7 Replies. Latest reply: Jul 30, 2011 9:54 PM by bgavin

    How-To Disable Scheduled AutoUpdate by Switch or Script

    bgavin

      I am an admin in a large environment that has no public interface.

      An EPO console is not in our immediate future.

       

      Q: is there a script method, command line switch, or other process to disable scheduled auto-updates?

       

      This is the audit point.  The value cannot be changed while the service "McShield" is running.

      [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\Tasks\{A14CD6FC-3BA8-4703-87BF-E3247CE382F5}]

      "bSchedEnabled"=dword:00000001

       

      The McShield service cannot be stopped when the "Prevent McAfee services from being stopped" box is checked.

      I chased the rabbit down the hole and find mcconsol.exe is changing a few keys during the check/uncheck process.

      A real-time trace reveals the keys, but manual setting of these keys is still disallowed.

      There is a yet-undiscovered mechanism protecting the registry keys.

       

      In short, the system is working as designed, but I also need a scripted method of disabling autoupdates.

      Logging into a thousand boxes for a onsey-twosy change of every server isn't viable.

      Rebooting is not viable... production environment.

       

      I'm looking for a switch similar to:

       

      McUpdate.exe /task {A14CD6FC-3BA8-4703-87BF-E3247CE382F5}  /disable

       

      Does anybody know if this exists?

       

      Message was edited by bgavin: Edited title for clarity on 7/24/11 2:11:47 PM CDT
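A read-only check for the audit point described in this post, added here as an example; it is not part of the thread and not McAfee's tooling. It assumes the task GUID quoted in the post, that each server's registry is reachable through the WMI StdRegProv class with an account that has read access, and that the host names in `$hosts` are constructed placeholders for your own inventory:

```powershell
# Added example (not from the thread): report, per server, whether the
# VirusScan AutoUpdate task is still scheduled and whether McShield is running.
# Everything here is read-only; nothing is changed on the remote host.

$TaskGuid = '{A14CD6FC-3BA8-4703-87BF-E3247CE382F5}'      # GUID quoted in the post
$KeyPath  = "SOFTWARE\McAfee\DesktopProtection\Tasks\$TaskGuid"
$HKLM     = [uint32]2147483650                             # HKEY_LOCAL_MACHINE (0x80000002)

function Get-AutoUpdateSchedule {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    $result = [ordered]@{
        Computer        = $ComputerName
        McShieldRunning = $null
        bSchedEnabled   = $null
        Status          = 'Unknown'
    }
    try {
        # Service state: the thread notes the value is only writable while McShield is stopped.
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName `
                             -Filter "Name='McShield'" -ErrorAction Stop
        $result.McShieldRunning = ($null -ne $svc -and $svc.State -eq 'Running')

        # Remote registry read through StdRegProv (the same class cscript/WMI scripts use).
        $reg = [wmiclass]"\\$ComputerName\root\default:StdRegProv"
        $out = $reg.GetDWORDValue($HKLM, $KeyPath, 'bSchedEnabled')
        if ($out.ReturnValue -ne 0) { throw "GetDWORDValue returned $($out.ReturnValue) (value or key missing?)" }

        $result.bSchedEnabled = [int]$out.uValue
        $result.Status = if ($out.uValue -eq 1) { 'Scheduled update ENABLED' } else { 'Scheduled update disabled' }
    }
    catch {
        $result.Status = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]$result
}

# Constructed host list; replace with your own server inventory.
$hosts = @('server01', 'server02')
$hosts | ForEach-Object { Get-AutoUpdateSchedule -ComputerName $_ } | Format-Table -AutoSize
```

Feed the output into whatever compliance report you already keep; a row with `bSchedEnabled = 1` is the state this thread is trying to change, and an `Error:` row usually means the remote registry or WMI path is blocked rather than the value being absent.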
        • 1. Re: How-To Disable Scheduled AutoUpdate by Switch or Script
          Attila Polinger

          Hello,

           

          it is most likely that some Access Protection rule (the first module in the VirusScan console) prevents you from changing the key manually. These rules often have processes excluded from their scope, that is, a process listed among the exclusions with a certain name can still make the change.

          I would see the resolution as a multi-step process:

           

          1. Find out the rule in question (my bet is the "Prevent modifications in McAfee files and settings" in Common standard protection set)

          2. Open the rule and see which process names are listed in the exclusions section. Pick one (I would recommend ???setup.exe, setup.exe).

          3. [thin ice] You have several options here to use this name for the actual program that you can use to change the reg key. Make sure this program is launched as is, so not under CMD.EXE or other process that can hide the process name resulting in another block.

          I admit this is the hardest part and requires a lot of testing.

          Also during this testing you might run into another obstacle when you want to perform an action prevented by another Access Protection rule.

           

          As you surely cannot disable Access Protection itself via the registry, the only workaround would be to use this coverup program name to perform the desired action.

           

          I hope I could be of some help.

           

          Attila

          • 2. Re: How-To Disable Scheduled AutoUpdate by Switch or Script
            bgavin

            Thanks!  This is already a 3-pointer.. holding off to see if we can get you the full 5 points.

             

            So far..  as per Step #1 above, adding "regedt32.exe" to the exclusions list does the trick.

            This allows changing "bSchedEnabled"=dword:00000001 to a hex zero to clear the flag.

             

            The cscript.exe engine evidently uses the WMI StdRegProv class to call regedt32.exe.

            As a hack, I can copy the registry editor to one of the blessed exclusions in the list, i.e. ???setup.exe, but this is pretty lame.

             

            The next step is finding out if any of the setup utilities will let me programmatically add another name to the exclusion list.

            If so, I can script a pass to add "regedt32.exe" to the "Prevent modifications in McAfee files and settings" Common standard protection set.

            • 3. Re: How-To Disable Scheduled AutoUpdate by Switch or Script
              jhall1

              Here you go!

              For VirusScan 8.8, you have to disable Access Protection and change the two registry keys for the task:

              1. Command Prompt:

              net stop McShield    (this disables Access Protection)

              2. Then the 2 registry key changes:

              HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\Tasks\{A14CD6FC-3BA8-4703-87BF-E3247CE382F5}

              bSchedEnabled=0 (this value indicates that the schedule is to be disabled)
              bSchConfigChanged=1   (this value indicates to Task Manager that the schedule for this task has changed and needs to be updated)

              3. Then restart Access Protection:

              net start McShield
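The three steps above wrapped in one local script with the checks an administrator would want around them; this is an added example, not jhall1's or McAfee's own code. It assumes VirusScan 8.8, the task GUID quoted above, an elevated session, and an account that Access Protection permits to stop McShield. Where that stop is blocked (the situation bgavin describes in the opening post) the script aborts before touching the registry, the service is restarted even if a write fails, and `-WhatIf` reports the intended change without making it:

```powershell
# Added example (not from the thread): jhall1's stop / set / start sequence with
# verification. Run elevated on the server itself.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$TaskKey = 'HKLM:\SOFTWARE\McAfee\DesktopProtection\Tasks\{A14CD6FC-3BA8-4703-87BF-E3247CE382F5}'

function Get-ScheduleState {
    # Both values come from jhall1's post; -ErrorAction Stop surfaces a missing key.
    $p = Get-ItemProperty -Path $TaskKey -ErrorAction Stop
    [pscustomobject]@{
        bSchedEnabled     = [int]$p.bSchedEnabled
        bSchConfigChanged = [int]$p.bSchConfigChanged
    }
}

$before = Get-ScheduleState
if ($before.bSchedEnabled -eq 0) {
    Write-Output "Schedule already disabled on $env:COMPUTERNAME; nothing to do."
    return
}

$action = 'Stop McShield, set bSchedEnabled=0 and bSchConfigChanged=1, restart McShield'
if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, $action)) {

    # Step 1: stop McShield. If the "Prevent McAfee services from being stopped"
    # option blocks this, Stop-Service throws and we exit without touching the key.
    Stop-Service -Name McShield -ErrorAction Stop
    (Get-Service -Name McShield).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

    try {
        # Step 2: the two values jhall1 lists.
        Set-ItemProperty -Path $TaskKey -Name bSchedEnabled     -Value 0 -Type DWord -ErrorAction Stop
        Set-ItemProperty -Path $TaskKey -Name bSchConfigChanged -Value 1 -Type DWord -ErrorAction Stop
    }
    finally {
        # Step 3: always bring Access Protection back, even if a write above failed.
        Start-Service -Name McShield
    }

    # Verify rather than assume: if the write was silently blocked, say so loudly.
    $after = Get-ScheduleState
    if ($after.bSchedEnabled -ne 0) {
        throw "bSchedEnabled is still $($after.bSchedEnabled) on $env:COMPUTERNAME; the change did not take."
    }
    Write-Output "Schedule disabled: bSchedEnabled=$($after.bSchedEnabled), bSchConfigChanged=$($after.bSchConfigChanged)"
}
```

Run it once with `-WhatIf` to see the planned action, then push it with your usual remote execution tool; the non-zero exit from the `throw` is what lets a batch run over many servers separate the hosts where McShield could not be stopped from the ones that actually changed.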

              • 4. Re: How-To Disable Scheduled AutoUpdate by Switch or Script
                Attila Polinger

                Hi,

                 

                jhall: stopping McShield could be the easiest way; however, bgavin did not specifically say that he can stop and start the McShield service - rather, he mentioned that it cannot be stopped when the prevention checkbox is set (obviously, if this were not the case for all or most of his clients, he would not need help). Since no reboots are allowed, trying to set McShield to manual or disabled (some or both of them might not work anyway, I suppose, due to the AP rule) and then rebooting to stop McShield is not an option.

                 

                bgavin: however lame you deem it, you need to use one of the process names already on the exclusion list; otherwise you would need to add a new name to the list, which is another problem if you want to do it via script.

                 

                Attila

                • 5. Re: How-To Disable Scheduled AutoUpdate by Switch or Script
                  bgavin

                  A long time back, I wrote a script that has to stop all the McAfee services so the registry can be scrubbed.

                  When the checkbox is checked, stopping McShield is not allowed.

                   

                  Attila, my comment about "lame" is not directed at you, but at resorting to cheap hacks to perform an ordinary admin function.

                  My apologies if you interpreted this otherwise.  It was not intended that way.

                   

                  I can exploit an out-of-the-box exclusion using the existing "???setup.exe" present in the list.

                  This can be done by copying REGEDT32.exe to C:\temp\$$$setup.exe, then calling PSEXEC with a command line to make the registry changes.

                  I have tested this process, and it does work.

                  It is a lame hack, though.

                   

                  I was hoping somebody would chime in with an undocumented command line switch for "mcupdate.exe" /TASK...  /DISABLE_SCHEDULER  or something similar.

                   

                  Also looking to find a scripted method of adding a non-listed SMTP client to the blessed mass mailing list.

                  HP-OpenView has a mailer agent that is currently blocked.

                  I don't want to add manually that exclusion to a zillion servers, either.

                  • 6. Re: How-To Disable Scheduled AutoUpdate by Switch or Script
                    Attila Polinger

                    Hi bgavin,

                     

                    of course no offence was taken and I have not interpreted your reply in any bad sense. :-)

                     

                    Let me add one comment, though: in my opinion, if Mcupdate.exe had a switch like /disable_task, then any malware would first try to launch the task this way, and updating would go out the window for the future. Then mcupdate.exe would have to have a different protection and everything would start over again.

                     

                    I see a reason why a task is disabled the way it is and why it is protected the way it is, and I, as opposed to you, do not consider this type of "hack" a hack; rather, it is using everything that's available to do a specific thing.

                     

                    The exclusion that I recommended is factory-set and does not have to be added to any more servers; at least that was my intention when recommending it.

                     

                    One thing comes to mind: isn't there a reg.exe doing the same registry operation that you could use on each server, calling only that .EXE from, say, a login script?

                     

                    Attila

                    • 7. Re: How-To Disable Scheduled AutoUpdate by Switch or Script
                      bgavin

                      I understand the reasoning behind the protection.  Having been in the game for decades, I've learned the hard way that when I start considering a code hack, that I've missed something more fundamental (and easier).  When all is said and done, rare is the occasion when a deep dive is the only solution, hence my asking on the community.  I want to stay as main-stream as possible.

                       

                      From a script, I can either exec a class method, or run PSExec on the local host to simulate a run-locally task.

                      REG ADD could possibly work, by doing an ADD of a changed key over top of the current key after the lockdown is removed.

                       

                      It would be easier if I can figure a means to stop McShield.  Once stopped, I can make my required registry changes and restart the service.

                      This is proving to be quite the challenge.