Archive for the ‘AntiVirus’ Category

SCCM 2007 R3 Deployment – Hurdles and Barriers

We are piloting a deployment of SCCM 2007 R3 as part of our evaluation of Forefront Endpoint Protection 2010.  I thought I would have SCCM up in a day to a day and a half… Ha!  If you are planning to do something similar, schedule a good four+ days for initial configuration (unless you are the Windows equivalent of Bruce Lee).

Troubles:

  • Complex PKI certificate requirements.  You need to create a Windows PKI server template just to deploy one signing cert to the site management server!  These certs cannot use the next-generation crypto (CNG) templates that came with Server 2008… you must use Server 2003 templates (CAPI).
  • Logging shortcomings.  I suppose veteran SCCM folks will think I am daft.  After all, SCCM makes more logs than just about any other MS product.  However, the logs are long on data, short on information.  I wasted over a day troubleshooting client to management point communications that turned out to be related to permissions problems with a cert in the SCCM server system account’s “My” certificates store.  The problem was that I used drag/drop in the cert MMC to install the cert, but that method did not set cert permissions properly.  After exporting/importing the cert, then setting permissions as detailed here:
    http://www.zerohoursleep.com/2010/11/a-fatal-error-occurred-when-attempting-to-access-the-ssl-server-credential-private-key/
    I was able to get IIS to bind reliably to the cert, and clients started to check in.  The SCCM client and server logs were no help with this.
  • Reporting Services – Since I last configured reporting on SQL 2005, things have gotten easier.  However, RTM releases still are not reliable enough.  I discovered we needed SQL 2008 R2 CU4 or later to get SCCM to work reliably with reporting services.
  • Schema Extensions – Never fun.  The process is well documented on Tech Net, but it’s still a pain.
  • Server installation prerequisites – There are many prereqs for SCCM.  The documentation lists them reliably.  What is not mentioned is that the server role prereqs need to be installed simultaneously.  If BITS, WebDAV, and ASP.NET are not installed at the same time, SCCM will fail to function after installation.
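The private-key permission problem above is worth checking directly rather than reading SCCM logs for it. The PowerShell below is an added example, not from the original post: it finds the certificate in the machine “My” store by thumbprint, locates the CAPI key container file under MachineKeys (the post’s certs come from Server 2003/CAPI templates, so that is where the key lives; CNG keys are stored elsewhere and are not handled), lists the file ACL, and optionally grants the service account Read. The thumbprint is a placeholder you supply, and `NT AUTHORITY\SYSTEM` as the default principal is an assumption.

```powershell
# Added example, not from the original post. Inspects (and optionally repairs) the
# file ACL on the private key behind a LocalMachine\My certificate.
# Assumptions: CAPI key (Server 2003 template), so the container file lives under
# %ProgramData%\Microsoft\Crypto\RSA\MachineKeys; run elevated on the site server.
function Test-MachineKeyAccess {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Thumbprint,                           # thumbprint of the cert to inspect (placeholder)
        [string]$Principal = 'NT AUTHORITY\SYSTEM',    # account that must be able to read the key
        [switch]$Grant                                 # add a Read ACE for $Principal if it is missing
    )

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Subject) has no private key on this host" }

    # Opening the key fails ("Keyset does not exist") when the ACL is broken badly
    # enough for the current account; report that instead of dying on it.
    try {
        $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    } catch {
        throw "Private key for $($cert.Subject) cannot be opened: $($_.Exception.Message)"
    }

    $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    $keyFile = Join-Path $keyDir $container
    if (-not (Test-Path $keyFile)) { throw "Key container file not found: $keyFile" }

    $acl      = Get-Acl -Path $keyFile
    $readMask = [int][System.Security.AccessControl.FileSystemRights]::Read
    $hasRead  = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $readMask) -eq $readMask)
    }

    if (-not $hasRead -and $Grant) {
        # Read is enough for IIS/SCCM to use the key; do not hand out FullControl.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $keyFile -AclObject $acl
        $hasRead = $true
    }

    New-Object PSObject -Property @{
        Subject          = $cert.Subject
        KeyFile          = $keyFile
        Principal        = $Principal
        PrincipalCanRead = [bool]$hasRead
        Access           = $acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
    }
}

# Usage (thumbprint is a placeholder):
# Test-MachineKeyAccess -Thumbprint 'PLACEHOLDER_THUMBPRINT' | Format-List
# Test-MachineKeyAccess -Thumbprint 'PLACEHOLDER_THUMBPRINT' -Grant
```

Run it without -Grant first and look at the Access list: a key that was dragged into the store typically shows only Administrators and the importing user, which is exactly the state IIS cannot bind from.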

All that being said, the product has made great strides since I last looked at it (When it was called SMS 2003).  Integration with WSUS is a plus, as is the “Advanced Client” which uses a simple client pull over HTTPS to fetch configurations and submit status.  Good stuff… less dependency on RPCs and File/Print Sharing.

Update:

Migrating Symantec AntiVirus management servers

Well, it has been a fun week of migrating our Symantec AntiVirus servers from old, dying Dell 5th-gen PowerEdge servers onto bleeding-edge ESX virtual machines. Here are some of the highlights:

Firewall changes:
In moving the servers, we had to assign new IP addresses in our protected 102.0 subnet. Thus, I had to research the firewall exceptions required for access to the servers. It seems the two required ports are:
TCP port 2967 (Inbound) – for Symantec AntiVirus service (RtVscan.exe), for AV definition push updates, and client monitoring
UDP port 38293 (Inbound) – for Intel PDS service (pds.exe), allows retrieval of AV policy settings
(initial rules were not correct, resulting in clients falling out of the management cycle)

LiveUpdate changes:
I have been wanting to change the address of our internal LiveUpdate server for awhile… we are now using http://liveupdate.uvm.edu as the primary distribution server, with http://norton1.uvm.edu, http://norton2.uvm.edu, and http://liveupdate.symantecliveupdate.com as backups. “liveupdate.uvm.edu” is a round-robin record that alternates between norton1 and norton2. We are considering a load balancing implementation instead, but this probably is unnecessary given the presence of “backup servers” in the liveupdate.hst file distributed to clients.
The only real problem here was that many of the file types in the LiveUpdate download directory were not of recognized “MIME Types” (i.e. they were not html, xml, zip, txt, audio/video, or MS Office files). I had to add the following extensions to the IIS configs before clients could successfully retrieve updates:
.x00, .ieg, .m25, .ia64ap, .x86, .lin
Once these MIME types were added and I had run an “iisreset”, LiveUpdate started to function normally.
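The same MIME-map change, scripted, as an added example rather than anything from the original post. It assumes IIS 7 or later with the WebAdministration module (the post’s change was made in the IIS MMC and followed by iisreset, which IIS 7 does not need for a config edit); the site path and the `application/octet-stream` type are assumptions. It checks for an existing mapping before adding one and scopes the change to a single site.

```powershell
# Added example, not from the original post. Assumes IIS 7+ and the WebAdministration
# module. Maps the LiveUpdate file extensions from the post as opaque downloads on
# one site only, skipping any extension that is already mapped.
Import-Module WebAdministration

function Add-LiveUpdateMimeTypes {
    param(
        [string[]]$Extensions = @('.x00', '.ieg', '.m25', '.ia64ap', '.x86', '.lin'),
        [string]$MimeType = 'application/octet-stream',          # assumed: treat as opaque binary
        [string]$SitePath = 'IIS:\Sites\Default Web Site'        # placeholder for the LiveUpdate site
    )
    $added = @()
    foreach ($ext in $Extensions) {
        $filter   = "/system.webServer/staticContent/mimeMap[@fileExtension='$ext']"
        $existing = Get-WebConfigurationProperty -PSPath $SitePath -Filter $filter -Name mimeType `
                        -ErrorAction SilentlyContinue
        if ($existing) {
            Write-Host "$ext already mapped to $($existing.Value)"
            continue
        }
        Add-WebConfigurationProperty -PSPath $SitePath -Filter /system.webServer/staticContent `
            -Name '.' -Value @{ fileExtension = $ext; mimeType = $MimeType }
        $added += $ext
    }
    return $added
}

# Usage:
# Add-LiveUpdateMimeTypes -SitePath 'IIS:\Sites\LiveUpdate'
```

Two deliberate choices: the mapping is added at the site rather than at `IIS:\` so it does not apply to every site on the box, and only the listed extensions are mapped. A wildcard (`*`) mapping would also have cured the 404s, but it makes IIS willing to serve any file in the web root, config backups included.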

Reporting Services
Migration of reporting services is a total PIA. I am trying to migrate the back-end database to an external SQL 2005 server from SQL 2000 in addition to re-installing the Reporting Services binaries on the new Norton2 server. Here are the steps taken so far:

  • detach the SymReport database from the old server, copy the files to the new server and attach
  • change ownership of the database back to its original setting
  • change the compatibility level of the database to “9.0” (SQL 2005)
  • install the new SQL native client on the SAV hosts
  • launch the Reporting services installer setup.exe. Note: do not launch from the autorun setup menu on the SAV CD! You must use the reporting services setup.exe or the advanced install options that we need will not be available.
  • supply the credentials necessary to connect to the new SQL 2005 DB. Also, specify alternative credentials for the db user, datasource name, and db name. Use the DB name that was imported into the SQL 2005 server, and get the username that was previously used from the DB security tabs.
  • After install, the reporting server should smoothly reconnect to the existing DB. You can check that this is happening in the SQL activity monitor pane.
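The database side of those steps, as an added example that is not from the original post. It runs the T-SQL for the detach/attach, ownership and compatibility-level steps through System.Data.SqlClient, which works against SQL 2005 (Invoke-Sqlcmd only arrives with SQL 2008). Server names, data paths, the owner and the reporting user are placeholders; the last step, relinking the database user to its login after the attach, is my addition, since a user carried across with the files is orphaned on the new server and the post only mentions reading that username from the security tabs. Stop Reporting Services before running it, as detach needs no open connections.

```powershell
# Added example, not from the original post. Executes the SymReport migration steps
# as T-SQL over SqlClient. Assumptions: Windows authentication works on both servers,
# the admin shares are reachable for the file copy, and the placeholders below are
# replaced with real names and paths.
function Invoke-Sql {
    param([string]$ConnectionString, [string]$Sql)
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        $cmd.CommandTimeout = 600
        [void]$cmd.ExecuteNonQuery()
    } finally {
        $conn.Close()
    }
}

function Move-SymReportDatabase {
    param(
        [string]$OldServer  = 'OLDSQL2000',        # placeholder
        [string]$NewServer  = 'NEWSQL2005',        # placeholder
        [string]$Database   = 'SymReport',
        [string]$OldDataDir = 'D:\MSSQL\Data',     # placeholder, path on the old server
        [string]$NewDataDir = 'D:\MSSQL\Data',     # placeholder, path on the new server
        [string]$Owner      = 'sa',                # original owner, per the post
        [string]$ReportingUser = 'symreport_user'  # placeholder; the login SAV reporting uses
    )
    $old = "Server=$OldServer;Database=master;Integrated Security=SSPI"
    $new = "Server=$NewServer;Database=master;Integrated Security=SSPI"

    # 1. detach on the old server
    Invoke-Sql $old "EXEC sp_detach_db @dbname = N'$Database'"

    # 2. copy data and log files over the admin shares
    foreach ($f in "$Database.mdf", "${Database}_log.ldf") {
        Copy-Item "\\$OldServer\$($OldDataDir -replace ':', '$$')\$f" `
                  "\\$NewServer\$($NewDataDir -replace ':', '$$')\$f"
    }

    # 3. attach on the new server
    Invoke-Sql $new @"
CREATE DATABASE [$Database]
    ON (FILENAME = N'$NewDataDir\$Database.mdf'),
       (FILENAME = N'$NewDataDir\${Database}_log.ldf')
    FOR ATTACH
"@

    # 4. ownership back to its original setting
    Invoke-Sql $new "USE [$Database]; EXEC sp_changedbowner @loginame = N'$Owner'"

    # 5. compatibility level 90 (SQL 2005). sp_dbcmptlevel is used because
    #    ALTER DATABASE ... SET COMPATIBILITY_LEVEL only exists from SQL 2008.
    Invoke-Sql $new "EXEC sp_dbcmptlevel @dbname = N'$Database', @new_cmptlevel = 90"

    # 6. added step: the database user came across with the files but is orphaned
    #    from the login on the new server; relink it (the login must already exist)
    Invoke-Sql $new "USE [$Database]; EXEC sp_change_users_login 'Update_One', N'$ReportingUser', N'$ReportingUser'"
}

# Usage:
# Move-SymReportDatabase -OldServer 'OLDSQL2000' -NewServer 'NEWSQL2005' -ReportingUser 'symreport_user'
```

Step 6 is the one that bites when the reporting installer is later pointed at the migrated database with the old username: the user exists inside the database, but without the relink its SID matches no login on the new instance.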

Unfortunately, I ran into some problems with the Reporting Agent on the primary SAV server (it is running a remote agent). The agent slowly hogs up all the memory on the box and is creating a CPU-bound condition (very bad news on an ESX host). I had no success trying to troubleshoot the situation, and I was not having fun… Using Sysinternals tools I was able to watch the ReportingAgentLauncher thrash the heck out of some temp files that it was creating, but it never did anything with these files. I believe there must have been some bad configuration information being fed to the SAV server from the reporting database, and that this was creating a loop. So ultimately I fixed the situation with the following “solution”:

  • Uninstall reporting services
  • Reinstall with a new database (thus abandoning old report data)

Voila… reporting services are running normally, we have our first production SQL 2005 database, and our second set of production ESX guests.

Additional SAV installer builder instructions, updated script

Upon reviewing my earlier notes on building installers, it appears that I left out some useful info on how to build the darned administrative installation point that I am using to wrap up the patched installer. Since I had the “opportunity” to work on a v10.1.0.400 installer today, I will take this opportunity to actually document my installer builder process:

  • open a CMD shell, CD to the SAV directory on the Symantec installation media
  • extract the MSI files to a local “administrative installation point”:
    msiexec /a "Symantec Antivirus.msi"
    
  • Now, extract any patches downloaded from Symantec and CD to the directory that has the MSP patch file. Execute the following:
    msiexec /p "SAVCE-[version].msp" /a [path to admin install point] 
  • Now, copy the setup.exe, setup.ini, msi installer files, and that .ini file with the funny name from the SAV source directory into the “administrative installation point” directory used above.
  • Edit the “setup.ini” file in your admin install point. Modify the product version string to more closely match the version just overlaid onto the installer.
  • Copy in your custom SAV installer script. (In our case, we use “instsav.cmd”). Generally I just copy this out of the last production installer. Also grab the sav-managed.txt and sav-unmanaged.txt files from the previous installer. These just contain informational text to be pasted into the self-extracting archive prompt dialogs.
  • Now you can wrap the whole directory into a self-extracting archive, which spawns “instsav.cmd” when extraction is complete. Of late, I have been using WinRAR. Since the 10.0.1 builds, I have been extracting the archive to “%SYSTEMDRIVE%\SAVInst”, with the option to leave the extracted files in place after installation (thus creating a local installation source). You may note that the instsav.cmd installation script uses this directory path to launch the setup.exe program.
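The whole build, end to end, as an added PowerShell example; none of this is from the original post. It performs the admin-install extraction, the patch overlay, the file copies, the setup.ini edit and the WinRAR SFX wrap, and between the msiexec steps it reads ProductVersion out of the admin image’s MSI to confirm the patch actually landed. Assumptions: msiexec.exe and WinRAR’s console Rar.exe are present, the setup.ini key is named `ProductVersion` (check your own setup.ini), the unnamed “.ini file with the funny name” is picked up by copying every .ini beside setup.exe, and the SFX option names are WinRAR’s `Path`, `Overwrite` and `Setup` comment commands.

```powershell
# Added example, not from the original post: automates the administrative-install-point
# build the post describes. Assumptions: msiexec.exe on the PATH, WinRAR's Rar.exe under
# %ProgramFiles%\WinRAR, a setup.ini key named ProductVersion, and WinRAR SFX comment
# commands Path/Overwrite/Setup. All paths passed in are placeholders.
function Get-MsiProductVersion {
    # Reads ProductVersion from an MSI Property table via the Windows Installer COM API.
    param([string]$MsiPath)
    $wi   = New-Object -ComObject WindowsInstaller.Installer
    $db   = $wi.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $wi, @($MsiPath, 0))
    $q    = "SELECT Value FROM Property WHERE Property = 'ProductVersion'"
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($q))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $rec  = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    return $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(1))
}

function Invoke-Msiexec {
    param([string]$Arguments)
    $p = Start-Process -FilePath msiexec.exe -ArgumentList $Arguments -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "msiexec $Arguments failed with exit code $($p.ExitCode)" }
}

function New-SavInstaller {
    param(
        [string]$MediaDir,       # SAV folder on the installation media
        [string]$PatchFile,      # SAVCE-<version>.msp extracted from the Symantec download
        [string]$AdminPoint,     # administrative installation point to create
        [string]$PreviousBuild,  # last production build (instsav.cmd, sav-*.txt)
        [string]$OutputExe       # self-extracting archive to produce
    )
    $msiName = 'Symantec Antivirus.msi'

    # 1. msiexec /a: extract the MSI into the administrative installation point
    Invoke-Msiexec "/a `"$(Join-Path $MediaDir $msiName)`" TARGETDIR=`"$AdminPoint`" /qn"
    $adminMsi = Join-Path $AdminPoint $msiName
    $before   = Get-MsiProductVersion $adminMsi

    # 2. msiexec /p: overlay the patch onto the admin image, then prove the version moved
    Invoke-Msiexec "/p `"$PatchFile`" /a `"$adminMsi`" /qn"
    $after = Get-MsiProductVersion $adminMsi
    if ($after -eq $before) { throw "Patch did not change ProductVersion ($before); check the MSP" }

    # 3. copy the InstallShield bootstrap files: setup.exe, setup.ini and the other .ini
    Get-ChildItem $MediaDir | Where-Object { $_.Name -eq 'setup.exe' -or $_.Extension -eq '.ini' } |
        Copy-Item -Destination $AdminPoint

    # 4. bump the version string in setup.ini to the patched MSI's version (key name assumed)
    $ini = Join-Path $AdminPoint 'setup.ini'
    (Get-Content $ini) -replace '^(ProductVersion=).*$', "`${1}$after" | Set-Content $ini -Encoding Default

    # 5. bring over the install script and the SFX prompt text from the previous build
    foreach ($f in 'instsav.cmd', 'sav-managed.txt', 'sav-unmanaged.txt') {
        Copy-Item (Join-Path $PreviousBuild $f) $AdminPoint
    }

    # 6. wrap the directory in a WinRAR SFX that extracts to %SYSTEMDRIVE%\SAVInst, leaves
    #    the files there as a local install source, and runs instsav.cmd afterwards
    $sfxCfg = Join-Path $env:TEMP 'sav-sfx.txt'
    @"
Path=%SYSTEMDRIVE%\SAVInst
Overwrite=1
Setup=instsav.cmd
"@ | Set-Content $sfxCfg -Encoding ASCII
    $rar = Join-Path $env:ProgramFiles 'WinRAR\Rar.exe'
    $p = Start-Process -FilePath $rar -Wait -PassThru `
        -ArgumentList "a -sfx -r -ep1 -z`"$sfxCfg`" `"$OutputExe`" `"$AdminPoint\*`""
    if ($p.ExitCode -ne 0) { throw "Rar.exe failed with exit code $($p.ExitCode)" }
    return $after
}

# Usage (all paths are placeholders):
# New-SavInstaller -MediaDir 'D:\SAV' -PatchFile 'C:\build\SAVCE-10.1.0.400.msp' `
#     -AdminPoint 'C:\build\admin' -PreviousBuild 'C:\build\prev' -OutputExe 'C:\build\SAVInst.exe'
```

The version check between steps 1 and 2 is the part I would not skip: a silent `msiexec /p` that quietly fails leaves you shipping the unpatched build under a patched-looking setup.ini, and the ProductVersion read out of the MSI is also the right value to write into setup.ini rather than a hand-typed one.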

Also note that I have made some significant changes to the instsav.cmd script. Mostly I just deleted unused sections of the script… version 10.1 does not appear to bog down the computer doing “startup scans” and “Definition scans” as earlier versions did, so I am removing the custom registry key imports that halted these scans. Also, I changed the IF NOT ERRORLEVEL 1 clauses to use the syntax “IF %ERRORLEVEL% GEQ 1” instead, as this seems rather easier to understand from a logical perspective, IMO. Anyway, here is the script:

:begin
@ECHO OFF
ECHO - Symantec Antivirus installation script for the University of Vermont
ECHO - version 2.6, by JGM, 2006-05-15
ECHO - This Window will close automatically when installation has completed.
REM Script can be altered to allow for either managed or unmanaged client installations.
REM For managed installs, UN-comment the "goto endFirewall" line below, and uncomment the appropriate "setup" command line.
REM For unmanaged installs, COMMENT OUT the "goto endFirewall" line below, and uncomment the appropriate "setup" command line.
REM History:
REM V2.3 - changed "reg import" commands to "regedit /s" commands for Windows 2000 compatibility.
REM v2.5 - changed setup to generate MSI error log (/le option), and to run out of %SystemDrive%\SAVInst dir created by RAR extractor.
REM v2.6 - removed the "removeStartScan.reg" procedure after the :endFirewall tag, and an experiment for v10.1.x distribution, cleaned up un-used sections, substituted "IF %errorlevel% GEQ 1" instead of "IF NOT errorlevel 1" as a experiment.
REM If performing an unmanaged AntiVirus client installation, uncomment the following line:
GOTO endFirewall
:OSVer
REM Determine if host is running a Windows XP build:
set OSVer=notXP
ver | find /i "xp" && set OSVer=XP
IF NOT "%OSVer%"=="XP" GOTO unsupported
REM (an XP host falls through to :spLevel)
:spLevel
REM Determines Service Pack Version via registry query:
set SPVer=0
REM systeminfo |find "Service Pack 1" && set SPVer=1
REM systeminfo |find "Service Pack 2" && set SPVer=2
reg QUERY HKLM\SYSTEM\CurrentControlSet\Control\Windows /v CSDVersion | find "0x200" && set SPVer=2
IF NOT "%SPVer%"=="2" GOTO unsupported
:addRules
ECHO.
ECHO.
REM Adds firewall exceptions for Windows XP SP2 hosts:
ECHO - You have Windows XP Service Pack 2!  Let's Go...
ECHO - Please wait while firewall exception rules are added...
ECHO Adding exception for Symantec Realtime Virus Scan to allow management of SAV Client
@netsh firewall add portopening protocol = UDP port = 2967 name = "Symantec RTVScan" mode = ENABLE scope = CUSTOM addresses = LocalSubnet,127.0.0.1,132.198.0.0/16 profile = ALL
IF %errorlevel% GEQ 1 (
	GOTO failRuleAdd
	) ELSE (
	ECHO Firewall rule added successfully.
	)
@netsh firewall add portopening protocol = UDP port = 38293 name = "Intel PDS (Symantec AV)" mode = ENABLE scope = CUSTOM addresses = LocalSubnet,127.0.0.1,132.198.0.0/16 profile = ALL
IF %errorlevel% GEQ 1 (
	GOTO failRuleAdd
	) ELSE (
	ECHO Firewall rule added successfully.
	)
GOTO endFirewall
:unsupported
ECHO.
ECHO.
ECHO Your system is not running XP with Service Pack 2.
ECHO You do not need firewall exceptions added to your system.
GOTO endFirewall
:endFirewall
ECHO.
ECHO.
ECHO Deleting log files from previous installations...
@del /f /s /q "%ALLUSERSPROFILE%\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs"
REM NOTE: del does not set ERRORLEVEL when nothing matches, so these messages are advisory only.
IF %errorlevel% GEQ 1 (
	ECHO No previous Symantec AV log files needed to be deleted.
	) ELSE (
	ECHO Symantec AV Log files successfully deleted.
	)
@del /f /s /q "%ALLUSERSPROFILE%\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Logs"
IF %errorlevel% GEQ 1 (
	ECHO No previous Windows 2000/XP Norton AV log files needed to be deleted.
	) ELSE (
	ECHO Norton 2000/XP AV Log files successfully deleted.
	)
ECHO.
ECHO.
ECHO Proceeding with SAV install...
REM One of the following two "setup" lines MUST BE COMMENTED OUT!
REM installation string for an UNMANAGED client install (intended for off-campus users):
"%SystemDrive%\SAVInst\setup" /s /qn /V"/qb /le %SystemDrive%\SAVInst\install.err REMOVE=Pop3Smtp,NotesSnapin ADDLOCAL=SAVMain,SAVUI,SAVHelp,QClient,OutlookSnapin NETWORKTYPE=2 RUNLIVEUPDATE=0 SYMPROTECTDISABLED=1"
REM installation string for a MANAGED client install (intended for systems that are frequently on-campus):
REM "%SystemDrive%\SAVInst\setup" /s /qn /V"/qb /le %SystemDrive%\SAVInst\install.err REMOVE=Pop3Smtp,NotesSnapin ADDLOCAL=SAVMain,SAVUI,SAVHelp,QClient,OutlookSnapin NETWORKTYPE=1 SERVERNAME=NORTON2 RUNLIVEUPDATE=0 SYMPROTECTDISABLED=1"
ECHO.
ECHO.
ECHO Product setup complete.
GOTO end
:failRuleAdd
ECHO.
ECHO.
ECHO Firewall exceptions script failed!
ECHO Symantec AntiVirus NOT INSTALLED.
ECHO Take your system to Walk-in help.
pause
GOTO end
:end

SAV 10.0.2.2020 release, and install script updates

I made some more changes to the script and installer package:

- Decided to converge on the “Administrative Install” method for wrapping the patches into the installer. This prevents the installed SAV instance from interfering with the patch portion of the install script. Features like “autoprotect” were preventing “msiexec /p” from working. Also, msiexec /p seems just plain unpredictable if the system has not been rebooted. I just don’t feel like injecting actions into the “RunOnce” registry key, or attempting to force a reboot.

- Added “AUTOPROTECT=OFF” to the msi options portion of the setup.exe line in the install script. This will prevent the SAV autoprotect from giving us grief while installation completes.

- Used WinRAR options to extract archive files to a specified directory: %SystemDrive%\SAVInst.
(this will cause a local cache of the install files to be maintained on the system)
(NOTE: We may wish to add a script line to delete the contents of this archive on reinstall)

- Mod the setup.ini file to contain a higher version number for the product being installed than the default (this should allow the setup.exe to install over existing SAV10 installs)

- Added an error logging option to the MSI options portion of the setup.exe line in the script (-le %SystemDrive%\SAVInst\install.err)

- Prefixed the setup.exe line with %SystemDrive%\SAVInst\ to force it to run out of the directory created by the WinRAR extractor.

SAV 10 installer, redux

What a pain! Our testers still report problems with SAV 10.0.1 installers. High CPU, disk thrashing, scheduled scans kicking off without permission…

Several fixes. First off, I generated a fancy new install script:

:begin
@ECHO OFF
ECHO - Symantec Antivirus installation script for the University of Vermont
ECHO - version 2.1, by JGM, 2005-10-17
ECHO - This Window will close automatically when installation has completed.
REM Script can be altered to allow for either managed or unmanaged client installations.
REM For managed installs, UN-comment the "goto endFirewall" line below, and uncomment the appropriate "setup" command line.
REM For unmanaged installs, COMMENT OUT the "goto endFirewall" line below, and uncomment the appropriate "setup" command line.

REM If performing an unmanaged AntiVirus client installation, uncomment the following line:
REM GOTO endFirewall

:OSVer
REM Determine if host is running a Windows XP build:
set OSVer=notXP
ver | find /i "xp" && set OSVer=XP
IF NOT "%OSVer%"=="XP" GOTO unsupported
REM (an XP host falls through to :spLevel)

:spLevel
REM Determines Service Pack Version via registry query:
set SPVer=0
REM systeminfo |find "Service Pack 1" && set SPVer=1
REM systeminfo |find "Service Pack 2" && set SPVer=2
reg QUERY HKLM\SYSTEM\CurrentControlSet\Control\Windows /v CSDVersion | find "0x200" && set SPVer=2
IF NOT "%SPVer%"=="2" GOTO unsupported

:addRules
ECHO.
ECHO.
REM Adds firewall exceptions for Windows XP SP2 hosts:
ECHO - You have Windows XP Service Pack 2! Let's Go...
ECHO - Please wait while firewall exception rules are added...
ECHO Adding exception for Symantec Realtime Virus Scan to allow management of SAV Client
netsh firewall add portopening protocol = UDP port = 2967 name = "Symantec RTVScan" mode = ENABLE scope = CUSTOM addresses = LocalSubnet,127.0.0.1,132.198.0.0/16 profile = ALL
REM Check each netsh result; a single check after both rules would miss a failure of the first.
IF errorlevel 1 GOTO failRuleAdd
netsh firewall add portopening protocol = UDP port = 38293 name = "Intel PDS (Symantec AV)" mode = ENABLE scope = CUSTOM addresses = LocalSubnet,127.0.0.1,132.198.0.0/16 profile = ALL
IF NOT errorlevel 1 (
ECHO All firewall rules added successfully.
) ELSE (
GOTO failRuleAdd
)
GOTO endFirewall

:unsupported
ECHO.
ECHO.
ECHO Your system is not running XP with Service Pack 2.
ECHO You do not need firewall exceptions added to your system.
GOTO endFirewall

:endFirewall
REM If installing an unmanaged AntiVirus client, installation may begin here.
ECHO.
ECHO.
ECHO Altering registry to remove and prevent automatic system scans...
reg import RemoveStartScan.reg
IF NOT errorlevel 1 (
ECHO Registry settings imported successfully.
) ELSE (
GOTO failRSS
)
ECHO.
ECHO.
ECHO Deleting log files from previous installations...
REM NOTE: del does not set ERRORLEVEL when nothing matches, so these messages are advisory only.
del /f /q "%ALLUSERSPROFILE%\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs\*.*"
IF NOT errorlevel 1 (
ECHO Symantec AV Log files successfully deleted.
) ELSE (
ECHO No previous Symantec AV log files needed to be deleted.
)
del /f /q "%ALLUSERSPROFILE%\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Logs\*.*"
IF NOT errorlevel 1 (
ECHO Norton 2000/XP AV Log files successfully deleted.
) ELSE (
ECHO No previous Windows 2000/XP Norton AV log files needed to be deleted.
)
del /f /q "%ProgramFiles%\Norton AntiVirus\Logs\*.*"
IF NOT errorlevel 1 (
ECHO Windows 9x Log files successfully deleted.
) ELSE (
ECHO No previous Windows 9x Norton AV log files needed to be deleted.
)
ECHO.
ECHO.
ECHO Proceeding with SAV install...
REM One of the following two "setup" lines MUST BE COMMENTED OUT!
REM installation string for an UNMANAGED client install (intended for off-campus users):
REM setup /s /qn /V"/qr REMOVE=Pop3Smtp,NotesSnapin ADDLOCAL=SAVMain,SAVUI,SAVHelp,QClient,OutlookSnapin NETWORKTYPE=2 RUNLIVEUPDATE=1"
REM **This does not work!*** IF NOT errorlevel 1 GOTO setupFail
REM installation string for a MANAGED client install (intended for systems that are frequently on-campus):
setup /s /qn /V"/qr REMOVE=Pop3Smtp,NotesSnapin ADDLOCAL=SAVMain,SAVUI,SAVHelp,QClient,OutlookSnapin NETWORKTYPE=1 SERVERNAME=NORTON2 RUNLIVEUPDATE=1"
REM **This does not work!*** IF NOT errorlevel 1 GOTO setupFail
ECHO.
ECHO.
ECHO Product setup complete,
ECHO Now attempting registry alterations to prevent Definitions scans...
reg import DefwatchQSOff.reg
IF NOT errorlevel 1 (
ECHO Registry settings imported successfully.
) ELSE (
GOTO FailPDQS
)
GOTO end

:failRuleAdd
ECHO.
ECHO.
ECHO Firewall exceptions script failed!
ECHO Symantec AntiVirus NOT INSTALLED.
ECHO Take your system to Walk-in help.
pause
GOTO end

:failRSS
ECHO.
ECHO.
ECHO "RemoveStartScan" registry import failed!
ECHO Symantec AntiVirus NOT INSTALLED.
ECHO Take your system to Walk-in help.
pause
GOTO end

:setupFail
ECHO.
ECHO.
ECHO Oh No! Symantec setup program failed to complete!
ECHO Symantec AntiVirus NOT INSTALLED.
ECHO Take your system to Walk-in help.
pause
GOTO end

:failPDQS
ECHO.
ECHO.
ECHO "DefwatchQSOff" registry import failed,
ECHO but Symantec AntiVirus has been installed.
ECHO If you experience major system performance degradation,
ECHO please take your system to Walk-in help.
pause
GOTO end

:end

Changes from previous scripts are:

1. integration of managed and unmanaged installer scripts in same file – change the comments to change the install method.
2. attempts at error capturing using IF/Then/Goto
3. integration of script into one file (sans .reg import files)
4. added DefwatchQSOff.reg import to the script, moved to end of script
5. Now using “removestartscan.reg” to kill startup scans… seems to work.
6. not allowing installation of POP3SMTP plugin
7. using “setup.exe” with command line options, rather than msiexec. This avoids the need to create separate installers for upgrade vs. new install
8. Integrated 10.0.1.1007 patch into the installer (by extracting original .MSI to an “administrative install point”, then using the msiexec patch commands on the admin install point).

Norton1 LiveUpdate server complaints

LiveUpdate complaints from the end-users… cannot run LiveUpdate, LiveUpdate logs indicate a specific file was “unavailable on the server”.

FTP into Norton1.uvm.edu does reveal that the file is not actually there. The quick fix here is to resynch the LiveUpdate directory from Symantec. To do this:

1. On Norton1, launch “LiveUpdate Administration Utility”.
2. Go to Tools>Options, then select “Retrieve new and previously downloaded updates”, then “ok”.
3. Click “retrieve”, wait for the process to complete.
4. Change the previously set option back to “New updates only”.

Now test out LiveUpdate to see if the missing file has been restored.

SAV 10.0.1 – building client installers

Symantec just extended us the honor of downloading SAV v10.0.1 (Maintenance Release 1 for SAV 10). This build is supposed to fix a bunch of performance complaints. Now that we have it, I suppose we should think in earnest about getting clients to install the new version.

I have been concerned about the apparent need to provide two installers… one for upgrades, and one for new installations. This is an issue that came up with SAV 9, mp2. Fortunately, I was able to find a decent thread on installation techniques at Novell “Cool Solutions”:
http://www.novell.com/coolsolutions/tip/15090.html

I have changed our installer to run the installer using “setup.exe” (an InstallShield program), instead of “msiexec”. When using setup.exe, the installer appears to deal well with existing installations.

I have also added an additional .bat to the installer script… RemoveStartupScan.bat. This runs “reg.exe” to import a .reg file obtained from Symantec. The reg settings included disable the startup “quick scan” (DoScan.exe) that has been irritating Symantec clients since the release of 10.0. Symantec says that DoScan has been “fixed” with 10.0.1, but I still do not like it.

Finally, I am allowing installation of the Pop3Smtp component, although I suspect that we will just have to rip it out again in the near future. I thought we might give it a chance for now.

SAV10 migration steps

Starting the SAV10 server infrastructure process…

1. Download and install LU Admin v1.5.4, required to fetch SAV10 updates for our internal LiveUpdate FTP server. Installed over existing version, purged and re-downloaded all current SAV/NAV related files, and also updates for Symantec products commonly used at UVM. Note: needed to set the LU Admin tool to “download previously retrieved updates” during the initial download… otherwise it refuses to get new definitions!
2. Uninstall Quarantine, Quarantine Console, and Symantec System Center on Norton1, Norton2.
3. Attempt to run SAV installer by running setup.exe at the root of the SAV10 CD… setup appears to run, but all it actually does is remove files from the server! Aargh! Attempt to use the “Server Deployment” tool to push updates to Norton1 and Norton2… the wizard forces me to re-create the “UVM Antivirus 1” group, and to specify a username/password for the group… I do this. The wizard then copies installer files to the hosts, and then hangs for half an hour. I am forced to cancel the installation.
4. Reboot both systems, then attempt to run the regular installer again. This time, the installer works (although SAV is now installed in the default “%systemdrive%\program files\Symantec AntiVirus” folder, instead of the original folder from the SAV 9 install). Hmmm….
5. Install Central Quarantine on Norton1. Install System Center and Quarantine Console on Norton1 and Norton2.
6. Upon launching SSC, there are now two “UVM AntiVirus 1” groups, each with one of the NORTON parent servers. The group with NORTON1 is non-functional, as it reports that NORTON1 is DOWN (even though Norton1 appears to be running all of its Symantec services). Aargh!
7. Fix hangs when attempting to view NORTON1 history files by archiving old (and probably corrupt) log files. To do this, I stop the SAV service, then remove all files from c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\logs.
8. SSC listing of NORTON1 system status as “down” could be the result of server overload… see Symantec KB article:

   http://service1.symantec.com/SUPPORT/ent-security.nsf/529c2f9adcf33a1088256e22005026f1/6a0fbf5fc81a6c9588256d6c0060fa5e?OpenDocument&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=9.0&src=ent&pcode=sav_ce&dtype=corp&svy=&prev=&miniver=savce_9.0

   nope… that did not help at all…

9. Called Symantec tech support. They speculated that the upgrade of the “UVM AntiVirus 1” server group was botched. The workaround was to first move the functioning “Norton2” server to a new, separate server group. Next, we remove the HKLM\software\intel\landesk\virusprotect6\domaindata registry key (after backing up the registry). This effectively lobotomizes Norton1, and makes it forget that it is the primary server in the AV group. After a reboot, the UVM AV 1 group is again accessible via SSC. We re-promote NORTON1 to primary server of the group, and move Norton2 back in. Our AV group policies are totally shot, so I need to rebuild all policies. Joy.
10. Scheduled tasks on the operating systems have stopped running. Reason is that the path to .exe files changed with the upgrade. I have updated all of the executable paths.
11. Roaming services have been implemented… this will allow SAV 9+ clients to load balance between NORTON1 and NORTON2 parent servers.
12. Important SAV10 server settings… new feature is “performance tuning”… I needed to activate management of back-level SAV clients. Also, I set options to skip over clients that are not checking in with the parent server. This will allow faster push of updated definitions as they become available.

Norton1 – service crash… fixes and post-crash changes

Norton1 shut itself off late last week. Stefanie had a look at it and managed to get it back on its feet:

  • SYSTEM volume was almost full on Norton1. Stef found scads of MSFTPSVC log files and deleted them.
  • SAV service would not restart… apparently due to corrupt virus definitions. Repaired by following advice at Symantec KB:
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2002102209110448?Open&src=ent&docid=2002080708594148&nsf=ent-security.nsf&view=docid&dtype=corp&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=9.0&osv=&osv_lvl=
  • We set the IIS service to keep its logs on the D: (vol1) drive instead of SYSTEM. Geoff will work on a script to purge logs >1 week old.
  • We set the FTP service idle connection timeout from 900 seconds to 120 seconds to cut down on attackers tying up FTP service connections.
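The log purge mentioned above, as an added example (it is not Geoff’s script or anything from the original post). It removes IIS and FTP log files older than a week from the log roots on the D: drive, optionally copying each file to a collector share first, and reports free space on the SYSTEM volume, which is what actually filled up. The log folder names, the collector share and the seven-day threshold are assumptions.

```powershell
# Added example, not from the original post. Purges service logs older than a week
# and reports SYSTEM-volume free space. Folder paths are placeholders; the age and
# the idea of archiving before deletion are assumptions, not the post's procedure.
function Get-FreeSpaceMB {
    param([string]$Drive = 'C:')
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Drive'"
    return [int]($disk.FreeSpace / 1MB)
}

function Remove-OldServiceLogs {
    param(
        [string[]]$LogRoots = @('D:\Logs\W3SVC1', 'D:\Logs\MSFTPSVC1'),  # placeholder paths
        [int]$MaxAgeDays = 7,
        [string]$ArchiveTo = '',     # optional: copy each file here before deleting (collector share)
        [switch]$WhatIf              # list what would go without touching anything
    )
    $cutoff  = (Get-Date).AddDays(-$MaxAgeDays)
    $removed = @()
    foreach ($root in $LogRoots) {
        if (-not (Test-Path $root)) { Write-Warning "log folder not found: $root"; continue }
        # The file the service is currently writing has a fresh LastWriteTime and is left alone.
        $old = Get-ChildItem -Path $root -Filter *.log -Recurse |
            Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -lt $cutoff }
        foreach ($f in $old) {
            if ($WhatIf) { Write-Host "would remove $($f.FullName)"; continue }
            if ($ArchiveTo) { Copy-Item $f.FullName (Join-Path $ArchiveTo $f.Name) -Force }
            Remove-Item $f.FullName -Force
            $removed += $f.FullName
        }
    }
    return $removed
}

# Usage: dry run first, then the real thing from a daily scheduled task.
# Remove-OldServiceLogs -WhatIf
# Remove-OldServiceLogs -ArchiveTo '\\logcollector\ftp-logs'   # placeholder share
# Write-Host ("SYSTEM volume free: {0} MB" -f (Get-FreeSpaceMB 'C:'))
```

The archive option is there because the FTP logs being purged are the record of the connection abuse the next bullet is reacting to; a week of retention on the server is fine for disk space, but a copy on a collector is what lets you look back further when it happens again.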

RESOLVED that we need to look at changes to services on Norton1/2:

  • auto purging of old quarantine files
  • auto purging of AV service events for faster loading of log viewers
  • load balancing of clients across Norton1/2 for better performance/reliability
  • potential benefits of upgrade to SAV 10.0