Symantec AntiVirus Asks For Password During Uninstall

KB ID 0000894 

Problem

I was finishing off a domain migration this week and was changing the clients over to McAfee. On one machine I found it had Symantec AntiVirus. When I tried to remove it, it asked for a password.

One of the other machines had Symantec Endpoint Protection installed and this did the same.

As expected, no one knew what this password was, and the default password ‘symantec’ didn’t work.

Solution

The same fix worked for both of them, and it's painfully easy. While still being asked for the password, do the following.

1. Launch Task Manager (press Ctrl+Alt+Delete, right-click the taskbar, or simply run Taskmgr.exe).

2. Select the Processes tab and locate the MSIEXEC.EXE process. Note: There may be more than one; if so, select the one that is running under the user account that you are logged on as. DO NOT select it if it is running under the SYSTEM account. End the process.

3. Now the password request box will have disappeared, and the uninstall process will complete on its own.

Related Articles, References, Credits, or External Links

NA

Testing Your Email AntiSpam and AntiVirus Systems

KB ID 0000972 

Problem

I’ve known about the Eicar test virus ever since I started installing CSC modules. But until recently I didn’t realise you could test your AntiSpam system as well.

Solution

Test Your AntiVirus Device/Software

1. Open a text editor and paste in the following text, (make sure you don’t add any extra spaces or formatting).

[box]X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*[/box]

2. Save the file as eicar.com (Note: If using notepad (as below), change the file type to ‘all files’, so it does not save as eicar.com.txt).

3. Then simply email that file to the recipient mailbox that is protected by the system you want to test.

Test Your AntiSpam Device/Software

1. Compose a new email message and paste the following text into the body of the message (make sure you don’t add any extra spaces or formatting).

[box]XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X[/box]

2. Then simply send that email to the recipient mailbox that is protected by the system you want to test.
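
Both tests can also be scripted. The following Python is an added example, not part of the original article: it builds the two test messages and rejects a test string that has picked up extra spaces or formatting. The sender and recipient addresses and the SMTP host passed to send() are placeholders you supply.

```python
import smtplib
from email.message import EmailMessage

# EICAR is split in two so endpoint AV is less likely to quarantine this script itself.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"


def check_test_string(value):
    """Reject a test string altered by extra spaces, line breaks or smart quotes."""
    if len(value) != 68 or not value.isascii() or any(c.isspace() for c in value):
        raise ValueError("test string altered: expected 68 ASCII characters, no whitespace")
    return value


def av_test_message(sender, recipient):
    """Mail carrying the EICAR test file as an attachment named eicar.com."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "Antivirus filter test"
    msg.set_content("Antivirus test: eicar.com is attached.")
    msg.add_attachment(check_test_string(EICAR).encode("ascii"),
                       maintype="application", subtype="octet-stream",
                       filename="eicar.com")
    return msg


def spam_test_message(sender, recipient):
    """Mail with the GTUBE string as its body, kept 7bit so it travels unencoded."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "Antispam filter test"
    msg.set_content(check_test_string(GTUBE) + "\n", cte="7bit")
    return msg


def send(msg, smtp_host, port=25):
    """Hand the message to the mail path under test (smtp_host is a placeholder)."""
    with smtplib.SMTP(smtp_host, port, timeout=30) as smtp:
        smtp.send_message(msg)
```

A filter that is working should block or quarantine the first message and mark the second as spam; if either arrives untouched in the inbox, that layer is not inspecting the mail.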


Managing Forefront Endpoint Protection (FEP) with Microsoft Group Policy (GPO)

KB ID 0000604

Problem

FEP is Microsoft’s offering for antivirus; try to think of it as the corporate version of Security Essentials. Just about everything on the net for managing it seems to be geared to managing it with SCCM. Which is fine if you have SCCM, but what if you don’t? Thankfully you can manage it with group policy, even if information on how to do it is rarer than hen’s teeth!

With a Microsoft CoreCAL you can use the FEP client, so if you already have CoreCALs, then it’s a solution that can save you some cash on your corporate AV strategy.

Solution

Installing Forefront Endpoint Protection

The client software is available in x64 and x86 flavours, and it is installed from a single executable (FEPInstall.exe). There is no MSI installer (yeah thanks Microsoft!), so if you want to roll it out en masse, you need to either install it using a startup script, include the software in your ‘Master/Golden Image’ and re-image your machines, or tear your hair out trying to work out SCCM.

Managing Forefront Endpoint Protection with Group Policy

1. First you need to download the policy definitions, copy the FEP2010.admx file to %Systemroot%\PolicyDefinitions.

2. Then copy the FEP2010.adml file to %Systemroot%\PolicyDefinitions\EN-US

Creating a Group Policy Central Store

3. If you have all your ADMX policy definitions in a central location, all your clients can use them. The correct place for them is in the sysvol directory, in a folder called policies (this is where your clients read their group policies from). To create the directory issue the following command;

[box]MD "%logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions"[/box]

4. Now copy all your policy files into it, (from the folder we used earlier) with the following command;

[box]xcopy %systemroot%\policydefinitions\*.* "%logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions" /S /Y[/box]

5. Then either create a new policy, or edit an existing one that’s linked to the COMPUTER objects you want to manage.

6. Navigate to;

[box]Computer Configuration > Policies > Administrative Templates > System > Forefront Endpoint Protection 2010[/box]

Here you will find the policy settings you require.

7. When you are controlling settings via GPO this is what you will see on the client machines.

Importing and Exporting Forefront Policy Settings

8. From the files you extracted earlier locate and run the FEP2010GPTool.exe. From here you can import and export all the policy settings from a particular group policy. Microsoft have published a set of policy settings which you can download for various server roles.

Note: By default each policy you import will merge with the existing settings in the GPO, unless you tick the “clear the existing Forefront Endpoint Protection settings before import” option.

Updates for Forefront Endpoint Protection

9. Windows uses its existing ‘Windows updates’ path for getting updates. If you have a WSUS server you will need to enable the updates in the ‘Products and Classifications’ section.

10. If you DON’T have WSUS but you are behind a proxy, you can manage FEP proxy settings from the following policy.


Event ID 2098

KB ID 0000325 

Problem

Event ID 2098

Failed to write to the Product Log. 80040230:McEFILEIOERROR

This is usually caused by a fault in the Groupshield databases; you need to generate new ones.

Solution

1. Click Start > run > services.msc {enter} > Locate the “McAfee Groupshield” > right Click > Stop.

2. Navigate to C:\Program Files\Network Associates\McAfee GroupShield\bin > Locate detecteditems.bin and detecteditems.bin.qtn, then delete them.

3. In the same folder locate productlog.bin and delete that also.

4. Finally back in the services console restart the “McAfee Groupshield” service.

 


 

McAfee Groupshield – Adding Email Disclaimers

KB ID 0000432 

Problem

With Exchange 2007 and 2010 you can add a disclaimer with a transport rule. But if you are still using Exchange 2003 then you don’t have that luxury.

I had a client with a broken Groupshield 6 installation today, and his main concern was his disclaimers. (You can no longer get Groupshield 6 so I had to install version 7).

Solution

1. Open the Groupshield console.

2. Select Policy Manager > Gateway > Click “Master Policy”.

3. Select “Disclaimer Text”.

4. Edit.

5. Type/Paste in the text of your disclaimer (Sorry no images).

6. Don’t forget to apply the changes.
