I am always thankful for reader tips. In my how-to article where I explained how to install Microsoft Safety Scanner on Windows PE, I got a tip that Microsoft is offering another free standalone antivirus software, Microsoft Standalone System Sweeper. The tool is only in beta, but it appears to work well.

Microsoft Standalone System Sweeper

What I like about Standalone System Sweeper is that creating boot media is very simple and quick. Most antivirus vendors who offer standalone antivirus tools (for instance, Kaspersky Rescue Disk) bother their users with step-by-step instructions. You don’t need such instructions with Standalone System Sweeper. The installation wizard can create a bootable CD, USB stick, or ISO file for you.

Standalone System Sweeper boots up Windows PE, but you have no access to the command prompt. The functionality is comparable to Microsoft Safety Scanner and supports quick scans, full scans, and custom scans. Since custom scans don’t work with Microsoft Safety Scanner under Windows PE, Standalone System Sweeper is the better choice if you want to perform an offline scan on specific drives and folders.

Standalone System Sweeper also allows you to exclude specific folders and file types. You can find the corresponding settings under Options in the Tools menu. There, you can also configure whether the standalone antivirus tool scans archive files (for instance, ZIP and CAB), email attachments, and removable drives. You can also specify whether heuristics are used to identify malware.

Microsoft Standalone System Sweeper – Advanced Options

The Tools menu lets you access quarantined items and allowed items (files that won’t be scanned). You can also choose whether to share information about malicious software with Microsoft’s online community SpyNet. Also useful is the History feature, which allows you to view previous actions of Standalone System Sweeper.

A downside of Standalone System Sweeper compared to Microsoft Safety Scanner is that you can’t just run it from your USB rescue stick. Whenever I have to troubleshoot a PC in offline mode, I scan for malware first, just to be sure. Thus, it is useful to have an antivirus tool in your rescue environment. With Standalone System Sweeper, you need a second boot media and you have to boot up two times to troubleshoot a PC.

A major disadvantage compared to other free standalone antivirus tools (like Kaspersky Rescue Disk) is that Standalone System Sweeper doesn’t support online updates. Hence, you have to create new boot media whenever new antivirus definitions are available. On the other hand, a plus of Standalone System Sweeper certainly is its nice and easy-to-use interface.

Microsoft Standalone System Sweeper – 32-bit vs. 64-bit

Note that a 32-bit and a 64-bit version of Standalone System Sweeper exist. You can only scan 32-bit Windows editions with the 32-bit version of Standalone System Sweeper, and you need the 64-bit version for 64-bit systems.

Microsoft Standalone System Sweeper

• FREE: Kaspersky Rescue Disk – Offline antivirus tool (2)
• Forefront Endpoint Protection (FEP) 2012 – Part 2: Deployment and configuration (3)
• Offline Antivirus – How to run Microsoft Safety Scanner on Windows PE 3.0 (5)
• Forefront Endpoint Protection 2012 – Part 1: Installation on Configuration Manager 2012 (1)
• FREE: Microsoft Safety Scanner – Portable antivirus program (9)

After my review of Microsoft Safety Scanner, readers have recommended to look at Kaspersky Rescue Disk. The offline antivirus tool can be launched from a boot CD or a bootable USB stick.

Kaspersky Rescue Disk – Graphical User Interface

As with most offline antivirus tools, Kaspersky Rescue Disk boots up Linux. Of course, you can also scan the NTFS and FAT partitions of a Windows installation. Nevertheless, the disadvantage of Linux as the base operating system is that you might run into driver issues. I wasn’t able to try the graphical user interface of Kaspersky Rescue Disk because left clicks with my mouse didn’t work. However, Kaspersky’s text-based Rescue Disk worked fine.

After Linux informs you about every tiny bit that has been loaded, Kaspersky launches Midnight Commander, a Norton Commander clone. If you were an admin in the good old DOS times, I am sure you still remember the important shortcut keys: the function keys F1-F9 are for various file manipulation tasks; CTRL + I lets you switch between the left and the right pane; CTRL + O removes the Midnight Commander panel and gives you full access to the Linux command shell.

Kasperksy Rescue Disk – Text mode

If you are a Linux geek, you will like that because this allows you to repair a Windows installation with Linux command line tools. To edit files you can use the text editor nano. The drives of the host system are mounted under /discs. Of course, you can also use Midnight Commander to copy, delete, and edit files.

And yes, you can scan for viruses with the Kaspersky Rescue Disk as well. The command folder has some shell scripts that allow you to scan all files in a specified drive, scan all objects that can be infected by virus (executables), scan all startup objects, or scan disk boot sectors. The offline antivirus tool also supports online updates.

If you want to scan only specific files or folders, you have to run kav.exe on the command shell. The command “kav.exe /?” displays information about how to use the antivirus tool, and “kav.exe scan /?” shows all the options you have when scanning for viruses. For instance, you can choose whether Kaspersky should delete infected files or try to disinfect them.

Kaspersky Rescue Disk

• FREE: Microsoft Standalone System Sweeper – Standalone antivirus software (0)
• Forefront Endpoint Protection (FEP) 2012 – Part 2: Deployment and configuration (3)
• Offline Antivirus – How to run Microsoft Safety Scanner on Windows PE 3.0 (5)
• Forefront Endpoint Protection 2012 – Part 1: Installation on Configuration Manager 2012 (1)
• FREE: Microsoft Safety Scanner – Portable antivirus program (9)

In Part 1, we installed FEP 2012 on the SCCM 2012 server. Now, it’s time to see what changes have been made to the SCCM environment so that we can deploy and configure the FEP environment.

The FEP installation makes a number of changes and additions to the SCCM console. In no particular order they are:

• Software Library – Packages – FEP Deployment
• Software Library – Packages – FEP Operations
• Software Library – Packages – FEP Policies
• Monitoring – Reporting – Report – Forefront Endpoint Protection (10 new reports)
• Monitoring – FEP Status
• Assets and Compliance – Device Collections – FEP Collections (24 new collections)
• Assets and Compliance – Compliance Settings – Configuration Items (24 new items)
• Assets and Compliance – Compliance Settings – Baselines (8 new baselines)
• Assets and Compliance – FEP Policies

Deployment

To get the FEP client out and installed in your SCCM environment, the first stop is to the FEP Deployment packages in the Software Library, and the Program we’re interested in is “Install”.

The FEP 2012 server installation automatically creates programs for deployment

By default this package can’t be integrated into as OSD task sequence because it’s configured to run only when a user is logged on. To change this (without impacting any other functionality):

1. Right-click the “Install” program and select Properties
2. Go to the Environment tab
3. Change the “Program can run” value to “Whether or not a user is logged on” from the dropdown list
4. Hit Apply and OK

Modify the FEP 2012 install program to support SCCM OSD

Now, to deploy the FEP 2012 client via an OSD task sequence, simple edit the task sequence and select Add – General – Install Package. Then select the “Microsoft Corporation FEP – Deployment 1.0” package and the “Install” program. Position the step somewhere near the end of the sequence, and then hit Apply and OK to save the changes. FEP 2012 will now be installed on all new installation of this OSD task sequence.

Create an OSD step to deploy FEP as a base SOE application

To deploy FEP outside of an OSD task sequence, simply create a new deployment for the “Install” program. To do this:

1. Right-click on “Install” and select “Deploy”
2. Select an appropriate collection and Distribution Point
3. Choose the deployment priority
4. Choose an appropriate deployment schedule
5. Finalize the wizard

By default, the installation program does not display a UI, so your users won’t be confronted with popup windows, thus sparking frantic calls to the helpdesk.

Configuration

Now that FEP 2012 is installed, how does it behave and how do you control it?

FEP functionality works via workstation collection membership – default policies are deployed via the Software Library to collections whose membership is kept up-to-date dynamically via SCCM discovery methods. Admins don’t actually need to do anything to ensure that FEP is deployed and updated correctly, as there’s enough default functionality in the system to guarantee that this happens automatically. Here’s how the process works:

1. Using OSD or a standalone deployment, the FEP 2012 client is distributed to workstations and/or servers
2. Using a WQL query, two device collections dynamically update membership based on FEP installations. These collections are:
   1. Desktops Deployed with FEP
   2. Servers Deployed with FEP
3. Using cscript.exe, default FEP policies are deployed via the Software Library as programs. These deployments are automatically set up during the FEP 2012 server installation so they’re ready to go from the outset.
   1. “Default Desktop Policy” is deployed to “Desktops Deployed with FEP”
   2. Default Server Policy” is deployed to “Server Deployed with FEP”

The default policies are located at Assets and Compliance – FEP Policies, and handle every aspect of FEP client functionality, including definition and client updates.

Default FEP policies centrally control every aspect of the client

By default, the client is directed to look at WSUS and Windows Update for updates, so as long as the workstation or server has access to either a WSUS server or the internet, the FEP client won’t be allowed to be deployed without also being fully up-to-date.

Now that FEP is deployed and functional, watch out for Part Three where we’ll look at how you can actively ensure that your fleet stays updated and protected.

• FREE: Microsoft Standalone System Sweeper – Standalone antivirus software (0)
• FREE: Kaspersky Rescue Disk – Offline antivirus tool (2)
• Offline Antivirus – How to run Microsoft Safety Scanner on Windows PE 3.0 (5)
• Forefront Endpoint Protection 2012 – Part 1: Installation on Configuration Manager 2012 (1)
• FREE: Microsoft Safety Scanner – Portable antivirus program (9)

A while back, I reviewed Safety Scanner, Microsoft’s free portable antivirus software. My major complaint was that it was not possible to use Safety Scanner as an offline antivirus tool on Windows PE 3.0. Fortunately, a 4sysops reader, mentioned that you only have to increase the scratch space of the Windows PE image to make Safety Scanner run. Note that only the quick scan and full scan features work on Windows PE. Customized scans are not possible because you can’t select folders under Windows PE.

Microsoft Safety Scanner as offline antivirus tool on Windows PE 3.0

The fact that the Microsoft Safety Scanner runs on Windows PE makes the free antivirus tool much more useful because it allows you to scan a Windows installation while it is offline. Sophisticated viruses are difficult, and sometimes impossible to remove while Windows is running and the best way to remove them is to access the infected drive from a second OS while Windows is offline.

Windows PE is a good choice for an offline antivirus scan because the operating system is lightweight and boots up quickly. Many antivirus software vendors offer boot kits with their scan engines, which are usually based on Linux. The advantage of the Windows PE solution is that you can add Microsoft Safety Scanner to your Windows administration toolbox on your USB stick.

Of course, you can also create a boot CD with Windows PE and Microsoft Safety Scanner. I describe both options. I assume that you already downloaded and installed the WAIK for Windows 7 and the Microsoft Safety Scanner. Note that you need the 32-bit version of Safety Scanner even if you want to scan a 64-bit Windows, because in the scenario described here we will run the antivirus tool on Windows PE, which is 32-bit.

After you launch the WAIK command prompt from the Windows Start Menu with administrator privileges, you have to run this command sequence:

Create a boot CD with Windows PE and Microsoft Safety Scanner

1. copype.cmd x86 c:\img
2. dism /mount-wim /wimfile:c:\img\winpe.wim /index:1 /mountdir:c:\img\mount
3. dism /image:c:\img\mount /set-scratchspace:512
4. copy msert.exe c:\img\mount\windows\system32 Note: You have to change to the folder where you downloaded Safety Scanner, or use Windows Explorer to copy msert.exe to the mounted Windows PE image.
5. dism /unmount-wim /mountdir:c:\img\mount /commit
6. copy c:\img\winpe.wim c:\img\iso\sources\boot.wim
7. oscdimg -n -bc:\img\etfsboot.com c:\img\iso c:\img\img.iso

Windows PE 3.0 – Set scratchspace

In Windows 7, you can then just right-click img.iso and burn the ISO image to a CD or DVD. For older Windows versions, you can use ISO recorder.

Create a bootable USB stick with WinPE and Microsoft Safety Scanner

1. diskpart
2. list disk
3. select disk # Replace ‘#’ with the drive number that the list command displays for your USB drive. Be careful because this procedure will erase the whole drive!
4. clean
5. create partition primary
6. select partition 1
7. active
8. format quick fs=fat32
9. assign
10. exit
11. copype.cmd x86 c:\img
12. dism /mount-wim /wimfile:c:\img\winpe.wim /index:1 /mountdir:c:\img\mount
13. dism /image:c:\img\mount /set-scratchspace:512
14. copy msert.exe c:\img\mount\windows\system32 Note: You have to change to the folder where you downloaded Safety Scanner, or use Windows Explorer to copy msert.exe to the mounted Windows PE image.
15. dism /unmount-wim /mountdir:c:\img\mount /commit
16. copy c:\img\winpe.wim c:\img\iso\sources\boot.wim
17. xcopy c:\img\iso\*.* /e g:\ Note: “g:” is the drive letter of your flash drive

Also check the offline antivirus tool Kaspersky Rescue Disk.

• FREE: Microsoft Standalone System Sweeper – Standalone antivirus software (0)
• FREE: Kaspersky Rescue Disk – Offline antivirus tool (2)
• Forefront Endpoint Protection (FEP) 2012 – Part 2: Deployment and configuration (3)
• Forefront Endpoint Protection 2012 – Part 1: Installation on Configuration Manager 2012 (1)
• FREE: Microsoft Safety Scanner – Portable antivirus program (9)

With the move away from Forefront Client Security to Forefront Endpoint Protection, Microsoft did away with the MOM backend and instead made use of the infrastructure available to System Center Configuration Manager to install, manage and deploy FEP.

In spite of the similarities of the underlying infrastructure between SCCM 2007 and SCCM 2012, FEP 2010 does not integrate with SCCM 2012 because one of the installation prerequisites is the presence of the SCCM 2007 administrative console. From discussions with product experts within Microsoft, it seems that FEP 2010 will not be updated to install on SCCM 2012, so FEP 2012 (which is in beta at the time of writing) will be the first enterprise AV product from Microsoft which will integrate fully with SCCM 2012.

Installing Forefront Endpoint Protection 2012

Forefront Endpoint Protection 2012 is currently in beta and can be downloaded directly from Microsoft.

To install FEP 2012, you’ll need to have SCCM 2012 installed and configured. In addition, the SQL server which is acting as the SCCM site database server must also have installed/enabled:

• .NET Framework 4.0 on both the SCCM and SQL servers
• Microsoft IIS (default role properties)
• Microsoft SQL Analysis services
• Microsoft SQL Reporting services
• Reporting services point site system role installed on the SQL server via the SCCM 2012 console

Additionally, the IIS server needs an appropriate certificate to run SSL on port 443, so that the reporting services URL and the SQL TCP connection can be secured.

This installation was run in a lab environment running on Hyper-V.

From the SCCM server, run the serversetup.exe from the folder which relates to the appropriate operating system type (ie: 32-bit or 64-bit), then fill in the identification information:

Forefront Endpoint Protection 2012 Installation – Name and Organization

Then, be incredibly conscientious and read the EULA (or not):

Forefront Endpoint Protection 2012 Installation – EULA

Next, choose the installation type. The “Basic topology” option installs everything you’ll need for a full FEP environment, including server and console extensions as well as reporting services and reports. Additionally, this installation makes use of the existing SCCM environment to target the right servers (eg: SQL server). There may be times when you would want to target different SQL servers or perform a fully customised installation, but for our lab purposes the “Basic topology” option is sufficient.

Forefront Endpoint Protection 2012 – Installation Options

Next, make sure that the SQL Reporting Server URL is correct, and select an account with sufficient access to run reports. In the lab environment I used a domain admin account which isn’t recommended in an enterprise environment.

Caption: FEP 2012 Installation – SQL report execution account

It’s worth ensuring that the system is using Windows Update to automatically keep FEP 2012 up-to-date (the FEP 2012 client will also be installed on the system as part of the installation) and joining the Customer Experience Improvement Program (CEIP) is always worth it – Microsoft does actually receive the information and uses the metrics to improve current and future products.

Forefront Endpoint Protection Installation – Updates and Customer Experience Options

For the same reason, it’s worth signing up to Microsoft SpyNet:

Forefront Endpoint Protection Installation – SpyNet Configuration Policy

Before commencing the installation, serversetup.exe will run through all the prerequisites and verify that the environment is correct. If any check fails, the issue as well as the documented fix will be displayed in the console. At this point you can remediate the issue and simply re-run the checker – you don’t need to start the installation process over again.

Forefront Endpoint Protection Installation – Prerequisite Verification

Once all the prerequisites are met, installation starts.

Forefront Endpoint Protection Installation – Installation

Once complete, you’ll now have FEP 2012 functionality integrated into the SCCM 2012 console. In the Monitoring → FEP Status screen you get an overview of the health of your organization, in Reporting there is now a Forefront Endpoint Protection folder with pre-defined reports, and in Software Library the FEP 2012 client is available for deployment.

Forefront Endpoint Protection Installation- Configuration Manager Integration

In Part Two we will look at deploying the FEP client, enforcing compliance in your organization and reporting on the health of your workstations.

• SCOM 2012 review – Part 8: Dashboards (0)
• SCOM 2012 review – Part 7: Linux and JEE monitoring (4)
• SCOM 2012 review – Part 6: Application Performance Monitoring (APM) (1)
• SCOM 2012 review – Part 5: Network Monitoring (0)
• SCOM 2012 review – Part 4: Infrastructure improvements (0)

The Microsoft Safety Scanner was just released a few days ago. The free portable antivirus tool only comes as a simple EXE file and is available as a 32-bit and 64-bit version. The EXE file contains all the virus signatures.

A portable antivirus program is useful whenever you want to scan a PC that lacks antivirus software. If you don’t have a Microsoft antivirus scan engine installed (Microsoft Security Essentials or Forefront), you can use the Safety Scanner if you need a second opinion.

Safety Scanner offers three scanning options: quick, full, and customized. Quick scan searches in “areas of the system most likely to contain viruses, spyware, and other potentially unwanted software.” It is unclear where these “areas” are. Therefore, I wouldn’t use this option because an antivirus scan only makes sense if you are more or less certain afterwards that the system is clean. The customized option is useful if you already suspect that a virus has infected a certain folder. In most cases, a full scan is the best option.

Safety Scanner has three major downsides. The antivirus patterns can’t be updated, the tool can only be used for 10 days after the download, and it doesn’t run on Windows PE.

I have been searching for quite a while for a portable antivirus program that runs on Windows PE. When I tried to start Safety Scanner on Windows PE 3.0, the anti-malware tool quit with an enlightening message “An error has occurred.” Some viruses can only be removed in offline mode. Thus, it is somewhat disappointing that Safety Scanner does not run on Windows PE.

Online updates are probably not supported because the Safety Scanner only consists of a single EXE file. However, technically, it would be possible to modify those parts of the EXE. Thus I hope that Microsoft adds this feature in a future version.

The 10-day restriction is probably related to the fact that Safety Scanner can’t be updated. This makes sense from a security point of view, but this means that you have to download the 70MB file every time you want to use the tool. This reduces the usability of Safety Scanner significantly.

Please let me know if you know of a portable antivirus program that works on Windows PE.

Microsoft Safety Scanner

• FREE: PhoneFactor – Mobile phone based two-factor authentication (1)
• How to disable USB drive use in an Active Directory domain (0)
• Service Account best practices – Part 2: Least Privilege implementation (0)
• Four fast ways to improve security in SQL Server 2008 R2 (12)
• Managed Service Accounts in Windows Server 2008 R2 (7)

The best security solutions are layered ones, taking a defense in depth approach so that there is no single layer between vital information resources and disaster. Nowhere can this be more critical than in protecting your Exchange infrastructure from malware attacks. In this post we will go over the seven key layers you should have in your game plan.

1. Consider a cloud solution as the first line of defense

The right place to stop malware (and spam) is as far away from your systems as possible. Using a solid SaaS solution is a great way to filter out malware and spam before it ever gets to your perimeter. This saves you on bandwidth, CPU cycles, and storage space and can reduce the number of threats crossing your border by an order of magnitude.

2. Deploy a packet filtering firewall with intrusion prevention at the perimeter

This firewall should be able to recognise protocol level attacks and shun source addresses.

3. Use the Edge Transport Server role The Edge Transport Server role is specifically designed to filter messages while they are still in your DMZ using anti-spam and antimalware agents. If something does get through, the inner firewall is still in place to protect your internal systems from threats. Use an antimalware product designed to work on the Edge Transport role and to scan messages with multiple engines.

4. Deploy that inner firewall. Whether this is a separate physical firewall, or another VLAN of a three-legged deployment, this firewall not only protects your internal systems from threats, but should prevent outbound SMTP from anything other than your Exchange infrastructure. That way, any malware that tries to send SMTP messages will be blocked, and detected.

5. Implement antimalware on the Hub Transport Server The Hub Transport Server role can also perform antimalware and anti-spam screening. Personally, I like to have one pair of antivirus engines running on the Edge Transport server, and a different pair on the Hub Transport, so that messages are scanned by four different engines overall.

6. Don’t forget the Mailbox server Messages passed between mailboxes on the same Mailbox Server won’t pass through a Hub Transport server. Make sure messages are being scanned on the Mailbox Server.

7. Use a comprehensive antimalware suite on your clients You want to make sure that your antimalware solution includes protection for Outlook as a last line of defense. It also helps to protect from any personal email accounts that your users might setup their Outlook client to access, if they have administrative rights.

As with all of your other servers, make sure you are also running antivirus on the operating system of each of your Exchange servers to protect the server itself. This is a critical step that cannot be skipped, to ensure that your Exchange servers are protected from threats that are not originating from email. Remember, your Exchange servers are still Windows servers, with all of the services and administrative shares that all your other servers have. Keep in mind that client antimalware can interfere with Exchange if it is not properly configured. Make sure to follow Microsoft’s recommendations on exempting key directories and processes of Exchange to avoid any problems.

There are a lot of layers that need to be protected, but there are a lot of layers in an Exchange infrastructure, and each is just as important as any other. Covering all your bases is the best way to minimize your risks, and maximize your defenses.

Additional reading:

• Top 10 Security Predictions For 2011
• File-Level Antivirus Scanning on Exchange 2010
• A Patch Management Strategy for Your Network
• Evolution of Defense in depth

This guest post was provided by Ed Fisher on behalf of GFI Software, a software developer that produces network and messaging security solutions for SMBs. Information about GFI email security for Exchange Server/SMTP/Lotus solution

• Troubleshooting Exchange eDiscovery: Errors due to lack of Full Access permission (0)
• Troubleshoot Exchange eDiscovery: This mailbox exceeded the maximum number of corrupted items (0)
• Exchange ActiveSync Mailbox Policies and Exchange Remote Wipe (1)
• How to change the allowable message size in Exchange 2010 (0)
• eDiscovery in Exchange – Part 5: Export and search (0)

This free portable antivirus tool can also be helpful if you need a “second opinion” about a virus. You probably know that it is usually not a good idea to install two different antivirus programs on the same PC. These tools are often deeply integrated into Windows and don’t like it if a rival patrols in their territory. However, as a standalone application ClamWin doesn’t have to be installed and therefore it is no problem to run it on a PC where another antivirus application is installed.

After you download the ClamWin executable you will wonder why you have to install a portable application. I wondered too. However, the setup program only extracts ClamWin’s file to a folder of your choice. You can then copy this folder to your USB stick. It is no problem to run the program from a different drive letter or directory because it uses relative paths. Before you copy ClamWin, you might want to update its antivirus signatures through its Tools menu.

This free portable antivirus software has all the essential features such a program needs. It allows you to scan individual drives or folders. It can report infections and quarantine or disinfect infected files. The tool also allows you to include or exclude certain file types.

ClamWin has no onaccess scanner like most antimalware tools. Such a feature is not feasible for a standalone antivirus tool. Hence ClamWin can’t replace your current antivirus tool. If you need free malware protection I recommend Microsoft Security Essentials.

I have tested ClamWin 0.95.3 on Windows 7. I can’t tell you how well ClamWin’s protection works, but it probably can’t compete with commercial solutions. However, since the tool is only for additional malware protection, this shouldn’t prevent you from using it.

Unfortunately, ClamWin doesn’t work on Windows PE 3.0. In my test I could launch the tool, but when I tried to scan a drive I got this error message: “Error: Broken or not a CVD file.” It appears the tool can’t find its antivirus database under Windows PE. This is a pity because scanning an infected PC from a clean Windows PE installation could be very helpful with intractable infections.

Please tell me if you know a solution to this problem or if you’re aware of another free portable antivirus solution that works on Windows PE.

ClamWin

• FREE: Microsoft Standalone System Sweeper – Standalone antivirus software (0)
• FREE: Kaspersky Rescue Disk – Offline antivirus tool (2)
• Forefront Endpoint Protection (FEP) 2012 – Part 2: Deployment and configuration (3)
• Offline Antivirus – How to run Microsoft Safety Scanner on Windows PE 3.0 (5)
• Forefront Endpoint Protection 2012 – Part 1: Installation on Configuration Manager 2012 (1)

Windows Live One Care

One Care was not really a success. Its market share was only 2%, which is a little embarrassing for a giant like Microsoft. I suppose some security software vendors heaved a sigh of relief when they realized that OneCare was no real competitor for their antivirus tools. I guess the trembling starts again now. It is one thing if small companies such as AVG or Avira offer a free anti-malware tool, but a completely different matter if the Windows maker himself comes out with a free tool. Moreover, the free version will Microsoft help to improve the detection rate of the Forefront products

Microsoft Security Essentials features

On the other hand, can a 4.7 MB download (3.7 MB for x64) really be a serious threat? I think it can. First of all, Security Essentials indeed has all of the essential features that an antivirus software requires. It supports real-time scans, automatic signature updates, full and partial scans, and scheduled scans. In addition, it can quarantine or remove malware based on the severity level and it allows you to exclude folders, file types, and processes. Other free antivirus tools have more to offer, but, in my view, most of their features are superfluous anyway. Actually, reliable on-access scanning is the only feature that really matters.

Microsoft Security Essentials detection rate

However, the features of the scan engine and the user interface are not decisive for an antivirus product. The most difficult part certainly is to deliver the virus & spyware definitions against the latest threats before the competitors do. Virus and rootkit analysis is a tough business and you need an armada of experts for it. When Microsoft entered the antimalware business, the detection performance of their scan engines was lousy. But they improved steadily and, according to AV Comparatives, Microsoft’s detection rate is now second only to AVIRA and the false positive rate is the lowest of all 16 tested antimalware products. (Why doesn’t UAC have a comparably low false-positive rate?) First tests with Microsoft Security Essentials have already shown that it also performs quite well. Of course, it was only a matter of time until Redmond caught up with the specialists in this field. There is no doubt that Microsoft has the resources to build up a mighty strike force against Internet terrorism.

Mandatory Microsoft SpyNet membership

I have only one complaint about Security Essentials. This is the mandatory membership in Microsoft SpyNet. You can chose between basic and advanced membership. Basic membership means that Security Essentials will send information about software it detects to Microsoft. This can be where the software came from, the actions that were applied, and if they were successful or not. Advanced membership will send additional information such as the location of the software, file names, how the software operates, and how it impacted your computer.

What many will find disturbing is this sentence that applies to both options:

In some instances, personal information might unintentionally be sent to Microsoft; however, Microsoft will not use this information to identify you, or to contact you.

I am quite sure that this obligatory “membership” will be the main obstacle for Security Essentials to gain acceptance in this market that has so many competitors. Of course, the information that Microsoft acquires in this way is very helpful for the creation of better malware signatures. Unfortunately, I suppose that there are not many out there who like their personal information to be sent to people they have never met, be it intentionally or unintentionally. The solution to this problem would be to display information before it is sent and then let the user decide from case to case whether it should be sent to Microsoft or not. At least Microsoft is fair enough to describe Security Essentials’ behavior in detail. So it is up to you if you install the free software or not. I did.

• FREE: PhoneFactor – Mobile phone based two-factor authentication (1)
• How to disable USB drive use in an Active Directory domain (0)
• Service Account best practices – Part 2: Least Privilege implementation (0)
• Four fast ways to improve security in SQL Server 2008 R2 (12)
• Managed Service Accounts in Windows Server 2008 R2 (7)

One reader uploaded GiPo@FileUtilities to Virustotal to clarify things. I must admit I didn’t know about this useful free service, so perhaps you don’t know about it either. Virustotal uses 38 different malware scan engines to analyze the files you send them. There are many well-known brands among these such as Trend Micro, Symantec, F-Secure, or Sophos.

Virustotal only requires a few seconds to analyze a suspicious file. It then presents a list of the outputs of each scan engine. I was somewhat surprised that 50% of the antivirus tools identified a Trojan inside the GiPo@FileUtilities installation file. They don’t all detect the same Trojan, although at least they use different names. It is possible that a virus tool kit was used to compile the setup file.

On the other hand, the GiPo@FileUtilities perform file system manipulations that are typical for malware. Hence, I was still not convinced that this was not a false positive. In the same article Petr mentioned that the antivirus software vendor EST identified it as a false positive, even though Virustotal reports that their scan engine NOD32 also classified GiPo@FileUtilities as suspicious.

This just reaffirms my view that heuristics in antivirus software are quite unreliable. Therefore, I recommend using the Virustotal service if your AV software detected a virus in your network using its heuristics algorithms. However, this case demonstrates that even if several different scan engines claim to have detected a virus, you can’t be really sure. If you are uncertain if your network really has been infected, you should send the suspicious files to your antivirus software vendor.

Virustotal

• FREE: PhoneFactor – Mobile phone based two-factor authentication (1)
• How to disable USB drive use in an Active Directory domain (0)
• Service Account best practices – Part 2: Least Privilege implementation (0)
• Four fast ways to improve security in SQL Server 2008 R2 (12)
• Managed Service Accounts in Windows Server 2008 R2 (7)

I blogged about the bad detection rate of Microsoft’s antivirus solutions (Onecare and Forefront) in March this year. Microsoft OneCare was the only AV solution that failed AV Comparatives’ test. In June Microsoft OneCare already improved a little and went up to rank #14 out of 17.

I think this development is remarkable. It shows that Microsoft is serious about fighting against this plague that only affects Windows users. It is certainly quite embarrassing for the major AV players not to detect some outdated viruses. However, one should always be cautious from reading too much into such tests. It is much more important how fast an AV team reacts to new threats. I doubt that Microsoft is already able to compete with the specialists here.

I am still considering giving Microsoft’s AV solution a chance even though my first impression of Forefront was not really positive. As an educational institution, we get Microsoft software for a reasonable price. Thus their software is always an option for us.

• FREE: Microsoft Standalone System Sweeper – Standalone antivirus software (0)
• FREE: Kaspersky Rescue Disk – Offline antivirus tool (2)
• Forefront Endpoint Protection (FEP) 2012 – Part 2: Deployment and configuration (3)
• Offline Antivirus – How to run Microsoft Safety Scanner on Windows PE 3.0 (5)
• Forefront Endpoint Protection 2012 – Part 1: Installation on Configuration Manager 2012 (1)

At first glance, Microsoft’s Malware Protection Center made a good impression on me. I searched for a couple of viruses I know and always found the information I was looking for. However, I am not a virus expert. What I like is that they list the various names given by different AV vendors to a certain virus.

My favorite malware database is still Trend Micro’s Virus Encyclopedia, though. It allows you to restrict your search to effect, malware type, infection channel, and the vulnerability used. For example, you could search for a virus that formats the hard disk and propagates via flash drives.

I think it is a good idea to bookmark several virus databases. If your network is infected by a new virus, your antivirus software vendor might not have analyzed this new threat yet. Then you will be thankful if someone else can provide information to solve your problem. What is your favorite malware database?

• FREE: Microsoft Standalone System Sweeper – Standalone antivirus software (0)
• FREE: Kaspersky Rescue Disk – Offline antivirus tool (2)
• Forefront Endpoint Protection (FEP) 2012 – Part 2: Deployment and configuration (3)
• Offline Antivirus – How to run Microsoft Safety Scanner on Windows PE 3.0 (5)
• Forefront Endpoint Protection 2012 – Part 1: Installation on Configuration Manager 2012 (1)

This new test focused on new malware threats that appeared during the last three months. They found about 20,000 new viruses and worms. Can you believe that? This number illustrates how difficult the anti-malware business is. Some years ago, a friend who works for Trend Micro told me that they have about 200 people analyzing new computer viruses 24 hours a day. I guess they have even more now.

Of course, you need specialists for this kind of job. Therefore, I wouldn’t expect that Microsoft will be able to catch up with the leading AV vendors in the near future. It will simply take some time until they can build up the necessary infrastructure. Based on the impressions that others had with Forefront Client Security, it probably doesn’t make sense to have a closer look at Microsoft’s new AV software for desktop computers now.

• FREE: Microsoft Standalone System Sweeper – Standalone antivirus software (0)
• FREE: Kaspersky Rescue Disk – Offline antivirus tool (2)
• Forefront Endpoint Protection (FEP) 2012 – Part 2: Deployment and configuration (3)
• Offline Antivirus – How to run Microsoft Safety Scanner on Windows PE 3.0 (5)
• Forefront Endpoint Protection 2012 – Part 1: Installation on Configuration Manager 2012 (1)

Well, I realized quickly that it isn’t really possible. Whenever MS comes out with a new product it is not a big deal to test it, because the first version is usually a rather simple tool. This doesn’t seem to be the case with FSC.

Actually, after reading about the requirements I had to give up my original plan to install it in a test environment now. If you want to try all its components, you have to install several other Microsoft products first: .NET Framework 2.0, Group Policy Management Console (GPMC) with SP1, Microsoft Management Console (MMC) 3.0, SQL Server 2005 with SP1 (including Database Services, Integration Services, Reporting Services, and Workstation components), Internet Information Services (IIS) 6.0 and ASP.NET, and Windows Server Update Services (WSUS) 2.0 with SP1.

Usually, it is not too difficult to install these programs. However, it takes quite some time until you got them all working. Unfortunately, neither the setup procedure nor the documentation provides the links where you can download them. This reminds me on my post about Server Manager of Windows Server 2008.

I wonder if Microsoft will use it in the future to simplify the installation of all its server products and not just for the Windows components. If you ever worked with YaST in SuSE Linux, you know how convenient it is to just select the software you want to install and let YaST collect all other components for you. It seems as if Microsoft was left behind by Linux in respect to ease-of-use of backend installations.

Beside the fact that you have to invest a lot of time to install all the requirements, FSC seems to be a rather complex product. At least this was my impression when I skimmed over its documentation. FSC itself consists of five different components: Management Server, Collection Server, Collection Database, Reporting Server and Reporting Database, and Distribution Server.

You can install them all on just one physical server, or use multiple machines for performance reasons. The documentation lists four different topologies with one, two, three or four servers. Unfortunately, I didn’t find any detailed description of the different components. So you can only guess their purpose from their names.

Obviously, Microsoft is also targeting big enterprises with FSC. To my knowledge this is a novelty for a new server product from Redmond. Since there seems to be no easy and fast way to try FSC, I am not sure if it makes sense to invest more time in this. I blogged some time ago that Forefront’s scan engine which is responsible for detecting malware is probably not yet reliable enough to compete with other major antivirus software vendors. Perhaps it would have been better if MS invested more in building an infrastructure to collect and analyze malware instead of focusing on the management components of FSC. If this were just a product of an unknown software vendor, I probably would forget about FSC by now. Okay, this was just my first impression, I am sure there will be a second one sooner or later.

• FREE: Microsoft Standalone System Sweeper – Standalone antivirus software (0)
• FREE: Kaspersky Rescue Disk – Offline antivirus tool (2)
• Forefront Endpoint Protection (FEP) 2012 – Part 2: Deployment and configuration (3)
• Offline Antivirus – How to run Microsoft Safety Scanner on Windows PE 3.0 (5)
• Forefront Endpoint Protection 2012 – Part 1: Installation on Configuration Manager 2012 (1)

Systems Management Server 2003 SP3 I’ve been waiting for SMS 2003 SP3 for quite sometime, now. Most important, certainly, is the full Vista support. The limited support SMS 2003 SP2 for Vista was one of the reasons why we postponed Vista deployment. There are also some new features related to asset intelligence. Please, check out the official SMS 2003 SP3 homepage for more information.

Windows Update Services 3.0 WSUS 3.0 has a couple of interesting new features. You can find a complete list at the WSUS team blog. Most important for me is the fact that WSUS finally gets a real user interface, i.e. an MMC-based one. I really don’t like these Spartanic and slow Web interfaces. Ah, I guess, I mentioned this many times before.

ISA Server 2004 SP3 If you use Microsoft ISA Server as firewall, then you probably know that ISA Server 2006 has been available for sometime. We use ISA Server 2006 as http proxy and didn’t encounter any problems so far. However, we didn’t update our ISA Server 2004 firewall since we feared that some of our scripts might not work properly anymore and also because the new features of ISA Server 2006 seemed irrelevant for us. Thus, we’ll probably install ISA Server 2004 SP3 mostly for security reasons very soon. New features of ISA Server 2004 SP3 include new troubleshooting tools, improved log viewer functionality, and support for publishing Exchange Server 2007. By the way, an excellent source for information about ISA Server is Tom Shinder’s blog. Some guys discussing the SP3 in a blog post there.

Forefront Client Security So Microsoft finally entered the market for enterprise malware protection. We have been using Sophos Antivirus for a long time now and are not satisfied with it, anymore. With every new release, we encounter new problems. As an educational institution we get Microsoft software for a reasonable price. That’s why I am quite interested in Forefront Client Security. However, I reported some time ago that Microsoft can’t still compete with major anti-virus software vendors. Anyway, I am curious enough to want to take a look at it soon.

System Center Essentials 2007 System Center Essentials is the light version of Configuration Manager (formerly SMS) and Operations Manager (formerly MOM). This product is targeted for small-to-medium sized networks. We’ll probably use the “complete versions” of these products. However, I am curious about the new Configuration Manager.

Diagnostics and Recovery Toolset (DART) I just stumbled upon this one in Kurt Shintaku’s blog where you can find more information about DART. There are several tools included which could be quite useful for Windows admins.

Gosh! When will I find the time to check all these new releases? Originally, I planned to check out the Windows Server Longhorn Beta3 after my vacation. But now I don’t know where to start…

• SCOM 2012 review – Part 8: Dashboards (0)
• SCOM 2012 review – Part 7: Linux and JEE monitoring (4)
• SCOM 2012 review – Part 6: Application Performance Monitoring (APM) (1)
• SCOM 2012 review – Part 5: Network Monitoring (0)
• SCOM 2012 review – Part 4: Infrastructure improvements (0)

We have been using Sophos Antivirus for many years now. In the beginning, we were quite content with it, but every new release gives us more headaches than it is really worth. Antivirus software has to hook up deep in the OS. If the developers make mistakes here, it can result in serious problems. The developers who know most about Windows are certainly those from Microsoft. Hence, it makes some sense to use AV software from the Windows Company.

But reliable software alone does not make up a good AV tool. Big AV software vendors invest a huge amount of time to create AV signatures. The AV-Comparatives test showed that Microsoft cannot yet compete with the more established AV software vendors. However, the mere number of viruses recognized by an AV tool doesn’t say so much about its quality. The more important factor is, how fast an AV software vendor reacts to new threats. I doubt that Microsoft would come off better in such a contest, though.

However, I wouldn’t write off Forefront so early. Usually, if Microsoft comes out with a new product it takes one or two updates until they become competitive. Some people say that malware protection should be an integral part of a modern operating system and I am one of them. Let’s wait for Windows Vienna. Only two more years

• FREE: Microsoft Standalone System Sweeper – Standalone antivirus software (0)
• FREE: Kaspersky Rescue Disk – Offline antivirus tool (2)
• Forefront Endpoint Protection (FEP) 2012 – Part 2: Deployment and configuration (3)
• Offline Antivirus – How to run Microsoft Safety Scanner on Windows PE 3.0 (5)
• Forefront Endpoint Protection 2012 – Part 1: Installation on Configuration Manager 2012 (1)

The argument against the use of personal firewalls is that malware can disable the personal firewall or leverage another program to access the internet. Malware often uses the Internet Explorer to phone home since it is usually allowed to access the internet.

In my view, both arguments are wrong with regards to standard users in the case of Vista’s desktop firewall. The first argument can easily be refuted. If users don’t have administrator privileges on their desktops (which I strongly recommend), then the malware will simply not have enough rights to disable Windows Firewall or to change its setting.

However, if you logged on as admin, it is indeed possible for malware to change the settings. The strange thing is that in my test this could be done without getting User Account Control (UAC) involved. I configured the Windows Firewall with the Local Security Policy tool (just enter the name on the Program Search Prompt). When I start this tool, I didn’t get an UAC prompt. I tried the same on another machine which belongs to a Windows domain and there I got an UAC pop-up.

Anyway, if you logged on as an Administrator and the malware is smart enough to change the firewall settings before connecting to the internet, then it could indeed be possible that Windows Firewall is useless in this case.

To investigate the second argument, which assumes that malware always can use another program to access the internet, I installed the IE Tab add-on for Firefox. This plug-in allows you to use Internet Explorer to load web pages within Firefox.

First, I changed the policy for outbound filtering for the Windows Firewall. You can do this by right clicking on “Windows Firewall” in the Local Security Policy tool (or Group Policy Editor) There, you can set outbound filtering to “block” for the different profiles (domain, private, public). Then, I added an outbound rule allowing IE to access the internet.

I was able to load web pages when I started IE, but internet access was blocked when I started IE within Firefox. This doesn’t prove that IE can’t be leveraged by malware to access the internet, but it shows, at least, that it wont be easy.

Next, I wanted to know if it is possible to trick Windows Firewall by exchanging exe files. In my test, I allowed Firefox to access the internet, then exchanged firefox.exe with putty.exe. I was indeed able to establish an internet connection with putty afterwards. Well, this is really disappointing. Most personal firewalls use hash codes to identify applications. Windows Firewall only uses file name and path.

Now, you might argue, what is the use of outbound filtering if it can be outsmarted so easily. The point is, standard users are not allowed to make any changes with the Program Files folder. So if a user starts a malware program, it won’t be able to use this trick. I, therefore, conclude that outbound filtering with Windows Firewalls makes sense for standard users, but not for administrators.

• FREE: Microsoft Standalone System Sweeper – Standalone antivirus software (0)
• How to configure TMG for SSL Client Certificate Authentication (0)
• Using TMG, one-time passwords and Kerberos Constrained Delegation (2)
• FREE: Kaspersky Rescue Disk – Offline antivirus tool (2)
• How to use Kerberos Constrained Delegation with Forefront TMG (0)

4sysops runs on a tiny dedicated Linux server that is powerful enough to manage normal traffic, but gets overloaded as soon as these attacks start. Usually this lasts from 30 to 60 minutes. There are numerous accesses per second from different IPs during this time. Sometimes, even Apache crashes, i.e. 4sysops is unreachable even after the attack. The server runs with the default configuration of SuSE 10.0.

I don’t have much time at the moment to deal with this problem. I could only take some simple steps against the DDOS attacks. It improved the situation a little. At least, Apache won’t crash anymore.

I reduced the KeepAliveTimeout and installed the mod_evasive module for Apache. Mod_evasive helps in some cases with DOS attacks. I also installed the Bad Behavior plugin and the WP-cache plugin for WordPress. The latter just improves the performance.

I considered working with packet string-matching of iptables to block the attacks at the firewall before Apache gets involved. However, it seems that SuSE forgot to include this extension in the 10.0 version. This worked fine with SuSE 9. I guess, I have to compile a new kernel to get this working.

Please, let me know if you have better ideas. I am not a Linux geek. I suppose, there are plenty of other countermeasures possible. I apologize to those who can’t access the site during the attacks for the inconvenience. Please just come back later. Usually, it works again, at least after an hour or so

• FREE: Microsoft Standalone System Sweeper – Standalone antivirus software (0)
• FREE: Kaspersky Rescue Disk – Offline antivirus tool (2)
• Forefront Endpoint Protection (FEP) 2012 – Part 2: Deployment and configuration (3)
• Offline Antivirus – How to run Microsoft Safety Scanner on Windows PE 3.0 (5)
• Forefront Endpoint Protection 2012 – Part 1: Installation on Configuration Manager 2012 (1)

FCS makes heavy use of other Microsoft products. The most interesting feature is that signatures can be deployed with WSUS. Uniting patch management and malware signature management makes a lot of sense. The settings of the FCS agent can be deployed using Active Directory and MOM is used for monitoring.

I am not sure if it simplifies matters if you have to use several tools to manage your anti-virus solution. There is, however, a central management component. I have to try FCS myself to get a better picture of its usability. I’ll probably do this in the near future. When it comes to malware protection, there is another important issue: How fast does the vendor react to the latest threats? Big players like Symantec, Trend Micro or Sophos already have an extensive infrastructure that helps them to get wind of the latest worms, to analyze the malware and to develop defence mechanisms. I’ve no doubt that Microsoft has enough money to build-up a comparable infrastructure, but it might take some time.

• FREE: Microsoft Standalone System Sweeper – Standalone antivirus software (0)
• FREE: Kaspersky Rescue Disk – Offline antivirus tool (2)
• Forefront Endpoint Protection (FEP) 2012 – Part 2: Deployment and configuration (3)
• Offline Antivirus – How to run Microsoft Safety Scanner on Windows PE 3.0 (5)
• Forefront Endpoint Protection 2012 – Part 1: Installation on Configuration Manager 2012 (1)

There is an official statement from Microsoft about this case which I am partly quoting from APC magazine:

If an application requires administrative privilege, such as Tweak Vista, a prompt is generated through User Access Control (UAC). If consent is given by the user, this then elevates the application to a higher (administrative) integrity level and allows privileged access to occur within the context of that application only. Note that for this to occur, the UAC prompt requires that a user must provide consent before the application will be allowed to run.

So, the point is that UAC warns you before you start the malicious application which needs administrative privilege. However, everyone knows that malicious code usually just hooks up on other, seemingly harmless programs. So if you start an infected tool with the capabilities of tweakvista, you would be disabling UAC without realizing it.

I’ve said it before that pop-ups can never increase security. That’s why I usually disable the Internet Explorer enhanced security feature on any Windows server. If I decided that a web site I want to access from a server is secure enough, then I don’t need a pop-up asking me if I am really very, very sure that I want to do this.

It is the same with UAC. If I decide to run a program that means I really want to do it. The fact that UAC can be disabled by malware so easily shows that UAC decreases security. I guess, many inexperienced administrators rely on it. They think that if UAC didn’t complain after they started a tool, it can’t be so dangerous. What they don’t realize is that UAC was already disabled without their knowledge a long time ago.

• FREE: Microsoft Standalone System Sweeper – Standalone antivirus software (0)
• FREE: Kaspersky Rescue Disk – Offline antivirus tool (2)
• Forefront Endpoint Protection (FEP) 2012 – Part 2: Deployment and configuration (3)
• Offline Antivirus – How to run Microsoft Safety Scanner on Windows PE 3.0 (5)
• Forefront Endpoint Protection 2012 – Part 1: Installation on Configuration Manager 2012 (1)