Hi there

I am running PG 3.150 (Full Version) and NIS2006. Tonight I used LiveUpdate to download and install Virus Defs & URL Security Def. Just after I installed them I started to get repreated PG Alert that something tried to install a driver/service named EraserUtilDrv10500. Looking further the application ' ' (as in BLANK) Proc Id 4 seemed to be the cuplrit. I check the PID using Process Explorer and that idenitfies it as 'System'. Anyway, I scanned for the driver and found it listed as being in Program Files\Common Files\Symantec\Shared Files\ EEngine. Has upped the Protection statistics from approx. 20000 to 35000 in under 20 minutes and shows no sign of stoppping. I have an Alert permanenetly displaying. I tried putting PG in learning mode and all that happens is that the icon flashes green, I still get the alert bubble..............so no luck there.

Has anyone else running NIS and PG come across this issue and found a way to resolve it?

Best regards





Baldrick

So a driver install was blocked ?

Ok - if you allow it should stop immediately. Clear the log and check

Gavin

I have same problem as Baldrick. Hitting allow button has no effect. PG just keeps scolling -up to 13711 items - in my case. Closing Symantec AV to system tray stop PG pop up alerts.Reopen AV and start a scan problem begins cycle again.

noel1947

I had the same thing happen but when PG was locked up and scrolling multiple install attempts I rebooted XP Pro and have had no problems since.
I have NAV NIS2006 and PG v3.150 but this did not happen during an update. It happened while I web surfing a trusted site:(

I had the same with Nav 2006 trial yesterday, and as pushing the allow button had no effect (were continuous and very fast prompts), I did disable the "block driver/service install" temporarly: seems that worked for me.

Hi there again

I finally rebooted my PC at some ungodly hour and, like kampsk, the problem went away and (fingers crossed) has not returned since. Once thing that I did notice is that I have NIS2006 set to run an automatic scan after a Virus Def download (new feature in NIS2006, I think). I will monitor the next download and if it happens again may try switching this off for the following download and see if there is a re-occurence.

The annoying thing from the PG point of view was the fact that clicking the Allow button had no effect. Perhaps the alerts were comig at such a rate that PG just could not cope. I also notice that the details in the Protection panel just 'flashed' into view to then be replaced by a balnk panel and then back to the details again, seemingly in'sync' with the alerts................Hmmmm!

Will keep an eye on things and post again if I come across anything that may be of interest.

Best regards



Baldrick

Something more to test.. thanks :) this sounds strange to say the least. I've had a game (Path of Neo) build thousands of events and hit ALLOW and it allowed fine. Alt - Tab back and everything was drawing perfectly and away it went.

Phew, Baldrick, thanks for this thread.

Running SAV10 and NPF2006 here.

This morning (UK time) I did the daily update on SAV. Within a short while PG was going absolutely berserk...

Driver/Service tried to install driver/service named EraserUtilDrv10500

Wondered what the hell it was especially as I use an app called Eraser to overwrite any rubbish on my PC.

Clicking on "allow" had absolutely no effect. Mine ran up to 5/6000 before it stopped and I had to disable PG. Fortunately I had done a Drive Image backup up a few minutes before so I was able to go back to that.

I was at first suspicious that it was the latest Microsoft updates, but using my DI backup for two or three times it was obvious it was Symantec.
Am now stuck not daring to update my SAV.

Hi Oremina

Scary, huh?

Well, you cannot no longer update your Anti Virus defs. I allowed the Virus Def update. Had the issue with EraserUtilDrv10500 but since I rebooted just after the Virus Def update PG has been fine. No more excessive PG Alerts.

My suggestion, for what it is worth, is that you a fresh Drive Image backup, then do the Virus Def update and then reboot as soon as possible afterwards. If when rebooted you are still having issues then you should be able to go back to that. If there are no further issues then you can continue as per normal.

Hope that helps? I will be trying a few things on my PC and will post again if I have any more relevant news.

Best regards




Baldrick

Hi again Oremina

After my last post I checked LiveUpdate again and found that there was another Virus Def update plus a couple of other updates (I run NIS2006 so that might be expected). Anyway, I downloaded and installed everything except for the Virus Defs just to be sure and rebooted. No ill effects highlighted by PG.

I then recalled that (i) I had noticed just after previous Virus Def updates that in the PG alerts window navw32.exe was shown as starting (allowed), and (ii) the AV options are set so that a Quick Scan is done (recommended) after Def updates. No ill effects from the no Defs update just done so i was convinced that it was related to the Def update..........and the only thing running after that that does not run all the time is a Quick Scan.

In the Protection panel I checkedwhether the NAV components that are protected by PG had authority to 'Install Drivers/Services'.......and they had not and so as an experiment I gave the following that authority:

navw32.exe
navapsvc.exe
navapw32.exe

I then ran LiveUpdate again to download/update the Virus Defs and following the completion of that there were no PG Alerts re. EraserUtilDrv10500.

Anyway, I don't know if I have solved it by doing the above. I will have to wait until there is another Virus Def update, run that and see if all is well. In the meantime you may like to try out the above and let us know what it does for you.

Hope that this helps?

Best regards




Baldrick

Hi Baldrick

Thanks for the info. Downloaded the latest update about an hour ago. Noticed a little thread over on DSLR about the possibility of a bad update (or something?) here :-

http://www.dslreports.com/forum/remark,15023372

Disabled PG, did the d/l and rebooted. Then put PG into learning mode and rebooted again. Up to now no problems and it is the best part of an hour now. Won't tempt fate by saying looking good (but it is).

I noticed the d/l was 783KB so there was obviously something there besides virus definitions.

Symantec seem to have a habit of doing this sort of thing every now and then.

Regards

Process guard is having an issue related to Symantec's Norton SystemWorks Premier, specifically, Antivirus 2006. When I open the main control panel and initiate a full system scan the scan begins, then I close the main control panel. When I do that, I get a stream of alerts indicating that Process ID: 4 is trying to install a driver/service named EraserUtilDrv 10500. I assumed, maybe mistakingly, that it was a legit part of the Norton. Even when I try to put PG into learning mode, the alerts continue. The scan seems to run ok.

After reading through this thread, it seems that some have managed to work around the problem. Myself, I cannot get it to stop. I can trigger the problem everytime by opening the "home" screen, which I refer to above as the control panel, going to the Antivirus tab, clicking on "system scan," and clicking "scan now." Once the scan begins and I close out of the control panel, bang, I get flooded with alerts. My experience from there is exactly like described above. I cannot get the alerts to go away without disabling the driver installation protection within PG.

With reference to my last post, it was all a bit too premature and optimistic.
When I did the last d/l and rebooted I had unticked all the PG Global Protection Options to let the update do its own thing. After rebooting I forgot to tick the Options again. Another senior moment.

As soon as I reticked them the "attacks" rattled up into their hundreds/thousands.

Couple of things here... is the problem PG or Symantec related? I do not know, but I do know this:- I've had PG for quite a long time now and have never had any problems with it. On the other hand I have had several problems with Symantec over the last couple of years. My gut feeling at this moment is that I've had it with Symantec and I'm ready to rip everything Symantec off my PC and replace it with something else. However, it appears not to be a widespread problem, but of course only PG users will be aware of it.

B*ggared if I know the answer! :-\

It's most likely something that Symantec has done that PG doesn't like. However, it is also a PG issue because it should not be this difficult to instruct PG to allow what Symantec it trying to do to happen.

Same problem here.

I am using Symantec Antivirus Corporate 10.x.

Let me know if a solution is found.

Hi there

Have done some further investigation and can confirm that the issue is linked to NAV or the NAV-componenet of the the Norton products when a scan is run, whether manually or as a result of a Virus Def download (is the QuickScan option is ticked).

The process running at the time appears to be navw32.exe (at least that is taking the larger share of the CPU) and I havd tried ticking the Install Drivers/Services option in the Protection panel for this entry but that has no effect (most probably as the process identified as causing the issue is Proc Id (no description or name) 4, which from a check with Process Explorer is identified as being 'System'.

I will try logging this with Symantec Support but I doubt that we will have any joy as it seems to be only PG users who are affected.

As Dallen notes it does not seem to intefere with the scan but the annoying things is that PG does not seem to be able to register the fact that this behavious should be allowed if the user so wishes it. Perhaps the excellent chaps at DCS could comment?

Edit: In fact thinking about it the fact that there is no application name displayed to identify what is trying to install the driver/service (as there usually is for all the other occurences of this type of alert) may be the clue as you need to be able to record the 'Allow' in the Protection panel and with no name how can you allow? Perhaps we need to be able to add a special entry for the 'System'? Probably the rantings of a tired mind but..................!

Best regards



Baldrick

Hi Baldrick

Can tell you that it isn't specifically just navw32.exe, but more that and its equivalent in SAV.. I remember navw32 well as that is the file I used to stick in my Download Manager to scan d/l's (if my memory serves me well). I think the equivalent in SAV is rtvscan.exe and the equivalent of navapsvc is vptray.exe. Whatever, it seems to be general with various Norton AV products and PG.

It is hard for me to be specific about these file names at the moment as I've spent half the day ripping Symantec off my PC and installing Avast - which I'm quite impressed by. That isn't to say that I've given up on Symantec as I've got an image to restore if/when the matter is sorted.

Anyway, let's keep smiling - ain't life wonderful!

In my case, Symantec Antivirus Corporate Edition 10.x, the files that seem to be involved are:

vpc32.exe
vpdn_lu.exe
vptray.exe

As Baldrick mentionned, it is probably because there is no name associated with the entry that we cannot do anything with it.

That said, anybody has more info on that strange driver from Symantec?

As Baldrick mentions in his post above, it would be useful to have an expert opinion (from DCS).

Hi there

All quiet on the EraserUtilDrv10500 issue but that is because there has been no further download. I find it interesting that Auto Protect that also scan when you access an object is not causing this problem so it may be the way that Symantec have recently changed the QuickScan & Full Scan functions.

Anyway, I am holding fast for a while in the hope that the boffins at DCS are looking into the info we have provided to see if they can do something. I am wondering if this has highlighted an area for the addition of some new functionality? At least PG is still protecting us from this type of 'attack'. It is just a shame that we cannot allow it at will.

I have to admit that I have been eyeing ZoneAlarms IS product as an alternative to NIS........but I will hold on for a little while more in the hope of a development. One thing that I am sure of is that I do not want to get rid of PG..........it is the best.

Best regards




Baldrick

Just to throw a little info out there. hope it helps.
Had NIS 2006 a while now and had no problems untill now. (Norton changed something during a recent update that flags PG? )
Just a quick snap shot of my PG Log at the time of the process conflict(this is the first time it happened the second time is almost an identical log and ends at same exe) there is a couple lines that are odd.



Mon 12 - 16:52:00 [EXECUTION] "c:\program files\symantec\liveupdate\ndetect.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [1152]
[EXECUTION] Commandline - [ "c:\program files\symantec\liveupdate\ndetect.exe" ]
Mon 12 - 16:52:00 [EXECUTION] "c:\program files\symantec\liveupdate\aupdate.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [4048]
[EXECUTION] Commandline - [ "c:\program files\symantec\liveupdate\aupdate.exe" ]Mon 12 - 16:52:10 [EXECUTION] "c:\program files\symantec\liveupdate\lucomserver_2_7.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [988]
[EXECUTION] Commandline - [ "c:\progra~1\symantec\liveup~1\lucoms~1.exe" -embedding ]
Mon 12 - 16:52:39 [EXECUTION] "c:\program files\norton internet security\norton antivirus\navw32.exe" was allowed to run
[EXECUTION] Started by "c:\progra~1\symantec\liveup~1\lucoms~1.exe" [892]
[EXECUTION] Commandline - [ "c:\program files\norton internet security\norton antivirus\navw32.exe" /sescan ]
Mon 12 - 16:52:45 [DRIVER/SERVICE] [4] Tried to install a driver/service named EraserUtilDrv10500
Mon 12 - 16:52:45 [DRIVER/SERVICE] [4] Tried to install a driver/service named EraserUtilDrv10500
Mon 12 - 16:52:45 [DRIVER/SERVICE] [4] Tried to install a driver/service named EraserUtilDrv10500
Mon 12 - 16:52:45 [DRIVER/SERVICE] [4] Tried to install a driver/service named EraserUtilDrv10500
Mon 12 - 16:52:45 [DRIVER/SERVICE] [4] Tried to install a driver/service named EraserUtilDrv10500
Mon 12 - 16:52:45 [DRIVER/SERVICE] [4] Tried to install a driver/service named EraserUtilDrv10500
Mon 12 - 16:52:45 [DRIVER/SERVICE] [4] Tried to install a driver/service named EraserUtilDrv10500

I have the same problem. I didn't dare try this, but wouldn't disabling "Block Rootkit/Driver/Service Installation" from the Global Options solve the problem?

(and perhaps create another)

Thanks

-{ Quote: "I have the same problem. I didn't dare try this, but wouldn't disabling "Block Rootkit/Driver/Service Installation" from the Global Options solve the problem
" }-

That did work for me, the matter is just to disable it temporarly for the update, and then re-enable it later: very simple and effective :)

...and no other problem doing this, although I can't check it back, I've removed NAV 2006 trial since.

Cheers,
nicM

As a temporary measure that is fine but long terms I think not. PG picks up the fact that a process (albeit unknown) is trying to install a drievr that is not (yet) allowed but you cannot make the decision to allow it or not..........that IMHO is the issue.

As I have said before, hopefully, once PG 3.2 Final is released Wany & Gavin will be able to turn their attentions to solving our little conundrum.

Regards



Bladrick

-{ Quote: "
As I have said before, hopefully, once PG 3.2 Final is released Wany & Gavin will be able to turn their attentions to solving our little conundrum.

Regards

Bladrick" }-
Some of us might not consider this to be a "little conudrum." A response by the developers on this issue would be nice.

Try adding the <.sys> driver file (eraserutildrv10500) to the Protected app list (Protection Tab) and giving it "Drivers/Service" rights.

The driver seems to be a Symantec clean up driver (stressing "seems")allthough, there is already one in the same folder:

C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

But both have dates and time stamps for the day when this started:
12th Dec 05

-{ Quote: "As a temporary measure that is fine but long terms I think not. PG picks up the fact that a process (albeit unknown) is trying to install a drievr that is not (yet) allowed but you cannot make the decision to allow it or not..........that IMHO is the issue.

" }-

Sure, but since PG doesn't display the name of the exe, you would hardly add it to the protected list. That's why to temporarly disable "block service/driver" was handy and working (plus it's sometime better to disable it temporarly than to add too much apps with driver allow flag). But I admit you may run into troubles again when it happens through auto-update :( ...

Same way, I doubt the .sys driver file could be added to the protected list (as suggested in eraserutildrv10500's post), we've to locate the litigious exe instead.

Cheers,
nicM

Why hasn't one of the authors responded to this issue with a fix yet? There seems to be enough people having an issue with this that a response is warranted.

Hi there

The suggestion of adding the <.sys> driver file (eraserutildrv10500) to the Protected app list (Protection Tab) and giving it "Drivers/Service" rights is a 'nice try' but no dice. If you notice when you try to add an app the default file types are .exe & .scr. I tried this 'add' a week ago but to know avail. PG does not seem to recognise the 'add'.

Wayne or Gavin, could you help us out this one even if it is just with an indication that you will eventually get around to seeing if there is anything that you could put into PG to sort out this issue?

Thanks in advance.



Baldrick

-{ Quote: "Same way, I doubt the .sys driver file could be added to the protected list (as suggested in eraserutildrv10500's post), we've to locate the litigious exe instead.

Cheers,
nicM" }-


I was able to add the driver to the list. But, it did not help. I agree, the Problem .exe needs to be found, although it could still be an integral part of another file <Rtvscan.exe> that might be causing the problem, or (dare I say) something else?


-{ Quote: "Hi there

The suggestion of adding the <.sys> driver file (eraserutildrv10500) to the Protected app list (Protection Tab) and giving it "Drivers/Service" rights is a 'nice try' but no dice. If you notice when you try to add an app the default file types are .exe & .scr. I tried this 'add' a week ago but to know avail. PG does not seem to recognise the 'add'.

Thanks in advance.

Baldrick" }-

As above, I was able to add this file to list, but, as you say "no dice" on finding a resolution to this problem.

If this is part of another file that is yet unknown, then someone may have to contact Symantec to find out what they added to the 12 Dec 05 update (as I suspect this is when it started).

I tried -
I'll keep trying -
I'll keep trying again -
etc

Kudos

If Symantec can resolve it with the way the driver is loaded or used that would be easiest. Googling download NIS 2006 it gave interesting results :o but I did find http://www.symantec.com/public_beta 41MB NIS beta :) Downloading that now to test and hopefully I get the same symptoms - will use XP Pro SP2, PG 3.200 Beta 3

I've replicated the problem.. we will look into it. Pressing ALLOW driver doesn't do anything which is the problem.

Disabled PG, went to the registry and sure enough the entry is there. Reenabled PG and trying to replicate it, it may just go away which is desirable :) It hasn't come up again, and the driver IS there. Just leave PG off for a while if you have the problem, then re-enable it and it should be ok by the looks.

-{ Quote: "I've replicated the problem.. we will look into it. Pressing ALLOW driver doesn't do anything which is the problem.

Disabled PG, went to the registry and sure enough the entry is there. Reenabled PG and trying to replicate it, it may just go away which is desirable :) It hasn't come up again, and the driver IS there. Just leave PG off for a while if you have the problem, then re-enable it and it should be ok by the looks." }-
I've tried the "leave PG off" proposed solution. This seems to be a temporary fix and does not solve the problem in the long term. I've consistently experienced the reoccurance of the problem on subsequent reboots after having disabled PG in an effort to fix this issue.

Just a Quick note. PG 3.2 has this problem too:(

I just wanted to add that I am also experiencing the problem with PG 3.200. The symptoms are identical.

Yes its a weird one, seeing the same behaviour. Temporary solution then problem again.

I think I know the problem though :) it will have to be found and fixed

Thanks Gavin. I appreciate you sticking with this issue and will anticipate a fix in the futute.

Any luck on getting out a fix for this Norton/PG issue???

Corporate version here, but the same is also happenning.
Culprit is DWHWizrd.exe (under Corporate, that is).
Locate DWHWizrd.exe (I am assuming that's the same filename under Norton AV). Mine is at
J:\Program Files\Symantec AntiVirus\
Add DWHWizrd.exe to ProcessGuard (Protection tab, <add application> button).
Under "authorize this application to", check
1)terminate protected applications
2)modify protected applications
3)read from protected applications

Under "other options for this application", check
1)install global hooks
2)install drivers/services
3)access physical memory

This is how I got things working, YMMV.

Best wishes,
Tamplin Ted

Hmmm....DWHWizrd.exe does not exist in NIS 2006.

Hi Siliconman01

I thought the same thing but have checked on the web and apparently "The Dwhwizrd.exe file is used when a new set of definitions comes in. If you set debug mode to "verbose" and copy a new .vdb file into the directory where NAV is installed, then Dwhwizrd.exe pops up a window that reports what it is doing. The window flashes by quickly, but the corresponding line in the Rtvscan.exe debug window is "Pattern File <path> loaded." It is also used to re-scan files sitting in quarantine when new virus definitions are updated and installed." This is according to the Symantec Knowledgebase (Document ID:2000042413265148) so I suppose that we whould be looking for the .exe that does the same thing in NIS?

By the way I have logged a tech question with Symantec Technical Support but am not holding my breath for a sensible or helpful answer as I can see them saying that it is PGs issue as it is blocking a perfectly legitimate activity by their software and it is up to PG to provide function to allow it if the use r so desires (I hope that I am not writing their response for them......but based on past experience!).

Anyway, will advise when I have a response. Perhaps we can isolate the releavnt .exe based on what Tamplin Ted has provded?

Best regards




Baldrick

-{ Quote: "Corporate version here, but the same is also happenning.
Culprit is DWHWizrd.exe (under Corporate, that is).
Locate DWHWizrd.exe (I am assuming that's the same filename under Norton AV). Mine is at
J:\Program Files\Symantec AntiVirus\
Add DWHWizrd.exe to ProcessGuard (Protection tab, <add application> button).
Under "authorize this application to", check
1)terminate protected applications
2)modify protected applications
3)read from protected applications

Under "other options for this application", check
1)install global hooks
2)install drivers/services
3)access physical memory

This is how I got things working, YMMV.

Best wishes,
Tamplin Ted" }-

didn't work for me, Corp 10, did it as you but same problem. Any fix on this as of it?

-{ Quote: "Culprit is DWHWizrd.exe (under Corporate, that is).
Add DWHWizrd.exe to ProcessGuard etc. etc. etc." }-
This appears to be a partial solution. The eraserutildrv10500 problem can be provoked by running DWHWizrd.exe manually and the settings described by Tamplin Ted do allow it to run without problems. However, when a LiveUpdate is performed and the database is updated, the problem still arises so presumably there is something else that requires similar extended privileges.

However, the fact that PG currently cannot work out where the driver installation request is coming from definitely needs to be addressed.

Hi Plutox

Point taken but that does not help users of the non Corporate versions. We are still strugglingto find out what is the equivalent of DWHWizrd.exe, which does not exist in NIS or NAV.

But you are right about the fact that "...fact that PG currently cannot work out where the driver installation request is coming from definitely needs to be addressed." Perhaps the guys at DCS will look into to that after the festive break? (...................Please!).

Regards



Baldrick

Hi Gavin / Wayne

Happy New Year!

Any news on the likelihood of you being able to look into this issue and provide a fix? I am currently battling with Symantec on this, trying to find out which .exe is responsible for trying to install EraserUtilDrv10500 (so at least we could try to give it th relevant PG rights) but as you might expect it is like tryingto draw blood from a stone.

Any update on where this issue figures in your plans for 2006 would be most welcome.

Best regards




Baldrick

HI Anybody Interested in This Thread

AN UPDATE!

Have received the following back from Symantec Support re. this issue:

"...please note that EraserUtilDrv10500 uses <.sys> driver files. I suggest that you please add (eraserutildrv10500) to the Protected application list (Protection Tab) and giving it "Drivers/Service" rights.

EraserUtilDrv10500 is Symantec clean up driver, when you run full system scan this service automatically runs in the background."

I have searched the local hard drive of my PC (using eraserutildrv10500* and including hidden system files) but can find no reference to this anywhere, and therefore I am unable to add this to the Protected Applications List as they have suggested. I have advised them that ProcessGuard allows the addition on of .exes & .scrs as a matter of course but to date I have never had to add a driver, rather it has been the .exe that calls or executes first initates the driver/service. I have therefore asked them if there is any chance that they could let me know which .exe is related to the execution of the Symantec clean up driver, or how I can locate this mysterious driver eraserutildrv10500?

Well, at least I am still dialoging with them. Will keep you posted on developments in this are.......if there are any.

Wayne / Gavin, any news on what yo can do at your end re. allowing us to include this type of driver/service execution in the Protected List? I am a little diappoint by the recent lack of response from DCS. Do you still love us?

Best regards




Baldrick

Following the advice from Dec 19th:

"Try adding the <.sys> driver file (eraserutildrv10500) to the Protected app list (Protection Tab) and giving it "Drivers/Service" rights.

The driver seems to be a Symantec clean up driver (stressing "seems")allthough, there is already one in the same folder:

C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys"

I was able to add the driver. I will sit back and see if the error continues.

Didn't work. Still sets of process guard.

Has everyone given up?

After having second thoughts I have deleted my post... it didn't really add to anything.

Hi there

I haven't given up. I have finally received a response from Symantec Technical Support that appears to be on the right track..........the only problem is that I cannot test it as I am currently trialing ZASS 6.1 having got fed up with (i) the increasing number of issues I was having after the last major NIS program update......I won't go into them as it will take too long, and (ii) the lack of coherent response from Symantec Technical Support on these issues.....until now. Mind is not yet made up if I will go back to NIS but I have to say that ZASS is very, very impressive (and the price that I can get it for is very good too).

Anyway, Symantec Technical Support suggest the following:

"...permit or add cceraser.exe to the trusted application list in Process Guard application to resolve this issue.". Hopefully, this is the culprit .exe!

Also suggested "... add the following files in trusted application list of process guard software.

navw32.exe
navapsvc.exe
navapw32.exe"

but I suspect that most people already have these secured.

So, if someone could try this out, see if we finally have an asnwer and then post back to let everyone know that would be great.

Hope that this helps?

Best regards




Baldrick

Good job on keeping us up to date on you're findings Baldrick, thanks for that .

I searched my HD and it only finds .dll's with "cceraser" in them, no .exe . I have NAV2006 BTW .

On my HD, the files are located in two folders :

C:\Program Files\Common Files\Symantec Shared\VirusDefs\
C:\Program Files\Common Files\Symantec Shared\VirusDefs\BinHub

Take Care

Hi MentalNoiz

I have meialed the Symantec Technical Support contact I have and updated him on your findings. We now need to wait to see what he comes back with. What I cannot understand is why they cannot provide the name of the .exe. associated with the driver/service in question (unless it is started by some other means......but know Symantec it may be just that). You would assume that the support function would speak to the development function, eh?

Anyway, keep the info coming and I will see if I can pass it on as I have a 'pipeline' open for the moment. I am also a little disappointed that we have not heard from either Wayne or Gavin in a while on whether there is another approach to the is issue, ie, being able to register a name application in the Protection List (if that makes sense). Nothing like fighting a fire on two fronts, eh?

Best regards




Baldrick

Hi there

Have questioned Symantec Technical Support about their recommendation that we should register cceraser.dll in the Protection List with Install Driver/Services rights (see my posts above), and they have come back to confirm cceraser comes as dll file only but they still recommend the same approach, as well as also adding the following files in the Protection List:

navw32.exe
navapsvc.exe
navapw32.exe

As I cannot try this could someone else who is having this problem please try the recommendation and then get back to me on this thread with the results?

Many thanks




Baldrick

What wit!

DCS,
Please don't let this thread trail off and die. There are a lot of customers that need your help on this.

Ok, for those that can't add any other kind of file except for the default [.exe & .scr], this is how you do it...

Click the "Add Application" button - the dialog box shows up with only apps listed. Now, put this in the 'File Name' field at the bottom of the dialog box: *.*
Then hit the Enter (or Return) button.

All file types will now show up in the dialog box.

Now you can add "Files" to your hearts content...

Trying some of the recommendations listed in this thread - will try to keep up and let you know what happens...

Hope this helps...

Enjoy


PS
I agree that this thread should not die unil the problem(s) is address and corrected.

To those who finally got thru to Sillytec <Symantec>, Kudos - good job, and thanks alot. It is appreciated...

Gentlemen,

-> Using Corporate Edition 10.x

I tried the suggestion but it did not help. I registered the 3 cceraser.dll files in these directories:

C:\Program Files\Common Files\Symantec Shared\VirusDefs\BinHub
C:\Program Files\Common Files\Symantec Shared\VirusDefs\BinHub\20060102.025
C:\Program Files\Common Files\Symantec Shared\VirusDefs\BinHub\20060112.018

Then I gave them 'Install Drivers/Services' permission but still did not help.

Then I was thinking what the f.... is going on?

I then uncheck the option 'Block Rootkit/Driver/Service Installation' on the main page, scanned for 2 sec, stopped the scan, re-check the option and everything was ok! Reboot the machine, still ok after that. Then used live update to get the current stuff. Scanned again and oh problem re-appear.

After investigation, I can say this:

Each time you use live update, a new directory is created and all the new definitions files are injected into the new directory, including a new cceraser.dll file.

That would be why each time you update symantec, you get the problem again. PG must see this new cceraser.dll file as a new file use when starting the driver EraserUtilDrv10500 and prevent the whole thing to register properly.

That said, if I re-do the trick of un-checking for 2 sec the main app option and start a scan for 2s sec and stop and re-check the option, I do not see the problem again. Of coarse until I update again.

There must be more to it than just the cceraser.dll file.
Let's keep up the good work!

Hi lebrocoli

Many thanks for the excellent investigative work. I will send this down the pipeline to Symantec Technical Support and see what they come back with. I will also suggest that rather than just keeping in-house, ie, with the Tech Support people, that they pass it back to the development team. Not sure that this will do any good but you never know.

Will post back as soon as I have any feedback.

Best regards



Baldrick

Same here,
I found multiple copys of the dll on my system with the date of update. tricky fix for DCS I would think.

Also just found this in my inbox. symantec and root kits?
http://www.eweek.com/article2/0,1895,1910077,00.asp


Would just like to add that this is just speculation as to the cause of this problem:-\

still no fixes on this huh? Only option so far is to disable PG on reboots and symantec updates...

I would like to add this:

Let's assume that unchecking 'Block Rootkit/Driver/Service Installation' on the main tab is that same as checking 'Install Drivers/Services' for a particular file.

Then, since checking 'Install Drivers/Services' for cceraser did not work BUT unchecking 'Block Rootkit/Driver/Service Installation' worked, we can probably say that Symantec is really trying to install some driver BUT cceraser is not the exact file we need to give permission to.

Does that make sense?

I can only add this to the discussion - until yesterday I was running SAV 9x, and this was not happening. Only after I installed 10x did this occur.

Hi there

I have heard back from Symantec Technical Support re. the last information I sent them (supplied by lebrocoli) and this is what they have to say:

"...thank you for mailing the details regarding this issue. I have passed the information which you have provided in your mail to our product Development team.

Our support staff thanks you for your patience as we investigate this issue. We will continue our efforts in tracking this issue, and will update the Symantec Online Knowledge Base to include new updates.
Please feel free to contact us for further assistance, and thank you for using Symantec software."

Well, this may be the last we hear of this from Symantec...but then again, you never know. Will keep scanning for this in the Knowledge Base and post back if I find anything.

Best regards




Baldrick

Thanks for the news Baldrick.

Which returns us (again) to the PG devs. We've not heard from you in 3 weeks.

Is there any update to this issue?

Hopefully we'll all hear more soon. Its being worked on as we speak/type :)

Thanks Baldrick/Gavin.

-{ Quote: "Hi there

I am running PG 3.150 (Full Version) and NIS2006. Tonight I used LiveUpdate to download and install Virus Defs & URL Security Def. Just after I installed them I started to get repreated PG Alert that something tried to install a driver/service named EraserUtilDrv10500. Looking further the application ' ' (as in BLANK) Proc Id 4 seemed to be the cuplrit. I check the PID using Process Explorer and that idenitfies it as 'System'. Anyway, I scanned for the driver and found it listed as being in Program Files\Common Files\Symantec\Shared Files\ EEngine. Has upped the Protection statistics from approx. 20000 to 35000 in under 20 minutes and shows no sign of stoppping. I have an Alert permanenetly displaying. I tried putting PG in learning mode and all that happens is that the icon flashes green, I still get the alert bubble..............so no luck there.

Has anyone else running NIS and PG come across this issue and found a way to resolve it?

Best regards





Baldrick" }-
Assuming you are running XP Pro, SP2, with all updates (Windows & AV), upgrade to PG 3.2.

http://www.diamondcs.com.au/processguard/pgsetup_3200.exe

To keep your current settings: Start > All Programs > ProcessGuard > Uninstall ProcessGuard. ( I.E., do *not* use "Add or Remove Programs" ! ) Reboot. Install into the existing ProcessGuard folder.

If you want to start fresh, use "Add or Remove Programs" to uninstall. Delete the existing ProcessGuard folder before installing. Reboot.

Enjoy ! :)

I'd like to download that version but on their website at http://www.diamondcs.com.au/processguard/index.php?page=download
they list 3.15 as being the most recent. Is 3.2 a beta?

-{ Quote: "I'd like to download that version but on their website at http://www.diamondcs.com.au/processguard/index.php?page=download
they list 3.15 as being the most recent. Is 3.2 a beta?" }-

Have a look at this thread (http://www.wilderssecurity.com/showthread.php?t=112366) ;)

regards,

paul

Much appreciated.

I've been having the problem since installing Norton SystemWorks 2006 (with PG3.15), but waited for the realease of PG 3.2 before I added my 2 cents to this thread.

I install PG 3.2 (after uninstalling 3.15), but still get the balloon mesage about "EraserUtilDriver" but this time the number has changed from 10500 to 10501.>:(

Not only is this bug triggered after the NAV initiates LiveUpdate, but it is triggered if I manually try to run Norton Full Scan or Quick Scan.

Clicking on Allow Driver/Service has NO effect -- only a brief pause in its entries in its log.

With great regret, I am compelled to disable "Block Driver/Service Installation," which was one of the main reasons for buying PG.

I trust this "bug" can be resolved soon!

I have a Dell XPS -- Windows XP Pro

Here's a new twist (Sort of...)

While checking for drivers in the Device Manager on a W2K machine, I came accross, none other than the "infamous" EraserUtilDrv10500 & EraserUtilDrv10501 Drivers.

It's listed under Non-Plug and Play Drivers, when you select to view hidden devices.

When viewing the properties of these rascals, this is what it says:

Class: Non-Plug and Play Drivers
Devvice: EraserUtilDrv10500
No resources used
Device Drivers:

Class: Non-Plug and Play Drivers
Devvice: EraserUtilDrv10501
No resources used
Device Drivers:


So, that being said, I checked it on XP SP2, no such luck. It's not there.

No Help, I know. Just adding to the Pot...

We keep trying....

Kudos

Well,

Seems like 3.3b might fix our problems. Anybody tried yet?

Have used NIS2006 to run a full system scan which worked fine with 3.3b. I'm waiting for daily liveupdate to see if a Quick Scan runs okay.

As a follow-up, NIS 2006 updated automatically, ran a quick scan and then later ran a full system scan without any conflicts between PG V3.3b and NIS 2006. Windows XP-SP2 Home Edition.

-{ Quote: "Well,

Seems like 3.3b might fix our problems. Anybody tried yet?" }-

That's a beta version that I and others won't install till it's ready for wide release. Last time I tried the beta version of PG, I had all kinds of issues. If their is a fix out for 3.3b, then there should be one for 3.1 & 3.2 version users. Anyone from Diamond have a clue on what to do here???

Same elproblemo here

Have to disable PG to stop the alerts..


con

-{ Quote: "That's a beta version that I and others won't install till it's ready for wide release. Last time I tried the beta version of PG, I had all kinds of issues. If their is a fix out for 3.3b, then there should be one for 3.1 & 3.2 version users. Anyone from Diamond have a clue on what to do here???" }-

3.3b is the beta of the fix for 3.15 and 3.2

Hi All-
I have something very similiar.
I have Norton 2006 and PG on a Win2000 machine. I don't know what set off my constantly scrolling error message. It is EraserUtilDrv10502. After reboot it was stable for a time. When I came back hours later, it was there again, constantly.
It seems that it must be the same problem, even though my message is a digit off. Any hopes for a solution?
-Sandra

Hi, Siliconman. Long time no talk!

Hi All-
I have something very similiar.
I have Norton 2006 and PG on a Win2000 machine. I don't know what set off my constantly scrolling error message. It is EraserUtilDrv10502. After reboot it was stable for a time. When I came back hours later, it was there again, constantly.
It seems that it must be the same problem, even though my message is a digit off. Any hopes for a solution?
-Sandra

Hi, Siliconman. Long time no talk!

Oops forgot to request notification of replies.

Have we given up on this? Should I just disable my Process Guard?

I unchecked block driver/service and now I don't get the messages. But I really don't like turning this off.

I'm not sure my problem is associated with norton however, since my says EraserUtilDrv10502. Can someone from PG please let me know if my issue is the same or just related.

Thanks!

My suggestion is to install 3.3beta, but if you want to wait then keep block driver/service enabled. When you see alerts (only after an AV update occurs?) then untick block drivers for a second then re-tick it.

Gavin-
How do I load the beta? Is there a downside? If I have a problem can I go back to the current version? Why is my error number 10502 instead of 10500 like everyone else's.
Thanks!

Gavin-
How do I load the beta? Is there a downside? If I have a problem can I go back to the current version? Why is my error number 10502 instead of 10500 like everyone else's.
Thanks!

Sarment,

Here is a procedure to remove PG 3.15 and install PG 3.3b. I've been running V3.3b on my XP-SP2 HE system since it was released and have experienced no problems thus far. It does clear up the problem with NIS 2006. BTW, the reason you are seeing this conflict "randomly" is that it occurs when NAV 2006 does a QuickScan after an virus definitions update or when one of your scheduled scans kicks it. The problem triggers on the RAM memory scanning part of NAV.

Download PG 3.3b and save to on the desktop or in a folder for access.
Be sure you have your PG license key available.

To remove PG 3.15 -

1. Open PG 3.15 and uncheck all options.
2. Completely close down PG 3.15.
3. Deactivate any options in other security programs that may/could block registry changes or program execution changes.
4. Using Windows Explorer, navigate to the C:\Windows\System32 folder and open this folder. Locate and copy Pguard.dat and Pghash.dat. Paste them in a folder where you can get to them if you have to revert back to PG 3.15 (or put them on a floppy for safe keeping). Close Windows Explorer.
5. Go to START-PROGRAMS-ProcessGuard and activate the uninstaller for PG. Uninstall PG 3.15.
6. Reboot your computer
7. Using Windows Explorer, navigate to the C:\Windows\System32 folder and open this folder. Locate and DELETE Pguard.dat and Pghash.dat. You CANNOT use these for V3.3b.

NOTE: If for some reason you have trouble removing PG 3.15, reboot into SAFE MODE and uninstall it.

To install PG 3.3b-

1. Deactivate any options in other security programs that may/could block registry changes or program execution changes.
2. Close down all programs in the lower right systray. De-Activate your virus scanner.
3. Install PG 3.3b. Reboot when requested.
4. Enter your license key.
5. Activate the desired PG options and global options.
6. Place/keep PG 3.3b in LEARNING MODE for a period of time to pick up all your programs and "learn their options". You can reduce the length of time in learning mode by activating each of your programs; by forcing updates on your security programs, printing with your various programs for word processing, pictures, etc.
7. Remember to re-enable your other security programs' options.

HTHs

Yes Safe Mode uninstall is a big recommendation from me - it ALWAYS works :) no files are in use and will be removed. For this beta, you still need to delete PGUARD.DAT and PGHASH.DAT

If you follow the instructions above all should be well. Thanks siliconman!

So, have you given up on a fix for 3.150?

Hope not...

Not at all, the whole point of the beta is to get this and other issues properly fixed and officially release a newer, better PG :) It seems we are very close now

New owner of Process Guard. Over 50,000 protected attacks, primarily in relation to Norton Internet Security running a Virus Scan and EraserUtilDrv10502 error.

Would sure like this issue resolved!

The issue is resolved in PG 3.3b1 and PG 3.3b2.

I have been watching this thing for about 3 months now and it seems that
the problem might not be PG or NORTONS at all. The numbers at the end
of the Drv have been changing every 3 weeks or more. The numbers on my machine have changed 3 times (10500,1061 and 10614). When things like
that change it usually means that a worm or trojan is trying to hide itself or
some kind of adware,spyware is tyring to erase its tracks. I have talked to
an enginer(programming) and he said that it is acting like a nasty. The last time that the error happened it flagged PG 18,000 times and I had to shut PG
down to get it to quit. It is acting like a DoS flooding attack. When I updated
nortons: everything was updated accept the worm signatures(that failed to
install). I talked to symantec and gave them all this info and told them that it would be a good idea to talk to DCS and compare notes to resolve this issue.
It might be an event trigger that is causing PG to be flagged. The only thing that hasent changed is the PID which is a system process not a program process. Watch the numbers to see if they start changing.

Just because the name is constantly changing, does not mean it is a worm / trojan / malware ... it could just be Norton doing an update and tagging a version number on (the numbers seem to be incrementing).

That having been said, it also doesn't mean it isn't one either ::). We'll just have to wait to see what Nortan have to say on this matter.

This Norton/PG issue is NOT an issue in 3.3beta1, 3.3beta2 or 3.3beta3 of ProcessGuard. DCS resolved it within PG. And to the best of my knowledge it was only a problem with NIS/NAV 2006.

How do I get to a download of the beta 3.3b so I can try it to see if it solves my eraserutildrv problem. Thanks!!

-{ Quote: "How do I get to a download of the beta 3.3b so I can try it to see if it solves my eraserutildrv problem. Thanks!!" }-The link in this announcement thread seems active still.
ProcessGuard v3.3b4 (final) ready (http://www.wilderssecurity.com/showthread.php?t=128354)

The latest PG version 3.4b1 works well with NIS 2006. I would use 3.4b1 instead of dropping back to 3.3.

http://www.wilderssecurity.com/showthread.php?t=135003

sarment asked for a 3.3 beta link. That was supplied. There have been some issues for 3.4 b including some you reported.
PG V3.4B1- Bug in Secure Message Handling (http://www.wilderssecurity.com/showthread.php?t=135320)
PG V3.4B1- A Bug in PGAccount Activation (http://www.wilderssecurity.com/showthread.php?t=135314)
Additionally the initial release with "physical memory protection" turned off.-{ Quote: "Well spotted. Yes, physical memory protection was turned off in that version for testing - that's been corrected now. The pgsetup_3400b1.exe file has been updated, but all that's needed is a 24kb driver update:" }-

How do I make the beta fully functional. I have a purchased version of Process Guard.

-{ Quote: "How do I make the beta fully functional. I have a purchased version of Process Guard." }-

Just enter your license key into your beta.

I tried but it didn't work.

I originally purchased an older version PG2 and PG3 came out less than 2 months later. I then upgraded to PG3. From my original purchase I have a Serial num and a RegSoft ID. I tried typing each of these into the "register" screen. Neither worked.

??????

I figrued it out. Thanks!!

Someone may want to know my experience with the 3.4 beta. It worked fine for a couple days on the "not full" version. When I finally figured out what to put in as an unlock code it was June 26. I put it in and it worked fine for a day. Then sometime between last night (jun 27) and this morning (jun 28) something went wrong. My computer started rebooting itself.

Sometimes on the reboot it would freeze and I would have to do a hard reboot. If I managed a reboot in regular mode, it would always reboot by itself sometime after windows loaded and while other programs were loading as part of startup.

Sometimes it would freeze on its way to safe mode. If I got to safe mode, it would not reboot by itself.

I tired a couple things, like turning off options and putting PG in learning mode. I tried a system restore to back a couple days ago. When I did this it restored and then froze on reboot. Nothing worked until I uninstalled PG while in safe mode.

I ran all my virus, etc scans to make sure I had no known nasties. Found nothing.

sounds like a BSOD, and that you have auto-restart turned on. to turn this off (to see the BSOD and read the info displayed on it, possibly including the name of the driver causing the problem) right-click my computer -> properties -> advanced -> startup and recovery settings -> make sure automatically restart checkbox is clear (ie. turned off)

as for the freezing on its way to safemode, this cannot be ProcessGuard as in terms of drivers, only boot-mode drivers will start and PGs drivers is set to automatic by default (ie. PGs protection is not running at any point during safe mode startup)

also, as this has kindof moved away from the PG 3.150 & EraserUtilDrv10500 problem, could one of the moderators splice this into another thread ;)

Sarment,

When you installed V3.4b1, did you fully remove the older PG version AND make sure that the 2 C:\System32 files pguard.dat and pghash.dat were removed? These two files are NOT compatible between v3.15 and the current betas. They have to be totally rebuilt through Learning Mode.

siliconman-
I uninstalled but did not look for those 2 particular files.

some name-
All I know for sure is after I unistalled PG beta my problems disappeared.

V3.15 does not automatically uninstall those two files. I strongly suspect that this is the cause of your problem. If you want to try again, be sure those two files are out of the C:\System32 folder, then re-install V3.4b1 and "re-teach" PG about your system by using the Learning mode for a period of time.

FYI, 3.4B1 will ask you if you want to uninstall those two files or zero them out when you uninstall V3.4b1 or when you install it.