Hey all, I've been lurking in the forum for quite some time, relying on others to ask the questions I need answered. Today I've encountered an issue I've not seen discussed on this forum (or at least not applicable to my environment), affecting several machines in an enterprise environment.
Issue seems to reside with emails that contain file attachments. Emails that did not contain file attachments opened promptly. Checking Event Manager under the SYSTEM portion, we found several of the following:
Timeout (30000 milliseconds) waiting for a transaction response from the Symantec AntiVirus service.
Checking for similarities on other machines, I found that this appears to stem from a corrupted dat file from 2-3-2010 rev 4 for Symantec Anti-virus. When we attempt to LiveUpdate, the process completes, appearing to have downloaded and install new definitions, but the version does not update in the SAV screen, nor has anything changed. A look in the Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\ folder shows a few folders containing updates, the most recent one (the last day updated) contains numberous *.9## files, all of which are only a few KB in size, compared to the more normal looking definitions in the previous folders.
Unfortunately, the corrupted dat file also corrupts the .msi for Symantec Anti-virus, which makes it almost impossible to remove cleanly through normal measures. We have acquired the NoNAv2.49 removal tool and if you DO NOT call the msi in the setup, the tool is successful in removing Symantec Antivirus. (this tool was linked on the forum) From there, a traditional reinstall is possible, and the pc will advance to the next definition.
Has anyone had similar issues? Something about this whole process--namely, that it is only affecting users in a single department known for sharing files frequently, with one exception--and the great difficulty involved in rectifying the issue, plus the fact that whatever is causing this effectively locks the system at a particular version number, makes me believe that a rootkit or some malicious virus activity is taking place. We've tried antivirus scans from a known good machine and have returned no viruses.
Any advice or direction would be greatly appreciated