We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now

x

Norton IS 2005: Automatic LiveUpdate for non-Admin users?

Havin_it
Havin_it asked
on
Medium Priority
1,321 Views
Last Modified: 2008-01-09
Hi,

I see this issue was previously addressed in Automatic LiveUpdate for non-Admin users in http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21292658.html but would like to re-open the discussion if possible.

Our office purchased Norton Internet Security 2005 (somewhat against my advice, but hey) and subsequently learned that it was not possible for Automatic LiveUpdate to be run while the logged-in user is a Limited User account.   This is extremely frustrating because (a) Earlier versions of NIS *did* permit this, and (b) it took a great deal of searching on the Symantec site to establish that it was unsupported, when IMHO it should have been writ large on the box!

[I promised myself I wouldn't turn this into a rant against Symantec.  Deep breath now...]

As best I can tell, this is in response to a design-flaw whereby the LiveUpdate client can enable privilege-escalation for the logged-in Limited User.  This wouldn't unduly concern me in our office, as I'm 100% confident that such attacks are beyond the capabilities of my users.  (I realise most people could not say this, but trust me, I can.)

So, rather than dumping Norton instantly (that day will come, but there's a subscription to work out first), I'd like to find a way to run LiveUpdate with administrative privileges once a day, or at boot-time.

My first attempt at this was creating a scheduled task to run C:\Program Files\Symantec\LiveUpdate\LUALL.EXE at startup, with admin privs.  I also changed the settings of LiveUpdate so it should run on full-auto (no interaction).  I don't believe it worked, however, because the log at C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Log.Liveupdate was empty for the time at which I rebooted.  (Previous runs had an entry even if there was nothing downloaded.)  The task had run, as I'd checked the Task Manager, but no evidence of it doing anything useful.

Is there another way I could use the Task Scheduler to get the right result?  Or as a rather extreme method, could a third user be created and their permissions fine-tuned so all they could do was run LiveUpdate?  [I'd need some guidance on how to set that up.]  Or is there any other method available?

Details:
OS: Windows XP Home Edition SP2
LiveUpdate version: 3.0.0

Any and all suggestions welcome.  Points at maximum in hopes of a positive outcome.
Comment
Watch Question

Top Expert 2005

Commented:
Norton Internet Security epitomizes Bloatware; all those poor computers will run so much faster without it.  How about using the run as option, right click on Nortons, select Run as, click user name, for instance administrator, then password, and even though you'll be logged on as limited user, you'll have admin privileges with nortons.

I still have a subscription to Norton's that is going unused, when you want to get rid of it here's some advice.

Disable system restore first; http://support.microsoft.com/kb/q310405/


Then go to start<control panel<switch to classic view<add/remove programs, remove live update first, then remove nortons av, sysytem works as well..  

Use the following tool to clean your system; http://www.mickelson.org/files/zips/nonav.zip
go through and open each file.

go to start<search<all folders and files<more advanced options, select search hidden, search for symantec, delete all it finds.

If you have GoBack get rid of that too.

Avast and AVG are free;

http://free.grisoft.com/doc/1

http://www.avast.com/eng/download-avast-home.html

NOD 32 is my favorite AV

Try free for 30 days; http://www.nod32.com/scriptless/download/trial.htm

Author

Commented:
Hi Tim,

sorry if I wasn't clear enough but what's required is Automatic LiveUpdate functioning - automatically - while only the Limited account is logged-in.  I'm not there every day, but I need the updates to be able to run in my absence.
Top Expert 2005

Commented:
Take a look at richrumble's posts in this thread and I believe you'll find joy;

http://www.experts-exchange.com/Security/Win_Security/Q_21438548.html

Author

Commented:
His accepted answer seems to suggest temporarily elevating the Limited account to the Administrators group, using it to schedule the LiveUpdate task, then reducing its permissions again.  Is that how you interpret it?  It sounds like something that really *should not* work, from a security point of view.

Author

Commented:
Okay, it appears I've bullied it into working by (more or less) the way I suggested initially.  I didn't think it was working when I initially looked at the log, but it turns out that Norton doesn't correct for British Summer Time (doh!) So the log I was reading was prior to the last changes I made.

Sooo....

Here's what I did.

[as an Administrator...]
1) Disable Automatic LiveUpdates
2) Set LiveUpdate to run in Express Mode (no interaction required)
3) Check the boxes to start and end the session automatically
4) Create a scheduled task to run "C:\Program Files\Symantec\LiveUpdate\LUALL.EXE" at boot.

Now this does work, but I was thrown off for a while because of the log confusion, and also because the update status in the Norton client is not updated until someone has opened it as an Administrator.  But as far as I can tell, the updates themselves are being installed, from my reading of the Log.LiveUpdate file.

Once I can establish for definite that this is the case, I'll ask for PAQ on this if there's no objection.

Author

Commented:
Sorry for leaving this hanging for so long.  The method above seemed so do the job, but the fact that the GUI did not update the virus definitions status was a nagging doubt which I couldn't settle comprehensively.  Such is the nature of trying to make software do unsupported things, I guess...

So I devised a workaround.  Note that the following is WAY insecure and I would not think of using it if I weren't confident of my users' (a) lack of malicious intent and (b) technical ignorance.

I learned that VBScript could be used to send keystrokes to a running program, in this case RunAs, and found an example here that suited my needs.
http://searchwinit.techtarget.com/tip/0,289483,sid1_gci929880,00.html

I made the following .vbs file:

set WshShell = CreateObject("WScript.Shell")
WshShell.Run "runas /user:MyAdminUser ""C:\Program Files\Symantec\LiveUpdate\LUALL.EXE"""
WScript.Sleep 2000
WshShell.Sendkeys "MyPassword~"

For the sake of not having the admin password floating around in plaintext on the machine, I then encoded it to a .vbe file using the Windows Script Encoder
http://msdn.microsoft.com/library/default.asp?url=/downloads/list/webdev.asp

I then stuck the script away in a dark corner, and linked it in the startup folder for the Limited User account.  The result is that when that user logs in, the script opens LiveUpdate (which I've set to run in Express Mode so all the luser has to do is watch) as the Admin user.  [Sidenote: if Norton's ScriptBlocking is running, you need to run the script once as the Admin user so you can set Norton to permit it.]

Yes, it's a horrible hack.  No, no sysadmin in their right mind should do it.  But it'll serve my needs in my rarefied environment, until I can evict Norton's crapware once and for all.

Applying for a PAQ.  Thanks for your contributions all the same.
Commented:
Closed, 500 points refunded.
GranMod
The Experts Exchange
Community Support Moderator of all Ages

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.