
GRC.DAT update issues - RealTimeScan exclusion not working.

Created: 22 Aug 2012 | 4 comments

Hi everyone,

I am following the steps below to update my SAV configuration:

    1 - copy GRC.DAT file to /var/Symantec

    2 - restart rtvscand

These are exactly the same steps I have been using for the last few years, and they have been working fine, except for some machines.

The problem is that the RealTimeScan Exclusions (RTSE) were not correctly loaded, so it is scanning everything, which can make the system unusable.

I have 2 identical machines (A and B), and RTSE works fine for A but not for B. Both machines were installed at the same time and have exactly the same RPMs installed. The GRC.DAT files are identical, with the same permissions and checksum.

These are the details I could get during my investigation:

Machine A: (works fine)

    Lines from Sadiag report :
    --------------------------
    SAV Scan Exclusions:
    \Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\HaveExceptionDirs     1       REG_DWORD
    \Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\HaveExceptionFiles    1       REG_DWORD
    \Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir\/sys        1       REG_DWORD
    \Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir\/renato     1       REG_DWORD

    Trying to scan the virus test file test.com under /renato, I can see this:
    # /opt/Symantec/symantec_antivirus/rtvscand -F -c -x
    rtvscand: 11:00:21.160177[_0xdf933b70 (nil)_]|AP: Matched userid 500 to user renato:renato.granzoto.com.br
    rtvscand: 11:00:21.160378[_0xdf933b70 (nil)_]|AP: GETACT successful
    rtvscand: 11:00:21.161686[_0xdf933b70 (nil)_]|S R        [0] '/renato/test.com'
    rtvscand: 11:00:21.161786[_0xdf933b70 (nil)_]|file excluded by directory
    rtvscand: 11:00:21.161887[_0xdf933b70 (nil)_]|AP: SETRSP successful
 

Machine B: (does NOT work fine)

    Lines from Sadiag report :
    --------------------------
    SAV Scan Exclusions:
    \Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\HaveExceptionDirs     1       REG_DWORD
    \Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\HaveExceptionFiles    1       REG_DWORD
    \Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir\/sys        1       REG_DWORD
    \Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir\/renato     1       REG_DWORD

    Trying to scan the virus test file test.com under /renato, I can see this:
    # /opt/Symantec/symantec_antivirus/rtvscand -F -c -x
    rtvscand: 10:16:43.162792[_0xdf282b70 (nil)_]|AP: Matched userid 500 to user renato:renato.granzoto.com.br
    rtvscand: 10:16:43.162893[_0xdf282b70 (nil)_]|AP: GETACT successful
    rtvscand: 10:16:43.163295[_0xdf282b70 (nil)_]|S R        [0] '/renato/test.com'
    rtvscand: 10:16:43.163678[_0xdf282b70 (nil)_]|Scanning [/renato/test.com  {/renato/test.com}]
    rtvscand: 10:16:43.163879[_0xdf282b70 (nil)_]|VIRUS ENGINE Entry 0xdf282b70
    rtvscand: 10:16:43.163980[_0xdf282b70 (nil)_]|VEScanFile(/renato/test.com)
    rtvscand: 10:16:43.163980[_0xdf282b70 (nil)_]|ScanFile(handle: 0x08D3F200, info: 0xDF2819E0)
    rtvscand: 10:16:43.164080[_0xdf282b70 (nil)_]|Node, "/renato/test.com"
    rtvscand: 10:16:43.164181[_0xdf282b70 (nil)_]|NAV_ScanFile(
    rtvscand: "/renato/test.com"
    rtvscand: hNAVEngine:          0x08D41170
    rtvscand: lpFileId:            0xDF281E50
    rtvscand: lpstFileExt:         COM
    rtvscand: bPreserveLastAccess: True
    rtvscand: *ppEITCList:         0)
    rtvscand: 10:16:43.393089[_0xdf282b70 (nil)_]|NAV_ScanFile("/renato/test.com", ..., 0) returned OK
    rtvscand: 10:16:43.393189[_0xdf282b70 (nil)_]|Scan returned "VEOK"

So my questions are:

1 - On both machines I have the /renato directory set as a RealTime Scan Exclusion. Why is it failing on machine B?
2 - What can be the cause of this issue? Maybe the rtvscand service restarted while the GRC.DAT was being pushed to the SAV DBs?
3 - What would be the clever way to ensure that I have all my GRC.DAT configurations correctly configured? I usually inspect it with "symcfgd -r list".
4 - What other SAV information should I inspect as well? For instance the DBs under /etc/Symantec.

Thanks in advance for any help. Let me know if any further information is required.

Renato Granzoto
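One way to answer question 3 mechanically: cross-check the exclusion that sadiag says is configured against what the rtvscand trace says actually happened to a file under it. This is an added example, not code from the post or from Symantec; it assumes the two text formats exactly as quoted above (the sadiag "SAV Scan Exclusions" lines and the rtvscand -F -c -x trace) and uses constructed sample lines abbreviated from the post.

```python
"""Added example (not from the original post): cross-check a RealTimeScan directory exclusion
against the 'SAV Scan Exclusions' block of a sadiag report and an rtvscand -F -c -x trace."""
import re
# Key prefix exactly as sadiag prints it (copied from the post); the path and value follow it.
NOSCANDIR_PREFIX = ("\\Symantec Endpoint Protection\\AV\\Storages\\FileSystem"
                    "\\RealTimeScan\\NoScanDir\\")
_ENTRY = re.compile(r"^(?P<path>\S+)\s+(?P<val>\d+)\s+REG_DWORD$")

def configured_exclusions(sadiag_lines):
    """Map each NoScanDir path to True/False (REG_DWORD 1/0). Paths with spaces are not handled."""
    found = {}
    for line in sadiag_lines:
        line = line.strip()
        if line.startswith(NOSCANDIR_PREFIX):
            m = _ENTRY.match(line[len(NOSCANDIR_PREFIX):])
            if m:
                found[m["path"]] = m["val"] == "1"
    return found

def trace_verdict(trace_lines, file_path):
    """'excluded' or 'scanned', read from the lines after the "S R [0] '<path>'" entry; None if absent."""
    seen = False
    for line in trace_lines:
        msg = line.split("|", 1)[1] if "|" in line else line  # drop the 'rtvscand: <time>[thread]' prefix
        if f"'{file_path}'" in msg:
            seen = True
        elif seen and msg.startswith("file excluded by directory"):
            return "excluded"
        elif seen and msg.startswith("Scanning ["):
            return "scanned"
    return None

def diagnose(sadiag_lines, trace_lines, file_path):
    """'ok' = configured and honoured (machine A); 'mismatch' = configured but scanned anyway (machine B);
    'not-configured' = no enabled NoScanDir entry covers the path; 'unknown' = trace inconclusive."""
    covering = [d for d, on in configured_exclusions(sadiag_lines).items()
                if on and (file_path == d or file_path.startswith(d.rstrip("/") + "/"))]
    verdict = trace_verdict(trace_lines, file_path)
    if verdict is None:
        return "unknown"
    if not covering:
        return "not-configured"
    return "ok" if verdict == "excluded" else "mismatch"

# Constructed sample input, abbreviated from the sadiag and rtvscand lines quoted in the post.
SADIAG = [NOSCANDIR_PREFIX + "/sys        1       REG_DWORD", NOSCANDIR_PREFIX + "/renato     1       REG_DWORD"]
TRACE_A = ["rtvscand: 11:00:21.161686[_0xdf933b70 (nil)_]|S R        [0] '/renato/test.com'",
           "rtvscand: 11:00:21.161786[_0xdf933b70 (nil)_]|file excluded by directory"]
TRACE_B = ["rtvscand: 10:16:43.163295[_0xdf282b70 (nil)_]|S R        [0] '/renato/test.com'",
           "rtvscand: 10:16:43.163678[_0xdf282b70 (nil)_]|Scanning [/renato/test.com  {/renato/test.com}]"]
```

Run `diagnose(SADIAG, TRACE_B, "/renato/test.com")` on a freshly pushed GRC.DAT: a "mismatch" result is exactly machine B's symptom, an exclusion that is present in the store but not applied by the running rtvscand.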
 


.Brian:

What version are you on?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mohan Babu:

I hope GRC.dat is used in SAV, not in SEP, so we cannot expect everything to work 100% for sure.

Instead you can create a policy in SEPM and apply it to clients; it will work fine.

Mohan Babu

moglie20@gmail.com

+91 9884382160

Your satisfaction is very important to us. If you find the above information helpful or it has resolved your issue, please mark it accordingly :)

P_K_:

The customer is talking about SAV and I am not sure why you are asking him to create a SEPM policy???

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

Ashish-Sharma:

A guide to the Grc.dat file in Symantec AntiVirus Corporate Edition version 10.x

http://www.symantec.com/business/support/index?page=content&id=TECH101234

Thanks In Advance

Ashish Sharma