Information for Desktop SAV Administrators:
General information:
1) Your main interface for viewing the activity of your desktops is the Symantec System Center console (SSC). You need a dedicated account to use this software; contact the CSS/CSI/WST group for accounts. The SSC software is part of the Symantec software CD.
2) Symantec maintains detailed logs on each individual client. Some of this information may never reach the central server (for example, when the machine is off the network or away from the lab network), so when reviewing an issue, look at the client's own logs:
For XP:
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs
For Vista:
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs
3) Additional logs are kept for the Admins for historical tracking. Access to this area is read-only and limited to members of the desktop SAV admin group; see the CSS/CSI/WST group if you need access. Once access has been granted, map the following Windows share:
This share contains several folders and files:
Root level – Daily log files with all the activity for a particular day. The files are named YYYY-MM-DD.log.
Folder: By_computer
Detailed logging for a specific computer. There is a separate file for each computer.
Folder: SCAN-LOG
Detailed logging per day for scan activity only. Note – there are several kinds of scans:
a) Forward from server:Defwatch – a DefWatch mini-scan performed when a machine starts up or when new signature files are loaded.
b) Forward from server:Scheduled – the weekly scheduled scans pushed from the central server.
c) Forward from server:Manual – scans initiated from the individual client machine.
Folder: By_OU
Detailed virus activity broken down by the root-level OUs of the FERMI domain.
Folder: by_Virus
Detailed virus activity grouped by the virus name as reported by Symantec.
4) Key registry entries to check when diagnosing potential infections. Look for suspicious entries under these keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\piffile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\txtfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
With this branch selected, look in the right pane for the value Userinit.
This value should contain only C:\WINDOWS\system32\userinit.exe, (note the trailing comma) and have no additional programs specified after the comma. Anything listed after the comma is started by Winlogon at every interactive logon, which is why malware appends itself here.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
With this branch selected, look in the right pane for the value load.
This value should be blank; any program named here is run when that user logs on.
If you suspect that a system is infected, examine each of these keys and determine whether any Value Name or Value Data, including the (Default) value, refers to a suspicious file.
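The following script is added here as a worked example; it is not part of the original SAV documentation. It walks the keys listed above, prints every value under each (including the (Default) value) for review, and then flags the two values the text says have a fixed expected content, Winlogon\Userinit and Windows\load, plus the shell-open commands for the three executable file types. It assumes PowerShell 2.0 or later, an elevated prompt (so the HKLM keys are readable), and the stock Windows defaults noted in the comments; it is read-only and changes nothing.

```powershell
# Added example (not from the SAV page): dump the autostart locations listed
# above and flag values that differ from their expected defaults.
# Assumes PowerShell 2.0+ on XP/Vista-era clients, run elevated. Read-only.

# HKEY_CLASSES_ROOT has no PowerShell drive by default; map one.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    'HKCR:\comfile\shell\open\command',
    'HKCR:\piffile\shell\open\command',
    'HKCR:\exefile\shell\open\command',
    'HKCR:\txtfile\shell\open\command'
)

# 1) Print every value under each key so the admin can see which file each
#    one points at. Keys that do not exist on this Windows version (the
#    RunServices keys are Win9x-era) are skipped silently.
foreach ($key in $autostartKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    # PSPath, PSParentPath, PSChildName, PSDrive, PSProvider are PowerShell's
    # own bookkeeping fields, not registry values; drop them.
    $item.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { '{0}  [{1}] = {2}' -f $key, $_.Name, $_.Value }
}

# 2) Winlogon\Userinit: only userinit.exe, nothing after the trailing comma.
#    %windir% is C:\WINDOWS on XP and C:\Windows on Vista; -ne is
#    case-insensitive, so both compare equal to the expected path.
$winlogon         = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedUserinit = Join-Path $env:windir 'system32\userinit.exe'
$actualUserinit   = [string]$winlogon.Userinit
if ($actualUserinit.TrimEnd(',') -ne $expectedUserinit) {
    Write-Warning ('Userinit is ''{0}''; expected ''{1},''' -f $actualUserinit, $expectedUserinit)
}

# 3) HKCU ...\Windows\load: should be blank (or absent entirely).
$hkcuWindows = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
if (-not [string]::IsNullOrEmpty([string]$hkcuWindows.load)) {
    Write-Warning ('HKCU Windows\load is ''{0}''; expected blank' -f $hkcuWindows.load)
}

# 4) Shell-open handlers for executables. The stock Windows default for
#    comfile, piffile and exefile is "%1" %* ; anything else means a program
#    has inserted itself in front of every executable launched by the shell.
#    txtfile (default: Notepad) was printed in step 1 for manual review only.
foreach ($ext in 'comfile', 'piffile', 'exefile') {
    $cmd = [string](Get-ItemProperty -Path "HKCR:\$ext\shell\open\command").'(default)'
    if ($cmd -ne '"%1" %*') {
        Write-Warning ('{0} open command is ''{1}''; expected "%1" %*' -f $ext, $cmd)
    }
}
```

Two caveats when reading the output: a legitimately installed product (a printer utility, a management agent) will also appear under the Run keys, so a warning is a lead to investigate, not a verdict; and on 64-bit Windows the 32-bit autostart entries live under HKLM\SOFTWARE\Wow6432Node\...\Run, which neither the list above nor this script covers.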
Quarantine Folder
We configure the desktops to use a local quarantine folder rather than a central quarantine server. When Symantec cannot repair or delete an unwanted file, the suspect file is moved into the quarantine folder. Do not delete or manipulate files in the local quarantine folder directly; use the SAV interface to remove unwanted files from the quarantine area.

If you are the local admin of the client machine, you can access the quarantined files when you need to retrieve them or send copies to Computer Security or Symantec for further analysis. Since these are potential virus files, handle them with care. (Note that when Symantec performs a full scan, the quarantine area is also scanned, but Symantec reports the suspect file under its original location, not the quarantine folder location.)
The quarantine folder is located at:
For XP:
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine
For Vista:
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine
How to do a Manual install of the SAV client software: click here