0 Replies Latest reply on Jan 22, 2009 2:05 PM by pg13

    CMA loses settings

    pg13
      Hi,

      Running CMA 3.6.0 and VS 8.0i.

      For a couple of days now, we have been noticing the following on some PCs: the agent loses its settings (VS exclusions for instance), which deletes programs that we had excluded, like VNC for instance. Following is an excerpt from the onaccessscanlog.txt file. As you can see, the log shows at 15:50:18 that the files vncconfig.exe, winvnc4.exe and wm_hooks.dll are among the exclusions. But only 45 seconds later, at 15:51:03, those 3 files are deleted by VS. And some time later, when I was informed that VNC had disappeared, I went into the console and indeed noticed that the exclusions were missing. I then ran the command cmdagent/E, which effectively enforced the policies and I saw in the console that the 3 files were excluded again.

      Oh and by the way, I had also excluded RemAdm-VNCView in the PUP settings, and those settings were lost too. All VS settings were back to the original installation.

      Any idea what causes those settings to be lost?

      Here is my log:

      2009-01-14 15:49:10 Statistiques :
      2009-01-14 15:49:10 Fichiers analysés : 405916
      2009-01-14 15:49:10 Fichiers détectés : 0
      2009-01-14 15:49:10 Fichiers nettoyés : 0
      2009-01-14 15:49:10 Fichiers supprimés : 0
      2009-01-14 15:49:10 Fichiers déplacés : 0
      2009-01-14 15:50:18 Paramètres d'analyse à l'accès VirusScan (paramètres généraux) :
      2009-01-14 15:50:18 bDontScanBootSectors = 1
      2009-01-14 15:50:18 bScanFloppyOnShutdown = 1
      2009-01-14 15:50:18 bStartDisabled = 0
      2009-01-14 15:50:18 szMoveToFolder = \quarantine
      2009-01-14 15:50:18 ScannerThreadTimeout = 45000
      2009-01-14 15:50:18 ScanArchiveTimeout = 15
      2009-01-14 15:50:18 Paramètres d'analyse à l'accès VirusScan (tous les processus) :
      2009-01-14 15:50:18 bScanOutgoing = 0
      2009-01-14 15:50:18 bScanIncoming = 1
      2009-01-14 15:50:18 bNetworkScanEnabled = 0
      2009-01-14 15:50:18 LocalExtensionMode = 1
      2009-01-14 15:50:18 NumExcludeItems = 8
      2009-01-14 15:50:18 1 = 5|10|C:\WINDOWS\system32\dllcache
      2009-01-14 15:50:18 2 = 3|11|logmessages.dll
      2009-01-14 15:50:18 3 = 4|11|mbx
      2009-01-14 15:50:18 4 = 3|15|spool
      2009-01-14 15:50:18 5 = 4|11|toc
      2009-01-14 15:50:18 6 = 3|11|vncconfig.exe
      2009-01-14 15:50:18 7 = 3|11|winvnc4.exe
      2009-01-14 15:50:18 8 = 3|11|wm_hooks.dll
      2009-01-14 15:50:18 dwProgramHeuristicsLevel = 1
      2009-01-14 15:50:18 dwMacroHeuristicsLevel = 1
      2009-01-14 15:50:18 ScanArchives = 1
      2009-01-14 15:50:18 ScanMime = 0
      2009-01-14 15:50:18 ApplyNVP = 1
      2009-01-14 15:50:18 uAction = 5
      2009-01-14 15:50:18 uSecAction = 3
      2009-01-14 15:50:18 uAction_Program = 4
      2009-01-14 15:50:18 uSecAction_Program = 3
      2009-01-14 15:50:24 Version du moteur = 5.3.00
      2009-01-14 15:50:24 Version du fichier DAT = 5495
      2009-01-14 15:50:24 Nombre de signatures de virus dans EXTRA.DAT= Aucun
      2009-01-14 15:50:24 Nom des virus que EXTRA.DAT peut détecter= Aucun
      2009-01-14 15:51:03 Supprimé DA83698\beaudomo igfxsrvc.exe C:\program files\vnc\wm_hooks.dll RemAdm-VNCView (Outil d'administration à distance)
      2009-01-14 15:51:25 Non analysé (délai d'analyse écoulé) AUTORITE NT\SYSTEM jqs.exe C:\program files\java\jre6\lib\rt.jar\XPath.class (Virus)
      2009-01-14 15:51:25 Supprimé DA83698\beaudomo explorer.exe C:\program files\vnc\winvnc4.exe RemAdm-VNCView (Outil d'administration à distance)
      2009-01-14 15:51:26 Supprimé DA83698\beaudomo explorer.exe C:\program files\vnc\vncconfig.exe RemAdm-VNCView (Outil d'administration à distance)

      2009-01-14 15:55:04 Statistiques :
      2009-01-14 15:55:04 Fichiers analysés : 1214
      2009-01-14 15:55:04 Fichiers détectés : 3
      2009-01-14 15:55:04 Fichiers nettoyés : 0
      2009-01-14 15:55:04 Fichiers supprimés : 3
      2009-01-14 15:55:04 Fichiers déplacés : 0
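
An added example, not part of the original post and not vendor code: a small Python check that replays an onaccessscanlog.txt excerpt and reports every deletion of a file that the most recent settings dump still listed as excluded, which is the inconsistency described above. It assumes the French-localized keywords and the field layout shown in the excerpt, and it treats each exclusion value as either a file name or a folder prefix (a simplification; the meaning of the numeric type and flag fields is not taken into account).

```python
import ntpath
import re

# Lines copied (abridged) from the log excerpt in the post above.
SAMPLE_LOG = r"""
2009-01-14 15:50:18 NumExcludeItems = 8
2009-01-14 15:50:18 1 = 5|10|C:\WINDOWS\system32\dllcache
2009-01-14 15:50:18 6 = 3|11|vncconfig.exe
2009-01-14 15:50:18 7 = 3|11|winvnc4.exe
2009-01-14 15:50:18 8 = 3|11|wm_hooks.dll
2009-01-14 15:51:03 Supprimé DA83698\beaudomo igfxsrvc.exe C:\program files\vnc\wm_hooks.dll RemAdm-VNCView (Outil d'administration à distance)
2009-01-14 15:51:25 Non analysé (délai d'analyse écoulé) AUTORITE NT\SYSTEM jqs.exe C:\program files\java\jre6\lib\rt.jar\XPath.class (Virus)
2009-01-14 15:51:25 Supprimé DA83698\beaudomo explorer.exe C:\program files\vnc\winvnc4.exe RemAdm-VNCView (Outil d'administration à distance)
2009-01-14 15:51:26 Supprimé DA83698\beaudomo explorer.exe C:\program files\vnc\vncconfig.exe RemAdm-VNCView (Outil d'administration à distance)
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
EXCLUSION = re.compile(r"^\d+ = \d+\|\d+\|(.+)$")  # index = type|flags|value
# Assumed layout: keyword, user, process, path, detection name, "(category)".
DELETED = re.compile(r"^Supprimé\s.*?([A-Za-z]:\\.+?)\s+(\S+)\s+\(")


def find_excluded_deletions(log_text):
    """Return deletions of files that the latest settings dump listed as excluded."""
    exclusions, dumped_at, findings = [], None, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, body = m.groups()
        if body.startswith("NumExcludeItems"):
            exclusions, dumped_at = [], stamp  # a new dump replaces the old list
        elif dumped_at and EXCLUSION.match(body):
            exclusions.append(EXCLUSION.match(body).group(1).lower())
        elif DELETED.match(body):
            path, detection = DELETED.match(body).groups()
            low = path.lower()
            # Simplification: match on file name or on folder prefix only.
            hit = next((e for e in exclusions
                        if e == ntpath.basename(low) or low.startswith(e + "\\")), None)
            if hit:
                findings.append({"deleted_at": stamp, "path": path, "detection": detection,
                                 "exclusion": hit, "exclusions_logged_at": dumped_at})
    return findings


if __name__ == "__main__":
    for f in find_excluded_deletions(SAMPLE_LOG):
        print(f["deleted_at"], f["path"], "was excluded as of", f["exclusions_logged_at"])
```

Run against the full log from an affected PC, each finding gives the time window between the last logged exclusion list and the deletion, which can then be compared with the agent's policy enforcement times.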