3367 Views 7 Replies Latest reply: Jul 30, 2011 9:54 PM by bgavin RSS
bgavin Newcomer 4 posts since
Jul 24, 2011

Jul 24, 2011 2:11 PM

How-To Disable Scheduled AutoUpdate by Switch or Script

I am an admin in a large environment that has no public interface.

An EPO console is not in our immediate future.

 

Q: is there a script method, command line switch, or other process to disable scheduled auto-updates?

 

This is the audit point.  The value cannot be changed while the service "McShield" is running.

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\Tasks\{A14CD6FC-3BA8-4703-87BF-E3247CE382F5}]

"bSchedEnabled"=dword:00000001

 

The McShield service cannot be stopped when the "Prevent McAfee services from being stopped" box is checked.

I chased the rabbit down the hole and found mcconsol.exe is changing a few keys during the check/uncheck process.

A real-time trace reveals the keys, but manual setting of these keys is still disallowed.

There is a yet-undiscovered mechanism protecting the registry keys.

 

In short, the system is working as designed, but I also need a scripted method of disabling autoupdates.

Logging into a thousand boxes for a onsey-twosy change of every server isn't viable.

Rebooting is not viable... production environment.

 

I'm looking for a switch similar to:

 

McUpdate.exe /task {A14CD6FC-3BA8-4703-87BF-E3247CE382F5}  /disable

 

Does anybody know if this exists?

 

Message was edited by: bgavin Edited title for clarity on 7/24/11 2:11:47 PM CDT
  • Attila Polinger Veteran 1,161 posts since
    Dec 8, 2009

    Hello,

     

    It is most likely that some Access Protection rule (first module in VirusScan console) prevents you from changing the key manually. These rules often have processes excluded from their scope; that is, a process listed among the exclusions with a certain name can still make the change.

    I would see the resolution as a multi-step process:

     

    1. Find out the rule in question (my bet is the "Prevent modifications in McAfee files and settings" in Common standard protection set)

    2. Open the rule and see which process names are listed in the exclusions section. Pick one (I would recommend ???setup.exe, setup.exe).

    3. [thin ice] You have several options here to use this name for the actual program that you can use to change the reg key. Make sure this program is launched as is, so not under CMD.EXE or other process that can hide the process name resulting in another block.

    I admit this is the hardest part and requires a lot of testing.

    Also during this testing you might run into another obstacle when you want to perform an action prevented by another Access Protection rule.

     

    As you surely cannot disable Access Protection itself via the registry, the only workaround would be to use this coverup program name to perform the desired action.

     

    I hope I could be of some help.

     

    Attila

  • jhall1 McAfee Employee 18 posts since
    Aug 23, 2010

    Here you go!

    For VirusScan 8.8, you have to disable Access Protection and change the two registry keys for the task:


    1. Command Prompt:

    net stop McShield    (This disables Access Protection)

    2.

    Then the 2 registry key changes:

    HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\Tasks\{A14CD6FC-3BA8-4703-87BF-E3247CE382F5}

    bSchedEnabled=0 (this value indicates that the schedule is to be disabled)
    bSchConfigChanged=1   (this value indicates to Task Manager that the schedule for this task has changed and needs to be updated)

    3.

    Then restart Access Protection:

    net start McShield
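
The two values named in the answer above can be audited read-only from a registry export. This is an added example, not part of the thread and not McAfee code: it parses the text of a `reg export` of the Tasks key and reports each task's schedule state. The sample export, its second GUID and the function names are constructed for illustration.

```python
import re

# Constructed sample: text of a `reg export` of the VirusScan Tasks key.
# The first GUID and both value names come from the thread; the second
# GUID and all dword values shown here are made up for illustration.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\Tasks\{A14CD6FC-3BA8-4703-87BF-E3247CE382F5}]
"bSchedEnabled"=dword:00000000
"bSchConfigChanged"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\Tasks\{00000000-0000-0000-0000-000000000001}]
"bSchedEnabled"=dword:00000001
'''

TASKS_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\Tasks" + "\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_task_dwords(export_text):
    """Return {task_guid: {value_name: int}} for keys under the Tasks key."""
    tasks, current = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            # Keys outside the Tasks subtree are ignored entirely.
            if path.upper().startswith(TASKS_PREFIX.upper()):
                current = tasks.setdefault(path[len(TASKS_PREFIX):], {})
            else:
                current = None
            continue
        val = DWORD_RE.match(line)
        if val and current is not None:
            current[val.group(1)] = int(val.group(2), 16)
    return tasks

def audit(export_text):
    """Map each task GUID to (schedule state, config-change-pending flag)."""
    report = {}
    for guid, vals in parse_task_dwords(export_text).items():
        enabled = vals.get("bSchedEnabled")  # absent value: report unknown
        state = "unknown" if enabled is None else ("enabled" if enabled else "disabled")
        report[guid] = (state, vals.get("bSchConfigChanged", 0) == 1)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```

A real `reg export` file is UTF-16 encoded, so read it with `encoding="utf-16"` before passing the text to `audit`.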

  • Attila Polinger Veteran 1,161 posts since
    Dec 8, 2009

    Hi,

     

    jhall: stopping McShield could be the easiest way; however, bgavin did not specifically say that he can stop and start the McShield service. Rather, he mentioned that it cannot be stopped when the prevention checkbox is set (obviously, if this were not the case for all or most of his clients, he would not need help). Since no reboots are allowed, setting McShield to manual or disabled (one or both of which might not work anyway, I suppose, due to the AP rule) and then rebooting to stop McShield is not an option.

     

    bgavin: however lame you deem it, you need to use one of the process names already on the exclusion list; otherwise you would need to add a new name to the list, which is another problem if you want to do it via script.

     

    Attila

  • Attila Polinger Veteran 1,161 posts since
    Dec 8, 2009

    Hi bgavin,

     

    Of course no offence was taken and I have not interpreted your reply in any bad sense. :-)

     

    Let me add one comment, though: in my opinion, if Mcupdate.exe had a switch like /disable_task, then any malware would first try to launch the task in this way, and out the window would go updating for the future. Then mcupdate.exe would have to have a different protection and everything would start over again.

     

    I see a reason why a task is disabled the way it is and why it is protected the way it is, and I, as opposed to you, do not consider this type of "hack" a hack; rather, it is using everything that's available to do a specific thing.

     

    The exclusion that I recommended is factory set and does not have to be added to any more servers; at least that was my intention when recommending it.

     

    One thing comes to mind: isn't there a reg.exe that does the same registry operation, which you could use on each server, calling only that .EXE from, say, a login script?

     

    Attila
