Installing an antivirus using Microsoft Software distribution Wizard

(imported topic written by jmlafreniere91)

Hello, we have created a VBS script that installs Symantec Endpoint Protection 11.x antivirus a few months ago. Basically, the script checks if an older version is present and uninstalls it, then checks the OS language to deploy the antivirus based on it. We were deploying it using a GPO, but now we’re trying to transfer all installation GPOs to Bigfix.

I’m trying to create a Bigfix package using the wizard that does the same operations, but it doesn’t seem to be working. The actual action says it is completed, but the antivirus remains not installed on the computer.

I’ve tried uploading the .vbs, the .msi, as well as the whole directory that contains the .msi to the Bigfix server, but it still doesn’t work.

Here’s the VBS script:


Option Explicit

Dim MessageLog

Dim Windows

Dim Machine

Set Windows = WScript.CreateObject("WScript.Shell")

MessageLog = ""

'---------------------------------------------------------------------

' Detect machine name

'---------------------------------------------------------------------

Dim WshNetwork

Set WshNetwork = WScript.CreateObject("WScript.Network")

Machine = WshNetwork.ComputerName

MessageLog = Machine

'---------------------------------------------------------------------

' Checks presence of AV

'---------------------------------------------------------------------

Dim Cle

On Error Resume Next

Cle = Windows.RegRead ("HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection")

If Err.Number <> 0 Then

'---------------------------------------------------------------------

' Detects OS language (1036 / 1033) and machine name

'---------------------------------------------------------------------

Dim strComputer

Dim objWMIService

Dim colOSes

Dim objOS

Dim LangueOS

strComputer = "."

Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colOSes = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")

For Each objOS in colOSes

LangueOS = objOS.OSlanguage

Next

'-----------------------------------------------------------------------

'Disable the password from the registry and uninstalls SAV 8.1

'-----------------------------------------------------------------------

Windows.RegWrite "HKLM\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AdministratorOnly\Security\UseVPUninstallPassword", 0, "REG_DWORD"

Windows.Run "msiexec.exe /x {0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E} /quiet /norestart",TRUE

MessageLog = MessageLog & " | -SAV81"

'---------------------------------------------------------------------

' Installs SEP 11 (OS language based)

'---------------------------------------------------------------------

If LangueOS = 1036 Then

Windows.CurrentDirectory = "\\10.1.7.22\packages\FRENCH"

Windows.Run "msiexec.exe /i ""Symantec AntiVirus.msi"" /quiet /norestart",TRUE

MessageLog = MessageLog & " | +SEP11 FR"

ElseIf LangueOS = 1033 Then

Windows.CurrentDirectory = "\\10.1.7.22\packages\ENGLISH"

Windows.Run "msiexec.exe /i ""Symantec AntiVirus.msi"" /quiet /norestart",TRUE

MessageLog = MessageLog & " | +SEP11 EN"

End If

End If

'---------------------------------------------------------------------

' Creates a log or add to the existing log

'---------------------------------------------------------------------

Dim Sortie

Dim FichierLog

Set FichierLog = CreateObject("Scripting.FileSystemObject")

If FichierLog.FileExists("\\10.0.2.14\pwd$\SEP" & Machine & ".txt") Then

Set Sortie = FichierLog.OpenTextFile("\\10.0.2.14\pwd$\SEP" & Machine & ".txt", 8, True)

Else

Set Sortie = FichierLog.CreateTextFile("\\10.0.2.14\pwd$\SEP" & Machine & ".txt", True)

End If

Sortie.WriteLine MessageLog & " | " & Date & " | " & Time

Sortie.Close

WScript.Quit


Here’s my action script:


Relevance 1

exists value "InstallLanguage" whose (it as string = "040C") of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language" of registry

Action1 (default) (the .MSI only)

Script Type BigFix Action Script

download http://bigfix.cogeco.com:52311/Uploads/f8db246d2cad7a44dbb3037c7ba7b8c2a8246fb6/Symantec%20AntiVirusmsi.tmp

continue if {(size of it = 6110394 AND sha1 of it = "f8db246d2cad7a44dbb3037c7ba7b8c2a8246fb6") of file "Symantec%2520AntiVirusmsi.tmp" of folder "__Download"}

extract Symantec%20AntiVirusmsi.tmp

wait "{pathname of system folder & "\msiexec.exe"}" /i "{(pathname of client folder of current site) & "__Download\Symantec AntiVirus.msi"}" /qn /norestart

OR (the full directory)

download http://bigfix.cogeco.com:52311/Uploads/1b3a0bec776afc136ea150c7c08b556255c4a5ba/ENGLISH.tmp

continue if {(size of it = 100290959 AND sha1 of it = "1b3a0bec776afc136ea150c7c08b556255c4a5ba") of file "ENGLISH.tmp" of folder "__Download"}

extract ENGLISH.tmp

wait "{pathname of system folder & "\msiexec.exe"}" /i "{(pathname of client folder of current site) & "__Download\Symantec Antivirus.msi"}" /qn /norestart


Please help !

JML

(imported comment written by BenKus)

Hi JML,

Wow… that certainly is a long script… My guess is that the problem here is that the agent runs as the SYSTEM account and thus can’t access the file shares… I recommend that you move the script to an action… Here is what I came up with:

For Relevance (this will return TRUE and be relevant if either Symantec isn’t installed OR if it is less than version 11):

(not exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps" of registry) OR (version of file "Rtvscan.exe" of it < ") of (value "SAV Install Directory" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps" of registry as folder)

Action:

// check if old SEP is installed (TODO: Make this check more specific for SEP 8)

if {exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection" of registry}

// change password reg key

regset "[HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AdministratorOnly\Security]" "UseVPUninstallPassword"=dword:00000000

// run the uninstaller (escape the open bracket)

waithidden "{pathname of system folder & "\msiexec.exe"}" /x {{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E} /quiet /norestart

endif

if {system language as lowercase contains "english"}

// download english version (you can upload the file through the software distribution wizard or put it on a webserver somewhere else… make sure the url and sha1 and size are right)

download http://bigfix.cogeco.com:52311/Uploads/f8db246d2cad7a44dbb3037c7ba7b8c2a8246fb6/Symantec%20AntiVirusmsi.tmp

continue if {(size of it = 6110394 AND sha1 of it = "f8db246d2cad7a44dbb3037c7ba7b8c2a8246fb6") of file "Symantec%2520AntiVirusmsi.tmp" of folder "__Download"}

extract Symantec%20AntiVirusmsi.tmp

wait "{pathname of system folder & "\msiexec.exe"}" /i "{(pathname of client folder of current site) & "__Download\Symantec AntiVirus.msi"}" /qn /norestart

elseif {system language as lowercase contains "french"}

// download french version (same as above, but use a french download)

// TODO: fill in french download info

endif

Note: I don’t have Symantec so I didn’t test any of this… please make sure to test the different pathways and let me know if I made a mistake.

The nice thing about a Fixlet like this is that it will only be relevant if SEP is old or not installed… Also, if there is an error, it will tell you which line failed in the relevance.

Ben
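Added example (not part of Ben's post and not BigFix's own tooling): a Python helper that computes the size and SHA-1 that the `continue if` line checks and builds that line, escaping a literal `%` in the downloaded file name as `%25` the way the lines above do. The function names are hypothetical, and the sample file is constructed.

```python
import hashlib
import os
import tempfile


def size_and_sha1(path, chunk_size=1 << 20):
    """Return (size in bytes, lowercase hex SHA-1), reading in chunks."""
    digest = hashlib.sha1()
    size = 0
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
            size += len(block)
    return size, digest.hexdigest()


def relevance_escape(text):
    """Inside a relevance string literal %xx is an escape, so a literal
    '%' is written %25 and a double quote %22."""
    return text.replace("%", "%25").replace('"', "%22")


def continue_if_line(download_name, size, sha1):
    """Build the integrity gate placed between 'download' and 'extract'."""
    return (
        f'continue if {{(size of it = {size} AND sha1 of it = "{sha1.lower()}") '
        f'of file "{relevance_escape(download_name)}" of folder "__Download"}}'
    )


def mismatches(path, expected_size, expected_sha1):
    """List the reasons the gate would stop the action (empty list = pass)."""
    size, sha1 = size_and_sha1(path)
    problems = []
    if size != expected_size:
        problems.append(f"size {size} != {expected_size}")
    if sha1 != expected_sha1.lower():
        problems.append(f"sha1 {sha1} != {expected_sha1.lower()}")
    return problems


if __name__ == "__main__":
    # Constructed stand-in for an uploaded package (not the real MSI).
    with tempfile.NamedTemporaryFile(delete=False, suffix=".tmp") as tmp:
        tmp.write(b"constructed sample payload")
    size, sha1 = size_and_sha1(tmp.name)
    print(continue_if_line("Sample%20Package.tmp", size, sha1))
    print(mismatches(tmp.name, size + 1, sha1))  # size drift is reported
    os.unlink(tmp.name)
```

Running `mismatches` against the file actually staged on the server before sending the action shows which of the two values is stale when the action stops at the `continue if` line.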

(imported comment written by jmlafreniere91)

Thanks Ben, I might have found another way to do it but I’ll give this one a shot.

(imported comment written by jmlafreniere91)

Ben, I’ve tried this for the relevance:

exists key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language" whose (value "InstallLanguage" of it as string = "0409") of registry AND (not exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps" of registry) OR (version of file "Rtvscan.exe" of it < ") of (value "SAV Install Directory" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps" of registry as folder)

And it doesn’t work, too many relevant computers that are in fact not relevant.

Can you tell me what I’m doing wrong ?

Jim

(imported comment written by BenKus)

Try it in the Relevance Debugger on a computer and see if that helps… It is very hard for us to know what is wrong with this expression and it would be better if you could pinpoint the subexpression that is giving you the issue.

Ben

(imported comment written by jmlafreniere91)

Hi Ben, I have downloaded the Relevance Debugger and extracted the files, as instructed. When I copy/paste my relevance or even if I try the example “name of operating system” and I click “Evaluate”, it doesn’t return anything. Anything else I should try ?

(imported comment written by MattBoyd)

In the debugger, go to View -> New Single Clause Tab. You should be able to see the results then.

As a side note, I’m working on an SEP issue right now. Sometimes I feel like most viruses would cause less trouble than SEP does :)

(imported comment written by jmlafreniere91)

Ok, now I know how to make the Relevance Debugger work, but I’m still scratching my head of the reason why it is still relevant on my computer.

exists key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language" whose (value "InstallLanguage" of it as string = "0409") of registry AND (not exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps" of registry) OR (version of file "Rtvscan.exe" of it < ") of (value "SAV Install Directory" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps" of registry as folder)

The result is TRUE, so it means it will install the software which is already up to date in my case.

(imported comment written by BenKus)

Try breaking it down more in the relevance debugger… Use the “new QnA tab” and then separate the clauses with a “Q:” like this:

q: exists key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language" whose (value "InstallLanguage" of it as string = "0409") of registry

q: (not exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps" of registry)

q: (version of file "Rtvscan.exe" of it < ") of (value "SAV Install Directory" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps" of registry as folder)

See if that helps,

Ben

(imported comment written by jmlafreniere91)

Ok, it’s this part that is TRUE:

(version of file "Rtvscan.exe" of it < ") of (value "SAV Install Directory" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps" of registry as folder)

I’ve just realized that although the SEP client version is 11.0.5002.333, Rtvscan.exe version is 11.0.5002.290 (1). I’ll check if it works that way and I’ll keep you posted.

Thanks,

Jim

(imported comment written by jmlafreniere91)

Hi Ben, when changing the version of Rtvscan.exe to 11.0.5002.290, the relevance returns as FALSE, but I still have computers that are considered relevant even though the 3 relevances are false. I don’t understand the way it works.

(imported comment written by BenKus)

Hey Jim,

If the relevance is false, the agent should report the Fixlet unrelevant. If you updated the Fixlet and see some computers that aren’t reporting properly, it could be that they are offline (and thus haven’t seen the new update you sent), haven’t got the updated Fixlet yet (possibly due to a communications issue), or haven’t reported it yet.

Usually if you just wait a bit, these issues resolve themselves when the agent checks-in again or re-reports… You can force it by right-click send refresh… And it is also possible that your console cache has some corruption so if the problem persists you can try to clear your cache…

Ben