Thursday, August 26, 2010

Skydrive: Uploading Files For Community Support

If you receive a comment such as "please post this file to SkyDrive" in the forums for a community member to look at a dump file or a large log file, then you can easily post it to Microsoft Live SkyDrive. The key thing is to ensure that the file that you are posting is publicly accessible. At the time of this writing, everyone gets 25 GB of free storage.

To Upload a Publicly Accessible File to SkyDrive

  • Log in to SkyDrive or create an account.
  • Generally there are two folders by default "My Documents" and "Public." Uploading a file and posting a link from the "Public" folder is usually sufficient.
  • Click the Public Folder and click "Add files." From here it is easy to select files from your computer. Note that if you run into a size limit, the files may need to be split to upload.
  • After uploading the files, it is a good idea to post a link to the files, this can be accomplished by selecting Share -> Embed and copying the resulting link back to a post or email.
  • Note that if you are not using the default public folder or need to allow access to a different folder that you have created, then you may need to enable access for everyone. Select Share -> Edit permissions (note that I created a new Test directory to demonstrate the sharing process). Note that it appears that the permissions can only be modified on top level folders. I tried creating a Test folder under My Documents and the sharing permissions could not be modified, but creating a new top level folder allowed the permissions to be set properly.



See Also:
Windows Crash Dump Analysis
How To Split a Large File For E-mail and Upload

Thursday, August 5, 2010

Virus Alerts in System Center Operations Manager 2007 R2 from Forefront Client Security

The Event...

Recently a colleague asked me to build a monitor for a file server that was running Forefront Client Security. The idea is that the monitor can be used to generate an alert that is used to notify our security team for remediation.  I don't routinely have viruses on any of the systems that I run so I didn't know whether Forefront Client Security would generate any events that we could use to generate the alert or feed the subscription. Naturally the first question that I have is "Where can I find a test file that Forefront will detect as a virus?". After a short Google search, I find a post that indicates that the EICAR test file can be used.

<event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="FCSAM" />
    <EventID Qualifiers="0">3004</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-08-05T15:02:37.000000000Z" />
    <EventRecordID>5565</EventRecordID>
    <Channel>System</Channel>
    <Computer>hostname.domain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%830</Data>
    <Data>1.5.1981.0</Data>
    <Data>{0241B15E-FF55-4937-A417-CC72198D3A9F}</Data>
    <Data>10</Data>
    <Data>%%843</Data>
    <Data />
    <Data>C:\Program Files (x86)\Internet Explorer\iexplore.exe</Data>
    <Data>domain</Data>
    <Data>username</Data>
    <Data>SID</Data>
    <Data>Virus:DOS/EICAR_Test_File</Data>
    <Data>2147519003</Data>
    <Data>5</Data>
    <Data>42</Data>
    <Data>http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003</Data>
    <Data>file:C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\LFQVJNIJ\eicar[1].com</Data>
    <Data />
    <Data />
    <Data>4</Data>
    <Data>%%814</Data>
    <Data>0</Data>
    <Data>%%823</Data>
    <Data />
    <Data />
    <Data>Severe</Data>
    <Data>Virus</Data>
    <Data />
    <Data />
  </EventData>
</event>

Before I even have a chance to choose a file path for saving the file, ForeFront Client Security has already detected the file as a virus. Poking around in the event logs, these events are created in Windows Logs\System and are from the source FCSAM with ID 3004. Now that we have sufficiently covered the Forefront event that is logged, the big question is how to create the monitor and generate the alert.

The Monitor...

The background of the monitor is that Operations is not interested in remediation of the file server, so the alerts that are generated should not last very long in the "Active Alerts" view and should be sent directly to the security team for review and remediation.

Without actually writing a management pack in the Authoring console, this monitor can be created from the Authoring tab of the Operations console. Under Management Packs\Monitors we will use the "Create a Monitor" action item to create a new unit monitor in an appropriate management pack.

In the first part of the wizard, select Windows Events\Simple Event Detection\Timer Reset and select an appropriate management pack. Click Next.

Pick a valid name and description. I used the name "Forefront Client Security Realtime Monitoring Virus alert" and a description describing the monitor. For target, select "Windows Computer" (or another target as appropriate). The parent monitor is likely going to be Entity Health\Security. Click Next

Select the System Event log and click Next. Configure Event Id "3004" and Source "FCSAM". Click Next. Specify a short wait time, I used 10 seconds. Click Next.

Under the "Configure Health" step, configure the "Event Raised" condition to trigger a health state of "Warning" and the "Timer Event Raised" to trigger a health state of "Healthy." Then configure the monitor to generate an alert when it is in the "Warning" state. The monitor is now set up to alert if a virus is found.

The subscription...

The next step is to create a new subscription. This assumes that the appropriate channels and subscribers have been created. Under the Administration tab of the Operations Console, create a new Subscription by either right clicking any node of the navigation tree and selecting "New subscription..." or clicking the Subscriptions node and "New..." in the actions pane.

Select an appropriate name and description for the subscription. Under the "Criteria" step, select "created by specific rules or monitors (e.g., sources)" and search for and select the monitor that we created in the previous section. Select the appropriate subscribers, channels, and configure the appropriate information and create the subscription.

Alternative Method Not Using SCOM...

If you don't want to use SCOM and want to use the native event log functionality in Windows to generate the email. This can be done by right clicking the event in the "System" log in the event viewer and selecting "Attach a Task To this Event..." **Note that this event needs to appear at least once in the event log, so you will need to manually generate it with the EICAR test file referenced above.

Note that this procedure will need to be followed to include the event text in the email. Note that the wevutil script will likely follow

del %temp%\query.txt
wevtutil qe System "/q:*[System [(EventID=3004)]]" /f:text /rd:true /c:1 > %temp%\query.txt

and the %temp%\query.txt file will still be included as the attachment to the email.


Tuesday, August 3, 2010

COMExceptions, HRESULTS, and Windows Calculator

I was recently building a small web application in ASP.Net and C# where I had to deal with a little bit of ADSI and the System.DirectoryServices namespace. During the debugging phase, I used try/catch block to catch exceptions and present them in a label for development purposes and to create useful error messages for users for reasons that they would know and care about (such as an invalid username and password). One of the errors was a COMException with an ErrorCode property of 8007052E:
# as an HRESULT: Severity: FAILURE (1), Facility: 0x7, Code 0x52e 
# for hex 0x52e / decimal 1326 :   ERROR_LOGON_FAILURE                                           winerror.h 
# Logon failure: unknown user name or bad password. 
# 1 matches found for "8007052e" 
So, obviously I give the following a try in C# and am presented with a warning:

if (ex.ErrorCode == 0x8007052E)

Visual studio says "Comparison of integral constant is useless; the constant is outside the range of type 'int'". So I start working with the Exchange Error Code Look-up Tool  (note that it is not just for Exchange, but for any of the "19871 return codes registered from 172 sources" that it has archived on my system) and trial and error and do a little bit of truncation, looking up 0x7052E and 0x52E, which are presumably the same error code,

C:\>err 7052e 
# as an HRESULT: Severity: SUCCESS (0), Facility: 0x7, Code 0x52e 
# for hex 0x52e / decimal 1326 :   ERROR_LOGON_FAILURE                                           winerror.h 
# Logon failure: unknown user name or bad password. 
# 1 matches found for "7052e"  

C:\>err 52e 
# for hex 0x52e / decimal 1326 :   ERROR_LOGON_FAILURE                                           winerror.h 
# Logon failure: unknown user name or bad password. 
# 1 matches found for "52e" 
Sadly, these don't work. Then I remember what I learned when I studied a little bit about two's complement numbers and realize that these error codes will never match and that the MSB of the 8-digit hex value is the one that is going to make the value negative for a 4-byte number, but in a decimal representation. **Note above that I was in error to work with 0x7052E, the error lookup tool was primarily interested in 4 or 8 digit hexadecimal representations of the error, so for the second one it was interested in 0x052E, returning the same error**.

I start poking around with some of the improvements to Windows Calculator (since I didn't want to use pencil and paper) in Windows Server 2008 R2 and Windows 7 and stumble upon the new Programmer mode (you can still perform this in the old calculator application, but using the Scientific mode). I enter the hex code 8007052E, remember that HRESULTs are dwords (4 bytes/32 bits)  and convert to decimal.

The correct value to use in the branch is actually -2147023570. No more warning. The word value is 0x52e (decimal 46), another possible result if the return value for a function written in an old version of Windows or one that only returns a 2 byte (16 bit) value.