The Application Event Log records Service Startup and Shutdown notifications from clients after installing Symantec AntiVirus 8.0

Article:TECH99950  |  Created: 2002-01-23  |  Updated: 2003-01-19  |  Article URL http://www.symantec.com/docs/TECH99950
Article Type
Technical Solution


Environment

Issue



The Application Event log on a Symantec AntiVirus Corporate Edition 8.0 (Symantec AV) server contains unexpected information regarding Norton AntiVirus Corporate Edition (NAVCE) 7.xx legacy clients that was not present when the clients were managed by a NAVCE 7.xx server. Most notably, this appears as multiple NAVCE and Symantec AV startup and shutdown messages, although the Application Event log does not identify the specific client that generated each event.


Solution



Symantec AV 8.0 introduced enhanced logging and forwarding of client events (for more information, please see the document How to enable enhanced event forwarding in Symantec Client Security). Because specific events can now be turned on and off for forwarding, the default configuration contained in the Grc.dat file from a Symantec AV 8.0 server instructs all clients managed by that server to turn on event forwarding. Specific events such as client startup and shutdown are turned off by default in the Grc.dat file. However, because NAVCE 7.xx clients do not understand these new granular settings, they forward all events to the parent server.

Turning off forwarding of these events in a mixed environment requires that you edit the registry using one of the following methods:


CAUTION: We strongly recommend that you back up the registry before making any changes. Incorrect changes to the registry could result in permanent data loss or damaged files. Please make sure that you modify only the keys specified. Please see the documents How to back up the Windows registry and How to use the Windows Registry Editor before proceeding.


Turn off forwarding for 7.xx clients only
  1. Group all 7.xx clients under a Symantec AV 8.0 server into a client group (For more information, please see the document How to create and manage Client Groups in Symantec System Center 5.0.)
  2. Open the registry editor on the managing Symantec AV 8.0 server.
  3. Navigate to the following subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Groups\\ClientConfig\Common
  4. Change the "ForwardLogs" DWORD value to 0 (zero).
  5. Close the editor and open Symantec System Center.
  6. Click the Reset All button under Client Realtime protection options for that client group.

    This will force the updated Grc.dat file out to the clients in that group and disable log forwarding for all clients in that client group.

Turn off event forwarding for ALL clients under a Symantec AV 8.0 server
  1. Open the registry editor on the managing Symantec AV 8.0 server.
  2. Navigate to the following subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\ClientConfig\Common
  3. Change the "ForwardLogs" DWORD value to 0 (zero).
  4. Close the editor and open Symantec System Center.
  5. Click the Reset All button under Client Realtime protection options for that parent server.

    This will force the updated Grc.dat file out to all clients not belonging to a client group managed by that 8.0 server, and disable log forwarding for all clients that report to that server (7.xx and 8.0 clients).


Note: Using the first method does not introduce any loss of functionality, as 7.xx clients were not, by default, forwarding events in a pure 7.xx environment. If they were, then all events were being forwarded.
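
The registry steps of either method above (back up, change "ForwardLogs" to 0, confirm) can be scripted; the following PowerShell is an added example, not Symantec's own tooling. The script parameters, the backup file name and the backup location are assumptions. It defaults to the server-wide key, and a client group's ClientConfig\Common key can be passed as -KeyPath for the first method. Save it as a .ps1 file and run it elevated on the managing server; the Reset All step in Symantec System Center remains manual.

```powershell
# Added example (not from the original article): set ForwardLogs to 0 with a backup first.
param(
    # Server-wide key from the article; pass a client group's ClientConfig\Common key instead if needed.
    [string]$KeyPath   = 'HKLM:\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\ClientConfig\Common',
    # Assumption: where the .reg backup is written.
    [string]$BackupDir = $env:TEMP
)

$ErrorActionPreference = 'Stop'
$valueName = 'ForwardLogs'

if (-not (Test-Path -LiteralPath $KeyPath)) {
    throw "Registry key not found: $KeyPath"
}

# reg.exe expects HKLM\... rather than the PowerShell drive form HKLM:\...
$regExePath = $KeyPath -replace '^HKLM:\\', 'HKLM\'
$backupFile = Join-Path $BackupDir ('ForwardLogs-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# Back up the key before touching it, as the CAUTION in the article recommends.
& reg.exe export $regExePath $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Backup of $regExePath failed; no change was made."
}
Write-Output "Backup written to $backupFile"

# Read the current value; $null means the value does not exist under this key.
$current = (Get-ItemProperty -LiteralPath $KeyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) {
    throw "$valueName is not present under $KeyPath; refusing to create it."
}
Write-Output "$valueName is currently $current"

if ($current -eq 0) {
    Write-Output 'Forwarding is already disabled in this key; nothing to change.'
    return
}

# Modify only the one value the article names, then read it back to confirm.
Set-ItemProperty -LiteralPath $KeyPath -Name $valueName -Value 0 -Type DWord
$after = (Get-ItemProperty -LiteralPath $KeyPath -Name $valueName).$valueName
if ($after -ne 0) {
    throw "$valueName is $after after the write; restore from $backupFile and investigate."
}
Write-Output "$valueName set to 0. Now use Reset All in Symantec System Center to push Grc.dat."
```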







Legacy ID

2002092313343548

