Re: OT: Virus scanner registry keys

From: Noah Roberts (nroberts_at_dontemailme.com)
Date: 02/15/05


Date: Mon, 14 Feb 2005 22:20:01 -0800

prg wrote:

> As I mentioned in another post, this McAfee AV searching turned up
> nothing really useful or informative.
>
> Seems that with the release of V.7 that McAfee really went corporate
> and even pulled back on the amount of documentation readily available.

Yeah, they don't reply to their corporate users either. Maybe my boss
will shove some napalm up their butts...

>
> Seems that short of rolling your own solution, you're stuck with using
> one of their products.

The trick is finding all the damn keys. Not only that, but they
periodically change the format of important keys. Like today I just
found yet another different date format in the damn registry on one of
the students' computers. I'm like, "Yeah, well, it wouldn't work anymore
now, would it..." Pain in the ass. This one even breaks my new code
that I thought should account for most of their BS.
>
> I did find some KiXtart scripts that provide what I think you are
> already providing when students first establish themselves on the
> campus network. Some of them try to read/manipulate the registry as
> part of the install script, but didn't find anything that actually
> "enforces" any policy like, "to log on to the network you must have AV
> running and set to autoscan downloaded docs/emails".

The trick is that they must run the program to log in, and the program
won't let them log in if they don't have XXX.
>
> Then the more I thought about the problem, the more I convinced myself
> that about all you can really do is check for installation and monitor
> if it is running. At least with your own monitoring daemon you might
> need to do no more than read the registry or check for currently
> running apps (similar to reading the Task List). I don't think you
> could set registry values and expect them to remain that way in your
> environment. It's not easy even in a situation where the computers are
> fully under your control.
>
> But I could not find any code that monitors the running state of AV.
> MIBs would sure be nice for that.

That is a thought. The answer we came up with, if we want to do it, is
to install a service. The service checks the status of certain registry
values and that other important services (Windows' version of daemons)
are running. Then this service touches the main server from time to time
to keep the registration active. If the server doesn't get this touch
after a while it destroys that registration and the user has to go
through the whole thing again.

I think with all the BS going on in the registry it would also have to
be self-updating. What is really scary is I am pretty sure I could do
all of this without the student knowing at all.

About MIBs, does Windows actually speak SNMP? Would there be such a
thing as a MIB for a virus scanner that you could look at on student
computers? That is something I never ever thought of.
>
> Best links I could come up with that _might_ be worth a spare time look
> (when you're bored/restless):

Happens a lot, I'm sure I will.

Thanks.
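The design sketched in this reply (a host-side check of AV registry values and services, a periodic touch to a server, and a registration that lapses when touches stop) as an added example that is not code from either poster. The registry value names, service names, date formats and sample hosts are all constructed for illustration; the point is that an unrecognised date format is treated as non-compliant rather than crashing the check.

```python
"""Compliance heartbeat sketch (added example; names and formats are assumed)."""
from datetime import datetime, timedelta

# Date formats met so far in the AV "signature date" value; add new ones as
# they turn up. Constructed list, not McAfee's real formats.
DATE_FORMATS = ("%Y-%m-%d", "%m/%d/%Y", "%Y%m%d", "%d-%b-%Y")
MAX_DAT_AGE = timedelta(days=7)
REQUIRED_SERVICES = {"AvScanner", "AvUpdater"}   # hypothetical service names


def parse_av_date(value):
    """Try every known format; return None for an unknown one instead of raising."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt)
        except ValueError:
            continue
    return None


def check_compliance(registry, running_services, now):
    """Host side: return the list of problems found (empty list == compliant)."""
    problems = []
    missing = REQUIRED_SERVICES - set(running_services)
    if missing:
        problems.append("services not running: %s" % sorted(missing))
    if registry.get("OnAccessScanEnabled") != 1:     # hypothetical value name
        problems.append("on-access scanning disabled")
    updated = parse_av_date(registry.get("DatDate", ""))  # hypothetical value name
    if updated is None:
        problems.append("unrecognised DAT date format; treated as stale")
    elif now - updated > MAX_DAT_AGE:
        problems.append("DAT signatures older than %d days" % MAX_DAT_AGE.days)
    return problems


class RegistrationServer:
    """Server side: a registration stays alive only while clean touches arrive."""

    def __init__(self, timeout):
        self.timeout = timeout
        self.last_touch = {}

    def touch(self, host, now, problems):
        """Renew the host's registration; a touch reporting problems does not renew."""
        if problems:
            return False
        self.last_touch[host] = now
        return True

    def expire(self, now):
        """Drop registrations whose last touch is older than the timeout."""
        dead = sorted(h for h, t in self.last_touch.items() if now - t > self.timeout)
        for host in dead:
            del self.last_touch[host]
        return dead

    def is_registered(self, host):
        return host in self.last_touch
```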