
Working with Extra.dat McAfee Threat Center November 23, 2009

Posted by John Ruby in Solutions.

McAfee Threat Center
Working with EXTRA.DAT files

Explanation of EXTRA.DAT Files

EXTRA.DAT files contain information that is used by VirusScan to detect a new virus. When a major virus is discovered and extra detection is required, an EXTRA.DAT file is made available until the normal VirusScan update is released. These EXTRA.DATs can be downloaded from the Newly Discovered Threats page, the Recently Updated Threats page, or the Removal Instructions section of the description for the major virus. When this EXTRA.DAT file is added to the VirusScan folder on your hard drive, it is used by the product in addition to its normal DAT files to detect the new virus. This enables VirusScan to protect your computer from the new virus until the official update that contains the virus detection/removal information is released. Once the official update is released and installed, the EXTRA.DAT file is no longer necessary.

EXTRA.DAT files are good for 30 days, at which time they disable themselves. It is recommended you keep your VirusScan up to date by downloading and installing the official daily updates.

Explanation of EXTRA.DAT packages

EXTRA.DAT files may be distributed in two forms: packaged inside a .ZIP file, or wrapped in a Super Dat package. The .ZIP package requires manually unpacking and installing the EXTRA.DAT file it contains, while the Super Dat executable is a self-installing package. People unfamiliar with installing EXTRA.DAT files may find downloading and installing a Super Dat package more manageable than using the .ZIP package.


VirusScan Enterprise 8.5i queries in ePolicy Orchestrator 4.x show many false positives on the network as malware November 23, 2009

Posted by John Ruby in Solutions.


Problem 1

ePolicy Orchestrator (ePO) 4.x reports many false positives for files in McAfee-related directories for network clients:
…\Program Files\Common Files\McAfee\Engine\avvnames.dat
…\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\UpdateHistory.ini

Problem 2

Files on which the scanner times out are reported as Virus and appear in the ePolicy Orchestrator (ePO) reports as:
Event category: Malware

Problem 3

ePO 4.x reports show multiple Malware (Type Virus) entries:

Event Category | Type  | Detecting Product    | Detecting Version | DAT Version | Engine Version | File Path
Malware        | Virus | VirusScan Enterprise | 8.5               | 5279.0009   | 5200.2160      | C:\Program Files\Common Files\McAfee\Engine\avvnames.dat
Malware        | Virus | VirusScan Enterprise | 8.5               | 5279.0009   | 5200.2160      | C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\UpdateHistory.ini
Malware        | Virus | VirusScan Enterprise | 8.5               | 5279.0009   | 5200.2160      | C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Current\SUPERDAT1000\SuperDAT000\PkgCatalog.z

Problem 4

On the client, the VirusScan Enterprise OnAccessScanLog.txt frequently reports the following:

Not scanned  (scan timed out)  NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\McScript_InUse.exe C:\Program Files\Common Files\McAfee\Engine\avvnames.dat 
Not scanned  (scan timed out)  NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\McScript_InUse.exe C:\Program Files\Common Files\McAfee\Engine\avvclean.dat 

Problem 5

On the client, the Windows Application Event log frequently reports the following:

Type: INFORMATION 
Source: McLogEvent
Event: 257
User: SYSTEM
Description: The scan of C:\Program Files\Common Files\McAfee\Engine\avvnames.dat has taken too long to complete and is being canceled.  Scan engine version used is 5200.2160 DAT version 5263.0000. 
 
Type: INFORMATION 
Source: McLogEvent
Event: 257
User: SYSTEM
Description: The scan of C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\UpdateHistory.ini has taken too long to complete and is being canceled.  Scan engine version used is 5200.2160 DAT version 5263.0000. 

Cause

These malware detections are actually scan timeouts. This is expected behavior because this event category has been assigned for instances where there is a scan timeout. These events are uploaded and reported to the ePO server and should be reviewed periodically.
 
NOTE: A Feature Modification Request (FMR) has been logged to change the way these timeouts are reported. However, this change will not be included in the next VirusScan Enterprise 8.7i release.

Solution

The scan timeout events that are tagged as Malware can be filtered from the report at the ePO 4.x console, so that the generated reports display only virus detections.
 
IMPORTANT: McAfee strongly recommends that you do not add exclusions at the workstations to avoid the scan timeouts being reported.
 
 
To stop all timeouts from being included:
  1. Log on to the ePO 4.x console.
     To open a remote console through Internet Explorer, type one of the following URLs into the browser and press ENTER:

     https://<servername>:8443
     https://<ipaddress_of_server>:8443

  2. Click Reporting, Queries.
  3. In the left pane, select the query to modify.
    • ePO: Malware Detection History
    • VSE: Top 10 detected Threats
  4. In the right pane, click Edit.
  5. Click the Filter tab.
  6. In the left panel, click the EventID property to add it, then scroll down to the end of the page.
  7. In the first drop-down list, change Equals to Does not equal.
  8. In the second drop-down list, type 1059.
  9. Click Run.
  10. Click Save.
  11. On the next page, click Save again.
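The same filter expressed in code, as an added example that is not part of the McAfee article: constructed ePO-style event rows are split on the "EventID does not equal 1059" rule, so the scan timeouts that ePO tags as Malware are separated from real detections and tallied per file for the periodic review the Cause section asks for. The CSV layout, the column names and the non-timeout EventID value are assumptions.

```python
import csv
from collections import Counter
from io import StringIO

# EventID the article tells you to exclude: scan timeouts that ePO tags as Malware.
SCAN_TIMEOUT_EVENT_ID = "1059"

# Constructed ePO-style export (not real data); column names are assumptions.
# The last row uses a placeholder EventID (9001) standing in for a real detection.
SAMPLE_EVENTS = r"""EventID,EventCategory,Type,DetectingProduct,DATVersion,EngineVersion,FilePath
1059,Malware,Virus,VirusScan Enterprise,5279.0009,5200.2160,C:\Program Files\Common Files\McAfee\Engine\avvnames.dat
1059,Malware,Virus,VirusScan Enterprise,5279.0009,5200.2160,C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\UpdateHistory.ini
1059,Malware,Virus,VirusScan Enterprise,5279.0009,5200.2160,C:\Program Files\Common Files\McAfee\Engine\avvnames.dat
9001,Malware,Virus,VirusScan Enterprise,5279.0009,5200.2160,C:\Temp\suspicious.exe
"""


def split_events(csv_text):
    """Apply the query filter 'EventID does not equal 1059' in code.

    Returns (detections, timeouts): the rows a filtered report would still
    show, and the scan-timeout rows that were reported under Malware."""
    detections, timeouts = [], []
    for row in csv.DictReader(StringIO(csv_text)):
        if row["EventID"] == SCAN_TIMEOUT_EVENT_ID:
            timeouts.append(row)
        else:
            detections.append(row)
    return detections, timeouts


def timeouts_by_file(timeouts):
    """Tally timeouts per file so recurring ones can be reviewed periodically,
    as the Cause section recommends, instead of being excluded at the client."""
    return Counter(row["FilePath"] for row in timeouts)


if __name__ == "__main__":
    detections, timeouts = split_events(SAMPLE_EVENTS)
    print(f"{len(detections)} detection(s) left in report, {len(timeouts)} scan timeout(s) filtered")
    for path, count in timeouts_by_file(timeouts).most_common():
        print(f"  {count}x  {path}")
```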

What Does it Mean For You: HP Buys 3Com. November 18, 2009

Posted by John Ruby in BlogoSphere.

 

Quote

What Does it Mean For You: HP Buys 3Com. Logitech Buys LifeSize. Cisco Launches Host Email. | Smallb
And on the bright side, it means that growing businesses are getting access to technologies that were once only affordable for large corporations. For example, LifeSize’s video conferencing solution costs a fraction of traditional systems, without making any compromises in quality of sound, video or speed.

ISA Server 2006 Stop Answering Requests November 11, 2009

Posted by John Ruby in Solutions.

https://blogs.technet.com/isablog/archive/2009/01/12/isa-server-2006-stops-answering-requests.aspx

ISA Server 2006 stops answering requests

1. Introduction


Recently we have had some cases where customers call complaining of the following behavior:

- ISA Server randomly stops answering requests.
- Apparently there is no resource depletion.
- ISA Server logs the error FWX_E_NO_BACKLOG_PACKET_DROPPED 0xC0040016 in Monitoring/Logging.

Vista Messenger service and alerter services November 11, 2009

Posted by John Ruby in Solutions.

Messenger service and alerter services

In Vista the command is MSG:

 

MSG {username | sessionname | sessionid | @filename | *}
    [/SERVER:servername] [/TIME:seconds] [/V] [/W] [message]

  username            Identifies the specified username.
  sessionname         The name of the session.
  sessionid           The ID of the session.
  @filename           Identifies a file containing a list of usernames,
                      sessionnames, and sessionids to send the message to.
  *                   Send message to all sessions on specified server.
  /SERVER:servername  server to contact (default is current).
  /TIME:seconds       Time delay to wait for receiver to acknowledge msg.
  /V                  Display information about actions being performed.
  /W                  Wait for response from user, useful with /V.
  message             Message to send.  If none specified, prompts for it
                      or reads from stdin.

SuperStack 3 Switch 4400 – How to configure via the CLI to block illegal DHCP servers using QoS November 3, 2009

Posted by John Ruby in Solutions.

Solution ID: 2.0.71955808.3207581

The following are the steps to configure the SuperStack 3 Switch 4400 to block the responses of illegal DHCP servers on your network.
For further explanation of QoS nomenclature, see the Switch 4400 documentation.

STEP 1: Log in to your Switch 4400 as an administrator, either via a telnet session or a direct connection via a null modem cable.
STEP 2: Create a Classifier
Type the following string at the "Select" menu option prompt when you first log in.
Select menu option: trafficManagement qos classifier

Menu options: ————–3Com SuperStack 3 Switch 4400—————
create         – Create a new classifier
delete         – Delete an existing classifier
detail         – Detailed classifier information
modify         – Modify an existing classifier
summary         – Display summary information

Type "q" to return to the previous menu or ? for help
Select menu option (trafficManagement/qos/classifier): create
Enter classifier number (101-1000)[101]:
Enter classifier name: DHCP Response
Enter classifier type
(ipAddr,ipProtocol,ipPort,dscp,etherType): ipport
Enter IP port (tcp,udp,either)[either]: udpDest
Enter port number (0-65535)[0]: 68

STEP 3: Create Profile
Select menu option (trafficManagement/qos): profile
Menu options: ————–3Com SuperStack 3 Switch 4400—————
addClassifier         – Add a classifier to a QOS profile
assign                 – Assign QOS profiles to ports
create                 – Create a new QOS profile
delete                 – Delete an existing QOS profile
detail                 – Detailed information about a QOS profile
listPorts                 – List all ports with their associated QOS profiles
modify                 – Modify an existing QOS profile
removeClassifier         – Remove a classifier from a QOS profile
summary         – Display summary information

Type "q" to return to the previous menu or ? for help
—————————————– (1)—————————
Select menu option (trafficManagement/qos/profile): create
Enter profile number (11-1000)[11]: 11
Enter profile name: Rogue DHCP Servers

STEP 4: Now add a classifier to the profile
Select menu option (trafficManagement/qos/profile): addClassifier
Select profile number (1-2,11,all)[all]: 11
Select classifier number (1-5,101): 101
Enter service level number (1-6): 1

STEP 5: Assign the profile to the ports that you wish this action to take effect
NOTE: Only assign the profile to ports that do not connect to a legal DHCP server (for example, leave uplink ports unassigned), so that legitimate DHCP responses can still reach the clients.
Select menu option (trafficManagement/qos/profile):
Menu options: ————–3Com SuperStack 3 Switch 4400—————
addClassifier         – Add a classifier to a QOS profile
assign                 – Assign QOS profiles to ports
create                 – Create a new QOS profile
delete                 – Delete an existing QOS profile
detail                 – Detailed information about a QOS profile
listPorts                 – List all ports with their associated QOS profiles
modify                 – Modify an existing QOS profile
removeClassifier         – Remove a classifier from a QOS profile
summary         – Display summary information
Type "q" to return to the previous menu or ? for help
—————————————– (1)—————————
Select menu option (trafficManagement/qos/profile): assign
Select unit (1,all)[all]: 1
Select port (1-24,all)[all]: all
Enter profile number (1-2,11)[1]: 11
Select menu option (trafficManagement/qos/profile):

STEP 6: Remove Classifier #1 from the newly created profile, as it is assigned by default. Follow the steps below to do this:
Menu options: ————–3Com SuperStack 3 Switch 4400—————
addClassifier         – Add a classifier to a QOS profile
assign                 – Assign QOS profiles to ports
create                 – Create a new QOS profile
delete                 – Delete an existing QOS profile
detail                 – Detailed information about a QOS profile
listPorts                 – List all ports with their associated QOS profiles
modify                 – Modify an existing QOS profile
removeClassifier         – Remove a classifier from a QOS profile
summary         – Display summary information
Type "q" to return to the previous menu or ? for help
—————————————– (1)—————————
Select menu option (trafficManagement/qos/profile): rem
Select profile number (1-2,11,all)[all]: 11
Select classifier number (1,101): 1
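The effect of steps 2 to 6 as a small Python model, added here and not 3Com's code: classifier 101 matches UDP destination port 68 (where DHCP server replies are addressed), profile 11 carries it and is assigned only to access ports, so a DHCP reply entering on an access port is dropped while the same reply on the unassigned uplink and a client's DHCP request (destination port 67) pass. It assumes that traffic matching a classifier on an assigned port is dropped, since the page does not define service level 1, and it does not model the default classifier #1 that step 6 removes.

```python
from dataclasses import dataclass, field

DHCP_CLIENT_PORT = 68   # DHCP server replies (offer/ack) are sent to UDP 68


@dataclass
class Packet:
    ingress_port: int   # switch port the frame arrived on
    proto: str          # "udp" or "tcp"
    dst_port: int


@dataclass
class Classifier:
    """Step 2: an ipPort classifier of kind udpDest on one port number."""
    number: int
    dst_port: int

    def matches(self, pkt):
        return pkt.proto == "udp" and pkt.dst_port == self.dst_port


@dataclass
class Profile:
    """Steps 3-5: a QoS profile holding classifiers, assigned to ports.
    Assumption (service level 1 is not defined on the page): traffic that
    matches a classifier on an assigned port is dropped. The default
    classifier #1 that step 6 removes is not modelled."""
    number: int
    classifiers: dict = field(default_factory=dict)   # number -> Classifier
    ports: set = field(default_factory=set)

    def add_classifier(self, c):
        self.classifiers[c.number] = c

    def assign(self, ports):
        self.ports.update(ports)

    def decide(self, pkt):
        matched = any(c.matches(pkt) for c in self.classifiers.values())
        return "drop" if matched and pkt.ingress_port in self.ports else "forward"


def build_rogue_dhcp_profile(access_ports):
    """Profile 11 'Rogue DHCP Servers' with classifier 101 (udpDest 68),
    assigned only to the given access ports, never to the uplink."""
    profile = Profile(11)
    profile.add_classifier(Classifier(101, DHCP_CLIENT_PORT))
    profile.assign(access_ports)
    return profile
```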

Note: with Software Version 4.0 for the Switch 4400 there is a new feature called Traffic Shaping, which allows you to control the egress traffic rate at a port. It does this using two parameters:
– Average Egress Bandwidth – the average data rate, specified in Mbps.
– Maximum Burst Size – the maximum amount of data that will be burst at line rate, in Kbytes.

Traffic Shapers are assigned to QoS profiles in a similar way to QoS classifiers, i.e. via the trafficManagement/qos/trafficShape command in the CLI.

Note the following:

– Traffic will be shaped to the next lowest multiple of 1 Mbps on the front panel ports, and to the next lowest multiple of 8 Mbps on the modular ports.
– The minimum rate will be 1 Mbps for front panel ports and 8 Mbps for modular ports. If a traffic shaper is applied to a modular port with a rate of less than 8 Mbps, the actual traffic will be shaped to 8 Mbps.

You may experience high memory usage on a computer that is running ISA Server 2004 or ISA Server 200 November 2, 2009

Posted by John Ruby in Solutions.

You may experience high memory usage on a Microsoft Internet Security and Acceleration (ISA) Server 2004 computer or ISA Server 2006 computer that is configured to log messages to a Microsoft SQL Server Desktop Engine (MSDE) database.

Although this behavior does not affect the regular operation of other processes, you may want to limit the amount of physical memory that is allocated for SQL Server. Recommended values are shown in the following table.

System memory | Recommended setting
1 GB          | 386 MB
2 GB          | 512 MB
3 GB          | 764 MB
4 GB          | 1024 MB

However, you should monitor the memory performance counters, the SQL Server log (Sql.log), and the ISA Server logs to make sure that logging is not affected. If you experience problems, increase the recommended values gradually. To do this, follow these steps: