Monday, August 24, 2009

Microsoft Security Essentials 1.0 BETA vs. Kaspersky 2010

My colleague Henry asked me to scan his USB drive; he suspected a virus was lurking on it. I have both Kaspersky and MSE running in real time.

MSE detected it and Kaspersky snoozed!

It was Win32/Vorus.CV

Capture1

And MSE cleans it. I am confident in this product. Since it’s going to be free, I am a full supporter and advocate of MSE. Try it and have a trouble-free computing environment.

PS: Want a copy of MSE? I can give it to you, but you have to write to me with your email address.

Capture2

Saturday, August 22, 2009

Immunet - Antivirus Cloud Computing


Immunet, a startup by Symantec senior execs, takes antivirus to the cloud. Immunet aggregates the detections and "opinions" of threats from the people using the service. This means that if Bob in Saudi Arabia gets an infection, Immunet, working alongside your antivirus, updates everyone in the Immunet community about the threat in real time so they are protected from it.
They also plan to protect social networking and other communities (probably Twitter, etc.).
Interesting concept: cloud computing antivirus.

In summary, every single Immunet user becomes a possible contributor to protecting all other Immunet users in real time.
Check out their narrative:
Immunet Protect is free, light weight, cloud based Anti-Virus software which uses new approaches to provide malware protection. It is designed to work alongside Symantec, AVG and Mcafee to provide significantly improved detection rates in those products. You can also install it alone. Immunet works by providing its own fast and light layer of cloud based virus detection on top of your existing Anti-Virus product. Once you have Immunet installed it ties you into the Immunet Cloud and allows you to build communities of friends and family. When Immunet Protect detects a threat on your system it automatically makes available protections for it to everyone in your community and to the global community protecting them instantly.
Check it out and download it. It doesn’t work on my Windows 7 x64 RTM though :(. So I had to put it on my XP 32-bit box running AVG. Perfect!
Currently, this product works better with those three AV products. I am using Kaspersky + Microsoft Security Essentials Beta, so I probably won’t benefit much, but probably I will get some security information when a bug/security threat is detected on Windows. (Not sure... shall try.)
Requirements
Microsoft Windows XP with Service Pack 2 or later
* 300MHz or faster processor
* 256MB of RAM
* 10 MB of available hard disk space
Microsoft Windows Vista Home Basic/Home Premium
* Supports 32-bit platforms only at this time
* Must meet the minimum Windows Vista operating system requirements
Windows 7 (RC)
* Supports 32-bit platforms only at this time
* Must meet the minimum Windows 7 (RC) operating system requirements
Required for all installations:
* A working Internet connection

http://www.immunet.com
Note, this product is a pre-release, i.e. BETA, so use it with discretion.
image
Above: number of people online and threats it can clean! Not bad.
INTERESTING. About 20 minutes into writing this, the protection count went up by 2! SUPER COOL. There were no updates or downloads of threat patterns. Real time, hell yeah!
image
If i click the threat meter..
image
nsDialogs.dll is apparently “safe”.
image
Settings and such.
To participate, you need to register. Without registering you won’t be able to “help” others :)
image
Click on register and get a new account at www.immunet.com. Then immediately sign in and you should see something like below:
image
image
Join the cloud? Let us know the experiences.

Thursday, August 13, 2009

My views on free vs. premier security products... and Microsoft’s antivirus?

It's interesting how one AV product surpasses the other in just a matter of months. Look at the graphs produced by those so-called independent testers. A sample here. It's a big war between AV companies out there.
My problem is, it's sickening to know that we as consumers are always confused by all their gimmicks about free vs. premier/paid editions. You cannot do that with security products! <period>. Give it 100% or don’t give it at all.
My take on it is, if you want to give something away free, give it 100% (and the world shall love you for it). Tearing down features for the free vs. full versions is like saying "you get the car for free but the brakes work only 50%. So be careful. If you want full braking then you need to pay". This is their message and how I see it. This is also why the open source world keeps propelling forward and gaining mileage. They fall under the GPL, which does not allow licenses to be sold, so how do they profit? Professional support and services...
Know this... I am not talking about features; that’s different. Maybe your security product performs system-wide application updates; now, that’s a feature. Security, such as filtering through different protocols, email filtering, web filtering for example, shouldn’t be a “paid” feature... it should just be a standard one.

Anyway, Microsoft will also soon be in the chase, prime time. It's called MS Security Essentials, dubbed Morro, a new free AV for PCs (they have stopped beta test downloads already, so it's getting ready for RC).

Combined with Security Center, Windows Update and the MS Firewall, it's almost a full desktop security suite. However, it's yet to get the real-world challenge; this is a fact. So, wait till it releases and we shall all see. (Word to note: HOME PC...) So, not sure where this is going for corporations, yet.
From a commercial point of view this service will seriously dent the rest of the commercial AV market, no doubt, but again, I would rather get an AV that is 100% free than one of those "free but we won't give you 100% brakes" ones... This is good for consumers; the competition will ease off our pockets for sure.
I bet there will be certain camps that will say it's from Microsoft, we can't trust it, bla bla. Just so you know, MS products are seriously “tested” (i.e. smothered and smacked) by millions of testers worldwide as soon as they see daylight, every second, even at the point I am writing this. This is why you get lots of "bugs/problems" reported, so effectively, for me, as a security paranoid, I'd rather have those bugs exposed and fixed than have/use a product that no one knows is a big-ass Swiss cheese or not. I don’t really care about the games the corporations play; I just want good quality software.

Wednesday, August 12, 2009

Possible new breed of mass-spreading worms? New vulnerabilities found in MS products.


Microsoft Office OWC10.Spreadsheet ActiveX BorderAround() Heap Corruption Vulnerability

The specific vulnerability exists in the OWC10.Spreadsheet.10 ActiveX control installed by Microsoft Office. By accessing specific methods in a certain order, heap corruption occurs, leading to remote code execution. If exploited, complete control of the affected system can be achieved under the rights of the currently logged-in user.
[http://www.securityfocus.com/archive/1/505679]
This looks like a perfect candidate for a mass-spreading worm: a newly discovered (and patched) vulnerability in Microsoft Office Web Components, reachable from a web page because the control is ActiveX. Affected products per the bulletin:
  • Office XP, Office XP Web Components, and Office 2000 Web Components (all editions)
  • Office 2003, Office 2003 Web Components, and Office 2003 Web Components for the 2007 Microsoft Office system (all editions)
  • Internet Security and Acceleration Server 2004 and Internet Security and Acceleration Server 2006 (all editions)
  • Microsoft BizTalk Server (all editions)
  • Visual Studio .NET 2003 (all editions)
  • Microsoft Office Small Business Accounting 2006 (all editions)
Especially for those running ISA Server, this is seriously critical. You must get patched, get secure.
Because the exploit code runs with the rights of the logged-on user, a standard (non-admin) account under UAC limits the damage to that user's files and profile; it does not stop the code from running, and it does nothing for anyone browsing as an administrator with UAC turned off.
Patch immediately or stand a chance of becoming part of the statistics (hopefully not).
http://www.microsoft.com/technet/security/bulletin/MS09-043.mspx
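Kill-bitting a control is the usual stop-gap for an ActiveX bug while the patch is rolled out, and checking whether a box still exposes the control is a useful audit. The script below is an added example, not from the original post or from Microsoft: it resolves the OWC10.Spreadsheet.10 ProgID quoted in the advisory to its CLSID through the registry and reports whether Internet Explorer's kill bit (0x400 in "Compatibility Flags") is set for it. It assumes PowerShell 2.0 or later on the machine being checked; the ProgID is the one named above, and the Wow6432Node hive path is a parameter for 32-bit IE on 64-bit Windows. The kill bit is not a substitute for installing MS09-043.

```powershell
# Added example, not from the original post or from Microsoft: resolve the
# OWC10.Spreadsheet.10 ProgID from the advisory to its CLSID and report whether
# IE's kill bit is set for that control. Assumptions: PowerShell 2.0+, run on
# the machine under test; pass -Hive 'HKLM:\SOFTWARE\Wow6432Node' to check the
# view 32-bit IE uses on 64-bit Windows. Set-ActiveXKillBit needs elevation.

function Get-ActiveXKillBit {
    param(
        [Parameter(Mandatory=$true)][string]$ProgId,
        [string]$Hive = 'HKLM:\SOFTWARE'
    )
    # ProgID -> CLSID. HKLM:\SOFTWARE\Classes is the machine-wide half of HKCR.
    $progKey = "$Hive\Classes\$ProgId\CLSID"
    $result  = New-Object PSObject -Property @{
        ProgId = $ProgId; Clsid = $null; Registered = $false; KillBit = $false; Flags = 0
    }
    if (-not (Test-Path $progKey)) { return $result }
    $result.Clsid      = (Get-ItemProperty -Path $progKey).'(default)'
    $result.Registered = $true

    # IE keeps per-control "Compatibility Flags" here; bit 0x400 is the kill bit.
    $compatKey = "$Hive\Microsoft\Internet Explorer\ActiveX Compatibility\$($result.Clsid)"
    if (Test-Path $compatKey) {
        $flags = (Get-ItemProperty -Path $compatKey).'Compatibility Flags'
        if ($flags -ne $null) { $result.Flags = [int]$flags }
    }
    $result.KillBit = (($result.Flags -band 0x400) -ne 0)
    return $result
}

function Set-ActiveXKillBit {
    # Sets bit 0x400 without clobbering any other flags already present.
    param(
        [Parameter(Mandatory=$true)][string]$Clsid,
        [string]$Hive = 'HKLM:\SOFTWARE'
    )
    $compatKey = "$Hive\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $compatKey)) { New-Item -Path $compatKey -Force | Out-Null }
    $flags = (Get-ItemProperty -Path $compatKey).'Compatibility Flags'
    if ($flags -eq $null) { $flags = 0 }
    Set-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -Value ([int]$flags -bor 0x400) -Type DWord
}

$owc = Get-ActiveXKillBit -ProgId 'OWC10.Spreadsheet.10'
$owc | Format-List ProgId, Clsid, Registered, KillBit
if ($owc.Registered -and -not $owc.KillBit) {
    Write-Warning "OWC10.Spreadsheet.10 ($($owc.Clsid)) is registered and not kill-bitted: install MS09-043."
}
```

Run it once per hive on 64-bit machines, and remember that a kill bit only blocks IE from instantiating the control; the vulnerable DLL is still on disk for any other host that loads it, which is why the update itself is the fix.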

Monday, August 10, 2009

Logging on to Windows 2008 domain as an administrator on Windows 7 domain computer

This has probably been blogged a thousand times, but let me be the 1001st blogger ;).

Thought I’d share this from Windows 7 perspective instead.

So, here’s the rundown:

  • I got myself W2008 R2 and Windows 7 RTM up and running, joined the domain and so on.

OK, so the thing is, when you use the logon UI on Vista/Windows 7, it does “see” the domain it just joined and sets it up for you by default as your default domain (there’s no more pull-down domain list).

image

Notice the part where it says “Log on to: BEAUTISEC”? Well, BEAUTISEC is my domain, and you can skip the BEAUTISEC\username way of logging on and just go with username. If you want to log on to a domain other than BEAUTISEC, do/see this...

image

So, let's say I've got a domain called MSFT; I would need to type MSFT\username and log on that way. But since I am in my primary domain, i.e. BEAUTISEC, I don’t have to; I just log on.

I log on as user sanjay with my password and it just works. But when I log on as administrator, it doesn’t. Here’s why:

For administrator accounts

In the above scenario, the local administrator logon takes precedence unless you specify the domain before the logon name, like BEAUTISEC\administrator, which is your domain administrator account. Then you get to log on as the domain “administrator” account.

See the screen below when I key in administrator (NOTE: the administrator here is the default built-in administrator user for that PC; it could be renamed admin or papasmurf and the effect below is still the same):

image

The “Log on to” value is automatically set to BEAUTIFULPC, which is the local PC name, i.e. a local logon. This “feature” can also help someone figure out the name of the local built-in admin account even before logging on, but yeah... moving on.

For regular accounts

Domain logons will always take precedence unless you specify BEAUTIFULPC\<username> to log on to local accounts, in other words, accounts other than the built-in administrator account. (See my note above about the local admin account.)

image

The “Log on to” value automatically changes to my domain, BEAUTISEC.

SIDE NOTE: You can’t switch to the classic logon interface on Vista/Windows 7 machines that are part of a domain, like you could on XP. But you can enable the “Interactive logon: Do not display last user name” policy through the registry or GPO (or GPEDIT locally). That will let you enter your username manually, but still no domain pull-down... like in the old days. ):
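For the side note above, this is an added example (not from the original post) showing the registry value that the “Interactive logon: Do not display last user name” policy writes, and a lookup of the built-in administrator's current name, since the logon hint gives that account away even after a rename. It assumes an elevated PowerShell 2.0 prompt on the Windows 7 box; a domain GPO that sets the same policy overrides the local value at the next refresh, so the local write is only a stop-gap on a domain-joined machine.

```powershell
# Added example, not from the original post: read/set the registry value behind
# "Interactive logon: Do not display last user name", and find the built-in
# Administrator account by RID 500 regardless of what it has been renamed to.
# Assumptions: elevated prompt; local policy not overridden by a domain GPO.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName = 'DontDisplayLastUserName'

function Get-DontDisplayLastUserName {
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 0 }          # value absent: default, last user is shown
    return [int]$item.$valueName
}

function Enable-DontDisplayLastUserName {
    Set-ItemProperty -Path $policyKey -Name $valueName -Value 1 -Type DWord
}

function Get-BuiltInAdministrator {
    # RID 500 is the built-in Administrator; the name may be anything.
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' } |
        Select-Object Name, Disabled, SID
}

$cs = Get-WmiObject Win32_ComputerSystem
"Computer: $($cs.Name)  Domain-joined: $($cs.PartOfDomain)  Domain: $($cs.Domain)"
"DontDisplayLastUserName before: $(Get-DontDisplayLastUserName)"
Enable-DontDisplayLastUserName
"DontDisplayLastUserName after:  $(Get-DontDisplayLastUserName)"
"Built-in administrator on this box:"
Get-BuiltInAdministrator | Format-Table -AutoSize
```

The change takes effect at the next logon screen. Hiding the last user name only hides it from the tile; anyone who can type at the logon UI can still get the local computer name from the “Log on to” hint, so renaming and disabling the built-in Administrator (the Get-BuiltInAdministrator output tells you whether that has been done) is the control that matters.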

Saturday, August 8, 2009

My first Windows 7 BSOD

image

This happened when I was extracting a 7zip file and launching Google Chrome at around the same time. I noticed that Kaspersky had reported some anti-phishing activity at this same time, when I was accessing a website.

Case: Win 7 64-bit RTM, Kaspersky Internet Security 2010, Google Chrome Beta 3, extraction of a 7z file using WinRAR for Windows.

Windows 7 (RC, RTM) and static disk activity (about a minute of pause)


I have been running into this problem since I got the RC build of Windows 7. I didn’t bother much, as I was patient enough to wait till things started working again (which they eventually do), and also figured it might be fixed by the time RTM was out.
Well, that isn’t the case. Now I am on the official RTM build (64-bit) and it still chokes every once in a while (similar to what I had on the RC 32-bit).
Symptom.
Every so often, the disk activity light for the SATA disk in my cheapo Dell Inspiron 1525 stayed lit, as though there was continuous disk activity or a hardware failure on the disk. This causes certain newly launched apps, or older ones already running, to freeze momentarily for about 30 seconds to 1 minute. This problem didn’t appear when I used Ubuntu 9.04 on this same system.
Solution
Well, I found the problem (or more like the solution). It was the AHCI setting in my BIOS that causes this to happen (when I turned it to ATA mode, the problem didn’t crop up). This is also related to an older SATA HDD I put into my new Dell (the older SATA disk had a higher RPM, so I decided to use that instead).
So if you get this annoying problem every once in a while, load up your BIOS, go to your SATA disk configuration and turn off AHCI and turn off flash cache (this is required according to the BIOS setting when you turn off AHCI).
Now, I am at peace :)
(NOTE: Some OSes, including 7 BETA, will not boot well according to some internet searching I did, so if things break, read the next line.)
Use Ubuntu.

Thanks to my colleague Feroz Khan for the idea and for this little snippet below from the WIKI link on AHCI above.

Friday, August 7, 2009

Check Point SSL Network Extender and Windows 7

If you use an older version of SSL Network Extender (SNEX) and you run the new Windows 7 (Beta, RC or RTM) on a 64-bit architecture, you may get errors through both ActiveX and Java stating that it failed to load. This is confirmed by Check Point, and you need a new file.

You can fix this by manually downloading the SNEX client from CP’s website, or click here for the file that will update your older SNEX client. This should get you up and running in no time. Finally, get your admins to update their CPFW’s SNEX source files, available from this article on CP’s website, to automatically upgrade other users as well.

Here’s a screenshot.

image

Oh, by the way, I am running Windows 7 64-bit RTM. :D Have a great weekend.

Malaysia for Internet Censorship? Vain Move. 5 reasons why.

I read the Star article and the Nasdaq piece on Internet censorship. I think this is simply a vain move by our government. Why?

  1. Nobody should play God, especially when it comes to information and information disclosure! Who determines whether one site is politically “compliant” and another is not? Who determines whether a particular site is “racial” or simply stating the obvious? Who determines whether a particular site is “good” or “bad”? Those who decide, are they being objective?
  2. No technology in the world can stop people from accessing sites if they want to. China tried, but people could still go to those sites “banned” by the government. When I was in Beijing in 2005, they blocked access to certain sites. All I had to do was get myself a public proxy residing outside China and I could access those “banned” sites (to name a few methods: see this link for the VPN feature; a VPN keeps everything within an encrypted tunnel, so no one sees anything; and other ways, of course :)). I will definitely blog a comprehensive list if this were to materialize. :P
  3. It will slow things down even more. Putting up filters will undoubtedly slow things down. In fact, any device in between you and the host/server you access can potentially slow stuff down, especially if filtering is at the application layer (as in this particular censorship case). Not to forget, we already have a substandard internet!
  4. Nobody will be happy to know that EVERYTHING they do is now potentially INTERCEPTED. Those blocking tools basically take the headers and certain data from your internet transaction and “analyze” them against their policy for an ACK or NACK. So, YES, EVERYTHING IS PICKED UP.
  5. It will create unnecessary workload: managing and maintaining the lists of sites to be blocked (sites bloom faster than fungi on soggy bread), managing the devices, managing the people managing the devices, etc.

Instead, the powers that be should educate users, and encourage and promote wise use of the internet, letting users decide how they would like to use this facility. Give them the option to opt in to a censorship program if they like, e.g. by installing software. Promote healthy thinking. Build trust with the people, but also keep the law intact. Enforcement of cyber laws is really in its infancy here. This should be the first move.

Wednesday, August 5, 2009

MSI and Run As Administrator

Some MSI packages require elevated privileges to install, and it’s always cumbersome to run them through runas.

In Windows Vista/7, the shell integration (right-click menu) of an EXE contains a Run as administrator entry, like below.

image

But for MSI files, there’s no such context menu entry! Of course, there are other ways, but this right-click thing is what I want; it’s quick and easy.

image

MSI files do not have the Run as administrator shell integration.

How do you make Run as administrator come integrated with MSI and other executable file types (e.g. VBS, BAT)? Try this.

For MSIs

Start notepad.exe and paste the text below exactly:

Windows Registry Editor Version 5.00

; Adds a "runas" verb to the Msi.Package class (the class .msi files map to).
; The verb name "runas" is what makes Explorer show "Run as administrator"
; and request UAC elevation before launching the command.
[HKEY_CLASSES_ROOT\Msi.Package\shell\runas]

; hex(2) is a REG_EXPAND_SZ value (UTF-16LE bytes), here encoding:
;   "%SystemRoot%\System32\msiexec.exe" /i "%1" %*
[HKEY_CLASSES_ROOT\Msi.Package\shell\runas\command]
@=hex(2):22,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
  00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,\
  73,00,69,00,65,00,78,00,65,00,63,00,2e,00,65,00,78,00,65,00,22,00,20,00,2f,\
  00,69,00,20,00,22,00,25,00,31,00,22,00,20,00,25,00,2a,00,00,00

Don’t worry about the text running past what you can see; just copy and paste the whole thing. When you paste the above, it MUST look something like this:

image

If it doesn’t, stop right there; something is not right. Try again.

Now save this document as shell_enable_msi.reg (the filename doesn’t matter, as long as the extension is .reg). Make sure the registry icon appears after you do that, like below.

image

This means it’s associated with the registry tool. Now double-click the icon; UAC should complain, but just say yes on both counts!

image

image

Once imported, you should see this:

image

Now right-click an MSI file again. Voila!

image

And there you go.

Anyway, in case you’re curious what all that jargon you pasted into your registry is, it’s nothing much. The hex(2) value is a REG_EXPAND_SZ string that decodes to "%SystemRoot%\System32\msiexec.exe" /i "%1" %*, i.e. run msiexec on the file you right-clicked (%1) and pass along any extra arguments (%*). Because the verb key is named runas, Explorer labels it Run as administrator and asks UAC for elevation before launching it. It’s actually...

image
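The same verb can be scripted instead of pasted, which is handier for rolling it out to several machines or to the other file types mentioned above. This is an added example, not from the original post: it writes the identical runas verb for Msi.Package with PowerShell, then does the same for VBScript files. It assumes an elevated PowerShell 2.0 prompt (the values live under HKLM), the stock VBSFile class name for .vbs on Windows 7, and WScript.exe in System32.

```powershell
# Added example, not from the original post: create the "Run as administrator"
# (runas) verb that the .reg file above adds, and reuse it for .vbs files.
# Assumptions: elevated prompt (writes HKLM); VBSFile is the .vbs class and
# WScript.exe lives in %SystemRoot%\System32, as on a stock Windows 7.

function Add-RunAsVerb {
    param(
        [Parameter(Mandatory=$true)][string]$ProgId,   # e.g. Msi.Package
        [Parameter(Mandatory=$true)][string]$Command   # what Explorer runs; %1 = the file
    )
    # HKLM:\SOFTWARE\Classes is the machine-wide half of HKEY_CLASSES_ROOT.
    # The verb must be named exactly "runas": that name is what makes the shell
    # show "Run as administrator" and request UAC elevation for it.
    $cmdKey = "HKLM:\SOFTWARE\Classes\$ProgId\shell\runas\command"
    New-Item -Path $cmdKey -Force | Out-Null
    # ExpandString = REG_EXPAND_SZ, so %SystemRoot% is expanded, same as hex(2) in .reg.
    Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $Command -Type ExpandString
}

function Get-RunAsVerb {
    param([Parameter(Mandatory=$true)][string]$ProgId)
    $cmdKey = "HKLM:\SOFTWARE\Classes\$ProgId\shell\runas\command"
    if (Test-Path $cmdKey) { (Get-ItemProperty -Path $cmdKey).'(default)' } else { $null }
}

# MSI: identical to the decoded hex(2) string from the .reg file above.
Add-RunAsVerb -ProgId 'Msi.Package' -Command '"%SystemRoot%\System32\msiexec.exe" /i "%1" %*'

# VBScript files: run through the Windows script host, elevated.
Add-RunAsVerb -ProgId 'VBSFile' -Command '"%SystemRoot%\System32\WScript.exe" "%1" %*'

'Msi.Package', 'VBSFile' | ForEach-Object { "{0,-12} -> {1}" -f $_, (Get-RunAsVerb $_) }
```

Keep in mind what this verb does: it hands an arbitrary .msi or .vbs to an elevated process with one click, so it is a convenience for admins on their own machines, not something to push to every user's desktop.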

Tuesday, August 4, 2009

Exchange 2007 Service Pack 2 (SP2)


What to look forward to in Exchange 2007 SP2 (these are the ones I really like; there are more, of course):
  1. Enhanced auditing – Not sure what’s brewing for this, but in itself it is great news. Exchange seriously needs to sort out and “humanize” its audit trail logs. I had to go through hell just to find out whether someone had logged on with privileged rights to open another user’s mailbox. I will be very happy to see what’s in store for us in the SP2 auditing enhancements. Disgruntled employees perhaps need to read this before they “take over” the CIO’s mailbox again...
  2. It allows you to do backups straight away on Windows 2008, like what was available in MSbackup for Exchange 2000/03 (called in-box backup).
More on Exchange 2007 SP2 http://msexchangeteam.com/archive/2009/05/11/451281.aspx

 

Wait ..PowerGUI?????? what the..@@@@???!?!

Microsoft makes PowerShell and makes Windows management as slick as the Unix people do it. Reading through the Exchange team's blog post, I saw a post that made me search a little and verify.
Quest comes up with a GUI for PowerShell (slap head) called PowerGUI. MS makes a powerful scripting language to slowly but surely replace that bulky GUI that has been lugged around since Ex03, and now Quest makes a GUI for those scripts? Tsk tsk tsk.
Anyway, I never liked Quest or their tools! They make smart admins stupid and stupid admins look like Bill himself.
And as my colleague Frank Rovers says, a GUI is the primary reason novices “think” they are experts, go and poke around and mess things up!

Windows Live Writer (and Blogger problems)

image

This post and the previous one were written using Windows Live Writer from the Windows Live Software Suite (http://download.live.com/?sku=messenger). This software is just amazing and it’s really convenient, as I don’t have to use the crappy blogger.com writer interface anymore.

I think this software supports pretty much all types of blogs, like MySpace, Blogger, TypePad, WordPress, SharePoint. As long as it’s XML-able, I guess.

One note for blogger.com or blogspot.com users using this service. If you get a 404 forbidden error, simply log on to http://picasaweb.google.com/ with the same account used for blogger.com/start once; then you can close that web page and post your blog entry. This is because you have embedded graphics inside the blog post and Writer needs the blogger.com account to be initialized in Picasa Web (where all the images in your blog are stored by default) the first time. It will then create an album called Windows Live Writer inside Picasa, and that should be it.

Happy beeeeeloggging.

Nagios vs HP OVO

Was searching around the web for opinions and such on the above title. I came across a very interesting post, found here: http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1249349302208+28353475&threadId=1333927, posted by a gentleman named Dirk Dierickx.

He’s a person who has used HP OpenView OVO for over 10 years, and I think I personally would value such an opinion :).

Here’s the snippet.

image

How true. Smile.

Now, get Nagios to do whatever HP OVO can for no license cost at all. Nagios can do much more, contrary to old beliefs.

Sunday, August 2, 2009

Security Event Logs - Windows 2008 and Nagios



Have you ever wondered what Event 4790 or 4767 in your security audit log is all about? Well, I do, but I don’t know many, many more.

These IDs are super important; take, for instance, the famous 4740. This event ID should always be tracked. Why? It means someone's account is locked out, and it could be an impersonator guessing passwords. It is important to get this and many, many more IDs in Windows security auditing enabled in your corporate network. If you have one server, eh, fine... if you have 100, now the question is how we can automate, pick up and evaluate the "right" problems/threats.

I would recommend Nagios. With this puppy, you can simply pull out all events and filter, say, for all 4740 events with the username "Bob Hope". Bob is your CEO, and if his account is locked out, we had better sort it out.

So, with free-form queries, a little guidance from Microsoft (see link below) and some consulting from us (fat grin), you can achieve a powerful, centralized, "intelligent" security event log correlation solution for nuts (no license cost). Really, Nagios is free.

In my next post, I will show a little of how I query a Windows 2008 server to filter out Bob Hope's event 4740, give me a "state" of CRITICAL, and send an email or an SMS immediately.

With Nagios, this tiny events plug-in and an 8MB agent on your 2008 server/workstation, we can:
  • define selection criteria to filter on most event log fields
  • define criteria as FIELD:VALUE pairs
  • combine them with AND/OR operations to create complex filtering rules
  • choose to INCLUDE or EXCLUDE event log records
  • define the time period for the events we are after
  • either trigger on the most CRITICAL alert in the defined time period, or trigger on the LATEST event's status (useful for checking backups)
Which brings you and me from a tool, a powerful monitoring tool, to a powerful security collaboration tool.

Also, if you wish to know more about the events in Windows 2008 and Vista, check out this guide from MS Support: http://support.microsoft.com/default.aspx?scid=kb;EN-US;947226
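The Bob Hope check described above, written as an added example in PowerShell rather than with the Nagios plug-in the post refers to (it is not the post's own code): it asks a Windows Server 2008 Security log for event 4740 (account locked out) for one account within the last N minutes, prints a one-line Nagios status and exits with the Nagios state code (0 OK, 2 CRITICAL). It assumes PowerShell 2.0 on the poller, read access to the remote Security log, and that 'bhope' and 'dc01' stand in for Bob's sAMAccountName and a domain controller. One practitioner point it bakes in: 4740 is written on the domain controller that processed the lockout, not on the workstation Bob sits at, so the check targets DCs.

```powershell
# Added example, not from the original post or the Nagios plug-in: a Nagios-style
# check for event 4740 (account locked out) for one user on a Windows 2008 DC.
# Assumptions: PowerShell 2.0 on the poller, rights to read the remote Security
# log, 'bhope' = Bob Hope's sAMAccountName, 'dc01' = a domain controller.

function Get-LockoutEvents {
    param(
        [string]$ComputerName = 'localhost',
        [Parameter(Mandatory=$true)][string]$UserName,
        [int]$Minutes = 15
    )
    # XPath over the event XML: EventID 4740, created within the window, and the
    # TargetUserName data field equal to the account. The DC does the filtering.
    $ms    = $Minutes * 60 * 1000
    $xpath = "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= $ms]] " +
             "and EventData[Data[@Name='TargetUserName']='$UserName']]"
    # Get-WinEvent raises a non-terminating "No events were found" when empty; silence it.
    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue
}

function Invoke-LockoutCheck {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][string]$UserName,
        [int]$Minutes = 15
    )
    $events = @(Get-LockoutEvents -ComputerName $ComputerName -UserName $UserName -Minutes $Minutes)
    if ($events.Count -eq 0) {
        "OK - no lockouts of $UserName on $ComputerName in the last $Minutes min"
        return 0
    }
    # Get-WinEvent returns newest first. For 4740 the TargetDomainName data field
    # carries the "Caller Computer Name", i.e. where the bad passwords came from.
    $last   = $events[0]
    $xml    = [xml]$last.ToXml()
    $caller = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetDomainName' }).'#text'
    "CRITICAL - $($events.Count) lockout(s) of $UserName in the last $Minutes min; latest at $($last.TimeCreated) from $caller"
    return 2
}

$rc = Invoke-LockoutCheck -ComputerName 'dc01' -UserName 'bhope' -Minutes 15
exit $rc
```

Run it with powershell.exe -File so the exit code reaches Nagios (with -Command you only get 0 or 1). Point one check per DC, or at the PDC emulator, which receives every lockout in the domain; the caller computer name in the CRITICAL line is the first thing the responder wants, because a lockout from a machine Bob has never touched is the impersonation case the post is worried about.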

Saturday, August 1, 2009

Why you should NOT hide extensions for known extensions (Windows users)

Microsoft should just disable the Explorer feature that hides extensions for known file types. In Windows 7 it is still there, and it is turned on by default. This is bad, and you should turn it off. Here's why:

It is very easy to trick a user into thinking that a particular executable is actually an MP3, for instance. See my sample screenshot here.


Most people, including myself, would believe that the file above is indeed an MP3 file and would think, hmm, cool, I've got an MP3 here, perhaps it's from my collection, and would try to open it.

Now, let's see the actual file in a shell terminal.

As you can see, in this simple example, the file is actually an EXEcutable, which means it can run by itself and do stuff to you/your computer. The name was built as something like song.mp3.exe; with extensions hidden, Explorer shows only song.mp3.

Well, in Windows 7, it is simple to change this folder view setting. Open any folder in Explorer. Go to Organize --> Folder and search options --> View --> uncheck "Hide extensions for known file types". Then click "Apply to Folders" so it applies to every folder, not just the one you have open.

Now, look at the file in Explorer view.


As seen above, the .exe is now obvious, which should prompt you to reconsider opening the file. With Vista, and better yet Windows 7, UAC means a possible scamware that asks for admin rights will require your intervention, which you might otherwise approve with "Yes, allow" because you think it's just an MP3. Note that UAC only prompts when the program asks for elevation; a malicious executable that doesn't ask simply runs with your rights, no prompt at all. So try to avoid this scenario altogether and disable this feature.
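Two things a practitioner would want on top of the checkbox: a way to flip the setting for a user without clicking through Explorer, and a way to find the files that are already dressed up this way. The script below is an added example, not from the original post: it reads and clears the HideFileExt registry value the Explorer checkbox writes, then scans a folder for files whose real extension is executable but whose name carries a decoy extension such as .mp3 or .pdf. It assumes PowerShell 2.0 on Windows 7 and that the executable-extension list is mine, not exhaustive.

```powershell
# Added example, not from the original post: turn off "Hide extensions for known
# file types" for the current user via the registry value behind the checkbox,
# and hunt a folder for executables disguised with a second, decoy extension.
# Assumptions: PowerShell 2.0 on Windows 7; $runnable is my list, not exhaustive.

$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-HideFileExt {
    # 1 = extensions hidden (the Windows default), 0 = shown
    [int](Get-ItemProperty -Path $advKey -Name HideFileExt).HideFileExt
}

function Disable-HideFileExt {
    Set-ItemProperty -Path $advKey -Name HideFileExt -Value 0 -Type DWord
    # Explorer reads this at start-up: log off/on or restart explorer.exe to see it.
}

# Extensions Windows will execute on a double-click (a subset of PATHEXT plus
# shortcuts and installers).
$runnable = '.exe','.scr','.com','.pif','.bat','.cmd','.vbs','.vbe','.js','.jse','.wsf','.lnk','.msi'

function Find-DisguisedExecutables {
    param([Parameter(Mandatory=$true)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($runnable -contains $_.Extension.ToLower()) } |
        Where-Object {
            # BaseName is the name minus the real extension; if it still ends in a
            # dotted tail (song.mp3 -> .mp3) the name was built to read as that type.
            [System.IO.Path]::GetExtension($_.BaseName) -ne ''
        } |
        Select-Object FullName,
                      @{Name='ShownWhenHidden'; Expression={ $_.BaseName }},
                      Extension, Length, LastWriteTime
}

"HideFileExt is $(Get-HideFileExt) (1 = extensions hidden)"
Find-DisguisedExecutables -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

The scan matters even after you change the setting: .lnk and .pif carry a NeverShowExt flag in their class registration, so Explorer keeps hiding those extensions regardless of the checkbox, and a shortcut named song.mp3.lnk still displays as song.mp3. Point the function at Downloads, USB drives and shared folders, which is where Henry's kind of surprise usually turns up.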