Antispyware updates /symantec Antivirus

[Bill Sanderson]

A couple of other users have now posted that System Restore enabled them to
get Symantec Antivirus fully functional again. If you are on a version of
Windows that includes this feature--such as XP--I'd recommend that route
over the attempt to manually uninstall.

5805 didn't come out 'til the wee hours of this morning--any restore point
before midnight of last night should be good, in terms of this issue.

--

 

[Bill Sanderson]

Excellent. I'm happy to say that the one office I admin that might have
been affected wasn't, so I haven't had any first hand experience .

--

 

[Bill Sanderson]

That should be good--if you were experiencing the false positive, it should
be gone now.

--

 

[Guest]

with 5807, 160/160 all OK now !!!!!
0 detected.

Until you see 160/160 the 5807 is not fully in place, and I would ignore
scan results showing the false positive.

 

[Bill Sanderson]

Terrific--glad to hear it!

--

with 5807, 160/160 all OK now !!!!!
0 detected.

 

[Robbie]

Thank you Bill For these links was the only way I could get MSAS to update
to 5807....Been trying and it was bouncing from 160/158 to 160/156 It is
now 160/160 after I download them manual and putting them in the right
folder. Got 5807 this way.
Microsoft AntiSpyware Version: 1.0.701
This version expires on: 7/31/2006
Spyware Definition Version: 5807 (2/11/2006 12:14:17 PM)

Definitions Increment Version: 160/160
Definitions ThreatAuditThreatData: 1355029
Definitions ThreatAuditScanData: 3098970
Definitions DeterminationData: 806390
Software Update Check Date: 2/9/2006 2:46:37 PM

The software Update check time is wrong been doing this since yesterday...it
downloaded 3805 and 3807 many times. Just never stuck

Robbie

 

[Bill Sanderson]

Terrific--glad that worked. It shouldn't be necessary--the distribution
system should settle down over time. Yet another issue that will change for
the better with beta2, which unfortunately is not here yet.

--

 

[Robbie]

This is the first time it refused to update...I had it before where it may
once or twice but not this...
Robbie

 

[Guest]

We have a machine where the System Restore Points appear to have been
corrupted by this, and the person has now spent hours trying different
solutions before I discovered that the cause was MS AntiSpyware. She's
persuing using Symantec's tool to remove NAV 2006 and then reinstalling.

Also, it does NOT seem to impact '05 versions.

 

[Guest]

Latest Antispyware definitions (version 5805, 5807) detects Symantec
Antivirus files as PWS.Bancos.A (Password Stealer). Users panic and do
"remove" and now you have exposed system. Because Symantec Antivirus is now
corrupt and will not protect your PC from incoming virus.

Yes! I was quoted on Washington Post article.

http://blog.washingtonpost.com/securityfix/2006/02/microsoft_antispyware_deleting_1.html

Hey Kris N., Craig N., Ken N., do u believe me now?

 

[Guest]

I for one am going to trust the spyware, if the fingerprint matches then
there's a good chance the process is the same, after all they can't even keep
their registry entries on one branch.

 

[Guest]

As Bill said, try System Restore if you have a restore point before the
incident, try using your original install CD. If all else fails, you can also
try one of the following (depending on which version of Norton you have):

Removing your Norton program using SymNRT (Norton AntiVirus 2004/2005/2006)
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

Removing Norton AntiVirus 2003 or earlier by using the Rnav2003.exe removal
utility when Add/Remove programs fails
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2001092114452606

Uninstalling Norton Internet Security or Personal Firewall 2003 or earlier
using the RnisUPG.exe removal utility
http://service1.symantec.com/SUPPORT/nip.nsf/docid/2001090510510636

Manual uninstallation documents for Symantec Client Security products (this
is Norton/Symantec Corporate)
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2002031914291648

If all else fails, I have found a utility known as NoNav to be very
effective at removing Norton:
http://home.utm.utoronto.ca/~keith/uninstaller/

Make sure you read the NoNav.pdf

 

[Guest]

Well, this might not help you in the short term I was so tired to hve to deal
with security problems in Windows that I now, along with all my familly, use
Linux. We never have this kind of problems. Perhaps you should consider
switching...

 

[Bill Sanderson]

Here's my understanding of the hierarchy of repair options:

1) System Restore if available (i.e. if it exists on the platform and the
restore points work!)

2) Use the tools available on the original Symantec media to do the
uninstall/install--this seems to work when add/remove programs does not.

3) Automated or manual uninstall instructions/tools provided by Symantec
that are definitely for your precise version of their software. This can be
difficult to determine sometimes--there are situations were the exact set of
upgrade circumstances may be needed to get this right, as I recall.

I'd be interested in hearing precisely what Norton version is involved--this
should only be impacting the Corporate Edition products, but there are a
number of those. Email would be fine if you (e-mail address removed)

--

 

[Bill Sanderson]

I like that list of manual uninstall docs--that's very valuable in this
situation. Most affected users I believe have one of the corporate edition
products --and they are covered well in that list. I'm not clear whether
the automated uninstallers do the right thing with the Corporate products.

 

[Bill Sanderson]

Jo is correct. This was a false positive in definitions 5805. However,
this false positive is, in fact, fixed in definitions 5807. There's some
confusion about this because the definition update process may result in
incomplete updates under some circumstances, and we are seeing some
confusion as a result of that issue.

If you have definition 5805, and are seeing this detection, I would strongly
urge you to:

1) don't clean the detection--choose ignore.
2) do File, check for update, and get definitions 5807.

--

 

[Bill Sanderson]

Jo - I believe you. However, I also believe that this was fixed with the
5807 definitions.

If you are still seeing this detection with 5807 in place, I'd like to see
the output from Help, about--Diagnostics button. In particular--look for a
line ending in 160/160. If you don't see both those numbers, then the 5807
definitions are not fully in place, and you should re-try File, Check for
updates.

--

 

[Guest]

SystemWorks Premier 2006 and Internet Security 2006.

At this point, she's fit to be tied. She was deliberating between calling
Symantec and paying $39 for further deletion help since she still can't get
it totally removed (new installs "fatally fail", I told her to remove
anything in registry that says Norton or Symantec". if that doesn't work,
she's going to backup her data and use Dell PC Restore by Symantec to be "as
shipped" and then reinstall her other programs.

Needless to say, she's fit to be tied that MS AntiSpyware did this, she has
no recollection of getting a warning or deleting anything. However, on
Friday morning, 2/10, she no longer could send emails, and her Norton
products were no longer on the Programs menu. All virus scans were negative.

 

[Guest]

Hi all,

I have been using NoNav for months when dealing with clients that would not
uninstall cleanly. It is very good, but it reboots your system without prompt
after the uninstall.

Cheers
Fulvio

 

[Bill Sanderson]

Frankly, this does not sound like the same issue as the false positive in
definitions 5805.

I would recommend using Norton's automated removal tools:

I believe that the SymNRT removal method, as outlined in this document:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

should be appropriate.

There's a number of steps and several downloaded programs involved in this
method, but it should be effective--it's what Symantec recommend themselves.

I recommend reading through the procedure and collecting the various
downloads needed, and printing out the procedure.

I can't say that I've ever used this tool myself, so I don't know what
gotchas to keep an eye out for--but this is the route I'd go next.
--