If you experience problems with Forefront Client Security (or Windows Defender), and likely also the new free Microsoft antivirus, here are some tips for debugging it:

Look for the file called:

MpCmdRun.exe

On Forefront Client Security this is found in:

C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware

If you open a command prompt and run this command with -? you will get a list of debugging switches; among others there are restore commands that will reset the configuration of the client.

One command likely to be useful when debugging performance issues is:

MpCmdRun.exe -trace

However, I have been unable to determine how to decode the .bin file created, so if you have any suggestions please let me know. If you look in the .log file in the same directory you will get some historic information which may prove useful. Also, there are still the good old utilities from Sysinternals (e.g. Filemon) to assist you.

All very useful.

Here are the switches for Forefront Client Security:

   -Scan [-ScanType]
        0  Default, according to your configuration
        1  Quick scan
        2  Full system scan
   -Trace [-Grouping] [-Level]
        Begins tracing Microsoft Forefront Client Security's actions.
        You can specify the components for which tracing is enabled and
        how much information is recorded.
        If no component is specified, all the components will be logged.
        If no level is specified, the Error, Warning and Informational levels
        will be logged. The data will be stored in the support directory
        as a file having the current timestamp in its name and bearing
        the extension BIN.
        [-Grouping]
        0x1    Service
        0x2    Malware Protection Engine
        0x4    User Interface
        0x8    Real-Time Protection
        0x10   Scheduled actions
        [-Level]
        0x1    Errors
        0x2    Warnings
        0x4    Informational messages
        0x8    Function calls
        0x10   Assertions
   -GetFiles
        Gathers the following log files and packages them together in a
        compressed file in the support directory
        - Any trace files from Microsoft Forefront Client Security
        - The Windows Update history log
        - All FCSAM or FCSAMRtp events from the
          System and Application event log
        - All relevant Microsoft Forefront Client Security registry locations
        - All software information from Software Explorer
   -RemoveDefinitions
        Restores the last set of signature definitions
   -RemoveDefinitions -All
        Rolls the signature definitions back to the default signature set
        and removes any installed signature and engine files.Use this
        option if you have difficulties trying to update signatures.
   -RestoreDefaults
        Resets all configuration options to their default values; this is the
        equivalent of running Microsoft Forefront Client Security setup
        unattended.
   -GetSWE
        Exports the contents of Software Explorer into a file named MPSWE.txt
        in the support directory
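As an added example (not code from the original post), here is a small PowerShell wrapper that builds the -Grouping and -Level masks from the tables above instead of working out the hex by hand, so that a performance problem can be traced for just the engine and real-time components rather than everything. The MpCmdRun.exe path is the one given above; that the masks are passed as 0x.. hex strings is an assumption.

```powershell
# Added example, not part of the original post. Path and bit values are the ones
# quoted above; passing the masks as 0x.. hex strings is an assumption.
$MpCmdRun = 'C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe'

# [-Grouping] and [-Level] bits, copied from the -Trace help text
$Grouping = @{ Service = 0x1; Engine = 0x2; UI = 0x4; RealTime = 0x8; Scheduled = 0x10 }
$Level    = @{ Errors = 0x1; Warnings = 0x2; Info = 0x4; Calls = 0x8; Asserts = 0x10 }

function Get-TraceMask {
    param([hashtable]$Table, [string[]]$Names)
    $mask = 0
    foreach ($n in $Names) {
        if (-not $Table.ContainsKey($n)) {
            throw "Unknown flag '$n'. Valid flags: $($Table.Keys -join ', ')"
        }
        $mask = $mask -bor $Table[$n]
    }
    return '0x{0:X}' -f $mask
}

# Machine crawling during scans or real-time protection? Trace only the engine and
# real-time components at error/warning/info level rather than every component.
$g = Get-TraceMask $Grouping @('Engine', 'RealTime')          # 0xA
$l = Get-TraceMask $Level    @('Errors', 'Warnings', 'Info')  # 0x7
& $MpCmdRun -Trace -Grouping $g -Level $l   # reproduce the problem while this runs

# Afterwards bundle the .bin traces, event log entries and registry data for support
& $MpCmdRun -GetFiles
```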

Want to keep track of your car, kids, wife or whatever? Well, there are tons of solutions for this today. I just read about one called www.inanny.de (www.inanny.dk for Danes); this seems to be quite an organized setup and thus perhaps more reliable than some of the discount solutions on the market. So if you are in the market for some GPS tracking, maybe the www.inanny.de site is worth a visit. I have done no research into pricing (the unit seems cheap enough; however, there may be some monthly fee or what not).

If your native tongue is Danish, and you are somewhat of a newbie to securing your PC, then this page may be a good place to begin: it will give you the option to have your PC scanned and offer general suggestions for improving your online security.

www.Opdaterdinpc.dk

If you are debugging why a particular user keeps getting locked out with his/her domain account, then you may want to give this tool a spin. It's a freebie from Microsoft called "Account Lockout Status", and what it does is let you see some useful info on the user's bad password count etc. on all Domain Controllers in the domain. Useful stuff, even if it's a golden oldie by now 🙂

JSI also has a few lines about it.

You can also get a "package deal" called "Account Lockout and Management Tools" from Microsoft that includes some additional utilities, among others an advanced Event Log filter (it can gather from several servers and filter in different ways) that can also be tweaked to display additional info from AD on each user object.

There is a good TechNet article on it here:
http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx
This includes how to install and uninstall the debugging DLLs.
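As an added example (not from the original post or the Microsoft tool), here is the same per-DC view that "Account Lockout Status" gives, done in PowerShell; it assumes the ActiveDirectory module from RSAT is installed and the user name 'jdoe' is a placeholder.

```powershell
# Added example, not from the original post: the per-DC view the "Account Lockout
# Status" tool shows, assuming the ActiveDirectory PowerShell module (RSAT).
Import-Module ActiveDirectory

function Get-LockoutStatus {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # badPwdCount / badPasswordTime are not replicated, so every DC is asked directly.
    # Bad logons are also forwarded to the PDC emulator, which therefore shows the
    # aggregate; the other DC with a high count is the one whose Security log to read.
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                    -Properties BadPwdCount, LastBadPasswordAttempt, LockedOut, AccountLockoutTime
            [pscustomobject]@{
                DC          = $dc.HostName
                BadPwdCount = $u.BadPwdCount
                LastBadPwd  = $u.LastBadPasswordAttempt
                LockedOut   = $u.LockedOut
                LockoutTime = $u.AccountLockoutTime
            }
        }
        catch {
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        }
    }
}

# 'jdoe' is a placeholder user name
Get-LockoutStatus -SamAccountName 'jdoe' |
    Sort-Object BadPwdCount -Descending |
    Format-Table -AutoSize
```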

Want to seriously harden your Windows installation? You may find some inspiration here: http://nvd.nist.gov/fdcc/index.cfm This is an ongoing IT hardening project driven by the US NIST with help from the NSA and USAF, among others.

Maybe not that useful to the regular user, but might be inspirational to corporate users.

You may be aware of utilities like ERD (from Microsoft, formerly Winternals; sadly only available to certain Microsoft license holders) that will allow you to change the password for a Windows account, thus effectively giving you access to the data on the PC/server.

There can be legitimate reasons for this (forgotten passwords etc.), but some users may have a more sinister motive: to gain unauthorized access. For the latter group utilities like ERD have a drawback: they leave traces behind, since when the original user tries to log on he can't, as you changed the password. Now there are ways around this; some other utilities allow you to dump the password database before you change it, then afterwards (once you have got all the data) you can re-inject the original password, and only a close examination would reveal your traces.

But now there is a new player on the market, Kon-Boot. This small boot CD does something very clever indeed: it allows you to boot into Windows as normal via the CD, and once asked for the password you can just enter anything; Kon-Boot simply bypasses the password check. Clever indeed.

A few problems/concerns though:

  • Is Kon-Boot safe (or does it leave something nasty behind, e.g. a rootkit)? Some experienced guys took it upon themselves to check just this, and their preliminary finding is that it appears safe enough (no apparent traces left behind).
  • EFS and disk encryption will defeat this: you will not be able to read EFS (Microsoft Encrypting File System) files, and disk encryption in general would serve as protection against booting via a Kon-Boot bypass CD/DVD (this may however not apply to all encryption schemes / software brands).
  • Allegedly this bypass is only possible for local machine accounts and not for domain accounts (however, if you use a local admin account, then once you are a local admin you will have full access to the entire disk (except EFS) and all data on it, so this may not be a big deal).

I will have to experiment a bit with this in the near future; it sounds disturbing.
Update: I just tested this on a VM, and it works just as advertised on an XP installation. Interesting indeed...

Update 2: I checked this with a domain account; if the user has his profile/password cached (has been logged on previously) you CAN log on locally and access the user's data, BUT of course with no access to network resources, and you will see a warning that your credentials have expired (or something to that effect). I also tried a locked/disabled account, and here I was unable to log on.

Read this excellent post by Claus Valca on Kon-Boot.

And see the YouTube demo of how it works.

I just stumbled across a blog post from Claus Valca referring to VistaPE; as far as I can judge, this is more or less a replacement for BartPE, which has been dead in the water since 2006.

VistaPE should allow you to create a bootable CD/DVD with the Vista kernel (much as BartPE did with the XP kernel); this is useful as a recovery/imaging/repair/virus cleanup tool etc. I have previously created antivirus cleanup CDs using BartPE, but maybe VistaPE could offer better compatibility with later hardware models.

I will add this to my "I have to look into this" list (which sadly has become quite long).

A quick security tip for you: on your laptop/netbook, check your network configuration and remove the check mark under "File & Printer Sharing" for your wireless adapter.


Why? Well, you likely do not share that many files/folders/printers (if, as I suspect, any) from your PC while working wirelessly. Now, where do you use your wireless network? ANYWHERE: in hotels, at work and at home, and as many vulnerabilities target the ports used by "File and Printer Sharing", you are unnecessarily exposed. Once it is disabled you can still access shares on a file server and on other computers; you just cannot share from your own computer (wireless only; sharing still works over the wired network).

Why not do it on all adapters, you say (including your wired LAN)? Well, if you are not sharing any files or printers, go ahead; it will all improve your security. However, if you occasionally share files with co-workers etc., then this may not be ideal for you.

Think about it: how often do you share files or printers with co-workers/friends/family via a wireless network? Rarely, right? And when you are at Starbucks or wherever, which type of connection do you use? Wireless! Exactly, and that is why you should at least disable "File and Printer Sharing" for your wireless network card.

PROS: Really raises your security level in exposed environments, with no real loss in options, speed or productivity.

CONS: None really, unless you really need "File and Printer Sharing" via your wireless adapter (which, as I mentioned, is fairly unlikely).
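As an added example (not from the original post), here is the same change scripted for newer Windows versions: it unbinds "File and Printer Sharing for Microsoft Networks" (component ID ms_server) from every wireless adapter only, leaving wired adapters alone. It assumes Windows 8 / Server 2012 or later, where the NetAdapter cmdlets exist; the GUI check box described above is the equivalent on XP/Vista.

```powershell
# Added example, not from the original post. Assumes Windows 8 / Server 2012 or later
# (NetAdapter module). Wireless NICs report a PhysicalMediaType of 'Native 802.11'.
function Disable-WirelessFileSharing {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $wifi = Get-NetAdapter | Where-Object { $_.PhysicalMediaType -match '802\.11' }
    if (-not $wifi) { Write-Warning 'No wireless adapter found'; return }

    foreach ($nic in $wifi) {
        # ms_server = "File and Printer Sharing for Microsoft Networks";
        # ms_msclient (the client side) is left enabled, so you can still reach other shares.
        $binding = Get-NetAdapterBinding -Name $nic.Name -ComponentID ms_server
        if ($binding.Enabled -and $PSCmdlet.ShouldProcess($nic.Name, 'Disable File and Printer Sharing')) {
            Disable-NetAdapterBinding -Name $nic.Name -ComponentID ms_server
        }
        # Show the resulting state for this adapter
        Get-NetAdapterBinding -Name $nic.Name -ComponentID ms_server |
            Select-Object Name, DisplayName, Enabled
    }
}

Disable-WirelessFileSharing -WhatIf   # dry run; drop -WhatIf to apply (needs an elevated prompt)
```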

Workaround if you DO need file sharing wirelessly:
Yes, of course you can have your cake and eat it too.
If you need to share files with friends, coworkers etc., there is a nifty small freeware utility that may be of interest to you called HFS; it's basically a small web server that you can run on demand (it does not install any services, autolaunch at startup etc.). All you need to do is download it, run it and then drag the files you wish to share into it; your coworker, friend or whoever can simply download the file via his/her browser (you can even set a password or limit the download speed so they don't steal all your bandwidth).

If you use the excellent "Free Download Manager" (FDM) you should make sure you have the latest version and patches installed; a serious security bug was discovered on Feb 2nd 2009 by Secunia.com.

If you have ever had problems with autorun files in Windows (within a corporate environment), here is some good news for you.

If, in your environment, you set up a GPO to disable autorun.inf to combat the spread of viruses/malware, you were likely disappointed: yes, the setting was propagated to the PCs, but it did not stop all autorun.inf files from executing. The problem (among other things) had to do with the complexities of autorun introduced with USB devices (before, it was only CDs and disks).

Anyway, FINALLY Microsoft has come up with a patch; let's just hope it works out 🙂 I have not had the opportunity to test it yet.

The patch should be introduced via Windows Update; for more details look here:
http://www.microsoft.com/technet/security/advisory/967940.mspx

Update March 8th 2009: I tested the patch, and it DOES now work on network shares as well. Excellent 🙂
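As an added example (not from the original post), here is a PowerShell check for whether a machine actually ends up with autorun disabled after the GPO and the patch: it reads the machine-wide Explorer policy values. The value names and the expected settings (NoDriveTypeAutoRun = 0xFF for all drive types, HonorAutoRunSetting = 1, which the patched shell requires before it honours the first value) are taken from the Microsoft advisory linked above and its KB article, so treat them as an assumption to verify against that page.

```powershell
# Added example, not from the original post. Value names and the 0xFF / 1 settings are
# taken from the advisory linked above (KB967715); stated here as an assumption.
function Test-AutorunDisabled {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    $noDrive = $p.NoDriveTypeAutoRun     # 0xFF = autorun off for every drive type (GPO "All drives")
    $honor   = $p.HonorAutoRunSetting    # 1 = the patched shell obeys NoDriveTypeAutoRun

    [pscustomobject]@{
        NoDriveTypeAutoRun  = $(if ($null -ne $noDrive) { '0x{0:X2}' -f $noDrive } else { '(not set)' })
        HonorAutoRunSetting = $(if ($null -ne $honor)   { $honor } else { '(not set)' })
        # Both must be present for autorun.inf to be ignored on USB and network drives too
        Effective           = ($noDrive -eq 0xFF) -and ($honor -eq 1)
    }
}

Test-AutorunDisabled | Format-List
```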