prydom

Forum Replies Created

Viewing 2 posts - 1 through 2 (of 2 total)
  • @hackerman1 wrote:

    Could you please explain #2 ?
    There is no “deny rights” on your own user account in the original post.
    It says “deny read rights” for ADMIN.

    If you carefully followed Scimitar’s instructions (the step in question is below) you should have had a “Deny Read” permission on your own user account. If you are unsure how to remove that permission, the way I did it was to promote another unprivileged user account to administrator and then remove the permission on my local administrator account.

    @Scimitar wrote:

    […] Now change the permissions of the folder “ProductOptions” –> add your user account (for example Computername\Username) and deny yourself the read rights for the whole folder. Be careful not to deny the whole rights for all administrators or something like that […]

    @hackerman1 wrote:

    Could you please explain #3 ?
    Where should “NT SERVICE\avast! Antivirus” be added ?

    Pictures tell an entire written tutorial. 🙂

    (Imgur album) I took the screenshots on a Windows 7 laptop but the process is the same.

    I noticed that with the newest update to Avast (Version 8) that the update mechanism now also does a check on that registry key. Furthermore, because this check is run within the Avast service, not the interactive “AvastUI.exe”, it ignores the deny permissions that we have set. This was not a problem on version 7. Luckily, on Server 2008 R2 and up (according to this Stack Exchange post), there is a way to set permissions that only affect a single service! I have verified that these steps have no side effects on my server and quite possibly less effect than the original solution due to only restricting permission on the avast process. The steps are as follows:

    1. Install or upgrade the antivirus software in accordance with the instructions in the OP
    2. Remove the “Deny read” permission on your own user account
    3. Add this new entity to the permissions list: “NT SERVICE\avast! Antivirus”, for the case of Avast 8. Additionally, if a member of a domain or a domain controller, change the search scope (the “Locations…” button) to your local server instead of the Active Directory.
    4. Click “Check Names”
    5. Click Ok and set the “Deny Read” permission.
    6. Update Avast!

    P.S. I don’t use any of the other free antiviruses on my server but if Avira or other antiviruses use a service to gain full “NT AUTHORITY\SYSTEM” this may help bypass any checks they may do without affecting other processes or destroying the integrity of the binaries. Btw, I’m running Windows Server 2012 Essentials.

    -Prydom
    prydom.net
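
An added example, not part of the original post: the “NT SERVICE\<name>” entity in step 3 resolves to a per-service SID that Windows derives from the service name, so an administrator can audit a key's SDDL (for example the `Sddl` property returned by PowerShell's `Get-Acl`) for Deny ACEs and tell whether each one targets a single service or a user account. The SDDL strings and the user SID below are constructed samples, and the function names are hypothetical.

```python
import hashlib
import re
import struct


def service_sid(service_name):
    """Per-service SID: S-1-5-80- followed by the SHA-1 of the upper-cased,
    UTF-16LE service name, read as five little-endian 32-bit integers."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    return "S-1-5-80-" + "-".join(str(n) for n in struct.unpack("<5I", digest))


def deny_aces(sddl):
    """List every deny ACE in an SDDL string and flag service-scoped ones."""
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        # ACE layout: type;flags;rights;object_guid;inherit_guid;trustee
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] not in ("D", "OD"):
            continue  # keep only access-denied ACEs
        trustee = fields[5]
        findings.append({
            "trustee": trustee,
            "rights": fields[2],
            "service_scoped": trustee.startswith("S-1-5-80-"),
        })
    return findings


# Service name taken from the post; everything else is constructed.
AVAST_SID = service_sid("avast! Antivirus")
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed

# Constructed SDDL: Deny Read (KR) on a user account, as in the OP's method.
SDDL_USER_DENY = f"O:BAG:SYD:PAI(D;CI;KR;;;{USER_SID})(A;CI;KA;;;BA)(A;CI;KA;;;SY)"
# Constructed SDDL: Deny Read scoped to the single service, as in steps 2-5.
SDDL_SERVICE_DENY = f"O:BAG:SYD:PAI(D;CI;KR;;;{AVAST_SID})(A;CI;KA;;;BA)(A;CI;KA;;;SY)"

if __name__ == "__main__":
    for label, sddl in (("user", SDDL_USER_DENY), ("service", SDDL_SERVICE_DENY)):
        for finding in deny_aces(sddl):
            print(label, finding)
```

A Deny ACE whose trustee starts with `S-1-5-80-` restricts only the named service, while one on an `S-1-5-21-` account restricts that account in every process it runs.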
