Trend Micro Worry Free Professional proxy software is not talking with my AD

I am not sure if this is a widely known problem yet. This was a fresh install of TMWF9 followed by the Professional AD sync tools.

I selected my own custom port (6443) for Trend to query my AD. (It uses an Apache service.)

It would not communicate. I ran up a fake IIS server on this port and it worked, so my firewall rules are OK.

I ran "netstat -an" and noted that the Trend service was listening on 0.0.0.0 port 6433. I need it on my server IP on port 6443.

I located and edited:
<drive letter>:\Program Files (x86)\Trend Micro\InterScan Web Security as a Service\AuthenticationAgent\Apache-20\conf

I changed the following:

Listen 6443

(which listens on that port on every IP address of the server)

to the following (where 10.0.0.2 is my server IP):

Listen 10.0.0.2:6443

All fixed.
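As an added example (mine, not part of the original post and not Trend Micro code), here is a small Python check that reads the Listen directives out of an httpd.conf and reports which of them bind every interface, the behaviour of the bare "Listen 6443" line above, versus a single address like "Listen 10.0.0.2:6443". The config fragment is constructed; the check also recognises 0.0.0.0, * and bracketed IPv6 spellings, which go beyond what the post shows.

```python
"""Audit Apache 'Listen' directives for all-interface binds.

Added example: not part of the original post and not Trend Micro code.
Reads httpd.conf text and reports which Listen lines bind every address
(the bare 'Listen 6443' form) versus one address ('Listen 10.0.0.2:6443').
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# "Listen [address:]port [protocol]"; trailing comments are stripped first
LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE)
WILDCARDS = {None, "0.0.0.0", "*", "::", "[::]"}


@dataclass
class Listener:
    address: Optional[str]   # None when no address was given
    port: int
    protocol: Optional[str]
    line_no: int

    @property
    def binds_all_interfaces(self) -> bool:
        return self.address in WILDCARDS


def parse_listen_directives(conf_text: str) -> List[Listener]:
    listeners: List[Listener] = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        m = LISTEN_RE.match(raw.split("#", 1)[0])
        if not m:
            continue
        spec, protocol = m.group(1), m.group(2)
        if spec.startswith("["):                  # IPv6 literal: [addr]:port
            end = spec.index("]")
            address, port = spec[:end + 1], spec[end + 2:]
        elif ":" in spec:                          # IPv4 literal or hostname: addr:port
            address, port = spec.rsplit(":", 1)
        else:                                      # bare port: every interface
            address, port = None, spec
        listeners.append(Listener(address, int(port), protocol, line_no))
    return listeners


def wildcard_listeners(conf_text: str) -> List[Listener]:
    """The directives that expose the port on every interface of the host."""
    return [l for l in parse_listen_directives(conf_text) if l.binds_all_interfaces]


# Constructed sample: the 'before' and 'after' lines from the post plus
# two other spellings of the same two choices.
SAMPLE_CONF = """\
# constructed httpd.conf fragment
Listen 6443
Listen 10.0.0.2:6443
Listen 0.0.0.0:8080
Listen [::1]:8443 https
"""

if __name__ == "__main__":
    for l in parse_listen_directives(SAMPLE_CONF):
        scope = "EVERY interface" if l.binds_all_interfaces else l.address
        print(f"line {l.line_no}: port {l.port} on {scope}")
```

Run against the real file, the lines it flags are the ones that show up as 0.0.0.0:port in netstat -an; pinning each to the intended address is the same fix the post applied.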


Unplugging my iPhone from my Laptop causes a BSOD (Stop Error)

Over the last 3 days, when I unplug my iPhone, my laptop has a Blue screen of death (BugCheck 1000007E).

This is accompanied by what can only be described as the most disturbing crackle from the laptop speakers on reboot. My imagination originally made me think the bearings in my hard disk were being ground down and I was happy to discover it was just a noise from the speakers.

My Laptop is running Windows 7 and I am not aware of any changes leading up to this. USB drives (including powered external drives), my keyboard and other USB devices do not cause this issue. Uninstalling iTunes made no difference. I found that the problem could be resolved by taking the file C:\windows\system32\drivers\mpfilt.sys out of action.

This file has no author information stored in it, and nobody online seems to know what it is. My system is now working fine. So far no services or devices have played up and I have had no more blue screens.

Using Microsoft's debug tool "WinDbg" I located and analysed the memory dumps in C:\Windows\Minidump:

Unable to load image \??\C:\windows\system32\drivers\mpfilt.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for mpfilt.sys
*** ERROR: Module load completed but symbols could not be loaded for mpfilt.sys
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BugCheck 1000007E, {c0000005, 83a8c778, 8f38bb78, 8f38b750}
*** WARNING: Unable to verify timestamp for usbaapl.sys
*** ERROR: Module load completed but symbols could not be loaded for usbaapl.sys
Probably caused by : mpfilt.sys ( mpfilt+9fb )

Followup: MachineOwner
---------

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 83a8c778, The address that the exception occurred at
Arg3: 8f38bb78, Exception Record Address
Arg4: 8f38b750, Context Record Address

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
nt!IofCallDriver+5f
83a8c778 ff548838        call    dword ptr [eax+ecx*4+38h]

EXCEPTION_RECORD:  8f38bb78 -- (.exr 0xffffffff8f38bb78)
ExceptionAddress: 83a8c778 (nt!IofCallDriver+0x0000005f)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000074
Attempt to read from address 00000074

CONTEXT:  8f38b750 -- (.cxr 0xffffffff8f38b750)
eax=00000000 ebx=86f52600 ecx=0000000f edx=86f52600 esi=8915b3d8 edi=86f527f4
eip=83a8c778 esp=8f38bc40 ebp=8f38bc50 iopl=0         nv up ei ng nz na pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010287
nt!IofCallDriver+0x5f:
83a8c778 ff548838        call    dword ptr [eax+ecx*4+38h] ds:0023:00000074=????????
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

PROCESS_NAME:  System

CURRENT_IRQL:  0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  00000074

READ_ADDRESS: GetPointerFromAddress: unable to read from 83bb971c
Unable to read MiSystemVaType memory at 83b99160
 00000074

FOLLOWUP_IP:
mpfilt+9fb
94b829fb ??              ???

BUGCHECK_STR:  0x7E

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER:  from 94b829fb to 83a8c778

STACK_TEXT:
8f38bc50 94b829fb 888890e0 8904d430 86df54f8 nt!IofCallDriver+0x5f
WARNING: Stack unwind information not available. Following frames may be wrong.
8f38bc68 83a8c77c 00001081 86f52600 00000000 mpfilt+0x9fb
8f38bc80 b730194b 88889028 88889028 888890e0 nt!IofCallDriver+0x63
8f38bcac b7307dc9 86df54f8 8f38bccc 88889765 usbaapl+0x194b
8f38bcd8 b7304228 88889028 885c5670 88889028 usbaapl+0x7dc9
8f38bcec 83c71cb5 8a5651b0 8a5651b0 86b638e0 usbaapl+0x4228
8f38bd00 83abe10b 885c5670 00000000 86b638e0 nt!IopProcessWorkItem+0x23
8f38bd50 83c5fb6f 00000001 ab4bfbea 00000000 nt!ExpWorkerThread+0x10d
8f38bd90 83b11299 83abdffe 00000001 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  mpfilt+9fb

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: mpfilt

IMAGE_NAME:  mpfilt.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  43670416

STACK_COMMAND:  .cxr 0xffffffff8f38b750 ; kb

FAILURE_BUCKET_ID:  0x7E_mpfilt+9fb

BUCKET_ID:  0x7E_mpfilt+9fb

Followup: MachineOwner
---------
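When there is more than one minidump to look at, it helps to pull the headline fields out of each !analyze -v run mechanically. The Python below is an added example (mine, not from the post and not a Microsoft tool): it extracts the bugcheck code and arguments, the "Probably caused by" module, the image name, the failure bucket and the modules on the stack in call order, then lists the non-kernel modules as the ones to check first. The sample text is a shortened copy of the analysis above; the set of Windows kernel module names it ignores is my assumption.

```python
"""Triage helper for WinDbg '!analyze -v' text.

Added example: not part of the post and not a Microsoft tool. It pulls
out the fields a responder reads first and lists the non-kernel modules
on the stack as the ones to check before touching drivers or the registry.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

BUGCHECK_RE = re.compile(r"^BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}")
BLAME_RE = re.compile(r"^Probably caused by\s*:\s*(\S+)")
IMAGE_RE = re.compile(r"^IMAGE_NAME:\s*(\S+)")
BUCKET_RE = re.compile(r"^FAILURE_BUCKET_ID:\s*(\S+)")
# a stack frame: five 8-digit hex columns (x86 'kb' output) then the symbol
FRAME_RE = re.compile(r"^(?:[0-9a-f]{8}\s+){5}(\S+)")

# Assumption: modules shipped with Windows itself that we do not flag.
KERNEL_MODULES = {"nt", "hal"}


@dataclass
class CrashTriage:
    bugcheck: Optional[str] = None
    args: List[str] = field(default_factory=list)
    blamed_module: Optional[str] = None
    image_name: Optional[str] = None
    bucket: Optional[str] = None
    stack_modules: List[str] = field(default_factory=list)  # call order, deduplicated


def triage(analysis_text: str) -> CrashTriage:
    result = CrashTriage()
    in_stack = False
    for raw in analysis_text.splitlines():
        line = raw.strip()
        if m := BUGCHECK_RE.match(line):
            result.bugcheck = m.group(1).upper()
            result.args = [a.strip() for a in m.group(2).split(",")]
        elif m := BLAME_RE.match(line):
            result.blamed_module = m.group(1)
        elif m := IMAGE_RE.match(line):
            result.image_name = m.group(1)
        elif m := BUCKET_RE.match(line):
            result.bucket = m.group(1)
        elif line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack:
            if not line:                      # blank line ends the listing
                in_stack = False
            elif m := FRAME_RE.match(line):   # "nt!IofCallDriver+0x5f" -> "nt"
                module = m.group(1).split("!")[0].split("+")[0]
                if module not in result.stack_modules:
                    result.stack_modules.append(module)
    return result


def third_party_suspects(result: CrashTriage) -> List[str]:
    """Modules on the stack that are not part of the kernel itself."""
    return [m for m in result.stack_modules if m not in KERNEL_MODULES]


# Shortened copy of the post's own analysis output (used as sample input).
SAMPLE_ANALYSIS = r"""
BugCheck 1000007E, {c0000005, 83a8c778, 8f38bb78, 8f38b750}
*** WARNING: Unable to verify timestamp for usbaapl.sys
Probably caused by : mpfilt.sys ( mpfilt+9fb )

Followup: MachineOwner
---------

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

STACK_TEXT:
8f38bc50 94b829fb 888890e0 8904d430 86df54f8 nt!IofCallDriver+0x5f
WARNING: Stack unwind information not available. Following frames may be wrong.
8f38bc68 83a8c77c 00001081 86f52600 00000000 mpfilt+0x9fb
8f38bc80 b730194b 88889028 88889028 888890e0 nt!IofCallDriver+0x63
8f38bcac b7307dc9 86df54f8 8f38bccc 88889765 usbaapl+0x194b
8f38bcd8 b7304228 88889028 885c5670 88889028 usbaapl+0x7dc9
8f38bcec 83c71cb5 8a5651b0 8a5651b0 86b638e0 usbaapl+0x4228
8f38bd00 83abe10b 885c5670 00000000 86b638e0 nt!IopProcessWorkItem+0x23
8f38bd50 83c5fb6f 00000001 ab4bfbea 00000000 nt!ExpWorkerThread+0x10d
8f38bd90 83b11299 83abdffe 00000001 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19

SYMBOL_NAME:  mpfilt+9fb
IMAGE_NAME:  mpfilt.sys
FAILURE_BUCKET_ID:  0x7E_mpfilt+9fb
"""

if __name__ == "__main__":
    t = triage(SAMPLE_ANALYSIS)
    print(f"bugcheck {t.bugcheck} args={t.args}")
    print(f"blamed: {t.blamed_module}  bucket: {t.bucket}")
    print("check first:", third_party_suspects(t))
```

Here the output matches what the post concluded by hand: the blamed module and the first non-kernel frame are both mpfilt, with the Apple USB driver (usbaapl) further down the stack as the caller.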

With UAC turned off I went into the folder C:\windows\system32\drivers\ and renamed the file mpfilt.sys to mpfilt.sys.old, then restarted the computer. After the reboot I started Regedit.

**** WARNING: when editing the registry be very careful. I always make backups (Export). There is no undo when editing the registry and many settings apply immediately. ****

 

I went to HKLM\SYSTEM\CurrentControlSet\Services\mpfilt, exported the "mpfilt" key as a backup and then deleted it.
I also exported and deleted HKLM\SYSTEM\ControlSet001\Services\mpfilt and HKLM\SYSTEM\ControlSet002\Services\mpfilt.

Finally I exported and then deleted the value called "LowerFilters" under each of the following keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}

Now my system is stable once again.

Does anyone know what this mpfilt.sys does and who produces it?
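The LowerFilters value is a REG_MULTI_SZ list of filter drivers that Windows loads beneath every device of that class ({36FC9E60-C465-11CF-8056-444553540000} is the USB controller class), which is why a single unknown entry can take down something as unrelated as unplugging an iPhone. As an added example (mine, not part of the original post and not a Microsoft tool), the Python below parses a Regedit export (.reg), decodes the hex(7) UpperFilters/LowerFilters values and cross-references each driver name with the Services keys in the same export, so a filter you do not recognise, or one with no service behind it, stands out before anything gets deleted. The .reg text is a constructed sample; "examplefilt" is a made-up driver name included to show an orphan.

```python
"""Inventory class filter drivers from a Regedit export (.reg).

Added example: not part of the original post and not a Microsoft tool.
It decodes the hex(7) (REG_MULTI_SZ) UpperFilters/LowerFilters values
under ...\Control\Class\{GUID} and checks whether each listed driver has
a matching key under ...\Services in the same export.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


@dataclass
class FilterEntry:
    class_key: str
    position: str                 # "UpperFilters" or "LowerFilters"
    driver: str
    service_key: Optional[str]    # matching Services\<driver> key, or None


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: raw value text}}.

    Lines ending in a backslash are hex data continued on the next line."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def decode_multi_sz(raw: str) -> List[str]:
    """Decode a hex(7): value: UTF-16LE strings, each NUL-terminated."""
    if not raw.startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ export: " + raw[:24])
    data = bytes(int(b, 16) for b in raw[len("hex(7):"):].split(",") if b)
    return [s for s in data.decode("utf-16-le").split("\0") if s]


def filter_driver_report(reg_text: str) -> List[FilterEntry]:
    keys = parse_reg_export(reg_text)
    services: Dict[str, str] = {}
    for path in keys:
        parts = path.split("\\")
        if len(parts) >= 2 and parts[-2].lower() == "services":
            services[parts[-1].lower()] = path
    report: List[FilterEntry] = []
    for path, values in keys.items():
        if "\\control\\class\\{" not in path.lower():
            continue
        for position in ("UpperFilters", "LowerFilters"):
            if position in values:
                for driver in decode_multi_sz(values[position]):
                    report.append(FilterEntry(path, position, driver,
                                              services.get(driver.lower())))
    return report


def orphaned_filters(reg_text: str) -> List[str]:
    """Filter drivers registered on a class but with no Services key."""
    return [e.driver for e in filter_driver_report(reg_text) if e.service_key is None]


# Constructed sample export: the USB class key from the post with a
# LowerFilters list of two drivers; "examplefilt" is made up and
# deliberately has no Services key, to show an orphan.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}]
"Class"="USB"
"LowerFilters"=hex(7):6d,00,70,00,66,00,69,00,6c,00,74,00,00,00,65,00,78,00,\
  61,00,6d,00,70,00,6c,00,65,00,66,00,69,00,6c,00,74,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpfilt]
"Type"=dword:00000001
"ImagePath"="system32\\drivers\\mpfilt.sys"
"""

if __name__ == "__main__":
    for e in filter_driver_report(SAMPLE_REG):
        status = "service: " + e.service_key if e.service_key else "NO SERVICE KEY"
        print(f"{e.position} {e.driver:<14} {status}")
```

Export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class and \Services into one .reg file and feed it in; every driver the report lists is one that loads into the I/O path of that device class, so anything you cannot attribute to a vendor (the position the post was in with mpfilt) deserves a look at its ImagePath and signature before you decide whether to keep it.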


Trend Micro Worry Free 9 (TMWF9)

When upgrading from TMWF8 to TMWF9, the upgrade crashed with this error:

Messaging Security Agent installation failed. Fail to Setup SQL Server 2008 R2 Express Service Pack 2 instance SCANMAIL. Refer to the setup log (%ProgramFiles%\Microsoft SQL Server@\setup Bootstrap\Log) for details.

Setup.exe has stopped working.

We found that to continue the install we needed to uninstall the old SQL instance left behind by TMWF8; after that it installed fine.


Windows 7 in an unknown network Zone

I have a machine (Windows 7) on a domain, but it tells me it is in an Unknown / Unidentified network and has therefore applied the Public firewall profile.
You can't ping it, remote desktop to it or use any other form of remote management.

I looked about on the internet for a solution and found many that made it look so easy to fix, but none of them worked.

(Example http://www.sevenforums.com/tutorials/43629-network-location-set-home-work-public-network.html)

I believed there was nothing to lose, so I opened the registry editor on the machine (the normal warnings about caution apply when editing the registry).

I navigated to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

I exported the profiles key as a backup.

I then deleted all profiles under this key.

I rebooted the machine and it was fixed. It found the domain, hooked into the domain zone and applied the domain profile. All is working again.

Watch out Australian Businesses!

My business is happy to sponsor well-meaning community efforts. We were legitimately listed in the AiPol (Australasian Policing) magazine last year.
We can’t throw money away and only advertise when we can.

Imagine our surprise when we had an ad in the "Crime Alert" publication, but never placed it.

The ad is a form of sponsorship and we never signed up for it. We never had a hand in designing the ad and never got to see it before it was "published".
We had our credit card debited and have since successfully had the money refunded.

We knew we had been scammed somehow and moved on.

Then we started getting more phone calls about more magazines we apparently sponsored and now owed the money for.

The list so far includes:
  • Crime Alert
  • Volunteer Rescue Forum
  • Sun smart Kids
  • Neighbourhood Support Guide
  • Street Watch

All of these are around the $440 ex GST price (AUD) and all the ads appear to be lifted from company websites.
The content of the publications also appears to be lifted from websites.
The email contact addresses are @Hotmail.com or @Bigpond.com.au and bounce back.
They all have answering services on 1800 or 1300 numbers. Their addresses all seem to be in QLD.
When you have them on the phone, all deny knowing about the other publications.

All have the same "Proof of Publication" stamp in the rear of the publication.
All have laser-printed ads in them that feel different to the touch from the rest of the magazine.

None of them have a presence online and the phone numbers do not appear to be in Google.

This scam is known as a charitable publication scam or a directories and advertising (false billing) scam.
Charitable publication scams happen when a telesales agent calls a business selling advertising space in a bogus publication for a seemingly good cause. The caller will give the impression that the publisher is partnered with local charities, emergency services, crime prevention or community health initiatives. Sometimes the caller will say that a business has placed an order previously, or even that someone else in the business has agreed to take out the advertising space. They will either ask for payment details upfront for a 10% discount or already have your credit card details. All offer to send out a proof of publication with the Invoice. This does arrive but looks suspect. In general the fraudsters may also send the business invoices whether or not the victim has agreed to take out the advertising space. They may follow up the invoices with threats of legal action.

So if you get a call like this from a publication you have no connection with, write down their number, name and the publication name and contact the ACCC and Scamwatch.

Programmatically alter “Automatically Detect settings” in IE through VBS

I am trying to turn off "Automatically Detect settings" in the proxy settings of Internet Explorer (IE) using VBScript (VBS).

It is not as easy as you would think. There are loads of forums out there where people are trying to find the answer. I now have working code for my version of IE in my environment, and whilst you need to do your own testing (not on production machines), I want to let the world know how I did it.

The problem is that this tick box is set by the following registry values:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

The value is binary, and whilst reading it with VBS is easy, changing the huge hex value into something you can save back is almost impossible: the REG_BINARY type in the RegWrite method wants an integer.

The value looks something like this (this has been edited to keep details private):

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings"=hex:46,00,00,00,67,38,00,00,03,00,00,00,10,00,00,\
  73,74,72,61,2e,63,6f,6d,3b,2a,2e,6a,68,67,2e,6c,6f,63,61,6c,3b,31,39,32,2e,\
  02,00,00,00,c0,a8,02,45,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  73,74,72,61,2e,63,6f,6d,3b,2a,2e,6a,68,67,2e,6c,6f,63,61,6c,3b,31,39,32,2e,\
  02,00,00,00,c0,a8,02,45,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  02,00,00,00,c0,a8,02,45,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  64,61,74,a2,2c,55,62,09,d5,ce,01,00,00,00,00,00,00,00,00,00,00,00,00,01,00,\
  00,00,02,00,00,00,c0,a8,02,45,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00
"SavedLegacySettings"=hex:46,00,00,00,d1,4f,00,00,03,00,00,00,10,00,00,00,31,\
  02,00,00,00,c0,a8,02,45,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  2e,74,65,6c,73,74,72,61,2e,63,6f,6d,3b,2a,2e,74,69,70,74,2e,74,65,6c,73,74,\
  02,00,00,00,c0,a8,02,45,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  38,2e,32,2e,2a,3b,3c,6c,6f,63,61,6c,3e,00,00,00,00,01,00,00,00,1a,00,00,00,\
  02,00,00,00,c0,a8,02,45,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  74,a2,2c,55,62,09,d5,ce,01,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,\
  02,00,00,00,c0,a8,02,45,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00

I spent ages reading how the individual offsets change certain details. I tried to work out how to change certain parts of these values. I also tried to work out how to reset these values back to their defaults.

Lots of people are arguing online about what each value does. I got to the point where that was all meaningless to me.

I looked at importing a .reg file to solve my problem. Then I had a change of thought. What if I could somehow force something into this value that blanks all settings but the one I want, and then, through code, add back the other values I needed?
If I could find the code I needed, and if IE rebuilt the rest of the value, this might be possible. I deleted the whole value, went into IE and unticked just the "Automatically Detect settings" setting.

I then reviewed the registry and noted that the value was now very simple. It was basically "0F" and the rest of the data was made up of "00". So I wrote my VBS code to delete the value, put back "0F" and then write the remainder of what I needed into the settings, and ... it works!
Set WSHShell = CreateObject("WScript.Shell")

' Delete both binary values so IE rebuilds them from scratch
WSHShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings"
WSHShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings"

' Put back the leading byte as a REG_BINARY value
WSHShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings", &H46, "REG_BINARY"
WSHShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings", &H46, "REG_BINARY"

The rest of the code was:

' Fixed proxy, bypass list and password caching (placeholders in angle brackets are yours to fill in)
WSHShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable", 1, "REG_DWORD"
WSHShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer", "<proxy IP:port>"
WSHShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride", "<IP addresses or server names here>;<local>"
WSHShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisablePasswordCaching", 1, "REG_DWORD"
'WSHShell.RegWrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Autoconfig", 0, "REG_DWORD"
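As an added example (mine, not the post's VBScript and not a Microsoft API), the Python below decodes and re-encodes the DefaultConnectionSettings blob so that the "Automatically Detect settings" flag can be cleared while the proxy address and bypass list are kept, which is the edit the post found impractical in VBS. The layout it assumes (a version dword, a change counter, a flags dword, three length-prefixed ASCII strings for proxy server, bypass list and auto-config URL, then 32 zero bytes) is the commonly documented one and is stated here as an assumption, since the post does not describe it. Read that way, the post's own value starts 46 (version), 67 38 (counter) and 03 (flags: direct + proxy, so auto-detect is off), which matches the end state the post describes. The proxy and bypass strings in the sample are constructed.

```python
"""Decode / re-encode IE's DefaultConnectionSettings REG_BINARY value.

Added example, not the post's VBScript and not a Microsoft API. The layout
is the commonly documented one and is an assumption here (the post does not
describe it):
  dword version (0x46 on the post's machine), dword change counter,
  dword flags, then three length-prefixed ASCII strings (proxy server,
  bypass list, auto-config URL) and 32 bytes of zero padding.
"""
import struct
from dataclasses import dataclass

FLAG_DIRECT = 0x01      # always set
FLAG_PROXY = 0x02       # "Use a proxy server for your LAN"
FLAG_AUTOCONFIG = 0x04  # "Use automatic configuration script"
FLAG_AUTODETECT = 0x08  # "Automatically detect settings" (drives WPAD lookups)

VERSION = 0x46  # first byte of the value in the post (&H46 in its VBScript)


@dataclass
class ConnectionSettings:
    version: int = VERSION
    counter: int = 0
    flags: int = FLAG_DIRECT
    proxy: str = ""
    bypass: str = ""
    autoconfig_url: str = ""

    def encode(self) -> bytes:
        """Serialise back to the registry layout described above."""
        out = struct.pack("<III", self.version, self.counter, self.flags)
        for text in (self.proxy, self.bypass, self.autoconfig_url):
            raw = text.encode("ascii")
            out += struct.pack("<I", len(raw)) + raw
        return out + b"\x00" * 32


def decode(blob: bytes) -> ConnectionSettings:
    """Parse the value; raises struct.error / ValueError on a truncated blob."""
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    offset, strings = 12, []
    for _ in range(3):
        (length,) = struct.unpack_from("<I", blob, offset)
        offset += 4
        if offset + length > len(blob):
            raise ValueError("string length runs past end of blob")
        strings.append(blob[offset:offset + length].decode("ascii"))
        offset += length
    return ConnectionSettings(version, counter, flags, *strings)


def autodetect_enabled(blob: bytes) -> bool:
    """Audit helper: is 'Automatically detect settings' (WPAD) on?"""
    return bool(decode(blob).flags & FLAG_AUTODETECT)


def set_autodetect(blob: bytes, enabled: bool) -> bytes:
    """Return a new blob with only the auto-detect bit changed.

    The counter is incremented, as IE does on every change it writes."""
    settings = decode(blob)
    if enabled:
        settings.flags |= FLAG_AUTODETECT
    else:
        settings.flags &= ~FLAG_AUTODETECT
    settings.counter += 1
    return settings.encode()


def as_reg_hex(blob: bytes) -> str:
    """Format like a .reg export line: 46,00,00,00,..."""
    return ",".join(f"{b:02x}" for b in blob)


# Constructed sample: proxy on, auto-detect still ticked (flags 0x0B).
SAMPLE = ConnectionSettings(
    counter=0x3867,
    flags=FLAG_DIRECT | FLAG_PROXY | FLAG_AUTODETECT,
    proxy="10.0.0.5:8080",            # constructed
    bypass="192.168.2.*;<local>",     # constructed
).encode()

if __name__ == "__main__":
    print("before:", as_reg_hex(SAMPLE)[:35], "auto-detect:", autodetect_enabled(SAMPLE))
    fixed = set_autodetect(SAMPLE, False)
    print("after: ", as_reg_hex(fixed)[:35], "auto-detect:", autodetect_enabled(fixed))
    print(decode(fixed))
```

On Windows the blob is read and written with the winreg module (winreg.QueryValueEx, then winreg.SetValueEx with winreg.REG_BINARY) under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections; the post's hex shows SavedLegacySettings beginning with the same version, counter and flags dwords, so the same codec applies to it. From an audit standpoint autodetect_enabled() is the function to run across a fleet, since that flag is what makes IE perform WPAD lookups for a proxy script.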

This now leaves me with "Automatically Detect settings" off, "Use Automatic configuration script" off, "Bypass proxy for local servers" on, the proxy details all filled in and a bypass list created.

Perfect !
