Norton IS 2005: Automatic LiveUpdate for non-Admin users?

Posted on 2006-04-02
Last Modified: 2008-01-09

I see this issue was previously addressed in Automatic LiveUpdate for non-Admin users in but would like to re-open the discussion if possible.

Our office purchased Norton Internet Security 2005 (somewhat against my advice, but hey) and subsequently learned that it was not possible for Automatic LiveUpdate to be run while the logged-in user is a Limited User account.   This is extremely frustrating because (a) Earlier versions of NIS *did* permit this, and (b) it took a great deal of searching on the Symantec site to establish that it was unsupported, when IMHO it should have been writ large on the box!

[I promised myself I wouldn't turn this into a rant against Symantec.  Deep breath now...]

As best I can tell, this is in response to a design-flaw whereby the LiveUpdate client can enable privilege-escalation for the logged-in Limited User.  This wouldn't unduly concern me in our office, as I'm 100% confident that such attacks are beyond the capabilities of my users.  (I realise most people could not say this, but trust me, I can.)

So, rather than dumping Norton instantly (that day will come, but there's a subscription to work out first), I'd like to find a way to run LiveUpdate with administrative privileges once a day, or at boot-time.

My first attempt at this was creating a scheduled task to run C:\Program Files\Symantec\LiveUpdate\LUALL.EXE at startup, with admin privs.  I also changed the settings of LiveUpdate so it should run on full-auto (no interaction).  I don't believe it worked, however, because the log at C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Log.Liveupdate was empty for the time at which I rebooted.  (Previous runs had an entry even if there was nothing downloaded.)  The task had run, as I'd checked the Task Manager, but no evidence of it doing anything useful.

Is there another way I could use the Task Scheduler to get the right result?  Or as a rather extreme method, could a third user be created and their permissions fine-tuned so all they could do was run LiveUpdate?  [I'd need some guidance on how to set that up.]  Or is there any other method available?

OS: Windows XP Home Edition SP2
LiveUpdate version: 3.0.0

Any and all suggestions welcome.  Points at maximum in hopes of a positive outcome.
Question by: Havin_it
    LVL 17

    Expert Comment

    Norton Internet Security epitomizes Bloatware; all those poor computers will run so much faster without it.  How about using the run as option, right click on Norton's, select Run as, click user name, for instance administrator, then password, and even though you'll be logged on as limited user, you'll have admin privileges with Norton's.

    I still have a subscription to Norton's that is going unused, when you want to get rid of it here's some advice.

    Disable system restore first;

    Then go to start<control panel<switch to classic view<add/remove programs, remove live update first, then remove Norton's AV, SystemWorks as well.

    Use the following tool to clean your system;
    go through and open each file.

    go to start<search<all folders and files<more advanced options, select search hidden, search for symantec, delete all it finds.

    If you have GoBack get rid of that too.

    Avast and AVG are free;

    NOD 32 is my favorite AV

    Try free for 30 days;
    LVL 10

    Author Comment

    Hi Tim,

    sorry if I wasn't clear enough but what's required is Automatic LiveUpdate functioning - automatically - while only the Limited account is logged-in.  I'm not there every day, but I need the updates to be able to run in my absence.
    LVL 17

    Expert Comment

    Take a look at richrumble's posts in this thread and I believe you'll find joy;
    LVL 10

    Author Comment

    His accepted answer seems to suggest temporarily elevating the Limited account to the Administrators group, using it to schedule the LiveUpdate task, then reducing its permissions again.  Is that how you interpret it?  It sounds like something that really *should not* work, from a security point of view.
    LVL 10

    Author Comment

    Okay, it appears I've bullied it into working by (more or less) the way I suggested initially.  I didn't think it was working when I initially looked at the log, but it turns out that Norton doesn't correct for British Summer Time (doh!) So the log I was reading was prior to the last changes I made.


    Here's what I did.

    [as an Administrator...]
    1) Disable Automatic LiveUpdates
    2) Set LiveUpdate to run in Express Mode (no interaction required)
    3) Check the boxes to start and end the session automatically
    4) Create a scheduled task to run "C:\Program Files\Symantec\LiveUpdate\LUALL.EXE" at boot.

    Now this does work, but I was thrown off for a while because of the log confusion, and also because the update status in the Norton client is not updated until someone has opened it as an Administrator.  But as far as I can tell, the updates themselves are being installed, from my reading of the Log.LiveUpdate file.

    Once I can establish for definite that this is the case, I'll ask for PAQ on this if there's no objection.
    LVL 10

    Author Comment

    Sorry for leaving this hanging for so long.  The method above seemed to do the job, but the fact that the GUI did not update the virus definitions status was a nagging doubt which I couldn't settle comprehensively.  Such is the nature of trying to make software do unsupported things, I guess...

    So I devised a workaround.  Note that the following is WAY insecure and I would not think of using it if I weren't confident of my users' (a) lack of malicious intent and (b) technical ignorance.

    I learned that VBScript could be used to send keystrokes to a running program, in this case RunAs, and found an example here that suited my needs.,289483,sid1_gci929880,00.html

    I made the following .vbs file:

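    ' Start LiveUpdate under the admin account; runas will prompt for the password
    Set WshShell = CreateObject("WScript.Shell")
    WshShell.Run "runas /user:MyAdminUser ""C:\Program Files\Symantec\LiveUpdate\LUALL.EXE"""
    ' Give the runas password prompt time to appear
    WScript.Sleep 2000
    ' Type the password into the prompt; ~ sends Enter
    WshShell.SendKeys "MyPassword~"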

    For the sake of not having the admin password floating around in plaintext on the machine, I then encoded it to a .vbe file using the Windows Script Encoder

    I then stuck the script away in a dark corner, and linked it in the startup folder for the Limited User account.  The result is that when that user logs in, the script opens LiveUpdate (which I've set to run in Express Mode so all the luser has to do is watch) as the Admin user.  [Sidenote: if Norton's ScriptBlocking is running, you need to run the script once as the Admin user so you can set Norton to permit it.]

    Yes, it's a horrible hack.  No, no sysadmin in their right mind should do it.  But it'll serve my needs in my rarefied environment, until I can evict Norton's crapware once and for all.

    Applying for a PAQ.  Thanks for your contributions all the same.

    Accepted Solution

    Closed, 500 points refunded.
    The Experts Exchange
    Community Support Moderator of all Ages
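
Added example (not part of the original thread and not any poster's code): the final workaround leaves an administrator password in a script the Limited User can read, and the Script Encoder step is obfuscation, not encryption. This Python sketch shows how an auditor could flag such scripts in a startup folder; the sample script contents, account name, paths and finding labels are constructed for illustration.

```python
import re

# Constructed sample scripts (placeholder account, path and password).
SAMPLES = {
    "update.vbs": (
        'Set WshShell = CreateObject("WScript.Shell")\n'
        'WshShell.Run "runas /user:ExampleAdmin ""C:\\Tools\\updater.exe"""\n'
        'WScript.Sleep 2000\n'
        'WshShell.Sendkeys "ExamplePassword~"\n'
    ),
    "update.vbe": "#@~^CONSTRUCTED-ENCODED-BODY^#~@",
    "hello.vbs": 'WScript.Echo "hello"\n',
}

# VBScript is case-insensitive, so every pattern is too.
RUNAS = re.compile(r'\brunas(?:\.exe)?\s+/user:', re.I)
# SendKeys with a string literal ending in ~ or {ENTER}: text typed, then Enter.
SENDKEYS = re.compile(r'\.SendKeys\s*\(?\s*"(?:[^"]|"")*?(?:~|\{ENTER\})"', re.I)
ENCODED_MARKER = "#@~^"  # header the Windows Script Encoder writes


def audit_script(name, text):
    """Return finding labels for one script; never echoes the typed literal."""
    findings = []
    encoded_ext = name.lower().endswith((".vbe", ".jse"))
    if encoded_ext or text.lstrip().startswith(ENCODED_MARKER):
        # Body is obfuscated, so the patterns below cannot see it: review by hand.
        findings.append("encoded-script")
    typed = SENDKEYS.search(text)
    if typed and RUNAS.search(text):
        findings.append("runas-password-sendkeys")
    elif typed:
        findings.append("sendkeys-with-enter")
    return findings


def audit_all(scripts):
    """Map script name -> findings, omitting scripts with none."""
    report = {}
    for name, text in scripts.items():
        findings = audit_script(name, text)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(name, findings)
```
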
