Missing AV Logs

[AngelicKnight]

I'm about to run off to do some Googling on this, but if any of you have already encountered this or know anything, input would be much appreciated, especially since so far Google hasn't helped me much with this particular AV.

We have CA's eTrust Antivirus running here. The domain controller server pushes scheduled scans, updates, etc. to all of the clients. However, I'm checking my logs on various clients on the network and the logs are completely empty, particularly for scheduled scans, as if nothing has ever run.

So this is odd. I don't know if either 1) the scheduled scans aren't being logged or 2) they just simply aren't running. I'm not receiving any errors that scheduled scans are failing to run, and that's just the problem -- I'm not being told anything. So, until I figure out what's going on, I'm just running manual scans on our most important server (which did turn up some trojans first time I ran it). Realtime scan is giving no logs either.

Checked log settings, and logs are supposed to purge once they become seven days old, so that doesn't seem to be the problem. Just to test, I turned off purging altogether -- no change.

Also, our support contract with CA has expired, so I can't call support. The boss wants me to figure it out on my own since they don't want to dump the money into renewing the contract. Yay!

So, got any ideas?

[KorpDeath]

I've never liked CA products even though I've had to install and use them at various jobs. I've noticed this same issue but with their backup software. It'll fail for no reason, then not give any notifications that it did or the reason why. It didn't even give one of those meaningless CA error numbers.

The only way I was able to fix this was by removing all traces of the client agents, reinstalling them and then rediscovering them with the server. This seemed to work after the third time, if I remember correctly. I had to run manually for about two days, until I screwed around with it enough.

Depending on how many clients are showing these symptoms it might be an option.

That is why, kids, I never trust products from a company with the initials CA.

[AngelicKnight]

Could it be that it only logs scans when something is found? I reviewed logs again today, and again there was hardly any there, but I did find some realtime log entries for scans that caught something. I wonder if it's simply not logged if the scan comes up clean? I'm still playing around with it...

I totally agree though, I'm not too keen on CA either, nor do I understand why they give you error numbers and don't offer any explanation as to what they mean.

[RoadClosed]

Where are you reviewing the logs? Who is logging it, ie does Etrust create it's own log or does it dump it into event viewer under applications or something. It may be possible that local logging is not enabled to either. I bet you checked that already but I have had to tweak Mcaffee to log properly through a domain policy on logging.

//Edit, oh I saw your last post to late. I tweaked mine to log start and stops of scans so I can quickly make sure they are at least running. etrust might not do that, but you should be able to see the service start up in the windows logs.

I've never liked CA products even though I've had to install and use them at various jobs. I've noticed this same issue but with their backup software. It'll fail for no reason, then not give any notifications that it did or the reason why. It didn't even give one of those meaningless CA error numbers.

Ahhh, that thing blows. Korp what are you using or would use as a replacement? My contract runs out and I can't stand to look at CA, Arcserve, Brightstore, whatever another f#c3ing day.

[AngelicKnight]

Yeah, it doesn't dump them into event logs, but has it's own internal logs. It's the logs in the client AV that's empty.

This is interesting, though: I found the administrative logs for forced policies, and the last scheduled scan pushed onto the network is logged as this:

Dispatch time: 3/11/2004 1:01:03 AM

So the last one logged was in March?! This just keeps getting stranger...

Event logs don't show anything either. There are only entries for scans that have uncovered trojans, not the scans that ran clean. My June 17th manual scan that ran clean doesn't appear.

Hmm...

/edit -- Well...Just as an experiment, I scheduled a local scan on my machine. Scan came up clean, nothing found. This one was logged too. So again, hmm...

/edit -- Ok, good news, I just found recent scheduled scans pushed from the server in my machine's log files. It was just under "General Events" instead of "Scheduled Scans" (that's kinda wierd). Off I go to check the other machines and see if that's the case with everyone...

[AngelicKnight]

Ok, here are the results of what I've found so far: If I schedule a scan via the local machine, it will appear in the log as having ran, wether it catches anything nasty or not. However, I have yet to find a machine that is logging scheduled scans pushed to it from the AV server. Nonetheless, the AV server pushing the scans is not reporting any errors, and nowhere am I finding any scan failures. The scheduled scans are configured from the server and still in place, as I checked their properties (set to scan 1:00am every morning). I haven't found anyway to configure logging either; it seems the only options I have are regarding purging logs (which is set to purge any log older than seven days).

So, I'm pretty stumped at the moment. I have no confirmation that scheduled scans are running, nor do I have any reports of scans failing. Other policies (update downloads, etc.) are successfully being pushed to clients and are logged.

And of course, from the server's admistrative view, my last log is from March, as described in the previous post.

So...I'm pretty baffled at the moment.

[KorpDeath]

Originally posted here by RoadClosed
Where are you reviewing the logs? Who is logging it, ie does Etrust create it's own log or does it dump it into event viewer under applications or something. It may be possible that local logging is not enabled to either. I bet you checked that already but I have had to tweak Mcaffee to log properly through a domain policy on logging.

//Edit, oh I saw your last post to late. I tweaked mine to log start and stops of scans so I can quickly make sure they are at least running. etrust might not do that, but you should be able to see the service start up in the windows logs.



Ahhh, that thing blows. Korp what are you using or would use as a replacement? My contract runs out and I can't stand to look at CA, Arcserve, Brightstore, whatever another f#c3ing day.

Well, as far as backup software goes, Veritas works pretty well (the current owners of Backup Exec). It did everything I wanted it to without having to jump through hoops, etc. etc. I do remember there are caveats to installing service packs over it,(bad thing) but all that's explained in the readme files that come with it.

And as far as enterprise AV I've always liked TrendMicro.

Enterprise software firewalls, Sygate, definitely.

Although I haven't seen all the newest releases ot these products I'd be willing to bet they are nice as I have had much experience with them prior to the newest and they were always a good product.

edit

Keeping in mind, of course, that you have the budget and the products meet your requirements. I hope that goes without saying?

If you don't have the budget then I have other recomendations, but since you already have a pretty expensive package it sounds like someone doesn't mind to spend cash money. Ya know?

[AngelicKnight]

Yeah, but the problem is they like what they have, so I'm stuck with what I've got. If I had it my way, we'd ditch CA altogether! As far as backups though, we're good there, we're backed up out the wazoo.

[nihil]

Hi Angelic~

Just checked my e-Trust (WinME, stand alone box). It seems to log on demand scans (it does!) but NOT scheduled scans.............I will have a dig around inside it.............I run a variety of cleaning routines, so if it uses temporary files these may get zapped? It may only report if it finds something, and I wonder how the enterprise version works?............wouldn't seem to be much point in storing the log locally?.................what is the mechanism for reporting back to the server?

I will go with the "Big Bad Wolf" (even though I should report him for advertising toothpaste )

and say that I have generally be very satisfied with Trend Micro's products...........I have only just loaded their PC-cillin 2004 Internet Security v.11 on this box (WinXP)..........so far so good.......no chance to look at logging etc. I only did it last night.

Cheers,

[AngelicKnight]

So just as I suspected, it doesn't seem to log clean scans then...But surely, there's gotta be a way to confirm that they've run. It would seem to be an awefully naive practice just to assume they did with no way of confirming. Well, let me know if you discover anything Nihil, thanks for confirming my suspicions. Wow, and WinME, you brave sould you.

The only reports you get server side are just logs in the administrative view, things like "job failed", "update succesful", blah blah blah. That's about it.