How to set Hercules to Manually Restore Norton/Symantec Antivirus Services Back to an Active Status
Hercules v2.2.0
Citadel Security Software, Inc.
8750 North Central Expressway
Suite 100
Dallas, Texas 75231
(214) 520-9292
(214) 520-9293 FAX
www.citadel.com
Manually Restoring Norton/Symantec Antivirus Services
©2003 Citadel Security Software, Inc. All rights reserved. This document cannot, in whole or part, be copied,
photographed, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior
written consent from Citadel Security Software, Inc.
Hercules is copyrighted software of Citadel Security Software, Inc.
Hercules is a trademark of Citadel Security Software, Inc.
Windows is a registered trademark of Microsoft, Inc.
All other products are trademarks of their respective holders.
Support
When you purchase a Customer Support Agreement and register your Citadel software product, you are
eligible to receive technical support pursuant to the terms of the contract you purchased. Technical
support is available for registered users from Citadel’s technical support hot line (214) 750-2482, toll-free
(800) 962-0701, e-mail [email protected] or at www.citadel.com.
Business hours for telephone support are from 8:30 a.m. until 5:30 p.m. Monday through Friday, U.S.
Central Standard Time.
Please have the following information available:
• Hercules version number
• The Hercules serial number
• The type of hardware being used
How to set Hercules to Manually Restore Norton/Symantec
Antivirus Services Back to an Active Status
1. You can create a custom remedy from scratch. To do this, open your Hercules Admin console
and expand the Policies section.
2. Click on the policy to which you wish to add the custom remedy. For this document, we will be
using the default policy.
3. Once the policy settings have loaded, right click on the policy folder and choose ‘Add Custom
Vulnerability…’. YES, we are adding a custom vulnerability. Remember, Hercules must have a
vulnerability before it can remediate.
4. A screen will appear asking for the name of the vulnerability, a description and the severity level.
You can input whatever you like. For this document, we are calling our custom vulnerability
‘Norton Antivirus Services’, our description will be ‘Not running’, and our severity level will be set
to Medium.
5. Click the ‘Next’ button when you have finished inputting your info.
6. There will not be a need for any CVE or CAN identifiers for this vulnerability, so click ‘Next’ to
continue.
7. Again, no identifiers for BugTraq are necessary, so click ‘Finish’ to continue.
8. You will be asked if you want to add a custom policy remedy for this newly created vulnerability.
Click ‘Yes’.
9. You should now be at the ‘Add Custom Remedy’ screen. Your new vulnerability should already
be highlighted under the ‘Vulnerabilities’ window. If so, then click ‘Next’ to continue. If not, then
click on it to highlight and click ‘Next’.
10. Our remedy will work for all versions of Windows, but you can create one for any of the versions
listed. We will be choosing ‘All Windows’ for this document. Click ‘Finish’ to continue.
11. You should now be at the Custom Remedy editor.
12. Set the recommendation level to ‘Recommended’.
13. Expand the ‘Action Definitions’ under Available actions.
14. Scroll the list all the way to the bottom.
15. Expand ‘WindowsServiceManagement’.
16. Click on ‘WindowsChangeStartup’ and click the ‘Add’ button.
17. You should now have three properties listed each with a value of %UNKNOWN%.
18. Click on the property ‘ServiceName’ to highlight it.
19. Click in the property value window at the bottom and delete the %UNKNOWN% value.
20. Type in ‘Norton Antivirus Server’ without the quotes.
21. Click on the property ‘StartType’ to highlight it.
22. Click in the property value window and delete the %UNKNOWN% value.
23. Type in ‘2’ without the quotes.
24. Click on the ‘RebootNow’ property and delete the %UNKNOWN% value. We will leave it blank.
25. Click the ‘Apply’ button to save changes to the first setting action.
26. Click ‘WindowsStartService’ and click the ‘Add’ button.
27. You should now have two action properties listed, again with values of %UNKNOWN%.
28. Click the property ‘ServiceName’ and change the value to ‘Norton Antivirus Server’ without the
quotes.
29. Click on the ‘RebootNow’ property and delete the %UNKNOWN% value. We will leave it blank.
30. Click ‘Apply’ to save changes.
31. Click the ‘-’ sign to contract the ‘WindowsServiceManagement’ section.
32. Expand ‘WindowsRegistryManagement’.
33. Click on ‘WindowsRegistrySetDWORD’ and click ‘Add’.
34. You should now have five action properties, each with a value of %UNKNOWN%.
35. Click on property ‘Root’ and set the value to ‘2’ without quotes.
36. Click on property ‘Key’ and set the value to
‘SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan’
without the quotes.
37. Click on property ‘Value’ and set the value to 1.
38. Click on property ‘ValueName’ and set the value to ‘OnOff’ without quotes.
39. Click on the ‘RebootNow’ property and delete the %UNKNOWN% value. We will leave it blank.
40. Click ‘Apply’ to save the changes.
41. Review your settings before continuing.
42. Once you are certain your settings are correct, click the ‘OK’ button.
43. Your new remedy will now be listed in the Policy window.
44. Now you are ready to add this vulnerability/remedy to your machines.
45. Right click on the device name and choose ‘Add Vulnerability to Device…’.
46. Under ‘Name Starts With’ input ‘Norton’ without quotes and click the ‘Search’ button.
47. Your newly created vulnerability should be found in this list. Click on it to highlight and click
‘Finish’.
48. Expand the ‘Import Session’ folder for the device you are currently on.
49. You should have a manually added vulnerability now.
50. Click on the vulnerability on the right-hand side to highlight it and then place a check in the
‘repair’ box to set the remedy to an ‘activated’ status.
51. Repeat steps 46 through 51 until all needed devices contain your manual remedy.
52. Click on the group containing the devices to show which ones are in a ‘waiting’ status and place
checks into each box you wish to remediate.
53. You are now done with your custom remedy.
54. You just need to wait for each global remediation status to change to 100% for each selected
device, then check the remediation session history to see if any failed.
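A read-only check of the three settings this remedy applies (service start type, service running, and the ‘OnOff’ real-time scan value), to run on a remediated device alongside the session history. This is an added PowerShell example, not part of Hercules or of this document. It assumes that Root ‘2’ denotes HKEY_LOCAL_MACHINE and that StartType ‘2’ is the Windows automatic start type; the function name Test-AvRemedyState is hypothetical.

```powershell
# Added verification example; not Hercules code.
# Values below are the ones typed into the remedy in the steps above.
$ServiceName = 'Norton Antivirus Server'   # 'ServiceName' property
# Assumption: Root '2' in the remedy denotes HKEY_LOCAL_MACHINE.
$RtsKey = 'HKLM:\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan'

function Test-AvRemedyState {
    [CmdletBinding()]
    param(
        [string]$Name    = $ServiceName,
        [string]$KeyPath = $RtsKey
    )

    # The document does not say whether the value is the service's short name
    # or its display name, so match either one.
    $svc = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -eq $Name -or $_.DisplayName -eq $Name } |
        Select-Object -First 1

    # A missing key or value is reported as $null (not compliant), not an error.
    $onOff = $null
    $prop = Get-ItemProperty -Path $KeyPath -Name 'OnOff' -ErrorAction SilentlyContinue
    if ($prop) { $onOff = $prop.OnOff }

    $startMode = if ($svc) { $svc.StartMode } else { $null }
    $state     = if ($svc) { $svc.State } else { $null }

    # Compliant only when all three remedy actions have taken effect.
    # Win32_Service reports start type 2 (automatic) as 'Auto'.
    $compliant = [bool]$svc -and
                 $startMode -eq 'Auto' -and
                 $state -eq 'Running' -and
                 $onOff -eq 1

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        ServiceFound = [bool]$svc
        StartMode    = $startMode
        State        = $state
        OnOff        = $onOff
        Compliant    = $compliant
    }
}

Test-AvRemedyState
```

A device that shows 100% in the console but returns Compliant = False here is worth checking in the remediation session history first, since the output shows which of the three actions did not take effect.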