Can’t find script engine “VBScript” for script

A user reported the following issue on Windows 7:
Can't find script engine "VBScript" for script

As it turns out, the user had deleted the McAfee Anti-virus program directory.  No mean feat in itself.  That in turn led to the error message above when the user logged on.

So I knew McAfee was probably the cause.

When McAfee AV installs, it replaces the registry entry for vbscript.dll with scriptsn.dll.  When the user deleted the McAfee directory, it deleted scriptsn.dll, which is why Windows couldn’t find the script engine.
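The registry chain described above can be checked directly rather than guessed at. The following PowerShell is an added example, not code from the original post: it resolves the VBScript ProgID under HKEY_CLASSES_ROOT to its CLSID and InprocServer32 entry, then reports whether the DLL the registry names is still on disk, which is exactly the state a deleted third-party engine directory leaves behind. It assumes PowerShell 2.0 or later and that InprocServer32 holds either a full path or a bare file name; the function name and output fields are my own.

```powershell
# Added example (not from the original post). Resolve the registered script
# engine DLL for a ProgID such as "VBScript" and confirm it exists on disk.
function Get-ScriptEngineStatus {
    param([string]$Engine = 'VBScript')

    $result = New-Object PSObject -Property @{
        Engine = $Engine; Clsid = $null; RegisteredDll = $null
        ResolvedPath = $null; Status = 'Unknown'
    }

    # Step 1: ProgID -> CLSID (default value of HKCR\<Engine>\CLSID)
    $progIdKey = "Registry::HKEY_CLASSES_ROOT\$Engine\CLSID"
    if (-not (Test-Path -LiteralPath $progIdKey)) {
        $result.Status = 'ProgID not registered'
        return $result
    }
    $result.Clsid = (Get-ItemProperty -LiteralPath $progIdKey).'(default)'

    # Step 2: CLSID -> InprocServer32 (the DLL that implements the engine)
    $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$($result.Clsid)\InprocServer32"
    if (-not (Test-Path -LiteralPath $serverKey)) {
        $result.Status = 'InprocServer32 key missing'
        return $result
    }
    $result.RegisteredDll = (Get-ItemProperty -LiteralPath $serverKey).'(default)'

    # Step 3: expand %SystemRoot%-style variables; a bare file name is loaded
    # from System32, so resolve it there for the existence check.
    $path = [Environment]::ExpandEnvironmentVariables($result.RegisteredDll)
    if (-not [IO.Path]::IsPathRooted($path)) {
        $path = Join-Path (Join-Path $env:SystemRoot 'System32') $path
    }
    $result.ResolvedPath = $path

    if (-not (Test-Path -LiteralPath $path)) {
        # The condition the post describes: the registry still points at a
        # third-party DLL whose directory has been deleted.
        $result.Status = 'Registered DLL missing on disk'
    } elseif ([IO.Path]::GetFileName($path) -ine "$Engine.dll") {
        $result.Status = 'OK (engine redirected to a non-Microsoft DLL)'
    } else {
        $result.Status = 'OK'
    }
    return $result
}

Get-ScriptEngineStatus -Engine 'VBScript' |
    Format-List Engine, Clsid, RegisteredDll, ResolvedPath, Status
```

A result of "Registered DLL missing on disk" is the state behind the logon error; a "redirected" result on a healthy machine simply shows which anti-virus product has hooked the engine, which is worth knowing before that product is ever removed by hand.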

The solution in this case was to re-install Windows.  Deleting the McAfee directory will cause other problems.  Less desperate solutions can be found in these articles:

What to put in a script to check anti-virus program healthiness

The sort of checks you might want to put into a “PC Health Check” script for anti-virus program healthiness is as follows:

CA eTrust

  1. vet.dat has a recent* modified/created date.
  2. SigCheck is reporting a recent* version of the anti-virus signature file.
  3. PhonHome is reporting “Phone home successful”.
  4. eTrust services are running (at least INORT, INORPC, INOTASK).

McAfee AV client / EPO

  1. avvscan.dat has a recent* modified/created date.
  2. OnAccessScanLog.txt has a recent* modified/created date.
  3. McAfee services are running.

Microsoft Security Essentials

  1. mpavdlta.vdm & mpasdlta.vdm have a recent* modified/created date.
    (Microsoft, bless ‘em, hide these files in a subdirectory which changes with each update, under C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\)
  2. MSE services are running (at least MSMENG).

What’s this about recent?
In a corporate environment, I would define recent as anywhere from 4 to 8 days.  This is because most users turn “their” PCs off on Friday night, and turn the PC back on 3 days later (Monday).  And people do go on holidays for at least a week’s duration …

The eTrust SigCheck.exe utility

CA eTrust has a utility called “SigCheck.exe”.  Its purpose is to display the current version of the eTrust anti-virus definition which is on the local PC.

From a command line, you run it like this:

Sigcheck.exe Vet

Sigcheck will then return the current signature version:

Sigcheck Vet version: 37.0.9825
(this was an eTrust AV version from 3 March 2012)

If you were to include the running of Sigcheck.exe into a “PC Health Check” type script, you’d have a quick way of determining whether anti-virus updates were reaching your fleet of PCs.
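Taken together, the health-check items from the earlier post and the Sigcheck run described here fit into one script. What follows is an added PowerShell example, not code from either post: it applies the “recent” rule (upper bound 8 days) to the signature files named earlier, finds the MSE delta files however the update subdirectory happens to be named, checks the listed services, and parses the Sigcheck Vet version line into a comparable [version] so a fleet-wide minimum can be enforced. The eTrust and McAfee install directories, the McAfee service name and the minimum acceptable Vet version are assumptions marked in the code; the eTrust and MSE service names are the ones the earlier post lists.

```powershell
# Added example, not from the original posts. Anti-virus health checks:
# recent signature files, running services, and the Sigcheck Vet version.
$DefaultMaxAgeDays = 8   # upper bound of the 4-8 day "recent" window from the post

# ASSUMPTIONS: install locations vary by site; adjust these before use.
$EtrustDir = 'C:\Program Files\CA\eTrust Antivirus'
$McAfeeDir = 'C:\Program Files\McAfee\VirusScan Enterprise'
$MseDefDir = 'C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates'
$MinVetVersion = [version]'37.0.9825'   # assumed baseline (the post's 3 March 2012 value)

function Test-FileRecent {
    # True when the file exists and was modified within $MaxAgeDays.
    param([string]$Path, [int]$MaxAgeDays = $DefaultMaxAgeDays)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $item = Get-Item -LiteralPath $Path
    return ((Get-Date) - $item.LastWriteTime).TotalDays -le $MaxAgeDays
}

function Test-NewestFileRecent {
    # MSE keeps its .vdm files in a subfolder whose name changes with every
    # update, so search the tree and judge only the newest copy.
    param([string]$Root, [string]$Filter, [int]$MaxAgeDays = $DefaultMaxAgeDays)
    if (-not (Test-Path -LiteralPath $Root)) { return $false }
    $newest = Get-ChildItem -LiteralPath $Root -Filter $Filter -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $newest) { return $false }
    return ((Get-Date) - $newest.LastWriteTime).TotalDays -le $MaxAgeDays
}

function Test-ServicesRunning {
    # True only when every named service exists and is in the Running state.
    param([string[]]$Name)
    foreach ($n in $Name) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.Status -ne 'Running') { return $false }
    }
    return $true
}

function Get-SigcheckVersion {
    # Runs "Sigcheck.exe Vet" and parses "Sigcheck Vet version: 37.0.9825".
    # Returns $null when the tool is absent or the output is unrecognised.
    param([string]$Sigcheck = (Join-Path $EtrustDir 'Sigcheck.exe'))   # assumed location
    if (-not (Test-Path -LiteralPath $Sigcheck)) { return $null }
    $out = (& $Sigcheck Vet 2>&1) | Out-String
    if ($out -match 'Vet version:\s*(\d+(\.\d+)+)') { return [version]$Matches[1] }
    return $null
}

$vet = Get-SigcheckVersion
$checks = @(
    @{ Name = 'eTrust vet.dat recent';         Pass = Test-FileRecent (Join-Path $EtrustDir 'vet.dat') },
    @{ Name = 'eTrust Sigcheck >= baseline';   Pass = ($vet -ne $null -and $vet -ge $MinVetVersion) },
    @{ Name = 'eTrust services running';       Pass = Test-ServicesRunning 'INORT','INORPC','INOTASK' },
    @{ Name = 'McAfee avvscan.dat recent';     Pass = Test-FileRecent (Join-Path $McAfeeDir 'avvscan.dat') },
    @{ Name = 'McAfee OnAccessScanLog recent'; Pass = Test-FileRecent (Join-Path $McAfeeDir 'OnAccessScanLog.txt') },
    @{ Name = 'McAfee services running';       Pass = Test-ServicesRunning 'McShield' },   # assumed service name
    @{ Name = 'MSE mpavdlta.vdm recent';       Pass = Test-NewestFileRecent $MseDefDir 'mpavdlta.vdm' },
    @{ Name = 'MSE mpasdlta.vdm recent';       Pass = Test-NewestFileRecent $MseDefDir 'mpasdlta.vdm' },
    @{ Name = 'MSE services running';          Pass = Test-ServicesRunning 'MSMENG' }      # name as given in the post
)
foreach ($c in $checks) {
    '{0,-34} {1}' -f $c.Name, $(if ($c.Pass) { 'OK' } else { 'FAIL' })
}
```

Only the products actually deployed matter, so trim $checks to the fleet’s product before rolling this out; a FAIL on the Sigcheck line means either the tool was not found or the reported version is older than the baseline, which is the quickest single indicator that updates are not reaching a machine.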

eTrust command line utilities

asutil.exe Imports subnet information into the ITM Server database.
compver.exe Displays the version of all installed components.
eavdisc.exe Causes a “free election” discovery to occur on the local subnet.
eAVreprt.exe Runs silently to cause reports to be generated.
EnableLogs.exe Turns logs on for CA Customer Support, for debugging purposes.
EnableWinICF.exe Opens all Windows firewall ports needed for CA eTrust to function.
ITMRT_SupportDiagnostics.exe Diagnostic tool for eTrust Pest Patrol.
phonhome.exe Causes the eTrust client to try and “phone home” to the eTrust policy server.  Often this will resolve policy and update issues.
polutil.exe Imports and exports policies.

Source: CA eTrust Implementation Guide – Utilities and Troubleshooting

AV virus exclusion post update, and other post updates.

Updated the

How to select a good anti-virus product

Well, if you didn’t receive emails with viruii attached, or surf to “dubious” websites, you wouldn’t get infected. For the rest of us, we would be looking at either Microsoft Security Essentials, or something which costs money.

Or, if you’re a corporate customer with “business” needs, you’ll be needing to spend money.
If for no other reason than that most anti-virus vendors prohibit the use of their “free” products in a commercial setting.

The following are the questions I ask myself when I’m looking at an anti-virus product.

Personal use.

  1. Does it have a history of “false positives”?
    False positives are when the anti-virus product detects “good” files as being a virus.
    For personal use I wouldn’t buy Symantec, McAfee or CA eTrust products.
    Far too many false positives for my taste, which I wrote about here.   Heck, McAfee can’t even be bothered to test their product updates against known good Microsoft Windows PCs.
  2. What choices does the product give me if it finds a virus?
    Does it give me the choice to ignore the issue, quarantine the file, or just delete it?
    This is an important point for me, after having had McAfee delete some files I wanted to keep.
  3. Is it from a vendor I trust?
    This is a personal choice, but I wouldn’t ever buy McAfee products.  Ever.
  4. Will it slow down my PC if I install it?
    You used to pay a performance penalty for running an anti-virus product on your desktop.  But not so much now, with computers having gotten faster over the years.
    It is useful to be able to exclude programs from anti-virus monitoring, if you know the program is trustworthy.

For home use, I’d recommend Microsoft Security Essentials.


Anti-virus False Positives – been a few

[Image: McAfee - Not Proven Security (image courtesy Lifehacker)]

It was an Ed Bott article which got me to thinking, “just how many anti-virus false positives have I dealt with over the years?”.   Six.   A false positive is when your anti-virus product flags a non-virus file as being virus-infected.

Number of false positive virus updates which impacted my customers? 6
Number of virus outbreaks which occurred, which the AV products missed? 3
Number of virus outbreaks actually prevented by an AV product? 0

I’ve often thought that enterprise customers should pilot AV updates before inflicting them on their wider user community.  I mean, what’s the point of having an AV product which effectively does more damage than an actual outbreak?

Here is the list of anti-virus updates I’ve seen which have caused some havoc for customers.  It was longer than I thought it would be.

AV product         | Date           | Product it killed                        | Customer impact
McAfee AV          | April 2010     | Windows                                  | Minor.  We stopped it in time.
CA eTrust          | September 2008 | Spybot S&D                               | Couldn’t use SpyBot as eTrust deleted the .exe.
CA Pest Patrol     | March 2005     | IBM SameTime                             | 20,000+ computers unable to use instant messaging product.
CA eTrust          | January 2004   | Windows                                  | Stopped Windows booting in two countries.
CA eTrust          | December 2003  | WiseScript created utilities             | Broke a number of software installations, and caused a logon error on 1,000+ computers.
Symantec Norton AV | November 2001  | InstallShield created software installs  | When trying to install a particular VPN product, Symantec said the install was “NIMBA”.  Stopped a country-wide deployment for a week.

The anti-virus product I use at home?  Microsoft Security Essentials.


SMS 2003 Server running slow, check your AV exclusions.

We had a problem with one of our SMS servers today: it was not processing DDR records.

All 19,000+ of them.

After some investigation, a co-worker found it was a corrupted DDR record which caused SMS to get stuck. 

After we fixed it, SMS started processing those records at 1 DDR per second.
Let’s do the math: 19,000 records at 1 per second is 60 DDR per minute, and 3,600 per hour.  It would take over 5 hours to process all those.
PLUS SMS was adding more DDR records, all the time.

Oh Bother it

Remembering that SMS Primary Sites run SQL Server, I wondered … … did we exclude the SQL Process from our AV program???

In short, no.  Excluding SQLSERVR.EXE made a tiny difference.  Adding SMSEXEC.EXE & CCMEXEC.EXE to the exclusion list made a HUGE difference.

We went from 1 record per second, to 5 records per second being processed.

We’re deploying the change to the rest of the SMS Server fleet, Tuesday.


eTrust AntiVirus, and directories / processes you should exclude from scanning.

Computer Associates used to recommend excluding particular processes and directories from eTrust anti-virus scanning.  This, I found, was very important with Microsoft SQL Server, as scanning it would cause a significant performance hit.
You would do this by setting the following registry value, under HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrustITM\CurrentVersion\Realtime:
szExcludeProcessNames

Reason for exclusion     Processes to be excluded (separated by "|")
Microsoft SQL Server     sqlserver.exe|sqlservr.exe
Microsoft Exchange       store.exe
Microsoft SMS 2003       SMSEXEC.EXE|CCMEXEC.EXE
  and some others …
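One way to maintain that value without clobbering what is already in it, as an added example that is not part of the original post: the merge logic is kept separate from the registry write so it can be tried on a plain string first, existing entries are preserved, duplicates are ignored case-insensitively, and the write honours -WhatIf. It assumes szExcludeProcessNames is a REG_SZ string of pipe-separated names under the key given above, as the post describes; the function names are mine, and the SMS 2003 process list at the end is the one from the two posts.

```powershell
# Added example (not from the original post): add process names to the eTrust
# realtime exclusion list while keeping the entries that are already there.
$RealtimeKey = 'HKLM:\SOFTWARE\ComputerAssociates\eTrustITM\CurrentVersion\Realtime'
$ValueName   = 'szExcludeProcessNames'

function Merge-ExcludeList {
    # Pure string merge: "a.exe|b.exe" + ('B.EXE','c.exe') -> "a.exe|b.exe|c.exe".
    # Kept free of registry access so the result can be inspected first.
    param([string]$Existing, [string[]]$Add)
    $merged = @($Existing -split '\|' | Where-Object { $_ -ne '' })
    foreach ($p in $Add) {
        # -contains is case-insensitive in PowerShell, matching Windows file names
        if ($p -and -not ($merged -contains $p)) { $merged += $p }
    }
    return ($merged -join '|')
}

function Add-ETrustProcessExclusion {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string[]]$ProcessName)

    if (-not (Test-Path -LiteralPath $RealtimeKey)) {
        throw "eTrust realtime key not found: $RealtimeKey (is eTrust installed?)"
    }
    # Missing value -> $null, which Merge-ExcludeList treats as an empty list
    $existing = (Get-ItemProperty -LiteralPath $RealtimeKey -Name $ValueName `
                    -ErrorAction SilentlyContinue).$ValueName
    $new = Merge-ExcludeList -Existing $existing -Add $ProcessName

    if ($new -eq $existing) {
        Write-Verbose "No change; $ValueName already contains: $existing"
        return
    }
    # ShouldProcess gives the caller -WhatIf / -Confirm for free
    if ($PSCmdlet.ShouldProcess("$RealtimeKey\$ValueName", "Set to '$new'")) {
        Set-ItemProperty -LiteralPath $RealtimeKey -Name $ValueName -Value $new -Type String
        Write-Verbose "Updated $ValueName to: $new"
    }
}

# Dry run first; drop -WhatIf to apply. Process list for an SMS 2003 site
# server, as in the SMS post above.
Add-ETrustProcessExclusion -ProcessName 'sqlservr.exe','SMSEXEC.EXE','CCMEXEC.EXE' -WhatIf -Verbose
```

Merge-ExcludeList can be exercised on its own (for example, `Merge-ExcludeList 'store.exe|sqlservr.exe' 'SQLSERVR.EXE','smsexec.exe'` returns `store.exe|sqlservr.exe|smsexec.exe`) before the registry is touched, and the -WhatIf run shows the exact string that would be written.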
