Networking Forums: Linux Networking

OT: Virus scanner registry keys

#1  02-04-2005, 04:38 PM

I know at least some of you have to deal with Windows machines on your
network. I have asked everywhere else I can think to.

I am trying to develop a program that scans Windows machines to make
sure they won't destroy the network. I check for SP2 and virus scanner
existence currently. I want to check to be sure the scanner is set up
to scan periodically, not just by user intervention, and that it has
been used recently and came up clean. These things I am having trouble
finding and deciphering in the registry.

Students in the Dorms tend to not ever use the virus scanner. So it is
up to date, and the service is running, for all the good it does. They
still get infected because they never scan...then I have to deal with
it, and I hate windows.

Anyway, if anyone has any information on these values and keys or knows
a place where the information is available (I have even contacted
McAfee and am still waiting...Norton has no damn address or anything on
their site, but I will continue attempting)...



Noah Roberts
#2  02-04-2005, 05:59 PM
prg


Noah Roberts wrote:
> I know at least some of you have to deal with Windows machines on your
> network. I have asked everywhere else I can think to.
>
> I am trying to develop a program that scans Windows machines to make
> sure they won't destroy the network. I check for SP2 and virus scanner
> existence currently. I want to check to be sure the scanner is set up
> to scan periodically, not just by user intervention, and that it has
> been used recently and came up clean. These things I am having trouble
> finding and deciphering in the registry.
>
> Students in the Dorms tend to not ever use the virus scanner. So it is
> up to date, and the service is running, for all the good it does. They
> still get infected because they never scan...then I have to deal with
> it, and I hate Windows.
>
> Anyway, if anyone has any information on these values and keys or knows
> a place where the information is available (I have even contacted
> McAfee and am still waiting...Norton has no damn address or anything on
> their site, but I will continue attempting)...


Sympathize with your problems, but you may not want to go down this
road of remote registry access given the wide range of Win versions and
the real potential of leaving the registry wide open for _any_ remote
access if you don't get it right for each and every client setup. Yet
more proof of MS's brain-dead implementation of this _vital_ system
file.

Besides, these are not _your_ machines, so you may end up being
responsible for anything that goes "wrong" with them despite your pleas
that your editing/mucking with registry was not the fault. Put
yourself in their shoes if _your_ laptop "broke". You may not be able
to resist the outcry;(

We tried using this approach at the school district just to monitor
that _we_ had set up _our_ (~2500) machines correctly, and ... what a
headache.

Best would be to have a directory service and Win policy that enforced
starting/running the AV software on each client. Not easy in any case
and may be nearly impossible in a college setting with students'
laptops. We were running a NetWare net and eventually went with
ZenWorks to lock down and configure startup of _our_ computers.

We also relented and now scan all email moving through the system.
Even reduced that by having local email service/accounts only for staff
-- students have to use a web-based email account of their choosing,
Yahoo, etc. They rarely used their local accounts anyway since they
weren't accessible off-campus. Having an off-campus, web email account
is also useful when students need a quick-n-dirty way of making a
"backup" of the term papers they worked on in the labs/library --
just mail it to themselves.

Pegasus Mail will go far in reducing email-borne viruses. Since it's
free, we've used it for years in the schools. It does not provide the
same level of integration as Outlook, which causes some users to
complain, but makes mail admins shout with joy;-)

That said, you still need some way to ensure the AV software _is_
running to automatically scan at least new files and incoming email --
scanning outgoing email will boink many mail server setups. IIRC, you
are making the AV software available on your site and installing it
when students first set up on the network.

Perhaps you can come up with a script that runs after the AV install
that sets the registry values needed to ensure and lock how the AV
software runs. Setting registry values is probably easy enough, but I
haven't looked at what you can do with the policy editor lately. And
rather than testing the registry at each login, you could write your
own, encrypted "license" file that you read for proper checks. A
script that runs the AV? A downloaded/login script kicker that runs a
previously installed AV startup/run script on the client?

These are off-the-top ideas I've used in various contexts, not
together, and not for network "authorization" of any kind. Also
haven't looked lately at how Novell ZenWorks is coming along on Linux
-- maybe this weekend? Will try to look into "locking down" AV setup
on clients. No, not 'cause I'm such a great guy, but because this is
a recurring problem I've not looked into for some time. And I really
should look into it these days.

I'll get back with anything I find that may be useful to you.

good luck,
prg
email above disabled

#3  02-04-2005, 06:40 PM
Noah Roberts

prg wrote:
> Sympathize with your problems, but you may not want to go down this
> road of remote registry access given the wide range of Win versions and
> the real potential of leaving the registry wide open for _any_ remote
> access if you don't get it right for each and every client setup. Yet
> more proof of MS's brain-dead implementation of this _vital_ system
> file.


I won't be doing remote registry access. This is local. The user
downloads a program and runs it before they are allowed to access the
network. Some of the ideas I have seen in other versions of this type
of program I will also use, such as possibly forcing the user to set an
administrator password (maybe not though since being able to hack in
through insecure admin accounts has helped us several times.)

I don't necessarily need to 'lock down' any settings, I just need to
make sure the system is relatively safe before allowing it to access
servers and such. We are trying to keep down the damage done by things
like Blaster as well.

Currently I have figured out how to find out if the virus scanner is up
and running. I am working on deciphering the On-Access settings and
such, but there are a lot of values in there. I think the only way to
make sure the system has been scanned at this point is to initiate a
scan, I can't find anything that will really help me decide if one has
been done. At least with McAfee I can find the cmd line program and
start it.

I am rather hindered by the fact that all these programs use different
keys and settings even among versions of the same product. I have
access to a limited subset of these programs. Is the program output of
the cmd line program even going to be the same from version to version?

Another thing we have thought of, to make sure that the system continues
to operate safely, is to have a service run on the client computer that
polls a server every once in a while and tells it that everything is as
it should be...or the system gets unregistered.

If it was up to me I think I would require that no windows computers
are allowed access to the network at any time...but I can't exactly do
that.

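The client service plus server-side registration expiry that the post above sketches, written out as an added example (not code from the thread or from any product mentioned in it). The class and method names, the 10-minute timeout and the two "dorm-pc" hosts are constructed assumptions; the point is that the server's expiry sweep, not the client, is what actually enforces the policy: a host that goes silent or reports a failed self-check loses its registration and has to go through the full check again.

```python
"""Registration-with-heartbeat model: a client service 'touches' the server
periodically; the server drops any host that stops touching or whose own
checks fail.  Added example, not the thread author's code; names and the
timeout are assumptions, the timeline in simulate() is constructed."""
from dataclasses import dataclass, field


@dataclass
class RegistrationServer:
    """Tracks which hosts are registered and when each last reported in."""
    timeout: float                      # seconds a host may stay silent
    # host id -> time of the last accepted heartbeat
    registrations: dict = field(default_factory=dict)
    # hosts dropped because they went silent or failed their self-check
    expired: list = field(default_factory=list)

    def register(self, host_id: str, now: float) -> None:
        """Called once the client passed the initial check (SP2, AV present)."""
        self.registrations[host_id] = now

    def heartbeat(self, host_id: str, now: float, checks_ok: bool) -> bool:
        """Accept a touch from the client service.

        Returns True if the host remains registered.  An unregistered host is
        refused (it must re-register through the full check); a host whose own
        service reports a failed check is dropped immediately."""
        if host_id not in self.registrations:
            return False
        if not checks_ok:
            self._drop(host_id)
            return False
        self.registrations[host_id] = now
        return True

    def sweep(self, now: float) -> list:
        """Drop every registration whose last heartbeat is older than timeout.
        Silence alone is enough to lose the registration."""
        stale = [h for h, last in self.registrations.items()
                 if now - last > self.timeout]
        for h in stale:
            self._drop(h)
        return stale

    def is_registered(self, host_id: str) -> bool:
        return host_id in self.registrations

    def _drop(self, host_id: str) -> None:
        del self.registrations[host_id]
        self.expired.append(host_id)


def simulate() -> dict:
    """Constructed timeline: two hosts register, one keeps touching, one goes
    silent after its first heartbeat."""
    server = RegistrationServer(timeout=600.0)      # 10 minutes, assumed value
    server.register("dorm-pc-1", now=0.0)
    server.register("dorm-pc-2", now=0.0)
    # t=300: both still healthy
    server.heartbeat("dorm-pc-1", now=300.0, checks_ok=True)
    server.heartbeat("dorm-pc-2", now=300.0, checks_ok=True)
    # t=900: only pc-1 reports; pc-2 has been silent exactly 600 s (not yet over)
    server.heartbeat("dorm-pc-1", now=900.0, checks_ok=True)
    dropped_at_900 = server.sweep(now=900.0)
    # t=1500: pc-2 silent for 1200 s -> the sweep drops it
    dropped_at_1500 = server.sweep(now=1500.0)
    # a dropped host's next touch is refused until it re-registers
    refused = not server.heartbeat("dorm-pc-2", now=1510.0, checks_ok=True)
    return {"dropped_at_900": dropped_at_900,
            "dropped_at_1500": dropped_at_1500,
            "refused": refused,
            "pc1_registered": server.is_registered("dorm-pc-1")}


if __name__ == "__main__":
    print(simulate())
```

Two things the toy leaves out that a real deployment needs: the touch has to be tied to the host that registered (otherwise one machine can keep another's registration alive), and the client service itself can be stopped by the user, which is exactly why the server-side expiry, rather than anything on the client, is the enforcement point.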
#4  02-15-2005, 04:05 AM
prg

Noah Roberts wrote:
[snip]
> Currently I have figured out how to find out if the virus scanner is up
> and running. I am working on deciphering the On-Access settings and
> such, but there are a lot of values in there. I think the only way to
> make sure the system has been scanned at this point is to initiate a
> scan, I can't find anything that will really help me decide if one has
> been done. At least with McAfee I can find the cmd line program and
> start it.
>
> I am rather hindered by the fact that all these programs use different
> keys and settings even among versions of the same product. I have
> access to a limited subset of these programs. Is the program output of
> the cmd line program even going to be the same from version to version?
>
> Another thing we have thought of, to make sure that the system continues
> to operate safely, is to have a service run on the client computer that
> polls a server every once in a while and tells it that everything is as
> it should be...or the system gets unregistered.
>
> If it was up to me I think I would require that no windows computers
> are allowed access to the network at any time...but I can't exactly do
> that.

As I mentioned in another post, this McAfee AV searching turned up
nothing really useful or informative.

Seems that with the release of V.7 McAfee really went corporate
and even pulled back on the amount of documentation readily available.
Everything re: installation and monitoring is geared to their own
products (surprise!):
Installation Designer
ePolicy Orchestrator
Pretty much summed up by:
http://techrepublic.com.com/5100-6313_11-5053908.html

Tried but failed to even find any SNMP/MIB info except for V4.5.

Seems that short of rolling your own solution, you're stuck with using
one of their products.

I did find some KiXtart scripts that provide what I think you are
already providing when students first establish themselves on the
campus network. Some of them try to read/manipulate the registry as
part of the install script, but didn't find anything that actually
"enforces" any policy like, "to log on to the network you must have AV
running and set to autoscan downloaded docs/emails".

Then the more I thought about the problem, the more I convinced myself
that about all you can really do is check for installation and monitor
if it is running. At least with your own monitoring daemon you might
need to do no more than read the registry or check for currently
running apps (similar to reading the Task List). I don't think you
could set registry values and expect them to remain that way in your
environment. It's not easy even in a situation where the computers are
fully under your control.

But I could not find any code that monitors the running state of AV.
MIBs would sure be nice for that.

Best links I could come up with that _might_ be worth a spare time look
(when you're bored/restless):
http://www.adminscripteditor.com/scr...rary/index.asp
http://www.utdallas.edu/~pauls/scripts.html
http://cwashington.netreach.net/depo...ptType=command
http://www.google.com/search?num=50&...iates%5CTVD%5D
http://www.mibdepot.com/cgi-bin/vend...r=na&id=231231
http://www.mibdepot.com/cgi-bin/vend...?r=na&id=22054

Maybe someone else will find some use for them...

sorry no help,
prg
email above disabled

#5  02-15-2005, 06:20 AM
Noah Roberts

prg wrote:

> As I mentioned in another post, this McAfee AV searching turned up
> nothing really useful or informative.
>
> Seems that with the release of V.7 McAfee really went corporate
> and even pulled back on the amount of documentation readily available.


Yeah, they don't reply to their corporate users either. Maybe my boss
will shove some napalm up their butts...

>
> Seems that short of rolling your own solution, you're stuck with using
> one of their products.


The trick is finding all the damn keys. Not only that, but they
periodically change the format of important keys. Like today I just
found yet another different date format in the damn registry on one of
the students' computers. I'm like, "Yeah well it wouldn't work anymore
now would it..." Pain in the ass. This one even breaks my new code
that I thought should account for most of their BS.
>
> I did find some KiXtart scripts that provide what I think you are
> already providing when students first establish themselves on the
> campus network. Some of them try to read/manipulate the registry as
> part of the install script, but didn't find anything that actually
> "enforces" any policy like, "to log on to the network you must have AV
> running and set to autoscan downloaded docs/emails".


The trick is that they must run the program to log in, and the program
won't let them log in if they don't have XXX.
>
> Then the more I thought about the problem, the more I convinced myself
> that about all you can really do is check for installation and monitor
> if it is running. At least with your own monitoring daemon you might
> need to do no more than read the registry or check for currently
> running apps (similar to reading the Task List). I don't think you
> could set registry values and expect them to remain that way in your
> environment. It's not easy even in a situation where the computers are
> fully under your control
>
> But I could not find any code that monitors the running state of AV.
> MIBs would sure be nice for that.


That is a thought. The answer we came up with, if we want to do it, is
to install a service. The service checks the status of certain registry
values and that other important services are running. Windows' version
of daemons. Then this service touches the main server from time to time
to keep the registration active. If the server doesn't get this touch
after a while it destroys that registration and the user has to go
through the whole thing again.

I think with all the BS going on in the registry it would also have to
be self updating. What is really scary is I am pretty sure I could do
all of this without the student knowing at all.

About MIBs, does Windows actually speak SNMP? Would there be such a
thing as a MIB for a virus scanner that you could look at on student
computers? That is something I never ever thought of.
>
> Best links I could come up with that _might_ be worth a spare time look
> (when you're bored/restless):


Happens a lot, I'm sure I will.

Thanks.
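The "yet another date format" problem from the post above, together with the "used recently and came up clean" check from the first post, as an added example that is not from the thread: which registry value holds the last-scan time, and in which representations, is product- and version-specific and the thread does not say, so the text formats, the numeric interpretations (Unix seconds and a Windows FILETIME) and all sample values here are constructed assumptions. The design choice worth noticing is that an unrecognised value fails the check rather than crashing or silently passing the machine, so a format change in the next product version costs the student a fresh scan instead of costing you a hole in the check.

```python
"""Tolerant parsing of a 'last scan' timestamp plus a fail-closed freshness
check.  Added example, not code from the thread; the formats and the sample
values in demo() are constructed stand-ins for the variety the poster saw."""
from datetime import datetime, timedelta
from typing import Optional, Tuple

EPOCH_1970 = datetime(1970, 1, 1)       # Unix epoch (naive UTC throughout)
EPOCH_1601 = datetime(1601, 1, 1)       # Windows FILETIME epoch

# strptime patterns to try in order; assumed, extend as new formats turn up
TEXT_FORMATS = ("%Y-%m-%d %H:%M:%S", "%Y-%m-%dT%H:%M:%S", "%m/%d/%Y %H:%M")


def _strptime_any(text: str, formats) -> Optional[datetime]:
    for fmt in formats:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    return None


def _from_number(n: int) -> Optional[datetime]:
    """Interpret an integer by magnitude: FILETIME ticks (100 ns since 1601)
    are ~1e17 for this era, Unix seconds ~1e9; anything smaller is rejected."""
    if n >= 10**16:
        return EPOCH_1601 + timedelta(microseconds=n // 10)
    if n >= 10**8:
        return EPOCH_1970 + timedelta(seconds=n)
    return None


def parse_last_scan(raw) -> Optional[datetime]:
    """Return a naive-UTC datetime, or None when the value is not understood."""
    if raw is None:
        return None
    if isinstance(raw, bytes):           # e.g. REG_BINARY little-endian FILETIME
        if len(raw) != 8:
            return None
        raw = int.from_bytes(raw, "little")
    if isinstance(raw, int):
        return _from_number(raw)
    if isinstance(raw, str):
        text = raw.strip()
        if text.isdigit():
            # all digits: an 8-digit value is YYYYMMDD, anything else a number
            if len(text) == 8:
                return _strptime_any(text, ("%Y%m%d",))
            return _from_number(int(text))
        return _strptime_any(text, TEXT_FORMATS)
    return None


def scan_is_recent(raw, now: datetime, max_age: timedelta) -> Tuple[bool, str]:
    """Decide whether the machine passes the 'scanned recently' check.

    Fails closed: missing, unparseable or future-dated values are refused."""
    when = parse_last_scan(raw)
    if when is None:
        return False, "last-scan value missing or in an unknown format"
    if when > now + timedelta(minutes=5):
        return False, "last-scan value is in the future (clock or format problem)"
    age = now - when
    if age > max_age:
        return False, f"last scan {age.days} days ago exceeds limit"
    return True, "ok"


def demo() -> dict:
    """Run the check over constructed sample values; 'now' is fixed so the
    result is reproducible."""
    now = datetime(2005, 2, 15, 6, 20)               # constructed reference time
    limit = timedelta(days=7)
    samples = {
        "iso": "2005-02-04 16:38:00",
        "us_slash": "02/04/2005 16:38",
        "compact": "20050204",
        "unix_str": "1107535080",                    # 2005-02-04 16:38:00 UTC
        "filetime_int": 127520086800000000,          # same instant as FILETIME
        "filetime_bin": (127520086800000000).to_bytes(8, "little"),
        "fresh": "2005-02-14 02:00:00",
        "future": "2005-03-01 00:00:00",
        "unknown": "04.02.2005",                     # not in TEXT_FORMATS
        "missing": None,
    }
    return {name: scan_is_recent(v, now, limit) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:13s} {'PASS' if ok else 'FAIL'}  {why}")
```

The numeric branch decides by magnitude rather than by any product-specific rule, so it is an assumption to re-check against the values you actually find; the reason string is there so the client program can tell the student why they are being sent to run a scan.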