AVG’s fix for destroying Windows XP…

http://www.avg.com/faq.num-1575#faq_1575

In case you are not able to run your Windows XP operating system after AVG 8.0 virus definition update (DB: 270.9.0/1777) and you do not have Windows XP installation CD, please proceed as follows in order to resolve this situation:

We have prepared a utility which can fix the issue mentioned above. You can use the following boot media: either CD-ROM or USB flash drive. If you decide to use CD-ROM, please follow the instructions in part A); in case of USB flash drive, follow the steps in part B). When finished, it is necessary (in both cases) to follow additional instructions described in part C).

A. CD-ROM instructions (recommended):

1. Please download the CD image.
2. Use your favorite CD burning software to burn the downloaded image (IMPORTANT NOTE: Please use the "Burn CD from image"* option).
3. Insert the CD into the CD-ROM drive of the affected computer and restart the computer. It should boot up from the CD. If not, please see the user's manual for your motherboard to find out how to let the computer boot from a CD.
4. Continue with instructions in section C).

B. USB flash drive instructions (available only for computers supporting USB boot function):

1. Please download the USB flash archive (rescue.zip).
2. Extract the content of the "rescue.zip" archive to your USB flash drive.
3. IMPORTANT: go to the root of the flash drive.
WARNING: take care to do the next step only when you are located on the flash drive. Doing the step on the local disk can DESTROY BOOT FILES ON YOUR HARD DRIVE!

4. Please run the "makeboot.bat" batch (pay attention that it is the one on the USB flash drive) and follow the instructions.
5. Connect the USB flash drive to the affected computer and restart the computer. It should boot up from the USB flash drive. If not, please see the user's manual for your motherboard to find out how to let the computer boot from a USB flash drive. Please note that this function is not supported on all motherboards.

C. Additional instructions:

1. Boot the computer from the CD-ROM or USB flash drive as described in steps A) and B).
2. Follow the rescue process.
3. Please login to Windows as Administrator.
4. Update the AVG program (open the AVG User Interface and click the "Update now" button).
5. Rename the file "avgrsx.exe_off" to "avgrsx.exe". This file is located in the AVG 8.0 Program folder (C:\Program Files\AVG\AVG8 by default).
6. Rename the file "avgsched.dll_off" to "avgsched.dll". This file is located in the AVG 8.0 Program folder (C:\Program Files\AVG\AVG8 by default).
7. Remove the boot media (CD-ROM or USB flash drive) and restart your computer.

* The name of the function may vary depending on used software.

Latest news on MS08-067

Hi, this is Christopher Budd. We’ve been getting some questions from customers this week asking if we’ve seen any changes in the threat environment around MS08-067. We do have some information that we can share so I wanted to pass that along.

Most importantly, we continue to see strong deployments of MS08-067. We’re glad that customers have moved as quickly as they have to download, test and deploy the update. That said, we continue to urge customers who haven’t yet deployed the update to do so.

We have seen some new pieces of malware attempting to exploit this vulnerability this week. And while so far, none of these attacks are the broad, fast-moving, self-replicating attacks people usually think of when they hear the word “worm,” they do underscore the importance of deploying this update if you haven’t already.

My colleagues over in the Microsoft Malware Protection Center (MMPC) have provided write-ups on the new pieces of malware we’ve seen this week and have included signatures to help protect against these.

· Trojan:Win32/Wecorl.A

· Trojan:Win32/Wecorl.B

· Trojan:Win32/Clort.A

· Trojan:Win32/Clort.A!exploit

· Trojan:Win32/Clort.A.dr

· TrojanDownloader:Win32/VB.CQ

· TrojanDownloader:Win32/VB.CJ

Again, none of these are broad, fast-moving, self-replicating attacks. They’re similar to the original attacks we detected, in that they focus on loading malware onto vulnerable systems. They’re also similar in that the overall scope of these attacks is very limited. The largest of these attacks are those associated with the Clort family, and we’ve seen well below fifty attacks worldwide.

Overall the threat environment remains similar to what it was last Monday when we released Microsoft Security Advisory 958963. The publicly available exploit code has resulted in limited malware attacks seeking to exploit the vulnerability. This is in line with what Mike said we should expect last week. We expect we’ll continue to see new pieces of malware over the coming days and weeks, and our colleagues over in the MMPC will continue to add write-ups and signatures for them.

We’ll continue to watch and update you of any important new developments.

Thanks

Christopher

Original:  http://blogs.technet.com/msrc/archive/2008/11/05/latest-on-ms08-067.aspx

Recommendations for antivirus exclusions in MOM 2005 and OpsMgr 2007

Exclusions by process executable:

Creating exclusions based on the executable can potentially be very dangerous in that it limits the control of scanning potentially dangerous files handled by the process. For this reason, unless absolutely necessary, we do not recommend relying on exclusions based on any process executables for MOM or OpsMgr servers. However, with that said, if you do decide that you need to make exclusions based on the process executables for whatever reason, they are listed below:

MOM 2005 – momhost.exe
OpsMgr 2007 – monitoringhost.exe

Exclusions by Directories: The following includes real-time, scheduled scanner and local scanner directory specific exclusions for Operations Manager.  The directories listed here are default application directories.  You may need to modify these paths based on your specific environment.  Only the following MOM\OpsMgr related directories should be excluded. 

Important Note: When a directory to be excluded is greater than 8 characters in length, add both the short and long file names of the directory into the exclusion list. Some AV programs require this in order to traverse the sub-directories.

SQL Database Servers:
These include the SQL Server database files used by Operations Manager components as well as system database files for the master database and tempdb.  To exclude these by directory, exclude the directory for the LDF and MDF files:

Examples:
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data
D:\MSSQL\DATA
E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Log

MOM 2005 (management servers and agents): These include the queue and log files used by Operations Manager.

Example:
C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Operations Manager\

OpsMgr 2007 (management servers and agents): These include the queue and log files used by Operations Manager.

Example:
C:\Program Files\System Center Operations Manager 2007\Health Service State\Health Service Store

Exclusion of File Type by Extensions: The following includes real-time, scheduled scanner and local scanner file extension specific exclusions for Operations Manager. 

SQL Database Servers: These include the SQL Server database files used by Operations Manager components as well as system database files for the master database and tempdb. 

Examples:
MDF, LDF

MOM 2005 (management servers and agents): These include the queue and log files used by Operations Manager.

Example:
WKF, PQF, PQF0, PQF1

OpsMgr 2007 (management servers and agents): These include the queue and log files used by Operations Manager.

Example:
EDB, CHK, LOG

Note: Page files should also be excluded from any real time scanning.

Source:  The Manageability Team Blog
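As an added example (not from the Manageability Team Blog or from this page), a Python audit of a proposed AV exclusion list against the guidance above: it flags process-executable exclusions, directories outside the default MOM/OpsMgr paths, extensions beyond the listed set, and long directory names that have no 8.3 short-name twin. The recommended directory list uses the C: default paths quoted above (adjust for your environment); the 8.3 check is a pattern match accepting any `~N` suffix, not a lookup on disk.

```python
import re

RECOMMENDED_DIRS = [  # default MOM/OpsMgr paths quoted in the guidance above
    r"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data",
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Operations Manager",
    r"C:\Program Files\System Center Operations Manager 2007\Health Service State\Health Service Store",
]
RECOMMENDED_EXTS = {"MDF", "LDF", "WKF", "PQF", "PQF0", "PQF1", "EDB", "CHK", "LOG"}
SHORT83 = re.compile(r"^[^ .\\]{1,6}~\d+(\.[^ .\\]{1,3})?$")  # tilde form, e.g. PROGRA~1

def fits_83(name: str) -> bool:
    """A path component that already fits 8.3 keeps its name in the short path."""
    if " " in name or name.count(".") > 1:
        return False
    base, _, ext = name.partition(".")
    return 1 <= len(base) <= 8 and len(ext) <= 3

def is_short_form_of(candidate: str, long_path: str) -> bool:
    """True if candidate spells long_path in 8.3 form (any ~N suffix accepted, not checked on disk)."""
    c, l = candidate.rstrip("\\").split("\\"), long_path.rstrip("\\").split("\\")
    if len(c) != len(l):
        return False
    for cp, lp in zip(c, l):
        if fits_83(lp):
            if cp.lower() != lp.lower():
                return False
        elif not SHORT83.match(cp):
            return False
    return True

def audit_exclusions(config: dict) -> list:
    """Findings for a config with 'processes', 'directories' and 'extensions' lists."""
    findings = [f"process exclusion {exe}: not recommended" for exe in config.get("processes", [])]
    dirs = [d.rstrip("\\") for d in config.get("directories", [])]
    for d in dirs:
        if not any(d.lower() == r.lower() or is_short_form_of(d, r) for r in RECOMMENDED_DIRS):
            findings.append(f"directory exclusion {d}: outside the recommended MOM/OpsMgr directories")
    for r in RECOMMENDED_DIRS:  # long name listed but no 8.3 twin: some scanners skip subdirectories
        if any(d.lower() == r.lower() for d in dirs) and not any(is_short_form_of(d, r) for d in dirs):
            findings.append(f"directory exclusion {r}: no short-name twin")
    for ext in config.get("extensions", []):
        if ext.upper().lstrip(".") not in RECOMMENDED_EXTS:
            findings.append(f"extension exclusion {ext}: not in the recommended set")
    return findings

SAMPLE_CONFIG = {  # constructed sample, not a real deployment
    "processes": ["momhost.exe"], "extensions": ["MDF", "LDF", "EDB", "CHK", "LOG", "EXE"],
    "directories": [RECOMMENDED_DIRS[0], r"C:\PROGRA~1\MICROS~1\MSSQL.1\MSSQL\Data",
                    RECOMMENDED_DIRS[2], r"C:\Program Files"],
}
```

Running `audit_exclusions(SAMPLE_CONFIG)` reports the process exclusion, the over-broad `C:\Program Files` entry, the missing short-name twin for the Health Service Store path, and the `EXE` extension.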

How did ConfigMgr help you during the critical patch rollout?

I’ve heard from a few others that deploying the critical update the past couple days really made ConfigMgr shine.  They say that ConfigMgr has completely alleviated the patching woes of the past.

Did it help you?  Did ConfigMgr make your patching life easier?  Should ConfigMgr be marketed more surrounding its awesome patching capabilities?

Drop me a note and let me know.

Special Live OneCare Message for the October 23, 2008 out of band update

Because I continually test Live OneCare updates, I run OneCare on my computer exclusively.  This is the first time an update from Microsoft has produced the following message (and, yes, Microsoft is actually misspelled in the message):

Current Advisory
October 23, 2008 Advisory: Important information about a Windows security update

Micrsoft released a critical security update for a recently identified security vulnerability (Microsoft Security Bulletin MS08-067). As long as your Windows Live OneCare status remains Good (green), Windows Live OneCare is helping to protect you by automatically applying the latest security updates and virus signatures. If your status is At Risk (yellow or red), please take the requested action(s) to ensure that your computer is protected.
You may also run a manual check of Windows update by following the steps below:

  1. Open Internet Explorer.
  2. In the Tools menu, click Windows Update.
  3. Follow the instructions to check for any applicable updates.

LiveOneCare

http://onecare.live.com/standard/en-us/secinfo/alert/criticalalerts.htm?criticalalertid=20081023