VNC Server

Guest

Hi,

I wish to run VNC server and Microsoft Defender together on our workstations.

Unfortunately, MS Defender identifies VNC server as spyware. As we are
running a network with 170 odd workstations, does anyone know any way I can
deploy ignore settings? Modifying the registry or deploying a config file
would be fine.

Any help appreciated.
Regards,
Chris
 
Bill Sanderson

You should be running Forefront Client Security, currently in 120 day trial
availability.

As I recall, ignore settings are in the registry, but that recollection is
sufficiently hazy that I might be ... wrong.

You might load a tool that tracks registry changes--I think there is one
from Sysinternals?--and see if you can create the right settings on a given
machine to ignore your VNC version, then create a file to apply those to
other machines.

Here's the Sysinternals tool:

http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx

Oct 3 2007 rev date, so even if you have it, this may be a rev.
 
Bill Sanderson

As an aside--the full blown Forefront installation can be quite daunting.
It is possible to run just the client piece via setup.exe /nomom (setup.exe
in the client subdirectory). I'm unclear what policy management templates
are available via that kind of install, though. The client can update via
Windows update, Microsoft update, or WSUS.

--
 
Guest

Hi Bill,

Thanks for the fast response.

I have never looked too much into it, but is Forefront destined to be an AV
product with paid subscriptions? At the mo this organisation is a school that
gets Symantec corporate for $5.60 per seat per year, so Forefront may be out
of the question, and I'm looking to just run Defender rather than the trial.
Thanks for the suggestion.

As for Sysinternals, this may be more what I am after. In fact, if it tracks
registry changes like that I can see many uses for it so thanks for the heads
up. Will let you know how I get on.

Regards,
Chris
 
Bill Sanderson

Forefront is full-blown virus and antispyware, and more, and has a per-seat
subscription charge. The charges are very reasonable, but I'm not sure what
the charitable/non-profit rates would be. Possibly not that low, though.

This is something I need to investigate more carefully myself, though, since
I work with mainly non-profits.

The Sysinternals app should allow you to see what happens with the ignore
settings, and probably script making that change on another machine--which
is what you are looking for.

--
 
Chris de Vidal

I am having the same problem as the poster back in October; Windows
Defender is prompting users to disable UltraVNC. We use UltraVNC and we
have about 100 computers we need to modify. Without this, we'll be
getting dozens of help desk calls.

I found the registry key that controls the allowed programs:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction

Here are the contents of a .reg file I created:
========================================
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction]
"16555"=dword:00000006

========================================


The next step is to see how to add this to everyone's registry. The key
is protected with security permissions so it's not as easy as just
adding it to the login script; I must first disable security and THEN I
can add this.

Any ideas how to do this? The login script is written in VBScript.
--
Chris de Vidal
Be sure to remove @Example.com if you're emailing me directly.

======================================
You're a good person? Yeah, right ;-)
Prove it: TenThousandDollarOffer.com
 
Chris de Vidal

Chris said:
The next step is to see how to add this to everyone's registry. The key
is protected with security permissions so it's not as easy as just
adding it to the login script; I must first disable security and THEN I
can add this.

Any ideas how to do this? The login script is written in VBScript.

*Update:* What did I need you guys for :-D

My script will look something like this:
subinacl /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /grant="Domain Admins"=F
regedit /s Windows_Defender_-_Allow_UltraVNC.reg
subinacl /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /revoke="Domain Admins"

I just need to copy SubInACL to each workstation, add error checking,
logging, etc.
--
Chris de Vidal
Be sure to remove @Example.com if you're emailing me directly.

======================================
You're a good person? Yeah, right ;-)
Prove it: TenThousandDollarOffer.com
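
The three steps from the post above, wrapped with the logging and result check it mentions, as an added example that is not the poster's own script. It assumes subinacl.exe is on the PATH, the .reg file sits next to the script, and the account running it is allowed to change the key's ACL; the log path and labels are hypothetical.

```batch
@echo off
rem Added example: grant, import, revoke, then confirm the value really landed.
rem Assumptions: subinacl.exe on PATH, .reg file beside this script.
setlocal
set "KEY=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction"
set "REGFILE=%~dp0Windows_Defender_-_Allow_UltraVNC.reg"
set "LOG=%TEMP%\defender_allow_ultravnc.log"

echo %DATE% %TIME% start on %COMPUTERNAME% >> "%LOG%"

if not exist "%REGFILE%" goto :missing

rem Leave the ACL untouched when the value is already in place.
call :verify
if not errorlevel 1 goto :already

subinacl /keyreg "%KEY%" /grant="Domain Admins"=F >> "%LOG%" 2>&1
regedit /s "%REGFILE%"

rem Always put the ACL back, whether or not the import worked.
subinacl /keyreg "%KEY%" /revoke="Domain Admins" >> "%LOG%" 2>&1

rem Judge success by the registry contents, not by tool exit codes.
call :verify
if errorlevel 1 goto :failed
echo OK: 16555 = 0x6 >> "%LOG%"
exit /b 0

:already
echo already set, nothing to do >> "%LOG%"
exit /b 0

:missing
echo FAILED: .reg file not found >> "%LOG%"
exit /b 2

:failed
echo FAILED: 16555 is not 0x6 after import >> "%LOG%"
exit /b 1

:verify
rem reg query prints the DWORD as 0x6; findstr returns 1 when no line ends in it.
reg query "%KEY%" /v 16555 2>nul | findstr /e /c:"0x6" >nul
exit /b %errorlevel%
```

The early exit means a machine that already has the value never has its key permissions widened, and the final check catches the case where the grant silently failed and regedit /s wrote nothing.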
 
Bill Sanderson

I've no experience in working with the registry via group policy, or any
remote method.

When working locally on a machine, I've had no trouble modifying the
permissions, making the desired changes, and then setting the permissions
back. What I can't recall--it's been a good while--is whether I took
ownership, or just added administrators with full permissions, made the
changes, and then removed administrators again.

I suspect the latter--as I recall it seemed fairly neat and easy, working
locally.

Whether you can do this, or how, is well beyond what I know about, in terms
of scripting or any sort of remote work.

I'd recommend asking in either a group related to scripting--there are some
good ones--or one where server admins hang out--they tend to know how to do
this stuff. The organizations I work with are small enough, both physically
and in terms of numbers of seats, that I haven't needed to do very much
along those lines.

Forefront's pricing appears pretty good, but when I got an actual quote from
our licensing vendor, it was quite different from what I'd expected--and he
added a note asking me to call him so he could explain "how they sell
forefront." I haven't managed to make that call yet...

I'd be interested to hear how this goes--if you choose a group to post in,
let me know--and maybe I can follow the thread there. If you want
suggestions, let me know--I can try to spot some good candidate locations to
ask.
 
Bill Sanderson

Sounds good to me--but as I mention--I really wouldn't know!
That definitely seems analogous to what I remember doing manually.
 
