Saturday, October 17, 2009
UPDATE 25. 11. 2009: here is a step-by-step tutorial for 64bit versions of Windows Server.
Even though not officially supported, Microsoft’s free antivirus Security Essentials installs and runs just fine on Windows Server 2008. You only have to trick it into thinking it’s Vista while installing.
The first challenge is downloading the installer. If you live in a country like Slovakia, visiting the above URL redirects you here (“You appear to be in a country or region where Microsoft Security Essentials is not available. Thank you for your interest in Microsoft Security Essentials.”). That sucks. But Google cache is your friend: visit the website from Google’s cache and download the thing from a link in the cached page. The download itself has no geoip restrictions.
The installer has two stages: the first stage unpacks the setup to your hard drive, the second one installs the real product. When you run the installer, it will tell you your operating system is not supported. No big deal: keep the setup running, find the unpacked files and copy them to a different location. Then close the setup and fire up OllyDbg. Load setup.exe in OllyDbg. Find all references to the GetVersionEx function. Set a breakpoint on them. Run the setup. Any time you hit the breakpoint, modify the wProductType field in the returned OSVERSIONINFOEX: from VER_NT_SERVER (3) to VER_NT_WORKSTATION (1). You’ll have to do this a few times. After you get past the welcome screen, remove the breakpoints, finish installing and you are done!
The setup would be much faster if Microsoft officially supported server versions of Windows, but hell, it took me 10 minutes to figure this out and now I have a sleek and free antivirus on my test home server.
An obvious disclaimer: don’t do this on a production machine as this configuration was most probably not tested by Microsoft and may go berserk anytime.
And here is the proof:
UPDATE 24. 11. 2009: Brett Wilhelm adapted these steps for use with WinDbg. You can follow his instructions if you are installing the 64bit version of Security Essentials. It will probably work with the 32bit version too and it’s easier than doing what I did above (he doesn’t edit the structure returned from GetVersionEx – instead he is patching the return value of RtlGetNtProductType called from GetVersionEx). Here is what he did to make it work:
Using Windows Debugger with Symbols loaded:
- set breakpoint using ‘bp ntdll!RtlGetNtProductType+0x1A’ in the command window.
- Every time this breakpoint is hit, modify the EAX CPU register (View -> Registers) to be 1 instead of 3
- *After* you’ve passed the Windows Validation screen, run until you hit the breakpoint again then remove it (Edit -> Breakpoints).
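To make the two patching approaches above concrete, here is an added example (not code from the post or from Brett Wilhelm): a portable C model of the setup’s OS gate built on the real OSVERSIONINFOEXW layout and VER_NT_* constants from the Windows SDK, so it compiles without windows.h. The gate logic (accept NT 6.0 workstation editions only) is my assumption about what setup.exe checks; the post only tells us that flipping the product type from 3 to 1 gets past it, and the sample version data is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* OSVERSIONINFOEXW laid out as in the Windows SDK (WCHAR is 16-bit), so it
 * builds anywhere and the offsets match what the debugger's memory dump shows. */
typedef struct {
    uint32_t dwOSVersionInfoSize, dwMajorVersion, dwMinorVersion, dwBuildNumber, dwPlatformId;
    uint16_t szCSDVersion[128];
    uint16_t wServicePackMajor, wServicePackMinor, wSuiteMask;
    uint8_t  wProductType;   /* VER_NT_*: the byte the post flips from 3 to 1 */
    uint8_t  wReserved;
} OSVERSIONINFOEXW;

enum { VER_NT_WORKSTATION = 1, VER_NT_DOMAIN_CONTROLLER = 2, VER_NT_SERVER = 3 };

/* Offset of wProductType inside the struct (282 = 0x11A): the byte to edit
 * once GetVersionEx has returned and before the installer reads it. */
static size_t product_type_offset(void) { return offsetof(OSVERSIONINFOEXW, wProductType); }

/* Stand-in for GetVersionExW on Windows Server 2008: constructed sample data
 * (NT 6.0 with the server product type; other fields left at zero). */
static void fill_server_2008(OSVERSIONINFOEXW *v) {
    memset(v, 0, sizeof *v);
    v->dwOSVersionInfoSize = sizeof *v;
    v->dwMajorVersion = 6;
    v->dwPlatformId = 2;             /* VER_PLATFORM_WIN32_NT */
    v->wProductType = VER_NT_SERVER;
}
/* Assumed gate: accept NT 6.0 workstation editions (Vista) only. */
static int setup_accepts(const OSVERSIONINFOEXW *v) {
    return v->dwMajorVersion == 6 && v->dwMinorVersion == 0 &&
           v->wProductType == VER_NT_WORKSTATION;
}

/* The one-byte edit made at each breakpoint hit (the same 3 -> 1 change Brett
 * makes to EAX after RtlGetNtProductType); returns the new value. */
static int patch_product_type(OSVERSIONINFOEXW *v) {
    if (v->wProductType == VER_NT_SERVER) v->wProductType = VER_NT_WORKSTATION;
    return v->wProductType;
}

int main(void) {
    OSVERSIONINFOEXW v;
    fill_server_2008(&v);
    printf("wProductType at offset 0x%zX of 0x%zX bytes\n", product_type_offset(), sizeof v);
    printf("before patch: %s\n", setup_accepts(&v) ? "accepted" : "rejected");
    patch_product_type(&v);
    printf("after patch:  %s\n", setup_accepts(&v) ? "accepted" : "rejected");
    return 0;
}
```

The gate compares a field that the caller’s own process hands it, which is why a compatibility check like this is a convenience for the installer and never a security boundary.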