Configuring Virus Checkers

Match-IT is a huge system and the probability of false positives from virus checkers is high.  When this happens it can cause massive delays while it is resolved.  All our files are digitally signed with a “code signing” licence that we have to jump through hoops and pay a high price to obtain; but virus checkers still attack our files with false positives.

When our programs start they rigorously self-check both their digital signatures and verify a pre-computed checksum. Any alteration to a Match-IT file will be detected and Match-IT will refuse to run: It it is safe to exempt our files form your AV.  It is safe to exempt us.

While we do run our files through two virus checkers (Clamwin and Windows Defender) before uploading to the website, a change to your virus checker signature list (they typically update daily) may then detect new false positives.  We have absolutely no way at all to counter this other than folder exemption.  A good example happened on June 12th 2019 when Windows Defender on some sites (not all and not here) started attacking a file of ours that has not changed since 2015!

The following folders must be exempted in your virus checker(s) and Windows Defender if you allow it to run in parallel with your virus checker (often the case and in our experience often not realised).

Even if you are not getting false positives we highly recommend that you follow the procedure below for performance reasons.

Server

Assuming Match-IT is installed into c:\match_it you need to exempt:-

  • c:\match_it (if you have more than one install, do this for all of them)
  • c:\programdata\match_it

Workstations

Only applicable if you are running Match-IT across the network (i.e. not using terminal services).

It is absolutely essential that workstation exemptions are in place otherwise you will get all workstations checking the same files on the server which can result in data corruptions and performance issues.  You need to exempt:-

  • Any mapped drives that point at or contain Match-IT.  The server will be checking the destination of the mapped drive so having workstations duplicate that effort just negatively affects performance.  e.g. M:
  • The UNC path to Match-IT; e.g. \\myserver\match_it
  • Like the server, you must also exempt the local c:\programdata\match_it

Your IT company usually configure all this remotely with a global policy which means the workstations do not need to be done individually.

If you are unsure if the Match-IT exemptions are in place, please point your IT company at this article and ask them to check.

We also strongly recommend not using mapped drives; as they can be very slow.

Always use a UNC path as the target in the Match-IT shortcut.

Managed anti-virus programs often have alerts to the user turned off, so all the user will see is a problem with Match-IT.  Typical symptoms are Windows saying that the shortcut target has disappeared and strange access denied errors.  If you see anything  like this, call us but also please point your IT company at this article and ask them to check configuration.  Often a new PC can creep in under the radar or it has a free trial AV installed that needs to be removed. Problems can persist after exemption because of the quarantined files and your IT company may need to resolve that as well.

Current known threats

13/06/19 – Bit defender (and custom branded managed versions) is attacking sys/match_go.exe and sys/match_ix.dll.

13/06/19 – Windows defender is attacking sys/mime/core.exe.

 

How to move Match-IT between servers

Match-IT is self-contained in a single folder on a server.  There is no client-end software. This note assumes the immediate containing folder is called match_it.  It is connected from client workstations using one of three methods:-

  • A simple shortcut to run Match-IT across the network. This is how we leave it after the initial install.  Share the match_it folder on the server and then target match_go.exe using a UNC path.  Avoid using mapped drives(*).  The fields should look like this:-
    • Target: \\server_path\match_it\sys\match_go.exe ini=live.set
    • Start in: \\server_path\match_it
  • An overt RDP login to the server.
  • Some sort of application virtualisation; e.g. a published app.

The latter two are set up by IT and are becoming more popular with the availability of cheap powerful servers.  These also  facilitate use of WiFi which is not possible when running across the network.

To move Match-IT between servers, copy the Match-IT folder from one server to another and then repoint the workstation connection solution to the new location.  Users need full control of the Match-IT folder.

The first time Match-IT is run it needs local admin access to do some housekeeping.  It will let you know if it does not have this privilege.  Usually right-clicking and selecting “run as administrator” will allow Match-IT to do what it needs.  It may need an admin password depending on how IT have set up user profiles.  This only needs doing once.

There is a service that needs to be started on the new server but it’s easiest to call us to do it; for example over Teamviewer. It takes about 5 mins.

Match-IT is a large application and some virus checkers detect false positives.  Also the data files change many times per second which can have negative performance effects if virus checkers are active on them in real-time.  The Match-IT executables have built in checks and will not start if they have been modified.  We strongly recommend that you exempt the whole Match-IT folder on the server and also c:\programdata\match_it which contains a runtime copy.  If starting Match-IT with a simple shortcut we also strongly recommend exempting c:\programdata\match_it on workstations as well.

If the printers used by Match-IT now have different URLs, the Match-IT print queues will need a tweak and again it’s easiest if we do that if you let us know what they are.

(*) Virus checkers include mapped drives by default, which can obviously cause serious problems if the data files are changing frequently on the server.  If you have to use a mapped drive, we strongly recommend exempting it on the workstations.

 

Why has Match-IT slowed down?

Sometimes Match-ITs performance is compromised.  Here are the main reasons we have discovered over time:-

1. A virus/malware checker(s) is checking the Match-IT data files in real-time on the server. It is essential that the Match-IT data folder is exempt because the files changes so frequently (many times per second).  This is perfectly safe because the data files are not executable programs.

2. Use of mapped drives to access Match-IT is not recommended for the same reason. Local virus checkers on PCs check mapped drives to other computers by default, so you have to exempt the mapped drives on each PC and in each virus/malware checker on those PCs. This can usually be done with a global policy by your IT guys. But new PCs can still be a problem because they often come with a free one year AV program installed which starts checking mapped drives. We recommend sharing the Match-IT folder on the server and then connecting to it using UNC paths, but this is only of benefit if the mapped drive used to access Match-IT is also removed from each PC.  This also includes any other mapped drives that happen to include the Match-IT folder.  Either exempt the drive or preferably use UNC paths.

3. Dodgy network cards. Surprisingly frequently, network cards fail and while doing so cause problems. We have no idea how to detect this other than start one PC at a time and see when Match-IT slows down.

4. Slow/degrading server disk. Match-IT makes high demands on the server disk and it’s needs to be super-fast and efficient.

5. Use of WiFi.  If you use a laptop to run Match-IT please make sure that it’s physically plugged into the network.  Absolutely do not rely on WiFi.

6. Use a dedicated server.  Because of the relative cheapness of servers these days and the critical nature of Match-IT to our customers, many choose to have a dedicated Match-IT server; especially if the load from other server software components (like ACT) is high. Access is either by UNC paths (no mapped drives) or a published app so everybody is in fact running Match-IT on the server. Note that the latter has outlook licence and printing implications. We have a UK customer with a Match-IT server in mainland Europe and it is ultra-reliable; they use a  published app for access.

See also this article.

 

Applications needed to build Match-IT

Clarion 10 Enterprise Subscription

https://softvelocity.myshopify.com/collections/ide/products/core-subscription-program-for-enterprise-edition-new-license

Take Command

https://jpsoft.com/products/take-command.html

The build scripts need version 8 which you can download on request after buying the latest version.  At some point the scripts should be tweaked to support the later versions, but it’s never been a priority.

Setup Builder Developer Edition

http://www.lindersoft.com/order_dev.htm

This creates the installation file.

SVN client

We use tortoise command line client.  Free.

https://tortoisesvn.net

Help and Manual Professional Edition

https://www.helpandmanual.com/order.html

Only needed to build the product manual.

 

 

 

 

 

Posted in dev

Newsletter October 2017

Hi all,

This newsletter is intended to keep you up to date with Match-IT developments.  It will be published as required; not necessarily every month.

1.  Patton Air enforce very stringent dispatch paperwork/labelling etc requirements, which we have successfully implemented at two sites in the UK.  We have also implemented similar requirements at other sites, including in the USA.  If your customers are also starting to enforce dispatch rules, please do get in touch with us to discuss a solution.

2. To kick off a committed effort to gradually improve CRM capabilities, we have implemented infrastructure that allows qualifiers to be displayed in existing lists.  For example, you may have created qualifier fields for your customer/supplier records.  These can now also be displayed in the list of all customers/suppliers.

3. We would like to try and get everybody up-to-date with the latest version, as it contains several stability improvements.  We are happy to do the upgrades ourselves in the evenings and weekends to avoid any extra down time for you.  Please contact support to arrange your upgrade.

4.  All the the latest changes to Match-IT can be found here:  http://match-it.com/software/release.htm#latest

Newsletter August 2017

Hi all,

This newsletter is intended to keep you up to date with Match-IT developments.

1.  Hours.  Our support hours have changed to be 8am to 4pm which better suits our customers.  If you work in the evenings or weekends there is an emergency number you can ring if you are stopped.  We cannot guarantee to be able to help, but we will if we can.  This number is not published.  Please call and ask for it if you think it would be useful.

2.  SQL backend.  This was a huge undertaking by Dave Nichols and one customer has been trialling it for many months now without problems.  Having a SQL backend opens up Match-IT to generic report writing and the internet; for example your customers could create orders that appear in Match-IT and get their order’s status etc.  It’s also an alternative way of writing scripts if you have any coders in house.  We now have excellent in-house web skills ourselves (PHP, Javascript, node.js etc) and can help you build such interfaces.  We targetted PostgreSQL for it’s technical excellence and it is available for free at the link below.  If you would like us to set up a parallel SQL version of your system for you to trial it, please call on the support line and let us know.  It is available under your existing support agreement.

https://www.postgresql.org

3.  Cus/Sup reviews.  After feedback from auditors we have added a customer/supplier review system which forces you to review their details every N days (default 365).  They are considered to be unapproved if this is not done, which satisfies the auditing requirement.  This is available in builds from February this year.

4. A tip.  Many virus checkers target mapped drives which means that you need to exempt the Match-IT mapped drive on your PCs (imagine tens of PCs all having a virus checker targeting files on the server via a mapped drive).  This can cause problems when you get a new PC or update the virus checker etc.  The probem can be eliminated completely by deleting the mapped drive on the PC and using a “UNC path” in the shortcut to Match-IT instead.  i.e. instead of something like m:\sys\match_go.exe it becomes \\myservername\match_it\sys\match_go.exe.  If you would like this done, let us know your IT contact and we’ll speak to them.

We will leave it at that for now and detail more changes in the next newsletter.  Match-IT is in active daily development; including tracking upsets caused by Windows updates and a full list is always available in the link below; a useful shortcut to add to your browser toolbar maybe.

http://match-it.com/software/release.htm#latest

Why do sometimes have to recover a data file?

When using Match-IT across a network it is essential that the network is reliable because any dropout mid file transaction can cause a corruption of a data file.  Here are some tips to minimise problems:-

  1. On the server exclude the Match-IT folder (our executables self-check) and c:\programdata\match_it from real-time virus/malware checking and scanning.
  2. On workstations, do not use a mapped drive to point at Match-IT in your short cuts; use a UNC path (//servername/…).  Exempt c:\programdata\match_it and Match-IT on the server (using a UNC path) in anti-virus/malware software.  If you have a mapped drive to Match-IT on the server, even if it’s not used in the shortcut, also exempt it; this is essential, otherwise N PCs are checking Match-IT data files in parallel which can cause a lot of problems because the change so frequently.
  3. Do not rely on WiFi.  Make sure all network cables are connected and have not fallen out.
  4. Do not pull the network cable out of laptops before closing Match-IT and also make sure that you wait for Match-IT to exit completely.
  5. Close Match-IT and wait for it to exit completely before shutting down your workstation.
  6. Never under any circumstances click the “shutdown anyway” when shutting down your workstation and Windows says you have left Match-IT running.  Close Match-IT properly first.
  7. A Terminal Services solution (user logs into a server and run Match-IT from there) will provide better stability if any of the above are unresolveable.

See also this article.

How do I remove an Ad Hoc Works Order?

The output batches from an ad-hoc WO are almost always being used to satisfy a demand up the chain, so it is not usually possible to delete the WO itself.

The procedure needed is to go into the detail of the WO, then go to the Schedule tab, clear the Ad-Hoc Order Until date and save the WO.  It is then removed at the time of the next full reschedule – either automatically by the Agent overnight or if you decide to do one manually.