Archive for the 'Security' Category

Counter, the counterfeit flash drive

I’ve only just discovered this useful utility called H2testw 1.4.

So if you’ve bought one from eBay that looks a little dodgy, check it out.

A quote from the website:

We give H2testw 1.4 the highest rating and recommend it for testing counterfeit USB Flash Drives for the following reasons:

  1. Easy to Use
  2. While in German, English execution is possible
  3. Stand alone executable file – no installation required to run it
  4. You do not need administrator privileges on a computer to run it
  5. Tested to work on 1.1 and 2.0 USB drives
  6. Tested to work on 1.1 and 2.0 USB Ports
  7. Tested to work to analyze drives advertised as 4GB, 8GB, 16GB, 32GB and yes …64 GB capacity.
  8. Reports seen capacity – what the operating system sees size to be.
  9. Will write 1 GB files up to the reported size – requiring no work on your part except patience if it is a large drive and a slow computer
  10. Will read all the files it wrote and verify them
  11. Will produce a report: a) short if all is well, b) detailed if issues are found.
  12. The program is offered free

Visit: here
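The write-then-read-back check that items 9 to 11 describe is straightforward to reproduce. The following Python is an added example, not H2testw's own code: it fills a directory with deterministic test files, reads them back and reports bad bytes; the file names, sizes and the `demo()` run are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path
# Added example, not H2testw's own code: the same fill-then-verify idea at a
# scale that runs against any directory. A counterfeit drive reports more
# capacity than it has, so writes past the real limit are lost or wrap over
# earlier sectors; reading everything back is what exposes that.

def _pattern(index: int, size: int) -> bytes:
    """Content of test file `index`: each 32-byte block is SHA-256(index, block),
    so a block that wrapped in from another file never matches."""
    blocks = (hashlib.sha256(f"{index}:{b}".encode()).digest()
              for b in range(size // 32 + 1))
    return b"".join(blocks)[:size]

def _sizes(total_bytes: int, file_bytes: int) -> list:
    """Sizes of the numbered files needed to cover `total_bytes`."""
    full, rest = divmod(total_bytes, file_bytes)
    return [file_bytes] * full + ([rest] if rest else [])

def write_test_files(root: str, total_bytes: int, file_bytes: int) -> int:
    """Fill `root` up to `total_bytes` (H2testw uses 1 GB files; the size is a
    parameter so this can run in a temp directory). Returns the file count."""
    Path(root).mkdir(parents=True, exist_ok=True)
    sizes = _sizes(total_bytes, file_bytes)
    for i, size in enumerate(sizes):
        Path(root, f"{i}.h2w").write_bytes(_pattern(i, size))
    return len(sizes)

def verify_test_files(root: str, total_bytes: int, file_bytes: int) -> dict:
    """Read every file back; corrupted, short and missing data all count as bad."""
    sizes = _sizes(total_bytes, file_bytes)
    bad_bytes, bad_files = 0, []
    for i, size in enumerate(sizes):
        path = Path(root, f"{i}.h2w")
        data = path.read_bytes() if path.exists() else b""
        diff = sum(a != b for a, b in zip(data, _pattern(i, size)))
        diff += abs(size - len(data))
        if diff:
            bad_bytes += diff
            bad_files.append(path.name)
    return {"files": len(sizes), "bad_bytes": bad_bytes, "bad_files": bad_files}

def demo() -> tuple:
    """Constructed run: a clean 1000-byte 'drive' in 300-byte files, then the
    same drive after its last file is truncated, as a counterfeit would do."""
    root = tempfile.mkdtemp()
    write_test_files(root, 1000, 300)
    clean = verify_test_files(root, 1000, 300)
    Path(root, "3.h2w").write_bytes(b"")  # simulate the lost tail
    return clean, verify_test_files(root, 1000, 300)
```

Against a real drive you would point `root` at its mount point and pass the advertised capacity; a non-empty `bad_files` list is the detailed report H2testw would give.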


Bug introduced in Windows NT3.1 (1993) still affecting all subsequent releases of Windows!

Since NT was introduced, pure command-line DOS has been replaced with the Virtual DOS Machine (VDM), which allows legacy DOS and 16-bit Windows applications to run on top of NT (all variants), XP, Vista and Windows 7.

It would seem the VDM engine has a major flaw!

Read more at and packet storm security

A summary of the issue is that it is possible for a limited user (i.e. a non-administrator user) to gain administrative privileges via the VDM.

A workaround is to disable 16-bit applications as part of the Active Directory policy for your domain.


Why should the FQDN make a difference when using Integrated Security authentication?

We run a few internal applications that are addressed using a FQDN:

The applications are also available through the server name:


We’ve had a strange issue with one of our applications that requires ‘Integrated Security’ authentication.

A few of our users, who run IE6 (because that’s what they are forced to use) get prompted for credentials.

You’d assume that since IE knows who the user is, that it would simply provide it to the application, and it would allow access.

I’ve done a little digging and it would seem we are not the only people with this issue.

It would seem that this is a browser, rather than application related issue:

Best explanation award goes to Windows IT Pro:

It would seem the only short-term solution is to provide the fix to the user community before we can update group policy (if this is possible!).


Interim fix for Sophos 7.6.8 issues on Windows Vista x64

This is not a fix for all the issues raised in my previous posts, but a workaround released by Sophos for Sophos customers.

Sophos is expecting version 7.6.9 to be released at the end of the month; it will include the registry key noted below, and the fix itself is tentatively slated for release in 7.6.10 at the end of July. This will allow for proper and complete testing of the proposed fix for this issue.

The packages to request from Sophos support are:

  1. "Windows Endpoint Security and Control 8.0 with SAV v7.6.8 S215 VDL4.42E" – for enterprise customers (distributed install)
  2. "Sophos Anti-Virus for Windows v7.6.8 S215 VDL4.42E" – for home/standalone customers.

This contains the following registry key set:
32-bit: HKLM\Software\Sophos\Webscanning\SuppressBHOLoader
64-bit: HKLM\Software\WOW6432Node\Sophos\Webscanning\SuppressBHOLoader

Please get in touch with Sophos support to get the URL to retrieve this interim workaround.


Update on Sophos Issues

This is an update for posts

  1. Sophos IE8 add-on prevents IE8 from loading
  2. Resolution to Windows Security Centre not recognising Sophos Antivirus
  3. Sophos Antivirus on Windows Vista HP x64 not detected by Windows Security Centre
  4. Vista SP2 doesn’t recognize Sophos AV anymore

I’ve been in contact with Sophos support and they inform me:

The Windows Security Centre issue only affects 64 bit systems and will be corrected in the 7.6.9 version due out at the end of the month.

Sophos are aware of the IE8 issue as well. IE8 will usually open if you use the link at the top of the start menu, or if you run as administrator. To temporarily work around this issue, you can disable the BHO from within IE Options (this will disable the web scanning). Sophos are currently waiting for more information from their Development Team on this particular issue.


Sophos IE8 add-on prevents IE8 from loading

Are you having trouble launching IE8 from the desktop icon, the application icon or start menu?

Are you only able to launch it in ‘Administrator’ mode?

Are you running Sophos 7.6.8 on Windows Vista?

The problem might be related to the Sophos add-on. It seems that if you disable it, IE8 returns to working order.

Go to Internet Options and the Programs tab. Click on ‘Manage add-ons’.

Figure 1: Internet Options in IE8

Now disable the Sophos Web Content Scanner.

Figure 2: Add-on management

Restart all instances of the browser you have open.

Things should now be back to normal.

This is likely to have something to do with the other Sophos issues that are currently related to an update in the last week. See Sophos Antivirus on Windows Vista HP x64 not detected by Windows Security Centre.


Resolution to Windows Security Centre not recognising Sophos Antivirus

I gave up in the end (see this post and comments) and went for a new install of Sophos AV, just in case one of the updates made it go pear shaped.

If you have a Sophos support account it should be no issue to go to their site and retrieve Version 7.6.x


I downloaded and ran the installer, and it seemed fine just overwriting the version already installed.


Security Centre is now happy… but for how long? :-)… I’m just off to tell Sophos support :-) who have been most helpful… this is why I don’t use a free AV :-)


Sophos Antivirus on Windows Vista HP x64 not detected by Windows Security Centre

I want my evening back!

Paranoia set in when I turned my PC on about four hours ago… Vista had been happily reporting that my machine was protected (for the last year+)… and it was, because it is loaded with Sophos Antivirus 7.6.8, and it updated itself when I turned the machine on.


So why would Microsoft make me paranoid with this old chestnut:


I ran a Windows Defender full scan, then for good measure the Conficker removal tool… then a full virus check… nothing found… hmm, I thought, I’ll give the search engines a go.

Sophos appeared to know all about the issue, but it was stored deep in their knowledge base.

Microsoft also has a KB article, ‘Windows Security Centre does not detect the antivirus application that is installed on a Windows Vista-based computer’ (KB952923).

I’m going to try the hotfix, and will report back if it doesn’t work… I’ll be paying close attention to the Sophos knowledge base as it seems to have more steps than Microsoft originally intended.


Sophos Antivirus on Windows 7 RC (Build 7100)

As you may be aware, Windows 7 has a number of beta products and applications that you can download to help protect your Windows 7 RC system.

Dwight Silverman: Getting the Windows 7 RC? You’ll need protection

Sophos is our corporate AV supplier, so it was important that I maintain similar protection on my Windows 7 RC laptop system.

Sophos is not listed amongst the Windows 7 antivirus partners, however, I can happily report that Sophos 7.6.7 (designed for Vista) works great for me on my x86 version of Windows 7 RC. It also worked great on a Virtual Machine running the x64 version of Windows 7 Beta. Pictures shown here are from the x86 version of Windows 7 running on a mid spec laptop.

Figure 1: Sophos AV 7.6.7 working on Windows 7 RC

Figure 2: Sophos system tray icon

Figure 3: Sophos Antivirus is not totally compatible with Windows 7

As you can see in Figure 3, the only snag with running this in Windows 7 is that it doesn’t report its status in the correct format; however, I’m watching this space for a new version of Sophos to be fully functional very soon.

Figure 4: Action Centre – showing Sophos AV is functioning correctly

Figure 4 shows that whilst Windows 7 acknowledges the fact that Sophos does not report status correctly to it, the application itself is fully functioning.

Figure 5: Sophos Antivirus start screen

I know some of you reading this will be asking why I don’t simply pick a free alternative, such as Avast! or AVG… I have considered going that way, but Sophos works great, and why fix it if it doesn’t seem to be broken!

I do hope the lab team at Sophos fix that status issue very soon, as it is the only minor flaw.

I cannot give enough superlatives for this new operating system, it is the most stable RC I’ve ever had the pleasure to use, and works a treat on my mid spec laptop (new in 2005).


P.S. please let me know if you are successfully using Sophos on Windows 7 RC :-)

Worming tablets required

I think our IT department learnt a very valuable lesson today!

Most of our servers are behind a fortress of firewalls, VPN connections and yet, today, we find ourselves ashamed of what has happened!

The Conficker grade E worm (Worm:Win32/Conficker.E: identified by the MMPC on April 8, 2009) made its way onto our network. It matters not how it got there, but does point the finger at our inadequate antivirus products, or perhaps it was more complacency…. no single machine is directly linked with the outside world, we use linux and unix based firewalls… it couldn’t affect us… could it?

Well it did… the investigation is on… my detective hat is on, and my finger is pointed at a small section of the network that has an un-patched server infrastructure. The reasons for not patching them almost outweigh the hassle it is to deal with today’s attack… for antiquated pieces of software/hardware that we can’t replace/rewrite* simply don’t run on operating systems with a patch! I’m sure there are other organisations out there with similar problems.

Have a read of what it does: here

It is rather nasty, and has the ability to block access to certain websites, certain applications and certain system administration tasks! (am I the only one to think it is rather clever?… not that I applaud the application of this genius in any way!)

As most of what you’ll read on the internet is about solutions to it, I thought I’d share one of the most annoying symptoms:

  • Account lockout policies being activated.

This one was a huge issue for us! With just under 7000 active directory users in the entire organisation, roughly 2500 were locked out… and this number kept rising all day. As you’d imagine, frustrated users were on the phone to the helpdesk, and some people, because of this issue did not deliver the service that our customers expect.

So, fed up with the issue and not being able to do our normal tasks today (the source control system went down, all our SharePoint boxes were down to be patched/checked), a colleague and I wrote a Windows Forms application in C# that periodically queried our Active Directory to look for locked-out accounts.

Figure 1: Locked out user account tracker

The progress bar in Figure 1 shows the number of users affected by this worm. A significant number!
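The locked-out account poll described above is easy to get subtly wrong, because Active Directory does not clear lockoutTime when the lockout window ends. The Python below is an added example rather than the C# application from the post; the LDAP filter, the lockoutTime/lockoutDuration arithmetic and the sample accounts (alice, bob, carol) are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
# Added example, not the C# tracker from the post: the lockout arithmetic such a
# poller has to get right, run over constructed attribute values instead of a
# live directory. lockoutTime is a FILETIME (100 ns ticks since 1601-01-01 UTC);
# the domain's lockoutDuration is a negative interval in the same ticks.

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FOREVER = -(2 ** 63)  # lockoutDuration meaning "until an administrator unlocks"

# Filter for the periodic poll: lockoutTime is 0 or absent on an account that
# has never been locked, so >=1 returns every candidate (including stale ones).
LOCKED_FILTER = "(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))"

def datetime_to_filetime(dt: datetime) -> int:
    """Aware UTC datetime -> FILETIME ticks, using exact integer arithmetic."""
    td = dt - EPOCH_1601
    return ((td.days * 86400 + td.seconds) * 10 ** 6 + td.microseconds) * 10

def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME ticks -> aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def is_locked_out(lockout_time: int, lockout_duration: int, now: datetime) -> bool:
    """True while the account is inside its lockout window. AD does not clear
    lockoutTime when the window expires, so the filter alone over-counts."""
    if lockout_time == 0:
        return False
    if lockout_duration == FOREVER:
        return True
    unlock_at = filetime_to_datetime(lockout_time - lockout_duration)
    return now < unlock_at

def count_locked(entries: list, lockout_duration: int, now: datetime) -> dict:
    """Summarise one poll the way the post's progress bar did: users seen,
    how many are locked right now, and which ones."""
    locked = [e["sAMAccountName"] for e in entries
              if is_locked_out(e.get("lockoutTime", 0), lockout_duration, now)]
    return {"users": len(entries), "locked": len(locked), "names": sorted(locked)}

# Constructed sample: a 30-minute lockoutDuration, three accounts, polled at 12:00.
THIRTY_MIN = -(30 * 60 * 10 ** 7)
NOW = datetime(2009, 4, 9, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"sAMAccountName": "alice", "lockoutTime": 0},                # never locked
    {"sAMAccountName": "bob",
     "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=12))},  # locked
    {"sAMAccountName": "carol",
     "lockoutTime": datetime_to_filetime(NOW - timedelta(hours=2))},     # expired
]
```

With a real directory the entries would come from an LDAP search using `LOCKED_FILTER` and the domain's own lockoutDuration; the duration check is what turns the raw candidate list into the live count the progress bar showed.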

The vet has been called, and a dose of software patches are on the way. Look in the research URLs below if you are yourself scrabbling for a solution. Good Luck :-)


* We could replace/rewrite them but it would be far too expensive and disruptive to the business!


Removing autorun might help prevent spread of the worm
F-secure FAQ on conficker
F-secure technical description of conficker
Conficker Worm: Help Protect Windows from Conficker

Individuals with information about the Conficker worm are encouraged to contact their international law enforcement agencies. Additionally, Microsoft has implemented an Antivirus Reward Hotline, +1-425-706-1111, and an Antivirus Reward Mailbox, where tips can be shared.
