PowerUp Tip: FreeCommanderXE + Total7zip Plugin

I think I am clearly on the record with my admiration and love of the freeware Windows file manager FreeCommander.

I have lot & lots of additional alternative freeware file managers as well. Each has its own spin. Some are single EXE files and others have options to open a bazillion multi-pane windows.

But I find I use FreeCommander almost exclusively.

If you weren’t aware, there is a “beta” version of FreeCommander out as well, FreeCommander XE. I’ve been using this one and found it super nice. It has a number of features that the “current” version of FreeCommander doesn’t offer. It updates pretty often so I’m checking back weekly to see what the latest version is and use it.

It comes in both an “installable” and “portable” version…just like the original. I prefer using this build.

If you want to get “crazy” you can download the FreeCommander Portable package (over at PortableApps.com) and then replace the application contents in the <path-to-location>\FreeCommanderPortable\App\FreeCommander folder with the FreeCommander XE program files instead.

Works like a charm.

Anyway, that’s not what this post is about.  Back in 2009 (has it been that long?!) I wrote a post Minor manual tweaking of freeCommander where I updated the stable version of FreeCommander (hereafter referred to as FC) with newer file compression binaries for some minor improvements in the file archiver feature FC supports.

You can still follow that post and do most of those tips, grabbing needed binaries from this DelphiZip Dlls link and this one WinRAR archiver as well.

But the new FreeCommander XE version (hereafter referred to as FCXE) builds use some different features for handling compressed files.

By default FCXE supports ZIP, JAR, and WAR file formats for unpacking.

That’s quite fine for most folks, but being a power-user, I often encounter many, many other types of compressed file formats that I want to view the internal contents of (before extracting). One of the most comment are RAR archive files.

After poking around a bit, I found a combination of tips in the FreeCommander Forums that pointed me to an awesome solution; the Total7zip plugin for Total Commander!

• FreeCommander Forum • View topic - 7zip setup
• FreeCommander Forum • View topic - R520 - FC crashes when packing with Total7zip plugin

It took a while to work out the details using a combination of tips from both threads and get it to perform smoothly but now I can browse and extract an amazing number of compressed file formats from within the FCXE application.

7z, XZ, BZIP2, GZIP, TAR, ZIP, ARJ, CAB, CHM, CPIO, CramFS, DEB, DMG, FAT, HFS, ISO, LZH, LZMA, MBR, MSI, NSIS, NTFS, RAR, RPM, SquashFS, UDF, VHD, WIM, XAR, Z.

You will almost certainly need to tweak the steps below to fit your own FCXE installation & environment.

1. Download and unpack the latest Total7zip plugin package for Total Commander; totalcmd.net
2. Under your FreeCommanderXE application location, create a “Plugins” folder…if not already there.
3. Under that one, create a “wcx” folder.
4. Under that one, create a “Total7zip” folder.
5. Copy all the files\folders unpacked from the Total7zip RAR file from step 1 into that folder created in step 4.
6. In that folder that you just copied all the files into, look for the file “total7zip.template.xml”
7. Save a copy of it as “total7zip.xml” in the same folder.
8. Open it up with your favorite text editor, we need to make some changes.
9. Line 6 says “<path path_7z_dll="" path_7zG_exe="" />” by default
10. Inside the double quotes (“”) insert the full path to each of the referenced files. For example, on my system, line 6 looks like this:
    <path path_7z_dll="C:\Standalone Apps\File Folder Tools\File Managers\FreeCommanderXEprealfa\Plugins\wcx\Total7zip\7z.dll" path_7zG_exe="C:\Standalone Apps\File Folder Tools\File Managers\FreeCommanderXEprealfa\Plugins\wcx\Total7zip\7zG.exe" />
11. Line 7 says “<path64bit path_7zG_exe="" path_7z_dll="" />”
12. Inside the double quotes (“”) insert the full path to each of the referenced 64-bit files. For example, on my system, line 7 looks like this:
    <path64bit path_7zG_exe="C:\Standalone Apps\File Folder Tools\File Managers\FreeCommanderXEprealfa\Plugins\wcx\Total7zip\64\7zG.exe" path_7z_dll="C:\Standalone Apps\File Folder Tools\File Managers\FreeCommanderXEprealfa\Plugins\wcx\Total7zip\64\7z.dll" />
13. There are some additional settings you can tweak if you wish on line 8. Check out the “Readme.rtf” file in there for details. One of the most popular recommendations is to set the “awaysWait7zip” value to “1”.  Here is what I have for my line 8.
    <compression save="1" sfx="7z.sfx" updateSfx="0" askByContent="0" askByContentTimeout="1" alwaysWait7zip="1" extractToTempCount="1" deleteToRecycleBin="1" keySimpleMode="-1">
14. Save the modified “total7zip.xml” file.
15. Copy your modified “total7zip.xml” file into the same folder location where your “FreeCommander.exe” file is located. (This is very important! Until I found that second forum thread tip, I still kept crashing when I tried to “pack” a file with FCXE)
16. Now launch your FreeCommander application.
17. On the menu-bar, go to “Tools”, “Settings”, and then select the “Archiver plugins” item.
18. Use the “bar+” icon in the top right to add a new entry to the list.
19. Browse to the location of the “Total7zip.wcx” file and select it. It should be under the “Total7zip” folder you created in step 4.
20. You will now see it listed beneath the default “fcZip” entry.
21. Uncheck the “fcZip” & “fcRar” items. (updated 2016-05-01 hat-tip to anonymous commenter)
22. Check the “Total7zip” item. Then click on the “Total7zip” row to make sure it is highlighted.
23. Add the list of supported archive types you are interested in under the “FileExtensions” form field. You can add as many or as few of the supported Total7zip ones you want. I added the following. Note that they are separated with a period symbol “.” and not a comma:
    7z.xz.bzip2.gzip.tar.zip.arj.cab.chm.cpio.cramfs.deb.dmg.fat.hfs.iso.lzh.lzma.mbr.msi.nsis.ntfs.rar.rpm.squashfs.udf.vhd.wim.xar.z
24. I don’t do this, but if you want to create “self-extracting (SFX)” archives then browse to the location of the binary you want to use. To keep things simple, I just kept the default provided FCXE binary “FCSFXStub.exe” which is located in the same location as the “FreeCommander.exe” file.
25. Under the “Supported options” drop down, make sure it shows “Supported options (735):”.
26. Click the “Apply” button.
27. Click the “OK” button.
28. On the menu-bar, go to “Tools”, and select “Save Settings”.
29. Done!

Your configurations panel should look something like this, though the application paths will be specific to your system.

I’m sure there are a whole lot more tips and tweaks and tricks you can do, but these were more than enough for me.

Being able to browse directly into an expanded set of archive file types is a super time saver for me.

Hat tips to the original form thread posters and contributors for setting me on the correct track!

Cheers,

Claus Valca

Chunking it all…and coming up roses

One of my side jobs is to help manage video-desk operations at the church-house.

Videos of the main services and special events are captured via several remote-operated Sony EVI type cameras, operated through a Sony RM-BR300 control board and then mixed via a Panasonic  AV-HS400 unit.

From there the the final video output is fed into a standard DVD player/recorder unit using base sound captured by the sound board.

And the generated output is a DVD-R optical master-disk from which copies may be made when requested by attendees/guests.

Not that big a deal…except when a request is made for just a digital portion of the DVD…say a special music performance or a sermon.

Unfortunately, because our rig isn’t (yet) set up for digital video capture to HDD, processing the request takes a few extra steps.

For DVD duplication, the process is pretty easy. I can use any of a number of fine freeware tools to rip an ISO of the master DVD we produced and then burn that ISO file to make copies at will of DVD copies. Works fine.

However, when I have to rip and convert a segment from the DVD, it has been a lot more dramatic.

Time being precious like it is around the Valca home lately, I prefer to take the DVD master disk home with me and then process it on my laptop.

It’s a Dell Studio 15 (1558) with an i7 quad-core processor, 8 GB RAM --maxed out :p --, and a 1024MB ATI Mobility Radeon HD 5400 Series graphics card driving the HD display. All that to say it is pretty beefy and should be able to handle just about any general video task I toss at it.

However, for the past year or so I’ve been battling choppy/stuttering video playback after I do my video re-encoding work.

DVD’s play fine, YouTube videos play fine, Vimeo plays awesome - particularly in 1080 HD.

But when I play back my own re-encoded rips…FLV/MOV/WMV/MP4/ETC…in anything, including KMPlayer or VLC Player, it is stutter city and very, very frustrating.

Houston, clearly there is a problem.

I don’t have the issue on our video-desk PC system up at the church house. It is a desktop system with less system RAM and  multiple video cards (4 displays baby!) but it does have a i7 quad-core processer as well.

The issue clearly was with my system, but what exactly.

I have more than a lot of video processing/recoding applications.

• FormatFactory
• Super
• Pazera
• ShanaEncoder
• TEncoder
• Weeny Video Converter
• AnyVideoConverterFree
• Hamster
• Freemake Video Converter
• HandBrake

One thing I prefer is that the application can read the DVD directly and allow me to select a custom start/end segment to capture and convert. It make pulling the specific segment out much more time efficient.

However, it seemed that no matter which application I tried, and which video format/quality I chose, the stutters always occurred. Yuck.  Watching my CPU threads and memory during processing didn’t seem to show that I was pushing the limits of the system at all. And I’ve successfully done some seriously heavy video editing processing in Lightroom with nary a hitch.

I did some research and found a lot of Dell Studio 15 (1558) users also complaining about stuttering playback.

Naturally I first tried to download and install the latest AMD ATI Mobility Radeon HD 5400 driver.  The AMD driver page is a bit kooky. If you follow the drop-down help it takes you to a new 13.11 Beta version available, but I wasn’t sure I was that desperate. However if you want the latest “stable” version, you won’t find it under the drop-downs, instead check the right-sidebar and look for the section with the Radeon HD 5000 series link in your Windows flavor. Currently it looks like the Catalyst Software Suite is at revision 13.9.

I did a full install but that didn’t help me one bit. Still the problem persisted.

Hmmm.

I did notice a bunch of options in the default install…do I really need those? Could those be causing an issue with the recoding software? I wonder…

I re-ran the installer again but this time chose the “Custom” option and noticed it actually contained a lot of additional options.  Ghacks has good post breaking them down.

I ended up uninstalling the following packages from my ATI driver package: AMD APP SDK Runtime, custom ATI codex, drag and drop transcoding, and some specialized video type playback support. All those specialized transcoding features that seemed to allow the graphics processor to assist with video decoding/encoding/processing seemed like they could potentially cause some issues with the software packages I was using.

Reboot and reattempt recoding.  Yea! Success!  Smooth video encoding results.

Since I was doing a lot of trial-and-error troubleshooting, I ended up finding that use of HandBrake to do my initial video selection edit rip-from-DVD and convert worked the fastest and best. From there it really didn’t seem to matter which other video-converter I used to change that file into another format, the final output played flawlessly regardless.

So, if you are using a AMD graphics card and using the ATI Catalyst software/drivers, but still experience issues with your video encoding/playback, you might want to try choosing a “Custom” install rather than the “Express” and then dumping (or uninstalling) those extra feature components that you think you really don’t need.

The Catalyst Control Center has a bunch more performance and feature tweaks you can make as well…and I made just a few but those were all for display picture quality rather than performance.

One awesome and unexpected benefit this brought me was being able to do additional tweaking of the display settings of my new’ish  HP Pavilion 22bw 21.5-inch Diagonal IPS LED Backlit Monitor(C4D29AA) display. I got super-frustrated with the HP driver-display management package and the quality (being output from my laptop on the free HDMI port) was pretty disappointingly sucky. Text was very muddy despite the best efforts to improve it, even with ClearType tweaking.  However, the Catalyst Control settings allowed me to adjust the overscan so it filled the frame and after a little playing with other display options the Catalyst Control Center offered me for it, the display now shows text and other content razor sharp! Hurrah!

Finally, here is one last “bonus tip” for you crazy (personal) video DVD rippers and editors and re-encoders out there.

I usually keep the ripped ISO imaged of our service DVD’s around for quite a while that way I don’t have to take the extra time to re-rip them (usually about 10-15 min per disk).  So when I want to make new copies I just burn the ISOs. Much faster.

So what I figured out was that when I am trying to rip a segment of video from of of our service DVDs, it’s a lot faster to mount the ripped DVD ISO as a virtual drive using ImDisk, OSFMount, or Virtual CloneDrive and use that as my source. The encoding software seems to access the data much faster than when reading it directly off the optical drive media.

I hope this helps some frustrated Studio 15 (1558) users out there who otherwise love their spiffy laptop.

Cheers!

--Claus Valca

Anti-Malware Response “Go-Kit”

I don’t know how many of my readers feel when it comes to performing a malware response.

I tend to get very frustrated, regardless of the response situation. A very wise person said to me that of all the challenges I am constantly wrestling against with myself, the core issue from their perspective is that I am a problem solver. Got a problem? I can and will step up and try to solve it; often by the book (as best I can muster) and then taking it beyond.

What I should be doing is learning to execute well, execute efficiently, and then walk away when done.

In other words, there are some bones I just need to bury and stop digging back up and chewing on again.

That’s often the problem I face with dealing with malware infections.

At work the response calls almost always come in from an automated alert. Some AV client on a system alerted when it found some binaries that matched something in its DAT collection. That client talks to the mother-ship program which is monitored by an admin who sends and email requesting the system be responded.

In almost every case, the required (per operational policy and procedures) response is to recover user data, wipe and reimage the system, scan the user data, restore the user data. Move on.

While we don’t probably have the resources available to do a full-blown incident response on every end-user system we get an infection alert on, I shudder to consider that we could be consistently missing out on understanding and identifying potential data-leakage off our user’s systems not to mention the lost opportunity to learn how the infection occurred and how take-aways from a in-depth analysis could help be used to better harden the protection systems in place; and educate the end users.

Sigh.

The case generally doesn’t get any easier in the home front. More than many times have friends and family approached to me explain they have some sinister problem on their home system and need some advice. What they generally are asking is, “Can you fix it for me?”

What they aren’t asking is, “Can you perform an in-depth analysis on what I have on my system, what data I may have lost in the process, how it got on there, and how I can keep it clean in the future?”

Nope.

They are in a panic, and want the system restored to a functional state so they can go back to their old habits.

So despite the tons of material out there from awesomely good-at-their-jobs malware and incident response experts, we generally continue the same fruitless routine of getting infected, getting the system cleaned, walking away, and getting infected again.

In my frustration, I wanted to spin it to the positive and try to share some of my “go-kit” for malware responses. It isn’t really geared to enterprise incident response and cleanup where a whole host of organized protocols, processes, and tools should (hopefully) come to bear on an issue; though there is some linkage that could support/supplement it perhaps.  It’s what I carry on my personal USB stick when I’m responding to family and friends who get themselves into trouble.

My USB stick is a Kanguru 16 GB Flashblu. I like it in that it has a physical write-lock switch so I can control USB infection when connecting it to a potentially hostile system. Because it is an otherwise “simple” USB stick, I can configure it for use as bootable USB device and load a custom WinPE system on it for off-line booting of an infected Windows system. Some more advanced USB drives (IronKey) have additional cryptographic security embedded in them that is good for file security, but a real nuisance in trying to make the device bootable. I do wish the storage size was greater but on the other hand it keeps me honest with stripping down my file and tool set on it to critical ones.

Most of these get regular version updates, so I have to check back frequently to download the newest versions.

One final note, tools listed are generally in alphabetical order rather than order of preference.

Stage One…Hone your Skills

The very first tool that should be used when responding to a potential malware infection is your brain.

Being familiar with Windows system operations, incident response techniques, and malware busting moves is critical. If you don’t get this part down first, the rest is just spinning your wheels and could lead to reinfection or infection spread.

Some resources you may want to review are:

• Triaging Malware Incidents - Journey Into Incident Response - Corey Harrell goes though one method that (with practice) could result in a 30 minute incident response that balances a focused and logical response against user-down-time; at least until the potential threat is confirmed and impact assessed.
• Finding Malware Like Iron Man Slide Decks - Journey Into Incident Response - Corey Harrell
• License to Kill: Malware Hunting with the Sysinternals ... - Channel 9 - Video presentation by Windows guru Mark Russinovich.
• Malware Hunting with the Sysinternals Tools - Channel 9 - Video presentation by Windows guru Mark Russinovich.
• Hunting Down and Killing Ransomware - Mark Russinovich’s Blog

And, from a previous GSD blog post,

Linkz 4 Free Infosec and IT Training - Journey Into Incident Response - Corey Harrell goes above and beyond with an outstanding listing of trainings, exercises, and learning resources that are ForSec focused and absolutely-friggin-free for the taking!  Corey promises to keep the listing updated so bookmark the page and check back often. I’m particularly interested in the CSIRT-like topics and materials listed like those in the ENISA CERT linkage. I’ve downloaded most all of the PDF versions already to review this week as time allows!

Many of these trainings have supplemental videos and VM’s for download.

Other specific courses from Corey’s post.

• Incident management guide - ENISA CERT
• Tools - ENISA CERT - OMG what a detailed and categorized listing.
• Certified Information Systems Security Professional (CISSP)® Common Body of Knowledge (CBK)® Review - via Open Security Training
• Introduction to Network Forensics - via Open Security Training
• Utilizing SysInternals Tools for IT Pros course - Microsoft Virtual Academy - Note I think I have already posted this one earlier!

Stage Two…My Core Tools

In almost every case, I will use these tools as part of my initial assessment. They will also very likely come into play as part of the malware track down and removal. I consider use and drilling in these tools my IT counterpart of “3-gun shooting”.

• Process Explorer - Windows Sysinternals - Shows me what is running on a Windows system, where it is running from, and why.
• Autoruns - Windows Sysinternals - Shows me what caused some of the “auto-start” execution of software on a Windows system, where it was called to run from from, and why.
• Process Monitor - Windows Sysinternals - Also shows me what is running on a Windows system, where it was called to run from from, and why. The logging is great for post analysis.
• ESET SysInspector - This tool does some of the things listed above but also performs advanced logging as well as heuristic coding to results. This helps me get a quick reconnoiter on the system which is critical when it is one I may not be familiar with. From there I can better plan points of focus.

Stage Three…Packaged Sweeps

As I said before, I really want to do full-blown reviews of systems to understand just what happened and how it happened, so I can then respond to make sure it doesn’t happen again.

But with non-technical users hovering over me in their (or my) living room this can be a frustrating situation for both of us.

One technique that I have found helpful is to run one or more advanced triaging tools on the system before starting the cleaning process. Most all of these tools help to automate the incident response and data collection process. These let me run a slew of individual tools at a single command and package the findings up for later review. If the end-user is agreeable (sometimes some personal information and data can get collected in the process so trust and integrity is critical) I’ll run some captures on the system for later review and post-mortem work after the system has made its way back home.

These resources are great starting points before we hit the tool sets.

• Triaging Malware Incidents - Journey Into Incident Response
• Windows Incident Response: Search results for triage - All kinds of great related blog posts from Harlan Carvey’s blog.
• SANS Digital Forensics and Incident Response Poster - SANS DFIR blog

Now the collection tool sets. Note that “some assembly is required” in most packages due to licensing restrictions of some of the leveraged utilities. One other consideration is that they can be “high maintenance.” Most depend on third-party tools -- like NirSoft or Sysinternals. As those get updated then you may find benefit in dropping the updated version into your sweep sets. That’s a lot of work and depending on the change made, might add/break certain functionality. Just something to consider.

• Confessor - Home - “Confessor is a Windows Application that utilizes WMI or PsExec along with standard tools to quickly gather live forensic information from any number of hosts." Confessor v.10 User Guide & Confessor v.10 download.
• Mandiant Redline - Mandiant - “…provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.”
• MIR-ROR - Home - “…MIR-ROR is a security incident response specialized, command-line script that calls specific Windows Sysinternals tools, as well as some other useful utilities, to provide live capture data for investigation.” MIR-RORv2.0 download
• rapier - First Responders Info Gathering Tool - Google Project Hosting - “…RAPIER is a security tool built to facilitate first response procedures for incident handling. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates the entire process of data collection and delivers the results directly to the hands of a skilled security analyst.”
• RegRipper - Google Project Hosting - Tool developed by Harlan Carvey that allows parsing of Windows registry hives via plugins depending on the targeted information sought. Plugins are developed by the community so there are a lot out there now. Pretty amazing stuff and the logging results with just some of the standard “"
• TR3 Tool Kit v2 - Journey Into Incident Response Blog Resources - Google Project Hosting - See the post Tr3Secure Data Collection Script Reloaded for more information.
• triage-ir - Triage: Incident Response - Google Project Hosting - More details from project author Michael Ahrendt here in his blog post Student of Security: Automated Triage Utility
• ThreatExpert Memory Scanner - Like the previously mentioned ESET Sysinspector tool, this is a tool that allows you scan the live system memory and look for potentially rogue memory modules.

Finally, both the DEFT Linux live CD & CAINE Live CD/DVD have Windows-side packages (DART and WinTaylor/NirLaucher) available that can easily be ported to a USB stick.

The CAINE team is partnering with WIN-UFO (Ultimate Forensics Outflow) for a packaged multi-tool launcher that is pretty interesting and worth checking out. Win-UFO Beta (PDF link) has detailed tool information.

Stage Four…Rootkit Sweeps

After the first sweep and assessment, I generally want to confirm if there is a root kit running on the system. All the hard work after is for naught if a rootkit just re-infects the system once you have “cleaned” it.

Rootkits and other APT (Advanced Persistent Threats) are constantly evolving and detection tools must keep pace. Certainly no one tool here can identify every threat out there, but it is a good starting place.

Also, read carefully the supported OS of the tools, it doesn’t do much good to run a tool designed only for XP x32-bit on a Windows 8.1 x64-bit system!

• RootkitRevealer - Windows Sysinternals
• aswMBR - Avast - “…rootkit scanner that scans for TDL4/3, MBRoot (Sinowal), Whistler and other rootkits.”
• Bitdefender Rootkit Remover - BitDefender - “…deals with known rootkits quickly and effectively making use of award-winning Bitdefender malware removal technology. Unlike other similar tools, Bitdefender Rootkit Remover can be launched immediately, without the need to reboot into safe mode first (although a reboot may be required for complete cleanup).”
• Kaspersky Lab TDSSKiller - Anti-rootkit utility - Kaspersky Lab
• Malwarebytes Anti-Rootkit (Beta) - Malwarebytes
• RootkitRemover - McAfee Free Tools
• Rootkit Buster - Trend Micro

I do have quite a number of additional anti-rootkit tools that are a bit more advanced, but they aren’t really suitable for average home users…so I’ve left them out of this list for now.

Stage Five…General Malware Sweeps

Now that we have (hopefully) established we are not dealing with rootkit activity, next comes the general scan.

Again there are an incredible number of tools to help purge a system of a malware infection. Some are designed to be run “live” on the system, and others work “off-line” against the system files by running from a “pre-boot” alternative OS environment. I have found that in most cases, the latter works better and more effectively than the former.

Be aware that depending on the scan engine and the system hardware, these scans can take a considerable amount of time…I often have to let them run overnight.

Pick and use judiciously.

Also, you must keep them current either by freshly downloading the latest version before using, or downloading a DAT file package or two. Failure to do that may miss the most current iterations of the virus!

• Emsisoft Free Emergency Kit: portable malware scanner - Emisoft
• Free eScanAV Anti-Virus Toolkit (MWAV) - eScan
• HitmanPro 3 - SurfRight
• Kaspersky Virus Removal Tool 2011 - Kaspersky Lab
• Kaspersky Rescue Disk 10 - Kaspersky Lab. See also, How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it?
• Malwarebytes Anti-Malware Free - Malwarebytes. See also, Malwarebytes : Chameleon
• Microsoft Safety Scanner - Antivirus - Microsoft
• Malicious Software Removal Tool - Microsoft. Actually on most Windows systems that have been getting regular updates, run “MRT.exe” from the Windows “Run” bar.
• Microsoft Standalone System Sweeper - Microsoft. Available only via the Microsoft Connect site unless you go through a third-part download source. See this Utility Spotlight: Repair Your PC Infection from TechNet Magazine to get more info on it.
• Norton Power Eraser -  Norton Rescue Tools
• Norton Bootable Recovery Tool - requires ISP “PIN” or valid Norton product license key to use.
• Stinger - McAfee Free Tools
• Trend Micro Anti-Threat Toolkit - Trend Micro
• VIPRE Rescue - VIPRE Computer Recovery Solution - last in this list but usually the very first I deploy against a system. It rocks!

Stage Six…Highly Specialized Responses…

In some cases, even if you are able to clean up a system and “de-infect” it, the remaining mess it has made can still cause untold headaches. Registry keys are changed, EXE’s don’t execute, the internet sockets have been screwed up.

Use these tools ONLY if you know what you are doing and have a specific reason to be doing so. Use of them where not warranted may only exacerbate the mess you are trying to clean up.

• AdwCleaner - General Changelog Team FR - How to use AdwCleaner version 3.x
• ComboFix Download - Bleeping Computer hosted by author “sUBs”
• CryptoPrevent - Foolish IT LLC - to be clear this doesn’t “clean” CryptoLocker infections, but it prevents it from executing in the first place.
• exeHelper from Raktor - Cannot execute .exe, .reg, regedit? - Am I infected? What do I do?
• AntiVirus Utilities - Kaspersky Lab has a ton of specialized tools
• MBRWizard CLI - This free utility is a command line version only - you can pay $ for the GUI version if that is what you want. It’s under $10 if that’s your thing. It may be able to restore and repair your MBR.
• Remove Fake Antivirus 1.93 - Yes, Yes, Yes…the website does have that “is this dodgy?” vibe, but based on the testimony of many users whose systems were infected with fake AV malware, it’s the real deal. Cheers to the author for working tireless at keeping it effectively updated!
• RKill Download - Bleeping Computer
• Unhide Download - Bleeping Computer
• Windows Security Utilities - BleepingComputer - 20 specialized programs listed over two pages for your review and selection when needed.
• Download WinSock XP Fix - MajorGeeks - used to repair damages WinSock files after an infection. I don’t see this very much any more. Now days, the malware does all it can to keep the system online and communicating so it can be a RAT/Zombie/span-factory/APT.
• XP TCP/IP Repair 2.2 - WareSoft Software - Likewise.

GSD Field Dispatches…

In closing, here are some Grand Stream Dream blog posts that may be worth a re-read (or first read) that touched upon malware-busting.

• Incident Response Toolsets and Checklists - Grand Stream Dreams blog.
• Anti-Malware Tools of Note- Grand Stream Dreams blog. Older post but has references to a few more not covered here.
• Skirmish 1: A Rouge Security Software battle - Grand Stream Dreams blog - one of many documented struggles with malware.
• Skirmish 2: A Rouge Security Software battle - Grand Stream Dreams blog - in which a second is addressed.

Cheers,

--Claus Valca

Links of Note this week

Saturday was a pretty busy day around the Valca home.

I successfully upgraded Lavie’s Windows 8 laptop to Windows 8.1.  More than a few lessons were learned that may get a post later. However suffice it to say that the upgrade went smoothly and the only “damage” was that the custom Dell touchpad settings she had set up were wiped and she had to re-program them again from scratch.

I decided to pull the trigger and update my Windows 7 system’s Internet Explorer browser to IE 11. I could have waited -- and probably should have -- but some new zero-day reports on IE exploits making rounds and IE 11 being in a “release” state convinced me to give it a shot.  I really don’t use IE much on my home system. There is one on-line bill I pay with it -- the rest I use Firefox for as my browser of choice. For some reason this singular utility’s website doesn’t seem to fully render form pages correctly in Mozilla. Chrome does (usually) work but not always so IE it is. Finger’s crossed the IE 11 rendering works.

I really want to upgrade Alvis’s Win 7 IE browser to IE 11 as well as she uses IE a bit more than I do. However I don’t yet dare. Her college campus has a portal page for the students to use in interacting with their professors, to upload assignments, to download material, to take on-line exams, etc. It is horrible. If I upgrade Java (required) to the most current patched level/build. It breaks and nothing on the portal page works. Even in IE Compatibility mode. So I don’t want to run the risk of messing up her school portal interaction with and IE upgrade. Fortunately, she almost only uses IE for that. She is a Chrome browser user and actually has it set as her default Windows browser so we live for it for now.

Lavie’s laptop is already on IE 11 as it came for the ride with Windows 8.1.

I will say that IE 11 launches much faster on my Windows 7 system than IE 10 did. Other than than, I can’t really tell a difference…so I guess that is a good thing.

Here’s the linkage. It’s a hodge-podge this week but fairly thin.

Web Browser News…

• IE zero-day is targeted, sophisticated - ZDNet
• New IE Zero-Day Found in Watering Hole Attack - FireEye Blog
• Internet Explorer users face drive-by attacks targeting new 0day bug - Ars Technica
• Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method - FireEye Blog
• Internet Explorer 11 - Microsoft download
• IE11 for Windows 7 Globally Available for Consumers and Businesses - IEBlog
• Internet Explorer 11 for Windows 7 is all about performance - Beta News
• Announcing Octane 2.0 - Chromium Blog

What made the IE Zero-Day exploit interesting is that early malware analysis indicates that the payload runs in memory only and does not write itself to disk, making artifact analysis much more challenging. This could be another signal that defense-in-depth supported by NFAT techniques and packet monitoring/logging could be critical in incident detection, response, and analysis.

Speaking of Networking…

Network Throughput Testing Tools - WindowsNetworking.com

When Worlds Collide - wirewatcher - Wonderful post on using ELSA in a SecurityOnion deployment to tear up network activity logs and drill down (leveraging Carbon Black linked to ELSA) to pick apart a remote system’s activity. Neat.

Anatomy of Message Analyzer Analysis - MessageAnalyzer Blog

Update: naft-gfe.py - Didier Stevens

Malware and Incident Response…

Hacking a Reporter: Writing Malware For Fun and Profit (Part 1 of 3) - SpiderLabs Anterior

Hacking a Reporter: Writing Malware For Fun and Profit (Part 2 of 3) - SpiderLabs Anterior

Not just another pretty wrench! (by Casey Mullis) - LoveMyTool has a brief intro to Brett Shavers’ Windows Forensic Environment / (WinFE) project.

CryptoPrevent 4 - Introducing Event Logs and Email Alerts - Foolish IT - This new version has some more features added. If you are using this to defend against the CryptoLocker ransomware, then be sure you are using the latest version and go back often into it and run the “check for updates” feature. It works very smoothly. Once the update is done, you must hit the “Apply” button (and reboot) to apply the updated changes to your system. Or just pony up the $ and get the auto-updating version. It’s still much cheaper than a couple thousand in bitcoins to fix your system after it gets infected.

CryptoLocker Crew Ratchets Up the Ransom — Krebs on Security

CryptoLocker Emergence Connected to Blackhole Exploit Kit Arrest - Security Intelligence Blog at Trend Micro

Cryptolocker: Time to Backup - ThreatTrack Security Labs Blog

For the SysAdmins…

DOWNLOAD: Group Policy Settings Reference for Windows and Windows Server (Including 8.1 & 2013 R2) - Kurt Shintaku's Blog

Out Now: Group Policy Settings spread sheet for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11 - Group Policy Central

Download Group Policy Settings Reference for Windows and Windows Server - Microsoft Download Center

Cheers,

--Claus Valca

Thank you, Veterans - 2013

Yesterday I had the opportunity to visit with my father and thank him for his former service to our country.

We talked about his service in Vietnam and lessons learned that seem to still perpetuate in service and in private employment (warehouse logistics managers seem to want to clear held inventory even if the engineers need it on shelf for emergency deployment).

Dad served as a commissioned officer in the 18th Engineer Brigade of the United States Army. He volunteered to serve and left his newly formed family behind to go overseas.

Growing up I remember he had a few shadow-boxes with some of his medals and pins and insignia patches. However, what made a more lasting impact to me of his years in service were the many, many photographs on the walls of the people and places of Vietnam; the good ones. Ones that you would expect to see today in travel shows and brochures.  The people were proud and kind and human and the culture rich and vibrant, despite the war raging around them. Dad was already an accomplished amateur photographer and his skill and eye for detail went overseas with him. Dad was able to capture the flavor and color of the country’s heart wonderfully and bring that legacy home for us to see.

We were a fortunate family and can celebrate his service together father and sons on Veteran’s day. Many don’t have that opportunity.

I was doing some shopping online a few weeks ago and spotted some nice high-quality decals with a few of his Brigade’s insignias in different styles so I ordered some and dropped them in the mail with a card that Alvis and Lavie also left messages in. It seemed like a very small and insignificant gesture for such a big sacrifice. But the conversation and sharing it re-started will remain priceless.

Happy Veteran’s Day, Dad. Thank you again.

Essayons et edifions

--Claus

HP Photosmart “All-in-one” Scanning Error Fix

Yesterday Lavie gave me an assignment.  I had to scan an old photo of her late maternal grandmother in younger times from an antique “charm-tree” and then resize/trim it to fit in a tiny locket.

We have an HP Photosmart C6280 all-in-one printer/scanner/copier (inkjet) that has held up quite well over the years.

So after delicately removing the original photo from the tiny frame, I placed it on the scanner, used the front-panel and menu-controls to set the scan details and tell it to scan to my laptop (listed).

However, on my laptop screen, there was the following error message:

“LCD list needs to be upgraded”

Went though the steps again and same error message.

Eventually I got it fixed. For posterity, here’s what was done and learned in the process.

Before we go any further, the “LCD list” that we are being notified about is the list displayed on the tiny LCD information/menu panel of the printer itself. On our model it flips up and down to adjust the viewing angle. From this LCD list, you can select different networked computers you want to send the scan to, and in what format you want the sent-scan to take place. I only mention it as the message may not be clear to some, especially if this LCD seems to be working and listing items as normal for selection.

There are at least two (I found a third) ways to directly start a scan. You can initiate the scan from the “HP Solutions Center” application from your Windows system if you installed the full software set. That’s normally how I do it as you get a lot more bells-and-whistles to refine your scan/quality this way.

You can also place an item to be scanned on the glass scanning bed and hit a button on the device’s front panel, and then use the LCD list to select which computer on your network should receive the scan. That’s normally how the girls do it.

Finally, there is another method which I will get to in a bit.

Note, depending on what software applications you have, they also may be able to initiate a scan. A number of my graphic image editing tools can also communicate with the scanner to grab/import a scan directly. But we are trying to keep it simple here so I’m not exploring that as an option. Keep it in mind however.

All my connections were good, the device was clearly communicating on our home network and bi-directional functionality seemed to work.

I power-cycled the printer unit and tried again. Same error.

I pulled the plug on the printer and tried again. Same error.

I ran the “HP Update” utility in my installed HP program folder. It did find one update that had something to do with fonts I think…installed it. Tried again. Same error.

I did some quick research on the web and got a lot of tips, but this first one got me productive immediately as a work-around. (Windows 7 system but concept should work on any Windows system with some minor tweakage.) This is the “third” method I referred to earlier.

1. Open up the “Network” window
2. Find your HP printer in the list.
3. Double click it.
4. Depending on the configuration, you should see your default web-browser launch.
5. The page displayed should be your HP printer with a bunch of device information and tabs.
6. Under the “Information” tab, find the “Applications” --> “Webscan” item and click that hyperlink.
7. You now should have a page with some basic options to select the image format, a preview window, the size of the document, and to “Scan” or “Reset”.
8. I set accordingly, hit the Scan preview and saved the resultant scan file generated to my desktop.

I later bookmarked the web-page for quick reference in the future. You can see it in my bookmark bar above.

That got me going and I was able to complete Lavie’s project for me quite nicely, but the root problem was still present.

More digging around in that particular HP forum thread got me to the solution.

The recommended solution is to follow this tip from poster “pcwizard”.

My window looked like that already and clicking “Update the Device” didn’t fix the issue. However a careful re-reading this morning finds that what I should have done is to first remove the shortcuts on the right side list, apply the update to the device, then move them back from the left side to the right again, and update the device.  Had I done that, it probably would have worked.

Instead, I had to dig more and eventually found and applied this routine that did work as offered from “mstrees”.

I have one additional hint:

I found that the sequence of applying the fix steps is very important.  After following PCWizard's instructions in the 02-08-2012 post, the list appeared to be corrected, but I still received the message that the list needed to be upgraded.  Here's how I fixed it:

1. Follow all of PCWizard's steps and then reset the printer by:

2. Power on the printer and disconnect the power cord

3. Wait 60 seconds

4. Reconnect the power cord and allow the printer to power on

5. Press the Scan button on the front panel and confirm that the "No Scan Options" message appears

6. Open the HP Solution Center app on the PC

7. Choose Settings - Scan Settings - Scan To Setup

8. Click Update Device button

9. Press Scan button on Front panel of printer. The updated Scan To options will now appear.

10. Use Start Scan button to initiate scan from printer front panel. The "LCD List needs to be upgraded" message should no longer appear.

That cleared the error message and I was back to full scanning functionality.

Cheers!

--Claus Valca.

Bonus linkage: I later found this awesomely fun-to-read post & review from HP C6280 user Ventzislav Tzvetkov who got it working (quite nicely it seems) with his Amiga computer. Cool! HP Photosmart C6280 All-in-One (Multifunction Device)

Ubuntu 13.10 Upgrade - Lessons Learned & VIDMA utility found

A few weeks ago a new release of Ubuntu came out.

Naturally that meant it was update time!

I have been getting pretty good at this now so I though I had it all figured out.

Wrong.

Here you go…documented for your entertainment and my education.

1. Find in RSS feeds that my Ubuntu 13.04 Raring Ringtail install has a Ubuntu 13.10 Saucy Salamander update available.
   ●  Upgrade your PCs, servers, and phones: Ubuntu 13.10 lands tomorrow - Ars Technica
   ●  Ubuntu 13.10 review: The Linux OS of the future remains a year away - Ars Technica
   ●  Ubuntu 13.10 Released - But Is It An Essential Upgrade? - OMG! Ubuntu
   ●  Ubuntu 13.10 Saucy Salamander Review: A Boring Amphibian - Desktop Linux Reviews
   ●  Ubuntu 13.10 (Saucy Salamander) review: Smart Scopes in, Mir out - ZDNet
   ●  Saucy Salamander/Release Notes - Ubuntu Wiki
2. Excitedly start the in-place upgrade of my VirtualBox Ubuntu build.
3. Remembered this time (3rds the charm) that VirtualBox upgrades screw with Ubuntu (and I had recently upgraded to a new VirtualBox release and hadn’t ran my Ubuntu guest since) unless you first disable 3D acceleration in the VM machine settings. So I disabled it, launched the Ubuntu VM and now was able to load the desktop!
   
   At that point I was able to install/upgrade to the latest VirtualBox Extension pack within Ubuntu proper. It ran slow as molasses but got the job done. For some reason I keep forgetting what the correct option clicks to get the Extension pack installer auto-running after I mount the CD/ISO file. I did better this time. For some reason the dialog window prompts aren’t fully intuitive to me as a Windows user.
   1. First, run the installer from the host.
      
   2. Next choose the “Ask what to do” option (I think this is where I get tripped up and select another option incorrectly).
      
   3. Run the auto installer
      
   4. Authenticate and install
      
      ●  How do I install Guest Additions in VirtualBox? - Ask Ubuntu.
      ●  Installing Guest Additions on Ubuntu - VirtualBoxes
4. Once done, I rebooted the system after re-enabling the 3D Acceleration option in the VM settings.
5. From there I continue by using Daniel Benny Simanjuntak’s tip in a previous Ubuntu post comments I did to run the following command from the terminal to start the upgrade process.
        …through terminal one can upgrade as well using the command:
         sudo do-release-upgrade -d
6. Watch with anticipation.
7. Installation failed.
8. What!
9. Try again.
10. Failed again.
11. Read error and log dialogs carefully and figure out I don’t have enough free space on my virtual hard drive. Apparently I set it up for a fixed disk size of about 8 GB.
12. Started simple and ran command “sudo apt-get clean”. I seem to recall I had to do that last time I did an Ubuntu upgrade.
13. That cleaned a bunch of stuff but when I tried to do the upgrade, I still didn’t have enough free space left to perform the upgrade. It eventually became clear that it was time to increase the size of my virtual hard drive. Goody.
14. I tried a number of processes to expand (in place) my VM’s VDI virtual HDD file. None of them seemed to work successfully. It was super frustrating.
15. Found vidma - Virtual Disks Manipulator (tool for resizing VDI). It’s a tiny standalone command line tool for resizing (fixed and dynamic type) VDI files. It is “Alpha” software but I figured I had little to loose at this point as if this didn’t work, I’d probably be going back to square one anyway.
    1. To make things easy I copied the utility over into the same location of my VDI file.
    2. Opened a command line window in this location
    3. Ran the command “vidma Xplico.vdi 20480” and fed it confirmations as needed. (Actually I  used the even value amount “20000” and resulted in a 19.53 GB expanded drive…not quite 20 GB even which the 20480 figure would have done.)
    4. Watched and waited patiently as it processed the file.
    5. When it was done I relaunched the VM (hurray it came up fine) and using GParted inside the current Ubuntu VM, checked the /dev/sda drive. It was showing the full 19.53 GiB partition. Up from the original 8 GiB.
16. That was part one. Now I had to resize my active partition to incorporate the additional unallocated space that I had created in step 13 with vidma.
17. I shut down the VM and rebooted it after attaching a GParted ISO. This would let me manipulate the internal partition information of my VDI file.
    1. Basically I followed (starting down the page at Step 4 “Expand the partition in the larger virtual disk”) the guide found posted by Eugene over at Trivial Proof: Resizing a VirtualBox Virtual Hard Disk”
    2. Because I had set my Ubuntu drive up with a swap partition, I had to deal with it first as explained in the addendum in that guide.
    3. For some reason I was not able to move the swap partition out of the way as it describes. So I ended up following a tip in the comments from “jayesh” after carefully noting what size it originally was set at.
       
       ”I had an extended partition containing a swap partition between my root partition and unallocated space. So i tried to follow ADDENDUM steps but i was not able to move the extended partition in one step. So, i extended the "extended partition" with unallocated space, then moved the swap partition to the end of this new partition and finally shrink the extended partition to its original size, leaving unallocated space close to my root partition.”
       
       This post guide over at mwpreston.net expands that process in wonderful detail if you want more information before trying: Expanding a Linux disk with gparted (and getting swap out of the way) - mwpreston.net
    4. I then was able to expand the existing (in use partition) to take in (almost) all of the newly created unallocated space.
    5. Whew!
    6. Rebooted and detached the GParted ISO.
    7. My VM guest came up just fine and after another check in the GParted tool, confirmed things were put right again and I now had 18.43 GB of available space.
       
18. Time to retry the Ubuntu 13.10 upgrade!
19. From a terminal session: “sudo do-release-upgrade -d”
20. Let it run forever…do a few reboots…
21. When it is all settled down, I log in and kick the tires a bit, and change the desktop to the charming “Saucy Salamander” image.
    
22. Looked for and updated any pending applications needing updating. Done.
23. Check “Upgrade to Saucy Salamander” off my to-do list.

I would swear I captured a ton of screen shots of the actual VDI expansion and post-GParted partition wrangling work to document what I was doing, but I just can’t find where I put the screen cap files. Despite my best efforts to scour my HDD’s looking for them they just haven’t turned up. If I do later stumble upon them, I’ll update the post accordingly.

The only other “gotcha” I discovered immediately after the upgrade is that my beloved power-button in the top-right bar in Ubuntu 13.04 had been removed.  How do I shut the figgin thing down now?

Apparently I wasn’t the only dolt stumbling over this, post upgrade.

• unity - Why am I not able to shutdown, log-off and restart after an upgrade to Ubuntu 13.10? - Ask Ubuntu

Per that thread, I ended up settling for the “open a terminal, type sudo shutdown -h now, press enter and put the password” shutdown method.

Since that original upgrade to 13.10, I have since ran the Software Updater again to bring it current and I find my familiar shutdown icon is now back. Hurrah!

I hope this helps any Ubuntu noobies out there with the upgrade process if you are running it in VirtualBox.

Previous Ubuntu upgrade posts here on GSD.

• grand stream dreams: Ubuntu 12.10 (Quantal Quetzal) Upgrade
• grand stream dreams: Ubuntu 13.04 (Raring Ringtail) Upgrade..a bit faster this time

--Claus Valca

ForSec Linkfest - 2013 DST Fallback Edition

FYI…tomorrow morning at 2 AM here in the United States of America it will be time to “fall back” from DST. One more hour of sleep and then it’s weeks of trying to get the body’s timeclock to readjust.

So as you get ready to find all the clocks you need to manually adjust (don’t forget the vehicles!), here is some linkage to distract you from that task. Please note I’ve also sprinkled in some networking items as well to keep you on your toes!

• Wireshark 1.10.3 and 1.8.11 Released - Wireshark website
• Wireshark - Official site Download
• Reviewing Wireshark's Capture Pane (by Tony Fortunato) - LoveMyTool blog
• Using PowerShell to Automate Tracing - MessageAnalyzer blog
• Nmap cheat sheet - HelpNet Security blog - From the notice:
• Counter Hack founder and SANS instructor Ed Skoudis and his team created a helpful cheat sheet for Nmap, which includes notable scripts of the Nmap Scripting Engine, script categories, instructions for scan types, probing options, and more.
• How A Wireless Issue Looks Like a Wired Issue (by Tony Fortunato) - LoveMyTool blog
• NAFT: The Movie - Didier Stevens
• New utility to quickly set the DNS servers of your Internet connection - QuickSetDNS utility from Nir Sofer's workbench.
• On getting Pineappled at Web Directions South - Troy Hunt’s blog
• Disassembling the privacy implications of LinkedIn Intro - Troy Hunt’s blog
• Command-line Forensics of hacked PHP.net - NETRESEC Blog
• iOS apps can be hijacked to show fraudulent content and intercept data - Ars Technica
• Your iPhone knows where you’ve been, puts it on a map - Chron.com’s TechBlog
• What's New in the Prefetch for Windows 8?? - Invoke-IR blog
• Re-Introducing the Vulnerability Search - Journey Into Incident Response blog
• Links - Windows Incident Response blog
• Incident Response Teams are the New (Security) Black - Speaking of Security - The RSA Blog and Podcast
• Red Alert: 10 Computer Security Blogs You Should Follow Today - MakeUseOf blog
• New Security Intelligence Report, new data, new perspectives - Microsoft Malware Protection Center blog
• Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps - Ars Technica
• Hacking a Reporter: Writing Malware For Fun and Profit (Part 1 of 3) - SpiderLabs Anterior
• Treasure Hunting with FTK, EnCase, and SQLite Databases - Computer & Digital Forensics at Champlain blog
• Add the CAINE ISO to your E2B drive - RMPrepUSB, Easy2Boot and USB booting

Cheers,

Claus Valca

CryptoLocker Ransomware Info & Free Prevention Solutions

I work hard to keep our home systems malware-free and safe.

That typically involves talking about good Windows end-user behavior with Alvis and Lavie, letting them know about various breaking threats, running a AV/AM product, installing advanced protection afforded by Microsoft's EMET v 4.0 on our home systems, making sure all Windows and third party browser plugins are kept updated, run backups, etc.

So generally, I don’t worry too much about viruses and malware…but this new CryptoLocker threat does have my nerves extra-edgy.

First, we don’t have 10 bitcoins sitting around to pony up for a decryption. Most home\SOHO Windows users probably don’t either. Note this price has gone up from the previous 2 bitcoin expense.

• CryptoLocker developers charge 10 bitcoins to use new Decryption Service - Bleeping Computer News

Secondly, it seems to work primarily on social-engineering and spear-fishing techniques (for now) to trick a user into opening a payload delivered by email. While I can have pretty good confidence in software defense-in-depth security practices, I never can trust the end-user (myself included) to be 100% dependable in catching this attack. I am my own weakest link.

Lastly, although CryptoLocker primarily targets local drives, it will encrypt any targeted files on a network share if the shared folder is mapped as a drive letter rather than a UNC share. So if one person on a network gets infected, and has mapped drives via drive lettering, that could hose everyone! That’s scary bad.

So the first important step you can take is to educate yourself about the threat itself:

• How To Avoid CryptoLocker Ransomware — Krebs on Security
• CryptoLocker Ransomware Information Guide and FAQ - Bleeping Computer - Probably the current de-facto resource for all technical details on this threat. Updated frequently.
• CryptoLocker Is The Nastiest Malware Ever - Here's What You Can Do - MakeUseOf blog
• Cryptolocker Ransomware: What You Need To Know - Malwarebytes Unpacked
• You’re infected—if you want to see your data again, pay us $300 in Bitcoins - Ars Technica

At home, my immediate response was to deploy a special package maintained by Foolish IT LLC on ALL our personal Windows systems (including my Windows VM’s) that protects against this threat. 

CryptoPrevent - free for personal and commercial deployment - Foolish IT LLC - current version at time of posting is 3.1 but that is certain to change. In both “portable” and installable versions.

Like any AV/AM vs. Security battle, it is a constant arms race of updates so if you go this method, check back frequently for new versions or pay the $ for the auto-updating version.

Just to illustrate the challenge, take a look at these posts from the developer to see how the tool has mutated to keep pace with the threat and customer’s needs.

• CryptoPrevent v2.0 just released with whitelisting capabilities!
• CryptoPrevent v2.1 - I just can't seem to win!
• CryptoPrevent v2.4 just released with internal update feature - please update!
• CryptoPrevent v2.5 - with a powerful new layer of protection introduced!
• CryptoPrevent v2.6 released - my life is consumed by this madness!
• CryptoPrevent v3.0 - Recycle Bin protection and a new optional AUTOMATIC UPDATE service!

For corporate locations, I learned about another solution via Brian Kreb’s post noted above. From that post:

A team of coders and administrators from enterprise consulting firm thirdtier.net have released the CryptoLocker Prevention Kit – a comprehensive set of group policies that can be used to block CryptoLocker infections across a  domain. The set of instructions that accompanies this free toolkit is comprehensive and well documented, and the group policies appear to be quite effective.

Cryptolocker Prevention Kit (updated) - Spiceworks

Get protected now if you are a Windows user. Period. 

It’s not worth dilly-dallying about.

Cheers,

Claus V.

Linkfest for the SysAdmins

Here is some assorted linkage from the past week or two that might be of interest to the system administrators lurking around.

• US State Governments Can’t Shake IT Woes - IEEE Spectrum - This week in gooberment IT support and deployment silliness. Offered as object lessons for self-improvement.
• HealthCare.gov deferred final security check, could leak personal data - Ars Technica
• The seven deadly sins of HealthCare.gov - Ars Technica
• Can we trust the data brokers who store our most intimate private details? - Ars Technica
• Defrag Tools: #61 - Windows 8.1 - Disk Space, Sysinternals DU and RU - Defrag Tools on Channel 9
• PowerShell: Location, Location, Location - 4sysops
• Download Active Directory Replication Status Tool - Microsoft Download Center
• How to make your USB drive Write-protected under Windows - RMPrepUSB, Easy2Boot and USB booting
• Install Windows 8.1 on Oracle VirtualBox - BetaNews article from Wayne Williams
• Customizing the Windows 8.1 Start Screen? Don’t follow Microsoft’s guidance - Aaron Parker
• Windows 8.1 / Windows Server 2012 R2 - Updated Shell UI changes - Ask the Performance Team blog

Cheers,

Claus Valca

Microsoft Security Essentials/Defender & PowerShell

Here are some minor tidbits for MSSE I found, as well as some cool tricks you can do against it with PowerShell.

Microsoft may end antivirus updates on XP in April - ZDNet

I’m not surprised to hear this deliberation going on, XP must go and MS can’t be responsible to support an unsupported OS forever. That said, for quite some time to come many home users (particularly), SOHO’s, and corporations may continue to use XP on their systems for some time to come.

While I’m confident other third-party vendors may continue to release AV/AM software that can run and support XP systems, many folks stick with MSSE. Leaving these systems vulnerable and unprotected, particularly if on a network with other Windows systems, seems a situation ripe for exploitation and shenanigans.

I hope that Microsoft continues to provide updated and current definition signatures for at least a period of time after the XP support ends.

Download Microsoft Security Essential - Microsoft Download Center

Meanwhile, over at the Hey, Scripting Guy! Blog, great fun has been reported playing around with Windows PowerShell and finding some neat things that can be done with Windows Defender. (Note: I don’t find a counterpart for the Microsoft Security Essentials application.)

• Exploring the Windows Defender Catalog - Hey, Scripting Guy! Blog
• Use PowerShell to Explore Windows Defender Preferences - Hey, Scripting Guy! Blog
• Use PowerShell to Update Windows Defender Signatures - Hey, Scripting Guy! Blog
• Use PowerShell to See What Windows Defender Detected - Hey, Scripting Guy! Blog
• Weekend Scripter: Use PowerShell to Configure Windows Defender Preferences - Hey, Scripting Guy! Blog

Have fun!

Claus Valca

Miscellaneous TrueCrypt linkage

I have used TrueCrypt for a long time…but only with TrueCrypt container files that stand alone and are mounted.

Then I branched out and started using full-volume encryption to protect some back-up external USB drive devices.

Recently, I bit the bullet and started using TrueCrypt system-wide encryption to protect my personal home laptop…all system volumes. No worries so far.

Because of that I pay close attention to TrueCrypt news, and here is some linkage, in case you are interested.

Let's audit Truecrypt! - A Few Thoughts on Cryptographic Engineering blog by Matthew Green

New effort to fully audit TrueCrypt raises $16,000+ in a few short weeks - Ars Technica

Is TrueCrypt Audited Yet? - project homepage

How I compiled TrueCrypt 7.1a for Win32 and matched the official binaries - technically heavy-duty and most excellent article by Xavier de Carné de Carnavalet.

Windows 8.1 upgrade: be careful with TrueCrypt - GTranslated - Borns IT and Windows Blog - Basically, if you are using full-system partition encryption with TrueCrypt, the recommendation is to first fully-decrypt and remove TrueCrypt encryption…then apply the Win 8.1 upgrade…then reapply the TrueCrypt full system partition encryption. If not you might hose your system during the upgrade. That’s a bad thing.

Cheers,

Claus Valca

PowerShell 4.0 and a tiny “gotcha”

I spotted news last week that Microsoft released a new updated version (4.0) of PowerShell.

Download Windows Management Framework 4.0 - Microsoft Download Center

I thought I read and had met all the prerequisites successfully, so I installed away. Only when I checked the installed version it still reported 3.0. Hmmm.

I checked the “Add/Remove” program list and didn’t find the update listed in the Windows components. Strange. And when I tried to reinstall it, it said it was already installed…despite not being listed in the installed components.

What gives.

Long story short, after additional troubleshooting I found out that a required component for PowerShell 4.0 was missing.  WMF 4.0 requires Microsoft .NET Framework 4.5

I thought I had it on already, but turned out I had .NET Framework 4.0. My bad.

So I downloaded the .NET Framework 4.5 from the Microsoft Download Center and got it on my system, then reinstalled WMF 4.0 one more time.

This time it took and a version-check in PowerShell showed the new version was present.

A few days later this issue became pretty common information so you may want to consult this post if you haven’t figured it out yet. It has great technical details.

• WMF 4.0 - Known Issue: Partial Installation without .NET Framework 4.5 - Windows PowerShell Blog

Related:

• PowerTip: Find if Computer has .NET Framework 4.5 - Hey, Scripting Guy! blog

So now what?

• PowerShell 4.0 – A first look - 4sysops - Guest author Jeffery Hicks has a great pre-release review and rundown.

Cheers.

Claus Valca

New Software Updates + VMware Tools Update fix

The Valca household has survived last week’s torrential rain event. Unfortunately both our vehicles took a hit.

No…no cars were flooded due to poor driving decisions…they stayed high-and-dry…but they did suffer some incidental damage.

My beloved Saturn Ion apparently had material in the catalytic converter come loose and cause a blockage in the exhaust system.  That led to a significant power-loss -- I was only able to nurse it up to 55-60 MPH on the freeway. That’s a life-threatening highway speed here in Texas. I found a new local repair shop that was able to diagnose it (and +1 point for my dad who also guessed that would be the issue). So it awaits a new cat-converter install…and for good measure I’m having the front struts replaced as well as they are OEM and the front suspension is all clunky over road bumps and RR tracks. With almost 200,000 miles on it, I guess it is time.

Meanwhile, I got in Lavie’s car yesterday to borrow it while mine is in the shop. She doesn’t drive it much. It is a 2001 Nissan Altima with barely 43,000 miles on it. All was well until I went to unplug and toss her cell-phone charger on the passenger side foot-well floorboard…and found it full with 1.5” of standing water. Gasp!  Luckily I hadn’t put the car in reverse yet to slosh it out. Bother.  After some extensive wet/dry vac work it was only damp and between a few sunny dry days and some well placed Damp Rid containers I think we will be good. The windshield has some cracks in it that might cause it to not pass this month’s due vehicle safety inspection so the decision was made to schedule a windscreen replacement…which will result in all new weather seals.  The rest of the car was bone-dry so I really don’t think it was a seal that failed. My guess is the torrential rains (appx 3.5 inches in 24 hours) cascading down the windshield may have poured into the fresh-air intake vent under the hood which ran down into the passenger side foot well.  Not sure why it was just that side and not the driver’s as well. Thoughts?

So with one car finishing the air-out process and the other in the shop, it has been a bit stressful. Fortunately family and friends and Boss have been supportive and encouraging…and our older but beloved (and paid for) vehicles will continue to drive on a while longer.

Anyway…enough boring personal stuff…here is small collection of updated software you might want to check out as well as a fix for an aggravating VMware Player problem I ran into this morning after updating the main VMware Player application.

VMware Player Plus - Now updated to version 6.0.1. Note that VMware Player Plus is the $ version for commercial license usage. The free for personal use VMware Player is still around, but you just have to confirm that option during the setup. I prefer to use this VM software platform for my Windows guest clients and VirtualBox for my Linux-based ones.

• Download VMware Player 6.0
• VMware Player 6.0.1 Release Notes

One curious thing about this most recent version that I hadn’t encountered until now.

I had just upgraded to this latest VMware Player (host) software on Windows 7 and then launched an XP client so I could update the VMware Tools as well.

Strangely the Windows XP guest I started up reported it was stuck downloading the tools. On boot up of the VM guest, it offered me the upgrade tools option at the bottom of the window, and when I selected that action button, it popped a dialog window that said "VMware Tools installation cannot be started until the current download finishes." If I go to the VMware host’s menu, it says "Downloading VMware Tools" where it should say Upgrade/Reinstall VMware Tools.

I took matters into my own hands and was able to map the virtual CD ROM in my virtual XP client to the VMWare Tools ISO file for Windows at "C:\Program Files (x86)\VMware\VMware Player\windows.iso" figuring that it was the latest version and came down for the ride when I updated the host client software.

Once "mounted" it auto-started the VMWare Tools setup wizard in the XP guest session which I ran though and installed with no issues. A reboot and it was current in the XP VM.

However....on reboot VMware Player host software still was reporting the upgrade tools option at the bottom of the window, and when I selected that again, it said "VMware Tools installation cannot be started until the current download finishes."

Here's how I cleared it in VMWare Player (based on this forum thread I found and solution offered by John Swanagon).

• Launch VMware Player.
• Click "Player"
• Click "File"
• Click “Player Preferences”.
• Under "Software updates” section.
• Click “Connection Settings”.
• In the “Connection Settings” window, change the proxy from “No proxy” to “Windows proxy settings”.
• Click OK.
• Click OK.
• Open Internet Explorer. (note these IE steps may vary based on your IE version)
• Click "Tools" then select “Internet Options”.
• Click the “Connections” tab.
• Click the “LAN settings” button.
• Confirm/Select the “Automatically detect settings” option.
• Click “OK”.
• Click “OK”.
• Close Internet Explorer.
• Exit VMware Player.
• Run VMware Player as an Administrator.
• Click "Player"
• Click "File"
• Click “Player Preferences”.
• Under "Software updates” section.
• Click “Edit” -> “Preferences”.
• Click “Download All Components Now”.

Additional components for other guest OS systems downloaded and when done, and VMware player re-launched, the message at the bottom of the screen finally was cleared!

Updates: PsExec v2.0, RAMMap v1.3, Sigcheck v2.0  - Sysinternals Site Discussion Blog

Updates: RAMMap v1.32, Sigcheck v2.01 - Sysinternals Site Discussion Blog

New Utility - QuickHash - Foolish IT LLC

OSFMount - updated 10-22-13 - version 1.5.1014.

• Fixed issue with detecting partitions for ImageUSB images
• Windows dynamic disks are now supported
• Fixed issue with mounting via OSFMount command line with "-o rw" option
• Fixed issue with mounting multiple partitions in an image file as writable due to file sharing permissions
• Fixed issue with mounting multiple partitions in an image file from command line
• Drive letters 'A' and 'B' can now be used
• Propagated changes from Imdisk v1.7.5 including some key fixes:
  • Disks with "lost" drive letters can now be removed
  • Notifications hanging on drive creation and removal

I personally prefer to use Olof Lagerkvist’s ImDisk Virtual Disk Driver, also recently updated on 10-25-13 to build version 1.7.6.

Why do I mention that? well the OSFMount utility is based on Olof’s ImDisk software. That’s all.

mozdev.org - newsfox: installation - My favorite Firefox RSS reader is updated to 1.0.8.4.4.  Release notes

Speaking of Mozilla, Firefox was updated to version 25.0 and Thunderbird was updated to 24.1.0

Also, I’ve gone to a 3-monitor setup at home with my laptop. My desk is quite full!

I’m running my primary display from the attached Dell Studio 15 HD laptop display. It is super-sharp and has great resolution.

My secondary display is one of a pair of older Samsung SyncMaster 930B-A displays I got a long time ago as a gift from my brother. Maximum resolution is just 1280x1024 so it looks a bit under-scaled with the other displays but it seems to work great for text which is fine when I am pounding out blog posts. No OEM Win7 x64 bit hardware drivers exist for it either so it’s running the standard Microsoft PnP display driver just fine. The 4:3 ratio (the others are wide-screen format) also makes composing text documents more comfortable.

Since (like most Dell laptops) the laptop can only drive a maximum of two display outputs natively, I’m running this display with a StarTech USB 3.0 to DVI Adapter. I didn’t have any issues getting the drivers installed and the system up and running. It’s a must-have hardware accessory if you are running multiple monitors with a laptop and can’t toss in another hardware card internally.

My third display is a HP Pavilion 22bw 21.5-inch Diagonal IPS LED Backlit Monitor(C4D29AA) that I picked up some time ago on sale at a big-box outlet. Not a lot to say. It is HD and I am running it off the HDMI port on my laptop. Overall it is decent, but I am disappointed in the text-clarity of the display. Watching a video on it is fine, but for extended text-composition on it, it just isn’t as clear as I would prefer.

In good news, under Windows 7 (at least) you can set the ClearType text on a per-monitor basis!

That has helped a bit but the text still doesn’t compare with my primary laptop display.

Cheers!

Claus Valca.