Thursday, November 1, 2007

Symantec System Center Console Problems, fixing a corrupt PKI in Symantec Corporate 10.x, and other Symantec Ramblings…

"Indeed, it has been said that democracy is the worst form of government except all those other forms that have been tried from time to time." -Winston Churchill


Substitute "democracy" and "government" with "Symantec AntiVirus Corporate" and "network-managed antivirus software" and you pretty much sum up my feelings. This post is devoted to a few things I've learned along the way.

Symantec System Center Console (SSC) is inaccurate with RDP

This is one of my favorites. Most engineers I know install SAVCE and SSC on a server. Many engineers also use RDP to administer a server. So far, so good, right?


Wrong. While on a call with a Symantec engineer, he "disclosed" that information displayed in SSC is unreliable, as RDP lacks proper registry key access to display the information accurately. My experience verified it: missing clients, wrong versions, etc. Don't try to RDP into the console - it still won't work. The only solutions are to go to the server or install the client on your workstation. As an outbound consultant who travels from site to site, I'm left with the first.

Repairing a corrupt PKI in Symantec 10

Symantec AntiVirus 10 uses a Public Key Infrastructure (PKI) to facilitate communication between a server and clients. It is not too uncommon for this to get "messed up" (sorry to get overly technical there). Symptoms of a corrupt PKI would be clients that don't show in SSC (after you rule out the RDP bug from above). In this case, Symantec's admission of guilt is evidenced in the creation of the ESUGMakeDrop tool.

ESUGMakeDrop is available from Symantec by contacting support. Unfortunately, it's not available as a public download. (I know you're dying with curiosity, so I'll tell you that ESUG stands for Enterprise Support Utilities Group - now you can pay attention again.) Make sure you obtain the admin guide as it tells you pretty much all you need to know.


ESUGMakeDrop creates a script that manually replaces the Root Certificate and GRC.dat file on the clients, deletes a certificate-related registry key, and cycles some services. It will run against all clients in SSC, but if your clients don't appear in the first place, that will do nothing. I've only run it against a list of IP addresses in a text file. DHCP export and Excel work wonders in this regard.
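
One way to turn a DHCP lease export into that IP list without Excel, as an added example (not from the original post and not Symantec's tooling). It assumes the DHCP console's tab-delimited "Export List" output with a `Client IP Address` column and a one-address-per-line target file; `Get-TargetIpList`, `-Exclude` and `targets.txt` are names made up here, and the sample data is constructed.

```powershell
# Constructed sample: tab-delimited lease export (column names are assumed).
$export = @"
Client IP Address`tName`tLease Expiration`tType
192.168.10.25`tws-025.example.local`t11/9/2007 8:14:02 AM`tDHCP
192.168.10.7`tws-007.example.local`t11/8/2007 4:51:40 PM`tDHCP
192.168.10.25`tws-025.example.local`t11/9/2007 8:14:02 AM`tDHCP
192.168.10.300`tmistyped-row`t`tDHCP
192.168.10.2`tsavce-srv.example.local`tReservation (active)`tDHCP
"@

function Get-TargetIpList {
    param(
        [string[]]$Lines,                      # export lines, header row first
        [string[]]$Exclude = @(),              # hosts to leave alone (hypothetical parameter)
        [string]$Column = 'Client IP Address'  # assumed header name
    )
    $seen = @{}
    $Lines | ConvertFrom-Csv -Delimiter "`t" | ForEach-Object {
        $raw = ([string]$_.$Column).Trim()
        $ip  = $null
        # TryParse also accepts short forms such as "10.1", so require
        # four dotted octets before letting it range-check each octet.
        if ($raw -match '^\d{1,3}(\.\d{1,3}){3}$' -and
            [System.Net.IPAddress]::TryParse($raw, [ref]$ip) -and
            ($Exclude -notcontains $raw) -and
            -not $seen.ContainsKey($raw)) {
            $seen[$raw] = $true   # drop duplicate leases
            $raw
        }
    } | Sort-Object { [version]$_ }   # numeric sort, so .7 comes before .25
}

# Exclude the antivirus server itself, then write one address per line.
$targets = Get-TargetIpList -Lines ($export -split "`r?`n") -Exclude '192.168.10.2'
$targets | Set-Content -Encoding ASCII -Path .\targets.txt
```

Check the ESUGMakeDrop admin guide for the list format it actually expects before feeding it the file.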

I'll leave you with boundless hope for the future: The Symantec engineer told me that version 11 (due in early 2008) represents a more thorough redesign of the product.


AOS

Exchange 2007 - Removing Exchange 2000/2003 Server after migration is complete

In a swing migration from Exchange 2000/2003 to Exchange 2007, one of the required steps for decommissioning the server is to follow this process.

http://technet.microsoft.com/en-us/library/bb288905.aspx

In doing this and other 2000/2003-2003 swing migrations, the Public Folders rarely work properly. In this case, ADSIEDIT should do the trick.

AOS