5 replies to this topic

[AbSoLu]

I have a question about the real interest of creating a MSI package for an anti-virus : many antivirus update themselves, so they often modify their signature database file, and sometimes their programs (.exe files). If you create a MSI install for NAV, for example, it is a "best-practice" to set each .exe file as a component key file, to allow auto-repair.

The problem is : if the anti-virus modify its own executable files when updating, Windows Installer will "repair" them and you will have some sort of "incomplete upgrade" (in my opinion, it is not acceptable).

Am I wrong somewhere ? Or maybe is this the reason why Symantec does not support MSI install ?

Any help or comment would be great !

[Zweitze]

You should update your executables through MSI, eg. patches or upgrades. If you insist on updating files outside the Windows Installer, autorepair may restore the original version, as you noticed. That's not the only problem, also think of repair and changing features: Windows Installer may decide to install the version it knows about.

I guess you better stick to Windows Installer for updates.

BTW my Symantec antivirus product (Norton Antivirus 7.51.847, Corporate Edition) is installed through MSI.

[AbSoLu]

Thanks for your advice Zweitze... It confirms what I feared : if we repackage the AntiVirus software, we shouldn't let the AV use its own update feature, but we should repackage every update ! If we want to stay up to date, it will cost us much time...

About your antivirus (Norton Antivirus 7.51.847, Corporate Edition), was the MSI you are using created by Symantec (in this case, maybe NAV's updates contain MSI patches ?) ? Or did you repackage it yourself ?

[Zweitze]

Well, we didn't repackage it.

From an Installer perspective, it's an interesting product: the administrator installed it remote, without using Windows 2000 GPOs etc. He has a MMC (management console) from NAV, and from that MMC he can see all systems, with and without NAV. From that MMC, he can install NAV on a target system. Note the target system does not have to be a member of a Win2000 domain, the admin just needs to know a local admin account.

If you know how that technology works, please let me know.

A side effect of that remote installing, is that I do not have a clue if any updates were installed since the initial install. But it's working for over a year now...

I suggest you contact Symantec.

[AbSoLu]

About your MMC :

Do you have to reboot or at least logoff/logon to make the AV install on the remote PC ? If yes, maybe the MMC uses the remote "local administrator" account to connect to the registry, and then creates a HKLM\Software\Microsoft\Windows\CurrentVersion\Run entry to launch the NAV setup... BTW, even if the target isn't in the domain, with a local administrator account, you can do what you want on a remote PC, at least with a reboot.

With the scheduler service started, you can even run programs remotely without any reboot... And it is not so hard to automate (with VBScript/WMI, for example).


Now, for my problem, I will make additionnal tests with the AV before explaining to my boss the drawbacks of repackaging this kind of "self-modifying software".

[Zweitze]

Take my word for it: NAV is installed by an MSI (for instance, wiLstPrd.vbs shows NAV).

As far as I recall, logoff/logon or reboot wasn't necessary. I just had to supply credentials, I got no other instructions.

BTW:
I just managed to use WMI to install on a remote system, using
http://www.microsoft...gmt/ScrCM28.asp

But... I needed to change the impersonation, and authentication. It's not so trivial as one would think.

If you want to convince your boss to upgrade NAV: according to my admin, the best feature is getting notifications of all detected virusses on any system in the network. On the other hand: you could do that with WMI, too...