Security Essentials on Windows Server

Saturday, October 17, 2009

UPDATE 25. 11. 2009: here is a step-by-step tutorial for 64bit versions of Windows Server.

Even though not officially supported, Microsoft’s free antivirus Security Essentials installs and runs just fine on Windows Server 2008. You only have to trick it into thinking it’s Vista while installing.

The first challenge is downloading the installer. If you live in a country like Slovakia, when visiting the above URL you’ll get redirected here (“You appear to be in a country or region where Microsoft Security Essentials is not available. Thank you for your interest in Microsoft Security Essentials.”). That sucks. But Google cache is your friend: visit the website from Google’s cache and download the thing from a link in the cached page. The download itself has no GeoIP restrictions.

The installer has two stages: the first stage unpacks the setup to your hard drive, the second one installs the real product. When you run the installer, it will tell you your operating system is not supported. No big deal: keep the setup running, find the unpacked files and copy them to a different location. Then close the setup and fire up OllyDbg. Load setup.exe in OllyDbg. Find all references to the GetVersionEx function. Set a breakpoint on them. Run the setup. Any time you hit the breakpoint, modify the wProductType field in the returned OSVERSIONINFOEX: from VER_NT_SERVER (3) to VER_NT_WORKSTATION (1). You’ll have to do this a few times. After you get past the welcome screen, remove the breakpoints, finish installing and you are done!

The setup would be much faster if Microsoft officially supported the server version of Windows, but hell, it took me 10 minutes to figure this out and now I have a sleek and free antivirus on my test home server.

An obvious disclaimer: don’t do this on a production machine as this configuration was most probably not tested by Microsoft and may go berserk anytime.

And here is a proof:

Microsoft Security Essentials on Windows Server 2008

UPDATE 24. 11. 2009: Brett Wilhelm adapted these steps for use with WinDbg. You can follow his instructions if you are installing the 64bit version of Security Essentials. It will probably work with the 32bit version too and it’s easier than doing what I did above (he doesn’t edit the structure returned from GetVersionEx – instead he is patching the return value of RtlGetNtProductType called from GetVersionEx). Here is what he did to make it work:

Using Windows Debugger with Symbols loaded:

  1. Set a breakpoint using ‘bp ntdll!RtlGetNtProductType+0x1A’ in the command window.
  2. Every time this breakpoint is hit, modify the EAX CPU register (View -> Registers) to be 1 instead of 3.
  3. *After* you’ve passed the Windows Validation screen, run until you hit the breakpoint again, then remove it (Edit -> Breakpoints).

Thanks Brett!

6 Responses to “Security Essentials on Windows Server”

  1. CJ Says:
    November 3rd, 2009 at 23:19

    I try hard, believe me. But I could not. Would you like to make a step-by-step? Sorry for my bad English.

  2. Michal Strehovsky Says:
    November 3rd, 2009 at 23:33

    I discussed this with someone else by e-mail and this approach only worked with OllyDbg 1.10 for him. I used the old OllyDbg too. The new version probably misses one of the calls (well, it’s still a beta). Never had a chance to look at what really happens there.

    I won’t write a step-by-step tutorial anytime soon, sorry. If you can’t follow the steps above, you won’t be able to resolve problems that might show up later (remember, Security Essentials on Windows Server is an unsupported and untested configuration). It’s for your own good.

  3. CJ Says:
    November 4th, 2009 at 0:18

    Ok, I understand. But at least, could you explain “wProductType field in the returned OSVERSIONINFOEX: from VER_NT_SERVER (3) to VER_NT_WORKSTATION (1)”? These commands are not in “C”? The OllyDbg does not show the file in assembly?
    PS.: My version of OllyDbg is 1.10.

  4. Michal Strehovsky Says:
    November 4th, 2009 at 0:28

    Yes, those are source-level constructs. But we only have a binary. If you know assembly language, you should be able to translate this to assembly. Instead of changing a structure field, you are changing a specific byte in memory.

    Look up OSVERSIONINFOEX on MSDN and find out where the wProductType field is stored (hint: it will be somewhere after the szCSDVersion field, which is a long UTF-16 string with the text “Service Pack 2” or something similar). Then change the value of the byte from 0x03 to 0x01.
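As an added illustration of the byte the post and the comment above refer to (example code, not from the post or from Security Essentials): the documented OSVERSIONINFOEXW layout, the offset of wProductType inside it, and a mock installer gate showing that the whole client-versus-server decision hangs on that one byte in a caller-owned buffer, which is why a GetVersionEx check in the installer is a convenience, not a trust boundary. The Server 2008 version data is a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Documented Win32 OSVERSIONINFOEXW layout, re-declared so this compiles on
 * any platform; on Windows, <windows.h> provides the real one. */
typedef uint32_t DWORD; typedef uint16_t WORD; typedef uint16_t WCHAR; typedef uint8_t BYTE;
typedef struct {
    DWORD dwOSVersionInfoSize, dwMajorVersion, dwMinorVersion, dwBuildNumber, dwPlatformId;
    WCHAR szCSDVersion[128];   /* UTF-16, e.g. "Service Pack 2" */
    WORD  wServicePackMajor, wServicePackMinor, wSuiteMask;
    BYTE  wProductType;        /* VER_NT_WORKSTATION or VER_NT_SERVER */
    BYTE  wReserved;
} OSVERSIONINFOEXW;

enum { VER_NT_WORKSTATION = 1, VER_NT_DOMAIN_CONTROLLER = 2, VER_NT_SERVER = 3 };

/* Offset of wProductType from the start of the structure: 282 (0x11A), right
 * after the 256-byte szCSDVersion and the three WORDs that follow it. */
size_t product_type_offset(void) { return offsetof(OSVERSIONINFOEXW, wProductType); }

/* Installer-style gate: only client SKUs pass. */
int client_sku_only(const OSVERSIONINFOEXW *v) { return v->wProductType == VER_NT_WORKSTATION; }

/* Constructed sample of what GetVersionExW reports on Windows Server 2008 SP2
 * (6.0 build 6002), not captured from a real machine. Vista SP2 reports the
 * same version numbers; only wProductType tells the two apart. */
OSVERSIONINFOEXW sample_server_2008(void) {
    OSVERSIONINFOEXW v;
    memset(&v, 0, sizeof v);
    v.dwOSVersionInfoSize = (DWORD)sizeof v;
    v.dwMajorVersion = 6; v.dwMinorVersion = 0; v.dwBuildNumber = 6002;
    v.dwPlatformId = 2;  /* VER_PLATFORM_WIN32_NT */
    const char *sp = "Service Pack 2";
    for (size_t i = 0; sp[i]; i++) v.szCSDVersion[i] = (WCHAR)sp[i];
    v.wServicePackMajor = 2;
    v.wProductType = VER_NT_SERVER;
    return v;
}

/* Why the gate is weak: the verdict rests on one byte in a caller-owned buffer,
 * which whoever holds the process under a debugger controls. Overwrites that
 * byte in place and returns the gate's new verdict. */
int verdict_after_byte_change(OSVERSIONINFOEXW *v, BYTE new_type) {
    ((unsigned char *)v)[product_type_offset()] = new_type;
    return client_sku_only(v);
}
```

The ANSI OSVERSIONINFOEXA variant has a 128-byte szCSDVersion, so its wProductType sits at offset 154 instead; the comment's hint about a UTF-16 string identifies the W variant used here.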

  5. Pete Gomersall Says:
    November 13th, 2009 at 0:58

    Do you know of any method with the x64 version, as I get a problem with OllyDbg?

  6. Michal Strehovsky Says:
    November 13th, 2009 at 1:17

    If I remember correctly, there is a plugin for OllyDbg called Stealth64. Among other things, it fixes the incompatibility of OllyDbg with x64 versions of Windows. (Obviously, this will only work if the installer is 32bit. If it’s 64bit, there is a debugger with a similar UI to OllyDbg called fdbg, but I’m not sure if that works.)

    If that doesn’t work, Microsoft’s Debugging Tools for Windows are a safe bet. Setting a breakpoint on GetVersionEx and editing the OSVERSIONINFOEX field should be even easier with them.
