Latest Symantec AntiVirus blocks Spybot and TeaTimer



fishbait
2005-11-16, 21:08
Just installed Symantec AntiVirus 2005 version 10.0.0.359 and its Tamper Protection keeps blocking TeaTimer and Spybot 1.4. It doesn't mind HiJack This 1.99. I've tried reinstalling Spybot and the same thing happens. I'm running a Dell D6600 laptop with XP Pro (latest service packs). Anyone else have this problem?

Thanks.

tashi
2005-11-16, 22:40
Hello fishbait.
Is Symantec AntiVirus 2005 version 10.0.0.359 a corporate program?

Have you contacted Symantec about the problem seeing as it is coming from their end?

fishbait
2005-11-17, 03:25
Yes, it's a corporate version. Haven't had any luck getting a reply from Symantec so I thought I'd post here to see if anyone else had the problem. This may have started earlier than version 10, but I was upgraded from several releases ago (we were a couple behind) and never had a problem with NAV (now called SAV) blocking Spybot or TeaTimer (of course, their Tamper Protection was in those releases).

tashi
2005-11-17, 09:30
Hi.
When I googled Symantec AntiVirus 2005 version 10.0.0.359, I did not see any support forums for the product.

Must be frustrating. Perhaps one of our members will respond. :)

bitman
2005-11-17, 14:04
This is a problem with active type protection that's unfortunately becoming common as traditional antivirus products attempt moving into spyware. Though it would be nice if they all played well together, the likelihood of this is low due to the complexities of interactions between active protection covering the same portions of the OS. If the anti-spyware community can't agree what spyware is, how do you expect the anti-malware (anti-spyware/anti-virus) communities to agree on methods for active scanning conflict resolution?

Modular design where you can easily define which product's active protection is responsible for which areas of the OS would be the only workable solution, but would require cooperation by at least most anti-malware products, which isn't likely with competing products. The 'all-in-one' type product was the more likely response and is beginning to occur, especially from the anti-virus side of things.

As for your specific issue, here's how to find the Symantec response to your issue:
Click the following link, type 'Tamper Protection' without the quotes in the Search box and click the Search button.
http://www.symantec.com/techsupp/enterprise/products/sav_ce/sav_ce_10/search_ts.html
Find the article "Symantec Tamper Protection Alerts reference a third-party spyware scanning program" and click it.

Alternatively you can try this link, though I'm not certain it will work here due to its length:
http://service1.symantec.com/SUPPORT/ent-security.nsf/4c7874c886a9bb0c88256fc700654267/b20ada2e7d7bc43088256fdc0055e473?OpenDocument&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=10.0&src=ent&pcode=sav_ce&dtype=corp&svy=&prev=&miniver=sav_ce_10

Bottom line from that article:

Solution:
Because Symantec Client Security 3.0 and Symantec AntiVirus Corporate Edition 10.0 contain a realtime spyware scanning component, Symantec does not recommend running third-party realtime spyware scanning programs on the same computer.

If the alerts appear during a manual spyware scan, turn off Tamper Protection before the scan.

Though it's not as open as a forum, the Symantec Knowledgebase is one of the best in the industry. It covers most known product issues, organizes them in a coherent, easily searchable manner and makes them available at no cost via the Internet. This and excellent manageability is why many Network Administrators swear by Symantec products, even with its 'bloatware' image.

tashi
2005-11-17, 17:13
Good information bitman, bookmarked.

fishbait
2005-11-17, 22:29
Thanks for the info. It's pretty much what I expected, that the Tamper Protection needs to be disabled in order to run Spybot. Of course, it's one thing to disable/enable to do a manual scan but for a resident process like TeaTimer, it essentially means you have to choose one or the other, and most corporations aren't allowing the disabling of the tamper protection (its settings are pushed from the corporate server at login). It would sure be nice if Symantec recognized TeaTimer without user intervention. Or if there was a way to exclude specific processes but I'm sure that would open the door to malware hijacking that override :(

Thanks again.

patflgn
2006-08-29, 19:06
Fishbait,

Just a bit more information to add to the mix, and thanks for your initial post. It's the only one on this subject in the forums that I can find and proved a valuable source of information.

I experimented with enabling Tamper Protection on my workstation yesterday. We're also running Symantec Corporate AntiVirus 10.0. Our network engineer did not enable tamper protection system-wide when he installed it (a good thing).

I then ran Spybot 1.4. Of course I got the Symantec pop-up reporting that Spybot was attempting to tamper with Symantec, but the Spybot scan completed successfully and reported no immediate threats found.

I then changed the tamper protection setting from block to log only and left it enabled the rest of the day. Checking the logs later, it also detected that rundll.exe and winword.exe (Microsoft Word) were attempting to tamper with Symantec. I then disabled tamper protection.

In my opinion, Symantec should have included this product in a later version after it becomes truly functional. It appears to act like a beta, throwing it out to users to see what problems it causes. Who do they think they are, Microsoft? It should allow for certain processes to be excluded by the administrator and detect only attempts to tamper from viruses and spyware in their definitions like their other features do. Right now, there appears to be no tie-in to their definitions database at all.

In any case, we're building a new server for a company we do part-time work for. They're getting Symantec 10.1. I'll enable tamper protection on a workstation there and see how it behaves, then report back to this post.

Pat

bitman
2006-08-30, 20:40
patflgn: You might be interested to know that the Symantec Tamper Protection is having similar issues with Windows Defender. In this case, it appears that Tamper Protection is detecting Winlogon or other file scanning done by Defender as 'attacks'. To learn more, go to the Microsoft NewsGroups for Spyware and search for Symantec, especially the Application Compatibility NewsGroup.

At this point, since the Symantec Tamper Protection really protects nothing except its own executables and serves merely to interfere or require the removal of other more useful anti-malware applications, it seems to have little value versus the cost. Though Symantec had a strong reputation for good protection in the past, it's also now losing many to protection suites with leaner use of resources and less of the 'bloatware' effect noted in many forums.

Symantec still has one of the best management facilities in the industry, but other options have emerged, including some from Microsoft itself. This pressure appears to be causing Symantec to lose their point of reference and simply attack these other applications, both verbally and within their programs' operation. This, of course, isn't helpful to their users and the community as a whole.

I try to reserve judgement when issues arise between vendors' products, but since I've used and/or helped with all of these products, I feel I can see what's real and what's simply the result of changes in the industry. Symantec doesn't seem to have an effective handle on what is currently needed for true protection and rather than fixing that problem, instead appears to be lashing out at other vendors through their own products.

You need to make these decisions for yourself, but I'd recommend looking closely at what your real protection needs are and how well various vendors' products fulfill those needs.

Bitman

patflgn
2006-08-30, 21:00
Bitman,

I completely agree. The days when we could trust a major vendor's reputation and install their software with confidence it would work correctly are gone.

It's a lot of time overhead, but I'm researching just about everything before installing it now.

Including Microsoft patches, for example MS06-42 in the August, 06 updates. I delayed that one until I could research the many, many issues listed in the bulletin, then read about a bug in the patch. I have not applied that yet and probably won't anytime soon. I see that MS decided to re-release it 8/22 to fix the bug; but they've now issued the following statement: "...We had planned to release the update today, but last night we found an issue that would prevent some customers from being able to deploy the update. As a result, we decided to hold the release until it meets the appropriate level of quality for such a broad distribution..." The full MS statement is here if you're interested: http://blogs.msdn.com/ie/archive/2006/08/22/711402.aspx

Symantec: Your reference to bloatware is correct, I believe. Bad experience this last weekend trying to update my girlfriend's Norton Internet Security 2004 to the 2006 version (definition subscription was about to expire and figured that her old version being 2 years out of date, it was time). Horrible, horrible experience. Just about crashed her system. After multiple attempts to reinstall, figure out what the problems were and fix them, etc., I finally completely removed it and installed Kaspersky, which is behaving nicely.

Thank you for your input,
Pat

tashi
2006-08-30, 21:08
Also see:
http://forums.spybot.info/showpost.php?p=40114&postcount=64 :spider:

bitman
2006-08-30, 21:52
Including Microsoft patches, for example MS06-42 in the August, 06 updates. I delayed that one until I could research the many, many issues listed in the bulletin, then read about a bug in the patch. I have not applied that yet and probably won't anytime soon. I see that MS decided to re-release it 8/22 to fix the bug; but they've now issued the following statement: "...We had planned to release the update today, but last night we found an issue that would prevent some customers from being able to deploy the update. As a result, we decided to hold the release until it meets the appropriate level of quality for such a broad distribution..." The full MS statement is here if you're interested: http://blogs.msdn.com/ie/archive/2006/08/22/711402.aspx

Pat,

The fix for this was released two days after the August 22nd notification.

Microsoft Security Advisory (923762): Long URLs to sites using HTTP 1.1 and compression Could Cause Internet Explorer 6 Service Pack 1 to Unexpectedly Exit (http://www.microsoft.com/technet/security/advisory/923762.mspx)

Excerpt from that bulletin:

Revisions:


August 22, 2006: Advisory published

August 24, 2006: Advisory updated to direct customers to the revised version of Microsoft Security Bulletin MS06-042 (http://www.microsoft.com/technet/security/bulletin/ms06-042.mspx) that includes new updates for Internet Explorer 6 Service Pack 1.


I have actually given up on keeping up with such changes, since it's impossible to truly be aware if you aren't constantly scanning official sites for such issues. Since as the blog stated, this type of re-release issue last occurred 2 1/2 years ago in early 2004, the risk of a failure is much less than the risk of an exploit being created shortly after the release of an update. In fact, though this issue was caused by the previous fix, the fact that it was identified and fixed so quickly shows how well the Microsoft system is working overall.

FYI, I don't bother trying to keep up with all of this myself since AplusWebMaster (http://forums.spybot.info/member.php?u=222) does it so well in the General Security Alerts (http://forums.spybot.info/forumdisplay.php?f=28) forum here. Though I updated to the new version of MS06-024 as soon as I was notified by Automatic Updates, his posts in the MS Alerts thread (http://forums.spybot.info/showthread.php?p=39121#post39121) kept me up to date with several links.

As you stated, I don't trust my choices for new purchases simply by vendor name any longer, but I do find it necessary to trust those vendors regarding updates of the programs themselves, including notification of problems. Microsoft didn't fail in this regard, they simply had an unforeseen hiccup and admitted and solved it quickly. This only strengthens my willingness to trust their updates over the long term.

Bitman

patflgn
2006-08-30, 22:43
Bitman,

I had initially thought that the MS06-42 re-release was still on hold because of this article I received a link to in an email from PCMag on 8/29. The information turns out to be out-dated based on your post and AplusWebMaster's thread.

Thank you very much for your reference to AplusWebMaster's thread. It's excellent and is going to be my primary source going forward.

Thanks also for your rational approach. I tend to get emotional about the vendors sometimes, and I need to control that.

Pat