Updating McAfee VirusScan Enterprise DAT files manually.

Posted on May 4, 2016 by Dale

In short, go to http://www.mcafee.com/apps/downloads/security-updates/security-updates.aspx and download the DAT file. The install switches are as follows:
SuperDAT Help

Which seems much easier than following McAfee’s instructions here:
How to manually update the DAT files for VirusScan Enterprise 8.x

Can’t find script engine “VBScript” for script

Posted on January 5, 2013 by Dale

A user reported the following issue on Windows 7:

As it turns out, the user had deleted the McAfee Anti-virus program directory. No mean feat in itself. Which in turn led to the error message above when the user logged on.

So I knew McAfee was probably the cause.

When McAfee AV installs, it replaces the registry entry for vbscript.dll with scriptsn.dll. When the user deleted the Mcfee directory, it deleted scriptsn.dll, which is why it couldn’t find the script engine.

The solution in this case, was to re-install Windows. Deleting the McAfee directory will cause other problems. Less desperate solutions can be found in these articles:

What to put in a script to check anti-virus program healthiness

Posted on July 31, 2012 by Dale

The sort of checks you might want to put into a “PC Health Check” script, for anti-virus program healthiness is as follows

CA eTrust

vet.dat has a recent* modified/created date.
SigCheck is reporting a recent* version of the anti-virus signature file.
PhonHome is reporting that “Phone home successful”
eTrust services are running (at least INORT, INORPC, INOTASK)

McAfee AV client / EPO

avvscan.dat has a recent* modified/created date.
OnAccessScanLog.txt has a recent* modified/created date.
McAfee services are running.

Microsoft Security Essentials

mpavdlta.vdm & mpasdlta.vdm have recent* modified/created date.
(Microsoft, bless ‘em, hide these files in a subdirectory which changes with each update, under C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\)
MSE services are running (at least MSMENG)

What’s this about recent?
In a corporate environment, I would define recent as anywhere from 4 –> 8 days. This is because most users turn “their” PCs off on Friday night, and turn the PC back on 3 days later (Monday). And people do go on holidays for at least a weeks duration …

The eTrust SigCheck.exe utility

Posted on July 30, 2012 by Dale

CA eTrust has a utility called “SigCheck.exe”. It’s purpose is to display the current version of the eTrust anti-virus definition which is on the local PC.

From a command line, you run it like this:

Sigcheck.exe Vet

Sigcheck will then return the command signature version

Sigcheck Vet version: 37.0.9825(this was an eTrust AV version from 3 March 2012)

If you were to include the running of Sigcheck.exe into a “PC Health Check” type script, you’d have a quick way of determining whether anti-virus updates were reaching your fleet of PCs.

eTrust command line utilities

Posted on July 30, 2012 by Dale

asutil.exe	Imports subnet information into the ITM Server database.
compver.exe	Displays the version of all installed components.
eavdisc.exe	Causes a “free election” discovery to occur on the local subnet.
eAVreprt.exe	Runs silently to cause reports to be generated.
EnableLogs.exe	Turns logs on for CA Customer Support, for debugging purposes.
EnableWinICF.exe	Opens all required Windows firewall ports needs for CA eTrust to function.
ITMRT_SupportDiagnostics.exe	Diagnostic tool for eTrust Pest Patrol.
phonhome.exe	Causes the eTrust client to try and “phone home” to the eTrust policy server. Often this will resolve policy and update issues to be resolved.
polutil.exe	Imports and exports policies.

Source: CA eTrust Implementation Guide – Utilities and Troubleshooting

AV virus exclusion post update, and other post updates.

Posted on November 16, 2010 by Dale

Updated the

“AntiVirus, and directories / processes you should exclude from scanning”
With details of SQL Server 2008 and R2 best practices.
I plan to get around to rewriting this article, to make it less eTrust specific. The advice is applicable to other AV products. How you exclude will vary with those products.
Some Powershell links post, with a link to how to manipulate NTFS ACLs.

How to select a good anti-virus product

Posted on June 30, 2010 by Dale

Well, if you didn’t receive emails with viruii attached, or surf to “dubious” websites, you wouldn’t get infected. For the rest of us, we would be looking at either Microsoft Security Essentials, or something which costs money.

Or you’re a corporate customer, who has “business” needs, you’ll be needing to spend money.
If for no other reason that most anti-virus prohibit the use of their “free” products in a commercial setting.

The following are the questions I ask myself when I’m looking at an anti-virus product.

Personal use.

Does it have a history of “false positives”?
False positives are when the anti-virus product detects “good” files as being a virus.
For personal use I wouldn’t buy Symantec, McAfee or CA eTrust products.
Far too many false positives for my taste, which I wrote about here. Heck, McAfee can’t even be bothered to test their product updates against known good Microsoft Windows PCs.
What choices does the product give me if it finds a virus?
Does it give me the choice to ignore the issue, quarantine the file, or just delete it?
This is an important point for me, after having had McAfee delete some files I wanted to keep.
Is it from a vendor I trust?
This is a personal choice, but I wouldn’t ever buy McAfee products. Ever.
Will it slow down my PC if I install it?
You used to pay a performance penalty for running an anti-virus product on your desktop. But not so much now, with computers having gotten faster over the years.
It is useful to be able to exclude programs from anti-virus monitoring, if you know the program is trustworthly.

For home use, I’d recommend Microsoft Security Essentials.

Continue reading →

Anti-virus False Positives – been a few

Posted on May 17, 2010 by Dale

McAfee - Not Proven Security (image courtesy Lifehacker) It was an Ed Bott article which got me to thinking, “just how many anti-virus false positives have I dealt with over the years?”. Six. A false positive is when your anti-virus product flags a non-virus file as being virus-infected.

Number of false positive virus updates which impacted my customers?	6
Number of virus outbreaks which occurred, which the AV products missed?	3
Number of virus outbreaks actually prevented by an AV product?	0

I’ve often thought that enterprise customers should pilot AV updates before inflecting them on their wider user community. I mean, what’s the point of having an AV product which effectively does more damage than an actual outbreak?

Here is the list of anti-virus updates I’ve seen which have caused some havoc for customers. It was longer than I thought it would be.

AV product	Date	Product it killed	Customer impact
McAfee AV	April 2010	Windows	Minor. We stopped it in time.
CA eTrust	September 2008	Spybot S&D	Couldn’t use SpyBot as eTrust deleted the .exe
CA Pest Patrol	March 2005	IBM SameTime	20,000+ computers unable to use instant messaging product.
CA eTrust	January 2004	Windows	Stopped Windows booting in two countries.
CA eTrust	December 2003	WiseScript created utilities	Broke a number of software installations, and caused a logon error on 1,000+ computers.
Symantec Norton AV	November 2001	InstallShield created software installs.	When trying to install a particular VPN product, Symantec said the install was “NIMBA”. Stopped a country-wide deployment for a week.

The anti-virus product I use at home? Microsoft Security Essentials.

SMS 2003 Server running slow, check your AV exclusions.

Posted on November 26, 2009 by Dale

We had a problem with one of our SMS servers today, it was not processing DDR records.

All 19,000+ of them.

After some investigation, a co-worker found it was a corrupted DDR record which caused SMS to get stuck.

After we fixed it, SMS started processing them records at 1 DDR per seconds.
Let’s do the math, 19,000 records at 1 per second, is 60 DDR per minute; and 3600 per hour. It would take at 5 hours to process all those.
PLUS SMS was adding more DDR records, all the time.

Oh Bother it

Remembering that SMS Primary Sites run SQL Server, I wondered … … did we exclude the SQL Process from our AV program???

In short, no. Excluding SQLSERVR.EXE made a tiny difference. Adding SMSEXEC.EXE & CCMEXEC.EXE to the exclusion list made a HUGH difference.

We went from 1 record per second, to 5 records per second being processed.

We’re deploying the change to the rest of the SMS Server fleet, Tuesday.

eTrust AntiVirus, and directories / processes you should exclude from scanning.

Posted on September 28, 2009 by Dale

Computer Associates used to recommend excluding particular processes and directories from eTrust anti-virus scanning. This, I found, was very important with Microsoft SQL Server, as it would cause a significant performance hit.
You would do this via setting the following registry keys, under HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrustITM\CurrentVersion\Realtime
szExcludeProcessNames

Reason for exclusion	List of processes to be excluded, separated by "\|"
Microsoft SQL Server	sqlserver.exe sqlservr.exe
Microsoft Exchange	store.exe
Microsoft SMS 2003	SMSEXEC.EXE CCMEXEC.EXE
	and some others …