1 ;--------------------------------
6 ;--------------------------------
9 !define MUI_ICON favicon.ico
10 !define MUI_UNICON ossec-uninstall.ico
11 !define VERSION "2.5.1"
12 !define NAME "OSSEC HIDS"
13 !define /date CDATE "%b %d %Y at %H:%M:%S"
15 Name "${NAME} Windows Agent v${VERSION}"
16 BrandingText "Copyright (C) 2010 Trend Micro Inc."
17 OutFile "ossec-win32-agent.exe"
19 InstallDir "$PROGRAMFILES\ossec-agent"
20 InstallDirRegKey HKLM Software\OSSEC ""
22 ;--------------------------------
25 !define MUI_ABORTWARNING
27 ;--------------------------------
29 !define MUI_WELCOMEPAGE_TITLE_3LINES
30 !define MUI_WELCOMEPAGE_TEXT "This wizard will guide you through the install of ${Name}.\r\n\r\nClick next to continue."
31 !define MUI_FINISHPAGE_TITLE_3LINES
32 !define MUI_FINISHPAGE_RUN "$INSTDIR\win32ui.exe"
33 !define MUI_FINISHPAGE_RUN_TEXT "Run OSSEC Agent Manager"
35 ; Page for choosing components.
36 !define MUI_COMPONENTSPAGE_TEXT_TOP "Select the options you want to be executed. Click next to continue."
37 !define MUI_COMPONENTSPAGE_NODESC
39 !insertmacro MUI_PAGE_WELCOME
40 !insertmacro MUI_PAGE_LICENSE "LICENSE.txt"
41 !insertmacro MUI_PAGE_COMPONENTS
42 !insertmacro MUI_PAGE_DIRECTORY
43 !insertmacro MUI_PAGE_INSTFILES
44 !insertmacro MUI_PAGE_FINISH
46 ; These have to be defined again to work with the uninstall pages
47 !define MUI_WELCOMEPAGE_TITLE_3LINES
48 !define MUI_FINISHPAGE_TITLE_3LINES
49 !insertmacro MUI_UNPAGE_WELCOME
50 !insertmacro MUI_UNPAGE_CONFIRM
51 !insertmacro MUI_UNPAGE_INSTFILES
52 !insertmacro MUI_UNPAGE_FINISH
54 ;--------------------------------
57 !insertmacro MUI_LANGUAGE "English"
59 ;--------------------------------
60 ; Function to stop OSSEC service if running
63 IfFileExists $INSTDIR\ossec.conf 0 +3
64 MessageBox MB_OKCANCEL "${NAME} is already installed. It will be stopped before continuing." /SD IDOK IDOK NoAbort
68 ;; Stopping ossec service.
69 nsExec::ExecToStack '"net" "stop" "OssecSvc"'
72 ;--------------------------------
75 Section "OSSEC Agent (required)" MainSec
88 internal_options.conf \
99 rootcheck\rootcheck.conf \
100 rootcheck\db\win_applications_rcl.txt \
101 rootcheck\db\win_malware_rcl.txt \
102 rootcheck\db\win_audit_rcl.txt \
108 WriteRegStr HKLM SOFTWARE\ossec "Install_Dir" "$INSTDIR"
109 WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\OSSEC" "DisplayName" "${NAME} ${VERSION}"
110 WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\OSSEC" "DisplayVersion" "${VERSION}"
111 WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\OSSEC" "DisplayIcon" "${MUI_ICON}"
112 WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\OSSEC" "HelpLink" "http://www.ossec.net/main/support/"
113 WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\OSSEC" "URLInfoAbout" "http://www.ossec.net"
114 WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\ossec" "UninstallString" '"$INSTDIR\uninstall.exe"'
115 WriteRegDWORD HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\ossec" "NoModify" 1
116 WriteRegDWORD HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\ossec" "NoRepair" 1
117 WriteUninstaller "uninstall.exe"
119 ; Writing version and install information
120 FileOpen $0 $INSTDIR\VERSION.txt w
122 FileWrite $0 "${NAME} v${VERSION} - "
123 FileWrite $0 "Installed on ${CDATE}"
127 CreateDirectory "$INSTDIR\rids"
128 CreateDirectory "$INSTDIR\syscheck"
129 CreateDirectory "$INSTDIR\shared"
130 CreateDirectory "$INSTDIR\active-response"
131 CreateDirectory "$INSTDIR\active-response\bin"
132 Delete "$INSTDIR\active-response\bin\route-null.cmd"
133 Delete "$INSTDIR\active-response\bin\restart-ossec.cmd"
134 Rename "$INSTDIR\rootkit_trojans.txt" "$INSTDIR\shared\rootkit_trojans.txt"
135 Rename "$INSTDIR\rootkit_files.txt" "$INSTDIR\shared\rootkit_files.txt"
136 Rename "$INSTDIR\win_malware_rcl.txt" "$INSTDIR\shared\win_malware_rcl.txt"
137 Rename "$INSTDIR\win_audit_rcl.txt" "$INSTDIR\shared\win_audit_rcl.txt"
138 Rename "$INSTDIR\win_applications_rcl.txt" "$INSTDIR\shared\win_applications_rcl.txt"
139 Rename "$INSTDIR\route-null.cmd" "$INSTDIR\active-response\bin\route-null.cmd"
140 Rename "$INSTDIR\restart-ossec.cmd" "$INSTDIR\active-response\bin\restart-ossec.cmd"
141 Rename "$INSTDIR\os_win32ui.exe" "$INSTDIR\win32ui.exe"
142 Delete "$SMPROGRAMS\OSSEC\Edit.lnk"
143 Delete "$SMPROGRAMS\OSSEC\Uninstall.lnk"
144 Delete "$SMPROGRAMS\OSSEC\Documentation.lnk"
145 Delete "$SMPROGRAMS\OSSEC\Edit Config.lnk"
146 Delete "$SMPROGRAMS\OSSEC\*.*"
148 ; Remove start menu entry.
149 RMDir "$SMPROGRAMS\OSSEC"
151 ; Creating start menu directory
152 CreateDirectory "$SMPROGRAMS\OSSEC"
153 CreateShortCut "$SMPROGRAMS\OSSEC\Manage Agent.lnk" "$INSTDIR\win32ui.exe" "" "$INSTDIR\win32ui.exe" 0
154 CreateShortCut "$SMPROGRAMS\OSSEC\Documentation.lnk" "$INSTDIR\doc.html" "" "$INSTDIR\doc.html" 0
155 CreateShortCut "$SMPROGRAMS\OSSEC\Edit Config.lnk" "$INSTDIR\ossec.conf" "" "$INSTDIR\ossec.conf" 0
156 CreateShortCut "$SMPROGRAMS\OSSEC\Uninstall.lnk" "$INSTDIR\uninstall.exe" "" "$INSTDIR\uninstall.exe" 0
158 ; Install in the services (perhaps it would be better to use a plug-in here?)
159 ;nsExec::ExecToStack '"$INSTDIR\ossec-agent.exe" install-service'
160 ExecWait '"$INSTDIR\ossec-agent.exe" install-service'
161 ;nsExec::ExecToStack '"$INSTDIR\setup-windows.exe" "$INSTDIR"'
162 ExecWait '"$INSTDIR\setup-windows.exe" "$INSTDIR"'
166 Section "Scan and monitor IIS logs (recommended)" IISLogs
168 nsExec::ExecToStack '"$INSTDIR\setup-iis.exe" "$INSTDIR"'
172 Section "Enable integrity checking (recommended)" IntChecking
174 nsExec::ExecToStack '"$INSTDIR\setup-syscheck.exe" "$INSTDIR" "enable"'
178 ;--------------------------------
182 ;Need a step to check for a running agent manager, otherwise it and the INSTDIR directory will not be removed.
184 ; Stop ossec. Perhaps we should look for an exit status here. Also, may be a good place to use a plug-in.
185 nsExec::ExecToStack '"net" "stop" "OssecSvc"'
187 ; Uninstall from the services. Again, maybe use a plugin here.
188 nsExec::ExecToStack '"$INSTDIR\ossec-agent.exe" uninstall-service'
190 ; Remove registry keys
191 DeleteRegKey HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\OSSEC"
192 DeleteRegKey HKLM SOFTWARE\OSSEC
194 ; Remove files and uninstaller. There have been instances where the ossec-agent directory and executable is left. Why?
195 Delete "$INSTDIR\ossec-agent.exe"
196 Delete "$INSTDIR\manage_agents.exe"
197 Delete "$INSTDIR\ossec.conf"
198 Delete "$INSTDIR\uninstall.exe"
200 Delete "$INSTDIR\rids\*"
201 Delete "$INSTDIR\syscheck\*"
202 Delete "$INSTDIR\shared\*"
203 Delete "$INSTDIR\active-response\bin\*"
204 Delete "$INSTDIR\active-response\*"
207 ; Remove shortcuts, if any
208 Delete "$SMPROGRAMS\OSSEC\*.*"
209 Delete "$SMPROGRAMS\OSSEC\*"
211 ; Remove directories used
212 RMDir "$SMPROGRAMS\OSSEC"
213 RMDir "$INSTDIR\shared"
214 RMDir "$INSTDIR\syscheck"
215 RMDir "$INSTDIR\rids"
216 RMDir "$INSTDIR\active-response\bin"
217 RMDir "$INSTDIR\active-response"