New page: Shavlik Protect: An actual quick start guide.

March 30, 2016

I’ve created a new page under Technology Solutions that will assist people with rolling out Shavlik Protect in actually under an hour (or whatever they say in their marketing).

Shavlik Protect: An actual quick start guide.

Change the default size of CABs that WSUS will accept to be published

March 10, 2016

I came across an issue when using our third party patch management system (that integrates into WSUS) that an update could not be published to WSUS because it exceeded 384MB.

Searching the web, I located several posts, but arrived on this one, which contains a quick PowerShell script that increases the maximum size of the CAB file that can be published.

I’ve not messed with reflection too much, but I do think this would be useful specifically for WSUS management classes that aren’t revealed through the regular cmdlets.
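The script the post links to is not reproduced here, so the following is an added example of the same idea (not the post's own script): load the WSUS administration assembly via reflection and raise the local-publishing CAB limit. It assumes the WSUS console or role is installed where it runs, and the property name LocalPublishingMaxCabSize is taken from the WSUS administration API as I remember it, so it is checked with Get-Member before anything is saved.

```powershell
# Added example, not the script the post links to. Loads the WSUS admin
# assembly via reflection (installed with the WSUS console/role) and raises the
# local-publishing CAB limit. Property name LocalPublishingMaxCabSize is assumed
# from the WSUS administration API; it is confirmed with Get-Member before saving.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

# GetUpdateServer() with no arguments connects to the local WSUS server
$wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$config = $wsus.GetConfiguration()

# Raise the limit only if the property exists on this version of the API
if ($config | Get-Member -Name LocalPublishingMaxCabSize) {
    "Current max CAB size: $($config.LocalPublishingMaxCabSize) MB"
    # Constructed value: 1 GB, comfortably above the 384 MB update in the post
    $config.LocalPublishingMaxCabSize = 1024
    $config.Save()
    "New max CAB size: $($config.LocalPublishingMaxCabSize) MB"
} else {
    Write-Warning 'LocalPublishingMaxCabSize not found; run $config | Get-Member to find the right property.'
}
```

Run it in an elevated PowerShell session on the WSUS server itself; the same AdminProxy object exposes the rest of the server configuration that the regular cmdlets do not surface.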

Don’t get-mousejacked

March 4, 2016

[UPDATED: April 14th, 2016: Good news everyone! MSFT has released an optional update that resolves this issue: ]

This morning, my boy Bruce Schneier posted about Bastille’s February 23rd published attacks on various wireless mouse/keyboard dongles.

I’ve written a quick PowerShell script to get a full inventory of affected computers (deal with the output yourself).

Worth noting that this is clearly novel, but, as of this time, MSFT hasn’t released a patch, which is weird given that Bastille disclosed the vulnerabilities to them November 24th, 2015. The recommended solution (from Bastille) is to move to a wired keyboard. Nice! But aren’t those vulnerable as well?! Is Tom Cruise crawling in my ceiling tiles?!!1

Here are the details and links to attack code: https://www.bastille.net/affected-devices

Setting Gmail as your default mailto handler

December 19, 2015

1) Configure Firefox to use Gmail for mailto links:
Options > Applications > mailto > Use Gmail

2) Delete all other mailto options and set URL Protocol to nothing under: HKEY_CURRENT_USER\SOFTWARE\Classes\mailto

3) Add firefox as a handler: HKEY_CURRENT_USER\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\URLAssociations\ reg_sz: mailto = “FirefoxURL”

4) Delete all options in: HKCU\Software\Microsoft\Windows\Shell\Associations\URLAssociations\MAILTO\Userchoice

5) Open a mailto link and select Firefox.

If you don’t set the mailto application in Firefox, its default is set to Firefox, which will make Firefox load Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox loading Firefox GOTO loading Firefox
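Steps 2 to 4 above are registry edits, so here they are as an added PowerShell example (not from the original post) that exports each key it touches to a .reg file first, so the change can be rolled back. The key paths and the FirefoxURL value are the ones given in the steps; the backup directory under %TEMP% is my own choice.

```powershell
# Added example: steps 2-4 of the mailto procedure as PowerShell, with a
# reg.exe export of each key before it is modified. Paths and values come
# from the steps above; the backup location is an assumption.
$ErrorActionPreference = 'Stop'
$backupDir = Join-Path $env:TEMP 'mailto-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

$classes    = 'HKCU:\SOFTWARE\Classes\mailto'
$firefoxUA  = 'HKCU:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\URLAssociations'
$userChoice = 'HKCU:\Software\Microsoft\Windows\Shell\Associations\URLAssociations\MAILTO\UserChoice'

# Back up the keys that are about to lose values (reg.exe wants the long hive name)
foreach ($key in $classes, $userChoice) {
    if (Test-Path $key) {
        $native = $key -replace '^HKCU:', 'HKEY_CURRENT_USER'
        $file   = Join-Path $backupDir (($key -replace '[:\\]', '_') + '.reg')
        reg.exe export $native $file /y | Out-Null
    }
}

# Step 2: drop every handler subkey under Classes\mailto and blank "URL Protocol"
if (Test-Path $classes) {
    Get-ChildItem -Path $classes | Remove-Item -Recurse -Force
    Set-ItemProperty -Path $classes -Name 'URL Protocol' -Value '' -Type String
}

# Step 3: advertise Firefox as a mailto handler
New-Item -Path $firefoxUA -Force | Out-Null
Set-ItemProperty -Path $firefoxUA -Name 'mailto' -Value 'FirefoxURL' -Type String

# Step 4: remove the UserChoice key so Windows asks again; step 5 is the prompt
if (Test-Path $userChoice) {
    Remove-Item -Path $userChoice -Recurse -Force
}

"Backups written to $backupDir. Now open a mailto: link and pick Firefox."
```

Step 1 (telling Firefox itself to hand mailto to Gmail) still has to be done in the Firefox Options dialog first, or you get the Firefox-loading-Firefox loop described above.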

Security software for personal PC

November 25, 2015

I’ve been meaning to create a quick list of personal PC security software for some time, but haven’t gotten around to it. Well…

  • Some antivirus… Windows Defender is okay, but not great.
  • Immunet: this “cloud based antivirus” is the free version of Cisco/Sourcefire AMP for Endpoints and will provide you with access to TALOS intelligence on file integrity. [note that immunet is sourcefire… sourcefire is TALOS… TALOS is Cisco… Cisco is in bed with the US Government.]
  • EMET: Yes. This probably won’t cause too much trouble.
  • Glasswire: Easy to use network awareness.
  • Sysmon: Well, if you’re in the position of “supporting” your family/friend’s PCs, then you might want to be wise to malware infections. You can get crafty here.
  • Papertrail/LogEntries/SumoLogic/Loggly with nxlog: if you want to get real crazy, real quick, configure cloud-based event logging with alerting, as long as you can provide them with a work Email address. Papertrail supports alerting via Email and integration into other platforms (like librato, slack, zapier, stathat, pagerduty… anything that supports webhooks (which excludes IFTTT)) for free out-of-the-box.

That’s it for now. I guess I’ll expand when I come across other things.

Native powershell support for VSS snapshot mounting

October 30, 2015

This link contains two functions that allow you to mount and then dismount VSS snapshots in PowerShell. I’ve copied them to a gist, as I have a healthy fear.

“Application Initiation Error” with Adobe installer?

October 12, 2015

To assist detection of malicious Adobe installers, Adobe seems to have taken the proactive step of not having its Download Manager/Installer respect the Windows certificate store, instead using certificate pinning (an embedded cert) for its connection to download the Adobe installer.

An easy way around this is to download the installer itself by obtaining the redistribution package at https://www.adobe.com/products/flashplayer/distribution3.html .

I came to this conclusion via a forum post that showed how to perform debug logging of the Adobe Download Manager.

1) Create an empty text file named ADM.trace inside your %temp% directory (usually C:\Users\YourUserID\AppData\Local\Temp\).  The file extension itself is .trace, not .txt or anything else.

2) If your computer is not configured to show file extensions you'll want to enable this to ensure the file extension is .trace and not something such as .trace.txt

3) Run the online installer again (the online installer deletes itself after it's launched, so you'll need to download it again).
When the installer window displays the error, obtain the Adobe_ADM.log and Adobe_GDE.log files from the %temp%\Adobe_ADMLogs directory (e.g. C:\Users\YourUserID\AppData\Local\Temp\Adobe_ADMLogs).

This revealed the error was related to the above and the Download Manager’s connection to the distribution servers:

10/12/15 13:23:17:430 | [TRACE] |  | ADM |  | WorkflowManager |  |  | 4408 | HTTPConnector::HTTPSend :: After callback : error Type : 0, error code : 0
10/12/15 13:23:17:430 | [WARN] |  | ADM |  | ApplicationContext | HTTPSend |  | 4408 | Certificate not matching.
10/12/15 13:23:17:430 | [FATAL] |  | ADM |  | WorkflowManager | HTTPConnectorError |  | 4408 | Error occurred while getting application xml: -4 extended error: 0
10/12/15 13:23:17:430 | [DEBUG] |  | ADM |  | ApplicationContext |  |  | 4408 | Showing screen: initErrorScreen

Oh… and for the URL list the ADM debug file also lists:

10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | White listed URLs are
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | get.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | get2.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | aihdownload.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | admdownload.stage.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | admdownload.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | airdownload.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | ardownload.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | ardownload2.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | download.macromedia.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | fpdownload.macromedia.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | fpdownload2.macromedia.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | fpdownload.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | fpdownload2.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | platformdl.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | platformdl-stage.corp.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | wwwimages2.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | wwwimages.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | wwwimages.stage.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | wwwimages2.stage.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | dlmping.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | dlmping2.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | dlmping3.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | dlmping4.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | get3.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | get3.stage.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | adobetag.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | promotion.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | stats.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | sstats.adobe.com
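The ADM trace is pipe-delimited, so it is easy to parse instead of eyeballing. Here is an added PowerShell example (not from the post or from Adobe) that turns the lines into objects, pulls out the WARN/FATAL lines that explain the error, and collects the whitelisted hosts into an allow-list you can hand to whoever runs the proxy. The sample input is constructed from the log lines shown above; the field positions are inferred from those same lines.

```powershell
# Added example, not from the original post: parse the Adobe ADM trace format
# shown above. Sample lines are constructed from the post's own log output.
$sampleLog = @'
10/12/15 13:23:17:430 | [WARN] |  | ADM |  | ApplicationContext | HTTPSend |  | 4408 | Certificate not matching.
10/12/15 13:23:17:430 | [FATAL] |  | ADM |  | WorkflowManager | HTTPConnectorError |  | 4408 | Error occurred while getting application xml: -4 extended error: 0
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | White listed URLs are
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | get.adobe.com
10/12/15 13:40:41:916 | [INFO] |  | ADM |  | ApplicationContext |  |  | 4196 | admdownload.adobe.com
'@

function ConvertFrom-AdmTrace {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Fields are separated by " | "; empty fields become empty strings
        $f = $line -split ' \| '
        if ($f.Count -lt 10) { continue }   # not an ADM trace line, skip it
        [pscustomobject]@{
            Time      = $f[0]
            Level     = $f[1].Trim('[', ']')
            Component = $f[5]
            Function  = $f[6]
            Thread    = $f[8]
            Message   = $f[9]
        }
    }
}

$events = ConvertFrom-AdmTrace -Lines ($sampleLog -split "`r?`n")

# 1. Why it failed: anything WARN or worse, in order of appearance
$events | Where-Object { $_.Level -in 'WARN', 'ERROR', 'FATAL' } |
    Format-Table Time, Level, Component, Function, Message -AutoSize

# 2. What the installer needs to reach: hostnames listed after the marker line
$inList = $false
$allowList = foreach ($e in $events) {
    if ($e.Message -eq 'White listed URLs are') { $inList = $true; continue }
    if ($inList -and $e.Message -match '^[a-z0-9.-]+\.[a-z]+$') { $e.Message }
}
$allowList
```

Point it at the real Adobe_ADM.log with `Get-Content` instead of the sample and the same two queries give you the pinning failure and the full allow-list from the actual run.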