Software Distribution, Anti-Virus, and UAC are giving me a headache!

(imported topic written by damen91)

Hey guys,

I’m trying to use BigFix to deploy Sophos (Anti-Virus) to our users to replace TrendMicro.

The Sophos installer is smart enough to uninstall Trend for us, but requires user interaction (you cannot force that part to run silently).

Unfortunately, when you push it with BigFix, they are never prompted. From playing around, I’ve discovered that if you set it to run as the current user, instead of as system, AND you disable UAC on the computer you’re deploying to, it works great. If you don’t disable UAC, they never get prompted (not even the UAC priv escalation prompt), and if it’s run as system they never get prompted.

Obviously this is not a solution. We can’t go disabling UAC on everyone’s computer (especially since it requires a reboot to disable).

Anyone know a workaround for this? This is really high priority for us.

(imported comment written by BenKus)

Hey Damen,

When you run a process as the SYSTEM account, you can’t see any dialogs that the process launches (this is how Windows works).

Perhaps use a separate Fixlet to uninstall TrendMicro and then install Sophos after…

Ben

(imported comment written by damen91)

It’s astonishingly hard to uninstall Trend, as it happens. That’s why we like that the Sophos installer does it for us.

Is there no way to get bigfix to show users the UAC elevation (or allow the UAC elevation to happen) while running as current user?

(imported comment written by BenKus)

Hey Damen,

Our options are limited by Windows…

  • Windows doesn’t allow services to interact with the desktop anymore (because it could lead to escalation or privileges like the “shatter attack”). So you can run the uninstall as SYSTEM, but no user can see any dialogs.
  • Windows UAC is designed specifically to prevent situations exactly like what you are trying to do (make admin changes in the background). I am not sure of the exact reason why it is not prompting you, but UAC causes lots of problems like this.

I don’t know much about uninstalling Trend (other than the version that we install ourselves)… Is there any tool or script you can run to uninstall TM?

Ben

(imported comment written by damen91)

Yes, but we need to run them via bigfix, and they all wind up having the exact same problem as our other method :-/

(imported comment written by bxk)

If their uninstall utility has to be run interactively, you might want to write a fixlet to do whatever the uninstaller would do.

You might want to set this to only run when a user isn’t logged in, so you don’t have to also kill the user process of Trend’s A/V scanner.

  1. Set the machine to be pending reboot.

  2. Stop all the trend services.

  3. Kill all of the Trend processes, just to make sure they’re not running.

  4. Delete all the trend services using sc.exe

  5. Delete all the registry keys that start the Trend product

  6. Delete the Trend installation directory

  7. Delete the Trend uninstall key and registry settings (so the sophos installer doesn’t detect it)

  8. Reboot the system (using a post action)

For your Sophos installer task you may want to add the requirement that Trend isn’t installed and isn’t pending reboot.

As long as that works, I’d:

  • Push out the Sophos Installer action, which won’t be relevant until the uninstall completes and the machine reboots.
  • Push out the uninstall task and in the action dialog box require it to run when no user is logged in.
  • Tell your users to logout of their computers for the evening, but to leave them powered on.
  • Have a team party, celebrating the successful migration.
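As an added example (not bxk’s code, and not anything from BigFix, Sophos or Trend Micro), here is the eight-step procedure above written as one PowerShell script that the uninstall fixlet could run as SYSTEM. Every service, process, directory and registry name in it is a hypothetical placeholder, because the thread never names the real ones; fill them in from the installed product before use. Step 1 (marking the machine pending restart) and step 8 are normally the fixlet’s own job, since a BigFix action can declare that it requires a restart, so the script only reboots when explicitly asked. Note that the services must be stoppable first: as damen91 and SystemAdmin say later in the thread, a Trend uninstall password or self-protection setting will make the stop step fail until it is removed.

```powershell
# Added example, not code from bxk, BigFix, Sophos or Trend Micro.
# Every "Placeholder*" value is hypothetical: the thread does not name the real
# service, process, directory or registry names. Fill them in before use.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$ServiceNames  = @('PlaceholderFwSvc', 'PlaceholderAvSvc'),
    [string[]]$ProcessNames  = @('PlaceholderAvTray', 'PlaceholderAvScan'),
    [string]  $InstallDir    = 'C:\Program Files\PlaceholderAV',
    # Autostart values (step 5) and product/uninstall keys (step 7) to remove.
    [string[]]$RunValueNames = @('PlaceholderAvTray'),
    [string[]]$RegistryKeys  = @(
        'HKLM:\SOFTWARE\PlaceholderVendor',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PlaceholderAV'
    ),
    [switch]  $Reboot
)

$ErrorActionPreference = 'Stop'
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Guard: must be elevated. When BigFix runs the action as SYSTEM this already
# holds, and no UAC prompt is involved because nothing here needs a desktop.
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this elevated (as SYSTEM from the fixlet, or from an admin shell).'
}

# Guard: bxk's "only when no user is logged in" condition. The fixlet's action
# settings should enforce it too; the script checks so a manual run cannot skip it.
$loggedOn = (Get-CimInstance Win32_ComputerSystem).UserName
if ($loggedOn) {
    throw "User '$loggedOn' is logged on; run when the console session is free."
}

# Step 2: stop the services. The firewall service is listed first because, as
# SystemAdmin notes, removing the other parts before it can leave the PC offline.
foreach ($svc in $ServiceNames) {
    if (-not (Get-Service -Name $svc -ErrorAction SilentlyContinue)) { continue }
    if ($PSCmdlet.ShouldProcess($svc, 'Stop service')) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
    }
}

# Step 3: kill any product processes that are still running.
foreach ($proc in $ProcessNames) {
    Get-Process -Name $proc -ErrorAction SilentlyContinue | ForEach-Object {
        if ($PSCmdlet.ShouldProcess("$proc (PID $($_.Id))", 'Kill process')) {
            Stop-Process -Id $_.Id -Force
        }
    }
}

# Step 4: delete the service entries with sc.exe, as bxk suggests.
foreach ($svc in $ServiceNames) {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess($svc, 'Delete service')) {
            & sc.exe delete $svc | Out-Null
        }
    }
}

# Step 5: remove the autostart values that launch the product at logon.
foreach ($name in $RunValueNames) {
    if ($PSCmdlet.ShouldProcess("$runKey\$name", 'Remove Run value')) {
        Remove-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue
    }
}

# Step 6: remove the installation directory.
if (Test-Path -LiteralPath $InstallDir) {
    if ($PSCmdlet.ShouldProcess($InstallDir, 'Remove directory')) {
        Remove-Item -LiteralPath $InstallDir -Recurse -Force
    }
}

# Step 7: remove the product and uninstall keys so the replacement installer's
# detection logic no longer sees the old product.
foreach ($key in $RegistryKeys) {
    if (Test-Path -LiteralPath $key) {
        if ($PSCmdlet.ShouldProcess($key, 'Remove registry key')) {
            Remove-Item -LiteralPath $key -Recurse -Force
        }
    }
}

# Step 8: reboot only on request; normally the fixlet's restart handling does this.
if ($Reboot -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restart')) {
    Restart-Computer -Force
}
```

Because the script supports ShouldProcess, running it once with `-WhatIf` on a test machine lists every service, process, file and key it would touch without changing anything, which is the check worth doing before the action goes out to a large group. The two guards at the top encode the thread’s two constraints: the work needs SYSTEM or admin rights but never a desktop, so UAC is not in play, and it runs only when nobody is logged on, so there is no user session for the tray or scanner processes to be reloaded into.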

(imported comment written by damen91)

I actually really like that solution - the only issue being we have Trend set up so that you can’t kill the services without unloading Trend first (which takes a password).

haha, security is killing me :wink:

(imported comment written by SystemAdmin)

You also need to remove the Firewall component which is attached to the network settings. If you don’t remove this before removing all the other parts the PC becomes unable to access the network.

I’m doing the same atm (Removing Trend and installing Sophos) and I’ve removed our Trend uninstall password for now. My only issue is the PCs with broken Trend installations.