Solved

Symantec autoprotect running but disabled

Posted on 2006-11-10
Last Modified: 2010-08-05
Symantec System Center
Symantec Corporation
Version: 10.0.0.359


I am working with the application above in a network setting.  I pushed out Antivirus from the Windows 2003 server using the remote client.  I control all settings from the console and everything is locked out to the user, including uninstalling without a password.

Recently I was going thru and revamping my group policies from scratch, upon completion of which, and a restart, I noticed that my client antivirus was now disabled on my machine.  I was installing IE7 at the same time on my local computer as I was working with the GPOs on the server thru RDesktop.  But the client showing as disabled is across my entire network.

1.) When I look at the icon on any client it shows autoprotect is disabled and occasionally the yellow banner pops up alerting me to this fact.
2.) When I check the client using the Symantec system center it shows the client Autoprotect as enabled.
3.) Any setting changes I make in the Symantec system center are immediately reflected on the client machines, including enabling and disabling autoprotect.
4.) From what I can tell autoprotect is indeed running and all the virus updates are being pushed out to clients.
5.) I tried to uninstall the antivirus client using the password; I get a "Data Execution Prevention Error" and then a fatal error during installation.
6.) I tried to disable "Data Execution protection" then uninstall and I get a "Fatal error during installation error".
7.) I tried to repush out Antivirus to all the clients thinking it may repair the installations, but no effect, so it probably saw it was already there and just terminated.

How can I get my Autoprotect to function as normal once again?

Question by:daviper
17 Comments
 
LVL 13

Expert Comment

by:gonzal13
ID: 17923994
Go to symantec.com/autotools and you may possibly find there a program that will uninstall the program and then you can reinstall it.
0
 
LVL 16

Expert Comment

by:legalsrl
ID: 17937923
Hi Daviper,

Firstly, can you download the virus test file from http://www.eicar.com and tell me if the machines detect it.

That way we know if you are protected or not.....

Firstly, on the Windows 2003 Server, SP1 featured a Data Execution Prevention pack that causes conflicts with 2003

See this

http://service1.symantec.com/SUPPORT/intrusiondetectkb.nsf/0/0c3ea631c557a5608025706c006e4158?OpenDocument&seg=hm&lg=en&ct=us

I'd also look at this article as I believe this issue is STILL Outstanding with Symantec Tech Support

http://service1.symantec.com/SUPPORT/ent-security.nsf/0/0f5b3eaf44b05e5d882570d70081a98c?OpenDocument&seg=hm&lg=en&ct=us

I'll have another think about it, but let me know if you've got any more information.

Cheers
Si
0
 
LVL 6

Expert Comment

by:Mnf
ID: 17940342
Try to download and install the latest version of the MSI file on your clients; this will help you to uninstall/reinstall your client antivirus.
http://www.microsoft.com/downloads/details.aspx?familyid=889482FC-5F56-4A38-B838-DE776FD4138C&displaylang=en
0
 

Author Comment

by:daviper
ID: 17961071
I did try the Eicar virus and it kept denying me access to it until I downloaded the zip and then it would not let me extract it.  Upon restarting it came up and found it.  I am assuming then that the Autoprotect is working and the startup scan found it.  It then fired a DEP error and closed Symantec.  So I believe you are right that something is going on with the Data prevention.

To MNF: I do have the latest MSI file and did attempt to reinstall the software.  I cannot uninstall the software though, as I receive an error.  I put it on line 5 of my first post but with long lists I know it's easy to miss the little things.

Can I add the symantec exe file to my exclusion list and be done with it?
0
 
LVL 16

Expert Comment

by:legalsrl
ID: 17970975
Hi daviper,

What I would do is to remove the program using the command line method

http://service1.symantec.com/SUPPORT/ent-security.nsf/0/d8c5cb556ec68e818825717f00712c42?OpenDocument

Then try reinstalling the product.

How many machines are causing this problem?

Cheers
Si
0
 

Author Comment

by:daviper
ID: 17981904
Legalsrl

I attempted what you suggested and received the following error.

"This installation package could not be opened.  Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package"

I did not receive this error until I removed the silent switch however.

Part of the problem may be that I install all my Clients using the System Admin Console snap-in of Symantec on our Windows 2003 server.  I use that to do a remote silent install.  It was nice because I was able to install it on all 20 or so computers at one time.

As to your other question about how many computers are affected: it seems they all are except ONE...  I do not know if her computer was off when the gpo pushed out and messed up, or what the reasoning is.  Everyone is running XP.  I did not check her service pack but unless I missed one computer everyone is running all patches and SP2.
0
 
LVL 16

Expert Comment

by:legalsrl
ID: 17982017
Hi daviper,

Just a quick thought.....are you deploying the package over a password protected network share or is the area on which it's stored accessible freely by all?

Thanks
Si
0
 

Author Comment

by:daviper
ID: 17983910
I ran the cleanup utility and now I no longer have Nortons installed according to ADD/Remove but the program is still running, and active.  I had disabled the tamper protection before uninstalling.  I am going to attempt to reinstall just to see if I can get the settings back in to show it as installed.  It is so odd. I had the ability to enable or disable Autoprotect set to locked with Autoprotect enabled from the system center side.  I changed that to unlocked.  Immediately the ability to click Enable autoprotect when right clicking the icon in the system tray became available.  It stays anywhere from 1 to 3 seconds until it updates and turns back off again.  I tried disabling my network connection and enabling autoprotect thinking maybe something is wrong on the system center side but it still re-enables itself.  I may try reinstalling system center however.  I did a repair of system center and need to wait for this evening to restart.

Everyone has share permissions to READ VPHOME and VPLOGON

I am also assuming it's working because any system center change I make is reflected, also all AntiViruses show as having the current definitions and running their nightly 6:30pm scan.

So I changed the System center to allow the user to enable or disable their Autoprotect.  If I double click the NAV icon in system tray and click on the File System Auto-Protect option it allows me to check or uncheck Enable Auto-Protect.  Directly behind the checkbox label to Enable Auto protect is another piece of text in parentheses: (disabled)

It seems checking or unchecking this box has no effect.  It still pops up and says AutoProtect is disabled.  But right clicking the icon removes the little red circle for  1 to 3 seconds!!!!!

Thank you everyone for the help,

Kevin
0
 
LVL 16

Expert Comment

by:legalsrl
ID: 17987430
Hmmm....sounds like the agent is still sitting on your machine when the AV is removed.

Can you run a HijackThis on the machine in question and post a link to the results here

http://www.hijackthis.de and download it, run it and then paste the results through the analyser

I need to see what processes are running

Once you have a link to the results, post it here and I'll take a look

Thanks
Si
0
 

Author Comment

by:daviper
ID: 18034328
I have not forgotten, or resolved this; it's just been busy and lowered a bit on the priority scale.  I will try to run this tomorrow and post back what hijackthis reports.

To return with more info soon,

Kevin
0
 

Author Comment

by:daviper
ID: 18047530
legalsrl, here is the Hijack this link

http://www.hijackthis.de/logfiles/0955201ec0b0e5659fd4ec43312b233a.html


I did see that Websearch is running and a couple other ones.  I did see those processes running, tried disabling the service etc., but that does not fix my problem.  I was messing around with the Tamper Protection for a while, and am wondering if part of this has to do with things getting stuck.  I can try going into the boot.ini and setting DEP to always off, then installing and uninstalling again.

0
 
LVL 16

Expert Comment

by:legalsrl
ID: 18047818
Yep,

This one needs to be fixed

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm238YYUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitial Setup1.0.0.15.cab

What's this one ?
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - http://support.gateway.com/eSupport/static/weblaunch/weblaunch2.cab 

I think you need to do the following

Go to http://www.symantec.com/autotools 

Download the uninstall routine and run it.

Reinstall Norton

I would also post a netstat -a here as well so I can see what processes have ports open

Let me know how you get on

Cheers
Si
0
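The O8 and O16 lines quoted in the answer above follow HijackThis's `section - body` layout, so they can be triaged mechanically across many client logs. The following is an added example, not part of the original thread: it parses those two entry types and lists the ones that load content from a host the administrator has not vetted; the `KNOWN_HOSTS` allowlist and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Sample input: the three HijackThis lines quoted in the answer above.
SAMPLE_LOG = """\
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm238YYUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitial Setup1.0.0.15.cab
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - http://support.gateway.com/eSupport/static/weblaunch/weblaunch2.cab
"""

# Assumption: hosts the administrator has already vetted (hypothetical allowlist).
KNOWN_HOSTS = {"support.gateway.com"}

LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.+)$")
DETAIL_RE = {
    # O8: IE context-menu item -> "<label> - <target>"
    "O8": re.compile(r"^Extra context menu item: (?P<label>.+?) - (?P<target>\S.*)$"),
    # O16: downloaded ActiveX control -> "{CLSID} (optional name) - <target>"
    "O16": re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
                      r"(?: \((?P<name>[^)]*)\))? - (?P<target>\S.*)$"),
}

def parse_entries(log_text):
    """Return one dict per O8/O16 line; every other section is skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        detail = DETAIL_RE.get(line.group("section")) if line else None
        fields = detail.match(line.group("body")) if detail else None
        if not fields:
            continue
        f = fields.groupdict()
        url = urlsplit(f["target"])
        is_web = url.scheme in ("http", "https")
        entries.append({
            "section": line.group("section"),
            "label": f.get("label") or f.get("name") or f.get("clsid"),
            "clsid": f.get("clsid"),
            "host": (url.hostname or "").lower() if is_web else None,
            "target": f["target"],
        })
    return entries

def needs_review(entries, known_hosts=KNOWN_HOSTS):
    """Entries fetched from a web host that is not on the vetted list."""
    return [e for e in entries if e["host"] and e["host"] not in known_hosts]

if __name__ == "__main__":
    for e in needs_review(parse_entries(SAMPLE_LOG)):
        print(e["section"], e["label"], e["host"])
```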
 

Author Comment

by:daviper
ID: 18060871
The Nortons Autotools did not uninstall the app.  I have tried stopping all services, deleting everything I can find in the Registry after using the MS clean up tool to uninstall.  Repush out Symantec from the server.  I may be wrong but I have a feeling this error may lie in the Group policies or an error server side with the Symantec system center.  I say this because everything still works as normal as far as the clients responding to the server etc.  Except for AutoProtect?

The gateway item I can get rid of, but one of our clients was running a gateway with a crashed hard drive and in order to get them to replace it under warranty I had to follow their tech guy who said this is procedure to issue repairs.  Anyway I had to install this web help viewer :) which didn't work because the drive was down, but he used that to send me a link.  :) I guess he didn't want to type it out or something?

I will check autotools again, but it seems to be a bit different since it is a corporate edition pushed out from a server.

Thanks for working thru this with me,

Kevin
0
 
LVL 16

Accepted Solution

by:
legalsrl earned 500 total points
ID: 18060894
Hiya Kevin,

No problems mate....

Try uninstalling it manually

http://service1.symantec.com/SUPPORT/ent-security.nsf/0/7c828a2663ec13dc88256cad0067e6f7?OpenDocument&seg=hm&lg=en&ct=us

This link provides the manual uninstall for both the client and the server

I'll have a think about the GPO issue, probably tomorrow as it's 9:30pm in the UK (and it's Sat night!)

Cheers
Si
0

Question has a verified solution.