Windows
All things Microsoft
It’s Friday, have you cleaned malware from a PC this week?
Yesterday around 9 A.M., one of my co-workers called to inform me that they had a “popup” message on their computer while browsing the web. The first thought through my head was: “Here we go again…”. Before I even connected to the remote machine I knew what I was going to see. Another fake virus/malware/infection warning. I was right. As soon as I connected, I saw the warning: “You’re running unprotected, please click here to subscribe and removed the following infections.”
GAH! I am sick and tired of wasting my time cleaning this garbage up! Why can’t this stuff be stopped?
So, after spending 3 hours on the machine via PCAnywhere, I came to the conclusion that remote cleaning wasn’t going to work. I dispatched a person from each office to meet half-way to deliver the machine back to me. Around 2:30 yesterday afternoon I finally got a few moments to look at it.
The problem is, once the machine booted Windows, the keyboard and mouse became non-responsive. Either Windows had locked up, or the malware didn’t like being disconnected from the Internet (because I refuse to plug the NIC up until it is clean or temporarily running some other operating system). In either case, as it stood, the machine was useless.
This morning I’m sitting in front of it watching it run a ‘dd’ from the Ubuntu Live CD, duplicating its hard drive onto another for further analysis. I don’t know how successful I’ll be, but I’m going to try to bring this machine back from “windows death”.
I know I may end up blowing the hard drive away and re-loading the system, but I want to at least try to find out what this malware did and how the machine got infected. I’m tired of not knowing and simply formatting and reloading. I want to get to the bottom of this.
Changes to the Laptop
So I started to lay out the changes required for the new NEI Intranet this morning. A couple of things came to mind and were quickly shot down.
During this planning and organizing session one thing came to the top: The new site would need to be compatible with both Internet Explorer 8+ and Safari (because of the widespread use of iPhones and iPads at the office).
This brought me to the realization that my laptop, which is currently running Ubuntu Linux, really couldn’t be used to test the new code because I can’t use IE or Safari on Linux.
So, very shortly now, I’m going to back up my work to date and load Windows 7 on my laptop. That way I can load both IE and Safari along with my favorite Windows editor (Notepad++) and use PuTTY to access the code on the development server. (I’m toying with the idea of using WAMP on the laptop instead, but that’ll come later.)
I know, I could use VMware or VirtualBox. But this machine barely has enough resources to run Ubuntu or Windows 7 alone. I think having even a small virtual machine for just testing would be enough to break its back.
Yet another rant: Power Management
First, I understand the need for a computer to conserve power – especially laptops. When they’re sitting there doing nothing overnight or while a user is down the hall talking with a co-worker, etc., there’s really no need for the screen to be churning away at full brightness and wasting the electricity to do so. I completely understand that.
But what I don’t understand is when a computer is told to scan for viruses and the CPU and hard drive are going nuts fulfilling that task, power management kicks in and puts the machine in sleep mode. This is stupid!
I don’t know if this is the fault of the anti-virus program developer, the computer manufacturer, or Microsoft, but it shouldn’t be allowed to happen. I can understand and will live with the screen dimming/blanking, but not the whole machine going to sleep.
Come on guys (and gals), let’s talk about what should and shouldn’t happen and prevent sleep mode when the disk is under heavy IO or the CPU is above 1% of usage. It can’t be that hard!
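Windows does give an application a way to say exactly this: a process doing sustained work can hold a “system required” power request, which blocks sleep while leaving the display free to dim. The script below is an added example, not code from the original post or from any anti-virus vendor. It calls the Win32 API SetThreadExecutionState through P/Invoke around a stand-in “scan” (hashing every file under a folder), and clears the request when the work is done. The folder path is an assumed example.

```powershell
# Added example, not code from the original post: hold a "system required"
# power request for the duration of a disk-heavy job so power management
# cannot put the machine to sleep mid-scan. Uses the Win32 API
# SetThreadExecutionState through P/Invoke. The folder scanned is an
# assumed example path.
Add-Type -Namespace Win32 -Name Power -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint SetThreadExecutionState(uint esFlags);
'@

[uint32]$ES_CONTINUOUS      = 0x80000000   # keep the setting in force until cleared
[uint32]$ES_SYSTEM_REQUIRED = 0x00000001   # system must not sleep (the display may still dim)

function Invoke-ScanWithoutSleep {
    param([string]$Path = 'C:\Windows\System32\drivers')   # assumption: any folder busy enough to matter

    $previous = [Win32.Power]::SetThreadExecutionState($ES_CONTINUOUS -bor $ES_SYSTEM_REQUIRED)
    if ($previous -eq 0) { throw 'SetThreadExecutionState failed; power request not set' }
    try {
        # Stand-in for the AV scan: hash every file under $Path (sustained disk and CPU load)
        Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
            Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue
    }
    finally {
        # Clear the request so the normal sleep policy applies again
        [void][Win32.Power]::SetThreadExecutionState($ES_CONTINUOUS)
    }
}

# While this runs, "powercfg /requests" in an elevated prompt lists the
# SYSTEM request held by this PowerShell process.
Invoke-ScanWithoutSleep | Select-Object -First 5 -Property Path, Hash
```

The request is per process, so whichever program is doing the scanning has to make the call; that is why a scanner that forgets to do so gets put to sleep by an otherwise sensible power plan. Running `powercfg /requests` while a job is in progress tells you whether the scanner in question holds such a request at all.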
Symantec Endpoint Protection
I have Symantec Endpoint Protection (SEP) installed in two locations – both with “on the side” clients of mine. Once their respective support contracts expire, I will be removing SEP from both sites.
Why? Simple. It’s too finicky to be trusted.
In both offices I’ve basically got someone onsite who has to reboot the server once a month to keep the thing running. When it’s running, I guess it does ok, but when it fails, it might be days before anyone knows about it.
But the nail in the coffin was when I called Symantec’s tech support today and was told that since I bought it from Dell, I need to call Dell for support. That, of course, is 100% wrong. A second call 20 minutes later proved that. But it was simply the fact that their own support agent didn’t know what she was supposed to support and when that gave me the very WRONG impression of Symantec’s abilities.
Another thing that really surprised me was when I found out that the database used by SEP was corrupt, the only option provided to me was to un-install and re-install the entire server program! No diags, no possible salvage, nothing – just wipe and reload.
Oh, if you’re still thinking about using this product, be sure that your server has at least 4GB of free space (after the SEP install of course) on the “C” drive or its database could simply run out of room. Apparently SEP downloads anti-virus definitions three times a day (not a problem) and holds on to every one of them for a very long time – like maybe as long as a year! (BIG PROBLEM)
I did find a nice utility to use though – SpaceSniffer. It’s a tool that graphically shows you where the space on your hard drive is being allocated. Today it pointed out that nearly 40GB of this server’s storage was being used by the SQL server. Not that I could do anything about it, but at least it shows me the biggest uses of the space that I have.
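The 4GB figure above is the kind of thing worth checking on a schedule rather than discovering after the database has already corrupted itself. The script below is an added example, not from the original post or from Symantec: it warns when the C: drive falls under that threshold and lists the largest top-level folders, which is roughly the view SpaceSniffer gives you, in a form that can be dropped into a scheduled task. The drive letter, threshold and folder count are assumed defaults.

```powershell
# Added example, not code from the original post: warn when C: is short of
# room and list the largest top-level folders (a text version of what
# SpaceSniffer shows graphically). Threshold and paths are assumed defaults.
$MinFreeGB = 4   # the minimum the post recommends for a SEP server

function Test-FreeSpace {
    param([string]$Drive = 'C', [double]$MinGB = $MinFreeGB)
    $d = Get-PSDrive -Name $Drive
    $freeGB = [math]::Round($d.Free / 1GB, 1)
    [pscustomobject]@{ Drive = $Drive; FreeGB = $freeGB; Ok = ($freeGB -ge $MinGB) }
}

function Get-TopFolders {
    param([string]$Root = 'C:\', [int]$Top = 10)
    # Sum file sizes under each top-level directory; access-denied entries are skipped
    Get-ChildItem -Path $Root -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $bytes = (Get-ChildItem -Path $_.FullName -File -Recurse -Force -ErrorAction SilentlyContinue |
                  Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{ Folder = $_.FullName; SizeGB = [math]::Round(($bytes / 1GB), 2) }
    } | Sort-Object -Property SizeGB -Descending | Select-Object -First $Top
}

$space = Test-FreeSpace
if (-not $space.Ok) {
    Write-Warning "Only $($space.FreeGB) GB free on $($space.Drive): (below the $MinFreeGB GB a SEP server needs)"
}
Get-TopFolders | Format-Table -AutoSize
```

Run it as a scheduled task under an account that can read the SEP and SQL directories; the `Write-Warning` line is the place to hook in whatever alerting the site already uses.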
In addition (as my last post states) I found out about “netsh” and some additional Group Policy firewall controls that work – most of the time.
All in all, it’s been a GREAT day! NOT!
Microsoft’s Command Line Syntax SUX!!!
So when Windows XP SP2 came out, it included the “Windows Firewall”. In most cases, I would say this was a good thing. This was most true for home users where even a little security is a good thing. For the corporate user (or more specifically, the domain administrator), this was really more of a pain than anything – especially when it came to nag screens that scream you were unprotected if the firewall wasn’t turned on. In most cases the corporate user is protected by more means than they are aware of and the Windows firewall is not really affording them any additional protection. (And yes I know about internal threats, etc. In most cases, internal threats use the very same mechanism that everyone needs to have access to anyway – File and Printer sharing – so again the firewall provided by Microsoft in the corporate environment is a joke.)
At any rate, either at the same time that the Windows firewall came out or shortly thereafter came the ability to control that firewall from the command line. This was a good thing – especially for the Domain Administrator that needs to punch holes in the firewall or even temporarily disable it for application installation.
The syntax wasn’t really all that hard – but being Microsoft, it had its own…what’s the right word…flair. For example:
netsh firewall add portopening TCP 80 "Open Port 80"
That command would create a rule opening, as you can guess, port 80.
Sometime between then and now Microsoft decided to change that. They’ve updated the “netsh” command to make it better. Let’s take a look – we’re going to duplicate the same process – opening port 80 with the new “advanced” and “better” netsh:
netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80
See! Isn’t that better!
Now you have to type about twice as much and enter the word “firewall” twice! I think it’s the same mentality that brought us the ten thousand “Are you sure?” dialog boxes. Yes, I’m really sure I want to mess with the firewall! GEEEZ!
Here is one case where I REALLY do want Microsoft to copy from Linux. It just seems to me that the Linux command line is so much simpler than the Windows command line. But that’s just me.
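The extra keywords do buy one thing: the advfirewall form can carry the scope that the one-liner above leaves out, so the rule admits port 80 only on the domain profile and only from a given subnet instead of from anywhere on every profile. The script below is an added example, not code from the original post or from Microsoft. It adds the rule with that scope, reads it back with `show rule` and flags it if it turned out wider than intended. It must run from an elevated prompt; the subnet 10.0.0.0/24 is an assumed value.

```powershell
# Added example, not code from the original post: open TCP/80 inbound with
# the advfirewall syntax the post shows, but scoped to the domain profile and
# one source subnet, then check that the rule really is that narrow.
# Run from an elevated prompt. 10.0.0.0/24 is an assumed value.
$RuleName  = 'Open Port 80'
$RemoteNet = '10.0.0.0/24'   # assumption: the network that should reach the web server

function Add-ScopedHttpRule {
    # Drop any earlier copy so repeated runs do not stack duplicate rules
    # (netsh returns non-zero when nothing matched; that is fine here).
    netsh advfirewall firewall delete rule name="$RuleName" dir=in | Out-Null

    netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
        protocol=TCP localport=80 profile=domain remoteip=$RemoteNet `
        description="HTTP from $RemoteNet only"
    if ($LASTEXITCODE -ne 0) { throw "netsh add rule failed (exit code $LASTEXITCODE)" }
}

function Test-RuleScope {
    # Read the rule back; the output carries one 'RemoteIP:' and one 'Profiles:' line per rule
    $lines = netsh advfirewall firewall show rule name="$RuleName" verbose
    if ($LASTEXITCODE -ne 0) { throw "rule '$RuleName' not found" }
    $remote   = ($lines | Where-Object { $_ -match '^RemoteIP:' } | Select-Object -First 1) -replace '^RemoteIP:\s*', ''
    $profiles = ($lines | Where-Object { $_ -match '^Profiles:' } | Select-Object -First 1) -replace '^Profiles:\s*', ''
    [pscustomobject]@{
        Rule     = $RuleName
        RemoteIP = $remote
        Profiles = $profiles
        Scoped   = ($remote -ne 'Any' -and $profiles -eq 'Domain')
    }
}

Add-ScopedHttpRule
$check = Test-RuleScope
$check | Format-List
if (-not $check.Scoped) { Write-Warning "rule '$RuleName' is wider than intended" }
# Undo when finished:  netsh advfirewall firewall delete rule name="$RuleName" dir=in
```

The read-back step is the part worth keeping even if you type the rest by hand: a rule whose RemoteIP shows `Any` is the old one-liner’s behaviour under a longer name, and the `delete rule` line at the end is the matching cleanup so a temporary hole does not outlive the install it was opened for.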