Por muitas vezes em determinados projetos nos deparamos com a necessidade de customizar algo para atender um requisito exigido pelo cliente. Sabemos também da flexibilidade da plataforma Altiris, que nos permite construir basicamente qualquer tipo de customização. Graças a sua arquitetura e a maneira como os componentes estão dispostos, conseguimos agradar o cliente e disponibilizar a funcionalidade necessária.

Claro que cada customização tem a sua complexidade; por isso devemos avaliar no momento de uma pré-venda se a opção de criar algo para realizar uma determinada tarefa realmente é viável ou não.

Uma das funcionalidades disponíveis na plataforma Altiris é a opção de criarmos estruturas de dados que armazenarão informações diversas. O nome dessa estrutura é Data Class.

Nesse artigo vamos criar um data class customizado para armazenar os seriais de determinados softwares. Depois de seguir os passos aqui descritos e conseguir implantar essa customização em seu ambiente de testes, fique à vontade para alterar os scripts utilizados e assim ser capaz de coletar informações de outros softwares.

A criação de uma classe de dados customizada – ou Custom Data Class – é bem simples e nos permite armazenar e consultar os dados quando for necessário. No decorrer do artigo explicarei como criar uma estrutura e como consultar as informações dela.

Primeiro Passo: script de coleta de seriais

A função do script abaixo é verificar no registro do Windows se o serial de um determinado software está presente. Dependendo da versão do Office, Visio ou Project instalado na máquina-alvo o script executa funções específicas e armazena as informações em variáveis que posteriormente são enviadas para o Notification Server.

Por hora vale a pena percorrer o script, entender seu funcionamento e acompanhar as chamadas da função MsgBox para exibir os valores capturados durante a execução. Durante o artigo acrescentaremos a chamada da função responsável por enviar os dados para o Notification Server.

Dim nse

Set nse = WScript.CreateObject ("Altiris.AeXNSEvent")

nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}"

nse.Priority = 1


On Error Resume Next


Const HKEY_LOCAL_MACHINE = &H80000002


Dim aOffID(5,1)


aOffID(0,0) = "97"

aOffID(0,1) = "8.0"

aOffID(1,0) = "2000"

aOffID(1,1) = "9.0"

aOffID(2,0) = "XP"

aOffID(2,1) = "10.0"

aOffID(3,0) = "2003"

aOffID(3,1) = "11.0"

aOffID(4,0) = "2007"

aOffID(4,1) = "12.0"

aOffID(5,0) = "2010"

aOffID(5,1) = "14.0"


Set oCtx = CreateObject("WbemScripting.SWbemNamedValueSet")

oCtx.Add "__ProviderArchitecture", 64


Set oLocator = CreateObject("Wbemscripting.SWbemLocator")

Set oReg = oLocator.ConnectServer("", "root\default", "", "", , , , oCtx).Get("StdRegProv")


osType = 32

oReg.GetStringValue HKEY_LOCAL_MACHINE, "SYSTEM\CurrentControlSet\Control\Session Manager\Environment", "PROCESSOR_ARCHITECTURE", osProc


If osProc = "x86" Then osType = 32

If osProc = "AMD64" Then osType = 64


For a = LBound(aOffID, 1) To UBound(aOffID, 1)

  If (aOffID(a,0) = "97") Then searchKey97 "SOFTWARE\Microsoft\Office\"& aOffID(a,1), true

  If (aOffID(a,0) = "2000") Then searchKey2000 "SOFTWARE\Microsoft\Office\"& aOffID(a,1) & "\Registration\ProductID", true


  searchKey "SOFTWARE\Microsoft\Office\"& aOffID(a,1) & "\Registration", true

  searchKey "SOFTWARE\Wow6432Node\Microsoft\Office\"& aOffID(a,1) & "\Registration", false

Next


Sub searchKey97(regKey, likeOS)

   oReg.GetStringValue HKEY_LOCAL_MACHINE, regKey, "BinDirPath", oDir97

  

   If IsNull (oDir97) Then Exit Sub


   oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Microsoft Reference\BookshelfF\96L", "PID", oProdID

   oKey = oProdID


   oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office8.0", "DisplayName", oEdit

   oProd = oEdit


   If Mid (oProdID,7,3) = "OEM" Then oOEM = " OEM"

  

   oProd = oProd & oOEM

   oBit = osType


   If Not likeOS Then oBit = 32


   oNote = ""


   writeXML oEdit,oProd,oProdID,oBit,oKey,oNote

End Sub


Sub searchKey2000(regKey, likeOS)

   oReg.GetStringValue HKEY_LOCAL_MACHINE, regKey, "", oProdID


   If IsNull (oProdID) Then Exit Sub


   oKey = oProdID

  

   oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0000040C-78E1-11D2-B60F-006097C998E7}", "DisplayName", oEdit ''Microsoft Office 2000 Premium Edition CD1


   If IsNull (oEdit) Then oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0001040C-78E1-11D2-B60F-006097C998E7}", "DisplayName", oEdit ''Microsoft Office 2000 Professional Edition

   If IsNull (oEdit) Then oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0002040C-78E1-11D2-B60F-006097C998E7}", "DisplayName", oEdit ''Microsoft Office 2000 Standard Edition

   If IsNull (oEdit) Then oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0003040C-78E1-11D2-B60F-006097C998E7}", "DisplayName", oEdit ''Microsoft Office 2000 Small Business Edition

   If IsNull (oEdit) Then oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0004040C-78E1-11D2-B60F-006097C998E7}", "DisplayName", oEdit ''Microsoft Office 2000 Premium CD2

   If IsNull (oEdit) Then oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0010040C-78E1-11D2-B60F-006097C998E7}", "DisplayName", oEdit ''Microsoft Access 2000

   If IsNull (oEdit) Then oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0011040C-78E1-11D2-B60F-006097C998E7}", "DisplayName", oEdit ''Microsoft Excel 2000

   If IsNull (oEdit) Then oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0012040C-78E1-11D2-B60F-006097C998E7}", "DisplayName", oEdit ''Microsoft FrontPage 2000

   If IsNull (oEdit) Then oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0013040C-78E1-11D2-B60F-006097C998E7}", "DisplayName", oEdit ''Microsoft PowerPoint 2000

   If IsNull (oEdit) Then oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0014040C-78E1-11D2-B60F-006097C998E7}", "DisplayName", oEdit ''Microsoft Publisher 2000

   If IsNull (oEdit) Then oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0016040C-78E1-11D2-B60F-006097C998E7}", "DisplayName", oEdit ''Microsoft Outlook 2000

   If IsNull (oEdit) Then oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0017040C-78E1-11D2-B60F-006097C998E7}", "DisplayName", oEdit ''Microsoft Word 2000

   If IsNull (oEdit) Then oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0018040C-78E1-11D2-B60F-006097C998E7}", "DisplayName", oEdit ''Microsoft Access 2000

   If IsNull (oEdit) Then oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{001A040C-78E1-11D2-B60F-006097C998E7}", "DisplayName", oEdit ''Publisher Standalone OEM

   If IsNull (oEdit) Then oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{004F040C-78E1-11D2-B60F-006097C998E7}", "DisplayName", oEdit ''Access 2000 SR-1 Run-Time

   If Not IsNull (oEdit) Then oProd = oEdit


   If Mid (oProdID,7,3) = "OEM" Then oOEM = " OEM"


   oProd = oProd & oOEM

   oBit = osType


   If Not likeOS Then oBit = 32

  

   oNote = ""


   writeXML oEdit,oProd,oProdID,oBit,oKey,oNote

End Sub


Sub searchKey(regKey, likeOS)

   oReg.GetBinaryValue HKEY_LOCAL_MACHINE, regKey, "DigitalProductID", aDPIDBytes


   If IsNull(aDPIDBytes) Then

      oReg.EnumKey HKEY_LOCAL_MACHINE, regKey, aGUIDKeys


      If Not IsNull(aGUIDKeys) Then

         For Each GUIDKey In aGUIDKeys

            searchKey regKey & "\"& GUIDKey, likeOS

         Next

      End If


   Else

      oKey = decodeKey(aDPIDBytes, (a>4))

      oReg.GetStringValue HKEY_LOCAL_MACHINE, regKey, "ProductName", oEdit

      oReg.GetStringValue HKEY_LOCAL_MACHINE, regKey, "ProductName", oProd


      If likeOS Then

         oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Office\"& aOffID(a,1) & "\Common\ProductVersion", "LastProduct", oVer

     

      Else

         oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Wow6432Node\Microsoft\Office\"& aOffID(a,1) & "\Common\ProductVersion", "LastProduct", oVer

      End If


      If (aOffID(a,0) = "XP") Then

         hProd = Mid ((Right(regKey,38)),4,2)


         Select Case hProd

            Case "11" oProductCode = "Microsoft Office XP Professional"

            Case "12" oProductCode = "Microsoft Office XP Standard"

            Case "13" oProductCode = "Microsoft Office XP Small Business"

            Case "14" oProductCode = "Microsoft Office XP Web Server"

            Case "15" oProductCode = "Microsoft Access 2002"

            Case "16" oProductCode = "Microsoft Excel 2002"

            Case "17" oProductCode = "Microsoft FrontPage 2002"

            Case "18" oProductCode = "Microsoft PowerPoint 2002"

            Case "19" oProductCode = "Microsoft Publisher 2002"

            Case "1A" oProductCode = "Microsoft Outlook 2002"

            Case "1B" oProductCode = "Microsoft Word 2002"

            Case "1C" oProductCode = "Microsoft Access 2002 Runtime"

            Case "27" oProductCode = "Microsoft Project 2002"

            Case "28" oProductCode = "Microsoft Office XP Professional with FrontPage"

            Case "31" oProductCode = "Microsoft Project 2002 Web Client"

            Case "32" oProductCode = "Microsoft Project 2002 Web Server"

            Case "3A" oProductCode = "Project 2002 Standard"

            Case "3B" oProductCode = "Project 2002 Professional"

            Case "51" oProductCode = "Microsoft Office Visio Professional 2002"

            Case "54" oProductCode = "Microsoft Office Visio Standard 2002"

         End Select

      End If


      If (aOffID(a,0) = "2003") Then

         hProd = Mid ((Right(regKey,38)),4,2)


         Select Case hProd

            Case "11" oProductCode = "Microsoft Office Professional Enterprise Edition 2003"

            Case "12" oProductCode = "Microsoft Office Standard Edition 2003"

            Case "13" oProductCode = "Microsoft Office Basic Edition 2003"

            Case "14" oProductCode = "Microsoft Windows SharePoint Services 2.0"

            Case "15" oProductCode = "Microsoft Office Access 2003"

            Case "16" oProductCode = "Microsoft Office Excel 2003"

            Case "17" oProductCode = "Microsoft Office FrontPage 2003"

            Case "18" oProductCode = "Microsoft Office PowerPoint 2003"

            Case "19" oProductCode = "Microsoft Office Publisher 2003"

            Case "1A" oProductCode = "Microsoft Office Outlook Professional 2003"

            Case "1B" oProductCode = "Microsoft Office Word 2003"

            Case "1C" oProductCode = "Microsoft Office Access 2003 Runtime"

            Case "1E" oProductCode = "Microsoft Office 2003 User Interface Pack"

            Case "1F" oProductCode = "Microsoft Office 2003 Proofing Tools"

            Case "23" oProductCode = "Microsoft Office 2003 Multilingual User Interface Pack"

            Case "24" oProductCode = "Microsoft Office 2003 Resource Kit"

            Case "26" oProductCode = "Microsoft Office XP Web Components"

            Case "2E" oProductCode = "Microsoft Office 2003 Research Service SDK"

            Case "44" oProductCode = "Microsoft Office InfoPath 2003"

            Case "83" oProductCode = "Microsoft Office 2003 HTML Viewer"

            Case "92" oProductCode = "Windows SharePoint Services 2.0 English Template Pack"

            Case "93" oProductCode = "Microsoft Office 2003 English Web Parts and Components"

            Case "A1" oProductCode = "Microsoft Office OneNote 2003"

            Case "A4" oProductCode = "Microsoft Office 2003 Web Components"

            Case "A5" oProductCode = "Microsoft SharePoint Migration Tool 2003"

            Case "AA" oProductCode = "Microsoft Office PowerPoint 2003 Presentation Broadcast"

            Case "AB" oProductCode = "Microsoft Office PowerPoint 2003 Template Pack 1"

            Case "AC" oProductCode = "Microsoft Office PowerPoint 2003 Template Pack 2"

            Case "AD" oProductCode = "Microsoft Office PowerPoint 2003 Template Pack 3"

            Case "AE" oProductCode = "Microsoft Organization Chart 2.0"

            Case "CA" oProductCode = "Microsoft Office Small Business Edition 2003"

            Case "D0" oProductCode = "Microsoft Office Access 2003 Developer Extensions"

            Case "DC" oProductCode = "Microsoft Office 2003 Smart Document SDK"

            Case "E0" oProductCode = "Microsoft Office Outlook Standard 2003"

            Case "E3" oProductCode = "Microsoft Office Professional Edition 2003 (with InfoPath 2003)"

            Case "FD" oProductCode = "Microsoft Office Outlook 2003 (distributed by MSN)"

            Case "FF" oProductCode = "Microsoft Office 2003 Edition Language Interface Pack"

            Case "F8" oProductCode = "Remove Hidden Data Tool"

            Case "3A" oProductCode = "Microsoft Office Project Standard 2003"

            Case "3B" oProductCode = "Microsoft Office Project Professional 2003"

            Case "32" oProductCode = "Microsoft Office Project Server 2003"

            Case "51" oProductCode = "Microsoft Office Visio Professional 2003"

            Case "52" oProductCode = "Microsoft Office Visio Viewer 2003"

            Case "53" oProductCode = "Microsoft Office Visio Standard 2003"

            Case "55" oProductCode = "Microsoft Office Visio for Enterprise Architects 2003"

            Case "5E" oProductCode = "Microsoft Office Visio 2003 Multilingual User Interface Pack"

         End Select

      End If


      If (aOffID(a,0) = "2007") Then

         hProd = Mid ((Right(regKey,38)),11,4)


         Select Case hProd

            Case "0011" oProductCode = "Microsoft Office Professional Plus 2007"

            Case "0012" oProductCode = "Microsoft Office Standard 2007"

            Case "0013" oProductCode = "Microsoft Office Basic 2007"

            Case "0014" oProductCode = "Microsoft Office Professional 2007"

            Case "0015" oProductCode = "Microsoft Office Access 2007"

            Case "0016" oProductCode = "Microsoft Office Excel 2007"

            Case "0017" oProductCode = "Microsoft Office SharePoint Designer 2007"

            Case "0018" oProductCode = "Microsoft Office PowerPoint 2007"

            Case "0019" oProductCode = "Microsoft Office Publisher 2007"

            Case "001A" oProductCode = "Microsoft Office Outlook 2007"

            Case "001B" oProductCode = "Microsoft Office Word 2007"

            Case "001C" oProductCode = "Microsoft Office Access Runtime 2007"

            Case "0020" oProductCode = "Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats"

            Case "0026" oProductCode = "Microsoft Expression Web"

            Case "002E" oProductCode = "Microsoft Office Ultimate 2007"

            Case "002F" oProductCode = "Microsoft Office Home and Student 2007"

            Case "0030" oProductCode = "Microsoft Office Enterprise 2007"

            Case "0031" oProductCode = "Microsoft Office Professional Hybrid 2007"

            Case "0033" oProductCode = "Microsoft Office Personal 2007"

            Case "0035" oProductCode = "Microsoft Office Professional Hybrid 2007"

            Case "003A" oProductCode = "Microsoft Office Project Standard 2007"

            Case "003B" oProductCode = "Microsoft Office Project Professional 2007"

            Case "0044" oProductCode = "Microsoft Office InfoPath 2007"

            Case "0051" oProductCode = "Microsoft Office Visio Professional 2007"

            Case "0052" oProductCode = "Microsoft Office Visio Viewer 2007"

            Case "0053" oProductCode = "Microsoft Office Visio Standard 2007"

            Case "00A1" oProductCode = "Microsoft Office OneNote 2007"

            Case "00A3" oProductCode = "Microsoft Office OneNote Home Student 2007"

            Case "00A7" oProductCode = "Calendar Printing Assistant for Microsoft Office Outlook 2007"

            Case "00A9" oProductCode = "Microsoft Office InterConnect 2007"

            Case "00AF" oProductCode = "Microsoft Office PowerPoint Viewer 2007 (English)"

            Case "00B0" oProductCode = "The Microsoft Save as PDF add-in"

            Case "00B1" oProductCode = "The Microsoft Save as XPS add-in"

            Case "00B2" oProductCode = "The Microsoft Save as PDF or XPS add-in"

            Case "00BA" oProductCode = "Microsoft Office Groove 2007"

            Case "00CA" oProductCode = "Microsoft Office Small Business 2007"

            Case "10D7" oProductCode = "Microsoft Office InfoPath Forms Services"

            Case "110D" oProductCode = "Microsoft Office SharePoint Server 2007"

            Case "1122" oProductCode = "Windows SharePoint Services Developer Resources 1.2"

            Case "0010" oProductCode = "SKU - Microsoft Software Update for Web Folders (English) 12"

         End Select


         oEdit = oProductCode

      End If


      If (aOffID(a,0) = "2010") Then

         For i = 280 to 312 Step 2

            If aDPIDBytes(i) <> 0 Then strEdition = strEdition & Chr(aDPIDBytes(i))

         Next


         Select Case strEdition

            Case "ProjectStdVL"    oEdit = "Microsoft Office Project Standard 2010 (VL)"

            Case "ProjectProVL"    oEdit = "Microsoft Office Project Professional2010 (VL)"

            Case "ProjectProMSDNR" oEdit = "Microsoft Project Professional 2010 (MSDN)"

            Case "HomeBusinessR"   oEdit = "Microsoft Office Home And Business 2010"

            Case "ProfessionalR"   oEdit = "Microsoft Office Professional 2010"

            Case "ProPlusR"        oEdit = "Microsoft Office Professional Plus 2010"

            Case "StandardR"       oEdit = "Microsoft Office Standard 2010"

            Case "StandardVL"      oEdit = "Microsoft Office Standard 2010 (VL)"

            Case "HomeStudentR"    oEdit = "Microsoft Office Home and Student 2010"

            Case "AccessRuntimeR"  oEdit = "Microsoft Office Access Runtime 2010"

            Case "VisioSIR"        oEdit = "Microsoft Office Visio Professional 2010"

            Case "SPDR"            oEdit = "Microsoft SharePoint Designer 2010"

            Case "ProjectProR"     oEdit = "Microsoft Project Professional 2010"

            Case "ProjectStdR"     oEdit = "Microsoft Project Standard 2010"

            Case "VisioSIVL"       oEdit = "Microsoft Visio 2010 Standard (VL)"

            Case "InfoPathR"       oEdit = "Microsoft Office InfoPath 2010"     

            Case Else              oEdit = "Microsoft Office Unknown Edition 2010: "& strEdition     

         End Select


         hProd = Mid ((Right(regkey,38)),11,4)


         Select Case hProd

            Case "0011" oProductCode = "Microsoft Office Professional Plus 2010"

            Case "0012" oProductCode = "Microsoft Office Standard 2010"

            Case "0013" oProductCode = "Microsoft Office Home and Business 2010"

            Case "0014" oProductCode = "Microsoft Office Professional 2010"

            Case "0015" oProductCode = "Microsoft Access 2010"

            Case "0016" oProductCode = "Microsoft Excel 2010"

            Case "0017" oProductCode = "Microsoft SharePoint Designer 2010"

            Case "0018" oProductCode = "Microsoft PowerPoint 2010"

            Case "0019" oProductCode = "Microsoft Publisher 2010"

            Case "001A" oProductCode = "Microsoft Outlook 2010"

            Case "001B" oProductCode = "Microsoft Word 2010"

            Case "001C" oProductCode = "Microsoft Access Runtime 2010"

            Case "001F" oProductCode = "Microsoft Office Proofing Tools Kit Compilation 2010"

            Case "002F" oProductCode = "Microsoft Office Home and Student 2010"

            Case "003A" oProductCode = "Microsoft Project Standard 2010"

            Case "003D" oProductCode = "Microsoft Office Single Image 2010"

            Case "003B" oProductCode = "Microsoft Project Professional 2010"

            Case "0044" oProductCode = "Microsoft InfoPath 2010"

            Case "0052" oProductCode = "Microsoft Visio Viewer 2010"

            Case "0057" oProductCode = "Microsoft Visio 2010"

            Case "007A" oProductCode = "Microsoft Outlook Connector"

            Case "008B" oProductCode = "Microsoft Office Small Business Basics 2010"

            Case "00A1" oProductCode = "Microsoft OneNote 2010"

            Case "00AF" oProductCode = "Microsoft PowerPoint Viewer 2010"

            Case "00BA" oProductCode = "Microsoft Office SharePoint Workspace 2010"

            Case "110D" oProductCode = "Microsoft Office SharePoint Server 2010"

            Case "110F" oProductCode = "Microsoft Project Server 2010"

         End Select

      End If


      If Not IsNull (oProductCode) Then oProd = oProductCode


      If Mid (oProdID,7,3) = "OEM" Then oOEM = " OEM"

     

      oProd = oProd & oOEM


      If IsNull (oEdit) Then oEdit = oProd

     

      oReg.GetStringValue HKEY_LOCAL_MACHINE, regKey, "ProductID", oProdID

      oBit = osType


      If Not likeOS Then oBit = 32

     

      oNote = ""


      writeNSE oEdit,oProd,oProdID,oBit,oKey,oNote

   End If

End Sub


Sub writeNSE (oEdit,oProd,oProdID,oBit,oKey,oNote)

   Dim objDCInstance

   Set objDCInstance = nse.AddDataClass ("{4e8d251e-cec2-4435-b245-e527f59a63df}")


   Dim objDataClass

   Set objDataClass = nse.AddDataBlock (objDCInstance)


   Dim objDataRow

   Set objDataRow = objDataClass.AddRow


   objDataRow.SetField 0, oEdit

   objDataRow.SetField 1, oProd

   objDataRow.SetField 2, oProdID

   objDataRow.SetField 3, oBit

   objDataRow.SetField 4, oKey

   objDataRow.SetField 5, oNote


   nse.SendQueued

End Sub


Function decodeKey(iValues, newOffice)

   Dim arrDPID, foundKeys

   arrDPID = Array()

   foundKeys = Array()


   If (newOffice) Then

      For i = 808 to 822

         ReDim Preserve arrDPID( UBound(arrDPID) + 1 )

         arrDPID( UBound(arrDPID) ) = iValues(i)

      Next

  

   Else

      For i = 52 to 66

         ReDim Preserve arrDPID( UBound(arrDPID) + 1 )

         arrDPID( UBound(arrDPID) ) = iValues(i)

      Next

   End If


   Dim arrChars

   arrChars = Array("B","C","D","F","G","H","J","K","M","P","Q","R","T","V","W","X","Y","2","3","4","6","7","8","9")


   For i = 24 To 0 Step -1

      k = 0


      For j = 14 To 0 Step -1

         k = k * 256 Xor arrDPID(j)

         arrDPID(j) = Int(k / 24)

         k = k Mod 24

      Next


      strProductKey = arrChars(k) & strProductKey


      If i Mod 5 = 0 And i <> 0 Then strProductKey = "-"& strProductKey

   Next


   ReDim Preserve foundKeys( UBound(foundKeys) + 1 )

  

   foundKeys( UBound(foundKeys) ) = strProductKey


   strKey = UBound(foundKeys)


   decodeKey = foundKeys(strKey)

End Function

Segundo Passo: entender a estrutura gerada pelo script

Agora que entendemos o objetivo e o funcionamento do script, é importante entender o resultado gerado pelo mesmo. Copie o script do passo acima e cole o conteúdo no bloco de notas. Dê um nome qualquer, como “ColetaSeriais.vbs”, e coloque o script no desktop de uma máquina-alvo.

Antes de executar o script é importante dizer que o conteúdo gerado por ele estará disponível na pasta que contém a fila do agente: “C:\Program Files\Altiris\Altiris Agent\Queue\<Nome do Servidor SMP>”. Ao executar o script o conteúdo aparece rapidamente na pasta e logo que é processado, desaparece. Portanto seja rápido para executar, dar um CTRL+C nos arquivos e um CTRL+V no desktop.

Depois de executar o script e copiar os arquivos gerados por ele para o desktop da máquina-alvo, abra um dos arquivos – geralmente são gerados dois – e analise o conteúdo, que deve ser semelhante ao abaixo:

<?xml version="1.0"?>

<message>

<to>{1592B913-72F3-4C36-91D2-D4EDA21D2F96}</to>

<priority>1</priority>

<msgId>{E03288D6-C490-41EE-9F9D-82EBA4F83DC8}</msgId>

<time>20131220060008.914000+480</time>

<from>

       <resource typeGuid="{2C3CB3BB-FEE9-48DF-804F-90856198B600}" guid="{C8AD41C6-7663-45B1-97E9-7151ABB6194C}" name="WIN7">

              <key name="fqdn" value="WIN7.ses.local"/>

              <key name="name.domain" value="WIN7.SES"/>

              <key name="uniqueid" value="hTb0l3RZKzqNkZGcJHVFrA=="/>

              <key name="uniqueid" value="tyuSc23itsGsVGJIBsg0RQ=="/>

       </resource>

</from>

<body>

       <inventory>

              <dataClass guid="{4e8d251e-cec2-4435-b245-e527f59a63df}">

                     <data>

                           <resource partialUpdate="false">

                                  <row c0="Microsoft Office Standard 2010 (VL)" c1="Microsoft Office Standard 2010" c2="82503-001-0000106-38277" c3="64" c4="XXXXX-XXXXX-XXXXX-XXXXX-XXXXX" c5="" hash="FBOSq+KqyozClXgqoFpGug=="/>

                           </resource>

                           <resource partialUpdate="false">

                                  <row c0="Microsoft Office Project Professional2010 (VL)" c1="Microsoft Project Professional 2010" c2="82503-001-0000205-49789" c3="64" c4="XXXXX-XXXXX-XXXXX-XXXXX-XXXXX" c5="" hash="oXZ58MD3Q9ad0ZSiPNIZRw=="/>

                           </resource>

                     </data>

              </dataClass>

       </inventory>

</body>

</message>

Basicamente o resultado gerado é um XML com informações no formato esperado pelo Notification Server, como: para qual data class a informação será enviada, qual a prioridade de envio, se o update é parcial e o mais importante, as informações sobre os softwares que procuramos e os seriais deles.

Como exemplo, vamos separar o trecho abaixo:

<row c0="Microsoft Office Project Professional2010 (VL)" c1="Microsoft Project Professional 2010" c2="82503-001-0000205-49789" c3="64" c4="XXXXX-XXXXX-XXXXX-XXXXX-XXXXX" c5="" hash="oXZ58MD3Q9ad0ZSiPNIZRw=="/>

As informações que precisamos estão em estruturas como c0, c1, c2 e assim por diante. O nome do software, por exemplo, está na coluna c1 enquanto o serial está na coluna c4.

Terceiro Passo: criação do data class customizado

Agora que temos o script coletando as informações e gerando o resultado na fila do agente da nossa máquina-alvo, é hora de criar o data class no lado do servidor para armazenar as informações que serão enviadas.

A criação do data class customizado é simples e rápida. Apesar disso é importante ficar atento para a posição do campo, que deve ser a mesma gerada pelo script VBS. Se as posições não estiverem iguais pode acontecer de uma determinada informação ir parar em outra coluna do nosso data class customizado, o que obviamente não queremos.

Outro item de atenção é o GUID do data class, que deve ser colocado no script para o envio das informações para o data class correto. Depois de criarmos o data class vamos realizar essa alteração.

Um lembrete importante é que a cada alteração efetuada no data class, o GUID também muda. Isso significa que temos que atualizar o script que está na máquina-alvo. No decorrer do artigo veremos que depois de automatizar a tarefa, essa alteração é simples e não causa nenhum impacto importante.

Antes de criar o data class customizado, é importante saber os campos que queremos armazenar:

• NomeVL
• Nome
• Id
• Bits
• Chave
• Hash

Siga os passos abaixo para criar o data class customizado:

• Vá em Settings > All Settings > Settings > Discovery and Inventory > Inventory Solution > Manage Custom Data Classes.

• Clique em “New data class” e preencha as informações gerais de acordo com a tela abaixo:

• Clique em OK para fechar a caixa de diálogo acima e começarmos a informar os campos na ordem correta, para recebermos as informações que serão enviadas pelo agente.

• Agora selecione o data class e clique em “Add Attribute”, destacado na imagem abaixo:

• Um a um, informe os campos conforme exemplo abaixo, alterando apenas o parâmetro “Name”:

• A tela abaixo apresenta todos os campos necessários:

• Por último, antes de salvar o nosso data class customizado, é importante marcar o campo que permitirá armazenar vários registros vindos de um mesmo computador:

• Após todos os procedimentos acima, clique em “Save Changes”.

Quarto Passo: alterar o script para inserir o GUID do data class

Agora que temos o data class criado, vamos selecionar o GUID e inserí-lo no script. Assim garantimos que a informação coletada será entregue para o data class correto.

Para saber o GUID do data class que acabamos de criar, selecione o data class “ColetaSeriais” e clique no botão indicado abaixo:

Copie o valor do GUID, no nosso exemplo “1f5ce21a-bb0b-411d-a4c2-027e80ffd973” e cole-o no script que está na máquina-alvo. Cuidado para não copiar algum espaço em branco porque o script não irá enviar as informações para o data class. Segue a linha que devemos alterar:

Sub writeNSE (oEdit,oProd,oProdID,oBit,oKey,oNote)

   Dim objDCInstance

   Set objDCInstance = nse.AddDataClass ("{1f5ce21a-bb0b-411d-a4c2-027e80ffd973}")


   Dim objDataClass

   Set objDataClass = nse.AddDataBlock (objDCInstance)


   Dim objDataRow

   Set objDataRow = objDataClass.AddRow


   objDataRow.SetField 0, oEdit

   objDataRow.SetField 1, oProd

   objDataRow.SetField 2, oProdID

   objDataRow.SetField 3, oBit

   objDataRow.SetField 4, oKey

   objDataRow.SetField 5, oNote


   nse.SendQueued

End Sub

Quinto Passo: testar a execução do script

Hora de testar o nosso script. Nesse momento a tabela que irá armazenar as informações no servidor já está criada e pronta para receber os dados. No passo anterior podemos ver o nome da tabela, no campo “Table Name”: Inv_ColetaSeriais.

Dê um clique duplo no script e vamos consultar a tabela no servidor para verificar se os valores estão presentes.

Basicamente temos duas alternativas para visualizar as informações: consultando diretamente no banco de dados ou através do Resource Manager.

Consulta no Banco de Dados:

select * from Symantec_CMDB.dbo.Inv_ColetaSeriais

Consulta no Resource Manager:

• Vá em Manage > Computers e selecione a máquina-alvo na lista de computadores.

• Clique com o botão direito e escolha a opção “Resource Manager”

• Na nova janela que irá abrir, escolha a opção “View > Inventory”.

• No frame que fica no meio, escolha “Data Classes > Inventory > Custom” e selecione o nosso data class “ColetaSeriais”. Verifique se as informações estão presentes.

Importante: execute o comando de exclusão das linhas inseridas apenas por questão “estética”, já que nos passos seguintes iremos criar a Task para executar o script automaticamente e veremos se os valores foram inseridos na tabela.

Sexto Passo: automatizando a execução da coleta através de uma Task

Para executarmos o procedimento visto nos passos acima de maneira automática podemos fazer uso da criação de uma Task. A principal vantagem é utilizar a estrutura da plataforma para fazer a distribuição da task nas máquinas-alvo e permitir a criação de um agendamento; dessa maneira automatizamos o processo e partimos para o próximo passo: criar um relatório para visualização das informações coletadas.

A criação da Task é simples e pode ser feita seguindo os passos abaixo:

• Vá em Manage > Jobs and Tasks

• Do lado esquerdo selecione System Jobs and Tasks > Discovery and Inventory > Inventory.

• Clique com o botão direito na pasta e selecione a opção New > Task. Irá abrir uma janela onde você deverá selecionar a opção Run Script, uma das últimas da lista de opções.

• Altere o nome da Task para um nome qualquer. Em Script type selecione a opção VBScript e cole o conteúdo todo do script no campo central. Depois dessas configurações, a sua tela ficará semelhante a tela abaixo:

• Clique em OK para salvar a Task.

• A tela de criação de Task é dividida em duas seções: Script Details, onde fizemos todas as configurações, e Task Status, onde podemos criar uma agenda para a execução da Task de maneira automática ou esporadicamente através da opção Quick Run.

• Para o nosso artigo vamos apenas clicar em Quick Run. Ao clicar irá abrir uma janela para seleção do recurso-alvo, que no nosso exemplo é a máquina WIN7. Depois de selecionar a máquina-alvo e clicar em Run, a Task iniciará a executar, conforme exemplo abaixo:

• Depois da execução, siga os passos descritos no passo 5 para visualizar as informações.

Sétimo Passo: criando um relatório para exibição dos seriais coletados

A criação do relatório também é bem simples e pode ser facilmente executada seguindo os passos abaixo.

• Vá em Reports > All Reports

• Clique com o botão direito em Reports > New > Folder. Vamos criar uma nova pasta apenas para separar o nosso relatório dos demais.

• Informe qualquer valor para o nome da pasta, conforme exemplo abaixo:

• Clique com o botão direito na pasta recém criada e escolha a opção New > Report > SQL Report. A consulta pode variar de acordo com a necessidade do seu projeto ou de outros requisitos, mas basicamente o que precisamos é selecionar as informações da tabela, conforme exemplo abaixo:

• Clique em Save Changes e visualize as informações coletadas automaticamente!

Conclusão

Diversas vezes durante a execução de um projeto nos deparamos com alguns obstáculos. O propósito desse artigo é oferecer para a equipe responsável pelo projeto uma maneira sucinta e elegante de conseguir adicionar uma funcionalidade que não é nativa na solução.

O exemplo aplicado aqui – coleta de seriais de software – pode ser estendido para diversas outras situações. Quaisquer melhorias nesse script, como a adição de novos softwares, será compartilhada nesse forum para facilitar o dia-a-dia do time estendido. Façam bom uso!

Obrigado!

Hi All,

We have recently got a request to add around 1500 servers into the Opscenter. We already have a report which is being generated from the Opscenter, I want to add these 1500 clients to that particular report. Please suggest me how do I add them.

Welcome to the Security 1:1 series of articles

In Part 1 we start right off with Viruses and Worms - get to know the definitions and what differentiates them. Nowadays both terms are quite often used interchangeable but there are still differences between them. We look further more on the classifications and what are the characteristics of each types. We will have a bit historical look at both known and most devastating viruses and worms in the past.

I will provide you as well with references to Symantec write-ups about those threat where both in-depth characteristics and removal processes can be checked. Throughout the series I invite you as well to watch the youtube videos from Norton and Symantec channels introducing various types of threats and attacks - those are shown in really informative (sometimes as well funny) way and are very easy to understand.

The Security 1:1 series consist so far of following articles:

• Security 1:1 - Part 1 - Viruses and Worms

• Security 1:1 - Part 2 - Trojans and other security threats

• Security 1:1 - Part 3 - Various types of network attacks

1. Viruses

Virus - a malicious program able to inject its code into other programs/applications or data files. After successful code replication the targeted areas become "infected". By definition virus installation is done without user's consent and spreads in form of executable code transferred from one host to another.. Purpose of viruses is very often of a harmful nature - data deletion or corruption on the targeted host leading up to system in-operability in worst case scenario.

Viruses can spread pretty fast over network, shares or removable media. On many occasions the virus spread scenarios are connected with social engineering attacks, where end-users are tricked to execute malicious links or download malicious files, in some other cases malicious email attachments are being opened by end-users which ends in infection. Viruses as already mentioned have as well ability to inject the code in other legitimate executable files - when afterwards run by end-users - the virus code contained in the infected program is being executed simultaneously. Viruses can take avail of known OS security vulnerabilities that allow them to access the target host machines.

Video - Symantec Guide to Scary Internet Stuff: Pests on Your PC - Viruses, Trojans & Worms

Depending on virus "residence" we can classify viruses in following way:

• Resident Virus - virus that embeds itself in the memory on a target host. In such way it becomes activated every time the OS starts or executes a specific action.
• Non-resident Virus - when executed this type of virus actively seeks targets for infections - either on local, removable or network locations. Upon further infection it exist - this way is not residing in the memory any more.
• Boot sector Virus - virus that targets specifically a boot sector (MBR) on the host's hard drive. This type of viruses is being loaded to memory every time when an attempt is being made to boot from the infected drive - this kind of viruses loads well before the OS loads. Boot sector viruses were quite common in the 90s where the infection was spread mostly through the infected floppy disks left in the bootable drives.
• Macro Virus - virus written in macro language, embedded in Word, Excel, Outlook etc. documents. This type of viruses are being executed as soon as the documents they are contained within are opened - this corresponds to the macro execution within those documents that under normal circumstances is automatic.

Another classification of viruses can result from their characteristics:

• File-infecting Virus (File-Infector) - classic form of virus. When the infected file is being executed the virus seeks out other files on the host and infects them with malicious code. The malicious code is being inserted either at the begging of the host file code (prepending virus); in the middle (mid-infector); or at the end (appending virus). A specific type of viruses called "cavity virus" can even injects the code in the gaps in the file structure itself. The start point of the file executions is changed to the start of the virus code to ensure that it is run when the file is executed - afterwards the control may or may not be passed on to the original program in turn. Depending on the infections routing the host file may become otherwise corrupted and completely non-functional. More sophisticated viral forms allow though the host program execution while trying to hide their presence completely (see polymorphic and metamorphic viruses).

• Polymorphic Virus -  this kind of viruses can change its own signature every time it replicates and infects a new file in order to stay undetected from antivirus programs. Every new variation of the virus is being achieved by using different encryption method each time in the virus file copies. This type of viruses is especially difficult in detection by any detection programs due to the number of variations - sometimes going in hundreds or even thousands.

• Metamorphic Virus - the virus is capable of changing its own code with each infection. The rewriting process may cause the infection to appear different each time but the functionality of the code remains the same. The metamorphic nature of this virus kind makes it possible to infect executables from two or more different operating systems or even different computer architectures as well. The metamorphic viruses are ones of the most complex in build and very difficult to detect.

• Stealth Virus - memory resident virus that utilises various mechanisms to avoid detection. This avoidance can be achieved for example by removing itself from the infected files and placing a copy of itself in a different location. The virus can also maintain a clean copy of the infected files in order to provide it to the antivirus engine for scan, while the infected version still remains undetected. Furthermore the stealth viruses are actively working to conceal any traces of their activities and changes made to files.

The first known full-stealth Virus was "Brain"(http://virus.wikia.com/wiki/Brain) - a type of boot infector. The virus monitors physical disk I/O and redirects any attempt on reading a Brain-infected boot sector to where the original disk sector is stored.

• Armored Virus - very complex type of virus designed to make it's examination much more difficult than by traditional viruses. By using various methods armored viruses can also protect itself from antivirus software by fooling it into believing that the virus location is somewhere else than real location - which of course makes the detection and removal process more difficult.

• Multipartite Virus - virus that attempts to attack both the file executables as well as the master boot record of the drive at the same time. This type may be tricky to remove as even when the file executable part is clean it can re-infect the system all over again from the boot sector if it wasn't cleaned as well.

• Camouflage Virus - virus type that is able to report as a harmless program to the antivirus software. In such cases where the virus has similar code to the legitimate non-infected files code the antivirus application is being tricked that is has to do with the legitimate program as well - this would work only but in case of basic signature based antivirus software. As nowadays antivirus solutions became more elaborate the camouflage viruses are quite rare and not a serious threat due to the ease of their detection.

• Companion Virus - unlike traditional viruses the companion virus does not modify any files but instead compromises the feature of DOS that allows executables with different extensions (here .exe and .com) to be run with different priorities. This way where user tries to execute the legitimate "program"  without specifying the extension itself and expects program.exe to be run, the virus is run instead - with the program.com executable (as this one is first in the alphabetical order). Companion virus is an older type and became increasingly rare since introduction of Windows XP. Nowadays this kind of viruses can be still unintentionally run if the host machine does not have the option for "show file extensions" activated and user accidentally clicks the companion virus file.

• Cavity Virus - unlike tradition viruses the cavity virus does not attach itself to the end of the infected file but instead uses the empty spaces within the program files itself (that exist there for variety of reasons). This way the length of the program code is not being changed and the virus can more easily avoid detection. The injection of the virus in most cases is not impacting the functionality of the host file at all. The cavity viruses are quite rare though.

One good example of cavity virus is "Lenigh" (http://virus.wikia.com/wiki/Lehigh) - early DOS cavity infector, that was specifically targeting command.com files and using unused portions of the file's code.

2. Worms

Worm - this malicious program category is exploiting operating system vulnerabilities to spread itself. In its design worm is quite similar to a virus - considered even its sub-class. Unlike the viruses though worms can reproduce/duplicate and spread by itself - during this process worm does not require to attach itself to any existing program or executable. In other words it does not require any interaction for reproduction process - this capability makes worm especially dangerous as they can spread and travel across network having a devastating effect on both the host machines, servers as well consuming network bandwidth. More invasive worms target to tunnel into the host system and from within to allow code execution or remote control from the attacker. Some worms can as well include a viral component that infects executable files.

The most common categorization of worms relies on the method how they spread:

• email worms: spread through email massages - especially through those with attachments.
• internet worms: spread directly over the internet by exploiting access to open ports or system vulnerabilities.
• network worms: spread over open, unprotected network shares
• multivector worms: having two or more various spread capabilities

Some of the most known and destructive worms (by dates):

• Iloveyou [2000] (http://virus.wikia.com/wiki/Loveletter) - known also as Loveletter

Worm created by a student of computer university on Philippines. The worm was arriving in email inboxes with the simple subject of“ILOVEYOU” and an attachment “LOVE-LETTER-FOR-YOU.TXT.vbs”. The final ‘vbs’ extension was hidden, leading unsuspecting users to think it was a text file. Upon opening the attachment, the worm sent a copy of itself to everyone in the Windows Address Book and with the user’s sender address. It also made a number of malicious changes to the user’s system. Symantec Security Response has identified 82 variants of this worm.

More than 45 million computers around the globe have supposedly been infected by various strains of the worm. The Ford Motor Company shut off its email system after being hit by the worm. Some others affected were Silicon Graphics, the Department of Defense (including the Pentagon), Daimler-Chrysler, The Motion Picture Association of America. Estimates of the worm's damage: over $10 billion.

Reference:
[VBS.LoveLetter.Var]
http://www.symantec.com/security_response/writeup.jsp?docid=2000-121815-2258-99

• CodeRed and CodeRed II [2001] (http://virus.wikia.com/wiki/CodeRed)

Worm that targeted servers running the Microsoft IIS (Internet Information Server) Web Server. The worm propagates by installing itself into a random Web server using a known buffer overflow exploit, contained in the file Idq.dll.  It contains the text string"Hacked by Chinese!", which is displayed on web pages that the worm infected. The original CodeRed had a payload that caused a Denial of Service (DoS) attack on the White House Web server. CodeRed II has a different payload that allows its creator to have full remote access to the Web server.

The reported cost of worm activities: $2 billion

Reference:
[CodeRed II]
http://www.symantec.com/security_response/writeup.jsp?docid=2001-080421-3353-99

• Sobig [2003] (http://virus.wikia.com/wiki/Sobig)

One of the most destructive worms ever. The worm sends itself to all the addresses it finds in the .txt, .eml, .html, .htm, .dbx, and .wab files.  It was able to send over a million copies of itself within just a few hours of the outbreak. Sobig was the first of the spam botnet worms. While some worms, like Tanatos, dropped trojans on the computers they infected, Sobig was the first to turn computers into spam relays. The worm was stalling or completely crashing Internet gateways and email servers worldwide.

Total estimated damage costs of the worm: $37 billion.

Reference:
[W32.Sobig.A@mm]
http://www.symantec.com/security_response/writeup.jsp?docid=2003-010913-1627-99

• Blaster [2003] (http://virus.wikia.com/wiki/Blaster) - known also as Lovesan

Blaster Worm is a worm that propagates by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (BID 8205) affecting both Windows 2000 and Windows XP machines. Once a computer was infected, it displayed a message box indicating that the system would shut down in a couple of minutes. It has also a date triggered payload that launches a DDoS attack against windowsupdate.com.

The Blaster worm shut down CTX, the largest railroad system in the Eastern U.S., for hours, crippled the new Navy/Marine Corps intranet, shut down Air Canada's check-in system. Overall estimated damage caused by the worm: $320 million.

Reference:
[W32.Blaster.Worm]
http://www.symantec.com/security_response/writeup.jsp?docid=2003-081113-0229-99&tabid=2

• Sasser [2004] (http://virus.wikia.com/wiki/Sasser)

Sasser Worm is a worm that attempts to exploit the vulnerability described in Microsoft Security Bulletin MS04-011. The worm was written by German Student of Computer Science. It spreads by scanning the randomly selected IP addresses for vulnerable systems. When a vulnerable system is found, a worm on the worm will send shell code to the target computer that attempts to exploit the LSASS buffer overflow vulnerability. Sasser was exploiting the same vulnerabilities used by Blaster - here as well Windows 2000 and XP affected. Sasser also displayed a notice indicating that the system was shutting down.

Security experts estimate that infected computers numbered in the millions. British Airways suffered delays when the worm hit Terminal Four at London's Heathrow Airport. Other affected companies were Sampo Bank in Finnland, Deutsche Post, Delta Airlines Estimated, British Coastguard, French Stock Exchange and the France Presse news agency. Damage costs caused by the worm estimated to: $500 million.

Reference:
[W32.Sasser.Worm]
http://www.symantec.com/security_response/writeup.jsp?docid=2004-050116-1831-99

• MyDoom [2004] (http://virus.wikia.com/wiki/Mydoom) - known also as Novarg

One of the most damaging email worms ever released. Worm was spreading as well through the file sharing systam Kazaa. Worm was arriving as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip. When a computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources.

The impact of the worm was experienced worldwide as it was able to cause slowdowns of internet traffic. Estimated reported costs of the worm: $38 billion.

Reference:
[W32.Mydoom.A@mm]
http://www.symantec.com/security_response/writeup.jsp?docid=2004-012612-5422-99

• Conficker [2008] (http://virus.wikia.com/wiki/Conficker) - also known as Downadup

Downadup spreads primarily by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability MS08-067 (BID 31874), which was first discovered in late-October of 2008. It scans the network for vulnerable hosts, but instead of flooding it with traffic, it selectively queries various computers in an attempt to mask its traffic instead. It also takes advantage of Universal Plug and Play to pass through routers and gateways. It also attempts to spread to network shares by brute-forcing commonly used network passwords and by copying itself to removable drives.

It has the ability to update itself or receive additional files for execution. It does this by generating a large number of new domains to connect to every day. The worm may also receive and execute files through a peer-to-peer mechanism by communicating with other compromised computers, which are seeded into the botnet by the malware author.The worm blocks access to predetermined security-related websites so that it appears that the network request timed out. Furthermore, it deletes registry entries to disable certain security-related software, prevent access to Safe Mode, and to disable Windows Security Alert notifications.

It has an extremely large infection base – estimated to be between 10-15 million computers. This is largely attributed to the fact that it is capable of exploiting computers that are running unpatched Windows XP SP2 and Windows 2003 SP1 systems. From interesting facts it is to mention that the vulnerability that allowed Conficker to spread had been patched for a little over a month before the worm appeared. Still, millions of computers were not updated. Estimated damage cost of the worm: $9 billion.

Reference:
[W32.Downadup]
http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99
Simple steps to protect yourself from the Conficker Worm
http://www.symantec.com/business/support/index?page=content&id=TECH93179

• Stuxnet [2010]

The Stuxnet computer worm is perhaps the most complicated piece of malicious software ever build.
The worm targets industrial control systems in order to take control of industrial facilities, such as power plants. The ultimate goal of Stuxnet is to sabotage such facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries. Stuxnet was discovered in July, but is confirmed to have existed at least one year prior and likely even before. The majority of infections were found in Iran. While the attacker’s exact motives for doing so are unclear, it has been speculated that it could be for any number of reasons with the most probable intent being industrial espionage. Incredibly, Stuxnet exploits four zero-day vulnerabilities, which is unprecedented.

Stuxnet was the first piece of malware to exploit the Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (BID 41732) in order to spread. The worm drops a copy of itself as well as a link to that copy on a removable drive. When a removable drive is attached to a system and browsed with an application that can display icons, such as Windows Explorer, the link file runs the copy of the worm. Due to a design flaw in Windows, applications that can display icons can also inadvertently run code, and in Stuxnet’s case, code in the .lnk file points to a copy of the worm on the same removable drive. Furthermore, Stuxnet also exploits the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874), which was notably used incredibly successfully by W32.Downadup (a.k.a Conficker), as well as the Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073). The worm also attempts to spread by copying itself to network shares protected by weak passwords.

Reference:
[W32.Stuxnet]
http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99
The Hackers Behind Stuxnet
https://www-secure.symantec.com/connect/blogs/hackers-behind-stuxnet
W32.Stuxnet Dossier
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Stuxnet 0.5: The Missing Link
https://www-secure.symantec.com/connect/blogs/stuxnet-05-missing-link
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf

Video - Stuxnet: How It Infects PLCs

Video - Stuxnet 0.5: The Missing Link

Wikipedia references:
http://en.wikipedia.org/wiki/Computer_virus
http://en.wikipedia.org/wiki/Macro_virus
http://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms
http://en.wikipedia.org/wiki/Computer_worm
http://en.wikipedia.org/wiki/Stuxnet
http://en.wikipedia.org/wiki/Conficker

Welcome to the Security 1:1 - Part 2

In Part 2 we take a closer look at Trojans - what is a Trojan? Why is it different from a virus? What are the types of Trojans based on their function and attack vectors. The introduced classification of Trojans will be complemented with references to Symantec Security Response write ups to provide a real world examples of Trojans at large as well as theirs technical details, characteristics and removal steps.

In second part of this article we will dive into some more threats types - this time more general to cover the various definitions that are sometimes interchanagably used to define a specific trojan or threat.

The Security 1:1 series consist so far of following articles:

• Security 1:1 - Part 1 - Viruses and Worms

• Security 1:1 - Part 2 - Trojans and other security threats

• Security 1:1 - Part 3 - Various types of network attacks

1. Trojans

Computer Trojans or Trojan Horses are named after the mythological Trojan Horse from Trojan War, in which the Greeks give a giant wooden horse to their foes, the Trojans. As soon as Trojans drag the horse inside their city walls, Greek soldiers sneak out of the horse's hollow belly and open the city gates, allowing their soldiers to capture Troy. Computer Trojan horse works in way that is very similar to such strategy - it is a type of malware software that masquerades itself as a not-malicious even useful application but it will actually do damage to the host computer after its installation.

Trojans do not self-replicate since its key difference to a virus and require often end user intervention to install itself - which happens in most scenarios where user is being tricked that the program he is installing is a legitimate one (this is very often connected with social engineering attacks on end users). One of the other common method is for the Trojan to be spammed as an email attachment or a link in an email. Another similar method has the Trojan arriving as a file or link in an instant messaging client. Trojans can be spread as well by means of drive-by downloads (see Symantec Video) or downloaded and dropped by other trojans itself or legimate programs that have been compromised.

Video: Symantec Guide to Scary Internet Stuff: Drive-By Downloads

The results of trojan activities can vary greatly - starting from low invasive ones that only change the wallpaper or desktop icons; through trojans that mere purpose is to open backdoors on the computer and allow in such way other threats to infect the host or allow a hacker remote access to targeted computer system; up to trojans that itself can cause serious damage on the host by deleting files or destroying the data on the system using various ways (like drive format or causing BSOD). Such Trojans are usually stealthy and do not advertise their presence on the computer.

Reference:
[Trojan Horse]
http://www.symantec.com/security_response/writeup.jsp?docid=2004-021914-2822-99

The trojan classification can be based upon performed function and the way they breach the systems. Important thing to keep in mind is that many trojans have multiple payload functions so any such classification will provide only a general overview and not a strict boundaries. Some of the most common Trojan types are:

• Remote Access Trojans (RAT) aka Backdoor.Trojan - this type of trojan opens backdoor on the targeted system to allow the attacker remote access to the system or even complete control over it. This kind of Trojans is most widespread type and often has as well various other functions. It may be used as an entry point for DOS attack or for allowing worms or even other trojans to the system. A computer with a sophisticated back door program installed may also be referred to as a "zombie" or a "bot". A network of such bots may often be referred to as a "botnet" (see part 3 of the Security 1:1 series). Backdoor.Trojans are generally created by malware authors who are organized and aim to make money out of their efforts. These types of Trojans can be highly sophisticated and can require more work to implement than some of the simpler malware seen on the Internet.

Reference:
[Backdoor.Trojan]
http://www.symantec.com/security_response/writeup.jsp?docid=2001-062614-1754-99

• Trojan-DDoS - this trojan is being installed simultaneously on a large number of computers in order to create a zombie network (botnet) of machines that can be used (as attackers) in a DDoS attack on a particular target.

Reference:
[DDoS.Trojan]
http://www.symantec.com/security_response/writeup.jsp?docid=2012-111917-3846-99

• Trojan-Proxy - this trojan is designed to use target computer as a proxy server - which allows then the attacked to perform multitude of operations anonymously or even to launch further attacks.

• Trojan-FTP - trojan designed to open FTP ports on the targeted machine allow remote attacker access to the host. Furthermore the attacked can access as well network shares or connections to further spread other threats.

• Destructive Trojans - are designed to destroy or delete data - in its purpose are much like viruses.

• Security Software Disabler Trojans - designed to stop security programs like antivirus solutions, firewalls or IPS either by disabling them or killing the processes. This kind of trojan functionality is often combined with destructive trojan that can execute data deletion or corruption only after the security software is disabled. Security Software Disablers are entry trojans that allow next level of attack on the targeted system.

• Infostealer (Data Sending/Stealing Trojan) - this trojan is designed to provide attacker with confidential or sensitive information from compromised host and send it to a predefined location (attacker). The stolen data comprise of login details, passwords, PII, credit card information, etc. Data sending trojans can be designed to look for specific information only or can be more generic like Key-logger trojans. Nowadays more than ever before attackers are concentrating on compromising end users for financial gain - the information stolen with use of Infostealer Trojans is often sold on the black market. Infostealers gather information by using several techniques. The most common techniques may include log key strokes, screen shots and Web cam images, monitoring of Internet activity, often for specific financial web sites. The stolen information may be stored locally so that it can be retrieved later or it can be sent to a remote location where it can be accessed by an attacker. It is often encrypted before posting it to the malware author.

Reference:
[Infostealer]
http://www.symantec.com/security_response/writeup.jsp?docid=2000-122016-0558-99

• Keylogger Trojans - a type of data sending trojan that is recording every keystroke of the end user. This kind of trojan is specifically used to steal sensitive information from targeted host and send it back to attacker. For these Trojans, the goal is to collect as much data as possible without any direct specification what the data will be.

Video - The Threat Factory - Keystroke Logging From the Victim and Cybercrminal's Perspective

• Trojan-PSW (Password Stealer) - type of data sending trojans designed specifically to steal passwords from the targeted systems. In its execution routine the trojan will very often first drop a keylogging component onto the infected machine.

• Trojan-Banker -  trojan designed specifically to steal online banking information to allow attacker further access to bank account or credit card information.

• Trojan-IM - type of data sending trojans designed specifically to steal data or account information from instant messaging programs like MSN, Skype, etc.

• Trojan-GameThief - trojan designed to steal information about online gaming account.

• Trojan Mailfinder - trojan used to harvest any emails found on the infected computer. The email list is being then forwarded to the remote attacker.

• Trojan-Dropper - trojan used to install (drop) other malware on targeted systems. The dropper is usually used at the start or in the early stages of a malware attack.

Reference:
[Trojan.Dropper]
http://www.symantec.com/security_response/writeup.jsp?docid=2002-082718-3007-99

• Trojan-Downloader - trojan that can download other malicious programs to the target computer. Very often combined with the functionality of Trojan-Dropper. Most downloaders that are encountered will attempt to download content from the Internet rather than the local network. In order to successfully achieve its primary function a downloader must run on a computer that is inadequately protected and connected to a network.

Reference:
[Downloader]
http://www.symantec.com/security_response/writeup.jsp?docid=2002-101518-4323-99

• Trojan-FakeAV - trojans posing as legitimate AV programs. They try to trick the user to believe that the system is infected with a virus and offer a paid solution to remove the threat.

Video: Symantec Security Response - Fake Antivirus Schemes

These programs intentionally misrepresent the security status of a computer by continually presenting fake scan dialogue boxes and alert messages that prompt the user to buy the product. The alert messages can include as well pop-up notifications in the notification area of Windows.

This type of trojan can be either targeted to extort money for "non-existing" threat removal or in other cases the installation of the program itself injects other malware to the host machine. FakeAV applications can perform a fake scans with variable results, but always detect at least one malicious object. They may as well drop files that are then ‘detected’.The FakeAV application are constantly updated with new interfaces so that they mimic the legitimate anti-virus solutions and appear very professional to the end users. An example of this may be the Nortel Antivirus (http://www.symantec.com/security_response/writeup.jsp?docid=2009-090113-2706-99&tabid=2).

In order to further convince the user to purchase the product, many of these applications also have a professionally designed product Web pages containing bogus reviews or even offering live online support. Symantec has published a blog article that describes how some misleading application vendors provide live online support - see referenced links.

Reference:
[Trojan.FakeAV]
http://www.symantec.com/security_response/writeup.jsp?docid=2007-101013-3606-99
Fake AV & Talking With The Enemy
https://www-secure.symantec.com/connect/blogs/fake-av-talking-enemy

• Trojan-Spy - trojan has a similar functionality to a Infostealer or Trojan-PSW and its purpose is to spy on the actions executed on the target host - these can the include tracking data entered via keystrokes, collecting screenshots, listing active processes/services on the host or stealing passwords.

• Trojan-ArcBomb - trojan used to slow down or incapacitate the mail servers.

• Trojan-Clicker or Trojan-ADclicker - trojan that continuously attempts to connect to specific websites in order to boost the visit counters on those sites. More specific functionality of the trojan can include generating traffic to pay-per-click Web advertising campaigns in order to create or boost revenue.

Reference:
[Trojan.Adclicker]
http://www.symantec.com/security_response/writeup.jsp?docid=2002-091214-5754-99&tabid=2

• Trojan-SMS - trojan used to send text messages from infected mobile devices to to premium rate paid phone numbers.

Examples of Trojan-SMS:
AndroidOS.FakePlayer (http://www.symantec.com/security_response/writeup.jsp?docid=2010-081100-1646-99)
Android.Opfake (http://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-2732-99).

Reference:
Server-side Polymorphic Android Applications
https://www-secure.symantec.com/connect/blogs/server-side-polymorphic-android-applications

• Trojan-Ransom (Trojan-Ransomlock) aka Ransomware Trojan - trojan prevents normal usage of the infected machine and demands payment (ransom) to restore the full functionality. The prevention of normal use can be achieved by locking the desktop, preventing access to files, restrict access to management tools, disable input devices or by similar means. The program displays a warning or a notice (often combined with a lock screen) prompting for a payment and often claims to originate from governmental or law enforcement agencies to convince the end user of its authenticity.

By checking the IP address of the user computer the Ransomware can tailor the language of the fake notice to the country of the user. Another technique used by Ransomware Trojans is to display notice posing as warning from a legitimate software vendor like Microsoft - this can concern for example expiring software license.

Video - Ransomware: A Growing Menace

Reference:
[Trojan.Ransomlock]
http://www.symantec.com/security_response/writeup.jsp?docid=2009-041513-1400-99
Additional information about Ransomware threats
http://www.symantec.com/business/support/index?page=content&id=TECH211589
Recovering Ransomlocked Files Using Built-In Windows Tools
https://www-secure.symantec.com/connect/articles/recovering-ransomlocked-files-using-built-windows-tools
Ransomware: A Growing Menace
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ransomware-a-growing-menace.pdf

• Cryptolock Trojan (Trojan.Cryptolocker) - this is a new variation of Ransomware Trojan emerged in 2013 - in a difference to a Ransomlock Trojan (that only locks computer screen or some part of computer functionality), the Cryptolock Trojan encrypts and locks individual files. While the Cryptolocker uses a common trojan spreading techniques like spam email and social engineering in order to infect victims, the threat itself uses also more sophisticated techniques likes public-key cryptography with strong RSA 2048 encryption.

Reference:
[Trojan.Cryptolocker]
http://www.symantec.com/security_response/writeup.jsp?docid=2013-091122-3112-99
Cryptolocker: A Thriving Menace
https://www-secure.symantec.com/connect/blogs/ransomcrypt-thriving-menace
Cryptolocker Alert: Millions in the UK Targeted in Mass Spam Campaign
https://www-secure.symantec.com/connect/blogs/cryptolocker-alert-millions-uk-targeted-mass-spam-campaign
Cryptolocker Q&A: Menace of the Year
https://www-secure.symantec.com/connect/blogs/cryptolocker-qa-menace-year

2. Other security threats

• Malware - malicious software. This general term is often used to refer viruses, spyware, adware, worms, trojans, ransomeware etc. Malware is designed to cause damage to a targeted computer or cause a certain degree of operational disruption. Malware often exploits security vulnerabilities in both operating systems and applications.

• Rootkit - malicious software designed to hide certain processes or programs from detection. Rootkit usually acquires and maintains privileged system access, while hiding its presence in the same time. The privileged access can allow rootkit to provide the attacker with a backdoor to a system; it can as well conceal malicious payload bundled with the rootkit - like viruses or trojans.

Reference:
Rootkits
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/rootkits.pdf

• Spyware - software that monitors and collects information about particular user, his computer or his organisation without his knowledge. Very often spyware applications are bundled with free packages of freeware or shareware and downloaded without any cost by users from internet. Spyware is usually installed unwillingly.Spyware can be generally classified into following types: system monitors, trojans (keyloggers, banker trojans, inforstealers), adware, tracking cookies.

• Tracking Cookies  - are a specific type of cookie that is distributed, shared, and read across two or more unrelated Web sites for the purpose of gathering information or potentially to present customized data to you. Tracking cookies are not harmful like malware, worms, or viruses, but they can be a privacy concern.

Video - Tracking Cookies

Reference:
[Tracking Cookie]
http://www.symantec.com/security_response/writeup.jsp?docid=2006-080217-3524-99

• Riskware - term used to describe a potentially dangerous software whose installation may pose a risk to the computer. Riskware is not necessarily a spyware or malware program, it may be as well a legitimate program containing loopholes or vulnerabilities that can be exploited by malicious code.

• Adware - in generall term adware is a software generating or displaying certain advertisements to the user. The advertisements may be displayed either directly in the user interface while the software is being used or during the installation process. This kind of adware is very common for freeware and shareware software and is on itself more annoying than malicious - in such scenario it is merely a mean for the software producer to gain some revenue while releasing applications that are free of change or at a reduced price. Adware may be as well used to analyse end user internet habits and then tailor the advertisements directly to users interests. Term adware is on occasions used interchangeably with malware to describe the pop-up or display of unwanted advertisements.

• Scareware - class of malware that includes both Ransomeware (Trojan.Ransom) and FakeAV software. Scareware is known as well under the names "Rogue Security Software" or "Misleading Software". This kind of software tricks user into belief that the computer has been infected and offers paid solutions to clean the "fake" infection. Scareware can advertise as well system or software security updates luring users into fraudalent transactions by buying for example fake Antivirus Software - thats either non-functional or malware itself.

Video - Symantec Guide to Scary Internet Stuff: Misleading Applications

Reference:
List of rogue security software
http://en.wikipedia.org/wiki/List_of_rogue_security_software

• Spam - the term is used to describe unsolicited or unwanted electronic messages - especially advertisements. The most widely recognizewd form of spam is email Spam, but there are many different forms of it in almost any available communication media - Instant messaging (called SPIM), over VOIP (called SPIT), internet forums, newsgroups, blogs, online gaming, etc. Spam may be a medium for phishing or social engineering attacks. It is estimated that between 70% and 80% of total email traffic worldwide is spam.

• Creepware - term used to describe activities like spying others through webcams (very often combined with capturing pictures), tracking online activities of others and listening conversation over the computer's microphone, stealing passwords and other data. The information, data, pictures gained with use of creepware may be later on used to extort money or blackmail the victims of this threat. Creepware is other term to RAT (Remote Access Trojan) described before.

Some of the creepware examples:
W32.Shadesrat - a worm that attempts to spread through instant messaging applications and file-sharing programs. It also opens a back door on the compromised computer.
http://www.symantec.com/security_response/writeup.jsp?docid=2011-022214-1739-99
Backdoor.Krademok -  a Trojan horse that opens a back door on the compromised computer.
http://www.symantec.com/security_response/writeup.jsp?docid=2011-121417-0311-99
Backdoor.Darkmoon - a Trojan horse that opens a back door on the compromised computer and has keylogging capabilities.
http://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99
Backdoor.Jeetrat - a Trojan horse that opens a back door on the compromised computer, steals information, and may download additional threats.
http://www.symantec.com/security_response/writeup.jsp?docid=2013-062815-5700-99
Trojan.Pandorat - a Trojan horse that opens a back door on the compromised computer and may steal confidential information.
http://www.symantec.com/security_response/writeup.jsp?docid=2013-101616-2121-99

Video - Creepware: Who Is Watching You?

Reference:
Creepware - Who’s Watching You?
https://www-secure.symantec.com/connect/blogs/creepware-who-s-watching-you

• Blended threat - defines an exploit that combines elements of multiple types of malware components. Usage of multiple attack vectors and payload types targets to increase the severity of the damage causes and as well the speed of spreading. Blended threat usually attempts to exploit multiple vulnerabilities at the same time.

Wikipedia references:
http://en.wikipedia.org/wiki/Trojan_horse_(computing)
http://en.wikipedia.org/wiki/Malware
http://en.wikipedia.org/wiki/Spyware
http://en.wikipedia.org/wiki/Riskware
http://en.wikipedia.org/wiki/Adware
http://en.wikipedia.org/wiki/Rootkit
http://en.wikipedia.org/wiki/Scareware
http://en.wikipedia.org/wiki/Spam_(electronic)

 

Welcome to the Security 1:1 - Part 3

In part 3 of the series we will discuss various types of network attacks. On this occassion I will introduce as well some types of attacks directed more at end-user than at network or host computers - we will speak hear about Phishing attempts and Social Engineering tenchniques. Of special importance would be new emerging threats and attack types as well the evolving ones. More than ever before we see attacks involving all available media - such as social portals, VoIP or Bluetooth. The artcile will be complemented with Symantec references both to Security Reponse ressource as well as Connect blogs.

The Security 1:1 series consist so far of following articles:

• Security 1:1 - Part 1 - Viruses and Worms

• Security 1:1 - Part 2 - Trojans and other security threats

• Security 1:1 - Part 3 - Various types of network attacks

What is a network attack?

Network attack is usually defined as an intrusion on your network infrastructure that will first analyse your environment and collect information in order to exploit the existing open ports or vulnerabilities - this may include as well unauthorized access to your resources. In such cases where the purpose of attack is only to learn and get some information from your system but the system resources are not altered or disabled in any way, we are dealing with a passive attack. Active attack occurs where the perpetrator accesses and either alters, disables or destroys your resources or data. Attack can be performed either from outside of the organization by unauthorized entity (Outside Attack) or from within the company by an "insider" that already has certain access to the network (Inside Attack). Very often the network attack itself is combined with an introduction of a malware components to the targeted systems (Malware has been discussed in the Part 2 of this article series).

Some of the attacks described in this article will be attacks targeting the end-users (like Phishing or Social Engineering) - those are usually not directly referenced as network attacks but I decided to include them here for completeness purposes and because those kind of attacks are widely widespread. Depending on the procedures used during the attack or the type of vulnerabilities exploited the network attacks can be classified in following way(the provided list isn't by any means complete - it introduces and describes only the most known and widespread attack types that you should be aware of):

What types of attack are there?

• Social Engineering - refers to a psychological manipulation of people (here employees of the company) to perform actions that potentially lead to leak of company's proprietary or confidential information or otherwise can cause damage to company resources, personnel or company image. Social engineers use various strategies to trick users into disclosing confidential information, data or both. One of the very common technique used by social engineers is to pretend to be someone else - IT professional, member of the management team, co-worker, insurance investigator or even member of governmental authorities. The mere fact that the addressed party is someone from the mentioned should convince the victim that the person has right to know of any confidential or in any other way secure information. The purpose of social engineering remains the same as purpose of hacking - unauthorized access gain to confidential information, data theft, industrial espionage or environment/service disruption

• Phishing attack - this type of attack use social engineering techniques to steal confidential information - the most common purpose of such attack targets victim's banking account details and credentials. Phishing attacks tend to use schemes involving spoofed emails send to users that lead them to malware infected websites designed to appear as real on-line banking websites. Emails received by users in most cases will look authentic sent from sources known to the user (very often with appropriate company logo and localised information) - those emails will contain a direct request to verify some account information, credentials or credit card numbers by following the provided link and confirming the information on-line. The request will be accompanied by a threat that the account may become disabled or suspended if the mentioned details are not being verified by the user.

Video: Symantec Guide to Scary Internet Stuff - Phishing

Symantec Security Response provides a portal where a suspected Phishing Site can be reported - if you ever encountered the Phishing attack and have details from the spoofed email with link to a specific suspicious website I highly recommend to report this to the provided portal: https://submit.symantec.com/antifraud/phish.cgi

• Social Phishing - in the recent years Phishing techniques evolved much to include as well social media like Facebook or Tweeter - this type of Phishing is often called Social Phishing. The purpose remains the same - to obtain confidential information and gain access to personal files. The means of the attack are bit different though and include special links or posts posted on the social media sites that attract the user with their content and convince him to click on them. The link redirects then to malicious website or similar harmful content. The websites can mirror the legitimate Facebook pages so that unsuspecting user does not notice the difference. The website will require user to login with his real information - at this point the attacker collects the credentials gaining access to compromised account and all data on it. Other scenario includes fake apps - users are encouraged to download the apps and install them - apps that contain malware used to steal the confidential information.

Facebook Phishing attacks are often much more laboured - consider following scenario - link posted by an attacker can include some pictures or phrase that will attract the user to click on it. The user does the click upon which he is redirected to mirror website that ask him to like the post first before even viewing it - user not suspecting any harm in this clicks on "like" button but doesn't realise that the "like" button has been spoofed and in reality is "accept" button for the fake app to access user's personal information. At this point data is collected and account becomes compromised. For the recommendations on how to protect your Facebook account and do not fall a prey to  Facebook Phishing have a look at the Security Response blog referenced below.

Reference:
Phishers Use Malware in Fake Facebook App
https://www-secure.symantec.com/connect/blogs/phishers-use-malware-fake-facebook-app

• Spear Phishing Attack - this is a type of Phishing attack targeted at specific individuals, groups of individuals or companies. Spear Phishing attacks are performed mostly with primary purpose of industrial espionage and theft of sensitive information while ordinary Phishing attacks are directed against wide public with intent of financial fraud. It has been estimated that in last couple of years targeted Spear Phishing attacks are more widespread than ever before.

Video: Protect Against Spear Phishing and Advanced Targeted Attacks with Symantec

The recommendations to protect your company against Phishing and Spear Phishing include:

1. Never open or download a file from an unsolicited email, even from someone you know (you can call or email the person to double check that it really came from them)
2. Keep your operating system updated
3. Use a reputable anti-virus program
4. Enable two factor authentication whenever available
5. Confirm the authenticity of a website prior to entering login credentials by looking for a reputable security trust mark
6. Look for HTTPS in the address bar when you enter any sensitive personal information on a website to make sure your data will be encrypted

Source:
One Phish, Two Phish, Classic Phish, SPEAR Phish?!
https://www-secure.symantec.com/connect/blogs/one-phish-two-phish-classic-phish-spear-phish

• Watering Hole Attack - is a more complex type of a Phishing attack. Instead of the usual way of sending spoofed emails to end users in order to trick them into revealing confidential information, attackers use multiple-staged approach to gain access to the targeted information. In first steps attacker is profiling the potential victim, collecting information about his or hers internet habits, history of visited websites etc. In next step attacker uses that knowledge to inspect the specific legitimate public websites for vulnerabilities. If any are vulnerabilities or loopholes are found the attacker compromises the website with its own malicious code. The compromised website then awaits for the targeted victim to come back and then infects them with exploits (often zero-day vulnerabilities) or malware. This is an analogy to a lion waiting at the watering hole for his prey.

Reference:
Internet Explorer Zero-Day Used in Watering Hole Attack: Q&A
https://www-secure.symantec.com/connect/blogs/internet-explorer-zero-day-used-watering-hole-attack-qa

• Whaling - type of Phishing attack specifically targeted at senior executives or other high profile targets within a company.

• Vishing (Voice Phishing or VoIP Phishing) - use of social engineering techniques over telephone system to gain access to confidential information from users. This Phishing attack is often combined with caller ID spoofing that masks the real source phone number and instead of it displays the number familiar to the Phishing victim or number known to be of a real banking institution. General practices of Vishing includes pre-recorded automated instructions for users requesting them to provide bank account or credit card information for verification over the phone.

• Port scanning - an attack type where the attacker sends several requests to a range of ports to a targeted host in order to find out what ports are active and open - which allows him them to exploit known service vulnerabilities related to specific ports. Port scanning can be used by the malicious attackers to compromise the security as well by the IT Professionals to verify the network security.

• Spoofing - technique used to masquerade a person, program or an address as another by falsifying the data with purpose of unauthorized access. We can name few of the common spoofing types:

1. IP Address spoofing - process of creating IP packets with forged source IP address to impersonate legitimate system. This kind of spoofing is often used in DoS attacks (Smurf Attack).
2. ARP spoofing (ARP Poisoning) - process of sending faked ARP messages in the network. The purpose of this spoofing is to associate the MAC address with the IP address of another legitimate host causing traffic redirection to the attacker host. This kind of spoofing is often used in man-in-the-middle attacks.
3. DNS spoofing (DNS Cache Poisoning) - attack where the wrong data is inserted into DNS Server cache, causing the DNS server to divert the traffic by returning wrong IP addresses as results for client queries.
4. Email spoofing - process of faking the email's sender "From" field in order to hide real origin of the email. This type of spoofing is often used in spam mail or during Phishing attack.
5. Search engine poisoning - attackers take here advantage of high profile news items or popular events that may be of specific interest for certain group of people to spread malware and viruses. This is performed by various methods that have in purpose achieving highest possible search ranking on known search portals by the malicious sites and links introduced by the hackers. Search engine poisoning techniques are often used to distribute rogue security products (scareware) to users searching for legitimate security solutions for download.

• Network sniffing (Packet sniffing) - process of capturing the data packets travelling in the network. Network sniffing can be used both by IT Professionals to analyse and monitor the traffic for example in order to find unexpected suspicious traffic, but as well by perpetrators to collect data send over clear text that is easily readable with use of network sniffers (protocol analysers). Best countermeasure against sniffing is the use of encrypted communication between the hosts.

• Denial of Service Attack (DoS Attack) and Distributed Denial of Service Attack (DDoS Attack) - attack designed to cause an interruption or suspension of services of a specific host/server by flooding it with large quantities of useless traffic or external communication requests. When the DoS attack succeeds the server is not able to answer even to legitimate requests any more - this can be observed in numbers of ways: slow response of the server, slow network performance, unavailability of software or web page, inability to access data, website or other resources. Distributed Denial of Service Attack (DDoS) occurs where multiple compromised or infected systems (botnet) flood a particular host with traffic simultaneously.

Video: Symantec Guide to Scary Internet Stuff - Denial of Service Attacks

Reference:
DoS (denial-of-service) attack
http://www.symantec.com/security_response/glossary/define.jsp?letter=d&word=dos-denial-of-service-attack

Few of the most common DoS attack types:

♦ ICMP flood attack (Ping Flood) - the attack that sends ICMP ping requests to the victim host without waiting for the answer in order to overload it with ICMP traffic to the point where the host cannot answer to them any more either because of the network bandwidth congestion with ICMP packets (both requests and replies) or high CPU utilisation caused by processing the ICMP requests. Easiest way to protect against any various types of ICMP flood attacks is either to disbale propagation of ICMP traffic sent to broadcast address on the router or disable ICMP traffic on the firewall level.

♦ Ping of Death (PoD) - attack involves sending a malformed or otherwise corrupted malicious ping to the host machine - this can be for example PING having size bigged that usual which can cause buffer overflow on the system that lead to a system crash.

♦ Smurf Attack - works in the same way as Ping Flood attack with one major difference that the source IP address of the attacker host is spoofed with IP address of other legitimate non malicious computer. Such attack will cause disruption both on the attacked host (receiving large number of ICMP requests) as well as on the spoofed victim host (receiving large number of ICMP replies).

Reference:
ICMP Smurf Denial of Service
http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20611

♦ SYN flood attack - attack exploits the way the TCP 3-way handshake works during the TCP connection is being established. In normal process the host computer sends a TCP SYN packet to the remote host requesting a connection. The remote host answers with a TCP SYN-ACK packet confirming the connection can be made. As soon as this is received by the first local host it replies again with TCP ACK packet to the remote host. At this point the TCP socket connection is established. During the SYN Flood attack the attacker host or more commonly several attacker hosts send SYN Packets to the victim host requesting a connection, the victim host responds with SYN-ACK packets but the attacker host never respond back with ACK packets - as a result the victing host is reserving the space for all those connections still awaiting the remote attacker hosts to respond - which never happens. This keeps the server with dead open connections and in the end effect prevent legitimate host to connect to the server any more.

♦ Buffer Overflow Attack - this type of attack the victim host is being provided with traffic/data that is out of range of the processing specs of the victim host, protocols or applications - overflowing the buffer and overwriting the adjacent memory.. One example can be the mentioned Ping of Death attack - where malformed ICMP packet with size exceeding the normal value can cause the buffer overflow.

• Botnet - a collection of compromised computers that can be controlled by remote perpetrators to perform various types of attacks on other computers or networks. A known example of botnet usage is within the distributed denial of service attack where multiple systems submit as many request as possible to the victim machine in order to overload it with incoming packets. Botnets can be otherwise used to send out span, spread viruses and spyware and as well to steal personal and confidential information which afterwards is being forwarded to the botmaster.

Video: Symantec Guide to Scary Internet Stuff - Botnets

• Man-in-the-middle Attack - the attack is form of active monitoring or eavesdropping on victims connections and communication between victim hosts. This form of attack includes as well interaction between both victim parties of the communication and the attacker - this is achieved by attacker intercepting all part of the communication, changing the content of it and sending back as legitimate replies. The both speaking parties are here not aware of the attacker presence and believing the replies they get are legitimate. For this attack to success the perpetrator must successfully impersonate at least one of the endpoints - this can be the case if there are no protocols in place that would secure mutual authentication or encryption during the communication process.

• Session Hijacking Attack - attack targeted as exploit of the valid computer session in order to gain unauthorized access to information on a computer system. The attack type is often referenced as cookie hijacking as during its progress the attacker uses the stolen session cookie to gain access and authenticate to remote server by impersonating legitimate user.

• Cross-side scripting Attack (XSS Attack) - the attacker exploits the XSS vulnerabilities found in Web Server applications in order to inject a client-side script onto the webpage that can either point the user to a malicious website of the attacker or allow attacker to steal the user's session cookie.

• SQL Injection Attack - attacker uses existing vulnerabilities in the applications to inject a code/string for execution that exceeds the allowed and expected input to the SQL database.

• Bluetooth related attacks

♦ Bluesnarfing - this kind of attack allows the malicious user to gain unauthorized access to information on a device through its Bluetooth connection. Any device with Bluetooth turned on and set to "discoverable" state may be prone to bluesnarfing attack.

♦ Bluejacking - this kind of attack allows the malicious user to send unsolicited (often spam) messages over Bluetooth to Bluetooth enabled devices.

♦ Bluebugging - hack attack on a Bluetooth enabled device. Bluebugging enables the attacker to inititate phone calls on the victim's phone as well read through the address book, messages and eavesdrop on phone conversations.

Reference:
Symantec warns users over Bluetooth security
http://www.cnet.com.au/symantec-warns-users-over-bluetooth-security-339282314.htm

Wikipedia ressources:
http://en.wikipedia.org/wiki/Attack_(computing)
http://en.wikipedia.org/wiki/Phishing
http://en.wikipedia.org/wiki/Port_scanner
http://en.wikipedia.org/wiki/Spoofing_attack
http://en.wikipedia.org/wiki/Denial-of-service_attack
http://en.wikipedia.org/wiki/Buffer_overflow
http://en.wikipedia.org/wiki/Botnet
http://en.wikipedia.org/wiki/Session_hijacking
http://en.wikipedia.org/wiki/Cross-site_scripting
http://en.wikipedia.org/wiki/SQL_injection

Hi All,

Wishes you all Happy & Prosperous New Year.

I am working on Netbackup

I was looking for the soft copy of "Configure,Install & Deploy Netbackup 7.1" .this book is provide when anyone attend netbackup training from Symantec.

If anyone having the soft copy,kindly share it to me
 

Thankx in advance.!!!!!!! 

Online gaming - "En Taro Adun" to the Part 5 of the Security 1:1 Series

Online gaming just like any other branch of internet community is being targeted for scam, fraud and hacks. Few years back the scope of the scams involving online players may not have been that visible - but with time as online games (here especially MMORPG games) became more popular with several different communication channels between the players, they made it to be very often an easy prey for the attackers. At the moment we speaking here of a base reaching millions of users - majority of them be nor IT-Security aware neither adolescent. Adding to this that the most of the game systems are based on password security only (with few exceptions offering additional two-factor authentication) - the field to exploit looks really promising for any attacker. Property theft be it either physical or virtual is still a theft and in this article we will explore several various means being utilized by malicious attackers to get hold of players credentials, accounts and virtual items.

The Security 1:1 series consist so far of following articles:

• Security 1:1 - Part 1 - Viruses and Worms

• Security 1:1 - Part 2 - Trojans and other security threats

• Security 1:1 - Part 3 - Various types of network attacks

"If no mistake have you made, yet losing you are... a different game you should play"

The are many reasons for attackers to target the online game community - as more and more online games have some kind of online store, your gaming account if often already connected to your payment information. Once the attackers have access to the account itself they can further compromise your credit card information. Other most obvious reason is your online account itself and the value of the "virtual stuff" you collected on it. Despite some beliefs that "virtual gaming things" cannot be worth that much, it is as a matter of fact sometimes worth a lot in real world currency. Both items and virtual gold are sold or either some kind of auction houses or auction websites (like Ebay). Getting access to your gaming account and ransack all your characters - its one way for the attacker to make some easy money.

The accounts itself may be sold as well with prices ranging from couple of Euros up to thousands depending on the level of the characters on the account, completed achievements and collected gear. All this in normal process takes time - the more time invested into an account, the more it is worth. Please note on this occasion that gold, items or account resale violate the term of use in most of the online games and game providers will ban the accounts itself if such activities are detected.

"Hail to the Horde!" - about phishing emails

Phishing is by all means the most widespread type of online gaming frauds. The purpose of this kind of attack at gamers is most commonly targeted at getting unauthorized access to gamer's account information. With this kind of access the attacker may later on exploit the account further for other fraud activities. Wave of game-related phishing attacks started for good few years back and still up to this day hundreds of examples can be found of such malicious attempts - the scale of how those phishing attempts are widespread can only confirm one thing - that still a lot of players are falling to them and become unaware victims!

Another grave danger comes from compromised game accounts - most of the players tend to use the same credentials for their gaming account as for their private or corporate access - if the attackers already got access to your video game account, what stops them from accessing your other accounts, that may contain much more sensitive information.

The attack pattern of phishing emails can vary slightly but there are some common elements that you should be vigilant of:

• source email address ("From" field) - this will be 100% a spoofed address. What you see will resemble as much as possible the real, legitimate email address that could come from your game provider. Only by examining the source code of the email and viewing the email header you can check exactly what is the source of the message and that it is in reality completely different that way you see in your mail browser.

• your email address ("To" field) - beware that many times the address to which you receive the email is not the same email address you're using with your gaming account. Many gamers are simply not checking this field. This is very important and allows already from beginning to classify the email as phishing attempt even without reading its content.

• email greeting - you will most likely never be addressed directly by your first or last name. What you will see here will be a brief "Hallo", "Dear valued customer", "Greetings" or similar.

• email signature - will indicate that it was send by Support Team, Account Team, Billing Team, Management Team or similar to stress the importance of the email, in most cases it does not mention any person by name. Signature will include as well links to the game provider - links here can be also spoofed or be legitimate to convince the recipient that the message is legitimate.

• email content will include a request for you to verify your data and access information by following a given link and providing input of those information in the browser. At this point we have the most important element in the phishing email - the link provided in the content section will be 100% spoofed and re-directing you to a malicious website of the attacker. Other than request for verification the email may contain as well information that you have violated the conditions or rules of the game (very often the email will imply you are for example trying to sell your account and this is a breach of terms of service) and your account will be blocked unless you follow a given link and verify your data. Another popular pattern are emails stating that some of the information on your account has been modified (email, name, etc.) recently which could potentially mean that it has been compromised (!) or that you will loose access to it as a result of the change. As you obviously did not make any changes the requester ask you to follow the given link and verify your data.

• redirection to fake website - the website itself may look very professional and be almost a mirror of the legitimate site to convince the user again of its authenticity. Later on we will have a look at the real-life examples of fake login website.

Below references will provide some examples and show that many online games are being targeted for potential phishing attacks. Don't feel secure though if your game haven't been listed here or targeted in the past - there is a really big chance the phishing attacks on it were/are happening as well.

Reference:
Phishing scam invades Star Wars online game
http://www.gmanetwork.com/news/story/266007/scitech/geeksandgaming/phishing-scam-invades-star-wars-online-game
Star Wars The Old Republic Phish: Scam You, it Will
http://www.threattracksecurity.com/it-blog/star-wars-the-old-republic-phish-scams-you-it-does
Guild Wars 2 players targeted in phishing attacks
http://www.techspot.com/news/50087-guild-wars-2-players-targeted-in-phishing-attacks.html
Hackers target Guild Wars 2 players
http://www.bbc.co.uk/news/technology-19543035

"Your gold is welcome here" - phishing targeting Battle.Net

Video: About scam attempts - World of Warcraft (WoW) / Battle.net

One thing to consider is that most attacker may not even know which game you play or if you play at all. Phishing is simply send to everyone "on the list" - one of the reasons most phishing attempts target most popular games that have the biggest base of players - the bigger the gaming community is, the higher possibility that the phishing attack will reach certain percentage of real players. The "cherry on the pie" for online attackers nowadayas is Blizzard - as all of its online games (World of Warcraft, Diablo, Starcraft) are currently managed by one shared account - Battle.net. Considering that the Battle.net account may include not only your gaming data but as well real payment information - be that either Paypal details or Credit Card information - the stakes go up as you realise the compromise of this account will cause damage not only to your virtual stuff but can potentially affect your real assets as well.

Size of the gaming community is one of several factors playing a definitive role when attackers select their target. Another factor is the willingness of this community to pay with real money for virtual items. This willingness is much higher in case of players that already pay monthly fee for a game itself and attackers are aware of this fact as well.

Reference:
Phishing in a World of Warcraft
http://nakedsecurity.sophos.com/2011/01/20/phishing-in-a-world-of-warcraft
Phishing scam hits World of Warcraft
http://www.gmanetwork.com/news/story/265872/scitech/geeksandgaming/phishing-scam-hits-world-of-warcraft

Being a big player on the gaming market, Blizzard is fully aware of the phishing threat targeted at unaware gamers and attempts to educated them about the looming danger. Under the the following link (http://us.battle.net/en/security/theft) you can find information and recommendations from Blizzard about several of account theft types and what can be done to prevent further damage. The sites provides as well examples on the phishing emails with Blizzard recommendations what "not-to-do" in case you find yourself to be potential target of phishing.

Further reference:
Battle.net - Phishing
https://us.battle.net/support/en/article/phishing

• Below I have posted example of the legitimate Battle.Net login website and second one of a faked login website. On the first look there are really not many differences but let's analyze both:

♦ During my testing the fake website triggered right away an alarm from Microsoft Smart Screen:

♦ In the address bar you can observe as well IE is reporting an unsafe website while on the legitimate one we see that it has been "Identified by Digicert"

♦ There is slight font different on certain words between both sites.

♦ Obviously the web page address in the address bar is different - but it is similar enough to trick users not paying attention to this (due to security concerns I covered the fake address).

♦ Interesting thing to mention is that the fake website contains only one fake link -"LOG IN". All the other links on the bottom of the page, even the create an account button are legitimate and redirecting to the official battle.net website.

US Battle.Net official legitimate website

 

US Battle.Net fake website

 

Let's have a look at some real live examples of Phishing emails targeted at Blizzard players:
 

Example 1: "From" field indicates Blizzard Entertainment but after checking the email belongs private account from "@gmail.com". Many sentences in the email are not grammatical what already makes one suspicious. The first link is spoofed, the other two are legitimate. The recipient is addressed as "Dear Customer" while legitimate correspondence would address the recipient directly by name.

----------------------------------------------------------------------------

Example 2: Again source as Blizzard Entertainment with spoofed email that after checking again comes from private account at @gmail.com. Email contains Blizzard post address to trick user of its authenticity.

"Look. More hidden footprints!" - about In-Game Phishing

Phishing means not always email. In almost every on-line game nowadays you will find either an on-line chat system or in-game mail system - both of those communication channels can be exploitet by malicious attackers. As an example to visualise the in-game phishing attack we take World of Warcraft and information published by TrendLabs (see references below). In the example provided by TrendLabs attackers were tempting the gamers by sending them invitations to beta-testing of World of Warcragt expansion -> Mists of Pandaria. As a reward for participation gamers are being offered free in-game mount - everything they need to do to get it is to register on the website following the provided link. The link takes the player to website that poses as legitimate Battle.net page. As soon as they login on the website to claim their reward the account is being compromised.

The second example brought up by TrendLabs describes misuse of the in-game chat system, where attacker poses as a Blizzard employee and whispers the unaware player to offer him a free in-game gift items or other rewards. Again to claim it the user is required to login on the given website. Same as in case of standard email phishing or in-game email phishing the links will often include phrases or words known to player - related to the games itself and should both attract the players and convince them of the authenticity. In-game chat phishing may as well include a threat to the player regarding account violation and pending ban procedures - this will have exact same meaning as the email phishing - only the transport channel is different. Blizzard on its own warns the player about fake/malicious whispers in-game and provides guidance on how to identify a fake whisper (https://eu.battle.net/support/en/article/phishing).

Reference:
World of Warcraft Scams: Mist of Pandaria, Free Mounts and Phishing Galore
http://blog.trendmicro.com/trendlabs-security-intelligence/world-of-warcraft-scams-mist-of-pandaria-free-mounts-and-phishing-galore
World of Warcraft Scams: Free Gifts and Fake Account Suspension Threats
http://blog.trendmicro.com/trendlabs-security-intelligence/world-of-warcraft-scams-free-gifts-and-fake-suspend-account-threats

"We cannot prevail against so many!" - about Keyloggers and Infostealer Trojans

If you are already aware about the phishing attempts and know how to recognize them on the sight - good for you, but still there are other means to get to your online gaming account credentials. Being an active player you certainly visit not only official game forums but as well other third-party or even private websites, forums, channels etc. Keep in mind those not always are harmless and can indeed be malicious. Often they will offer a third-party add-ons or tools that will make your gaming experience better - with the tool comes a gratis obligatory bonus - a keylogger trojan. As soon as it is installed on the target machine it will start recording all your keystrokes - including the credentials used to login the game. Don't expect to logon your game the next day - even if you do, do not expect to find your characters in the same state you left them. To protect yourself make sure you fulfil two easy steps: do not visit untrustworthy websites, do have a proper antivirus/antimalware solution. Be aware that many game providers will deny you any account restoration if they find out that it was compromised because of credentials leak on your side.

Reference:
How to protect your system from keyloggers [Updated]
http://wow.joystiq.com/2007/06/05/how-to-protect-your-system-from-keyloggers

There are many variants of Infostealer Trojans - some of them have functionality typical for keyloggers (capturing all your keystrokes), others are directly targeting data stored on the machine in search for credentials. Many of them are targeting not only only games but have multiple purposes and can as well collect other information like your online banking details and send them back to the author. Many of the malware attackes targeting gaming community will involve several attack vectors - phishing emails will re-direct players to spoofed websites offering fake patches or add-ons infected with malware. Those will contain both trojans that users will execute unwillingly by installing the fake updates and worms that will spread by itself to increase the scope of infection. Malware can as well perform actions killing antivirus processes to avoid detection or even have rootkit characteristics to stay completely hidden on the system.

Some of the examples of gaming trojans seen in the past or reported to Symantec:

• Trojan.Xilon [2002]. Trojan comes disguised as a patch for the Diablo II game. It also allows a hacker to steal Diablo II user account and character information.
• W32.HLLW.Gotorm  [2003]. Worm designed to steal sensitive account information and CD keys for popular games, including Half Life, Warcraft 3, Counterstrike, Starcraft, and Diablo 2, and attempts to spread through the KaZaA file-sharing network.
• Infostealer.Wowcraft (or PWSteal.Wowcraft) [2005] - Trojan attempting to steal password to the "World of Warcraft" MMORPG
• Trojan.Jasbom (or PWSteal.Lineage) [2005] - Trojan logs keystrokes, mouse clicks, and application memory, when playing MMORPG Lineage.
• Infostealer.Gampass [2006] - Trojan targetting MMORPG games and stealing registration keys.
• Infostealer.Maplosty [2006] - Trojan attempts to steal information related to the MapleStory online game, and send it to a predetermined email address.
• Infostealer.Onlinegame [2008] - Trojan steals online game password information from the compromised computer. This trojan was targetting mostly MapleStory, World of Warcraft and MSN Games.
• Trojan.Grolker [2013] - Trojan used both to steal gaming and online banking credentials from compromised machines.

Reference:
Trojan targets World of Warcraft gamers
http://arstechnica.com/uncategorized/2006/05/6778-2

Leveling Up: Gaming Trojan Adds Banks to Target List
https://www-secure.symantec.com/connect/blogs/leveling-gaming-trojan-adds-banks-target-list

2010 Symantec Teams came across a malicious server hosting over 44 million stolen gaming credentials from a variety of online games. Important to notice is that the credentials were not only collected (using most likely Trojans like Infostealer.Gampass) and stored but a large part of it was as well validated as being active by another Trojan specifically designed for this purpose - Trojan.Loginck. If you think of it obtaining amount of 44 million accounts credentials is one thing, another one is to validate them in order to find out the ones being still active and potentially available for exploit. Have a look at the whole story described in the Symantec blog as per reference below.

Reference:
44 Million Stolen Gaming Credentials Uncovered
https://www-secure.symantec.com/connect/blogs/44-million-stolen-gaming-credentials-uncovered

"A Jedi uses the Force for knowledge and defense, never for attack” - Scammers and Phishers will use your interests against you and attack when the time is right

Any major events in the online games or releases of new expansions will mark the time where an increased scam/phishing attack is to be expected. Attackers are fully aware where the interests for the particular game are the greatest and will precisely choose this time to strike, offering free bonuses, in-game items, free beta passes - all of this related to the new add-on or update, even when it wasn't yet released officially. This is as well a reoccurring trend - every time a new expansion is being released a new wave of phishing attacks hits to gain access to accounts and new in-game items, mounts, pets, etc. The value of those items is highest just after the release of the expansion and will drop significantly while the time pass, which in the end leads to decreased income from potential sale.

TrendLabs reported in one of its articles (see reference) of increased amount of scams just before the release of Diablo 3. Apparently the browsing search results for "diablo 3 free download" were giving a bunch of scam sites offering the free beta version prior to official release

Reference:
Diablo 3 Scams Preempt Game Release
http://blog.trendmicro.com/trendlabs-security-intelligence/diablo-3-scams-preempt-game-release

In another attempt scammers did hit during the release of Starcraft 2 sending out phish scam supposedly coming from Blizzard Store and already confirming the purchase of the game. The only action required from end user was to login the spoofed website to redeem the code and claim the copy of the game.

Reference:
Beware: Email Scam Targeting StarCraft II Fans
http://www.tomshardware.com/news/StarCraft-II-Scams-Battle.net-Blizzard.com,10997.html

Similar attempts were reported again prior to release of again Diablo 3 and again before release of its expansion "Reaper of Souls" - below an example of such invitation email with fake game code and spoofed link to battle.net.

Diablo III - Reaper of Souls Phishing Email

Reference:
Gaming the security – Beware of fake Diablo III beta invitations!
https://www.securelist.com/en/blog/208193131/Gaming_the_security_Beware_of_fake_Diablo_III_beta_invitations

"Now, go. Leave this place, and never return!" - about Power-Leveling and other in-game scams

Email phishing or in-game phishing are only a part of the threats that await unaware players. Many of the scams are to be found directly in the game - some of the scam attempts may come from players itself but many are performed by organized collectives or even companies. Noteworthy is that if you fall victim to any of the listed below - your only hope may be contact with the support staff of the particular game, but even then keep in mind that activities such as "gold or account resale" or "power-leveling" are deemed as violating the in-game terms of use and will most probably void your support, in worst case scenario even lead to the ban of your account.

Let's have a look at few most common of online game scams you can encounter:

• In-game trade - bad trades are commonly known - you paid a price that is 10x exceeding the real value of the item. Game support will most likely not reimburse any items traded due to bad or misinformation about its price on the gamer's side. In-game trade scammers may as well exploit existing bugs in game to perform scammed trade in which you trade an item but receive nothing in return. Recommendation: Trade only with people you known and trust. Do not fall for trades that seem to good to be true.

• Account trade or sale - action violating the game's term of use. Often legitimate players try to sell or trade their account when they get bored of a particular game. Account trade scammer may be both the seller and the buyer - you can find yourself in situation when you buy an realy great looking account but in reality it's not worth a penny. Or you may sell your pumped-up account for money and got scammed during the process. Game support will most probably be denied if you report any scam that was involving account resale or trade.

• Gold and items sale - illegal by most of the game providers terms of use. You will find though quite many even professional companies offering tons of gold or high-level items for sale. Both the gold and items will most likely come from gold-farms or gold-bots. If the seller is scammer at the same time he may ask you for you account credentials during the sale process - don't ever fall for this. In any way your game account may become banned if in suspicion of in-game items or gold selling activities.

• Power-Leveling - paid service offered to users mostly by companies. It involves providing the company with your game credentials in order for the company employees to level up your characters in game. Power-leveling comprises many various dangers to your account - you need to provide your credentials willingly (this already should be enough of a warning sign to prevent you from using such services), you need to be aware that your account will be most likely leveled up by bots and not real people and this way it will be violating game terms of use and may endanger your account, lastly you may get back your account with characters ransacked of anything of value and will be not able to get back any money you paid as well.

Reference:
How Not to Get Victimized by MMORPG Scams and Hackers
http://www.ereviewguide.com/news/2012/04/09/how-not-to-get-victimized-by-mmorpg-scams-and-hackers

"Black magic bars our way, but the will of the templar is stronger" - how to protect yourself against online game fraud

Here I would like to provide you with some recommendations on how to protect your gaming account against scam. Below in reference section you will find as well respective links to some of the game publishers and their best practices to secure online accounts.

1. Account security - protect your login credentials, refrain from account sharing where someone else knows as well your login data.
2. Password security - make sure your password and user name are complex enough (to survive potential brute-force password cracking attack), do not reuse your gaming password again as your banking or corporate password, in case you have problems remembering the complex password make use of password manager software such as Norton Identifty Safe (https://identitysafe.norton.com).
3. Additional credentials security - if your game provider offers additional two-actor authentication, make sure you sign up for this. Two-factor authentication will include your normal logon name with password credentials alongside with hardware-based token authenticator or tokens generated on your mobile/smartphone device.
4. Email account security - make sure your email account adheres to same security regime as your gaming account, if attacker cannot gain access to your game account thay may try comprising first your email account
5. Anti-virus software - make sure you are using legitimate antivirus/antimalware solutions (such as many of the Symantec or Norton Security Solutions) that can protect your machine from malware infestation
6. Shared computers - if possible refrain from playing on shared or public computers that can compromise your account security
7. Operating system - make sure your operating system is update to prevent unauthorized access by exploited vulnerabilities
8. Beware of fan pages or third-party forums related to your games - those may be contain malicious downloads
9. Beware what your download and where from - advertised patch or add-on may be in reality something else
10. Learn how to recognize phishing emails, do not open unknown attachments, do not follow links included in HTML emails, do check the email header to find out the real originating email address
11. Beware that in-game phishing also exist, make sure the person you whisper on the in-game chat is really the person you take him for
12. Be sure that the legitimate game support will never ask you for you password details
13. Do not buy or sell game accounts
14. Do not buy items or gold from third-party companies - such actions may jeopardise security of your account and violate game terms of use
15. Do not use power-leveling services - ask yourself why are you playing for if you want to powerlevel? What's the fun of someone else leveling your characters for you?
16. In case of any suspicious activities targeted at you or your gaming account do contact the respective game support.

Reference:
ArenaNet - A Note about Phishing Emails
https://forum-en.guildwars2.com/forum/support/account/A-Note-about-Phishing-Emails/first
Battle.Net - Types of Account Thefts
http://us.battle.net/en/security/theft
Riot Games Security
http://www.riotgames.com/riot-games-security
League of Leagends - Protecting Your Account
https://support.leagueoflegends.com/entries/21552105-Protecting-Your-Account
Eve Online - Account security
https://wiki.eveonline.com/en/wiki/Account_security

"Your flesh is weak" - 18 GB of malware downloaded successfully?!

A quite recent example of scam hitting thousands of naive and impatient players. GTA 5 has been released in October 2013 for Xbox and PS3 exlusively. PC edition has not been even announced by that time by Rockstar, but despite this online search results were showing websites (mostly torrent sources) offering free GTA 5 PC version download, luring this way players eager to get this version ahead of its release. The installer looked quite convincing - 18GB in size, had a working executable setup.exe file. Attempting to install the game takes the user to a phishing website where he needs to input his personal information to register the game and fill out some surveys. What about the downloaded 18GB of files - most part most likely junk data, rest - malicious content. This is one more example that even with a much higher general awareness about phishing attacks and online gaming scams that ever before, people are still easily falling for scams as obvious as this one.

References:
Legit-Looking GTA V PC “Leaked” Setup Infects Thousands of PCs Worldwide
http://wccftech.com/gta-v-pc-scam-infects-thousands-pcs-world-wide
Torrent scam hits thousands eager for PC version of GTA V
http://news.cnet.com/8301-10797_3-57608943-235/torrent-scam-hits-thousands-eager-for-pc-version-of-gta-v
It's a trap! Malware disguises itself as Grand Theft Auto 5 for PC gamers
http://www.pcworld.com/article/2056566/its-a-trap-malware-disguises-itself-as-grand-theft-auto-5-for-pc-gamers.html
GTA 5 PC Torrent Fools Gamers: Installs 18 GB Malware
http://au.ibtimes.com/articles/517603/20131029/gta-pc-click-read-version-18-gb.htm

--------------------------

General article references:
Online Games: Fun or Risky?
http://us.norton.com/yoursecurityresource/detail.jsp?aid=online_games
Online gaming fraud: the evolution of the underground economy
https://www.securelist.com/en/analysis/204792139/Online_gaming_fraud_the_evolution_of_the_underground_economy
Online games and fraud: using games as bait
http://www.securelist.com/en/analysis/204791963/Online_games_and_fraud_using_games_as_bait

Hello

I have a question

in the Old norton ghost to Restore a V2i image automatically from DVD We write :

ghost.exe -clone,MODE=pload,SRC=%CDROM%\win.GHO:1,DST=1:1 –sure -rb

To prevent unauthorized users from removing the Symantec DLP Agent from an endpoint computer you just need to Add uninstallation passwords to agents.

Uninstallation passwords prevent unauthorized users from removing the Symantec DLP Agent from an endpoint computer.
Passwords can only be added to Symantec DLP Agents during agent installation or upgrade. If you have existing agents you want to protect, you must remove the agent and then reinstall the agent with the password.

Passwords are generated using the UninstallPwdKeyGenerator.exe tool. You can add the uninstallation password by including the password parameter
in the agent installation command line. You can use either Symantec Management Platform (SMP) or a software management system (SMS) program to install the agents with the uninstallation password.

You cannot add the uninstallation password to agents through the installation wizard.

To add the uninstallation password to an agent installation
Add the uninstallation password parameter in the agent installationcommand line

UNINSTALLPASSWORDKEY="<password key>"
where <password key> is the password that you created with the password generation tool.

A sample agent installation command line might look like the following example:
msiexec /i AgentInstall.msi /q INSTALLDIR="%ProgramFiles%\Manufacturer\Endpoint Agent\" ENDPOINTSERVER="hostname" PORT="8000" KEY="" UNINSTALLPASSWORDKEY="<password key>" SMC="hostname" SERVICENAME="EDPA" WATCHDOGNAME="WDP"

Using uninstallation passwords
When you want to uninstall a Symantec DLP Agent that is password protected, you must enter the correct password before the uninstallation continues. If you uninstall your agents manually, a pop-up window appears on the endpoint computer that requests the password. You must enter the password in this window.

If you are using a software management system, include the password parameter in the command string. If you want to uninstall a group of agents, specify the uninstallation password in the agent uninstallation command line. To enter the uninstallation password using a command line
Enter the following parameter in the uninstallation command line;
UNINSTALLPASSWORD="<password>"where <password> is the password that you specified in the password generator.
 

An agent command line looks like the following example:
msiexec /uninstall ? <product code> /q UNINSTALLPASSWORD="<password>"

Below is the process of upgrading agents and uninstallation passwords.

You can upgrade any agents which are protected by uninstallation passwords without affecting the password. If you do not want to change the password, do not include the password parameter to the upgradecommandline. The pre-existing uninstallation password is included in the upgraded agent automatically. Only include the password parameter if you want to change the password or if you want to add a new password to an agent.To add or change a password while upgrading an agent
Add the following password parameter to the upgrade command line:
UNINSTALLPASSWORDKEY=<password key> where <password key> is the password key that you created using the password generation tool.

Hi Friends

our enviornment we took only NDMP Backups 1 week ago our quantum scalar i500 library got down, hadrware replacement took place but after that we are not able to perform backup and restore task. library is connected to 2 near store fillers and we take backup of both the fillers only. firmware upgarde took place while part replacement. guys please help as it is beenbing issue for us. 

Introduction

This is the fourth of an informal series on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions). 

• The first article, Using SEPM Alerts and Reports to Combat a Malware Outbreak, demonstrated how to use reporting features of SEP 12.1's SONAR component to identify Suspicious files for which there were no AntiVirus signatures yet created.
• The second, Recovering Ransomlocked Files Using Built-In Windows Tools, deals with a few possible ways how to prevent and recover from one of today's most-destructive threats, should it infect your network and hold your data hostage.
• Third came Two Reasons why IPS is a "Must Have" for your Network, which illustrated how SEP's optional Intrusion Prevention System (IPS) component can help security admins keep their organization secure and track down infected computers on the network 

This fourth article is for use after the attacks have ended.  It intends to help admins prevent further attacks and make recovery from any future infection as painless as possible.

BOOM!

Malware infections can be devastating.  Crucial files corrupted, data lost, intellectual property stolen, reputation tarnished, endless man-hours of labor wasted. Every company has their horror stories. 

Once the key malicious files are found and submitted to Symantec Security Response, definitions against that threat can be created and distributed.  Though it requires a lot of inconvenience, the virus outbreak is over…. Now what?  Back to business as usual?

How To Not Get Flattened Again

Hopefully not!  Though the steps necessary for recovery will differ from network to network and threat to threat, once an outbreak is over, there is always one best course of action: Learn the lesson- prepare better defenses.
 

How Did the Bad Guys Get In?

If possible, determine how and where this infection began.  See if the entry route can be determined- and that door firmly shut! 

This will be difficult, as SEP is not a forensic application. It may be possible to see which computers have had active Downloader threats on them: identify all the computers that were affected by a particular threat, and then examine those systems in more depth. 

As an example: an exported Risk Report from the SEPM will contain the unique hash of the threat sample.  With some filtering (and hiding columns for clarity), it's clear that all of the following computers detected the same Downloader.Trojan on the same day.  Chances are this malicious .exe had been present there, and then new definitions were downloaded and applied which added detection against it.  The next time the application ran (or a scheduled scan ran) it was picked up.

My advice would be to examine those five computers to see if they have weak passwords, or are missing patches and hotfixes, or if they have peer to peer clients installed, or if their internet browser download history shows unusual activity.  See what clues might be there! 

Change the Secret Plans- Quick!

Many threats have the ability to ability to upload files from a compromised computer. If the outbreak that has just ended was one with Infostealer capabilities, ask "what information did the intruders have access to?"If sensitive data was on the laptop, workstation or server that was even temporarily pwned, assume that it is now in the hands of an unknown remote party. Take measures, if possible, to ensure that what they got away with is outdated and useless. For instance:

• There have been cases where databases full of customer usernames and passwords have been stolen. Inform whoever needs informing and then ensure that all of those user passwords are reset.
• In other cases, attackers have left behind evidence that the details of every account in Active Directory were harvested. In such cases, hackers can RDP right into the company at will using valid admin credentials (without needing a single piece of malware) unless strong new passwords are made mandatory for every account.

The chances of sensitive data being successfully stolen are reduced if Data Loss Prevention (DLP) is used.  If such a security tool is not already in use, it might be a good idea to implement one before there is another breach.  The 2013 Cost of Data Breach Study may help determine if DLP is a good investment.

Do Not Fight with One Arm Behind Your Back and Shoelaces Tied Together 

Too many companies are still relying on old releases of SEP that have only the bare-minimum AV component installed.  Symantec Endpoint Protection is not Symantec AntiVirus, our long-retired product which only offered traditional signature-based scanning.  SEP a powerful suite of security tools.  

SEP 11 (which is now past its End Of Limited Support) came with AntiVirus, plus optional Proactive Threat Protection (PTP), firewall, IPS, and Application and Device Control (ADC) components.  SEP 12.1 enhanced the performance and effectiveness of all of those tools and added the powerful Insight reputation-based protection. 

To dramatically improve the defense of your network and everything on it, use a modern product with adequate components.  AV, IPS and Insight should be seen as an absolute minimum.  ADC, PTP and Network Threat Protection (NTP, the firewall) supplement their power at blocking malicious activity before it can get in place, and make removal much easier.  Definitely upgrade and use these features!   

How to add or remove features to existing Symantec Endpoint Protection (SEP) client installations
http://www.symantec.com/docs/TECH90936

Stronger Passwords.... DLP... Add IPS.... What Else?

The battle plan in Symantec's "Five Steps" article has been effective for many years. 

Best Practices for Troubleshooting Viruses on a Network
http://www.symantec.com/docs/TECH122466 
 

It's appropriate to quote at length from Step 5. Post-op: Prevent Recurrence here:

Patching vulnerabilities

Vulnerabilities are computer software flaws that can be exploited by malicious code. These vulnerabilities can be repaired by applying patches provided by the software vendor. In today's network environment, regular patching is a requirement. Every network should have a Patch and Configuration Management Policy for testing new patches and rolling them out to client computers. Patching plans should focus not just on operating systems and browser add-ons, but all deployed software. Any software installed on a computer should be regularly checked for updates—from office utilities to databases to web server applications. All software should be cataloged and regularly checked for updates. Internally developed code should be regularly audited for security holes and fixed as soon as possible. Appliances such as routers and printers should also be checked for software updates and patched quickly. This can be a lot to manage, but it is vitally important in preventing security incidents.

 

AutoPlay (AutoRun)

Autoplay is a functionality in Windows that allows files to automatically be opened or "played". This feature is useful to launch installation files and other applications from CDs and USB flash drives, but over the last few years has become one of the largest attack vectors in the enterprise environment. While USBs may provide an initial source of infection through the use of AutoPlay, most network drives are designed to use this functionality too. This allows threats to attack from a network drive as soon as the drive is mapped. Since antivirus software is designed to scan the local hard drive, the threat will be able to attack the client computer without detection or prevention, unless additional measures like Network Auto-Protect are employed.

In order to protect your network, disabling AutoPlay is the recommended course of action. This can be done on individual computers, pushed out to client computers using the Group Policy editor, configured by a policy in Symantec Endpoint Protection, or accomplished by disabling the external media ports on the computer entirely from within the BIOS. There is also a known Windows vulnerability within the autoplay feature that may re-enable it unless Windows patches are applied.

 

Network shares

First and foremost, access to all network shares should require a strong password not easily guessed. "Open Shares" are network shares that allow the inherited permissions from the user to validate access. These do not require an additional authentication and therefore allow threats to spread very fast. Open shares should be minimized as much as possible, and when they are absolutely essential to business continuity, write and execute privileges should be restricted.

If a user only needs to obtain files from a source, they should only be granted read access. For added security, write access for users needing file-transfer capabilities can be limited to a "temporary" storage folder on a file server, which is cleared semi-regularly. In terms of execution permissions, limit this access to administrators or power users who have such need. Disabling or limiting access to two other share-types is also recommended: Admin$ shares allow complete root access on a computer to any user that can authenticate as a member of the administrator group; Inter-Process Communication (IPC) shares, or IPC$, are intended to help communication between network-available processes and other computers on the network.

The problem with the aforementioned shares is that, regardless of whether strong passwords are in place, once a user is logged on to a system with elevated rights, any threat present can use the credentials to access Admin$ or IPC$ shares available on the network. Once the user is logged in, the rights and permissions are implicit -- the door has been unlocked. Anything that user account has access to will be accessible to anything that impersonates the account.

The best practices in this regard are:

• Do not auto-map network shares, instead supply a desktop icon to allow users access to the drive as needed.
• Do not log on using an account with elevated privileges (such as the domain or local Admin) unless absolutely necessary to perform a certain task.
• Be sure to log off once the task is completed.
• For most day to day duties, use a more restrictive account.

 

Email

Email attachments, while perhaps not as prevalent as in years past, are still used to spread malicious code today. Most email servers currently on the market provide the ability to strip certain attachment types from emails. Limiting the types of files that are valid as attachments handicaps many threats' ability to spread.

Investing in AntiSpam software is another way of reducing exposure to threats. Doing so reduces the number of phishing scams and spam that reach end users, and thus the network as a whole.

 

Education

An educated end user is a safer end user. Ensure that your users understand the basics of safe computing, such as the following:

• Do not give passwords to anyone or store them in an easily accessible location, either physical or electronic.
• Do not open unexpected email attachments from known or unknown sources.
• Do not click on unknown URLs.
• Scan software downloaded from the Internet before installing it.
• Having documentation, internal training, or periodic seminars on computer security available gives your users options for learning more about the topic.

 

Firewalls and other tools

Perimeter firewalls are critical to protect the network as a whole, but cannot cover all points of entry. Client firewalls add an extra layer of security by protecting individual computers from malicious behavior, such as Denial of Service attacks, and are critical to manage today's threat landscape.

Beyond basic firewalls, network and host-based Intrusion Detection Systems (IDS) and Intrusion Protection Systems (IPS) can help monitor unwanted activity on the network, and in many cases stops or alerts on the offending traffic in real time. Many client-side firewalls today provide these features.

 

Emergency Response Team and Plans

Even after all these tasks are complete, it is still a good idea to be prepared in case of the worst. Draft a plan how to respond to a potential outbreak and assign tasks and responsibilities to members of an Emergency response team. How quickly will an alert be generated if there's something on the network? Will there be administrators available to deal with it? How easy is it to reroute traffic and services on the network? Can a compromised computers be isolated quickly before they affect other computers? Having plans in place for these things makes dealing with unpleasant situations much easier and saves both time and money.

Great Stuff! What Other Steps Should Also Be Done?

• Scheduled scans should still be a part of every computer's weekly routine. Configure one in your AV policy!
• Ensure regular Backups are being performed- and don't forget to test recovery!  A recent backup of all important data can make a future outbreak an inconvenience rather than a catastrophe.
• Find all unsecured endpoints (and entry points!) and get them defended.  SEP's unmanaged detector feature can help track these down.
• Don't leave security settings at their defaults!  Follow Security Response recommendations for Symantec Endpoint Protection 12.1 settings
• Use "Defense in Depth."  Don't just defend at the endpoint- have a corporate firewall, mail security product and so on to safeguard all means of entry.
   

Final Recommendation

Your Symantec Endpoint Protection Manager contains in-depth records of threat-related activity, and the SEPM can alert you when there is a potential security incident for which manual action should be taken.  For example, some threats have ways of "tricking Windows" into protecting their processes from certain AntiVirus technologies.  It is possible to create a notification for incidents where SEP detects a threat but ultimately leaves it alone.

In the above example, the administrator will receive a mail whenever and of these Left Alone events occur.  The admin can then take a closer look at that computer and stop an infection before it can secure its foothold. So: definitely use SEPM notifications and scheduled reports.  These empower admins to know what is happening in their network- much better than finding out a breach from the news media or from law enforcement!
 

Conclusion

Increase the Peace!  With a bit of best practice and careful attention, disasters can be avoided. Yes, some effort will be involved- effective preventative measures can either be taken now, or there can be a lot of panicked screaming and running around in a mad rush during the next inevitable breach or destructive outbreak.  Symantec provides the tools, but what happens to your business tomorrow is up to you. 

Many thanks for reading!  Please do leave comments and feedback below. 

The Attached documents contains step by step instruction for  steps are given below

How to Install Microsoft Visio with Symantec Software Management Solution 7.1 SP2

This step by step document explains how to changes the connection string if your SQL Server default instance or SQL Server Instance on which you ProcessManager databse is installed assigned custom port instead of default port 1433.

1.     Go to Start > All Programs > Symantec >  Workflow >Designer > Tool > Workflow Explorer

2.     In Workflow Explorer, go to SymQ Configuration

3.     Go to SymQ_Local_Defaults section in the left pane

4.     Select local.workflowsqlexchange-

5.     Click Edit button and then click ellipsis in the end of the SQL Connection String.

6.     Modify it appropriately as <SQLSERVER\INSTANCENAME,port#>.

7.     Click on Test Connection if succeeded click OK

8.     Click on Save.

9.     Click on Yes

10.  Select local.orm, click Edit button and repeat the same procedure and Save

11.  Click Edit button and then click ellipsis in the end of the SQL Connection String.

12.  Enter the port like in below image as <SQLSERVER\INSTANCENAME,port#>

13.  Click on Test Connection and if succeeded click on OK

14.  Click on Save.

15.  Click Yes

16.  Go to Workflow_Core section in the left pane

17.  Select local.workflowsqlexchange- and edit the SQL connection string as in the steps above and Save again

18.  Click Edit button and then click ellipsis in the end of the SQL Connection String.

19.  Enter the custom port.

20.  Click on Test Connection if succeeded Click on OK

21.  Click on Save

22.  Click Yes.

23.  There is also an enctrypted SQL connection string in the web.config file, default path is C:\Program Files\Symantec\Workflow\ProcessManager\web.config - it may be on a drive other than C in your environment. You can use lbutil.exe Workflow tool to update the encrypted connection string - its default location is C:\Program Files\Symantec\Workflow\Tools\lbutil.exe

Open command window and run the following command, providing the correct file path where indicated.

Full Command  (only replace with your install drive and SQLServer,port or SQLServer Name\Instance,port)

Go to install Drive and location <Install Drive>:\Program Files\Symantec\Workflow\Tools\lbutil.exe  -updatepmconnection -connectionstring Data Source= SQLSERVER\INSTANCENAME,55599;Initial Catalog=ProcessManager;Integrated Security=True;Pooling=True;Connect Timeout=30 -webconfig <Install Drive>:\Program Files\Symantec\Workflow\ProcessManager\web.config

When all the changes are done, run iisreset command

24.  Go to Services and restart Symantec Workflow Server

If you face any error that could be related to one of the last 3 steps missing.

25.  Finally Test by opening browser and logging in

Enjoy

Syed Waqar Shah

Attached document contains step by step "How to Create, Review, and approve a Knowledge Base Article and Create Category and move article into category"

Submit Knowledge base Entry

1.       Click on Submit Request and click on Submit Knowledge Base Entry

2.       Enter title and contents and Click on Submit

3.       Click on Close.

Review and Edit the KB Article

1.       Login as KD Editor Role

2.       Click on Tickets

3.       Click on ne KB Article Link Under My Open Tickets

4.       Click on Review KB Request 

5.       Review the Existing KB Articles With Matching title or contents 

a.       If you find a duplicate article the click on duplicate

b.      If now duplication found then click on continue

6.        Enter the Description and click on Review

7.       After reviewing click on Submit if no further editing is required

8.       Close the Thank You page

Approve the KB Article

1.       Login as KB Approver role

2.       Click on Tickets

3.       Click on KB Ticket under My Open Tickets

4.       Click on Approve KB Request Link

5.       If satisfy then Click on Approve

6.       Close the ticket window

Viewing Knowledge Base Article 

1.       Click on Knowledge Base

2.       Click on the article you want to read

How to Create Category

1.       Click on folder with + Sign and click on Add Root Category

2.       Enter the Name and Description and click on Save

 Moving the Article to Category

1.       Click on the lightning sign of an article and click on Move to Category

2.       Click on Pick

3.       Select the Category and click on it

4.       Click on Move

5.       Click on Category and verify that article is moved in it

Syed Waqar Shah

 Symantec Data Loss Prevention for Mobile connects to your corporate network through Wi-Fi access or through cellular 3G connectivity. Network traffic for Webmail, third-party applications such as Yahoo and Facebook, and corporate email applications including Microsoft Exchange ActiveSync,IBM Lotus Notes Traveller, is sent through the HTTP/S protocol. Corporate email can be sent through Microsoft ActiveSync as either HTTP or HTTPS protocol information. Microsoft ActiveSync receives the information from the corporate proxy server after it has gone through detection; then, sends the message to the corporate Exchange Server. Messages that are sent through applications such as Facebook or Dropbox can be blocked from the message, depending on your policies.

The above graphic illustrates the connections necessary to enable Symantec Data Loss Prevention for Mobile:

Mobile devices must connect to the corporate network through a virtual private network (VPN) to send corporate messages or access the corporate network. The Mobile Prevent solution requires that mobile devices use the VPN On Demand feature to create a constant, protected VPN connection. If you are not connected to the corporate network, Mobile Prevent cannot detect any policy violations.

Your mobile device connects to the VPN server to gain access to your corporate network.

The VPN server assigns an IP address to each mobile device that connects to it. These IP addresses form a VPN subnetwork. The VPN subnetwork lets your mobile devices access the corporate network and the corporate proxy server. You can specify a range of IP addresses that your VPN server can assign to other devices. All of the IP addresses that the VPN server assigns to your mobile devices are within this range. If a range of addresses were not specified for your VPN server, the network could randomly assign IP addresses to your mobile devices. A specific range of IP addresses lets Symantec Data Loss Prevention identify which IP addresses are assigned to mobile devices and which addresses are not connected. Using a range of IP addresses assists in identifying which mobile device generated an incident.

If you deploy Mobile Prevent and Network Prevent together, the IP address identifies Network and Mobile incident types.

On the Mobile Prevent side, VPN On Demand ensures that the VPN connection is not interrupted. Apple mobile devices use VPN On Demand to dynamically create a VPN session. VPN on Demand starts the VPN session when connecting to a specific list of configured domains (for example .com, .net, or .org). Certificate-based authentication is required to configure the VPN On Demand feature. By configuring how VPN On Demand automatically enables VPN on an iOS mobile device, you can ensure that all traffic goes through your corporate network. You need a Web proxy that is deployed in transparent mode to route traffic from the mobile devices in your corporate network to Symantec Data Loss Prevention. The network traffic is routed uses the ICAP service.

You can use a mobile device management (MDM) solution to apply the network and VPN configuration.

VPN configuration can be specified in a configuration profile by your mobile device management (MDM) solution. The MDM solution applies a configuration profile to each mobile device that you want to connect to your corporate network.

Use a mobile device management (MDM) solution to manage and apply a wide variety of configuration settings to multiple mobile devices. You can load user profiles where corporate mail settings, VPN settings, security certificates, and proxy server settings are preconfigured onto the mobile devices. To access the Mobile Prevent for Web Server, you must use an MDM solution to apply the VPN server configuration profile. The VPN server configuration profile sets the conditions for VPN On Demand to route all network traffic through the VPN and into your corporate network. Only network traffic flowing in your corporate network can be monitored for violations.

Implementing Mobile Prevent :

The Mobile Prevent for Web Server integrates with a VPN server, an MDM solution, and a Web proxy server using ICAP. If it detects confidential data in Web content, the proxy will reject requests or remove HTML content as specified in your Mobile Prevent policies.

First, you need to know the high-level steps that are required for implementing Mobile Prevent. You can check the cross-referenced sections for more details. There are two deployment scenarios for Mobile Prevent: the Mobile Prevent as a standalone product, and Mobile Prevent installed in combination with Network Prevent. The following procedure assumes that you are implementing Mobile Prevent as a standalone product. If you want to implement Mobile Prevent and Network Prevent, you must also follow the implementation instructions for Network Prevent.

About deploying Mobile Prevent as a standalone solution :
When you deploy Mobile Prevent as a standalone solution, no other detection server is deployed with the Mobile Prevent for Web Server. The Mobile Prevent for Web Server interacts with the Enforce Server and the corporate proxy server to monitor and prevent incidents on mobile devices. The following diagram describes how the Mobile Prevent solution fits into your corporate infrastructure:

In this deployment, mobile devices connect to the corporate network through your VPN server. The VPN server assigns each mobile device an IP address. This address lets the device access the internal corporate network. After the device is assigned a unique IP address, all HTTP, HTTPS, and FTP traffic is monitored by the Mobile Prevent for Web Server. Each device must be connected to the corporate network through the VPN. If the VPN connection to the corporate network is lost, Mobile Prevent cannot detect any violations.

iPads and iPhones use a native feature called VPN On Demand to create a secure VPN connection automatically without user intervention. VPN On Demand requires certificate-based authentication to create the connection to the VPN Server.

After the VPN connection is established, traffic is sent through the proxy server and analyzed by Mobile Prevent for Web Server. Traffic between the proxy server and the Mobile Prevent for Web Server is done over the ICAP protocol. If no violations are discovered, the traffic is sent to its destination either internally or externally. If violations are discovered, an incident is created and response actions are implemented. Incidents are recorded on the Enforce Server.

When a mobile device sends an email through Microsoft Exchange ActiveSync, the HTTP/HTTPS packets are sent to the ActiveSync server. The packets are then sent to the Exchange Server. Any corporate email should go through Microsoft Exchange ActiveSync. Mobile Prevent does not support the SMTP protocol.

Note: Mobile Prevent does not support response mode (RESPMOD).

Below implementing procedures assume that you already have your VPN and proxy servers running in your environment.
 

Procedure Step 1 : Add a new Mobile Prevent Server.

Adding a detection server
  Add the detection servers that you want to your Symantec Data Loss Prevention system from the System > Servers > Overview screen.

You can add the following types of servers:

Network Monitor Server, which monitors network traffic.

Network Protect Server, which inspects stored data for policy violations (Network Discover).

Network Prevent Server, which prevents SMTP violations.

Network Prevent Server, which prevents ICAP proxy server violations such as FTP, HTTP, and HTTPS.

Mobile Prevent for Web Server, which monitors and prevents HTTPS, HTTPS, and FTP violations over mobile devices.

Note:
 If your Symantec Data Loss Prevention license includes both Mobile Prevent for Web and Network Prevent for Web Servers you add a single detection server called Network and Mobile Prevent for Web Server.
 

Endpoint Server, which controls Symantec DLP Agents that monitor endpoint computers.

Classification Server, which analyzes email messages that are sent from a Symantec Enterprise Vault filter, and provides a classification result that Enterprise Vault can use to perform tagging, archival, and deletion as necessary.

Procedure Step 2: Configure your Mobile Prevent Server.

Configuring the Mobile Prevent for Web Server
You can use a number of configuration options for Mobile Prevent for Web Server. For example, you can configure the server to:

Ignore small HTTP/S requests or responses.

Ignore requests to or responses from a particular host or domain (such as the domain of a business subsidiary).

Ignore user search engine queries.

To modify your Mobile Prevent for Web Server configuration

Go to System > Servers > Overview and click the Mobile Prevent for Web Server.
On the Server Detail screen that appears, click Configure.
You can verify or modify settings on the ICAP tab as described in subsequent steps. The tab is divided into several sections: Request Filtering, Response Filtering, and Connection.

Verify or change the Trial Mode setting.
Verify or modify the filter options for requests from HTTP clients (user agents). The options in the Request Filtering section are as follows:
Ignore Requests Smaller Than
 Specifies the minimum body size of HTTP requests to inspect. (The default is 4096 bytes.) For example, search-strings typed in to search engines such as Yahoo or Google are usually short. By adjusting this value, you can exclude those searches from inspection.
 
Ignore Requests without Attachments
 Causes the server to inspect only the requests that contain attachments. This option can be useful if you are mainly concerned with requests intended to post sensitive files.
 
Ignore Requests to Hosts or Domains
 Causes the server to ignore requests to the hosts or domains you specify. This option can be useful if you expect a lot of HTTP traffic between the domains of your corporate headquarters and branch offices. You can type one or more host or domain names (for example, www.company.com), each on its own line.
 
Ignore Requests from User Agents
 Causes the server to ignore requests from user agents (HTTP clients) you specify. This option can be useful if your organization uses a program or language (such as Java) that makes frequent HTTP requests. You can type one or more user agent values (for example, java/6.0.29), each on its own line.
 

Note: The Response Filtering options are not supported for Mobile Prevent.
 

Verify or modify the filter options for responses from Web servers. The options in the Response Filtering section are as follows:
Ignore Responses Smaller Than
 Specifies the minimum size of the body of HTTP responses that are inspected by this server. (Default is 4096 bytes.)
 
Inspect Content Type
 Specifies the MIME content types that Symantec Data Loss Prevention should monitor in responses. By default, this field contains content-type values for Microsoft Office, PDF, and plain text formats. To add others, type one MIME content type per line. For example, type application/wordperfect5.1 to have Symantec Data Loss Prevention analyze WordPerfect 5.1 files.

Note that it is generally more efficient to specify MIME content types at the Web proxy level.
 
Ignore Responses from Hosts or Domains
 Causes the server to ignore responses from the hosts or domains you specify. You can type one or more host or domain names (for example, www.company.com), each on its own line.
 
Ignore Responses to User Agents
 Causes the server to ignore responses to user agents (HTTP clients) you specify. You can type one or more user agent values (for example, java/1.4.2_xx), each on its own line.
 

Verify or modify settings for the ICAP connection between the HTTP proxy server and the Mobile Prevent for Web Server. The Connection options are as follows:
TCP Port
 Specifies the TCP port number over which this server listens for ICAP requests. This number must match the value that is configured on the HTTP proxy that sends ICAP requests to this server. The recommended value is 1344.
 
Maximum Number of Requests
 Specifies the maximum number of simultaneous ICAP request connections from the HTTP proxy or proxies. The default is 25.
 
Maximum Number of Responses
 Specifies the maximum number of simultaneous ICAP response connections from the HTTP proxy or proxies. The default is 25.
 
Connection Backlog
 Specifies the number of waiting connections allowed. A waiting connection is a user waiting for an HTTP response from the browser. The minimum value is 1. If the HTTP proxy gets too many requests (or responses), the proxy handles them according to your proxy configuration. You can configure the HTTP proxy to block any requests (or responses) greater than this number.
 

In the Mobile IP Ranges fields, enter the range of IP addresses that your VPN server is configured to assign to mobile devices. The IP addresses are used to identify the incidents that were triggered from mobile devices as Mobile incidents.
The IP addresses you enter into this range do not dynamically affect the VPN Server. This range is only to identify your mobile devices in the administration console. You must enter the exact same range of IP addresses when you configure the VPN Server to assign the addresses.

Click Save to exit the Configure Server screen and then click Done to exit the Server Detail screen.

Procedure Step 3: Configure your VPN Server with the IP address range that you want to assign to the corporate mobile devices for the Mobile Prevent sub-network

Procedure Step 4 : Configure your VPN profile with the MDM application.

You must configure the VPN profile before mobile devices can connect to the corporate network. The VPN profile combines security certificates, the VPN server configuration settings, VPN On Demand settings, and any network configuration settings. Normally, the VPN profile is set and applied through your MDM solution. Along with the VPN profile, you can configure other aspects of your mobile device such as Microsoft Exchange ActiveSync, firewall properties, or LDAP settings.

Procedure Step 5 : Define ICAP services on proxy to route traffic to Mobile Prevent Web Server.

Procedure Step 6 : Create and deploy a policy for Mobile Prevent.

Creating policies for Mobile Prevent
You can create the policies that include most standard response rules. The response rules include Add Note, Limit Incident Data Retention, Log to a Syslog Server, Set Attribute, and Set Status.

You can also incorporate the response rules that are specific to Mobile Prevent Server as follows:

Network Prevent and Mobile Prevent: Block HTTP/HTTPS

Blocks the posts that contain confidential data (as defined in your policies). This includes Web postings, Web-based email messages, and files that are uploaded to Web sites or attached to Web-based email messages.

Note:
Certain applications may not provide an adequate response to the Network Prevent and Mobile Prevent: Block HTTP/HTTPS response action. This behavior has been observed with the Yahoo! Mail application when a detection server blocks a file upload. If a user tries to upload an email attachment and the attachment triggers a Network Prevent: Block HTTP/HTTPS response action, Yahoo! Mail does not respond or display an error message to indicate that the file is blocked. Instead, Yahoo! Mail appears to continue uploading the selected file, but the upload never completes. The user must manually cancel the upload at some point by pressing Cancel.

Other applications may also exhibit this behavior, depending on how they handle the block request. In these cases a detection server incident is created and the file upload is blocked even though the application provides no such indication.
 

Network Prevent and Mobile Prevent: Remove HTTP/HTTPS Content

Removes confidential data from posts that contain confidential data (as defined in your policies). This includes Web-based email messages and files that are uploaded to Web sites. Note that the Remove HTTP/HTTPS Content action works only on requests.

Network Prevent and Mobile Prevent: Block FTP Request

Blocks FTP transfers that contain confidential data (as defined in your policies).

For details on setting up any response rule action, open the online Help.

Go to Manage > Policies > Response Rules and click Add Response Rule.

Even if you do not incorporate response rules into your policy, Mobile Prevent captures incidents as long as your policies contain detection rules. You can set up such policies to monitor Web and FTP activity on your mobile device before implementing the policies that block or remove content.

If you have configured your proxy to forward both HTTP/HTTPS requests and responses, your policies work on both. For example, policies are applied to both an upload to a Web site and a download from a Web site.

To create a test policy for Mobile Prevent

In the Enforce Server administration console, create a response rule that includes one of the actions specific to Mobile Prevent. For example, create a response rule that includes the Network Prevent and Mobile Prevent: Block HTTP/HTTPS action.
Create a policy that incorporates the response rule you configured in the previous step.
For example, create a policy called Test Policy as follows:

Include a Content Matches Keyword detection rule that matches on the keyword "secret."

Include a Network Prevent and Mobile Prevent: Block HTTP/HTTPS response rule.

Associate it with the Default policy group.

Procedure Step 7 : Test the system by generating an incident against your test policy.

Testing Mobile Prevent

You can test Mobile Prevent by sending an email that violates your test policy.

To test your system

Connect your mobile device to the Internet and connect to your corporate VPN.
Open your corporate email client and send an email with an attachment containing confidential data. For example, access your Microsoft Outlook client and send an email with an attachment containing the word secret and paragraphs of other text.
In the Enforce Server administration console, go to Incidents > Mobile and click Incidents - All. Look for the resulting incident. For example, search for an incident entry that includes the appropriate timestamp and policy name.
Click on the relevant incident entry to see the complete incident snapshot.

Procedure Step 8 : If required, troubleshoot the implementation.

See the Symantec Data Loss Prevention System Requirements and Compatibility Guide for more details on configuring Mobile Prevent to work within your organization.

This topic covers the installation of DLP Enforcer and Detection Server version 12.0 in grpahic representation for a Single Tier Architecture. Oracle is already installed on the server. The installation guide can be found under DLP installation set up under the folder 'Symantec_DLP_12.0_Docs_Win-IN\Symantec_DLP_12.0_Install_Guide_Win.pdf'. Before install make sure the system requirements are met and this guide can be found under 'Symantec_DLP_12.0_Docs_Win-IN\Symantec_DLP_12.0_System_Requirements_Guide.pdf'. Download the attachment to know about the seqeunce of install.

Logon as Administrator to the Enforce Server system on which you intend to install Enforce.

Double-click ProtectInstaller64_12.0.exe to execute the file, and click  OK.

In the Welcome panel, click Next.

After you review the license agreement, select I accept the agreement, and click Next.

In the Select Components panel, select the type of installation you are performing and then click Next. Since this single Tier, selecting the this will install all the components on the same server.

In the LicenseFile panel, browse to the directory containing your license file. Select the license file, and click Next.

License files have names in the format name.slf.

In the Select Destination Directory panel, accept the default destination directory, or enter an alternate directory, and click Next. The default installation directory is: C:\SymantecDLP.

Note: Do not install Symantec Data Loss Prevention in any directory that includes spaces in its path.

In the Select Start Menu Folder panel, enter the Start Menu folder where you want the Symantec Data Loss Prevention shortcuts to appear. The default is Symantec Data Loss Prevention.

In the System Account panel, create the Symantec Data Loss Prevention system account user name and password and confirm the password. Then click Next. This account is used to manage Symantec Data Loss Prevention services. The default user name is “protect.”

In the Transport Configuration panel (this panel only appears when during single-tier installations), enter an unused port number that Symantec Data Loss Prevention servers can use to communicate with each other and clickNext.

The default port is 8100.

In the SymantecManagementConsole panel, optionally enter the host name or IP address of the Symantec Management Console server to use for managing Symantec Data Loss Prevention Endpoint Agents. If you are not using the Symantec Management Console to manage agents, leave the field blank. Click Next.

If you have not purchased a license for Endpoint Prevent or Endpoint Discover, click Next to skip this step.

Note that you can add this host name or IP address later on the Enforce Server by navigating to Administration>Settings>SystemSettings. Then configure the Symantec Management Console setting..

In the Oracle Database Server Information panel, enter the location of the Oracle database server and listener port. Since this is single Tier is local host.

In the Oracle Database User Configuration panel, enter the Symantec Data Loss Prevention database user name and password. Confirm the password and enter the database SID (typically “protect”), then click Next.

In the AdditionalLocale panel, select an alternate locale, or accept the default of None, and click Next.

For a new Symantec Data Loss Prevention installation, make sure that the Initialize Enforce Data box is checked and then click Next.

In the Single Sign On Option panel, select the sign-on option that you want to use for accessing the Enforce Server administration console, then click Next:

Enter the password for the Administrator credentials. Click Next.

Confirm your participation in the Symantec Data Loss Prevention Supportability Telemetry program, and provide the appropriate information. The Symantec Data Loss Prevention Supportability Telemetry Program can significantly improve the quality of Symantec Data Loss Prevention. For more information, click the Supportability and Telemetry Program Details link.

Select the StartServices check box to start the Symantec Data Loss Prevention services after the after the completion notice displays. The services can also be started or stopped using the Windows Services utility.

Click Finish.

Starting all of the services can take up to a minute. The installation program window may persist for a while, during the startup of the services. After a successful installation, a completion notice displays.

Logon to console using the Administrator account and accept the EULA.

The home page look like this.

The next step is depending on the requirement Import the solution pack.  You must import a Symantec Data Loss Prevention solution pack immediately after installing and verifying the single-tier server, and before changing any single-tier server configurations.

Next is to Registering the detection server.

Log on to the Enforce Server as Administrator. Go to System > Servers > Overview. Click Add Server.

Select the type of detection server to add and click Next.

Enter the General information. This information defines how the server communicates with the Enforce Server.

■ In Name, enter a unique name for the detection server.

■ In Host, enter the detection server’s host name or IP address. (For a single-tier installation, click the Same as Enforce check box to autofill the host information.)

■ In Port, enter the port number the detection server uses to communicate with the Enforce Server. If you chose the default port when you installed the detection server, then enter 8100. However, if you changed the default port, then enter the same port number here (it can be any port higher than 1024).

Click Save.

The Server Detail screen for that server appears.

To verify that the server was registered, return to the System Overview page. Verify that the detection server appears in the server list, and that the server status is Running.

This completes the install process of Enforce and detection server in single Tier install.

Hope you find helpful.

Some customers want to know whether the DLP can send an Email notification to the manager if an employee trigger an incident. The answer is Yes.

This is some kind of workflow in DLP that can help the manager to master and improve the employee's behavior to avoid the data leak.

In order to send email notification to the manager, the DLP need to integrate with the Active Directory where the relationship between the employee and the manager is stored. 

The basic principle of such kind of configuration is obtaining the manager's email from AD by using the sender attribute in the incident which is the employee's email address.

Here we will give an example of the configuration in the testing environment to send email notification to the manager:

1. In a SMTP incident, the value of the sender attribute is the sender's email address, we need to use this attribure to query the information of the sender's manager:

2. Based on the testing environment, there are two users: dlp-test-user01 and dlp-test-manager. The dlp-test-manager is the manager of the dlp-test-user01:

3. We can use a third-party LDAP browse tool, such as LDAP Browser, to find out the attributes' relationship between these two users in AD:

Accordint to the screenshot above, the value of the Email Address of the employee is stored in the 'mail' attribute, and the 'manager' attribute is storing the base DN of the employee's manager.

Then we need to check the attributes of the manager:

According to the screenshot above, we can find out that:

the value of the 'manager' attribute of the employee is the same to the 'distinguishedName' attribute of the manager.

That's mean we can use the employee's 'manager' to relate to the manager's 'distinguishedName'.

4. After find out the relationship of the attributes in AD, we need to create two Custom Attributes in DLP, named as 'TempManager' and 'ManagerEmail':

The 'TempManager' is used to store the value of the employee's 'manager' attribute and manager's 'distinguishedName' attribute.

The 'ManagerEmail' is used to store the value of the manager's 'mail' attribute.

Remember to select the 'Is Email Address' during the creation of the 'ManagerEmail':

5. In DLP, create a new Directory Connection to let the DLP Enforce connect to the AD:

6. Then, we need to create the attribute lookup.

Add a new LDAP Loolup Plugin, select the 'Directory Connectiron' as the newly added one, and, on the 'Attribute Mapping', input the query as below:

attr.TempManager=:(mail=$sender-email$):manager

7. Modify the Lookup Plugin Execution Chain, and select to enable this newly added LDAP Lookup:

8. Edit the Lookup Plugin Parameters, and select to enable the Sender parameter:

9. Reload the plugins, and make suer the status of the newly added plugin is On:

10. After all these configurations, we need to check out whether the attributes are lookuped correctly:

11. At last, we need to create a response rule to send email notification to the manager.

During the creation of the Send Email Notification response, select the 'ManagerEmail' option:

Note: 

It's because we create the ManagerEmail attribute as an Email Address that it can be used on the response rule.

Then, if an employee triger a SMTP incident, an email notification will be send to his/her manager.

We can check out the result on the history of the incident:

Lately it has been noticed an increasing spread of threats which, entering a system by various means are encrypting several files on the attacked system like office documents, database files, e-mail archives, which represent a value for the attacked customer.

Those threats generally, after encrypting the files, sometimes delete themselves or propagate through the network.

To decrypt the file the hackers generally ask to pay a certain amount of money.

In order not to create misunderstandings, customers need to be aware of the following:  encrypted files will remain encrypted.  These should be replaced from a known-good backup (and Enterprises are responsible for regularly backing up their own important data).

Symantec products do not decrypt files that have been affected by these threats.

Why? The reason is as simple as very often not considered. The majority of these kind of threats is using an RSA public-key cryptography at 1024 or 2048 bits. Despit of a number of commercial tools which are released the truth is such: for large RSA key sizes (in excess of 1024 bits), no efficient method for solving this problem is known (this is the so called "RSA problem")

To know more about it:

http://en.wikipedia.org/wiki/CryptoLocker

http://en.wikipedia.org/wiki/RSA_(cryptosystem)

http://en.wikipedia.org/wiki/RSA_problem

Anyway, to pay the hackers is not a solution at all.

When a customer pays the hackers, there is no guarantee that the attacker can or will supply a method of unlocking their computer or decrypting their files.  For some variants, Symantec has received reports that the threat was received, the attacker provided a code to allow the threat to un-do the encryption that has been done on the customer’s files. Then, once Symantec updated our detection, the threat .exe is removed (deleted/quarantined) and the un-encryption can no longer continue.

When customers pay hackers for threats, such as these, it encourages attackers to continue these tactics and  additional attacks against everyone. 

 Please do not pay the hackers!

Additional information about those threats

http://www.symantec.com/docs/TECH211589

https://www-secure.symantec.com/connect/blogs/ransomcrypt-thriving-menace

https://www-secure.symantec.com/connect/blogs/cryptolocker-alert-millions-uk-targeted-mass-spam-campaign

https://www-secure.symantec.com/connect/blogs/cryptolocker-qa-menace-year

First Response

If the infection somehow already entered in our environment, the damage, unfortunately is already done.

Anyway, if we identify the threat in a timely manner, we can prevent the threat to spread and contain the damage.

Whenever you find a system in your environment which is being infected from this kind of encrypting threat, the first thing to do, even more than in other cases is:

Isolate the machine from the network!!

Afterwards, you will need to identify the virus finding the executable file and submit it to Symantec Security Response.

Contact the Symantec Enterprise Technical Support to know how to submit files:

http://www.symantec.com/support/contact_techsupp_static.jsp

In order to stop the eventual expanding of the threat in your environment, through the Symantec Endpoint Protection, you can use the “Application and Device Control” component to block the execution of that specific file, identifying it through the hash MD5:

http://www.symantec.com/business/support/index?page=content&id=TECH93451

An alternative way to get the hash MD5:

http://www.symantec.com/business/support/index?page=content&id=TECH96745

Once the threat has been blocked and the incoming new definitions from Symantec will remove the threat we can restore our data from backup.

There are many ways to maintain a safe backup of sensible data: each organization can choose the most suitable to its needs. Here an example:

http://www.symantec.com/connect/articles/recovering-ransomlocked-files-using-built-windows-tools

How to prevent this unpleasant situation to repeat?

What the most of the people who faced this kind of threat at least once surely will desire, it is not to face it anymore.

To achieve this it is possible to take proactive steps to protect our environment.

-           Disable Auto-Run

The first thing to do, if not done already, surely is disable Auto-Run feature on all machines:

http://www.symantec.com/business/support/index?page=content&id=TECH104447

- Enable IPS (Intrusion Prevention System) component:

http://www.symantec.com/business/support/index?page=content&id=TECH95347

http://www.symantec.com/business/support/index?page=content&id=TECH104434

http://www.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network

-           Increase the overall security

Moreover, again using the “Application and Device Control” component it is possible, it is possible to harden the overall security of the system with a specific policy:

http://www.symantec.com/business/support/index?page=content&id=TECH132337

http://www.symantec.com/business/support/index?page=content&id=TECH132307

Anyway, this is a general mean of prevention, helpful but not specific for this kind of threats.

It is always recommended to test the policy accurately before applying it massively to any production environment.

-           Lock your system down

Surely effective solution which will protect you from this and other kind of threats, it is to use the Symantec Endpoint Protection feature which is called “System Lockdown”.

It is based on the idea that an organization uses a determined and pre-allowed set of application which can be collected and allowed by an administrator, blocking the execution of anything else.

This document contains a guide to this feature:

http://www.symantec.com/business/support/index?page=content&id=HOWTO55130

CAUTION! Anyone who would like to implement this feature is invited to test it deeply! An incorrect deployment of the feature can highly compromise the functionality of the systems in object.

-           Granular approach (using Application and Device Control)

We can implement an application and device control policy to block the execution of the most common file extensions used by this class of threats, in the paths which are known to be the common launch points.

About “Application and Device Control” in general:

http://www.symantec.com/security_response/security updates/list.jsp?fid=adc

Attached to this article it is given an example of  policy which can be imported in SEP Manager and it is ready to use.

Please keep in mind: before implementing this policy massively in a production environment, test it on a small grouop of machine, verify its compatibility to your needs. Also feel free to customize it as you may find more appropriate

What are the features of our policy?

-           Blocking  Auto-Run (works out of the box)

-           Blocks  access to script files (works out of the box)

-           Blocks execution from removable drives (the details about the device types should be added. For an example of device ID check: http://www.symantec.com/business/support/index?pag...)

-           Blocks the execution of files with extension “.exe”, “.com”, “.scr”, “.pif” from the known launch points of those threats and also from some kinds of archives. 

Here the complete list:

%appdata%\

%appdata%\*\

%temp%\

%temp%\*\

%temp%\rar*\

%temp%\7z*\

%temp%\wz*\

%temp%\*.zip\

%iappdata%\

%localappdata%\

%localappdata%\*\

%userprofile%\Local Settings\Application\

%userprofile%\Local Settings\Application\*\

C:\$Recycle.Bin\

C:\$Recycle.Bin\*\

Please Note: This policy is going to block whatever file with the listed extension which is executing from the given locations. This may include also genuine third party applications or custom made applications.

You can anyway exclude custom application from being blocked adding them in the section “Do not apply to the following processes” located in the condition of the rule.

This article is a continuation of my three previous articles:

1. How to utilize SEP 12.1 for Incident Response - PART 1
2. How to utilize SEP 12.1 for Incident Response - PART 2
3. How to utilize SEP 12.1 for Incident Response - PART 3

In it, we will look at using Application Learning in an incident response situation. The purpose of application learning is for the SEP client to collect and monitor the applications and services that run on client PCs. I do want to point out that I only use this for incident response. While it is perfectly acceptable to use this in a normal situation, if you have many clients, your database can grow quite rapidly. If you do decide to use this on a regular basis, you should check out the Best Practices Guide to Application Learning in Symantec Endpoint Protection Manager

Now, let's get started. From time to time I come across a problem user who is no stranger to re-infection. I have a special purpose group setup for such cases. Application learning is enabled for this group. Enabling application learning is a two step process.

Log in to the SEPM:

1. Navigate to Admin page >> select your Local Site and select Edit Site Properties. Tick the checkbox for "Keep track of every application that the clients run". This will enable the feature.
2. Go to the Clients page and create your special purpose group and uncheck inheritance. Go to the Policies tab at the top and under Settings select Communications Settings. Under Upload tick the checkbox for "Learn applications that run on the client computers". This tells the SEP client to monitor all applications and upload it to the SEPM.

Now, this process will not be completed immediately. Logs will start to come in but it will depend on what you have your heartbeat set to. For this special purpose group, I like to set the heartbeat from anywhere from 5-15 minutes. Since this is usually done for one or two clients at a time, this should not be a problem. I like to give the entire process a few hours to take shape before I really dig into it. Once you feel enough time has passed, you can begin reviewing what applications are running on the PC.

To do this, go to the Policies page and under Tasks select Search for Applications

A new box will come up which will allow you to do some filtering:

Feel free to edit as you see fit and select Search when completed. You will get a similar result if all is working correctly:

Now, what I like to do is export the results and compare it to a list of known good process that are on our golden image(s). This can be a tedious task although it makes it slighly easier to find bad processes when you have a list of what you know contain good ones. When I find what I believe are bad processes I will submit them to ThreatExpert and Virustotal for analysis. If it's found to be malicious, I submit to Symantec Security Reponse so they can create a signature for it.

I hope this article has been helpful for you. Please post any feedback or questions that you may have.

Brian