InstallShield 6.x, Microsoft App-V 4.6.x sequencing error

 

ERROR: The installshield engine (ikernel exe) could not be launched interface not registered

FEHLER: Schnittstelle nicht unerstützt

Problem: You are unable to sequence a software setup that ships with InstallShield (Flexera) version 6 on Windows 7 with the App-V 4.6.x Sequencer.

 

We just had a case where a producer of German software still uses InstallShield 6 (from 2000, 17 years old) to ship EVEN recent client versions of their software to customers. The application did work in every older version of App-V. If they had rewritten their setup with InstallShield/Flexera products from version 10/11 on, they could even SUPPLY an App-V package to their customers. But the full edition of that suite costs around USD 5'000.-, so they tend to skip updates ;-)

 

https://www.flexera.com/producer/resources/white-papers/is-appvdevelopers.html

 

This is the error we got while trying to sequence the Allegion Interflex Client 1.83, which ships with InstallShield 6.

 

You have already tried everything from:

http://consumer.installshield.com/faq.asp

  • All TEMP folders at every location (%temp% and C:\Windows\Temp) were emptied
  • No InstallShield leftover process running anywhere
  • Every installation of any other or older version of InstallShield components was removed
  • DCOM permissions for the SYSTEM user set or reverted
  • Windows Installer service startup state AUTO/MANUAL (changed during or before sequencing, then reverted)
  • Tried to silently install InstallShield INSIDE the sequencer with .INI files etc.

 

We narrowed the problem down to the InstallShield 6 setup itself: "IkernelUpdate.exe".

This is just the runtime part of InstallShield, which is contained, for example, in the setup.exe that software developers ship with software built with InstallShield.

On a completely different second sequencer machine we had the same error on German Windows 7 64-bit SP1 Enterprise.

 

We briefly looked into the "LEGO ISLAND 2.ico" and the "T-online\setup.exe" found inside, BUT those are contained in every InstallShield 6.x release from all sources. Maybe some education or test keys, maybe leftovers?

In days of ransomware you have to be sure what developers ship into your box and whether they are aware of such things. So we did a Procmon and sandbox analysis of all the files.

However, the ORIGINAL sample from InstallShield/Flexera from the year 2000 had those things too, so all fine we guess.

 

 

We did not find any other suspicious information in the supplier's setup.exe or in the IkernelUpdate.exe binary.

 

Solution / workaround:

To SEQUENCE an InstallShield 6.x setup with App-V 4.6 under Windows 7 64-bit:

  1. Download the InstallShield 6 runtime from Flexera:

http://support.installshield.com/kb/files/Q108322/IkernelUpdate.exe

  2. Pre-install IkernelUpdate.exe on your sequencer machine before you sequence!
  3. From that point, open the Sequencer and install the software that ships with InstallShield 6. The setup will see that the correct engine version is already installed and skip the check.

     

     

     

 

Microsoft Framework 4.6.1 for W7 WSUS Integration

 

Identify .NET Framework 4.6.1 via its registry key:

https://msdn.microsoft.com/de-de/library/hh925568(v=vs.110).aspx

Blog post on .NET Framework 4.6.1 in WSUS:

https://blogs.technet.microsoft.com/wsus/2016/01/20/microsoft-net-framework-4-6-1-coming-to-wsus/

Important: 

  • When you synchronize your WSUS server with Microsoft Update server (or use Microsoft Update Catalog site for importing updates), you will see that there are two updates with .NET Framework 4.6.1 being published for each platform. The difference in the updates is scoped to the different applicability logic for targeting different computers. Please read the details included in the description of the respective update to get more information. We recommend that you import both the updates, if you plan to deploy .NET Framework 4.6.1 in your Enterprise.
    • One of the .NET Framework 4.6.1 updates will install only on computers that have an earlier version such as .NET 4, 4.5, 4.5.1, or 4.5.2 installed
    • The other .NET Framework 4.6.1 update will install on those computers that either have .NET 4.6 installed or no .NET Framework installed.
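As an added example (not from the Microsoft blog post or this page), the PowerShell below reads the Release DWORD under the NDP\v4\Full key that the MSDN article above documents, maps it to a .NET version, and reports which of the two WSUS 4.6.1 updates would apply to the machine. The thresholds are Microsoft's documented minimum Release values; the function names are mine.

```powershell
# Added example: classify an installed .NET 4.x by its Release value and tell
# which of the two WSUS .NET 4.6.1 updates targets this computer.

function Get-NetFx4Release {
    # The "Full" key exists for every .NET 4.x; the Release value only from 4.5 on.
    param([string]$Key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full')
    if (-not (Test-Path $Key)) { return $null }            # no .NET 4.x at all
    $item = Get-ItemProperty -Path $Key -Name Release -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }                        # key present, no Release: .NET 4.0
    return [int]$item.Release
}

function ConvertTo-NetFx4Version {
    # Minimum Release values per Microsoft's documentation (msdn link above).
    param($Release)
    if ($null -eq $Release)  { return 'none' }
    if ($Release -ge 394254) { return '4.6.1 or later' }     # 394254 (Win10 1511) / 394271 (others)
    if ($Release -ge 393295) { return '4.6' }                # 393295 (Win10) / 393297 (others)
    if ($Release -ge 379893) { return '4.5.2' }
    if ($Release -ge 378675) { return '4.5.1' }
    if ($Release -ge 378389) { return '4.5' }
    return '4.0'
}

function Get-WsusNetFx461Applicability {
    # Mirrors the two-update split described in the WSUS blog post above.
    param([string]$Version)
    switch ($Version) {
        'none'           { return 'update for "4.6 installed or no .NET Framework"' }
        '4.6'            { return 'update for "4.6 installed or no .NET Framework"' }
        '4.6.1 or later' { return 'not applicable, 4.6.1 or newer already present' }
        default          { return 'update for "earlier 4.x (4, 4.5, 4.5.1, 4.5.2)"' }
    }
}

$release = Get-NetFx4Release
$version = ConvertTo-NetFx4Version -Release $release
[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    Release    = $release
    NetFx      = $version
    WsusUpdate = Get-WsusNetFx461Applicability -Version $version
}
```

Run it on a sample of clients (or wrap it in Invoke-Command) before approving the two updates, so you know how many machines fall into each applicability group.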

 

 

McAfee ENS 10.5.x HIPS module, Exploit Prevention, ExP:Invalid Call: how to exclude single API calls (SolidWorks CAD)

 

You have ENS 10.5.1 on Windows 7 64-bit.

You have THREAT PREVENTION / Exploit Prevention with all HIPS categories HIGH, MEDIUM and LOW set to Report AND Block (all three).

You use SolidWorks CAD or any other software that triggers ExP:Invalid Call in the HIPS module.

 

This is general guidance from us on how to exclude things from the HIPS module that is integrated in every ENS Endpoint 10.5.x client from McAfee.

 

Alert/events you see from the McAfee HIPS module:

 

 

Description / error you see (event text as shown by a German client):

Endpoint Security

Ereigniskategorie: Buffer Overflow durch Host-Eindringungsversuch

Schweregrad der Bedrohung: Kritisch

Name der Bedrohung: ExP:Invalid Call

Typ der Bedrohung: Exploit-Schutz

Ausgeführte Aktion: Blockiert

Entdeckungsmethode des Analyseprogramms: Exploit Prevention

Modulname: Bedrohungsschutz

Analyseprogramm – Inhaltsversion: 10.5.0.7691

Analyseprogramm – Regel-ID: 6015

Ziel signiert: Ja

Name des übergeordneten Zielprozesses: SVCHOST.EXE

Zielname: DLLHOST.EXE

Zielpfad: C:\WINDOWS\SYSWOW64

API-Name: OpenProcess

 

Beschreibung:

 

ExP:Invalid Call hat einen Exploit-Versuch auf 'C:\WINDOWS\SYSWOW64\DLLHOST.EXE' Blockiert, der vom Modul MWSCRIPTGUI.DLL abgerufen wurde, wodurch ein Angriff auf die API OpenProcess durchgeführt wurde.

 

 

Here is the event on the dashboard (screenshots: German and English).

 

Note down the following from the event above:

  1. the Analyzer Rule ID: 6015
  2. the API name: OpenProcess
  3. the called module from the description text: MWSCRIPTGUI.DLL

 

Go to your Exploit Prevention policies.

Now check whether the rule is active for reporting and blocking:

Enter the Analyzer Rule ID in the search field and tick all boxes above (don't save, this is just to see whether you have it active).

 

Here you see that rule 6015 is active in that policy (screenshots: German and English).

 

Now, above in the POLICY, add an exclusion using the information we noted from the event above.

 

This is what it looks like when done (screenshots: German and English; the German screenshot shows "DL" instead of "DLL", see the English version below).

SAVE

SAVE (two times, don't forget)

 

Now TEST and update the McAfee Agent.

 

ONLY if this does NOT work should you turn off rule 6015 completely.

The last (worst) option is to turn HIPS rule 6015 of ENS completely OFF.

 

McAfee ePO SQL: shrink large files in small steps

For all DBAs: yes, we know, but McAfee tells us to shrink ;-)

Also see our security concerns regarding centralized SQL for security appliances/servers.

 

Problem:

You are unable to shrink the McAfee ePO SQL database with Management Studio (GUI). The DB is already in "SIMPLE" recovery mode.

 

Management thoughts:

There is a basic discussion, coming from real-world outbreak experience, on whether to:

a)    keep SQL on the ePO server with SQL Express and its XX GB limit

OR

b)    put everything in a large centralized SQL cluster

c)    install a fully licensed SQL on the ePO server

 

Why?

The problem in an outbreak may be that ePO can't reach the dedicated SQL server, WHICH by the way is anyway ATTACK priority 1 in today's ransomware. So we keep SQL local. Now, because nobody has money, we often use SQL Express.

This works just perfectly UNTIL you reach the SQL Express limit, and that only happens with FALSE positives or when a real outbreak is there. You can filter what the Agent sends to ePO for that reason. McAfee is often the #1 source itself, with product A alerting on McAfee product B as a false positive, like the change they had with P9 for VSE 8.8.

 

Solution:

Here is how to SHRINK the DB and transaction LOG in small steps so that the temp space SQL needs for this does not grow out of control. Sometimes this is also needed to get around the SQL Express limit, which is 10 GB for 2008 R2 Express.

 

1)    Make sure you have at least as much free space on the disk as the SIZE of the DB > resize the ePO VM's C: or D: drive in the VM and extend it in FDISK.

2)    Check locks (maybe better than rebooting the ePO server in such a situation):

 

select cmd,* from master..sysprocesses where db_name(dbid)='ePO4_CUSEPO3'

Check the ePO database size on SQL Express. Once again, you need space to shrink it. Then do the steps mentioned here with really small values (like: dbcc shrinkfile(ePO4_CUSEPO3_log, 100), i.e. 100 MB or less each time).

 

 

Use this to see the file names (logical and physical) of the SQL DB you need to shrink via CLI:

sp_helpfile

Sample logical file names (these are what dbcc shrinkfile takes):

 

EPO4_CUSEPO3

EPO4_CUSEPO3_log

 

 

Then do the following to shrink the log file and the data file in 1000 MB (= 1 GB) steps (repeat a few times):

 

use ePO4_CUSEPO3

go

dbcc shrinkfile(ePO4_CUSEPO3_log, 1000)

 

use ePO4_CUSEPO3

go

dbcc shrinkfile(ePO4_CUSEPO3, 1000)
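Added example (not from the original post, and not a McAfee script): a PowerShell version of the stepwise shrink above that uses .NET's System.Data.SqlClient so it runs without the SqlServer module. It first checks the free-space rule from step 1, then issues DBCC SHRINKFILE repeatedly, each time with a target only 100 MB below the current size, for the log file and then the data file, and stops as soon as a step makes no progress. Instance name, step size and floor size are assumptions; the database and file names are the ones from this post.

```powershell
# Added example: shrink the ePO data and log files in small steps instead of
# one big DBCC SHRINKFILE, and refuse to start unless the drive holding the
# files has at least as much free space as the database currently uses.

$Instance = '.\SQLEXPRESS'   # assumption: SQL Express on the ePO server, Windows auth
$Database = 'ePO4_CUSEPO3'   # database name from this post
$StepMB   = 100              # shrink 100 MB per call, as the post recommends
$FloorMB  = 1000             # stop once the file is down to this size (assumption)

function Invoke-EpoSql {
    # Runs one statement and returns its rows as DataRow objects.
    param([string]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Database=$Database;Integrated Security=True")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText    = $Query
        $cmd.CommandTimeout = 600
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return @($table.Rows)
    } finally { $conn.Close() }
}

function Get-EpoFileSizes {
    # Logical name, physical path and size of each file (size is in 8 KB pages).
    Invoke-EpoSql "SELECT name, physical_name, size/128 AS size_mb, type_desc FROM sys.database_files"
}

function Test-ShrinkHeadroom {
    # Step 1 of the post: free space on the data drive must cover the DB size.
    $files   = @(Get-EpoFileSizes)
    $totalMB = ($files | Measure-Object -Property size_mb -Sum).Sum
    $drive   = (Split-Path -Qualifier $files[0].physical_name).TrimEnd(':')
    $freeMB  = [math]::Floor((Get-PSDrive -Name $drive).Free / 1MB)
    Write-Host ("DB uses {0} MB, drive {1}: has {2} MB free" -f $totalMB, $drive, $freeMB)
    return ($freeMB -ge $totalMB)
}

function Invoke-StepwiseShrink {
    # Repeat DBCC SHRINKFILE with a target $StepMB below the current size, so each
    # run needs little temp space; stop at the floor or when nothing changes
    # (e.g. the log's active VLFs cannot be released yet).
    param([string]$LogicalName)
    while ($true) {
        $size = (Get-EpoFileSizes | Where-Object name -eq $LogicalName).size_mb
        if ($null -eq $size) { throw "file '$LogicalName' not found in $Database" }
        if ($size -le $FloorMB) { break }
        $target = [math]::Max($FloorMB, $size - $StepMB)
        Write-Host ("{0}: {1} MB -> target {2} MB" -f $LogicalName, $size, $target)
        Invoke-EpoSql "DBCC SHRINKFILE ([$LogicalName], $target)" | Out-Null
        $after = (Get-EpoFileSizes | Where-Object name -eq $LogicalName).size_mb
        if ($after -ge $size) { Write-Warning "$LogicalName: no progress, stopping"; break }
    }
}

if (-not (Test-ShrinkHeadroom)) { throw "Not enough free disk space to shrink safely" }
Invoke-StepwiseShrink -LogicalName "${Database}_log"
Invoke-StepwiseShrink -LogicalName $Database
```

Run it from an elevated PowerShell on the ePO server while the ePO services are stopped or idle; the lock check from step 2 (sysprocesses) still applies before you start.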

 

Please note THAT some TABLES changed from ePO 5.x to 5.2/5.3; this may be the reason you finally landed on this post.

Here are the sample scripts we use to keep customer ePOs small.

 

 

 

UP TO ePO 5.1 < Important!

use EPO4_CUSepo3

go

DELETE FROM EPOEvents WHERE (DetectedUTC < GETDATE() - 30)

go

DELETE FROM OrionAuditLog WHERE (StartTime < GETDATE() - 30)

go

DELETE FROM OrionSchedulerTaskLog WHERE (StartDate < GETDATE() - 30)

go

DELETE FROM OrionSchedulerTaskLogDetail WHERE (MessageDate < GETDATE() - 30)

go

DELETE FROM DLP_EventInfo WHERE (InsertionTime < GETDATE() - 90)

go

Use master

GO

 

 

FROM ePO 5.3 ON, I think the tables changed!

use EPO4_CUSepo3

go

DELETE FROM epoEventsMT WHERE (DetectedUTC < GETDATE() - 15)

go

DELETE FROM EPOProductEventsMT WHERE (DetectedUTC < GETDATE() - 15)

go

DELETE FROM OrionAuditLogMT WHERE (StartTime < GETDATE() - 15)

go

DELETE FROM OrionSchedulerTaskLogMT WHERE (StartDate < GETDATE() - 15)

go

DELETE FROM OrionSchedulerTaskLogDetailMT WHERE (MessageDate < GETDATE() - 15)

go

DELETE FROM DLP_EventInfo WHERE (InsertionTime < GETDATE() - 90)

go

Use master

GO

 

 

 

 

 

 

 

 

Exchange: Server 2008 SMTP/IIS does not write log files

On old Exchange machines we migrated, we often install the SMTP Server (after Exchange is uninstalled) so we can re-route e-mail from devices that have not been migrated yet and log that information.

 

You have a Server 2008 64-bit RTM and the separately installed SMTP service in IIS 6.0 Manager does not write log files.

  • You set the log file options
  • You did a telnet to the server IP (not localhost) on port 25
  • You tried to force writing of the logs with "netsh http flush logbuffer"

 

You will have to enable/install the ODBC-Protokollierung (ODBC Logging module).

Here is how to do that on a German Server 2008.

 

You need the CORRECT permissions on, for example, d:\smtp_logfiles, or keep it at the default location under c:\windows\system32\logfiles.

 

 


This step may take up to 30 minutes, don't ask why. Maybe it's reinstalling the full IIS or compiling some Framework assemblies. Just wait, it will finish.

 

Please also see:

http://www.butsch.ch/post/Exchange-Migration-Server-2008-SMTP-Service-installation-to-re-route-old-traffic.aspx