This Geek

Just farting in the wind…

Archive for January, 2007

More Madness

I’ve been having lots of fun sorting out odd issues with McAfee Virusscan on one of our servers. It seems that McAfee locked an ini file for writing for some bizarre reason. It wasn’t even in the windows directory. Shutting down the services fixed it.

Virusscan 8.5 introduced a new feature to the Access Protection Policy: a switch to prevent the McAfee services from being stopped. “Brilliant!” I thought, because we’ve got some users who think they’re smart and constantly shut down the services - which is against company policy, I might add - so I thought it would bamboozle them. It turns out that it was me that got bamboozled instead. Having that option set prevents one from making remote console connections with Virusscan console. Thanks, McAfee, you bunch of retards!

New WP-Mail Filter 0.2

Modified the filter slightly, because it kept missing a trailing = sign. Hopefully now it will work correctly without any further issues.

Hope it’s of use to someone besides me.

Performance Shmeformance

I’ve just had the pleasure of completing my performance review. I swear, our HR department outdoes themselves every year for making it the most painful, time consuming and boring process that they possibly can.

There is so much drivel that you have to respond to, it’s not funny.

Monday Blues

You just have to love Monday mornings. You have that horrible feeling of slogging through yet another week of work. Admittedly, it’s not too horrible, but it could be better. I wonder what it would be like if I actually enjoyed my work?

Here’s my dilemma… I’m almost 32 and I have no idea what I want to do with my life. I suppose that’s quite funny coming from a guy who’s married with two kids. Maybe I should pull my finger out and do something about it… But what?

Irritants

I got to bed very late last night. Kind of got addicted to Lego Star Wars 2 that I bought for my son. Anyway, as is typical, I’ve had no bloody chance to sleep in. My wife had to go to work early this morning for some inane reason, and she accidentally left her alarm on, so it went off next to me and woke me up, but before I could get back to sleep, my phone rang - standby support call, argh! So I got up to go take a look at the network link in question, to discover that it had come up again 10 minutes previously. As I was about to phone the dude back, he called me and said never mind. Sigh.

Filter fresh

Woohoo! I’ve just finished writing my very first WordPress plugin. It’s just a basic filter that removes the horrible mangling that my iMate’s email client does when I send a post from it. For some reason, the mail client wraps lines at around 76 characters and appends an = to the end of each line, regardless of whether it’s in the middle of a word or not.

So now I can post via my phone with alacrity. ;)
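The unwrapping logic this post and the 0.2 update above describe, written as an added example in Python; it is not the author's WordPress plugin (whose code is not on the page), and the sample input is constructed. A "=" appended at a 76-character wrap point looks like a quoted-printable soft line break, so the filter removes the "=" together with the line break it precedes, including a "=" at the very end of the text, which is the trailing case the 0.2 release fixed.

```python
import re

# Constructed sample of the mangled input described on the page: the mail
# client wraps at about 76 characters and appends "=" to every wrapped line,
# even in the middle of a word. The final "=" with no newline after it is
# the trailing case that the 0.2 release of the filter had to handle.
SAMPLE = (
    "Woohoo! I have just finished writing my very first WordPress plug=\n"
    "in. It is just a basic filter that removes the horrible mangl=\n"
    "ing the mail client does.\n"
    "\n"
    "So now I can post via my phone.="
)

# A "=" immediately followed by a line break (LF or CRLF), or by the end
# of the text, is a continuation marker. A "=" elsewhere in a line (for
# example inside "a=b") is real content and is left alone.
SOFT_BREAK = re.compile(r"=(?:\r\n|\n|$)")


def unwrap_soft_breaks(text: str) -> str:
    """Join the lines the mail client split, dropping the "=" markers."""
    return SOFT_BREAK.sub("", text)


def filter_post_content(content: str) -> str:
    """What a filter callback applied to the posted text would do."""
    return unwrap_soft_breaks(content)


if __name__ == "__main__":
    print(filter_post_content(SAMPLE))
```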

McAfee Madness

We run McAfee as our corporate antivirus software. It’s fairly nice to manage via ePolicy Orchestrator, and I haven’t really had any issues with it, apart from corrupt Framework agent files now and then etc. Until I rolled out VirusScan 8.5 + AntiSpyware.

We use several remote admin tools on our network, one of them being TightVNC. So, because of this, in the Unwanted Programs Policy, I disable the category to detect remote admin tools, thinking that our remote tools would be safe.

I roll out 8.5 to a few machines here and there for testing purposes. It’s been running on my entire department’s machines since the 21st December, and it has been running on about 7 additional test workstations scattered throughout the environment for the past two weeks with no issues.

So today is the big rollout day where we deploy 8.5 to the rest of the company.

The next thing, I notice that our monitoring workstation has a virus alert on the screen. I go take a look - and discover that McAfee has gleefully deleted TightVNC - detecting it as RemAdm-TightVNC. Hmmm… RemAdm… Remote Admin perhaps? That category that was UNSELECTED for detection? Yep.

Since our monitoring workstation is set up in a really inconvenient place to work on it (hence the desire for VNC), I decided to try to remotely execute a few commands in an attempt to solve the situation.

Oooh. Guess what - psexec is detected as RemAdm-PSKill.

What I find hilariously funny is that I have PSTools installed on my workstation - in my Windows directory for that matter, and I have been running McAfee VirusScan 8.5 for the past month with EXACTLY the same policy that is installed on our monitoring station, yet it has NOT picked it up. It also fails to pick up UltraVNC which I have installed on this workstation. Gotta love the selective detections.

So I add all those detections as specific exclusions in the Unwanted Programs Policy. Then I get to thinking, “What else is this fucking software going to detect and delete?”

To the knowledgebase, Batman!

I find an article referencing Antivirus 8.0i, explaining how to get a list of PuPs (Potentially Unwanted Programs) from a command line tool called csscan.exe. The article says to run csscan.exe /TARGET APPLIST >c:\applist.txt

I run it and view the resulting applist.txt.

CommonShell Command Line Scanner (VSCORE.13.3.1.100)

Engine Version : 5100.0194 AV DAT Version : 4947.0000 223716 detections Built Tuesday, January 23, 2007 Extra DAT : 0 detections

Summary :- FilesFound : 0 FilesScanned : 0 FilesNotScanned : 0

ObjectsFound : 0 ObjectsInfected : 0 ObjectsCleaned : 0 ObjectsDeleted : 0

FilesInfected : 0 FilesCleaned : 0 FilesMoved : 0 FilesDeleted : 0

Wow, quite a list. Well, I figure that since the article was applicable to 8.0i and not 8.5, they might have changed the command line a bit.

Indeed they had. Now there was a nifty parameter called PupList.

Please wait … retrieving list of names from the Anti-PUP DAT
Detection name list retrieval failed

Fun fun. So I try all the other *List parameters, and discover that the only one that works is VirList, which helpfully lists most detections in the DAT files.

I also discovered that csscan.exe can be used to restore the backups that are made before files are deleted.

csscan.exe /BackupDir C:\Quarantine /RestoreBackup RemAdm-TightVNC

There’s quite a lot of nifty things that can be done with that csscan.exe. Pity it’s not documented somewhere useful. :p