Configuring Antivirus to Ignore Spector 360

Troubleshooting

When the Spector 360 Servers and Clients are installed on a network where endpoint antivirus software (McAfee, Symantec, etc.) is deployed, there is a small chance the antivirus software may classify a component as a threat and remove it. This could happen during installation of the Client or anytime following installation.

The Client Install task ran successfully, but the Recorder is not installed

Steps you can take to prevent detection are:

Disable the antivirus software while installing. It's extremely rare, but some antivirus software packages will detect installation activity and immediately remove or quarantine files. Turning off or partially disabling antivirus/anti-spyware scanning ensures you will be able to complete the Server and Client installations. After the Clients are installed, reactivate normal antivirus scanning. Instructions for specific packages are provided in the Spector 360 Knowledge Base.
Exclude the SpectorSoft risk name. Some antivirus/anti-spyware packages allow you to exclude the SpectorSoft signature or "risk name" during scans. The package must list SpectorSoft products as a possible risk that you can exclude; or SpectorSoft software must have already been detected as a "risk," as described below.
Add all SpectorSoft filenames to a whitelist. Nearly all antivirus / anti-spyware packages allow you to specify files to exclude from scans. By adding all installed Client and Server file names to a whitelist, you can ensure the antivirus software will bypass these files in subsequent scans and not remove or quarantine them. To do this, you must install the Spector Client using fixed filenames as described below.

These steps are ONLY necessary if the Client or a Spector 360 service is being detected!

Excluding by Risk Name (Signature)

The advantage of this method is that it allows all SpectorSoft components; you do not have to install the Client using fixed filenames or list specific SpectorSoft files anywhere, which preserves stealth. The disadvantage of this method is that you may need to update the antivirus configuration as the software updates its "risk names."

To exclude by risk name:

Simply go into the antivirus software settings and select the SpectorSoft risk name (representing the signature) from the vendor's provided list to be excluded from future antivirus scans. Instructions for preventing detection by the following packages are provided in the Spector 360 Knowledge Base.

Vendor	Antivirus	Risk Name
Symantec	AntiVirus 10.0x Client	Remacc.Spector
Symantec	Antivirus 10.0x Server	Spyware.Eblaster, Spyware.Spector
McAfee	Managed VirusScan	Spector
McAfee	Enterprise Edition 8.0i	Spyware-eBlaster
Spyware Doctor	Spyware Doctor	Spector Pro Keylogger, eBlaster
Sunbelt	CounterSpy	eBlaster, Spector
Trend Micro	OfficeScan	SPYW_SPECTOR.A, SPYW_SPECTOR.B

If your antivirus software does not list SpectorSoft in its list of risk names, and you prefer this method over creating a whitelist of all Spector 360 filenames, you can obtain the risk name by allowing the Client (or Servers) to be detected. Follow these procedures to exclude the SpectorSoft risk name.

Install a single "dummy" Client. If you're using managed server-side antivirus package, install the dummy on another computer on the network. Note that you may have to turn off scanning while completing the installation.
Wait for the antivirus software to detect the Client.
Use the antivirus detection information to exclude the Client risk name from future scans.
Install the Client on network computers (you may have to turn off scanning again while you do this). When re-enabled, the antivirus software will now ignore the Client files it previously discovered on the "dummy" Client.

Keep in mind that a savvy user who is able to access and read the antivirus exclusionary list may figure out the Client is recording activities on his or her computer.

Excluding Spector 360 Client and Server Filenames

The advantage of excluding specific files from scans is that even if the antivirus software updates or changes its "risk names," the Client and other components will not be detected. Once this is done, you do not have to change the antivirus risk exclusion or update the Clients. The disadvantage of this method is that all Clients will use the same installed file names, sacrificing an element of stealth.

Even though the Client filenames are cryptic and not stored in an obvious location, a savvy user with access to the antivirus "whitelist" and Admin permissions may be able to locate and remove the Client files. If this is a concern, do not use fixed filenames.

To exclude Client detection by filename:

Open the Control Center.
Use the Deployment Utility to build a Client Install file.
- Select Manage Computers in the left pane.
- Open the Action menu and select Deployment Utility.
- Follow the instructions in the Spector Client Deploy Utility wizard
When you arrive at the final panel in the Deployment Utility wizard, check the Use Fixed Filenames option. Click OK and complete the wizard.

Add the Client fixed filenames (listed below) to be excluded or ignored in the antivirus software settings. If you are concerned about detection of Spector 360 Servers, add those filenames as well. Refer to the Spector 360 Knowledge Base for instructions on creating a whitelist in Symantec, McAfee, and other antivirus / anti-spyware programs.
Finally, install the Client on computers, selecting the Client Install file you just built that uses fixed filenames.

If the Client was already installed using random filenames, the Client Service will retain its previous, random name. You will need to uninstall the Client before reinstalling with fixed filenames.

The filenames for the Client, the 64-bit Client and the Server software are listed below. If you are concerned about servers, you may want to exclude the entire folder \..\SpectorSoft\* from scanning rather than list all files. Be sure to include every Client file in the whitelist.

Client Files

64-bit Client Files

Server Filenames

C:\temp\SPsetup.exe

C:\...\SYSTEM32

cmproxfr.dll

nmcpusym.dll

secadtr.dll

SPClientSVC????.exe

sgvrfy32.exe

svrltwp.dll

svrlser.dll

svrltmgr.dll

vdorctrl.dll

wshvtx.exe

wzodlg32.dll

C:\...\SYSTEM32\drivers*

vdorctrl.sys

C:\temp\SPsetup.exe

C:\...\SYSTEM32

cmproxfr.dll

nmcpusym.dll

sgvrfy32.exe

SPClientSVC????.exe

svrltwp.dll

svrltmgr.dll

vdorctrl.dll

C:\...\SYSTEM32\drivers*

vdorctrl.sys

C:\...\SysWOW64

mxcrsc32.exe

nmcpusym.dll

secadtr.dll

svrlser.dll

svrltmgr.dll

svrltwp.dll

wshvtx.exe

wzodlg32.dll

C:\...\SYSTEM32

SPLicenseManager.exe

SPWebFilterSvr.exe

SPDataServer.exe

CNESvrMgr.exe

CNECDLL3.dll

CNECDLL4.dll

CENotify.dll

msocxushell.dll

C:\...\SpectorSoft\Spector 360

Admin.exe

CEAdmin.cfg

CEAdmin.dll

CEAdminExt.dll

CEAdminRT.log

CENotify.dll

CESetup.exe

CNECommDll.dll

CNESvrMgr.exe

ControlCenterXP.msc

DeploymentGuide.chm

ExportCtl2.dll

FileToSql.exe

msnwcfg.ini

MSVxRsc.dll

NetConfig.xml

PostRead360.htm

Read360.htm

Settings.ini

SPCEAdminSvc.exe

SPCEAdminSvc.log

SPDataServer.exe

SPDataServer.log

SpectorCNE.chm

SPLicenseManager.exe

SPLicenseManager.log

SPSetup.exe

spsetup_Settings.sds

SPUninst.exe

SPUninst64.exe

SPWebFilterSvr.exe

SPWebFilterSvr.log

VersionInfo.txt

[Other files that you create:]

*.XML

*.SDS

*.INI

C:\Program Files\SpectorSoft\Setup:

<DIR> 360DotNet

<DIR> Cne

FileManipCommon.dll

FileManipDriver.exe

FileManipDriver.exe.config

FileToSql.cmp

license.txt

msdesetup.log

msvcr71.dll

msxml6_x86.msi

osql.exe

SACSDataVault.sql.log

SACSSqlAgent.sql.log

SACSSqlServer.sql.log

setup.exe

setup.ini

setup.rll

spctrdb_CreateAddLoginTest.sql

spctrdb_CreateAddLoginTest.sql.log

SPCTR_ADMIN_Data.cmp

SPCTR_ADMIN_Log.cmp

SPCTR_CUST_Data.cmp

SPCTR_CUST_Log.cmp

SPCTR_DB_CreateNewSPs.sql

SPCTR_DB_CreateNewSPs.sql.log

SPCTR_DB_Install.sql

SPCTR_DB_InstalX.sql

SPCTR_DB_InstalX.sql.log

SPCTR_DB_Preupgrade.sql

SPCTR_DB_ProductInfo.sql

SPCTR_DB_ProductInfo.sql.log

SPCTR_DB_Settings.sql

SPCTR_DB_Settings.sql.log

SPCTR_DB_TestConnect.sql

SPCTR_DB_TestConnect.sql.log

SPCTR_DB_TestLogin.sql

SPCTR_DB_Uninstall.sql

SPCTR_DB_Uninstall.sql.log

SPCTR_DB_Upgrade.sql

SPCTR_DB_UpgradeFrom2000.sql

SPCTR_DB_UpgradeFrom2000.sql.log

SPCTR_DB_UpgradeFrom2K_step2.sql.log

SPCTR_DB_UpgradeFrom2K_step3.sql

SPCTR_DB_UpgradeFrom2K_step4.sql.log

SPCTR_DB_UpgradeFrom2K_step5.sql

SPCTR_DB_UpgradeFrom2K_step5.sql.log

SPCTR_DB_UpgradeFrom2K_stepX.sql

SPCTR_DB_UpgradeFrom2K_stepX.sql.log

Spector360SqlAgent.msi

SpectorSoft.Spector360.SqlAgentService. SqlAgentInterface.cmp

SpectorSoft.Spector360.SQLCLR.cmp

sqdedev.dll

SQLEXPR.EXE

sqlresld.dll

SqlRun.cab

SqlRun01.msi

sqlsut.dll

sqlunirl.dll

usp_Migration_Detach2KDBs.sql

usp_Migration_Detach2KDBs.sql.log

VersionInfo.txt

VersionInfo.txtX

WFSCategories.cmp

* Only installed on Vista/Server 2008 machines

???? Replace with the 4-digit Client Recorder Version number being installed or, if possible, use wildcards. This is a temporary file created for "fresh" installations (not updates) and will change as the Client version changes.