Solved

Symantec autoprotect running but disabled

Posted on 2006-11-10
Last Modified: 2010-08-05
Symantec System Center
Symantec Corporation
Version: 10.0.0.359


I am working with the application above in a network setting.  I pushed out Antivirus from the Windows 2003 server using the remote client.  I control all settings from the console and everything is locked out to the user, including uninstalling without a password.

Recently I was going thru and revamping my group policies from scratch upon completion of which and a restart I noticed that my client antivirus was now disabled on my machine.  I was installing IE7 at the same time on my local computer as I was working with the GPO's on the server thru RDesktop.  But the client showing as disabled is across my entire network.

1.) When I look at the icon on any client it shows autoprotect is disabled and occasionally the yellow banner pops up alerting me to this fact.
2.) When I check the client using the Symantec system center it shows the client Autoprotect as enabled.
3.) Any setting changes I make in the Symantec system center are immediately reflected on the client machines including enabling and disabling autoprotect.
4.) From what I can tell autoprotect is indeed running and all the virus updates are being pushed out to clients
5.) I tried to uninstall the antivirus client using the password; I get a "Data Execution Prevention Error" and then a fatal error during installation
6.) I tried to disable "Data Execution protection" then uninstall and I get a "Fatal error during installation error"
7.) I tried to repush out Antivirus to all the clients thinking it may repair the installations. But no effect, so it probably saw it was already there and just terminated.

How can I get my Autoprotect to function as normal once again?

Question by:daviper
17 Comments
 
Expert Comment

by:gonzal13
Go to symantec.com/autotools and you may possibly find there a program that will uninstall the program and then you can reinstall it.

Expert Comment

by:legalsrl
Hi Daviper,

Firstly, can you download the virus test file from http://www.eicar.com and tell me if the machines detect it.

That way we know if you are protected or not.....

Firstly, on the Windows 2003 Server, SP1 featured a Data Execution Prevention pack that causes conflicts with 2003

See this

http://service1.symantec.com/SUPPORT/intrusiondetectkb.nsf/0/0c3ea631c557a5608025706c006e4158?OpenDocument&seg=hm&lg=en&ct=us

I'd also look at this article as I believe this issue is STILL Outstanding with Symantec Tech Support

http://service1.symantec.com/SUPPORT/ent-security.nsf/0/0f5b3eaf44b05e5d882570d70081a98c?OpenDocument&seg=hm&lg=en&ct=us

I'll have another think about it, but let me know if you've got any more information.

Cheers
Si

Expert Comment

by:Mnf
Try to download and install the latest version of the MSI file on your clients; this will help you to uninstall/reinstall your client antivirus
http://www.microsoft.com/downloads/details.aspx?familyid=889482FC-5F56-4A38-B838-DE776FD4138C&displaylang=en

Author Comment

by:daviper
I did try the Eicar virus and it kept denying me access to it until I downloaded the zip and then it would not let me extract it.  Upon restarting it came up and found it.  I am assuming then that the Autoprotect is working and the startup scan found it.  It then fired a DEP error and closed Symantec.  So I believe you are right that something is going on with the Data prevention.

To MNF I do have the latest MSI file and did attempt to reinstall the software.  I can not uninstall the software though as I receive an error.  I put it on line 5 of my first post but with long lists I know it's easy to miss the little things.

Can I add the Symantec exe file to my exclusion list and be done with it?

Expert Comment

by:legalsrl
Hi daviper,

What I would do is to remove the program using the command line method

http://service1.symantec.com/SUPPORT/ent-security.nsf/0/d8c5cb556ec68e818825717f00712c42?OpenDocument

Then try reinstalling the product.

How many machines are causing this problem?

Cheers
Si

Author Comment

by:daviper
Legalsrl

I attempted what you suggested and received the following error.

"This installation package could not be opened.  Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package"

I did not receive this error until I removed the silent switch however.

Part of the problem may be that I install all my Clients using the System Admin Console snap-in of Symantec on our Windows 2003 server.  I use that to do a remote silent install.  It was nice because I was able to install it on all 20 or so computers at one time.

As to your other question about how many computers are affected.  It seems they all are except ONE...  I do not know if her computer was off when the gpo pushed out and messed up, or what the reasoning is.  Everyone is running XP.  I did not check her service pack but unless I missed one computer everyone is running all patches and SP2.

Expert Comment

by:legalsrl
Hi daviper,

Just a quick thought.....are you deploying the package over a password protected network share or is the area on which it's stored accessible freely by all?

Thanks
Si

Expert Comment

by:legalsrl

Author Comment

by:daviper
I ran the cleanup utility and now I no longer have nortons installed according to ADD/Remove but the program is still running, and active.  I had disabled the tamper protection before uninstalling.  I am going to attempt to reinstall just to see if I can get the settings back in to show it as installed.  It is so odd. I had the ability to enable or disable Autoprotect set to locked with Autoprotect enabled from the system center side.  I changed that to unlocked.  Immediately the ability to click Enable autoprotect when right clicking the icon in the system tray became available.  It stays anywhere from 1 to 3 seconds until it updates and turns back off again.  I tried disabling my network connection and enabling autoprotect thinking maybe something is wrong on the system center side but it still re-enables itself.  I may try reinstalling system center however.  I did a repair of system center and need to wait for this evening to restart.

Everyone has share permissions to READ VPHOME and VPLOGON

I am also assuming it's working because any system center change I make is reflected, also all AntiViruses show as having the current definitions and running their nightly 6:30pm scan.

So I changed the System center to allow the user to enable or disable their Autoprotect.  If I double click the NAV icon in system tray click on the File System Auto-Protect option it allows me to check or uncheck Enable Auto-Protect.  Directly behind the checkbox label to Enable Auto protect is another piece of text in parentheses (disabled)

It seems checking or unchecking this box has no effect.  It still pops up and says AutoProtect is disabled.  But right clicking the icon removes the little red circle for 1 to 3 seconds!!!!!

Thank you everyone for the help,

Kevin

Expert Comment

by:legalsrl
Hmmm....sounds like the agent is still sitting on your machine when the AV is removed.

Can you run a HijackThis on the machine in question and post a link to the results here

http://www.hijackthis.de and download it, run it and then paste the results through the analyser

I need to see what processes are running

Once you have a link to the results, post it here and I'll take a look

Thanks
Si

Author Comment

by:daviper
I have not forgotten, or resolved this; it's just been busy and lowered a bit on the priority scale.  I will try to run this tomorrow and post back what hijackthis reports.

To return with more info soon,

Kevin

Author Comment

by:daviper
legalsrl, here is the Hijack this link

http://www.hijackthis.de/logfiles/0955201ec0b0e5659fd4ec43312b233a.html


I did see that Websearch is running and a couple other ones.  I did see those processes running, tried disabling the service etc.. But that does not fix my problem.  I was messing around with the Tamper Protection for a while, and am wondering if part of this has to do with things getting stuck.  I can try going into the boot.ini and setting DEP to always off. Then installing and uninstalling again

Expert Comment

by:legalsrl
Yep,

This one needs to be fixed

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm238YYUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitial Setup1.0.0.15.cab

What's this one ?
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - http://support.gateway.com/eSupport/static/weblaunch/weblaunch2.cab

I think you need to do the following

Go to http://www.symantec.com/autotools

Download the uninstall routine and run it.

Reinstall Norton

I would also post a netstat -a here as well so I can see what processes have ports open

Let me know how you get on

Cheers
Si

Author Comment

by:daviper
The Nortons Autotools did not uninstall the app.  I have tried stopping all services, deleting everything I can find in the Registry after using the MS clean up tool to uninstall.  Repush out Symantec from the server.  I may be wrong but I have a feeling this error may lie in the Group policies or an error server side with the Symantec system center.  I say this because everything still works as normal as far as the clients responding to the server etc.  Except for AutoProtect?

The gateway item I can get rid of, but one of our clients was running a gateway with a crashed hard drive and in order to get them to replace it under warranty I had to follow their tech guy who said this is procedure to issue repairs.  Anyway I had to install this web help viewer :) which didn't work because the drive was down, but he used that to send me a link.  :) I guess he didn't want to type it out or something?

I will check autotools again, but it seems to be a bit different since it is a corporate edition pushed out from a server.

Thanks for working thru this with me,

Kevin

Accepted Solution

by:legalsrl earned 500 total points
Hiya Kevin,

No problems mate....

Try uninstalling it manually

http://service1.symantec.com/SUPPORT/ent-security.nsf/0/7c828a2663ec13dc88256cad0067e6f7?OpenDocument&seg=hm&lg=en&ct=us

This link provides the manual uninstall for both the client and the server

I'll have a think about the GPO issue, probably tomorrow as it's 9:30pm in the UK (and it's Sat night!)

Cheers
Si