Channel: Butsch.ch

McAfee Endpoint Intelligence Agent, Raptor Integration


McAfee Endpoint Intelligence Agent / Raptor integration: clearing up the question of whether it DOES block or isolate

 

The use of the Endpoint Intelligence Agent (EIA) to trace client executables that make network connections, free of charge, was promoted by McAfee in a blog post. What was not mentioned is that they use it to push Raptor, their next-generation Stinger malware scanner, to corporate clients. This technology will also be integrated into VSE Enterprise version 10. You may know Raptor or Stinger from cases where VSE does not find malware and you need a second product.

 

There is almost no good documentation or inside information on the usage of the EI-Agent, especially with regard to Raptor. Probably because Raptor is their next tool that comes to VSE.

 

Here is how Endpoint Intelligence looks in ePO. Mainly the Endpoint Intelligence Agent is used as the client part for TIE and McAfee Firewall to get more info about what's in the LAN segment (beside, as an example, HIPS).

 

Since people are still left with the CryptoLocker virus, it's good to have a free tool to add to ePO to track EXE files a little bit, without installing a full SIEM, which starts at CHF 50'000.- for a 500+ employee box.

From the test run in the enterprise with 20 test clients with the agent, we had 86 applications and 2 seen as malware. One was an EXE running from a share and doing certificate things. The second one was a ClickOnce side-by-side installation/update which does ugly things in the temp folder.

 

We wanted to know from McAfee whether the Raptor MODULE used in Endpoint Intelligence Agent EIA 2.5.0.125 will (or was) blocking something or not, because from the regular THREAT alerts you could assume that.

 

a) Is something isolated?

Answer: No, nothing is isolated.

b) Is something blocked?

Answer: No, nothing is blocked.

c) We assume that the Raptor module is used by the EI-Agent to determine if an EXE on the client is bad/good/nothing. Raptor.exe used by the EI-Agent WILL NOT BLOCK/ISOLATE/TRY-TO-STOP anything?

Answer: Raptor is only used for detecting malicious activity and to identify the executable that is responsible for it. It does not classify an exe as good or bad or unknown. No blocking.

d) As mentioned in the McAfee blog, where McAfee recommends the EI-Agent as a solution for finding Locker malware EXEs on clients, IT SAYS it will MONITOR/REPORT only?

Answer: EIA with ePO can be used for reporting the number of connections from an executable, with other information like MD5, absolute path and also the malware risk score for each of the executables.

e) Why does ePO then show the THREAT event?

Answer: The threat event is shown for reporting alone, for alerting the admin.

 

ePO threat alert triggered through RAPTOR from the EI-Agent

Detecting Prod ID (deprecated): MNIAGENT2000
Detecting Product Name: Endpoint Intelligence Agent
Detecting Product Version: 2.5.0.125
Threat Source Host Name:
Threat Source MAC Address:
Threat Source User Name:
Threat Source Process Name:
Threat Source URL:
Threat Target Host Name:
Threat Target File Path: rundll32.exe(md5: dd81d91ff3b0763c392422865c9ac12e)
Event Category: Malware detected
Event ID: 1024
Threat Severity: Alert
Threat Name: Injector
Threat Type: raptor_detected_threat
Action Taken: None
Threat Handled:
Analyzer Detection Method: RAPTOR
Events received from managed systems
Event Description: Infected file found, access denied   <-- THAT was the unclear part

 

In this case it was a strange but well-known hospital software doing a Framework ClickOnce installation to undergo deployment and the deployment process (we think).

 

This is the location where you can find more info on what Raptor did:

 

\\PCNAME\c$\Program Files (x86)\McAfee\Endpoint Intelligence Agent\x64\RaptorDir

<MD5>

DD81D91FF3B0763C392422865C9AC12E

<\MD5>

<FILENAME>

c:\windows\system32\rundll32.exe

<\FILENAME>

<DETECTIONNAME>

Injector

<\DETECTIONNAME>

<JSON>

[{"t":"1d0ea2ec71c80c5","p":"0","e":"5","1":"c\\rundll32.exe","2":"1,2d,\"rundll32.exe\" dfshim.dll,shopenverbshortcut 1\\u:\\profiledata\\appdata\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\hospis business center.appref-ms|","j":0},{"t":"1d0ea2ec742021d","p":"2bd","e":"0","1":"7\\bvtbin\\tests\\installpackage\\csilogfile.log","j":0},{"t":"1d0ea2ec7421cec","p":"2bd","e":"d","1":"4\\s-1-5-21-730738710-497051466-624655392-1053\\software\\classes\\software\\microsoft\\windows\\currentversion\\deployment\\sidebyside\\2.0\\","j":0},{"t":"1d0ea2ec7452bd6","p":"2bd","e":"d","1":"4\\s-1-5-21-730738710-497051466-624655392-
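To make the RaptorDir output actionable, here is an added example (not from the original post and not McAfee's code) that parses a RaptorDir record into its MD5/FILENAME/DETECTIONNAME fields and the JSON event list, and ties it back to the ePO threat event: since Raptor reports only ("Action Taken: None"), a matching record is a manual-investigation item, not a handled threat. The sample record is constructed from the fragment above, shortened and closed by hand so that the JSON parses; the tag syntax with backslash closers is taken from the fragment, and the meaning given to the JSON fields "1" (path) and "2" (command line) is an assumption drawn from the sample values.

```python
import json
import re

# Constructed sample of a RaptorDir record, modelled on the fragment shown in
# the post. The JSON array is shortened and closed by hand so that it parses;
# the real file on the client continues beyond what the post shows.
SAMPLE_RECORD = r"""<MD5>
DD81D91FF3B0763C392422865C9AC12E
<\MD5>
<FILENAME>
c:\windows\system32\rundll32.exe
<\FILENAME>
<DETECTIONNAME>
Injector
<\DETECTIONNAME>
<JSON>
[{"t":"1d0ea2ec71c80c5","p":"0","e":"5","1":"c\\rundll32.exe","2":"1,2d,\"rundll32.exe\" dfshim.dll,shopenverbshortcut 1\\u:\\profiledata\\appdata\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\hospis business center.appref-ms|","j":0},{"t":"1d0ea2ec742021d","p":"2bd","e":"0","1":"7\\bvtbin\\tests\\installpackage\\csilogfile.log","j":0},{"t":"1d0ea2ec7421cec","p":"2bd","e":"d","1":"4\\s-1-5-21-730738710-497051466-624655392-1053\\software\\classes\\software\\microsoft\\windows\\currentversion\\deployment\\sidebyside\\2.0\\","j":0}]
<\JSON>
"""

# The matching ePO threat event, reduced to the fields used below
# (values as printed in the post).
SAMPLE_EPO_EVENT = {
    "Threat Target File Path": "rundll32.exe(md5: dd81d91ff3b0763c392422865c9ac12e)",
    "Threat Name": "Injector",
    "Threat Type": "raptor_detected_threat",
    "Action Taken": "None",
    "Analyzer Detection Method": "RAPTOR",
}

# Raptor closes its tags with a backslash (<\MD5>); a slash is accepted too.
TAG_RE = re.compile(r"<(?P<tag>[A-Z0-9]+)>\s*(?P<body>.*?)\s*<[\\/](?P=tag)>", re.DOTALL)
MD5_RE = re.compile(r"md5:\s*([0-9a-fA-F]{32})")


def parse_raptor_record(text):
    """Split a RaptorDir record into its tagged fields and decode the event list."""
    fields = {m.group("tag"): m.group("body") for m in TAG_RE.finditer(text)}
    return {
        "md5": fields.get("MD5", "").strip().lower(),
        "filename": fields.get("FILENAME", "").strip(),
        "detection": fields.get("DETECTIONNAME", "").strip(),
        "events": json.loads(fields["JSON"]) if "JSON" in fields else [],
    }


def summarize_events(record):
    """Group Raptor events by their 'e' code and keep the paths in field "1".
    Field "2", where present, carries the command line of the observed process
    (assumed from the sample values)."""
    by_code = {}
    for ev in record["events"]:
        by_code.setdefault(ev.get("e"), []).append(ev.get("1", ""))
    return {
        "event_codes": by_code,
        "command_lines": [ev["2"] for ev in record["events"] if "2" in ev],
    }


def epo_event_md5(epo_event):
    """Pull the MD5 out of the 'Threat Target File Path' value ePO shows."""
    m = MD5_RE.search(epo_event.get("Threat Target File Path", ""))
    return m.group(1).lower() if m else None


def needs_manual_followup(epo_event, record):
    """A Raptor event with 'Action Taken: None' is report-only (nothing was
    blocked or isolated), so a matching RaptorDir record means a human has to
    look at the file; it does not mean the threat was handled."""
    return (
        epo_event.get("Threat Type") == "raptor_detected_threat"
        and epo_event.get("Action Taken", "None") == "None"
        and epo_event_md5(epo_event) == record["md5"]
    )


if __name__ == "__main__":
    rec = parse_raptor_record(SAMPLE_RECORD)
    print(rec["md5"], rec["filename"], rec["detection"])
    print(summarize_events(rec))
    print("manual follow-up needed:", needs_manual_followup(SAMPLE_EPO_EVENT, rec))
```

Run it against the RaptorDir files collected from the clients and compare the MD5 with the one in the ePO event; the command line in field "2" is what tells you whether the detection was the ClickOnce deployment described above or something that needs a second opinion.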

 


McAfee denied installing on a client with %path% pointing to a UNC share


Check your %path% variable to see whether some software put a UNC path in it. While this was heavily used on Windows XP, under our standard Windows 7 client system this seems rather rare.

Three samples on Windows 7 64-bit, but with a domain user: none of them point to anything other than the local C: drive.

 

Installing VirusScan to an environment that's required to place UNC shares into the PATH environment variable (%path%) is not advisable. The SYSTEM account, and all processes or services running as SYSTEM will be affected and potentially negatively as it requires Windows to check remote locations for needed files. In our experience this has caused our real-time scanner, the core part of AV protection, to fail to initialize properly on startup. Consequently, we modified our installer to check for this condition and abort installing to such an environment, to reinforce how it's not best practice or to at least bring attention to it. That install check can be overridden, as explained in article KB71200 (https://kc.mcafee.com/corporate/index?page=content&id=KB71200), but should only be done once it has been confirmed the product still functions in that environment. If there are issues, they cannot be solved by Intel Security except to advise removal of the UNC paths from the PATH environment variable.

If you have third party software that requires a UNC share in the PATH environment variable, contact your vendor for options. Any portable executable code required for that third party application to run on the local client should also be local (not have need for a UNC share). This also ensures a safer computing environment because those local files can then be scanned by the local scanner. Remote files are not scanned when accessed from a client running VirusScan Enterprise unless Network Drive Scanning is enabled, which means your third party application may be running code in memory that has not been scanned.

 

For information about Network Drive Scanning, see the VSE Product Guide (https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22941/en_US/vse_880_product_guide_en-us.pdf), and Best Practices (https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22940/en_US/vse_880_best_practices_guide.pdf).
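Added example (not from the post and not McAfee's code) for the check the post starts with: it lists every entry of a Windows PATH value that points at a UNC share, reads the machine-wide PATH (the one SYSTEM and services see) from the registry when run on Windows, and prints a verdict. The PATH value in SAMPLE_PATH is constructed; on a non-Windows machine the script falls back to the current process PATH just so it runs.

```python
import os
import sys

# Constructed machine PATH with two UNC entries (one of them quoted), the
# condition the VSE installer aborts on. Not taken from a real system.
SAMPLE_PATH = r'C:\Windows\system32;C:\Windows;"\\fileserver\apps\bin";C:\Program Files\Tool;\\srv2\share\lib'

MACHINE_ENV_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\Environment"


def find_unc_entries(path_value, sep=";"):
    """Return the PATH entries that point at a UNC share (two leading
    backslashes or slashes). Entries may be quoted and may contain
    environment references, which are expanded first."""
    hits = []
    for raw in path_value.split(sep):
        entry = os.path.expandvars(raw.strip().strip('"'))
        if entry.startswith("\\\\") or entry.startswith("//"):
            hits.append(entry)
    return hits


def machine_path():
    """Read the machine-wide PATH from the registry on Windows (what the SYSTEM
    account and services see); elsewhere fall back to the process PATH so the
    script still runs for demonstration."""
    if sys.platform != "win32":
        return os.environ.get("PATH", "")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, MACHINE_ENV_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Path")
    return value


def report(path_value):
    """Human-readable verdict for one PATH value."""
    hits = find_unc_entries(path_value)
    if not hits:
        return "OK: no UNC entries in PATH"
    return ("WARNING: UNC entries in PATH (VSE install will abort, see KB71200): "
            + "; ".join(hits))


if __name__ == "__main__":
    print("sample:", report(SAMPLE_PATH))
    print("this machine:", report(machine_path()))
```

Run it as an administrator on the client before pushing VSE; the registry value is the one the SYSTEM account inherits, which is the one the installer checks, not the PATH of the logged-on user.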

McAfee DLP: Microsoft September 2015 updates disable McAfee DLP


5 Microsoft patches take out the McAfee DLP copy handler function. Device Control (USB blocking) is not affected.

Environment

McAfee Data Loss Prevention Endpoint (DLP Endpoint) software earlier than 9.3.425 (DLP Endpoint 9.3 Patch 4 HF25)

Microsoft Windows 7 64-bit (32-bit is not affected.)

Problem

Several applications fail to start after you install Microsoft patch MS15-038, MS15-090, MS15-085 or MS KB3083992 on systems with DLP Endpoint earlier than 9.3 Patch 4 HF25 (9.3.425.x).

Affected applications include, but are not limited to:

  • CMD.EXE
  • Explorer.EXE
  • MMC-based applications
  • Microsoft Office applications
  • PowerShell

Example startup errors include:

  • csc.exe- Application Error -- The application was unable to start correctly (0xc0000142)
  • iexplore.exe- Application Error -- The application was unable to start correctly (0xc0000018)
  • mmc.exe- Application Error -- The application was unable to start correctly (0xc0000018)
  • cmd.exe- Application Error -- The application was unable to start correctly (0xc0000018)

Cause

The issue is caused by a third-party component in DLP Endpoint.

NOTE: This issue does not affect the Device Control only operation mode. The other two operation modes may have the issue.

Solution

Intel Security has released DLP Endpoint 9.3 Patch 4 Hotfix 25 and  DLP Endpoint 9.3 Patch 5 and later to resolve this issue. 

McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You will need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, as well as alternate locations for some products.


Workaround

Either remove the Microsoft patch (MS15-038, MS15-090, MS15-085, or MS KB3083992) or disable the affected components in DLP Endpoint.

The affected components in DLP Endpoint include:

  • File Copy Handler
  • Clipboard Service
  • Portable Devices Handler (MTP)
  • Screen Capture Service
  • Internet Explorer Add-on
  • Firefox Handler
  • Cloud Protection Handlers (all)

To disable the affected components:

  1. Open the DLP Management Console.
  2. Open the Agent Configuration menu.
  3. Click Edit Global Agent Configuration.
  4. Select the Miscellaneous tab.
  5. Deselect the components you would like to disable.
  6. Click OK.
  7. On the Agent Configuration menu, click Apply Global Agent Configuration.

NOTE: This will not update custom Agent Configurations. Those must be updated from the ePolicy Orchestrator policy catalog.

To remove Microsoft KB via Command line:

1. Run Command line as admin
2. Run the following commands:

  • "wusa /uninstall /kb:3045685 /quiet /forcerestart"
  • "wusa /uninstall /kb:3045999 /quiet /forcerestart"
  • "wusa /uninstall /kb:3060716 /quiet /forcerestart"
  • "wusa /uninstall /kb:3071756 /quiet /forcerestart"
  • "wusa /uninstall /kb:3083992 /quiet /forcerestart"


Potential impact of disabling handlers:

  • File Copy Handler (introduced in DLP Endpoint 9.3.0): Removable storage protection enhancement adding a Windows Explorer sandbox. In McAfee DLP Endpoint version 9.2, the client software processed files copied by Windows Explorer to removable storage devices before they were actually copied to the destination. The new protection rule algorithm hooks the Windows MoveFile and CopyFile APIs when files are being copied to removable storage, and suspends the transfer until the McAfee DLP Endpoint client software completes the scan and applies the policy. The feature can be deactivated on the Agent Configuration | Miscellaneous page.

  • Portable Device Handler (MTP) (9.3.100, Patch 1): Removable storage protection rules enhancement. Media Transfer Protocol (MTP) support has been added to removable storage protection rules. MTP is a protocol for transferring media files and associated metadata between portable devices or between portable devices and computers. MTP devices are not traditional removable devices because the device implements the file system, not the computer the device is connected to.
    The feature supports all removable storage protection rule actions except Encrypt. Protection rules with the Encrypt action fall back to Block, and files are placed in the quarantine folder. Only USB connections are currently supported.
    Note: Microsoft Windows Server 2003 does not identify removable devices in Windows Explorer. Therefore, removable storage protection rules with MTP support cannot be applied on this platform.

  The following services are affected:
    • Clipboard Service - copying from application to application or outside specified applications.
    • Screen Capture Service - Snagit, Snipping Tool, etc.
    • Internet Explorer Add-on - web post protection
    • Firefox Handler - web post protection
    • Cloud Protection Handlers (all) - protection for cloud storage (Dropbox, Google Drive, Box, etc.)

Related Information

See Microsoft article 3045999 for details on patch MS15-038: https://support.microsoft.com/en-us/kb/3045999
See Microsoft Article for details on MS15-090: https://technet.microsoft.com/en-us/library/security/ms15-090.aspx
See Microsoft Article for details on MS15-085:  https://technet.microsoft.com/en-us/library/security/ms15-085.aspx
See Microsoft Article for details on MS15-038: https://technet.microsoft.com/en-us/library/security/ms15-038.aspx
See Microsoft Article 3083992 for details : https://technet.microsoft.com/library/security/3083992

Windows Server Service Stuck at Pending (How to Force Stop)


McAfee Tomcat service stuck at "STOP pending" and you don't want to restart the server.

First dump all services to a text file to get the name of the service:

D:\edv>sc query > liste.txt

notepad liste.txt

In this sample the Tomcat service from McAfee ePO was stuck:

SERVICE_NAME: MCAFEETOMCATSRV250

Final command to kill the service:

taskkill /fi "Services eq MCAFEETOMCATSRV250" /F

Apple iPhone/iPad/iPod Virus Malware (Hacked Development Platform)

  • Large infection of devices between 17.09.2015 and 21.09.2015
  • Firewall = block the URL init.icloud-analysis.com. This record is currently no longer resolved, but it may still be in a cache. This is the bot control center.
  • Apps outside China are also affected: WinZip, PDFReader (300 apps in total)
  • Check whether an app is on the list. IF SO > remove the app if present and, best of all, change all passwords.
  • No information on Apple's support page so far. The list of apps comes from traffic scans to the URL init.icloud-analysis.com (OpenDNS has precise data on this)
  • Infected iPhones stand out by prompting for credentials

 

http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/

http://www.forbes.com/sites/abigailtracy/2015/09/21/hackers-infiltrated-apples-app-store-heres-what-you-need-to-know/?ss=Security

https://isc.sans.edu/diary/Detecting+XCodeGhost+Activity/20171

http://www.wired.com/2015/09/apple-removes-300-infected-apps-app-store/

http://blogs.blackberry.com/2015/09/faq-how-users-and-it-administrators-can-detect-and-dump-malware-ridden-ios-apps/

https://labs.opendns.com/2015/09/21/xcodeghost-materializes/

Other links:

https://www.elcomsoft.com/PR/recon_2013.pdf (Cracking and Analyzing Apple iCloud backups, Find My iPhone, Document Storage)

The FQDN init.icloud-analysis.com does not resolve anymore, but it resolved to the following IP addresses (from the VT Passive DNS):

2015-07-17 52.2.85.22 AMAZON-AES - Amazon.com, Inc.,US 0/0

2015-05-14 52.4.74.88 AMAZON-AES - Amazon.com, Inc.,US 0/0

2015-05-13 52.6.167.64 AMAZON-AES - Amazon.com, Inc.,US 0/0

2015-04-29 52.68.131.221 AMAZON-02 - Amazon.com, Inc.,US 0/0

2015-04-15 104.238.125.92 AS-26496-GO-DADDY-COM-LLC - GoDaddy.com, LLC,US 0/0

 

How to detect infected devices?

If you're an iPhone user:

• Check for HTTP traffic to http://init.icloud-analysis.com in your firewall or proxy logs.

• Check for traffic to the IP addresses listed above.

• Remove the apps listed as malicious.

• Change passwords on websites used by the malicious applications.

 

If you're a developer:

• Check if the file Library/Frameworks/CoreServices.framework/CoreService exists in the Xcode SDK/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/.

• Always download resources from official locations and double-check the provided hashes (MD5/SHA1).
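Added example (not from the post and not from the ISC diary) that runs the two detection checks above over log lines: it flags proxy or firewall lines that reference init.icloud-analysis.com or one of the passive-DNS addresses listed above, and returns the internal client addresses whose devices need the app list checked. The log lines are constructed samples in Squid native and netfilter-style formats; the client_of() helper is the part to adapt to your own log format.

```python
import re

# Indicators from the post: the C2 host and the addresses it resolved to.
C2_DOMAIN = "init.icloud-analysis.com"
C2_IPS = {"52.2.85.22", "52.4.74.88", "52.6.167.64", "52.68.131.221", "104.238.125.92"}

# Constructed sample lines: two in Squid native access.log format and two in a
# netfilter-style firewall log format. Not real traffic.
SAMPLE_LOG = """\
1442836801.123    212 10.20.30.41 TCP_MISS/200 512 POST http://init.icloud-analysis.com/ - HIER_DIRECT/52.4.74.88 text/html
1442836802.456     80 10.20.30.42 TCP_MISS/200 2048 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
Sep 21 14:00:05 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.30.43 DST=104.238.125.92 PROTO=TCP DPT=80
Sep 21 14:00:06 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.30.44 DST=93.184.216.34 PROTO=TCP DPT=443
"""

URL_HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def indicators_in_line(line):
    """Return the set of C2 indicators (host names or IPs) present in one log line."""
    found = set()
    for host in URL_HOST_RE.findall(line):
        host = host.lower()
        if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
            found.add(host)
    for ip in IPV4_RE.findall(line):
        if ip in C2_IPS:
            found.add(ip)
    return found


def client_of(line):
    """Best-effort source address: SRC= for firewall lines, third field for
    Squid native format. Adapt this to your own log layout."""
    m = re.search(r"\bSRC=(\S+)", line)
    if m:
        return m.group(1)
    parts = line.split()
    if len(parts) > 2 and IPV4_RE.fullmatch(parts[2]):
        return parts[2]
    return "unknown"


def scan(log_text):
    """Return (client, [indicators]) for every line that touches the C2."""
    hits = []
    for line in log_text.splitlines():
        iocs = indicators_in_line(line)
        if iocs:
            hits.append((client_of(line), sorted(iocs)))
    return hits


def clients_to_check(log_text):
    """Distinct internal addresses whose devices need the app list checked."""
    return sorted({client for client, _ in scan(log_text)})


if __name__ == "__main__":
    for client, iocs in scan(SAMPLE_LOG):
        print(client, "->", ", ".join(iocs))
    print("devices to check:", clients_to_check(SAMPLE_LOG))
```

Because the domain no longer resolves, hits on the IP addresses matter as much as hits on the host name: an app with the address cached, or one that was built with a hard-coded fallback, will show up in the firewall log but never in DNS.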

------------------------------------------------------------------------

Infected iOS apps

 

51卡保险箱5.0.1

air2

AmHexinForPad

baba

BiaoQingBao

CamCardv.6.5.1

CamCardv6.5.1

CamScanner

CamScannerLite

CamScannerPro

ChinaUnicom3.x

CSMBP-AppStore

CuteCUT

DataMonitor

FlappyCircle

golfsense

golfsensehd

guaji_gangtaien

GuitarMaster

IHexin

immtdchs

InstaFollower

installer

iOBD2

iVMS-4500

jin

Lifesmart1.0.44

MobileTicket

MoreLikers2

MSL070

MSL108

Musical.ly

nicedev

OPlayer

OPlayer2.1.05

OPlayerLite

PDFReader

PDFReaderFree

Perfect365

PocketScanner

QuickSave

QYER

SaveSnap

SegmentFault2.8

snapgrabcopy

SuperJewelsQuest2

ting

TinyDeal.com

Wallpapers10000

WeChat

WeLoop

WhiteTile

WinZip

WinZipSector

WinZipStandard

下厨房

下厨房4.3.2

中信银行动卡空间3.3.12

中国联通手机营业厅3.2

口袋记账1.6.0

同花

同花9.60.01

马拉雅4.3.8

夫妻床头话1.2

开眼1.8.0

微信6.2.5

微博相机

快速问医生7.73

愤怒的小鸟22.1.1

懒人周

我叫MT21.10.5

我叫MT5.0.1

新三板

滴滴出行4.0.0.6-4.0.0.0

滴滴司机

滴滴打3.9.7.1–3.9.7

炒股公开

电话归属地助手3.6.5

礼包助手

穷游6.6.6

简书2.9.1

网易云音

网易云音2.8.3

网易公开4.2.8

股市

自由之1.1.0

药给力1.12.1

讯飞输入法5.1.1463

豆瓣阅读

铁路123064.5

马拉马拉1.1.0

高德地

高德地7.3.8

Silent Uninstall of Norman Endpoint Protection with Batch / McAfee Migration


One of the endpoint products that does not get uninstalled automatically while migrating a customer to McAfee VSE Enterprise via ePO deployment is Norman Endpoint Protection. Here is how to uninstall their agent silently.

  • McAfee VSE P6 and Norman 9.10.1500 can RUN on the same W7 client temporarily until reboot

Here is what it looks like in the current version:

 

removenorman.cmd

@echo off
:: Uninstall Norman 9.X silent
cls
c:
cd\
:: English and German (Programme) program folder names
if exist "c:\Program Files\Norman\Nse\bin\zlh_nse.dll" "c:\Program Files\Norman\Npm\Bin\delnvc5.exe" /quiet
if exist "c:\Programme\Norman\Nse\bin\zlh_nse.dll" "c:\Programme\Norman\Npm\Bin\delnvc5.exe" /quiet

 

You could run this on clients remotely with PsExec:

psexec @d:\deployment\noch_norman.txt -u domain\administrator -p password -c d:\deployment\removenorman.cmd

  • Make a text file with all PC names under d:\deployment\noch_norman.txt (one PC name per line, then CR)
  • psexec.exe (Sysinternals) and removenorman.cmd have to be in d:\deployment for this

 

Some links:

http://download01.norman.no/npro/docs/130918en-AdminGuide_EndpointProtection_910.pdf

http://support.kaspersky.com/3539

Cannot Upgrade VMware View Client 5.X / Windows Installer Error


You try to install View Agent 5.X on Windows 6 64-bit.

Error: Event 1013, MsiInstaller "Product: View Agent -- The system must be rebooted before installation can continue."

Existing versions:

  • Every time you install it, it should reboot
  • Option /c to clean does not do anything
  • You did remove VMware Tools
  • You did uninstall the old version of View
  • The account has enough permissions and is a local admin

 

You get the MSI Windows Installer logfile with:

VMware-viewagent-x86_64-5.3.5-3038335.exe /V"/l c:\drivers\viewlog.txt REBOOT=Reallysuppress"

MSI (c) (EC:E4) [13:12:26:910]: Doing action: VM_MustReboot

Aktion 13:12:26: VM_MustReboot.

Aktion gestartet um 13:12:26: VM_MustReboot.

Das System muss neu gestartet werden, bevor die Installation fortgesetzt werden kann.

MSI (c) (EC:E4) [13:12:29:317]: Transforming table Error.

 

Check if there are pending reboots or pending file rename operations in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
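Added example (not from the post and not VMware's code) that reads the registry locations above, plus the two the repair batch further down clears (Installer\InProgress and PendingFileRenameOperations), and reports which of them would make the installer demand a reboot. On Windows it reads the live registry; SAMPLE_SNAPSHOT is a constructed reading used for the offline run. Whether a key only needs to exist or needs to hold values to count as "pending" is my reading of how these locations are used and is encoded per entry in CHECKS.

```python
import sys

# (hive, subkey, value name or None, rule). Rule "exists" means the mere
# presence of the key signals a pending operation; "has_values" means the key
# (or the named value) must hold something.
CHECKS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", None, "has_values"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx", None, "has_values"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce", None, "has_values"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired", None, "exists"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress", None, "exists"),
    ("HKLM", r"SYSTEM\CurrentControlSet\Control\Session Manager", "PendingFileRenameOperations", "has_values"),
]

# Constructed snapshot: RunOnce keys present but empty, RebootRequired absent,
# an Installer\InProgress key left behind and two pending file renames.
SAMPLE_SNAPSHOT = {
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"): {},
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx"): None,
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"): {},
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired"): None,
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress"): {},
    ("HKLM", r"SYSTEM\CurrentControlSet\Control\Session Manager"): {
        "PendingFileRenameOperations": [r"\??\C:\Windows\Temp\old.dll", ""],
    },
}


def evaluate(snapshot):
    """snapshot maps (hive, subkey) to a dict of value name -> data, or None when
    the key is absent. Returns the reasons a reboot would still be demanded."""
    reasons = []
    for hive, subkey, value_name, rule in CHECKS:
        values = snapshot.get((hive, subkey))
        if values is None:
            continue  # key absent: nothing pending here
        if value_name is not None:
            data = values.get(value_name)
            if data:
                reasons.append(f"{hive}\\{subkey}\\{value_name}: {len(data)} entries")
        elif rule == "exists":
            reasons.append(f"{hive}\\{subkey} exists")
        elif values:
            reasons.append(f"{hive}\\{subkey}: {len(values)} value(s)")
    return reasons


def snapshot_windows():
    """Read the keys in CHECKS with winreg (Windows only; None elsewhere)."""
    if sys.platform != "win32":
        return None
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap = {}
    for hive, subkey, _, _ in CHECKS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                values, i = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break  # no more values
                    values[name] = data
                    i += 1
        except FileNotFoundError:
            values = None
        snap[(hive, subkey)] = values
    return snap


if __name__ == "__main__":
    snap = snapshot_windows() or SAMPLE_SNAPSHOT
    for reason in evaluate(snap) or ["nothing pending"]:
        print(reason)
```

This is a read-only check; it tells you what the batch below is about to delete, so you can decide whether the pending rename belongs to a real update that should be allowed to finish with a reboot first.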

 

Normally there is then something really wrong in the Windows Installer database, or the installer is missing some MSP/MSI source files or transforms.

Here is how to fix the German client. Do the reboots as it asks for them.

:: VMWARE Repair VIEW Client
:: V1.0, 24.09.2015, M. Butsch

@echo off
cls

:: VMware Tools remove
MsiExec.exe /X{0240CD90-92F5-46EA-AF6D-E9E4092FDCE9} /quiet
MsiExec.exe /X{057921DD-9895-48EE-8094-8274956086B1} /quiet

:: Uninstall View Agent
MsiExec.exe /X{C9E58A5B-0C62-42D3-9303-2131F66C1BD3} /quiet
MsiExec.exe /X{E1BF8D0F-3C8E-43F8-93E7-9E779B2F25AB} /quiet
MsiExec.exe /X{FE2F6A2C-196E-4210-9C04-2B1BC21F07EF} /quiet

:: Clear the stale in-progress installer marker and the pending file renames
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress" /f
reg delete "HKLM\SYSTEM\CURRENTCONTROLSET\Control\Session Manager" /v PendingFileRenameOperations /f

pause

 

 

Reboot the client. 1) Install VMware Tools from vCenter (command Refresh) > Reboot > then run the command:

:: ----------------------------------------------------------------------------
:: Install current version (the /v"..." quoting passes the MSI properties through, as in the logging command above)
\\server\sw$\vmware\view_agent_5.3.5\VMware-viewagent-x86_64-5.3.5-3038335.exe /s /v"/qb+ DESKTOP_SHORTCUT=0 VDM_SERVER=gzfvdm2 REBOOT=ReallySuppress"

 

 

 

(Screenshots in the original post: successful install; end final target; files used.)

 

LAB: Exchange 2013, Mail Stuck in Queue, DNS Set Wrong in ECP


1st October was the release date of Exchange 2016. So we finally take a look at Exchange 2013 in our labs ;-) Exchange 2016 seems to be nothing else than Exchange 2013 SP2. Most of the Office 365 things are now also available on premise (on in-house Exchange 2013).

First bug we had in Exchange 2013 with Outlook 2010:

Error 4.4.1, mail does not get delivered to the 2013 test mailbox after the update to CU10.

You see e-mail incoming in Exchange 2013 from 2007/2010 or from itself, BUT it is not delivered to the mailboxes.

Because of the Outlook Anywhere proxy, the internal and external DNS are important. There are also several hotfixes related in that direction for Outlook 2010 and 2013, mostly cumulative hotfixes after SP2.

https://support.microsoft.com/en-us/kb/2839517

For Outlook 2010.

You get an error 4.4.1 in the Exchange 2013 GUI Toolbox.

  1. Check the DNS settings under ECP / Server / DNS Lookups
  2. Check that the services that work with that are running
  2. Check that the Services that work with that are running

 

 

The issue was related to having an external DNS server entered in the properties of the server's NIC. I had the internal primary and secondary DNS servers entered in the NIC, and in the advanced properties I entered the IP address of our ISP's DNS server. I have done this for the past 8 years in my server NIC configurations and it has saved my butt numerous times. It allows the server to still access the Internet if one\both of the internal DNS servers goes offline\has issues, or if there are network issues. Until now I have never had an issue with this configuration. I do not know if it is an Exchange 2013 or a Server 2012 thing or what, but either way we removed the external DNS server from the NIC and the issue has not returned.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_28220238.html

 


W7: Show hidden Hardware devices


Open a cmd.exe box with elevated permissions:

 

set devmgr_show_nonpresent_devices=1

start devmgmt.msc

In Device Manager: click View, then Show Hidden Devices.

 

Just used in a DLP project where some clients had 94 COM ports.

Sophos UTM 9.314-13 Data Disk is filling up


We use the Sophos appliance under VMware ESXi 5.X, transparent behind our commercial firewalls (just some Wireshark replacement ;-)

The box looks really good and is easy to use. The interface and GUI are just perfect. I like the real-time options.

Like most of the time when you search for a solution to a Linux problem, there seem to be 40 different solutions and recommendations. Worst case you update Perl, the kernel and download 2'000 files. Nobody knows what it does except the guy who wrote it, but that's the same under Windows sometimes.

 

 

Here is how to check the space and enable SSH, which is more complicated because you have to enable SSH with a key.

After you cleaned up with this method:

 

Alert e-mail you get:

Data Disk is filling up - please check. Current usage: 98%

--

System Uptime : 11 days 20 hours 21 minutes

System Load : 0.06

System Version : Sophos UTM 9.314-13

 

Please refer to the manual for detailed instructions.

 

First, to do that, you have to enable SSH and generate a key so you can log on as root.

They made that very nice on the Sophos compared to other appliances ;-)

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

https://opengear.zendesk.com/entries/23216142-Generating-and-uploading-SSH-keys-under-Windows

* Enable SSH

* Make a private/public key pair with PUTTYGEN.exe

* Save the public and private key

Mark the public key completely and paste it into the Sophos appliance (next screen)

 

 

Then give PUTTY.EXE that key to work with:

Now you are able to log on as root to the Sophos and search for big files.

cd /var/storage
du -sh *

There were 1.2 gigabytes of files under /var/storage/pgsql92/data after 2 weeks.

Go to the directory:

cd /var/storage/pgsql92/data/pg_xlog

List with:

ls

Command:

pg_archivecleanup /var/storage/pgsql92/data/pg_xlog 000000010000000000000048

 

(Number 48 was just the last one I had PLUS one > no idea if this is right ;-)

Here are the large files / transaction log files of PostgreSQL (we don't discuss whether this should fill up that fast or what they are):

pg_archivecleanup: must specify restartfilename

Try "pg_archivecleanup --help" for more information.

 

 

frissu:/var/storage/pgsql92/data/pg_xlog # pg_archivecleanup /var/storage/pgsql92/data/pg_xlog 000000010000000000000048

frissu:/var/storage/pgsql92/data/pg_xlog # ls

archive_status

frissu:/var/storage/pgsql92/data/pg_xlog #


 

Server 2008 stuck at "applying computer settings", most services down (IIS, certificates)


Our education/migration lab is the place where we consider every crash as a bonus and a source for learning, and finally reproduce crashes before they happen at customers.

The last massive one we saw was with Server 2008 RTM and Exchange Server on it. We are unsure whether it was disabling IPv6 via the registry or the handling/manipulation of certificate stores (wrong trusted root certificates). Mainly this bug happens with Exchange or SharePoint, and thus the IIS web server, where you handle SAN/wildcard or self-signed certificates.

However > this is what happens:

ERROR:

  • Server 2008 stuck at "applying computer settings"
  • All services are down
  • Your main services like Exchange / SharePoint and VMware Tools are not working
  • You can PING the server. You can PING from within the server.
  • You can't access the \c$ share from outside
  • You can't access a SHARE from within the server

If this already happened:

  1. Reboot in Safe Mode
  2. Open mmc
  3. Add the Services snap-in
  4. Disable all services which you don't need (sample > backup/VMware/VSS/agents; just leave the main Windows services)
  5. Reboot the server normally
  6. Check the HOTFIX from Microsoft
  7. Re-install VMware Tools

     

https://support.microsoft.com/en-us/kb/2379016 (Hotfix Server 2008)

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2005330

 

How to find a Service that LOCKS others because it's stuck

This issue can be caused by a service deadlock in Windows. To confirm, run this command from a command prompt window:

sc querylock

 

You can find more info, very well done, here:

 

http://ss64.com/nt/sc.html

 

If the output contains IsLocked: TRUE, then the service control manager is in a locked state due to a failed service start.
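Added example (not from the post and not Microsoft's code) that serves both this post and the "Service stuck at pending" post above: it parses "sc query" output to list services stuck in a *_PENDING state, builds the taskkill filter command from that post for each of them, and checks "sc querylock" output for IsLocked: TRUE. The sc.exe output embedded below is a constructed sample (display names and counters invented) in the layout sc.exe prints.

```python
import re

# Constructed sc.exe output: one service stuck in STOP_PENDING, as in the ePO
# Tomcat post, one healthy service, and a locked Service Control Manager.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: MCAFEETOMCATSRV250
DISPLAY_NAME: (constructed display name) ePO Application Server
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

SAMPLE_SC_QUERYLOCK = """\
QueryServiceLockStatus SUCCESS
        IsLocked      : TRUE
        LockOwner     : .\\NT Service Control Manager
        LockDuration  : 120 (seconds since acquired)
"""

STATE_RE = re.compile(r"^\s*STATE\s*:\s*(\d+)\s+(\w+)", re.MULTILINE)
PENDING_STATES = {"START_PENDING", "STOP_PENDING", "CONTINUE_PENDING", "PAUSE_PENDING"}


def parse_sc_query(text):
    """Map SERVICE_NAME -> STATE word for every block in 'sc query' output."""
    services = {}
    for block in re.split(r"(?m)^SERVICE_NAME:", text)[1:]:
        name = block.splitlines()[0].strip()
        m = STATE_RE.search(block)
        services[name] = m.group(2) if m else "UNKNOWN"
    return services


def stuck_services(text):
    """Names of services sitting in a *_PENDING state."""
    return sorted(n for n, s in parse_sc_query(text).items() if s in PENDING_STATES)


def taskkill_command(service_name):
    """The force-kill from the 'Service stuck at pending' post, for one service."""
    return f'taskkill /fi "Services eq {service_name}" /F'


def scm_is_locked(querylock_text):
    """True when 'sc querylock' reports IsLocked: TRUE (the SCM deadlock case)."""
    return re.search(r"IsLocked\s*:\s*TRUE", querylock_text) is not None


if __name__ == "__main__":
    # On a real box: sc query > liste.txt, then feed the file in here.
    for name in stuck_services(SAMPLE_SC_QUERY):
        print("stuck:", name, "->", taskkill_command(name))
    print("SCM locked:", scm_is_locked(SAMPLE_SC_QUERYLOCK))
```

When the SCM itself is locked (the Server 2008 case), killing the stuck process is not the fix; the lock is released by the service that holds it, which is why the hotfix or the DependOnService workaround below is needed.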

 

 

When you start a computer that is running Windows Vista Service Pack 2 (SP2) or Windows Server 2008 Service Pack (SP2), the computer stops responding and appears to hang at the "Applying User Settings" or "Applying Computer Settings" stage of the logon process.

You may experience that the "network connections" folder is empty. Additionally, the following services may not start at startup.

Note These services are set to the "Automatic" startup type.

  1. Print Spooler
  2. Terminal Services
  3. Server service
  4. Remote Registry
  5. Windows Management Instrumentation (WMI)
  6. Distributed Transaction Coordinator
  7. Any services that are related to applications

 

Note This issue typically occurs after you install a server certificate and then configure Secure Sockets Layer (SSL) on the computer. For example, you install a SSL server certificate in Internet Information Services (IIS) 7.0 and then enable HTTPS on your website to use the certificate.

 

CAUSE

 

This issue occurs because of a deadlock in the Service Control Manager database.

The Service Control Manager tries to start the HTTP.sys service and then puts a lock in place in the Service Control Manager database. Then, HTTP.sys makes a call that requires Cryptographic Services during startup. Then, a request is sent to start Cryptographic Services. However, a lock is already in place in the Service Control Manager database. Therefore, a deadlock occurs.

 

Note The following method can be used in Windows Safe Mode when you are not able to log on successfully to install the hotfix or fixit.

To work around the issue without installing the hotfix, create a DependOnService registry key to modify the behavior of HTTP.sys. This makes HTTP.sys depend on the cryptsvc service being started first. To do this, follow these steps:

  1. Click Start, type regedit in the Start Search box, and then press ENTER. If you are prompted for an administrator password or for confirmation, type the password, or provide confirmation.
  2. Locate and then click the following registry subkey:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP
  3. On the Edit menu, point to New, and then click Multi-string Value.
  4. Type DependOnService, and then press ENTER.
  5. Right-click DependOnService, and then click Modify.
  6. In the Value data box, type CRYPTSVC, and then click OK.
  7. Exit Registry Editor.
  8. Restart the computer.

 

Exchange 2013 CU10, unable to log on to /OWA with a user, "Something went wrong"


Absolutely fresh Exchange 2013 CU10 install on Server 2012 R2 English with a DC 2008 R2. Not updated! Installed directly from CU10. The only thing done: self-signed SAN cert from the 2008 R2 CA integrated and the virtual directories bent to that.

  • Event 3008
  • You are unable to log on to /OWA with a user
  • You get a warning "Something has failed"
  • All Exchange services are up
  • You are able to log on to /ECP with the admin account you made
  • You checked the file AntiXSSLibrary and it's there where it should be
  • Your browser URL after the logon attempt shows ErrorFE.aspx?httpCode=500
  • With ActiveSync debug tools like MD MobilityDojo.net EAS you get "The remote server returned an error: (500) Internal Server Error"

This is how it looks:

"Something went wrong". Yes, I test-migrated from 2010 to 2013. Or I take a look at what went wrong in 2013 ;-) No, it's just a new 3-year-old MS product ;-)

This should appear:

 

Event 3008

C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\owa\web.config line 107

Could not load file or assembly 'AntiXSSLibrary, Version=4.2.0.0, Culture=neutral, PublicKeyToken=d127efab8a9c114f' or one of its dependencies. The system cannot find the file specified.

Event code: 3008

Event message: A configuration error has occurred.

Event time: 13.10.2015 15:13:18

Event time (UTC): 13.10.2015 13:13:18

Event ID: 80f73be924da451895c60d1e3e8be77e

Event sequence: 1

Event occurrence: 1

Event detail code: 0

 

Application information:

Application domain: /LM/W3SVC/2/ROOT/owa-4-130892155979061374

Trust level: Full

Application Virtual Path: /owa

Application Path: C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\owa\

Machine name: SRV2013

 

Process information:

Process ID: 9380

Process name: w3wp.exe

Account name: NT AUTHORITY\SYSTEM

 

Exception information:

Exception type: ConfigurationErrorsException

Exception message: Could not load file or assembly 'AntiXSSLibrary, Version=4.2.0.0, Culture=neutral, PublicKeyToken=d127efab8a9c114f' or one of its dependencies. The system cannot find the file specified. (C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\owa\web.config line 107)

at System.Web.Configuration.CompilationSection.LoadAssemblyHelper(String assemblyName, Boolean starDirective)

at System.Web.Configuration.AssemblyInfo.get_AssemblyInternal()

at System.Web.Compilation.BuildManager.GetReferencedAssemblies(CompilationSection compConfig)

at System.Web.Compilation.BuildManager.CallPreStartInitMethods(String preStartInitListPath, Boolean& isRefAssemblyLoaded)

at System.Web.Compilation.BuildManager.ExecutePreAppStart()

at System.Web.Hosting.HostingEnvironment.Initialize(ApplicationManager appManager, IApplicationHost appHost, IConfigMapPathFactory configMapPathFactory, HostingEnvironmentParameters hostingParameters, PolicyLevel policyLevel, Exception appDomainCreationException)

 

Could not load file or assembly 'AntiXSSLibrary, Version=4.2.0.0, Culture=neutral, PublicKeyToken=d127efab8a9c114f' or one of its dependencies. The system cannot find the file specified.

at System.Reflection.RuntimeAssembly._nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, RuntimeAssembly locationHint, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean throwOnFileNotFound, Boolean forIntrospection, Boolean suppressSecurityChecks)

at System.Reflection.RuntimeAssembly.InternalLoadAssemblyName(AssemblyName assemblyRef, Evidence assemblySecurity, RuntimeAssembly reqAssembly, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean throwOnFileNotFound, Boolean forIntrospection, Boolean suppressSecurityChecks)

at System.Reflection.RuntimeAssembly.InternalLoad(String assemblyString, Evidence assemblySecurity, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean forIntrospection)

at System.Reflection.RuntimeAssembly.InternalLoad(String assemblyString, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection)

at System.Reflection.Assembly.Load(String assemblyString)

at System.Web.Configuration.CompilationSection.LoadAssemblyHelper(String assemblyName, Boolean starDirective)

 

Request information:

Request URL: https://localhost:444/owa/proxylogon.owa

etc....

 

Warning: Here is a "solution" which we don't like, because the file, as its name says, is a configuration file for a web service. Copying such things around on a security product? But it solves the error!

Solution:

Copy the file SharedWebConfig.config

From: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\

To: C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\

Then run "iisreset" from a command prompt, or reboot the Exchange server.

Afterwards you are able to log on with users.
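Added example (not from the post): a PowerShell script that performs the copy above but first confirms the symptom in owa\web.config, backs up any SharedWebConfig.config already present in ClientAccess and compares hashes before overwriting. It assumes the default V15 install path shown in the event and PowerShell 4 (Server 2012 R2) for Get-FileHash.

```powershell
# Added example, not the post's own code. Assumes the default Exchange 2013 V15 path.
$exRoot  = 'C:\Program Files\Microsoft\Exchange Server\V15'
$source  = Join-Path $exRoot 'FrontEnd\HttpProxy\SharedWebConfig.config'
$target  = Join-Path $exRoot 'ClientAccess\SharedWebConfig.config'
$owaConf = Join-Path $exRoot 'ClientAccess\owa\web.config'

# Confirm this is really the symptom from the post: owa\web.config references AntiXSSLibrary
if (-not (Select-String -Path $owaConf -Pattern 'AntiXSSLibrary' -Quiet)) {
    Write-Warning "$owaConf does not reference AntiXSSLibrary; this workaround may not apply."
}
if (-not (Test-Path $source)) { throw "Source file missing: $source" }

if (Test-Path $target) {
    # A file is already there: compare hashes so a different config is not silently overwritten
    $srcHash = (Get-FileHash $source -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash $target -Algorithm SHA256).Hash
    if ($srcHash -eq $dstHash) {
        "ClientAccess already has an identical SharedWebConfig.config; nothing to do."
        return
    }
    $backup = "$target.$(Get-Date -Format yyyyMMdd-HHmmss).bak"
    Copy-Item $target $backup
    "Existing file backed up to $backup"
}

Copy-Item $source $target
"Copied $source -> $target"

# The new config is only picked up after the worker processes restart
iisreset
```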

 

Activesync Test

IE11 GPO Settings, PROXY Explained F5-F8


Internet Explorer, Group Policy, Gruppenrichtlinien, IE11 GPO Settings, PROXY Explained F5-F8

  1. IE11 has to be installed so you see the IE10 option
  2. There is no IE11 option > that's OK > choose IE10, it will work for IE11
  3. You are on SRV 2012 R2 or W8 to see this option, or on W7 with the updates installed
  4. You tried it and it always fails, or you get too MANY GPO settings from the GUI mode.

     

This is what we are talking about and what seems to cause confusion. People set it up with this and in the end did it with HKCU keys instead.

You configure the options with the F5, F6, F7 and F8 keys in the GUI. Only select the options you want to change.

ALL RED > will not be touched (like a GPO setting left at DEFAULT)

ALL GREEN > will be touched or changed (like a GPO setting ENABLE/DISABLE), depending on whether the checkbox in the GUI is selected or not.

GREEN = settings you want to change

RED = leave it as it is

Some sample settings

If you go back one step in the GPO console and do an F5 / Refresh

you should only see the options you marked GREEN with F7 or F8

 

Let's make a sample (of settings I don't want touched)

See: forgot two things, and it's not clear how to select them under Security

Back in the GPO console one step, F5 / Refresh

The above-mentioned settings are RED, thus gone / not touched

We recommend enabling a check if you deploy registry keys or such settings with GPO instead of with a deployment tool.

Make sure you have a WMI filter that also captures IE11
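Added example (not from the post): a PowerShell check of the HKCU Internet Settings values a proxy GPO is supposed to produce, so you can verify that the settings you marked GREEN actually landed on the client and the RED ones stayed untouched. The expected values are a constructed sample with a placeholder proxy host; replace them with what your policy sets.

```powershell
# Added example, not the post's own code. Run as the user whose policy you want to verify.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Constructed sample of what the GPO is supposed to write (GREEN settings).
# $null means the value must NOT exist, i.e. the setting was left RED / untouched.
$expected = @{
    ProxyEnable   = 1
    ProxyServer   = 'proxy.example.local:8080'    # placeholder, not a real host
    ProxyOverride = '<local>;*.example.local'     # placeholder
    AutoConfigURL = $null                          # must stay absent in this sample
}

$actual = Get-ItemProperty -Path $key
$mismatches = 0
foreach ($name in $expected.Keys) {
    $have = $actual.$name
    $want = $expected[$name]
    if ($null -eq $want) {
        if ($null -ne $have) { "MISMATCH $name is '$have' but should be absent"; $mismatches++ }
        else                 { "OK       $name absent as intended" }
    } elseif ("$have" -ne "$want") {
        "MISMATCH $name = '$have' (expected '$want')"; $mismatches++
    } else {
        "OK       $name = '$have'"
    }
}
# Non-zero exit code lets a logon script or monitoring job flag the client
exit $mismatches
```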

Check out these IE11 links:

http://www.butsch.ch/post/IE11-IEAK-11-Setup-9-PRE-Deployment-Patches-2b-1-Hotfix.aspx

http://www.butsch.ch/post/Internet-Explorer-911-GPO-old-IE9-not-visible-WMI-checks.aspx

http://www.butsch.ch/post/IE11-Umsetzen-Unternehmensmodus-Enterprise-Mode.aspx


Exchange 2013/2016


Dump all permissions of the Exchange virtual directories (IIS). This helps to get an overview of the permissions set in IIS and within Exchange.

This Russian blog has an excellent description of the script:

http://sysmagazine.com/posts/204454/

http://msbro.ru/index.php/archives/4705

 

# Needs the IIS PowerShell provider (IIS:\ drive and Get-Web* cmdlets)
Import-Module WebAdministration

get-website | ForEach-Object -Process {
    # Switch into the IIS drive for this site and print its name as a header
    $xSite = "IIS:\sites\" + $_.Name
    cd $xSite
    $xSite
    $myWebApp = get-webApplication
    # One row per application: which authentication methods are enabled, plus the SSL flags
    $myWebApp | Format-Table -AutoSize Path ,
    @{Label= "Anonymous:" ; Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/anonymousAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
    @{Label= "Basic:"; Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/basicAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
    @{Label= "ClientCert:"; Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/clientCertificateMappingAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
    @{Label= "Digest:"; Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/digestAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
    @{Label= "IIS client Cert:"; Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/iisClientCertificateMappingAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
    @{Label= "Windows"; Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/windowsAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
    @{Label= "SSL Flags"; Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/access -Name * -PSPath $xSite -location $_.Path).SSLflags }}
}

Complex IT-Support in Germany


Guide for complex technical telephone IT support at a German company.

 

From listening to several hours of German IT support we have found a formula to shorten complex enterprise problems into a few steps. This SOP is valid for all environments and for all ranges of IT management. ;-)

Just follow this rule and you can work in every German IT company.


Mcafee Security for Exchange 8.5 Patch 1 Update fails on 2010 SP3 CAS with HUB roll


Problem: McAfee Security for Exchange 8.5 Patch 1 update fails on a 2010 SP3 CAS with HUB role

Product: McAfee Security for Microsoft Exchange -- Error 1920.Service MSExchangeIS (MSExchangeIS) failed to start. Verify that you have sufficient privileges to start system services.

Migration Groupshield / McAfee Security for Exchange 8.6 to Patch 1

We first thought this was related to a permissions problem, but afterwards saw that it also happens with an account that has the highest privileges (Exchange, local, schema, AD etc.).

 

Make sure you have a backup of Groupshield before you start the update process. You can export it from within Groupshield.

Product: McAfee Security for Microsoft Exchange -- Error 1920.Service MSExchangeIS (MSExchangeIS) failed to start. Verify that you have sufficient privileges to start system services.

 

Logfile Windows Installer

MSI (s) (C4:AC) [08:50:13:980]: Executing op: ServiceControl(,Name=MSExchangeIS,Action=1,Wait=1,)

StartServices: Service: MSExchangeIS

Error 1920.Service MSExchangeIS (MSExchangeIS) failed to start. Verify that you have sufficient privileges to start system services.

MSI (s) (C4:AC) [08:51:38:394]: Product: McAfee Security for Microsoft Exchange -- Error 1920.Service MSExchangeIS (MSExchangeIS) failed to start. Verify that you have sufficient privileges to start system services.

 

Error 1920.Service MSExchangeIS (MSExchangeIS) failed to start. Verify that you have sufficient privileges to start system services.

MSI (s) (C4:AC) [08:52:52:544]: Product: McAfee Security for Microsoft Exchange -- Error 1920.Service MSExchangeIS (MSExchangeIS) failed to start. Verify that you have sufficient privileges to start system services.

 

Error 1920.Service MSExchangeIS (MSExchangeIS) failed to start. Verify that you have sufficient privileges to start system services.

MSI (s) (C4:C4) [08:56:40:966]: I/O on thread 2460 could not be cancelled. Error: 1168

MSI (s) (C4:C4) [08:56:40:966]: I/O on thread 8360 could not be cancelled. Error: 1168

MSI (s) (C4:C4) [08:56:40:982]: I/O on thread 8428 could not be cancelled. Error: 1168

MSI (s) (C4:C4) [08:56:40:982]: I/O on thread 9132 could not be cancelled. Error: 1168

MSI (s) (C4:C4) [08:56:40:982]: I/O on thread 7128 could not be cancelled. Error: 1168

MSI (s) (C4:C4) [08:56:40:982]: I/O on thread 5440 could not be cancelled. Error: 1168

MSI (s) (C4:AC) [08:56:40:982]: Product: McAfee Security for Microsoft Exchange -- Error 1920.Service MSExchangeIS (MSExchangeIS) failed to start. Verify that you have sufficient privileges to start system services.alert

 

Solution:

Press Cancel; the Windows Installer will do a small rollback.

Start the setup again.

Fill in the paths for the install and the database exactly as you had them before!

Choose the option IMPORT as the last step and all settings will be kept.

Run the installation again.

 

WSUS: SRV 2008 R2, Code 8007EE2


Server 2008 R2

Error code 8007EE2, Windows Update encountered an unknown error

Try the easy things first:

wuauclt.exe /resetauthorization

wuauclt.exe /reportnow

wuauclt.exe /reportnow /detectnow

wuauclt.exe /UpdateNow

Reboot

If that does not solve it, try:

net stop wuauserv
net stop bits

Then go to the following folders and delete the contents:

c:\windows\softwaredistribution\Download – delete all files in it
c:\windows\softwaredistribution\DataStore – delete DataStore.edb
c:\windows\softwaredistribution\DataStore\Logs – delete all files in it
c:\windows\softwaredistribution\PostRebootEventCache – delete all files in it

net start wuauserv
net start bits

Reboot the server.

If this does not fix the error, reinstall the WSUS client. Install the latest Windows Update client for your OS from:

https://support.microsoft.com/de-de/kb/3065987
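Added example (not from the post): a PowerShell 2.0-compatible script for Server 2008 R2 that first reads the WUServer policy value and tests that the WSUS host and port are reachable (8007EE2 is 0x80072EE2, a WinINet timeout, so a client that cannot reach its WSUS server is a typical cause), and only then performs the service stop / folder cleanup / restart steps listed above. The policy registry path and the TCP port test are my assumptions; the folders are the ones from the post.

```powershell
# Added example, not the post's own code. Run elevated. PowerShell 2.0 compatible.
# 1. Where does this client think its WSUS server is? (policy key set by GPO)
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuServer = (Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue).WUServer
if (-not $wuServer) {
    Write-Warning 'No WUServer policy set; this client is not pointed at a WSUS server.'
    return
}

# 2. Can we actually open the WSUS port? A timeout here explains 8007EE2 by itself.
$uri = [Uri]$wuServer
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($uri.Host, $uri.Port)
    "WSUS $($uri.Host):$($uri.Port) is reachable, continuing with the client reset"
} catch {
    Write-Warning "Cannot reach $wuServer ($_). Fix network/firewall first; resetting the client will not help."
    return
} finally {
    $tcp.Close()
}

# 3. Reset the client store: same steps and folders as the post
Stop-Service wuauserv, bits -Force
$sd = "$env:windir\SoftwareDistribution"
Remove-Item "$sd\Download\*"              -Recurse -Force -ErrorAction SilentlyContinue
Remove-Item "$sd\DataStore\DataStore.edb" -Force          -ErrorAction SilentlyContinue
Remove-Item "$sd\DataStore\Logs\*"        -Force          -ErrorAction SilentlyContinue
Remove-Item "$sd\PostRebootEventCache\*"  -Recurse -Force -ErrorAction SilentlyContinue
Start-Service bits, wuauserv

# 4. Force a fresh registration and detection against the WSUS server
wuauclt.exe /resetauthorization /detectnow
"Client reset done; reboot the server and check for updates as described above."
```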

In the end it should look like this AFTER you click "Check for updates"

 

 

Check out:

http://www.butsch.ch/post/WSUS-Windows-Update-Server-Most-common-Problems-FAQ.aspx

http://www.butsch.ch/post/WSUS-Windows-Update-Client-Agent-Commandline-wuaucltexe.aspx


WSUS: Uninstall Patch KB3102429, Crystal Reports, SAP, C# (VS2005), PABS


Microsoft patch 3102429 seems to cause problems with Crystal Reports, SAP and some C++ applications that contain Crystal Reports components.

http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_programs/windows-update-kb3102429-does-not-play-well-with/d4ac7c27-da72-4842-b44f-370128cd0993

http://scn.sap.com/thread/3828829

Here is a batch file to uninstall the patch silently:

 

:: V1.0, 02.12.2015, M. Butsch, SSE
:: Uninstalls KB3102429 silently and logs the result per computer to a central share
set myserver=myserverswitzerland001

:: Check if the patch is installed (the HotFixID column reads "KB3102429")
c:\windows\system32\wbem\wmic.exe qfe GET HOTFIXID | find "3102429"
if %errorlevel%==0 goto found
goto notfound

:found
:: Remove/uninstall the patch silently, without an automatic reboot
c:\windows\system32\wusa.exe /uninstall /kb:3102429 /quiet /norestart
echo %date%,%time%,%computername%,%username%,%~dpnx0 >> \\%myserver%\logfiles$\3102429\found\%computername%.txt
goto ende

:notfound
echo %date%,%time%,%computername%,%username%,%~dpnx0 >> \\%myserver%\logfiles$\3102429\notfound\%computername%.txt
goto ende

:ende

Enteo V7, Server 2012R2 Missing component

IT: Slow Exchange 2013 LAB, slow Outlook.exe under ESXi 5.5


We have been checking out Exchange 2013 in our lab for some weeks now. Yes, 2016 is out, but most larger companies still live fine with Exchange 2010 on premise if they have a complex setup with Kemp.

Here are some performance problems we have also seen in our labs under VMware:

https://support.microsoft.com/en-us/kb/2995145

Performance issues or delays when you connect to Exchange Server 2013 that is running in Windows Server

For Exchange Server 2013 that is installed on Windows Server 2012 R2, use one of the following methods:

•    Create the COMPLUS_DisableRetStructPinning environment variable and set its value to 1.

•    Create a DWORD value named DisableRetStructPinning under the following registry subkey and set it to 1:

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework

VMware, VMXNET3 the source of all evil?

But there is also a source of problems on the client side. Some people tweak stack settings on Windows 7 and finally find out it's a bad VMware setup, especially the VMXNET3 driver. Well, time for another round-up of the VMXNET vs. E1000 driver choice wars. Yes, VMXNET is 30% faster if you test in labs.

But what if you end up with problems like these?

https://community.spiceworks.com/topic/571571-outlook-slow-after-migrating-to-exchange-2013

 
