Difference between revisions of "MSSecurityEssentials"
(→Gotchas) |
(tidy up of reg info (thanks v.much whomever added that!)) |
||
Line 39: | Line 39: | ||
== Gotchas == | == Gotchas == | ||
− | * Soon after installation it can recognise potentially useful software as a threat. For example if you have UltraVNC installed it will flag up UltraVNC.exe and RealVNC.exe. There's a risk that a user, when prompted, will choose to remove or quarantine such files and remove the administrator's ability to connect. Administrative users can allow, quarantine or remove suspicious files where as Limited users can only remove or quarantine suspicious files. | + | * Soon after installation it can recognise potentially useful software as a threat. For example if you have UltraVNC installed it will flag up UltraVNC.exe and RealVNC.exe. There's a risk that a user, when prompted, will choose to remove or quarantine such files and remove the administrator's ability to connect. Administrative users can allow, quarantine or remove suspicious files where as Limited users can only remove or quarantine suspicious files. Administrators will want to white-list any such programs that should not be considered a threat, upon installation. |
White-listing can be performed manually using: Show details → Recommendation → Select an action → Allow → Apply actions (note that Close means 'don't take any action at this point') → Close - this is saved system-wide. | White-listing can be performed manually using: Show details → Recommendation → Select an action → Allow → Apply actions (note that Close means 'don't take any action at this point') → Close - this is saved system-wide. | ||
− | Once done manually | + | Once white-listing has been done manually on one machine, it can be automated on other machines. The registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Threats\ThreatIDDefaultAction" contains a list of signatures which are allowed and the action to perform (for example 00000006 relates to the action "Allow". |
+ | This registry key can be applied to other machines in any of the usual ways, for example by exporting it to filename.reg then importing it to others using "regedit /s filename.reg". Continuing with the above example, to allow RealVNC and UltraVNC the registry file should look like this: | ||
+ | <source lang="reg"> | ||
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Threats\ThreatIDDefaultAction] | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Threats\ThreatIDDefaultAction] | ||
; Allow RealVNC | ; Allow RealVNC | ||
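Review bot: the parenthesis opened at "(for example 00000006 relates to the action "Allow"" on the + side is never closed; close it after "Allow". The .reg fragment that the new `<source lang="reg">` block opens also starts directly with the [HKEY_LOCAL_MACHINE\...\ThreatIDDefaultAction] key, but a file imported with "regedit /s filename.reg" (as the text recommends) needs the `Windows Registry Editor Version 5.00` header as its first line, so add that line above the key.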
Line 50: | Line 52: | ||
; Allow UltraVNC | ; Allow UltraVNC | ||
"16555"=dword:00000006 | "16555"=dword:00000006 | ||
+ | </source> | ||
− | Also, to set up exclusion paths and processes | + | Also, to set up exclusion paths and processes, include the following: |
+ | <source lang="reg"> | ||
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes] | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes] | ||
"C:\\Program Files\\UltraVNC\\winvnc.exe"=dword:00000000 | "C:\\Program Files\\UltraVNC\\winvnc.exe"=dword:00000000 | ||
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths] | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths] | ||
"C:\\Program Files\\UltraVNC\\winvnc.exe"=dword:00000000 | "C:\\Program Files\\UltraVNC\\winvnc.exe"=dword:00000000 | ||
+ | </source> | ||
== References == | == References == |
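Review bot: the same value, "C:\\Program Files\\UltraVNC\\winvnc.exe", is added under both Exclusions\Processes and Exclusions\Paths without a word on why both are needed; add a short note that the Processes entry stops scanning of files that winvnc.exe opens while the Paths entry stops scanning of the winvnc.exe file itself, or drop whichever one is not actually required.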
Revision as of 21:57, 23 March 2010
WPKG Package
This is a silent installer and uninstaller for Microsoft Security Essentials, Windows XP, US English, 32-bit version.
<package
  id="microsoft-security-essentials"
  name="Microsoft Security Essentials"
  revision="2"
  reboot="false"
  priority="1">
  <!-- Installed only when the Add/Remove Programs entry is absent -->
  <check
    type="uninstall"
    condition="exists"
    path="Microsoft Security Essentials"/>
  <!-- install, upgrade and remove all run the same installer from %SOFTWARE%\ms_security_essentials -->
  <install
    cmd='%SOFTWARE%\ms_security_essentials\mssefullinstall-x86fre-en-us-xp.exe /s /runwgacheck' />
  <upgrade
    cmd='%SOFTWARE%\ms_security_essentials\mssefullinstall-x86fre-en-us-xp.exe /s /runwgacheck /o' />
  <remove
    cmd='%SOFTWARE%\ms_security_essentials\mssefullinstall-x86fre-en-us-xp.exe /s /u'/>
</package>
Note that an upgrade line is required because, although the program may update itself (though I'm not certain it does), if you bump the revision number then WPKG will want to run an 'update'.
Installer command-line switches
- /s - perform a silent installation
- /runwgacheck - automatically perform a Windows Genuine Advantage check
- /o - don't automatically run the updater and the system scan after installation. When you then log in it may give a red indicator and say that real-time protection is off because the virus definition files are out of date. I've had a few differing experiences at this point: either it updates them quickly and automatically, or if you click on the system tray icon it tells you it's out of date but then updates quickly, or it displays this and just waits for you to press the 'Update' button manually. This is the case both as an Administrator and as a Limited User.
Gotchas
- Soon after installation it can recognise potentially useful software as a threat. For example, if you have UltraVNC installed it will flag up UltraVNC.exe and RealVNC.exe. There's a risk that a user, when prompted, will choose to remove or quarantine such files and so remove the administrator's ability to connect. Administrative users can allow, quarantine or remove suspicious files, whereas Limited users can only remove or quarantine them. Administrators will therefore want to white-list, at installation time, any such programs that should not be considered a threat.
White-listing can be performed manually using: Show details → Recommendation → Select an action → Allow → Apply actions (note that Close means 'don't take any action at this point') → Close - this is saved system-wide.
Once white-listing has been done manually on one machine, it can be automated on other machines. The registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Threats\ThreatIDDefaultAction" contains a list of signatures (threat IDs) and the default action to perform for each (for example 00000006 relates to the action "Allow"). This registry key can be applied to other machines in any of the usual ways, for example by exporting it to filename.reg and then importing it on the others using "regedit /s filename.reg". Continuing with the above example, to allow RealVNC and UltraVNC the registry file should look like this:
Windows Registry Editor Version 5.00
; the header line above is required for regedit to accept the file

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Threats\ThreatIDDefaultAction]
; Allow RealVNC
"7480"=dword:00000006
; Allow UltraVNC
"16555"=dword:00000006
Also, to set up exclusion paths and processes, include the following:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes]
"C:\\Program Files\\UltraVNC\\winvnc.exe"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths]
"C:\\Program Files\\UltraVNC\\winvnc.exe"=dword:00000000
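Before a whitelist file like the one above is pushed to other machines with "regedit /s", it is worth checking exactly what it will allow and exclude, since every Allow entry and every exclusion is a permanent blind spot for the scanner. The following script is an added example, not part of the wiki page or the WPKG project: it parses the .reg format shown above, lists the threat IDs set to Allow (action code 6, the only code the page documents), and flags any Paths exclusion that covers a whole directory rather than a single file. The sample .reg text is constructed to mirror the page's RealVNC/UltraVNC entries, and the extra "99999" entry is hypothetical.

```python
"""Audit a Microsoft Antimalware .reg export before deploying it.

Added example (not from the wiki page). Parses the .reg file format the
page describes and reports whitelist and exclusion entries. Action code
6 ("Allow") is taken from the page; any other code is reported as-is.
"""
import re

THREAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware"
              r"\Threats\ThreatIDDefaultAction")
EXCL_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Microsoft Antimalware"
               "\\Exclusions\\")
ALLOW = 6  # default-action code the page documents for "Allow"

# Constructed sample mirroring the page's example; "99999" is a hypothetical
# threat ID with a non-Allow action code, added to show it being reported.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Threats\ThreatIDDefaultAction]
; Allow RealVNC
"7480"=dword:00000006
; Allow UltraVNC
"16555"=dword:00000006
; hypothetical entry with a different action code
"99999"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes]
"C:\\Program Files\\UltraVNC\\winvnc.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths]
"C:\\Program Files\\UltraVNC\\winvnc.exe"=dword:00000000
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg file.

    Comment lines (;), blank lines and the version header are skipped, and
    the doubled backslashes in value names are unescaped as regedit does.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor")
                or line.startswith("REGEDIT4")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            name = m.group(1).replace("\\\\", "\\")
            keys[current][name] = int(m.group(2), 16)
    return keys


def audit(text):
    """Summarise what a .reg file will whitelist and exclude.

    Returns {"allowed": [threat IDs with action Allow],
             "other": {threat ID: action code} for everything else,
             "exclusions": {"Processes": [...], "Paths": [...]}}.
    """
    keys = parse_reg(text)
    threats = keys.get(THREAT_KEY, {})
    allowed = sorted(tid for tid, act in threats.items() if act == ALLOW)
    other = {tid: act for tid, act in threats.items() if act != ALLOW}
    exclusions = {}
    for key, values in keys.items():
        if key.startswith(EXCL_PREFIX):
            exclusions[key[len(EXCL_PREFIX):]] = sorted(values)
    return {"allowed": allowed, "other": other, "exclusions": exclusions}


def broad_exclusions(exclusions):
    """Return Paths exclusions that cover a directory rather than one file.

    A directory exclusion leaves anything later dropped into it unscanned,
    so such entries deserve a second look before the file is deployed.
    """
    flagged = []
    for path in exclusions.get("Paths", []):
        last = path.rstrip("\\").rsplit("\\", 1)[-1]
        if path.endswith("\\") or "." not in last:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    report = audit(SAMPLE_REG)
    print("Allowed threat IDs:", report["allowed"])
    print("Non-Allow actions:", report["other"])
    for kind, entries in report["exclusions"].items():
        print(kind, "exclusions:", entries)
    print("Directory-wide exclusions:", broad_exclusions(report["exclusions"]))
```

To audit a real export, replace SAMPLE_REG with the contents of the exported filename.reg; the parser only understands dword values, which is all the two keys on this page use.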
References
* http://social.answers.microsoft.com/Forums/en/msestart/thread/a944fa0a-db4c-43da-affb-ab21eb9a4d65
* http://social.answers.microsoft.com/Forums/en-US/msestart/thread/56426422-5c5d-4296-a055-421b554f5eee
Updates
Virus Definition Updates
Virus definition updates are automatically downloaded and used.
To download the Microsoft Forefront Client Security antimalware definition update file (Mpam-fe.exe) for 32-bit (x86-based) versions of Windows, use the following link: http://go.microsoft.com/fwlink/?LinkID=87342&clcid=0x409
To download the Microsoft Forefront Client Security antimalware definition update file for 64-bit versions of Windows, use the following link: http://go.microsoft.com/fwlink/?LinkID=87341&clcid=0x409
Run in silent mode:
Mpam-fe.exe -q
Program Updates
Microsoft Security Essentials updates itself through Windows Update.