****************************************************************************** Symantec Endpoint Protection 11.0 MSI_FAQ.TXT Copyright 2007 Symantec Corporation. All rights reserved. Feb 2008 ****************************************************************************** This file is a list of the most commonly used MSI commands for Symantec Enterprise Protection, and Symantec Endpoint Security Manager, and Symantec Network Access Control. For a complete list of commands, properties, and features, see the Symantec Knowledge Base. BASIC MSI commands ------------------ /QN - Quiet No UI /QB - Quiet Basic UI /L*V log.txt - full verbose logging to file log.txt MSI logging ----------- When run from the setup.exe stub Symantec Enterprise Protection, and Symantec Endpoint Security Manager, and Symantec Network Access Control automatically create installer logs to the %TEMP% folder (e.g. C:\Documents and Settings\\Local Settings\Temp) named SEP_INST.LOG, SEPM_INST.LOG or SNAC_INST.LOG respectively. When the installers are run from either the ClientRemote tool the installer logs are automatically created in the %WINDIR%\temp folder (e.g. C:\WINDOWS\temp) named VPREMOTE.LOG. These installer logs are vital in determining installer failures. Please have these logs available when contacting Symantec Support. * Note – Localized operating systems may have slightly different folders for the log files. You can resolve this by clicking on the start button, clicking run and then entering either %TEMP% for the temp folder or %WINDIR%\temp for the windows temp folder. Please see the “Reading Installer logs” section below for more information. MSI Logging with System and Group Policy ---------------------------------------- MSI logging can also be controlled with a local System and Group Policy at the machine level. Please reference "How to Enable Windows Installer Logging in Windows XP" http://support.microsoft.com/kb/314852 MSI Logging options (VOICEWARMUP) --------------------------------- v - Verbose output o - Out-of-disk-space messages i - Status messages c - Initial UI parameters e - All error messages w - Non-fatal warnings a - Start up of actions r - Action-specific records m - Out-of-memory or fatal exit information u - User requests p - Terminal properties + - Append to existing file ! - Flush each line to the log * - Wildcard, to log all information except for the v option. To include the v option, specify *v. BASIC MSI properties -------------------- REBOOT=REALLYSUPPRESS – During migration a reboot may be required. By suppressing a required reboot, full product functionality may not be available until a reboot has taken place. This may not be apparent on a silent install or migration as no user interface messages are displayed. SAV properties -------------- RUNLIVEUPDATE= (1 = run LiveUpdate after install, 0 = do not run LiveUpdate after install, default = 1 run LiveUpdate after install) ENABLEAUTOPROTECT= (1 = ON, 0 = OFF, Default is 1 = ON) SYMPROTECTDISABLED= (0 = ON, 1 = OFF, Default is 0 = ON) DISABLEDEFENDER= (1 = Disable Windows Defender, 0 = Do not disable Windows Defender, Default is 1 = Disable Windows Defender) INSTALLDIR= (Install target directory, default is C:\Program Files\Symantec AntiVirus) CACHEINSTALL= (1 = Cache install, 0 = don't cache, Default is 1) MIGRATESETTINGS= (0 = don't preserve setting, 1 = preserve all sygate firewall/network acceess setttings, 2 = preserve SyLink.xml and logs only) This affects legacy sygate settings only. SAV10UNINSTALLFIXRUN= (1 = already run, 0 = not yet run) Upgrading SAV10.x or SCS3.x requires modification of the cached install package or the upgrade will fail. If SAV10.x or SCS3.x are detected, the install will abort unless the user is an administrator of the local machine. Setting this property to 1 disables this check. Note that enabling MSI to run with elevated privileges is not sufficient in this case. In addition to installing as a local administrator, the modification can be accomplished in two other ways: 1. Temporarily grant users write access to the Windows\Installer directory for the duration of the upgrade. 2. Run the tool Tools\Sav9UninstallFix under the credentials of an account with write access to Windows\Installer, and then execute the upgrade with the property SAV9UNINSTALLFIXRUN=1 on the command line. Many of these properties can also be set via the setAid.ini file. If there is a file named setAid.ini in the same folder as the MSI file, the installer will parse it for various options. The following sections and values equate to the listed properties: CUSTOM_SMC_CONFIG: DestinationDirectory = INSTALLDIR LU_CONFIG: Manageability ------------- The SAV installer will check for an external file named SyLink.xml. If this file is found it will override the internal version and be copied to the directory where the product is installed. It should contain the information needed to connect to the SESM. Windows Security Center features -------------------------------- These properties allow for the configuration of the interaction between users and the Windows Security Center (WSC) running on Windows® XP Service Pack 2. These properties apply to unmanaged clients only. The Symantec System Center controls these properties for managed clients. WSCCONTROL= (0= No action, 1 = Disable once, 2 = Disable always, 3 = Restore if disabled) Allows an administrator of a non-managed network to configure the WindowsSecurityCenterControl value set on the SSC Client Administrator Only General tab. WSCAVALERT= (0= Disable, 1 = Enable, Default is 0 = Disable) Allows an administrator of a non-managed network to configure the AntiVirusDisableNotify value for Windows Security Center. WSCFWALERT= (0= Disable, 1 = Enable, Default is 0 = Disable) Allows an administrator of a non-managed network to configure the FireWallDisableNotify value for Windows Security Center. WSCAVUPTODATE= (Integer value between 1 and 90, Default is 30) Allows an administrator of a non-managed network to configure the number of days used to determine if threat definitions are up to date for Windows Security Center. MSI Feature name - Feature Discription. Specificy the MSI Feature name when adding or removing features from the command line. Selectable SAV features ----------------------- SAVMain - Antivirus and Antispyware Protection ->EMailTools - Antivirus Email Protection ->OutlookSnapin - Outlook Scanner ->NotesSnapin - Notes Scanner ->Pop3Smtp - POP3/SMTP Scanner Proactive Threat Protection features ------------------------------------ PTPMain - Proactive Threat Protection ->COHMain - Proactive Threat Scan ->DCMain - Application and Device Control Network Threat Protection features ----------------------------------- ITPMain - Network Threat Protection ->Firewall - Firewall and Intrusion Prevention Adding and removing features ---------------------------- To remove existing features: REMOVE=,, To add new features: ADDLOCAL=,,, , , etc. Note: When adding new features using ADDLOCAL, any existing features on the target computer that you want to retain must be included or the installation will remove any features on the target computer that are not listed. Make sure that the ADDLOCAL= line always contains the feature "Core" in it, these are required by all of the various installs. It is also very important to note that feature names are case sensitive. "EmailTools" is not the same feature as "EMailTools". DEPLOYING TO VISTA CLIENTS -------------------------- The Symantec Deployment tool ClientRemote requires the remote target client computer to be running the Remote Registry service. In versions of Windows prior to Vista this service was on by default however in Microsoft Vista it is now off by default. ClientRemote has the ability to remotely detect that Remote Registry service is not running and start it. If ClientRemote does start the service, it will also disable the service once it has completed running. If it does not start it then it will not stop the service. Depending on the speed of the target client computer and various other timing issues, ClientRemote may prompt that the target client computers do not have the Remote Registry service running and if this happens you are advised to re-add the client a second time as this often works. Using administrative accounts and ClientRemote to deploy SAV clients to Microsoft Vista Clients. When Microsoft Vista is configured with UAC (User Account Control) turned on, local Administrative accounts (Little Abby) are filtered and are not able to remotely access remote administrative shares (C$, Admin$) as they were in previous versions of Windows. To use ClientRemote in this scenario either use a Domain Administrative account (Big Abby) if the client computer is on an Active Directory domain. Otherwise you must disable the client computer's local account filtering policy by creating the following registry key on the target machine. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\ LocalAccountTokenFilterPolicy DWORD: 1 Reading Installer logs ---------------------- The common installer logs are SEP_INST.LOG, SNAC_INST.LOG, or SEPM_INST.LOG. These are standard MSI log files. You can search for an installer failure point by doing a text search for the string “value 3” (CTRL+F = find in Notepad). This is important in determining installer and migration failures, especially in silent scenarios. A small sample of common errors and messages are “This version of [ProductName] requires Internet Explorer 5.5 Service Pack 2.” or “This version of [ProductName] does not support 64-bit platforms. Please install Symantec AntiVirus for Win64 instead.” Please have the installer log file and error message available when contacting Symantec Support. Command line example -------------------- This example demonstrates a silent Symantec AntiVirus installation. LiveUpdate is not run, and the system is not restarted even if it is required. Sample command line: setup /s /v"/l*v log.txt /qn RUNLIVEUPDATE=0 REBOOT=REALLYSUPPRESS"