Prevent End User Uninstall of Avast Endpoint Protection Suite

[Dezilu2]

Is there a way to prevent end user uninstall?  Or at least require a password to uninstall?
I am unable push installation via an .msi using Group Policy with Active Directory.  In the past, this is how we re-installed the software if an end user uninstalled.

Thanks.

[avast@@dvantage77.com]

I am researching this and have already created a support ticket.  From my understanding AEA does not have the ability to create an MSI.  I found this on the forum:

"ADNM used to create an MSI package which in turn could be used in AD group policy to deploy. Although the preferred way to deploy is via the console, in some cases this is not possible or wanted (design by company security policy). Then deployment via group policy can be used to deploy the MSI. With group policy, deployment of an exe is not possible."

Is it possible to lock the uninstaller with the console password when managed?

Is there any utility that will correctly convert the EXE installer (from AEA) into a MSI for GP deploy?

I will post here my solution, but so far no answer.  J.R. Guthrie

[wpn]

the real question here should be:  why does the end user have (local) administrator rights?
take that away and they cant install or uninstall anything

[ITG]

Unfortunately some environments require users to run as administrators.  Some of the software my clients use will not work properly or at all if the user does not have local admin rights.  What bothers me is that there is no way (perhaps with GPOs...?) to disable even certain administrators from being able to uninstall certain or any program.  Yes, I realize this can be done with an MSI as was stated in the post above, i mean with anything.

The real question is, why the hell Microsoft hasn't matured its AD or even local user permissions after 15+ years.......?

[spi]

@wpn some application (mostly in banking development department) need running under administrator privilege and it was put inside the wishlist that you create when I request the wishlist

@ITG and @advantage77.com I have open this issue to brou and avast team, brou said it will be implemented on the next EA program update.

@Dezilu2 yes, I have the same request to avast just hope avast make this feature this month or they will lose about 1500 licenses

[avast@@dvantage77.com]

Maybe a stupid question, but, under a managed A/V, shouldn't the un-installer require the avast! protected password to proceed?

[Infratech Solutions]

ADNM 4.8 does it!

I don't why AEA 7 doesn't.

[avast@@dvantage77.com]

Lukas, is there any possibility that this function of a passworded avast! uninstall could be incorporated into the Console (AEA & SOA)?

[.: Mac :.]

Maybe a stupid question, but, under a managed A/V, shouldn't the un-installer require the avast! protected password to proceed?

I thought that it did unless you disabled the self-protection module. It should have the blue popup to confirm the changes and require the password. The default password is admin so if it has not been changed perhaps the user guessed it?

[spi]

Maybe a stupid question, but, under a managed A/V, shouldn't the un-installer require the avast! protected password to proceed?

I thought that it did unless you disabled the self-protection module. It should have the blue popup to confirm the changes and require the password. The default password is admin so if it has not been changed perhaps the user guessed it?

Hi Mac, usually customers change the default password for this protection

[wpn]

offtopic
The discussion of which rights a user should have versus AD maturity can be extended for a long time
So a little example of my approach with crap software that needed admin rights to function properly:

The software package i have here running needs admin rights because the software updates itself when the application manager puts the update files in a certain directory, this happens monthly.
With Windows 7 this automatic updating was not possible since a normal user cant write files in the program files directory, FINALLY, without admin rights.
I solved this issue like this:
i created a global group and a domain local group in AD. I put the users that use the program in the global group, made the global member of the domain local group.
On the specific stations i added the domain local group to the ACL of the directory and gave it WRITE/CHANGE rights.
My problem was solved without giving users admin rights.

Basicly the software that is for regular users, should never need to run with admin rights. Its from the past (xp and before) that this behavior is incorporated in the software and the lazyness of the devellopment party to comply to OS regulations.
On the other side its the unwillingness of the buyer party to demand OS compliancy in the software since the bill probably goes to the demanding party.

Maybe its wise to investigate why the software needs to have admin rights and possibly solve it like the way i did with my package.


ontopic
The password protection of uninstalling AVAST is however still wanted, if a system gets corrupted then there is already something running with elevated rights, meaning the AV product can be silently uninstalled too.
The protection was present in the v6 version too so it is possible to incorporate that code into the v7 version too.
WISHED

[avast@@dvantage77.com]

Q: Dear Martin,

How hard is it going to be to add password for uninstall of a managed avast!
at the workstation (like ADNM)?


A: Hi

This feature is already embedded in the internal version of new  managed
client.  So when the new version will be available on public, you can count
with this feature.


Martin
AVAST software a.s.

[spi]

@WPN, yes the idea is great and I have but some of customers don't want to change this rules because of they standard operational procedures.

@advantage77.com, thanks for the information.. JFK also told me about this feature will be release on the next EA update