Forefront Client Security Tools

Created Issue: FCS Exclusions installation error.

kbanaszak — Sun, 07 Sep 2008 18:53:16 GMT

Hello I tried to install FCS Exclusions on my production Exchange 2007 server unfortunatelly I get the following error during installation:
"Exchange 2007 FCS Exclusions can not be installed on systems earlier then Windows Server 2003 x64". The operating system the Exchange is installed on is:
Windows Server 2003 R2 Standard x64.

See the attached error window. What can be the issue why I can not install it?

Best Regards
Krzysztof Banaszak

Updated Release: Forefront Client Security Deployment Tool (יונ 17, 2008)

Thu, 04 Sep 2008 20:44:54 GMT

The Forefront Client Security Deployment Tool is a free toolkit that is meant to provide additional deployment capabilities in addition to those who are available with the RTM Version of FCS . This tool gives network and security administrators the ability to scan their network and/or AD, discover existing solutions that are already installed on their clients, uninstall the existing solution and install FCS Client – all in one.

Update: Build 108
- Fixed "Program Files" Uninstall Bug
- Fixed AD Computers Bug.
- Added support for new version of symantec.
- Fixed Impersonation Bug (Using Task Scheduler)

Update: Build 106
- Fixed Symantec V11 Uninstall bug.
- Added Restart Timeout for process resume (for uninstallations that require workstation restart).
- Added Re-Scan Button.
- Currently Supporting Uninstall of Symantec Versions 8-11, Trend 7-8 and all Mcafee Virusscan versions.

New Post: Trend Officescan Removal

akajee — Thu, 04 Sep 2008 13:26:24 GMT

Hi Guys,

Is there anyway to incorporate the uninstall password into the script to remove trend?

New Post: typing error

akajee — Wed, 20 Aug 2008 09:34:05 GMT

I know that this is a trivial matter but just thought that I should mention it. When running a scan for computers with FF installed, the "message" as a typo. it reads:

Microswoft Forefront client security is installed.

Great tool so far..

;-)

New Post: I have this problem

Rogeriom — Fri, 27 Jun 2008 08:08:48 GMT

Feedback Form submitted the following :

With the following message:

ip: 172.26.2.116

[26/06/2008 10:04:14] Failed to install Forefront cilent

StackTrace: at Microsoft.FCS.deployment.Wmi.install(Object obj) in C:\projects\Microsoft.FCS.Deployment\Microsoft.FCS.Deployment\classes\Wmi.cs:line 538

The directory name is invalid.

StackTrace: at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)

at System.IO.Directory.InternalGetFileDirectoryNames(String path, String userPathOriginal, String searchPattern, Boolean includeFiles, Boolean includeDirs, SearchOption searchOption)

at System.IO.DirectoryInfo.GetFiles(String searchPattern, SearchOption searchOption)

at System.IO.DirectoryInfo.GetFiles()

at Microsoft.FCS.deployment.Wmi.install(Object obj) in C:\projects\Microsoft.FCS.Deployment\Microsoft.FCS.Deployment\classes\Wmi.cs:line 495

**************************************

But the directory "C:\projects\Microsoft.FCS.Deployment\Microsoft.FCS.Deployment\classes\Wmi.cs" not exist and the application don't create this Directory

UPDATED RELEASE: Forefront Client Security Deployment Tool (יונ 17, 2008)

Tue, 24 Jun 2008 22:02:01 GMT

The Forefront Client Security Deployment Tool is a free toolkit that is meant to provide additional deployment capabilities in addition to those who are available with the RTM Version of FCS . This tool gives network and security administrators the ability to scan their network and/or AD, discover existing solutions that are already installed on their clients, uninstall the existing solution and install FCS Client – all in one.

Update: New build is available (106)
- Fixed Symantec V11 Uninstall bug.
- Added Restart Timeout for process resume (for uninstallations that require workstation restart).
- Added Re-Scan Button.
- Currently Supporting Uninstall of Symantec Versions 8-11, Trend 7-8 and all Mcafee Virusscan versions.

UPDATED RELEASE: Forefront Client Security Deployment Tool (יונ 17, 2008)

Wed, 18 Jun 2008 18:49:33 GMT

CREATED RELEASE: Forefront Client Security Deployment Tool (יונ 17, 2008)

Mon, 16 Jun 2008 21:23:48 GMT

RELEASED: Forefront Client Security Deployment Tool (Jun 17, 2008)

Mon, 16 Jun 2008 21:23:48 GMT

CREATED RELEASE: FCS Remote Definitions Update (יונ 09, 2008)

Mon, 09 Jun 2008 18:19:38 GMT

This Guide explains how to create a process of remote updating forefront client security definitions using MOM2005 Tasks. This ability to MOM2005 gives you the ability to "Right Click à Update Definitions" on each and every installed client and by that gives you the ability to update and control your client definitions outside "windows update".

Note: This update method is not a replacement for the Windows update method. You can take the scripts and the first part of this process (the definition download) and use it with any other distribution application you have deployed in your organization.

UPDATED RELEASE: FCS scanning exclusions msi (jun 03, 2008)

Tue, 03 Jun 2008 20:36:51 GMT

This msi file will add close to all (read the included ReadMe file) of the recomended scanning exclusions when running Forefront Client Security on an Microsoft Exchange 2007 server. Including file extension, process and folder path exclusions.
The setup will add the exclusions to the reg keys below and create a folder "Johan Blom, Truesec" under program files with the ReadMe file and an url shortcut to the Microsoft document describing the recomended scanning exclusions.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Paths
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes

The msi does not run on Windows server 2008 yet.

Included in the zip file is one 32bit msi for testing on the eval version of Exchange 2007 and one 64bit msi for production environment.

UPDATED RELEASE: Uninstall Scripts (Oct 01, 2007)

Mon, 14 Apr 2008 19:24:53 GMT

This is the first version of the uninstall scripts.

CREATED RELEASE: AVS Disable

Mon, 14 Apr 2008 19:23:01 GMT

This script disables AVG, it doesn’t truly remove it. It disables the service and removes all registry entries, etc. It is documented and theirs is a narrative in the zip file. Please feel free to pass on to your other customers or post on the source code site.

Posted on behalf of Steve Scholz

UPDATED RELEASE: Updating FCS Client defintions using SMS 2003 (מרץ 07, 2008)

Fri, 11 Apr 2008 08:46:39 GMT

Forefront Client Security update mechanism relies almost completely on Windows Update services. Some of you might ask if there is another way of deploying definition updates to the clients without using Windows Update.

This package provides preceptive guidance and tools necessary to you/your customers that have SMS 2003 (or other distribution mechanism for that matter). Use this release for purposes of creating an automated process of downloading and deploying client definitions updates to your machines.

UPDATED RELEASE: Updating FCS Client defintions using SMS 2003 (מרץ 07, 2008)

Tue, 18 Mar 2008 14:39:29 GMT

UPDATED RELEASE: Updating FCS Client defintions using SMS 2003 (מרץ 07, 2008)

Wed, 12 Mar 2008 21:15:21 GMT

UPDATED WIKI: Home

nehasharma — Sat, 23 Feb 2008 01:36:21 GMT

We now have new tools and guidance to integrate FCS with SCCM
Check new releases tab above for more information!

New Script
We've just released a new script to help you find out when FCS was last updated. Check it out in the "Releases" section and in the "Source Code" section.

Project Description
Tools to help FCS customers, including sample scripts to remove and uninstall existing AV/AS products. They are a great starting point to do so, but they can use your improvements and feedback.

Download the scripts, use and improve them, and submit your improvements.

CREATED RELEASE: Integrating FCS with SCCM (Feb 22, 2008)

Sat, 23 Feb 2008 01:30:34 GMT

Did you know SCCM can be used to provide client updates and signature updates to Client Security?

*This package provides presceptive guidance and tools necessary to your customers*

Deploying and maintaining your Forefront client Security clients can be automated using System Center Configuration Manager (SCCM). With SCCM customers can quickly deploy the Forefront Client Security (FCS) agents, maintain signature updates automatically and assess the agent’s configuration compliance on a routine basis.

NEW POST: FCS Install and Uninstall Script Tips

wstack — Wed, 05 Dec 2007 01:46:54 GMT

This post provides some information and tips around the sample FCS scripts supplied with the Service Kit. Hopefully it will help you configure them for your specific requirements. First remember that these are sample scripts. They were not designed nor were they intended to be comprehensive fully operational scripts. In every instance where I have used them, it has been necessary to modify them to fit the client’s particular situation. However, I have never had an instance where the processes in these scripts could not be modified to remove existing AV products.

General Information

The scripts were designed to be run as silent installation script using a software distribution system like SMS. They are written in a self documenting style, in other words the object and variable names were chosen to make the code easy to read and understand.

Common Framework

All the scripts begin by defining the same set of constants and creating the same three system objects. These objects are common to all the subroutines called by the Main Routine. This means that you can combine the functionality of these scripts into a single script just by adding the subroutines in. For example you can take the Install FCS Client script and append AV and Spyware removal subroutines to create a script that uninstalls old AV and Spyware products and installs and configures the new FCS client. The existing code show these options as:
* Call FCS_InstallXPSP2Hotfix
* Call UninstallMcAfee, Trend, Symantec, Sophos, eTrust...
* Call UninstallAntiSpywareProducts
* Call InstallFCSAgents
Where “Call UninstallMcAfee, Trend, Symantec, Sophos, eTrust...” is the name of the appropriate vendor uninstall script (e.g., Call UninstallMcAfeeAV)
Important Note About Script Configuration
While there are a number of constants, variables and objects common to all the scripts, some subroutine have installation specific constants. Make sure to review the constants and variables defined in the subroutines to ensure they have been set properly.

Local Execution

The scripts are designed to be executed locally on the client and assume all required resources are in the local directory or executable via the system PATH variable. They could be configured to execute on a remote system by changing the ThisComputer constant from "." to the name of a remote system. This may also require adding a user name and password to the system object creations.

Debug Option

While the scripts are designed to run silently (display no messages) a debug option is included to assist with interactive testing and troubleshooting. The second code line in each script defines the debug variable (bDEBUG) and sets it to False. By setting this value to True the scripts will generate a series of status and progress messages to assist with troubleshooting.
It is important to note, that debugging code makes the scripts larger and slower to execute. Once the scripts have been tested and verified, the debugging code should be removed from the scripts as part of the production deployment.

Error Handling

Error handling is minimized to keep the code base simple and small. If an error is generated the code will resume execution on the next line. In some instances it may be advantageous to add error checking to detect failures and generate notifications and/or log events.

Logging Messaging

Some of the uninstall scripts log informational events to the application event log. For example,
WshShell.LogEvent 4, "Uninstalled McAfee AV Framework"
However, the log is not an indication of the success or failure of the uninstall, it is merely shows that an uninstall was attempted.

Install Subroutines

The package contains two install subroutines: InstallFCSAgents in the FCS-SampleScript Install FCS Client script and FCSInstallXPSP2Hotfix_ in the FCS-SampleScript-XPSP2 HotFix Install script.
InstallFCSAgents installs the FCS and MOM agents on the client and triggers a signature update. It will also install a set of FCS policies on the machine if the system hasn’t receive them via GPO.
Important Note: This subroutine contain one constant that must be configured for your specific environment. The constant CollectionServerName must be set to the name of the collection server this client will use.
FCS_InstallXPSP2Hotfix checks for a prerequisite XPSP2 Hotfix (KB914882) and installs it if it is missing. This script does not require any configuration

Uninstall Scripts

The package contains a number of uninstall scripts for various vendor AV products as well as a consolidated script to uninstall Spyware/Adware products. All these scripts take one of three possible actions.
1) Calls the uninstall string stored in the SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall registry key. This process looks up the display name string (e.g., “CA eTrust Antivirus”) and invokes the string contained in the UninstallString value.
2) Uses MSIEXE to uninstall the product based on the GUID (e.g. MSIEXE /X{C6F5B6CF-609C-428E-876F-CA83176C021B})
3) Calls the vendors uninstall process

For newer products the first option usually works fine. Option two covers vendors that use MSI but bypass the standard installation process so their products do not show up in the uninstall registry key. The third option covers vendor proprietary installation processes (i.e., do not use MSI) to call vendor specific uninstall scripts. Whenever possible use option 1; it is implemented in the RegBasedUninstall subroutine.
Important Note: This subroutine take one input parameter which must be configured in the uninstall routine. The value is the Display Name of the product as it appears in the uninstall registry key (e.g., “CA eTrust Antivirus”). Scripts that use this option will usually have a constant defined with this value. For example in the CA eTrust script the constant eTrustDisplayName is set to the display name, "CA eTrust Antivirus". However some scripts have the string hard coded into the call statement. For example, the McAfee script contains this line: Call RegBasedUninstall("McAfee VirusScan")
Warning! This routine uses the in string InStr() function to locate the input value in the registry display name. It does not do a direct match. Since all enterprise versions of McAfee contain "McAfee VirusScan" in the display name this routine will find and uninstall multiple versions of the AV client.

However passing a poorly formed parameter to this routine could have some very bad unintended consequences. For example, if you pass the letter “a” to this routine it will uninstall every product on the system with an "a" in the display name!
Tip: Before you uninstall an AV product it is highly recommended that you stop any of the services and dependent services this product uses. (See the McAfee script for examples of this)

The UninstallAntiSpywareProducts subroutine is essentially the same as the RegbasedUninstall except checks are made for a number of different display name strings. Depending on the version of the product if may be necessary to alter the display name value in the code line
- If InStr(DisplayName, "Spybot - Search & Destroy") > 0 Then
or create a new section for uninstalling the new version or product. In some instances it may be necessary to use option 2 or option 3 type actions to uninstall these products if they do not contain uninstall registry values.

Testing

To test and configure the scripts I’d suggest running them interactively using cscript on a test system that has the software you want to remove installed. First using Regedit to find the DisplayName value of the product you want to uninstall. Second find the DisplayName constant or hardcoded value in the script and set it to match the value in the registry. For example: Const eTrustDisplayName = "CA eTrust Antivirus". Then run the script and see if the product get uninstalled successfully.
Tip: Successfully means the product gets uninstalled without any interaction with the user and no reboot. It should be the software distribution system that controls the reboot not the product uninstall routine.
Some products are more difficult to uninstall than others, for example McAfee has a McAfeeFramework service that needs to be stopped before the AV product can be removed. The current script uses a MSI ExecQuery to get the service object and dependencies and stop them but it could just as easily be done with calls to the SC.EXE utility. For example: WshShell.Run "sc.exe stop McAfeeFramework”

Troubleshooting

It’s virtually impossible to write a script that is going to cover every possible system configuration. There are any number of situations and/or system configurations that could cause the scripts to fail including:
• WMI configurations
• Permissions of the account running the script
• Version of the software being removed
• Etc.
Adding some code to display the error when the script fails can help troubleshoot the issue.

Source code checked in

nsagez — Tue, 04 Dec 2007 00:47:38 GMT

Bug Fix