• Status: Solved
  • Priority: Medium
  • Security: Public

Norton IS 2005: Automatic LiveUpdate for non-Admin users?

Hi,

I see this issue was previously addressed in Automatic LiveUpdate for non-Admin users in http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21292658.html but would like to re-open the discussion if possible.

Our office purchased Norton Internet Security 2005 (somewhat against my advice, but hey) and subsequently learned that it was not possible for Automatic LiveUpdate to be run while the logged-in user is a Limited User account.   This is extremely frustrating because (a) Earlier versions of NIS *did* permit this, and (b) it took a great deal of searching on the Symantec site to establish that it was unsupported, when IMHO it should have been writ large on the box!

[I promised myself I wouldn't turn this into a rant against Symantec.  Deep breath now...]

As best I can tell, this is in response to a design-flaw whereby the LiveUpdate client can enable privilege-escalation for the logged-in Limited User.  This wouldn't unduly concern me in our office, as I'm 100% confident that such attacks are beyond the capabilities of my users.  (I realise most people could not say this, but trust me, I can.)

So, rather than dumping Norton instantly (that day will come, but there's a subscription to work out first), I'd like to find a way to run LiveUpdate with administrative privileges once a day, or at boot-time.

My first attempt at this was creating a scheduled task to run C:\Program Files\Symantec\LiveUpdate\LUALL.EXE at startup, with admin privs.  I also changed the settings of LiveUpdate so it should run on full-auto (no interaction).  I don't believe it worked, however, because the log at C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Log.Liveupdate was empty for the time at which I rebooted.  (Previous runs had an entry even if there was nothing downloaded.)  The task had run, as I'd checked the Task Manager, but no evidence of it doing anything useful.

Is there another way I could use the Task Scheduler to get the right result?  Or as a rather extreme method, could a third user be created and their permissions fine-tuned so all they could do was run LiveUpdate?  [I'd need some guidance on how to set that up.]  Or is there any other method available?

Details:
OS: Windows XP Home Edition SP2
LiveUpdate version: 3.0.0

Any and all suggestions welcome.  Points at maximum in hopes of a positive outcome.
Asked by: Havin_it
1 Solution

tim_qui Commented:
Norton Internet Security epitomizes Bloatware; all those poor computers will run so much faster without it.  How about using the run as option, right click on Nortons, select Run as, click user name, for instance administrator, then password, and even though you'll be logged on as limited user, you'll have admin privileges with nortons.

I still have a subscription to Norton's that is going unused, when you want to get rid of it here's some advice.

Disable system restore first; http://support.microsoft.com/kb/q310405/


Then go to start<control panel<switch to classic view<add/remove programs, remove live update first, then remove nortons av, system works as well.

Use the following tool to clean your system; http://www.mickelson.org/files/zips/nonav.zip
go through and open each file.

go to start<search<all folders and files<more advanced options, select search hidden, search for symantec, delete all it finds.

If you have GoBack get rid of that too.

Avast and AVG are free;

http://free.grisoft.com/doc/1

http://www.avast.com/eng/download-avast-home.html

NOD 32 is my favorite AV

Try free for 30 days; http://www.nod32.com/scriptless/download/trial.htm

Havin_it (Author) Commented:
Hi Tim,

sorry if I wasn't clear enough but what's required is Automatic LiveUpdate functioning - automatically - while only the Limited account is logged-in.  I'm not there every day, but I need the updates to be able to run in my absence.

tim_qui Commented:
Take a look at richrumble's posts in this thread and I believe you'll find joy;

http://www.experts-exchange.com/Security/Win_Security/Q_21438548.html

Havin_it (Author) Commented:
His accepted answer seems to suggest temporarily elevating the Limited account to the Administrators group, using it to schedule the LiveUpdate task, then reducing its permissions again.  Is that how you interpret it?  It sounds like something that really *should not* work, from a security point of view.

Havin_it (Author) Commented:
Okay, it appears I've bullied it into working by (more or less) the way I suggested initially.  I didn't think it was working when I initially looked at the log, but it turns out that Norton doesn't correct for British Summer Time (doh!) So the log I was reading was prior to the last changes I made.

Sooo....

Here's what I did.

[as an Administrator...]
1) Disable Automatic LiveUpdates
2) Set LiveUpdate to run in Express Mode (no interaction required)
3) Check the boxes to start and end the session automatically
4) Create a scheduled task to run "C:\Program Files\Symantec\LiveUpdate\LUALL.EXE" at boot.

Now this does work, but I was thrown off for a while because of the log confusion, and also because the update status in the Norton client is not updated until someone has opened it as an Administrator.  But as far as I can tell, the updates themselves are being installed, from my reading of the Log.LiveUpdate file.

Once I can establish for definite that this is the case, I'll ask for PAQ on this if there's no objection.

Havin_it (Author) Commented:
Sorry for leaving this hanging for so long.  The method above seemed to do the job, but the fact that the GUI did not update the virus definitions status was a nagging doubt which I couldn't settle comprehensively.  Such is the nature of trying to make software do unsupported things, I guess...

So I devised a workaround.  Note that the following is WAY insecure and I would not think of using it if I weren't confident of my users' (a) lack of malicious intent and (b) technical ignorance.

I learned that VBScript could be used to send keystrokes to a running program, in this case RunAs, and found an example here that suited my needs.
http://searchwinit.techtarget.com/tip/0,289483,sid1_gci929880,00.html

I made the following .vbs file:

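' Start LiveUpdate through runas; runas then prompts for MyAdminUser's password
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "runas /user:MyAdminUser ""C:\Program Files\Symantec\LiveUpdate\LUALL.EXE"""
' Give the runas password prompt time to appear
WScript.Sleep 2000
' Type the password into the prompt; "~" is the SendKeys code for Enter
WshShell.SendKeys "MyPassword~"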

For the sake of not having the admin password floating around in plaintext on the machine, I then encoded it to a .vbe file using the Windows Script Encoder
http://msdn.microsoft.com/library/default.asp?url=/downloads/list/webdev.asp

I then stuck the script away in a dark corner, and linked it in the startup folder for the Limited User account.  The result is that when that user logs in, the script opens LiveUpdate (which I've set to run in Express Mode so all the luser has to do is watch) as the Admin user.  [Sidenote: if Norton's ScriptBlocking is running, you need to run the script once as the Admin user so you can set Norton to permit it.]

Yes, it's a horrible hack.  No, no sysadmin in their right mind should do it.  But it'll serve my needs in my rarefied environment, until I can evict Norton's crapware once and for all.

Applying for a PAQ.  Thanks for your contributions all the same.
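Added example, not part of the original thread: a small audit check an administrator could run over startup scripts to find the runas-plus-SendKeys pattern described in the post above, and to flag Script Encoder output, which is obfuscation rather than encryption. The file names and sample contents are constructed, and the check assumes encoded files begin with the `#@~^` marker that Script Encoder output carries.

```python
import re

ENCODED_MARKER = "#@~^"  # Windows Script Encoder output (.vbe/.jse) starts with this
RUNAS_RE = re.compile(r'runas\s+/user:\s*("?)([^\s"]+)\1', re.IGNORECASE)
SENDKEYS_RE = re.compile(r'\.SendKeys\s+"((?:[^"]|"")*)"', re.IGNORECASE)


def audit_script(name, text):
    """Return (severity, message) findings for one script's text."""
    if text.lstrip().startswith(ENCODED_MARKER):
        return [("review", f"{name}: Script Encoder output; the encoding is "
                           "reversible, so treat any embedded secret as exposed")]
    findings, runas_user = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("'"):
            continue  # whole-line VBScript comment
        m = RUNAS_RE.search(line)
        if m:
            runas_user = m.group(2)
            findings.append(("info", f"{name}:{lineno}: runas as {runas_user}"))
        k = SENDKEYS_RE.search(line)
        if k and runas_user:
            # Report that a literal is present, never the literal itself.
            findings.append(("high", f"{name}:{lineno}: literal keystrokes typed "
                                     f"into runas for {runas_user} (stored password)"))
    return findings


# Constructed samples: the first mirrors the script in the post (placeholder
# names only), the second is a fake encoded body, the third is benign.
SAMPLES = {
    "liveupdate.vbs": 'Set WshShell = CreateObject("WScript.Shell")\n'
                      'WshShell.Run "runas /user:MyAdminUser '
                      '""C:\\Program Files\\Symantec\\LiveUpdate\\LUALL.EXE"""\n'
                      'WScript.Sleep 2000\n'
                      'WshShell.SendKeys "MyPassword~"\n',
    "liveupdate.vbe": "#@~^constructed-placeholder-not-real-encoder-output^#~@",
    "hello.vbs": "' SendKeys is only mentioned in this comment\n"
                 'WScript.Echo "hello"\n',
}


def audit_all(samples=SAMPLES):
    return {name: audit_script(name, text) for name, text in samples.items()}


if __name__ == "__main__":
    for results in audit_all().values():
        for severity, message in results:
            print(f"[{severity}] {message}")
```

A "high" finding means the account's password should be changed and the script replaced with a mechanism that does not store it in a file the Limited User can read.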
 
GranMod Commented:
Closed, 500 points refunded.
GranMod
The Experts Exchange
Community Support Moderator of all Ages