Archive for July 2008

SEP11 and Custom Notification Emails

From a thread at the Symantec Forums, it looks like Symantec has left out a critical component of admin virus alerts.
I like to receive emailed virus alerts when client computers detect a virus. Waiting for me to open SEPM and look in the console or waiting for the user to mention it is not an option. While SEP11 has email virus alert functionality, it cannot be customized. Their email is not as useful as it should be because it does not include the file path or filename.
If anyone knows of a way to do this let me know.

Happy Sysadmin Day

Happy Sysadmin Day.
As usual I’m not in the office on Sysadmin Day (the last Friday of every July). I can only assume the guys that are in today are being showered with gifts.

Symantec False Positive in DWRCS.exe

Symantec has reported a false positive:

The second set of July 23, 2008 LiveUpdate postings will correct a false positive detection on DWRCS.EXE from DameWare Development LLC. The affected file is incorrectly detected as Infostealer.Gampass. This FP was first introduced in RapidRelease definitions build number 83841 (version 07/22/2008 revision 53) and in the 07/23/2008 revision 9 LiveUpdate and Intelligent Updater definitions. It was corrected in RapidRelease definitions build number 83882 (version 07/23/2008 revision 37).

DNS Inkblot test

So Donna thinks that PC World is a victim of DNS Cache Poisoning.
What is the attack here? pcworld.com DNS resolves to 70.42.185.10 which according to an IPWHOIS is their IP address.
So what if removespyware.ru resolves to the same address? Unless they can modify the routing, I don’t see what they’ve accomplished other than getting Donna to add the IP to the Outpost firewall blacklist while invoking the name Dan Kaminsky.
If a site “malware.r.us” has a reputation for serving malware, and they change their DNS to resolve that URL to my website, why should my website be blocked? The biggest security problem here is the denial of service instigated by the Outpost personal firewall against an innocent website.
I guess when you’re looking for a DNS cache poisoning attack, everything looks like a DNS cache poisoning attack.

Verizon on DNS Vuln: Don’t Panic

I’ve seen more than a handful of snarky posts linking results from http://www.doxpara.com’s DNS tester and complaining that their ISP is still vulnerable to DNS attack mere days after the patches were released.
The Verizon Business Security Blog has some good comments and reports they have recommended to their customers to patch within 30 days.

Birthday Attack

No, not this one. I’m just falling into the classic blog trap of making a cutesy title rather than a descriptive one.
I’ve been thinking a bit about birthdates and identity theft. What is it they’re going to do with my birthdate? I don’t know, but apparently I’m supposed to be afraid of anyone having data about me (watch out for Google) even if the data isn’t personally identifying.
Sophos reported yesterday a bug in a beta version of Facebook (since fixed). It would display the date of birth even when it was marked as private.

You’ve all heard of the “trade your password for a chocolate bar” test. Apparently many people are failing the “trade your date of birth for a scoop of ice cream at Baskin-Robbins” test.
I guess I’d rather have my friends wish me happy birthday on the right day. I’d rather not have to remember which day my fake birthday is so I can get my free scoop of ice cream. I’d rather not get busted for phony documents because I need an ID with my fake birthday on it to get a free meal (with the purchase of a second meal) at Texas de Brazil (coupon required).

Firefox 2.0.16 and 3.0.1 released

Firefox 2.0.16 and 3.0.1 are out to fix the following security vulnerabilities.
MFSA 2008-35 Command-line URLs launch multiple tabs when Firefox not running
MFSA 2008-34 Remote code execution by overflowing CSS reference counter
UPDATE – looks like 3.0.1 isn’t out just yet. Keep your eyes open for it. http://www.mozilla.org/security/known-vulnerabilities/firefox30.html

NAC and Patching

When I was looking at different NAC solutions, I remember one vendor being aghast at my plans for NAC, “NAC isn’t patch management” he sputtered. While I agree that no one is looking to supplant their SMS/patchlink whatever with NAC, making sure every computer meets a baseline requirement is an important goal.
We continued looking at vendors and eventually went with Forescout’s CounterACT. As I’ve been implementing it, one of the things that struck me was that Microsoft SMS 2003 is even worse than I thought. We used Forescout to run a check for June 2008 Microsoft patches. What I found was 5% of the systems didn’t have those patches because their SMS was hosed.
Using NAC to gather vulnerability information has a lot of advantages. Unlike vulnerability scans, in many cases I was not restricted by personal firewalls. The Forescout uses a connector so it can run scans on the local machine with admin credentials. A vulnerability scan runs once per week and not every system may be online. With Forescout I have a more accurate view of the patching in the enterprise because the scan can be set to run as the client comes online.
Forescout NAC has given me insight into the network that I didn’t have before. Unfortunately it’s like putting in a 100 watt bulb after you’ve been using 40 watts. With the sudden brightness, you see the cobwebs and dirt that you hadn’t noticed before.
The next steps are to fix the SMS on the 5% of systems that are broken. Plans are being drawn up to upgrade to SCCM, which uses WSUS for updates. I’m hoping that version will be more robust.

Zlib Compression Denial of Service

Secunia PSI has been alerting on a vulnerable version of zlib.dll in many of my applications on my home computer. In a security writeup from July 2005, Secunia reports

a vulnerability in zlib, which can be exploited by malicious people to cause a DoS (Denial of Service) against a vulnerable application.
The vulnerability has been reported in version 1.2.2. Prior versions may also be affected.

This doesn’t bother me so much when it is detected in old versions of Taxcut installed on the computer, but when it is reported in Wireshark 1.0.1 (not sure if this is fixed in Wireshark 1.0.2) and the latest version of iTunes, I wonder what the deal is.
UPDATE – See the comments, this is actually fixed in Wireshark in spite of the Secunia detection.
I renamed the old dll and replaced it with the latest version from http://www.zlib.net/. Secunia is happy, and it didn’t seem to cause any issues with the applications.
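Secunia PSI does the hunting for you, but the same inventory can be done by hand. The following PowerShell script is an added example (not from the original post): it walks the program directories for copies of zlib.dll and flags any whose embedded file version is at or below 1.2.2, the version named in the advisory quoted above. It assumes the DLL’s FileVersion resource reflects the zlib release; copies with no version resource are reported as “unknown” so they can be checked manually.

```powershell
# Added example: inventory zlib.dll copies and flag versions <= 1.2.2
# (the version the Secunia advisory names). Not the blog's or Secunia's code.
param(
    # Roots to search; adjust for your own layout (assumption: apps live here)
    [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) | Where-Object { $_ },
    [version]$MaxAffected = [version]'1.2.2'   # taken from the advisory text above
)

function Get-ZlibStatus {
    param([string[]]$Roots, [version]$MaxAffected)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Filter 'zlib*.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $raw = $_.VersionInfo.FileVersion
            $ver = $null
            # FileVersion strings vary: "1.2.2", "1.2.2.0", "1, 2, 3, 0", or empty.
            # Normalise to digits and dots, then to Major.Minor.Build so that
            # "1.2.2.0" still compares equal to 1.2.2 (a 4-part version would not).
            $clean = if ($raw) { ($raw.Trim() -replace ',\s*', '.') -replace '[^\d\.].*$', '' } else { '' }
            if ($clean -and [version]::TryParse($clean, [ref]$ver)) {
                $ver    = [version]"$($ver.Major).$($ver.Minor).$([math]::Max($ver.Build, 0))"
                $status = if ($ver -le $MaxAffected) { 'AFFECTED' } else { 'ok' }
            } else {
                $status = 'unknown'   # no version resource: inspect by hand
            }
            [pscustomobject]@{
                Status  = $status
                Version = if ($ver) { $ver.ToString() } else { $raw }
                Path    = $_.FullName
                App     = $_.Directory.Name   # rough hint at which application shipped it
            }
        }
    }
}

Get-ZlibStatus -Roots $Roots -MaxAffected $MaxAffected |
    Sort-Object Status, Path |
    Format-Table -AutoSize
```

Rows marked AFFECTED are candidates for the rename-and-replace step described above; check the “unknown” rows against the vendor’s release notes before touching them, since a DLL with no version resource may already be a patched private build.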

Group Policy Management Console and Vista SP1

I’m sure some people will read this and think gee what a moron, but it may save some other people a few minutes.
After installing Symantec Endpoint Protection, I found that the Windows Firewall was still enabled on my computer. I had set up a WMI filtered Group Policy that disabled the Windows Firewall if SEP11 was installed. Eventually, I remembered that I created the firewall disable policy on Windows 2003, and that was not going to be able to manage the Vista policy. While I could disable the XP firewall, there were some Vista options not available in that policy.
I notice there are some things called Vista Extensions for Group Policy, perhaps that would have added the missing pieces to my Windows 2003 GPMC, but I don’t know.
I set out googling GPMC and Vista. I was beset by websites talking mostly about release candidate versions of Vista. There were a few pre-SP1 articles complaining that it was being removed. Even searching at Microsoft.com didn’t help. I finally found a forum post that linked KB941314, the Remote Server Administration Tools for Vista SP1 and Windows 2008. I installed that, but apparently didn’t read the instructions because I still couldn’t find the Group Policy Management Console after the installation concluded. Eventually I found a post indicating the need to install the KB, then go into Control Panel -> Programs -> Programs and Features and add new Windows features.
I ultimately solved the problem I was trying to solve, after wasting a lot of time.