Recently in Symantec Category

I logged a ticket with Symantec today as I needed to download Maintenance Release 7 for their corporate edition 10.1 yet their fileconnect website only gave me version 11 (which is so unstable we refuse to install it). 2 hours later I got an email from their support site that started "We have been trying to reach you in the last few days to assist you with the issue regarding Symantec Antivirus but unfortunately we have not been able to do so."
I guess they've invented a time machine in order to try and beat their really long wait times on hold for support.....either that or I forgot that I logged a ticket several days ago and they've finally got round to dealing with it!
Anyway, they've given me a new serial number to log into the website with so I can download the older version. I'm not sure if it's an in-place upgrade (I hope so) rather than a removal and reinstall again - if it's the removal and reinstall that means *another* 3 or 4 hours to remove, reboot, install and then fix the issues of the client software breaking other software again.
I guess I *really* need to get some time to investigate nod32 network deployments - anyone had any experience with this?

Symantec product activation down

I had the good fortune to get through to Symantec support in under a minute this afternoon - probably because their techs can't actually do much as their licensing portal is down. For some reason the system doesn't actually bother to tell you this, even after you spend ages filling in all the details they need and hitting the final submit button. It would be nice if they put a notice at the login screen to say that the server is down, don't bother wasting 30 minutes to get a serial number so that you can install the product you've purchased and use it!
Grrrrr

This time around, the uninstall program for filezilla is apparently Adware.CPush - yeah right.
What has happened to Symantec's QA - there have been too many false positives this year.
Update: It's also detected spiceworks as the same virus too.
Update 2: See also Donna's post and Calendar of updates

It's going to be a long day for sysadmins who use AutoIT on their production LAN as Symantec has detected the product as MSN.flooder in their dat files - the last time this happened was Jan 2006. Fortunately I only have it on a couple of PCs but it is going to be a real pain for someone who uses it on every desktop or in login scripts. This follows about a week after they crippled thousands of Chinese PCs by detecting Windows files as viruses. I sure wouldn't want to be a Chinese sysadmin running AutoIT! Home users can log a report at the Symantec false positive report site but enterprise gold or platinum users need to contact support or submit a false positive report after updating the dats. To report using the antivirus application - right click the file in quarantine and choose submit to Symantec security response. Unfortunately on my work PC I don't have rights to do this!
Update: Downloading the latest updates to May 31st defs, releasing the files from quarantine and then scanning did not quarantine the files again.
Update 2: It looks like the same definition patterns also got a false positive in Search & Destroy according to SANS.
Update 3: Html corrected to ensure the updates appear properly.

It's funny, but someone should tell Symantec's music on hold operator that their direct assist product that they push when you eventually (after 40 minutes) get to the support *queue* was withdrawn for new cases 4 days ago. Seeing as though this product "prevents call waiting time, increases uptime, eases the support burden on the end user" - why are they closing it down?

Fixed! One of my servers has been failing to backup with the error "0xe00084af The directory or file was not found, or could not be accessed. Final error category: Job Errors. For additional information refer to link V-79-57344-33967" I spent ages troubleshooting the errors and trying to work out what was going on and found that it would fail to backup any file on the local hard disk of the machine.
I posted a note in the symantec forums and didn't hear anything back, but did find a post that upgrading to 10d might fix it (not a current solution as this would mean purchasing an upgrade of the software for the exchange agent and the exchange agent is currently working)
The other solution was to stop SQL servers on the box. This server was the WSUS box and I had also recently upgraded it to version 3 of WSUS. This created (at least) two new services - SQL Server VSS Writer and Windows Internal Database (Microsoft ##SSEE). Through trial and error I discovered that stopping the SQL Server VSS Writer service meant the backup would work, which is weird as why this should affect me backing up something like c:\jobs\fred.bat which has nothing to do with SQL I don't know.
I'm hoping that my forum posting about the problem will get a better solution but for now I'm just pleased to be able to backup my file server.

United States Technical Support - Phone: 800 342 0652 or 407 357 7600. Be prepared for a long wait

Symantec patch instructions

Follow the instructions at Symantec's website

I've had an instance with Symantec's system centre not being able to show me the details of the client pc's, complaining that the parent server was down. An initial reboot of the server didn't fix the problem and most of the documents refer to reinstalling or upgrading symantec to fix the problem. However the document at Error: "Event ID 62: Symantec AntiVirus communications layer failed to initialize..." appears in the Windows Event Viewer - Application log asks for a restart of the service and changing the LoginCaCertIssueSerialNum registry entry - that did the trick.

Symantec patch lists

I was initially under the impression that only 10.1 was vulnerable to the new exploit that went out, but apparently it's almost every 10. version of the software. The web page at symantec's sym06-010 page is good for providing links on what needs to be upgraded to what version. This is something that symantec is VERY poor at doing - I've never received a new patch level notification or anything, apart from the marketing push to upgrade to the latest version - but even then the latest versions that I've been sent haven't been the latest version and have needed patching!

Norton Save & Restore

Symantec's Save & Restore should be out any day now - this was some software that I attempted to beta test - the feature list is pretty impressive, and incremental Ghost-like images that can be merged back into a master Ghost image are pretty useful - a bit like having full and differential backups but never having to create more than one full backup. In the case of my home system that is really handy as I have 130gb of data - an awful lot to back up more than once onto a hard disk (let alone DVDs).

Symantec Updates are not so silent...

I was at a client site this afternoon and discovered that installing the latest patch as per the instructions doesn't give the silent install that is meant to happen. You need to ensure you read the whole set of instructions first as otherwise you follow the steps and when you get to step 17 after setting the install off you then realise that the vpremote.dat needs editing FIRST! At this point you discover the silent install is extremely loud and colourful as the swearing echoes around the room as pc's start to reboot with no warning whatsoever.

Since I've been using Microsoft's Virtual Server every time that I start the server up I get an error message from Symantec Corporate Edition entitled Symantec Tamper Protection Alert. Apparently the vmh.exe file is triggering the tamper protection and is allegedly being blocked by symantec..... However, the server seems to behave quite perfectly with having its .exe files blocked and the only visible side effect is a very annoying popup box that insists on being the topmost window complaining about the attempts (96+ per launch) I've not found anything on the web or google about this although I know I'm not the only one to have the error message

I'm not impressed. The product ships with virus definitions dated the 12th July and running Liveupdate says there are no new defs to install (but did install product updates the first time I ran it). However the pc upstairs running Nav2005 has definitions dated the 20th July. This might not be too bad on its own if it wasn't for the fact that NAV constantly complains that the defs are out of date and to run live update. This complaining takes the form of popup messages in the corner of the screen and a yellow coloured caution bar containing a triangle and Norton in the bottom right of the screen next to the system tray. Why they couldn't have just put the application in the system tray like everyone else I don't know. Right click on Norton status and select Move to System Tray.
The one plus point to having the bar is that when the application silently crashes you can tell because the bar disappears which is more noticeable than having an icon in the systray disappear (which can happen with xp hiding icons when it feels like it). Yes, Nav has already crashed on me once and the only reason I noticed was because my email server refused to connect to any of my pop3 accounts yet I could ping them ok. Nav crashing had taken out the forwarding part of the proxy service but was still capturing the outgoing traffic - just not forwarding it onto the mail server. As the bar had vanished I realised what the problem was and restarted the application (and said YES I KNOW THE DEFS ARE OUT OF DATE)
Another plus point is that I can now use Google Desktop search again as it is compatible with Nav - it wasn't with Nod32 although this isn't really a plus point to be honest.
The beta only lasts another 14 days (although their website says 30) and I'm glad as so far the product is really awful. The initial scan of my hard disk took 6 hours for the 100gb of data (how did I get that much so quickly?) and the machine was pretty much unusable at this time as the response time was awful. It wasn't too bad if only one application was used but switching applications would take at least 60 seconds before the new one was available.
I have posted these points to Symantec at their feedback page and had no response back from them whatsoever. I think a beta program really should have a feedback forum so that it is possible to tell if anyone else is having the same problem and provide an ongoing support conversation with Symantec.

The PIL computer has Norton Antivirus 2004 on it and in the past month and a half the machine has been hanging occasionally with the active task (logging, web browsing or emailing) coming up with the hour glass cursor. Killing the process goes through an endless loop of informing MS about the problem and being unable to kill the process. Over the past week and a half I've been trying to diagnose the problem by changing bits and pieces on the config and I think I've finally tracked it down. The problem is that we need to leave the pc unattended for a period of a day or so to ensure that the problem is fixed (as it often seems to have occurred whilst we've been away at the computer). It turns out that Symantec have a kb article 2001101111334406 - Computer stops responding when Automatic LiveUpdate runs. Their workaround is to stop liveupdate running and getting the virus updates automatically (which kind of defeats the point of having av updates!) but it does seem to have worked. The computer has been stable for a day and a half and we have had an update warning pop up and the defs downloaded. What annoys me is that they have known about this problem since 2001 and have not fixed it yet.

For the past week I've had aggro from two of our users who have recently had new laptops and been unable to vpn into our network. The vpn connection is established but no traffic is passed through to the lan. The weird thing is that the wireless card on one of the machines would pass traffic but the lan connection wouldn't. I spent about 5 hours troubleshooting this last week and thought I had a working solution until the next morning when it stopped working again.
This morning I spent an hour systematically working through Symantec's troubleshooting guide and finally found this document: Symantec VPN Client connectivity problems on IBM ThinkPad Laptops - and guess what these new laptops are?
Turns out that IBM include some special software that automatically works out where you are connected and fiddles with the tcpip stack appropriately. As soon as I removed the IBM access software from running tasks I was able to ping the network - I was SOOO relieved as I really was starting to get worried about how I was going to fix this problem.

VPN connections not connecting

Some days at work I really wish I was a cat which only has to worry about when they are next going to be cuddled and have to make the decision as to whether they should eat some more or sleep some more.
Today I had to go round a colleague's house to sort their vpn out

Symantec upx vulnerability fix

Symantec have released a patch for the UPX vulnerability in their products as documented in their UPX parsing engine heap overflow vulnerability and Symantec Client Security document. Only a few of our machines were affected and rather than upgrade them to the latest release it was easier to install the nodec2exe patch

symantec updates

2 of our clients have managed to get corrupt symantec antivirus definitions which means the services stop. As the services are stopped I am unable to update them with the console and I've disabled liveupdate. Unfortunately the symantec.com websites are unavailable (and so was msn search) (even though they are using the akamai network to protect against ddos). In the end I used the ftp service at ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/ to download the definitions onto the local pc.
Having said all that I spent about an hour trying various things to fix the client but in the end gave up. I've now uninstalled the software and moved across to our new corporate mcafee software instead. I'm not saying this is any better (I doubt it) but we'll see....
As I write this msn search and symantec are now available again.

More Symantec Enterprise Firewall DR

Now that we had proved (or thought we had) that the DR recovery onto new hardware for our Symantec Enterprise Firewall worked it was time to upgrade to version 8 of the software.

DR complete on firewall

Finally completed the DR of our firewall - 8 days after starting it....

DR of a symantec enterprise firewall

Two of us have been trying to DR our Firewall onto another machine today. The documents available on Symantec's website are not clear or complete about the steps you need to do to make a safe DR copy. So far we've had to do the following.....

Catch-Up

Not having that much internet access and the time to blog, I've quickly gone through my feeds and pulled a couple of things out of them

  • A WUS Wiki which sounds like a bad day for Jonathan Ross, but is actually a wiki for the new Windows Update Services.

  • Links to videos of the Tsunami. This hit whilst we were on holiday and I never got to see any moving pictures of the wave itself - saw plenty of horrific news photos of the devastation afterwards though.

  • I removed Norton AntiVirus off the home computer as the subscription had run out and I'm not impressed with the number of infections that have gotten past it this year. Instead I've tried the free home edition of Avast's Antivir software which looks ok. It certainly picked up on eicar when I downloaded it - will be interesting to see how it copes with email borne viruses

Automatic firewall backup

Discovered that by creating a file in the symantec firewall directory it will autobackup the config every time a change is made - very handy! More details

useless support pages

I've been trying to get my head around the NAT configuration of our vpn. At the moment our vpn clients keep the original internet ip's so remote networks on our lan are unable to respond to pings as they see the internet address rather than an internal network address. The Symantec knowledgebase article Cannot pass traffic to LAN devices through a VPN tunnel describes the problem (complete with a pretty picture!). However the last line says "you need to use a symantec enterprise firewall to do this"... The document category I searched for was symantec enterprise firewall. Unfortunately they don't link to the document that tells you HOW to do this.

I've just uninstalled sp2 on the laptop and my vpn connection to the office now works again....Now to reinstall it and log a call with symantec (what fun!)

When you open your first email after starting Outlook, you see the error message Error: "VPMSECE.DLL could not be installed or loaded. It may be missing or there may not be enough resources." The error message may or may not reference a location, as in: "C:\Program Files\NavNT\vpmsece.dll could not be installed or loaded. It may be missing or there may not be enough resources."
The documented solution is to uninstall the symantec security client, delete extend.dat (search your computer for this file) and start outlook. If this doesn't work, reinstall outlook (in my case office). There is no way I was going to uninstall office and then reinstall it so I went hunting.
10 minutes later I had a solution.
A quick search on the registry for vpmsece.dll comes up with LDVP under hklm\software\microsoft\exchange\client\extensions. Disabling LDVP under tools/options/other/Advanced Options/AddInManager and restarting Outlook and everything was ok. Re-enabling the extension and the problem re-occurs.
Deleting the registry entry hklm\software\microsoft\exchange\client\extensions\LDVP and restarting outlook means I don't get the error message and the LDVP addon is not listed in the registry.
I then installed Symantec Client Security again and all seems to be ok. The cryptic LDVP has been replaced with SavCorp810 in the extension manager which is a lot easier to work out what the extension is.

About this Archive

This page is an archive of recent entries in the Symantec category.
