Oi. Symantec is definitely giving me a lot to blog about recently.

I logged in to one of our public file servers today for a weekly inspection, and as is somewhat common was greeted with a dozen reports from Symantec Endpoint 11 of infected files being deleted. It’s not uncommon for our clients to open malicious attachments, visit shady websites, and generally make a mess of things, but a combination of good ACLs, Deep Freeze, and SEP 11 on the server have kept things clean.

So, after reading through the alerts and verifying SEP cleaned all of the detected files, I ran Live Update followed by a Full System Scan, as is standard procedure. Out of curiosity, I watched the first part of the scan process, when I noticed it pause on these files:

c:\windows\hide_evr2.sys

c:\windows\9129837.exe

d:\autorun.inf

The first two file names made me worried, and the third a little more so, if only because D: is another RAID array and therefore has no reason to have an Autorun.inf. After a little digging, however, I found that none of these files seemed to exist on the server. Now I started thinking ‘rootkit’.

Sure enough, a quick Google later showed that yes, these files are common to a number of different rootkit variants. As such, I busted out my usual toolkit of malware detection/removal utilities and took the server offline.

As I dug deeper into the server, though, I still couldn’t find any traces of the mentioned files. I tried several different rootkit tools, browsing the hard drive contents from a Linux LiveCD, and even a few tools to check ADS (Alternate Data Streams), but had no luck.

At this point, I was fairly convinced that the server was clean; however, why would Symantec report those files as present, unless… Digging a little further into the results from Google, I found this forum thread: http://www.antionline.com/showthread.php?t=278671 – apparently, during the initial part of the scan, Endpoint doesn’t just report the files that it’s scanning, it also reports the names of the files it’s looking for.

So, a little life lesson - don’t assume that Symantec will do anything that makes sense. And, when in doubt, Google is still your friend – you just need to look harder.

Sample Symantec Endpoint scan showing a non-existent file

The TL;DR version: The scan status on Symantec Endpoint 11 doesn’t just show the actual files on the computer, but it also shows non-existent files that it’s looking for. When in doubt – verify manually!
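The manual check the post ends on, as an added PowerShell helper that is not part of the original post: it takes the three paths Symantec displayed and reports whether each actually exists on disk (including hidden and system files) and, on PowerShell 3.0 or newer, whether it carries any alternate data streams. The function name and the `$reported` list are my own.

```powershell
# Added example: confirm whether paths shown in a scan status actually exist.
# Run on the server itself. A kernel-mode rootkit can still hide files from the
# live OS, so an offline look from a Linux LiveCD (as in the post) stays the
# stronger test; this is the quick first pass.
function Test-ReportedPath {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $Path
    )
    foreach ($p in $Path) {
        # -Force is needed for hidden/system files, which Get-Item otherwise skips
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            New-Object PSObject -Property @{ Path = $p; Exists = $false; Streams = @() }
            continue
        }
        $streams = @()
        # Alternate data streams (the -Stream parameter exists on PowerShell 3.0+);
        # on older hosts the call fails and we simply report none.
        try {
            $streams = @(Get-Item -LiteralPath $p -Stream * -ErrorAction Stop |
                         Where-Object { $_.Stream -ne ':$DATA' } |
                         ForEach-Object { $_.Stream })
        } catch { }
        New-Object PSObject -Property @{ Path = $p; Exists = $true; Streams = $streams }
    }
}

# The paths Symantec Endpoint 11 paused on during the scan described above
$reported = 'C:\Windows\hide_evr2.sys', 'C:\Windows\9129837.exe', 'D:\autorun.inf'
Test-ReportedPath -Path $reported | Format-Table Path, Exists, Streams -AutoSize
```

A path that comes back with `Exists = False` here, after an offline check agrees, is a signature name the scanner was searching for, not an infection.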

This morning, I received an email from a charity I do some consulting for saying that they were getting a Low Disk Space warning on their primary terminal server. After remoting in, I confirmed that on the 120GB primary partition, there was less than 100MB free. Odd, considering that the server only has about 40GB worth of user files on it.

A quick check (done by selecting likely folders in the root of the drive and opening the properties window) confirmed that C:\ProgramData was using an extra 40GB of space that it shouldn’t. Further digging revealed that C:\ProgramData\Symantec\Symantec Endpoint Protection\Xfer contained somewhere in the neighbourhood of 48,000 files, each ~20KB in size.

Solution? Delete and recreate the Xfer folder, then run Live Update again. Low disk space problem solved, but would someone at Symantec care to explain just what the hell happened?

Update: Found a temporary fix here: http://www.symantec.com/connect/forums/symatec-ep-making-alot-files-under-xfer-folder

Apparently, the issue results from Endpoint rescanning files in quarantine every time new definitions arrive. If you have a lot of files in quarantine, your disk space will disappear that much faster. Go figure. Apparently they’ve fixed some instances of this, but not others, as it was supposed to have been solved in MR4, but is still present in MR4 and MR5.

08. April 2010 · Categories: "It's a Feature", Rants

I work for a non-profit that provides general employment services to the public. In part, we offer a large number of public-access computers for job search purposes, as well as a smaller number of systems for general use. Couple these with ~20 staff workstations and a video conference unit, and we chew through a large chunk of bandwidth each day.

Until now, our dual 6Mbit DSL connections have been making do, but really only because of a WSUS server and two IPCop servers acting as web and update caches. With the possibility of adding new offices and increasing the number of computers on our network, I’ve been looking into alternative ways of boosting our throughput.

One of the first plans was to check into a Fiber connection, but that was quickly scrapped. Unfortunately, we can’t afford the $1500/month rates being offered for the lower-tier connections, and the staggering ~$5900/month for a 100Mbit up/down connection is completely impossible. As such, I started looking into other business packages.

This brings me to the root of my rant. I’ve never been a big fan of DSL, so my first thought was to check out what was offered by our local cable provider, Shaw Cable. I’ve used them for my residential internet connection since 1997 and couldn’t be happier, especially since they’ve just started to offer 100Mbit down 2Mbit up service in my area.

After several phone calls to them, however, my opinion has completely changed. Despite the fact that they provide faster service, Shaw is only willing to offer a 15Mbit down/1Mbit up service to businesses. That’s the fastest you can go without switching to Fiber, which again is out of our price range. Although the service is slightly cheaper than the DSL equivalent, I need at least 4 static IP addresses, which Shaw will provide, for an extra $50 on top.

Speaking with their customer service reps was a frustrating experience, because I couldn’t get an answer as to why businesses aren’t allowed access to higher tiered packages. “That’s just the way it is” was all I was told.

As such, we’ll be sticking with DSL, and Shaw has lost a potential customer. I hope they eventually decide to let businesses catch up with home users, but somehow, I have my doubts.

Internet. Serious Business.

Seriously.

To the person who found my blog by searching for “raid 1 backup”, please note: RAID IS NOT AN ACCEPTABLE BACKUP SOLUTION!

Any method of RAID (other than RAID0) is good for protecting against failing hard drives. However, it is by no means a backup solution, as it doesn’t save your data from things like accidental deletion, file system corruption, users, and malicious software. If you’re looking for a backup solution, investigate external hard drives, SAN/NAS devices, tape backup units, etc.

Please. For the sake of your data, get a real backup solution.

Wow. I’ve got quite a long history with Tim Hortons, but for some reason I keep going back (probably because of Roll Up The Rim). This morning at the drive-through was about par for the course.

Her: Welcome to Tim Hortons, how can I help you?

Me: Hi. Can I please get an extra-large tea, with two milk and two sugar?

Her: <several seconds of silence> Ummm, so you want a decaf tea?

Me: Actually, I just want a regular tea.

Her: Okay. Do you want anything in it?

Me: Yes. Two milk, and two sugar.

Her: <several seconds more of silence>. So two cream, and one sweetener?

Me (trying not to sound frustrated): No. Two milk. <pause> And two sugar.

Her: Oh! Okay!

I’m surprised that I didn’t end up with a Double-Double instead, as has been known to happen before.

(Updated 04/29/2010) — YOU CAN NOW ROOT the Rogers HTC Magic! Details here: http://forum.xda-developers.com/showthread.php?t=627384 Exact steps to root are here: http://greatbigdog01.wordpress.com/2010/04/30/rogers-magic-post-e911-update-to-cyanogen-5-0-7-android-2-1/

I’ve posted before about my HTC Dream, and some of the run-arounds I’ve had with Rogers, but I haven’t posted about that recently. Rogers, it seems, is out to alienate Android users and seemingly couldn’t care less.

A little back story first:

In September of 2009, an Android user reported a problem with the Android 1.5 ROM where, if you had GPS enabled and attempted to call 911, your phone would crash and reboot. The issue was promptly fixed in the Android source, and all was good. The user then reported the problem to Rogers, who did nothing.

Fast-forward to January. Rogers comes under fire for the issue and disputes having known about the problem for several months. They make an update to fix it, and push it out. To make sure that their asses are covered, though, they tell everyone that it’s a Mandatory Upgrade. “If you don’t upgrade, we’re going to disconnect your data.” And, on January 24th, 2010, they did. All HTC Dream and Magic users lost data for at least a day. The official word was that if you upgraded to the new ROM, your connection would be restored within 24 hours.

Those who didn’t update not only lost data, but started receiving daily telephone calls and text messages telling them to upgrade. Some people even had their outgoing calls redirected to Rogers Customer Support (and reportedly, even 911 calls were affected by this, although Rogers denies this happened – Update: see the comment from RogersMary below).

Eventually, Rogers released a waiver users could sign that would allow them to continue using their old ROM and get their data back (although some people had gotten around this by phoning Technical Support and having them manually enable the data connection, with mixed results).

Then, for a five-day period (February 9th through 14th), Rogers re-instated their free HTC Dream to HTC Magic upgrade program (for users who purchased an HTC Dream before December 31st, 2009). I took part and received a shiny new HTC Magic at no charge, and promptly sold my still-rooted HTC Dream.

Okay, back story over. What’s the deal with the new ROM?

Well, here’s what you need to know. If you have a Dream or Magic that’s still rooted, you can simply upgrade to the newest Radio image (available on the XDA forums if you do a little searching). This will allow you to keep your root, as Rogers’ network uses the Radio Version String to determine whether or not you’ve upgraded (it simply looks at the radio version string when your phone connects to the network). Alternatively, you can sign the waiver above and you’re fine as well.

If, however, you already performed the ROM upgrade (or received/purchased a new Dream or Magic from Rogers after the beginning of February), you’re in a little bit of trouble. Here are the relevant details. The new ROM contains:

  • An updated Kernel, which contains a fix to the Root Privilege Elevation Exploit used by Flashrec. In short, the One-Click Root no longer works.
  • A new ‘perfect’ SPL (version 1.76.2010 SAP50000). This one comes with Security On and Fastboot disabled. As such, Magic users can no longer simply boot from a new recovery image and flash.
  • Strict sigchecks are now in place, which prevent running the RUU with the previous ROM from working (HBOOT reports a Main Version Error if you try to run the RUU or use the rom.zip as a SAPPIMG.zip).
  • The Gold Card method no longer works. This is an odd one, because it seems to process, but then exits without error. It isn’t likely that Rogers disabled it – rather, they probably changed how it operates (update: it appears that even when using a Gold Card, it still does a Main Version Check – as such, none of the existing SAPPIMG.img ROMs will work, as they are all older versions).
  • There is an engineering SPL floating around the internet, however without a way to flash it, it currently does us no good.

As such, Rogers users with the Mandatory Update are currently boned. In order to gain root, we need one of the following:

  1. A new Kernel Root Elevation Exploit that will allow an application like Flashrec to load a new recovery image.
  2. A newer ROM that we can inject the engineering SPL in that will allow Fastboot (edit: although this is *very* difficult, if not impossible to do while keeping the signature intact)
  3. An answer to why the Gold Card method is failing, and a fix for that (edit: I’ve re-created my gold card and tried again, this time with no other specific errors. I’m on the lookout for a newer SAPPIMG that works with 32A Magics that has a higher version than the Rogers ROM – that may well be the key). Update – the most likely reason that the gold card method is failing is that it doesn’t bypass the Main Version check. As such, we’re still stuck until a newer SAPPIMG is leaked with an engineering SPL.
  4. An easier-to-use JTAG method (see XDA forum link below).

Until one of these solutions is found, we’re stuck with 1.5. So far, solution number 2 looks like our best bet, as Rogers has announced that Magic users will receive an Android 2.1 update (with Sense UI) sometime soon – when this update comes out, it should be possible for an engineering SPL to be injected in to the update. Until that happens, we’re stuck without access to a number of newer apps (like Google Goggles and Google Earth), and flaky Bluetooth.

The important things to take away from this are the following:

  • If you care about rooting, NEVER perform a ROM update from Rogers unless you’re prepared to lose the ability to root, possibly forever. When the 2.1 update comes out, avoid it like the plague until it has either been deemed safe, a de-fanged version has been released, or someone has ‘fixed’ it to allow rooting.
  • Watch the XDA forums for information regarding updates.
  • Don’t trust Rogers.

Update: In response to a comment below, here are a few of the best threads for information on the rooting effort:

Additionally, I’m currently selling my Rogers HTC Magic. Yes, it has the update applied, as I received it after the update was released. If you’re interested, send me an email. Currently asking $300 OBO.

I’m running WSUS 3.0 SP2, and it really helps, not only to track the update status of my machines, but also because we’re only on a DSL connection and the update caching is a lifesaver. My main complaint with WSUS, though, is the update filtering.

In WSUS, you can tell it what products you want to get updates for, what classification (driver, critical update, service pack, etc…), and even whether to auto-approve them or not, but for some unknown reason, WSUS doesn’t let you specify the damn architecture that you want.

Our organization doesn’t have any Itanium hardware – why doesn’t WSUS let me specifically block that architecture? I only want x86 and x86_64 updates. Is that so hard? Instead, my auto-approve rules happily let those updates download, and then sit and take up space until I run the cleanup wizard.

Come on, Microsoft. Think this one through, please? Maybe introduce it in the 4.0 update?
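The usual workaround for the missing architecture filter is to decline Itanium updates through the WSUS 3.0 administration API, which is what this added PowerShell script does; it is not from the original post and assumes the default connection (local server, HTTP on port 80) and that it runs as a WSUS administrator.

```powershell
# Added example: decline Itanium (IA-64) updates that WSUS auto-approval lets through.
# Uses the Microsoft.UpdateServices.Administration assembly installed with the
# WSUS 3.0 console/server. Server, SSL and port are assumptions; adjust as needed.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Get-ItaniumUpdate {
    param(
        [string] $Server = 'localhost',
        [bool]   $UseSsl = $false,
        [int]    $Port   = 80
    )
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Server, $UseSsl, $Port)
    # Both spellings occur in update titles; skip updates that are already declined.
    $wsus.GetUpdates() |
        Where-Object { -not $_.IsDeclined -and $_.Title -match 'Itanium|ia64' }
}

function Deny-ItaniumUpdate {
    param(
        [string] $Server = 'localhost',
        [bool]   $UseSsl = $false,
        [int]    $Port   = 80,
        [switch] $WhatIf      # preview only, decline nothing
    )
    $count = 0
    foreach ($update in Get-ItaniumUpdate -Server $Server -UseSsl $UseSsl -Port $Port) {
        if ($WhatIf) {
            Write-Host "Would decline: $($update.Title)"
        } else {
            $update.Decline()
            Write-Host "Declined: $($update.Title)"
        }
        $count++
    }
    Write-Host "$count Itanium update(s) processed."
}

# Preview first; run without -WhatIf to decline for real. Declining stops future
# downloads but does not delete content already on disk, so follow it with the
# Server Cleanup Wizard, as the post describes.
Deny-ItaniumUpdate -WhatIf
# Deny-ItaniumUpdate
```

Scheduling this to run after each synchronization keeps the auto-approve rules from re-admitting new Itanium updates.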

27. January 2010 · Categories: Apple

This is a first here, really. I’m not really an Apple guy (I used to have an iPhone, and I use an iMac at work that runs Windows most of the time), and I rarely comment on products that I don’t own, but really, this is just dying for picking apart.

Steve Jobs has reportedly been quoted to say, “This [the iPad] will be the most important thing I’ve ever done” – I really hope that this is just a misquote, or wrongfully attributed. Why? Well, let’s start with what we now know.

How it looks. If you haven’t seen it, it looks basically like a huge iPod Touch with a massive bezel.

What it runs. Apparently Apple has licensed the rights to make another ARM processor, dubbing it the “Apple A4”. Do we really need another ARM processor variant? What’s wrong with the Snapdragon?

What it doesn’t do. Flash. Yes, really. I don’t particularly like Flash, but if they’re touting it to be ‘better than a laptop’, why are they blocking access to a large chunk of the content that’s out there?

What it doesn’t change. It’s apparently going to run the iPhone OS (speculated at version 4), so you’re still locked in to the App Store and Apple’s draconian approval process. I wonder how long it will take before it’s jailbroken?

What it lacks. Supposedly, it won’t come with 3G. Reports say that you’ll be able to tether it with a mobile device (although I wouldn’t be surprised if they only let you tether it with an iPhone), but really, if they’re saying people should use this instead of an e-book reader, why leave that out? And on the subject of e-books, who really wants to read a 1000+ page book on an LCD screen, when you can get a Kindle 2 with an easy-on-the-eyes e-ink screen instead?

What they screwed up on. Really, why name it the iPad? I see where they might want to leverage the branding from the iPod, but all that makes me think of is another type of product.

All in all, I think that a lot of people who bought into the hype of this are probably pretty disappointed. The iPad? What a joke.

Update: Unconfirmed tweets are saying that it will be priced at $499, or $629 with 3G.

Update #2: Apparently you’ll be able to connect a standard keyboard to the iPad as well. So why bother making it a tablet at all? Why not just give it a slide-out keyboard and be done with it?

While working at rhymes-with-Gordita Technical Support a few years ago, I definitely had my share of WTF calls. The following is about as close to a transcript as I can get to one of them, although the topic of Wifi was common when it came to people making asses of themselves.

Me: Thank you for calling Gordita technical support, this is Laslow speaking.

[snip five minutes of gathering information, creating a ticket, and registering the laptop]

Me: Alright, how can I help you today?

Him: Well, I just bought this damn thing yesterday and the damn wireless doesn’t work.

Me: Okay, sir. Here’s what we’re going to try. Can you please–

Him: NO! I’ve done all of the troubleshooting that can be done on this! I’ve reinstalled the driver, uninstalled and reinstalled the Wireless Config utility, removed it completely and let Windows manage the wireless networks, checked to make sure that the Wireless Zero Configuration service is enabled, and it STILL won’t see ANY wireless networks. NONE! Now I want this thing replaced with a new one, NOT a factory refurb unit. If you can’t do this for me, I want someone who can.

Me: Okay, wow. So you’ve done all that, and no wireless. There is one thing we can still try, which is–

Him: NO! Look, kid – I’ve been working with computers for longer than you’ve been alive. I have my A+, my MCSE, my Cisco ticket, and a Masters in Computer Science. I’ve forgotten more than you know! Now can you replace this damn laptop with one that works?

Me (breathing deeply): Okay, sir, here’s what we’re going to do. Before we can do anything like that, I need to make sure the laptop is in the factory-default state. To do that, I need you to check one, just one, thing for me. Can you please do that?

Him: Just one thing? Okay, what?

Me: Please look on the right-hand side of the laptop.

Him: Okay, what am I looking for?

Me: Do you see a tiny little black switch, with an amber light beside it?

Him: Yes, the light isn’t on.

Me: Okay, good. Can you please flick the switch?

Him: Okay, the light just turned on. Now what?

Me: Look back at the screen – what does it say in the bottom-right-hand-corner?

Him: Wireless networks detected…oh. It’s working now. Why the hell do they turn the wireless off out-of-box? That’s the stupidest thing I’ve ever heard of! And why isn’t it in the manual?

Me: Actually, sir, they disable it by default for your security, and to help save battery power for those customers who don’t have wireless networks. And in regards to the manual, it’s on page 4.

*CLICK* *DEAD AIR*

Me: Hello, sir? Sir?

Me (to dead air): You’re welcome, and thank you for calling Gordita. Have a nice day!

On January 1st, a new law came into effect in the province of British Columbia requiring that motorists must use a hands-free device while driving if they wish to make phone calls, or else face a fine (of somewhere around $160). So, rather than risk a ticket, I broke down and bought a Bluetooth headset, which has ended up being a learning experience.

At first I was unable to stream music over my headset, but then I discovered that the Motorola H780 I had purchased wasn’t A2DP compatible. I then exchanged it for a Jabra BT530 and music streaming worked out-of-box, so I can’t blame that on the OS.

However, I can blame the biggest deficiency on Android – although both headsets support Voice Dialing, Android doesn’t allow you to Voice Dial from your headset. You still have to pick up the phone and either manually dial or use the handset’s built-in voice dialing, both of which will get you a ticket if you do them while driving.

So if you’re looking for a full-featured Bluetooth Headset for an Android phone, make sure you pick one up that’s A2DP compatible, just don’t expect to do anything other than listen to music and receive calls. Just don’t expect to be able to make calls from a headset anytime soon.