Archive for the 'Security' Category
Posted by Alex Verboon on 2nd March 2010
During the past weeks we have seen quite a few messages about the MS10-015 security update, which can cause bluescreens after being installed. According to a recent post on the Microsoft Security Response Center blog, there is a revised installation package for MS10-015 that prevents the update from installing if abnormal conditions exist, such as an infection by a computer virus like the Alureon rootkit. More details about the updated MS10-015 security update can be found here.
In addition Microsoft today also released the Kernel Update Compatibility Assessment Tool that allows systems administrators who are concerned about deploying MS10-015 throughout their enterprise to perform an upfront assessment to identify clients that could have a compatibility issue with MS10-015.
Besides the Compatibility Tool mpsyschk.exe itself, Microsoft has also added a sample batch file that could be added to a corporate logon or startup script. The script executes mpsyschk.exe and reports the status into a log file that can be stored on a central share. In a very large environment you may also want to consider writing the status into a local log file and collecting the results through a custom inventory on your systems management system.
Tags: Compatibility, Kernel, mpsyschk.exe, MS10-015, Security, Virus
Posted in Security, Tools | No Comments »
Posted by Alex Verboon on 11th February 2010
During an Application Compatibility webcast I attended recently the presenter mentioned the Fiddler Tool. There are many network traffic monitoring Tools out there, but if you are just after capturing HTTP traffic, this one should get your attention.
Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and "fiddle" with incoming or outgoing data.
Fiddler is free and can be downloaded from here, and some demonstration videos can be found here.
Tags: Debugging, HTTP, Tips, Tools, Traffic
Posted in Compatibility, Internet, Internet Explorer, Protocols, Security, Tip, Tools, Web | No Comments »
Posted by Alex Verboon on 25th January 2010
Just going through an AGPM (Advanced Group Policy Management) installation where I had to choose an account for the AGPM Service, which can be the Local System account or a domain user account. Instead of just clicking Next, Next…, I found some good guidance in the Ask the Directory Services Team blog – AGPM Least Privilege Scenario article. Also read Locking down AGPM fit for least privilege.
Never heard of AGPM before? Then watch this 4-5 minute Tour on Advanced Group Policy Management. And finally, here’s a video provided by Kurt Roggen showing how to install the AGPM Server.
Tags: Advanced Group Policy Management, AGPM, Delegation, GPO, MDOP
Posted in AGPM, Deployment, Group Policy, MDOP, Security | 1 Comment »
Posted by Alex Verboon on 19th January 2010
Having trouble with a client not getting updates from your Windows Update Services Server? Then have a look at the WSUS Client Diagnostics Tool. The tool performs various system checks and tests the communication between your client and the WSUS server.
The Tool can be downloaded from the Windows Server Update Services Tools and Utilities site at Microsoft TechNet.
Tags: BITS, Diagnostic, Troubleshooting, WSUS
Posted in BITS, Security, Tip, Tools, WSUS, Windows Update Services | 2 Comments »
Posted by Alex Verboon on 12th January 2010
I’m currently busy with integrating the Symantec Endpoint Protection software into a Windows 7 build for one of our customers. I wondered if the Security team had really provided me with the latest and greatest version and ended up searching for that information on the Symantec web site where I came across a post mentioning the Symantec Endpoint Protection Support Tool.
For those that have a SEP 11 version prior to RU5, the tool can be downloaded from here, and as of RU5 (11.0.5002.333) the tool can also be downloaded from within the Symantec Endpoint Protection client by opening the client user interface and selecting Help & Support > Download Support Tool.
When completed, all results are listed in categories.
And for my case, answering my question whether I am using the latest and greatest version.
The tool provides much more information than just the current version, so if you are a Security Professional (then you probably know this tool already) or an IT Pro this is a must have for SEP troubleshooting or information gathering.
Additional Information: (thanks to Grant Hall)
About the Symantec Endpoint Protection Support Tool
The Symantec Endpoint Protection Support Tool
Tags: Definitions, SEP, support, Tool, version
Posted in Security, Symantec, Tip, Tools, Windows 7 | No Comments »
Posted by Alex Verboon on 31st December 2009
Microsoft Security Essentials (MSE) is Microsoft’s free antivirus software, which helps protect clients against viruses and spyware. For years I had used other free antivirus programs on my home-based clients, but have switched them all to MSE since its release in September 2009.
The MSE binaries are located in the following folder: C:\Program Files\Microsoft Security Essentials. In that folder we also find the MpCmdRun.exe which provides a command line interface for MSE. The tool provides the following options:
-? / -h : Displays all available options for this tool
-Trace [-Grouping #] [-Level #] : Starts diagnostic tracing
-RemoveDefinitions [-All] : Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
-RestoreDefaults : Resets the registry values for Microsoft Antimalware settings to known good defaults
-SignatureUpdate [-UNC] : Checks for new definition updates
-Scan [-ScanType] : Scans for malicious software
-Restore -Name <name> [-All] : Restore the most recently or all quarantined item(s) based on name
-GetFiles : Collects support information
When I booted my Windows 7 client this afternoon, the virus and spyware definition status was set as shown in the picture below.
After running MpCmdRun -SignatureUpdate the definition files were updated.

When using the -Scan option you can define whether you want to run a default, quick or full system scan. To run a quick scan simply type MpCmdRun -scan -1 at the command prompt.
Running MpCmdRun -GetFiles generates a file called MPSupportFiles.cab and stores it under C:\ProgramData\Microsoft\Microsoft Antimalware\Support. The cab file contains all relevant data related to MSE (log files, registry settings and events).
Additional Information
Microsoft Security Essentials Home
MSE – Microsoft Security
How to manually download the latest definition updates for Microsoft Security Essentials
Tags: Antivirus, Definitions, MpCmdRun, MSE, Scan, Security Essentials, Spyware, Update
Posted in Automation, MSE, Security, Tip, Tools | No Comments »
Posted by Alex Verboon on 31st October 2009
When opening Windows Update, you might see a number of Important and optional updates that are available to your system. But what to do if you are not interested in installing one of these updates? Over time the list will keep growing as new updates will be released and it becomes quite an annoying job to go over the entire list over and over again.
When you click on the “optional updates are available” link, all updates are listed as shown in the picture below.
So if you don’t intend to install certain updates, select them and choose “Hide Update” from the right mouse context menu; this will make the update disappear from the updates list.
If at some stage you feel that you would want to install an update that you have hidden, then click on the “Restore Hidden Updates” link, which will then show you all the updates you have hidden previously.
You then select the updates you would like to get back in the list again, and click on the Restore button. The word Restore might be a bit misleading, but no worries, it will not install anything yet; it just adds the update back into the available updates list.
I’ve spent some time trying to figure out where the system stores this information (hidden updates), but besides the c:\windows\windowsupdate.log file, I was not able to figure out where in the registry or file system this information is being stored. Any hints are welcome.
Tags: Windows Update
Posted in Security, Tip, Vista, Windows 7 | No Comments »
Posted by Alex Verboon on 27th October 2009
With the launch of Windows 7 Microsoft also released an updated version of the Microsoft Baseline Security Analyzer, also known as MBSA. The version is 2.1.1, which indicates that this is basically just a minor revision of the previous MBSA 2.1, and that is exactly what it is. MBSA 2.1.1 does not appear to bring any new features other than adding support for Windows 7 and Windows Server 2008 R2.
Hoping to find at least something new, I had extracted the content of the MBSASetup-x64-EN.msi of both versions, but could not find any differences other than some updated readme and about files and the newly compiled executables. Also, when launching the new MBSA it’s only showing 2.1 and not 2.1.1.

The MBSA 2.1.1 can be downloaded from here
Tags: 2008 R2, Baseline Analyzer, MBSA, Security, Windows 7
Posted in Deployment, Security, Tools, Windows 7, Windows Server 2008 R2 | No Comments »
Posted by Alex Verboon on 23rd September 2009
Instead of opening several windows, here’s an easy way to get a list of installed QFEs. Simply open a command prompt and type:
WMIC QFE
or
WMIC QFE get caption,hotfixid,installedon
or if you are looking for a specific update, enter the following command:
WMIC QFE | find "958559"
where 958559 relates to the MS KB number. If the QFE is installed, it will be listed.
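The find filter above matches any line that contains the digits, including the Caption URL or a longer KB number, so a hit on its own does not prove the update is present. As an added example (not part of the original post), this Python script parses the CSV form of the same WMIC query and compares HotFixID values exactly against a required list; the sample output and every KB number other than 958559 are constructed.

```python
import csv
import io
import re

# Constructed sample of: WMIC QFE get caption,hotfixid,installedon /format:csv
# (not from a real machine). KB9585591 and KB0000001 are made-up numbers.
SAMPLE_WMIC_CSV = (
    "\r\r\n"
    "Node,Caption,HotFixID,InstalledOn\r\r\n"
    "PC01,http://support.microsoft.com/?kbid=9585591,KB9585591,9/22/2009\r\r\n"
    "PC01,,KB0000001,\r\r\n"
    "PC01,,File 1,\r\r\n"
)


def installed_hotfixes(wmic_csv_text):
    """Return {kb_digits: installed_on} parsed from WMIC QFE CSV output."""
    # Redirected WMIC output often has blank lines and \r\r\n line endings.
    lines = [ln.strip() for ln in wmic_csv_text.splitlines() if ln.strip()]
    found = {}
    for row in csv.DictReader(io.StringIO("\n".join(lines))):
        hotfix_id = (row.get("HotFixID") or "").strip()
        # Accept only real update IDs; skip placeholder rows such as "File 1".
        match = re.fullmatch(r"(?:KB|Q)?(\d+)", hotfix_id, re.IGNORECASE)
        if match:
            found[match.group(1)] = (row.get("InstalledOn") or "").strip()
    return found


def missing_updates(wmic_csv_text, required_kbs):
    """Return the required KB numbers with no exact HotFixID match."""
    installed = installed_hotfixes(wmic_csv_text)
    return [kb for kb in required_kbs if re.sub(r"\D", "", kb) not in installed]


def find_style_match(wmic_csv_text, kb_digits):
    """Mimic `WMIC QFE | find "<digits>"`: true if any line contains them."""
    return any(kb_digits in line for line in wmic_csv_text.splitlines())


if __name__ == "__main__":
    required = ["958559", "KB0000001"]  # 958559 is the number used in the post
    print("find-style hit for 958559:", find_style_match(SAMPLE_WMIC_CSV, "958559"))
    print("missing (exact match):", missing_updates(SAMPLE_WMIC_CSV, required))
```

On the constructed sample the substring filter reports a hit for 958559 even though only the longer made-up KB9585591 is installed, while the exact comparison lists 958559 as missing.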
Tags: QFE, WMIC
Posted in Automation, Knowledge, Security, Tip | 1 Comment »
Posted by Alex Verboon on 6th July 2009
The AppLocker Technical Documentation for Windows 7 and Windows Server 2008 R2 provides technical guidance about understanding how AppLocker works and how to effectively plan and deploy AppLocker policies.
The download contains two documents:
BETA – AppLocker Frequently Asked Questions.pdf
BETA – Planning and Deploying Windows AppLocker Policies.pdf
Download here
Tags: Applocker
Posted in Active Directory, Reading, Security, Windows Server 2008, Windows Server 2008R2, Windows7 | No Comments »
Posted by Alex Verboon on 12th April 2009
On April 14th mainstream support for Windows XP will end. For the next 5 years the operating system goes into extended support. The table below illustrates the differences between mainstream and extended support.

The Microsoft Windows XP product page explains it as follows:
Mainstream Support delivers complimentary and paid support, free security updates, and bug fixes to all Windows customers who purchase a retail copy of Windows XP (i.e., a shrink-wrapped, not pre-installed copy). Mainstream Support for Windows XP will continue through April 2009.
Extended Support delivers free security updates to all Windows customers. Customers can also pay for support on a per incident basis. Extended Support for Windows XP will continue until April 2014. New bug fixes require the Extended Hotfix Support program.
More Information:
Microsoft Support Lifecycle Policy
Microsoft Support Lifecycle for Windows XP
Microsoft Support Lifecycle for Windows 2000
Microsoft Support Lifecycle for Windows Vista Enterprise
Tags: Extended Support, Mainstream Support, Windows XP
Posted in Licensing, Reading, Security, Windows XP | No Comments »
Posted by Alex Verboon on 13th March 2009
Another thing I came across this week was the Intel Anti-Theft Technology videos. So if you are interested in seeing how Intel could help you get your notebook back, watch the videos posted here.
Tags: anti-theft, Intel, technology, vPro
Posted in Knowledge, Security, vPro | No Comments »
Posted by Alex Verboon on 12th March 2009
Here’s another video from GPanswers explaining how to restrict the use of certain devices within your managed environment.
Tags: devices, GPO, Group Policy, Restrict
Posted in Active Directory, Automation, Deployment, Group Policy, Knowledge, Security | No Comments »
Posted by Alex Verboon on 26th February 2009
Watch the Using AppLocker in Win7 video on TechNet, where Paul Cooke gives an insight into what AppLocker is, how it works and how to deploy it.
Tags: Applications, Applocker, Control, Security, Video
Posted in Applocker, Automation, Deployment, Security, Windows 7 | No Comments »
Posted by Alex Verboon on 18th February 2009
With Windows 7 we can encrypt not only our local fixed drives but also USB devices. That is useful considering that many of us probably carry around one or more memory sticks that could contain sensitive data, or just data you don’t want anyone else to get access to.
Now of course any new operating system comes with tons of new features, but I would consider this as one of those features that people are also really going to use, as it is simple to use.
Encrypting a USB memory stick within Windows 7 is a matter of a few clicks; the process is very intuitive and self-explanatory. Once you have a USB memory stick attached to your system, simply select the device in Windows Explorer and select “Turn on Bitlocker” in the context menu.
What makes the Windows 7 USB device encryption even more useful is that you can use that encrypted device not only on a Windows 7 system, but also on Windows Vista (don’t know if also on XP as I am too lazy to try that out right now).
When you insert a Windows 7 encrypted USB device into a Windows Vista client, you will only see the following content on the device.
To access the encrypted data, you must launch BitLockerToGo.exe.
Enter your previously set password, then you’re ready to browse the content of the device.
If you want to remove encryption from your USB device, you must start the Bitlocker Drive Encryption applet within the Control Panel and select “Turn off Bitlocker”.
More about Windows 7 Bitlocker:
Windows 7 Screencast – BitLocker To Go
BitLocker in Win7
Bitlocker Screencast (for those interested in history)
TechNet – Bitlocker area
TechNet Radio: BitLocker (January 2009)
Tags: Bitlocker, BitlockerToGo, Encryption, Windows7
Posted in Automation, Bitlocker, Security, Tip, Windows 7 | No Comments »