  • Antivirus problem

    About a month ago I installed Kaspersky on our Shoretel server, running 8.1 on Server 2003. At first we didn't have any issues, but within a week a customer mentioned to the receptionist that he could not leave a voicemail. The prompt would direct him to leave a message at the beep, then no beep, just dead air.

    Investigation found the server hung. Reboot fixed the issue, but it recurred about a week later. Reinstallation of Kaspersky did nothing. Shoreline Data is excluded from Kaspersky and the Shoreline Server folder\*.exe is listed as trusted, but the problem continues about every week. I uninstalled Kaspersky for a few weeks to see if the problem came back and it did not.

    A Warning in the Application event viewer reads:
    -----------------------------------------------
    Source: MsiInstaller
    Category: None
    Event ID: 1001
    User: NT AUTHORITY\SYSTEM

    Detection of product '{11F28876-DDF6-438B-B825-572387D36F99}', feature 'ShoreWareServer' failed during request for component '{435183D5-F604-46FB-B81D-7C520C983406}'
    -----------------------------------------------

    It seems to me that the original ShoreWare Server installer re-runs about once a week, and part of the install is to create this component, which looks like virus behavior to Kaspersky and it gets killed. It seems strange to me that the installer would re-run in the first place.

    Has anyone had experience with this sort of thing, be it Shoretel or some other program?

    Sorry about the long post, I wanted to supply all the details I know.

  • #2
    For what it's worth the guys we had install ours highly recommended that we didn't put AV on it. Also for that matter not even join it to the domain. Is it a policy that they have to have AV on that server?

    Comment


    • #3
      I understand the problems with having AV on this server, but you're going to have that issue with almost any server hosting some specialized application. Kaspersky is easy when it comes to excluding this or that, so it's really a matter of what to exclude.

      In this case though, the big question is: is it normal for ShoreWare Server to run an installer every week? This installer gets killed then immediately starts again automatically, resulting in a loop that crashes the server. If this isn't normal I'd rather fix it. Theoretically this would be the root cause, not a Kaspersky false positive.

      Comment


      • #4
        We were told we could have AV on our server as long as we exempted the root shoreware directories. Did... done... no issues. We are using Eset on ours. You might want to call Kaspersky and talk to their tech support and see if there is any more you can do to trust these directories. I don't have Kaspersky in front of me, but is there a way to disable the real time scanning? See what happens if you turn that off.
        Last edited by kremus; 10-01-2010, 05:50 AM.

        Comment


        • #5
          That's just it, I exempted the Shoreline Data folder, but the problem is that this ShoreWare Server installer runs every week. Kaspersky kills the installer and it runs again automatically, and gets killed again in a loop until the server crashes.

          This installer running every week does not seem like normal behavior, so it looks like Kaspersky is doing what it is supposed to do. So the question becomes: does anyone know if this installer is abnormal behavior and, if so, how to stop it? Tinkering with Kaspersky as a workaround may end up being the recourse I finally take, but the best fix would be to fix the root cause of the installer running every week.

          Comment
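
An added example, not part of the original posts: a Python sketch that parses the MsiInstaller warning quoted in post #1 and flags the kill-and-retry loop described in posts #3 and #5, so the product, feature and component involved can be handed to vendor support. It assumes the Application log has been exported as (timestamp, message) pairs and that each retry logs another Event ID 1001 warning; the timestamps, the 10-minute window and the threshold of 3 are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message format of the MsiInstaller warning (Event ID 1001) quoted in post #1.
MSI_1001 = re.compile(
    r"Detection of product '(?P<product>\{[0-9A-Fa-f-]{36}\})', "
    r"feature '(?P<feature>[^']+)' failed during request for "
    r"component '(?P<component>\{[0-9A-Fa-f-]{36}\})'")

def parse_1001(message):
    """Return (product, feature, component), or None if the text does not match."""
    m = MSI_1001.search(message)
    return (m["product"].upper(), m["feature"], m["component"].upper()) if m else None

def find_repair_loops(events, window=timedelta(minutes=10), threshold=3):
    """Report runs of >= threshold warnings for the same product/feature/component
    in which consecutive warnings are no more than `window` apart."""
    by_key = defaultdict(list)
    for ts, msg in events:
        key = parse_1001(msg)
        if key:
            by_key[key].append(ts)
    loops = []
    for key, stamps in by_key.items():
        stamps.sort()
        run = [stamps[0]]
        for ts in stamps[1:] + [None]:          # None flushes the final run
            if ts is not None and ts - run[-1] <= window:
                run.append(ts)
                continue
            if len(run) >= threshold:
                loops.append({"key": key, "start": run[0],
                              "end": run[-1], "count": len(run)})
            run = [ts]
    return loops

# Message text from post #1; every timestamp below is constructed.
MSG = ("Detection of product '{11F28876-DDF6-438B-B825-572387D36F99}', "
       "feature 'ShoreWareServer' failed during request for component "
       "'{435183D5-F604-46FB-B81D-7C520C983406}'")
SAMPLE = [
    (datetime(2010, 9, 13, 2, 0, 5), MSG),      # isolated warning, not a loop
    (datetime(2010, 9, 20, 2, 0, 4), MSG),      # burst: three within minutes
    (datetime(2010, 9, 20, 2, 1, 30), MSG),
    (datetime(2010, 9, 20, 2, 3, 10), MSG),
    (datetime(2010, 9, 20, 2, 5, 0), "unrelated constructed entry"),
]

if __name__ == "__main__":
    for loop in find_repair_loops(SAMPLE):
        print(loop["count"], "warnings", loop["start"], "to", loop["end"], loop["key"])
```

Comparing the start times of the flagged runs against the antivirus product's own detection log shows whether each burst lines up with a blocked installer action.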


          • #6
            Have you tried doing an uninstall - reinstall of the Shoretel application?

            Comment


            • #7
              Actually, I've been on the horn with support.

              It *may* be an issue with the way it was installed. Shoreline Data was installed to the C drive, and they recommend it be installed to the D drive. It is possible that it's looking for a component, not finding it but finding a pointer in the registry to D:, and not finding anything there but then finding another pointer to temp files stored under Windows\installer.

              Tiers II and III are looking into the issue now, will post when I have something.

              Anyone else have Shoretel 8.1 with Shoreline Data on the C drive? With AV?

              Comment


              • #8
                I find that odd. I would assume they would want everything on the C drive. I was actually on a webinar with our vendor and they were showing us all the scripts for backup. All of them assume the C drive as where everything is. We have everything on our C drive. As for the installer running once a week, yeah, not normal. As much as I hate to say it, reinstall or get another machine running to test on a different platform.

                Comment


                • #9
                  It may come to that, but I can give support their chance before I do all the work. If I reinstalled and it turned out to be as simple as a registry key I'd be disappointed in myself.

                  Comment
