Vodafone Mobile Connect (VMC) Wireless Network Problems and Solutions

Body:

Have you installed the Vodafone Mobile Connect software and seen problems with it not getting DHCP addresses via the laptop's wireless NIC?

We've seen it on a few laptops and it is completely random. I had two laptops of exactly the same configuration and found that the problem existed on one 100% of the time and not at all on the other – even though they were set up side by side identically. One of the guys in our office spent some time digging into it, as it was randomly causing problems on some client laptops. He came up with the following solution.

First off, grab the software from this URL. The current version is 9.3.0.9237, but I've been running 9.2.4.7868 since November 2007 without a problem. (You can get 9.2.4.7868 from here if you want.)

When you install it, choose Custom Install.

You DO NOT want to install the Wireless Control Software or select the box to enable Optimisation.  For us this combination has been 100% successful and is now our standard deployment method.


Hmm – I just ran through the install of the latest software to grab the screenshot above. Aside from the screenshot above, it didn't give me a chance to choose NOT to install the Wireless Components, a choice that was present in the 9.2.4.7868 build. So far so good – it's working for me.


Published: 31/07/2008 2:20 PM


Blocking UPS SPAM Mail

Body:

I use TrendMicro's InterScan Messaging Hosted Security service as part of Worry-Free Business Security Advanced to provide front-line SPAM and malware detection for all mail coming into my family domain and the sbsfaq.com domain. I've been using it for nearly 12 months now. In order to test the effectiveness of a SPAM solution, I've got a mailbox configured with old / defunct email addresses that I no longer use. The addresses info@sbsfaq.com, editor@sbsfaq.com and faq@sbsfaq.com collect nothing but SPAM. Below you can see the last 10 days of email to these addresses. They consist of the daily SPAM reports from Trend, and you will notice that only 2 pieces of SPAM made it through. I'm finding that their detection rate simply rocks with the IMHS service. I'm not seeing any of the UPS SPAM mail that many have been getting in recent weeks. If you have WFBS 5.0 Advanced then you can use the IMHS service as part of your subscription, and it really, really helps reduce the crud that comes in via email.



Category: TrendMicro

Published: 31/07/2008 1:16 PM


How to remove Antivirus 2008

Body:

I had a migraine yesterday – a pretty severe one that lasted 12 hours plus. So today I was off to the doctor's to figure out what it was and get some drugs to deal with it again. Ok – so then I went to the pharmacy to get the prescription filled. I've been going to the same doctor and pharmacist for 10 years now. Behind the counter, the pharmacist – Allan – was on the phone with Telstra. It turned out that his computer was infected by a virus and had been down since last Friday. He had lodged a case with Microsoft, and they had taken him so far, but then referred him to Telstra Bigpond as it was their antivirus protection package that he had installed. Microsoft walked him through clearing the Internet history, AND they told him to remove the existing antivirus software in an attempt to fix the problem. Telstra Bigpond support was totally lost with this and could not get his other AV software reinstalled. Anyway – I walked in the door and offered to help. I know that this thing is particularly bad right now, and it appears to be constantly changing, which makes it hard for the antivirus packages to keep up with it. I however was very lucky. One of my close friends is Sandi Hardmeier, a known and respected anti-malware fighter. I called Sandi and said "what do I do here…"

Sandi's response was to use Smitfraudfix and Malwarebytes Anti-Malware to clean it. Ok – so I attempted to go to the Smitfraudfix website and found myself redirected to some funky website that was most certainly NOT the Smitfraudfix site. Ok – this is one bad-ass piece of malware on this computer. The issue here is that I don't truly know what the malware on this computer will do now. It could contain a keylogger which is capturing every keystroke I type. Hmm – this is a risk now, as anything I do may be logged. The malware was also obviously preventing me from getting to the known sites to get the things I needed to fix this problem. So I thought I'd connect back to my SBS server, which is fully protected, and I guessed that the malware would not know about my URLs etc. The risk though was that the keylogger might capture my passwords! Again this did not bother me, as my servers are protected with two-factor authentication by AuthAnvil. I have a cool key token which generates a one-time password, which means that even if the keylogger captures my password it is totally useless. So I logged into my SBS server via RWW, which is protected by RWWGuard, and then on to my SBS server itself. I quickly downloaded the files I needed and emailed them to myself. I was then able to access my email using RWW again and download the files to the computer. There, I bypassed the bad guys' attempts to block me AND protected my passwords at the same time.
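Why a keylogged one-time password is worthless to whoever captured it is easiest to see in code. The following is an added example, not from the original post and not AuthAnvil's code: the post does not describe the token's algorithm, so an OATH HOTP counter-based code (RFC 4226) is assumed as a stand-in, and the user name, secret and counter bookkeeping are constructed sample data.

```powershell
# Added example (not from the original post): an OATH HOTP one-time password
# (RFC 4226) and a verifier that accepts each code only once, which is why a
# keylogged code is useless to whoever captured it. AuthAnvil's own token
# algorithm is not described in the post; HOTP is assumed here as a stand-in.

function Get-HotpCode {
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [Parameter(Mandatory)][long]$Counter,
        [int]$Digits = 6
    )
    # The counter is hashed as an 8-byte big-endian value (RFC 4226 section 5.2)
    $counterBytes = [BitConverter]::GetBytes($Counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($counterBytes) }

    $hmac = New-Object System.Security.Cryptography.HMACSHA1 -ArgumentList (,$Secret)
    $hash = $hmac.ComputeHash($counterBytes)

    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window
    $offset = $hash[19] -band 0x0F
    $binary = ((($hash[$offset]     -band 0x7F) -shl 24) -bor
               (($hash[$offset + 1] -band 0xFF) -shl 16) -bor
               (($hash[$offset + 2] -band 0xFF) -shl 8)  -bor
                ($hash[$offset + 3] -band 0xFF))
    $code = $binary % [int][math]::Pow(10, $Digits)
    return $code.ToString().PadLeft($Digits, '0')
}

# Server side: the last counter accepted per user is remembered so that a
# captured code cannot be replayed. The secret is the RFC 4226 test key,
# used here purely as constructed sample data.
$script:OtpUsers = @{
    'allan' = @{
        Secret      = [System.Text.Encoding]::ASCII.GetBytes('12345678901234567890')
        LastCounter = -1
    }
}

function Test-OtpLogin {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Code,
        [int]$LookAhead = 5   # tolerate a few unused token presses
    )
    $u = $script:OtpUsers[$User]
    if (-not $u) { return 'denied: unknown user' }
    # Only counters beyond the last accepted one are tried, so a code that has
    # already logged someone in (e.g. one a keylogger recorded) never matches again
    for ($c = $u.LastCounter + 1; $c -le $u.LastCounter + $LookAhead; $c++) {
        if ((Get-HotpCode -Secret $u.Secret -Counter $c) -eq $Code) {
            $u.LastCounter = $c
            return "accepted (counter $c)"
        }
    }
    return 'denied: code invalid or already used'
}

# Demonstration: the same code is presented twice, as a keylogger's owner would
$secret    = $script:OtpUsers['allan'].Secret
$tokenCode = Get-HotpCode -Secret $secret -Counter 0
Test-OtpLogin -User 'allan' -Code $tokenCode   # first use
Test-OtpLogin -User 'allan' -Code $tokenCode   # replay of the captured code
```

The second call fails because the verifier only ever tries counters above the last one it accepted; the static password the keylogger also recorded is of no use without the next code from the physical token.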

Once downloaded I ran Smitfraudfix and set it to scan the system. It produced a log file which is reproduced in part below.

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
+————————————————–+
[!] Suspicious: nfavxwdbmqx.dll
BHO: QXK Olive – {2419FE5A-CAAD-4C36-B45C-90D53379A7B3}
TypeLib: {35068476-D597-421A-A128-5A86F89D5C4C}
Interface: {C9CE49A0-843B-4A0E-8932-491C487B2EB7}
Interface: {D04BC5F0-97AA-404F-B8E4-AED0EF871551}
+————————————————–+
[!] Suspicious: kgxmotapktx.dll
BHO: QXK Olive – {812AE34E-162C-4C94-BAA1-A2C0431AEC84}
TypeLib: {8C6AACDD-4862-496C-BA20-D712AD679760}
Interface: {6A4A71B0-36D2-4674-87AF-288F60E3EC71}
Interface: {A74CD9A1-9348-4B3F-87A4-4852C2CE802E}

[!] Suspicious: eqvwamkl.dll
SSODL: eqvwamkl – {EF2A52A0-938B-4234-B611-AD17904E9996}

[!] Suspicious: evgratsm.dll
SSODL: evgratsm – {EC578342-2C34-40DC-B2DA-4E04D35A0E0C}

I then ran it to clean and it gave me the following (again an excerpt from the log file).

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\WINDOWS\nfavxwdbmqx.dll deleted.
C:\WINDOWS\kgxmotapktx.dll deleted.
C:\WINDOWS\eqvwamkl.dll deleted.
C:\WINDOWS\evgratsm.dll deleted.

Ok – so that was some of the bad stuff – I then ran Malwarebytes Anti-Malware across the system and it showed me that the system was HEAVILY infected with a load of bad stuff.

Malwarebytes’ Anti-Malware 1.23
Database version: 1008
Windows 5.1.2600 Service Pack 2

11:00:12 30/07/2008
mbam-log-7-30-2008 (11-00-12).txt

Scan type: Quick Scan
Objects scanned: 44702
Time elapsed: 6 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 23
Registry Values Infected: 10
Registry Data Items Infected: 2
Folders Infected: 13
Files Infected: 50

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\xxyyVmji.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\efccyayA.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yttcyivq.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemail2.1 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemailbundle2 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemailbundle2.1 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatmailman2.1 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatmailman2 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemail2 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcn66j0er8j (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcn66j0er8j (Rogue.Multiple) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0b399c3f-11f4-493e-95b5-22346ad53f93} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0b399c3f-11f4-493e-95b5-22346ad53f93} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b44e2b70-ed5a-4704-8c0c-2d0a09eb5a90} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b44e2b70-ed5a-4704-8c0c-2d0a09eb5a90} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{040ba7f9-cdc9-4f2a-bafd-5b13501b2dad} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{040ba7f9-cdc9-4f2a-bafd-5b13501b2dad} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyyvmji (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcn66j0er8j (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcj66j0er8j (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\wnslvxtf (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kvxqmtre (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advap32 (Trojan.Spammer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\247d4af7 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{040ba7f9-cdc9-4f2a-bafd-5b13501b2dad} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\efccyaya -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\efccyaya  -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\rhcn66j0er8j.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\rhcn66j0er8j.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\clbdriver.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winfe36.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcj66j0er8j.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clbdll.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\agpqlrfm.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphcj66j0er8j.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcj66j0er8j.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\grswptdl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphcj66j0er8j.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\esea.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\erms.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xdhyfgcj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efccyayA.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\Q33B17XP\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnlLefc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ccoqtf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ixmgasew.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\M10K8Y3M\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pxefpj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qcjuhnwx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oeyvtc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\btlnvy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vnwmdxwb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kwqxqdrt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ysvbxo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cpwwljuo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Ayayccfe.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Ayayccfe.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\djgazb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yttcyivq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qviyctty.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyyVmji.dll (Trojan.Vundo) -> Delete on reboot.

Ok – so at this point it looks like it was clean. To be sure I went to TrendMicro's website and ran a HouseCall scan – this now looks clean.
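A log like the one above is long enough that the two items worth following up are easy to miss: entries that could only be scheduled for deletion at reboot (the file was still loaded when the scan ran) and the LSA package entries that explain the password-change advice. The following added example (not from the original post or from Malwarebytes) parses that log format and pulls those out; the sample text is a constructed excerpt of lines from the log above.

```powershell
# Added example (not from the original post): summarise a Malwarebytes log in
# the format shown above. The sample is a constructed excerpt of the lines above,
# chosen to include the two cases worth following up: items that could only be
# scheduled for deletion at reboot, and LSA package entries.
$sampleLog = @'
Memory Modules Infected:
C:\WINDOWS\system32\xxyyVmji.dll (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\efccyaya -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\efccyaya  -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\drivers\clbdriver.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winfe36.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
'@

function ConvertFrom-MbamLog {
    param([Parameter(Mandatory)][string]$LogText)
    $section = $null
    foreach ($line in ($LogText -split "`r?`n")) {
        if ($line -match '^(.+ Infected):$') { $section = $Matches[1]; continue }
        # Detail lines look like:  <item> (<family>) -> [Data: <data> ->] <action>.
        if ($line -match '^(?<item>.+?) \((?<family>[^()]+)\) -> (?:Data: (?<data>.+?) +-> )?(?<action>[^>]+)\.$') {
            [pscustomobject]@{
                Section       = $section
                Item          = $Matches['item']
                Family        = $Matches['family']
                Data          = $Matches['data']
                Action        = $Matches['action']
                PendingReboot = ($Matches['action'] -eq 'Delete on reboot')
            }
        }
    }
}

function Get-MbamTriage {
    param([Parameter(Mandatory)][string]$LogText)
    $items   = @(ConvertFrom-MbamLog -LogText $LogText)
    # Anything "Delete on reboot" was still loaded when the scan ran; confirm it
    # is really gone after the restart rather than trusting the first scan
    $pending = @($items | Where-Object { $_.PendingReboot })
    # DLLs listed under LSA Notification/Authentication Packages are loaded into
    # LSASS and see passwords at logon, which is why a full password change follows
    $lsa     = @($items | Where-Object { $_.Item -like '*\Control\LSA\*' })
    [pscustomobject]@{
        Total           = $items.Count
        ByFamily        = (($items | Group-Object Family | Sort-Object Name |
                            ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', ')
        PendingReboot   = @($pending | ForEach-Object { $_.Item })
        CredentialTheft = @($lsa | ForEach-Object { $_.Item })
    }
}

Get-MbamTriage -LogText $sampleLog | Format-List
```

Run against the full log by passing `Get-Content -Raw` of the mbam-log file instead of `$sampleLog`. The `PendingReboot` list is the checklist for the post-reboot rescan, and a non-empty `CredentialTheft` list means every password typed on the machine while it was infected has to be treated as known to the attacker.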

Advice to the pharmacist then was to ensure he changed all passwords for all online systems. I suggested also that he consider a format and rebuild of the system to be sure and left it in his hands for his regular support people to take over.


Category: Troubleshooting

Published: 30/07/2008 8:57 PM


SBS 2008 Documentation Updates

Body:

Found today that Microsoft have updated the downloadable documents for SBS 2008 in the last few days. Here are a few links for you.

Windows Small Business Server 2008 Installation Guide

Migrating to Windows Small Business Server 2008 from Windows Small Business Server 2003

Migrating to Windows Small Business Server 2008 from Windows Small Business Server 2008

That last one is indeed correct – they are providing guidance up front on how to migrate from SBS 2008 to SBS 2008, which basically allows you to do a swing to a new SBS 2008 server.


Category: SBS 2008 / Cougar

Published: 25/07/2008 7:18 AM


EBS 2008 Documentation Updates & Downloads

Body:

Category: EBS 2008

Published: 25/07/2008 7:17 AM


Windows SharePoint Services Operations Guide

Body:

One of the members of the SMB IT Professionals Group in Sydney is Robert Crane. Robert has spent some time working with Windows SharePoint Services and has taken a vast amount of his knowledge and put it into writing in the form of his Windows SharePoint Services Operations Guide. This guide comprises many pages of information that walk you through from basics such as how to post information to the site, through to the various templates that come with WSS. I've had a chance to review his guide and found it to be an excellent resource whether you are new to or even familiar with Windows SharePoint Services. It gives a great overview of how to perform many of the tasks that you will need to do in a SharePoint installation, along with real-world experience where it varies from the official Microsoft line. I'd suggest you check it out if you are doing work with SharePoint, as it will save you time and money. Robert has a sample chapter available online so you can check it out.

With SBS 2008 coming up just around the corner, this guide will likely help you with the more tricky installations that you might come across.

http://wssops.saturnalliance.com.au is the direct link to the site – Tell Robert that I sent you ;-)


Category: Documentation

Published: 24/07/2008 7:27 AM

SBS 2008 Migration Documentation

Body:

I'm preparing to do a migration this weekend from SBS 2003 to SBS 2008 for one of our customers who is on the official Microsoft TAP program for SBS 2008. As part of that I needed to download and review the latest documentation relating to the official Microsoft-supported methods to perform the migration. Basically they support a form of the "Swing Migration" method that I've been using since 2001. You can get the latest downloadable documents from here.

Once you download them, expand them and run the CHM file, you will get something like the screen below. For each page you select you get "The Address Is Not Valid". The solution is easy and it relates to some Microsoft updates applied to Vista and Windows Server 2003.

To be able to read the CHM file you need to right-click the file and select Properties, then select the Unblock button at the bottom of the Properties page. This will then allow the file to be opened and read. Note that if you move the file to another location you will need to do the same again.
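What the Unblock button actually does is remove the Zone.Identifier alternate data stream that Internet Explorer attaches to downloaded files on NTFS, which is what the CHM viewer checks before it will render pages. The following is an added example, not from the original post: it shows the stream, removes it the same way the button does, and verifies the result. The file path is a placeholder, and `-Stream` and `Unblock-File` need PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): the Properties > Unblock button
# removes the Zone.Identifier alternate data stream that marks a downloaded file
# as coming from the Internet zone, which is what makes the CHM viewer refuse the
# pages. The path is a placeholder; -Stream and Unblock-File need PowerShell 3.0+.
$chm = 'C:\Downloads\SBS2008Migration.chm'   # placeholder path

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the stream contents (e.g. "ZoneId=3" for Internet) or $null if not blocked
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    Get-Content -LiteralPath $Path -Stream Zone.Identifier
}

function Unblock-HelpFile {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)
    $mark = Get-MarkOfTheWeb -Path $Path
    if (-not $mark) { return "$Path is not blocked" }
    Write-Verbose ("Zone.Identifier on {0}:`n{1}" -f $Path, ($mark -join "`n"))
    # Same effect as clicking Unblock; the post notes it must be repeated if the
    # file is moved, so re-run this after relocating the file
    Unblock-File -LiteralPath $Path
    if (Get-MarkOfTheWeb -Path $Path) { throw "Unblock failed for $Path" }
    "$Path unblocked"
}

Unblock-HelpFile -Path $chm -Verbose
```

Because the check reads the stream back after unblocking, the function fails loudly rather than leaving you with a CHM that still shows "The Address Is Not Valid".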

After you've done the procedure above you can see the real content, as per the screenshot below.


Category: SBS 2008 / Cougar

Published: 23/07/2008 7:38 AM


Trend blocking Antivirus 2009

Body:

This came up in the SBS2K list, where one of the members posted about his sites and the fact that the users were downloading and installing a product called Antivirus 2009. He wondered why the version of Trend he is using was not blocking it. I suspected that this came to him via a form of malvertisement and sure enough – after checking Sandi's blog – I was right. It looks like one of the attack vectors for this is "infected ad banners", although it can be from other sources too. After some digging I found this blog post from Bill Mullins that talks about the software as well.

So why does Trend not block it? Well, it depends on the version really – you can see from the screenshot below that WFBS 5.0 does indeed block it, and it requires user interaction to bypass it. I can only assume that the group member didn't have the latest version installed on his computer.

Web Reputation Services is a facility in WFBS 5.0 that monitors a user's web site access, and if the URL the user is going to is a known bad URL it stops access with the message below. The user can reclassify the URL and allow access to the site, but as you can see this is not something they will do without first being warned that this is a bad thing :-)

If you don't have WFBS 5.0 installed, this is yet one more reason that you should get it up and running ASAP.

I’ll be updating my Trend Guide for CSM to WFBS 5.0 shortly – it will be available for purchase via www.sbsfaq.com and available free to subscribers.


Published: 23/07/2008 7:18 AM


I’m outta here..

Body:

Yup – for the next few days I'll be out of contact while I take a few days to spend with my family out west on a farm that has no mobile phone reception and no Internet access. I won't be back online till next Tuesday, so if you email me I'll respond after that point. I'll be out west – in the center of this little map – so you can see there's not much around, which will be good.


Published: 17/07/2008 10:16 AM


SPAM Filtering Options in Trend Worry-Free Business Security

Body:

With the release of Trend's WFBS 5.0 (formerly known as CS and CSM Security), Trend have upgraded the Antispam components in a number of ways. For some this is causing some confusion. Hopefully I can help resolve that.

When you purchase WFBS Advanced over Standard, you get support for Exchange Server. This is the typical choice for Small Business Server owners who use Exchange for their mail. The WFBS Standard suite has no support for Exchange Server and therefore a lot of what is below does not apply.

So what do you get?

WFBS Standard includes a client agent (CSA) that installs on the desktop PCs. People who deploy WFBS Standard normally will not have an in-house Exchange server, and their mail is often hosted on a POP3 mail server with their ISP. To protect them from SPAM you can enable the inbuilt protection that is part of the CSA installed on each PC. The screenshot below shows how to configure this agent.


WFBS Advanced on the other hand has several layers of Antispam that can be used to help thwart the spam from getting into the users inbox.  This assumes that your mail is hosted on an in-house Exchange server such as Small Business Server 2003. The Antispam features include the following…

ERS – Email Reputation Services – This is a cool feature that is built into the Messaging Agent (MSA) for WFBS. You can see in the screen below that I've got this enabled, and you can also see it has a Standard and an Advanced option (now isn't that confusing!!!). Effectively, this is the ability of the Trend MSA to look at the source IP address that the incoming email connection is coming from and then decide, based on rules, whether it should even allow the connection to take place. It does this by a lookup of a Trend-maintained Email Reputation database that tracks known spammers. If the address is on the list then it drops the connection altogether, preventing the email from getting in at all. If the address is not on the list then the email comes in and proceeds to the next level of SPAM filtering, called Content Scanning.

The Standard and Advanced ERS lists are cool too. You can see I've configured for Advanced, and there is a web-based control panel if you need to tweak it for yourself. The Standard list contains all KNOWN spammers whereas the Advanced list contains the newest potential spammers. Trend monitor these newer spammers' IPs to determine if they are indeed sending out SPAM or if in fact they are a legitimate business doing a mail-out to their customer base. Consequently you may find mail coming into your organisation from one of the senders on the dynamic list delayed by up to 4 hours whilst Trend evaluate whether they are spammers or not. I understand that if you are verified as a spammer then you get moved to the known spammers list.
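The three outcomes described above (connection dropped for a known spammer, mail from a sender still under evaluation held for up to 4 hours, everything else passed on to content scanning) are a small decision procedure. The following is an added example, not from the original post and not Trend's code: the two lists, the IP addresses and the timestamps are constructed sample data, and the real Trend lists are looked up remotely, which this does not attempt.

```powershell
# Added example (not from the original post): a connection-time reputation
# decision modelled on the ERS behaviour described above. The two lists, the
# IP addresses and the timestamps are constructed; the real Trend lists are
# looked up remotely, which this does not attempt.
$KnownSpammers    = @('198.51.100.7', '198.51.100.8')   # "Standard" list: verified spam sources
$UnderEvaluation  = @('203.0.113.45')                    # "Advanced" dynamic list: new, unverified senders
$HoldPeriod       = [TimeSpan]::FromHours(4)             # the post's "up to 4 hours" delay
$script:FirstSeen = @{}                                  # first contact time per dynamic-list IP

function Test-SenderReputation {
    param(
        [Parameter(Mandatory)][string]$RemoteIp,
        [datetime]$Now = (Get-Date)
    )
    if ($KnownSpammers -contains $RemoteIp) {
        # Refused at connection time: the message never enters the mail system
        return [pscustomobject]@{ Ip = $RemoteIp; Verdict = 'Reject'; Smtp = '550 5.7.1 Sender IP has a poor reputation' }
    }
    if ($UnderEvaluation -contains $RemoteIp) {
        if (-not $script:FirstSeen.ContainsKey($RemoteIp)) { $script:FirstSeen[$RemoteIp] = $Now }
        if (($Now - $script:FirstSeen[$RemoteIp]) -lt $HoldPeriod) {
            # Temporary failure: a real MTA queues and retries, so the mail is delayed, not lost
            return [pscustomobject]@{ Ip = $RemoteIp; Verdict = 'Defer'; Smtp = '451 4.7.1 Sender under evaluation, try again later' }
        }
    }
    # Unlisted, or the hold period has passed: accept and hand over to content scanning
    [pscustomobject]@{ Ip = $RemoteIp; Verdict = 'Accept'; Smtp = '250 OK' }
}

$t0 = [datetime]'2008-07-16T09:00:00'
Test-SenderReputation -RemoteIp '198.51.100.7' -Now $t0                 # known spammer
Test-SenderReputation -RemoteIp '203.0.113.45' -Now $t0                 # new sender, first contact
Test-SenderReputation -RemoteIp '203.0.113.45' -Now $t0.AddHours(5)     # same sender retrying after the hold
Test-SenderReputation -RemoteIp '192.0.2.10'   -Now $t0                 # unlisted sender
```

The point of the 4xx temporary failure for the dynamic list is that a legitimate mail server retries and gets through once the hold expires, whereas spam tooling that never retries simply loses the message; the 5xx for the known list makes the connection cost the spammer bandwidth and the recipient nothing.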


Content Scanning – Ok – so after the inbound mail gets past ERS, it's in your mail system and can then be content scanned using the Trend Antispam scanning engine. If it's found to be spam then it's placed in your SPAM Mail folder (dependent on your configuration of Trend). Here the user can retrieve it, look at it and deal with it as they see fit.


IMHS – InterScan Messaging Hosted Security – is another option that you may choose to use in conjunction with the above two. This is a hosted solution that filters your mail before it gets to your Exchange Server. To configure this you will need to change your DNS MX records to point to Trend's mail servers and then configure your server to only receive mail from the Trend servers. I've been using this service for nearly 12 months now and I've found a dramatic drop in the amount of SPAM that gets through to my inbox. These days I get almost zero SPAM in my inbox. You can see from the pie chart below that 81% of my inbound mail in the last week is being blocked BEFORE it is even evaluated as SPAM. A further 4% is then checked and declared as SPAM. That means overall my Internet connection and my mail system are having to deal with 85% LESS email than before. Here in Australia, where we pay per megabyte for Internet usage, this type of thing translates to real business benefits. The 81% that has been blocked below is using Trend's hosted ERS service, which they themselves use in front of their own mail servers. Therefore if you look at this article as a whole, you could block 81% of your SPAM traffic using nothing more than the ERS service mentioned above. As for the mail marked as SPAM by IMHS – it goes into a queue and I get a daily report of what is in the queue – I can then use the web-based console to review and release the mail if I want to.
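The two configuration steps above (MX records pointing only at the hosted service, and the server accepting SMTP only from that service's addresses) are the whole security of a hosted filter: a stray MX or an unscoped port-25 allow rule lets a spammer deliver straight to your server and skip the filter entirely. The following is an added example, not from the original post and not Trend's tooling, that checks both. The domain, MX host names and address ranges are placeholders to be replaced with the values your provider gives you; `Resolve-DnsName` and the NetSecurity firewall cmdlets need Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original post): two checks for a hosted-filter
# setup such as IMHS. Domain, MX host names and address ranges are placeholders
# to be replaced with the values your provider gives you. Resolve-DnsName and
# the NetSecurity cmdlets need Windows 8 / Server 2012 or later.
$Domain        = 'example.com'
$HostedMxHosts = @('in1.hosted-filter.example.net', 'in2.hosted-filter.example.net')
$HostedRanges  = @('192.0.2.0/24', '198.51.100.0/24')

function Test-MxPointsToHostedFilter {
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][string[]]$Expected)
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
          Where-Object { $_.Type -eq 'MX' } | Sort-Object Preference
    # Any MX outside the filter's hosts gives spammers a path that skips the filter
    $stray = @($mx | Where-Object { $_.NameExchange.TrimEnd('.') -notin $Expected })
    [pscustomobject]@{
        Domain  = $Domain
        MxHosts = @($mx | ForEach-Object { "$($_.Preference) $($_.NameExchange)" })
        Bypass  = @($stray | ForEach-Object { $_.NameExchange })
        Ok      = ($stray.Count -eq 0)
    }
}

function Get-UnscopedSmtpAllowRules {
    # Enabled inbound allow rules for TCP/25 open to any remote address; the
    # usual culprit is a rule created for Exchange before the filter existed
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '25' } |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
}

function Set-SmtpInboundRestriction {
    param([Parameter(Mandatory)][string[]]$AllowedRanges)
    # With the profile's default inbound action left at Block, one allow rule
    # scoped to the filter's ranges is all that is needed. Unscoped port-25 allow
    # rules (see Get-UnscopedSmtpAllowRules) must be removed or scoped as well,
    # otherwise mail sent straight to your MX still bypasses the hosted filter.
    $name = 'SMTP inbound - hosted filter only'
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort 25 `
        -RemoteAddress $AllowedRanges -Action Allow -Profile Any | Out-Null
}

Test-MxPointsToHostedFilter -Domain $Domain -Expected $HostedMxHosts
Get-UnscopedSmtpAllowRules | Select-Object DisplayName, Profile
Set-SmtpInboundRestriction -AllowedRanges $HostedRanges   # requires an elevated session
```

Run the first two as a read-only audit; the third changes the firewall and only does what you want once `Get-UnscopedSmtpAllowRules` returns nothing, since in Windows Firewall a broader allow rule for the same port remains in effect alongside the scoped one.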


So – what do I use? For my main system (SBSfaq.com) I use IMHS to filter all mail before it hits my SBS server – that keeps my Internet connection clear of the garbage that normally would slow me down. For other systems of mine (i.e. my test systems) that are exposed to the Internet, I use the ERS and Content Scanning facilities.

I’ll be updating my Trend Guide for CSM to WFBS 5.0 shortly – it will be available for purchase via www.sbsfaq.com and available free to subscribers.


Category: TrendMicro

Published: 16/07/2008 11:52 AM