Small Business Server 2011 migration issues

March 7th, 2011

Here are some of the common issues I’ve run into on back-to-back migrations from Microsoft Small Business Server 2003 to Small Business Server 2011:

Error: Object not found when trying to migrate mailboxes from Exchange 2003
Solution: Add the SBS 2011 computer object to the “Exchange Domain Servers” group manually. Reboot SBS 2011 to complete the process.

Error: Trying to log in to Outlook Web Access results in IIS server error 500
Solution: Ensure that the Microsoft Exchange Forms-Based Authentication service is started. One way to ensure it starts in the future is to change the service startup type to Automatic (Delayed Start).

How To: Easiest way to migrate shares from SBS 2003 to SBS 2011
Ycopy (it has an easy-to-use GUI). Whatever copy tool you use, check the NTFS permissions on the destination afterwards, and remember that share permissions are not stored in the file system at all: they have to be recreated on the new server.

How To: Migrating Recipient Policies and Address Lists (run these in the Exchange Management Shell on the SBS 2011 server; they convert the legacy Exchange 2003 LDAP filters into OPATH filters that Exchange 2010 can manage)
Get-EmailAddressPolicy | where {$_.RecipientFilterType -eq "Legacy"} | Set-EmailAddressPolicy -IncludedRecipients AllRecipients
Set-AddressList "All Users" -IncludedRecipients MailboxUsers
Set-AddressList "All Groups" -IncludedRecipients Mailgroups
Set-AddressList "All Contacts" -IncludedRecipients MailContacts
Set-AddressList "Public Folders" -RecipientFilter {RecipientType -eq "PublicFolder"}
Set-GlobalAddressList "Default Global Address List" -RecipientFilter {(Alias -ne $null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' -or ObjectClass -eq 'msExchSystemMailbox' -or ObjectClass -eq 'msExchDynamicDistributionList' -or ObjectClass -eq 'group' -or ObjectClass -eq 'publicFolder'))}

Outlook error: Cannot open default mail folders
Option 1. Verify the Microsoft Exchange RPC Client Access service is running.
Option 2. Set-RpcClientAccess -Server server_name -EncryptionRequired $False
Option 2 removes the Exchange 2010 requirement that Outlook encrypt its MAPI/RPC traffic. Outlook 2003 does not turn that encryption on by default, which is what triggers the error; the better fix is to enable the "encrypt data between Outlook and Exchange" option in the Outlook profile (or push it by policy) and leave the server requirement in place. If you do use Option 2, treat it as a stopgap and set it back to $True once the clients are sorted out.

Running Barracuda Spam and Virus Firewall 300 out of Hyper-V

March 2nd, 2011

First of all, thanks very much to this blog: http://blog.shiraj.com/?p=49 without it, I wouldn’t have been able to get as far as I did. Anyways, now on to virtualizing a Barracuda Spam and Virus Firewall–

Things you will need:
1. Barracuda E-mail Spam Filter
2. Windows 2008 R2 Hyper-V server (VMWare probably works too… only thing I wouldn’t be sure of is how VMware portrays the mount points and what drivers it uses for legacy network adapters)
3. Acronis True Image (or similar bootable “ghosting” media)

The first step is to make an image of a Barracuda. Using the BIOS code from the aforementioned blog, login to the BIOS of the Barracuda and enable Boot from CD as the first boot option. Then connect a USB CD-ROM drive with Acronis True Image. Also connect a USB hard drive with enough space to accommodate at least 32GB worth of data.

Create the TIB image of the entire drive. Remove the USB drive when you are done and connect it to your Windows 2008 R2 Hyper-V server. Create a new virtual machine with 1 CPU, about 1 GB RAM (my 300 only came with 512 MB… max 2 GB according to the motherboard specifications) and a legacy network adapter. I also turned on Windows NT CPU support just to play it safe. Remove the SCSI controller and create a fixed 32 GB VHD for the OS. Attach an ISO of Acronis True Image and boot the VM to Acronis.

I created a second VHD in the host OS and copied the TIB file into it, then mounted the VHD as a secondary IDE drive. This was the easiest way to get the VM to restore the TIB file… plus at any time I can reboot into Acronis and reimage my system.

Restore the image and reboot. You will want to follow the steps from the previously mentioned blog to gain root access. This is necessary to make the network card work: the appliance’s onboard NIC uses the via-rhine driver, while the Hyper-V legacy adapter emulates a DEC 21140, which the tulip driver supports. Once you have root access, modify the /etc/modules.conf file and change the eth0 alias to use “tulip” instead of “via-rhine.” Type modprobe tulip to verify, then ifconfig to double check that eth0 is now available. Keep in mind that the restored image is a full copy of the appliance, including its configuration, queued mail and stored credentials, so protect the TIB and VHD files as carefully as the appliance itself.

This is a great way to avoid having to purchase instant replacement, and in a suitable backup environment… disaster recovery is a breeze if you back up your virtual machines for instant disaster recovery. Creating the image doesn’t void the warranty as long as you can avoid opening the case. However, if you ever experience problems… hopefully they don’t notice your hardware specs :) I’m not sure how much lspci differs from appliance to virtual machine, I haven’t gotten that deep into it yet.

Just an FYI, if you ever need to manually update firmware because the web interface is broken… look for /home/emailswitch/code/firmware/current/bin/update.pl and run update.pl with the argument “firmware”

i.e. ./update.pl firmware

Add -c at the end to perform a check only.

Just about every function of the web site is a perl script… doing some cat/grep operations on the index.cgi should help you out if you are ever in a bind.

Lab in a Box

March 2nd, 2011

If you are on a budget, but you have a Cisco PIX 515, a Cisco layer-3 switch (I’m using a 3550) and an HP DL/ML 3-series server, you can create an entire lab with just these three devices. Obviously, it doesn’t have to be Cisco or HP… as long as the firewall supports trunking and VLAN subinterfaces, the switch supports VRF routing and the server supports trunking/VLANs, you should be able to adapt this to any setup.

Let’s start with the core switch. The VRFs keep the “internet” side and each private network in separate routing tables, so the PIX is the only path between them; without them the layer-3 switch would route straight between the VLANs and bypass the firewall. (Note that 1.1.1.0/24 is real, allocated public address space; if this lab ever touches a real network, swap in an RFC 5737 documentation range such as 192.0.2.0/24.) Here is the relevant config from the 3550 I’m using:

ip vrf INET
rd 2600:2
route-target export 2600:2
ip vrf NET1
rd 2600:3
route-target export 2600:3
ip vrf NET2
rd 2600:4
route-target export 2600:4

interface FastEthernet0/1
description Trunk to HP Server
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-4
switchport mode trunk
no ip address
spanning-tree portfast

interface FastEthernet0/10
description Uplink to PIX Outside
switchport access vlan 2
switchport mode access
no ip address
spanning-tree portfast

interface FastEthernet0/11
description Trunk to PIX Inside
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 3-5
switchport mode trunk
no ip address
spanning-tree portfast

interface Vlan2
description LAB-INET
ip vrf forwarding INET
ip address 1.1.1.1 255.255.255.0

interface Vlan3
description LAB-NET1
ip vrf forwarding NET1
ip address 192.168.10.254 255.255.255.0

interface Vlan4
description LAB-NET2
ip vrf forwarding NET2
ip address 192.168.20.254 255.255.255.0

ip route vrf NET1 0.0.0.0 0.0.0.0 192.168.10.1
ip route vrf NET2 0.0.0.0 0.0.0.0 192.168.20.1

Here is the relevant config on the Cisco PIX (7.x-style syntax; the two subinterfaces on Ethernet1 carry VLANs 3 and 4 from the trunk on Fa0/11). OUTSIDE_IN is deliberately permit ip any any because this is a lab; don’t copy that part anywhere real.

interface Ethernet0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0

interface Ethernet1
no nameif
security-level 100
no ip address

interface Ethernet1.10
vlan 3
nameif inside-net1
security-level 100
ip address 192.168.10.1 255.255.255.0

interface Ethernet1.20
vlan 4
nameif inside-net2
security-level 100
ip address 192.168.20.1 255.255.255.0

access-list OUTSIDE_IN extended permit ip any any

global (outside) 6 1.1.1.4
global (outside) 7 1.1.1.5

nat (inside-net1) 6 192.168.10.0 255.255.255.0
nat (inside-net2) 7 192.168.20.0 255.255.255.0

access-group OUTSIDE_IN in interface outside

route outside 0.0.0.0 0.0.0.0 1.1.1.1 1

On the HP server, configure the trunk interface to have vlan 1, vlan 2, vlan 3 and vlan 4 (name the interfaces appropriately, assign them IP addresses). I used the following IPs:

vlan 1 (n/a)

vlan 2 1.1.1.3

vlan 3 192.168.10.2

vlan 4 192.168.20.2

Then, on the HP server install VMWare Server (free). Configure the VM networks to be bridged to vlan 2, 3 and 4.

Provision a virtual server on each interface and assign a corresponding bridged network.

You now have an “internet” server and two “private” servers behind NAT. On the “internet” server, setup DNS and assign the other servers to use it for DNS.

To test that I had NAT and firewall working properly, I installed IIS on each server and configured a host header and the appropriate DNS A records on the “internet” server.

I set each website to use index.asp (enabled ASP first) and used the following code:

<html>
<head>
<title>Teh Interwebs</title>
</head>
<body>
Welcome to teh interwebs.
Your IP Address = <%=Request.ServerVariables("REMOTE_ADDR")%>
</body>
</html>

You should be able to hit each website and have the correct “WAN” IP address display on each website. Reaching a private server from the “internet” side additionally needs a static translation on the PIX for that host (a static (inside-net1,outside) entry), because the dynamic global addresses only create translations for outbound connections, and the permit ip any any on outside can’t let anything in without one. If you can successfully hit the “internet” from each server, and each server from the “internet”, then you have a working setup. You can now dcpromo, install Exchange… do whatever it is that you want to test. Modify my setup slightly, and you can test DMZ configurations, among other things.

How To: Updating Trixbox to support additional multi purpose lines (Grandstream)

January 24th, 2011

This example is for a Grandstream GXP2010. The basic logic applies to the other Grandstream phones as well (GXP2000, 2020, etc.), and you can extend it further to program extension modules.

Step 1: Update the device edit page
nano /var/www/html/maint/modules/endpointcfg/templates/endpoint_Grandstream_edit.tpl

Add the following to extend the form from 7 multi-purpose keys to 18 (one block per key, following the same pattern as the existing key1 to key7 entries in the template):


{translation charString = $MULTIPURPOSEKEY8 language = $trixbox_language} {translation charString = $MODE language = $trixbox_language}:{html_options name=key8_mode options=$key_mode_list selected=$phone.key8_mode} {translation charString = $NAME language = $trixbox_language}:

{translation charString = $NUMBER language = $trixbox_language}:

{translation charString = $MULTIPURPOSEKEY9 language = $trixbox_language} {translation charString = $MODE language = $trixbox_language}:{html_options name=key9_mode options=$key_mode_list selected=$phone.key9_mode} {translation charString = $NAME language = $trixbox_language}:

{translation charString = $NUMBER language = $trixbox_language}:

{translation charString = $MULTIPURPOSEKEY10 language = $trixbox_language} {translation charString = $MODE language = $trixbox_language}:{html_options name=key10_mode options=$key_mode_list selected=$phone.key10_mode} {translation charString = $NAME language = $trixbox_language}:

{translation charString = $NUMBER language = $trixbox_language}:

{translation charString = $MULTIPURPOSEKEY11 language = $trixbox_language} {translation charString = $MODE language = $trixbox_language}:{html_options name=key11_mode options=$key_mode_list selected=$phone.key11_mode} {translation charString = $NAME language = $trixbox_language}:

{translation charString = $NUMBER language = $trixbox_language}:

{translation charString = $MULTIPURPOSEKEY12 language = $trixbox_language} {translation charString = $MODE language = $trixbox_language}:{html_options name=key12_mode options=$key_mode_list selected=$phone.key12_mode} {translation charString = $NAME language = $trixbox_language}:

{translation charString = $NUMBER language = $trixbox_language}:

{translation charString = $MULTIPURPOSEKEY13 language = $trixbox_language} {translation charString = $MODE language = $trixbox_language}:{html_options name=key13_mode options=$key_mode_list selected=$phone.key13_mode} {translation charString = $NAME language = $trixbox_language}:

{translation charString = $NUMBER language = $trixbox_language}:

{translation charString = $MULTIPURPOSEKEY14 language = $trixbox_language} {translation charString = $MODE language = $trixbox_language}:{html_options name=key14_mode options=$key_mode_list selected=$phone.key14_mode} {translation charString = $NAME language = $trixbox_language}:

{translation charString = $NUMBER language = $trixbox_language}:

{translation charString = $MULTIPURPOSEKEY15 language = $trixbox_language} {translation charString = $MODE language = $trixbox_language}:{html_options name=key15_mode options=$key_mode_list selected=$phone.key15_mode} {translation charString = $NAME language = $trixbox_language}:

{translation charString = $NUMBER language = $trixbox_language}:

{translation charString = $MULTIPURPOSEKEY16 language = $trixbox_language} {translation charString = $MODE language = $trixbox_language}:{html_options name=key16_mode options=$key_mode_list selected=$phone.key16_mode} {translation charString = $NAME language = $trixbox_language}:

{translation charString = $NUMBER language = $trixbox_language}:

{translation charString = $MULTIPURPOSEKEY17 language = $trixbox_language} {translation charString = $MODE language = $trixbox_language}:{html_options name=key17_mode options=$key_mode_list selected=$phone.key17_mode} {translation charString = $NAME language = $trixbox_language}:

{translation charString = $NUMBER language = $trixbox_language}:

{translation charString = $MULTIPURPOSEKEY18 language = $trixbox_language} {translation charString = $MODE language = $trixbox_language}:{html_options name=key18_mode options=$key_mode_list selected=$phone.key18_mode} {translation charString = $NAME language = $trixbox_language}:

{translation charString = $NUMBER language = $trixbox_language}:

Step 2: Update the SQL table. The dump-and-restore route below works best if you remove all phones first; otherwise it gets a bit complicated. (An ALTER TABLE Grandstream ADD COLUMN statement per new column does the same job in place and keeps the existing rows, if you would rather not remove the phones.)

Use this to dump the table:

mysqldump -c -u root -ppassw0rd endpoints Grandstream > endpoints.Grandstream.sql

(-c makes mysqldump write complete column lists in the INSERT statements, which is what you edit below. A password given on the command line as -ppassw0rd shows up in ps output and in your shell history; use a bare -p to be prompted for it instead.)

Edit the file you just made by adding the following to the CREATE TABLE column list, after the existing key7 columns:

`key8_mode` varchar(255) NOT NULL default '',
`key8_name` varchar(255) NOT NULL default '',
`key8_userid` varchar(255) NOT NULL default '',
`key9_mode` varchar(255) NOT NULL default '',
`key9_name` varchar(255) NOT NULL default '',
`key9_userid` varchar(255) NOT NULL default '',
`key10_mode` varchar(255) NOT NULL default '',
`key10_name` varchar(255) NOT NULL default '',
`key10_userid` varchar(255) NOT NULL default '',
`key11_mode` varchar(255) NOT NULL default '',
`key11_name` varchar(255) NOT NULL default '',
`key11_userid` varchar(255) NOT NULL default '',
`key12_mode` varchar(255) NOT NULL default '',
`key12_name` varchar(255) NOT NULL default '',
`key12_userid` varchar(255) NOT NULL default '',
`key13_mode` varchar(255) NOT NULL default '',
`key13_name` varchar(255) NOT NULL default '',
`key13_userid` varchar(255) NOT NULL default '',
`key14_mode` varchar(255) NOT NULL default '',
`key14_name` varchar(255) NOT NULL default '',
`key14_userid` varchar(255) NOT NULL default '',
`key15_mode` varchar(255) NOT NULL default '',
`key15_name` varchar(255) NOT NULL default '',
`key15_userid` varchar(255) NOT NULL default '',
`key16_mode` varchar(255) NOT NULL default '',
`key16_name` varchar(255) NOT NULL default '',
`key16_userid` varchar(255) NOT NULL default '',
`key17_mode` varchar(255) NOT NULL default '',
`key17_name` varchar(255) NOT NULL default '',
`key17_userid` varchar(255) NOT NULL default '',
`key18_mode` varchar(255) NOT NULL default '',
`key18_name` varchar(255) NOT NULL default '',
`key18_userid` varchar(255) NOT NULL default '',

and this to the column list of the INSERT statement(s), after key7_userid:

, `key8_mode`, `key8_name`, `key8_userid`, `key9_mode`, `key9_name`, `key9_userid`, `key10_mode`, `key10_name`, `key10_userid`, `key11_mode`, `key11_name`, `key11_userid`, `key12_mode`, `key12_name`, `key12_userid`, `key13_mode`, `key13_name`, `key13_userid`, `key14_mode`, `key14_name`, `key14_userid`, `key15_mode`, `key15_name`, `key15_userid`, `key16_mode`, `key16_name`, `key16_userid`, `key17_mode`, `key17_name`, `key17_userid`, `key18_mode`, `key18_name`, `key18_userid`

Use this to restore the table: mysql -u root -ppassw0rd endpoints < endpoints.Grandstream.sql

Step 3: Update Grandstream defaults:

nano /tftpboot/Grandstream_GXP2010_Default.txt

Add:

# Multi Purpose Key 8
# ------------------------------------------

# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4
P354 = 0

# Multi Purpose Key 9
# ------------------------------------------

# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4
P358 = 0

# Multi Purpose Key 10
# ------------------------------------------

# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4
P362 = 0

# Multi Purpose Key 11
# ------------------------------------------

# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4
P366 = 0

# Multi Purpose Key 12
# ------------------------------------------

# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4
P370 = 0

# Multi Purpose Key 13
# ------------------------------------------

# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4
P374 = 0

# Multi Purpose Key 14
# ------------------------------------------

# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4
P378 = 0

# Multi Purpose Key 15
# ------------------------------------------

# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4
P382 = 0

# Multi Purpose Key 16
# ------------------------------------------

# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4
P386 = 0

# Multi Purpose Key 17
# ------------------------------------------

# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4
P390 = 0

# Multi Purpose Key 18
# ------------------------------------------

# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4
P394 = 0

Step 4: Edit global variables for Grandstream conversion

edit /var/www/html/maint/modules/endpointcfg/libs/trixbox.php and add the following:
$GrandstreamConvert['key8_mode'] = 353 ;
$GrandstreamConvert['key8_name'] = 355 ;
$GrandstreamConvert['key8_userid'] = 356 ;
$GrandstreamConvert['key9_mode'] = 357 ;
$GrandstreamConvert['key9_name'] = 359 ;
$GrandstreamConvert['key9_userid'] = 360 ;
$GrandstreamConvert['key10_mode'] = 361 ;
$GrandstreamConvert['key10_name'] = 363 ;
$GrandstreamConvert['key10_userid'] = 364 ;
$GrandstreamConvert['key11_mode'] = 365 ;
$GrandstreamConvert['key11_name'] = 367 ;
$GrandstreamConvert['key11_userid'] = 368 ;
$GrandstreamConvert['key12_mode'] = 369 ;
$GrandstreamConvert['key12_name'] = 371 ;
$GrandstreamConvert['key12_userid'] = 372 ;
$GrandstreamConvert['key13_mode'] = 373 ;
$GrandstreamConvert['key13_name'] = 375 ;
$GrandstreamConvert['key13_userid'] = 376 ;
$GrandstreamConvert['key14_mode'] = 377 ;
$GrandstreamConvert['key14_name'] = 379 ;
$GrandstreamConvert['key14_userid'] = 380 ;
$GrandstreamConvert['key15_mode'] = 381 ;
$GrandstreamConvert['key15_name'] = 383 ;
$GrandstreamConvert['key15_userid'] = 384 ;
$GrandstreamConvert['key16_mode'] = 385 ;
$GrandstreamConvert['key16_name'] = 387 ;
$GrandstreamConvert['key16_userid'] = 388 ;
$GrandstreamConvert['key17_mode'] = 389 ;
$GrandstreamConvert['key17_name'] = 391 ;
$GrandstreamConvert['key17_userid'] = 392 ;
$GrandstreamConvert['key18_mode'] = 393 ;
$GrandstreamConvert['key18_name'] = 395 ;
$GrandstreamConvert['key18_userid'] = 396 ;

Now add your devices and reboot your phones… The same logic can be used to add functionality for extension modules and newer Grandstream phones (the newest GXP2010 added several multi-purpose buttons).
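The three hand-edited pieces above all follow one rule: each multi-purpose key owns four consecutive P-values, starting at P353 for key 8, in the order mode, account, name, userid (which is why the PHP map skips 354, 358, … and the tftpboot defaults set exactly those). The script below is an added example, not anything shipped with Trixbox: it generates all three pieces from that rule for any key range, and emits the SQL as ALTER TABLE statements so the phones don’t have to be removed first. It assumes only that the table is called Grandstream in the endpoints database, as in the mysqldump line above.

```python
"""Generate the Trixbox endpoint additions for Grandstream multi-purpose keys.

Added example, not Trixbox code. Rule taken from the values in the post:
key N (N >= 8) owns P-values base..base+3 with base = 353 + 4 * (N - 8),
in the order mode, account, name, userid.
"""

FIRST_KEY = 8           # first key whose P-values the post lists
FIRST_P = 353           # key 8 mode; account 354, name 355, userid 356
FIELDS = ("mode", "account", "name", "userid")
DB_FIELDS = ("mode", "name", "userid")   # the endpoints table has no account column;
                                         # account is fixed in the tftpboot defaults


def p_values(key):
    """Return {field: P-value} for one multi-purpose key."""
    if key < FIRST_KEY:
        raise ValueError("P-value layout only verified for key 8 and up")
    base = FIRST_P + 4 * (key - FIRST_KEY)
    return {field: base + offset for offset, field in enumerate(FIELDS)}


def sql_alter(keys, table="Grandstream"):
    """Step 2 as ALTER TABLE: adds the columns in place, existing phones kept.
    Assumes the table name Grandstream (from the mysqldump line in the post)."""
    cols = [
        "  ADD COLUMN `key%d_%s` varchar(255) NOT NULL DEFAULT ''" % (k, f)
        for k in keys for f in DB_FIELDS
    ]
    return "ALTER TABLE `%s`\n%s;" % (table, ",\n".join(cols))


def tftp_defaults(keys):
    """Step 3: the per-key default-account block for Grandstream_GXP2010_Default.txt."""
    lines = []
    for k in keys:
        lines += [
            "# Multi Purpose Key %d" % k,
            "# ------------------------------------------",
            "",
            "# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4",
            "P%d = 0" % p_values(k)["account"],
            "",
        ]
    return "\n".join(lines)


def php_convert(keys):
    """Step 4: the $GrandstreamConvert entries for trixbox.php (no account field,
    matching the post, which maps only mode, name and userid)."""
    return "\n".join(
        "$GrandstreamConvert['key%d_%s'] = %d ;" % (k, f, p_values(k)[f])
        for k in keys for f in DB_FIELDS
    )


if __name__ == "__main__":
    keys = range(8, 19)          # keys 8..18, as in the post
    print(sql_alter(keys))
    print(tftp_defaults(keys))
    print(php_convert(keys))
```

Run it and paste each section into the corresponding file from steps 2 to 4. Keys 1 to 7 are deliberately not generated: the post only shows P-values from key 8 upward, so that is the only range the formula is verified for.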

Configuring internet failover on Cisco PIX or ASA running 8.0+

November 17th, 2010

Here is how to do redundant ISP links on Cisco ASA 8.x:


sla monitor 111
type echo protocol ipIcmpEcho <ISP1 probe target> interface outside
num-packets 4
frequency 10

sla monitor 112
type echo protocol ipIcmpEcho <ISP2 probe target> interface backup
num-packets 4
frequency 10

sla monitor schedule 111 life forever start-time now
sla monitor schedule 112 life forever start-time now

track 1 rtr 111 reachability
track 2 rtr 112 reachability

route outside 0.0.0.0 0.0.0.0 <ISP1 Gateway> 1 track 1
route backup 0.0.0.0 0.0.0.0 <ISP2 Gateway> 10 track 2

outside and backup are the nameif values of the two ISP interfaces. The probe target is normally the ISP’s gateway, or a host beyond it if the gateway doesn’t answer ICMP; a target that is down for reasons unrelated to the link will fail the link over too. Both default routes need a next hop, and the second one has to sit on the backup interface with a worse metric (10 here) so it only takes over when track 1 goes down.

Example NAT configuration (one NAT group with a PAT global on each ISP interface, so the translation follows whichever default route is active):

global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Connections that were already open keep their translation on the old interface until they time out; clear xlate drops them so that they re-establish over the live link.

Configuring internet failover on a Cisco 2800 series router

November 17th, 2010

This is, in my opinion, the best way to do a failover configuration for 2 ISP links:

track 100 ip sla 100 reachability
delay down 10 up 20

track 101 ip sla 101 reachability
delay down 10 up 20

ip local policy route-map LocalPolicy

ip nat inside source route-map DYN_NAT interface <WAN1 Interface> overload
ip nat inside source route-map FAILOVER_NAT interface <WAN2 Interface> overload

ip route 0.0.0.0 0.0.0.0 <ISP1 Gateway> track 100
ip route 0.0.0.0 0.0.0.0 <ISP2 Gateway> 10 track 101
ip route 0.0.0.0 0.0.0.0 <ISP1 Gateway> 250
ip route 0.0.0.0 0.0.0.0 <ISP2 Gateway> 251

ip access-list extended PingISP_A
permit icmp host <WAN1 Interface IP> host 8.8.8.8

ip access-list extended PingISP_B
permit icmp host <WAN2 Interface IP> host 8.8.8.8

ip sla 100
icmp-echo 8.8.8.8 source-interface <WAN1 Interface>
ip sla schedule 100 life forever start-time now

ip sla 101
icmp-echo 8.8.8.8 source-interface <WAN2 Interface>
ip sla schedule 101 life forever start-time now

access-list 107 permit ip <LAN subnet> <LAN inverse mask> any
access-list 108 permit ip <LAN subnet> <LAN inverse mask> any

route-map FAILOVER_NAT permit 10
match ip address 107
match interface <WAN2 Interface>

route-map DYN_NAT permit 10
match ip address 108
match interface <WAN1 Interface>

route-map LocalPolicy permit 10
match ip address PingISP_A
set ip next-hop <ISP1 Gateway>
set interface <WAN1 Interface>

route-map LocalPolicy permit 20
match ip address PingISP_B
set ip next-hop <ISP2 Gateway>
set interface <WAN2 Interface>

A few notes on how this hangs together. The tracked default routes (administrative distance 1 and 10) are what actually move traffic; the untracked copies at 250 and 251 only matter when both probes fail (8.8.8.8 itself being unreachable, for instance), so the router keeps a default route instead of black-holing everything. LocalPolicy forces each probe out of its own WAN interface; otherwise both probes would follow the current default route and the backup link would never really be tested. The route-map NAT statements match on the egress interface, so new translations follow whichever route is active, but translations that already exist still point at the old interface until they age out; clear them with clear ip nat translation * (for example from an EEM applet that fires on the track state change) if you want existing sessions to fail over promptly.

If you need to do static NAT you would do basically the same thing, with ACLs 109 and 110 matching the hosts being translated:

route-map STAT_NAT permit 10
match ip address 109
match interface <WAN1 Interface>

route-map FAILOVER_SNAT permit 10
match ip address 110
match interface <WAN2 Interface>

Unable to create VPN sessions

September 3rd, 2010

If you receive any of the following errors in your event log when trying to establish a VPN session or PPP session, then the fix for you is listed below. I noticed this when trying to establish a VPN session through a Netgear VPN box. I checked my event logs and found the event IDs listed below.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Description:
The Remote Access Connection Manager service terminated with the following error:
The specified procedure could not be found.

Event Type: Error
Event Source: Rasman
Event Category: None
Event ID: 20063
Description:
Remote Access Connection Manager failed to start because the Point to Point Protocol failed to initialize. The specified procedure could not be found.

Event Type: Error
Event Source: RemoteAccess
Event Category: None
Event ID: 20070
Description:
Point to Point Protocol engine was unable to load the C:\Program Files\Symantec AntiVirus\SymRasMan.dll module. The specified module could not be found.

The cause is a leftover registration: the Symantec client registers SymRasMan.dll as the handler for EAP types 13 (EAP-TLS) and 25 (PEAP), and removing it without cleaning those entries up leaves RasMan trying to load a DLL that no longer exists, so PPP never initializes (which is what event 20070 shows). The fix puts the stock rastls.dll handler back. Quote from http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008010718082848

“To work around this problem, restore the registry string values with the following variable path to rastls.dll:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
ConfigUiPath %SystemRoot%\System32\rastls.dll
IdentityPath %SystemRoot%\System32\rastls.dll
InteractiveUIPath %SystemRoot%\System32\rastls.dll
Path %SystemRoot%\System32\rastls.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\25
ConfigUiPath %SystemRoot%\System32\rastls.dll
IdentityPath %SystemRoot%\System32\rastls.dll
InteractiveUIPath %SystemRoot%\System32\rastls.dll
Path %SystemRoot%\System32\rastls.dll”

Microsoft Outlook: “the account you have added is not fully configured” error

August 10th, 2010

I recently discovered a fix for the rare but annoying “the account you have added is not fully configured” when attempting to add an Exchange mailbox in Outlook 2003. I discovered it by mentioning it to a co-worker who happened to know about this rare issue– which is not documented anywhere that I searched (brief Google search including Microsoft KB or Experts Exchange). I probably didn’t give it my best effort, but nonetheless, the fix was incredibly simple.

The fix is to search for mapisvc.inf and remove both instances (one under Windows\System32 and one under Program Files\Common Files), then re-create the Outlook profile, which is wiped out as a result. Rename the files rather than deleting them so you can put them back if it doesn’t help.

Preventing Spyware

June 29th, 2010

You wouldn’t be reading this if you weren’t curious about spyware… I’ve shown you how to get rid of it (easily), so let’s look at how to prevent it.

I’m not going to repeat myself so I won’t go into detail, but spyware has several limitations. If you don’t want to get too advanced, here are a few easy ways to prevent spyware:

1. Use Internet Explorer 8 (stop whining, it does work very well)

2. Use Google Chrome (preferred method)

3. Use Mozilla Firefox (whatever the latest version is)

4. Don’t click on pop-ups… if you have a pop-up blocker, turn it on!

5. If it tells you that you have a virus, the thing telling you is probably the virus… stop clicking on things!

6. Download and install MalwareBytes… then do a full scan occasionally

Now for more advanced ways!

1. Set security on C:\windows\system32\drivers\etc\hosts to Everyone read-only. This stops anything running as a normal user from editing it; malware that already has administrator rights can put the ACL back, so it raises the bar rather than closing the door.

2. Use regedt32 to set permissions on HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN and HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN to Everyone Read-Only. *** SOME SOFTWARE INSTALLS WILL NOT LIKE THIS: meaning future installations of software may fail because they cannot write to this key ***

3. Research CLEANMGR and use its “autopilot” function to clean temp files every time you reboot (cleanmgr /sageset:1 lets you tick the categories once; a scheduled task at logon running cleanmgr /sagerun:1 replays that selection).

4. If you are in a domain environment, lock down Internet Options (specifically the proxy part)– and if you ARE in a domain environment, get a web filter… Barracuda even has its own spyware removal tool. There are some free ones out there like Untangle that even work pretty well.

5. Change your DNS to OpenDNS servers (http://opendns.org/) by setting it manually on your NIC or where ever you get DHCP from (at home this would be your “Linksys” router)

6. Set these registry keys to Everyone read-only as well: HKEY_CLASSES_ROOT\.exe and HKEY_CLASSES_ROOT\exefile (the same software-install caveat as #2 applies).

Dealing With Spyware

June 29th, 2010

Let’s face it… I’ve never had spyware and I look at porn, and browse the web for hours at a time… what’s your problem? :) All kidding aside, spyware is a real problem. I’m sure everyone reading this at some point or another has had or dealt with fake antivirus software that just will NOT go away! Luckily for you I do this for a living and understand the limitations of spyware and how to deal with it. Coders are lazy people… they do just enough to get things to work and patch/update as problems arise rather than spending a few extra days to plan out every possible scenario and code it into their program– I suppose if Microsoft tried that… well… lol

Current spyware has several limitations:

  • Unable to cross user profiles (possibly due to Windows Vista/7 and UAC limiting coders’ options to the current user). While this is not a REAL limitation, when you code a program to mass infect, you have to make it as compatible as possible. Sticking around in the current user’s profile makes the software very compatible.
  • Relies on reboots/triggers to activate. Usually spyware will associate itself with .exe (exefile) in the registry; other times it will load as a hook, and because of this it has more limitations. One of these triggers is setting Internet Options to use a proxy; the proxy is the spyware, usually running as a service or as a DLL hook.
  • It can’t effectively control where you go in explorer.exe (the Windows shell) or it would potentially block itself.
  • It usually can’t block regedit because it makes changes to the registry, or it would potentially block itself.
  • To deal with antivirus and AWESOME programs like MalwareBytes, it has to remain anonymous. Thus, it’s very easy to spot 130e9rjfm312rja.exe in a folder or in Task Manager.
  • If you are lucky enough to be in a domain environment, it can’t stop a domain admin from another PC using PSTOOLS! :)

I think you get the point, so here’s what I am going to do for you today… I’m going to teach you… how to count….all the way… to schffifty schvive. Actually… I’m going to show you how to solve 99% of spyware problems.

Problem: You have spyware!

Solution: Taking what we know into account, the first thing you should do is create a new user and set a good password. If you anticipate having lots of spyware problems, leave the account in place when we are done. In almost all versions of Windows, it’s the same process to add a new user:

1. Start

2. Control Panel

3. User Accounts

4. Add a new user (administrative user, not standard user)

5. Call it… swsvc or AntiSpyware or.. Joe (me) and everytime you get spyware you can login as me (Joe)

6. Create a password… preferably a pass-phrase. A pass-phrase is at least 14 characters… you can use a phone number spelled out, i.e. “four eight zero five five five one two three four” (but not your own number, which anyone who knows you can guess; a string of words that has nothing to do with you is better).

7. Reboot

When the computer comes back up, log in as the new user you created. If you are lucky, the spyware hid itself in an obvious place and we can delete it before we continue. Once you are logged in, click Start, click Run (or use Windows key + R) and launch “regedit”, then navigate to HKEY_LOCAL_MACHINE > SOFTWARE > MICROSOFT > WINDOWS > CURRENTVERSION > RUN

This is usually how the spyware starts every time you reboot. Check for items with a path starting with \users\<your username>\appdata\local or \documents and settings\<your username>\. These paths usually end up somewhere in a temp folder with a random lettered/numbered executable.

Honestly though, you can probably delete everything under Run and be safe. Most of that stuff is your quick launch, antivirus tray icon (not the service), Adobe quick launch, Java update, etc. Once that is done, browse to HKEY_USERS > (long string of numbers) > SOFTWARE > MICROSOFT > WINDOWS > CURRENTVERSION > RUN. There are going to be quite a few SIDs (the long strings of numbers), but only hives that are currently loaded show up there, and after a reboot the infected user’s hive normally isn’t. To see it, select HKEY_USERS in regedit, pick File > Load Hive, and open NTUSER.DAT from that user’s profile folder. Then take the time and explore them all. Delete anything “weird” under Run.

Just for the heck of it, Windows Vista/7 users should open up My Computer and browse to \users\<their username>\appdata\local\ and look inside temp and microsoft for folders that have random letters and numbers. XP users will do the same, except use \documents and settings\<their username>\application data\ or \documents and settings\<their username>\local settings\.

Once you’re done looking, whether you find anything or not, goto Start > Control Panel > Internet Options > Connections tab > LAN Settings button and clear all the check boxes.

Next step is to download the greatest tool ever made, MalwareBytes. Here is a link: http://download.cnet.com/3001-8022_4-10804572.html?spi=cd39b95079d2256cc6dc1fc880e6e8d0&part=dl-10804572 (better still, get it from the vendor’s own site so you know exactly which installer you are running).

MalwareBytes is small, compact, FREE… it doesn’t have bloat-ware or annoying ads… and it WORKS! It is your typical Next>Next>Finish type of installation. No tricks… At the very end  of the install leave “Update” and “Launch” checked.

After it updates and opens up, close it. — yea… lol. You could have unchecked “Launch” but let’s face it… we’re already worn out trying to search for this article.

In Vista/7 we have to right click MalwareBytes and “Run as Administrator” or it will not search other user’s profiles.

Once it’s loaded, do a full scan on C:\ … and wait… depending on how many files (usually 100,000 per hour if you have a decent PC) you might have to wait a while.

Once the scan is completed, it will have undoubtedly found your spyware. Remove all of it and reboot. Login as your regular user and verify the spyware is gone. You will have to double check Internet Options again (as noted above) and verify the same things. If you don’t, internet might not work right away.

Side notes:

Under rare circumstances, spyware will associate itself with .exe and exefile in the registry. If you open up regedit and navigate to HKEY_CLASSES_ROOT\.exe, (Default) should be set to exefile. If it is not, it is probably set to scefile or something else. In any case, browse to HKEY_CLASSES_ROOT\exefile (or scefile, or whatever is there), check the launch command under shell\open\command and see if it points at a strange path. The (Default) value of command should be exactly "%1" %* with nothing in front of it; a hijacked one puts its own executable first so that it runs every time any program is started.

Also a rarity: once in a while the spyware will modify your hosts file, located at C:\windows\system32\drivers\etc\hosts. The easiest way to open it is to have Notepad open and drag/drop the file into it. It should have ONE entry (two if you have IPv6); on Windows 7 the stock file contains only comments, since localhost is resolved by the TCP/IP stack itself. Anything else, especially entries that send antivirus vendor or update sites to 127.0.0.1 or to an address you don’t recognise, was put there by the infection and should go:

127.0.0.1       localhost
::1             localhost
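The three checks in this post (the Run keys, the .exe/exefile association and the hosts file) are easy to script over data you export from the sick machine, which is handy when you are working from the clean profile or from another PC. The script below is an added example, not a tool from the post: it works on text you paste in (a reg export of a Run key, the two association values, the hosts file) rather than the live registry, the regular expressions for “profile temp folder” and “random file name” are my own heuristics, and the sample data in it is made up to look like a typical infection.

```python
"""Triage the three persistence spots from the post over exported text.

Added example, not part of the post's procedure. Works on text you export or
copy (reg export of the Run key, the .exe / exefile values, the hosts file),
so it runs anywhere. All sample data below is constructed.
"""
import re

# Profile paths the post says dropped executables usually live under.
PROFILE_TEMP = re.compile(
    r"\\(?:users|documents and settings)\\[^\\]+\\"
    r"(?:appdata\\local|local settings|application data)\\",
    re.IGNORECASE,
)
# A random letter/digit file name, e.g. 130e9rjfm312rja.exe: 8+ chars, both kinds.
RANDOM_EXE = re.compile(r"^(?=.*[a-z])(?=.*[0-9])[a-z0-9]{8,}\.exe$", re.IGNORECASE)

EXPECTED_DOTEXE = "exefile"       # HKEY_CLASSES_ROOT\.exe (Default)
EXPECTED_EXEFILE_CMD = '"%1" %*'  # HKEY_CLASSES_ROOT\exefile\shell\open\command (Default)


def executable_path(command):
    """Program path from a Run value: the quoted path if quoted, otherwise
    everything up to the first .exe, so unquoted paths with spaces survive."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = re.search(r"\.exe", command, re.IGNORECASE)
    return command[: match.end()] if match else command.split()[0]


def suspicious_run_entries(run_values):
    """run_values maps Run value name -> command line.
    Returns (name, path, reason) for every entry started from a profile temp tree."""
    findings = []
    for name, command in run_values.items():
        path = executable_path(command)
        if not PROFILE_TEMP.search(path):
            continue
        reason = "started from a user profile temp/appdata folder"
        if RANDOM_EXE.match(path.rsplit("\\", 1)[-1]):
            reason += "; random letter/digit file name"
        findings.append((name, path, reason))
    return findings


def hosts_anomalies(hosts_text):
    """Every active hosts line that maps something other than localhost."""
    bad = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # comments and blank lines are fine
        if not line:
            continue
        ip, *names = line.split()
        is_localhost = ip in ("127.0.0.1", "::1") and all(n.lower() == "localhost" for n in names)
        if not is_localhost:
            bad.append(line)
    return bad


def exe_association_ok(dotexe_default, exefile_command):
    """True when .exe still hands off to exefile and exefile runs "%1" %* directly."""
    return (dotexe_default.strip().lower() == EXPECTED_DOTEXE
            and exefile_command.strip() == EXPECTED_EXEFILE_CMD)


# Constructed sample data shaped like what you would copy out of regedit / hosts.
SAMPLE_RUN = {
    "1cdjw8q": r'"C:\Users\joe\AppData\Local\Temp\130e9rjfm312rja.exe"',
    "Adobe ARM": r'"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"',
    "Updater": r"C:\Documents and Settings\joe\Local Settings\Temp\svc.exe /quiet",
}
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org   # redirects the removal tool's site
"""

if __name__ == "__main__":
    for finding in suspicious_run_entries(SAMPLE_RUN):
        print("RUN   %s -> %s (%s)" % finding)
    for line in hosts_anomalies(SAMPLE_HOSTS):
        print("HOSTS", line)
    print("exe association ok:", exe_association_ok("scefile", '"%1" %*'))
```

suspicious_run_entries flags anything launched from a profile temp/appdata tree and notes when the file name is a random letter/digit string; hosts_anomalies lists every active line that is not a localhost entry (real files often carry a few legitimate extras, so read the list rather than deleting blindly); exe_association_ok is the side-note check for exefile running "%1" %* with nothing prepended.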

If you can’t figure this out, or something isn’t working and you haven’t removed your spyware… leave a comment with the exact steps and messages you get and I will surely (inb4 don’t call me Shirly) try to answer your questions. If you are in the Phoenix area, I can always come over and fix your problems for a nominal fee.