GRC.DAT update issues - RealTimeScan exclusion not working.
Hi everyone,
I am following the steps below to update my SAV configuration:
1 - copy GRC.DAT file to /var/Symantec
2 - restart rtvscand
These are exactly the same steps I have been using for the last few years, and it is working fine, except for some machines.
The problem is that RealTimeScan Exclusions (RTSE) were not correctly loaded, so it is scanning everything, which can make the system unusable.
I have 2 identical machines (A and B), and RTSE works fine for A but not for B. Both machines were installed at the same time and have exactly the same RPMs installed. The GRC.DAT are identical, with the same permissions and checksum.
These are the details I could get during my investigation:
Machine A: (works fine)
Lines from Sadiag report:
--------------------------
SAV Scan Exclusions:
\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\HaveExceptionDirs 1 REG_DWORD
\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\HaveExceptionFiles 1 REG_DWORD
\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir\/sys 1 REG_DWORD
\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir\/renato 1 REG_DWORD
Trying to scan the virus file test.com under /renato, I can see this:
# /opt/Symantec/symantec_antivirus/rtvscand -F -c -x
rtvscand: 11:00:21.160177[_0xdf933b70 (nil)_]|AP: Matched userid 500 to user renato:renato.granzoto.com.br
rtvscand: 11:00:21.160378[_0xdf933b70 (nil)_]|AP: GETACT successful
rtvscand: 11:00:21.161686[_0xdf933b70 (nil)_]|S R [0] '/renato/test.com'
rtvscand: 11:00:21.161786[_0xdf933b70 (nil)_]|file excluded by directory
rtvscand: 11:00:21.161887[_0xdf933b70 (nil)_]|AP: SETRSP successful
Machine B: (does NOT work fine)
Lines from Sadiag report:
--------------------------
SAV Scan Exclusions:
\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\HaveExceptionDirs 1 REG_DWORD
\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\HaveExceptionFiles 1 REG_DWORD
\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir\/sys 1 REG_DWORD
\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir\/renato 1 REG_DWORD
Trying to scan the virus file test.com under /renato, I can see this:
# /opt/Symantec/symantec_antivirus/rtvscand -F -c -x
rtvscand: 10:16:43.162792[_0xdf282b70 (nil)_]|AP: Matched userid 500 to user renato:renato.granzoto.com.br
rtvscand: 10:16:43.162893[_0xdf282b70 (nil)_]|AP: GETACT successful
rtvscand: 10:16:43.163295[_0xdf282b70 (nil)_]|S R [0] '/renato/test.com'
rtvscand: 10:16:43.163678[_0xdf282b70 (nil)_]|Scanning [/renato/test.com {/renato/test.com}]
rtvscand: 10:16:43.163879[_0xdf282b70 (nil)_]|VIRUS ENGINE Entry 0xdf282b70
rtvscand: 10:16:43.163980[_0xdf282b70 (nil)_]|VEScanFile(/renato/test.com)
rtvscand: 10:16:43.163980[_0xdf282b70 (nil)_]|ScanFile(handle: 0x08D3F200, info: 0xDF2819E0)
rtvscand: 10:16:43.164080[_0xdf282b70 (nil)_]|Node, "/renato/test.com"
rtvscand: 10:16:43.164181[_0xdf282b70 (nil)_]|NAV_ScanFile(
rtvscand: "/renato/test.com"
rtvscand: hNAVEngine: 0x08D41170
rtvscand: lpFileId: 0xDF281E50
rtvscand: lpstFileExt: COM
rtvscand: bPreserveLastAccess: True
rtvscand: *ppEITCList: 0)
rtvscand: 10:16:43.393089[_0xdf282b70 (nil)_]|NAV_ScanFile("/renato/test.com", ..., 0) returned OK
rtvscand: 10:16:43.393189[_0xdf282b70 (nil)_]|Scan returned "VEOK"
So my questions are:
1 - On both machines I have the /renato directory set as a RealTime Scan Exclusion. Why is it failing on machine B?
2 - What can be the cause of this issue? Maybe the rtvscand service restarted while the GRC.DAT was being pushed to the SAV DBs?
3 - What would be the clever way to ensure that all my GRC.DAT configurations are correctly configured? I usually inspect it with "symcfgd -r list".
4 - What other SAV information should I inspect as well? For instance the DBs under /etc/Symantec.
Thanks in advance for any help. Let me know if any further information is required.
Renato Granzoto
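As an added check for question 3 (example code written here, not part of the original post and not a Symantec tool), the script below reads the "SAV Scan Exclusions" lines of a Sadiag report and the debug output of "rtvscand -F -c -x", then reports every path that the engine scanned although it lies under a configured NoScanDir. The two sample inputs are constructed from the lines quoted above (the third rtvscand request is made up to show that a prefix match alone is not enough).

```python
import re
# Constructed sample: the "SAV Scan Exclusions" block of a Sadiag report, as quoted in the post.
SADIAG_SAMPLE = r"""
SAV Scan Exclusions:
\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\HaveExceptionDirs 1 REG_DWORD
\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir\/sys 1 REG_DWORD
\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir\/renato 1 REG_DWORD
"""

# Constructed sample of "rtvscand -F -c -x" debug lines: one excluded path, one path under an
# excluded directory that was scanned anyway (the machine B symptom), one unrelated path.
RTVSCAND_SAMPLE = r"""
rtvscand: 11:00:21.161686[_0xdf933b70 (nil)_]|S R [0] '/sys/kernel/x'
rtvscand: 11:00:21.161786[_0xdf933b70 (nil)_]|file excluded by directory
rtvscand: 10:16:43.163295[_0xdf282b70 (nil)_]|S R [0] '/renato/test.com'
rtvscand: 10:16:43.163678[_0xdf282b70 (nil)_]|Scanning [/renato/test.com {/renato/test.com}]
rtvscand: 10:16:44.100000[_0xdf282b70 (nil)_]|S R [0] '/home/renato/test.com'
rtvscand: 10:16:44.100100[_0xdf282b70 (nil)_]|Scanning [/home/renato/test.com {/home/renato/test.com}]
"""
NOSCANDIR_RE = re.compile(r"\\NoScanDir\\(\S+)\s+1\s+REG_DWORD")  # value 1 = exclusion enabled
REQUEST_RE = re.compile(r"\|S R \[\d+\] '([^']+)'")              # scan request for a path
SCANNING_RE = re.compile(r"\|Scanning \[")                         # engine actually scanned it
EXCLUDED_MARK = "|file excluded by directory"

def parse_exclusions(sadiag_text):
    """Return the directories the loaded configuration says real-time scan must skip."""
    return NOSCANDIR_RE.findall(sadiag_text)

def parse_scan_events(rtvscand_text):
    """Map each requested path to 'excluded' or 'scanned', using the lines after its request."""
    events, current = {}, None
    for line in rtvscand_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            current = m.group(1)
        elif current and EXCLUDED_MARK in line:
            events[current] = "excluded"
        elif current and SCANNING_RE.search(line):
            events[current] = "scanned"
    return events

def is_under(path, directory):
    """True if path is the excluded directory itself or lies beneath it (no bare prefix matches)."""
    d = directory.rstrip("/") or "/"
    return path == d or path.startswith(d if d == "/" else d + "/")

def find_exclusion_failures(sadiag_text, rtvscand_text):
    """Paths that were scanned although the loaded exclusions say they should have been skipped."""
    excluded_dirs = parse_exclusions(sadiag_text)
    return [p for p, outcome in parse_scan_events(rtvscand_text).items()
            if outcome == "scanned" and any(is_under(p, d) for d in excluded_dirs)]
```

Run it against the real Sadiag report and a captured rtvscand debug log after each GRC.DAT push; an empty result means every exclusion the configuration claims to hold is also honoured by the engine.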
What version are you on?
SEP Knowledge Base
Endpoint SWAT
I hope GRC.dat is used in SAV, not in SEP, so we cannot expect everything to work 100% for sure.
Instead you can create a policy in SEPM and apply it to the clients; it will work fine.
Mohan Babu
moglie20@gmail.com
+91 9884382160
Your satisfaction is very important to us. If you find the above information helpful or it has resolved your issue, please mark it accordingly :)
The customer is talking about SAV, and I am not sure why you are asking him to create a SEPM policy?
Prachand MCSE-2012 Symantec Technical Specialist (SCTS)
A guide to the Grc.dat file in Symantec AntiVirus Corporate Edition version 10.x
http://www.symantec.com/business/support/index?page=content&id=TECH101234
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents