Windows Defender Error Message After Deploy via GP

Hello,

I am receiving an error message on my Windows XP SP3 workstations after deploying a software installation of Windows Defender via group policy. I have a Windows 2003 environment and have read many threads without resolving this issue.

Can anyone help?

Thanks!
Error-Message.jpg
katredrumAsked:

B HCommented:
is this being run as an account that has local administrator rights on the machine?

without a whole lot more detail (event logs mainly), you're probably only going to get general suggestions like this one:

have a read thru ALL of this page:
http://www.computerperformance.co.uk/Logon/code/code_80070005.htm
B HCommented:
and, from here:  http://social.technet.microsoft.com/Forums/en-US/itprovistasecurity/thread/391470b9-a577-441e-96ad-12b40ab78c93

which might point to the way the gp pushed the software, didn't write all the files to the workstation


The most common cause for this error (in fact, the /only/ cause I've
actually seen traced), is that the Automatic Updates service is not running
with the LogOn set to the "Local System" account, thus AU cannot install the
updates because it does not have the necessary system permissions.
katredrumAuthor Commented:
I am running the deployment in a domain environment. I'm running the software installation through Group Policy. So I'm not sure what account it's being run as. I would assume it's the built-in System account but not sure.

I basically added Windows Defender to a GPO and deployed it. Windows Defender installed correctly but I am receiving the error when users log into the computer. I also noticed after the error message comes up, if they reboot it doesn't come back again.

I am trying to see if there is a way to eliminate the error message completely.

B HCommented:
how do you know for sure it was installed properly?  can you review the application/system logs just after one finishes installing, look for errors/warnings?

also, it would be good to see the same logs right after it pops up for a user.  it could be a script that is part of the install, trying to "runonce" but using the local user permissions, and they might not be a local administrator
katredrumAuthor Commented:
I have a test computer that was wiped, reloaded and joined to the domain. The event logs state that the application installed successfully. I also found it to update without any errors. Please see event logs. This is why I think it installed successfully.

Windows-Defender.jpg
Windows-Defender-2.jpg
Windows-Defender-update.jpg
katredrumAuthor Commented:
I logged in with another user account as you suggested and I did receive the same error message as when I logged in using a domain admin login. Here is the error log, but I think it's because I have VNC installed on that computer.

Event Type:    Warning
Event Source:    WinDefend
Event Category:    None
Event ID:    1006
Date:        4/1/2010
Time:        4:33:13 PM
User:        N/A
Computer:    
Description:
Windows Defender scan has detected spyware or other potentially unwanted software.
 For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=RemoteAccess:Win32/RealVNC&threatid=7480
     Scan ID: {9BC0D965-614F-41E7-BB15-540B238EE777}
     Scan Type: AntiSpyware
     Scan Parameters: Quick Scan
     User: NT AUTHORITY\SYSTEM
     Name: RemoteAccess:Win32/RealVNC
     ID: 7480
     Severity: Medium
     Category: Remote Control Software
     Path Found: process:pid:520;process:pid:1896;regkey:HKLM\SYSTEM\CurrentControlSet\Services\WinVNC4;regkey:HKLM\Software\RealVNC;service:WinVNC4;file:C:\Program Files\realvnc\vnc4\wm_hooks.dll;file:C:\Program Files\realvnc\vnc4\winvnc4.exe;file:C:\Program Files\realvnc\vnc4\vncconfig.exe;file:C:\Program Files\realvnc\vnc4\logmessages.dll;file:C:\Documents and Settings\All Users\Start Menu\programs\realvnc\vnc server 4 (user-mode)\Run VNC Server.lnk;file:C:\Documents and Settings\All Users\Start Menu\programs\realvnc\vnc server 4 (user-mode)\Configure User-Mode Settings.lnk;file:C:\Documents and Settings\All Users\Start Menu\programs\realvnc\vnc server 4 (service-mode)\Unregister VNC Service.lnk;file:C:\Documents and Settings\All Users\Start Menu\programs\realvnc\vnc server 4 (service-mode)\Stop VNC Service.lnk;file:C:\Documents and Settings\All Users\Start Menu\programs\realvnc\vnc server 4 (service-mode)\Start VNC Service.lnk;file:C:\Documents and Settings\All Users\Start Menu\programs\realvnc\vnc server 4 (service-mode
     Detection Type: Concrete

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:    Warning
Event Source:    WinDefend
Event Category:    None
Event ID:    1006
Date:        4/1/2010
Time:        4:33:13 PM
User:        N/A
Computer:    P-390-1V89BF1
Description:
Windows Defender scan has detected spyware or other potentially unwanted software.
 For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=RemoteAccess:Win32/RealVNC&threatid=7480
     Scan ID: {9BC0D965-614F-41E7-BB15-540B238EE777}
     Scan Type: AntiSpyware
     Scan Parameters: Quick Scan
     User: NT AUTHORITY\SYSTEM
     Name: RemoteAccess:Win32/RealVNC
     ID: 7480
     Severity: Medium
     Category: Remote Control Software
     Path Found: process:pid:520;process:pid:1896;regkey:HKLM\SYSTEM\CurrentControlSet\Services\WinVNC4;regkey:HKLM\Software\RealVNC;service:WinVNC4;file:C:\Program Files\realvnc\vnc4\wm_hooks.dll;file:C:\Program Files\realvnc\vnc4\winvnc4.exe;file:C:\Program Files\realvnc\vnc4\vncconfig.exe;file:C:\Program Files\realvnc\vnc4\logmessages.dll;file:C:\Documents and Settings\All Users\Start Menu\programs\realvnc\vnc server 4 (user-mode)\Run VNC Server.lnk;file:C:\Documents and Settings\All Users\Start Menu\programs\realvnc\vnc server 4 (user-mode)\Configure User-Mode Settings.lnk;file:C:\Documents and Settings\All Users\Start Menu\programs\realvnc\vnc server 4 (service-mode)\Unregister VNC Service.lnk;file:C:\Documents and Settings\All Users\Start Menu\programs\realvnc\vnc server 4 (service-mode)\Stop VNC Service.lnk;file:C:\Documents and Settings\All Users\Start Menu\programs\realvnc\vnc server 4 (service-mode)\Start VNC Service.lnk;file:C:\Documents and Settings\All Users\Start Menu\programs\realvnc\vnc server 4 (service-mode
     Detection Type: Concrete

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The issue here is that I think Windows Defender is working but the annoying error message comes up upon first login after install. I have also assigned it to the computer just in case you were wondering.


B HCommented:
ok, so it looks like windows defender is seeing your vnc server software, which i assume you put there and want to stay... and windefender is trying to remove it.  staying true to its reputation, it's completely unable to remove it of course... and your user is left with 'access denied'

can you script out to have windefender IGNORE or otherwise allow your vnc stuff?  assuming you want to keep the vnc stuff anyway.

otherwise, upgrade to ultravnc (www.uvnc.com) it -might- not be detected by windefender.

as you see, windefender is ... not really capable... you might be better off going with something else for antispyware.  malwarebytes is real good, and the paid-for version can run in the tray all the time and watch stuff.
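The WinDefend Event ID 1006 entries posted above, and the suggestion to have Defender ignore or allow deliberately installed VNC, both come down to the same triage question: does a "Remote Control Software" detection point at the tool the admins deployed, or at a copy somewhere it should not be? The following is an added example, not code from this thread or from Microsoft. It parses the exported Event Viewer text format shown above and flags a detection only when a file it names sits outside an approved install location. The two sample events are constructed (modelled on the posted entry, with paths shortened and a made-up second scan ID), and the APPROVED_TOOLS list is an assumption standing in for a real software inventory.

```python
"""Triage Windows Defender (WinDefend) Event ID 1006 detections.

Added example, not code from the thread above: separate expected,
admin-deployed remote-control tooling from copies in unexpected places.
"""
import re
from dataclasses import dataclass

# Assumption for illustration: where a deliberately installed tool may live.
# In practice this list comes from your software inventory.
APPROVED_TOOLS = {
    "RemoteAccess:Win32/RealVNC": [
        "c:\\program files\\realvnc\\",
        "c:\\documents and settings\\all users\\start menu\\programs\\realvnc\\",
    ],
}

# Constructed sample in the XP-era exported Event Viewer text format.
# The second event and its scan ID are made up to exercise the "review" branch.
SAMPLE_EVENTS = r"""Event Type:    Warning
Event Source:    WinDefend
Event ID:    1006
Date:        4/1/2010
Time:        4:33:13 PM
User:        N/A
Computer:    P-390-1V89BF1
     Scan ID: {9BC0D965-614F-41E7-BB15-540B238EE777}
     User: NT AUTHORITY\SYSTEM
     Name: RemoteAccess:Win32/RealVNC
     Severity: Medium
     Category: Remote Control Software
     Path Found: process:pid:520;regkey:HKLM\Software\RealVNC;service:WinVNC4;file:C:\Program Files\realvnc\vnc4\winvnc4.exe
Event Type:    Warning
Event Source:    WinDefend
Event ID:    1006
Date:        4/1/2010
Time:        4:40:02 PM
User:        N/A
Computer:    P-390-1V89BF1
     Scan ID: {00000000-0000-0000-0000-000000000000}
     User: NT AUTHORITY\SYSTEM
     Name: RemoteAccess:Win32/RealVNC
     Severity: Medium
     Category: Remote Control Software
     Path Found: service:WinVNC4;file:C:\Documents and Settings\jdoe\Local Settings\Temp\winvnc4.exe
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")


@dataclass
class Detection:
    computer: str
    name: str
    severity: str
    scan_user: str
    paths: list  # (kind, value) pairs from "Path Found", e.g. ("file", "C:\\...")

    def file_paths(self):
        return [value for kind, value in self.paths if kind == "file"]


def split_records(text):
    """One chunk per exported event; each starts at its 'Event Type:' line."""
    chunks = re.split(r"(?m)^Event Type:", text)
    return ["Event Type:" + c for c in chunks if c.strip()]


def parse_event(chunk):
    """Return a Detection for a WinDefend 1006 event, None for any other event."""
    fields = {}
    for line in chunk.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        # "User:" occurs twice: the event header (N/A) and the scanning account.
        if key == "User" and "User" in fields:
            key = "ScanUser"
        fields.setdefault(key, value)
    if fields.get("Event Source") != "WinDefend" or fields.get("Event ID") != "1006":
        return None
    paths = []
    for item in fields.get("Path Found", "").split(";"):
        if item:  # "file:C:\x.exe" -> ("file", "C:\x.exe"); split on first colon only
            kind, _, value = item.partition(":")
            paths.append((kind, value))
    return Detection(fields.get("Computer", ""), fields.get("Name", ""),
                     fields.get("Severity", ""), fields.get("ScanUser", ""), paths)


def classify(det):
    """'expected' when every file path is under an approved location for this
    threat name; otherwise 'review', together with the paths that did not match."""
    approved = APPROVED_TOOLS.get(det.name)
    if approved is None:
        return "review", det.file_paths()
    unexpected = [p for p in det.file_paths()
                  if not any(p.lower().startswith(pre) for pre in approved)]
    return ("review" if unexpected else "expected"), unexpected


def triage(text):
    """Parse exported event text into (computer, threat name, verdict, unexpected paths)."""
    results = []
    for chunk in split_records(text):
        det = parse_event(chunk)
        if det is not None:
            verdict, unexpected = classify(det)
            results.append((det.computer, det.name, verdict, unexpected))
    return results


if __name__ == "__main__":
    for computer, name, verdict, unexpected in triage(SAMPLE_EVENTS):
        print(f"{computer}: {name} -> {verdict} {unexpected}")
```

Feed it the text exported from Event Viewer (or a saved copy of the log posted above) and the first event classifies as expected while the second, a VNC binary running out of a user's Temp directory, is flagged for review. Matching on the threat name plus install path rather than suppressing the threat name outright keeps the signal that matters: the same tool turning up where nobody deployed it.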
katredrumAuthor Commented:
The issue isn't VNC. I just posted that because you asked me to check the logs. I completely uninstalled VNC and redeployed Windows Defender on a newly reformatted machine.

The problem is that I receive the error message above right after I deploy Windows Defender via Group Policy. I would like to know how I can deploy Windows Defender via Group Policy without getting this error message.
katredrumAuthor Commented:
I cannot believe no one else has experienced this and found a solution. I see it posted all over the internet, so I know someone is bound to have found a solution.
Dmitri FarafontovLinux Systems AdminCommented:
Can you post step by step actions and the result?
katredrumAuthor Commented:
Server-side:
  1. Created GPO (Computer Configuration -> Software Settings -> Software Installation -> New Package) as Assigned with the default settings
  2. Disabled User Configuration Settings
  3. Linked GPO to OU that has my test computers
Client-side:
  1. Freshly reformatted computer joined to Domain.
  2. Upon booting up, see managed software being installed
  3. Log in with any user account (even Domain Admin)
  4. See Windows Defender with Error msg (screenshot above)
  5. If I log off and log in as a new user, it will display same error.
  6. If I reboot, error msg will not reappear and works as intended
I would like to eliminate this error msg because even though most of my computers have Windows Defender installed, if I deploy this software installation to a computer that has Windows Defender installed it will display this error message anyway.
Dmitri FarafontovLinux Systems AdminCommented:
Windows Defender requires Genuine Validation. Thus the deployment fails. Please see:
http://forums.techarena.in/tips-tweaks/1020365.htm

katredrumAuthor Commented:
That is amazing that MS makes its own product not pass a GP deployment. I guess it's to cover their IP. Thanks for the explanation.