Symantec autoprotect running but disabled

Symantec System Center
Symantec Corporation
Version: 10.0.0.359


I am working with the application above in a network setting.  I pushed out Antivirus from the Windows 2003 server using the remote client.  I control all settings from the console and everything is locked out to the user, including uninstalling without a password.

Recently I was going thru and revamping my group policies from scratch, upon completion of which, and a restart, I noticed that my client antivirus was now disabled on my machine.  I was installing IE7 at the same time on my local computer as I was working with the GPO's on the server thru RDesktop.  But the client showing as disabled is across my entire network.

1.) When I look at the icon on any client it shows autoprotect is disabled and occasionally the yellow banner pops up alerting me to this fact.
2.) When I check the client using the Symantec system center it shows the client Autoprotect as enabled.
3.) Any setting changes I make in the Symantec system center are immediately reflected on the client machines including enabling and disabling autoprotect.
4.) From what I can tell autoprotect is indeed running and all the virus updates are being pushed out to clients
5.) I tried to uninstall the antivirus client using the password; I get a "Data Execution Prevention Error" and then a fatal error during installation
6.) I tried to disable "Data Execution protection" and then uninstall, and I get a "Fatal error during installation" error
7.) I tried to repush out Antivirus to all the clients thinking it may repair the installations.. But no effect, so it probably saw it was already there and just terminated.

How can I get my Autoprotect to function as normal once again?

daviper Asked:

gonzal13 (Retired) Commented:
Go to symantec.com/autotools and you may possibly find there a program that will uninstall the program and then you can reinstall it.
Simon Earl (Senior Consultant) Commented:
Hi Daviper,

Firstly, can you download the virus test file from http://www.eicar.com and tell me if the machines detect it.

That way we know if you are protected or not.....

Firstly, on the Windows 2003 Server, SP1 featured a Data Execution Prevention pack that causes conflicts with 2003

See this

http://service1.symantec.com/SUPPORT/intrusiondetectkb.nsf/0/0c3ea631c557a5608025706c006e4158?OpenDocument&seg=hm&lg=en&ct=us

I'd also look at this article as I believe this issue is STILL Outstanding with Symantec Tech Support

http://service1.symantec.com/SUPPORT/ent-security.nsf/0/0f5b3eaf44b05e5d882570d70081a98c?OpenDocument&seg=hm&lg=en&ct=us

I'll have another think about it, but let me know if you've got any more information.

Cheers
Si
Mnf Commented:
Try to download and install the latest version of the MSI file on your clients; this will help you to uninstall/reinstall your client antivirus
http://www.microsoft.com/downloads/details.aspx?familyid=889482FC-5F56-4A38-B838-DE776FD4138C&displaylang=en

daviper (Author) Commented:
I did try the Eicar virus and it kept denying me access to it until I downloaded the zip and then it would not let me extract it.  Upon restarting it came up and found it.  I am assuming then that the Autoprotect is working and the startup scan found it.  It then fired a DEP error and closed symantec.  So I believe you are right that something is going on with the Data prevention.

To MNF I do have the latest MSI file and did attempt to reinstall the software.  I can not uninstall the software though as I receive an error.  I put it on line 5 of my first post but with long lists I know it's easy to miss the little things.

Can I add the symantec exe file to my exclusion list and be done with it?
Simon Earl (Senior Consultant) Commented:
Hi daviper,

What I would do is to remove the program using the command line method

http://service1.symantec.com/SUPPORT/ent-security.nsf/0/d8c5cb556ec68e818825717f00712c42?OpenDocument

Then try reinstalling the product.

How many machines are causing this problem ?

Cheers
Si
daviper (Author) Commented:
Legalsrl

I attempted what you suggested and received the following error.

"This installation package could not be opened.  Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package"

I did not receive this error until I removed the silent switch however.

Part of the problem may be that I install all my Clients using the System Admin Console snap-in of Symantec on our Windows 2003 server.  I use that to do a remote silent install.  It was nice because I was able to install it on all 20 or so computers at one time.

As to your other question about how many computers are affected.  It seems they all are except ONE...  I do not know if her computer was off when the GPO pushed out and messed up, or what the reasoning is.  Everyone is running XP.  I did not check her service pack but unless I missed one computer everyone is running all patches and SP2.
Simon Earl (Senior Consultant) Commented:
Hi daviper,

Just a quick thought.....are you deploying the package over a password protected network share or is the area on which it's stored accessible freely by all ?

Thanks
Si
daviper (Author) Commented:
I ran the cleanup utility and now I no longer have nortons installed according to ADD/Remove but the program is still running, and active.  I had disabled the tamper protection before uninstalling.  I am going to attempt to reinstall just to see if I can get the settings back in to show it as installed.  It is so odd. I had the ability to enable or disable Autoprotect set to locked with Autoprotect enabled from the system center side.  I changed that to unlocked.  Immediately the ability to click Enable autoprotect when right clicking the icon in the system tray became available.  It stays anywhere from 1 to 3 seconds until it updates and turns back off again.  I tried disabling my network connection and enabling autoprotect thinking maybe something is wrong on the system center side but it still re-enables itself.  I may try reinstalling system center however.  I did a repair of system center and need to wait for this evening to restart.

Everyone has share permissions to READ VPHOME and VPLOGON

I am also assuming it's working because any system center change I make is reflected, also all AntiViruses show as having the current definitions and running their nightly 6:30pm scan.

So I changed the System center to allow the user to enable or disable their Autoprotect.  If I double click the NAV icon in system tray and click on the File System Auto-Protect option it allows me to check or uncheck Enable Auto-Protect.  Directly behind the checkbox label to Enable Auto protect is another piece of text in parentheses:  (disabled)

It seems checking or unchecking this box has no effect.  It still pops up and says AutoProtect is disabled.  But right clicking the icon removes the little red circle for  1 to 3 seconds!!!!!

Thank you everyone for the help,

Kevin
Simon Earl (Senior Consultant) Commented:
Hmmm....sounds like the agent is still sitting on your machine when the AV is removed.

Can you run a HijackThis on the machine in question and post a link to the results here

http://www.hijackthis.de and download it, run it and then paste the results through the analyser

I need to see what processes are running

Once you have a link to the results, post it here and I'll take a look

Thanks
Si
daviper (Author) Commented:
I have not forgotten, or resolved this; it's just been busy and lowered a bit on the priority scale.  I will try to run this tomorrow and post back what hijackthis reports.

To return with more info soon,

Kevin
daviper (Author) Commented:
legalsrl, here is the Hijack this link

http://www.hijackthis.de/logfiles/0955201ec0b0e5659fd4ec43312b233a.html


I did see that Websearch is running and a couple other ones.  I did see those processes running, tried disabling the service etc.. But that does not fix my problem.  I was messing around with the Tamper Protection for a while, and am wondering if part of this has to do with things getting stuck.  I can try going into the boot.ini and setting DEP to always off. Then installing and uninstalling again

Simon Earl (Senior Consultant) Commented:
Yep,

This one needs to be fixed

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm238YYUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitial Setup1.0.0.15.cab

What's this one ?
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - http://support.gateway.com/eSupport/static/weblaunch/weblaunch2.cab 

I think you need to do the following

Go to http://www.symantec.com/autotools 

Download the uninstall routine and run it.

Reinstall Norton

I would also post a netstat -a here as well so I can see what processes have ports open

Let me know how you get on

Cheers
Si
daviper (Author) Commented:
The Nortons Autotools did not uninstall the app.  I have tried stopping all services, deleting everything I can find in the Registry after using the MS clean up tool to uninstall.  Repush out Symantec from the server.  I may be wrong but I have a feeling this error may lie in the Group policies or an error server side with the symantec system center.  I say this because everything still works as normal as far as the clients responding to the server etc.  Except for AutoProtect?

The gateway item I can get rid of, but one of our clients was running a gateway with a crashed hard drive and in order to get them to replace it under warranty I had to follow their tech guy who said this is procedure to issue repairs.  Anyway I had to install this web help viewer :) which didn't work because the drive was down, but he used that to send me a link.  :) I guess he didn't want to type it out or something?

I will check autotools again, but it seems to be a bit different since it is a corporate edition pushed out from a server.

Thanks for working thru this with me,

Kevin
Simon Earl (Senior Consultant) Commented:
Hiya Kevin,

No problems mate....

Try uninstalling it manually

http://service1.symantec.com/SUPPORT/ent-security.nsf/0/7c828a2663ec13dc88256cad0067e6f7?OpenDocument&seg=hm&lg=en&ct=us

This link provides the manual uninstall for both the client and the server

I'll have a think about the GPO issue, probably tomorrow as it's 9:30pm in the UK (and it's Sat night!)

Cheers
Si
