CLEANACCESS Archives

March 2008

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: ResNet-Info <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Mon, 10 Mar 2008 09:40:37 -0400

I have a weird one here and need some ideas.  A student has Windows XP
Pro SP2, and passes all the Windows Critical Update checks.  She also
has VirusScan Enterprise 8.5 installed with the latest SuperDATs (5245
when I worked on the PC). The VirusScan DAT files are the same files
for the 4245 DATs as on another computer, so they appear to be ok.

When you install Clean Access 4.1.2.1 (or 4.1.2.2 - both have the same
behavior), the computer passes all the checks fine (Windows Critical
Updates, Windows Update set to Automatically download & install,
VirusScan is installed, VirusScan is up to date).  After the computer
restarts, Clean Access fails, saying the definitions are 5229 from
2/13/2008.  The VirusScan definition files are the same as another PC
running the 5245 DATs, the registry says it has the 5245 DATs, and I
can't find 5229 DATs or the 2/13 date anywhere on the computer.  If I
do a reinstall (which does a Repair Install) of the Agent, the computer
passes again.

I also ran Process Monitor to see what the Agent is checking and
requesting, and when it does a registry read for the SuperDAT info, it
does indeed pick up the 5229 DAT info, but if I go to that same
location in the registry using regedit, it shows 5245.  After doing a
reinstall/repair of the Agent (not doing a thing to VirusScan) without
a restart, Process Monitor shows the registry read as 5245 again.

The computer has almost no startup items (I disabled all of them and no
change, so I turned a few back on), and we ran SpyBot 1.5 with updated
definitions and didn't find anything.  Smitfraud and VundoFix didn't
find spyware either.  There are no obvious signs of spyware on the
computer (no weird installed programs, popups, etc.).  I tried rolling
back the SuperDATs to 4244 which didn't help.  I tried running the
SuperDAT for 4245 in case they were corrupt, no help.  I even did a
manual uninstall of VirusScan and the CCA Agent, but the problem
persists.

We're not moving to 4.1.3 anytime soon, so that's out as an attempt.

Any ideas?

Doug Chudzik
ResNet Manager
Wellesley College