
Symantec AntiVirus Corporate Edition 10.0.0.359


contender


My version of install.cmd ;)

rem * Suppress the annoying warning about outdated virus definitions until the next update. The number is a definitions date and depends
rem on your current installation. It can be taken from HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternFileDate
rem after a test install.
reg add HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion /v NoWarnPattern /t REG_BINARY /d 23030C0000000000 /f

rem * Installing all components except Lotus Notes Auto-Protect. Enabling "Tamper Protection".
start /WAIT msiexec /i "Symantec AntiVirus.msi" /QB!- RUNLIVEUPDATE=0 SYMPROTECTDISABLED=0 ADDLOCAL=SAVMain,SAVUI,SAVHelp,EMailTools,OutlookSnapin,Pop3Smtp,QClient

rem * Launch silent LiveUpdate for virus definitions.
start /WAIT "" "%programfiles%\Symantec Antivirus\VPDN_LU.EXE" /s

rem * Removing auto-created startup scan to avoid high CPU usage.
reg delete "HKCU\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks" /f

Link to comment
Share on other sites


rem * Removing auto-created startup scan to avoid high CPU usage.
reg delete "HKCU\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks" /f

This is only a temporary solution. You need to add the key I specified in post 43 of this thread. When SAV doesn't see it, it will create the startup scan. The Symantec solution is similar, but adds an extra key, which isn't really needed.

Link to comment
Share on other sites

This is only a temporary solution.  You need to add the key I specified in post 43 of this thread.  When SAV doesn't see it, it will create the startup scan.  The Symantec solution is similar, but adds an extra key, which isn't really needed.

Many Thanks!! I've added the line below following your recommendations as the last line and it did the trick. :)

reg add "HKCU\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks" /v CreatedUserQuickScan /t REG_DWORD /d 0x1 /f

Link to comment
Share on other sites

**** I'm liking Symantec more and more!

Just yesterday morning I discovered a new virus strain which wasn't detectable by any AV and wasn't documented anywhere on the web either! So I analyzed the virus, documented exactly what it did and submitted it to them. I immediately got a reply that my submission was accepted, and is being processed. A few hours later, I got another auto-reply saying that the new virus has now been officially recognized! The new signature was added to the virusdefs and bam, after updating, SAV can now remove it! All in a span of a few hours! And today I checked up the Symantec Security Response site, and noticed that the new virus has been documented, and in full detail too!

Btw, for those interested, you can always get the latest and by latest I mean hourly updated defs here:

http://securityresponse.symantec.com/avcen...a.download.html

You ought to download that in one go, 'cause if you pause and resume later, for all you know the defs have already been updated! (I tried pausing and downloading an hour later, file size was already changed.)

Link to comment
Share on other sites

I'll give those a try. I ended up finding one yesterday that SAV couldn't detect, even updated to latest and greatest. I was looking for a link to send it in, but couldn't find one. I do believe it has been discovered though, because I typed some info in google and came up with variants.

I ran it through VMWare just to play with it, and didn't look like it did much. I could remove it manually, so I felt it was pretty weak.

Link to comment
Share on other sites

rem * Removing auto-created startup scan to avoid high CPU usage.
reg delete "HKCU\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks" /f

This is only a temporary solution.  You need to add the key I specified in post 43 of this thread.  When SAV doesn't see it, it will create the startup scan.  The Symantec solution is similar, but adds an extra key, which isn't really needed.

sleepnmojo, what is the timeframe for the re-creation of the automatic startup scan? I have removed it from PCs on my network by deleting the key I posted previously (no need to delete the entire 'Custom Tasks') and been through several reboots and it has not come back, without adding your key.

Link to comment
Share on other sites

sleepnmojo, what is the timeframe for the re-creation of the automatic startup scan? I have removed it from PCs on my network by deleting the key I posted previously (no need to delete the entire 'Custom Tasks') and been through several reboots and it has not come back, without adding your key.

If you were to delete the whole Custom Tasks key, then I would say after next login. As for the key you posted, it wouldn't matter. As long as the CreatedUserQuickScan key is there, it shouldn't come back. Since you don't delete it, it won't come back.

Now you could just import the key at t-12, or import it into the default profile, and not have to delete it at all.

Link to comment
Share on other sites

If you were to delete the whole Custom Tasks key, then I would say after next login.  As for the key you posted, it wouldn't matter.  As long as the CreatedUserQuickScan key is there, it shouldn't come back.  Since you don't delete it, it won't come back.

That makes a lot of sense, thx.

Now you could just import the key at t-12, or import it into the default profile, and not have to delete it at all.

Not sure I understand this part...can you explain a bit more?

I tried adding the CreatedUserQuickScan to HKU\.DEFAULT\Software...etc but it didn't affect new users logging in on the machine - they got the auto generated scan for their first logins until the login script command I set up deleted it from their HKCU....

Link to comment
Share on other sites

I tried adding the CreatedUserQuickScan to HKU\.DEFAULT\Software...etc but it didn't affect new users logging in on the machine - they got the auto generated scan for their first logins until the login script command I set up deleted it from their HKCU....

You need to add 2 keys, imho.

reg add "HKU\.DEFAULT\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks" /v CreatedUserQuickScan /t REG_DWORD /d 0x1 /f
reg add "HKU\.DEFAULT\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks" /v CopiedDefaultScanOptions /t REG_DWORD /d 0x1 /f

Adding those 2 in the installation script to HKCU, before running MSIEXEC, would disable autocreation altogether.

Edited by tbma
Link to comment
Share on other sites

No no

HKU\.Default is the login session, not the default user. You should rarely have to touch the keys in there.

By importing it into the default profile, I mean load the registry hive of the default user. This can be done by either regedit or reg.

In regedit, go to the HKEY_USERS section, then go to File -> Load Hive. Browse to your Default Users directory, and load NTUSER.DAT. Name it something (default is what I would use), then import your key to it. You can unload the hive once you are done with it, but it shouldn't matter.

In reg.exe, you need the load command. Should look similar to

REG LOAD HKU\default "%PATHTODEFAULTUSER%\NTUSER.DAT"

then load the key.

By T-12, I talk about on a clean install, but I think most people know that on this site.

Link to comment
Share on other sites

sleepnmojo is correct. No need to mess with HKU.

One can run the following commands from a batch file at T-12 and prevent doscan.exe from running upon the completion of SAV installation.

reg add "HKCU\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks" /v CreatedUserQuickScan /t REG_DWORD /d 0x1 /f
reg add "HKCU\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks" /v CopiedDefaultScanOptions /t REG_DWORD /d 0x1 /f

Alternatively, one can import PreventStartScan.reg provided by Symantec at T-12.

Either way the settings will apply to all users.

Link to comment
Share on other sites

sleepnmojo is correct. No need to mess with HKU.

Either way the settings will apply to all users.

Unfortunately they will not, if we are talking about just applying the keys to HKCU.

Try to create a new user and he will get the auto generated scan as soon as he logs in.

Universal automated way of determining the "Default Profile" folder is not trivial, but I have a solution as you may know :hello:

Edited by tbma
Link to comment
Share on other sites

here it is

call :ReadReg ProfilesDirectory
for /f "usebackq delims==" %%i in (`echo %TMP1%`) do set TMP2=%%i
call :ReadReg DefaultUserProfile
set TMP1=%TMP2%\%TMP1%

if exist "%TMP1%" (
  reg load HKU\default "%TMP1%\NTUSER.DAT"
  reg add "HKU\default\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks" /v CreatedUserQuickScan /t REG_DWORD /d 0x1 /f
  reg add "HKU\default\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks" /v CopiedDefaultScanOptions /t REG_DWORD /d 0x1 /f
  reg unload HKU\default
  )
set TMP1=
set TMP2=
goto :eof

:ReadReg
rem *** The delims= list below must be "=" followed by a single tab character (right before the closing quote), not a space.
for /f "usebackq tokens=3,3* delims== " %%i in (`reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /v %1 ^| find "%1"`) do set TMP1=%%i
goto :eof

Link to comment
Share on other sites
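
A read-only check for the point argued in this thread (values set in HKCU versus in the Default User hive), as an added example that is not part of any post. The script name, the `HKU\sav_check` mount name and the command-line argument are assumptions; the key and value names are the ones quoted in the posts above.

```bat
@echo off
rem Added example, not from the thread: report whether the two values exist
rem in the current user's hive and in the Default User hive.
rem Usage (hypothetical name): checksav.cmd "C:\Documents and Settings\Default User"
setlocal
set "SUBKEY=Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks"
set "MISSING=0"

echo [Current user]
call :CheckValue "HKCU\%SUBKEY%" CreatedUserQuickScan
call :CheckValue "HKCU\%SUBKEY%" CopiedDefaultScanOptions

rem Without an argument only HKCU is checked.
if "%~1"=="" goto :done
if not exist "%~1\NTUSER.DAT" (
  echo Default profile hive not found: "%~1\NTUSER.DAT"
  set "MISSING=1"
  goto :done
)

rem reg load needs administrative rights; the hive is only read here.
reg load HKU\sav_check "%~1\NTUSER.DAT" >nul
if errorlevel 1 (
  echo Could not load "%~1\NTUSER.DAT"
  set "MISSING=1"
  goto :done
)
echo [Default User hive]
call :CheckValue "HKU\sav_check\%SUBKEY%" CreatedUserQuickScan
call :CheckValue "HKU\sav_check\%SUBKEY%" CopiedDefaultScanOptions
rem Always unload, otherwise NTUSER.DAT stays locked.
reg unload HKU\sav_check >nul

:done
rem Exit code 1 means at least one value was missing or the hive was unreadable.
endlocal & exit /b %MISSING%

:CheckValue
rem reg query sets ERRORLEVEL 1 when the key or value does not exist.
reg query "%~1" /v %2 >nul 2>&1
if errorlevel 1 (
  echo   MISSING %2
  set "MISSING=1"
) else (
  echo   present %2
)
goto :eof
```

Run it once as an existing user and once after creating a fresh account to see which of the two hives actually carried the setting.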

Unfortunately they will not, if we are talking about just applying the keys to HKCU.

I'm not sure if you understand me correctly. My point is: import HKCU tweaks at T-12 (cmdlines.txt) and they will apply to all users, because at that moment the tweaks get imported into the Default User profile. It's the same as loading the Default User registry hive and editing it prior to creating new users.

Well, in some cases HKCU tweaks may not "stick" when applied at T-12. Are you saying this is the case with doscan.exe prevention? Have you tried importing at T-12?

Link to comment
Share on other sites
