W7 64-bit: WMI hotfixes to date, post SP1

by butsch, 29 July 2015 06:30

 

WMI Hotfixes to date 29.07.2015

During IE11 projects we have seen problems with some WMI and WUSA.EXE KB installations. It sometimes seems that the WMI provider that offers that information hangs or is out of date; even after a refresh command it stays stuck. This is a list of hotfixes we found in that direction,

for existing Windows 7 64-bit deployments with SP1.

 

IE11 patch info:

http://www.butsch.ch/post/IE11-IEAK-11-Setup-9-PRE-Deployment-Patches-2b-1-Hotfix.aspx

 

YES = installs on W7 SP1 64-bit with all updates from WSUS to date 29.07.2015

NO = does not install on the same system

 

001 (YES)

https://support.microsoft.com/en-us/kb/2705357

2705357

Windows6.1-KB2705357-v2-x64.msu

 

002 (YES)

http://support.microsoft.com/kb/2692929

2692929

Windows6.1-KB2692929-x64.msu

 

003 (YES, but choose 2617858)

Unexpectedly slow startup or logon process in Windows Server 2008 R2 or in Windows 7

http://support.microsoft.com/kb/2465990

2465990 > SUPERSEDED > replaced by > 2617858 (https://support.microsoft.com/en-us/kb/2617858)

2465990 > Windows6.1-KB2465990-v3-x64.msu (older)

2617858 > Windows6.1-KB2617858-x64.msu (newer, supersedes the old one)

 

004 (YES)

https://support.microsoft.com/en-us/kb/2492536

2492536

Windows6.1-KB2492536-x64.msu

 

005 (NO)

https://support.microsoft.com/en-us/kb/982293

982293

Windows6.1-KB982293-x64.msu
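As an added example (not part of the original post), this PowerShell script reports which of the hotfixes listed above are present on a Windows 7 SP1 x64 host, treats KB2465990 as covered when KB2617858 is installed, and can run WUSA.EXE for missing ones; the `$MsuFolder` path is an assumed location for the downloaded .msu files.

```powershell
# Added example: status of the WMI hotfixes from the list above on a W7 SP1 x64 host.
# KB982293 is flagged because the post found it does not install on a patched SP1 system.
$WmiHotfixes = @(
    @{ KB = 'KB2705357'; Msu = 'Windows6.1-KB2705357-v2-x64.msu'; ReplacedBy = $null;       Installs = $true  },
    @{ KB = 'KB2692929'; Msu = 'Windows6.1-KB2692929-x64.msu';    ReplacedBy = $null;       Installs = $true  },
    @{ KB = 'KB2465990'; Msu = 'Windows6.1-KB2465990-v3-x64.msu'; ReplacedBy = 'KB2617858'; Installs = $true  },
    @{ KB = 'KB2617858'; Msu = 'Windows6.1-KB2617858-x64.msu';    ReplacedBy = $null;       Installs = $true  },
    @{ KB = 'KB2492536'; Msu = 'Windows6.1-KB2492536-x64.msu';    ReplacedBy = $null;       Installs = $true  },
    @{ KB = 'KB982293';  Msu = 'Windows6.1-KB982293-x64.msu';     ReplacedBy = $null;       Installs = $false }
)

function Get-WmiHotfixStatus {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$Install,
        [string]$MsuFolder = 'C:\Hotfixes'   # assumed folder holding the .msu files
    )
    # Get-HotFix reads Win32_QuickFixEngineering, i.e. it goes through the same WMI
    # provider the post describes as hanging; a timeout or error here is itself a finding.
    try {
        $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID
    } catch {
        Write-Warning "Get-HotFix failed on $ComputerName (WMI provider problem?): $_"
        return
    }
    foreach ($h in $WmiHotfixes) {
        if ($installed -contains $h.KB) {
            $status = 'INSTALLED'
        } elseif ($h.ReplacedBy -and ($installed -contains $h.ReplacedBy)) {
            $status = "SUPERSEDED by $($h.ReplacedBy)"
        } elseif (-not $h.Installs) {
            $status = 'MISSING (known not to install on patched SP1)'
        } elseif ($Install -and -not $h.ReplacedBy -and $ComputerName -eq $env:COMPUTERNAME) {
            $msu = Join-Path $MsuFolder $h.Msu
            if (Test-Path $msu) {
                # Unattended install; the reboot is left to the deployment tool
                $p = Start-Process wusa.exe -ArgumentList "`"$msu`" /quiet /norestart" -Wait -PassThru
                $status = "WUSA exit code $($p.ExitCode)"
            } else {
                $status = "MISSING ($($h.Msu) not found in $MsuFolder)"
            }
        } else {
            $status = 'MISSING'
        }
        New-Object PSObject -Property @{ Computer = $ComputerName; KB = $h.KB; Status = $status }
    }
}

Get-WmiHotfixStatus | Format-Table Computer, KB, Status -AutoSize
```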


Tags:

Client Management | Deployment | Hotfixes / Updates | Scripting | WSUS

WSUS: Do not install KB3022345, it sends info back to MS over SSL

by butsch, 27 July 2015 10:55

Not only ET wants to phone home! Microsoft is bombarding even corporate and small-business customers with updates they don't want and never agreed to. KB3022345 seems to be a patch for clients and servers which sends a lot of information, encoded over SSL, to Microsoft servers. They must be in a hurry for their Windows 10 release and want to catch every application in the world. As if we did not supply enough information with tools like MACT (https://www.microsoft.com/en-us/download/details.aspx?id=7352), they now get the info unasked. Feel free to block it on your private or corporate firewall. And no, nobody has pre-selected Windows 10 download and test-bunny mode.

Update: KB3022345

Hosts which are contacted:

191.232.139.254, vortex-win.data.microsoft.com

191.232.139.253, settings-win.data.microsoft.com

Port: HTTPS/SSL/443

https://support.microsoft.com/en-us/kb/3022345

Update for customer experience and diagnostic telemetry

This update has been replaced by the latest update for customer experience and diagnostic telemetry that was first released on June 2, 2015. To obtain the update, see 3068708 Update for customer experience and diagnostic telemetry.

Helping the overall application experience

The Diagnostics Tracking service collects diagnostics about functional issues on Windows systems that participate in the Customer Experience Improvement Program (CEIP). CEIP reports do not contain contact information, such as your name, address, or telephone number. This means CEIP will not ask you to participate in surveys or to read junk email, and you will not be contacted in any other way.

For any released product with an option to participate in CEIP, you can decide to start or stop participating at any time. Most programs make CEIP options available on the Help menu, although for some products, you might have to check settings, options, or preferences menus. Some prerelease products that are under development might require participation in CEIP to help ensure the final release of the product improves frequently used features and solves common problems that exist in the prerelease software.

Please also see the Windows 10 NAG screen posting we made:

http://www.butsch.ch/post/Windows-10-NAG-screen-active-How-to-prevent-(on-W7W8).aspx
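As an added example (not from the original post), this PowerShell script audits a Windows 7/8.1 host for the telemetry update and its service, and can remove the update and block the two hosts named above with an outbound firewall rule. Assumptions: the "Diagnostics Tracking service" has the service name DiagTrack, and KB3068708 is checked as well because the KB article says it replaces KB3022345.

```powershell
# Added example: find and remove the telemetry update described in the post.
function Get-TelemetryUpdateStatus {
    $kbs = 'KB3022345', 'KB3068708'
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $svc = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue   # assumed service name
    $svcState = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'not present' }
    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        TelemetryKBs    = ($kbs | Where-Object { $installed -contains $_ }) -join ','
        DiagTrackStatus = $svcState
    }
}

function Remove-TelemetryUpdate {
    param([switch]$BlockHosts)
    # Stop and disable the collector service first so nothing is sent while we work
    if (Get-Service -Name DiagTrack -ErrorAction SilentlyContinue) {
        Stop-Service -Name DiagTrack -Force -ErrorAction SilentlyContinue
        Set-Service  -Name DiagTrack -StartupType Disabled
    }
    foreach ($kb in 3022345, 3068708) {
        if (Get-HotFix -Id "KB$kb" -ErrorAction SilentlyContinue) {
            # wusa /uninstall /kb:<n> removes an installed .msu package unattended
            $p = Start-Process wusa.exe -ArgumentList "/uninstall /kb:$kb /quiet /norestart" -Wait -PassThru
            Write-Output "KB$kb uninstall exit code: $($p.ExitCode)"
        }
    }
    if ($BlockHosts) {
        # Outbound block for the two IPs from the post; netsh also works on Windows 7,
        # where the New-NetFirewallRule cmdlet does not exist yet.
        netsh advfirewall firewall add rule name="Block MS telemetry (KB3022345)" `
            dir=out action=block protocol=TCP remoteport=443 `
            remoteip=191.232.139.254,191.232.139.253
    }
    # Decline the update in WSUS as well, otherwise it is offered again on the next cycle.
}

Get-TelemetryUpdateStatus | Format-List
```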


McAfee ePO: prevent EXE running from %appdata%

by butsch, 14 July 2015 04:04

McAfee ePO: prevent EXE running from %appdata% folders with an Access Protection policy

How to protect from most 0-day Flash exploits and malware like Ransom Cryptowall in summer 2015. You simply can't keep up with patching, even with deployment or

management solutions in place. You should have an IPS filter like Fortigate with FortiGuard; Fortigate is most of the time involved in the detection of Flash exploits, so it is a good choice in that direction.

But the problem is viruses over SSL/HTTPS if you can't break the stream because of legal concerns.

Here is a solution to strip it down with McAfee, but as always it is not clear in their documentation.

Sure, this covers 80%, but it will take out some heat. Another tip would be to use Microsoft EMET on your side. There is also a GPO to prevent such things, but that takes more time to set up.

 

McAfee ePO server logon

  1. Go to Clients
  2. Assigned Policy
  3. Access Protection Policy
  4. Choose your "Policy" > "My Default"

Now the trick was the PATH. I am not sure, but ONE McAfee KB was wrong or not so effective here.

We are still unsure whether it has to be \ or / if you read their documentation.

Well, here is how it worked for us. We don't want to catch %appdata%\temp because there is already an

option in McAfee itself for that, and it was not a good idea with some customers and special apps.

01_APPDATA_ROAMING_BLOCK_EXE

avtask.exe, cfgwiz.exe, csscan.exe, dainstall.exe, EngineServer.exe, fssm32.exe, giantantispywa*, ienrcore.exe, kavsvc.exe, KillWia64.exe, mcdatrep.exe, mcscript*, mcshield.exe, mcupdate.exe, mfeann.exe, mfehidin.exe, msi*.tmp, msiexec.exe, mue_inuse.exe, navw32.exe, ncdaemon.exe, nmain.exe, Patch.log, regsvc.exe, rtvscan.exe, sdat*.exe, svchost.exe, TrolleyExpress.exe, VirusScanAdvancedServer.exe, vmscan.exe, VSE88HF793781.exe, \:::mcadmin.exe, \:::mcconsol.exe, \:::mcupdate.exe, \:::restartVSE.exe, \:::scan32.exe, \:::scncfg32.exe, \:::shcfg32.exe, \:::shstat.exe, \:::VSCore\dainstall.exe, \:::VSCore\x64\dainstall.exe, \:::vstskmgr.exe, \:::x64\scan64.exe

C:\users\**\appdata\local\**\*.exe

 

02_APPDATA_LOCALOW_BLOCK_EXE

avtask.exe, cfgwiz.exe, csscan.exe, dainstall.exe, EngineServer.exe, fssm32.exe, giantantispywa*, ienrcore.exe, kavsvc.exe, KillWia64.exe, mcdatrep.exe, mcscript*, mcshield.exe, mcupdate.exe, mfeann.exe, mfehidin.exe, msi*.tmp, msiexec.exe, mue_inuse.exe, navw32.exe, ncdaemon.exe, nmain.exe, Patch.log, regsvc.exe, rtvscan.exe, sdat*.exe, svchost.exe, TrolleyExpress.exe, VirusScanAdvancedServer.exe, vmscan.exe, VSE88HF793781.exe, \:::mcadmin.exe, \:::mcconsol.exe, \:::mcupdate.exe, \:::restartVSE.exe, \:::scan32.exe, \:::scncfg32.exe, \:::shcfg32.exe, \:::shstat.exe, \:::VSCore\dainstall.exe, \:::VSCore\x64\dainstall.exe, \:::vstskmgr.exe, \:::x64\scan64.exe

C:\users\**\appdata\local\**\*.exe

 

Some sample search patterns:

Find unwanted Google chrome.exe under %appdata%\local everywhere:

C:\users\**\appdata\local\**\chrome.exe

C:\users\**\appdata\local\**\gears-chrome-opt.msi
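As an added example (not from the original post or McAfee), this PowerShell script lists every .exe on the client that currently matches the Access Protection path patterns, so you can see what the rules would block (per-user Chrome installs and the like) before rolling them out. The wildcard semantics are my reading of McAfee KB54812 (`*` stays within one path segment, `**` may span backslashes, `?` is one character); the Roaming pattern is an assumed variant, since the post shows only the Local path. Assumes PowerShell 3.0 or later.

```powershell
# Added example: pre-deployment impact check for the Access Protection path patterns.
function ConvertTo-McAfeePatternRegex([string]$Pattern) {
    $r = [regex]::Escape($Pattern)                      # '\' -> '\\', '*' -> '\*', '?' -> '\?'
    $r = $r -replace '\\\\\\\*\\\*\\\\', '\\(?:.*\\)?'  # '\**\' : zero or more directory levels
    $r = $r -replace '\\\*\\\*', '.*'                    # other '**' : anything, incl. backslashes
    $r = $r -replace '\\\*', '[^\\]*'                    # '*'  : anything within one path segment
    $r = $r -replace '\\\?', '[^\\]'                     # '?'  : one character within a segment
    return '(?i)^' + $r + '$'
}

function Find-MatchingExecutables {
    param(
        [string[]]$Patterns,
        [string]$Root = 'C:\Users'
    )
    $regexes = $Patterns | ForEach-Object { [regex](ConvertTo-McAfeePatternRegex $_) }
    Get-ChildItem -Path $Root -Recurse -Force -Filter '*.exe' -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $path = $_.FullName
            $hit  = $regexes | Where-Object { $_.IsMatch($path) } | Select-Object -First 1
            if ($hit) {
                # The Authenticode status separates a known vendor's per-user install
                # from something that should never have been in AppData at all.
                $sig    = Get-AuthenticodeSignature -FilePath $path
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                [pscustomobject]@{
                    Path    = $path
                    Status  = $sig.Status
                    Signer  = $signer
                    Pattern = $hit.ToString()
                }
            }
        }
}

# The Local pattern from the post plus an assumed Roaming variant
$rules = 'C:\users\**\appdata\local\**\*.exe',
         'C:\users\**\appdata\roaming\**\*.exe'
Find-MatchingExecutables -Patterns $rules | Format-Table Path, Status, Signer -AutoSize
```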

 

 

Check the left corner for "Workstation" and for "Server"

Client-side test

ePO side view

 

Original link from McAfee:

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25480/en_US/McAfee_Labs_Threat_Advisory-Ransom_Cryptowall.pdf

Wildcard patterns, McAfee:

https://kc.mcafee.com/corporate/index?page=content&id=KB54812

Adobe:

https://helpx.adobe.com/security/products/flash-player/apsa15-04.html


How can you replace a DLL on an Enteo client for testing?

by butsch, 13 July 2015 06:18

How can you replace a DLL or a file on an Enteo client for testing? Today we received a DLL for a DEV fix from FrontRange. Then, after asking, a link to a KB article which describes a registry key. If anyone understands where you are now supposed or allowed to change it, please explain it to us. Perhaps in a drawing or a diagram?

WARNING: FrontRange is now an English company (KB article 12492)

Never use / change this key on a Management Point Server. This key must always be set on a Management Point Server because the client binary update is performed during Management Point update automatically.

 

Replacing a single test DLL on the Enteo agent

  1. Stop both FrontRange services
  2. Create the registry key on the CLIENT
  3. Restart both FrontRange services
  4. Stop both FrontRange services
  5. Replace the DLL (purely file-based, without registering the DLL)
  6. Start both FrontRange services
  7. Check that the two DLLs are not replaced again

Fix.reg, this key must be set on the DSM/Enteo/FrontRange client

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\NetSupport\NetInstall\SiteProperties]

"ClientAutoUpdateEnabled"=dword:00000000

 

Example files to replace, which Enteo customers receive from support:

KB article 12492
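As an added example (not from the original post or FrontRange), this PowerShell script runs the seven steps above in order and verifies in step 7 that the agent did not pull the old DLL back. The registry key is the one from Fix.reg; the service names and the two DLL paths are placeholders to be filled in.

```powershell
# Added example: scripted version of the seven steps, with a hash check at the end.
param(
    [string[]]$ServiceNames = @('<FrontRange service 1>', '<FrontRange service 2>'),  # placeholders
    [string]$NewDll    = 'C:\temp\fix\Example.dll',                                   # placeholder
    [string]$TargetDll = 'C:\Program Files (x86)\NetInstall\Example.dll'              # placeholder
)
$KeyPath = 'HKLM:\SOFTWARE\Wow6432Node\NetSupport\NetInstall\SiteProperties'   # from Fix.reg

function Stop-Agent  { $ServiceNames | ForEach-Object { Stop-Service  -Name $_ -Force } }
function Start-Agent { $ServiceNames | ForEach-Object { Start-Service -Name $_ } }
function Get-Sha256([string]$Path) {
    # .NET hashing so this also works on the PowerShell 2.0 that ships with Windows 7
    $sha = [System.Security.Cryptography.SHA256]::Create()
    ([System.BitConverter]::ToString($sha.ComputeHash([System.IO.File]::ReadAllBytes($Path)))) -replace '-', ''
}

# 1. Stop both services
Stop-Agent
# 2. Create the key on the CLIENT: ClientAutoUpdateEnabled = 0 (never on a Management Point)
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
Set-ItemProperty -Path $KeyPath -Name ClientAutoUpdateEnabled -Value 0 -Type DWord
# 3./4. Restart so the agent reads the key, then stop again for the file swap
Start-Agent; Start-Sleep -Seconds 10; Stop-Agent
# 5. Replace the DLL file-based only (no registration), keeping a backup of the original
Copy-Item -Path $TargetDll -Destination "$TargetDll.bak" -Force
Copy-Item -Path $NewDll    -Destination $TargetDll -Force
$expected = Get-Sha256 $TargetDll
# 6. Start both services
Start-Agent
# 7. Give the agent time to run its own update check, then confirm the file is still ours
Start-Sleep -Seconds 60
if ((Get-Sha256 $TargetDll) -eq $expected) {
    Write-Output "OK: $TargetDll survived the agent start (auto update stayed off)"
} else {
    Write-Output "FAIL: $TargetDll was replaced again; check $KeyPath on this client"
}
```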


Fine-grained Password Policy on 2012 R2 made easy with ADAC

by butsch, 8 July 2015 06:17

ADAC = NOT the German roadside assistance ;-)

Fine-grained Password Policy in a 2012 R2 domain Active Directory, error 4625 event

Sometimes you need accounts to never expire or never get locked out. We all know it's stupid in security terms, but if the software has a bug and locks the account you have to hurry. Search on ALL of the domain controllers for event 4625. There you should see the client that does it. There are also lockout/whoislocked scripts which do that. (Account locked)

The regular Domain password policy is here:

But we want a second one with different settings and only for a few users in a security group.

New way with ADAC on 2012 R2

http://blogs.technet.com/b/canitpro/archive/2013/05/30/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad.aspx

https://technet.microsoft.com/de-CH/library/hh831702.aspx

Old way with ADSIEDIT.MSC

http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/

https://technet.microsoft.com/en-us/library/cc754544(v=ws.10).aspx

 

Make a new AD security group: sg_gpo_password_policy_bsb_non_locked and make the accounts which should have the special password policy members of that group ("Only user accounts").

Go to System

Go to Password Settings Container

Choose "Directly applies to" and make sure you choose the correct security group you made for this.

In cmd on the DC run:

Repadmin /syncall

It's finished and working.

CROSS-CHECK the old method with ADSIEDIT
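As an added example (not from the original post), the same steps done with the ActiveDirectory PowerShell module on a 2012 R2 DC, followed by a resultant-policy check per user. The group name is the one from the post; the PSO name, precedence and the password settings other than the lockout threshold are assumptions to adjust.

```powershell
# Added example: fine-grained password policy for a group, no lockout, plus cross-check.
Import-Module ActiveDirectory

$GroupName = 'sg_gpo_password_policy_bsb_non_locked'
$PsoName   = 'PSO_bsb_non_locked'   # assumed PSO name

# 1. Security group that carries the special policy (put only user accounts in it)
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}

# 2. The PSO. LockoutThreshold 0 = never lock out. If a user is covered by several
#    PSOs the lowest Precedence wins; any PSO beats the default domain policy.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -LockoutThreshold 0 -ComplexityEnabled $true -MinPasswordLength 14 `
        -PasswordHistoryCount 24 -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00'
}

# 3. "Directly applies to": link the PSO to the group, not to individual users
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName

# 4. Replicate so every DC evaluates the same policy
repadmin /syncall

# 5. Cross-check: the resultant policy of a member must be the new PSO.
#    Get-ADUserResultantPasswordPolicy returns nothing when only the domain policy applies.
function Test-ResultantPso([string]$SamAccountName) {
    $rp = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($rp -and $rp.Name -eq $PsoName) {
        "$SamAccountName -> $($rp.Name): OK"
    } else {
        $applied = if ($rp) { $rp.Name } else { 'default domain policy' }
        "$SamAccountName -> ${applied}: NOT the expected PSO"
    }
}

Get-ADGroupMember -Identity $GroupName | Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Test-ResultantPso -SamAccountName $_.SamAccountName }
```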
