Geeks With Blogs

News

Subscribe in NewsGator Online

Thawte WOT Notary
Serving Southern Indiana



Eric Hammersley <insert impressive list of technology to blog about here>

Ok, so I sat down yesterday and started migrating my network and clients over to the new Symantec Corporate Anti-Virus v10 package and ran into an interesting dilemma.  If you want to skip my enlightening path to discovery and just get to the solution then scroll down to the Solution header otherwise read on.

Right off the bat I must warn you DO NOT INSTALL the v10 server anti-virus over a terminal server remote desktop connection!!  I can’t stress this enough.  If you install the server version, or do an in place upgrade of your v9 server install over a terminal server remote desktop it will not function correctly.  The new v10 software uses self issued PKI certificates to secure server-to-server comms, among other things I’m sure, and they will not generate correctly if installed from anywhere but the console.  Save yourself the headache, install the server software on-site, at the console, and not via RDP!  If you do fall into this trap follow the “Rebuild the PKI folder structure” section of the Symantec KB article Symantec Anti-Virus server shows "Disabled" in the Symantec System Center after migration.

Ok, with the server gotcha’s out of the way I sat down at my first PC and started installing the new v10 package.  All looked well until it started to install the LiveUpdate package.  Here’s where it got interesting.  The install process just, well… went out for lunch.  The process didn’t hang or even consume large amounts of overhead, it just sat at the Installing LiveUpdate screen…. FOREVER!  So…

My next thought was instead of installing the client from the server’s CLT-INST/WIN32 directory to try and install the client from the original CD.  Now, for those of you who don’t know the CLT-INST directory is in the VPHOME share of the server computer and has all the proper GRC.dat files etc. needed for a seamless network install.  It is easier to install from this directory, it’s the same files used for the “push” auto install you can initiate from the Symantec Console.  You can also install from the original CD and just specify the server and group you want the client to be a member of.  Of course this is not an option for large installs… I’m just laying out my train of thought.  Anyway, it produced the same result but if you are reading this… you already know that.

—Solution—

Ok, you’re probably getting tired of my trek so I’ll bring it all together for you.  If you run ISA Server 2004 (pre-SP1) and the proxy client is installed on the client’s workstation the Symantec install will halt at Installing LiveUpdate.  If you uninstall the proxy client the Symantec install will succeed.  Of course, who wants to uninstall the proxy client, install Symantec Corp v10 then go back and install the proxy client again.  Luckily, you don’t have to. 

The secret here is ISA Server 2004 SP1.  If your ISA 2004 server is not running SP1 then shame on you!!  Since ISA Server 2004 requires Windows Server 2003 and ISA Server 2004 SP1 is required prior to installing Windows Server 2003 SP1 that means you aren’t patching your servers!  Bad admin, bad bad.  Anyway, I digress so please excuse me, even if you installed SP1 on your ISA box you might have forgotten to push out the new proxy client to the workstations.  Here’s how you tell.  Open the Firewall Client on a workstation and click the help button in the bottom right corner.  If you see this:

A pre-SP1 proxy client

Then you are running the pre-SP1 proxy client and the Symantec v10 install will hang.  Push out the new SP1 proxy client to your clients, you should have anyway, and the install will complete successfully.  You want to see this:

The SP1 proxy client version number

There you have it.  One of those days where you are just embarrassed in the end that something so simple kick your ass so hard.  Yes, I’m a bad admin because I forgot to push the new proxy client out.  I paid for it yesterday.  Now, the easiest way to push this new proxy client out is via Group Policy.  If you need help with that just post a comment.  Oh, and most of you might have already found this but here is Symantec’s KB page listing this problem with no solution.  Installation of Symantec Anti-Virus Corporate Edition 10.x stops at “Installing LiveUpdate” when using Microsoft ISA Server proxy  Perhaps they’ll read this post.  The workaround listed in the article above doesn’t work… why?  One there’s not enough information given since an exception requires more than just the process name but as you may well know Google is full of people that have tried this workaround and failed time and time again.  Moral?  Don’t waste your time, update to SP1 and push out the new proxy client before you install the v10 update of Symantec Corporate Anti-Virus.

Posted on Wednesday, July 13, 2005 2:13 PM Software | Back to top


Comments on this post: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case)

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case)
Requesting Gravatar...
Eric, although I was aware of the DCOM service hanging, I did not know why. Thank you!!!! My ISA clients were not up to date and this was huge.

I was curious how you rolled out the update via Group Policy. I am starting to learn and work with it more, but I am unsure of the task to roll my Firewall client out.

Great article, I can relate!
Left by Robert Taylor on Aug 19, 2005 10:02 AM

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case)
Requesting Gravatar...
How is this upgrade done through group policy?
Left by stillabdul on Aug 29, 2005 4:25 AM

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case)
Requesting Gravatar...
This is done via the Computer Configuration...Software Settings... Software Installation. You right click and create a new package and point it to the .msi file for the ISA client. You can do an advanced setup but I don't think you need to. If I remember correctly the ISA client is straight forward.

NOTE!!! Do not distribute this via the Default Domain Policy! If you do it will not only install on the domain workstations but it will also install on your servers! The best thing is to have your workstations divided up into OUs specific to their function and push group policies to them outside the Default Domain Policy.

You may have to reboot the workstations twice or run gpupdate /force to get the changes to run quick.

This is not meant to be a Group Policy Primer, I'm afraid I don't know enough to go that far.
Left by Eric Hammersley on Aug 29, 2005 5:29 AM

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case)
Requesting Gravatar...
Eric,

I owe you big time.

I have spent countless hours on this problem & found your article by chance.

I found the Symantec suggestion re ISA2004 but proved it didnt work by connecting the client directly to the internet.

I very much appreciate you taking the time to publish the solution.

Thanks,

John
Left by John Maunder on Sep 05, 2005 3:14 AM

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case)
Requesting Gravatar...
Wow, outstanding! I appreciate the thank you. I had hoped it would save someone some time.
Left by Eric Hammersley on Sep 05, 2005 8:43 AM

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case)
Requesting Gravatar...
Eric
How do you change the group once virus software installed on client? Does it have to be uninstalled to point to new primary server.
tia Paul
Left by Paul Bellanca on Sep 18, 2005 5:55 PM

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case)
Requesting Gravatar...
Hey Paul, The easiest way is to drag and drop the client into a different group via the MMC snap-in on the Primary Server. After a few minutes the client will see the change and switch groups.

If for some reason the above won't/doesn't work you can force the change with the grc.dat file. Go to the Symantec Support page for v10 here (this server doesn't allow URLs in comments so cut and paste)

www.symantec.com/techsupp/enterprise/products/sav_ce/sav_ce_10/search_ts.html

Once there search for grc.dat and find an article titled "A guide to grc.dat..."

This article will explain or link you to articles that will explain to you how to force a client into another group manually via the grc.dat file.

Note: this is a bigger pain in v10 because of the PKI certs they've added to the servers. The article however says it is still possible.

Good luck.
Left by Eric Hammersley on Sep 19, 2005 7:07 AM

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case)
Requesting Gravatar...
God bless you man!!!!! If you only knew the hours I spent trying to figure this one out.

Now it's off to Symantec site to rate the "usefullness" of their knowledge base article.

P.S.
I work for Little Debbie and if you let me know what kind you like, if any :), I'll see if I can get you a box or two.
Left by Rodney Dixon on Nov 03, 2005 5:55 AM

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case)
Requesting Gravatar...
LOL, thanks Rodney... I appreciate the offer.

I am very pleased at how useful this article has been for so many people.

One thing that still burns be is that I notified Symantec back in July about this article and that it was a fix to their KB article I link to in the last paragraph. They are still saying that they are looking for a solution.

Guess what Symantec... I've had the solution for months, and I've offered it to you more than once. I suppose I shouldn't be surprised that they don't listen.
Left by Eric Hammersley on Nov 03, 2005 6:51 AM

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case)
Requesting Gravatar...
Eric,

Great post. Thanks for taking the trouble. I hadn't updated one computer and couldn't understand why I was having problems installing SAVCE 10. It now makes sense!

Cheers!
Left by Roger on Dec 03, 2005 10:14 AM

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case)
Requesting Gravatar...
Thanks a BUNCH!!!!

I have been fighting this for a little while now. I tried to be a good little admin and I was updated on the ISA server, but had the client share on another machine which wasn't updated. This has been a thorn in my side for a few weeks. Broke down and called Symantec today (on phone for several hours) and happened across this while waiting. Thanks again!!
Left by Robert Popenhagen on Dec 13, 2005 9:36 AM

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case)
Requesting Gravatar...
Great, I'm glad it helped.

I do wish SYMANTEC would figure this out and pass the information down to people via their KB. I've notified them several times about the fix and they ignore it/me. Oh well I suppose.
Left by Eric Hammersley on Dec 13, 2005 9:57 AM

# re: Symantec Corporate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case)
Requesting Gravatar...
I stumbled on this post by google and although my symantec problem isn't related to the aboven, I'm going to ask anyway, as I'm on a dead end...

I've also migrated to SAV 10.x from SAV 9 and I have the strangest problem that my pc's in the desktop and notebook groups aren't inheriting the setting to disable the "schedule client for automatic updates using LiveUpdate". They take every other setting except this one. This is very annoying cause I only want my clients to get definitions from the parent.

I changed the group setting and it saves this, but the client won't take it...

I find it so weird that every other setting gets accepted. Maybe you have a clue?

Greetings,
Jurgen
Left by Jurgen Daems on Jan 25, 2007 4:17 AM

# re: Symantec Corpoate Anti-Virus 10 vs. ISA Server 2004 with SP1 (or lack thereof in this case)
Requesting Gravatar...
Hi Eric
I have a problem in deploying Clients.

My Configuration:

Windows 2003 Ent Edition
ISA Server 2004 with SP1
Symantec Corporate Edition V 10

My problem is when i install client installation it is not getting update from the Server. Now i install in five clients. Only one client is getting update from the server others not.

So pls help me to solve this problem, because i have 100 more clients yet to deploy.

Waiting for your reply.
Kader
aabdulkader@gmail.com
Left by Abdul Kader on Jan 06, 2008 2:27 AM

Your comment:
 (will show your gravatar)


Copyright © Eric Hammersley | Powered by: GeeksWithBlogs.net