Manually updating Microsoft Security Essentials from a UNC path

I haven’t seen anyone with this solution yet and I did get a request to post the how to.  A while back I posted on how to push out the Microsoft Security Essentials (MSE) software to any number of machines with a system startup script.  For IT shops on a budget this is a good solution.  Couple this with not having your users running as local administrators or power users, some decent group policies, possibly some firewall packet filtering or AV scanning of that data with a web filter and you’ll be pretty secure!

Depending on your OS (32 bit or 64) you’ll need to adjust these commands to include the proper paths.  For my examples they’re all done on a 32 bit machine so adjust accordingly.

The location of MSE is:

C:\Program Files\Microsoft Security Client\Antimalware

Doing a directory listing we find and notice the bolded files:

C:\Program Files\Microsoft Security Client\Antimalware>dir /B
Drivers
EN-US
IpsConsumer.dll
MpAsDesc.dll
MpClient.dll
MpCmdRun.exe
MpCommu.dll
mpevmsg.dll
MpOAv.dll
MpRTP.dll
MpSvc.dll
MpUtil.dll
MsMpCom.dll
MsMpEng.exe
MsMpLics.dll
NisIpsPlugin.dll
NisLog.dll
NisNetIP.dll
NisPerformanceProvider.dll
NisRes.dll
NisSrv.exe
NisWFP.dll

I’ve found that in the past just messing around with exe files by typing in (for example), mpcmdrun /? – you might find interesting things ;)

Doing so with the command-line version of MSE, you see you can run all kinds of interesting commands; if you use a program to execute commands on remote machines, you can even scan machines remotely!

The file usage is MpCmdRun.exe [command] [-options]

So if we want to do a signature update according to the command options we’d do this:

mpcmdrun -SignatureUpdate -UNC%storepath%

* Of course you must declare your store path as a UNC file path \\servername\share for example

Here’s the batch file I have:

@echo off
:: Setting system variables
set "storepath=\\server\share\distribute\Microsoft_Security_Essentials\updates"
set "package=mpavdlta.vdm"

if exist "%storepath%\%package%" (goto execute)
echo Update package does not exist...
goto end

:execute
:: Executing package
echo Executing Microsoft Security Essentials Update...
echo.
:: %storepath%\%package%
:: MpCmdRun.exe lives in the Antimalware folder shown above; use its full path if that folder is not on PATH
mpcmdrun -SignatureUpdate -UNC"%storepath%"

:end

What this does is set the store path variable, the path where we will be storing our update.  When you download an update it seems that MSE looks for a file named “mpavdlta.vdm”.   You just have to point it at your UNC share and it automatically looks for that file; I found this out by trial and error!

* Copy the above script into a bat file and make that a user log on script so the user executes the update.  It’s doing the same thing as a user would who opens MSE and manually clicks the “update” button but if it’s a user logon script (preferably via group policy) then it’s a no brainer for the user and you’re telling MSE where to get the update from (NOT your WAN ;) ).

So now; how do we get our “update server” to always have a fresh ready to go update?

You need to use wget for Windows and make a scheduled task on your server that uses wget to download the latest update to the update folder.  You’ll also need 7zip to unzip the package.

Here’s what I have for a script:

:: Here's the KB on manually downloading the update:  http://support.microsoft.com/kb/971606

@echo off

echo Setting system variables...
echo.
set "storepath=\\server\share\distribute\Microsoft_Security_Essentials\updates"
set "patch=mpam-fe.exe"
set "updateurl=http://download.microsoft.com/download/DefinitionUpdates"

:: Mapping drive
echo Mapping x: drive temporarily...
echo.
net use x: "%storepath%"
echo.

:: Removing the old update file
echo Removing the old updated file...
echo.
del /q "%storepath%\%patch%"
echo.

:: Downloading the update
echo Downloading the MSE update...
echo.
"%storepath%\wget" -P x: "%updateurl%/%patch%"
echo.

:: Unmapping drive
echo Unmapping x: drive...
echo.
net use x: /delete /yes
echo.

:: Unzipping package
echo Unzipping the update...
"%storepath%\7za" x "%storepath%\%patch%" -y -o"%storepath%"
echo.

We name some variables so that if we ever change the paths, all the settings are changed by editing just one line.  We map a drive (I called it “x:”, you can call it whatever you want), use wget to download the patch to the storepath, and unmap the drive.  I think I had to use a mapped drive because wget didn’t like UNC paths :-).  We then unzip the update to our “updates” directory.
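
The server script above pulls mpam-fe.exe over plain HTTP and unpacks it onto the share that every client updates from, so it is worth checking the file's Authenticode signature before it gets there. The PowerShell below is an added example, not part of the original scripts; it assumes wget was pointed at a local staging folder ($Staging, a hypothetical path) instead of x:, and that 7za.exe sits on the share as in the batch file.

```powershell
# Added example: only publish the downloaded definition package to the share
# if it carries a valid Authenticode signature from Microsoft.
# Share path and file name mirror the batch script; $Staging is an assumption.
$StorePath = '\\server\share\distribute\Microsoft_Security_Essentials\updates'
$Patch     = 'mpam-fe.exe'
$Staging   = Join-Path $env:TEMP 'mse-staging'   # hypothetical local scratch folder
$Candidate = Join-Path $Staging $Patch

function Test-MicrosoftSigned {
    param([Parameter(Mandatory = $true)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file hash matches the signature and the chain is trusted.
    if ($sig.Status -ne 'Valid') { return $false }
    # Require Microsoft as the signing organisation, not just any trusted publisher.
    return $sig.SignerCertificate.Subject -match '(^|,\s*)O=Microsoft Corporation(,|$)'
}

if (-not (Test-Path $Candidate)) {
    Write-Error "No downloaded package at $Candidate"
    exit 1
}

if (-not (Test-MicrosoftSigned -Path $Candidate)) {
    # Leave the previous definitions on the share; clients keep using those.
    Remove-Item $Candidate -Force
    Write-Error "Signature check failed for $Patch; share left untouched"
    exit 1
}

# Only a verified package reaches the share the logon script reads from.
Copy-Item $Candidate (Join-Path $StorePath $Patch) -Force
& (Join-Path $StorePath '7za.exe') x (Join-Path $StorePath $Patch) -y "-o$StorePath"
exit $LASTEXITCODE
```

Run it from the same scheduled task, after the download step and in place of the unzip step.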

This isn’t “foolproof” because I haven’t used this process in a while.  We had some machines (tablets) that went through a proxy server and we didn’t want to allow these tablets any Internet except the specific SAAS (Software as a service) 3rd party vendor we were using.  So we made the server get the updates and each client look at the server for updates.

It does look like there are registry settings for changing WHERE MSE gets updates from; the default is “MMPC”.  I haven’t tried tweaking the setting since the clients I was putting it on couldn’t get to the site, they’d just update on user logon from a UNC path.  Next shift of users = new update!

Again; the scripts worked for me but there could be some tweaking.

Download wget

Download 7-zip