All posts by corepcnadmin

Stop or Restart all Windows Services Starting With…

If you have product suites installed (usually the case with security products) you may frequently need to disable all of their services at once.  When the service names share a common string, PowerShell makes it easy to list, stop, restart or delete them.

For instance, to find all the services from my Sophos suite:

PS C:\WINDOWS\system32> Get-Service -ServiceName *Sophos*

This lists all the services, running or not, whose names contain the case-insensitive string "sophos".

To stop them all,

PS C:\WINDOWS\system32> Get-Service -ServiceName *sophos* | Stop-Service

You may see a few "waiting" messages while the services stop, but as long as you have the authority to stop them you should be returned to a normal PowerShell prompt once they have halted.
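The two one-liners above are enough for an interactive session. The script below is an added example, not code from the original post: it wraps the same Get-Service pipeline in a function that supports a dry run (-WhatIf), handles the dependent-service case, and re-reads the service state afterwards so you can confirm what actually stopped. The pattern '*Sophos*' is the one from the post; substitute your own suite's name.

```powershell
# Added example, not code from the original post: list and stop every service
# whose name matches a wildcard pattern, with a dry run before anything changes.
# The pattern '*Sophos*' is the one from the post; substitute your own suite's.
function Get-MatchingService {
    param([Parameter(Mandatory)][string] $Pattern)
    # -Name takes wildcards (and -ServiceName, used in the post, is its alias)
    Get-Service -Name $Pattern -ErrorAction SilentlyContinue
}

function Stop-MatchingService {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string] $Pattern,
        [switch] $IncludeDependents,            # also stop services that depend on a match
        [int]    $TimeoutSeconds = 30
    )
    $running = @(Get-MatchingService -Pattern $Pattern | Where-Object { $_.Status -ne 'Stopped' })
    if ($running.Count -eq 0) { Write-Verbose "Nothing running matches $Pattern"; return }

    foreach ($svc in $running) {
        if (-not $PSCmdlet.ShouldProcess($svc.Name, 'Stop-Service')) { continue }
        try {
            # Without -Force, Stop-Service refuses when other services depend on this one
            Stop-Service -Name $svc.Name -Force:$IncludeDependents -ErrorAction Stop
            $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds($TimeoutSeconds))
        } catch {
            # Typical here: a tamper-protected endpoint agent rejecting the request
            Write-Warning "Could not stop $($svc.Name): $($_.Exception.Message)"
        }
    }
    # Re-read the state so the caller sees what actually happened
    Get-MatchingService -Pattern $Pattern | Select-Object Name, Status, StartType
}

# Usage: preview first, then stop for real
# Stop-MatchingService -Pattern '*Sophos*' -WhatIf
# Stop-MatchingService -Pattern '*Sophos*' -IncludeDependents
```

Run the -WhatIf form first: a wildcard such as *Sophos* is broad, and the preview shows exactly which services would be touched. A security suite with tamper protection enabled will reject the stop request even from an administrator; that shows up as the warning rather than as a hang, and the final Select-Object output tells you which services are still running.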

Change VM Name in VMware Player

If you have multiple VMs in VMware Player, having meaningful names is probably part of the planning process.

But things change.

So when you need to change the hostname of your virtual machine, you’ll want to change the name of the VM as well.  The name lives in a number of different locations, so depending on how picky you are you may only want to do one or two of these steps.

In VMware Player

I’m using the wonderful VMware Workstation 12 Player.  This is a great choice if you have decent hardware but don’t want to wipe out your primary OS to run virtual machines in a dedicated hypervisor like ESX or Hyper-V.  VMware Player is free for noncommercial use and doesn’t support snapshots or centralized management, but it’s perfect for a home lab while studying for your RHEL certification.

I want to rename my RHEL 7 Server from “RH7Server” to “RH7-SRV01”.  You can use your own naming convention.  In my environment I plan to use no more than 5 VMs, so <OS>-<role><sequence> is an ideal convention.

Open up VMware Player.  The left panel shows the names of your registered VMs.  To change the display name of a VM right-click the VM, click Settings, then go to the Options tab.  Change “Virtual machine name” and click OK.

The displayed VM name has been updated.

To change the name of the associated VM files, please see the next post, Changing VMware Workstation VM File Names.

Allow root Login to MySQL on Red Hat 7

If you’ve installed MySQL on a Linux server you’ve probably run the “mysql_secure_installation” script to lock it down.  But now you need to access this server remotely using MySQL Workbench.  How do you allow remote connections to MySQL?

It isn’t as easy as throwing a switch and allowing MySQL to accept incoming connections from any source.  

Do not attempt these steps on an internet-facing server.  Make sure you have taken all other precautions to protect your machines from unauthorized access.

My first step was to open the firewall on the Red Hat server for port 3306.  And don’t forget “Options -> Runtime to Permanent” so these changes survive a reload.

But even then I still received an error.

The second step is the MySQL configuration.  Even though RHEL now accepts incoming connections on port 3306 and MySQL is configured to listen for them, root still doesn’t have permission to log in remotely.

Here are the steps to configure MySQL on the Red Hat server to allow incoming connections from root on any host.  Run this in a terminal as root.

# mysql -u root -p
(enter MySQL root password)

mysql> use mysql;

mysql> select user, host from user;

This shows a table of users and the host(s) each user is allowed to log in from.

+-----------+-----------+
| user      | host      |
+-----------+-----------+
| mysql.sys | localhost |
| root      | localhost |
+-----------+-----------+
2 rows in set (0.00 sec)

Now we update the “host” entry for root to allow login from any host.  For this we’ll use the SQL wildcard '%':

mysql> UPDATE user SET host = '%' WHERE user='root' AND host='localhost';

Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

mysql> select user, host from user;
+-----------+-----------+
| user      | host      |
+-----------+-----------+
| root      | %         |
| mysql.sys | localhost |
+-----------+-----------+
2 rows in set (0.00 sec)

You should be able to connect now with no issues!
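The post's two steps (firewall, then grants) fail in different ways, and from the Workbench side it is not obvious which one you are stuck on. The following is an added example, not part of the original post: run from the Windows workstation, it opens a TCP connection to the server and parses the very first packet MySQL sends. A handshake means the network path and bind-address are fine and any remaining problem is in the grant tables; an error packet means the server is reachable but rejects the client host; silence or a refusal means you are still at the firewall step. The server name, port and sample packet bytes are placeholders constructed for the example.

```powershell
# Added example, not part of the original post: read the very first packet a
# MySQL server sends, to tell "firewall/bind-address" failures apart from
# "no grant for this host" failures. Server name and port are placeholders.
function ConvertFrom-MySqlFirstPacket {
    param([Parameter(Mandatory)][byte[]] $Bytes)
    # Packet header: 3-byte little-endian payload length, 1-byte sequence id
    if ($Bytes.Length -lt 5) { return [pscustomobject]@{ Kind = 'Unknown'; Detail = 'short read' } }
    $len     = $Bytes[0] + ($Bytes[1] -shl 8) + ($Bytes[2] -shl 16)
    $last    = [Math]::Min($Bytes.Length, 4 + $len) - 1
    $payload = [byte[]]($Bytes[4..$last])
    switch ($payload[0]) {
        0x0A {
            # HandshakeV10: protocol version 10, then a NUL-terminated server version.
            # Getting this far proves TCP, the host firewall and bind-address are fine.
            $end     = [Array]::IndexOf($payload, [byte]0, 1)
            $version = [Text.Encoding]::ASCII.GetString($payload, 1, $end - 1)
            return [pscustomobject]@{ Kind = 'Handshake'; Detail = "MySQL $version is listening" }
        }
        0xFF {
            # ERR packet: 0xFF, 2-byte error code, optional '#'+SQLSTATE, message.
            # The server sends this instead of a handshake when no account row
            # matches the connecting host (error 1130).
            $code = $payload[1] + ($payload[2] -shl 8)
            $msgStart = 3
            if ($payload.Length -gt 3 -and $payload[3] -eq 0x23) { $msgStart = 9 }   # skip '#HY000'
            $msg = [Text.Encoding]::ASCII.GetString($payload, $msgStart, $payload.Length - $msgStart)
            return [pscustomobject]@{ Kind = 'Error'; Detail = "MySQL error $($code): $msg" }
        }
        default { return [pscustomobject]@{ Kind = 'Unknown'; Detail = 'not a MySQL greeting' } }
    }
}

function Test-MySqlEndpoint {
    param([Parameter(Mandatory)][string] $Server, [int] $Port = 3306, [int] $TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            # Silence means packets are being dropped, typically by the host firewall
            return [pscustomobject]@{ Kind = 'Network'; Detail = "no answer on TCP $Port within $TimeoutMs ms" }
        }
        $client.EndConnect($handle)          # throws "actively refused" if nothing listens on that address
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $buf = New-Object byte[] 512
        $n = $stream.Read($buf, 0, $buf.Length)
        if ($n -le 0) { return [pscustomobject]@{ Kind = 'Unknown'; Detail = 'connection closed without a greeting' } }
        return ConvertFrom-MySqlFirstPacket -Bytes ([byte[]]($buf[0..($n - 1)]))
    } catch {
        return [pscustomobject]@{ Kind = 'Network'; Detail = $_.Exception.GetBaseException().Message }
    } finally { $client.Close() }
}

# Constructed sample packets (not captured from a real server) to exercise the parser offline
function New-MySqlPacket([byte[]] $Payload) {
    $n = $Payload.Length
    [byte[]](($n -band 0xFF), (($n -shr 8) -band 0xFF), (($n -shr 16) -band 0xFF), 0) + $Payload
}
$greeting = New-MySqlPacket ([byte[]](0x0A) + [Text.Encoding]::ASCII.GetBytes('5.7.20-sample') + [byte]0)
$refusal  = New-MySqlPacket ([byte[]](0xFF, 0x6A, 0x04) + [Text.Encoding]::ASCII.GetBytes("#HY000Host '10.0.0.5' is not allowed to connect to this MySQL server"))
ConvertFrom-MySqlFirstPacket $greeting
ConvertFrom-MySqlFirstPacket $refusal

# Live check against the server from the post's scenario (placeholder host name):
# Test-MySqlEndpoint -Server 'rhel-server.example' -Port 3306
```

Two caveats worth knowing when reading the result. First, an UPDATE applied directly to the mysql.user table, as in the post, is only picked up after FLUSH PRIVILEGES or a server restart, so an error 1130 immediately after the change is expected until then. Second, a handshake followed by "Access denied" inside Workbench is a grant problem too, but a narrower one: the host matched and only the password or privileges failed. If you have the choice, a dedicated account limited to the administrator's host (user@'10.0.0.5' rather than root@'%') keeps the remote root login the post's warning is about off the table entirely.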

Windows 7/8/10 Can’t Browse Web; Can Ping and TRACERT

I’ve seen this issue twice in as many days – a computer can ping internal and external machines, but cannot browse any websites or use VPN.  Skype may work on the LAN but IE will not connect to any websites (if it starts at all) and Outlook won’t connect to Exchange.

Checkpoint and Gotomeeting fail with error messages at logon.

The usual solutions left me scratching my head:

  • Link light shows connectivity, so it’s not a hardware problem
  • Windows network adapter shows connectivity to network, even recognizes the local domain
  • ARP -D * successful, no errors
  • Uninstall, reinstall adapters in Device Manager (this is helpful when a VPN adapter corrupts TCP/IP)
  • IPCONFIG /FLUSHDNS successful, no errors
  • Windows network adapter diagnose (no problems found)
  • NETSH INT IP RESET c:\resetlog.txt, successful
  • Confirm DNS settings (DNS wasn’t the problem, we can ping external addresses with DNS names)
  • Reset IE, no proxies in use

You can probably see which direction this is going (hint: session layer).  The problem was higher up the OSI model.

NETSH WINSOCK RESET

Remember to run this in an administrative command prompt.  A VPN installation or uninstallation broke Winsock, so it needed to be reset.
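The checklist above works from the bottom of the stack upward, and the symptom that gives the answer away is "ping works, sockets don't". As an added example (not from the original post), the script below runs the same layers in order (DNS, ICMP, a raw TCP connect, an HTTPS request) and names the first one that fails, so the Winsock diagnosis is a reported result rather than a hunch. The host name is illustrative; use one your policy allows.

```powershell
# Added example, not from the original post: test each layer the checklist
# above touches (DNS, ICMP, TCP, HTTPS) so the failing one is named rather
# than guessed. The host name is illustrative; use one your policy allows.
function Get-LayerVerdict {
    param([bool] $Dns, [bool] $Icmp, [bool] $Tcp, [bool] $Http)
    if (-not $Dns)  { return 'DNS resolution failed: check resolver settings first' }
    if (-not $Icmp) { return 'No ICMP reply: link, routing or ICMP filtering' }
    if (-not $Tcp)  { return 'Ping works but TCP sockets fail: Winsock layer suspect (netsh winsock reset)' }
    if (-not $Http) { return 'TCP connects but HTTPS fails: proxy, TLS or an LSP in the Winsock catalog' }
    'All layers OK'
}

function Test-ConnectivityLayers {
    param([string] $HostName = 'www.microsoft.com', [int] $TimeoutMs = 4000)
    $r = [ordered]@{ Host = $HostName; Dns = $false; Icmp = $false; Tcp443 = $false; Http = $false; Verdict = '' }

    # Layer 1: name resolution
    $ip = $null
    try { $ip = ([System.Net.Dns]::GetHostAddresses($HostName))[0]; $r.Dns = $true } catch { }

    # Layer 2: ICMP echo to the resolved address (what "can ping" in the post proves)
    if ($ip) { $r.Icmp = [bool](Test-Connection -ComputerName $ip.IPAddressToString -Count 1 -Quiet -ErrorAction SilentlyContinue) }

    # Layer 3: a plain TCP connect to 443, which goes through Winsock
    if ($ip) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $h = $client.BeginConnect($ip, 443, $null, $null)
            if ($h.AsyncWaitHandle.WaitOne($TimeoutMs)) { $client.EndConnect($h); $r.Tcp443 = $true }
        } catch { } finally { $client.Close() }
    }

    # Layer 4: an actual HTTPS request (proxy, TLS and any LSP come into play here)
    if ($r.Tcp443) {
        try { $null = Invoke-WebRequest -Uri "https://$HostName/" -UseBasicParsing -TimeoutSec 10; $r.Http = $true } catch { }
    }

    $r.Verdict = Get-LayerVerdict -Dns $r.Dns -Icmp $r.Icmp -Tcp $r.Tcp443 -Http $r.Http
    [pscustomobject]$r
}

# Test-ConnectivityLayers | Format-List
```

Before resetting, `netsh winsock show catalog` lists every layered service provider and namespace provider registered on the machine; an entry from a VPN client that has since been removed is the usual leftover behind this symptom, and seeing it confirms the verdict. `netsh winsock reset` rebuilds the catalog from defaults and Windows will ask for a reboot before the change takes effect.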

Connecting to OUTLOOK.COM accounts on Android

I use the default Samsung Mail app that comes with the Galaxy series (I prefer this over every other mobile email app for its use of space, swipe options, appearance and many other features!).  After using NFC to sync my old phone and the new one, my Outlook email opened in the Gmail app, which I definitely do not want to use.  Stranger though, I could not add my Outlook account in order to sync my contacts because the account was already in use.  Removing the account introduced new problems: now I couldn’t add the Outlook.com account at all.

Microsoft changes its supported email clients (goodbye OE and Live Mail, hello Windows Mail or the browser).  Compounding the issue are the constantly changing addresses from which your account will retrieve mail – remember, these are statically set on a mobile device or a client, not automatically redirected with DNS as when you are using the web interface.

The Fix

Let’s re-add the account.  On the “Add new account” page I enter the address and password, then tap “Sign In”.   Easy enough, right?

Nope.  When I click “Sign In”, I’m stuck at the “Checking incoming server settings” message forever.  I left it this way for 30 minutes and it would not progress.

So I tried Manual settings.   Everything looks normal, since I set this up on my previous replacement phone a couple of weeks ago.

A number of Microsoft help pages tell you to use alternate mail servers: m.hotmail.com, s.outlook.com, among others.  None of the suggested addresses yielded different results.

On a hunch, I tried using “m” (which I can only assume is for “mobile”) in front of “outlook.com”.

And I was right: the server that worked for me was m.outlook.com.

Windows Smart Screen prevented an unrecognized app from starting

That’s weird.  All I’m trying to do is install Microsoft SQL 2014, downloaded from the Microsoft site, on an Internet-connected computer.

There is no option to “run anyway” as there used to be.  But you can circumvent this thin layer of protection in the file’s properties:

  • Right-click the file and click “Properties”.
  • Check the “Unblock” box at the bottom of the Properties page and then click “OK”.

Now you can run the file with the usual UAC or SmartScreen prompts.
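What the “Unblock” checkbox actually removes is the Zone.Identifier alternate data stream that the browser attached on download (the "Mark of the Web"), which is what SmartScreen keys on. The script below is an added example, not code from the original post: it reads that stream so you can see where the file came from, and only removes it when the file's Authenticode signature is valid and issued to the publisher you expect, which is the check you would want before unblocking an installer that SmartScreen has flagged. The file path and expected subject are placeholders.

```powershell
# Added example, not from the original post: inspect the Mark of the Web that
# SmartScreen reacts to, and only remove it when the file carries a valid
# Authenticode signature from the publisher you expect. Path is a placeholder.
function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string] $Path)
    # Downloaded files carry an NTFS alternate data stream named Zone.Identifier
    $stream = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $fields = @{}
    foreach ($line in Get-Content -Path $Path -Stream Zone.Identifier) {
        if ($line -match '^(\w+)=(.*)$') { $fields[$matches[1]] = $matches[2] }
    }
    [pscustomobject]@{
        ZoneId      = [int]$fields['ZoneId']        # 3 = Internet, 4 = Restricted sites
        ReferrerUrl = $fields['ReferrerUrl']        # present on newer browsers, may be empty
        HostUrl     = $fields['HostUrl']
    }
}

function Unblock-IfSigned {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string] $Path,
        [string] $ExpectedSubject = 'CN=Microsoft Corporation'   # publisher you expect; adjust per file
    )
    $motw = Get-MarkOfTheWeb -Path $Path
    if (-not $motw) { return 'No Zone.Identifier stream: nothing to unblock' }

    # Status 'Valid' means the signature verifies and the chain builds to a trusted root
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return "Left blocked: signature status is $($sig.Status)"
    }
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSubject*") {
        return "Left blocked: signed by $($sig.SignerCertificate.Subject), not $ExpectedSubject"
    }
    if ($PSCmdlet.ShouldProcess($Path, 'Remove Zone.Identifier')) {
        Unblock-File -Path $Path   # same effect as the Properties > Unblock checkbox
    }
    "Unblocked (was zone $($motw.ZoneId), downloaded from $($motw.HostUrl))"
}

# Usage (placeholder path):
# Unblock-IfSigned -Path 'C:\Downloads\SQLEXPR_x64_ENU.exe' -WhatIf
# Unblock-IfSigned -Path 'C:\Downloads\SQLEXPR_x64_ENU.exe'
```

Unblock-File does the same thing as the checkbox in the post, so the value of the wrapper is the refusal path: a file with no signature, a broken signature, or a signer other than the one you expected stays blocked and the reason is printed. The HostUrl from the stream is also a quick way to confirm the download really came from the site you thought it did.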

Windows Task Scheduler History Disabled

Your Task Scheduler may tell you that History is disabled when you view a task’s properties.

This is a program setting that must be turned on for all of Task Scheduler.  To turn on History, open Task Scheduler and in the Actions Pane (the pane on the right), click “Enable All Tasks History”.

You can figure out the rest.
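The “Enable All Tasks History” action turns on the Microsoft-Windows-TaskScheduler/Operational event log, which is also where a defender looks for tasks that were registered or changed without anyone's knowledge. As an added example (not from the original post), the following enables that log from an elevated prompt with the built-in wevtutil tool and pulls the most useful events from it; the event IDs are the documented Task Scheduler ones, and the time window is an assumption you can change.

```powershell
# Added example, not from the original post: the "Enable All Tasks History"
# action turns on the Microsoft-Windows-TaskScheduler/Operational log; this
# enables it from an elevated prompt and pulls the events a defender reads first.
function Enable-TaskHistory {
    # wevtutil is built in; /enabled:true is the same switch the GUI flips
    wevtutil set-log Microsoft-Windows-TaskScheduler/Operational /enabled:true
    # Echo back the 'enabled:' line so the caller can confirm it took effect
    (wevtutil get-log Microsoft-Windows-TaskScheduler/Operational) -match '^enabled:'
}

function Get-RecentTaskActivity {
    param([int] $Hours = 24)   # window is an assumption; widen it for a retrospective look
    # 106 = task registered, 140 = task updated, 141 = task deleted,
    # 200/201 = action started/completed. New registrations (106) are the
    # ones to review first when looking for persistence.
    $filter = @{
        LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
        Id        = 106, 140, 141, 200, 201
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Task    = $_.Properties[0].Value   # task path is the first property on these events
                Detail  = $_.Properties[1].Value   # user for 106/140/141, action path for 200/201
                Message = ($_.Message -split "`n")[0]
            }
        }
}

# Enable-TaskHistory
# Get-RecentTaskActivity -Hours 72 | Where-Object Id -eq 106 | Format-Table -AutoSize
```

Until the log is enabled nothing is recorded, so the first query after turning it on will be empty; the point of enabling it before you need it is that the registration event is the only record of who created a task and when.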

Which Security Suite Should You Use?

I’m regularly asked by clients which security suite is best, and which antivirus will “guarantee” against virus or spyware infection.  The first question has no single correct answer; the second has no answer. 

Computer viruses existed well before the ubiquitous World Wide Web we know today; before Google, AOL and even Microsoft.  Before high-speed Internet was commonplace, viruses could travel from PC to PC via floppy disks or CD-ROMs (we called this “sneakernet”).  Some viruses could be avoided by simply not booting your computer on a particular day (Michelangelo virus), while others could be detected and removed with simple tools such as Microsoft’s MSAV (included with MS-DOS until version 6.22).

Today your computer is constantly at some risk of virus, malware or spyware infection, URL redirects, and drive-by downloads.  But your computer isn’t at risk for every virus and every drive-by download. Windows Vista and later versions incorporate User Account Control, which can halt the system and warn you before running an unknown executable.  Acrobat Reader, Flash and Shockwave regularly find themselves at the top of the list of “most vulnerable software” titles along with Java – so if you don’t use them, the DDOS and remote-control exploits won’t apply to you. If you do use them, keep them patched and updated!

These risks, however real, exist at varying levels. Your PC’s risk is best measured by your own activities. In an office setting where machines are regularly updated and monitored and casual web browsing is discouraged or outright forbidden, the risks of any type of infection are very low. Office intranets are typically not a fertile breeding ground for malware. Households with teenage computer users or compulsive file sharers, on the other hand, may experience a higher incidence of hijackers, viruses and other sorts of malware.

Keep in mind, security is a moving target.  Symantec, McAfee, Kaspersky and Microsoft are constantly releasing updates and definitions to keep their subscribers protected.  But the techniques employed by writers of these malicious programs are changing as well.  And even as new variants of Zafi, NetSky and MyDoom are released, the old versions continue to make their rounds, ostensibly hoping for an unpatched, unprotected computer to infect.

Protection levels are not absolutes and they are not universal.  More protection means lowered usability and diminished performance.  Software firewalls and on-access virus scanners are very demanding on your CPU and RAM, but that’s part of the tradeoff.  You should never surrender a reasonable level of security for performance.  If your PC has become unbearably sluggish due to its security suite, it’s time for a part upgrade or a new PC.

Here is what I look for when determining an ideal protection suite for an individual machine:

  • What is this user doing on his / her computer?  What is the environment?  (Corporate office = low risk)
  • Will this machine spend most of its uptime editing locally stored  Word documents and checking email in a browser? (Boring activities = lower risks)
  • How many people will use this machine?  (More users = higher risks)
  • Is this machine running a fairly modern operating system?  (Windows 7 = pretty good, Windows XP = not so great)
  • Is this machine regularly updated and patched (Flash, Java, Adobe Reader, etc.)?
  • Does this computer have a history of virus infections and OS reinstalls? Trends are trends.
  • Does this computer have an unusually large library of uncategorized media named in all lower-case letters?

For a low-risk machine, I feel reasonably safe recommending Microsoft’s Security Essentials or Avast! Essential and Windows’ own Advanced Firewall.  For a machine with multiple users or some history of infection or hijacks, I still can’t comfortably recommend purchasing a retail version of any security software since your dollars will not buy you a guarantee against virus or malware infections.  Corporate installations require a high degree of customizability, centralized management and reporting, so corporate products exist in a different universe from their retail counterparts.

To further lock down your computer, take steps to immunize against compromised DNS servers and drive-by downloads by using SecureDNS or ThreatFire. 

For every machine, keep a local copy of Combofix, Spybot Search & Destroy and Malwarebytes’ Anti-Malware available just in case.

That Damned Whistler Bootkit

Worse than a 404 error or a “Wireless Network Not Found” notification, more horrifying than any Trojan or worm (short of CryptoLocker); more confounding and infuriating than any popup ad, reappearing toolbar or spyware… your computer has a problem.  It’s infected with something, and it’s a bootkit.

“What’s a bootkit?  You mean rootkit, right?”  No, it’s a bootkit, and here’s the difference:  a rootkit is subversive, usually malicious, code designed to evade detection and removal.  Typically, a rootkit will entrench itself in the Windows registry or attach itself to the Windows or Linux kernel. Modern rootkits can steal passwords and files, make your computer a spam-bot or transparently log your keystrokes.  There are legitimate uses for rootkits, but most of these are “legitimate” in the same way flamethrowers are “legal” in most states. Rootkits are detected and removed by most consumer-grade antivirus and antispyware programs; free removal tools include Malwarebytes’ Anti-Malware and AVG Anti-Rootkit Free.

A bootkit is similar in deed but exceedingly more difficult to detect and remove.   A bootkit resides on the master boot record of your hard drive, executing code before any user is logged in and before your antivirus is active.  These processes are invisible to your operating system and antivirus, and can be executed with administrative permissions on any NT-based machine, even in safe mode, even on 64-bit machines.  Scary, huh?

There are a few fairly accurate ways I’ve come across to detect bootkit activity without a utility (this assumes, of course, that you have already resolved the mouse chatter, screen flicker, pop-ups and browser redirects):

  • Random music or internet commercials play – and iexplore.exe respawns in Task Manager without a parent window. 
  • Network connections intermittently lock up for a few seconds at a time, booting network users from network drives, applications or printers.
  • Blue- or black-screen startups even though your antivirus, antimalware and Scandisk reveal no errors; Event Viewer logs are a dead end; your errors seem tied to power supply, video or network drivers and you’re sure your hardware is fine.
  • After your antivirus does remove a stubborn infection, your machine fails to boot with messages such as “Missing Operating System” or “Primary Boot Drive Not Detected”.

So how do you remove a bootkit?  There are some third-party utilities to detect and remove bootkits, but I’ve had mixed success with them.  MBRCheck is very effective at detecting an infected MBR, but when it comes to removal the most straightforward method is the command prompt: you need to write yourself a new MBR.
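What a tool like MBRCheck does at its core is read the first 512-byte sector of the disk and compare the boot code against what it expects. The following is an added example, not code from the original post or from MBRCheck: it reads that sector (administrator rights required), checks the 55 AA signature, lists the partition entries, and hashes the boot-code region so it can be compared with a hash you recorded while the machine was known-good. No known-good or known-bad hashes are claimed here; the baseline is a placeholder you supply, and the sample sector at the end is constructed for the example.

```powershell
# Added example, not part of the original post: read the first sector of a disk
# and summarise it, so an MBR can be compared against a hash taken when the
# machine was known-good. Requires an elevated prompt. The baseline hash is a
# placeholder you record yourself; no known-bad hashes are claimed here.
function Get-MbrSummary {
    param([Parameter(Mandatory)][byte[]] $Sector)
    if ($Sector.Length -ne 512) { throw "Expected 512 bytes, got $($Sector.Length)" }
    # Layout: 0x000-0x1B7 boot code, 0x1B8 disk signature, 0x1BE partition table, 0x1FE 55 AA
    $bootCode = $Sector[0..0x1B7]
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ($sha.ComputeHash($bootCode) | ForEach-Object { $_.ToString('x2') }) -join ''
    $parts = for ($i = 0; $i -lt 4; $i++) {
        $o = 0x1BE + 16 * $i
        if ($Sector[$o + 4] -eq 0) { continue }   # partition type 0 = empty slot
        [pscustomobject]@{
            Index    = $i
            Bootable = ($Sector[$o] -eq 0x80)
            Type     = '0x{0:X2}' -f $Sector[$o + 4]
            StartLba = [BitConverter]::ToUInt32($Sector, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }
    [pscustomobject]@{
        ValidSignature = ($Sector[0x1FE] -eq 0x55 -and $Sector[0x1FF] -eq 0xAA)
        BootCodeSha256 = $hash
        Partitions     = @($parts)
    }
}

function Read-Mbr {
    param([string] $Device = '\\.\PhysicalDrive0')
    # Raw device access needs administrator rights; FileShare.ReadWrite because Windows keeps the disk open
    $fs = New-Object System.IO.FileStream($Device, [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 512
        $null = $fs.Read($buf, 0, 512)
        $buf
    } finally { $fs.Dispose() }
}

function Compare-MbrBaseline {
    param([Parameter(Mandatory)][byte[]] $Sector, [Parameter(Mandatory)][string] $BaselineSha256)
    $s = Get-MbrSummary -Sector $Sector
    [pscustomobject]@{
        ValidSignature  = $s.ValidSignature
        BootCodeChanged = ($s.BootCodeSha256 -ne $BaselineSha256.ToLower())
        BootableCount   = @($s.Partitions | Where-Object { $_.Bootable }).Count   # anything but 1 deserves a look
    }
}

# Constructed sample sector (not from a real disk): one bootable NTFS-type partition
$sample = New-Object byte[] 512
$sample[0x1BE] = 0x80; $sample[0x1BE + 4] = 0x07
[BitConverter]::GetBytes([uint32]2048).CopyTo($sample, 0x1BE + 8)
[BitConverter]::GetBytes([uint32]204800).CopyTo($sample, 0x1BE + 12)
$sample[0x1FE] = 0x55; $sample[0x1FF] = 0xAA
Get-MbrSummary -Sector $sample

# On a real machine (elevated): record the hash while healthy, compare later
# (Get-MbrSummary -Sector (Read-Mbr)).BootCodeSha256 | Set-Content C:\baseline\mbr.sha256
# Compare-MbrBaseline -Sector (Read-Mbr) -BaselineSha256 (Get-Content C:\baseline\mbr.sha256)
```

Two things to keep in mind when reading the output. A changed boot-code hash is not proof of infection by itself, since a legitimate OS repair or a different boot manager also rewrites that region, so the baseline should be refreshed after any such change. And because a bootkit's code runs before the operating system and can filter what the OS sees on disk, a clean result from a read taken on the running machine is weaker evidence than the same read taken from boot media.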

How to write yourself a new MBR in XP, Vista or 7… coming soon.