I’ve spent most of the day fighting a WordPress install at work as it has been slow and sending various out of memory issues on a 16GB of memory VPS – so should really have enough memory to run a WordPress site. Therefore it was quite a surprise to see that 4.6 was released today for me to spend yet more time in WordPress today.
However, on this personal site, the upgrade went through smoothly with no issues (as far as I know).
It was an interesting week at work with several malware infections making it through the various av protections that we have in place which proves that end user education should be your primary line of defense in the fight against virus’. It is amazing how often people will click on random emails that have been sent to them with random filenames just because the email arrived in their inbox (or in another mailbox that they happen to have access to), even if it was not addressed to them.
I was lucky enough to get one of these emails through to my corporate mailbox on Tuesday this week, evading detection by McAfee email protection and Forefront on the desktop. (Using another av solution would not have prevented this as you will see later)
This was obviously some scam with the description of the user not even matching the email address of the user. Being curious, I naturally saved the file to my hard drive and then uploaded it to virustotal. On Tuesday, only 1 of 58 av engines recognised this as a virus – kudos goes to Quihoo-360 for being the sole detector. I must admit that I’ve never even heard of this software and I was very surprised to see that only 1 av vendor recognised the file.
I submitted the file to McAfee for scanning by zipping the file up with 7-zip and password protecting it with the phrase infected and sending it to their response team at [email protected] Incidentally, McAfee’s instructions for doing this are very outdated as Windows10 no longer has the option to password protect a zip file. McAfee immediately came back saying that their analysis was inconclusive and the file had been submitted for further research. This was an improvement on the previous sample I had submitted on Friday for a cryptolocker variant that came back as no virus found!
Wednesday morning I uploaded the file to virustotal again to see what the state of detection was.
This time the detection rate was slightly better – 9 products including Sophos that I use at home, but neither of the products in use at the office.
Thursday morning, two days after receiving the virus I received a response back from McAfee that confirmed the file was malicious. They included an extra.dat that would detect the file.
By this time, virustotal was showing 25 out of 53 products detecting the virus so it is getting better. Microsoft’s product was listed as detecting the file, yet Forefront was still passing it through as clean. Although virustotal has the definition date of 7/28, my computer was showing “defs of 7/26, update on 7/27”. Not sure why there is this discrepancy of the definition dates.
Yesterday, my laptop at home still had old definitions as it was not connected to the corporate lan and was still showing the file as clean which is pretty scary.
This morning I downloaded the file to my personal laptop, saving the file with a .txt extension so I would not accidentally open it – something that is easier to do on a touch screen tablet. Interestingly Sophos did not detect anything wrong with the file. Launching the file in notepad, it starts with the letters PK which implies the file is actually a zip file and there are several strings referring to HP printers and Adobe Photoshop.
At this point I’m not going to risk my machine further by opening it with 7zip to see what happens.
However when I copied the file to .zip or to .rtf Sophos did spring into action and quarantine the file. This is really handy as it protects the file from being saved to the machine in an executable form, but also allows you to save the file to the hard drive for further analysis in your debugger of choice. Other applications will quarantine the file no matter what the extension is, making it harder to retrieve. On the other hand, you now have an infected file on the machine that av is not discovering.
This Sunday morning, I uploaded the file to virustotal again. This time we’re slightly better at 29/54 detections. However, Comodo, Malwarebytes, Panda, SuperAntiSpyware,Symantec, TrendMicro and Vipre (among others) do not detect the file as malicious.
Malware bytes is an interesting discovery as it’s not usually regarded as an av product as it typically protects you from software being installed into suspicious locations such as autorun, startup, browser toolbars etc as opposed to traditional av that scans every file being written or read to the hard drive. However in this case and my recent cryptolocker, MalwareBytes failed to find anything malicious although HitManPro did find the Cryptolocker exe file on the machine (but MalwareBytes and McAfee did not).
The best av is the human kind that recognises a file is suspicious or unexpected and does not open it – although even this kind of av can fail (and some are more prone than others!)
Incidentally, one of my favourite solutions for the Cryptolocker variant, in theory at least, is pretty drastic and requires the permissions of file shares to be changed so that files can be created but they can’t be edited. Users (and software) would be able to write new files to the file share, but any edits to the file would not be allowed unless the changes are written to a new file. This forces users to do Save-As all the time, may break Office documents that insist on modifying the original file, but would stop Cryptolocker from overwriting files on the drive. Obviously this takes up a lot more disk space and would not be suitable for shares holding Autocad documents.
*Please note that this post is not meant to denigrate any one particular av product in particular as I understand that definitions take time to produce but av software that does not detect infections 5 days later should probably be evaluated to see if it is safe for continued use. I do reserve the right to moderate comments on this post if they are not helpful and just say “Product XYZ is useless”
Wait a bit for the install to finish.
I do wish that pkgmgr would actually wait until the install has finished before coming back to a dos prompt as it’s annoying that you have no idea when the install has actually completed. On my machine it takes about 30 seconds.
I’m finding it hard to believe that my laptop did not have telnet on it – as I use it all the time. However whenever I install telnet from the dos prompt I always have to look up the syntax (and it’s still quicker than going into add/remove programs.
Hopefully this blog post will hit the search engines and therefore the syntax will be displayed on the first page rather than having to open a Microsoft page, scroll down and then view the syntax.
I use powershell a lot at work – I’m not a guru by any means and I often find it hard to remember the commands I have run in a session, either for future use or for documenting in my time sheet (which also acts as a point of reference for future helpdesk tickets).
When I started going through the Powershell in a month of lunches book (which I highly recommend or the Powershell v3 book) I decided to use the start-transcript commandlet to record all my powershell activities. This worked very well until I would scroll through several screens worth and then forget what file I had saved my transcript too. There was also the possibility of forgetting to transcript everything.
By using the powershell profile file I was able to enter the commands to automatically set the transcript to the current date. I was then able to modify the title of the powershell prompt to display the filename so I could always see where the file was saved with the added bonus of a variable being used if I ever needed to open the transcript
My next step was to include the time in the powershell prompt – this enables me to go back through the transcript and see how long it took to run the commands for my timesheet entries. Remembering back to the good old dos days, I remembered the prompt command. A quick bit of experimenting with the Date command I had the current time displayed at the beginning on the Powershell prompt. Note this is displayed after the previous command is run, so technically it’s not the exact current time, but the time that the prompt was displayed on the screen.
The final profile script can be copy/pasted into notepad by typing in
is as follows:-
$log="c:\temp\powershelllogs-" + $env.username + (get-date -uformat "%y%m%d-%H%M") + ".txt"
$host.ui.rawui.WindowTitle = $log
write-host ((Date -uformat %T).ToString() + "PS " +$(get-location) + ">") -nonewline
return " "
This ends up with a powershell prompt that looks like the following. Hope this brief posting inspires you to change your powershell prompt to be even more useful for you.
<a href="https://absoblogginlutely.net/wp/wp-content/uploads/2013/09/masonichelpinghands.org-Screenshot-9_28_2013-4_00_11-PM.png"><img class="aligncenter size-full wp-image-3287" alt="Powershell prompt with the filename in the title and current time in the prompt" src="https://absoblogginlutely.net/wp/wp-content/uploads/2013/09/masonichelpinghands.org-Screenshot-9_28_2013-4_00_11-PM.png" width="671" height="211" /></a>
I’ve been working on a case with Microsoft’s Office365 support for several weeks trying to find out why email sent *to* a particular user was not being journalled. All the other mail seemed to be journalled to the external recipient, email from the user was working, just not email to that user.
The experience was quite frustrating as Microsoft’s support were terrible at calling back and could not grasp the concept of email tracking. Their solution after making a change was to wait a day to see if it was fixed although it was quite apparent that the Microsoft servers were not even trying to send the email (by looking at the Trace Logs you can see what email was being sent and received).
After checking the connectors were setup, mail properly scoped, the user had no rules on their mailbox, Microsoft’s solution was to delete the mailbox and reset it up again. Not so easy when the mailbox/user is federated with Active Directory and the user happens to be the owner of the company. That was not a conversation I was going to have with them!
The only thing that was different with this user was that in troubleshooting this issue we had set the user up to receive the journalling non delivery reports. I figured that if the emails were not being delivered, maybe sending him the errors would help. However no reports were being received either. However, according to KB 2829319 this behaviour can be seen. Although I had removed the journal receipient in the web gui, the emails were still not being journalled until I added another external email address to the configuration using the powershell command set-transportconfig -JournalingReportNdrTo [email protected]
At this point, all the email started to be journalled.
Note that we only added the recipient into the mix when I was trying to work on the initial problem so it looks like this wasn’t the only fix.
The other thing we did was change the outboundconnector to be onpremises. Changing the setting in the GUI we then ran Set-OutboundConnector archivemymailconnector -routeAllmessagesviaonpremises $true.
These two combinations seemed to fix the issue.
One thing I also learnt was that it is really useful to send multiple emails between changes and keep the subject line starting the same. Use the date/time at the end of the email. That way you can sort the email logs by Subject and just pick out the ones you were working on. By having the subject start with zzz followed by Round X (ie zzz Round 1 – change connector – 1345pm and zzz Round 1 – change connector 1346pm ) then the results are likely to appear at the end of your mail logs if you sort by subject. Sorting by Date was not always a good idea as mail flow could occur between mail coming into the server and mail leaving the server.
I have been battling this install for 2 days so far and not getting anywhere. There are a ton of sql prerequisites and the install error messages are very vague, like this message below:-
Surely it can’t be that hard to display the version of SQL server that is detected.
I’m currently following Harold Wong’s System Center install guide along with Matthew Peter’s guide and downloaded the Cumulative update 10 for SQL.
Attempting to install this patch on the server gives the error message below.
The stupid thing about this is that neither 10.51.2500.0 or 10.1.2531.0 are valid sql version numbers. Select @@version returns the accurate 10.50.2500.0 which is sql 2008 r2 sp1 but it ignores the previous cumalative update that I’ve already installed.
So far my hopes for System Center have been severely dashed and buried in the ground. It’s a good job we don’t have windows in this office or I’d be tempted to set fire to the server and chuck them out of the window.
It’s been a long start to the new year.