I do some consulting about Windows Deployment for my company, so I have to use Microsoft Deployment Toolkit (MDT) to prepare USB sticks when I need to deploy Windows by using offline media.
Microsoft Deployment Toolkit has an Import Operating System operation that copies all files from any drive to the shared folder, and it is failing when it starts copying:
It says "Access is denied".
I then ran Process Monitor from Sysinternals and found nothing about ACCESS DENIED with the Count Occurrences feature. I asked the guy responsible for the AntiVirus here in my company and they told me they have some security policies for some kinds of files like .INF, .LNK, and they would not create an exception.
I decided to run Process Monitor from Sysinternals and see what was going on. I searched for autorun.in and found some operation at the end of the trace; however, it seemed like everything was just fine, but I remembered that Procmon would not see anything from kernel mode, so I opened the stack trace and found that SYSFER.DLL, from Symantec, was injected into the file operation:
9 | SYSFER.DLL | SYSFER.DLL + 0x19c19 | 0x74679c19 | C:\Windows\System32\SYSFER.DLL |
When I opened the properties it said that it belongs to the Symantec CMC Firewall sysfer.
I then ran Autoruns and found that there was a driver called SysPlant.sys that had the same description, but I could not stop it from within Windows, obviously.
I created a Windows PE media, copied Autoruns.exe and booted the machine from the PE media, using a USB stick. I ran Autoruns, went to the Drivers tab and disabled the SysPlant.sys driver; I restarted the machine and now I was able to import the operating system using MDT.
So... I have a couple of questions:
1. What is the relationship between SYSFER.DLL and SYSPLANT.SYS?
2. What does Symantec CMC stand for? What does CMC mean?
3. Is there anything I can suggest to my company so they can keep the policy and I can work with MDT?
Thanks a lot!