I was testing Symantec Endpoint Protection for a short while. After uninstalling it, I began receiving an error every time I opened Outlook. The error said something to the effect of “Unable to load Add-on, please uninstall”.

In Outlook 2003 you should be able to simply remove the add-on within the add-on manager. Outlook 2007, though, requires a different method. I had to delete a file called Extend.dat (location: C:\Documents and Settings\%username%\Local Settings\Application Data\Microsoft\Outlook), which is the file that stores the cached add-ons. After running Outlook again this file was recreated, but this time Outlook did not give me an add-on error. This seems to apply to other add-ons as well. While searching the web I saw people report that this also works for similar errors after uninstalling AVG antivirus.
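The same fix scripted, as an added example that is not part of the original post: it moves Extend.dat aside with a dated name instead of deleting it, so the old cache can be put back if clearing it turns out not to be the problem. It assumes Windows PowerShell running in the affected user's profile; the folder is resolved through the Local Application Data special folder so the same script works on XP (the path quoted above) and on Vista and later (AppData\Local).

```powershell
# Added example, not from the original post: rebuild Outlook 2007's cached
# add-in list by moving Extend.dat aside instead of deleting it.
# Assumes Windows PowerShell in the profile of the user who sees the error.

# Refuse to continue while Outlook is running, so the file is not in use
# and Outlook does not write a stale copy back after we move it.
if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
    throw 'Close Outlook before clearing Extend.dat.'
}

# ...\Local Settings\Application Data on XP, ...\AppData\Local on Vista and later.
$outlookCache = Join-Path ([Environment]::GetFolderPath('LocalApplicationData')) 'Microsoft\Outlook'
$extend       = Join-Path $outlookCache 'Extend.dat'

if (Test-Path $extend) {
    $backup = 'Extend.dat.' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.bak'
    Rename-Item -Path $extend -NewName $backup
    "Moved Extend.dat to $backup; start Outlook and it will rebuild the cache."
}
else {
    "No Extend.dat found under $outlookCache - nothing to do."
}
```

If Outlook still complains after the rebuild, the add-in's registration is still present (the cache was only a symptom); restoring the renamed file is then a one-line Rename-Item in the other direction.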



We were trying to update Symantec Mail Security (SMS) for SMTP from v4.0 to v4.1, and the upgrade routine seemed to hang during the ‘Java LiveUpdate’ portion. Server hard-drive activity was heavy at that point and Task Manager showed the upgrade ‘running’, but we did not seem to be making progress. We installed a Java runtime update and found a Symantec Java LiveUpdate hotfix, but we ran out of time and had to leave the server at v4.0.

We went back on site Monday ready to uninstall Java LiveUpdate, but the Add/Remove Programs routine behaved similarly: heavy drive paging and the routine showed running, but no progress was occurring (we waited 15 minutes). I found a Symantec procedure to manually remove Java LiveUpdate and was going through it, deleting folders, when I came upon ‘C:\Documents and Settings\All Users\Application Data\Symantec\Java Liveupdate’. Before deleting it, I looked inside: it had one folder called ‘downloads’, which contained approximately 21,000 pattern update folders going back to 2004. I deleted all these subfolders, which took about 25 minutes. After that completed, I re-ran the v4.1 upgrade, which ran through with no problems.

Whether it was the upgrade routine or the Java LiveUpdate uninstall, the server was obviously trying to process all these subfolders and choking on them (it might have eventually completed if given long enough). So, when working with Java LiveUpdate, it is probably a good idea to look for this downloads folder first and clear it out.



I was working on a server that was running low on disk space on the system (C:) partition.  I was able to free up some space rather quickly (by removing the Automatic Update downloads), but when I checked the Event Logs, the Application log was filling up with errors from SMS for Exchange.  The message was that the virus definitions were corrupted.  It appeared that the XDB down script had run around lunch time and updated the virus definitions, but wasn’t able to complete the install due to low disk space.  Despite the partial install, SMS for Exchange appeared to be trying to use the corrupted definitions.  When I tried to run LiveUpdate (as recommended by the Event Log message), LiveUpdate said everything was current.  People were starting to have problems with their e-mail (and for some reason the server was beeping irregularly on site).  I stopped the SMS for Exchange service (which fixed the e-mail and the beep), but the service wouldn’t restart.  I tried restarting the main Antivirus service as well, and it would not restart (also because of corrupt virus definitions).  I had to manually stop all the Symantec services, remove the partially installed virus definitions from the C:\Program Files\Common Files\Symantec Shared\VirusDefs folder, manually edit the USAGE.dat file (which tells the Symantec products which defs to use), then restart the services.  Once the services were up and running on the previous virus defs, I was  able to re-run the XDB down script and let it update the defs to the most current.



The Symantec Mail Security Appliance software uses passive-mode FTP when backing up its configuration. Since this device is usually installed in the DMZ, an ISA Server publishing rule needs to be created to publish your internal FTP server. This rule needs to be edited to allow passive mode, with a port range defined for the passive data connections.

When backing up the configuration, a path is required, and the appliance puts a / in front of the path specified. Specifying "." for the path works, but it drops the file name and creates a file named ".". I found the best solution is to specify "./" for the path; it will then transfer the backup file into the FTP user's default directory.



Here are a couple of Symantec Mail Security for Exchange tips concerning scanning.

  • Be careful when selecting the “…force rescan before allowing access to information store” option. This forces a rescan of the entire information store every time virus definitions are updated. Depending on how big the information store is, this could take days to complete. And since Symantec usually releases updates at noon, this kicks off on the Exchange server right in the middle of the day.

  • If you are going to schedule scans of the information store, be sure to monitor the start and completion times so you can make sure you are not causing performance issues. The Application log records both the start and the end of the scan, as in the following entries.

 

Notice here that it took over a week for the scan to finish. This is an extreme case with a large information store, but even a medium-sized store could take a couple of days to finish.
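One way to keep an eye on those start and completion times without reading the log by hand, as an added example that is not part of the original post: it pulls the product's Application log entries, pairs each start with the next completion, and prints the duration, flagging scans that ran past a threshold or never logged completion. The event source name and the start/end message patterns are placeholders, not Symantec's documented values; copy the real source and wording from the entries your SMSMSE version writes (the ones the screenshot above shows). Get-EventLog needs Windows PowerShell 2.0 or later for -Source and -After.

```powershell
# Added example, not from the original post: report how long each
# information-store scan took, from the Application log.
# ASSUMPTIONS (placeholders): $Source, $StartPattern and $EndPattern are not
# the product's documented values; replace them with the source name and
# message text of the real start/end entries.
$Source       = 'Symantec Mail Security for Microsoft Exchange'          # assumed source name
$StartPattern = 'scan of the information store.*started'                 # assumed wording
$EndPattern   = 'scan of the information store.*(completed|finished)'    # assumed wording
$WarnHours    = 8    # anything longer than a working day gets flagged

$events = Get-EventLog -LogName Application -Source $Source -After (Get-Date).AddDays(-30) |
          Sort-Object TimeGenerated

$started = $null
foreach ($e in $events) {
    if ($e.Message -match $StartPattern) {
        # A second start before any end means the previous scan never logged
        # completion (service restart, crash); report it rather than hide it.
        if ($started) { "Scan started $started has no completion entry" }
        $started = $e.TimeGenerated
    }
    elseif ($started -and $e.Message -match $EndPattern) {
        $span = $e.TimeGenerated - $started          # TimeSpan
        $flag = if ($span.TotalHours -gt $WarnHours) { 'LONG' } else { 'ok' }
        '{0:yyyy-MM-dd HH:mm}  {1:yyyy-MM-dd HH:mm}  {2,7:N1} h  {3}' -f `
            $started, $e.TimeGenerated, $span.TotalHours, $flag
        $started = $null
    }
}
if ($started) { "Scan started $started is still running (no completion entry yet)" }
```

Run it after a scheduled scan, or from a scheduled task, and watch for the LONG flag: a scan that is still running when the next definition update lands is exactly the situation the first tip warns about.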


One of our customers is running Symantec Mail Security for Microsoft Exchange 5.0. We were having trouble with the service hanging in a "Starting" state when the server started up. See the picture below.

 

I wanted to delay this service from starting up until the server boot process was further along.  Using the command “sc query”, I was able to see the Service Name: SMSMSE that matched up with the Display name in the services list.

Since the service was hung, I could not set the service startup type to Disabled or Manual. In the service properties, on the Log On tab, click the Disable button to stop the service from starting up for the current hardware profile, and reboot the server. After the server has rebooted, make sure to go back and Enable it for the hardware profile again.

While the server was booting up, I connected to the services list of the server from another PC.  This way, I could see which services were starting up towards the end of booting.  One of the last services to start was “Microsoft Exchange Information Store”.  Knowing that, I needed to find the Service Name to match the Display Name.  Using “sc query” again, I found the service name to be MSExchangeIS.

In order to get the SMSMSE service to start up AFTER the MSExchangeIS service has started, you have to specify that SMSMSE depends on MSExchangeIS. To do this, open regedt32. On Windows 2000, regedit will not work in this case because we have to edit a REG_MULTI_SZ value (on Windows XP and Server 2003, regedit handles REG_MULTI_SZ values and regedt32 simply launches it). Go to the following location in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<Service name>. The value to edit or add is “DependOnService”. In this case, I added “MSExchangeIS” to this list so the service would not try to start until that service was started.

 

After this change was made, the SMSMSE service was delayed long enough for it to be able to start up automatically.
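The same change done from PowerShell, as an added example that is not part of the original post: it resolves the display name to the short service name the way "sc query" did, appends MSExchangeIS to DependOnService without dropping whatever dependencies are already listed, and then verifies through the service controller rather than the registry. It assumes an elevated Windows PowerShell session on the Exchange server and the two service names the post found.

```powershell
# Added example, not from the original post: make SMSMSE depend on MSExchangeIS.
# Assumes an elevated Windows PowerShell session on the Exchange server.
$svc = 'SMSMSE'          # service name found with "sc query" in the post
$dep = 'MSExchangeIS'    # Microsoft Exchange Information Store

# Step 1: confirm the short name behind the display name (what "sc query" showed).
Get-Service -DisplayName 'Microsoft Exchange Information Store' | Select-Object Name, DisplayName

# Step 2: append to DependOnService (REG_MULTI_SZ). Read the existing list first:
# "sc config SMSMSE depend= MSExchangeIS" would REPLACE the whole list, silently
# removing any dependency the installer put there.
$key     = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
$current = @((Get-ItemProperty -Path $key -Name DependOnService -ErrorAction SilentlyContinue).DependOnService |
             Where-Object { $_ })   # empty array if the value does not exist yet

if ($current -contains $dep) {
    "$svc already depends on $dep"
}
else {
    # Set-ItemProperty creates the value if it is missing; -Type MultiString keeps it REG_MULTI_SZ.
    Set-ItemProperty -Path $key -Name DependOnService -Value ($current + $dep) -Type MultiString
    "Added $dep to DependOnService for $svc"
}

# Step 3: verify through the SCM; this is what the service controller honours at next boot.
(Get-Service -Name $svc).ServicesDependedOn | Select-Object Name, Status
```

Two things to keep in mind: the dependency is only consulted when the service starts, so it takes effect at the next reboot (or a manual stop and start), and it cuts both ways: if the Information Store fails to start, SMSMSE now stays stopped too, which is the behaviour you want for a store scanner but worth knowing when reading the event log afterwards.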



One of our customers was not able to get to the Internet. I was able to connect to the router, but could not ping the ISA server. Shortly after, I could get on the server, but when going through the Start menu it stopped responding and I finally got disconnected. I could no longer ping it from the router. Then in a little while it came back. I was able to stay connected long enough to look at the event log and found messages that said "Remote Access Connection Manager failed to start because it could not create buffers. Restart the computer. Access is denied." I researched this and found http://support.microsoft.com/kb/842696 and http://support.veritas.com/docs/285593, which both say the tape drivers need to be updated. I downloaded the driver installation file from Veritas (Symantec), put it on a CD and went on site. The internal LAN was working fine. I got on the server and found that I could not ping the router. I installed the Veritas (Symantec) device drivers and rebooted, and that seems to have corrected it. The version of the HP tape driver was "5.1.23.0" before and now it is "5.1."


Excessive log files can be generated by both the Symantec AV client and the Windows Application Event Log when running ThinkVantage Away Manager alongside the Symantec AV client. These programs conflict with each other and generate several log events per second. On the laptop of one of our team members, the Symantec log files had grown to 5GB in size. There are two methods for stopping the conflict: 1) turn off Tamper Protection in the Symantec AV client, or 2) uninstall ThinkVantage Away Manager. It is basically Lenovo’s version of the Windows Task Scheduler and did not appear especially useful.

Symantec stores the log files at C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs.


Symantec published a paper in conjunction with Indiana University describing how attackers could use unsecured home wireless access points in pharming attacks. The vulnerability is easily guessed administrator credentials on the wireless routers, and default installations definitely ship with easily guessed credentials.

The ploy described in this paper (http://www.symantec.com/avcenter/reference/Driveby_Pharming.pdf) involves JavaScript on a malicious website that changes the DNS settings on the wireless router, provided the router's credentials can be guessed by the script.

So there is more to it than making sure your wireless transmissions are encrypted.