Regset and regdelete

(imported topic written by SystemAdmin)

I’m trying to modify some McAfee settings via BigFix since I’m having some trouble with ePO.

However, I am preventing modification of the McAfee settings via VirusScan. So things like reg.exe and regedit.exe will be blocked if they try to write to those areas.

I thought I was going to get creative by allowing besclient.exe to write to the mcafee settings and adding that as an exclusion in ePO. But it looks like regset and regdelete actually shell out regedit.exe?

Paul

(imported comment written by BenKus)

Yep… that is how it works today (it may change later)…

I have seen McAfee (and other products) do some very weird things to keep their settings from changing so I am not sure if you will have success with other methods… you can try using vbscript and see if it helps…

Ben

(imported comment written by SystemAdmin)

Yeah the way VirusScan works is that it blocks everything, unless the process name is excluded (literal or wildcard). So I could do something quick and dirty like in the action copy the local regedit.exe as a new temporary filename like, WriteThoseDarnSettings90210.exe. In epo, I’d have to go under “access protection” and under one of the protection rules I’d permanently exclude WriteThoseDarnSettings90210.exe or wildcard exclude it like WriteThoseDarn*.exe. I’d just have to make sure to delete the local EXE when done, because the rule allowing it as that name would always be there.

That’s why I was thinking of excluding BesClient.exe - until I discovered it wasn’t modifying the registry directly, but using RegEdit.exe to do it.

vbscript won’t work either. I’d have to exclude wscript.exe or cscript.exe, which is dangerous as well. (Unless I do the same trick, copying it as a temp filename).

Paul

(imported comment written by SystemAdmin)

For what it’s worth, here’s what I came up with…

As I mentioned before, you can add an exclusion in ePO to allow various EXEs to modify the VirusScan settings. ePO has a number of pre-defined exclusions already in place. I found that I could “cheat” by copying the local regedit.exe as a new filename, which is allowed as an exclusion. While you cannot run regedit.exe interactively as a differently named EXE under Vista (it appears), you can still run it silently to import .reg files.

Here’s an example of creating/appending McAfee VirusScan scriptscan URL exclusions, which is stored in a REG_MULTI_SZ. Note, I’m using a .reg header of “Windows Registry Editor Version 5.00” because the REG_MULTI_SZ is in unicode format.

Assumption: ePO has an exclusion in place for Setup*.exe to allow VirusScan setting modifications.

Tested: I tested this with Windows 2000, XP and Vista

Title:

McAfee VirusScan 8.5/8.7 ScriptScan exclusion for desired-exclusion-goes-here

Relevance:

((((name of operating system as lowercase starts with "win") AND (not exists key "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion" whose (exists value "ProductId" of it OR exists value "CommonFilesDir" of it) of registry AND not exists values "PROCESSOR_ARCHITECTURE" whose (it as string as lowercase = "ia64") of keys "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of registry))) AND (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\Script Scanner" whose (not exists value "ExcludedURLs" of it or exists value "ExcludedURLs" whose ((set of substrings separated by "%00" whose (it != "") of (it as string as lowercase) of it) does not contain "desired-exclusion-goes-here") of it) of registry AND exists key "HKEY_LOCAL_MACHINE\Software\McAfee\DesktopProtection" of registry)) AND (exists value whose (name of it = "szProductVer" AND (it >= "8.5" and it <= "8.7") of (it as string as version)) of keys "HKEY_LOCAL_MACHINE\Software\McAfee\DesktopProtection" of registry)

Action:

delete __appendfile

delete scriptscan_exclude.reg

appendfile Windows Registry Editor Version 5.00

appendfile

appendfile [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\Script Scanner]

appendfile "ExcludedURLs"=hex(7):{concatenation "," of ((concatenation ",00," of (characters of it as hexadecimal) & ",00,00,00") of (substrings separated by "%00" whose (it != "") of (it as string as lowercase) of ((if (exists value "ExcludedURLs" of key "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\Script Scanner" of registry) then (it as string) of value "ExcludedURLs" of key "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\Script Scanner" of registry else "") ; "desired-exclusion-goes-here"))) & ",00,00"}

move __appendfile scriptscan_exclude.reg

copy {pathname of windows folder}\regedit.exe setup_regedit.exe

wait setup_regedit -s scriptscan_exclude.reg

delete setup_regedit.exe
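The hex(7) encoding that the appendfile line above builds by hand (UTF-16LE characters, a 00,00 terminator per string, one more 00,00 closing the list) is easy to get wrong, so here is an added Python example, not part of the original post, that generates the same .reg content offline and decodes it back for checking. It assumes the existing ExcludedURLs value arrives in the "%00"-separated string form the relevance above splits on; the sample values are constructed.

```python
from typing import List

REG_HEADER = "Windows Registry Editor Version 5.00"
SCRIPTSCAN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\Script Scanner"


def reg_multi_sz_hex(values: List[str]) -> str:
    """Encode strings as the hex(7) REG_MULTI_SZ form used in a .reg file.

    Each string is UTF-16LE followed by a NUL (00 00); one extra NUL
    terminates the whole list, matching the trailing ",00,00" above.
    """
    data = b"".join(v.encode("utf-16-le") + b"\x00\x00" for v in values)
    return "hex(7):" + ",".join(f"{b:02x}" for b in data + b"\x00\x00")


def decode_reg_multi_sz_hex(encoded: str) -> List[str]:
    """Inverse of reg_multi_sz_hex; use it to verify a generated value line."""
    if not encoded.startswith("hex(7):"):
        raise ValueError("not a hex(7) value")
    hex_bytes = encoded[len("hex(7):"):].split(",")
    data = bytes(int(h, 16) for h in hex_bytes if h)
    return [s for s in data.decode("utf-16-le").split("\x00") if s]


def parse_existing_exclusions(raw: str) -> List[str]:
    """Split the '%00'-separated multi-string form, lower-cased, empties dropped
    (same normalisation the relevance applies before comparing)."""
    return [s.lower() for s in raw.split("%00") if s != ""]


def build_scriptscan_exclusion_reg(existing_raw: str, new_exclusion: str) -> str:
    """Return .reg text that appends new_exclusion once, never duplicating it."""
    entries = parse_existing_exclusions(existing_raw)
    wanted = new_exclusion.lower()
    if wanted not in entries:  # same guard the relevance expresses
        entries.append(wanted)
    lines = [
        REG_HEADER,
        "",  # blank line required after the header
        f"[{SCRIPTSCAN_KEY}]",
        f'"ExcludedURLs"={reg_multi_sz_hex(entries)}',
        "",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: one existing exclusion, one to add.
    print(build_scriptscan_exclusion_reg("intranet.example%00", "Desired.Example"))
```

Importing the resulting file silently with regedit -s, as the action does, writes exactly the bytes the decoder recovers, so the round trip is a cheap pre-deployment check.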