So, I have a CIS Microsoft Windows Server 2008 R2 - Level 1 image that needs to have an Anti-Virus installed and set to scan every day. This must be done with PowerShell so I can fit it into the packer script or CloudFormation Init. I chose Microsoft Security Essentials because it's free, but I'm happy to consider other free AVs if they're easier to set up.
This CIS image is basically a hardened version of Windows that locks all the permissions down and hides vulnerabilities. It may be causing some of the issues I'm experiencing.
This is the script I have so far:
.\MSEInstall.exe /s /runwgacheck /o
Start-Sleep 5 # I have no idea how to wait for the installer to finish
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Scan" ScheduleDay "0"
Unfortunately, I get:
Set-ItemProperty : Requested registry access is not allowed.
I'm already running PowerShell with administrator privileges. Otherwise, I wouldn't be able to install the AV. I can get the value just fine, and I can edit the key manually with regedit just fine.
Some other article said something about ACLs, and true enough, regedit shows that the Admin group doesn't have full access to the folder. It had me try:
$user = whoami
$regPath = "SOFTWARE\Microsoft\Microsoft Antimalware\Scan"
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($regPath, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::ChangePermissions)
$acl = $key.GetAccessControl()
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ($user,"FullControl","Allow")
$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)
But I just get:
Exception calling "OpenSubKey" with "3" argument(s): "Requested registry access is not allowed.
So I'm stuck. Does anyone have any recommendations on how to get any free AV installed and running every day through PowerShell?
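
Added example, not part of the original post: a read-only PowerShell check that reports which rights the current token is granted on the key named above, covering both failing calls (`Set-ItemProperty` needs `SetValue`; the `OpenSubKey` call asks for `ChangePermissions`). It approximates the access check by OR-ing the matching allow and deny rules, and it ignores privileges and the owner's implicit rights.

```powershell
# Added diagnostic example (not from the original post). Read-only: changes nothing.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Scan'   # key from the post

# SIDs carried by the current token: the user plus its enabled groups.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids   = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# Read the key's security descriptor and resolve every rule to a SID.
$acl     = Get-Acl -Path $regPath
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules   = $acl.GetAccessRules($true, $true, $sidType)   # explicit + inherited

$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$allow = 0
$deny  = 0
foreach ($rule in $rules) {
    # Skip rules for other principals and rules that only apply to subkeys.
    if ($mySids -notcontains $rule.IdentityReference.Value) { continue }
    if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }

    if ($rule.AccessControlType -eq 'Allow') {
        $allow = $allow -bor [int]$rule.RegistryRights
    } else {
        $deny = $deny -bor [int]$rule.RegistryRights
    }
}
# Approximation: anything denied wins over anything allowed.
$effective = $allow -band (-bnot $deny)

"Key:   $regPath"
"Owner: $($acl.Owner)"
foreach ($name in 'QueryValues', 'SetValue', 'ChangePermissions', 'TakeOwnership') {
    $bit = [int][Enum]::Parse([System.Security.AccessControl.RegistryRights], $name)
    $granted = ($effective -band $bit) -eq $bit
    '{0,-18} {1}' -f $name, $granted
}

# Full rule list for comparison with what regedit shows.
$acl.Access | Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize
```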