
Configuring AntiVirus policy enforcement

Question/Issue:
You need an explanation of the Symantec Gateway Security 300 Series' AntiVirus policy enforcement feature and instructions to implement it with Symantec AntiVirus Corporate Edition 9.x.

Solution:
What is AntiVirus policy enforcement?
The AntiVirus policy enforcement feature of the Symantec Gateway Security 300 Series appliance checks the antivirus policy of computers that make connections through your appliance. The policy is compared against the policy used on your primary and secondary AV servers. These AV servers are the computers on which you configure the policy that you want all of your clients to use. If you have Symantec AntiVirus Corporate Edition servers in your network, you can use them as the primary AV server and secondary AV server to set the policy for your clients. If your clients are unmanaged, you can specify one of the clients as the primary AV server. AntiVirus policy enforcement supports outbound connections and VPN client connections only.

The appliance checks with the AV server for policy changes at intervals that you specify (the default is 10 minutes). Once a client connects, the appliance checks the client policy at a user-defined interval (default setting is 8 hours) to verify that the client adopts the new policy of the AV server. If the client does not update its policy within 8 hours of the change on the AV server, the client is noncompliant. The appliance generates a log message and communication for the client may be blocked. Clients that are blocked can still connect to the Symantec AntiVirus Corporate Edition server or Symantec LiveUpdate in order to update their virus definitions.

You determine whether to enforce antivirus compliance for local clients using computer groups. All local clients belong to computer groups. For each computer group, you enable or disable AntiVirus policy enforcement. The default AntiVirus policy enforcement status for all computer groups is disabled. See page 64 of the Symantec Gateway Security 300 Series Administrator's Guide for more information on computer groups.

If content filtering and antivirus policy enforcement are enabled at the same time, content filtering takes precedence over antivirus policy enforcement processing for outbound traffic only. If a content filtering violation occurs and a client is blocked from viewing content, a message is logged and no antivirus policy enforcement rules are processed.
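The decision logic described above, modelled in Python as an added example: this is not Symantec code and the appliance's real implementation is not published in this article. The engine and definition values, the group modes and the 8-hour grace window are constructed assumptions taken from the defaults and options this article names.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Per-group setting: enforcement disabled, Warn Only, or Block Connections.
DISABLED, WARN, BLOCK = "disabled", "warn_only", "block_connections"

@dataclass
class AvPolicy:
    engine: str       # scan engine version (constructed value)
    definitions: str  # virus definitions revision (constructed value)
@dataclass
class Client:
    av_active: bool   # supported Symantec AV product installed and running
    policy: AvPolicy  # policy the client currently reports
def evaluate(server, server_changed_at, client, now, mode, latest_engine=True,
             verify_defs=True, content_violation=False, grace=timedelta(hours=8)):
    """Return (action, reason); action is 'allow', 'warn' or 'block'."""
    if mode == DISABLED:
        return "allow", "enforcement disabled for this group"
    if content_violation:  # outbound: content filtering wins, AV rules skipped
        return "block", "content filtering violation; AV policy not evaluated"
    findings = []
    if not client.av_active:
        findings.append("no active supported antivirus product")
    else:
        if latest_engine and client.policy.engine != server.engine:
            findings.append("scan engine differs from AV server")
        if verify_defs and client.policy.definitions != server.definitions:
            findings.append("virus definitions differ from AV server")
    if not findings:
        return "allow", "compliant"
    # Drift after a server-side change only counts once the grace window passes.
    if client.av_active and now - server_changed_at < grace:
        return "allow", "awaiting client update within grace window"
    return ("block" if mode == BLOCK else "warn"), "; ".join(findings)

def demo():  # constructed scenario: AV server changed definitions 9 hours ago
    server = AvPolicy("4.3.0.1", "2007-10-03")
    changed = datetime(2007, 10, 3, 0, 0)
    now, early = changed + timedelta(hours=9), changed + timedelta(hours=2)
    stale = Client(True, AvPolicy("4.3.0.1", "2007-10-02"))
    fresh = Client(True, AvPolicy("4.3.0.1", "2007-10-03"))
    no_av = Client(False, AvPolicy("", ""))
    return {
        "stale_block": evaluate(server, changed, stale, now, BLOCK)[0],
        "stale_warn": evaluate(server, changed, stale, now, WARN)[0],
        "stale_in_grace": evaluate(server, changed, stale, early, BLOCK)[0],
        "fresh": evaluate(server, changed, fresh, now, BLOCK)[0],
        "no_av_in_grace": evaluate(server, changed, no_av, early, BLOCK)[0],
        "disabled": evaluate(server, changed, no_av, now, DISABLED)[0],
    }
```

Note that a client with no active antivirus product gets no grace window: the grace period only covers a client that has not yet picked up a policy change from the AV server.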

Special considerations
Before configuring the Symantec Gateway Security 300 Series appliance, make sure you do the following:



Configuring AntiVirus policy enforcement
Configuring AntiVirus policy enforcement for a Symantec AntiVirus Corporate Edition environment and a client-only network are similar tasks.

Configuring for Symantec AntiVirus Corporate Edition servers involves the following tasks:
Configuring for networks with unmanaged antivirus clients (without Symantec AntiVirus Corporate Edition) involves the following tasks:
  • Defining the location of the policy master client and verifying that it has a supported Symantec antivirus client installed and that the virus definitions and the scanning engine on client computers are up-to-date.
  • Enabling AntiVirus policy enforcement for Computer or VPN Groups. See page 107 of the Symantec Gateway Security 300 Series Administrator's Guide for more information.
  • Configuring the AV clients. See page 109 of the Symantec Gateway Security 300 Series Administrator's Guide for more information.

To configure antivirus policy enforcement
  1. In the left pane of the SGMI, click Antivirus Policy.
  2. In the Primary AV Server text box, in the right pane, under Server Location, type the IP address or fully qualified domain name of your primary antivirus server or master client.
  3. Optionally, in the Secondary AV Server text box, type the IP address or fully qualified domain name of a backup antivirus server, if supported in your environment.
  4. In the Query AV Server Every text box, type an interval (in minutes) for the appliance to query the antivirus server for updated virus definitions.
  5. To force a manual update, click Query Server.
  6. Under Policy Validation, next to Verify AV Client is Active, select one of the following:
    • Latest Product Engine
      To check a client's antivirus configuration to ensure it uses a supported Symantec antivirus product with the latest product scan engine.
    • Any Version
      To check a client's antivirus configuration to verify that the correct version of a supported Symantec antivirus product is installed on the client's workstation.
  7. To enable the appliance to validate whether a client is using the latest virus definitions, check Verify Latest Virus Definitions.
  8. In the Query Clients Every text box, type an interval (in minutes) for the appliance to query clients to validate whether they are using updated virus definitions.
  9. Click Save.

Enabling AntiVirus policy enforcement
AntiVirus policy enforcement is enforced at the computer group and VPN group level. To enable AntiVirus policy enforcement, you first select a group, and then enable AntiVirus policy enforcement once for all members of that group. You also decide whether you want to warn or to deny WAN access to clients if their antivirus configuration is not compliant with expected security policies.

To enable antivirus policy enforcement for computer groups
  1. In the left pane of the SGMI, click Firewall.
  2. On the Computer Groups tab, under Security Policy, on the Computer Group drop-down list, select the computer group for which you want to enable AntiVirus policy enforcement.
  3. Under Antivirus Policy Enforcement, check Enable Antivirus Policy Enforcement, and then do one of the following:
    • To log warnings for clients with out-of-date virus definitions, click Warn Only.
    • To completely block connections from clients with out-of-date virus definitions, click Block Connections.
  4. Click Save.
  5. Repeat steps 2 through 6 to enable AntiVirus policy enforcement for each computer group.

To enable antivirus policy enforcement for VPN groups


Note: Enabling AntiVirus policy enforcement for VPN groups is for WAN clients only. You enable AntiVirus policy enforcement for LAN VPN clients through Computer groups in the Firewall section of the SGMI.
  1. In the left pane of the Security Gateway Management Interface (SGMI), click VPN.
  2. On the Client Tunnels tab, under Group Tunnel Definition, on the VPN Group drop-down list, select the VPN group for which you want to enable AntiVirus policy enforcement.
  3. Under WAN Client Policy, check Enable Antivirus Policy Enforcement, and then do one of the following:
    • To log warnings for clients with out-of-date virus definitions, click Warn Only.
    • To completely block connections from clients with out-of-date virus definitions, click Block Connections.
  4. Click Save.
  5. Repeat steps 2 through 6 to enable AntiVirus policy enforcement for each desired VPN group.

Configuring the antivirus clients
If the clients on your network are unmanaged and use LiveUpdate to install current virus definitions and engines, you must configure each client before it can be validated using AntiVirus policy enforcement. Each client that you want to validate with AntiVirus policy enforcement must have a supported Symantec antivirus product installed in unmanaged mode.
When you uninstall the client software, the registry keys that are created by this procedure are also removed.


CAUTION: Do not use this procedure for clients managed by a Symantec AntiVirus server.

To configure the AV clients
  1. Install or configure each client's supported Symantec antivirus product in unmanaged mode.
  2. Insert the Symantec Gateway Security 300 Series CD-ROM into the CD-ROM drive on a client computer.
  3. In the Tools folder, copy SGS300_AVpe_client_Activation.reg to the client's desktop.
  4. Double-click the file.
  5. Repeat steps 2-4 for each client that you want to be validated using AntiVirus policy enforcement.


Monitoring antivirus status
The AV Server Status and Client Status areas of the AntiVirus Policy section of the SGMI let you view the operational status of the primary and secondary AntiVirus servers and of the clients configured in your network.
Any changes you make to the configuration of the primary or secondary antivirus server, once saved, are reflected in the AV Server Status field.

Log messages
When AntiVirus policy enforcement is enabled and a client connection is found noncompliant (whether the group action is Warn Only or Block Connections), a message is logged. Review these log messages periodically to monitor your traffic.

To view AntiVirus policy enforcement log messages
  1. In the left pane of the Security Gateway Management Interface (SGMI), click Logging/Monitoring.
  2. On the View Log tab, click Refresh.

Verifying AntiVirus policy enforcement operation
After you have enabled AntiVirus policy enforcement, you can test its operation by disabling Symantec AntiVirus Corporate Edition on a client workstation and then attempting to connect to the local network. If antivirus policy enforcement is properly configured, in the absence of enabled Symantec antivirus software, all connection attempts should be blocked or warned.

The status of the secondary antivirus server is not displayed unless the primary server is unreachable.


Note: The client workstation receives no notification that its network access is blocked; the event is recorded only in the appliance log.

To test antivirus policy enforcement operation
  1. Uninstall Symantec AntiVirus Corporate Edition from a client workstation that has been configured as part of a computer group with AntiVirus policy enforcement enabled, with connections blocked.
  2. Open a Web browser and attempt to connect to www.symantec.com.
    The connection attempt should fail and all communication through the firewall should be blocked.
  3. From the left pane of the SGMI, click Logging/Monitoring.
  4. Click View Log and check for a warning message indicating that all connection attempts for the particular client are blocked due to policy noncompliance.
    If this message is present, then your AntiVirus policy enforcement feature is correctly configured and operational.
  5. If you are able to connect to www.symantec.com, recheck your AntiVirus policy enforcement configuration settings and group assignments. Make sure that you removed Symantec AntiVirus Corporate Edition from the client workstation, and that the client is a member of a group with AntiVirus policy enforcement enabled, with connections blocked. Retry steps 1 through 4 above.


References:
If you use Symantec AntiVirus Corporate Edition 10 or Symantec Client Security 3.0, read the following Symantec Knowledge Base article:




Document ID: 2004041409163454
Last Modified: 10/03/2007
Date Created: 04/14/2004
Product(s): Symantec Gateway Security 300 Series
Release(s): 320, 360, 360R