Remove Phantom Antivirus from Vista WMI Repository

Mark Berry April 18, 2008

Problem

In testing Spiceworks today, I discovered that a Vista machine was reporting that it had two antivirus products installed. Even after following the instructions Manually uninstalling the Client/Server Security Agent from a computer running Windows Vista, Spiceworks was still reporting Trend as installed as well as NOD32 (which really is installed). I downloaded and ran WMI Diagnosis Utility from Microsoft, but that didn't fix it either.

Solution 

Finally I found a Microsoft forum post that led me down the right path. With many thanks to its author prabhu_hv, here is a modified procedure to only delete one antivirus product:

1. Click Start, go to Command Prompt, and right-click to Run as administrator.
2. Run the command wbemtest and click Connect button.
3. Enter “root\SecurityCenter” in the Namespace field and click OK.
4. Click on “Enum Instances” button. Enter “AntivirusProduct” as the superclass name and click on OK.
5. You should see two AntiVirusProduct.instanceGuid entries. Double-click on each one and review the properties to determine which Guid corresponds to the antivirus product that is no longer installed. Then close the Object Editor.
6. In the Query Result window, highlight the incorrect AntivirusProduct and click on the Delete button. Then click Close to close the Query Result window.
7. Click the Exit button to exit the Windows Management Instrumentation Tester.

At this point, WMI and thus Spiceworks should only report the “real” antivirus product.

Comparing NOD32 2.7 to Trend Client-Server 3.6

Mark Berry March 15, 2008

A response to my previous blog post asked a fair question:  what sets
NOD32 apart or even on par with Trend Client-Server Messaging? I decided that I
would do some testing with Trend. Since I am using NOD32 without the Exchange
component, I tested Trend Client-Server without the Messaging component.

KeyFinder Problems

I've been building a UBCD4WIN version 3.12 ISO file as my test case. UBCD4WIN includes a
large number of plug-ins. One of them is keyfinder.exe, the Magical Jelly Bean
Keyfinder version 1.51. This handy program can display and update Windows and
Office installation keys.

I installed the Trend 3.5 agent on my workstation and tried the UBCD4WIN
build. The build failed because the keyfinder.exe file was missing. By
uninstalling and re-installing UBCD4WIN, and temporarily disabling the Trend
agent, I confirmed that Trend is deleting this file without logging it as a
virus or spyware and without sending it to quarantine. Trend is supposed to
encrypt and save suspicious files on the client in C:\Program Files\Trend
Micro\Client Server Security Agent\Suspect, but that folder is empty. I finally
got Trend to leave the file alone by adding keyfinder.exe to Trend's exclusion
list.
 
Is this a bug? I guess I'd better try the latest version, Trend 3.6 with Patch 1.
I downloaded the 336MB installation file, upgraded the server, and let it push
out the 3.6.1095 client. No reboot was requested.
 
After removing the file exclusion from the Trend configuration, I opened Windows
Explorer and highlighted keyfinder.exe (but did not execute it). The Trend icon
in the system tray indicated activity, then I got a message from Windows
indicating that my system may be vulnerable because Trend was not running. The
Trend system tray icon disappeared when I put the mouse over it. So scanning
keyfinder.exe caused the Trend Real-Time scanner to crash.

I rebooted the client and did the same test, highlighting the file in Windows Explorer. This time keyfinder.exe was
not deleted and the Trend real-time agent did not crash. However, the
UBCD4WIN build process, which actually copies keyfinder.exe, failed again
because access was denied on that file. When I went back to look at
keyfinder.exe in Windows Explorer, it was deleted before my eyes. The Trend
Client/Server Security Agent real-time scan window still tells me that there are
0 infected files; “Last virus/malware found” is blank. So Trend is again
deleting it without any warning or logging. I had to add the file back to the
exclusion list so I could complete the UBCD4WIN build.

The Numbers

Once I got the UBCD4WIN build to complete, I tested it with various levels of
extension exclusions as I had NOD32. The results, along with the NOD32 2.7
results from the previous post:

Some other numbers that are interesting from a system administration point of view are
installation size and memory overhead. The table below summarizes these numbers
for both server and workstation installations.

The server install of Trend Client-Server includes its web-based management
console. The server install of NOD32 includes the
ESET Remote Administrator Server and Console 2.0.56.

Conclusions

ESET NOD32 has a reputation for being lean and fast. Compared to Trend Client-Server 3.6, NOD32
definitely looks “lean” on disk space and memory footprint. However, Trend
allowed the UBCD4WIN build to proceed a little faster than NOD32.

My greatest concerns with Trend come from areas other than performance. One
was the experience back in February 2007 of Trend passing on a “possible worm”
to the client desktop, which would have allowed users to run the worm. I was amazed that there
was no way to configure Trend to not pass possible malware to end users. The
other experience is the one described above:  deleting a file without
warning and without logging. I wonder if I have lost other files that way and
will never know.

Clearly there is no perfect anti-virus solution. Both NOD32 and Trend CS(M)
have their own configuration hassles and “gotchas.” I do
appreciate the reduced memory footprint of NOD32, and the fact that my SBS
server no longer sends me a daily alert that it is running out of allocated
memory. We'll see how well it performs in the long term.