Document ID:2002091810595048 Last Modified:06/12/2006

Release notes for Symantec AntiVirus Corporate Edition 8.01

Situation:

This document contains the inline release notes for Symantec AntiVirus Corporate Edition 8.01. Each incident explains the symptom and is followed by the solution, including details of any user or administrator interaction needed to implement the solution. This document is written so that the most recent product builds are added to the beginning of the document.

Solution:

As updates to Symantec AntiVirus Corporate Edition are released, they are added as sections in this document. The sections are added in chronological order, with the most recent additions at the top. For information about how to obtain the latest build of Symantec AntiVirus or Symantec Client Security, read How to obtain an update or an upgrade for your Symantec corporate product. Symantec AntiVirus 8.01 Release MR9, build 501 New Features New Windows XP SP2 features Symantec Client Firewall now includes support for Windows XP SP2. This support comprises two new features: Support for Windows Security Center Firewall alerting Additional support for Windows Security Center With Symantec Client Security Maintenance Pack 9, the Windows Security Center displays state of Symantec Client Security as Enabled or Disabled. If configured to do so, Symantec Client firewall displays a message in the notification area for Windows Security Center, alerting users if the firewall has been disabled. Administrators can disable, enable, or allow users to configure their own setting of the Windows Security Center Firewall alert at in a firewall policy with Symantec Client Firewall Administrator or at install time. To configure Windows Security Center alerting during installation, read Configuring Windows Security Center alerts during installation of Symantec AntiVirus Corporate Edition 8.x or Symantec Client Security 1.x. To configure Windows Security Center alerting when the product has already been installed, read Configuring Windows Security Center antivirus alerts after installing Symantec AntiVirus Corporate Edition or Symantec Client Security. New Fixes and Enhancements: 1-2GUQXJ - When performing an update of a Symantec AntiVirus server that was installed into the NetWare Directory Tree, the server is changed to BINDERY mode. Symptom: If BINDERY emulation is turned off, the upgrade will fail. Resolution: Added functionality to treat NetWare 6 the same as NetWare 5. 1-2MX3G9 - Client install using login scripts fails on some computers Symptoms: When installing clients using Active Directory login scripts, the install fails on some clients. This problem happens on some Windows 98 and Windows 2000 computers (more commonly on Windows 98). Resolution: The problem occurs because the install fails to load certain .dll files during the Windows login. The install succeeds if tried after the login is complete. The solution is to try the install once more if it fails the first time. 1-21D0K0 - NetWare disk writes increase when Symantec AntiVirus is running Symptoms: Monitoring disk writes shows 1 minute and 10 minute spikes when Symantec AntiVirus is installed on NetWare. Resolution: RegFlushKey functionality was removed from the RegCloseKey function. This causes the registry to be written to disk every five minutes instead of every time RegCloseKey is called and the Registry is dirty. This is the same as the Windows Registry. 1-2HE2JD - After Upgrading 7.6 to 8.01, errors occur when running Outlook (cannot load plug-in .dll) Symptoms: After upgrading Symantec AntiVirus 7.6 to 8.01 and running Outlook, you see an error message that the plug-in .dll file, vpmsece.dll, could not be loaded. Resolution: Updated the installation to remove any leftover entries from previous versions. 1-325N8P - Symantec AntiVirus on NetWare may ABEND in VPReg.nlm Symptom: Random ABENDs in VPReg.nlm Solution: Added a parameter so that Symantec AntiVirus does not access improper memory. 1-2OAVO - Access List Violations are not written to the Windows NT Event Log Symptom: After setting up Access Lists to restrict server response to authorized Consoles only, requests by unauthorized Consoles are logged in the Symantec AntiVirus Event Log, but not in the Windows NT Event Log. Solution: Corrected the code so that unauthorized Console access events are written to the Windows NT Event Log. 1-2XZVIR - Shutdown error on Windows NT 4: "OleMainThreadWndName Will Not Close (Must be Ended)" Symptom: After upgrading Symantec AntiVirus, shutting down Windows NT 4 will hang and show a pop-up window saying that the OleMainThreadWndName will not close (End, Wait, Cancel). This occurs twice before Windows NT 4 will shut down successfully. Solution: Recent changes to support Windows Security Center introduced a new dependency on the code as defined by Microsoft (KB 136885). The code has been corrected to resolve this problem. 1-2UQEA2 - Symantec AntiVirus on NetWare causes an ABEND when moving a server from one group to another. Symptom: Moving a server from one server group to another causes an ABEND on NetWare; on Windows, it causes a Dr.Watson error. Solution: Updated error checking on the NetWare platform and changed a return code for FindKey on all platforms. Symantec AntiVirus 8.01 Release MR8, build 471 New Fixes and Enhancements: 1-1Y0FI1 - Symantec AntiVirus clients unexpectedly change parent servers Symptom: Symantec AntiVirus clients unexpectedly change parent servers ("client jumping"). Resolution: A timing issue was found where a client could lose its DHCP lease between the time the Symantec AntiVirus server queued the client for updates and the time the server pushes files to the client (virus definitions or GRC.DAT). If another client from another server assumes the first client's IP address, the server could push a GRC.DAT to the wrong client. In this case the client would "jump" to the new server. The server code was fixed to check the validity of the client again before pushing any files to the client. 1-26GHY7 - LiveUpdate sessions are not Logged in the Symantec AntiVirus Event log (Histories) Symptom: After installing an unmanaged client, and then running LiveUpdate to get the latest virus definitions updates are not logged in the Symantec AntiVirus Event Log. Resolution: A previous fix broke this existing functionality. It has been repaired. 1-28VYYT - Automatic install on NetWare login fails if the popup window is closed too soon Symptom: If the popup window is closed and the search drive is deleted before all of the install programs (particularly LiveUpdate) are installed, then the install fails. Resolution: The system close button is no longer on the menu bar of the popup window. 1-21RAAK - Server rollout fails doing a bindery install to NetWare. Symptom: Setup.exe gives a Dr. Watson error and exits when doing a bindery install on some versions of Windows XP. Resolution: Double check the buffer returned by Winsock before using it. 1-44TY9 - AMS should not install PDS.exe / XFR.exe on unmanaged clients Symptom: AMS installs PDS.exe / XFR.exe on unmanaged clients. This incurs processor overhead but provides no benefit. Resolution: The AMS configuration files are included in the AMS releases from LANDesk, so this fix keeps getting re-introduced with every new release of AMS. LANDesk has now included a new configuration section specifically for our unmanaged clients. The client install was updated to use this new configuration, and the product was updated to AMS release 126. 1-1PZ3J7 - SESA Console client events do not appear correctly when uploaded from a server in a different time zone Symptoms: When viewing client events in Symantec System Center or SESA, the timestamps of the client events are incorrect if the client is in a different timezone than its parent server. Resolution: When events (Virus Found, Scan Start / Stop / Abort, etc.) are forwarded from the client to the parent server (and later to SESA), the timestamp in the event was not being converted to the server timezone. Then when these events are uploaded to SESA, the timestamps are converted to UTC - from the server timezone. To correct this, clients now include their Timezone offset when they check in with their parent - then the parent can use this value (and its own) to convert client timestamps to the server timezone. This fix was originally implemented in the previous inline - this latest change completes the implementation for NetWare servers, and incorporates changes made in the 9.0 product when this change was ported forward. 1-22DE1Z - Scheduled LiveUpdate sessions on clients fail after configuration update from Symantec System Center Symptom: After updating client (RealTime Protection) configuration options in Symantec System Center, the clients can no longer run LiveUpdate (the update fails). Resolution: This was the result of a previous fix to force an update to the scheduled LiveUpdate in some cases, but not overwrite the existing (client) schedule in other cases. This caused a critical Registry key to be deleted and not restored, causing LiveUpdate to fail. The Scheduled LiveUpdate code was corrected to prevent this condition, and as an added precaution, the critical is also written back in all cases. 1-245YF7 - SESA Console – virus found events are created for files that have already been detected Symptoms: When new virus definitions are delivered to a client (or server), it rescans all the files being held in Quarantine (in case they can now be repaired). This causes new Virus Infection events on the local machine, and forwarded to the parent, which can alert AMS, be forwarded to SESA , etc. Since these are not new virus detections, they should not be reported as such. Resolution: The virus handling routines should not forward alerts when rescanning Quarantine files (identified by the caller of the scan) - this was implemented in the previous inline. but code review found potential problems with this implementation (Quarantine may not be able to actually repair files even if the new definitions address the virus). We also found that a mechanism used to alert the running Symantec AntiVirus Service would not work if the pathname was too long (if the total record > 256 bytes). With alerts from rescanning Quarantine being suppressed, there my not be any other usage of this mechanism - but it was repaired just in case. 1-21QP5O Symantec System Center client version displays differently depending on new install vs. upgrade Symptom: Installing Symantec AntiVirus 8.1.1 Server on a clean machine, the Symantec System Center displays the version as "8.11.1.319," but upgrading to the same version from a previous version displays as "8.11.0.319." Resolution: Actually, both are incorrect. The version should display as "8.1.1.319." Symantec System Center was also using a "ServiceRelease" key that was not being updated on an upgrade. The general display of version numbers in Symantec System Center has been updated across several versions of the product to standard the display: 8.1.1.319, 8.0.1.450, 9.0.1.340, etc. 1-247LWV - Automatic update configuration not rolled out to Symantec AntiVirus clients in a group Symptoms: When LiveUpdate schedule for Symantec AntiVirus Client is created at client group level on Symantec System Center, the configuration of automatic update is not rolled down to Symantec AntiVirus clients belonging to the client group. Resolution: This issue is fixed. The settings on client group are propagated to the client if the option "Do not allow client to modify LiveUpdate Schedule" is selected. 1-21IE2T - Unable to scan Pagefile.sys reported erroneously in application event log Symptom: Unable to scan Pagefile.sys (EventID 6) is reported in the Application Event Log even though our website notes we do not scan the Pagefile.sys file. Resolution: An erroneous error was being logged noting that PageFile.sys was being scanned. This error was eliminated. 1-2BFKR1 - Symantec System Center vulnerability allows attacker to unlock server group without knowing password Symptom: Symantec System Center is vulnerable to an attack that allows an attacker can unlock a server group without knowing the console password. Resolution: Symantec AntiVirus and Symantec System Center were modified to protect against this attack. 1-1ZYYLI - Symantec AntiVirus does not scan specially-formed folder / filenames ("TestX\Y") Symptoms: Specific folder / filename combinations are not scanned (example C:\Test.X\Y - where "Test.X" is the foldername and "Y" is the complete filename). Resolution: A check for the file extension in the scan routines would search for a period, then make sure there were 3 characters or less remaining in the filename. These examples satisfy the test (Test.X\Y returns "X\Y" as the extension) - but since the file actually has no extension, the scan fails. The solution is to add a specific check for this case - if the resulting extension contains a '\' character, then the extension is really null. Symantec AntiVirus 8.01 Release MR7, build 464 New Fixes and Enhancements: Non-unique GUID generation Symptom: Multiple client machines are cloned from the same image that contain Symantec AntiVirus and one or more virtual network adapters. Virtual network adapters (e.g. AOL WAN adapter) have the same MAC address for all clients. When Symantec AntiVirus starts it does not generate a new GUID and the machine will be "missing" from Symantec System Center if it is managed. Resolution: Symantec AntiVirus uses the MAC address to determine if the GUID should change. The GUID was not being changed because a Windows API call was returning the MAC address of the virtual adapter instead of a physical adapter. The code was modified to perform a binary XOR operation on all MAC addresses in the system to generate a more unique value. Note: After this change the LocalMAC value in the registry (HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion) may not correspond to any of the MAC addresses on the system because it may be combination of multiple addresses. Upgrade from 7.61 to 8.01 using Windows 98 login script fails Symptom: Trying to upgrade a Windows 98 client from 7.61 to 8.01 via login script returns an error: "Vp_log32.exe caused an exception in **** with Vp_log32.exe". Resolution: The exception occurred when the login script (vplogon.bat) tried to run vp_log32.exe on the T: mapped network drive. The exception occurred in vp_log32.exe due to timing issue. The login script mapped the remote share to T:, and then would try to access it immediately. On Windows 98 this caused Vp_log32.exe to cause an exception due to network delays. Waiting a few seconds after mapping the drive allowed it to work. Two changes were made to fix this. On windows 9x, Vp_log32.exe is now copied to the local temporary directory before running it. Vp_Log32.exe then reads the .ini file, which is on the mapped network drive. Also, if Vp_log32.exe fails to access the .ini file on the first try, it tries again after a delay. Rtvscan uses the wrong port Symptom: Rtvscan uses port 26409, rather than 2967, for client-server communication. Resolution: The registry values were in binary format. This was corrected to DWORD format. Client Group exclusions are not included when creating a new group from a template Symptom: If you create a new group in Symantec System Center by using a template from an existing group, the file exclusion directories are not included in the new template. Resolution: The copy process used incorrect calls that lost some of the data. These were corrected so that all information is included. Virus Found events are created for files that have already been detected Symptoms: When clients or servers get new virus definitions, they rescan the files in Quarantine (in case they can be repaired with the new definitions). The files in Quarantine are detected as viruses, and the Virus Found events appear in the log on the local machine, can be forwarded to parent machines, and are visible in Symantec System Center and in the logs collected by SESA. Resolution: Since these virus detections are not new, and do not reflect additional viruses being found, they should not be acted on as normal virus detections would be. Rescanning files in Quarantine is handled by the DefWatch component, so the behavior was changed to take no action on virus detections originated by DefWatch. SESA Console: Client events do not appear correctly when uploaded from a server in a different time zone Symptoms: The date and time for Virus Found and Scan Start / Stop log events from clients in different time zones from the server do not appear correctly in the SESA Console. Resolution: When clients forward log events to the parent server, the timestamps are based on the client's time zone. When the Symantec AntiVirus Collector converts them to UTC, it uses the server's time zone, so the timestamps are converted incorrectly. The solution is to covert these log event timestamps from the client to the server's time zone, when they are received by the server. Then if they are converted to UTC for SESA (or viewed through Symantec System Center), the client timestamps appear correctly. Some files cause new Virus Alert events when rescanning Quarantine, but others do not Symptoms: When clients or servers get new virus definitions, they rescan the files in Quarantine (in case they can be repaired with the new definitions). The virus detections from this rescan can be configured to generate an AMS alert on the parent server. Having two different files in Quarantine, one causes the AMS alert during the rescan, but the other does not. Resolution: Rescanning Quarantine files will no longer generate alerts or logging (see "Virus Found events are created for files that have already been detected"), so the parent server will never be alerted in these cases. The reason one file did not generate an alert was probably that the forwarded alert line is limited to 255 characters. Longer paths can exceed this limit, and the forward will fail. This is currently under review to determine whether other AMS functions are affected. Symantec AntiVirus 8.01 Release MR6, Build 460 New Fixes and Enhancements: Upgrade resets LiveUpdate schedule Symptom: Upgrading from 8.01 to 8.1 sets the LiveUpdate schedule to the default, which is to update weekly. Resolution: Changed the way that the registry values for the LiveUpdate schedule are handled during an upgrade. At this time, the problem is fixed for the client, but not the server. Client list refreshes slowly Symptom: The Symantec System Center is slow to build a client list under a server group after upgrading from build 429 to build 434 or later. Resolution: Every time a new client is added in the result pane, Symantec System Center sorts the list. This could take a long time, as the number of items in the list increases one by one as the discovery service runs. Removed the list sort as the items are added, and changed it to sort only after the list finishes refreshing. MMC sporadically crashes during Symantec System Center shutdown Symptom: During shutdown of the Symantec System Center, the MMC harness that loads the Symantec System Center snap-in stops responding sporadically. In some environments, this happens more often than not. Changes in console settings are not saved in this instance. (Note that changes to Symantec AntiVirus settings are saved. Only changes to the console itself are not saved.) Resolution: The snap-in was selecting the current item (node) before initialization was fully finished, causing memory corruption and crashes during cleanup. Eliminated the race condition that was causing this intermittent problem. Client Scheduled LiveUpdate cannot be modified with ConfigEd.exe Symptoms: Using the unsupported tool ConfigEd.exe to roll out a new scheduled LiveUpdate to unmanaged clients, clients do not update their scheduled updates. The scheduled LiveUpdate can only be modified in the client user interface. Resolution: A previous fix for managed clients also affected unmanaged clients, causing them to not accept new scheduled updates. The fix has been modified to apply only to managed clients. Using Backup Agent for Open Files, one virus detection generates hundreds of alerts Symptom: Using Computer Associates' Backup Agent for Open Files (BAOF), which is part of the ArcServe product, and having Realtime Protection set to Quarantine, detecting a virus will generate hundreds or thousands of virus detections (until Realtime Protection is disabled). Resolution: When Realtime Protection detected an infected file, it would move the file to a temporary location in preparation to move it to Quarantine. BAOF would detect the new temporary file being created and open it again, triggering another Realtime Protection scan and detection. This would happen recursively until Realtime Protection was turned off. The solution is to create the temporary file in such a way that BAOF does not open it. Symantec AntiVirus 8.01 Release MR5, Build 457 New Fixes and Enhancements: Manual or scheduled scan does not detect folders beginning with "." Symptom: One or more folders begin with a single period ("."). The Symantec AntiVirus user interface does not display the folders in the "Scan Computer" dialog. A manual or scheduled scan will not scan these folders. Resolution: The code was skipping any folders that started with a period. The intent of this was to skip the two built-in folders "." and "..". The code was modified to explicitly skip "." and ".." but to allow everything else. Symantec AntiVirus 8.01 and 8.1 ABEND NetWare when being moved to a new server group Symptom: NetWare ABENDs with a CPU HOG ABEND when moving a server to a group with a Symantec AntiVirus 8.x server running on NetWare. Resolution: Added appropriate calls to ThreadSwitch and ThreadSwitchWithDelay. Corrupted .vdb file on client prevents later successful application of same .vdb file Symptom: If a server sends a .vdb file that is corrupted, a subsequent good .vdb file with the same name will not be applied successfully. Resolution: Added cleanup routines after a corrupted .vdb file is found to allow a good .vdb file to be applied subsequently. Definition/Engine file mismatch when downloading from a NetWare parent Symptom: After switching to a new parent server, or a new primary server, an incomplete set of definitions is downloaded to clients, resulting in definition files from different releases. This causes errors when loading the definitions. Resolution: Set some new internal flags to indicate a new parent or primary server. These flags force the entire definition set to be downloaded, to ensure that they are all from the same release. User AppData folder not used for Symantec AntiVirus logs (logs not available in UI) Symptom: After switching to a new primary partition on the hard drive, the Symantec AntiVirus logs (Virus History, Scan History, Event Log) are no longer available in the main user interface of the product. Resolution: The code that determines the location of these logs would not resolve the path correctly in the case where the primary partition was reset after Windows was installed. This has been corrected. Symantec AntiVirus Logs are not purged correctly based on history settings Symptom: Setting the History settings (File > Configure Histories) to delete the Symantec AntiVirus logs (Scan History, Virus History, Event Log) after 1 day does not delete the logs until the second day. Further, the logs are not deleted correctly at the end of months with more or less than 30 days. Resolution: The code would not delete logs until the age in days was greater than the specified number of days. Also, all months were considered to have 30 days and all years 365 days. The code was changed to delete the logs when the age equals the specified age, and the code was rewritten to calculate the exact age in days. This will handle all months correctly, leap years, and also considers Daylight Savings Time (the age may be less than one full day). Mail plug-ins are enabled after upgrade when they were previously locked and disabled Symptom: If a user uses the grc.dat to lock and disable the mail plug-ins and then installs Symantec AntiVirus over the previous installation, the email plug-ins remain locked but are enabled. Resolution: Email plug-in state is maintained during upgrades. Cannot clean a .zip file in Quarantine (Error Message does not Apply) Symptom: If Quarantine is the primary action specified for a scan, and later an attempt is made to clean a .zip file in Quarantine, the attempt fails, but none of the possible reasons applies to this situation. Resolution: Due to the complexity of cleaning files from Quarantine (cleanable / non-cleanable infections, different levels of containers within containers, etc.), it is not allowed. A workaround it to restore the file from Quarantine, then scan it again with Clean as the Primary Action. This allows the scan engine to handle all the complexities involved. The error message was updated to include attempting to clean a compressed file (.zip) as one of the possible causes of the failure. Roaming profile is not saved correctly and temporary profile is left on local computer after a scan is executed Symptom: If you log on to a roaming profile, perform a scan, and then log off, the Roaming profile is not saved correctly and the local copy of the profile is not deleted even if you have a setting to delete it. Resolution: The scandlgs.dll was being loaded by a nonpersistent thread and the destructor was not unloading resources properly. Included in this was a lock to the file usrclass.dat which is one of the user profile files. The fix was to switch the loading of scandlgs.dll to a thread that is fully controlled by rtvscan.exe so we can gracefully and reliably control the destruction of resources when we log out. The dll scandlgs.dll controls the status dialog during scanning. Copying files from read-only media takes twice as long Symptom: Copying files from removable media (Zip drive, floppy drive, etc.) that has been set to Read-only takes up to twice as long as when it is set to Writable. Resolution: Auto-Protect was updated to restore the Last Access timestamp of files that are scanned. This is to support backup products that check the Last Access timestamp to back up files. However, when the media is set to Read-only, the Last Access timestamp cannot be restored. The attempt to restore the timestamp eventually times out, but this results in a significant time delay when scanning files on Read-only media. This problem was not addressed directly, but a workaround was provided: setting the Registry key PreserveFileTimes=0 will suppress the restoration of the Last Access timestamp, which eliminates the delay on Read-only media. 10:00 AM scheduled scan in Symantec System Center causes MMC to crash when the time zone is set to Sydney Symptom: Scheduling a scan for 10:00 AM crashes MMC or the Symantec AntiVirus user interface when the time zone is set to Sydney. The crash occurs in MMC.exe when using Symantec System Center to schedule the scan. The crash occurs in VPC32.exe when using the Symantec AntiVirus user interface to schedule the scan. Resolution: A Microsoft function call was failing because we were calculating the time with the year 1970. This is due to a bug in Microsoft's implementation of the function call (see Microsoft KB article 148790 for more details). The year is not used in this particular time calculation, so the solution is to change the year to another value greater than 1970. Symantec AntiVirus 8.01 will not upgrade over Norton AntiVirus Corporate Edition 7.61 or an earlier build of Symantec AntiVirus 8.01 on NetWare Symptom: A new copy of VPStart.nlm is copied to the server. VPStart is then run on the server. The new copy of VPStart requires additional exports from VPReg.nlm. However, the currently running VPReg cannot be upgraded until RTVScan.nlm is unloaded. Therefore VPStart.nlm exits without upgrading the server. Resolution: Added functionality to VPStart.nlm to allow it to import the VPReg functions needed but not error on the new functions. This way, VPStart.nlm is able to trigger a shutdown of RTVScan.nlm and upgrade VPReg.nlm. VPStart is then able to load the new VPReg.nlm and proceed to upgrade the server. Update from 8.00 to 8.01 using login script process fails Symptom: After upgrading a server from Symantec AntiVirus 8.00 to 8.01, clients logging in using login scripts do not install the new version of the product. Resolution: The code that checks for a newer version was only looking at the major and minor version numbers, which are 8 and 0 respectively for both products. The code was updated to also look at the inline version number and build number when comparing for a new version of the product. Virus list in Symantec AntiVirus user interface does not match virus list in Symantec System Center Symptom: The dialog that displays the list of viruses addressed by the current definition set in Symantec System Center does not match the list in the main product user interface. Resolution: A previous change addressed the problem of the total number of viruses addressed not matching between Symantec System Center, the main UI, and the Security Response website. This takes it one step further by using the same code and dialog to present the virus list in both places. This eliminates redundant code, and causes the lists to be presented in the same way in both places. Auto-Protect Vulnerabilites Symptom: Two security vulnerabilities were identified in the Auto-Protect component: not adequately checking the parameters of an I/O Control request, and handling errors when moving a file to Quarantine. Resolution: These Auto-Protect vulnerabilities have been addressed. Cannot contact internal LiveUpdate server after changing language to Taiwanese Symptom: After changing Windows to use a double-byte language, attempting to call LiveUpdate to an internal LiveUpdate server fails. Resolution: LiveUpdate uses the Liveupdt.hst file to store the location of the server to get updates from. Updating the primary language in Windows causes this file to be regenerated for the new language. There was a problem in the code that caused this to fail when using a double-byte language (like Taiwanese). This resulted in an empty Liveupdt.hst file, which caused LiveUpdate to fail. This has been corrected. Upgrading 7.61 client to Symantec AntiVirus 8.1 causes rtvscan.exe to run continuously at 99 percent CPU Symptom: Norton AntiVirus Corporate Edition 7.61 is installed on a client with the Lotus Notes plug-in. A Symantec AntiVirus 8.1 package is created (with Symantec Packager) that does not contain the Lotus Notes plug-in. The package is deployed to the Norton AntiVirus Corporate Edition 7.61 client which upgrades the client to 8.1. Installation is successful, but after installation rtvscan.exe runs continuously at 99 percent CPU. Resolution: The upgrade process was not removing the old Norton AntiVirus Corporate Edition 7.61 Lotus Notes plug-in from the target computer. This resulted in a newer version of Rtvscan.exe but older versions of the Lotus Notes plug-in, which are not compatible. The installer was modified to detect and remove the older plug-ins. Intel PDS Service cannot be started from SCM Symptom: Several related problems: PDS service cannot be started from SCM, AMS sending alerts to IP addresses instead of computer names, problem with AMS in Italian Windows. Resolution: Upgrading to a new version of the Alert Management System (AMS), now being supported by LANDesk. This new version addresses these specific issues. Managed clients disappear from Symantec System Center after upgrade from Norton AntiVirus Corporate Edition 7.6 to Symantec AntiVirus 8.01 or 8.1, and cannot be managed Symptom: After upgrading a managed client from Norton AntiVirus Corporate Edition 7.6 to Symantec AntiVirus 8.01, it no longer appears in Symantec System Center, and can no longer be managed by its parent server. Resolution: A previous fix that allows unmanaged clients to be converted to managed clients during an upgrade caused this problem with managed clients, wiping out the Parent key. This broke the connection between the client and its parent server, preventing it from being updated by its parent or through Symantec System Center. This has been corrected. Symantec AntiVirus 8.01 ABENDs NetWare if it is made primary of a group that contains other servers Symptom: Symantec AntiVirus 8.01 ABENDs processing COM_ALIVE packets. This means it will ABEND if it is the primary server and there are other servers in the group. It probably means it will ABEND if it has clients as well. Resolution: We were attempting to use a NULL pointer. Added a check for the NULL pointer, and passed new memory if needed. When regional settings are changed to UK, local Symantec AntiVirus displays correctly, but Symantec System Center still displays dates in US format Symptom: When regional settings are changed to UK, Symantec System Center displays dates in US format because of hardcoding. Resolution: The dates are now displayed according to the system locale (not the user locale). Symantec AntiVirus 8.01 Build 446 New Fixes and Enhancements: Symantec AntiVirus does not detect W32.HLLW.Lovgate.C@mm drop events Symptom: W32.HLLW.Lovgate.C@mm drops files on network shares. Symantec AntiVirus does not detect these drop events when they initially occur. However, Realtime Protection will detect the files if they are later accessed. Resolution: SymEvent was causing a handled exception when these files are dropped on the network share. SymEvent was modified to fix this problem. Install incorrectly reference counts SYMEVENT Symptom: After uninstalling Symantec AntiVirus 8.0x, the SymEvent reference counts are too low, possibly causing SymEvent to be removed prematurely. Resolution: This was caused by code in the Symantec AntiVirus installation which incorrectly handled a value used in creating/updating the SymEvent reference counts. This was resolved in the Symantec AntiVirus installation, and code was added to Sevinst.exe to detect this situation and automatically correct it. Lotus Notes stops responding when accessing an encrypted Notes database Symptom: The Symantec AntiVirus Lotus Notes Realtime Protection plug-in is installed. Lotus Notes hangs when accessing an encrypted Notes database. Resolution: The Symantec AntiVirus Lotus Notes Realtime Protection plug-in uses certain Notes APIs to get Notes items and extract the attachments for scanning. The ordering of these API calls, if used incorrectly, can cause unexpected behavior in some cases. The code was modified to call the APIs in the correct order. Symantec AntiVirus causes the Win32 API ReadDirectoryChangesW to receive change notification on FILE_NOTIFY_CHANGE_LAST_WRITE, FILE_NOTIFY_CHANGE_CREATE, and FILE_NOTIFY_CHANGE_SECURITY. Symptom:After the directory is scanned, Symantec AntiVirus causes the Win32 API ReadDirectoryChangesW to receive change notification on FILE_NOTIFY_CHANGE_LAST_WRITE, FILE_NOTIFY_CHANGE_ CREATE, and FILE_NOTIFY_CHANGE_SECURITY. This causes ASP.NET to restart applications because it believes the files composing the application have been modified. Resolution: After a normal scan, Symantec AntiVirus no longer restores the File creation time and File Last Write time. Only the Last Access Time is restored. Realtime Protection folder exclusions set in Symantec System Center are not displayed on the client Symptom: Client Realtime Protection folder exclusions are set in Symantec System Center. The exclusions do not appear in the folder exclusion tree view on the Symantec AntiVirus clients. Resolution: The input method for Symantec System Center folder exclusions is a text field in which the administrator specifies the desired folder exclusions, one per line. Symantec AntiVirus was doing a case-sensitive comparison of the folders before displaying them in the Symantec AntiVirus client user interface. Realtime Protection was not affected, but if the case did not match the folder, it was not displayed in the Symantec AntiVirus client tree view. The code was modified to do a case-insensitive match. Parent server name change is not completely updated in the registry Symptom: The parent server name is changed. The registry still contains references to the old server name, even after the Symantec AntiVirus service is stopped and restarted. Resolution: The code was fixed so that any changes to the parent server name will properly update the registry. When you install Symantec AntiVirus as an unmanaged client, the LiveUpdate dialog appears behind the Symantec AntiVirus installer. Symptom: When you install Symantec AntiVirus as an unmanaged client, when LiveUpdate is installed, the dialog appears behind the Symantec AntiVirus installer window. Resolution: The InstallShield window is disabled before the LiveUpdate process is started. Starting the Symantec System Center causes a "Snap-In failed to initialize" error when you've installed with the ntfsdisable8dot3namecreation key set to 1. Symptom: If you have HKEY_LOCAL_MACHINE\system\currentcontrolset\control\filesytem\ntfsdisable8dot3namecreation set to 1, after you've installed the Symantec AntiVirus server and Symantec System Center, the launch of the Symantec System Center will produce an error noting that the Snap-In failed to initialize. Resolution: InstallShield's "get short path name" conversion routines do not work correctly with the 8dot3 key set to 1. The workaround is to quote all path names to ensure they are parsed correctly when passing them to DOS commands. The reason the Snap-Ins were not initialized correctly was that their path names were saved incorrectly and in a form that they couldn't be accessed to be initialized. The "Enable File System Realtime Protection" menu item is disabled from the context menu of the tooltray icon, but not in the user interface. Symptom: When you log in as a power user and not an Administrator, if you right-click the System Tray icon, the "Enable File System Realtime protection" menu item is disabled. However,if you launch the user interface and go to the Configure/File System Realtime Protection section, the entry is not grayed out and the user can change it there. Resolution: The check to determine whether the logged-on user has permissions to the right part of the registry to change realtime protection state depended on Administrator privileges to allow the entry to be enabled from the context menu of the tooltray icon. This was too stringent. All that is needed is to check read/write/modify/create privileges for the user in the registry. This was the change to fix the issue. PDS.NLM not updated on upgrade Symptom: After upgrading an existing Symantec AntiVirus server on Novell NetWare, the PDS.NLM file was not updated. Resolution: The NetWare installer relies on file date/times instead of file versions. This problem was caused by a lack of synchronization in the file date/times between the two versions of PDS.NLM on the CD Set. The problem was resolved by stamping the last access and create times of all files on the CD set. VP Registry not being created correctly - Symantec System Center Hangs when promoting server to primary Symptom: VirusProtect6 subkey is not populated with the correct values. Resolution: VPReg needed a 5-second wait on some busy servers, therefore VPStart needed to wait for it to finish initializing. Added a 5-second wait before VPStart accesses the registry. Not detecting mapped drives created using FQDN (Fully Qualified Domain Name) as network drives Symptom: Symantec AntiVirus does not detect mapped drives created using the fully qualified domain name as network drives. Resolution: The buffer was not large enough to hold longer share names. Enlarged the buffer. Memory leak when an error occurs Symptom: A memory leak occurs when Symantec AntiVirus encounters an error, such as if it tried to repair a file on a CD-ROM. Resolution: Added code to free allocated memory on all paths, including errors. Wangy worm infects print queues Symptom: Dell Wangy worm (W32.HLLW.Wangy@mm) infects print queues. Resolution: Adjusted to scan on system thread to catch all paths, then rescan files if the size changes. Symantec AntiVirus does not pick up new virus definition files Symptom: New files added to the virus definition set are not picked up when the definitions are integrated into the product. Resolution: The buffer used to read in all the files in a section of the catalog (Catalog.dat) was limited to 260 bytes (13-15 filenames), so that when more files were added, they were not picked up. The buffer has been enlarged and can be dynamically enlarged further to handle any number of new virus definition files. SymEvent is not upgraded correctly when the product is upgraded from a previous version Symptom: When upgrading from a previous version of Norton AntiVirus Corporate Edition / Symantec AntiVirus, the SymEvent files are not updated to the new version, and reference counting for different products no longer works. Resolution: During an upgrade, to avoid incrementing the reference count for the product, SymEvent would be re-installed without a product code. This did not update the files correctly, and caused reference counting to be turned off. Now during upgrade, the correct product code is used to maintain reference counting and cause the new SymEvent files to be installed. Symantec AntiVirus Corporate Edition 8.01 Build 437 This version includes the Windows fixes from build 434 along with new fixes for NetWare. New Fixes and Enhancements: Symantec AntiVirus versioned 8.01 on NetWare Symptom: The NetWare NLMs were versioned 8.01. Because version 8.1 exists, we must not use 8.01 because they are numerically identical. Resolution: Changed the file version numbers to 8.00. Incorrect creation of VP Registry causes Symantec AntiVirus to hang when creating a primary server Symptom: The VirusProtect6 subkey sometimes is not populated with correct values. Resolution: VPReg needed a 5-second wait on some busy servers, therefore VPStart needed to wait for it to finish initializing. Added a 5-second wait before VPStart accesses the registry. NetWare server doesn't get configuration changes from parent server with access list enabled. Symptom: After promoting a new primary server, secondary servers don't get configuration changes from the primary server when Enhanced Server Group Security is enabled. Resolution: The Symantec System Center was updated to instruct each secondary server to refresh its list of allowed servers when a new primary is promoted, which allows configuration changes to roll down to the secondary. NetWare servers revert to default install configuration after server restart Symptom: Some NetWare servers fail to initialize the file system quickly enough for Symantec AntiVirus. This causes the VP Registry to be initialized to an empty state, and the Symantec AntiVirus to return to hard coded default settings. Resolution: Added a 10 second delay in VPReg.nlm at the point of failure. This allows the NetWare file system to finish initializing without VPReg.nlm resetting the registry. Symantec AntiVirus does not check the NetWare version before copying files Symptom: Symantec AntiVirus will overwrite existing Norton AntiVirus Corporate Edition files on a NetWare 4.x server on an update. This causes the server to be broken after an attempt to update. Resolution: Added checks to Setup32\Setup.exe to validate the server version both on update and on install. Symantec AntiVirus 8.01 build 434 (Windows only) New fixes and enhancements: IAO.exe (AMS) Crashes Intermittently after Upgrading to Symantec AntiVirus 8.0 Symptom: IAO.exe (AMS originator service) crashes intermittently (heavy alert load) after updating to Symantec AntiVirus 8.0. Resolution: Simultaneous writes to the log during heavy usage caused the log to become corrupted and the service to crash. The IAO.exe code was updated to only allow one record to be added at a time. Running LiveUpdate after deleting Settings file gets HOST_SELECTION_ERROR Symptom: Deleting the settings file should allow everything to reset to default values. But running an update after this gets a Host Selection Error - host cannot be found. Resolution: Symantec AntiVirus uses all available transports for updates - but some of them are implemented implicitly by copying specific DLL files to different locations (legacy support). When the settings file is deleted, S32luhl1.dll triggers LAN support only in Symantec AntiVirus - so the host is usually not found. The solution is to not install this DLL, and to use the settings for all transport methods - so if the settings are deleted, the restored defaults include All Transports. Symantec System Center Virus List View shows Fewer Viruses than on Server or Security Response Web site Symptom: Selecting a server in Symantec System Center and selecting View Virus List... shows a total of 26,400 viruses, but the main UI on the server and the Security Response Web site show that the definitions will detect over 63,000 viruses. Resolution: The problem is that the Symantec System Center Virus List view showed the number of definitions - but since some definitions can detect more than one virus, this is smaller than the number of viruses detected. Updated the dialog to query and display the actual number of viruses detected. Note: This will only work if both the Symantec System Center Console and Server components are updated. After refresh of the Server Group on the Symantec System Center console, Group information is displayed inconsistently and sometimes incorrectly in the right pane Symptom: If you make any changes to the Server Groups like Add, Delete, Modify, the right pane does not display the correct information in every case. In some cases, it may display something that if you double-click it, it will cause a crash. Resolution: The right pane data corresponding to the available groups were not managed correctly. For every List command called, we were adding duplicate data. Since this command is called multiple times, it resulted in improper accounting of the number of data items to display and organize. Hence, the inconsistent display on the right pane. Migrating over a previous build of CE doesn't retain installation status of existing plug-ins Symptom: During a migration, the current product installs both the Exchange and Notes plug-ins regardless of what the previous installation status was for both plug-ins. This only happens in "Silent" install mode. Resolution: In "Silent" install mode, Symantec AntiVirus assumes it is a new product installation and installs both plug-ins accordingly. The fix was to add logic to detect the migration scenario and to check the existing status for the plug-ins installed before installing each plug-in again. Rtvscan is using the wrong port Symptom: Rtvscan is using port 26409, rather than 2967. Resolution: In the registry, the data types of the keys that indicate the ports that RtvScan uses to communicate with the server (AgentIPPort and AgentIPXPort) were stored as binary values instead of DWORD values. These values were changed from binary to DWORD so that RtvScan communicates through the right ports. Quarantine Server is using the wrong port Symptom: Symantec AntiVirus 8 Quarantine client/server does not use the UDP port specified in the GUI for Quarantine. Resolution: If the Symantec AntiVirus client contains a registry entry HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Quarantine\SendToUIPort, then client communicates with the correct port mentioned in the UI. If the Quarantine Server contains a registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Quarantine\Server\ListenToUIPort (DWord , value does not matter), then Quarantine Server listens to the correct port mentioned in the UI. Absence of the registry keys default to old behavior. (Both Quarantine Server and Symantec AntiVirus client listen and send to the wrong port). For this fix to work without any issues, all the clients and Quarantine Server need to be updated and contain the appropriate registry entries. The user cannot specify the install directory Symptom: The user cannot specify the install directory in case that the install package configured "Display optional Installation Panels in interactive mode" as "yes." Resolution: The Package was updated so that it also writes the INSTALLDIR and InstallLocationRule properties into the property file during UI-Only mode (where the user enters all information needed during install) to preserve them between UI-Only and Passive launches. After upgrading to Symantec AntiVirus 8.01 build 425, View & History menus are not present Symptom: After upgrading Symantec AntiVirus 8.00 clients from build 378 to Symantec AntiVirus 8.01 build 425, the "View" and the "History" menus are not available in the User Interface. Resolution: The binary LDVPView.ocx is now “COM Extract at Build” during the IS build process. One effect of this is that during the builds of Symantec AntiVirus Client/Server, the DllRegisterServer function is called during the build itself (in a virtual session space to figure out what effects on the registry this function has). Because of this, LDVPView.ocx is looking for the Ldvpview.ldl (license file) during the build and can’t find it (because it is installed in the same directory as the ocx, but is placed in a separate directory during the build). To combat this, a copy of the LDVPView.ldl file was added to the same staging area directory as the ocx during the IS build process. Schedule settings clients modified are overwritten by the server group setting of Symantec System Center Symptom: When Symantec System Center LU “schedule client for automatic updates using liveupdate” is turned off, any custom settings that the clients make will be overwritten by these values in Symantec System Center. Resolution: Since there does not exist the same “locking” mechanism for the scheduled update settings (as per realtime protection settings), the settings are freshly propagated to the clients each time the grc.dat is pushed (which happens in many situations). The result is that, although clients can change these settings, the settings will be overwritten upon a new grc.dat push. To get around this, the Symantec System Center console snap-in now does a “reset-all” for these settings when accepting new values. In turn, Rtvscan also checks and only allows these values to be propagated if invoked through this “reset-all”. Event log message: "<number> configuration changes have been made" Symptom: The message "<number> configuration changes have been made" appears in the application event log when no changes have been made recently. Resolution: When the server pushes virus definitions to the client, it also repeatedly updates the client registry keys in HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Xfer_Tmp. This key holds the file information for the incoming .VDB file (size, date, etc.). Each time the server sends this information, the client increments its "change count." These changes are tallied and then eventually logged as "<number> configuration changes have been made." This is misleading because no actual changes were made by the Symantec System Center administrator. The code was modified so that it no longer counts these registry changes. Symantec AntiVirus installation fails with an unhandled exception Symptom: Symantec AntiVirus installation fails with an unhandled exception in the function InstallSymPkgFilesForRepair. Resolution: Packager 1.1.0.A (Build 725) and later address this problem. The Symantec AntiVirus build was modified to include the new Packager. Remote installation fails on Windows 2000 and Windows XP Professional when logged-in user is not Administrator Symptom: Symantec AntiVirus client is pushed to one or more remote machines. The pushed client installation fails on Windows 2000 or Windows XP Professional machines when the currently logged-in user on those machines does not have Administrator permissions. Resolution: The InstallShield InstallDriver (ISScript.msi) was installing itself to run as the interactive user. If the interactive user (currently logged-in user) does not have Administrator permissions, the Symantec AntiVirus installation will fail. InstallShield could not fix this problem in time so we included a modified ISScript.msi file in Packager 1.1.1 Release 002. The Symantec AntiVirus build was modified to include the new Packager. Realtime Protection fails to start after migration from Norton AntiVirus Corporate Edition 7.x to Symantec AntiVirus 8.01 on Windows 98/Me Symptom: Norton AntiVirus Corporate Edition 7.x is installed on Windows 98 or Windows Me, then Symantec AntiVirus 8.01 is installed. The installation completes successfully but Realtime Protection fails to start after restarting the computer. Resolution: Packager 1.1.1 Release 002 addresses this problem. The Symantec AntiVirus build was modified to include the new Packager. Symantec AntiVirus 8.01 build 429c New Fixes and Enhancements: User interface takes a long time to display when launched from the system tray icon Symptom: When you launch the Symantec AntiVirus user interface by double-clicking the system tray icon or by right-clicking the icon and selecting "Open Symantec AntiVirus," there is a long delay of 30 seconds before the user interface appears. Resolution: The code was using a Windows API call to get a security identifier from the Windows domain. This caused a long timeout in an environment where there is no domain or where the domain controller takes a long time to respond. The code was fixed to remove the unnecessary call. Note: This applies to Windows NT domains only, and does not apply to Active Directory. Error: "A network error occurred. (0x48b, 1208)" Symptom: When adding a Windows 2000/XP client, if the system clock of the client is not synchronized with the clock of the primary domain controller, the system outputs the error message: "A network error occurred. (0x48b, 1208)" after login. Resolution: A general error handling function has been added to display a more appropriate and detailed error message based on the last error code received. Inconsistent use of short pathnames in registry can cause security vulnerability Symptom: Since services are launched using a long file name, such as: C:\Program Files\Symantec AntiVirus\RTVScan.exe, the spaces can be taken as delimiters. Windows tries to launch programs in the following sequence (with the rest of the path passed in as parameters): C:\Program.exe, C:\Program Files\Symantec.exe, C:\Program Files\Symantec Antivirus\RTVScan.exe. If a user creates the EXE files in the first 2 examples, these will execute as a service with Administrator privileges, instead of RTVScan. Resolution: All the services and binaries are now installed and executed using short pathnames. Note: When installing using Packager, when the system tries to install isscript.msi (InstallShield's script engine) before installing Symantec AntiVirus, program.exe (if it is present in root directory) is launched instead of some other binary in between installation of isscript.msi. This issue has been submitted to InstallShield and their Technical support is working on this. Pkgclnup.log is hard coded to C:\ Symptom: The installation's pkgclnup.log is hard coded to C:\. If C:\ does not exist, the Symantec AntiVirus server or client installation fails. Resolution: This issue is solved in Packager 1.1 build 720. Symantec AntiVirus does NOT install when the ntfsdisable8dot3namecreation registry value is set Symptom: Symantec AntiVirus would not install when the following registry value is set to 1:HKey_Local_Machine\System\CurrentControlSet\Control\Filesytem\ntfsdisable8dot3namecreation . This flag is used to disable the creation of new corresponding short file name entries in the file system, and is an option that may be put in place via Group Policy to tighten up security. Resolution: Changed several occurrences of GetShortPathName and LongPathToShortPath in InstallScript handling so that success is not assumed, and so that the logic can handle failures within the calls of these functions. Correction of Shatter Fix issue where formatting of an output statement was incorrect Symptom: The fixes for the Shatter problem introduced a formatting issue for an output statement when logging is turned on. As a result, a component window name was left out in the logging. Resolution: Fixed the formatting statement to correctly include the component window name. Startup Scans were re-executing after a user logs off and logs back in Symptom: The expected behavior for Startup Scans is to execute initially during a login after a reboot or shutdown and restart. However, if the same user logs off and logs back in, the Startup Scans execute again. Resolution: Symantec has changed various components to detect logoff and shutdown situations, saving some state information. Upon re-login, Symantec AntiVirus can use this state information to distinguish between a reboot or shutdown and restart scenario, versus a re-login scenario. Symantec AntiVirus subsequently determines whether a Startup Scan should execute. RTVScan abends when scanning directories deeper than 20 levels Symptom: RTVScan on a NetWare server will abend during a scheduled or manual scan, if a directory exists that is deeper than 20 levels. (For example: 1\2\3\4\5\6\7\8\9\10\11\12\13\14\15\16\17\18\19\20\) Resolution: The recursive function that processes directories was using 0x2E0 bytes of stack. Two structures were moved from the stack to heap memory. Now the function uses 0x44 bytes of stack, and Symantec AntiVirus can scan several hundred levels deep. AMS alerts fail after upgrade Symptom: Upgrading Norton AntiVirus Corporate Edition 7.61 or Symantec AntiVirus 8.0 on a NetWare server with AMS alerts configured will cause the alerts to stop working. Resolution: When performing an upgrade of a Norton AntiVirus Corporate Edition or Symantec AntiVirus server, the \COMMON\AMS: value would be reset from 1 to 0. Now, this value is written if it isn't already present, and left alone if it is present. AMS alerts always fail after failing once Symptom: If an AMS alert fails to a network error or because the receiving machine is down, alerts will always fail from then on. Resolution: LanDesk has released updated AMS libraries that address this issue for NetWare environments. Installing a new client from VPHOME\clt-inst\WIN32\setup.exe is silent Symptom: Installing a new Client from VPHOME\clt-inst\WIN32\setup.exe is silent (with no-reboot option) instead of interactive. Resolution: VPHOME\clt-inst\WIN32\setup.exe now runs interactively. Exclusions modified in client groups do not take effect for clients of secondary servers Symptom: Some exclusions modified for clients in client groups do not take effect for clients of secondary servers that belong to the same client group as clients of the primary server. Resolution: When importing GRCGRP.DAT from the primary server, secondary servers would reinitialize their "GRC-State-Counter" registry value in the client group keys, which would cause clients not to adopt some changed settings. This was addressed by saving and restoring the previous "GRC-State-Counter" values when appropriate. VPC32 caused an invalid page fault in module Webshell.dll Symptom: When using an unmanaged install of Symantec AntiVirus to scan in Safe mode on Windows 98, the customer gets "VPC32 caused an invalid page fault in module Webshell.dll". Resolution: When booting in Safe mode on Windows 9x, the "Orientation" registry key is not initialized correctly. This erroneous value incorrectly broadcasts that the service is running, which causes the initialization of various COM objects to fail, eventually causing the error. The fix in this case was to correctly set the "Orientation" flag from within StartLPC() upon detection that the service is not active. Event in the NT event log for a failed client update should be a Warning Symptom: In the Windows NT event log on a parent server, when a client fails to update its definitions, the log gives it an Information type event, instead of a Warning. Resolution: There is only one event to handle a successful or failed pattern update. Instead of adding a new event for the failed update, Symantec AntiVirus now uses the event context to determine whether it should be labeled as a Warning or not. Windows 98 login script install prompts to end task "Vp_log32.exe" Symptom: Symantec AntiVirus is installed on Windows 98 using a login script. The installation is successful, but at the end of the install the user is prompted to end the task "Vp_log32.exe". Resolution: Vp_log32.exe was converted from a console application to a Windows application. This allows Windows 98 to end the process without prompting the user. Uninstall of Symantec AntiVirus removes Symantec Client Security program group and Symantec Client Firewall icon Symptom: If Symantec AntiVirus server and Symantec Client Firewall are installed on the same machine, uninstalling Symantec AntiVirus removes the entire Symantec Client Security program group, including the Symantec Client Firewall icon. Resolution: The install was modified to save the Symantec Client Security program group if the Symantec Client Firewall icon still exists inside the group. SMS installation of Symantec AntiVirus using the provided Package Definition File fails Symptom: An SMS installation of Symantec AntiVirus using the provided Package Definition File (PDF) fails because the parameters in the file are incorrect. The parameters are not compatible with a Packager install of Symantec AntiVirus. Resolution: The PDF file contained old parameters that were compatible with an MSI install only. The PDF file was fixed to remove the /m parameter and other parameters that are not compatible with a Packager install. Error 2020: The server was unable to allocate from the System Paged Pool Symptom: After running for a while, the server would return Error 2020: The server was unable to allocate from the System Paged Pool. Resolution: This was caused by a memory leak in the SymEvent component. A new release of SymEvent was incorporated to address this issue. Cannot access VPMSECE.dll (MSE mail plug-in module) after upgrading Norton AntiVirus Corporate Edition 7.x to Symantec AntiVirus 8.0 Symptom: After upgrading Norton AntiVirus Corporate Edition 7.x to Symantec AntiVirus 8.0, Outlook displays a "Cannot access VPMSECE.dll" error when opened. Resolution: Outlook caches the path to its plug-in DLLs. Installing Symantec AntiVirus 8.0 over Norton AntiVirus Corporate Edition 7.x changes the location of this DLL, but since the same key is used ("LDVP"), Outlook tries to load the DLL from the old location, and it is not found. The solution is to use a different key if the path is changing. Symantec AntiVirus now uses "SavCorp801" as the key. Attempting to save Symantec AntiVirus logs in MDB format fails Symptom: Attempting to export an Symantec AntiVirus log (such as the event log, or scan history) in MDB format fails in some cases, even though Office 2000 is installed. Resolution: Symantec AntiVirus Export routines were being tied to an older version of the Microsoft DLL that supports this format (DAO350.dll). This DLL was installed by older versions of Office (and other products), but is no longer installed in Office 2000. If the older DLL was not found on the system, then the Export call would fail. As described in Microsoft article 230485, a coding change was implemented to force the use of the newer DLL (DAO360.dll). Symantec AntiVirus 8.01 Build 425b Important: Build 425b contains only fixes for AMS on NetWare. There are no fixes for other platforms. New Fixes and Enhancements: NetWare servers may abend in IAO.NLM Symptom: NetWare will abend if the "Event History" file becomes corrupted. It also happens in some of the other AMS configuration and history files. Resolution: LanDesk has provided an updated IAO.NLM that doesn't abend if the file format of the configuration files is damaged. Symantec AntiVirus 8.01 build 425a Included with Symantec Client Security build 425a New Fixes and Enhancements: Upgrading Norton AntiVirus Corporate Edition 7.61 client to Symantec AntiVirus 8.0 causes Rtvscan.exe to run continuously at 99 percent CPU Symptom: You chose to install the Norton AntiVirus Corporate Edition mail plug-in during the installation of Norton AntiVirus Corporate Edition 7.61, although neither Microsoft® Exchange or Lotus Notes is installed. Upgrading to Symantec AntiVirus 8.0 does not upgrade the plug-ins, because the mail client is not installed. This causes Rtvscan.exe to run continuously at 99 percent CPU. Resolution: Now during upgrade, the mail plug-ins are upgraded if they had been installed by previous installation. Specific email makes Symantec AntiVirus crash when the Lotus Notes plug-in is active Symptom: Lotus Notes has provided invalid attachment information on an email that does not actually contain an attachment. When the Notes Hook Driver processed this email, the driver crashed, thus crashing Notes. Resolution: Now, if Lotus Notes provides invalid attachment information for an email, the particular attachment is skipped and the system proceeds with the next attachment. Exploit found where messages from other applications could cause execution of arbitrary functions in Norton AntiVirus Corporate Edition Symptom: WM_TIMER messages can specify an arbitrary address that most default window processes and message pumps will blindly jump to. Solution: Norton AntiVirus Corporate Edition now filters out WM_TIMER messages in key message processing codes that have branching addresses associated with them. Cannot deploy server or client from Microsoft Windows .NET Server Symptom: When installing Symantec AntiVirus Server on a Microsoft Windows .NET Server, the main menu selections "Deploy AntiVirus Server" and "Deploy AntiVirus Client to NT/2000/XP" are unavailable. Resolution: Setup was failing to recognize operating systems above Windows XP. In Symantec AntiVirus 8.01, the code has been modified to only disable these two menu selections for Windows 95/98/Me. All other operating systems will enable the selections. Uninstall of Symantec AntiVirus removes Symantec Client Security program group and Client Firewall icon Symptom: Symantec AntiVirus client and Symantec Client Firewall are installed on the same machine. Uninstalling Symantec AntiVirus removes the entire Symantec Client Security program group, including the Symantec Client Firewall icon. Resolution: The installation was modified to save the Symantec Client Security program group if the Symantec Client firewall icon still exists inside the group. Upgrading an unmanaged client to a managed client using packager fails Symptom: Using Symantec Packager install package to upgrade an unmanaged installation of Symantec AntiVirus 8.0 fails to make the client managed. The Grc.dat file isn't copied to the local machine, even though it was added to the package. Resolution: With Symantec AntiVirus 8.01, if a Grc.dat is included in the package, it is processed in the same way that it would be in the case of a new install. Also, if the "Network Setup Type" + "Symantec AntiVirus Server Name" settings are set appropriately in Packager, then these values will be used in the case of a migration from unmanaged to managed. Missed client scan unable to be paused Symptom: You have set up a client scan at the server group level and configured the scan to automatically run missed events. You have also configured the scan to allow the client the ability to pause the scan for a certain length of time. New clients installed into the server group initiate the scheduled scan as a missed event correctly, but are not able to pause the scan for longer than 1 minute. Resolution: If a client scan is found to be missed, and still within the missed time window, then the scan will run, as designed. However, if this scan is then paused, it is possible that the [missed scan time]+[delay time] will also be seen as a missed scan (if said event summed with delay is also in the past). This causes some paused scans to continue after one iteration of the Rtvscan timer loop, which is approximately 1 minute. This behavior was fixed in Symantec AntiVirus 8.01 by making sure that originally missed scans that are paused adhere to a strict wait time. Symantec System Center does not allow multiple Quarantine Server Snap-ins Symptom: Attempting to add another Quarantine Console snap-in into Symantec System Center returns an error message "Cannot connect to server..." Resolution: Adding a new snap-in through Symantec System Center (Console menu > Add/Remove Snap-ins) would not fully initialize the snap-in. In Symantec AntiVirus 8.01, all snap-ins are fully initialized. Scanning a FAT32 volume will not scan the entire drive Symptom: Attempting to scan a volume formatted as FAT32 will return immediately without scanning the drive. Sometimes, only a couple of files are scanned. Resolution: The Scan routines would fail when access was denied to FAT32 system files in the root directory. Symantec AntiVirus 8.01 will continue to scan when access to some files is denied. NT EventLog IDs are undefined when rolled out from Symantec System Center Symptom: When a Symantec AntiVirus Client is rolled out from a server, Symantec AntiVirus Events in the NT EventLog are undefined in the EventViewer. Resolution: The install was incorrectly defining the path to the Symantec AntiVirus EventLog handler during silent installs. This has been corrected in Symantec AntiVirus 8.01. Installation packages without LiveUpdate will fail to install Symptom: Packager allows packages to be created that do not include the optional LiveUpdate component. But if LiveUpdate is not already installed on the target machine, the package will fail to install because LiveUpdate is required by Symantec AntiVirus. Resolution: The description of the LiveUpdate component in Packager was updated to note that LiveUpdate must be included in the package if not already installed. AMS Intel Alert Originator fails to start after upgrade to Symantec AntiVirus 8.0 Symptom: After upgrading to Symantec AntiVirus 8.0, the Intel Alert Originator (IAO) service fails to start. Resolution: The problem is due to corruption of the IAO log file (IAOLOG.dat). This caused errors when the IAO service read the log file during startup. Further research indicates that the corruption was caused by simultaneous writes to the log, due to heavy alerting activity. Symantec AntiVirus 8.01 includes a newer release of IAO.exe (and related AMS/PDS routines), which prevents corruption of the IAO log file by synchronizing access to the file. Note: This will not correct previously corrupted files, and other problems could cause corruption of the log. Norton AntiVirus Corporate Edition 7.6 or Symantec AntiVirus 8.0 does not load after a server is moved into a new server group Symptom: When a NetWare Norton AntiVirus Corporate Edition 7.6 or Symantec AntiVirus 8.0 server is moved into a server group whose primary server is installed using a different location, then the secondary server cannot find its load location. This is because the NLMsToLoad subkey copied from the DomainData area of the Primary Server is incorrect for the new server. Solution: Primary Servers now skip the NLMsToLoad subkey when creating the GRCSRV.DAT file. Norton AntiVirus Corporate Edition 7.6 or Symantec AntiVirus 8.0 asks to overwrite PDS.nlm on upgrade or fresh install Symptom: If a user is installing a server with AMS, the install attempts to copy PDS.NLM onto the server twice. The files are the same, but their date-stamps do not match, so the user is prompted to overwrite the older file. Resolution: Updated to new LanDesk NLMs. This causes the two locations of PDS.NLM to have matching date-stamps. Norton AntiVirus Corporate Edition 7.6 or Symantec AntiVirus 8.0 abends while downloading definitions Symptom: If the connection to the FTP definition server is lost in the middle of downloading text information, the NetWare server will abend with a stack overflow detected. Resolution: Additional error checking has been added to Symantec AntiVirus 8.01. Added a check for zero bytes read in the FTP text download protocol. Symantec AntiVirus 8.01 will abort the download on this condition. Scanning a text file with the word "begin" can cause a decomposer error. Symptom: In certain circumstances, decomposer errors are received when scanning text files containing the word "begin." Resolution: Decomposer was incorrectly identifying ASCII as UUEncoded data. Upgraded to Decomposer 3 Release 8J resolved this issue. AMS e-mail alert doesn't support 29 character Fully Qualified Domain Names (FQDN) Symptom: AMS currently does not support 29 character FQDN. Resolution: Symantec AntiVirus 8.01 includes a newer release of AMS which now supports 29 character FQDN. Vulnerability with Microsoft® IME2000/2002 Symptom: Input Method Editor (IME) is a tool to support accessibility requirements for Microsoft. This tool allows application windows to interact with and launch the IME dictionary functions. These functions can be used to launch applications. Resolution: Disabled IME integration with Rtvscan. IME still works, but is no longer closely coupled with antivirus services. Fixes ported from Norton AntiVirus Corporate Edition 7.61 The following fixes were included in Norton AntiVirus Corporate Edition 7.61 build that shipped after Symantec AntiVirus 8.0 was complete. These fixes have been ported to Symantec AntiVirus 8.01. Upgrade of Norton AntiVirus Corporate Edition 7.6 or Symantec AntiVirus 8.0 on NetWare server changes Norton AntiVirus Corporate Edition Server settings Symptom: When upgrading Norton AntiVirus Corporate Edition 7.6 or Symantec AntiVirus 8.0 on a NetWare server, configuration settings are not preserved. Resolution: Server configuration settings will now be preserved when upgrading to Symantec AntiVirus 8.01. Default Registry settings will now only be restored if previous values do not exist. Directory Exclusions not working after volume mount dismount Symptom: If the administrator dismounts a volume with directory exclusions, then on remount the directories may not be excluded from real-time scanning. If a clustered server fails over to a new server, excluded directories on the volume being mounted on the new server will not be excluded from real-time scanning. Resolution: The process of checking for excluded directories on mounted volumes runs every 30 seconds in Symantec AntiVirus 8.01. NetWare may abend scanning files with long path names Symptom: NetWare will abend scanning files with full names longer than 260 characters. Resolution: Added a check for file name length longer than 260 characters, and log the missed file or directory. Definition date displayed in Symantec System Center is incorrect Symptom: In time zones other than US-Pacific, the time and date of the definition may be displayed incorrectly. Resolution: Symantec AntiVirus 8.01 corrects the time of the definition file for server's current time zone before sending the information to Symantec System Center. Temporary files being left deleted but not purged Symptom: A manual scan would leave temporary files in the I2_LDVP.TMP directory in the state of being deleted, but not purged. This could cause the NetWare server to run out of directory entries. Resolution: Added functionality to set the "purge on delete" flag before deleting temporary files. AMS alert parameters are missing when configuring AMS Symptom: When configuring AMS, only 6 of the 12 alert parameters are displayed in the selection box on the "Enter Action Message" dialog box. Resolution: Symantec AntiVirus 8.01 uses an updated version of AMS which contains a fix for this issue. Computer stops responding when trying to install Office 2000 over Norton AntiVirus Corporate Edition 7.6 Symptom: This is due to a conflict between the Windows Installer and version 2.40.4514.1 of Microsoft's OLEAUT32.DLL, which is distributed with Norton AntiVirus Corporate Edition and Symantec AntiVirus 8.0. This conflict is specific to this version of OLEAUT32.DLL and does not occur with older or later versions. Resolution: The issue was resolved by updating the install to include a later version of this file (2.40.4518) which is now available. Creating a "Quarantine Central Events" action results in a warning message "The Intel Alert Originator service has already been started." Symptom: In Symantec System Center, right-click Symantec Central Quarantine and select "Configure Quarantine Events." Create any alert action other than "Default Alert." After completing the alert configuration, the warning message appears. Resolution: An incorrect text mapping was being used for the alert name when registering it with AMS. The code was fixed to use the correct text mapping. Blue Screen Crash when Scanning Boot Records on some HP Servers using RAID Drives Symptom: Auto-Protect would cause a bluescreen crash when attempting to scan the boot record of a RAID drive. Resolution: The RAID drive was returning incorrect partition information for the drive, causing a crash when Auto-Protect attempted to retrieve information from a nonexistent location. Auto-Protect was updated to validate the partition information before attempting to read from the partition. Scanning issues with folders that have the same name as an environmental variable Symptom: If a folder on the drive had the same name as an environmental variable and the user scanned it, Norton AntiVirus Corporate Edition and Symantec AntiVirus 8.0 would not detect viruses in it. Resolution: This was due to old logic that internally checked the folders along the path of each file to see if any were the same as an environmental variable and then replaced them with the value of that variable. This logic was removed. Scheduled scans are immediately interrupted with the message "Scan stopped by user" Symptom: A scan is scheduled and the computer is turned off until the scheduled time has passed. When the computer is turned on, the scheduled scan starts but is immediately interrupted with the message "Scan stopped by user." Resolution: The scheduled scan was starting before the antivirus service was fully initialized. The code was fixed so that missed scheduled scans are not started until the service is fully initialized. Logs show incorrect computer as being infected Symptom: A virus is detected on a client computer, but the virus history or AMS log incorrectly lists the parent server as infected. Resolution: A fix was made in an earlier Norton AntiVirus Corporate Edition build to address scanning performance in domain environments. An error was discovered in the fix where the client machine name is lost or overwritten by the parent machine name. The code was fixed to address this problem. File system realtime protection does not scan subst Drives when Network Scanning Disabled Symptom: On Windows 98/Me computers, local files on subst drives are not being scanned if network realtime file scanning is turned off. Resolution: Norton AntiVirus Corporate Edition and Symantec AntiVirus do not scan a local drive that is substituted using subst.exe. The problem occurred because File system realtime protection checked logical DCBs to determine if a drive was local, but subst drives don't have a logical DCB. To fix this issue, if File system realtime protection can't find a logical DCB for a drive, it checks to see if the drive is subst. Symantec System Center client icon does not reflect client virus status Symptom: When a virus is detected on a client, the log event is sent to the server immediately and shows up in the client virus history. However, the client icon and status in Symantec System Center are not updated until the next regular client checkin - which can be up to 60 minutes with a default configuration. In version 7.0x, the client icon and status were updated immediately. Resolution: A fix for another issue in Norton AntiVirus Corporate Edition 7.5 inadvertently changed the code so that the client icon and status are not immediately updated. This has been corrected, restoring the original 7.0x behavior. Servers installed into an existing server group do not inherit server group settings Symptom: Servers installed into an existing server group would get the default server settings instead of the settings defined for that server group. To have the server group settings apply to the new server, it would have to be dragged into a different group in Symantec System Center (or initially installed into a different group) and then dragged into the target group to have the group settings applied. Resolution: When installing a server into an existing group, the server will pull down and incorporate the server group settings from the primary server the first time it starts up (during the install). This should also work for NetWare servers. Quarantine Server allows access to remote servers without Username and Password Symptom: In Symantec System Center, attaching to Quarantine Server (Central Quarantine) on another machine will prompt for a username and password, but will allow access if no username or password is provided - even if the remote machine requires a different username / password than the local machine (to map a drive, for instance). Resolution: The username and password prompt dialog was updated to require a username and password combination when accessing Central Quarantine on another machine. If not provided, an error message is generated and the user is returned to the prompt dialog. A username and password are not required if attaching to local Quarantine Server. Install replaces the Windows system dlls with older version dlls. Symptom: During the client or server install, existing Windows system dlls like Psapi.dll, Ctl3d.dll, Mfc42.dll are replaced by older versions. Resolution: Only files with equal or lesser version are replaced by Symantec AntiVirus 8.01. NAVRoam errors out occasionally Symptom: You receive a Memory Access Error Dialog when NavRoam is run as a Command-line utility or as a service. Resolution: There is a possibility that when multiple processes use WinInet.dll and one process unloads the .dll from memory, the rest of the processes may suffer. The function call which unloads WinInet.dll in NavRoam is removed. NAVRoam errors out occasionally in Windows 98/Me Symptom: You receive a Memory Access Error Dialogbox when NavRoam is run as a Command-line utility or as a service. Resolution: When the system is not able to resolve its IP address, this error occurs. In this situation, every time NavRoam verifies whether the network address changed, the system looks for a nearest parent and the crashing is handled. Cannot suppress a reboot during a silent uninstall Symptom: Customers have requested the ability to suppress the reboot prompt on Windows 98/Me computers. However, we also wish to maintain this prompt for other customers to avoid the situation where a user uninstalls, and then attempts to install again without rebooting. Resolution: A SUPPRESSRBPARAM parameter was added to Microsoft Installer (MSI) to suppress this reboot if it is specified equal to 1. If set to any value other than 1, the install will prompt to reboot. For example, use the following command line to uninstall without the prompt to reboot: msiexec -x NavCE.msi SUPPRESSRBPARAM=1 Crash during installation over Norton AntiVirus consumer versions Symptom: A crash occurs when the retail version of Norton AntiVirus's Auto-Protect Service is not uninstalled or disabled prior to installing Norton AntiVirus Corporate Edition or Symantec AntiVirus 8.01. Resolution: File system realtime protection is now verifying that a valid configuration structure is being passed. Pool Non-paged memory leak Symptom: Some antivirus client computers experience a pool non-paged memory leak. This leak occurs every 30 minutes by default. Resolution: The application has code which monitors file changes in certain directories. The antivirus client's usage of the Microsoft file monitoring functions/APIs was incorrect. The code was modified to use these APIs in the proper order. Gradual memory leak over time Symptom: Client experiencing gradual memory leak over time. Resolution: The application creates threads to perform tasks. As each thread is created, four bytes of memory were left unreleased. The software was modified to correct this problem. Rtvscan memory leak when scanning Symptom: When scanning a large number of viruses with realtime and reporting viruses with the message box, Rtvscan can leak memory. Resolution: Two related memory allocations which fail to release during the virus detection process have been corrected. Memory leak with large number of infected files Symptom: When "Display message on infected computer" is displayed and you are scanning a large number of infected files, Rtvscan uses a large amount of memory that is not released when the dialog is closed. Resolution: Found a deadlock condition, where closing the dialog box, while reporting a large number of infected files, causes two threads to hang. The fix for this deadlock condition involves moving some code from an un-safe, to a thread-safe location. Upgrade to Decomposer Component Symptom: Upgrading the Decomposer component addresses several issues as described below: Decomposer Extraction errors Problems with Multiple Simultaneous Scans Outlook file not recomposing properly PowerPoint document parsing errors Crash / Hang after processing certain e-mails Scanning Text file generates error 00000017 Issues with .DOC and .TXT file formats Symantec AntiVirus Corporate Edition 8.0 build 378 Included with Symantec Client Security build 392 New Fixes and Enhancements: Symantec AntiVirus 8.0 no longer performs a migration over Norton AntiVirus 5.0 Symptom: When you install Symantec AntiVirus 8.0 on a machine where Norton AntiVirus 5 is installed, a message box is displayed, notifying the user that they must uninstall Norton AntiVirus 5 before upgrading to Symantec AntiVirus 8.0. Resolution: The migration install code from Norton AntiVirus Corporate Edition 7.6 was placed back in the Symantec AntiVirus 8.0 client and server installations and the message box warning was removed.

Document ID:2002091810595048 Last Modified:06/12/2006

Does this document answer your question? Yes No Maybe, need to test None of the above Is this document well written and easy to use? Submit specific suggestions to improve the quality of this document.

Product(s): Symantec AntiVirus Corporate Edition 8.0
Operating Systems(s):
Date Created: 09/18/2002