MSSecurityEssentials

From WPKG | Open Source Software Deployment and Distribution
Jump to: navigation, search

Microsoft Security Essentials, available from http://www.microsoft.com/security_essentials/, protects from viruses, spyware, and other malicious software.

Microsoft Security Essentials is licensed for use only by home users, and "small businesses" that install it on up to 10 devices (see http://www.microsoft.com/security_essentials/eula.aspx#mainNav). For other use cases Microsoft's equivalent product is Forefront Client Security.

WPKG Package

This is a silent installer and uninstaller for Microsoft Security Essentials (Windows XP, US English, 32-bit version), different binaries are available for other systems.

<package
	id="microsoft-security-essentials"
	name="Microsoft Security Essentials"
	revision="4"
	reboot="false"
	priority="1">

	<check
		type="uninstall"
		condition="exists"
		path="Microsoft Security Essentials"/>

	<install
		cmd='%SOFTWARE%\microsoft-security-essentials\mseinstall.exe /s /runwgacheck' />

	<upgrade
		cmd='%SOFTWARE%\microsoft-security-essentials\mseinstall.exe /s /runwgacheck /o' />

	<remove
		cmd='%SOFTWARE%\microsoft-security-essentials\mseinstall.exe /s /u'/>
</package>

Note that an upgrade line is required because although the program updates itself automatically using Windows Automatic Updates (though only for minor updates, not upgrades such as from version 1 to 2), if you bump the revision number then WPKG will want to run an 'upgrade'.

Alternate package with registry edits and 64-bit aware

This is an alternate installation package with the following changes:

  • Registry changes are implemented (in my case, run daily, even if computer isn't idle, at 4PM; also, ignore UltraVNC). This works even if you aren't running as SYSTEM.
  • Bypassing the registry permissions is done with the freeware SetACL (http://helgeklein.com/setacl/). It may also be possible with Microsoft's subinacl.exe, but see this first: http://support.microsoft.com/kb/296865.
  • This also assumes you've renamed the 64-bit version of the installer to mseinstall_64.exe.
<package
        id="microsoftsecurityessentials"
        name="Microsoft Security Essentials"
        revision="4.3.0219"
        reboot="false"
        priority="1">

        <check
                type="uninstall"
                condition="exists"
                path="Microsoft Security Essentials"/>

        <variable name="INSTALLER_NAME" value="mseinstall.exe" />
        <variable name="INSTALLER_NAME" value="mseinstall_64.exe" architecture="x64" />

        <install cmd='%SOFTWARE%\microsoftsecurityessentials\%INSTALLER_NAME% /s /o /runwgacheck' />

        <!-- Change the registry permissions to allow Administrator to edit these registry entries.  Unneeded if you're running as SYSTEM (e.g. wpkg client) -->
        <install cmd='%SOFTWARE%\microsoftsecurityessentials\SetACL.exe -on "hklm\software\Microsoft\Microsoft Antimalware\Scan" -ot reg -actn ace -ace "n:Administrators;p:full"' />
        <install cmd='%SOFTWARE%\microsoftsecurityessentials\SetACL.exe -on "hklm\software\Microsoft\Microsoft Antimalware\Exclusions\Paths" -ot reg -actn ace -ace "n:Administrators;p:full"' />

        <!-- Change registry settings on these registry entries -->
        <install cmd='%COMSPEC% /C REG ADD "HKLM\Software\Microsoft\Microsoft Antimalware\Scan" /v ScheduleDay /t REG_DWORD /d 0x00000000 /f' />
        <install cmd='%COMSPEC% /C REG ADD "HKLM\Software\Microsoft\Microsoft Antimalware\Scan" /v ScheduleTime /t REG_DWORD /d 0x000003c0 /f' />
        <install cmd='%COMSPEC% /C REG ADD "HKLM\Software\Microsoft\Microsoft Antimalware\Scan" /v ScanOnlyIfIdle /t REG_DWORD /d 0x00000000 /f' />
        <!-- This whitelists UltraVNC.exe -->
        <install cmd='%COMSPEC% /C REG ADD "HKLM\Software\Microsoft\Microsoft Antimalware\Exclusions\Paths" /v "C:\Program Files\UltraVNC\winvnc.exe" /t REG_DWORD /d 0x00000000  /f' />
        <install cmd='%COMSPEC% /C REG ADD "HKLM\Software\Microsoft\Microsoft Antimalware\Exclusions\Paths" /v "C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe" /t REG_DWORD /d 0x00000000  /f' />

        <!-- Set the registry permissions back the way they were -->
        <install cmd='%SOFTWARE%\microsoftsecurityessentials\SetACL.exe -on "hklm\software\Microsoft\Microsoft Antimalware\Scan" -ot reg -actn ace -ace "n:Administrators;p:read"' />
        <install cmd='%SOFTWARE%\microsoftsecurityessentials\SetACL.exe -on "hklm\software\Microsoft\Microsoft Antimalware\Exclusions\Paths" -ot reg -actn ace -ace "n:Administrators;p:read"' />

        <upgrade include="install" />


        <remove
                cmd='%SOFTWARE%\microsoftsecurityessentials\%INSTALLER_NAME% /s /u'/>
</package>


Installer command-line switches

  • /s - perform a silent installation
  • /runwgacheck - automatically perform a Windows Genuine Advantage check
  • /o - don't automatically run the updater and the system scan after installation - when you then login it may then give a red indicator and say that real time protection is off because virus definition files are out of date. I've had a few differing experiences at this point, either it updates them quickly automatically, or if you click on the notification area icon it tells you it's out of date but then updates it quickly, or it displays this then just waits for you to manually press the 'Update' button. This is as both an Administrator and as a Limited User.
  • /u - uninstall

--80.36.75.112 18:13, 30 August 2013 (CEST)==Error Codes==

  • -2147156178 - you are triying to install 32 bits version on 64 bits OS
  • -2147156138 - Windows XP SP2, extra package required - http://support.microsoft.com/kb/914882?mkt=en-us
  • -2147156213 - Windows hasn't been activated or WGA validation failed
  • 327426 - program already installed

White-listing

See http://www.microsoft.com/security_essentials/HelpTopic.aspx?mkt=en-tt&assetid=f1b60a57-20d6-466e-b817-9e998a7d8a8c.

Soon after installation MSE can recognise potentially useful software as a threat. For example if you have UltraVNC installed it will flag up UltraVNC.exe. There's a risk that a user, when prompted, will choose to remove or quarantine such files and remove the administrator's ability to connect. Administrative users can allow, quarantine or remove suspicious files where as Limited users can only remove or quarantine suspicious files. Administrators will want to white-list any such programs that should not be considered a threat, upon installation.

White-listing can be performed manually using: Show details → Recommendation → Select an action → Allow → Apply actions (note that Close means 'don't take any action at this point') → Close. This is saved system-wide.

White-listing is saved in the registry so can be automated in any of the usual ways, see the registry editing section.

Relevant white-listing registry settings are:

  • Excluded processes.

"Exclude files that are accessed by processes such as programs ... For example, if you don't want Microsoft Security Essentials to scan files that are accessed by Windows Live Messenger, add Messenger.exe to the list of excluded processes.". Add .exe, .cmd, .bat, .pif, .scf or .scr files.
The registry key is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes

  • Excluded paths.

Exclude particular files and/or locations from the scan.
The registry key is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths

  • Excluded file types.

Exclude particular files types / extensions from the scan.
The registry key is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions

For a list of recommended files and file types to exclude see Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows.

Continuing with the above example to allow UltraVNC, a .reg registry file would look like this:

Windows Registry Editor Version 5.00

; Set an exclusion path for winvnc.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths]
"C:\\Program Files\\UltraVNC\\winvnc.exe"=dword:00000000

Permissions

Note that 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware' is read-only for all users apart from SYSTEM. If you use a script, such as a batch file, to alter Microsoft Antimalware registry settings then it will need to run as SYSTEM, which WPKG Client does.

References

* Silent Install 
* how to uninstall MSE if need arises?

Updates

Virus Definition Updates

Virus definition updates for MSE are automatically downloaded and incorporated by the program, or via Windows Automatic Updates.

To download the Microsoft Forefront Client Security antimalware definition update file (Mpam-fe.exe) for 32-bit (x86-based) versions of Windows, go to http://go.microsoft.com/fwlink/?LinkID=87342&clcid=0x409 and for 64-bit versions of Windows go to http://go.microsoft.com/fwlink/?LinkID=87341&clcid=0x409

To run the Microsoft Forefront Client Security antimalware definition update file in silent mode: Mpam-fe.exe -q

Program Updates

For minor updates, the Microsoft Security Essentials program updates itself or is updated through Windows Automatic Updates. for Major upgrades, such as from version 1.x to version 2.0, the program must be upgraded manually by an Administrator (not sure about Power User), not by a Restricted / Limited user. Either using Help → Check for software updates, or after being on for an amount of time, the software will prompt for an upgrade, choosing this as a Restricted / Limited user does nothing.

I don't know of a way to determine the installed version, to base WPKG updates off.