MSIinstaller events after antivirus scan
Posted on 2008-01-30
I apologize upfront for my long initial post. But I want to give you all the info I can in order to receive the best possible answer to my issue.
Here is my environment:
Windows 2003 SP2 servers
Etrust Antivirus 7.1 (with 8.1 on the ITM/Etrust management server)
Here is the issue:
We have been using the above configuration for at least a few months. However, two weeks ago, our scheduled jobs decided to become possessed. They started generating scan errrors left and right. The errors are related to Etrust's inability to scan an open or encrypted files (example: c:\windows\system32\config\default) CA tech support states that it is normal and does not indicate our systems have been infected. Since our AV product is up-to-date with the latest signatures, I do not suspect an infection.
Subsequently, after the scheduled scan job had finished, MsiInstaller started reconfiguring every program that was installed using its package!!!
The Etrust events are as follows:
Event ID: 128 - Source: Etrust Antivirus - Type: Error - Description:
[time 1/28/2008 1:27:43 PM: ID 128: machine server.domain.COM: response 1/28/2008 3:49:11 PM] 6f3f0894-4e0d-4288-bcb8-59dc651437c7|3|3664470400/29909475|2|4294967096|2|0|0||1|SYSTEM|D:\path-to-a-file:CA_INOCULATEIT:$DATA
The MsiInstaller events are:
Event id: 11728 - Source: MsiInstaller - Type: Information - Description:
Product: productname (example: Microsoft .NET Framework 2.0) -- Configuration completed successfully.
The MsiInstaller messages appear for every product installed using MsiInstaller, so there are about 30 events per server. I have stopped the Antivirus scheduled job until a resolution can be found. My instincts tell me that CA pushed out a signature update that is causing the Etrust events and the scan job is somehow screwing up MsiInstaller to think that it needs to reconfigure all the products installed. Contacted CA and of course they are "very confused" as to why this is suddenly occuring, but they doubt the MsiInstaller events are caused by their product. Even though disabling the scheduled scan stops those events from happening. (got to hate tech support, right?)
Again, this setup was functioning with no issues for at least a couple of months. I had a solid list of scan exclusions configured to avoid such errors. All was good. Now, all is bad. If anyone has experienced this with Etrust or any other product, please let us know. I fear this maybe causing harm to our systems and I dislike not having a weekly scheduled scan run.