Full Version: Symantec AntiVirus Corporate Edition 10.0.0.359
big poppa pump
I had the same problem with SAV 10. I think it's the spyware scan engine with this version. I was surprised when I did my unattended install and found that DAP was not installed. I finally realized that SAV was cleaning out the entire DAP directory in Program Files the moment it is installed. FTM, I have got rid of SAV10 and sticking with SAV 9. Too many things wrong with SAV 10 if you ask me.
hammermtl
I tried using the

CODE
/qb RUNSCAN=0 RUNLIVEUPDATE=0 REBOOT=REALLYSUPPRESS

as suggested but I still get the message that my virus definitions are old and displays the message to update.

HOWEVER the installation continues and all my other applications install and then the PC reboots.

Does anyone think this would have any ill-effects on the computer?

This is being done on an actual machine and not VM. Any suggestions?


Josh
RyanVM
Yeah, that message is annoying me too. The "workaround" I'm using right now is to just update vdefhub.zip from time to time
plutoz
http://service1.symantec.com/SUPPORT/ent-s...niver=sav_ce_10

DoScan.exe causes high CPU usage

Situation:
You installed Symantec AntiVirus Corporate Edition 10.0. After you restart the computer, you notice that the process DoScan.exe is using a large amount of CPU and memory. After the DoScan.exe process completes, the Rtvscan.exe process is using about 40 MB of memory.

Solution:
Symantec is investigating this problem to determine a solution. This document will be updated when new information or a solution is available.


The DoScan.exe process is part of the default startup Quick Scan that runs after a user logs on. You cannot disable this Quick Scan using Symantec System Center.
Nilfred
Nice workaround on that link dude!
plutoz
upon further investigation I found I was able to get rid of the auto-generated quickscan simply by deleting the following key:

[HKEY_CURRENT_USER\Software\Intel\Landesk\VirusProtect6\CurrentVersion\Custom Tasks\TaskPadStartup\Auto-Generated QuickScan]


not sure why the symantec workarounds remove so much other registry information!
boooggy
or u open symantec antivirus go to startup scans and right click on startup scan and click delete.
rezzo
QUOTE (Sanjay @ May 25 2005, 08:00 AM)
Does anyone else have a problem with running Download Accelerator with 'SAV Corporate 10.0.0.359'. Every time I install Download Accelerator, 'SAV Corporate 10.0.0.359' immediately opens up a window with the following info:
CODE
Scan type:  Auto-Protect Scan
Event:  Threat Found!
Threat: Adware.DAP
File:  C:\Program Files\DAP\DAPBHO.dll
Location:  C:\Program Files\DAP
Computer:  VISUALTECH
User:  VISUALTECH\Sanjay
Action taken:  Pending Side Effects Analysis
Date found: Wednesday, May 25, 2005  5:31:53 PM

and another window pops up wanting to delete the 'DAPBHO.dll' file. The end result is I am unable to keep Download Accelerator as long as I have 'SAV Corporate 10.0.0.359' installed. This was not a problem with older versions of SAV Corporate.

Any ideas why this happening or what the solution might be?
*

I have the same problem here. Symantec 10.0 is so buggy.
mickmack
it is not a bug, it warns you about Browser Helper Object that adds its button to IE. you can exclude monitoring such things in SAV
RogueSpear
While I have used DAP from time to time myself, it has long been on the naughty list of several anti-malware vendors. I don't know what their current business practices are, but I remember that for quite some time they really walked a fine line between legit and spyware spreader. So if their products still raise alarms it really doesn't surprise me, even if they have cleaned up their act.
tbma
My version of install.cmd

CODE
rem * Suppress annoying warning about outdated virus definitions until next update. Number is a definitions date, and depends
rem on your current installation. Can be taken from HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternFileDate
rem after test install.
reg add HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion /v NoWarnPattern /t REG_BINARY /d 23030C0000000000 /f

rem * Installing all components except Lotus Notes Auto-Protect. Enabling "Tamper Protection".
start /WAIT msiexec /i "Symantec AntiVirus.msi" /QB!- RUNLIVEUPDATE=0 SYMPROTECTDISABLED=0 ADDLOCAL=SAVMain,SAVUI,SAVHelp,EMailTools,OutlookSnapin,Pop3Smtp,QClient

rem * Launch silent LiveUpdate for virus definitions.
start /WAIT "" "%programfiles%\Symantec Antivirus\VPDN_LU.EXE" /s

rem * Removing auto-created startup scan to avoid high CPU usage.
reg delete "HKCU\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks" /f
sleepnmojo
CODE
rem * Removing auto-created startup scan to avoid high CPU usage.
reg delete "HKCU\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks" /f


This is only a temporary solution. You need to add the key I specified in post 43 of this thread. When SAV doesn't see it, it will create the startup scan. The Symantec solution is similar, but adds an extra key, which isn't really needed.
tbma
QUOTE (sleepnmojo @ Jun 5 2005, 10:28 AM)
This is only a temporary solution.  You need to add the key I specified in post 43 of this thread.  When SAV doesn't see it, it will create the startup scan.  The Symantec solution is similar, but adds an extra key, which isn't really needed.
*

Many Thanks!! I've added the line below following your recommendations as the last line and it did the trick.

CODE
reg add "HKCU\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks" /v CreatedUserQuickScan /t REG_DWORD /d 0x1 /f
[deXter]
**** I'm liking Symantec more and more!

Just yesterday morning I discovered a new virus strain which wasn't detectable by any AV and wasn't documented anywhere on web either! So I analyzed the virus, documented exactly what it did and submitted it to them. I immediately got a reply that my submission was accepted, and is being processed. A few hours later, I got another auto-reply saying that the new virus has now been officially recognized! The new signature was added to the virusdefs and bam after updating SAV can now remove it! All in a span of few hours! And today I checked up the Symantec Security Response site, and noticed that the new virus has been documented, and in full detail too!

Btw, for those interested, you can always get the latest and by latest I mean hourly updated defs here:

http://securityresponse.symantec.com/avcen...a.download.html

You ought to download that in one go; cause if you pause and resume later, for all you know the defs already been updated! (I tried pausing and downloading an hour later, file size was already changed.)
boooggy
thanx for the link. but i think is useless. i downloaded the definition from there and after that i looked here symantec downloads and in my link the definitions are newer.....
sleepnmojo
I'll give those a try. I ended up finding one yesterday that SAV couldn't detect, even updated to latest and greatest. I was looking for a link to send it in, but couldn't find one. I do believe it has been discovered though, because I typed some info in google and came up with variants.

I ran it through VMWare just to play with it, and didn't look like it did much. I could remove it manually, so I felt it was pretty weak.
plutoz
QUOTE (sleepnmojo @ Jun 5 2005, 02:28 PM)
CODE
rem * Removing auto-created startup scan to avoid high CPU usage.
reg delete "HKCU\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks" /f


This is only a temporary solution.  You need to add the key I specified in post 43 of this thread.  When SAV doesn't see it, it will create the startup scan.  The Symantec solution is similar, but adds an extra key, which isn't really needed.
*


sleepnmojo, what is the timeframe for the re-creation of the automatic startup scan? I have removed it from PCs on my network by deleting the key I posted previously (no need to delete the entire 'Custom Tasks') and been through several reboots and it has not come back, without adding your key.
sleepnmojo
QUOTE (plutoz @ Jun 6 2005, 02:56 PM)
sleepnmojo, what is the timeframe for the re-creation of the automatic startup scan? I have removed it from PCs on my network by deleting the key I posted previously (no need to delete the entire 'Custom Tasks') and been through several reboots and it has not come back, without adding your key.
*


If you were to delete the whole Custom Tasks key, then I would say after next login. As for the key you posted, it wouldn't matter. As long as the CreatedUserQuickScan key is there, it shouldn't come back. Since you don't delete it, it won't come back.

Now you could just import the key at t-12, or import it into the default profile, and not have to delete it at all.
plutoz
QUOTE (sleepnmojo @ Jun 6 2005, 06:05 PM)
If you were to delete the whole Custom Tasks key, then I would say after next login.  As for the key you posted, it wouldn't matter.  As long as the CreatedUserQuickScan key is there, it shouldn't come back.  Since you don't delete it, it won't come back.


That makes a lot of sense, thx.


QUOTE
Now you could just import the key at t-12, or import it into the default profile, and not have to delete it at all.
*


Not sure I understand this part...can you explain a bit more?

I tried adding the CreatedUserQuickScan to HKU\.DEFAULT\Software...etc but it didn't affect new users logging in on the machine - they got the auto generated scan for their first logins until the login script command I set up deleted it from their HKCU....
tbma
QUOTE
I tried adding the CreatedUserQuickScan to HKU\.DEFAULT\Software...etc but it didn't affect new users logging in on the machine - they got the auto generated scan for their first logins until the login script command I set up deleted it from their HKCU....
*


You need to add 2 keys, imho.

CODE
reg add "HKU\.DEFAULT\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks" /v CreatedUserQuickScan /t REG_DWORD /d 0x1 /f
reg add "HKU\.DEFAULT\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks" /v CopiedDefaultScanOptions /t REG_DWORD /d 0x1 /f


adding those 2 in installation script to HKCU, before running MSIEXEC, would disable autocreation altogether.
sleepnmojo
No no

HKU\.Default is the login session, not the default user. You should rarely have to touch the keys in there.

By importing it into the default profile, I mean load the registry hive of the default user. This can be done by either regedit or reg.

In regedit, go to the HKEY_USERS section, then go to File -> Load Hive. Browse to your Default Users directory, and load NTUSER.DAT. Name it something (default is what I would use), then import your key to it. You can unload the hive once you are done with it, but it shouldn't matter.

In reg.exe, you need the load command. Should look similar to
CODE
REG LOAD HKU\default "%PATHTODEFAULTUSER%\NTUSER.DAT"

then load the key.

By T-12, I talk about on a clean install, but I think most people know that on this site.
Vadikan
sleepnmojo is correct. No need to mess with HKU.

One can run the following commands from a batch file at T-12 and prevent doscan.exe from running upon the completion of SAV installation.
CODE
reg add "HKCU\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks" /v CreatedUserQuickScan /t REG_DWORD /d 0x1 /f
reg add "HKCU\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks" /v CopiedDefaultScanOptions /t REG_DWORD /d 0x1 /f


Alternatively, one can import PreventStartScan.reg provided by Symantec at T-12.

Either way the settings will apply to all users.
tbma
QUOTE (VAD @ Jun 7 2005, 02:39 PM)
sleepnmojo is correct. No need to mess with HKU.

Either way the settings will apply to all users.
*


Unfortunately they will not, if we are talking about just applying the keys to HKCU.
Try to create a new user and he will get the auto generated scan as soon as he logs in.

Universal automated way of determining the "Default Profile" folder is not trivial, but I have a solution as you may know
tbma
here it is

CODE
call :ReadReg ProfilesDirectory
for /f "usebackq delims==" %%i in (`echo %TMP1%`) do set TMP2=%%i
call :ReadReg DefaultUserProfile
set TMP1=%TMP2%\%TMP1%

if exist "%TMP1%" (
  reg load HKU\default "%TMP1%\NTUSER.DAT"
  reg add "HKU\default\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks" /v CreatedUserQuickScan /t REG_DWORD /d 0x1 /f
  reg add "HKU\default\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks" /v CopiedDefaultScanOptions /t REG_DWORD /d 0x1 /f
  reg unload HKU\default
  )
set TMP1=
set TMP2=
goto :eof

:ReadReg
rem *** single tab here between == and "
for /f "usebackq tokens=3,3* delims==    " %%i in (`reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /v %1 ^| find "%1"`) do set TMP1=%%i
goto :eof
Vadikan
QUOTE (tbma)
Unfortunately they will not, if we are talking about just applying the keys to HKCU.

I'm not sure if you understand me correctly. My point is: import HKCU tweaks at T-12 (cmdlines.txt) and they will apply to all users, because at that moment the tweaks get imported into the Default User profile. It's the same as loading the Default User registry hive and editing it prior to creating new users.

Well, in some cases HKCU tweaks may not "stick" when applied at T-12. Are you saying this is the case with doscan.exe prevention? Have you tried importing at T-12?
tbma
QUOTE (VAD @ Jun 8 2005, 08:55 AM)
QUOTE (tbma)
Unfortunately they will not, if we are talking about just applying the keys to HKCU.

Well, in some cases HKCU tweaks may not "stick" when applied at T-12. Are you saying this is the case with doscan.exe prevention? Have you tried importing at T-12?
*


Honestly I haven't tried it with cmdlines.txt.
I am interested in one unified way to install the app not only at T-12, but also on already installed boxes (XP and w2k workstations that is).
Vadikan
QUOTE (tbma @ Jun 8 2005, 11:06 AM)
I am interested in one unified way to install the app not only at T-12, but also on already installed boxes (XP and w2k workstations that is).
*

Oh, I see now. That makes sense. BTW, nice batch file
tbma
QUOTE (VAD @ Jun 8 2005, 05:32 PM)
Oh, I see now. That makes sense. BTW, nice batch file
*

Thanks, hope somebody finds it useful
tarquel
Sorry if this sorta off-topic but thought it the best place to mention it...

(tho if any admins want to use it as news, etc. and delete this post, they can of course)

...but if anyone with a Gold (dont know if Silver includes SA) or above maintenance in Europe is wondering why they haven't had their v10 upgrade pack (as per their maintenance agreement), the packs are due to be shipped out to everyone this month or next month.

Regards,
N.
coucou
Hi,

How can I get rid of the "Old Virus Definition File" (see enclosed image) message after a silent install

Here the silent switches i'm using
CODE
Symantec\sav10.msi /qb RUNLIVEUPDATE=0 REBOOT=REALLYSUPPRESS

I know the a06lp step by step update definition. It's useful for the fresh burned unattended CD. what about using that CD few months later?

Regards
couocu
Vadikan
Just read the first post on page seven from the beginning, and you'll find out how to get rid of the message.
QUOTE
what about using that CD few months later?
You'll need the recent virus defs anyway, correct?
You don't have to repack the whole package in order to update definitions. If 10 mb of space is not an issue, you can get an intelligent updater and open it in WinRar and change one line in the comment from
CODE
Setup=wrap32.exe
to
CODE
Setup=updater.exe /q
Or you can just unpack the SFX, extract updater.exe and run it with /q.
pivot the blue
Hi Guys,

I guess this topic is a bit old now, however I do hope someone can help me.
I created 7Zip Symantec corp. install. It works like a charm, however if I try to install it via RunonceEx It fails to install.

It's unzipping and when startx should have run msi, msg box with following text appears: StartX, No parameters spcified.

For a complete description of the command line parameters StartX accepts, click "Help"

Can you see the problem? The package works when it's run inside windows and RunonceEx does start it however there is some weird problem that it does not want to install.
jstone63
Be careful using the suggestion of grabbing the VIRSCAN.ZIP file from the Symantec Intelligent Updaters and just renaming them the VDefHub.zip to place in the install packages. This can result in duplicate or missing definitions the next time the system runs LiveUpdate. The VDefHub file is also utilized to populate the BinHub folder. The BinHub is used to merge LiveUpdate packages to create the new set of definitions when using LiveUpdate. The method used when a parent server pushes definitions to a client is completely different and does not utilize the BinHub folder. When using LiveUpdate the BinHub set has to be from a known point in order for the merge to provide a correct set of definitions and in most cases the VIRSCAN.ZIP file you use will not be one of these known points specified by Symantec.

Instead what you should do is take a system that is always updating definitions using LiveUpdate (not getting them from a parent server), zip up the contents in the BinHub folder, and name that VDefHub.zip. This will mean that the system might not start out with the absolute latest definition file set but they will be within the last couple weeks and this way you don't end up with possibly non-functional definitions down the road.
DonDamm
@coucou, I have the same problem as I'm building an install for a friend who may not install it for a few weeks or even a couple of months. His dsl won't be setup until after install, so the "old virus def" box is sure to pop up.

I solved this in the following way. I use one cmd file called GetCurrentDate.cmd and first grab the current date and put it into a text file. Then it changes the system date during the installation to 1 May 2005 (a date within 30 days of the build). After installation I run RestoreCurrentDate.cmd which takes the date from the previously created file.

GetCurrentDate.cmd
CODE
cmdow @ /HID
@echo off

for /f "tokens=2 delims=/ " %%x in ('date /t') do for /f "tokens=3 delims=/ " %%y in ('date /t') do for /f "tokens=4 delims=/ " %%z in ('date /t') do echo %%x-%%y-%%z > "%tmp%\CurrentDate.txt"


date 05-01-2005

exit


RestoreCurrentDate.cmd
CODE
cmdow @ /HID
@echo off

date < "%tmp%\CurrentDate.txt"

exit


The "for" command is necessary to parse the date into the correct form which will be accepted by the date function. It took me a while to finally get this working, but now it works a charm and can be used for any program which has date sensitivity without disrupting the unattended installation!
sleepnmojo
QUOTE (coucou @ Jun 21 2005, 05:05 AM)
How can I get rid of the "Old Virus Definition File" (see enclosed image) message after a silent install
*


I haven't tested this yet, but I noticed this key changed when clicking the box
CODE
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion]
"NoWarnPattern"=hex:23,04,12,00,00,00,00,00


Then try deleting it, after install, to re-enable it so the user would know to update.

Edit: bad code tags
sleepnmojo
sorry, double post
DonDamm
Not certain, but that key looks like it pertains to the new built-in MS Security Center. I don't know if the message box that pops up is from the security center or from Symantec! If it is MS, then that would work also.

In either case it requires running a cmd file before and after, which is a bit of a kluge and inelegant, even if it works. I would prefer to disable it in the msi file itself, but I don't have time to look into it right now because I have to finish my tax declaration by the end of the month!!!! I found a program, MakeMSI which is free and allows you to manipulate and look inside msi files. If I'm successful I'll post the results here. Until then, a quick change of the system date does the trick and after reboot it automatically goes out and gets the updates.

Addendum, I also found that if you set LiveUpdate to Express Mode you can copy over the ini file which is Setting.LiveUpdate to

%AllUsersProfile%\Application Data\Symantec\LiveUpdate\Settings.LiveUpdate

it will update without any necessary input from the user! :o)
tbma
QUOTE (DonDamm @ Jun 28 2005, 08:34 AM)
Not certain, but that key looks like it pertains to the new built-in MS Security Center. I don't know if the message box that pops up is from the security center or from Symantec! If it is MS, then that would work also.
*

Message pops up from the Symantec AV itself, when filedate of the virus definitions in the installation differs from current date by more than 30 days.
You can disable it either
  • setting date back before installation, and returning it back after LiveUpdate.
  • Or constantly updating definitions inside the installation.
  • Or using a method I described here.
First do the test install.
Then run
CODE
reg query "HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion" /v PatternFileDate

it will display something like
CODE
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion
   PatternFileDate     REG_BINARY      2305160000000000

Grab that long number (it's a filedate of the definitions installed) and insert it into your installation script.

Something like
CODE
reg add "HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion" /v NoWarnPattern /t REG_BINARY /d 2305160000000000 /f

Running this before installation will suppress the warning.

QUOTE
In either case it requires running a cmd file before and after, which is a bit of a kluge and inelegant, even if it works.

p.s. With this method there is no need to mess with the system dates, and remake your install every month (which looks very elegant to me;)). And since you will need to run cmd commands anyway if you want to get rid of the "AutoCreated Scan", I see no problem adding some more.
Just hide the black ugly cmd windows (there is plenty of tools available) and it will look very elegant.

I am running all this from the 7zip SFX using StartX
CODE
;!@Install@!UTF-8!
RunProgram="StartX.exe /B /WAIT \"install.cmd\""
;!@InstallEnd@!

and cmd window never shows up.
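
An added example, not part of tbma's post or of any Symantec tooling: a Python audit that parses the `reg query` output format shown above and flags a machine whose definitions are past the 30-day threshold while `NoWarnPattern` keeps the warning hidden. The byte layout (year minus 1970, zero-based month, day) is an assumption not stated in the thread, the `NoWarnPattern` line in the sample is constructed, and `audit` and the status names are hypothetical.

```python
import re
from datetime import date

# Constructed sample: the PatternFileDate output quoted in the thread, plus a
# NoWarnPattern line as the `reg add` command from the post would leave it.
SAMPLE_REG_OUTPUT = r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion
   PatternFileDate     REG_BINARY      2305160000000000
   NoWarnPattern       REG_BINARY      2305160000000000
"""

WARN_AFTER_DAYS = 30  # age at which SAV shows the warning, per the thread

_VALUE_LINE = re.compile(
    r"^[ \t]*(\w+)[ \t]+REG_BINARY[ \t]+([0-9A-Fa-f]+)[ \t\r]*$", re.MULTILINE
)


def parse_reg_binary(output):
    """Map value name -> raw bytes for each REG_BINARY line of reg.exe output."""
    values = {}
    for name, hexdigits in _VALUE_LINE.findall(output):
        if len(hexdigits) % 2 == 0:  # skip truncated data
            values[name] = bytes.fromhex(hexdigits)
    return values


def decode_pattern_date(raw):
    """Decode a definitions date.

    ASSUMPTION (not stated in the thread): byte 0 is the year minus 1970,
    byte 1 is a zero-based month, byte 2 is the day of the month.
    """
    if len(raw) < 3:
        raise ValueError("expected at least 3 bytes")
    return date(1970 + raw[0], raw[1] + 1, raw[2])  # ValueError if impossible


def audit(output, today):
    """Classify one machine from its reg.exe output and the current date."""
    values = parse_reg_binary(output)
    pattern = values.get("PatternFileDate")
    if pattern is None:
        return {"status": "no-pattern-date"}
    defs_date = decode_pattern_date(pattern)
    age_days = (today - defs_date).days
    stale = age_days > WARN_AFTER_DAYS
    # Per the thread, the warning stays hidden while NoWarnPattern holds the
    # same value as the installed definitions' PatternFileDate.
    silenced = values.get("NoWarnPattern") == pattern
    if stale and silenced:
        status = "stale-and-silenced"    # old definitions, user never told
    elif stale:
        status = "stale-warning-active"  # old definitions, SAV will warn
    else:
        status = "current"
    return {"status": status, "defs_date": defs_date, "age_days": age_days}


if __name__ == "__main__":
    print(audit(SAMPLE_REG_OUTPUT, date(2005, 6, 28)))
    print(audit(SAMPLE_REG_OUTPUT, date(2005, 9, 1)))
```

A machine reported as `stale-and-silenced` is the case the suppression trick creates when LiveUpdate never succeeds after an install from an old CD.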
DonDamm
Thank you for that, tbma!

By inelegant, I meant having to run a cmd file before and after to do something like change a system date. That shouldn't be necessary and you've shown me how. I appreciate that!

The AutoGenerated scan is a nuisance to me and you I'm sure, but I'm just as happy to leave it in there for clients, most of whom don't do anything until I show up again and find defs out of date and various spy/adware on the machine!

Thanks again.
Thauzar
I know i haven't read the whole thread, but I'm not ready yet to implement norton symantec 10 with all the troubles you guys seem to have. I'm just wondering, have symantec released a patch, or does anyone know when it should be more reliable and easy to setup? Should I expect updates during the summer? I'm waiting for it to be a sure bet before taking out SAV9 from my ua cd and replacing it with SAV10
tbma
The most significant new feature in 10.0 that differs from the 9.0 is "Tamper Protection", where AV will fight any programs (viruses) that are trying to damage its registry or files.

After I've seen some viruses, that eat AV's from the inside and leave happy "pretend that I'm working" shell - any question for me about migrating to 10.0 disappeared.
tarquel
Sounds great (tamper protection)

....just wish they'd hurry up sending out the upgrades in Europe lol

Cheers,
N.
JohnnyV
A bit off topic but ... I've been testing out version 10 on a stand-alone PC. The updated defs downloaded to the 2005mmdd.vvv folders are supposed to automatically copy into the BinHub folder. However, after running the LiveUpdate the BinHub directory always seems to be a mixture of old files and new files. It only copies some of the new files.

Eventually, after awhile a message comes up saying the virus defs are missing and scanning is disabled. So I have to copy the files from the latest download folder and copy to the BinHub folder, reboot and then everything is ok again.

I have tried completely deleting the BinHub and 2005mmdd.vvv folders. I have tried downloading the virusdefs manually. And I have checked the attributes of the files to make sure they are not read-only.

Any Ideas?
DonDamm
Actually, don't wait. It is a better implementation with more features and controls. You can easily turn off what you don't want.
Thauzar
Ok, i'm convinced about upgrading, but again, I keep hearing so much good of nod32 but no real comparisons with symantec av, except user opinion saying i prefer one over the other because it's like that... I've always stuck with symantec. Any of you can light me up even if it's a bit off topic? Im about to pack my ua cd and I want the best av, didnt try nod32 cause symantec av is so memory saving compared to norton av...
Jotnar
SAV 10.0.1 is out now and should fix that nasty startup scan problem.

Cheers
RyanVM
Is there an MSP of 10.0.1 yet?
shanren
Where can we download SAV10?
boooggy
QUOTE (shanren @ Jul 6 2005, 05:25 AM)
Where can we download SAV10?
*


sorry mate this is not allowed here cause it's considered warez....
boooggy
in 10.0.1 they change the way for installing lusetup. i mean is easier. just made an administrator install and then just remove lusetup from sav10 administrative folder\program files\Symantec AntiVirus with the new one and then that is it. pack it using winrar or 7zip and voila...