
Fixed - How to address unexplained software restriction policies (local machine)



#1 ammobake


Posted 20 May 2014 - 02:32 AM

Hi my name’s Chris.  I recently had a thread on this forum but it has since been locked.  I wanted to post the solution in case other people have similar issues in the future.

 

A few months ago I started noticing that Symantec Antivirus wouldn’t boot, and I couldn’t run Malwarebytes Anti-Malware either.  Trying to run Malwarebytes would result in a message saying there was a software restriction policy in place.

 

I checked with the company that does our IT stuff but they said there was no kind of domain level restrictions on anything.

 

Basically, a group policy was enabled on my local machine.

 

The following 6 entries were discovered after a scan with Farbar Recovery Scan Tool...

 

HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION

 

 

Exactly how this happened is still a mystery. I’ve scanned with dozens of scanners and virus removal tools but nothing has ever been discovered.

 

Our IT couldn’t even solve this problem.  They tried reinstalling, among other things.  Nothing worked.  They even tried setting up a separate, temporary admin account and that didn't work in fixing it.

 

They recommended shipping my computer from Alaska to Maine to reinstall the operating system, etc....

 

Completely impossible with my work situation.  It just wouldn’t have worked out.

 

Using the REGEDIT registry editor (Start > Run > regedit), I discovered where these entries were located after doing some digging...

 

HKEY Local Machine – SOFTWARE – POLICIES – MICROSOFT – WINDOWS – SAFER – 0 – PATHS

 

All six registry items were located under this directory but they could not be modified, removed or anything.

 

Then, today I had an idea.

I tried to change the permissions for these 6 entries (something even the IT company didn’t think of).  I granted myself and all users full control of the six entries.  I can't believe I thought of this before an entire company of IT and security professionals...

 

Anyway, after updating the permissions I deleted all six registry entries one at a time, closed the registry editor and rebooted.

 

Everything is now back up and running with no issues.  Symantec works great, Malwarebytes works great.  Problem solved!

 

The big mystery still remains – What caused this?

 

It was not any of our system administrators.  It was not me.  It was not anyone in our company that oversees the network/domain.

 

I still haven’t discovered ANY viruses on my computer and I have literally tried every tool and scanner out there (in safe mode and out).

 

Hopefully this helps others though!!

 

Also, if anyone might be able to shed light on what might have caused a software restriction policy on ONLY my security software (on the local machine only) from outside an encrypted/VPN configured domain – That I would like to know.  Because no one in our company or within our IT infrastructure had anything to do with this.
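
The check described in the post, as an added PowerShell example that is not part of the original post: a read-only audit that lists every local Software Restriction Policy path rule with its target, last-modified time and key ownership, and flags rules aimed at security products. It assumes the standard SRP policy key HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers; the function name Get-SrpPathRule and the vendor watch list are hypothetical.

```powershell
# Added example: read-only audit of local SRP path rules (makes no changes).
# Assumption: the standard SRP policy key; numeric subkeys are security levels.
$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Hypothetical watch list built from the products named in the post.
$SecurityVendors = 'Symantec', 'Malwarebytes', 'McAfee'

function Get-SrpPathRule {
    param(
        [string]   $Root    = $SrpRoot,
        [string[]] $Vendors = $SecurityVendors
    )
    $pattern = ($Vendors | ForEach-Object { [regex]::Escape($_) }) -join '|'
    if (-not (Test-Path $Root)) { return }            # no SRP configured

    foreach ($levelKey in Get-ChildItem $Root) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
        $pathsKey = "$($levelKey.PSPath)\Paths"
        if (-not (Test-Path $pathsKey)) { continue }

        foreach ($ruleKey in Get-ChildItem $pathsKey) {
            $rule   = Get-ItemProperty $ruleKey.PSPath
            $acl    = Get-Acl $ruleKey.PSPath
            $target = [Environment]::ExpandEnvironmentVariables([string]$rule.ItemData)

            # LastModified is a FILETIME QWORD written when the rule was saved.
            $modified = $null
            if ($null -ne $rule.LastModified) {
                $modified = [DateTime]::FromFileTimeUtc([long]$rule.LastModified)
            }

            [pscustomobject]@{
                Level            = [int]$levelKey.PSChildName   # 0 = Disallowed
                Target           = $target
                LastModifiedUtc  = $modified
                Owner            = $acl.Owner
                HasDenyAce       = [bool]($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
                HitsSecurityTool = ($target -match $pattern)
                RuleKey          = $ruleKey.Name
            }
        }
    }
}

# Rules aimed at security products sort to the top.
Get-SrpPathRule |
    Sort-Object @{ Expression = 'HitsSecurityTool'; Descending = $true }, Level |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the key ACLs can be read. The LastModifiedUtc column gives a time to correlate against installer and event logs when looking for what wrote the rules.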


