McAfee ePO SQL: shrink large files in small steps

For all DBAs: yes, we know, but McAfee tells us to shrink ;-)

Also see our security concerns regarding centralized SQL for security appliances/servers.

 

Problem:

You are unable to shrink the McAfee ePO SQL database with Management Studio (GUI), even though the database is already in SIMPLE recovery mode.

 

Management thoughts:

There is a basic discussion, coming from real-world outbreak experience, about where the ePO database should live:

a)    Keep SQL on the ePO server with SQL Express and its XX GB limit

OR

b)    Put everything in a centralized large SQL cluster

c)    Install a fully licensed SQL Server on the ePO server

 

Why?

During an outbreak the ePO server may not be able to reach a dedicated SQL server, which in today's ransomware attacks is a priority-1 target anyway. So we keep the SQL instance local. And because nobody has the budget, that is often SQL Express.

This works perfectly UNTIL you hit the SQL Express size limit, and that only happens with a false positive or during a real outbreak. For that reason you can filter which events the agent sends to the ePO. McAfee itself is often the #1 source: McAfee product A alerting on McAfee product B as a false positive, like the change they had with Patch 9 (P9) for VSE 8.8.

 

Solution:

Here is how to shrink the database and transaction log in small steps, so that the temporary space SQL Server needs for the operation does not grow out of control. Sometimes this is also needed to get back under the SQL Express limit, which is 10 GB per database (data files only; the log file does not count) for 2008 R2 Express.

 

1)    Make sure you have at least as much free disk space as the size of the database: resize the C: or D: drive of the ePO VM and extend the volume in Disk Management (or diskpart).

2)    Check for locks and active sessions first (better than rebooting the ePO server in such a situation):

select cmd,* from master..sysprocesses where db_name(dbid)='ePO4_CUSEPO3'

Check the ePO database size on SQL Express. Once again, you need free space to shrink. If space is tight, do the steps below with really small values, e.g. dbcc shrinkfile(ePO4_CUSEPO3_log, 100). Note that the number is the target size in MB, not the amount to remove, so lower it by about 100 MB per run.

 

 

Use this to see the logical and physical file names of the database you need to shrink from the CLI (DBCC SHRINKFILE takes the logical name, which is usually the database name and the database name with a _log suffix):

sp_helpfile

Sample logical file names:

EPO4_CUSEPO3

EPO4_CUSEPO3_log
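As an added example (not from the original post), the following T-SQL shows per file how big the ePO database is, how much of that is actually in use, and how far the data file is from the SQL 2008 R2 Express limit, then what is currently holding the log and which requests are active. It assumes the database is called ePO4_CUSEPO3 as in the samples above; the 10240 MB figure is the Express limit and applies to data files only, the log is not counted.

```sql
-- Added example, not part of the original post.
-- Assumes the ePO database is ePO4_CUSEPO3 (logical file names as shown by sp_helpfile).
USE ePO4_CUSEPO3;
GO
DECLARE @express_limit_mb int = 10240;   -- SQL Server 2008 R2 Express: 10 GB per database, data files only

-- Size, used and free space per file. sys.database_files.size and
-- FILEPROPERTY(..., 'SpaceUsed') are in 8 KB pages, so /128 gives MB.
-- free_mb is the most DBCC SHRINKFILE can give back; if it is small,
-- purge rows first (see the DELETE scripts further down), shrinking alone will not help.
SELECT
    f.name                                               AS logical_name,   -- use this name in DBCC SHRINKFILE
    f.physical_name,
    f.type_desc,                                         -- ROWS = data file, LOG = transaction log
    f.size / 128                                         AS size_mb,
    FILEPROPERTY(f.name, 'SpaceUsed') / 128              AS used_mb,
    (f.size - FILEPROPERTY(f.name, 'SpaceUsed')) / 128   AS free_mb,
    CASE WHEN f.type_desc = 'ROWS'
         THEN @express_limit_mb - (f.size / 128) END     AS mb_left_under_express_limit
FROM sys.database_files AS f;

-- Why the log cannot be truncated. In SIMPLE recovery this should read NOTHING
-- (or CHECKPOINT); anything else (ACTIVE_TRANSACTION, LOG_BACKUP, ...) means a
-- shrink of the log will make no progress until that cause is cleared.
SELECT name, recovery_model_desc, log_reuse_wait_desc
FROM sys.databases
WHERE name = DB_NAME();

-- Active requests in this database and who is blocking whom; check this before
-- shrinking instead of rebooting the ePO server.
SELECT r.session_id, r.blocking_session_id, r.command, r.status,
       s.login_name, s.host_name, s.program_name
FROM sys.dm_exec_requests AS r
JOIN sys.dm_exec_sessions AS s ON s.session_id = r.session_id
WHERE r.database_id = DB_ID();
```

If used_mb of the data file is already close to the Express limit, the shrink will not buy you anything; the rows have to go first. If log_reuse_wait_desc shows ACTIVE_TRANSACTION, find that session in the third result set before touching the log.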

 

 

Then run the following to shrink the log file and the data file. The second argument is the target size in MB (1000 = roughly 1 GB). Running it again with the same target does nothing, so repeat with a lower target each time (e.g. 1500, 1000, 500) until the file stops getting smaller:

use ePO4_CUSEPO3

go

-- transaction log: target size 1000 MB
dbcc shrinkfile(ePO4_CUSEPO3_log, 1000)

go

-- data file: target size 1000 MB (this is the file that counts against the Express limit)
dbcc shrinkfile(ePO4_CUSEPO3, 1000)

 

Please note that some tables changed from ePO 5.x to 5.2/5.3; that may be the reason you finally landed on this post.

Here are the sample scripts we use to keep customers' ePO databases small. Run them only with a current database backup and outside agent-to-server communication peaks. The supported way is the ePO purge server tasks (threat event log, audit log, server task log); these DELETEs are the shortcut for when the database is already full.

 

 

 

Up to ePO 5.1 (important: check your version first!)

use EPO4_CUSepo3

go

DELETE FROM EPOEvents WHERE (DetectedUTC < GETDATE() - 30)

go

DELETE FROM OrionAuditLog WHERE (StartTime < GETDATE() - 30)

go

DELETE FROM OrionSchedulerTaskLog WHERE (StartDate < GETDATE() - 30)

go

DELETE FROM OrionSchedulerTaskLogDetail WHERE (MessageDate < GETDATE() - 30)

go

DELETE FROM DLP_EventInfo WHERE (InsertionTime < GETDATE() - 90)

go

Use master

GO

 

 

From ePO 5.3 on we think the tables changed to the *MT variants:

use EPO4_CUSepo3

go

DELETE FROM epoEventsMT WHERE (DetectedUTC < GETDATE() - 15)

go

DELETE FROM EPOProductEventsMT WHERE (DetectedUTC < GETDATE() - 15)

go

DELETE FROM OrionAuditLogMT WHERE (StartTime < GETDATE() - 15)

go

DELETE FROM OrionSchedulerTaskLogMT WHERE (StartDate < GETDATE() - 15)

go

DELETE FROM OrionSchedulerTaskLogDetailMT WHERE (MessageDate < GETDATE() - 15)

go

DELETE FROM DLP_EventInfo WHERE (InsertionTime < GETDATE() - 90)

go

Use master

GO
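The DELETE scripts above and the DBCC SHRINKFILE calls earlier in the post both run as single big statements: one DELETE over weeks of events is one transaction that grows the log by everything it touched, and a SHRINKFILE with the same target twice does nothing. As an added example (not from the original post), this T-SQL does both in small steps: it purges old rows from epoEventsMT in batches of 5000 with a CHECKPOINT after each, then lowers the shrink target 100 MB at a time until the file stops shrinking. It assumes the ePO 5.3+ table names and the logical file names from the samples above (ePO4_CUSEPO3 / ePO4_CUSEPO3_log), a database in SIMPLE recovery and a current backup; batch size, retention, step and floor are parameters to adjust.

```sql
-- Added example, not part of the original post. Assumes ePO 5.3+ table names,
-- logical file names from sp_helpfile, SIMPLE recovery and a fresh backup.
USE ePO4_CUSEPO3;
GO
SET NOCOUNT ON;

-------------------------------------------------------------------------------
-- 1) Purge in batches. DELETE TOP (n) commits n rows per transaction, so the
--    log never has to hold the whole purge at once; the CHECKPOINT after each
--    batch lets SIMPLE recovery reuse the log space immediately.
-------------------------------------------------------------------------------
DECLARE @retain_days int      = 15;                               -- same retention as the 5.3 script above
DECLARE @batch       int      = 5000;                             -- rows per transaction
DECLARE @cutoff      datetime = DATEADD(day, -@retain_days, GETDATE());
DECLARE @deleted     int      = 0;
DECLARE @rows        int      = 1;

WHILE @rows > 0
BEGIN
    DELETE TOP (@batch) FROM dbo.epoEventsMT
    WHERE DetectedUTC < @cutoff;
    SET @rows = @@ROWCOUNT;
    SET @deleted = @deleted + @rows;
    CHECKPOINT;
    WAITFOR DELAY '00:00:00.200';                                 -- let agent uploads / ePO queries through
END;
PRINT CONVERT(varchar(20), @deleted) + ' rows purged from epoEventsMT';

-------------------------------------------------------------------------------
-- 2) Shrink in steps. DBCC SHRINKFILE takes a TARGET size in MB, not a delta,
--    so lower the target by @step_mb each round and stop when the file does
--    not get smaller any more (active log/data sits at the end of the file)
--    or the floor is reached. Run once for the log, once for the data file.
-------------------------------------------------------------------------------
DECLARE @file     sysname = N'ePO4_CUSEPO3_log';                  -- then repeat with N'ePO4_CUSEPO3'
DECLARE @step_mb  int     = 100;                                  -- the "small steps" of this post
DECLARE @floor_mb int     = 500;                                  -- do not try to go below this
DECLARE @size_mb  int, @new_mb int, @target int;

SELECT @size_mb = size / 128 FROM sys.database_files WHERE name = @file;   -- size is in 8 KB pages

WHILE @size_mb - @step_mb >= @floor_mb
BEGIN
    SET @target = @size_mb - @step_mb;
    DBCC SHRINKFILE (@file, @target) WITH NO_INFOMSGS;
    SELECT @new_mb = size / 128 FROM sys.database_files WHERE name = @file;
    IF @new_mb >= @size_mb
    BEGIN
        -- No progress: check sys.databases.log_reuse_wait_desc (log) or run
        -- CHECKPOINT and try again (data file); do not keep looping blindly.
        PRINT @file + ' stuck at ' + CONVERT(varchar(20), @new_mb) + ' MB';
        BREAK;
    END;
    SET @size_mb = @new_mb;
END;
PRINT @file + ' is now ' + CONVERT(varchar(20), @size_mb) + ' MB';
```

Run the purge part in a quiet window; the shrink loop stops by itself when the end of the file is still in use, which for the log usually means a CHECKPOINT has to happen first (or, in FULL recovery, a log backup). The usual DBA caveat still stands: shrinking the data file fragments the indexes, so rebuild the large ePO indexes afterwards, or leave some headroom instead of shrinking all the way to the floor.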

 

 

 

 

 

 

 

 


 

 

 

 

 

 

 

Exchange: Server 2008 SMTP/IIS does not write log files

On old Exchange machines we migrated, we often install the SMTP server (after Exchange has been uninstalled) so we can re-route e-mail from devices that have not been migrated yet and log that traffic.

You have a Server 2008 64-bit RTM, and the separately installed SMTP service in IIS 6.0 Manager does not write log files, although:

  • You set the log file options
  • You did a telnet to the IP (not localhost) on port 25
  • You tried to force writing of the logs with "netsh http flush logbuffer"

 

You will have to enable/install the ODBC logging module (ODBC-Protokollierung on a German server).

Here is how to do that on a German Server 2008:

You need the correct permissions on the log directory, for example d:\smtp_logfiles, or keep it at the default location under c:\windows\system32\logfiles

 

 

Click Next (Weiter).

This step may take up to 30 minutes, don't ask why. Maybe it is reinstalling the full IIS or compiling some Framework assemblies. Just wait, it will finish.

 

Please also see:

http://www.butsch.ch/post/Exchange-Migration-Server-2008-SMTP-Service-installation-to-re-route-old-traffic.aspx

 

WannaCry / WannaCrypt: Microsoft patch for the SMB exploit (EternalBlue) on XP/2003 released. Ransomware is active in Switzerland!

14.05.2017: Good news, MS released KB4012598 for XP/Vista/2003 (32/64-bit) and you can patch your old special machines.

14.05.2017: Most of the Swiss media, including SF DRS sf.tv (Swiss TV), mentioned that there are no current infections in Switzerland to date.

We think that's wrong; as usual, the corporations that are infected keep it under the hood. It is possible, because we have seen ransomware in the past which checks the country and keyboard codes of the OS and only runs in certain countries.

Another problem is that large enterprises often RENT IP subnets (like people with AS records) from global ISPs, so their source IP is often hidden or appears to be in another country.

If we assume that https://intel.malwaretech.com/botnet/wcrypt/?t=1h&bid=all analyses the URL requests it receives on the sinkhole domain, we can say that there are infections in Switzerland. Around every second customer, if not more, was hit by ransomware in the last 12 months in Switzerland. Criminals know where to ski in winter, where to buy nice watches and where to steal money. The more expat CEOs and managers who never understood a single part of IT security, the more money you can make with ransomware in Switzerland. So yes, Switzerland is a pretty good place to run ransomware.

Status of WannaCry infections in Switzerland and Europe, 13.05.2017 around 23:45. Check the blue dots in Zürich.

 

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Microsoft solution available to protect additional products

Today many of our customers around the world and the critical systems they depend on were victims of malicious "WannaCrypt" software. Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. Microsoft worked throughout the day to ensure we understood the attack and were taking all possible actions to protect our customers. This blog spells out the steps every individual and business should take to stay protected. Additionally, we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack today.

Details are below.

 

We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download (see links below).

This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.

Some of the observed attacks use common phishing tactics including malicious attachments. Customers should use vigilance when opening documents from untrusted or unknown sources. For Office 365 customers we are continually monitoring and updating to protect against these kinds of threats including Ransom:Win32/WannaCrypt. More information on the malware itself is available from the Microsoft Malware Protection Center on the Windows Security blog. For those new to the Microsoft Malware Protection Center, this is a technical discussion focused on providing the IT Security Professional with information to help further protect systems.

We are working with customers to provide additional assistance as this situation evolves, and will update this blog with details as appropriate.

Phillip Misner, Principal Security Group Manager, Microsoft Security Response Center

   

Further resources: 

Download English language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64

To download localized versions for the security update for Windows XP, Windows 8 or Windows Server: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

General information on ransomware: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx

MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx


 

Here is how to integrate the special patch for XP/Vista/2003 into your WSUS via the Windows Update Catalog (with all the possible errors you get with IE11 on your server ;-)

If this prompt comes up, click Install.

Search for KB4012598.

If you see this error in the Windows Update Catalog, add microsoft.com to Compatibility View. It's really sad that MS does not do that themselves ;-(

If you see the error below, try again (Windows Update down) or add the site microsoft.com to Compatibility View on the WSUS server.

Fehlernummer (error number) 8ddd0010

Now search again for KB4012598 and choose your supported platforms:

Choose Herunterladen/Download.

If the basket does not appear, turn off the popup blocker.

 

 

 

 

Here we go ;-)

Server 2003 ;-) Don't laugh, it's a 2003 we use to edit a GPO setting that was made for IE9 but is still valid for IE11 in IEAK 11. So you need a) an old server/client and b) an old browser to modify those proxy settings.

Don't believe it? http://www.butsch.ch/post/Internet-Explorer-911-GPO-old-IE9-not-visible-WMI-checks.aspx

Regarding blocking the extension:

McAfee customers, please read:

http://www.butsch.ch/post/Ransomware-How-to-integrate-the-WannaCry-EXTRADAT-in-EPO-or-McAfee-ENS-client.aspx

http://www.butsch.ch/post/Ransomware-Schweiz-Mcafee-TIE-Threat-Intelligence-Exchange-im-Einsatz.aspx

http://www.butsch.ch/post/RansomwareDeutschlandSchweiz-Healthcare-Deutscher-Bund-warnt-und-reagiert.aspx

 

Ransomware: How to integrate the WannaCry EXTRA.DAT in ePO or the McAfee ENS client

12.05.2017, urgent release on FRIDAY: Wana Decrypt0r | Wana Decryptor | WanaDecryptor@.exe

https://kc.mcafee.com/corporate/index?page=content&id=KB89335

EXTRA.DAT: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/89000/KB89335/en_US/EXTRA.zip

EXTRA.zip

 

McAfee is aware that several customers are impacted by a new ransomware. Ransom-WannaCry (also known as WannaCry, WCry, WanaCrypt and WanaCrypt0r) is encrypting files with the .wnry, .wcry, .wncry, and .wncryt extensions. Encryption is occurring on the local host and across open SMB shares. Impacted systems might also show a blue screen upon system reboot.

https://kc.mcafee.com/corporate/index?page=content&id=KB89335

 

McAfee client ENS 10.5.1: how to include the EXTRA.DAT (Extradat.zip) against the WannaCry ransomware

Unpack EXTRA.ZIP to EXTRA.DAT.

McAfee ePO: how to DEPLOY the EXTRA.DAT on a German or English ePO server 5.x

MENU > Master Repository

Unpack EXTRA.ZIP to EXTRA.DAT and check it in to the Master Repository.

Make sure you check GLOBAL UPDATE. The above-mentioned steps with UPDATE NOW do the same. Use both ways to be 100% sure it's done!

 

 

McAfee is aware of a new variant of ransomware that has been detected in corporate environments. Threat Name: Ransom-WannaCry (also known as WCry, WanaCrypt and WanaCrypt0r).

This article will be updated as additional information is available. Please continue to monitor this document for updates.


Files are encrypted with the .wnry, .wcry, .wncry, and .wncryt extension. End users see a screen with a ransom message.

  • End users see the following Ransom-WannaCry Desktop Background:


     

  • On restarting, impacted machines have a blue screen error and cannot start. 
  • Encryption seen on local host and open SMB shares. IMPORTANT: Customers should immediately install the Critical Microsoft Patch MS17-010, to prevent SMB shares from becoming encrypted: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.

 

BUTSCH > Be CAREFUL with those VSE and ENS rules. Do NOT under any circumstances FORGET the SUB-RULES! Otherwise you would/will block all files! In newer versions you can't SAVE the rule without them anyway.


VirusScan Enterprise (VSE) and Endpoint Security (ENS) Access Protection proactive measures

NOTE: The VSE and ENS Access Protection rules will prevent creation of the .WNRY file. This rule prevents the encryption routine, which is where one will see encrypted files that contain a .WNCRYT, .WNCRY and/or .WCRY extension. By implementing the block against .WNRY, other blocks are not necessary for the encrypted file types.

Use VSE Access Protection rules:

Rule1:

Rule Type: Registry Blocking Rule
Process to include: *
Registry key or value to protect: HKLM - /Software/WanaCrypt0r
Registry key or value to protect: Key
File actions to prevent: Create key or value

Rule2:

Rule Type: File/Folder Blocking Rule
Process to include: *
File or folder name to block: *.wnry
File actions to prevent: New files being created


Use ENS Access Protection rules:

Rule1:

Executable1:
Inclusion: Include
File Name or Path: *

SubRule1:
SubRule Type: Registry key
Operations: Create
Target1:
Inclusion: Include
File, folder name, or file path: *\Software\WanaCrypt0r

SubRule2:
SubRule Type: Files
Operations: Create
Target1:
Inclusion: Include
File, folder name, or file path: *.wnry

 

   


Please continue to return to this page for the latest updates.

Related Information

KB50642 - How to apply an Extra.DAT locally for VirusScan Enterprise 8.x
KB67602 - How to manually check in and deploy an Extra.DAT through ePolicy Orchestrator

Attachment

EXTRA.zip

Malware, Ransomware, Virus, Hospital, Healthcare, Trojaner, Switzerland, Schweiz, Suisse