Skip Ribbon Commands
Skip to main content

Distribution

:

Application Configuration Notes: Symantec AntiVirus

Documentation and logs for UVM OS and application distribution methodologies
For SAV, we provide both MANAGED and UNMANGED installation methods.  Documentation on how to launch the installer in unattended mode from the command line is provided by Symantec in the documentation PDFs included on the SAV product CD (See "SAVInst.pdf", appendix A).
 
For UNMANAGED installs, we use the setup.exe provided with the product:
  • /s and /qn are used to suppress UIO output from the Symantec setup.exe program.
  • Use the /V:"" switch to pass quote-delimited parameters to the msiexec program that is called by setup.exe. 
    • /qb - forces the MSIEXEC UI into "basic" mode where installtion shows progress only, no prompting.
    • The "ADDLOCAL" pubic variable allows us to install only the components that we want (SMTP/POP3 scanners and Lotus Notes plugin are not installed). At present, we specify "ADDLOCAL=SAVMain,SAVUI,SAVHelp,QClient,OutlookSnapin"
    •  "NETWORKTYPE" distinguishes a managed instlaler from an unmanaged installer.  "1" is MANAGED, "2" is UNMANAGED.
    • "SERVERNAME" specifies the SAV management server to which the client will report.  Use either "NORTON1" or "NORTON2".
    • RUNLIVEUPDATE=0 and SYMPROTECTDISABLED=1 are used to suppress undesirable behaviour following client installation.  Liveupdate and SymProtect will run following reboot.

For MANAGED installs, we need to wrap the setup.exe into a shell script which updates the Windows firewall rules to allow management of the product.  An "installSAV.cmd" has been placed in the application installation directory.  It contains the following commands:


REM Adds firewall rules to allow management of application by UVM Servers
netsh firewall add allowedprogram program="%ProgramFiles%\Symantec AntiVirus\Rtvscan.exe" name="Symantec Antivirus" mode=ENABLE scope=CUSTOM addresses=132.198.102.0/255.255.255.0 profile=ALL
netsh firewall add allowedprogram program="%ProgramFiles%\Common Files\Symantec Shared\ccApp.exe" name="Symantec Email" mode=ENABLE scope=CUSTOM addresses=132.198.0.0/255.255.0.0 profile=ALL

REM Installs desired components in managed mode:
start /wait .\setup.exe /s /qn /V"/qb ADDLOCAL=SAVMain,SAVUI,SAVHelp,QClient,OutlookSnapin NETWORKTYPE=1 SERVERNAME=NORTON2 RUNLIVEUPDATE=0 SYMPROTECTDISABLED=1"

REM Removes overly permissive firewall rules created by the application installer:
netsh firewall delete allowedprogram program="%ProgramFiles%\Symantec AntiVirus\Rtvscan.exe" profile=CURRENT
netsh firewall delete allowedprogram program="%ProgramFiles%\Common Files\Symantec Shared\ccApp.exe" profile=CURRENT


The first set of "NETSH" commands in the script first create program exceptions in the "DOMAIN" and "STANDARD" firewall profiles.  We then call the installer.  The installer adds additional firewall exceptions to the "CURRENT" firewall domain.  These exceptions are overly permissive as they allow ANY server to manage the client.  We call a second set of NETSH commands to clear these exceptions after installation.

To apply patches to the installer, we could take one of three approaches:

  1. Use the "PATCH" public variable under "msiexec" to install the patch at the same time as initial deployment (i.e. setup.exe /s /qn /V"PATCH=SAVPATCH.msp")
    • Pro: Allows the patch to be integrated at install time, thus avoiding bugs and vulnerabilities.  Reduces the need for reboots.  Maintains self-healing capabilities of MSI.
    • Con: Not overly compatible with Symantec's "Setup.exe" routine... unreliable
  2. Call msiexec.exe after Symantec's setup.exe has comleted to apply the patch (i.e. msiexec /p "SAVPATCH.msp")
    • Pro: Maintains self-healing capabilities of the MSI
    • Con: Two-step install process takes more time, requires a reboot to complete, and may generate faults when rtvscan is terminated by the patch engine.  Seems to work, but appears unreliable.
  3. Create an "administrative installation point" and then apply the patch into this directory.  Drop the Symantec setup.exe and associated support files into this source directory, and then build our installer from here.
    • Pro: Most compact installation package generated as source is compressed with LZMA.  Applies patch during initial install avoiding two-step process and reboots.  Seems highly reliable.
    • Con:  May break MSI application healing and re-install features.

All things considered, I am going with the third option.  Here is how we do it:

  1. Extract the Symantec MSI installer package to an "Administraive Install Point":
    msiexec /a "Symantec Antivirus.msi"
  2. Apply the patch to the administrative install point:
    msiexec /p "SAVCE_patch.msp" /a "<path to admin install point>\Symantec Antivirus.msi"
  3. Copy all of the contents of the admin install point into your SAV build directory.  Write over any existing files of the same name.  Delete the "Data1.cab" file in the source directory as this is now redundant data which will break the installer.
  4. Call "setup.exe" within your installer in the same way as you would have in the past.