The eTrust SigCheck.exe utility

CA eTrust has a utility called “SigCheck.exe”.  It’s purpose is to display the current version of the eTrust anti-virus definition which is on the local PC.

From a command line, you run it like this:

Sigcheck.exe Vet

Sigcheck will then return the command signature version

Sigcheck Vet version: 37.0.9825
(this was an eTrust AV version from 3 March 2012)

If you were to include the running of Sigcheck.exe into a “PC Health Check” type script, you’d have a quick way of determining whether anti-virus updates were reaching your fleet of PCs.

eTrust command line utilities

asutil.exe Imports subnet information into the ITM Server database.
compver.exe Displays the version of all installed components.
eavdisc.exe Causes a “free election” discovery to occur on the local subnet.
eAVreprt.exe Runs silently to cause reports to be generated.
EnableLogs.exe Turns logs on for CA Customer Support, for debugging purposes.
EnableWinICF.exe Opens all required Windows firewall ports needs for CA eTrust to function.
ITMRT_SupportDiagnostics.exe Diagnostic tool for eTrust Pest Patrol.
phonhome.exe Causes the eTrust client to try and “phone home” to the eTrust policy server.  Often this will resolve policy and update issues to be resolved.
polutil.exe Imports and exports policies.

Source: CA eTrust Implementation Guide – Utilities and Troubleshooting

How to select a good anti-virus product

Well, if you didn’t receive emails with viruii attached, or surf to “dubious” websites, you wouldn’t get infected. For the rest of us, we would be looking at either Microsoft Security Essentials, or something which costs money.

Or you’re a corporate customer, who has “business” needs, you’ll be needing to spend money.
If for no other reason that most anti-virus prohibit the use of their “free” products in a commercial setting.

The following are the questions I ask myself when I’m looking at an anti-virus product.

Personal use.

  1. Does it have a history of “false positives”?
    False positives are when the anti-virus product detects “good” files as being a virus.
    For personal use I wouldn’t buy Symantec, McAfee or CA eTrust products.
    Far too many false positives for my taste, which I wrote about here.   Heck, McAfee can’t even be bothered to test their product updates against known good Microsoft Windows PCs.
  2. What choices does the product give me if it finds a virus?
    Does it give me the choice to ignore the issue, quarantine the file, or just delete it?
    This is an important point for me, after having had McAfee delete some files I wanted to keep.
  3. Is it from a vendor I trust?
    This is a personal choice, but I wouldn’t ever buy McAfee products.  Ever.
  4. Will it slow down my PC if I install it?
    You used to pay a performance penalty for running an anti-virus product on your desktop.  But not so much now, with computers having gotten faster over the years.
    It is useful to be able to exclude programs from anti-virus monitoring, if you know the program is trustworthly.

For home use, I’d recommend Microsoft Security Essentials.

Continue reading

SMS 2003 Server running slow, check your AV exclusions.

sms2003_150x70 We had a problem with one of our SMS servers today, it was not processing DDR records.

All 19,000+ of them.

After some investigation, a co-worker found it was a corrupted DDR record which caused SMS to get stuck. 

After we fixed it, SMS started processing them records at 1 DDR per seconds.
Let’s do the math, 19,000 records at 1 per second, is 60 DDR per minute; and 3600 per hour.  It would take at 5 hours to process all those.
PLUS SMS was adding more DDR records, all the time.

Oh Bother it

Remembering that SMS Primary Sites run SQL Server, I wondered … … did we exclude the SQL Process from our AV program???

In short, no.  Excluding SQLSERVR.EXE made a tiny difference.  Adding SMSEXEC.EXE & CCMEXEC.EXE to the exclusion list made a HUGH difference.

We went from 1 record per second, to 5 records per second being processed.

We’re deploying the change to the rest of the SMS Server fleet, Tuesday.

Bookmark and Share

eTrust AntiVirus, and directories / processes you should exclude from scanning.

Computer Associates used to recommend excluding particular processes and directories from eTrust anti-virus scanning.  This, I found, was very important with Microsoft SQL Server, as it would cause a significant performance hit.
You would do this via setting the following registry keys, under HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrustITM\CurrentVersion\Realtime
szExcludeProcessNames

Reason for exclusion List of processes to be excluded, separated by "|"
Microsoft SQL Server sqlserver.exe  sqlservr.exe
Microsoft Exchange store.exe
Microsoft SMS 2003 SMSEXEC.EXE  CCMEXEC.EXE
  and some others …

Continue reading

The Microsoft Loopback Adapter, NT4 & Windows 7.

Reading a Microsoft blog post recently, I was reminded of a customer request from late 2002.  The emailed request was something like this:

Had to use the generic Win NT4 install on a Toshiba laptop yesterday.  There were some issues.

No network adapter is installed at the time of the Win NT4 installation.* This causes an error with the installation of eTrust and the CA UniCenter software.  It also means that networking component needs to be manually installed AND Error 7001 is also written to the system log.
To fix the Error 7001, we need to reinstall Service Pack 6a.

My suggestion is that you install the Microsoft Loopback Adapter during the installation, as it will solve the build issues we’re finding.

This was a brilliant suggestion as it turns out.  We would occasionally see build failures due to our NT4 build not having the network card drivers for the newer network cards.  Older versions of SQL (SQL 2000?) also needed a network card to be installed, so SQL would install properly.
The loopback adapter was a suitable work around for those issues.

These days, I would only use a loopback adapter with virtual machines (think VMware/VPC) IF the host machine didn’t have a physical network connection.
NT4 MS Loopback Adapter A loopback adapter will give you a working TCP/IP stack.

On Windows 7, it’s not obvious or easy to add a loopback adapter.  But Cesar de la Torre tells you how, on his MSDN Blog.

“ In any case, if you want to run the Wizard where you can manually add hardware, you need to start it from the COMMAND PROMPT:

  1. Run cmd, but do it like: “Run as Administrator”
  2. From the command prompt, write down “hdwwiz.exe” and execute it. Then, the “Add Hardware Wizard” will be launched.
  3. Select: Install hardware manually –> Network Adapters –> Microsoft –> Microsoft Loopback Adapter.

* – Network adapters WERE installed for supported desktops & laptops.  The customer had an unsupported laptop.

How to debug CA eTrust’s INO_FLTR.SYS

With eTrust 8, those pack of clowns at Computer Associates seem to think it’s a good idea to distribute eTrust Anti-virus system file updates via the automated virus signature update process.

So, in the past, you as an eTrust AV admin might have distributed DRVUPDi.exe updates manually (or not at all).  CA  now forces that update out.

So why is that a problem?

  • An update requires a reboot.  The update includes the INO_FLTR.SYS & INO_FLPY.SYS files which hook into the file system.  Which requires a reboot.
  • When you reboot, say as part of regular maintenance, or a scheduled change, CA throws you a curve ball because they’ve changed something without telling you.
  • Yes, it truly is a problem.  Back in April 2004, a faulty INO_FLTR.SYS caused Citrix desktop clients to take 25 minutes to boot up.

Conclusion: CA are a pack of bastards.

So if you need to debug ino_fltr.sys
You use DebugView to capture what’s going on with INO_FLTR.SYS.

  1. Set the following registry key:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\INO_FLTR\Setting]
    ”DebugOption”=dword:0x20400D
  2. Restart the PC.
  3. Run the Sysinternals DebugView tool to capture the output.

Bookmark and Share