Author Topic: Prevent End User Uninstall of Avast Endpoint Protection Suite  (Read 8671 times)

0 Members and 1 Guest are viewing this topic.

Dezilu2

  • Guest
Prevent End User Uninstall of Avast Endpoint Protection Suite
« on: November 09, 2012, 06:18:12 PM »
Is there a way to prevent end user uninstall?  Or at least require a password to uninstall?
I am unable push installation via an .msi using Group Policy with Active Directory.  In the past, this is how we re-installed the software if an end user uninstalled.

Thanks.

Offline avast@@dvantage77.com

  • J.R. Guthrie - avast! Sales and Support Specialist
  • Avast Reseller
  • Advanced Poster
  • *
  • Posts: 740
  • the only avast! Distributor & Platinum Reseller
    • Advantage Micro Corporation
Re: Prevent End User Uninstall of Avast Endpoint Protection Suite
« Reply #1 on: November 09, 2012, 11:42:11 PM »
I am researching this and have already created a support ticket.  From my understanding AEA does not have the ability to create an MSI.  I found this on the forum:

"ADNM used to create an MSI package which in turn could be used in AD group policy to deploy. Although the preferred way to deploy is via the console, in some cases this is not possible or wanted (design by company security policy). Then deployment via group policy can be used to deploy the MSI. With group policy, deployment of an exe is not possible."

Is it possible to lock the uninstaller with the console password when managed?

Is there any utility that will correctly convert the EXE installer (from AEA) into a MSI for GP deploy?

I will post here my solution, but so far no answer.  J.R. Guthrie
Sincerely,
 
J.R. "AutoSandbox Guy" Guthrie

"At this point in time, the Internet should be regarded as an Enemy Weapons System!"

wpn

  • Guest
Re: Prevent End User Uninstall of Avast Endpoint Protection Suite
« Reply #2 on: November 14, 2012, 09:59:11 AM »
the real question here should be:  why does the end user have (local) administrator rights?
take that away and they cant install or uninstall anything

ITG

  • Guest
Re: Prevent End User Uninstall of Avast Endpoint Protection Suite
« Reply #3 on: November 14, 2012, 10:10:20 AM »
Unfortunately some environments require users to run as administrators.  Some of the software my clients use will not work properly or at all if the user does not have local admin rights.  What bothers me is that there is no way (perhaps with GPOs...?) to disable even certain administrators from being able to uninstall certain or any program.  Yes, I realize this can be done with an MSI as was stated in the post above, i mean with anything.

The real question is, why the hell Microsoft hasn't matured its AD or even local user permissions after 15+ years.......?

Offline spi

  • Poster
  • *
  • Posts: 530
  • 1st Services
Re: Prevent End User Uninstall of Avast Endpoint Protection Suite
« Reply #4 on: November 14, 2012, 11:07:54 AM »
@wpn some application (mostly in banking development department) need running under administrator privilege and it was put inside the wishlist that you create when I request the wishlist

@ITG and @advantage77.com I have open this issue to brou and avast team, brou said it will be implemented on the next EA program update.

@Dezilu2 yes, I have the same request to avast just hope avast make this feature this month or they will lose about 1500 licenses
Windows 10 Pro 64-bit + avast Premium 11.1.2241
Network tools: Wireshark+CACE Pilot | Android Softphone + Grandstream UCM61xx | MI4i | Running Out of Time (1999)

Offline avast@@dvantage77.com

  • J.R. Guthrie - avast! Sales and Support Specialist
  • Avast Reseller
  • Advanced Poster
  • *
  • Posts: 740
  • the only avast! Distributor & Platinum Reseller
    • Advantage Micro Corporation
Re: Prevent End User Uninstall of Avast Endpoint Protection Suite
« Reply #5 on: November 14, 2012, 08:11:37 PM »
Maybe a stupid question, but, under a managed A/V, shouldn't the un-installer require the avast! protected password to proceed?
Sincerely,
 
J.R. "AutoSandbox Guy" Guthrie

"At this point in time, the Internet should be regarded as an Enemy Weapons System!"

Offline Infratech Solutions

  • Avast Reseller
  • Super Poster
  • *
  • Posts: 2192
  • Mayorista e integrador de AVAST Software en España
    • Ciberseguridad AVAST para empresas y MSPs en España.
Re: Prevent End User Uninstall of Avast Endpoint Protection Suite
« Reply #6 on: November 15, 2012, 01:01:51 PM »
ADNM 4.8 does it!

I don't why AEA 7 doesn't.

Offline avast@@dvantage77.com

  • J.R. Guthrie - avast! Sales and Support Specialist
  • Avast Reseller
  • Advanced Poster
  • *
  • Posts: 740
  • the only avast! Distributor & Platinum Reseller
    • Advantage Micro Corporation
Re: Prevent End User Uninstall of Avast Endpoint Protection Suite
« Reply #7 on: November 15, 2012, 06:29:51 PM »
Lukas, is there any possibility that this function of a passworded avast! uninstall could be incorporated into the Console (AEA & SOA)?
Sincerely,
 
J.R. "AutoSandbox Guy" Guthrie

"At this point in time, the Internet should be regarded as an Enemy Weapons System!"

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re: Prevent End User Uninstall of Avast Endpoint Protection Suite
« Reply #8 on: November 16, 2012, 01:25:52 PM »
Maybe a stupid question, but, under a managed A/V, shouldn't the un-installer require the avast! protected password to proceed?

I thought that it did unless you disabled the self-protection module. It should have the blue popup to confirm the changes and require the password. The default password is admin so if it has not been changed perhaps the user guessed it?
"People who are really serious about software should make their own hardware." - Alan Kay

Offline spi

  • Poster
  • *
  • Posts: 530
  • 1st Services
Re: Prevent End User Uninstall of Avast Endpoint Protection Suite
« Reply #9 on: November 16, 2012, 05:16:48 PM »
Maybe a stupid question, but, under a managed A/V, shouldn't the un-installer require the avast! protected password to proceed?

I thought that it did unless you disabled the self-protection module. It should have the blue popup to confirm the changes and require the password. The default password is admin so if it has not been changed perhaps the user guessed it?

Hi Mac, usually customers change the default password for this protection
Windows 10 Pro 64-bit + avast Premium 11.1.2241
Network tools: Wireshark+CACE Pilot | Android Softphone + Grandstream UCM61xx | MI4i | Running Out of Time (1999)

wpn

  • Guest
Re: Prevent End User Uninstall of Avast Endpoint Protection Suite
« Reply #10 on: November 19, 2012, 12:57:02 PM »
offtopic
The discussion of which rights a user should have versus AD maturity can be extended for a long time :)
So a little example of my approach with crap software that needed admin rights to function properly:

The software package i have here running needs admin rights because the software updates itself when the application manager puts the update files in a certain directory, this happens monthly.
With Windows 7 this automatic updating was not possible since a normal user cant write files in the program files directory, FINALLY, without admin rights.
I solved this issue like this:
i created a global group and a domain local group in AD. I put the users that use the program in the global group, made the global member of the domain local group.
On the specific stations i added the domain local group to the ACL of the directory and gave it WRITE/CHANGE rights.
My problem was solved without giving users admin rights.

Basicly the software that is for regular users, should never need to run with admin rights. Its from the past (xp and before) that this behavior is incorporated in the software and the lazyness of the devellopment party to comply to OS regulations.
On the other side its the unwillingness of the buyer party to demand OS compliancy in the software since the bill probably goes to the demanding party.

Maybe its wise to investigate why the software needs to have admin rights and possibly solve it like the way i did with my package.


ontopic
The password protection of uninstalling AVAST is however still wanted, if a system gets corrupted then there is already something running with elevated rights, meaning the AV product can be silently uninstalled too.
The protection was present in the v6 version too so it is possible to incorporate that code into the v7 version too.
WISHED




Offline avast@@dvantage77.com

  • J.R. Guthrie - avast! Sales and Support Specialist
  • Avast Reseller
  • Advanced Poster
  • *
  • Posts: 740
  • the only avast! Distributor & Platinum Reseller
    • Advantage Micro Corporation
Re: Prevent End User Uninstall of Avast Endpoint Protection Suite
« Reply #11 on: November 20, 2012, 08:43:35 PM »
Q: Dear Martin,

How hard is it going to be to add password for uninstall of a managed avast!
at the workstation (like ADNM)?


A: Hi

This feature is already embedded in the internal version of new  managed
client.  So when the new version will be available on public, you can count
with this feature.


Martin
AVAST software a.s.
Sincerely,
 
J.R. "AutoSandbox Guy" Guthrie

"At this point in time, the Internet should be regarded as an Enemy Weapons System!"

Offline spi

  • Poster
  • *
  • Posts: 530
  • 1st Services
Re: Prevent End User Uninstall of Avast Endpoint Protection Suite
« Reply #12 on: November 21, 2012, 03:43:48 AM »
@WPN, yes the idea is great and I have but some of customers don't want to change this rules because of they standard operational procedures.

@advantage77.com, thanks for the information.. JFK also told me about this feature will be release on the next EA update
« Last Edit: November 21, 2012, 03:46:41 AM by spi »
Windows 10 Pro 64-bit + avast Premium 11.1.2241
Network tools: Wireshark+CACE Pilot | Android Softphone + Grandstream UCM61xx | MI4i | Running Out of Time (1999)