The qextract.exe utility can be used to extract quarantined files from the VBN files Symantec AntiVirus Corporate Edition 8.0 and 8.1 (and possibly other versions) creates when it quarantines infected files.
Symantec AntiVirus Management Snap-In
Symantec AntiVirus could not collect all the log data from the selected computer(s). Please verify that Symantec AntiVirus is running on these computers.
I received the same message if I tried viewing any log.
Symantec has a knowledgebase article on the problem at Error: "Symantec AntiVirus could not collect all the log data from the selected computer(s) . . ." when viewing client logs in Symantec System Center. I followed the steps listed in that article.
I could ping the IP address of the system and ping -a 192.168.0.7 showed the hostname associated with the address. I could also ping the server from the client system using ping and ping -a, which confirmed network connectivity and the ability to do reverse lookups on the IP addresses to get host names.
I checked for the presence of any .cer server group root certificate on the server and the client. I didn't see any .cer file on either system, but nor did I see a certificate on a client for which I could successfully check log files from the antivirus server, so I didn't think that was the source of the problem.
I could successfully start the Symantec AntiVirus Client program on the client system. It showed the correct server name. Though nothing was listed for "group", nothing was listed for "group" on a system I could successfully query from the server, either.
And from the server, I could query the client and see that the Symantec rtvscan.exe program was running.

C:\>tasklist /s 192.168.0.7 /fi "imagename eq rtvscan.exe"

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
Rtvscan.exe                   1760                            0     46,604 K

When I checked the Windows XP firewall settings on a system I could successfully query from the antivirus server, I saw a firewall rule listed for User Datagram Protocol (UDP) port 2967, which the Symantec RTVScan program uses. I checked the firewall rules on the system I couldn't successfully query with the command netsh firewall show portopening. I did not see a rule for RTVScan, so I created one from the command line using the command netsh firewall set portopening protocol = UDP port = 2967 name = "Symantec AntiVirus Client Management" mode = ENABLE scope = CUSTOM 192.168.0.33 (IP address 192.168.0.33 corresponds to the IP address of the antivirus server).
When I tried checking the antivirus log files from the server again, I still could not do so. Looking at the firewall rules on the client with netsh firewall show portopening verbose = enable (you have to specify the verbose option to see the scope of rules), I saw that I had mistyped the IP address of the server when I created the RTVScan rule with the netsh command. So I re-entered the netsh firewall set portopening protocol = UDP port = 2967 name = "Symantec AntiVirus Client Management" mode = ENABLE scope = CUSTOM 192.168.0.33 command exactly as before with the exception that this time I specified the IP address correctly.
I was then able to check the virus history and other logs on the client from the Symantec System Center.
tasklist command.

C:\>tasklist /fi "imagename eq rtvscan.exe"

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
Rtvscan.exe                 1784 Console                 0      9,736 K

From the above information, I can see that rtvscan.exe is running on the system and that it has process ID (PID) 1784. I can verify that the process with PID 1784 is listening on port 2967 on the system using the netstat command.

C:\>netstat -ano | find "1784"
  UDP    0.0.0.0:1061           *:*                                    1784
  UDP    0.0.0.0:2967           *:*                                    1784

You can create a firewall rule to allow the server to communicate with the client using the instructions at Configuring Windows XP Firewall for Symantec Antivirus Client through either a GUI or the command line. An example using the command line is shown below. The example below presumes the server's IP address is 192.168.0.33.

C:\>netsh firewall set portopening protocol = UDP port = 2967 name = "Symantec AntiVirus Client Management" mode = ENABLE scope = CUSTOM 192.168.0.33
Ok.

You can verify the firewall now has the appropriate port opening with the netsh firewall show portopening command.

C:\>netsh firewall show portopening

Port configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
10280  UDP       Enable   Windows Media Connect
10281  UDP       Enable   Windows Media Connect
10282  UDP       Enable   Windows Media Connect
10283  UDP       Enable   Windows Media Connect
10284  UDP       Enable   Windows Media Connect
10243  TCP       Enable   Windows Media Connect
22     TCP       Enable   OpenSSH
2967   UDP       Enable   Symantec AntiVirus Client Management
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service
1900   UDP       Enable   SSDP Component of UPnP Framework
2869   TCP       Enable   UPnP Framework over TCP

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
10280  UDP       Enable   Windows Media Connect
10281  UDP       Enable   Windows Media Connect
10282  UDP       Enable   Windows Media Connect
10283  UDP       Enable   Windows Media Connect
10284  UDP       Enable   Windows Media Connect
10243  TCP       Enable   Windows Media Connect
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service
1900   UDP       Enable   SSDP Component of UPnP Framework
2869   TCP       Enable   UPnP Framework over TCP
3389   TCP       Enable   Remote Desktop

Port configuration for Local Area Connection:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
3389   TCP       Enable   Remote Desktop

Or, alternatively, you can use the netsh firewall show state command.

C:\>netsh firewall show state

Firewall status:
-------------------------------------------------------------------
Profile                           = Domain
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = Windows Firewall
Remote admin mode                 = Enable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
10243  TCP       IPv4     (null)
10280  UDP       IPv4     (null)
10281  UDP       IPv4     (null)
10282  UDP       IPv4     (null)
10283  UDP       IPv4     (null)
10284  UDP       IPv4     (null)
135    TCP       IPv4     (null)
137    UDP       IPv4     (null)
139    TCP       IPv4     (null)
138    UDP       IPv4     (null)
3389   TCP       IPv4     (null)
445    TCP       IPv4     (null)
22     TCP       IPv4     C:\Program Files\Network\OpenSSH\usr\sbin\sshd.exe
1562   TCP       IPv4     C:\WINDOWS\SYSTEM32\SVCHOST.EXE
2869   TCP       IPv4     (null)
1900   UDP       IPv4     C:\WINDOWS\SYSTEM32\SVCHOST.EXE
2967   UDP       IPv4     C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

Additional ports open on Local Area Connection:
Port   Protocol  Version
-------------------------------------------------------------------
3389   TCP       Any

The netsh firewall show state command will show you what program is listening on the port. In this case it shows that Rtvscan.exe is listening on port 2967.
Could not start scan. Scan engine returned error 0x2.
I rebooted the fourth system, but that did not resolve the problem. I checked to make sure the Symantec Antivirus Client service was running on the system. Its status was listed as "started".
After a few tests, I found that I could run the scans without the error, if I logged into the local system administrator's account on the two systems where the error occurred. When I started the scans on the third and fourth systems I had been logged into an account in the Power Users group on the third system and a regular user account on the fourth system. But in both cases, I had started the scans by right-clicking on the icon for Symantec Client Security while holding down a shift key and then selected "Run as" and selected the local administrator's account from which to run the scan. But that didn't work. I had to actually log into that account in order to successfully run the scans. In the case of the second system where I had run the scan successfully from the local user's account, that local user account was in the administrators group for that system.
I found someone else reporting the same problem at Some1 PLZ help Symantec AV will not scan. Someone had replied to that poster that rebooting resolved the problem for him, but it didn't help for me. Other URLs listed in replies referred to error messages that didn't match the 0x2 one I saw, so I don't think they were applicable.
When Service Pack 2 is installed on a Windows XP system, the Windows Firewall is automatically activated on that system. The firewall can prevent a Symantec Antivirus Server, e.g. a system functioning as the antivirus server for Symantec AntiVirus Corporate Edition 8.0, from managing the Windows XP client. You will need to add an exception to the firewall settings on the client system to open UDP port 2967 access from the antivirus server.
I've found that whenever I try to update the virus definitions for Norton Antivirus 2000 using the x86 Intelligent Updater package available from http://securityresponse.symantec.com/avcenter/download/pages/US-N95.html, I receive a message indicating the subscription is expired, though it is not expired. The error message I receive is as follows:
Symantec Security Response Intelligent Updater
Your virus protection cannot be updated.
Your subscription has expired. You must renew your subscription to
continue using Intelligent Updater. Run LiveUpdate from Norton
AntiVirus to renew your subscription and then run Intelligent
Updater again.
Yet if I select Help, then About Norton Antivirus, and then click on the Norton AntiVirus tab, I see "Your virus definitions subscription started on 2/17/2004, and will expire in 210 days." I've tried this on several different occasions with similar results.
However, if I use the i32 Intelligent Updater package, which is available from the same URL, that package will update Norton AntiVirus 2000.
The i32 Intelligent Updater package, which is a smaller file than the x86 Intelligent Updater package, cannot be used to update Symantec AntiVirus Corporate Edition 8.0 servers or Norton AntiVirus Corporate Edition 7.6 servers, but can be used to update Corporate Edition clients. The x86 Intelligent Updater package can be used to update Corporate Edition clients and servers.