******************************************************************************

Symantec Endpoint Protection 11.0 MSI_FAQ.TXT

Copyright 2007 2009 Symantec Corporation. All rights reserved. March 2009
******************************************************************************
This file is a list of the most commonly used MSI commands for Symantec Enterpri
se Protection, and Symantec Endpoint Security Manager, and Symantec Network Acce
ss Control.
For a complete list of commands, properties, and features, see the Symantec Know
ledge Base.
BASIC MSI commands
------------------
/QN - Quiet No UI
/QB - Quiet Basic UI
/L*V log.txt - full verbose logging to file log.txt
MSI logging
-----------
When run from the setup.exe stub Symantec Enterprise Protection, and Symantec En
dpoint Security Manager, and Symantec Network Access Control automatically creat
e installer logs to the %TEMP% folder (e.g. C:\Documents and Settings\<USERNAME>
\Local Settings\Temp) named SEP_INST.LOG, SEPM_INST.LOG or SNAC_INST.LOG respect
ively. When the installers are run from either the ClientRemote tool the install
er logs are automatically created in the %WINDIR%\temp folder (e.g. C:\WINDOWS\t
emp) named VPREMOTE.LOG.
These installer logs are vital in determining installer failures. Please have th
ese logs available when contacting Symantec Support.
* Note Localized operating systems may have slightly different folders for the l
og files. You can resolve this by clicking on the start button, clicking run and
then entering either %TEMP% for the temp folder or %WINDIR%\temp for the window
s temp folder.
Please see the Reading Installer logs section below for more information.
MSI Logging with System and Group Policy
----------------------------------------
MSI logging can also be controlled with a local System and Group Policy at the m
achine level.
Please reference "How to Enable Windows Installer Logging in Windows XP" http://
support.microsoft.com/kb/314852
MSI Logging options (VOICEWARMUP)
---------------------------------
v - Verbose output
o - Out-of-disk-space messages
i - Status messages
c - Initial UI parameters
e - All error messages
w - Non-fatal warnings
a - Start up of actions
r - Action-specific records
m - Out-of-memory or fatal exit information
u - User requests
p - Terminal properties
+ - Append to existing file
! - Flush each line to the log
* - Wildcard, to log all information except for the v option. To include the v o
ption, specify *v.
BASIC MSI properties
--------------------
REBOOT=REALLYSUPPRESS During migration a reboot may be required. By suppressing
a required reboot, full product functionality may not be available until a reboo
t has taken place. This may not be apparent on a silent install or migration as
no user interface messages are displayed.
Install properties
--------------
RUNLIVEUPDATE= (1 = run LiveUpdate after install, 0 = do not run LiveUpdate afte
r install, default = 1 run LiveUpdate after install)
ENABLEAUTOPROTECT= (1 = ON, 0 = OFF, Default is 1 = ON)
SYMPROTECTDISABLED= (0 = ON, 1 = OFF, Default is 0 = ON)
DISABLEDEFENDER= (1 = Disable Windows Defender, 0 = Do not disable Windows Defen
der, Default is 1 = Disable Windows Defender)
INSTALLDIR= (Install target directory, default is C:\Program Files\Symantec Anti
Virus)
CACHEINSTALL= (1 = Cache install, 0 = don't cache, Default is 1)
MIGRATESETTINGS= (0 = don't preserve setting, 1 = preserve all sygate firewall/n
etwork acceess setttings, 2 = preserve SyLink.xml and logs only) This affects
legacy sygate settings only.
SAV10UNINSTALLFIXRUN= (1 = already run, 0 = not yet run)
Upgrading SAV10.x or SCS3.x requires modification of the cached install package
or the upgrade will fail. If SAV10.x or SCS3.x are detected, the install will a
bort unless the user is an administrator of the local machine. Setting this pro
perty to 1 disables this check.
Note that enabling MSI to run with elevated privileges is not sufficient in this
case. In addition to installing as a local administrator, the modification can
be accomplished in two other ways:
1. Temporarily grant users write access to the Windows\Installer directory for
the duration of the upgrade.
2. Run the tool Tools\Sav9UninstallFix under the credentials of an account with
write access to Windows\Installer, and then execute the upgrade with the proper
ty SAV9UNINSTALLFIXRUN=1 on the command line.
Many of these properties can also be set via the setAid.ini file. If there is a
file named setAid.ini in the same folder as the MSI file, the installer will pa
rse it for various options. The following sections and values equate to the lis
ted properties:
CUSTOM_SMC_CONFIG:
DestinationDirectory = INSTALLDIR
LU_CONFIG:
Manageability
-------------
The SAV installer will check for an external file named SyLink.xml. If this fil
e is found it will override the internal version and be copied to the directory
where the product is installed. It should contain the information needed to con
nect to the SESM.
Windows Security Center features
--------------------------------
These properties allow for the configuration of the interaction between users an
d the Windows Security Center (WSC) running on Windows® XP Service Pack 2.
These properties apply to unmanaged clients only. The Symantec System Center con
trols these properties for managed clients.
WSCCONTROL= (0 = No action, 1 = Disable once, 2 = Disable always, 3 = Restore if
 disabled)
Allows an administrator of a non-managed network to configure the WindowsSecurit
yCenterControl
value.
WSCAVALERT= (0 = Disable, 1 = Enable, Default is 0 = Disable)
Allows an administrator of a non-managed network to configure the AntiVirusDisab
leNotify value for Windows Security Center.
WSCAVUPTODATE= (Integer value between 1 and 90, Default is 30)
Allows an administrator of a non-managed network to configure the number of days
used to determine if threat definitions are up to date for Windows Security Cen
ter.
MSI Feature name - Feature Discription. Specificy the MSI Feature name when addi
ng or removing features from the command line.
Selectable SAV features
-----------------------
SAVMain - Antivirus and Antispyware Protection
->EMailTools - Antivirus Email Protection
->OutlookSnapin - Outlook Scanner
->NotesSnapin - Notes Scanner
->Pop3Smtp - POP3/SMTP Scanner
Proactive Threat Protection features
------------------------------------
PTPMain - Proactive Threat Protection
->COHMain - Proactive Threat Scan
->DCMain - Application and Device Control
Network Threat Protection features
-----------------------------------
ITPMain - Network Threat Protection
->Firewall - Firewall and Intrusion Prevention
Adding and removing features
----------------------------
To remove existing features:
REMOVE=<feature1>,<feature2>,<feature3>
To add new features:
ADDLOCAL=<feature1>,<feature2>,<feature3>, <existing feature 1>, <existing featu
re 2>, etc.
Note: When adding new features using ADDLOCAL, any existing features on the targ
et computer that you want to retain must be included or the installation will re
move any features on the target computer that are not listed. Make sure that th
e ADDLOCAL= line always contains the feature "Core" in it, these are required by
all of the various installs. It is also very important to note that feature na
mes are case sensitive. "EmailTools" is not the same feature as "EMailTools".
DEPLOYING TO VISTA CLIENTS
--------------------------
The Symantec Deployment tool ClientRemote requires the remote target client comp
uter to be running the Remote Registry service. In versions of Windows prior to
Vista this service was on by default however in Microsoft Vista it is now off by
default. ClientRemote has the ability to remotely detect that Remote Registry s
ervice is not running and start it. If ClientRemote does start the service, it w
ill also disable the service once it has completed running. If it does not start
it then it will not stop the service. Depending on the speed of the target clie
nt computer and various other timing issues, ClientRemote may prompt that the ta
rget client computers do not have the Remote Registry service running and if thi
s happens you are advised to re-add the client a second time as this often works
.
Using administrative accounts and ClientRemote to deploy SAV clients to Microsof
t Vista and Windows 7 Clients
--------------------------------------------------------------------------------
-----------------------------
When Microsoft Vista or Windows 7 is configured with UAC (User Account Control)
turned on, local Administrative accounts (Little Abby) are filtered and are not
able to remotely access remote administrative shares (C$, Admin$) as they were i
n previous versions of Windows. To use ClientRemote in this scenario either use
a Domain Administrative account (Big Abby) if the client computer is on an Activ
e Directory domain. Otherwise you must disable the client computer's local accou
nt filtering policy by creating the following registry key on the target machine
.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\ LocalAccountToke
nFilterPolicy
DWORD: 1
Reading Installer logs
----------------------
The common installer logs are SEP_INST.LOG, SNAC_INST.LOG, or SEPM_INST.LOG. The
se are standard MSI log files. You can search for an installer failure point by
doing a text search for the string "value 3" (CTRL+F = find in Notepad). This is
important in determining installer and migration failures, especially in silent
scenarios.
A small sample of common errors and messages are This version of Symantec Endpoin
t Protection requires Internet Explorer 6 or later. or This version of Symantec En
dpoint Protection does not support 64-bit platforms. Please install Symantec En
dpoint Protection for Win64 instead.
Please have the installer log file and error message available when contacting S
ymantec Support.

Command line example

--------------------
This example demonstrates a silent Symantec Endpoint Protection installation.
LiveUpdate is not run, and the system is not restarted even
if it is required.
Sample command line:
setup /s /v"/l*v log.txt /qn RUNLIVEUPDATE=0 REBOOT=REALLYSUPPRESS"