Solved

MSIinstaller events after antivirus scan

Posted on 2008-01-30
Last Modified: 2013-11-22
Hello everyone,

I apologize upfront for my long initial post.  But I want to give you all the info I can in order to receive the best possible answer to my issue.

Here is my environment:
Windows 2003 SP2 servers
Etrust Antivirus 7.1 (with 8.1 on the ITM/Etrust management server)

Here is the issue:
We have been using the above configuration for at least a few months.  However, two weeks ago, our scheduled jobs decided to become possessed.  They started generating scan errors left and right. The errors are related to Etrust's inability to scan open or encrypted files (example: c:\windows\system32\config\default).  CA tech support states that it is normal and does not indicate our systems have been infected.  Since our AV product is up-to-date with the latest signatures, I do not suspect an infection.

Subsequently, after the scheduled scan job had finished, MsiInstaller started reconfiguring every program that was installed using its package!!!  

The Etrust events are as follows:
Event ID: 128 - Source: Etrust Antivirus - Type: Error - Description:
[time 1/28/2008 1:27:43 PM: ID 128: machine server.domain.COM: response 1/28/2008 3:49:11 PM] 6f3f0894-4e0d-4288-bcb8-59dc651437c7|3|3664470400/29909475|2|4294967096|2|0|0||1|SYSTEM|D:\path-to-a-file:CA_INOCULATEIT:$DATA

The MsiInstaller events are:
Event id: 11728 - Source: MsiInstaller - Type: Information - Description:
Product: productname (example: Microsoft .NET Framework 2.0) -- Configuration completed successfully.

More information:
The MsiInstaller messages appear for every product installed using MsiInstaller, so there are about 30 events per server.  I have stopped the Antivirus scheduled job until a resolution can be found.  My instincts tell me that CA pushed out a signature update that is causing the Etrust events and the scan job is somehow screwing up MsiInstaller to think that it needs to reconfigure all the products installed.  Contacted CA and of course they are "very confused" as to why this is suddenly occurring, but they doubt the MsiInstaller events are caused by their product.  Even though disabling the scheduled scan stops those events from happening. (got to hate tech support, right?)

Summary:
Again, this setup was functioning with no issues for at least a couple of months.  I had a solid list of scan exclusions configured to avoid such errors.  All was good.  Now, all is bad. If anyone has experienced this with Etrust or any other product, please let us know.  I fear this may be causing harm to our systems and I dislike not having a weekly scheduled scan run.

Thanks!

Question by:jedifenner
7 Comments
 
LVL 51

Accepted Solution

by:
Netman66 earned 1500 total points
ID: 20779152
You could try the following:

from an Elevated CMD prompt:

msiexec /regserver

0
 

Author Comment

by:jedifenner
ID: 20780732
Ok.  Can you explain what it does and why you believe it would fix this issue?  I don't wish to sound rude, but these are production servers so I can't attempt a fix without knowing what it will correct.

(and thanks for responding!)
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20780961
It reregisters the Installer service.  I'm not certain that will correct the fact it's triggered continuously, but it won't cause any issues to try it.

0
 

Author Comment

by:jedifenner
ID: 20786374
Do you think I should unregister it first?  Will that hurt anything?

msiexec /unregister
msiexec /regserver
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20786637
I don't think the unregister switch is valid.

No, it's not necessary to unregister it anyway - just run the regserver switch.

As I say, it may not make a difference anyway.  There have been others that rerun the Installer setup to cure this problem, so that's an option also.

0
 

Author Comment

by:jedifenner
ID: 20786812
I will give it a try.  Thanks again for the assistance!
0
 

Author Comment

by:jedifenner
ID: 20813920
Well,

That did not fix it.  It appears it is our Symantec Altiris agents that are causing the issue.  When they scan the system for an inventory, it causes our Antivirus to go haywire because of all the open files the agent has locked open.  We are disabling the periodic scans and hopefully that will correct things.

As thanks to Netman66, I will award you the points.  The information you provided was at least a good start.
0
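
One way to check the timing relationship this thread argues about, as an added example that is not part of the original posts: it parses the ID 128 description format quoted in the question, groups MsiInstaller 11728 events into bursts, and lists which other sources logged events shortly before each burst. The records are constructed, `ExampleInventoryAgent` is a hypothetical source name, and treating the last pipe-delimited field as the scanned object is an assumption based on the single event quoted above.

```python
import re
from datetime import datetime, timedelta
FMT = "%m/%d/%Y %I:%M:%S %p"
HDR = re.compile(r"\[time (?P<time>.+?): ID \d+: machine (?P<machine>\S+): "
                 r"response .+?\] (?P<fields>.*)")
TARGET = re.compile(r"(?P<path>[A-Za-z]:\\[^:]*)(?::(?P<stream>[^:]+):\$DATA)?$")
OK = " -- Configuration completed successfully."
# Constructed records (time, source, event ID, description). Only the ID 128
# description is copied from the post; "ExampleInventoryAgent" is hypothetical.
RECORDS = [
    ("1/28/2008 3:41:07 PM", "Etrust Antivirus", 128,
     "[time 1/28/2008 1:27:43 PM: ID 128: machine server.domain.COM: response "
     "1/28/2008 3:49:11 PM] 6f3f0894-4e0d-4288-bcb8-59dc651437c7|3|3664470400/29909475"
     r"|2|4294967096|2|0|0||1|SYSTEM|D:\path-to-a-file:CA_INOCULATEIT:$DATA"),
    ("1/28/2008 3:44:30 PM", "ExampleInventoryAgent", 1, "inventory scan started"),
    ("1/28/2008 3:50:02 PM", "MsiInstaller", 11728, "Product: Example A" + OK),
    ("1/28/2008 3:50:09 PM", "MsiInstaller", 11728, "Product: Example B" + OK),
    ("1/28/2008 9:15:00 PM", "MsiInstaller", 11728, "Product: Example A" + OK),
]

def when(text):
    return datetime.strptime(text, FMT)

def parse_etrust(desc):
    """Pull event time, machine and scanned object out of an ID 128 description."""
    m = HDR.match(desc)
    if not m:
        return None
    obj = TARGET.match(m["fields"].split("|")[-1])  # assumption: last field is the object
    return {"time": when(m["time"]), "machine": m["machine"],
            "path": obj and obj["path"], "stream": obj and obj["stream"]}

def msi_bursts(records, gap=timedelta(minutes=5)):
    """Group MsiInstaller 11728 times into bursts separated by more than `gap`."""
    bursts = []
    for t in sorted(when(r[0]) for r in records if r[1:3] == ("MsiInstaller", 11728)):
        if bursts and t - bursts[-1][-1] <= gap:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts

def sources_before(records, start, window=timedelta(minutes=30)):
    """Count non-MsiInstaller events per source in the `window` before a burst."""
    counts = {}
    for text, src, _, _ in records:
        if src != "MsiInstaller" and start - window <= when(text) <= start:
            counts[src] = counts.get(src, 0) + 1
    return counts
```

Timing alone only narrows the candidates: every source that shows up before a burst stays on the list until it is ruled out by disabling one job at a time, which is how the thread reached its conclusion.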
