Wednesday, April 07, 2004
Automating SpyBot over a network
Although most of our users are well behaved and will not download and install programs off the Internet if I ask them not to, enough of them will, in spite of our best efforts at user education, continue to download and install programs such as games, screen savers, IE toolbars, weather reporting programs and other programs bundled with adware and spyware onto their machines. For reasons more political than technical, we have not been able to use policy-based solutions to block our users from installing software onto their machines.
To date, whenever we have encountered machines that have become polluted with adware and spyware to the extent that they are no longer useable workstations, we have manually removed this junk using various tools, including SpyBot Search and Destroy. Even though using Spybot manually is effective, with the continuing spread of adware- and spyware-infested downloads it is becoming tedious to run it by hand every time a user calls in complaining about their machine running too slow or having too many pop-ups. This led me to investigate whether there was a way to install and run Spybot automatically over our network, for example using Novell ZenWorks and a series of batch files. I noticed in Spybot’s FAQ that there are a bunch of command line parameters that should make this possible. There is also a discussion forum for Spybot and other spyware-removal tools which has a thread discussing network installations of Spybot. I used this list of command line parameters and the information found in this forum as a starting point. My goal was to automate the installation of Spybot and to run it automatically as unobtrusively and invisibly as possible. Ideally I wanted my users to not even know that it was there and running, and to have any programs with adware and spyware simply disappear.
To do this I am using two ZenWorks policies, one to install Spybot and another to run it. Although I used ZenWorks, I am sure that this can be adapted for other network environments as well. Our network environment consists of a Novell NetWare 6.0 server with ZenWorks for Desktops 3.2 and approximately 400 Windows 2000 and XP clients. We have very few 9x and NT clients left as well, which I will omit here for the sake of not making things more complicated than necessary. I am using the now current version of Spybot, which is version 1.2, with the updates available in February and March 2004. By the time you read this, a newer version and additional updates may be available, which may have changed some of my findings.
The Spybot installation program, which is called spybotsd12.exe, has a number of command line parameters available. Some of these are /silent, which will cause the Installation Wizard not to be shown; /verysilent, which will cause nothing except error messages to be shown; /nocancel, which will disable the Cancel and Close buttons; and /noicons, which claims not to install any icons for the installed software. I tried the /noicons parameter, and with it no start menu group or icons were created, but an icon was still placed on the desktop. After discussing this with my boss, he told me that he did want icons to be installed, so I stopped using the /noicons parameter. If you want a completely invisible installation, you could probably write a script that deletes the desktop icon after installation.
Simply creating a ZenWorks policy that pushes out spybotsd12.exe with the /verysilent and /nocancel parameters alone will install Spybot, however it will create a problem if your goal is to allow Spybot to run as unobtrusively as possible.
When Spybot Search and Destroy is installed with the default settings, it is installed in C:\Program Files\Spybot - Search & Destroy. After it is run for the first time, a configuration file called configuration.ini is created, once the program is exited, at C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy. This configuration file contains settings that the program uses when it is executed. There are also command line parameters that can be used to control the manner in which the program runs, including one called /autocheck, which lets Spybot automatically check for, download and install any available updates prior to performing its scans. The problem is that if updates are available and downloaded, the program will automatically exit and restart in order for these updates to become active, and when the program is automatically restarted, it ignores any command line parameters that were passed and instead uses the settings in the configuration.ini file. With the default settings in the configuration.ini file, Spybot will restart with a full GUI with all buttons available in the user interface and nothing automated, which is not what I wanted.
To get around this, a customized configuration.ini file will need to be installed after Spybot is installed and before it is run for the first time. To do so, I created a ZenWorks policy that does not run the Spybot installer directly, but calls a batch file which runs the installer, then creates the specific directory for the configuration.ini file and copies a customized configuration.ini file from the install point on the server into this directory. You can give this batch file any name you want; I called mine SBinst.bat, and it contains the following lines:
@Echo OFF
IF EXIST "C:\sbinst.txt" GOTO END
z:\ZenPols\spybotsd12.exe /verysilent /nocancel
md "c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy"
copy Z:\ZenPols\Configuration.ini "c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Configuration.ini"
ECHO installed > c:\sbinst.txt
:END
EXIT
To create this custom configuration.ini file, I first created a default configuration.ini file by installing Spybot manually with a default installation on a test machine and then running it manually and exiting it. I then copied this default configuration file to my install point on my server (which can be anywhere on your server that your users have read and execute permission; I used Z:\ZenPols) and edited it with the following changes:
In the section [Main]
Legals=1
Confirmation=0
In the section [Automation\ProgramStart]
AutoCheck=1
AutoFix=1
DontAsk=1
AutoClose=1
In the section [Automation\WebUpdate]
AutoCheck=1
AutoDownload=1
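The settings listed above can be checked on the edited file before it is copied to the install point. This is an added example, not part of the original post: find_problems and both sample files are constructed here, and section and key names are assumed to be matched without regard to case, as the Windows profile API does.

```python
"""Check a customized Spybot S&D Configuration.ini before deployment (added example)."""
import configparser
import sys

# The changes listed in the article, keyed by section. AutoCheck appears in two
# sections, so the check must be section-aware rather than a plain text search.
REQUIRED = {
    "Main": {"Legals": "1", "Confirmation": "0"},
    r"Automation\ProgramStart": {
        "AutoCheck": "1", "AutoFix": "1", "DontAsk": "1", "AutoClose": "1",
    },
    r"Automation\WebUpdate": {"AutoCheck": "1", "AutoDownload": "1"},
}

# Constructed sample: a file carrying every change from the article.
SAMPLE_CUSTOMIZED = r"""
[Main]
Legals=1
Confirmation=0
[Automation\ProgramStart]
AutoCheck=1
AutoFix=1
DontAsk=1
AutoClose=1
[Automation\WebUpdate]
AutoCheck=1
AutoDownload=1
"""

# Constructed sample (not Spybot's real defaults): only [Automation\WebUpdate]
# was edited, so searching the text for "AutoCheck=1" would still succeed.
SAMPLE_UNEDITED = r"""
[Main]
Legals=0
Confirmation=1
[Automation\ProgramStart]
AutoCheck=0
AutoFix=0
[Automation\WebUpdate]
AutoCheck=1
AutoDownload=1
"""


def find_problems(ini_text):
    """Return one message per missing or wrong setting; an empty list means OK."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True, delimiters=("=",)
    )
    try:
        parser.read_string(ini_text)
    except configparser.Error as exc:
        return [f"cannot parse file: {type(exc).__name__}"]

    # Assumption: names are case-insensitive, so fold sections and keys.
    actual = {}
    for section in parser.sections():
        keys = actual.setdefault(section.lower(), {})
        for key, value in parser.items(section):
            keys[key.lower()] = (value or "").strip()

    problems = []
    for section, wanted in REQUIRED.items():
        found = actual.get(section.lower())
        if found is None:
            problems.append(f"[{section}] section is missing")
            continue
        for key, value in wanted.items():
            got = found.get(key.lower())
            if got is None:
                problems.append(f"[{section}] {key} is not set (want {value})")
            elif got != value:
                problems.append(f"[{section}] {key}={got} (want {value})")
    return problems


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the unedited sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="cp1252", errors="replace") as handle:
            text = handle.read()
    else:
        text = SAMPLE_UNEDITED
    found = find_problems(text)
    print("\n".join(found) if found else "all required settings present")
    sys.exit(1 if found else 0)
```
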
Once I had my customized configuration.ini file, my installer batch file and the Spybot installation program in my installation point on my server, I created a ZenWorks policy which I called Spybot Installer, for which I selected the Run Hidden run option and which I specified to run once. With this policy, the next time any user associated with it logs in, Spybot is installed with the custom configuration file in a perfectly unobtrusive manner, with no progress bars or other windows on the desktop and no icons on the task bar, and the user doesn’t know anything is going on until the program icon quietly appears on the desktop.
Now, to get the program to run as unobtrusively as possible, a few more tweaks were necessary. My goal was to have the program run with no GUI or windows or progress bars appearing on the desktop, no confirmation or other dialog boxes of any type, and no icons on the task bar; in other words, with no indication whatsoever that anything was going on. I also wanted the program to run with below normal priority so that it would not take resources away from other programs and make the machine appear sluggish to the user.
Some settings in the configuration.ini file would appear to let the program run like this, but I could not get all of them to work as desired when I tested them, for example the Priority= setting in the [Main] section. So once again I resorted to batch files as a workaround, since there is a batch file command with a parameter that does just what I wanted, namely start /belownormal [programname]. I tried to create a file that uses start /belownormal to call the Spybot executable (spybotsd.exe) together with several command line parameters, but I was not able to get that to work as I wanted. Instead I created one batch file that does nothing but call the Spybot executable with a set of command line parameters, and another batch file that uses the start /belownormal command to call the first batch file. Another nice feature of the start command is that it has other switches that go even further to hide the command being called, namely /min, which runs the command minimized, and /b, which starts an application without creating a new window. So I created two batch files, called spybotrun.bat and spybelow.bat, and put them in my Z:\ZenPols installation point on my server.
Spybotrun.bat contains the following lines:
@echo OFF
"C:\Program Files\Spybot - Search & Destroy\spybotsd.exe" /taskbarhide /autoupdate /autocheck /autofix /autoclose
EXIT
Spybelow.bat contains the following lines:
@Echo Off
start /belownormal /MIN /b z:\ZenPols\spybotrun.bat
EXIT
I then created another ZenWorks policy called Spybot run unattended which calls the spybelow.bat file with the Run Hidden run option. I used the run hidden option so that no command window will be displayed on the user’s desktop while Spybot is being run. I also gave this policy an availability requirement that the Spybot Installer must already have been installed.
You may have noticed that having this availability requirement as well as the IF EXIST command in the SBinst.bat file appears to be redundant. However, in my testing I noticed that even though I specified the Spybot Installer policy to run once, it sometimes ran again and caused a conflict with the Spybot program trying to run, which in turn popped a dialog box onto the desktop. Once I put the IF EXIST command in the SBinst.bat file to check that the Spybot installer has already run, this problem no longer existed.
Once I had all of these pieces set up, it was time to test this system. My testing yielded the following results:
- On machines with either no spyware or only minimal spyware, the system ran as expected, namely once Spybot was installed it would run automatically every time the user logs in, without displaying any windows, progress bars or task bar icons and it ran with below normal priority, not causing any noticeable decrease in performance to the end user. The only way to tell that it was running was to look in Task Manager.
- When a new update is available, Spybot downloads and installs it automatically. On the day that a new update became available, the mirror from which it was downloaded was very busy, causing Spybot to appear to be Not Responding in Task Manager. The program had not crashed, however, and Spybot was able to download the update eventually (after approx. 30 minutes). Once the update had installed, Spybot exited and restarted, but upon restart a Spybot window with a progress bar and without any buttons or menus was displayed on screen until Spybot was done. Unfortunately there is no setting in the configuration.ini file that corresponds to the /taskbarhide command line parameter, which causes nothing to be displayed on screen.
- I intentionally downloaded and installed Hotbar, Bonzi Buddy, Gator eWallet and Comet Cursors onto my machine, which are all spyware-laden programs that I have encountered far too often in the field on my users’ machines. I used this combination of programs to test a ‘worst case scenario,’ since Spybot will not clean all of these programs off of a machine during its first scan; if used manually, after first scanning the machine it will prompt for a reboot and then scan again after the user has logged back on and before a desktop is displayed. I first tested this heavily polluted scenario by doing nothing but displaying Task Manager after logging on to the machine. In this case most of these spyware programs were removed automatically after Spybot had finished. The program simply exited when done, neither prompting for a reboot nor spontaneously rebooting. After logging off of the machine and back on, Spybot ran with a progress bar and without any buttons or menus displayed on screen after login and before the desktop was displayed. In this case it is better to have a progress bar displayed, since otherwise the machine will display only an empty screen for 6-7 minutes while Spybot is running and before the desktop is displayed, which in turn would cause most of my users to think that the machine had crashed. After the user is logged in and the desktop is displayed, Spybot would run yet again, but with below normal priority and without displaying anything, which did not represent a problem.
- I tested my machine again with Hotbar, Bonzi Buddy, Gator eWallet and Comet Cursors installed, and this time checked my email several times with Outlook and surfed the Web with Internet Explorer by going to different random websites several times a minute while Spybot was running. This more closely mirrors the way a typical user would use a workstation rather than the previous scenario. In this case Spybot would run with below normal priority and without displaying anything on screen and without causing any noticeable performance decrease. Once Spybot had finished, the spyware programs were still installed. However, when I logged off and back on again, Spybot was triggered to run again after I had logged in and before the desktop was displayed, as described above, and all of the spyware programs were gone after the desktop was displayed.
- I also discovered that in any scenario, while Spybot is running it will first need to be killed with Task Manager if the machine needs to be rebooted for any reason before Spybot has finished.
I am hoping that we will soon deploy this automated installation of Spybot in our Division, and once we do I hope that it will drastically reduce the number of calls I receive about slow, sluggish or pop-up infested machines due to too much adware and spyware installed.
If you have any questions, comments or suggestions, I would appreciate any feedback.