Symantec Antivirus: All Faith is Lost

No product has failed me this badly lately, but Symantec Antivirus version 10 certainly has! You might remember my article last year on Symantec Antivirus 10. As I was working on a test box PC and running Process Monitor from Sysinternals, I noticed a rundl132.exe file trying to connect to a bunch of PCs on our network. I promptly rebuilt the PC 5 times, only to have it reinfected yet again each time. This machine was running the latest version of Symantec Antivirus and had the latest virus definitions. Even when I turned off file and print sharing by stopping and disabling the Server service, I kept getting reinfected. Apparently, 1732 executables on my main machine’s second partition were infected with Looked.P, and this is how I was getting re-infected. This worm searches every directory on your hard drive, leaving a _desktop.ini file to mark each directory it has visited. It also infects every executable on your hard drive, except those in C:\windows.
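Since the worm marks every directory it has visited with a _desktop.ini file, a tree walk for that marker gives a quick triage list of directories whose executables need to be checked before the disk is trusted again. The script below is an added example, not part of the original post; the directory layout it builds is constructed for the dry run, and the idea that .scr files should be reviewed alongside .exe files is my assumption, not something the post states.

```python
import os
import tempfile
from pathlib import Path

MARKER = "_desktop.ini"          # marker file the worm drops in each visited directory (from the post)
EXE_SUFFIXES = {".exe", ".scr"}  # executables to review; including .scr is an assumption, not from the post


def find_marked_dirs(root):
    """Walk root and return {dir_path: [executables]} for every directory holding the marker file."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        names = {n.lower() for n in filenames}
        if MARKER in names:
            exes = sorted(n for n in filenames if Path(n).suffix.lower() in EXE_SUFFIXES)
            hits[dirpath] = exes
    return hits


def build_sample_tree(base):
    """Constructed sample layout: two marked directories and one clean one (not real infection data)."""
    layout = {
        "Tools": ["_desktop.ini", "vpc32.exe", "readme.txt"],
        "Tools/Sub": ["_desktop.ini", "setup.exe", "helper.exe"],
        "Docs": ["notes.txt"],
    }
    for rel, files in layout.items():
        d = Path(base) / rel
        d.mkdir(parents=True, exist_ok=True)
        for f in files:
            (d / f).write_bytes(b"")
    return base


def scan_sample():
    """Build the constructed tree in a temp dir and return hits keyed by relative POSIX path."""
    with tempfile.TemporaryDirectory() as tmp:
        hits = find_marked_dirs(build_sample_tree(tmp))
        return {os.path.relpath(d, tmp).replace(os.sep, "/"): exes for d, exes in hits.items()}


if __name__ == "__main__":
    for rel, exes in sorted(scan_sample().items()):
        print(f"{rel}: marker present, {len(exes)} executable(s) to review: {', '.join(exes)}")
```

The marker is only a triage aid: a directory without it is not proven clean, and the listed executables still need to be scanned or compared against known-good copies.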

Worse yet, I wasn’t the only one infected with this virus. Somehow this nasty worm got past the SAV client with the latest definitions (note that this worm has been out in the wild since July of this year; it is NOT a new worm). Not only that, but Symantec Antivirus 10 also refuses to clean them! To add insult to injury, this worm also infects SAV executables, making the antivirus program itself quite useless. To clean up this mess, I had to go around and disable the Server service to turn off file and print sharing. Once the PC was isolated, I then had to boot into safe mode to pull all the files back out of the quarantine, as Symantec wouldn’t clean them (and in some cases, I had to copy VPC32.EXE from the server share, as it was quarantined!). I then had to boot from BartPE and run a command line version of McAfee, which could clean the virus. McAfee basically saved my bacon, and I will recommend McAfee to all techs I meet now!

A call to Symantec tech support yielded equally disappointing results regarding our problem. “All we know is what is on our web site.” I’m glad we pay yearly maintenance to these guys, because it certainly seems to be helping, NOT!

