4 Replies. Latest reply: Jan 23, 2013 10:47 AM by vandreytrindade

    Deny framework from being uninstalled...

    vandreytrindade

      Hi,

       

      I'm using ePO to manage VirusScan on the computers in my organization.

      All users have administrator rights on the machines and they are able to uninstall the framework using the command line:

       

      • "C:\Program Files (x86)\McAfee\Common Framework\FrmInst.exe" /forceuninstall

       

      Is there a way to prevent the framework from being uninstalled that way?

      Using policies in ePO... NTFS permissions or something else?

        • 1. Re: Deny framework from being uninstalled...
          wwarren

          Yes, but you will unavoidably break something (such as any hopes of upgrading). So this type of action is not supported.

           

          There is a commonly requested product enhancement of wanting to password protect the removal of our software (instead of taking away admin privileges).

          But, arguably there's a need within companies to monitor and even sanction what users with admin privileges do instead of relying on software to protect itself from administrators. The Windows security model means Administrators have full control of everything - all software can do is make it more difficult for them.
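
The monitoring approach raised in the reply above can be applied to process-creation records by matching the command quoted in the question. This is an added example, not part of the original thread and not McAfee code; the record layout (`host`, `user`, `command_line`) and the sample records are constructed for illustration.

```python
import re

# Executable name and switch are taken from the command quoted in the thread.
_IMAGE = re.compile(r'(?:^|[\\/\s"])frminst\.exe"?(?=\s|$)', re.IGNORECASE)
_SWITCH = re.compile(r'[\s"]/forceuninstall(?=$|[\s"])', re.IGNORECASE)


def is_forced_uninstall(command_line):
    """True when FrmInst.exe is launched and /forceuninstall follows it."""
    image = _IMAGE.search(command_line)
    if image is None:
        return False
    # Only look for the switch after the executable, so text that merely
    # appears earlier on the line does not count as a match.
    return _SWITCH.search(command_line, image.end()) is not None


def find_agent_removals(events):
    """Return (host, user, command_line) for each matching process creation."""
    return [(e["host"], e["user"], e["command_line"])
            for e in events
            if is_forced_uninstall(e.get("command_line") or "")]


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"host": "WS-014", "user": "CORP\\alice", "command_line":
     r'"C:\Program Files (x86)\McAfee\Common Framework\FrmInst.exe" /forceuninstall'},
    {"host": "WS-022", "user": "CORP\\bob", "command_line":
     r'cmd.exe /c ""C:\Program Files (x86)\McAfee\Common Framework\FrmInst.exe" /FORCEUNINSTALL"'},
    {"host": "WS-031", "user": "CORP\\carol", "command_line":
     r'"C:\Program Files (x86)\McAfee\Common Framework\FrmInst.exe" /install=agent'},
    {"host": "WS-040", "user": "CORP\\dave", "command_line":
     r'C:\Tools\notfrminst.exe /forceuninstall'},
    {"host": "WS-055", "user": "CORP\\erin", "command_line": None},
]

if __name__ == "__main__":
    for host, user, cmd in find_agent_removals(SAMPLE_EVENTS):
        print(f"{host}\t{user}\t{cmd}")
```

Records with no command line, as happens when command-line auditing is not enabled for process creation, are skipped rather than matched.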

          • 2. Re: Deny framework from being uninstalled...
            vandreytrindade

            Alright...

            The problem I'm facing is that the organization has no sanctions for the users who uninstall critical software...

             

            The password protection sounds nice and is something that can be enabled/disabled if the organization wants.

            Why doesn't McAfee give us the option to do it?

            • 3. Re: Deny framework from being uninstalled...
              wwarren

              I believe we want to, it's just a question of when. Normally something like this would be considered for inclusion in a future product release, and Support can't provide you much insight into what future products will look like or when they'll be available - at least, not until those releases are closer to an actual release date.

               

              If you have a Support Account Manager (SAM/RSAM), you could ask them about future releases.

               

               

              I could suggest trying to use VSE's access protection feature to assist you in hindering your admins, but I don't want someone to incorrectly create an AP rule and wind up trashing their network - which is entirely possible with bad AP rules. So, as long as you're careful with the rules and test them thoroughly before rolling them out, it's a plausible solution.

              • 4. Re: Deny framework from being uninstalled...
                vandreytrindade

                Ok wwarren.

                 

                Thanks for your time and patience!

                Have a nice day.