Force "always ignore" for specific program for all PCs?

[Paul Reid]

We use Remote Administrator as a remote control server for
remote support services on our client's machines (using a
VPN for secure access to their office network first, of
course).

Microsoft Anti-Spyware is flagging the program as a severe
threat (which is reasonable, give it can be used maliciously).

Since we are aware of the program's presence on the
machines, is there a way to tell Anti-Spyware that the
program is to be always ignored via a registry setting or
something we can use on a mass scale - say via a logon
script, for example, or during installation of the
Anti-Spyware program via a .reg file maybe?

The problem is that users are letting Anti-Spyware just
remove anything it deems a threat, and then we have to make
a site visit to replace the Remote Administrator server and
manually configure Anti-Spyware to always ignore it, which
is becoming a serious productivity drain on our staff.

Microsoft developers - any help?

Thanks.

 

[Robin Walker [MVP]]

The problem is that users are letting Anti-Spyware just
remove anything it deems a threat, and then we have to make
a site visit to replace the Remote Administrator server and
manually configure Anti-Spyware to always ignore it, which
is becoming a serious productivity drain on our staff.

The blunt answer, I'm afraid, is that this is a beta test release for
testing and evaluation only. It is not intended for deployment in a
production environment. If you find support of this product to become a
burden, then one of the options to consider is withdrawing it from your
supported machines. Bill Gates has announced that there will one day be a
properly supported version for enterprise environments, but it will be a
paid-for option.

 

[Bill Sanderson]

I agree with Robin Walker. Microsoft has flagged this issue with a KB
article which is part of the Known Issues posted at the download site, and
in the help for build .509 of the product.

http://support.microsoft.com/kb/892375 End users may be prompted to allow or
block administrative actions that originate from a central management tool
after they install Windows AntiSpyware (Beta) on a computer that is managed
by Systems Management Server 2003

The workaround in this article is one you could use--but it does shut off
all real-time protection from Microsoft Antispyware.

 

[Bill Sanderson]

Whoops - left of an additional piece I want to get out there:

If you use scripting in any part of your environment, you should be aware of
some serious issues involving Microsoft Antispyware:

http://www.microsoft.com/technet/scriptcenter/resources/articles/antispy.mspx

 

[Guest]

Darn. I was hoping for a little hack I might be able to
use. It stored that exclusion list somewhere - though it's
probably protected to prevent malicious programs from just
deactivating Anti-Spyware's protection.

Oh well. Thanks for the prompt and clear reply. It's
apprecitated.

-----Original Message-----

The problem is that users are letting Anti-Spyware just
remove anything it deems a threat, and then we have to make
a site visit to replace the Remote Administrator server and
manually configure Anti-Spyware to always ignore it, which
is becoming a serious productivity drain on our staff.

The blunt answer, I'm afraid, is that this is a beta test release for
testing and evaluation only. It is not intended for deployment in a
production environment. If you find support of this product to become a
burden, then one of the options to consider is withdrawing it from your
supported machines. Bill Gates has announced that there will one day be a
properly supported version for enterprise environments, but it will be a
paid-for option.

--
Robin Walker [MVP Networking]
(e-mail address removed)


.

 

[Paul Reid]

I have found a solution that I'll share for others running
into the same problem.

Do a clean install of Anti-Spyware on a machine that has
the program(s) you don't want Anti-Spyware to flag, and let
it scan. Once it finishes the scan, set the program(s) in
question to "Always Ignore", and let the program finish
cleaning up the machine.

Now, go to Anti-Spyware's install directory and copy the
gcThreatAuditIgnoredThreatsData.gcd file. Go ahead and
install the software on other machines, then overwrite the
gcThreatAuditIgnoredThreatsData.gcd with the one you saved
from the first install. Problem solved, as long as you
install the program before the user does, so you can deal
with the problem before the user has the program remove the
program you need to be left alone.

There are some instructions floating around on how to
install this program in unattended mode. Making a little
batch file that includes the copying of your modified
gcThreatAuditIgnoredThreatsData.gcd file in a logon script,
you could automate this solution fairly easily.

I tested this solution on a number of machines, and I am
comfortable that it works fine. However, keep in mind that
this trick may change in the future, since this product is
still evolving towards a final state - but it works for the
current build, so it'll save the headaches for now. Betas
are supposed to be "feature complete", which usually means
there won't be drastic changes to program architecture in
the final version (just bug fixes), so hopefully this will
continue to work.

I would be inclined to save the installer with your backed
up gcThreatAuditIgnoredThreatsData.gcd file, so you can be
sure everything will work as planned. Also keep in mind
that the current beta does expire, so this is a temporary
solution until the final release comes out without an
expiry date on it, at which time you'll want to test if
this trick still works or not.

Good luck.