Archive for the ‘Symantec’ Category

Enterprise Vault Support for Terminal Services and Citrix Presentation servers

Sunday, October 24th, 2010

To install the functionality, the GUID of the installed package must be known, for example for Microsoft Office Outlook 2007 or Microsoft Office Professional Plus 2007.

To obtain the GUID of the installed package, perform the following:

1. Verify the product name from Add/Remove programs or the Help > About menu

2. Open the registry and browse to: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall

3. Identify the GUID as per Microsoft KB 928516 (e.g. {90120000-0030-0000-0000-0000000FF1CE} )
 http://support.microsoft.com/kb/928516

4. From a command prompt, enter the following syntax (it is case sensitive):

msiexec /i {GUID.EN_US} ADDLOCAL=OutlookVBScript /qb

where {GUID.EN_US} is the string identified in step 3 above.

Examples for common versions of Office:

Microsoft Office Professional Plus 2007:
msiexec /i {90120000-0011-0000-0000-0000000FF1CE} ADDLOCAL=OutlookVBScript /qb

Microsoft Office Standard 2007:
msiexec /i {90120000-0012-0000-0000-0000000FF1CE} ADDLOCAL=OutlookVBScript /qb

Microsoft Office Basic 2007:
msiexec /i {90120000-0013-0000-0000-0000000FF1CE} ADDLOCAL=OutlookVBScript /qb

Microsoft Office Professional 2007:
msiexec /i {90120000-0014-0000-0000-0000000FF1CE} ADDLOCAL=OutlookVBScript /qb

Microsoft Office Enterprise 2007:
msiexec /i {90120000-0030-0000-0000-0000000FF1CE} ADDLOCAL=OutlookVBScript /qb
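
Steps 2 to 4 as a script, added here as an example and not part of the original article: it lists Uninstall subkeys shaped like the GUIDs above and prints the matching msiexec line without running it. The function name, the GUID pattern and the WOW6432Node path are this example's own; the edition table contains only the five product IDs listed above.

```powershell
# Added example, not from the original article: find the Office 2007 suite
# product code under the Uninstall key and print the matching msiexec line.
# Nothing is installed or changed; the command is only displayed for review.

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    # 32-bit Office on 64-bit Windows registers under WOW6432Node.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Shape of the article's example GUIDs: {9012xxxx-PPPP-0000-xxxx-xxxxxxxFF1CE}
$officePattern = '^\{9012[0-9A-F]{4}-[0-9A-F]{4}-0000-[0-9A-F]{4}-[0-9A-F]{7}FF1CE\}$'

# Second GUID field -> edition, taken only from the article's example list.
$knownEditions = @{
    '0011' = 'Microsoft Office Professional Plus 2007'
    '0012' = 'Microsoft Office Standard 2007'
    '0013' = 'Microsoft Office Basic 2007'
    '0014' = 'Microsoft Office Professional 2007'
    '0030' = 'Microsoft Office Enterprise 2007'
}

function Get-Office2007InstallCommand {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $code = $key.PSChildName
            if ($code -notmatch $officePattern) { continue }

            # Characters 10-13 of "{90120000-0030-..." are the product ID field.
            $field   = $code.Substring(10, 4)
            $edition = $knownEditions[$field]
            if (-not $edition) { $edition = '(not in the article list)' }

            New-Object PSObject -Property @{
                ProductCode = $code
                DisplayName = $key.GetValue('DisplayName')
                Edition     = $edition
                Command     = "msiexec /i $code ADDLOCAL=OutlookVBScript /qb"
            }
        }
    }
}

Get-Office2007InstallCommand |
    Select-Object ProductCode, DisplayName, Edition, Command |
    Format-List
```

Compare DisplayName with the product name verified in step 1 before running the printed command.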
 
 

Article URL http://www.symantec.com/docs/TECH35595

Large numbers of .tmp files are being created in the xfer_tmp or 7.5/xfer folder

Tuesday, August 3rd, 2010

Large numbers of .tmp files are being created in the xfer_tmp or 7.5/xfer folder and are being detected as threats.

Question/Issue:
After Symantec Endpoint Protection detects an infection, the xfer_tmp folder generates a large number of temporary (.tmp) files. How can I get this to stop?

After Symantec AntiVirus detects an infection, the 7.5\xfer and/or 7.5\xfer_temp folders start generating numerous temporary (.tmp) files. How can I get this to stop?

After a migration from Symantec AntiVirus to Symantec Endpoint Protection the xfer_tmp folder starts generating a large number of .tmp files. How can I get this to stop?

Symptoms:
Large numbers of temporary (.tmp) files are generated in any of the following locations:

Symantec Endpoint Protection

  • Windows 2000/XP/2003
    • C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp
    • C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer
  • Windows Vista/7/2008
    • C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp

Symantec AntiVirus

    NOTE: The following file locations may still be relevant in a migration scenario from Symantec AntiVirus to Symantec Endpoint Protection

 

  • Windows 2000/XP/2003
    • C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer
    • C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer_tmp
  • Windows Vista/7/2008
    • C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer
    • C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer_tmp

Solution:


To take advantage of code improvements which make such detections much less likely, please ensure that the latest release of SEP 11 or SAV is installed on the client.
If such detections continue after deleting old .tmp files and updating to SAV_CE 10.1 MR9 or SEP 11 RU6a, see the following:

Stop the Symantec service

  • Symantec Endpoint Protection
    • Click Start, then Run
    • Type: smc -stop
    • Click OK
  • Symantec AntiVirus
    • Click Start, then Run
    • Type: services.msc
    • Click OK
    • Right-click and Stop the Symantec AntiVirus or Symantec Endpoint Protection service

Deleting the files

    NOTE: The following instructions are to be done from the Command Prompt, as attempting to perform the deletions from the Windows user interface may result in delays and application hangs due to the large number of files that can reside in these locations. Please note that these instructions will delete the files in the targeted directories, not the directories themselves. Do not remove the directories themselves, only the contents of those directories.

Open the Command Prompt

  • Click Start, then Run
  • Type: cmd
  • Click OK

  1. Deleting files from User Temp folder
    Type the following command in Command Prompt. (The following string will vary depending on the user name.) Replace "<NAMEOFUSER>" with the username of the Windows user whose temp folder you wish to empty:
    • Windows 2000/XP/2003
      DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"
    • Windows Vista/7/2008
      DEL /F /Q "C:\Users\<NAMEOFUSER>\AppData\Local\Temp"

  2. Deleting the contents of the temp folder at the root of C:\
    Type the following command in Command Prompt:
      DEL /F /Q C:\temp

  3. Deleting the contents of the Windows Temp folder
    Type the following command in Command Prompt:
      DEL /F /Q C:\WINDOWS\Temp

  4. Deleting the contents of the xfer and/or xfer_temp directories

    • Symantec Endpoint Protection
      Type the following commands in Command Prompt:
      • Windows 2000/XP/2003
        DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"
        DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"
      • Windows Vista/7/2008
        DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"
        DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"

    • Symantec AntiVirus
      NOTE: For migrations from Symantec AntiVirus to Symantec Endpoint Protection, be sure that the below locations do not also exist
      Type the following commands in Command Prompt:
      • Windows 2000/XP/2003
        DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer"
        DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer_tmp"
        DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp"
        DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer"
      • Windows Vista/7/2008
        DEL /F /Q "C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer"
        DEL /F /Q "C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer_tmp"
        DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp"
        DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer"

The Quarantine Folder

    NOTE: The following instructions are to be done from the Command Prompt, as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer application hangs due to the large number of files that can reside there.

Delete the Quarantine Folder

  • Symantec Endpoint Protection
    Type the following commands in the Command Prompt:
    • Windows 2000/XP/2003
      DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
      RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
    • Windows Vista/7/2008
      DEL /F /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"
      RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

  • Symantec AntiVirus
    NOTE: For migrations from Symantec AntiVirus to Symantec Endpoint Protection, be sure that the below location does not also exist
    Type the following commands in Command Prompt:
    • Windows 2000/XP/2003
      DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine"
      RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine"
    • Windows Vista/7/2008
      DEL /F /S /Q "C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine"
      RD /S /Q "C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine"

Recreate the Quarantine Folder

  • Symantec Endpoint Protection
    Type the following command in Command Prompt:
    • Windows 2000/XP/2003
      MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
    • Windows Vista/7/2008
      MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

  • Symantec AntiVirus
    Type the following command in Command Prompt:
    • Windows 2000/XP/2003
      MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine"
    • Windows Vista/7/2008
      MD "C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine"

Start the Symantec service

  • Click Start, then Run
  • Type: smc -start
  • Click OK
  • Click Start, then Run
  • Type: services.msc
  • Click OK
  • Right-click and Start the Symantec AntiVirus or Symantec Endpoint Protection service


 

 


Unable to start Routing and Remote Access Server (RRAS) (Event IDs: 7023, 20070, 20151, 20063) after uninstalling Symantec Antivirus/Symantec Endpoint Protection

Saturday, April 17th, 2010

Question/Issue:
Why is this error produced after uninstalling Symantec Antivirus/Endpoint? “Unable to start RRAS (Event IDs: 7023, 20070, 20151, 20063)”

Symptoms:
First Error:
Source: RemoteAccess
Event ID: 20070
Error: Point to Point Protocol engine was unable to load the C:\Program Files\Symantec\Symantec Endpoint Protection\SymRasMan.dll module. The specified module could not be found.

Second Error:
Source: RemoteAccess
Event ID: 20151
Error: The Control Protocol EAP in the Point to Point Protocol module C:\WINDOWS\System32\rasppp.dll returned an error while initializing. The specified module could not be found.

Third Error:
Source: Rasman
Event ID: 20063
Error: Remote Access Connection Manager failed to start because the Point to Point Protocol failed to initialize. The specified module could not be found.

Fourth Error:
Source: Service Control Manager
Event ID: 7023
Error: The Remote Access Connection Manager service terminated with the following error: The specified module could not be found.

Fifth Error:
If you try to restart the service from the RRAS MMC, it gives the following error: “Routing and Remote Access cannot be started because of the following error.” Please see event log for more information: The service has returned a service-specific error code. (8007042a)

Cause:
The default location of the file SymRasMan.dll is %SystemRoot%\System32\rastls.dll. On installing Symantec Antivirus or Symantec Endpoint Protection, the default location is changed in the registry to C:\Program Files\SAV\SymRasMan.dll. After uninstallation this location is not reversed for Windows Server 2003 SP2 because it does create a backup of the key during the change/installation, unlike Windows Small Business Server 2003.


Solution:
To resolve this issue follow the steps below:

  1. Click Start
  2. Click Run
  3. Type regedit
  4. Navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13

  5. Select the folder 13
  6. Change the value for keys: “ConfigUiPath”, “IdentityPath”, “InteractiveUIPath” and “Path” to:
    %SystemRoot%\System32\rastls.dll

  7. Navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\25
  8. Select the folder 25
  9. Change the value for keys: “ConfigUiPath”, “IdentityPath”, “InteractiveUIPath” and “Path” to:
    %SystemRoot%\System32\rastls.dll
  10. Restart the computer (recommended, not required)
  11. Start the RRAS service
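
A read-only check for steps 4 to 9, added here as an example and not part of the original article: it reads the four values under EAP\13 and EAP\25 and reports any that differ from %SystemRoot%\System32\rastls.dll or name a DLL that is no longer on disk, which is the condition behind event 20070. The function name and status labels are this example's own.

```powershell
# Added example, not from the original article. Read-only: it reports which of
# the four values under EAP\13 and EAP\25 differ from the path in steps 6 and 9
# or point at a DLL that no longer exists on disk.

$eapRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP'
$eapIds     = '13', '25'
$valueNames = 'ConfigUiPath', 'IdentityPath', 'InteractiveUIPath', 'Path'
$expected   = '%SystemRoot%\System32\rastls.dll'
$noExpand   = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

function Get-EapPathStatus {
    foreach ($id in $eapIds) {
        $keyPath = Join-Path -Path $eapRoot -ChildPath $id
        if (-not (Test-Path -Path $keyPath)) {
            Write-Warning "Key not found: $keyPath"
            continue
        }
        $key = Get-Item -Path $keyPath
        foreach ($name in $valueNames) {
            # Read the stored string without expanding %SystemRoot%.
            $raw = [string]$key.GetValue($name, $null, $noExpand)
            if ([string]::IsNullOrEmpty($raw)) {
                $status = 'ValueMissing'
            } else {
                $resolved = [Environment]::ExpandEnvironmentVariables($raw)
                if (-not (Test-Path -LiteralPath $resolved -PathType Leaf)) {
                    $status = 'DllNotFound'    # the state behind event 20070
                } elseif ($raw -ne $expected) {
                    $status = 'NotDefault'     # file exists but is not rastls.dll
                } else {
                    $status = 'OK'
                }
            }
            New-Object PSObject -Property @{
                EapId = $id; Value = $name; Data = $raw; Status = $status
            }
        }
    }
}

Get-EapPathStatus |
    Select-Object EapId, Value, Data, Status |
    Format-Table -AutoSize
```

Run it from an elevated prompt before and after the manual edit; every row should read OK once steps 6 and 9 are done.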

How to convert Symantec Endpoint Protection clients from managed to unmanaged without uninstalling and reinstalling

Tuesday, March 16th, 2010

Question/Issue:
Symantec Endpoint Protection Clients are installed as managed by a Symantec Endpoint Protection Manager. You need to change the clients to be unmanaged, but do not want to uninstall and reinstall the client.


Solution:
To convert the Symantec Endpoint Protection clients to unmanaged after they have been installed as managed

  1. Locate the Sylink.xml file that is located on CD 1 in the SEP folder.
  2. Copy the Sylink.xml file to a location that is accessible to clients on the network.
  3. On the client, navigate to CD2\TOOLS\NOSUPPORT\SYLINKDROP.
    Note: CD2 may also be labeled CD3
  4. Run SylinkDrop.exe on each Symantec Endpoint Protection client that needs to be converted to an unmanaged client.

Note
If the communication mode was not set for Client Control in the Symantec Endpoint Protection Manager policies during initial installation, you will not be able to change the local client policies after placing the new Sylink.xml file on the client.

This procedure changes the managed client to an unmanaged client, but will not change the policies that exist on the client. Ensure that you have the ability to change settings and run LiveUpdate on the client before changing the client to unmanaged. If you change the client to unmanaged without ensuring that you can change settings on the client, you may need to uninstall and then reinstall the client if you need to change settings in the future.

Microsoft Outlook error “The add-in ‘C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vpmsece.dll’ could not be installed …”

Saturday, November 28th, 2009

Question/Issue:

When you start Microsoft® Outlook®, you see the following message: “The add-in ‘C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vpmsece.dll’ could not be installed or loaded. This problem may be resolved by using Detect and Repair on the Help menu. Unable to load “C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vpmsece.dll”. You may be out of memory, out of system resources, or missing a .dll file.” When Symantec AntiVirus 10.x is installed, the error message may reference the file vpmsece2.dll or vpmsece3.dll. Use of the Detect and Repair option, as suggested in the error message, does not solve the problem.

Solution:

To fix the problem, find and delete all copies of the Extend.dat file on the computer. A copy of this file exists for each local user account. Then, restart the computer.

To find and delete copies of Extend.dat from a command prompt

  1. Exit Outlook if the program is open.
  2. On the Windows taskbar, click Start > Run.
  3. In the Open box, type cmd and then click OK.
  4. At the command prompt type the following command and then press Enter:

    cd "C:\Documents and Settings\<local_user>\Local Settings\Application Data"

    where <local_user> is the name of the current local user.

  5. Type cd microsoft\outlook and then press Enter.

  6. Type del extend.dat and then press Enter.
  7. Delete the Extend.dat file for every local user account on the computer.

How to use HyperTerminal in resetting the Symantec Firewall VPN appliance through null modem cable

Monday, December 29th, 2008

Question/Issue:
HyperTerminal is an easy-to-use terminal emulation program that has shipped with every version of Windows since Windows 95. HyperTerminal lets you define connections to other computers through your modem or a direct cable connection.


Solution:


Before you begin:

  1. On the back of the Symantec Firewall VPN appliance, flip DIP switch #3 to down.
  2. Connect the null modem cable to the serial port on the back of the appliance and to the serial port on the back of the computer.
  3. Turn on the appliance.
  4. Click Start and then Programs. Click Accessories and go to Communications and then select HyperTerminal.
  5. Create a new HyperTerminal connection with the following parameters:
    Connect using Direct to Com1 (or Com2), click Configure, and then select the following Port Settings:
    Bits per second 9600, Data bits 8, Parity None, Stop bits 1, Flow control None.
  6. Click OK. Click OK again and then click CONNECT.

On Windows 2000 you may need to give the connection a Name first or double-click the icon to launch HyperTerminal. Also, click Yes to enable if you are prompted.


To reset the Symantec Firewall VPN appliance:

  1. When connected, the following setup screen appears:

    HyperTerminal 1.0 -- HyperTerminal data file
    Please do not attempt to modify this file directly.
    Setup for Symantec Firewall/VPN 200 ver. 01.4I
    =========================================
    1. Local IP Address: 192.168.0.1
    2. Local Network Mask: 255.255.255.0
    3. DHCP Server (1:Enable, 2:Disable): Enable
    4. Start IP Address: 192.168.0.0
    5. Finish IP Address: 192.168.0.254
    6. Restore to Defaults
    7. Save
    Select


    Note: If the menu fails to appear, reset the appliance while connected to it.


  2. Select #6. The following screen appears:

    Setup for Symantec Firewall/VPN 200 ver. 01.4I
    =========================================
    == Cancel, please press 'Q' or 'q' ==
    Restore OK, but have not SAVED7
    Setup for Symantec Firewall/VPN 200 ver. 01.4I
    =========================================
    1. Local IP Address: 192.168.0.1
    2. Local Network Mask: 255.255.255.0
    3. DHCP Server (1:Enable, 2:Disable): Enable
    4. Start IP Address: 192.168.0.2
    5. Finish IP Address: 192.168.0.254
    6. Restore to Defaults
    7. Save
    Select

  3. Select #7. The following screen appears:

    Setup for Symantec Firewall/VPN 200 ver. 01.4I
    =========================================
    == Cancel, please press 'Q' or 'q' ==
    Waiting...

    Setup for Symantec Firewall/VPN 200 ver. 01.4I
    =========================================
    1. Local IP Address: 192.168.0.1
    2. Local Network Mask: 255.255.255.0
    3. DHCP Server (1:Enable, 2:Disable): Enable
    4. Start IP Address: 192.168.0.2
    5. Finish IP Address: 192.168.0.254
    6. Restore to Defaults
    7. Save
    Select

  4. Your Symantec Firewall/VPN appliance is now reset to its original state.
  5. Flip DIP switch #3 back to the up position.
  6. Disconnect the null modem cable.

Symantec Endpoint Protection / Symantec AntiVirus Corporate Edition – Download Virus Definitions

Tuesday, August 12th, 2008

http://www.symantec.com/avcenter/download/pages/US-SAVCE.html

GRC Drop

Wednesday, July 4th, 2007

grcdrop.zip

Preventing Symantec AntiVirus 10.0 from scanning the Microsoft Exchange directory structure

Wednesday, June 20th, 2007

Exchange 2003

  • Exchange databases (default location: Exchsrvr\Mdbdata)
  • Exchange MTA files (default location: Exchsrvr\Mtadata)
  • Exchange temporary files: Tmp.edb
  • Additional log files (default location: Exchsrvr\server_name.log)
  • Virtual server folder (default location: Exchsrvr\Mailroot)
  • Site Replication Service (SRS) files (default location: Exchsrvr\Srsdata)
  • Internet Information Service (IIS) system files (<drive>:\Winnt\System32\Inetsrv or <drive>:\Windows\System32\Inetsrv)
  • Working folder for message conversion .tmp files. (default location: Exchsrvr\Mdbdata)
    The location of this folder is configurable. For additional information, read the Microsoft Knowledge Base article 822936 – Message Flow to the Local Delivery Queue Is Very Slow.
  • The temporary folder that is used in conjunction with offline maintenance utilities such as Eseutil.exe.
    By default, this folder is the location from which you run the executable, but you can configure where you run the file from when you run the utility.
  • The folder that contains the checkpoint (.chk) file.
    For information on the location of this file, read the Microsoft Knowledge Base article Overview of Exchange Server 2003 and Antivirus Software.
  • Site Server Gatherer temporary directory (<drive>:\Windows\Temp\Gthrsvc), if it exists.
  • All of the appropriate folders listed in the next section, “When the following Symantec products are installed, exclude the following folders”