Good afternoon everyone,

recently we experience wps office automatically installing itself,

the user is on normal acc, no admin rights, the installation doesn't require admin rights, it doesn't even need user to start installation by clicking installer, it just install itself

even if user accidentally click some link, it should have just downloaded the installer and shouldn't auto run itself.

it took over microsoft office and when we try to uninstall it, it ask for admin password.

How can i set for every installation must require admin rights? meaning i want block all such installation without admin permission.

and how can i prevent such program from acquiring admin rights, when they installed without admin right?


Thanks in advance


edit: found some other similar complaints, and seems like not much answer is available
https://learn.microsoft.com/en-us/answers/q...ault-pdf-viewer
https://www.reddit.com/r/WindowsHelp/commen...s_in_my_system/
https://superuser.com/questions/1729819/how...mpany-computers

for the last one it include some web link block in eu, i would prefer to just set a group policy if possible to disable all installation without admin rights, and to protect the admin rights from being accessed by the program. it seems like a loop hole that a program can install without admin and then gain the admin access afterwards.

This post has been edited by pandah: Oct 21 2024, 12:58 PM

this is on android phone or pc or laptop?

this is pc, it happens on 1 win10 and another win11.

the program itself is quite problematic also, it not only took over ms office, it also some how corrupts itself or corrupt the files. simple words and excel can be corrupted and wps itself can't open the file, then the only way to open it is uninstall wps, download a fresh copy of it and open the file again... then the file is normal again

download malwarebytes do a scan.
https://www.malwarebytes.com/

imo it is some app / software you installed that does the discreet installation of WPS, thats why it happens on WIN10 /11, go thru your liat of apps and see which 1 might be rogue

Block running WPS executable?

been using PC 30 years.
never see a PC so compromise like this.

1. illegal Copy of Windows 10/11
2. a super infected Thumbdrive passing around. ( my company Thumbdrive = Heroin. Who bring thumbdrive = fire on the spot )
3. Email. I dont know how u guys manage email. (read, inbox, send, auth)

I heard about it. It installs from browser. I think it is a browser exploit rather than virus. It defaults WPS office as a viewer/ editor to Office & PDF file.

Anyway if you want all the pc in the office not to allow any form of installation, you have to change the account from Administrator to User account.

The Pc will function as normal. But it would not allow installation and a window would pop up asking for administrator account and password.

This post has been edited by netmatrix: Oct 21 2024, 11:40 PM

Who trigger this exploit?
From where, and how it trigger this exploit?
and you think WPS can target all PC worldwide with this exploit?

think.

Answer is simple.

This PC and their office enviroment is totally compromised. Even buy NEW PC also same.
as long as the NEW PC enter this group of people, same thing happened.

1. Their illegal Copy of Windows.
2. They use compromised Pendrive
3. a Device in their LAN compromised. keep infected other Device in LAN.
4. Email system they use

It is a standard user, some programs doesn't need to have admin rights to install, even chrome can do so. The windows is legit and malwarebyte return nothing.

I need a way to prevent these kind of installing without admin rights behaviour.

have you tried set the account to user level?

enterprise environment kah? as in workplace?

install sophos antivirus...is a layer 7 antivirus basically. can block everything. even in home network

the account is set as user level, and some program is installing at user level folder such as the appdata so it doesn't require admin password to proceed.

small office environment, company is using trendmicro, i may try to ask if there is any function to do this