Course Guide
Support Readiness Training
Trademarks
Symantec, the Symantec logo, Intruder Alert, NetProwler, Raptor, VelociRaptor,
Symantec Desktop Firewall, Symantec Enterprise VPN, Symantec Enterprise
Firewall, Symantec Ghost, Symantec pcAnywhere, RaptorMobile, NetRecon,
Enterprise Security Manager, NAV, Norton Anti Virus, Symantec System Center,
Symantec Web Security, Mail-Gear and I-Gear are trademarks of Symantec
Corporation.
The Norton AntiVirus 2007 course is divided into eleven sections. The instructor's
lecture is followed by lab exercises in which students apply knowledge gained
throughout the course.
Intended audience
This course is intended for those who have responsibility for supporting, installing,
and configuring Norton AntiVirus.
Course prerequisites
It is assumed that the following prerequisites have been met:
• Students have a working knowledge of Microsoft Windows operating systems.
• Students have a working knowledge of computer security practices and
software.
• Students have read the Norton AntiVirus 2007 User’s Guide.
Course objectives
After you complete this course, you will be able to do the following:
• Install Norton AntiVirus 2007
• Understand the install-over matrix for Norton AntiVirus 2007
• Troubleshoot installation of Norton AntiVirus 2007
• Identify the components of Norton AntiVirus 2007
o Auto-Protect
o Manual Scanning
o Email Scanning
o Instant Messenger Scanning
o ccEraser
o Internet Worm Protection
• Understand techniques for troubleshooting Norton AntiVirus 2007 issues
• Monitor Norton AntiVirus activities via reporting section
• Understand the Symantec shared components used in Norton AntiVirus 2007
o SymProtect
o Norton Protection Center
o Activation
o Subscription
o LiveUpdate
Unit 5 Auto-Protect
Overview 55
What Auto-Protect does? 56
How Auto-Protect works? 55
Auto-Protect files and their functions 57
Repair Modes 58
Auto-Protect Options and Configuration 59
Troubleshooting Auto-Protect 60
Summary 63
Unit 10 ccEraser
Overview 92
What ccEraser does? 93
How ccEraser works? 93
ccEraser files 93
Load points cleaned 94
Summary 95
Unit 11 SymProtect
Overview 96
What SymProtect does? 97
How SymProtect works? 97
Summary 99
Appendix A 116
Appendix B 120
Norton AntiVirus is the fourteenth release of the Norton AntiVirus product line. This
latest version continues to provide customers with enhanced protection against the
latest threats and malicious content. The user interface has been enhanced and
optimized to give customers a new and exciting experience.
Objectives
• Introduction to threats
• Introduction to Norton AntiVirus 2007
• New features in this release
A computer virus is a small program written to alter the way a computer operates,
without the permission or knowledge of the user. A computer virus attaches itself to
a program or file so it can spread from one computer to another, leaving infections
as it travels. Almost all viruses are attached to an executable file, which means the
virus may exist on your computer but it cannot infect your computer unless you run
or open the malicious program. It is important to note that a virus cannot spread
without a human action (such as running an infected program) to keep it going.
Worms
Worms are programs that replicate themselves from system to system without the
use of a host file. This is in contrast to viruses, which require the spreading of an
infected host file. A worm is similar to a virus in its design and is considered a
sub-class of virus. Worms spread from computer to computer, but unlike a virus, a
worm has the ability to travel without the help of any host file. The biggest danger
with a worm is its ability to replicate itself on your system, so rather than your
computer sending out a single worm, it could send out hundreds or thousands of
copies of itself, with a devastating effect.
Trojan Horses
Trojan horses are impostors: files that claim to be something desirable but, in fact,
are malicious. A very important distinction from true viruses is that they do not
replicate themselves, as viruses do. Trojans contain malicious code that, when
triggered, causes loss or even theft of data. For a Trojan horse to spread, you must,
in effect, invite these programs onto your computer, for example by opening an
email attachment.
Trojans are also known to create a backdoor on your computer that gives malicious
users access to your system, possibly allowing confidential or personal information to
be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting
other files nor do they self-replicate.
Backdoor
Dropper
An executable file that, when run, "drops" a virus. A 'Dropper' file has the capability
to create or run a virus and infect the user's system when it is executed. When a
'Dropper' file is scanned, the scan may not detect a true virus, because the viral code
has not yet been created. The viral code (and virus) is created when the 'Dropper'
file is executed. Heuristics scanning often detects droppers before regular scanning
will.
Joke Programs are programs that change or interrupt the normal behavior of your
computer, creating a general distraction or nuisance.
Spyware
Adware
Dialers
Dialers are programs that use a system, without your permission or knowledge, to
dial out through the Internet to a 900 number or FTP site in order to accrue charges.
Dialers are typically associated with websites that contain adult content.
Hack Tools
Tools used by a hacker to gain unauthorized access to your computer. One example
of a hack tool is a keystroke logger, a program that tracks and records individual
keystrokes and can send this information back to the hacker.
Remote Access
Programs that allow another computer to gain information or to attack or alter your
computer, usually over the Internet. Remote access programs detected in virus
scans may be recognizable commercial software, which are brought to the user’s
attention during the scan.
Security Risks
Threats which do not conform to the strict definitions of Viruses, Trojan horses,
Worms, or other expanded threat categories, but which may present a threat to your
computer and its data.
Features removed:
This unit focuses on the installation of Norton AntiVirus 2007. The installation of the
2007 products is remarkably optimized and requires less user intervention compared
with previous releases.
Objectives
After you complete this unit, you will be able to do the following:
Before installing Norton Antivirus 2007 customers should review the hardware and
software requirements. These requirements are detailed in the following pages under
the hardware and software sections.
Hardware requirements
The following list gives the minimum hardware requirements for installing Norton
AntiVirus 2007. Platform performance is directly related to the robustness of the
hardware and the resources taken by other applications running on the PC.
Customers will find increased performance in Norton AntiVirus with more robust
hardware.
Windows XP editions
300-MHz processor
256 MB of RAM
175 MB of available hard disk space
CD-ROM or DVD-ROM drive
Internet Explorer 6.0
Administrator privileges to install program
Installation from CD
Installation from CD is the most common way of installing Norton AntiVirus 2007.
Installation runs from the Autorun file on the CD automatically. If the installation
doesn’t start automatically, you can open the CD and double-click the Navsetup.exe
file.
The following screenshots will help you understand the process of purchasing,
downloading and installing the product from SymantecStore.
Download Manager starts downloading. Windows XP SP2 may block the download.
After extracting all the installation files to the Temp folder, it starts NAVSetup,
which continues the installation. From here, the installation process is the same as
in the CD version. The complete process and screenshots are included at the end of
this unit.
Navsetup.exe
Pre-flight checks
The installer checks the client machine prior to making any changes to make sure
that it meets all requirements. The following checks are made:
Pre-install scanner
NAVSetup
PreScan.exe
ccEraser.dll
ecmldr32.dll
ccScanS.dll
Virus Definitions from CD
Prescan.exe interacts directly with ccEraser.dll and ccScanS.dll to begin the scan.
ccScanS.dll, in turn, interacts with ecmldr32.dll and the virus definitions to scan the
user's computer. The Preinstall Scanner depends on the following four Symantec
components:
Dependencies
1. ccScanS.dll
2. ecmldr32.dll
3. Virus Definitions
4. ccEraser.dll
During the installation, the user is given the option to install the Symantec-Yahoo
toolbar. This toolbar adds to the functionality of Internet Explorer. If the toolbar
installation fails, it fails silently and the product installation continues without
alerting the user.
NAVSetup supports Common Error Display error messages. The Common Error
Display (CED) messages work exactly the same way the product errors work. After
alerting the user about an installation error, the software will direct the user to an
online Knowledge Base article.
The Norton AntiVirus 2007 installation provides an automatic submission system for
reporting install success or failure.
If the installation fails, users will be able to submit their error log through the CED
reporting system.
The installer also checks the results of executable-based nested installers such as
LiveUpdate. If the installation of any of these components fails, NAVSetup alerts the
user using the Common Error Display.
During uninstallation of the program, if there is any subscription period left in the
product, users are informed of the period remaining in the subscription.
- When installing the same or newer version of NAV, and in all install-over scenarios,
including reinstallation and upgrade.
The installer will be able to upgrade older Norton AntiVirus products. This is done by
removing the previous product prior to installing the new one. Products that can be
upgraded will include:
The installer will also be able to upgrade any of these products when they are
installed within a suite product such as Norton Internet Security or Norton
SystemWorks. The following table shows the 2007 product install-over matrix:
ALLOW = Allow Install-Over; BLOCK= Block Install Over; NOTIFY = Allow, with
notification that the licensing scheme is going to change.
NAV2007 will be capable of installing over a version with a higher Minor version
number when the installed product is an OEM product and product being installed is
a Retail/SCSS product. That is, NAV 12.0.0.xx Retail will be able to install over NAV
12.0.2.xx OEM, but NAV 12.0.0.xx Retail will NOT be able to install over NAV
12.0.2.xx Retail.
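The channel rule above, expressed as a decision function. This is an added example, not Symantec's NAVSetup code: it encodes only what the course states (Retail/SCSS may install over a higher-minor OEM build; Retail over a higher-minor Retail is blocked) and assumes, since the page does not say, that a same-or-newer version is otherwise a reinstall or upgrade and is allowed, with every other combination blocked.

```python
"""Install-over check for the NAV2007 channel rule (added example)."""
from typing import Tuple

ALLOW = "ALLOW"
BLOCK = "BLOCK"
# Channels the course treats alike when installing over an OEM build.
RETAIL_LIKE = {"Retail", "SCSS"}
CHANNELS = RETAIL_LIKE | {"OEM"}


def parse_version(text: str) -> Tuple[int, int, int]:
    """'12.0.2.15' -> (12, 0, 2).

    The course calls the third field (12.0.*2*) the minor version; the fourth
    field is the build number ('xx' in the text) and does not affect the rule.
    """
    parts = text.split(".")
    if len(parts) < 3:
        raise ValueError(f"expected major.mid.minor[.build], got {text!r}")
    major, mid, minor = (int(p) for p in parts[:3])
    return major, mid, minor


def install_over(installed_version: str, installed_channel: str,
                 new_version: str, new_channel: str) -> str:
    """Return ALLOW or BLOCK for installing new_* over installed_*."""
    for channel in (installed_channel, new_channel):
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
    installed = parse_version(installed_version)
    incoming = parse_version(new_version)
    # Same or newer version: reinstallation or upgrade (assumed ALLOW).
    if incoming >= installed:
        return ALLOW
    # Older Retail/SCSS over a higher-minor OEM build: allowed by the course.
    if installed_channel == "OEM" and new_channel in RETAIL_LIKE:
        return ALLOW
    # Older build over a higher-minor Retail (or OEM over OEM): blocked.
    return BLOCK


if __name__ == "__main__":
    # The two cases spelled out in the course text.
    for case in (("12.0.2.7", "OEM", "12.0.0.94", "Retail"),
                 ("12.0.2.7", "Retail", "12.0.0.94", "Retail")):
        print(*case, "->", install_over(*case))
```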
Folders list:
The registry keys that are created during the installation of Norton AntiVirus contain
information to ensure the proper functionality and settings of the product and its
components. The key registry locations of interest are:
• HKEY_LOCAL_MACHINE\Software\Symantec\Installed Apps
This key lists all of the Symantec Products and components installed on the
computer, as well as their locations.
• HKEY_LOCAL_MACHINE\Software\Symantec\Shared Defs
This key lists the components of Norton AntiVirus that use definitions, as well as
the name of the definition file used by each component and the locations of these
definition files.
• HKEY_LOCAL_MACHINE\Software\Symantec\Symsetup\refcounts
This key lists the GUID (Globally Unique Identifier, a unique 128-bit number that is
produced to identify any particular Symantec component) for each component as
well as the number of installations that have been counted by Digital Rights
Management for each.
• HKEY_LOCAL_MACHINE\Software\Symantec\CommonClient
This key lists the version of the Common Client that is installed.
The order of Norton AntiVirus 2007 component installation from first to last:
ccCommon.MSI
SYMLT.MSI Norton AntiVirus SYMLT MSI
CfgWiz.MSI
OPCSharedCore.MSI Online Platform Client Shared Components
SymCUW.MSI
OPCLM.MSI
PIF.MSI PIF installer
uiNPC.MSI Norton Protection Center
Parent.MSI Norton AntiVirus Parent MSI
cfCore.MSI Component Framework
SPBBC32.MSI SPBBC 32bit
SymNet.MSI SymNet
AppCore.MSI
AV.MSI
SRTSP.MSI Symantec Real Time Storage Protection Component
Firewall.MSI Firewall Component
IWP.MSI Internet Worm Protection
SymHTMLU.MSI
SymTheme.MSI
MSGCntr.MSI
SubEng.MSI
NAV.MSI Norton AntiVirus
Short.MSI NAVShortcut
Help.MSI Norton AntiVirus Help
The following registry keys will indicate successful installations of Norton AntiVirus
and can be located in the following path:
HKEY_LOCAL_MACHINE\Software\Symantec\Norton AntiVirus\
Version key – Upon a successful installation of NAV this key contains the internal
version number.
Value = (String) "version"
Data = (String) "x.y.z"
Navsetup
• Performs all pre-install launch-condition checks and prompts for any unmet
conditions.
• Displays all install UI panels, including the wizard pages, progress pages and
any error dialogs.
• Calls each child (MSI) install in the correct order.
• Keeps track of all products installed during installation and removes them
during uninstall.
Microsoft Installer
The Microsoft Installer (MSI) handles the installation of all Norton AntiVirus 2007
components. MSI is only concerned with installation; it doesn’t do pre-installation
checks such as those done by Navsetup.exe. The MSI installers check to see only
that Navsetup.exe launched the MSI.
Note: In Norton AntiVirus 2007, users are unable to run the MSI files as stand-alone
executables. Navsetup.exe must be used to control the MSI packages.
The resolution for any issue that arises at this stage depends on the type of issue
or error message encountered. With the integration of the Common Error Display
with the installer, the majority of installation issues can easily be identified and
resolved.
In case of an installation failure, an error from the “9999, XXX” series is generally
flagged. The procedure to troubleshoot installation issues is outlined below:
In many cases, issues also occur due to a failed uninstall attempt of a previous
installation. This could be an uninstall attempt of a previous version or a failed
installation attempt of the same version. In both cases, it is recommended to remove
the remnants before attempting a clean installation. Here is the list of SymSetup
errors that can appear, depending on the action being performed:
Issue
Solution
For the 9999,171 error message there are 6 documents currently available. These
documents are created depending on the stage where the installation fails. When the
user clicks on the URL in the CED, it will direct the user to the appropriate document
depending on the parameters that CED fetches.
1. Enable Hidden System Files and folders in the Windows Explorer folder options.
2. Go to C:\Documents and Settings\All Users\Application Data\Symantec\Errlogs
You should see at least one zip file in the folder. If you see multiple files, please look
at the latest one. The zip file will have a randomly-generated name. For example:
{D1A19EF5-5886-4EEE-BEE5-694827069F2D}1cc9b170.zip
3. Open the file URL.txt and look at the values of the “a” and “h” variables.
http://www.symantec.com/techsupp/servlet/ProductMessages?&module=9999&error=171&language=English&product=Norton+AntiVirus+2006&version=12.0.0.94&e=2753&a=1603&h=NAV_CTO_Action_comm&k=AVSTE.dll&l=PARENT.MSI&c=false&m=2753&n=11.5.0&build=Standard
Depending on the “a” and “h” variables, direct the user to the appropriate document.
The Lotus Notes internal document lists the “a” and “h” variables for each
document. The links for all the documents are provided below:
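A triage helper for steps 2 and 3 of the procedure above, written as an added example (not part of the course or of NAVSetup): it picks the newest zip in the Errlogs folder, reads URL.txt from it and extracts the fields CED uses to choose the Knowledge Base document (module, error, "a", "h"). The only page-derived value is the example URL; the Errlogs folder used in the demo is constructed in a temporary directory with placeholder zip names.

```python
"""CED error-log triage helper (added example, not Symantec code)."""
import os
import tempfile
import zipfile
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Folder named in step 2 of the procedure (use it on a real machine).
ERRLOGS_DIR = r"C:\Documents and Settings\All Users\Application Data\Symantec\Errlogs"

# URL.txt contents from the course's example, joined onto one line.
SAMPLE_URL = (
    "http://www.symantec.com/techsupp/servlet/ProductMessages?&module=9999&error"
    "=171&language=English&product=Norton+AntiVirus+2006&version=12.0.0.94&e=2"
    "753&a=1603&h=NAV_CTO_Action_comm&k=AVSTE.dll&l=PARENT.MSI&c=false"
    "&m=2753&n=11.5.0&build=Standard"
)

# Query parameters worth showing a support engineer.
FIELDS = ("module", "error", "product", "version", "a", "h", "k", "l")


def newest_zip(directory: str) -> Optional[str]:
    """Return the most recently modified *.zip in directory (None if none)."""
    zips = [os.path.join(directory, name) for name in os.listdir(directory)
            if name.lower().endswith(".zip")]
    return max(zips, key=os.path.getmtime) if zips else None


def read_url_txt(zip_path: str) -> str:
    """Return the URL stored in URL.txt inside an Errlogs zip."""
    with zipfile.ZipFile(zip_path) as archive:
        name = next((n for n in archive.namelist() if n.lower() == "url.txt"), None)
        if name is None:
            raise FileNotFoundError(f"URL.txt not found in {zip_path}")
        return archive.read(name).decode("utf-8", "replace").strip()


def parse_ced_url(url: str) -> Dict[str, str]:
    """Extract the routing fields from a CED Knowledge Base URL.

    The leading '?&' in the real URL yields an empty pair, which parse_qs drops;
    '+' in the product name is decoded to a space.
    """
    query = parse_qs(urlsplit(url).query)
    return {name: query.get(name, [""])[0] for name in FIELDS}


def routing_key(fields: Dict[str, str]) -> str:
    """Key to look up in the internal document that maps "a"/"h" to articles."""
    return f'{fields["module"]},{fields["error"]} a={fields["a"]} h={fields["h"]}'


def triage(directory: str) -> Optional[Dict[str, str]]:
    """Run steps 2 and 3 of the procedure against an Errlogs folder."""
    path = newest_zip(directory)
    if path is None:
        return None
    fields = parse_ced_url(read_url_txt(path))
    fields["zip"] = os.path.basename(path)
    return fields


def build_demo_errlogs(directory: str) -> None:
    """Constructed stand-in for the Errlogs folder: two zips, the newer one
    holding the course's URL. The names are placeholders, not real CED names."""
    older = os.path.join(directory, "{PLACEHOLDER-GUID}00000001.zip")
    newer = os.path.join(directory, "{PLACEHOLDER-GUID}00000002.zip")
    with zipfile.ZipFile(older, "w") as archive:
        archive.writestr("URL.txt", "http://www.symantec.com/techsupp/servlet/"
                         "ProductMessages?&module=9999&error=171&a=0&h=OLDER\r\n")
    with zipfile.ZipFile(newer, "w") as archive:
        archive.writestr("URL.txt", SAMPLE_URL + "\r\n")
    os.utime(older, (1_000_000, 1_000_000))   # force a clearly older mtime
    os.utime(newer, (2_000_000, 2_000_000))


def demo() -> Dict[str, str]:
    """Build the constructed Errlogs folder in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as directory:
        build_demo_errlogs(directory)
        return triage(directory)


if __name__ == "__main__":
    result = demo()
    print(routing_key(result), "from", result["zip"])
```

On a customer machine the same logic is `triage(ERRLOGS_DIR)`, after hidden files and folders have been enabled as in step 1.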
NAVSetup
NAV Installer
Installation Issues
(Module 9999)
MSI
Feature Issues
(Module 1002, 4002, 1007...)
NAV User Interface
Installation issues
Configuration issues
The Windows Installer (MSI) will remove the proper registry keys, files, directories
and services to uninstall Norton AntiVirus 2007. Always try this method before moving
If you need to reinstall, make sure that you have the Product Key and the
installation CD or the downloaded files.
Select Norton AntiVirus from Add/Remove Programs and click Remove.
If you have files in the Norton AntiVirus Quarantine, you will be prompted to keep
them in Quarantine or delete them. If you are reinstalling Norton AntiVirus and have
files in Quarantine that you want to repair, you can keep the files. The Norton
AntiVirus Quarantine is explained in detail in Unit 4.
This unit focuses on the user interface changes in Norton AntiVirus 2007. The user
interface of Norton AntiVirus 2007 has been greatly improved compared with any of
the previous versions. The interface is now enhanced and simplified, and it is
optimized for easy usability and performance.
Norton Antivirus 2007 uses a new rendering engine to display its interface instead of
Internet Explorer. The new engine integrates with the existing components
seamlessly and provides Norton AntiVirus 2007 with a fresh and streamlined user
interface.
Objectives
After you complete this unit, you will be able to do the following:
Tabbed approach
The program window, which can be maximized, stays static, and the actions and
configurable options appear under the tabs or as drop-down menus, as displayed in
the screenshot below:
Also, the Options menu follows the program interface design and supplements
program usage. A screenshot of the Options menu with the enhancements is
provided below:
Options and user interface options that were redundant in the previous versions
have been replaced or removed. This is part of the streamlined interface, which
ensures maximum usability. Multi-tiered and redundant options such as "How to
respond when a virus is found”, which is common to Auto-Protect, Email scanning
and IM scanning, have been removed and replaced by easier interfaces. An example
of this approach is explained below:
The scanning window and the Log viewer are completely changed to ensure that they
adhere to the program interface seamlessly. Also, the interface is dynamic in nature;
it changes with the change in status of the program and the computer security.
The Norton AntiVirus 2007 user interface is now enhanced and uses SymHTML. The
SymHTML component has a new integrated engine that uses Terra Informatica,
which is a faster HTML rendering engine than the Internet Explorer rendering engine.
This should resolve the User Interface responsiveness issues that were in the
previous versions.
SymHTML reads SymTheme.dll to fetch the product theme and applies it to the
interface. You will still be able to open the product if the SymTheme.dll is missing or
corrupted. However, the user interface will be plain in this case.
File dependencies
Description
Norton AntiVirus includes various components that scan the computer, such as Auto-
Protect, Full System Scan, Email Scanning, etc. However, a single scanning engine is
used by all of these components. In this unit, we describe this technology used by
Norton AntiVirus 2007. Other Norton components that use the scanning engine are
described in detail in the forthcoming units.
Objectives
The most important component of Norton AntiVirus is its Scanning engine. This is the
core of the product and is continuously used. The functioning of this component is as
explained below:
When a scan request is initiated, the Norton AntiVirus executable (NAVW32) forwards
the request to the core AntiVirus module (AVModule), applying the options configured
by the user. It also sends the Scan Interface (avScanUI) the details of the current
scan request.
The Scan Interface then communicates with the core AntiVirus module, which
provides the details of the scan being performed to the Scan Interface, through
which they are presented to the user.
The core AntiVirus module reads the files on the file system through the kernel-mode
Symevent files and then scans each file using the installed threat definitions. If a
threat is detected by the core AntiVirus module, further action is taken according to
the user’s configuration preference (Alert, Delete, Quarantine).
[Figure: scan flow diagram showing the UI, Options and User Session, the AppCore
service and avModule, with the labelled steps (1) Configure, (3) Scan and (4) Scan
Details]
Decomposer files
Decomposer Limitations
Decomposer also has limitations on the level and types of items it can deal with;
these limitations include the following:
Quarantine generally means "to impose a state of enforced isolation", which is
required for computer files that are untrusted or infected. These files can be placed
in the quarantine folder, which is a "safe" place to store threat-infected files without
infecting other files on the computer.
When Norton AntiVirus quarantines a file, it puts the file into an encrypted container
format so that no other application can access it, and then stores it in the Quarantine
folder. This encryption uses an MD5 hashing algorithm.
The Quarantine functions as a safe place as it separates the infected files from the
Operating System by encrypting them. This ensures that the file cannot further infect
the computer in any way. Also, if an infected file is not repaired, and if it is stored in
the Quarantine folder, you can try to repair the file with the new set of virus
definitions when it is available.
In all of the above scenarios the file is encrypted using an encryption algorithm and
is then physically moved to the quarantine folder. The quarantine engine then
interacts with the threat through the threat scanner module in order to get the
category type for each item it stores and displays it to the user in the type column.
Once a file is quarantined, the user can either try to repair the file and submit it to
Symantec Security Response if the repair fails, or delete the file.
Also, if the repair fails and the user chooses to retain the file, the user can repair
the file after updating the virus definitions.
Quarantine files
Heuristics is a method of scanning for viruses by looking for patterns or activities
that are virus-like. Most antivirus programs have a heuristic scanning method to
detect unknown viruses in the wild. The disadvantage of a heuristic scan is that it
may result in a number of false alarms (false positives).
Heuristic scanning is similar to signature scanning, except that instead of looking for
specific signatures, heuristic scanning looks for certain instructions or commands
within a program that are not found in typical application programs. As a result, a
heuristic engine is able to detect potentially malicious functionality in new, previously
unexamined code, such as the replication mechanism of a virus, the distribution
routine of a worm or the payload of a Trojan.
Nowadays heuristic engines implement rule-based systems. This means that the
component of the heuristic engine that conducts the analysis (the analyzer) extracts
certain rules from a file, and these rules are compared against a set of rules for
malicious code. If a rule matches, an alarm can be triggered.
Objectives
After you complete this unit, you will be able to do the following:
• Removable media such as floppy disks, Zip disks, USB thumb drives or
compact discs
• Files accessed or downloaded from the Internet, including cached web files
• New files as they are created
• Files that are received by POP mail clients
When a file read or write request is generated, the Windows Input/Output manager
passes the information to the Symevent files. If the file is being written, these
drivers call the Norton AntiVirus scanning engine to check for threats. Once the scan
is complete, a request to write the file is sent to the file system drivers.
In the case of a read operation, the Symevent files send a read request to the
file system drivers and then send the file to the scanning engine. The file is then
made available to the Windows Input/Output manager if the scanning operation is
successful. For further information on the scanning engine, refer to "Unit 4 Scanning
Technology".
SAVRT
SAVRTPEL
In addition to the key files that are installed by Norton Antivirus 2007, there also
exists a dependency on the Remote Procedure Call Service (RPCSS) by the product.
This service is provided by Windows based platforms for miscellaneous RPC services
and by default the service is active. The possibility does exist for a customer to
manually disable it. Disabling the RPC service will cause inconsistent behavior and
errors in the Norton Antivirus 2007 product.
Auto-Protect has the ability to scan items contained in compressed files in real time.
Uncompressed files are normally scanned in synchronous mode. Compressed files
are locked and scanned in asynchronous mode (user mode) to close specific
vulnerabilities.
Subsequent attempts to open the file are blocked until the complete scan has ended.
Should an open occur while the item is being scanned, a system tray alert notifies
the user that the file may appear locked until the complete compressed-file scan has
ended. The files performing this action include Savrt32.dll, Navapsvc.exe,
Navapw32.dll and Navapw32.exe.
Auto-repair: Auto-Protect will try to repair the infected file. If it fails to repair it, it
will deny access to the file.
Repair then quarantine: Auto-Protect will try to repair the infected file. If it fails to
repair it, it will try to quarantine it. If it then fails to quarantine it, it will deny access
to the file.
Deny access: Auto-Protect just denies access to the infected file. It does not try to
repair or quarantine the file.
Issue
Solution
For Auto-Protect to function properly, the following items should be loaded and
running:
1. Symevent
2. SAVRT
3. ccApp
4. NAVAPSvc.exe
5. The product licensing is valid
6. Virus Definitions
The most common cause of this issue is the ccapp.exe file being disabled at startup,
or the Norton AntiVirus Auto-Protect service being stopped or not set to automatic.
Correcting these values resolves this issue.
However, if the issue persists, it is necessary to ensure that the computer is threat
free by performing a virus scan, either a manual scan using Norton AntiVirus or an
online virus scan. Verify that all detected threats are removed, then follow the
procedure mentioned above to enable the Symantec files.
If the issue persists, then starting the computer only with Symantec and Microsoft
services would help in resolving any conflicts. Finally, if the issue still persists then it
could be due to corruption of files and uninstalling and reinstalling Norton AntiVirus
would resolve the issue. The procedure above is represented as a flowchart below:
Solution
Title: 'Error: "Norton AntiVirus 2006 has encountered an internal program error"
(4002,517)'
Document ID: 2005102808565606
http://service1.symantec.com/Support/nav.nsf/docid/2005102808565606
This issue mainly happens if ccApp is not set to load at startup. Check whether
ccApp is checked in MSCONFIG. If it is set to load at startup, then check using Task
Manager whether ccApp is running. It can happen that ccApp crashes during startup;
in that case, restarting the computer can resolve the issue.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
If the issue persists, then this can happen if the Symevent files are corrupted and
not loading. Download the sevinst.exe file and run it to reinstall the Symevent files.
If reinstalling the Symevent does not resolve this issue, then this issue can be due to
corrupted Norton AntiVirus files. An uninstall and reinstall should resolve the issue.
The Norton AntiVirus manual scanner provides reactive protection against viruses,
Trojans, worms and expanded threats. This protection is provided by allowing the
user:
• To scan a specific location on the hard drive by right-clicking on the file or folder
and choosing “Scan with Norton AntiVirus.”
• To scan files and folders on local network drives.
• To scan the load point files and registry keys.
Objectives
After you complete this unit, you will be able to do the following:
Norton AntiVirus can scan and repair files inside compressed files. With this higher
level of security, there can be a trade-off in computer performance. Norton AntiVirus
uses its own decomposer to decompress and scan archived files. The files are
decompressed to the Windows Temp folder, where the scan is performed.
When Scan active programs and start-up files is turned on (this feature is on by
default), all manual scans first scan files that have already infected your system or
that could potentially infect your system when your computer starts up. Specifically,
these files are:
• NAVW32.exe
• avModule
• avScanUI
• cScanUIc
Scan Window
Attention Required
Solution
Title: 'Norton AntiVirus scanner stops before reaching 100 percent complete'
Document ID: 2000011717445506
http://service1.symantec.com/Support/nav.nsf/docid/2000011717445506
Some corrupted Temp files can freeze the scan. If the files are corrupted, Norton
AntiVirus will not be able to read them, causing the process to terminate or freeze.
Running a scan in Safe Mode can resolve this if the issue is caused by a virus
infection. Some threats may start numerous processes and consume many resources,
which may affect the scanning process. Running in Safe Mode can prevent many
viruses from loading automatically.
Some corrupt compressed files on your computer can cause this issue. The Norton
AntiVirus decomposers will not be able to decompress these corrupt files, which can
terminate the process.
This is the best way to find out the exact cause of the issue. If the scan freezes at
any particular file, it is a good option to exclude the file from being scanned and let
Norton complete the scan. If the scan stops at a particular compressed file, you can
extract the file and create a new archive to make sure that the archive is not
corrupted.
Issue
Solution
Title: 'Error: "Norton AntiVirus 2006 was unable to scan your computer for
infections" (3019,6) when running a virus scan'
Document ID: 2006050113575206
http://service1.symantec.com/Support/nav.nsf/docid/2006050113575206
This error can appear if the scan encounters some corrupt compressed files. Unchecking
the compressed file scanning option can allow Norton AntiVirus to complete the scan.
If the issue persists, uninstall and reinstall Norton AntiVirus, as this error can
also be caused by corrupted program files.
Norton AntiVirus 2007 scans incoming and outgoing emails for threats and malicious
code. As email is one of the most common channels for virus infections, this
enhanced version of Email Scanner is designed to provide the best protection against
email-based infections.
Objectives
Norton AntiVirus 2007 supports antivirus scanning of the email clients that are
compatible with the AvModule plug-in, which will be discussed in detail in the following
unit. Email scanning has been tested and is supported for POP3-compatible and
SMTP-compatible (Simple Mail Transfer Protocol) email clients. Email scanning does not
support the following:
• IMAP
• AOL
• POP3s with Secure Sockets Layer (SSL)
• Web-based email such as Hotmail and Yahoo! Mail
• Lotus Notes
Note: Norton AntiVirus does not support email connections that use Secure Sockets
Layer (SSL). SSL is a security protocol designed to provide secure communications
on the Internet. If you use an SSL connection, Norton AntiVirus automatically detects
that connection and skips scanning the connection completely. However, any data
that is transmitted through the connection is scanned as and when the data is accessed
on the disk.
When there are new emails available for download, the mail server sends them to the
computer through port 110. Port 110 is the POP3 (incoming) port. avModule, which
is monitoring port 110 for incoming email, forwards the emails into a single file in the
Windows Temporary folder, which is scanned for viruses. Once Norton AntiVirus has
determined that the email is virus-free, it responds to the server telling it to mark the
messages as received.
In case of infection
Components involved: AvProdSvc, AvProdApp, avScanUI
All incoming / outgoing emails will be scanned by AvModule if the feature is turned
on. AvModule will notify AvProdSvc of any detections that are made. AvProdSvc will
return instructions to remove and quarantine all threats contained in the email. If
there are threats that need additional processing, AvProdSvc will call into AvProdApp
for the current active session, which will in turn invoke avScanUI to display a UI to the
user so they can address the threats manually.
Email Scanning files
AVMail.dll
ccEmlPxy.dll
rcEmlPxy.dll
Solution
Title: 'Cannot download email with Norton AntiVirus email scanning enabled'
Document ID: 2003060310162506
http://service1.symantec.com/Support/nav.nsf/docid/2003060310162506
1. Check that your email program is set to not hang up after receiving
Make sure that the option to hang up after receiving emails is disabled. Enabling this
option can cause this issue.
2. Check for a third-party firewall that blocks the Email Scanning files
This issue can occur if the user is using a third-party firewall and the firewall is
set to block the Email Scanning files.
3. Check the Temp environment variable and the Temp folder
Email Scanning scans the emails from the Windows Temporary folder. If the Temp
environment variable is not set properly, Email Scanning will not be able to copy
the emails to the Temp location for scanning. It is also advisable to clear the
contents of the Temp folder, as corrupt contents can also cause this issue.
4. Disable Email Scanning, download the problem email and then restart Email
Scanning
This step is a workaround that allows you to download a problem email or an email with a
very large attachment. Once the email is downloaded, re-enable Email Scanning.
Solution
Title: 'Cannot send email with Norton AntiVirus email scanning enabled'
Document ID: 2003100110523806
http://service1.symantec.com/Support/nav.nsf/docid/2003100110523806
1. Check that your email program is set to not hang up after sending
Make sure that the option to hang up after sending emails is disabled. This option
can cause this issue when Email Scanning is enabled.
2. Check for a third-party firewall that blocks the Email Scanning files
This issue can occur if the user is using a third-party firewall and the firewall is
set to block the Email Scanning files.
3. Check the Temp environment variable and the Temp folder
Email Scanning scans the emails from the Windows Temporary folder. If the Temp
environment variable is not set properly, Email Scanning will not be able to copy
the emails to the Temp location for scanning. It is also advisable to clear the
contents of the Temp folder, as corrupt contents can also cause this issue.
4. Disable Email Scanning, send the problem email and then restart Email Scanning
This step is a workaround that allows you to send a problem email or an email with a very
large attachment. Once the email is sent, re-enable Email Scanning.
Description
Objectives
Note: If a user is using an IM client other than the ones listed above, Norton
AntiVirus Auto-Protect will still scan any incoming files as they are saved to the hard
drive. The Norton AntiVirus IM plug-in is just another layer on top of this.
Internet Worm Protection is an inbound firewall that protects your computer against
worms and other malicious network / Internet activities. Worms are threats that
replicate themselves through the network and can be prevented from entering a
computer with the help of Internet Worm Protection. Through Internet Worm
Protection, incoming network traffic can be restricted and incoming connections to
specific installed applications can also be controlled.
Objectives
Note: Internet Worm Protection does not detect new viruses that come in the
form of email attachments. Internet Worm Protection also will not alert if the
worm sends data out only.
Internet Worm Protection uses several techniques to prevent these attacks. The list
below describes these techniques in detail:
Port Blocking
The port blocking feature monitors all outgoing connections and allows only those
incoming connections for which a request was sent. If an incoming connection is
being made without a request from the receiving computer, the port blocking
feature will block this connection.
General Rules
This section monitors the incoming data flow and takes appropriate action when the
flow matches a pre-defined rule. The General Rules section also allows the users to
create a rule to suit their needs. Refer to the Configuration section for more
information on creating a General Rule.
Traffic analysis
Monitors network traffic for malicious activity. If such activity is detected, Internet
Worm Protection blocks the traffic, logs the event, and issues an alert.
Exploit detection
Prevents another computer from exploiting bugs in your computer’s software. Worms
use these bugs to transfer infected files onto your computer.
Listen events
Listen events are triggered when an application opens a port for “listening”.
Examples are FTP and web servers, and multiplayer internet games.
IP traffic events
IP events are triggered by incoming traffic to open ports. Usually a listen event is
generated before the traffic is received so the user has already permitted or blocked
the application. However, IP events can occur in cases where the agent wasn’t
running when the application tried to listen. This frequently happens at system
startup.
IDS events
The following section describes how each feature can be configured and customized.
Exclusions
Internet Worm Protection monitors the incoming Internet / network traffic and blocks
it if the data transfer matches the attack signatures that are present in the
signatures list. An attack signature is a unique arrangement of information that can
be used to identify an attacker's attempt to exploit a known operating system or
application vulnerability.
Any signature can be excluded from being matched simply by unchecking it in the
signatures list. However, excluding a signature means allowing that
particular type of data transfer to happen. In case of a false positive, a General Rule
(or a Program Control rule) can be created to allow the specific type of data transfer,
while the signature remains blocked.
Program Control
A user can control a program's access to the Internet using this feature. However,
the access controlled here is inbound. Using this feature, it is not possible to
block a program from establishing an Internet connection, but an attempt to initiate a
control or connection to the program from a remote system can be blocked. If you
would like to add a program that requires inbound blocking, add the program to
the Programs list and select the Block option.
At times, users may want to block a specific type of data transfer from specific
computers on the network or the Internet. Using the General Rules feature, users can
create "Rules" to block a specific type of data (or all data) from entering the computer.
By default, Internet Worm Protection offers certain pre-defined rules that prevent
specific types of connections and keep malicious data transfer at bay. Users can
create their own rules by clicking the "Add" button and following the
comprehensive on-screen instructions. However, it is important to know that the
rules listed here are evaluated in order: the rules work on a hierarchy basis, so the
first rule that matches the traffic decides the action.
When Internet Worm Protection detects an attack, it places the attacking computer's
IP address in the "AutoBlock" zone. While a computer's IP address is in the
AutoBlock zone, it cannot establish a connection. By default, the computer will be
placed in the AutoBlock zone for 30 minutes.
You can also unblock a computer that has been blocked by the AutoBlock feature. To
block a computer permanently, "Restrict" the computer.
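The decision order described above (ordered General Rules, request-based port blocking, the 30-minute AutoBlock zone and permanent Restrict), modelled as an added example that is not Norton AntiVirus code; the rule format, the evaluation order between the features, and the sample rules and addresses are assumptions made for illustration.

```python
"""Model of the Internet Worm Protection behaviour described in this unit.

Added example, not Norton AntiVirus code. Assumptions: a General Rule
matches on remote address, protocol and port; rules are evaluated in list
order (hierarchy) and the first match wins; Restrict and AutoBlock are
checked before the rules; port blocking only applies when no rule matches.
"""
from collections import namedtuple

AUTOBLOCK_SECONDS = 30 * 60   # default AutoBlock duration stated in the guide

Rule = namedtuple("Rule", "name action remote proto port")   # remote/port may be "any"
Packet = namedtuple("Packet", "remote proto port")


class InternetWormProtection:
    def __init__(self, rules):
        self.rules = list(rules)   # ordered General Rules
        self.restricted = set()    # "Restrict": blocked permanently
        self.autoblock = {}        # remote -> time (seconds) the AutoBlock expires
        self.expected = set()      # connections this computer requested itself

    # --- AutoBlock zone and Restrict ------------------------------------
    def attack_detected(self, remote, now):
        """Signature match: put the attacker in the AutoBlock zone for 30 minutes."""
        self.autoblock[remote] = now + AUTOBLOCK_SECONDS

    def unblock(self, remote):
        """Manual unblock of an AutoBlocked computer."""
        self.autoblock.pop(remote, None)

    def restrict(self, remote):
        """Block the computer permanently."""
        self.restricted.add(remote)

    def in_autoblock(self, remote, now):
        expiry = self.autoblock.get(remote)
        if expiry is None:
            return False
        if now >= expiry:          # block has expired: forget it
            del self.autoblock[remote]
            return False
        return True

    # --- traffic ---------------------------------------------------------
    def outbound(self, pkt):
        """Port blocking remembers the connections we asked for."""
        self.expected.add(pkt)

    def inbound(self, pkt, now):
        """Return (action, reason) for an incoming connection attempt."""
        if pkt.remote in self.restricted:
            return "block", "restricted"
        if self.in_autoblock(pkt.remote, now):
            return "block", "autoblock"
        for r in self.rules:       # hierarchy: first matching General Rule wins
            if (r.remote in ("any", pkt.remote) and r.proto == pkt.proto
                    and r.port in ("any", pkt.port)):
                return r.action, "rule:" + r.name
        if pkt in self.expected:   # port blocking: reply to a request we sent
            return "allow", "requested"
        return "block", "unsolicited"


def scenario():
    """Walk through the behaviours described in the unit; returns the decisions.

    Addresses and rules are constructed for the example.
    """
    iwp = InternetWormProtection([
        Rule("Block file sharing from anywhere", "block", "any", "tcp", 139),
        # Never reached for port 139: the rule above it matches first (hierarchy).
        Rule("Allow file sharing from LAN host", "allow", "192.168.1.10", "tcp", 139),
        Rule("Allow web server", "allow", "any", "tcp", 80),
    ])
    out = []
    out.append(iwp.inbound(Packet("192.168.1.10", "tcp", 139), now=0))   # hierarchy
    out.append(iwp.inbound(Packet("203.0.113.5", "tcp", 80), now=0))     # allowed by rule
    iwp.outbound(Packet("198.51.100.7", "tcp", 443))                      # we asked for this
    out.append(iwp.inbound(Packet("198.51.100.7", "tcp", 443), now=1))   # reply: allowed
    out.append(iwp.inbound(Packet("198.51.100.8", "tcp", 443), now=1))   # unsolicited: blocked
    iwp.attack_detected("203.0.113.5", now=10)                            # signature matched
    out.append(iwp.inbound(Packet("203.0.113.5", "tcp", 80), now=20))    # AutoBlock zone
    out.append(iwp.inbound(Packet("203.0.113.5", "tcp", 80),
                           now=10 + AUTOBLOCK_SECONDS))                   # 30 min later
    iwp.restrict("203.0.113.5")                                           # permanent
    out.append(iwp.inbound(Packet("203.0.113.5", "tcp", 80), now=10 ** 6))
    return out


if __name__ == "__main__":
    for action, reason in scenario():
        print(action, reason)
```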
Comparison of the three settings (three table columns as extracted; column headings not recovered):
• All traffic from local networks is allowed. Incoming traffic alerts are set to "Permit" instead of "Block".
• All traffic from local networks is blocked by default (can be configured to allow it). Incoming traffic alerts are set to "Block".
• All traffic is allowed. Incoming traffic is allowed.
The most likely cause of this issue is the Internet Worm Protection (IWP)
feature. Hence, disabling IWP and checking whether the issue persists helps to determine
the exact cause of the issue.
If the issue goes away with IWP disabled, it is caused by the filtering nature of
Internet Worm Protection, which can block Internet access for certain
applications that do not have valid rules created for them. This is typically the case when the user is
using an application provided by their Internet Service Provider to log in to or access the
Internet, and that application is not configured in Internet Worm Protection.
Configuring the Internet Worm Protection feature for use with the erring application
should restore Internet access. If that fails, recreating the Internet
Worm Protection program control list will resolve the remaining conflicts.
The ccEraser was a feature of Norton AntiVirus 2006 that has been carried
forward and is improved for 2007. This feature is designed to remove the side
effects of threat attacks in the Windows registry, batch files, startup folder, ini
files and memory resident threats. ccEraser replaces the Generic Side Effects
Engine that was introduced in Norton AntiVirus 2005. Norton AntiVirus 2007 will
detect and remove Spyware and other expanded threats on-demand through the
use of ccEraser.
Objectives
After you complete this unit, you will be able to do the following:
Diagram: ccEraser components (User Mode: ccLib.lib, EsrDef.xml, Navapsvc.exe; Kernel Mode: SAVRT, Symevent)
ccEraser files
ccLib.lib
EsrDef.xml
ccScan.dll
The following is a list of the common load points that are cleaned by the ccEraser.
Registry keys
■ HKEY_USERS\<UserID>\Software\Microsoft\Windows\CurrentVersion\Run
■ HKEY_USERS\<UserID>\Software\Microsoft\Windows\CurrentVersion\RunOnce
■ HKEY_USERS\<UserID>\Software\Microsoft\Windows\CurrentVersion\RunServices
■ HKEY_USERS\<UserID>\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
■ HKEY_USERS\<UserID>\Software\Microsoft\Windows NT\CurrentVersion\Windows
■ HKEY_USERS\<UserID>\Software\Mirabilis\ICQ\Agent\Apps
■ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
■ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
■ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
■ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
■ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
■ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
■ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
■ HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
■ HKEY_LOCAL_MACHINE\Software\Classes\<extension>file\shell\open\command
Startup folder
The following items are part of the startup folder load points.
.ini files
Processes
Processes that are terminated by ccEraser are treated differently from effects at
the load points. Users are prompted before the processes are stopped, so that they know which
programs are being stopped.
Objectives
After you complete this unit, you will be able to do the following:
However, it does not prevent the reading of our files and registry keys to avoid
interfering with normal operations, such as backup. Authorized applications have full
access, so they do not require any changes to continue to work.
The following authorization methods are used by Norton AntiVirus 2007 to authorize
an application, so that it can make changes to protected resources:
• Applications which are signed with a Symantec digital signature are free to
access all protected assets. This covers a great deal of legacy products;
Intelligent Updaters and all fix tools should also be signed.
• The product can register the name of authorized software, such as
System Restore or the Windows XP Backup program,
%SystemRoot%\System32\Ntbackup.exe.
A flowchart of the order of events that are followed after an attempt to modify
Symantec files is shown below:
All the Symantec Program folders, common folders, Registry keys under the HKLM
and HKCR paths are protected. A list of protected resources is provided below:
Objectives
Advanced Options
Scan Exclusions (New, Edit, Remove): which disks, folders, or files to exclude from risk scanning
Signature Exclusions (New, Remove, Risk Details): which detected risks to exclude
Spyware Protection: which categories of security risks to detect (Spyware, Adware, Dialers, Joke Programs, Remote Access, Trackware, Other)
Options Password (Change Password)
If you have a particular file to exclude from both Auto-Protect and Manual Scan,
you have to add the file separately to the Auto-Protect and the Manual Scan
exclusion lists.
Signature Exclusions
Using signature exclusions, you can exclude any expanded threat from being
removed by a Norton AntiVirus scan. If you wish to keep running some non-viral threats, such as
adware that NAV is detecting on every scan, you can add those threats to the
signature exclusions. After that, Norton AntiVirus will not alert about that threat in
subsequent scans.
Also, if Norton AntiVirus has detected a false positive for a legitimate program, you
can add it to Signature Exclusions until updated virus definitions are available.
Spyware Protection
This option allows you to select what types of expanded threats Norton AntiVirus
should detect. You can select the option to scan for high-risk items like spyware
while excluding low-risk threats like adware and joke programs.
Options Password
Options Password allows you to set a password for the Norton AntiVirus Options. You will
be prompted to enter the password whenever you try to change the Norton
AntiVirus options.
• You should disable the office plug-in if you suspect it is causing problems
opening or saving Word, Excel, Power Point, or other Microsoft Office
documents.
• If you decide to uninstall Norton AntiVirus you should unregister and rename
the Officeav.dll file to ensure this plug-in will not cause future issues.
• If you disable the Microsoft Office plug-in, Auto-Protect still scans Microsoft
Office documents in real time.
With the changes to the user interface of Norton AntiVirus, the Log Viewer has also been
updated to ensure maximum program usability and ease of use. It has been
streamlined and is now available as the Message Center.
The Message Center provides a categorical view of all logged events and also makes
it easy to track and view the events and their details, including the firewall events
as well as the antivirus events.
Description
The components of Norton AntiVirus log all activities that they perform.
The Message Center gives the user the ability to read and analyze these
activities, which include events such as alerts, application activities, and threat
activities that have occurred in Norton AntiVirus 2007.
Objectives
After you complete this unit, you will be able to do the following:
Message Center stores all event data that is generated by Norton AntiVirus. This is
achieved by common client files which monitor all event details that components
produce. The Message Center component is a generic log viewer that is plug-in
driven and provides a common user interface to display logged events, including all
of those listed above.
Activity logs record the events and activities that occur with the program. The
information stored in the log files can be used extensively for troubleshooting as they
store all events that occur in the program’s environment.
Message Center allows a technician or a user to view the events that occur in the
program's environment. This allows a user or a technician to see exactly what
happened with the program and also helps in tracking or narrowing down an
issue through the recorded details.
The following categories of information are available in the Message Center of Norton
AntiVirus 2007:
Internet Worm Protection
This displays a list of events that are logged by Internet Worm Protection. The
Internet Worm Protection logs are best used when a specific program is having
difficulty connecting to the Internet or to a network.
Security Risks
This provides the user with details about all security risks that were detected by
Norton AntiVirus; this includes threats detected by Manual Scans, Auto-Protect, Email
Scanning and IM Scanning. The information provided about threats that were
partially removed or not deleted is important for
ensuring optimum security.
Manual Scans
This provides information about the various components that perform scans
initiated by the user, such as context scans, IM Scanning and Email Scanning events.
For each scan entry it provides details such as the number of files
scanned and the infection detection and removal details.
Quarantine Items
This contains a list of items that are quarantined either automatically or that have
been added manually. Also, the quarantined file could be submitted to the Symantec
Security Response through this console.
Submissions
This option displays in detail the files that are submitted to the Symantec Security
Response and the status of their submission. It also provides the details about the
file, the threat detected in it and the date and time the file was updated. This
information could be used by the customer to ensure that a suspicious file has been
sent to Security Response for analysis.
The log files provide a great level of detail about the activities that are performed by
the user. These include detailed statistics that assist in
troubleshooting connectivity issues.
To read a particular log file choose a log entry and click on “More info” on the right
side information Window to view details of the selected event.
The Detailed information view would provide information about the actions that were
recommended and the actions that were performed by the user. Also a link for more
information about the particular log type being viewed would be available.
Information about each log type and its functionality is explained below:
Full history
The Full history view displays all log entries. Selecting an entry displays a brief
summary of it in the "Alert Details" window. Clicking "More details" displays
complete information about the event. The information provided for the events of each
feature is explained below.
Internet Worm Protection
The window displays a list of alerts and events that are generated by the Internet
Worm Protection component. It contains the name, priority and status of the event.
The alert details window displays the event details as mentioned above,
information about any IP addresses and files involved, and a description of the event.
Security Risks
The alert details window displays the risk name, type and any impact that it has on
the computer. It also displays the component which detected the risk, which is
either "AutoProtect" or "Manual Scan", and the recommended and
performed actions. Finally, it displays the filename, path and file information.
The advanced details window additionally provides the product name
and version which generated the alert, the component version and the internal
definition version. These are helpful in troubleshooting virus removal issues.
It also displays a link to the Symantec Security Response article corresponding to the
threat, and general information about viruses and Auto-Protect as provided in the
Help files.
Manual Scans
The results of a manual scan operation are different from the results of the other
scanning-related log entries. The alert window displays all the information that the
advanced details provide: the component that initiated the scan, the task
name for the scan and finally the time taken for completion of the scan in
seconds. It also displays the results of that scan, which include the number of
• Boot Records
o Scanned
o Infected
o Repaired
• Files
o Scanned
o Infected
o Repaired
o Quarantined
o Excluded
Quarantine Items
The event window displays details about the priority, title and the status of removal of
the threat. The alert details display the risk name and level, the threat category and
the component which placed it in quarantine. It also provides the state of the
threat removal.
The advanced details window displays the risk type, eraser version and the internal
definition version. It also provides a link to the corresponding Symantec Security
Response article about the threat.
In the advanced details window the threat can be sent to the Security Response
team, deleted permanently or restored.
Submissions
This Window displays a list of "submissions" and their priorities and names. The
details window displays details about the date the event was updated, the source
which updated the file and the description of the updated file.
Explaining the Symantec shared components in detail is not within the scope of this
manual. But without explaining components like Activation and LiveUpdate, the
Norton AntiVirus manual would not be complete.
Here, we discuss how Norton AntiVirus uses the Activation and LiveUpdate
components to activate and update the product.
Objectives
Norton Protection Center reports on how safe it is for you to use your computer to
perform popular tasks. It groups your activities into five protection categories. Your
protection is based on the programs that you have installed. To improve your
protection status, ensure that your installed programs are up to date.
The Security Basics category includes programs that protect your computer from
viruses and other security risks, and ensures that the protection is updated
frequently. It reports on whether your disks have been scanned for viruses recently,
whether you have spyware protection, and whether you receive Windows updates
and antivirus updates automatically.
After the installation, a Norton Protection Center icon appears in the Windows
system tray, which provides the status of Norton AntiVirus.
Also, note that the user needs to have a valid subscription in order to download the
updates through LiveUpdate.
LiveUpdate
Automatic LiveUpdate
Symevent Installer - Consumer
Common Client Core
Common Client Core Resource
Symantec Security Software
Decomposer
ccpd_Retail_Licensing_Technology
NortonProtectionCenter
Component Framework
Submission Engine
Submission Engine Data
SPBBC
IDS - Consumer
Symnet Consumer
Appcore - Beta
Symantec Known Application
System
COH White List
COH Update
SRTSP Consumer
Firewall - Pre Release
Symantec Trusted Application List
AV IDS Defs 2006 Microdefs25
AV IDS Defs 2006 Microdefs25
Avenge Microdefs25 NAV2007
NAVNT 2007 - Pre Release
Avenge Microdefs25 nav2007
Remote Registry – Remote Registry is a Windows registry editor that displays the
registry for a remote device and enables you to add, delete, and modify registry keys
and entries remotely over a network or Internet.
GUID- A GUID is a 128-bit integer (16 bytes) that can be used across all computers
and networks wherever a unique identifier is required. Such an identifier has a very
low probability of being duplicated.
Service Pack- A Service pack is the means by which product updates, fixes and/or
enhancements are distributed. Service packs may contain updates for system
reliability, program compatibility, security, and more. All of these updates are
conveniently bundled for easy downloading.
AutoRun - AutoRun is the ability of the operating system to automatically take some
default action upon the insertion of removable media such as a CD-ROM,
DVD-ROM, or flash media. This feature can be bypassed by holding down the Shift
key as the media is inserted.
Protocol - A method or predefined set of rules by which two dissimilar systems can
communicate
Hosts – The Hosts file is used to look up the Internet Protocol address of a device
connected to a computer network. It provides a mapping of device names to IP
addresses. When accessing a device by name, the networking system will attempt to
locate the name within the Hosts file; this is used as the first means of locating the
address of a system, before consulting the Internet Domain Name System.
IIS - Internet Information Services is Microsoft's Web server. It runs on
Windows NT platforms, is tightly integrated with the operating system, and is relatively
easy to administer.
TCP - Transmission Control Protocol is one of the core protocols of the Internet
protocol suite. Using TCP, applications on networked hosts can create connections to
one another, over which they can exchange data or packets. The protocol guarantees
reliable and orderly delivery of data from the sender to the receiver.
IP- The Internet Protocol (IP) is a data-oriented protocol used for communicating
data across a packet-switched internetwork. It is a network layer protocol and is
encapsulated in a data link layer protocol. As a lower layer protocol, IP provides a
unique global addressing amongst computers.
MAC address - A Media Access Control address is a unique identifier available in a NIC
and other networking equipment. Most network protocols use one of three
numbering spaces managed by the IEEE: MAC-48, EUI-48, and EUI-64, which are
designed to be globally unique. A computer on the network can be identified by using
its MAC and IP address.
SMTP - Simple Mail Transfer Protocol is the protocol used to send mail between
servers and to send mail from your client to a mail server.
FTP - File Transfer Protocol is the language used for file transfer from computer to
computer across a network such as the Internet.
Telnet - TELNET is a network protocol used on the Internet or on a local area network
(LAN) connection. It is used to provide user-oriented command line login sessions
between hosts on the Internet. The name is derived from the words telephone
network, since the program is designed to emulate a single terminal attached to the
other computer.
Loopback - A diagnostic test that returns the transmitted signal back to the sending
device after it has passed through a network or across a particular link. The returned
signal can then be compared to the transmitted one. The discrepancy between the
two helps to trace the fault.
For example, a Norton Internet Security 2006 installation log file would have the
name: Norton Internet Security 2006 7-7-2006 6h50m10s.log
The name of the log file thus also contains the date and time when the log was
created.
A typical MSI log file will contain entries starting with MSI (c), MSI (s) or MSI (n)
followed by the action that took place during the installation at that point of time.
Let’s now discuss some of the key entries of a typical MSI log file:
MSI (c) – Denotes an operation that’s taking place in the client engine (NAVsetup).
MSI (s) – Denotes an operation happening in the Windows Installer service.
MSI (n) – Denotes a nested installation activity.
Note: The 4 digit number that follows the “Note” string denotes the code for the
action that’s following. At times, this number can be used to lookup information on
the Microsoft website to determine the exact action that took place. If an error
occurs during the installation, then the error message would contain the same 4 digit
code.
Return Values
Every action that is performed during the setup is noted in the log file, and the
completion of each action is logged as a "Return Value".
Return Value 3: Return Value 3 indicates a failed install action. This is the key
value to look for while troubleshooting.
While reading an MSI log file for errors, it’s a good practice to search for errors from
the bottom of the document. Reach the bottom of the document, and do a top
search for the “Return Value 3” string. If there’s a Return Value 3 entry in the log,
analyze the values just above the “Return Value 3” entry for the actual cause of the
failure. The resolution for the installation issue depends on the cause of the failure.
Let’s now take a look at a failed install log file:
In the above Norton AntiVirus log, the installation has encountered an error while
trying to install a file (in this case msvcp71.dll). We also understand from this log
that the installation was being done from the hard drive and not from a CD-ROM, as
the file's (msvcp71.dll) path is shown as Desktop. An error has occurred in this
installation due to the file's absence in the source. The error "System error 3. Verify
that the file exists and that you can access it." clearly confirms this.
The solution in this case would be to make sure that the product source is complete
and has all the required files and folders.
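The two log-reading habits described in this section (reading the date and time out of the installation log file name, and searching from the bottom of an MSI log for "Return Value 3" and then looking at the entries just above it) as an added example; this is not Symantec tooling, and the sample log lines are constructed to resemble a failed InstallFiles action rather than copied from a real log.

```python
"""Triage helpers for Windows Installer (MSI) log files.

Added example for this guide, not Norton AntiVirus or Symantec code.
SAMPLE_LOG below is constructed for the example and is not a real log.
"""
import re
from datetime import datetime

# Installation log naming convention from the guide:
#   "<Product> <M>-<D>-<YYYY> <H>h<M>m<S>s.log"
_NAME_RE = re.compile(
    r"^(?P<product>.+?) (?P<m>\d{1,2})-(?P<d>\d{1,2})-(?P<y>\d{4}) "
    r"(?P<hh>\d{1,2})h(?P<mm>\d{1,2})m(?P<ss>\d{1,2})s\.log$"
)

# "MSI (c)" = client engine, "MSI (s)" = Windows Installer service, "MSI (n)" = nested
_ENGINE = {"c": "client engine", "s": "Windows Installer service",
           "n": "nested installation"}
_PREFIX_RE = re.compile(r"^MSI \((?P<k>[csn])\)")

# The guide's key value, matched case-insensitively ("Return Value 3" / "Return value 3").
_RV3_RE = re.compile(r"\bReturn value 3\b", re.IGNORECASE)
# 4-digit action/error code following a "Note:" entry, e.g. "Note: 1: 1308 2: <path>"
_NOTE_RE = re.compile(r"\bNote:\s*1:\s*(?P<code>\d{4})\b")


def parse_log_name(name):
    """Return (product, creation datetime) parsed from an installation log file name."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError("not an installation log file name: %r" % name)
    created = datetime(int(m["y"]), int(m["m"]), int(m["d"]),
                       int(m["hh"]), int(m["mm"]), int(m["ss"]))
    return m["product"], created


def classify(line):
    """Name the engine an 'MSI (c)/(s)/(n)' entry belongs to, or None for other lines."""
    m = _PREFIX_RE.match(line)
    return _ENGINE[m["k"]] if m else None


def find_failure(lines, context=5):
    """Search the log from the bottom for the first 'Return Value 3' entry.

    Returns None if the log has no failed action, otherwise a dict with the
    index and text of the failing action, the lines just above it (where the
    actual cause is normally logged) and any 4-digit note codes seen there.
    """
    for idx in range(len(lines) - 1, -1, -1):
        if _RV3_RE.search(lines[idx]):
            ctx = lines[max(0, idx - context):idx]
            codes = sorted({m["code"] for l in ctx for m in _NOTE_RE.finditer(l)})
            return {"index": idx, "action": lines[idx].strip(),
                    "context": ctx, "note_codes": codes}
    return None


# Constructed sample: an InstallFiles action that fails because the source
# file is missing from the Desktop copy of the product (as in the unit's example).
SAMPLE_LOG = """\
MSI (c) (3C:5C) [06:50:10:123]: Running UI sequence
MSI (s) (A4:B8) [06:50:12:456]: Executing op: ActionStart(Name=InstallFiles,...)
MSI (s) (A4:B8) [06:50:12:457]: Executing op: FileCopy(SourceName=msvcp71.dll,...)
MSI (s) (A4:B8) [06:50:12:458]: Note: 1: 1308 2: C:\\Documents and Settings\\user\\Desktop\\NAV\\msvcp71.dll
MSI (s) (A4:B8) [06:50:12:459]: Error 1308. Source file not found: C:\\Documents and Settings\\user\\Desktop\\NAV\\msvcp71.dll. Verify that the file exists and that you can access it.
Action ended 06:50:12: InstallFiles. Return value 3.
MSI (s) (A4:B8) [06:50:13:000]: Product: Norton AntiVirus -- Installation failed.
""".splitlines()


if __name__ == "__main__":
    product, created = parse_log_name("Norton Internet Security 2006 7-7-2006 6h50m10s.log")
    print(product, created.isoformat())
    failure = find_failure(SAMPLE_LOG)
    print("Failed action:", failure["action"])
    for line in failure["context"]:
        print("  ", classify(line), "|", line)
    print("Note codes:", failure["note_codes"])
```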
Using the Windows Event logs, a user can check all the events that occur in the
computer irrespective of the user being logged on / off. Information about the
computer’s hardware / software or an application crash can also be gathered through
the Windows event logs.
1. Click Start
2. Click Control Panel
3. Click Performance and Maintenance
4. Click Administrative Tools
5. Double-click Event Viewer.
1. Application log
2. Security log
3. System log
Application log
System log
The system log contains all entries related to the operating system components.
Information on drivers that fail to load or any system service that fails to start will be
logged here.
Security log
The security log records successful and unsuccessful login attempts. It also logs
attempts made to access a restricted file or folder, etc.
Error
An error occurs due to a loss of functionality. If a specific file or program fails to load
(either manually or automatically), the event is termed an error, as
there is an interruption to the normal behavior. These types of "Error" events are
recorded in the Application log as Error.
Warning
Any event that may cause a problem in the future is an ideal Warning type of
log entry, for example Low Disk Space.
Information
Success Audit
Failure Audit
At times, after determining that a required Norton service is stopped, you may not be
able to start it. In this case, look at the status of its
dependent services. If a dependent service is stopped, the service in question
cannot be started.
http://support.microsoft.com/default.aspx?scid=kb;en-us;255905
The primary developer use for Orca is to edit MSI files. However, it can be an
invaluable support tool for viewing these files as well. In order to use Orca to view
the content of an .msi file, locate the file in question and right click on the file. Orca
installs a context menu handler that allows you to then choose “edit with Orca.” This
will then open the Orca editor and display all of the information contained within the
.msi file in question.
There is a large amount of information that can be found by using Orca. Not
all of this information is useful for troubleshooting purposes. Therefore, we will only
concentrate on the items necessary to aid with our troubleshooting.
SymNestedInstaller Table
CustomAction Table
The installation log file records every action outlined by the .msi file. These actions
are listed in the CustomAction table within Orca. In the example below we can see
several of these actions, such as RollBackStuff, Upgrade, EnableOBC, etc. When
analyzing an installation log file, we would expect to see an instance of every single
action listed in this table.
All of the custom actions listed above will be found at some point during the actual
installation sequence.
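To check a verbose log against the CustomAction table as described above, here is an added PowerShell example (not part of the course material). The action names and log lines are constructed samples; the "Action start" / "Action ended ... Return value N." lines are the form Windows Installer writes, where return value 1 means success.

```powershell
# Added example, not from the course. Cross-checks the action names copied from
# Orca's CustomAction table against a Windows Installer verbose log: each action
# should appear as "Action start HH:MM:SS: Name." and later as
# "Action ended HH:MM:SS: Name. Return value N." with N = 1 on success.
# The names and log lines below are constructed samples.
$customActions = 'RollBackStuff', 'Upgrade', 'EnableOBC'
$logLines = @(
    'Action start 10:15:01: Upgrade.',
    'Action ended 10:15:01: Upgrade. Return value 1.',
    'Action start 10:15:02: RollBackStuff.',
    'Action ended 10:15:03: RollBackStuff. Return value 3.'
)   # EnableOBC never runs in this sample

function Test-CustomActions {
    param([string[]]$Actions, [string[]]$Lines)
    $started = @{}
    $ended   = @{}
    foreach ($line in $Lines) {
        if ($line -match '^Action start \d{2}:\d{2}:\d{2}: (\S+)\.$') {
            $started[$Matches[1]] = $true
        } elseif ($line -match '^Action ended \d{2}:\d{2}:\d{2}: (\S+)\. Return value (\d+)\.$') {
            $ended[$Matches[1]] = [int]$Matches[2]
        }
    }
    foreach ($a in $Actions) {
        if (-not $started.ContainsKey($a))   { $status = 'never started' }
        elseif (-not $ended.ContainsKey($a)) { $status = 'started but never ended' }
        elseif ($ended[$a] -ne 1)            { $status = "ended with return value $($ended[$a])" }
        else                                 { $status = 'ok' }
        [pscustomobject]@{ Action = $a; Status = $status }
    }
}

Test-CustomActions -Actions $customActions -Lines $logLines | Format-Table -AutoSize
# For a real log: Test-CustomActions -Actions $customActions -Lines (Get-Content 'C:\path\to\install.log')
```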
InstallExecuteSequence Table
The Property Table can be used to obtain the ProductCode and UpgradeCode
for any MSI package, as shown below.
The ProductCode and UpgradeCode are important to note, in case a removal was not
completed. The ProductCode is sometimes the sole means of identifying Uninstall
keys. These are located in the registry at HKEY_LOCAL_MACHINE\
Software\Microsoft\Windows\CurrentVersion\Uninstall. The UpgradeCodes are
located in the registry at
HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\ (for Windows
98, Me and 2000) and
HKEY_LOCAL_MACHINE\Software\Classes\Installer\UpgradeCodes\ (for Windows
XP).
Without looking in Orca, there are other methods for obtaining ProductCode
and UpgradeCode information. For example, on Windows XP if you go to
HKEY_CLASSES_ROOT\Installer\Products\<GUID>\SourceList you can look on the
right at the PackageName. This means the GUID in the path is the ProductCode. If
you are doing a removal, and want to find the UpgradeCode, you can delete keys
already found (HKEY_CLASSES_ROOT\Installer\Products\<ProductCode>) and then
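The registry lookups described above, as an added PowerShell example that is not part of the course material. It relies on the fact that Windows Installer writes the key names under Installer\Products and Installer\UpgradeCodes in its "packed" GUID form (groups reversed), so the ProductCode from Orca must be converted before it can be looked up there; the ProductCode and UpgradeCode values are constructed samples.

```powershell
# Added example, not from the course. Windows Installer keys its Installer\Products
# and Installer\UpgradeCodes entries with a "packed" GUID: the first three groups
# are reversed and the last two are reversed two hex digits at a time. Applying
# the same transform twice gives the original GUID back.
function ConvertTo-PackedGuid {
    param([Parameter(Mandatory)][string]$Guid)
    $hex = $Guid.Trim('{}').Replace('-', '').ToUpper()
    if ($hex.Length -ne 32) { throw "Not a GUID: $Guid" }
    $rev  = { param([string]$s) -join $s[($s.Length - 1)..0] }
    $swap = { param([string]$s)
        -join (0..([int]($s.Length / 2) - 1) | ForEach-Object {
            $s.Substring(2 * $_ + 1, 1) + $s.Substring(2 * $_, 1) })
    }
    (& $rev $hex.Substring(0, 8)) + (& $rev $hex.Substring(8, 4)) +
        (& $rev $hex.Substring(12, 4)) + (& $swap $hex.Substring(16, 4)) +
        (& $swap $hex.Substring(20, 12))
}
function ConvertFrom-PackedGuid {
    param([Parameter(Mandatory)][string]$Packed)
    '{' + ([guid](ConvertTo-PackedGuid $Packed)).ToString().ToUpper() + '}'
}

# Constructed sample codes; take the real ones from the Property table in Orca.
$productCode = '{12345678-1234-1234-1234-123456789ABC}'
$upgradeCode = '{ABCDEF01-2345-6789-ABCD-EF0123456789}'
$uninstallKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\$productCode"
$productKey   = "Registry::HKEY_CLASSES_ROOT\Installer\Products\$(ConvertTo-PackedGuid $productCode)"
$upgradeKey   = "HKLM:\Software\Classes\Installer\UpgradeCodes\$(ConvertTo-PackedGuid $upgradeCode)"

foreach ($k in $uninstallKey, $productKey, $upgradeKey) {
    $state = if (Test-Path $k) { 'present' } else { 'absent ' }
    Write-Host "$state $k"
}
# PackageName under SourceList names the .msi that registered this ProductCode.
if (Test-Path "$productKey\SourceList") {
    (Get-ItemProperty -Path "$productKey\SourceList").PackageName
}
# Each value name under the UpgradeCode key is a packed ProductCode it covers.
if (Test-Path $upgradeKey) {
    (Get-Item -Path $upgradeKey).GetValueNames() | ForEach-Object { ConvertFrom-PackedGuid $_ }
}
```

The sample ProductCode packs to 8765432143214321214321436587A9CB, which is the key name to expect under Installer\Products.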
The Windows Installer Verbose Log Analyzer enables users to select a log file for
analysis. Once a log file is open, it provides a preview of the log file; when the
Analyze button is selected, it provides a detailed view of the log file and options
to debug the log files.
For further information on the MSI Log Analyzer, please refer to the following MSDN
documentation of the tool:
http://msdn.microsoft.com/library/en-us/msi/setup/wilogutl_exe.asp
The DebugHlp.exe tool must be run before installing the Norton program so that
the debugger can track and log the MSI activities. Unlike MSI log files, logging
through DebugHlp.exe is done per module. Once debugging is enabled, the logs are
saved in the C:\Symlogs folder. To use the DebugHlp tool:
1. Click Start
2. Click Run
3. Drag and drop the DebugHlp.exe
4. Enter the switch to start debugging and hit the enter key.
5. Logging starts.
/Debugon
This switch enables logging and starts creating logs in the Symlogs folder.
/DebugOff
/DebugOnOff
Enables and disables debugging instantly. This switch is used to log instantaneous activities.
/Runconfigwiz
Each log file holds the install information for that specific module. In case of an error,
the verbose logging will give information about that specific error and the cause of
the error.
If the debugger is enabled while the Norton program is running, it logs debug
information related to all activities. Any feature-specific error message can be
tracked by looking in the log that corresponds to that feature.
DebugHlp.exe also logs the updates that LiveUpdate downloads and installs. The
update logging information is held in Spa.log.
AccessEnum uses standard Windows security APIs to populate its list view with read, write and
deny access information. This information can be very useful in troubleshooting
installation or usage issues while using Norton applications.
http://www.sysinternals.com/Utilities/AccessEnum.html
With this, you can verify that the User has sufficient permissions to read and write
the ROOT directories and registry keys to ensure that all files can be read and
written to by both the User and the Norton Program started by the user.
Process Explorer
Process Explorer is a tool that shows complete information about a process,
including the handles and DLLs that the process has opened.
It also has a search capability that will quickly show you which processes have a
particular handle open or DLL loaded.
The display consists of two sub-windows. The top window shows a list of the
currently active processes, including the names of their owning user accounts. The
information displayed in the bottom window depends on the mode that Process
Explorer is in, which is one of the following two:
Handle Mode
If the bottom window is in handle mode, you can see the handles that the
process selected in the top window has opened.
DLL Mode
If Process Explorer is in DLL mode you’ll see the DLLs and memory-mapped files that
the process has loaded.
http://www.sysinternals.com/Utilities/ProcessExplorer.html
Most of the access denied error messages that you encounter can be diagnosed and
resolved using Process Explorer and AccessEnum. For more details on access
denied errors, please read the following document from Microsoft:
http://support.microsoft.com/kb/q245068/
The maximum number of hops is 30 by default and can be specified using the -h
parameter.
-j HostList : Specifies that Echo Request messages use the Loose Source Route
option in the IP header with the set of intermediate destinations specified in HostList.
With loose source routing, successive intermediate destinations can be separated by
one or multiple routers. The maximum number of addresses or names in the host list
is 9. The HostList is a series of IP addresses (in dotted decimal notation) separated
by spaces.
-w Timeout : Specifies the amount of time in milliseconds to wait for the ICMP Time
Exceeded or Echo Reply message corresponding to a given Echo Request message to
be received. If not received within the time-out, an asterisk (*) is displayed. The
default time-out is 4000 (4 seconds).
Further Information about the utility can be obtained at the “Tracert” page of the
Windows XP documentation. A link for the same is provided below:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/tracert.mspx?mfr=true
This tool can be used to determine the path traversed while trying to access a
Website.
InstallRite Scan
After running the scan, you install the program on the machine. Then you
perform another scan of your machine’s hard drive, and any changes reported
compared to the initial scan are considered to be part of the software installation. When
it is finished, you get a complete image of the trace left by an installation package.
The “Export details to HTML” and “Export details to TEXT” options can be used to get a
copy of the log from the customer’s computer.
The files that are added during the installation of the program
You can view the added, modified and deleted registry keys
http://www.epsilonsquared.com/anonymous/InstallRite25.exe
HijackThis scans all the load points and displays the contents or values that are
stored in them. It also shows the Processes that run in the background when the tool
is run. While HijackThis displays the values and data present in the load points, it is
up to the user to decide which program or file is malicious and which is valid. Once a
file or a program has been identified as illegitimate or malicious, it can be easily
deleted through the tool. The HijackThis tool itself cannot differentiate between a
legitimate and an illegitimate program. There are various ways of differentiating a
legitimate program from an illegitimate one, which will be covered in a later section.
Let’s now have a look at the tool itself.
http://www.hijackthis.de
Note: Extract the downloaded zip file and save HijackThis.exe in a folder.
Double-clicking on the tool should open a screen with several options. To analyze all
load points and running tasks, click on the “Do a System Scan and Save log file”
button. Clicking on this button should open a screen similar to the one shown below:
Each entry shown in this window has a specific value in the beginning. Each value
has its own specifications. Following is a description of each value:
HijackThis also creates a log file for the user’s convenience so that it can be sent
across to an expert (or a technician for an analysis).
Once the log file has been obtained, it can either be analyzed manually or can be
pasted on the HijackThis website (www.hijackthis.de) for automatic analysis.
Manual Analysis
Note: Before deleting a file through HijackThis, make sure that the file / program is
malicious.
By analyzing the log / results, browser hijackers and hosts file redirections can also be
countered. To remove a hosts file entry, simply place a check mark next to the O1
value(s) and click the “Begin Fix” button. Do not remove entries in the hosts file that
may have been intentionally added by systems administrators.
There are several Miscellaneous Tools available in HijackThis that can be used for
advanced troubleshooting. The following section provides an overview of the
advanced HijackThis options:
Process Manager
Process Manager is a Task Manager-like tool that shows all running tasks along with
their paths and Process IDs. Information about DLL file dependencies can also be
viewed by selecting the “Show DLLs” check box.
This option opens a small hosts file editor to remove / modify the hosts file entries.
A file specified through this option will be deleted upon the next system restart. This
option is ideal when a user is unable to delete a file that is in use or is
running in the background.
Delete an NT service
Uninstall Manager
Use this feature to remove entries from the Add/Remove Programs list. It can be
used to remove an entry for a program that is left in the Add/Remove Programs list
even though the program has been uninstalled.
The main use of the HijackThis tool is to identify malicious programs and eliminate
them. Use of this tool must be controlled and confined to an appropriate
environment. Do not delete a file or a program through HijackThis if you are
unsure that it is illegitimate. Always consult a Supervisor or a lead before doing so.