All About Eraser Updates and Application Testing After An Eraser Engine Update Is Applied

Article ID: 156624

Products

Endpoint Protection

Issue/Introduction

What is an Eraser Update and how do you test your internal applications after the update is applied?

Resolution

1. How is the Eraser Update installed?
The same Intelligent Updater (IU) is used for both installing definitions and installing the Eraser test definitions to a Symantec Endpoint Protection (SEP) client.

2. What happens during the Eraser Update?
The actual Eraser driver update happens at the time of the next scan after the definitions update, not as part of the definitions update itself.
An Active Scan or Full Scan must be activated by the user.
Once the Eraser test definitions have been installed correctly, the scan triggers the SEP client to complete the Eraser Update.
The SEP client operates independently of the user's permission level: the update runs as part of the SEP service, with SYSTEM privileges.

3. What registry keys are involved during the installation of the test definitions?
When a new version of the Eraser binaries is shipped, the existing driver name is changed and a new service name is created in the registry (e.g. EraserUtilDrv11210).
 
The path to these entries is:
HKLM\System\CurrentControlSet\Services\eeCtrl\Parameters\Clients
The entries are:
EraserUtilDrv11122
EraserUtilDrv11210

Note:
For Eraser, the eeCtrl service will always be installed in the registry to the following location:
HKLM\System\CurrentControlSet\Services\eeCtrl
Upon uninstall, when that driver/service is removed, that key and all sub keys are simply deleted, including that Clients key.

4. Are there minimum security permissions required on these registry keys so the test definitions installation does not halt or error out?
When making or performing any configuration changes to a SEP client, it is always recommended that it be performed by an Administrator.
Intelligent Updater is run under the permissions context of the user who triggered it. The user must have Read-Write-Execute-Modify permissions settings to specific Symantec folders.

Additional Note:
For every driver-based service that Windows launches, the Windows plug-and-play (PnP) subsystem automatically creates a "root-enumerated device node" key for the driver:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EECTRL
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ERASERUTILDRV11210
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ERASERUTILDRV11211

The entries in the Clients path are required in order to identify the Legacy driver keys that have been created, so that an uninstall can be as clean as possible: the "Clients" key directs which PnP keys should be manually deleted at uninstall time, before the main eeCtrl service entry is removed.
Note that in some cases the MSI installer that performs the uninstall does not remove these entries even when it successfully removes SEP. These leftover registry entries do not cause any issues beyond unnecessary entries in the registry.
 
5. How does the Intelligent Updater replace existing (older) Eraser files when there are new ERASER engine files in the update?
This is part of the general virus definitions update process.
Files in the VirusDefs folder are not replaced. The update process makes a new folder and puts a complete set of definitions there (often based on differences from the previous version to keep the size down, but that doesn’t apply to the manual definitions case).
Gradually the whole product migrates over to using the new VirusDefs folder location and the old one will be removed automatically.
 
The Eraser update process is slightly different with respect to its driver because the driver lives in the EENGINE location. When Eraser loads, it checks the version in the EENGINE folder and compares it to the one in its definitions folder; if they’re different Eraser will copy the current one on top of the one in the EENGINE folder.
To complete the process, if Eraser can determine that no other components are using the running instance of the old driver, the old one will be unloaded from memory and the new Eraser driver will be loaded in its place.
 
6. How can you verify a successful installation of an Eraser Update?
There is no logging to record the Eraser update. The Eraser version update must be manually verified after the next Active or Full scan.
To verify whether Eraser was successfully updated after the scan, check the version of the eeCtrl.sys file in the EENGINE folder location as directed in Step 1 above.
 
Any logging that is created during the Eraser test definitions install is to record the Intelligent Updater process and does not pertain to the Eraser Update. The Intelligent Updater (IU) will succeed independently of Eraser. The Intelligent Updater essentially just copies files and the result is all or nothing. 
 
7. How is the Eraser Update tested by Symantec prior to release?
The binaries themselves are tested for functionality and verified against a suite of regression tests to make sure everything is working as it should.
Note: The specifics about the internal processes used by Symantec for testing are considered proprietary information.
 
Concerning the test definitions package (specifically the Intelligent Updater), the package is reviewed to ensure that it contains the correct files and that the product reports the correct version(s).

 
Application Testing after an Eraser Update
-Important-

Symantec recommends performing all internal application testing in a non-production test environment. The purpose of the testing is for the customer to verify that all their internal applications function correctly without any issue. Symantec recommends the SEP client, where application testing will be performed, either be a SEPM managed test SEP client or be a newly installed unmanaged SEP test client.
 
Customer application testing of an Eraser Update should be performed according to the following instructions:
 
a. Ensure that the Eraser test definitions and the SEP install package you intend to use are copied to the Desktop of a test machine in a controlled test environment.
b. If using a test machine with SEP already installed, you must ensure the current definitions on the test machine are older than the date of the Eraser test definitions. If the Intelligent Updater is run on a computer which has newer/more recent definitions, the engine will not be updated.
   If you are using a SEPM managed client, use the instructions in the article "How to Backdate Virus Definitions in Symantec Endpoint Protection Manager" to roll back definitions for that test client. After the definitions have been confirmed to have been rolled back, proceed to step "c".
   If using an unmanaged client, uninstall the SEP client and LiveUpdate. Proceed with step "c".
c. Disconnect or disable the network connection to the SEP client.
d. If you had to remove the current SEP install, perform a fresh SEP install using your current install package.
e. Reboot.
f. Apply the Eraser Update.
g. Reboot.
h. Activate an Active Scan or Full Scan (this completes the Eraser Update process) and verify that no false positives are detected.
i. Verify the version number of the eeCtrl.sys file in the EENGINE folder matches the Eraser Update version.
   The file can be located in the paths indicated below:
   Win XP: …\Program Files\Common Files\Symantec Shared\EEngine\
   Win 7:  …\Program Files (x86)\Common Files\Symantec Shared\EEngine\
j. Proceed to open and run all your applications as they would normally be used. Watch for unusual program error messages or popups from your internal applications.
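Because the article notes that nothing logs the Eraser driver update itself (section 6), the verification in step i and the registry entries from section 3 are the only evidence that the update completed. The script below is an added example, not Symantec's own tooling; it reads the Clients key and LEGACY_ PnP nodes named in the article and compares the eeCtrl.sys file version in the EEngine folder against a version you supply. The $ExpectedVersion default is a placeholder, and whether the Clients entries are values or subkeys is an assumption, so both are checked.

```powershell
# Added example (not from the Symantec article): confirm an Eraser Update from the registry
# keys in section 3 and the eeCtrl.sys version check in section 6 / step i.
param(
    # Placeholder: supply the driver version that ships in the Eraser test definitions you applied.
    [string]$ExpectedVersion = '0.0.0.0'
)

$clientsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\eeCtrl\Parameters\Clients'
$enumRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$engineDirs = @(
    "$env:CommonProgramFiles\Symantec Shared\EEngine",        # Win XP path from the article
    "${env:CommonProgramFiles(x86)}\Symantec Shared\EEngine"  # Win 7 (x86) path from the article
)

# 1. Clients key: one EraserUtilDrvNNNNN entry per shipped driver version. The article does not
#    say whether these are values or subkeys, so both are listed (assumption).
if (Test-Path $clientsKey) {
    $entries = @((Get-Item $clientsKey).GetValueNames()) +
               @(Get-ChildItem $clientsKey | Select-Object -ExpandProperty PSChildName)
    $entries = $entries | Where-Object { $_ -like 'EraserUtilDrv*' }
    Write-Host "Clients entries: $($entries -join ', ')"
} else {
    Write-Warning "Clients key not found: $clientsKey"
}

# 2. Root-enumerated PnP nodes that the Clients key references for cleanup at uninstall time.
Get-ChildItem $enumRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq 'LEGACY_EECTRL' -or $_.PSChildName -like 'LEGACY_ERASERUTILDRV*' } |
    ForEach-Object { Write-Host "PnP node: $($_.PSChildName)" }

# 3. eeCtrl.sys in the EEngine folder: the driver is only swapped in after the next Active/Full scan,
#    so a mismatch here usually means the scan has not run yet rather than a failed update.
$sysFile = $engineDirs |
    ForEach-Object { Join-Path $_ 'eeCtrl.sys' } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $sysFile) { Write-Warning 'eeCtrl.sys not found in any EEngine folder'; exit 1 }

$actual = (Get-Item $sysFile).VersionInfo.FileVersion
Write-Host "$sysFile file version: $actual"
if ($actual -eq $ExpectedVersion) {
    Write-Host 'Eraser update verified: EEngine driver matches the expected version.'
} else {
    Write-Warning "Version mismatch (expected $ExpectedVersion). Run an Active or Full Scan, then re-check."
    exit 2
}
```

Run it from an elevated prompt after step h; a non-zero exit code is convenient for scripting the check across several test machines.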