Real-Time Protection?

SRD

MAS install on my WinXPSP2 system was uneventful and MOST
of the program appears to function as advertised. Real-
Time Protection Security Agents are, however, a notable
exception.

Internet, System, and Application Agent statuses are each
reported with "25 of 25" Agents Active. Drilling down to
their respective "Management" levels yields only ONE
Internet Agent Checkpoint (Windows Host File), the status
of which cannot be changed, and NO System or Application
Checkpoints.

I've attempted several uninstalls/reinstalls with no
effect. Suggestions?!?
 
Bill Sanderson

What else are you running? Particularly security or antivirus type
applications?

Did you try control panel, add or remove programs, Microsoft Antispyware,
change, update?

I know this seems as though it should be the same or "less" than the
uninstall reinstall, but it may be worth a try.

Are you on the .509 build posted February 16th? (see Help, about)
 
Guest

I should preface this list of security apps with the fact
that I installed MAS on two virtually identically
configured PCs. One seems to be working perfectly. The
other has the problem described below.

Both systems run Norton AntiVirus 2005 (disabled during
MAS install) and ZoneAlarm Pro 5.5 (MAS has Internet
access).

I have, in fact, tried uninstalling and updating via
Control Panel. Neither had any effect.

SRD
 
Bill Sanderson

I'm stumped. If you go to Tools, advanced tools, system explorers, and in
the left column, down to System, Shell Execute Hooks--what hooks do you see
listed there?
 
Joe

I'm having the exact same issues. System agents do not seem to be
functional. If I go to the system agents, or any of the agents,
configuration pages, I cannot view the actual agents, or change any of the
settings. The only thing that actually seems to be working is the Spyware
scanning function. Running WinXP Pro SP2 with all available windows updates
installed. Also running Symantec Client Security 2.0, which I disabled
during install. Uninstalled, restarted, reinstalled, and nothing changed. I
re-downloaded app this morning from microsoft.com, but it did not
help.......
 
Joe

Okay, I installed the program on another machine in our environment that is
only running Symantec antivirus, and not the firewall. It seems to work just
fine. Looks like something in the Symantec Security applications is killing
the agents for MAS.....any ideas?
 
Bill Sanderson

So what is your answer to the question I posed to the O.P. in the post that
you replied to?

(i.e. system explorers, shell execute hooks content?)
 
Joe

Sorry Bill, looks like I responded to the wrong string. I was just trying to
add to the post about the general real-time protection issues. Sorry 'bout
that.
 
Guest

Interestingly, the System Explorers column is BLANK.
There is NOTHING below the "System Explorers" heading.

SRD
 
Bill Sanderson

big embarrassed shrug!

What can I say--you are hitting multiple beta bugs.

I would sure like to have a sure-fire recipe for what is wrong when you see
this symptom, because at the moment it is one of the most common complaints.

I don't have one.

If you are comfortable with looking at the registry, and can use care not to
change anything, this information is at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

Here's what I see there--this is in the form that an export gives, but check
out the number of items and the GUIDs involved.

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook"

(no need to post yours--just say if it agrees or if you have additional
hooks there.)

This may well be a wild goose chase, I'm afraid.
 
Guest

I have EXACTLY the same entries you list below. No more,
no less, and no different (under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks).

SRD
 
Joe

Not sure if it helps or not, but I am having basically the same issue as
SRD, but I have an additional entry in the registry key that you listed.
I have listed it below.

"{0cab0400-7395-11d0-a5e5-0020afe2fdd9}"=""
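
The by-eye comparison of ShellExecuteHooks entries in the posts above, written out as an added example (not part of any poster's message and not Microsoft's tooling): it parses registry export text, collects the values under that key, and reports GUIDs beyond the two Bill lists. The sample export is constructed from the entries quoted in the thread plus a made-up second key, and the function names are this example's own.

```python
import re

# Key path as given in the thread.
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"

# Baseline: the two entries Bill lists (upper-cased so comparison ignores case).
BASELINE = {
    "{AEB6717E-7E19-11D0-97EE-00C04FD91972}",
    "{9EF34FF2-3396-4527-9D27-04C8C1C67806}",
}

VALUE_RE = re.compile(r'^"(\{[0-9A-Fa-f-]{36}\})"="(.*)"$')

def parse_hooks(export_text, key=KEY):
    """Return {GUID (upper-case): description} for the values under `key`.

    regedit's "Version 5.00" exports are UTF-16; decode before passing text in.
    """
    hooks, in_key = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):          # section header: a new key begins
            in_key = line.strip("[]").lower() == key.lower()
            continue
        m = VALUE_RE.match(line)
        if in_key and m:
            hooks[m.group(1).upper()] = m.group(2)
    return hooks

def compare(hooks, baseline=BASELINE):
    """Return (extra, missing) GUID lists relative to the baseline."""
    return sorted(set(hooks) - baseline), sorted(baseline - set(hooks))

# Constructed sample: the thread's entries, plus an unrelated key that must be ignored.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook"
"{0cab0400-7395-11d0-a5e5-0020afe2fdd9}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\ConstructedKey]
"{11111111-2222-3333-4444-555555555555}"="ignored: different key"
'''

if __name__ == "__main__":
    extra, missing = compare(parse_hooks(SAMPLE))
    print("extra:", extra, "missing:", missing)
```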
 
Bill Sanderson

At this point, I'm not sure what I was thinking, in terms of that hook. If
a user has a significant performance issue which is fixed by turning off
real-time protection, then my current theory is that code involved in that
hook is responsible in some way. I was hoping to find that perhaps there
were other factors--malware using that hook as well, for example.

Clearly that's not the case on your system.

I think I'd pull it off and wait for another release, barring better ideas
from the lurkers.
 
Bill Sanderson

I'd consider blocking that using the system agents in Microsoft Antispyware,
to see if anything changes. I suspect it won't, and that I've been barking
up the wrong tree in terms of that hook and the problems in this thread, but
it is worth trying. This looks like something old that isn't fully removed,
but I don't have enough experience looking at these entries on lots of
machines to say.
I googled for that string and got no hits at all. That may be
significant--it may be generated randomly--but whatever it was, it doesn't
look to me as though it is doing anything at this point.
 
Zsolt

I am having exactly the same issue. MS Antispyware was
working fine until I installed Norton SystemWorks 2005
Premier. I tried to uninstall SystemWorks but it didn't
solve the problem.
Can you install a SystemWorks 2005 to a computer at
Microsoft to see what happens?

Thanks:
Zsolt
 
Joe

Okay, I did not mention it initially, but I am logging onto a domain, as
opposed to logging on locally. In my quest to figure out why this was not
working properly, I decided to install the app using the local admin
account. I logged into that account, and installed the software, and it
worked great. Logged out, and logged into the domain account (which also has
admin rights), and it still did not work. Closed MAS, and ran it as the
local admin, and now it works. So, long story short, I have to run MAS as a
local admin to get it to function properly. Does this seem to make sense, or
is it just a coincidence?

JD
 
Bill Sanderson

No--I don't think it is a coincidence. That's why I try to use the phrase
"signed in as administrator on the local machine."

I'm not sure that's a perfect phrasing--I'd welcome suggestions for getting
that as crystal clear as possible.

This is not so much a design intent as a "current state of the beta" issue,
I believe--I'd at least look for the precise conditions to be specified
clearly by final release.
 
Bill Sanderson

Microsoft reads these groups and this issue has come up repeatedly. I don't
work for Microsoft, and don't have direct contact with the development team.
There may well be good reasons why the only statement they are able to make
will be something like:

"We are aware of this issue and it is under investigation."

I'll see if such a statement is possible.
 
Guest

Thanks for your advice, Bill.

FWIW, my copy of NAV is actually a component of Norton
SystemWorks Premier 2005. Interestingly, however, NSWP
2005 is running in the same configuration on the other
system to which I referred previously (the one where MAS
works perfectly).

SRD
 
Bill Sanderson

Hmm - so we've got the same product pair on two machines--one is fine and
the other is not?

This sounds like something which might be easily zeroed in by simply hooking
both machines up to a debugger and spending a lot of time looking at things
very carefully.
(that was intentional understatement--"easily" in this case involves quite a
bit of expense.)

Software is so gloriously messy. Surely you'd think something that is
binary would behave a bit more predictably.
 
