Windows Firewall Proves Problematic for Symantec AntiVirus
If you've installed Windows XP Service Pack 2 (SP2) on a machine, you might have noticed that you can't remotely manage the workstation using the Symantec System Center Console. For example, if you try to start a manual scan on an XP SP2 machine, you'll receive an error message stating that the workstation can't be communicated with even though it's turned on and connected to the network. Because the Windows Firewall is turned on by default with SP2, it prevents the Symantec System Center from communicating with the workstation. You can use the Windows Firewall INF file to control the firewall's behavior. You can also use Group Policy to control the Windows Firewall settings. Complete the following steps to let the XP SP2 workstation be managed with the Symantec System Center Console.
1. Install Group Policy Management Console (GPMC). Go to http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en to download and install the utility. GPMC must be installed on a Windows 2003 or XP workstation.
2. Update your ADM templates for XP SP2. You can get the latest ADM templates from http://www.microsoft.com/downloads/details.aspx?FamilyId=92759D4B-7112-4B6C-AD4A-BBF3802A5C9B&displaylang=en. I made a backup of the .adm files in c:\windows\inf, then copied the updated template files to c:\windows\inf. If you made any changes to the existing .adm files, make sure you merge the existing modifications with the updated templates.
3. Download the patch to handle strings longer than 255 characters. You can download this patch at http://support.microsoft.com/default.aspx?kbid=842933. If you don't download this patch, you'll receive the error message “The following entry in the [strings] section is too long and will be truncated” whenever you try to edit a Group Policy Object (GPO).
4. Create a GPO to open ports on Windows Firewall. This setting is located in Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall, Domain Profile. You must define the settings for Windows Firewall: Define port exceptions and Windows Firewall: Allow local port exceptions. If you just want to allow remote management through the Symantec AntiVirus (SAV) Corporate Edition 9.x and 8.x console, open UDP port 2967. For additional port information used in SAV Corporate, refer to http://service1.symantec.com/SUPPORT/ent-security.nsf/529c2f9adcf33a1088256e22005026f1/826b484479226da688256c38008276b4?OpenDocument&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=9.0&src=ent&pcode=sav_ce&dtype=corp&svy=&prev=&miniver=savce_9.0. I suggest only allowing the IP address of your SAV servers in the port exception rule.
Double-click Windows Firewall: Define port exceptions, click Show, click Add, and enter the exception string. The syntax for this string is
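
An added example, not part of the original article: a Python check that reviews port-exception strings against the advice in step 4 to limit UDP port 2967 to the SAV servers. It assumes the `port:transport:scope:status:name` layout that Microsoft documents for this policy setting, with IPv4 scopes; the function names, rule names and addresses are constructed for illustration.

```python
import ipaddress
SAV_RULE = (2967, "UDP")  # port and protocol named in step 4

def parse_exception(entry):
    """Parse 'port:transport:scope:status:name' (assumed layout, IPv4 scopes)."""
    parts = entry.strip().split(":", 4)
    if len(parts) != 5:
        raise ValueError("expected 5 colon-separated fields")
    port, proto, scope, status, name = parts
    proto, status = proto.upper(), status.lower()
    if not (port.isdigit() and 1 <= int(port) <= 65535
            and proto in ("TCP", "UDP") and status in ("enabled", "disabled")):
        raise ValueError("bad port, transport or status")
    return (int(port), proto, [s.strip() for s in scope.split(",")], status == "enabled", name)

def scope_problem(item, allowed):
    """Return why one scope item reaches beyond the SAV servers, or None."""
    if item.lower() in ("*", "localsubnet"):
        return f"scope {item} admits more than the SAV servers"
    try:
        net = ipaddress.ip_network(item, strict=False)
    except ValueError:
        return f"scope {item} is not an address or subnet"
    if net.num_addresses != 1:
        return f"scope {item} is a subnet, not a single host"
    return None if net.network_address in allowed else f"scope {item} is not a listed SAV server"

def audit(entries, sav_servers):
    """Return (entry, reason) for enabled UDP 2967 rules open beyond sav_servers."""
    allowed = {ipaddress.ip_address(a) for a in sav_servers}
    findings = []
    for entry in entries:
        try:
            port, proto, scope, enabled, _ = parse_exception(entry)
        except ValueError as exc:
            findings.append((entry, f"unparseable: {exc}"))
            continue
        if (port, proto) == SAV_RULE and enabled:
            findings += [(entry, why) for why in (scope_problem(i, allowed) for i in scope) if why]
    return findings

# Constructed sample policy values; the addresses are documentation ranges.
SAMPLE = [
    "2967:UDP:192.0.2.10:enabled:SAV management",
    "2967:UDP:*:enabled:SAV management (any source)",
    "2967:UDP:192.0.2.10,192.0.2.0/255.255.255.0:enabled:SAV mixed scope",
    "2967:UDP:198.51.100.7:enabled:SAV unknown host",
    "2967:UDP:*:disabled:SAV old rule",
]
```

Calling `audit(SAMPLE, ["192.0.2.10"])` reports the three enabled rules whose scope reaches beyond the listed SAV server and ignores the disabled one.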
Tip: Computer Bag
I just picked up a new computer bag. It’s made by Swiss Army and has allowed me to consolidate my briefcase and computer bag into one unit. It’s expandable, has wheels and an integrated handle, and seems to have a compartment for everything. You can check it out at http://www.swissarmytravelgear.com/webstore/moreinfo.cfm?product_id=3649&category=54. You can probably get a significant discount off the retail price. I paid around $300 for mine at H. Savinar in Los Angeles (http://www.moredeals.com/ads/savinar.htm). If you travel a lot and need to lug around a lot of computer gear, it's a great bag to have.