Sunday, November 23, 2008

Security and Forensics Roundup: Heavy Version

I think I need a bigger lorry for this one.

New, Updated, and/or Free Utilities

Security Database Tools Watch - FireCAT 1.4 package released – For those who don’t know, FireCAT is a logical collection of security-auditing/pen-testing add-on extensions for Mozilla Firefox. It is really amazing work. Until now, however, you’ve had to pick and choose and manually download each extension you wanted, one at a time. Now, pop over to Package de plugins FireCAT 1.4 (natively in French, so here is the English version à la Google), download the compressed file and install away. Thanks Hurukan!

ProduKey v1.35 - (freeware) – NirSoft app that extracts the product keys from a Windows system. The latest version now allows you to “…load the product keys of external Windows installations from all disks currently plugged into your computer. When using this option, ProduKey automatically scans all your hard drives, finds the Windows installation folder in them, and extracts all product keys stored in these Windows installations. New Command-Line Option: /external“

ChromePass v1.05 - (freeware) – NirSoft app updated now has “…added support for recovering Chrome passwords from external drive. (In Advanced Options).”

Volatility - (freeware) - Memory forensics tool from Volatile Systems.  I see this as a really great tool not just for forensic investigators but also Windows Internals investigators who are digging deep into very specific troubleshooting and system analysis.

Overview

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. <snip>

Capabilities

The Volatility Framework currently provides the following extraction capabilities for memory samples:

  • Image date and time
  • Running processes
  • Open network sockets
  • Open network connections
  • DLLs loaded for each process
  • Open files for each process
  • Open registry handles for each process
  • A process' addressable memory
  • OS kernel modules
  • Mapping physical offsets to virtual addresses (strings to process)
  • Virtual Address Descriptor information
  • Scanning examples: processes, threads, sockets, connections, modules
  • Extract executables from memory samples
  • Transparently supports a variety of sample formats (i.e., crash dump, hibernation file, dd image)
  • Automated conversion between formats

For some great examples on how it can be used, check out these posts from the MNIN Security Blog:

Spotted via SANS ISC Handler’s Diary post Finding stealth injected DLLs.
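To show what the “scanning” capability in the list above means in practice, here is an added Python example (not part of this post or of the Volatility project) of pool-tag carving over a constructed memory image. The record layout (a 4-byte tag followed by PID, parent PID and a 16-byte image name) is a toy layout assumed for the example, not the real Windows _POOL_HEADER/_EPROCESS structures; the point is the technique: scan every byte offset for the tag, parse each hit, then apply sanity checks, because the tag bytes also turn up inside unrelated data.

```python
import struct
from dataclasses import dataclass
from typing import List

# Constructed toy layout (assumption, NOT the real Windows pool header / EPROCESS):
#   4 bytes   pool tag        b"Proc"
#   4 bytes   PID             uint32, little-endian
#   4 bytes   parent PID      uint32, little-endian
#   16 bytes  image file name NUL-padded ASCII
TAG = b"Proc"
RECORD = struct.Struct("<4sII16s")


@dataclass
class Candidate:
    offset: int
    pid: int
    ppid: int
    name: str
    plausible: bool


def make_record(pid: int, ppid: int, name: str) -> bytes:
    """Build one toy process record (only used to construct the sample image)."""
    return RECORD.pack(TAG, pid, ppid, name.encode("ascii").ljust(16, b"\0"))


def build_sample_image() -> bytes:
    """Constructed 'memory image': three records, junk padding and one decoy.
    The decoy is the ASCII text 'Processing ...' in unrelated data; it contains
    the bytes 'Proc' and therefore hits the tag scan like a real record would."""
    return (
        b"\0" * 64
        + make_record(4, 0, "System")
        + b"\xff" * 37
        + make_record(1234, 4, "smss.exe")
        + b"Processing queue full" + b"\0" * 15          # decoy, 36 bytes
        + b"\0" * 21
        + make_record(1608, 1234, "svchost.exe")
        + b"\0" * 32
    )


def is_plausible(pid: int, ppid: int, raw_name: bytes) -> bool:
    """Sanity checks of the kind scanners apply to every tag hit."""
    if pid > 65535 or ppid > 65535:          # PIDs are small numbers
        return False
    if pid == ppid and pid != 0:             # a process is not its own parent
        return False
    name = raw_name.split(b"\0", 1)[0]
    return bool(name) and all(32 <= b < 127 for b in name)


def scan_image(image: bytes) -> List[Candidate]:
    """Linear scan for the tag at every byte offset; parse and flag each hit."""
    hits = []
    pos = image.find(TAG)
    while pos != -1:
        if pos + RECORD.size <= len(image):
            _, pid, ppid, raw_name = RECORD.unpack_from(image, pos)
            name = raw_name.split(b"\0", 1)[0].decode("ascii", "replace")
            hits.append(Candidate(pos, pid, ppid, name, is_plausible(pid, ppid, raw_name)))
        pos = image.find(TAG, pos + 1)
    return hits


def processes(image: bytes) -> List[Candidate]:
    """Only the hits that survive the sanity checks."""
    return [c for c in scan_image(image) if c.plausible]


if __name__ == "__main__":
    for c in scan_image(build_sample_image()):
        flag = "" if c.plausible else "   <- rejected"
        print(f"0x{c.offset:06x} pid={c.pid:<6} ppid={c.ppid:<6} {c.name}{flag}")
```

Run as a script it prints all four hits; the one on the string “Processing” is parsed but rejected because its PID field is nonsense, which is exactly why real scanners cross-check a pool header against the fields of the object that follows it rather than trusting the tag alone.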

NetWitness Investigator - (freeware) – I generally use Wireshark for most of my packet-capture work, unless I need something quick and easy, for which I turn to one of several other micro-sniffer tools. However, from what I’ve read, NetWitness has a lot of specialized features that might make Wireshark look more like a piranha.

Product Features:

  • Captures raw packets live from most wired or wireless interfaces
  • Imports packets from any open-source, home-grown and commercial packet capture system (e.g. .pcap file import)
  • License supports 25 simultaneous 1GB captures - far exceeding data manipulation capabilities of packet tools like Wireshark
  • Real-time, patented layer 7 analytics
         – Effectively analyze data starting from application layer entities like users, email, address, files, and actions.
         – Infinite, free-form analysis paths
         – Content starting points
         – Patented port agnostic service identification
  • Extensive network and application layer filtering (e.g. MAC, IP, User, Keywords, Etc.)
  • IPv6 support
  • Full content search, with Regex support
  • Exports data in .pcap format
  • Bookmarking & history tracking
  • Integrated GeoIP for resolving IP addresses to city/county, supporting Google® Earth visualization
  • NEW! SSL Decryption (with server certificate)
  • NEW! Interactive time charts, and summary view
  • NEW! Interactive packet view and decode
  • NEW! Hash PCAP on Export
  • NEW! Enhanced content views

The only real issue is that it seems like you have to give a lot of valid and real information to register and use the product (on a per-workstation basis), which might turn many otherwise great customers off a bit. The install file does include a wonderfully detailed documentation guide in PDF format. I also turned up a nice review of it over at Decurity Blog you might want to check out as well. Spotted over at the SANS-ISC Handler’s Diary post: New Tool: NetWitness Investigator.

Firefox 3 Forensic Examination Tools

It has been a while since I posted More Firefox "Forensics" Tools which outlined a number of NirSoft tools and Firefox browser structure background.

Turns out that Chrome/Chromium also uses a very similar structure in their SQLite files as well.

An anonymous commenter left a heads-up on that post recently which pointed to a new (to me) forensics tool specifically designed for Firefox 3.

Firefox 3 Extractor - (freeware) - Firefox 3 Forensics offers this really clever tool, which I like for a number of reasons. First, the author states they have worked for a UK police force and performed specialist forensics work, so it seems to be developed from a real-world application standpoint. Secondly, it is very simple to use. Download the file and extract it. Then copy the target SQLite file from Firefox into the same folder and run the command from the command line. It executes in a batch-file prompt mode, asking you to select a choice depending on what you want to accomplish.

What can f3e do?

f3e presently has the following features:
  • Extract all data from Firefox 3 SQLite databases to CSV.
  • Extract all data from Firefox 3 SQLite databases to CSV and decode dates and times.
  • Create a CSV 'Internet History Usage Report' from 'places.sqlite'.
  • Create a HTML 'Internet History Usage Report' from 'places.sqlite'. example
  • Decode PRTime.
  • Extract all data from Chrome SQLite databases to CSV.
  • Extract all data from Chrome SQLite databases to CSV and decode dates and times.

I played with it using some of my own system’s Firefox 3 SQLite files and it worked very well.  I really liked having a number of different formats to output into.  The Chrome support is a bit “experimental” but seemed to work as promised to me.

Great program and it has been quickly added to my USB disk.

FoxAnalysis - (freeware) - Digital Forensic Software tool I stumbled upon while getting background information on the one listed above.  This is another forensics tool from our UK friends across the pond.  Unlike Firefox 3 Extractor, FoxAnalysis has a GUI format that some users might feel a bit more comfortable working in nowadays.

Features

  • Extract data regarding bookmarks, cookies, downloads, form history and web history
  • Analyse data by filtering and sorting it:
    • Filter by multiple keywords
    • Filter by date range
    • Filter by download status
    • Filter by website visit type
    • Filter by selection
  • Convert UTC timestamps to any time zone (apply custom daylight saving settings)
  • Save and load case files
  • Export activity report to HTML or CSV (Excel) files

I ran out of time this weekend so I didn’t get a chance to go hands-on with this one, but it looks good and I hope to play with it this week if things are slow at work. (Like that will ever happen!)

Looks like they are also developing a Chrome version not yet released.
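Both tools above boil down to reading the browser’s SQLite tables and decoding their timestamps: f3e’s PRTime decode and CSV history report, and FoxAnalysis’s UTC-to-time-zone conversion. The following is an added Python example, not code from either tool, that builds a constructed places.sqlite and Chrome History database with a subset of the real tables, decodes PRTime (microseconds since the Unix epoch) and Chrome/WebKit time (microseconds since 1601-01-01), shifts the results into an examiner’s time zone, and writes an Internet-history usage report as CSV. The rows and URLs are made up; the table and column names are the Firefox 3 and Chrome ones the report needs, and the visit_type labels are Firefox 3’s transition codes.

```python
import csv
import io
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Dict, List

UTC = timezone.utc
_UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=UTC)     # Firefox PRTime base
_WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)   # Chrome/WebKit time base
# Firefox 3 moz_historyvisits.visit_type transition codes.
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 4: "embed",
               5: "redirect-permanent", 6: "redirect-temporary", 7: "download"}
FIELDS = ["url", "title", "visit_type", "visited_utc", "visited_local"]


def decode_prtime(us: int) -> datetime:
    """PRTime (microseconds since 1970-01-01 UTC) -> aware UTC datetime."""
    return _UNIX_EPOCH + timedelta(microseconds=us)


def decode_chrome_time(us: int) -> datetime:
    """Chrome/WebKit time (microseconds since 1601-01-01 UTC) -> aware UTC datetime."""
    return _WEBKIT_EPOCH + timedelta(microseconds=us)


def to_zone(dt: datetime, offset_hours: float) -> datetime:
    """Re-express a UTC timestamp in a fixed-offset examiner time zone."""
    return dt.astimezone(timezone(timedelta(hours=offset_hours)))


def build_firefox_places() -> sqlite3.Connection:
    """Constructed places.sqlite: a subset of the Firefox 3 schema, made-up rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER, visit_type INTEGER);""")
    t0 = int(datetime(2008, 11, 23, 9, 30, tzinfo=UTC).timestamp()) * 1_000_000
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", [
        (1, "https://mail.example.com/", "Webmail"),
        (2, "https://www.example.org/news", "News")])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?)", [
        (1, 1, t0, 1),                      # followed a link
        (2, 2, t0 + 90 * 1_000_000, 1),
        (3, 1, t0 + 600 * 1_000_000, 2)])   # typed the URL
    return conn


def build_chrome_history() -> sqlite3.Connection:
    """Constructed Chrome History database (subset of the real urls table)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, "
                       "title TEXT, last_visit_time INTEGER);")
    unix_s = int(datetime(2008, 11, 23, 10, 0, tzinfo=UTC).timestamp())
    webkit_us = (unix_s + 11_644_473_600) * 1_000_000   # seconds from 1601 to 1970
    conn.execute("INSERT INTO urls VALUES (1, 'https://www.example.net/', 'Example', ?)",
                 (webkit_us,))
    return conn


def _row(url, title, visit_type, when: datetime, offset_hours) -> Dict[str, str]:
    return {"url": url, "title": title or "", "visit_type": visit_type,
            "visited_utc": when.isoformat(),
            "visited_local": to_zone(when, offset_hours).isoformat()}


def firefox_history(conn: sqlite3.Connection, offset_hours: float = 0) -> List[Dict[str, str]]:
    """Internet-history usage rows from places.sqlite, oldest visit first."""
    rows = conn.execute("""
        SELECT p.url, p.title, v.visit_date, v.visit_type
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date""").fetchall()
    return [_row(url, title, VISIT_TYPES.get(vt, str(vt)), decode_prtime(ts), offset_hours)
            for url, title, ts, vt in rows]


def chrome_history(conn: sqlite3.Connection, offset_hours: float = 0) -> List[Dict[str, str]]:
    """Last-visit rows from a Chrome History database, oldest first."""
    rows = conn.execute("SELECT url, title, last_visit_time FROM urls "
                        "ORDER BY last_visit_time").fetchall()
    return [_row(url, title, "last-visit", decode_chrome_time(ts), offset_hours)
            for url, title, ts in rows]


def to_csv(rows: List[Dict[str, str]]) -> str:
    """Serialise report rows as CSV text: a header line plus one line per visit."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(firefox_history(build_firefox_places(), offset_hours=-6)))
    print(to_csv(chrome_history(build_chrome_history())))
```

The two epochs are the whole trick behind “decode dates and times”: a Firefox value is microseconds since 1970, a Chrome value microseconds since 1601, and feeding one to the other’s decoder silently yields a date centuries off, so a report should always name which browser a row came from.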

Anti-Virus News

Some quick points in the AV world:

Microsoft® Malware Protection Center : MSRT Review on Win32/FakeSecSen Rogues – Some interesting statistics on the spread of fake security applications that are all the rage now.

VirusTotal [Sunbelt] += CWSandbox – Notice that VirusTotal upload scan site now includes a tie-in to Sunbelt Software’s CWSandbox.  Basically the way this works is that if you upload a file to VirusTotal, and it comes back with a match to a previously submitted version to CWSandbox, you will be offered a link to view that behavior summary analysis.  How neat is that!

VirusTotal += McAfee+Artemis – Notice that VirusTotal now includes not just the McAfee scan engine but also one that leverages McAfee’s Artemis technology. I hadn’t heard of Artemis before, but some digging turned up interesting information:

Basically (read the above posts for the full-meal-deal) Artemis provides “cloud-based” protection for emerging malware threats.  It runs on the client side and if a file is discovered that meets a certain behavior or heuristic then its fingerprint is uploaded to McAfee which does additional analysis and sends back a “block” or “allow” action order to the client software.  In theory this provides rapid protection where signature-based protection cannot deliver due to morphing or other factors.

Bits and Pieces

.: The Story of a Hack - Part 3. Kung Fu Shopping – SynJunkie concludes his walkthrough on a hack-attack. It was a nice and clearly written/illustrated example of the challenges sysadmins and CSOs face keeping things locked down.

I’ve been following the .:Computer Defense:. blog for a long time.  However, lately the posts have been dropping off a bit.

Fortunately they have pointed to a new security-news and commentary aggregation site that I’ve quickly added to my RSS feed list.

I’m constantly amazed at the wealth of fantastic material and work out there by lots of dedicated IT security workers and researchers.  It is almost impossible to canvass them all.  Many I stumble across in the act of researching a specific problem or via cross-links in other posts.

For the two days I’ve been subscribed to the above site, I’ve already collected at least ten new sites and posts that have really added to my understanding and knowledgebase.

Good work guys and gals!

Cheers!

--Claus V.

Windows Registry Tricks and some Processing Treats

Yes, October is behind us and the pumpkins are being ground up for pie.

However, I really scored a few awesome finds on the Net this week while I was continuing my hunt for a solution to my PE 2.0/Vista project headaches.

Alas, despite a plea for assistance in loading a preferred driver in VistaPE over in the Boot Land forums, no one has yet dared take up the challenge. Either it’s too hard for even the pros to deal with, or it is a noobie question they don’t want to waste their time on.

Exciting Progress!  At Last…

Luckily the D-Man has been brainstorming at work as well and on Friday proposed a trick that I had toyed with, but didn’t allow to fully bake in my brain and follow through to its conclusion.  I had all the tools, just didn’t put the pieces together in just the right way. Initial testing of a method based on his recommendation was very favorable.  I have a bit more work to do before calling it a success and posting the brilliant and remarkably flexible custom hardware/driver building solution for all VistaPE builders, but looks like I’m buying D-Man’s lunch pretty soon. Looks like our dual-core brain-processing array has paid off on this particular issue.

But I am getting ahead of myself.  You have to wait a bit longer for those posts.

In a troubleshooting low-point, I was feeling like I had no choice but to scrap the whole VistaPE boot build environment model and return to a simple WAIK Windows PE 2.0 boot disk with the specialized and injected PGP WDE drivers alone. I had already proved it would work technically on all our systems, but the interface of WinPE 2.0 is (initially) pure Command Line Interface (CLI). If you know your CLI commands and custom-load the disk with extra GUI tools/utilities in the building process, you can still find and launch them; it’s just not very sexy. And yes, I like sexy tech.

So since I already have crafted a pretty advanced auto-run menu and utilities package for the Windows “auto-play” side of the disk, I wondered if there was a way I could just have the Win PE 2.0 boot disk side call and auto-run the menu system. It wouldn’t be quite as sexy (more like lipstick and hot-pink heels on a pig) as librarian-sexy VistaPE is, but it would still be better than a pure CLI box.

I knew that Win PE 2.0 is all based on a WIM file. And I knew that WIM files and their contents could be manipulated.

Could I build a standard WAIK Win PE 2.0 boot disk and modify the registry to add a custom auto-start key?  That would meet my need to load-up and execute the custom auto-menu utility picker.

Sure enough, you can modify the registry of a WIM file.

WIM Registry Editing

  • Edit the registry on a mounted WIM – Off Campus blog. Michael Greene posts a great basic walkthrough on just how to do it. Granted, you really need to be familiar with ImageX and registry work, but if you know the basics of both you should get the gist of the process pretty quickly.

For some added background, I also offer this find:

  • How to edit the registry offline using BartPE boot CD? – Ramesh’s site contains a few more helpful foundational elements on the process, as well as additional pictures. Though it doesn’t apply specifically to mounted-WIM Registry editing, it does show the process of attaching to an offline Registry hive, which still applies.

Fortunately, before I spent too much time in this retro-lounge, D-Man burst in with his lead and I left this exploration uncompleted.

  • Windows Registry – Wikipedia provides some great information for quick lookup of facts and locations of Hive files.

Finally, you shouldn’t begin to muck around without a good understanding of the Windows Registry structure and functions.  To do that you could buy and read the Microsoft Windows Internals (4th Edition) as I am now doing on the side, or you could just download a free chapter from that same book offered by Microsoft.  Amazingly it happens to focus on the Registry! Windows Internals Chapter 4 (direct PDF file link).

Just be careful you don’t nuke your system in the process.
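As an added example (mine, not from this post or from either linked walkthrough), here is the mount / load hive / edit / unload / commit sequence those articles describe, scripted in Python around imagex.exe and reg.exe, with the ordering and failure handling a practitioner wants: the hive must be unloaded before the image is unmounted, and any failure should discard the mount rather than commit a half-edited image. The WIM path, mount directory, hive alias, value name and menu path are placeholders. One caveat on the Run key itself: WinPE has no Explorer shell to process HKLM\...\Run, so the hook a Win PE 2.0 image actually fires at boot is startnet.cmd (or winpeshl.ini) inside the image; the offline-hive steps are the same whichever key you decide to edit.

```python
import subprocess
from typing import Callable, Dict, List, Sequence

Argv = Sequence[str]


def build_commands(wim: str, index: int, mount_dir: str, hive_alias: str,
                   run_value: str, run_cmd: str) -> Dict[str, List[str]]:
    """Command lines for each step. Assumes imagex.exe (WAIK) and reg.exe are on
    PATH; every path and name passed in is a placeholder chosen by the caller."""
    hive_file = mount_dir + r"\Windows\System32\config\SOFTWARE"   # offline SOFTWARE hive
    hive_key = "HKLM\\" + hive_alias                                # where it is attached
    return {
        "mount":   ["imagex", "/mountrw", wim, str(index), mount_dir],
        "load":    ["reg", "load", hive_key, hive_file],
        "edit":    ["reg", "add", hive_key + r"\Microsoft\Windows\CurrentVersion\Run",
                    "/v", run_value, "/t", "REG_SZ", "/d", run_cmd, "/f"],
        "unload":  ["reg", "unload", hive_key],
        "commit":  ["imagex", "/unmount", "/commit", mount_dir],
        "discard": ["imagex", "/unmount", mount_dir],   # no /commit: WIM left untouched
    }


def service_image(cmds: Dict[str, List[str]], run: Callable[[Argv], object]) -> List[str]:
    """Run the steps in order; return the names of the steps that executed.

    The hive is always unloaded before the unmount (a still-loaded hive leaves
    the mount dirty), and any CalledProcessError after mounting ends with an
    unmount WITHOUT /commit so the original image is preserved."""
    done: List[str] = []

    def step(name: str) -> None:
        run(cmds[name])
        done.append(name)

    step("mount")
    try:
        step("load")
        try:
            step("edit")
        finally:
            step("unload")
        step("commit")
    except subprocess.CalledProcessError:
        step("discard")
    return done


class RecordingRunner:
    """Dry-run runner: records each argv instead of executing it and can be told
    to fail the first step whose argv starts with fail_prefix."""
    def __init__(self, fail_prefix: Sequence[str] = ()):
        self.calls: List[List[str]] = []
        self.fail_prefix = list(fail_prefix)

    def __call__(self, argv: Argv) -> None:
        self.calls.append(list(argv))
        if self.fail_prefix and list(argv[:len(self.fail_prefix)]) == self.fail_prefix:
            raise subprocess.CalledProcessError(1, list(argv))


def real_runner(argv: Argv) -> None:
    """Actually execute a step; non-zero exit raises CalledProcessError."""
    subprocess.run(list(argv), check=True)


if __name__ == "__main__":
    cmds = build_commands(r"D:\PE\boot.wim", 1, r"C:\mount", "PE_SOFTWARE",
                          "Menu", r"X:\Tools\menu.exe")
    runner = RecordingRunner()            # swap in real_runner on a WAIK box
    print(service_image(cmds, runner))
    for argv in runner.calls:
        print("  " + " ".join(argv))
```

The dry-run runner exists so the sequence can be reviewed before anything touches a real image; a failed `reg add` shows as mount, load, unload, discard, which is the outcome you want, since committing after a failed edit is how a boot image gets quietly broken.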

Blue Gold from Alex Ionescu

To be released in February 09 will be Microsoft Windows Internals (5th Edition), which will cover Vista and Server 2008 this time. Mark Russinovich and David Solomon will be the lead authors again, but contributing to this edition will be newcomer Alex Ionescu.

I happened to stumble upon Alex’s blog this weekend and found a number of amazingly great posts on Windows Vista processes and internal goodies.  He hasn’t posted for a while, but I imagine he has been busy with editing the new book.  It ends up being a good thing as it is taking me a while to read through and get my brain around his wonderfully detailed posts.

Here’s a sample of recent ones:

Hope this helps and leads to wonderfully wasted time in pursuit of Windows Internals understanding.

Cheers!

--Claus V.

Three Quick Bits

These finds just didn’t seem to fit in with any of the other posts I have planned for this week so here they are as standalone items.

Not really so useful (IMHO) as a boot disk any longer, now that there are better options such as Bart's Preinstalled Environment (BartPE) bootable live Windows CD/DVD, Windows PE 2.0, or even the amazing VistaPE projects.

What I did find useful from that particular link was that TACKtech Corp. provides a ton of useful tips, links, news, articles and other resources off their home page.  Take some time to poke around.  I’m sure you will find it worthy of adding to your bookmark pile.  It is well laid-out and fun to browse around.  Kudos TACKtech and thanks for sharing!

I don’t often run into DAA/UIF disk-image format files.  I prefer the ISO format and after that BIN/CUE files.  If however you do need to convert a DAA/UIF file, you can buy a program, or use DAA2ISO and UIF2ISO freeware tools from developer Luigi Auriemma. Read the DLSquad link and find the additional link to Luigi’s proof that he actually had his original code “appropriated” by a commercial software company for their own product.

Confessions Junkie maximillian_x takes a look at a freeware network suite that might just have a few things worth looking into.  I’ve got a number of network tool suites and I have a hard time deciding which one I want to use.  Now I’ve got another one; Axence Software - Free NetTools.  Max does a great job on his review and covers all the major points as well as a few shortcomings.

That is all…

--Claus V.

All Over Gmail: Like Stink on a Skunk

It’s not the Shine…

If you are a Gmail user then, unless your ISP has been down, you probably haven’t been able to miss the newest eye-candy rolled out to you this week.

Spice up your inbox with colors and themes – Official Gmail Blog

Google starts rolling out Gmail themes - Download Squad

Gmail: Gmail Updates Its Look, Adds Themes – Lifehacker

Gmail gets pretty, oh so pretty, with new themes – TechBlog

When the dust had settled and I had run through all the offerings with Alvis hanging over my shoulder, we both settled on the “Shiny” theme.

Lavie remains on the fence at the moment.

It’s about keeping safe from stink…

I’ve noted here in the past that I am a bit overprotective when it comes to Web accounts. I always follow this procedure when active on a secure website, say for checking my Gmail or doing on-line banking:

  1. Close out my current browsing session.
  2. Open a fresh browsing session window.
  3. Use a pre-saved and inspected bookmark URL to go immediately and directly to the web-account in question I intend to log into.
  4. Log in and conduct my business, remaining only on the host site or its cross-linked pages.
  5. When done with my secure session, I log out.
  6. I delete both my cache files as well as any saved form data.
  7. I shut down my browsing session window.

From there I open a fresh session and begin my general web-surfing again.

I know it is a drag to do that, but this is a key layer in trying to avoid any page exploits or XSS shenanigans. And as tied as I am to my Gmail account (a weakness in itself), I must discipline myself not to remain logged in to my Gmail/Google sessions when I go browsing across the web.

Check your Gmail Filters…Regularly!

Case in point, I’ve now had to add an 8th step to the list above:

  • Check my Gmail “filters” to ensure they are mine and mine alone.

One of the blogs I follow is MakeUseOf.  It always has great freeware and how-to tips.

Recently they were hacked and lost their domain.

I encourage you to read the great details of their post-attack assessment.

BREAKING: New Gmail Security Flaw. More Domains Get Stolen! - MakeUseOf.com

What became clear is that Gmail was one key factor in the subterfuge.

How the attack actually was implemented is still a matter of some discussion: is it a new undisclosed Gmail flaw? Is it a variant of an existing one? Maybe none of the above?

One very interesting (and disturbing) angle can be found in this awesome Gmail Security Flaw Proof of Concept post from Brandon at Geek Condition blog.

Regardless of your interest in any of these things I believe Brandon makes one very clear and important point for ALL Gmail users to follow:

What you should do if you have a Gmail Account?

Check your filters and make sure that nothing seems out of the ordinary. If you’re using Firefox, you can download an extension called NoScript which helps to prevent you from becoming a victim of one of these attacks. Overall, though, be cautious.

To check your Gmail filter rules, log into your Gmail account and select “Settings”, then select “Filters”.

Now examine your filters closely to make sure they are what you have set and expect.

If not, delete any that don’t belong, change your Gmail password immediately, and start the damage assessment and mitigation process depending on what you find.

The end result of this attack, however it occurs, is that the user is completely unaware that important and critical emails are being deleted and/or routed to the attacker. They continue to log into and use their Gmail account, blissfully unaware of all the traffic speeding in and back out of it. (This of course assumes the Gmail owner hasn’t completely lost the keys to the account because the intruder broke in and changed the password on them. In that case, things get even worse!)

So check those email/Gmail filters, and check them often!
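Added example (mine, not from this post or any of the linked articles): a small Python audit of a filter list against the warning signs described above, that is, a filter that forwards to an address you don’t recognise, or one that deletes, archives or marks-as-read mail about domains, registrars or password resets. The rule format is a simplified constructed representation, not Gmail’s own storage or export format, and the sample rules and addresses are made up.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed filter rules (assumption: a simplified picture of a Gmail filter's
# match criteria and actions, not Gmail's real format). The "registrar" rule is
# the pattern the post describes: intercept domain/password mail, copy it out, delete it.
SAMPLE_FILTERS: List[Dict] = [
    {"name": "newsletters",
     "matches": {"from": "news@example-list.com"},
     "actions": {"label": "Lists", "skip_inbox": True}},
    {"name": "registrar",
     "matches": {"has_words": "domain transfer OR registrar OR password reset"},
     "actions": {"forward_to": "collector@attacker.example", "delete": True}},
    {"name": "catch-all",
     "matches": {},
     "actions": {"forward_to": "collector@attacker.example", "mark_read": True}},
]

# Words that, combined with an action that keeps mail out of sight, suggest
# someone is intercepting account-recovery or domain-control messages.
SENSITIVE_WORDS = ("password", "reset", "verify", "verification",
                   "registrar", "domain", "transfer", "login")
HIDING_ACTIONS = ("delete", "skip_inbox", "mark_read")


def audit_filters(filters: Iterable[Dict],
                  trusted_forwards: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (filter name, reason) for every rule the owner should look at twice.
    trusted_forwards: addresses the owner knowingly forwards to (their own, usually)."""
    trusted = {a.lower() for a in trusted_forwards}
    findings: List[Tuple[str, str]] = []
    for rule in filters:
        name = rule.get("name", "<unnamed>")
        criteria = rule.get("matches") or {}
        actions = rule.get("actions") or {}
        text = " ".join(str(v).lower() for v in criteria.values())
        forward = (actions.get("forward_to") or "").lower()
        hides = any(actions.get(a) for a in HIDING_ACTIONS)

        if forward and forward not in trusted:
            findings.append((name, f"forwards to untrusted address {forward}"))
        if forward and not criteria:
            findings.append((name, "forwards every message (no criteria)"))
        if hides and not criteria:
            findings.append((name, "hides every message (no criteria)"))
        if hides and any(w in text for w in SENSITIVE_WORDS):
            findings.append((name, "hides mail matching sensitive words: " + text))
    return findings


def report(findings: List[Tuple[str, str]]) -> str:
    """Human-readable summary, one finding per line."""
    if not findings:
        return "no suspicious filters"
    return "\n".join(f"[{name}] {reason}" for name, reason in findings)


if __name__ == "__main__":
    print(report(audit_filters(SAMPLE_FILTERS, trusted_forwards=["me@example.com"])))
```

Transcribe your own filter list into the same shape and run it; the rule with no criteria at all is the worst case, since it silently copies every message out, and the sensitive-word rule is the one that lets an intruder catch a registrar’s transfer confirmation before you ever see it.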

Related posts and perspectives:

I’m sure there will be more on this story and “exploit” as security folks dig deeper.  So stay tuned for details.  In the meantime, the following might not be as effective as tomato-juice, but might be a good place to continue from.

Using filters – Gmail Help Center

Stealing Domains via GMail - Sûnnet Beskerming

Malicious Setting Up of Filters in Gmail? – Google Blogoscoped

Hacking Security Researchers – Sûnnet Beskerming

Be safe.

--Claus V.

Microsoft Link Dump: Load #4


CC Photo Credit: by Choctopus on Flickr

That’s not just any dirt I’m leaving on your doorstep.  Nope.  It’s fresh Redmond brand dirt!

The Biggest Dirt Clod First

Let’s break this one apart into the good bits.

Updates: Process Explorer v11.3, Handle v3.42 | A new Mark’s blog post | 2 New Mark’s webcasts: Case of the Unexplained and Inside Windows Server 2008 R2 Virtualization and VHD Improvements - Sysinternals Site Discussion

  • Process Explorer v11.3 - (freeware) – Nice update that “includes numerous enhancements and bug fixes, including a physical memory history graph, options to configure memory tray icons, asynchronous thread symbol resolution and security ID lookup, dynamic recognition of new volume drive letters, multiple character matching in the process view, and a smaller memory footprint.” Stop and download it right away!

  • Case of the Unexplained – MS Tech-Ed EMEA 2008 - (video) – Mark Russinovich provides an updated presentation showing how some basic Sysinternals and Windows tools can help diagnose and resolve a myriad of confounding Windows system issues. It’s a good review of foundational points that all good desktop support and system administrators should be familiar with. I watched it with delight and relish. Run time is just about an hour and fifteen minutes. It goes by very fast.

  • Inside Windows Server 2008 R2 Virtualization and VHD Improvements - Microsoft Tech·Ed EMEA 2008 - (video) – A bit more technically specific for virtualization geeks and admins, Mark Russinovich goes over a number of highlights including a demo of the new Windows native VHD and boot-from-VHD support. This gets into features available in the coming Windows 7 release architecture.

While there, you might want to peek around at Mark’s other webcasts on TechNet.  Vista will still be kicking around for years to come, so some folks might find his presentation on Windows Vista User Account Control Internals particularly useful knowledge.

MS Blog Watch

The Microsoft blog machine was a bit lighter on material in the specific areas I follow.  Nonetheless, there were a few good finds.

Engineering Windows 7 : Disk Space – Fascinating technical post that attempts to address two questions before moving on to describing how Windows 7 manages disk space:

  • What does the WinSxS directory contain, why is it so big, and can I just delete it?
  • Where does all the disk space go for Windows components?

The post is a very long one and gets both technical and philosophical from a design standpoint. However, I found it really illuminating, both for current Vista system-file caching and storage and for the issues facing the Windows 7 build team as hardware (and storage devices in particular) forces changes in OS design.

Engineering Windows 7 : The Windows 7 Taskbar – Another long post. This one isn’t quite as technical. It touches on how users have been observed interacting with the Windows taskbar in the past and how the Windows 7 design team has been hard at work tweaking it. It’s not just about eye-candy but about bringing added efficiency and workflow to users. I think these posts give me a better understanding of the differences between how Windows was designed to work for me and how I actually use it.

IEBlog : IE8: What’s After Beta 2 – Umm. Release Candidate 1. Keep the testing coming. I’m not planning on converting to the MS IE dark-side when IE8 is finally released, but I will relish its eventual deployment at work as a more secure “approved” browser than IE 6, which remains the standard version across almost all of our systems. Heck, I would be happy if we could bump to IE 7 before IE 8 final rolls out.

Third-Party MS Bits

Windows Live Sync to replace Windows Live FolderShare - Windows Experience Blog – Brandon drops a bomb on all you Windows Live Folder Share fans and users.  Sorry Charlie.  It’s getting yanked and replaced with Windows Live Sync.  The Windows Live FolderShare Team Blog lists all the information you need to know.

In December, we will release a new product called Windows Live Sync. You can think of it as FolderShare 2.0. It's going to look familiar and offer the same great features, plus:

  • More folders and files - sync up to 20 folders with 20,000 files each.
  • Integration with Windows Live ID - no more extra sign-in stuff to remember.
  • Integration with the Recycle Bin - no more separate Trash folder to fiddle with.
  • New client versions for both Windows and Mac. 
  • Unicode support - sync files in other languages.

A huge part of Sync's success story depends on FolderShare users like you. When Sync releases, FolderShare goes into retirement. That means your FolderShare software will stop working and will ask you to upgrade to Sync. Once you do, Sync will automatically rebuild your personal folders. We expect a lot of new users when Sync is released, so if you can't sign in right away, please give it a little time.

Here's the part you need to pay attention to: Sync will not be able to rebuild your shared libraries. If you have a lot of shared libraries, you should hop over to the FolderShare website while it's still available and copy all that information. You'll need it to rebuild your shared libraries in Sync.

You should also note that the Professional option is being retired with the FolderShare name. Sync has a single offer, which provides free synchronization for up to 20 libraries and 20,000 files. We'll be working to raise those numbers as our service grows.

No upgrades from XP to Windows 7?  - Ed Bott’s Windows Expertise.  Leave it to Ed to rain on XP users who like the in-place upgrade path to a new OS.  At least in the current version, it does not appear that users can upgrade their XP systems to W7 as an overlay.  It’s going to be a clean-install only, baby.  So plan on doing some major user-data collection and migration before attempting.  To be honest, it’s probably all for the best anyway.

What is the quickest/easiest way to open the Network Connections page in Vista/2008 – Off Campus blog. Great tip as when I was setting up Wi-Fi on the Vista notebook, it seemed like I had to navigate a number of links to get to where I wanted to go.  Solution? Go to the Vista Start orb and put in ncpa.cpl in either the search field or the Run field.  Bam!  There you go!

--Claus V.

Firefox 3.1b2 Watch

Over the last week there were hopeful signs that the beta 2 version of Firefox 3.1 (Shiretoko) would be released.

There were in fact a few teasers that it would be released on November 21st, but alas, that did not come to pass.  From what I can tell, the official release might be around the 28th, give or take a few days.

I suppose that one could dive into the “nightly” Minefield builds, but I’m trying to be good of late and stick with the slightly more stable beta versions.

On the Watch Tower

Some b2 watch-bits while we wait:

Releases/Firefox 3.1b2 – MozillaWiki – Basic pre-release checkpoints and timetable.

WeeklyUpdates/2008-11-17 – MozillaWiki – Big picture on Mozilla release activity. It’s all about bug-killing and quality assurance.

Firefox3.1/StatusMeetings/2008-11-19 – MozillaWiki – For the most part it seems that most (all?) of the release blocking bugs have been neutralized.

However, it looks like one anticipated feature will get yanked out of this beta version again: Ctrl-Tab preview switching. For the specific reasons why this is being held back, see the bug 465843 link.

If you don’t recall, this is the Vista-ish alt-tab feature that pops up a preview page highlight dock-style when ctrl+tab-ing through tabs on a browser window.

If you read that bug link, seems there is some interesting behind-the-scenes discussion on the merits and application of the feature when just one or two tabs exist.

Anyway, looks like there is still some cleanup work and decisions to be finalized before we get a working 3.1b2 in our hands.

So until things become “official” I guess I will keep checking in at the Index of ftp://ftp.mozilla.org/pub/firefox/releases/ site and look for a new folder called 3.1b2.  Sometimes I can get lucky and snag it a day or so early that way.

Coming soon to Firefox: Tab Tearing

One of the newest features that 3.1 will offer is an expanded feature called “tab-tearing.”

Mozilla Links offers a great video and rundown of this capability. Firefox 3.1 gets tab tearing.

While previous versions of Firefox have always allowed some URL drag-n-drop handling, say a link from the desktop, a file, an email application, or the bookmarks, tab-tearing is a bit different.

Basically it allows you to click and hold on a tab and drag it off the browser window and when released it will open in a new browser window and be removed from the originating browser window.  Or you can drag the tab off the existing Firefox window and drop it on another Firefox browser window and it will be added to the destination and removed from the source.

If it sounds complicated, it really is basic. Hop to the link and view the very short video and you will see what I mean.

Claus V.

Saturday, November 22, 2008

Absent today, on to “Morro”; MS’s coming free AV tool

Earlier this week, Microsoft quietly let leak they would be releasing a new and free anti-virus tool for XP and Vista users. 

Improving Global Access to Core PC Protection: Q&A: Amy Barzdukas, senior director of product management, discusses Microsoft’s strategy to provide broader access to critical anti-malware protection. – Microsoft PressPass release.

Available at no additional cost, this new solution will focus on delivering easy-to-use protection from threats that can place personal information at risk and harm system performance.

This new anti-malware offering, scheduled to be released in the second half of 2009, will provide protection from a variety of threats – including viruses, spyware, rootkits and Trojans – and is specifically designed to address the demands of smaller PC form factors and the rapid increases in the incidence of global malware. This solution will be suitable for customers in emerging markets where infection rates tend to be higher, and where demand for entry-level PCs makes it even more important that protection be available that does not sacrifice system performance.

First Thoughts

I expect it will be offered in some fashion (I’m not yet saying “bundled”) with Windows 7 as well.

Kind of like how if you have Windows XP, you can download and install the free Microsoft Windows Defender anti-malware product. But if you have Vista, it comes pre-installed.

While Windows Defender does an acceptable job providing basic and free anti-malware protection to users, it doesn’t really provide any anti-virus protections.

That’s not to say that Microsoft doesn’t already address consumers’ anti-virus needs on a (very) limited scale. Remember the MSRT (Malicious Software Removal Tool) that gets updated each month? It’s installed on every XP and Vista system, although most consumers don’t know it.

Information at the moment is sketchy, but either we will see a complementary product to Windows Defender, or some new iteration that incorporates the existing Windows Defender protection along with anti-virus/trojan type protections.  I say that as the Microsoft quote above specifically mentions “spyware”.

Windows Defender is an optional install for XP users and, as mentioned, comes included in Vista.  Because of the third-party anti-malware/anti-virus protection I have, I made the decision some time ago to disable Windows Defender. Nor do I run it on my XP systems.  I suspect and hope that Microsoft makes Morro either an optional consumer install or makes disabling/uninstalling it a simple and clean process.

They probably will, to avoid drawing anti-trust/competition attention.

While Microsoft is generally hammered on the web for its constant insecurity and vulnerability patching, and OneCare hasn’t always received high marks in efficacy tests, to those in the know, Microsoft’s security analysts work hard to understand and counter trojan and virus code. Regular reading of the following company blogs often turns up great technical information on emerging and persistent threats.

Morro Tolls for Whom?

So who exactly is the targeted audience for Morro?

Definitely “emerging” markets where Microsoft/Windows hopes to gain a larger share.  Average consumers across the board looking for basic, free malicious-file protection, and probably technical users looking for something very simple to toss on their relatives’ PCs that they won’t have to explain or continually return to tweak and babysit.  I expect “thin” platforms like Netbooks might be another target if Morro is (as claimed) designed light and lean and delivers its protection without dragging down system performance.

The biggest winner? 

Microsoft and their enterprise security product customers.

Why do I say that?

It almost seems “Dickens-esque”.

Check out what Microsoft’s “Forefront” security product team blog says:

So, people may ask how does "Morro" compare to Forefront Client Security?  Will enterprise customers use it?  The answer is no, "Morro" is intended for consumers, whereas Forefront products are enterprise solutions, providing the capabilities and features required in sophisticated IT environments, e.g. centralized deployment, management and reporting, security state assessments, scheduled signature distribution, update management, etc.

It is worth noting that "Morro" will have a positive impact on Forefront, because it will allow Microsoft to capture even more threat intelligence from customers as more people use the free anti-malware solution.  We'll be able to use that information in our security research and the development of signatures and protection capabilities in Forefront.

Yummers!  Gads and Loads of juicy consumer-provided threat-intelligence data funneled up to Microsoft off the backs of the humble and poor masses so they can analyze and then develop improved signature and protection capabilities in their enterprise and upper-class threat-protection product Forefront.

I hope that doesn’t come off sarcastic.  It’s actually a brilliant move and the consumer (and everyone) wins in the end.  Microsoft’s offering of Morro just isn’t as altruistic as the spin might seem.

More opinions on Morro. 

Expect the discussions to grow, and become interesting as we begin to see beta releases.

I’ll be keeping an eye out for beta versions and will be quick to test and evaluate when available.

The things I do….

--Claus V.

Sunday, November 16, 2008

Linkfest – Nov. 16, 2008

I can’t believe it!  Sunday isn’t even over and I have processed about eight loads of laundry, taken the trash out, cleaned the kitchen at least two times, baked peanut-butter cookie bars, cleaned up the “downloads” directory of our laptop (it was quite full), installed/removed a number of assorted utilities and software, hung out with Alvis as she did her homework, and sorted the collection of recycling trash to go out next week.

Whew!

Working in my favor was a quiet weekend on the InterTubes, allowing me to easily keep pace with the remaining links in my “to blog” bookmark folder.

Weekend Thanks

Special thanks this weekend to Gary Berg for taking his time to leave me some great feedback on the Olympus E-5xx line of DSLR cameras.

Also getting a big hat tip this weekend is SunbeltBLOG who I had a brief but awesome back-channel conversation with this weekend.  I’ll eventually disclose a bit more of that goodness in the coming weeks.

Linkage

This week’s links are almost all software related.  There are a few tips, but it’s pretty much all neat stuff to consider and play with.  All free!

Help! Some idiot partitioned my giant hard drive! - Download Squad – The DSquad suggests some software tools to help fix accidentally (re)partitioned drives. Take a quick look and make sure you have noted these recommended tools.

Free ISO Creator - (freeware) – I have quite a collection of ISO file tools. This will become yet one more to add to that mix.  It makes creating an ISO file (particularly for data-disks) a very simple process.  Spotted via Download Squad.

ISODisk - (freeware) – While I personally use and recommend the freeware tool SlySoft Virtual CloneDrive for my virtual drive (ISO file mounting) needs, this one looks pretty sweet also.  ISODisk supports up to a remarkable 20 virtual drives for ISO file mounting support.  Wow!  Not sure why anyone would need that many, but if you do, there you go.  I generally just mount one or two ISO files at a time, max.

5 Windows tools to remove damaged antivirus programs - Download Squad – Very nice collection of commercial AV product uninstall tools.  These are always great to keep bookmarked.  I can’t recall how many times a borked Symantec AV install simply refused to come out of a system and we had to resort to a brute-force SAV uninstaller tool to gut it from a system.

Ammyy Admin - (freeware) – Funny name but handy “remote control” software for Windows 2000/XP/2003/Vista/2008, 32-bit and 64-bit systems. Basically you and your remote “customer” both download the file and run it.  The customer provides you the ID # which you enter into your window and away you are connected.  See this MakeUseOf.com review for more details and screenshots.

Hive Five: Five Best Remote Desktop Tools – LifeHacker – Not to be outdone by MakeUseOf, LifeHacker offers five additional remote-desktop tools.  Take the time to sort through the comments as LifeHacker readers are known to be a clever bunch and the comments really add some meat to the post.

ShowMyPC - (freeware) – My personal favorite and “go-to” tool for remote-desktop support extended to family and friends. It’s got an easy-to-remember URL.  Just have your “target” download the single file and click to run.  You do the same. Have them click the “show my PC” button and provide you the password ID number. You click on the “View a Remote PC” button and enter the number they give you.  In a matter of seconds, you are viewing (and controlling) their system.  Works through firewalls quite nicely with almost no issues.

Windows Vista SP2 and Windows Server 2008 SP2 - the interesting part – 4sysops – What is going to be the most interesting part of Vista SP2? Nothing!

New features of Vista SP2
  • Windows Search 4.0
  • Bluetooth 2.1 Feature Pack
  • Support for ICCD/CCID smart cards
  • Ability to record data onto Blu-Ray media natively
  • Adds Windows Connect Now (WCN) to simplify Wi-Fi Configuration
  • exFAT file system to support UTC timestamps, which allows correct file synchronization across time zones
  • New VIA 64-bit CPU support
  • Print server and spooler performance improvements for printers
  • Application compatibility updates
New features of Windows Server 2008 SP2
  • Hyper-V RTM included
  • Backward compatibility with Terminal Services licensing keys
  • Improved manageability features with DFS/FRS console and Storage Resource Manager
  • Print server and spooler performance improvements for printers
  • Improved error reporting in DFSR to help identify incorrectly configured deployments which lead to failed replication
  • Improved power profile

Delicious new Windows Live Wave 3 icons – istartedsomething – Long’s got some new icons dug up for the Windows Live Wave products.  I rather like them.

ShadowExplorer - (freeware) – Now this is handy for all you Vista Home Premium users out there! Basically, Vista’s “Volume Shadow Copy Service” creates point-in-time duplicates of your files. So if you accidentally delete or change one, you should be able to recover a prior “shadow” version. The only problem is that even though all versions of Vista run this service by default, only users of the Ultimate, Business, and Enterprise editions can take advantage of the benefits.  ShadowExplorer now gives Vista Home users access to retrieval of those “shadow” files. Neat!  For more information check the developer’s website as well as a review by Confessions of a freeware junkie.

Tiny Victories Inside Microsoft - SmallestDotNet makes headway & SmallestDotNet: On the Size of the .NET Framework – Scott Hanselman’s Computer Zen – This is some good stuff to read and then bookmark. Many more applications today are being developed on Microsoft’s .NET framework. The problem is that for many users, trying to decide which package is the best one to download can be a real headache. As Scott points out, the .NET download can be a real whopper.  So one of Scott’s first tasks at Microsoft was trying to make this process much clearer to understand. He had mixed results, but it’s a good reminder that a stop by the SmallestDotNet.com website will almost certainly ensure you get the smallest-sized, but correct, .NET package you need.  It’s a great and interesting series of posts to read.

Two tools to remove locked Windows files on restart - Download Squad – Yep. DSquad has two more freeware utilities to assist with removing stubborn files from your system.  For an expansive roundup check out my previous GSD post of freeware locked-file deleter utilities.  I bet you won’t click-away unsatisfied.

Use On Screen Keyboard - Technofriends - Who knew that XP and Vista included a handy on-screen keyboard utility? Yep. Just go to Start > Run, type OSK, and press <Enter>. There you go!  Great if the keyboard goes out…what? How are you to type OSK if the keyboard isn’t working? Ummm. Good question. Try navigating to the OSK.exe file in the Windows\System32\ folder with just your mouse and launch it.

For a slightly more configurable and fully portable version use On-Screen Keyboard Portable from PortableApps.com. I now include it on all my USB and utility/Win PE 2.0 boot CDs…just in case the keyboard drivers fail to load. (Grrrrr.)

WinAudit Creates Seriously Extensive System Profiles – LifeHacker – Nice recommendation for WinAudit, which is yet another system auditing tool. Looks like it has been recently updated. In the past I used Belarc Advisor, which does a great job but can’t be used at work without a license. Nowadays I prefer to use SIW - System Information for Windows (freeware) or the amazing SIV - System Information Viewer (freeware) tools. If you want a truly “tiny” application in this class, consider looking at the EFD Inspector (freeware) tool. Although it doesn’t provide quite the same depth of information, it does weigh in at just 252 kB. Scroll down a bit on the page to find it, as it isn’t the main focus of its developer’s page.  By the way, all of these are nicely portable for use on USB sticks.

How To: Customize Your Own Killer "Enigma" Desktop – Lifehacker – Now I personally have my desktops just the way I like them, and as cool as the Vista Sidebar is, it seems a bit cluttered to me so I disable it from running on my Vista system.  Nevertheless, reader Kaelri has provided a great tutorial on how to create a very polished and stunning desktop theme.  Check it out.

Signing off for now…!

--Claus V.

Browser Bullets

Last night Lavie went in for a sleep-study. I think this one was number four in less than two years.

Why is it that when your partner has a sleep-study, the other seems to not get any sleep?

The first time Lavie went in, she didn’t want to be left alone, so I remember trying to sleep in her room in a faux-pigskin recliner. Every time I moved it sounded like a prat-joke movie gone bad. I got about three hours of zzz’s that night.  The only comfort was my iPod filled with Security Now podcasts.

By the time Lavie had her second and third studies she was a bit braver and I was allowed to just drop her off and pick her up.  The center’s results were very inconclusive.  Lavie’s diagnosis was that the center wasn’t getting very good results if they had to keep coming in to wake her up every hour to adjust a sensor, or ask her to roll a certain way.

Friday night I dropped her off again and stayed a while as she got connected up to the harness.  The technician was young but enthusiastic.  Turns out he was also sleep deprived, as his main work hours were at night, but he was going to school on a GI Bill grant during the day.  Tough kid.  He had served, with honestly mixed feelings, on a few different ships during his tour, including a carrier flight-deck.  Lavie and I had watched the PBS series CARRIER, so we were able to hold a great discussion with him. Turns out his duties involved crash-recovery as well as some aircraft taxi control.  Although he didn’t seem particularly impressed with military life, he did exhibit a noticeable attention to detail as he plugged Lavie up, applying extra conductivity paste and taping the leads down where possible so the sensors wouldn’t come loose.

Lavie was tucked in by 9PM and I was home just before 10PM.  Alvis quickly went to bed but I stayed up restless until past midnight listening to the wind howl and bay and the trashcans tumble around.

Then came the 5AM phone call that Lavie was ready to be picked up.  When we got back home before 7AM, it was back to bed.  Unfortunately, I slept way too long (until almost 10AM) and woke up with a sleep-hangover headache.  I’m prone to those when I get greedy with oversleeping in the mornings.  Should have just stayed up.  The rest of the morning was a write-off with the girls going shopping for a bridesmaid dress for Alvis and sundry items for Lavie.  Me? I was pretty much a weekend bum until the fingers started moving on these blog posts mid-afternoon.

On to some browser related links of interest:

Browser News

Opera Mini 4.2 beta – I’ve been using Opera Mini on my Blackberry unit for a while now and generally like it a lot.  This new beta release installs alongside the current version you may have.  It boasts skin colors (yawn), some performance improvements, video compatibility, and Opera Sync support. For more on that last one check out Opera Link.  This is actually pretty cool as it offers the opportunity to sync information between your desktop Opera browser and your mobile Opera browser, and even a web-accessible version of your Opera data if you happen to be using another brand of browser.

Upcoming Releases – Firefox Extension Guru – While the Mozilla release schedule in and of itself is pretty dry reading, if you are a Firefox fan, seeing that the next beta 2 release of Firefox Shiretoko 3.1 is coming out around November 21st is certainly something worth expecting. Especially if it incorporates the new Private Mode features.

Meet Firefox private mode - Mozilla Links – Speaking of that Private Mode feature, Mozilla Links has a great overview of how this feature will work.  Basically if you want to start a browsing session that disables retention of history, cache, cookies, etc, you select a Private Mode session. Your current browsing session is saved and the window/tabs closed. A new Private Mode window opens and away you go. When you exit, your previous “normal” Firefox browsing mode returns.

Mozilla’s private browsing mode, like IE 8’s and Safari’s, is “private” but not actually an anonymous session. I suspect they will all still leave a bit of evidence behind for the forensic experts, and am looking forward to seeing how the Windows sleuths uncover what gets left behind.

Make Firefox look better on Vista - Mozilla Links -  If you were looking for a quick solution to add a nice Vista Aero effect to the default Firefox theme, forgettaboutit.  However, if you are willing to do a bit of work and theme-tweaking, Percy Cabello’s walk-through is pretty simple and really does deliver a much more pleasing effect.

Firefox: Why TraceMonkey is Going to Blow Your Web Browsing Mind (Lifehacker) and JavaScript:TraceMonkey (MozillaWiki) – Both posts give more information on just how awesome the TraceMonkey JavaScript performance improvements will be.  These are now built into the Firefox Nightly (Minefield) and Shiretoko (beta) releases of Firefox 3.1 but to my knowledge not enabled by default.  You can enable them with a quick about:config tweak. 

In my usage, many JavaScript-enabled sites responded much faster. However, the JavaScript can still do weird things. For example, even though I had NoScript allow all the elements at Lands End (I’m buying some long-needed dress shirts), with TraceMonkey enabled some drop-downs just didn’t work. When I disabled it again everything behaved normally. So play with it all you want, but be mindful that some sites still don’t always work quite as expected.

Safari: Safari 3.2 Released, Bolsters Security (Lifehacker), Apple Safari download, (or via FileHippo.com).  Either way, if you are a Windows user and run Safari, go ahead and get this update.  It contains a number of security-related tweaks.  I personally am running a beta version of Safari 4 – Apple Insider. If you are interested in this version, follow the steps at the end of this previous post and you should be set.  It continues to work great on my Vista system.

Browser Related Utilities of Note

Transmute - (freeware) – Now I don’t know how it has taken me so long to find this clever little utility. Transmute allows you to convert bookmark files between different web browsers.  That doesn’t sound like a big deal, but consider this: this particular utility will let you do so for Google Chrome, Mozilla Firefox (versions 1, 2, and 3), Microsoft Internet Explorer, Opera, Apple Safari, and Chromium.

Wow! Think how much time this could save if you are a browser junkie like me!  Or maybe if you are a sysadmin or investigator and you want to review some links from a user’s Internet “exploiter” browser but want to do so in a more secure and controllable browser like Firefox with a ton of specialized security add-on extensions.  Convert away and go!  Added options include exporting directly to the target browser file locations, another folder, appending with a timestamp, exporting to a root folder, and overwriting the target file directly. You can (and should) also request a backup file be made.  It is glorious in its simplicity.

Transmute does require the .NET 2.0 framework, but does come in both install and “portable” flavors. Always a big plus in my book!
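To show what a bookmark conversion of the kind Transmute performs actually involves, here is an added example (not Transmute’s code, and not part of the original post): a small Python converter that reads the Netscape-format bookmarks.html that Firefox exports and writes the JSON layout Chrome keeps in its Bookmarks file. The sample bookmark file is constructed. Two details are the substance of the conversion: Netscape ADD_DATE values are Unix seconds while Chrome’s date_added is microseconds since 1601-01-01, and the folder Firefox flags with PERSONAL_TOOLBAR_FOLDER maps to Chrome’s bookmark_bar root while everything else lands under “Other bookmarks”. Chrome’s checksum field is left out; that Chrome will accept a file without it is an assumption, not something the post states.

```python
"""Netscape bookmarks.html (Firefox export) -> Chrome "Bookmarks" JSON.

Added example; not Transmute's code.  Sample input below is constructed.
"""
import json
from html.parser import HTMLParser

# Seconds between the Windows FILETIME epoch (1601-01-01) and the Unix epoch.
WINDOWS_EPOCH_OFFSET = 11644473600


def unix_to_chrome_time(unix_seconds):
    """Netscape ADD_DATE (Unix seconds) -> Chrome date_added (microseconds since 1601)."""
    return str((int(unix_seconds) + WINDOWS_EPOCH_OFFSET) * 1_000_000)


class NetscapeBookmarkParser(HTMLParser):
    """Builds a folder/url tree from a Netscape-format bookmark HTML file.

    The format uses <DT><H3> for folders, <DT><A HREF> for bookmarks, and a
    <DL> immediately after an <H3> for that folder's children; most tags are
    never closed, which HTMLParser tolerates because it only fires events.
    """

    def __init__(self):
        super().__init__()
        self.root = {"type": "folder", "name": "root", "children": [], "toolbar": False}
        self.stack = [self.root]   # folder whose children we are currently reading
        self.pending = None        # node whose visible text (name) is still being read
        self.last_folder = None    # folder whose <DL> we have not yet entered

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)            # HTMLParser lower-cases tag and attribute names
        if tag == "h3":
            node = {"type": "folder", "name": "", "children": [],
                    "date_added": unix_to_chrome_time(a.get("add_date", 0)),
                    "toolbar": a.get("personal_toolbar_folder", "").lower() == "true"}
            self.stack[-1]["children"].append(node)
            self.pending = self.last_folder = node
        elif tag == "a":
            node = {"type": "url", "name": "", "url": a.get("href", ""),
                    "date_added": unix_to_chrome_time(a.get("add_date", 0))}
            self.stack[-1]["children"].append(node)
            self.pending = node
        elif tag == "dl":
            # Enter the folder just declared; the outermost <DL> (no preceding
            # <H3>) re-pushes the current folder so every </DL> can pop.
            self.stack.append(self.last_folder or self.stack[-1])
            self.last_folder = None

    def handle_endtag(self, tag):
        if tag in ("a", "h3") and self.pending is not None:
            self.pending["name"] = self.pending["name"].strip()
            self.pending = None
        elif tag == "dl" and len(self.stack) > 1:
            self.stack.pop()

    def handle_data(self, data):
        if self.pending is not None:   # entities are already decoded by HTMLParser
            self.pending["name"] += data


def parse_netscape_html(html_text):
    parser = NetscapeBookmarkParser()
    parser.feed(html_text)
    parser.close()
    return parser.root


def to_chrome_bookmarks(root):
    """Lay the parsed tree out as Chrome's roots: bookmark_bar / other / synced."""
    counter = iter(range(1, 10**9))

    def convert(node):
        out = {"id": str(next(counter)), "name": node["name"],
               "date_added": node.get("date_added", unix_to_chrome_time(0)),
               "type": node["type"]}
        if node["type"] == "url":
            out["url"] = node["url"]
        else:
            out["children"] = [convert(c) for c in node["children"]]
        return out

    bar_children, other_children = [], []
    for child in root["children"]:
        if child["type"] == "folder" and child.get("toolbar"):
            bar_children.extend(child["children"])   # toolbar contents become the bar itself
        else:
            other_children.append(child)

    def make_root(name, children):
        return convert({"type": "folder", "name": name, "children": children})

    return {"version": 1, "roots": {
        "bookmark_bar": make_root("Bookmarks bar", bar_children),
        "other": make_root("Other bookmarks", other_children),
        "synced": make_root("Mobile bookmarks", [])}}


# Constructed sample of a Firefox export (URLs are placeholders, not real sites).
SAMPLE_BOOKMARKS_HTML = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<TITLE>Bookmarks</TITLE>
<H1>Bookmarks Menu</H1>
<DL><p>
    <DT><H3 ADD_DATE="1226880000" PERSONAL_TOOLBAR_FOLDER="true">Bookmarks Toolbar</H3>
    <DL><p>
        <DT><A HREF="http://www.example.com/nirsoft" ADD_DATE="1226880000">NirSoft &amp; friends</A>
    </DL><p>
    <DT><H3 ADD_DATE="1226880100">Forensics</H3>
    <DL><p>
        <DT><A HREF="http://www.example.org/windowsir" ADD_DATE="1226880200">Windows Incident Response</A>
        <DT><A HREF="http://www.example.org/didier" ADD_DATE="1226880300">Didier Stevens</A>
    </DL><p>
</DL><p>
"""

if __name__ == "__main__":
    print(json.dumps(to_chrome_bookmarks(parse_netscape_html(SAMPLE_BOOKMARKS_HTML)), indent=2))
```

Running it prints the Chrome-style JSON for the constructed sample; to use it on a real export, read the file’s text and hand it to parse_netscape_html, then write the result to a copy of the destination file rather than over the live one, which is the same “make a backup first” advice that applies to Transmute.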

OperaCacheView - (freeware) – NirSoft's cache viewer for the Opera web browser now allows recall of the last specific cache folder opened/viewed, as well as re-saving the cache files in the same directory structure as the website.  Something that might be handy for forensic examiners.

ChromeCacheView - (freeware) – NirSoft's cache viewer for the Google Chrome web browser now also allows re-saving the cache files in the same directory structure as the website.

IE PassView - (freeware) – NirSoft's Internet Explorer password viewer adds an exciting new feature. Namely the ability to read the IE 7 passwords off an external drive. As Nir points out in his related NirBlog entry, this could be useful for users (or examiners) who want to collect the passwords from a dead (or offline) drive.  The only restriction is that you need to know “…the last log-on password that you used for the user profile that store the passwords.”

Good stuff, all around!

--Claus V.

Saturday, November 15, 2008

Windows 7 News Roundup #3

Overall the dust has settled from the previous weeks’ W7 madness.

Everyone has retreated back into their caves to play with their official or torrent sourced W7 install files and are poking around for the deeper bits and pieces.  So far things have been pretty quiet.

Only a handful of W7 news bits came out this week that piqued my interest:

Windows 7 to allow PC backups to network share – istartedsomething – Long Zheng discovers an option that allows backups not only to another local drive or CD/DVD media, but now you can specify a network share as well.

Windows 7 security: An overall improvement? - Defense in Depth – Robert Vamosi breaks down how the Vista Security Center will be removed and replaced with the W7 Action Center, which seeks to unify 10 existing Windows features: Security Center; Problem Reports and Solutions; Windows Defender; Windows Update; Diagnostics; Network Access Protection; Backup and Restore; Recovery; and User Account Control.

5 very basic things Windows 7 still isn’t any good at - Download Squad – The crew is feeling pretty bold to make judgments on a pre-beta release, but they do nail some key issues such as compressed file handling and time adjustment.

10 genuinely kick-ass features to get excited about in Windows 7 - Download Squad – On the other hand the crew does find many more things they like in W7 including the Device Stage, improved network file sharing, PC Safeguard, and a new “Time Machine”-like image-backup system.  I’m wondering if it will be based on Microsoft’s ImageX utility which is frankly super-cool.

Get Windows 7 Calculator In Vista – Daily Gyan walks us through a hack to get the W7 calculator working in Vista.  It’s not too difficult, but it will take a moderate amount of system-fiddling, so you had better want it really badly to make the effort to get it configured.

"Blue Badge" tool available, unlocks all known protected features - Within Windows – A few weeks ago Rafael Rivera did some great detective work and found that many of the cool W7 features displayed in the Microsoft presentations (but missing from the pre-beta not-quite public release version) were actually in it anyway, but trickily disabled.  His workaround released those locked up bits.  Now, Rafael has refined his tool with the "Blue Badge" tool.  It’s really clever and polished.  Recommended for everyone playing with the W7 pre-beta.

Engineering Windows 7 : Action Center – The W7 Microsoft team gets all crazy-technical about why they felt they needed to redesign the Vista Security Center into the W7 Action Center.  Lots of end-user behavior studies and stuff like that.  Skip past all that boardroom discussion and head down to the technical presentation on Action Center mid-way into the post.

Our effort to quiet the system and make sure you are in control took the following approach:

  • Working across Windows 7 to reduce unnecessary notifications
  • Put you in control of the notifications you see
  • Creating Action Center with the following goals
    • Reduce the number of notification balloons sent to you and make the ones that are sent more meaningful
    • Provide a contextual way to address the issues with a single click
    • Reduce the user-interface clutter in the system to streamline solving system issues

While there are many other efforts going around notifications and the notification area I’m going to focus on Action Center. In a nutshell, Action Center is a central location for dealing with messages about your system and the starting point for diagnosing and solving issues with your system.

If pulled off right, this could be a Good Thing for the W7 user experience.

--Claus V.

Security Simmerings…chunky style goodness

[Image: VIPRE scan results screenshot]

Lean Snake-meat

I’m trial-testing a new (to me) anti-virus/anti-malware product on our Vista system.  It’s Sunbelt Software’s VIPRE Antivirus + Antispyware program.

It’s a bit of a different product for me as I usually stick with “free for personal use” versions such as AVG Free.  This one is good for just 15 days.  On the plus-side, Sunbelt offers a $49.95 deal to register its use on all the computers in your home for a year.  That does seem like a good value.

I uninstalled AVG Free 8, then after a reboot loaded this one up.  A full scan with VIPRE took 128 minutes and, as the image above shows, scanned a bunch-load of items.  In all it found five cookies as well as two possible trojans and one potentially unwanted program (PUP).  I was a bit shocked at first, but found that one was Abel (of Cain and Abel), one was a utility in NetTools, and the last (the PUP) was a tool that allows you to run an application under a different date. So all were in fact known and approved by me to be on my system.

I must say my first impressions are very positive.  The interface is very logical and easy to navigate. Each time I wanted to do something or find something, I was quickly able to find it, even without having read the Help files.

My only “gripe” at this point is that I was not able to select any of the items found in the middle of a scan to view the details on them.  This led to some mixed concern on my part until the scan completed and I was able to see the details. I’d like to ask the Sunbelt team to allow viewing of detected-threat details while the scan is in progress, or to allow additional columns to be added to the default view that would at least show the location (path) and filename of the threats so some information can be reviewed mid-scan.

I’m not intending this to be a “review” but more of a first-impressions piece.  However, if after the fifteen days are up I’m still happy, I’m pretty sure I’ll be signing up for a subscription and composing a longer review.  In the past I used their Sunbelt Firewall product for a very long time, abandoning it only when it took so long for them to deliver a Vista-compatible version…(now available). I was very pleased with the product and company from that experience.

On top of that, CEO Alex Eckelberry’s SunbeltBLOG is a long-time RSS feed of mine and I really enjoy the posts found there. Alex is very responsive and frequently drops into forums and blogs and leaves his comments.  I’m always impressed with his attitude and willingness to engage in constructive discussions on both his company’s product as well as the anti-malware industry in general.

AVG Foul and Alternative Poultry Choices for the Pot

Goodness knows, I’ve been a long-time apologist for AVG Free here on this blog.  It was one of the very first “free” anti-virus products I switched to after leaving a paid-subscription service.  It’s had its ups and downs but overall I still remain pretty pleased with AVG and continue to recommend it for most home-users looking for a free security product.

My complaints remain, however: a very busy interface, difficulty finding and using the “advanced” settings and configuration tools, periodic false-positives, the fact that I’ve never been able to get the “upload to AVG” feature for sending sample files to AVG to work, and the fact that it continues to hammer away on a number of my utilities as “Potentially Unwanted Programs” despite the fact I tell it not to.

AVG has again made the rounds of the tech circles with reports of false-positives on some critical (or important) system files. Although I personally haven’t experienced any of these recent behavioral problems, they could be a bit disconcerting for AVG newbies not yet accustomed to the frequent false-positives the AVG signatures are known for.

TechBlog: Ooops: AVG thinks key Windows file is a Trojan

TechBlog: Yet another AVG false alarm: Time for an alternative?

AVG virus scanner removes critical Windows file - Security and the Net

This led to me re-evaluating my selection with AVG Free 8 again and giving VIPRE a try.

In my previous AVG Free v8 versus the Competition (Speed to Scan only) post, I came to the conclusion that AVG Free v8 had the fastest performance overall of any free anti-virus product that I had tested.

The runner-up was Avira AntiVir Personal.  I said that I would likely choose this as my second choice were I to leave AVG Free 8.  The only drawback I find with AntiVir is that the free product has a few more limitations than other free solutions. On the plus side, Avira consistently leads the pack on SRI’s Most Effective Antivirus Tools Against New Malware Binaries detection list.  See also AV-Comparatives.

Curiously, I did not see Sunbelt Software’s VIPRE listed in either location. So I really have no way to see how they would stack up in these tests by comparison.

If I did go with AntiVir I would probably also use it in tandem with either (or both) Malwarebytes' Anti-Malware (free but $ for full-feature version) and ThreatFire (freeware).  I had always relied on ThreatFire’s HIPS type protection before, but it seemed to conflict with COMODO’s firewall and kept locking up my XP system’s hard-drive so I just uninstalled it from everything for now.

Then there is COMODO’s Internet Security suite, which remains a free security product that bundles its awesomely hardened firewall along with some interesting anti-virus/anti-malware products.  Certainly worth looking at as an integrated anti-malware/anti-virus solution if you are tempted to walk away from AVG Free 8.

Finally, I found this security software review site that uses YouTube videos to highlight its findings: Remove Malware.

Pure Angus Meatiness

Microsoft® Malware Protection Center : Malware and Signed Code – Yep, it’s a brief discussion on code signing and how it is beneficial to preventing malware.

Microsoft® Malware Protection Center : Win32/FakeSecSen - A Nasty Piece of Work – MMPC staff take some of the fake security programs to task. I frequently see evidence of these at work where users were surfing, got a pop-up, and the program/presentation looked quite legitimate and tricked the user into installing the app on the system.  Then our Symantec program alerts on them (but can’t remove them), and off we go to pull them off the system.  It’s probably even worse for many home users. It’s a great roundup and discussion.

Wi-Fi Networking News: WPA Not Cracked, But Still Vulnerable and Security experts reveal details of WPA hack - News - heise Security UK – The details of the WPA weakness are finally fully out.  It is a flaw, but probably nothing for the average home user to be deeply concerned about…at least not quite yet.  If you are really concerned and your Wi-Fi router supports it, consider switching to WPA2.

Windows Incident Response: More Deleted Keys Goodness! – Harlan shows just how valuable the ability to find (and recover) deleted registry keys can be. Neat stuff.

Windows Incident Response: New Code Posted – Harlan also kindly offers up a plug-in to his RegRipper tool that will help recover deleted registry key information for investigators and SysAdmins.

SynJunkie: The Story of a Hack - Part 2. Breaking In – SynJunkie is continuing his class on how a penetration attack occurs.  So far it has been quite educational and nicely documented.

Shoulder Surfing a Malicious PDF Author « Didier Stevens – This was really cool.  Didier was able to obtain a malicious PDF file that actually retained the incremental changes the malware writer made while trying to get the PDF bomb ticking.  He provides a great analysis, and I wonder what applications this technique could have for forensic examiners, who could find some good clues and data in those retained revisions as well.  If nothing else it is good information to be familiar with.

--Claus

Saturday Diversions

Well, it’s Saturday.  It’s cool, bright, and lazy.

I usually have a pile of bookmarks I’ve noted and collected each week, but this week has been slower than most.  I have a few collections of subjects to get up, but so far I have been feeling pretty lazy.

Watched the Notre Dame – Navy game.  It was really exciting.  Went outside for a brief bit to pick up yard litter and stuff overturned from the strong winds over the last 24 hours.  I’d like to test my wireless connection out in the back-yard, but it is just too windy to be enjoyable out there.

I do have plans to make a pot of chili for the family.  Got a new recipe to try out. Seemed appropriate for the cold night forecast for tonight.  I haven’t done much baking for a while, but I might also make some peanut-butter/chocolate bars again as well.  Alvis and I tried about a month ago, but the big mistake was going with margarine rather than real butter.  The bottom layer came out mealy.  Ick.  Nothing beats butter.

Dell USB HID Keyboard and WinPE headaches 

I’m still banging my head against the wall with my VistaPE building sessions at work.

For a recap, see Rainy-Day Placeholder Linkage: It’s a PE 2.0/VistaPE thing…

To summarize, I have to create a WinPE 2.0 based live boot CD that has had PGP encryption drivers “injected” to allow access to whole disk encrypted systems.  My preferred platform for WinPE 2.0 is VistaPE.  I can successfully build a PGP/PE combo with a pure WAIK build but that just nets me a command-line box.  Not very “sexy”.

I can build a VistaPE/WAIK build that is sexy and has PGP, only the Root USB HID keyboard driver used by our Dell Optiplex systems won’t load.  I’ve installed an on-screen keyboard tool as a workaround, but it is clunky-sexy.

The D-Man attended a TechNet session last week here in Houston and brought me back some awesome goodies.  Biggest was a “real” Vista Ultimate setup DVD with a 1-year promo license.  I’m less interested in installing Vista with it, but it has become golden as it now allows me to build full “Vista” based VistaPE disks instead of relying on the Vista WAIK wim file.  Really sexy.

So now it gets really weird.  I successfully built a Vista-based VistaPE WinPE 2.0 disk.  I also successfully injected the PGP drivers on it.  I copied the resulting WIM file to my bootable USB stick build and tested it on the Dell Optiplex.  Worked 100% perfectly.  Full VistaPE environment and keyboard worked perfectly.  So did the PGP drivers. Awesome.

But when I burned the same ISO file to CD, the PGP driver load causes a BSOD in the boot disk.  It works off USB but not off CD.  Strange.

So I continue to work through the driver loading issues.  I’m determined to get it to work.

Lego Building

Although tonight’s schedule at the Valca den is to eat chili and watch a classic movie or two with the girls, I might also try to divert my weakened brain cells by doing some more Lego building.

Mom got me a few Star Wars Lego sets for my birthday last month. I built a mini-kit in bed one night, but the two bigger sets remain in the box.

I noted this week that Lego loses EU trademark on bricks.  We grew up with Lego blocks in our home and had several large tubs filled with them.  I think Mom still does have them somewhere in her home.  Every now and then a wanna-be brick would make it in.  These were like weeds.  They looked pretty but we tossed them as soon as they were discovered.  Lego has always been tops in our book due to their quality.  Everything else just doesn’t satisfy.

For days when you don’t want to scatter the bricks, there is also the Digital Designer by Lego.  It’s a free download that lets you design and build virtual Lego models.  If you are so enamored by your choice, you can always purchase the custom build kit from Lego.  That’s pretty cool.

Flickr Voyeurism

I still haven’t had the fiscal courage to help our nation’s ailing economy by making a DSLR camera purchase.

I keep going around and around on the choices.  My photography friend at work (as well as my brother) both recommend the Canon EOS Digital Rebel XTI, or the SIGMA DP2, but now I am leaning towards something from the Olympus E-System Digital SLR mid-range line.

To keep fueling my jonesing, I have been spending time browsing through the loads of great photography work to be found on Flickr.  However, browsing and finding the best works is daunting.

To that end I have been using two specialized “Flickr aggregators” to help speed my image surfing.

Scout: Find your photographs in Flickr’s Explore – Created by BigHugeLabs, it allows for image collection loads from random artists who have made Flickr Explore.  It’s really nice and I’ve found a number of artists in particular I have bookmarked for future reference.

Flickr Leech – Created by Andrew Houser, it is simply amazing.  Load a collection for a particular day or search for images based on a keyword.  The interface is really pleasing and it is a joy to search for specific images.  Just how long Flickr Leech is allowed to continue is in some doubt.  See Thomas Hawk’s post “Flickr Censors Popular Flickr API Developer, Developer Threatens to Kill Flickr Application FlickrLeech This Week” to get the background.  I hope it survives.

--Claus

Update/Tip:  Figured out there were also some Flickr Groups that specialized in the particular DSLR cameras I am considering.  What a fantastic way to really see just what kind of imaging each camera is capable of delivering in the hands of an amateur or professional photographer!

All of them look pretty amazing!

Tuesday, November 11, 2008

Rainy-Day Placeholder Linkage: It’s a PE 2.0/VistaPE thing…


Rain is coming down pretty heavy here on the Texas Gulf Coast.

I had the day off in remembrance of Veteran’s Day.  I met my Dad last night in Houston and took him out for dinner at a local bar-b-que joint. My treat as he is a Vietnam vet and it seemed like as good an excuse as any for trying to convince him not to grab the check.

Tonight, in honor of the rain, I’m getting ready to put on a pot of homemade potato soup. At some point in the past Lavie was the family soup maker and we had some recipes we used. Now I’ve made this particular blend so often that I just make it from scratch using recipe-reckoning.  And I found a loaf of fresh roasted-garlic artisan bread to serve on the side.  Yummers.

So anyway, I’ve been working on a technical side project at work and making some progress. Basically it has two elements…the first I seem to have overcome, the second has me stopped at the moment.

We are now getting ready to deploy whole-disk file-encryption to all our computer systems.  This is a great idea and a long time coming. It should greatly help secure our data in case any of our desktop/laptop systems walk off.

This does add a layer of complexity to our IT jobs, however: because each system will be encrypted at the boot level, using a “LiveCD” to boot and troubleshoot the system/files would be impossible.  Two primary workarounds do exist; first, use the vendor’s “LiveCD” to boot the system and enter the access-code to get on to the system, or use the vendor’s “LiveCD” to decrypt the entire drive before working on it.  The first only provides a limited set of tools, the second could take hours (4+) to process.

I did discover a third option, and that is a method to inject the encryption drivers into a Win PE 1.0 or 2.0 boot disk.  By running a command to execute the encryption filter service along with the password, the entire disk’s files can be manipulated, user-data extracted immediately, or other “normal” off-line technical service to the system.  Perfect.

I use a customized VistaPE (Win PE 2.0) so after a bit of effort, I was able to successfully inject these specialized encryption system filter drivers into my PE disk. Worked like a charm. I was so happy.  (Will post about this later once I have everything worked out.)

However, turns out that I’m still having issues with these crazy Dell Optiplex 755 systems.  They are pure USB connectors now (no legacy PS2) and while the USB keyboard/mouse works just fine with a “pure” Win PE 2.0 WAIK built disk, the keyboard refuses to work under my VistaPE build.

To further complicate things, the Dell USB keyboard is an “enhanced” multi-media keyboard with additional USB ports on the back of it.  Now I’m not certain but I really think that is the real issue.  I suspect the VistaPE hardware detection is picking up the keyboard as a USB hub and not as a keyboard.  If that’s true, and I can find that driver, it might take care of the keyboard issue.

I do have a PS2 –> USB adapter.  I might also try using that to use a different “standard” keyboard and see if that is sensed by VistaPE better.

I’ve discovered that during the building process, not all of the drivers from the WAIK .wim file are installed in the VistaPE wim file; it is much smaller in size.  Also, from what I can tell, either the USB keyboard driver isn’t getting loaded in the VistaPE build OR there is a USB root hub controller driver that isn’t getting properly loaded.  To compound things, Win PE 2.0 is built on Vista so I’m having to look for Vista drivers for this thing…fortunately they seem to be in the Win PE 2.0 wim so I just need to identify the specific ones I need and either try to “inject” them into the VistaPE wim or load them during the VistaPE wim building process.  So, I know the drivers I need are present in the Win PE 2.0 boot.wim file, and (they?) are missing in the VistaPE wim file.  Sigh.
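One way to find that gap mechanically, as an added example that is not from the post: walk the driver folders of two mounted WIM trees (the reference boot.wim and the VistaPE wim), list the .sys/.inf files the reference has that the candidate lacks, and narrow the result to USB/HID/keyboard names. The mount paths are placeholders and the sample file names are constructed, not the actual contents of either image.

```python
"""Diff the driver inventories of two mounted PE images (added example, not the post's)."""
import os
import tempfile
from typing import Dict, Iterable, List, Set, Tuple

DRIVER_EXTS = (".sys", ".inf")
USB_HID_HINTS = ("usb", "hid", "kbd")  # name fragments of the USB/HID/keyboard stack

def driver_inventory(root: str) -> Set[str]:
    """Lower-cased names of every .sys/.inf under root, e.g. a mounted WIM's Windows dir."""
    found: Set[str] = set()
    for _dirpath, _dirs, files in os.walk(root):
        found.update(n.lower() for n in files if n.lower().endswith(DRIVER_EXTS))
    return found

def missing_drivers(reference_root: str, candidate_root: str) -> Set[str]:
    """Drivers present in the reference image (boot.wim) but absent from the candidate."""
    return driver_inventory(reference_root) - driver_inventory(candidate_root)

def usb_hid_related(names: Iterable[str]) -> List[str]:
    """Narrow a driver list to files whose names suggest USB, HID or keyboard."""
    return sorted(n for n in names if any(h in n for h in USB_HID_HINTS))

def build_demo_trees(base: str) -> Dict[str, str]:
    """Constructed sample trees standing in for two mounted WIMs (not real image contents)."""
    sample = {
        "boot_wim": ["atapi.sys", "usbhub.sys", "usbccgp.sys", "hidusb.sys", "kbdhid.sys", "input.inf"],
        "vistape_wim": ["atapi.sys", "usbhub.sys", "kbdhid.sys"],
    }
    roots: Dict[str, str] = {}
    for image, files in sample.items():
        drivers_dir = os.path.join(base, image, "Windows", "System32", "drivers")
        os.makedirs(drivers_dir)
        for name in files:
            open(os.path.join(drivers_dir, name), "w").close()  # empty stand-in file
        roots[image] = os.path.join(base, image)
    return roots

def demo_gap() -> Tuple[List[str], List[str]]:
    """Compare the constructed trees; returns (all missing drivers, USB/HID subset)."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = build_demo_trees(tmp)
        gap = missing_drivers(roots["boot_wim"], roots["vistape_wim"])
        return sorted(gap), usb_hid_related(gap)

if __name__ == "__main__":
    # Real use: missing_drivers(r"C:\mount\boot", r"C:\mount\vistape") on imagex-mounted WIMs (placeholder paths).
    print(demo_gap())
```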

Miles (from TinyApps Blog) posted a tip over on another post that might have some bearing as well: PC Accessories Issues when USB Legacy Support is Disabled so I’m going to see if the Dell 755 BIOS has a setting for this.  If so, that might make things simpler. But I’m now determined to figure out how this works so I can master a new skill in the VistaPE building process.

I’ve signed up for the Boot-Land forums and am waiting to be approved by an administrator so I can post a few questions there as well.

In the meantime, I’m dumping all the links I’ve been bookmarking and referring to here for quick reference.

Most won’t probably mean anything to anyone but me, but if they help…bonus!

VistaPE — Downloads – VistaPE now at a v12 RC1 release.  I’m using v11 beta 3 and I’m not sure if the new version will help me or not.  Will be trying that as well.

HOW TO: inject drivers into Microsoft’s free OS, Windows PE 2.0 – APC Mag

How To Inject Drivers into Win PE 2.0 – Commodore.ca post

DriverView: List all device drivers currently loaded on your Windows – NirSoft utility

Windows Preinstallation Environment & BartPE Tools – PGP technical guide (PDF) and zip files. Note the PDF document seems to have quite a few typos and other technical errors in it. Took me a while to work through them all.  Will post those as well once I get my bigger fish caught and mounted.

Oscdimg Command-Line Options – Microsoft TechNet

Wpeutil Command-Line Options – Microsoft TechNet

PEImg Command-Line Options – Microsoft TechNet

Toss DOS, Install Vista with Free WinPE – ITsVISTA

rem Change to the WAIK PETools folder (the paths below assume the WAIK's default c:\winpe_x86 layout)
cd "c:\Program Files\Windows AIK\Tools\PETools"

rem -n allows long file names, -m ignores the ISO size limit, -b sets the El Torito boot sector (no space after -b)
oscdimg -n -m -bc:\winpe_x86\etfsboot.com c:\winpe_x86\ISO c:\winpe_x86\winpe_x86.iso

WinPe with Dell Optiplex 755 - MSFN Forums

v12RC1: RAID driver not loaded (even though included in SATA script) - Boot Land – Although I don’t have this specific issue, the discussion seemed to touch on related issues.

Adding Drivers for Unsupported Hardware – MudCrab’s VistaPE WinBuilder script looks like it could save me (and others) time in trying to “inject” drivers into the wim by installing them via the VistaPE building process.  Still not sure which drivers I want to be adding to get the stupid USB keyboard/hub working.

Driver Installer For VistaPE - Boot Land. Another thread on drivers and VistaPE.

[App Scripts Guide] Creating a new app script - Boot Land. I’m feeling like I need to take my knowledgebase for VistaPE up to a new level by understanding the foundations of how it works and script-building.  This guide by Nuno Brito looks to be excellent.

VistaPE - Boot Land. Primary forum for VistaPE issues and discussions.

PC Accessories - Issues when USB Legacy Support is Disabled – Intel tip from Miles with USB support and BIOS settings.

Wish me focus, patience and a measure of luck.

Oh yeah, I still have my “normal” work duties to stay focused on while I work this one out.  Very hard to do once I get focused on trying to resolve a technical issue that is just outside my fingertips!

Now…on to that soup!

--Claus V.