PG 3.150 & EraserUtilDrv10500

Discussion in 'ProcessGuard' started by Baldrick, Dec 12, 2005.

Thread Status:
Not open for further replies.
  1. Try adding the <.sys> driver file (eraserutildrv10500) to the Protected app list (Protection Tab) and giving it "Drivers/Service" rights.

    The driver seems to be a Symantec clean up driver (stressing "seems") although there is already one in the same folder:

    C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

    But both have dates and time stamps for the day when this started:
    12th Dec 05
     
  2. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Sure, but since PG doesn't display the name of the exe, you would hardly add it to the protected list. That's why to temporarily disable "block service/driver" was handy and working (plus it's sometimes better to disable it temporarily than to add too many apps with driver allow flag). But I admit you may run into troubles again when it happens through auto-update :( ...

    Same way, I doubt the .sys driver file could be added to the protected list (as suggested in eraserutildrv10500's post), we've to locate the litigious exe instead.

    Cheers,
    nicM
     
  3. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Why hasn't one of the authors responded to this issue with a fix yet? There seems to be enough people having an issue with this that a response is warranted.
     
  4. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,557
    Location:
    South Wales, UK
    Hi there

    The suggestion of adding the <.sys> driver file (eraserutildrv10500) to the Protected app list (Protection Tab) and giving it "Drivers/Service" rights is a 'nice try' but no dice. If you notice when you try to add an app the default file types are .exe & .scr. I tried this 'add' a week ago but to no avail. PG does not seem to recognise the 'add'.

    Wayne or Gavin, could you help us out with this one even if it is just with an indication that you will eventually get around to seeing if there is anything that you could put into PG to sort out this issue?

    Thanks in advance.



    Baldrick
     

  5. I was able to add the driver to the list. But, it did not help. I agree, the Problem .exe needs to be found, although it could still be an integral part of another file <Rtvscan.exe> that might be causing the problem, or (dare I say) something else?


    As above, I was able to add this file to list, but, as you say "no dice" on finding a resolution to this problem.

    If this is part of another file that is yet unknown, then someone may have to contact Symantec to find out what they added to the 12 Dec 05 update (as I suspect this is when it started).

    I tried -
    I'll keep trying -
    I'll keep trying again -
    etc

    Kudos
     
  6. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    If Symantec can resolve it with the way the driver is loaded or used that would be easiest. Googling download NIS 2006 it gave interesting results :eek: but I did find http://www.symantec.com/public_beta 41MB NIS beta :) Downloading that now to test and hopefully I get the same symptoms - will use XP Pro SP2, PG 3.200 Beta 3
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I've replicated the problem.. we will look into it. Pressing ALLOW driver doesn't do anything which is the problem.

    Disabled PG, went to the registry and sure enough the entry is there. Reenabled PG and trying to replicate it, it may just go away which is desirable :) It hasn't come up again, and the driver IS there. Just leave PG off for a while if you have the problem, then re-enable it and it should be ok by the looks.
     
  8. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    I've tried the "leave PG off" proposed solution. This seems to be a temporary fix and does not solve the problem in the long term. I've consistently experienced the reoccurrence of the problem on subsequent reboots after having disabled PG in an effort to fix this issue.
     
  9. kampsk

    kampsk Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    33
    Just a Quick note. PG 3.2 has this problem too :(
     
  10. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    I just wanted to add that I am also experiencing the problem with PG 3.200. The symptoms are identical.
     
  11. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Yes it's a weird one, seeing the same behaviour. Temporary solution then problem again.

    I think I know the problem though :) it will have to be found and fixed
     
  12. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Thanks Gavin. I appreciate you sticking with this issue and will anticipate a fix in the future.
     
  13. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    786
    Location:
    West Virginia (USA)
    Any luck on getting out a fix for this Norton/PG issue?
     
  14. Tamplin Ted

    Tamplin Ted Guest

    Corporate version here, but the same is also happening.
    Culprit is DWHWizrd.exe (under Corporate, that is).
    Locate DWHWizrd.exe (I am assuming that's the same filename under Norton AV). Mine is at
    J:\Program Files\Symantec AntiVirus\
    Add DWHWizrd.exe to ProcessGuard (Protection tab, <add application> button).
    Under "authorize this application to", check
    1) terminate protected applications
    2) modify protected applications
    3) read from protected applications

    Under "other options for this application", check
    1) install global hooks
    2) install drivers/services
    3) access physical memory

    This is how I got things working, YMMV.

    Best wishes,
    Tamplin Ted
     
  15. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    786
    Location:
    West Virginia (USA)
    Hmmm....DWHWizrd.exe does not exist in NIS 2006.
     
  16. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,557
    Location:
    South Wales, UK
    Hi Siliconman01

    I thought the same thing but have checked on the web and apparently "The Dwhwizrd.exe file is used when a new set of definitions comes in. If you set debug mode to "verbose" and copy a new .vdb file into the directory where NAV is installed, then Dwhwizrd.exe pops up a window that reports what it is doing. The window flashes by quickly, but the corresponding line in the Rtvscan.exe debug window is "Pattern File <path> loaded." It is also used to re-scan files sitting in quarantine when new virus definitions are updated and installed." This is according to the Symantec Knowledgebase (Document ID: 2000042413265148) so I suppose that we should be looking for the .exe that does the same thing in NIS?

    By the way I have logged a tech question with Symantec Technical Support but am not holding my breath for a sensible or helpful answer as I can see them saying that it is PG's issue as it is blocking a perfectly legitimate activity by their software and it is up to PG to provide function to allow it if the user so desires (I hope that I am not writing their response for them......but based on past experience!).

    Anyway, will advise when I have a response. Perhaps we can isolate the relevant .exe based on what Tamplin Ted has provided?

    Best regards




    Baldrick
     
  17. Red Dawn

    Red Dawn Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    116
    didn't work for me, Corp 10, did it as you but same problem. Any fix on this as of it?
     
  18. Plutox

    Plutox Registered Member

    Joined:
    Dec 28, 2005
    Posts:
    22
    This appears to be a partial solution. The eraserutildrv10500 problem can be provoked by running DWHWizrd.exe manually and the settings described by Tamplin Ted do allow it to run without problems. However, when a LiveUpdate is performed and the database is updated, the problem still arises so presumably there is something else that requires similar extended privileges.

    However, the fact that PG currently cannot work out where the driver installation request is coming from definitely needs to be addressed.
     
  19. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,557
    Location:
    South Wales, UK
    Hi Plutox

    Point taken but that does not help users of the non Corporate versions. We are still struggling to find out what is the equivalent of DWHWizrd.exe, which does not exist in NIS or NAV.

    But you are right about the fact that "...fact that PG currently cannot work out where the driver installation request is coming from definitely needs to be addressed." Perhaps the guys at DCS will look into that after the festive break? (...................Please!).

    Regards



    Baldrick
     
  20. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,557
    Location:
    South Wales, UK
    Hi Gavin / Wayne

    Happy New Year!

    Any news on the likelihood of you being able to look into this issue and provide a fix? I am currently battling with Symantec on this, trying to find out which .exe is responsible for trying to install EraserUtilDrv10500 (so at least we could try to give it the relevant PG rights) but as you might expect it is like trying to draw blood from a stone.

    Any update on where this issue figures in your plans for 2006 would be most welcome.

    Best regards




    Baldrick
     
  21. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,557
    Location:
    South Wales, UK
    Hi Anybody Interested in This Thread

    AN UPDATE!

    Have received the following back from Symantec Support re. this issue:

    "...please note that EraserUtilDrv10500 uses <.sys> driver files. I suggest that you please add (eraserutildrv10500) to the Protected application list (Protection Tab) and giving it "Drivers/Service" rights.

    EraserUtilDrv10500 is Symantec clean up driver, when you run full system scan this service automatically runs in the background."

    I have searched the local hard drive of my PC (using eraserutildrv10500* and including hidden system files) but can find no reference to this anywhere, and therefore I am unable to add this to the Protected Applications List as they have suggested. I have advised them that ProcessGuard allows the addition of .exes & .scrs as a matter of course but to date I have never had to add a driver, rather it has been the .exe that calls or executes first initiates the driver/service. I have therefore asked them if there is any chance that they could let me know which .exe is related to the execution of the Symantec clean up driver, or how I can locate this mysterious driver eraserutildrv10500?

    Well, at least I am still dialoging with them. Will keep you posted on developments in this area.......if there are any.

    Wayne / Gavin, any news on what you can do at your end re. allowing us to include this type of driver/service execution in the Protected List? I am a little disappointed by the recent lack of response from DCS. Do you still love us?

    Best regards




    Baldrick
     
  22. Gestt

    Gestt Guest

    Following the advice from Dec 19th:

    "Try adding the <.sys> driver file (eraserutildrv10500) to the Protected app list (Protection Tab) and giving it "Drivers/Service" rights.

    The driver seems to be a Symantec clean up driver (stressing "seems") although there is already one in the same folder:

    C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys"

    I was able to add the driver. I will sit back and see if the error continues.
     
  23. Gestt

    Gestt Guest

    Didn't work. Still sets off Process Guard.
     
  24. Fantumz

    Fantumz Guest

    No answer?

    Has everyone given up?
     
  25. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    Re: No answer?

    After having second thoughts I have deleted my post... it didn't really add to anything.
     
    Last edited: Jan 10, 2006