Norton Antivirus 2006 Instructor Guide

  • November 2019
  • PDF

Symantec Norton AntiVirus 2006 Course Guide Support Readiness Training

September 2, 2005


Copyright Notice Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder/s. Copyright © 2005 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014. Authorized Symantec courseware materials contain a yellow Symantec watermark on the front side of each page. Use of unauthorized courseware materials is strictly prohibited and should be reported to Symantec Corporation immediately.

Trademarks Symantec, the Symantec logo, Intruder Alert, NetProwler, Raptor, VelociRaptor, Symantec Desktop Firewall, Symantec Enterprise VPN, Symantec Enterprise Firewall, Symantec Ghost, Symantec pcAnywhere, RaptorMobile, NetRecon, Enterprise Security Manager, NAV, Norton AntiVirus, Symantec System Center, Symantec Web Security, Mail-Gear and I-Gear are trademarks of Symantec Corporation. Windows is a registered trademark of Microsoft Corporation. Pentium is a registered trademark of Intel Corporation. Other product names mentioned in this manual may be trademarks of their respective companies and are hereby acknowledged. Printed in the United States of America. 10987654321


Supporting Norton AntiVirus 2006

Preface

Course overview

Course description
This is a training program to support the latest release of Norton AntiVirus. It is estimated that this training will be a one-day, instructor-led, hands-on program that is designed for the global technical support organizations. The Norton AntiVirus 2006 course is divided into eight sections. The instructor's lecture is followed by lab exercises in which students apply knowledge gained throughout the course.

Intended audience
This course is intended for those who have responsibility for supporting, installing, and configuring Norton AntiVirus.

Course prerequisites
It is assumed that the following prerequisites have been met:
■ Students have a working knowledge of Microsoft Windows operating systems.
■ Students have a working knowledge of computer security practices and software.
■ Students have read the Norton AntiVirus 2006 User's Guide.

Course objectives
After you complete this course, you will be able to do the following:
■ Install Norton AntiVirus 2006
■ Troubleshoot installation of Norton AntiVirus 2006
■ Identify the components of Norton AntiVirus 2006
■ Configure the new features of Norton AntiVirus 2006
■ Understand techniques for troubleshooting Norton AntiVirus 2006 issues
■ Monitor Norton AntiVirus activities via the reporting section
■ Understand the install-over matrix for Norton AntiVirus 2006
■ Update Norton AntiVirus using LiveUpdate
■ Configure the side effects engine
■ Use and configure Internet Worm Protection
■ Configure Behavior Blocking
■ Understand UI refresh options


Conventions
This guide uses the typographical conventions shown in the following table.

Convention: Bold text
Purpose: Names of buttons, dialog box options, dialog box names, menu names and options, keys, field names and field entries
Example: On the Tools menu, click Options. The Options dialog box appears. In the Name field, type JSmith.

Convention: Italicized text
Purpose: Cross-references to other sections or documents, to emphasize text, a directory path or file name, or the first use of a glossary term.
Example: The user must type the group's name. \Windows\Program Files

Convention: Keys connected by the plus sign
Purpose: Keys pressed simultaneously.
Example: Ctrl+Alt+Delete

Convention: Keys not connected by the plus sign
Purpose: Keys pressed sequentially.
Example: Esc 0 2 7

Convention: Monospaced bold font
Purpose: Text typed at the command line.
Example: ping 10.0.0.1

Convention: Monospaced font
Purpose: Text displayed at the command line.
Example: Reply from 10.0.0.1 Bytes=32 time=1ms

Convention: Monospaced italicized font
Purpose: Variable text typed at the command line.
Example: ping ip_address

Unit 1 Introduction to Norton AntiVirus 2006 ... 1
  Introduction to Norton AntiVirus 2006 ... 2
  What is new to Norton Antivirus 2006? ... 4
  Threats Norton AntiVirus protects against ... 6
  Summary ... 8

Unit 2 Supporting Norton AntiVirus Installation ... 9
  System requirements ... 10
  Installation options ... 13
  New installation features ... 14
  Key file locations ... 20
  Component installation ... 21
  Registry key locations of interest ... 22
  Installation technologies ... 24
  Installation versus configuration issues ... 26
  Summary ... 28

Unit 3 Norton AntiVirus 2006 components and functions ... 29
  Norton AntiVirus components and features ... 30
  Auto-Protect ... 31
  Email protection ... 35
  Instant messenger protection ... 38
  Scanning ... 40
  Summary ... 53

Unit 4 Internet Worm Protection ... 55
  Internet Worm Protection overview ... 56
  How Internet Worm Protection works ... 57
  Configuring Internet Worm Protection ... 59
  Summary ... 60

Unit 5 Generic Side Effects Repair Engine ... 61
  Manual and preinstallation scans ... 62
  Load points cleaned ... 64
  Generic Side Effects Repair Engine activity logs ... 65
  Summary ... 66

Unit 6 Behavior Blocking (SymProtect) ... 67
  SymProtect overview ... 68
  Ways to Authorize an Application ... 72
  Log Viewer ... 73
  Summary ... 74

Unit 7 Improvements to the user interface ... 75
  New user interface features ... 76
  Summary ... 82

Unit 8 Troubleshooting Norton AntiVirus 2006 ... 83
  Basic troubleshooting logic ... 84
  Removing Norton AntiVirus 2006 ... 86
  Troubleshooting product modules ... 88
  Troubleshooting install scenarios ... 94
  Summary ... 98

Unit 1

Introduction to Norton AntiVirus 2006

Overview

Description
Norton AntiVirus 2006 is the twelfth release of the Norton AntiVirus product line. This product is designed to protect stand-alone personal computers against malicious code and other internet-borne threats. Customers can benefit from increased protection against these threats by upgrading to this release. This unit will highlight the new threats and benefits a customer receives in upgrading to this latest release.

Objectives
In this unit we will cover the following:
■ Introduction to Norton AntiVirus 2006
■ New features in this release
■ Describe new consumer threats addressed by this release


Introduction to Norton AntiVirus 2006
Norton AntiVirus 2006 is the twelfth release of the Norton AntiVirus product line. Customers will find many added benefits in upgrading to or implementing Norton Antivirus 2006. The Norton AntiVirus 2006 release increases customer protection from internet-borne worms and includes updated pre-install scanning. The user interface has also been integrated with Norton Protection Center to improve user experience and functionality.


What is new to Norton Antivirus 2006?
Previous versions of Norton Antivirus offered customers robust features that protected them from malicious software and other internet threats. Norton Antivirus 2006 extends this protection with new features that protect them from new threats and vulnerabilities, such as:
■ Behavior Blocking (SymProtect)
■ Home Page Protection
■ Norton Protection Center integration
■ Pre-install scanner

To improve the user experience, Norton Antivirus also includes many user interface improvements.


Threats Norton AntiVirus protects against Norton AntiVirus 2006 addresses threats from viruses, worms, and Trojan horse programs. In addition, Norton AntiVirus 2006 protects against expanded threats such as spyware, hacker tools, and adware. Included in Norton AntiVirus 2006 is Internet Worm Protection, which is a modified firewall program that offers intrusion detection capabilities, port blocking, and Trojan Horse traffic detection. The following list describes how customers can take action against these threats using Norton AntiVirus 2006.

Table 1: Norton Antivirus 2006 threat detection and response

Threat                        Feature enabling detection and protection
Viruses and internet worms    Auto-Protect, Manual Scans, Internet Worm Protection
Hacktools                     Auto-Protect, Manual Scans
Trackware                     Auto-Protect, Manual Scans
Dialers                       Auto-Protect, Manual Scans
Remote access programs        Auto-Protect, Manual Scans
Adware                        Auto-Protect, Manual Scans
Joke programs                 Auto-Protect, Manual Scans
Spyware                       Auto-Protect, Manual Scans


Summary
In this unit we covered the following:
■ Introduction to Norton AntiVirus 2006
■ New features in this release
■ Describe new consumer threats confronted by this release


Unit 2

Supporting Norton AntiVirus Installation

Overview

Description
This unit focuses on installation of Norton AntiVirus 2006. Installation issues represent the largest single group of support issues for Norton AntiVirus.

Objectives
After you complete this unit, you will be able to do the following:
■ Describe system requirements for installation
■ Describe the installation options for Norton AntiVirus
■ Locate key installed file locations and registry keys
■ Describe the order of component installation
■ Discuss the installation technologies used in Norton AntiVirus
■ Define the difference between installation and configuration issues
■ Troubleshoot installation issues


System requirements Before installing Norton Antivirus 2006 customers should review the hardware and software requirements. These requirements are detailed in the following pages under the hardware and software sections.

Operating System requirements
Norton Antivirus 2006 is only supported on the following operating systems:
■ Windows 2000 Professional
■ Windows XP Home or Professional, Tablet PC or Media Center Editions

Norton AntiVirus is not supported on NEC PC98, Windows 95/NT 4.x, Macintosh, Linux, or server versions of Windows 2000/2003/XP computers.

Note: Norton AntiVirus 2005 is included on the media CD and will install on computers running Windows 98/ME. Norton AntiVirus 2006 is not supported on Windows 98/ME. If you upgrade your Windows operating system from Windows 98/Me to Windows 2000/XP, you must first uninstall Norton AntiVirus and then reinstall after the upgrade.

Hardware requirements
Most software applications have specific hardware requirements as well as software requirements. The following chart illustrates the minimum hardware requirements for Norton Antivirus 2006. Platform performance is directly related to the robustness of the hardware and the resources taken by other applications running on a PC. Customers will find increased performance in Norton Antivirus with more robust hardware and fewer superfluous programs running on their machine.

Windows 2000 Professional Edition             Windows XP editions
150-MHz processor                             300-MHz processor
64 MB of RAM                                  256 MB of RAM
85 MB of available hard disk space            175 MB of available hard disk space
CD-ROM or DVD-ROM drive                       CD-ROM or DVD-ROM drive
Internet Explorer 5.5 or later                Internet Explorer 6.0
Administrator privileges to install program   Administrator privileges to install program


Supported email client scanning
Norton Antivirus 2006 supports antivirus scanning of the email clients that are compatible with the Symantec redirector plug-in and the ccEmlPxy module, which will be discussed in detail in the following unit. Email scanning has been tested and is supported for the following POP3-compatible and SMTP-compatible (Simple Mail Transfer Protocol) email clients:
■ Outlook Express 4.0, 5.x, 6.x
■ Outlook 97/98/2000/XP/2003
■ Netscape Messenger 4.x
■ Netscape Mail 4.x, 6.x, 7.x
■ Eudora Light 3.0, Eudora Pro 4.0, Eudora 5.0, Eudora 6.0J
■ Pegasus Mail 3.0
■ IncrediMail XE
■ Becky! Internet Mail 1.x, 2.0
■ AL-Mail32 1.11
■ Datula 1.x
■ PostPet 2.1, 2.06, 3.0
■ Shuriken Pro 3
■ Mozilla Thunderbird 1.0
■ At-Mail

Email clients not supported
Norton AntiVirus does not support the following email clients:
■ IMAP
■ AOL
■ POP3 with Secure Sockets Layer (SSL)
■ Web-based email such as Hotmail and Yahoo! Mail
■ Lotus Notes

Note: Norton AntiVirus does not support email connections that use Secure Sockets Layer (SSL). SSL is a security protocol designed to provide secure communications on the Internet. If you use an SSL connection, Norton AntiVirus automatically detects that connection and skips scanning it altogether.

Supported instant messenger scanning

Supported instant messenger clients
The following instant messenger programs are supported:
■ AOL Instant Messenger, version 4.7 or later
■ Yahoo! Messenger, version 5.0 or later
■ Windows Messenger, versions 4.6, 5.0
■ MSN Instant Messenger, versions 4.6, 4.7, 6.X

Note: If using an unsupported IM client such as ICQ, Auto-Protect scans any file transferred through instant messenger as soon as it is accessed. Therefore users with unsupported IM clients are protected as well.


Installation options

Installation from CD
Installation from CD is the most common way of installing Norton AntiVirus 2006. Installation runs from the Autorun file on the CD automatically. If the installation doesn't start automatically, you can open the CD and double-click the Navsetup.exe file.

Installation from download
Downloads are wrapped in a package from a third-party organization. After the package has been downloaded and unwrapped, the install of Norton AntiVirus 2006 is the same as from the CD.

Upgrade or install over
If you have a previous installation of Norton AntiVirus 2004 or 2005, Norton AntiVirus 2006 automatically removes the earlier version. If your version is earlier than 2004, you must uninstall it before installing Norton AntiVirus 2006.


New installation features

Pre-flight check
The 2006 version of SymSetup features a page that runs customers through a series of system consistency checks in an attempt to ensure a successful installation.

Pre-install scanner
Beginning in Norton AntiVirus 2005, a pre-install scanner was included. That scanning component has been updated for Norton AntiVirus 2006. The purpose is to give the customer a simple, lightweight virus scanner capable of detecting and repairing viruses so that they may successfully install Norton AntiVirus.

Common Error Display
SymSetup supports Common Error Display error messages. The Common Error Display (CED) messages work exactly the same way the product errors work. After alerting the user about an installation error, the software directs the user to an online Knowledge Base article that helps the user resolve the problem, as well as helping Symantec track issues.

Previous Product Removal
When the user is installing over an older version, which is two years old or older, the product provides the user with an assisted install-over capability. There are some cases today where our product does provide the user with an assisted install over. Basic users do not know how or where to look for the uninstall tool. The installer is able to upgrade older Norton AntiVirus products. This is done by removing the previous product prior to installing the new one. Products that can be upgraded include:
■ Norton AntiVirus 2004
■ Norton AntiVirus 2004 Professional Edition
■ Norton AntiVirus 2005

The installer will also be able to upgrade any of these products when they are installed within a suite product such as Norton Internet Security or Norton SystemWorks.


Pre-flight checks
The installer checks the client machine prior to making any changes to make sure that it meets all requirements. The following checks are made:
■ Check for Internet Explorer 5.01 Service Pack 2
■ Check for Minimum Operating System
■ Check for Admin user rights
■ Check for Server Operating System
■ Check for Multiple Terminal Services users
■ Check for LiveUpdate running
■ Check for running Norton AntiVirus windows
■ Check for Symantec AntiVirus Corp. Edition on the system
■ Check for Services and Files marked for deletion
■ Check for newer versions of Norton AntiVirus
■ Check for old versions that cannot be installed over
■ Check for other AntiVirus products

Where to look for indicators
The following registry keys will indicate successful installations of Norton AntiVirus:

Reboot key - If an application requires the computer to be rebooted right after installation:
Key = HKEY_LOCAL_MACHINE\Software\Symantec\Norton AntiVirus\
Value = (String) "reboot"
Data = ""

Success key - On a successful installation:
Key = HKEY_LOCAL_MACHINE\Software\Symantec\Norton AntiVirus\
Value = (String) "install"
Data = (String) "success"

Version key - On a successful installation:
Key = HKEY_LOCAL_MACHINE\Software\Symantec\Norton AntiVirus\
Value = (String) "version"
Data = (String) "x.y.z"


Pre-install scanner

How Pre-install Scanner works
The diagram below shows how the Pre-install Scanner works:
1 SymSetup.exe loads the scanner, Prescan.exe.
2 The scanner uses the Norton AntiVirus plugin DLL file to start the scan.
3 The pre-install scan is run.

Note: The preinstall scanner does not scan files contained in archives. This eliminates the need for the decomposer DLLs and significantly reduces the dependencies list.

Dependencies
The Pre-Install Scanner is dependent on these Symantec components:
1 ccScanS.dll
2 ecmldr32.dll
3 Virus Definitions
4 ccEraser.dll


Operating System Support The Pre-Install Scanner runs on all operating systems supported by Norton AntiVirus 2006. In addition, the Pre-Install Scanner runs on Windows 98 and ME.


Common Error Display (CED) errors in installation
The Common Error Display may give the following error messages; the Knowledge Base documents below define the Common Error Display process for the Norton AntiVirus Installer. The error message below is an example of the Common Error Display for Norton AntiVirus installation:

Error: "Install has failed (9999,171)" when attempting to install your Symantec product
This is the first version of Norton AntiVirus to include CED. Below is a list of items we have solicited from customers to help diagnose installation issues. Gather the following information from the customer:
■ A copy of the installation log file
■ Information about previous versions of Symantec software that were installed on the computer
■ A list of products that are installed on the computer
■ Information about which items load at startup
■ Information related to the computer's configuration.



Upgrade MSI to version 3.1
Microsoft has recently released a new version of the Windows Installer for the Windows 2000 and XP platforms. The new version of the Windows Installer is available from Microsoft's website, and it is also included on the Norton AntiVirus 2006 CD.

To uninstall the previous version
1 Use Add/Remove Programs.
2 If Add/Remove Programs doesn't work, use the SymNRT removal tool.

Error: "Uninstall has failed (9999,172)" when attempting to uninstall your Symantec product
This is the first version of Norton AntiVirus to include CED. Below is a list of items we have solicited from customers to help diagnose installation issues. Gather the following information from the customer:
■ A copy of the installation log file
■ Information about previous versions of Symantec software that were installed on the computer
■ A list of products that are installed on the computer
■ Information about which items load at startup
■ Information related to the computer's configuration.

To uninstall using the removal tool
Uninstall using the SymNRT removal tool.


Key file locations The list of file locations below is based on the default Norton AntiVirus 2006 installation. Files may be located in different directories if a custom installation has taken place. The files themselves are not listed in this unit. Key files for product modules will be included in the section detailing the particular module. Note: If Norton AntiVirus has been installed to a non-default location, the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\ will list the install directory.

Norton AntiVirus 2006 directories
C:\Program Files\Norton AntiVirus
C:\Program Files\Norton AntiVirus\IWP
C:\Program Files\Common Files\Symantec Shared
C:\Program Files\Common Files\Symantec Shared\CCPD-LC
C:\Program Files\Common Files\Symantec Shared\Decomposers
C:\Program Files\Common Files\Symantec Shared\Help
C:\Program Files\Common Files\Symantec Shared\IDS
C:\Program Files\Common Files\Symantec Shared\LiveReg
C:\Program Files\Common Files\Symantec Shared\Script Blocking
C:\Program Files\Common Files\Symantec Shared\Security Center
C:\Program Files\Common Files\Symantec Shared\SPBBC
C:\Program Files\Common Files\Symantec Shared\SymcData
C:\Program Files\Common Files\Symantec Shared\SymcData\ids-diskless
C:\Program Files\Common Files\Symantec Shared\SymcData\ids-diskless\20040407.001
C:\Program Files\Common Files\Symantec Shared\SymcData\ids-diskless\BinHub
C:\Program Files\Common Files\Symantec Shared\SymcData\ids-diskless\incoming
C:\Program Files\Common Files\Symantec Shared\SymSetup
C:\Program Files\Common Files\Symantec Shared\VirusDefs
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20040616.017
C:\Program Files\Common Files\Symantec Shared\VirusDefs\BinHub
C:\Program Files\Common Files\Symantec Shared\VirusDefs\incoming
C:\Program Files\Common Files\Symantec Shared\VirusDefs\Savrt
C:\Program Files\Common Files\Symantec Shared\VirusDefs\TextHub
C:\WINDOWS\System32\


Component installation
Understanding the order of component installation in Norton AntiVirus is important. Knowing this helps troubleshoot where an installation may have failed and the dependencies that might contribute to the problem.

Order of component installation
The order of Norton AntiVirus 2006 component installation from first to last:

1 Msredist.msi - This is the Microsoft Installer. Norton AntiVirus 2006 uses MSI version 3.0. If the computer doesn't have this version, it will be installed by Norton AntiVirus automatically.
2 Lusetup.exe - This installs LiveUpdate 2.7. LiveUpdate is the primary update technology for Norton AntiVirus.
3 Sevinst.exe - This installs Symevent. Symevent is responsible for the kernel mode driver that allows Auto-Protect to hook into the operating system.
4 Parent.msi - Installs things such as the configuration wizard and Norton AntiVirus registry keys, as well as checking for any licensed Symantec products on the computer.
5 Symlt.msi - This installs Symantec licensing technology.
6 ccCommon.msi - This installs the common client. Common client is responsible for Norton AntiVirus settings, logging activity, etc.
7 Spbbc.msi - This is responsible for installing SymProtect. SymProtect is the technology responsible for protecting Symantec processes and files from unauthorized modification.
8 Iwp.msi - This is responsible for installing Internet Worm Protection. Internet Worm Protection protects against incoming traffic on known ports and with known signatures.
9 Scssdist.msi - This is responsible for SCSS (Symantec Consumer Security Services), a version of Norton AntiVirus distributed in cooperation with certain Internet Service Providers. SCSSDist.MSI doesn't run in the retail version of Norton AntiVirus 2006.
Note: Scssdist.msi is, as stated, used in the SCSS version of Norton AntiVirus. It can be customized so that certain features and components, such as Internet Worm Protection, are "turned off" prior to installation. These turned-off items will not be installed in the SCSS version.
10 Symwmiav.msi - This is responsible for installing the Norton Windows Management Instrumentation update, which allows the Windows Security Center to accurately report the status of Norton AntiVirus.
11 Nav.msi - This is responsible for installing Norton AntiVirus components such as Auto-Protect, email scanning, and instant messenger protection.
12 Help.msi - This is responsible for installing the Norton AntiVirus Help files.
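The install order above doubles as a triage aid: when an install fails, the installation log file that the CED process asks the customer for tells you which child install stopped, and every component later in the list was never attempted. The following Python is an added example, not code from the guide or from Symantec. It encodes the guide's install order and walks a constructed install log to report the completed steps, the failing step with its return code, and the components left uninstalled. The log line format ("Starting child install: …" / "Child install finished: … rc=…") is an assumption made for this example; SymSetup's real log format is not documented on this page.

```python
import re
from typing import Dict, List, Optional

# Install order from the guide (Unit 2, "Order of component installation"), first to last,
# with each step's responsibility as the guide describes it.
INSTALL_ORDER = [
    ("Msredist.msi", "Microsoft Installer (MSI 3.0) redistributable"),
    ("Lusetup.exe", "LiveUpdate 2.7"),
    ("Sevinst.exe", "Symevent kernel-mode driver used by Auto-Protect"),
    ("Parent.msi", "configuration wizard, Norton AntiVirus registry keys, licensed-product check"),
    ("Symlt.msi", "Symantec licensing technology"),
    ("ccCommon.msi", "Common Client (settings, logging)"),
    ("Spbbc.msi", "SymProtect (protects Symantec processes and files from unauthorized modification)"),
    ("Iwp.msi", "Internet Worm Protection"),
    ("Scssdist.msi", "SCSS distribution package (does not run in the retail version)"),
    ("Symwmiav.msi", "WMI update so Windows Security Center can report Norton AntiVirus status"),
    ("Nav.msi", "Norton AntiVirus components: Auto-Protect, email scanning, IM protection"),
    ("Help.msi", "Norton AntiVirus Help files"),
]

# Constructed sample log. The line format is assumed for this example only.
# rc=1603 is the generic Windows Installer "fatal error during installation" code.
SAMPLE_LOG = """\
12:01:02 Starting child install: Msredist.msi
12:01:20 Child install finished: Msredist.msi rc=0
12:01:21 Starting child install: Lusetup.exe
12:01:45 Child install finished: Lusetup.exe rc=0
12:01:46 Starting child install: Sevinst.exe
12:01:58 Child install finished: Sevinst.exe rc=0
12:01:59 Starting child install: Parent.msi
12:02:30 Child install finished: Parent.msi rc=0
12:02:31 Starting child install: Symlt.msi
12:02:50 Child install finished: Symlt.msi rc=0
12:02:51 Starting child install: ccCommon.msi
12:03:09 Child install finished: ccCommon.msi rc=0
12:03:10 Starting child install: Spbbc.msi
12:03:40 Child install finished: Spbbc.msi rc=1603
"""

START_RE = re.compile(r"Starting child install: (\S+)", re.IGNORECASE)
DONE_RE = re.compile(r"Child install finished: (\S+) rc=(\d+)", re.IGNORECASE)


def _canonical(name: str) -> str:
    """Map a logged package name to the spelling used in INSTALL_ORDER (case-insensitive)."""
    for known, _ in INSTALL_ORDER:
        if known.lower() == name.lower():
            return known
    return name


def triage_install_log(log: str) -> Dict[str, object]:
    """Walk the log in order and stop at the first child install that failed or never finished."""
    order = [name for name, _ in INSTALL_ORDER]
    descriptions = dict(INSTALL_ORDER)
    completed: List[str] = []
    started: Optional[str] = None   # step that began but has no completion line yet
    failed: Optional[str] = None
    failed_rc: Optional[int] = None
    for line in log.splitlines():
        m = START_RE.search(line)
        if m:
            started = _canonical(m.group(1))
            continue
        m = DONE_RE.search(line)
        if not m:
            continue
        name, rc = _canonical(m.group(1)), int(m.group(2))
        if rc == 0:
            completed.append(name)
            started = None
        else:
            failed, failed_rc = name, rc
            break
    if failed is None and started is not None:
        failed = started   # started but never finished: the installer was interrupted mid-step
    if failed is None:
        not_attempted: List[str] = []
    else:
        position = order.index(failed) if failed in order else len(order)
        not_attempted = order[position + 1:]
    return {
        "completed": completed,
        "failed": failed,
        "failed_rc": failed_rc,
        "failed_component": descriptions.get(failed) if failed else None,
        "not_attempted": not_attempted,
    }


if __name__ == "__main__":
    for key, value in triage_install_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample log the report shows the six components that completed, Spbbc.msi as the failing step (so the SymProtect dependency is where to start looking), and Iwp.msi through Help.msi as never attempted. A step that started without a completion line is reported as the failure too, which is the signature of an installer that died or was killed mid-install.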


Registry key locations of interest
All of the Registry keys installed by Norton Antivirus 2006 are in some part responsible for proper functionality and/or settings of product components. Some registry keys can be verified and/or modified manually more quickly than the more drastic fix of a complete uninstall and reinstall of the product. If a key is changed or deleted and this results in changed or discontinued functionality of Norton AntiVirus, then restoring the proper setting in the registry on the customer's machine is the goal. The following are important registry keys for Norton AntiVirus 2006:
■ HKEY_LOCAL_MACHINE\Software\Symantec\Installed Apps - This key lists all of the Symantec products and components installed on the computer, as well as their locations.
■ HKEY_LOCAL_MACHINE\Software\Symantec\Shared Defs - This key lists the components of Norton AntiVirus that use definitions, as well as the name of the definition file used by each component and the definition files' locations.
■ HKEY_LOCAL_MACHINE\Software\Symantec\Symsetup\refcounts - This key lists the GUID (Globally Unique Identifier, a unique 128-bit number produced to identify any particular Symantec component) for each component, as well as the number of installations that have been counted by Digital Rights Management for each.
■ HKEY_LOCAL_MACHINE\Software\Symantec\CommonClient - This key lists the version of the Common Client that is installed.
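A support agent usually receives these keys as a regedit export (.reg file) rather than with live access to the customer's machine. The following Python is an added example, not code from the guide or from Symantec: it parses the .reg export format, then applies the "Where to look for indicators" rules from the pre-flight section (the "install", "version" and "reboot" values under HKEY_LOCAL_MACHINE\Software\Symantec\Norton AntiVirus) and lists the entries under Installed Apps. The key paths and value names come from the guide; the sample export and its data values are constructed for this example ("x.y.z" is the guide's own placeholder for the version string), and the Installed Apps entry names are assumptions.

```python
import re
from typing import Dict, Optional

# Constructed sample: a regedit export of the keys the guide names. Key paths and value
# names are from the guide; the data values and the Installed Apps entry names are made up.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Symantec\Norton AntiVirus]
"install"="success"
"version"="x.y.z"
"reboot"=""

[HKEY_LOCAL_MACHINE\Software\Symantec\Installed Apps]
"Norton AntiVirus"="C:\\Program Files\\Norton AntiVirus"
"Internet Worm Protection"="C:\\Program Files\\Norton AntiVirus\\IWP"

[HKEY_LOCAL_MACHINE\Software\Symantec\CommonClient]
"Version"="x.y.z"
'''

NAV_KEY = r"HKEY_LOCAL_MACHINE\Software\Symantec\Norton AntiVirus"
INSTALLED_APPS_KEY = r"HKEY_LOCAL_MACHINE\Software\Symantec\Installed Apps"

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(text: str) -> str:
    # .reg exports escape backslashes and double quotes inside quoted strings.
    return re.sub(r'\\(.)', r'\1', text)


def _decode_data(data: str):
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])          # REG_SZ
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)              # REG_DWORD, written as 8 hex digits
    return data                               # hex:/other binary types left raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key path (lower-cased): {value name: data}} for a .reg export."""
    tree: Dict[str, Dict[str, object]] = {}
    current: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            # Registry key paths are case-insensitive, so normalise them for lookup.
            current = tree.setdefault(m.group(1).lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[_unescape(m.group(1))] = _decode_data(m.group(2))
    return tree


def _value(values: Dict[str, object], name: str):
    # Value names are case-insensitive too; keep the original spelling in the tree.
    for k, v in values.items():
        if k.lower() == name.lower():
            return v
    return None


def install_status(tree: Dict[str, Dict[str, object]]) -> Dict[str, object]:
    """Apply the guide's indicator rules to the Norton AntiVirus key."""
    values = tree.get(NAV_KEY.lower(), {})
    return {
        "installed": _value(values, "install") == "success",   # Success key
        "version": _value(values, "version"),                  # Version key
        "reboot_pending": _value(values, "reboot") is not None, # Reboot key present (data is "")
    }


def installed_components(tree: Dict[str, Dict[str, object]]) -> Dict[str, object]:
    """Name -> install location, as recorded under Installed Apps."""
    return dict(tree.get(INSTALLED_APPS_KEY.lower(), {}))


if __name__ == "__main__":
    registry = parse_reg_export(SAMPLE_REG_EXPORT)
    print(install_status(registry))
    print(installed_components(registry))
```

The reboot indicator is a presence test rather than a data test because the guide documents its data as an empty string; a missing "install"="success" with a populated Installed Apps key is the pattern to expect from a partially completed install.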


The Symantec MSI keys for components, products, features, and upgrade codes fall under the following keys:
■ HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer - Version numbers of all software installed on the computer using MSI.
■ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer - Every type of data regarding all Symantec products installed on the computer that a support agent could need. Included below is an example:


Installation technologies The following sections detail the technologies installed by Norton Antivirus 2006. These items include: Navsetup and the Microsoft Installer.

Navsetup

Navsetup.exe is the Norton AntiVirus version of SymSetup, the primary installation executable for Norton AntiVirus, Norton Internet Security, and Norton SystemWorks. SymSetup is responsible for controlling MSI-based installations. The primary functions of Navsetup are:

■ Perform all pre-install launch condition checking and prompt for any unmet conditions.

■ Display all install UI panels, including the wizard pages, progress pages and any error dialogs.

■ Call each child (MSI) install in the correct order.

■ Keep track of all products installed during installation and remove them during uninstall.


Microsoft Installer

The Microsoft Installer (MSI) handles the installation of all Norton AntiVirus 2006 components. MSI is only concerned with installation; it does not do pre-installation checks such as those done by Navsetup.exe. The MSI installers check only that Navsetup.exe launched the MSI. Note: In Norton AntiVirus 2006, users are unable to run the MSI files as stand-alone executables. Navsetup.exe must be used to control the MSI packages.

The error below is shown when trying to launch an MSI file directly:


Installation versus configuration issues

Installation issues arise from failed or corrupted installations. Configuration issues arise from problems with settings or the environment.

Installation issues

An installation issue is any issue that arises from a failed, partially failed, or corrupt installation of Norton AntiVirus. Installation issues are caused by things such as software bugs or environmental problems. The list of Knowledge Base documents below refers to some of the most common installation issues. Please be sure to refer to these documents after this course, to become familiar with the issues.

■ Error: "Norton AntiVirus has encountered an internal program error... (3009,1007)" while installing Norton AntiVirus. KB Document #2004102915394306, http://service1.symantec.com/SUPPORT/nav.nsf/docid/2004102915394306

■ Error: "Norton AntiVirus installation has failed. Do you want to try to install again?" KB Document #2004091615042406, http://service1.symantec.com/SUPPORT/nav.nsf/docid/2004091615042406

■ Message: "Norton AntiVirus 2005 does not support the repair feature..." KB Document #2004090712504306, http://service1.symantec.com/SUPPORT/nav.nsf/docid/2004090712504306


Configuration issues

A configuration issue is any issue that arises from a settings or environmental problem. Configuration issues can be caused by things such as email scanning settings.


Summary

In this unit we have covered the following:

■ Describe system requirements for installation

■ Describe the installation options for Norton AntiVirus

■ Locate key installed file locations and registry keys

■ Describe the order of component installation

■ Discuss the installation technologies used in Norton AntiVirus

■ Define the difference between installation and configuration issues

■ Understand some specific installation issues

Unit 3

Norton AntiVirus 2006 components and functions

Overview

Description This unit discusses the features and components of Norton AntiVirus, how they interact with other products, and how to approach troubleshooting issues between them.

Objectives

After you complete this unit, you will be able to do the following:

■ Define the components and features of Norton AntiVirus 2006

■ Detail modules in Norton AntiVirus 2006 and how they interact

■ Define the logic behind troubleshooting some of these components


Norton AntiVirus components and features

As new versions of Norton AntiVirus have been released, the program has incorporated more complex features in response to the continued complexity of threats and user environments. Symantec's continued commitment to leading the way in the area of antivirus technology has spawned new features and tools to combat these threats. Standard features such as email protection and script blocking, and components such as Internet Worm Protection, the Generic Side Effects Repair Engine, and SymProtect (Symantec Process Protection) reflect this commitment. Norton AntiVirus is also expected to be more robust and tamper-proof. The following sections detail the technologies that Norton AntiVirus uses to accomplish these many challenging goals.


Auto-Protect

Auto-Protect is the real-time scanner component of Norton AntiVirus. Auto-Protect scans any file accessed on your system. This ensures that all files in any active state are inspected and verified before the user acts on them. This is the module that makes sure that your system is protected at all times. Auto-Protect can only sustain this level of protection if the system has current and up-to-date virus definitions.

What Auto-Protect does

Auto-Protect loads into memory when the operating system loads, thus protecting the user at all times. Auto-Protect scans any file that is accessed on the computer. Auto-Protect actively scans all files on the host PC, which include:

■ Removable media such as floppy disks, zip disks, USB thumb drives or compact disks

■ Files accessed or downloaded from the Internet, including cached web files

■ New files as they are created

■ Files that are received by POP mail clients


How Auto-Protect works

Auto-Protect has slightly different file dependencies depending on which operating system it is installed on. There are significant differences between the 9x and NT operating system architecture and function. Therefore, the files, dependencies and actions Auto-Protect takes are likely to be different. The following table lists the Auto-Protect dependencies and how they provide real-time protection to the customer's PC.

Table 3-1 Auto-Protect files and their functions

Windows NT based operating systems (Windows 2000, Windows XP versions):

■ symevent.sys - Kernel-mode driver for the operating system

■ savrt.sys - Kernel-mode driver for the operating system

■ navapsvc.exe - Starts the Auto-Protect service

■ navapw32.dll - Norton AntiVirus agent for Auto-Protect

■ apwcmdnt.dll - Command library for Auto-Protect on Windows NT based operating systems

Windows 9x based operating systems (Windows 98 / 98SE / ME versions):

■ symevnt.386 - Kernel-mode driver for the operating system

■ savvrt.vxd - Kernel-mode driver for the operating system

■ navapsvc.exe - Starts the Auto-Protect service

■ apwcmd9x.dll - Command library for Auto-Protect on Windows 9x based operating systems

When Auto-Protect locates a suspicious file it can perform several actions on that file. In some cases it can repair the file, quarantine the file, or deny access to the file. The differences in operating system architecture can also affect these actions. Table 3-2 lists the repair actions on each platform.

Table 3-2 Auto-Protect repair actions

Windows NT based operating systems (Windows 2000, Windows XP versions):

■ Auto-repair - Auto-Protect will try to repair the infected file. If it fails to repair it, it will deny access to the file.

■ Repair then quarantine - Auto-Protect will try to repair the infected file. If it fails to repair it, it will try to quarantine it. If it then fails to quarantine it, it will deny access to the file.

■ Deny access - Auto-Protect just denies access to the infected file. It does not try to repair or quarantine the file.

Windows 9x based operating systems (Windows 98 / 98SE / ME versions):

■ Auto-repair - Auto-Protect will try to repair the infected file. If it fails to repair it, it will prompt the user for action.

■ Repair then quarantine - Auto-Protect will try to repair the infected file. If it fails to repair it, it will try to quarantine it. If it then fails to quarantine it, it will prompt the user for action.

■ Deny access - Auto-Protect just denies access to the infected file. It does not try to repair or quarantine the file.

■ Ask me what to do - Auto-Protect will prompt the user for action.

Auto-Protect interactions and dependencies

In addition to the key files that are installed by Norton AntiVirus 2006, the product also depends on the Remote Procedure Call Service (RPCSS). This service is provided by Windows based platforms for miscellaneous RPC services, and by default the service is active. The possibility does exist for a customer to manually disable it. Disabling the RPC service will cause inconsistent behavior and errors in the Norton AntiVirus 2006 product.

Asynchronous scanning

Auto-Protect has the ability to scan items contained in compressed files in real time. Uncompressed files are normally scanned in synchronous mode. Compressed files are locked and scanned in asynchronous mode (user mode) to close specific vulnerabilities. Subsequent attempts to open the file are blocked until the complete scan has ended. Should an open occur while the item is being scanned, a system tray alert will notify the user that the file may appear locked until the complete compressed file scan has ended. The files performing this action include: Savrt32.dll, Navapsvc.exe, Navapw32.dll and Navapw32.exe.


Troubleshooting Auto-Protect

Troubleshooting issues specific to Auto-Protect can be quickly summarized from the following Knowledge Base document (Document ID: 2003090910073206). Those familiar with the Norton AntiVirus product will recognize the services and files being verified.

Error: "Norton AntiVirus has encountered an internal program error" (4002, 519, 517)

To confirm that the Norton AntiVirus program files are set to load on startup:

1 In the Windows taskbar, click Start > Run. In the Open box, type MSCONFIG and click OK.

2 In the System Configuration Utility, click the Startup tab and verify that the following items are checked:

■ ccApp

■ Symantec Core LC (only seen on English versions of Norton AntiVirus)

■ ccEvtMgr

■ ccSetMgr

3 If any of the entries that are listed are unchecked, check them. (If any of the entries that are listed in step 4 are missing, it indicates that Norton AntiVirus was not installed successfully. If you see this, go on to the section "To remove and reinstall Norton AntiVirus" and follow the instructions.)

4 Verify that the following items are checked:

■ SYMEVNT

■ SYMTDI

■ SAVRTPEL

■ SAVRT

If any entries above are unchecked, then check them.

Note: Missing entries indicate that Norton AntiVirus was not installed successfully. Remove and reinstall Norton AntiVirus.

5 Click Apply, click OK, and restart the computer. If the error message continues, go to the next solution.

6 Reinstall the Symantec shared files (Symevent). This item can be downloaded from the Symantec website. The Symevent installer file is sevinst.exe. When prompted, select "Save this Program to Disk," and save the item to the C:\ location.

7 Click Start > Run. Type C:\sevinst.exe /r on the run line, and then click OK.

8 Close all programs, and then restart the computer. If you continue to see the error, then uninstall and reinstall Norton AntiVirus.


Email protection

Email protection scans incoming and outgoing message traffic. Email is the most prolific distribution method for viruses in any computer network. Therefore, protecting the customer's computer from receiving or being the source of viruses is a significant task of Norton AntiVirus 2006.

How email protection works

Email protection inserts itself between the email client and the email server. This process consists of several key items, which include the following:

■ ccAVMail.dll - Email protection scanner

■ ccEmlPxy.dll - Email protection proxy

■ ccApp - Common Client, a key dependency of the Email Protection Common Client

A Symantec redirector plugs into the email client and passes the information on to the common client email proxy known as ccEmlPxy. The common client in turn sends the data on to the email server as illustrated in Figure 3-1.

Figure 3-1 Email proxy overview

When messages are passed to the ccEmlPxy service, email messages are sent to one of two separate temp sessions as illustrated in Figure 3-2.

Figure 3-2 Email proxy temporary file

Using the temp files, Navemail.dll filters the message and ccEmlPxy also reads the message and filters it as illustrated in Figure 3-3.

■ ccEmlPxy contains email filters. These filters each take a turn reading the email temp file and perform the necessary functions required to scan the item.

■ ccEmail does not care whether or not the temp file is modified by any of the filters.

■ In Norton AntiVirus's case, Navemail.dll uses scanmgr to perform a scan on the temp file. After any repairs, etc. are made, the file is passed to the other filters and then back to ccEmlPxy, which sends the email to the client.

Figure 3-3 ccEmlPxy filter detail

After ccEmlPxy delivers the email to the client, the client then issues a quit command to the server and both connections are dropped as illustrated in Figure 3-3.

Figure 3-4 Completion of message scan and connection cleanup


ccEmlPxy

As you look at the information above, you will note that ccEmlPxy is shown repeatedly. You will also note that it does more than one thing:

■ ccEmlPxy contains email filters. These filters each take a turn reading the email temp file and perform the necessary functions required to scan the item.

■ ccEmlPxy interacts with the Redirector, the email server, and the email client.

■ ccEmlPxy creates temp files which emails go into while they are scanned. It creates a separate file for each email.

■ ccEmlPxy then uses navemail.dll to scan the temp file.

■ Navemail.dll then sends it back to ccEmlPxy, which then sends it to the email client.

Note: What does this tell us about ccEmlPxy? That it can be considered a potential point of failure. If anything breaks during the email scanning process, ccEmlPxy is likely to be affected.


Instant messenger protection

Norton AntiVirus Instant messenger protection is the real-time scanning technology that protects users from malicious items in instant messenger attachments.

Instant messenger protection files and services

Instant messenger protection detects viruses in instant messenger attachments. Instant messenger protection interacts with the common client and the following items:

■ ccApp.exe - Responsible for instant messenger protection. All other modules are either direct or indirect plug-ins to ccApp.

■ ccImscan.dll - Plugs into ccApp.exe
    ■ ccImscan.dll is responsible for configuring and unconfiguring all three clients (Yahoo, MSN, and AOL Instant Messengers)
    ■ Works with MSN Instant Messenger to scan file downloads

■ ccImscan.exe - Used on the command line with AIM and YIM to scan file downloads

■ OptionsUI - Enables or disables clients by sending a message to ccImscan.dll

■ ScanMgr - Performs all instant messenger scanning and uses ccImscan.dll and ccImscan.exe

Instant messenger protection interactions and dependencies

Key dependencies include:

■ ccApp.exe - Common Client

■ ccScan.dll - Common Client scan engine

■ ScanMgr.dll - Symantec scan manager

Figure 3-5 IM scanning within the common client

Scanning

Norton AntiVirus 2006 has several methods of scanning. In this section we focus on manual scans, as this also describes the Auto-Protect scan functions. Scanning detects viruses and other threats manually and in real time.

How scanning works

Scanning is performed by the following files and processes:

■ Scanmgr.dll - The scan manager DLL is used to perform the actual virus scan.

■ Scantask.lib - The Scan Task Library loads, saves, and parses NAV Task (.scan) files, which are important in scheduled scans.

■ Navopt32.lib - The options library reads the options file, Navopts.dat.

Scanning also has the following dependencies:

■ Scan Task library (Scantask.lib)

■ Options library (Navopt32.lib)

PreInstall scanner (prescan.exe)

The goal of the preinstall scanner is to scan the customer's computer before Norton AntiVirus is installed on it. The preinstall scanner does not scan files contained in archives. This eliminates the need for the decomposer DLLs and significantly reduces the dependency list. Prescan.exe interacts directly with ccEraser.dll and ccScanS.dll to begin the scan. ccScanS.dll, in turn, interacts with ecmldr32.dll and the virus definitions to scan the user's computer. The preinstall scanner is dependent on the following three Symantec components:

■ ccScanS.dll

■ Ecmldr32.dll

■ Virus definitions


Decomposer

Decomposer is the component responsible for uncompressing compressed files so that the files they contain can be scanned for malicious items. These compressed files are sometimes referred to as package files. The decomposer component supports the following file types:

.amg, .arj, .cab, .dat, .exe, .gz, .hqx, .html, .lha, .lzh, MIME, OLE (.doc, .xls, etc.), .rar, .rtf, .tar, .uue, .zip

Decomposer files

Since the decomposer is only responsible for decompressing files to be scanned by the scan engine, there are 16 decomposer objects, each responsible for its respective file type above.

Decomposer limitations

Decomposer also has limitations on the level and ability in dealing with some items. These limitations include the following:

■ Decomposer can only scan to 10 levels of compression (a package within a package, within a package, 10 levels deep). If there is an infection beyond 10 levels of compression, Norton AntiVirus will not be able to detect it.

■ Decomposer cannot open password-protected compressed files.

■ Decomposer cannot modify certain file types (.cab, .arj, etc.). This means Norton AntiVirus can detect an infection inside these files, but will not be able to repair or quarantine this type of package file.
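The first two limitations above, modelled as an added example (not Norton AntiVirus code): a depth-limited ZIP decomposer that reports content it cannot reach as unscanned rather than clean, with test archives built in memory. The marker string, file names and the flag-patching helper are constructed for illustration; only ZIP containers are modelled.

```python
"""Depth-limited decomposer model (added example, not Symantec code).

Demonstrates two Decomposer limitations: packages nested deeper than 10
levels are not scanned, and password-protected archives cannot be opened.
"""
import io
import zipfile

MAX_DEPTH = 10                                  # Decomposer scans 10 levels of compression
MARKER = b"CONSTRUCTED-DETECTION-MARKER"        # constructed stand-in for a virus signature
ENCRYPTED_BIT = 0x1                             # ZIP general-purpose flag bit 0 = encrypted


def make_zip(name, payload):
    """Build a one-member, uncompressed ZIP archive in memory (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def nest(payload, levels):
    """Wrap payload in `levels` nested ZIPs: level1.zip holds payload.bin, and so on."""
    data, name = payload, "payload.bin"
    for i in range(1, levels + 1):
        data, name = make_zip(name, data), f"level{i}.zip"
    return data


def mark_encrypted(zip_bytes):
    """Set the encryption flag in the local and central headers of a constructed ZIP.

    zipfile cannot write encrypted members, so this patches the flag so that the
    archive looks password protected to a reader (the member data is untouched).
    """
    out = bytearray(zip_bytes)
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(signature)
        while pos != -1:
            out[pos + flag_offset] |= ENCRYPTED_BIT
            pos = out.find(signature, pos + len(signature))
    return bytes(out)


def scan(data, path="<root>", depth=0, max_depth=MAX_DEPTH):
    """Decompose `data` recursively and return a list of (path, status) findings.

    status is one of "infected", "clean", "unscanned:depth-limit" or
    "unscanned:password-protected". Content the decomposer cannot reach is
    reported as unscanned instead of being silently treated as clean.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [(path, "infected" if MARKER in data else "clean")]
    if depth >= max_depth:
        # An 11th container would have to be opened here: beyond the limit.
        return [(path, "unscanned:depth-limit")]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}"
            if info.flag_bits & ENCRYPTED_BIT:
                findings.append((member, "unscanned:password-protected"))
                continue
            findings.extend(scan(zf.read(info), member, depth + 1, max_depth))
    return findings


def statuses(data):
    """Convenience wrapper returning just the status of each finding."""
    return [status for _, status in scan(data)]


if __name__ == "__main__":
    print(scan(nest(MARKER, 10)))   # payload.bin reached and reported infected
    print(scan(nest(MARKER, 11)))   # level1.zip left unscanned at the depth limit
    print(scan(mark_encrypted(make_zip("secret.bin", b"no marker here"))))
```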


Quarantine

Quarantine is a "safe" place to store virus-infected files without infecting other files on the computer. When Norton AntiVirus quarantines a file, it puts a wrapper around the file so that no other application can access it, and then stores it in the Quarantine folder. This encryption uses an MD5 hashing algorithm. By default, Quarantine backs up an infected item before it attempts to repair it. Customers can make minor adjustments to this option. From the Quarantine console, the user can also submit an infected file to Symantec Security Response for analysis.

What Quarantine does

Quarantine separates files from the operating system, storing and encrypting them so that they cannot infect the computer in any way.

How Quarantine works

Quarantine files:

■ Qconres.dll - Norton AntiVirus QConsole resource DLL

■ Qconsole.exe - Norton AntiVirus Quarantine Console

■ Qspak32.dll - Norton AntiVirus Quarantine file storage

■ Quar32.dll - Norton AntiVirus Quarantine


Microsoft Office plug-in

The Microsoft Office plug-in allows Norton AntiVirus to scan Microsoft Office files as they are opened. Isolation of symptoms regarding the Norton AntiVirus Microsoft Office plug-in:

■ You should disable the Office plug-in if you suspect it is causing problems opening or saving Word, Excel, PowerPoint, or other Microsoft Office documents. You can disable the Office plug-in from the Norton AntiVirus options menu.

■ If you decide to uninstall Norton AntiVirus, you should unregister and rename the Officeav.dll file to ensure this plug-in will not cause future issues.

■ If you disable the Microsoft Office plug-in, Auto-Protect still scans Microsoft Office documents in real time.


Windows XP Service Pack 2 (SP2)

Service Pack 2 for Microsoft Windows XP is not only an operating system update primarily concerned with security; it also includes new tools with which Norton AntiVirus 2006 (as well as older versions) will interact directly.

Key considerations in Windows XP SP2 and Norton AntiVirus 2006

Although Windows XP Service Pack 2 monitors your antivirus software, it has no antivirus capability itself. Your continued use of Norton AntiVirus is crucial to the security of your computer. Norton AntiVirus automatically detects and deletes worms, Trojan horses, and viruses without interrupting your work. Norton AntiVirus detects malicious code stored in compressed files and file archives and identifies and alerts you to the presence of spyware. Neither Windows XP nor the integration of Windows XP SP2 offers this capability. The Windows Firewall is designed to monitor and control inbound network traffic only. It does not provide outbound traffic protection, intrusion detection and response, or privacy controls, all of which are critical to securing your computer from outside attacks. The following are features customers will benefit from by installing Windows XP Service Pack 2:

■ Windows Security Center

■ Security software status indicator

■ Network Protection Technologies

■ Changes to the firewall included in Windows XP

The changes integrated by Windows XP SP2 are a positive step by Windows to improve security on this platform. Customers should be encouraged to install this update to improve platform security, but it does not replace any features or security provided by Norton AntiVirus 2006.

Considerations when installing Windows XP SP2 and other Symantec products

Symantec products such as Norton Personal Firewall and Norton Internet Security control all outgoing network traffic. These products alert you to intrusion attempts and automatically block traffic coming from the attacker. In doing this, products such as Norton Personal Firewall protect customers' privacy by filtering confidential information (like phone numbers, credit card numbers, and bank account numbers) and by blocking cookies on a site-to-site basis. This task is very much like the Windows XP SP2 firewall component. Therefore, additional consideration must be given when Norton Personal Firewall and Norton Internet Security are installed on the same platform as Windows XP SP2. Training courses on Norton Personal Firewall and Norton Internet Security cover these challenges in much greater detail. The following Knowledge Base documents also explain this challenge:

■ Windows XP Service Pack 2 and your Norton security products (Document ID: 2004070614110713)

■ Documents about Windows XP Service Pack 2 and Symantec products (Document ID: 2004070708381013)


Windows Security Center

Windows Security Center is a tool designed to indicate the status of the firewall and antivirus software installed on the computer, as well as the status of Microsoft Windows Updates. This tool is designed to present these status reports in a one-window, easily understood interface. The information included is whether antivirus software is installed, and the status of the firewall and Microsoft Updates.

How Norton AntiVirus interacts with Microsoft Security Center

A Norton Windows Management Instrumentation component provides information to the Microsoft Security Center. This Microsoft Security Center component is only in effect when Windows XP Service Pack 2 is installed. The Norton Windows Management Instrumentation component provides the Symantec product status to the Windows Security Center. The Windows Security Center can then display this information correctly in its interface. The Norton Windows Management Instrumentation component is part of the executable Symwsc.exe.

Norton AntiVirus installed files and their responsibilities

The following items are the key components in the interaction between Norton AntiVirus and the Windows Security Center:

■ Symwsc.exe - Symantec Windows Security Service, providing information to the Windows Management Instrumentation

■ Sscnav.dll - Symantec Security Center plug-in for Norton AntiVirus

■ Wschlpr.dll - Allows Norton AntiVirus to integrate its status into the Windows Security Center

■ Sscopts.dat - Stores Windows Security Center options for displaying Norton AntiVirus security status

■ Symwscno.exe - Symantec Windows Security Center user interface component

■ Symscwb.dll - Symantec Security Center helper file


Activity logs

Activity logs provide the ability to see events such as alerts, application activities, and threat activities that occur in Norton AntiVirus 2006. Logs are an excellent troubleshooting tool.

What activity logs do

Activity logs store event data for later viewing. Logging processes start collecting information before the Norton AntiVirus process starts. The following categories of information are stored in Norton AntiVirus 2006 logs:

■ Symantec Resource Protection activities
    ■ Alerts

■ Internet Worm Protection activities
    ■ Connections
    ■ Activities
    ■ Worm detection
    ■ System
    ■ Alerts

■ Norton AntiVirus activities
    ■ Threat alerts
    ■ Application activities
    ■ Alerts

Activity log files and services

The following items are the key components in the operation of the logging functions:

■ Statushp.dll - The Norton AntiVirus status helper module. Manages waiting event threads.

■ Navstats.dll - The Norton AntiVirus status object. Manages all events.

■ Avvirus.log - Stores threat alert data

■ Avapp.log - Stores application activity data

■ Averror.log - Stores application error data

■ ccApp - The common client user session

■ ccSettings - Common client settings manager


Security Risk detection

The purpose of expanded threat detection is to accurately alert users about the different types of threats that are found during a scan. Security Risk alerts include:

■ Viruses identified, repaired, or quarantined

■ Instant messenger protection alerts

■ Email protection alerts

■ Manual scan alerts

■ Context/shell extension scan alerts

What Security Risk detection does

Expanded threat detection works in the same way as other Norton AntiVirus detections, with Auto-Protect and manual scans detecting expanded threats as well as viruses, worms, and Trojan horses.

Security Risk detection

Security Risk Detection (formerly known as Expanded Threat Detection) uses definitions of known threats. Definitions of these threats are kept current through LiveUpdate.

Security Risk exclusions

Norton AntiVirus 2006 includes the ability to exclude threats. Spyware has always been difficult to define, and therefore there are many times when Security Risk Detection will detect something as spyware while a user considers it legitimate software. This resulted in frustration on the part of users, and exploitation on the part of spyware developers. As a result, the Security Risk exclusion engines have been rewritten to support anomaly-based exclusions. This means that in addition to excluding a specific file or path, the entire spyware risk can be added via a master list of all security threats. The diagram below shows the options for configuring exclusions:


The diagram below shows the option to add an exclusion via an updated master list:

The diagram below shows the option to add an exclusion by browsing:


Common Error Display

The Common Error Display allows Symantec products to share error displays between products. The Common Error Display can often identify the issue and provide a link to a Symantec Knowledge Base document in the error message, thus giving a solution to the issue. The Common Error Display performs the following:

■ Uniquely identifies each error displayed to the user

■ Makes all errors appear with a uniform display to the user

■ Replaces script errors with the new common error display

Figure 3-6 Common Error Display decision tree


How the Common Error Display works

The Common Error Display is designed to allow Symantec shared products to share error displays. It also provides a method of effectively directing customers to the correct answer for their issue. Figure 3-6 describes the process of directing customers to logical support options with the goal of helping them resolve their problem.


Common Client

The Common Client is a central control for modules and settings for Norton AntiVirus as well as many other Symantec products. This module provides a central client for many Symantec products. The following items are the key components in the interaction between Norton AntiVirus 2006 and the Common Client module:

■ ccApp.dll - Common Client application agent

■ NAVProd.dll - Norton AntiVirus plug-in module

■ Defalert.dll - Definitions agent

■ NavApw32 - Auto-Protect module

■ ccIMscan.dll - Instant Messenger scanner module

■ ccEmlPxy.dll - Email proxy module

■ ccRegMon.dll - Registry monitor

The interaction between modules and the Common Client can be important in troubleshooting issues. Figure 3-7 illustrates the dependencies that the Common Client has in Norton AntiVirus 2006.

Figure 3-7 Common Client dependencies in Norton AntiVirus 2006

Summary

In this unit we have covered the following:

■ Defined the components and features of Norton AntiVirus 2006

■ Detailed modules in Norton AntiVirus 2006 and how they interact

■ Defined the logic behind troubleshooting some of these components


Unit 4

Internet Worm Protection

Overview

Description Internet Worm Protection prevents network worms and other Internet threats from attacking your computer. A worm is similar to a virus, but is a self-contained program that can replicate itself over a computer network. Internet Worm Protection can detect and protect customers from worm viruses before they infect the customer's computer.

Objectives

After you complete this unit, you will be able to do the following:

■ Understand the main methods of Internet Worm Protection

■ Describe how the main methods of Internet Worm Protection work

■ Configure Internet Worm Protection

■ Troubleshoot Internet Worm Protection


Internet Worm Protection overview

Norton AntiVirus 2006 Internet Worm Protection uses several methods to protect customers from these threats. The list below describes these methods as well as what they do:

■ Port blocking - Monitors the behavior of outgoing network traffic to establish whether an incoming connection is suspicious.

■ Trojan horse detection - Determines whether a connection is being attempted on a port that is commonly used by Trojan horse applications. If the connection matches a Trojan horse rule, Internet Worm Protection issues an alert.

■ Auto blocking - Blocks repeated Internet attacks. When Internet Worm Protection detects an attack, it automatically blocks any further communication from the attacker's computer. The attacker's IP address is blocked for 30 minutes. Internet Worm Protection lets you manually remove an attacker's IP address from the list at any time.

■ General rules - Uses a set of rules to monitor and handle all traffic and applications on the network. These rules control how Internet Worm Protection guards your computer from malicious incoming traffic, programs, and Trojan horses. Internet Worm Protection should provide adequate protection for most users. If the default protection is not appropriate, you can add, modify, or remove rules in the rules wizard.

■ Traffic analysis - Monitors network traffic for malicious activity. If such activity is detected, Internet Worm Protection blocks the traffic, logs the event, and issues an alert.

■ Exploit detection - Prevents another computer from exploiting bugs in your computer's software. Worms use these bugs to transfer infected files onto your computer.

■ Threat level - Scans an application for known viruses, and determines whether a program is malicious.

How Internet Worm Protection works

This section details the functionality of the Internet Worm Protection feature in Norton AntiVirus 2006.

Event types

Internet Worm Protection differs from Norton Personal Firewall in that Norton Personal Firewall includes more features, such as enhanced logging abilities, Home Networking, and so forth. Internet Worm Protection handles the following event types:

■ Listen events - Listen events are triggered when an application opens a port for “listening”. Examples are FTP and web servers, and multiplayer Internet games.
■ IP traffic events - IP events are triggered by incoming traffic to open ports. Usually a listen event is generated before the traffic is received, so the user has already permitted or blocked the application. However, IP events can occur in cases where the agent wasn’t running when the application tried to listen. This frequently happens at system startup.
■ Trojan horse (security alert) events - Trojan horse events are generated when an application tries to open a port for listening that is known to be commonly used by Trojan horse applications. The traffic matches a Trojan horse rule that is installed on the machine and creates a specific event type. Users can also make their own firewall rules that can generate these events. Both event types are generically called security alerts and are handled in the same way.
■ IDS events - If traffic analyzed by the IDS engine is determined to be malicious, the traffic is blocked and an IDS event is triggered.

Internet Worm Protection files and services

The following is a list of the files that are associated with Internet Worm Protection, as well as their functions.

■ IWP agent (Iwp.dll) - The IWP agent is a ccApp plug-in that connects to SymFirewallAgent and IDS, monitors for subscription changes, monitors for IDS updates, and implements the IWP alerting logic. The alert logic component integrates the SymFirewallAgent, ALE engine, Threat Level and the Alert UIs together. Note: The IWP agent is a ccApp (Common Client) plug-in and as such is dependent on Common Client loading.
■ Navprod.dll - The Norton AntiVirus product plug-in is a ccApp product plug-in that makes sure Iwp.dll is loaded, but only if it is installed. Note: The Norton AntiVirus product plug-in is a ccApp (Common Client) plug-in and therefore is dependent on Common Client loading.
■ Symfwagt.dll - The Symantec Firewall Agent.
■ AutoBlock - Prevents the user’s machine from being flooded by attacks from one machine. When we detect an attack from the network we can add the attacker’s IP to a list that the firewall will automatically reject. The IP will remain in this list for a predetermined amount of time (30 minutes). After that time AutoBlock removes it from the list and we will allow traffic from that IP again.
■ ccAle.dll - The Symantec Application Lookup Engine.
■ ccFwsetg.dll - The Symantec Firewall Settings Engine.
■ ccRuleio.dll - The Symantec Firewall Rules Engine.
■ Npfmntor.exe - The Norton AntiVirus Firewall Install Monitor.
■ Tlevel.dll - Responsible for determining the threat level of a file.
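The AutoBlock behaviour described under Auto blocking and in the AutoBlock entry above, modelled as an added example (not Symantec code): the list of attacker IPs the firewall rejects, the 30-minute expiry, and manual removal. The event stream, the addresses and the "attack"/"traffic" event kinds are constructed for the example, and times are plain seconds so the run is deterministic.

```python
"""Model of the AutoBlock list kept by Internet Worm Protection (added example)."""

BLOCK_SECONDS = 30 * 60  # the unit states an attacker IP stays listed for 30 minutes


class AutoBlockList:
    """IPs the firewall rejects outright until their block lapses."""

    def __init__(self, block_seconds=BLOCK_SECONDS):
        self.block_seconds = block_seconds
        self._expiry = {}  # attacker IP -> time at which the block lapses

    def attack_detected(self, ip, now):
        """An IDS or Trojan-rule event named this IP as an attacker: (re)start its block."""
        self._expiry[ip] = now + self.block_seconds

    def is_blocked(self, ip, now):
        """True while the block is current; a lapsed block is dropped and traffic allowed again."""
        expiry = self._expiry.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self._expiry[ip]
            return False
        return True

    def unblock(self, ip):
        """Manual removal from the list, which the unit says the user can do at any time."""
        return self._expiry.pop(ip, None) is not None

    def listed(self, now):
        """Currently blocked IPs, after purging lapsed entries."""
        return sorted(ip for ip in list(self._expiry) if self.is_blocked(ip, now))


def process_events(events, block_seconds=BLOCK_SECONDS):
    """Run a stream of (time, src_ip, kind) through the agent and return one decision per event.

    kind is "attack" for traffic the IDS engine judged malicious, or "traffic"
    for ordinary inbound traffic (constructed event kinds for this example).
    """
    autoblock = AutoBlockList(block_seconds)
    decisions = []
    for now, ip, kind in events:
        if autoblock.is_blocked(ip, now):
            decisions.append((now, ip, "rejected: AutoBlock"))
        elif kind == "attack":
            autoblock.attack_detected(ip, now)
            decisions.append((now, ip, "blocked: attack, IP added to AutoBlock"))
        else:
            decisions.append((now, ip, "allowed"))
    return decisions


# Constructed sample event stream (times in seconds, addresses are made up).
SAMPLE_EVENTS = [
    (0, "192.0.2.10", "attack"),
    (5, "192.0.2.10", "traffic"),     # still blocked
    (5, "192.0.2.20", "traffic"),     # unrelated host, allowed
    (1799, "192.0.2.10", "traffic"),  # one second before expiry, still blocked
    (1800, "192.0.2.10", "traffic"),  # block lapsed, allowed again
]

if __name__ == "__main__":
    for decision in process_events(SAMPLE_EVENTS):
        print(decision)
```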

Configuring Internet Worm Protection

Internet Worm Protection’s default settings for basic inbound port blocking and network monitoring provide reliable network protection against worms and other malicious activity. This section will detail some of the Internet Worm Protection configuration options. Full configuration details are included in the Norton AntiVirus 2006 User’s Guide, the prerequisite reading for this course. Internet Worm Protection includes the following types of rules:

■ Exclusions - Exclude and include worm signatures from detection.
■ Application rules - Control an application’s access to the Internet.
■ General rules - Use rules to monitor network traffic for worms, malicious incoming traffic, programs, and Trojan horses.
■ Trojan rules - Detect varieties of Trojan horses.
■ AutoBlock rules - Block malicious attacks.

Summary

In this unit we covered the following:

■ Describe the main methods of Internet Worm Protection
■ Describe how the main methods of Internet Worm Protection work
■ Configure Internet Worm Protection
■ Describe how to troubleshoot Internet Worm Protection

Unit 5

Generic Side Effects Repair Engine

Overview

Description

The Generic Side Effects Repair Engine was a new feature of Norton AntiVirus 2005 that has been improved for 2006. This feature is designed to remove the side effects of threat attacks in the Windows registry, batch files, startup folder, and ini file formats, as well as memory attacks.

Objectives

After you complete this unit, you will be able to do the following:

■ Describe how the Generic Side Effects Repair Engine handles side effects that are found during scans
■ Describe the registry keys that are cleaned
■ Detail the load points that are cleaned
■ Know what type of information is stored in the Generic Side Effects Repair Engine activity logs
■ Troubleshoot problems with the Generic Side Effects Repair Engine

Manual and preinstallation scans

The scan manager loads a SymInterface Generic Side Effects Repair Engine scanning object (ccGse.dll) and uses the existing scan engine to handle any infections found during a side effects scan. The entire Generic Side Effects Repair Engine scan takes place before any of the detected infections are handled, to ensure all possible side effects for a particular infection are detected. After the Generic Side Effects Repair Engine scan is complete, the side effects and infections are handled. Memory side effects are not automatically handled, since the user needs to be warned before processes are terminated.

Generic Side Effects Repair Engine scans start in the background when new virus definitions are downloaded. The user interface is displayed only if an infection is detected. There is an option to disable this functionality on the LiveUpdate panel of Options.

In the Common UI all side effects and their current state are reflected in the filename tooltip box that is displayed when the filename column is clicked.

Quarantine records all successfully removed registry and file side effects for an infected item. If the item is repaired and restored, the side effects are restored as well. The user is able to see the side effects by going to the properties of an item in the Quarantine console and clicking on the new Side Effects panel.

There is a flag in the engines that can be set by the virus definitions to indicate that a side effect removal should not be attempted. This flag is exposed via ccScan. If this flag is detected, the side effects for the infection will be left alone. The item will be displayed in a separate UI that informs users they need to download the fix tool to remove this infection.

Generic Side Effects Repair Engine files and services

The table below lists the core files used by the Generic Side Effects Repair feature.

Table 5-1 GSER files

File name      Description
ccGser.dll     Generic Side Effects Repair scanning engine
ccScan.dll     Common Client scan engine
Probegse.dll   Generic Side Effects Repair scanner
Spbbcdrv.sys   Generic Side Effects Repair driver

Load points cleaned

The following is a list of the common load points that are cleaned by the Generic Side Effects Repair Engine.

Registry keys

■ HKEY_USERS\<UserID>\Software\Microsoft\Windows\CurrentVersion\Run
■ HKEY_USERS\<UserID>\Software\Microsoft\Windows\CurrentVersion\RunOnce
■ HKEY_USERS\<UserID>\Software\Microsoft\Windows\CurrentVersion\RunServices
■ HKEY_USERS\<UserID>\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
■ HKEY_USERS\<UserID>\Software\Microsoft\Windows NT\CurrentVersion\Windows
■ HKEY_USERS\<UserID>\Software\Mirabilis\ICQ\Agent\Apps
■ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
■ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
■ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
■ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
■ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
■ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
■ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
■ HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
■ HKEY_LOCAL_MACHINE\Software\Classes\<extension>file\shell\open\command

Startup folder

The following items are part of the startup folder load points.

■ C:\Documents and Settings\All Users\Desktop\Startup
■ C:\Documents and Settings\All Users\Desktop\Startup\Launch.bat

.ini files

The following ini files are also checked as load points.

■ C:\Windows\System\Win.ini
■ C:\Windows\System\System.ini
■ C:\Windows\System\Wininit.ini

Processes

Processes that are terminated by the Generic Side Effects Repair Engine are treated differently from effects at the load points. Users are prompted to stop the processes so that they know which programs are being stopped.
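An added example, not Symantec code, that enumerates the entries sitting at the registry and .ini load points listed above from a regedit export and ini text, so an analyst can review what will start with the system. The .reg contents, paths and SID are constructed; which ini keys count as load points (load=, run=, shell=, and the [rename] section) is standard Windows behaviour rather than something this unit states, and the temporary-folder flag is a simple analyst heuristic, not GSER logic.

```python
"""Enumerate the autostart load points that the Generic Side Effects Repair Engine cleans (added example)."""
import re

RUN_FAMILY = "Run|RunOnce|RunOnceEx|RunServices|RunServicesOnce"
# Registry load points from this unit. <UserID> is any loaded user hive, so it
# is matched with a wildcard; Services has one subkey per service.
LOAD_POINT_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^HKEY_USERS\\[^\\]+\\Software\\Microsoft\\Windows\\CurrentVersion\\(" + RUN_FAMILY + r")$",
    r"^HKEY_USERS\\[^\\]+\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows$",
    r"^HKEY_USERS\\[^\\]+\\Software\\Mirabilis\\ICQ\\Agent\\Apps$",
    r"^HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\(" + RUN_FAMILY + r")$",
    r"^HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\(Windows|Winlogon)$",
    r"^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\[^\\]+$",
    r"^HKEY_LOCAL_MACHINE\\Software\\Classes\\[^\\]+file\\shell\\open\\command$",
)]
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)  # simple analyst heuristic, not GSER logic
INI_LOAD_POINTS = {  # Win.ini load=/run=, System.ini shell=, every Wininit.ini [rename] entry
    "win.ini": ("windows", {"load", "run"}),
    "system.ini": ("boot", {"shell"}),
    "wininit.ini": ("rename", None),
}

def _unescape(text):  # undo .reg string escaping of backslashes and double quotes
    return text.replace('\\"', '"').replace("\\\\", "\\")

def is_load_point(key):
    return any(p.match(key) for p in LOAD_POINT_PATTERNS)

def parse_reg_export(text):
    """Return (key, value_name, data) for string values under the monitored load points."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            continue
        if current is None or not is_load_point(current):
            continue
        value_match = VALUE_RE.match(line)
        data = value_match.group("data") if value_match else ""
        if not (data.startswith('"') and data.endswith('"')):
            continue  # no match, or dword:/hex: data that is not a command line
        name = "(Default)" if value_match.group("default") else _unescape(value_match.group("name"))
        entries.append((current, name, _unescape(data[1:-1])))
    return entries

def parse_ini_load_points(filename, text):
    """Return (filename, key, value) for the load-point keys of one .ini file."""
    section, keys = INI_LOAD_POINTS[filename.lower()]
    found, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == section
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value and (keys is None or key.lower() in keys):
            found.append((filename, key, value))
    return found

def flag_suspicious(entries):
    """Entries whose command runs from a temporary folder deserve a closer look."""
    return [e for e in entries if TEMP_DIR_RE.search(e[2])]

# Constructed sample inputs (paths and SID are made up for this example).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"updater"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\updater.exe"
[HKEY_USERS\S-1-5-21-1000-1001-1002-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="C:\\temp\\cleanup.bat"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"AutoRestartShell"=dword:00000001
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\System\\helper.exe\n[fonts]\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n[386Enh]\n"

def review_load_points():
    """All load-point entries found in the samples, plus the ones the heuristic flags."""
    entries = parse_reg_export(SAMPLE_REG)
    entries += parse_ini_load_points("win.ini", SAMPLE_WIN_INI)
    entries += parse_ini_load_points("system.ini", SAMPLE_SYSTEM_INI)
    return entries, flag_suspicious(entries)
```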

Generic Side Effects Repair Engine activity logs

Side-effect actions are logged to the activity logger under the Threat Alerts category. Process terminations are logged under the Application category. ccLgview.exe is the Common Client file that is responsible for all activity log views. Processes that are terminated are also logged in the PC’s application log.

Summary

In this unit we have covered the following:

■ How the Generic Side Effects Repair Engine handles side effects that are found during scans
■ The registry keys that are cleaned
■ The load points that are cleaned
■ What type of information is stored in the Generic Side Effects Repair Engine activity logs
■ Troubleshoot problems with the Generic Side Effects Repair Engine

Unit 6

Behavior Blocking (SymProtect)

Overview

Description

Many computer viruses attack security software to prevent detection or removal. These threats are known as retroviruses. These programs terminate processes, delete files, or remove registry keys in an attempt to prevent the user from responding to the threat. To counter this threat, Symantec Consumer products include Behavior Blocking (known as SymProtect) to protect our software from attacks.

Objectives

After you complete this unit, you will be able to do the following:

■ Understand what SymProtect does
■ Discuss how SymProtect works
■ Identify and use SymProtect logs

SymProtect overview

SymProtect is a technology which prevents modification or deletion of Symantec files, processes, and registry keys by unauthorized applications. To avoid interfering with normal operations, such as backup, SymProtect does not prevent the reading of our files and registry keys associated with our assets. Authorized applications have full access, so they do not require any changes to continue to work.

In order to be protected by SymProtect, a Symantec application provides a list of files and registry keys that are to be protected. Any .exe file that carries a Symantec digital signature is automatically protected. When SymProtect is activated, it prevents any unauthorized application from modifying or deleting any of these protected resources. There are a number of ways that an application can be authorized to make changes. The following authorization methods are used by Norton AntiVirus 2006:

■ Digitally signed by Symantec - Applications which are signed with a Symantec digital signature are free to access all protected assets. This covers a great deal of legacy products, since we have been signing binaries for a while. Intelligent Updaters are signed. All fix tools should also be signed.
■ Running from a preregistered path - An administrator can preconfigure a path, or set of paths, such that applications that run from those locations are authorized. This might be a network share location, or a location on the local disk to which software is delivered.
■ Possessing a preregistered name - The product can register the name of the authorized software, such as System Restore or the Windows XP Backup program, %SystemRoot%\System32\Ntbackup.exe.

How SymProtect works

Manifest files

In order for SymProtect to protect resources, their names need to be listed in an encrypted XML file known as a manifest. Items to exclude from protection are also listed in the manifest. There are separate manifest files for directories and named kernel objects. Figure 6-1 is an example of an XML manifest that details some of the directories SymProtect will protect.

Figure 6-1 Sample manifest file

SymProtect Logic Flow

SymEvent is a kernel mode process. The kernel is the core of the operating system. It is the piece of software responsible for providing secure access to the machine's hardware and to various computer processes. Most applications do not run in kernel mode. SymEvent can intercept calls to and from the applications and the kernel. Figure 6-2 illustrates SymProtect logic flow in Norton AntiVirus.

Figure 6-2 SymProtect Logic Flow

SymProtect files

Table 6-1 lists the core SymProtect files.

Table 6-1 SymProtect files

File name      Description
Spbbcdrv.sys   SymProtect driver
Spbbcevt.dll   Handles SymProtect events
Spbbcsvc.exe   Responsible for the SymProtect service
Updmgr.exe     Handles SymProtect updates

Ways to Authorize an Application

Digitally signed by Symantec

■ Covers a great deal of legacy products
■ Intelligent Updaters are signed
■ All fix tools will be signed

Run from a pre-registered path

Possess a pre-registered name

Log Viewer

The events below are shown in the Norton AntiVirus 2006 log pertaining to SymProtect:

Event and field description

■ Time - Date/time the event occurred
■ Actor - Cause of the event, with full path
■ Target - Process name and ID, full path, registry key/value, or kernel object name
■ Action - Displays “Unauthorized access” entries
■ Reaction - Displays whether unauthorized access was successfully blocked
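An added example, not Symantec code, that parses the five fields above from an exported log and summarises unauthorized access attempts per actor, picking out any that were not blocked and any actor that went after several protected assets, the pattern the retroviruses described in this unit show. The tab-separated layout, paths, PID and key name are constructed, since the unit does not show the real export format.

```python
"""Summarise the SymProtect entries of a Norton AntiVirus 2006 log export (added example)."""
from collections import Counter

# The five log viewer fields from this unit, in the order the constructed export places them.
FIELDS = ("time", "actor", "target", "action", "reaction")


def parse_symprotect_log(text):
    """One dict per tab-separated line; comment and malformed lines are skipped, not guessed at."""
    events = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        parts = [p.strip() for p in raw.split("\t")]
        if len(parts) != len(FIELDS):
            continue
        events.append(dict(zip(FIELDS, parts)))
    return events


def summarize(events):
    """Unauthorized-access attempts per actor, the assets each actor touched, and what got through."""
    unauthorized = [e for e in events if e["action"].lower() == "unauthorized access"]
    by_actor = Counter(e["actor"] for e in unauthorized)
    targets = {}
    for e in unauthorized:
        targets.setdefault(e["actor"], set()).add(e["target"])
    # Reaction records whether the access was blocked; anything else means the asset was touched.
    not_blocked = [e for e in unauthorized if not e["reaction"].lower().startswith("blocked")]
    return {
        "by_actor": dict(by_actor),
        "targets": {actor: sorted(assets) for actor, assets in targets.items()},
        "not_blocked": not_blocked,
    }


def repeat_offenders(summary, min_targets=2):
    """Actors that went after several protected assets (processes, files, registry keys)."""
    return sorted(a for a, t in summary["targets"].items() if len(t) >= min_targets)


# Constructed sample export (paths, PID and key name are made up for this example).
SAMPLE_LOG = "\n".join([
    "# time\tactor\ttarget\taction\treaction",
    "2005-09-02 10:14:03\tC:\\WINDOWS\\Temp\\updater.exe\tProcess ccApp.exe (PID 1204)"
    "\tUnauthorized access\tBlocked",
    "2005-09-02 10:14:03\tC:\\WINDOWS\\Temp\\updater.exe\tHKEY_LOCAL_MACHINE\\SOFTWARE\\Symantec\\SampleKey"
    "\tUnauthorized access\tBlocked",
    "2005-09-02 10:14:04\tC:\\WINDOWS\\Temp\\updater.exe\tC:\\Program Files\\Norton AntiVirus\\Navapsvc.exe"
    "\tUnauthorized access\tNot blocked",
    "2005-09-02 10:14:05\tC:\\WINDOWS\\Temp\\updater.exe\ttruncated line",
])


def review_sample():
    """Summary of the constructed export plus the actors that hit several assets."""
    summary = summarize(parse_symprotect_log(SAMPLE_LOG))
    return summary, repeat_offenders(summary)
```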

Summary

In this unit we have covered the following:

■ Understand what SymProtect does
■ Discuss how SymProtect works
■ Read SymProtect logs

Unit 7

Improvements to the user interface

Overview

Description

The Norton AntiVirus 2006 user interface contains much the same functionality as in the previous version. Some changes have been made, however, that will enhance the user experience and provide added safety. This unit addresses those features.

Objectives

After you complete this unit, you will be able to do the following:

■ Understand the new features of the Norton AntiVirus user interface
■ Recognize the screens of the Norton AntiVirus user interface
■ Use the Norton System Console

New user interface features

The main status pane of Norton AntiVirus 2006 includes the biggest change users can expect. If all the status items are within accepted parameters, the main status pane will appear green instead of yellow.

User interface emphasis and prioritization

Emphasis in the user interface is placed on items that are in violation or are in danger of becoming so. For instance, if a full system scan has not recently been performed, the user interface turns yellow and emphasis is placed on that feature.

If items are in violation, such as when a subscription has expired, the user interface turns red and emphasis is placed on that feature.

Norton Protection Center

Norton Protection Center is the latest revision of the Symantec Security Console. This is version 1.0 of the Protection Center.

Norton Protection Center Images

The following images detail various screens from the Norton Protection Center.

Main UI:

Mini UI:

Norton Protection Center Components

■ Norton Protection Center Client - The Norton Protection Center Clients are created within the context of a particular Windows and Norton user. They query the Norton Protection Center Server for the pertinent content to be displayed, apply a layout and a skin, and then display the content to the user.
■ Norton Protection Center Server - The Norton Protection Center Server is responsible for managing the various features and products, and for distributing that information as appropriate to each connected client.
■ Base Products - The base products consist of all the existing Symantec products.

Under the hood

Figure 7-1 Components of Norton Protection Center

Summary

In this unit we have covered the following:

■ Understand what SymProtect does
■ Discuss how SymProtect works
■ Identify and use SymProtect logs

Unit 8

Troubleshooting Norton AntiVirus 2006

Overview

Description

This unit focuses on troubleshooting Norton AntiVirus 2006. In this unit we describe the steps necessary to isolate and correct issues with this release of the product.

Objectives

After you complete this unit, you will be able to do the following:

■ Troubleshoot Norton AntiVirus 2006 components

Basic troubleshooting logic

You should consider the dependencies (operating system and other Symantec modules) to be the points of failure. Knowledge of how to step through the program sequentially, and validation of the dependencies, are the most effective ways to isolate issues. Here is an example of logical isolation of a problem. If a customer is faced with a persistent but non-specific Auto-Protect error, you should consider the following. What enables Auto-Protect to function in real time?

■ Symevent (Symantec Event Manager) works as a file filter for all I/O activity to the CPU. When Symevnt traps an I/O request, it talks to ccEvntmgr, which is loaded as a service. The event manager looks for subscribers (any products that are registered with ccApp) to send notice of the event. In this case, the product DLL is registered and has loaded the scan manager (Scanmgr.dll) to manage the event.
■ The scan manager determines if the file is compressed, and then asks Auto-Protect to scan the file. If the file is compressed, both the asynchronous scanner and the decomposer are called. The scanners use the virus definition file that is defined in the registry (HKEY_LOCAL_MACHINE\Software\Symantec\Shared Defs\...) or by Usage.dat.
■ If the file is infected, the result occurs based on options (ccSetmgr, Navopts.dat). If the option is to display something to the user, ccAlert creates the alert.
■ After the user interacts with the message, it is returned to the scan manager, to ccSetmgr, and to ccEvntmgr. If the program file that is handling the event is also supposed to log the activity, a log is created for the event.

Since there are many factors in this example—any of them potentially failing—it is important to know what succeeded and what did not. You can isolate the components somewhat and test them on their own; for example, scanning a file with the manual scanner would validate the integrity (to some extent) of the definitions, the scan manager, options, and the Common Client components. In performing a simple manual scan check, you can isolate and possibly eliminate a significant number of Auto-Protect dependencies. All of the modules that are included in Norton AntiVirus 2006 can be looked at in a similar fashion. Isolating the components of each module can effectively determine the cause of most issues.

Removing Norton AntiVirus 2006

This section was intended to include a detailed description of a complete uninstallation of Norton AntiVirus. Given the sensitive nature of Digital Rights Management, and the tamper resistance of SymProtect, the following points to remember will suffice:

■ Always use the Add/Remove Programs list first - The Windows Installer (MSI) will remove the proper registry keys, files, directories, and services to uninstall Norton AntiVirus 2006. Always try this method before moving on.
■ Digital Rights Management - All of the Digital Rights Management keys are encrypted, so they aren’t readily apparent to inspection. Also, removal of or tampering with them results in a loss of Digital Rights Management functionality. This is important to a user who intends to reinstall Norton AntiVirus, because they will need to contact support to reactivate the product.

Troubleshooting product modules

When troubleshooting Norton AntiVirus, it is imperative to look at the items below corresponding to the proper product module:

Auto-Protect

Before troubleshooting Auto-Protect you should make sure the following items are in place.

■ Verify that Auto-Protect is enabled within Norton AntiVirus.
■ Verify that the Auto-Protect service (Navapsvc) is enabled and started.
■ Test Auto-Protect with the Eicar.com virus test file. This file is available at http://www.eicar.org/anti_virus_test_file.htm

Error: “Norton AntiVirus has encountered an internal program error” (4002, 519, 517)

To confirm that the Norton AntiVirus program files are set to load on startup

1  Click Start > Run. In the Open box, type MSCONFIG and click OK.
2  In the System Configuration Utility, click the Startup tab.
3  Verify that the following items are checked:
   ■ ccApp, ccEvtMgr, ccSetMgr
   ■ Symantec Core LC (You will not see this entry if you have a non-English version of Norton AntiVirus.)
4  If any of the entries listed above are unchecked, check them. (If any of those entries are missing, it indicates that Norton AntiVirus was not installed successfully. If you see this, go on to the section “To remove and reinstall Norton AntiVirus” and follow the instructions.)
5  Verify that the following items are checked: SYMEVNT, SYMTDI, SAVRTPEL and SAVRT. If any of these entries are unchecked, check them. (If any of these entries are missing, it indicates that Norton AntiVirus was not installed successfully.)
6  Click Apply and OK.
7  Restart the computer. If you continue to see the error message, go to the next solution.

To re-install the Symantec shared files (Symevent)

1  Download the Symevent installer file Sevinst.exe.
2  When prompted, select “Save this Program to Disk,” and then select drive C as the download location.
3  Click Save. Click Close if prompted.
4  Click Start > Run. Type C:\sevinst.exe /r in the Open line, and then click OK.
5  Close all programs, and then restart the computer. If you continue to see the error, then the next option would be to uninstall and reinstall Norton AntiVirus.

Email protection

The most common symptom of a problem with Norton AntiVirus email scanning protection is that users are unable to send email. This symptom can be quickly isolated from a normal email connectivity issue by temporarily disabling Norton AntiVirus email scanning and verifying that the user can send messages directly back to their own email address. To troubleshoot email protection you should make sure the following items are in place.

■ To test email antivirus protection, send the Eicar.com virus test file as an attachment in an email message. This file is available at: http://www.eicar.org/anti_virus_test_file.htm

Given an “ERROR” in the NAV System Status screen while using the email program, do the following:

1  Run LiveUpdate.
2  Turn Auto-Protect off, then on again.
3  Make sure that all Symantec services are loading at startup and resend the test message.
4  If the problem persists in a re-test, uninstall and reinstall Norton AntiVirus.

Given an error in the email client:

1  Verify that your email settings in Outlook or Outlook Express are configured correctly.
2  Contact your Internet Service Provider (ISP) if you require help configuring your outgoing (SMTP) and incoming (POP3) email settings with the current ISP address. This can happen if your firewall settings have been set to block all traffic for Norton AntiVirus, Outlook or Outlook Express. If Norton Personal Firewall or Norton Internet Security is installed, then Norton AntiVirus (ccApp.exe) is allowed by default. Read the section “Settings in NIS or NPF” in the document Error: “Your server has unexpectedly terminated the connection...” in Outlook Express for instructions on how to configure Outlook or Outlook Express. If you are using a firewall program from another company, then consult your software documentation or their technical support site for information on how to configure the program to give the following files Internet access:
   ■ Outlook Express: Msimn.exe
   ■ Outlook: Outlook.exe
   ■ Norton AntiVirus: ccApp.exe

Email program is set to hang up after sending

Customers can isolate this issue by verifying that their email program is not set to hang up after sending. This error message can appear if one of these email programs is configured to hang up after sending or receiving email. Programs that are known to have this setting are:

■ Microsoft Outlook 2000, XP
■ Microsoft Outlook Express 5.0, 6.0

Other email programs may do this as well. If you are using a different email program, please read that program's documentation.

To set Outlook 2000 so that it does not hang up after sending email

1  Open Outlook 2000 and in the Tools menu, click Options.
2  On the Mail Delivery tab, uncheck the Hang up when finished sending, receiving, or updating check box and click OK.
3  Close all running programs, and then restart the computer.
4  Resend email. If the problem continues to happen, verify that the Windows temporary folder is configured correctly.

To set Outlook XP so that it does not hang up after sending email

1  Open Outlook XP and in the Tools menu, click Options.
2  On the Mail Setup tab, uncheck the Hang up when finished with a manual Send/Receive check box and click OK.
3  Close all running programs, and then restart the computer.
4  Resend email. If the problem continues to happen, verify that the Windows temporary folder is configured correctly.

To set Outlook Express 5.0 or 6.0 so that it does not hang up after sending email

1  Open Outlook Express and in the Tools menu click Options.
2  On the Connection tab, uncheck the Hang up after sending and receiving check box and click OK.
3  Close all running programs, and then restart the computer.
4  Resend email. If the problem continues to happen, verify that the Windows temporary folder is configured correctly.

Clearing an item hung in temporary files and folders

Customers can also experience these symptoms if a message is hung in the temporary folder. This can occur from a corrupt message item or application error. The following steps can also provide a workaround that allows you to clear out problems after disabling the scanner.

To clear and delete temporary files and folders

1  Exit all programs. If you are reading this document on the Web, you may leave your Web browser open.
2  On the Windows taskbar, click Start > Run. In the Run dialog box, enter the following text: %temp% and click OK. The current user's Temp folder opens in Windows Explorer.
3  On the Edit menu, click Select All and press the Delete key. If you are asked to confirm the deletion, click Yes.
4  Temporarily disable your firewall, and try to send an email message. If you can send email, then a firewall rule is blocking Internet access by one or more of the Norton AntiVirus components.
5  Disable email scanning, send the problem email and then restart email scanning.

Temporarily disable email scanning and send a problem message

In some special cases you may wish to temporarily disable scanning to allow a message to be sent or received. These steps should be used with the greatest care because they allow unscanned messages and attachments to be sent or received.

To temporarily disable email scanning and send a problem email

1  Run LiveUpdate to make sure that you have the most recent virus definitions. Close your browser to disconnect from the Internet.
2  If you are using Microsoft Outlook or Outlook Express, then turn off the preview pane option. In Microsoft Outlook, on the View menu, uncheck Preview Pane. In Outlook Express, on the View menu, click Layout, and uncheck Show Preview Pane. Close any email programs that are open.
3  Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton Internet Security or Norton SystemWorks, then start that program.
4  Click Options, Norton AntiVirus and Email. Uncheck Scan incoming Email and Scan outgoing Email.
5  If you are prompted to verify that your email program is not running, then click OK.
6  Click Options, and then click Auto-Protect. Make sure that “Start Auto-Protect when Windows starts up (recommended)” and “Enable Auto-Protect (recommended)” are selected. If they are selected, click OK, and then exit Norton AntiVirus. If they are not selected, then select each entry, click OK, exit Norton AntiVirus, and then restart the computer.
7  Start your email program, and then send your email. If you have a great deal of unprocessed email, this may take longer than usual.
8  When you are finished processing your email, close the email program, and then run a full system scan.
9  When the scan completes and you are sure that your computer is not infected, follow steps 4 to 7 to re-enable email scanning.

Instant messenger protection

Before troubleshooting instant messenger protection, make sure the following items are in place:

■ To test instant messenger protection, send Eicar via an instant message to verify that instant messenger protection is working.

■ Verify that instant messenger protection is enabled for the particular client type.

Troubleshooting items:

1

Disable Norton AntiVirus Instant Messenger scanning to stop the error message

2

Update to the newest version of the IM client

3

Make sure that ccApp (ccIMSCAN.dll is the problem file) is loaded at startup

4

Re-enable IM scanning


Unit 8

Troubleshooting Norton AntiVirus 2006

Scans

If a manual scan fails or continuously scans the same directory, rescan smaller volumes of files using the right-click context scanner. This allows you to identify a problematic file or folder through the process of elimination. After you find the problematic file or directory, verify that system and administrator access are full with no denies.

■ Verify that the problematic file or directory is not encrypted or password-protected. Either of these conditions will cause problems for the decomposer.

Troubleshooting items:

1

Run LiveUpdate

2

Delete all of the files from the windows temporary folder

3

Disable the MS Office plug-in

4

Verify that NAV files are not running in compatibility mode (Windows XP)

5

Exclude compressed files from the scan (AutoProtect will scan them when they are accessed)

6

If the problem persists, the next available option is to uninstall and reinstall the product.

Decomposer

■ Once the problematic packaged file is found, verify that system and administrator access are full with no denies.

■ Verify that the problematic file or directory is not encrypted or password-protected. Either of these conditions will cause problems for the decomposer.

■ Verify that all compressed files can be opened by the operating system or WinZip and scanned by Norton AntiVirus. If a file cannot be scanned successfully, it should be submitted to Symantec Security Response.

Quarantine

■ Verify that the definitions for quarantine exist within the Usage.dat file. If they do not, an error will occur when opening quarantine.

■ If there are problems displaying the contents of quarantine, you can access them directly through Windows Explorer. The contents are encrypted, but you can see whether files exist or whether quarantine is empty. If there are files, you can delete them using Explorer; you should then be able to open quarantine within Norton AntiVirus.

Microsoft Office plug-in

■ You should disable the Microsoft Office plug-in if you suspect that it is causing problems with Word, Excel, PowerPoint, and so forth. You can do this on the Norton AntiVirus Options menu.

■ If you uninstalled Norton AntiVirus, you can unregister and rename the Officeav.dll file to ensure that the plug-in is not causing a problem.


Common Error Display

■ Make sure that the standard Common Client services are running.

■ To test the Common Error Display, stop the Auto-Protect service (Navapsvc) and try to enable Auto-Protect through the interface.

■ To use CED to troubleshoot issues, click the link and follow the instructions in the KB document.


Troubleshooting install scenarios

The following items define some steps in troubleshooting or correcting install issues and problems:

Unsuccessful install attempt indicators

When troubleshooting an installation, it is best not to assume that the installation is clean: you may be guiding a customer through an install on a computer that still has remnant fragments of an unsuccessful install. The following scenario describes error messages and file indications that confirm this possibility.

Error: “Install has failed (9999,171)” when attempting to install your Symantec product

What to look for:

1

A copy of the installation log file

2

Information about previous versions of Symantec Software that were installed on the computer

3

A list of Symantec products that are installed on the computer

4

Information about which items load at start-up

5

Information related to the computer’s configuration

Uninstall the previous version

If you have a previous version of your Symantec product on your PC, uninstall it via Add/Remove Programs at this time.

Error: “The installation is missing the file instopts.dat...” when installing or uninstalling Norton AntiVirus

Solution 1: Delete a registry key

In some cases, simply deleting the following registry keys will fix this error.

To delete a registry key and reinstall your Norton program


1

On the Windows taskbar, click Start > Run. In the Run dialog box, type regedit and click OK.

2

In the Registry Editor, go to and select the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Symsetup

3

Press Delete, and then click Yes to confirm the deletion.

4

Repeat steps 4 and 5 for the key: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symsetup

5

On the Registry menu, click Exit.

6

Reinstall your Norton program. If this does not fix the problem, then go on to the next solution.


Solution 2: Run the Microsoft Windows Installer Clean Up utility and reinstall the Norton AntiVirus program

Follow these steps to download, install, and run the Windows Installer Clean Up Utility to remove any leftover components of your Norton program, and then reinstall the program.

To install and run the Microsoft Windows Installer Clean Up Utility and reinstall your Norton program

1

To download the program, click the Windows Installer Clean Up Utility.

2

Click Save to download the Msicuu2.exe file.

3

Save the file to your desktop.

4

If you see a prompt, click Close.

5

On the Windows desktop, double-click the file and then follow the steps in the Setup wizard to install the utility.

6

On the desktop, click Start > Programs > Windows Install Clean Up to run the utility.

7

Press and hold down the Ctrl key while you click all entries in the list that begin with the following text: CC, cc, Norton, Symantec, Sym, MSRedist

8

Click Remove to remove these entries.

9

Restart the computer and reinstall the Norton AntiVirus program.

For detailed instructions, read the document Reinstalling your Symantec program after a failed installation or after you see error messages. If this does not fix the problem, then go on to the next solution.

Solution 3: Reinstall the Microsoft Windows Installer, run the SymNRT removal utility and reinstall your program

In some cases, the Microsoft Windows Installer must be reinstalled before installing your Norton program.

Reinstall the Microsoft Windows Installer

1

For instructions on downloading and installing the latest version of the Microsoft Windows Installer, read the document Reinstalling the Microsoft Windows Installer, and then go on to the next section, “Running SymNRT and reinstalling your Norton program.”

2

Run SymNRT and reinstall your Norton program

3

Before reinstalling your Norton program, you must first run SymNRT.

To uninstall using SymNRT:

1

Close all open programs.


2

Save the file SymNRT.exe to the Windows desktop.

3

When the download is finished, on the Windows desktop, double-click SymNRT.exe, and then follow the on-screen instructions. Restart the computer if prompted.

■ If you see the error "SymNRT: Invalid signature. This file is not signed." when running SymNRT, go to the document Error: "SymNRT: Invalid signature. This file is not signed so it won't run.” If you see the error “Symantec removal tool has encountered an error and needs to close,” try running the tool a second time. If that does not work, see Error: “Symantec removal tool has encountered an error and needs to close”

4

On your desktop, right-click SymNRT.exe, and then click Delete. Click Yes to confirm the deletion.

5

Answer Yes or No to this question: Have you ever had any of these programs installed (even if you later uninstalled or upgraded them)?

■ Norton AntiVirus 2003 or earlier

■ Norton Internet Security 2003 or earlier

■ Norton Personal Firewall 2003 or earlier

■ Norton SystemWorks 2003 or earlier

6

Do one of the following:

■ If you answered Yes (you did at one time have one or more of these programs installed), go on to the following section. If you answered No (you never had any Norton program that was version 2003 or earlier), you are done.

Error: "Norton AntiVirus has encountered an internal program error" (4002, 519, 517)

To confirm that the Norton AntiVirus program files are set to load on startup

1

On the Windows taskbar, click Start > Run.

2

In the Open box, type MSCONFIG and then click OK.

3

In the System Configuration Utility, click the Startup tab.

4

Verify that the following items are checked:

■ ccApp

■ Symantec Core LC (You will not see this entry if you have a non-English version of Norton AntiVirus.)

■ ccEvtMgr

■ ccSetMgr

5

If any of the entries that are listed in step 4 are unchecked, check them. (If any of the entries that are listed in step 4 are missing, it indicates that Norton AntiVirus was not installed successfully. If you see this, go on to the section "To remove and reinstall Norton AntiVirus" and follow the instructions.)

6

Verify that the following items are checked:

■ SYMEVNT

■ SYMTDI

■ SAVRTPEL

■ SAVRT

If any entries that are listed in step 6 are unchecked, check them. (If any of the entries that are listed in step 6 are missing, it indicates that Norton AntiVirus was not installed successfully.)

7

Click Apply.

8

Click OK.

9

Restart the computer. If you continue to see the error message, go to the next solution.
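As an added read-only diagnostic (not Symantec's own tooling), the following Windows PowerShell script gathers the install indicators this unit asks for in one pass: the leftover Symsetup registry keys from Solution 1, the installed Symantec products from the Uninstall key, the msconfig startup entries, and the services from the internal program error procedure. It assumes the registry paths below are readable and approximates the msconfig Startup tab with the machine-wide Run key; the service names are taken as listed above.

```powershell
# Added read-only diagnostic (not Symantec's tooling). It reports findings
# and changes nothing; deletion stays a manual step per the procedures above.

# Registry keys that Solution 1 deletes when the instopts.dat error occurs.
$LeftoverKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Symsetup',
    'HKLM:\SOFTWARE\Symantec\Symsetup'
)
# Startup entries that must be checked in msconfig (step 4 above).
$RunEntries = @('ccApp', 'ccEvtMgr', 'ccSetMgr')
# Service/driver names as listed in step 6 above.
$Services = @('SYMEVNT', 'SYMTDI', 'SAVRTPEL', 'SAVRT')

function Get-NortonInstallFindings {
    $findings = @()

    foreach ($key in $LeftoverKeys) {
        if (Test-Path $key) { $findings += "Leftover key present: $key" }
    }

    # Installed Symantec/Norton products, read from the Uninstall key
    # (the same list that Add/Remove Programs displays).
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    $products = Get-ChildItem $uninstall | ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.DisplayName -match 'Norton|Symantec' }
    foreach ($p in $products) {
        $findings += "Installed: $($p.DisplayName) $($p.DisplayVersion)"
    }

    # Assumption: an item unchecked on the msconfig Startup tab is removed from
    # this Run key, so a missing name means either unchecked or never installed.
    $run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($name in $RunEntries) {
        if (-not $run.PSObject.Properties[$name]) { $findings += "Startup entry missing: $name" }
    }

    # Start value 4 means the service or driver is disabled; a missing key means
    # the component was not installed, which step 6 treats as a failed install.
    foreach ($svc in $Services) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (-not (Test-Path $svcKey)) { $findings += "Service missing: $svc"; continue }
        if ((Get-ItemProperty $svcKey).Start -eq 4) { $findings += "Service disabled: $svc" }
    }

    return $findings
}

Get-NortonInstallFindings
```

An empty result means none of the indicators above were found; any "Leftover key present" or "missing" line points to the matching solution in this unit.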

To re-install the Symantec shared files (Symevent)

1

Download the Symevent installer file Sevinst.exe.

2

When prompted, select "Save this Program to Disk," and then select drive C as the download location.

3

Click Save. Click Close if prompted.

4

Click Start > Run. In the Open box, type C:\sevinst.exe /r, and then click OK.

5

Close all programs, and then restart the computer. If you continue to see the error, then perform the steps to Uninstall and reinstall Norton AntiVirus.


Summary

In this unit we covered the following:

■ Troubleshooting Norton AntiVirus 2006 components


Related Documents