LiveUpdate™ Administrator's Guide

LiveUpdate™ Administrator’s Guide
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version 3.0

Copyright Notice
Copyright 2005 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.

Trademarks
Symantec, the Symantec logo, and Norton AntiVirus are U.S. registered trademarks of Symantec Corporation. LiveUpdate, LiveUpdate Administration Utility, Symantec AntiVirus, and Symantec Security Response are trademarks of Symantec Corporation. This product includes software developed by the Apache Software Foundation <http://www.apache.org/>. Tomcat, Xerces, and Apache XML-RPC are trademarks of The Apache Software Foundation. Copyright © 1999, 2000 The Apache Software Foundation. All rights reserved. Hypersonic SQL is a trademark of HSQL Development Group. Copyright © 2001-2002, The HSQL Development Group. All rights reserved. This product includes software developed by Ultimate Technology, Inc. (http://www.UltimateTech.com/). Ultimate Technology, Inc. Open Source License, Version 1.1. Copyright © 1999-2003 Ultimate Technology, Inc. All rights reserved. The LogDriver software consists of the following files:
■ Utility.h - contains a number of useful helper data structures ■ Log.h - main CLog Class Definition ■ LogAppender.h - abstract CLogAppender Class Definition ■ ConsoleLogAppender.h - Console log appender class definition ■ FileLogAppender.h - File log appender class definition ■ EventLogAppender.h - Event log appender class definition

■ Utility.cpp - useful helper data structures ■ Log.cpp - main CLog Class Implementation ■ LogAppender.cpp - abstract CLogAppender Class Implementation ■ ConsoleLogAppender.cpp - Console log appender class implementation ■ FileLogAppender.cpp - File log appender class implementation ■ EventLogAppender.cpp - Event log appender class implementation

Which are used by permission as stated in the notice below. COPYRIGHT AND PERMISSION NOTICE Copyright (c) 2002 Will Senn All rights reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, provided that the above copyright notice(s) and this permission notice appear in all copies of the Software and that both the above copyright notice(s) and this permission notice appear in supporting documentation. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder. Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

Technical support
As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group’s primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts Symantec technical support offerings include the following:

A range of support options that give you the flexibility to select the right amount of service for any size organization Telephone and Web support components that provide rapid response and up-to-the-minute information Upgrade insurance that delivers automatic software upgrade protection Content Updates for virus definitions and security signatures that ensure the highest level of protection Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support

■ ■

Licensing and registration
If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at www.symantec.com/certificate. Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.html, select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link.

Contacting Technical Support
Customers with a current support agreement may contact the Technical Support group via phone or online at www.symantec.com/techsupp. Customers with Platinum support agreements may contact Platinum Technical Support via the Platinum Web site at www.secure.symantec.com/platinum/.

NIC information Operating system Version and patch level Network topology Router. gateway. Customer Service is available to assist with the following types of issues: ■ ■ ■ ■ ■ ■ ■ ■ ■ Questions regarding product licensing or serialization Product registration updates such as address or name changes General product information (features. disk space. please have the following: ■ ■ ■ ■ ■ ■ ■ ■ Product release level Hardware information Available memory.html Select your country or language under Global Support.When contacting the Technical Support group. language availability. local dealers) Latest information about product updates and upgrades Information about upgrade insurance and maintenance contracts Information about the Symantec Value License Program Advice about Symantec's technical support options Nontechnical presales questions Issues that are related to CD-ROMs or manuals . and IP address information Problem description ■ ■ ■ Error messages/log files Troubleshooting performed prior to contacting Symantec Recent software configuration changes and/or network changes Customer service Customer service information is available at the following URL: www.com/techsupp/ent/enterprise.symantec.

Your rights and obligations with respect to the use of this Software are as follows. precedes. C. use the Software as part of a facility management. F. This license governs any releases. and vulnerability assessment products utilize updated vulnerability data. License: The software and documentation that accompanies this license (collectively the “Software”) is the property of Symantec. AND CONTACT SYMANTEC CUSTOMER SERVICE FOR INFORMATION ON HOW TO OBTAIN A REFUND OF THE MONEY YOU PAID FOR THE SOFTWARE (LESS SHIPPING. decompile. use the Software in accordance with any additional permitted uses set forth below. these updates are collectively referred to as “Content Updates”). after written notice to Symantec. reverse engineer. modify. BREAKING THE SEAL. C. use one copy of the Software on a single computer. make any attempt to discover the source code of the Software. Content Updates: Certain Software utilize content that is updated from time to time (including but not limited to the following Software: antivirus software utilize updated virus definitions. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND SYMANTEC. SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES (“SYMANTEC”) IS WILLING TO LICENSE THE SOFTWARE TO YOU AS THE INDIVIDUAL. use a previous version or copy of the Software after You have received and installed a disk replacement set or an upgraded version. or service bureau arrangement. Your License Module shall constitute proof of Your right to make such copies. all copies of the prior version must be destroyed. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS. revisions. nor H. Upon upgrading the Software. If a License Module accompanies. content filtering software utilize updated URL lists. provided that You have a licensed copy of the Software for each computer that can access the Software over that network. CLICK THE “I DO NOT ACCEPT” OR “NO” BUTTON OR OTHERWISE INDICATE REFUSAL. provided that You retain no copies of the Software and the transferee agrees to the terms of this license. or copy the Software onto the hard disk of Your computer and retain the original for archival purposes. or create derivative works from the Software. copy the printed documentation that accompanies the Software. D. While Symantec continues to own the Software. D. or license key (each a “License Module”) that accompanies. use. or enhancements to the Software that Symantec may furnish to You. OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS “YOU” OR “YOUR”) ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT. use the Software in any manner that contradicts any additional restrictions set forth below. any Symantec software on the media for which You have not received a permission in a License Module. if You received the software distributed on media containing multiple Symantec products. You will have certain rights to use the Software after Your acceptance of this license. and E. You may not: A.Symantec Software License Agreement LiveUpdate™ Administrator’s Guide IMPORTANT: PLEASE READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE. precedes. AND ANY APPLICABLE TAXES) AT ANY TIME DURING THE SIXTY (60) DAY PERIOD FOLLOWING THE DATE OF PURCHASE. make one copy of the Software for archival purposes. You shall have the right to obtain Content Updates for any period for which . MAKE NO FURTHER USE OF THE SOFTWARE. B. disassemble. B. 1. use the Software in any manner not authorized by this license. transfer the Software on a permanent basis to another person or entity. license coupon. rent. or lease any portion of the Software. some firewall software utilize updated firewall rules. timesharing. use the Software on a network. Except as may be modified by a Symantec license certificate. G. BY OPENING THIS PACKAGE. 2. translate. You may: A. or its licensors. or follows this license. E. You may make the number of copies of the Software licensed to You by Symantec as provided in Your License Module. or follows this license. use a later version of the Software than is provided herewith unless You have purchased upgrade insurance or have otherwise separately acquired the right to use such later version. service provider. sublicense. THE COMPANY. HANDLING. CLICKING THE “ACCEPT” OR “YES” BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY. OR LOADING THE SOFTWARE. YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. and is protected by copyright law.

This License and the Software containing enforcement technology require activation as further set forth in the documentation.F. at its option. provided. Limited Warranty: Symantec warrants that the media on which the Software is distributed will be free from defects for a period of sixty (60) days from the date of delivery of the Software . as applicable. Your sole remedy in the event of a breach of this warranty will be that Symantec will. 48 C. All Symantec products and documentation are commercial in nature. You will provide Your unique product key accompanying the Software and computer configuration in the form of an alphanumeric code over the Internet to verify the authenticity of the Software. section 12. section 252. CONSEQUENTIAL.7202-4.7202 through 227. 3.227-7014(a)(1). WHETHER EXPRESS OR IMPLIED. AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS.F.R.227-14. or for any period for which You have otherwise separately acquired the right to obtain Content Updates. or as may be set forth in the documentation. 6. handling.You have purchased maintenance.R. or through any other method specified during the activation process. The Software will only operate for a finite period of time prior to Software activation by You.S.” as such terms are defined in 48 C. You agree that Symantec may use these measures to protect Symantec against software piracy. INDIRECT. OR SIMILAR DAMAGES.F.R. consisting of “Commercial Computer Software” and “Commercial Computer Software Documentation.212 and 48 C.101. DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES. which will restore Software functionality. You will not have to pay an additional fee to continue receiving such Content Updates through the term of such maintenance even if Symantec designates such Content Updates as requiring separate purchase. section 12.R.227-7014(a)(5) and 48 C.F. 5.7202. and any applicable taxes) at any time during the sixty (60) day period following the date of purchase. Symantec reserves the right to designate specified Content Updates as requiring purchase of a separate subscription at any time and without notice to You. the Software will cease to function until activation is complete.F. replace any defective media returned to Symantec within the warranty period or refund the money You paid for the Software. 7. INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.R.R. 48 C. Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free. FITNESS FOR A PARTICULAR PURPOSE. Symantec's computer software and computer 4. Product Installation and Required Activation: There are technological measures in this Software that are designed to prevent unlicensed or illegal use of the Software. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE. IN NO EVENT WILL SYMANTEC OR ITS LICENSORS BE LIABLE TO YOU FOR ANY SPECIAL. THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES. section 227. You may contact Symantec Customer Support using the information provided by Symantec during activation.R. During activation. The disclaimers and limitations set forth above will apply regardless of whether You accept the Software.R. and other relevant sections of the Code of Federal Regulations. that if You purchase maintenance hereunder that includes particular Content Updates on the date of purchase. This License does not otherwise permit the licensee to obtain and use Content Updates. If You do not complete the activation within the finite period of time set forth in the documentation. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS.R.F.F. Consistent with 48 C. Disclaimer of Damages: SOME STATES AND COUNTRIES. INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY. section 252. as applicable.F. and used in 48 C. Sixty Day Money Back Guarantee: If You are the original licensee of this copy of the Software and are not completely satisfied with it for any reason. section 2.” as that term is defined in 48 C. except for those Content Updates that Symantec elects to make available by separate paid subscription. or as prompted by the Software.227-7015. YOU MAY HAVE OTHER RIGHTS. SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.212. however. This Software may contain enforcement technology that limits the ability to install and uninstall the Software on a computer to not more than a finite number of times for a finite number of computers. section 227. section 252. Government Restricted Rights: RESTRICTED RIGHTS LEGEND. section 52. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA. In the event that You are not able to activate the Software over the Internet. IN NO CASE SHALL SYMANTEC'S OR ITS LICENSORS' LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The software and software documentation are “Commercial Items. U.F. WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY. to You. 48 C. please contact Symantec Customer Service for a refund of the money You paid for the Software (less shipping.

Manufacturer is Symantec Corporation.S. Otherwise. WHETHER IN CONTRACT. national. this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 2000 The Apache Software Foundation. this acknowledgement may appear in the software itself. regional and local laws. this Agreement will be governed by the laws of England and Wales. This Agreement may only be modified by a License Module that accompanies this license or by a written document that has been signed by both You and Symantec. Department of Commerce (DOC). proposals. according to the terms and conditions contained in this license agreement. 20330 Stevens Creek Blvd. or to any other entity for any military purpose. and “Apache Software Foundation” must not be used to endorse or promote products derived from this software without prior written permission. Iran. This Agreement shall terminate upon Your breach of any term contained herein and You shall cease use of and destroy all copies of the Software. (ii) Symantec Authorized Service Center. “Tomcat”. U. Syria and Sudan or to any country subject to applicable trade sanctions. OR 97477. are permitted provided that the following conditions are met: 1. You agree to comply with the requirements of the EAR and all applicable international. 3. Version 1. This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation. PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES. OR PROFITS. INCIDENTAL. 4. General: If You are located in North America or Latin America. BUT NOT LIMITED TO. 9. Postbus 1029. Violation of U. This Agreement and any related License Module is the entire agreement between You and Symantec relating to the Software and: (i) supersedes all prior or contemporaneous oral or written communications. Licensee agrees not to export. Iraq.1 Copyright (c) 1999.” Alternately. this Agreement will be governed by the laws of the State of California. EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.S.S. Should You have any questions concerning this Agreement. The end-user documentation included with the redistribution. Software and documentation is delivered Ex Works California. if any. For more information on the Apache 8. DATA. under the Export Administration Regulations (EAR) (see www. For written permission.doc. The disclaimers of warranties and damages and limitations on liability shall survive termination. and (ii) prevails over any conflicting or additional terms of any quote. THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING. or (iii) Symantec Customer Service. SPECIAL. OR CONSEQUENTIAL DAMAGES (INCLUDING. OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY. NSW 2113. state. CA 95014. and regulations. Department of State's Debarred List. All rights reserved.org>. or similar communications between the parties. 3600 BA Maarssen.S. Redistributions of source code must retain the above copyright notice. Specially Designated Narcotics Traffickers. Products derived from this software may not be called “Apache” nor may “Apache” appear in their names without prior written permission of the Apache Software Foundation. or Dublin. Way. or re-export. 5. Symantec products to any military entity not approved under the EAR. if and wherever such third-party acknowledgements normally appear. INDIRECT. this list of conditions and the following disclaimer. LOSS OF USE. ACKNOWLEDGEMENTS The Apache Software License. or if You desire to contact Symantec for any reason. the U. United States of America. must include the following acknowledgement: “This product includes software developed by the Apache Software Foundation <http://www. 555 International . U. Australia.software documentation are licensed to United States Government end users with only those rights as granted to all other end users. The Netherlands. Furthermore.org/>. law is strictly prohibited. order. any product to any country outlined in the EAR.A. Licensee agrees not to export. please write to: (i) Symantec Customer Service. nor to any person or entity on the DOC Denied Persons. Redistribution and use in source and binary forms. Department of Treasury's lists of Specially Designated Nationals.S.S. OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT. Libya. THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. with or without modification.apache. Symantec products are currently prohibited for export or re-export to Cuba. The names “The Jakarta Project”. or Specially Designated Terrorists. North Korea. or re-export. including any applicable import and use restrictions. directly or indirectly.A. BUT NOT LIMITED TO.bxa. and representations with respect to its subject matter. Cupertino. acknowledgment. biological.gov). EXEMPLARY.. nor will it sell any Symantec product for use in connection with chemical. Springfield. North Ryde. STRICT LIABILITY.. or nuclear weapons or missiles capable of delivering such weapons. 2. Ireland respectively (ICC INCOTERMS 2000). Redistributions in binary form must reproduce the above copyright notice. Entities and Unverified Lists. Export Regulation: Certain Symantec products are subject to export controls by the U. or on the U. please contact <apache@apache. 1 Julius Ave.

LOSS OF USE.apache. Neither the name of the HSQL Development Group nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. LOSS OF USE. BUT NOT LIMITED TO. OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY. OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE. OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY. Inc. STRICT LIABILITY. and Apache XML-RPC. Copyright (c) 1999-2003 Ultimate Technology. must include the following acknowledgement: “This product includes software developed by Ultimate Technology. if any. Open Source License. please see <http://www. This product includes software developed by the Apache Software Foundation (http://www. with or without modification.org/>. The end-user documentation included with the redistribution. OR CONSEQUENTIAL DAMAGES (INCLUDING. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES.” Alternately. The HSQL Development Group. are permitted provided that the following conditions are met: 1. Portions of this software are based upon other open source products and are subject to their respective licenses.com.UltimateTech. ----------------------Ultimate Technology. Ultimate Technology and product names such as Ultimate Console may not be used to endorse or promote products derived from this software without prior written permission. with or without modification. OR PROFITS. Products derived from this software may not be called “Ultimate” nor may “Ultimate” appear in their names without prior written permission of Ultimate Technology.apache. A copy of the license may be found at www. IN NO EVENT SHALL HSQL DEVELOPMENT GROUP. HSQLDB. namely Tomcat. 2. All rights reserved. STRICT LIABILITY. PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES.com/). 3. EXEMPLARY. All rights reserved. INDIRECT. Redistribution and use in source and binary forms.org/). INCIDENTAL. this list of conditions and the following disclaimer. Copyright © 2000 The Apache Software Foundation. . EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. this acknowledgement may appear in the software itself. Redistributions in binary form must reproduce the above copyright notice. OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT. OR CONSEQUENTIAL DAMAGES (INCLUDING.apache. this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE. SPECIAL. Inc. 5. BUT NOT LIMITED TO. 4. Redistributions of source code must retain the above copyright notice. Redistributions in binary form must reproduce the above copyright notice. if and wherever such third-party acknowledgements normally appear. are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice. SPECIAL. ----------------------Copyright (c) 2001-2002.1. All rights reserved. THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING. THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. INCLUDING.ORG. (http://www. DATA. Xerces. For written permission. BUT NOT LIMITED TO. THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.org/LICENSE. Inc. OR PROFITS. Inc. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT. DATA. EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.Software Foundation. BUT NOT LIMITED TO. please contact info@UltimateTech. Redistribution and use in source and binary forms. EXEMPLARY. PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES. Version 1. INCIDENTAL. this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. INDIRECT. WHETHER IN CONTRACT. this list of conditions and the following disclaimer. WHETHER IN CONTRACT.

.

................... Symantec and Central LiveUpdate servers ............................................................................................................................................................................................................. About the LiveUpdate Administration Utility ......... Retrieving Update Packages ............. How clients are updated using a Symantec LiveUpdate server ... How LiveUpdate works ................. Updating the LiveUpdate Administration Utility ........................................................................................................... How clients are updated using a Central LiveUpdate server ........................................ Components of LiveUpdate ................................................ Where to get more information about LiveUpdate ...... 17 18 20 20 21 22 23 23 24 26 27 28 29 Chapter 2 Installing the LiveUpdate Administration Utility Before you install ................... 37 37 38 39 ...................................................... How the LiveUpdate Administration Utility works ............ LiveUpdate product and index files ............................................... LiveUpdate Administration Utility and LiveUpdate client compatibility . System requirements ........... Uninstalling the LiveUpdate Administration Utility . Setting update retrieval options .....Contents Technical support Chapter 1 Introducing the LiveUpdate Administration Utility About LiveUpdate .................................................................. Post-installation tasks ......................... About LuAdmin and Central LiveUpdate ......................................................................................................................................................... LiveUpdate Administration Utility files ............................... Setting up a Central LiveUpdate server ......................................... 31 31 32 33 34 34 35 35 Chapter 3 Using the LiveUpdate Administration Utility Starting the LiveUpdate Administration Utility .......... What you can do with the LiveUpdate Administration Utility .................. What's new in LiveUpdate ............................................................................................................... Installing the LiveUpdate Administration Utility .......................................................................................

..... General settings ....................................................................................................... Clearing the download directory ......... Enabling and scheduling client updates from the Symantec System Center ........................................................................................ Implementing LiveUpdate UNC support ......................................... 62 62 63 64 64 65 66 66 71 72 74 .. Configuring a host file for unmanaged clients ................................................ Windows LiveUpdate settings ..................................................... Enabling TCP/IP by location ... Windows Hosts settings ......................................................... Configuring multiple LiveUpdate servers for the Symantec System Center ............................................. Viewing LiveUpdate events ........... Making all connection options available ............. 40 40 43 44 45 46 46 46 49 49 50 50 51 51 52 53 53 Chapter 4 Using the LiveUpdate Administration Utility with the Symantec System Center Configuring a host file for use with the Symantec System Center .............................. Removing a product .......... Working with Windows LiveUpdate configurations ............................................................................................... Configuring LiveUpdate UNC support (LAN transport) ............................................................................................................................................... Using custom LiveUpdate packages ............... About the Symantec management console ............................. Changing LiveUpdate Administration Utility retrieval settings .............................................................................................12 Contents Configuring clients to use a Central LiveUpdate server ..................................................... Viewing and deleting events ............................. Automatic detection of the SESA Agent .............................................................................................. How SESA manages LiveUpdate client settings ............................................................................................................. Retrieving Update Packages automatically ....................................... Adding a product . 55 56 57 58 59 Chapter 5 Managing LiveUpdate clients with SESA About LiveUpdate and SESA .................. Updating the Symantec Product Line and Languages of Updates checklists ........... Working with LiveUpdate events ......... About Windows LiveUpdate client configurations .......................................................... Enabling location profiles ....... Configuring NetWare servers to retrieve updates in the Symantec System Center ................................................................................... Windows Custom Content settings ........................................................................................ Handling interrupted downloads ........... Creating a LiveUpdate host file for clients ..........................

...................................................................................................... Java LiveUpdate settings .................................... 110 Understanding LiveUpdate package authentication ............ 109 Adding a new client computer to the network .............................................. 93 LiveUpdate client file locations ............................................................................................................ Modifying a Java LiveUpdate configuration ................................................ 76 77 78 78 79 79 80 81 83 84 86 87 88 Chapter 6 Working with LiveUpdate clients Upgrading the LiveUpdate client ......... 112 Running LiveUpdate from a command line or scheduler ...... Java LiveUpdate Hosts settings ..... 109 Changing a client computer to receive updates from a Symantec LiveUpdate server ......................... Configuring Java LiveUpdate ............. Distributing a Windows LiveUpdate configuration ......conf files ............. Distributing a Java LiveUpdate configuration ................................................................... 113 Accessing LiveUpdate in the Control Panel in Windows XP 64-bit .............. 109 Changing a client computer to receive updates from a Central LiveUpdate server .................................................................................... Working with Java LiveUpdate configurations .................................... 111 Adding trusted root certificates .................................................................................... Modifying a Windows LiveUpdate configuration ...............................Contents 13 Editing Windows LiveUpdate configuration properties ............................................................................ 110 Understanding Automatic LiveUpdate Scheduler logging ......... Java LiveUpdate 3... 115 116 119 120 ....... 108 Adding or changing LiveUpdate client computers ..................... About Java LiveUpdate client configurations ..........................................................0 settings ................ 114 Chapter 7 Using Java LiveUpdate About Java LiveUpdate ........... 92 About LiveUpdate client files .......................................... 113 Configuring the Automatic LiveUpdate Scheduler service ......................................... Sample liveupdate............... 96 Understanding corporate mode settings ............................................. General settings .......... 110 Ensuring that Automatic LiveUpdate and scheduled LiveUpdate authenticate ..................................... 95 About LiveUpdate client configuration files ....................... Java LiveUpdate configuration guidelines ....................................................................................... 91 About checking version numbers .................................................................................. Editing Java LiveUpdate configuration properties ..................................... Java LiveUpdate Custom Content settings ..

....... Installing the Custom Content Publishing Application .......................................................... Running the Symantec Provisioning Tool locally ...........................................................................exe .......... Running luamtscan.......................................................................................................................... Running the Symantec Provisioning Tool ....exe remotely .................... Creating a configuration file to scan a range of computers ..................... Installing the LiveUpdate Administrator for Intel AMT program ......... Creating a host file to scan a range of computers . Enabling Java LiveUpdate logging on Linux servers ............... Creating a configuration file to provision a range of computers .................................................................................................................. Starting a new scan in the LiveUpdate Administrator for Intel AMT console ...... Java LiveUpdate command-line switches ......................... Working with the Custom Content Publishing Application ........ Starting a LiveUpdate session .........................................................exe .................................................................................... CCPA and LOTS file locations and Windows Start menu shortcuts ................................................................. Support for EBCDIC character encoding ............................. 147 148 148 149 149 151 ..............exe ..xml file that was created by luamtscan................................. 121 122 122 124 124 125 128 Chapter 8 Incorporating LiveUpdate with Intel Active Management Technology About Intel Active Management Technology and LiveUpdate ......... Running sysprovision................................... Creating a configuration file for use with sysprovision....................... About setting up the BIOS on the Intel AMT computer ........................................................... 129 131 131 132 133 134 134 135 136 136 137 139 139 140 141 142 144 144 145 Chapter 9 Working with custom content About LiveUpdate custom content publishing ............... About LiveUpdate Intel AMT client files ..................................... Running sysprovision............................ Planning for content publishing ............................................................. Configuring startup options ..... Running luamtscan..................................... About roles and users ..14 Contents Configuring Java LiveUpdate to use a Central LiveUpdate server .... Using the LiveUpdate Administrator for Intel AMT console .... Importing SSL certificates into the Java keystore .. Running Java LiveUpdate from the command line ................................... Running the Symantec Provisioning Tool remotely ...........................................................exe ..............exe remotely ..... Opening an existing ...........................

Contents

15

After you install the Custom Content Publishing Application ........ Uninstalling the Custom Content Publishing Application ............. Using the LOTS Manager ............................................................. How the LOTS file is used in the custom content publishing process ......................................................................... Working with certificates ....................................................... Enabling SSL support over HTTPS ........................................... Performing administrative tasks .................................................... Starting and logging on to CCPA .............................................. Navigating the Custom Content Publishing Application ............... Uploading the LOTS file ......................................................... Working with CCPA servers .................................................... Working with User Profiles ..................................................... Working with products and languages ...................................... Working with update types ..................................................... Setting the System Configuration ............................................ Managing publishing sessions ................................................ Enabling LiveUpdate clients to retrieve custom content .....................

151 152 152 153 154 154 156 157 157 158 158 160 162 163 164 167 172

Chapter 10

Publishing custom content
About the content publishing session ............................................. Submitting updates ..................................................................... Defining product updates ....................................................... Using PreConditions ................................................................... About PreCondition syntax ..................................................... PreCondition errors ............................................................... Using the PreCondition Editor ................................................. Signing and publishing updates .................................................... Uploading a signing certificate ................................................ Publishing updates ............................................................... Rejecting updates ................................................................. Testing product updates ............................................................... 175 178 179 182 183 197 200 202 204 204 205 206

Index

16

Contents

Chapter

1

Introducing the LiveUpdate Administration Utility
This chapter includes the following topics:
■ ■ ■ ■ ■ ■ ■

About LiveUpdate What's new in LiveUpdate Components of LiveUpdate How LiveUpdate works How the LiveUpdate Administration Utility works What you can do with the LiveUpdate Administration Utility Where to get more information about LiveUpdate

About LiveUpdate
LiveUpdate™ is the Symantec™ technology for automatically updating Symantec virus definitions and products. The LiveUpdate client is included with each Symantec product and is installed automatically. Periodically, the LiveUpdate client connects to a LiveUpdate server to check for new updates that apply to the Symantec products that are installed on the computer. If any updates are found, the LiveUpdate client prompts the user to download and install the update. Downloading virus definitions and program updates usually requires a paid subscription, but the updates are included in many corporate contracts.

18

Introducing the LiveUpdate Administration Utility About LiveUpdate

Symantec and Central LiveUpdate servers
LiveUpdate offers the option to use either a Symantec LiveUpdate server or, for host computers that are connected to a private network, an internal Central LiveUpdate server. Each LiveUpdate client can be configured separately to use either server. When a Symantec server is used, LiveUpdate clients connect using HTTP or FTP to a server that is located at a Symantec LiveUpdate site. If an internal Central LiveUpdate server is used, clients communicate with it for new updates. Using a Central LiveUpdate server means that clients do not need to connect to an external network for virus definitions and product updates. This reduces the LiveUpdate traffic between the local network and Symantec LiveUpdate sites. In addition, using a Central LiveUpdate server gives you control over the types of updates that are available to users, and supports the use of Custom Content publishing, a new feature in LiveUpdate. See “About LiveUpdate custom content publishing” on page 147. When you configure a Central LiveUpdate server, the LiveUpdate Administration Utility (LuAdmin) performs the following tasks:

Selects the Symantec products and languages for which updates will be downloaded Provides the full path to the directory in which downloads will be stored Retrieves all of the update packages and related index files from the Symantec LiveUpdate site that apply to the selected products

■ ■

The LiveUpdate Administration Utility stores all of the downloaded update packages and index files on the local server. After the updates are initially retrieved, LuAdmin checks with the Symantec LiveUpdate site for new update packages and automatically retrieves and stores them in the designated directory. You may want to set up the Central LiveUpdate server on a separate computer from the LiveUpdate Administration Utility. New updates can then be tested before they are moved to the Central LiveUpdate server. Once the Central LiveUpdate server has been configured, you can use LuAdmin to establish communication with client computers on the network. You can select the HTTP, FTP, or LAN transport method, and then create a LiveUpdate host file based on your selection. The host file contains the information that is needed by the client to connect to the Central LiveUpdate server. The host file is then distributed to each of the clients on the network. Depending on the time interval that has been set, each LiveUpdate client periodically connects to the Central LiveUpdate server and checks for new updates. Applicable updates are automatically downloaded from the Central LiveUpdate server and installed on the clients.

Introducing the LiveUpdate Administration Utility About LiveUpdate 19 Figure 1-1 shows a typical network using a Central LiveUpdate server. Figure 1-1 Network using a Central LiveUpdate server Symantec LiveUpdate site Symantec LiveUpdate server Update packages and index files Internet LUAdmin host Update packages and index files Gateway Local Area Network Update packages and index files Central LiveUpdate server Client hosting Symantec products and LU client LiveUpdate Product Inventory .

and downloads the updates that apply to the Symantec products that are installed on the local network. and can empty the cache on demand. What's new in LiveUpdate LiveUpdate (Win32) includes the following new enhancements and features: LiveUpdate service On Windows 2K/NT/XP client computers. You can periodically move the update packages and their associated index files from the LiveUpdate Administration Utility host to the Central LiveUpdate server. Users can configure the Update Cache to override the default maximum cache size of 5% of the drive where LiveUpdate is installed. It checks with an external Symantec LiveUpdate site at frequent intervals for new updates. Events are logged in response to standard commands. Packages that fail to install are retained in the Update Cache. based upon schedules and protocols that you determine.20 Introducing the LiveUpdate Administration Utility What's new in LiveUpdate About the LiveUpdate Administration Utility The LiveUpdate Administration Utility (LuAdmin) maintains a local LiveUpdate repository for product and virus definitions updates. The user is notified of low disk space in one of the following ways: ■ ■ Integration with the Windows Event Log Improved network bandwidth utilization Interactive LiveUpdate: a message box appears. The LiveUpdate Administration Utility does not need to be installed on the same server that is used as the Central LiveUpdate server. the LiveUpdate service loads on system startup and remains resident for the remainder of the Windows session. LiveUpdate will not attempt to download any updates if insufficient disk space is available to download and install all selected updates. The LiveUpdate Administration Utility is typically installed on one computer on the network. Silent Automatic LiveUpdate (ALU): a system tray notification message appears. patch installed. including server selected. Events specific to LiveUpdate are also logged. The LiveUpdate service integrates with the Windows Event Log. . and patch failed. The LiveUpdate Update Cache on the Windows 32 LiveUpdate client retains downloaded packages until they are successfully installed. including Service Start and Service Stop.

Components of LiveUpdate Table 1-1 lists the LiveUpdate components and their functions.Introducing the LiveUpdate Administration Utility Components of LiveUpdate 21 Usability improvements LiveUpdate provides improved Express Mode error reporting and error descriptions to aid in troubleshooting. See “Symantec and Central LiveUpdate servers” on page 18. downloading. clients communicate directly with a Symantec LiveUpdate site to check for new virus definitions and program updates. . When a Central LiveUpdate server is not used. Table 1-1 Component LiveUpdate client LiveUpdate components Function The LiveUpdate client is automatically installed on every computer that has a Symantec product installed. When a Central LiveUpdate server is used. and installing available updates for all Symantec products on the computer. The LiveUpdate client handles checking for. LuAdmin maintains a local and up-to-date repository of product and virus definitions updates. and their related index files. LuAdmin periodically checks for and downloads new updates. Symantec LiveUpdate server A LiveUpdate server is located at one of the LiveUpdate sites maintained by Symantec. only the computer running LuAdmin communicates with a Symantec LiveUpdate server. LiveUpdate Administration The LiveUpdate Administration Utility is typically installed Utility (LuAdmin) on one computer on the network. See “How the LiveUpdate Administration Utility works” on page 26. See “Upgrading the LiveUpdate client” on page 91. that is used by other computers on the network.

but a standard network server may also be used. including product identifiers. Periodically. version numbers. A compressed file that is sent by the LiveUpdate server to the client in response to a request for new updates.zip) Update Package .zip file are used to authenticate the Update Package and ensure that it has been delivered without modification. It contains information about each Symantec product that is installed on the client. and other product attributes. The signature and guard files that are sent with the xxxxtri. The Update Index file contains an index entry. for every update package that is available on the server (whether it is a Symantec server or a Central LiveUpdate server). instead of communicating with a server that is located at a Symantec site. an FTP. LiveUpdate product and index files LiveUpdate uses the following files to maintain catalog and index information: Client Product Inventory A file that must exist on each computer where the LiveUpdate client is installed. release date sequence numbers. This file comprises the Update Index file. language. HTTP. There is one Update Package for each update that is listed in the Update Index file. or HTTPS server is used. a Symantec signature. See “Setting up a Central LiveUpdate server” on page 37. Normally. or specification. Update Index (xxxxtri. LiveUpdate clients direct their requests for updates to this server. you may want to transfer new update packages and index files from the LiveUpdate Administration Utility to the Central LiveUpdate server.22 Introducing the LiveUpdate Administration Utility Components of LiveUpdate Table 1-1 Component LiveUpdate components (continued) Function Central LiveUpdate server A Central LiveUpdate server resides on an internal network that is used to store LiveUpdate packages and index files. The Client Product Inventory is maintained and used by the client. A set of files that contains the update content that is to be installed on the client. and a guard file. These entries contain the same information that is in the Client Product Inventory.

How LiveUpdate works When you start LiveUpdate. LiveUpdate then determines the types of updates that are needed. LiveUpdate automatically installs all the updates for your Symantec products. You can then choose which updates to install. it displays a list of the registered Symantec products that are on the computer and establishes the versions and languages of the products to be updated. which lists all of the Symantec products that are installed on the client.xml) A file that contains basic product identifiers and attributes for every product that uses LiveUpdate. In Interactive mode. LiveUpdate downloads a list of updates that are available for your Symantec products. based on a time interval setting that you define for the client. See “About LiveUpdate client configuration files” on page 96. LiveUpdate finds and connects to either an external Symantec server or an internal Central LiveUpdate server that has been set up by an administrator using the LiveUpdate Administration Utility. How clients are updated using a Symantec LiveUpdate server The following steps are performed when a client uses a Symantec LiveUpdate server for its updates: Start up The LiveUpdate client performs an update check periodically. is read. The LiveUpdate Administration Utility and LiveUpdate client have additional files. See “LiveUpdate Administration Utility files” on page 32.Introducing the LiveUpdate Administration Utility How LiveUpdate works 23 All Products List (Products. When LiveUpdate is started on the client. This file is used by LuAdmin to generate the list from which users can select the product versions and language versions. This file is refreshed each time that LuAdmin performs an update operation. the local Client Product Inventory. LiveUpdate operates in either Interactive or Express mode. . and the order in which to apply the updates. If you run LiveUpdate in Express mode.

Each Update Package is then installed on the local computer. If a match is found. there is an entry in the Client Product Inventory that contains the name of the Update Index file in which the updates are listed.24 Introducing the LiveUpdate Administration Utility How LiveUpdate works Request Update Indexes For each Symantec product that is installed. the corresponding Update Package is added to the list of updates to retrieve. the client checks the list of updates. If the list is empty. If there are Update Packages listed. the LiveUpdate operation is immediately terminated on the client. When the Update Index files have been received by the client. the client displays the list and prompts the user to select the updates to be downloaded. After each product in the Client Product Inventory has been checked against its Update Index. Check Update Indexes Update Package Request Update Package Installation Update completion How clients are updated using a Central LiveUpdate server The following steps are performed when a client uses a Central LiveUpdate server for its updates: . If the user selects one or more of the updates. the LiveUpdate operation is terminated. If the user declines all of the updates. the local Client Product Inventory is updated. a request is sent to the LiveUpdate server for them. the client verifies that the updates match those that were initially requested. the client checks each of the products in the local Client Product Inventory against its index file to see if there are any new updates available for it. The update operation is terminated. If Interactive mode is enabled. Following the installation. they are automatically downloaded using the default Express mode setting. When the Update Packages have been downloaded. The client collects the Update Index file names and sends a request to the LiveUpdate server for these files to be downloaded to the client. and that they have been delivered without modification.

the client authenticates the sender and verifies that the packages have been delivered without modification. the corresponding Update Package is added to the list of updates to be downloaded. based on a time interval setting that you define. Each Update Package that is accepted by the client is installed on the local computer. When the client has received the Update Index file. the LiveUpdate operation is immediately terminated on the client. it checks each of the products in its local Client Product Inventory against the Update Index file to see if there are any new updates available. the local Client Product Inventory is updated to reflect the package that was installed. When the Update Packages have been received.zip). If the list is empty.6x and later so that they can download updates from the closest internal LiveUpdate server. the LiveUpdate operation is terminated. If a match is found. the client displays the list and prompts the user to select the updates to be downloaded. After each product in the Client Product Inventory has been checked against its Update Index file. If there are Update Packages listed.Introducing the LiveUpdate Administration Utility How LiveUpdate works 25 Start up The LiveUpdate client performs an update check periodically. The client sends a request to the Central LiveUpdate server for the Update Index file (xxxxtri. they are automatically downloaded using the default Express mode setting. the client checks the list of updates. Following each installation. If the user declines all of the updates. and no updates are downloaded. . a request is sent to the LiveUpdate server for them. If the user selects one or more of the updates. This typically results in decreased download times. You can also configure the host file to use an external LiveUpdate server. The update operation is terminated. If Interactive mode is enabled. Request Update Indexes Check Update Indexes Update Package Request Update Package Installation Update completion You can configure a LiveUpdate host file for LiveUpdate clients version 1.

it checks each product in its Product Inventory against it to see if there are any new updates available. Descriptive warnings and error messages assist in troubleshooting LiveUpdate failures. LuAdmin sends a request to the Symantec LiveUpdate server for the selected Update Packages. However. The LiveUpdate Administration Utility sends a request to a Symantec LiveUpdate server for the Update Index file (xxxxtri. the corresponding Update Package is added to the list of updates to be downloaded.zip) to be retrieved. The Product Inventory for LuAdmin contains not only Symantec products that are installed on the computer on which LuAdmin is installed. If the list is empty. After each product in the Client Product Inventory has been checked against the Update Index file. When the LiveUpdate Administration Utility receives the Update Index file. LiveUpdate clients version 1. How the LiveUpdate Administration Utility works The LiveUpdate Administration Utility (LuAdmin) has its own update checking and retrieval operation. LuAdmin skips to the Retrieve Product List operation immediately. Request Update Indexes Check Update Indexes Update Package request . LuAdmin checks the list of updates to be requested. there are important differences. but also those for which updates are being maintained on behalf of the other computers on the network. See “Understanding LiveUpdate package authentication” on page 110. This operation is similar to the one that is performed by the client.26 Introducing the LiveUpdate Administration Utility How the LiveUpdate Administration Utility works See “Creating a LiveUpdate host file for clients” on page 40. If the list is not empty. If a match is found. The following steps are performed when LuAdmin is updated: Start up The LiveUpdate Administration Utility performs an update check periodically based on its time interval setting.7x and later perform additional authentication and error checking.

including the following: ■ Add and delete Symantec products and languages for which update packages are retrieved and made available on the Central LiveUpdate server. you can perform some type of testing and acceptance process on new update packages. ■ ■ . the new Update Index file is compared to the previous Update Index. Using the Update Index file that was received from the Symantec LiveUpdate server earlier as a starting point. LuAdmin creates an Update Index for the local network by eliminating entries for products that are not supported by the Central LiveUpdate server. The Client Product Inventory is updated to reflect the stored packages. This file is stored locally and is used to set download options. Then you can copy the update packages. and the new Update Index file. but are not included in the new index. The update operation is terminated. specifically to select products and language versions to be supported on the Central LiveUpdate server. from the computer that hosts LuAdmin to the Central LiveUpdate server. are deleted.Introducing the LiveUpdate Administration Utility How the LiveUpdate Administration Utility works 27 Store Update Packages When the Update Packages that were ordered have been received. Set the time intervals for checking the Symantec LiveUpdate site for new updates. the client authenticates the sender and verifies that the packages have been delivered without modification. You can use LuAdmin to manage update retrieval and storage operations on a continuing basis. LuAdmin requests the Product List from the Symantec LiveUpdate server. View and manage the local LiveUpdate repository of Symantec product and virus definitions updates and related files. Each Update Package that is accepted by the client is stored on the local computer. On most networks. Any Update Packages that were listed in the old index. Create new local Update Index Retrieve Product List Update completion About LuAdmin and Central LiveUpdate The LiveUpdate Administration Utility continues to update its cache of update packages periodically using the download settings that you defined. At the same time.

28 Introducing the LiveUpdate Administration Utility What you can do with the LiveUpdate Administration Utility ■ View. See “Changing LiveUpdate Administration Utility retrieval settings” on page 49. View and edit LiveUpdate events. See “About LiveUpdate client configuration files” on page 96. Note: The LuAdmin host file editor only supports FTP. Change update retrieval settings. HTTP. and manage custom content Update Packages that are stored on the Central LiveUpdate server and related index information. Configure LiveUpdate clients to use the Central LiveUpdate server. The Central LiveUpdate server can be either an intranet HTTP. add. or LAN and then manually change that setting in the LiveUpdate. you can use LuAdmin to create configuration files for LiveUpdate clients so that they send their LiveUpdate requests to the Central LiveUpdate server. ■ ■ ■ ■ . See “Working with LiveUpdate events” on page 53. View and manage the LiveUpdate event log. See “Setting up a Central LiveUpdate server” on page 37. you can set up and manage a Central LiveUpdate server. ■ What you can do with the LiveUpdate Administration Utility Using the LiveUpdate Administration Utility (LuAdmin). HTTPS. and LAN. rather than to an external Symantec LiveUpdate site. delete. or FTP server. HTTP. View Update Packages and other product files. Once a Central LiveUpdate server is set up.Settings file. See “Configuring clients to use a Central LiveUpdate server” on page 40. you can create a host file that specifies FTP. or a directory on a standard file server. You can use the LiveUpdate Administration Utility to perform the following administrative tasks: ■ Create a Central LiveUpdate server. If you want to point to an HTTPS server.

On the Web.Introducing the LiveUpdate Administration Utility Where to get more information about LiveUpdate 29 Where to get more information about LiveUpdate The Symantec Web site includes information on troubleshooting LiveUpdate and the LiveUpdate Administration Utility. product updates.symantec. and knowledge base articles.com/techsupp/ . go to the following URL: www.

30 Introducing the LiveUpdate Administration Utility Where to get more information about LiveUpdate .

6x and later.Chapter 2 Installing the LiveUpdate Administration Utility This chapter includes the following topics: ■ ■ ■ ■ ■ ■ Before you install System requirements Installing the LiveUpdate Administration Utility Post-installation tasks Updating the LiveUpdate Administration Utility Uninstalling the LiveUpdate Administration Utility Before you install Before you install the LiveUpdate Administration Utility. LiveUpdate Administration Utility and LiveUpdate client compatibility Because of the changes in configuration file locations in LiveUpdate version 1. you should become familiar with where the setup program installs the software. Make sure that your LiveUpdate clients are updated to the correct version for full compatibility. it is important that you use the correct version of the LiveUpdate Administration Utility (LuAdmin) when you manage LiveUpdate client computers. Table 2-1 lists the versions of the LiveUpdate Administration Utility that you can use with the versions of the LiveUpdate client. . and that your environment meets the system requirements.

5x only LuAdmin 1. When the LiveUpdate Administration Utility itself is being updated.7x and later LuAdmin 1.21 or later.hst LiveUpdate Administration Utility files Description Custom install and uninstall library. this file closes the LiveUpdate Administration Utility. Table 2-2 File ISLUA. you must use LuAdmin version 1. Logs from both the background execution of the application and the execution of the application in user mode. such as the retrieval process.6x LiveUpdate 1.18 or later LuAdmin 1.5. This eliminates the need to restart the computer.5x LiveUpdate 1. File that logs messages for events.exe Executable file.exe LuAdmin.3. . runs LiveUpdate. then relaunches the LiveUpdate Administration Utility. Host file that contains information that is used by LuAdmin to connect to a Symantec LiveUpdate site.3. Lualog. LiveUpdate Administration Utility files By default. The contents of this file are viewable and editable in the log file viewer within the LiveUpdate Administration Utility.5.DLL LuAdmin. the LiveUpdate Administration Utility is installed in the Program Files\LiveUpdate Administration folder. custom update merging. and host file encryption/decryption.xml Luaupdat.5.32 Installing the LiveUpdate Administration Utility Before you install Table 2-1 LiveUpdate version compatibility LiveUpdate client version LiveUpdate Administration Utility version LiveUpdate 1.3.7x and later. See “Viewing and deleting events” on page 53. Table 2-2 lists and describes the files that are used by the LiveUpdate Administration Utility. LiveUpdate Administration Utility program.21 or later To take full advantage of the increased security features in LiveUpdate clients 1.

SAMPLE. See “Viewing and deleting events” on page 53. the system requirements are as follows: ■ Windows 2000 Professional. as well as any technical and late-breaking information that is not included in the LiveUpdate Administrator's Guide. This file also stores your LiveUpdate Administration Utility preferences. This file is the source of the product information that is displayed by LuAdmin in the Retrieve Updates window.xml LiveUpdate Administration Utility files (continued) Description File that contains a comprehensive list of Symantec products.5 and later.HST SilntLuA.exe SYMZIP.TXT Text file that documents the latest changes to the LiveUpdate Administration Utility. File that uninstalls the LiveUpdate Administration Utility.DLL Uninst.0 or later Pentium 100-MHz processor or faster 16 MB RAM 25 MB hard disk space (up to 3 GB of additional space for LiveUpdate packages) ■ ■ ■ ■ For LiveUpdate clients. The contents of this file are viewable in the log file viewer within the LiveUpdate Administration Utility. Windows XP Professional 32-bit with Service Pack 2 Internet Explorer 5.isu LiveUpdate ZIP engine/compression library. Windows 2003. the system requirements are as follows: . System requirements For LiveUpdate Administration Utility 1. the Product List is updated. README. See “Retrieving Update Packages automatically” on page 46. Every time that the LiveUpdate Administration Utility checks for updates. where the product and language versions are selected for the update retrieval operation. Silent LiveUpdate Administrator executable file.Installing the LiveUpdate Administration Utility System requirements 33 Table 2-2 File Products. Host file that is customized by LuAdmin to provide clients with location and method directions for connecting to the internal Central LiveUpdate server.

exe. Windows Internet (WinINet) 4. compressed archive that is included with many Symantec products.com/techsupp/files/lu/lu.71.exe) is a self-extracting. See “About Intel Active Management Technology and LiveUpdate” on page 129.30. Post-installation tasks You can complete the following post-installation tasks: Set up a Central LiveUpdate server.symantec.exe) from the Symantec Web site at: http://www. You can also download the latest version of the LiveUpdate Administration Utility installation file (luau. . Windows NT 4. Installing the LiveUpdate Administration Utility The LiveUpdate Administration Utility (Luau. Windows 2000 Professional/Server/Advanced Server/Data Center.0 is recommended) ■ See “About Intel Active Management Technology and LiveUpdate” on page 129.4_02 (as a minimum) to run the LiveUpdate Administrator for Intel AMT console (JRE 5.34 Installing the LiveUpdate Administration Utility Installing the LiveUpdate Administration Utility ■ Windows 98/98 SE/Me.1 or later Pentium 100-MHz processor or faster 16 MB RAM 10 MB hard disk space (up to 50 MB of additional space for package downloads.0 Workstation/Server/Enterprise Server/Terminal Server. and then follow the on-screen instructions.html To install the LiveUpdate Administration Utility ◆ Launch luau. depending on the size of the LiveUpdate package) ■ ■ ■ ■ LiveUpdate clients that are using Intel Active Management Technology (AMT) also have the following requirements: ■ An Intel AMT-enabled system on the local computer to enable Intel AMT support in LiveUpdate Java™ Runtime Environment (JRE) 1. Windows XP Home Edition/Professional Note: LiveUpdate clients that are using Intel Active Management Technology (AMT) are supported only on Windows Server 2003 or Windows XP Professional with Service Pack 1 or later.

To update the LiveUpdate Administration Utility 1 2 3 4 Start LuAdmin. On the Tools menu. it automatically checks for new LiveUpdate Administration Utility updates and.Installing the LiveUpdate Administration Utility Updating the LiveUpdate Administration Utility 35 See “Setting up a Central LiveUpdate server” on page 37. . See “Starting the LiveUpdate Administration Utility” on page 37. Click Next to see the available updates. Uninstalling the LiveUpdate Administration Utility You can uninstall the LiveUpdate Administration Utility using Add/Remove Programs in the Control Panel. Note: The LiveUpdate Administration Utility temporarily quits while retrieving and installing updates for itself. click Update LiveUpdate Administration Utility. if one is found. Updating the LiveUpdate Administration Utility The LiveUpdate Administration Utility (LuAdmin) can update itself. When the LuAdmin finishes downloading packages. downloads it. Click Finish.

36 Installing the LiveUpdate Administration Utility Uninstalling the LiveUpdate Administration Utility .

you must create and configure a Central LiveUpdate server. To start the LiveUpdate Administration Utility ◆ On the Windows taskbar.exe in the Programs folder. . it creates a shortcut to LuAdmin.Chapter 3 Using the LiveUpdate Administration Utility This chapter includes the following topics: ■ ■ ■ ■ ■ ■ ■ Starting the LiveUpdate Administration Utility Setting up a Central LiveUpdate server Retrieving Update Packages Configuring clients to use a Central LiveUpdate server Changing LiveUpdate Administration Utility retrieval settings Using custom LiveUpdate packages Working with LiveUpdate events Starting the LiveUpdate Administration Utility When you install the LiveUpdate Administration Utility. click Start > Programs > LiveUpdate Administration Utility > LiveUpdate Administration Utility. Setting up a Central LiveUpdate server After you have installed the LiveUpdate Administration Utility.

Using LuAdmin. See “Setting update retrieval options” on page 38.38 Using the LiveUpdate Administration Utility Setting up a Central LiveUpdate server The following steps must be performed: Set download options. from the Symantec LiveUpdate site for the products and languages that you've selected. Under Symantec Product Line. and then store them in the location on the host computer that you've designated for that purpose. do one of the following: ■ Check the Symantec product lines for which you want updates. you first select the Symantec products and languages that you want to download from the Symantec LiveUpdate site and support on the Central LiveUpdate server. See “Starting the LiveUpdate Administration Utility” on page 37. To set update retrieval options 1 2 3 4 Start LuAdmin. click Retrieve Updates. in the left pane. Select individual product components and the language versions for each. . Download initial updates. select a language for download packages. You copy all of the Update Packages and the Update Index file to the Central LiveUpdate server (LuAdmin is not used to do this). In the LiveUpdate Administration Utility window. Setting update retrieval options You can select products for which to retrieve updates and languages in the following ways: ■ Select the primary language that applies to all of the products and then select full product lines. You also enter the location on the server in which Update Packages will be stored locally. you download all of the available Update Packages. See “Retrieving Update Packages” on page 39. ■ You must also designate the directory in which downloaded update packages will be stored. under Languages of Updates. Using LuAdmin. In the right pane. Transfer updates to the Central LiveUpdate server. and their related Update Index files.

. When you select individual product components to update.Using the LiveUpdate Administration Utility Retrieving Update Packages 39 Because all installed Symantec products that use LiveUpdate now point to your intranet server. Retrieving Update Packages LuAdmin retrieves the Update Packages and stores them in the directory that was defined in the download settings. and then check the Languages and Product Updates to download. click Retrieve to begin downloading update packages.xml.zip. These files are required by different versions of LiveUpdate. See “Starting the LiveUpdate Administration Utility” on page 37. If the LiveUpdate Administration Utility does not successfully download all of the packages that you selected. To retrieve Update Packages 1 2 3 4 Start LuAdmin. LuAdmin also downloads the Update Index files for the products that are selected and edits them to eliminate index entries for Update Packages that were not selected. In the right pane. These index files include Symtri. do one of the following: ■ ■ Type the path to the directory to which you want to download updates. then none of the packages will appear in your specified download directory. click Retrieve Updates. Check the log file for details about the download activity. The download directory can be any directory on the server or a directory on the FTP or HTTP server.zip. you should download full product lines rather than individual products.zip. Livetri. Follow the on-screen instructions. For example. Click Browse and specify a download directory. In the LiveUpdate Administration Utility window. as well as Products. new virus definitions files for Symantec AntiVirus may require an engine update that is also available. ■ To select individual product components by checking the appropriate product line. 5 Under Download Directory. click Details. See “Working with LiveUpdate events” on page 53. you may miss other available updates. in the left pane. and Symtri16.

The host file tells the LiveUpdate client the name and location of the Central LiveUpdate server and how to connect to it. Creating a LiveUpdate host file for clients You can build host files for multiple server types. the order in which the host entries appear in the host file is important if you are supporting both HTTP and FTP. The name and location information must be consistent with the type of server that is used.6x and later. Liveupdt.40 Using the LiveUpdate Administration Utility Configuring clients to use a Central LiveUpdate server Configuring clients to use a Central LiveUpdate server Liveupdt. it is directed to another server. and LAN hosts are supported by LiveUpdate. You can create a host file for the following server types: ■ ■ ■ FTP HTTP LAN To create a LiveUpdate host file for FTP 1 2 3 Start LuAdmin.6x and earlier. The location of the Liveupdt. and then distributed to each client computer on the network.6x and earlier. click Host File Editor. See “Creating a LiveUpdate host file for clients” on page 40. Whichever host type is specified first becomes the default connection type. See “Starting the LiveUpdate Administration Utility” on page 37. in the left pane. so that if the client fails in an attempt to connect to a LiveUpdate server.hst file is read and then deleted. it is configured to use a Symantec LiveUpdate server. For LiveUpdate 1.hst file on the client depends on the version of LiveUpdate that is installed.hst is the host file that controls the LiveUpdate operation on client computers. dictates the type of connection that is used by the client. . click Open. On the File menu. FTP.hst is located under C:\Program Files\Symantec\LiveUpdate. or LAN. Note: For LiveUpdate version 1. The type of server that is used for the Central LiveUpdate server. FTP. To direct LiveUpdate clients to retrieve updates from a Central LiveUpdate server instead. a new host file must be created using LuAdmin. the Liveupdt. When a LiveUpdate client is installed. In the LiveUpdate Administration Utility window. For LiveUpdate version 1. HTTP. HTTP.

type the user name for the FTP server. select one of the following: 32 bit If you install the 32-bit version. Under Subnet and Subnet Mask. On the File menu.0. type the URL for the server or the IP address of the server.Using the LiveUpdate Administration Utility Configuring clients to use a Central LiveUpdate server 41 4 5 In the current directory. double-click SAMPLE. Under Country/Area. then the DLLs in the LiveUpdate directory will have names starting with S16. click FTP. In the LiveUpdate Administration Utility window. click Open. type the password for the specified user name. Under Type.0 See “Enabling TCP/IP by location” on page 45. although the option for it remains on the user interface. All users use the same name. type the country in which your Central LiveUpdate server is located. Under Description. click Host File Editor. To create a LiveUpdate host file for HTTP 1 2 3 Start LuAdmin. ■ 6 Under Login. type the name that you want to display when users connect to the internal Central LiveUpdate server. 9 On the File menu. ■ 7 Under Connection. See “Starting the LiveUpdate Administration Utility” on page 37.HST. 16 bit Modem support has been removed from LiveUpdate. do the following: ■ Under Name. the file names start with S32. 10 Save the customized file as Liveupdt.hst. do the following: ■ Under URL or IP Address. If the 16-bit version of LiveUpdate is installed. ■ ■ 8 In the upper-right-hand side of the window. in the left pane. Under Password. click Save As.0. do the following: ■ Under Name. . This option is selected by default. The 16-bit and 32-bit host files are not compatible with each other. type the following: 0.

42 Using the LiveUpdate Administration Utility Configuring clients to use a Central LiveUpdate server 4 In the current directory. click Save As. in the left pane. click Open. Under Country/Area. type the name that you want to display when users connect to the internal Central LiveUpdate server. ■ 6 Under Login. In the LiveUpdate Administration Utility window. You will need to review the host and. click HTTP. LAN-based hosts are not available to 16-bit clients. If you select 16-bit. 5 Under Description. On the File menu. In the current directory. type the password for the specified user name. modify it. type the following: 0. ■ ■ Modem support has been removed from LiveUpdate. Under Subnet and Subnet Mask. . See “Starting the LiveUpdate Administration Utility” on page 37. type the country in which your Central LiveUpdate server is located. Under Type. ■ 7 Under Connection.0. double-click SAMPLE.0.0 See “Enabling TCP/IP by location” on page 45. To create a LiveUpdate host file for a LAN Start LuAdmin. type the URL for the server or the IP address of the server. click Host File Editor. if necessary. type the user name for the HTTP server. Under Password. do the following: ■ Under Name. you can have the utility convert the host into an FTP host. The 32-bit option button is selected by default. HTTP-based hosts are not available to 16-bit clients. The 32-bit radio button is selected by default.HST. Save the customized file as Liveupdt. although the option for it remains on the user interface. do the following: ■ Under Name. double-click SAMPLE. All users use the same name.hst.HST. 8 9 1 2 3 4 On the File menu. do the following: ■ Under URL or IP Address.

Using the LiveUpdate Administration Utility Configuring clients to use a Central LiveUpdate server 43 5 Under Description.5. type the name that you want to display when users connect to the internal server.21 or later. Do not use a UNC location for Windows NT clients and servers. click Save As. do the following: ■ ■ Under Type. You can download the latest version of LuAdmin (luau. click LAN.6x and 1. do the following: ■ Under Name. To use the download and security enhancements in LiveUpdate 1. Under Password. Configuring LiveUpdate UNC support (LAN transport) LiveUpdate supports the downloading of packages from an internal server using UNC support without the need for an HTTP or FTP server.hst. LiveUpdate attempts to connect using the user name logged on to the system.3. If you leave this field blank. do the following: ■ Under Name. Under Country/Area.7x.html 8 9 On the File menu. you must use LiveUpdate Administration Utility version 1. type the UNC path or DOS drive with the full path to the server directory that contains the LiveUpdate package. If you leave this field blank. Modem support has been removed from LiveUpdate. Save the customized file as Liveupdt. ■ 7 Under Connection.com/techsupp/files/lu/lu.dll). . If you use a scheduling utility.exe) and supporting documentation from the Symantec Web site at the following URL: http://www. type the user name that has access rights to the server. although the option for it remains on the user interface. ■ 6 Under Login. LiveUpdate uses the password for the user who is logged on to the system. type the password that corresponds to the user name. The UNC support consists of the following components: ■ A LiveUpdate DLL that supports UNC downloads (S32luhl1. type the country in which your server is located. LiveUpdate can't connect to a UNC location unless the LiveUpdate files reside in a shared resource on the Windows NT server that all users are authorized to access (a NULL share). Under Directory.symantec.

You can also specify a DOS drive with the full path instead of UNC. to have host files contain entries for an internal UNC location as well as for the Symantec FTP and HTTP servers. An issue exists for Windows 95/98 computers that connect to a Windows NT server. The default LiveUpdate directory is \Program Files\Symantec\LiveUpdate. With a Windows NT server. for example. refer to your Microsoft Windows NT server documentation.dll is present in the LiveUpdate directory. To configure LiveUpdate UNC support (LAN transport) ◆ Under HKEY_LOCAL_MACHINE\Software\Symantec\ LiveUpdate\Preference. the UNC DLL becomes the exclusive transport when it is present. add the following registry entry: Name: All Transports Available Type: DWORD If this entry is nonzero and S32luhl1. This is an ideal setup for laptop users. LiveUpdate ignores user names and passwords that are in the host file. Note: UNC support is available only with the 32-bit version of LiveUpdate.dll) to the LiveUpdate directories on the client computers. . Network is an available connection option. The solution is to create a shared resource on a server that all users are authorized to access. you must copy it and the UNC DLL (S32luhl1. one option is to create a shared resource that all users are authorized to access (a NULL share). You could use this feature. On LAN connections. You should not use a UNC location for Windows NT workstations and servers. For information about creating a NULL share. Windows 95/98 users must have access rights to the resource. By default. This prevents users from using FTP when you have specified a UNC path. the user who is logged on to the network must have access rights to the network resource. If you have workstations that connect to a UNC network location. Implementing LiveUpdate UNC support After you create the host file.44 Using the LiveUpdate Administration Utility Configuring clients to use a Central LiveUpdate server ■ A customized host file that is created by the LiveUpdate Administration Utility that points to the internal server. The user name and password that are in the host file are ignored.

See “Retrieving Update Packages” on page 39. See “Creating a LiveUpdate host file for clients” on page 40. and then tries to match the resulting IP address with the subnet of the same host entry.255. This is matched with the subnet of the host entry. LiveUpdate applies the subnet mask of the host entry to the IP address of the client workstation.168. Since these IP addresses are identical.0 255. If the IP address with the subnet mask applied does not match the subnet that is defined within the same host entry. LiveUpdate uses this host to connect to the specified LiveUpdate server.Using the LiveUpdate Administration Utility Configuring clients to use a Central LiveUpdate server 45 To implement LiveUpdate UNC support 1 2 3 Create and distribute a new Liveupdt.168.liveupdate. or if you want client computers to log on to different servers based on their IP addresses.168.159.159.hst file. Distribute S32luhl1. Table 3-1 shows a sample host configuration for a client workstation.dll to the workstations.155.20 The IP address of the client workstation with the subnet mask applied is 192. you must enable TCP/IP by location within the host file.0).80 and the subnet mask is applied (resulting in 192.0 192. This file is in the LuAdmin folder. Table 3-1 Option Host entry URL/IP Host entry subnet Host entry subnet mask IP address of client workstation Sample host configuration Entry myserver. Create the update retrieval folder. LiveUpdate proceeds to the next host entry and repeats the process.159. Enabling TCP/IP by location If you include more than one host entry in a single host file.168. the subnet and resulting masked IP address do not match and LiveUpdate proceeds to the next host entry and repeats the . LiveUpdate uses that host to access the LiveUpdate server that is defined within the host.168.255. If the masked IP address and subnet match.155. If the client workstation IP address is 192.com 192.0.

For example. To retrieve Update Packages automatically with Silent LiveUpdate Administrator ◆ Do one of the following: ■ Run SilntLuA. Retrieving Update Packages automatically Silent LiveUpdate Administrator lets scheduled LiveUpdate Administration Utility sessions automatically retrieve all of the packages that you need without user intervention. Network is the only available connection option. ■ Enabling location profiles LiveUpdate supports the use of multiple connection profiles. you can make all of the connection options available. the LiveUpdate session fails. Otherwise. and the download location. See “Setting update retrieval options” on page 38. This may be practical for laptop users. when S32luhl1. You should have a default host entry that does not contain either subnet or subnet mask information as the last entry in the host file. the language to use. This lets users . In the current version of LiveUpdate. Once Silent LiveUpdate Administrator exits. type all zeros for these settings. By default. the host file on the laptop might contain an entry for an internal UNC location as well as the Symantec FTP and modem servers. To enable TCP/IP by location ◆ Type both a valid subnet and subnet mask. Run LuAdmin. See “Configuring LiveUpdate UNC support (LAN transport)” on page 43. If no matching host entries are found. you must run the LiveUpdate Administration Utility to select the products to support. Making all connection options available Normally. A connection profile is a list of hosts that can be used when that profile is selected. the settings are saved and Silent LiveUpdate Administrator uses them every time that it runs. Before you run Silent LiveUpdate Administrator.exe /SILENT.exe.46 Using the LiveUpdate Administration Utility Configuring clients to use a Central LiveUpdate server process. this program resides under \Program Files\LiveUpdate Administration.dll is placed in the LiveUpdate folder on the workstations.

In the following example.symantec.&[>@M HOSTS\3\TYPE=HTTP HOSTS\3\PROFILE\0=WORK .com HOSTS\0\ACCESS2=https://luserver.com HOSTS\1\ACCESS2=http://liveupdate. LiveUpdate will only try connecting to the last two hosts. Then you would add HOSTS\3 to the WORK profile as follows: HOSTS\3\ACCESS=liveupdate. and a third when the laptop is being used at home.&[>@M HOSTS\2\TYPE=FTP HOSTS\2\PROFILE\0=HOME HOSTS\2\PROFILE\1=WORK If you wanted to change the host ordering of the WORK profile to HOSTS\0 -> HOSTS\2 -> HOSTS\1 instead. The ordering of which host gets used in which order is first determined by the profile selected but also by the ordering of the host in the whole list. the host list contains three hosts. All three belong to the WORK profile.com HOSTS\0\TYPE=HTTPS HOSTS\0\PROFILE\0=WORK HOSTS\1\ACCESS=liveupdate.com/opt/content/onramp HOSTS\2\ACCESS2=ftp://update. HOSTS\SET_PROFILE=HOME HOSTS\0\ACCESS=luserver. and the last two also belong to the HOME profile.xyz.Using the LiveUpdate Administration Utility Configuring clients to use a Central LiveUpdate server 47 connect to a specific LiveUpdate server depending upon their location.symantec.symantec. remove HOSTS\1 from the WORK profile and create a duplicate entry of HOSTS\1 as HOSTS\3.symantec.&[>@M HOSTS\1\TYPE=HTTP HOSTS\1\PROFILE\0=HOME HOSTS\1\PROFILE\1=WORK HOSTS\2\ACCESS=update.symantec.symantec. Since the SET_PROFILE setting is set to HOME. If SET_PROFILE was set to WORK.xyz. then LiveUpdate would try HOSTS\0 -> HOSTS\1 -> HOSTS\2 in that order.com HOSTS\1\IS_SYMANTEC=N%9-U. It will connect to HOSTS\1 then HOSTS\2 if it fails to connect to the first one. For example. you could set up a profile to be used when a laptop is connected to the LAN and another when it is being used on the road.com HOSTS\3\IS_SYMANTEC=N%9-U.com/opt/content/onramp HOSTS\2\IS_SYMANTEC=N%9-U.com HOSTS\3\ACCESS2=http://liveupdate. Profile ordering within a single host is of no significance.

LiveUpdate file and adding the HOSTS\{n}\PROFILE\{x}={pname} line to at least one host. Note: If the HOSTS\SET_PROFILE setting does not match an existing profile name. The location profile name can be up to 36 characters in length. . When the LiveUpdate client is started. LiveUpdate uses the profile of the first host that has a profile set.48 Using the LiveUpdate Administration Utility Configuring clients to use a Central LiveUpdate server You enable Location Profiles by editing the Settings. Figure 3-1 Location profile The LiveUpdate client uses the host that is designated by the profile to connect to the appropriate Central LiveUpdate server or Symantec LiveUpdate site. the user has the option to select which location profile to use (Figure 3-1).

under Symantec Product Line. HOSTS\SET_PROFILE See “About LiveUpdate client files” on page 93. x is the number of the profile. do one of the following: . in the left pane. you need to change the LiveUpdate Administration Utility retrieval settings. The Central LiveUpdate server is reinstalled on a new host computer. ■ ■ ■ Adding a product When a new Symantec product is installed on managed client computers on the network. click Retrieve Updates. See “Starting the LiveUpdate Administration Utility” on page 37. The time interval for update checking by LuAdmin changes. and pname is the name of the profile. The host computer for the Central LiveUpdate server is moved to a new location on the network. HOSTS\0\PROFILE\0=WORK. In the right pane. Name of the profile to use. where n is the number of the host.Using the LiveUpdate Administration Utility Changing LiveUpdate Administration Utility retrieval settings 49 To enable location profiles ◆ Add the following settings to the Settings. In the LiveUpdate Administration Utility window. or if it is set to a nonexistent location profile name. To add a product 1 2 3 Start LuAdmin.LiveUpdate file: HOSTS\{n}\PROFILE\{x}= {pname} Name of the profile that this host belongs to. Changing LiveUpdate Administration Utility retrieval settings You need to change the LiveUpdate retrieval settings when any of the following occur: ■ A product is added to or deleted from those that are being updated through the Central LiveUpdate server. For example. LiveUpdate defaults to retrieving updates from HOSTS/0 if this setting is not set.

. it removes all of the Update Packages for the product that is removed and deletes these Update Packages from the Update Index file. click Retrieve Updates. To remove a product 1 2 3 Start LuAdmin. See “Starting the LiveUpdate Administration Utility” on page 37. and then checking the Languages and Product Updates to be removed. under Symantec Product Line. The next time LuAdmin checks for updates. you need to change the LiveUpdate Administration Utility retrieval settings. and then checking the Languages and Product Updates to retrieve. it retrieves all of the currently available Update Packages for the added product and adds the Update Packages to the Update Index file. in the left pane.50 Using the LiveUpdate Administration Utility Changing LiveUpdate Administration Utility retrieval settings ■ Check the Symantec product lines that you want to add. In the right pane. clicking Details. clicking Details. You can clear the download directory of updates that you do not want clients to receive. Clearing the download directory Once you have downloaded an update. ■ The next time that LuAdmin checks for updates. In the LiveUpdate Administration Utility window. Be careful not to remove any already selected products. the custom content files are also removed. Removing a product When a Symantec product is uninstalled from client computers. Select the individual product components for the product that is being removed by checking the product line. Changing the product selections on the Retrieve Updates window does not affect the availability of downloaded updates. do one of the following: ■ ■ Uncheck the Symantec product lines that you want to remove. Select the individual product components for the product that you want to add by checking the product line. Note: If you have enabled clients to retrieve custom content and are using the download directory to store custom content files. it is always available to LiveUpdate clients.

To update the Symantec Product Line and Languages of Updates checklists 1 2 3 Start LuAdmin. In the right pane. Symantec Client Firewall. check English. See “Starting the LiveUpdate Administration Utility” on page 37. If a download is interrupted and you modify application settings (such as changing the product or languages). Once you have successfully updated one product. . In this case. you must either restart with the same application settings or remove the cached incomplete downloads from Program Files\LiveUpdate Administration\TEMP. and Symantec Client VPN are missing from the Symantec Product Line checklist. assuming that no application settings have changed. under Languages of Updates. Handling interrupted downloads The LiveUpdate Administration Utility detects when a download is interrupted. LuAdmin continues from where it left off.Using the LiveUpdate Administration Utility Changing LiveUpdate Administration Utility retrieval settings 51 To clear the download directory ◆ In the LiveUpdate Administration Utility window. SymAllLanguages may also be missing from the Languages of Updates checklist. click Tools > Clean Up Download Directory. but this does not always update the checklists. in the left pane. you may notice that items such as Symantec AntiVirus Definitions. and then integrates all of the packages that were downloaded in both sessions. LuAdmin treats the incomplete downloads that were cached from the preceding interrupted session as part of the current session. LuAdmin will be updated to the latest version. you must select a product that is available in the checklist and update it first. In the LiveUpdate Administration Utility window. To avoid this. click Retrieve Updates. When you restart the download. new options are added automatically to the checklists. Updating the Symantec Product Line and Languages of Updates checklists If you have recently installed the LiveUpdate Administration Utility. Note: If you click Tools and then Update LiveUpdate Administration Utility.

trx or . it adds new entries to the product list. you merge it with the most recent LiveUpdate virus definitions update. browse to the location of the . an update may include virus definitions. under Retrieving Previous Updates. When you receive a custom update. that detect and remove a new virus.trz file extension. In the right pane. Using custom LiveUpdate packages Symantec Security Response or Symantec Technical Support supplies custom updates to customers on an as-needed basis. click Retrieve Updates. are typically used to address unique situations or other specific Symantec customer needs. This ensures that a full index file is retrieved. It is not necessary to retrieve previously downloaded files. under Download Directory. You copy the . In the left pane. check Symevent.trx or . The merged update is delivered the next time that the client runs LiveUpdate. Click Retrieve. See “Starting the LiveUpdate Administration Utility” on page 37. not yet available on a LiveUpdate production server.52 Using the LiveUpdate Administration Utility Using custom LiveUpdate packages 4 5 Under Symantec Product Line. To merge custom LiveUpdate packages for the first time 1 2 3 4 Copy the . 5 6 7 Click OK. On the Retrieve tab.trz file that you received from Symantec to a folder on the hard drive. These updates.trx or . For example. which have either a .trx or . Start LuAdmin. After the LiveUpdate Administration Utility has retrieved the updates.trz file that you copied in step 1. On the Tools menu. This temporarily reduces the size of the download. click Options.trz file onto a computer on which the LiveUpdate Administration Utility is installed. . check Only retrieve new updates.

and then click Merge. click Custom Updates. and then click Retrieve. Working with LiveUpdate events The LiveUpdate Administration Utility includes an event log file which records events such as the following: ■ ■ ■ The retrieval process. 9 In the left pane. See “Updating the Symantec Product Line and Languages of Updates checklists” on page 51.Using the LiveUpdate Administration Utility Working with LiveUpdate events 53 8 Under Languages of Updates and Symantec Product Line. or remove events from. .trx or .trz files.trx or . 10 In the Custom update location dialog box. in step 7. type the location that was specified 11 Replace all of the files on the LiveUpdate server with the contents of the folder in step 7. including silent updates Custom update merging Host file encryption and decryption Viewing and deleting events You can view events in. select the languages and products that you want to update. You may have products or languages that are missing. The LiveUpdate server index file now contains only the products that you want with the proper references to the LiveUpdate packages that were in the . The Active custom updates box lists the current custom updates that are being applied by the LiveUpdate Administration Utility. The LiveUpdate Administration Utility compares the dates of the custom update and your most recent LiveUpdate virus definitions update and merges the files as appropriate.tri files are downloaded without removing unused entries.trz file. the event log file. All subsequent updates will allow the proper merging of the . The latest .

click Log File. in the left pane. check the events that you want to filter. In the LiveUpdate Administration Utility window. and then click Entire Log file. In the right pane. and then under Type and Status. ■ Delete events 4 Click OK. . See “Starting the LiveUpdate Administration Utility” on page 37. do one of the following: Under LiveUpdate Administration Utility Log. and then click Remove.54 Using the LiveUpdate Administration Utility Working with LiveUpdate events To view events in or delete events from the LiveUpdate Administration Utility event log file 1 2 3 Start LuAdmin. ■ To remove selected entries. click Remove. In the right pane. click Selected Types or Statuses. do one of the following: View events Under Filter by Type and Filter by Status. check the entries to remove. ■ To remove all entries. select the event to remove.

server group. To configure a host file for use with the Symantec System Center 1 In the left pane of the Symantec System Center. 2 . and then click All Tasks > LiveUpdate > Configure. This lets them connect to your internal LiveUpdate server to download updates. Click Internal LiveUpdate Server. or client group. right-click the parent server.Chapter 4 Using the LiveUpdate Administration Utility with the Symantec System Center This chapter includes the following topics: ■ ■ Configuring a host file for use with the Symantec System Center Configuring NetWare servers to retrieve updates in the Symantec System Center Configuring a host file for unmanaged clients ■ Configuring a host file for use with the Symantec System Center Managed clients and Symantec AntiVirus servers that are running on Windows NT/2000/XP can automatically receive LiveUpdate settings that are configured from the Symantec System Center.

To add the Symantec LiveUpdate Internet site to the list of hosts. For example. . You will see 2 of 2 listed. 5 6 Under Connection. Click Apply. Click OK. type the appropriate data. select one of the following: ■ ■ ■ FTP HTTP LAN 7 8 9 Check Apply settings to all clients. Configuring multiple LiveUpdate servers for the Symantec System Center The Symantec System Center lets you configure multiple LiveUpdate servers.56 Using the LiveUpdate Administration Utility with the Symantec System Center Configuring a host file for use with the Symantec System Center 3 4 Type the name of the server. To configure multiple LiveUpdate servers for the Symantec System Center 1 2 In the Configure LiveUpdate dialog box. not for shared directories. Click Apply. If you have multiple parent servers and are configuring hosts from the parent server. You can configure up to 32 hosts. it will try other LiveUpdate servers until it is successful. and then click OK. or the URL or IP address for your HTTP or FTP server. in the URL or IP address box. click New. click HTTP. If you are using an FTP or HTTP server. If LiveUpdate is unable to successfully connect to the first LiveUpdate server. type the following: liveupdate.com 3 4 5 Under Type. you may want to configure your clients to run LiveUpdate from an internal Network share and if that fails. to connect to Symantec's LiveUpdate servers. repeat steps 1 through 8 for each parent server. The Description boxes are optional. Under Type. type the UNC path to your shared directory.symantecliveupdate. The Login Name and Password boxes are used only for FTP or HTTP servers.

Using the LiveUpdate Administration Utility with the Symantec System Center Configuring a host file for use with the Symantec System Center 57 Enabling and scheduling client updates from the Symantec System Center After you create a new host file. uncheck Update virus definitions from parent server. you must enable LiveUpdate to perform scheduled updates of the clients. under How Clients Retrieve Virus Definitions Updates. right-click the parent server. . To enable and schedule client updates from the Symantec System Center 1 2 In the left pane of the Symantec System Center. and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box.

and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. Configuring NetWare servers to retrieve updates in the Symantec System Center The LiveUpdate Administration Utility does not retrieve updates for NetWare Symantec AntiVirus servers.58 Using the LiveUpdate Administration Utility with the Symantec System Center Configuring NetWare servers to retrieve updates in the Symantec System Center 3 Do any of the following: ■ To specify the frequency and time. right-click the NetWare server. click LiveUpdate (Win32) / FTP (NetWare). and then click Schedule. Click Configure. In the Virus Definition Manager dialog box. check Schedule client for automatic updates using LiveUpdate.symantec.exe ■ Note: For the NetWare server to download virus definitions from the internal Central LiveUpdate server.lst ftp://ftp. In the Configure Primary Server Updates dialog box. you must configure the NetWare server to use TCP/IP and FTP correctly. click Source. Uncheck Do not allow client to manually launch LiveUpdate. ■ 4 Click OK. To configure NetWare servers to retrieve updates in the Symantec System Center 1 In the left pane of the Symantec System Center. click Update each Server in this Server Group individually. However. under How Servers Retrieve Virus Definitions Updates.symantec. and then click Configure.com/public/english_us_canada/antivirus_definitions/ norton_antivirus/vpcur8. click Advanced. 2 3 4 5 . you can download these updates to your FTP server from the following FTP sites: ■ ftp://ftp. In the Setup Connection dialog box. To configure Randomization and Missed Event options.com/public/english_us_canada/antivirus_definitions/ norton_antivirus/navup8.

To configure and distribute a host file for unmanaged clients 1 2 3 4 Start LuAdmin. 7 Click OK.Liveupdate file and the Liveupdt. See “Starting the LiveUpdate Administration Utility” on page 37. in the left pane. Note: When you run LiveUpdate 1.hst file is converted to the Settings. In the Password text box. or the URL or IP address for your FTP or HTTP server.5. In order for the NetWare server to download definitions from an FTP server. do the following: ■ ■ In the Name text box. type the UNC path to your shared directory. On the File menu. type the name of the server. type the password for the FTP or HTTP server.hst file from LiveUpdate 1. type the FTP information that is needed to access the internal Central LiveUpdate server. you must create a new host file and distribute it to your clients. type the name of the FTP or HTTP server. Configuring a host file for unmanaged clients If you have unmanaged clients. In the LiveUpdate Administration Utility window. it must be configured correctly to use TCP/IP. under Description. type the location of the server. 5 If you are using an FTP or HTTP server instead of a shared directory.7 on the client computers.7 Settings.6 and 1. In the Type text box. under Login. the Liveupdt. in the URL or IP Address text box. do the following: ■ ■ In the Name text box.hst file is deleted. In the right pane. select one of the following: .Liveupdate file takes the place of the Liveupdt. The LiveUpdate 1. In the Location text box.6 or 1. click Host File Editor.Using the LiveUpdate Administration Utility with the Symantec System Center Configuring a host file for unmanaged clients 59 6 In the Configure FTP dialog box. These text boxes are optional. Changes that are made here apply to NetWare servers only. 6 7 Under Connection. click New > Host File.

60 Using the LiveUpdate Administration Utility with the Symantec System Center Configuring a host file for unmanaged clients ■ ■ ■ LAN FTP HTTP 8 9 On the File menu. This file is in the C:\Program Files\LiveUpdate Administration Utility folder on the computer on which the LiveUpdate Administration Utility folder is installed. it retrieves updates from the local LiveUpdate server. Save the file to the desktop or some place where you can easily locate it.dll This file only needs to be copied if it does not already exist. click Save As. 10 Copy the following files to the C:\Program Files\Symantec\LiveUpdate folder on each client: ■ ■ Liveupdt. Save the customized file as Liveupdt. Do not save the Liveupdt.hst S32luhl1. When LiveUpdate is started on the client computer. .hst file to the \Programs\Symantec\LiveUpdate folder on the LuAdmin computer.hst.

Chapter 5 Managing LiveUpdate clients with SESA This chapter includes the following topics: ■ ■ ■ ■ ■ ■ ■ ■ ■ About LiveUpdate and SESA Automatic detection of the SESA Agent How SESA manages LiveUpdate client settings About the Symantec management console Viewing LiveUpdate events About Windows LiveUpdate client configurations Working with Windows LiveUpdate configurations About Java LiveUpdate client configurations Working with Java LiveUpdate configurations .

Modify a LiveUpdate configuration and automatically apply the updated configuration to all of the LiveUpdate clients that use it. For information on other SESA administrative operations. the LiveUpdate client detects the presence of the SESA Agent.0. If the client does not detect the SESA Agent. SESA lets you do the following: ■ Define LiveUpdate client configurations that can be applied to groups of client computers or users. . or is unable to communicate with the SESA Agent successfully. Automatic detection of the SESA Agent In LiveUpdate 2. and inventory services. This lets you define and propagate settings for LiveUpdate clients across an entire network using the Symantec management console. Perform queries on and create reports for LiveUpdate events for a single client computer or for groups of clients. the client retrieves its configuration settings from the SESA Agent. using the last settings that were used. This means that the order of installing the SESA Agent and LiveUpdate client is not important. it runs independently of SESA. the client uses the SESA configuration. If a SESA Agent is present. logging.62 Managing LiveUpdate clients with SESA About LiveUpdate and SESA About LiveUpdate and SESA In LiveUpdate 2. see the Symantec Enterprise Security Architecture Administration Guide.1 and later. If the SESA Agent is installed. Regardless of the order. ■ ■ ■ Note: Java LiveUpdate does not work with versions of the SESA Agent that are earlier than 2.5 and later. clients are integrated with Symantec Enterprise Security Architecture (SESA) if the SESA Agent is running. For LiveUpdate. View the number of Symantec products that are installed on each client computer. a LiveUpdate client automatically detects whether the host computer is managed by SESA each time that a LiveUpdate session is started.

Managing LiveUpdate clients with SESA How SESA manages LiveUpdate client settings 63 Warning: The SESA Integration Package (SIP) for LiveUpdate should not be uninstalled. The LiveUpdate SIP is part of the base installation of SESA. . SESA distinguishes between a Product and a copy of that Product that is installed on a computer on the network. Many products have multiple Software Features. A setting is a setting name that is paired with a setting value. all clients that are connected to a given SESA Manager are part of the default configuration for a given Product Feature Folder. In SESA. Uninstalling it causes the Update reporting of the SESA Agent and SESA Manager to fail. This makes managing product settings across the network easier and less subject to error. configurations are linked to one or more SESA groups that each contain many computers or users. or groups. A Product comprises one or more Software Features. the Software Feature to which they apply. users. computers. and contained by. it can be linked to a location or to one or more groups of computers or users. SESA configurations are stored under. This lets you define a few configurations for LiveUpdate that cover all of the LiveUpdate clients that are installed on the entire network. A SESA configuration is a collection of settings. In SESA. you can define a SESA configuration that assigns values to some or all of the LiveUpdate client settings that can be managed through SESA. It is very important to distinguish the SESA LiveUpdate Product. This configuration is stored by SESA in the SESA Directory under LiveUpdate Product. such as Windows LiveUpdate or Java LiveUpdate. Once a configuration is defined and stored. from installed copies of the LiveUpdate client. a Product object pertains to a specific version of a Symantec product that has been integrated with SESA. By default. where configurations and settings are stored. In most cases. Some products have only one Software Feature. There are some LiveUpdate settings that cannot be managed through SESA. and then distributed. Instead. How SESA manages LiveUpdate client settings For LiveUpdate clients. A Software Feature is a separately configurable component of the Product. product configurations are not assigned or linked directly to installed products. configurations are linked to specific network locations.

you can define new client versions to SESA. on the Events view tab. create or modify client settings and configurations. including the following: ■ ■ Network organization. and their members. and then expand the appropriate SESA DataStore. and computers Symantec products that are defined and available on the network. view the status bar to find out how many events are in the report. The Symantec management console lets you view the entire SESA Directory. You can also add and modify information that is stored in the SESA Directory through the Symantec management console. For LiveUpdate. and create or remove associations of SESA groups with LiveUpdate client configurations. see the Symantec Enterprise Security Architecture Administration Guide. To see LiveUpdate events in the Symantec management console. Expand System Events > SESA System. you can view events that report the status of LiveUpdate sessions on computers in your network environment. For more information.64 Managing LiveUpdate clients with SESA About the Symantec management console About the Symantec management console Administrators define configurations and apply them using the Symantec management console. are linked to configurations) ■ ■ The Symantec management console gives you many capabilities. locations. in the left pane. Viewing LiveUpdate events When LiveUpdate is integrated with SESA. In the lower-left corner of the window. Click Failed Agent Start-up Events. including domains. the SESA Agent must first establish a connection with the SESA Manager. including event query and report creation. expand the top-level SESA domain. 2 3 4 . and which events you are currently viewing. configurations that are modifiable and available for each product The Symantec products that are installed on each computer on the network SESA groups with their members and associations (it is through these associations that groups. To view SESA Agent startup events 1 In the Symantec management console.

In the lower-left corner of the window. expand the top-level SESA domain. and which events you are currently viewing. on the Events view tab. you can make changes to it. In addition. Expand System Events > LiveUpdate. You must also specify the SESA organizational unit to which the computer or computers belong. and then expand the appropriate SESA DataStore. You can create a new Windows LiveUpdate configuration.Managing LiveUpdate clients with SESA About Windows LiveUpdate client configurations 65 To view all other LiveUpdate events 1 In the Symantec management console. You can specify any configuration groups to which the computer or computers belong. Windows LiveUpdate configurations let you specify network proxy server settings that may be required for LiveUpdate sessions in your network environment. Select any of the reports. you can create a LiveUpdate configuration to specify that certain LiveUpdate computers use a LiveUpdate configuration file other than the default. After the configuration is created. view the status bar to find out how many events are in the report. . Central LiveUpdate server that you have set up using the LiveUpdate Administration Utility. You can also specify additional LiveUpdate HTTP or FTP servers to use for downloading product updates. Windows LiveUpdate client configurations are divided into the following groups of settings: ■ ■ ■ ■ General Windows LiveUpdate Custom Content Windows Hosts You can use the Symantec management console to create and distribute additional Windows LiveUpdate configurations to one or more computers on which LiveUpdate is installed. When you create or modify a Windows LiveUpdate configuration. 2 3 4 About Windows LiveUpdate client configurations In SESA. in the left pane. See “Working with Windows LiveUpdate configurations” on page 74. you must specify the LiveUpdate computers to associate with the configuration. you can specify that certain LiveUpdate computers use an internal. Similarly.

You cannot modify this name after you create it. If you select Replace. This property name is displayed by the Symantec management console as a drop-down list that has the values Replace and Overwrite. Table 5-1 SESA property name OverwriteSettings Windows LiveUpdate settings Description Tells the LiveUpdate client how to apply the settings that were received from SESA to the client's Settings file. By default. SESA uses the Default Windows LiveUpdate configuration. You cannot change it manually. General settings The General tab displays the name and description of the selected Windows LiveUpdate configuration. The configuration description. If you select Overwrite. LiveUpdate setting None . LiveUpdate replaces its existing Settings data with the settings from SESA. but does not delete any Settings values that are not changed by SESA. Description Last modified on Windows LiveUpdate settings Only one set of the Windows LiveUpdate settings may be included in a single LiveUpdate configuration. A Windows LiveUpdate configuration is a collection of settings that you can apply to products on computers directly or by way of configuration groups or organizational units. You can define the Windows LiveUpdate settings that are listed in Table 5-1. LiveUpdate overwrites the existing Settings data with the settings from SESA. The date that is set automatically when you change a configuration.66 Managing LiveUpdate clients with SESA About Windows LiveUpdate client configurations See “Modifying a Windows LiveUpdate configuration” on page 77. The General tab contains the following options: Configuration name The name of the configuration. You cannot change the description of the Default configuration.

If this Boolean flag is set to TRUE. LiveUpdate does not create a local log file. If the switch is set to Error. If this setting is FALSE. LiveUpdate sends Session Start Events that have warning or higher severities. If the switch is set to All. SESA_EVENT\PRODUCT_ Tells LiveUpdate which type of Product Update Events to UPDATE_ VERBOSITY send. LiveUpdate sends all Session End Events. LiveUpdate setting SESA_EVENT\ SESSION_ START_ VERBOSITY SessionEndVerbosity SESA_EVENT\ SESSION_ END_ VERBOSITY ServerSelectionVerbosity SESA_EVENT\SERVER_ Tells LiveUpdate which type of Server Selection Events to SELECTION_ VERBOSITY send. LiveUpdate does not send any Product Update Events. If this Boolean flag is set to TRUE. If the switch is set to None. LiveUpdate sets the ALL TRANSPORTS AVAILABLE setting to 0 (false) and the LAN_HAL_PRESENT setting to TRUE if this SESA setting is true. LiveUpdate sends all Server Selection Events. LiveUpdate creates a local log file. LiveUpdate sends all Session Start Events. LiveUpdate sends Product Update Events that have warning or higher severities. ProductUpdateVerbosity UseLANHostsOnly EnableLocalLogFile LOGEVENTS . LiveUpdate tries to use LAN hosts to get updates. If the switch is set to None. Determines whether a local log file is created. If the switch is set to All. If this value is set to FALSE. This lets LiveUpdate use all host transports. If the switch is set to None. LiveUpdate sends Session End Events that have warning or higher severities.Managing LiveUpdate clients with SESA About Windows LiveUpdate client configurations 67 Table 5-1 SESA property name SessionStartVerbosity Windows LiveUpdate settings (continued) Description Tells LiveUpdate which type of Session Start Events to send. If the switch is set to All. If the switch is set to None. Tells LiveUpdate which type of Session End Events to send. LiveUpdate does not send any Session End Events. LiveUpdate sends all Product Update Events. If the switch is set to Error. LiveUpdate does not send any Session Start Events. LiveUpdate sends Server Selection Events that have warning or higher severities. LiveUpdate does not send any Server Selection Events. If the switch is set to Error. If the switch is set to All. ALL TRANSPORTS AVAILABLE and LAN_HAL_PRESENT Determines whether LiveUpdate uses only LAN hosts to get updates. LiveUpdate sets the ALL TRANSPORTS AVAILABLE setting to 1 (true) and deletes the LAN_HAL_PRESENT setting. If the switch is set to Error.

or by directly editing the Settings file. Holds the number of backup copies LiveUpdate makes of the Product Catalog file. a Setting's merge file. Because SESA is an enterprise product. LiveUpdate runs in Express mode and if it is FALSE. LiveUpdate automatically sets the Corporate Mode switch each time that it receives a new set of configuration data. By default. When this setting is TRUE.68 Managing LiveUpdate clients with SESA About Windows LiveUpdate client configurations Table 5-1 SESA property name LogFileSize Windows LiveUpdate settings (continued) Description Holds the maximum size that the log file can occupy. The maximum value is 10. CORPORATE. LiveUpdate uses the URL lines. Locks the Environment setting. Describes the environment in which the computer is running. and NOT USED. Holds the number of backup copies LiveUpdate makes of the Settings file. Allows or disallows LiveUpdate to use the URL lines in the TRI file. any Symantec program can modify the Environment switch. Disables the LiveUpdate control panel applet. LiveUpdate does not install or use the control panel applet. LiveUpdate uses the Environment switch to determine whether the update should be installed. this flag is TRUE. This drop-down list has the values RETAIL. By default. The Environment switch tells the LiveUpdate computer whether it is running in an enterprise or a home user environment. If this setting is set to FALSE (default). If this Boolean flag is set to TRUE. If this flag is set to FALSE. LiveUpdate runs in Interactive mode. If this Boolean flag is set to TRUE. The minimum log file size is 10 KB and the default value is 1024 KB. the default value for the Environment switch in SESA is CORPORATE. LiveUpdate setting LOG_FILE_SIZE ProductCatalogBackup PRODUCT_CATALOG_ BACKUPCOUNT SETTINGS_FILE_ BACKUPCOUNT CORPORATE_ ALLOWED_URL_ HOSTS SettingsFileBackup UseURLLines DisableControlPanel DISABLE_CONTROL_ PANEL Environment ENVIRONMENT EnvironmentLock ENVIRONMENT_ LOCK EnableExpressMode EXPRESS_MODE\ ENABLED . the Environment switch cannot be modified on the client's computer. this flag is set to TRUE. The value is in kilobytes (KB). The Environment switch can still be set by using SESA. the LiveUpdate control panel applet functions normally. Switches LiveUpdate between Interactive mode and Express mode. If this Boolean flag is set to TRUE. The LiveUpdate property requires the Corporate Mode switch to be set for the ALLOWED_URL_HOSTS property to work correctly. The maximum value is 10.

Express mode automatically starts its LiveUpdate session when it launches.Managing LiveUpdate clients with SESA About Windows LiveUpdate client configurations 69 Table 5-1 SESA property name ExpressModeAutoStart Windows LiveUpdate settings (continued) Description Determines whether the LiveUpdate process starts automatically once LiveUpdate is launched in Express mode. this flag is TRUE. this flag is TRUE. the Stop button is enabled. By default. or Use Existing Client Settings. LiveUpdate expects that this property refers to a valid URL address. These options appear in the Symantec management console in a drop-down list. LiveUpdate setting EXPRESS_MODE\ AUTO_START ExpressModeDisableStop EXPRESS_MODE\ Determines whether the Stop button in Express mode is DISABLE_STOP_ BUTTON enabled or disabled. By default. If this Boolean flag is TRUE. If the Stop button is disabled. LiveUpdate ignores this flag if it is running in Interactive mode. the user can't stop an Express mode session through LiveUpdate. Use Custom Settings. LiveUpdate ignores this flag if it is running in Interactive mode. LiveUpdate shows an Enhanced Error URL and if it is FALSE. LiveUpdate does not show the URL. Provides an alternate base path for the Enhanced Error Support URL. By default. If this text property is set. Do not Use Any Proxy Settings. Tells LiveUpdate how to get configuration information for an HTTP proxy. the Stop button is disabled and if this flag is FALSE. ExpressModeAutoExit EnableEnhancedError Support ENABLE_ENHANCED_ ERROR_SUPPORT EnhancedError SupportURL ENABLE_ENHANCED_ ERROR_SUPPORT_ URL HttpProxy PROXY\HTTP_PROXY . LiveUpdate uses the Symantec Technical Support Web site as the base URL. By default. this flag is FALSE. If this Boolean flag is set to TRUE. By default. Determines whether LiveUpdate provides an extended error information URL for all error messages. If this property is not set. this property is set to Use Existing Client Settings. the user must manually start Express mode. The options are Use Internet Options Settings. If it is set to FALSE. this property is not set. EXPRESS_MODE\ AUTO_EXIT Determines whether the LiveUpdate process closes automatically after LiveUpdate completes running in Express mode. which does not cause any change to the LiveUpdate client's Settings file. If this Boolean flag is TRUE. LiveUpdate looks for error pages on the page's URL.

This value is valid only if the FTP_PROXY setting is set to Use Custom Settings. Identifies the port on which the HTTP proxy server listens for traffic. BASIC\HTTP_ USERNAME PROXY\ Holds the password that is used for HTTP Basic AUTHENTICATION\ Authentication. These options appear in the Symantec management console in a drop-down list. This property is valid only if the BASIC\HTTP_ PASSWORD HTTP_USERNAME property is also set. which does not cause any change to the LiveUpdate client's Settings file. this property is set to Use Existing Client Settings. This value is valid only if the HTTP_PROXY setting is set to Use Custom Settings. or Use Existing Client Settings. Identifies the port on which the FTP proxy server listens for traffic. PROXY\FTP_PROXY Tells LiveUpdate how to get configuration information for an FTP proxy. This value is valid only if the FTP_PROXY setting is set to Use Custom Settings. Use Custom Settings. HttpProxyPassword FtpProxy FtpProxyServer PROXY\SERVER FtpProxyPort PROXY\PORT . This value is valid only if the HTTP_PROXY setting is set to Use Custom Settings. Holds the URL to the FTP proxy server. The options are Use Internet Options Settings. LiveUpdate setting PROXY\HTTPSERVER HttpProxyPort PROXY\HTTPPORT HttpProxyUsername PROXY\ Holds the user name that is used for HTTP Basic AUTHENTICATION\ Authentication. Do not Use Any Proxy Settings.70 Managing LiveUpdate clients with SESA About Windows LiveUpdate client configurations Table 5-1 SESA property name HttpProxyServer Windows LiveUpdate settings (continued) Description Holds the URL to the HTTP proxy server. By default.

LiveUpdate setting RAS\DO_NOT_ MANAGE_RAS Note: AOL Broadband users should set this option to TRUE. LiveUpdate does not attempt to close any of these connections. When LiveUpdate runs in Interactive mode. If this flag is set to FALSE. PreventUpgrade PREVENT_INSTALL Prevents the LiveUpdate installer from running. You can define the Windows Custom Content settings that are listed in Table 5-2. . If this flag is set to FALSE. PreventUninstall PREVENT_UNINSTALL Windows Custom Content settings Only one set of Custom Content settings may be included in a single LiveUpdate configuration. the LiveUpdate installer does not run unless LiveUpdate is not correctly installed on the user's computer. If this Boolean flag is set to TRUE. Determines whether LiveUpdate can be uninstalled.Managing LiveUpdate clients with SESA About Windows LiveUpdate client configurations 71 Table 5-1 SESA property name DoNotManageRas Windows LiveUpdate settings (continued) Description Tells LiveUpdate how to deal with a RAS connection that is created during the LiveUpdate session. the LiveUpdate uninstaller behaves normally. If LiveUpdate finds multiple RAS connections that have started since it first ran. the LiveUpdate uninstaller does not uninstall LiveUpdate. LiveUpdate attempts to close a RAS connection that started after the LiveUpdate session began. the user is prompted to close the connection. LiveUpdate does not attempt to close any RAS connection that was started during the LiveUpdate session. If this Boolean flag is set to TRUE. If this flag is set to FALSE. See “About LiveUpdate custom content publishing” on page 147. the LiveUpdate installer functions normally. If this Boolean flag is set to TRUE.

LiveUpdate setting None EnableCustomContent CUSTOM_CONTENT EnableLOTSFileUpdates UPDATE_LOTS_FILE LOTSURL LOTS\LOTS_HTTPS_URL LOTSUsername LOTS\LOGIN LOTSPassword LOTS\PASSWORD Windows Hosts settings You can define multiple sets of Windows Host configurations in a single configuration. If you select the Replace option. but does not delete any property values that are not set in SESA. custom content is still downloaded. LiveUpdate attempts to update the LOTS file during each LiveUpdate session.72 Managing LiveUpdate clients with SESA About Windows LiveUpdate client configurations Table 5-2 SESA property name OverwriteCustomContent Windows Custom Content settings Description Tells the LiveUpdate client how to apply the Custom Content settings to the Settings file. the LiveUpdate client does not look for a new LOTS file. This flag is set to FALSE by default. the 0 indicates the Windows Host number. If this flag is set to FALSE. LiveUpdate replaces its existing custom content data with the settings from SESA. This URL must be HTTPS or LiveUpdate does not update the LOTS file. The first Windows Host has the number 0. If this Boolean flag is set to TRUE. Determines whether custom content is received. The second Windows Host has the number 1. Holds the password that is required to log on to the HTTPS LOTS server. Holds the user name that is required to log on to the HTTPS LOTS server. Determines whether LiveUpdate attempts to update the LOTS file. If this is set to YES. This property name is a drop-down list that has the values Replace all host settings and Overwrite existing host settings. If this is set to OPTIONAL. If you select the Overwrite option. but if the file retrieval fails. LiveUpdate receives custom content. LiveUpdate disables custom content for that session. Where you see Host 0 in the Property Name. LiveUpdate overwrites the existing custom content values with the settings from SESA. Custom content is defined in the custtri. the LiveUpdate client looks for a new LOTS file. LiveUpdate ignores custom content. . If the LOTS file retrieval fails. Contains the HTTPS URL that LiveUpdate uses to retrieve the LOTS file. and so on. If this is set to NO. or HOST\0\ in the Setting Name.zip file.

This Login is currently supported only for FTP. Contains the display name for this Windows Host. If you select Overwrite. Contains the user name that is required to connect to this Windows Host. Holds the type of protocol that is used for this Windows Host. FTP. and HTTPS.Managing LiveUpdate clients with SESA About Windows LiveUpdate client configurations 73 You can define the Windows Hosts settings that are listed in Table 5-3. Contains the password that is associated with the Login user name. This property name is displayed by the Symantec management console as a drop-down list that has the values Replace all Windows Host settings and Overwrite existing Windows Host settings. The LiveUpdate log file always displays the Host URL instead of or in addition to the Host name. LiveUpdate displays this name above the progress bar when it connects to the Windows Host for the first time. LiveUpdate ignores the Password for all other Windows Hosts. LAN. This data is displayed in the Symantec management console as a drop-down list that has the values HTTP. LiveUpdate ignores the Login for all other Windows Hosts. LiveUpdate replaces its existing Windows Host data with the Windows Host settings from SESA. Table 5-3 SESA property name OverwriteHosts Windows Hosts settings Description Tells the LiveUpdate client how to apply the Windows Host settings from SESA to the Settings file. This password is currently supported only for FTP. but does not delete any Windows Host values that are not changed by SESA. LiveUpdate overwrites the existing Windows Host data with the settings from SESA. Holds the address and path to the LiveUpdate server's content. LiveUpdate setting None Host0Type HOSTS\0\TYPE Host0URL HOSTS\0\ACCESS HOSTS\0\ACCESS2 Host0Name HOSTS\0\NAME Host0Username HOSTS\0\LOGIN Host0Password HOSTS\0\PASSWORD . If you select Replace.

You can modify the Default configuration. You can create a subnet and subnet mask combination that no IP address can satisfy. the client may use the Windows Host. See “Modifying a Windows LiveUpdate configuration” on page 77. The subnet and subnet mask are applied to the IP address of the LiveUpdate client to determine if this client can use the Windows Host. Working with Windows LiveUpdate configurations You can create a new Windows LiveUpdate configuration. 2 Modify the Windows LiveUpdate configuration to specify configuration settings.74 Managing LiveUpdate clients with SESA Working with Windows LiveUpdate configurations Table 5-3 SESA property name Host0Subnet Windows Hosts settings (continued) Description Contains the IP address. is used to filter out Windows Hosts that the LiveUpdate client can select. you can distribute it to Windows LiveUpdate computers. Before you can distribute a Windows LiveUpdate configuration. After you have created or modified a configuration. . such as the Default configuration. or modify an existing one. which. See “Editing Windows LiveUpdate configuration properties” on page 76. See the Host 0 Subnet description for more information on how the subnet and subnet mask work together. The formula for subnet and subnet mask is as follows: if a logical AND between the LiveUpdate client IP address and the subnet mask equals the subnet IP address. To modify an existing Windows LiveUpdate configuration 1 Edit the Windows LiveUpdate configuration properties to add the computers that will use the Windows LiveUpdate configuration. or create a new Windows LiveUpdate configuration. along with the subnet mask. LiveUpdate setting HOSTS\0\SUBNET Host0SubnetMask HOSTS\0\ SUBNETMASK Contains the subnet mask that is used with the subnet. See “Distributing a Windows LiveUpdate configuration” on page 78. you must first configure it for distribution.

select a computer. In the Configuration Groups panel. and then click New. In the first panel of the Create a new Configuration wizard. do one of the following: If your computer or computers belong to a configuration group Do the following: ■ ■ Click Add. do not belong to a configuration group . and then expand LiveUpdate 1. In the Find Configuration Groups dialog box. ■ ■ 7 8 9 Repeat steps 5 and 6 as necessary. and then click Add so that it appears in the Selected configuration groups list. Right-click Windows LiveUpdate. In the Available computers list. In the drop-down list. select an existing configuration to copy from. and then click Start Search. click Next. ■ In the Configuration Groups panel. 5 6 In the Computers panel. on the Configurations view tab. select the configuration group to which the computer or computers belong. click Next. Type a description (optional). and then click Add so that it appears in the Selected computers list. do the following: ■ ■ ■ ■ 2 3 4 Type a configuration name. do the following: ■ In the Computer name text box.Managing LiveUpdate clients with SESA Working with Windows LiveUpdate configurations 75 To create a new Windows LiveUpdate configuration 1 In the Symantec management console. If your computer or computers Click Next. Click Next. in the left pane. type a specific computer name or a partial name and an asterisk (*). click Next. in the Available configuration groups list. In the Computers panel. expand the top-level SESA domain. ■ Click OK. click Add.0. In the General panel. Click OK. In the Find Computers dialog box.

16 When the status of each task shows Success. To edit Windows LiveUpdate configuration properties 1 In the Symantec management console. to associate an organizational unit with the selected computer. In the Configuration Properties dialog box. 15 In the Configuration summary panel. right-click the configuration that you want to modify. on the Computers tab. type a specific computer name or a partial name and an asterisk (*). view the information about the configuration tabs that appear in the Symantec management console. and then click Add so that it appears in the Selected organizational units list. do the following: ■ 2 3 4 In the Computer name text box. and then click Next. 13 In the Organizational Units panel. click Add. 14 In the Configuration properties panel. you must specify the computer names and associated organizational units. to associate your computer with a configuration group. select the organizational unit to which the computer or computers belong. Editing Windows LiveUpdate configuration properties You must add the computers that will use the Windows LiveUpdate configuration before you can distribute the configuration. At a minimum. in the left pane. 11 In the Find Organizational Units dialog box. ■ ■ 5 On the Configuration Groups tab. and then expand LiveUpdate 1. ■ 12 Repeat steps 10 and 11 as necessary. to add a computer. click Close. and then click Add so that it appears in the Selected computers list. click Add. In the Find Computers dialog box. select a computer. do the following: ■ In the Available organizational units list. Click OK. click Next. In the Available computers list. and then click Start Search. on the Configuration view tab. .0 > Windows LiveUpdate. click Finish.76 Managing LiveUpdate clients with SESA Working with Windows LiveUpdate configurations 10 In the Organizational Units panel. and then click Properties. expand the top-level SESA domain. Under Windows LiveUpdate. click Add. Click OK.

modify the configurations on the following tabs as necessary: ■ ■ ■ ■ 2 3 General Windows LiveUpdate Custom Content Windows Hosts See “About Windows LiveUpdate client configurations” on page 65. ■ 9 Repeat steps 3 through 8 as necessary. 10 In the Configuration Properties dialog box. click OK. and then click Add so that it appears in the Selected organizational units list. expand the top-level SESA domain. To modify a Windows LiveUpdate configuration 1 In the Symantec management console. Modifying a Windows LiveUpdate configuration To change an existing Windows LiveUpdate configuration. Under Windows LiveUpdate. select the organizational unit to which the computer or computers belong. and then click Add so that it appears in the Selected configuration groups list. do the following: ■ In the Available configuration groups list. Click OK. select the configuration group to which the computer or computers belong.0 > Windows LiveUpdate. to associate an organizational unit with the selected computer. click Add. in the left pane. on the Configurations view tab. In the right pane. select the configuration that you want to modify. In the Find Organizational Units dialog box. .Managing LiveUpdate clients with SESA Working with Windows LiveUpdate configurations 77 6 In the Find Configuration Groups dialog box. and then expand LiveUpdate 1. ■ 7 8 On the Organizational Units tab. you modify one or more settings on the Windows LiveUpdate tabs. Click OK. do the following: ■ In the Available organizational units list.

which you can also configure for distribution to Java LiveUpdate computers. When you are prompted to distribute the configuration. Under Windows LiveUpdate. as specified in the LiveUpdate. Java LiveUpdate client configurations are divided into the following groups of settings: ■ ■ ■ ■ ■ General Java LiveUpdate Hosts Java LiveUpdate 3.conf configuration file.78 Managing LiveUpdate clients with SESA About Java LiveUpdate client configurations Distributing a Windows LiveUpdate configuration To successfully distribute a Windows LiveUpdate configuration. right-click a configuration. you must specify the Java LiveUpdate computers to associate with the configuration. SESA provides a Default Java LiveUpdate configuration. click Yes. which instructs them to contact the SESA Manager for a new configuration. you must have specified the target computers and organizational units when you created or modified the Windows LiveUpdate configuration. However. expand the top-level SESA domain. . 2 3 About Java LiveUpdate client configurations In SESA. in the left pane. You must also specify the SESA organizational unit to which the computer or computers belong. on the Configurations view tab. In addition.0 > Windows LiveUpdate.0 Settings Custom Content Java LiveUpdate installs with a default configuration. and then expand LiveUpdate 1. You can use the Symantec management console to create and distribute additional LiveUpdate configurations to one or more computers on which Java LiveUpdate is installed. and then click Distribute. a message is sent to the computers that are associated with the Windows LiveUpdate configuration. When you distribute a configuration. you may want to modify a configuration or distribute additional configurations to Java LiveUpdate client computers. When you create or modify a Java LiveUpdate configuration. To distribute a Windows LiveUpdate configuration 1 In the Symantec management console.

A Java LiveUpdate configuration is a collection of settings that you can apply to products on computers directly. . You cannot change the description of the Default configuration. You can also configure the Default Java LiveUpdate configuration. you can make additional changes by selecting Properties. By default. The configuration description. or by setting up configuration groups or organizational units. You cannot change the date manually. The General tab contains the following options: Configuration name The name of the configuration. General settings The General tab displays the name and description of the selected Java LiveUpdate configuration. The date that is set automatically when you change a configuration. See “Distributing a Java LiveUpdate configuration” on page 88. Java LiveUpdate configurations let you specify network proxy server settings that may be required for Java LiveUpdate sessions in your network environment.Managing LiveUpdate clients with SESA About Java LiveUpdate client configurations 79 As an option. To create a new Java LiveUpdate configuration. You cannot modify this name after you create it. you can create a LiveUpdate configuration to specify that certain LiveUpdate computers use a LiveUpdate configuration file other than the default one. See “Working with Java LiveUpdate configurations” on page 84. In addition. SESA uses the Default Java LiveUpdate configuration. you use the Create a new Configuration wizard. After the configuration is created. You can also specify additional LiveUpdate HTTP or FTP servers to use for downloading product updates. Description Last modified on Java LiveUpdate settings Only one set of the Java LiveUpdate settings may be included in a single LiveUpdate configuration. you can specify that certain LiveUpdate computers use an internal LiveUpdate Administration host server. Similarly. Java LiveUpdate configurations also let you specify the maximum size of LiveUpdate log files. you can specify any configuration groups to which the computer or computers belong.

Java LiveUpdate discards older log entries once the log file exceeds the specified maximum size. Specifies whether overrides are allowed.80 Managing LiveUpdate clients with SESA About Java LiveUpdate client configurations Note: Java LiveUpdate does not accept user names and passwords for any protocol other than FTP. This setting is not supported for FTP. You can define the Java LiveUpdate settings that are listed in Table 5-4. This setting is not supported for FTP. Specifies the password that is associated with the specified proxyusername account. Java LiveUpdate honors the -c command-line switch and host file setting. Specifies the port on which the proxy server is listening (optional). The address must be the TCP/IP address of the server. JavaLiveUpdate ignores the -c command-line switch and host file setting. or hosts/0/ in the . The default is False. and the port must be the TCP/IP port that the proxy server is listening on. If a port number is not specified. If set to anything other than True. If the setting is not present or set to True. This setting is required only if your proxy server requires a logon password. This setting is required only if the proxy server requires a logon user name. The address must be either the TCP/IP address or the FQDN (fully qualified domain name) of the proxy server. Specifies the maximum allowed log file size in kilobytes (KB). The minimum allowable log file size is 512 KB. Table 5-4 SESA property name ProxyServer Java LiveUpdate settings Description Specifies a proxy server address. The default log file size is 1024 KB. LiveUpdate setting proxy ProxyServerPort proxy ProxyUsername proxyusername ProxyPassword proxypassword AllowConfigSwapping AllowConfiguration Override MaxLogFileSize MaximumLogFileSize Java LiveUpdate Hosts settings You can define multiple sets of Java LiveUpdate Host configurations in a single configuration. This setting is not supported for FTP. This setting is not supported for FTP. Value is either True or False. Where you see Host0 in the Property Name. it defaults to 80. Specifies a user name to use when logging on to the specified proxy server.

Managing LiveUpdate clients with SESA About Java LiveUpdate client configurations 81 Setting Name.0 settings that are listed in Table 5-6 (these settings apply only to Java LiveUpdate 3. For example. or FTP. As soon as you enter data for Host 1. You can have up to 10 defined hosts for Java LiveUpdate. hosts/<index>/access specifies a local or mapped directory to access for updates. both Host 1 and Host 2 data are sent. Contains the password that is associated with the logon user name to use when logging on to a LiveUpdate server using FTP (optional). but leave Host 1 settings empty. HTTPS. Note: Host data is not passed from SESA to the Java LiveUpdate client if there are blank entries in the host settings. The protocol can be HTTP. hosts/<index>/url specifies the URL of a LiveUpdate server. The path can be a full local path. Any valid URL or UNC path can be used. You can define the Java LiveUpdate Host settings that are listed in Table 5-5.0). The second Java LiveUpdate Host has the number 1. the 0 indicates the Java LiveUpdate Host number. Table 5-5 SESA property name Host0URL Java LiveUpdate Hosts settings Description Holds the address and path to the LiveUpdate server’s content. and so on. The first Java LiveUpdate Host has the number 0. LiveUpdate setting hosts/0/url or hosts/0/access Host0Username hosts/0/login Contains the logon user name to use when logging on to a LiveUpdate server using FTP (optional). no host information is sent to the Java LiveUpdate client. if you enter host data for Host 2. Host0Password hosts/0/password Java LiveUpdate 3. .0 settings You can configure the Java LiveUpdate 3.

If the FTP protocol is specified. Sends logs to Symantec Gateway Security (SGS). Determines whether Java LiveUpdate sends the Session Start Event. The default is False. Value is either All or None. or None. Value is either All. Enables redirection to third-party LiveUpdate servers. The default is 30000 (30 seconds). LiveUpdate overwrites the existing Settings data with the settings from SESA. this parameter is ignored. sends the event only if there is an error. If you select Replace. if set to True. If you select Overwrite. The default is False. The minimum is 5 seconds. ConnectionReadTimeout ConnectionReadTimeout ExternalLogURL extlog/<index>/url LogInSGSURL extlog/<index>/url LocalizedSysLog enableSyslogLocalization SessionStartVerbosity SESA/SessionStart SessionEndVerbosity SESA/SessionEnd . once a connection has been established. If True. This property name is displayed by the Symantec management console as a drop-down list that has the values Replace and Overwrite. LiveUpdate replaces its existing Settings data with the settings from SESA. or does not send any events at all. Value is either True or False. Allows localized messages. Value is either True or False. The default is 60000 (60 seconds).82 Managing LiveUpdate clients with SESA About Java LiveUpdate client configurations Table 5-6 SESA property name OverwriteNewSettings Java LiveUpdate 3. Error. Specifies the connection read timeout in milliseconds that Java LiveUpdate waits for a response from the LiveUpdate server. Determines whether Java LiveUpdate sends the Session End Event. LiveUpdate setting none UseURLLines urls ConnectionTimeout ConnectionTimeout Specifies the connection timeout in milliseconds that Java LiveUpdate waits when attempting to connect to a LiveUpdate server.0 settings Description Tells the LiveUpdate client how to apply the settings that were received from SESA to the client's Settings file. The default is False.tri file when it downloads packages using HTTP. Sends logs to the system log at the host address and port that are specified. Java LiveUpdate uses the URL= line in the . The default is All. but does not delete any Settings values that are not changed by SESA. The default is All. The minimum is 5 seconds. This entry can be included only once in the configuration file.

or None. You can define the Custom Content settings that are listed in Table 5-7. Determines whether custom content is received. sends the event only if there is an error. Determines whether Java LiveUpdate sends the Product Update Event. LiveUpdate receives custom content. Error. If this flag is set to False. LiveUpdate setting SESA/ServerSelection ProductUpdateVerbosity SESA/ProductUpdate Java LiveUpdate Custom Content settings Only one set of Java LiveUpdate Custom Content settings may be included in a single LiveUpdate configuration. Table 5-7 SESA property name OverwriteCustomContent Configurations Java LiveUpdate Custom Content settings Description Tells the LiveUpdate client how to apply the Custom Content settings to the Settings file. This property name is a drop-down list that has the values Replace all host settings and Overwrite existing host settings. or does not send the event at all.Managing LiveUpdate clients with SESA About Java LiveUpdate client configurations 83 Table 5-6 SESA property name ServerSelectionVerbosity Java LiveUpdate 3. If you select the Replace option. or does not send the event at all. The default is False. LiveUpdate ignores custom content. If this flag is set to True. The default is All. Value is either All. or None. Custom content is defined as content in the custtri. LiveUpdate overwrites the existing custom content values with the settings from SESA. Error. sends the event only if there is an error. If you select the Overwrite option. See “About LiveUpdate custom content publishing” on page 147. but does not delete any property values that are not set in SESA.zip file. LiveUpdate replaces the existing custom content data with the settings from SESA. LiveUpdate setting None EnableCustomContent PREFS_CUSTOM_ CONTENT . Value is either All. The default is All.0 settings (continued) Description Determines whether Java LiveUpdate sends the Server Selection Event.

. or modify an existing one.84 Managing LiveUpdate clients with SESA Working with Java LiveUpdate configurations Table 5-7 SESA property name EnableLOTSFileUpdates Java LiveUpdate Custom Content settings (continued) Description Determines whether LiveUpdate attempts to update the LOTS file. If this is set to LOTS file update optional. you can distribute it to Java LiveUpdate computers. or you can create a new Java LiveUpdate configuration. If the LOTS file retrieval fails. Holds the user name that is required to log on to the HTTPS LOTS server. See “Distributing a Java LiveUpdate configuration” on page 88. you must first configure it for distribution. Before you can distribute a Java LiveUpdate configuration. You can do this by modifying an existing configuration. LiveUpdate attempts to update the LOTS file during each LiveUpdate session. the LiveUpdate client looks for a new LOTS file. but if the file retrieval fails. such as the Default configuration. After you have created or modified a configuration as appropriate. custom content is still downloaded. LiveUpdate disables custom content for that session. LOTSUsername LOTS\USERNAME LOTSPassword LOTS\PASSWORD Working with Java LiveUpdate configurations You can create a new Java LiveUpdate configuration. the LiveUpdate client does not look for a new LOTS file. you must use the Create a new Configuration wizard. To create a new LiveUpdate configuration. This URL must be HTTPS. If this is set to LOTS file update required. If this is set to Do not update LOTS file. such as the Default Java LiveUpdate configuration. or LiveUpdate does not update the LOTS file. LiveUpdate setting LOTS\UPDATE_LOTS_ FILE LOTSURL LOTS\LOTS_HTTPS_URL Contains the HTTPS URL that LiveUpdate uses to retrieve the LOTS file. Holds the password that is required to log on to the HTTPS LOTS server. The default is Do not update LOTS file.

select a computer. 5 6 In the Computers panel. Right-click Java LiveUpdate. See “Modifying a Java LiveUpdate configuration” on page 87. See “Editing Java LiveUpdate configuration properties” on page 86. In the first panel of the Create a new Configuration wizard. and then click New. click Add. type a specific computer name or a partial name and an asterisk (*). In the drop-down list.0. ■ ■ 7 8 9 Repeat steps 5 and 6 as necessary. In the Available computers list. click Next. click Next. To create a new Java LiveUpdate configuration 1 In the Symantec management console. and then click Start Search. Type a description (optional). do the following: ■ In the Computer name text box. In the Configuration Groups panel. expand the top-level SESA domain. do the following: ■ ■ ■ ■ 2 3 4 Type a configuration name. in the left pane. on the Configurations view tab. 2 Modify the Java LiveUpdate configuration to specify configuration settings. In the General panel. Click Next. and then expand LiveUpdate 1. In the Computers panel. and then click Add so that it appears in the Selected computers list. In the Find Computers dialog box. do one of the following: .Managing LiveUpdate clients with SESA Working with Java LiveUpdate configurations 85 To modify an existing Java LiveUpdate configuration 1 Edit the Java LiveUpdate configuration properties to add the computers that will use the Java LiveUpdate configuration. Click OK. select an existing configuration to copy.

Editing Java LiveUpdate configuration properties You must add the computers that will use the Java LiveUpdate configuration before you can distribute the configuration. ■ Click OK. you must specify the computer names and associated organizational units. . click Next. do the following: ■ In the Available organizational units list. and then click Next. 13 In the Organizational Units panel. At a minimum. click Finish. 10 In the Organizational Units panel. 15 In the Configuration summary panel. 14 In the Configuration properties panel. click Close. click Add. click Next. ■ ■ In the Configuration Groups panel. view the information about the configuration tabs that appear in the Symantec management console. ■ 12 Repeat steps 10 and 11 as necessary. In the Find Configuration Groups dialog box. to associate an organizational unit with the selected computer. 16 When the status of each task shows Success. and then click Add so that it appears in the Selected configuration groups list. select the organizational unit to which the computer or computers belong. and then click Add so that it appears in the Selected organizational units list Click OK.86 Managing LiveUpdate clients with SESA Working with Java LiveUpdate configurations If your computer or computers belong Do the following: to a configuration group ■ Click Add. 11 In the Find Organizational Units dialog box. select the configuration group to which the computer or computers belong. in the Available configuration groups list. If your computer or computers do not belong to a configuration group Click Next.

In the Find Computers dialog box. and then click Add so that it appears in the Selected organizational units list. click Add. . to add a computer. do the following: ■ In the Available configuration groups list. to associate your computer with a configuration group. In the Find Configuration Groups dialog box. and then click Start Search. click Add. Under Java LiveUpdate. and then click Add so that it appears in the Selected computers list. do the following: ■ 2 3 4 In the Computer name text box. ■ 9 Repeat steps 3 through 8 as necessary. Click OK. ■ ■ 5 6 On the Configuration Groups tab. Click OK. In the Find Organizational Units dialog box. Modifying a Java LiveUpdate configuration To change an existing Java LiveUpdate configuration. Click OK. select the organizational unit to which the computer or computers belong.0 > Java LiveUpdate. do the following: ■ In the Available organizational units list. to associate an organizational unit with the selected computer. in the left pane. on the Configuration view tab. right-click the configuration that you want to modify. type a specific computer name or a partial name and an asterisk (*). and then expand LiveUpdate 1. and then click Add so that it appears in the Selected configuration groups list. you modify one or more settings on the Java LiveUpdate tabs. In the Configuration Properties dialog box. 10 In the Configuration Properties dialog box. select the configuration group to which the computer or computers belong. ■ 7 8 On the Organizational Units tab. click OK. and then click Properties. click Add. select a computer.Managing LiveUpdate clients with SESA Working with Java LiveUpdate configurations 87 To edit Java LiveUpdate configuration properties 1 In the Symantec management console. expand the top-level SESA domain. In the Available computers list. on the Computers tab.

Under Java LiveUpdate. You can distribute a Java LiveUpdate configuration to any of the following computer platforms: ■ ■ ■ ■ ■ ■ Windows 32-bit Linux Solaris™ AIX® HP-UX® Macintosh® . expand the top-level SESA domain. Distributing a Java LiveUpdate configuration To successfully distribute a Java LiveUpdate configuration.0 Settings Custom Content See “About Java LiveUpdate client configurations” on page 78. When you distribute a configuration. and then expand LiveUpdate 1.0 > Java LiveUpdate.88 Managing LiveUpdate clients with SESA Working with Java LiveUpdate configurations To modify a Java LiveUpdate configuration 1 In the Symantec management console. select the configuration that you want to modify. instructing them to contact the SESA Manager for a new configuration. you must have specified the target computers and organizational units when you created or modified the Java LiveUpdate configuration. a message is sent to the computers that are associated with the Java LiveUpdate configuration. on the Configurations view tab. In the right pane. modify the configuration using the following tabs as necessary: ■ ■ ■ ■ ■ 2 3 General Java LiveUpdate Hosts Java LiveUpdate 3. in the left pane.

Under Java LiveUpdate. right-click a configuration.Managing LiveUpdate clients with SESA Working with Java LiveUpdate configurations 89 To distribute a Java LiveUpdate configuration 1 In the Symantec management console. on the Configurations view tab. When you are prompted to distribute the configuration. expand the top-level SESA domain.0 > Java LiveUpdate. and then click Distribute. in the left pane. 2 3 . click Yes. and then expand LiveUpdate 1.

90 Managing LiveUpdate clients with SESA Working with Java LiveUpdate configurations .

The client can be installed silently when you run it manually. You can also download the latest LiveUpdate client setup file. use the PREFERENCES\UPGRADE_PREVENT=TRUE setting. See “Merging custom settings into the Settings.Chapter 6 Working with LiveUpdate clients This chapter includes the following topics: ■ ■ ■ ■ ■ ■ ■ ■ ■ Upgrading the LiveUpdate client About LiveUpdate client files Understanding corporate mode settings Adding or changing LiveUpdate client computers Understanding LiveUpdate package authentication Ensuring that Automatic LiveUpdate and scheduled LiveUpdate authenticate Running LiveUpdate from a command line or scheduler Accessing LiveUpdate in the Control Panel in Windows XP 64-bit Configuring the Automatic LiveUpdate Scheduler service Upgrading the LiveUpdate client The LiveUpdate client is updated by LiveUpdate itself. You can also create a log file for the installation. . Note: If you do not want LiveUpdate clients to automatically update.LiveUpdate file” on page 106.

The settings under HKLM\Software\Symantec\LiveUpdate are converted into values in the Settings. .Catalog.TXT. the HOSTS\ property tree is deleted so that the contents of the Liveupdt. After the conversion.html Download the client using the LiveUpdate Administration Utility. at the command line. at the command line. is converted into the HOSTS\ property tree in the Settings. About checking version numbers You can check which version of LiveUpdate is contained in the installer by checking the date that is displayed in LUSETUP.LiveUpdate file.hst.x and later. the settings in the registry are moved to the Settings.6x.LiveUpdate file.html For versions of LiveUpdate earlier than 1.LiveUpdate file. with the exception of information about registered Symantec products and patches. Liveupdt.symantec. type the following: Lusetup /s /a /q ■ For LiveUpdate version 1. Before this conversion takes place.hst file is deleted. ■ To install the LiveUpdate client silently ◆ Do one of the following: ■ For LiveUpdate version 1. When you install LiveUpdate 1.com/techsupp/files/lu/lu. This lets your LiveUpdate clients update their computers directly from your internal server.log in the Windows folder.com/techsupp/files/lu/lu. the Liveupdt. type the following: Lusetup /a/log This creates a log file named Luinstall. The legacy host file.symantec.Catalog.6.92 Working with LiveUpdate clients Upgrading the LiveUpdate client To download the latest LiveUpdate client setup file ◆ Do one of the following: ■ Download LUSETUP. type the following: Lusetup /s To create a log file of the Lusetup installation ◆ At the command line.EXE from the Symantec Web site at: www.x and earlier.5.6 or later over an earlier version of LiveUpdate. settings are stored in the registry.hst file replace any previous host information. This information is moved into the Product.LiveUpdate and Product.LiveUpdate files. which is available at: www.

EXE ALUNOTIFYRES.dll AUPDATE. Automatic LiveUpdate Scheduler file. LiveUpdate custom installer application that contains both the LiveUpdate base files and the SESA integration files.INF LUInit.Working with LiveUpdate clients About LiveUpdate client files 93 About LiveUpdate client files Table 6-1 lists the files that are used by the LiveUpdate client. Contains a list of the files that were installed by LiveUpdate. Localizable resource library file.EXE AUPDATERES. May be referenced later by LiveUpdate if it cannot find the LiveUpdate settings files.EXE LSETUPRES. Localizable resource library file. LiveUpdate engine file. Used to retrieve product or content updates automatically.DLL LuCallbackProxy. LiveUpdate installer file.exe LuComServer_3_0. Automatic LiveUpdate executable. Used to create the Automatic LiveUpdate log file.dat LUINFO.Default.LiveUpdate LiveUpdate client files Description Backup copy of the original default settings for the LiveUpdate client. Localizable resource library file.DLL AluSchedulerSvc. ALUNOTIFY. May be run from the command line. Localizable resource library file. Configuration file that stores the initial location of the LiveUpdate settings files. Localizable resource library file. Automatic LiveUpdate notification functionality.exe AluSchedulerSvcRes.DLL LUALL.EXE LuComServerRes. LiveUpdate executable file that displays all product user interface. Localizable resource library file. Used to issue callbacks to Symantec products.DLL LUSETUP. For reference only.dll Ludirloc. Table 6-1 File Settings.EXE LUALLRES. File that is used by the LiveUpdate installer.exe .

LiveUpdate advanced update selection engine. OS library file. Contains the final installer status result. . OS library file. SESA base file. Localizable resource library file.DLL LiveUpdate client files (continued) Description LiveUpdate installer file. Localizable resource library file.DLL S32LUCP1.DLL providerInst.exe SymantecRootInstaller Res. including recent enhancements.jar ProductRegCom_3_0. LiveUpdate engine file.DLL S32LIVE1RES.DLL ProductRegComPS. Created during installation.DLL NetDetectController_3_0. LiveUpdate control panel file.CPL S32LUIS1. Updated product information.dll MFC71. LiveUpdate engine file.DLL MSVCP71.DLL LuResult. LiveUpdate engine file.DLL README.DLL LUPreCon.94 Working with LiveUpdate clients About LiveUpdate client files Table 6-1 File LUInit. LiveUpdate installer file. Localizable resource library file. LiveUpdate product integration functionality.DLL SymantecRootInstaller. and known issues. Program that installs a copy of the Symantec root certificate into the Microsoft certificate store to be used by Internet Explorer.txt LUSESAIntegration. Automatic LiveUpdate executable.ini LUINSDLL.TXT S32LIVE1.exe winluproviderinst.DLL S32LUWI1. OS library file.DLL MSVCR71. LiveUpdate engine file. bug fixes. LUINSDLLRES.jar LiveUpdate SESA integration functionality. LiveUpdate SESA integration functionality.

if an Application Data folder exists at the time of the installation. LiveUpdate program files are stored in the following location: Program Files\Symantec\LiveUpdate The configuration information for LiveUpdate client versions 1. the location that is specified by Shfolder. the LiveUpdate data folder might be in the directory that is listed for the previously installed operating system.7x. settings are stored as read-only files in the LiveUpdate data folder. See “Merging custom settings into the Settings. The location of the LiveUpdate data folder is as follows: Windows 2000 (clean installation. the folder and path are created during installation.6x and later is in the \Downloads\ folder and in the following files: ■ ■ ■ Product.dll is distributed with Internet Explorer 5. Shfolder.LiveUpdate Settings.0 Note: If you have upgraded your operating system. However.LiveUpdate file” on page 106.LiveUpdate These files are in the Symantec\LiveUpdate folder locations that are specific to each operating system.6x and 1. A re-distributable Microsoft updater that installs this file is included with the LiveUpdate installation. If necessary.0 and later.dll is used. You can view and edit the information in these files with a text editor such as Notepad. .Working with LiveUpdate clients About LiveUpdate client files 95 LiveUpdate client file locations For LiveUpdate client versions 1.LiveUpdate Log. not an upgrade) Windows 2003\XP C:\Documents and Settings\All Users\ Application Data\Symantec C:\Documents and Settings\All Users\ Application Data\Symantec C:\Windows\Application Data\Symantec C:\Windows\All Users\Application Data\ Symantec C:\WinNT\Profiles\All Users\ Application Data\Symantec Windows 95 Windows 98\Me Windows NT 4.Inventory.

LiveUpdate The Product. When the number of backups reaches 10. and can empty the cache on demand. . 2. The LiveUpdate Update Cache on the Windows 32 LiveUpdate client retains downloaded packages until they are successfully installed.96 Working with LiveUpdate clients About LiveUpdate client files About LiveUpdate client configuration files The configuration information for LiveUpdate client versions 1.LiveUpdate Log.LiveUpdate file is used internally by LiveUpdate to list the Symantec products that are installed on the computer and the current patch level of each product.LiveUpdate Settings. Packages that fail to install are retained in the Update Cache. Warning: Do not edit this file.LiveUpdate and Settings.LiveUpdate files are kept. <LiveUpdate Data>\Downloads\ The <LiveUpdate Data>\Downloads\ directory contains downloaded LiveUpdate packages. the previous version is saved with a prefix that indicates the backup number. the information in this directory is used to attempt to resume the download.LiveUpdate indicates that this is the second backup of the Settings. You can use the information within these files to determine the causes of LiveUpdate download failures and to verify LiveUpdate client settings.LiveUpdate file. Product. For example.Inventory. which are decompressed into separate folders and applied. the oldest file is deleted. You can configure the number of backups that are kept in the Preferences section of the Settings.LiveUpdate Up to ten copies of the Product. If the LiveUpdate session was not completed successfully and your LiveUpdate connection uses HTTP. As each of these files is overwritten.Inventory.6x and later is kept in the following locations: ■ ■ ■ ■ <LiveUpdate Data>\Downloads\ Product. Users can configure the Update Cache to override the default maximum cache size of 5% of the drive where LiveUpdate is installed.Inventory.Settings.LiveUpdate file.Inventory.

LiveUpdate file is present. and information about the computer on which it is running.LiveUpdate contains all of the LiveUpdate configurations.Log. the changes from the merge file are saved as the default settings. if the Settings. This setting contains the full path to the location to search for a Settings. the size of the log file is set to 5120 KB. including download resumption information. Table 6-2 lists the settings and describes how they are used. Log.LiveUpdate file. Once it is loaded. You can open the log file using a text editor such as Notepad.LiveUpdate Settings. host entries. in the \Symantec\LiveUpdate folder). When the settings are saved. After a normal load of the Settings.Working with LiveUpdate clients About LiveUpdate client files 97 Log. MERGE_FILE_ LOCATION .LiveUpdate file. or it can be a full path and file name to use. the file is looked for in the location that is indicated by the value of the INSTALL_FOLDER setting.Merge.LiveUpdate. If this setting is not present (or it is empty).Merge. This setting can contain a folder to look for the Settings.LiveUpdate files and merges them into Log.Merge. The settings file contains the full path to the Settings. The minimum file size is 10 KB. it checks for any legacy #. Settings.LiveUpdate file (by default. At the beginning of each section is information about the version of LiveUpdate that is running. and merge indicators.LiveUpdate file. the file is deleted.LiveUpdate. Logging is enabled by default.LiveUpdate settings Description This setting shows where LiveUpdate is installed. The size can be configured using the PREFERENCE\LOG_FILE_SIZE setting in the Settings. its contents overwrite the default settings. By default. with the newest entries at the bottom of the file. Table 6-2 Setting INSTALL_FOLDER SETTINGS_FILE Settings. that is in the Application Data\Symantec\LiveUpdate folder. When the LiveUpdate client runs.LiveUpdate file.LiveUpdate LiveUpdate creates a log file. LiveUpdate settings.

MERGE_FILE_ NO_DELETE NEW_HOSTS_ LOCATION NEW_HOSTS_ NO_DELETE PRODUCT_CATALOG_ FILE PER_USER_FOLDER PER_USER_ ROAMING_FOLDER This is the Per User Roaming folder as returned from the Shfolder. the location that is indicated by INSTALL_FOLDER is searched for the Settings.LiveUpdate file (located in the \Symantec\LiveUpdate folder under PER_MACHINE_FOLDER).LiveUpdate (which contains text-settings format host specifications). This setting specifies the full path to a file that contains text-settings format host specifications. .98 Working with LiveUpdate clients About LiveUpdate client files Table 6-2 Setting Settings.LiveUpdate file. This is the Per User folder as returned from the Shfolder. By default (and if this setting is not present or if it is empty).LiveUpdate settings (continued) Description This setting is used to control whether or not the merge file is deleted once it is processed.Hosts. If this property is not present (or it is empty). it is then deleted. This may be useful if the settings point to a shared file on a network that is used as a global settings merge file by everyone every time that LiveUpdate runs. after a host file is found and loaded.Catalog.dll. This setting contains the full path to the Product. if a merge file is found and loaded. If it is found. a check is done for this file.Hosts.dll. By default (and if this setting is not present or it is empty). After the settings are loaded normally. This may be useful if the settings point to a shared file on a network that is used as a global new host file by everyone every time that LiveUpdate runs. It can also contain a path to a folder that contains a file called Settings. it is deleted. Setting this property to a nonempty value prevents the file from being deleted once it is loaded. Setting this property to a nonempty value prevents the file from being deleted once it is loaded. This setting controls whether or not the new host file is deleted once it is processed. any existing hosts are deleted from the settings and the contents of this file are loaded as the new host specifications.

ZIP\LASTMODIFIED=Tue.ZIP\SERVERPATH=/liveupdate2/ livetri. Following is an example of a DOWNLOADS entry: DOWNLOADS\LIVETRI. The location of this directory differs according to the operating system that is installed. This setting stores download resumption information. followed by a setting name.ZIP\CONTENTLENGTH= 676DOWNLOADS\LIVETRI. Other file information is kept until files are successfully downloaded.dll. Each file that is downloaded using HTTP gets a setting named after its object name here.Working with LiveUpdate clients About LiveUpdate client files 99 Table 6-2 Setting Settings. 28 Dec 1999 04:44:04 GMTDOWNLOADS\LIVETRI.zip file always has a setting under this key that is checked to see if a new download is necessary. The livetri. If downloads are not successful.ZIP\ LOCALPATH=C:\WINNT\Profiles\All Users\ Application Data\Symantec\ LiveUpdate\Downloads\livetri.comDOWNLOADS\ LIVETRI.zipDOWNLOADS\LIVETRI. symantec.ZIP\ STATUS=Complete PER_MACHINE_ FOLDER DOWNLOADS PREFERENCES This setting contains general settings.zip DOWNLOADS\LIVETRI. .LiveUpdate settings (continued) Description This is the Per Machine folder as returned from the Shfolder.ZIP\SERVER=ussmgreen. this information can be used for download resumption (this is available only when HTTP is the protocol that is being used to download updates).

The default is 30 seconds. operating system version and language. or if set to False. To opt out. This setting is used to specify the number of seconds LiveUpdate attempts to connect to the LiveUpdate server. The minimum value is 5 seconds. To disable the Automatic LiveUpdate Scheduler service. LiveUpdate sends information to Symantec such as the product and version of installed Symantec software. or set to No. This setting disables status reports that are sent to Symantec by LiveUpdate. and the LiveUpdate client version. The default value is used if the setting is not present. If this value is not present. If the setting is not present. or if it cannot be converted to a DWORD value. the Automatic LiveUpdate Scheduler service is enabled. DISABLE_STATUS _REPORT INTERNET_CONNECT _TIMEOUT INTERNET_READ_DATA _TIMEOUT . set to Yes.LiveUpdate settings (continued) Description This setting allows administrators in corporate environments to disable the Automatic LiveUpdate Scheduler service that is used by some Symantec consumer products. This setting is used to specify the number of seconds LiveUpdate takes to retrieve data from the LiveUpdate server. The default is 30 seconds. The default value will be used if the setting is not present or if it cannot be converted to a DWORD value. the computer make and model.100 Working with LiveUpdate clients About LiveUpdate client files Table 6-2 Setting DISABLE_ALU_ SCHEDULE Settings. The minimum value is 5 seconds. set to True.

If LiveUpdate finds a server name in the host file list that is a part of the symantec. LiveUpdate attempts to remove the entries from the host file. The default is YES (enabled). This check is only disabled when it is explicitly set to NO. ■ Leave these entries in the hosts files (ignore them later) LiveUpdate leaves the host file entries and adds them to the list of host entries that are ignored. Any value other than NO will enable the check. When this option is set to YES (enabled).com domain. It is disabled by default. PRODUCT_INVENTORY_ INTEGRITY_CHECK This setting is used to enable and disable the last known good inventory check. LiveUpdate attempts to load a last known good Product Inventory file. WORKINGDIRECTORY .Working with LiveUpdate clients About LiveUpdate client files 101 Table 6-2 Setting Settings. you are given the following options: Remove these entries from the hosts files (Recommended) This is the default option. ■ OSHOST_FILE_CHECK OSHOST_FILE_CLEAN This setting is used to enable automated OS hosts file cleaning. ■ Leave these entries in the hosts files (warn me about them later) LiveUpdate leaves the host file entries and alerts you about them the next time LiveUpdate runs. This setting is used for download resumption and during normal file downloads to specify where to store temporary files. LiveUpdate automatically cleans any detected entries in all OS hosts files checked. and LiveUpdate runs in silent mode from either the command-line or from a scheduler. or if it is not present. If this setting is set to anything other than NO.LiveUpdate settings (continued) Description This setting is used to enable or disable the host file integrity check.

6). events are logged to the file that is indicated in the PREFERENCES\LOG_FILE_NAME setting. LOGEVENTS . (LAN HAL is not used in LiveUpdate versions later than 1. It is only checked for a nonempty value. If the S32luhl1. When you convert from an old installation. If you use the Norton Program Scheduler. It is also created if the distribution of a LAN HAL to the client computer in a corporate environment that uses a legacy version of LuAdmin is detected.102 Working with LiveUpdate clients About LiveUpdate client files Table 6-2 Setting Settings. LiveUpdate can't connect to a UNC location unless the LiveUpdate files reside in a shared resource on the Windows NT server that all users are authorized to access (a NULL share). USEPASSIVEFTPMODE ALL TRANSPORTS AVAILABLE LAN_HAL_PRESENT Note: The LAN HAL (S32luhl1.dll) is a legacy file transport method that lets LiveUpdate retrieve files from a specific location using a UNC path. this setting is created. If it is zero or does not exist. It is checked every time that the host information is loaded (from any source). NON_SYMANTEC_HOST This setting is created when at least one host entry contains the property IS_SYMANTEC=NO. and 1 if true. The value of this setting is 0 if false.LiveUpdate settings (continued) Description This setting switches LiveUpdate to passive mode FTP (the default setting on a clean installation). then LiveUpdate uses active FTP.dll is found in the installation folder. LiveUpdate uses passive FTP. Passive FTP is more successful with some firewall configurations. You should not use this method for Windows NT workstations and servers. If this value is nonzero. This setting is created during installation when you upgrade from an earlier version of LiveUpdate. the PREFERENCES\LAN_HAL_PRESENT setting is created if a previous LAN HAL is detected. The presence of this setting is used to detect corporate mode. This setting allows an override of the default rule to only allow LAN/UNC hosts if the LAN HAL DLL is present. If this setting is nonzero. The value of this setting is not important.

the existing backup files are rotated down with the oldest one (highest number) being deleted. it specifies the number of Settings.Catalog. As each new Product. The first time the user interface runs. it specifies the number of Product. PRODUCT_CATALOG_ BACKUPCOUNT SETTINGS_FILE_ BACKUPCOUNT LOG_FILE_NAME INTERNET CONNECTION UIRUNONCE . A value of 2 means to silently dial the LiveUpdate-specific settings that are specified in the RAS settings.LiveUpdate settings (continued) Description If this setting is nonzero. If this property is not set but LOGEVENTS is on. and so on). The file is overwritten during each session. The default is 3 and the maximum is 10. this property's default value is set to Log.LiveUpdate with the PER_MACHINE_FOLDER as the path.LiveUpdate file backups to keep on a rotating basis. A value of 0 means to use Internet Explorer settings (if Internet Explorer is configured to use a RAS.Catalog. This setting determines remote access server (RAS) characteristics. If this setting is nonzero. Set this value to 0 to force the connection settings window to reappear.LiveUpdate file is saved. events are logged to the file that is indicated in this property's value.LiveUpdate file is saved. the existing backup files are rotated down with the oldest one (highest number) being deleted. If LOGEVENTS is on. Values are numeric (DWORD). As each new Settings. This setting contains the full path to the log file. The default is 3 and the maximum is 10.LiveUpdate file backups to keep on a rotating basis.Working with LiveUpdate clients About LiveUpdate client files 103 Table 6-2 Setting Settings. you can view the connection settings for RAS and proxy. it is used.

It can be one or more of the following strings: LAN. If it is running in corporate mode. corporate mode is not used.LiveUpdate settings (continued) Description Corporate mode preferences are set when an LuAdmin environment is detected. If RAS_USE_IE_RAS does not exist or is set to an empty value. If RAS_USE_IE_RAS exists and is set to a nonempty value. There are separate settings that indicate these two conditions. HTTP. . and they may be used instead. This is the default on a clean computer. then the custom RAS settings as indicated by RAS_SELECTEDRAS are used. The property names for the user name and password of a RAS must be constructed as they are under PREFERENCES\RAS\<RAS NAME>\USERNAME:ENC and PREFERENCES\RAS\<RAS NAME>\PASSWORD:ENC. or if there is a non-Symantec host entry present. CORPORATE_MODE CORPORATE_ALLOWED_ URL_HOSTS SELECTEDRAS USERNAME PASSWORD USE_HTTP_PROXY USE_FTP_PROXY USE_IE_PROXY This setting causes LiveUpdate to use the proxy settings (if there are any) that are specified in the Internet Explorer control panel. use commas to separate them. or FTP. This is used to determine if the URL= Tri entry property should be obeyed. Corporate mode is set to Yes if the LAN HAL is present.104 Working with LiveUpdate clients About LiveUpdate client files Table 6-2 Setting Settings. then the settings for a custom RAS are ignored. Corporate mode is indicated when this string is present and set to any value. corporate mode is automatically set if at least one of these conditions is true. If this setting is absent or set to an empty value. At this time. This setting sets whether URL hosts can connect when corporate mode is active. <RAS NAME> represents the descriptive name of the RAS entry to which the user name and password apply. it is not obeyed unless CORPORATE_ALLOWED_URL_HOSTS is active. These settings can be set to activate proxies. If more than one is specified.

the URL is displayed. For example. the Access property's value would be update. and so on.com/liveupdate. HTTPAUTHORIZATION This setting is used similarly to PREFERENCES\PROXY\AUTHORIZATION. If a name has not been specified.symantec.com/liveupdate. NTLM. or LAN. for an FTP host with a fully qualified URL of ftp://update. while the Access2 property's value would be ftp:// update. HOSTS NUM_HOSTS NAME TYPE ACCESS ACCESS2 LOGIN:ENC PASSWORD:ENC .Working with LiveUpdate clients About LiveUpdate client files 105 Table 6-2 Setting AUTHORIZATION Settings.com/liveupdate. It shows to which host a connection is attempted.) This setting usually contains the portion of the URL that is beyond the protocol specifier.LiveUpdate settings (continued) Description This setting is used in a proxy-authorization HTTP header that is sent in an InternetOpenUrl() request for FTP transfers.symantec. These settings contain the Login and Password (if any) that are used to connect. This setting contains host file information. This setting always contains the fully qualified URL of the host. This setting is used for display purposes. This setting can be FTP.symantec. A proxy-authorization header has the following form: proxy-authorization: scheme login:password where scheme is Basic. and login:password is UUEncoded. This setting shows the number of host entries that are listed. (Modem is no longer supported and modem entries are ignored. but for HTTP proxy-authorization headers. HTTP.

This setting contains the identifier of the host. See “Enabling location profiles” on page 46. This is important in determining if the password should be shown in LuAdmin. it is skipped. IS_SYMANTEC HOST_NUMBER HOSTS\{n}\PROFILE\{x}= {pname} HOSTS\SET_PROFILE This setting is the name of the profile to use when using location profiles. Merging custom settings into the Settings.LiveUpdate file on multiple computers. A zero value for both subnet and subnet mask always match every IP address. This setting is the name of the profile that this host belongs to when you want to allow clients to use location profiles. the current IP address is masked with the subnet mask and the result is compared with the value of the subnet property of the current host entry. If they match.LiveUpdate file You can add new settings to client computers without manually adjusting the Settings. LiveUpdate defaults to retrieving updates from HOSTS/0 if this setting is not set. This setting determines whether or not the server is a Symantec server. . Table 6-3 lists the types of Express mode merge files that you can create to update LiveUpdate settings. Otherwise.LiveUpdate settings (continued) Description When you select hosts. the host is used.106 Working with LiveUpdate clients About LiveUpdate client files Table 6-2 Setting SUBNET SUBNETMASK Settings. or is set to a nonexistent location profile name.

0.server/files HOSTS\0\LOGIN:ENC=YBR#A%5\(CI HOSTS\0\NAME=LU FTP on My Server HOSTS\0\PASSWORD:ENC=YBR#A%5\(CI HOSTS\0\PROFILE\0=WORK HOSTS\0\SUBNET=0. The following is an example of an Express mode merge file that prevents the upgrade or uninstallation of LiveUpdate: PREFERENCES\UPGRADE_PREVENT=TRUE PREFERENCES\UNINSTALL_PREVENT=TRUE To create a merge file for host-specific information 1 2 In a text editor.0.LiveUpdate.LiveUpdate file is updated with the new information.LiveUpdate file.LiveUpdate.Hosts. The Settings.Hosts. You must format the entries in the merge file as they would appear in the Settings. The Settings. create a new text file with the name Settings.Working with LiveUpdate clients About LiveUpdate client files 107 Table 6-3 Merge file type Merge file types Description You can create a file called Settings. You must format the entries in the merge file as they would appear in the Settings. The following is an example of an Express mode merge file that changes the first host: HOSTS\0\ACCESS=my.0 HOSTS\0\SUBNETMASK=0. Type the settings that you want to use on the destination computers. the host settings are usually overwritten by the host information in the Symantec System Center.LiveUpdate file is updated with the new information.0 HOSTS\0\TYPE=FTP Non-host-specific merge file You can create a file called Settings.LiveUpdate.Merge.0.0. . Host-specific merge file Note: In a managed Symantec AntiVirus™ Corporate Edition environment.server/files HOSTS\0\ACCESS2=ftp://my.LiveUpdate file.

108

Working with LiveUpdate clients Understanding corporate mode settings

3 4

Save the file in a location other than a \Symantec\LiveUpdate folder. Copy the Settings.Hosts.LiveUpdate file into the \Symantec\LiveUpdate folder. The default location of this file depends on your operating system. See “LiveUpdate client file locations” on page 95.

To create a merge file for non-host-specific information

1 2 3 4

In a text editor, create a new text file with the name Settings.Merge.LiveUpdate. Type the settings that you want to use on the destination computers. Save the file in a location other than a \Symantec\LiveUpdate folder. Copy the Settings.Merge.LiveUpdate file into the \Symantec\LiveUpdate folder. The default location of this file depends on your operating system. See “LiveUpdate client file locations” on page 95.

Understanding corporate mode settings
When LiveUpdate 1.6 or later is installed on a computer that meets either of the following criteria, it activates a condition called corporate mode:

A custom host file (Liveupdt.hst) is detected on the computer in the LiveUpdate program files location. A LAN HAL (S32luhl1.dll) exists from a version of LiveUpdate earlier than 1.6 in the LiveUpdate program files location.

While in corporate mode, LiveUpdate behavior changes in the following ways:

It does not attempt to use the URL= line in the TRI file to download a file. This prevents LiveUpdate from attempting to go through the firewall when it is downloading. You can modify this setting by changing the CORPORATE_ALLOWED_URL_HOSTS setting in the Settings.LiveUpdate file. For example: CORPORATE_ALLOWED_URL_HOSTS=HTTP LiveUpdate does not continue trying to connect to Symantec hosts if the internal entries fail. To change this behavior and allow access to all hosts (for example, during server failure), you may add the following setting to the Settings.LiveUpdate file: ALL TRANSPORTS AVAILABLE=YES

Working with LiveUpdate clients Adding or changing LiveUpdate client computers

109

With this value in place, LiveUpdate continues to attempt a connection to the first host entries, but if the connection fails, it uses an Internet connection to connect to Symantec servers. This is useful for environments in which the corporate LiveUpdate server is not always available.

Adding or changing LiveUpdate client computers
You can add new clients to the network and change their settings so that they can either receive updated virus definitions and program files from a Central LiveUpdate server or directly from a Symantec LiveUpdate site.

Adding a new client computer to the network
When a new client computer that uses Symantec products is first connected to the network and is to retrieve updates from the Central LiveUpdate server, you distribute the host file (Liveupdt.hst) that was created when the Central LiveUpdate server was set up to the new client computer using your preferred distribution tool. If this file has been deleted or changes to it are needed, create a new custom host file (Liveupdt.hst) that points client computers to the internal server using the LiveUpdate Administration Utility. See “Creating a LiveUpdate host file for clients” on page 40.

Changing a client computer to receive updates from a Symantec LiveUpdate server
When a client computer that previously received its updates from an internal Central LiveUpdate server is to be reconfigured to get its updates from a Symantec LiveUpdate server, the following steps are required:

Using the LiveUpdate Administration Utility, create a custom host file (Liveupdt.hst) that will direct a client computer to a Symantec LiveUpdate server for its updates. See “Creating a LiveUpdate host file for clients” on page 40. Distribute the new host file (Liveupdt.hst) to the client computer using your preferred distribution tool.

110

Working with LiveUpdate clients Understanding LiveUpdate package authentication

Changing a client computer to receive updates from a Central LiveUpdate server
When a client computer that previously received its updates from a Symantec LiveUpdate server is to be reconfigured to get its updates from a Central LiveUpdate server, you distribute the host file (Liveupdt.hst) that was created to direct client computers to the Central LiveUpdate server to the client computer using your preferred distribution tool. In the event that this file has been deleted or changes to it are needed, create a new custom host file (Liveupdt.hst) that points client computers to the internal server using the LiveUpdate Administration Utility. See “Creating a LiveUpdate host file for clients” on page 40.

Understanding Automatic LiveUpdate Scheduler logging
The Automatic LiveUpdate Scheduler creates daily log files. The log files are in the C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate folder and the filename is <YYYY-MM-DD>_Log.ALUSchedulerSvc.LiveUpdate, where YYYY-MM-DD is the year, month, and day when the file was created. Each time the Automatic LiveUpdate Scheduler writes to the log file, it first checks to see if there is a file for the current day in the folder. If a file exists for the current day, new information is appended to the log file for that day. The Automatic LiveUpdate Scheduler keeps logs for 14 days. After 14 days, the oldest log is deleted when the current day's log is created.

Understanding LiveUpdate package authentication
LiveUpdate 1.6x and later secures the download process by checking file signatures before delivering any LiveUpdate content to users. In addition, LiveUpdate 1.7 and later secures and authenticates downloaded packages to each client, server, and gateway. Each update is accompanied by a cryptographic signature, which is signed using a private key that is stored on a secure Symantec server. The resulting digital signature is stored in a signature file, which is compressed into the livetri.zip file along with the catalog file. If the .TRI file is not digitally signed, the authentication process will fail. If any of the authentication checks fail, an error message appears and the activity is recorded in the log file. On Windows NT computers, an error is also written to the NT event log.

Working with LiveUpdate clients Ensuring that Automatic LiveUpdate and scheduled LiveUpdate authenticate

111

Ensuring that Automatic LiveUpdate and scheduled LiveUpdate authenticate
When LiveUpdate runs from either an Automatic LiveUpdate (ALU) or a scheduled LiveUpdate session, you may need to configure the client computer differently to handle these special cases. When LiveUpdate authenticates an HTTP Web server (for HTTPS hosts) or the signer of a LOTS file (only for custom content), it must search the system's certificate store to find a trusted root certificate. By default, when a user installs a trusted root certificate, it is available only from that user account. If the default certificate store is used, a trusted root certificate is not available to other user accounts on that system, including the LocalSystem account under which most services run. ALU and scheduled sessions of LiveUpdate run within the LocalSystem account, and are subject to these limitations. If your CA's certificates are added as trusted roots only for the current user account, then LiveUpdate may experience one of the following errors when not running within the same account:
Server not trusted This happens when LiveUpdate is configured to connect to an HTTPS host whose certificate was issued by a CA that is not a trusted root. This happens when LiveUpdate is configured to use custom content, and has a LOTS file signed by a certificate that was issued by a CA that is not a trusted root.

Failed to authenticate custom content

If your trusted root certificate is not one of the default trusted roots provided by Microsoft, then you need to add your trusted root certificate manually to ensure that it is available to all users. For example, if you issued your HTTPS Web server certificate or your LOTS signing certificate from an in-house certificate authority (CA), you need to add these certificates as trusted roots on all LiveUpdate client systems that connect to your HTTPS server or that use your LOTS file. If your certificates were issued by commercial CAs that are not installed by default in Microsoft's trusted root certificate store, you also need to add them as trusted roots. To avoid having to add trusted root certificates so that LiveUpdate works properly, you should obtain these certificates from well-known CAs that are installed in Microsoft's default trusted root certificate store, such as VeriSign.

In the Certificates snap-in window. Click Finish. in the left pane. Click Local computer. and then click Next. Expand Trusted Root Certification Authorities. In the Microsoft Management Console. on the File menu. click Add/Remove Snap-in. under Available Standalone Snap-ins. click Next. In the Add/Remove Snap-in dialog box. and then click Add. and then click Install Certificate. In the Add Standalone Snap-in dialog box. In the Select Certificate Store dialog box. You can do this in the following ways: ■ ■ By using the Microsoft Management Console By using the Certificate Import Wizard To add trusted root certificates using the Microsoft Management Console 1 2 3 4 5 6 7 8 9 In the Microsoft Management Console. . click Add. and then click Place all certificates in the following store. Expand Trusted Root Certification Authorities. click Certificates. and then click All Tasks > Import. click Computer Account. Follow the on-screen prompts in the Certificate Import Wizard to import your trusted root certificate file. 10 Right-click the Certificates folder. and then click Close.112 Working with LiveUpdate clients Ensuring that Automatic LiveUpdate and scheduled LiveUpdate authenticate Adding trusted root certificates You can make new trusted root certificates available to all accounts on a computer by adding them to the Local Machine certificate store. Allow the certificate to be placed in the default certificate store Trusted Root Certification Authorities. In the Certificate Import Wizard. right-click the trusted root certificate file. To add trusted root certificates using the Certificate Import Wizard 1 2 3 4 5 In Windows Explorer. Click OK. expand Certificates (Local Computer). Click Browse. rather than to the current user certificate store (the default). click Show physical stores.

exe /fUpdate /s Retrieve virus definitions silently. you are not notified. and then click OK. Note: LiveUpdate does not display error messages when it runs in silent mode.exe /fVirusdef /s Retrieve product updates silently. Accessing LiveUpdate in the Control Panel in Windows XP 64-bit LiveUpdate is in a different location in the Windows XP 64-bit Control Panel. vpdn_lu. To run LiveUpdate from a command line or scheduler ◆ At the command line. . click Next. and then click Finish.x clients from a command line or a scheduler. LiveUpdate should now be able to access the trusted root when running under any account on the local computer. In the Certificate Import Wizard.exe /s Retrieve product updates and definitions silently.exe with the following parameters: /s Retrieve definitions and product updates in silent mode. Filter out definitions updates. type vpdn_lu. vpdn_lu.Working with LiveUpdate clients Running LiveUpdate from a command line or scheduler 113 6 7 Click the Local Computer folder. Filter out product updates. This enables the custom content and HTTPS hosts features to work properly under any account on the computer. Running LiveUpdate from a command line or scheduler You can run a LiveUpdate session for Symantec AntiVirus 8. If LiveUpdate fails. including ALU and scheduled LiveUpdates. /fUpdate /fVirusdef Some examples are as follows: vpdn_lu.

you do not see the correct folders. running Automatic LiveUpdate under a user account enables it to provide authentication credentials to servers that may require them. or certain types of Central LiveUpdate servers. To configure the Automatic LiveUpdate Scheduler service 1 2 3 4 5 6 7 On the Windows Control Panel. On the General tab. On the Log On tab. the Automatic LiveUpdate Scheduler service is installed to run under the LocalSystem account. click Symantec LiveUpdate. The LocalSystem account is not a user account. In addition. specify a user or domain account.114 Working with LiveUpdate clients Configuring the Automatic LiveUpdate Scheduler service To access LiveUpdate in the Control Panel in Windows XP 64-bit 1 On the Windows taskbar. In the Administrative Tools window. Click OK. double-click Services. click This account. If you select Control Panel from Windows Explorer. and then click Properties. In the Select User dialog box. In the Control Panel window. double-click Administrative Tools. Configuring Automatic LiveUpdate to run under a user account enables Automatic LiveUpdate to access internet settings. as they are maintained on a per-user basis. The LocalSystem account does not normally have access to Microsoft internet settings (specified using Internet Explorer). SSL certificates. Configuring the Automatic LiveUpdate Scheduler service By default. including Microsoft internet settings. and does not maintain any user information. including proxy server information. click Automatic. click Start > Control Panel. then click Browse. and dial-up network connections. in the Startup type box. 2 3 Click View x86 Control Panel icons. Right-click on the Automatic LiveUpdate Scheduler service. such as Microsoft Proxy Servers. .

The temporary directory and files are then removed. When Java LiveUpdate runs. it connects to the server that is specified in the host file or in liveupdate. .tri files are extracted. For each update that is found. unzipped. The packages are authenticated. and automatically fails over to the next host if it finds that the server is unreachable. Java LiveUpdate determines if there are updates available for the specified products. The zipped catalog file (livetri. a temporary directory is created under the local package directory into which the zipped files are copied. It tries each of the servers in the order in which they are listed in the Java LiveUpdate configuration file.zip) is downloaded into the local package directory and the LiveUpdt. and Macintosh®. UNIX®. and installed. Java LiveUpdate functions similarly to the Win32 version of LiveUpdate. Java LiveUpdate tracks configuration information about multiple LiveUpdate servers or hosts.Chapter 7 Using Java LiveUpdate This chapter includes the following topics: ■ ■ ■ ■ ■ About Java LiveUpdate Configuring Java LiveUpdate Running Java LiveUpdate from the command line Enabling Java LiveUpdate logging on Linux servers Importing SSL certificates into the Java keystore About Java LiveUpdate Java LiveUpdate is the Symantec technology that provides LiveUpdate services on Windows server products and non-Win32 operating systems such as AS/400®. Java LiveUpdate is automatically installed with Symantec products on these operating systems.conf. Solaris™.

Java LiveUpdate requires Java Runtime Edition 1. SESA employs data collection services for events that Symantec security products generate.conf <parameters> See “Java LiveUpdate command-line switches” on page 122. See “Java LiveUpdate command-line switches” on page 122. Java LiveUpdate creates it and uses the working directory as the local package directory.conf are ignored. For more information about SESA.1. unless the -k command-line switch is specified. Configuring Java LiveUpdate By default.conf: UNIX Win32 /etc/liveupdate.8 or later.conf file. all of the transport-related entries in liveupdate. Java LiveUpdate gets its configuration information from the liveupdate. You can specify a different configuration file with the -c command-line switch. hostfile The full path to a legacy host file (Liveupdt. The local package directory is removed when Java LiveUpdate exits. If the working directory does not exist.jar LiveUpdate -c /home/james/liveupdate.116 Using Java LiveUpdate Configuring Java LiveUpdate Java LiveUpdate also integrates into the Symantec™ Enterprise Security Architecture (SESA™) event management system. The following are the locations of liveupdate. Table 7-1 Parameter workdir Parameters in liveupdate. . see the Symantec Enterprise Security Architecture Installation Guide and the Symantec Enterprise Security Architecture Administration Guide.hst) that is generated by the LiveUpdate Administration Utility.conf Description The working directory on the client computer.conf \Documents and Settings\All Users\Application Data\Symantec\Java LiveUpdate\liveupdate. For example: java -classpath jlu. and the information from the specified host file is used instead.conf Table 7-1 shows the parameters that you can set when you configure Java LiveUpdate. Java LiveUpdate creates a local package directory under the specified working directory. If a host file is specified.

If this parameter is set to anything other than True in the shared liveupdate. no log file is created. If this setting is omitted. The name of a proxy server.conf (continued) Description The full path to the log file that Java LiveUpdate uses to log events and errors. The URLs of external Symantec server support. If this file is omitted. in kilobytes (KB). This setting is not supported for FTP. Addr is the TCP/IP address of the proxy server and :port is the TCP/IP port on which the proxy server is listening. The user name to use when you log on to the specified proxy server. Java LiveUpdate looks for its JAR file in the LiveUpdate subdirectory that is immediately under the Symantec directory. The default port is 80. This setting is not supported for FTP. This setting is not supported for FTP. The password that is associated with the specified proxyusername account. For example: proxy=addr:port.conf file. The full path to the jlu. where the port number is optional. If this parameter is 1 (true). Java LiveUpdate uses the URL= lines in the TRI file when it uses HTTP to download packages. Java LiveUpdate ignores the URL= lines in the TRI file. This parameter and the URL= lines are ignored if FTP is specified as the protocol. Java LiveUpdate ignores the -c switch and host file setting. This setting is needed only if your proxy server requires a logon password. The location of the Symantec directory is specified by the BaseDir parameter in the Symantec Shared section of the Symantec global configuration file /etc/Symantec. Java LiveUpdate discards older log entries once the log file exceeds the specified maximum size.Using Java LiveUpdate Configuring Java LiveUpdate 117 Table 7-1 Parameter logfile Parameters in liveupdate. jar urls proxy proxyusername proxypassword maximumLogFileSize AllowConfigurationOverride . The maximum allowed log file size.jar file.conf. By default. This setting is needed only if your proxy server requires a logon user name. Java LiveUpdate returns an error immediately if it cannot locate its JAR file. The default log file size is 1024 KB. The setting that is used to tell Java LiveUpdate to use the -c command-line switch and hostfile setting.

This setting is disabled by default. The entry is encrypted by Java LiveUpdate. The logon that is used to download the LOTS file (if authentication is required) for custom content.conf (continued) Description The URL of a LiveUpdate server. hosts/<host#>/login hosts/<host#>/password ConnectionTimeout ConnectionReadTimeout PREFS_CUSTOM_CONTENT LOTS/LOTS_HTTPS_URL LOTS/LOGIN LOTS/PASSWORD . The password to use when logging on to a LiveUpdate server using FTP. If set to 0. This optional setting is ignored for all other transports. This optional setting is ignored for all other transports. starting with 0 through 9. You may specify a nonstandard port for HTTP servers and a package directory for both FTP and HTTP servers. The default value is 30000 (30 seconds). The entry is encrypted by Java LiveUpdate. This setting replaces the following Java LiveUpdate 1.118 Using Java LiveUpdate Configuring Java LiveUpdate Table 7-1 Parameter hosts/<host#>/url Parameters in liveupdate. If set to 1.10 settings: ■ ■ ■ ■ ■ protocol host packagedir login password hosts/<host#>/access The local or mapped directory to access for updates. The password that is used to download the LOTS file (if authentication is required) for custom content. Java LiveUpdate supports up to 10 servers. The connection timeout in milliseconds that Java LiveUpdate will wait for responses from the LiveUpdate server once a connection has been established. The status of custom content. The URL from which to download the LOTS file for custom content. The path may be a full local path or a UNC share. The default value is 60000 (60 seconds). custom content is enabled. The user name to use when logging on to a LiveUpdate server using FTP. The connection time in milliseconds that Java LiveUpdate will wait when it attempts to connect to a LiveUpdate server. custom content is disabled.

a LOTS file is copied only if it is more recent than the one on the client.jar in <Program Files Folder>\<Common Files Folder>\Symantec Shared\Java LiveUpdate. you must specify its location using the jar parameter. If this is set to YES (the default).extlog/host#] enableSyslogLocalization Java LiveUpdate configuration guidelines You must specify the working directory on the client computer using the workdir parameter.jar in the LiveUpdate subdirectory immediately under the Symantec directory that is specified in /etc/Symantec. If you are not using a legacy host file. If this is set to NO. This entry may be included only one time in the configuration file. The URL that is used to send logs to Symantec Gateway Security (SGS). providing that a LOTS file already exists. you must type the full path to the host file. If this parameter is set to YES. The default value is NO.conf. Java LiveUpdate searches for jlu. The only parameters that are required in the configuration file are the workdir and the hostfile settings. the LOTS file on the client is always overwritten with a new copy. This setting enables specified external logons if the list is not empty. extlog/host#/url=syslog: //<address>[:<port>] extlog/host#/url=sgs The host address and port of the system log to which Java LiveUpdate sends logs. Java LiveUpdate searches for jlu.jar file does not exist in the directory. If you want to use a legacy host file. For UNIX platforms. the workdir and the hosts/<host#>/url setting must be specified.conf (continued) Description The parameter that determines when to copy a LOTS file. extlogdest=extlog host#[. If the jlu. the LOTS file on the client is never overwritten. localized messages are enabled. For Win32 platforms. If this parameter is set to OPTIONAL. This allows custom content processing to proceed regardless of download errors.Using Java LiveUpdate Configuring Java LiveUpdate 119 Table 7-1 Parameter LOTS/UPDATE_LOTS_FILE Parameters in liveupdate. . Java LiveUpdate must also be able to find its JAR file. The list of active external logging services. The parameter that determines whether to enable localized messages in the syslog.

Sample liveupdate.0: hostfile=opt/Symantec/LiveUpdate/liveupdt.log jar=/opt/Symantec/LiveUpdate/jlu.yourcompany.com/opt/content/onramp workdir=/tmp logfile=/opt/Symantec/LiveUpdate/liveupdt.conf file on UNIX using Java LiveUpdate 2.symantec.0: hostfile=C:\Documents and Settings\All Users\ Application Data\Symantec\Java LiveUpdate\liveupdt.conf files Following is an example of a liveupdate.120 Using Java LiveUpdate Configuring Java LiveUpdate If a setting is followed by :ENC.hst hosts/0/url=http://liveupdate.symantecliveupdate. if the :ENC tag is missing.0 and later automatically encrypts the login and password settings each time that Java LiveUpdate runs.symantecliveupdate.com:80 hosts/2/login:ENC=b3effee10d982d2c7449c810c hosts/2/password:ENC=19d3d3v3c123333898dcf293d hosts/2/url=ftp://update. The settings that may be encrypted are as follows: ■ ■ ■ ■ ■ ■ ■ ■ login password proxyusername proxypassword hosts/<host#>/login hosts/<host#>/password LOTS/LOGIN LOTS/PASSWORD Java LiveUpdate 2.com:80 hosts/1/url=http://liveupdate.conf file on Win32 using Java LiveUpdate 2.jar urls=1 proxy=proxy.hst hosts/0/url=http://liveupdate. the value has been encrypted by Java LiveUpdate.com:80 .symantec.com:8080 proxyusername=joe proxypassword=geer132 maximumLogFileSize=512 AllowConfigurationOverride=true Following is an example of a liveupdate.

log workdir=C:\Documents and Settings\All Users\Application Data\ Symantec\Java LiveUpdate\Downloads jar=c:\Program Files\Common Files\Symantec Shared\Java LiveUpdate\jlu. ■ .conf file.yourcompany.com workdir=/tmp jar=/opt/Symantec/LiveUpdate/jlu.jar urls=1 proxy=proxy.hst file using the LiveUpdate Administration Utility.com:80 hosts/2/login:ENC=b3effee10d982d2c7449c810c hosts/2/password:ENC=19d3d3v3c123333898dcf293d hosts/2/url=ftp://update.com/opt/content/onramp logfile=C:\Documents and Settings\All Users\Application Data\ Symantec\Java LiveUpdate\liveupdt. which is separately supplied and installed. an HTTP connection is made to the Symantec server.Using Java LiveUpdate Configuring Java LiveUpdate 121 hosts/1/url=http://liveupdate.log proxy=proxy.symantec.10 is not supported on Windows): protocol=HTTP host=liveupdate.jar logfile=/opt/Symantec/LiveUpdate/liveupdt. This Liveupdt. Create a new Liveupdt.conf settings to point to an existing Liveupdt.proxy. This server can use either an FTP or HTTP protocol connection. By default.symantec.10 (Java LiveUpdate 1.com:8080 proxyusername=joe proxypassword=geer132 urls=1 Configuring Java LiveUpdate to use a Central LiveUpdate server LiveUpdate operation is controlled by settings in the liveupdate. You can use a Central LiveUpdate server instead of the Symantec server by doing one of the following: ■ Change the liveupdate.com:8080 proxyusername=joe proxypassword=geer132 maximumLogFileSize=512 AllowConfigurationOverride=true Following is an example of a liveupdate.yourcompany.conf file on UNIX using Java LiveUpdate 1.hst file.hst file was created earlier to use an existing internal Central LiveUpdate server.symantecliveupdate.

jar. For more information. password.conf settings to point to an existing Liveupdt. type the following: java <classpath> jlu. protocol. it may be necessary to run Java LiveUpdate manually from the command line. which runs under Windows. To create a new Liveupdt. add the following line: hostfile=<full path to the . . See “Creating a LiveUpdate host file for clients” on page 40.conf file. Java LiveUpdate command-line switches Table 7-2 lists the command-line options that are available for Java LiveUpdate.hst file using the LiveUpdate Administration Utility ◆ Use the LiveUpdate Administration Utility (LUAdmin).conf before you modify it. For more information. Running Java LiveUpdate from the command line At times. see the LiveUpdate Administrator's Guide.conf. and proxy) are ignored.hst file on the client> If the hostfile= parameter is included in liveupdate.122 Using Java LiveUpdate Running Java LiveUpdate from the command line See “Configuring Java LiveUpdate to use a Central LiveUpdate server” on page 121. all of the settings that relate to transport (host.hst file ◆ In the liveupdate. see the LiveUpdate Administrator's Guide. To change the liveupdate.hst file is used instead. Warning: Do not run Java LiveUpdate from the command line unless you have been instructed to do so by Symantec Technical Support.jar LiveUpdate<options> where <classpath> is the full path to jlu. and data from the . logon. Warning: Make a backup copy of liveupdate. To run Java LiveUpdate from the command line ◆ At the command prompt.

For example: java -classpath jlu.jar LiveUpdate -c /home/lufiles/liveupdate. S/390®. Linux®. proxyusername. -c <full path to configuration file> This switch is used to specify a configuration file other than the default (/etc/liveupdate. and AIX®.Using Java LiveUpdate Running Java LiveUpdate from the command line 123 Table 7-2 Option -version Java LiveUpdate command-line options Description This switch prints information about the version of Java LiveUpdate to stdout. For example: java -classpath jlu. followed by the version number (1. password.conf -r /home/lufiles/ liveupdate_enc. Possible values for the operating system are Windows®. Use the -c switch to encrypt a specific configuration file other than default /etc/liveupdate.1) and the build number (9).conf file.jar LiveUpdate -c /home/lufiles/liveupdate. Macintosh. Java LiveUpdate exits immediately after printing the version information. Solaris. For example: java -classpath jlu.jar LiveUpdate -version The output is similar to the following: JLU Windows 1. The encrypted version of the configuration file is copied over the existing liveupdate. .conf. -d This switch enables debug mode with trace output to stdout. AS/400. and proxypassword settings.1 9 A general description of the operating system is printed.conf On S/390 and AS/400. the -e switch should also be used to specify a specific character encoding.conf).conf -r This switch is used to encrypt the logon. Java LiveUpdate exits immediately after creating the encrypted configuration file.

these files are deleted. If the syslog server is different from the server running Java LiveUpdate. For S/390. If you use debug mode. . Configure the syslog startup options.conf If the -e parameter is not specified. the name of the encoding is CP307.124 Using Java LiveUpdate Enabling Java LiveUpdate logging on Linux servers Table 7-2 Option Java LiveUpdate command-line options (continued) Description This switch is used to specify a character encoding for the configuration file. the ASCII character encoding. Otherwise. The following is an example of the parameter used for AS/400: java -classpath jlu. See “Support for EBCDIC character encoding” on page 124. you must do the following: ■ ■ ■ Create a entry in syslog. Java LiveUpdate indicates which code page is being used. The default when this parameter is not used is ISO-8859-1.jar LiveUpdate -e CP037 -c \etc\liveupdate. the default ASCII character encoding is used for all files.conf for logging Java LiveUpdate messages. See “Configuring startup options” on page 125. you must restart the server for the changes to take effect. In order to receive Java LiveUpdate messages. Finally. Create a messages log file. -e <character encoding> -k This switch is used to prevent the deletion of the temporary files that are retrieved from the LiveUpdate server and stored in the package directory that is specified by the workdir setting. you must also modify the firewall to allow inbound traffic on port 514. Support for EBCDIC character encoding You must pass the command-line parameter -e <encoding> to indicate the character encoding of the CONF files on your platform to Java LiveUpdate. a Linux syslog server is not configured to receive messages from remote clients. the name of the encoding is CP1047. For AS/400. Enabling Java LiveUpdate logging on Linux servers By default.

To create a jlu.* /var/log/jlu.conf for logging Java LiveUpdate messages ◆ In the syslog configuration file (/etc/syslog. once for klogd to decode. and # once for processing with 'ksymoops' # -x disables all klogd processing of oops messages entirely . # -r enables logging from remote machines # -x disables DNS lookups on messages received with -r # See syslogd(8) for more details SYSLOGD_OPTIONS="-m 0 -r -x" # Options to klogd # -2 prints all kernel oops messages twice.* and the name of the file. For example: local0.conf). It also checks the /etc/sysconfig/syslog to determine the various modes in which it should operate. Syslog listens for remote messages when you add the variable -r to SYSLOGD_OPTIONS and -x to disable DNS lookups on messages that are received with -r.conf file to determine the expected names and locations of the log files that it creates. Use tabs to separate the expressions. The following is an example of a syslog. type local0.log Warning: Do not use spaces between local0. and then type the file that you want to send the messages to.conf file: # Options to syslogd # -m 0 disables 'MARK' messages.log Configuring startup options Syslog checks the /etc/syslog.log file ◆ At the command line.Using Java LiveUpdate Enabling Java LiveUpdate logging on Linux servers 125 To create an entry in syslog. type the following: touch /var/log/jlu.

group root. start iptables if necessary. $IFACE is your external ethernet interface (eth0). and then add the following rule to be used on the logging server (the computer that receives syslog messages): -A INPUT -o $IFACE -p udp -s $LOGCLIENT -d $MYIP --dport 514 -j ACCEPT In this example. you should limit /etc/sysconfig/iptables to the client systems that send logs to you. For example: chown root:root /etc/sysconfig/iptables . manually add the following line to the /etc/sysconfig/iptables file: -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 514 -j ACCEPT This line should precede any reject lines.126 Using Java LiveUpdate Enabling Java LiveUpdate logging on Linux servers # See klogd(8) for more details KLOGD_OPTIONS="-2" Note: Make sure that SYSLOGD_OPTIONS contains -r -x. To ensure that you receive only legitimate log entries. ■ If you are using Red Hat®. Configuring firewall rules in /etc/sysconfig/iptables You need to modify your firewall to allow inbound traffic on UDP port 514. To configure firewall rules in /etc/sysconfig/iptables 1 Do one of the following: ■ If you are using Linux. $MYIP is the IP address of the server that you are adding this iptables rule to. and $LOGCLIENT is the IP address of the computer that sends messages. 2 Confirm that your iptables configuration file is owned by user root. This rule assumes a default OUTPUT policy of DENY.

0 0.d/syslog restart 5 To verify that the syslog daemon is running. the second line is the command.0 0. type the following: /etc/init.0 3664 548 pts/0 S 09:34 0:00 grep -F syslog The first line confirms that the syslog daemon process is up and running. You can determine if a problem exists on the syslog side.log This configures Linux to run in promiscuous mode so that it receives all messages.Using Java LiveUpdate Enabling Java LiveUpdate logging on Linux servers 127 3 Change the permissions of your iptables configuration file to read/write by user root only. or if a rule is missing for remote logging on a computer that has a firewall.d/iptables restart ■ To restart syslog.0 1576 616 ? S Nov09 0:00 syslogd -m 0 root 18738 0. type the following command: ps -aux | fgrep syslog The output should be similar to the following: root 1662 0. . at the command line. do both of the following: ■ To restart iptables. For example: chmod 600 /etc/sysconfig/iptables 4 To allow the changes to take effect. type the following: /etc/init.log file. logs in ASCII format with increased verbosity to the tcpdump. For example: tcpdump -a -vv -I -p -c 1000 > tcpdump. at the command line. and then exits after 1000 packets are logged. Verifying syslog messages You can use tcpdump to verify that syslog messages arrive at the server.

syslog udp. If no Java LiveUpdate messages are making it to the syslog destination. 2 3 Type the password for the Java keystore. . For example. <full_path> is <JAVA_HOME>\lib\security\cacerts. there may be a firewall on the syslog computer that is blocking the syslog port. See “Working with the Custom Content Publishing Application” on page 148.log | grep -v "\^" | grep udp This should return values similar to either .128 Using Java LiveUpdate Importing SSL certificates into the Java keystore To verify syslog messages ◆ At the command line. and <root_cert_file_name> is the full path and file name of the . type the following: cat tcpdump. in the <JAVA_HOME>/bin directory. the default <JAVA_HOME> directory is /usr/java/<JRE Version>/bin. the problem must be that something other than that the syslog configuration is preventing JLU syslog messages from reaching the syslog target. > . When you are prompted to accept the certificate. By default.syslog udp. > .514 udp or .cer file. To import an SSL certificate into the Java keystore 1 At the command line.514 udp or . > . Importing SSL certificates into the Java keystore To run Java LiveUpdate with custom content and LOTS file support. The certificate must be in the form of a . > .cer file. type the following: keytool -import -trustcacerts -alias <alias_name> -keystore <full_path>\cacerts -file <root_cert_file_name> where <alias_name> is a unique alias for the certificate that you are importing. On Linux/UNIX. yet the tcdump log displays lines similar to . the default <JAVA_HOME> directory is /Program Files/<JRE Version>/bin. the password is changeit. On Windows. click Yes. See “Using the LOTS Manager” on page 152. you need to import the Root CA certificate or the server certificate for the HTTPS server that you want to connect to.

Chapter 8 Incorporating LiveUpdate with Intel Active Management Technology This chapter includes the following topics: ■ ■ ■ ■ ■ ■ ■ ■ ■ About Intel Active Management Technology and LiveUpdate About LiveUpdate Intel AMT client files About setting up the BIOS on the Intel AMT computer Running sysprovision.exe Running the Symantec Provisioning Tool Starting a LiveUpdate session Installing the LiveUpdate Administrator for Intel AMT program Using the LiveUpdate Administrator for Intel AMT console Running luamtscan. even if individual computers or entire systems are not functioning.exe About Intel Active Management Technology and LiveUpdate Intel Active Management Technology (AMT) is the Intel technology that allows IT departments to remotely manage and protect networked computers and data. When computers on the network are turned off or have non-operational operating .

Run luamtscan. You access this console to display and filter your scan data. Intel AMT can still maintain access to them for management and protection purposes. Install the LiveUpdate Administrator for Intel AMT program. See “About setting up the BIOS on the Intel AMT computer” on page 131. You can either start a new scan directly in the console or open an existing . You run LiveUpdate on the Intel AMT computer so that the Symantec Storage Management APIs can update the inventory information in the Intel AMT storage. ■ ■ ■ ■ ■ ■ .exe” on page 132. See “Using the LiveUpdate Administrator for Intel AMT console” on page 139. you perform the following tasks: ■ Set up the BIOS on the Intel AMT computer. You run this command-line utility to retrieve LiveUpdate data. Start a LiveUpdate session. Run the Symantec Provisioning Tool. See “Running sysprovision. To make use of Intel AMT. See “Running luamtscan. See “Installing the LiveUpdate Administrator for Intel AMT program” on page 139. LiveUpdate inventory information is stored in the nonvolatile Intel AMT storage to allow you remote access.exe.exe ” on page 142. You run this command-line utility to set your enterprise name on the Intel AMT computer before you run any of the other Symantec tools. You run this command-line utility to allocate Intel AMT storage for Symantec use before you distribute computers to your end users. See “Starting a LiveUpdate session” on page 137.exe. You have to configure the BIOS to activate Intel AMT on the Intel AMT computer. See “Running the Symantec Provisioning Tool” on page 134.130 Incorporating LiveUpdate with Intel Active Management Technology About Intel Active Management Technology and LiveUpdate systems.xml file that was created by luamtscan. such as which Symantec products are installed or which computers are up to date with virus definitions. Intel AMT also provides nonvolatile storage for data during power outages and system rebuilds. Run sysprovision.exe. from one or more remote Intel AMT-enabled systems. Use the LiveUpdate Administrator for Intel AMT console.

Table 8-1 File SymAMTTools. that are necessary to use Intel Active Management Technology (AMT).intel.txt luamtscan.exe sysprovision.exe LiveUpdate Intel AMT client files Description Installer file that extracts the following files: ■ ■ ■ ■ ■ README. see the Intel Active Management Technology Basics documentation on the Intel support Web site at the following URL: http://www. You must do the following to set up the BIOS properly: .com/support/motherboards/ desktop/sb/cs-020828. in addition to the basic LiveUpdate 3.jar (the LiveUpdate Administrator for Intel AMT program) symantecprovision.exe luamt.exe sysprovision.htm Note: The Intel AMT computer must have a static IP address. you need to configure all network-related settings in the BIOS of the Intel AMT computer. See “Installing the LiveUpdate Administrator for Intel AMT program” on page 139. you activate Intel AMT on the Intel AMT computer.0 client files.exe Symantec Provisioning Tool that you can use to allocate Intel AMT storage for Symantec use Tool with which you can scan one or more Intel AMT computers on your network Program that sets up the enterprise name on the Intel AMT computer luamtscan.Incorporating LiveUpdate with Intel Active Management Technology About LiveUpdate Intel AMT client files 131 About LiveUpdate Intel AMT client files Table 8-1 lists the files. In this way.exe symantecprovision. About setting up the BIOS on the Intel AMT computer To make use of the various Intel AMT LiveUpdate tools. For more information on the configuration of your Intel AMT firmware.exe You must copy these files to a single directory in order to properly install the LiveUpdate Administrator for Intel AMT program.

Note: You cannot run sysprovision.exe Description This argument specifies the type of operation that you want to perform. By default. Type the host name of the Intel AMT computer.exe.exe You must run this command-line utility to set your enterprise name on the Intel AMT computer before you run any of the other Symantec tools.exe locally on the Intel AMT computer. Type the following for the Intel AMT computer: ■ ■ ■ ■ ■ ■ ■ ■ ■ IP address Network mask Gateway address Primary DNS Secondary DNS Domain name Running sysprovision. ■ . Table 8-2 Argument -entopt=<operation> Command-line arguments for sysprovision.132 Incorporating LiveUpdate with Intel Active Management Technology Running sysprovision. You have the following options: list: You can list all of the existing enterprise names on the specified Intel AMT computer. You must run it remotely from another computer. Table 8-2 lists the command-line arguments for sysprovision. Configure the Intel AMT firmware for static access. the user name is Admin and the password is p&ssw0rd. ■ remove: You can remove the enterprise name (specified in the -enterprise argument) from an Intel AMT computer.exe ■ Type the administrative user name and password of the Intel AMT computer. ■ add: You can add the enterprise name (specified in the -enterprise argument) to an Intel AMT computer.

The following is an example of a configuration file that you can use when you run sysprovision. This eliminates the need for you to retype the same information. and then type values for any of the arguments for sysprovision.exe 1 In a text editor.exe You can create a configuration file that contains all of the command-line arguments that you want to use. This argument specifies the user name of the Intel AMT computer. This argument specifies the host name or IP address of the Intel AMT computer.exe 133 Table 8-2 Argument Command-line arguments for sysprovision. The arguments in the configuration file always override any other command-line arguments if you use them both at the same time. This argument specifies the password of the Intel AMT computer.exe remotely: -enterprise=Intel -user=Admin -password=Password To create a configuration file for use with sysprovision. This argument lists all of the other available arguments.exe (continued) Description This argument lets you access a previously created configuration file that contains all other arguments.exe” on page 133. Type each argument on a separate line.Incorporating LiveUpdate with Intel Active Management Technology Running sysprovision. See Table 8-2 on page 132.exe. -config=<configfile_name> -enterprise=<EnterpriseName> This argument determines the enterprise name that you want to add or remove. See “Creating a configuration file for use with sysprovision. open a new file. 2 Save the file with a unique name and any extension that you want. . -user=<username> -password=<-password> <Host name or IP address> -? Creating a configuration file for use with sysprovision.

You run the Symantec Provisioning Tool either locally on the Intel AMT computer or remotely from another computer by using the command-line arguments that are listed in Table 8-3. Note: Before you run the tool.exe -entopt=<operation> -config=<configfile_name> <Host name or IP address> ■ If you are not using a configuration file.134 Incorporating LiveUpdate with Intel Active Management Technology Running the Symantec Provisioning Tool Running sysprovision. you must wait 60 minutes. Type the following: ■ If you are using a configuration file. During provisioning.exe remotely 1 2 On a remote computer.exe remotely You cannot run sysprovision. if you receive an error message indicating that the write limit has been exceeded. This tool allocates the specified storage (currently 24 KB) for Symantec application use during the computer provisioning phase. . You must run it remotely from another computer. The write limit is an Intel hardware setting and cannot be changed.exe. and provides the proper authorization and security protection for this storage space from other vendors' applications. type the following: sysprovision.exe locally on the Intel AMT computer.exe -entopt=<operation> -enterprise=<EnterpriseName> -user=<username> -password=<password> <Host name or IP address> See Table 8-2 on page 132. type the following: sysprovision. you must make sure that the Intel AMT computer has a static IP address. navigate to sysprovision. at the command line. and then run the Symantec Provisioning Tool again. To run sysprovision. Running the Symantec Provisioning Tool The Symantec Provisioning Tool is a utility that you can use to allocate Intel AMT storage for Symantec use before you distribute computers to your end users.

-? Creating a configuration file to provision a range of computers If you want to provision a range of computers. you can create a configuration file that contains all of the command-line arguments that you want to use. -user=<username> This argument specifies the user name of the Intel AMT computer. This argument lists all of the other available arguments. It is required for remote provisioning.LiveUpdate file. It must match the enterprise name that you add to the Settings. There is no default password. <Host name or IP address> This argument specifies the host name or IP address of the Intel AMT computer. The following is an example of a configuration file that you can use when you run the Symantec Provisioning Tool remotely: . This is the easiest way to provision a range of computers. See “Starting a LiveUpdate session” on page 137.Incorporating LiveUpdate with Intel Active Management Technology Running the Symantec Provisioning Tool 135 Table 8-3 Argument Symantec Provisioning Tool command-line arguments Description This argument lets you access a previously created configuration file that contains all other arguments. See “Creating a configuration file to provision a range of computers” on page 135. No user name is required for local provisioning. It is required for remote provisioning. This eliminates the need for you to retype the same information for each new computer. There is no default user name. -password=<password> This argument specifies the password of the Intel AMT computer. The arguments in the configuration file always override any other command-line arguments if you use them both at the same time. -config=<configfile_name> -enterprise=<EnterpriseName> This argument is different for each user. No password is required for local provisioning.

type the following: . type the following: symantecprovision. navigate to the Symantec Provisioning Tool. open a new file. at the command line. at the command line. Note: No user name or password is required for local provisioning.136 Incorporating LiveUpdate with Intel Active Management Technology Running the Symantec Provisioning Tool -enterprise=Intel -user=Admin -password=Password To create a configuration file to provision a range of computers 1 In a text editor. Running the Symantec Provisioning Tool locally You can run the Symantec Provisioning Tool locally on the Intel AMT computer. To run the Symantec Provisioning Tool remotely 1 2 On a remote computer. type the following: symantecprovision. Running the Symantec Provisioning Tool remotely You can run the Symantec Provisioning Tool remotely from a computer other than the Intel AMT computer. 2 Save the file with a unique name and any extension that you want.exe -config=<configfile_name> localhost ■ If you are not using a configuration file. Do one of the following: ■ If you are using a configuration file. Type each argument on a separate line. To run the Symantec Provisioning Tool locally 1 2 On the local Intel AMT computer. and then type values for any of the arguments for the Symantec Provisioning Tool.exe -enterprise=<EnterpriseName> localhost See Table 8-3 on page 135. navigate to the Symantec Provisioning Tool. Do one of the following: ■ If you are using a configuration file. See Table 8-3 on page 135.

At the start of a LiveUpdate session. and install new available updates.exe -config=<configfile_name> <Host name or IP address> ■ If you are not using a configuration file. or modification of sequence information for any PVL.0). Each registered product from the product inventory. Note: You can only run LiveUpdate locally on the Intel AMT computer. the Symantec Storage Management APIs update the inventory information in the Intel AMT storage. The following LiveUpdate data is sent to Intel AMT memory: ■ ■ The format revision of the data (for example. this will be listed as success. download. removal. . This information includes the following: ■ ■ ■ ■ ■ The registered product name (not the displayed or friendly name). The product version. LiveUpdate loads the most recent LiveUpdate Intel AMT data by using the SymcStorage API from Intel AMT storage. More often than not.exe -enterprise=<EnterpriseName> -user=<username> -password=<password> <Host name or IP address> See Table 8-3 on page 135. Any time that there is a change to the LiveUpdate product inventory. 1. The date and time stamp that shows when the LiveUpdate data was last written to the Intel AMT memory. and the addition.Incorporating LiveUpdate with Intel Active Management Technology Starting a LiveUpdate session 137 symantecprovision. For example. LiveUpdate updates the internal representation of the LiveUpdate Intel AMT data block and marks changes wherever they occur. or LiveUpdate has been run to check for. The result code of the last run of LiveUpdate. changes to the LiveUpdate product inventory can occur when a product makes a call to add or remove product registration information. including the addition or removal of Product/Version/Language (PVL) entries. but there can be partial success when multiple updates are downloaded. The product language. type the following: symantecprovision. This is the last time that anything changed in the LiveUpdate data block. Starting a LiveUpdate session When you run LiveUpdate on the Intel AMT computer.

138

Incorporating LiveUpdate with Intel Active Management Technology Starting a LiveUpdate session

The date and time stamp that shows when the PVL last changed. This is updated when a new PVL is added, or when its tracked sequence information is added, removed, or modified. The sequence information for the PVL. This information includes the following:
■ ■ ■

The sequence name. The sequence data (that is, the sequence number). The date and time stamp that shows when the sequence data last changed. This is updated when sequence information is added or changed.

To run the LiveUpdate Inventory Update, you must do the following:

Add the enterprise name to the Settings.LiveUpdate file. Note: The next time that you open the Settings.LiveUpdate file, the enterprise name will be encrypted. You can also use a Settings.Merge.LiveUpdate file to add the enterprise name to the Settings.LiveUpdate file. This allows you to update multiple computers with new Settings.LiveUpdate information automatically. See “Merging custom settings into the Settings.LiveUpdate file” on page 106.

Run LiveUpdate.

To add the enterprise name to the Settings.LiveUpdate file

1

On the Intel AMT computer, in a text editor, open the Settings.LiveUpdate file. The default location of this file depends on your operating system. See “LiveUpdate client file locations” on page 95.

2

In the Settings.LiveUpdate file, type the following lines:
PREFERENCES\AMT\ENABLE=TRUE PREFERENCES\AMT\ENTERPRISE_NAME=<Your enterprise name>

Note: The enterprise name is case sensitive.

3

Save and close the Settings.LiveUpdate file.

Incorporating LiveUpdate with Intel Active Management Technology Installing the LiveUpdate Administrator for Intel AMT program

139

To run LiveUpdate

1 2

On the Intel AMT computer, run LiveUpdate from any Symantec product that is on the computer (for example, Symantec AntiVirus Corporate Edition). Check the Log.LiveUdpate file to see that it documented the Intel AMT changes. For example:
5/11/2005, 13:04:03 PM GMT -> LiveUpdate will update AMT Memory with its Product Inventory data. ............ ............ 5/11/2005, 13:04:03 PM GMT -> LiveUpdate will update AMT Memory with its Product Inventory data. 5/11/2005, 13:04:04 PM GMT -> LU data changes were written to AMT memory.

Installing the LiveUpdate Administrator for Intel AMT program
To install the LiveUpdate Administrator for Intel AMT program, you must copy the LiveUpdate Intel AMT client files to a directory on the Intel AMT computer. To install the LiveUpdate Administrator for Intel AMT program

1

On the Intel AMT computer, copy the following files to the same directory:
■ ■ ■

symantecprovision.exe luamtscan.exe sysprovision.exe

2

Double-click SymAMTTools.exe. When you are prompted to select a location for luamt.jar, select the same directory.

Using the LiveUpdate Administrator for Intel AMT console
The LiveUpdate Administrator for Intel AMT console displays information about all of the Symantec components that are installed on the specified computers.

140

Incorporating LiveUpdate with Intel Active Management Technology Using the LiveUpdate Administrator for Intel AMT console

You can use either the Summary or Detail view to display this data. You can filter the data by using the Options command. You must use Java 2 Platform Standard Edition 5.0 to run the LiveUpdate Administrator for Intel AMT. You can download it from the following URL: http://java.sun.com You can use the LiveUpdate Administrator for Intel AMT console in the following ways:

Start a new scan directly in the LiveUpdate Administrator for Intel AMT console. Open an existing .xml file that was created by luamtscan.exe.

Note: The Host Up To Date and Component Up To Date columns in the LiveUpdate Administrator for Intel AMT console reflect the current state of the computer in relation to other computers in the network. They do not indicate that the computer is updated with the latest data, such as virus definitions, from Symantec.

Starting a new scan in the LiveUpdate Administrator for Intel AMT console
Starting a new scan in the console is useful when you are scanning only one or a few computers, because you have to type all of the IP addresses that you want to scan manually. If you want to scan many computers (for example, an entire subnet), you should run luamtscan.exe from the command line. See “Running luamtscan.exe ” on page 142. You cannot scan the same computer on which you access the LiveUpdate Administrator for Intel AMT console. Warning: If you exit the LiveUpdate Administrator for Intel AMT console while the scan is in progress, the console closes without any warning and the scan is not completed. To start a new scan in the LiveUpdate Administrator for Intel AMT console

1 2

On a remote computer, double-click luamt.jar. In the LiveUpdate Administrator for Intel AMT console, on the File menu, click New Scan.

Incorporating LiveUpdate with Intel Active Management Technology Using the LiveUpdate Administrator for Intel AMT console

141

3

In the New Scan window, do the following:
AMT enterprise name Hosts to scan Type your enterprise name. Type the IP addresses of the computers that you want to scan. Use spaces to separate ranges of computers. Type the name and password of the super user.

AMT super user

4 5

Click Start Scan. After the scan is finished, view the data in the console, and then on the File menu, click Export to save it as a .csv (comma-delimited) file. You can export data from either the Summary or Detail view.

Opening an existing .xml file that was created by luamtscan.exe
You can open an .xml file that was output from luamtscan.exe and export the data as a .csv (comma-delimited) file. See “Running luamtscan.exe ” on page 142. To open an existing .xml file that was created by luamtscan.exe

1 2 3

On a remote computer, double-click luamt.jar. In the LiveUpdate Administrator for Intel AMT console, on the File menu, click Open to open the XML file that you want to view. To view summary information for the scan, at the top of the LiveUpdate Administrator for Intel AMT console, click Summary. The Summary view includes the following information for each computer that luamtscan.exe scanned:
■ ■ ■

Host Name IPAddress ComputerSystem Product This is the Intel field that identifies the model type of the computer's motherboard. Host Up To Date

4

To view detailed information, at the top of the LiveUpdate Administrator for Intel AMT console, click Detail. The Detail view includes the following information for each computer that luamtscan.exe scanned:

142

Incorporating LiveUpdate with Intel Active Management Technology Running luamtscan.exe

■ ■ ■

Host Name IPAddress ComputerSystem Product This is the Intel field that identifies the model type of the computer's motherboard. Component This is the Product/Version/Language (PVL) entry. Component Value This is the numerical value that indicates the date of the last update for the particular PVL. Component Up-To-Date

5 6

To filter the data that you are viewing, at the top of the LiveUpdate Administrator for Intel AMT console, click Options. In the View Options window, select one or more of the LiveUpdate component types that you want to view. By default, all component types are selected.

7

To determine how a host computer is considered up to date in the Summary view, select one of the following:
■ ■

It has active LiveUpdate components for all the selected types Any components it has for the selected types have downloaded the latest known data Both: It has components for all the selected types, and they have downloaded the latest data

8 9

Click OK. To export the data as a .csv file, on the File menu, click Export. You can export data from either the Summary or Detail view.

Running luamtscan.exe
The luamtscan.exe command-line utility retrieves LiveUpdate data, such as which Symantec products are installed or which computers are up to date with virus definitions, from one or more remote Intel AMT-enabled systems. This utility scans the computer, obtains its LiveUpdate inventory and hardware asset information, and creates an .xml file of the data. Using luamtscan.exe, you can scan a range of computers at a time.

The name cannot be an empty string. The string length must be between 8 and 32 characters.exe Description This argument lets you access a previously created configuration file that contains all other arguments. Table 8-4 lists the command-line arguments for luamtscan. -superpassword=<password> This argument specifies the super user password. <Host name or IP address> This argument specifies the host name or IP address of the Intel AMT computer.LiveUpdate file. It must match the enterprise name that you add to the Settings.exe 143 Note: You cannot run luamtscan.Incorporating LiveUpdate with Intel Active Management Technology Running luamtscan. and both lowercase and uppercase letters. See “Creating a configuration file to scan a range of computers” on page 144. This argument lists all of the other available arguments. -hosts=<host_filename> This argument lets you access a previously created host file that contains the IP addresses of a range of computers. This is the easiest way to scan a range of computers.exe locally on the Intel AMT computer. -superuser=<username> This argument specifies the super user name. -output=<output_XML_file_name> -? . Table 8-4 Argument -config=<config_filename> Command-line arguments for luamtscan. See “Creating a host file to scan a range of computers” on page 144. See “Starting a LiveUpdate session” on page 137. The string length is limited to 16 characters. Note: Non-Unicode characters are not supported. the data is output to the command line. 0 x 20 or above.xml file to which you want to output scanning information. -enterprise=<EnterpriseName) This argument is different for each user. The password must include at least one number. The user name must contain 7-bit ASCII characters. one non-alphanumeric character. This argument specifies the . The colon (:) and quotation mark (") characters are not supported by the HTTP authentication protocol. Note: Non-Unicode characters are not supported.exe. The password must contain 7-bit ASCII characters. If you do not use this argument. 0 x 20 or above. You must run it remotely from another computer.

Creating a host file to scan a range of computers If you want to scan a range of computers. anonymous access is assumed. you can create a host file that contains a range of IP addresses.exe: .exe Note: If no user name or password argument is specified. This eliminates the need for you to retype the same information for each new computer. The following is an example of a configuration file that you can use when you run luamtscan. See Table 8-4 on page 143. Type each argument on a separate line.exe. 2 Save the file with a unique name and any extension that you want. See “Using the LiveUpdate Administrator for Intel AMT console” on page 139. The following is an example of a host file that you can use when you run luamtscan. because you have to type all of the IP addresses that you want to scan manually. open a new file.exe directly from the LiveUpdate Administrator for Intel AMT console.144 Incorporating LiveUpdate with Intel Active Management Technology Running luamtscan. Creating a configuration file to scan a range of computers If you want to scan a range of computers. This method allows you to use the console's graphical user interface and is useful when you are scanning only one or a few computers. You can also invoke luamtscan.exe: -enterprise=Intel -superuser=Admin -superpassword=Password -output=sample. This eliminates the need for you to retype the same information for each new computer. The arguments in the configuration file always override any other command-line arguments if you use them both at the same time. you can create a configuration file that contains all of the command-line arguments that you want to use.xml To create a configuration file to scan a range of computers 1 In a text editor. The arguments in the host file always override any other command-line arguments if you use them both at the same time. and then type values for any of the arguments for luamtscan.

2 Save the file with a unique name and any extension that you want. You must run it remotely from another computer.exe. at the command line.Incorporating LiveUpdate with Intel Active Management Technology Running luamtscan. .exe 145 192. type the following: luamtscan.103 To create a host file to scan a range of computers 1 In a text editor.exe locally on the Intel AMT computer.168. type the following: luamtscan.1.exe remotely 1 2 On a remote computer.exe -config=<configfile_name> -hosts=<host_filename> <Host name or IP address> -output=<output_XML_file_name> ■ If you are not using a configuration file and host file. navigate to luamtscan. open a new file. Type each IP address on a separate line.168. and then type the IP addresses that you want to scan.101 192.exe -enterprise=<EnterpriseName> -superuser=<username> -superpassword=<password> <Host name or IP address> -output=<output_XML_file_name> See Table 8-4 on page 143. To run luamtscan. Do one of the following: ■ If you are using a configuration file and host file.1. Note: You cannot scan the same Intel AMT computer from two different remote computers at the same time.1.102 192.exe remotely You cannot run luamtscan. Running luamtscan.168.

exe .146 Incorporating LiveUpdate with Intel Active Management Technology Running luamtscan.

and authenticates the package to determine if it can be trusted. Using the Custom Content Publishing Application (CCPA). modify. The custom content publishing process consists of users with clearly defined roles. settings for Symantec products. and virus and worm removal tools. including firewall rules for the Symantec Desktop Firewall products. When the LiveUpdate client runs. you create. and publish updates that are uploaded to the Central LiveUpdate server. . Custom content is any type of Symantec product file that you want your clients to receive.Chapter 9 Working with custom content This chapter includes the following topics: ■ ■ ■ ■ ■ About LiveUpdate custom content publishing Working with the Custom Content Publishing Application Using the LOTS Manager Performing administrative tasks Enabling LiveUpdate clients to retrieve custom content About LiveUpdate custom content publishing LiveUpdate custom content publishing lets you use the security features of LiveUpdate to allow client computers to receive custom content. in addition to LiveUpdate virus definitions and product updates. it looks for custom content packages.

CCPA requires Java Development Kit (JDK) version 1. stand-alone Web application that can be run on any Windows computer. You can provide this Signer certificate in the form of either a standard DER-encoded X. A Signer can approve product updates for publishing to a test server. (In this case. You must also have a code-signing certificate for each trusted Signer. A Submitter can define. Roles determine abilities and responsibilities within CCPA. or the actual PKCS #12 keystore file that is used by the Signer. This certificate can be a PKCS #12 keystore file. The CCPA server itself must be a computer that is running Windows 2000 Server SP3 or later. or reject the updates. Submitter Tester Signer Working with the Custom Content Publishing Application The Custom Content Publishing Application (CCPA) is a self-contained. CCPA roles are shown in Table 9-1. Table 9-1 Role Administrator CCPA user roles Description CCPA comes pre-configured with one administrative user. you will need the password that was used to create the PKCS #12 file.x or later. edit. This certificate must chain up to a trusted root certificate authority (CA) that is listed as a trusted root in the system certificate store.509 certificate file. The user name for this predefined Administrator is admin.148 Working with custom content Working with the Custom Content Publishing Application About roles and users The CCPA Administrator assigns a role to each system user. you will need a certificate to sign the LOTS file.) In addition. or it can be selected from the local system certificate store. A Tester can accept or reject product updates that are uploaded to the test LiveUpdate server.4. depending on the outcome of the testing process. and submit product updates to be tested by a Tester and published by a Signer. . The testing process is optional. approve publishing to the production server. The Administrator can create user profiles and assign roles to all other CCPA users.

it first checks for an updated LOTS file. CCPA files are installed in the following location: C:\Program Files\Symantec\CCPA By default. When CCPA is installed to an HTTPS server. Ensure that you have an HTTPS server for storing the LOTS file that is used by LiveUpdate clients: When the LiveUpdate client runs. Planning for content publishing Before you can publish content using the Custom Content Publishing Application (CCPA). all communication to and from the server is encrypted. LOTS Manager files are installed in the following location: C:\Program Files\Symantec\LiveUpdate Publishing The following shortcuts are placed under LiveUpdate Publishing on the Windows Start menu: LOTS Manager Launch the LOTS Manager application. ■ ■ You must install CCPA to a server that is running HTTPS to ensure secure transmissions. Login to CCPA Readme Start CCPA Stop CCPA Log onto the CCPA Web interface. When CCPA is installed to an HTTP server. Designate a server to be used for your CCPA production server. See “Enabling SSL support over HTTPS” on page 154.Working with custom content Working with the Custom Content Publishing Application 149 CCPA and LOTS file locations and Windows Start menu shortcuts By default. Stop the Apache Tomcat service. A typical CCPA environment is shown in Figure 9-1. Read important information not included in this manual. It compares the LOTS file on the HTTPS server with the copy of the file on the local computer. . Launch the Apache Tomcat service. you must perform the following tasks: ■ Upload the List of Trusted Signers (LOTS) file: The LOTS file validates the signature certificates that are uploaded by CCPA Signers from the User Profile page. all communication (including user names and passwords) is transferred in clear text. See “Using the LOTS Manager” on page 152.

When LiveUpdate is run on the client computers. . it first checks with the LOTS server to verify that the clients' LOTS file is the most current. If the client LOTS is older. Symantec content and custom content are then downloaded from the Central LiveUpdate server and applied to the client. the server running the Custom Content Publishing Application is brought up only when it is needed to publish updates. a current file is downloaded. For security. A separate server is used to test the Update Packages before they are published to the Central LiveUpdate production server.150 Working with custom content Working with the Custom Content Publishing Application Figure 9-1 A CCPA environment Certificate server Test server LOTS Manager Test client CCPA server Central LiveUpdate server HTTPS LOTS Server LiveUpdate clients The computer that is running the LOTS Manager obtains certificates from the Certificate server.

and then follow the on-screen instructions. and then follow the on-screen instructions. If you install the Custom Content Publishing Application to an SSL server. Click Install to start the installation. . See “Planning for content publishing” on page 149.msi). After you install the Custom Content Publishing Application After you've installed the Custom Content Publishing Application (CCPA) and the LOTS Manager. See “Using the LOTS Manager” on page 152. ■ 5 6 Click Next. as a best practice. You will need to install the LOTS Manager and upload a LOTS file before you configure user roles. click Next. In the LiveUpdate CCPA InstallShield Wizard window. you should perform the following basic administrative tasks: ■ Create a LOTS file.msi). and then select a different destination folder. click Next. Click Change. Click Install to start the installation.Working with custom content Working with the Custom Content Publishing Application 151 Installing the Custom Content Publishing Application The Custom Content Publishing Application and the LOTS Manager are installed separately. there are additional steps that you must perform to enable SSL support for CCPA. See “Enabling SSL support over HTTPS” on page 154. Start the Custom Content Publishing Application setup program (LiveUpdate CCPA. To install the LOTS Manager 1 2 3 Start the LOTS Manager setup program (Symantec LiveUpdate LOTS Manager. In the Destination Folder window. it is recommended that you install them on different computers. While they can be installed on the same computer. do one of the following: ■ Verify that the default destination folder is appropriate (C:\Program Files\Symantec\CCPA\). In the Symantec LiveUpdate LOTS Manager InstallShield Wizard window. To install the Custom Content Publishing Application 1 2 3 4 Review the preinstallation information.

cer and . ■ Specify update servers.152 Working with custom content Using the LOTS Manager See “Working with certificates” on page 154. The uninstall program for CCPA is located in Add/Remove Programs under LiveUpdate CCPA. View details of existing certificates. See “Browsing audit log entries” on page 170. See “Working with CCPA servers” on page 158. The LOTS Manager maintains the LOTS internally as an in-memory certificate store through CAPICOM. You cannot save the LOTS file to disk unless you have specified a certificate for signing the LOTS.crt) and PKCS #7 and PKCS #12 (. The uninstall program for the LOTS Manager is located in Add/Remove Programs under Symantec LiveUpdate LOTS Manager. it is added to the in-memory certificate store.p12). the LOTS Manager retrieves the certificate store in PKCS #7 format.509 (. Specify products and languages. Remove certificates. See “Performing administrative tasks” on page 156. you can do the following: ■ ■ ■ Add new certificates. Using the LOTS Manager. ■ ■ ■ Uninstalling the Custom Content Publishing Application Both CCPA and the LOTS Manager can be uninstalled using Add/Remove Programs in the Windows Control Panel.pfx and . When you save the LOTS file to disk. which contains a list of every Signer certificate that LiveUpdate can trust. Configure users and roles. or you can specify one from an external . including X. Enable LiveUpdate clients to retrieve custom content. This certificate. Multiple certificate file formats are supported. which must be associated with a private key. Using the LOTS Manager The LOTS Manager lets you create and maintain a LOTS (List of Trusted Signers) file. When you add a certificate to the LOTS. See “Enabling LiveUpdate clients to retrieve custom content” on page 172. can either be selected from the Microsoft local certificate store.

LiveUpdate can be configured to attempt to retrieve a LOTS file from an HTTPS server (the LOTS server). the LiveUpdate client automatically looks for a local copy of the LOTS file.zip file. The only certificate in the Custom Content Signature file is the one that belongs to the user (the Signer) who generated the Signature file. How the LOTS file is used in the custom content publishing process Before custom content can be downloaded to a client computer. It then checks to see if the Signer certificate has expired and verifies that the format of the Signer certificate is valid. and checks that the Signer certificate from the Signature File has a matching certificate in the LOTS database.Working with custom content Using the LOTS Manager 153 file (only PKCS #12 password-protected keystores are supported). To start the LOTS Manager ◆ On the Windows taskbar. The LiveUpdate client trusts the LOTS server only if its server certificate was issued by a ROOT CA that is identified as a Trusted Root in Internet Explorer. click Start > Programs > LiveUpdate Publishing > LOTS Manager. those certificates are not included in the Custom Content Signature file. The custtri.zip file also contains a Guard and Signature file. LiveUpdate verifies that the signature on the LOTS file chains to a trusted root certificate such as VeriSign. the LiveUpdate client verifies that the content is secure by using the LOTS file. The LiveUpdate client only downloads this LOTS file from the LOTS server in the event that the LOTS file on the local computer is older than the one on the LOTS server. The Administrator is responsible for managing the deployment of the LOTS file to the LiveUpdate clients. or if the Signer leaves the company. if the private key is compromised. LiveUpdate trusts this Signature file as long as the Signer's certificate can be found in the local LOTS file. Custom content is specified and secured in the custtri. It uses the information in this file to authenticate the custom content that is pulled from the Central LiveUpdate server much in the same way that Symantec LiveUpdate verifies and secures the content that is downloaded from the Symantec LiveUpdate site or from the Central LiveUpdate server. . Even if the Signer's certificate has a chain of CAs and a trusted root. If Custom Content has been enabled. You can always view the details of a certificate. The LOTS file can be redeployed if any of its Signer certificates need to be revoked. for example. because they are ignored by LiveUpdate. even if it is not trusted.zip. rather than livetri.

3 4 Click Select. The LOTS file cannot be saved to disk unless a LOTS-signing certificate has been specified. Add a signing certificate. under Certificate for signing the LOTS. and then select a certificate for signing the LOTS. To work with certificates 1 In the LOTS Manager window. you must have a Web server certificate. Before you begin this procedure. and then click OK. The LiveUpdate client uses the LOTS file to determine if it can trust the custom content that it downloads from the Central LiveUpdate server. 2 To save the LOTS file. you must perform some additional steps. click Select. Delete a certificate. Enabling SSL support over HTTPS To enable SSL support over HTTPS for the Custom Content Publishing Application using a PKCS #12 keystore. . You can select a certificate from either the System Certificate Store or from an External PKCS #12 File. type the password for the certificate. If you select a certificate from an external PKCS #12 file.154 Working with custom content Using the LOTS Manager Working with certificates You use the LOTS Manager to create a LOTS file. The LOTS file is used by the CCPA and by LiveUpdate clients that have been enabled to receive custom content from a Central LiveUpdate server. select any of the following: View Add Certificate From File Remove Certificate View the details of a signing certificate. SSL support in CCPA is turned off by default. which contains a copy of the code-signing certificates that are used by Signers when publishing custom content within the CCPA. Web server certificates can also be obtained from third-party certificate authorities (CA) such as VeriSign. You can create your own server certificate using Microsoft Certificate Services or you can create a self-signed certificate using the keytool utility that is included with the Java Runtime Environment and JDK. Obtaining a certificate from such a CA will allow your clients to trust the CCPA server implicitly when connecting over HTTPS.

** No SSL support.ccpakeystore” and replace it with the path to the certificate that you are using. do the following: ■ ■ ■ Delete the following: <!-. this location is C:\Program Files\Symantec\CCPA\webapps. this location is C:\Program Files\Symantec\CCPA\conf.1 Connector on port 8443 --> <Connector className="org. and export it to the \webapps directory where the CCPA program files are installed. By default. Add the attribute keystoreType=“PKCS12” before /> at the end of the section.Define a SSL Coyote HTTP/1. For example.CoyoteConnector" port="8443" minProcessors="5" maxProcessors="75" enableLookups="true" acceptCount="10" debug="0" scheme="https" secure="true" useURIValidationHack="false"> <Factory className="org. 2 3 Edit the server.xml file.apache.coyote. By default.tomcat4.tomcat4. by default *** --> Locate keystoreFile=“C:/ccpa/webapps/. ■ ■ The resulting section should be similar to the following: <!-. by default *** Delete the following: *** NO SSL support. Under the section <!-. The certificate must also chain to a trusted root.1 Connector on port 8443 -->.CoyoteServer SocketFactory" . The certificate issued common name must be the same as the name you are using to connect to the CCPA server.coyote. For example: keystoreFile=“C:/Program Files/Symantec/CCPA/webapps/[certificate filename]” Locate keystorePass=“ccpa42” and replace ccpa42 with the password used when you exported the PKCS #12 certificate.Working with custom content Using the LOTS Manager 155 The certificate request should indicate that the private key is exportable and that the intended purpose is Server Authentication.Define a SSL Coyote HTTP/1.apache. the CCPA server that is named ccpaserver is located at the following URL: https://ccpaserver:8443 To enable SSL support in CCPA 1 Locate the Server Authentication Certificate file that you want to use from the Certificate Store.

Manage publishing sessions. refer to the Apache Jakarta Web site at the following URL: http://jakarta. This menu enables you to navigate through the pages that are used for CCPA administration. languages. managing users and updating production servers. Open your browser and type the name of the server that is running CCPA and then append :8443. See “Starting and logging on to CCPA” on page 157. and Update Types. monitoring audit logs. Edit configuration settings. When you are logged on as the Administrator. . Restart the CCPA service.org/tomcat/tomcat-5. As an Administrator.html Performing administrative tasks The CCPA Administrator is responsible for configuring CCPA. click Admin on the main navigation menu to display the administration menu. you can do the following tasks: ■ ■ ■ ■ ■ ■ ■ Add and manage users. For example: https://ccpaserver:8443 To enable SSL on your server using the JKS format instead of PKCS #12. Review history.0-doc/ssl-howto. and update types that are addressed in CCPA product updates.156 Working with custom content Performing administrative tasks clientAuth="false" protocol="TLS" keystoreFile= "C:\Program Files\Symantec\webapps\myPKCScert.apache. Languages.pfx" keystorePass="mypassword" "keystoreType='PKCS12" </Connector> /> 4 5 6 Save server. and maintaining data about the products. Browse audit logs. Manage servers. Work with Products.xml.

click Start > Programs > LiveUpdate Publishing > Start CCPA. The filter bar is collapsed by default. users. you can log on to CCPA from the computer that is running the service. the default user name and password is admin. When you expand the filter bar. You will be required to type a new password before you can proceed. or from a remote workstation. and you can expand it by clicking the expand icon at the right end of the bar. Do not use the Back arrow to navigate to the previous page. For example: https://remotetest:8080 ■ The first time that you log on to CCPA. On the remote workstation. open a Web browser. and servers. On pages that display lists of items. You return to the previous page within a menu selection by clicking the link for that page. type the name of the server that is running CCPA. the name of that page appears under the menu in the left side of the browser window. click Start > Programs > LiveUpdate Publishing > Login to CCPA. To log on to the CCPA Web interface ◆ Do one of the following: ■ On the local CCPA computer. you can filter the display using the show only feature in the filter bar above the list. such as updates. Each time that you go to a page.Working with custom content Performing administrative tasks 157 Starting and logging on to CCPA Once you start the CCPA service. As you continue to other pages under that menu item. Navigating the Custom Content Publishing Application The CCPA user interface displays a trail below the menu to keep you informed of where you are and how you got there. you can select your filtering criteria. and then append :8080. To start the CCPA service ◆ On the Windows taskbar. CCPA adds a link for each page that you've accessed. on the Windows taskbar. .

you can select products in specific languages and click the update view button to display only those updates that match your selection. Click submit to upload the file to the CCPA. do the following: . and establish test and production servers. The show only drop-down menu lets you select all types. and then click New. inactive. or test servers. In the add server window. To cancel your action. To upload the LOTS file 1 2 3 4 5 In the main LiveUpdate . For example. and then click Open. See “Starting and logging on to CCPA” on page 157. To add a new server 1 2 3 4 Start CCPA and log on as an administrator. and you can edit the profile of any of your servers. when browsing the product updates list. click cancel. See “Using the LOTS Manager” on page 152.158 Working with custom content Performing administrative tasks By selecting attributes and clicking Update View. In the LOTS file status window. Working with CCPA servers You can define your CCPA servers. Click admin. Click LU servers. Uploading the LOTS file You should upload a LOTS file before you configure user roles. You can add or delete servers as necessary. you can filter the display to show only those items that are relevant to your task. browse the server list. You can then specify an inactive server as the production server. you will define each of your servers as either inactive or test servers. click Upload LOTS. The Update View button updates the list according to your selection. Click Browse. select the LOTS file. Initially. click admin. production.Custom Content window.

Click Confirm Switch. write access must be enabled. do the following: ■ ■ If necessary. To set a test server to production. click Reset Form. When you set a server as the production server. . Optionally. An inactive server can be changed to a production server. select the protocol that is used by the server to transfer data. To set an inactive server to a production server 1 2 In the LU servers window. select the server that you want to delete. To set a server as a production server. and then click Set as production. For all protocols. In the Protocol box. All users that are logged on are prevented from accessing CCPA functions. type the URL of the server. you must first change its type to inactive. type a name for the server. To delete a server In the LU servers window. and if you do not provide them as a part of the server profile. type the user name and password. select the server that you want to change.Working with custom content Performing administrative tasks 159 ■ ■ ■ In the nickname box. See “To set an inactive server to a production server” on page 159. and then set it to production. If the server requires a user name and a password. To cancel and reload the default form. You should password-protect the document root where you save the files. its current type must be set to inactive. you can specify a user name and password for the server. ■ ■ 5 6 1 2 Click Add Server. Click Confirm Delete to delete the server. In the URL box. in case authentication is required to access the server. You can only have one production server. the Signer will be prompted to type the user name and password at publishing time. In the Confirm Production window. You cannot delete a production server nor can you delete a test server that is being used for a publishing session that is currently in progress. Select the server to add as either a test server or an inactive server. CCPA goes into a maintenance state until it is synchronized with the new production server. and then click Delete.

With the exception of user name. all logged on users are prevented from accessing any CCPA functions. Users can also edit this information. The production server downloads update details (TRI file) from the remote server. Synchronizing the CCPA database with the production server The Synchronize option appears only when the selected server is the current Production server. To change a user name. ■ ■ ■ ■ To synchronize the CCPA database with the production server ◆ Click Synchronize. This is where you assign each user one or more user roles. The CCPA database is populated with the new update details. last name. When synchronizing servers. Passwords can be edited by users at any time. and if it is verified. User roles determine permissions and work flow in CCPA. CCPA goes into the maintenance state. you can change the information as needed to update the user's profile information. You create a password for each user. you must first delete the user record and then create a new one. The role(s) box is available only to CCPA Administrators. CCPA enters the available state. Once you confirm the synchronize. See “About roles and users” on page 148. All existing update details (TRI records) are removed from the CCPA database. CCPA performs the following actions: ■ The production server contacts the remote LiveUpdate server using the selected server protocol. You also type the first name.160 Working with custom content Performing administrative tasks CCPA validates the server. While in maintenance state. it cannot be changed. . and email address of each user. Working with User Profiles You can view and update the information that identifies your CCPA users. and users can access all CCPA functions. it switches the inactive server to a production server. Note: Once you establish each user's user name.

However. and Tester. define the user's role. In the verify password box. See “Uploading a signing certificate” on page 204. Users can change their passwords by accessing their profiles on the My Profile window. do the following: ■ ■ In the username box. See “About roles and users” on page 148. all users can update their own personal information. In the last name box. In the first name box. Click users. you assign roles to them according to the tasks that they perform. In the role(s) box. type the email address for the user.Working with custom content Performing administrative tasks 161 Note: If you change a user's role while the user is logged on. and then click New. You can also change the roles of your users as needed. In the password box. To add a new user 1 2 3 4 Start CCPA and log on as an administrator. When you set up or update a user with the role of Signer. In the email address box. retype the password. Adding new users When you add new users and the information that identifies them to the CCPA system. Signer. the change does not take effect until that user's next log on. Click admin. type the first name of the user. type the last name of the user. Some information can be edited only by CCPA Administrators. See “Starting and logging on to CCPA” on page 157. Submitter. type the name of the user. CCPA users who are assigned the role of Signer must have a signing certificate uploaded to the system. The roles are Administrator. type the password for the user. You can upload the Signer's certificate or allow the individual Signers to upload and manage their own signing certificates. Users can edit their first and last names and their email addresses in the My Profile window. To add a new user. the value of this box is missing. ■ ■ ■ ■ ■ .

Managing User Profiles The user list is accessible only to CCPA Administrators. You can select the products and languages that you want Submitters to select from when they work with Symantec content. you will see the User Profile page where you can maintain and update the information that identifies your CCPA users. With the exception of user name. See “Uploading a signing certificate” on page 204. The Current profile for option displays the name of the user that you selected on the Users page. When you click a user name. import. Click admin. Working with products and languages You can view all of the product names and languages in the CCPA database. you must click update profile.162 Working with custom content Performing administrative tasks Users who are assigned to the Signer role must upload their signing certificates to validate their authority to publish product updates. you can change the information as needed to update the user's profile information. To cancel your changes without saving. and force users to log off. You can add. You can sort. 5 6 Click Save. Work with languages. . your changes will be lost. filter. delete. or export product names and languages. To work with products and languages 1 2 3 Start CCPA and log on as an administrator. click Reset Form. CCPA includes a default list of Symantec products and languages. Note: To save your changes. In addition. and display all current users. delete users. you can add new users. Select one of the following: products languages Work with products. See “Starting and logging on to CCPA” on page 157. These are the lists that Submitters use when they select product names and languages to define or modify product updates. Otherwise.

Figure 9-2 CCPA product type list You can browse the update type list. if you have custom content updates for your accounting department. you could create a type called Accounting Department Updates. When the import process has completed. a message confirms the import. type the name of the custom content product or language. and how many were rejected. click Export. click Import. CCPA adds cc_ to let users know that this update contains custom content. and then click Add. and add new types of custom content updates. Working with update types You can categorize custom content updates by giving them distinctive names. The type appears in the list as cc_Accounting Department Updates (Figure 9-2). For example. how many were imported. how many were duplicates of existing records. The maximum length is 250 characters. in the new box. To import a list of products or languages. The list should be a flat text file with a single product or language on each line. The . along with a summary of how many records in the import file were processed. delete existing types. You can also import and export the list of file types. Records are rejected if they are too long or if they contain non-printable characters. To delete a listed product or language.Working with custom content Performing administrative tasks 163 4 5 6 To add a new product or language. You can export a flat text file that lists all of the products or languages to a location that you select. select it. When this is added to the types list. and then click Delete. 7 To export a list of products or languages.

a message confirms the import. with a single product or language name on each line. Records are rejected if they are too long or if they contain non-printable characters. type the name. See “Starting and logging on to CCPA” on page 157. To add a new update type. how many were duplicates of existing records. A Submitter can also add updates to this list by entering them during a publishing session. and how many were rejected. along with a summary of how many records in the import file were processed. and then click Add. Click admin. Running LiveUpdate from CCPA You can download and apply updates for CCPA by running LiveUpdate from the configuration page. To import a list of update types. To work with update types 1 2 3 4 Start CCPA and log on as an administrator. . you are logged off during the LiveUpdate session. and cc_ is added to the beginning of the name. and then click Delete. click Import. When the import process has completed. Setting the System Configuration You can modify the application configuration parameters. These are system-wide settings that determine how information is presented and handled for all CCPA users. 5 6 To delete a listed update type. The update type is added to the list. click Export. Click types. When you run LiveUpdate. select it.164 Working with custom content Performing administrative tasks list consists of the types of updates that are available for a Submitter to select from when defining a new update or modifying an existing product update. You can export a flat text file that lists all of the products or languages to a location that you select. The maximum length is 250 characters. in the new type box. 7 To export a list of update types. how many were imported. The list should be a flat text file.

■ ■ ■ ■ 4 To change logon and security settings. See “Starting and logging on to CCPA” on page 157. under invoke LiveUpdate. type the number of records to be maintained in history. and only error messages are displayed. log on and security settings. If this is not enabled. See “Starting and logging on to CCPA” on page 157. If you click Yes. To accept all LiveUpdate server certificates. click Yes. any HTTPS certificates that are installed on the server are accepted. In the maximum session history records. the length of passwords and user names. click Yes. and email notification. click LiveUpdate. To change the general application configuration settings. This turns on verbose debugging information. Click admin. Click admin. the number of history records that are kept. click Yes. All updates that apply to the Custom Content Publishing Application are downloaded from the LiveUpdate server. users will see the process icon of their browser. do the following: . This determines the maximum number of rows per page for all lists. A progress page is a way of showing the user that the system is executing the submitted action. a trusted authority such as VeriSign is required. In the configuration window.Working with custom content Performing administrative tasks 165 To run LiveUpdate from CCPA 1 2 3 Start CCPA and log on as an administrator. To enable debugging. This is disabled by default. To edit application configuration settings 1 2 3 Start CCPA and log on as an administrator. You can review history on the History page. Editing Application configuration settings You can change the number of rows that appear on a page. If you click No. To enable the progress page. type the number of rows to display. do the following: ■ In the maximum rows per page box. and then click configuration.

In the maximum number of unsuccessful login attempts box. ■ ■ ■ ■ 6 7 8 To save the settings. type the name of the SMTP server. click No. Resetting the session timeout value The session timeout value is the number of minutes CCPA is idle during a publishing session. When a user has a session open without activity for the . click Reload. To cancel and reload the previous settings. click Reset to Defaults. type the number that specifies the minimum number of characters that are required for a CCPA user's user name. 9 Do one of the following: ■ ■ Click Confirm to accept the defaults. The Confirm Reset to Defaults window displays the configuration parameters along with the default value for each one. Click Cancel to continue editing the configuration. Type the login ID for the SMTP server (optional). The default is four. Type the password for the SMTP server (optional).166 Working with custom content Performing administrative tasks ■ In the minimum username length box. ■ ■ ■ 5 To change email notification settings. this causes a significant slowdown. type the number of times a user can attempt to log on before the user is locked out of CCPA. This is the default. If you are enabling notification. click Yes. To restore the default settings. type the number of minutes a user will be locked out of CCPA after the maximum number of log on attempts is reached. Users will be notified by email when the status of a publishing session requires their attention. If SMTP server is not valid. In the login lockout duration in minutes box. type the number that specifies the minimum number of characters that are required for a CCPA user's password. To disable notification. do the following: ■ To enable notification messages. In the minimum password length box. click Update. The default is four.

You can cancel the session and return it to the Available state so that a Submitter can begin a new publishing session. Browse audit log entries. the LiveUpdate publish status box informs you of the current session type (add. Cancel a publishing session. Restart CCPA. Modifying the state of a publishing session You can modify the current publishing session as long as a session is in process and not submitted.xml file located at C:\ccpa\webapps\ccpa\web-inf\web.Working with custom content Performing administrative tasks 167 specified timeout period. Find the following line in the web. Change the session participants. delete. CCPA automatically logs that user off. .xml file: <session-config><session-timeout>10</session-timeout></session-config> Change the <session-timeout> value to the number of minutes that are required. You can reset the timeout value. or modify) and whether the session is awaiting a Tester or a Signer. You can do any of the following: ■ ■ ■ ■ ■ Change the current state of the session. or you can return the session to the In Work state so that the current session Submitter can add update definitions and resubmit the publishing session.xml. View session history. The default session timeout period is 10 minutes. To reset the timeout value 1 2 3 4 Open the web. The session attributes are listed in Table 9-2. Managing publishing sessions When the publishing session is locked.

Only supported new session states are listed. this box displays not selected. ■ Submitted: The current publishing session is locked and has been submitted for signing and testing. This text is included in the email notification message that is sent to all of the affected parties. ■ In Test: The current publishing session has been uploaded to the test LiveUpdate server by the Signer. If the session is in work. The displayed session transitions depend on the current publishing session state. The name of the test LiveUpdate server. and the Submitter has not specified a test server. If the session is in work. You are returned to the Updates window. Cancel your actions.168 Working with custom content Performing administrative tasks Table 9-2 Attribute Session state Current session attributes Description This is the current state of the session. you can type up to 500 characters in this text box. If you want to write a message regarding the publishing session state change. Tester Test LU server Select new session status Enter update message Cancel Modify session state . this box displays not selected. ■ Submitter Signer The Submitter's name. If the session is in work. and the Submitter has not specified a Signer. which can be: In Work: The current publishing session is locked by a submitter and is not yet submitted. and the Submitter has not specified a Tester. this box displays not selected. Confirm your modification of the session state. The Signer's name. The Tester's name. Select the new status that you want to set for the session. ■ Approved: The current publishing session has been approved by the Tester and is ready to be published. Nothing will be changed.

type a message of up to 500 characters. In the enter an update message box. Select a new session status. In the Current session participants window. select a new Submitter for the current publishing session. Modifying session participants You can change the participants of the current publishing session. In the updates window. click modify session state. click modify session participants. You can type up to 500 characters. in the select new submitter list. In the select new tester list. This displays all of the servers that have been defined as test servers. select a new test LU server. In the select test LU server list. You can change the session's current Submitter. Tester. All users who have been defined as Testers are listed. If a session has already been submitted. In the enter update message box.Working with custom content Performing administrative tasks 169 To modify the state of a publishing session 1 2 3 4 Start CCPA and log on as an administrator. See “Starting and logging on to CCPA” on page 157. LiveUpdate publish status box. To modify session participants 1 2 3 4 Start CCPA and log on as an administrator. 5 Click modify session state. select a new Tester. select a new Signer. do any of the following: ■ In the select new signer list. In the updates window. or test LiveUpdate server. All users who have been defined as Signers are listed. LiveUpdate publish status box. . Any changes that you make immediately become effective. ■ ■ ■ 5 Click change. CCPA generates email notifications to the users who are involved in the change. Signer. type a message to send to session participants. See “Starting and logging on to CCPA” on page 157.

in the LiveUpdate publish status box. You can select the length of history from current day to full history. select a number of records to be stored in the log. The session and all changes associated with it are canceled. select event types from specific events to all. Export Exports the log to a CSV (Comma Separated Values) file. To cancel a publishing session 1 On the updates page. click Cancel. Canceling a publishing session You can cancel a publishing session at any time. The Confirm Cancel Updates window warns you that your action will discard all changes defined in the session and asks you if you are sure you want to cancel the session. Update View Set audit log size . records are removed starting with the oldest. click modify. publishing session state changes. 2 Click yes to cancel. and so on. To cancel your changes. click apply. The audit log size specifies the number of records to be stored in the audit log. user and server modifications. and specify individual users or all users. On the drop-down menu. The session attributes remain unchanged. Major events are recorded for auditing purposes. Once this limit is reached. such as user log ons. To refresh the display. unauthorized access attempts.170 Working with custom content Performing administrative tasks 6 7 To save your changes. The following viewing and export options are available: Show filter The show only option allows you to filter and sort the display. click cancel updates. log offs. Updates the log according to the filtering criteria that you've selected. Browsing audit log entries You can view the major events that are captured by the audit log.

the History window shows: ■ ■ ■ ■ ■ ■ Submitter Signer Tester Test Server Production Server Product Update List Product name Version number Language Update type Sequence File . Click admin. The number of sessions that are retained in history depends on the setting that is specified by the CCPA Administrator. and then click audit. For each completed session. or delete The Submitter's name (visible only to Administrators) The Signer's name (visible only to Administrators) The Tester's name (visible only to Administrators) The name of the test server that was used in the session The name of the production server that was used in the session The product update list included in the publishing session For each session.Working with custom content Performing administrative tasks 171 To browse audit log entries 1 2 Start CCPA and log on as an administrator. modify. the History page displays the following information: Completed Started Action The completion date and time of the publishing session The start date and time of the publishing session The action that was performed in the session: Insert. See “Starting and logging on to CCPA” on page 157. Viewing CCPA history You can view details of completed CCPA publishing sessions.

See “LiveUpdate client file locations” on page 95. By default. If you do not specify a LOTS server.lts file must be copied to the same folder as Product. For example. The client's LOTS file is called MYLOTSFILE.172 Working with custom content Enabling LiveUpdate clients to retrieve custom content Enabling LiveUpdate clients to retrieve custom content You must configure your LiveUpdate clients to automatically retrieve custom content. LOTS\LOGIN:ENC=*P_A?Q0VSHE LOTS\LOTS_HTTPS_URL=https://Symfiles/LOTSDIR LOTS\PASSWORD:ENC=4V#GO=M=B\TC(%+!24M?+A LOTS\UPDATE_LOTS_FILE=YES LOTS\LOTS_FILE=C:\LOTSDIR\MYLOTSFILE. the following statements enable custom content.LiveUpdate file. but you must have a copy of the LOTS liveupdt. and specify a server. LiveUpdate clients display Symantec LiveUpdate Custom Content updates in the LiveUpdate Status window when LiveUpdate is run. .LiveUpdate.Inventory. The liveupdt. Symfiles. custom content is disabled in the client's Settings.lts file on the local computer. the LiveUpdate client can still retrieve custom content if it has been enabled.LTS PREFERENCES\CUSTOM_CONTENT=1 When custom content has been enabled.LTS and is in the C:\LOTSDIR\ folder. hosting the LOTS file in the LOTSDIR folder. The client looks for a new LOTS file each time that LiveUpdate runs.

■ LOTS\LOTS_HTTPS_URL= This is the URL of the HTTPS server hosting the LOTS file. See “About LiveUpdate client configuration files” on page 96. If this is set to OPTIONAL. LiveUpdate disables custom content for that session. custom content is still downloaded. ■ LOTS\LOGIN= This is the user name to use to log on to the HTTPS server hosting the LOTS file.Working with custom content Enabling LiveUpdate clients to retrieve custom content 173 To enable LiveUpdate clients to retrieve custom content 1 2 On the client computer. ■ LOTS\PASSWORD= . open the Settings. LiveUpdate encrypts this automatically when it runs. ■ LOTS\UPDATE_LOTS_FILE=YES/OPTIONAL/NO This enables the LiveUpdate client to check for a new LOTS file.LiveUpdate file. If this is set to NO. but if the file retrieval fails.zip file from the Central LiveUpdate server. Add the following settings: ■ PREFERENCES\CUSTOM_CONTENT=1 This enables custom content. If this is set to YES and the LOTS file retrieval fails. the LiveUpdate client looks for a new LOTS file. The client can retrieve a custtri. the LiveUpdate client does not look for a new LOTS file.

■ LOTS\LOTS_FILE (<PER_MACHINE_FOLDER>\LIVEUPDT. . LiveUpdate encrypts this automatically when it runs.LTS)= This is the LOTS file name and path that are used instead of the default location.174 Working with custom content Enabling LiveUpdate clients to retrieve custom content This is the password to use to log on to the HTTPS server that is hosting the LOTS file.

optionally testing the updates. and then publishing them to a Central LiveUpdate server. or modify product updates. . or modifying) a set of product updates. deleting. the current publishing session status is in one of the states shown in Table 10-1. Once a Submitter starts a publishing session. Only one publishing session can exist at any time and each publishing session can be used for only one action type: create new. delete.Chapter 10 Publishing custom content This chapter includes the following topics: ■ ■ ■ ■ ■ About the content publishing session Submitting updates Using PreConditions Signing and publishing updates Testing product updates About the content publishing session A content publishing session is the process of defining (adding. the publishing session process (workflow) is locked to all other users except the session participants and the CCPA Administrators. At any given time.

The Submitter can then make the needed changes and resubmit the updates. The session remains locked in the Submitted state until the selected Signer either rejects the updates or signs and publishes them to either the selected test server or the production server. it is locked to all other Submitters. Submitted When the Submitter submits product updates for testing or publication. only a Submitter can start a product updates publishing session. if testing is desired. Once a Submitter has started a publishing session. The Submitter can submit the defined product update changes for testing. The In Work status remains unchanged until one of the following occurs: ■ ■ In Work The Submitter cancels the publishing session. the publishing session status goes to Submitted. . or directly to production. The Submitter submits the session for testing or publication. the publishing session returns to the In Work state and remains locked to all users except the originating Submitter.176 Publishing custom content About the content publishing session Table 10-1 State Available CCPA publishing session status Description When no product updates are in process. All information in the current session is read-only to all other users. Only the Submitter who started the session can define product update changes. the session status is In Work. the publishing session is in the Available state and ready for a Submitter to start defining product updates. However. The Submitter selects the Signer and optionally the Tester and test server. Any user can browse the Updates window and select and view the details of existing product updates. While the session is In Work. If the Signer rejects the updates.

If the Signer rejects the updates. If the Tester rejects the updates. . The publishing session stays unlocked in the Available state until a Submitter starts another session. The Submitter can then make the needed changes and resubmit the updates. the Signer signs and publishes the approved updates to the Central LiveUpdate server. the publishing session goes to Approved. Note: If the originating Submitter did not select a Tester and test server. The session remains locked in the In Test state until the Tester who performs the testing either rejects the updates or approves and passes them on to the Signer. The Submitter can then make the needed changes and resubmit the updates. the publishing session returns to the In Work state and remains locked to all users except the originating Submitter. and the publishing session returns to the unlocked Available state. Once the publishing session is in the Approved state. The session remains locked in the Approved state until the Signer either publishes the updates to the production server or rejects them. the publishing session goes directly to the approved state. the publishing session returns to the In Work state and remains locked to all users except the originating Submitter. Approved When the Tester approves the product updates on the test server. the publishing session goes to In Test.Publishing custom content About the content publishing session 177 Table 10-1 State In Test CCPA publishing session status (continued) Description When the Signer signs and publishes the product updates to the test server.

the Tester marks the update as Approved. See “Signing and publishing updates” on page 202. and only one type of edit operation per session. This is an optional step. In addition to defining and submitting updates. it is marked Test Failed and sent back to the Submitter. you can manage the files (update packages) that are associated with the updates. neither the New nor the Delete options appear. if one is used. and delete them when they become obsolete. . See “Signing and publishing updates” on page 202. For example. See “Testing product updates” on page 206. If you are modifying updates. You can modify the files as needed. but it is recommended. 4 The Signer publishes the approved update to the production server. the New options do not appear. 2 The Signer publishes the submitted product updates to the test server. If you are deleting updates. and to the production server. Submitting updates CCPA allows only one publishing session at any time. If the test fails. See “Using PreConditions” on page 182. the Delete option does not appear. 3 The Tester tests the updates on a LiveUpdate test server.178 Publishing custom content Submitting updates To perform a publishing session 1 The Submitter starts a publishing session. The workflow process of submitting a product update begins with the publishing session in the Available state. See “Submitting updates” on page 178. selects and defines the updates to be included in the package. and then submits the update to either a test server or directly to a production server. If the update passes testing. if you are defining new updates. The options that are available are dependent upon the type of session that you have selected. creates any necessary PreConditions.

type the version number of the product for which you are defining updates. although they can browse updates. CCPA displays a message stating that the publishing session has been locked. Additionally. You are able to continue performing the previously selected type of edit operation (New. if you have a session in process. Defining product updates You can publish updates for Symantec products or for independent (non-Symantec) products. 2 In the Start Session Confirm window. That is. Replace. and log off of CCPA. The state of the publishing session persists between log ons. if another Submitter has locked the publishing session. The Status box indicates your session type (New. select the product for which you are defining updates. the publishing session is not available to you until the status of the publishing session returns to Available. no matter what its current state.Publishing custom content Submitting updates 179 To submit updates 1 In the Updates window. the state of the publishing session is as you left it when you log back on. This locks the session. click New Symantec Update. the status of your session is In Work. the publishing session is locked to other users. when you initiate a publishing session. which marks it In Work. click Define New Product Updates. Note: The maximum file size should not exceed 100 MB. In this state. . Until you have completed or cancelled the session. in the LiveUpdate publish status box. and you are the only Submitter allowed to work with that publishing session. you cannot begin another session until the updates of your current session have been either published or cancelled. In the Product box. For example. In the Version box. you are not allowed to begin another session. Once the session is started. Replace. click Start Publishing Session. The publishing session is locked once you confirm your selection. To define Symantec product updates 1 2 3 In the update window. or Delete). or Delete) and identifies you as the Submitter of the current session.

■ Select an Update Type: (ItemSeqName) from the list and then edit it in the text field. select the language of the product for which you are defining updates. or from the list of currently used update files (GRD). this box is not defined. do one of the following to specify the Update Type that applies to your update. You are returned to the New Product Update window. do one of the following: ■ ■ Accept the default. You can select an update file from either a local directory. Type the current date. ■ 11 In the Action Item box. 8 9 In the Item Name box. The File Name box displays the name of the update file. the Action Item box displays the associated script or executable. do one of the following: ■ To select a local file. ■ . Type it directly. ■ 6 Under Sequence Date: (ItemSeqDate). For a GRD. When you have specified which file you want.180 Publishing custom content Submitting updates 4 5 In the Language box. Under Update Type. The SHA-1 box displays the sha-1 calculation of the file that you selected. select the executable or script to insert into the Action Item text box. you can return to the default value by clicking Reset. click select. if one has been selected. Initially. In the Description box. If you enter a new date. the current UTC time is displayed. See “Using PreConditions” on page 182. or click Browse to select the file. type a description for the update. click New file from GRD. do the following: ■ For a local file. You are returned to the New Product Update window. 7 Click Edit to define or edit PreConditions for your update. The File Size box displays the size of the selected file. select a file from the list. For a new update. To select a new file from GRD. click New local file. and then click select. type the directory path of the local file that you want to use for your update. type a name for the update (up to 250 characters). 10 To select a file.

type a name for the update (up to 250 characters). click New Custom Update. accept the default or type the current date. In the Description box. click Save Update. you can return to the default value by clicking Reset. and then click select. Under Update Type.Publishing custom content Submitting updates 181 ■ Specify and edit the command-line parameters for the selected action item. click Edit. You are returned to the New Product Update window. Type the directory path of the local file to use for your update. Defining independent custom updates An independent custom update consists of files that are not associated with Symantec products. To define an independent product update 1 2 In the update window. type a description for the update. You can select an update file from either a local directory. click Submit. or from the list of currently used update files (GRD). and then click select. Optionally. do one of the following: ■ To select a local file. 3 Under Sequence Date: (ItemSeqDate). click New file from GRD. or enter it directly. If you enter a new date. specify the Update Type that applies to your update. you can enter your command-line parameters in the text box. this box is not defined. Initially. 12 To save the product update definition. 4 To define or edit PreConditions for your update. 7 To select a file. the current UTC time is displayed. For a new update. To select a new file from GRD. ■ . 13 To submit the update. click New local file. The session remains in the In Work state and returns to the Updates window. if one has been selected. or click Browse to select the file. 5 6 In the Item Name box. The File Name box displays the name of the update file. See “Using PreConditions” on page 182. You can select an Update Type: (ItemSeqName) and edit it in the text box. select a file.

Specify and edit the command-line parameters for the selected action item. For a GRD. but it also minimizes network traffic. you can type your command-line parameters in the text box. type the max bytes (Maximum Number of Bytes) to use. The File Size box displays the size of the selected file. The session remains in the In Work state and returns you to the Updates page. and then. This not only conserves bandwidth. 8 The Calculate Sha-1 hash box lets you calculate the SHA-1 of a local file. select the executable or script to insert into the Action Item text box. Click the calculate sha-1 button to calculate the sha-1 for the selected file. click Submit. When PreConditions are not used. For example. Enter the File Name or Browse to a file. Optionally. LiveUpdate defines a new update as any update whose sequence number is higher than the installed product to which it is targeted. optionally. the Action Item box displays the associated script or executable. click Save Update. and the package must first be downloaded to evaluate the necessity of the update. See “How LiveUpdate works” on page 23. 9 10 In the Action Item box. you can refine the update process so that LiveUpdate content is only downloaded by the client computer that actually needs the update. The SHA-1 box displays the sha-1 calculation of the file that you selected. LiveUpdate settings and more. you can filter updates based on the operating system of the target computer.182 Publishing custom content Using PreConditions You are returned to the New Product Update window. Using PreConditions. Your output is displayed below the Calculate Sha-1 hash box. do the following: ■ For a local file. The logic for this process is within the update package itself. PreConditions allow updates to be filtered based on several different filtering operators. much of the logic as to whether or not an update should be installed is based on the sequence number found in the client's Product Inventory. 12 To submit the update. the language of the operating system. Using PreConditions PreConditions offer you a powerful tool to target LiveUpdate content to specific computers. . ■ 11 To save the product update definition.

Like C language conditional expressions. using PreConditions. Because a PreCondition is used to either select an update for download or to reject the update. which allows you to build more complex expressions. When the expression evaluates to True. and ends with a semicolon: bSelect = <PreCondition expression>. bSelect = funct1(123. A new line is not interpreted as the end of a statement. the PreCondition is specified as a Boolean expression. Table 10-2 Data type Bool Long PreCondition parameters and return values Range True/False -9223372036854775808 to 372036854775807 Description Boolean type. 64-bit signed integer. “hello”). Because PreConditions are specified in the . The PreCondition expression is assigned to the system variable called bSelect. you can create complex PreCondition expression using standard Boolean operators including “&&” (and) and “||” (or): bSelect = funct1(123) && (funct2() || (funct3(“product”)<5)). PreCondition operators are based on C language syntax with a defined set of functions and variables. The available operators are infix. .Publishing custom content Using PreConditions 183 For example. PreCondition functions accept the parameter and return values shown in Table 10-2. the update is flagged for downloading. funct2(). unary.tri file. returning either True or False. you can specify that a particular update can only be applied if the update for another Symantec product or component has already been retrieved and installed. any number value that doesn't use a decimal point. About PreCondition syntax PreCondition expressions can range from simple to complex and they make calls to one or more predefined PreCondtion functions that query one or more attributes on the client computer. PreConditions also support specifying function calls as parameters to other functions. the LiveUpdate client can decide which updates are to be filtered out prior to retrieving the actual updates. This allows you to separate long statements into multiple PreCondition lines. and function (prefix) operators.

to strings. you would specify the following: \“Program files\\Symantec\“ ■ Infix and unary operators Table 10-3 describes the available infix operators. it ensures that the PreCondition expression is added to the .“ characters must be preceded by an escape character (“\“) within any quoted strings. ==. !=.7E=308 -2. Unicode string. >. prefix operators. ^. The PreCondition Editor evaluates the PreCondition statement and verifies it for proper syntax. any number that uses a decimal point or is in the floating point format of 17E+20.tri file in the correct format. is <. if a string must be read as “Program Files\Symantec“. <=. Table 10-3 Operator name < Infix operators Parameters Return Description Less than operator.7E+308 Description Double-precision floating point number. constants are specified by surrounding the string with double-quotes. For example. <long | double | string><long <boolean> Lexicographically compares | double | string> arguments when parameters Strings can only be compared are strings. The PreCondition syntax rules are as follows: ■ ■ ■ PreCondition operators and function names are case-sensitive. &&. from highest to lowest. >=. The backslash “\“ and period “. .184 Publishing custom content Using PreConditions Table 10-2 Data type Double PreCondition parameters and return values (continued) Range -1. The order of precedence for operators. &. ||. White space outside of quoted strings is ignored. |. String Syntax rules When you use the Custom Content Publishing Application to create a LiveUpdate PreCondition.

Lexicographically compares arguments when parameters are strings. Returns true when at least one of the input values is true. && And operation on two boolean values. <long | double | string><long <boolean> | double | string> Strings can only be compared to strings. <long | double | bool | <boolean> string><long | double | bool | string> Boolean values can only be compared to boolean values. <bool> <bool><bool> <boolean> . and strings can only be compared to strings. <long | double | bool | <boolean> string><long | double | bool | string> Boolean values can only be compared to boolean values. Returns true only when both input values are true.Publishing custom content Using PreConditions 185 Table 10-3 Operator name <= Infix operators (continued) Parameters Return Description Less than or equal to operator. || Or operation on two boolean <bool><bool> values. == Equals operator. <long | double | string><long <boolean> | double | string> >= Lexicographically compares Strings can only be compared arguments when parameters to strings. != Not equal to operator. to strings. > Greater than operator. and strings can only be compared to strings. Greater than or equal to operator. <long | double | string><long <boolean> Lexicographically compares | double | string> arguments when parameters Strings can only be compared are strings. are strings.

<string> ToLower <string> . <string> Description Returns index of first <string><string> instance of string1 in string2. String2 is appended to string1. Bitwise And operation on two <long><long> long values. Table 10-5 Operator name StringIndexOf Functions Parameters Return <long> -1 if substring is not found. Table 10-4 Operator name ! Unary operators Parameters Return <boolean> Description Takes in a boolean value and <bool> flips the value (true becomes false. Does not work for numbers. Bitwise Or operation on two <long><long> long values. String concatenation <string><string> function. returns the index of the substring. false becomes true). AppendPath An AppendString for two <string><string> string values that represent parts of a path. Otherwise. Available functions Table 10-5 describes the available functions.186 Publishing custom content Using PreConditions Table 10-3 Operator name /\ Infix operators (continued) Parameters Return <long> Description Bitwise xor operation on two <long><long> long values. & <long> | <long> + <string> Table 10-4 describes the available unary operators. Convert string to lowercase. The function ensures that a path separator is present in the returned string between string1 and string2.

Description Convert string to uppercase. <string> GetSeqNum Retrieves the sequence Product Name <string> number for a given Product. Type <string> <long> If moniker does not exist. -1 will be returned. Type <string> GetSeqNumby Moniker Retrieves the sequence for a Moniker <string> given LiveUpdate moniker. and Type Language <string> (PVLT). GetProductProp Retrieves the value of a Product Name <string> property set for a given PVL. <none> <long> .Publishing custom content Using PreConditions 187 Table 10-5 Operator name ToUpper GetSettingsProp Functions (continued) Parameters Return <string> <string> If the setting does not exist or is encrypted. Retrieves a general name of the operating system. Moniker {<string>} PropName <string> <string> If property does not exist. <NULL> is returned. <string> If property does not exist. -1 is returned. <NULL> is returned. <NULL> is returned. Language. Version <string> Language <string> PropName <string> GetProductPropBy Moniker Retrieves the value of a property set for a given registered moniker. Version <string> Version. Support for the following will be added later: ■ ■ ■ ■ ■ ■ GetOSName <none> Macintosh Linux Solaris AIX S/390 OS/400 GetOSVerMajor Retrieves the major version number of the operating system. <string> Retrieves the value for a LiveUpdate setting. <long> If a PVLT does not exist. <string> This version correctly identifies Window.

Retrieves the minor version <none> number of the Service Pack level of the operating system.0a. Win32 specific.0 or SP 1. Return <long> GetOSSPMajor Retrieves the major version <none> number of the Service Pack level of the operating system.188 Publishing custom content Using PreConditions Table 10-5 Operator name GetOSVerMinor Functions (continued) Parameters <none> Description Retrieves the minor version number of the operating system. For example. GetOSSPMinor cannot differentiate between Service Pack releases that differ at the letter version level. <long> GetOSSPMinor <long> . Win32 specific. the value 0 is returned on Windows XP computers that have SP 1.

Publishing custom content Using PreConditions 189 Table 10-5 Operator name GetOSSuiteMask Functions (continued) Parameters Return <long> OS suite mask as used by the OSVERSIONINDEX struct.asp?url=/ library/en-us/sysinfo/base/ getting_the_system_version.microsoft. <none> Win32 specific. The following values were defined in <winnt. Zero is returned when this function is used on these platforms. The following MSDN link describes how to detect the different versions of Windows: http://msdn.asp .h> and are possible numerical values that may be used: ■ Description Retrieves the OS suite mask. A bitwise & operation can be done on this mask to get more granular details about the operating system. ■ ■ ■ ■ ■ ■ VER_SUITE_BACKOFFICE 0x00000004 VER_SUITE_DATACENTER 0x00000080 VER_SUITE_ENTERPRISE 0x00000002 VER_SUITE_SMALLBUS INESS 0x00000001 VER_SUITE_TERMINAL 0x00000010 VER_SUITE_BLADE 0x00000400 VER_SUITE_PERSONAL 0x00000200 This function is unsupported on Windows 9x and versions earlier than NT4 SP6.com/ library/default.

190 Publishing custom content Using PreConditions Table 10-5 Operator name GetWinOSProduct Mask Functions (continued) Parameters <none> Description Retrieves the operating system product mask. This function reliably returns the domain name only on computers that are part of an NT or Active Directory domain. Return <long> OS product mask as used by the OSVERSIONINFOEX struct. <none> <string> <NULL> is returned if there is a problem determining the domain name or none was set. The domain name that is returned in this case is the name that is registered with the DNS servers. <none> <string> <NULL> is returned if there is a problem determining the host name. . Zero is returned when this function is used on these platforms.h> and are possible numerical values that may be used: VER_NT_WORKSTATION 0x0000001 ■ VER_NT_CONTROLLER 0x0000002 ■ VER_NT_SERVER 0x0000003 ■ This function is unsupported on Windows 9x and versions earlier than NT4 SP6. A bitwise & operation can be done on this mask to get more granular details about the operating system. GetHostName Retrieves the name of the computer. The following values were defined in <winnt. GetDomainName Retrieves the domain name of the computer. Win32 specific.

0.x).0. name/path) Returns the second most significant version number (I. therefore.E. The length of the hash is 20 bytes. this function returns a 40 character string of hexadecimal characters that represent the hash.x. <NULL> is returned. this function returns a 40 character string of hexadecimal characters that represent the hash.0.x.E. <none> .Publishing custom content Using PreConditions 191 Table 10-5 Operator name GetEnvVar Functions (continued) Parameters Return Description Retrieves the value of a given Param1: string (environment <string> environment variable. GetFileHash GetPartialFileHash Calculates the SHA-1 hash of the first n bytes of a given file. <NULL> is returned. <string> Returns <NULL> if there is an error. <long> Returns -1 if there is an error. 0. Param 1: string (file name/path) GetFileVerMinor GetFileVerBuild Param 1: string (file name/path) GetFileVerSub Build GetSystemDrive Returns the least significant Param 1: string (file version number (I. GetFileVerMajor Returns the most significant Param 1: string (file version number (I.0). variable name) Calculates the SHA-1 hash of string (file name/path) a given file.0). <long> Returns -1 if there is an error. Param 1: string (file name/path) <none> If there are problems calculating Param 2: long (Number of the hash. 0. <long> Returns -1 if there is an error. Returns the second least significant version number (I. x. <long> Returns -1 if there is an error.0.0). <string> If there are problems calculating the hash. 0.E. bytes of the file to use for the hash) GetFileVer Param 1: string (file name/path) <string> Returns <NULL> if there is an error.0. The length of the hash is 20 bytes.E. name/path) Returns the system drive. therefore. Returns the file version string of a file.0.

<none> <string> Returns <NULL> if there is an error. ■ >0 Version of Param 1 is greater than Param 2. GetProgFiles CommonDir Returns the Program Files\Common Files folder. ■ CompareFile Versions . ■ 0 Version of Param 1 is equal to Param 2. <none> <string> Returns <NULL> if there is an error. CheckFreeDisk Space Checks to see if enough free Param 1: string (drive/folder) <boolean> space is available on a given Param 2: long (disk space in drive or folder. Return <string> Returns <NULL> if there is an error. KB) Param 1: string (version string) Param 2: string (version string) <long> <0 Version of Param 1 is less than Param 2.192 Publishing custom content Using PreConditions Table 10-5 Operator name GetHomeDir Functions (continued) Parameters <none> Description Returns the user's profile folder. GetCommonApp DataDir Returns the common application data folder.

Terminal Server & Enterprise OS_SUITE_WIN2K: Windows 2000 Pro. Advanced Server & Datacenter OS_SUITE_WINXP: Windows XP Home and Pro OS_SUITE_WIN2003: Windows 2003 Server. Server. Enterprise & Datacenter .0 Workstation. Server.Publishing custom content Using PreConditions 193 Table 10-5 Operator name IsOSFamily Functions (continued) Parameters Param 1: constant ■ Description Tests to see if the operating system belongs to a particular family. Web. Return <boolean> ■ ■ ■ ■ ■ ■ OS_SUITE_WIN95: Windows 95a or Windows 95b OS_SUITE_WIN98: Windows 98 or Windows 98 SE OS_SUITE_WINME: Windows Me OS_SUITE_WINNT4: Winnt 4.

194 Publishing custom content Using PreConditions Table 10-5 Operator name IsOSProduct Functions (continued) Parameters Param 1: ■ ■ ■ ■ ■ ■ Description Tests to see if the computer is running a particular operating system. Return <boolean> OS_PRODUCT_WIN95A OS_PRODUCT_WIN95B OS_PRODUCT_WIN98 OS_PRODUCT_WIN98SE OS_PRODUCT_WINME OS_PRODUCT_WINNT4_ SRV OS_PRODUCT_WINNT4_ WRKSTN OS_PRODUCT_WNNT4_ ENTERPRISE OS_PRODUCT_WINNT4_ TERMINAL OS_PRODUCT_WIN2K_ DATACENTER OS_PRODUCT_WIN2K_ ADVSRV OS_PRODUCT_WIN2K_ SRV OS_PRODUCT_WIN2K_ PRO OS_PRODUCT_WINXP_ HOME OS_PRODUCT_WINXP_ PRO OS_PRODUCT_WIN2003_ DATACENTER OS_PRODUCT_WIN2003_ ENTERPRISE OS_PRODUCT_WIN2003_ WEB OS_PRODUCT_WIN2003_ SRV ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ .

2000.). On Windows 9x platforms.dll. <none> <string> GetWinDir Retrieves the Windows <none> directory as defined by the GetWindowsDirectory Win32 API call. <none> <string> GetSystemDir <string> GetProgFilesDir <none> <string> . and so on. Win32-specific. On Windows 9x platforms. <none> <boolean> IsWinnt Determines whether the <none> operating system is Windows NT-based (NT4. XP. <boolean> GetOSLang Retrieves the default language of the operating system. Retrieves the system directory as defined by the GetSystemDirectory Win32 API call. Return <boolean> IsPowerUser Checks to see if the current user is part of the Power Users group. this PreCondition always evaluates true. Win32-specific. this PreCondition always evaluates to true. Retrieves the Program Files directory as defined by the shfolder.Publishing custom content Using PreConditions 195 Table 10-5 Operator name IsAdminUser Functions (continued) Parameters <none> Description Checks to see if the current user is part of the Administrators group. <boolean> IsWin9x Determines whether the <none> operating system is Windows 9x-based.

196 Publishing custom content Using PreConditions Table 10-5 Operator name IniSectionExists Functions (continued) Parameters File name <string> Section name <string>: The section name that is used here should exclude the bracket characters [ and ]. used here should exclude the bracket characters [ and ]. Return <boolean> False is returned if the file does not exist. <NULL> is returned if the setting doesn't exist. atoll Converts a string that represents numbers into a long. <string> Section name <string>: <NULL> is returned if the The section name that is setting or file does not exist. It is assumed that the number that is represented in the string is base-10. a hex-string is returned. If the value is binary. File name <stringL ■ Description Determines if a given ini section exists. Reg Hive <string> ■ ■ ■ ■ ■ <string> If the value is a number. GetIniValue Retrieves a setting in an ini file. “HKCR” “HKCC” “HKCU” “HKLM” “HKU” Reg Keyname <string> Reg Setting <string>: Pass in an empty string to get the default value for a regkey. <boolean> “HKCR” “HKCC” “HKCU” “HKLM” “HKU” Reg Keyname <string> GetRegValue Retrieves a value from the registry. . the base-10 representation of the number is returned in a string. <string> <long> Returns 0 if the input cannot be converted. ■ Setting name <string> Reg Hive <string> ■ ■ ■ ■ ■ RegKeyExists Determines if a registry key exists.

Return <boolean> MatchesSubnet Determines whether one of ■ Param 1: string (IP the IP addresses of a Address) computer matches a given IP ■ Param 2: string (Mask) address/mask. the errors in Table 10-6 may be written to the log file. ■ <long> Bit mask. If debugging is turned on. . Log lex debug lines ■ 0x0000000000000004 : For testing purposes only.liveupdate). Param 1: string (Reg Hive) ■ ■ ■ ■ ■ <boolean> RegValExists <boolean> “HKCR” “HKCC” “HKCU” “HKLM” “HKU” Param 2: string (Regkey name) Param 3: string (Regvalue): Use an empty string to get the default value for a regvalue SetDebugMode Turns on or off debug mode. which causes various ■ 0x0000000000000001 : PreCondition events to be Log PreCondition debug logged to a known file lines location (C:\<windows ■ 0x0000000000000002 : dir>|LU_PC. Determines if a registry value exists. it can call the debug function to assist you in troubleshooting and testing update packages.log). add the following PreCondition function: SetDebugMode(1). To enable the output of debug statements into the LiveUpdate log on the client (log. Log yacc debug lines <none> PreCondition errors A PreCondition terminates and evaluates to false if an error occurs. However.Publishing custom content Using PreConditions 197 Table 10-5 Operator name FileExists Functions (continued) Parameters <string> Description Determines if a given file or folder exists. bSelect=funct().

Unknown operator used.3 The following example filters updates based upon the sequence number of the Symantec SymEvent Installer (in order for the bSelect condition to be set to true. LuPreCon. The filtering takes place after LiveUpdate catalog files are retrieved.198 Publishing custom content Using PreConditions Table 10-6 Error code -2 1 2 PreCondition errors Description The PreCondition DLL. Unsupported reserve word used. failed to load. but before any updates are downloaded and installed. Memory allocation error.Catalog. LiveUpdate product updates are filtered based upon specific LiveUpdate properties found in the following Product. In this example. Invalid argument type was used for a given operation or function. LiveUpdate settings. registry settings. or product dependencies. General abort error. You can filter update packages based upon the operating system. This may occur under low memory situations. the sequence number must be 20010917 or higher): . 3 4 5 6 7 PreCondition examples You can create a PreCondition that lets you target product updates to specific computers in your environment. Invalid number of arguments was passed into a function.UPDATE=20010917 SKU=123-4567 UPDATESTATUS=UPDATES:YES VERSION=10.dll. Unknown function used.LiveUpdate file: [Product 0] DESCRIPTIVENAME=SymEvent LANGUAGE=English MONIKER={6e34dcc1-b194-11D2-a11e-00409500ad7d} PRODUCT=Symevent Installer PRODUCTNAME=Symevent Installer SEQ.

“SAVCECLT_SymEvent”) == “1”. You can also use the registered product's moniker: bSelect = GetSeqNumByMonider (“{6e34dcc1-b194-11D2-a11e-00409500ad7d}”. “10.Publishing custom content Using PreConditions 199 bSelect = GetSeqNum (“Symevent Installer”. The two PreConditions are combined using the && operator: bSelect = (IsWinnt () && (GetOSVerMajor () == 5) && (GetOSVerMinor () == 1) && ((GetWinOSProductMask () & 0x1) && (GetWinOSSuiteMask () & 0x200) != 0x200)) && (ToLower (GetSettingsProp (“PREFERENCES\\ENVIRONMENT”)) == “retail”. ”Update”) >= 20010917.3”. “English”.3”. “SOFTWARE\\Symantec\SharedUsage”. “Location”) == “ C:PROGRA~1\\COMMON~1\\SYMANT~1\\VIRUSD~1”. .dat”). “Symantec_Client_Security\\Symantec AntiVirus\\defloc. bSelect will be True if the operating system is Windows XP and the environment setting is retail. In the following example. You can also create a PreCondition that filters based upon values that are in an INI file or in the registry.dat file to see if the Location setting from the DefBaseLocation section equals C:\Progra~1\COMMON~1\SYMANT~1\VIRUSD~1: bSelect = GetIniValue (AppendPath (GetProgFilesDir (). the PreCondition checks to see if the registry value of \\HKLM\SOFTWARE\SymantecSharedUsage\SAVCECLT_SymEvent is set to 1: bSelect = GetRegValue (“HKLM”. “English”. “Update”) >= 20010917. “10. In this example. In this example.LiveUpdate file PREFERENCES\ENVIRONMENT line is set to retail mode: bSelect = ToLower (GetSettingsProp (“PREFERENCES\ENVIRONMENT”)) == “retail”. the PreCondition checks the Settings. The following example checks the INI file in the <Program Files>\Symantec Client Security\Symantec AntiVirus\defloc. You can string two or more PreConditions together. “Update”) = 123-4567. the PreCondition checks to see if the SKU value registered with the Symantec Installer is 123-4567: bSelect = GetProductProp (“Symevent Installer”. “DefBaseLocation”. In the following example.

&& (AND) is used to combine the two PreCondition statements. Click Select to place the statement into the text box. click Syntax. Note: You are not able to exit the PreCondition Editor if any of your entries contain syntax errors. click Insert to add it to the list in the PreCondition Editor. cancel your edits. Click Insert. type a PreCondition statement. To change the statement to evaluate to True if one or the other statement is True. and save PreCondition statements. but once you begin defining the PreCondition for your update. You can insert a new PreCondition statement. use an existing PreCondition statement and modify it to create a new statement. To confirm the syntax of the PreCondition statement. click Edit.200 Publishing custom content Using PreConditions Parentheses are used to group the statement that checks for Windows XP and the statement that checks for the environment setting. modify an existing Precondition statement. 4 To confirm the syntax of the PreCondition statement. . To insert a PreCondition statement 1 2 3 In the new product update window. To use an existing PreCondition statement as a template for a new statement 1 2 3 4 5 Select the statement in the PreCondition Editor to use as a template. each statement of your PreCondition is listed. Click Insert. the PreCondition Editor is empty. In the PreCondition Editor box. use || (OR). The original statement on which you based your new one remains unchanged. which evaluates to True only when both statements evaluate to True. click Syntax. Check the syntax of each statement you insert. next to preconditions. Each time that you type a statement in the text box. Modify the statement with your changes. Using the PreCondition Editor Initially.

To save PreCondition statements ◆ Click Done. All changes that you have made to the PreCondition statements are discarded and you are returned to the New Updates window. You are returned to the New Updates window. To cancel PreCondition statement edits ◆ Click Cancel. When you have finished your changes. It appears in the text box where you can make changes as needed. click Modify. click Syntax. you can revise the processing order and delete specific statements (Figure 10-1). The selected statement is replaced by your modified version. Editing PreCondition statements In the PreCondition Editor. To confirm the syntax of the PreCondition statement. .Publishing custom content Using PreConditions 201 To modify a PreCondition statement 1 2 3 Select the statement to modify.

and then click Up or Down to move the statement up or down in the processing order. To delete a PreCondition statement ◆ Select the statement. Signing and publishing updates Signers are responsible for performing the following tasks in the CCPA process: ■ ■ Signing submitted updates and publishing them to the test LiveUpdate server Signing submitted updates and publishing them to the production LiveUpdate server Rejecting submitted updates either before publishing to a test server.202 Publishing custom content Signing and publishing updates Figure 10-1 CCPA PreCondition Editor To revise the processing order of the PreCondition statement ◆ Select the statement. or before publishing to production ■ . and then click Delete.

and CCPA notifies the Submitter and the Tester by email. or a Submitter submits updates without testing. CCPA notifies you by email. the publishing session status goes to Submitted or Approved. you then publish the custom content to the production server. If you reject the updates. As the Signer. you review the updates and either publish them to the production server or reject them. you review the updates and either publish them to the test or production server or reject them. After a Tester approves updates. and CCPA notifies the Submitter by email. and CCPA notifies you by email if email notification has been enabled. the publishing session status goes to Approved. and CCPA notifies the Submitter by email. and you are the designated Signer. . Update packages can cause severe problems if they are not configured properly. Figure 10-2 CCPA Publish Status The custom content is published first to a test server and once the Tester has approved the updates. Warning: You should test your updates before you publish them. the current publishing session status changes to Submitted.Publishing custom content Signing and publishing updates 203 ■ Managing their own signing certificates (PKCS12 keystore) When a Submitter submits updates for which you are the designated Signer. If you publish the updates to the production server. the publishing session status changes to In Test. As the Signer. If you reject the updates. and CCPA notifies the Tester by email. the publishing session status returns to In Work. If email notification is enabled. and the Publish Status box in the Updates window looks like the example shown in Figure 10-2. the publishing session status returns to In Work. the publishing session status goes back to the initial state of Available. When a Submitter submits product updates for testing. If you publish the updates to the test server. depending on whether or not the Submitter selected a Tester.

which authenticates the GRD file using the Signer's certificate and password.zip file is created with the TRI.Custom Content window. This includes the new updates that were just defined (added. . click My Profile. the updates are ready to be published to that server for testing. click Upload Certificate. The SIG file is created. the production server. replace. ■ ■ ■ ■ ■ Necessary cleanup operations are performed at the CCPA server and. The TRI file is transferred to the production server. finally. The GRD file is assembled based on all of the files (Update Packages) that are defined in the CCPA database. as well as those that were not affected by the publishing session. you must first upload your signing certificate. deleted. you can publish the updates directly to the production server after you approve them. You cannot publish updates to either the test server or the production server until your certificate has been uploaded. Depending on the session type (new. delete). or removed from. Publishing updates If the Submitter has designated a Tester and testing server. and SIG files. In the main LiveUpdate . Click submit. the relevant files (Update Packages) are transferred to. the following takes place: ■ The TRI file is assembled based on all of the product updates in the CCPA database. In the my profile window. Click Browse.204 Publishing custom content Signing and publishing updates Uploading a signing certificate To publish product updates. Once you confirm the publish to production action. If a testing server and Tester has not been designated. The custtri. or modified) as part of the current publishing session. To upload a signing certificate 1 2 3 4 5 Log onto CCPA. GRD. the publishing session goes into the Available state. and then select your signing certificate.

type your certificate password. A password is required for you to sign the GRD file. CCPA notifies the Submitter that the update has been rejected if email notification is enabled.Publishing custom content Signing and publishing updates 205 To publish updates to a test server 1 In the Updates > confirm test publish window. A password is required for you to sign the GRD file. This email is sent to all session participants. type the user name and password for the test server. . the publishing session remains locked and enters the In Work state. 4 Click Confirm Production Publish. This is only necessary if the user name and password were not entered in the server attributes during set up by the CCPA Administrator.zip file. A message confirms that the updates have been published to the production server. This may take time to complete. To publish updates to a production server 1 In the Updates > Publish to Production window. Rejecting updates When you reject an update for publishing. 4 Click Confirm Test Publish. This is only necessary if the user name and password were not entered in the server attributes during set up by the CCPA Administrator. type an email message regarding the update. To reject an update ◆ In the LiveUpdate publish status window. before the custtri file is assembled and transferred to the LiveUpdate test server. click Reject Updates. You can add up to 500 characters. This email is sent to all session participants. 2 3 If email notification is enabled. In the certificate password box. before the custtri file is assembled and transferred to the Central LiveUpdate production server. type an email message regarding the update. 2 3 If email notification is enabled. type your certificate password. depending on the size of the custtri. enter the user name and password for the production server. You can add up to 500 characters. In the certificate password box.

the status of the publishing session returns to In Work. CCPA notifies the Tester by email when updates have been submitted. It is the responsibility of the Submitter to ensure that the test server is in a ready state for testing the submitted updates. The products that are ready for testing are displayed in the list of product update entries in the LiveUpdate publish status window. if email notification has been enabled. the status of the publishing session changes to Approved and it is now the Signer's responsibility to perform the next step. The Tester is notified again when a Signer publishes the updates to a test server. CCPA notifies the Submitter and the Signer by email of the test results.206 Publishing custom content Testing product updates Testing product updates The Tester is responsible for testing product updates on a LiveUpdate test server. If the test passes. When you have completed testing. and it is the responsibility of the Submitter to perform the next step. This email provides the location of the test server where you can test the product updates. When the publishing status is marked In Test. as well as the details regarding the changes that were defined by the Submitter in this publishing session. If the test fails. . you can access the product updates on the test server to perform your verification test. you log on to CCPA and access the Updates window where you click Test Passed or Test Failed.

running in a corporate environment 111 C CCPA about 147 administrative tasks 156 Administrator 175 enabling SSL support over HTTPS 154 file locations 149 installing 151 managing publishing sessions 167 navigating 157 products and languages 162 publishing session status 177 roles and users 148 servers.Index A Active Management Technology (AMT) See Intel AMT Administrators. CCPA 170 Automatic LiveUpdate Scheduler service configuring 114 Automatic LiveUpdate. CCPA 175 audit log entries. Java LiveUpdate 122 configuration host files for unmanaged clients 59 host files for use with the Symantec System Center 55 Java LiveUpdate 116 Java LiveUpdate for an internal server 121 . working with 160 working with 148 Central LiveUpdate servers 18. working with 158 session timeout 166 Signer 202 signing 202 starting 156 Submitter 178 system configuration 164 Tester 206 CCPA (continued) update types 163 User Profiles. 24 and custom LiveUpdate packages 52 configuring clients to use 40 setting up 37 certificates importing into Java keystore 128 working with client compatibility 18 configuration files 96 creating LiveUpdate host files for 37 updating using a Central LiveUpdate server 24 updating using a Symantec LiveUpdate server 23 client files LiveUpdate 23 locations 22 command-line switches.

planning for 149 Custom Content Publishing Application See CCPA D downloads folder 153 interrupted 35 LiveUpdate data 153 E Express mode 23 F files client configuration 96 LiveUpdate client 23 Intel AMT client files 131 how it works with LiveUpdate 130 LiveUpdate Administrator for Intel AMT console installing program 139 opening an existing XML file starting a new scan using 140 luamtscan.exe 132 setting up the BIOS on the Intel AMT computer starting a LiveUpdate session 137 Symantec Provisioning Tool command-line arguments 134 creating a configuration file 135 running locally 136 running remotely 136 Interactive mode 23 interrupted downloads.0 settings in SESA 81 I Index files 22 installation CCPA 151 Java LiveUpdate 116 LOTS Manager 151 . 116 Host settings in SESA 81 in SESA 78 configuring for an internal server 121 enabling logging on Linux servers installing and uninstalling 116 Java LiveUpdate 3.exe command-line arguments 142 creating a configuration file 144 creating a host file 144 running remotely 145 running sysprovision.208 Index configuration (continued) NetWare servers from the Symantec System Center 58 custom content about 147 defining Java LiveUpdate settings in SESA 83 enabling clients 172 publishing. handling 35 H host files configuring for unmanaged clients 59 for client workstations 37 J Java LiveUpdate about 115 configuring 84.

147 using 37 using with the Symantec System Center 55 LiveUpdate Administrator for Intel AMT console.LiveUpdate 97 LOTS file and custom content publishing process 153 and working with certificates 154 locations of 149 uploading 158 LOTS Manager installing 151 using 152 luamtscan. 91. using 200 PreConditions examples 186.LiveUpdate 96 publishing session about 175 canceling 170 modifying participants 169 modifying state of 167 S scheduler running in a corporate environment 111 running LiveUpdate from 113 SESA and LiveUpdate 62 . 175 using command-line switches with 122 L LiveUpdate 115 See also Java LiveUpdate about 17 Automatic LiveUpdate in a corporate environment 111 configuration. 26 installing 31.exe. using SESA to distribute 78 creating host files for client workstations 37 how it works 23 running from a command line or scheduler 60 scheduled LiveUpdate in a corporate environment 111 upgrading 26 LiveUpdate Administration Utility and LiveUpdate client compatibility 18 how it works 23.conf configuring 116 configuring to use internal LiveUpdate server 121 parameters 116 sample files 120 Log.Inventory. 198 syntax 183 using 182 Product. using with Intel AMT 142 P PreCondition Editor. 34 system requirements 31 troubleshooting 61.Index 209 Java LiveUpdate (continued) running from the command line 122 SESA General settings 79 using 115. using with Intel AMT LiveUpdate client configuration files 96 file locations 22 LiveUpdate client (continued) files 23 liveupdate.

83 General settings 66 Java LiveUpdate Hosts settings 81 viewing LiveUpdate events 64 Windows Hosts settings 72 Windows LiveUpdate settings 66. CCPA 206 U unmanaged clients. using with Intel AMT 132 system requirements 33 Update types and CCPA 163 working with 164 updates defining custom content 179 enabling and scheduling from the Symantec System Center 57 independent products.LiveUpdate 97 Signers. configuring host files for 59 . importing into Java keystore 128 SSL support.210 Index SESA (continued) configuring Windows LiveUpdate clients 65 Custom Content settings 71. CCPA 205 submitting custom content 178 T Testers. using with Intel AMT 134 Symantec System Center configuring LiveUpdate host files for use with 55 NetWare servers from 58 enabling and scheduling client updates from 57 using the LiveUpdate Administration Utility with 55 sysprovision. enabling over HTTPS 154 Submitters. CCPA 202 SSL certificates. automatic detection of 62 Settings. defining 181 publishing to production server 205 publishing to test server 205 rejecting. 79 working with Java LiveUpdate configurations 84 working with Windows LiveUpdate configurations 74 SESA Agent.exe. CCPA 178 Symantec LiveUpdate servers 18 Symantec management console 64 Symantec Provisioning Tool.

Sign up to vote on this title
UsefulNot useful