09.05.2017, Windows Defender vulnerability, and the question whether you have to update in an enterprise?

Microsoft has released a critical out-of-band security update addressing a vulnerability in the Microsoft Malware Protection Engine. A remote attacker could exploit this vulnerability to take control of an affected system.

Users and administrators are encouraged to review Microsoft Security Advisory 4022344 for details and apply the necessary update.

As of 10.05.2017 this has been unclear for quite some time, judging by the questions asked in the corporate forums of Symantec and McAfee. People are unsure whether they have to do anything:

  • Is the leak/exploit/vulnerability still possible if "Windows Defender" (for example on Windows 7) is disabled and you have third-party virus protection like McAfee/Trend/Symantec?
  • How do you PATCH the vulnerability if you have "Windows Defender" disabled? You can only patch it when Windows Defender is active.
  • Is the vulnerability open when you have "Windows Defender" deactivated in any form (from the WIM, via service, via registry etc.)?
  • You may have some machines in your enterprise that still have it activated (not deployed through your deployment [special clients], servers with the TERMINAL SERVER role installed, Citrix etc.!)

Microsoft says so in their FAQ, and we assume they will PATCH this on Patch Day 05/2017:

Is Microsoft releasing a Security Bulletin to address this vulnerability?
No. Microsoft is releasing this informational security advisory to inform customers that an update to the Microsoft Malware Protection Engine addresses a security vulnerability that was reported to Microsoft.

Typically, no action is required of enterprise administrators or end users to install this update.

Comment Butsch: Yes, but that is only VALID if you have Windows Defender active and NOT disabled, we assume?

https://technet.microsoft.com/en-us/library/security/4022344

https://support.microsoft.com/de-ch/help/2510781/microsoft-malware-protection-engine-deployment-information

https://social.technet.microsoft.com/Forums/windowsserver/en-US/a4c83e56-758c-4ace-ba0f-4e1ffdc39514/wsus-and-microsoft-security-advisory-4022344-09052017-windows-leak-in-all-ms-security-products?forum=winserverwsus

https://www.us-cert.gov/ncas/current-activity/2017/05/08/Microsoft-Releases-Critical-Security-Update

Registry key to see which engine version you have in Windows Defender:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Signature Updates\EngineVersion"

Is Windows Defender on or off?

If this key is set to "1", Windows Defender is INACTIVE.

Check whether Windows Defender is running via its UI:

"C:\Program Files\Windows Defender\MSASCui.exe"

How to check whether Windows Defender is running by a directory check:

If it is ACTIVE there is a directory called "C:\ProgramData\Microsoft\Windows Defender"

How to check whether you are safe: this file has to be newer than 8.5.2017 to be safe:

"C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1F3264AD-BA13-4E95-93D5-DA22838B8633}\mpengine.dll"

The GUID {1F3264AD-BA13-4E95-93D5-DA22838B8633} changes with every DEF update.

You can ONLY update the DEFs if Windows Defender is running.
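The three manual checks above (engine version in the registry, service state, age of mpengine.dll) can be scripted. The following is an added example written for this post, not code from the post or from Microsoft. It assumes the Windows service short names WinDefend (Windows Defender Service) and WdNisSvc (Windows Defender Network Inspection Service), takes the first fixed engine version 1.1.13704.0 from the Technet advisory text quoted further down this page, applies the post's "newer than 8.5.2017" rule to the DLL, and the `sc query` output it parses is constructed sample text. The registry and service lookups only run on Windows; the parsing and comparison logic runs anywhere.

```python
"""Checks for the Microsoft Malware Protection Engine state (added example, not from the post)."""
import glob
import os
import platform
import re
import subprocess
from datetime import date, datetime, timezone

# Engine versions as stated in the advisory text quoted on this page.
LAST_AFFECTED_ENGINE = (1, 1, 13701, 0)
FIRST_FIXED_ENGINE = (1, 1, 13704, 0)
# The post's rule of thumb: mpengine.dll must be newer than 8 May 2017.
SAFE_AFTER = date(2017, 5, 8)

# Paths from the post; the {GUID} folder name changes with every definition update.
DEFENDER_REG_PATH = r"SOFTWARE\Microsoft\Windows Defender\Signature Updates"
DEFINITIONS_ROOT = r"C:\ProgramData\Microsoft\Windows Defender\Definition Updates"
# Assumed service short names for the two services the McAfee KB text lists.
DEFENDER_SERVICES = ("WinDefend", "WdNisSvc")


def parse_version(text):
    """'1.1.13704.0' -> (1, 1, 13704, 0); raises ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a 4-part engine version: {text!r}")
    return tuple(int(p) for p in parts)


def engine_is_fixed(version_text):
    """True when the engine is at or above the first version with the fix."""
    return parse_version(version_text) >= FIRST_FIXED_ENGINE


def registry_engine_version():
    """Read EngineVersion from the registry; None when not on Windows or the value is absent."""
    if platform.system() != "Windows":
        return None
    import winreg  # only importable on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DEFENDER_REG_PATH) as key:
            value, _ = winreg.QueryValueEx(key, "EngineVersion")
            return str(value)
    except OSError:
        return None


def parse_sc_query_state(output):
    """Extract the STATE word (RUNNING, STOPPED, ...) from 'sc query <svc>' output.
    Returns None when no STATE line is present (e.g. service not installed, error 1060)."""
    m = re.search(r"STATE\s*:\s*\d+\s+([A-Z_]+)", output)
    return m.group(1) if m else None


def service_state(name):
    """Run 'sc query <name>' (Windows only) and return its STATE word or None."""
    if platform.system() != "Windows":
        return None
    out = subprocess.run(["sc", "query", name], capture_output=True, text=True).stdout
    return parse_sc_query_state(out)


def newest_mpengine(root=DEFINITIONS_ROOT):
    """Return (path, mtime_epoch) of the most recently modified mpengine.dll, or None."""
    candidates = glob.glob(os.path.join(root, "{*}", "mpengine.dll"))
    if not candidates:
        return None
    path = max(candidates, key=os.path.getmtime)
    return path, os.path.getmtime(path)


def mpengine_is_safe(mtime_epoch):
    """Apply the post's date rule to a file modification time (epoch seconds, read as UTC)."""
    return datetime.fromtimestamp(mtime_epoch, tz=timezone.utc).date() > SAFE_AFTER


if __name__ == "__main__":
    ver = registry_engine_version()
    print("engine version:", ver, "fixed:", engine_is_fixed(ver) if ver else "unknown")
    for svc in DEFENDER_SERVICES:
        print(svc, "state:", service_state(svc))
    found = newest_mpengine()
    print("mpengine.dll:", found and (found[0], "safe" if mpengine_is_safe(found[1]) else "old"))
```

If the registry value is missing and both services report STOPPED, the machine is in the "Defender disabled, third-party AV installed" situation the post asks about, and the engine cannot be updated through Defender on that box.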

 

With McAfee:

Environment: McAfee Endpoint Security (ENS) Threat Prevention 10.x

As per the Windows Anti-Malware agreement, McAfee is not supposed to uninstall Windows Defender on Windows systems. We integrate with Windows Action Center (WAC) and when WAC sees that ENS Threat Prevention is installed, it disables Windows Defender.

Perform the following steps to check whether Windows Defender is disabled after installing ENS Threat Prevention:

1. Open the Control Panel and check the status of Windows Defender.

2. Check the status of the Windows Defender services:

  • Press CTRL+ALT+DEL, and then select Task Manager.
  • Click the Services tab.
  • Check the status of the following services:

Windows Defender Network Inspection Service

Windows Defender Service

The Control Panel should show that Windows Defender is disabled and the Windows Defender services should be stopped. If the Windows Defender services are stopped, but the Control Panel is showing that Windows Defender is enabled, it is a system issue.

 

 

How to enable/select Windows Defender Patches in WSUS 3.X

 

Microsoft TechNet:

Microsoft Security Advisory 4022344: Security Update for Microsoft Malware Protection Engine

Published: May 8, 2017

Executive Summary

Microsoft is releasing this security advisory to inform customers that an update to the Microsoft Malware Protection Engine addresses a security vulnerability that was reported to Microsoft.

The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.

The Microsoft Malware Protection Engine ships with several Microsoft antimalware products. See the Affected Software section for a list of affected products. Updates to the Microsoft Malware Protection Engine are installed along with the updated malware definitions for the affected products. Administrators of enterprise installations should follow their established internal processes to ensure that the definition and engine updates are approved in their update management software, and that clients consume the updates accordingly.

Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release. The exact time frame depends on the software used, Internet connection, and infrastructure configuration.

Advisory Details

Issue References

For more information about this issue, see the following references:

Identification

Last version of the Microsoft Malware Protection Engine affected by this vulnerability: Version 1.1.13701.0

First version of the Microsoft Malware Protection Engine with this vulnerability addressed: Version 1.1.13704.0*

*If your version of the Microsoft Malware Protection Engine is equal to or greater than this version, then you are not affected by this vulnerability and do not need to take any further action. For more information on how to verify the engine version number that your software is currently using, see the section, "Verifying Update Installation", in Microsoft Knowledge Base Article 2510781.

Affected Software

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

Antimalware Software: Microsoft Malware Protection Engine Remote Code Execution Vulnerability, CVE-2017-0290

Each of the following products is rated Critical, with Remote Code Execution as the impact:

  • Microsoft Forefront Endpoint Protection 2010
  • Microsoft Endpoint Protection
  • Microsoft Forefront Security for SharePoint Service Pack 3
  • Microsoft System Center Endpoint Protection
  • Microsoft Security Essentials
  • Windows Defender for Windows 7
  • Windows Defender for Windows 8.1
  • Windows Defender for Windows RT 8.1
  • Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703
  • Windows Intune Endpoint Protection

 

MCAFEE: Unable to update AMCORE with McAfee Agent 5.0.4 after ENS 10.2 to 10.5.1 Migration

Event 1119, Unable to update AMCORE Content and Scan Module with McAfee Agent 5.0.4 after ENS 10.2 to 10.5.1 Migration

Setup:

The customer had a running and working ePO 5.3.2 in a German client environment.

What was done?

During a migration scenario with Agent 5.0.4 and ENS 10.2 we wanted to update to ENS 10.5.1.

Error:

After the update of the "Platform" and "Endpoint Security Threat Prevention" we had the following problems:

  • AMCORE content did not update, neither by task nor via the end-user GUI; "Jetzt Aktualisieren" ("Update Now") turned RED
  • Error on German clients: Fehler bei der Aktualisierung. Siehe Ereignisprotokoll, Event ID: 1119
  • Downloading file from https://eposerver006:443/Software/SiteStat.xml?hash={15bbaf26-2e42-16e7-37b9-8be54700e4e7} to C:\Windows\TEMP\SiteStat.xml failed. (Opening the XML manually in a browser worked fine)
  • Migration from 10.2 > 10.5.1: clients needed to reboot 1-2 times to get the second part, "Threat Prevention", running. That may be by design for 10.2 to 10.5.1, but we had other cases where this worked (this seems to be how it is EVEN with Framework 5.0.5). We had one customer where this worked in ONE go during a 10.2 to 10.5 RTM migration.

     

    AMCONTENT Version stays at 0.5

 

Fehler bei der Aktualisierung. Siehe Ereignisprotokoll.

Solution for Event 1119

We could solve this by upgrading the McAfee Framework Agent from 5.0.4 to 5.0.5 RTM (5.0.5.658). This is filed under McAfee 1156417. This works even when ENS 10.5.1 is already on the client and the client is in that stalled mode where it does not update AMCORE content.

5.0.4.400 (a hotfix not seen in the Software Updater of ePO) did not solve it.

 

This is the config we had:

5.0.4.283

10.2.0.619

10.2.0.620

This is the config with which everything was working fine afterwards:

5.0.5.658

 

This is what is wrong, as seen in ePO after we updated to Agent 5.0.5:

 

 

 

Errors we did see on clients:

c:\ProgramData\McAfee\Common Framework\logs\McScript_error.log

2017-05-01 09:45:02    E    #4528    downloader     Downloading file from https://10.20.12.203:443/Software/SiteStat.xml?hash={15bbaf26-2e42-16e7-37b9-8be51700e4e7} to C:\Windows\TEMP\SiteStat.xml failed.

If you MANUALLY open the XML file in a browser, this works fine.

 

c:\ProgramData\McAfee\Endpoint Security\Logs\PackageManager_Activity.log

02.05.2017 10:25:59 mfeesp(2600.3848) <SYSTEM> PackageManager.PackageManager.Activity: Fehler beim Herunterladen von C:\ProgramData\McAfee\Common Framework\\Current\AMCORDAT2000\DAT\0000\PkgCatalog.z.

02.05.2017 10:25:59 mfeesp(2600.3852) <SYSTEM> PackageManager.PackageManager.Activity: Fehler beim Aktualisieren auf Version 2966.0.

02.05.2017 10:26:00 mfeesp(2600.4004) <SYSTEM> PackageManager.PackageManager.Activity: Bei der Aktualisierung sind Fehler aufgetreten. Weitere Informationen finden Sie im Fehlerprotokoll.

02.05.2017 10:31:56 mfeesp(2600.3160) <SYSTEM> PackageManager.PackageManager.Activity: AutoUpdate wird gestartet: Standard-AutoUpdate

02.05.2017 10:31:59 mfeesp(2600.3852) <SYSTEM> PackageManager.PackageManager.Activity: Aktualisierung wird ausgeführt
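When you have many clients, grepping these two log files by hand does not scale. The following is an added example written for this post (not McAfee's code nor the post's own) that flags the failure signature of this case in both logs and compares the agent version against 5.0.5.658, the version that fixed it for us. The embedded log lines are constructed to mirror the ones quoted above, with a placeholder ePO host and hash; the German message strings are matched as they appear on German clients, and an English client would log different text, so the patterns are tied to this localization.

```python
"""Detect the Event 1119 / AMCORE update failure pattern in McAfee client logs (added example)."""
import re

# Constructed sample lines modelled on McScript_error.log as quoted in the post.
MCSCRIPT_ERROR_LOG = r"""
2017-05-01 09:45:02    E    #4528    downloader     Downloading file from https://epo.example.local:443/Software/SiteStat.xml?hash={00000000-0000-0000-0000-000000000000} to C:\Windows\TEMP\SiteStat.xml failed.
2017-05-01 09:46:10    I    #4528    downloader     Downloading file from https://epo.example.local:443/Software/Catalog.z to C:\Windows\TEMP\Catalog.z succeeded.
"""

# Constructed sample lines modelled on PackageManager_Activity.log (German client).
PACKAGEMANAGER_ACTIVITY_LOG = r"""
02.05.2017 10:25:59 mfeesp(2600.3848) <SYSTEM> PackageManager.PackageManager.Activity: Fehler beim Herunterladen von C:\ProgramData\McAfee\Common Framework\\Current\AMCORDAT2000\DAT\0000\PkgCatalog.z.
02.05.2017 10:25:59 mfeesp(2600.3852) <SYSTEM> PackageManager.PackageManager.Activity: Fehler beim Aktualisieren auf Version 2966.0.
02.05.2017 10:31:56 mfeesp(2600.3160) <SYSTEM> PackageManager.PackageManager.Activity: AutoUpdate wird gestartet: Standard-AutoUpdate
02.05.2017 10:31:59 mfeesp(2600.3852) <SYSTEM> PackageManager.PackageManager.Activity: Aktualisierung wird ausgeführt
"""

# McAfee Agent 5.0.5 RTM, the version that resolved the case described in the post.
FIXED_AGENT = (5, 0, 5, 658)

# "Downloading file from <url>/SiteStat.xml?... to <local> failed."
SITESTAT_FAIL = re.compile(r"Downloading file from (\S+?/SiteStat\.xml)\S* to \S+ failed\.")
# German PackageManager failure messages: download failure (with path) or update failure (with version).
PKG_FAIL = re.compile(
    r"Fehler beim (?:Herunterladen von (?P<file>.+?)\.?$|Aktualisieren auf Version (?P<ver>\d+(?:\.\d+)*))"
)


def sitestat_failures(log_text):
    """URLs of every failed SiteStat.xml download in McScript_error.log text."""
    return [m.group(1) for m in SITESTAT_FAIL.finditer(log_text)]


def packagemanager_failures(log_text):
    """[('download', path) | ('update', version), ...] from PackageManager_Activity.log text."""
    found = []
    for line in log_text.splitlines():
        m = PKG_FAIL.search(line)
        if not m:
            continue
        if m.group("file"):
            found.append(("download", m.group("file")))
        else:
            found.append(("update", m.group("ver")))
    return found


def agent_needs_upgrade(version_text):
    """True when the McAfee Agent version is below 5.0.5.658 (missing parts count as 0)."""
    parts = [int(p) for p in version_text.strip().split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts[:4]) < FIXED_AGENT


def diagnose(mcscript_log, packagemanager_log, agent_version):
    """Combine both logs and the agent version into one verdict for a client."""
    sitestat = sitestat_failures(mcscript_log)
    pkg = packagemanager_failures(packagemanager_log)
    return {
        "sitestat_failures": sitestat,
        "packagemanager_failures": pkg,
        # the combination we saw: SiteStat.xml download fails AND the content update fails
        "matches_event_1119_pattern": bool(sitestat) and any(kind == "update" for kind, _ in pkg),
        "upgrade_agent": agent_needs_upgrade(agent_version),
    }


if __name__ == "__main__":
    for key, value in diagnose(MCSCRIPT_ERROR_LOG, PACKAGEMANAGER_ACTIVITY_LOG, "5.0.4.283").items():
        print(f"{key}: {value}")
```

On a real client, read the two files from the paths named above and pass the agent version reported by ePO; a client that matches the pattern and still runs an agent below 5.0.5.658 is a candidate for the agent upgrade before anything else is tried.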

 

Error seen on ePO:

Text: Fehler bei der Aktualisierung. Siehe Ereignisprotokoll.

Event ID: 1119

This is where you could see in the GUI that something is not working: when you press the Update Now button it turns RED.

 

 

Release Notes Agent 5.0.5

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26907/en_US/ma_505_rn_0-00_en-us.pdf

 

 

 

Antivirus needs 50-100% CPU load: who is to blame?

McAfee / Symantec / Trend / Kaspersky

German: Windows Prioritätsinversion

English: Windows Priority Inversion

FAQ / Questions

  • Every time I log on to Windows 7/8/10/XP it is slow. Surely that is the antivirus?
  • Every time I start a server, antivirus XX pulls 100% CPU load?
  • Why does the task/service "******.exe" need so much CPU? When I uninstall/disable it, it is faster?
  • McAfee task needs X% CPU time, why?
  • When I turn off option Y in the antivirus it runs faster. The antivirus is to blame.

Why

  • Every error/delay bug that a piece of software has, McAfee VSE/ENS or Symantec SEP then adds to again in terms of performance. For example, in the healthcare sector there is software that pulls 400 files from a share when opening a login mask. The software does not update, nor does it check LDAP/DB etc. It is simply miserably programmed. This would not be that bad if it were installed as an MSI with a Windows Installer package and did not run from a share.
  • CPU load with regard to priority is handled by Windows. Even if the McAfee services or the scanner come with a "low priority", another task can affect them if they handle the same resource. So any EXE that runs with HIGH priority can raise others that are ahead of it in the queue (it is not the EXE but Windows itself that does this).
  • So: prio1.exe comes with PRIO HIGH and urgently needs something on a file share. Windows then also raises the antivirus tasks so that they finish whatever they are doing. The stupid thing is that these services are always doing something.

Solution

Find the software that is badly programmed and a) patch it or b) replace resp. eliminate it.

Conclusion

The antivirus is rarely to blame... at most ransomware is, and the fact that in 2017 the antivirus may no longer have any exceptions.

WIKIPEDIA: https://de.wikipedia.org/wiki/Priorit%C3%A4tsinversion

Making it faster: it is that simple, and my meinesoftware.exe is the fastest: https://social.msdn.microsoft.com/Forums/vstudio/en-US/daae2f48-d2c9-44f1-b981-3d5397cf156c/how-to-change-the-application-priority?forum=netfxbcl (whether other things are still running does not interest me...)

MSDN: https://msdn.microsoft.com/en-us/library/system.diagnostics.process.priorityclass.aspx

Dr. Dobb's Journal, Eric Bruno describes this (does anyone among today's hipster coders still know it?): http://www.drdobbs.com/jvm/what-is-priority-inversion-and-how-do-yo/230600008

 

Priority Inversion

 

https://msdn.microsoft.com/library/ms684831(v=VS.85).aspx

Priority inversion occurs when two or more threads with different priorities are in contention to be scheduled. Consider a simple case with three threads: thread 1, thread 2, and thread 3. Thread 1 is high priority and becomes ready to be scheduled. Thread 2, a low-priority thread, is executing code in a critical section. Thread 1, the high-priority thread, begins waiting for a shared resource from thread 2. Thread 3 has medium priority. Thread 3 receives all the processor time, because the high-priority thread (thread 1) is waiting for shared resources from the low-priority thread (thread 2). Thread 2 will not leave the critical section, because it does not have the highest priority and will not be scheduled.

The scheduler solves this problem by randomly boosting the priority of the ready threads (in this case, the low priority lock-holders). The low priority threads run long enough to exit the critical section, and the high-priority thread can enter the critical section. If the low-priority thread does not get enough CPU time to exit the critical section the first time, it will get another chance during the next round of scheduling.
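To make the three-thread scenario in the MSDN text concrete, here is an added example (my own code, not Microsoft's and not from this post) of a tick-based fixed-priority scheduler. With no boost, medium-priority T3 runs to completion while high-priority T1 sits waiting for the lock held by low-priority T2, which is the inversion; with the lock holder boosted, T1 finishes first. The boost is implemented deterministically (the holder inherits the waiter's priority until it unlocks), which stands in for the random boost the MSDN text describes; the priorities, arrival ticks and step lengths are constructed for the demonstration.

```python
"""Tick-based fixed-priority scheduler showing priority inversion (added example, not from the post)."""


class Thread:
    """A thread with a base priority and a tiny program of lock/work/unlock steps."""

    def __init__(self, name, prio, arrival, program):
        self.name, self.base_prio, self.arrival = name, prio, arrival
        self.prio = prio            # effective priority (may be boosted)
        self.program = list(program)
        self.pc = 0                 # index of the current step
        self.left = 0               # ticks left in the current "work" step
        self.blocked = False        # waiting for the shared lock

    def done(self):
        return self.pc >= len(self.program)


def simulate(threads, boost_lock_holder, max_ticks=100):
    """Run until all threads finish; return {name: tick at which it finished}.

    Each tick the highest-priority ready thread executes one step. A thread that
    tries to take a lock someone else holds blocks; with boost_lock_holder=True the
    holder inherits the waiter's priority (a deterministic stand-in for the random
    boost in the MSDN text) until it unlocks."""
    lock_holder = None
    finished = {}
    for tick in range(max_ticks):
        while True:
            ready = [t for t in threads if t.arrival <= tick and not t.done() and not t.blocked]
            if not ready:
                break                          # idle tick, nobody runnable yet
            th = max(ready, key=lambda t: t.prio)
            step = th.program[th.pc]
            if step[0] == "lock" and lock_holder is not None:
                th.blocked = True              # contended lock: wait for unlock
                if boost_lock_holder and lock_holder.prio < th.prio:
                    lock_holder.prio = th.prio
                continue                       # re-pick with the new priorities
            if step[0] == "lock":
                lock_holder = th
                th.pc += 1
            elif step[0] == "work":
                if th.left == 0:
                    th.left = step[1]
                th.left -= 1
                if th.left == 0:
                    th.pc += 1
            elif step[0] == "unlock":
                lock_holder = None
                th.prio = th.base_prio         # drop any inherited boost
                th.pc += 1
                for t in threads:
                    t.blocked = False          # waiters retry the lock next tick
            if th.done():
                finished[th.name] = tick
            break                              # one thread runs per tick
        if len(finished) == len(threads):
            break
    return finished


def priority_inversion_demo(boost):
    """The MSDN scenario: T1 high, T2 low (takes the lock first), T3 medium (needs no lock)."""
    threads = [
        Thread("T1", prio=3, arrival=1, program=[("lock",), ("work", 2), ("unlock",)]),
        Thread("T2", prio=1, arrival=0, program=[("lock",), ("work", 3), ("unlock",)]),
        Thread("T3", prio=2, arrival=1, program=[("work", 5)]),
    ]
    return simulate(threads, boost_lock_holder=boost)


if __name__ == "__main__":
    print("no boost  :", priority_inversion_demo(False))   # T3 finishes long before T1
    print("with boost:", priority_inversion_demo(True))    # T1 finishes first
```

The mapping to the post's examples: T2 is the antivirus service doing its slow background work while holding a resource, T1 is WINLOGON or prio1.exe that urgently needs that resource, and the boost is why the antivirus process suddenly shows up at a higher priority and eats the CPU. It is doing the work the high-priority task is waiting for.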

 

 

 

Two examples from practice:

  • Every time I log on to the system it is slow and the antivirus pulls 50% or 100% CPU time on one core? (out of 4/8...)
  • Every time I start a server, antivirus XX pulls 100% CPU load?

This is basically because WINLOGON runs with a PRIO of 13 and has permission to force OTHER tasks (Windows itself does this).

If, for example, an antivirus runs that scans SERVICES and STARTUP files/keys because of MBR malware, it is adjusted by the task behind it to a higher priority.

So it is NOT the antivirus that is slow, but the software that mixes up the whole PRIO.

Here you can see the TASKS that run with a higher PRIO: WINLOGON so that everything works at LOGON, plus e.g. a Forticlient SSL VPN.

 

Exchange 2010 large mailbox with 112 GB size found

The largest Exchange customer mailbox seen to date? (People with large attachments who really have them for business reasons)

Did not even know that's possible?

A new top scorer was found on a Swiss Exchange 2010 not under maintenance. A busy female user of an advertising and printing office has 112 GIGABYTES in her Exchange mailbox.

The mailbox has been running fine for over 4 years now.

  • Maybe the OST cache files would come into play when they once migrate their local client from spinning disk to a smaller SSD ;-) Her OST file would then fill the 128 GB SSD disks. Now I understand why some users don't like Cached Mode from a 1st-level view.

The user has a true workload like this, and her recycle bin only shows 188 MB. We have seen an employee once who built an ARCHIVE SOLUTION under his RECYCLE folder in Outlook.exe. So cleaning out the recycle bin when you leave outlook.exe per GPO is not always a good solution.

Swiss record I guess?

get-mailbox | Get-MailboxStatistics | where {$_.ObjectClass -eq "Mailbox"} | Sort-Object TotalItemSize -Descending | ft @{label="User";expression={$_.DisplayName}},@{label="Total Size (MB)";expression={$_.TotalItemSize.Value.ToMB()}},@{label="Items";expression={$_.ItemCount}},@{label="Storage Limit";expression={$_.StorageLimitStatus}} -auto

 

Screenshots: running time of the mailbox, and proof of the mailbox size.

UNINSTALL Internet Explorer 11 - IE11 - Uninstall IE 11

Sometimes you may need to uninstall Internet Explorer 11. It may get corrupted, or, which we hope not, you may need another browser.

99% of websites run just fine if you understand corporate tools like "ENTERPRISE MODE" (http://www.butsch.ch/post/IE11-Umsetzen-Unternehmensmodus-Enterprise-Mode.aspx).

Also keep in mind that in the last leaked CIA Wikileaks (*1) papers all other browsers, and especially portable versions, were mentioned as DLL injectors. IE is managed by Group Policy in your company, so leave it as it is ;-) No, there is NO GPO for Chrome and Firefox.

 

Uninstall IE11 with the GUI (if you find it after 2 hrs in a list of 800 updates)

  1. Click the Start button, type Programs and Features in the search box, and then select View installed updates
  2. Under Uninstall an update, scroll down to the Microsoft Windows section
  3. Right-click Internet Explorer 11, click Uninstall, and then, when prompted, click Yes

Using batch:

FORFILES /P %WINDIR%\servicing\Packages /M Microsoft-Windows-InternetExplorer-*11.*.mum /c "cmd /c echo Deinstalliere @fname && start /w pkgmgr /up:@fname /norestart /quiet"

 

Using the CLI with the WUSA tool:

wusa.exe /uninstall /kb:2841134 /quiet

Check our Post for WUSA: http://www.butsch.ch/post/How-to-identify-WSUSWindows-Update-Patches-installed-on-a-Windows-7-in-Batch.aspx

 

If you have a PRE-installed IE11 from Microsoft or some OEM brand (producer) then you may need to do additional steps to uninstall IE11.

1.    Open cmd.exe, type regedit and hit Enter.

2.    Go to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer

3.    Right-click the Internet Explorer key, choose "New" and select "DWORD" value.

4.    Enter "InstalledByUser" as the name and hit "Enter" on your keyboard.

5.    In cmd.exe run:

%windir%\ie11\spuninst\spuninst.exe

 

*1 Reference mentioned Wikileaks around 02/2017:

 

Our Links:

http://www.butsch.ch/post/IE11-IEAK-11-Setup-9-PRE-Deployment-Patches-2b-1-Hotfix.aspx

http://www.butsch.ch/post/How-to-identify-WSUSWindows-Update-Patches-installed-on-a-Windows-7-in-Batch.aspx

http://www.butsch.ch/post/IE11-Umsetzen-Unternehmensmodus-Enterprise-Mode.aspx