6 Replies Latest reply on Nov 20, 2009 5:02 AM by sgrimmel

    McAfee halts Norton GhostCast Server Upload

    cpremo

      We have a Win2k Advanced Server (fully patched) with Norton GhostCast (ver 8.3.0.1331)  and McAfee VirusScran Enterprise 8.7.0.570 SP2 (Engine 5400.1158) managed by an ePO 4.5 server.  When we try to "Upload" a new PC Image to the server, McAfee seems to halt the process.  Is there something we need to do to prevent McAfee from interfering with the Imaging process?

       

      If we uninstall McAfee, the imaging process works just fine.  If we halt McAfee and begin the imaging process, the ePO server forces McAfee active again which halts the Gosting process.

        • 1. Re: McAfee halts Norton GhostCast Server Upload
          twenden

          If you look at you event logs on the EPO server you should see what is being blocked. I had a group that ran into a similar issue with Ghost and images. We got around the issue by adding the executable ghostsrv.exe to the "Prevent IRC Communication" section under the Access Protection Rules and Anti-Virus Standard Protection.

          • 2. Re: McAfee halts Norton GhostCast Server Upload

            I stop the services for virus Scan Enterprise  only and I ghost my machine and turn the services back on,  This works for me

            • 3. Re: McAfee halts Norton GhostCast Server Upload
              cpremo

              The only problem there is the ePO forces the services back on during the process (enforced rules).

              • 4. Re: McAfee halts Norton GhostCast Server Upload

                I stop the following services when finished I start the services back up

                McAfee Framework Service

                McAfee McShield

                McAfee Task Manager

                • 5. Re: McAfee halts Norton GhostCast Server Upload
                  cpremo

                  I tried to implement KB58692 with regards to this, unfortunately the instructions lack clarity (as usual - way they never have a "non-tech user re-write the instructions so most normal people can understand them" is still a mystery).  However, it did seem to work yesterday Ghosting a PC.  When we finish updating the PC we're going to Upload the image to the Ghost server.  Will let you know how that goes.  Anyway, Here is what I did to my ePO server configuration.

                   

                  First, all my Windows Servers are in a separate Group from all my PCs (which are Grouped by Office or Function [for our HQ office]).  For the Ghost server I completed the following steps:

                   

                  (NOTE: Each time you Save your changes you will have to repeat steps 1 and 2.)

                  1.  Check marked my Ghost server.
                  2.  Selected the "Directory Managment - View Effective Policy (by user) option.
                  3.  Filtered view by selecting the "VirusScan Enterprise 8.7.0" Product option.
                  4.  Clicked on the "Edit Assigment" option for "On-Access Low-Risk Processes Policies".

                       a.  Select "Break inheritance and assign the policy and settings below" option
                       b.  Select the "New Policy" option.
                       c.  Give it a name.
                       d.  Select "Server" for the "Settings For:" option.
                       e.  Select the "Configure different scanning policies for high-risk, low-risk, and default processes" Process Settings.
                       f.   Clicked on the "Scan Items" tab and unchecked the "When writing to disk" and "Opened for Backup" Scan File: options.

                       g.  Saved my changes

                  5.  Filtered view by selecting the "VirusScan Enterprise 8.7.0" Product option.
                  6.  Clicked on the "Edit Assigment" option for "On-Access High-Risk Processes Policies".

                       a.  Select "Break inheritance and assign the policy and settings below" option
                       b.  Select the "New Policy" option.
                       c.  Give it a name.
                       d.  Select "Server" for the "Settings For:" option.
                       e.  Scrolled to the bottom of the list in the "High Risk Processes" tab and clicked on the "+" to add a new line.
                       f.   Added "ghostsrv.exe"

                       g.  Clicked on the "Scan Items" tab and unchecked the "When writing to disk" and "Opened for Backup" Scan File: options.

                       h.  Clicked on the "Exclusion" tab, clicked on the "Add..." button, added "Ghostsrv.exe" to the "By pattern" field, and clicked the OK button.

                       i.  Saved my changes

                  7.  Filtered view by selecting the "VirusScan Enterprise 8.7.0" Product option.
                  8.  Clicked on the "Edit Assigment" option for "Access Protection Policies".

                       a.  Select "Break inheritance and assign the policy and settings below" option
                       b.  Select the "New Policy" option.
                       c.  Give it a name.
                       d.  Select "Server" for the "Settings For:" option.
                       e.  Select the "Anti-virus Standard Protection" categories option.  Then, select the "Prevent IRC communication" Block/Report/Rules option.
                       f.   Click the "Edit..." button, add dbserv.exe, ghostsrv.exe, ngserver.exe to the "Processes to exclude:" box and click OK.

                       g.  Saved my changes

                   

                  This seems to have worked.  Hopefully, this didn't expose my Server!!

                  • 6. Re: McAfee halts Norton GhostCast Server Upload

                    The article referred to deals with ePO 3.6.x.

                     

                    We will add the relevant steps for ePO 4.x.

                     

                    Many thanks

                     

                     

                    on 11/20/09 4:02 AM