SAV Upgrades - Not As Hard As You Might Think
This recipe covers upgrading Symantec Corporation's Symantec Antivirus Corporate Edition (SAVCE) to the latest version of that product. SAVCE is the version used primarily in enterprise computing environments. This recipe enables you to upgrade your 7.x, 8.x, 9.x, and downlevel versions of 10.x of the SAVCE client software to the latest version offered by Symantec.
Why bother upgrading your existing SAVCE agents? SAV 8.1 went off support in January 2007. SAV 8.0 went off support in 2006. SAV 9.x went off support in March 2009, and SAV 10.x goes off support in April 2012. For unsupported SAV versions, Symantec no longer tests virus definition updates. If a set of virus definitions comes down that breaks your older agents, you are on your own. Anti-rootkit support and better anti-spyware support are only available in the latest versions of 10.x and SEP11. Certain types of newer or more sophisticated malware can only be removed by SAV 10.x and higher. Some versions of SAV 10 have a serious security vulnerability (e.g. SYM06-010 described at http://www.symantec.com/avcenter/security/Content/2006.05.25.html). You should be running the latest Maintenance Release of SEP11 (MR6 as of this writing). If you must still run SAV 10.x for some reason, then to ensure that you have all known vulnerabilities addressed, that should be no version less than 10.1.9.9000.
Things that you need to know or do before beginning
- Windows Installer 3.1 is required on each machine to be upgraded.
- Obtain NoNav and/or CleanWipe from Symantec Enterprise Support. These are the best tools available for removing old versions of SAVCE. (CleanWipe only supports SAVCE 9.x and 10.x. Symantec no longer supports NoNav, but in some cases that is what you have to use if upgrading SAVCE 7.x or 8.x clients. Be careful with CleanWipe and be sure to understand EXACTLY what it does - it removes more than just SAVCE). The normal uninstall of SAV and upgrades from the SAV console are notoriously unreliable. You will need NoNav or CleanWipe to reliably and completely uninstall SAVCE. (NoNav and CleanWipe are only available by calling Symantec Support. They aren't freely downloadable).
- Unless each machine to be upgraded is completely disconnected from any network connection, it is essential to keep the amount of time that elapses between the removal of the old SAV client and the installation of the new SEP/SAV client to an absolute minimum. This is most important in the case of bastion hosts residing in a DMZ. Bastion hosts should probably be removed from the network or air-gapped for this upgrade. Machines residing behind your corporate firewall infrastructure might not have to be. That is a decision for your organization to make. The key take-away with this point is to keep the window of opportunity between the uninstall step and reinstall step as small as possible to minimize the chances for malware to infect machines on their upgrade day.
- A single reboot is required after the removal of the prior version of SAVCE, so plan your SEP/SAV upgrade inside of your normal server or workstation maintenance window.
- If you are performing this upgrade manually, you will need to obtain whatever SAV uninstall password you have. If you have an uninstall password set and you want to perform an automated upgrade, then it needs to be either disabled in the SAV console or disabled in the registry prior to running NoNav. (Sharpe Business Solutions can help you with an automated deployment. More information is available at the bottom of this article).
- A Symantec Antivirus upgrade is major surgery. Some machines that are already unhealthy might break during this upgrade, so make sure that you have recent and verified backups prior to starting the upgrade process. Also make sure that you test this process on test clients and servers prior to putting any new version of SAVCE in production. Only this testing will reveal if the latest version of SAVCE will work properly in your production environment. You should also consider staging new versions of SAVCE into production slowly. Don't try to upgrade all of your clients or servers without at least doing a small, well-chosen pilot group of machines first.
- If you use this recipe on a machine with the SAV Console installed, the console will be removed. So, make sure that you have the means to reinstall the SAV console on any machine that requires it after upgrading SAVCE.
- Only SAVCE is covered by this article, not versions of Norton Antivirus intended for home use.
- You need to choose a version of SEP/SAVCE to upgrade to. As of this writing, SEP11 MR6 and SAVCE 10.1.9.9000 are considered stable and contain all known security vulnerability fixes.
1). Make sure each machine to be upgraded is running Windows Installer 3.1. Windows XP and above and Windows Server 2003 and above should already be at this version. Windows 2000 machines might not, so be sure to check and upgrade as required.
2). Use NoNav or CleanWipe from Symantec Enterprise Support to completely uninstall your prior version of SAVCE. There is no need to hunt down the uninstall key out of the registry first. NoNav or CleanWipe should take care of completely removing your prior version of SAVCE.
3). You must reboot to complete the uninstall process. IMPORTANT - Unless the machine in question is totally air-gapped or disconnected from any type of network, it is unprotected at this point. It is imperative to limit the amount of time the machine is unprotected. If an administrator is actively driving the upgrade process, then that person should immediately install the upgraded version of SAVCE after the upgrade. This is a good place for some supporting automation.
4). Copy all of the appropriate SEP or SAV client installation files pulled from the proper group on your SEP/SAV server to your target machine. For SAV 10.x, the correct GRC.DAT and server group PKI certificate file (or client side SEP11 configuration files) should already be in the right spots alongside the other client installation binaries. For SEP, the right sylink.xml will be included with the client installation package you create from the SEP console. Run Setup and follow the on-screen prompts to install SAV.
5). You are done! No reboot is required at the end of the installation.
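The pre-upgrade checks from the steps above can be applied to a whole inventory export before the maintenance window. This is an added example, not part of the original article and not code from Symantec or Sharpe Business Solutions; the CSV column names, host names and build numbers are constructed for illustration. It compares versions field by field as numbers, because a plain string comparison would rank a build such as 10.1.10.0 below 10.1.9.9000.

```python
import csv
import io

FLOOR_10X = (10, 1, 9, 9000)   # lowest SAV 10.x build the article accepts
MSI_REQUIRED = (3, 1)          # Windows Installer version the article requires

# Constructed sample inventory; column names and all values are illustrative.
SAMPLE_INVENTORY = """host,sav_version,msi_version,zone
web-dmz-01,10.1.4.4000,3.1.4000.1823,dmz
file-01,9.0.3.1000,3.1.4000.1823,internal
legacy-w2k,8.1.0.825,2.0.2600.0,internal
app-02,10.1.9.9000,3.1.4000.1823,internal
app-03,10.1.10.0,3.1.4000.1823,internal
"""


def parse_version(text):
    """'10.1.9.9000' -> (10, 1, 9, 9000), so fields compare as numbers."""
    return tuple(int(part) for part in text.strip().split("."))


def plan_host(row):
    """Return the ordered pre-upgrade actions for one inventory row."""
    sav = parse_version(row["sav_version"])
    if sav[0] == 10 and sav >= FLOOR_10X:
        return ["meets the SAV 10.x floor; no removal needed"]
    actions = []
    if parse_version(row["msi_version"])[:2] < MSI_REQUIRED:
        actions.append("upgrade Windows Installer to 3.1")
    if row["zone"] == "dmz":
        actions.append("isolate from the network before uninstall")
    if sav[0] in (7, 8):
        actions.append("remove with NoNav")
    elif sav[0] in (9, 10):
        actions.append("remove with CleanWipe")
    else:
        actions.append("unrecognized version; review by hand")
    actions.append("reboot, then install the new client immediately")
    return actions


def plan_fleet(inventory_csv):
    """Map each host name to its action list."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: plan_host(row) for row in rows}


if __name__ == "__main__":
    for host, actions in plan_fleet(SAMPLE_INVENTORY).items():
        print(host, "->", "; ".join(actions))
```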
How Can I Upgrade SAVCE Through An Automated Software Deployment?
For those organizations with large numbers of clients or servers requiring an upgrade, we at Sharpe Business Solutions can provide a single packaged EXE for you to deploy to automate the upgrade. The upgrade package automates the disabling of the uninstall password on the client side, handles removing the old 7.x, 8.x, 9.x, or downlevel 10.x SAVCE agent, reboots the machine, and then automatically starts the automated installation of the new version of the SEP (or SAVCE) client. Right now, we recommend customers upgrade to SEP 11 MR6. We would provide you with a single executable that you could deploy through tools like Microsoft SCCM or SMS, Tivoli, Zenworks, Marimba, or PSexec.
*** Note that we will need copies of your configuration files (e.g. GRC.DAT, server group certificate files, SEP11 config files) to build the package(s) required for your company. Once you have placed your order, we will be in contact with you to obtain the necessary files and SEP/SAVCE version requirements for your organization. Unless you ask for an unusually large number of SEP/SAVCE upgrade packages, we can usually provide you with your upgrade package(s) within 5 business days after receiving your organization specific configuration files.
Your SEP/SAVCE upgrade package will include:
- A single EXE that performs the uninstall, reboot, and installation of the new version of SEP/SAV.
- A watchdog monitoring process to handle machines where the SAV graceful uninstall step might hang. If the watchdog sees that your SAV uninstall has hung for more than 30 minutes, then it kicks off a process to forcibly remove the old version of SAV.
- Immediately after the uninstall step is done, the required reboot is automatically commanded. This is done to keep the amount of time that your machines are alive on the network without antivirus protection to a minimum.
- After the reboot, the installation of the new version of SEP or SAV is automatically started by the package. This is another provision for ensuring that your machine remains unprotected by SAV for the least amount of time possible during the upgrade.
- The sylink.xml, GRC.DAT or certificate files that you provided us are used to automatically configure the SAV agent per your specifications as part of the install step. No final reboot is required.
- The automated package can be run under the LocalSystem context, so it can be pushed out outside of business hours to your clients and servers using software deployment tools like Microsoft SCCM or SMS, IBM Tivoli, Marimba, ZENworks, or even PSexec. The user doesn't have to be logged on for the upgrade to work!
- SAV versions 7.6 and above on Windows 7, Windows Vista, Windows XP, Windows 2000 Pro/Server, Windows Server 2003, and Windows Server 2008 are supported. We do not support Windows NT at this time.
To be clear, what we are providing is a tool for upgrading legal and properly licensed copies of Symantec Corporation's Symantec Antivirus Corporate Edition (SAVCE) and Symantec Endpoint Protection (SEP) products. Sharpe Business Solutions is in no way affiliated with Symantec Corporation.
The price for a single SAVCE upgrade package for your enterprise is US $1000. The price for any additional packages is US $500 each. If for any reason you are not completely satisfied with the product and follow-on support, we will refund 100% of the purchase price.
Please contact us at email@example.com if you have any questions at all about our building an automated SEP/SAVCE upgrade deployment package for your organization.