WannaCry / WannaCrypt: Microsoft patch for the SMB exploit (EternalBlue, MS17-010) released for XP/2003. Ransomware active in Switzerland!

14.05.2017, Good news: MS released KB4012598 for XP/Vista/2003 (32/64 bit), so you can patch your old special-purpose machines.

14.05.2017, Most of the Swiss media, including SRF sf.tv (Swiss TV), reported that there are no current infections in Switzerland to date.

We think that's wrong and, as usual, the corporations that are infected keep it under the hood. It's possible because we have seen

ransomware in the past which checks the country and keyboard codes of the OS and only runs in certain countries.

One other problem is that large enterprises often RENT IP subnets (like people with AS records) from global ISPs, and their source IP is often hidden or appears to be in another country.

If we assume that https://intel.malwaretech.com/botnet/wcrypt/?t=1h&bid=all analyses the URL requests it receives on its domain,

we can say that there are infections in Switzerland. Around EVERY second customer, if not more, was hit by ransomware in the last

12 months in Switzerland. Criminals know where to ski in the winter, where to buy nice watches and where to steal money. The more expat CEOs and managers

who never understood a single part of IT security, the more money you can make with ransomware in Switzerland. So yes, Switzerland is a pretty good place to run ransomware.

Status of WannaCry infections in Switzerland and Europe, 13.05.2017 around 23:45. Check the blue dots in Zürich.




Microsoft solution available to protect additional products

Today many of our customers around the world and the critical systems they depend on were victims of malicious "WannaCrypt" software. Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. Microsoft worked throughout the day to ensure we understood the attack and were taking all possible actions to protect our customers. This blog spells out the steps every individual and business should take to stay protected. Additionally, we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack today.

Details are below.


We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download (see links below).

This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.

Some of the observed attacks use common phishing tactics including malicious attachments. Customers should use vigilance when opening documents from untrusted or unknown sources. For Office 365 customers we are continually monitoring and updating to protect against these kinds of threats including Ransom:Win32/WannaCrypt. More information on the malware itself is available from the Microsoft Malware Protection Center on the Windows Security blog. For those new to the Microsoft Malware Protection Center, this is a technical discussion focused on providing the IT Security Professional with information to help further protect systems.

We are working with customers to provide additional assistance as this situation evolves, and will update this blog with details as appropriate.

Phillip Misner, Principal Security Group Manager, Microsoft Security Response Center


Further resources: 

Download English language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64

To download localized versions for the security update for Windows XP, Windows 8 or Windows Server: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

General information on ransomware: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx

MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx



Here is how to integrate the special patch for XP/Vista/2003 into your WSUS via the Windows Update Catalog (with all the errors you can possibly get with IE11 on your server ;-)

If this prompt comes up, please install it.

Search for KB4012598


If you see this error in the Windows Update Catalog, add microsoft.com to Compatibility View. It's really sad that MS does not do that themselves.. ;-(

If you see the error below, try again (Windows Update may be down) or add the site microsoft.com to Compatibility View on the WSUS server.


Error number (German: Fehlernummer) 8DDD0010

Now search again for KB4012598 and choose your supported platforms:


Choose Download (German: Herunterladen)

If the basket does not appear, turn off the popup blocker.





Here we go ;-)

Server 2003 ;-) Don't laugh, it's a 2003 box we use to edit a GPO setting that was made

for IE9 but is still valid for IE11 in IEAK 11. So you need a) an old server/client and b) an old browser to modify those proxy settings.

Don't believe it? http://www.butsch.ch/post/Internet-Explorer-911-GPO-old-IE9-not-visible-WMI-checks.aspx

Regarding blocking the file extension:

McAfee customers, please read:





Ransomware: How to integrate the WannaCry Extra.DAT in ePO or on the McAfee ENS client

12.05.2017, Urgent release FRIDAY: Wana Decrypt0r | Wana Decryptor | WanaDecryptor@.exe


Extra.DAT: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/89000/KB89335/en_US/EXTRA.zip



McAfee is aware that several customers are impacted by a new ransomware. Ransom-WannaCry (also known as WannaCry, WCry, WanaCrypt and WanaCrypt0r) is encrypting files with the .wnry, .wcry, .wncry, and .wncryt extensions. Encryption is occurring on the local host and across open SMB shares. Impacted systems might also show a blue screen upon system reboot.



McAfee client ENS 10.5.1: how to include the Extra.DAT (Extradat.zip) against the WannaCry ransomware




McAfee ePO: how to DEPLOY the Extra.DAT on a German or English ePO server 5.x


MENU > Master Repository



Make sure you check GLOBAL UPDATE. The above-mentioned steps with UPDATE NOW do the same. Use both ways to be 100% sure it is done!



McAfee is aware of a new variant of ransomware that has been detected in corporate environments. Threat Name: Ransom-WannaCry (also known as WCry, WanaCrypt and WanaCrypt0r).

This article will be updated as additional information is available. Please continue to monitor this document for updates.

Files are encrypted with the .wnry, .wcry, .wncry, and .wncryt extension. End users see a screen with a ransom message.

  • End users see the following Ransom-WannaCry Desktop Background:


  • On restarting, impacted machines have a blue screen error and cannot start. 
  • Encryption seen on local host and open SMB shares. IMPORTANT: Customers should immediately install the Critical Microsoft Patch MS17-010, to prevent SMB shares from becoming encrypted: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.


BUTSCH > Be CAREFUL with those VSE and ENS rules. DO NOT under any circumstances FORGET the SUBRULES! A rule with only the "*" process inclusion and no subrule would block all files. In newer versions you can't SAVE the rule in that state anyway.

VirusScan Enterprise (VSE) and Endpoint Security (ENS) Access Protection Proactive Measures

NOTE: The VSE and ENS Access Protection rules will prevent creation of the .WNRY file. This rule prevents the encryption routine, which is where one will see encrypted files that contain a .WNCRYT, .WNCRY and/or .WCRY extension. By implementing the block against .WNRY, other blocks are not necessary for the encrypted file types.

Use VSE Access Protection rules:


Rule 1
Rule Type: Registry Blocking Rule
Process to include: *
Registry key or value to protect: HKLM - /Software/WanaCrypt0r
Registry key or value to protect: Key
File actions to prevent: Create key or value


Rule 2
Rule Type: File/Folder Blocking Rule
Process to include: *
File or folder name to block: *.wnry
File actions to prevent: New files being created

Use ENS Access Protection rules:


Executables (the processes the rule applies to):
Inclusion: Include
File Name or Path: *


Subrule 1
SubRule Type: Registry key
Operations: Create
Inclusion: Include
File, folder name, or file path: *\Software\WanaCrypt0r


Subrule 2
SubRule Type: Files
Operations: Create
Inclusion: Include
File, folder name, or file path: *.wnry
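The two indicators the rules above key on (the HKLM\Software\WanaCrypt0r key and the .wnry/.wcry/.wncry/.wncryt files) plus the MS17-010 patch check from the McAfee note, as one local triage script. This is an added example, not code from McAfee or from this blog. Assumptions: it runs elevated on the host itself (wrap it in Invoke-Command for remote hosts); the KB numbers beyond KB4012598 are my own list of the March 2017 MS17-010 packages for Windows 7/2008 R2 and 8.1/2012 R2 and should be verified against the bulletin; $SharePath is a placeholder for the folder or share you want scanned.

```powershell
# Added example (not McAfee's or the blog's code). Run elevated on the host.
param(
    [string]$SharePath = 'C:\'   # assumption: local folder or UNC path to look at
)

# MS17-010 packages. KB4012598 is the XP/8/2003 package quoted above; the other
# four are, to my knowledge, the March 2017 security-only and monthly-rollup
# packages for Windows 7/2008 R2 (4012212/4012215) and 8.1/2012 R2
# (4012213/4012216). Verify against the MS17-010 bulletin for your platform.
$Ms17010Kbs = 'KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216'

function Test-Ms17010Patch {
    param([string[]]$Kbs)
    # Win32_QuickFixEngineering lists installed updates; it also works over WMI
    # against XP/2003 hosts with -ComputerName if you need that
    $installed = Get-WmiObject -Class Win32_QuickFixEngineering |
                 Select-Object -ExpandProperty HotFixID
    $found = @($Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Ms17010Installed = ($found.Count -gt 0)
        MatchingKb       = ($found -join ', ')
    }
}

function Test-WanaCrypt0rKey {
    # The key the VSE/ENS registry rules above protect
    Test-Path -Path 'HKLM:\SOFTWARE\WanaCrypt0r'
}

function Find-WannaCryFiles {
    param([string]$Path)
    # Extensions named in the McAfee advisory above: *.wnry are the dropper's
    # component files the rules block, the other three are encrypted victims
    $patterns = '*.wnry', '*.wcry', '*.wncry', '*.wncryt'
    Get-ChildItem -Path $Path -Recurse -Force -Include $patterns -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

$patch = Test-Ms17010Patch -Kbs $Ms17010Kbs
$patch | Format-List
if (-not $patch.Ms17010Installed) {
    Write-Warning 'No MS17-010 package found: SMB on this host is exposed to the WannaCry spreader.'
}
if (Test-WanaCrypt0rKey) {
    Write-Warning 'HKLM\SOFTWARE\WanaCrypt0r exists: WannaCry has run on this host.'
}
$files = @(Find-WannaCryFiles -Path $SharePath)
if ($files.Count -gt 0) {
    Write-Warning "$($files.Count) .wnry/.wcry/.wncry/.wncryt files under $SharePath"
    $files | Format-Table -AutoSize
} else {
    "No .wnry/.wcry/.wncry/.wncryt files under $SharePath"
}
```

The patch check says nothing about whether the worm already got in, which is why the registry key and the file scan are run regardless of the patch result; a host with the key present needs to be isolated even if it was patched afterwards.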



Please continue to return to this page for the latest updates.

Related Information

KB50642 - How to apply an Extra.DAT locally for VirusScan Enterprise 8.x
KB67602 - How to manually check in and deploy an Extra.DAT through ePolicy Orchestrator





09.05.2017, Windows Defender vulnerability and the question whether you have to update in the enterprise


Microsoft has released a critical out-of-band security update addressing a vulnerability in the Microsoft Malware Protection Engine. A remote attacker could exploit this vulnerability to take control of an affected system.

Users and administrators are encouraged to review Microsoft Security Advisory 4022344 (link is external) for details and apply the necessary update.


As of 10.05.2017 it seems unclear, and has been for a long time now, judging by questions asked in the corporate forums of Symantec and McAfee. People are unsure whether they have to do something.

  • Whether the exploit/vulnerability is still possible if "Windows Defender" (for example on Windows 7) is disabled and you have THIRD-party virus protection like McAfee/Trend/Symantec.
  • How to PATCH the vulnerability if you have "Windows Defender" disabled. You can only patch it when Windows Defender is active.
  • Whether the vulnerability is open when you have "Windows Defender" deactivated in any form (from the WIM, via the service, via the registry etc.).
  • You may have some machines in your enterprise which still have it active (not rolled out through deployment [special clients], servers with the TERMINAL SERVER role installed, Citrix etc.!).


Microsoft says so in their FAQ, and we assume they will PATCH this on Patch Tuesday 05/2017:

Is Microsoft releasing a Security Bulletin to address this vulnerability? 
No. Microsoft is releasing this informational security advisory to inform customers that an update to the Microsoft Malware Protection Engine addresses a security vulnerability that was reported to Microsoft.

Typically, no action is required of enterprise administrators or end users to install this update.

Comment Butsch: Yes, but that's only VALID if you have Windows Defender active and NOT disabled, we assume?






Registry value to see which engine version you have in Windows Defender:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Signature Updates\EngineVersion"

Is Windows Defender on or off?

If this value is "1", Windows Defender is INACTIVE.


Check whether Windows Defender is running (the Defender UI executable):

"C:\Program Files\Windows Defender\MSASCui.exe"

How to check whether Windows Defender is running by directory check:

If it's ACTIVE there is a directory called "C:\ProgramData\Microsoft\Windows Defender"

How to check whether you are safe: this file has to be newer than 8.5.2017 to be safe:

"C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1F3264AD-BA13-4E95-93D5-DA22838B8633}\mpengine.dll"

The GUID {1F3264AD-BA13-4E95-93D5-DA22838B8633} changes with every definition update.

You can ONLY update the definitions (and with them the engine) if Windows Defender is running.
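The manual checks above as one script, which also compares the engine against the first fixed version 1.1.13704.0 from Microsoft Security Advisory 4022344 (quoted further down). This is an added example, not the blog's own code. Assumptions: the registry value behind "if this value is 1, Defender is inactive" is DisableAntiSpyware (policy key or product key); the service names behind the two Windows Defender services are WinDefend and WdNisSvc; mpengine.dll's file version equals the engine version.

```powershell
# Added example (not the blog's code). Assumptions are marked in the comments.
$FixedEngine = [version]'1.1.13704.0'   # first fixed engine, Microsoft Security Advisory 4022344
$Cutoff      = [datetime]'2017-05-08'   # "newer than 8.5.2017" from the post

function Get-DefenderEngineVersion {
    # The registry value the post names
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates'
    $v = (Get-ItemProperty -Path $key -Name EngineVersion -ErrorAction SilentlyContinue).EngineVersion
    if ($v) { [version]$v } else { $null }
}

function Test-DefenderDisabledByPolicy {
    # Assumption: the "1 = INACTIVE" value the post refers to is DisableAntiSpyware,
    # set either by GPO (Policies key) or directly in the product key
    foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
                     'HKLM:\SOFTWARE\Microsoft\Windows Defender') {
        $p = Get-ItemProperty -Path $key -Name DisableAntiSpyware -ErrorAction SilentlyContinue
        if ($p -and $p.DisableAntiSpyware -eq 1) { return $true }
    }
    return $false
}

function Get-DefenderServices {
    # Assumption: service names behind "Windows Defender Service" / "... Network Inspection Service"
    Get-WmiObject -Class Win32_Service -Filter "Name='WinDefend' OR Name='WdNisSvc'" |
        Select-Object Name, State, StartMode
}

function Get-DefenderEngineDll {
    # The {GUID} folder changes with every definition update, so resolve it by wildcard
    Get-ChildItem -Path 'C:\ProgramData\Microsoft\Windows Defender\Definition Updates\*\mpengine.dll' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
}

$engine   = Get-DefenderEngineVersion
$dll      = Get-DefenderEngineDll
$disabled = Test-DefenderDisabledByPolicy
$services = (Get-DefenderServices | ForEach-Object { "$($_.Name)=$($_.State)/$($_.StartMode)" }) -join '; '
$dllVer   = $null
$dllDate  = $null
if ($dll) { $dllVer = $dll.VersionInfo.FileVersion; $dllDate = $dll.LastWriteTime }
$fixed = ($null -ne $engine) -and ($engine -ge $FixedEngine)

[pscustomobject]@{
    RegistryEngineVersion = $engine
    MpengineDllVersion    = $dllVer
    MpengineDllDate       = $dllDate
    DllNewerThanCutoff    = ($null -ne $dllDate) -and ($dllDate -gt $Cutoff)
    DisabledByPolicy      = $disabled
    Services              = $services
    EngineFixed           = $fixed
} | Format-List

if ($disabled) {
    'Defender is disabled by policy: it cannot pull the engine update until it is enabled (see the discussion above).'
} elseif (-not $fixed) {
    Write-Warning "Engine $engine is older than $FixedEngine: trigger a definition update (Defender must be running)."
}
```

Run it from an elevated prompt; the Win32_Service query and the ProgramData folder are readable by every user, but on hosts where third-party AV has turned Defender off the registry value and the stopped services are what explain an old engine version.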


With Mcafee:

Environment McAfee Endpoint Security (ENS) Threat Prevention 10.x

As per the Windows Anti-Malware agreement, McAfee is not supposed to uninstall Windows Defender on Windows systems. We integrate with Windows Action Center (WAC) and when WAC sees that ENS Threat Prevention is installed, it disables Windows Defender.

Perform the following steps to check whether Windows Defender is disabled after installing ENS Threat Prevention:

1. Open the Control Panel and check the status of Windows Defender.

2. Check the status of the Windows Defender services:

  • Press CTRL+ALT+DEL, and then select Task Manager.
  • Click the Services tab.
  • Check the status of the following services:

Windows Defender Network Inspection Service

Windows Defender Service

The Control Panel should show that Windows Defender is disabled and the Windows Defender services should be stopped. If the Windows Defender services are stopped, but the Control Panel is showing that Windows Defender is enabled, it is a system issue.



How to enable/select Windows Defender patches in WSUS 3.x


Microsoft Technet:

Microsoft Security Advisory 4022344, Security Update for Microsoft Malware Protection Engine

Published: May 8, 2017

Executive Summary

Microsoft is releasing this security advisory to inform customers that an update to the Microsoft Malware Protection Engine addresses a security vulnerability that was reported to Microsoft.

The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.

The Microsoft Malware Protection Engine ships with several Microsoft antimalware products. See the Affected Software section for a list of affected products. Updates to the Microsoft Malware Protection Engine are installed along with the updated malware definitions for the affected products. Administrators of enterprise installations should follow their established internal processes to ensure that the definition and engine updates are approved in their update management software, and that clients consume the updates accordingly.

Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release. The exact time frame depends on the software used, Internet connection, and infrastructure configuration.

Advisory Details

Issue References

For more information about this issue, see the following references:



Last version of the Microsoft Malware Protection Engine affected by this vulnerability

Version 1.1.13701.0

First version of the Microsoft Malware Protection Engine with this vulnerability addressed

Version 1.1.13704.0

*If your version of the Microsoft Malware Protection Engine is equal to or greater than this version, then you are not affected by this vulnerability and do not need to take any further action. For more information on how to verify the engine version number that your software is currently using, see the section, "Verifying Update Installation", in Microsoft Knowledge Base Article 2510781.

Affected Software

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

Microsoft Malware Protection Engine Remote Code Execution Vulnerability (CVE-2017-0290)

Antimalware Software                                                                                    Impact
Microsoft Forefront Endpoint Protection 2010                                                            Remote Code Execution
Microsoft Endpoint Protection                                                                           Remote Code Execution
Microsoft Forefront Security for SharePoint Service Pack 3                                              Remote Code Execution
Microsoft System Center Endpoint Protection                                                             Remote Code Execution
Microsoft Security Essentials                                                                           Remote Code Execution
Windows Defender for Windows 7                                                                          Remote Code Execution
Windows Defender for Windows 8.1                                                                        Remote Code Execution
Windows Defender for Windows RT 8.1                                                                     Remote Code Execution
Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703  Remote Code Execution
Windows Intune Endpoint Protection                                                                      Remote Code Execution


McAfee: Unable to update AMCORE with McAfee Agent 5.0.4 after ENS 10.2 to 10.5.1 migration



Event 1119, unable to update AMCORE Content and Scan Module with McAfee Agent 5.0.4 after ENS 10.2 to 10.5.1 migration


The customer had a running and working ePO 5.3.2 in a German client environment.

What was done?

During a migration scenario with Agent 5.0.4 and ENS 10.2 we wanted to update to ENS 10.5.1.


After the update of the "Platform" and "Endpoint Security Threat Prevention" we had the following problems:

  • AMCORE content did not update, neither by task nor via the end-user GUI; "Jetzt Aktualisieren" / "Update Now" turned RED
  • Error on German clients: "Fehler bei der Aktualisierung. Siehe Ereignisprotokoll." (Update failed. See the event log.) Event ID: 1119
  • Downloading file from https://eposerver006:443/Software/SiteStat.xml?hash={15bbaf26-2e42-16e7-37b9-8be54700e4e7} to C:\Windows\TEMP\SiteStat.xml failed. (Manually opening the XML in a browser worked fine)
  • Migration from 10.2 > 10.5.1: clients needed to reboot 1-2 times to get the second part, "Threat Prevention", running. That may be by design for 10.2 to 10.5.1, but we had other cases where this worked (this seems to be how it is EVEN with Framework 5.0.5). We had one customer where this worked in ONE reboot during a 10.2 to 10.5 RTM migration.


    AMCONTENT version stays at 0.5


"Fehler bei der Aktualisierung. Siehe Ereignisprotokoll." (Update failed. See the event log.)

Solution for Event 1119

We could solve this by upgrading the McAfee Framework Agent from 5.0.4 to 5.0.5 RTM (this is filed under McAfee case 1156417). This worked even when ENS 10.5.1 was already on the client and the client was in that stalled mode where it does not update AMCORE content. A hotfix (not visible in the Software Updater of ePO) did not solve it.


This is the config we had:


This is the config with which everything was working fine afterwards:


This is what's wrong:

This is what we are talking about in ePO after we updated to Agent 5.0.5:




Errors we saw on the clients:

c:\ProgramData\McAfee\Common Framework\logs\McScript_error.log

2017-05-01 09:45:02    E    #4528    downloader     Downloading file from{15bbaf26-2e42-16e7-37b9-8be51700e4e7} to C:\Windows\TEMP\SiteStat.xml failed.

If you MANUALLY open the XML file in a browser, this works fine.


c:\ProgramData\McAfee\Endpoint Security\Logs\PackageManager_Activity.log

02.05.2017 10:25:59 mfeesp(2600.3848) <SYSTEM> PackageManager.PackageManager.Activity: Fehler beim Herunterladen von C:\ProgramData\McAfee\Common Framework\\Current\AMCORDAT2000\DAT\0000\PkgCatalog.z.

02.05.2017 10:25:59 mfeesp(2600.3852) <SYSTEM> PackageManager.PackageManager.Activity: Fehler beim Aktualisieren auf Version 2966.0.

02.05.2017 10:26:00 mfeesp(2600.4004) <SYSTEM> PackageManager.PackageManager.Activity: Bei der Aktualisierung sind Fehler aufgetreten. Weitere Informationen finden Sie im Fehlerprotokoll.

02.05.2017 10:31:56 mfeesp(2600.3160) <SYSTEM> PackageManager.PackageManager.Activity: AutoUpdate wird gestartet: Standard-AutoUpdate

02.05.2017 10:31:59 mfeesp(2600.3852) <SYSTEM> PackageManager.PackageManager.Activity: Aktualisierung wird ausgeführt

(English, line by line: error downloading ...\PkgCatalog.z; error updating to version 2966.0; errors occurred during the update, see the error log for details; AutoUpdate is starting: default AutoUpdate; update is running.)


Error seen in ePO:

Text: "Fehler bei der Aktualisierung. Siehe Ereignisprotokoll." (Update failed. See the event log.)

Event ID: 1119


This is where you could see in the GUI that something was not working: when you pressed the Update Now button it turned RED.
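Picking the stall signatures quoted above out of the two McAfee logs, so the stuck clients can be listed before the agent is upgraded. This is an added example, not code from McAfee or from this blog. Assumptions: the two log paths are the ones named above; the McAfee Agent version is read from HKLM\SOFTWARE\McAfee\Agent\AgentVersion (my assumption about where MA 5.x stores it); when the log files are not present, constructed sample lines copied from the excerpts above are used so the script also runs offline.

```powershell
# Added example (not McAfee's or the blog's code).
$McScriptLog = 'C:\ProgramData\McAfee\Common Framework\logs\McScript_error.log'
$PkgMgrLog   = 'C:\ProgramData\McAfee\Endpoint Security\Logs\PackageManager_Activity.log'

# Signatures taken from the log excerpts above (German ENS strings, English agent string)
$Signatures = @(
    'SiteStat\.xml failed',               # agent could not download SiteStat.xml
    'Fehler beim Herunterladen',          # "error downloading" (PkgCatalog.z)
    'Fehler beim Aktualisieren',          # "error updating to version ..."
    'Bei der Aktualisierung sind Fehler'  # "errors occurred during the update"
)

function Find-AmcoreUpdateStall {
    param([string[]]$Lines, [string]$Source)
    foreach ($line in $Lines) {
        foreach ($sig in $Signatures) {
            if ($line -match $sig) {
                [pscustomobject]@{ Source = $Source; Signature = $sig; Line = $line.Trim() }
                break   # one hit per line is enough
            }
        }
    }
}

function Get-McAfeeAgentVersion {
    # Assumption: MA 5.x writes its version here
    (Get-ItemProperty -Path 'HKLM:\SOFTWARE\McAfee\Agent' -Name AgentVersion -ErrorAction SilentlyContinue).AgentVersion
}

# Constructed sample input (copied from the excerpts above), used when the logs are absent
$SampleMcScript = @(
    '2017-05-01 09:45:02    E    #4528    downloader     Downloading file from{15bbaf26-2e42-16e7-37b9-8be51700e4e7} to C:\Windows\TEMP\SiteStat.xml failed.'
)
$SamplePkgMgr = @(
    '02.05.2017 10:25:59 mfeesp(2600.3848) <SYSTEM> PackageManager.PackageManager.Activity: Fehler beim Herunterladen von C:\ProgramData\McAfee\Common Framework\\Current\AMCORDAT2000\DAT\0000\PkgCatalog.z.',
    '02.05.2017 10:25:59 mfeesp(2600.3852) <SYSTEM> PackageManager.PackageManager.Activity: Fehler beim Aktualisieren auf Version 2966.0.',
    '02.05.2017 10:31:59 mfeesp(2600.3852) <SYSTEM> PackageManager.PackageManager.Activity: Aktualisierung wird ausgeführt'
)

$mc  = if (Test-Path $McScriptLog) { Get-Content $McScriptLog } else { $SampleMcScript }
$pkg = if (Test-Path $PkgMgrLog)   { Get-Content $PkgMgrLog }   else { $SamplePkgMgr }

$hits = @(Find-AmcoreUpdateStall -Lines $mc  -Source 'McScript_error.log') +
        @(Find-AmcoreUpdateStall -Lines $pkg -Source 'PackageManager_Activity.log')

$agent = Get-McAfeeAgentVersion
"McAfee Agent version: $(if ($agent) { $agent } else { 'unknown' })"
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize -Wrap
    Write-Warning "$($hits.Count) AMCORE update error lines found; the post fixed this stall by moving the agent from 5.0.4 to 5.0.5."
} else {
    'No AMCORE update stall signatures found.'
}
```

On the sample input the script reports three hits (the SiteStat.xml download failure and the two German "Fehler" lines; the "Aktualisierung wird ausgeführt" line is normal activity and is not matched).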





Release Notes Agent 5.0.5





Virus protection needs 50-100% CPU load: who is to blame?


McAfee / Symantec / Trend / Kaspersky

German: Windows Prioritätsinversion

English: Windows Priority Inversion


FAQ / Questions

  • Every time I log on to Windows 7/8/10/XP it is slow. Surely this is the virus protection?
  • Every time I start a server, virus protection XX pulls 100% CPU load?
  • Why does the task/service "******.exe" need so much CPU? If I uninstall/turn it off, it is faster?
  • The McAfee task needs X% CPU time, why?
  • If I turn off option Y in the virus protection, it runs faster. So the virus protection is to blame.


  • Every error/delay bug that a piece of software has, McAfee VSE/ENS or Symantec SEP then adds to performance-wise. For example, in the healthcare sector there is software that pulls 400 files from a share when a login mask is opened. The software does not update itself, nor does it check LDAP/DB etc. It is simply miserably programmed. This would not be so bad if it were installed with a Windows Installer package as an MSI instead of running from a share.
  • CPU load with respect to priority is handled by Windows. Even if the McAfee services or the scanner run with a "low priority", another task can affect them if both handle the same resource. So any EXE that runs with HIGH priority can push up others that sit in front of it in the queue (it is not the EXE itself that does this, but Windows).
  • So: prio1.exe comes with priority HIGH and urgently needs something on a file share. Windows then also raises the virus protection tasks so that they finish whatever they are doing. The stupid thing is just that these services are always doing something.



Find the software that is badly programmed and a) patch it, b) replace or eliminate it.


The virus protection is rarely to blame.... At most ransomware is, plus the fact that in 2017 the virus protection may no longer have any exceptions.


WIKIPEDIA: https://de.wikipedia.org/wiki/Priorit%C3%A4tsinversion

Making it faster: that's how easy it is, and my meinesoftware.exe is the fastest: https://social.msdn.microsoft.com/Forums/vstudio/en-US/daae2f48-d2c9-44f1-b981-3d5397cf156c/how-to-change-the-application-priority?forum=netfxbcl (Whether other things are still running does not interest me....)

MSDN: https://msdn.microsoft.com/en-us/library/system.diagnostics.process.priorityclass.aspx

Dr. Dobb's Journal, Eric Bruno describes this (does anyone among today's hipster coders still know it?): http://www.drdobbs.com/jvm/what-is-priority-inversion-and-how-do-yo/230600008


Priority Inversion



Priority inversion occurs when two or more threads with different priorities are in contention to be scheduled. Consider a simple case with three threads: thread 1, thread 2, and thread 3. Thread 1 is high priority and becomes ready to be scheduled. Thread 2, a low-priority thread, is executing code in a critical section. Thread 1, the high-priority thread, begins waiting for a shared resource from thread 2. Thread 3 has medium priority. Thread 3 receives all the processor time, because the high-priority thread (thread 1) is waiting for shared resources from the low-priority thread (thread 2). Thread 2 will not leave the critical section, because it does not have the highest priority and will not be scheduled.

The scheduler solves this problem by randomly boosting the priority of the ready threads (in this case, the low priority lock-holders). The low priority threads run long enough to exit the critical section, and the high-priority thread can enter the critical section. If the low-priority thread does not get enough CPU time to exit the critical section the first time, it will get another chance during the next round of scheduling.




Two examples from practice:


  • Every time I log on to the system it is slow and the virus protection pulls 50% or 100% CPU time on one core? (Out of 4/8....)
  • Every time I start a server, virus protection XX pulls 100% CPU load?


This is basically because WINLOGON runs with a priority of 13 and has permission to force OTHER tasks (Windows itself does this).

If, for example, a virus scanner is running that scans SERVICES and STARTUP files/keys for MBR malware, it is raised to a higher priority by the task behind it.

In itself it is NOT the virus protection that is slow, but the software that messes up the whole priority scheme.


Here you see the tasks that run with a higher PRIO: WINLOGON so that everything works at LOGON, plus e.g. a FortiClient SSL VPN.
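The listing described above, as an added example that is not part of the original post: the first function lists processes whose base priority is above the Normal class (base priority 8; winlogon's 13 is the High class the post mentions), and the second shows threads whose current priority is above their base, which is the scheduler boost the MSDN text above describes. Assumptions: 'mcshield' as the scanner process name is my placeholder for the VSE scan service; use your own AV's process name. Run elevated so that the system processes are readable.

```powershell
# Added example (not the post's code). Run elevated to see winlogon and friends.
function Get-HighPriorityProcess {
    # Base priority 8 = Normal class; 13 = High (what the post reports for winlogon)
    param([int]$MinBasePriority = 9)
    Get-Process | Where-Object { $_.BasePriority -ge $MinBasePriority } |
        Sort-Object BasePriority -Descending |
        Select-Object Id, ProcessName, BasePriority,
            @{ Name = 'PriorityClass'; Expression = { try { $_.PriorityClass } catch { 'n/a (access denied)' } } }
}

function Get-BoostedThread {
    # A thread whose CurrentPriority is above its BasePriority is being boosted by
    # the scheduler at this moment: the priority-inversion workaround in action
    param([string]$ProcessName = '*')
    foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try { $threads = $p.Threads } catch { continue }
        foreach ($t in $threads) {
            if ($t.CurrentPriority -gt $t.BasePriority) {
                [pscustomobject]@{
                    Process  = $p.ProcessName
                    ProcId   = $p.Id
                    ThreadId = $t.Id
                    Base     = $t.BasePriority
                    Current  = $t.CurrentPriority
                }
            }
        }
    }
}

Get-HighPriorityProcess | Format-Table -AutoSize
# 'mcshield' is a placeholder for the VSE scan service; use your AV's process name
Get-BoostedThread -ProcessName 'mcshield' | Format-Table -AutoSize
```

Sample a busy logon or server start a few times in a row: if the scanner's threads keep showing a Current value above Base while a high-priority process (winlogon, a VPN client) is active, the CPU time is the boost the post describes, not the scanner running hot on its own.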