
Worlds are Colliding- production story

It all started three years ago. My SAVCE (Symantec AV Corp Edition) renewal was around the corner and I decided, against the conservative voices, to replace it.
I had many reasons, ranging from memory footprint to scanning capabilities and from virus detection to the high cost. It was time for a change and a new king was about to be crowned. At the time I was a happy home user of NOD32, and combined with great reviews, some personal recommendations and a price that won over my CFO, we had a clear winner.

In a different world, three years earlier, our compliance officer had asked for a monitoring tool and my predecessor (actually her predecessor) selected eBlaster. If you’re not familiar with eBlaster, I’ll just say it is a great PC-based monitoring tool that collects data on user activity – web mail, URLs and IM are the core, but it has many more features. At the end of each working day the program emails all the data to a mailbox that we monitor using other tools. For more than five years it has worked and provided the service we need.

So everything is great and everyone is happy until… (ta da da dam)
The two worlds are colliding!!!

One day I found out that the report emails were not coming in. I checked it over and over and nothing, the mailbox was empty. I ran to one of the PCs and tried to open eBlaster’s console, but nothing came up. Was I going crazy, or had someone uninstalled it (on all the PCs in the office)?

I tried to reinstall the software and was prompted for a password, which is what you expect when eBlaster is already installed. I knew it was there, but why couldn’t I start the console or receive emails?

Time for my least favorite part of the job, calling a vendor support line…
eBlaster support is usually very good, and this time was no exception. When I started to describe my problem she asked me which AV I was using, and when I told her she said “oh, we have a problem with NOD32 and you have to exclude the following 13 files on C:\Windows\System32”. She sent me a link with instructions.

If you lasted all the way to this section you deserve something really interesting, not just a boring “I’ve made the changes as the link suggested and it worked”.

I made the changes as the link suggested and it worked. I rebooted (as the installation required) and when Windows started I found the email with the report.

While the good stuff was happening, NOD32 found another file, one that appeared on the list but was in a different location.

The interesting part is that for every PC the path was different. It started at C:\Windows\System32 and ended with the same svrltwp.dll file, but the two folders in between were random and changed from one PC to another!

I called eBlaster again to see if they had a solution. A few hours later they sent me this message:

Our developers are in the process of making a change to the eBlaster program to stop the randomized folder from being created

If you’re also waiting for eBlaster to find a solution, here is a workaround which I’ve tested, proved to be working, and which also got NOD32’s approval as valid and supported:

We all know how to use the * wildcard to mean all files or anything under a certain path, but did you know a ‘?’ (question mark) can replace a single character?

There is a good chance you already knew it, but did you know (or think) about using it to replace a full folder name in a path?
Since eBlaster creates two random folders, 8 characters each, they can be replaced with 8 ‘?’ each and the exclusion would be:

C:\windows\system32\????????\????????\svrltwp.dll

The tech from ESET (NOD32’s home) was surprised at the idea but tested it and confirmed it is supported. While confirming that the quarantined file cannot be restored via the management console, she revealed that the next version would allow it. Cool!
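To show why eight ‘?’ per folder is a tighter exclusion than ‘*’, here is an added Python matcher (not part of the original post, and not code from either vendor) that applies Windows-style, per-component wildcard matching to the exclusion above. The random folder names in the sample paths are constructed for illustration.

```python
import fnmatch

# The exclusion from the post, and a looser '*' variant for comparison.
EBLASTER_EXCLUSION = r"C:\windows\system32\????????\????????\svrltwp.dll"
STAR_EXCLUSION = r"C:\windows\system32\*\*\svrltwp.dll"


def exclusion_matches(pattern: str, path: str) -> bool:
    """Return True if `path` is covered by the AV exclusion `pattern`.

    Assumed Windows semantics: backslash separator, case-insensitive names.
    Pattern and path are compared one folder component at a time, so a
    '?' or '*' never spans a backslash and the folder depth is fixed by
    the pattern. An 8-character random folder therefore needs exactly
    eight '?', while '*' accepts a folder name of any length.
    """
    pat_parts = pattern.split("\\")
    path_parts = path.split("\\")
    if len(pat_parts) != len(path_parts):
        return False  # different depth: never a match
    return all(
        fnmatch.fnmatchcase(name.lower(), pat.lower())
        for pat, name in zip(pat_parts, path_parts)
    )


def evaluate(pattern: str, paths: list[str]) -> dict[str, bool]:
    """Map each candidate path to whether `pattern` would exclude it."""
    return {p: exclusion_matches(pattern, p) for p in paths}


# Constructed sample paths (folder names made up, not real eBlaster output).
SAMPLE_PATHS = [
    r"C:\Windows\System32\a1b2c3d4\e5f6g7h8\svrltwp.dll",   # two 8-char folders
    r"C:\Windows\System32\abc\e5f6g7h8\svrltwp.dll",        # first folder too short
    r"C:\Windows\System32\a1b2c3d4\e5f6g7h8\other.dll",     # different file name
    r"C:\Windows\System32\a1b2c3d4\e5f6g7h8\x\svrltwp.dll", # one level too deep
    r"C:\Windows\System32\svrltwp.dll",                      # original location
]

if __name__ == "__main__":
    for p, hit in evaluate(EBLASTER_EXCLUSION, SAMPLE_PATHS).items():
        print(f"{'EXCLUDED' if hit else 'scanned ':8} {p}")
```

Only the first sample path is excluded by the ‘?’ pattern; the ‘*’ variant also covers the 3-character folder case, which is the extra surface a looser exclusion gives up.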
