it is most likely some Access Protection rule (first module in VirusScan console) prevents you from changing the key manually. These rules often have processes as exclusion from under their scope, that is, a process listed among the exclusions with a certain name can still do the change.
I would see the resolution as a multi-step process:
1. Find out the rule in question (my bet is the "Prevent modifications in McAfee files and settings" in Common standard protection set)
2. Open the rule and see which process names are listed in the exclusions section. Pick one (I would recommend ???setup.exe, setup.exe).
3. [thin ice] You have several options here to use this name for the actual program that you can use to change the reg key. Make sure this program is launched as is, so not under CMD.EXE or other process that can hide the process name resulting in another block.
I admit this is the hardest part and requires lot of testing.
Also during this testing you might run into another obstacle when you want to perform an action prevented by another Access Protection rule.
As you surely cannot disable Access Protection itself via the registry, the only workaround would be to use this coverup program name to perform the desired action.
I hope I could be of some help.
Thanks! This is already a 3-pointer.. holding off to see if we can get you the full 5 points.
So far.. as per Step #1 above, adding "regedt32.exe" to the exclusions list does the trick.
This allows changing the "bSchedEnabled"=dword:00000001" to a hex zero to clear the flag.
The cscript.exe engine evidently uses the WMI StdRegProv class to call regedt32.exe.
As a hack, I can copy the registry editor to one of the blessed exclusions in the list, i.e. ???setup.exe, but this is pretty lame.
The next step is finding out if any of the setup utilities will let me programmatically add another name to the exclusion list.
If so, I can script a pass of add "regedt32.exe" to the "Prevent modifications in McAfee files and settings" Common standard protection set.
Here you go!
For Virusscan 8.8, you have to disable Access protection and change the two registry keys for the task:
1. Command Prompt:
net stop McShield (This disabled access protection)
Then the 2 registry key changes:
bSchedEnabled=0 (this values indicates that the schedule is to be disabled)
bSchConfigChanged=1 (this values indicates to Task Manager that the schedule for this task has changed and needs to be updated)
Then restart Access Protection:
net start McShield
jhall: stopping McShield could be the easiest way, however bgavin did not specifically say that he can stop and start McShield service - rather, he mentioned that it cannot be stopped when the prevention checkbox is set (obviously if this were not the case for all or most of his clients, he would not need help). Since no reboots are allowed, trying setting McShield to manual or disabled (some or both of them might not work I suppose anyway due to AP rule) then reboot to stop McShield is not an option.
bgavin: however you deem it lame, you need to use one of the process names already on the exclusion list, otherwise you would need to add a new name to the list which is another problem if you want it to do via script.
A long time back, I wrote a script that has to stop all the McAfee services so the registry can be scrubbed.
When the checkbox is checked, stopping McShield is not allowed.
Attila, my comment about "lame" is not directed at you, but at resorting to cheap hacks to perform an ordinary admin function.
My apologies if you interpreted this otherwise. It was not intended that way.
I can exploit an out-of-the-box exclusion using the existing "???setup.exe" present in the list.
This can be done by copying REGEDT32.exe to C:\temp\$$$setup.exe, then calling PSEXEC with a command line to make the registry changes.
I have tested this process, and it does work.
It is a lame hack, though.
I was hoping somebody would chime in with an undocumented command line switch for "mcupdate.exe" /TASK... /DISABLE_SCHEDULER or something similar.
Also looking to find a scripted method of adding a non-listed SMTP client to the blessed mass mailing list.
HP-OpenView has a mailer agent that is currently blocked.
I don't want to add manually that exclusion to a zillion servers, either.
of course no offence was taken and I have not interpreted your reply in any bad sense. :-)
Let me add one comment, though: in my opinion, if a Mcupdate.exe would have a switch, like /disable_task, then any malware first tried to launch these task in this way and out the window went updating for the future. Then mcupdate.exe would have to have a different protection and everything would start over again.
I see a reason why a task is disabled the way it is and why it is protected the way it is and I, as opposed to you, do not consider this type of "hack" a hack, rather, using everything what's available to do a specific thing.
The exclusion what I recommended is a factory set and do not have to add to any more servers, at least that was my intention when recommending it.
One thing comes to mind: is not there a reg.exe doing the same registry operation that you could use on each server, calling only that .EXE from say, via login script?
I understand the reasoning behind the protection. Having been in the game for decades, I've learned the hard way that when I start considering a code hack, that I've missed something more fundamental (and easier). When all is said and done, rare is the occasion when a deep dive is the only solution, hence my asking on the community. I want to stay as main-stream as possible.
From a script, I can either exec a class method, or run PSExec on the local host to simulate a run-locally task.
REG ADD could possibly work, by doing an ADD of a changed key over top of the current key after the lockdown is removed.
It would be easier if I can figure a means to stop McShield. Once stopped, I can make my required registry changes and restart the service.
This is proving to be quite the challenge.