VMWARE / VDI malware Protection Symantec, Trend and Mcafee

by butsch 24. February 2015 21:21

Symantec Endpoint Protection still has no agentless virus scan version like Trend or McAfee with MOVE. Those use the vShield API from VMware and need no software running directly in the VM. (http://www.vmware.com/pdf/vshield_55_admin.pdf)

BUT tests have shown that even with the agent in the VM/VDI, Symantec SEP 12.x is faster in daily tracking, stable status and scanning, and only slow while the machine does its virus pattern update once a day.

Keep in mind that most antivirus vendors only update the main definitions once a day (McAfee at 17:00 CET); the rest is GTI / 0-day releases on all three.

So even with the agent in VDI machines you get, as a rule of thumb, equal or even better performance.

Also keep in mind that antivirus APIs like the one from Microsoft have been the source of a lot of trouble, false events and fights in the last few years. You can decide whether you want that between:

  1. your antivirus producer and Microsoft

    OR

  2. your antivirus producer and VMware

Also worth mentioning here is a hypervisor-based solution, which mixes things up again.

The problem in general may no longer be so relevant, since NetApp and all the new companies coming out with flash/SSD storage try to solve it on the storage side.

Gartner Magic Quadrant

http://blogs.antivirussales.ca/en/blog/gartner-magic-quadrant-for-endpoint-protection-platforms/

Mentioned products in terms of VM in those articles:

MCAFEE:

McAfee's Management for Optimized Virtual Environments (MOVE) has offered optimized anti-malware scanning in virtualized environments for two years, and now MOVE 2.5 offers agentless anti-malware scanning in VMware environments using native vShield API integration.

Symantec:

Symantec does not yet offer an "agentless" version for optimizing anti-malware scanning in virtualized environments (although its shared Insight cache feature can be used to improve performance).

2012 Symantec SEP 12.1 and Mcafee MOVE under VMware 5.X

http://www.acmehk.net/report_download/Tolly212130SymantecSEP12dot1VMwareAVPerformance.pdf

2012 Symantec SEP 12.1 and Trend

http://www.symantec.com/connect/sites/default/files/Tolly212117SymantecSEP12_TRendDS8_VMwareAVPerformance.pdf

Back in 2011 Trend was faster

2011 Symantec SEP 11, Trend and Mcafee

http://www.trendmicro.com/cloud-content/us/pdfs/business/reports/rpt_test_deep-security-7.5-vs-mcafee-and-symantec_tolly.pdf

 

Tags:

APPV | Mcafee ENS, EPO, DLP, TIE, ATD, VSE, MSME | VMWare

APP-V: Debug App-V Environment from package

by butsch 8. December 2013 17:08

 

On an App-V client, create a shortcut on the desktop to the existing App-V application you would like to debug.

 

Open the properties of the shortcut and change the TARGET as marked: insert

/EXE cmd.exe

between

sfttray.exe"

and

/launch

Existing Target:

"C:\Program Files\Microsoft Application Virtualization Client\sfttray.exe" /launch "LeechFTP 1.3.1.202"

New target for the command line box (changes in red):

"C:\Program Files\Microsoft Application Virtualization Client\sfttray.exe" /exe cmd.exe /launch "LeechFTP 1.3.1.202"

If you open that Link now you are inside the Bubble and are able to check code, Path or Registry Keys.
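The shortcut edit above, done by script instead of by hand. This is an added example and not code from the original post: it reads the existing App-V shortcut, refuses anything that is not an sfttray.exe /launch shortcut, and writes a second .lnk with "/exe cmd.exe" inserted before "/launch". The two .lnk paths are assumptions; adapt them.

```powershell
# Added example (not from the original post): build a debug copy of an
# App-V 4.x shortcut. Original target:
#   "...\sfttray.exe" /launch "LeechFTP 1.3.1.202"
# Debug copy gets "/exe cmd.exe" inserted before "/launch", so opening it
# starts a cmd.exe inside the application's bubble (same Q: drive, same
# virtual registry) instead of the application itself.
# Assumption: both .lnk paths below are placeholders.
param(
    [string]$SourceLnk = "$env:USERPROFILE\Desktop\LeechFTP 1.3.1.202.lnk",
    [string]$DebugLnk  = "$env:USERPROFILE\Desktop\DEBUG LeechFTP.lnk"
)

$wsh = New-Object -ComObject WScript.Shell
$src = $wsh.CreateShortcut($SourceLnk)   # CreateShortcut on an existing .lnk loads it

# Only touch real App-V launch shortcuts; anything else is left alone.
if ($src.TargetPath -notmatch '\\sfttray\.exe$') {
    throw "Not an App-V sfttray.exe shortcut: '$($src.TargetPath)'"
}
if ($src.Arguments -notmatch '(?i)/launch\s') {
    throw "Shortcut has no /launch argument: '$($src.Arguments)'"
}
if ($src.Arguments -match '(?i)/exe\s') {
    throw "Shortcut already carries an /exe switch: '$($src.Arguments)'"
}

$dbg = $wsh.CreateShortcut($DebugLnk)
$dbg.TargetPath       = $src.TargetPath
$dbg.WorkingDirectory = $src.WorkingDirectory
$dbg.IconLocation     = $src.IconLocation
# Result: /exe cmd.exe /launch "LeechFTP 1.3.1.202"
$dbg.Arguments        = '/exe cmd.exe ' + $src.Arguments
$dbg.Save()

Write-Host "Debug shortcut written: $DebugLnk"
Write-Host "Target: `"$($dbg.TargetPath)`" $($dbg.Arguments)"
```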


Here is how to check what may be wrong inside the bubble.

Download PROCMON.EXE and PROCEXP.EXE from Microsoft TechNet / Sysinternals and copy them to the client.

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

 

If you want to debug as a domain user without special rights (why is it slow as a user but not as administrator?), you may have to run procmon.exe with RUNAS. Be sure to use /noprofile, otherwise the monitor will see different data.

Exclude the processes you don't need to see, like vmware, virus protection, winlogon, Windows services etc.


You want to check the virtual EXE itself:

Example: GIMP-2.6.exe

Also check the App-V processes themselves:

SFTLIST.EXE

SFTTRAY.EXE

Check whether they try to write, open or change files on the Q: drive that the logged-on user may not have access to.

If you found the file which the process has no change permission for, open the App-V package.

Example file that made problems: users30.mpm

Change the sequencer file type from "Application Data" to "User Data" and redo the package.

Tags:

APPV | Client Management | Deployment

Microsoft APPV package Recipe for Irfanview 4.x

by butsch 16. May 2013 16:43

16.05.2013, Version 4.3X, Sequence Irfanview for Windows 7 64BIT

  1. Download all Binaries from the Website www.irfanview.com
  2. Download the Plugins you want
  3. Download the Language files you want

Start sequencing on your clean machine.

  1. Install Irfanview to the Path q:\irfan.001
  2. Copy over the Plugins and the language Files to the correct paths

Place the language files in:

Place the plugins in:

Path used:

Q:\irfan.001

Path for Plugins:

Q:\irfan.001\Irfanview\plugins (Copy the Plugin .DLL into this path)

Without registering the DLLs the package will run as "Local Admin" or "Domain Admin" but NOT as a regular user. For example, if you open a PostScript EPS file or press the button under Options / Plugins you may receive an error. To prevent this, run the following commands during sequencing and also press the plugin buttons mentioned in "Picture 2" below once, to make sure the software loads all components. Please adapt your package path (irfan.001).

 

regsvr32.exe /s Q:\irfan.001\Plugins\8BF_Filters.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Ansi2Unicode.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Awd.dll
regsvr32.exe /s Q:\irfan.001\Plugins\B3d.dll
regsvr32.exe /s Q:\irfan.001\Plugins\BabaCAD4Image.dll
regsvr32.exe /s Q:\irfan.001\Plugins\CADImage.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Crw.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Dicom.dll
regsvr32.exe /s Q:\irfan.001\Plugins\DjVu.dll
regsvr32.exe /s Q:\irfan.001\Plugins\EAFSH.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Ecw.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Effects.dll
regsvr32.exe /s Q:\irfan.001\Plugins\EMail.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Exif.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Exr.dll
regsvr32.exe /s Q:\irfan.001\Plugins\FFactory.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Flash.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Flash4.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Formats.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Fpx.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Ftp.dll
regsvr32.exe /s Q:\irfan.001\Plugins\FUNLTDIV.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Hdp.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Ics.dll
regsvr32.exe /s Q:\irfan.001\Plugins\ImPDF.dll
regsvr32.exe /s Q:\irfan.001\Plugins\IPTC.dll
regsvr32.exe /s Q:\irfan.001\Plugins\JPEG2000.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Jpg_transform.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Jpm.dll
regsvr32.exe /s Q:\irfan.001\Plugins\KDC120.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Lcms.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Ldf.dll
regsvr32.exe /s Q:\irfan.001\Plugins\LogoManager.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Lwf.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Med.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Mng.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Mp3.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Mpg.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Mrc.dll
regsvr32.exe /s Q:\irfan.001\Plugins\MrSID.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Nero.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Paint.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Photocd.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Pngout.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Postscript.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Quicktime.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Ra_player.dll
regsvr32.exe /s Q:\irfan.001\Plugins\RegionCapture.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Sff.dll
regsvr32.exe /s Q:\irfan.001\Plugins\SoundPlayer.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Video.dll

 
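The same registration step as a loop with a result list, added here as an example and not part of the original recipe: it runs regsvr32 /s over every DLL in the plugin folder and reports which ones did not register, which the one-line-per-DLL list above cannot tell you. The plugin path is the one used in this recipe; adapt it to your package.

```powershell
# Added example (not from the original post): register every plugin DLL of
# the sequenced package in one go and report what failed. Run it on the
# sequencer while the package is being monitored, then press the plugin
# buttons as described in the recipe.
# Assumption: $PluginDir is the path from this recipe; adapt it.
param([string]$PluginDir = 'Q:\irfan.001\Plugins')

if (-not (Test-Path -LiteralPath $PluginDir)) {
    throw "Plugin directory not found: $PluginDir"
}

$results = foreach ($dll in Get-ChildItem -LiteralPath $PluginDir -Filter *.dll) {
    # /s keeps regsvr32 silent; the exit code still says whether
    # DllRegisterServer ran (0) or the DLL could not be registered (non-zero).
    $p = Start-Process -FilePath 'regsvr32.exe' `
                       -ArgumentList @('/s', "`"$($dll.FullName)`"") `
                       -Wait -PassThru -WindowStyle Hidden
    [pscustomobject]@{ Dll = $dll.Name; ExitCode = $p.ExitCode }
}

$failed = @($results | Where-Object { $_.ExitCode -ne 0 })
Write-Host ("{0} DLLs processed, {1} registered, {2} failed" -f `
    @($results).Count, (@($results).Count - $failed.Count), $failed.Count)

# A non-zero code means the DLL exports no DllRegisterServer or registration
# failed; check the entries for the plugins you actually use (e.g. Postscript.dll).
$failed | Format-Table -AutoSize
```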

Starting with version 4.3x, Irfanview also comes with "adware": Google Toolbar and Chrome offers. The author suppresses the popups until a certain date. Here is how to get rid of it:

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\No Chrome Offer Until]

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\No Toolbar Offer Until]

 

Change that value to some date in the future, e.g. from "20130914" to "20200101" (year 2020).

 

Picture 2

Also, during sequencing, press the buttons below once and see whether everything works as it should:


Tags:

APPV | Deployment

APPV How to call a script/batch FROM within the APPV bubble

by butsch 6. May 2013 21:17

Insert the following text as an example into the Filename.OSD to run a script from within the App-V package.

After: </IMPLEMENTATION>

<DEPENDENCY>
  <CLIENTVERSION VERSION="4.6.0.0"/>
  <SCRIPT EVENT="LAUNCH" TIMING="PRE" TIMEOUT="0" PROTECT="TRUE" ABORTRESULT="-1" SUCCESSRESULT="1" EXTERN="TRUE">
    <SCRIPTBODY>@call \\\\apv01\\scripts$\\pabs\\check.cmd \n </SCRIPTBODY>
    <SCRIPTBODY>if exist "C:\Program Files (x86)\Pabsnet\pabs.exe" (exit 0) else exit 1 </SCRIPTBODY>
  </SCRIPT>
</DEPENDENCY>
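The insertion above done by script, as an added example that is not part of the original post: it appends the DEPENDENCY block with the @call line directly after IMPLEMENTATION and takes care of the SCRIPTBODY escaping (doubled backslashes, line break written as the two characters "\n"), which is why the UNC path in the post looks doubled. The OSD file path is an assumption; the check.cmd path is the one from the post.

```powershell
# Added example (not from the original post): append the PRE-LAUNCH script
# dependency to an App-V 4.x OSD file, right after </IMPLEMENTATION>.
# SCRIPTBODY text is its own mini-format inside the XML: every backslash is
# written twice and a line break is the literal two characters "\n".
# Assumptions: $OsdPath is a placeholder; $CheckCmd is the path from the post.
param(
    [string]$OsdPath  = 'C:\Content\pabs.001\Filename.OSD',
    [string]$CheckCmd = '\\apv01\scripts$\pabs\check.cmd'
)

function ConvertTo-OsdScriptBody([string[]]$Lines) {
    # "\" -> "\\", and each line terminated with a literal \n
    return (($Lines | ForEach-Object { $_.Replace('\', '\\') + ' \n' }) -join ' ')
}

[xml]$osd = Get-Content -LiteralPath $OsdPath -Raw
$root = $osd.DocumentElement                       # <SOFTPKG ...>
$impl = $root.SelectSingleNode('IMPLEMENTATION')
if (-not $impl) { throw "No <IMPLEMENTATION> element in $OsdPath" }
if ($root.SelectSingleNode('DEPENDENCY/SCRIPT[@EVENT="LAUNCH"][@TIMING="PRE"]')) {
    throw "OSD already has a PRE LAUNCH script; refusing to add a second one"
}

$dep = $osd.CreateElement('DEPENDENCY')
$cv  = $osd.CreateElement('CLIENTVERSION')
$cv.SetAttribute('VERSION', '4.6.0.0')
[void]$dep.AppendChild($cv)

$script = $osd.CreateElement('SCRIPT')
$attrs = [ordered]@{ EVENT = 'LAUNCH'; TIMING = 'PRE'; TIMEOUT = '0'; PROTECT = 'TRUE'
                     ABORTRESULT = '-1'; SUCCESSRESULT = '1'; EXTERN = 'TRUE' }
foreach ($a in $attrs.GetEnumerator()) { $script.SetAttribute($a.Key, $a.Value) }

$body = $osd.CreateElement('SCRIPTBODY')
$body.InnerText = ConvertTo-OsdScriptBody @("@call $CheckCmd")
# -> @call \\\\apv01\\scripts$\\pabs\\check.cmd \n
[void]$script.AppendChild($body)
[void]$dep.AppendChild($script)

[void]$root.InsertAfter($dep, $impl)               # lands right after </IMPLEMENTATION>
Copy-Item -LiteralPath $OsdPath -Destination "$OsdPath.bak" -Force
$osd.Save($OsdPath)
Write-Host "Added SCRIPTBODY:" $body.InnerText
```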


Tags:

APPV

Clear identical APPV packages out of client cache (Worst case)

by butsch 14. March 2013 19:28

To make this easy, if you don't like it complicated, run the following commands under elevated permissions (local admin) on the client:

Clear all applications from the APPV Cache

sftmime.exe remove obj:app /global /complete

SFTMIME DELETE OBJ:APP /GLOBAL

https://technet.microsoft.com/en-us/library/cc817205.aspx

 

If you want to know more:

 

  1. If you do what you should not do and build the same package under the same name, and have to integrate it UNDER the same path, App-V does not like that. Here is a way to delete the package.
  2. This does not include or use the Update feature. You get the "vlc.001" from an external party or affiliate in a new version and it has the same directory name as your old version.

Good

Old: Vlc.001

New: Vlc.002

 

Bad

Old: vlc.001

New: vlc.001 (Different Binaries)

  1. Note down the GUID of the old package you remove (DAD9A7A7-2BAF-4934-A704-A075286F3F66)
  2. Delete the package from "Applications" or whatever your root is called
  3. Delete the package from "Packages"
  4. Back up the directory from content to a safe place
  5. Delete the specific directory
  6. Copy over the new vlc.001 to content
  7. Import it in the console as normal
  8. On the client run the following script with the correct GUID of the OLD! package

This kills the App-V client cache, and all App-V packages that the user is currently using close!

net stop sftlist
net stop "Application Virtualization Client"
net stop "Application Virtualization Service Agent"
del "C:\ProgramData\Microsoft\Application Virtualization Client\SoftGrid Client\OSD Cache\DAD9A7A7-2BAF-4934-A704-A075286F3F66.osd" /Q /F
net start sftlist
net start "Application Virtualization Client"
net start "Application Virtualization Service Agent"

************************************************************************************************

List all applications that the client has:

SFTMIME QUERY OBJ:PACKAGE

https://technet.microsoft.com/en-us/library/cc843749.aspx

 

Clear a single application from the cache (needs administrator rights)

1) SFTMIME UNLOAD APP:"VLC"

2) SFTMIME REMOVE APP:"VLC" /COMPLETE

3) SFTMIME REFRESH SERVER:YOURAPPSERVERHERE

4) SFTMIME LOAD APP:"VLC"


if Exist "c:\Program Files\Microsoft Application Virtualization Client\SFTMIME.com" "c:\Program Files\Microsoft Application Virtualization Client\SFTMIME.EXE" UNLOAD APP:"VLC"
if Exist "C:\Program Files (x86)\Microsoft Application Virtualization Client\SFTMIME.com" "C:\Program Files (x86)\Microsoft Application Virtualization Client\SFTMIME.EXE" UNLOAD APP:"VLC"

if Exist "c:\Program Files\Microsoft Application Virtualization Client\SFTMIME.com" "c:\Program Files\Microsoft Application Virtualization Client\SFTMIME.EXE" REMOVE APP:"VLC" /COMPLETE
if Exist "C:\Program Files (x86)\Microsoft Application Virtualization Client\SFTMIME.com" "C:\Program Files (x86)\Microsoft Application Virtualization Client\SFTMIME.EXE" REMOVE APP:"VLC" /COMPLETE

REM replace YOURAPPSERVERHERE with your App-V management server
if Exist "c:\Program Files\Microsoft Application Virtualization Client\SFTMIME.com" "c:\Program Files\Microsoft Application Virtualization Client\SFTMIME.exe" REFRESH SERVER:YOURAPPSERVERHERE
if Exist "C:\Program Files (x86)\Microsoft Application Virtualization Client\SFTMIME.com" "C:\Program Files (x86)\Microsoft Application Virtualization Client\SFTMIME.exe" REFRESH SERVER:YOURAPPSERVERHERE

if Exist "c:\Program Files\Microsoft Application Virtualization Client\SFTMIME.com" "c:\Program Files\Microsoft Application Virtualization Client\SFTMIME.EXE" LOAD APP:"VLC"
if Exist "C:\Program Files (x86)\Microsoft Application Virtualization Client\SFTMIME.com" "C:\Program Files (x86)\Microsoft Application Virtualization Client\SFTMIME.EXE" LOAD APP:"VLC"

There may be a problem if the user still has the package open or parts of it are open (child process). In that case the only solution we know is to kill the App-V client as in the batch mentioned at the top.

************************************************************************************************

Further reading:

http://blogs.msdn.com/b/chinmay_palei/archive/2012/05/14/appv-troubleshooting-demysitfied.aspx
http://blogs.technet.com/b/appv/archive/2007/11/14/softgrid-operations-guide-part-2.aspx
http://esense.be/33/tag/sftmime/

Tags:

Client Management | Deployment | APPV

APPV: How to identify Microsoft Office 2010 Deployment Kit for App-V

by butsch 29. August 2012 18:02

How to identify the Microsoft Office 2010 Deployment Kit for App-V. This is useful if you have App-V packages for Visio or Project.

Before you can run those, you need to pre-install the Microsoft Office 2010 Deployment Kit for App-V with your software deployment.

The App-V packages should not show up before the base software is installed.

 

Here are some flags to check from the MSI package: OffVirt.msi, Version: 14.0.4763.1000

Tags:

APPV | Deployment

WIN7/GPO: Offline Files, Transparent Caching

by butsch 22. August 2012 21:05

 

Suddenly you have 30 GB of Offline Files on laptops under Windows 7? Someone may have set the new Server 2008 R2 / Windows 7 option "Transparent Caching" in a GPO. This caches the most used files IF the LAN/WAN link is ever slow.

You have to strictly handle this per drive or share and disable "Offline" there. Otherwise Windows 7 will cache those files automatically, as it sees fit, via its Offline Files mechanism, and you can't disable, handle or turn off those syncs.

 

By default this option is disabled. People often think they get better performance, which they do, but in the end they run into large trouble with sync issues. The day home workers come BACK into the office with this option on, you are in a mess.

 

This is how the offline status looks, and you wonder why certain files are there. Maybe you even think it has something to do with App-V, since some icons used by App-V from shares are listed ;-)

 

Transparent caching is disabled by default. To enable it, use Group Policy, as shown below.

  1. Use the Group Policy Management console to open the Group Policy Object that will be used to set the policy. Make sure it's linked to the OU/site/domain that contains the clients that should use transparent caching.
  2. Navigate to Computer Configuration, Policies, Administrative Templates, Network, Offline Files.
  3. Double-click Enable Transparent Caching.
  4. Set it to Enabled and set the network latency that will be considered a slow connection. When the system experiences that much latency, it will use transparent caching.
  5. Click OK.
  6. Refresh Group Policy on the machines.

 

Links:

http://technet.microsoft.com/en-us/library/ff633429(WS.10).aspx

http://blogs.technet.com/b/netro/archive/2010/04/09/how-the-synchronization-in-windows-7-offline-files-works.aspx

http://technet.microsoft.com/en-us/library/dd637828(WS.10).aspx


Tags:

APPV | Deployment

APPV: Win7/UAC Warning "Requested Operation Requires Elevation"

by butsch 13. July 2012 03:26

Error code: 4615186-18401f2c-000002e4


Open the OSD File and insert:

__COMPAT_LAYER=RunAsInvoker
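Where that line belongs in the OSD, as an added example that is not from the original post: environment variables for the virtual application go into the ENVLIST section under VIRTUALENV inside IMPLEMENTATION. The package GUID, name and version are placeholders, and the other OSD elements of a real package are left out.

```xml
<SOFTPKG GUID="00000000-0000-0000-0000-000000000000" NAME="Your App" VERSION="1.0">
  <IMPLEMENTATION>
    <VIRTUALENV>
      <ENVLIST>
        <!-- app-compat shim: run with the caller's token, no elevation prompt -->
        <ENVIRONMENT VARIABLE="__COMPAT_LAYER">RunAsInvoker</ENVIRONMENT>
      </ENVLIST>
    </VIRTUALENV>
  </IMPLEMENTATION>
</SOFTPKG>
```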

 

  • The RunAsInvoker compatibility fix should be considered as a possible resolution if the application prompts for elevation, but can also run successfully as a Standard User. I think there is no security breach if RunAsInvoker shim is applied to applications.

    The RunAsAdmin compatibility fix causes an application to require administrator privileges. If you use this shim, you need to provide admin rights to all users who use the application.

     

    Using the RunAsInvoker Fix:
    http://technet.microsoft.com/en-us/library/dd638389(v=ws.10).aspx

    Using the RunAsAdmin Fix:
    http://technet.microsoft.com/en-us/library/dd638315(v=ws.10).aspx

Tags:

APPV | Deployment

You think VDI is the solution?

by butsch 18. June 2012 21:05

You think VDI is the solution? Here is what the authors linked below and others found out:

VDI solutions in 2011/2012 cost two times (x2) more than regular deployment or Terminal Services.

Boot storm? Yes, go ahead! Buy two new storage shelves and a storage virtualisation layer which dynamically handles your storage for such cases (split between SSDs and regular 15,000 rpm disks).

 

You think XEN is cheaper than VMware View? You need additional software to get it running smoothly.

http://www.gridcentric.com/docs/Gridcentric-VDI-whitepaper-2012-05.pdf

http://www.amazon.com/The-VDI-Delusion-Virtualization-ebook/dp/B007MWG378

 

For many years we’ve been hearing that the future of the desktop is going to be VDI. Clearly that hasn’t happened. Server virtualization has been wildly successful, so why not VDI and desktop virtualization?

VDI vendors made a lot of wild promises in the mid-2000s. Some of them were true, some were a stretch, and some were just plain misleading. The VDI Delusion digs into these claims, taking a technical look at some of the common myths around desktop virtualization. It also examines practical reasons why many VDI pilots and proofs of concept fail to go full scale or just plain fail completely.

Of course there are many good reasons to use VDI, which are also covered in this book. Brian, Gabe, and Jack aren’t actually VDI haters—they just don't like it when it’s used inappropriately. They outline practical, concrete reasons for using VDI and other server-based computing solutions in addition to all the poor reasons people try and fail.

Tags:

APPV | Client Management | WSUS

APPV SFT-Server.log Growing and Growing with default 3

by butsch 20. July 2011 03:14

Description: Stores messages from the SoftGrid Virtual Application Server.
Path: %ProgramFiles%\Softricity\SoftGrid Server\logs

Note: In App-V 4.5 the directory is now called "Microsoft System Center App Virt Management Server\App Virt Management Server", not Softricity\SoftGrid Server. For more information see 930871.

The logging level for the Application Virtualization Management Server can be changed in the registry at:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SOFTGRID\4.5\SERVER\SOFTGRID_LOG_LEVEL

The logging levels are outlined below:

• 0: Transactions
• 1: Fatal Errors
• 2: Errors
• 3: Warnings
• 4: Informational
• 5: Debug (Verbose)

The default is 3:

Tags:

APPV
