AppNote: Automating the Installation and Execution of Spybot Search & Destroy with ZENworks
Novell Cool Solutions: AppNote
By Bill Geschwind
Posted: 11 Aug 2004
University of North Carolina at Chapel Hill
Division of Student Affairs
The objective of this article is to outline how to install and run Spybot Search & Destroy remotely, automatically and as unobtrusively as possible using ZENworks for Desktops.
- The problem
- The solution
- Network environment
- Installation policy
- Run policy
- Test results
In recent times, more and more supposedly free applications that can be downloaded via the Internet, such as games, screen-savers, IE toolbars and weather reporting programs, are bundled with adware and spyware, and the user downloading and installing the application may not even be aware that adware and spyware are being installed. In spite of our best efforts in user education, asking our users to be careful while surfing the web and not to install such applications, it has gotten to the point that numerous client machines on the network have enough adware and spyware installed to have a significant negative impact on the performance and even usability of the machine. Although it may at first seem obvious to configure the client machines and the user accounts in such a way that the user does not have rights to install software, in a large public university this may not always be possible for reasons more political than technical.
Spyware and adware have become so prevalent in recent times that administrators and technicians are spending an excessive amount of time manually removing this malware from polluted machines. There are a number of applications available, including well respected free applications such as Ad-aware by Lavasoft and Spybot Search & Destroy, which have proven to be effective tools to remove this malware. These free applications, however, are designed for individual users and do not contain any enterprise management functions that allow the application to be distributed and managed from a central location. Unfortunately Ad-aware, which is an excellent tool, is free for personal use but not for institutional or corporate use. Spybot Search & Destroy, however, is free even for institutional and corporate use. Neither of these applications will remove all adware and spyware; both will remove most of it, both will remove some objects that the other will miss, and either does a sufficient job to return a severely polluted machine to a usable state.
Using a series of batch files and ZENworks for Desktops, Spybot Search & Destroy, which is available at http://www.safer-networking.org, can be installed and managed from a central location and executed automatically.
While researching whether it was possible to automate Spybot Search & Destroy in any way, I noticed in the FAQ section of the site from where Spybot is available that there are a number of command line parameters that should make this possible (see http://www.safer-networking.org/index.php?page=faq). I used this list of command line parameters and information found in forums as a starting point. My goal was to automate the installation of Spybot and to run it automatically as unobtrusively and invisibly as possible. Ideally I wanted my users to not even know that it was there and running and to have any programs with adware and spyware simply disappear. This can be achieved using two ZENworks policies, one to install Spybot and another to run it.
Our network environment consists of a Novell NetWare 6.0 server with ZENworks for Desktops 3.2 and approximately 400 Windows 2000 and XP clients. We have very few 9x and NT clients left as well, which I will omit here for the sake of not making things more complicated than necessary. I originally got this to work with the then-current and now previous version of Spybot, version 1.2, and I tested it again with the now current version 1.3 and found my results for the most part to be the same. However, there is no telling how future versions of Spybot will work, so any implementations will need to be tested again whenever a new version of Spybot is released. Once a new version is released, it is advisable to switch to it as soon as reasonably possible, since updates will likely no longer be available for the previous versions and as a result they will be of little practical use.
The Spybot installation program, the current version of which is called spybotsd13.exe, has a number of command line parameters available. Some of these are /silent, which will cause the Installation Wizard not to be shown; /verysilent, which will cause nothing except error messages to be shown; /nocancel, which will disable the Cancel and Close buttons; and /noicons, which claims not to install any icons for the installed software. I tried the /noicons parameter, and with it no start menu group or icons were created; however, an icon was still placed on the desktop. After discussing this with my supervisor, I was told that he did want icons to be installed, so I stopped using the /noicons parameter. A completely invisible installation should nevertheless be possible with a script that deletes the desktop icon after installation.
Simply creating a ZENworks policy that pushes out spybotsd13.exe with the /verysilent and /nocancel parameters alone will install Spybot; however, it will create a problem if the goal is to allow Spybot to run as unobtrusively as possible.
When Spybot Search and Destroy is installed with the default settings, it is installed in C:\Program Files\Spybot - Search & Destroy. After it is run for the first time, a configuration file called configuration.ini is created, once the program is exited, at C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy. This configuration file contains settings that the program uses when it is executed. There are also command line parameters that can be used to control the manner in which the program runs, including one called /autocheck, which lets Spybot automatically check for, download and install any available updates prior to performing its scans. The problem is that if updates are available and downloaded, the program will automatically exit and restart in order for these updates to become active, and when the program is automatically restarted, it ignores any command line parameters that were passed and instead uses the settings in the configuration.ini file. With the default settings in the configuration.ini file, Spybot will restart with a full GUI with all buttons available in the user interface and nothing automated.
To get around this, a customized configuration.ini file will need to be installed after Spybot is installed and before it is run for the first time. To do so, create a ZENworks policy that does not run the Spybot installer directly but calls a batch file, which runs the installer, creates the directory for the configuration.ini file, and copies a customized configuration.ini file from the install point on the server into that directory. The batch file can be given any name, for example SBinst.bat, and it should contain the following lines:
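One way to write the installer batch file described above, as an added example (this is not the author's original SBinst.bat listing). It assumes the Z:\ZenPols install point the article uses for illustration; testing for spybotsd.exe as the "already installed" check is an assumption standing in for the IF EXIST guard the article mentions.

```batch
@echo off
rem SBinst.bat - added example, not the article's original listing.
rem Installs Spybot silently, then drops the customized configuration.ini
rem in place before the program is ever started.
setlocal

rem Install point on the server (illustrative path from the article).
set "SRC=Z:\ZenPols"
set "INSTALLER=%SRC%\spybotsd13.exe"

rem Default locations named in the article (Windows 2000/XP layout).
set "APPDIR=%ProgramFiles%\Spybot - Search & Destroy"
set "CFGDIR=%ALLUSERSPROFILE%\Application Data\Spybot - Search & Destroy"

rem Guard against the policy firing more than once: if the executable is
rem already present, do nothing. (Which file to test is an assumption.)
if exist "%APPDIR%\spybotsd.exe" goto :eof

rem Fail early if the share is unreachable or the installer is missing.
if not exist "%INSTALLER%" exit /b 2
if not exist "%SRC%\configuration.ini" exit /b 2

rem /verysilent shows nothing but errors; /nocancel disables Cancel/Close.
"%INSTALLER%" /verysilent /nocancel
if errorlevel 1 exit /b 1

rem Create the settings directory and copy the customized file into it,
rem so the first run (and any restart after an update) uses these settings.
if not exist "%CFGDIR%" mkdir "%CFGDIR%"
copy /y "%SRC%\configuration.ini" "%CFGDIR%\configuration.ini" >nul
if errorlevel 1 exit /b 3

exit /b 0
```

Every client executes whatever sits in the install point, so users need read and execute permission there but should not be able to write to it.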
To create this custom configuration.ini file, first create a default configuration.ini file by installing Spybot manually with a default installation on a test machine and then running it manually and exiting it. Then copy this default configuration file to the install point on the server (which can be anywhere on the server where users have read and execute permission; for purposes of illustration Z:\ZenPols is used here) and edit it with the following changes:
In the section [Main]
In the section [Automation\ProgramStart]
In this section create an additional line as follows:
In the section [Automation\WebUpdate]
Once the customized configuration.ini file is created and placed together with the installer batch file and the Spybot installation program in the installation point on the server, create a ZENworks policy, which can be called Spybot Installer, select the Run Hidden run option and specify it to run once. With this policy, the next time any user associated with it logs in, Spybot is installed with the custom configuration file in a perfectly unobtrusive manner, with no progress bars or other windows on the desktop and no icons on the task bar, and the user doesn't know anything is going on until the program icon quietly appears on the desktop.
Now, to get the program to run as unobtrusively as possible, a few more tweaks are necessary. The goal is to have the program run with no GUI or windows or progress bars appearing on the desktop, no confirmation or other dialog boxes of any type, and no icons on the task bar; in other words, with no indication whatsoever that anything is going on. I also want the program to run with below normal priority so that it will not take away resources from other programs and make the machine appear to run sluggishly to the user.
There are several settings available in the configuration.ini file which would appear to let the program run in this manner; however, testing revealed that they did not work as desired, for example the Priority= setting in the [Main] section. So, once again, batch files can be used as a workaround. There is a batch file command with a parameter that allows the program to run as desired, namely start /belownormal [program name]. My testing revealed that creating a file that uses start /belownormal to call the Spybot executable (spybotsd.exe) together with several command line parameters will not work as desired. Instead, you can create one batch file that does nothing but call the Spybot executable with a set of command line parameters and another batch file that uses the start /belownormal command to call the first batch file. Another nice feature of the start command is that it has other switches that go even further to hide the command being called, namely /min, which runs the command minimized, and /b, which starts an application without creating a new window. So, create two batch files, one called spybotrun.bat and the other called spybelow.bat, and put them in the installation point on your server.
Spybotrun.bat should contain the following lines:
Spybelow.bat should contain the following lines:
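The two-stage launch described above, as an added example rather than the author's original listings. It is a one-file variant: spybelow.bat relaunches itself with a "worker" argument (a name chosen for this example), and that second stage plays the role of spybotrun.bat.

```batch
@echo off
rem spybelow.bat - added example, not the article's original listing.
rem Stage 1 relaunches this file at below-normal priority. Stage 2 (the
rem "worker" argument, a name chosen for this example) does the job the
rem article gives to spybotrun.bat and starts Spybot.
setlocal

if /i "%~1"=="worker" goto worker

rem Stage 1: /belownormal lowers the priority class, /min and /b keep the
rem child from opening a visible window. The empty "" is the window title,
rem which start expects before a quoted command. Using cmd /c makes the
rem child shell exit when the worker stage finishes.
start "" /belownormal /min /b cmd /c ""%~f0" worker"
goto :eof

:worker
rem Default install path given in the article.
set "SPYBOT=%ProgramFiles%\Spybot - Search & Destroy\spybotsd.exe"

rem Nothing to do if the installer policy has not run on this machine.
if not exist "%SPYBOT%" exit /b 1

rem Spybot is started by a shell that is already below normal priority,
rem so it inherits that priority class. Only the switches named in the
rem article are used here; confirm any others against the Spybot FAQ and
rem test them before deployment.
"%SPYBOT%" /taskbarhide /autocheck
exit /b %errorlevel%
```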
Next, create another ZENworks policy, which can be called Spybot run unattended, which calls the spybelow.bat file with the Run Hidden run option. Use the run hidden option so that no command window will be displayed on the user's desktop while Spybot is being run. Also, give this policy an availability requirement that the Spybot Installer must already have been installed, as shown below.
You may have noticed that having this availability requirement as well as the IF EXIST command in the SBinst.bat file may appear to be redundant. However, my testing revealed that even though the Spybot Installer policy is configured to run once, it sometimes runs multiple times and causes a conflict with the Spybot program trying to run, which in turn displays a dialog box on the desktop. This problem no longer occurs once the IF EXIST command is placed in the SBinst.bat file to check that the Spybot installer has already run.
If no scheduling parameters are specified in the Spybot run unattended policy, the policy will be run whenever the user first logs in. If you want to run Spybot at a specific time every day, you can specify a schedule in the Availability tab as shown in the following illustration. In this case Spybot is run on the specified days within 15 minutes of 11:00 am.
Once I had all of these pieces set up, it was time to test this system. My testing yielded the following results:
- On machines with either no spyware or only minimal spyware, the system ran as expected, namely once Spybot was installed it would run automatically every time the user logs in. In version 1.2 no windows, progress bars or task bar icons were displayed at all. With the now current version 1.3 a window appears briefly upon startup indicating that Spybot is being loaded and another window appears briefly immediately thereafter indicating that the program is updating itself. With both versions the program then ran with below normal priority, not causing any noticeable decrease in performance to the end user. The only way to tell that it was running was to look in Task Manager.
- When a new update is available, Spybot downloads and installs it automatically. On the day that a new update became available in version 1.2 the mirror from which it was downloaded was very busy, causing Spybot to appear to be Not Responding in Task Manager, however the program had not crashed and Spybot was able to download the update eventually (after approx. 30 minutes). Once the update had installed, Spybot exited and restarted, however upon restart a Spybot window with a progress bar and without any buttons or menus was displayed on screen until Spybot was done. Unfortunately there is no setting in the configuration.ini file that corresponds to the /taskbarhide command line parameter, which causes nothing to be displayed on screen. I have not been able to test version 1.3 on a day when a new update becomes available, however I expect a similar result with the current version.
- I intentionally downloaded and installed Hotbar, Bonzi Buddy, Gator eWallet and Comet Cursors onto my machine, which are all spyware-laden programs that I have encountered far too often in the field on my users' machines. I used this combination of programs to test a 'worst case scenario,' since Spybot will not clean all of these programs off of a machine during its first scan, and if used manually after first scanning the machine will prompt for a reboot and then scan again after the user has logged back on and before a desktop is displayed. I first tested this heavily polluted scenario with doing nothing but displaying Task Manager after logging on to the machine.
In this case most of these spyware programs were removed automatically and silently after Spybot had finished. With version 1.2 the program simply exited when done, neither prompting for a reboot nor spontaneously rebooting. While testing version 1.3 what appeared to be several Spybot error messages appeared, which could be closed by clicking on the only available button (OK), however these error messages are not Spybot messages, but rather the spyware being removed complaining about being removed, and disguising its error messages to appear to be Spybot error messages.
In Version 1.3 Comet Cursors displayed an error message without trying to disguise it as a Spybot error message. I suspect that this problem is not due to changes in Spybot from version 1.2 to 1.3, but rather due to changes made to the specific malware programs at the same time. After logging off of the machine and back on, version 1.2 of Spybot ran with a progress bar and without any buttons or menus displayed on screen after login and before the desktop was displayed. In version 1.3 the window contains a "Stop check" button, and I have not found any way to disable this button. In either case it is better to have a progress bar displayed, since otherwise the machine will display only an empty screen for 6-7 minutes while Spybot is running and before the desktop is displayed, which in turn would cause most users to think that the machine had crashed. After the user is logged in and the desktop is displayed, Spybot would run yet again, however with below normal priority and without displaying anything, which did not present a problem.
Here are a few examples of the error messages that I encountered while running version 1.3:
Here is the Window that Spybot version 1.3 displayed while running after having been rebooted:
- I tested my machine again with Hotbar, Bonzi Buddy, Gator eWallet and Comet Cursors installed, and this time checked my email several times with Outlook and surfed the Web with Internet Explorer by going to different random web sites several times a minute while Spybot was running. This more closely mirrors the way a typical user would use a workstation rather than the previous scenario. In this case Spybot would run with below normal priority and without causing any noticeable performance decrease and in the case of version 1.2 without displaying anything on screen and in version 1.3 showing the same windows as described above. Once Spybot had finished, the spyware programs were still installed. However, when I logged off and back on again, Spybot was triggered to run again after I had logged in and before the desktop was displayed, as described above, and all of the spyware programs were gone after the desktop was displayed.
- I also discovered that in any scenario, while Spybot is running it will first need to be killed with Task Manager if the machine needs to be rebooted for any reason before Spybot has finished.
- When Spybot is run manually by double-clicking on the desktop icon, it will launch and display the window with the progress bar and the [Stop check] button instead of its full GUI. Once the scan has been completed the GUI as shown in the following illustration will be displayed.
Spybot Search and Destroy is an effective tool for removing spyware and adware from computers and returning a heavily polluted machine to a usable state. The current version of the Spybot program does not contain any functions to install, run and manage it over a network from a central point. This can be done effectively using ZENworks for Desktops in combination with a series of batch files, in such a way that the installation is unobtrusive and users whose machines are not infested with spyware and adware do not suffer decreased performance while the program is running.
Spybot Search & Destroy program web site: http://www.safer-networking.org