How to restrict users from removing FCS agent?

  • Question

  • Hi all,

    FCS doesn't block users from removing it. Trend Micro and Symantec both have this function.

    Company MIS wants to make sure that every employee has the same anti-virus program and pattern, and this is a very normal requirement.

    How can I restrict users from uninstalling the FCS agent if they have the local admin permission?

    Thanks.

    David

    Thursday, February 22, 2007 4:18 PM

All replies

  • We are in the same situation.  How can we lock down the client from being uninstalled?  Password protection (like Symantec AV) or no "Remove" option on Add/Remove programs (like Webroot AntiSpyware).

    What can we do?

    Thanks.
    Tuesday, July 7, 2009 7:20 PM
  • You could just prevent users from running as local admins, which would essentially prevent them from installing or uninstalling any software.
    Tuesday, July 7, 2009 7:47 PM
  • That's not going to be possible here, unfortunately.  We had Symantec which was password protected.  We have Webroot installed now alongside Forefront that doesn't give the option to uninstall from Add/Remove programs - even for local admins (a removal utility must be used).
    Tuesday, July 7, 2009 8:17 PM
  • The threat of employment termination works well in my organization...

    Seriously, I would just remove the Uninstaller references. I don't know how to do this on a global basis but you could use a tool like CCleaner for individual machines.

    -Mike Tanis
    Wednesday, July 8, 2009 3:38 PM
  • http://blogs.microsoft.co.il/blogs/yanivf/archive/2009/01/09/temper-protection-in-forefront-client-security.aspx works ok.

    Unless you are using a NAP/NAC solution, though, you are realistically deluding yourself if you think that any of these put-in-a-password thingies to uninstall a program is going to stop a local admin from being able to remove a program.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Wednesday, July 8, 2009 6:14 PM
  • You can try to create a GPO (Software Restriction Policies). Put a hash or path rule on the uninstall file.
    Friday, July 10, 2009 12:27 PM