How to debug CA eTrust’s INO_FLTR.SYS

With eTrust 8, that pack of clowns at Computer Associates seems to think it’s a good idea to distribute eTrust Anti-virus system file updates via the automated virus signature update process.

So, in the past, you as an eTrust AV admin might have distributed DRVUPDi.exe updates manually (or not at all). CA now forces that update out.

So why is that a problem?

  • An update requires a reboot, because it includes the INO_FLTR.SYS & INO_FLPY.SYS files, which hook into the file system.
  • When you reboot, say as part of regular maintenance, or a scheduled change, CA throws you a curve ball because they’ve changed something without telling you.
  • Yes, it truly is a problem.  Back in April 2004, a faulty INO_FLTR.SYS caused Citrix desktop clients to take 25 minutes to boot up.

Conclusion: CA are a pack of bastards.

So if you need to debug ino_fltr.sys, use DebugView to capture what’s going on with INO_FLTR.SYS.

  1. Set the following registry value (DebugOption, a DWORD with hex value 0x20400D), shown here in .reg syntax:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\INO_FLTR\Setting]
    "DebugOption"=dword:0020400d
  2. Restart the PC.
  3. Run the Sysinternals DebugView tool to capture the output.
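
Step 1 scripted in PowerShell, as an added example that is not part of the original post: it records the previous DebugOption value before writing 0x20400D, so the setting can be reverted once the capture is done. The function names and the backup file path are assumptions; the key path, value name and data are the ones from step 1.

```powershell
#Requires -RunAsAdministrator
# Added example: enable INO_FLTR debug output and keep the old value for later.
$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\INO_FLTR\Setting'
$ValueName  = 'DebugOption'
$DebugValue = 0x20400D
# Hypothetical backup location, chosen for this example only.
$BackupFile = Join-Path $env:TEMP 'INO_FLTR-DebugOption.bak.txt'

function Enable-InoFltrDebug {
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        throw "Key not found: $KeyPath (is the eTrust filter driver installed?)"
    }
    # Record the existing value, or the marker 'absent' if it was never set.
    $current  = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $previous = if ($null -ne $current) { [string]$current.$ValueName } else { 'absent' }
    Set-Content -LiteralPath $BackupFile -Value $previous

    New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $DebugValue -Force | Out-Null
    Write-Host ("DebugOption set to 0x{0:X} (previous: {1}). Restart, then run DebugView." -f $DebugValue, $previous)
}

function Restore-InoFltrDebug {
    if (-not (Test-Path -LiteralPath $BackupFile)) {
        throw "No backup found at $BackupFile; nothing to restore."
    }
    $previous = (Get-Content -LiteralPath $BackupFile -TotalCount 1).Trim()
    if ($previous -eq 'absent') {
        # The value did not exist before, so remove it again.
        Remove-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    } else {
        New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -PropertyType DWord `
            -Value ([int]$previous) -Force | Out-Null
    }
    Remove-Item -LiteralPath $BackupFile
    # Assumption: as in step 2, the driver only reads the value at startup.
    Write-Host "DebugOption restored to: $previous. Restart for the change to apply."
}
```

Run `Enable-InoFltrDebug` from an elevated prompt before step 2, and `Restore-InoFltrDebug` after the DebugView capture is finished.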
