MSIinstaller events after antivirus scan

Hello everyone,

I apologize upfront for my long initial post.  But I want to give you all the info I can in order to receive the best possible answer to my issue.

Here is my environment:
Windows 2003 SP2 servers
Etrust Antivirus 7.1 (with 8.1 on the ITM/Etrust management server)

Here is the issue:
We have been using the above configuration for at least a few months.  However, two weeks ago, our scheduled jobs decided to become possessed.  They started generating scan errors left and right. The errors are related to Etrust's inability to scan open or encrypted files (example: c:\windows\system32\config\default).  CA tech support states that it is normal and does not indicate our systems have been infected.  Since our AV product is up-to-date with the latest signatures, I do not suspect an infection.

Subsequently, after the scheduled scan job had finished, MsiInstaller started reconfiguring every program that was installed using its package!!!  

The Etrust events are as follows:
Event ID: 128 - Source: Etrust Antivirus - Type: Error - Description:
[time 1/28/2008 1:27:43 PM: ID 128: machine server.domain.COM: response 1/28/2008 3:49:11 PM] 6f3f0894-4e0d-4288-bcb8-59dc651437c7|3|3664470400/29909475|2|4294967096|2|0|0||1|SYSTEM|D:\path-to-a-file:CA_INOCULATEIT:$DATA

The MsiInstaller events are:
Event id: 11728 - Source: MsiInstaller - Type: Information - Description:
Product: productname (example: Microsoft .NET Framework 2.0) -- Configuration completed successfully.

More information:
The MsiInstaller messages appear for every product installed using MsiInstaller, so there are about 30 events per server.  I have stopped the Antivirus scheduled job until a resolution can be found.  My instincts tell me that CA pushed out a signature update that is causing the Etrust events and the scan job is somehow screwing up MsiInstaller to think that it needs to reconfigure all the products installed.  Contacted CA and of course they are "very confused" as to why this is suddenly occurring, but they doubt the MsiInstaller events are caused by their product.  Even though disabling the scheduled scan stops those events from happening. (got to hate tech support, right?)

Again, this setup was functioning with no issues for at least a couple of months.  I had a solid list of scan exclusions configured to avoid such errors.  All was good.  Now, all is bad. If anyone has experienced this with Etrust or any other product, please let us know.  I fear this may be causing harm to our systems and I dislike not having a weekly scheduled scan run.



You could try the following:

from an Elevated CMD prompt:

msiexec /regserver


jedifenner (Author) Commented:
Ok.  Can you explain what it does and why you believe it would fix this issue?  I don't wish to sound rude, but these are production servers so I can't attempt a fix without knowing what it will correct.

(and thanks for responding!)

It reregisters the Installer service.  I'm not certain that will correct the fact it's triggered continuously, but it won't cause any issues to try it.


jedifenner (Author) Commented:
Do you think I should unregister it first?  Will that hurt anything?

msiexec /unregister
msiexec /regserver

I don't think the unregister switch is valid.

No, it's not necessary to unregister it anyway - just run the regserver switch.

As I say, it may not make a difference anyway.  There have been others that rerun the Installer setup to cure this problem, so that's an option also.

jedifenner (Author) Commented:
I will give it a try.  Thanks again for the assistance!
jedifenner (Author) Commented:

That did not fix it.  It appears it is our Symantec Altiris agents that are causing the issue.  When they scan the system for an inventory, it causes our Antivirus to go haywire because of all the open files the agent has locked open.  We are disabling the periodic scans and hopefully that will correct things.

As thanks to Netman66, I will award you the points.  The information you provided was at least a good start.