Exceptions not retained at logout/reboot

Guest

Hello,

I have an issue with Antispyware on an XP SP2 machine which is heavily
locked down. I.e. my account is not a local admin etc.

The XP SP2 machine in question is a member of a Win2k3 domain and has Group
Policy applied to it. As part of login, a number of scripts run and perform
duties such as redirecting 'My Documents' to a shared network folder. Also,
Group Policy configures IE - sets up a number of Trusted Sites etc.

For these, Antispyware agents ask me if I want to allow the redirection of
'My Documents', adding of sites to IE 'Trusted Sites' etc. as I would expect.
However, when I click 'Accept' and 'Remember this action', on a reboot or
logout/login, Antispyware asks me each time if I want to allow the action,
despite me checking the box for the action to be remembered.

Does anyone know how to ensure Antispyware permanently allows these
exceptions? Also, where are these exceptions held in the Registry so I can
check that my day-to-day account has the correct permissions over the
relevant Registry keys etc.?

Thanks.
 
Guest

Andre,

Thanks for your reply.

The only anti-spyware product on this workstation is MS Antispyware.

Thanks.

Fatman.
 
Guest

The first problem is that you aren't logging in as the administrator account
that installed MSAS. The current release only supports the admin account
that installed MSAS.

The second problem is the bigger of the two. It has to do with the fact
that the current release isn't meant for a network/production environment.
An enterprise version is in the works, but won't be out until sometime next
year at the earliest, after the home version (i.e., the final version of this
beta product) is released.

Alan
 
Guest

Alan -

Is there a post anywhere that discusses the limitations of the beta with
regard to use in a corporate environment? We're using it in a corporate
environment and have been happy with the results (we're also running SAV
Corporate ver 10.x for additional anti-spyware support) so far, but are
bumping up against the limited corporate environment features.

Will Beta 2 provide any support for group policy controls?

Greg
 
Bill Sanderson

I made a post which might match your description--it was somewhat
intemperate, I'm afraid, and maybe I shouldn't repeat it--I'll see if I can
find it and append it to this reply.

The product you want for your environment will be the Microsoft Client
Protection product--check that out:

http://www.microsoft.com/windowsserversystem/solutions/security/clientprotection/default.mspx

The technology that we are testing will eventually become part of a number
of further products--Windows OneCare Live, Microsoft Client Protection, and
Windows Vista. Whether the package that we will test as beta2 will be
controllable by group policy I don't know yet. My bet would be that it will
be controllable, so that in a small environment, you may be able to manage
this by hand writing your own policies. In a larger environment you'd want
the control console and reporting facilities provided by Microsoft Client
Protection.
In fact, I'm not much of a betting person, and many of my bets about this
beta have been wildly off the mark--so take this with a grain of salt...
--
OK, found the post. The context was a request for a silent install command
line for an enterprise deployment.

I'll repost this, but I'm going to downplay the security issue I mention.
This is real, known to Microsoft, and fixed in beta2. On the new NVD scale
of such vulnerabilities, it rates a 7 out of 10. I don't know what to do
with that information, but it hasn't made me rush out and remove the beta
from any machines.

Really--the primary limitation is the complete lack of control and the
ability it gives the user to block any administrative script. We've had
posts from folks asking how to control the product so that they can roll out
an app install, for example, that Microsoft Antispyware will otherwise throw
up dialogs requiring user response about. There is no simple method--all we
can suggest is taskkill to kill the Microsoft Antispyware processes,
followed by the script to do the install.

------------------------------
This software is not suitable for deployment in such an environment. Among
other attributes, it requires running as administrator, will allow users to
block administrative scripts, and contains an elevation of privilege
security vulnerability.

Here's what's known about command line switches for the app itself:

http://blogs.technet.com/stevedod/archive/2005/04.aspx

There've been some stabs at silent installs in this group, I think some
successful--however, I'm not sure if the HTML interface retains messages
far enough back to make the search facility effective.

Here are the notes I have in this area:

[Managed environments, scripting, turning off real-time protection]

http://support.microsoft.com/kb/892375 End users may be prompted to allow or
block administrative actions that originate from a central management tool
after they install Windows AntiSpyware (Beta) on a computer that is managed
by Systems Management Server 2003

Scripting issues:

http://www.microsoft.com/technet/scriptcenter/resources/articles/antispy.mspx
(sorry--this one has gone permanently missing)

Unattended uninstall:

The command should be:
MsiExec.exe /X {536F7C74-844B-4683-B0C5-EA39E19A6FE3} -qn

If you want a log file ... (note: no space between the /L
and its parameters (ime))

MsiExec.exe /X {536F7C74-844B-4683-B0C5-EA39E19A6FE3} /Lime c:\temp\msas.log -qn

(from lori)

Unattended Install:

http://www.overdose.net/docs/msas_silent_remote_install.txt
-----------------
Security vulnerability:

Multiple Vendor Insecure Call to CreateProcess() Vulnerability

iDEFENSE Security Advisory 11.15.05
www.idefense.com/application/poi/display?id=340&type=vulnerabilities
--
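
Added example, not part of the post above or of the iDEFENSE advisory: the Win32 documentation for CreateProcess() notes that when lpApplicationName is NULL and the module path in lpCommandLine is unquoted and contains spaces, each space-delimited prefix is tried as an executable name in turn. The C audit helper below lists the names that would be tried before the intended image and produces the quoted form; the sample path, the function names and the "first .exe" heuristic are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAX_LEN 260

/* Heuristic: the intended image ends at the first ".exe" followed by a space or NUL. */
static size_t image_end(const char *s) {
    for (size_t i = 0; s[i]; i++)
        if (s[i] == '.' && tolower((unsigned char)s[i + 1]) == 'e' &&
            tolower((unsigned char)s[i + 2]) == 'x' && tolower((unsigned char)s[i + 3]) == 'e' &&
            (s[i + 4] == ' ' || s[i + 4] == '\0')) return i + 4;
    return strlen(s);
}

/* Does the last path component of s[0..len) already carry an extension? */
static int has_ext(const char *s, size_t len) {
    for (size_t i = len; i > 0 && s[i - 1] != '\\' && s[i - 1] != '/'; i--)
        if (s[i - 1] == '.') return 1;
    return 0;
}

/* Names tried before the intended image when the path is unquoted; 0 = unambiguous. */
int earlier_candidates(const char *cmd, char out[][MAX_LEN], int max) {
    int n = 0;
    size_t end = image_end(cmd);
    if (cmd[0] == '"') return 0;            /* quoted path: only one reading */
    for (size_t i = 1; i < end && n < max; i++) {
        if (cmd[i] != ' ' || i + 5 > MAX_LEN) continue;
        memcpy(out[n], cmd, i);             /* prefix up to this space */
        strcpy(out[n++] + i, has_ext(cmd, i) ? "" : ".exe");
    }
    return n;
}

/* Remediation: wrap the image path in quotes, keep the arguments unchanged. */
int quote_image(const char *cmd, char *out, size_t size) {
    size_t end = (cmd[0] == '"') ? 0 : image_end(cmd);
    int w = end ? snprintf(out, size, "\"%.*s\"%s", (int)end, cmd, cmd + end)
                : snprintf(out, size, "%s", cmd);
    return (w >= 0 && (size_t)w < size) ? 0 : -1;
}

int main(void) {
    const char *cmd = "C:\\Program Files\\Example Vendor\\agent.exe /scan"; /* constructed */
    char cand[8][MAX_LEN], fixed[MAX_LEN];
    int n = earlier_candidates(cmd, cand, 8);
    for (int i = 0; i < n; i++) printf("tried first: %s\n", cand[i]);
    if (quote_image(cmd, fixed, sizeof fixed) == 0) printf("quoted: %s\n", fixed);
}
```

A non-zero count means the caller should either pass the full image path as lpApplicationName or quote it inside lpCommandLine.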
 
Guest

WOW! An early X-Mas present. Thanks for the in-depth reply.

 
