Preventing Trend Micro from scanning server after the umpteenth time of installation.

When you have a problem with Trend and have to keep reinstalling it on the server, it gets extremely frustrating waiting for the agent to do a prescan and then fail to complete the install due to “unable to install the client/server security agent.Contact Trend Micro support. Error copying FlowControl.dll”

The problem of flowcontrol.dll can be fixed by deleting the trend micro\Client Security Agent folder after you have uninstalled the software. If you get a problem deleting perficrcperfmonmgr.dll then unregister it with regsvr32 /u perficrcperfmonmgr.dll  Wait a few seconds and then rename the Client Security Agent folder to .old.  Repeat the installation and the software should install with no problems.  (Note that you may have to reboot if the Security Agent service fails to stop)

To prevent the server from rescanning for virus’s (which after all it has been doing in the past and will take a long time on a server), edit the autopcc.ini that can be found in the \\server\ofcscan\autopcc.cfg folder.  Change NoPreScan to 1 instead of 0 and then run the autopcc.exe install program.

For what it’s worth, we are looking at using Trend due to some of the features such as the Remote Manager capabilities and the fact that they do seem to listen to their users and resellers.  I had a good training session with one of their Technical managers a week ago which was really great. unfortunately the install that sparked this blog post has caused me no end of problems and Symantec would be a much more efficient install in this case.

Symantec definitions slowly getting fixed.

Symantec have now released a patch that fixes the issue of definitions being dated 12/31/2009. However, the patch so far is only available for those running 11.03 or 11.05. For more details read the official statement on the Symantec forums or the Symantec Knowledgebase article . Most of our Endpoint Protection Servers were running 11.0.4 (as live update does not upgrade the server console component) so we have to upgrade to 11.0.5 first. This can be seen as a good thing as 11.0.4 has the nasty feature of filling up the hard drive of the server as Symantec downloads and keeps 3 copies of the av definitions every few minutes as it tries to download definitions dated in 2010 (and fails). So far, most of the Endpoint Protection Manager upgrades have been fairly simple with straightforward instructions – a 25 minute process after the files have been downloaded (including backing up the database) but we had one site that didn’t work and we had to reinstall every single Symantec Endpoint Protection client and server by hand. Not a lot of fun.

Symantec patch now fixes the definitions dated 91231

Yes I deliberately posted the date this way as that is how the shortsighted programmers as Symantec did it. Needless to say, when the year rolled around to 00101 this is a lot less that 91231 so the definitions were treated as old.  It scares me to see that this bug managed to get into the product – did they not learn anything from the Y2K issues?

To make matters worse we found some servers were continually downloading definitions onto the server and in one case filled up 73gb of disk space. The fix for this is to ensure that the endpoint protection manager software is running 11.0.5 – this is a new download and upgrade installation although for one of our clients it meant uninstalling and reinstalling every single pc at that location – not an upgrade at all.

To top it all, Symantec also decided this week to announce the end of life for the v10 of their products – the only version that was actually working with correct definition dates. Although end of life is in 2012, support should really have coordinated with sales to ensure that the notice didn’t go out *this* week.

I think I still have a few servers that haven’t updated, so I will be checking those out next week. If we continue to use Symantec (which I really do not want to do), I’m hoping to look at an MSP installation of the product – one server managing all the clients so I only have one place to check for client status (and only one server to install, patch and configure)

Symantec Enterprise Protection (SEP) firewall requirements for client checkin.

So I’ve spent ages troubleshooting and debugging Symantec’s Endpoint Protection (SEP) version 11, MR4 – the first version that actually has a hope of working  on a 64bit platform.  After spending far too long configuring the various policies and tweaking various settings I was finally able to get the software installed via group policy on a testlab machine but the client would not checkin with the management server. The virus definitions were 4 months old BUT the client console was saying everything was ok. Lots of troubleshooting later and I stumbled across the definitions for the Management server – a setting that I had originally wanted to change anyway.  In there I saw that the management server was listening on port 8014 and a quick telnet check from the client showed I was unable to connect.  Disabling windows firewall (temporarily – this is on a testlab so the infection risk is minimal) allowed the client to check in with the server, change some settings in the console and update the virus definition dates. Finally I re-enabled the firewall, added an exception for TCP port 8014 and it all looks good, but I’ll wait to see what happens overnight for definition updates on the client.  For future reference the list of communications ports for version 11 can be found at Symantecs website here or posted below in the extended entry. Continue reading “Symantec Enterprise Protection (SEP) firewall requirements for client checkin.”

Latest malware removals.

I had two pc’s given to me last weekend to fix various speed issues. Thankfully I had downloaded the AntiMalwareToolkit from Lunarsoft recently so I did a quick update which meant I had a lot of antivirus and antispyware tools with up to date definitions ready on a cd.
The first machine was pretty straightforward and just needed ad-aware removing and reinstalling to fix ad-aware crashing on bootup. At the same time I scanned for virus and was pleasantly surprised to see none on the machine. The combination of Norton 360, adaware and malwarebytes had done a good job. Norton was crippling the speed of the machine though and I had to disable Norton whilst I ran other diagnostics on the machine as it was just painfully slow whilst running.

The other machine was a whole other story. Norton AV2004 does not do a good job of keeping machines protected when the definitions were last updated in 2005, although I think you’d all agree that no other product would either! Running MalwareBytes detected 400 antivirus files ranging from vundo,trojans, spyware2009 and other infestations. My initial scan was run after booting the machine into safe mode – normal mode was unusable, taking 6 minutes to launch regedit after eventually managing to hit start/run and type in regedit.
The initial scan took over 8 hours to run. Unfortunately I had not cleaned out the temporary internet files on the machine – all 18gb of them! After the first scan completed I selected all the temporary internet files and deleted them. It took about 20 minutes for windows to finish the “preparing to delete” stage. I’m not sure what exactly it is doing, but it is incredibly annoying to hit delete, walk away from the computer and come back 20 minutes later to see it then popup and say “are you sure you want to delete these files?”. I could have deleted the files from a dos prompt but it was taking forever to do anything, so opening a dos prompt and then navigating would have been very painful.
So after 3 hours of deleting files, a reboot I did another scan. This time it took 2 hours. So the moral of the story is to delete temporary internet files first. Interestingly I later ran AdAware and that actually asked me if I wanted to delete these files before it did the scan.
The machine was now fairly responsive…..in safe mode, but still took forever to do anything in normal mode. Scans were coming up clean so the configuration was obviously still screwed up somewhere. I tried to uninstall symantec using their uninstall package but that just hung using no cpu usage so it was a hard reboot and I tried the Norton Removal Tool. The first time it would unpack the self extracting exe but do nothing after that.
At this point I came across a thread in software tips and tricks with the same symptoms of the machine running slowly and the start button being unavailable. This thread was started in 2004 so I was a bit pessimistic about the solution of running a reg cleaner (as most of them are not really worth bothering with). However several people had responded saying that the solution worked, with a couple of posts from Jan 2009 so I figured it was worth a try. I had never heard of the registry cleaner, but I had heard of Jv16 Powertools, so I downloaded RegSupreme and let it do it’s registry cleanup. I looked briefly through the results and could see nothing really unusual so I rebooted and was really surprised that the machine started to respond normally. I was then able to run the Norton Removal Tool and remove Norton from the machine completely.
I haven’t completely finished with the machine yet, but I’m nearly there. You may be wondering why I took so long on this machine. To be truthful, if it was mine I’d have wiped it straight away, but as the issues got harder to fix, my stubbornness and curiosity got the better and I needed to know how to fix the problem and retain the data on the machine. After all, formatting is the easy way out and one day I’ll have a machine that I MUST repair in order to get data and this experience will have given me some helpful experience and preparation for that day.

Symantec have a time machine!

I logged a ticket with Symantec today as I needed to download Maintenance Release 7 for their corporate edition 10.1 yet their fileconnect website only gave me version 11 (which is so unstable we refuse to install it). 2 hours later I got an email from their support site that started “We have been trying to reach you in the last few days to assist you with the issue regarding Symantec Antivirus but unfortunately we have not been able to do so.”
I guess they’ve invented a time machine in order to try and beat their really long wait times on hold for support…..either that or I forgot that I logged a ticket several days ago and they’ve finally got round to dealing with it!
Anyway, they’ve given me a new serial number to log into the website with so I can download the older version. I’m not sure if it’s an inplace upgrade (I hope so) rather than a removal and reinstall again – if its the removal and reinstall that means *another* 3 or 4 hours to remove, reboot, install and then fix the issues of the client software breaking other software again.
I guess I *really* need to get some time to investigate nod32 network deployments – anyone had any experience with this?