Andrew Berges at myITforum.com

Issue: When using the �??/forceinstall�?? switch and only changing the data (/datadir=<new folder>) folder, the upgrade process did not remove the old data folder and used the new folder. (Reference: 393182)

Resolution: Now when using the �??/forceinstall�?? switch and changing the data (/datadir=<new folder>) folder, the upgrade process removes the old data folder and uses the new folder.

Issue: When the AgentEvents folder was missing, the upgrade process failed. (Reference: 393764)

Resolution: Now the upgrade process creates the AgentEvents folder when it is missing.

Issue: Managed product installation routines were executed each time a deployment task ran on systems that used a language other than English. (Reference: 399232)

Resolution: Managed product installation routines now execute only when necessary.

Issue: If the installation or data folder contained a double-byte character, the upgrade process failed. (Reference: 404111)

Resolution: Now the installation and data folders can contain non-English characters.

Issue: When executing the VirusScan update process (mcupdate.exe) with the �??/update�?? and �??/quiet�?? switches, an upgrade dialog box would still be displayed. (Reference: 405004)

Resolution: The VirusScan update process now honors the �??/quiet�?? switch.

Issue: The upgrade process was checking for the existence of the �??My Favorites�?? and �??Fonts�?? folders. If they were not present, the upgrade failed. (Reference: 405314)

Resolution: The upgrade process no longer requires the �??My Favorites�?? and �??Fonts�?? folders to be present.

Issue: When an error occurred during Host Intrusion Prevention policy enforcement, the system could be �??locked out of the network�??. (Reference: 406896)

Resolution: Now the ePolicy Orchestrator server connection information (server IP, name and port, and incoming agent wake-up port) is recorded. This allows Host Intrusion Prevention to create specific rules that allow communication to and from the ePolicy Orchestrator server, even in the absence of Host IPS policies.

Issue: The name of the ePO server the system last communicated with appears in the XML log file. The value is initially blank and remained blank for a period of time after the first communication. (Reference: 407154)

Resolution: The name of the ePO server the system last communicated with now appears immediately after the last server communication.

Issue: The McAfee Agent deployed managed products to Microsoft Vista or Windows Server 2008 that were not supported on these platforms. (Reference: 408989)

Resolution: Managed products are now deployed only to their supported platforms.

Issue: The Mirror task created a duplicate repository, but it failed to copy the sitestat.xml file. This caused the duplicate repository to remain disabled. (Reference: 409637)

Resolution: The Mirror task now copies the sitestat.xml file to the duplicated repository.

Issue: During a managed product update, a dialog box could be presented requesting a system reboot. The dialog box asked the user if they wanted to reboot now and rebooted the system even when the user selected �??No�??. (Reference: 410573)

Resolution: The managed product update process now honors the user's selected reboot response.

Issue: Certain dates, such as leap years, were recorded incorrectly in the agent_<machinename>.xml log file. (Reference: 413415)

Resolution: All dates are now recorded correctly in the agent_<machinename>.xml log file.

Issue: The McAfee Agent only updated the VirusScan engine if the minor version was newer than what was installed. This prevented the VirusScan engine from updating to a newer build of the same version. (Reference: 414065)

Resolution: The McAfee Agent now supports build-to-build VirusScan engine updates.

Issue: The installation and upgrade processes failed if the data folder was located in the �??Windows�?? or �??WinNT�?? folders. (Reference: 415578)

Resolution: Now the installation and upgrade processes allow the data folder to be located in the �??Windows�?? or �??WinNT�?? folders with the exception of the system32 folder. The installation and upgrade processes prohibit the data folder from including the system32 folder.

Issue: Some non-McAfee product installation routines removed critical registry entries, such as the Windows IStream COM registration, causing the McAfee Agent to fail. (Reference: 416298)

Resolution: The upgrade process now re-registers the ole32.dll file when it detects it is missing.

Issue: The installation and upgrade processes failed if the installation or data folders contained double-byte characters. (Reference: 416559)

Resolution: The installation and upgrade processes now allow the installation and data folders to contain double-byte characters.

Issue: Several install and uninstall error messages made no sense when displayed on a Japanese language system. (Reference: 418729)

Resolution: The upgrade process now displays meaningful install and uninstall error messages on a Japanese language system.

Issue: On systems running VirusScan Enterprise version 8.0 the McAfee Agent did not remove the Temp files created during the execution of an �??Agent Update Task�??. (Reference: 419066)

Resolution: The McAfee Agent now removes the Temp files created during the execution of an �??Agent Update Task�??.

Note: This change does not remove the Temp files created during the execution of an "Agent Update Task" prior to implementing this patch.

Issue: During Policy Enforcement, when the McAfee Agent failed to compile the policy file, the policy enforcement failed and the agent crashed on the next Policy Enforcement. (Reference: 423070)

Resolution: The McAfee Agent now detects failed Policy Enforcements and retries the policy compilation until it completes successfully.

Issue: DAT updates were postponed indefinitely and the message �??Update will be retried after 3 mins because update is already in progress�?? appeared repeatedly in the agent log file. (Reference: 424203)

Resolution: The DAT update process now terminates properly when it detects an error in an FTP transaction.

McAfee ePolicy Orchestrator Server 4.0 Patch 3 Released

aberges — Wed, 17 Dec 2008 17:06:00 GMT

Download

McAfee KB

Resolved issues

Issues that are resolved in this release are listed below.

Issue: SuperAgent Repositories on Windows Vista and Windows 2008 systems did not appear as Distributed Repositories in the ePolicy Orchestrator console. (Reference: 371932, 405958)

Resolution: SuperAgent Repositories on Windows Vista and Windows 2008 systems now appear as Distributed Repositories in the ePolicy Orchestrator console.

Issue: A synchronization point could not be created, edited, or deleted for the �??My Organization�?? group. (Reference: 384135)

Resolution: A synchronization point for the �??My Organization�?? group can now be created, edited, and deleted.

Issue: Grouped Summary Table queries could not be ordered by label values when grouped by a version number column. For example, a group summary of managed systems grouped by group name and DAT version could not be ordered by the group name label and then by DAT version label. (Reference: 386121)

Resolution: Grouped Summary Table queries can now be ordered by the label values when grouped by a version number column.

Issue: When configuring an Active Directory synchronization group, the �??Browse�?? button for browsing and �??Add�?? button for exceptions were disabled unless the user first selected an NT domain synchronization type. (Reference: 391830)

Resolution: The �??Browse�?? and �??Add�?? buttons are now enabled without having to first select an NT domain synchronization type.

Issue: Active Directory synchronization failed when a synchronized folder name included a semicolon. (Reference: 392803)

Resolution: Active Directory folder names can now contain a semicolon.

Issue: When viewing the system properties of a system that has never communicated with the ePolicy Orchestrator server, clicking on the �??more�?? link resulted in a blank page. (Reference: 398952)

Resolution: Selecting the �??more�?? link for a managed system that has never communicated with the ePolicy Orchestrator server no longer results in a blank page.

Issue: Extra.DAT packages were not updated on Windows Vista or Windows 2008 Server managed systems. (Reference: 400563)

Resolution: Extra.DAT packages are now updated on Windows Vista and Windows 2008 Server managed systems.

Note: All Extra.DAT packages in the repository must be reinstalled before this change takes effect.

Issue: The McAfee Agent failed to enforce Host Intrusion Protection rule policies when the rule name contained an angled bracket character. (Reference: 400808)

Resolution: The McAfee Agent now enforces Host Intrusion Protection rule policies regardless of the rule name.

Issue: A client task with a �??repeat starting at�?? schedule could have a repeat duration that was less than the repeat interval, resulting in the client task never running. (Reference: 401301)

Resolution: New or modified client tasks with a �??repeat starting at�?? schedule must now have a repeat duration that is greater than or equal to the repeat interval.

Issue: When viewing the results of a query for Events, the �??Show Related Systems�?? action is not available. (Reference: 402250)

Resolution: The �??Show Related Systems�?? action is now available for Event queries.

Issue: Importing managed systems into the System Tree from a Unicode text file created erroneous entries in the System Tree. (Reference: 402271)

Resolution: An error message is now displayed when non-UTF-8 encoded text files are imported, and the System Tree is unaffected.

Issue: An updated version of the System Compliance Profiler 2.0 extension is available. (Reference: 404381)

Resolution: Version 2.0.2.191 of the System Compliance Profiler 2.0 extension is now installed during ePolicy Orchestrator 4.0 Patch 3.

Issue: Running a previous upgrade a second time, after it had been successfully installed, failed. (Reference: 405288)

Resolution: The upgrade can now be run multiple times.

Issue: VirusScan DAT and Engine version information was missing on Managed System Rollup queries. (Reference: 405383)

Resolution: Managed System Rollup queries now include VirusScan DAT and Engine version information.

Issue: In the ePolicy Orchestrator console, the option that uninstalls the McAfee Agent from managed systems was not supported by non-Windows agents, but it was a selectable option. When this option was selected and the agents were manually uninstalled and later reinstalled, the managed systems never reappeared in the ePolicy Orchestrator System Tree. (Reference: 405859)

Resolution: A non-Windows managed system, which successfully reinstalls the McAfee Agent after a failed agent uninstall from the ePolicy Orchestrator console, now reappears in the ePolicy Orchestrator console System Tree.

Issue: An ePolicy Orchestrator 4.0 upgrade failed when the SQL Server UDP port was enabled for the initial ePolicy Orchestrator 4.0 installation and disabled before upgrading. The inverse scenario also caused the upgrade to fail. (Reference: 406814, 415166)

Resolution: The ePolicy Orchestrator 4.0 upgrade no longer fails when the SQL Server UDP port was enabled for the initial ePolicy Orchestrator 4.0 installation and disabled before upgrading. The inverse scenario has also been corrected.

Issue: The Synchronization Group Agent Deployment checkbox, �??Force installation over existing Version,�?? does not remain selected after saving the Synchronization Group and accessing it again for editing. (Reference: 410246, 426930)

Resolution: The Synchronization Group Agent Deployment checkbox, �??Force installation over existing Version,�?? now retains the selected value.

Issue: Installations in clustered server environments incorrectly set the ePolicy Orchestrator services to start �??Automatically.�?? (Reference: 410543)

Resolution: Installations in clustered server environments now correctly set the ePolicy Orchestrator services to start �??Manually.�??

Issue: The managed system name is truncated to a length of 14 characters on the ePolicy Orchestrator console �??Systems�?? tab. (Reference: 410779)

Resolution: The column �??DNS Name,�?? containing a �??Fully Qualified Domain Name,�?? can now be selected as the managed system name on the ePO console �??Systems�?? tab.

Issue: The import policies process did not verify the ownership of the existing policies, which could result in policies being overwritten by users other than the owner. (Reference: 410917)

Resolution: The import policies process now verifies the ownership of the existing policies and prevents policies from being overwritten by users other than the owner.

Issue: Changes to existing policies were not recorded in the Audit Log. (Reference: 412589)

Resolution: Changes to existing policies are now recorded in the Audit Log.

Issue: The ePolicy Orchestrator Alerting extension, used by Rogue System Detection 2.0, was not localized. (Reference: 412661)

Resolution: The ePolicy Orchestrator Alerting extension is upgraded to a localized version, on ePolicy Orchestrator servers with Rogue System Detection 2.0 installed.

Issue: The ePolicy Orchestrator server failed to respond if a corrupt package file was checked in. (Reference: 413466)

Resolution: The ePolicy Orchestrator server responds correctly when a corrupt package file is checked in.

Issue: Editing a client task could result in the error message �??An Unexpected error occurred�?? being displayed in the ePolicy Orchestrator console. (Reference: 413963)

Resolution: Editing client tasks no longer results in unexpected errors.

Issue: Client tasks, for managed product extensions that do not have a default policy, were not available for configuration. (Reference: 415739)

Resolution: Client tasks, for managed product extensions that do not have a default policy, are now available for configuration.

Issue: An ePolicy Orchestrator 4.0 upgrade stopped installing the included managed product extensions after the first failure was discovered. (Reference: 415974)

Resolution: An ePolicy Orchestrator 4.0 upgrade now attempts to install each of the included managed product extensions, even if an error occurs during the installation of a previous managed product extension.

Issue: When the ePolicy Orchestrator server did not have a �??Master Agent to Server Communication Key,�?? the ePolicy Orchestrator 4.0 upgrade failed leaving the ePolicy Orchestrator server in a non-functional state. (Reference: 419859)

Resolution: The ePolicy Orchestrator 4.0 upgrade now verifies the ePolicy Orchestrator server has a �??Master Agent to Server Communication Key�?? before it starts the upgrade.

Issue: An updated version of the Host Intrusion Prevention 7.0 extension is available. (Reference: 422819)

Resolution: Version 7.0.1.133 of the Host Intrusion Prevention 7.0 extension is installed during the ePolicy Orchestrator 4.0 upgrade.

Issue: The �??delayload.log�?? file could grow without limit in the root (C:\) of the ePolicy Orchestrator server. (Reference: 425738)

Resolution: The �??delayload.log�?? file is no longer used.

Note: The ePolicy Orchestrator 4.0 upgrade process does not remove existing �??delayload.log�?? files.

Issue: Event queries could not be chained to ePolicy Orchestrator server task actions. (Reference: 427217)

Resolution: Event queries can now be chained to ePolicy Orchestrator server task actions.

Issue: Server tasks could not run an event query that was chained to these actions: apply, clear, or exclude tag actions. (Reference: 427708)

Resolution: Server tasks can now run an event query chained to these actions: apply, clear, or exclude tag actions.

Issue: The �??View Logs�?? button could fail to display the correct installation log files after an ePolicy Orchestrator 4.0 upgrade failure. (Reference: 429819)

Resolution: The �??View Logs�?? button now displays the main installation log files after an ePolicy Orchestrator 4.0 upgrade failure.

Issue: An initial ePolicy Orchestrator 4.0 installation, on a system with a local MSDE database and the UDP port disabled, could result in incorrect ePolicy Orchestrator service dependencies. (Reference: 430390)

Resolution: The ePolicy Orchestrator 4.0 upgrade repairs the ePolicy Orchestrator service dependencies for systems installed with a local MSDE database and the UDP port disabled.

Issue: Miscellaneous language translation and localization issues were reported. (Reference: 429847, 430581)

Resolution: The reported language translation and localization issues were addressed.

Issue: An updated version of the ePolicy Orchestrator Help extension is available. (Reference: 433198)

Resolution: Version 1.0.6 of the ePolicy Orchestrator Help extension is now installed during the ePolicy Orchestrator 4.0 upgrade.

Issue: Inconsistent event times would appear in the Server Task Log. (Reference: 417725)

Resolution: The problem of inconsistent event times appearing in the Server Task Log after applying patches has been fixed.

Issue: Console logons using NT authentication, worked only when the ePolicy Orchestrator console was located in a domain where a two-way trust existed between the console and ePolicy Orchestrator server domains. (Reference: 395894)

Resolution: Authentication support for multiple domain controllers has been added to the product. (For more information see KB article: 616709)

Issue: The date formats are incorrect for the English (United Kingdom) locale. (Reference: 362588)

Resolution: A new choice of English (United Kingdom) has been added to the Language drop-down list of the ePolicy Orchestrator Logon screen.

Issue: When installing managed product extensions on ePolicy Orchestrator, the installation could fail with the message: �??ERROR: java.lang.OutOfMemoryError: PermGen space.�?? (Reference: 407724)

Resolution: The PermGen Memory allocation size has been increased to 128 MB on clean installations and upgrades. (For more information see KB article: 615843)

Issue: There was a performance bottleneck when processing a large number of unrelated dashboard requests. (Reference: 407724)

Resolution: Performance has been improved to allow many users to view the dashboard.

Issue: Dashboard related caching is not functioning correctly, which caused the user to see stale data. (Reference: 411646)

Resolution: Dashboard caching has been fixed so the user views the most current data.

Issue: An unexpected error occurred while creating a query using a Grouped Bar Chart with Boolean types of data. (Reference: 415069)

Resolution: Grouped Bar Charts now correctly display data when using any of the supported data types.

Issue: Drilling down into a chart, a user could see an unexpected error page if there was a null value in the returned time field. (Reference: 413954, 419692)

Resolution: Chart drill-down now works as expected and no longer returns an error when drilling down into null time-based reports.

Issue: Some international characters caused problems in the server log details page. (Reference: 411088)

Resolution: Log entries are now correctly formatted prior to being written to the server task log.

Issue: Some valid characters caused problems when user names or passwords were typed in the ePO installer. (Reference: 395890)

Resolution: The installer now accepts all valid characters for ePolicy Orchestrator user names and passwords, including all NT authentication-allowed characters.

McAfee Rogue System Detection 2.0 Patch 1 Released

aberges — Wed, 17 Dec 2008 17:04:00 GMT

Download

Resolved issues

Issues that are resolved in this release are listed below.

Issue: Selecting the �??Next Page�?? while viewing �??Managed Machines�?? caused this message to be displayed: �??An Unknown Error has Occurred.�?? (Reference: 427453)
Resolution: Now when you view a subnet containing more than a single page of system information and you select �??Next Page,�?? the requested information is properly displayed.
Issue: The columns on the �??Managed Systems for Subnet�?? page did not sort when selected. (Reference: 430417)
Resolution: Now when you select a column on the �??Managed Systems for Subnet�?? page, the page is properly sorted.
Issue: Although the Rogue System Detection Sensor deployment task would run, the Rogue System Detection Sensor was not updated. (Reference: 415191)
Resolution: The Rogue System Detection Sensor deployment task now supports build-to-build upgrades.
Issue: The �??Detected Systems Details�?? page displayed the �??Last Detected IP Address�?? with NULL IP addresses as �??unknown error.�?? (Reference: 431047)
Resolution: The �??Last Detected IP Address�?? on the �??Detected Systems Details�?? page now displays NULL IP addresses as �??blank.�??
Issue: Rogue System Detection only allowed domain names of up to 16 characters in length. (Reference: 431049)
Resolution: Rogue System Detection now allows domain names of up to 255 characters in length.
Issue: The Rogue System Detection Sensor Service was incorrectly described in the �??Services�?? pane of the �??Computer Management�?? window. (Reference: 423608)
Resolution: The Rogue System Detection Sensor Service is now described as �??Performs broadcast and DHCP detection.�??

McAfee Host Intrusion Prevention Server 7.0.1 Extension Released

aberges — Wed, 17 Dec 2008 17:00:00 GMT

Download

New features

New and updated features in the current release of the software are described below:

7.0.1

Management of version 6.1 clients from ePolicy Orchestrator 4.0 patch 1 when the 6.1 extension is installed.
Migration of version 6.x policies to version 7.0 by running a server task from ePolicy Orchestrator 4.0.

McAfee Host Intrusion Prevention Version 7.0.0 Patch 3 Released

aberges — Wed, 17 Dec 2008 16:59:00 GMT

Download

McAfee KB

New Resolved Issues

Host IPS 7.0 Patch 3 resolves a number of stability issues seen on high availability servers, domain controllers, and backup servers. In addition, the following customer issues were also resolved:

Issue: Tivoli does not function when using Check Point VPN-1 Client when Connection Aware Group firewall rules are applied. (Reference: 425392)

Resolution: Connection Aware Group matching failed with inbound traffic with some IPSec VPNs. The Connection Aware Group matching logic was extended to handle IPSec VPN re-routing of inbound traffic to the physical adapter�??s NDIS miniport instance.

Issue: Unable to connect to HTTPS server when a client is connected with T3G wireless network connection. (Reference: 414155)

Resolution: Unsolicited inbound traffic was not being matched by the Connection Aware Group. The Host IPS Firewall will now use the IP address, instead of the MAC address, when matching traffic for Connection Aware Groups.

Issue: The Host IPS client does not block all SQL injections on a single IIS 6 server hosting multiple sites. (Reference: 419431)

Resolution: The ISAPI filter stub tracked the engine status using a single value even when multiple instances of the stub were loaded. Each ISAPI filter stub instance now tracks its respective engine status.

Issue: System stops responding or �??hangs�?? at shutdown because of incompatibility with NetMotion VPN. (Reference: 426645)

Resolution: In certain circumstances, a specific Windows API used during shutdown caused the system to stop responding. This API is no longer used during shutdown.

Issue: TCP traffic is blocked when firewall rules use short path names. (Reference: 414249)

Resolution: The firewall drivers, which failed to convert a short path name to a long form, now obtain a long form of a short path name before matching the rules.

Links for 2008-12-16 [del.icio.us]

Wed, 17 Dec 2008 00:00:00 -0600

OpenManage Client Instrumentation (OMCI) - The Dell TechCenter

Links for 2008-12-15 [del.icio.us]

Tue, 16 Dec 2008 00:00:00 -0600

Links for 2008-12-12 [del.icio.us]

Sat, 13 Dec 2008 00:00:00 -0600

Using OMCI with ConfigMgr - The Dell TechCenter

Links for 2008-12-01 [del.icio.us]

Tue, 02 Dec 2008 00:00:00 -0600

Mini Monster Mof Builder - Sherry Kissinger at myITforum.com

Links for 2008-11-21 [del.icio.us]

Sat, 22 Nov 2008 00:00:00 -0600

Links for 2008-11-20 [del.icio.us]

Fri, 21 Nov 2008 00:00:00 -0600

Links for 2008-11-19 [del.icio.us]

Thu, 20 Nov 2008 00:00:00 -0600

SANS Internet Storm Center; Adobe Reader vulnerability exploited in the wild

aberges — Fri, 07 Nov 2008 16:41:56 GMT

Adobe Reader vulnerability exploited in the wild

Published: 2008-11-07,
Last Updated: 2008-11-07 15:54:09 UTC
by Bojan Zdrnja (Version: 1)

0 comment(s)

One of our readers, Wayne Dilly, sent couple of malicious PDF documents to us. Wayne noticed that some machines got infected and wondered if the PDF documents exploited the vulnerability patched by Adobe couple of days ago (CVE-2008-2992 - see http://isc.sans.org/diary.html?storyid=5282).

Unfortunately, Wayne was right �?? these PDF documents exploit the JavaScript buffer overflow vulnerability. This is not surprising, though, as a fully working PoC has been recently published as well, but it's interesting to see that the attackers modified the PoC a little bit, probably in order to evade anti-virus detection.

And indeed �?? at the time of writing this article, according to VirusTotal 0 (yes �?? ZERO) AV products detected this malicious PDF. Very, very bad.

The payload is in a JavaScript object embedded in the PDF document. Once extracted, it just contains first level obfuscation with a simple eval(unescape()) call.

Once deobfuscated, parts of the publicly posted PoC are visible, but the attackers also modified certain parts. For example, the PoC defines a long number variable (referenced to the advisory by CORE), as shown below:

var num = 129999999999999999�?�. [a lot of numbers]
util.printf("%45000f",num);
However, the exploit code in the wild has the following loops:
var nm = 12;
for(i = 0; i < 18; i++){ nm = nm + "9"; }
for(i = 0; i < 276; i++){ nm = nm + "8"; }
util.printf(unescape(""+"%"+"25%34%35%30%30%30%66"), nm);
See how they manage to do exactly the same thing? Unfortunately, this was probably enough to fool the AV vendors.
In any case, if you haven't patched your Adobe Reader installations �?? do it ASAP as the attacks are in the wild.
--
Bojan

CounterSpy Enterprise 3.1 Maintenance Release

aberges — Wed, 29 Oct 2008 19:24:26 GMT

Just posted to the web at the below URL:

http://go.sunbeltsoftware.com/?linkid=400

List of fixes below:

Enterprise Console and Service: (Agent fixes/features are further down).

1. Removed Custom Reports from UI and Service.

2. Added support for Agent Shutdown/Agent Start from Console.

3. Give the administrator the ability to Unquarantine and send to Sunbelt for Analysis.

4. Changed name of Sunbelt Software Research Center to Sunbelt Malware Research Labs.

5. Added Force Full Threat DB Update for selected agents on Agents & Policy Grid.

6. Removed Custom from Admin Known Good/Bad controls (Not necessary).

7. Allow end-user to manually edit Known Good/Bad files and folders. Also disallow the addition of invalid file names and paths and wildcards for file names.

8. Added tab in Policy for Agent Proxy settings.

9. Allow end-user to delete System Message at both Agent and System levels.

10. Added "Archives" checkbox to scanning tab in the policy.

11. Added admin ability to turn on/off On-Access file extensions from the console.

12. Fixed bug that resulted in "Rootkit Scanned" being displayed as the title for "Rootkit Found".

13. Cleaned up the Known Good/Bad file dialogs and grids.

14. Fixed context menu on the agents/policy grid to enable/disable entries properly in sub-menus.

15. Changed minimum agent version to 3.1.2300 to support Unquarantine and Send for Analysis.

16. Added support for migrating SystemMessage table from MSAccess to SQL.

17. Added Power Management Tab to UI and settings to the policy.

18. Enable remote starting of service from console on logon, if service is not running. User must be admin on box running service.

19. Added Ping Agent, Say Hello and Check for Policy Update to Advanced Sub-menu of agents & policy control context menu.

20. Fixed bug on console that disabled File menu if a connection w/ the server was lost.

21. Added ability to report back to admin if Unquarantine or Delete from Quarantine failed.

22. Reworded Power Management tab, changed the order of the items to match consumer UI.

23. Fixed "Perform quick scan approximately..." so that it saves data to the policy.

24. Prevented logging of error messages to the System Messages table in the DeferredWorkQueueHandler, this could result in deadlock.

25. Enhanced code that Pings an agent box, pinging by both Machine Name and IP and presenting the results of both pings in a dialog after completion of the ping.

26. Added the ability to turn off information balloons in the policy

Agent:

1. Add a System Event for missed scheduled scans.

2. Added logic to report when a quarantine, unquarantine or delete from quarantine action failed.

3. Added logic in the service to set the services display name in Service Control Manager to the Product Name Long or Enterprise Product Name Long string in the resource file.

4. Added the definitions version to the hover text for the main tray icon.

5. Changed ALL history lists to sort in reverse chronological order by default.

6. Added logic to the tray to provide an Active Protection snooze feature. The user can turn AP off for a few minutes.

7. Added logic to disable AP when a machine is started in safe mode.

8. Added logic to not start tray in safe mode.

9. Fix bug where Quick/Deep Scans were not always scanning all local drives.

10. Changed the label "Risk definitions" on the overview panel to "Definitions version".

11. Removed the seconds from the definitions date/time on all screens.

12. Added logic to the Enterprise Agent dll to not send Hello calls when the machine is on battery and in power save mode.

13. Added code in the Enterprise Agent to recognize the Service State of Paused and stop sending Hello calls to the service.

14. Added a double click handler for the warning icon. It will perform the first item on the warning icon context menu.

15. Create an option that allows user to specify auto shutdown of computer once manual scan has completed (non-sticky).

16. Fix code that shows, "Bad Date Format" when there are no definitions present.

17. Added a browse button on the Safe Mode UI where a user can manually apply a definitions file that they downloaded.

18. Added a browse button on the UI Update settings page where a user can manually apply a definitions file that they downloaded.

19. Fixed a bug where the Scan Archives was not being properly set for the Enterprise Agent.

20. Removed the software version from the updates section of the overview panel.

21. Scan history panel. Changed the "Date" column headers to say "Date/Time". Also changed scan history to use the start date/time not end date/time of the scan.

22. Scan history panel. Changed column label, "Risks Total" to "Total Risks".

23. Scan history panel. Changed label for days to keep history to from, "Delete history files older than 15 days" to "History files older than 15 days will be deleted".

24. Change enterprise agent to set the sku config for the UI to always show the proxy settings tab.

25. Added support in the Enterprise Agent dll for reporting a possible False Positive as part of Unquarantine.

26. Added support in the Quarantine Panel for reporting a possible False Positive as part of Unquarantine or directly from the quarantine list.

27. Added logic in the Enterprise Agent to support a deferred work item from the service to force a definitions update.

28. Added scanner and cleaner errors to scan results xml file (threat engine).

29. Fixed Rootkit bug that could casuse BSOD.

30. Added more parameter validation in process scanning.

31. Fixed bug in the UI where Update Dialog breaks during application of multiple incremental Updates.

32. Fix AP bug where AP did not detect threats on some removable USB devices on XP SP2 and possibly other OSs.

33. Fixed a bug in the Threat Engine where one of the traces of the CommonName threat was not being detected.

34. Fixed a bug in the Enterprise Agent where cookies were only scanned for a custom scan but not quick and deep when initiated from the agent console.

35. Fixed a bug where the Enterprise Agent would show as a consumer UI when installed but could not communicate with the Enterprise service.

36. Added option to hide all balloons shown by the tray.

37. Added a policy setting from the Enterprise service to allow the admin to show/hide tray balloons.

38. Added two tray menu items; Show Balloons and Hide Balloons.

39. Fixed bug in Threat Engine where it was always calculating an MD5 for every file scanned by AP On Access.

40. Prevent premature scheduled Risk Definitions and Software Updates on wake for scheduled scans.

41. Junction point bug fix in boot time scanner and root kit engine.

42. The right click scanner shell extension was loading the resource dll one per second on Vista. Fixed to only load SBAMRes.dll once per right click 43. Fixed bug where VIPRE was not rescheduling updates when they were canceled. (Update intervals being ignored)

44. Added logic to the Enterprise Agent SOAP class to set the timeout parameter for calls to the Enterprise service. This helps resolve SOAP error 5 communications errors. Added to the policy so the Admins can change it.

45. Fixed bug where items that are moved from quarantine to always allowed aren't all making it to the always allowed section.

Adobe PSIRT: Clipboard attack update

aberges — Fri, 26 Sep 2008 18:09:18 GMT

Here's a quick update to note that we will be changing the way Flash Player interacts with the clipboard to help prevent the potential clipboard attacks that have been reported recently. Please see the following Article on security changes in Flash Player 10 for more information. These changes will be available in the final Flash Player 10 release soon.

This posting is provided �??AS IS�?? with no warranties and confers no rights

Clipboard attack update

McAfee VirusScan Enterprise 8.7i Released

aberges — Fri, 26 Sep 2008 18:07:01 GMT

New and updated features in the current release of the software:

Support for Microsoft Windows Server 2008

This release provides support for Windows Server 2008 (Longhorn).

Architectural changes

· VirusScan Enterprise incorporates some significant architectural changes that affect the manner in which the VirusScan Enterprise 8.7i core components work. These changes result in greater security benefits to customers, including:

· Better rootkit detection and cleaning without system restart �?? Safe memory patching, better IRP repair support at the system core, and the ability to read locked files at the kernal level provide better rootkit detection and the ability to clean detections without restarting the system.

· On-access scan performance improvements during system startup �?? A new boot cache process improves on-access scan performance during system startup.

· Greater self-protection �?? The self-protection feature has been enhanced to protect against a wider range of mal-processes that can terminate McAfee processes. This provides greater VirusScan Enterprise self-protection and product stability.

· Real-time malware protection

A new feature, Heuristic network check for suspicious files, provides customers with real-time detections for malware.

This feature uses sensitivity levels that can be configured, based on your risk tolerance, to look for suspicious files on your endpoints that are running VirusScan Enterprise 8.7i.

When enabled, this feature detects a suspicious program and sends a DNS request containing a fingerprint of the suspicious file to McAfee Avert Labs, which then communicates the appropriate action back to VirusScan Enterprise 8.7i.

The real-time defense feature also provides protection for classes of malware for which signatures might not be available.

This protection is in addition to the world-class DAT-based detection VirusScan Enterprise has always provided. The user experience remains the same and no additional client software is required.

In this release, this feature is available only for on-demand scans and email scanning and is disabled by default. You must select a sensitivity level to enable the feature.

Performance improvements

These changes improve performance.

· New scan deferral options improve local control of on-demand scans, including the ability to defer scans when using battery power or during presentations. One option can be configured to allow end users to defer scheduled on-demand scans for the increment of time you specify. You can specify hourly increments up to twenty-four hours, or forever.

· Enhanced system throttling now includes registry and memory scanning in addition to file scanning.

· Improved email scanner

The email scanner now supports double-byte and multi-byte languages. This improves detection reliability.

· Buffer overflow protection exclusions by API

The ability to specify buffer overflow exclusions by API was removed from VirusScan Enterprise 8.5i, but has been reinstated for the VirusScan Enterprise 8.7i release. The API exclusion name is case-sensitive.

· On-access scanner �?? Scan processes on enable

A new feature, Scan processes on enable, scans processes that are already running when the McShield service becomes enabled. When the McShield service starts, the scanner examines any process that is already running and any process as it is launched.

· On-demand scan usability improvements

When initiating an on-demand right-click scan, you can now choose an action to take on items detected by the scan. These options are available:

· Clean �?? Report and clean the detection.

· Continue �?? Report the detection and continue scanning.

SunbeltBlog: CounterSpy Enterprise 3.1 ships

aberges — Wed, 20 Aug 2008 15:56:06 GMT

Screenshot here:

http://sunbeltblog.blogspot.com/2008/08/counterspy-enterprise-31-ships.html

This is a big upgrade to their product. I'm quite excited to deploy it in our environment as the performance increase and definition overhead decrease have been talked about on their mailing lists for months now. I'll be sure to post my impressions when I begin testing.

More info on the product can be found here:

http://www.prweb.com/releases/2008/08/prweb1223244.htm

Adobe PSIRT: Flash Player "Clipboard Attack"

aberges — Wed, 20 Aug 2008 13:06:51 GMT

http://blogs.adobe.com/psirt/2008/08/clipboard_attack.html

We are aware of recent press reports about a potential �??Clipboard attack�?? issue that involves Flash Player. Adobe is currently investigating potential solutions to this issue and will update customers as soon as we have more information to provide.

More information and links available from the below source:

http://www.theregister.co.uk/2008/08/15/webbased_clipboard_hijacking/

CVE-2008-3648: Remote Code Execution Exploit with Windows XP nslookup.exe

aberges — Tue, 19 Aug 2008 13:49:59 GMT

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3648

Overview

nslookup.exe in Microsoft Windows XP SP2 allows user-assisted remote attackers to execute arbitrary code, as demonstrated by an attempted DNS zone transfer, and as exploited in the wild in August 2008.

Impact

CVSS Severity (version 2.0):
CVSS v2 Base score: 9.3 (High) (AV:N/AC:M/Au:N/C:C/I:C/A:C) (legend)
Impact Subscore: 10.0
Exploitability Subscore: 8.6
Access Vector: Network exploitable , Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information , Allows unauthorized modification , Allows disruption of service

BlackBerry Updates Attachment Service PDF Security Advisory

aberges — Tue, 19 Aug 2008 13:30:34 GMT

RIM has released version 4.1 Service Pack 6 (4.1.6) to address the vulnerability, giving an alternative to their prior suggested workaround of blocking the processing of PDF files:

http://www.blackberry.com/btsc/dynamickc.do?externalId=KB15766&sliceId=SAL_Public&command=show&forward=nonthreadedKC&kcId=KB15766

Download the new version here:

http://www.blackberry.com/go/serverdownloads

Cisco Security Advisory: Vulnerability in Cisco WebEx Meeting Manager ActiveX Control

aberges — Tue, 19 Aug 2008 13:23:15 GMT

Summary

A buffer overflow vulnerability exists in an ActiveX control used by the WebEx Meeting Manager. Exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the user client machine. The WebEx Meeting Manager is a client-side program that is provided by the Cisco WebEx meeting service. The Cisco WebEx meeting service automatically downloads, installs, and configures Meeting Manager the first time a user begins or joins a meeting.

When users connect to the WebEx meeting service, the WebEx Meeting Manager is automatically upgraded to the latest version. There is a manual workaround available for users who are not able to connect to the WebEx meeting service.

Cisco WebEx is in the process of upgrading the meeting service infrastructure with fixed versions of the affected file.

Full advisory here: http://www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml

PDF download here: http://www.cisco.com/univercd/cc/lib/csco/pdf_opt.gif

SunbeltBlog: CounterSpy 3.1 ships

aberges — Tue, 19 Aug 2008 13:11:37 GMT

Today, we officially released the consumer version of our all-new CounterSpy 3.1 product. (It�??s actually version 3, but due to having to align our version numbering scheme with our Enterprise version, it was released as 3.1).

This is a major upgrade to CounterSpy. All-new threat engine, all new technology �?? completely re-written from the ground-up for fast performance. As always, none of our products bundle toolbars, our trial versions are full versions, and we provide free support.

Give it a whirl and let me know what you think. You can always email me your opinions directly.

Users of VIPRE will find the interface familiar �?? CounterSpy is simply a sub-set of VIPRE, excluding features specific to viruses. CounterSpy customers can upgrade at anytime to the VIPRE product for a small cost.

One small note: Unlike a �??silent�?? preview edition posted last week on our website, this version comes with the On Access feature of Active Protection disabled by default (it can always be re-enabled). This feature will invariably conflict with some antivirus programs�?? real-time protection, and since almost everyone runs this product alongside their existing antivirus product, it�??s not necessary. A further explanation is in our video tutorial here.

Full company propaganda here.

Alex Eckelberry

CounterSpy 3.1 ships

Adobe Customization Wizard 9 Released

aberges — Fri, 08 Aug 2008 14:54:27 GMT

Adobe's customization tool has been updated for the latest version 9 release.

Download it here:

http://www.adobe.com/support/downloads/detail.jsp?ftpID=3993

F-Secure Weblog: F-Secure Rescue CD 3.00

aberges — Fri, 08 Aug 2008 14:53:03 GMT

Our colleagues from the Linux team blogged about it last month, but it's worth repeating:

The latest version of our Emergency Rescue CD is available.

It's a bootable Linux CD that can scan Windows hard drives (NTFS and FAT) as well attached USB drives.

If the computer has an Internet connection, the virus definition databases are updated automatically. If an Internet connection isn't available, the definition databases can be manually updated using a USB drive.

It's an excellent support tool. It's also one of the best ways to scan for MBR rootkit infections.

You can download it from here and read more details from the Linux team's post.

On 24/07/08 At 03:43 PM

F-Secure Rescue CD 3.00

McAfee VirusScan 5300 Engine Released

aberges — Thu, 07 Aug 2008 15:33:18 GMT

New Features:

Improved automatic identification and removal of malware delivering to the customer the next generation of best-of-breed Anti-Virus Scanning Engines. The 5300 Anti-Virus Scanning Engine offers improved protection against existing, new and future threats and increases the depth and breadth of the protection McAfee provide our customers.
100% drop-in compatibility with the existing McAfee Anti-Virus Scanning Engine and DAT files. It's easy to upgrade; just replace your existing Engine with the new version and you're protected.
Enhanced support for detection and repair for Office 12 documents, as well as improved ZIP file support.
Support for Solaris 10 on Intel x86 and x64.
Support for FreeBSD 6.2 and 7.0
Support for HP-UX 11i v3 on PA-Risc

Download here:

http://www.mcafee.com/apps/downloads/security_updates/engines.asp

VIPRE Enterprise Released

aberges — Tue, 05 Aug 2008 18:20:15 GMT

The new enterprise managed AV / AntiSpyware solution from Sunbelt Software:

http://www.vipreenterprise.com/

Press release available here:

http://www.sunbeltsoftware.com/Press/Releases/?id=238

CounterSpy Agent 2.x Enterprise: ThreatDB download "stuck"

aberges — Tue, 29 Jul 2008 19:15:09 GMT

Today I ran into an issue with a client that seemed unable to download the latest CounterSpy Enterprise ThreatDB.

Normally invoking a quick or full scan forces a download of the local ThreatDB -- either from the local server or from the Internet as a fallback if the client is so configured.

In this particular case, the client was not updating the DB, which was causing problems with network connectivity due to certain safeguards we have in place.

I've found that the best solution in these types of cases is to stop the CounterSpyAgent service and delete SBTS.dat and SBTEDef.idx. These are the ThreatDB files themselves and when the CounterSpyAgent service is then restarted, it will re-download a full DB from the server/Internet as the case may be.

McAfee Agent 4.0 - Comments and Complaints

aberges — Mon, 28 Jul 2008 19:19:12 GMT

Recently I deployed McAfee Agent 4.0 to one of our company's ePO 4 Server and Windows workstation clients after a bit of testing with relative success.

For those interested, the master list of support articles for the 4.0 Agent is located here:

https://knowledge.mcafee.com/SupportSite/dynamickc.do?externalId=615002&sliceId=SAL_Public&command=show&forward=nonthreadedKC&kcId=615002

Release notes are available here:

https://knowledge.mcafee.com/SupportSite/dynamickc.do?sliceId=SAL_Public&command=show&forward=nonthreadedKC&externalId=615005

Major changes to the Windows agent include the ability to detect laptops and x64 OS's and query/tag based on those properties (which also means you can now leverage things like only deploying PreScan to Win32 clients, or only applying HIPS to laptops without using a 3rd party deployment tool), changes to the sitelist.xml format that allow for DNS and NetBIOS-based entries instead of solely IP-based, as well as changes to the installer format.

Since the new McAfee Agent 4.0 enters itself in Add/Remove Programs, I created a WQL query to create a collection that would identify those that did not have the McAfee Agent listed in ARP. In the future, I'll need to change this to query on version but currently this is how I'm identifying clients that need the upgrade:

select SMS_R_System.ResourceID,SMS_R_System.ResourceType,SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier,SMS_R_System.ResourceDomainORWorkgroup,SMS_R_System.Client from SMS_R_System where Name not in (select SMS_R_System.Name from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "McAfee Agent")

This WQL statement will definitely need to be revised in the near future to account for version variations. When I make the adjustments, I'll post them here.

Incidentally, McAfee Windows Agent 4.0 Hotfix 1 has been released. (FYI The build version for this particular hotfix is 4.0.0.1318 vs. 4.0.0.1180 for the shipping version)

You'll need to open a case with PrimeSupport in order to receive it however as it is not yet available via the PrimeSupport portal. More details here:

https://knowledge.mcafee.com/article/200/616270_f.SAL_Public.html

Resolved issues:

Issue: The McAfee Agent's ability to perform updates is blocked when the name of the installation or data folders includes an extended ASCII character. (Reference: 404111)
Resolution:The McAfee Agent's ability to update is no longer blocked if the installation or data folder names include an extended ASCII character.
Issue: The McAfee Agent process "RunPullTask" would run, but it wouldn't copy SiteStat.xml to the specified mirror location. (Reference: 409637)
Resolution:The McAfee Agent process "RunPullTask" now creates a SiteStat.xml file in the appropriate mirror location.
Issue:When a managed product's plug-in required a reboot, the user was prompted, but the computer rebooted even when the user selected No. (Reference: 410573)
Resolution:The McAfee Agent now responds correctly based on the user's selection.

Impressions of McAfee Agent 4.0:

Although I can't say installation went off flawlessly (more on that in a moment), the installation was completely transparent to the end user and the new x64 and IsLaptop properties seem to be detected correctly on clients, as I have tags automatically applied based on these criteria and they began functioning immediately. I cannot speak for the changes to the sitelist.xml as we're not basing our repositories on DNS or NetBIOS, I can only say that the clients are still updating properly post-installation.

Gripes about installation:

Just like many McAfee updates before, despite the fact that I alter my deployment and update tasks accordingly, often days and/or weeks before checking an update package into the server, I still find that the update will be applied to numerous machines where the task explicitly states not to update that particular component. In this case, checking in Agent 4 resulted in it being deployed to numerous machines where the deployment task should have prevented its installation. One of the advantages of ePolicy Orchestrator 4 is the ability to view task inheritance and review that no task inheritance is broken (or at least only those you want broken), and I verified this days before checking in the package. In an environment such as ours where due to compliance issues we tightly regulate the deployment of *ANY* software update, this is unacceptable.

It isn't as if I haven't observed this many times in the past in multiple environments, but it is disappointing to see that it is still an issue. I don't know if this is a remnant of the glitches I've observed in 3.6, but I'm hopeful that the 4.0 agent may address this glaring flaw moving forward. I guess I'll find out when I begin applying McAfee VirusScan 8.5 Patch 6.1...

Light posting lately...

aberges — Mon, 28 Jul 2008 18:32:15 GMT

I've been working on a few things in and out of the office which I will blog about soon, but mainly, things have been pretty much busy yet uneventful and I haven't had much to say here. All that will change soon, as I have a few new projects about to begin...

But before that, expect there will be very few updates in the next week, as I will be basking in the Bermuda sun starting Wednesday afternoon :)

McAfee VirusScan Enterprise 8.5 Patch 6.1 Released

aberges — Mon, 28 Jul 2008 14:24:46 GMT

Details here:

https://knowledge.mcafee.com/SupportSite/dynamickc.do?externalId=616311&sliceId=SAL_Public&command=show&forward=nonthreadedKC&kcId=616311

Improvements:

1. The on-demand scanner has been updated to better use the System Utilization setting throughout the entire scanning process.

Refer to McAfee Support Knowledgebase article 9197288 for further information.

2. This Patch contains a new Buffer Overflow and Access Protection DAT (version 378) which adds an Access Protection category for Virtual Machine Protection. These rules provide access protection functionality for virtual machines.

NOTE:
In order to manage the new Virtual Machine Protection category with ePolicy Orchestrator 3.x or Protection Pilot, you will need to use the latest NAP file, included in this Patch package, or VirusScan 8.5i Repost Patch 5.

For ePolicy Orchestrator 4.x users, the Extension update also contains the updated rule file. The updated Extension package is available on the web product download area under the Patches category.

PATCH 6.1 RESOLVED ISSUES

1. ISSUE:
An issue can occur when the 5300 engine is installed prior to installing VirusScan 8.5i Patch 6. The scanner engine files are partially overwritten with the previous 5200 version that is stored in the MSI cache. This mismatch causes the scanner engine to fail to initialize.

RESOLUTION:
The Patch installation package has been updated to correct this issue, and does not overwrite the engine files.

PATCH 6 RESOLVED ISSUES

1. ISSUE:
The VirusScan Enterprise management plug-in writes all settings to the registry on every policy enforcement. McShield service monitors the registry and reloads whenever the settings are written, generating frequent pause events in the Windows System log.

RESOLUTION:
The VirusScan Enterprise management plug-in has been updated to only write to the registry if it sees that it is different from the current policy. This will prevent McShield from generating events on policy enforcement, unless that policy has changed.

This is an addendum to the original solution in Patch 5, where the fix did not work when the preferred language was set to something other then automatic.

2. ISSUE:
A compatibility issue has been seen with VirusScan�??s port blocking feature, and Veritas backup applications. This was causing the backup software services to stop running.

RESOLUTION:
The VirusScan Anti-Virus Mini-Firewall Driver has been updated to correct the compatibility issue.

3. ISSUE:
A race condition in the On-Access Scanner service can cause high CPU utilization with high performance systems.

RESOLUTION:
The On-Access Scanner service has been updated to remedy multi-threading synchronization issues and remove occurrences of runaway threads.

4. ISSUE:
The On-Access Scanner service sometimes crashes during a system shutdown or during installation of a Patch/HotFix.

RESOLUTION:
The On-Access Scanner service has been repaired to correct a race condition in which a critical-section synchronization object is deleted before another thread has entered.

5. ISSUE:
A deadlock could occur on high end servers caused by a race condition in VirusScan�??s link driver.

RESOLUTION:
The link driver has been changed to properly handle the release of system objects, while holding a lock on resources.

6. ISSUE:
Port blocking fails on Microsoft Windows Vista Service Pack 1.

RESOLUTION:
The McAfee Driver Installer has been update to handle the changes in network stack load order.

7. ISSUE:
The On-Demand Scanner system utilization changes that were put in patch 5 changed the memory scanning function. This caused the process
scanning to only scan the first process ID.

RESOLUTION:
The change has been reversed so that all processes are scanning irrespective of process ID.

8. ISSUE:
When applied to a client installation that was customized by McAfee Installation Designer (MID), the patch installer deletes the MidFileTime registry value. This caused MID .CAB files to be re-applied to the system.

RESOLUTION:
The patch installer has been updated to no longer delete the MidFileTime registry value.

9. ISSUE:
A newly created user defined Unwanted Program Policy, does not take affect immediately if the file has been scanned by the On-Access Scanner before the change occurred.

RESOLUTION:
The On-Access Scanner service has been updated to properly recognize changes to the user defined detections and clear the cache of files that have already been scanned so that the new settings take effect immediately.

10. ISSUE:
A trust relationship exists in McAfee drivers that can be leveraged by McAfee processes to avoid triggering access protection rules and other compatibility symptoms. When the link driver was updated to newer releases this trust relationship was lost until a reboot occurred.

RESOLUTION:
The link driver has been modified to better handle the process of future upgrades to itself without the need for a reboot.

WQL - Identifying Clients requiring Adobe Acrobat and Reader 8.1.2 Security Update 1

aberges — Fri, 11 Jul 2008 15:24:40 GMT

After reading this post on the SANS ISC weblog, I thought I would provide the WQL I'm currently using in SMS to deploy the Adobe Acrobat and Reader 8.1.2 security update.

The following WQL will query Add/Remove Programs on clients and identify those who have Acrobat or Reader 8.1.2 but not the Security Update 1. Hope someone finds this useful:

select SMS_R_System.ResourceID,SMS_R_System.ResourceType,SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier,SMS_R_System.ResourceDomainORWorkgroup,SMS_R_System.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_R_System.Name not in (select SMS_R_System.Name from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)" ) and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName in ( "Adobe Acrobat 8.1.2 Professional", "Adobe Acrobat 8.1.2 Standard", "Adobe Reader 8.1.2" )

Rogue System Detection 2.0 Update

aberges — Fri, 11 Jul 2008 14:51:01 GMT

Despite my HIPS exclusion to completely ignore port scans, I still was bombarded with alerts for a TCP port scan.

More interesting still, the System event viewer on many Windows clients was showing the following error once a day:

Event Type:    Error
Event Source:    TermDD
Event Category:    None
Event ID:    50
Description:
The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

So, yesterday I disabled "Device details detection" in the policy for RSD sensors. Today, no more alerts and no more errors. Too bad I have to turn this off, but it seems to be more trouble than it's worth.

Java Runtime Environment 6.0 Update 7 Released

aberges — Wed, 09 Jul 2008 20:04:34 GMT

Download the update here:

http://tinyurl.com/6zdjph

Release notes here:

http://java.sun.com/javase/6/webnotes/ReleaseNotes.html

McAfee Rogue System Detection 2.0 - HIPS 7.0 Port Scan Alerts

aberges — Wed, 09 Jul 2008 19:55:02 GMT

I installed Rogue System Detection 2.0 for ePolicy Orchestrator 4.0 yesterday. Setup completed without a hitch, and I didn't even need to install it separately as an extension like most of their products.

It's not much different than the 1.0 version. The sensor deployment seems a bit more reliable, and the new web frontend is definitely slick. I spent the better part of the day methodically identifying and excluding networking devices and the like, and I'm pleased to say that there are a negligible number of malfunctioning McAfee agents in our environment. Deploying an agent package cleared most of the issues up and I'm addressing the few remain individually.

The one thing I've noticed is that HIPS is flagging a Port Scan threat from the RSD sensor as it interrogates the client. I've tried writing an exception for HIPS to disregard alerts for Port Scans against the IP's in question, but it doesn't seem to work. Even excluding the signature altogether doesn't seem to do it. Actually, it doesn't appear that the exclusions work all that well in HIPS 7 period... 6.x worked far more reliably and would say it was definitely easier to manage.

I am curious whether disabling "Device details detection" in the Rogue System Detection policy would resolve this, or whether it just does an aggressive nmap style scan on detected systems altogether... in which case changing this would likely accomplish nothing. Either way, I don't think it's the preferred method to take, as I'll have a lot less data available for identifying IP's that don't report hostnames etc.

I suppose I'll wait another day to see if client policy catches up and the HIPS clients stop sending me these darn alerts. More to follow.

ePolicy Orchestrator 4.0 Patch 2 / SQL 2005 / VMware - FAILURE: In LaunchAppAndWait

aberges — Wed, 09 Jul 2008 15:09:44 GMT

Monday I attempted to update our ePolicy Orchestrator server from 4.0 Patch 1 to 4.0 Patch 2.

Our ePO 4.0 Server resides as a guest on a VMware server with a remote SQL backend. This is dissimilar from our old ePO 3.6.1 Server, which had its own instance of SQL 2000 locally. Also, this time we are (well, were) using Windows authentication instead of SQL authentication, which we had in the past.

Patching the ePO Server has generally been a painless process, but this particular patch was over 150MB, so I had a sinking feeling that this wouldn't be one of those times...

Turns out, I was right. I got partway through the install - everything's looking good... then BAM... out of the blue:

Setup has encountered the error:
FAILURE: In LaunchAppAndWait while trying to run the following program:
""

And, yes, those are empty quotes. Weird, I know.

A little digging in C:\Docume~1\username\Local Settings\Temp\NAILogs\EPO400-Patch-MSI.LOG shows a bit more to the error:

FAILURE: In LaunchAppAndWait while trying to run the following program:
"C:\PROGRA~1\McAfee\EPOLIC~1\jre\bin\java.exe" ... blah ...

Some Googling gave a bit more information in the form of a McAfee technote, appropriately titled "ePO 4.0 Patch 2 fails to install on a VMWare image containing ePO 4.0 and SQL Server 2005 / SQL 2005 Express" and located here:

https://knowledge.mcafee.com/article/60/615839_f.SAL_Public.html

The issue apparently results from the use of Windows authentication for SQL 2005, specifically when used on a VMware server. In order to complete the patch, ePO must be configured to use an account with dbowner rights (note that it is *not* required to use sa despite the KB using that as an example).

The following steps will resolve the issue:

Log in to your ePO Server at http://servername:port/core/config
Change the user name to an appropriate SQL ID
Set the password accordingly
Remove the domain listed next to User domain
Click Test Connection
If the test completes successfully, click Apply
Restart the "McAfee ePolicy Orchestrator 4.0.0 Application Server" service
Reapply the patch
Verify that the patch applied and all extensions were checked in successfully via the logfiles as per the patch 2 readme file
Verify that dashboards, etc function as intended.

At this point you should be able to reverse the steps above to return ePO Server to use Windows authentication if you so desire.

Dusting off the blog...

aberges — Wed, 02 Jul 2008 18:12:55 GMT

It's been over a year since I posted here. I've been keeping myself busy at work with various projects... and many family obligations and other circumstances dictated that my blogging needed to take a backseat for the time being.

So what have I been up to tech-wise? To name a few of the larger endeavors:

I've upgraded our SMS heirarchy to SP3 and integrated the Asset Intelligence feature as well as the catalog update.
Installed Ron's Web Remote Tools with Sherry's tweaks, much to the happiness of both our technicians and my management. If either of you read this, kudos to you both for providing these to the community. It's certainly made my life easier :)
I've replaced our production ePolicy Orchestrator 3.6.x environment with a VMware host running ePolicy Orchestrator 4.0 with Patch 1. All VirusScan clients were upgraded to 8.5i with the 5200 engine. All McAfee HIPS clients were upgraded to 7.0 with Patch 1. More gripes about McAfee to follow in coming weeks, I'm sure. There's just not enough room here to post them all :)
I've deployed a series of CounterSpy Enterprise 2.0 "servers" (I use this term loosely) in our home office and branch offices throughout the globe and deployed a series of CounterSpy Enterprise agent versions to all clients in those offices. CounterSpy was later upgraded to 3.0 for the servers.

As well as many other, far-less interesting things like application deployments, which I won't get in to here.

Lately I've been working in a few "new-to-me" areas: the Microsoft Deployment Toolkit (and WDS), SCCM 2007, x64 Operating Systems, and of course Vista - all of which will be deployed as the standard within my organization in coming months.

I've recently been approved to begin a side-by-side deployment of SCCM SP1 and migrate all our existing SMS clients to the new infrastructure. Following that, I anticipate going to SCCM Native Mode, and leveraging the OSD aspects of MDT and SCCM to standardize on a single image, phasing out the multiple Ghost image approach that is currently used by our technicians. I hope to utilize this blog in part to document my process and any "lessons learned" along the way.

With that said, I'll close this entry. Stay tuned, more to follow!

Anti-Malware Blog: SAP Internet Graphics Service (IGS) Remote Buffer Overflow

aberges — Thu, 25 Jan 2007 14:58:13 GMT

SAP is the largest business application and Enterprise Resource Planning (ERP) solution software provider in terms of revenue.

CYBSEC Security Systems has discovered a vulnerability in SAP IGS which when exploited can result in remote code execution with the privileges of the LocalSystem on Windows and SAP System Administrator Account on UNIX systems.

For more information about the vulnerability, read here.

SAP has already released a solution for this and customers that are affected should apply the patch as soon as possible. For more information about the patch read SAP Note 968423.

Link to SAP Internet Graphics Service (IGS) Remote Buffer Overflow