Blog

Mass Email Worm Outbreak: W32.Imsolk.B@mm

This just came out: Mass Email Worm Outbreak: W32.Imsolk.B@mm. Detailed information obtained from Symantec includes the following.

Symantec Security Response has observed a global mass mailer worm spreading and affecting hundreds of thousands of computers worldwide. This appears to be a new attack, likely originating from a botnet; however, it is similar to the classic old-school mass-mailing viruses like Nimda, Melissa and the Anna Kournikova virus from 2001.

The new, malicious computer worm spreads using a socially engineered email attack. The threat arrives in the form of a standard email that directs the recipient to click on a link embedded in the email. This link points to a malicious program file that is disguised as a PDF file, hosted on the internet. When the user clicks on this link, their computer downloads and launches the malicious file.

Symantec customers are protected from W32.Imsolk.B@mm both today and in the future using updates, as well as the products and services outlined below.

How do I protect my organization against the W32.Imsolk.B@mm worm threat?

Customers with Symantec Antivirus (SAV) or Symantec Endpoint Protection (SEP) are protected: the Rapid Release signature of Sept. 9th, rev 023 or later, detects and blocks this threat. This signature set will stop all new infections. A fully certified regular definition set (dated Sept. 9th), known as rev 024, provides these protections.

Symantec Security Response has created a Symantec Endpoint Protection Application and Device Control policy to prevent infections / execution of the threat and any side effects caused by the threat. The policy can be found here.

What does the threat do?

The worm uses e-mail for its initial propagation (an e-mail purporting to include a link to a requested document). The e-mail looks like the following:

    Hello:

    This is The Document I told you about, you can find it Here.

    Please check it and reply as soon as possible.

    Cheers,

Once the link is followed, it downloads the W32.Imsolk.B@mm threat, which infects the computer. Once inside, it can spread rapidly via shared drives and removable drives. It also attempts to spread via e-mail by gathering e-mail addresses from the compromised computer.

The main characteristics of the worm’s functionality are as follows:

- Primary mode of infection: the email recipient clicks on a link.
- Infection spreads through:
  - email sent to contacts from the victims' address books;
  - mapped drives via autorun;
  - instant messenger transmissions.
- Disables various security-related programs, but not Norton or Symantec products.

Best Practices

Symantec is encouraging computer users to use the following security best practices:

- If you are currently suffering infection, your best protection is to obtain the latest signature updates for Symantec Antivirus or Symantec Endpoint Protection.
- If your systems cannot get access to the latest updates:
  1. Disable network sharing for the infected systems and/or disconnect them from the local network and Internet.
  2. Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required.
  3. Apply the updates.
  4. Remove the infection and restore the host to the network.
- Technical Support already has the following knowledge base articles on the topic:
  - How to prevent a virus from spreading using the “AutoRun” feature
  - Preventing viruses using “autorun.inf” from spreading with “Application and Device Control” policies in Symantec Endpoint Protection (SEP) 11.x. This includes specific instructions on how to use the policy feature of SEP to disable autorun.inf files.
- Keep antivirus definitions up-to-date.
- Avoid clicking on links and/or attachments in email messages.
- Configure mail servers to block or remove email that contains .SCR file attachments.

Symantec products that can strengthen your organization’s security

Mail Security for Microsoft Exchange

- Outbreak detection: identify that an active outbreak is occurring because of the volume of traffic generated by the same “Here you Have” email.
- Internal mail filtering: block all internal traffic of the “Here you Have” email using Content Filtering.
- Mail store / inbox cleanup: seek out and eliminate the “Here you Have” email from Mail Stores and end user inboxes.

Brightmail Gateway Small Business Edition

- Multiple layers of defense: has over 20 different antispam technologies that can block new threats as they emerge.
- Updated rules: Brightmail Gateway updated both antispam rules and antivirus rules to block this attack immediately after it was detected on Sept. 9th. Symantec deployed a combination of predictive and aggressive rules to ensure complete protection.
- Global Intelligence Network: Protection includes a 24
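The advisory describes two defender-side measures in words only: spotting an outbreak by the volume of identical "Here you have" mail, and switching off AutoPlay so the worm cannot launch from mapped or removable drives. The following PowerShell is an added example (not code from Symantec or from this blog) that does both. The message-log format, the sample log lines, the URLs and the sender addresses are all constructed for the demonstration; the `NoDriveTypeAutoRun` policy value and its key are the standard Windows Explorer policy setting.

```powershell
# Added example: outbreak detection by volume plus AutoRun hardening.
# Nothing here is taken from the Symantec advisory's own tooling.

# ---- 1. Outbreak detection -------------------------------------------------
# Constructed log format for this example:
#   <ISO timestamp>;<sender>;<subject>;<first URL in body>
# A subject/URL pair is flagged when it repeats at least $Threshold times
# inside $WindowMinutes, or when the link is an executable dressed up as a PDF
# (the advisory's "program file disguised as a PDF").

function Test-DisguisedExecutable {
    param([string]$Url)
    return ($Url -match '\.(scr|exe|com|pif)(\?|$)') -and ($Url -match 'pdf')
}

function Find-MassMailOutbreak {
    param(
        [string[]]$LogLines,
        [int]$Threshold = 5,
        [int]$WindowMinutes = 10
    )
    $records = foreach ($line in $LogLines) {
        $f = $line.Split(';')
        if ($f.Count -lt 4) { continue }            # skip malformed rows
        New-Object PSObject -Property @{
            Time    = [datetime]::Parse($f[0])
            Sender  = $f[1].Trim()
            Subject = $f[2].Trim()
            Url     = $f[3].Trim()
        }
    }
    $alerts = @()
    foreach ($g in ($records | Group-Object Subject, Url)) {
        $times     = @($g.Group | Sort-Object Time | ForEach-Object { $_.Time })
        $span      = ($times[-1] - $times[0]).TotalMinutes
        $first     = $g.Group[0]
        $disguised = Test-DisguisedExecutable $first.Url
        if (($g.Count -ge $Threshold -and $span -le $WindowMinutes) -or $disguised) {
            $alerts += New-Object PSObject -Property @{
                Subject   = $first.Subject
                Url       = $first.Url
                Count     = $g.Count
                Senders   = ($g.Group | Select-Object -ExpandProperty Sender -Unique) -join ','
                Disguised = $disguised
            }
        }
    }
    return $alerts
}

# Constructed sample: six copies of the lure in five minutes, one legitimate mail.
$sampleLog = @(
    '2010-09-09T14:01:10;alice@example.com;Here you have;http://example.invalid/docs/document.pdf.scr',
    '2010-09-09T14:01:40;bob@example.com;Here you have;http://example.invalid/docs/document.pdf.scr',
    '2010-09-09T14:02:05;carol@example.com;Here you have;http://example.invalid/docs/document.pdf.scr',
    '2010-09-09T14:03:30;dave@example.com;Here you have;http://example.invalid/docs/document.pdf.scr',
    '2010-09-09T14:04:12;erin@example.com;Here you have;http://example.invalid/docs/document.pdf.scr',
    '2010-09-09T14:05:59;frank@example.com;Here you have;http://example.invalid/docs/document.pdf.scr',
    '2010-09-09T15:30:00;grace@example.com;Q3 budget;http://intranet.example.com/budget.pdf'
)
Find-MassMailOutbreak -LogLines $sampleLog |
    Format-Table Subject, Count, Disguised, Senders -AutoSize
# Expected: one alert row for "Here you have" (Count 6, Disguised True); no row for "Q3 budget".

# ---- 2. Disable AutoPlay/AutoRun for all drive types -----------------------
# Sets the machine-wide Explorer policy NoDriveTypeAutoRun to 0xFF (every
# drive type), then reads it back. Run from an elevated shell; honours -WhatIf.
function Disable-AutoRunAllDrives {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($key, 'Set NoDriveTypeAutoRun = 0xFF')) {
        Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
    $current = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    return ($current -eq 0xFF)   # $true once the policy is in place
}

# Disable-AutoRunAllDrives -WhatIf   # preview
# Disable-AutoRunAllDrives           # apply (elevated)
```

The volume rule fires only when the same subject and link repeat inside a short window, which keeps an ordinary all-staff announcement from being flagged; the disguised-executable rule fires on the first copy, because a link ending in `.scr` that calls itself a PDF has no legitimate use. The registry change takes effect for new logon sessions and for Explorer after a restart.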

The SBSMonitoring database is nearing maximum size on SBS 2008

Have you received this error? "The SBSMonitoring database is nearing maximum size" on SBS 2008. I was getting this on an SBS 2008 server running the SBS BPA. From the error message, it’s pretty clear that the SBSMonitoring database is too large to work normally. There is a fix for this, and it turns out the same SQL script that is used for the SBS problem where the Console displays too slowly is part of the solution. To shrink the database, please follow these steps:

Step 1: Download the following file to the server you are going to be working on:

1. http://cid-d5fe25afb6c3615f.skydrive.live.com/self.aspx/.Public/updateSBSMonitoring.sql
2. I recommend you save the file to an easy-to-access path, such as c:\windows\temp.

Step 2: Complete a backup of the SBSMonitoring databases

1. Open Services from Administrative Tools, Services.
2. Accept the UAC prompt.
3. Find and stop the SQL Server (SBSMONITORING) service.
4. Make a copy of the files in the following folder:
   C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Data
5. Once the file backup is completed, start the SQL Server (SBSMONITORING) service.

Step 3: Run the following set of commands to implement the improvements

1. Open an Administrative Command Prompt (Run As Admin).
2. Type the following command, substituting the path to the updateSBSMonitoring.sql file as needed (we recommend that you do NOT copy & paste this command directly from the blog post):

   Sqlcmd -S %computername%\SBSMonitoring -E
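Steps 2 and 3 above are a stop / copy / start sequence followed by a sqlcmd run, and the one thing the post does not show is how to confirm the shrink actually happened. The PowerShell below is an added example, not the post's own commands: it takes the instance name, service display name and data folder from the post, adds a before/after size check with `sp_spaceused`, and runs the downloaded script with `sqlcmd -i`. The `-i` invocation is an assumption, since the post's command is cut off, and the script and backup paths are assumed to be under `c:\windows\temp` as the post suggests.

```powershell
# Added example (not from the blog post): Step 2 and Step 3 as one script,
# with a size check before and after. Run from an elevated PowerShell.

$Instance   = "$env:COMPUTERNAME\SBSMonitoring"                                 # from the post
$DataDir    = 'C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Data'  # from the post
$ScriptPath = 'C:\windows\temp\updateSBSMonitoring.sql'                         # where the post suggests saving it
$BackupDir  = "C:\windows\temp\SBSMonitoring-backup-$(Get-Date -Format yyyyMMdd-HHmmss)"  # assumption

function Get-SBSMonitoringSize {
    # Reports database size and unallocated space via sp_spaceused so the
    # result of the shrink can be compared against the starting point.
    param([string]$Server = $Instance)
    sqlcmd -S $Server -E -d SBSMonitoring -Q 'EXEC sp_spaceused' -W
}

function Backup-SBSMonitoringFiles {
    # Step 2: stop the instance so the .mdf/.ldf files are closed and
    # consistent, copy the data folder, then start the instance again
    # even if the copy fails.
    param([string]$Source = $DataDir, [string]$Destination = $BackupDir)
    $svc = Get-Service -DisplayName 'SQL Server (SBSMONITORING)'
    # -Force also stops dependent services first, as the Services console prompts to do.
    Stop-Service -InputObject $svc -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
    try {
        New-Item -ItemType Directory -Path $Destination -Force | Out-Null
        Copy-Item -Path (Join-Path $Source '*') -Destination $Destination -Recurse -Force
    } finally {
        Start-Service -InputObject $svc
        $svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
    }
    return $Destination
}

function Invoke-SBSMonitoringFix {
    # Step 3: run the downloaded script against the SBSMonitoring instance.
    # Assumption: the post's truncated command continues with "-i <script>".
    param([string]$Server = $Instance, [string]$Script = $ScriptPath)
    if (-not (Test-Path $Script)) { throw "Script not found: $Script" }
    sqlcmd -S $Server -E -i $Script -b      # -b: non-zero exit code on a T-SQL error
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
}

Write-Host 'Before:'
Get-SBSMonitoringSize
$backup = Backup-SBSMonitoringFiles
Write-Host "Data files copied to $backup"
Invoke-SBSMonitoringFix
Write-Host 'After:'
Get-SBSMonitoringSize
```

Keep the copied `.mdf`/`.ldf` files until the SBS Console and the BPA have been checked; if the script misbehaves, stopping the instance and copying those files back is the recovery path the post's backup step is there for.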

Eaton LanSafe software may not find the controller

Today I was working on an Eaton 9125 UPS and setting up the software to cleanly shut down the server in case of a power outage. After installing the software, I noticed the Powerware LanSafe could not detect the controller.

Nothing found:

Taking a deeper dive to see what was going on, I cracked out my trusty NirSoft CurrPorts software to see the ports. I found out that LanSafe Power Monitor uses ports 3068 and 3069. Upon looking at the ports, I noticed Microsoft DNS was using port 3068. This would leave LanSafe Power Monitor unable to bind to that port since it was in use. What was tricky was that it still showed the service as running, which I would have expected to fail since it could not bind.

Here is how I fixed it. Since DNS randomly selects the ports it wishes to use, I stopped the Microsoft DNS service. I then restarted the LanSafe Power Monitor services and checked to ensure it was bound to ports 3068 and 3069. I then restarted the DNS service and ensured it didn’t bind to port 3068 as it was before. Now launching LanSafe, I am able to see the server and am able to log in to manage my UPS device.
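The post does the port lookup with CurrPorts and the fix by hand in the Services console. The PowerShell below is an added example, not the author's, that does the same two things scriptably on a Windows Server 2008 box (which has no `Get-NetTCPConnection`): it parses `netstat -ano` to find which process owns ports 3068 and 3069, then applies the fix in the post's order (stop DNS, restart LanSafe, start DNS) and verifies that the DNS process no longer holds either port. The `netstat` sample lines are constructed; the `*LanSafe*` service display-name pattern is an assumption, as the post does not give the service names.

```powershell
# Added example (not from the blog post): port-owner lookup via netstat -ano,
# then the post's restart sequence with a verification step.

function ConvertFrom-NetstatLine {
    # Parses one "netstat -ano" row. TCP rows carry a state column
    # ("LISTENING"), UDP rows do not; both end with the owning PID.
    param([string]$Line)
    $pattern = '^\s*(?<proto>TCP|UDP)\s+(?<local>\S+):(?<port>\d+)\s+(?<remote>\S+)(\s+(?<state>[A-Z_]+))?\s+(?<pid>\d+)\s*$'
    $m = [regex]::Match($Line, $pattern)
    if (-not $m.Success) { return $null }
    New-Object PSObject -Property @{
        Protocol  = $m.Groups['proto'].Value
        Address   = $m.Groups['local'].Value
        Port      = [int]$m.Groups['port'].Value
        State     = $m.Groups['state'].Value
        ProcessId = [int]$m.Groups['pid'].Value
    }
}

function Get-PortOwner {
    # Returns the rows for the requested local ports, each tagged with the
    # owning process name (or '?' if the PID no longer exists).
    param([int[]]$Port, [string[]]$NetstatOutput = (netstat -ano))
    foreach ($line in $NetstatOutput) {
        $c = ConvertFrom-NetstatLine $line
        if ($c -and ($Port -contains $c.Port)) {
            $p = Get-Process -Id $c.ProcessId -ErrorAction SilentlyContinue
            $name = if ($p) { $p.ProcessName } else { '?' }
            $c | Add-Member -MemberType NoteProperty -Name ProcessName -Value $name -PassThru
        }
    }
}

# Constructed netstat output mirroring the post's situation: the same PID that
# listens on 53 (DNS) has also taken UDP 3068, so LanSafe only gets 3069.
$sampleNetstat = @(
    '  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       1532',
    '  UDP    0.0.0.0:3068           *:*                                    1532',
    '  UDP    0.0.0.0:3069           *:*                                    2408'
)
Get-PortOwner -Port 3068, 3069 -NetstatOutput $sampleNetstat |
    Format-Table Protocol, Port, ProcessId, ProcessName -AutoSize

function Repair-LanSafeBinding {
    # The post's fix, in the post's order. Returns $true when dns.exe owns
    # neither LanSafe port after everything is back up.
    param([int[]]$Port = @(3068, 3069))
    $dns     = Get-Service -Name DNS                  # Microsoft DNS Server service
    $lansafe = Get-Service -DisplayName '*LanSafe*'   # assumption: LanSafe service name pattern
    if (-not $lansafe) { throw 'No service matching *LanSafe* found; adjust the pattern.' }

    Stop-Service -InputObject $dns -Force
    $dns.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(1))
    $lansafe | Restart-Service -Force                # LanSafe now binds 3068/3069 freely
    Start-Sleep -Seconds 5
    Start-Service -InputObject $dns                  # DNS picks its ports from what is left
    $dns.WaitForStatus('Running', [TimeSpan]::FromMinutes(1))

    $after    = @(Get-PortOwner -Port $Port)
    $conflict = @($after | Where-Object { $_.ProcessName -eq 'dns' })
    $after | Format-Table Protocol, Port, ProcessId, ProcessName -AutoSize
    return ($conflict.Count -eq 0)
}

# Repair-LanSafeBinding   # run elevated on the affected server
```

Because the DNS Server service draws its source ports from a random pool each time it starts, the restart ordering is a workaround that can be undone by the next reboot if DNS comes up before LanSafe; re-running `Get-PortOwner -Port 3068, 3069` after a reboot is the quick way to tell. On servers whose DNS Server supports the socket pool, excluding the LanSafe ports from that pool (`dnscmd /Config /SocketPoolExcludedPortRanges 3068-3069`) removes the race rather than winning it once.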