AKA – What to do if you install 2 antivirus products on one machine and RDP/Vsphere console are completely non-responsive.
Our guys at Symantec have done the footwork in the user forums to see if they could resolve the issue in this forum post.Boot into safe mode with networking on the Windows Hosts that you are working on by pressing F8 during the BIOS splash prior to boot. It is possible that your VM will breeze through the bios faster than you can click F8 during the boot sequence. If this is the case right click the VM -> Edit Settings -> Options -> Advanced -> Boot Options -> “Power on boot delay” -> Add millisecond value (e.g. 1000 for 1 full second)
Login to the server and after this use the following code to allow for an uninstall to be processed by the server. If multiple machines are having this issue save the following code into a .bat file and then place it in a network shared location and run it on each machine
REG ADD “HKLM\SYSTEM\CURRENTControlSet\Control\SafeBoot\Network\MSIServer” /VE /T REG_SZ /F /D “Server”
net start msiserver
At this point you will be able to uninstall the antivirus that is causing the issues and then restart your server and everything should be back up and running.
That concludes the How to portion of this post but the bigger question is how could this be avoided by the antivirus itself and/or does this occur with every antivirus? It surely would be interesting to see what products cause the most of this problem. Perhaps that will be a post for the future.
The title of this post was a bit tongue in cheek in that if not even IT staff is able to access a server it must be Fort Knox! One would think that if the primary goal is to secure a computer does that mean that the antivirus has failed in its goals or has it succeeded? It is interesting to me that an antivirus wouldn’t see another antivirus installing as being malicious or potentially causing harm. This opens a larger door in the balance between security and ease of use. Should an Antivirus product not allow you to access the sites of their competitors? This would make sure something like this wouldn’t happen but it also has the possibility to cause more issues than it is preventing.
Most people know not to install two copies of AV over one another but it does happen and most likely will continue to happen. This will also question the use of classic signature based AV in the sense that we are generally moving towards more innovative ways of capturing this sort of data in machine learning / AI integrated products. I will conclude this post with the question in that what if an AI was turned against itself in the form of having to AV products that were AI driven? Would we be in a worse spot than what inspired this blog post? Only time will tell.