[prev in list] [next in list] [prev in thread] [next in thread]
List: patchmanagement
Subject: Re: [patchmanagement] How to disable Flash Autoupdate on a x64 windows
From: Emin <emin.atac () gmail ! com>
Date: 2015-04-24 8:39:11
Message-ID: CAGN5iajZc8xLYuVGoqAcURawHrfMkyoxBeynRAHFcEMOkTRi0g () mail ! gmail ! com
[Download RAW message or body]
Hi,
I've got the same behavior you described.
I've tested the following workaround based on Applocker (you need an
Enterprise version of Windows)
I've got an Allow Rule for EveryOne set on the file (hash) of
C:\Windows\SysWOW64\FlashPlayerApp.exe and a Deny rule for built-in
administrators set on C:\Windows\SysWOW64\FlashPlayerApp.exe
If the user is a standard user, he can launch the UI in the Control Panel
but members of the local administrators group cannot.
On Thu, Apr 23, 2015 at 11:23 PM, Vreman, Peter <peter.vreman@tatasteel.com>
wrote:
> We always disabled the autoupdate for flash on our XP machines by
> creating an mms.cfg in C:\WINDOWS\system32\Macromed\Flash\mms.cfg.
>
>
>
> Now we start needing also the browser plugin version on our W81 x64
> environment (and not just the ActiveX version which is provided and updated
> by Microsoft).
>
>
>
> I am aware of some previous discussions and warnings that to disable the
> autoupdate on a X64 bits windows you need a file
> C:\WINDOWS\system32\Macromed\Flash\mms.cfg and a
> C:\Windows\SysWOW64\Macromed\Flash\mms.cfg
>
>
>
> We had the same problem and discovered that mms.cfg needs to be in both
> C:\Windows\System32\Macromed\Flash and C:\Windows\SysWOW64\Macromed\Flash.
> If it is not in C:\Windows\System32\Macromed\Flash, you will see that when
> a non-admin user runs the C:\Windows\SysWOW64\FlashPlayerApp.exe, the
> Avanced tab will show the "Notify me to install updates" will be selected
> and grayed out and users will be prompted to update. Running it as an
> admin will pick up the mms.cfg setting in SysWOW64 and show "Never check
> for updates (not recommended)" selected and not grayed out. I could not
> find this documented on Adobe's forum.
>
>
>
> For XP made the changes by using an MST to alter the MSI from Adobe and we
> hope we can do the same for Win81
>
>
>
> Doing some research on this I see on IT nija that there is a new way (
> http://www.itninja.com/software/adobe/flash-player-activex/11-1367 )
>
> If you add "-install -au 2" argument to the start of the exe (inside the
> MSI) the Autopudate is disabled for you (the installer will no longer
> install a task or a service)
>
>
>
>
> http://www.gregorystrike.com/2012/05/15/the-adobe-flash-player-update-service-starts-up-every-hour/
> (I get the impression that Stephen Pohl is from Adobe)
>
>
>
> I wonder if anybody has so experience with "install -au 2" and/or has
> some more reference material on it preferably from adobe
>
> **********************************************************************
>
> This transmission is confidential and must not be used or disclosed by
> anyone other than the intended recipient. Neither Tata Steel Europe Limited
> nor any of its subsidiaries can accept any responsibility for any use or
> misuse of the transmission by anyone.
>
> For address and company registration details of certain entities within
> the Tata Steel Europe group of companies, please visit
> http://www.tatasteeleurope.com/entities
>
> **********************************************************************
>
---
PatchManagement.org is hosted by Shavlik
The content on the email list is intended for assisting administrators. If you would \
like to use any of this content in a blog or media publication, please contact the \
owners of the list for approval.
To unsubscribe send a blank email to leave-patchmanagement@patchmanagement.org
If you are unable to unsubscribe via this email address, please email
owner-patchmanagement@patchmanagement.org
[Attachment #3 (text/html)]
<div dir="ltr"><div><div><div>Hi,<br></div>I've got the same behavior you \
described.<br></div>I've tested the following workaround based on Applocker (you \
need an Enterprise version of Windows)<br>I've got an Allow Rule for EveryOne set \
on the file (hash) of C:\Windows\SysWOW64\FlashPlayerApp.exe and a Deny rule for \
built-in administrators set on \
C:\Windows\SysWOW64\FlashPlayerApp.exe<br></div><div>If the user is a standard user, \
he can launch the UI in the Control Panel but members of the local administrators \
group cannot.<br> </div><br><div><div><div><div><br></div></div></div></div></div><div \
class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 23, 2015 at 11:23 PM, \
Vreman, Peter <span dir="ltr"><<a href="mailto:peter.vreman@tatasteel.com" \
target="_blank">peter.vreman@tatasteel.com</a>></span> wrote:<br><blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="NL">
<div>
<p class="MsoNormal"><span lang="EN-US">We always disabled the autoupdate for flash \
on our XP machines by creating an mms.cfg in </span><span \
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#333333" \
lang="EN-US">C:\WINDOWS\system32\Macromed\Flash\mms.cfg.<u></u><u></u></span></p> <p \
class="MsoNormal"><span \
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#333333" \
lang="EN-US"><u></u> <u></u></span></p> <p class="MsoNormal"><span \
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#333333" \
lang="EN-US">Now we start needing also the browser plugin version on our W81 x64 \
environment (and not just the ActiveX version which is provided and updated by \
Microsoft).<u></u><u></u></span></p> <p class="MsoNormal"><span \
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#333333" \
lang="EN-US"><u></u> <u></u></span></p> <p class="MsoNormal"><span \
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#333333" \
lang="EN-US">I am aware of some previous discussions and warnings that to disable the \
autoupdate on a X64 bits windows you need a file \
C:\WINDOWS\system32\Macromed\Flash\mms.cfg and a \
C:\Windows\SysWOW64\Macromed\Flash\mms.cfg<u></u><u></u></span></p> <p \
class="MsoNormal"><span \
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#333333" \
lang="EN-US"><u></u> <u></u></span></p> <p class="MsoNormal" \
style="margin-left:36.0pt"><span \
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#333333" \
lang="EN-US">We had the same problem and discovered that mms.cfg needs to be in both \
C:\Windows\System32\Macromed\Flash and C:\Windows\SysWOW64\Macromed\Flash. If it \
is not in C:\Windows\System32\Macromed\Flash, you will see that when a non-admin user \
runs the C:\Windows\SysWOW64\FlashPlayerApp.exe, the Avanced tab will show the \
"Notify me to install updates" will be selected and grayed out and users \
will be prompted to update. Running it as an admin will pick up the mms.cfg \
setting in SysWOW64 and show "Never check for updates (not recommended)" \
selected and not grayed out. I could not find this documented on Adobe's \
forum.<u></u><u></u></span></p> <p class="MsoNormal"><span \
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#333333" \
lang="EN-US"><u></u> <u></u></span></p> <p class="MsoNormal"><span \
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#333333" \
lang="EN-US">For XP made the changes by using an MST to alter the MSI from Adobe and \
we hope we can do the same for Win81<u></u><u></u></span></p> <p \
class="MsoNormal"><span \
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#333333" \
lang="EN-US"><u></u> <u></u></span></p> <p class="MsoNormal"><span \
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#333333" \
lang="EN-US">Doing some research on this I see on IT nija that there is a new way (<a \
href="http://www.itninja.com/software/adobe/flash-player-activex/11-1367" \
target="_blank">http://www.itninja.com/software/adobe/flash-player-activex/11-1367</a>
)<u></u><u></u></span></p>
<p class="MsoNormal"><span \
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#333333" \
lang="EN-US">If you add "-install -au 2" argument to the start of the exe \
(inside the MSI) the Autopudate is disabled for you (the installer will no longer \
install a task or a service)<u></u><u></u></span></p> <p class="MsoNormal"><span \
lang="EN-US"><u></u> <u></u></span></p> <p class="MsoNormal"><span lang="EN-US"><a \
href="http://www.gregorystrike.com/2012/05/15/the-adobe-flash-player-update-service-starts-up-every-hour/" \
target="_blank">http://www.gregorystrike.com/2012/05/15/the-adobe-flash-player-update-service-starts-up-every-hour/</a> \
(I get the impression that Stephen Pohl is from Adobe)<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">I wonder if anybody has so experience with \
"</span><span style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#333333" \
lang="EN-US">install -au 2" and/or has some more reference material on it preferably \
from adobe</span><span lang="EN-US"><u></u><u></u></span></p>
</div>
<div>
<p><font face="Arial" \
size="2">**********************************************************************</font></p>
<p>This transmission is confidential and must not be used or disclosed by anyone \
other than the intended recipient. Neither Tata Steel Europe Limited nor any of its \
subsidiaries can accept any responsibility for any use or misuse of the transmission \
by anyone.</p> <p>For address and company registration details of certain entities \
within the Tata Steel Europe group of companies, please visit <a \
href="http://www.tatasteeleurope.com/entities" \
target="_blank">http://www.tatasteeleurope.com/entities</a></p> \
<p>**********************************************************************</p> </div>
</div>
</blockquote></div><br></div>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic