Browser TLS 1.3 activated and your Firewall can’t handle it?

TLS 1.3

https://tools.ietf.org/html/rfc8446

Some modern browsers switch to TLS 1.3 automatically if the web server on the other side supports it, for example Chrome from version 72, and even the OS itself does so from Windows 10 build 20170 upwards. So it's all safer and faster?

https://blogs.windows.com/windows-insider/2020/07/15/announcing-windows-10-insider-preview-build-20170/

The problem is that some Next Generation web filters (firewalls) can't look into the SSL encryption anymore to find malware/ransomware. With the self-updating mechanism of browsers like Chrome or Edge Chromium you suddenly have a constellation that you did not want. While you approved IE11/Edge updates in WSUS and mostly checked each new release of the browser before releasing it, this has changed.

The interesting point is that some load balancers are also only able to break (deep inspect) TLS 1.3 traffic with really new firmware releases. Customers have been demanding that feature since 2017, as we see in various blogs and feature request portals of the vendors. So if you want to inspect SSL (break the SSL stream) and your firewall can't handle TLS 1.3 specifically, you currently have a problem.

Checking whether your browser has TLS 1.3 active is easy:

CHROME:

chrome://flags/#tls13-variant (TLS 1.3 is the default since version 72)

MICROSOFT EDGE CHROMIUM:

edge://flags/

For example, type edge://flags/ in the browser URL bar.

Or jump directly to the TLS 1.3 setting with edge://flags/#enable-tls13-early-data

Open the following test website to see what your browser supports:

https://browserleaks.com/ssl
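
As an added example (not from the original post), this PowerShell function opens a TLS connection from the Windows machine to a server and reports the protocol version Schannel actually negotiated and who issued the certificate it received. The host name www.example.com is a placeholder, and the function assumes Windows PowerShell 5.1 with .NET 4.8 or newer.

```powershell
# Added example, not from the original post: report the TLS version this Windows
# client negotiates with a server and the issuer of the certificate it was handed.
# Assumes PowerShell 5.1 / .NET 4.8 or newer; www.example.com below is a placeholder.
function Test-TlsVersion {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any server certificate here: this is a diagnostic that reports
        # the negotiated protocol and the certificate issuer, not a trust decision.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # SslProtocols::None lets Schannel pick the highest version the OS supports
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::None, $false)
        [pscustomobject]@{
            Host     = $HostName
            Protocol = $ssl.SslProtocol          # Tls12 or Tls13
            Cipher   = $ssl.CipherAlgorithm
            Issuer   = $ssl.RemoteCertificate.Issuer
        }
        $ssl.Dispose()
    }
    finally { $client.Dispose() }
}

# Placeholder host; use a server you want to test through your firewall
Test-TlsVersion -HostName 'www.example.com'
```

On an OS that supports it (Windows 10 build 20170 upwards, as described above) Protocol shows Tls13 against a server that offers it. The Issuer field is the practical check for inspection: when the firewall breaks the stream, the certificate you receive is issued by the firewall's inspection CA instead of the public CA. Tls13 together with the public CA's name means the session passed through the firewall uninspected.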

https://news.sophos.com/en-us/2020/08/18/report-firewall-best-practices-to-block-ransomware/

https://www.fortinet.com/blog/business-and-technology/tls-is-here-what-this-means-for-you

https://www.f5.com/c/landing/encrypted-threats/article/tls-1-3-are-you-ready-for-the-update

https://community.checkpoint.com/t5/General-Topics/CheckPoint-TLS-1-3-support-When/td-p/63672

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/understanding_traffic_decryption.html

https://www.sonicwall.com/support/knowledge-base/ssl-tls-protocols-supported-by-sonicos-matrix/170615123553371/

Read more:

https://devblogs.microsoft.com/premier-developer/microsoft-tls-1-3-support-reference/

https://www.imperial.ac.uk/media/imperial-college/faculty-of-engineering/computing/public/1819-pg-projects/Detecting-Malware-in-TLS-Traf%EF%AC%81c.pdf

https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/

https://www.heise.de/security/meldung/Verschluesselung-TLS-1-3-Fauxpas-gefaehrdet-Embedded-Systeme-mit-wolfSSL-4883741.html

https://www.heise.de/hintergrund/Was-TLS-1-3-ist-und-wie-Sie-davon-profitieren-4248740.html

https://www.sans.org/reading-room/whitepapers/vpns/paper/39715

https://nakedsecurity.sophos.com/2020/02/18/malware-and-https-a-growing-love-affair/

McAfee Security for Exchange 8.6, display bug: warning "DAT out of date"

EPO integrated McAfee Security for Exchange 8.6 SP2

If you have a fully integrated McAfee Security for Exchange where you manage the POLICY and SETTINGS from the EPO (not on the Exchange itself), you may see an error in the GUI where it says "Your Anti-Virus DAT may be out of DATE".

That is only a warning: if you check the DAT, it is fine and up to date.

The DAT Update button in the GUI on the Exchange itself does not seem to update.

The server actually has the latest DAT. In the example on the left side below you see 9730, which is the DAT from 31.08.2020.

The Update function just does not understand that the server received the DAT from the EPO instead of from the WAN.

Exchange servers behind a load balancer like Kemp or F5 often have limited WAN internet access.

Some Tips:

  • On smaller Exchange servers > Sometimes you can solve this by changing the schedule, e.g. from 08:00 to 08:01 (just add a minute), and updating > maybe fine
  • If not behind a load balancer > You may have to check the WAN access from the Exchange server and whether it can get the DAT from McAfee
  • If you download the DAT manually from McAfee and try to install it, you will see that you already have the newest version.

Screenshot from 1. September 2020

Check in EPO under Products

If you can't get it working for whatever reason, PUSH the DAT from McAfee EPO directly to the Exchange server where McAfee Security for Exchange runs. The error in the GUI will stay.

WSUS, W10 19XX > Feature update to Windows 10, Unable to find Resource

Unable to deploy W10 > W10 19XX (Feature Updates) to Windows 10 Clients via WSUS on Server 2012 R2.

This is the patch you need to update your W10 clients from W10 19XX to 19XX/20XX via WSUS.

This should have been fixed by update KB 2919355 and Windows8.1-KB3095113-v2-x64. However, on some WSUS Server 2012 R2 installations we could not install the patch (depending on the order in which you installed patches and the WSUS role). The patch enables handling of ESD files in the IIS web server (so IIS knows what to do with the extension and how to deliver it). You can add that entry manually in IIS.

Error you see on the WSUS server:

Feature update to Windows 10 (business editions), version 1909, de-de x64

Event reported at 27.08.2020 03:08:

(Unable to Find Resource:) ReportingEvent.Client.167; Parameters: Funktionsupdate für Windows 10 (Business-Editionen), Version 1909, de-de x64

Here is how to solve it manually in IIS Manager (MIME Types):

On the right side click "Add"

File name extension:

.esd (with the dot in front)

MIME type:

application/octet-stream

OK

Close, and maybe restart IIS or, better, the whole WSUS server.

After a reboot of the WSUS server you will see that the clients download the update.
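
As an added example (not from the original post), the same .esd MIME mapping can be added from PowerShell instead of clicking through IIS Manager. It assumes the WebAdministration module that comes with the IIS role and writes the mapping at server level (applicationHost.config), so it applies to every site including the WSUS Administration site.

```powershell
# Added example, not from the original post: add the .esd MIME type to IIS from
# PowerShell. Assumes the WebAdministration module (installed with the IIS role).
Import-Module WebAdministration

function Add-EsdMimeType {
    param(
        # Server-level staticContent section, so it covers the WSUS Administration site
        [string]$PSPath = 'MACHINE/WEBROOT/APPHOST'
    )
    $filter = 'system.webServer/staticContent'
    # Check first: adding a duplicate fileExtension would make IIS throw a config error
    $existing = Get-WebConfiguration -PSPath $PSPath -Filter "$filter/mimeMap[@fileExtension='.esd']"
    if ($existing) {
        "'.esd' is already mapped to $($existing.mimeType); nothing to do."
        return
    }
    # Same values as in the IIS Manager dialog above: extension .esd, type application/octet-stream
    Add-WebConfigurationProperty -PSPath $PSPath -Filter $filter -Name '.' `
        -Value @{ fileExtension = '.esd'; mimeType = 'application/octet-stream' }
    "'.esd' -> application/octet-stream added."
}

Add-EsdMimeType

# Restart IIS and the WSUS service so the new mapping is picked up
iisreset
Restart-Service -Name WsusService
```

Run it in an elevated PowerShell on the WSUS server. The check for an existing mapping matters because the KB 3095113 patch may already have added the entry on servers where it installed correctly.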

You can read here further info:

https://support.microsoft.com/de-de/help/3095113/update-to-enable-wsus-support-for-windows-10-feature-upgrades

This requires KB 2919355 to be installed first.

WMI Filter for GPO WIN 10 and 1709, 1803, 1809, 1903, 1909

Here is how to catch the different Windows 10 OS releases within WMI.

We used this the first time during a 1709 > 1909 migration where we wanted to push a customer startlayout.xml (different new syntax and commands for W10 1909) with GPO ONLY to the 1909 clients. SBS/KMU environments upgrade seamlessly but often forget to handle the GPO policy side during the upgrade process. If you want to modify the start layout / start menu tiles, this is often the first place where you will need the WMI filters.

W10 Version Info:

Major  Minor  Version  Build  Info           Released
10     0      1607     14393  2016 RTM LTSC  09/26/2016
10     0      1709     16299  2016 SAC       10/17/2017
10     0      1803     17134  2016 SAC       04/30/2018
10     0      1809     17763  2019 LTSC      11/13/2018
10     0      1903     18362  2019 SAC       5/21/2019
10     0      1909     18363  2019 SAC       11/12/2019

WMI query to check which version of Windows 10 you are running.

NAMESPACE: Root\CIMv2

W10 1607:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "14393"

W10 1709:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "16299"

W10 1803:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "17134"

W10 1809:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "17763"

W10 1903:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "18362"

W10 1909:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "18363"

https://docs.microsoft.com/en-us/windows/win32/wmisdk/wql-sql-for-wmi

GPO WMI FILTER

Based on the above info from us you can build the GPO WMI filter for each W10 version.

Example: Use the Paessler WMI Tester to check the query.

If the query was successful you get FEEDBACK (rows) from the query; if not, the result is empty and the GPO filter would not apply.
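
As an added example (not from the original post), the following PowerShell runs the same WQL queries the GPO WMI filters use, with the build numbers from the table above, and reports which Windows 10 release the client matches. It assumes Get-CimInstance (Windows PowerShell 3.0 or newer); a GPO WMI filter applies exactly when its query returns at least one row, which is what Test-W10Release checks.

```powershell
# Added example, not from the original post: evaluate the GPO WMI filter queries
# from PowerShell. Build/version pairs are taken from the table in the post.
$W10Builds = [ordered]@{
    '14393' = '1607'
    '16299' = '1709'
    '17134' = '1803'
    '17763' = '1809'
    '18362' = '1903'
    '18363' = '1909'
}

function Test-W10Release {
    param([Parameter(Mandatory)][string]$Build)
    # Identical to the GPO filter: Windows 10 (Version 10.x), workstation
    # (ProductType 1, not a domain controller or server), exact build number
    $query = "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '10%' AND ProductType = '1' AND BuildNumber = '$Build'"
    # The filter matches when the query returns a row; an empty result means "does not apply"
    $null -ne (Get-CimInstance -Namespace 'Root\CIMv2' -Query $query)
}

function Get-W10Release {
    foreach ($build in $W10Builds.Keys) {
        if (Test-W10Release -Build $build) {
            return [pscustomobject]@{ Build = $build; Version = $W10Builds[$build] }
        }
    }
    # No filter matched: a server SKU, or a Windows 10 release not in the table
    return $null
}

Get-W10Release
```

Running this on a 1909 client returns Build 18363 / Version 1909, and that is exactly the client on which a GPO carrying the 1909 filter (and only that GPO) is applied. An empty result on a client tells you which build is missing from your filter set before you roll out the startlayout.xml policy.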

Please also check these WMI related links from us:

http://www.butsch.ch/post/W10-Enable-Remote-Management-for-WMI-from-Commandline-silent.aspx

http://www.butsch.ch/post/How-to-identify-WSUSWindows-Update-Patches-installed-on-a-Windows-7-in-Batch.aspx

http://www.butsch.ch/post/Script-WMI-Fetch-modell-BIOS-Version-with-VB-like-SM_info-from-Dell.aspx

http://www.butsch.ch/post/Internet-Explorer-911-GPO-old-IE9-not-visible-WMI-checks.aspx

http://www.butsch.ch/post/IE11-GPO-Settings-PROXY-Explained-F5-F8.aspx


SRV2016, WSUS Server, Report Viewer 2012 CLR Types

On a Server 2016 running the WSUS server role, if you click on a report you get the same Report Viewer error as before.

This happens if you did not install WSUS into a full SQL Server and used the WID (Windows Internal Database) instead, or if you have a different SQL version or many SQL versions mixed on that machine.

ERROR:

ENG: The Microsoft Report Viewer 2012 Redistributable is required for this feature

DEU: Für dieses Feature ist Microsoft Report Viewer 2012 Redistributable erforderlich

  1. Install Microsoft System CLR Types (if needed)

Microsoft System CLR Types for Microsoft® SQL Server® 2012

32BIT

http://go.microsoft.com/fwlink/?LinkID=239643&clcid=0x409

64BIT

http://go.microsoft.com/fwlink/?LinkID=239644&clcid=0x409

  2. Download and install MICROSOFT® REPORT VIEWER 2012 RUNTIME

https://www.microsoft.com/en-us/download/details.aspx?id=35747

These are the two files you need to install:

Close and reopen the WSUS console, and the reports work now.