STUPID Symantec antivirus – AutoIt is not a virus.

It’s going to be a long day for sysadmins who use AutoIt on their production LAN, as Symantec has detected the product as MSN.flooder in their dat files – the last time this happened was Jan 2006. Fortunately I only have it on a couple of PCs, but it is going to be a real pain for someone who uses it on every desktop or in login scripts. This follows about a week after they crippled thousands of Chinese PCs by detecting Windows files as viruses. I sure wouldn’t want to be a Chinese sysadmin running AutoIt! Home users can log a report at the Symantec false positive report site, but enterprise gold or platinum users need to contact support or submit a false positive report after updating the dats. To report using the antivirus application – right-click the file in quarantine and choose submit to Symantec Security Response. Unfortunately on my work PC I don’t have rights to do this!
Update: Downloading the latest updates to May 31st defs, releasing the files from quarantine and then scanning did not quarantine the files again.
Update 2: It looks like the same definition patterns also got a false positive in Search & Destroy according to SANS.
Update 3: HTML corrected to ensure the updates appear properly.

Symantec Direct assist retiring.

It’s funny, but someone should tell Symantec’s music on hold operator that their direct assist product that they push when you eventually (after 40 minutes) get to the support *queue* was withdrawn for new cases 4 days ago. Seeing as though this product “prevents call waiting time, increases uptime, eases the support burden on the end user” – why are they closing it down?

0xe00084af failure in Symantec Backup Exec caused by WSUS 3 installation

Fixed! One of my servers has been failing to back up with the error “0xe00084af The directory or file was not found, or could not be accessed. Final error category: Job Errors. For additional information refer to link V-79-57344-33967”. I spent ages troubleshooting the errors and trying to work out what was going on, and found that it would fail to back up any file on the local hard disk of the machine.
I posted a note in the Symantec forums and didn’t hear anything back, but did find a post that upgrading to 10d might fix it (not a current solution, as this would mean purchasing an upgrade of the software for the Exchange agent, and the Exchange agent is currently working).
The other solution was to stop SQL servers on the box. This server was the WSUS box and I had also recently upgraded it to version 3 of WSUS. This created (at least) two new services – SQL Server VSS Writer and Windows Internal Database (Microsoft ##SSEE). Through trial and error I discovered that stopping the SQL Server VSS Writer service meant the backup would work, which is weird, as why this should affect me backing up something like c:\jobs\fred.bat, which has nothing to do with SQL, I don’t know.
I’m hoping that my forum posting about the problem will get a better solution, but for now I’m just pleased to be able to back up my file server.

Symantec control centre failing to synchronise with server

I’ve had an instance with Symantec’s system centre not being able to show me the details of the client PCs, complaining that the parent server was down. An initial reboot of the server didn’t fix the problem, and most of the documents refer to reinstalling or upgrading Symantec to fix the problem. However, the document titled ‘Error: “Event ID 62: Symantec AntiVirus communications layer failed to initialize…” appears in the Windows Event Viewer – Application log’ asks for a restart of the service and changing the LoginCaCertIssueSerialNum registry entry – that did the trick.

Symantec patch lists

I was initially under the impression that only 10.1 was vulnerable to the new exploit that went out, but apparently it’s almost every 10. version of the software. The web page at Symantec’s sym06-010 page is good for providing links on what needs to be upgraded to what version. This is something that Symantec is VERY poor at doing – I’ve never received a new patch level notification or anything, apart from the marketing push to upgrade to the latest version – but even then the latest versions that I’ve been sent haven’t been the latest version and have needed patching!

Norton Save & Restore

Symantec’s Save & Restore should be out any day now – this was some software that I attempted to beta test. The feature list is pretty impressive, and incremental Ghost-like images that can be merged back into a master Ghost image are pretty useful – a bit like having full and differential backups but never having to create more than one full backup. In the case of my home system that is really handy, as I have 130GB of data – an awful lot to back up more than once onto a hard disk (let alone DVDs).

Symantec Updates are not so silent…

I was at a client site this afternoon and discovered that installing the latest patch as per the instructions doesn’t give the silent install that is meant to happen. You need to ensure you read the whole set of instructions first, as otherwise you follow the steps and, when you get to step 17 after setting the install off, you then realise that the vpremote.dat needs editing FIRST! At this point you discover the silent install is extremely loud and colourful as the swearing echoes around the room as PCs start to reboot with no warning whatsoever.