PG 3.150 & EraserUtilDrv10500

Discussion in 'ProcessGuard' started by Baldrick, Dec 12, 2005.

Thread Status:
Not open for further replies.
  1. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Hi there

    I am running PG 3.150 (Full Version) and NIS2006. Tonight I used LiveUpdate to download and install Virus Defs & URL Security Def. Just after I installed them I started to get repeated PG Alerts that something tried to install a driver/service named EraserUtilDrv10500. Looking further, the application ' ' (as in BLANK) Proc Id 4 seemed to be the culprit. I checked the PID using Process Explorer and that identifies it as 'System'. Anyway, I scanned for the driver and found it listed as being in Program Files\Common Files\Symantec\Shared Files\EEngine. It has upped the Protection statistics from approx. 20000 to 35000 in under 20 minutes and shows no sign of stopping. I have an Alert permanently displaying. I tried putting PG in learning mode and all that happens is that the icon flashes green; I still get the alert bubble... so no luck there.

    Has anyone else running NIS and PG come across this issue and found a way to resolve it?

    Best regards





    Baldrick
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    So a driver install was blocked?

    OK - if you allow it, it should stop immediately. Clear the log and check.
     
  3. noel1947

    noel1947 Registered Member

    Joined:
    May 13, 2003
    Posts:
    41
    Location:
    Australia
    Gavin

    I have the same problem as Baldrick. Hitting the allow button has no effect. PG just keeps scrolling - up to 13711 items in my case. Closing Symantec AV to the system tray stops the PG pop-up alerts. Reopen AV and start a scan and the problem begins its cycle again.

    noel1947
     
  4. kampsk

    kampsk Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    33
    I had the same thing happen, but when PG was locked up and scrolling multiple install attempts I rebooted XP Pro and have had no problems since.
    I have NAV NIS2006 and PG v3.150 but this did not happen during an update. It happened while I was web surfing a trusted site :(
     
  5. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    I had the same with Nav 2006 trial yesterday, and as pushing the allow button had no effect (they were continuous and very fast prompts), I disabled the "block driver/service install" option temporarily: it seems that worked for me.
     
  6. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Hi there again

    I finally rebooted my PC at some ungodly hour and, like kampsk, the problem went away and (fingers crossed) has not returned since. One thing that I did notice is that I have NIS2006 set to run an automatic scan after a Virus Def download (new feature in NIS2006, I think). I will monitor the next download and if it happens again may try switching this off for the following download and see if there is a recurrence.

    The annoying thing from the PG point of view was the fact that clicking the Allow button had no effect. Perhaps the alerts were coming at such a rate that PG just could not cope. I also noticed that the details in the Protection panel just 'flashed' into view, to then be replaced by a blank panel and then back to the details again, seemingly in 'sync' with the alerts... Hmmmm!

    Will keep an eye on things and post again if I come across anything that may be of interest.

    Best regards



    Baldrick
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Something more to test... thanks :) This sounds strange to say the least. I've had a game (Path of Neo) build thousands of events and hit ALLOW and it allowed fine. Alt-Tab back and everything was drawing perfectly and away it went.
     
  8. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    Phew, Baldrick, thanks for this thread.

    Running SAV10 and NPF2006 here.

    This morning (UK time) I did the daily update on SAV. Within a short while PG was going absolutely berserk...

    Driver/Service tried to install driver/service named EraserUtilDrv10500

    Wondered what the hell it was especially as I use an app called Eraser to overwrite any rubbish on my PC.

    Clicking on "allow" had absolutely no effect. Mine ran up to 5/6000 before it stopped and I had to disable PG. Fortunately I had done a Drive Image backup a few minutes before so I was able to go back to that.

    I was at first suspicious that it was the latest Microsoft updates, but after using my DI backup two or three times it was obvious it was Symantec.
    Am now stuck not daring to update my SAV.
     
  9. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Hi Oremina

    Scary, huh?

    Well, you cannot just not update your Anti Virus defs. I allowed the Virus Def update. I had the issue with EraserUtilDrv10500, but since I rebooted just after the Virus Def update PG has been fine. No more excessive PG Alerts.

    My suggestion, for what it is worth, is that you take a fresh Drive Image backup, then do the Virus Def update and then reboot as soon as possible afterwards. If when rebooted you are still having issues then you should be able to go back to that. If there are no further issues then you can continue as per normal.

    Hope that helps? I will be trying a few things on my PC and will post again if I have any more relevant news.

    Best regards




    Baldrick
     
  10. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Hi again Oremina

    After my last post I checked LiveUpdate again and found that there was another Virus Def update plus a couple of other updates (I run NIS2006 so that might be expected). Anyway, I downloaded and installed everything except for the Virus Defs just to be sure and rebooted. No ill effects highlighted by PG.

    I then recalled that (i) I had noticed just after previous Virus Def updates that in the PG alerts window navw32.exe was shown as starting (allowed), and (ii) the AV options are set so that a Quick Scan is done (recommended) after Def updates. There were no ill effects from the no-Defs update just done, so I was convinced that it was related to the Def update... and the only thing running after that that does not run all the time is a Quick Scan.

    In the Protection panel I checked whether the NAV components that are protected by PG had authority to 'Install Drivers/Services'... and they had not, and so as an experiment I gave the following that authority:

    navw32.exe
    navapsvc.exe
    navapw32.exe

    I then ran LiveUpdate again to download/update the Virus Defs and following the completion of that there were no PG Alerts re. EraserUtilDrv10500.

    Anyway, I don't know if I have solved it by doing the above. I will have to wait until there is another Virus Def update, run that and see if all is well. In the meantime you may like to try out the above and let us know what it does for you.

    Hope that this helps?

    Best regards




    Baldrick
     
  11. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    Hi Baldrick

    Thanks for the info. Downloaded the latest update about an hour ago. Noticed a little thread over on DSLR about the possibility of a bad update (or something?) here :-

    http://www.dslreports.com/forum/remark,15023372

    Disabled PG, did the d/l and rebooted. Then put PG into learning mode and rebooted again. Up to now no problems and it is the best part of an hour now. Won't tempt fate by saying looking good (but it is).

    I noticed the d/l was 783KB so there was obviously something there besides virus definitions.

    Symantec seem to have a habit of doing this sort of thing every now and then.

    Regards
     
  12. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Process Guard is having an issue related to Symantec's Norton SystemWorks Premier, specifically Antivirus 2006. When I open the main control panel and initiate a full system scan the scan begins, then I close the main control panel. When I do that, I get a stream of alerts indicating that Process ID: 4 is trying to install a driver/service named EraserUtilDrv10500. I assumed, maybe mistakenly, that it was a legit part of Norton. Even when I try to put PG into learning mode, the alerts continue. The scan seems to run OK.

    After reading through this thread, it seems that some have managed to work around the problem. Myself, I cannot get it to stop. I can trigger the problem every time by opening the "home" screen, which I refer to above as the control panel, going to the Antivirus tab, clicking on "system scan," and clicking "scan now." Once the scan begins and I close out of the control panel, bang, I get flooded with alerts. My experience from there is exactly as described above. I cannot get the alerts to go away without disabling the driver installation protection within PG.
     
  13. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    With reference to my last post, it was all a bit too premature and optimistic.
    When I did the last d/l and rebooted I had unticked all the PG Global Protection Options to let the update do its own thing. After rebooting I forgot to tick the Options again. Another senior moment.

    As soon as I reticked them the "attacks" rattled up into their hundreds/thousands.

    Couple of things here... is the problem PG or Symantec related? I do not know, but I do know this:- I've had PG for quite a long time now and have never had any problems with it. On the other hand I have had several problems with Symantec over the last couple of years. My gut feeling at this moment is that I've had it with Symantec and I'm ready to rip everything Symantec off my PC and replace it with something else. However, it appears not to be a widespread problem, but of course only PG users will be aware of it.

    B*ggared if I know the answer! :doubt:
     
  14. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    It's most likely something that Symantec has done that PG doesn't like. However, it is also a PG issue because it should not be this difficult to instruct PG to allow what Symantec is trying to do.
     
  15. Brocoli

    Brocoli Registered Member

    Joined:
    Dec 15, 2005
    Posts:
    5
    Same problem here.

    I am using Symantec Antivirus Corporate 10.x.

    Let me know if a solution is found.
     
  16. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Hi there

    Have done some further investigation and can confirm that the issue is linked to NAV, or the NAV component of the Norton products, when a scan is run, whether manually or as a result of a Virus Def download (if the QuickScan option is ticked).

    The process running at the time appears to be navw32.exe (at least that is taking the larger share of the CPU) and I have tried ticking the Install Drivers/Services option in the Protection panel for this entry, but that has no effect (most probably as the process identified as causing the issue is Proc Id (no description or name) 4, which from a check with Process Explorer is identified as being 'System').

    I will try logging this with Symantec Support but I doubt that we will have any joy as it seems to be only PG users who are affected.

    As Dallen notes, it does not seem to interfere with the scan, but the annoying thing is that PG does not seem to be able to register the fact that this behaviour should be allowed if the user so wishes it. Perhaps the excellent chaps at DCS could comment?

    Edit: In fact, thinking about it, the fact that there is no application name displayed to identify what is trying to install the driver/service (as there usually is for all the other occurrences of this type of alert) may be the clue, as you need to be able to record the 'Allow' in the Protection panel, and with no name how can you allow? Perhaps we need to be able to add a special entry for the 'System'? Probably the rantings of a tired mind but...!

    Best regards



    Baldrick
     
    Last edited: Dec 15, 2005
  17. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    Hi Baldrick

    Can tell you that it isn't specifically just navw32.exe, but more that and its equivalent in SAV. I remember navw32 well as that is the file I used to stick in my Download Manager to scan d/l's (if my memory serves me well). I think the equivalent in SAV is rtvscan.exe and the equivalent of navapsvc is vptray.exe. Whatever, it seems to be general with various Norton AV products and PG.

    It is hard for me to be specific about these file names at the moment as I've spent half the day ripping Symantec off my PC and installing Avast - which I'm quite impressed by. That isn't to say that I've given up on Symantec as I've got an image to restore if/when the matter is sorted.

    Anyway, let's keep smiling - ain't life wonderful!
     
  18. Brocoli

    Brocoli Registered Member

    Joined:
    Dec 15, 2005
    Posts:
    5
    In my case, Symantec Antivirus Corporate Edition 10.x, the files that seem to be involved are:

    vpc32.exe
    vpdn_lu.exe
    vptray.exe

    As Baldrick mentioned, it is probably because there is no name associated with the entry that we cannot do anything with it.

    That said, does anybody have more info on that strange driver from Symantec?
     
  19. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    As Baldrick mentions in his post above, it would be useful to have an expert opinion (from DCS).
     
  20. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Hi there

    All quiet on the EraserUtilDrv10500 issue, but that is because there has been no further download. I find it interesting that Auto Protect, which also scans when you access an object, is not causing this problem, so it may be the way that Symantec have recently changed the QuickScan & Full Scan functions.

    Anyway, I am holding fast for a while in the hope that the boffins at DCS are looking into the info we have provided to see if they can do something. I am wondering if this has highlighted an area for the addition of some new functionality? At least PG is still protecting us from this type of 'attack'. It is just a shame that we cannot allow it at will.

    I have to admit that I have been eyeing ZoneAlarm's IS product as an alternative to NIS... but I will hold on for a little while more in the hope of a development. One thing that I am sure of is that I do not want to get rid of PG... it is the best.

    Best regards




    Baldrick
     
  21. kampsk

    kampsk Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    33
    Just to throw a little info out there. Hope it helps.
    Had NIS 2006 a while now and had no problems until now. (Norton changed something during a recent update that flags PG?)
    Just a quick snapshot of my PG log at the time of the process conflict (this is the first time it happened; the second time is almost an identical log and ends at the same exe). There are a couple of lines that are odd.



    Mon 12 - 16:52:00 [EXECUTION] "c:\program files\symantec\liveupdate\ndetect.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\system32\svchost.exe" [1152]
    [EXECUTION] Commandline - [ "c:\program files\symantec\liveupdate\ndetect.exe" ]
    Mon 12 - 16:52:00 [EXECUTION] "c:\program files\symantec\liveupdate\aupdate.exe" was allowed to run
    [EXECUTION] Started by "Unknown Process" [4048]
    [EXECUTION] Commandline - [ "c:\program files\symantec\liveupdate\aupdate.exe" ]
    Mon 12 - 16:52:10 [EXECUTION] "c:\program files\symantec\liveupdate\lucomserver_2_7.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\system32\svchost.exe" [988]
    [EXECUTION] Commandline - [ "c:\progra~1\symantec\liveup~1\lucoms~1.exe" -embedding ]
    Mon 12 - 16:52:39 [EXECUTION] "c:\program files\norton internet security\norton antivirus\navw32.exe" was allowed to run
    [EXECUTION] Started by "c:\progra~1\symantec\liveup~1\lucoms~1.exe" [892]
    [EXECUTION] Commandline - [ "c:\program files\norton internet security\norton antivirus\navw32.exe" /sescan ]
    Mon 12 - 16:52:45 [DRIVER/SERVICE] [4] Tried to install a driver/service named EraserUtilDrv10500
    Mon 12 - 16:52:45 [DRIVER/SERVICE] [4] Tried to install a driver/service named EraserUtilDrv10500
    Mon 12 - 16:52:45 [DRIVER/SERVICE] [4] Tried to install a driver/service named EraserUtilDrv10500
    Mon 12 - 16:52:45 [DRIVER/SERVICE] [4] Tried to install a driver/service named EraserUtilDrv10500
    Mon 12 - 16:52:45 [DRIVER/SERVICE] [4] Tried to install a driver/service named EraserUtilDrv10500
    Mon 12 - 16:52:45 [DRIVER/SERVICE] [4] Tried to install a driver/service named EraserUtilDrv10500
    Mon 12 - 16:52:45 [DRIVER/SERVICE] [4] Tried to install a driver/service named EraserUtilDrv10500
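    A way to pick out this kind of alert flood from a ProcessGuard log, as an added example that is not part of the thread or of ProcessGuard itself: it parses the timestamped lines of kampsk's excerpt above, counts repeated [DRIVER/SERVICE] attempts per (PID, driver name) inside a short window, and reports the last image PG allowed to run before the burst began, which here is navw32.exe /sescan. The timestamp handling (day-of-month plus time, same month) and the threshold and window values are my assumptions.

```python
import re
from collections import defaultdict

# One timestamped ProcessGuard log line, e.g.
#   Mon 12 - 16:52:45 [DRIVER/SERVICE] [4] Tried to install a driver/service named EraserUtilDrv10500
LINE_RE = re.compile(r'^\w{3} (\d+) - (\d\d):(\d\d):(\d\d) \[([A-Z/]+)\] (.*)$')
DRIVER_RE = re.compile(r'^\[(\d+)\] Tried to install a driver/service named (\S+)$')
EXEC_RE = re.compile(r'^"([^"]+)" was allowed to run$')

# Sample input: an abridged copy of the log kampsk posted, with the seven
# identical [DRIVER/SERVICE] lines generated in a loop instead of pasted.
SAMPLE_LOG = (
    'Mon 12 - 16:52:00 [EXECUTION] "c:\\program files\\symantec\\liveupdate\\ndetect.exe" was allowed to run\n'
    '[EXECUTION] Started by "c:\\windows\\system32\\svchost.exe" [1152]\n'
    'Mon 12 - 16:52:39 [EXECUTION] "c:\\program files\\norton internet security\\norton antivirus\\navw32.exe" was allowed to run\n'
    '[EXECUTION] Commandline - [ "c:\\program files\\norton internet security\\norton antivirus\\navw32.exe" /sescan ]\n'
    + 'Mon 12 - 16:52:45 [DRIVER/SERVICE] [4] Tried to install a driver/service named EraserUtilDrv10500\n' * 7
)


def parse_pg_log(text):
    """Return (seconds, kind, detail) per timestamped line; continuation lines
    carry no timestamp and are skipped. Assumption: all lines fall in one
    month, so day-of-month plus time-of-day is enough to order them."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            day, hh, mm, ss, kind, detail = m.groups()
            secs = int(day) * 86400 + int(hh) * 3600 + int(mm) * 60 + int(ss)
            events.append((secs, kind, detail))
    return events


def find_driver_install_floods(events, threshold=5, window_s=60):
    """Report every (pid, driver) that logs at least `threshold` install
    attempts within any `window_s`-second span, plus the last image PG
    allowed to run before the burst started (the probable trigger)."""
    attempts = defaultdict(list)
    for secs, kind, detail in events:
        m = DRIVER_RE.match(detail) if kind == 'DRIVER/SERVICE' else None
        if m:
            attempts[(int(m.group(1)), m.group(2))].append(secs)
    floods = []
    for (pid, driver), times in attempts.items():
        times.sort()
        for j in range(threshold - 1, len(times)):
            start = times[j - threshold + 1]          # window begins here
            if times[j] - start <= window_s:
                execs = [EXEC_RE.match(d).group(1) for s, k, d in events
                         if k == 'EXECUTION' and s <= start and EXEC_RE.match(d)]
                floods.append({'pid': pid, 'driver': driver, 'count': len(times),
                               'span_s': times[-1] - times[0],
                               'preceding_exec': execs[-1] if execs else None})
                break                                  # one report per group
    return floods


if __name__ == '__main__':
    for flood in find_driver_install_floods(parse_pg_log(SAMPLE_LOG)):
        print(flood)
```

    Run over the real log file, the report tells you whether the entries are one PID hammering one driver name behind a scan, as in this thread, or something worth a closer look.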
     
  22. Galaxy

    Galaxy Guest

    I have the same problem. I didn't dare try this, but wouldn't disabling "Block Rootkit/Driver/Service Installation" from the Global Options solve the problem?

    (and perhaps create another)

    Thanks
     
  23. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    That did work for me; the matter is just to disable it temporarily for the update, and then re-enable it later: very simple and effective :)

    ...and no other problem doing this, although I can't check it back, I've removed NAV 2006 trial since.

    Cheers,
    nicM
     
  24. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    As a temporary measure that is fine, but long term I think not. PG picks up the fact that a process (albeit unknown) is trying to install a driver that is not (yet) allowed, but you cannot make the decision to allow it or not... that IMHO is the issue.

    As I have said before, hopefully, once PG 3.2 Final is released Wayne & Gavin will be able to turn their attentions to solving our little conundrum.

    Regards



    Baldrick
     
  25. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Some of us might not consider this to be a "little conundrum." A response by the developers on this issue would be nice.
     