Microsoft Security Essentials Locked Down Even More

6 Dec 2012

The ability to temporarily stop the service has been locked down even more.

Earlier this year I installed Microsoft Security Essentials on my mom's old single-core Windows XP system. Sometimes as she was playing games her pointer would float or hang on her, along with other system performance problems.

As with all antivirus/anti-malware programs, they can on occasion have a tendency to have a mind of their own and hog system resources, slowing down the system or just plain blocking what you are doing until they are done with a scan. Most have a way to temporarily stop the service to get control back, or to stop it temporarily if something needs to run that it would otherwise slow down or block at an inconvenient time. MSSE did not have that ability built in; you would have to use the built-in Services console to stop it.

I dusted off the VS 2008 ServiceController control and relearned how to use it, at least well enough to do what I needed. I was now able to start and stop the service with the click of a button. That was just what I needed, because my mom would not be able to navigate to the built-in Services console, figure out which service it was, and then stop it.

I "just" (yeah right, like it was that easy) had her download a copy from my online file share, and then I could talk her through how to unzip and use it. That was great: only 2 buttons, 1 to start and 1 to stop. Worked great for her.

The problem came in as I was setting up a new desktop tower I had ordered for her. I began to clean out some of the preinstalled junk, set up some favorites, and transfer some of my favorite tools so I could remote assist with Windows 7 Easy Connect.

After uninstalling the preinstalled 60-day trial of Norton (whatever version it was) and then installing Microsoft Security Essentials, I decided to try my service controller application to make sure it still worked. It failed with an error of "Can not open MsMpSvc service on Computer '.'". Ok, so what does that mean? I had to add the inner exception message as a return message and got "Access is Denied".

Image 1

The next question is what is being denied. So I went to the built-in Services console and discovered that all buttons are disabled there and you can't do anything for that service, even as an Admin.

Image 2

I also went through the services in the list one by one and discovered there are several others that this happens to.

After looking at the Security tab in Sysinternals Process Explorer I discovered that the Administrators group still had full control. I also discovered that those access rights were just for the file system and not the service controller. Ok, so I was allowed to possibly delete the files but not stop the service.

Next I turned to the console application "SC.exe" and ran the command "sc sdshow MsMpSvc". It returned a list like this.

D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRRC;;;S-1-5-80-3232712927-1625117661-2590453128-1738570065-3637376297)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-391397178-1713532359-3388783719-1671243502-2983178441)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-685333868-2237257676-1431965530-1907094206-2438021966)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Wow, what a list.

So after building a small app to decode all of the two-letter codes and SIDs, I came up with a list of "Allowed" users:

“BUILTIN\Users”,
“NT AUTHORITY\SYSTEM”,
“BUILTIN\Administrators”,
“NT AUTHORITY\INTERACTIVE”,
“NT AUTHORITY\SERVICE” ,
“NT SERVICE\wscsvc”,
“NT SERVICE\TrustedInstaller”,
“NT SERVICE\MsMpSvc”,
“NT SERVICE\msiserver”

all with various rights assigned to them.

The one I should be most concerned with is this one: (A;;CCLCSWRPLOCRRC;;;BA), "BUILTIN\Administrators". So what does this mean?

After decoding the rights using the reference charts on MSDN we get:

(You can also find them listed in the Sddl.h header file)

A= allowed
CC= SDDL_CREATE_CHILD
LC= SDDL_LIST_CHILDREN
SW= SDDL_SELF_WRITE
RP= SDDL_READ_PROPERTY
LO= SDDL_LIST_OBJECT
CR= SDDL_CONTROL_ACCESS
RC= SDDL_READ_CONTROL

Ok, so the CR tells us we have control access, but why does the application still fail with "Access Denied"?

The answer I believe lies in "Code Access Security" on MSDN. Too large a topic for this article.

This is definitely a subject I have a lot more to learn about.

Best I can tell, first, the program is not installed and runs as a standalone application, which tells the system it is an unknown application, and it will deny the application access even though it is run as Administrator and the Administrators group is allowed control access. Next, it is not digitally signed by an authorized signing authority with the certificate stored on the system, so that is a second strike.

So, can this application be fixed to work again? Possibly; I still have a lot to learn and research to attempt to get it to work again.

Though the point of locking down this service to start with is so malicious code can't just shut down the service and do nasty things to the system freely.

Back to Microsoft Security Essentials. So what changed, and when?

Since I dual boot Windows Vista and Windows 7 and I normally work in Vista, I still had the Windows 7 partition to check this out on, since it had not yet had the Windows update applied that made the big change.

I ran a script that listed the files in the folder where the application and service DLL reside, before and after the update. Several files were updated, removed or added with this update.

Next I ran the "SC" command sc sdshow MsMpSvc to see what changed.

Here were the permissions for the built-in Administrators group (BA) before the update.

(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)

And here after:

(A;;CCLCSWRPLOCRRC;;;BA)

So what was removed after the update?

DC= SDDL_DELETE_CHILD
WP= SDDL_WRITE_PROPERTY
DT= SDDL_DELETE_TREE
SD= SDDL_STANDARD_DELETE
WD= SDDL_WRITE_DAC
WO= SDDL_WRITE_OWNER

Basically, the ability to make any changes to it or take ownership of it.
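To make the decoding above concrete, here is a small Python script, added for this article and not the author's VB.Net decoder, that parses the sc sdshow output quoted earlier, names the principal and the rights in each ACE, and diffs the before and after Administrators ACEs. One detail the generic SDDL chart hides: for a service object the letters are mnemonics for bits of the service access mask (winsvc.h), so RP is SERVICE_START and WP is SERVICE_STOP. The after-update Administrators ACE has no WP, so it grants no right to stop the service at all. The names for the four S-1-5-80 service SIDs are taken from the post's resolved list in ACE order; can_stop is a deliberately simplified access check that looks only at ACEs for the exact SID and ignores group membership.

```python
import re

# Service-object access bits (winsvc.h).  In a service's security descriptor the
# SDDL letters are mnemonics for these bits, so "RP" is SERVICE_START and "WP"
# is SERVICE_STOP, not the directory "property" rights the generic chart names.
SDDL_RIGHTS = {
    "CC": (0x00001, "SERVICE_QUERY_CONFIG"),
    "DC": (0x00002, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x00004, "SERVICE_QUERY_STATUS"),
    "SW": (0x00008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x00010, "SERVICE_START"),
    "WP": (0x00020, "SERVICE_STOP"),
    "DT": (0x00040, "SERVICE_PAUSE_CONTINUE"),
    "LO": (0x00080, "SERVICE_INTERROGATE"),
    "CR": (0x00100, "SERVICE_USER_DEFINED_CONTROL"),
    "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"),
    "WO": (0x80000, "WRITE_OWNER"),
}
SERVICE_STOP = SDDL_RIGHTS["WP"][0]

# Two-letter SID aliases from sddl.h that occur in the post's descriptor.
SID_ALIASES = {"BU": "BUILTIN\\Users", "SY": "NT AUTHORITY\\SYSTEM",
               "BA": "BUILTIN\\Administrators", "IU": "NT AUTHORITY\\INTERACTIVE",
               "SU": "NT AUTHORITY\\SERVICE", "WD": "Everyone"}
# S-1-5-80-* SIDs are per-service virtual accounts; names as resolved in the post.
SERVICE_SIDS = {
    "S-1-5-80-3232712927-1625117661-2590453128-1738570065-3637376297": "NT SERVICE\\wscsvc",
    "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464": "NT SERVICE\\TrustedInstaller",
    "S-1-5-80-391397178-1713532359-3388783719-1671243502-2983178441": "NT SERVICE\\MsMpSvc",
    "S-1-5-80-685333868-2237257676-1431965530-1907094206-2438021966": "NT SERVICE\\msiserver",
}
# The post's "sc sdshow MsMpSvc" output after KB2754296 (whitespace removed).
AFTER_UPDATE_SDDL = (
    "D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)"
    "(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)"
    "(A;;CCDCLCSWRPWPDTLOCRRC;;;S-1-5-80-3232712927-1625117661-2590453128-1738570065-3637376297)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-391397178-1713532359-3388783719-1671243502-2983178441)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-685333868-2237257676-1431965530-1907094206-2438021966)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

def decode_rights(rights):
    """SDDL rights field (letter pairs or a 0x hex mask) -> (mask, [right names])."""
    if rights.startswith("0x"):
        mask = int(rights, 16)
    else:
        mask = 0
        for i in range(0, len(rights), 2):
            if rights[i:i + 2] not in SDDL_RIGHTS:
                raise ValueError("unknown SDDL right %r" % rights[i:i + 2])
            mask |= SDDL_RIGHTS[rights[i:i + 2]][0]
    return mask, [name for bit, name in SDDL_RIGHTS.values() if mask & bit]

def parse_sddl(sddl):
    """'O:..G:..D:(..)S:(..)' -> {section: owner/group SID or list of ACE dicts}."""
    tokens = re.split(r"([OGDS]):", re.sub(r"\s+", "", sddl))
    sections = {}
    for key, body in zip(tokens[1::2], tokens[2::2]):
        if key in ("O", "G"):
            sections[key] = body
            continue
        aces = []
        for ace in re.findall(r"\(([^)]*)\)", body):  # ACL flags such as "P" are skipped
            fields = ace.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
            if len(fields) != 6:
                raise ValueError("unsupported ACE %r" % ace)
            aces.append({"type": fields[0], "flags": fields[1],
                         "rights": fields[2], "sid": fields[5]})
        sections[key] = aces
    return sections

def principal(sid):
    return SID_ALIASES.get(sid) or SERVICE_SIDS.get(sid) or sid

def removed_rights(before, after):
    """Names of the rights granted by `before` that `after` no longer grants."""
    gone = decode_rights(before)[0] & ~decode_rights(after)[0]
    return [name for bit, name in SDDL_RIGHTS.values() if gone & bit]

def can_stop(sddl, sid):
    """Does the DACL grant SERVICE_STOP to this exact SID?  Deny ACEs win.
    Simplification: group membership and owner-implied rights are ignored."""
    allowed = denied = 0
    for ace in parse_sddl(sddl).get("D", []):
        if ace["sid"] == sid:
            mask = decode_rights(ace["rights"])[0]
            if ace["type"] == "A":
                allowed |= mask
            elif ace["type"] == "D":
                denied |= mask
    return bool(allowed & ~denied & SERVICE_STOP)

if __name__ == "__main__":
    for ace in parse_sddl(AFTER_UPDATE_SDDL)["D"]:
        print("%-32s %s" % (principal(ace["sid"]), " ".join(decode_rights(ace["rights"])[1])))
    print("removed from BA:", removed_rights("CCDCLCSWRPWPDTLOCRSDRCWDWO", "CCLCSWRPLOCRRC"))
    print("Administrators may stop MsMpSvc:", can_stop(AFTER_UPDATE_SDDL, "BA"))
```

Run as-is it prints one line per DACL entry, the six rights dropped from the Administrators ACE (the same six listed above, under their service names), and False for the stop check. The four NT SERVICE accounts and the SACL entry keep SERVICE_STOP, which is what lets the product and the installer service restart MsMpSvc while an interactive Administrator cannot.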

So which update was this?

Microsoft Security Essentials Client Update Package, KB2754296, which was apparently released in September 2012, but I didn't update the Windows 7 partition until the end of November.

This update was supposed to address performance issues and security, and so far it appears to have done both.

As I have said, the whole point of locking down this service is to keep malware from wreaking havoc on a system and to keep it from bypassing the service by shutting it down, as it has done so many times in the past.

For further research I can try to install the application, digitally sign it and install the test cert. I can also attempt to request the specific permission for control in the code. Until this update it was not required, so I need to dig deeper and learn more.

As a final note, during the research of this I ran across a link on a site to an older KB article that says for XP systems some of the letters are different than listed above.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
CEO PC's Xcetra
United States
