Channel: Symantec Connect - Blog Entries

A new Symantec.pl.xml was released (2013-02-19)


Today the Biomni Frontoffice Solution 7.3.1 was added to the Symantec product listing XML (Symantec.pl.xml), as shown in the change log below:

Revision: f5c249e2956c
Author:   Ludovic FERRE <ludovic@15-cloud.fr>
Date:     Tue Feb 19 13:51:26 2013
Log:      Symantec.pl.xml md5 = 459d3f36a28022efcc63c695783178b3

http://code.google.com/p/ns7pl/source/detail?r=f5c249e2956c

Added:
 /solutions/7_1/biomni/7_3_sp1/biomni_frontoffice_x64_7_3_1.msi_info
Modified:
 /symantec.pl.xml

=======================================
--- /dev/null
+++ /solutions/7_1/biomni/7_3_sp1/biomni_frontoffice_x64_7_3_1.msi_info Tue Feb 19 13:51:26 2013
@@ -0,0 +1,4 @@
+File name:     biomni_frontoffice_x64_7_3_1.msi
+File size:     101617664
+Url path:      http://www.solutionsam.com/solutions/7_1/biomni/7_3_sp1/biomni_frontoffice_x64_7_3_1.msi
+File hash:     538ccf5023e6cf536f0161745440f46abe1590ed64c96135734a665c275dee9c
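Review bot: the checksum in the new msi_info record is labelled only `File hash:` with no algorithm named, while the commit log line reports an md5 for Symantec.pl.xml itself; name the algorithm in the record (the 64 hex characters are consistent with SHA-256, e.g. `File hash (sha256): ...`) so a consumer knows how to verify the download. It is also worth noting in the record that the `Url path` is plain http, which makes this hash the only integrity check a downloader has before installing the MSI.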
=======================================
--- /symantec.pl.xml    Mon Feb  4 15:51:07 2013
+++ /symantec.pl.xml    Tue Feb 19 13:51:26 2013
File is too large to display a diff.


APT1: Q&A on Attacks by the Comment Crew


Today Mandiant released a detailed report dubbed "APT1", which focuses on a prolific cyber espionage campaign by the Comment Crew going back to at least 2006 and targeting a broad range of industries. The report cites the earliest known public reference to APT1 infrastructure as originating from Symantec. We have detected this threat as Backdoor.Wualess since 2006 and have been actively tracking the group behind these attacks. The following Q&A briefly outlines some of the relevant Symantec information around this group:

Q: Do Symantec and Norton products protect against threats used by this group?

Yes. Symantec confirms protection for attacks associated with the Comment Crew through our antivirus and IPS signatures, as well as STAR malware protection technologies such as our reputation and behavior-based technologies. Symantec Mail Security for Microsoft Exchange also detects the targeted emails used by this group.

Q: Has Symantec been aware of the activities of the Comment Crew?

Yes. Symantec has been actively tracking the work of the Comment Crew for a period of time to ensure that the best possible protection is in place for the different threats used by this group.

Q: Why are they called the Comment Crew?

They were dubbed the Comment Crew due to their use of HTML comments to hide communication to the command-and-control servers.
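As an added illustration of the naming point above (written for this page; it is not Symantec's detection logic and not code from the post): a small scanner that extracts HTML comments from page content and flags any whose body is a single base64- or hex-shaped token, which is how encoded instructions hidden in a comment would present to a defender inspecting proxied responses. The sample page, the length threshold and the regexes are constructed assumptions.

```python
"""Flag HTML comments that look like carried data rather than markup notes.

Constructed example for defenders: run over HTTP response bodies and hand
the hits to an analyst. Thresholds are assumptions to tune per environment.
"""
import base64
import math
import re
from html.parser import HTMLParser

MIN_LEN = 24                                            # shorter comments are almost always genuine
TOKEN_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")        # base64 alphabet with optional padding
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def shannon_entropy(s: str) -> float:
    """Bits per character: random base64 approaches 6, English prose sits near 4."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(comment: str) -> bool:
    """True when the comment body is one base64- or hex-shaped token of MIN_LEN+ chars."""
    body = comment.strip()
    if len(body) < MIN_LEN or any(ch.isspace() for ch in body):
        return False
    return bool(TOKEN_RE.match(body) or HEX_RE.match(body))


class CommentCollector(HTMLParser):
    """Collects every <!-- ... --> body seen while parsing."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data)


def suspicious_comments(html: str):
    """Return (body, entropy_bits) for each comment that looks like carried data."""
    parser = CommentCollector()
    parser.feed(html)
    return [(c.strip(), round(shannon_entropy(c.strip()), 2))
            for c in parser.comments if looks_encoded(c)]


# Constructed sample page: two ordinary comments and one blob-shaped comment.
SAMPLE_BLOB = base64.b64encode(b"constructed sample, nothing real here 0001").decode()
SAMPLE_HTML = f"""<html><head><title>Welcome</title></head>
<body>
<!-- main navigation starts here -->
<p>Hello</p>
<!-- {SAMPLE_BLOB} -->
<!-- TODO -->
</body></html>"""

if __name__ == "__main__":
    for body, bits in suspicious_comments(SAMPLE_HTML):
        print(f"suspicious comment ({bits} bits/char): {body[:40]}...")
```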

Q: How does a victim get infected?

The initial compromise occurs through a spear phishing email sent to the target. The email contains an attachment using a theme relevant to the target. Some recent examples used by this group and blocked by Symantec technologies are listed here:

  • U.S. Stocks Reverse Loss as Consumer Staples, Energy Gain.zip
  • Instruction_of_KC-135_share_space.doc
  • New contact sheet of the AN-UYQ-100 contractors.pdf
  • U.S. Department of Commerce Preliminarily Determines Chinese and Vietnamese Illegally Dumped Wind Towers in the United States.doc
  • ArmyPlansConferenceOnNewGCVSolicitation.pdf
  • Chinese Oil Executive Learning From Experience.doc
  • My Eight-year In Bank Of America.pdf

Similar to what Symantec indicated in a recent blog, if the malicious attachment is opened, it attempts to use an exploit against the target victim's system. It drops the malicious payload as well as a clean document to keep the ruse going.

Q: Does Symantec know who this group is targeting?

Yes. Symantec telemetry has identified many different industries being targeted by this group, including Finance, Information Technology, Aerospace, Energy, Telecommunications, Manufacturing, Transportation, Media, and Public Services. The following figure shows a worldwide heatmap of detections related to this group since the beginning of 2012.

Figure. Heatmap of Comment Crew related detections

Q: Currently, what are the most prevalent threats being used by this group?

In the last year, Symantec has identified the most prevalent threats used by this group as Trojan.Ecltys, Backdoor.Barkiofork, and Trojan.Downbot.

Q: Has Symantec released any publications around these attacks?

Yes. We have recently released publications to address techniques and targets of Trojan.Ecltys and Backdoor.Barkiofork, both of which are threats used by this group:

We have also investigated associated attacks of this group:

Q: What are the Symantec detection family names for threats used by this group?

Symantec also detects numerous other files used by this group under various detection names:

Q: Does Symantec have IPS protection for these threat families?

Yes. There are several IPS signatures to catch threat families associated with this group:

Q: How will this report affect the Comment Crew operations?

Despite the exposure of the Comment Crew, Symantec believes they will continue their activities. We will continue to monitor activities and provide protection against these attacks. We advise customers to use the latest Symantec technologies and incorporate layered defenses to best protect against attacks by groups like the Comment Crew.

The story of a very expensive filter


One of my customers reported a problem that caused one of their child Notification Servers to run at 100% CPU and consume almost all memory (out of 32 GiB available).

I first looked at the timing (it was reported last Friday) and thought this was possibly linked to the PMImport release, as last week was Patch Tuesday (we released the PMImport on Wednesday and replicated it to the child server on Thursday evening).

But this was not it. First, the memory ballooning happened in three different processes: the w3wp pools for Altiris-NS-Agent and TaskManagement as well as AeXSvc itself.

With all three processes running we would see large chunks of memory released in a clean drop and then climb right back up in a nice curve. This was because the three processes were fighting for the scarce memory and causing each other to be scavenged every now and then.

Stopping one of the application pools pegged the memory at ~12 GiB for each of the other two processes, restoring access to the console but not resolving the problem.

In the end we found that this was a recurrence of an issue seen in November (before I was on the account) caused by a "rogue" filter.

The following SQL allowed us to find and clean up the culprit:

-- Find the single filter (collection) with the most members; anything over
-- a million rows is suspect in this environment.
select top 1 collectionguid, count(*)
  from collectionmembership
 group by collectionguid
having count(*) > 1000000
 order by count(*) desc

-- Then remove the runaway membership rows for that one filter.
delete from collectionmembership where collectionguid = '<guid found above>'

This returned 2.9 million entries!

So the deletion took 25 minutes to run, but after restarting the application pools and the Altiris Service all was back to normal. We looked at the audit information on the filter, and the person who last modified it had not, to their recollection, changed anything specific.

However, we saw from the edit view (whilst the deletion was running) that the filter was set to "Query Mode: Query Builder" instead of "Query Mode: none" (the filter is used for patch targeting, and we only need to do filter inclusions or exclusions).

When the same thing happened today we quickly fixed the issue, but the user again confirmed that he had not done anything bad.

So I tested this on my server and reproduced the problem: when the query mode is set to Query Builder and you save the filter as is (without modifying anything), all resources are included in the filter.

This doesn't matter on my test system, which can cope with a mere 25,000 objects in the cache. But in a large environment the 2.9 million items were fully replicated in memory (we use a complete cache for the collection membership cache) in three different processes, demanding an awful lot of resources and grinding the server to a halt.

 

 

Help Us Improve Veritas Operations Manager


The Veritas Operations Manager team is launching a new version in the middle of this year, and we want you (current or new customers) to try out the beta and give us feedback. Check out the VOM and VOM Advanced 6.0 Technology Preview post on what new features you can expect and how to participate in the beta program.

Also, the VOM Tell Your Story Contest for current VOM or VOM Advanced customers has been extended to April 30, 2013. Share your experience about VOM or VOM Advanced to earn extra Symantec Connect points. Here are the contest details.

Knowledge Base Articles of ADC Policy


In this blog I have collected a number of article links that can help and guide you with ADC (Application and Device Control) policy.

Best Practices for Deploying Symantec Endpoint Protection's Application and Device Control Policies

http://www.symantec.com/docs/TECH145973

Symantec Endpoint Protection Manager - Application and Device Control - Policies explained

http://www.symantec.com/docs/TECH104431

White Paper on Application and Device Control

http://www.symantec.com/avcenter/security/ADC/Configuring_Application_Control_1.1.pdf

How to configure Application Control in Symantec Endpoint Protection 11.0 : Configuring Application Control Policies

http://www.symantec.com/business/support/index?page=content&id=TECH102525

DevViewer --Tool helpful for Application and Device control to find Hardware Device ID and GUID

https://www-secure.symantec.com/connect/downloads/devviewer-tool-helpful-application-and-device-control-find-hardware-device-id-and-guid

Symantec Endpoint Protection 11.0: Application and Device Control & NTP White Paper

https://www-secure.symantec.com/connect/downloads/symantec-endpoint-protection-110-application-and-device-control-ntp-white-paper

How to block or allow device's in Symantec Endpoint Protection

https://www-secure.symantec.com/connect/articles/how-block-or-allow-devices-symantec-endpoint-protection

How to Block or Allow Devices in Symantec Endpoint Protection

http://www.symantec.com/docs/TECH175220

SEP policy to block the USB and to exclude the Keyboard and Mouse

https://www-secure.symantec.com/connect/downloads/sep-policy-block-usb-and-exclude-keyboard-and-mouse

After setting up an Application and Device Control policy to block CD writing, CD writing is not blocked as expected, and write attempt is not logged

http://www.symantec.com/docs/TECH104800

To disable CD/DVD writer on System through Symantec Endpoint Protection Manager

https://www-secure.symantec.com/connect/downloads/disable-cddvd-writer-system-through-symantec-endpoint-protection-manager

How to make USB drives read-only with Symantec Endpoint Protection using Application and Device Control

http://www.symantec.com/docs/TECH95813

How to block USB hard drives in SEP, but allow reading specific USB drives in the SEPM Application and Device Control Policy

http://www.symantec.com/docs/TECH173724

How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.

http://www.symantec.com/docs/TECH106304

How to block USB flash drives while allowing other USB devices.

http://www.symantec.com/docs/TECH104299

How to block USB devices while excluding mouse and keyboard?

http://www.symantec.com/docs/TECH161779

How to use Application and Device Control to block all USB devices except those I specifically want to allow

http://www.symantec.com/docs/TECH105770

Block copy and execution of specific files from an USB.

http://www.symantec.com/docs/TECH94989

How to create a rule that will allow only specific USB’s on to your network.

http://www.symantec.com/docs/TECH92943

Data Card Policy

https://www-secure.symantec.com/connect/downloads/data-card-policy

How to block users to perform download of files with specific extentions using Application and Device Control.

https://www-secure.symantec.com/connect/articles/how-block-users-perform-download-files-specific-extentions-using-application-and-device-con

Block the access of Extension (.mp3, .mp4, .mpg, .mpeg, .flv)

https://www-secure.symantec.com/connect/downloads/block-access-extension-mp3-mp4-mpg-mpeg-flv

How to Block unwanted Memory Cards

https://www-secure.symantec.com/connect/articles/how-block-unwanted-memory-cards

How do I Block File Shares using Symantec Endpoint Protection (SEP) Application and Device Control policy

https://www-secure.symantec.com/connect/downloads/how-do-i-block-file-shares-using-symantec-endpoint-protection-sep-application-and-device-c

How do I Block access to Autorun.inf using Symantec Endpoint Protection (SEP) Application and Device Control policy

https://www-secure.symantec.com/connect/downloads/how-do-i-block-access-autoruninf-using-symantec-endpoint-protection-sep-application-and-de

Block access to Autorun.inf

https://www-secure.symantec.com/connect/downloads/block-access-autoruninf

How do I Block hosts file modification using Symantec Endpoint Protection (SEP) Application and Device Control policy

https://www-secure.symantec.com/connect/downloads/how-do-i-block-hosts-file-modification-using-symantec-endpoint-protection-sep-application-

Application Control Policy for psexec.exe

https://www-secure.symantec.com/connect/downloads/application-control-policy-psexecexe

Using Application And Device Control Policy - registry access prevention

https://www-secure.symantec.com/connect/downloads/using-application-and-device-control-policy-registry-access-prevention

Determine why a Scheduled Task or Query failed


How to determine the cause of Scheduled Task or Query failure

Solution:

The cause of failed schedules can be determined from the Schedule Logs.

The logs for the RMS schedules are stored in text format at the following location: 

\Program Files (x86)\Symantec\RMS\data\<User Name>\ScheduleLogs

Note:

The name of each log file corresponds to the name of the schedule in RMS.

These log files are automatically overwritten by the new log files after the respective schedule re-runs.

At any given point in time, each schedule in RMS has exactly one corresponding schedule log file, the one from its latest run.

 

APT1: Q&A on the Attacks by the Comment Crew


On February 18, Mandiant released a detailed report titled "APT1". The report focuses on a prolific series of cyber espionage activities; the Comment Crew, the group involved, has targeted a wide range of industries since at least 2006. The report cites a Symantec publication as the earliest reference to APT1 infrastructure. Symantec first detected this threat as Backdoor.Wualess in 2006 and has been actively tracking the group behind these attacks ever since. The following Q&A outlines the Symantec information that is particularly relevant to this group.

Q: Do Symantec and Norton products provide protection against the threats used by this group?

Yes. Symantec protects against attacks involving the Comment Crew through antivirus and IPS signatures, as well as STAR malware protection technologies such as reputation-based and behavior-based technologies. Symantec Mail Security for Microsoft Exchange also detects the targeted emails sent by this group.

Q: Was Symantec aware of the Comment Crew's activities?

Yes. Symantec has been tracking the group's activities for many years in order to always provide the best possible protection against the various threats used by the Comment Crew.

Q: Where does the name Comment Crew come from?

The name Comment Crew derives from the group's use of HTML comments to conceal communication with its command-and-control servers.

Q: How do the victims of these attacks become infected?

The initial infection starts with a spear phishing email sent to the target. The email carries an attachment whose theme is relevant to that target. Some recent samples used by the Comment Crew and blocked by Symantec technologies are listed below.

  • U.S. Stocks Reverse Loss as Consumer Staples, Energy Gain.zip
  • Instruction_of_KC-135_share_space.doc
  • New contact sheet of the AN-UYQ-100 contractors.pdf
  • U.S. Department of Commerce Preliminarily Determines Chinese and Vietnamese Illegally Dumped Wind Towers in the United States.doc
  • ArmyPlansConferenceOnNewGCVSolicitation.pdf
  • Chinese Oil Executive Learning From Experience.doc
  • My Eight-year In Bank Of America.pdf

As in the example reported in a recent blog, when the malicious attachment is opened it attempts to exploit the target system. In addition to the malicious payload, a clean PDF file is also dropped to make the ruse more convincing.

Q: Does Symantec know which organizations this group is targeting?

Yes. Symantec telemetry shows that a wide range of industries is being targeted, including finance, information technology, aerospace, energy, telecommunications, manufacturing, transportation, media, and the public sector. The figure below maps detections related to this group since the beginning of 2012.

Figure. Distribution map of detections related to the Comment Crew

Q: Currently, which threats are most frequently used by this group?

Over the past year, Symantec has identified Trojan.Ecltys, Backdoor.Barkiofork, and Trojan.Downbot as the threats most frequently used by this group.

Q: Has Symantec published anything about these attacks?

Yes. Symantec recently published information on the targets and techniques of Trojan.Ecltys and Backdoor.Barkiofork, both of which are threats used by the Comment Crew.

We have also investigated attacks associated with this group.

Q: What are Symantec's detection definitions for the threats used by the Comment Crew?

Symantec also detects numerous other files used by this group under various detection names.

Q: Is IPS protection available for these threats?

Yes. Several IPS signatures are in place to catch threats associated with the Comment Crew.

Q: How will this report affect the Comment Crew's activities?

Even with this much information exposed, Symantec believes the Comment Crew will continue its activities. Symantec will keep monitoring the group's activity and continue to provide comprehensive protection against these attacks. To defend reliably against attacks by groups like the Comment Crew, we recommend using the latest Symantec technologies and deploying layered defenses.

* To subscribe to the RSS feed of the Japanese Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Every IT person's nightmare.


So you have support on the line, and they have a fix for an issue for you. WebEx session, servers configured, service restarted, all good, right?

Not so quick. 5 minutes later, a complaint that the console is no longer accessible. 10 minutes after that's resolved, no jobs/tasks will run!

That's the worst moment in IT, when everyone that's never roamed near your cube is now gathering inside or huddled into an empty space just to spectate. It's like a mosh-pit-thick ringside when Tyson's strolling down the aisle, and in my mind, a numbing silence like someone that just got TKO'ed.

Starting from the beginning, we had NSE processing performance issues and a call was made to support to change the queue processing size (TECH183347). After the changes, both servers seemed normal when using the console while remoted into the server. The call ends, and then we found out the console no longer works remotely. Some searching on Connect while emailing and calling the support engineer back and leaving messages for anyone I could get hold of. So this apparently gets the remote console working; don't ask me why it only affected one server and not the other when the same configuration was applied to both. Unchecking this box does the trick:

Tools- Internet Options - Advanced - Security - enable integrated windows authentication*

Then more calls; this time none of the jobs/tasks assigned would run on the server with the browser connection issue, while the other server was working as normal. More emails sent; finally Thomas Baird calls me with a suggestion while he was driving around for lunch.

Restart the Altiris Object Host Service on the Site Server. Everything started working immediately.

Normally resolving issues is gratifying, as you ponder future accomplishments for days to come. But in this case it was a downright disappointment: an enterprise product that has odd failures with no log or indication of what could have gone wrong. As in this case, the Altiris Object Host Service was running on all servers.

Can't wait for what's next.

 

 


Should I Worry about Data Corruption? - Unfortunately Yes......


Recently one of my customers had a series of outages in the communications between their buildings. The upshot is that, because of the way they had deployed their clusters, they weren't protected against their cluster nodes losing communication with each other. I have seen mixed experiences from my customers in terms of split brain issues (split brain is when all nodes in a cluster begin writing in an uncoordinated fashion to shared storage because each believes it is the last node in the cluster).

I have seen customers running Campus Clusters with no split brain protection and have yet to see any problems. I have also seen other customers who go belt and braces using IO fencing, which is built into VERITAS Cluster Server. Some have issues due to the way they handle the IO fencing devices, as they are often not understood. So what's it all about then? It's pretty simple.

For a cluster to work there needs to be a communication system between the nodes in the cluster to establish which systems are up and which are down. VERITAS Cluster Server uses the concept of heartbeats. These are isolated channels that once a second pass a message between nodes saying "I am alive". Normally we specify 2 heartbeats plus a low priority heartbeat. This is a heartbeat which uses a public interface, and only when the real full-time heartbeats fail. In this way we can prevent the nodes from any arbitration behaviour by using a public interface temporarily.

Let's say you have a 2 node cluster and I walk into your data centre and yank out the heartbeat cables between your nodes. Suddenly, after a specified interval of checking, each node comes to the conclusion that it is the last node in the cluster. It will then attempt to force import the storage. Now consider that this could be a genuine failure of one of the nodes in the cluster. In that scenario we want the remaining node to import the storage that was being used before the crash and start our applications (otherwise what's the point of high availability). In our scenario, where we have actually not lost any nodes but simply the communications between systems, both systems will import the storage and begin writing to the filesystems. Time to get your backup tapes out or resync from this morning's hardware replica. This is what we call a split brain.

Symantec do have some good mechanisms to protect you from this. The first is a type of membership arbitration called IO fencing. This leverages SCSI-3 reservations from the hardware storage subsystem itself: the storage subsystem can forcibly stop a specific system doing IO to a device. It involves having 3 coordination points (vote disks); when the cluster starts, each node joining the cluster registers keys on these vote disks. Now in the scenario above, where all communication is lost between cluster nodes, an arbitration race begins. Each node in the cluster will race to gain control of the vote disks; whichever loses the race by getting the minority of the vote disks will be fenced out of the cluster and sent a panic request.

So we are forcibly crashing the race loser to avoid it writing to the shared disks. IO fencing is bulletproof and will also block IO from any 3rd party hosts mistakenly gaining access to the shared disks. Also, if a system has hung, there is the possibility that when it comes out of its hung state it could flush IO down to the shared devices, causing corruption. SCSI-3 reservations and IO fencing stop this. This is the recommended way to configure clusters, but it does come at the price of needing 3 vote disks for each cluster. Additionally, in virtualised environments SCSI-3 reservations are often not supported, so this becomes a little irrelevant.

Symantec also have another clever arbitration method known as Coordination Point Server (CPS). It offers a solution for customers wishing to vastly reduce the possibility of split brain without needing the vote disks and SCSI-3. Coordination point servers are used to independently judge which nodes are up in a cluster. So, as with the vote disks, three are needed to judge fairly: three coordination point servers are required in the environment. These are effectively three single node VCS clusters which sit idle until there is a dispute. The difference here is that these three servers can arbitrate many hundreds of clusters, as they are simply contacting the nodes over IP to see if they are alive. In my example above, when both systems believe they are the last remaining node, the following takes place. The three coordination point servers attempt to contact each system in the cluster; whichever system gets the most votes is the winner and stays up. The losing node is sent a kill command and crashes. Thus this is split brain protection by taking out the other contenders who might want to write to the storage.

This raises an interesting scenario. Say in a two node cluster I have a production server and a test server acting as a standby node. If there is a loss of communications between the two and the arbitration process starts using the coordination point servers, what happens if your test server wins the race? You might have a red faced service manager shouting at you. The good news is that from VCS 6.0 onwards there is the concept of preferred fencing. This simply means you can weight a race to favour either a system or a service group. This way, in the loss of communication scenario, you can ensure your test system is taken out of the equation instead of your production server.

So which is better? It's horses for courses, I'm afraid. SCSI-3 offers bulletproof protection, of that there is no question. But it comes at the price of needing many vote disks and SCSI-3 compliant storage. Coordination Point Server offers a best efforts approach to arbitration, and the effort involved in terms of hardware and setup is almost negligible. But there will be corner cases, as mentioned, where you could face corruption if a hung system came back before it was killed and was able to flush its data buffers down to disk.
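A constructed model of the arbitration described in the last few paragraphs, added here as an illustration and not Veritas code: two nodes that have lost heartbeat contact race for three coordination points, the majority holder survives, preferred fencing is approximated as a race handicap on the lower-weighted side, and a second function records the hung-node corner case that separates SCSI-3 fencing from CP servers. Node names, latencies and weights are made up.

```python
"""Simplified model of VCS membership arbitration after heartbeat loss.

Constructed example: the real products serialise claims at the storage
array or CP server; here each coordination point simply goes to whichever
node's registration arrives first.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    reach_time: float       # seconds from heartbeat timeout to first registration attempt
    weight: int = 0         # preferred-fencing weight; the higher side is favoured


@dataclass
class Outcome:
    winner: str
    panicked: str
    votes: dict = field(default_factory=dict)   # coordination point -> claiming node


def arbitrate(a: Node, b: Node, latency: dict, handicap_per_weight: float = 0.5) -> Outcome:
    """Race both nodes for every coordination point; the majority holder stays up.

    latency maps each coordination point to {node name: one-way latency in seconds}.
    """
    if len(latency) % 2 == 0:
        raise ValueError("use an odd number of coordination points (the post uses three)")
    top = max(a.weight, b.weight)
    votes = {}
    for cp, lat in latency.items():
        def arrival(n: Node) -> float:
            # Preferred fencing: the lower-weighted side is delayed, so the
            # preferred side tends to claim the coordination points first.
            return n.reach_time + lat[n.name] + handicap_per_weight * (top - n.weight)
        ta, tb = arrival(a), arrival(b)
        if ta == tb:
            raise ValueError(f"tie at {cp}; real coordination points serialise claims")
        votes[cp] = a.name if ta < tb else b.name
    a_votes = sum(1 for v in votes.values() if v == a.name)
    if a_votes * 2 > len(votes):
        return Outcome(a.name, b.name, votes)
    return Outcome(b.name, a.name, votes)


def loser_can_corrupt(method: str, loser_hung_then_resumed: bool) -> bool:
    """Can the race loser still write to shared storage after losing?

    scsi3: the array rejects its IO regardless of the node's state.
    cps:   only a kill request is sent, so a node that was hung during the race
           and resumes before it dies could flush buffered IO (the corner case above).
    """
    if method == "scsi3":
        return False
    if method == "cps":
        return loser_hung_then_resumed
    raise ValueError(f"unknown arbitration method: {method}")


# Constructed campus-cluster layout: cp1 near the production site, cp2 near
# the test site, cp3 at a third location.
LATENCY = {
    "cp1": {"prod": 0.01, "test": 0.05},
    "cp2": {"prod": 0.05, "test": 0.01},
    "cp3": {"prod": 0.03, "test": 0.03},
}

if __name__ == "__main__":
    prod = Node("prod", reach_time=0.3)
    test = Node("test", reach_time=0.1)       # the faster box would win a plain race
    print("plain race:        ", arbitrate(prod, test, LATENCY))
    prod.weight = 2                           # preferred fencing favours production
    print("preferred fencing: ", arbitrate(prod, test, LATENCY))
    print("hung CPS loser can corrupt:", loser_can_corrupt("cps", True))
```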

If the data centre was mine I would risk the second approach with the CPS servers. It's much better than having no arbitration and is a doddle to set up. Of course, if I started seeing data corruption I could change my mind... and job.

Coordination Point Server is available from VCS 5.1SP1 onwards.

Connect Dev Notes: 20 Feb 2013


User Facing: Desktop

  • Added an RSS Wizard that lets users build an RSS URL that pulls targeted information from Connect based on community, content type, product and more. We've documented this new feature (for easy future reference) in the Connect FAQ.
  • Since the first question asked in reply to many forum posts is, "What operating system are you using?", we've added the ability to tag your forum post with a relevant operating system.
  • Added the ability for users to add a status message to their user profile page.
  • Fixed an issue in user Workspaces (Account -> My Workspace) so clicking the 'comments' tab will correctly display the comments you've posted.
  • Removed the phrase "I need a solution" from items that display on a user's activity feed (Account > My Profile).
  • Fixed an issue with translated titles on IT Trends pages that were displaying character encoding.
  • Fixed an issue with posts of different languages appearing on blog list pages that had been filtered for a target language.
  • Fixed an issue with file attachments not displaying properly on a few articles.
  • Fixed character encoding issues that were displaying in the titles of nodes rendered in the "Can you solve these?" and "Recently Solved" blocks.

User Facing: Mobile

  • Added code that improves the experience for those who use the footer link to switch from the desktop UI to the mobile UI. The improved code takes the user to the page they were viewing before the switch instead of to their user profile page.

Admin Facing

  • Added code that gives group owners the ability to require acceptance of a membership agreement or NDA to the "request membership" workflow for prospective group members.

Behind the Scenes

  • Added code that serves Connect pages to Symantec's Solution Center via https to minimize security risks.

NetBackup 7.5.0.5 (NetBackup 7.5 Maintenance Release 5) is now available!


I'm very pleased to announce that the next Maintenance Release for NetBackup 7.5 is now available!

NetBackup 7.5.0.5 is the fifth maintenance release for NetBackup 7.5.  It is a cumulative release containing fixes and content from 7.5.0.1 through 7.5.0.4. In addition, this release contains almost 400 additional fixes (bringing the total fixes in 7.5.0.5 to over 1100!) including the most commonly downloaded EEBs, several customer escalations, and internal engineering defects.

NetBackup 7.5.0.5 includes the following proliferations and enhancements:

  • vSphere 5.1 Support - Consuming VDDK 5.0 U1
  • VMware backup host is now supported on the following operating systems:
    • Red Hat Enterprise Linux 5.5 x64
    • Red Hat Enterprise Linux 6.3 x64
  • Bare Metal Restore is now supported on the following operating systems:
    • Red Hat Enterprise Linux 5.8
    • Red Hat Enterprise Linux 6.3
    • Oracle Linux 5.7
    • Oracle Linux 6.3
  • DB2 10.1 Support (streaming support only; snapshot backup/restore is not supported)

To download 7.5.0.5, please visit the following page:

NetBackup 7.5.0.5 Download Links
 http://symantec.com/docs/TECH199269

This is a MAINTENANCE Release for NetBackup (as opposed to a Release Update) - it can ONLY be applied on top of NetBackup 7.5.  (If you are currently running 7.0, 7.0.1, 7.1, or 7.1.0.x, you will need to upgrade to 7.5 before you can apply 7.5.0.5.)

Please note that maintenance releases are CUMULATIVE - that means that 7.5.0.5 contains all product fixes included in 7.5.0.1, 7.5.0.2, 7.5.0.3 AND 7.5.0.4.  If you are currently running NetBackup 7.5, you may apply the 7.5.0.5 maintenance release without installing 7.5.0.1, 7.5.0.3 or 7.5.0.4.  In fact, if you are still running NetBackup 7.5, we would HIGHLY encourage applying 7.5.0.5!

To check to see if your particular Etrack is resolved in NetBackup 7.5.0.5, please refer to these Release Notes:

NetBackup 7.5.0.5 Release Notes
 http://symantec.com/docs/DOC6038

The NetBackup 7.5 Late Breaking News has also been updated to reflect newly released fixes in 7.5.0.5 for some of our highest visibility issues:

NetBackup 7.5 Late Breaking News
 http://symantec.com/docs/TECH178334

Altiris Helpdesk: Practical Limit of 63 Characters for Attachment Filenames


Spent the last couple of hours looking into an issue with the Altiris 6 Helpdesk. As I couldn't find the issue reported elsewhere, and it's bitten me before, I thought I'd just pop this in the blog.

In summary, be aware that for practical purposes the limit for attachment filenames in the Altiris Helpdesk is 63 characters. If you are using Microsoft Exchange for your enterprise email services, internal users mailing into the helpdesk with attachment filenames exceeding this limit will have their attachment silently dropped.

The evidence of a ticket having a dropped attachment is found in the ticket history: it will state that ‘the following attachments were added:’ in the incident update without stating the filename (as would normally be the case).

The workaround we put in place is to have helpdesk email go to a mailbox which is then automatically forwarded to the helpdesk. This allows our helpdesk staff to extract the attachment to the ticket directly when they encounter the empty attachment field.

 

Background

For several years we’ve seen a strange scenario where  user emails can have their attachments silently dropped by the helpdesk, depending on which mail servers they’ve been passed through. As we’ve had a few mailservers around it’s been difficult to figure out what’s going on. Although rare, it is reproducible if the same user is asked to send the same attachment again.

Today we made some progress in understanding the issue. It seems that Exchange does ‘something’ to internal emails which results in the Altiris helpdesk email interpreter falling over when the attachment filename exceeds 63 characters. The same email sent from Google or Yahoo into the helpdesk does not suffer from this problem. The same email sent via other internal mailservers may, or may not, suffer from this problem; it seems to depend on the email server vendor and version in question.

So what we know for sure is that this issue is the result of how Exchange (and possibly other mail servers) deal with attachment filenames once they get to 64 bytes. And whatever is happening here, the Altiris helpdesk email interpreter doesn’t understand it (despite being able to understand attachments with long filenames originating from the likes of Yahoo and Google).

There are references out there on the internet of Exchange becoming a bit frustrating when dealing with long filename attachments[1], but no resolution in sight.

So for now such attachments will continue to go missing, and we'll have to re-attach them as before when that happens. But, at least now we can do so with a bit of reassurance that there isn’t much we can do about it. ;-)

[1] http://social.technet.microsoft.com/Forums/en-US/exchangesvrsecuremessaginglegacy/thread/610630f9-ef9d-4ee6-8434-2af777f751fe/
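As an added example (not code from the original post), the check below parses a constructed message whose long attachment name is carried as RFC 2231 continuation parameters (filename*0=, filename*1=), which is an assumption about how a mail server may encode a long filename rather than something the post establishes, and flags any attachment name over the 63-character limit so helpdesk staff know up front which tickets will need the attachment re-added. The function names are ours.

```python
"""Spot attachments whose filename exceeds the helpdesk limit before they are lost.

Added example, not from the original post. It assumes the 63-character limit
stated above and that the long name arrives as an RFC 2231 continuation
parameter (filename*0=, filename*1=), one way a mail server can carry a name
too long for one header parameter. The message below is constructed here.
"""
import email
import re

HELPDESK_FILENAME_LIMIT = 63  # practical limit observed in the post

# Constructed sample: plain body plus one attachment whose 76-character name
# is split across two continuation parameters.
SAMPLE_RAW = (
    "From: user@example.com\n"
    "To: helpdesk@example.com\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    'Content-Type: text/plain; charset="us-ascii"\n'
    "\n"
    "Screenshot attached.\n"
    "--b1\n"
    "Content-Type: image/png\n"
    "Content-Disposition: attachment;\n"
    ' filename*0="very_long_screenshot_of_the_printer_error_dialog";\n'
    ' filename*1="_taken_on_monday_morning.png"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "iVBORw0KGgo=\n"
    "--b1--\n"
)


def attachment_names(raw_message):
    """Filenames of all attachment parts; the stdlib joins filename*0, *1, ..."""
    msg = email.message_from_string(raw_message)
    return [part.get_filename() for part in msg.walk()
            if part.get_content_disposition() == "attachment"
            and part.get_filename() is not None]


def naive_attachment_names(raw_message):
    """What a parser that only knows a plain filename="..." parameter sees.

    The continuation form never matches, so the attachment looks nameless,
    mirroring the empty "attachments were added:" history entry above.
    """
    msg = email.message_from_string(raw_message)
    names = []
    for part in msg.walk():
        match = re.search(r'filename="([^"]*)"', part.get("Content-Disposition", ""))
        if match:
            names.append(match.group(1))
    return names


def oversized_attachments(raw_message, limit=HELPDESK_FILENAME_LIMIT):
    """(filename, length) for attachments longer than the helpdesk limit.

    Run it on the intermediate mailbox that forwards to the helpdesk so staff
    know up front which tickets will need the attachment re-added by hand.
    """
    return [(n, len(n)) for n in attachment_names(raw_message) if len(n) > limit]
```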

How to report on an agent-based Unix server hosting multiple databases

Desired reports:

- Reports from the Unix Host

- Reports from DB1, DB2, DB3

Refer to the diagram below:

Solution:

To report on the Unix Host:

Install the Unix agent on the Unix Host.

- Register Interface 1 with BVIS using the command:

  • /setup.sh -a <IP of BVIS> <IP of Interface 1> <Username> <Password> -s UNX

To report on DB1, DB2, DB3:

- Register Interface 2 with BVIS using the -lip (logical IP) option, once with -s UNX and once with -s ORCL:

  • /setup.sh -a <IP of BVIS> <IP of Interface 1> <Username> <Password> -s UNX -lip <IP of Interface 2>
  • /setup.sh -a <IP of BVIS> <IP of Interface 1> <Username> <Password> -s ORCL -lip <IP of Interface 2>

- Repeat the above step to complete the Unix and Oracle logical IP registrations for Interface 3 and Interface 4.

Excel cells break when a report is exported to CSV format

Issue: When the result of a Collection Evaluation Report job is exported in CSV format, the cells break, giving a non-uniform report output.

Cause: When the evidence of the failed checks is large, Microsoft Excel cannot handle the large character count of an individual cell. This causes the cells to break.

Explanation: The capacity of Microsoft Excel to handle the length of cell contents is 32,767 characters. The first 1,024 characters display in a cell and the remaining appear in the formula bar. If the character count of the evidence in a cell is more than 32,767 characters, the cell will break. This is a limitation of Microsoft Excel.

Solutions:

Solution 1:

Instead of exporting the report in CSV format, export the result to Excel by the following method:

Go to the Evaluation Result >> Select "Asset Based View" >> Highlight and select the assets >> Right Click on the assets >> Export Results to Xls

This report will look somewhat different from the CSV report, but with uniform cells.

Solution 2:

In scenarios where the output needs to be a CSV file, re-write the check so that it will not give a large amount of data in the evidence field.

Reference:

http://office.microsoft.com/en-in/excel-help/excel-specifications-and-limits-HP005199291.aspx
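An added example, not from the original article: a preflight check over a constructed evaluation-result export that reports any cell over the 32,767-character limit quoted above and, in the spirit of Solution 2, splits such cells across continuation rows so Excel can open the CSV intact. The function names and the sample rows are ours.

```python
"""Pre-flight check for a CSV export that Excel cannot display cell by cell.

Added example, not part of the original article. It assumes the 32,767
character per-cell limit quoted above; the sample export below is
constructed here, with one failed check whose evidence exceeds that limit.
"""
import csv
import io

EXCEL_CELL_LIMIT = 32767  # characters Excel will hold in a single cell


def read_rows(csv_text):
    """Parse CSV text into rows; quoted evidence with commas or line breaks
    stays one cell, which is what Excel then fails to render intact."""
    return list(csv.reader(io.StringIO(csv_text)))


def oversized_cells(csv_text, limit=EXCEL_CELL_LIMIT):
    """Return (row, column, length), 1-based, for every cell longer than limit."""
    found = []
    for row_no, row in enumerate(read_rows(csv_text), start=1):
        for col_no, cell in enumerate(row, start=1):
            if len(cell) > limit:
                found.append((row_no, col_no, len(cell)))
    return found


def split_oversized(csv_text, limit=EXCEL_CELL_LIMIT):
    """Rewrite the export so that no cell exceeds limit.

    An oversized cell is cut into chunks of at most limit characters. The
    first chunk stays in its row; each further chunk goes into an extra row
    that repeats the row's other columns, so nothing is lost and every cell
    is small enough for Excel. This applies the "less data per evidence
    field" idea of Solution 2 after the fact, to an existing export.
    """
    out = io.StringIO()
    writer = csv.writer(out)
    for row in read_rows(csv_text):
        chunked = [[cell[i:i + limit] for i in range(0, len(cell), limit)] or [""]
                   for cell in row]
        depth = max((len(chunks) for chunks in chunked), default=1)
        for k in range(depth):
            # unsplit cells are repeated on every continuation row
            writer.writerow([chunks[0] if len(chunks) == 1
                             else (chunks[k] if k < len(chunks) else "")
                             for chunks in chunked])
    return out.getvalue()


def build_sample_export():
    """Construct a small evaluation-result export with one oversized cell."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["Asset", "Check", "Result", "Evidence"])
    writer.writerow(["host-a.example", "Password age", "Pass", "max_days=90"])
    # evidence of a failed check listing many findings, well past the limit
    evidence = "\n".join(f"finding {i}: value out of range" for i in range(1500))
    writer.writerow(["host-b.example", "Registry audit", "Fail", evidence])
    return out.getvalue()
```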

Useful SQL Queries

So, I've been cobbling together a few SQL queries lately that help get large amounts of information from EV. I figured I'd provide one of these to everyone. As I post these queries I will also provide the information each one gathers below, so people know what they are looking at. I hope these queries are as helpful to others as they have been for me.

(Note: As we cannot take into consideration every environment, please run these queries with caution as they MAY cause performance issues while being run)

-- Start Query
-- Prerequisite : Must be run on SQL instance with EnterpriseVaultDirectory DB

USE EnterpriseVaultDirectory 

SELECT Distinct
     CASE WHEN AV.archivename IS NULL THEN '--Folder' ELSE AV.archivename END AS 'ArchiveName/Folder?'
     ,CASE WHEN AV.Type = '5' THEN 'Shared' 
      WHEN AV.Type = '9' THEN 'Mailbox' 
      WHEN AV.Type = '17' THEN 'Journal' 
      WHEN AV.Type = '33' THEN 'PublicFolder' 
      WHEN AV.Type = '65' THEN 'SharePointServer' 
      WHEN AV.Type = '129' THEN 'FSA' 
      WHEN AV.Type = '257' THEN 'Sharepoint' 
      WHEN AV.Type = '513' THEN 'LotusJournal' 
      WHEN AV.Type = '1025' THEN 'LotusMbx' 
      ELSE 'Undefined' END AS ArchiveType
     ,CASE WHEN VEMS.MbxAlias IS NULL THEN 'Not Associated' ELSE VEMS.MbxAlias END AS MbxAlias
     ,CASE WHEN AFV.FolderName IS NULL THEN 'N/A' ELSE AFV.FolderName END AS 'FolderName if applicable'
     ,r1.VaultEntryId as 'ArchiveID - FolderID if ArchiveName = Folder'
     ,SQLServer
     ,VSE.VaultStoreName
     ,VSE.DatabaseName
     ,CASE WHEN VEMS.ExchangeComputer IS NULL THEN 'Not Associated' ELSE VEMS.ExchangeComputer END AS ExchangeServer
     ,ce.ComputerName as StorageServiceComputer
     ,CASE WHEN ce2.ComputerName IS NULL THEN 'Not Associated' ELSE ce2.ComputerName END AS EVTaskServer
     ,CASE WHEN AV.ArchiveStatus = '1' THEN 'Archive Enabled' WHEN AV.ArchiveStatus = '3' THEN 'Archive Disabled/Closed' WHEN AV.ArchiveStatus = '4' THEN 'Marked for Deletion' ELSE 'Other' END AS ArchiveStatus
     ,CASE WHEN AV.HasHistory = '1' THEN 'Moved' WHEN AV.HasHistory = '0' THEN 'Not Moved' END AS 'Moved with MA?'
     ,CASE WHEN PTG.DisplayName IS NULL THEN 'Archive Not Provisioned' ELSE PTG.DisplayName END AS ProvisioningGroup   
     ,CASE WHEN EPV.poName IS NULL THEN 'No MBX Policy' ELSE EPV.poName END AS "Exchange MBX Policy Name"
     ,CASE WHEN PE.poName IS NULL THEN 'No Desktop Policy' ELSE PE.poName END AS "Desktop Policy Name"
     ,CASE WHEN RCE.RetentionCategoryName IS NULL THEN 'Not Assigned' ELSE RCE.RetentionCategoryName END AS "Assigned Default Retention"
     ,CASE WHEN IVV.IndexedItems IS NOT NULL THEN CONVERT(VARCHAR(24), IVV.IndexedItems) ELSE 'N/A' END AS "IndexedItems"
     ,IVV.OldestArchivedDateUTC
     ,IVV.YoungestArchivedDateUTC
     ,CASE WHEN Archive.Structured = '1' THEN 'Structured' WHEN Archive.Structured = '0' THEN 'Unstructured' ELSE 'Unknown' END AS "Structured?"
     ,CASE WHEN VI.VaultEntryId IS NULL THEN 'Archive Not Of Interest' ELSE 'Archive Of Interest' END AS OfInterest_DA
     
FROM
     EnterpriseVaultDirectory.dbo.Root r1
     left JOIN  EnterpriseVaultDirectory.dbo.Root r2 on r1.rootidentity = r2.containerrootidentity
     inner JOIN EnterpriseVaultDirectory.dbo.Archive Archive on r1.rootidentity = Archive.rootidentity
     inner JOIN EnterpriseVaultDirectory.dbo.VaultStoreEntry VSE on Archive.VaultStoreEntryId = VSE.VaultStoreEntryId
     inner JOIN EnterpriseVaultDirectory.dbo.ArchiveView AV on Archive.ArchiveName = AV.ArchiveName
     inner JOIN EnterpriseVaultDirectory.dbo.view_ExchangeMailbox_By_Server VEMS on AV.VaultEntryId = VEMS.DefaultVaultID
     left JOIN EnterpriseVaultDirectory.dbo.ArchiveFolderView AFV on r1.VaultEntryID = AFV.VaultEntryID
     inner JOIN EnterpriseVaultDirectory.dbo.PolicyTargetGroup PTG on VEMS.PolicyTargetGroupEntryID = PTG.PolicyTargetGroupEntryID
     inner JOIN EnterpriseVaultDirectory.dbo.ExchangePolicyView EPV on VEMS.PolicyEntryID = EPV.poPolicyEntryID
     inner JOIN EnterpriseVaultDirectory.dbo.PolicyEntry PE on VEMS.DesktopPolicyEntryID = PE.poPolicyEntryID
     left JOIN EnterpriseVaultDirectory.dbo.VaultInterest VI on VI.VaultEntryId = r1.VaultEntryID
     inner JOIN EnterpriseVaultDirectory.dbo.StorageServiceEntry sse on vse.StorageServiceEntryId = sse.ServiceEntryId
     inner JOIN EnterpriseVaultDirectory.dbo.ComputerEntry ce on sse.ComputerEntryId = ce.ComputerEntryId
     inner JOIN EnterpriseVaultDirectory.dbo.ExchangeServerEntry ese on VEMS.ExchangeServerIdentity = ese.ExchangeServerIdentity
     inner JOIN EnterpriseVaultDirectory.dbo.ArchivingRetrievalTaskView artv on artv.ExchangeComputer = ese.ExchangeComputer
     inner JOIN EnterpriseVaultDirectory.dbo.ComputerEntry ce2 on ce2.ComputerEntryId = artv.ComputerEntryId
     inner JOIN EnterpriseVaultDirectory.dbo.IndexVolumeView IVV on IVV.VaultEntryID = AV.VaultEntryID
     inner JOIN EnterpriseVaultDirectory.dbo.RetentionCategoryEntry RCE on RCE.RetentionCategoryId = PTG.RetentionCategoryId
     
WHERE
--AV.archivename IS NOT NULL AND
AV.archivename LIKE '%John%'

-- End Query

Information gathered:
a. If the entry refers to a folder within the archive or the archive itself.
b. What type of archive it is (e.g. Mailbox, Journal, FSA, Shared, etc.)
c. If the archive is currently associated with a mailbox.
- E.g. if there are 2 archives for 1 user, only one archive can be currently associated with the mailbox. This is the active archive.
d. If the entry associated with the archive is a folder, what the folder name is.
e. 'ArchiveID - FolderID if ArchiveName = Folder' : Archive ID if the entry is an archive, Folder ID if it is a folder in the archive.
f. SQLServer : SQL Server instance
g. VaultStoreName
h. DatabaseName : the Vault Store database name

i. StorageServiceComputer : Which EV server has the Storage Service associated with the archive.*
j. EVTaskServer : Which EV server has the Archiving Task associated with the mailbox.*
- For values i and j: when an archive is created, it is associated with a specific Storage Service, but a mailbox can later be moved to another server. When these values do not match, performance can suffer, because items being archived must be moved between EV servers to be processed by a Storage Service on a different server from the one running the Task.
k. ArchiveStatus : Active, Closed, Marked for Deletion...
l. Moved with MA? : Identifies whether the archive was previously moved with Move Archive.
m. ProvisioningGroup : Provisioning Group name associated with the archive. Not Associated if the archive is not associated with a mailbox.
n. Exchange MBX Policy Name : Exchange Mailbox Policy name associated with the archive. Not Associated if the archive is not associated with a mailbox.
o. Desktop Policy Name : Desktop Policy name associated with the archive. Not Associated if the archive is not associated with a mailbox.
p. RetentionCategoryName : Default Retention Category associated with the archive.
q. IndexedItems : How many indexed items are associated with the archive.
r. OldestArchivedDateUTC
s. YoungestArchivedDateUTC
t. Structured? : Whether the archive is structured or not.
- By default, mailbox archives are Structured. Journal and Shared Mailbox archives are Not Structured.
u. OfInterest_DA : Archives that are related to Discovery Accelerator cases will be 'Of Interest'.
- Archives of interest cannot be deleted because they are locked by Discovery Accelerator searches.

Enjoy!

Making the most of website analytics

Following on from our recent webinar on the theme of website optimisation, we have developed a series of three blog posts that discuss website optimisation. These are high-level posts, not intended to be all-encompassing, but designed to kick-start thinking on concepts such as tips to keep your website safe, SEO and, in this final post, website analytics.

How to make the most of website analytics

Website analytics tools, such as Google Analytics, Optimizely or Mint, are invaluable when it comes to guiding your marketing and website development, but only if you know how to make the most of the data they provide.

Resisting temptation: Vanity metrics

The term vanity metrics was coined by author Eric Ries in his book The Lean Startup. They are numbers like raw page views or registered users, which always make the graph go up and which sound impressive, but rarely tell you anything valuable. As TechCrunch points out, vanity metrics aren’t completely useless as they give you an indication of traction, “just don’t be fooled by them”.

Dig deeper: real metrics

Instead, concentrate on metrics that help you make decisions. Actionable metrics tell you what is working and what is not, so you can tweak your site and repeat success. For example, you can measure conversions from organic search, or analyse which pages generate the most conversions.

Measure twice, cut once

The next step is to understand what causes the results you see. One page may outperform another, but the real question is why, and how do you get it to do even better? It could be the bigger font, the fact that there is less writing, or maybe the image.

One answer is A/B testing. Use a tool such as Google Content Experiments or Optimizely to set up several different versions of a web page, each one changing a single element. Then enter your desired objective, such as sales or signups. The testing tool will send some visitors to the different pages at random and analyse what they do afterwards. Many Symantec customers have used analytics to understand the value that website security can bring to their site - such as testing the impact of Always on SSL, or the impact a trust seal can have on website conversions.

Once you have had enough visitors the tool will tell you which version has been the most successful. Ideally you want a tool that will also assess the statistical validity of that outcome, so that you know you are not changing your web design based on a statistical fluke.

The combination of actionable metrics and A/B testing is a powerful way of improving your website’s effectiveness.

To accompany this post we’ve developed an eBook that can be downloaded here https://www.symantec-wss.com/uk/optimise/ext

Redirect Enterprise Vault FSA 'Restore'

The question is whether you can redirect the restore/recall of archived Enterprise Vault FSA data to a different location, and whether the source server needs to be online.

The answer is that if you use:

FSAUTILITY -t -s \\source\share -d \\dest\share

then the source does not need to be online. In addition, the destination does not need any EV services installed; it can be 'any' network share.

The "Frenemy" Within - Intellectual Property Theft by Employees

frenemy <noun> Someone who is both a friend and an enemy. A relationship that is mutually beneficial or interdependent while also being competitive and fraught with risk.

Employees are not conspicuous when it comes to intellectual property theft, yet they have the potential to be the biggest "frenemy". It is normal for trusted employees to carry, share and expose confidential data in the course of their everyday work. Moreover, some deliberately take confidential information with them to use at their next job. Of course, this does not mean that such employees are malicious by nature; in most cases they simply do not realize that what they are doing is illegal.

According to a survey Symantec recently conducted on employee behavior and attitudes toward intellectual property theft, IP theft is far more common than one might imagine. Half of employees admit to taking corporate data with them when they leave a job, and 40 percent say they intend to use that data at their next workplace. In other words, critical information ends up in the hands of competitors. Ultimately everyone is exposed to risk: the employee who takes the IP, the organization that invested in it, and the new employer that unwittingly receives it. Anyone may be held liable, and there are no winners.

What is particularly surprising is how many employees do not consider taking corporate data to be wrong. 62 percent of employees think it is acceptable to transfer corporate data to personal computers, tablets, smartphones or cloud file-sharing applications. And once transferred, the data stays there, because hardly any employees delete it.

Employees give little thought to taking corporate data because they do not know the damage it causes. 56 percent of employees do not believe that using trade secrets taken from a previous employer is a crime. Underlying this lack of awareness is a failure to understand who owns intellectual property: the survey shows that employees believe IP belongs to the person who created it.

Companies are not providing training that clearly distinguishes between what belongs to the employee and what belongs to the company, nor are they creating an environment that encourages employee responsibility and accountability for protecting business information. Employees are also not being taught that using confidential data from a previous employer is a source of risk for their current employer.

What can companies do to reduce the risk of IP theft by employees? Based on the survey findings, Symantec has compiled three recommendations.

  • Employee education: Companies need to make employees aware that they must not take confidential information with them. Awareness of IP theft is an essential part of security awareness training.
  • Enforce non-disclosure agreements (NDAs): Include stronger, more specific language in employment agreements, and use exit interviews to talk with employees about their responsibilities, in order to protect confidential information and ensure that all company information and property (wherever it is stored) remains with the company. Make employees understand that stealing company information in violation of policy has negative consequences for them and for their future employer.
  • Monitoring technology: Implement data loss prevention software that monitors inappropriate access to and use of intellectual property and automatically notifies employees of violations in real time when confidential information is inappropriately exposed, for example by being sent or copied, thereby raising security awareness and deterring theft.

When thinking about protecting valuable intellectual property, it is not enough for companies to watch out for external attackers and malicious employees who steal IP to sell for financial gain. Ordinary employees can be just as damaging to the company. The lesson of this survey is clear: keep your enemies close, and keep your "frenemies" closer.

For details, see the report titled "What's Yours Is Mine: How Employees are Putting Your Intellectual Property at Risk", which can be downloaded from http://bit.ly/XFjYwQ.

Backing up a UEFI based System

The new Symantec System Recovery 2013 (SSR 2013) supports backup and restore of UEFI-based systems.

The following document is intended to walk through the backup procedure of UEFI based systems.

In the Define Backup Wizard, SSR 2013 lists all the volumes on the system that can be backed up. In the following image, 'C drive' is available.

The 'Show Hidden Drives' option enables the user to view and select hidden system partitions such as the Recovery partition (usually an OEM partition) and the ESP (EFI System Partition), as shown in the image below.

If the user does not check the 'Show Hidden Drives' option and select these system partitions, but just selects 'C drive', SSR 2013 prompts to select the related drives/partitions, such as the Recovery partition and the ESP.

In the above image of the Define Backup Wizard, 'Add all related drives' is selected by default to ensure the system is backed up correctly so that a Disaster Recovery can be performed.

This wizard will also show the user any unmounted volumes. If the user decides not to include those unmounted volumes in the backup, the option 'Edit the list of selected drives' can be selected to make a specific selection.

The user may also want to explicitly back up only 'C drive' or 'D drive'; in that case the 'Do not add related drives' option can be selected.

The rest of the configuration process is the same as the backup configuration for any other system.

Malicious Mandiant Report in Circulation

The report, APT1: Exposing One of China's Cyber Espionage Units, published by Mandiant earlier this week has drawn worldwide attention from both the security world and the general public. This interest is due to the conclusion the report draws regarding the origin of targeted attacks, using advanced persistent threats (APT), performed by a certain group of attackers dubbed the Comment Crew. You can read Symantec's response to the report here.

Today, Symantec has discovered someone performing targeted attacks is using the report as bait in an attempt to infect those who might be interested in reading it. The email we have come across is in Japanese, but this does not mean there are no emails in other languages spreading in the wild. The email purports to be from someone in the media recommending the report. As you can see in Figure 1, the attachment is made to appear like the actual report with the use of a PDF file and the name of the company as the file name. However, like in many targeted attacks, the email is sent from a free email account and the content of the email uses subpar language. It is obvious to a typical Japanese person reading the email that it was not written by a native speaker.

When the fake report, which Symantec detects as Trojan.Pidief, is opened, a blank PDF is shown, but in the background exploit code for the Adobe Acrobat and Reader Remote Code Execution Vulnerability (CVE-2013-0641) is executed. If the vulnerability is successfully exploited, the PDF file may drop Trojan.Swaylib and Trojan.Dropper, which in turn drops Downloader. Could the Comment Crew be playing a prank in response to the publication? The truth is we don't know.

Figure 1. Malicious email purporting to contain the report

Similar tactics have been used in the past, one of which actually involved Symantec. Back in 2011, when we released a whitepaper on another group performing targeted attacks, the attackers took the opportunity to use the publication to infect those interested in reading the paper. They did this by spamming targets with the actual whitepaper along with malware hidden in an archive attachment.

If you want to read the actual Mandiant report, or any other for that matter, we advise you to download it directly from the company’s website. The Mandiant download page also provides the hash of the file so that viewers can confirm its authenticity. It is also a good idea to check the hash if you are unsure where you acquired the file from.

Update - February 2013

Initially, this blog stated that the PDF file didn't drop any additional malware. However, after further analysis, it has been found to drop malware in some environments. The blog has been updated to reflect this finding.

We have also confirmed that there are multiple variants of the malicious fake report.
