SP2 breaks antivirus software

Edwin Davidson

I installed XP SP2 onto a test XP station. Although it recognized
eTrust antivirus 7.0, it broke it as well.

The station could no longer get antivirus pattern updates over FTP.
The XP firewall log showed that the XP firewall was blocking the FTP
connections being made by eTrust to update its pattern files.

I checked on esupport.ca.com, and sure enough CA knows that there are
problems with eTrust and XP SP2.

The problem I have is all the laptops that are all over the world,
that are configured to use Automatic updates, that will get SP2 and
will no longer be getting antivirus updates.

The users will not complain, because they don't see anything wrong.
Getting all of these folks in so we can install SP2, and then install
the eTrust patches (which must be installed AFTER SP2 is installed.)
is going to cost us a lot of money.

My question is this: Why does XP SP2 recognize eTrust antivirus is
installed and subsequently prohibit it from updating the antivirus
patterns?

While I am making provisions to handle this, I know that thousands of
XP/CA customers will not have the resources to address this issue and
thus they will be scr*d over by another Microsoft *feature* (patch)
that breaks things. (The firewall isn't going to block e-mail/http
borne viruses.)

Am I mistaken?

Edwin Davidson.
 
Mike Kolitz

You can't have it both ways. Either the firewall does its job and blocks
traffic that's not specifically allowed, or it doesn't do anything at all.

Poking holes in the firewall automatically is no good... it should be up to
the administrator to poke the holes manually, if they want the security
level lowered for whatever reason.

You mentioned that you have laptops set up to download updates
automatically. You can prevent Automatic Updates from downloading SP2 using
the tools at this page:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2aumng.mspx

This will delay the download by 120 days from 8/16, and should hopefully
give CA time to make whatever patches or articles that are necessary to fix
this issue available to the public.
 
Edwin Davidson

So, while XP SP2 recognizes eTrust antivirus is running on my machine,
and shows that it is currently up to date on its pattern files, it is
SP2's default to prohibit Antivirus Pattern updates from the
recognized antivirus software?

Seems very odd to me. It's an outbound FTP connection from a
registered service that is recognized by XP SP2. It's not an inbound
FTP connection. The service doesn't run an FTP server.

Call me crazy, but I would think that Microsoft would want to continue
to allow the antivirus software to download pattern files by default,
esp. when SP2 recognizes the antivirus software that is installed.

I have no plans to ever approve XP SP2 on my SUS servers. I don't
want the firewall to be turned on, which breaks a lot of my apps., and
I don't want to go around manually patching these machines to fix the
restriction on Anonymous RPC connections that also breaks eTrust's
management functionality. eTrust AV has no automatic update
functionality, other than the pattern files. Most of my XP stations
are not on the Active Directory, so no GPO management.

I also work as a consultant, outside of my normal job. I have the
feeling that when my clients' automatic updates get SP2, and they find
their Peer-Peer networks and software quits working, I will be getting
more calls than I can handle. Some may fumble their way through the
firewall, but many will not. To this aspect, I like SP2 --
Additional income is always welcome, and this should generate it.

Edwin Davidson
 
MikeP

I have no problems with autoupdating eTrust EZ Antivirus with XP SP2's
firewall enabled.
 
Mike Kolitz

Edwin said:
It is
SP2's default to prohibit Antivirus Pattern updates from the
recognized antivirus software?

No, it's SP2's default to stop any unsolicited connects from external
sources into the local machine. This has nothing to do with anti-virus
software.

Edwin said:
It's not an inbound
FTP connection. The service doesn't run an FTP server.

I understand that. That's why there's got to be more going on here. Can
you post a link to the page you found on CA's website about their issues
with SP2? I'd like to try to understand more of what's going on here.

Edwin said:
Call me crazy, but I would think that Microsoft would want to continue
to allow the antivirus software to download pattern files by default,

Ed, again... this has *nothing* to do with anti-virus definitions
specifically. As I said before, you *CAN'T* have it both ways. You're
either secure by default, or you're not. There's no middle ground.

Edwin said:
eTrust AV has no automatic update
functionality, other than the pattern files.

:: comment about how I feel about eTrust removed due to better judgement ::

Edwin said:
Most of my XP stations
are not on the Active Directory, so no GPO management.

Do you have the ability to run some sort of network-based logon scripts on
them? If so, you can control the firewall that way.

Edwin said:
To this aspect, I like SP2 --
Additional income is always welcome, and this should generate it.

Well, they'd either call you once if their software stops working because of
the firewall, or call you consistently whenever they get hit by the next big
worm...

Personally, I'd prefer the former.
 
Jason Tsang

Your AV is using FTP as the transport mechanism to download the updates.
FTP is not a very good protocol when it comes to dealing with how data
traverses a firewall. Chalk it up to how the protocol works.

There are two FTP modes, active and passive.

With a firewall or a shared connection, active mode ftp won't work unless an
Application Layer Gateway (ALG) is present to dynamically open the ports
needed for active mode ftp to work. Windows XP provides such an ALG
service. In addition to the ALG service running, you should also be
prompted for an incoming connection request from the firewall as in the
process of an active mode ftp transmission, a listening port will be
created. In summary, for active mode ftp, if the firewall exception isn't
there and the ALG service isn't running, then active mode ftp will fail. I
suspect it is this reason why your AV software can't update itself.

Passive FTP on the other hand does not require an ALG service for active
mode FTP nor does it require a firewall exception because no listening port
is needed. However, your AV company's FTP server will need to support it (I
would bet that they do). If the server FTP supports passive mode, you
should use passive mode ftp to connect to the av company's FTP server. You
should be able to find a place to specify this option (hopefully).

Hopefully this explains why your AV software might not be updating itself
(re: FTP issues).

To say that SP2 breaks antivirus software is such a sweeping generalization
that is groundless when you analyze what is going on. The AV company in
question should probably pick an updating mechanism that is more
firewall/NAT friendly (FTP is not firewall or NAT friendly... in fact it is
one of the worst protocols to use in terms of dealing with firewall
traversal, HTTP on the other hand is much better suited for this).
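
The active/passive distinction described in the post above, as an added Python example that is not part of the original thread: it reads FTP control-channel lines, decodes the listener address from the `PORT` command or the `227` reply, and reports which side must accept the data connection. The function names and sample traffic are constructed, and `client_firewall_verdict` is a simplified model of the post's summary (active mode fails when neither the ALG nor an exception is present), not the Windows Firewall's actual logic.

```python
import re

# RFC 959 host-port form "h1,h2,h3,h4,p1,p2", used by the client's PORT
# command and by the server's "227 Entering Passive Mode (...)" reply.
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(text):
    """Return (ip, port) from a PORT command or 227 reply, or None."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        return None
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]

def data_channels(control_lines):
    """Yield (mode, listener_ip, listener_port) for each negotiated data channel.

    control_lines: (sender, text) pairs, sender "C" (client) or "S" (server).
    """
    for sender, text in control_lines:
        if sender == "C" and text.upper().startswith("PORT "):
            hp = decode_hostport(text)
            if hp:
                yield ("active",) + hp    # client listens, server dials in
        elif sender == "S" and text.startswith("227"):
            hp = decode_hostport(text)
            if hp:
                yield ("passive",) + hp   # server listens, client dials out

def client_firewall_verdict(mode, alg_running=False, exception_present=False):
    """Simplified model of a client firewall that drops unsolicited inbound."""
    if mode == "passive":
        return "allowed: data connection is outbound from the client"
    if alg_running or exception_present:
        return "allowed: inbound data connection is expected or excepted"
    return "blocked: unsolicited inbound connection to the client's listening port"

# Constructed sample control-channel traffic (private/documentation addresses).
SAMPLE = [
    ("C", "PORT 192,168,1,20,19,137"),
    ("S", "200 PORT command successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,10,195,80)"),
]

if __name__ == "__main__":
    for mode, ip, port in data_channels(SAMPLE):
        print(mode, ip, port, "->", client_firewall_verdict(mode))
```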
 
Alex Nichol

Mike said:
I understand that. That's why there's got to be more going on here. Can
you post a link to the page you found on CA's website about their issues
with SP2? I'd like to try to understand more of what's going on here.


There is no fundamental difficulty other than some that there may be at
CAI's server. I have known several occasions when it was unable to
update for an hour or so, then on a fresh attempt did it without a
murmur. Possibly when they are bringing in a new version.
 
Edwin Davidson

#1) FTP issue. CA uses ACTIVE FTP. We currently use this internally
through our network's firewall, and it works fine. There is an option
to switch to PASV, but it requires A) A patch to be installed, and b)
a registry hack. Both ZoneAlarm and Sygate function fine using ACTIVE
FTP. The XP SP2 firewall did not prompt me to allow this Active FTP
connection. It did prompt me for many other things, such as if I
wanted my SMTP server to continue to accept incoming e-mail (This is a
development box, the SMTP is my own coding.) Which was impressive.
It asked if I wanted to allow other things, and it did ask me if I
wanted to allow INODIST to connect, which I said yes. You can see the
initial FTP connection, but when the PORT command is issued, the XP FW
stops it. So I would say your assumption is correct. The problem is
these are remote machines that I have no easy way of doing anything
to.

#2) http://esupport.ca.com/public/antivirus/infodocs/etrustav-xpsp2alert.asp
is the link., but you will probably need an account. Here is what the
link shows

Windows XP SP2 introduced a Windows Firewall component. By default the
firewall is set to block ports that eTrust Antivirus needs. We would
recommend to perform the following:

For eAV 6.0, 7.0 and 7.1 installations, please run the
AVEnablePorts.exe utility. The utility can be downloaded from
ftp://ftp.ca.com/pub/inoculan/AVEnablePorts.exe.

Windows XP SP2 also removed the Anonymous Access in the Remote
Procedure Call (RPC).

For eAV 7.1 installation, this is not affected.

For eAV 6.0 installation, please apply fix QO58103.

For eAV 7.0 installation, please apply fix QO58101.

Please contact your CA Technical Support for additional assistance.

----------
Again, the problem is that I don't have the ability to do anything on
these machines. They are all over the place.


That Microsoft link helps, but I am already provisioning to handle
this issue. We will be having the folks send these laptops in for
patching. My complaint is that there are a ton of other eTrust AV
users, and many of them will probably not be watching this SP2 issue
as seriously as they should. Past experience shows that these folks
will end up with SP2, but AV updates will quit working.

I applaud Microsoft's bold steps with XP SP2, I just wish that the
eSafe Antivirus updates would have been handled better by SP2. Like I
said, ZoneAlarm and Sygate handle it from the get-go correctly.

Edwin Davidson
 
Edwin Davidson

While that has been an issue in the past, their FTP servers have been
pretty stable for a while. Besides, the SP2 firewall log shows the
connection as being blocked by the firewall.
 
sarah5211314

Norton 360 coupon code: Norton 360 is one of the powerful security software of the Symantec Corporation.Every year,Symantec Corporation releases the new version . When you surf on the Internet ,just search Norton 360 coupon code,you can see the official Internet-http://www.antivirusprice.co.uk/Enter and get the cord. There are plenties of Norton 360 Coupons and Promotion Discounts. For example ,30% off Norton 360 v5.0,the cord following is N360SVNGS30. Or click the button “Click here to display code ”,search what you need.
 
Paul

Bill said:
Ummm, I don't think so!
I wouldn't touch Norton now with a 10 foot pole. A decade ago, you bet;
but not now (ever since its assimilation by Symantec, more or less). But
back in the DOS days, Norton was great.

The coupon lady is selling V5.0, and the current version is V6.0,
as near as I can tell. Copies of V5.0 on Newegg say "discontinued".

Paul
 
David H. Lipman

From: "Bill in Co said:
Ummm, I don't think so!
I wouldn't touch Norton now with a 10 foot pole. A decade ago, you bet; but not now
(ever since its assimilation by Symantec, more or less). But back in the DOS days,
Norton was great.

It is nothing but a spam campaign from China. There are these pseudo replies with similar
content all over Usenet all for the same Norton 360 and that web site.
 
Hot-Text

Norton 360 coupon code: Norton 360 is one of the powerful security software of the Symantec Corporation.Every year,Symantec
Corporation releases the new version . When you surf on the Internet ,just search Norton 360 coupon code,you can see the official
Internet-http://www.antivirusprice.co.uk/Enter and get the cord. There are plenties of Norton 360 Coupons and Promotion Discounts.
For example ,30% off Norton 360 v5.0,the cord following is N360SVNGS30. Or click the button “Click here to display code ”,search
what you need.

The newer Norton needs SP3 to run right...
 
