Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case)

Ok, so I sat down yesterday and started migrating my network and clients over to the new Symantec Corporate Anti-Virus v10 package and ran into an interesting dilemma. If you want to skip my enlightening path to discovery and just get to the solution then scroll down to the Solution header otherwise read on.

Right off the bat I must warn you DO NOT INSTALL the v10 server anti-virus over a terminal server remote desktop connection!! I can’t stress this enough. If you install the server version, or do an in place upgrade of your v9 server install over a terminal server remote desktop it will not function correctly. The new v10 software uses self issued PKI certificates to secure server-to-server comms, among other things I’m sure, and they will not generate correctly if installed from anywhere but the console. Save yourself the headache, install the server software on-site, at the console, and not via RDP! If you do fall into this trap follow the “Rebuild the PKI folder structure” section of the Symantec KB article Symantec Anti-Virus server shows "Disabled" in the Symantec System Center after migration.

Ok, with the server gotcha’s out of the way I sat down at my first PC and started installing the new v10 package. All looked well until it started to install the LiveUpdate package. Here’s where it got interesting. The install process just, well… went out for lunch. The process didn’t hang or even consume large amounts of overhead, it just sat at the Installing LiveUpdate screen…. FOREVER! So…

My next thought was instead of installing the client from the server’s CLT-INST/WIN32 directory to try and install the client from the original CD. Now, for those of you who don’t know the CLT-INST directory is in the VPHOME share of the server computer and has all the proper GRC.dat files etc. needed for a seamless network install. It is easier to install from this directory, it’s the same files used for the “push” auto install you can initiate from the Symantec Console. You can also install from the original CD and just specify the server and group you want the client to be a member of. Of course this is not an option for large installs… I’m just laying out my train of thought. Anyway, it produced the same result but if you are reading this… you already know that.

—Solution—

Ok, you’re probably getting tired of my trek so I’ll bring it all together for you. If you run ISA Server 2004 (pre-SP1) and the proxy client is installed on the client’s workstation the Symantec install will halt at Installing LiveUpdate. If you uninstall the proxy client the Symantec install will succeed. Of course, who wants to uninstall the proxy client, install Symantec Corp v10 then go back and install the proxy client again. Luckily, you don’t have to.

The secret here is ISA Server 2004 SP1. If your ISA 2004 server is not running SP1 then shame on you!! Since ISA Server 2004 requires Windows Server 2003 and ISA Server 2004 SP1 is required prior to installing Windows Server 2003 SP1 that means you aren’t patching your servers! Bad admin, bad bad. Anyway, I digress so please excuse me, even if you installed SP1 on your ISA box you might have forgotten to push out the new proxy client to the workstations. Here’s how you tell. Open the Firewall Client on a workstation and click the help button in the bottom right corner. If you see this:

A pre-SP1 proxy client

Then you are running the pre-SP1 proxy client and the Symantec v10 install will hang. Push out the new SP1 proxy client to your clients, you should have anyway, and the install will complete successfully. You want to see this:

The SP1 proxy client version number

There you have it. One of those days where you are just embarrassed in the end that something so simple kick your ass so hard. Yes, I’m a bad admin because I forgot to push the new proxy client out. I paid for it yesterday. Now, the easiest way to push this new proxy client out is via Group Policy. If you need help with that just post a comment. Oh, and most of you might have already found this but here is Symantec’s KB page listing this problem with no solution. Installation of Symantec Anti-Virus Corporate Edition 10.x stops at “Installing LiveUpdate” when using Microsoft ISA Server proxy Perhaps they’ll read this post. The workaround listed in the article above doesn’t work… why? One there’s not enough information given since an exception requires more than just the process name but as you may well know Google is full of people that have tried this workaround and failed time and time again. Moral? Don’t waste your time, update to SP1 and push out the new proxy client before you install the v10 update of Symantec Corporate Anti-Virus.

posted on Wednesday, July 13, 2005 2:13 PM

Feedback

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case) 8/19/2005 10:02 AM Robert Taylor

Eric, although I was aware of the DCOM service hanging, I did not know why. Thank you!!!! My ISA clients were not up to date and this was huge.

I was curious how you rolled out the update via Group Policy. I am starting to learn and work with it more, but I am unsure of the task to roll my Firewall client out.

Great article, I can relate!

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case) 8/29/2005 4:25 AM stillabdul

How is this upgrade done through group policy?

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case) 8/29/2005 5:29 AM Eric Hammersley

This is done via the Computer Configuration...Software Settings... Software Installation. You right click and create a new package and point it to the .msi file for the ISA client. You can do an advanced setup but I don't think you need to. If I remember correctly the ISA client is straight forward.

NOTE!!! Do not distribute this via the Default Domain Policy! If you do it will not only install on the domain workstations but it will also install on your servers! The best thing is to have your workstations divided up into OUs specific to their function and push group policies to them outside the Default Domain Policy.

You may have to reboot the workstations twice or run gpupdate /force to get the changes to run quick.

This is not meant to be a Group Policy Primer, I'm afraid I don't know enough to go that far.

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case) 9/5/2005 3:14 AM John Maunder

Eric,

I owe you big time.

I have spent countless hours on this problem & found your article by chance.

I found the Symantec suggestion re ISA2004 but proved it didnt work by connecting the client directly to the internet.

I very much appreciate you taking the time to publish the solution.

Thanks,

John

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case) 9/5/2005 8:43 AM Eric Hammersley

Wow, outstanding! I appreciate the thank you. I had hoped it would save someone some time.

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case) 9/18/2005 5:55 PM Paul Bellanca

Eric
How do you change the group once virus software installed on client? Does it have to be uninstalled to point to new primary server.
tia Paul

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case) 9/19/2005 7:07 AM Eric Hammersley

Hey Paul, The easiest way is to drag and drop the client into a different group via the MMC snap-in on the Primary Server. After a few minutes the client will see the change and switch groups.

If for some reason the above won't/doesn't work you can force the change with the grc.dat file. Go to the Symantec Support page for v10 here (this server doesn't allow URLs in comments so cut and paste)

www.symantec.com/techsupp/enterprise/products/sav_ce/sav_ce_10/search_ts.html

Once there search for grc.dat and find an article titled "A guide to grc.dat..."

This article will explain or link you to articles that will explain to you how to force a client into another group manually via the grc.dat file.

Note: this is a bigger pain in v10 because of the PKI certs they've added to the servers. The article however says it is still possible.

Good luck.

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case) 11/3/2005 5:55 AM Rodney Dixon

God bless you man!!!!! If you only knew the hours I spent trying to figure this one out.

Now it's off to Symantec site to rate the "usefullness" of their knowledge base article.

P.S.
I work for Little Debbie and if you let me know what kind you like, if any :), I'll see if I can get you a box or two.

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case) 11/3/2005 6:51 AM Eric Hammersley

LOL, thanks Rodney... I appreciate the offer.

I am very pleased at how useful this article has been for so many people.

One thing that still burns be is that I notified Symantec back in July about this article and that it was a fix to their KB article I link to in the last paragraph. They are still saying that they are looking for a solution.

Guess what Symantec... I've had the solution for months, and I've offered it to you more than once. I suppose I shouldn't be surprised that they don't listen.

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case) 12/3/2005 10:14 AM Roger

Eric,

Great post. Thanks for taking the trouble. I hadn't updated one computer and couldn't understand why I was having problems installing SAVCE 10. It now makes sense!

Cheers!

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case) 12/13/2005 9:36 AM Robert Popenhagen

Thanks a BUNCH!!!!

I have been fighting this for a little while now. I tried to be a good little admin and I was updated on the ISA server, but had the client share on another machine which wasn't updated. This has been a thorn in my side for a few weeks. Broke down and called Symantec today (on phone for several hours) and happened across this while waiting. Thanks again!!

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case) 12/13/2005 9:57 AM Eric Hammersley

Great, I'm glad it helped.

I do wish SYMANTEC would figure this out and pass the information down to people via their KB. I've notified them several times about the fix and they ignore it/me. Oh well I suppose.

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case) 1/25/2007 4:17 AM Jurgen Daems

I stumbled on this post by google and although my symantec problem isn't related to the aboven, I'm going to ask anyway, as I'm on a dead end...

I've also migrated to SAV 10.x from SAV 9 and I have the strangest problem that my pc's in the desktop and notebook groups aren't inheriting the setting to disable the "schedule client for automatic updates using LiveUpdate". They take every other setting except this one. This is very annoying cause I only want my clients to get definitions from the parent.

I changed the group setting and it saves this, but the client won't take it...

I find it so weird that every other setting gets accepted. Maybe you have a clue?

Greetings,
Jurgen

# re: Symantec Corpoate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case) 1/6/2008 2:27 AM Abdul Kader

Hi Eric
I have a problem in deploying Clients.

My Configuration:

Windows 2003 Ent Edition
ISA Server 2004 with SP1
Symantec Corporate Edition V 10

My problem is when i install client installation it is not getting update from the Server. Now i install in five clients. Only one client is getting update from the server others not.

So pls help me to solve this problem, because i have 100 more clients yet to deploy.

Waiting for your reply.
Kader
aabdulkader@gmail.com

Post Feedback

Title:
Name:
Email: (never displayed)
Url:
Comments:
Please add 1 and 2 and type the answer here: Remember Me?

Eric Hammersley

News

Archives

Post Categories

Blogroll

Feedback

Post Feedback