My blog 2011 in review

Thank you all for visiting my blog! This year many more is coming! Also, if you have any topic suggestion/doubt shut out, the I will make sure to cover it! Once again, thank you!

The WordPress.com stats helper monkeys prepared a 2011 annual report for this blog.

Here’s an excerpt:

A New York City subway train holds 1,200 people. This blog was viewed about 7,600 times in 2011. If it were a NYC subway train, it would take about 6 trips to carry that many people.

Click here to see the complete report.

Regards,

Paulo Oliveira.

From End to Edge and Beyond – Episode 11

Hi there folks!

There is a new episode on security talk show From End to Edge and Beyond. It is great to talk about Forefront TMG 2010 and also great to hear about it!

This episode Yuri Diogenes and Tom Shinder interviewed Richard Hicks, a well-know MVP and much knowledge about Forefront TMG.

They discuss about the new features added to Forefront TMG 2010 when you install SP2, like Kerberos authentication for web proxy clients, when using the cluster VIP, new website-based reports, if TMG is a good solution for those who want to migrate to cloud and many more!

Despite it is a service pack, Richard cool the ones nervous about installing the latest TMG service pack and break the environment, since it is very stable.

Last but certainly not least, Yuri and Tom gave 3 books of Forefront collection signed by them, as promised in the previous episode. The lucky one which won them was a good friend of mine Uilson Souza. This guy is very lucky, at TechEd Brazil 2011 he also won a book that Yuri gave out on one of his sessions, the book is focused on Security+ certification (only in Portuguese)! Congrats Uilson!

With all said don´t miss it: http://technet.microsoft.com/en-us/edge/from-end-to-edge-and-beyond-episode-11

Regards,

Paulo Oliveira.

Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 released!

Hi,

Microsoft has just released Service Pack 2 for Forefront Threat Management Gateway (TMG) 2010 as below.:

The service pack includes the following new functionality and feature improvements:

New Reports
• The new Site Activity report displays a report showing the data transfer between users and specific websites for any user.
Error Pages
• A new look and feel has been created for error pages.
• Error pages can be more easily customized and can include embedded objects.
Kerberos Authentication
• You can now use Kerberos authentication when you deploy an array using network load balancing (NLB).

In my opinion, the major feature is the possibility to use Kerberos Authentication when using Network Load Balancing (NLB). This for sure is one of the most requested features by TMG community. Now, Domain Controllers are going to get some rest.

Go get yours now! Click here!

Regards,

Paulo Oliveira.

Heads up ISA 2006 admins! New ISA hotfix package!

Hi,

Microsoft has released a September hotfix package for ISA 2006 to fix some bugs found on the product. The list of fixes are below:

2618727 (http://support.microsoft.com/kb/2618727/ )
FIX: Users in remote forests cannot change their passwords through ISA Server 2006

2620088 (http://support.microsoft.com/kb/2620088/ )
FIX: Large files become corrupted during file transfer through the Socks V4 client

2620076 (http://support.microsoft.com/kb/2620076/ )
FIX: ISA 2006: Outlook Web App clients are not timed out after the ISA FBA idle time-out is reached

2620069 (http://support.microsoft.com/kb/2620069/ )
FIX: ISA 2006 may crash with the error “DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)”

2622172 (http://support.microsoft.com/kb/2622172/ )
FIX: ISA 2006 blocks published website requests for URLs that include carriage returns (CR) or linefeeds (LF)

For more information about each of these KBs, click on it!

Regards,

Paulo Oliveira.

TechEd Brazil 2011, how it was?

                                  

Figure 1 – TechEd Brazil                                   Figure 2 – Microsoft booth at TechEd Brazil

Well, in my last post I said that TechEd Brazil conference was my next stop. I can tell you guys it was a really great, well organized event. I had the opportunity to meat some friends face-to-face and make new ones!

As I wrote before, it was hard to choose between so many (interests) sessions. My focus was for virtualization, a trend on these last years, especially about the exciting new Hyper-V version that will come on Windows Server 8. The other sessions were about storage and, of course, security, more specifically a 400 session about Deep Dive TMG Troubleshooting and Cloud Security, in this one I could notice some points to think when planning a migration to the Cloud.

As I mentioned on the last post, Yuri Diogenes record an interview with a Microsoft PFE (Marcelo Tozin), Rodrigo Immaginario (Enterprise Security MVP) and myself

You can watch the video with some great points about different subjects on security. I hope you all like it! Check it at From End to Edge and Beyond web site episode 9.

Figure 3 – Recording interview for From End to Edge and Beyond

Stay tuned for more, Yuri and Tom are promising good things on episode 10.

Last, but not least, I had a really great time meeting new MVPs at MVP Open Day that happened a day before TechEd Brazil, September 28th. Also, had a great time with my folks from work that attended to TechEd Brazil.

                    

Figure 4 – MVPs on the Top!                              Figure 5 – MVPs at TechEd Brazil

 

Regards,

Paulo Oliveira.

TechEd Brazil, here I come!

Hi,

next week, more precisely September 29, I will be on the greatest Microsoft event of Latin America: TechEd Brazil. For those not aware what TechEd is I can tell that it is the one of the most important event for Microsoft professionals. This year specifically, 198 lectures and quick sessions will be delivered!

There are so many topics for so few days You can imagine how hard is to select a lecture! The attendees can choose only up to 11 lectures.  In my case, the first selection that I made was for 24 lectures, however I was already filtering a lot!

I can say now, 8 days before the event, I haven´t closed my schedule yet!

I have received an invitation from the great Yuri Diogenes, I certainly sure most of you know him, he´s one of the master of ISA Server and Forefront TMG 2010. He is working now on Microsoft Security Team as Senior Technical Writer. The invitation is to participate on one episode from Security Talk show From End to Edge and Beyond, presented by Tom Shinder, I´m also pretty sure you know Tom, and Yuri Diogenes.

I am really honored and grateful to join them. Unfortunally, Tom Shinder won´t be on TechEd Brazil, so Yuri will record my interview at TechEd. Thanks guys for invitation!

Stay tuned on From End to Edge and Beyond and make sure to not miss an episode!

Oh! For those who wants to come to TechEd Brazil you still have time! Check out at the website (Portuguese and Spanish).

 

Regards,

Paulo Oliveira.

What to do when you think your computer is infected and your antivirus solution does not detect it?

The scenario

Hi fellows! It’s being a while since my last post. Let’s say I am having pretty busy weeks. A lot is going on at work, don’t take me wrong, to me that’s good! The sad part is that I have less time to spend with the community.

Anyway, last Friday a friend of mine came up on Skype asking me if I was aware of a malware that changes Internet Explorer’s proxy settings. I know that there’s a bunch of malwares which does it. However, the real question was: Why his machine antivirus did not detect it?

Moreover, Microsoft Security Essentials (MSE) was installed on the machine, one of the best antivirus/antispyware on the market today, and updated with the latest detection signatures.

I truly recommend MSE, since it’s free of charge (you have to have a genuine Windows copy, but who doesn’t? ), it uses the same engine as Forefront Endpoint Protection (Microsoft antivirus solution for corporate costumers), as I said before one of the best on the market, check AV-Comparatives web site.

Backing to the initial topic, after my friend told me that every time he rebooted his machine the malicious proxy configurations were set up again, my first though was to look for a suspicious running process.

In my humble opinion, there’s no better tool to unveil process information than Process Explorer, developed by Mark Russinovich. Next step, was download and run it on the affected computer.

At this moment I identified a suspicious .vbs file named amsfx.vbs. This Visual Basic script file was configured to change many registry key configurations, including the browser’s proxy settings, and also was calling an executable file named dwm.exe. I know what you’re might thinking, this executable is the Desktop Window Manager for Windows Vista and Windows 7 Operating Systems, although, the OS running on the machine is Windows XP.

That said, it is clearly this executable file was malicious. However, how to confirm this info if the MSE did not detect it?

The solution

I told him that I submitted the above files to Microsoft Malware Protection Center (MMPC) for their analysis and if confirmed as malware the MSE database signature will be updated with this new threat. Some of you might think: “Why not use another antivirus solution and remove the threat?” or “I don’t think MSE is good enough”.

The answer to this question is that only the following antivirus suspected (did not identified it) the .exe was malicious:

After I submitted the file, the time frame between malicious file submission and release of new detection signature was like below:

Submission status history:
Analysis Completed: Aug 29, 2011 01:46 PM UTC
Preliminary Result Available: Aug 29, 2011 09:07 AM UTC
Under Active Investigation: Aug 26, 2011 02:46 PM UTC
Received: Aug 26, 2011 12:49 PM UTC

That was fast, isn’t it? Considering it was sent on Friday and the new detection signature was available on Monday. I must say it is no surprise to me. All possible malicious file that I receive, I send to MMPC for analysis. The majority of the times the answer is like that, real fast.

I also send these samples to other antivirus providers, but the speed to respond and create a new signatures are not that fast. You must note that I don’t need a special contract or anything like it to send and get fast responses. Microsoft is really committed to provide us better security.

After that, I checked again on Virus Total web site and the only antivirus solution that really identified the malware was MSE.

At time of this writing a few more AV solutions now identifies this new malware. Check here.

If you would like to see the final report, check here.

Final message

The bottom line here is if you think your machine is infected and even if your AV solution does not detect any threats, you can search for the (possible) malicious file and send the sample to your antivirus provider to analyze and create a signature for the new threat helping every one out there!

If you are like my buddy and I, chose Microsoft Security Essentials, then you can access MMPC website or use this link to submit a suspicious file.

Regards,

Paulo Oliveira.

My first Microsoft MVP award!

Hi Folks!

I am really happy and honored to say I just received, on July 1st, my first Microsoft MVP (Most Valuable Professional) award on Forefront.

I can not even describe how I fell to join Microsoft elite team! It is a dream that come true and now I’m going to keep working (even harder) to help Forefront community.

Thanks very much for all of you that reads my blog!

Regards,

Paulo Oliveira.

Time to update your TMG 2010 infrastructure

This Patch Tuesday (June, 13) Microsoft released many security bulletins, one of them was MS11-040. The bulletin discuss about a privately reported security vulnerability in Microsoft Forefront Threat Management Gateway (TMG) 2010 Client that could allow RCE (Remote Code Execution).

Also, in this week Microsoft released an update for Forefront TMG 2010 Service Pack 1 with Software Update 1. This is not a security update, but a Rollup 4 to correct some bugs found in HTTPS inspection, Malware inspection, E-mail Policy and TMG firewall engine.

Keep in mind that 4 of 11 bug fixes must activated running a script provided in their own KB page. In my opinion, this is great because you can choose if you want to enable the new functionality or not. For example, the KB2518663 has the following warning:

This resolution may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. Microsoft does not recommend this resolution but is providing this information so that you can choose to implement this resolution at your own discretion. Use this resolution at your own risk.

For more information about the Rollup 4, read KB2517957.

Regards,

Paulo Oliveira.

The power behind MRS and SmartScreen

Hi folks!

I must confess when Firefox 2.0 was made publicly available I had to move from Internet Explorer 6, since it´s features were very outdated and had no tabbed browsing. Since then, Internet Explorer team got a “wake up call” and started to add new features, improve functionalities and adopt web standards.

I don´t want to talk about all through Internet Explorer history here. I do want to highlight a particular great security feature introduced by IE Team: SmartScreen Filter (formerly Phishing Filter on Internet Explorer 7).

SmartScreen Filter has been first introduced on Internet Explorer 7, named as Phishing Filter. Then Microsoft has released IE 8 and greatly improved SmartScreen technology. This improvement was compared to other market solutions. The results can be seen in the below graphic:

Figure 1 – Internet Explorer 8 vs. Other browsers

Almost two years later Microsoft Released To Web a new version of Internet Explorer, the version 9.0. This version came with many others security features and even better SmartScreen rates accordingly to NSS Labs research.

Figure 2 – Internet Explorer 9 vs. Other browsers

The whole reason I´m talking about it is because the other day a member of www.isaserver.org message boards came up with a question on how to block a certain malicious URL. He was worried about the fact that some user could be tricked to access it and get infected.

The way he wanted to block was not supported by ISA firewall syntax to block Domains and URLs.

Now what!? The war is over and the bad guys won this round? I say, no way!!!

Event though his first recommendations was to not try to access the malicious URL I started a test machine using latest Microsoft Operating System and browser software fully updated. As soon as I try to access the malicious URL the Internet Explorer 9 has returned the follow screen to me:

Figure 3 – Internet Explorer 9 SmartScreen in action

How cool is that!!??

For the matter of fact I also submitted the URL to Virus Total website for analysis on a different variety of web filters:

Figure 4 – Screenshot from VirusTotal website

As you can see only 3 of 16 web filters identified the URL as malicious. How do you think NSS Labs tests are accurate now?

Internet Explorer SmartScreen filter has done its job. How about Microsoft firewall technology? Can it block the malicious URL?? What´s the problem with that?

The truth is that none of ISA firewalls versions have a built-in URL Filtering functionality (it can be installed as an add-on though). On the other hand, the most recent version of Microsoft firewall (Forefront Threat Management Gateway (TMG) 2010) has URL Filtering out-of-the-box!

Forefront TMG 2010 leverages Microsoft Reputation Services (MRS) to query URLs categories.

Since I´m evaluating TMG 2010 at the company I work I decided to test it. At TMG 2010 GUI you can query a URL to check what category it belongs to.

Figure 5 – TMG 2010 GUI query

You can see this URL is categorized as Malicious and Spam URLs. We can assume from now that TMG will successfully block the URL, if a deny rule is blocking these categories, when an user try to access it, right?

That´s right! However, since I´m testing TMG 2010 I do not assume anything, I want to be certain! This is the result when I am trying to access this URL from a machine behind TMG 2010:

Figure 6 – TMG 2010 block page

As expected TMG 2010 successfully blocked the page!

Oh! To make it clear I returned to use Internet Explorer when the version 8 was launched and still using IE since then!

The bottom line is that Microsoft has been heavily investing in security in the past years. No matter if you are a home user or a corporate user, your back it is being covered.

Regards,

Paulo Oliveira.