Sharpe Business Solutions - SAVCE Upgrade Tool

SAV Upgrades - Not As Hard As You Might Think

 

This recipe covers upgrading Symantec Corporation's Symantec Antivirus Corporate Edition (SAVCE) to the latest version of that product. SAVCE is the version used primarily in enterprise computing environments. This recipe enables you to upgrade your 7.x, 8.x, 9.x, and downlevel versions of 10.x of the SAVCE client software to the latest version offered by Symantec.

 

Why bother upgrading your existing SAVCE agents? SAV 8.1 went off support in January 2007. SAV 8.0 went off support in 2006. SAV 9.x went off support in March 2009. For unsupported SAV versions, Symantec no longer tests virus definition updates. If a set of virus definitions comes down that breaks your older agents, you are on your own. Anti-rootkit support and better anti-spyware support are only available in the latest versions of 10.x and SEP11. Certain types of malware, like Blackmal, can only be removed by SAV 10.x and higher. Some versions of SAV 10 have a serious security vulnerability (SYM06-010 described at http://www.symantec.com/avcenter/security/Content/2006.05.25.html). In fact, there might be an argument to be made for standardizing your environment on at least version 10.1.8.8000 due to the recently announced SYM07-011, SYM07-012, SYM07-016, SYM07-017, SYM07-018, and SYM07-19 vulnerabilities.

 

Things that you need to know or do before beginning

  • Windows Installer 3.1 is required on each machine to be upgraded.
  • Obtain NoNav and/or CleanWipe from Symantec Enterprise Support. These are the best tools available for removing old versions of SAVCE. (CleanWipe only supports SAVCE 9.x and 10.x. Symantec no longer supports NoNav, but in some cases that is what you have to use if upgrading SAVCE 7.x or 8.x clients. Be careful with CleanWipe and be sure to understand EXACTLY what it does - it removes more than just SAVCE). The normal uninstall of SAV and upgrades from the SAV console are notoriously unreliable. You will need NoNav or CleanWipe to reliably and completely uninstall SAVCE. (NoNav and CleanWipe are only available by calling Symantec Support. They aren't freely downloadable).
  • Unless each machine to be upgraded is completely disconnected from any network connection, it is essential to keep the amount of time that elapses between the removal of the old SAV client and the installation of the new SAV client to an absolute minimum. This is most important in the case of bastion hosts residing in a DMZ. Bastion hosts should probably be removed from the network or air-gapped for this upgrade. Machines residing behind your corporate firewall infrastructure might not have to be. That is a decision for your organization to make. The key take-away with this point is to keep the window of opportunity between the uninstall step and reinstall step as small as possible to minimize the chances for malware to infect machines on their upgrade day.
  • A single reboot is required after the removal of the prior version of SAVCE, so plan your SAV upgrade inside of your normal server or workstation maintenance window.
  • If you are performing this upgrade manually, you will need to obtain whatever SAV uninstall password you have. If you have an uninstall password set and you want to perform an automated upgrade, then either disable it in the SAV console first, or disable the uninstall password in the registry prior to running NoNav. (Sharpe Business Solutions can help you with an automated deployment. More information is available at the bottom of this article).
  • A Symantec Antivirus upgrade is major surgery. Some machines that are already unhealthy might break during this upgrade, so make sure that you have recent and verified backups prior to starting the upgrade process. Also make sure that you test this process on test clients and servers prior to putting any new version of SAVCE in production. Only this testing will reveal if the latest version of SAVCE will work properly in your production environment. You should also consider staging new versions of SAVCE into production slowly. Don't try to upgrade all of your clients or servers without at least doing a small, well-chosen pilot group of machines first.
  • If you use this recipe on a machine with the SAV Console installed, the console will be removed. So, make sure that you have the means to reinstall the SAV console on any machine that requires it after upgrading SAVCE.
  • Only SAVCE is covered by this article, not versions of Norton Antivirus intended for home use.
  • You need to choose a version of SAVCE to upgrade to. As of this writing, SAVCE 10.1.8.8000 is considered stable. The latest releases of SEP11 are also OK to deploy.

The Process

 

1). Make sure each machine to be upgraded is running Windows Installer 3.1. Windows XP and Windows Server 2003 should already be at this version. Windows 2000 machines might not, so be sure to check and upgrade as required.

2). Use NoNav or CleanWipe from Symantec Enterprise Support to completely uninstall your prior version of SAVCE. There is no need to hunt down the uninstall key out of the registry first. NoNav or CleanWipe should take care of completely removing your prior version of SAVCE.

3). You must reboot to complete the uninstall process. IMPORTANT - Unless the machine in question is totally air-gapped or disconnected from any type of network, it is unprotected at this point. It is imperative to limit the amount of time the machine is unprotected. If an administrator is actively driving the upgrade process, then that person should immediately install the upgraded version of SAVCE after the upgrade. This is a good place for some supporting automation.

4). Copy all of the appropriate SAV client installation files pulled from the proper group on your SAV server to your target machine. The correct GRC.DAT and server group PKI certificate file (or client side SEP11 configuration files) should already be in the right spots alongside the other client installation binaries. Run Setup and follow the on-screen prompts to install SAV.

5). You are done! No reboot is required at the end of the installation.
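
The version checks behind steps 1 and 2, as an added example that is not code from this article or from Sharpe Business Solutions: it triages a client inventory using the thresholds stated above (Windows Installer 3.1, CleanWipe for 9.x/10.x, NoNav for 7.x/8.x, target 10.1.8.8000). The inventory rows, host names and function names are constructed for illustration.

```python
# Added example: plan SAVCE upgrades from an inventory of client versions.
TARGET = (10, 1, 8, 8000)      # version the article treats as stable
MSI_REQUIRED = (3, 1, 0, 0)    # Windows Installer 3.1 prerequisite (step 1)

# Constructed sample rows: host, SAV client version, msi.dll file version.
INVENTORY = [
    ("ws-legacy", "8.1.0.825", "2.0.2600.2"),
    ("srv-app", "9.0.3.1000", "3.1.4000.2435"),
    ("ws-old10", "10.0.2.2000", "3.1.4000.1823"),
    ("ws-pilot", "10.1.8.8000", "3.1.4000.2435"),
    ("srv-odd", "6.5", "3.1.4000.2435"),
]

def parse_version(text, width=4):
    """'10.1.8.8000' -> (10, 1, 8, 8000); short versions are zero-padded."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (width - len(nums))

def plan_host(host, sav_version, msi_version):
    """Decide which removal tool applies and whether MSI must be updated first."""
    sav = parse_version(sav_version)
    if sav >= TARGET:
        # Already at or above the target: nothing to remove or reinstall.
        return {"host": host, "tool": None, "update_msi": False}
    if sav[0] in (9, 10):
        tool = "CleanWipe"       # article: CleanWipe only supports 9.x and 10.x
    elif sav[0] in (7, 8):
        tool = "NoNav"           # article: NoNav may be needed for 7.x / 8.x
    else:
        tool = "manual-review"   # outside the versions this recipe covers
    # Update Windows Installer BEFORE removal so it adds no unprotected time.
    return {"host": host, "tool": tool,
            "update_msi": parse_version(msi_version) < MSI_REQUIRED}

def build_plan(inventory):
    return [plan_host(*row) for row in inventory]

if __name__ == "__main__":
    for entry in build_plan(INVENTORY):
        print(entry)
```
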

 

How Can I Upgrade SAVCE Through An Automated Software Deployment?

 

For those organizations with large numbers of clients or servers requiring an upgrade, we at Sharpe Business Solutions can provide a single packaged EXE for you to deploy to automate the upgrade. The upgrade package automates the disabling of the uninstall password on the client side, handles removing the old 7.x, 8.x, 9.x, or downlevel 10.x SAVCE agent, reboots the machine, and then automatically starts the automated installation of the new version of the SAVCE client. Right now, we recommend customers upgrade to SAVCE 10.1.8.8000 - although the very latest releases of SEP11 (starting in early 2009) are getting stable enough for use. (Frankly, the earlier versions of SEP11 weren't production-ready, but you can probably safely go either way - 10.1.8.8000 or latest SEP11 - now). We would provide you with a single executable that you could deploy through tools like Microsoft SMS, Tivoli, ZENworks, Marimba, or PsExec.

 

*** Note that we will need copies of your configuration files (e.g. GRC.DAT, server group certificate files, SEP11 config files) to build the package(s) required for your company. Once you have placed your order, we will be in contact with you to obtain the necessary files and SAVCE version requirements for your organization. Unless you ask for an unusually large number of SAVCE upgrade packages, we can usually provide you with your upgrade package(s) within 5 business days after receiving your GRC.DAT and certificate files.

 

Your SAVCE upgrade package will include:

  • A single EXE that performs the uninstall, reboot, and installation of the new version of SAV.
  • A watchdog monitoring process to handle machines where the SAV graceful uninstall step might hang. If the watchdog sees that your SAV uninstall has hung for more than 30 minutes, then it kicks off a process to forcibly remove the old version of SAV.
  • Immediately after the uninstall step is done, the required reboot is automatically commanded. This is done to keep the amount of time that your machines are alive on the network without antivirus protection to a minimum.
  • After the reboot, the installation of the new version of SAV is automatically started by the package. This is another provision for ensuring that your machine remains unprotected by SAV for the least amount of time possible during the upgrade.
  • The GRC.DAT and certificate files that you provided us are used to automatically configure the SAV agent per your specifications as part of the install step. No final reboot is required.
  • The automated package can be run under the LocalSystem context, so it can be pushed out outside of business hours to your clients and servers using software deployment tools like Microsoft SMS, IBM Tivoli, Marimba, ZENworks, or even PsExec. The user doesn't have to be logged on for the upgrade to work!
  • SAV versions 7.6 and above on Windows 2000 Pro/Server, Windows Server 2003, and Windows XP are supported. We do not support Windows NT.
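
The watchdog behaviour described in the list above (graceful uninstall, forced removal after a 30-minute hang), sketched as an added example; this is not Sharpe Business Solutions' code. The command lines are constructed stand-ins, since the real NoNav and CleanWipe invocations are not given on this page, and the function names are hypothetical.

```python
import subprocess
import sys
import time

HANG_LIMIT_S = 30 * 60  # the 30-minute threshold from the list above

def remove_with_watchdog(graceful_cmd, forced_cmd, hang_limit_s=HANG_LIMIT_S):
    """Run the graceful uninstall; if it is still running after hang_limit_s,
    kill it and run the forced-removal command instead.
    Returns (path_taken, seconds_elapsed)."""
    started = time.monotonic()
    proc = subprocess.Popen(graceful_cmd)
    try:
        rc = proc.wait(timeout=hang_limit_s)
        # A non-zero exit is reported, not retried; the caller decides.
        path = "graceful" if rc == 0 else "graceful-nonzero"
    except subprocess.TimeoutExpired:
        proc.kill()   # stop the hung uninstaller
        proc.wait()   # reap it so nothing is left running
        subprocess.run(forced_cmd, check=True)  # raises if forced removal fails
        path = "forced"
    return path, time.monotonic() - started

def demo():
    # Constructed stand-ins: a sleeping child plays the hung uninstaller,
    # a no-op child plays both a healthy uninstall and the forced-removal tool.
    hung = [sys.executable, "-c", "import time; time.sleep(30)"]
    quick = [sys.executable, "-c", "pass"]
    healthy = remove_with_watchdog(quick, quick, hang_limit_s=5)[0]
    stuck = remove_with_watchdog(hung, quick, hang_limit_s=1)[0]
    return healthy, stuck

if __name__ == "__main__":
    # The reboot and reinstall would follow immediately after this returns,
    # keeping the unprotected window as short as possible.
    print(demo())
```
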

To be clear, what we are providing is a tool for upgrading legal and properly licensed copies of Symantec Corporation's Symantec Antivirus Corporate Edition (SAVCE) product. Sharpe Business Solutions is in no way affiliated with Symantec Corporation.

 

The price for a single SAVCE upgrade package for your enterprise is US $1000. The price for any additional packages (i.e. you use unique GRC.DATs for each configuration that you require) is US $500 each. If for any reason you are not completely satisfied with the product and follow-on support, we will refund 100% of the purchase price.

 

Please contact us at sales@sharpebusinesssolutions if you have any questions at all about our building an automated SAVCE upgrade deployment package for your organization.

 


 
