daviper

Symantec autoprotect running but disabled

Symantec System Center
Symantec Corporation
Version: 10.0.0.359


I am working with the application above in a network setting. I pushed out Antivirus from the Windows 2003 server using the remote client. I control all settings from the console and everything is locked out to the user, including uninstalling without a password.

Recently I was going through and revamping my group policies from scratch. Upon completion of this and a restart, I noticed that my client antivirus was now disabled on my machine. I was installing IE7 at the same time on my local computer as I was working with the GPOs on the server through RDesktop. But the client showing as disabled is across my entire network.

1.) When I look at the icon on any client it shows autoprotect is disabled and occasionally the yellow banner pops up alerting me to this fact.
2.) When I check the client using the Symantec system center it shows the client Autoprotect as enabled.
3.) Any setting changes I make in the Symantec system center are immediately reflected on the client machines, including enabling and disabling autoprotect.
4.) From what I can tell autoprotect is indeed running and all the virus updates are being pushed out to clients.
5.) I tried to uninstall the antivirus client using the password; I get a "Data Execution Prevention Error" and then a fatal error during installation.
6.) I tried to disable "Data Execution protection" and then uninstall, and I get a "Fatal error during installation error".
7.) I tried to repush out Antivirus to all the clients thinking it may repair the installations. But no effect, so it probably saw it was already there and just terminated.

How can I get my Autoprotect to function as normal once again?

gonzal13

Go to symantec.com/autotools and you may possibly find there a program that will uninstall the program and then you can reinstall it.

Simon Earl

Hi Daviper,

Firstly, can you download the virus test file from http://www.eicar.com and tell me if the machines detect it.

That way we know if you are protected or not.....

Firstly, on the Windows 2003 Server, SP1 featured a Data Execution Prevention pack that causes conflicts with 2003

See this

http://service1.symantec.com/SUPPORT/intrusiondetectkb.nsf/0/0c3ea631c557a5608025706c006e4158?OpenDocument&seg=hm&lg=en&ct=us

I'd also look at this article as I believe this issue is STILL Outstanding with Symantec Tech Support

http://service1.symantec.com/SUPPORT/ent-security.nsf/0/0f5b3eaf44b05e5d882570d70081a98c?OpenDocument&seg=hm&lg=en&ct=us

I'll have another think about it, but let me know if you've got any more information.

Cheers
Si
Mnf

Try to download and install the latest version of the MSI file on your clients; this will help you to uninstall/reinstall your client antivirus.
http://www.microsoft.com/downloads/details.aspx?familyid=889482FC-5F56-4A38-B838-DE776FD4138C&displaylang=en

daviper (ASKER)

I did try the Eicar virus and it kept denying me access to it until I downloaded the zip, and then it would not let me extract it. Upon restarting it came up and found it. I am assuming then that the Autoprotect is working and the startup scan found it. It then fired a DEP error and closed Symantec. So I believe you are right that something is going on with the Data prevention.

To MNF: I do have the latest MSI file and did attempt to reinstall the software. I cannot uninstall the software though, as I receive an error. I put it on line 5 of my first post, but with long lists I know it's easy to miss the little things.

Can I add the Symantec exe file to my exclusion list and be done with it?

Hi daviper,

What I would do is to remove the program using the command line method

http://service1.symantec.com/SUPPORT/ent-security.nsf/0/d8c5cb556ec68e818825717f00712c42?OpenDocument

Then try reinstalling the product.

How many machines are causing this problem?

Cheers
Si

daviper (ASKER)

Legalsrl

I attempted what you suggested and received the following error.

"This installation package could not be opened.  Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package"

I did not receive this error until I removed the silent switch, however.

Part of the problem may be that I install all my clients using the System Admin Console snap-in of Symantec on our Windows 2003 server. I use that to do a remote silent install. It was nice because I was able to install it on all 20 or so computers at one time.

As to your other question about how many computers are affected: it seems they all are except ONE... I do not know if her computer was off when the GPO pushed out and messed up, or what the reasoning is. Everyone is running XP. I did not check her service pack, but unless I missed one computer everyone is running all patches and SP2.

Hi daviper,

Just a quick thought.....are you deploying the package over a password protected network share, or is the area on which it's stored accessible freely by all?

Thanks
Si

daviper (ASKER)

I ran the cleanup utility and now I no longer have Nortons installed according to Add/Remove, but the program is still running and active. I had disabled the tamper protection before uninstalling. I am going to attempt to reinstall just to see if I can get the settings back in to show it as installed. It is so odd. I had the ability to enable or disable Autoprotect set to locked, with Autoprotect enabled, from the system center side. I changed that to unlocked. Immediately the ability to click Enable autoprotect when right clicking the icon in the system tray became available. It stays anywhere from 1 to 3 seconds until it updates and turns back off again. I tried disabling my network connection and enabling autoprotect, thinking maybe something is wrong on the system center side, but it still re-enables itself. I may try reinstalling system center however. I did a repair of system center and need to wait for this evening to restart.

Everyone has share permissions to READ VPHOME and VPLOGON.

I am also assuming it's working because any system center change I make is reflected; also, all AntiViruses show as having the current definitions and running their nightly 6:30pm scan.

So I changed the System center to allow the user to enable or disable their Autoprotect. If I double click the NAV icon in the system tray and click on the File System Auto-Protect option, it allows me to check or uncheck Enable Auto-Protect. Directly behind the checkbox label to Enable Auto-Protect is another piece of text in parentheses: (disabled)

It seems checking or unchecking this box has no effect. It still pops up and says AutoProtect is disabled. But right clicking the icon removes the little red circle for 1 to 3 seconds!!!!!

Thank you everyone for the help,

Kevin

Hmmm....sounds like the agent is still sitting on your machine when the AV is removed.

Can you run a HijackThis on the machine in question and post a link to the results here?

Go to http://www.hijackthis.de and download it, run it and then paste the results through the analyser.

I need to see what processes are running.

Once you have a link to the results, post it here and I'll take a look.

Thanks
Si

daviper (ASKER)

I have not forgotten or resolved this; it's just been busy and lowered a bit on the priority scale. I will try to run this tomorrow and post back what HijackThis reports.

To return with more info soon,

Kevin

daviper (ASKER)

legalsrl, here is the Hijack this link

http://www.hijackthis.de/logfiles/0955201ec0b0e5659fd4ec43312b233a.html


I did see that Websearch is running and a couple of other ones. I did see those processes running, tried disabling the service etc. But that does not fix my problem. I was messing around with the Tamper Protection for a while, and am wondering if part of this has to do with things getting stuck. I can try going into the boot.ini and setting DEP to always off, then installing and uninstalling again.

Yep,

This one needs to be fixed

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm238YYUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitial Setup1.0.0.15.cab

What's this one ?
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - http://support.gateway.com/eSupport/static/weblaunch/weblaunch2.cab 

I think you need to do the following

Go to http://www.symantec.com/autotools 

Download the uninstall routine and run it.

Reinstall Norton

I would also post a netstat -a here as well so I can see what processes have ports open

Let me know how you get on

Cheers
Si
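
The O8 and O16 lines singled out in the reply above can be pulled out of a HijackThis log programmatically, which helps when the same check has to be repeated on each of the 20 or so clients. This is an added example, not part of the original thread; the function names and the `KNOWN_HOSTS` allowlist are hypothetical, and the sample lines are the ones quoted in the thread.

```python
import re
from urllib.parse import urlparse

# Sample input: the three HijackThis lines quoted in the thread.
SAMPLE_LOG = """\
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm238YYUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitial Setup1.0.0.15.cab
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - http://support.gateway.com/eSupport/static/weblaunch/weblaunch2.cab
"""

# Hypothetical allowlist: hosts the administrator has already accounted for
# (the asker explains the Gateway support control later in the thread).
KNOWN_HOSTS = {"support.gateway.com"}

# O8 = extra IE context-menu items; O16 = downloaded ActiveX controls (DPF).
PATTERNS = {
    "O8": re.compile(r"^O8 - Extra context menu item: (?P<name>.+?) - (?P<target>.+)$"),
    "O16": re.compile(
        r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
        r"(?: \((?P<name>.*?)\))? - (?P<target>.+)$"
    ),
}

def parse_entries(log_text):
    """Return one dict per O8/O16 line; other HijackThis sections are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for section, pattern in PATTERNS.items():
            match = pattern.match(line)
            if not match:
                continue
            fields = match.groupdict()
            url = urlparse(fields["target"])
            # Local file targets (e.g. res:// or C:\ paths) have no web host.
            host = url.hostname if url.scheme in ("http", "https") else None
            entries.append({"section": section, "clsid": fields.get("clsid"),
                            "name": fields.get("name"),
                            "target": fields["target"], "host": host})
    return entries

def unreviewed(entries, known_hosts=KNOWN_HOSTS):
    """Entries that load content from a web host nobody has accounted for."""
    return [e for e in entries if e["host"] and e["host"] not in known_hosts]

if __name__ == "__main__":
    for entry in unreviewed(parse_entries(SAMPLE_LOG)):
        print(entry["section"], entry["host"], entry["clsid"] or entry["name"])
```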

daviper (ASKER)

The Nortons Autotools did not uninstall the app. I have tried stopping all services, deleting everything I can find in the Registry after using the MS clean up tool to uninstall. Repush out Symantec from the server. I may be wrong but I have a feeling this error may lie in the Group policies or an error server side with the Symantec system center. I say this because everything still works as normal as far as the clients responding to the server etc. Except for AutoProtect?

The Gateway item I can get rid of, but one of our clients was running a Gateway with a crashed hard drive, and in order to get them to replace it under warranty I had to follow their tech guy, who said this is procedure to issue repairs. Anyway I had to install this web help viewer :) which didn't work because the drive was down, but he used that to send me a link. :) I guess he didn't want to type it out or something?

I will check autotools again, but it seems to be a bit different since it is a corporate edition pushed out from a server.

Thanks for working through this with me,

Kevin

ASKER CERTIFIED SOLUTION
Simon Earl