ZENworks and Virus-scan Products

Novell Cool Solutions: Trench

Posted: 22 Jan 2002
 

Version: ZENworks 2

OPEN CALL: If you have any experiences to share involving ZENworks 3.2 and these virus-scan products, please let us know. This series was written for ZENworks for Desktops 2, and while many of them probably apply to ZfD 3 and 3.2, it would be nice to know for sure. E-mail us at zwmag@novell.com

We know this topic is very hot for a lot of you. This page and the one specifically about McAfee Updates continue to receive many hits each month. As one person recently wrote: "Very useful page, getting feedback regarding how admins have actually solved the problems raised in a real production environment." If you've got something to add, we hope to hear from you soon!


We've posted quite a few solutions for distributing McAfee Updates via ZENworks, and this topic has proven to be very popular with ZENworks administrators around the world. However, we've also had a number of questions from folks who use other Virus-Protection products, and we thought it would be useful to find solutions for them as well.

We have a power user in Canada who has already offered some ideas about Symantec's NAV program, which helped him fight off the Melissa virus a long while ago. Here are some other ideas from helpful ZEN'ers in the community. Thanks to all of you, we've got some great suggestions for a number of other products. If you have other ideas, please send them our way.


Command AntiVirus

Product of Command Software Systems.


Sande Nissen from Northfield, MN

You asked for feedback about the automatic updating of other antivirus packages. We have figured this out for Command AntiVirus for Windows 95/98, a.k.a. CSAV95, a.k.a. F-PROT Professional.

As with McAfee, Command AntiVirus has the ability to update itself, and that's the best way to do it. You enable this by changing a few settings in the SETUP.INI file that's in the network installation directory. (We have separate network installation directories, one for new installations, and another for these updates.) The SETUP.INI file is completely documented by comments within it. The settings changes you need to make are InstallSilent=YES and SetupType=Upgrade. With this, the user should see a notification dialog but receive no prompts until the end. (If the user does get prompted, check other settings in this file, especially the Launch* settings.)

Now, if you run SETUP.EXE from this network installation directory, it will update any components of Command AntiVirus that are out of date, including the virus signatures. It will also prompt the user for a reboot if one is needed, which it usually is. We use a ZENworks application that just runs SETUP.EXE to push virus updates monthly. By letting Command AntiVirus update itself, it will unload and reload its scheduler (F-Agent) and real-time checker (DVP95) correctly. In fact, that's the only way we found that works. Any attempt to change the virus definition files with these components loaded always resulted in freeze-ups, in our testing.

CSAV has several other built-in ways for doing virus definition updates, including an administrator's package called CSS Central. We fiddled with each of them, but either they didn't work reliably, or they were more trouble than the straightforward approach outlined above.

If you have any questions you may contact Sande at snissen@acs.carleton.edu

Nick Brown

Although I had success pushing out the Command anti-virus software updates via ZENworks, I have now managed to fully automate the downloads of the definition files and the full Command anti-virus product on a regular basis.

Using ZENworks was fine, with a small problem - you had to run the loader / setup program (depending if you were updating the definition files or the full product) at each login, which could be time consuming for the users (especially to reinstall the full product). So I started to look at the Csscentral application which Command also supplies, and which is designed to use as a downloading tool for their updates.

  1. Install Csscentral onto your Administrator's workstation.
  2. From the 'update' menu select 'configure ftp' and set up the IP address / FTP / HTTP download site address (ftp.command.com for U.S. / ftp.command.co.uk for U.K.) (a second backup address can be entered on the 'secondary ftp site' tab, and I used IP on the first and FTP on the second).
  3. Also enter your username and password (as supplied by Command).
  4. Now click on the 'local configuration' tab and enter a 'staging directory' (this should be a local directory for storing the downloaded EXE file), and an 'automatic update directory' (the network directory your program files are stored, usually ending ...\CSS). You may also at this point set up scheduling dates / times from the 'next download time' button if you wish to automate downloads.
  5. Now click 'configure platforms' from the 'update' menu and select your operating system tab.
  6. Now this is the interesting bit! If you select the 'signature file updates' tick box, the definition files (*.DEF), which are used to update your protection from new viruses, will auto download in conjunction with your scheduled settings (set in 'next download time' above).
    Or you can download them straight away by also clicking on the 'download button' here. Similarly you can download / schedule downloads of the full Command product by using the 'product updates' section on the same screen.
  7. Once the download(s) have completed the 'file management menu' will display the resulting *.EXE file (in your staging directory), this will now need to be 'deployed' into your 'automatic update directory' for the users to access. They will need to run the Loader32.exe program to force the initial run, for which I used a Snapshot/Zenworks.

Also, as Sande Nissen described in an earlier article, you can edit the SETUP.INI file in your 'automatic update directory' with certain parameters. If this is edited before the users run the Loader.exe to update then the changes will affect the local user's version of the program. One setting of particular interest was the 'AutoUpdateDir=' setting. If you find this line within the file and set it to access the 'automatic update directory' as set within the Csscentral program earlier, the local Command anti-virus software will access this directory on each launch and check for more recent versions of the definition files / the full product. i.e. - AutoUpdateDir=\\Server\F-Instal.95\Css\

For the first Login of each subsequent day the local Command software will look to this directory, and, if the Csscentral download has changed the resulting latest sub-directory (listed in ...\Css\Cssfiles.ini, which it should each time there is a newer version) it will automatically update the definition files / product files as a background job.

The downloaded *.EXE file can also be manually 'deployed' to other networked sites manually from Csscentral.

Using this method we are scheduling downloads of the DEF files weekly (which are set to automatically deploy, making them fully automated) and doing 'manual' downloads of the full product monthly.

Checking the definition file dates from the 'help', 'about command antivirus' menu from the local machine(s) will ensure the users are receiving regular updates.

If you have any questions you may contact Nick at nick.brown@gwent-ha.wales.nhs.uk
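
The manual date check Nick describes can also be scripted. The following is an added example, not part of Nick's post or of Command's tooling: it compares the modification times of *.DEF files in the automatic update directory with those on a workstation. The function names, the sample file names and the 7-day threshold (taken from the weekly download schedule) are assumptions.

```python
"""Added example: audit *.DEF definition files for staleness."""
import os
import tempfile
import time
from pathlib import Path

WEEK = 7 * 24 * 3600  # assumption: DEF downloads are scheduled weekly


def def_files(directory):
    """Map upper-cased *.DEF file name -> modification time (epoch seconds)."""
    found = {}
    for entry in Path(directory).iterdir():
        if entry.is_file() and entry.suffix.upper() == ".DEF":
            found[entry.name.upper()] = entry.stat().st_mtime
    return found


def audit(update_dir, local_dir, now=None, max_age=WEEK, slack=2.0):
    """Return sorted (kind, file name) findings for one workstation.

    SHARE_STALE  newest DEF on the share is older than max_age (or there is
                 none), so the scheduled download has probably stopped
    MISSING      DEF exists on the share but not on the workstation
    OUTDATED     workstation copy is older than the share copy
    slack absorbs the 2-second timestamp granularity of FAT volumes.
    """
    now = time.time() if now is None else now
    share = def_files(update_dir)
    local = def_files(local_dir)
    findings = []
    if not share or now - max(share.values()) > max_age:
        findings.append(("SHARE_STALE", ""))
    for name, mtime in share.items():
        if name not in local:
            findings.append(("MISSING", name))
        elif local[name] + slack < mtime:
            findings.append(("OUTDATED", name))
    return sorted(findings)


def _touch(path, mtime):
    """Create a constructed sample file with a fixed modification time."""
    path.write_bytes(b"constructed sample, not a real definition file")
    os.utime(path, (mtime, mtime))


def demo():
    """Run the audit over constructed directories and return the findings."""
    now = 1_000_000_000.0  # fixed clock so the result is reproducible
    with tempfile.TemporaryDirectory() as tmp:
        share, local = Path(tmp, "share"), Path(tmp, "local")
        share.mkdir()
        local.mkdir()
        # Share: three DEF files deployed an hour ago, plus a non-DEF file.
        for name in ("SIGN.DEF", "MACRO.DEF", "NEW.DEF"):
            _touch(share / name, now - 3600)
        _touch(share / "README.TXT", now)
        # Workstation: one current copy (1 s older, inside the slack),
        # one copy that is a month old, and NEW.DEF never arrived.
        _touch(local / "sign.def", now - 3601)
        _touch(local / "macro.def", now - 30 * 86400)
        return audit(share, local, now=now)


if __name__ == "__main__":
    for kind, name in demo():
        print(kind, name)
```
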


Dr.Solomon's AntiVirus Toolkit (by NAI)

Product of Network Associates (NAI). For more information, see their website.


Geoffrey Carman

You requested info on using ZEN to distribute virus updates. Here is how we do Dr. Solomon's Anti-Virus Toolkit. As it turns out, the updater is pretty dumb. It copies all the files to the %TARGET_PATH%\UPDATE and then adds at the top of AUTOEXEC.BAT a line to call UPDATE.BAT that copies all the files over on the next reboot. Then when it is done, it deletes that line from the AUTOEXEC.BAT file, and re-calls AUTOEXEC.BAT and you go on.

So snAppShot before, run the install, edit autoexec.bat to comment out the line. Reboot. Edit Autoexec.bat, UNcomment the line, and snAppShot again.

And ta-da... It works. You have to clean up the extra drek that rebooting and running things add (MRU Streams Registry entries, WM log files, etc...) but those are all normal things.

If you have any questions you may contact Geoff at geoffc@myrealbox.com


Inoculan

Product of Computer Associates International. For more information, see their website.


Tommy Mikkelsen

How to distribute Inoculan signature updates to WinNT.

Well, this one is a simple one.

  1. When you download the signature file from http://www.cheyenne.com, and you click on the downloaded file, you are prompted with a choice asking you to unpack the files to a directory. Select a directory on your file-server called inoupd.
  2. Now for the magic part. Create a ZEN-App with the following entry under the files section:
    copy inoupd\*.* c:\inoculan\
  3. Make this app run once and forced run. Make sure the version number equals the signature version.
  4. If you want this to take place right away, flag the app to reboot the Workstation, or leave it as is to make this update active next time the user reboots his/her workstation.
  5. Next time a new signature is released from Cheyenne, all you have to do is to unpack it into the same directory, and change the version-number on your app.

If you have any questions you may contact Tommy at tom@support.organisator.dk

Dave Bullamore

We recently upgraded to ZEN 2 and use it to distribute Inoculan signature file updates to secure NT workstations. Because the files are in use and the users do not have admin privileges, we configured the app object to "run as secure system user" and then issue a '#net stop "cheyenne inoculan anti-virus server"' in the pre-distribution script and a '#net start "cheyenne inoculan anti-virus server"' in the post-distribution script. The files get updated and become effective immediately whereas before it required a reboot with ZEN 1.1.

If you have any questions you may contact Dave at dave.bullamore@rexhealth.com

Karl West

We currently use Inoculan 4.0 for our anti-virus and this is how we keep it up to date.

  1. I ran a snAppShot of a standard installation without the automatic update that checks the web site for new signatures every 30 days.
  2. Once I did that, I converted the file names from the .fil extensions to the real names.
  3. I signed up for the e-news which tells me when new signatures are released. Then as I receive the update notifications from CAI, I download the zips and tell it where to place the files, I use the same location as the snAppShot. This does a couple of things. If a user needs to install the software he can run it from the NAL window and get the complete update, program and virus signature.
  4. I also created a second app that is set to force run upon version number change in the application object in NDS. I set the requirements to check for the existence of the Inoculan on the local drive each time a user logs in and forces down the signature update before the user starts his day. This protects us for any users who might be off-line during updates. This also keeps our internet traffic down to one download as opposed to 300.

If you have any questions you may contact Karl at karl.west@walkerparking.com

Per-Anders Jansson

Inoculan distribution with NAL.

In our approach we use three application objects:

  1. The client install/run application.

    The application object was created with snAppShot and includes a shortcut to the executable after installation (c:\program files\cheyenne\antivirus\inocu95.exe).

  2. For signature file updates we use an application object with a shortcut to the Update95.exe file (somewhere on a file server) containing the new signature. This is a setup program, but the users only have to click through a few default pages and reboot. We have marked the object Run Once so it will disappear after use. When a new signature file arrives we simply overwrite the old file on the server and increase the serial number in the distribution tab, making the application icon re-appear.
  3. The third application object is used for user notification on new signature files or virus alerts. It is an object with a shortcut to notepad which opens a textfile with whatever message we want to deliver. Force Run and Run Once. We just increase the serial number in the distribution tab when we want to show it to our users.

This is not a very high-tech solution, but it works great for our 500 clients and ensures that everyone has access to the latest signature files.

Corey Reynolds

There is an easy way of updating Inoculan/Cheyenne Antivirus clients using ZEN. First, follow Computer Associates' instructions on setting up the AVUPDATE utility at the URL: http://www3.ca.com/support/

But instead of putting the AVUPDATE command in the login script as CAI suggests, make an application object to call AVUPDATE! (Hey, that's what ZEN is for!) This gives you complete control of when the update is performed. I know I have people in my office who NEVER logout, so putting anything in the login script is futile for them. It also prevents AVUPDATE from running needlessly every time a user logs in.

The one thing to remember with AVUPDATE is that it always asks the user if they want to reboot - you can't change this option. So it works best if you schedule the first run for the next morning - before people start working on documents that they could lose if they hit the "reboot now" button. There may be some users who like to press the reboot button and then complain they lost everything. For these users, exclude them from the application object and update them manually.

When you're ready to update, dump the client update files into the exact directory that CAI says - or this won't work! And then change the version number in the application object properties. Then sit back and relax - because you're using ZEN!

If some virus emergency arises and you need to update everyone immediately, you can use ZEN to force the user to reboot - which you can't do with AVUPDATE.

If you have any questions you may contact Corey at corey.reynolds@keen.ca

Jim Koerner

You were looking for tips for Antivirus programs. I have one for Inoculan for NT Client. If you check the AOT file I attached, it is very simple to update Inoculan NT clients via ZENworks.

Basically I download the latest Signature file, copy the files to my distribution point, and then bump up my 'Application Version' for the application object. People log in and get the files copied to the Inoculan update directory on their machine and then the Inoculan realtime monitor will update the client on the next startup.

The 95/98 client uses AVupdate.exe so I just put it in the Script but the same could be done for a 95/98 Client.

Here's the AOT.

If you have any questions you may contact Jim at koerner@reimelt.com

Andre Kivits

I read in an article that you wanted ideas about how to distribute Inoculate/Inoculan over a network. So here is the answer, for NT workstations, using a Novell 4.11 server.

The NT server is running Inoculate 4.0 and is directly connected to the internet. I've configured Inoculate to download only the NT sigs on the 20th of every month at 8:00 am. ( I only have NT workstations running here.) These files will be downloaded into c:\inoculan\getbbs\nintel\ready

  1. Configure the IPX/SPX gateway for NetWare on the NT Server.

  2. Make a public update directory on the Novell server and write it down. (Ya need that later.) For example: (\\srv\vol1\data\updates\winnt\inoculan)

  3. Make with the Administrator an NT server user and grant him all the rights on all the Novell servers' update directories (if ya have more than one).

  4. Then configure on the NT server a batch file which will copy all the sig files to the update directories on the Novell servers.
    For example:
    • Deleting backup directories:
      del \\srv\vol1\data\updates\winnt\inoculan\backup\*.*
    • Copying old files to the backup directory:
      copy \\srv\vol1\data\updates\winnt\inoculan\*.* \\srv\vol1\data\updates\winnt\inoculan\backup
    • Copying all sigs to NetWare update directories:
      copy c:\inoculan\getbbs\nintel\ready \\srv\vol1\data\updates\winnt\inoculan

  5. Schedule this batch using AT or WINAT for the 20th of every month at 8:30.

NOW ZENWORKS RULES..... HIHIHIHIIHIHI

I thought the best way to update is when the workstations are idle. So I scheduled a screensaver with the Novell Scheduler (centrally done on the server with client config in the workstation policy. It can also be done locally.) When the screensaver gets active on the workstation, it will run a batch file.

For example:
C:\inoculan\ntupd86.exe \\srv\vol1\data\updates\winnt\inoculan c:\inoculan

When user touches his mouse or keys he will see that the sigs are updated.

This procedure can also be done on 98/95 workstations using avupdate.exe.

I hope this will help ya some.

If you have any questions you may contact Andre at virtual_liberty@hotmail.com

Jacob Steenhagen

This is in response to your request about distributing virus signatures. Here we use InocuLAN. I've used three different methods to distribute these signatures in the past, so I'll describe them all so each individual can choose which one they like best.

The Batch File method

This ZIP file contains an avupdate.bat file as well as an avupdate.inf file as well as instructions for updating the signatures.

The initial install will be the most difficult as your Cheyenne AntiVirus may be installed in a different location than mine is. Basically what the file does is copy the files to a temporary location on the hard drive and update/create wininit.ini to move the files on the next reboot.

This is convenient in that there is minimal interruption to the user, but the signatures still remain close to current. The downside is that it takes two reboots (one to run the .bat file and put the update into the "queue", and another to actually perform the update).

Download the BAT file.

The ZEN App object method

This ZIP has an AXT file in it that does basically the same thing as the BAT file listed above. It also suffers from the same drawbacks. However, it can get a more up-to-date signature, as simply refreshing NAL will grab newer signatures if they are available. It also has the advantage of not opening up a DOS Window.

Download the AXT.

The 95update method

I would personally consider this the best method. The initial setup is the easiest of the three, but its true convenience lies in the workarounds it can easily facilitate.

As a part of each installation of the client, a file is created in the Install Directory (Program Files) called 95update.exe. This program simply takes one parameter which is the location of the signature files. This can be any path, including UNC. When this program is run, it looks at %1 and checks the signature version there against the local version. If it's a newer signature, it shuts down RTM, does the update, and brings RTM back up, all without a reboot.

The true power comes when you use AutoDownload. I have an NT server here with a dedicated connection to the Internet. I have its AutoDownload setup to download and make available signatures for both Windows NT and Windows 95 every day at 5 AM. I then point my %1 (using the Command Line parameters option in the APP object) to \\Exchange3\cheyupd$\English\WIN95\Ready (Exchange3 is, of course, the PC Name).

Now when my users come in and log in between 6AM and 8AM, any new signatures are installed automatically on their PC (in the case of the ones at 6, it all happens while I'm still in bed sleeping... :O)

If you have any questions you may contact Jacob at jsteenhagen@acutex.net

Thomas Veilleux

Automatic Update of Inoculan using ZENworks - for Win 9x

For those who wish to install Inoculan anti-virus and DAT update using ZEN, here's one idea.



  1. For Windows 9X, create a package that is an automatic Run, and put the AVupdate.exe and DAT file under a folder on the server.
  2. Configure your INI file for AVupdate to give the path to the update files on your server. You can also give your anti-virus settings using the registry, so in that way, all users have the same configuration and even if they change it, it will revert back to corporate settings.

It's going to update your Inoculan files every morning when users log on.

If you have any questions you may contact Thomas at Thomas_Veilleux@hotmail.com


NOD32 (ESET, LLC)

Established in 1999, ESET, LLC is a software and consulting company focusing in the area of computer security with special emphasis on anti-virus protection, prevention and education. For more information, see http://www.nod32.com/

Bradley Jerome

In regards to updating virus scanners, I used to use McAfee on our network but always had trouble with computers freezing when they were updated. So to fix this I found a virus scanner called NOD32. It was very easy to set up and when set up with the admin section (admin section does not have to be installed on workstations) it allows you to create a mirror download site on your network. You point all of the workstations to this mirror directory to update, and guess what? No freezing.

You can also specify when to update -- anywhere between 1 to 24 hours. It comes with a lot of security options as well as coming in most flavours. You can download it at www.nod32.com

If you have any questions you may contact Bradley at bradj@stmichaels.qld.edu.au


Norton AntiVirus (NAV)

Product of Symantec. For more information, see their website.


Jim Stasik

Distributing NAV updates and config changes:

Distributing virus updates is pretty simple. A simple snAppShot usually does the trick, however with the config changes there needs to be a reboot for the changes to take effect. This is due to the fact that the file gets read on startup.

Rob Canis

For updating Norton virus files, I have a cool way that I do things. I have a NAL object that pushes out the update files to all my users at once... here's the way it works...

First I get the navupdate and extract it to a network drive my users can get to. Once that's done, I have an app object that copies those files to c:\program files\common files\symantec shared\virusdefs\incoming. Everything else is done automatically once those files hit the user's drive. Then, when new viruses come out, I extract the files and bump the version number up on the app object! It's a cool way to do it, and saves me a ton of work, and best of all, I control it instead of hoping that liveupdate runs.

Brian Dann

We distribute the NAV updates simply by creating an object that is set to force run on all users, which executes the latest SARC update file from a location on the network. By using the /q (for quiet) switch, and choosing not to show distribution, the update is applied without the user knowing. When a new update comes out, I just change the version field to the name of the new update file and the object runs again on next login.

If you have any questions you may contact Brian at bdann@mwe.com

Nick Gastuch

This is in regards to the question of distributing Norton AntiVirus updates. Are these software updates for the application or AntiVirus signature updates? Norton signature updates can be installed silently without user intervention by adding /q to the command line of the executable.

If you have any questions you may contact Nick at ngastuch@ryland.com

Brian Hampson

This is in response to the open call for using ZEN to push AV. We use NAV Corporate Edition here. The basic definition updates all just work using NAV's SSC, but if you need to reinstall the app, it's a pain, since you have to have admin privileges on the NT workstation to install.

Here comes ZEN. You can actually prepackage an install of NAV, using their packager, and then you simply associate a hardware policy with the workstation, to run in the middle of the night, with a disable on completion. Voila...whole AV update rolled out, without ANYONE knowing any different. I also run a hardware policy that runs lupdate -all weekly so that it grabs all the updates that Symantec puts out without telling you :)

Really simple.

Chuck Carroll

Regarding updating NAV: In the "Ask the Experts" column, June 7, there was a question about updating NAV without prompting the user. This can be done with the command line switch "/q". I create simple app objects that call the virus update executables (usually named for their release date, for example, "0619i32.exe"), and then under the environment tab, put a "/q" in the command line parameters. Associate the object with the workstations or users, and the update will run silently with no prompt.

You could also run this from the login script, but that way, you would have to leave it there for a number of days in order to be sure that all the machines get updated. Actually, you'd never really be sure that the machines update that way, as someone could be on a long vacation. Also, there is a slight delay when the executable runs, and this would happen every time users log in, so I've found it better to just use this simple NAL app, and set it to run once for the associated containers.

If you have any questions you may contact Chuck at Carroll@arrowstreet.com

Debbie Carraway

We recently encountered a problem with Norton AntiVirus Corporate Edition 7.02 (NAV), which does not currently work with Windows NT 4.0 roaming profiles under certain conditions. The suggested workaround is to restart the NAV service, or restart the computer.

While Symantec is working on a fix, I used ZENWorks to create the following workaround:

First, I made an app object that uses sc.exe from the Windows NT Resource Kit to set the Norton AntiVirus service to start manually, rather than automatically (sc.exe config "Norton AntiVirus Server" start= demand). It runs as "secure system user", and I assigned it force-run/run-once to affected workstations.

Then, I made 3 app objects that run as "secure system user". Using sc.exe, one app starts the NAV service and one stops it (START_NAV and STOP_NAV). Another app uses the freeware GNU port sleep.exe to pause for 10 seconds (SLEEP_10).

Running as a secure system user makes these apps faceless, allows sc.exe to configure/start/stop the service, and prevents the end user from prematurely quitting sleep.exe.

The NAV app object itself uses NALRUNW from the ZENWorks 2 Administrator's toolkit in the Launch scripts to run these apps. The pre-launch script runs START_NAV and SLEEP_10. This starts the NAV service and allows enough time for the service to start up before the user can start a virus scan.

The NAV termination script runs STOP_NAV and SLEEP_10. As long as the service has stopped, the user's roaming profile will copy correctly when they log out.

One thing to look out for is that the NAV app object must run as a regular user, not as an unsecure system user; otherwise the termination script will start as soon as NAV has launched, rather than when it has closed; and the service would stop before the user has finished using the application.

If you have any questions you may contact Debbie at debbie_carraway@ncsu.edu



Additional Questions

If you have any ideas for these, please chime in.

Q: Paul S. wrote: Just wondering if any ZEN'ers have managed to remove NAI's VirusScan 4.0.3a and install VirusScan 4.5.0 within the same ZEN-app-snAppShot for NT4WKS.

I've tried this myself, and when applying the snAppShot to another workstation all settings for VirusScan are lost and the default SystemScan is disabled and can't be enabled.

I'd be real grateful for any feedback, as I would like to find out if anyone managed to upgrade to 4.5 using ZEN?

A: Hey, Paul, check out Zaheer Hasan's solution in Distributing McAfee Updates. Could be just what you need...

Q: Joe Sears wrote: I am having a problem with Norton AV. We usually install the def update with a silent install on the exe that comes from Symantec. The problem we are seeing is the PC name is getting wiped out. This is not a big deal on Win9x PC's, as they don't really use the name for anything on our network. The real problem is on our WinNT Workstations. With no PC name they cannot be logged into at all.

I was wondering if anyone has seen this and can confirm that it is the Norton Update that is causing the trouble.

