Server Edition 4.8 - Can't Pause On-Access Nor Uninstall on Server 2003 Std R2

Forgive this cross-post, but I am not sure whether this is an ADNM-centric issue or a Server Edition issue.

Basic stats:
Server OS:

  • Windows Server 2003 Standard R2
  • The OS is running as a virtual machine under the Xen hypervisor running on RedHat Linux (actually CentOS)

Server Functions:

  • Blackberry Enterprise server platform
  • ADNM Avast network management platform

Problem Exists with:

  • Avast Client: Avast Server Edition 4.8 (managed) generated as an MSI package from the Avast management console.

Repercussions:

  • Cannot update MAPI drivers using a BlackberrySupport-specified Microsoft update utility
  • Blackberry server is causing synchronization conflicts with end users that are filling up their Exchange mailboxes
  • Two open tickets, one with Microsoft Paid Tech Support, the next with Blackberry Tier2 Server support cannot move forward
  • Exchange server behavior causing email problems that are costing man hours for our customer’s end users to re-file or prune daily

Here is the issue:

  • We need to make an update to our Blackberry Enterprise server to bring its MAPI version up to date with our Exchange 2003 Std server’s MAPI.
  • Blackberry server is running Avast 4.8 server edition (managed)
  • Upon running the Microsoft update from the following link:
    http://www.microsoft.com/downloads/details.aspx?familyid=1d9f0956-88bd-4e13-a86b-b1c8d4782f71&displaylang=en
  • The installation stalls, saying that a component of avast, aswDisp.exe, has files open that it needs to change.
  • There are Cancel, Retry, and Continue buttons, but Continue is not what I want to do; I need the server to stay up during the upgrade, and I want to be CERTAIN all files get written correctly.

I tried to find ANY way to get the interface of avast 4.8 server edition up in order to pause all on access scanning, but I cannot:

Right clicking on the avast system tray icon does nothing

Double clicking (left clicking) on the system tray icon does nothing.

Going to Start | Programs | Avast Antivirus (managed) | Avast Antivirus does the following:

  • launches the splash screen
  • runs through the memory test
  • says “program will continue”
  • disappears without a trace.

This happens whether the user is:

  • logged into Windows as besadmin (the account the console is normally logged in as because this is the Blackberry server)
  • logged in as Administrator, on the console or in an RDP session

What am I doing wrong?

We have a highly visible issue that MUST be resolved and the first step along the way is to address this issue with BES, before we can go back to make more progress on the PAID Microsoft Support ticket.

Anyone know how to pause / disable the On-Access providers?

Update:

I changed the title of the original post because I decided that:

  • getting our blackberry server working was important enough to remove the avast client and deal with the full reboot interruption.
  • Don’t know how to pause just aswDisp.exe in a proper manner that does not have any unforeseen side effects.
  • I found that uninstalling avast 4.8 Server edition (managed) was also impossible

Sure enough the forces of nature are still against me:

I go to Add Remove Programs, and click Uninstall on Avast

  • the uninstaller GUI never comes up.

Contemporaneous with that action:

From the Application Event Log:

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 5/5/2010
Time: 12:15:34 PM
User: N/A
Computer: CRGBLACKBERRY01
Description: Faulting application avast.setup, version 4.8.0.0, faulting module aswCmnB.dll, version 4.8.1296.0, fault address 0x000088dd.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

From the System Event log around the same time:
Two messages (they both happen in pairs whenever you attempt to uninstall the software):

Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date: 5/5/2010
Time: 12:15:24 PM
User: N/A
Computer: CRGBLACKBERRY01
Description: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {CF35A617-A734-42B3-9A44-06D70BC4EE68}
User: CRG\Administrator
Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found: service:avastTestService
Alert Type: Unclassified software
Detection Type:

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date: 5/5/2010
Time: 12:15:24 PM
User: N/A
Computer: CRGBLACKBERRY01
Description: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {51121522-5126-4A1C-950A-5D052FE4FEBA}
User: CRG\Administrator
Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found: driver:avastTestService
Alert Type: Unclassified software
Detection Type:

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I CANNOT afford to use the Avast software removal tool on this server until I have some more information that tells me that it will not crash the server or cause some other issue that will suddenly have our field end users and CEO and President fall out of communication.

I am posting this here to hopefully learn from anyone who has had any experience as to what they have seen.

Also, I am going to generate a support ticket to support@avast.com and put the hyperlink to this thread into the support request email.

The last time I tried to get support directly from avast, the turnaround time was well over a week, and it was another visible incident.

Hopefully this post can serve as a good reference point for any information that they may ask for, I can keep this posting updated as we go.

Thanks all.

Chris.

Hi Chris,

Did you try to remove the client by running an update task in ADNM? You can set the update task to perform an uninstall by creating a custom update task.

Hey Que!

Thanks for the reply :)

We were unable to use remote deployment in the first place, hence the MSI deployment method.

I did manage to get a response from support@avast.com from a technician from an earlier unrelated ticket, and he happened to respond to the tangential question I asked. Said I should be able to stop the Windows service and I should be able to run the update I need to run for the MAPI dll’s as mentioned above.

Hi Chris,

I’m glad to hear you got a reply from support! Even though you deployed the client via a .msi file, it’s still considered managed and should show up in ADNM. If you’re unable to see it in your computer catalog, then there’s a more serious issue going on with your ADNM server and/or the installation package was configured to point to the wrong mirror.

Update tasks can be applied to any managed client that connects back to ADNM, so if the other workaround doesn’t work try creating an update task to simply uninstall the managed client and you can start from scratch.

Worth a try. I will give it a shot.

If that does not work, do you know what specific service I should stop in services.msc to pause on-access scanning? If that will get me to the point where I can install the Microsoft MAPI update, that is all I really care about in the short term.

Thanks again.

Chris.

Hi Chris,

All the services for the various shields should start with ‘avast!’… for example ‘avast! NetAgent’. You might see numerous services depending on what shields were installed by the .msi package. You can also try to stop the processes in Task Manager that start with ash* (short for ALWIL Software).

Thanks, but the specificity question was because this is also the Avast Distributed Network Manager platform, and I don’t want to kill anything but a service for the client.

I got a reply from support that was not quite in line with the question I asked, but I think he told me what service; I just didn’t have a warm and fuzzy feeling about the answer.

Ah OK… It still might be best to stop all avast! services before you run the MAPI dll update. If ADNM is stopped, the managed clients will still scan and perform normally, they just can’t get updates or report back viruses until the ADNM server is back online.

Ok, I will try the avast tech’s suggestion first, and see if the files are locked, and if that does not do the trick, I will stop the lot.

Thanks for the help, my good man. ;D