Can I tell Windows to never allow specific apps (or apps with specific publishers) to be installed? [duplicate]

If you have one of the following Windows versions...

Windows XP Professional, Windows XP Media Center, Windows Vista Business, Windows Vista Enterprise & Ultimate, Windows 7 Professional, Windows 7 Enterprise & Ultimate

... there's another way to block it - by using the built-in Software Restriction Policies (SRP). But it will be impossible to install or run ANY McAfee products, not just Security Scan Plus.

  1. Create a restore point, just in case (incorrect SRP settings may lead to inability to run any software, even Windows components, so be careful).
  2. Open Local Security Policy (secpol.msc).
  3. Right click Software Restriction Policies and select "New Software Restriction Policies".
  4. Click "Additional Rules".
  5. There we see two default rules that allow everything from Windows and Program Files folders. If that's fine for you, you can just create a third rule, that allows Adobe products and that's all, if not - read on.
  6. Delete the default rules. Since SRP will not allow anything which isn't explicitly allowed, we need to create a rule that allows everything. Create a rule that allows executables with any path - "New Path Rule...", enter "*" without quotes in "Path", select "Unrestricted" in "Security Level", hit OK.
  7. Create a rule that restricts McAfee products. To do so we need any signed executable from McAfee Inc. If you still have Security Scan installed, that will do the trick, or you can download it from their site (just download, don't install). Now right click "Additional Rules" and select "New Certificate Rule...". Browse for any McAfee-signed executable (select "Signed Files" instead of "Certificate Files"), select "Disallowed" in "Security Level".
  8. Run Services and start the Application Identity service (and make it start automatically).

That's it. Now you can try to download Adobe Flash with McAfee SSP ticked and it should not be installed anyway.

If you have Windows 7 Ultimate/Enterprise or Windows 8 Enterprise you can use AppLocker (Local Security Policy (secpol.msc) -> Application Control Policies -> AppLocker). It provides even better capabilities for software control.

P.S. Sorry for poor English :).
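
The AppLocker route mentioned above can be tried without enforcing anything. This is an added example, not part of the original answer: it builds a publisher Deny rule from a signed file and evaluates it with `Test-AppLockerPolicy`. The sample file path and the output file name are placeholders (assumptions).

```powershell
# Added example: build an AppLocker publisher Deny rule from a signed file and
# evaluate it offline. Nothing is applied to the machine.
# $SignedExe is a placeholder path (assumption); point it at any executable
# signed by the publisher you want to block.
$SignedExe = 'C:\Temp\publisher-signed-sample.exe'

Import-Module AppLocker

# Read the publisher (signer) information AppLocker extracts from the file.
$info = Get-AppLockerFileInformation -Path $SignedExe
if (-not $info.Publisher) {
    throw "File is not signed; a publisher rule cannot be built from it."
}

# New-AppLockerPolicy only generates Allow rules, so take the XML and edit it.
[xml]$policy = $info | New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml

foreach ($rule in $policy.SelectNodes('//FilePublisherRule')) {
    $rule.SetAttribute('Action', 'Deny')
    $rule.SetAttribute('Name', "Deny publisher: $($info.Publisher.PublisherName)")
    foreach ($cond in $rule.SelectNodes('Conditions/FilePublisherCondition')) {
        # Widen the rule from this one binary to everything signed by the publisher.
        $cond.SetAttribute('ProductName', '*')
        $cond.SetAttribute('BinaryName', '*')
        $range = $cond.SelectSingleNode('BinaryVersionRange')
        $range.SetAttribute('LowSection', '*')
        $range.SetAttribute('HighSection', '*')
    }
}

# Save the draft policy to a scratch file (name is an assumption).
$xmlPath = Join-Path $env:TEMP 'deny-publisher-test.xml'
$policy.Save($xmlPath)

# Evaluate the draft policy against the sample file; a working rule reports
# PolicyDecision = Denied and names the matching rule.
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $SignedExe -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule
```

Before enforcing such a policy, add allow rules (for example AppLocker's default rules) to the same rule collection: once a collection contains rules, anything not matched by an allow rule is blocked, and deny rules take precedence over allow rules.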


Using the same principle as I originally used to prevent the Ask Toolbar from being installed by Java, I've created a script that removes McAfee Security Scan, creates the folder MSS installs into and modifies the permissions, so no one can write to it.

Copy the following code to Notepad, save it as a .cmd file and run it in an elevated command prompt:

REM Silently uninstall McAfee Security Scan (tested with 3.8)
REM and prevent future installations

REM Detect processor architecture
set proc_arch=x64
if "%PROCESSOR_ARCHITECTURE%" == "x86" ( 
    if not defined PROCESSOR_ARCHITEW6432 set proc_arch=x86
) 

REM Define McAfee Security Scan path
if "%proc_arch%" == "x86" set McAfeePath=%ProgramFiles%\McAfee Security Scan
if "%proc_arch%" == "x64" set McAfeePath=%ProgramFiles(x86)%\McAfee Security Scan
set McAfeeReadme=%McAfeePath%\..\McAfee_ReadMe.txt
set McAfeeRevert=%McAfeePath%\..\McAfee_RestorePermissions.cmd

REM Uninstall McAfee Security Scan
if exist "%McAfeePath%\uninstall.exe" start "" /wait "%McAfeePath%\uninstall.exe" /s /inner

REM Create dummy McAfee Security Scan folder
md "%McAfeePath%"

REM Add explanatory text file, as to why the dummy folder is there
echo The 'McAfee Security Scan' folder has been created and write protected,> "%McAfeeReadme%"
echo in order to prevent McAfee Security Scan from being 'accidentally'>> "%McAfeeReadme%"
echo installed, e.g. by Adobe Reader.>> "%McAfeeReadme%"
echo.>> "%McAfeeReadme%"
echo This has been done using ICACLS by denying write access to the>> "%McAfeeReadme%"
echo EVERYONE security group.>> "%McAfeeReadme%"
echo.>> "%McAfeeReadme%"
echo To revert permissions run:>> "%McAfeeReadme%"
echo %McAfeeRevert%>> "%McAfeeReadme%"

REM Create script to remove restrictions
echo icacls "%McAfeePath%" /remove:d *S-1-1-0> "%McAfeeRevert%"

REM Deny everyone (SID: S-1-1-0) write access
icacls "%McAfeePath%" /deny *S-1-1-0:(OI)(CI)W

Please note: ICACLS is included in Windows Vista and later. You can download ICACLS for Windows XP/Server 2003 through Microsoft KB943043 (but it must first be requested, after which you will receive a link by e-mail to download it).

A similar approach can most likely be used to block most other kinds of piggybacking crapware.

Windows Explorer quirk: Access denied

Windows Explorer behaves a little strangely if you try to open the folder. Even though you still have read access to the folder, Windows Explorer will tell you that access is denied, even though only write access has been denied.

This doesn't happen if you have simply only been assigned read access in the first place, but it seems to happen when you have been assigned read/write permission to the folder and then been denied write access.

Reverting permissions

The script has been updated to add a 'read me' text file and a script for removing the restriction again. Both are stored in the 32-bit program files folder.
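
To confirm that the deny entry set by the script is actually in place, the folder's ACL can be inspected. This is an added example, not part of the original answer: it looks for an explicit, inheritable deny-write ACE for Everyone (S-1-1-0) on the folder the script creates and lists the exact rights that ACE denies. Run it elevated; the output property names are my own.

```powershell
# Added example: verify the deny-write ACE that the batch script sets with icacls.
# The folder path follows the script's logic (32-bit Program Files).
$base = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$path = Join-Path $base 'McAfee Security Scan'

if (-not (Test-Path -LiteralPath $path -PathType Container)) {
    throw "Folder not found: $path (script not run, or folder removed)."
}

$write   = [System.Security.AccessControl.FileSystemRights]::Write
$sync    = [System.Security.AccessControl.FileSystemRights]::Synchronize
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

# Explicit (non-inherited) ACEs only, with identities returned as SIDs.
$acl  = Get-Acl -LiteralPath $path
$deny = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'S-1-1-0' -and
        ($_.FileSystemRights -band $write) -eq $write -and
        ($_.InheritanceFlags -band $inherit) -eq $inherit
    }

if (-not $deny) {
    Write-Warning "No explicit deny-write ACE for Everyone (S-1-1-0) on $path"
} else {
    $deny | ForEach-Object {
        [pscustomobject]@{
            Path              = $path
            DeniedRights      = $_.FileSystemRights
            Inheritance       = $_.InheritanceFlags
            # A deny that also covers Synchronize affects opening the folder,
            # not just writing to it.
            DeniesSynchronize = [bool]($_.FileSystemRights -band $sync)
        }
    }
}
```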