<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Stuff n Things</title><link>http://blogs.technet.com/b/kfalde/</link><description>Content from a CSS Security Engineer usually covering FCS and Incident Response</description><dc:language>en-US</dc:language><generator>Telligent Evolution Platform Developer Build (Build: 5.6.50428.7875)</generator><item><title>Another WSUS Cleanup Script</title><link>http://blogs.technet.com/b/kfalde/archive/2010/04/20/another-wsus-cleanup-script.aspx</link><pubDate>Tue, 20 Apr 2010 21:24:40 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3326858</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3326858</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2010/04/20/another-wsus-cleanup-script.aspx#comments</comments><description>&lt;p&gt;Just noticed this as I was looking for a solution for a different WSUS problem and thought I would share this here as well.&amp;#160; &lt;a title="http://gallery.technet.microsoft.com/ScriptCenter/en-us/90ca6976-d441-4a10-89b0-30a7103d55db" href="http://gallery.technet.microsoft.com/ScriptCenter/en-us/90ca6976-d441-4a10-89b0-30a7103d55db"&gt;http://gallery.technet.microsoft.com/ScriptCenter/en-us/90ca6976-d441-4a10-89b0-30a7103d55db&lt;/a&gt; Apparently a “Thomas Schlacter” posted this recently to the ScriptCenter and looks very convenient in that you would only need to schedule this on the master server and it would parse your downstream servers and remotely issue the calls to run the cleanup on those systems so that you do not have to schedule anything 
there.&amp;#160; You would need PowerShell for this to work on the Upstream/Master server.&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3326858" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/b/kfalde/archive/tags/FCS+Definitions/">FCS Definitions</category><category domain="http://blogs.technet.com/b/kfalde/archive/tags/WSUS/">WSUS</category></item><item><title>Some thoughts on Adobe Reader and malware</title><link>http://blogs.technet.com/b/kfalde/archive/2010/03/10/some-thoughts-on-adobe-reader-and-malware.aspx</link><pubDate>Wed, 10 Mar 2010 15:20:10 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3318146</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3318146</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2010/03/10/some-thoughts-on-adobe-reader-and-malware.aspx#comments</comments><description>&lt;p&gt;Not sure if anyone saw this bit of news recently where a report put out by ScanSafe indicates that &lt;a href="http://www.computerworld.com/s/article/9157438/Rogue_PDFs_account_for_80_of_all_exploits_says_researcher"&gt;PDFs accounted for 80% of exploits in the 4th quarter of 2009&lt;/a&gt;.&amp;#160; I support FCS, our antivirus product, and I also do Incident Response work.&amp;#160; As part of our IR work we do semi-forensics, shall we say :) We do not do forensics, as that would be something that is admissible in a court of law and our toolset isn’t: we modify last access timestamps, don’t keep a chain of custody, etc.&amp;#160; So as part of this dual-hat role that our group currently plays, when we see a customer that keeps submitting new samples repeatedly and raising the alert to us that our product is not cutting it with regards to detection of malware, we like to push into the why/how this customer 
keeps finding all these new malwares.&amp;#160; &lt;/p&gt;  &lt;p&gt;Of the last 4 or so cases that I have had to investigate it has invariably come down to the following sequence: user was browsing around the internet &amp;gt; user passes by some page where either the page itself was compromised or their ad network was compromised &amp;gt; exploit javascript downloads malicious .pdf which silently opens in the browser in some hidden frame &amp;gt; user is using older version of Adobe Reader &amp;gt; malicious .pdf runs in user’s context (user is admin) malicious .exes/services etc are dropped on the box and that’s the end of the story.&lt;/p&gt;  &lt;p&gt;So as an AV vendor do we have some blame to take here :) absolutely we missed some new variant.&amp;#160; In a perfect world either IE8 with url reputation would have seen it as bad or our AV would have detected the malicious PDF or the .exes/services it created.&amp;#160; Unfortunately all of these are reactive prevention mechanisms that are extremely reliant on previous signatures to detect them or being close matches to heuristic patterns. 
&lt;/p&gt;  &lt;p&gt;On the other hand, though, when you are browsing the Internet with Adobe Reader that is any version lower than the latest, you’re pretty much asking to try out new variants of malware.&amp;#160; So if I’m going to take some blame then someone else needs to as well; I’m guessing both Adobe, for lack of an enterprise patch management solution, and the users of their products, for not managing the state of this application in their environment.&lt;/p&gt;  &lt;p&gt;So, blame game aside, let’s move beyond this: we know we have a problem here, so what do we do to fix it?&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Long Term: there needs to be a patch management solution in place that keeps all clients up to date with all installed products.&amp;#160; I have seen some interesting things around &lt;a href="http://www.shavlik.com/scupdates.aspx"&gt;Shavlik SCUPdates&lt;/a&gt; for SCCM as well as the &lt;a href="http://secunia.com/blog/71"&gt;Secunia CS product they are creating to integrate with WSUS.&lt;/a&gt;&amp;#160; Also, as posted &lt;a href="http://blogs.adobe.com/asset/2010/03/follow-up_to_threatpost_live_c.html"&gt;here&lt;/a&gt;, it seems that Adobe is currently working with us to integrate updates to their products into WSUS and SCCM, which would be great; it would be even better if we had this for JRE and some other products that are used widely for exploits. &lt;/li&gt;    &lt;li&gt;Short Term: you can look at deploying some mitigations for these products that are currently in your environment. JavaScript within Adobe Reader is typically a biggie, which can easily be disabled within the registry.&amp;#160; Disabling the auto-open functionality of documents is another.&amp;#160; Disabling the IE ActiveX control for Adobe Reader would also be good.&amp;#160; Disabling old versions of Adobe Reader from running in your environment whatsoever via Software Restriction Policies? 
&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;The latter of those 2 is what I focused on for a while, trying to find some items to help mitigate in the short term while you work on getting a patching solution in place.&amp;#160; I have an attached GPO at the end of this that makes most of these simple.&amp;#160; You create a new GPO and then import settings from the backup via GPMC.&amp;#160; The following is a list of what is included with this:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Two REG_BINARY keys that are hacked manually into the .pol files of the GPO, as ADM syntax does not allow REG_BINARY values in hex.&amp;#160; The keys are HKCU\Software\Classes\AcroExch.Document.7\EditFlags and HKCU\Software\Classes\AcroPDF.PDF.1\EditFlags, both set to all zeros.&amp;#160; These force IE to give an Open/Save prompt every time a .pdf is encountered.&amp;#160; This seems to work for Reader 6-9. &lt;/li&gt;    &lt;li&gt;Registry keys in the User section Administrative Templates for the following      &lt;ul&gt;       &lt;li&gt;Disable Browser check on startup for Reader 9 &lt;/li&gt;        &lt;li&gt;Disable Browser integration for Reader 9 (makes it open in a separate window rather than within IE; this only seems to work via reg key for Reader 9) &lt;/li&gt;        &lt;li&gt;Disable Fast Web View for Reader 9 &lt;/li&gt;        &lt;li&gt;Disable JavaScript for Readers 7-9 &lt;/li&gt;     &lt;/ul&gt;   &lt;/li&gt;    &lt;li&gt;Registry key under Computer section Administrative Templates for the following      &lt;ul&gt;       &lt;li&gt;Disable user from re-enabling Browser Integration in Reader 9 &lt;/li&gt;     &lt;/ul&gt;   &lt;/li&gt;    &lt;li&gt;Software Restriction Policies under the computer section for the following      &lt;ul&gt;       &lt;li&gt;Path Rules for Reader 6-8; these are all set to Unrestricted by default, if you change them to Restricted it will block any builds of those versions of Adobe Reader from running on your XP and higher 
systems that you apply this to. &lt;/li&gt;        &lt;li&gt;Hash rules for Adobe Reader 9 builds 9.0.0.332, 9.1.0.163, 9.2.0.124. This would allow you to block all but the current latest version of Reader from running in the 9.x series. &lt;/li&gt;     &lt;/ul&gt;   &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;I didn’t do one on managing ActiveX controls; however this would be fairly simple as well, restricting the CLSID of the ActiveX control for Reader.&amp;#160; Unfortunately Adobe has used the same CLSID since the beginning of time, it seems, for the Adobe Reader controls, so you can’t killbit it or restrict it without restricting it for every version of Reader including the latest patched ones, so that is something you would need to evaluate in your environment.&lt;/p&gt;  &lt;p&gt;Another caveat is that you can’t disable the browser integration just with reg keys for versions of Reader less than 9.&amp;#160; The reg keys are there in some cases; however, just setting them only changes the setting in the preferences GUI but not the actual behavior of the program, which appears to do a lot more than just those reg keys when you throw it under procmon while making that change (it runs msiexec, reconfiguring the program; I eventually just gave up on it :( )&lt;/p&gt;  &lt;p&gt;So here is the GPO&lt;/p&gt; &lt;iframe style="padding-bottom: 0px; background-color: #fcfcfc; padding-left: 0px; width: 112px; padding-right: 0px; height: 116px; padding-top: 0px" title="Preview" marginheight="0" src="http://cid-14eec8ab42191b55.skydrive.live.com/embedicon.aspx/.Public/Adobe%20Mitigations%20GPO.zip" frameborder="0" marginwidth="0" scrolling="no"&gt;&lt;/iframe&gt;  &lt;p&gt;You will need to create a new GPO in AD and then use the GPMC to import settings from a backup and point to the folder where you extract this .zip.&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3318146" width="1" height="1"&gt;</description><category 
domain="http://blogs.technet.com/b/kfalde/archive/tags/Incident+Response/">Incident Response</category></item><item><title>Some more logparser &amp; eventcomb stuff for IR work</title><link>http://blogs.technet.com/b/kfalde/archive/2010/01/27/some-more-logparser-eventcomb-stuff-for-ir-work.aspx</link><pubDate>Wed, 27 Jan 2010 20:26:53 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3308834</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3308834</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2010/01/27/some-more-logparser-eventcomb-stuff-for-ir-work.aspx#comments</comments><description>&lt;p&gt;Counting and sorting by unique text in the strings section:&lt;/p&gt;  &lt;p&gt;As a follow-on to a previous article &lt;a title="http://blogs.technet.com/kfalde/archive/2009/01/28/using-logparser-eventcomb-to-find-malware.aspx" href="http://blogs.technet.com/kfalde/archive/2009/01/28/using-logparser-eventcomb-to-find-malware.aspx"&gt;http://blogs.technet.com/kfalde/archive/2009/01/28/using-logparser-eventcomb-to-find-malware.aspx&lt;/a&gt; I found some other useful queries that came in handy on some recent cases, which I figured I would post as well.&lt;/p&gt;  &lt;p&gt;We were basically looking for unique instances of event text from EventComb logs, so the same process applied: gather the EventComb built-in account lockout search data.&lt;/p&gt;  &lt;p&gt;Once you have the txt files you can run the following against them:&lt;/p&gt;  &lt;p&gt;logparser -i:textline -o:csv &amp;quot;select substr(text,INDEX_OF(Text,'SYSTEM,'),NULL) into timestampremoved.txt from *LOG.txt&amp;quot;&lt;/p&gt;  &lt;p&gt;This basically cuts off all the text in front of 'SYSTEM,' on each line, i.e. the part that holds the timestamp, which allows finding lines that are the same and counting them up.&lt;/p&gt;  
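The two logparser steps in this post (cut each line back to the 'SYSTEM,' marker so identical events line up, then group the identical lines and count them) as an added PowerShell example; this is not code from the original post. The sample lines are constructed for the example and only assume what the queries assume: that each EventComb line carries a timestamp in front of the 'SYSTEM,' marker. Point Get-Content at the real *LOG.txt files to use it on a case.

```powershell
# Added example, not part of the original post: the two logparser steps above done in PowerShell
# so the result can be filtered further in the pipeline (e.g. by caller machine name).
# The lines below are constructed for this example; real EventComb *LOG.txt output differs only
# in the text that precedes the 'SYSTEM,' marker, which is exactly the part that gets cut off.
$sample = @(
    '4/12/2010 10:23:01 AM,SYSTEM,644,Security,User Account Locked Out: Target Account Name: jdoe Caller Machine Name: WS-042',
    '4/12/2010 10:23:07 AM,SYSTEM,644,Security,User Account Locked Out: Target Account Name: jdoe Caller Machine Name: WS-042',
    '4/12/2010 10:25:44 AM,SYSTEM,644,Security,User Account Locked Out: Target Account Name: asmith Caller Machine Name: WS-017',
    '4/12/2010 10:31:02 AM,SYSTEM,644,Security,User Account Locked Out: Target Account Name: jdoe Caller Machine Name: WS-042'
)

function Get-UniqueEventText {
    param(
        [string[]]$Lines,
        [string]$Marker = 'SYSTEM,'
    )
    $Lines |
        ForEach-Object {
            $i = $_.IndexOf($Marker)
            # Step 1: drop everything before the marker (the timestamp). Lines without the
            # marker are kept whole rather than silently dropped.
            if ($i -ge 0) { $_.Substring($i) } else { $_ }
        } |
        Group-Object |                       # Step 2: group identical lines ...
        Sort-Object Count -Descending |      # ... most frequent first, like ORDER BY COUNT(*) DESC
        Select-Object Count, @{Name = 'Text'; Expression = { $_.Name }}
}

# Against real EventComb output replace $sample with:  Get-Content -Path 'C:\EventComb\*LOG.txt'
$uniques = Get-UniqueEventText -Lines $sample
$uniques | Export-Csv -Path .\uniques.csv -NoTypeInformation
$uniques | Format-Table -AutoSize
```

With the constructed input the top row is the jdoe/WS-042 lockout with a count of 3, followed by the asmith/WS-017 line with a count of 1; on real data the Caller Machine Name in the top rows is where the IR work starts.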
&lt;p&gt;Next run the following:&lt;/p&gt;  &lt;p&gt;logparser -i:textline -o:csv &amp;quot;select COUNT(*), Text into uniques.txt from timestampremoved.txt group by TEXT order by COUNT(*) DESC&amp;quot;&lt;/p&gt;  &lt;p&gt;This groups together unique lines and gives you a count of how many times each line occurred within all the logs.&lt;/p&gt;  &lt;p&gt;This works for quite a few different things and would actually work well against event logs in general to just find out what your top offenders were in the log.&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3308834" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/b/kfalde/archive/tags/Incident+Response/">Incident Response</category></item><item><title>Determining the cause of FCS client performance issues</title><link>http://blogs.technet.com/b/kfalde/archive/2009/12/30/determining-the-cause-of-fcs-client-performance-issues.aspx</link><pubDate>Wed, 30 Dec 2009 17:28:05 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3303095</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>2</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3303095</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2009/12/30/determining-the-cause-of-fcs-client-performance-issues.aspx#comments</comments><description>&lt;p&gt;Realistically this process should work for other AV clients as well, but I’m doing it in the context of the one I support.&amp;#160; Although it isn’t extremely common, we do run into scenarios where a customer has issues with the FCS client taking up large amounts of CPU on a system.&amp;#160; Sometimes it is constant and other times it is more intermittent.&amp;#160; Regardless of the intermittency, the key thing to remember is that this typically means that the FCS engine is actively scanning files, and quite possibly either a file that 
is complex or having to repeatedly scan the same file over and over again.&amp;#160; I say complex as certain file types have much more complexity to their internal structures than others; for example, your Notepad .txt file is extremely non-complex, as opposed to say a .pdf or a .xlsx file which can be extremely complex.&amp;#160; You may have a 100 MB text file that scans quickly but a 1 MB .pdf that takes much longer.&amp;#160; The key point here is that file size does not equal the time it takes to scan the file; the internal complexity of the file is what drives scan times.&lt;/p&gt;  &lt;p&gt;The first thing to check when you see performance issues with the client is for “expensive” files.&amp;#160; If you browse to C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Support on your client system, look for a file called MPLog-########-######.log (the #’s are date stamps, I believe for when it first started).&amp;#160; Open this file up in the text editor of your choice and search up from the bottom looking for the word “expensive”.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/UsingProcmontospotFCSotherprocesshotspot_10F36/image_2.png"&gt;&lt;img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/UsingProcmontospotFCSotherprocesshotspot_10F36/image_thumb.png" width="422" height="150" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;An example is shown above; in this case it’s the Service Pack 2 file for SQL 2005 and it’s about 290 MB, so yes it probably does take a while to scan that file.&amp;#160; You could consider an exclusion for this file specifically; however I probably wouldn’t recommend it due to PE reinfector viruses such as Sality that infect legitimate .exe’s.&amp;#160; On the other hand if 
the expensive file is a .log or .txt or some other normally non-executable file on the file system and you see this file repeatedly in the MPLog, then it would be a definite candidate to add to your exclusions list via FCS policy.&lt;/p&gt;  &lt;p&gt;The other situation that causes performance issues is where FCS requires repeated scanning of the same file(s) on the file system.&amp;#160; As is typical with most AV systems, FCS uses a type of fingerprinting of the file system to know which files it has already scanned since the service was last restarted and does not scan those files again as long as they are not written to.&amp;#160; For example, if I create a new .exe on a file share FCS will scan this on the original write; however if 50 other people run that .exe afterwards the FCS client will not scan this .exe again for their reads of the file.&amp;#160; If however something attempts to write to the file, FCS will be forced to scan this file again to verify the new contents of the file are not malicious.&amp;#160; Typically what we see with multiple scans of the same file are processes that are writing to log files that will open the file / write to the file / close the file and then repeat this process again in a very short order of time.&amp;#160; Since they do not hold a handle open to the file but instead close the file, FCS sees this as a new file modification and thus is forced to rescan the contents of this file.&amp;#160; Unfortunately these do not always show up in the MPLog, as it may be fairly quick to scan the file; it just does not hit the threshold (3 seconds scan time) for us to determine this as an “expensive” file.&lt;/p&gt;  &lt;p&gt;What we typically use to find these issues is &lt;a href="http://live.sysinternals.com/Procmon.exe"&gt;Procmon&lt;/a&gt;.&amp;#160; Get a copy of procmon loaded on the system and start it up.&amp;#160; When the Filter window comes up you will want to remove the filter for “Process Name is System Exclude”, as we do want to see 
activity from the System process as well. &lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/UsingProcmontospotFCSotherprocesshotspot_10F36/image_4.png"&gt;&lt;img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/UsingProcmontospotFCSotherprocesshotspot_10F36/image_thumb_1.png" width="481" height="124" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Once you remove that filter let Procmon run for a couple of minutes while the high cpu for msmpeng.exe is occurring on the system.&amp;#160; Stop the capturing in Procmon and then click on Tools&amp;gt;Cross Reference Summary this will generate a list of File locations that are being read/written to by different processes.&amp;#160; We are looking for ones that are being written to by various processes but also being read by msmpeng.exe.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/UsingProcmontospotFCSotherprocesshotspot_10F36/image_6.png"&gt;&lt;img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/UsingProcmontospotFCSotherprocesshotspot_10F36/image_thumb_2.png" width="564" height="110" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;In my case I only had one on my system where Outlook is writing to my .ost file and it appears that msmpeng.exe has tried reading the file.&amp;#160; If I doubleclick on this entry Process Monitor will apply a filter back to the main window that will show me all operations where the path is my .ost file.&amp;#160; When I actually looked at it however there were only about 6 times that msmpeng.exe tried to read it and I don’t believe it actually did so probably not a good 
candidate for exclusions although I may do it anyway.&amp;#160; What we typically see though are log files where Process X is continuously writing to the file followed by msmpeng.exe reading the file and then Process X writing again etc.&amp;#160; In those cases it would be a good idea to add that file location to your exclusions to prevent the increased CPU load on the system for rescanning what is probably not an executable file and one that you may be able to determine as not needing AV scanning.&lt;/p&gt;  &lt;p&gt;One item to note in regards to procmon and FCSv1 however is that even once you have put exclusions in place you will unfortunately still see msmpeng.exe as a reader in the cross-reference summary.&amp;#160; This is due to the way that the mini-filter for FCS and exclusions in the client take place.&amp;#160; When file IO happens the minifilter passes a memory mapped portion of this to the AV engine (msmpeng.exe), keep in mind this is not the whole file but rather information about the file, the engine in turn checks that against exclusion lists etc and if it determines it to be excluded will not request the whole file for scanning.&amp;#160; From what I understand in v2 the client will operate somewhat differently so that we will not see that behavior which will make it slightly easier to know that exclusions are working properly.&lt;/p&gt;  &lt;p&gt;Addition 3-18-010&lt;/p&gt;  &lt;p&gt;Another item to look for in your procmon logs :)&amp;#160; Add a filter for Result is “FILE LOCKED WITH WRITERS” and take a look at what processes are getting this.&amp;#160; If msmpeng.exe is getting this frequently take a look at which files it’s getting it for.&amp;#160; In my case I had 2 client AV on the system I didn’t know about the other and they were competing with each other for file access and locking each other out .. 
bad mojo.&amp;#160; In another case I saw recently it was due to an app that apparently didn’t release files properly or something; I didn’t totally figure that out, but we made an exclusion for the log file in that case and the performance issue went away.&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3303095" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/b/kfalde/archive/tags/FCS/">FCS</category><category domain="http://blogs.technet.com/b/kfalde/archive/tags/Forefront+Client+Security/">Forefront Client Security</category><category domain="http://blogs.technet.com/b/kfalde/archive/tags/FCS+Client/">FCS Client</category></item><item><title>Logparsing FCS to find files that were infected</title><link>http://blogs.technet.com/b/kfalde/archive/2009/12/22/logparsing-fcs-to-find-files-that-were-infected.aspx</link><pubDate>Tue, 22 Dec 2009 17:38:42 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3302094</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3302094</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2009/12/22/logparsing-fcs-to-find-files-that-were-infected.aspx#comments</comments><description>&lt;p&gt;Working an interesting case at the moment where we have multiple files across servers that were infected, and we need to generate a list of all the files that were infected on each server.&lt;/p&gt;  &lt;p&gt;So the first thing to realize is that the 1006 and 3004 events in the System event log under the source FCSAM are the ones that show the detection and include the path that the infection was found in.&amp;#160; You could technically do the logparser syntax to run locally on the system and parse the event log directly for the paths, or even the .evt file if you exported it; however I am working 
with data collected from multiple servers and sent directly to me, so I have done the syntax for parsing the data that I have currently.&amp;#160; As part of our MPS Reports utility we export the System event log to a .csv file, which you can do easily from the eventvwr GUI as well.&lt;/p&gt;  &lt;p&gt;You will need to install &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&amp;amp;displaylang=en"&gt;Logparser 2.2&lt;/a&gt; and ensure it is in your path to run this.&lt;/p&gt;  &lt;p&gt;I am basically running the following against the system.csv in order to gather the file paths that were detected.&lt;/p&gt;  &lt;p&gt;&lt;font color="#00ff00"&gt;logparser -i:textline -o:csv &amp;quot;SELECT SUBSTR(Text, ADD(INDEX_OF(Text, 'file:'), 5), SUB(INDEX_OF(Text, '\r\n\r\n\tAlert'), ADD(INDEX_OF(Text, 'file:'), 5))) into pathsfinal.csv from *SYSTEM.csv where text like '%threatid%' and (text like '%3004%' or text like '%1006%')&amp;quot;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;You will need to replace threatid with the actual threat ID that you are interested in; for example Eicar would probably be 2147519003, so you would replace threatid with 2147519003 if you were looking for paths of files that were infected with Eicar.&amp;#160; In my case I’m working more with Sality/Virut file reinfectors so Eicar probably wouldn’t apply, but you should get the idea.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/LogparsingFCStofindfilesthatwereinfected_B1CF/image_2.png"&gt;&lt;img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/LogparsingFCStofindfilesthatwereinfected_B1CF/image_thumb.png" width="575" height="142" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Unfortunately I don’t have non-customer sample data to give 
a good example of the output, but you should basically end up with a file that consists of lines with paths, for example&lt;/p&gt;  &lt;p&gt;c:\windows\junk.exe&lt;/p&gt;  &lt;p&gt;c:\temp\gotinfected.exe&lt;/p&gt;  &lt;p&gt;c:\users\kfalde\av2009.exe&lt;/p&gt;  &lt;p&gt;etc…&lt;/p&gt;  &lt;p&gt;EDIT 1/5/2010&lt;/p&gt;  &lt;p&gt;Apparently the .csv I was working with was done differently than the output from a .csv exported from the GUI. Mine had carriage return symbols \r\n which I was triggering on, as opposed to the output .csv from the GUI, which puts the Path Found: on its own line like the following:&lt;/p&gt;  &lt;p&gt;Path Found: file:C:\malwarefound\here\malware.exe &lt;/p&gt;  &lt;p&gt;Unfortunately this makes it more complicated to gather files that were only infected by a specific threat ID, as this is now on a different line, so I’ll look into a way to do this better; but for now the following logparser line will work to gather the paths from a .csv output from the Event Viewer GUI: &lt;/p&gt;  &lt;p&gt;&lt;font color="#00ff00"&gt;logparser -i:textline -o:csv &amp;quot;SELECT SUBSTR(Text, ADD(INDEX_OF(Text, 'file:'), 5), NULL) into pathsfinal.csv from sysevent.csv where text like '%Found:%'&amp;quot;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;Also the following should work quite well directly against the event log; however it may be slow when you run it over the network against a target computer that you are trying to gather data from:&lt;/p&gt;  &lt;p&gt;&lt;font color="#00ff00"&gt;logparser -i:EVT -o:csv &amp;quot;select eventid, timewritten, EXTRACT_TOKEN(Strings, 15, '|') into paths.csv from \\REMOTEIPADDRESSHERE\System where Eventid=3004 or EventID=1006&amp;quot;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;Replace REMOTEIPADDRESSHERE with the IP of the system you are gathering data for.&amp;#160; If you are just running this against the local system you are on, use the following:&lt;/p&gt;  &lt;p&gt;&lt;font color="#00ff00"&gt;logparser -i:EVT -o:csv &amp;quot;select eventid, 
timewritten, EXTRACT_TOKEN(Strings, 15, '|') from System where Eventid=3004 or EventID=1006&amp;quot;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;Hopefully this is useful for someone :) I know it was a useful learning experience for me. And oh yeah, Merry Christmas!! 3 days.. why am I at work???&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3302094" width="1" height="1"&gt;</description></item><item><title>Rare off-topic post :)</title><link>http://blogs.technet.com/b/kfalde/archive/2009/10/22/rare-off-topic-post.aspx</link><pubDate>Thu, 22 Oct 2009 17:48:12 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3288522</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3288522</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2009/10/22/rare-off-topic-post.aspx#comments</comments><description>&lt;p&gt;&lt;font size="3"&gt;It is currently MS’s giving campaign where we promote philanthropicness :).&amp;#160; A coworker sent this out to our internal blogger alias, along with some others from this site that various MS MVP’s and internal employees work with, asking if we could post one on our blogs.&amp;#160; Since I grew up myself in Haiti for about 8 years of my life as a missionary kid, I picked the one from my secondary home country. So if you have 10 bucks or more to give and want to help a good cause, click the link.&amp;#160; Have a great day. 
&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;iframe height="319" src="http://www.hopemongers.org/Widget/HMWidget.aspx?projid=36" frameborder="0" width="410" scrolling="no"&gt;&lt;/iframe&gt;&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3288522" width="1" height="1"&gt;</description></item><item><title>Dealing with malware that creates .exe’s on file shares</title><link>http://blogs.technet.com/b/kfalde/archive/2009/07/23/dealing-with-malware-that-creates-exe-s-on-file-shares.aspx</link><pubDate>Fri, 24 Jul 2009 02:43:58 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3267663</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>5</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3267663</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2009/07/23/dealing-with-malware-that-creates-exe-s-on-file-shares.aspx#comments</comments><description>&lt;p&gt;So lately we keep seeing variants of malware that modifies content on file servers in an environment in hopes of spreading to other users.&amp;#160; My guess is that it is just using mapped drive letters thinking they are USB keys but the effects is the same regardless.&amp;#160; The actions they take are usually something as follows.&amp;#160; Hide your actual .doc/.xls etc create a new file with the same exact name as the .doc except that it is a .exe and they typically modify the icon to be a folder icon.&lt;/p&gt;  &lt;p&gt;At first these seemed to only create havoc at the root of the file share so you could work around this by ACL’ing the root of the file share to stop creation of new files there and force your users to instead create files just in subdirectories assigned to their various workgroups etc.&amp;#160; However later variants seem to be working their way down through subfolders and carrying out their black magic throughout the folder 
structure.&lt;/p&gt;  &lt;p&gt;So what do you do when this happens to you, and how can you prevent it?&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Proactively&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;You could look at utilizing something like FSRM from 2003 R2 and 2008 and file screen filters to block .exe’s from being created on your file shares.&amp;#160; FSRM has a built in template called “Block Executable Files”.&amp;#160; This has a large list of various executable extensions including .exe, which you can in turn easily apply to any folder/file share on your system to block creation of these files.&amp;#160; You can also configure email notifications via SMTP to let you know when someone does try to create one of these files, and it will log the event to the application log as well with the file it attempted to create and the user that tried to create it.&lt;/p&gt;  &lt;p&gt;You could also, as a commenter proposed, add a folder named autorun.inf to your file share and hide it, so that malware cannot create its own autorun.inf there to start itself up.&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Reactively&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;You should probably do the following:&lt;/p&gt;  &lt;p&gt;First and foremost get a copy of the .exe being created on the file share and get that off to your AV vendor.&amp;#160; Open a ticket saying X is being created, you are not detecting it, and you need signatures for this threat ASAP.&amp;#160; Signatures on your file server should be able to handle this; however, you will still be left with AV constantly deleting the new .exe’s, so realistically you should track down the offender.&lt;/p&gt;  &lt;p&gt;Block the Read and Execute rights to the .exe’s that have been created.&amp;#160; You can do this through the use of icacls by running the following at the root of your file share. Keep in mind that if you have legitimate .exe’s in the share it will stop users from executing/reading them as well. 
&lt;/p&gt;  &lt;p&gt;&lt;font color="#00ff00"&gt;icacls *.exe /T /deny Everyone:(RX)&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;Tracking down who/what/where is doing the creation of these files is more difficult. One approach is to turn on auditing, but this can be complex and often doesn’t yield the IP address of the offending machine.&amp;#160; So for this exercise we are going to go with &lt;a href="http://www.wireshark.org/"&gt;Wireshark&lt;/a&gt; or &lt;a href="http://www.microsoft.com/downloads/details.aspx?displaylang=en&amp;amp;FamilyID=983b941d-06cb-4658-b7f6-3088333d062f"&gt;Netmon&lt;/a&gt; and &lt;a href="http://live.sysinternals.com/Procmon.exe"&gt;Process Monitor&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;Wireshark or Netmon will yield the offending IP address, and Process Monitor can tell us the user account the file was created under if we are interested in that; however, normally we just want the machine IP so we can go find the malware on it.&lt;/p&gt;  &lt;p&gt;So download a copy of Wireshark or Netmon and start it up.&amp;#160; Make sure to go into your Capture Options and up your Buffer size to something larger, say 50 MB or so.&amp;#160; In the display filter box we are going to put the following filters:&lt;/p&gt;  &lt;p&gt;&lt;font color="#00ff00"&gt;For Wireshark&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font color="#00ff00"&gt;smb.create.action == 2 and smb.file contains "exe"&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font color="#00ff00"&gt;For Netmon&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font color="#00ff00"&gt;Property.SMBFileName.contains(".exe") and SMB.RNTCreateAndX.CreateAction == 0x2&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;This filters down to creations of a file that did not previously exist (create action 2) and whose name contains exe.&amp;#160; Yes this could throw us a few false positives, but we should be able to clearly identify the offending IP addresses.&lt;/p&gt;  &lt;p&gt;My first try at this shows the following&lt;/p&gt;  &lt;p&gt;&lt;a 
href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/Dealingwithmalwarethatc.exesonfileshares_C0CC/image_6.png"&gt;&lt;img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/Dealingwithmalwarethatc.exesonfileshares_C0CC/image_thumb_2.png" width="569" height="327" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/Dealingwithmalwarethatc.exesonfileshares_C0CC/image_11.png"&gt;&lt;img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/Dealingwithmalwarethatc.exesonfileshares_C0CC/image_thumb.png" width="578" height="131" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;The source IP in this case is the file server where I am running the trace and this is the response packet back to the workstation creating the .exe file stating the file did not exist but it was created.&amp;#160; Note on Wireshark that you have to expand SMB&amp;gt;NT Create AndX Response to see the File ID ## which contains the name, the parser is basically filling in the file name from the previous packet which we do not see.&amp;#160; The file name in this case is “tracelog.exe”&amp;#160; So I would send my tech off (if I was that privileged) to the Destination IP and have them clean the malware off that system.&lt;/p&gt;  &lt;p&gt;If I just wanted to find the user creating the files I could use Process Monitor for this. 
Download a copy and start running it and modify your filter to look like this&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/Dealingwithmalwarethatc.exesonfileshares_C0CC/image_8.png"&gt;&lt;img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/Dealingwithmalwarethatc.exesonfileshares_C0CC/image_thumb_3.png" width="485" height="281" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;PID = 4 is your System process, as this is the process that creates files that are created via a file share&lt;/p&gt;  &lt;p&gt;CreateFile, to limit this down to just creation of files&lt;/p&gt;  &lt;p&gt;Path contains .exe, to look for just .exe’s being created in this scenario&lt;/p&gt;  &lt;p&gt;Since the System process technically creates these files, if you add the “User” column in Process Monitor all you will see is “NT AUTHORITY\SYSTEM”, which doesn’t help, so instead we need to look at the “Detail” column.&amp;#160; Within this text look for Impersonating; right after that it will show you the user that is being impersonated by the System process to create the file so that it has the proper ACL’s etc.&amp;#160; In the case shown below the user DCEXCHFSS\Administrator is the user account that is being utilized to create files on the file server.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/Dealingwithmalwarethatc.exesonfileshares_C0CC/image_10.png"&gt;&lt;img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/Dealingwithmalwarethatc.exesonfileshares_C0CC/image_thumb_4.png" width="547" height="70" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Hopefully this helps someone. If 
you have any improvements on filtering for either Wireshark or Process Monitor that would help here please let me know.&lt;/p&gt;  &lt;p&gt;Edit 7-24-09&amp;#160; Added comments from &lt;a href="http://hype-free.blogspot.com/"&gt;Cd-Man&lt;/a&gt; regarding autoruns and acling files, Added netmon filtering usage based on comments both internally and externally :)&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3267663" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/b/kfalde/archive/tags/Incident+Response/">Incident Response</category></item><item><title>How to go green with FCS</title><link>http://blogs.technet.com/b/kfalde/archive/2009/05/13/how-to-go-green-with-fcs.aspx</link><pubDate>Wed, 13 May 2009 23:56:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3240610</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3240610</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2009/05/13/how-to-go-green-with-fcs.aspx#comments</comments><description>&lt;P&gt;I’m not a treehugger but I can definitely see the $$ with power savings.&amp;nbsp; Having said that I had a customer recently that wanted his computers to wake up from sleep in order to do their scheduled scans for FCS.&amp;nbsp; At first I was like nope not possible we have no such feature. 
Then I started digging around.&amp;nbsp; Apparently since about XP SP1 or later we have had a feature in Task Scheduler that allows us to wake a computer up via &lt;A href="http://en.wikipedia.org/wiki/Advanced_Power_Management" mce_href="http://en.wikipedia.org/wiki/Advanced_Power_Management"&gt;APM&lt;/A&gt;/&lt;A href="http://en.wikipedia.org/wiki/Advanced_Configuration_and_Power_Interface" mce_href="http://en.wikipedia.org/wiki/Advanced_Configuration_and_Power_Interface"&gt;ACPI&lt;/A&gt; when we need a scheduled task to run.&amp;nbsp; Unfortunately FCS itself has no way to set this option for “Wake the computer to run this task” but we can work around that.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;If you look back to my other article on creating custom scan schedules at &lt;A title=http://blogs.technet.com/kfalde/archive/2008/10/23/how-to-add-extra-scheduled-scans-or-definition-updates-for-fcs.aspx href="http://blogs.technet.com/kfalde/archive/2008/10/23/how-to-add-extra-scheduled-scans-or-definition-updates-for-fcs.aspx" mce_href="http://blogs.technet.com/kfalde/archive/2008/10/23/how-to-add-extra-scheduled-scans-or-definition-updates-for-fcs.aspx"&gt;http://blogs.technet.com/kfalde/archive/2008/10/23/how-to-add-extra-scheduled-scans-or-definition-updates-for-fcs.aspx&lt;/A&gt; we can use the same mechanism.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;Once again you don’t need a 2008 domain or Vista clients to use Group Policy Preferences.&amp;nbsp; You just need the client extensions installed on your XP or 2003 systems which are available via WSUS.&amp;nbsp; You need a Vista or 2008 system to edit the GPO, once in place the settings will apply to any system that has Group Policy Preferences extensions installed.&lt;/P&gt;
&lt;P&gt;So basically we follow the other article: we create the custom scan schedule that we want with the right mpcmdrun options, but we make sure to go to the “Settings” tab for the task and check “Wake the computer to run this task”.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtogogreenwithFCS_EE03/image_2.png" mce_href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtogogreenwithFCS_EE03/image_2.png"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; DISPLAY: inline; BORDER-TOP: 0px; BORDER-RIGHT: 0px" title=image border=0 alt=image src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtogogreenwithFCS_EE03/image_thumb.png" width=372 height=410 mce_src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtogogreenwithFCS_EE03/image_thumb.png"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;From our testing this seems to work pretty well for computers that go to sleep mode.&amp;nbsp; This will not work on systems that are fully powered off.&amp;nbsp; Good luck, and let me know if you try this out.&amp;nbsp; Thanks&lt;/P&gt;</description><category domain="http://blogs.technet.com/b/kfalde/archive/tags/Scheduled+Scans/">Scheduled Scans</category></item><item><title>Some Interesting FCS SQL Queries</title><link>http://blogs.technet.com/b/kfalde/archive/2009/05/08/some-interesting-fcs-sql-queries.aspx</link><pubDate>Fri, 08 May 2009 21:39:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3237900</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>4</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3237900</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2009/05/08/some-interesting-fcs-sql-queries.aspx#comments</comments><description>&lt;p&gt;With a recent case I had an issue where the client count of managed computers in the MOM admin console was quite different than that in the FCS console, so I was trying to find out exactly which computers were not in FCS so I could troubleshoot some of those more effectively.&amp;nbsp; The first thing I checked was looking at Agent-Managed Systems in MOM admin just to make sure these were not computers that had not been checking in for a while (they weren&amp;rsquo;t; all had heartbeats within the last day or two), as I know we drop computers from our total count in the FCS console that have not checked in in 30 days.&amp;nbsp; Since this was not the case, it was pointed out to me that it may be an issue with clients having the MOM agent but not actually having SSA or AM installed on them, or having them corrupted in some way.&amp;nbsp; Unfortunately I didn&amp;rsquo;t know a good way to check on this in 
MOM, so I had to do some digging around to create some queries to make this happen; below are the results I have:&lt;/p&gt;
&lt;p&gt;This one is the easiest but just dumps a list of all computers in MOM. Make sure you select the OnePoint db when you start a New Query in SQL Server Management Studio.&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #00ff00;"&gt;Select Name from Computer&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;This next one selects all the computers that have FCS installed on them&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #00ff00;"&gt;select Computer as FCSCLIENTS from computertocomputerruleview where [Rule] like '%Microsoft Forefront Client Security Agents%' order by FCSCLIENTS&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;This one does a subquery of total computers against computers that have FCS on them to give us a list of computers that for some reason do not have FCS on them.&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #00ff00;"&gt;select distinct Name as MISSINGFCS from Computer where Name not in (Select Computer from computertocomputerruleview where [Rule] like '%Microsoft Forefront Client Security Agents%')&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;Hopefully this helps someone else as well.. I&amp;rsquo;ll hopefully add to this over time if I find anything more that&amp;rsquo;s useful.&lt;/p&gt;
&lt;p&gt;Update 7/10/09 Adding some more based on a request from a blog reader.&amp;nbsp; Customer looking for a way to list all detection events. You could actually play around with this some&amp;nbsp; as this &lt;a href="http://en.wikipedia.org/wiki/View_(database)"&gt;View&lt;/a&gt; does have events from other sources as well as FCSAM.&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #00ff00;"&gt;SELECT [LoggedOn] &lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; ,[LoggedOnDomain] &lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; ,[Source] &lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; ,[Evtime] &lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; ,[Eventno] &lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; ,[Evttext] &lt;br /&gt;&amp;nbsp; FROM [OnePoint].[dbo].[EventView] where source like '%FCSAM%' &lt;br /&gt;and ([Eventno]='1006' or [Eventno]='1007' or [Eventno]='3004' or [Eventno]='3005') order by [Evtime]&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;You could also do some filtering by date by adding an extra &amp;ldquo;and ([Evtime]&amp;gt;='2009-06-10' and [Evtime]&amp;lt;='2009-06-13')&amp;rdquo; statement to this before the order by statement.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;Update 2/1/2010 Adding another interesting one.&amp;nbsp; This one returns a list of computer names as well as the time that their last AV scan finished.&amp;nbsp; Unfortunately the collected value does not differentiate between a Quick and a Full scan, but you could probably figure it out based on what your policy is supposed to be for those systems, i.e. if your policy says full scan at 1am and you see a scan finished at 1:44am, this is probably your full scan finishing.&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #00ff00;"&gt;use OnePoint &lt;br /&gt;Select Name, DATEADD(day, -2, CAST( CAST (Value as float) AS datetime)) as TimeLastScanFinished &lt;br /&gt;from Attribute INNER JOIN Computer ON DISCOVERYCOMPUTERID = IDCOMPUTER &lt;br /&gt;WHERE ClassAttributeID IN (Select ClassAttributeID from ClassAttribute where &lt;br /&gt;ClassAttributeName = 'AM last scan time') &lt;br /&gt;AND IDComputer IN (Select DiscoveryComputerID from Attribute WHERE &lt;br /&gt;ClassAttributeID IN (Select ClassAttributeID from ClassAttribute where &lt;br /&gt;ClassAttributeName = 'AM last scan time')) &lt;br /&gt;order by value, &lt;span style="background-color: #ffffff;"&gt;name&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;Update 2/1/2010 Realized had a customer question below as well from a while back I never addressed.&amp;nbsp; Below query should return a list of all computers and their AM signature versions.&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #00ff00;"&gt;use OnePoint &lt;br /&gt;Select Name, Substring(Value,20,20) as AMSignatureVersion &lt;br /&gt;from Attribute INNER JOIN Computer ON DISCOVERYCOMPUTERID = IDCOMPUTER &lt;br /&gt;WHERE ClassAttributeID IN (Select ClassAttributeID from ClassAttribute where &lt;br /&gt;ClassAttributeName = 'AM (AV) Signature Version') &lt;br /&gt;AND IDComputer IN (Select DiscoveryComputerID from Attribute WHERE &lt;br /&gt;ClassAttributeID IN (Select ClassAttributeID from ClassAttribute where &lt;br /&gt;ClassAttributeName = 'AM (AV) Signature Version')) &lt;br /&gt;order by value, name&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;Update 9/22/2010&amp;nbsp; A few more queries; the first is for AM Engine versions.&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #00ff00;"&gt;Select Name, Value&lt;br /&gt;from Attribute INNER JOIN Computer ON DISCOVERYCOMPUTERID = IDCOMPUTER &lt;br /&gt;WHERE ClassAttributeID IN (Select ClassAttributeID from ClassAttribute where &lt;br /&gt;ClassAttributeName = 'AM Engine Version') &lt;br /&gt;AND IDComputer IN (Select DiscoveryComputerID from Attribute WHERE &lt;br /&gt;ClassAttributeID IN (Select ClassAttributeID from ClassAttribute where &lt;br /&gt;ClassAttributeName = 'AM Engine Version')) &lt;br /&gt;order by value, name&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;This second one is for AM Client versions.&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #00ff00;"&gt;Select Name, Value&lt;br /&gt;from Attribute INNER JOIN Computer ON DISCOVERYCOMPUTERID = IDCOMPUTER &lt;br /&gt;WHERE ClassAttributeID IN (Select ClassAttributeID from ClassAttribute where &lt;br /&gt;ClassAttributeName = 'AM Agent Version') &lt;br /&gt;AND IDComputer IN (Select DiscoveryComputerID from Attribute WHERE &lt;br /&gt;ClassAttributeID IN (Select ClassAttributeID from ClassAttribute where &lt;br /&gt;ClassAttributeName = 'AM Agent Version')) &lt;br /&gt;order by value, name&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;
Disclaimer&amp;hellip;Just as an FYI tables/views/db schema of FCS/MOM are not documented/supported in any way so if any of these break with some update :) :) that&amp;rsquo;s life.&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3237900" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/b/kfalde/archive/tags/FCS+Database/">FCS Database</category><category domain="http://blogs.technet.com/b/kfalde/archive/tags/FCS/">FCS</category></item><item><title>Update Views for FCS in WSUS</title><link>http://blogs.technet.com/b/kfalde/archive/2009/04/08/update-views-for-fcs-in-wsus.aspx</link><pubDate>Wed, 08 Apr 2009 18:41:12 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3224052</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3224052</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2009/04/08/update-views-for-fcs-in-wsus.aspx#comments</comments><description>&lt;p&gt;Nothing profound with this post just detailing out a step I typically recommend to most of our new customers with regards to making life easier when viewing updates in WSUS.&amp;#160; In order to make your life easier viewing FCS inside of WSUS I typically recommend creating 2 new views one for FCS Definitions and another for FCS everything else. 
You can do this by using the following steps:&amp;#160; &lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Right click Updates&amp;gt;New Update View&lt;/li&gt;    &lt;ul&gt;     &lt;li&gt;Select the following:&lt;/li&gt;      &lt;ul&gt;       &lt;li&gt;Updates are in a specific classification (Definition Updates)&lt;/li&gt;        &lt;li&gt;Updates are for a specific product (Forefront Client Security)&lt;/li&gt;     &lt;/ul&gt;      &lt;li&gt;Give the view a name (FCS Definitions in my case)&lt;/li&gt;   &lt;/ul&gt; &lt;/ul&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/UpdateViewsforFCSinWSUS_A1D8/image_4.png"&gt;&lt;img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" title="image" border="0" alt="image" src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/UpdateViewsforFCSinWSUS_A1D8/image_thumb_1.png" width="298" height="315" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt; Once the view is created and you click on it to view it make sure you go up in the Approval and Status dropdowns and change these to “Any Except Declined” and “Any”&lt;/p&gt;  &lt;p&gt;&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/UpdateViewsforFCSinWSUS_A1D8/image_6.png"&gt;&lt;img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" title="image" border="0" alt="image" src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/UpdateViewsforFCSinWSUS_A1D8/image_thumb_2.png" width="544" height="114" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;You should end up with a view like the above which shows you typically 4 definition updates for FCSAM and a single definition update for FCSSSA.&lt;/p&gt;  &lt;p&gt;The 2nd view should basically be the inverse of the previous:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Right click Updates&amp;gt;New 
Update View&lt;/li&gt;    &lt;ul&gt;     &lt;li&gt;Select the following:&lt;/li&gt;      &lt;ul&gt;       &lt;li&gt;Updates are in a specific classification (Everything but Definition Updates)&lt;/li&gt;        &lt;li&gt;Updates are for a specific product (Forefront Client Security)&lt;/li&gt;     &lt;/ul&gt;      &lt;li&gt;Give the view a name (FCS in my case)&lt;/li&gt;   &lt;/ul&gt; &lt;/ul&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/UpdateViewsforFCSinWSUS_A1D8/image_8.png"&gt;&lt;img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" title="image" border="0" alt="image" src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/UpdateViewsforFCSinWSUS_A1D8/image_thumb_3.png" width="304" height="321" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Again with the view make sure you go up in the Approval and Status dropdowns and change these to “Any Except Declined” and “Any” you should end up with a view like this:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/UpdateViewsforFCSinWSUS_A1D8/image_10.png"&gt;&lt;img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" title="image" border="0" alt="image" src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/UpdateViewsforFCSinWSUS_A1D8/image_thumb_4.png" width="556" height="235" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Again nothing really profound here but this will give you 2 new views that allow you to easily see what updates are available to the client as well as what definitions are available.&amp;#160; As always in WSUS if you right click on the columns in an update view there are plenty of other options that people typically do not realize exist such as “Arrival Date (to your WSUS server)” and others. 
&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/UpdateViewsforFCSinWSUS_A1D8/image_12.png"&gt;&lt;img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" title="image" border="0" alt="image" src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/UpdateViewsforFCSinWSUS_A1D8/image_thumb_5.png" width="270" height="408" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Utilize those to make things easier for yourself :) .. Thanks for reading, have a great day!!&lt;/p&gt;</description></item><item><title>Cheap real time monitoring for Conficker clients</title><link>http://blogs.technet.com/b/kfalde/archive/2009/03/09/cheap-real-time-monitoring-for-conficker-clients.aspx</link><pubDate>Mon, 09 Mar 2009 18:21:27 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3210836</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3210836</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2009/03/09/cheap-real-time-monitoring-for-conficker-clients.aspx#comments</comments><description>&lt;p&gt;I already did one post about using eventcomb/logparser to look for clients, but found a better way to do it on a case last night which I wanted to share.&amp;#160; The first thing you need is to enable netlogon debug logging on all of your DC’s. Save the following as a .reg file and import it on all the DC’s that you want to monitor:&lt;/p&gt;  &lt;pre class="csharpcode"&gt;Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
&lt;span class="str"&gt;&amp;quot;DBFlag&amp;quot;&lt;/span&gt;=dword:2080ffff&lt;/pre&gt;

&lt;p&gt;This will cause netlogon to start logging extended entries to %windir%\debug\netlogon.log.&amp;#160; Just as an FYI, you may take a slight perf hit on your DC’s for this.&amp;#160; You will not fill up your drives, as it logs to two 20 MB files (netlogon.log and netlogon.bak) and uses circular logging, so it starts overwriting once they fill up.&lt;/p&gt;

&lt;p&gt;What we are looking for is the value “0xC000006A” on any line, which indicates “The value provided as the current password is not correct”.&amp;#160; We already have articles on using NLParse to look for these, and you could use logparser etc., but these are all non-realtime: you copy all the files somewhere, you parse them, you look at the output, and so on. Wouldn’t it be nicer if you could just have a console where you glance and see when you have a malware client acting up :)&amp;#160; The key to this is using a TAIL utility.&amp;#160; In my case I used Tail for Win32, which you can find here &lt;a title="http://tailforwin32.sourceforge.net/" href="http://tailforwin32.sourceforge.net/"&gt;http://tailforwin32.sourceforge.net/&lt;/a&gt;.&amp;#160; &lt;/p&gt;

&lt;p&gt;On the system you plan on monitoring from install this piece of software. Strangely you have to open a log file before you can start modifying the settings for the client so open your first netlogon.log file.&amp;#160; The client supports network paths so you will be opening &lt;a href="file://\\DCNAME\C$\Windows\Debug\Netlogon.log"&gt;\\DCNAME\C$\Windows\Debug\Netlogon.log&lt;/a&gt; for each of your DC’s (yes this would stink for a large environment but hopefully if you’re that large you spent the money on a product to do this for you anyway… right??).&lt;/p&gt;

&lt;p&gt;Once you have your netlogon files open, go to Settings&amp;gt;Keywords and add 0xC000006A as a keyword.&amp;#160; Also you will want to set “Show only Hot Lines” to enabled (this drops all the other netlogon junk which we don’t want to see) and set “Wrap Lines” to enabled.&amp;#160; Basically what you end up with in the end is multiple windows open that are only looking for entries of bad password attempts and pulling those in close to real time from the netlogon logs.&amp;#160; This allows you to easily see when a client is hammering away on user accounts, and lets you go shut down and clean that system.&amp;#160; Another tip is that you can use the Window&amp;gt;Cascade or Tile option to automatically arrange the netlogon file windows so you can easily see when a DC is seeing a problem client.&lt;/p&gt;
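As an added example (not code from this post and not part of Tail for Win32), the script below does the same 0xC000006A keyword match on netlogon.log lines in Python and goes one step further by counting failures per source workstation, so a single machine walking many accounts stands out from a user who simply mistyped a password. The netlogon.log line shape, host names and accounts in SAMPLE are constructed for illustration; real DCs may lay the fields out slightly differently.

```python
"""Count NTLM bad-password attempts per source workstation from netlogon.log.

Added example for this post, not the post's own code. It assumes the
netlogon.log line shape shown in SAMPLE (constructed here for illustration).
"""
import re
import time
from collections import Counter

# Matches the "Returns" line netlogon writes for a SamLogon attempt.
# Group 1: account (DOMAIN\user), group 2: source workstation,
# group 3: the DC that answered, group 4: NTSTATUS code.
_LOGON = re.compile(
    r"SamLogon: .*? logon of (\S+) from (\S+) \(via (\S+)\) Returns (0x[0-9A-Fa-f]+)"
)
# The status the post tells you to watch for: wrong password.
STATUS_WRONG_PASSWORD = "0xC000006A"

# Constructed sample of netlogon.log output (DBFlag logging enabled).
SAMPLE = """\
03/09 01:12:03 [LOGON] [1234] CORP: SamLogon: Network logon of CORP\\alice from WS-ACCT01 (via DC01) Entered
03/09 01:12:03 [LOGON] [1234] CORP: SamLogon: Network logon of CORP\\alice from WS-ACCT01 (via DC01) Returns 0xC000006A
03/09 01:12:04 [LOGON] [1234] CORP: SamLogon: Network logon of CORP\\bob from WS-ACCT01 (via DC01) Returns 0xC000006A
03/09 01:12:04 [LOGON] [1234] CORP: SamLogon: Network logon of CORP\\carol from WS-ACCT01 (via DC01) Returns 0xC000006A
03/09 01:12:05 [LOGON] [1234] CORP: SamLogon: Network logon of CORP\\dave from WS-ACCT01 (via DC01) Returns 0xC000006A
03/09 01:13:10 [LOGON] [1234] CORP: SamLogon: Network logon of CORP\\erin from WS-HR07 (via DC01) Returns 0xC000006A
03/09 01:13:11 [LOGON] [1234] CORP: SamLogon: Network logon of CORP\\erin from WS-HR07 (via DC01) Returns 0xC000006A
03/09 01:14:00 [LOGON] [1234] CORP: SamLogon: Network logon of CORP\\frank from WS-ENG03 (via DC01) Returns 0x0
"""


def parse_failures(lines, status=STATUS_WRONG_PASSWORD):
    """Yield (account, workstation, dc) for every attempt that returned `status`."""
    for line in lines:
        m = _LOGON.search(line)
        if m and m.group(4).upper() == status.upper():
            yield m.group(1), m.group(2), m.group(3)


def failures_by_workstation(lines, status=STATUS_WRONG_PASSWORD):
    """Map workstation to (failed attempts, distinct accounts those attempts hit)."""
    attempts = Counter()
    accounts = {}
    for account, ws, _dc in parse_failures(lines, status):
        attempts[ws] += 1
        accounts.setdefault(ws, set()).add(account)
    return {ws: (n, len(accounts[ws])) for ws, n in attempts.items()}


def suspect_workstations(lines, min_accounts=3):
    """Workstations whose failures span at least `min_accounts` different accounts.

    A user mistyping a password fails against one account; a worm guessing
    passwords walks many accounts from one host, which is the signal here.
    """
    stats = failures_by_workstation(lines)
    return sorted(ws for ws, (_n, k) in stats.items() if k >= min_accounts)


def follow(path, poll_seconds=1.0):
    """Yield lines appended to `path`, like a tail utility (runs until killed).

    Starts at the current end of file. It does not detect netlogon's rollover
    to netlogon.bak; reopen the file if the DC rolls the log.
    """
    with open(path, "r", encoding="latin-1", errors="replace") as f:
        f.seek(0, 2)  # 2 = seek relative to end of file
        while True:
            line = f.readline()
            if line:
                yield line.rstrip("\r\n")
            else:
                time.sleep(poll_seconds)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Follow a live log, e.g. \\DCNAME\C$\Windows\Debug\Netlogon.log
        for account, ws, dc in parse_failures(follow(sys.argv[1])):
            print("bad password for %s from %s via %s" % (account, ws, dc))
    else:
        stats = failures_by_workstation(SAMPLE.splitlines())
        for ws, (n, k) in sorted(stats.items()):
            print("%-10s %d failures across %d accounts" % (ws, n, k))
        print("suspects:", suspect_workstations(SAMPLE.splitlines()))
```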

&lt;p&gt;Update: I had the wrong value for the reg key :)&lt;/p&gt;

&lt;p&gt;Update 2 3/11/09:&amp;#160; There is a slight catch here, apparently: this only covers NTLM bad password attempts, and you still need to use eventcomb or something else to see Kerberos bad password attempts :(&amp;#160; &lt;a title="http://technet.microsoft.com/en-us/library/cc776964.aspx" href="http://technet.microsoft.com/en-us/library/cc776964.aspx"&gt;http://technet.microsoft.com/en-us/library/cc776964.aspx&lt;/a&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;“If the Netlogon logs from all domain controllers from the time of lockout but do not display data that pertains to any of the locked-out user accounts that you are analyzing, then NTLM authentication is not involved in the lockouts. This normally indicates that the authentication issues are between computers running Windows 2000 or later, because earlier versions of Windows used NTLM authentication exclusively. You should focus on Kerberos authentication troubleshooting by using Kerberos logging and examining the Security event logs.”&lt;/p&gt;

&lt;p&gt;Update 3 4/9/09: &lt;a title="http://baremetalsoft.com/baretail/" href="http://baremetalsoft.com/baretail/"&gt;http://baremetalsoft.com/baretail/&lt;/a&gt; is also good and actually seems better than tailforwin32; it is a free Windows GUI tail utility that works with this solution.&lt;/p&gt;</description><category domain="http://blogs.technet.com/b/kfalde/archive/tags/Incident+Response/">Incident Response</category></item><item><title>WSUS FCS Definitions</title><link>http://blogs.technet.com/b/kfalde/archive/2009/03/05/wsus-fcs-definitions.aspx</link><pubDate>Thu, 05 Mar 2009 19:05:14 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3209576</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>4</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3209576</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2009/03/05/wsus-fcs-definitions.aspx#comments</comments><description>&lt;p&gt;This is a follow-up post to my previous FCS definitions post. The first one focused on the mpam-fe files that you can find on the security portal at &lt;a href="http://www.microsoft.com/security/portal"&gt;www.microsoft.com/security/portal&lt;/a&gt; and what they contain. This one instead focuses on what is actually downloaded by your WSUS server and what is in turn normally downloaded by your WSUS clients.&lt;/p&gt;  &lt;p&gt;Our AV group seems to typically release definitions about 3x per day, although they can release more often than that if needed. From what I have seen the updates usually come out on MU (Microsoft Update, which is also where WSUS gets them from) around 2am, 10am and 6pm Eastern time (7am, 3pm, 11pm GMT).&lt;/p&gt;  &lt;p&gt;In WSUS when you approve definitions you are approving definitions for both x86 and x64 
versions of the definition set. The following is a list of the files that are downloaded as a normal definition sync by your WSUS server from either MU or an upstream WSUS server. I’ve also added the size of each download (based on this specific definition version) in the table below.&lt;/p&gt;  &lt;table border="0" cellspacing="0" cellpadding="2" width="565"&gt;&lt;thead&gt;     &lt;tr&gt;       &lt;th valign="top" align="left"&gt;Package&lt;/th&gt;       &lt;th valign="top" align="left"&gt;Size&lt;/th&gt;     &lt;/tr&gt;   &lt;/thead&gt;&lt;tbody&gt;     &lt;tr&gt;       &lt;td valign="top"&gt;Definition Update for Microsoft Forefront Client Security (Antimalware 1.51.677.0, X86 Full+Engine)&lt;/td&gt;       &lt;td valign="top"&gt;33.5Mb&lt;/td&gt;     &lt;/tr&gt;      &lt;tr&gt;       &lt;td valign="top"&gt;Definition Update for Microsoft Forefront Client Security (Antimalware 1.51.677.0, x86 Delta)&lt;/td&gt;       &lt;td valign="top"&gt;1.11Mb&lt;/td&gt;     &lt;/tr&gt;      &lt;tr&gt;       &lt;td valign="top"&gt;Definition Update for Microsoft Forefront Client Security (Antimalware 1.51.677.0, X86 Binary Delta +Engine)&lt;/td&gt;       &lt;td valign="top"&gt;21.1Mb&lt;/td&gt;     &lt;/tr&gt;      &lt;tr&gt;       &lt;td valign="top"&gt;Definition Update for Microsoft Forefront Client Security (Antimalware 1.51.677.0, AMD64 Full+Engine)&lt;/td&gt;       &lt;td valign="top"&gt;34.0Mb&lt;/td&gt;     &lt;/tr&gt;      &lt;tr&gt;       &lt;td valign="top"&gt;Definition Update for Microsoft Forefront Client Security (Antimalware 1.51.677.0, AMD64 Delta)&lt;/td&gt;       &lt;td valign="top"&gt;1.15Mb&lt;/td&gt;     &lt;/tr&gt;      &lt;tr&gt;       &lt;td valign="top"&gt;Definition Update for Microsoft Forefront Client Security (Antimalware 1.51.677.0, AMD64 Binary Delta +Engine)&lt;/td&gt;       &lt;td valign="top"&gt;21.4Mb&lt;/td&gt;     &lt;/tr&gt;   &lt;/tbody&gt;&lt;/table&gt;  &lt;p&gt;So this amounts to about 112Mb that is synced 3x daily, from MU to your WSUS server or from upstream to downstream WSUS servers.&lt;/p&gt;  &lt;p&gt;As you may have noticed these 3 types are a little different than what is available at the Security Portal, so let’s break that down some 
more.&lt;/p&gt;  &lt;p&gt;Full+Engine = This set is used for a brand new client which is still at RTM versions of the definitions/engine; it has the complete base, the current deltas to that base and this month’s engine .dll.&lt;/p&gt;  &lt;p&gt;Delta = This is the delta since the last base, and it is what your client machines normally download throughout the month. It’s an incremental since the last base was applied.&lt;/p&gt;  &lt;p&gt;Binary Delta +Engine = This is the one you don’t see on the Security Portal. This is the more interesting file, and I had to get my Escalation Engineer (Craig Wiand, I told him I would give him mad props here :) ) to explain this one better to me. We apparently use binary delta patching technology here, and this can be used to update a client that had last month’s base to the current month’s base. Below is a screen shot of the files in this package:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/WSUSFCSDefinitions_9373/image_4.png"&gt;&lt;img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/WSUSFCSDefinitions_9373/image_thumb_1.png" width="524" height="146" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;The interesting files are the _p files, which are the delta patches to last month’s base. Basically, from what I understand, it’s a bitmap-level type of differencing file between last month’s and this month’s base and engine files that saves some size over having to download the complete base. The difference between the normal base and the binary delta is about 13Mb. So basically, if your clients are up to date, then every month when a new engine and base definitions are released, instead of having to download 33Mb they only need to download approximately 
21Mb.&lt;/p&gt;  &lt;p&gt;That should cover the sizes and how it works :). Now taking this knowledge and applying it to your distributed branch office/WSUS environment with slow WAN links is where things get complicated. Typically you tend to think that having a WSUS server in a small branch office is a good thing (download once, then many clients download locally), however in FCS definition scenarios it gets touchy. A downstream WSUS server, based on these approximate numbers, will download about 112Mb 3x a day, or 336Mb daily. If I have a branch office of 30 systems with FCS that are keeping up to date regularly, they should download about 30 x daily delta 1.1Mb x 3 times/day = 90Mb. As you can see, for my normal daily routine I would probably be saving 240Mb of downloads by NOT having a WSUS server at this branch. Of course, when the monthly rebasing occurs I would have downloaded 336Mb that day to WSUS, while my clients would have downloaded 30 x 21Mb for the Binary Delta = 630Mb in one day.&lt;/p&gt;  &lt;p&gt;Over the long run in this scenario, strictly based on FCS definitions, I would probably be better off not having a local WSUS server. This is not typically the case though; normally my WSUS server will also be used for all types of other security updates, and you would need some calculations based on average past patch sizes vs. bandwidth savings etc. which I don’t really care to try to go into, and which would vary based on your environment as well.&lt;/p&gt;</description><category domain="http://blogs.technet.com/b/kfalde/archive/tags/FCS+Definitions/">FCS Definitions</category><category domain="http://blogs.technet.com/b/kfalde/archive/tags/WSUS/">WSUS</category></item><item><title>Blocking and finding Conficker and Downadup systems</title><link>http://blogs.technet.com/b/kfalde/archive/2009/02/09/blocking-and-finding-conficker-and-downadup-systems.aspx</link><pubDate>Tue, 10 Feb 2009 03:47:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3199732</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3199732</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2009/02/09/blocking-and-finding-conficker-and-downadup-systems.aspx#comments</comments><description>&lt;p&gt;EDIT 4/27/09: THIS NO LONGER WORKS WITH NEW VARIANTS OF CONFICKER, HOWEVER THE CONCEPT IS STILL SOUND IF YOU ARE LOOKING FOR SYSTEMS THAT ARE QUERYING FOR SPECIFIC DNS NAMES.&lt;/p&gt;  &lt;p&gt;I’ve already created one post on finding malware systems using eventcomb; however, when it comes to Conficker or Downadup (and realistically other malware too) all that method can really show you are clients that have decided to finally put a Domain Controller on their hit list. One of the things we know about Conficker is that it uses a date-based method to generate the URLs it will connect to in order to report in to its evil overlords, as well as to possibly see if there is some new update/commands available to it. The guys over at F-Secure have put up a list of domains that the malware could possibly use for the month of February at &lt;a 
title="http://www.f-secure.com/weblog/archives/00001593.html" href="http://www.f-secure.com/weblog/archives/00001593.html"&gt;http://www.f-secure.com/weblog/archives/00001593.html&lt;/a&gt;. Now if you have a proxy server or some type of firewall that can do blocking or redirecting based on host names, this is great. Not all customers have this though, so we figured we would try to put something together that would work for most of our normal Windows customers :).&lt;/p&gt;  &lt;p&gt;Basically what I did was use the dnscmd command with MS DNS to create new zones, as well as wildcard records, for each domain that may possibly be used. The .cmd files can be downloaded here: &lt;a href="http://cid-14eec8ab42191b55.skydrive.live.com/embedrowdetail.aspx/FCS/febconfickerblock.zip"&gt;febconfickerblock.zip&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;If you know anything about MS DNS you realize this is going to look pretty darn messy :) we are talking about 7k new zones in your DNS server, so I would recommend either putting this on a new box and forwarding all your DNS to it before going to the internet, or not opening your DNS GUI to look at zones that often after you add these :). The first script, blocklistfebzoneadd.cmd, will create all the zones. If you just want to block connections for these zones for February you can stop there… But no, that’s wussing out, we want to ERADICATE this thing!!! 
The next script is blocklistfebrecordadd.cmd; you will want to edit this with a find/replace and change 192.168.1.100 to the IP address of a new IIS server in your environment. The beauty of this is that for this month, every time a Conficker / Downadup client tries to connect to its control server it will instead connect to your new IIS setup. You just need to keep checking the IIS logs for that website you set up and cleaning up those client IP addresses. &lt;/p&gt;  &lt;p&gt;Once the month of February is over you can use the 3rd script, blocklistfebzonedelete.cmd, which will go through and reverse the effects of this by deleting all of the zones we created. Hopefully this should be pretty simple, but if you have any questions just let me know. &lt;/p&gt;  &lt;p&gt;Happy malware hunting.&lt;/p&gt;</description><category domain="http://blogs.technet.com/b/kfalde/archive/tags/Incident+Response/">Incident Response</category></item><item><title>Understanding FCS Definitions</title><link>http://blogs.technet.com/b/kfalde/archive/2009/02/09/understanding-fcs-definitions.aspx</link><pubDate>Mon, 09 Feb 2009 20:31:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3199402</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>1</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3199402</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2009/02/09/understanding-fcs-definitions.aspx#comments</comments><description>&lt;P&gt;A fairly frequent question we get is how FCS definitions work: how do I find just the deltas for the month, etc. You can always manually download the latest definitions from &lt;A href="http://www.microsoft.com/security/portal"&gt;http://www.microsoft.com/security/portal&lt;/A&gt; with the links on the right. This will get you the mpam-fe.exe and the mpam-fex64.exe files. &lt;/P&gt;
&lt;P&gt;So these are both self-extracting cab files which you can usually open easily with your favorite unzipping utility. I used 7-zip to dump out a copy, shown below.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/UnderstandingFCSDefinitions_9638/image_2.png" mce_href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/UnderstandingFCSDefinitions_9638/image_2.png"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: inline; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; BORDER-LEFT-WIDTH: 0px" title=image border=0 alt=image src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/UnderstandingFCSDefinitions_9638/image_thumb.png" width=517 height=177 mce_src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/UnderstandingFCSDefinitions_9638/image_thumb.png"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;The first file I’m not so sure on, but if you open it, it appears to tell us the different products that we can update with this .exe, which includes FCS, FCS2, ONECARE, ISA and Standalone System Sweeper. Makes sense, as they all use the same MSAV engine, right :).&lt;/P&gt;
&lt;P&gt;The next 4 files are all .vdm files which are all variations of definition sets.&lt;/P&gt;
&lt;P&gt;mpasbase.vdm = Last base signature set of AntiSpyware definitions&lt;/P&gt;
&lt;P&gt;mpasdlta.vdm = Last delta signature set of AntiSpyware definitions, i.e. if you just installed the client you need to install both mpasbase.vdm and mpasdlta.vdm to be fully up to date.&lt;/P&gt;
&lt;P&gt;mpavbase.vdm = Last base signature set of AntiVirus definitions&lt;/P&gt;
&lt;P&gt;mpavdlta.vdm = Last delta signature set of AntiVirus definitions; again, you need both mpavbase and mpavdlta to bring a new client up to date.&lt;/P&gt;
&lt;P&gt;The 2 base files get updated monthly, which means every month your client needs to install a new base set so that the deltas are applied to that base.&lt;/P&gt;
&lt;P&gt;mpengine.dll is the actual AV engine :) so if there is an update to how the engine works to handle some new situation, that update can actually be provided via the definition set.&lt;/P&gt;
&lt;P&gt;mpsigstub.exe, from what I know, is just the .exe that is used to apply the definitions.&lt;/P&gt;
&lt;P&gt;This is the basics :) I’ll try to do another post soon that dives into how to download individual deltas that you can apply manually, as well as how clients working with WSUS decide which exact updates they download.&lt;/P&gt;
</description><category domain="http://blogs.technet.com/b/kfalde/archive/tags/FCS+Definitions/">FCS Definitions</category></item><item><title>Using Logparser + Eventcomb to find malware</title><link>http://blogs.technet.com/b/kfalde/archive/2009/01/28/using-logparser-eventcomb-to-find-malware.aspx</link><pubDate>Thu, 29 Jan 2009 01:04:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3193998</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>5</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3193998</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2009/01/28/using-logparser-eventcomb-to-find-malware.aspx#comments</comments><description>&lt;p&gt;During the course of these Conficker / Downadup issues we typically see cases that started because accounts are getting locked out. I pause briefly here to point out that account lockouts are the work of the devil and are a sorry excuse for most people not to use a complex password policy. So it seems that these cases are for the most part slowing down; however, customers are still looking for those few machines that fell between the cracks and are still causing account lockouts when they turn their account lockout policy back on (once again because they don’t want to use complex passwords). &lt;/p&gt;  &lt;p&gt;So the tool to turn to is the &lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&amp;amp;displaylang=en" target="_blank"&gt;account lockout tools&lt;/a&gt;. Part of this toolset is eventcombmt (mt stands for multithreaded). 
&lt;/p&gt;  &lt;p&gt;Eventcombmt is cool for all sorts of things, but the only thing we are interested in is the built-in Account Lockout Search. Select Searches&amp;gt;Built In Searches&amp;gt;Account Lockouts. You could also change your output directory if you want; the default is C:\temp.&lt;/p&gt;  &lt;p&gt;Once you have selected this it should put in the right event IDs and locate and select all your DCs. Click Search and it’s off searching through all your DCs’ Security Event Logs and dumping all the pertinent info to DomainControllername.txt files in the C:\temp directory.&lt;/p&gt;  &lt;p&gt;While you’re waiting for this, go download &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&amp;amp;displaylang=en" target="_blank"&gt;log parser&lt;/a&gt;. Install it; you may want to make sure it’s in your path afterwards for this to work, so try typing logparser from a cmd prompt. 
Once you have logparser in place and Eventcomb has finished and output all of your DCs’ .txt files, run the following logparser query in the directory with the .txt files:&lt;/p&gt;  &lt;p&gt;logparser -i:textline &amp;quot;SELECT SUBSTR(SUBSTR(Text, ADD(INDEX_OF(Text, 'Address: '), 8)), 1, INDEX_OF(SUBSTR(Text, ADD(INDEX_OF(Text, 'Address: '), 9)),' ')) AS IPAddr INTO addrs.csv FROM *.txt&amp;quot;&lt;/p&gt;  &lt;p&gt;Revision 5/8/09: You may need to use this instead if the addresses are all at the end of the line: &lt;/p&gt;  &lt;p&gt;logparser -i:textline &amp;quot;SELECT SUBSTR(Text, LAST_INDEX_OF(Text, 'Address: ')) AS IPAddr INTO addrs.csv FROM *.txt&amp;quot;&lt;/p&gt;  &lt;p&gt;This should create a file called addrs.csv which has all of the IP addresses that have caused bad password attempts. There will be a line for each attempt, so we need to parse this down a little more to give us a column with the IP address and a column with the number of bad password attempts; to do that we run the following logparser query next:&lt;/p&gt;  &lt;p&gt;logparser -i:csv -o:csv &amp;quot;select IPaddr, count (*) as hits into final.csv from addrs.csv group by IPaddr order by hits desc&amp;quot;&lt;/p&gt;  &lt;p&gt;This should leave us with a final.csv file which has 2 columns, one for the IP address and another for the number of times we have seen that IP address causing bad password attempts in our Security event logs across our DCs. In the case below, the first IP had caused 85k bad password attempts; guessing that machine has a problem :) …&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/UsingLogparserEventcombtofindmalware_FB0E/image_2.png"&gt;&lt;img style="border-right-width: 0px; display: block; 
float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="image" border="0" alt="image" src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/UsingLogparserEventcombtofindmalware_FB0E/image_thumb.png" width="257" height="280" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Seeing we’ve primarily used this for Conficker, the following line works well to output just a list of IP addresses, with no header on the file and no hit counts.&lt;/p&gt;  &lt;p&gt;logparser -i:csv -o:csv -headers:OFF &amp;quot;select distinct IPaddr into ips.txt from addrs.csv&amp;quot;&lt;/p&gt;  &lt;p&gt;You can then take the ips.txt file and use the import function in &lt;a href="http://www.mcafee.com/us/local_content/downloads/conficker_detection_tool_v108.zip"&gt;McAfee’s Conficker Detection Tool&lt;/a&gt; to scan all of these IPs quickly to see whether they are infected with Conficker or not.&lt;/p&gt;  &lt;p&gt;Update 1: 4/9/2009 Totally reworked this thanks to &lt;a href="http://blogs.technet.com/neilcar/"&gt;Neil Carpenter&lt;/a&gt; and some better logparser logic to filter this better and have a much cleaner final output. Also dropped the need for .csv files as we are filtering using textline input instead.&lt;/p&gt;  &lt;p&gt;Update 2: 7/10/2009 Added a new logparser query to output just the IPs to a file, with no hits etc., which you can then easily import into &lt;a href="http://www.mcafee.com/us/local_content/downloads/conficker_detection_tool_v108.zip"&gt;McAfee’s Conficker Detection Tool&lt;/a&gt;&lt;/p&gt;</description><category domain="http://blogs.technet.com/b/kfalde/archive/tags/Incident+Response/">Incident Response</category></item><item><title>How-to:  Removal of Conficker in your FCS environment</title><link>http://blogs.technet.com/b/kfalde/archive/2009/01/13/how-to-removal-of-conficker-in-your-fcs-environment.aspx</link><pubDate>Tue, 13 Jan 2009 21:46:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3181930</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>3</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3181930</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2009/01/13/how-to-removal-of-conficker-in-your-fcs-environment.aspx#comments</comments><description>&lt;P&gt;Another Conficker post :) however this one is aimed at our FCS customers. It semi-applies to other customers; however, other AV vendors operate differently with regards to updates etc., so this won’t necessarily be applicable to all.&lt;/P&gt;
&lt;P&gt;So today is Patch Tuesday … Yeah!!!&lt;/P&gt;
&lt;P&gt;With today’s releases we are finally getting some relief out for Conficker. The main piece of relief is through the MSRT or &lt;A href="http://support.microsoft.com/kb/890830" target=_blank&gt;Malicious Software Removal Tool&lt;/A&gt;, which contains an updated set of definitions and engine to handle the Conficker family of malware. There are both &lt;A href="http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&amp;amp;displaylang=en" target=_blank&gt;x86&lt;/A&gt; and &lt;A href="http://www.microsoft.com/downloads/details.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&amp;amp;displaylang=en" target=_blank&gt;x64&lt;/A&gt; versions of the MSRT released. I’ve never been a huge fan of this tool before, as realistically it is a post-infection tool and it has a very limited definition set (see &lt;A href="http://support.microsoft.com/?kbid=890830" target=_blank&gt;KB890830&lt;/A&gt; for the list). But when you are hurting with one of those on the list it’s a great thing to have around.&lt;/P&gt;
&lt;P&gt;So you might say: great, my WSUS auto-approves that etc., my clients are going to be all happy by tomorrow… WRONG. Part of the Conficker modus operandi is to disable both the Automatic Updates and BITS services. Automatic Updates (Windows Update in Vista) is your WSUS client, so no joy for you. &lt;/P&gt;
&lt;P&gt;So here’s what you should do to get things fixed in your environment. First off you need a logon script assigned to your computer accounts (user accounts would work if you knew they had admin access on the systems). The script basically needs to call out and run the MSRT manually on the system. You will also need to get the AU/BITS services back up and functioning; you could either do this via the script and the SC command line tool (i.e. sc config wuauserv start= auto) or via GPO directly, by setting the startup state of AU to Automatic and BITS to Manual (the default states). I’m posting here some example code that one of our engineers put together (thanks Shain Wray, I believe).&lt;/P&gt;&lt;PRE class=csharpcode&gt;REM
REM   Running MSRT locally
REM

REM
REM   Checking for x86 or x64
REM   To use this as part of a GPO Startup Script, change &amp;lt;domain.com&amp;gt; to your
REM   domain.
REM   Notice the copy of the MRT.log up to a central location goes to
REM   &amp;lt;servername&amp;gt;\&amp;lt;share with write perms&amp;gt;.  This is on purpose.
REM   In most cases, opening a share with everyone write permissions on a DC
REM   is not recommended; it is suggested to use a
REM   member server or workstation.
REM

if /i %PROCESSOR_ARCHITECTURE% == x86 goto x86
if /i %PROCESSOR_ARCHITECTURE% == AMD64 goto x64
if /i %PROCESSOR_ARCHITECTURE% == IA64 goto End

:x86
REM   Give the network a moment to settle, then run MSRT quietly
call \\&amp;lt;domain.com&amp;gt;\netlogon\Sleep.exe 10
Start /wait \\&amp;lt;domain.com&amp;gt;\netlogon\Windows-KB890830-V2.6.exe /q

REM   Collect the MSRT log centrally so you can see which machines were cleaned
copy %windir%\debug\mrt.log \\&amp;lt;servername&amp;gt;\&amp;lt;share with write perms&amp;gt;\%computername%_%username%_mrt.log

goto End

:x64
call \\&amp;lt;domain.com&amp;gt;\netlogon\Sleep.exe 10
Start /wait \\&amp;lt;domain.com&amp;gt;\netlogon\windows-kb890830-x64-v2.6.exe /q

copy %windir%\debug\mrt.log \\&amp;lt;servername&amp;gt;\&amp;lt;share with write perms&amp;gt;\%computername%_%username%_mrt.log

:End

Exit&lt;/PRE&gt;
&lt;P&gt;The sleep.exe used above comes from the &lt;A href="http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&amp;amp;displaylang=en" target=_blank mce_href="http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&amp;amp;displaylang=en"&gt;Windows Server 2003 Resource Kit Tools&lt;/A&gt;.&amp;nbsp; With that in place the script should be self-explanatory for running MSRT.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;Once you have copied all the .exe’s to a share and assigned the script via GPO to your computer OUs, you need to get your users to reboot their systems; that causes the script to run and clean each machine, which should hopefully fix your environment.&amp;nbsp; If you need help with this, try posting a question here first and I’ll try to respond; if you need immediate assistance, call us. As always we are here and available to help! Malware cases are FREE, as in no $250 for a ticket, no hours decremented from your Premier contract, etc.&amp;nbsp; So get on the phone, call the CSS number ((800) 936-5800 I believe) and let them know you have a malware issue and need a case to work with CSS Security. &lt;/P&gt;
&lt;P&gt;While typing this I also checked the MMPC’s blog, and they have a good post with a nice picture that explains how the malware works: &lt;A href="http://blogs.technet.com/mmpc/archive/2009/01/13/msrt-released-today-addressing-conficker-and-banload.aspx" mce_href="http://blogs.technet.com/mmpc/archive/2009/01/13/msrt-released-today-addressing-conficker-and-banload.aspx"&gt;http://blogs.technet.com/mmpc/archive/2009/01/13/msrt-released-today-addressing-conficker-and-banload.aspx&lt;/A&gt;.&lt;/P&gt;
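&lt;P&gt;Once the startup script has dropped one mrt.log per machine onto the share, you need a quick way to see which hosts did not come back clean. The PowerShell below is an added example for that triage, not code from the post: it walks the collection share, pulls the lines under “Results Summary:” and the return code out of each log, and lists the hosts that need a closer look. The share path and the two sample logs are constructed for the example, and the log layout it parses (a “Results Summary:” header, the summary lines, then a “Return code:” line) is an assumption about what MSRT writes, so adjust the patterns if your version differs.&lt;/P&gt;

```powershell
# Added example (not from the original post): triage the mrt.log files the startup
# script copies to the share as COMPUTERNAME_USERNAME_mrt.log.
# The log layout assumed here (a "Results Summary:" header, summary lines, then a
# "Return code:" line) mirrors what MSRT writes; adjust the patterns if your version differs.

function Get-MrtSummary {
    param([string]$LogText)
    # MSRT appends one block per run, so the last "Results Summary:" block in the file wins.
    $summary = @()
    $inSummary = $false
    $returnCode = $null
    foreach ($line in ($LogText -split "`r?`n")) {
        if ($line -match '^Results Summary:') { $summary = @(); $inSummary = $true; continue }
        if ($line -match '^Return code:\s*(\d+)') { $returnCode = [int]$Matches[1]; $inSummary = $false; continue }
        if ($inSummary) {
            if ($line -match '^-+\s*$' -or $line -match '^\s*$') { continue }   # underline / blank
            if ($line -match 'Finished On') { $inSummary = $false; continue }   # end of the block
            $summary += $line.Trim()
        }
    }
    [pscustomobject]@{
        Summary    = $summary
        ReturnCode = $returnCode
        # Clean only when MSRT said so explicitly and exited 0; anything else gets a human look
        Clean      = ($summary -contains 'No infection found.') -and ($returnCode -eq 0)
    }
}

function Get-MrtTriage {
    param([string]$SharePath)
    Get-ChildItem -Path $SharePath -Filter '*_mrt.log' | ForEach-Object {
        $parts  = $_.BaseName -split '_'
        $result = Get-MrtSummary -LogText (Get-Content -Path $_.FullName -Raw)
        [pscustomobject]@{
            Computer   = $parts[0]
            User       = $parts[1]
            Clean      = $result.Clean
            ReturnCode = $result.ReturnCode
            Summary    = ($result.Summary -join '; ')
            LogFile    = $_.FullName
        }
    }
}

# --- constructed demo input: two logs in a temp folder standing in for the collection share ---
$demoShare = Join-Path $env:TEMP 'mrt-triage-demo'
New-Item -ItemType Directory -Path $demoShare -Force | Out-Null

$cleanLog = @'
Microsoft Windows Malicious Software Removal Tool v2.6, January 2009
Started On Tue Jan 13 10:02:11 2009

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Tue Jan 13 10:04:58 2009

Return code: 0 (0x0)
'@
$dirtyLog = @'
Microsoft Windows Malicious Software Removal Tool v2.6, January 2009
Started On Tue Jan 13 10:07:40 2009

Results Summary:
----------------
Found Win32/Conficker.B and Removed!
Microsoft Windows Malicious Software Removal Tool Finished On Tue Jan 13 10:11:02 2009

Return code: 6 (0x6)
'@
Set-Content -Path (Join-Path $demoShare 'WKS001_alice_mrt.log') -Value $cleanLog
Set-Content -Path (Join-Path $demoShare 'WKS002_bob_mrt.log')   -Value $dirtyLog

# Everything that did not come back clean; against the real share pass its UNC path instead
Get-MrtTriage -SharePath $demoShare | Where-Object { -not $_.Clean } | Format-Table Computer, User, ReturnCode, Summary -AutoSize
```

&lt;P&gt;Point it at the real share with -SharePath and drop the Where-Object filter to see every host. A machine that never shows up in the listing at all is usually the one to chase first: it either did not reboot or could not write to the share.&lt;/P&gt;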
</description></item><item><title>More on File Shares and Autorun.inf with regards to malware</title><link>http://blogs.technet.com/b/kfalde/archive/2009/01/12/more-on-file-shares-and-autorun-inf-with-regards-to-malware.aspx</link><pubDate>Mon, 12 Jan 2009 19:32:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3181208</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3181208</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2009/01/12/more-on-file-shares-and-autorun-inf-with-regards-to-malware.aspx#comments</comments><description>&lt;P&gt;In my last post I mentioned that Conficker/Downad (whichever name your AV vendor uses) also has a component that spreads through file shares that allow Everyone to write at the root level of the share.&lt;/P&gt;
&lt;P&gt;A typical autorun.inf looks something like this:&lt;/P&gt;&lt;PRE class=csharpcode&gt;[Autorun]
open=setup.exe
icon=setup.exe,0&lt;/PRE&gt;
&lt;P&gt;Glancing at the folder structure of my DVD, in this case I have:&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/MoreonFileShares.infwithregardstomalware_86C2/image_2.png" mce_href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/MoreonFileShares.infwithregardstomalware_86C2/image_2.png"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: inline; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; BORDER-LEFT-WIDTH: 0px" title=image border=0 alt=image src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/MoreonFileShares.infwithregardstomalware_86C2/image_thumb.png" width=428 height=75 mce_src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/MoreonFileShares.infwithregardstomalware_86C2/image_thumb.png"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;With Autorun enabled, if I double-click this drive, Explorer processes Autorun.inf and runs the setup.exe that sits in the same location as the autorun.inf.&amp;nbsp; If you were running Vista with UAC this would be less of a problem, since the program would still run but only as a standard user unless someone consented to elevation; likewise, if your users ran as non-admins the damage would be limited.&amp;nbsp; Neither is the case in a lot, probably most, of enterprises.&lt;/P&gt;
&lt;P&gt;So what do we do to mitigate this problem?&lt;/P&gt;
&lt;P&gt;By default, Windows 2000, XP and Vista are supposed not to process autorun.inf from a network drive at all.&amp;nbsp; Check out &lt;A title=http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx?mfr=true href="http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx?mfr=true" mce_href="http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx?mfr=true"&gt;http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx?mfr=true&lt;/A&gt;, which goes into detail about the NoDriveTypeAutoRun registry value.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/MoreonFileShares.infwithregardstomalware_86C2/image_4.png" mce_href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/MoreonFileShares.infwithregardstomalware_86C2/image_4.png"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: inline; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; BORDER-LEFT-WIDTH: 0px" title=image border=0 alt=image src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/MoreonFileShares.infwithregardstomalware_86C2/image_thumb_1.png" width=450 height=86 mce_src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/MoreonFileShares.infwithregardstomalware_86C2/image_thumb_1.png"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;The 0x10 bit, which disables Autorun on network drives, is part of the default NoDriveTypeAutoRun value on all our supported OSes, so why does the issue still occur?&amp;nbsp; The reason can be found in &lt;A title=http://support.microsoft.com/kb/953252 href="http://support.microsoft.com/kb/953252" mce_href="http://support.microsoft.com/kb/953252"&gt;http://support.microsoft.com/kb/953252&lt;/A&gt; “How to correct “disable Autorun registry key” enforcement in Windows”.&amp;nbsp; If you read through the KB you will see that all of our currently supported OSes had a bug in Explorer that kept that registry setting from being enforced.&amp;nbsp; The bug was fixed and released as security bulletin MS08-038, &lt;A title=http://support.microsoft.com/kb/950582 href="http://support.microsoft.com/kb/950582" mce_href="http://support.microsoft.com/kb/950582"&gt;http://support.microsoft.com/kb/950582&lt;/A&gt;.&amp;nbsp; Odds are, though, that if you are one of those orgs that didn’t apply MS08-067, what’s a few more months (July vs. October of ’08)?&amp;nbsp; If you are having problems with malware that spreads via autorun.inf on network shares, make sure MS08-038 is installed in your environment as quickly as possible.&lt;/P&gt;
&lt;P&gt;As part of defense in depth I would also recommend that you set, in a Group Policy linked to your domain, the policy that disables Autorun completely.&amp;nbsp; The defaults should be fine once MS08-038 is installed; however, in an enterprise setting you don’t want to rely on the “I hope my users didn’t change it” scenario.&amp;nbsp; &lt;A href="http://support.microsoft.com/kb/953252" target=_blank mce_href="http://support.microsoft.com/kb/953252"&gt;KB953252&lt;/A&gt; also has information on where to set this; I’ve included a picture from my test system as well (it’s 2008, so it may look slightly different than 2003).&amp;nbsp; Basically you want to set “Turn Off Autoplay” to Enabled for “All drives”.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/MoreonFileShares.infwithregardstomalware_86C2/image_6.png" mce_href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/MoreonFileShares.infwithregardstomalware_86C2/image_6.png"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: inline; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; BORDER-LEFT-WIDTH: 0px" title=image border=0 alt=image src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/MoreonFileShares.infwithregardstomalware_86C2/image_thumb_2.png" width=584 height=169 mce_src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/MoreonFileShares.infwithregardstomalware_86C2/image_thumb_2.png"&gt;&lt;/A&gt; &lt;/P&gt;
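&lt;P&gt;Rather than hoping the setting is right on a given box, you can read it. The PowerShell below is an added example, not part of the original post: it reads NoDriveTypeAutoRun from the machine and user policy keys, decodes it against the drive-type bits the Resource Kit entry documents (0x01 unknown, 0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD-ROM, 0x40 RAM disk, 0x80 unspecified), and reports whether network drives are covered and whether the value is the 0xFF that “Turn off Autoplay: All drives” writes. It also reads the HonorAutoRunSetting value that KB953252 describes; treat that check as an assumption on builds that predate the fix.&lt;/P&gt;

```powershell
# Added example (not from the original post): read NoDriveTypeAutoRun from the policy keys
# and decode it against the drive-type bits the Resource Kit entry documents.
# Bit values: 0x01 unknown type, 0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD-ROM,
# 0x40 RAM disk, 0x80 unspecified type; 0xFF is what "Turn off Autoplay: All drives" writes.
# HonorAutoRunSetting is the value KB953252 describes for the post-MS08-038 behaviour;
# its presence is reported here but treated as an assumption.

$DriveBits = @(
    @{ Bit = 0x01; Name = 'Unknown type' },
    @{ Bit = 0x04; Name = 'Removable' },
    @{ Bit = 0x08; Name = 'Fixed' },
    @{ Bit = 0x10; Name = 'Network' },
    @{ Bit = 0x20; Name = 'CD-ROM' },
    @{ Bit = 0x40; Name = 'RAM disk' },
    @{ Bit = 0x80; Name = 'Unspecified type' }
)

function ConvertFrom-NoDriveTypeAutoRun {
    param([int]$Value, [string]$Scope = 'literal')
    $disabledOn = foreach ($entry in $DriveBits) {
        if (($Value -band $entry.Bit) -ne 0) { $entry.Name }
    }
    [pscustomobject]@{
        Scope          = $Scope
        Value          = ('0x{0:X2}' -f $Value)
        DisabledOn     = @($disabledOn)
        NetworkCovered = (($Value -band 0x10) -ne 0)   # the bit that matters for the share case
        AllDrives      = (($Value -band 0xFF) -eq 0xFF)
    }
}

function Get-AutorunPolicy {
    # Machine policy wins over user policy; the XP/Vista default 0x91 lives in the HKCU policy key
    $keys = @(
        @{ Scope = 'HKLM policy'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' },
        @{ Scope = 'HKCU policy'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' }
    )
    foreach ($k in $keys) {
        $item = Get-ItemProperty -Path $k.Path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            [pscustomobject]@{ Scope = $k.Scope; Value = '(not set)'; DisabledOn = @(); NetworkCovered = $false; AllDrives = $false }
        } else {
            ConvertFrom-NoDriveTypeAutoRun -Value $item.NoDriveTypeAutoRun -Scope $k.Scope
        }
    }
    $honor = Get-ItemProperty -Path $keys[0].Path -Name HonorAutoRunSetting -ErrorAction SilentlyContinue
    $honorValue = if ($null -eq $honor) { '(not set)' } else { $honor.HonorAutoRunSetting }
    [pscustomobject]@{
        Scope          = 'HonorAutoRunSetting (KB953252)'
        Value          = $honorValue
        DisabledOn     = @()
        NetworkCovered = $null
        AllDrives      = $null
    }
}

# Decode the two values you will meet most often, then read the live machine
ConvertFrom-NoDriveTypeAutoRun -Value 0x91 -Scope 'XP/Vista default' | Format-List
ConvertFrom-NoDriveTypeAutoRun -Value 0xFF -Scope 'GPO: All drives'   | Format-List
Get-AutorunPolicy | Format-Table Scope, Value, NetworkCovered, AllDrives -AutoSize
```

&lt;P&gt;A machine-policy row that is not set, with only the HKCU value doing the work, is exactly the “I hope my users didn’t change it” situation the GPO is there to remove; run this as a startup or logon script that writes its output to a share if you want the domain-wide picture.&lt;/P&gt;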
&lt;P&gt;That’s about all I have at the moment; if you have any questions, post them here.&amp;nbsp; Thanks&lt;/P&gt;
</description></item><item><title>Malware Win32/Conficker.B W32.Downadup.B</title><link>http://blogs.technet.com/b/kfalde/archive/2009/01/08/malware-win32-conficker-b-w32-downadup-b.aspx</link><pubDate>Thu, 08 Jan 2009 08:37:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3177867</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>16</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3177867</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2009/01/08/malware-win32-conficker-b-w32-downadup-b.aspx#comments</comments><description>&lt;P&gt;For the past two weeks we in CSS Security here at MS have been absolutely hammered with calls from organizations that have contracted this piece of malware.&lt;/P&gt;
&lt;P&gt;You can find write-ups from various AV companies at the following URLs:&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=76852" mce_href="http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=76852"&gt;http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=76852&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B" mce_href="http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B"&gt;http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.symantec.com/norton/security_response/writeup.jsp?docid=2008-123015-3826-99" mce_href="http://www.symantec.com/norton/security_response/writeup.jsp?docid=2008-123015-3826-99"&gt;http://www.symantec.com/norton/security_response/writeup.jsp?docid=2008-123015-3826-99&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.symantec.com/norton/security_response/writeup.jsp?docid=2009-010717-4209-99" mce_href="http://www.symantec.com/norton/security_response/writeup.jsp?docid=2009-010717-4209-99"&gt;http://www.symantec.com/norton/security_response/writeup.jsp?docid=2009-010717-4209-99&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;The write-ups are all pretty good; some have details that the others don’t.&amp;nbsp; We see a range of cases, from customers missing the patch to those who are completely patched but still seeing this malware cause issues in their environment.&amp;nbsp; The interesting thing about this piece of malware is that it really singles out organizations that have not done a good job with their security policies and procedures.&amp;nbsp; The MMPC group made a post about it, &lt;A href="http://blogs.technet.com/mmpc/archive/2008/12/31/just-in-time-for-new-years.aspx" mce_href="http://blogs.technet.com/mmpc/archive/2008/12/31/just-in-time-for-new-years.aspx"&gt;http://blogs.technet.com/mmpc/archive/2008/12/31/just-in-time-for-new-years.aspx&lt;/A&gt;, where they linked &lt;A href="http://technet.microsoft.com/en-us/library/cc512606.aspx" mce_href="http://technet.microsoft.com/en-us/library/cc512606.aspx"&gt;http://technet.microsoft.com/en-us/library/cc512606.aspx&lt;/A&gt;, Jesper’s password paper from 2005! This guidance, and similar guidance, has been out for 3+ years now and we still have customers that aren’t following it.&amp;nbsp; I sometimes wonder if we should just push out a “critical update” that applies to all DCs and updates their Default Domain and Default Domain Controller Policies to something more acceptable :) Of course we would probably catch a lot of flak for that :) . /Rant Off&lt;/P&gt;
&lt;P&gt;Things you should look at doing if you are hit with this:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Disable Account Lockouts&lt;/STRONG&gt;: You are already compromised; why make it worse by leaving the account lockout policy in place? The worm’s password guessing against your accounts will otherwise lock users out across the domain and turn the infection into a denial of service as well.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;If you are not patched (especially for MS08-067), do so immediately.&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Find a machine that you know is infected and see if your AV will clean it up with the latest definitions and client.&amp;nbsp; If it is not cleaning it, &lt;STRONG&gt;open a case with your AV vendor&lt;/STRONG&gt; as well; they are the ones who will update definitions to properly detect and remove the malware in your environment (believe me, you want this instead of manually running around cleaning off systems).&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Enable Password Complexity&lt;/STRONG&gt;: Like the account lockout setting, this lives in your Default Domain Policy. If you don’t have it enabled, odds are 10+% of your population is using one of the weak passwords on the list in those write-ups, and as long as you have users with those passwords you are still going to have the malware spreading.&amp;nbsp; Oh, and maybe you should get someone working on that org-wide email explaining the new password policy to your users: X characters minimum and three of the four character classes (upper, lower, number, special).&amp;nbsp; You probably also want to look into a script or tool to expire passwords selectively, so you don’t whack things like service accounts you aren’t ready to change. Check out Joeware’s oldcmp and expire utilities at &lt;A href="http://www.joeware.net/freetools/" mce_href="http://www.joeware.net/freetools/"&gt;http://www.joeware.net/freetools/&lt;/A&gt;: you can dump users selectively by OU to get lists with password age, then pass the lists to the expire utility to force password changes across groups of users.&amp;nbsp; Or, if you’re a masochist, you can just expire them all and deal with the consequences.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Password Complexity on local accounts&lt;/STRONG&gt;: Is the password on your local Administrator accounts something on that list from the write-ups? If so, you had better get it changed.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Share Permissions&lt;/STRONG&gt;: This one is more complex to explain.&amp;nbsp; For any network share that you know multiple users map drives to, lock the permissions down like this: at the root of the share, remove Write/Modify access for Everyone, and allow users full control of the contents of the subfolders within the share.&amp;nbsp; The way the malware works: if you have, say, an N: drive mapped to &lt;A href="file://file01/Data" mce_href="file://\\FILE01\Data"&gt;\\FILE01\Data&lt;/A&gt;, it drops malware.exe in the root of N: and an autorun.inf next to it pointing at malware.exe.&amp;nbsp; The next user with the same N: mapping double-clicks the drive icon and runs malware.exe (yes, this can be mitigated by Autorun settings, but do you know those are set on all your clients? Maybe a good idea for a GPO setting those as well :) )&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Stop logging into infected machines with Domain Admin accounts&lt;/STRONG&gt;:&amp;nbsp; One characteristic of the malware is that it can use impersonation and can sit in the Run key so that it runs in the logged-on user’s context.&amp;nbsp; So when you log in on that infected system with your DA account, guess what: you just helped it spread without it needing to guess passwords or exploit a vulnerability, because everything is allowed under your privileges.&lt;/LI&gt;&lt;/OL&gt;
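&lt;P&gt;The share-permission item above, and the autorun.inf behaviour described in the previous post, can be checked rather than assumed. The PowerShell below is an added example, not something from the post: for each share root you give it, it reads the root ACL and flags broad principals (Everyone, Authenticated Users, Users, Domain Users) that hold write, modify or full control there, and it looks for an autorun.inf at the root and extracts what it would launch (the open= and shellexecute= keys and any shell\verb\command= lines), so you can see what the next user who double-clicks the drive would run. The share names and the sample autorun.inf are constructed; the demo builds a temporary folder rather than touching a real server, and the ACL check is NTFS only, so check share-level permissions separately.&lt;/P&gt;

```powershell
# Added example (not from the original post): audit share roots for the two things the
# worm needs: a broad group that can write at the root, and a planted autorun.inf.
# This reads NTFS permissions; share-level permissions are a separate check and the
# effective right is the intersection of the two.

$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users')
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Write, Modify, FullControl'

function Get-ShareRootWriters {
    param([string]$Root)
    $acl = Get-Acl -Path $Root
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $name  = $rule.IdentityReference.Value
        $short = $name.Split('\')[-1]                       # drop the DOMAIN\ or BUILTIN\ prefix
        if (($BroadPrincipals -contains $short) -and (($rule.FileSystemRights -band $WriteRights) -ne 0)) {
            [pscustomobject]@{
                Root      = $Root
                Finding   = 'root writable by broad group'
                Principal = $name
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

function Get-AutorunTarget {
    param([string]$Root)
    $inf = Join-Path $Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return }
    $launches = @()
    foreach ($line in (Get-Content -LiteralPath $inf -Force)) {
        $t = $line.Trim()
        # open= and shellexecute= run on double-click; shell\verb\command= adds context-menu verbs.
        # Real samples pad the file with binary junk, but the key=value lines still parse.
        if ($t -match '^(open|shellexecute)\s*=\s*(.+)$') {
            $launches += ('{0}: {1}' -f $Matches[1].ToLower(), $Matches[2].Trim())
        } elseif ($t -match '^shell\\[^\\]+\\command\s*=\s*(.+)$') {
            $launches += ('shell command: ' + $Matches[1].Trim())
        }
    }
    $attrs = (Get-Item -LiteralPath $inf -Force).Attributes
    [pscustomobject]@{
        Root     = $Root
        Finding  = 'autorun.inf present at share root'
        Launches = $launches
        Hidden   = (($attrs -band [IO.FileAttributes]::Hidden) -ne 0)   # worms usually hide it
    }
}

function Invoke-ShareRootAudit {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        Get-ShareRootWriters -Root $root
        Get-AutorunTarget -Root $root
    }
}

# --- constructed demo: a temp folder stands in for \\FILE01\Data, with an autorun.inf like
# the one in the previous post dropped at its root ---
$demoRoot = Join-Path $env:TEMP 'share-root-audit-demo'
New-Item -ItemType Directory -Path $demoRoot -Force | Out-Null
Set-Content -Path (Join-Path $demoRoot 'autorun.inf') -Value @('[Autorun]', 'open=setup.exe', 'icon=setup.exe,0')
Invoke-ShareRootAudit -Roots @($demoRoot) | Format-List

# Against real servers: Invoke-ShareRootAudit -Roots @('\\FILE01\Data', '\\FILE01\Users')
```

&lt;P&gt;On the demo folder only the autorun.inf finding comes back, since a temp folder is not writable by Everyone; on a real share that was set up with Everyone: Full Control at the root you get both findings, which is the combination the worm is looking for.&lt;/P&gt;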
&lt;P&gt;I may add more to this; it’s getting late my time and I’m sure it’s going to be another long day tomorrow.&amp;nbsp; Hopefully this helps someone.&lt;/P&gt;
</description><category domain="http://blogs.technet.com/b/kfalde/archive/tags/Incident+Response/">Incident Response</category></item><item><title>Changes to Microsoft Anti-Malware</title><link>http://blogs.technet.com/b/kfalde/archive/2008/11/19/changes-to-microsoft-anti-malware.aspx</link><pubDate>Wed, 19 Nov 2008 20:14:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3156458</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3156458</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2008/11/19/changes-to-microsoft-anti-malware.aspx#comments</comments><description>&lt;P&gt;This doesn’t really affect the FCS world, but it is an interesting development. &lt;A title=https://www.microsoft.com/presspass/features/2008/Nov08/11-18AmyBarzdukasQandA.mspx href="https://www.microsoft.com/presspass/features/2008/Nov08/11-18AmyBarzdukasQandA.mspx" mce_href="https://www.microsoft.com/presspass/features/2008/Nov08/11-18AmyBarzdukasQandA.mspx"&gt;https://www.microsoft.com/presspass/features/2008/Nov08/11-18AmyBarzdukasQandA.mspx&lt;/A&gt;: apparently we are going to begin offering a no-cost anti-malware solution in the second half of 2009.&amp;nbsp; From the look of it this is going to be targeted more at the end-user market.&amp;nbsp; Check out the article for an interesting read.&lt;/P&gt;
</description><category domain="http://blogs.technet.com/b/kfalde/archive/tags/FCS/">FCS</category><category domain="http://blogs.technet.com/b/kfalde/archive/tags/Incident+Response/">Incident Response</category></item><item><title>FCS .adm settings</title><link>http://blogs.technet.com/b/kfalde/archive/2008/11/14/fcs-adm-settings.aspx</link><pubDate>Fri, 14 Nov 2008 19:50:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3153302</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>2</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3153302</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2008/11/14/fcs-adm-settings.aspx#comments</comments><description>&lt;P&gt;I’m not really advocating using this, and I can’t take credit for it, as it was posted on the FCS forums by “&lt;A target=_blank href="http://social.technet.microsoft.com/Forums/en-US/Forefrontclientgeneral/thread/8574ed97-b84d-4b0a-ae9e-d4985ed7217f#page:2" mce_href="http://social.technet.microsoft.com/Forums/en-US/Forefrontclientgeneral/thread/8574ed97-b84d-4b0a-ae9e-d4985ed7217f#page:2"&gt;lofty10&lt;/A&gt;”.&amp;nbsp; However, I do know that many people are looking for something like this to manage FCS clients that do not have an FCS server infrastructure, for whatever reason.&amp;nbsp; Just remember that you get no reporting whatsoever this way, but you can at least control some scan/update intervals and exclusions.&amp;nbsp; I have the .adm on my SkyDrive at the following link.&lt;/P&gt;&lt;IFRAME style="BORDER-BOTTOM: #dde5e9 1px solid; BORDER-LEFT: #dde5e9 1px solid; PADDING-BOTTOM: 0px; BACKGROUND-COLOR: #ffffff; MARGIN: 3px; PADDING-LEFT: 0px; WIDTH: 240px; PADDING-RIGHT: 0px; HEIGHT: 26px; BORDER-TOP: #dde5e9 1px solid; BORDER-RIGHT: #dde5e9 1px solid; PADDING-TOP: 0px" marginHeight=0 src="http://cid-14eec8ab42191b55.skydrive.live.com/embedrow.aspx/FCS/forefront.adm" frameBorder=0 marginWidth=0 scrolling=no mce_src="http://cid-14eec8ab42191b55.skydrive.live.com/embedrow.aspx/FCS/forefront.adm"&gt;&lt;/IFRAME&gt;
</description><category domain="http://blogs.technet.com/b/kfalde/archive/tags/FCS/">FCS</category><category domain="http://blogs.technet.com/b/kfalde/archive/tags/FCS+ADM/">FCS ADM</category></item><item><title>How to add extra scheduled scans or definition updates for FCS</title><link>http://blogs.technet.com/b/kfalde/archive/2008/10/23/how-to-add-extra-scheduled-scans-or-definition-updates-for-fcs.aspx</link><pubDate>Thu, 23 Oct 2008 22:33:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3141018</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>1</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3141018</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2008/10/23/how-to-add-extra-scheduled-scans-or-definition-updates-for-fcs.aspx#comments</comments><description>&lt;P&gt;The default options for scheduled scans in FCS are kind of sparse currently, and it's something we get requests about, so I'm posting a possible workaround to get more scheduled scans.&amp;nbsp; Below is a shot of the FCS policy setting: you can pick either "every day" or an individual day, a certain time, and which type of scan you want to run.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtoaddextrascheduledscansforFCS_8A44/image_2.png" mce_href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtoaddextrascheduledscansforFCS_8A44/image_2.png"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; BORDER-TOP: 0px; BORDER-RIGHT: 0px" border=0 alt=image src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtoaddextrascheduledscansforFCS_8A44/image_thumb.png" width=328 height=76 mce_src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtoaddextrascheduledscansforFCS_8A44/image_thumb.png"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;So what if, say, I want to do a full scan on the first Saturday of the month, or a full scan on Saturdays and quick scans at 6pm every day, or any number of other scenarios you could think of?&amp;nbsp; The answer is you're kind of stuck if you have your mind dead set on using the current FCS v1 policies.&lt;/P&gt;
&lt;P&gt;So how do we get around this limitation?&amp;nbsp; The answer lies in how those scans are accomplished in the first place.&amp;nbsp; If you go into Task Scheduler on your system and turn on "Show Hidden Tasks" you will see how your scheduled scans actually run:&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtoaddextrascheduledscansforFCS_8A44/image_4.png" mce_href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtoaddextrascheduledscansforFCS_8A44/image_4.png"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; BORDER-TOP: 0px; BORDER-RIGHT: 0px" border=0 alt=image src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtoaddextrascheduledscansforFCS_8A44/image_thumb_1.png" width=615 height=67 mce_src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtoaddextrascheduledscansforFCS_8A44/image_thumb_1.png"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;If you dig deeper and look at these tasks you will see that they all use the following .exe, with various options, to perform the scans:&lt;/P&gt;
&lt;P&gt;c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe&lt;/P&gt;
&lt;P&gt;So, from an understanding point of view: the FCS policy writes registry keys that say which types of scan to run and on what schedule, and the FCS client reads those registry keys and creates scheduled tasks from them.&lt;/P&gt;
&lt;P&gt;The following is a list of the options we are interested in:&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Quick Scan&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;"C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe" Scan -RestrictPrivileges -ScanType 1&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Full Scan&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;"C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe" Scan -RestrictPrivileges&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Signature Update&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;"C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe" SignatureUpdate&lt;/P&gt;
&lt;P&gt;The obvious result is that I can take these command lines and create any schedule I want in my environment.&lt;/P&gt;
&lt;P&gt;But, you ask, how do I push that task out to all my 5k workstations and servers? There are any number of methods: a group policy with a startup script that creates it, SMS/SCCM jobs, any other desktop management software, etc.&amp;nbsp; The one I'll focus on here is Group Policy Preferences.&amp;nbsp; This is a new feature of Vista/2008; however, there is a Group Policy Preferences client-side extension package that you can install on your XP/2003 systems.&amp;nbsp; Taking a look at WSUS, it is there as an update you can deploy easily via WSUS (which hopefully you are using if you have FCS):&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtoaddextrascheduledscansforFCS_8A44/image_6.png" mce_href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtoaddextrascheduledscansforFCS_8A44/image_6.png"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; BORDER-TOP: 0px; BORDER-RIGHT: 0px" border=0 alt=image src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtoaddextrascheduledscansforFCS_8A44/image_thumb_2.png" width=624 height=58 mce_src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtoaddextrascheduledscansforFCS_8A44/image_thumb_2.png"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;Note that it is in the classification "Feature Packs", so you may need to sync that classification on your WSUS server.&amp;nbsp; Also, as an FYI, you don't need a 2008 DC or forest for these.&amp;nbsp; You do need a 2008 server or a Vista system in order to edit and create policies that use these extensions, but the settings are stored in the normal GPO folders inside SYSVOL for your domain.&lt;/P&gt;
&lt;P&gt;Once you have the Group Policy Preferences extensions installed in the environment and a system capable of editing them, create a new Group Policy and start editing.&amp;nbsp; You should see a new section titled "Preferences":&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtoaddextrascheduledscansforFCS_8A44/image_8.png" mce_href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtoaddextrascheduledscansforFCS_8A44/image_8.png"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; BORDER-TOP: 0px; BORDER-RIGHT: 0px" border=0 alt=image src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtoaddextrascheduledscansforFCS_8A44/image_thumb_3.png" width=974 height=242 mce_src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtoaddextrascheduledscansforFCS_8A44/image_thumb_3.png"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;We are specifically looking for the Scheduled Tasks area.&amp;nbsp; Right-click on it and select New Scheduled Task. From this point on it should be self-explanatory: pick the command line you want from the list above and assign the schedule you want.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtoaddextrascheduledscansforFCS_8A44/image_10.png" mce_href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtoaddextrascheduledscansforFCS_8A44/image_10.png"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; BORDER-TOP: 0px; BORDER-RIGHT: 0px" border=0 alt=image src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtoaddextrascheduledscansforFCS_8A44/image_thumb_4.png" width=332 height=368 mce_src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/HowtoaddextrascheduledscansforFCS_8A44/image_thumb_4.png"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;Just some thoughts here: you can't set one scheduled task item to run multiple times per day, so if you wanted to run three definition updates at certain times of the day you would need three different task items.&amp;nbsp; The only reason I point out that example is that, from looking at my WSUS history, we typically release AV definitions about three times a day, and they tend to arrive around 2am, 10am and 6pm; so if you wanted to be really, um, precise, you could line up your WSUS sync so it picks the definitions up from us at the right time, and schedule your clients to pull the updates relatively soon after your WSUS server receives them.&lt;/P&gt;
&lt;P&gt;Hopefully this was helpful. I'm sure there are other ways to accomplish this as well, but this seemed an easy one to document and implement. Good luck in your scheduling efforts :)&lt;/P&gt;
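&lt;P&gt;If you would rather script the tasks than click through Group Policy Preferences (for a startup script, an SCCM job or a lab box), the same MpCmdRun.exe command lines can be registered with schtasks.exe, which is on XP/2003 as well as newer systems. The PowerShell below is an added example, not part of the original post, and covers the scenarios above: a quick scan every day at 6pm, a full scan on the first Saturday of the month, and definition updates at 2:30am, 10:30am and 6:30pm as three separate tasks. The MpCmdRun path and switches are the ones listed above; the task names, the times and the dry-run switch are this example’s own.&lt;/P&gt;

```powershell
# Added example (not from the original post): register extra FCS scans and definition
# updates with schtasks.exe, using the MpCmdRun.exe command lines listed above.
# Task names, times and the -DryRun switch are this example's own choices.

$MpCmdRun = 'C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe'

# Arguments exactly as the FCS-created tasks use them
$MpArguments = @{
    QuickScan       = 'Scan -RestrictPrivileges -ScanType 1'
    FullScan        = 'Scan -RestrictPrivileges'
    SignatureUpdate = 'SignatureUpdate'
}

function New-FcsTaskCommandLine {
    param([string]$Name, [string]$Action, [string]$Schedule)
    # The path has spaces, so the inner quotes are escaped as \" for schtasks' own parser;
    # /RU SYSTEM runs it as LocalSystem like the FCS tasks, /F replaces an existing task of the same name.
    $tr = '\"{0}\" {1}' -f $MpCmdRun, $MpArguments[$Action]
    '/Create /F /RU SYSTEM /TN "{0}" /TR "{1}" {2}' -f $Name, $tr, $Schedule
}

function Register-FcsTask {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('QuickScan', 'FullScan', 'SignatureUpdate')][string]$Action,
        [Parameter(Mandatory)][string]$Schedule,   # the /SC ... /ST ... part of the schtasks line
        [switch]$DryRun
    )
    $line = New-FcsTaskCommandLine -Name $Name -Action $Action -Schedule $Schedule
    if ($DryRun) { return 'schtasks.exe ' + $line }
    # Start-Process hands the string to schtasks verbatim, so PowerShell's own quoting rules
    # (which differ between 5.1 and 7.x) never touch the embedded \" sequences
    $p = Start-Process -FilePath 'schtasks.exe' -ArgumentList $line -Wait -NoNewWindow -PassThru
    if ($p.ExitCode -ne 0) { throw ('schtasks failed for {0} with exit code {1}' -f $Name, $p.ExitCode) }
    return $Name
}

# The scenarios from the post: quick scan daily at 6pm, full scan on the first Saturday of the
# month, and one task per definition-update slot (a task can only fire once a day this way).
$plan = @(
    @{ Name = 'FCS Extra - Quick Scan 18:00';  Action = 'QuickScan';       Schedule = '/SC DAILY /ST 18:00' },
    @{ Name = 'FCS Extra - Full Scan 1st Sat'; Action = 'FullScan';        Schedule = '/SC MONTHLY /MO FIRST /D SAT /ST 03:00' },
    @{ Name = 'FCS Extra - Sig Update 02:30';  Action = 'SignatureUpdate'; Schedule = '/SC DAILY /ST 02:30' },
    @{ Name = 'FCS Extra - Sig Update 10:30';  Action = 'SignatureUpdate'; Schedule = '/SC DAILY /ST 10:30' },
    @{ Name = 'FCS Extra - Sig Update 18:30';  Action = 'SignatureUpdate'; Schedule = '/SC DAILY /ST 18:30' }
)

# Dry run first: prints the exact schtasks lines; drop -DryRun to create the tasks (needs admin)
foreach ($t in $plan) { Register-FcsTask @t -DryRun }
```

&lt;P&gt;Run it as written first to see the exact schtasks lines, then drop -DryRun from the loop to create the tasks from an elevated prompt. The update times are offset half an hour from the 2am/10am/6pm definition releases mentioned above to give your WSUS server time to sync first.&lt;/P&gt;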
&lt;P&gt;Kurt&lt;/P&gt;
</description><category domain="http://blogs.technet.com/b/kfalde/archive/tags/Scheduled+Scans/">Scheduled Scans</category></item><item><title>FCS Intervals</title><link>http://blogs.technet.com/b/kfalde/archive/2008/10/17/fcs-intervals.aspx</link><pubDate>Fri, 17 Oct 2008 21:22:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3138089</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3138089</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2008/10/17/fcs-intervals.aspx#comments</comments><description>&lt;P&gt;So you've seen the following options in your FCS settings and are wondering how they work:&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Malware Scanning&lt;/STRONG&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;"Run a Quick Scan at set interval (hours):"&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Security state assessment&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;"Scan at set interval (hours):"&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/FCSIntervals_C755/image_2.png" mce_href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/FCSIntervals_C755/image_2.png"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; BORDER-TOP: 0px; BORDER-RIGHT: 0px" border=0 alt=image src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/FCSIntervals_C755/image_thumb.png" width=479 height=441 mce_src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/FCSIntervals_C755/image_thumb.png"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Malware Definition Updates&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;"Check for updates at set interval (hours):"&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/FCSIntervals_C755/image_4.png" mce_href="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/FCSIntervals_C755/image_4.png"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; BORDER-TOP: 0px; BORDER-RIGHT: 0px" border=0 alt=image src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/FCSIntervals_C755/image_thumb_1.png" width=472 height=191 mce_src="http://blogs.technet.com/blogfiles/kfalde/WindowsLiveWriter/FCSIntervals_C755/image_thumb_1.png"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;We had a customer ask about this recently, as their systems were missing scheduled scans too many times in a row, which eventually causes the client to show the wonderful Orange Box stating that it hasn't had a scan in more than 10 days. Initially it appeared that their scheduled scan was set to 5am or thereabouts, and the systems in question (mostly laptops) were turned off during that time period. Based on this we recommended setting a quick scan interval, which the customer did; however, they were still having problems with missed scans. When we checked the interval being used, the customer had set it to 24 hours for quick scans...&lt;/P&gt;
&lt;P&gt;So here's the problem and how it works. When the FCS client/service starts, it creates a timer object that says "right now is time 0, and at 'interval' hours from now I will run whatever needs to run" (Quick Scan, SSA Scan, or Definition Update). The problem is that when the system is turned off this timer object goes away, and it starts over from 0 when the system restarts. So in our customer's case the systems in question were being turned off at night, the 24 hour interval was never reached, and the scan was never performed. Based on the users' computing habits we recommended setting the interval to around 5-6 hours, so that it will hopefully run at least 1x during the work day while the system is on, but not so many times that it causes performance issues while the user is working.&lt;/P&gt;
&lt;P&gt;Another side note of interest: if your system hibernates between intervals, from what we have seen it should not reset the timer, and the scan should still occur. Supposedly, if your system is hibernated or in sleep mode it should also try to scan when you resume; however, I have not been able to test that yet to confirm (if anyone has a laptop and wants to try, let me know your results).&lt;/P&gt;
</description><category domain="http://blogs.technet.com/b/kfalde/archive/tags/FCS/">FCS</category><category domain="http://blogs.technet.com/b/kfalde/archive/tags/FCS+Policy/">FCS Policy</category></item><item><title>FCS and System Center Essentials</title><link>http://blogs.technet.com/b/kfalde/archive/2008/10/08/fcs-and-system-center-essentials.aspx</link><pubDate>Thu, 09 Oct 2008 01:16:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3134326</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3134326</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2008/10/08/fcs-and-system-center-essentials.aspx#comments</comments><description>&lt;P&gt;Just found this posting on the SCE forums regarding integration of SCE and FCS:&lt;/P&gt;
&lt;P&gt;The link is &lt;A href="http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=1797488&amp;amp;SiteID=17" mce_href="http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=1797488&amp;amp;SiteID=17"&gt;http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=1797488&amp;amp;SiteID=17&lt;/A&gt;. The text from the forum posting is below:&lt;/P&gt;
&lt;P style="MARGIN: 0in 0in 0pt" class=MsoNormal align=left&gt;&lt;U&gt;Question 16:&lt;/U&gt;&amp;nbsp; Can I use Essentials 2007&amp;nbsp;and Forefront Client Security to manage the same computers?&lt;/P&gt;
&lt;P style="MARGIN: 0in 0in 0pt" class=MsoNormal align=left mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P style="MARGIN: 0in 0in 0pt" class=MsoNormal align=left&gt;Yes.&amp;nbsp; Please read through these configuration steps to understand how to use both products in the same environment.&lt;/P&gt;
&lt;P style="MARGIN: 0in 0in 0pt" class=MsoNormal align=left mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;
&lt;BLOCKQUOTE style="MARGIN-RIGHT: 0px" dir=ltr&gt;
&lt;P style="MARGIN: 0in 0in 0pt" class=MsoNormal align=left&gt;&lt;SPAN&gt;&lt;FONT size=5&gt;&lt;FONT color=#365f91&gt;&lt;FONT face=Cambria&gt;&lt;STRONG&gt;Setup&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P style="MARGIN: 0in 0in 0pt 0.5in" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;Base requirements:&lt;/FONT&gt;&lt;/P&gt;
&lt;P style="TEXT-INDENT: -0.25in; MARGIN: 0in 0in 0pt 1in" class=MsoListParagraph&gt;&lt;SPAN style="FONT-FAMILY: Symbol"&gt;&lt;SPAN&gt;&lt;FONT size=3&gt;·&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT size=3 face=Calibri&gt;Essentials 2007 must be installed on x86 hardware.&lt;/FONT&gt;&lt;/P&gt;
&lt;P style="TEXT-INDENT: -0.25in; MARGIN: 0in 0in 0pt 1in" class=MsoListParagraph&gt;&lt;SPAN style="FONT-FAMILY: Symbol"&gt;&lt;SPAN&gt;&lt;FONT size=3&gt;·&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT size=3 face=Calibri&gt;Forefront Client Security must be installed in the 2 machine (or more) supported configuration from their guide, where the SCE server is the distribution server component.&amp;nbsp; No other FCS workload is supported on the Essentials server.&amp;nbsp; &lt;/FONT&gt;&lt;/P&gt;
&lt;P style="TEXT-INDENT: -0.25in; MARGIN: 0in 0in 0pt 1in" class=MsoListParagraph&gt;&lt;SPAN style="FONT-FAMILY: Symbol"&gt;&lt;SPAN&gt;&lt;FONT size=3&gt;·&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT size=3 face=Calibri&gt;All FCS managed machines must be SCE managed machines&lt;/FONT&gt;&lt;/P&gt;
&lt;P style="MARGIN: 0in 0in 0pt 0.5in" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt;
&lt;P style="MARGIN: 0in 0in 0pt 0.5in" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;Configuration notes:&lt;/FONT&gt;&lt;/P&gt;
&lt;P style="TEXT-INDENT: -0.25in; MARGIN: 0in 0in 0pt 1in" class=MsoListParagraph&gt;&lt;SPAN style="FONT-FAMILY: Symbol"&gt;&lt;SPAN&gt;&lt;FONT size=3&gt;·&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT size=3 face=Calibri&gt;If the FCS distribution server is installed on to Essentials 2007, it will alter the subscription and approval settings already configured.&amp;nbsp; The administrator will need to re-run the Update Management Wizard again to apply custom settings.&amp;nbsp; It is important that the “Definitions” classification and the “Forefront” product remain subscribed and declared in the auto-approval settings.&amp;nbsp; &lt;/FONT&gt;&lt;/P&gt;
&lt;P style="TEXT-INDENT: -0.25in; MARGIN: 0in 0in 0pt 1in" class=MsoListParagraph&gt;&lt;SPAN style="FONT-FAMILY: Symbol"&gt;&lt;SPAN&gt;&lt;FONT size=3&gt;·&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT size=3 face=Calibri&gt;If Essentials is installed on to the Distribution server running FCS, the same classification and product settings need to be applied. &lt;/FONT&gt;&lt;/P&gt;
&lt;P style="TEXT-INDENT: -0.25in; MARGIN: 0in 0in 0pt 1in" class=MsoListParagraph&gt;&lt;SPAN style="FONT-FAMILY: Symbol"&gt;&lt;SPAN&gt;&lt;FONT size=3&gt;·&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT size=3 face=Calibri&gt;The Essentials 2007 default client and server scan times fall 1-2 hours after the FCS scan, which may leave managed machines up to 22 hours stale.&amp;nbsp; We recommend using Group Policy to set the client scan time to 4:00 AM, and the Server Sync time to 1:00AM.&lt;/FONT&gt;&lt;/P&gt;
&lt;H1 style="MARGIN: 24pt 0in 0pt 0.5in"&gt;&lt;SPAN&gt;&lt;FONT size=5&gt;&lt;FONT color=#365f91&gt;&lt;FONT face=Cambria&gt;Operation&lt;/FONT&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/H1&gt;
&lt;P style="MARGIN: 0in 0in 0pt 0.5in" class=MsoNormal&gt;&lt;FONT size=3 face=Calibri&gt;It is important to note that the purchased limits of the FCS solution must remain within the purchased limits of the Essentials solution.&amp;nbsp; &lt;/FONT&gt;&lt;/P&gt;
</description><category domain="http://blogs.technet.com/b/kfalde/archive/tags/FCS/">FCS</category><category domain="http://blogs.technet.com/b/kfalde/archive/tags/SCE/">SCE</category><category domain="http://blogs.technet.com/b/kfalde/archive/tags/System+Center+Essentials/">System Center Essentials</category></item><item><title>Automating WSUS Cleanup</title><link>http://blogs.technet.com/b/kfalde/archive/2008/09/23/automating-wsus-cleanup.aspx</link><pubDate>Tue, 23 Sep 2008 23:50:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3127439</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>1</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3127439</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2008/09/23/automating-wsus-cleanup.aspx#comments</comments><description>&lt;p&gt;By default WSUS does not clean up anything in an automated manner. This is not normally much of an issue for a system with plenty of drive space that does not serve definitions. However, with FCS in the environment, WSUS will sync new definitions three times a day at a size of about&lt;strike&gt; 30megs&lt;/strike&gt; 112Mb each. These definitions are then declined on a regular basis as new revisions come out, which means that over a month you could build up about &lt;strike&gt;1.8 gb&lt;/strike&gt; 9.4Gb worth of old definitions (5 business days × 3 times a day × 4 weeks a month × 112Mb &lt;strike&gt;30mb&lt;/strike&gt; per release).&lt;/p&gt;
&lt;p&gt;There is a PowerShell script that will allow you to automate this on your systems, which you can find at &lt;a href="http://www.pulsarit.net/cs/blogs/claudiog/archive/2007/05/16/eseguire-wsus-3-0-cleanup-manager-via-powershell.aspx" mce_href="http://www.pulsarit.net/cs/blogs/claudiog/archive/2007/05/16/eseguire-wsus-3-0-cleanup-manager-via-powershell.aspx"&gt;http://www.pulsarit.net/cs/blogs/claudiog/archive/2007/05/16/eseguire-wsus-3-0-cleanup-manager-via-powershell.aspx&lt;/a&gt;; however, not everyone wants to install PowerShell on their systems. So in lieu of the script there is now an .exe on CodePlex that does the same thing.&lt;/p&gt;
&lt;p&gt;You can find it at &lt;a href="http://www.codeplex.com/WSUS/Release/ProjectReleases.aspx?ReleaseId=17612" mce_href="http://www.codeplex.com/WSUS/Release/ProjectReleases.aspx?ReleaseId=17612"&gt;http://www.codeplex.com/WSUS/Release/ProjectReleases.aspx?ReleaseId=17612&lt;/a&gt;. It's a small .exe; just put it in a folder somewhere and create a Task Scheduler task to run it on a periodic basis. This should help you keep the disk space bloat down on your WSUS servers that are serving up FCS definitions.&lt;/p&gt;
&lt;p&gt;Revised on 3/5/09 based on corrected numbers for definition sizes from &lt;a title="http://blogs.technet.com/kfalde/archive/2009/03/05/wsus-fcs-definitions.aspx" href="http://blogs.technet.com/kfalde/archive/2009/03/05/wsus-fcs-definitions.aspx"&gt;http://blogs.technet.com/kfalde/archive/2009/03/05/wsus-fcs-definitions.aspx&lt;/a&gt;. So basically it’s even more data than previously, and you definitely should use this script to keep your WSUS servers trimmed.&lt;/p&gt;</description><category domain="http://blogs.technet.com/b/kfalde/archive/tags/FCS+Definitions/">FCS Definitions</category><category domain="http://blogs.technet.com/b/kfalde/archive/tags/WSUS/">WSUS</category></item><item><title>FCS SP1</title><link>http://blogs.technet.com/b/kfalde/archive/2008/08/29/fcs-sp1.aspx</link><pubDate>Fri, 29 Aug 2008 22:35:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3114091</guid><dc:creator>Kurt Falde</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://blogs.technet.com/b/kfalde/rsscomments.aspx?WeblogPostID=3114091</wfw:commentRss><comments>http://blogs.technet.com/b/kfalde/archive/2008/08/29/fcs-sp1.aspx#comments</comments><description>&lt;P&gt;So Forefront Client Security SP1 is out now. To download it, go to the Microsoft Update Catalog &lt;A href="http://catalog.update.microsoft.com/v7/site/home.aspx" mce_href="http://catalog.update.microsoft.com/v7/site/home.aspx"&gt;http://catalog.update.microsoft.com/v7/site/home.aspx&lt;/A&gt; and search for "Forefront Client Security SP1".&lt;/P&gt;
&lt;P&gt;Here is the KB &lt;A href="http://support.microsoft.com/default.aspx/kb/951951"&gt;http://support.microsoft.com/default.aspx/kb/951951&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Here are the release notes &lt;A href="http://technet.microsoft.com/en-us/library/cc901470.aspx"&gt;http://technet.microsoft.com/en-us/library/cc901470.aspx&lt;/A&gt;&lt;/P&gt;
</description><category domain="http://blogs.technet.com/b/kfalde/archive/tags/FCS/">FCS</category><category domain="http://blogs.technet.com/b/kfalde/archive/tags/Forefront+Client+Security/">Forefront Client Security</category></item></channel></rss>