Commit d068a7df authored by Gabriel Moreau's avatar Gabriel Moreau
Browse files

More simple and robust file. Configure pass for Network Agent uninstall. Limit...

More simple and robust file. Configure pass for Network Agent uninstall. Limit variable. If key file, password are encrypted.
parent bfa43880
...@@ -39,12 +39,12 @@ $Global:SWMB_Custom = @{ ...@@ -39,12 +39,12 @@ $Global:SWMB_Custom = @{
NTP_ManualPeerList = "0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, 3.pool.ntp.org" NTP_ManualPeerList = "0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, 3.pool.ntp.org"
# Target Release # Target Release
ProductVersion = "Windows 10" ProductVersion = "Windows 10"
TargetReleaseVersionInfo = "21H2" TargetReleaseVersionInfo = "21H2"
# Kaspersky Endpoint Security # Kaspersky Endpoint Security and Network Agent
KesLogin = "KLAdmin" KesLogin = "KLAdmin"
KesPassword = "" KesPassword = ""
KesSecureString = "" KesAgentPass = ""
KesKeyFile = "" KesKeyFile = ""
} }
...@@ -72,12 +72,12 @@ Function TweakUninstallKasperskyEndpoint { # RESINFO ...@@ -72,12 +72,12 @@ Function TweakUninstallKasperskyEndpoint { # RESINFO
Function _String2Hex { Function _String2Hex {
Param ( Param (
[Parameter(Mandatory = $true)] [string]$Text [string]$Text
) )
$CharArray=$Text.ToCharArray() $CharArray=$Text.ToCharArray()
ForEach ($Char in $CharArray) { ForEach ($Char in $CharArray) {
$TextHex = $TextHex + " " + [System.String]::Format("{0:x2}", [System.Convert]::ToUInt32($Char)) $TextHex = $TextHex + [System.String]::Format("{0:x2}", [System.Convert]::ToUInt32($Char))
} }
Return $TextHex Return $TextHex
} }
...@@ -88,27 +88,27 @@ Function TweakUninstallKasperskyEndpoint { # RESINFO ...@@ -88,27 +88,27 @@ Function TweakUninstallKasperskyEndpoint { # RESINFO
$KesEndpoint = Get-WmiObject win32_product | Where { $_.Name -like "*Kaspersky Endpoint Security*" } $KesEndpoint = Get-WmiObject win32_product | Where { $_.Name -like "*Kaspersky Endpoint Security*" }
If ($KesEndpoint.IdentifyingNumber) { If ($KesEndpoint.IdentifyingNumber) {
Write-Host "Uninstalling Kaspersky version $($KesEndpoint.Version) with GUID => $($KesEndpoint.IdentifyingNumber)" Write-Host "Uninstalling Kaspersky version $($KesEndpoint.Version) with GUID => $($KesEndpoint.IdentifyingNumber)"
$PlainPassword='' $EndpointPlainPassword=''
If ($($Global:SWMB_Custom.KesPassword)) { If (($($Global:SWMB_Custom.KesPassword)) -And (Test-Path -LiteralPath "$($Global:SWMB_Custom.KesKeyFile)")) {
# Batch - password defined in clear text
$PlainPassword = $($Global:SWMB_Custom.KesPassword)
} ElseIf (($($Global:SWMB_Custom.KesSecureString)) -And (Test-Path -LiteralPath "$($Global:SWMB_Custom.KesKeyFile)")) {
# Batch - encrypted (blurred) password # Batch - encrypted (blurred) password
$CryptPassword = $($Global:SWMB_Custom.KesSecureString) | ConvertTo-SecureString -Key (Get-Content $($Global:SWMB_Custom.KesKeyFile)) $EndpointCryptPassword = $($Global:SWMB_Custom.KesPassword) | ConvertTo-SecureString -Key (Get-Content $($Global:SWMB_Custom.KesKeyFile))
$Credential = New-Object System.Management.Automation.PsCredential($($Global:SWMB_Custom.KesLogin),$CryptPassword) $EndpointCredential = New-Object System.Management.Automation.PsCredential($($Global:SWMB_Custom.KesLogin),$EndpointCryptPassword)
$PlainPassword = $Credential.GetNetworkCredential().Password $EndpointPlainPassword = $EndpointCredential.GetNetworkCredential().Password
} ElseIf ($($Global:SWMB_Custom.KesPassword)) {
# Batch - password defined in clear text
$EndpointPlainPassword = $($Global:SWMB_Custom.KesPassword)
} }
# Uninstall # Uninstall
$MSIArguments = @( $MSIEndpointArguments = @(
"/x" "/x"
$KesEndpoint.IdentifyingNumber $KesEndpoint.IdentifyingNumber
"KLLOGIN=$($($Global:SWMB_Custom.KesLogin))" "KLLOGIN=$($($Global:SWMB_Custom.KesLogin))"
"KLPASSWD=$PlainPassword" "KLPASSWD=$EndpointPlainPassword"
"/norestart" "/norestart"
"/qn" "/qn"
) )
Start-Process "msiexec.exe" -ArgumentList $MSIArguments -Wait -NoNewWindow Start-Process "msiexec.exe" -ArgumentList $MSIEndpointArguments -Wait -NoNewWindow
Write-Host "Uninstall finish" Write-Host "Uninstall finish"
} Else { } Else {
Write-Host "Kaspersky Endpoint is not installed on this computer" Write-Host "Kaspersky Endpoint is not installed on this computer"
...@@ -118,7 +118,26 @@ Function TweakUninstallKasperskyEndpoint { # RESINFO ...@@ -118,7 +118,26 @@ Function TweakUninstallKasperskyEndpoint { # RESINFO
$KesAgent = Get-WmiObject win32_product | Where { $_.Name -like "*Agent*Kaspersky Security Center*" } $KesAgent = Get-WmiObject win32_product | Where { $_.Name -like "*Agent*Kaspersky Security Center*" }
If ($KesAgent.IdentifyingNumber) { If ($KesAgent.IdentifyingNumber) {
Write-Output "Suppress Agent Kaspersky Security Center $($KesAgent.Version) with GUID => $($KesAgent.IdentifyingNumber)" Write-Output "Suppress Agent Kaspersky Security Center $($KesAgent.Version) with GUID => $($KesAgent.IdentifyingNumber)"
Start-Process "msiexec.exe" -ArgumentList "/x $($KesAgent.IdentifyingNumber) /qn" -Wait -NoNewWindow $AgentPlainPassword=''
If (($($Global:SWMB_Custom.KesAgentPass)) -And (Test-Path -LiteralPath "$($Global:SWMB_Custom.KesKeyFile)")) {
# Batch - encrypted (blurred) password
$AgentCryptPassword = $($Global:SWMB_Custom.KesAgentPass) | ConvertTo-SecureString -Key (Get-Content $($Global:SWMB_Custom.KesKeyFile))
$AgentCredential = New-Object System.Management.Automation.PsCredential($($Global:SWMB_Custom.KesLogin),$AgentCryptPassword)
$AgentPlainPassword = $Credential.GetNetworkCredential().Password
} ElseIf ($($Global:SWMB_Custom.KesAgentPass)) {
# Batch - password defined in clear text
$AgentPlainPassword = $($Global:SWMB_Custom.KesPassword)
}
$AgentHexPassword = (_String2Hex -Text $AgentPlainPassword)
# Uninstall
$MSIAgentArguments = @(
"/x"
$KesAgent.IdentifyingNumber
"KLUNINSTPASSWD=$AgentHexPassword"
"/qn"
)
Start-Process "msiexec.exe" -ArgumentList $MSIAgentArguments -Wait -NoNewWindow
} }
Else { Else {
Write-Host "Kaspersky Agent Security Center is not installed on this computer " Write-Host "Kaspersky Agent Security Center is not installed on this computer "
......
...@@ -33,7 +33,8 @@ It will ask you to run the command ...@@ -33,7 +33,8 @@ It will ask you to run the command
.\set-password-encrypted.ps1 .\set-password-encrypted.ps1
``` ```
because the Zip archive does not contain the files with the key because the Zip archive does not contain the files with the key
and the settings module to give the kaspersky password. and the settings module to give the Kaspersky Endpoint password
and the uninstall Network Agent password.
Then we restart the uninstallation with again Then we restart the uninstallation with again
```ps1 ```ps1
.\install.bat .\install.bat
...@@ -66,27 +67,32 @@ So it is possible to push this package on your WAPT package server ...@@ -66,27 +67,32 @@ So it is possible to push this package on your WAPT package server
## Configuration module ## Configuration module
Therefore, you need a password to ensure this operation. You may therefore need several passwords to ensure this uninstallation operation.
This password is local to each site. These passwords are local to each site.
You will have to configure / customize your SWMB installation You will need to configure/customize your SWMB installation
before you can uninstall kaspersky Endpoint. before you can uninstall Kaspersky Endpoint and the Network Agent.
This includes the creation of a parameter module This includes the creation of a parameter module
`Custom-VarOverload.psm1` which can be saved in the current folder `Custom-VarOverload.psm1` which can be saved in the current folder
or in any other folder... or in any other folder...
```ps1 ```ps1
# Kaspersky Endpoint Security # Kaspersky Endpoint Security
$Global:SWMB_Custom.KesLogin = "KLAdmin" $Global:SWMB_Custom.KesLogin = "KLAdmin"
# If clear password # If clear password
$Global:SWMB_Custom.KesPassword = "" $Global:SWMB_Custom.KesPassword = ""
$Global:SWMB_Custom.KesAgentPass = ""
# Or if encrypted blurred password # Or if encrypted blurred password
$Global:SWMB_Custom.KesSecureString = "" $Global:SWMB_Custom.KesKeyFile = ""
$Global:SWMB_Custom.KesKeyFile = "" $Global:SWMB_Custom.KesPassword = ""
$Global:SWMB_Custom.KesAgentPass = ""
``` ```
You can choose to put the password to modify Kasperky in clear text You can choose to put the password to modify Kasperky Endpoint in clear text
or to scramble it via a symmetric encryption process. or to scramble it via a symmetric encryption process.
Idem with the Network Agent.
If the key file exists, then the parameter is automatically assumed
to be encrypted for both passwords.
For safety, you can put this data in a configuration file `Custom-VarAutodel.psm1`. For safety, you can put this data in a configuration file `Custom-VarAutodel.psm1`.
The advantage with this is that it is destroyed after use. The advantage with this is that it is destroyed after use.
......
...@@ -3,15 +3,15 @@ Do { ...@@ -3,15 +3,15 @@ Do {
$KeyFile = Read-Host -Prompt "Key File" $KeyFile = Read-Host -Prompt "Key File"
} Until (Test-Path -LiteralPath "$KeyFile") } Until (Test-Path -LiteralPath "$KeyFile")
$EncryptedEndpointPass = Read-Host -Prompt "Encrypted blurred Endpoint Password" $EndpointEncryptedPass = Read-Host -Prompt "Encrypted blurred Endpoint Password"
$EncryptedAgentPass = Read-Host -Prompt "Encrypted blurred Agent Password" $AgentEncryptedPass = Read-Host -Prompt "Encrypted blurred Agent Password"
$EndpointPassword = $EncryptedEndpointPass | ConvertTo-SecureString -Key (Get-Content $KeyFile) $EndpointPassword = $EndpointEncryptedPass | ConvertTo-SecureString -Key (Get-Content $KeyFile)
$EndpointCredential = New-Object System.Management.Automation.PsCredential('AsYouWant',$EndpointPassword) $EndpointCredential = New-Object System.Management.Automation.PsCredential('AsYouWant',$EndpointPassword)
$EndpointPlainPassword = $EndpointCredential.GetNetworkCredential().Password $EndpointPlainPassword = $EndpointCredential.GetNetworkCredential().Password
Write-Output "Endpoint Password in clear text: $EndpointPlainPassword" Write-Output "Endpoint Password in clear text: $EndpointPlainPassword"
$AgentPassword = $EncryptedAgentPass | ConvertTo-SecureString -Key (Get-Content $KeyFile) $AgentPassword = $AgentEncryptedPass | ConvertTo-SecureString -Key (Get-Content $KeyFile)
$AgentCredential = New-Object System.Management.Automation.PsCredential('AsYouWant',$AgentPassword) $AgentCredential = New-Object System.Management.Automation.PsCredential('AsYouWant',$AgentPassword)
$AgentPlainPassword = $AgentCredential.GetNetworkCredential().Password $AgentPlainPassword = $AgentCredential.GetNetworkCredential().Password
Write-Output "Agent Password in clear text: $AgentPlainPassword" Write-Output "Agent Password in clear text: $AgentPlainPassword"
$KesKeyFile = Read-Host -Prompt "Key File (please put .key extension)" $KesKeyFile = Read-Host -Prompt "Key File (please put .key extension, empty if pass in clear text)"
$KesPassword = Read-Host -AsSecureString -Prompt "Kaspersky Endpoint Password to secure" $KesEndpointPassword = Read-Host -AsSecureString -Prompt "Kaspersky Endpoint Password to secure"
$KesAgentPassword = Read-Host -AsSecureString -Prompt "Kaspersky Network Agent Password to secure" $KesAgentPassword = Read-Host -AsSecureString -Prompt "Kaspersky Network Agent Password to secure"
if ($KesKeyFile) {
$Key = New-Object Byte[] 32 # create key AES 256-bit key (32 bytes)
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($Key)
$Key | Out-File $KesKeyFile
$KesSecureString = ConvertFrom-SecureString -SecureString $KesPassword -Key $Key If ($KesKeyFile) {
$KesAgentSecureString = ConvertFrom-SecureString -SecureString $KesAgentPassword -Key $Key If (Test-Path -LiteralPath "$KesKeyFile") {
# Use the same last key
$Key = (Get-Content $KesKeyFile)
} Else {
# Create a new key
$Key = New-Object Byte[] 32 # create key AES 256-bit key (32 bytes)
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($Key)
$Key | Out-File $KesKeyFile
}
If ($KesEndpointPassword.Length -ne 0) {$KesEndpointSecureString = ConvertFrom-SecureString -SecureString $KesEndpointPassword -Key $Key}
If ($KesAgentPassword.Length -ne 0) {$KesAgentSecureString = ConvertFrom-SecureString -SecureString $KesAgentPassword -Key $Key}
} Else {
# Default values if no key file
$KesEndpointSecureString = ConvertFrom-SecureString -SecureString $KesEndpointPassword -AsPlainText
$KesAgentSecureString = ConvertFrom-SecureString -SecureString $KesAgentPassword -AsPlainText
} }
Write-Output "" Write-Output ""
Write-Output "# Lines to add in your configuration file Custom-VarOverload.psm1" Write-Output "# Lines to add in your configuration file Custom-VarOverload.psm1"
Write-Output "# or in the auto delete one Custom-VarAutodel.psm1" Write-Output "# or in the auto delete one Custom-VarAutodel.psm1"
Write-Output "" Write-Output ""
Write-Output "`$Global:SWMB_Custom.KesSecureString = '$KesSecureString'" Write-Output "# Configuration for Kaspersky Endpoint and Network Agent"
Write-Output "`$Global:SWMB_Custom.KesAgentSecureString = '$KesAgentSecureString'" Write-Output "`$Global:SWMB_Custom.KesPassword = '$KesEndpointSecureString'"
Write-Output "`$Global:SWMB_Custom.KesKeyFile = '$KesKeyFile'" Write-Output "`$Global:SWMB_Custom.KesAgentPass = '$KesAgentSecureString'"
Write-Output "`$Global:SWMB_Custom.KesKeyFile = '$KesKeyFile'"
Write-Output "" Write-Output ""
If (!(Test-Path -LiteralPath ".\Custom-VarAutodel.psm1")) { If (!(Test-Path -LiteralPath ".\Custom-VarAutodel.psm1")) {
$Query = Read-Host -Prompt "Do you want to create an auto-delete configuration file (Custom-VarAutodel) in the current folder [Y|n]" $Query = Read-Host -Prompt "Do you want to create an auto-delete configuration file (Custom-VarAutodel) in the current folder [Y|n]"
If ($Query.ToLower() -ne "n") { If ($Query.ToLower() -ne "n") {
Write-Output " Write-Output "
# Configuration for Kaspersky Endpoint # Configuration for Kaspersky Endpoint and Network Agent
`$Global:SWMB_Custom.KesSecureString = '$KesSecureString' `$Global:SWMB_Custom.KesPassword = '$KesEndpointSecureString'
`$Global:SWMB_Custom.KesAgentSecureString = '$KesAgentSecureString' `$Global:SWMB_Custom.KesAgentPass = '$KesAgentSecureString'
`$Global:SWMB_Custom.KesKeyFile = '$KesKeyFile' `$Global:SWMB_Custom.KesKeyFile = '$KesKeyFile'
" | Out-File -FilePath ".\Custom-VarAutodel.psm1" -NoClobber " | Out-File -FilePath ".\Custom-VarAutodel.psm1" -NoClobber
} }
} ElseIf (Test-Path -LiteralPath ".\Custom-VarOverload.psm1") { } ElseIf (Test-Path -LiteralPath ".\Custom-VarOverload.psm1") {
$Query = Read-Host -Prompt "Do you want to append theses parameters in your current configuration file (Custom-VarOverload) [Y|n]" $Query = Read-Host -Prompt "Do you want to append theses parameters in your current configuration file (Custom-VarOverload) [Y|n]"
If ($Query.ToLower() -ne "n") { If ($Query.ToLower() -ne "n") {
Write-Output " Write-Output "
# Configuration for Kaspersky Endpoint # Configuration for Kaspersky Endpointand Network Agent
`$Global:SWMB_Custom.KesSecureString = '$KesSecureString' `$Global:SWMB_Custom.KesPassword = '$KesEndpointSecureString'
`$Global:SWMB_Custom.KesAgentSecureString = '$KesAgentSecureString `$Global:SWMB_Custom.KesAgentPass = '$KesAgentSecureString
`$Global:SWMB_Custom.KesKeyFile = '$KesKeyFile' `$Global:SWMB_Custom.KesKeyFile = '$KesKeyFile'
" | Out-File -FilePath ".\Custom-VarOverload.psm1" -Append " | Out-File -FilePath ".\Custom-VarOverload.psm1" -Append
} }
} }
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment