Microsoft Framework 4.6.1 for W7 WSUS Integration

 

Identify Framework 4.6.1 with Registry Key

https://msdn.microsoft.com/de-de/library/hh925568(v=vs.110).aspx

Microsoft WSUS blog post on Framework 4.6.1:

https://blogs.technet.microsoft.com/wsus/2016/01/20/microsoft-net-framework-4-6-1-coming-to-wsus/

Important: 

  • When you synchronize your WSUS server with Microsoft Update server (or use Microsoft Update Catalog site for importing updates), you will see that there are two updates with .NET Framework 4.6.1 being published for each platform. The difference in the updates is scoped to the different applicability logic for targeting different computers. Please read the details included in the description of the respective update to get more information. We recommend that you import both the updates, if you plan to deploy .NET Framework 4.6.1 in your Enterprise.
    • One of the .NET Framework 4.6.1 updates will install only on computers that have an earlier version such as .NET 4, 4.5, 4.5.1, or 4.5.2 installed
    • The other .NET Framework 4.6.1 update will install on those computers that either have .NET 4.6 installed or no .NET Framework installed.

 

 

MCAFEE ENS 10.5.X HIPS Module, Exploit, ExP:Invalid Call how to Exclude single API calls (Solidworks CAD)

 

You have ENS 10.5.1 on Windows 7 64-bit.

You have Threat Prevention > Exploit Prevention with all HIPS categories (High, Medium, Low) set to both Report and Block (all three).

You use Solidworks CAD or any other software that triggers ExP:Invalid Call in the HIPS module.

 

This is a general guide from us on how to exclude things from the HIPS module which is integrated in every ENS 10.5.x endpoint client from McAfee.

 

Alert/events you see from the McAfee HIPS module:

Description / error you see (German client):

Endpoint Security

Ereigniskategorie: Buffer Overflow durch Host-Eindringungsversuch

Schweregrad der Bedrohung: Kritisch

Name der Bedrohung: ExP:Invalid Call

Typ der Bedrohung: Exploit-Schutz

Ausgeführte Aktion: Blockiert

Entdeckungsmethode des Analyseprogramms: Exploit Prevention

Modulname: Bedrohungsschutz

Analyseprogramm – Inhaltsversion: 10.5.0.7691

Analyseprogramm – Regel-ID: 6015

Ziel signiert: Ja

Name des übergeordneten Zielprozesses: SVCHOST.EXE

Zielname: DLLHOST.EXE

Zielpfad: C:\WINDOWS\SYSWOW64

API-Name: OpenProcess

 

Beschreibung:

 

ExP:Invalid Call hat einen Exploit-Versuch auf 'C:\WINDOWS\SYSWOW64\DLLHOST.EXE' Blockiert, der vom Modul MWSCRIPTGUI.DLL abgerufen wurde, wodurch ein Angriff auf die API OpenProcess durchgeführt wurde.

 

 

Here is the Event on the Dashboard

German

English

 

Note the following from the event above:

  1. Analyzer rule ID: 6015
  2. API name: OpenProcess
  3. Called module (text after "Description"): MWSCRIPTGUI.DLL

 

Go to your Exploit Prevention policies:

Now check whether the rule is active for reporting and blocking.

Enter the analyzer rule ID in the search field and tick all boxes above (don't save, this is just to see whether you have it active).

 

Here you see that the RULE 6015 is active in that policy

German

 

German

 

English

 

Now, in the policy above, create an exception from the information we noted from the event.

 

This will look like this when done.

German (the screenshot shows DL instead of DLL, see the English version below)

English

SAVE

SAVE (two times, don't forget)

 

Now TEST and update the McAfee Agent.

 

ONLY if this does NOT work could you turn off rule 6015 completely.

The last (worst) option is to turn HIPS rule 6015 of ENS completely OFF.

 

MCAFEE EPO SQL shrink large files in small steps

For all DBAs > Yes, we know, but McAfee tells us to shrink ;-)

Also see our security concerns regarding centralized SQL for security appliances/servers.

 

Problem:

You are unable to shrink the McAfee ePO SQL database with Management Studio (GUI). The DB is already in SIMPLE recovery mode.

 

Management thoughts:

There is a basic discussion, coming from real-world outbreak experience, about whether to:

a)    keep SQL on the ePO server with SQL Express and its XX GB limit,

OR

b)    put everything in a centralized large SQL cluster, or

c)    install fully licensed SQL on the ePO server.

 

Why?

The problem in an outbreak may be that ePO can't reach the dedicated SQL server, which by the way is attack priority 1 in today's ransomware anyway. So we keep SQL local. And because nobody has money, we often use SQL Express.

This works perfectly UNTIL you reach the SQL Express limit, and that only happens with false positives or when a real outbreak is going on. For that reason you can filter what the agent sends to ePO. McAfee itself is often the #1 cause, with McAfee product A alerting on McAfee product B as a false positive, like the change they had with P9 for VSE 8.8.

 

Solution:

Here is how to shrink the DB and transaction log in small steps, so that the temporary space SQL Server needs for this does not grow too large. Sometimes this also seems to be needed to get back under the SQL Express limit, which is 10 GB for 2008 R2 Express.

 

1)    Make sure you have at least as much free space on the disk as the DB size > resize the ePO VM's C: or D: drive in the VM and extend it in FDISK.

2)    Check locks (maybe better than rebooting the ePO server in such a situation):

 

select cmd,* from master..sysprocesses where db_name(dbid)='ePO4_CUSEPO3'

Check the ePO database size on SQL Express. Once again, you need space to shrink it. If there is none, do the steps mentioned here with really small values (like dbcc shrinkfile(ePO4_CUSEPO3_log, 100), i.e. 100 MB or less each time).

Use this to see the logical and physical file names of the SQL DB you need to shrink via CLI:

sp_helpfile

Sample file names:

 

EPO4_CUSEPO3

EPO4_CUSEPO3_log

Then do the following to shrink the log file in 1 GB steps (target size 1000 MB in the command below; repeat a few times, lowering the target each time):

 

use ePO4_CUSEPO3

go

dbcc shrinkfile(ePO4_CUSEPO3_log, 1000)

 

use ePO4_CUSEPO3

go

dbcc shrinkfile(ePO4_CUSEPO3, 1000)
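The stepwise shrink above can be scripted so that each DBCC SHRINKFILE call only takes a little off the file at a time and the loop stops by itself when the file cannot get smaller. This is an added example, not from the original post: the database and logical file names are the sample ones above, and @target_mb/@step_mb are assumed values you adjust to your own sizes.

```sql
USE ePO4_CUSEPO3;
GO
-- Constructed example (not from the original post): shrink one file in small
-- steps instead of one big DBCC SHRINKFILE, so the temporary space each step
-- needs stays small. Set @file to the logical name shown by sp_helpfile.
DECLARE @file      sysname = N'ePO4_CUSEPO3_log';
DECLARE @target_mb int = 1000;   -- stop once the file is this size (assumed value)
DECLARE @step_mb   int = 100;    -- MB to release per iteration (assumed value)
DECLARE @before_mb int, @after_mb int, @next_mb int;

-- sys.database_files.size is in 8 KB pages; 128 pages = 1 MB.
SELECT @before_mb = size / 128 FROM sys.database_files WHERE name = @file;
IF @before_mb IS NULL
BEGIN
    RAISERROR(N'Logical file %s not found in this database (check sp_helpfile).', 16, 1, @file);
    RETURN;
END;

WHILE @before_mb > @target_mb
BEGIN
    SET @next_mb = @before_mb - @step_mb;
    IF @next_mb < @target_mb SET @next_mb = @target_mb;

    CHECKPOINT;   -- in SIMPLE recovery this marks inactive log space reusable
    DBCC SHRINKFILE (@file, @next_mb) WITH NO_INFOMSGS;

    SELECT @after_mb = size / 128 FROM sys.database_files WHERE name = @file;
    IF @after_mb >= @before_mb
    BEGIN
        -- No progress: the tail of the log is still active. Stop instead of
        -- looping forever; let ePO/agent traffic cycle the log and rerun later.
        RAISERROR(N'%s did not shrink below %d MB; stopping.', 10, 1, @file, @before_mb);
        BREAK;
    END;
    SET @before_mb = @after_mb;
END;

-- Final size for the record.
SELECT name, size / 128 AS size_mb FROM sys.database_files WHERE name = @file;
```

The same loop works for the data file by setting @file to the logical data file name (ePO4_CUSEPO3 in the sample above), although the data file shrinks more slowly because pages have to be moved.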

 

Please note that some tables changed from ePO 5.x to 5.2/5.3; this may be the reason you finally landed on this post.

Here are our sample scripts we use to keep customer ePOs small.

Up to ePO 5.1 < Important!

use EPO4_CUSepo3

go

DELETE FROM EPOEvents WHERE (DetectedUTC < GETDATE() - 30)

go

DELETE FROM OrionAuditLog WHERE (StartTime < GETDATE() - 30)

go

DELETE FROM OrionSchedulerTaskLog WHERE (StartDate < GETDATE() - 30)

go

DELETE FROM OrionSchedulerTaskLogDetail WHERE (MessageDate < GETDATE() - 30)

go

DELETE FROM DLP_EventInfo WHERE (InsertionTime < GETDATE() - 90)

go

Use master

GO

 

 

From ePO 5.3 on I think the tables changed!

use EPO4_CUSepo3

go

DELETE FROM epoEventsMT WHERE (DetectedUTC < GETDATE() - 15)

go

DELETE FROM EPOProductEventsMT WHERE (DetectedUTC < GETDATE() - 15)

go

DELETE FROM OrionAuditLogMT WHERE (StartTime < GETDATE() - 15)

go

DELETE FROM OrionSchedulerTaskLogMT WHERE (StartDate < GETDATE() - 15)

go

DELETE FROM OrionSchedulerTaskLogDetailMT WHERE (MessageDate < GETDATE() - 15)

go

DELETE FROM DLP_EventInfo WHERE (InsertionTime < GETDATE() - 90)

go

Use master

GO
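The one-shot DELETEs above write every removed row into the transaction log in a single transaction, which on a large events table can grow the very log you just shrank. As an added example (not from the original post), the same purge in small batches: the table names and the DetectedUTC column are taken from the scripts above, the batch size and retention are assumed values.

```sql
USE ePO4_CUSEPO3;
GO
-- Constructed example (not from the original post): purge old event rows in
-- small batches so the transaction log stays small during the cleanup.
-- Table names from the scripts above: epoEventsMT (ePO 5.3+), EPOEvents (up to 5.1).
DECLARE @table          sysname;
DECLARE @retention_days int = 15;     -- same retention the 5.3 script uses
DECLARE @batch          int = 5000;   -- rows per DELETE (assumed); smaller = less log per transaction
DECLARE @deleted        int = 1;
DECLARE @sql            nvarchar(max);

-- Pick whichever events table exists in this ePO version instead of guessing.
SET @table = CASE WHEN OBJECT_ID(N'dbo.epoEventsMT') IS NOT NULL THEN N'dbo.epoEventsMT'
                  WHEN OBJECT_ID(N'dbo.EPOEvents')   IS NOT NULL THEN N'dbo.EPOEvents'
             END;
IF @table IS NULL
BEGIN
    RAISERROR(N'No known ePO events table found; check the table names for your ePO version.', 16, 1);
    RETURN;
END;

-- Only the table name is concatenated (a fixed value chosen above);
-- batch size and retention go in as parameters.
SET @sql = N'DELETE TOP (@batch) FROM ' + @table +
           N' WHERE DetectedUTC < DATEADD(day, -@days, GETDATE());' +
           N' SET @rc = @@ROWCOUNT;';

WHILE @deleted > 0
BEGIN
    EXEC sp_executesql @sql,
         N'@batch int, @days int, @rc int OUTPUT',
         @batch = @batch, @days = @retention_days, @rc = @deleted OUTPUT;

    -- In SIMPLE recovery a checkpoint lets the log space of the finished
    -- batch be reused by the next one, so the log does not balloon.
    CHECKPOINT;
END;
```

Run it for the other *MT / Orion* tables by changing the table and date column names; the loop ends on its own once a batch deletes zero rows.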


Exchange: Server 2008 SMTP/IIS does not write Logfiles

On old Exchange machines we migrated, we often (after Exchange has been uninstalled) install the SMTP Server, so we can re-route e-mail from devices which have not been migrated yet and log that traffic.

 

You have a Server 2008 64-bit RTM and the separately installed SMTP service in IIS 6.0 Manager does not write log files, although:

  • You set the log file options
  • You did a telnet to the IP (not localhost) on port 25
  • You tried to force writing of the logs with "netsh http flush logbuffer"

 

You have to enable / install the ODBC-Protokollierung (ODBC Logging module).

Here is how to do that on a German Server 2008:

 

You need the correct permissions on the log directory, for example d:\smtp_logfiles, or keep it at the default location under c:\windows\system32\logfiles.

Weiter (Next)

This step may take up to 30 minutes, don't ask why. Maybe it's reinstalling the full IIS or compiling some Framework assemblies. Just wait, it will finish.

 

Please also see:

http://www.butsch.ch/post/Exchange-Migration-Server-2008-SMTP-Service-installation-to-re-route-old-traffic.aspx

 

Wannacry / WannaCrypt: Microsoft patch for the SMB exploit (EternalBlue) on XP/2003 released. Ransomware active in Switzerland!

14.05.2017: Good news, MS released KB4012598 for XP/Vista/2003 (32/64-bit) and you can patch your old special machines.

14.05.2017: Most Swiss media, including SFDRS sf.tv (Swiss TV), mentioned that there are no current infections in Switzerland to date.

We think that's wrong; as usual, the corporations that are infected keep it under the hood. It's possible because we have seen ransomware in the past which checks the country and keyboard codes of the OS and only runs in certain countries.

Another problem is that large enterprises often rent IP subnets (like people with AS records) from global ISPs, so their source IP is often hidden or shows up in another country.

If we assume that https://intel.malwaretech.com/botnet/wcrypt/?t=1h&bid=all analyses the URL requests it gets on its domain, we can say that there are infections in Switzerland. Around every second customer, if not more, was hit by ransomware in the last 12 months in Switzerland. Criminals know where to ski in the winter, buy nice watches and steal money. The more expat CEOs and managers who never understood a single part of IT security, the more money you can make with ransomware in Switzerland. So yes, Switzerland is a pretty good place to run ransomware.

Status of WannaCry infections in Switzerland/Europe, 13.05.2017 around 23:45. Check the blue dots in Zürich.

 

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Microsoft solution available to protect additional products

Today many of our customers around the world and the critical systems they depend on were victims of malicious "WannaCrypt" software. Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. Microsoft worked throughout the day to ensure we understood the attack and were taking all possible actions to protect our customers. This blog spells out the steps every individual and business should take to stay protected. Additionally, we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack today.

Details are below.

 

We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download (see links below).

This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.

Some of the observed attacks use common phishing tactics including malicious attachments. Customers should use vigilance when opening documents from untrusted or unknown sources. For Office 365 customers we are continually monitoring and updating to protect against these kinds of threats including Ransom:Win32/WannaCrypt. More information on the malware itself is available from the Microsoft Malware Protection Center on the Windows Security blog. For those new to the Microsoft Malware Protection Center, this is a technical discussion focused on providing the IT Security Professional with information to help further protect systems.

We are working with customers to provide additional assistance as this situation evolves, and will update this blog with details as appropriate.

Phillip Misner, Principal Security Group Manager, Microsoft Security Response Center

Further resources: 

Download English language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64

To download localized versions for the security update for Windows XP, Windows 8 or Windows Server: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

General information on ransomware: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx

MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx


 

Here is how to integrate the special patch for XP/Vista/2003 into your WSUS via the Windows Update Catalog (with all the possible errors IE11 gives you on your server ;-)

If this comes up, please install it.

Search for KB4012598.

 

If you see this error in the Windows Update Catalog, add microsoft.com to Compatibility Mode. It's really sad that MS does not do that themselves.. ;-(

If you see the error below > try again (Windows Update down) or add the site microsoft.com to Compatibility Mode on the WSUS server.

 

fehlernummer 8ddd0010

Now search again for KB4012598 and choose your supported platforms:

 

Choose Herunterladen/Download.

If the basket does not appear, turn off the popup blocker.

Here we go ;-)

Server 2003 ;-) Don't laugh, it's a 2003 we use to edit a GPO setting that was made for IE9 but is still valid for IE11 in IEAK 11. So you need a) an old server/client and b) an old browser to modify those proxy settings.

Don't believe it? http://www.butsch.ch/post/Internet-Explorer-911-GPO-old-IE9-not-visible-WMI-checks.aspx

Regarding blocking the extension:

For McAfee customers, please read:

http://www.butsch.ch/post/Ransomware-How-to-integrate-the-WannaCry-EXTRADAT-in-EPO-or-McAfee-ENS-client.aspx

http://www.butsch.ch/post/Ransomware-Schweiz-Mcafee-TIE-Threat-Intelligence-Exchange-im-Einsatz.aspx

http://www.butsch.ch/post/RansomwareDeutschlandSchweiz-Healthcare-Deutscher-Bund-warnt-und-reagiert.aspx