Not sure if anyone saw this bit of news recently where a report put out by ScanSafe indicates that PDF’s accounted for 80% of exploits in the 4th quarter of 2009 .  I support both FCS our antivirus product and I also do Incident Response work.  As part of our IR work we do semi-forensics shall...

Counting and sorting by unique text in the strings section: As a follow on to a previous article http://blogs.technet.com/kfalde/archive/2009/01/28/using-logparser-eventcomb-to-find-malware.aspx I found some other useful queries that I figured I would post as well that came in helpful on some recent...

So lately we keep seeing variants of malware that modifies content on file servers in an environment in hopes of spreading to other users.  My guess is that it is just using mapped drive letters thinking they are USB keys but the effects is the same regardless.  The actions they take are usually...

I already did one post about using eventcomb/logparser to look for clients but found a better way to do it on a case last night which I wanted to share.  The first thing you need is to enable netlogon debug logging on all of your DC’s save the following as a .reg file and import it on all your DC...

EDIT 4/27/09: THIS NO LONGER WORKS WITH NEW VARIANTS OF CONFICKER HOWEVER THE CONCEPT IS STILL SOUND IF YOU ARE LOOKING FOR SYSTEMS THAT ARE QUERYING FOR SPECIFIC DNS NAMES.   I’ve already created one post on finding malware systems using eventcomb however when it comes to Conficker or Downadup...

During the course of these Conficker / Downadup issues we typically see cases that started because accounts are getting locked out.  I pause briefly here to point out that account lockouts are the work of the devil and are a sorry excuse for most people to not use a complex password policy. ...

So for the past 2 weeks now we are absolutely getting hammered with calls in CSS Security here at MS with organizations contracting this piece of malware. You can find write-ups from various AV companies at the following URL’s http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=76852 ...

This doesn’t really affect the FCS world but it is an interesting development. https://www.microsoft.com/presspass/features/2008/Nov08/11-18AmyBarzdukasQandA.mspx apparently we are going to begin to offer a no-cost anti-malware solution in 2nd half of 2008. This is going to be more targeted at the end...