Endpoint Protection


Configuring SAV for Linux

  • 1.  Configuring SAV for Linux

    Posted May 18, 2010 10:11 AM
    Hi,

    I am trying to configure SAV for Linux in such a manner that it will just detect and report on the malware found, but not perform any other action (delete, move to Quarantine, etc.) As we are new to SAV for Linux, I cannot seem to get a grip on how/where to make these config changes -- if anybody can shed some light on this issue, that would be great.

    TIA,
    Anthony Aykut



  • 2.  RE: Configuring SAV for Linux

    Posted May 18, 2010 10:22 AM

    See page 70 in the SAV for Linux Implementation Guide

    What you can configure on Linux by using a GRC.DAT file:

    http://seer.entsupport.symantec.com/docs/notes/manuals/sav_ce/sav_ce_10.1_mr5/sav_linux_impl.pdf.html


  • 3.  RE: Configuring SAV for Linux

    Posted May 18, 2010 10:46 AM
    Hi,

    Thanks, but not an option as (1) we don't have any Windows based SAV products installed and (2) as far as I can see this tool does not contain an option to specify/force the scanner *not* to move malware samples to Quarantine; thus this needs to be enabled somewhere else.

    BR,
    Anthony


  • 4.  RE: Configuring SAV for Linux

    Posted May 18, 2010 11:18 AM

    You can use ConfigEd to configure a GRC.dat for SAV for Linux without a SAV System Center.  SAV_Linux_Impl.pdf says that SAV is required but I'm pretty sure it can be used standalone.  It does require a Windows-based machine.

    Title: 'Management of Symantec AntiVirus (SAV) for Linux'
    Document ID: 2007100513224548
    Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007100513224548?Open&seg=ent

    Chapter 5 of the SAV_Linux_Impl.pdf document goes into the settings.

    sandra


  • 5.  RE: Configuring SAV for Linux

    Posted May 18, 2010 11:23 AM
    You can use the Configed.exe tool, which is located in the /Tools/ConfigEd directory provided as part of your Symantec AntiVirus for Linux software.

    Using this, you can select the Auto-Protect options: set First action and Second action to Leave alone.


  • 6.  RE: Configuring SAV for Linux

    Posted May 18, 2010 12:04 PM
    Thanks... but weird,

    I downloaded the tool from the link posted by sandra.g, above.
    I can run the tool, but the Client Auto-Protect button is greyed out, so I can not see any of the options behind it.

    I know it is asking for much, but is there any way someone can create a GRC.dat for us, with those two actions set to 'Leave Alone'?
    Or send us a 'vanilla' grc.dat that we can edit by hand somehow? I can see from some example grc.dat files on the internet that there are variables like D0, D1 ... D5 for the various options, I assume they are the settings - anyone know this?

    Regards,
    Anthony



  • 7.  RE: Configuring SAV for Linux

    Posted May 18, 2010 01:35 PM
    There is a grc.dat file that would be present in the SAV directory on the server; you can edit it.
    You can open this file with a normal editor, and it is in a plain readable format, so after reading a few lines you would know where to edit it.

    However, since you are saying that Auto-Protect is greyed out, that means it is not enabled. You need to troubleshoot that first and make sure it is ON.


  • 8.  RE: Configuring SAV for Linux

    Posted May 18, 2010 03:41 PM

    Hi Vikram,

    I really think the options are greyed out because the Symantec products it is looking for are not installed on my Windows box; the program also indicates this by way of a popup upon startup (see attached). So I am a bit puzzled how I can enable these options...

    Anthony


  • 9.  RE: Configuring SAV for Linux

    Posted May 18, 2010 03:52 PM
    Well, I haven't used this tool for a long time, so I guess it would run only on a system that has the SAV client installed on it.


  • 10.  RE: Configuring SAV for Linux

    Posted May 19, 2010 06:38 PM
    You will need to have Symantec Antivirus installed in order to use the ConfigEd utility to its fullest potential.

    You can, though, configure those exclusions from the command line. You will not be able to set log only for threats that are considered greyware. You can use the following commands to set the exclusions for manual scans. This will not apply to scheduled scans or real-time scans.


    symcfg add -k '\Symantec Endpoint Protection\AV\LocalScan\Manual Scan' -v FirstAction -d 4 -t REG_DWORD
    symcfg add -k '\Symantec Endpoint Protection\AV\LocalScan\Manual Scan' -v SecondAction -d 4 -t REG_DWORD
    symcfg add -k '\Symantec Endpoint Protection\AV\LocalScan\Manual Scan' -v FirstMacroAction -d 4 -t REG_DWORD
    symcfg add -k '\Symantec Endpoint Protection\AV\LocalScan\Manual Scan' -v SecondMacroAction -d 4 -t REG_DWORD


    For real-time scans and scheduled scans, please review the following document. It has information for altering the above commands.
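    An added example, not from this thread or from Symantec, that wraps the four manual-scan commands above in an idempotent script with a dry-run mode. It assumes only what the reply shows (the manual-scan key and action code 4 for "Leave alone") and that `symcfg` is on PATH when actually applying; the real-time and scheduled-scan keys are not on this page, so the script deliberately touches nothing else.

```shell
#!/bin/sh
# Added example (not the thread's or Symantec's own code): apply the four "Leave alone"
# settings from the reply above (data 4 on the manual-scan action values) in one step.
# Only the manual-scan key is taken from the thread; real-time and scheduled-scan keys
# are not known here, so nothing else is modified. Greyware / security-risk handling is
# not covered by these values, as a later reply in the thread explains.
#
# SYMCFG points at the real binary. On a machine without SAVFL, export SYMCFG=echo to
# dry-run and just see the commands that would be issued.
SYMCFG="${SYMCFG:-symcfg}"
MANUAL_KEY='\Symantec Endpoint Protection\AV\LocalScan\Manual Scan'
LEAVE_ALONE=4   # action code used in the thread for "Leave alone" (detect and log only)

# The four action values the reply sets for manual scans.
manual_scan_values() {
    echo FirstAction SecondAction FirstMacroAction SecondMacroAction
}

# Write one REG_DWORD under the manual-scan key; non-zero exit if symcfg rejects it.
set_manual_action() {
    # $1 = value name, $2 = numeric action code
    "$SYMCFG" add -k "$MANUAL_KEY" -v "$1" -d "$2" -t REG_DWORD
}

# Set all four manual-scan actions to "Leave alone". Stops at the first failure so a
# calling script does not continue with a half-applied policy.
set_manual_scan_log_only() {
    for v in $(manual_scan_values); do
        set_manual_action "$v" "$LEAVE_ALONE" || { echo "failed on $v" >&2; return 1; }
    done
}

# Sanity check: number of values a dry run would write (runs in a subshell, so the
# SYMCFG override does not leak into the caller).
dry_run_count() {
    ( SYMCFG=echo; set_manual_scan_log_only ) | grep -c -- '-t REG_DWORD'
}

# Usage: sh savfl-log-only.sh apply   (without "apply" the script only defines functions)
if [ "${1:-}" = "apply" ]; then
    set_manual_scan_log_only
fi
```

Run with `SYMCFG=echo sh savfl-log-only.sh apply` first to review the exact symcfg invocations before touching a live client.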




  • 11.  RE: Configuring SAV for Linux

    Posted May 20, 2010 02:51 AM
    Hi Thomas,

    Great! Some information we can try out and use -- will test this right away :)

    We're using SAVFL to scan malware samples periodically, and the scanning is always manual, so this should work. I just want to check one thing with you; you mention the following:

    "You will not be able to set log only for threats that are considered greyware."

    By this, do you mean we need to scan for all or nothing, correct? If not, can you please explain what this means -- what we want to achieve essentially is to scan a set of malware samples and write this to a report file, in the meantime also preserving the malware (so not deleting, cleaning or moving the malware samples to quarantine).

    Thanks
    Anthony


  • 12.  RE: Configuring SAV for Linux

    Posted May 20, 2010 11:27 AM
    Hi Anthony,

    When SAV scans a file and finds a threat, it classifies it in one of three categories (virus, macro virus, security risks). You currently cannot set the action level for security risks, so these will always be removed during a scan (unless excluded from scans). This is documented on page 75 of SAV_Linux_Impl.pdf.

    If your threat is getting classified as a security risk then you won't be able to set it to log only.