Readme.txt file for Symantec AntiVirus 10.1 Details: ==================================================================================== Symantec AntiVirus(TM) Corporate Edition README.TXT Date: March 2006 Copyright (c) 2006 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, LiveUpdate, Norton AntiVirus, Symantec AntiVirus, Symantec Packager, and Symantec System Center are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The Licensed Software and Documentation are deemed to be "commercial computer software" and "commercial computer software documentation" as defined in FAR Sections 12.212 and DFARS Section 227.7202. ==================================================================================== ==================================================================================== README FILE Please review this document in its entirety before you install or roll out Symantec AntiVirus, or call for technical support. It contains information that is not included in the Symantec AntiVirus documentation or the online Help. ==================================================================================== ==================================================================================== TABLE OF CONTENTS This document contains the following sections: INSTALLATION AND UNINSTALLATION ISSUES - Reporting installation does not support a second instance of MSDE - Deploying reporting agents on remote legacy management servers - Uninstalling managed client computers that were migrated from Symantec AntiVirus 8.0.1 or 8.1.1 may fail - Symantec Packager is unsupported - Symantec AntiVirus cannot be added to a software installation Group Policy Object for Active Directory(R) deployment if the same version of Symantec AntiVirus is already installed - Restart may be necessary for Central Quarantine, Symantec System Center, and Alert Management System(2) installations - Communication problem when you uninstall a Symantec AntiVirus server that is on the same computer as the Symantec System Center - The SERVERNAME client installation MSI property must be a valid name - The Server Name field during managed client installation must be a valid name - Upgrading Symantec AntiVirus 10 requires additional rights MIGRATION ISSUES - Invalid definitions on computers migrating from Symantec AntiVirus Corporate Edition 8.0, Symantec Client Security 1.0, and supported versions of Norton AntiVirus Corporate Edition - After migrating from Symantec AntiVirus 8.1.1 and 8.0.1, Rtvscan is disabled until reboot - Symantec AntiVirus 8.0 and 8.1.1 client computers migrated using ClientRemote require a restart to load definitions - Migrating from Symantec AntiVirus server 8.1.1 on Windows 2000 using the Symantec System Center may not work - Migrating to the current release - When migrating from Symantec AntiVirus version 8.1.1, do not update servers simultaneously - Migrating from Symantec AntiVirus server version 7.6 to version 10.1 is not supported on NetWare 5.1.8 - Updating to a new parent server during client migration by using Grc.dat - Unmanaged to managed client migration is unsupported - Version 7.6.1 migration fails with opened client or server user interfaces DEPLOYMENT ISSUES - Logging switches added to vpremote.dat when using the ClientRemote tool will be overridden by defaults - Deploying user-based installation packages with elevated privileges fails PATCH-RELATED ISSUES - Unique vpremote.dat and vpremote.exe files used to deploy patches and full releases MANAGEMENT-RELATED ISSUES - A manual scan on a remote client computer continuously tries to remove security risks found on the computer if you click the Remove Risks Now button - Back up the \pki directory on your primary server - Unregistered file extensions for non-hidden files are resolved with the FixFileTypes tool - Rolling back server system dates disables servers - Stopping Symantec processes causes instability - SAVRoam /nearest command requires administrator rights on Windows - Deleting locked and empty server groups - Group settings are applied to out-of-sync clients - Symantec System Center prompts restricted users for server group certificate - Changing the management mode of a client - Users are no longer allowed to modify scheduled LiveUpdates - Information about a user's logon domain is not available until restart - Setting for allowing clients to modify LiveUpdate schedules is locked - When your client email applications use a single Inbox file - Only locked settings are propagated to clients - Simple host name resolution is required to manage Symantec AntiVirus servers and clients - Dragging and dropping servers after changing Login Certificate Settings results in loss of communication - Time out-of-sync error when you promote a server to primary server ANTIVIRUS CLIENT AND SERVER ISSUES - Daily updates for virus and security risk definitions now available - Handling of encrypted POP3 and SMTP email - Turning off encrypted email handling may not take effect until you log out of Windows and log back in - Security risk exceptions migrated to version 10.1 do not display their risk impact ratings - Starting Symantec AntiVirus or Symantec System Center using the Run As command with restricted permissions is not supported - Windows System Restore may fail when Tamper Protection is enabled - Global Risk Exclusions settings are retained when client computers are moved to a different client group - Cookies are not scanned - Internet E-mail Auto-Protect port changes are ignored - Adding a file to the Quarantine and removing it from its original location - Scanning files by type is no longer available - Do not use third-party security risk scanners when Tamper Protection is enabled - Setting Client Tracking options - Auto-Protect option to scan for security risks does not apply to computers that run earlier versions of Symantec AntiVirus REPORTING ISSUES - Modify the Log Sender Agent's configuration so that event aggregation is more effective - Reporting Upload directory might not be removed during uninstallation - Running a reporting server on Windows Server 2003 without Service Pack 1 installed is not supported - Reporting database tuning cannot be configured when agents are running - Changing a reporting server host name when agents are running - Changing reporting server port or host name requires Alert Agent configuration - Reporting handles resumable scan events as separate scans - ThreatCon status on the reporting home page does not update if Internet Explorer is not set to display animations - DBCS characters cause problems when used in the reporting server name - Global date format affects report filtering - Images in reports are cached rather than recreated when a report is regenerated - CGI errors when accessing the reporting console - When querying large amounts of data, you might need to increase timeout parameters - Time values in daily distribution reports may not reflect Daylight Savings Time (DST) - Scan information in reporting may appear inconsistent with scan histories information - Viewing reporting data on Japanese operating systems - Parent servers appear to be missing in Virus Definition Distribution reports - Use default date separator for full risk report - Reporting filter for past 24 hours is determined on page load - Auto-refresh on logs pages and the Alert Events page does not reset time filters if logged into reporting for more than one day NETWARE INFORMATION - Custom installation directories limitation - Auto-Protect option to scan for security risks does not apply to computers that run NetWare - Quick Scans not supported on NetWare - Configuring exceptions for security risks - NetWare servers may fail to communicate during server group drag and drop operations - Secure Console requires search path additions for installation or upgrade - Proceeding with an upgrade if a timeout occurs waiting for Symantec AntiVirus to shut down - The NetWare log file is now stored in SYS:install.log - The Install command no longer attempts to repair a damaged installation - Regenerating certificates - A Symantec AntiVirus server upgrade on NetWare defaults to bindery mode - Secondary server installations and migrations may fail if the IPX protocol is bound 64-BIT SUPPORT - Antivirus client is the only feature that is supported - LiveUpdate is the only virus definitions files update method supported - Managing 64-bit clients with the Symantec System Center - Side effects repair limitations DOCUMENTATION ISSUES - Symantec AntiVirus Reference Guide was not updated for the current release - Reporting User's Guide contains incorrect name for report filter - Reporting User's Guide contains wording errors - Reporting Userˇ¦s Guide is missing a note about Virus Definition Distribution reports - Correction to Network Scanning Options in the Auto-Protect Scan Options table in Administrator's Guide OTHER ISSUES - Installing Symantec VPN Sentry - XP SP2 firewall status incorrectly reported as enabled after restart - 16-bit files used by Symantec AntiVirus components - About security risks - About cookies - Security risk best practices - Notice - Central Quarantine performance considerations LICENSE AGREEMENTS ==================================================================================== ==================================================================================== INSTALLATION AND UNINSTALLATION ISSUES ==================================================================================== ----------------------------------------------------------------- Reporting installation does not support a second instance of MSDE ----------------------------------------------------------------- You should not install reporting with a second instance of MSDE. If you want to use more than one instance of a reporting database, use Microsoft SQL Server. -------------------------------------------------------------- Deploying reporting agents on remote legacy management servers -------------------------------------------------------------- To deploy reporting agents on remote legacy management servers, you must use third-party installation utilities such as SMS. The .msi file that is used for remote deployment is located on the installation CD. The directory and file names are \Reporting\Agents\Reporting Agents.msi ------------------------------------------------------------------------------------ Uninstalling managed client computers that were migrated from Symantec AntiVirus 8.0.1 or 8.1.1 may fail ------------------------------------------------------------------------------------ For managed clients that were migrated from Symantec AntiVirus 8.0.1 or 8.1.1, if you attempt to uninstall the client using Add/Remove programs, the default uninstallation password is not accepted. If you encounter this problem, you can use the Symantec System Center to change the default uninstallation password from symantec to a new password, and then uninstall the client computer. -------------------------------- Symantec Packager is unsupported -------------------------------- The use of Symantec Packager and PMI files is unsupported. ------------------------------------------------------------------------------------ Symantec AntiVirus cannot be added to a software installation Group Policy Object for Active Directory(R) deployment if the same version of Symantec AntiVirus is already installed ------------------------------------------------------------------------------------ You cannot create a Group Policy Object (GPO) package for software installation when the same version of the application is installed on the computer. Create the Symantec AntiVirus installation GPO before you install Symantec AntiVirus to the server. ------------------------------------------------------------------------------------ Restart may be necessary for Central Quarantine, Symantec System Center, and Alert Management System(2) installations ------------------------------------------------------------------------------------ A restart may be necessary for Central Quarantine because it updates system files. A restart may also be necessary for the Symantec System Center since it requires the update of Microsoft(R) Management Console plug-ins. Antivirus management server installations also require a restart before you can configure alerts if you install the Alert Management System(2) software. ------------------------------------------------------------------------------------ Communication problem when you uninstall a Symantec AntiVirus server that is on the same computer as the Symantec System Center ------------------------------------------------------------------------------------ If you uninstall a Symantec AntiVirus server that is on the same computer as the Symantec System Center, and then reinstall the server, it cannot communicate with the Symantec System Center. To work around this issue, you can uninstall both the Symantec AntiVirus server and the Symantec System Center, then install them again. -------------------------------------------------------------------- The SERVERNAME client installation MSI property must be a valid name -------------------------------------------------------------------- The SERVERNAME property specifies the name of an existing parent server that will manage the client. It must be a name. Do not use an IP address for this property. ------------------------------------------------------------------------------- The Server Name field during managed client installation must be a valid name ------------------------------------------------------------------------------- The Server Name field during managed client installation specifies the name of an existing parent server that will manage the client. It must be a name. Do not use an IP address for this field. If you only know the IP address, click the Browse button, then click the Find Computer button to search by IP address. ---------------------------------------------------------- Upgrading Symantec AntiVirus 10 requires additional rights ---------------------------------------------------------- Upgrading Symantec AntiVirus 10 requires modification of the cached install package or the upgrade will fail. If Symantec AntiVirus 10 is detected, the installation will fail unless the user is an administrator of the local machine. Note that enabling MSI to run with elevated privileges is not sufficient in this case. In addition to installing as a local administrator, the modification can be made in either of the following ways: - Temporarily grant users write rights to the Windows\Installer directory for the duration of the upgrade. - Run the Tools\Sav9UninstallFix tool under the credentials of an account with write access to Windows\Installer, then execute the upgrade with the property SAV10UNINSTALLFIXRUN=1 on the command line. ==================================================================================== MIGRATION ISSUES ==================================================================================== ------------------------------------------------------------------------------------ Invalid definitions on computers migrating from Symantec AntiVirus Corporate Edition 8.0, Symantec Client Security 1.0, and supported versions of Norton AntiVirus Corporate Edition ------------------------------------------------------------------------------------ Migrating from Symantec AntiVirus Corporate Edition 8.0, Symantec Client Security 1.0, and supported versions of Norton AntiVirus Corporate Edition to the current release leaves the client computers and the servers that acquire their definitions by the Virus Definition Transport Method (VDTM) temporarily unprotected due to invalid definitions. Newly migrated clients and servers immediately attempt to retrieve valid definitions by their configured method until they succeed. To ensure that these clients computers and servers are fully protected during migration, configure them to retrieve definitions by LiveUpdate, and then run LiveUpdate before migrating them. After migration is complete, you can reconfigure the client computers and servers to use VDTM. If reconfiguration before migration is impossible, you can minimize the time that they are unprotected by assigning them to a parent management server or primary server that runs the current release and has valid definitions. Once the client computers and servers retrieve the valid definitions, they remain protected after subsequent restarts. Clients computers and servers running Symantec AntiVirus Corporate Edition 8.1 and later or Symantec Client Security 1.1 and later are protected throughout migration. ------------------------------------------------------------------------------------ After migrating from Symantec AntiVirus 8.1.1 and 8.0.1, Rtvscan is disabled until reboot ------------------------------------------------------------------------------------ Rtvscan, the main Symantec AntiVirus service, is disabled after you migrate from Symantec AntiVirus releases 8.1.1 and 8.0.1. You must reboot the computer after migrating to be protected from viruses and security risks. ------------------------------------------------------------------------------------ Symantec AntiVirus 8.0 and 8.1.1 client computers migrated using ClientRemote require a restart to load definitions ------------------------------------------------------------------------------------ When migrating clients from versions 8.0 and 8.1.1 to the current release using the ClientRemote Install Utility, the client computer will not load its virus and security risk definitions until you restart the computer. ------------------------------------------------------------------------------------ Migrating from Symantec AntiVirus server 8.1.1 on Windows 2000 using the Symantec System Center may not work ------------------------------------------------------------------------------------ If you use the AntiVirus Server Rollout tool from the Symantec System Center to deploy the current release to Symantec AntiVirus servers that are running Symantec AntiVirus 8.1.1, the migration could fail. If you encounter this problem, you can either migrate these servers using the Server Rollout tool from the software CD or from a remote machine. -------------------------------- Migrating to the current release -------------------------------- When you migrate from the Symantec AntiVirus 10.0 to 10.1, restarting servers and client computers is recommended to activate new features in the current release, but it is not required. If you do not restart, you are still protected from viruses and other security risks by Auto-Protect scanning, and you can still manage the servers and client computers. The following features will not operate until the computer is restarted: Servers: Tamper protection Clients: Tamper protection and POP3 email protection ------------------------------------------------------------------------------------ When migrating from Symantec AntiVirus version 8.1.1, do not update servers simultaneously ------------------------------------------------------------------------------------ Updating the servers in a server group simultaneously from version 8.1.1 to version 10.1 using the AntiVirus Server Rollout tool updates the servers successfully, but it creates separate server groups and causes the Symantec System Center to lose communication with the secondary servers. You should migrate each server individually from version 8.1.1 to version 10.1. ------------------------------------------------------------------------------------ Migrating from Symantec AntiVirus server version 7.6 to version 10.1 is not supported on NetWare 5.1.8 ------------------------------------------------------------------------------------ Migrating the Symantec AntiVirus server from version 7.6 to version 10.1 is not supported on NetWare 5.1.8. You must uninstall version 7.6 before you install version 10.1. ------------------------------------------------------------------------ Updating to a new parent server during client migration by using Grc.dat ------------------------------------------------------------------------ If you migrate a client from a previous version to the current version and you are assigning the client to a new parent server, you must add the name of the new parent server to the RoamManagingParentLevel0 entry in the Grc.dat file that you include. This entry is a comma-delimited list of available parent servers. If the name of the new server is not added to this list, the migrating client will not use the new server that you specified. ---------------------------------------------------- Unmanaged to managed client migration is unsupported ---------------------------------------------------- The migration of an unmanaged client to a managed client is not supported. To resolve this issue, when a managed client is installed over an unmanaged client, you can copy a Grc.dat file (which specifies that the client be managed by a specific parent server) into the appropriate directory. The client installation chapter in the installation guide describes how to perform this conversion. -------------------------------------------------------------------------- Version 7.6.1 migration fails with opened client or server user interfaces -------------------------------------------------------------------------- If you migrate version 7.6.1 servers or clients, and if the user interface is open, the migration fails. To migrate version 7.6.1 servers and clients to the latest version, close the user interfaces before you begin migration. ==================================================================================== DEPLOYMENT ISSUES ==================================================================================== ------------------------------------------------------------------------------------ Logging switches added to vpremote.dat when using the ClientRemote tool will be overridden by defaults ------------------------------------------------------------------------------------ The default logging switch in the ClientRemote deployment tool overrides the /l*v switch when it is added to vpremote.dat and run from the command line. By default, an installation log is always created and placed in the %windir%\temp directory. ------------------------------------------------------------------------- Deploying user-based installation packages with elevated privileges fails ------------------------------------------------------------------------- By setting the Active Directory group policy for Always Install With Elevated Privileges, users without administrator rights can install Windows Installer packages. If you install per machine, this setting permits installation to succeed. If you install per user, this setting causes the installation to fail. ==================================================================================== PATCH-RELATED ISSUES ==================================================================================== ------------------------------------------------------------------------------------ Unique vpremote.dat and vpremote.exe files used to deploy patches and full releases ------------------------------------------------------------------------------------ The vpremote.dat and vpremote.exe files that accompany patches and are used for deploying the patches by the ClientRemote Install Utility are different from the vpremote.dat and vpremote.exe files that are used with ClientRemote to deploy full releases of Symantec AntiVirus and Symantec Client Security. Symantec recommends that you roll out patches from a unique folder so that you do not need to remove the default vpremote.dat and vpremote.exe files that accompany the ClientRemote Install Utility before you install a patch. The custom vpremote.dat shipped with the Symantec patch must be present in the same folder as the .msp file to install a Symantec patch using the ClientRemote. ==================================================================================== MANAGEMENT-RELATED ISSUES ==================================================================================== ------------------------------------------------------------------------------------ A manual scan on a remote client computer continuously tries to remove security risks found on the computer if you click the Remove Risks Now button ------------------------------------------------------------------------------------ If you click the Remove Risks Now button in the Remove Risks dialog box after a manual scan run from the Symantec System Center has discovered a security risk on a remote client computer, Symantec AntiVirus tries to remove the risk over and over again and does not allow you to close the dialog box. To work around this issue, close the dialog box by clicking the Do not remove button and then continue on to the Remove Risk Required dialog box. ------------------------------------------------- Back up the \pki directory on your primary server ------------------------------------------------- If you have a server group that contains one server only, that server is a primary server and manages all clients in the server group. If for some reason you have to reinstall server software on the primary server, you will lose all communications with your clients. The reason is that you created a new server group root certificate that the clients do not trust. To mitigate this potential problem, always install a secondary server in your server group so that you can unlock your server group. Further, always back up the entire \pki subdirectory that is located in the directory that contains your server software. If you have the \pki subdirectory available to restore after your reinstall server software, you can reestablish client communications. For detailed procedures, contact your Symantec technical support representative. ------------------------------------------------------------------------------------ Unregistered file extensions for non-hidden files are resolved with the FixFileTypes tool ------------------------------------------------------------------------------------ Symantec AntiVirus includes file extensions for non-hidden files that are not registered on Windows operating systems. To mark these file types as hidden, on the Symantec AntiVirus CD, in the \Tools\FixFileTypes folder, run FixFileTypes.exe. ------------------------------------------------- Rolling back server system dates disables servers ------------------------------------------------- If you roll back the system date on your primary server to a date that precedes the server group root certificate creation date, you will not be able to use your server. ---------------------------------------------- Stopping Symantec processes causes instability ---------------------------------------------- If you stop Symantec processes that run in the background, the computers on which you stop the processes will become unstable. For a list of Symantec processes, refer to the reference guide that is located on your installation CD. ----------------------------------------------------------------- SAVRoam /nearest command requires administrator rights on Windows ----------------------------------------------------------------- SAVRoam is typically configured to look for a new parent server after an amount of time and after a computer restarts. However, the command-line command SAVRoam /nearest lets you force SAVRoam to look for a new parent server immediately. To use this command, users must have administrator rights on Windows computers. --------------------------------------- Deleting locked and empty server groups --------------------------------------- If you have a server group that contains a primary server only, and if you uninstall the server, you cannot unlock the server group and delete it. To delete the server group: 1. In the Symantec System Center console, click Tools > Discovery Service. 2. In the Discovery Services Properties dialog box, click Clear Cache Now. ------------------------------------------------- Group settings are applied to out-of-sync clients ------------------------------------------------- By default, clients that have system clocks set more than 24 hours plus or minus of the time set on the primary management server do not let administrators directly configure settings. For example, you cannot right-click on an out-of-sync client in the Symantec System Center and view the client logs. Out-of-sync clients, however, do accept settings that administrators apply to groups. For example, if you right-click a group in the Symantec System Center and change the Client Auto-Protect setting, the out-of-sync client accepts the new setting. The reason that you cannot directly configure client settings is because the system uses the Login certificate, which is valid for a specified time only. You can change the times in the Symantec System Center with Configure login certificate settings at the group level. The reason that the out-of-sync clients accept group-level changes is because the system uses the server certificate, which is valid for five years. For more information about certificates, refer to the Reference Guide in the Docs folder on the installation CD. ---------------------------------------------------------------------------- Symantec System Center prompts restricted users for server group certificate ---------------------------------------------------------------------------- When you first unlock a server group, the Symantec System Center prompts you to copy the server group root certificate to the Symantec System Center directory structure. If you subsequently log on to the computer that runs the Symantec System Center with administrator rights and unlock the server group, you are not prompted to copy the server group root certificate. If you subsequently log on to the same computer with low-level user rights, you are always prompted to copy the server group root certificate. ---------------------------------------- Changing the management mode of a client ---------------------------------------- In Chapter 2 of the administrator's guide, in the procedure for changing an unmanaged client to a managed client, steps 5 and 6 are no longer necessary. If the pki\roots folder on the client is empty, then the new parent server now automatically copies the server group root certificate and places it in the pki\roots folder on the client after you copy the Grc.dat file to the client and restart the client. If the pki\roots folder on the client contains its previous server group root certificate, you should delete it before you copy the new Grc.dat file to the client. ----------------------------------------------------------- Users are no longer allowed to modify scheduled LiveUpdates ----------------------------------------------------------- The "Do not allow client to modify LiveUpdate schedule" option has been disabled on the Virus Definition Manager dialog box in the Symantec System Center. When you check the Do not allow client to manually launch LiveUpdate option or the Schedule client for automatic updates using LiveUpdate option, users are not allowed to modify any scheduled LiveUpdates that you configure. This automatic locking ensures that LiveUpdates that administrators schedule are always propagated to clients and cannot be modified by users. ---------------------------------------------------------------------- Information about a user's logon domain is not available until restart ---------------------------------------------------------------------- After an initial client software installation, the user's logon domain information does not appear in the Symantec System Center until the client computer is restarted. After a restart, this information is available in the Symantec System Center Symantec AntiVirus View, the network audit results, the Event Log, the Risk History, and the Tamper History. In the Symantec AntiVirus user interface, it is available in the Event Log, the Risk History, and the Tamper History. --------------------------------------------------------------------- Setting for allowing clients to modify LiveUpdate schedules is locked --------------------------------------------------------------------- The Virus Definition Manager window in the Symantec System Center contains the following setting, which is locked and dimmed: - Do not allow client to modify LiveUpdate schedule When both of the following settings are disabled, the locked setting is automatically unchecked and disabled: - Schedule client for automatic updates using LiveUpdate - Do not allow client to manually launch LiveUpdate When one or both of these settings are checked and enabled, the locked setting is automatically checked and enabled. If this setting was not locked, client users could create or modify schedules that conflict with the group policy and would not receive group-scheduled virus definitions updates. ----------------------------------------------------------- When your client email applications use a single Inbox file ----------------------------------------------------------- If your clients use email applications that store all email in a single file, such as Outlook Express, Eudora, Mozilla, and Netscape, you might want to exclude the Inbox file from manual and scheduled scans. If Symantec AntiVirus catches a virus in the Inbox file during a manual or scheduled scan, and the action configured for the virus is Quarantine, Symantec AntiVirus quarantines the entire Inbox and users cannot access their email. Although regularly excluding a file from scanning is not recommended as a general practice, excluding the Inbox file from being scanned prevents it from being quarantined while still allowing a virus to be detected. If Symantec AntiVirus finds a virus when you open an email message rather than when you download the message or during a scan, it can safely quarantine or delete the message without causing a problem for the entire Inbox. ---------------------------------------------- Only locked settings are propagated to clients ---------------------------------------------- To change settings on clients, you must lock the settings in the Symantec System Center. If you change a setting for clients, and if that setting is not locked, the change does not occur on the clients. This feature also affects client installations by using the ClientRemote feature in the Symantec System Center. Only changed settings that are locked are configured on clients during installation. ------------------------------------------------------------------------------------ Simple host name resolution is required to manage Symantec AntiVirus servers and clients ------------------------------------------------------------------------------------ You must have simple host name resolution configured in your environment to manage Symantec AntiVirus servers and clients. Fully qualified domain name resolution is not required. ------------------------------------------------------------------------------------ Dragging and dropping servers after changing Login Certificate Settings results in loss of communication ------------------------------------------------------------------------------------ In the Symantec System Center, when you increase the time interval set for the two options in the Login Certificate Settings dialog box to more than one day (24 hours) to account for time out-of-sync issues between servers and clients, and then drag and drop a server into a new server group, communication between the server and the Symantec System Center is lost. This does not occur if your actual time discrepancy is 24 hours or less. ------------------------------------------------------------------ Time out-of-sync error when you promote a server to primary server ------------------------------------------------------------------ When you promote a server to primary in the Symantec System Center, you might get a login certificate time out-of-sync error. In most instances, you can work around this issue by clearing the cache, and then running a new Discovery. You can then promote the server to be a primary server. ==================================================================================== ANTIVIRUS CLIENT AND SERVER ISSUES ==================================================================================== ------------------------------------------------------------------- Daily updates for virus and security risk definitions now available ------------------------------------------------------------------- In the past, virus and security risk definitions were available for weekly updates. Symantec AntiVirus 10.x clients can now perform daily updates to their definitions by using the Symantec LiveUpdate server. After an organization uses the Symantec LiveUpdate server or Symantec FTP site to download these definitions to a central LiveUpdate server in the organization, the definitions can be deployed and will run on any computer that has a currently supported version of Symantec AntiVirus installed on it. ----------------------------------------- Handling of encrypted POP3 and SMTP email ----------------------------------------- The "Allow encrypted POP3 connections" and "Allow encrypted SMTP connections" options for sending and receiving encrypted POP3 and SMTP email are on by default. When this functionality is enabled, unencrypted email is scanned, and encrypted email is allowed to pass through without being scanned or blocked. To disable these options, you can use either the Client Auto-Protect advanced options for Internet Email in the Symantec System Center or the advanced Internet Email Auto-Protect options in the Symantec AntiVirus client user interface. When these options are disabled, unencrypted email is scanned when sent or received, but encrypted email is blocked. If you re-enable the options and then attempt to send encrypted email, the email will be blocked until you restart Outlook or Outlook Express. ------------------------------------------------------------------------------------ Turning off encrypted email handling may not take effect until you log out of Windows and log back in ------------------------------------------------------------------------------------ In some cases, if you turn off the handling of encrypted email for SMTP and POP3 in the Symantec AntiVirus user interface, the change does not take effect until you have logged out of Windows and logged in again. If you need to be sure that your change took effect immediately, log out and back in again. ------------------------------------------------------------------------------------ Security risk exceptions migrated to version 10.1 do not display their risk impact ratings ------------------------------------------------------------------------------------ The Select Security Risks dialog box in the Symantec System Center and in the Symantec AntiVirus user interface does not display risk impact ratings for security risks if an exception was created for the risk in the previous version of Symantec Client Security. To get the Symantec System Center to display the risk impact ratings for such a risk, use version 10.1 to remove the risk from the list of exceptions, and then recreate the exception. ------------------------------------------------------------------------------------ Starting Symantec AntiVirus or Symantec System Center using the Run As command with restricted permissions is not supported ------------------------------------------------------------------------------------ You cannot use the Run As command from the Start menu to open the Symantec AntiVirus user interface or the Symantec System Center if you attempt to run it as Current user and also have the "Protect my computer and data from unauthorized program activity" checkbox checked. This scenario is not supported. ----------------------------------------------------------------- Windows System Restore may fail when Tamper Protection is enabled ----------------------------------------------------------------- Restoring a computer to a Windows restore point may not succeed when Tamper Protection is enabled. At the end of the restore operation, Windows may give a message that restore did not complete and that no files have been changed on the system. To work around this issue, use F8 to restart the computer in safe mode, perform the system restore, and then restart the computer. ------------------------------------------------------------------------------------ Global Risk Exclusions settings are retained when client computers are moved to a different client group ------------------------------------------------------------------------------------ If you move a client computer assigned to a client group to a different client group, the computer will retain the Global Risk Exclusions settings from its original group. To work around this issue, you can do the following: 1. In the Symantec System Center, right-click the client group that the client computer has been moved to and click All Tasks > Global Risk Exclusions. 2. In the Global Security Risk Exclusions dialog box, on the Client tab, click OK. The previous settings will be deleted from the client computer and the settings for the new client group will take their place. ----------------------- Cookies are not scanned ----------------------- Cookies are not scanned for viruses, threats, or security risks. ----------------------------------------------------- Internet E-mail Auto-Protect port changes are ignored ----------------------------------------------------- The antivirus client Auto-Protect feature for Internet E-mail Advanced Options lets you change the ports for POP3 and SMTP. The defaults for these ports are 110 and 25. The antivirus client ignores changes to these defaults. This issue applies to all email programs that use POP3 and SMTP, including Microsoft Outlook. If you change these defaults with the antivirus client but your email program uses the defaults, Auto-Protect still scans for risks in your email traffic. If your email program does not use the defaults and you change the Auto-Protect ports to match the ports used by your email program, Auto-Protect does not scan for risks in your email traffic. -------------------------------------------------------------------------- Adding a file to the Quarantine and removing it from its original location -------------------------------------------------------------------------- The option to "Remove file from original location" in the Add File to Quarantine dialog box does not work after you turn Auto-Protect off. When you use the Quarantine View icon to add a file to the Quarantine, and you uncheck the option to remove the file from its original location, the file is still removed. --------------------------------------------- Scanning files by type is no longer available --------------------------------------------- Scanning files by type is no longer an option when you configure any scan. All types of files are scanned. Any previously configured scan that is migrated to the current version will also scan all file types. ------------------------------------------------------------------------------- Do not use third-party security risk scanners when Tamper Protection is enabled ------------------------------------------------------------------------------- The antivirus clients and servers have a real-time feature called Tamper Protection that protects Symantec processes and internal objects from unauthorized access and tampering. If you run third-party security risk scanners that detect and defend against unwanted adware and spyware, these scanners generally touch Symantec processes. Tamper Protection then generates tens and possibly hundreds of alerts and log entries. If you want to use third-party security risk scanners, disable Tamper Protection. ------------------------------- Setting Client Tracking options ------------------------------- In the Symantec System Center, when you set Client Tracking options in the Server Tuning Options dialog box, the changes do not take effect until you restart the Rtvscan service on the server that you are configuring. ------------------------------------------------------------------------------------ Auto-Protect option to scan for security risks does not apply to computers that run earlier versions of Symantec AntiVirus ------------------------------------------------------------------------------------ When you configure Auto-Protect options in the Symantec System Center, the option to Scan for Security Risks does not apply to computers that run earlier versions of Symantec AntiVirus. ==================================================================================== REPORTING ISSUES ==================================================================================== ------------------------------------------------------------------------------------ Modify the Log Sender Agent's configuration so that event aggregation is more effective ------------------------------------------------------------------------------------ You should set the Log Sender Agent's aggregation period to a value that is equal to or greater than the agent's run schedule. If the value is greater than the run schedule, it should be a multiple of the run schedule value. For example, if the run schedule is 10 minutes, the aggregation value might be 30 minutes. To configure the Log Sender Agent's run schedule and aggregation periods: 1. In the Symantec System Center console, in the left pane, under System Hierarchy, right-click the primary management server on which the Log Sender is running. 2. Click All Tasks > Reporting Configuration > Configure Reporting Agents. 3. Under Log Sender, make sure the value for Aggregate redundant events every is equal to or greater than the Process logs every value. If the value is greater, it should be a multiple of the Process logs every value. 4. Click OK. --------------------------------------------------------------------- Reporting Upload directory might not be removed during uninstallation --------------------------------------------------------------------- Before uninstalling the reporting server, you should stop the agent service by using Windows Administrative Tools > Services. If you do not stop the agent service, the \Program Files\Symantec\Reporting Server\Upload directory might not be removed during the uninstallation. The directory is not removed in order to preserve any new data uploaded by the agents during the uninstallation. If no new data was uploaded during the uninstallation, the uninstallation process removes the Upload directory. ------------------------------------------------------------------------------------ Running a reporting server on Windows Server 2003 without Service Pack 1 installed is not supported ------------------------------------------------------------------------------------ To use a reporting server on Windows Server 2003 Standard/Enterprise, you must have Service Pack 1 installed on the computer. Without Service Pack 1, the reporting server will still install, but will not function properly. The Windows XP operating system is not supported at all for use as a reporting server. You can install a reporting server on Windows XP, but it will not function properly. ---------------------------------------------------------------------- Reporting database tuning cannot be configured when agents are running ---------------------------------------------------------------------- If the reporting agents are processing data, and you attempt to modify the Database Tuning options in reporting, you might get an error message such as "You do not have permission to execute this operation." Wait for a period of time before trying to modify the options again, or do the following: 1. Disable the Log Reader (Events) and the Log Reader (Computer Status) on the Agent Configuration page. 2. Modify the tuning options. 3. Re-enable the agents. ------------------------------------------------------------- Changing a reporting server host name when agents are running ------------------------------------------------------------- If you change the host name of a reporting server after the reporting agents have been running, the reporting agents will fail to upload your files to the reporting server. To fix this problem, do the following: 1. In the Symantec System Center console, under System Hierarchy, right-click the server or server group, and then click All Tasks > Reporting Configuration > Configure Reporting Server. 2. In the Reporting Server Options dialog box, enter the correct URL for the reporting server. 3. Click OK. ------------------------------------------------------------------------------ Changing reporting server port or host name requires Alert Agent configuration ------------------------------------------------------------------------------ If you change the reporting server port or the host name, you should modify the reporting URL option in the Alert Agent configuration. You must modify this option if you are writing alert events to the alert database or sending alert notification emails. Otherwise the alert events will not be available on the Alert Events page and the incorrect URL will be included in notification emails. To modify the Alert Agent URL option: 1. On the Admin tab, select Agent Configuration. 2. Click the Edit icon next to the Alert Agent. 3. Under What mail notification parameters would you like, in the Reporting URL text box, enter the correct URL. 4. Click Save. --------------------------------------------------------- Reporting handles resumable scan events as separate scans --------------------------------------------------------- Reporting does not interpret Scan suspended and Scan resumed events for resumable scans. For all other scans, Scan start and Scan completed are treated as a single scan. But for resumable scans, Scan start and Scan completed are interpreted as separate scans. You will see two scans rather than one in scan reports and logs. Check the Symantec AntiVirus logs for detailed information about resumable scans. ------------------------------------------------------------------------------------ ThreatCon status on the reporting home page does not update if Internet Explorer is not set to display animations ------------------------------------------------------------------------------------ When using Internet Explorer, you must have the browser set to play animations in Web pages to see updates to the ThreatCon status. To set this option, do the following: 1. Open Internet Explorer. 2. Click Tools > Internet Options. 3. On the Advanced tab, under Multimedia, check Play animations in web pages. 4. Click OK. --------------------------------------------------------------------- DBCS characters cause problems when used in the reporting server name --------------------------------------------------------------------- Internet Explorer 6.x and earlier versions do not support DBCS host names. If your reporting server has a host name that includes DBCS characters, you cannot log into the reporting server by using the URL with those DBCS characters. You can work around this issue by logging into the reporting server using either of the following methods: - Use the IP address of the reporting server. - Type localhost/reporting directly into your browser. Also, if you are using DBCS characters in the reporting server name, the hyperlinks in email notifications that link to the reporting server will not work. To work around this issue, modify the Alert Agent configuration as follows: 1. On the Admin tab, select Agent Configuration. 2. Click the Edit icon next to the Alert Agent. 3. Under What mail notification parameters would you like, in the Reporting URL text box, enter the correct URL using the IP address rather than the host name. 4. Click Save. ------------------------------------------- Global date format affects report filtering ------------------------------------------- The global date format is set on the GUI Configuration, General Parameters page. By default the global format is MDY. If you change the global date format to a format that does not include a year designation (such as MD), any reports that you create will show information for the current year only. Even if you specify a Time range filter on the report for more than one year or for a different year, the report data will only include information for the current year. ------------------------------------------------------------------------------- Images in reports are cached rather than recreated when a report is regenerated ------------------------------------------------------------------------------- Images included in reports, such as bar charts, pie charts, or spider graphs, might be cached in the browser. The caching occurs if IIS is configured to handle these images as static content. This behavior is the default. The caching occurs to reduce network bandwidth and page display latency. However, images in reports might not be recreated when a report is rerun. You can set up IIS and/or Internet Explorer to make sure the images are recreated every time a report is run. To configure IIS so that images in reports are dynamic, do the following: 1. Run Administrative Tools > Internet Services Manager. 2. Navigate to Default Web Site > Reporting. 3. Right-click Reporting, and then in the menu, select Properties. 4. On the HTTP Headers tab, check Enable Content Expiration. 5. Select Expire Immediately. 6. Click OK. You do not need to re-start IIS. The change applies immediately. To configure Internet Explorer so that images in reports are dynamic, do the following: 1. In Internet Explorer, click Tools > Internet Options. 2. On the General tab, under Temporary Internet files, click Settings. 3. Under Check for newer versions of stored pages, select Every visit to the page. 4. Click OK. 5. In the Internet Options dialog, click OK. 6. Repeat this procedure in each browser that you are using to view reports. ----------------------------------------------- CGI errors when accessing the reporting console ----------------------------------------------- On rare occasions on certain operating systems, you may see the following CGI error: The specified CGI application misbehaved by not returning a complete set of HTTP headers. In many cases, refreshing Internet Explorer will eliminate this error. If refreshing does not help, it may be related to querying large amounts of data and you may need to increase the timeout values on your computer. See the following readme item: When querying large amounts of data, you might need to increase timeout parameters. ---------------------------------------------------------------------------------- When querying large amounts of data, you might need to increase timeout parameters ---------------------------------------------------------------------------------- When running reports or generating logs with large amounts of data and you get database errors, you might want to set the MS SQL server connection and command timeouts. The reporting defaults for these values are as follows: ConnectionTimeout: 300 seconds (5 minutes) CommandTimeout: 300 seconds (5 minutes) To change the timeouts, use any text editor to add the following settings in the Reporter.php file (where xxx is the number of seconds): $CommandTimeout = xxxx; $ConnectionTimeout = xxxx; If you specify zero, or leave the field blank, the default settings are used. When running reports or generating logs with large amounts of data, and you get CGI or terminated process errors, you might want to change any of the following timeouts: - The max_execution_time in the php.ini file (default is 300 seconds) - The Transaction timeout (default is 60 seconds) - The IIS Connection timeout (default is 120 seconds) - The CGI timeout (default is 300 seconds) To change the max_execution_time, open the php.ini file in any text editor and increase the timeout. To change the Transaction timeout, do the following: 1. Run Administrative Tools > Component Services. 2. In the left pane, expand the tree, and then right-click My Computer and select Properties. 3. On the Options tab, set the Connection Timeout. 4. Click OK. To change the IIS Connection timeout, do the following: 1. Stop IIS. 2. Run Administrative Tools > Internet Services Manager. 3. Right-click Default Web Site and select Properties. 4. Change the Connection timeout. 5. Click OK. 6. Restart IIS. To change the CGI timeout, do the following: 1. Stop IIS. 2. Run Administrative Tools > Internet Services Manager. 3. Make sure the Enable direct metabase edit option is selected. 4. Do one of the following: - For IIS 5.0, modify the CGI timeout in the Internet Services Manager application. - For IIS 6.0, modify the CGI timeout in the metabase.xml file using any text editor. 5. Restart IIS. ------------------------------------------------------------------------------------ Time values in daily distribution reports may not reflect Daylight Savings Time (DST) ------------------------------------------------------------------------------------ All time values in the reporting database are stored in GMT and converted to local time before display. The conversion to local time uses the DST setting for the day that the report is generated instead of the day that the event occurred. Events in the daily distribution reports that occurred prior to the changeover to DST will appear in standard time. Other reports handle the time difference correctly and show the time converted to DST. ------------------------------------------------------------------------------------ Scan information in reporting may appear inconsistent with scan histories information ------------------------------------------------------------------------------------ Two scan report types in reporting, Computers by Last Scan Time and Computers Not Scanned, may show information that is inconsistent with what you see when viewing scan information in Symantec System Center and the Symantec AntiVirus user interface. For example, if client information is purged from the Symantec AntiVirus logs, that information will not appear in the reports. However, the information is available in the scan histories in Symantec System Center and the Symantec AntiVirus user interface. ---------------------------------------------------- Viewing reporting data on Japanese operating systems ---------------------------------------------------- When using a Japanese operating system to run a reporting server, you must ensure that default Guest account for the Internet Information Service (IIS) is enabled and has at least the default Guest account permissions. If it does not, you will see a Log Sender error with HTTP 401 access denied message. If this occurs, open User Management, enable the account, and ensure that it has at least the default permissions. ---------------------------------------------------------------------------- Parent servers appear to be missing in Virus Definition Distribution reports ---------------------------------------------------------------------------- In Virus Definition Distribution reports, a parent server is not listed unless it has clients. To view information about virus definitions on parent servers, do the following: 1. On the Logs tab, click Logs > Computer Status Logs. 2. Select the desired Time range, and then click Advanced Settings. 3. In the Computer Type drop-down box, select Only parent servers. 4. Click View Log. ----------------------------------------------- Use default date separator for full risk report ----------------------------------------------- If you change the date separator on the Admin > GUI Configuration > General page to a hyphen (-), dates in the full risk report will be incorrect. Instead, use the slash separator (/), which is the default. ------------------------------------------------------------- Reporting filter for past 24 hours is determined on page load ------------------------------------------------------------- The start of the "Past 24 hours" time range (for report pages, log pages, and alert events page) begins for each page when that page is first accessed in reporting. The start time and end time for the past 24 hours does not reset if you refresh the page. To make sure the past 24 hours range starts now, do one of the following: -Navigate to another page in reporting and then return to the desired page. -On the report, log, or Alert Events page, select a different time range and then reselect "Past 24 hours." ------------------------------------------------------------------------ Auto-refresh on logs pages and the Alert Events page does not reset time filters if logged into reporting for more than one day ------------------------------------------------------------------------ The Auto-refresh parameter on the logs pages and the Alert Events page resets the start and end of time ranges (except "Past 24 hours") if you are logged in for less than 24 hours. If you are logged in for more than 24 hours, start and end times for time ranges do not reset. To make sure the time range starts now, do one of the following: -Navigate to another page in reporting and then return to the desired page. -On the log page or Alert Events page, select a different time range and then select the desired time range. =================================================================================== NETWARE INFORMATION AND ISSUES =================================================================================== ------------------------------------------ Custom installation directories limitation ------------------------------------------ Installing Symantec AntiVirus into NetWare directories that contain more than eight characters in the directory name can cause problems. Use a directory with a name that is eight or fewer characters for installation. ------------------------------------------------------------------------------------ Auto-Protect option to scan for security risks does not apply to computers that run NetWare ------------------------------------------------------------------------------------ When you configure Server Auto-Protect options in the Symantec System Center, the option to Scan for Security Risks does not apply to computers that run NetWare. ------------------------------------ Quick Scans not supported on NetWare ------------------------------------ Quick Scans are not supported on computers that run NetWare. ----------------------------------------- Configuring exceptions for security risks ----------------------------------------- When you configure scan options in the Symantec System Center for Auto-Protect and other scans, if the parent server or primary server runs NetWare, the Available risks list in the Select risks dialog box is empty and you cannot configure exceptions. To work around this issue, use a computer running Windows as your primary or parent server, or configure exceptions directly on the computers managed by the NetWare parent and primary servers. ------------------------------------------------------------------------------------ NetWare servers may fail to communicate during server group drag and drop operations ------------------------------------------------------------------------------------ Under some circumstances, NetWare servers configured with both IP and IPX protocols may fail to communicate during drag and drop server group operations. This is due to protocol and address resolution failures. A workaround is as follows: 1. Disable the IPX protocol bindings from server(s) being moved and the primary server of the new server group. 2. Restart both servers and verify network communication and name resolution by typing: Ping on both server consoles. 3. Perform the move. After server drag and drop operations have been completed, IPX protocol bindings can be reenabled on servers that require this protocol. ------------------------------------------------------------------------- Secure Console requires search path additions for installation or upgrade ------------------------------------------------------------------------- The NetWare Secure Console feature locks down a file server so that it can only load NLMs from the SYS:SYSTEM directory or any search path. Consequently, this can prevent a Symantec AntiVirus installation or upgrade from running. To resolve this, you must add both the Symantec AntiVirus and the temporary deployment directory, for example, SYS:SAV\Deploy0, to the search path before loading vpstart for the installation or upgrade, and then launch VPStart from the temporary deployment directory by using the /update command line. The temporary deployment directory can be removed from the search path after the installation or upgrade is complete. The temporary deployment directory is a subdirectory of the target directory for installation and will normally be called Deploy0, for example, the full path name is SYS:SAV\Deploy0. If a directory with this name already exists, the deployment process will try ten alternate names, first by using sequential numbers, for example, Deploy1, Deploy2, and so on, then by using random numbers. The easiest way to perform an upgrade with NetWare Secure Console is to perform the deployment and allow the vpstart launch to fail. At this point, all necessary files reside on the server and you now know the path of the temporary deployment directory. To proceed, add this directory to the search path in addition to the target directory, then rerun vpstart using the command: load \vpstart /update For example: load sys:sav\deploy0\vpstart /update ------------------------------------------------------------------------------------ Proceeding with an upgrade if a timeout occurs while waiting for Symantec AntiVirus to shut down ------------------------------------------------------------------------------------ In rare circumstances, Symantec AntiVirus for NetWare may take a very long time to shut down, resulting in a timeout during the upgrade process. To complete the upgrade, find the temporary deployment directory on the server and run vpstart /update from it. In most cases, this will be the Deploy0 subdirectory, so the command would be as follows: load sys:sav\deploy0\vpstart /update ----------------------------------------------------- The NetWare log file is now stored in SYS:install.log ----------------------------------------------------- The NetWare installation log file is now SYS:\install.log. This is used for installations, upgrades, and uninstallations. ----------------------------------------------------------------------- The install command no longer attempts to repair a damaged installation ----------------------------------------------------------------------- The /install command-line parameter no longer repairs damaged installations. Please note that repairing damaged installations is not supported and may result in incorrect operation of the product. Symantec recommends that you uninstall the product, and then reinstall it if the installation is damaged. In most cases, installation damage is the result of damaged registry files, for example, the computer cannot load Symantec AntiVirus. Damaged registry files cannot be repaired, but they can be rebuilt. To rebuild a damaged registry, you need to do the following: - Regenerate the default registry file. - Repopulate the address cache. - Update the DomainGUID for secure communications. To regenerate the default registry file: 1. At the server console, type: unload vpreg.nlm 2. Delete the SYS:SYSTEM\VPREG directory. 3. At the server console, type: load sys:sav\vpstart /regrepair To repopulate the address cache, type: load sys:sav\vpstart runsection ResolveAddress The method for updating the DomainGUID entry varies depending on the server type. If this is a primary server, the domain GUID can be extracted from the file names of the certificate files on the server. In this case, type the command: load sys:sav\vpstart runsection SetDomainGUID However, if this is a secondary server, the DomainGUID must match the parent's DomainGUID. In this case, a different command must be used. To do this: 1. Edit the SetDomainGUID section of the install.ini file. 2. Replace the SetDomainGuid=cert line with SetDomainGuid=parent. 3. Save the file. 4. Type: load sys:sav\vpstart runsection SetDomainGUID ------------------------- Regenerating certificates ------------------------- If you need to regenerate certificates, you can do so by using a runsection diagnostic command. Please note that regenerating certificates can result in all clients and other servers refusing to communicate with the server. To regenerate certificates: 1. Shut down Symantec AntiVirus for NetWare. 2. Type: load sys:sav\vpstart runsection CertGen ----------------------------------------------------------------------- A Symantec AntiVirus server upgrade on NetWare defaults to bindery mode ----------------------------------------------------------------------- If the previous version of Symantec AntiVirus server was installed using NDS, upgrades to the current version will default to bindery mode. This can be verified by checking the install.log file located at the root of the sys directory for the message: ActionsBinderyInstallScript ----------------------------------------------------------------------------------- Secondary server installations and migrations may fail if the IPX protocol is bound ----------------------------------------------------------------------------------- Under some circumstances, NetWare servers configured with both IP and IPX protocols may fail to communicate during server installations and migrations. This is due to protocol and address resolution failures. A workaround is as follows: 1. Disable the IPX protocol bindings from server(s). 2. Restart the secondary server(s) and verify network communication and name resolution by typing: Ping on the secondary server(s) consoles. 3. Unload the Symantec AntiVirus server. 4. Re-run the generation of server certificates by typing: vpstart runsection certgen 5. Run network discovery on the Symantec System Center console to ensure that the servers appear. IPX protocol bindings can then be enabled on servers that require this protocol. =================================================================================== 64-BIT SUPPORT =================================================================================== ------------------------------------------------------ Antivirus client is the only feature that is supported ------------------------------------------------------ The antivirus client provides antivirus and security risk protection for clients and servers, and is the only feature supported for this release. All other components, products, and tools are not supported. ---------------------------------------------------------------------- LiveUpdate is the only virus definitions files update method supported ---------------------------------------------------------------------- LiveUpdate is the only virus definitions files update method supported. All other update methods, including the Virus Definition Transport Method, are not supported. ------------------------------------------------------- Managing 64-bit clients with the Symantec System Center ------------------------------------------------------- To manage 64-bit clients with the Symantec System Center, configure the client settings so that the clients do not receive automatic virus definitions updates. The easiest way to configure the client settings is to configure a client group and place your 64-bit clients in this group. You can rely on users to click LiveUpdate, or you can set a LiveUpdate schedule for the group by using the Symantec System Center. To manage 64-bit clients with the Symantec System Center: 1. Create a client group. 2. Right-click the client group. 3. Uncheck Inherit settings from Server Group. 4. Right-click the client group, and then select All Tasks > Symantec AntiVirus > Virus Definition Manager. 5. In the Virus Definition Manager dialog box, uncheck Update virus definitions from parent server. 6. Do one or both of the following: - Uncheck Do not allow client to manually launch LiveUpdate. - Check Schedule client for automatic updates using LiveUpdate, click Schedule, specify a schedule, and then click OK. 7. Click OK. After you install 64-bit client software, drag the client computers into this client group. ------------------------------- Side effects repair limitations ------------------------------- 64-bit antivirus clients support side effect repair only for 32-bit viruses and security risks that have infected the WOW64 portions of the 64-bit operating systems on AMD(R)/64 and EM64T hardware. 64-bit antivirus clients do not currently support the repair of 64-bit viruses and security risks on the 64-bit native operating system facilities outside of WOW64 on AMD/64 and EM64T hardware. =================================================================================== DOCUMENTATION ISSUES =================================================================================== -------------------------------------------------------------------------- Symantec AntiVirus Reference Guide was not updated for the current release -------------------------------------------------------------------------- The Reference Guide located in the Docs folder on the product CD contains an obsolete chapter titled Antivirus protection and email servers. The Reference Guide accessed by the online help no longer contains this chapter. Exchange files and folders are automatically excluded from scans in this release. See the Symantec AntiVirus Administrator's Guide for information about Exchange server exclusions from scans. The chapter titled Event Log entries in both Reference Guides also contains out-of-date information. See the Symantec Knowledge Base for more recent information. ---------------------------------------------------------------- Reporting User's Guide contains incorrect name for report filter ---------------------------------------------------------------- The section titled Creating computer status reports includes a description of a filter setting called Virus definition date. The filter name should be changed to Definition date. ---------------------------------------------- Reporting User's Guide contains wording errors ---------------------------------------------- The chapter "Configuring reporting agents" contains the following incorrect references: - "Reporter Configuration" should be "Reporting Configuration." - "Reporter URL" should be "Reporting URL." ------------------------------------------------------------------------------------ Reporting Userˇ¦s Guide is missing a note about Virus Definition Distribution reports ------------------------------------------------------------------------------------ In the chapter "Using reports," in the section "About reports," the following note should be included in the bulleted list: - In Virus Definition Distribution reports, a parent server is not listed unless it has clients. To view information about virus definitions on parent servers, use the Computer Status Logs page and select Only parent servers for the Computer type. ------------------------------------------------------------------------------------ Correction to Network Scanning Options in the Auto-Protect Scan Options table in Administratorˇ¦s Guide ------------------------------------------------------------------------------------ The section in the "Available options" column of the Network Scanning Options row of the Auto-Protect Scan Options table in Chapter 4 of the Symantec AntiVirus Administrator's Guide that begins "Uncheck Enable scanning to stop Auto-Protect from scanning network drives", and ends with "Trust files on remote computers running Auto-Protect is enabled by default when network scanning is enabled", is incorrect. The section should read as follows: Uncheck Enable Scanning to stop Auto-Protect from scanning network drives. When scanning is enabled on network drives, Symantec AntiVirus scans files as they are accessed by a client computer from a server or by one server from another server. When network scanning is enabled, you can also enable Auto-Protect to trust remote versions of Auto-Protect and to use a network cache. The Trust remote Auto-Protects option keeps Auto-Protect from performing duplicate scanning while network scanning is enabled. If this option is enabled on both the client and the server, the client Auto-Protect checks to see that the server's Auto-Protect settings provide at least as high a level of security as its own Auto-Protect settings. If this is so, the local computer trusts the Auto-Protect scan on the remote computer and does not rescan the file. For example, when client A requests access to a file on a network drive on server B, client A's Auto-Protect checks to see if it should trust the Auto-Protect on server B. If server B's Auto-Protect is trustworthy, client A Auto-Protect does not scan the file again. If server B's Auto-Protect is not trustworthy, client A's Auto-Protect does scan the file. Trust remote Auto-Protects is enabled by default when network scanning is enabled. Uncheck Trust remote Auto-Protects if you want to disable the trust feature and allow duplicate scanning. You may not consider it necessary to check the Enable Scanning option if you have enabled Auto-Protect on all of your servers since the implementations of Auto-Protect on your servers will scan files whenever clients request them. If you do enable network scanning, and you do not use the Trust remote Auto-Protects option, you should be aware that the repeat Auto-Protect scanning is likely to reduce network performance on the client computer because the client computers will pull the files across the network to do their scans. =================================================================================== OTHER ISSUES =================================================================================== ------------------------------ Installing Symantec VPN Sentry ------------------------------ Migration of Symantec VPN Sentry for clients running Check Point SecureClient is not supported. You should uninstall previous versions before you install the current version of Symantec VPN Sentry. Installing the current version of Symantec VPN Sentry over a previous version may result in a failed installation with no error message. Before you install Symantec VPN Sentry, you must disable the Check Point SecureClient. To install Symantec VPN Sentry on clients running Check Point SecureClient, do the following: 1. Disable the Check Point SecureClient. 2. Uninstall any previous version of Symantec VPN Sentry. 3. Install the current version of Symantec VPN Sentry. 4. Enable the Check Point SecureClient. -------------------------------------------------------------------- XP SP2 firewall status incorrectly reported as enabled after restart -------------------------------------------------------------------- In a specific circumstance, the Windows Firewall might temporarily report itself as enabled when it actually is not. This occurs when the following installation sequence has occurred: 1. XP SP1 is installed. 2. Symantec AntiVirus is installed and is configured to disable Windows Firewall default). 3. XP SP2 is installed. In this case, the Windows Security Center correctly displays Windows Firewall as disabled after a one minute wait. -------------------------------------------------- 16-bit files used by Symantec AntiVirus components -------------------------------------------------- The following 16-bit files are included with Symantec AntiVirus as part of the virus definitions files that are distributed with each installation and definitions update. Although the current version of Symantec AntiVirus is not supported on 16-bit operating systems, these 16-bit virus definitions files are provided for backwards compatibility with legacy versions of Symantec AntiVirus that might still be in use. Files that are associated with NetWare protection are stored on the computer on which the Symantec System Center is installed. These files are pushed to NetWare servers that might support 16-bit NetWare clients. These 16-bit files are only executed on the target computers that receive these files; the files are not executed on the managing computer. Installations and updates on supported Windows platforms might include: Directories: C:\Program Files\Common Files\Symantec Shared\VirusDefs\BinHub\ C:\Program Files\Symantec\Quarantine\Server\Signatures\\ Files: ECBOOTIL.VXD NAVENG.VXD NAVEX15.VXD Files used for legacy client check-in through Windows NT domain login scripts are stored on the computers on which Symantec AntiVirus Server is installed. These 16-bit files are executed on clients checking in to the Symantec AntiVirus Server; the files are not executed on the Server machine. Directory on the Symantec AntiVirus Server: C:\Program Files\Symantec Client Security\Symantec AntiVirus\Logon Files: NBPSHPOP.EXE OSVER.EXE 16-bit files that are pushed from the Symantec System Center to supported NetWare platforms might include: Directory on the managing computer: C:\Program Files\Symantec\Symantec System Center\Deployment\Server Rollout\ SERVER\NETWARE\LOGIN\ Files: CTL3D.DLL DY_LOH.DLL I2_LDVP.DLL LDRTSC16.386 MSCOMSTF.DLL MSDETSTF.DLL MSINSSTF.DLL MSSHLSTF.DLL MSUILSTF.DLL NAVAPI16.DLL SETUP.EXE VPCCC16.EXE VPDNUI.EXE VPDN_FTP.EXE VPDOWN.EXE VPREMOVE.EXE WPUSHPOP.EXE -------------------- About security risks -------------------- When possible, installers for security risks are detected and removed prior to them loading adware and spyware programs on a system. This is an effective approach when the installer application is solely used for delivery of security risks to a host machine. Nonetheless, more general purpose installers may very well be used in conjunction with spyware or adware and cannot be blocked given the broad range of application types they serve. When it is not possible to block the security risk installer, the spyware or adware application is allowed to load into the system for several reasons. Firstly, interruption of a partially installed spyware program may put the host in an unstable state, leaving the user with error messages or residual files and folders left on the machine. If the installation is completed prior to removal, all aspects of the security risk can be analyzed and properly removed such that the host is left in a safe, predictable state. Secondly, spyware and adware programs behave in a fashion that can be very similar to a normal application as opposed to the more obvious, unusual behavior that malware typically exhibits. Thus, in order to ensure accurate detection, the program is allowed to load before it is fully identified and subsequently removed or quarantined. Lastly, security risks are potentially desirable programs and how acceptable they are is determined by the preferences of the user or administrator. Given this, ensuring such applications are not automatically blocked is essential. Despite the fact that a security risk program may be momentarily loaded on a system, little can be accomplished by such a program given the additional security measures in place on a properly protected host. For example, customers using SCS/NIS benefit from the protection of robust firewalls that will block any attempts for the application to phone home or otherwise transmit data without the user's consent. Thus, in the brief time between the security risk being loaded and before its removal, the risk of any unauthorized action being taken is extremely small. We believe this approach to similar to that of our major competitors and have not seen evidence yet of an approach that is effective at achieving accurate detection and removal without full analysis of a security risk program such as adware or spyware. ------------- About cookies ------------- Cookies are a widely used technology for maintaining information during and across Web site sessions. There are a few major forms of cookies, each with a separate intent and usage. The first major difference among cookies is whether or not they remain on your system after you visit a Web site. If they remain (as part of a small text file), they are called "persistent" cookies which can be used by the Web site to help tailor your experience the next time you visit based on your previous actions. If they do not, they are called "session" or temporary cookies and are deleted after you close your browser. The second major distinction among cookies is that of first party versus third party cookies. First party cookies are presented by the Web site you are visiting and are only used by that Web site. Third party or tracking cookies are presented and used by one or many Web site to track basic online behavior within and across Web sites, typically for online marketing purposes. While there is a general acceptance of most types of cookies, third party cookies have been considered objectionable by some since they have the potential to disclose information such as Web browsing behavior or more personal data to marketers. While there have been privacy concerns since the introduction of cookies in 1996, early concerns were eventually alleviated as understanding of the technology grew and Web browsers gave users the ability to clearly state their preference for handling cookies. Specifically, popular Web browsers today such as Internet Explorer allow users to set their privacy preferences, including detailed handling of third party cookies, and the default settings prevent practices such as personally identifiable information being tracked without a user's explicit consent. Alongside the ready availability of features to control use of the third party cookies, forthcoming legislation has made that cookies will not be included within the scope of regulated software or features. The leading Federal bill, the SPY ACT or H.R. 29, was recently amended to exclude third party cookies from the scope of regulation so as to not unfairly restrict online commerce. Given the ease at which customers can control cookies within today's Web browsers as well as the widespread nature of more serious security risks such as spyware, Symantec does not detect the presence of cookies on a system today in order to better focus customers on the most pressing security issues. ---------------------------- Security risk best practices ---------------------------- - If a customer does not take an aggressive stance against Spyware or Adware removal Symantec recommends that Real-Time scanning be turned off for that category. - Removing spyware/adware may require a process to be terminated (for instance a Web browser), in some cases the system must be rebooted to completely clean it. - Administrator can allow end-user to choose when to terminate/reboot. - If end-user delays this action, real-time protection will continue to find the security risk. - This acts as an aggressive reminder. ------------------------------------------------------ Notice - Central Quarantine performance considerations ------------------------------------------------------ The configurable limit on the number of samples allowed in Central Quarantine has been increased in release 9.0.4 and 2.0.4 from 2500 to 5000 samples; however, there are performance aspects to consider. First, the workload on the Central Quarantine server increases dramatically as the number of samples is increased. Under a heavy load, it can take the Quarantine Console viewer (even on another machine) a long time to load the list. Second, the Central Quarantine server can take a significant amount of processor overhead and all this activity is very disk-intensive on the server. Thus, increasing the limit above 2500 may incur relative performance degradation on the Central Quarantine server. =================================================================================== SYMANTEC SOFTWARE LICENSE AGREEMENT Symantec AntiVirus SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES ("SYMANTEC") IS WILLING TO LICENSE THE SOFTWARE TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS "YOU" OR "YOUR") ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING THE "AGREE" OR "YES" BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, OR LOADING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK THE "I DO NOT AGREE" OR "NO" BUTTON OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE SOFTWARE. 1. License: The software and documentation that accompanies this license (collectively the "Software") is the proprietary property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Software, You will have certain rights to use the Software after Your acceptance of this license. This license governs any releases, revisions, or enhancements to the Software that the Licensor may furnish to You. Except as may be modified by an applicable Symantec license certificate, license coupon, or license key (each a "License Module") that accompanies, precedes, or follows this license, and as may be further defined in the user documentation accompanying the Software, Your rights and obligations with respect to the use of this Software are as follows. You may: A. use the number of copies of the Software as have been licensed to You by Symantec under a License Module. If the Software is part of a suite containing multiple Software titles, the total number of copies You may use, in any combination of Software titles, may not exceed the total number of copies indicated in the License Module. Your License Module shall constitute proof of Your right to make such copies. If no License Module accompanies, precedes, or follows this license, You may make one copy of the Software You are authorized to use on a single computer; B. make one copy of the Software for archival purposes, or copy the Software onto the hard disk of Your computer and retain the original for archival purposes; C. use the Software on a network, provided that You have a licensed copy of the Software for each computer that can access the Software over that network; D. use the Software in accordance with any written agreement between You and Symantec; and E. after written consent from Symantec, transfer the Software on a permanent basis to another person or entity, provided that You retain no copies of the Software and the transferee agrees in writing to the terms of this license. You may not: A. copy the printed documentation that accompanies the Software; B. sublicense, rent, or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software; C. use the Software as part of a facility management, timesharing, service provider, or service bureau arrangement; D. use a previous version or copy of the Software after You have received and installed a disk replacement set or an upgraded version. Upon upgrading the Software, all copies of the prior version must be destroyed; E. use a later version of the Software than is provided herewith unless You have purchased corresponding maintenance and/or upgrade insurance or have otherwise separately acquired the right to use such later version; F. use, if You received the software distributed on media containing multiple Symantec products, any Symantec software on the media for which You have not received permission in a License Module; nor G. use the Software in any manner not authorized by this license. 2. Content Updates: Certain Software utilize content that is updated from time to time (including but not limited to the following Software: antispam software utilize updated antispam rules; antivirus software utilize updated virus definitions; content filtering software utilize updated URL lists; some firewall software utilize updated firewall rules; policy compliance software utilize updated policy compliance updates; and vulnerability assessment products utilize updated vulnerability signatures; these updates are collectively referred to as "Content Updates"). You shall have the right to obtain Content Updates for any period for which You have purchased maintenance, except for those Content Updates that Symantec elects to make available by separate paid subscription, or for any period for which You have otherwise separately acquired the right to obtain Content Updates. Symantec reserves the right to designate specified Content Updates as requiring purchase of a separate subscription at any time and without notice to You; provided, however, that if You purchase maintenance hereunder that includes particular Content Updates on the date of purchase, You will not have to pay an additional fee to continue receiving such Content Updates through the term of such maintenance even if Symantec designates such Content Updates as requiring separate purchase. This License does not otherwise permit the licensee to obtain and use Content Updates. 3. Limited Warranty: Symantec warrants that the media on which the Software is distributed will be free from defects for a period of thirty (30) days from the date of delivery of the Software to You. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money You paid for the Software. Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY. 4. Disclaimer of Damages: SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT, OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO CASE SHALL SYMANTEC'S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether or not You accept the Software. 5. U.S. Government Restricted Rights: RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are "Commercial Items," as that term is defined in 48 C.F.R. section 2.101, consisting of "Commercial Computer Software" and "Commercial Computer Software Documentation," as such terms are defined in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. section 227.7202, as applicable. Consistent with 48 C.F.R. section 12.212, 48 C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 through 227.7202-4, 48 C.F.R. section 52.227-14, and other relevant sections of the Code of Federal Regulations, as applicable, Symantec's computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014, United States of America. 6. Export Regulation: Certain Symantec products are subject to export controls by the U.S. Department of Commerce (DOC), under the Export Administration Regulations (EAR) (see www.bxa.doc.gov). Violation of U.S. law is strictly prohibited. Licensee agrees to comply with the requirements of the EAR and all applicable international, national, state, regional and local laws, and regulations, including any applicable import and use restrictions. Symantec products are currently prohibited for export or re-export to Cuba, North Korea, Iran, Iraq, Libya, Syria and Sudan or to any country subject to applicable trade sanctions. Licensee agrees not to export, or re-export, directly or indirectly, any product to any country outlined in the EAR, nor to any person or entity on the DOC Denied Persons, Entities and Unverified Lists, the U.S. Department of State's Debarred List, or on the U.S. Department of Treasury's lists of Specially Designated Nationals, Specially Designated Narcotics Traffickers, or Specially Designated Terrorists. Furthermore, Licensee agrees not to export, or re-export, Symantec products to any military entity not approved under the EAR, or to any other entity for any military purpose, nor will it sell any Symantec product for use in connection with chemical, biological, or nuclear weapons or missiles capable of delivering such weapons. 7. General: If You are located in North America or Latin America, this Agreement will be governed by the laws of the State of California, United States of America. Otherwise, this Agreement will be governed by the laws of England and Wales. This Agreement and any related License Module is the entire agreement between You and Symantec relating to the Software and: (i) supersedes all prior or contemporaneous oral or written communications, proposals, and representations with respect to its subject matter; and (ii) prevails over any conflicting or additional terms of any quote, order, acknowledgment, or similar communications between the parties. This Agreement shall terminate upon Your breach of any term contained herein and You shall cease use of and destroy all copies of the Software. The disclaimers of warranties and damages and limitations on liability shall survive termination. Software and documentation is delivered Ex Works California, U.S.A. or Dublin, Ireland respectively (ICC INCOTERMS 2000). This Agreement may only be modified by a License Module that accompanies this license or by a written document that has been signed by both You and Symantec. Should You have any questions concerning this Agreement, or if You desire to contact Symantec for any reason, please write to: (i) Symantec Customer Service, 555 International Way, Springfield, OR 97477, U.S.A., (ii) Symantec Customer Service Center, PO BOX 5689, Dublin 15, Ireland, or (iii) Symantec Customer Service, 1 Julius Ave, North Ryde, NSW 2113, Australia. 8. Additional Uses and Restrictions: A. If the Software You have licensed is a specified Symantec AntiVirus for a corresponding third party product or platform, You may only use that specified Software with the corresponding product or platform. You may not allow any computer to access the Software other than a computer using the specified product or platform. In the event that You wish to use the Software with a certain product or platform for which there is no specified Software, You may use Symantec AntiVirus Scan Engine. B. If the Software you have licensed is Symantec AntiVirus utilizing Web Server optional licensing as set forth in the License Module, the following additional use(s) and restriction(s) apply: i) You may use the Software only with files that are received from third parties through a web server; ii) You may use the Software only with files received from less than 10,000 unique third parties per month; and iii) You may not charge or assess a fee for use of the Software for Your internal business. C. If the Software You have licensed is Symantec Client Security, this Software utilizes the Standard Template Library, a C++ library of container classes, algorithms, and iterators. Copyright (c) 1996-1999. Silicon Graphics Computer Systems, Inc. Copyright (c) 1994. Hewlett-Packard Company. ==================================================================================== Sun Microsystems, Inc. Binary Code License Agreement READ THE TERMS OF THIS AGREEMENT AND ANY PROVIDED SUPPLEMENTAL LICENSE TERMS (COLLECTIVELY "AGREEMENT") CAREFULLY BEFORE OPENING THE SOFTWARE MEDIA PACKAGE. BY OPENING THE SOFTWARE MEDIA PACKAGE, YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU ARE ACCESSING THE SOFTWARE ELECTRONICALLY, INDICATE YOUR ACCEPTANCE OF THESE TERMS BY SELECTING THE "ACCEPT" BUTTON AT THE END OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL THESE TERMS, PROMPTLY RETURN THE UNUSED SOFTWARE TO YOUR PLACE OF PURCHASE FOR A REFUND OR, IF THE SOFTWARE IS ACCESSED ELECTRONICALLY, SELECT THE "DECLINE" BUTTON AT THE END OF THIS AGREEMENT. 1. LICENSE TO USE. Sun grants you a non-exclusive and non-transferable license for the internal use only of the accompanying software and documentation and any error corrections provided by Sun (collectively "Software"), by the number of users and the class of computer hardware for which the corresponding fee has been paid. 2. RESTRICTIONS. Software is confidential and copyrighted. Title to Software and all associated intellectual property rights is retained by Sun and/or its licensors. Except as specifically authorized in any Supplemental License Terms, you may not make copies of Software, other than a single copy of Software for archival purposes. Unless enforcement is prohibited by applicable law, you may not modify, decompile, or reverse engineer Software. Licensee acknowledges that Licensed Software is not designed or intended for use in the design, construction, operation or maintenance of any nuclear facility. Sun Microsystems, Inc. disclaims any express or implied warranty of fitness for such uses. No right, title or interest in or to any trademark, service mark, logo or trade name of Sun or its licensors is granted under this Agreement. 3. LIMITED WARRANTY. Sun warrants to you that for a period of ninety (90) days from the date of purchase, as evidenced by a copy of the receipt, the media on which Software is furnished (if any) will be free of defects in materials and workmanship under normal use. Except for the foregoing, Software is provided "AS IS". Your exclusive remedy and Sun's entire liability under this limited warranty will be at Sun's option to replace Software media or refund the fee paid for Software. 4. DISCLAIMER OF WARRANTY. UNLESS SPECIFIED IN THIS AGREEMENT, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT THESE DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. 5. LIMITATION OF LIABILITY. LIMITATION OF LIABILITY. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF OR RELATED TO THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event will Sun's liability to you, whether in contract, tort (including negligence), or otherwise, exceed the amount paid by you for Software under this Agreement. The foregoing limitations will apply even if the above stated warranty fails of its essential purpose. 6. Termination. This Agreement is effective until terminated. You may terminate this Agreement at any time by destroying all copies of Software. This Agreement will terminate immediately without notice from Sun if you fail to comply with any provision of this Agreement. Upon Termination, you must destroy all copies of Software. 7. Export Regulations. All Software and technical data delivered under this Agreement are subject to US export control laws and may be subject to export or import regulations in other countries. You agree to comply strictly with all such laws and regulations and acknowledge that you have the responsibility to obtain such licenses to export, re-export, or import as may be required after delivery to you. 8. U.S. Government Restricted Rights. If Software is being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), then the Government's rights in Software and accompanying documentation will be only as set forth in this Agreement; this is in accordance with 48 CFR 227.7201 through 227.7202-4 (for Department of Defense (DOD) acquisitions) and with 48 CFR 2.101 and 12.212 (for non-DOD acquisitions). 9. Governing Law. Any action related to this Agreement will be governed by California law and controlling U.S. federal law. No choice of law rules of any jurisdiction will apply. 10. Severability. If any provision of this Agreement is held to be unenforceable, this Agreement will remain in effect with the provision omitted, unless omission would frustrate the intent of the parties, in which case this Agreement will immediately terminate. 11. Integration. This Agreement is the entire agreement between you and Sun relating to its subject matter. It supersedes all prior or contemporaneous oral or written communications, proposals, representations and warranties and prevails over any conflicting or additional terms of any quote, order, acknowledgment, or other communication between the parties relating to its subject matter during the term of this Agreement. No modification of this Agreement will be binding, unless in writing and signed by an authorized representative of each party. ==================================================================================== JAVA(TM) 2 RUNTIME ENVIRONMENT (J2RE), STANDARD EDITION, VERSION 1.4.2_X SUPPLEMENTAL LICENSE TERMS These supplemental license terms ("Supplemental Terms") add to or modify the terms of the Binary Code License Agreement (collectively, the "Agreement"). Capitalized terms not defined in these Supplemental Terms shall have the same meanings ascribed to them in the Binary Code License Agreement. These Supplemental Terms shall supersede any inconsistent or conflicting terms in the Binary Code License Agreement, or in any license contained within the Software. 1. Software Internal Use and Development License Grant. Subject to the terms and conditions of this Agreement, including, but not limited to Section 4 (Java Technology Restrictions) of these Supplemental Terms, Sun grants you a non-exclusive, non-transferable, limited license without fees to reproduce internally and use internally the binary form of the Software complete and unmodified for the sole purpose of designing, developing, testing, and running your Java applets and applications intended to run on Java-enabled general purpose desktop computers and servers ("Programs"). 2. License to Distribute Software. Subject to the terms and conditions of this Agreement, including, but not limited to Section 4 (Java Technology Restrictions) of these Supplemental Terms, Sun grants you a non-exclusive, non-transferable, limited license to reproduce and distribute the Software, provided that (i) you distribute the Software complete and unmodified (unless otherwise specified in the applicable README file) and only bundled as part of, and for the sole purpose of running, your Programs, (ii) the Programs add significant and primary functionality to the Software, (iii) you do not distribute additional software intended to replace any component(s) of the Software (unless otherwise specified in the applicable README file), (iv) you do not remove or alter any proprietary legends or notices contained in the Software, (v) you only distribute the Software subject to a license agreement that protects Sun's interests consistent with the terms contained in this Agreement, and (vi) you agree to defend and indemnify Sun and its licensors from and against any damages, costs, liabilities, settlement amounts and/or expenses (including attorneys' fees) incurred in connection with any claim, lawsuit or action by any third party that arises or results from the use or distribution of any and all Programs and/or Software. (vi) include the following statement as part of product documentation (whether hard copy or electronic), as a part of a copyright page or proprietary rights notice page, in an "About" box or in any other form reasonably designed to make the statement visible to users of the Software: "This product includes code licensed from RSA Security, Inc.", and (vii) include the statement, "Some portions licensed from IBM are available at http://oss.software.ibm.com/ icu4j/". 3. License to Distribute Redistributables. Subject to the terms and conditions of this Agreement, including but not limited to Section 4 (Java Technology Restrictions) of these Supplemental Terms, Sun grants you a non-exclusive, non-transferable, limited license to reproduce and distribute those files specifically identified as redistributable in the Software "README" file ("Redistributables") provided that: (i) you distribute the Redistributables complete and unmodified (unless otherwise specified in the applicable README file), and only bundled as part of Programs, (ii) you do not distribute additional software intended to supersede any component(s) of the Redistributables (unless otherwise specified in the applicable README file), (iii) you do not remove or alter any proprietary legends or notices contained in or on the Redistributables, (iv) you only distribute the Redistributables pursuant to a license agreement that protects Sun's interests consistent with the terms contained in the Agreement, (v) you agree to defend and indemnify Sun and its licensors from and against any damages, costs, liabilities, settlement amounts and/or expenses (including attorneys' fees) incurred in connection with any claim, lawsuit or action by any third party that arises or results from the use or distribution of any and all Programs and/or Software, (vi) include the following statement as part of product documentation (whether hard copy or electronic), as a part of a copyright page or proprietary rights notice page, in an "About" box or in any other form reasonably designed to make the statement visible to users of the Software: "This product includes code licensed from RSA Security, Inc.", and (vii) include the statement, "Some portions licensed from IBM are available at http://oss.software.ibm.com/icu4j/". 4. Java Technology Restrictions. You may not modify the Java Platform Interface ("JPI", identified as classes contained within the "java" package or any subpackages of the "java" package), by creating additional classes within the JPI or otherwise causing the addition to or modification of the classes in the JPI. In the event that you create an additional class and associated API(s) which (i) extends the functionality of the Java platform, and (ii) is exposed to third party software developers for the purpose of developing additional software which invokes such additional API, you must promptly publish broadly an accurate specification for such API for free use by all developers. You may not create, or authorize your licensees to create, additional classes, interfaces, or subpackages that are in any way identified as "java", "javax", "sun" or similar convention as specified by Sun in any naming convention designation. 5. Notice of Automatic Software Updates from Sun. You acknowledge that the Software may automatically download, install, and execute applets, applications, software extensions, and updated versions of the Software from Sun ("Software Updates"), which may require you to accept updated terms and conditions for installation. If additional terms and conditions are not presented on installation, the Software Updates will be considered part of the Software and subject to the terms and conditions of the Agreement. 6. Notice of Automatic Downloads. You acknowledge that, by your use of the Software and/or by requesting services that require use of the Software, the Software may automatically download, install, and execute software applications from sources other than Sun ("Other Software"). Sun makes no representations of a relationship of any kind to licensors of Other Software. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF OR RELATED TO THE USE OF OR INABILITY TO USE OTHER SOFTWARE, EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 7. Trademarks and Logos. You acknowledge and agree as between you and Sun that Sun owns the SUN, SOLARIS, JAVA, JINI, FORTE, and iPLANET trademarks and all SUN, SOLARIS, JAVA, JINI, FORTE, and iPLANET-related trademarks, service marks, logos and other brand designations ("Sun Marks"), and you agree to comply with the Sun Trademark and Logo Usage Requirements currently located at http://www.sun.com/policies/trademarks. Any use you make of the Sun Marks inures to Sun's benefit. 8. Source Code. Software may contain source code that is provided solely for reference purposes pursuant to the terms of this Agreement. Source code may not be redistributed unless expressly provided for in this Agreement. 9. Termination for Infringement. Either party may terminate this Agreement immediately should any Software become, or in either party's opinion be likely to become, the subject of a claim of infringement of any intellectual property right. For inquiries please contact: Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. (LFI#124423/Form ID#011801) ==================================================================================== END OF FILE ==================================================================================== Knowledge Base X Search Advanced Search Options Other Support Resources * Support Forums Ask an expert. Join collaborative product discussions within our Forum community. * Manage Cases Online Submit and manage your support cases using MySupport. * Contact Technical Support Find the support phone number for your region. Was this article helpful to you? Yes No If any information was unclear, or the information you were seeking was not provided, please let us know. Your feedback will help us improve this service. (Enter comment here) NOTE: Comments entered here will NOT receive support services. If you need Symantec Enterprise product support, please click here. Symantec.com Support Home | Supported Products A to Z