In my opinion Microsoft Security Essentials does a decent job for the price :p – they don’t just do spyware anymore, they also do malware and antivirus! A smaller company (or even a larger one for that matter) looking to save money can try using it rather than a more “corporate” package from the big vendors (Norton, McAfee, AVG, Panda, Avast, etc, etc, etc…the list goes on). There might be just a few small problems: MSE doesn’t really have a central administration tool (or server), but that’s not a big deal; with a small amount of work you can kind of make one or centrally manage it yourself. It also doesn’t alert an administrator if it finds something, it only alerts the end user, so expect a phone call from time to time. Those are the biggest downfalls, but depending on what you’re looking for or can tolerate it might work out for you. I’ve distributed this on about 75 workstations and I haven’t really heard a peep from anyone.
Again though; it’s free and does a decent job so if you’re willing to ‘trust’ it and you’ve got other layers of protection (like not letting end users run as power user or local admin, local firewall, corporate firewall, strong passwords, encryption, etc, etc, etc) then your comfort level should be better (mine is).
So here’s the recipe for pushing out various versions of MSE and configuring it with the options you want. In our MSE batch of goodness you need these tools:
- A Windows Domain (Could work without this but it’s helpful to have it)
- Group Policy Know How (moderate)
- Batch file skills (moderate)
- A file share
- 7-zip to extract the exe’s from M$
- Install MSE so you can configure it then export your configuration via the registry
Download 7-zip and install it (link above)
Available Versions:
- Windows XP 32-bit
- Windows Vista/Windows 7 32-bit
- Windows Vista/Windows 7 64-bit
You should be downloading a file called: mseinstall.exe <- Same name for all versions but the packages are different
With 7-zip installed you should then be able to right click mseinstall.exe and extract the contents.
What I would do here is create a share folder “mse”. Permissions are up to you, but read only is fine for everyone. You could / should also make it a hidden share or ONLY a hidden share ;). You can append a $ sign at the end of your share name like “mse$”, this way it won’t be browsable on your network. You’ll have to know it’s there to find it (\\servername\mse$). Copy your extracted folder to the mse share, maybe put an “xp” folder in the mse folder and then 7x32 and 7x64 folders to keep your versions straight if you need to deal with multiple versions.
For this example I downloaded the XP 32 bit version, I extracted it, I made my mse share with the appropriate subfolder named xp.
start > run > \\myserver\mse\xp or \\myserver\mse$\xp if you used a hidden share (recommended)
Folder contents are:
en-us <-Folder
x86 <- Folder
compappsconent.dll
epplauncher.exe
eppmanifest.dll
setup.ini
setupres.dll
* I just noticed this but in the setup.ini if you’re upgrading versions it looks like you can mark “ShowUpgradeEULA=true” to =false so you don’t have to agree to the EULA again ;)
So what we’ve done so far is gather our ingredients, the tools and files we need to make our batch of goodness :) We’ve downloaded and installed 7-zip, we’ve downloaded our versions of MSE and we’ve created our share then extracted the files to their respective folders. Now it’s time to create our batch file that will:
- Detect the OS
- Detect the OS Architecture (32 or 64 bit)
- Call the appropriate installer
In the \\servername\mse folder on your network create a batch file, I called mine push_mse.bat. Then right click and ‘edit’ the file, it should open notepad. For you sophisticated types you might like using notepad++, a favorite editing tool of mine because it highlights things in colors and has advanced search / replace filters.
In our batch file start by typing in or copy and pasting in this text with edits to match your environment:
****
@echo off
:: This is a comment - this will install MSE
echo Finding your Windows Version
:: Error = 0 for true
:: Error = 1 for false
:: This version number = Windows XP
ver | findstr /C:"Version 5.1.2600"
if %errorlevel% EQU 0 goto XP
:: This version number = Windows 7
ver | findstr /C:"Version 6.1.7601"
if %errorlevel% EQU 0 goto arch
:: Neither version matched, so stop here instead of falling through to the XP install
goto end
:XP
:: Checking to see if the MSE folder exists, if it doesn't then it's not installed
if exist "%ProgramFiles%\Microsoft Security Client" goto end
\\servername\mse\xp\x86\setup.exe /s /runwgacheck /o
reg import \\servername\mse\windows_security_essentials_default_settings.reg
goto end
:arch
:: Detecting 32 bit or 64 bit
wmic OS get OSArchitecture | findstr /C:"32-bit"
IF %ERRORLEVEL% EQU 0 goto 7_32
IF %ERRORLEVEL% GTR 0 goto 7_64
:7_32
:: Checking to see if the MSE folder exists, if it doesn't then it's not installed
if exist "%ProgramFiles%\Microsoft Security Client" goto end
\\servername\mse\7x32\x86\setup.exe /s /runwgacheck /o
reg import \\servername\mse\windows_security_essentials_default_settings.reg
goto end
:7_64
:: Checking to see if the MSE folder exists, if it doesn't then it's not installed
if exist "%ProgramFiles%\Microsoft Security Client" goto end
\\servername\mse\7x64\amd64\setup.exe /s /runwgacheck /o
reg import \\servername\mse\windows_security_essentials_default_settings.reg
goto end
:end
****
I think that’s about right, the above is untested really, it’s similar to what I’m using but mine is much messier :p. What you can do to see your errors is comment out the “@echo off” section and it’ll print every line on the screen, then end your script with a pause or put a bunch of pause statements in the script, I often do that to “step through” a program and when I’m done I get rid of all the pausing. You can also “echo %errorlevel%” to see the output / result.
The ‘cherry on top’ are the settings. You’ll notice above I’ve got a registry import for the settings. To get these you’ll need to install MSE, configure it in the settings then export your settings from the registry to a reg file. The settings seem to be the same from 32 bit to 64 bit and they have the same registry entry options.
start (or Windows Button how lame!) > regedit > OK or enter if you’re on Vista or 7. This will open the registry editing tool, navigate down to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware
I have only exported things like my Exclusions list / paths, the scan settings like allowing pause located under “Scan” and not joining of SpyNet under “SpyNet”. Here’s a sample of my registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths]
"%programfiles%\\someprogramfolderhere"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan]
"AllowPause"=dword:00000001
"DisableCatchupQuickScan"=dword:00000001
"DisableCatchupFullScan"=dword:00000001
"CheckForSignaturesBeforeRunningScan"=dword:00000001
"QuickScanInterval"=dword:00000000
"ScheduleDay"=dword:00000000
"AvgCPULoadFactor"=dword:0000000a
"ScheduleTime"=dword:0000021c
"DisableRemovableDriveScanning"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\SpyNet]
"SpyNetReporting"=dword:00000000
* Recent update / addition here; a few command line options I’ve used to do scans remotely with a tool like psexec:
psexec \\computername -u domain\username cmd
It’ll prompt you for your password (must have admin privileges)
Then cd to your directory “cd c:\program files\Microsoft Security Client\Antimalware”
mpcmdrun -SignatureUpdate
* That command above updates the MSSE detection database
mpcmdrun -Scan -ScanType 2
* That command above will run a full system scan, 0 = default, 1 = quick scan, 2 = full system scan and 3 = a single file custom scan but you’ll need to point it at your file with -File "c:\somewhere\somefile.extension"
You could probably export the entire “Microsoft Antimalware” hive and call it good too ;). You’ll notice things like “ScheduleTime” – it’s a bit cryptic so if you want to adjust all the scanning times (mine is at noon I think) you can make the change on your local machine, check that key for the change then update your registry file. Now what you want to do (and I’m not going to go into the how) is make a system startup group policy and point your new batch file in the system startup for PC’s in your organization. You can do it many ways. Something I’ve done in the past is have one system batch file that runs at startup and I tweak it for installs or settings like this. Then you don’t have to create more group policies and have a plethora of batch files out there. You just edit the one file and you’re good to go; that is…unless you need specialized settings for various departments or people.
Lastly, when the installation ‘kicks off’ there’s a bit of a pause or lull, it might take a few minutes to “do something” and for you to notice the Security Essentials little blue home logo in the system tray, the icon will probably be orange but it will shortly turn to blue after it updates which our command above on the install tells it to do ;).
There’s also a process I have to do an “update server” so all your clients don’t go out to the net for updates but rather they get updates from your local share. I’m not going to post it here unless someone wants that process too.
All in all it’s been smooth and I’ve had no complaints. It’s also saved the company a few thousand dollars in licensing fees to one of the big AV companies.
* Update *
I saw someone in my logs (yes you’re not anonymous Verizon Enterprise Center :P!) looking for pushing just the “updates” to clients. In order to do that you can’t really “push” the update but rather push a pull :). What I mean is you can (depending on the operating system) schedule an “at” job: http://support.microsoft.com/kb/313565 <– For more information and here http://rafaelwolf.com/?p=300 <– For more information. What you do is make one batch file on a network share (which has your code telling each client where and how to update – via the command line, I mention it on another post with mpcmdrun.exe: http://rafaelwolf.com/?p=725), then schedule each PC via that scheduled task (at job) to update whenever you want, however often, etc by editing your batch file with the commands in it. You make one bat file with commands and paths for the update, use at or schtasks to schedule each pc to run the shared batch file at x time. You could also “push” the “pull” to all the PC’s you wanted with a for loop. Scheduling your task on any number of PC’s would be a snap. I have examples on my blog for that as well.
Note that M$ is moving away from “at” but it still works, they’re favoring the “schtasks” command over it: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/schtasks.mspx <– Have fun!
* Oh and MAYBE just maybe they could have posted the questions and I would have thrown them the bone ;)
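The “push a pull” described in the update above, as an added example (not the author’s own script): one batch file that, run from an admin workstation with a list of computer names, schedules a daily task on each PC, and that the task then runs with /update to pull signatures with mpcmdrun. The file names mse_update.bat and computers.txt, the task name and the start time are assumptions; the share and the mpcmdrun path are the ones used in this post.

```batch
@echo off
:: mse_update.bat - added example, not the author's script.
:: Assumed names: this file's name, the task name, the start time and the
:: list file passed as %1. Share and MpCmdRun path follow the post.
setlocal
set "SHARE=\\servername\mse$"
set "TASKNAME=MSE Signature Update"
:: XP's schtasks wants HH:MM:SS here, Vista/7 wants HH:MM
set "START=12:00"
set "MPCMD=%ProgramFiles%\Microsoft Security Client\Antimalware\MpCmdRun.exe"

if /i "%~1"=="/update" goto update
if "%~1"=="" goto usage
if not exist "%~1" goto usage

:: Push mode: run by an admin, %1 is a text file with one computer name per line.
for /f "usebackq tokens=1" %%C in ("%~1") do call :schedule %%C
goto :eof

:schedule
:: Creates the task remotely; it runs as SYSTEM, like the startup script does.
:: If a task with this name already exists, remove it first (schtasks /delete).
echo Scheduling "%TASKNAME%" on %1
schtasks /create /s %1 /ru SYSTEM /sc daily /st %START% /tn "%TASKNAME%" /tr "%SHARE%\mse_update.bat /update"
:: Keep a list of machines that were off or refused the connection
if errorlevel 1 >> "%~dp0schedule_failures.txt" echo %date% %time% FAILED %1
goto :eof

:update
:: Pull mode: this is what the scheduled task runs on each client.
if not exist "%MPCMD%" exit /b 1
"%MPCMD%" -SignatureUpdate
exit /b %errorlevel%

:usage
echo Usage: %~nx0 computers.txt    (schedule the task on every PC in the list)
echo        %~nx0 /update          (run on the client by the scheduled task)
exit /b 2
```

Every client runs this file from the share as SYSTEM, so the share should stay read only for everyone except the admins who maintain it.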
Great article, but how do I deploy a .bat file via group policy?
Hey Daniel – I don’t have the step 1, step 2, step 3 for you at this very second and I’m assuming you know about group policy since you asked so…what you do is:
Create a new group policy for MSE
Right click and edit it
Under the: Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) > double click “Startup” > click “add” > click “browse” > find your bat file.
* Often, I copy my bat file into the directory that opens.
I’d test it first before rolling it out to the masses ;-)
Unfortunately, Microsoft Security Essentials is only free for businesses to use on 5 or less computers.
Interesting point Norm, others think there is more grey area than that :P
http://answers.microsoft.com/en-us/protect/forum/protect_start/microsoft-security-essentials-for-schools/8c55b1a5-3598-47b4-a9bc-28827e2bf729
“The License text does not exclude any use, but mentions home and home based businesses. However, I suspect the lack of a specific exclusion is done on purpose to allow for flexibility. Note that I am not a lawyer nor do I work for Microsoft. My opinion is, yes, you can use it in schools.”
I’m no licensing expert either but the lack of not excluding it does seem to then allow businesses to use it ;)
* Edit, I believe this has been updated in the M$ licensing text for MSE, it’s home users or small businesses with up to 10 computers: http://blogs.msdn.com/b/mssmallbiz/archive/2010/09/22/announcing-microsoft-security-essentials-available-free-to-small-businesses-in-october.aspx
Now there’s no more grey area :-)
When I try to import my registry file I get “ERROR: Error accessing the registry.”
I am sure my registry file is correct. Is MSSE blocking it?
I have just a few questions. How are you installing the app and how are you calling your registry file? I call them with a startup script from the “system” account and the system has full access to write to the registry but if you’re “testing” the process (which you should certainly do) it might be that the user you’re using doesn’t have access to the registry where the MSE settings are stored (and rightfully so!). It sounds like a permissions problem not that MSE is blocking anything because when you’re installing it, MSE isn’t fully “on” yet so it’ll let you import your registry settings.
Oh, and one last thing, know of a way to do a silent install WITHOUT it enabling the Windows Firewall like it does by default?
Thank you for posting this – very clever! I’d like to hear about your “update server” setup, centralized updates are something that my company would love to implement with MSE.
Posted my notes but forgot to post to your comment: http://rafaelwolf.com/?p=725
This is good for the free version of MSSE, I always forget the 2nd S when I do it, I usually do MSE :P