Symantec AntiVirus Update Mark Reynolds Manager of Support Services Technology Support Services Michael Satut Manager of Distributed Support Services Technology Support Services

Agenda Symantec AntiVirus Corporate Edition 10 –New Features –Spyware Detection and Removal Test Results –Deployment Plans Managed SAV –Definition –Benefits –How It Works –Implementation –Management –Requirements

SAVCE 10 New Features –Real-time protection to reduce the risk of spyware reaching the system –Automatic removal for easy disposal of security risks –Side-effect repair to clean up registry entries, files, and browser settings after hard-to-find spyware infection –Control over spyware settings via existing Symantec™ AntiVirus Corporate Edition management interface (for managed SAV)

First Impressions Mixed –Symantec’s first effort in this arena –Expect them to get major feedback and adapt –Not at this point a comprehensive spyware protection tool, but a good additional measure How Effective is This New Feature?

Testing Performed by both NUIT and Kellogg Information Systems (Zach McHenry and Nick Bennett) Test Environment included: –Windows XP SP2 –Isolated Port –Short duration tests – infect, monitor, assess impact –Monitoring Equipment (Kellogg)

How Effective is This New Feature? Example of a Test Session: –Access various Web sites and allow ActiveX queries to load and install –Seek out trojans/viruses and infect the machine –Click on popups offering help with processor performance, spyware removal, etc. –Install programs known to have spyware –Install P2P programs Within 30 minutes: –Many Popups –Search Toolbars –Startup page changed –Some sites redirected to “search” sites

How Effective is This New Feature? What Did SAVCE 10 Do? –During the infection phase: SAVCE notified us of adware/spyware/malware infections and would either quarantine them or leave them alone. Sometimes these Symantec notifications could not be stopped except by pressing a “Repair Now” button. That, at times, caused SAVCE to freeze. –Rebooted in safe mode: Ran a full scan – found 90 infections –Rebooted in normal mode: Opened IE Nonstop popups and SAVCE notifications

How Effective is This New Feature? Summary observations about SAVCE: –Detected and corrected a lot of spyware. –Notifications are persistent and will at times require IT intervention. Many of these notifications are cryptic: “Access Denied: Quarantine Succeeded?” –Good prevention and correction tool for moderate cases. –Any significant malware removal will require trained IT support; other tools may be more effective in some of these cases.

Recommendations SAVCE good as an additional tool Users will be more aware of extent of their infections Monitor SAVCE performance and provide feedback to Symantec Educate users about the cause of these infections

Deployment Plans SAVCE 10 and configuration instructions were distributed to UNITS for testing on 8/4/2005 – feedback is due 8/12/2005 General Availability before the end of August Managed SAV update available for deployment after we receive feedback on client

Questions About SAVCE 10 Mark Reynolds

Managed SAV- Definition A managed Symantec AntiVirus (SAV) environment creates two-way communication between your clients and your parent server. This allows for direct oversight and management of client configuration and virus definitions.

Managed SAV- Benefits More timely and controlled distribution of virus definitions Allows for oversight of all managed client’s antivirus protection and status Eliminates the need for individual computer visits to manually update or verify virus definitions Downloads occur in the background This software is available at no additional cost (NU site-licensed)

Managed SAV- How it works “Push” and “Pull” technology- on demand administrators can: –Initiate a server push of new virus definitions –Start a virus sweep of all managed clients On the hour clients will check-in to: –Pull new virus definitions and configuration changes –Report current individual status to server

Managed SAV- Implementation Install server version of SAV Install Symantec System Center Console Convert clients to managed: Login scripts or manual install on each client Determine virus definition source: LiveUpdate vs. Intelligent Updater

Managed SAV- Management Management through Symantec System Center Console View and modify client configuration and status Verify clients virus definitions Push updates or start a virus sweep

Managed SAV- Requirements Server –Windows XP Professional; Windows 2000 Professional/Server/Advanced Server; Windows Server 2003 –Static IP addresses (recommended) –Can be an existed file server or domain controller Client firewall –For full functionality, desktop firewall software needs to have port 2967/UDP open

Examples School of Communication –Large user base –Difficult and time consuming to visit all machines as often as needed for antivirus updates Crown –Small user base, but high profile –Needed to decrease lag time and increase security

Bottom line Installation of this service will reduce client visits and increase your overall security baseline. This is not a complete solution. It is still important to: –Educate your users –Regularly update both operating systems and applications –Consider both software and hardware based firewalls –Use strong passwords on all accounts –Disable unnecessary services

Questions About Managed SAV Michael Satut More information on SAV –\\chocolate.tss.northwestern.edu\NAVAdmin\Docs\\chocolate.tss.northwestern.edu\NAVAdmin\Docs