150-MHz or higher processor
■ 64 MB of RAM
■ 85 MB of available hard disk space
■ CD-ROM or DVD-ROM drive
■ Internet Explorer 5.5 or later

Windows XP Editions
■ 300-MHz or higher processor
■ 128 MB of RAM
■ 85 MB of available hard disk space
■ CD-ROM or DVD-ROM drive
■ Internet Explorer 6.0

If you are installing on Windows 2000/XP, you must install with administrator privileges.
Supported Email clients
Email scanning is supported for any POP3-compatible and SMTP-compatible email client, including:
■ Microsoft Outlook Express version 4, 5, 6
■ Microsoft Outlook 97/98/2000/XP/2003
■ Netscape Messenger version 4, Netscape Mail version 4, 6, 7
■ Eudora Light version 3, Eudora Pro version 4, Eudora 5, Eudora 6.0, Eudora 6.0J
■ Pegasus 3
■ IncrediMail XE
■ Becky! Internet Mail 1.x, 2.0
■ AL-Mail32 1.11
■ Datula 1.x
■ PostPet 2.1, 2.06, 3.0

Unsupported Email clients
Norton AntiVirus does not support the following email clients and protocols:
■ IMAP
■ AOL
■ POP3 over Secure Sockets Layer (SSL)
■ Web-based email such as Hotmail and Yahoo! Mail
■ Lotus Notes

Note: Norton AntiVirus does not support email connections that use Secure Sockets Layer (SSL). SSL is a security protocol designed to provide secure communications on the Internet. If you use an SSL connection, Norton AntiVirus cannot scan emails received using that connection: Email Protection works by proxying cleartext POP3 and SMTP traffic, so an encrypted session passes through it unscanned, and an attachment received that way is covered only when AutoProtect scans it as it is saved or opened.

Supported Instant Messenger clients
The following instant messenger programs are supported:
■ AOL Instant Messenger, version 4.7 or later
■ Yahoo! Messenger, version 5.0 or later
■ Windows Messenger, versions 4.6, 5.0
■ MSN Instant Messenger, versions 4.6, 4.7, 6.0, 6.1
Installation Options

Installation from CD
Installation from CD is the most common way of installing Norton AntiVirus 2005. Installation runs automatically from the Autorun file on the CD. If the installation doesn't start automatically, open the CD and double-click NAVSETUP.EXE.

Installation from download
Downloads are wrapped in a package from a third-party organization. For more information regarding the downloaded package, refer to the third-party documentation. After the package has been downloaded and unwrapped, you can install Norton AntiVirus 2005 in the same manner as from the CD.

Install Over
If you have a previous installation of Norton AntiVirus 2003 or 2004, Norton AntiVirus 2005 automatically removes the earlier version. If your version is earlier than 2003, you must uninstall it before installing Norton AntiVirus 2005. If you have Norton AntiVirus 2004, Norton AntiVirus 2004 Pro, Norton AntiVirus 2003, or Norton AntiVirus 2003 Pro, you can transfer your existing option settings to Norton AntiVirus 2005.
Key File Locations
The list of file locations below is based on the default Norton AntiVirus 2005 installation. Files may be located in different directories if a custom installation has taken place. The files themselves are not listed in this unit; key files for product modules are included in the section detailing the particular module.

Norton AntiVirus 2005 directories
C:\Program Files\Norton AntiVirus
C:\Program Files\Norton AntiVirus\IWP
C:\Program Files\Common Files\Symantec Shared
C:\Program Files\Common Files\Symantec Shared\CCPD-LC
C:\Program Files\Common Files\Symantec Shared\Decomposers
C:\Program Files\Common Files\Symantec Shared\Help
C:\Program Files\Common Files\Symantec Shared\IDS
C:\Program Files\Common Files\Symantec Shared\LiveReg
C:\Program Files\Common Files\Symantec Shared\Script Blocking
C:\Program Files\Common Files\Symantec Shared\Security Center
C:\Program Files\Common Files\Symantec Shared\SPBBC
C:\Program Files\Common Files\Symantec Shared\SymcData
C:\Program Files\Common Files\Symantec Shared\SymcData\ids-diskless
C:\Program Files\Common Files\Symantec Shared\SymcData\ids-diskless\20040407.001
C:\Program Files\Common Files\Symantec Shared\SymcData\ids-diskless\BinHub
C:\Program Files\Common Files\Symantec Shared\SymcData\ids-diskless\incoming
C:\Program Files\Common Files\Symantec Shared\SymSetup
C:\Program Files\Common Files\Symantec Shared\VirusDefs
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20040616.017
C:\Program Files\Common Files\Symantec Shared\VirusDefs\BinHub
C:\Program Files\Common Files\Symantec Shared\VirusDefs\incoming
C:\Program Files\Common Files\Symantec Shared\VirusDefs\Savrt
C:\Program Files\Common Files\Symantec Shared\VirusDefs\TextHub
C:\WINDOWS\system32\
Component Installation
The order of component installation for Norton AntiVirus 2005 is important: if a component does not install properly, components installed after it that depend on it may be corrupted. Knowing the order of component installation is also valuable when troubleshooting installation issues.
Order of Component Installation
This section gives the order of Norton AntiVirus component installation, from first to last:

1. MSREDIST.MSI - This is the Microsoft Installer. Norton AntiVirus 2005 uses MSI version 2.0. If the computer doesn't have this version, it will be installed.
2. LUSetup.exe - This installs LiveUpdate 2.5. LiveUpdate is the primary update technology for Norton AntiVirus.
3. VCSetup.exe - This installs LiveReg 4.0. LiveReg is the technology responsible for users' virus definition subscriptions.
4. Sevinst.exe - This installs Symevent. Symevent is responsible for the kernel-mode driver that allows AutoProtect to hook into the operating system's file system.
5. PARENT.MSI - Installs things such as the configuration wizard and Norton AntiVirus registry keys, and checks for any licensed Symantec products on the computer.
6. SYMLT.MSI - This installs Symantec licensing technology.
7. ccCommon.msi - This installs the common client. The common client is responsible for Norton AntiVirus settings, logging activity, etc.
8. SPBBC.MSI - This installs SymProtect. SymProtect is the technology responsible for protecting Symantec processes and files from unauthorized modification.
9. IDS.MSI - This installs the intrusion detection technology included in Internet Worm Protection.
10. IWP.MSI - This installs Internet Worm Protection. Internet Worm Protection protects against incoming traffic on known ports and with known signatures.
11. SCSSDist.MSI - This is responsible for Symantec Consumer Security Services, a version of Norton AntiVirus distributed in cooperation with certain Internet Service Providers. SCSSDist.MSI should not run in Norton AntiVirus 2005.
12. SYMWMIAV.MSI - This installs the Norton Windows Management Instrumentation update, which allows the Windows Security Center to accurately report the status of Norton AntiVirus.
13. NAV.MSI - This installs Norton AntiVirus components such as AutoProtect, email scanning, and Instant Messenger Protection.
14. ScrBlock.MSI - This installs the Script Blocking components of Norton AntiVirus.
15. Help.MSI - This installs the Norton AntiVirus help files.
Major Registry Keys
Major registry keys are those essential to the functionality and/or settings of product components. If changing or deleting a key changes or disables functionality of Norton AntiVirus 2005, the key is considered a major key for this course.

Important registry keys for Norton AntiVirus 2005
■ HKEY_LOCAL_MACHINE\Software\Symantec\Installed Apps
■ HKEY_LOCAL_MACHINE\Software\Symantec\Shared Defs
■ HKEY_LOCAL_MACHINE\Software\Symantec\Symsetup\refcounts
■ HKEY_LOCAL_MACHINE\Software\Symantec\CommonClient

The Symantec MSI keys for Components, Products, Features, and Upgrade codes are under these:
■ HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer
■ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer

Note: Search the registry for one of the MSI packages by name (for example, nav.msi). The package name will be found under one of the Installer keys, and the GUID for the product appears in the left-hand pane of the registry editor. This GUID is universal for the package. If you search for and delete all instances of this GUID, you uncouple the product from the Windows Installer database. This is essentially the manual equivalent of what the MSI cleanup utility does automatically when it is able to. Because the same GUID appears under several Installer keys, export the affected keys before deleting anything, so the change can be reversed if the wrong product was matched.
Installation Technologies
NavSetup
NavSetup.exe is the NAV version of SymSetup. SymSetup is responsible for controlling MSI-based installations. The primary functions of NavSetup are:
■ Perform all pre-install launch condition checking and prompt for any unmet conditions.
■ Display all install UI panels, including the wizard pages, progress pages and any error dialogs.
■ Call each child (MSI) install in the correct order.
■ Keep track of all products installed during installation and remove them during uninstall.

Main reasons for NavSetup:
■ Avoid nested installs. A nested installation runs another Windows Installer package during a currently running installation. With the addition of Internet Worm Protection there could be the potential for nesting. MSI has many issues with this, and NavSetup allows Symantec to maintain a parallel hierarchy between MSI installations.
■ Have more control over the user interface. This keeps MSI dialogs as silent as possible.
■ Simplify upgrade installs. SymSetup has the ability to uninstall previous products PRIOR to calling the install of the new product.
The installer checks the client machine before making any changes, to make sure that it meets all requirements. The following checks are made:
■ Check for Internet Explorer 5.01 Service Pack 2 – only on install
■ Check for minimum operating system – only on install
■ Check for Admin user rights – both install and uninstall
■ Check PC98 – only on install
■ Check for server operating system – only on install
■ Check for multiple Terminal Services users – both install and uninstall
■ Check for LiveUpdate running – both install and uninstall
■ Check for running Norton AntiVirus windows – both install and uninstall
■ Check for Corporate Norton AntiVirus on the system – install only
■ Check for services and files marked for deletion – install only
■ Check for newer versions of Norton AntiVirus – install only
■ Check for old versions that cannot be installed over – install only
■ Check for other AntiVirus products – install only (this does not prevent the user from installing, it only warns them).
Where to look for indicators
The following registry values indicate a successful installation of Norton AntiVirus:

Reboot Key (present if an application requires the computer to be rebooted right after installation):
Key = HKLM\Software\Symantec\Norton AntiVirus\
Value = (String) "reboot"
Data = ""

Success Key (on a successful installation):
Key = HKLM\Software\Symantec\Norton AntiVirus\
Value = (String) "install"
Data = (String) "success"

Version Key (on a successful installation):
Key = HKLM\Software\Symantec\Norton AntiVirus\
Value = (String) "version"
Data = (String) "X.Y.Z"
Windows Installer
The Microsoft Installer (MSI) handles the installation of all Norton AntiVirus 2005 components. MSI is only concerned with installation; it doesn't do pre-install checks such as those done by NavSetup.exe. The MSI packages only check that NavSetup.exe launched them. In Norton AntiVirus 2005, users are unable to run the MSI files as stand-alone executables; NavSetup.exe must be used to control the MSI packages.

Error shown when trying to launch an MSI file directly:
Understanding Installation versus Configuration Issues

What is an installation issue?
An installation issue is any issue that arises from a failed, partially failed, or corrupt installation of Norton AntiVirus 2005. Installation issues are caused by software bugs or environmental problems, for example.

What is a configuration issue?
A configuration issue is any issue that arises from a settings or environmental issue. Configuration issues can be caused by user settings, for example.
Installation Troubleshooting Logic
What to look for:
■ Environmental issues such as low system resources, RAM, etc.
■ Installation errors (installer engine errors)
Unit 3
Components and Functions of Norton AntiVirus

Overview

Description
Norton AntiVirus has become more feature-rich as new versions have been released. These features have been developed in response to the continued complexity of threats and user environments. In addition to such standard features as Email Protection and Script Blocking, new features and components such as Internet Worm Protection, the Generic Side Effects Repair Engine, and SymProtect (Symantec Process Protection) reflect Symantec's continued commitment to leading the way in antivirus technology. This unit discusses the features and components of Norton AntiVirus, how they interact with other product modules, and how to troubleshoot them.
Objectives
After you complete this unit, you will be able to do the following:
■ Understand the technical details of the components and features of Norton AntiVirus 2005
■ Detail how the various modules in Norton AntiVirus 2005 interact with each other as well as the operating system
■ Understand the logic behind troubleshooting Norton AntiVirus
■ Troubleshoot Norton AntiVirus product issues
Norton AntiVirus Components and Features
As stated previously, Norton AntiVirus has become more complex as more is expected of it. Not only is Norton AntiVirus called on to address increasing security concerns, but it is also expected to be more robust and tamper-proof. The following sections detail the technologies and features that Norton AntiVirus contains to accomplish those goals.
AutoProtect
AutoProtect is the real-time scanner component of Norton AntiVirus. Whenever a file on the system is accessed, AutoProtect scans it. This is the module that keeps the system protected, provided the virus definitions are up to date.

What AutoProtect does
AutoProtect loads into memory when the operating system loads, so the user is protected at all times. AutoProtect scans any file that is accessed on the computer, as well as whenever removable media such as floppy disks or compact discs are inserted, the Internet is accessed, or files are received or created.
How AutoProtect works
Below is a flowchart showing how AutoProtect works to provide real-time protection:

AutoProtect files
Symevent.sys - Kernel-mode driver for NT-based operating systems.
Savrt.sys - Kernel-mode driver for NT-based operating systems.
Navapsvc.exe - File responsible for starting the AutoProtect service.
Navapw32.dll - Norton AntiVirus Agent for AutoProtect.
Apwcmdnt.dll - Command library for AutoProtect for NT-based operating systems.
Symevnt.386 - Kernel-mode driver for 9x-based operating systems.
Savrt.vxd - Kernel-mode driver for 9x-based operating systems.
Apwcmd9x.dll - Command library for AutoProtect for 9x-based operating systems.
AutoProtect Repair Modes

NT:
- Auto-repair: AP will try to repair the infected file. If it fails to repair it, it will deny access to the file.
- Repair then quarantine: AP will try to repair the infected file. If it fails to repair it, it will try to quarantine it. If it then fails to quarantine it, it will deny access to the file.
- Deny access: AP just denies access to the infected file. It doesn't try to repair or quarantine the file.

9x:
- Auto-repair: AP will try to repair the infected file. If it fails to repair it, it will prompt the user for action.
- Repair then quarantine: AP will try to repair the infected file. If it fails to repair it, it will try to quarantine it. If it then fails to quarantine it, it will prompt the user for action.
- Deny access: AP just denies access to the infected file. It doesn't try to repair or quarantine the file.
- Ask me what to do: AP will prompt the user for action.
AutoProtect interactions and dependencies
Key dependencies
■ Remote Procedure Call Service (RPCSS)
Asynchronous scanning
AutoProtect can scan inside compressed files in real time. Uncompressed files are scanned synchronously at the kernel-mode level, which holds any subsequent file I/O until the scan has given the green light; compressed files are instead scanned asynchronously at the user-mode level. To close the window of exposure created by the delayed user-mode scan, subsequent opens of the file are blocked (pending a time-out) until the scan is complete. If an open occurs while the file is still being scanned, a system tray alert informs the user that the application requesting the open may appear hung until the scan is complete.
Asynchronous scanning files
■ Savrt32.dll - Compressed scanning engine.
■ navapsvc.exe - Norton AntiVirus Auto-Protect Service
■ navapw32.dll - Norton AntiVirus Agent
■ NAVAPW32.exe - AutoProtect
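As an added example (not code from the product), the following Python model reproduces the gating described above: an uncompressed file is scanned synchronously on its first open, a compressed file is scanned in a background thread while any later open of the same file waits for the verdict (up to a time-out) and raises a tray-style alert. The scan function, the time-out value and what happens once the time-out elapses are constructed assumptions, since the text does not state them.

```python
import threading
import time
from typing import Callable, Dict, List

# Extensions routed to the compressed (asynchronous) path; a constructed subset.
COMPRESSED_EXTS = (".zip", ".cab", ".rar", ".arj", ".gz", ".tar")


class AsyncScanGate:
    """Constructed model of how AutoProtect gates file opens.

    scan_fn(path) stands in for the scan engine and returns "clean" or
    "infected". open_timeout is how long a blocked open waits for a pending
    asynchronous scan; the value and the 'timeout' outcome are assumptions.
    """

    def __init__(self, scan_fn: Callable[[str], str], open_timeout: float = 5.0):
        self._scan_fn = scan_fn
        self._timeout = open_timeout
        self._lock = threading.Lock()
        self._pending: Dict[str, threading.Event] = {}   # scans still running
        self._verdicts: Dict[str, str] = {}              # finished scans
        self.alerts: List[str] = []                      # stand-in for tray alerts

    @staticmethod
    def is_compressed(path: str) -> bool:
        return path.lower().endswith(COMPRESSED_EXTS)

    def open_file(self, path: str) -> str:
        """Decide an open: 'allowed', 'denied', 'allowed-pending-scan' or 'timeout'."""
        with self._lock:
            verdict = self._verdicts.get(path)
            if verdict is not None:
                return "allowed" if verdict == "clean" else "denied"
            event = self._pending.get(path)
            if event is None:
                if not self.is_compressed(path):
                    # Synchronous path: nothing proceeds until the verdict is
                    # known, so this open gets a final answer immediately.
                    verdict = self._scan_fn(path)
                    self._verdicts[path] = verdict
                    return "allowed" if verdict == "clean" else "denied"
                # Compressed: start the user-mode scan in the background and
                # let the first open proceed.
                event = threading.Event()
                self._pending[path] = event
                threading.Thread(target=self._scan_async, args=(path, event),
                                 daemon=True).start()
                return "allowed-pending-scan"
        # A later open while the scan is running: warn the user, then hold
        # this open until the scan finishes or the time-out elapses.
        self.alerts.append(f"{path}: the requesting application may appear hung "
                           "until the scan is complete")
        if not event.wait(self._timeout):
            return "timeout"
        return "allowed" if self._verdicts[path] == "clean" else "denied"

    def _scan_async(self, path: str, event: threading.Event) -> None:
        verdict = self._scan_fn(path)
        with self._lock:
            self._verdicts[path] = verdict
            self._pending.pop(path, None)
        event.set()


def demo() -> dict:
    """Exercise every path with a constructed engine whose compressed scans
    block until `release` is set, so the timing is deterministic."""
    release = threading.Event()

    def scan_fn(path: str) -> str:
        if AsyncScanGate.is_compressed(path):
            release.wait(10)                  # simulate a slow user-mode scan
        return "infected" if "bad" in path.lower() else "clean"

    gate = AsyncScanGate(scan_fn, open_timeout=10.0)
    out = {
        "doc_open": gate.open_file("C:\\Docs\\report.doc"),      # sync, clean
        "bad_exe_open": gate.open_file("C:\\Temp\\bad.exe"),     # sync, denied
        "zip_first_open": gate.open_file("C:\\Downloads\\bad.zip"),
    }
    waiter: List[str] = []
    t = threading.Thread(
        target=lambda: waiter.append(gate.open_file("C:\\Downloads\\bad.zip")))
    t.start()
    while not gate.alerts:                    # second open is now blocked
        time.sleep(0.01)
    out["alert_raised"] = len(gate.alerts) == 1
    release.set()                             # the scan completes
    t.join(10)
    out["zip_second_open"] = waiter[0]
    out["zip_later_open"] = gate.open_file("C:\\Downloads\\bad.zip")

    # Time-out path: a scan that does not finish within the open's wait.
    stall = threading.Event()                 # never set

    def never_finishes(path: str) -> str:
        stall.wait(2)
        return "clean"

    stuck = AsyncScanGate(never_finishes, open_timeout=0.05)
    stuck.open_file("C:\\Downloads\\slow.zip")
    out["timeout_open"] = stuck.open_file("C:\\Downloads\\slow.zip")
    return out
```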
Email Protection
What Email Protection does
Email Protection scans incoming and outgoing emails, protecting the user’s computer as well as other computers from threats.
How Email Protection works
Email Protection inserts itself between the email client and the email server. The Symantec Redirector plugs into the email client and passes the information on to the common client email proxy, which sends the data on to the email server, and vice versa.
Within the ccEmlPxy service, emails will be sent to one of two separate temp sessions.
With the temp files, Navemail.dll filters the message. ccEmlPxy reads the email and filters it.
Email Protection files
■ ccAVMail.dll - Email Protection scanner.
■ ccEmlPxy.dll - Email Protection proxy.
Email Protection interactions and dependencies
Key dependencies
■ ccApp - Common Client
Instant Messenger Protection
Instant Messenger Protection is the real-time scanning technology for supported Instant Messenger programs in Norton AntiVirus.
What Instant Messenger Protection does
Scans for and detects viruses in instant messenger attachments.
Instant Messenger Protection files and services
■ ccAPP.EXE - Responsible for Instant Messenger protection. All other modules are either direct or indirect plug-ins to ccAPP.
■ ccIMSCAN.DLL - Plugs into ccAPP.EXE
  ■ ccIMSCAN.DLL is responsible for configuring and un-configuring all 3 clients (Yahoo, MSN, and AOL Instant Messengers)
  ■ Works with MSN Instant Messenger to scan file downloads
■ ccIMSCAN.EXE - The file used in the command line with AIM & YIM to scan file downloads
■ OptionsUI - Enables or disables clients by sending a message to ccIMSCAN.DLL
■ ScanMgr - Does all Instant Messenger scanning
  ■ ccIMSCAN.DLL & ccIMSCAN.EXE use ScanMgr
Instant Messenger Protection interactions and dependencies
Key dependencies
■ ccApp.exe - Common Client.
■ ccScan.dll - Common Client scan engine.
■ ScanMgr.dll - Symantec scan manager.
Script Blocking
In today’s interconnected world, fast-moving viruses can travel faster than the cure for these viruses, typically delivered in the form of “signatures” or “virus definitions”. Script Blocking is a proactive technology that detects certain types of viruses without the need for signatures: customers will now have protection against certain types of viruses even before virus definitions have been made available.
What Script Blocking does
Script Blocking technology monitors scripts and alerts users of virus-like malicious behavior, stopping script-based viruses before they can infect a system.
How Script Blocking works
Script Blocking diverts scripts from the usual Windows Scripting Host to three DLL files of our own, which determine whether a script must be blocked, allowed, or treated as a trusted script.
Script Blocking files
■ ScrAuth.dll - Responsible for authorizing scripts and creating alerts.
■ ScrBlock.dll - Responsible for blocking unauthorized scripts.
■ ScrTrust.dll - Responsible for identifying trusted scripts, such as scripts that have been shown to be benign by Script Blocking.
Scanning
Norton AntiVirus 2005 has several methods of scanning, but for purposes of this section we will concentrate on manual scans. Information on real-time, Instant Messenger, and Email scans is covered in separate sections.
What Scanning does
Scanning detects viruses and other threats manually and in real time.
How Scanning works
Scanner files
■ Scan Manager (scanmgr.dll) - This component is used to perform the actual virus scan.
■ Scan Task Library (scantask.lib) - This library loads, saves, and parses NAV Task (.scan) files. This is important for scheduled scans.
■ Options Library (navopt32.lib) - This library reads the options file (NavOpts.dat).
Scanning interactions and dependencies
Key dependencies
■ Scan Task library (ScanTask.lib)
■ Options library (NavOpt32.lib)
Pre-Install Scanner (Prescan.exe)
The Pre-Install Scanner is dependent on 3 Symantec components:
■ ccScanS.dll
■ ecmldr32.dll
■ Virus Definitions
Since the goal of the Pre-Install Scanner is to get Norton AntiVirus installed on the customer’s machine, the Pre-Install Scanner will not scan files contained in archives. This eliminates the need for the Decomposer DLLs and significantly reduces the dependencies list. Prescan.exe interacts directly with navscan.dll to begin the scan. Navscan.dll in turn interacts with navapi.dll and the virus definitions to scan the user’s computer.
Decomposer
Decomposer is the component responsible for uncompressing compressed files, so they can then be scanned by NAV.
Supported file types:
■ AMG
■ ARJ
■ CAB
■ DAT
■ EXE
■ GZ
■ HQX
■ HTML
■ LHA, LZH
■ MIME
■ OLE (DOC, XLS, etc.)
■ RAR
■ RTF
■ TAR
■ UUE
■ ZIP
Decomposer files:
Since the Decomposer is only responsible for decompressing files to be scanned by the scan engine, there are 16 Decomposer files, each responsible for decompressing one of the file types above.
Decomposer Limitations
■ Decomposer can only scan up to 10 levels of compression. If there is an infection beyond 10 levels of compression, NAV will not detect it.
■ Decomposer cannot open password protected compressed files.
■ Decomposer cannot modify certain file types (CAB, ARJ, etc.). This means NAV can detect infection inside these files, but will not be able to repair/quarantine any infection.
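As an added example (not Symantec’s Decomposer code), the following Python routine walks nested ZIP containers the way the first two limitations describe: it stops descending once MAX_DEPTH (10) levels have been opened and reports, rather than opens, entries whose header carries the encrypted flag. MARKER, the nested sample archives and the mark_encrypted helper are constructed for the demonstration; Python’s zipfile cannot write password-protected entries, so the helper sets the flag bit on a plain entry to make the reader side see a protected archive.

```python
import io
import zipfile
from typing import List, Optional

MAX_DEPTH = 10                            # nesting limit the text gives for Decomposer
MARKER = b"CONSTRUCTED-TEST-MARKER-001"   # constructed stand-in for a detection signature


def scan_bytes(data: bytes, name: str, depth: int = 0,
               findings: Optional[List[str]] = None) -> List[str]:
    """Recursively decompose ZIP containers and report what was (not) scanned.

    Each finding is a string so the caller can see exactly where coverage
    stops: a hit, the nesting limit, or a password-protected entry.
    """
    if findings is None:
        findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Leaf file: this is where the real product would run the scan engine.
        if MARKER in data:
            findings.append(f"infected: {name}")
        return findings
    if depth >= MAX_DEPTH:
        # Limitation 1: a container this deep is never opened, so anything
        # inside it is invisible to the scan.
        findings.append(f"not scanned (nesting deeper than {MAX_DEPTH} levels): {name}")
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            inner = f"{name}/{info.filename}"
            if info.flag_bits & 0x1:
                # Limitation 2: bit 0 of the general-purpose flag marks an
                # encrypted entry; without the password it cannot be opened.
                findings.append(f"not scanned (password protected): {inner}")
                continue
            scan_bytes(zf.read(info.filename), inner, depth + 1, findings)
    return findings


def nest(payload: bytes, levels: int) -> bytes:
    """Constructed helper: wrap payload in `levels` nested ZIP archives."""
    data = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("payload.bin" if i == 0 else f"level{i}.zip", data)
        data = buf.getvalue()
    return data


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Constructed helper: set the 'encrypted' flag bit in every local and
    central-directory header of a ZIP. zipfile cannot write encrypted
    entries, so this mimics a password-protected archive for the reader;
    the entry data itself is left untouched."""
    buf = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + flag_offset] |= 0x1
            pos = buf.find(sig, pos + len(sig))
    return bytes(buf)


def demo() -> dict:
    """Build three constructed samples and scan each of them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("secret.bin", MARKER)
    return {
        "ten_levels": scan_bytes(nest(MARKER, MAX_DEPTH), "ten.zip"),
        "eleven_levels": scan_bytes(nest(MARKER, MAX_DEPTH + 1), "eleven.zip"),
        "locked": scan_bytes(mark_encrypted(buf.getvalue()), "locked.zip"),
    }
```

The ten-level sample is found, the eleven-level sample is reported as unscanned at the limit, and the flagged entry is reported as password protected without being opened.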
Quarantine
Quarantine is a “safe” place to store virus-infected files without infecting other files on the computer. When NAV quarantines a file, it puts a wrapper around the file so that no other application can access it, and then stores it in the Quarantine folder. In technical terms, it encrypts the data using the MD5 hashing algorithm. By default, Quarantine backs up an infected item before it attempts to repair it. (This option can be turned off in the Miscellaneous options.) From the Quarantine console, the user can also submit an infected file to Symantec Security Response for analysis.
What Quarantine does
Quarantine separates files from the operating system, storing and encrypting them so that they cannot infect the computer.
How Quarantine works
Quarantine files
■ qconres.dll - Norton AntiVirus QConsole Resource dll
■ qconsole.exe - Norton AntiVirus Quarantine Console
■ qspak32.dll - Norton AntiVirus Quarantine File Storage
■ quar32.dll - Norton AntiVirus Quarantine
Microsoft Office Plugin
The Microsoft Office Plugin allows Norton AntiVirus to scan Microsoft Office files as they are opened. Below is what to look for regarding the Microsoft Office Plugin:
■ You should disable the Office plugin if you suspect it is causing problems with Word, Excel, PowerPoint, etc. You can do this from the Norton AntiVirus options menu.
■ If Norton AntiVirus has been uninstalled, you can unregister and rename the officeav.dll file to ensure the plugin is not causing a problem.
It is important to remember that if you disable the Microsoft Office Plugin, AutoProtect still scans Microsoft Office documents in real time.
Windows XP Service Pack 2
While Symantec generally doesn’t include information concerning product updates from other companies in its training material, we will make an exception here. Service Pack 2 for Microsoft Windows XP is not only an operating system update primarily concerned with security; it also includes new tools with which Norton AntiVirus 2005 (as well as older versions) will interact directly. Below is a list of selected features of Windows XP Service Pack 2, as well as how Norton AntiVirus will interact with those features.
Features included in Windows XP Service Pack 2:
■ Windows Security Center - Security software status indicator.
■ Network Protection Technologies - Changes to the firewall included in Windows XP.
Windows Security Center
Windows Security Center is a tool designed to indicate the status of the firewall and antivirus software installed on the user’s computer, as well as the status of Microsoft Windows Updates. The tool presents these status reports in a single, easily understood window. The information included is whether antivirus software is installed, and the status of the firewall and Microsoft Updates.
How Norton AntiVirus interacts with Microsoft Security Center
Taxman is the codename for the Norton Windows Management Instrumentation provider, a component specific to Windows XP Service Pack 2. The Norton Windows Management Instrumentation provider is the method by which Windows Security Center obtains and displays the appropriate security status for the Symantec consumer security products. Symantec Security Center is installed in part as the executable SYMWSC.EXE.
Norton AntiVirus installed files and their responsibilities
■ SYMWSC.EXE - Symantec Windows Security Service that speaks to the plug-ins and reports this information to the Windows Management Instrumentation.
■ SSCNAV.DLL - Symantec Security Center plug-in for Norton AntiVirus.
■ WSCHLPR.DLL - Allows Norton AntiVirus to integrate its status into the Windows Security Center.
■ SSCOPTS.DAT - Stores Windows Security Center options for displaying Norton AntiVirus security status.
■ SYMWSCNO.EXE - Symantec Windows Security Center user interface component.
■ SYMSCWB.DLL - Symantec Security Center helper file.
Network Protection
The most important detail of the network protection technologies included in Service Pack 2 is that the Windows Firewall is turned on by default. Windows Firewall is the descendant of the original Windows XP firewall, the Internet Connection Firewall, which was turned off by default, so users previously had to turn the firewall on themselves if they wanted to use the feature.
Activity Logs
Activity logs provide the ability to see events such as alerts, application activities, and threat activities that have happened in Norton AntiVirus 2005. These logs are invaluable troubleshooting tools for technicians, as the logs allow them to see exactly what has happened in an environment.
What Activity Logs do
Activity Logs store event data for later viewing. Even if Norton AntiVirus won’t load, it’s possible to determine an event sequence by reading the logs.
Categories of information stored in Norton AntiVirus 2005 logs:
■ Symantec Resource Protection activities:
  ■ Alerts
■ Internet Worm Protection activities:
  ■ Connections
  ■ Activities
  ■ Worm Detection
  ■ System
  ■ Alerts
■ Norton AntiVirus activities:
  ■ Threat alerts
  ■ Application activities
  ■ Alerts
Activity Log files and services
■ Statushp.dll - The Norton AntiVirus status helper module. Manages waiting event threads.
■ NAVSTATS.dll - The Norton AntiVirus Status object. Manages all events.
■ AVVirus.log - Stores threat alert data.
■ AVApp.log - Stores application activity data.
■ AVError.log - Stores application error data.
Activity Log interactions and dependencies
Key dependencies
■ ccApp - The common client user session.
■ ccSettings - Common client settings manager.
Expanded Threat Detection
The purpose of Expanded Threat Detection is to accurately alert users of different types of threats on their system during a scan (this includes any component using the scan manager: Instant Messenger Protection, Email Protection, Manual Scan, context/shell extension scans, etc.). Instead of only alerting users about virus infections, this feature will alert users when spyware and other threats are on a user’s system.
What Expanded Threat Detection does
Expanded Threat Detection works in the same way as other Norton AntiVirus detections, with AutoProtect and manual scans detecting expanded threats as well as viruses, worms, and Trojan horses.
How Expanded Threat Detection works
Expanded Threat Detection uses definitions of known threats for detection. As new threats become known to Symantec, definitions of those threats are made available via LiveUpdate.
Common Error Display
Common Error Display allows Symantec products to share error displays between products. With the dependence on the Common Client this saves a great deal of development work, as well as making support easier across the consumer product line.
What Common Error Display does
■ Uniquely identifies each error displayed to the user.
■ Makes all errors appear with a uniform display to the user.
■ Replaces script errors with the new common error display.
How Common Error Display works
Common Error Display provides links in the error dialogue to Symantec Knowledge Base documents that give the solution to the issue.
Common Client
This section will give you an overview of the Common Client, and how it interacts with Norton AntiVirus. For in-depth information on Common Client, please refer to the Shared Technology courseware.
What Common Client does
Common Client controls different modules and settings for Norton AntiVirus as well as other Symantec products.
How Common Client works
Below is a graphic showing how Common Client works with Symantec products:
Digital Rights Management
This course will provide an overview of Digital Rights Management as it pertains to Norton AntiVirus 2005. In-depth information will be included in the Shared Technology courseware.
Digital Rights Management files
■ NavProd.dll - The DRM product plug-in. This ccApp plug-in is responsible for the DRM integration with Norton AntiVirus 2005.
Potential Points of Failure
You should consider the dependencies (operating system and other Symantec modules) to be the points of failure. Knowing how to step through the program sequentially and validate the dependencies is the easiest way to spot a problem. Included here is an example:
AutoProtect
What enables it to be real-time?
■ Symevnt (Symantec Event Manager) works as a file filter for all I/O activity to the CPU. When Symevnt traps an I/O request it talks to CCEvntmgr, which is loaded as a service. The event manager looks for subscribers (any product that is registered with CCapp) to send notice of the event. In this case, the product DLL is registered and has loaded the scan manager (scanmgr.dll) to manage the event.
■ The scan manager determines if the file is compressed and asks AP to scan the file. If the file is compressed, the asynchronous scanner is called as well as the Decomposer. The scanners use the Virus Definition files that are defined in the registry (HKEY_LOCAL_MACHINE\Software\Symantec\Shared Defs\...) or by usage.dat.
■ If the file is infected, the result occurs based on options (CCSetMgr, Navopts.dat). If the option is to display something for the user, CCAlert is used to create the alert.
■ Once the user interacts with the message, it is returned to the scan manager, CCsetmgr and to CCevntmgr. If the program file handling the event is also supposed to log the activity, a log will be created for the event.
Since there are many factors in this example, any of them potentially failing, it is important to know what succeeded and what did not. You can isolate the components somewhat and test them on their own; for example, scanning a file with the manual scanner validates the integrity (to some extent) of the definitions, the scan manager, Options, and the Common Client components. Any of the modules included in Norton AntiVirus 2005 can be looked at in a similar fashion. Taking the components of each module and isolating them can accurately determine most issues.
Troubleshooting Functionality
This section is designed to give students a look into what they should look for when troubleshooting Norton AntiVirus product modules.
AutoProtect
■ Verify that AutoProtect is enabled in Norton AntiVirus.
■ Verify that the AutoProtect service (NAVAPSVC) is enabled.
■ Test AutoProtect with the EICAR.COM virus test file (available at http://www.eicar.org/anti_virus_test_file.htm).
Email Protection
■ To test Email Protection, send EICAR via an email to verify that Email Protection is working.
Instant Messenger Protection
■ To test Instant Messenger Protection, send EICAR via an Instant Message to verify that Instant Messenger Protection is working.
■ Verify that Instant Messenger Protection is enabled for the particular client type.
Script Blocking
■ To trigger an alert, run the file registry.js. This file is installed on, and can be copied from, any Windows 98 computer. Registry.js is an example of a file that modifies registry keys via a script. This behavior is considered potentially malicious by Script Blocking and should trigger an alert.
■ If the Script Blocking folder is moved from the default location, such as a customer might do in the case of a manual uninstall, certain scripts will not execute on the system. To troubleshoot this, set Windows Explorer folder options to show common tasks in the folder. This should cause objects not to appear within Explorer. To repair this, re-install Windows Script Host 5.6. This will reinstall the system DLLs responsible for executing scripts and will reregister them.
Scans
■ Manual scan - If the manual scan fails or continuously scans the same directory, rescan smaller volumes of files using the right-click context menu scanner. This will allow you to identify a problematic file or folder by process of elimination. Once the problematic file or directory is found, verify system and administrator access (should be full with no denies).
■ Verify that the problematic file or directory is not encrypted and is not password protected, as either of these conditions will cause problems for the Decomposer.
■ Verify that the media scanned isn’t removable media that has been locked.
Decomposer
■ Once the problematic file or directory is found, verify system and administrator access (should be full with no denies).
■ Verify that the problematic file or directory is not encrypted and is not password protected, as either of these conditions will cause problems for the Decomposer.
■ Verify that any compressed file can be opened by the operating system or WinZip and scanned by Norton AntiVirus. If it cannot be scanned successfully, the file should be submitted to Security Response.
Quarantine
■ Verify that the definitions for Quarantine exist within the usage.dat file (the date of the latest virus definitions should be listed). If they do not, an error will occur when opening Quarantine.
■ If there are problems displaying the contents of Quarantine, you can access them directly through Explorer. The contents will be encrypted, but you can see whether there are files or the folder is empty. If there are files, you can delete them using Explorer and should then be able to open Quarantine within Norton AntiVirus.
Microsoft Office Plugin
■ You should disable the Office plugin if you suspect it is causing problems with Word, Excel, PowerPoint, etc. You can do this from the Norton AntiVirus options menu.
■ If Norton AntiVirus has been uninstalled, you can unregister and rename the officeav.dll file to ensure the plugin is not causing a problem.
Common Error Display
■ Make sure the standard Common Client services are running.
■ To test the Common Error Display, stop the AutoProtect service (NAVAPSVC) and try to enable AP through the interface.
Unit 4
Internet Worm Protection
Overview
Description
Internet Worm Protection prevents network worms and other Internet threats from attacking your computer. A worm is similar to a virus, but is a self-contained program that can replicate itself over a computer network. Internet Worm Protection can detect a worm on the network before it copies itself onto your computer.
Objectives
After you complete this unit, you will be able to do the following:
■ Understand the main methods of Internet Worm Protection
■ Describe how the main methods of Internet Worm Protection work
■ Configure Internet Worm Protection
■ Troubleshoot Internet Worm Protection
Internet Worm Protection Overview
Internet Worm Protection uses several methods to protect the user. Below is a list of those components as well as what they do:
■ Port blocking - Monitors the behavior of outgoing network traffic to establish whether an incoming connection is suspicious.
■ Trojan horse detection - Detects if a connection is being attempted on a port that is commonly used by Trojan horse applications. If the connection matches a Trojan horse rule, Internet Worm Protection issues an alert.
■ Auto blocking - Blocks repeated Internet attacks. When Internet Worm Protection detects an attack, it automatically blocks any further communication from the attacker’s computer. The attacker’s IP address is blocked for 30 minutes. Internet Worm Protection lets you manually remove an attacker’s IP address from the list at any time.
■ General rules - Internet Worm Protection uses a set of rules to monitor and handle all traffic and applications on the network. These rules control how Internet Worm Protection guards your computer from malicious incoming traffic, programs, and Trojan horses. Internet Worm Protection should provide adequate protection for most users. If the default protection is not appropriate, you can add, modify, or remove rules in the rules wizard.
■ Traffic analysis - Monitors network traffic for malicious activity. If such activity is detected, Internet Worm Protection blocks the traffic, logs the event, and issues an alert.
■ Exploit detection - Prevents another computer from exploiting bugs in your computer’s software. Worms use these bugs to transfer infected files onto your computer.
■ Threat level - Scans an application for known viruses, and determines whether a program is malicious.
How Internet Worm Protection Works
Event types
Internet Worm Protection differs from Norton Personal Firewall in that Norton Personal Firewall includes more features, such as enhanced logging abilities, Home Networking, etc. Below is a list of the event types Internet Worm Protection handles:
■ Listen events - Listen events are triggered when an application opens a port for “listening”. Examples are FTP and web servers, and multiplayer Internet games.
■ IP traffic events - IP events are triggered by incoming traffic to open ports. Usually a listen event is generated before the traffic is received, so the user has already permitted or blocked the application. However, IP events can occur in cases where the agent wasn’t running when the app tried to listen. This frequently happens at system startup.
■ Trojan Horse (Security Alert) events - Trojan Horse events are generated when an app tries to open a port for listening on a port that we know is commonly used by Trojan Horse apps. The traffic matches a Trojan Horse rule that is installed on the machine and creates a specific event type. Users can also make their own firewall rules that can generate these events. Both event types are generically called Security Alerts and are handled in the same way.
■ IDS events - If traffic analyzed by the IDS engine is determined to be malicious, the traffic is blocked and an IDS event is triggered.
Internet Worm Protection files and services
■ IWP agent (IWP.DLL) - The IWP agent is a ccApp plug-in that connects to SymFirewallAgent and IDS, monitors for subscription changes, monitors for IDS updates, and implements the IWP alerting logic. The alert logic component integrates the SymFirewallAgent, ALE engine, Threat Level and the Alert UIs together. Note: The IWP agent is a ccApp (Common Client) plug-in and as such is dependent on Common Client loading.
■ NavProd.dll - The NAV product plug-in is a ccApp product plug-in that makes sure IWP.dll is loaded, but only if it is installed. Note: The NAV product plug-in is a ccApp (Common Client) plug-in and as such is dependent on Common Client loading.
■ SymFwAgt.DLL - The Symantec Firewall Agent.
■ AutoBlock - AutoBlock is a feature that prevents the user’s machine from being flooded by attacks from one machine. When we detect an attack from the network, we can add the attacker’s IP to a list that the firewall will automatically reject. The IP will remain in this list for a predetermined amount of time (30 minutes). After that time AutoBlock removes it from the list and we will allow traffic from that IP again.
■ ccALE.dll - Symantec Application Lookup Engine.
■ ccFWSetg.dll - Symantec Firewall Settings Engine.
■ ccRuleIO.dll - Symantec Firewall Rules Engine.
■ NPFMntor.exe - Norton AntiVirus Firewall Install Monitor.
■ TLevel.dll - Responsible for determining the threat level of a file.
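The AutoBlock behaviour described in the Overview and again above (an attacker’s IP is rejected for 30 minutes, then released automatically, and can be removed manually at any time), as an added Python model that is not the SymFwAgt or IWP code. The clock is injected so the expiry can be exercised without waiting; the 192.0.2.x addresses and the attack descriptions are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

BLOCK_SECONDS = 30 * 60   # AutoBlock keeps an attacker's IP listed for 30 minutes


@dataclass
class AutoBlock:
    """Constructed model of Internet Worm Protection's AutoBlock list.

    `clock` returns the current time in seconds; it is injected so the
    30-minute expiry can be tested deterministically.
    """
    clock: Callable[[], float]
    block_seconds: float = BLOCK_SECONDS
    _expires_at: Dict[str, float] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def on_attack_detected(self, source_ip: str, description: str) -> None:
        """Called by the detection side (traffic analysis / IDS / Trojan rule).

        A repeat attack from an already listed address simply refreshes
        its expiry (an assumption; the text only gives the 30-minute hold).
        """
        self._expires_at[source_ip] = self.clock() + self.block_seconds
        minutes = int(self.block_seconds // 60)
        self.log.append(f"attack from {source_ip} ({description}); "
                        f"auto-blocked for {minutes} minutes")

    def unblock(self, source_ip: str) -> bool:
        """Manual removal from the list, allowed at any time."""
        removed = self._expires_at.pop(source_ip, None) is not None
        if removed:
            self.log.append(f"{source_ip} removed from AutoBlock list manually")
        return removed

    def _expire(self) -> None:
        """Drop entries whose hold time has elapsed."""
        now = self.clock()
        for ip in [ip for ip, until in self._expires_at.items() if until <= now]:
            del self._expires_at[ip]
            self.log.append(f"{ip} released from AutoBlock list (time elapsed)")

    def allow(self, source_ip: str) -> bool:
        """Firewall decision for inbound traffic: False while the source is listed."""
        self._expire()
        return source_ip not in self._expires_at

    def blocked(self) -> List[str]:
        """Current list contents, as the user would see them in the UI."""
        self._expire()
        return sorted(self._expires_at)


def demo() -> dict:
    """Walk one attacker through detection, manual removal and expiry."""
    now = [0.0]                               # controllable clock, in seconds
    ab = AutoBlock(clock=lambda: now[0])
    out = {"before": ab.allow("192.0.2.10")}
    ab.on_attack_detected("192.0.2.10", "constructed IDS signature match")
    ab.on_attack_detected("192.0.2.77", "constructed Trojan horse rule match")
    out["during"] = ab.allow("192.0.2.10")
    out["listed_after_attacks"] = ab.blocked()
    out["manual_removal"] = ab.unblock("192.0.2.77")
    out["after_manual_removal"] = ab.allow("192.0.2.77")
    now[0] = 29 * 60                          # one minute before the hold ends
    out["at_29_minutes"] = ab.allow("192.0.2.10")
    now[0] = 30 * 60                          # hold has elapsed
    out["at_30_minutes"] = ab.allow("192.0.2.10")
    out["listed_at_end"] = ab.blocked()
    out["log_entries"] = len(ab.log)
    return out
```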
Configuring Internet Worm Protection Internet Worm Protection’s default settings for basic inbound port blocking and network monitoring provide reliable network protection against worms and other malicious activity. This section will detail some of the Internet Worm Protection configuration options. Full configuration details are included in the Norton AntiVirus 2005 User’s Guide, the prerequisite reading for this course.
Types of rules
■ Exclusions - Exclude and include worm signatures from detection.
■ Application rules - Control an application's access to the Internet.
■ General rules - Use rules to monitor network traffic for worms, malicious incoming traffic, programs, and Trojan horses.
■ Trojan rules - Detect varieties of Trojan horses.
■ AutoBlock rules - Block malicious attacks.
Troubleshooting Internet Worm Protection Since Internet Worm Protection is a new product component, it remains to be seen where the majority of support issues will occur. It is important to rely upon the troubleshooting logic of knowing the important files and validating their dependencies. The important Internet Worm Protection files are mentioned earlier in this unit.
Unit 5
Generic Side Effects Repair Engine Overview
Description
The Generic Side Effects Repair Engine is a new feature of Norton AntiVirus 2005. It is designed to remove the side effects of threat attacks in the Windows registry, batch files, the Startup folder, and .ini files.
Objectives
After you complete this unit, you will be able to do the following:
■ Describe how the Generic Side Effects Repair Engine handles side effects found during scans
■ Describe the registry keys cleaned
■ Detail the load points cleaned
■ Know what type of information is stored in the Generic Side Effects Repair Engine activity logs
■ Troubleshoot Generic Side Effects Repair Engine issues
Manual and Preinstall Scans
The scan manager loads a SymInterface Generic Side Effects Repair Engine scanning object (ccGSE.dll) and uses the existing scan engine to handle any infections found during a side effects scan. The entire Generic Side Effects Repair Engine scan takes place before any of the detected infections are handled, to ensure that all possible side effects of a particular infection are detected. After the Generic Side Effects Repair Engine scan is complete, the side effects and infections are handled. Memory side effects are not handled automatically, since the user needs to be warned before processes are terminated.
Generic Side Effects Repair Engine scans start in the background when new virus definitions are downloaded. The user interface is only displayed if an infection is detected. There is an option to disable this behavior on the LiveUpdate panel of the options.
In the Common UI, all side effects and their current state are reflected in the filename tooltip box that is displayed when the filename column is clicked. Quarantine records all successfully removed registry and file side effects for an infected item; if the item is repaired and restored, the side effects are restored as well. The user can see the side effects by going to the properties of an item in the Quarantine console and clicking the new Side Effects panel.
There is a flag in the engines that can be set by the virus definitions to indicate that side effect removal should not be attempted. This flag is exposed via ccScan. If this flag is detected, the side effects for the infection are left alone, and the item is displayed in a separate UI that informs the user that the fix tool must be downloaded to remove this infection.
Generic Side Effects Repair files and services
■ ccGSE.dll - Generic Side Effects Repair scanning engine.
■ ccScan.dll - Common Client scan engine.
■ probeGSE.dll - Generic Side Effects Repair scanner.
■ SPBBCDrv.sys - Generic Side Effects Repair driver (the same driver is listed under SymProtect in Unit 6).
Load Points Cleaned
Registry keys
■ HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
■ HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
■ HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Startup folder
■ c:\documents and settings\all users\desktop\startup
■ c:\documents and settings\all users\desktop\startup\launch.bat
.INI files
■ c:\windows\system\win.ini
Processes
Processes terminated by the Generic Side Effects Repair Engine are treated differently from effects at the load points. Users are prompted before processes are stopped so that they know which programs are being stopped.
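The scan-then-repair flow from the Manual and Preinstall Scans section and the load points listed above, as an added example written for this guide (it is not Symantec's ccGSE code). It collects every side effect before handling any, removes the registry, Startup folder and win.ini entries, keeps the record Quarantine needs for a later restore, honours the definitions flag that forbids repair, and returns processes for a prompt instead of killing them. The real load points are in the registry, the Startup folder and win.ini; here they are passed in as plain Python data so the example runs offline. The worm file name wrm32.exe, the sample entries and the flag name no_repair are constructed for the example.

```python
"""Added example of the side-effect handling described in this unit: find
every reference to a detected threat file at the load points listed above,
remove them, keep the record Quarantine needs to restore them, honour the
definitions flag that forbids repair, and leave process termination to a
prompt. Not Symantec's ccGSE code: the worm file name wrm32.exe, the sample
entries and the flag name no_repair are constructed for the example.
"""
import configparser
import ntpath

RUN_KEYS = (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
            r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices")


def _launched_exe(command):
    """First token of a load-point command, honouring a quoted path."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def _references(command, threat_file):
    """True if the command launches threat_file (case-insensitive basename)."""
    return ntpath.basename(_launched_exe(command)).lower() == threat_file.lower()


def scan_side_effects(threat_file, registry, startup_folder, win_ini_text, running):
    """Collect every side effect first; nothing is handled until the scan ends.

    registry {key: {value_name: command}}, startup_folder {name: text or None},
    win_ini_text (contents of win.ini), running {pid: image name}.
    """
    t = threat_file.lower()
    found = {"threat": threat_file, "registry": [], "files": [], "ini": [],
             "processes": [pid for pid, img in running.items() if img.lower() == t]}
    for key in RUN_KEYS:
        for name, cmd in registry.get(key, {}).items():
            if _references(cmd, threat_file):
                found["registry"].append((key, name, cmd))
    for fname, content in startup_folder.items():   # the worm, or a .bat that starts it
        if fname.lower() == t or (content and t in content.lower()):
            found["files"].append(fname)
    # win.ini sections can hold lines without '=', hence allow_no_value
    ini = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    ini.read_string(win_ini_text)
    for opt in ("run", "load"):                       # [windows] run= / load= lines
        value = ini.get("windows", opt, fallback="") or ""
        if any(_references(p, threat_file) for p in value.split(",")):
            found["ini"].append(("windows", opt, value))
    return found


def _set_ini(win_ini_text, opt, new_value):
    """Rewrite the [windows] opt= line, leaving every other line untouched."""
    out = [f"{opt}={new_value}" if line.split("=", 1)[0].strip().lower() == opt else line
           for line in win_ini_text.splitlines()]
    return "\n".join(out) + "\n"


def repair(found, registry, startup_folder, win_ini_text, no_repair=False):
    """Remove the side effects; returns (record, pids_to_prompt, new_win_ini).

    record is what Quarantine keeps so restore() can put them back. With the
    no-repair flag set by the definitions nothing is touched (the user is sent
    to the fix tool). Processes are never killed here: their PIDs are returned
    so the UI can prompt the user first.
    """
    if no_repair:
        return None, found["processes"], win_ini_text
    record = {"registry": [], "files": [], "ini": []}
    for key, name, cmd in found["registry"]:
        record["registry"].append((key, name, cmd))
        del registry[key][name]
    for fname in found["files"]:
        record["files"].append((fname, startup_folder.pop(fname)))
    for section, opt, value in found["ini"]:
        record["ini"].append((section, opt, value))
        kept = [p for p in value.split(",") if not _references(p, found["threat"])]
        win_ini_text = _set_ini(win_ini_text, opt, ",".join(kept))
    return record, found["processes"], win_ini_text


def restore(record, registry, startup_folder, win_ini_text):
    """Undo a repair from its Quarantine record (item restored by the user)."""
    for key, name, cmd in record["registry"]:
        registry.setdefault(key, {})[name] = cmd
    for fname, content in record["files"]:
        startup_folder[fname] = content
    for _section, opt, value in record["ini"]:
        win_ini_text = _set_ini(win_ini_text, opt, value)
    return win_ini_text


# Constructed sample load points for the fictitious worm file wrm32.exe.
SAMPLE_REGISTRY = {
    RUN_KEYS[0]: {"Windows Update Service": r'"C:\WINDOWS\system32\wrm32.exe" /s',
                  "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    RUN_KEYS[2]: {"svc": r"C:\WINDOWS\wrm32.exe"}}
SAMPLE_STARTUP = {"launch.bat": "@echo off\r\nstart C:\\WINDOWS\\system32\\wrm32.exe\r\n",
                  "desktop.ini": None}
SAMPLE_WIN_INI = "[windows]\nload=\nrun=wrm32.exe,notepad.exe\nNullPort=None\n\n[fonts]\n"
SAMPLE_RUNNING = {4: "System", 1208: "explorer.exe", 1644: "wrm32.exe"}
```

The two-phase shape (scan everything, then repair) is the point: a worm that registers itself at several load points is only fully neutralised if all of them are removed in the same pass, and keeping the pre-repair values in the record is what makes a later restore from Quarantine possible. The run= line shows why removal must be value-aware rather than line-based: win.ini allows several comma-separated programs on one line, and only the worm's entry should go.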
Generic Side Effects Repair Engine Activity Logs Side effect actions are logged to the activity logger under the Threat alerts category. Process terminations are logged into the Application category.
Activity Log Files
■ ccLgView.exe - The Common Client file responsible for all activity log views.
Troubleshooting Generic Side Effects Repair Engine Since Side Effects Repair is a new product component, it remains to be seen where the majority of support issues will occur. It is important to rely upon the troubleshooting logic of knowing the important files and validating their dependencies. The important Side Effects Repair files are mentioned earlier in this unit.
Unit 6
SymProtect Overview Description Many worms today are so-called “retro” worms. These attack security software to prevent detection or removal. Processes are terminated, files deleted, registry keys removed, in an attempt to prevent the user from responding. To meet this threat Norton AntiVirus 2005 includes SymProtect, to protect our software from these attacks.
Objectives
After you complete this unit, you will be able to do the following:
■ Understand what SymProtect does
■ Discuss how SymProtect works
■ Identify and use SymProtect logs
SymProtect Overview
SymProtect is a technology that prevents modification or deletion of Symantec files, processes, and registry keys by unauthorized applications. It does not prevent anyone from reading these assets, so as to avoid interfering with normal operations such as backup. Authorized applications have full access, so they do not require any changes to continue to work.
In order to be protected by SymProtect, a Symantec application provides a list of files and registry keys to be protected. Any .EXE carrying a Symantec digital signature is automatically protected. Once activated, SymProtect prevents any unauthorized application from modifying or deleting any of these protected resources. There are a number of ways an application can be authorized to make changes. The following authorization methods are used by Norton AntiVirus 2005:
■ Digitally signed by Symantec
Applications that are signed with a Symantec digital signature are free to access all protected assets. This covers a great deal of legacy products, since Symantec has been signing binaries for a while. Intelligent Updaters are signed. All fix tools should also be signed.
■ Running from a pre-registered path
An administrator can pre-configure a path, or set of paths, such that applications that run from those locations are authorized. This might be a network share or a location on the local disk to which software is delivered.
■ Has a pre-registered name
The product can register the name of authorized software. This can be used to authorize System Restore or Windows XP's Backup program, %SystemRoot%\system32\ntbackup.exe.
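The three authorization methods above, written up as an access-decision function. This is an added example for this guide, not SymProtect's code: the policy layout, the protected asset list and the Requester fields are assumptions, the digital-signature check is represented by a verified signer field that a real implementation would fill from the image's code signature, and registered names are matched on the image file name. The sample policy, paths and the worm image name are constructed.

```python
"""Added example of the three SymProtect authorization methods listed above
as an access-decision function. It is not SymProtect's code: the policy
layout, the protected asset list and the Requester fields are assumptions,
and the digital-signature check is represented by a verified `signer`
field that a real implementation would fill from the image's code signature.
Registered names are matched on the image file name, as an assumption.
"""
import ntpath
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Requester:
    image_path: str                 # full path of the process image
    signer: Optional[str] = None    # verified signing publisher, if any


@dataclass
class Policy:
    protected_prefixes: tuple       # files, directories and registry keys to guard
    trusted_signer: str = "Symantec Corporation"
    registered_paths: tuple = ()    # administrator-configured deployment locations
    registered_names: tuple = ()    # e.g. ntbackup.exe for Windows XP Backup


def _norm(path):
    """Collapse '..' segments and case so they cannot defeat a prefix check."""
    return ntpath.normcase(ntpath.normpath(path))


def is_protected(policy, resource):
    """Is this file path or registry key one of the guarded assets?"""
    r = _norm(resource)
    return any(r == _norm(p) or r.startswith(_norm(p) + "\\")
               for p in policy.protected_prefixes)


def authorize(policy, requester, resource, operation):
    """Decide whether requester may perform operation on resource.

    Returns (allowed, reason). Reads are never gated, so backup and similar
    tools keep working; writes and deletes on protected assets must pass one
    of the three methods, tried from strongest to weakest.
    """
    if operation == "read" or not is_protected(policy, resource):
        return True, "not gated"
    if requester.signer == policy.trusted_signer:
        return True, "signed by " + policy.trusted_signer
    image = _norm(requester.image_path)
    for p in policy.registered_paths:
        if image.startswith(_norm(p) + "\\"):
            return True, "runs from registered path " + p
    if ntpath.basename(image) in {n.lower() for n in policy.registered_names}:
        # Weakest method: any process can be given this file name.
        return True, "registered name " + ntpath.basename(image)
    return False, "unauthorized modification blocked"


# Constructed policy for the example.
POLICY = Policy(
    protected_prefixes=(r"C:\Program Files\Norton AntiVirus",
                        r"C:\Program Files\Common Files\Symantec Shared",
                        r"HKLM\Software\Symantec"),
    registered_paths=(r"C:\Deploy\Symantec",),
    registered_names=("ntbackup.exe",),
)


def decisions():
    """Constructed requests; returns the allow/deny result of each."""
    nav_exe = r"C:\Program Files\Norton AntiVirus\navapsvc.exe"
    worm = Requester(r"C:\WINDOWS\system32\wrm.exe")
    fixtool = Requester(r"C:\Temp\FixTool.exe", signer="Symantec Corporation")
    deployed = Requester(r"C:\Deploy\Symantec\..\Symantec\setup.exe")
    escaped = Requester(r"C:\Deploy\Symantec\..\Public\setup.exe")
    backup = Requester(r"C:\WINDOWS\system32\ntbackup.exe")
    return [
        authorize(POLICY, worm, nav_exe, "delete")[0],             # False: retro worm
        authorize(POLICY, worm, nav_exe, "read")[0],               # True: reads pass
        authorize(POLICY, worm, r"C:\Program Files\..\Program Files\Norton AntiVirus\navapsvc.exe",
                  "write")[0],                                     # False: '..' normalized
        authorize(POLICY, fixtool, nav_exe, "write")[0],           # True: signed
        authorize(POLICY, deployed, nav_exe, "write")[0],          # True: registered path
        authorize(POLICY, escaped, nav_exe, "write")[0],           # False: left that path
        authorize(POLICY, backup, r"HKLM\Software\Symantec\Foo", "write")[0],  # True: name
    ]
```

Two things the ordering makes explicit. The signature check goes first because it is the only method bound to the code itself; a registered name is the weakest, since a retro worm can simply call its file ntbackup.exe, so a deployment should prefer signatures or registered paths and keep the name list short. Path normalisation before any prefix comparison is what stops ".." segments from escaping a registered directory or disguising a write to a protected one.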
Symantec Processes Protected by SymProtect All Symantec Processes are protected by SymProtect.
SymProtect Files
■ SPBBCDrv.sys - The SymProtect driver.
■ SPBBCEvt.dll - DLL responsible for handling SymProtect events.
■ SPBBCSvc.exe - The SymProtect executable, responsible for the SymProtect service.
■ UpdMgr.exe - Handles SymProtect updates.
Troubleshooting SymProtect Since SymProtect is a new product component, it remains to be seen where the majority of support issues will occur. It is important to rely upon the troubleshooting logic of knowing the important files and validating their dependencies. The important SymProtect files are mentioned earlier in this unit.
Unit 7
Improvements to the User Interface Overview
Description
Norton AntiVirus 2005 contains much the same functionality as the previous version. Some changes have been made, however, that enhance the user experience and provide added safety. This unit addresses those features.
Objectives
After you complete this unit, you will be able to do the following:
■ Understand the new features of the Norton AntiVirus user interface
■ Recognize the screens of the Norton AntiVirus user interface
New User Interface Features The main status screen of Norton AntiVirus 2005 includes the biggest change users can expect. If all the status items are within accepted parameters, the main status screen will show green instead of yellow.
User Interface Emphasis and Prioritization Emphasis in the User Interface will be placed on items that are in violation or are in danger of becoming so. For instance, if Automatic LiveUpdate is disabled, the User Interface will turn yellow and emphasis will be placed on that feature, as shown below:
If items are in violation, such as the subscription being expired, the User Interface will turn red and emphasis will be placed on that feature, as shown below:
Unit 8
Troubleshooting Norton AntiVirus Overview
Description
Norton AntiVirus product modules have become increasingly secure over the last several versions. It is not enough for an antivirus suite to simply detect viruses during manual scans. The software now has to detect viruses entering a computer by any of a number of ways, as well as protect itself from harm. As Norton AntiVirus becomes more secure, it is necessary to become more familiar with troubleshooting product issues. Since processes and files have become more robust, the opportunities for a technician to make modifications have declined. It is therefore more important than ever to be as educated as possible about what can be responsible for an error or loss of functionality.
Objectives
After you complete this unit, you will be able to do the following:
■ Troubleshoot the various modules of Norton AntiVirus 2005
■ Understand the potential causes of Norton AntiVirus 2005 issues
■ Troubleshoot Norton AntiVirus uninstallation
Troubleshooting Logic You should consider the dependencies (Operating System and other Symantec modules) to be the points of failure. Knowing how to step through the program sequentially and validating the dependencies is the easiest way to spot a problem. Included here is an example:
AutoProtect
What enables it to be real-time?
■ Symevnt (Symantec Event Manager) works as a file system filter that sees all file I/O activity. When Symevnt traps an I/O request it talks to CCEvntMgr, which is loaded as a service. The event manager looks for subscribers (any product that is registered with ccApp) to send notice of the event. In this case, the product DLL is registered and has loaded the scan manager (scanmgr.dll) to manage the event.
■ The scan manager determines whether the file is compressed, and then asks AutoProtect to scan the file. If the file is compressed, the asynchronous scanner is called as well as the decomposer. The scanners use the virus definition files defined in the registry (HKEY_LOCAL_MACHINE\Software\Symantec\Shared Defs\...) or by usage.dat.
■ If the file is infected, the result depends on the options (CCSetMgr, Navopts.dat). If the option is to display something for the user, CCAlert is used to create the alert.
■ Once the user interacts with the message, the result is returned to the scan manager, CCSetMgr, and CCEvntMgr. If the program handling the event is also supposed to log the activity, a log entry is created for the event.
Since there are many actors in this example, any of which can fail, it is important to know what succeeded and what did not. You can isolate the components to some extent and test them on their own. For example, scanning a file with the manual scanner validates (to some extent) the integrity of the definitions, the scan manager, Options, and the Common Client components. Any of the modules included in Norton AntiVirus 2005 can be looked at in a similar fashion. Taking the components of each module and isolating them can accurately pin down most issues.
Uninstallation Troubleshooting Logic
This section was intended to include a detailed description of a complete Norton AntiVirus uninstall. Given the sensitive nature of Digital Rights Management and the tamper-resistance of SymProtect, some points to remember will suffice.
Always use the Add/Remove Programs list first The Windows Installer (MSI) will remove the proper registry keys, files, directories, and services to uninstall Norton AntiVirus 2005. Always try this method before moving on.
Digital Rights Management All of the Digital Rights Management keys are encrypted, so they aren’t readily apparent to inspection. Also, removal of or tampering with them results in a loss of Digital Rights Management functionality. This is important to a user who intends to reinstall Norton AntiVirus, since they will need to contact support to re-activate the product.
SymProtect Process Protection means that it will be impossible to turn off certain Symantec services, remove or rename certain files, etc. This represents a challenge to the traditional manual uninstall, since items that have been necessary to totally remove the product are no longer available for deletion. The solution for this problem is the Norton AntiVirus removal tool. This tool will remove the appropriate registry keys, files, etc. to remove Norton AntiVirus, leaving things such as Digital Rights Management so that the user won’t have to reactivate.
Troubleshooting product modules When troubleshooting Norton AntiVirus, it is imperative to look at the items below corresponding to the proper product module:
AutoProtect
■ Verify that AutoProtect is enabled within Norton AntiVirus.
■ Verify that the AutoProtect service (NAVAPSVC) is enabled.
■ Test AutoProtect with the EICAR.COM virus test file (available at http://www.eicar.org/anti_virus_test_file.htm).
Email Protection
■ To test Email Protection, send EICAR via an email to verify that Email Protection is working.
Instant Messenger Protection
■ To test Instant Messenger Protection, send EICAR via an instant message to verify that Instant Messenger Protection is working.
■ Verify that Instant Messenger Protection is enabled for the particular client type.
Script Blocking
■ To trigger an alert, run the file registry.js. This file is installed on, and can be copied from, any Windows 98 computer. Registry.js is an example of a file that modifies registry keys via a script. This behavior is considered potentially malicious by Script Blocking and should trigger an alert.
■ If the Script Blocking folder is moved from the default location, as a customer might do during a manual uninstall, certain scripts will not execute on the system. To troubleshoot this, set the Explorer folder options to show common tasks in folders; this should cause objects not to appear within Explorer. To repair this, reinstall Windows Script Host 5.6. This reinstalls the system DLLs responsible for executing scripts and re-registers them.
Scans
■ Manual scan - If the manual scan fails or continuously scans the same directory, rescan smaller sets of files using the right-click context scanner. This allows you to identify a problematic file or folder by process of elimination. Once the problematic file or directory is found, verify system and administrator access (should be full with no denies).
■ Verify that the problematic file or directory is not encrypted and is not password protected, as either of these conditions will cause problems for the decomposer.
Decomposer
■ Once the problematic file or directory is found, verify system and administrator access (should be full with no denies).
■ Verify that the problematic file or directory is not encrypted and is not password protected, as either of these conditions will cause problems for the decomposer.
■ Verify that any compressed file can be opened by the operating system or WinZip and scanned by Norton AntiVirus. If it cannot be scanned successfully, the file should be submitted to Security Response.
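The process-of-elimination search from the Scans item and the password-protected archive check from the Decomposer items, as an added example written for this guide (it is not Symantec code). The scanner is represented by any callable that raises on a problem file, with a constructed fake standing in for the real one; the archive test reads the general-purpose flag bit 0 of the ZIP format, which marks an entry as encrypted, the case the decomposer cannot open. The file names and the sample archive are constructed.

```python
"""Added example for the Scans and Decomposer checks above; it is not
Symantec code. find_bad_file() does the process-of-elimination search by
halving the file set, with the scanner represented by any callable that
raises on a problem file (a constructed fake in demo()). encrypted_entries()
reads the ZIP general-purpose flag bit 0, which the format uses to mark
password-protected entries, the case the decomposer cannot open.
"""
import io
import struct
import zipfile


def find_bad_file(files, scan):
    """Narrow a failing scan to one file by halving the set each round.

    scan(files) scans a list and raises on failure, like re-running the
    right-click scanner over smaller folders. Returns the first file that
    fails on its own, or None if the whole set scans cleanly.
    """
    try:
        scan(files)
        return None
    except Exception:
        pass
    while len(files) > 1:
        left = files[:len(files) // 2]
        try:
            scan(left)
            files = files[len(left):]       # left half is clean: problem is on the right
        except Exception:
            files = left
    return files[0]


def encrypted_entries(zip_bytes):
    """Names of entries with the encryption flag (general-purpose bit 0) set.

    Explorer and WinZip open such archives and prompt for a password; a
    scanner's decomposer has no password and cannot look inside.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]


def make_zip(entries, encrypted=False):
    """Constructed sample archive. zipfile cannot write encrypted entries,
    so the bit is set by hand in each local file header (flag at offset 6)
    and central directory record (flag at offset 8) to produce a test case.
    Entries are stored uncompressed so the PK signatures are unambiguous."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                flags = struct.unpack_from("<H", raw, pos + off)[0] | 0x1
                struct.pack_into("<H", raw, pos + off, flags)
                pos = raw.find(sig, pos + 4)
    return bytes(raw)


def demo():
    """Constructed walk-through; returns (bad_file, locked_names, clean_names)."""
    files = [f"C:\\Data\\file{n:02d}.doc" for n in range(1, 13)]
    files.insert(7, r"C:\Data\locked.zip")         # the file the scan hangs on

    def fake_scan(batch):                           # stands in for the scanner
        if r"C:\Data\locked.zip" in batch:
            raise RuntimeError("scan did not complete")

    bad = find_bad_file(files, fake_scan)
    locked = make_zip({"report.doc": b"quarterly numbers"}, encrypted=True)
    clean = make_zip({"report.doc": b"quarterly numbers"})
    return bad, encrypted_entries(locked), encrypted_entries(clean)
```

Halving needs roughly log2(n) scans instead of one per file; on a directory tree, run it over the subdirectories first and then over the files of the one that fails. The encryption bit is the quick test for "password protected": Explorer and WinZip will open such an archive and simply prompt, so the "can be opened by the operating system or WinZip" check by itself does not prove the decomposer can scan the contents.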
Quarantine
■ Verify that the definitions for Quarantine exist within the usage.dat file. If they do not, an error occurs when opening Quarantine.
■ If there are problems displaying the contents of Quarantine, you can access them directly through Explorer. The contents are encrypted, but you can see whether there are files or whether it is empty. If there are files, you can delete them using Explorer and should then be able to open Quarantine within Norton AntiVirus.
Microsoft Office Plugin
■ Disable the Office plugin if you suspect it is causing problems with Word, Excel, PowerPoint, etc. You can do this from the Norton AntiVirus options menu.
■ If Norton AntiVirus has been uninstalled, you can unregister and rename the officeav.dll file to ensure the plugin is not causing a problem.
Common Error Display
■ Make sure the standard Common Client services are running.
■ To test the Common Error Display, stop the AutoProtect service (NAVAPSVC) and try to enable AutoProtect through the interface.