Missing AV Logs

AngelicKnight
June 23rd, 2004, 04:57 PM
I'm about to run off to do some Googling on this, but if any of you have already encountered this or know anything, input would be much appreciated, especially since so far Google hasn't helped me much with this particular AV.

We have CA's eTrust Antivirus running here. The domain controller server pushes scheduled scans, updates, etc. to all of the clients. However, I'm checking my logs on various clients on the network and the logs are completely empty, particularly for scheduled scans, as if nothing has ever run.

So this is odd. I don't know if either 1) the scheduled scans aren't being logged or 2) they just simply aren't running. I'm not receiving any errors that scheduled scans are failing to run, and that's just the problem -- I'm not being told anything. So, until I figure out what's going on, I'm just running manual scans on our most important server (which did turn up some trojans first time I ran it). Realtime scan is giving no logs either.

Checked log settings, and logs are supposed to purge once they become seven days old, so that doesn't seem to be the problem. Just to test, I turned off purging altogether -- no change.

Also, our support contract with CA has expired, so I can't call support. The boss wants me to figure it out on my own since they don't want to dump the money into renewing the contract. Yay! :)

So, got any ideas?

KorpDeath
June 23rd, 2004, 05:13 PM
I've never liked CA products even though I've had to install and use them at various jobs. I've noticed this same issue but with their backup software. It'll fail for no reason, then not give any notifications that it did or the reason why. It didn't even give one of those meaningless CA error numbers.

The only way I was able to fix this was by removing all traces of the client agents, reinstalling them and then rediscovering them with the server. This seemed to work after the third time, if I remember correctly. I had to run manually for about two days, until I screwed around with it enough.

Depending on how many clients are showing these symptoms, it might be an option.

That is why, kids, I never trust products from a company with the initials CA. ;)

AngelicKnight
June 23rd, 2004, 06:30 PM
Could it be that it only logs scans when something is found? I reviewed logs again today, and again there was hardly any there, but I did find some realtime log entries for scans that caught something. I wonder if it's simply not logged if the scan comes up clean? I'm still playing around with it...

I totally agree though, I'm not too keen on CA either, nor do I understand why they give you error numbers and don't offer any explanation as to what they mean.

RoadClosed
June 23rd, 2004, 06:43 PM
Where are you reviewing the logs? Who is logging it, i.e. does eTrust create its own log or does it dump it into Event Viewer under Applications or something? It may be possible that local logging is not enabled either. I bet you checked that already, but I have had to tweak McAfee to log properly through a domain policy on logging.

//Edit, oh I saw your last post too late. I tweaked mine to log starts and stops of scans so I can quickly make sure they are at least running. eTrust might not do that, but you should be able to see the service start up in the Windows logs.

Originally posted by KorpDeath
I've never liked CA products even though I've had to install and use them at various jobs. I've noticed this same issue but with their backup software. It'll fail for no reason, then not give any notifications that it did or the reason why. It didn't even give one of those meaningless CA error numbers.

Ahhh, that thing blows. Korp what are you using or would use as a replacement? My contract runs out and I can't stand to look at CA, Arcserve, Brightstore, whatever another f#c3ing day.

AngelicKnight
June 23rd, 2004, 07:31 PM
Yeah, it doesn't dump them into event logs, but has its own internal logs. It's the logs in the client AV that are empty.

This is interesting, though: I found the administrative logs for forced policies, and the last scheduled scan pushed onto the network is logged as this:

Dispatch time: 3/11/2004 1:01:03 AM

So the last one logged was in March?! This just keeps getting stranger...

Event logs don't show anything either. There are only entries for scans that have uncovered trojans, not the scans that ran clean. My June 17th manual scan that ran clean doesn't appear.

Hmm...

/edit -- Well...Just as an experiment, I scheduled a local scan on my machine. Scan came up clean, nothing found. This one was logged too. So again, hmm...

/edit -- Ok, good news, I just found recent scheduled scans pushed from the server in my machine's log files. It was just under "General Events" instead of "Scheduled Scans" (that's kinda weird). Off I go to check the other machines and see if that's the case with everyone...

AngelicKnight
June 23rd, 2004, 09:53 PM
Ok, here are the results of what I've found so far: If I schedule a scan via the local machine, it will appear in the log as having run, whether it catches anything nasty or not. However, I have yet to find a machine that is logging scheduled scans pushed to it from the AV server. Nonetheless, the AV server pushing the scans is not reporting any errors, and nowhere am I finding any scan failures. The scheduled scans are configured from the server and still in place, as I checked their properties (set to scan at 1:00am every morning). I haven't found any way to configure logging either; it seems the only options I have are regarding purging logs (which is set to purge any log older than seven days).

So, I'm pretty stumped at the moment. I have no confirmation that scheduled scans are running, nor do I have any reports of scans failing. Other policies (update downloads, etc.) are successfully being pushed to clients and are logged.

And of course, from the server's administrative view, my last log is from March, as described in the previous post.

So...I'm pretty baffled at the moment.

KorpDeath
June 24th, 2004, 03:57 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=259080#post762003) by RoadClosed
Where are you reviewing the logs? Who is logging it, i.e. does eTrust create its own log or does it dump it into Event Viewer under Applications or something? It may be possible that local logging is not enabled either. I bet you checked that already, but I have had to tweak McAfee to log properly through a domain policy on logging.

//Edit, oh I saw your last post too late. I tweaked mine to log starts and stops of scans so I can quickly make sure they are at least running. eTrust might not do that, but you should be able to see the service start up in the Windows logs.

Ahhh, that thing blows. Korp what are you using or would use as a replacement? My contract runs out and I can't stand to look at CA, Arcserve, Brightstore, whatever another f#c3ing day.

Well, as far as backup software goes, Veritas works pretty well (the current owners of Backup Exec). It did everything I wanted it to without having to jump through hoops, etc. etc. I do remember there are caveats to installing service packs over it (bad thing), but all that's explained in the readme files that come with it.

And as far as enterprise AV I've always liked TrendMicro.

Enterprise software firewalls, Sygate, definitely.

Although I haven't seen all the newest releases of these products, I'd be willing to bet they are nice, as I have had much experience with them prior to the newest and they were always a good product. :thumbsup:

edit

Keeping in mind, of course, that you have the budget and the products meet your requirements. I hope that goes without saying?

If you don't have the budget then I have other recommendations, but since you already have a pretty expensive package it sounds like someone doesn't mind spending cash money. Ya know?

AngelicKnight
June 24th, 2004, 03:35 PM
Yeah, but the problem is they like what they have, so I'm stuck with what I've got. If I had it my way, we'd ditch CA altogether! As far as backups though, we're good there, we're backed up out the wazoo. :)

nihil
June 24th, 2004, 03:59 PM
Hi Angelic~

Just checked my e-Trust (WinME, stand alone box). It seems to log on demand scans (it does!) but NOT scheduled scans.............I will have a dig around inside it.............I run a variety of cleaning routines, so if it uses temporary files these may get zapped? It may only report if it finds something, and I wonder how the enterprise version works?............wouldn't seem to be much point in storing the log locally?.................what is the mechanism for reporting back to the server?

I will go with the "Big Bad Wolf" (even though I should report him for advertising toothpaste :p )

and say that I have generally been very satisfied with Trend Micro's products...........I have only just loaded their PC-cillin 2004 Internet Security v.11 on this box (WinXP)..........so far so good.......no chance to look at logging etc. I only did it last night.

Cheers,

AngelicKnight
June 24th, 2004, 04:12 PM
So just as I suspected, it doesn't seem to log clean scans then...But surely, there's gotta be a way to confirm that they've run. It would seem to be an awfully naive practice just to assume they did with no way of confirming. Well, let me know if you discover anything Nihil, thanks for confirming my suspicions. Wow, and WinME, you brave soul you. ;)

The only reports you get server side are just logs in the administrative view, things like "job failed", "update successful", blah blah blah. That's about it.

KorpDeath
June 24th, 2004, 04:43 PM
So they assume because you get no response that should be good? CA can't possibly be that stupid, I mean, I knew they were pretty dumb from my experience trying to get support from them but this just takes the cake.

IMO - The console should be flexible enough to allow you to turn on or off any level of logging, even if you just want to verify that the scan came up clean. Even with minimal logging it should tell what drives it scanned and how many files, etc. etc.

AngelicKnight
June 24th, 2004, 04:45 PM
Exactly! I keep hoping that it's there and I'm just overlooking it somehow, but I have yet to find anything. Grr...Indeed, silence hardly equates to safety, I don't know what the deal is.

AngelicKnight
June 24th, 2004, 05:49 PM
And here's something else, though I'm not sure if it's related to the problem. On the server administering the AV, I get this log under General Events:

Type: Critical
Source: Admin Server
Code: 47
Description: The admin server could not communicate with the proxy <adminservername>.<ourdomain>, error 1717. The request has been lost.

Once again, more meaningless error codes! Yay!

Two things don't make sense to me:

1) First and foremost, we don't use a proxy!
2) The admin server can't communicate with itself?

KorpDeath
June 24th, 2004, 06:10 PM
Not that that is an indication of anything bad happening, but if I were you I'd check all logins that relate to the AV system, service logins, etc. etc. Then I'd go through every nook and cranny of that admin program to see if you just missed something.

Other than that if the AV proggy doesn't have the ability to log that stuff then you, my friend, are what they call "ass out". Sorry. CA sucks, what else can I say.

If you're good with batch files maybe you could set something up that drops a file on the user's system after a successfully completed scan, but I wouldn't. That's too much work, for very little, IMO.

peace

DjM
June 24th, 2004, 06:16 PM
Sorry, I haven't got time to check this out now, but can't you create an audit policy which will cut a record into the event log when something happens? I am thinking here, creating an audit policy on the scan process, cut a record when it starts, cut another record when it stops. Like I said I don't have time to check it, but maybe someone here can confirm or deny if it can be done.

Cheers:

AngelicKnight
June 24th, 2004, 06:27 PM
Oh, good thinking, DjM! And lo and behold, did some more digging through the administrative view and found where it's set up to e-mail alerts to my address. I hadn't given that option much thought since it's already running and doesn't regard logging, but when I took a look into its configuration, I found this:

1) It has an option to log to EventViewer (which was disabled)
2) It was set to only report alerts, not informational logs

So, I've enabled both of those. Hopefully that's the magic fix *crossing fingers*. We'll know soon!

nihil
June 25th, 2004, 11:46 AM
Hi Angelic~

Just checked mine (single user)...........you should have:

viruslog.txt
RT_log.txt

The first is for system scanning, and the second for real time scanning.

I have checked it with viruses and without viruses, and you should still get a log telling you about the object locked system files that it could not check.

I have an option to list "all scanned files" or just problem ones...............perhaps if you tell it to list all scanned files, it will tell you if it works?

Otherwise, I can prepare you a little folder of "fun stuff" that should get it going :D

ONLY TO BE USED ON A TEST MACHINE NOT CONNECTED TO A NETWORK

You just copy the folder and run your AV..............it should go ballistic?

Please let me know..........

Cheers
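As an added example (not from the thread, and not CA's code), one way to turn the thread's conclusion that silence is not confirmation into a check: a short Python script that reads per-host scan logs of the viruslog.txt kind nihil describes and flags every host whose log shows no completed scan inside the expected window, including hosts whose log is empty or whose last scan started but never finished. The log line layout, host names and timestamps are constructed assumptions; eTrust's real log format is not shown in this thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of per-host scan logs (assumed layout: timestamp, event, detail).
# The real eTrust viruslog.txt format is not shown in the thread; this is illustrative.
SAMPLE_LOGS = {
    "fileserver01": [
        "2004-06-23 01:00:02 SCAN_START scheduled",
        "2004-06-23 01:42:17 SCAN_END files=184321 infected=0",
    ],
    "workstation07": [  # last entry is months old, like the March dispatch in the thread
        "2004-03-11 01:01:03 SCAN_START scheduled",
        "2004-03-11 01:20:40 SCAN_END files=40211 infected=2",
    ],
    "workstation09": [  # scan started but never finished
        "2004-06-23 01:00:05 SCAN_START scheduled",
    ],
    "workstation12": [],  # empty log: exactly the symptom described in the thread
}

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (SCAN_START|SCAN_END)(?: (.*))?$")
CHECK_TIME = datetime(2004, 6, 24, 9, 0, 0)  # sample "now" for the check

def last_event(lines, event):
    """Return the latest timestamp of the given event type, or None if it never appears."""
    latest = None
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(2) == event:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            if latest is None or ts > latest:
                latest = ts
    return latest

def scan_status(lines, now=CHECK_TIME, max_age=timedelta(hours=36)):
    """Classify one host's log as 'ok', 'unfinished', 'stale' or 'never'.
    36 hours allows a nightly 1:00am job plus run time; an empty log is a finding."""
    end, start = last_event(lines, "SCAN_END"), last_event(lines, "SCAN_START")
    if end is None:
        return "unfinished" if start is not None else "never"
    if start is not None and start > end:
        return "unfinished"
    return "ok" if now - end <= max_age else "stale"

def hosts_needing_attention(logs, now=CHECK_TIME):
    """Map every host whose status is not 'ok' to its status, for follow-up."""
    findings = {}
    for host, lines in logs.items():
        status = scan_status(lines, now)
        if status != "ok":
            findings[host] = status
    return findings
```

Running `hosts_needing_attention(SAMPLE_LOGS)` against the sample flags workstation07 as stale, workstation09 as unfinished and workstation12 as never scanned, while fileserver01 passes.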