Microsoft AntiSpyware May Classify Symantec SAV & SCS as Malware! - TechRepublic
February 16, 2006 at 01:52 PM
67gtv

by 67gtv . Updated 20 years, 3 months ago

Despite my protests, my manager had us deploy Microsoft’s Windows AntiSpyware (Hello?! Beta software!) throughout our domain last year. Other than the need to reinstall the latest versions occasionally, MSAS (MWAS?) has been working well in our environment. As well as can be determined without having an MSAS console to monitor our systems, that is.

This ‘bliss’ faded when I came across a major problem last week as MSAS detected a trojan on several of our PCs. All hell broke loose when I instructed MSAS to remove the threat. MSAS locked up on the removal process and SAV jumped into an endless virus scan cycle. SAV will no longer function, uninstall or reinstall on these machines. After several frustrating attempts to find the cause, I stumbled across an article that pointed me in the right direction. I called Symantec Technical support and was given the information pasted below. I am hoping this information may provide some help to those who may have been forced to roll out MSAS in their corporate environment.

From Symantec:
“Microsoft and Symantec are aware of an issue currently affecting customers using both Microsoft Windows AntiSpyware Beta 1 and versions of Symantec AntiVirus (SAV) Corporate Edition and Symantec Client Security (SCS). The issue involves a Windows AntiSpyware Beta 1 signature (5805) released at 11:30pm on Thursday, February 9th which incorrectly identified a registry key affecting these Symantec products as belonging to a password stealing malware known as PWS.Bancos.A.”

“Customers running Symantec’s consumer products, Norton Antivirus and Norton Internet Security, are not impacted by this issue. This issue also does not affect customers using Symantec’s software alongside Microsoft Windows Defender Beta 2 either in Windows XP or preview versions of Windows Vista.”

“Customers running Symantec Antivirus (SAV) Corporate Edition versions 7, 8, 9 or 10 or Symantec Client Security (SCS) versions 1, 2 or 3 in combination with Windows AntiSpyware Beta 1 could be impacted by this issue. The beta software will prompt and allow the user to remove a registry key containing subkeys belonging to these Symantec products. The deletion of these registry keys will cause all versions of the SAV and SCS software to stop operating correctly. No files are removed in this situation, only registry keys.”

“Once this issue was discovered, Microsoft quickly released a new signature set (5807) to remove this false positive. Both companies are working jointly together to identify the number of affected customers, which we believe to be very limited.”

The Symantec Tech Support Rep provided a link to their NoNav (NoNav2.1.exe) tool in order to completely remove SAV.

“NoNav removes Norton AntiVirus Corporate Edition and Symantec AntiVirus Corporate Edition versions 4, 5, 6, 7, 8, 9, 10, Symantec Client Security versions 1, 2 and 3 as well as the Symantec System Center, AMS, and optionally the virus definitions, LiveUpdate, and Symevent. It runs on Windows 95, 98, Me, NT, 2000, and XP.”

“Disclaimer: NoNav is provided as a convenience and is an unsupported tool.”
