Showing results for 
Search instead for 
Did you mean: 
Create Post
Level 14

Anyone seen Symantec's anti-virus updates replace the NIC driver with their new TEEFER2 NIC driver?

Jump to solution

We're having issues with anti-virus updates where it replaces the local system's NIC driver with their own.

It generates this error into the Orion Events console and makes it look like the node has lost SNMP by putting it into an Unknown state:

Mynodename Broadcom NetXtreme Gigabit Ethernet- Interface Polling stopped. Could not remap interface. Check ifDescription change.

The fix turns out I have to Node Admin to the node, delete interfaces, re-discover, re-poll etc to get it back right.

Has anyone else been seeing this or have a 'permanent' fix they can offer?


It's called the TEEFER2

The Teefer2 driver is responsible for capturing all network traffic entering or leaving a particular interface so that the packets may be passed to the personal firewall component of the SEP 11.0 client for analysis.
The Teefer2 driver works, in tandem with its associated miniport driver.
The Teefer2 driver runs in kernel mode, and passes information over to the teefer.dll for user mode operations.
Since all in- and outbound traffic is filtered through this driver, firewall rules are applied to all traffic passing through it.

Please note that it is not possible to disable the Teefer2 driver without removing SEP 11's firewall component.

0 Kudos
1 Solution
Level 13


This is a change we recently put in for 10.0.  What has happened is that your interface has changed both ifDescription and ifIndex.  Hence, when we go to try and remap the interface on the rediscovery interval we don't find a match in the database.  If an interface changes both its index and name, we consider this a new or different interface.  This new event is to tell you of this situation and have you take action.

Most likely your interface has gone into the Unknown status as we no longer are gathering statistics and status for it.

The quick work around is to remove the Unknown interface and add in the newly named/indexed interface.  But with that you lose your history.  To keep your history you have to be a little more brave and update the database directly.

Steps for this:

1. Be brave... backup your database.

2. Stop NetPerfMon service

3. Checking the interface index and interface description match:

a.       SELECT InterfaceID, NodeID, InterfaceName, InterfaceIndex FROM
Interfaces WHERE NodeID = <MyBadNode>

b.      Walk the IF MIB on the device using the SNMP MIB Browser.
Compare the ifIndex with the InterfaceIndex in the table.  Compare the ifDescription with the InterfaceName in the database.  Both should be an exact match.

4. Update your Interfaces table with the actual values

5. Restart your standard poller (NetPerfMon Service)

Let me know if you have any questions.


View solution in original post

0 Kudos
13 Replies