Cool Solutions

OPEN CALL: Pushing out Symantec AntiVirus Corporate Edition 10.0

coolguys

By:

April 28, 2006 12:00 am

Reads: 9208

Comments:0

Score:0

Itay M. wrote: I’ve read the nice article ‘Pushing out McAfee Virus Scan 8.0‘ – it is really helpful. I was wondering if you could open a new thread with a similar – but yet different subject – ‘Pushing out Symantec AntiVirus Corporate Edition 10.0′ – using ZENworks of course.

Symantec has zero (yes, zero) articles regarding the deployment procedure of SAV CE (=for clients) 10.0 .
Maybe Cool Solutions will soon have more info about this issue than Symantec does.

OPEN CALL: If you have experiences to share on this topic, let us know.

Experiences

Shane Schlosser

SERVER Side:

We just deployed SAV CE 10 and have had a few issues on our NetWare servers. The server side seems to be a bit flaky, make sure to un-install any old versions of SAV CE on a NetWare server before installing the new version, then install the new version as a fresh install in a new server group. If you don’t, the “upgrade” will hang and the server will show as disabled in the system console and you will probably get an abend in RTVSCAN.NLM. See this link for Symantec’s response to the issue.

I have also had a number of problems with servers disappearing from the server group in the Symantec console and having to un-install and re-install SAV to the NetWare server. I’ve also had a few abends with RTVSCAN.NLM ad different times on the server. Still working on these issues with Symantec.

CLIENT Side:

I deployed SAV through ZENworks for Desktops by running the setup.exe that came with SAV with the following commands:

SETUP.EXE /s /v”/qb RUNLIVEUPDATE=0″

This ran a totally silent install of the SAV client on the workstation.

The ZENworks application I used to deploy checked to see if the “C:\Program Files\Symantec AntiVirus\DoScan.exe” file existed on the local drive, if it did NOT then the application would run. The DOSCAN.EXE file is new with SAV 10 so the application would upgrade older versions of SAV and install on systems that did not have SAV installed at all.

We have had very good success with the client side with only one small issue. The SAV client installs with a default “Quick Scan” on system startup. Now this scan can be anything but “Quick” so you will want to remove it. Here is Symantec’s take on the issue.

I didn’t discover this issue until we had deployed it out to most of our workstations so I made a ZENworks app to push the registry changes out to fix the problem.

Even with these issues I really like having the real time spyware and adware protection, we’ve cleaned up a lot of workstations on our network since deploying SAV 10.

Geoffrey Carman

SAV CE is quite easy to push out. You basically run the MSI file.
Using ZENworks for Desktops to push it out is pretty easy. We have been running the 10
installer right over top 8.0 or 9.0 clients.

The interesting part is switching the Management server for the clients.

There are two ways to do it.

One, from sys:\sav\Clt-inst\WIN32 grab the GRC.DAT file from
the server you want the client to attach to, and drop the file in:
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec
AntiVirus Corporate Edition\7.5
for WinXP clients.

Or use GRCDrop.exe from Symantec. This tool, when run, will grab the GRC.DAT provided and set you to the
right server.

What is nice is that it is aware of Win 9x, and 2K and XP (the paths
are different for each OS).

Grant C. Ballard

We obviously use ZENworks for Desktops to push out SAV. We have had nothing but troubles with SAV until this version which appears to be leaps and bounds better.

What we do (or are in the process of doing) is the following:

1) Remove the old SAV/NAV
There is a nonnav.bat utility that Symantec has on their website that will do this. I rewrote it into a ZENworks object because it was much more elegant (I can make it available if needed). We check to make sure that no one’s logged in before we run this (by checking for a registry key that only exists when a user’s logged in) because this removal process can take some serious time. I use rtvstop.exe (from Symantec’s nonav) and pskill.exe (from Sysinternals) to hopefully kill the various processes. Finally, we only let this utility run during off hours so it doesn’t kick off when they boot their PC in the morning. Disadvantage to this method is that you have to communicate to the user to log out (not shutdown, lock their workstation, etc.)

2) Install the new SAV 10 (if there is no current version).
This AO checks for an existence of SAV/NAV. It looks in various locations for rtvscan.exe (and there’s about four or five possibly places depending on versions, other symantec software installed, etc.). If there is a version, I don’t install, (because I want to remove SAV first) otherwise I force run a silent MSI install. Caveat here is it won’t install on a locked down workstation. I still need to figure out what reg keys it needs rights to.

Why do we remove SAV/NAV? Well, because we have lots of different versions out there. We have some running retail versions. Some versions won’t uninstall. We wanted to get as fresh a machine as possible.

Final thoughts: We also had to push a reghack (prior to the install) to keep a daily quick-scan from grinding our machines to a halt. (Note, this scan doesn’t show up in scheduled scans. It’s something Symantec forces on you). Reghack follows:

Windows Registry Editor Version 5.00
 
[HKEY_CURRENT_USER\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks]
"CreatedUserQuickScan"=dword:00000001
"CopiedDefaultScanOptions"=dword:00000001

I hope this info is helpful to somebody. We have spent many hours trying different ways and have found this to be the best for us.

Frank Neill

A lot depends on how you want it installed (whether you want the firewall installed or just the Anti-virus program). It also depends on whether you want it to be managed or unmanaged. We are currently using the unmanaged format without the Norton Firewall but rather choose to use the XP firewall at this time. In order to do this, on CD4 there is a \SAV folder that has a setup.exe and an Symantec Antivirus.msi that can be pushed out with ZENworks. If you use the Setup.exe, you can modify the setup.ini in the cmdline= for the installer switches that will allow you to install silently.

Sami Kapanen

Actually we have found Symantec’s own SSC / ClientRemote distribution method to be so easy that we didn’t use ZENworks with this one. See Symantec Knowledgebase ID 2005041514162248 “Symantec AntiVirus 10.0 installation walk-through for administrators” for detailed information.

Mark Nielsen

Here’s a really decent article from Symantec, called “Installing Symantec Client Security using command-line parameters.”

J. ter Meer

Hello Itay M.,

I use ZENworks and I love it. But in my opinion you need not do this in ZENworks.
If you have a w2k advanced or other w2k server or above you can deploy them
in the nav console there and deploy for future machines using imaging (ZENworks or
ghost).

I have Corp 9 and the following should work for 10 as well.
(Note: since Corp 8 there is no msi packager available anymore shipped with
Corp.)

In case you still want to deploy the client and you have a w2k
server with nav configured:

  1. Configure your client on the w2k server in the nav console.
  2. Copy the config file and the client install dir from the server to your
    novell server. (Search on date of files, if I remember it correctly it had a .dat)
  3. Create an mst with an msi packager (you can try to edit the one in the
    client dir).
  4. Deploy msi with ZENworks 4 or above.

In case you want to deploy the client and you have no w2k server
with nav configured:

  1. Make an client install dir on your Novell server.
  2. Configure your client on a test machine w2k (install server software on
    client).
  3. Copy the config file in your previously made client install dir. (Search on date of files, if I remember it correctly it had a .dat)
  4. Create an mst with an msi packager (you can try to edit the one in the
    client dir).
  5. Deploy msi with ZENworks 4 or above.

(Most documentation is made available on the CD.)

Important: If there is another kind of antivirus software installed, make sure you
uninstall it first with a snapshot.

John Vahl

I am not sure with 10, but we are currently testing 9.03 for deployment. There have been several changes made to the deployment from 8.01. We are using ZENworks 3.2 at our sites, deploying from NetWare 5.1 Servers. We run a mixed-client environment of Windows 98 Second Edition and Windows XP. Symantec AntiVirus Corporate Edition 10 Client requires Windows 2000 or newer. It will not, according to the System Requirements, run on Windows 98. For this reason, we are not currently looking at deploying Version 10 at this time.

The installation of the new version is much simpler with this version. When SAVCE is installed on the Server, it creates a \Clt-inst\WIN32 Directory. You can either create an application to run setup or, as we did, create an MSI installer, set to run with just progress. It will automatically upgrade from Norton AntiVirus Corporate Edition 7.6x or Symantec AntiVirus Corporate Edition 8.x or 9.x. It will NOT upgrade any other product, or even non-Corporate Versions of Norton AntiVirus. We have created a Distribution Script for Uninstalling Norton AntiVirus 5 and 2001(7). The Script was created to work on Windows 98, so some changes will need to be made, if you need it.

  rem NAV 2001 Uninstall
     @C:\windows\Command\Start.exe /w "C:\Windows\NavUStub.exe" C:\Windows\IsUninst.exe -a -m -f"C:\Program Files\Norton AntiVirus\nav95.isu" -c"C:\Program Files\Norton AntiVirus\NAVINS95.DLL"

     rem NAV-5 Uninstall
     @C:\windows\Command\Start.exe /w "C:\Windows\isuninst.exe" C:\WINDOWS\IsUnist.exe -a -m -f"C:\Program Files\Norton Antivirus\nav95.isu" -c"C:\Program Files\Norton AntiVirus\NAVINST95.DLL"


END

Other Gotchas:

  1. The Client install will not prompt for reboot, at least not in Progress Mode. It will reboot the computer without asking.
  2. Make sure you install the Symantec System Center, Quarantine Server, etc., before installing the Server Version of the Software on your 1st Server.
  3. If upgrading to a new version, uninstall the old versions of Symantec System Center and Quarantine Server first, it will not upgrade them. You should also do a SYS:\SAV\VPSTART.NLM /REMOVE on any NetWare Servers, prior to upgrade.
  4. To use VDTM method of Virus Definition Deployment (recommended), make sure the Server getting the Definitions from Symantec has at least one client, then, you can have additional Servers get their Definitions from that server (saving your internet bandwidth).
  5. LiveUpdate only updates on Wednesday, around 12 AM – 2 PM, it is better to use the FTP Method, which gets them almost daily.
  6. The option in Virus Definition Manager to Download Product Updates using LiveUpdate doesn’t work; the button was left from an older version that would do that.
  7. Don’t have the client scan the network if your servers have SAVCE running, it doubles the work, and the traffic.
  8. Don’t scan the GroupWise Domain or Post Office Directories (causes Performance problems).
  9. Perform as many configuration options as possible on the Server Group.
  10. If you run on a non-WINS Environment on any version of the Corporate Edition, Central Quarantine Server will not receive reports unless you put the server’s IP Address in the Quarantine Configuration.
  11. All client settings from the Server it is installed from will transfer during installation. If you want to transfer the computer to a different Parent Server, just drag and drop it.

Brian Schonecker

Gotcha’s w/ SAV CE 10:

As of June 6, 2005 Symantec recommends _not_ installing SAV CE on NetWare servers because of periodic abend issues on the _install_.
Turn off scheduled server scans on all your NetWare servers. You’ll get an abend nearly every time.

Siraj Matin

For us the best way to push out Symantec AntiVirus Corporate Edition 10.0 to the desktops is to use the login script. When SAV CE 10 is installed to servers walking the tree, it will make/modify the login script and all you have to do is:

Client

  1. Make the users member of the group (SymantecAntiVirusUser).

    To force install, modify F:\LOGIN\NAV\VP_LOGIN.INI
    change the WinNT=NONE to WinNT=FORCE and also add Win95=FORCE 16Bit=FORCE

    Example

    [Installer]
    Win32=\\server-name\SYS\SAV\CLT-INST\WIN32\Setup.EXE
     
    [InstallOptions]
    WinNT=FORCE
    Win95=FORCE
    16Bit=FORCE
     
    [ClientNumber]
    BuildNumber=016703E8
  2. Make sure the (SymantecAntiVirusUser) group have rights to SAV.

Server

  1. If problems with the servers disappearing from the server group:
    Use the Symantec System Center Version: 10.0.0.359 , it will find all the servers.
  2. If server ABEND in RTVSCAN.NLM when installing:
    Install SAV CE 10 and and make sure the HOSTS and HOSTNAME file in the etc directory have the correct syntax and IP address as the server.
  3. Modify \\SERVER-NAME\SYS\SAV\vpsrvcli.inf so the group right gets assigned
    under the [DSOBJECTS]{NDS} section change these lines:

    GROUPMEMBERS=SymantecAntiVirusAdmin
    GROUPMEMBERS=SymantecAntiVirusUser
    GROUPPRIMS=SymantecAntiVirusAdmin,$HOME$,RWFCDSA
    GROUPPRIMS=SymantecAntiVirusAdmin,SYS:\LOGIN\NAV,RWFCDSA
    GROUPPRIMS=SymantecAntiVirusUser,$HOME$,RF
    GROUPPRIMS=SymantecAntiVirusUser,$HOME$\ALERT,RWFC
    GROUPPRIMS=SymantecAntiVirusUser,SYS:\LOGIN\NAV,RWFCM
    GROUPPRIMS=SymantecAntiVirusUser,SYS:\LOGIN\NAV\VPTEMP,RWFCM
    GROUPPRIMS=SymantecAntiVirusUser,SYS:\LOGIN\NAV\I2_LDVP.TMP,RWFCM
    GROUPPRIMS=SymantecAntiVirusUser,SYS:\LOGIN\NAV\I2_LDVP.VDB,RWFCM

    to this syntax in order to work correctly:

    ; BY MATIN
    GROUPMEMBERS=SymantecAntiVirusAdmin
    GROUPMEMBERS=SymantecAntiVirusUser
    rights SYS:\SAV RWFCDSA /GROUP="SymantecAntiVirusAdmin"
    rights SYS:\LOGIN\NAV RWFCDSA /GROUP="SymantecAntiVirusAdmin"
    rights SYS:\SAV RF /GROUP="SymantecAntiVirusUser"
    rights SYS:\SAV\ALERT RWFC /GROUP="SymantecAntiVirusUser"
    rights SYS:\LOGIN\NAV RWFCM /GROUP="SymantecAntiVirusUser"
    rights SYS:\LOGIN\NAV\VPTEMP RWFCM /GROUP="SymantecAntiVirusUser"
    rights SYS:\LOGIN\NAV\I2_LDVP.TMP RWFCM /GROUP="SymantecAntiVirusUser"
    rights SYS:\LOGIN\NAV\I2_LDVP.VDB RWFCM /GROUP="SymantecAntiVirusUser"

If you copy the CD to your local drive and change VP_LOGIN.INI and VPSRVCLI.INF files before you install it, then you don’t need to change them on every server on which you install SAV CE 10.

John Leppert

Very good information already posted here.

I’d just like to add here that during my upgrades, a few of my NetWare
6.5sp3 servers abended running Symantec’s removal program :
sys:sav\vpstart /remove.

I think if you can’t afford the chance of an abend, do a manual
uninstall of the older version.

My experience with SAV is to always remove the old version from your
servers and re-install fresh the new version. Too often I’ve run into
problems by trying to just do an upgrade on NetWare servers and end up
having to remove and re-install at a later time anyway.

Symantec support recommends it as well.

Eric Ho

We have used ZENworks for Desktops 4.0.1 to rollout SAV CE 9.x before. It has worked great. I believe that the rollout for SAV CE 10 is pretty much the same.

Our environment is : ZfD 4.0.1 IR5. WOL was configured. All workstations were imported properly. SAV servers were configured. All SAV clients will be configured as Manageable.

Here is how to do it.

Before starting please read Document ID: 2004021813253548 from Symantec web site.

  1. Modify MSI package with MS Orca. Please check MS site for details regarding the Orca.
  2. Create a workstation policy package, then associate it with all workstation objects.
    1. Policy Package configure as path to : \\Server\PathtoEXEfile; Parameter as : /s /V”REBOOT=ReallySuppress /QN”; Working Directory as : C:\Windows\System32
    2. Default Package Schedule as : Even; System Startup. Policy run as impersonation as: System. SAV policy itself as: Default package schedule.
  3. Configure WOL policy to wake up all target workstations at night.

We did have a minor problem. The “Outdated definition error” msg box popped up after the installation. However, we worked around it by restarting the PC after the installation (the deployment was at night so it was no problem to restart the PC). We had our Symantec server push down the new definition. All clients were configured as manageable. We had contacted Symantec tech support, and they suggested that we should embed the new definition within the package.

Philip Hurley

Good stuff posted here already. Here are some very important Symantec knowledgebase articles you should read about deploying SAVCE clients, either 9 or 10 using the newest Symantec System Center. Please note: I have documentation that these articles have changed within a week to reflect NetWare-specific instructions that were left out of earlier versions of the articles:

I have no experience yet with installing remotely by IP address, but I have succeeded in pushing both SAVCE 10 and 9.x with the login script.

Rob Aronson

I had big problems with a deployment. Servers and server groups disappeared after install, and a login scan brought my desktops to their knees.

I did a manual uninstall on my servers before I installed, then used the grcdrop from the unsupported tools directory to re-register the clients under the server. Use the info from the Symantec website to update the registry before you try to install the client that’s already posted in the solutions.

Ben Beneke

I had terrible problems installing to a NetWare 6 SP5 Server. Both
updating and uninstall/reinstall abended the server.

Last week Symantec released SAVCE 10.1 new version to correct the abend
problem.

Server install went fine and new SSC works ok but I’m still having issues
with live update of server and pushing updated client out. The login script
method doesn’t work; however push install via IP works.

Alisia Prince

In our shop I started with the .msi based install in the
..\vphome\CLT-INST\WIN32 folder of my Primary Server. Then, I used the
Admin Studio Tuner to build an .mst file to go with it. I pushed this out
with ZENworks. Simple, in theory…

In practice:

1. We found that sometimes version 8 (and lower) of SAV CE doesn’t
remove properly during the install process (it’s supposed to remove any old
version and install the new one without reboot). So, we decided that
removing SAV 8 or lower would be best done manually to make sure that if
there is a problem, you know about it before you try to push out version 10.

2. SAV 10 uses PKI encryption for communication between the parent
server and the clients. If the public key on the client in the C:\Program Files\Symantec
AntiVirus\pki\roots is different than the one on the parent,
no communication will take place. You must update the client version to
match. I did this by updating my install folder and then simply pushing out
a SAV fix object that deleted the incorrect key file and replaced it with
the correct version.

3. SAV 10 is NOT happy on NetWare servers. I followed all of the Symantec
instructions for the proper removal and install of SAV products on our NW
6.5sp3 servers and ended up with servers that could not communicate with the
primary. I’m not sure what the problem was, but for us it was a show
stopper for NW servers and they were all rolled back to version 9. I
suspect that it’s related to the PKI communication. I’m not sure when SAV
will have a fix for this.

4. If you want your primary server to communicate with your older
clients while you are migrating, you must specifically configure the SAV
console to allow communcation with down version clients. The new SSC
considers this insecure. This option is a little buried in the menus. At
the server group level it is in Server Tuning Options under All
Tasks/Symantec Antivirus. There are some other new options in this menu as
well, so they might come in useful too.

Mike Romanowich

Server Installation Problems with SAV CE 10.

NetWare 6.0 & 6.5 – Symantec just released SAV 10.0.1.1000 to help with the ABEND issues. Uninstall old versions, then re-install this version.

NetWare 5.1 SP8 - I had some real problems getting the server to show up in the SSC. I placed many calls to Symantec which only led me to more frustration as they had me un-install and re-install SAV about a dozen times. Finally I was able to get to level 2, where someone suggested applying the TCP Update for NetWare 5.1. I updated the server and rebooted. Once rebooted, RTVScan.nlm abended. Uninstalled SAV from server, then rebooted again. Once it came up clean, I re-installed SAV and crossed my fingers as I watched it load. Once it loaded, I was able to view it in Symantec System Center. Make sure that you un-install SAV first before rebooting to apply the TCP Update changes.

Also make sure that these modules are not loaded when you do the install:

  • Aio.nlm (PowerChute Battery Backup)
  • Ofa.nlm (Open File Agent)
  • Ofm.nlm (Open File Manager)

Clients: If you migrate all of your servers to SAV 10.0 first, then your clients, make sure that you enable the servers to manage older clients. That way your clients will still receive updates even if they aren’t upgraded.

  1. In Symantec System Center – Right-Click Server | All Tasks | Symantec AntiVirus | Server Tuning Options
  2. Check the check box “Allow the server to manage 9.x clients and earlier……”

Jeremy Mlazovsky

I wrote a couple of
AutoIt scripts
which make deployment of SAV CE v10 a lot easier. I compile the scripts into stand-alone .exes and launch them via ZENworks.

I created a ZENworks app for installing the client. The app downloads the script files and the subdirectory containing the SAV CE install files to the local hard drive. Then it runs InstallSAVCE.au3, which punches a hole in the XP SP2 firewall so that the SAV CE client can communicate properly with the SAV CE server. Then it installs the client.

The second script, DownloadXDB.au3, is optional. It will attempt to download the newest virus definition file from Symantec’s FTP site and install it. I run this app immediately after installing the SAV CE client so that the newest defs are installed right away.

Matt Keys

I deployed SAV CE 10 through standard imaging. We ordered roughly 300 computers and pushed out the exact same image of WinXP with the latest client, ZENworks, GroupWise, SAV 10, etc. I assumed after the imaging was complete, all of the clients would be pointing to the same parent server, however this is not the case. In an effort to fix the problem, I used the GRCDrop tool in our login script to push the grc.dat file at each login but this didn’t work either. The grc.dat is dropped as it should, but the clients are still “lost.” It’s like they never import in the new .dat file. When I view the servers under the Symantec System Console, nothing is there except the ones I’ve installed manually. I suggest pushing SAV10 out via .MSI snapshot (silent) as described in the above posts. Of course, GRCDrop is unsupported by Symantec.

UPDATE: I found the solution to the problem. Upon installation of the client it installs a specific identifying number (GUID). When you image, that number doesn’t change and they can’t talk to the console. To fix the problem, delete the following registry key and reboot to obtain a new GUID from the server.

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\GUID

George Rawson

We went from running NAV on a Win2000 server to running SAV on a Win2003 server. Since our servers have different names, our older clients are managed by the old server.

One thing to note when installing the SAV client from your server ..\vphome\CLT-INST\WIN32 is that the client will automatically be managed by that server.

By creating a ZENworks application object that uses the .msi from the new server, our 8.0 and 9.0 clients that used to be managed by the old server automatically begin to communicate with the new server.

Chris Staples

We have been running SAV CE 8.0 and are now upgrading to SAV CE 10.0.1.

I have experienced problems getting our NetWare servers to show up in SSC. In my case, I have a Windows server running AMS (alert management server) and SSC installed. Network administrators also have SSC installed on their workstations. I have found if my NetWare servers can ping my windows server by FQDN prior to install, I have 100% success of them showing up in our administrative workstations running SSC.

We are pushing our clients by creating a ZENworks application object from the Symantec .msi located in the sav directory on each parent server. We push them over existing clients. I have tried other methods but this seems to give us the most control and flexibility especially with logging.

I had an issue with AMS alert actions not working. Internet email was not getting generated when a virus was detected but test messages would work. I found the \HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Common “AMSonLogEvents” and “ForwardLogs” registry key values were set to (0). Changing the values to (1) forwarded alert actions to the parent server which generated the internet email. I changed the GRC.dat file located on the parent server to reflect the registry changes in both the client install and sav directories to ensure that new and existing installations would receive the changes.

We have found the new client version (10.0.1.100) has been extremely effective in detecting spyware on client workstations. The client tamper seems to be worthless since it detects our ZENworks management agent and other Novell processes as a threat. We chose the lesser of two evils and disabled it.

Mike Sperano

I want to add to this.

ZENworks works great to push out Symantec – I used a combination of Shane Schlosser & Eric Ho To come up with this:

Path to file:
(pahth to set up file)\SETUP.EXE

Parameters:
/s /v”/qb RUNLIVEUPDATE=0″
Working Directory as :
C:\Windows\System32

This worked great on most computers but we were still having problems on many. Symantec would start the install and then through up and error about making sure the file exist and that it can be accessed. After lots of pain, I realized that I had upgraded most of the computers for zen 4 to zen 6.5 with new zfdagents, the problem was supposed to be fixed with the new agent and indeed it is, if you install the agent fresh not after and older agent was installed. This TID describes the problem that happened.

What I did was make two applications with registry pushed, one to remove the entry and another to put the correct one back. This solved my Symantec problem and also Disconnected Network Drive Problem and a few other msi app push related issues. Hope this helps.

Gil Lalo

Don’t use ZENworks for this. Symantec has a lovely client installation utility. Also, if you are using imaging (ZEN or another product such as Ghost), PCs imaged with the SAV client will automatically sync up to the AV server.

Allen Platt

I still have not seen an actual functioning login script in this open call, so I submit this as what we use in our login scripts. Using this along with the update to the .INI file that Siraj Matin supplied and you have a foolproof deployment method.

Copy to a document program, do a replace on SERVERNAME with your actual Server Name, then do the same with your actual .CN path.

Once you have double checked the accuracy of the script for your environment, place into your login script for your users container.

Enjoy!

;###### Symantec AntiVirus Corporate Edition SECTION START #######
IF MEMBER OF ".CN=SymantecAntiVirusUser.OU=CONTAINER1.OU=CONTAINER2.O=ORGANIZATION" THEN
MAP INS S1:=SERVERNAME\SYS:\LOGIN\NAV
#OSVER
IF "%ERROR_LEVEL" = "0" THEN
IF "%OS" = "WIN95" OR "%OS" = "WIN98" THEN
#VP_Log32 /p=\\SERVERNAME\SYS\LOGIN\NAV
END
ELSE
IF "%ERROR_LEVEL" = "1" THEN
#PUSHPOP +T \\SERVERNAME\SYS\LOGIN\NAV\VPTEMP
MAP T:=SERVERNAME\SYS:
#LOGINVER
#VP_Log16 /p=T:LOGIN\NAV /l=enu /n="%ERROR_LEVEL"
IF "%ERROR_LEVEL" = "1" THEN
#TSRINIT /Q T:\LOGIN\NAV\VPSCAN16.BAT T:\LOGIN\NAV
#TSRINIT /Q \\SERVERNAME\SYS\LOGIN\NAV\PUSHPOP -T: \\SERVERNAME\SYS\LOGIN\NAV\VPTEMP
ELSE
#PUSHPOP -T: \\SERVERNAME\SYS\LOGIN\NAV\VPTEMP
END
ELSE
IF "%ERROR_LEVEL"="3" OR  "%ERROR_LEVEL"="2" OR "%ERROR_LEVEL"="17" THEN
#\\SERVERNAME\SYS\LOGIN\NAV\OSVER
IF "%ERROR_LEVEL" = "1" THEN
#PUSHPOP +T \\SERVERNAME\SYS\LOGIN\NAV\VPTEMP
MAP T:=SERVERNAME\SYS:
#VP_Log16 /p=T:LOGIN\NAV /l=enu /n="4"
#TSRINIT /Q \\SERVERNAME\SYS\LOGIN\NAV\PUSHPOP -T: \\SERVERNAME\SYS\LOGIN\NAV\VPTEMP
ELSE
@VP_Log32 /p=\\SERVERNAME\SYS\LOGIN\NAV
 
END
END
END
MAP DEL S1:
END
;###### Symantec AntiVirus Corporate Edition SECTION END  #######

Kevin Brady

We created a batch file to distribute the application and used a ZENworks
application object to run the batch file. The batch file is below.

The users had SAV 8; we did not remove it; ran this as an upgrade. The
NETWORKTYPE=1 because we are Managed.

We did not set the application object to force a reboot; just let the
SAV 10 app do it when it was done.

As most of our users are Power Users, we used a policy to make them
Local Admins for the install. We tried running it as Secure System
User, but the app ignored that and ran with the privileges of the logged-in user.

Nothing fancy, but it seems to be getting the job done.

@echo off

echo Please do not close this window
echo The new AntiVirus Client is being installed.  This will take
approximately 5 minutes.
echo Your PC will automatically reboot upon completion

msiexec.exe /i "\\DCCCWAPPS01\VOL1\ZENAPPS\SAV10_CLIENT\Symantec
AntiVirus.msi" NETWORKTYPE=1 /qn

Grant Sauer

Deployment of Symantec Antivirus version 10 via NAL:

Performed this process today and it works – however I ran across one glitch relating to local WS permissions.

In order to push via NAL do the following:

  1. Create a simple app object pointing to setup.exe in the vol:SAV/clt-inst/win32 dir (this will allow the install to pickup GRC.DAT) and associate with users or test user and refresh the NAL on the WS. Use the /s /v/qn
  2. App object settings: force run, run once, normal run under environment, do not prompt on restart. The gotcha I ran across is that it won’t install with elevated permissions via NAL i.e. setting the run as unsecure or secure system user. As a result in order to install the user needs to be part of the local administrator’s group which we accomplished via DLU.

If your users already have administrative rights on the local WS then you’re in business. If they don’t, you can use a temporary DLU until the install goes through then remove the DLU – not the best solution but it does work.

If anyone has discovered how to get Symantec AV 10 to install using the ZENworks – run as unsecure or secure system user, please post your findings.

Tim Brenan

Here is how we deploy SAV 10.

  1. Create a simple app.
  2. Under Run options add this post launch script:

    xcopy (your Drive
    path:)\SAV\Clt-inst\WIN32 C:\(Local temp dir)\SAV /C /E /I /R /Y/D

    If you use the clt-inst\win32 Directory on your server you will get the
    correct GRC.dat file for the parent server

  3. Then add a post run script
    (network drive
    Letter:)\SAV_10\SAVINST.bat

this is our bat file

@echo off
P:\SAV_10\SAV10.exe 

The SAV10.exe is an Autoit script that we created. The Autoit script
calls the install that was copied to the local system and uses RUN AS
and your local admin account to run Setup.exe.

This gets around the admin problem. Then we set the App to force run
and you get a nice splash screen that tells the user that the AV is being
upgraded and it blocks their mouse and keyboard input so the user can’t
mess your install up and the PC will reboot when completed.

We also added these reg keys to the APP to prevent a quick scan after
the install:

hkey current
user\Software\Intel\LANDESK\VirusProtect6\CurrentVersion\Custom Tasks\

Dword CopiedDefaultScanOption  Value 1

Dword CreatedUserQuickScan     Value 1

I believe these were used in an earlier posting as well, and are on the
Symantec web site.

Here is a sample of the Autoit script. We also added a file version
check. (; Checks to see if SAV exists IfNotExist, C:\\Program
Files\\Symantec Antivirus\\doscan.exe, Goto, FileNotExist)

This will make the upgrade or deploy stop if the SAV has been upgraded.
Sometimes this is an issue if there are multiple users on one PC.

;
; AutoIt Version: 2.x
; Language:       English
; Platform:       Win2000
; Author:         
;
; Script Function:
;	Custom Symantec Install.
;

BlockInput, On

; Checks to see if SAV exists 
IfNotExist, C:\\Program Files\\Symantec Antivirus\\doscan.exe, Goto,
FileNotExist
Exit

;Put up splash screen and lock keyboard and mouse
FileNotExist:
SplashTextOn, 800, 600,  Symantec AntiVirus 10 Install version
10.01.1000, We are currently upgrading the anti-virus software on your
pc. \n We have locked your keyboard and mouse until the upgrade process
is complete.\n Your computer will reboot when the install is complete.
\n\n\n If you have any problems please contact \n the  Help Desk
xxx-xxxx .
Sleep, 2000

Run, c:\\winnt\\system32\\cmd.exe 

WinWaitActive, c:\\winnt\\system32\\cmd.exe 
Send, cd\\
Send, {ENTER}
Sleep, 2000
Send, runas /user:(yourLocal admin account) "Drivers\\SAV\\setup.exe /S
/v/qn"
Send, {ENTER}
Sleep, 3000
Send, (Local admin account Password)
Send, {ENTER}
Sleep, 20000
Sleep, 20000
;sleep multiple times to keep splash screen up until reboot
Sleep, 20000
Sleep, 20000
Sleep, 20000
Sleep, 20000
Sleep, 20000
Sleep, 20000
Sleep, 20000
Sleep, 20000
Sleep, 20000
Sleep, 20000
Sleep, 20000
Exit

Hope this is of use.

Glenn Davison

We use the Symantec .msi to push the client out in our login script, but
when upgrading servers from SAVCE 9 to 10 we had several of them not show
up after upgrading. After checking both Novell and Symantec’s
knowledgebases, and a call to Symantec, here’s our guideline to ensure
that your servers will appear in the Symantec System Center.

The problem is caused by a communication problem between the Primary AV
server, the target server, and the Symantec System Center (SSC)
workstation. The installation will fail to install the Symantec PKI
information on the target server which hides it from the Symantec Primary
Server so it cannot join the group. You can verify this problem by
checking the SYS:\SAV\PKI\ROOTS folder on the target server. If there’s
not a valid PKI file located here, then the server will never appear in
the SSC. Symantec has a knowledge base article on this, but doesn’t say
how to fix the problem!

To correct the problem we followed these steps:

  1. Uninstall SAVCE 10 from the target server ( load
    sys:sav\vpstart.nlm /remove )
  2. Verify that all previous installations of SAVCE have been removed.

    Verify that SYS:\SAV, SYS:\NAV, SYS:\LOGIN\NAV, and SYS:\IAMS2
    have all been removed.
    Also verify that all Symantec Admin and User groups have been
    removed from target server’s container in the eDirectory tree
    (both Norton and Symantec if you used earlier versions).

  3. Verify that the files have been purged from the target server’s
    volume ( purge /a)
  4. Perform DSREPAIR on the target server until clean.
  5. Check the communications between the target server, primary SAVCE
    server, and the SSC workstation using
    NSLOOKUP on each to resolve the names of the other
    servers/workstations.
  6. Verify the addresses of each computer (target, primary SAVCE, and
    SSC workstation) in your DNS.
  7. Clear up any DNS issues, or add manual entries in the
    SYS:\ETC\HOSTS files on the target server, primary SAVCE server, and the
    SSC workstation ( Windows (or WINNT) /System32/drivers/etc ) for
    each of these computers.
    NOTE: If your target server is a NetWare 5.1 SP8 server and the
    Unix Service Handler User in your tree, you may need to reference TID
    10055418.
  8. Verify again with NSLOOKUP.
    It is very important that the SSC workstation used for the
    installation resolve correctly on both the target server and the primary
    SAVCE server.
  9. I would recommend you use SAVCE 10.0.2. You can download it from the
    Symantec web site. This includes both Maintenance updates 1 and 2.
  10. Install the target using the SSC (Tools | AV Server Rollout)
  11. Start the vpstart install process on the target server ( load
    sys:sav\deploy0\vpstart.nlm /install )
    NOTE: the “deploy0″ path is a change from the 10.0.0 and prior
    versions (we skipped the 10.0.1 so it may be there as well).

Once SAVCE has started on the target server, refresh the group on the SSC
or start a server Discovery ( Tools | Discovery Service…) and see if the
server reappears in the SSC.

If not, you still have a communication error and need to repeat the
process, making sure to add the manual entries to the SYS:ETC\HOSTS file.

Also, once the server is installed properly, don’t forget to re-add your
users and admins to the Symantec groups so they can access the
installation files.

Patrick Hasenjager

I was using the Symantec System Center Console to install the client on all my workstations. This process became cumbersome and somewhat of a security risk. What if I forgot to install it during the imaging process?

I have begun using the MSI included in the SAV\Clt-Inst\WIN32 folder on the server. I have created a custom MST file that copies the GRC.dat file for the client group to “C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5″ I have also copied all files from the latest definitions into the VDefHub.zip file (located in the installation directory). This allows the current definitions to be used instead of the older default definitions.

IMPORTANT: The definitions are included (on Windows servers) in the \\servername\VPHOME\I2_LDVP.VDB\VD######.vdb folder. You cannot use the ones from a NetWare server, as not all files are included.

I have set this up as a ZENworks application that is installed on first boot. I no longer have to even think about the virus protection – it simply installs the software without any user intervention.

Larry Duccini

Anyone having soft abends with SAV10 during startup? It loads fine when I start it manually.

Martin Rother

We pushed SAV CE depending on the installed version with the login script. This way we can be sure that on any PC the newest version is installed.

You just need a programm called kix32 Then you can access the registry.

A simple Batch job calls the kix-script:
call kix32.exe %LOGONSERVER%\NETLOGON\sav.kix

And the kix script looks like:

$SAVVERS = ReadValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Uninstall\{46B63F23-2B4A-4525-A827-688026BE5E40}
","DisplayVersion")
if $SAVVERS = "10.0.2000.2"
  ? "The newest version of Symantec Antivirus is installed."
  exit
endif
? "Symantec Antivirus is getting silently installed."
shell "cmd /c %LOGONSERVER%\NETLOGON\savinstall.bat"

And you can install in silent mode without reboot with the following parameters:
call \\SAVSERVER\vphome\CLT-INST\WIN32\SETUP.EXE /s /v”/qn REBOOT=ReallySuppress”

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

Categories: Uncategorized

Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.

Comment

RSS