Configuring Antivirus to Ignore Spector CNE

Troubleshooting

When the Spector CNE Servers and Clients are installed on a network where endpoint antivirus software (McAfee, Symantec, etc.) is deployed, there is a small chance the antivirus software may classify a component as a threat and remove it. This could happen during installation of the Client or at any time after installation.

The Client Install task ran successfully, but the Recorder is not installed

Steps you can take to prevent detection are:

These steps are ONLY necessary if the Client or a Spector CNE service is being detected!  

Excluding by Risk Name (Signature)

The advantage of this method is that it allows all SpectorSoft components; you do not have to install the Client using fixed filenames or list specific SpectorSoft files anywhere, which preserves stealth. The disadvantage of this method is that you may need to update the antivirus configuration as the software updates its "risk names."  

To exclude by risk name:

Simply go into the antivirus software settings and select the SpectorSoft risk name (representing the signature) from the vendor's provided list to be excluded from future antivirus scans.  Instructions for preventing detection by the following packages are provided in the Spector CNE Knowledge Base.

Vendor          Antivirus                 Risk Name
--------------  ------------------------  --------------------------------
Symantec        AntiVirus 10.0x Client    Remacc.Spector
Symantec        Antivirus 10.0x Server    Spyware.Eblaster, Spyware.Spector
McAfee          Managed VirusScan         Spector
McAfee          Enterprise Edition 8.0i   Spyware-eBlaster
Spyware Doctor  Spyware Doctor            Spector Pro Keylogger, eBlaster
Sunbelt         CounterSpy                eBlaster, Spector
Trend Micro     OfficeScan                SPYW_SPECTOR.A, SPYW_SPECTOR.B

If your antivirus software does not list SpectorSoft in its list of risk names, and you prefer this method over creating a whitelist of all Spector CNE filenames, you can obtain the risk name by allowing the Client (or Servers) to be detected. Follow these procedures to exclude the SpectorSoft risk name.

Keep in mind that a savvy user who is able to access and read the antivirus exclusionary list may figure out the Client is recording activities on his or her computer.  

Excluding Spector CNE Client and Server Filenames

The advantage of excluding specific files from scans is that even if the antivirus software updates or changes its "risk names," the Client and other components will not be detected. Once this is done, you do not have to change the antivirus risk exclusion or update the Clients. The disadvantage of this method is that all Clients will use the same installed file names, sacrificing an element of stealth.  

Even though the Client filenames are cryptic and not stored in an obvious location, a savvy user with access to the antivirus "whitelist" and Admin permissions may be able to locate and remove the Client files. If this is a concern, do not use fixed filenames.

To exclude Client detection by filename:

  1. Open the Control Center.

  2. Use the Deployment Utility to build a Client Install file.

    • Select Manage Computers in the left pane.

    • Open the Action menu and select Deployment Utility.

    • Follow the instructions in the Spector Client Deploy Utility wizard.

  3. When you arrive at the final panel in the Deployment Utility wizard, check the Use Fixed Filenames option. Click OK and complete the wizard.

  4. Add the Client fixed filenames (listed below) to be excluded or ignored in the antivirus software settings. If you are concerned about detection of Spector CNE Servers, add those filenames as well. Refer to the Spector CNE Knowledge Base for instructions on creating a whitelist in Symantec, McAfee, and other antivirus / anti-spyware programs.

  5. Finally, install the Client on computers, selecting the Client Install file you just built that uses fixed filenames.

If the Client was already installed using random filenames, the Client Service will retain its previous, random name. You will need to uninstall the Client before reinstalling with fixed filenames.

The filenames for the Client, the 64-bit Client and the Server software are listed below. If you are concerned about servers, you may want to exclude the entire folder \..\SpectorSoft\* from scanning rather than list all files. Be sure to include every Client file in the whitelist.

Client Files

C:\...\SYSTEM32
    cmproxfr.dll
    nmcpusym.dll
    secadtr.dll
    sgvrfy32.exe
    svrltwp.dll
    svrlser.dll
    svrltmgr.dll
    vdorctrl.dll
    wshvtx.exe
    wzodlg32.dll

C:\...\SYSTEM32\drivers*
    vdorctrl.sys

64-bit Client Files

C:\...\SYSTEM32
    cmproxfr.dll
    nmcpusym.dll
    sgvrfy32.exe
    svrltwp.dll
    svrltmgr.dll
    vdorctrl.dll

C:\...\SYSTEM32\drivers*
    vdorctrl.sys

C:\...\SysWOW64
    mxcrsc32.exe
    nmcpusym.dll
    secadtr.dll
    svrlser.dll
    svrltmgr.dll
    svrltwp.dll
    wshvtx.exe
    wzodlg32.dll

Server Filenames

C:\...\SYSTEM32
    SPLicenseManager.exe
    SPDataServer.exe
    CNESvrMgr.exe
    CNECDLL3.dll
    CENotify.dll
    msocxushell.dll

C:\...\SpectorSoft\Spector CNE
    Admin.exe
    CEAdmin.cfg
    CEAdmin.dll
    CEAdminExt.dll
    CEAdminRT.log
    CENotify.dll
    CESetup.exe
    CNECommDll.dll
    CNESvrMgr.exe
    ControlCenterXP.msc
    DeploymentGuide.chm
    msnwcfg.ini
    MSVxRsc.dll
    NetConfig.xml
    ReadMe.htm
    Settings.ini
    SPCEAdminSvc.exe
    SPCEAdminSvc.log
    SPDataServer.exe
    SPDataServer.log
    SpectorCNE.chm
    SPLicenseManager.exe
    SPLicenseManager.log
    SPSetup.exe
    spsetup_Settings.sds
    SPUninst.exe
    SPUninst64.exe
    VersionInfo.txt
    [Other files that you create:]
    *.XML
    *.SDS
    *.INI

C:\Program Files\SpectorSoft\Setup\CNE
    [all files]

* Only installed on Vista/Server 2008 machines