Windows Firewall Proves Problematic for Symantec AntiVirus

If you've installed Windows XP Service Pack 2 (SP2) on a machine, you might have noticed that you can't remotely manage the workstation using the Symantec System Center Console. For example, if you try to start a manual scan on an XP SP2 machine, you'll receive an error message stating that the workstation can't be communicated with even though it's turned on and connected to the network. Because the Windows Firewall is turned on by default with SP2, it prevents the Symantec System Center from communicating with the workstation. You can use the Windows Firewall INF file to control the firewall's behavior. You can also use Group Policy to control the Windows Firewall settings. Complete the following steps to let the XP SP2 workstation be managed with the Symantec System Center Console.

1. Install Group Policy Management Console (GPMC). Go to http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en to download and install the utility. GPMC must be installed on a Windows 2003 or XP workstation.

2. Update your ADM templates for XP SP2. You can get the latest ADM templates from http://www.microsoft.com/downloads/details.aspx?FamilyId=92759D4B-7112-4B6C-AD4A-BBF3802A5C9B&displaylang=en. I made a backup of the .adm files in c:\windows\inf, then copied the updated template files to c:\windows\inf. If you made any changes to the existing .adm files, make sure you merge the existing modifications with the updated templates.

3. Download the patch to handle strings longer than 255 characters. You can download this patch at http://support.microsoft.com/default.aspx?kbid=842933. If you don't download this patch, you'll receive the error message “The following entry in the [strings] section is too long and will be truncated” whenever you try to edit a Group Policy Object (GPO).

4. Create a GPO to open ports on Windows Firewall. This setting is located in Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall, Domain Profile. You must define the settings for Windows Firewall: Define port exceptions and Windows Firewall: Allow local port exceptions. If you just want to allow remote management through the Symantec AntiVirus (SAV) Corporate Edition 9.x and 8.x console, open UDP port 2967. For additional port information used in SAV Corporate, refer to http://service1.symantec.com/SUPPORT/ent-security.nsf/529c2f9adcf33a1088256e22005026f1/826b484479226da688256c38008276b4?OpenDocument&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=9.0&src=ent&pcode=sav_ce&dtype=corp&svy=&prev=&miniver=savce_9.0. I suggest only allowing the IP address of your SAV servers in the port exception rule.

Double-click Windows Firewall: Define port exceptions, click Show, click Add, and enter the exception string. The syntax for this string is port:protocol:scope:status:name. Assuming that your SAV server has an IP address of 192.168.1.1, the entry string for the port exception should be 2967:UDP:192.168.1.1:enabled:SAVMgmtPort. You can specify multiple IP addresses in the scope field by separating your entries with a comma. You can specify entire subnets by using a slash (/) and the number of bits in the subnet mask. For example, if you want to allow any computer on the 192.168.1.0 subnet, the entry would be 2967:UDP:192.168.1.0/24:enabled:SAVMgmtPort. After you enter the correct string, click Next and make sure to allow port exceptions on Windows Firewall. Because I want all users on the network to get this GPO, I linked the GPO at the domain level and assigned it to the Authenticated Users group.

5. Run GPUpdate and GPResult. Run GPUpdate to refresh the Group Policy and GPResult to view the results of the new Group Policy.

6. Verify the workstation firewall settings. Click Start, Settings, Control Panel, Network Connections, Change Windows Firewall settings. Click the Exceptions tab. You should see a grayed-out entry that contains the Windows Firewall port exceptions you entered in step 4. If the machine didn’t receive the port exceptions, run GPUpdate and GPResult to see why this workstation didn't receive the settings.

7. Manage the workstations. Open the Symantec System Center Console and verify that you can run a manual scan on the workstation.

By using Group Policy, you can remotely manage Windows Firewall settings. This makes it easier to deal with problems that might arise after installing SP2. As with any major upgrade, thoroughly test SP2 before implementing it in production. Make sure that all the programs running on your computer are SP2-compliant before installing the service pack.
The steps outlined here can be applied to any port exception for Windows Firewall.
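The port exception string entered in step 4 is free text, and a mistyped address or a missing field silently produces a rule that opens the wrong scope or nothing at all. The following Python script is an added example, not code from the article or from Microsoft or Symantec; it builds and sanity-checks "port:protocol:scope:status:name" entries before they are pasted into the Windows Firewall: Define port exceptions setting. The function names (check_port_exception, build_port_exception, parse_scope) are mine, the sample entries are constructed, and the acceptance of the scope keywords "*" and "localsubnet" is my reading of the policy help text rather than something the article states.

```python
import ipaddress

# Added example, not from the article: build and sanity-check the
# "port:protocol:scope:status:name" strings that go into the
# "Windows Firewall: Define port exceptions" Group Policy setting.

PROTOCOLS = {"TCP", "UDP"}
STATUSES = {"enabled", "disabled"}
# Scope keywords, as I understand the XP SP2 policy help text (assumption):
# "*" allows any source address, "localsubnet" only the local subnet.
SCOPE_KEYWORDS = {"*", "localsubnet"}


def parse_scope(scope):
    """Normalise the scope field or raise ValueError.

    A scope is a keyword or a comma-separated list of IPv4 addresses and
    CIDR subnets, e.g. "192.168.1.1,10.0.0.0/8".
    """
    if scope.strip().lower() in SCOPE_KEYWORDS:
        return [scope.strip().lower()]
    entries = []
    for item in scope.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in scope list")
        if "/" in item:
            # strict=True rejects a host address with a prefix (192.168.1.1/24),
            # which is almost always a mistake in a firewall scope.
            entries.append(str(ipaddress.IPv4Network(item, strict=True)))
        else:
            entries.append(str(ipaddress.IPv4Address(item)))
    return entries


def check_port_exception(entry):
    """Validate one policy string.

    Returns (True, fields) where fields is a dict of the parsed values, or
    (False, reason) describing the first problem found.
    """
    parts = entry.split(":")
    if len(parts) != 5:
        return False, f"expected 5 colon-separated fields, got {len(parts)}"
    port, protocol, scope, status, name = parts
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        return False, f"port must be 1-65535, got {port!r}"
    if protocol.upper() not in PROTOCOLS:
        return False, f"protocol must be TCP or UDP, got {protocol!r}"
    try:
        scope_entries = parse_scope(scope)
    except ValueError as exc:
        return False, f"bad scope {scope!r}: {exc}"
    if status.lower() not in STATUSES:
        return False, f"status must be enabled or disabled, got {status!r}"
    if not name.strip():
        return False, "name must not be empty"
    return True, {
        "port": int(port),
        "protocol": protocol.upper(),
        "scope": scope_entries,
        "status": status.lower(),
        "name": name,
    }


def build_port_exception(port, protocol, scope, name, enabled=True):
    """Compose a policy string from its parts and refuse to emit a bad one."""
    status = "enabled" if enabled else "disabled"
    entry = f"{port}:{protocol}:{scope}:{status}:{name}"
    ok, detail = check_port_exception(entry)
    if not ok:
        raise ValueError(detail)
    return entry


if __name__ == "__main__":
    # Constructed sample entries: the two from the walkthrough, one locked to
    # a list of SAV servers, and two malformed ones a typo could produce.
    samples = [
        "2967:UDP:192.168.1.1:enabled:SAVMgmtPort",
        "2967:UDP:192.168.1.0/24:enabled:SAVMgmtPort",
        "2967:UDP:192.168.1.1,192.168.1.2:enabled:SAVMgmtPort",
        "2967:UDP:1921.68.1.0/24:enabled:SAVMgmtPort",   # transposed digits
        "2967:UDP:192.168.1.1:enabled",                  # name field missing
    ]
    for sample in samples:
        ok, detail = check_port_exception(sample)
        print("OK  " if ok else "BAD ", sample, "" if ok else f"-> {detail}")
    print(build_port_exception(2967, "UDP", "192.168.1.1", "SAVMgmtPort"))
```

Run the script once over the entries you intend to put in the GPO; anything reported as BAD would either be rejected by the policy editor or, worse, accepted with a scope you did not intend. The strict subnet check is deliberate: a host address with a prefix length usually means the author confused "this server" with "this server's subnet", which is exactly the over-broad exception the article's advice about limiting scope to the SAV servers is meant to avoid.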

Tip: Computer Bag

I just picked up a new computer bag. It’s made by Swiss Army and has allowed me to consolidate my briefcase and computer bag into one unit. It’s expandable, has wheels, an integrated handle and seems to have a compartment for everything. You can check it out at http://www.swissarmytravelgear.com/webstore/moreinfo.cfm?product_id=3649&category=54. You can probably get a significant discount off the retail price. I paid around $300 for mine at H. Savinar in Los Angeles (http://www.moredeals.com/ads/savinar.htm). If you travel a lot and need to lug around a lot of computer gear, it's a great bag to have.