Stuff n Things
Content from a CSS Security Engineer usually covering FCS and Incident Response
Some thoughts on Adobe Reader and malware
Not sure if anyone saw this bit of news recently: a report put out by ScanSafe indicates that PDFs accounted for 80% of exploits in the 4th quarter of 2009. I support FCS, our antivirus product, and I also do Incident Response work. As part of our IR work we do semi-forensics, shall...
10 Mar 2010
Some more logparser & eventcomb stuff for IR work
Counting and sorting by unique text in the strings section: As a follow-on to a previous article (http://blogs.technet.com/kfalde/archive/2009/01/28/using-logparser-eventcomb-to-find-malware.aspx), I found some other useful queries that I figured I would post as well, since they came in helpful on some recent...
27 Jan 2010
Dealing with malware that creates .exe’s on file shares
So lately we keep seeing variants of malware that modify content on file servers in an environment in hopes of spreading to other users. My guess is that it is just using mapped drive letters, thinking they are USB keys, but the effect is the same regardless. The actions they take are usually...
24 Jul 2009
Cheap real time monitoring for Conficker clients
I already did one post about using eventcomb/logparser to look for clients, but I found a better way to do it on a case last night that I wanted to share. The first thing you need is to enable netlogon debug logging on all of your DCs: save the following as a .reg file and import it on all your DC...
9 Mar 2009
Blocking and finding Conficker and Downadup systems
EDIT 4/27/09: THIS NO LONGER WORKS WITH NEW VARIANTS OF CONFICKER; HOWEVER, THE CONCEPT IS STILL SOUND IF YOU ARE LOOKING FOR SYSTEMS THAT ARE QUERYING FOR SPECIFIC DNS NAMES. I’ve already created one post on finding malware systems using eventcomb; however, when it comes to Conficker or Downadup...
10 Feb 2009
Using Logparser + Eventcomb to find malware
During the course of these Conficker / Downadup issues we typically see cases that started because accounts are getting locked out. I pause briefly here to point out that account lockouts are the work of the devil and are a sorry excuse for most people not to use a complex password policy. ...
29 Jan 2009
Malware Win32/Conficker.B W32.Downadup.B
So for the past 2 weeks now we have been absolutely getting hammered with calls in CSS Security here at MS from organizations contracting this piece of malware. You can find write-ups from various AV companies at the following URLs: http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=76852 ...
8 Jan 2009
Changes to Microsoft Anti-Malware
This doesn’t really affect the FCS world, but it is an interesting development. https://www.microsoft.com/presspass/features/2008/Nov08/11-18AmyBarzdukasQandA.mspx Apparently we are going to begin to offer a no-cost anti-malware solution in the 2nd half of 2008. This is going to be more targeted at the end...
19 Nov 2008
© 2014 Microsoft Corporation.