Hi everyone,
I am following the steps below to update my SAV configuration:
1 - copy GRC.DAT file to /var/Symantec
2 - restart rtvscand
These are exactly the same steps I have been using for the last few years, and it is working fine, except for some machines.
The problem is that RealTimeScan Exclusions (RTSE) were not correctly loaded, so it is scanning everything, which can make the system unusable.
I have 2 identical machines (A and B), and RTSE works fine for A but not for B. Both machines were installed at the same time and have exactly the same RPMs installed. The GRC.DAT files are identical, with the same permissions and checksum.
These are the details I could get during my investigation:
Machine A: (works fine)
Lines from Sadiag report:
--------------------------
SAV Scan Exclusions:
\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\HaveExceptionDirs 1 REG_DWORD
\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\HaveExceptionFiles 1 REG_DWORD
\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir\/sys 1 REG_DWORD
\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir\/renato 1 REG_DWORD
Trying to scan the virus file test.com under /renato, I can see this:
# /opt/Symantec/symantec_antivirus/rtvscand -F -c -x
rtvscand: 11:00:21.160177[_0xdf933b70 (nil)_]|AP: Matched userid 500 to user renato:renato.granzoto.com.br
rtvscand: 11:00:21.160378[_0xdf933b70 (nil)_]|AP: GETACT successful
rtvscand: 11:00:21.161686[_0xdf933b70 (nil)_]|S R [0] '/renato/test.com'
rtvscand: 11:00:21.161786[_0xdf933b70 (nil)_]|file excluded by directory
rtvscand: 11:00:21.161887[_0xdf933b70 (nil)_]|AP: SETRSP successful
Machine B: (does NOT work fine)
Lines from Sadiag report:
--------------------------
SAV Scan Exclusions:
\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\HaveExceptionDirs 1 REG_DWORD
\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\HaveExceptionFiles 1 REG_DWORD
\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir\/sys 1 REG_DWORD
\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir\/renato 1 REG_DWORD
Trying to scan the virus file test.com under /renato, I can see this:
# /opt/Symantec/symantec_antivirus/rtvscand -F -c -x
rtvscand: 10:16:43.162792[_0xdf282b70 (nil)_]|AP: Matched userid 500 to user renato:renato.granzoto.com.br
rtvscand: 10:16:43.162893[_0xdf282b70 (nil)_]|AP: GETACT successful
rtvscand: 10:16:43.163295[_0xdf282b70 (nil)_]|S R [0] '/renato/test.com'
rtvscand: 10:16:43.163678[_0xdf282b70 (nil)_]|Scanning [/renato/test.com {/renato/test.com}]
rtvscand: 10:16:43.163879[_0xdf282b70 (nil)_]|VIRUS ENGINE Entry 0xdf282b70
rtvscand: 10:16:43.163980[_0xdf282b70 (nil)_]|VEScanFile(/renato/test.com)
rtvscand: 10:16:43.163980[_0xdf282b70 (nil)_]|ScanFile(handle: 0x08D3F200, info: 0xDF2819E0)
rtvscand: 10:16:43.164080[_0xdf282b70 (nil)_]|Node, "/renato/test.com"
rtvscand: 10:16:43.164181[_0xdf282b70 (nil)_]|NAV_ScanFile(
rtvscand: "/renato/test.com"
rtvscand: hNAVEngine: 0x08D41170
rtvscand: lpFileId: 0xDF281E50
rtvscand: lpstFileExt: COM
rtvscand: bPreserveLastAccess: True
rtvscand: *ppEITCList: 0)
rtvscand: 10:16:43.393089[_0xdf282b70 (nil)_]|NAV_ScanFile("/renato/test.com", ..., 0) returned OK
rtvscand: 10:16:43.393189[_0xdf282b70 (nil)_]|Scan returned "VEOK"
So my questions are:
1 - In both machines I have the /renato directory set as a RealTime Scan Exclusion. Why is it failing on machine B?
2 - What can be the cause of this issue? Maybe the rtvscand service restarted while the GRC.DAT was being pushed to the SAV DBs?
3 - What would be the clever way to ensure that I have all my GRC.DAT configurations correctly configured? I usually inspect it with "symcfgd -r list".
4 - What other SAV information should I inspect as well? For instance the DBs under /etc/Symantec.
Thanks in advance for any help. Let me know if any further information is required.
Renato Granzoto
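The post shows two independent views of the same exclusion: the Sadiag dump of the RealTimeScan keys, and the rtvscand -F -c -x trace, which on machine A says "file excluded by directory" and on machine B goes on to "Scanning [...]". The following is an added example, not code from the original post or from Symantec: a small POSIX shell script that reads both kinds of output and reports whether they agree, so the same check can be run on every host after a GRC.DAT push instead of eyeballing the trace. It assumes only the line formats visible in the post (the "NoScanDir\<dir> 1 REG_DWORD" key line and the "S R [0] '<path>'" / "file excluded by directory" / "Scanning [" trace lines); the sample dump and traces embedded below are constructed from the shape of the post's lines, not captured from a live system.

```shell
#!/bin/sh
# Added example (not the poster's or Symantec's code): check whether a RealTimeScan
# exclusion is both LISTED in the Sadiag key dump and HONOURED by rtvscand, using
# the line formats shown in the post. Both helpers read their input on stdin, so on a
# real host you pipe in the Sadiag report and the output of
#   /opt/Symantec/symantec_antivirus/rtvscand -F -c -x
# (the command from the post) while touching a file under the excluded directory.

# exclusion_present DIR  <  sadiag-style key dump
# Exit 0 when DIR appears as a RealTimeScan NoScanDir entry set to 1.
# -F matches the key path as a fixed string, so no regex escaping of backslashes.
exclusion_present() {
    grep -Fq "RealTimeScan\\NoScanDir\\$1 1 REG_DWORD"
}

# rtvscand_verdict PATH  <  'rtvscand -F -c -x' trace
# Prints "excluded", "scanned" or "unknown". After the "S R [0] '<PATH>'" line the
# daemon logs either "file excluded by directory" (machine A) or "Scanning [" (machine B).
rtvscand_verdict() {
    awk -v needle="S R [0] '$1'" '
        index($0, needle)                  { hit = 1; next }
        hit && index($0, "|file excluded") { print "excluded"; seen = 1; exit }
        hit && index($0, "|Scanning [")    { print "scanned";  seen = 1; exit }
        END { if (!seen) print "unknown" }
    '
}

# compare_views DIR PATH KEYDUMP TRACE
# Combines both views; "listed-but-scanned" is exactly machine B's symptom.
compare_views() {
    if printf '%s\n' "$3" | exclusion_present "$1"; then listed=yes; else listed=no; fi
    verdict=$(printf '%s\n' "$4" | rtvscand_verdict "$2")
    case "$listed/$verdict" in
        yes/excluded) echo consistent ;;
        yes/scanned)  echo listed-but-scanned ;;
        no/excluded)  echo excluded-but-not-listed ;;
        *)            echo "inconclusive ($listed/$verdict)" ;;
    esac
}

# ---- CONSTRUCTED sample input, modelled on the lines in the post ----------------
SADIAG_SAMPLE=$(cat <<'EOF'
SAV Scan Exclusions:
\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\HaveExceptionDirs 1 REG_DWORD
\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir\/sys 1 REG_DWORD
\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir\/renato 1 REG_DWORD
EOF
)

TRACE_A=$(cat <<'EOF'
rtvscand: 11:00:21.161686[_0xdf933b70 (nil)_]|S R [0] '/renato/test.com'
rtvscand: 11:00:21.161786[_0xdf933b70 (nil)_]|file excluded by directory
rtvscand: 11:00:21.161887[_0xdf933b70 (nil)_]|AP: SETRSP successful
EOF
)

TRACE_B=$(cat <<'EOF'
rtvscand: 10:16:43.163295[_0xdf282b70 (nil)_]|S R [0] '/renato/test.com'
rtvscand: 10:16:43.163678[_0xdf282b70 (nil)_]|Scanning [/renato/test.com {/renato/test.com}]
rtvscand: 10:16:43.393189[_0xdf282b70 (nil)_]|Scan returned "VEOK"
EOF
)

echo "machine A: $(compare_views /renato /renato/test.com "$SADIAG_SAMPLE" "$TRACE_A")"
echo "machine B: $(compare_views /renato /renato/test.com "$SADIAG_SAMPLE" "$TRACE_B")"
```

Run it after each GRC.DAT push with the real Sadiag report and trace piped into the two helpers; a "listed-but-scanned" result tells you the key is in the store but the running rtvscand is not applying it, which separates a configuration-store problem from a daemon-state problem before you start comparing the DBs under /etc/Symantec.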