Channel: Symantec Connect - Blog Entries

Are you ready for a NEW Vision? Register for Vision EMEA 2013 in Nice, France

Join your peers at Vision 2013 in Nice to understand how today’s IT challenges can be addressed by tomorrow’s technology

Information explosion, an increasingly complex threat landscape, and other key IT trends today are already driving you toward the IT infrastructure of tomorrow. Join us for three intense days of training, peer interactions, and direct engagement with Symantec experts to learn how you can stay ahead of the trends by keeping your users productive and protected, making your organization safe and compliant, and keeping your business up and running.

Register for this must-attend event to expand your Symantec product knowledge, get in-depth, hands-on experience with new products, and explore the impact of technology trends on your business.

You simply won’t find a larger, more comprehensive gathering of valuable Symantec content, top experts and prime networking opportunities.

Symantec Vision 2013
Nice, France
8-10 October 2013
Nice Acropolis
 

Click here to register today!


New! Case Study on ROI of Training & Certification


(Click on the hyperlink below and open the PDF for the full case study.)

Teaser:

By investing in Symantec Certification, Endpoint Management knowledge and experience drive customer confidence and business growth

Resource Service, a Symantec Platinum Partner based in Moscow, Russia, has more experience and knowledge in Symantec Endpoint Management solutions than any other IT systems integrator in Russia. The company has calculated that Symantec certifications help its technical staff—which has years’ more experience than its competitors—resolve technical issues 51 to 75 percent faster, design and manage heterogeneous systems more efficiently, slash technical support calls, and boost the bottom line by 30 percent return on investment (ROI).

 

Spammers Targeting Oklahoma Tornado Victims


Natural disasters, like tornadoes and earthquakes, are quite common in the United States of America. Unfortunately, the Oklahoma City suburb of Moore experienced a violent tornado on Monday, May 20, that sadly resulted in dozens of casualties. Spammers exploit natural disasters to lure people into scams, and Symantec Security Response has started to observe spam messages related to this tornado flowing into the Symantec Probe Networks. The top word combinations used in message headlines include:

  • Tornado – hits – Oklahoma
  • Massive – Tornado
  • Huge – Tornado
  • Tornado – survivors


Figure 1: Oklahoma City tornado spam campaign
 

These headers have been observed in the spam attack:

Subject: People Killed After Violent Tornado Hits Oklahoma

From: Hottestxxx<TornadoHitsOklahoma@[REMOVED]>

Spammers will always make use of the relief efforts by sending spam emails that urge people to help the survivors of the disaster. Users should be careful when looking for news of recent popular incidents and events. Symantec recommends that users take extra caution with any donations or relief funds and recommends using trusted and secure sites to stay safe.

We predict a rise in malicious attacks and other spam campaigns over the next few days. Do not click on suspicious links or open attachments received in unsolicited emails. Keep your security software up-to-date in order to protect your information from online viruses and scams. We are monitoring this trend around-the-clock to ensure that readers are kept up to date with information on the latest threats.

Rise in URL Spam


Symantec is observing an increase in spam containing URLs. On May 16, URL spam volume increased by 12% from 84% to 96%, and since then the URL spam volume has fluctuated between 95% and 99%. That means 95% of the spam messages delivered during this period have one or more URLs in them.


Figure 1. URL spam message volume

During this period, .ru was the most used top-level domain (TLD). As illustrated in Figure 2, it is interesting to note a drop in .ru spam and a simultaneous rise in .com and .pw spam. Over 73% of the URL spam contained the .ru, .com, or .pw TLDs.


Figure 2. Top 3 TLDs distribution (last seven days)


Table 1. Spam volume of top 5 TLDs that contributed to total URL spam

We are observing an increasing use of shortened URLs and free Web domains with the .ru TLD. The spam examples seen are mainly hit-and-run (a.k.a. snowshoe) spam. The call to action URL in the spam message leads to fake offers or online pharmacy stores.

Below are the Subject lines that may be seen in spam emails.

  • Subject: Ends Today! Buy One, Get One Free
  • Subject: 48 Hours Only | Free Shipping!
  • Subject: FREE LIFETIME PASS - WHENEVER YOU WANT
  • Subject: Are you dreaming about good health?
  • Subject: Satisfy your girl fully
  • Subject: Win your lady's addiction
  • Subject: Present your women real care
  • Subject: You need Ukrainian woman with beautiful eyes that are ready to talk to private theme?


Figure 3. URL spam message

A sudden rise in URL spam volume like this was also seen in December 2012 and January this year, when holiday season spam and year-end spam were on the rise. Symantec will continue to monitor this uptick in spam containing URLs and will keep our customers protected with additional filters to block these attacks.

SHARE YOUR NETBACKUP DR STORIES, WIN A ZBOARD!


Dear NetBackup Users,

 

I came across an awesome story about how one company used NetBackup AIR to save them in a disaster recovery scenario.  I was pretty impressed with how they used the technology, and more so by how much it saved them in a real DR situation.  Here's the super consolidated and simplified version (or watch the VIDEO):

Super Cool Industries (real names have been changed) had recently upgraded their backup solution to NetBackup 7.5, which features a slick replication technology called AIR (Auto Image Replication).  They immediately began using AIR to replicate backup images from one of their plants to another.  One day, a crazy ice storm knocked the power out at the first plant, which left both it, and another plant that relied on one of its servers, stranded.

Now, previous to this upgrade, their old way of doing DR was to load up the backup tapes in a truck and send them over to a DR location.  If they had to employ this method to get their server back up and running again, in the middle of an ice storm and while roads were frozen over and closed, they literally could've been stranded for weeks, if not longer.  However, because they were "AIR-ing" their backup images to the second plant, they simply stood up a virtual machine there, recovered all their data to it, and were back in business the very next morning.

When I heard about the story, I thought to myself, there must be a ton of other folks out there with similar experiences!  Right? 

And why not have a little fun to tease the best stories out?

So here's what I'm asking:

  • Share your story in the comments section of this blog down below (2 paragraphs max please)
  • We also encourage you to share your story on our Facebook page (not required to win, but encouraged)
  • We'll have our internal teams look through the stories below and judge them based on: 1) creativity, 2) WOW factor, 3) relative impact on the business's uptime and 4) the number of 'thumbs up' on the comment you leave (this would indicate that others dig your story too!).  See official contest rules here.
  • On July 1st we'll announce the winner (via direct message on connect and social media channels), who'll take home a brand new Symantec-branded ZBOARD electric skateboard!
  • If your stories really stand out, we may ask for your permission to create a short animated video (without any identifiable information) out of your story to share with the world (see Super Cool Industries VIDEO example below)
  • Sound good? 

And BTW, the ZBOARD we're giving away is the Pro Model that goes up to 17 mph and can travel up to 10 miles on a single charge (ZBOARDSHOP.COM)!  Check it out:

Symantec Branded ZBOARD


 

VIDEO: NetBackup AIR Saves the Day for Super Cool Industries (Click the image below)


 

 

 

Here are some quick questions that can help frame your comment below (focused on AIR, but feel free to share any DR experience), and remember, brevity is your friend.

  • What was the OLD way of doing things before NetBackup or before NetBackup AIR?
  • What were some of the benefits you saw once NetBackup AIR or other NetBackup DR-focused technology was implemented?
  • What kind of disaster put the solution to the test (this could be man-made or natural)?
  • What was the WOW factor (if any) from seeing NetBackup at work in a real DR situation?
  • Any technical details you'd like to share?

 

Thanks and I hope you enjoy this fun little contest!

All the best,

 

Alex Sakaguchi, Product Marketing Manager, NetBackup

@ASakaguchi | +Alex Sakaguchi | +NetBackup | Symantec Connect

Read the official rules of the contest here

Downloader.Liftoh Cousin to W32.Phopifas?


Downloader.Liftoh is a Trojan horse detected by Symantec that downloads malware onto the compromised computer without the user noticing.

A new variant of this threat, discovered in early May, was identified in some Spanish-speaking countries in Latin America. This variant of Downloader.Liftoh sends messages in Spanish instead of English. The threat is similar to W32.Phopifas which we wrote about in our blog from October 2012.

The creators of Downloader.Liftoh use Skype, which is popular in Latin America, as well as other instant messaging applications to distribute the malware:

  1. The victim receives a message from someone who seems to be on their contact list. The message says, “esta es una foto muy amable de tu parte,” or “jaja, esta foto extraña de tu perfil,” or some similar message to entice the victim to click on a provided link. The link is from one of several URL shortener services, including goo.gl, url9.de, fur.ly, bit.ly, and is.gd.
     
    Figure 1. Malicious Skype message
     
  2. If the victim clicks on the shortened URL, they are redirected to a URL on the 4shared.com website.
     
  3. Once on the 4shared.com website, the victim is prompted to download a .zip file that contains Downloader.Liftoh disguised as a legitimate instant messaging file.
     
  4. If the victim unzips the file, they will find an .exe file inside.
     
  5. If the victim executes that .exe file, Downloader.Liftoh will have successfully compromised the computer.
     

Symantec has observed that this attack recently received 171,553 clicks through Google’s URL shortener, which the cybercriminals use in their campaign.
 


Figure 2. Downloader.Liftoh has 171,553 global clicks since May 20
 


Figure 3. Downloader.Liftoh Latin American click rate distribution
 

There are no geographic boundaries for malware distribution. Attackers only need to change malware code to a different language to find new computers to compromise. To protect yourself, Symantec recommends having up to date and comprehensive security solutions that include antispam and antivirus protections to prevent the compromise of personal computers and networks. It is also recommended that users not click on suspicious links or open any unusual files—even if they are sent from a known contact.
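
The delivery chain described above (a chat message with a shortened link, then a .zip download carrying an .exe) can be checked at two points on the defender's side. The following is an added example, not Symantec's code: the shortener list comes from the post, while the function names, the extra executable extensions, the `MZ` header check and the sample data are assumptions constructed for illustration.

```python
from __future__ import annotations

import io
import re
import zipfile
from urllib.parse import urlparse

# URL shortener services named in the post.
SHORTENERS = {"goo.gl", "url9.de", "fur.ly", "bit.ly", "is.gd"}
# The post only mentions .exe; the other extensions are an assumption.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def shortened_links(message: str) -> list[str]:
    """Return the URLs in a chat message that point at a listed shortener."""
    hits = []
    for url in URL_RE.findall(message):
        try:
            host = (urlparse(url).hostname or "").lower()
        except ValueError:  # malformed host part, e.g. a broken IPv6 literal
            continue
        if host.startswith("www."):
            host = host[4:]
        if host in SHORTENERS:
            hits.append(url)
    return hits


def executable_members(data: bytes) -> list[tuple[str, str]]:
    """Inspect a downloaded .zip in memory and list members that look executable.

    A member is reported if its name ends in an executable extension, or if
    its first two bytes are the Windows PE magic "MZ" (catches renamed files).
    """
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            reasons = []
            # Windows ignores trailing dots and spaces, so strip them first.
            if info.filename.lower().rstrip(". ").endswith(EXEC_EXTS):
                reasons.append("executable extension")
            try:
                with archive.open(info) as member:
                    if member.read(2) == b"MZ":
                        reasons.append("MZ header")
            except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                # Encrypted or unsupported member: cannot be inspected.
                reasons.append("unreadable member")
            if reasons:
                findings.append((info.filename, ", ".join(reasons)))
    return findings


def triage(message: str, download: bytes | None = None) -> str:
    """Combine both checks: 'block' when the whole chain matches."""
    links = shortened_links(message)
    execs = executable_members(download) if download else []
    if links and execs:
        return "block"
    if links or execs:
        return "review"
    return "allow"


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build a small in-memory archive for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: the lure text is quoted in the post, the URL path and
# file names are placeholders, and the "executables" are just an MZ stub.
SAMPLE_MESSAGE = "jaja, esta foto extraña de tu perfil http://goo.gl/EXAMPLE"
SAMPLE_LURE_ZIP = make_zip({"IMG_profile.jpeg.exe": b"MZ\x90\x00" + b"\x00" * 60})
SAMPLE_RENAMED_ZIP = make_zip({"IMG_profile.jpeg": b"MZ\x90\x00" + b"\x00" * 60})
SAMPLE_BENIGN_ZIP = make_zip({"photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60})

if __name__ == "__main__":
    print(shortened_links(SAMPLE_MESSAGE))
    print(executable_members(SAMPLE_LURE_ZIP))
    print(triage(SAMPLE_MESSAGE, SAMPLE_LURE_ZIP))
```

A shortened link on its own only yields "review", since these services are also widely used for legitimate links; the "block" verdict requires the archive check to match as well.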

Symantec™ ServiceDesk 7.5 MP1 Release Notes - available now!

May 22 Workspace Virtualization & Streaming - Webcast Recording


Thanks to all who attended yesterday's Webcast focused on using Symantec Workspace Streaming for software license management.

Special thanks to Sree Krishna and Prasenjit Das for their great presentation and demo. Slides from the webcast are attached to this blog.
 

Also, this White Paper discussing the role of SWS and dynamic software license management may be of interest:
http://www.symantec.com/content/en/us/enterprise/white_papers/b-license-mgmt-wp-21220954-en.us.pdf


Whitewashed Spam – How Antispam Laws Are Helping Spammers


Contributor: Binny Kuriakose

Anonymity disguised as freedom of expression and a lack of clear-cut laws make cyberspace murky from a security point of view. Countries are waking up and realizing that there is a need for laws which enable authorities to catch and punish cyberspace miscreants; however, these miscreants are very crafty.

Spammers are known to use ingenious methods to peddle spam and lately they have even begun using antispam laws themselves in an effort to spearhead spam attacks. This blog is not about analyzing the effectiveness of antispam laws; it is about how spammers are quoting the laws in emails in order to make the spam look legitimate.

There are some “grey area” emails, which fall somewhere between spam and legitimate mail, and sometimes there can be something very inconspicuous in the mail that can tip the balance in the mind of a recipient. Quoting antispam law in the body of the email and claiming that the email adheres to the law is proving to be a popular technique when it comes to painting “grey area” spam white.
 

CAN-SPAM Act - Public Law No. 108-187 (USA - English)

The sample in Figure 1 claims to be adhering to the conditions set by the CAN-SPAM Act, which is the antispam law in the USA. The mail has a disclaimer section at the end which explains the law.
 


Figure 1. Spam sample with antispam law quoted in the body
 

How is this spam?

The transgression here is that the ‘opt-out’ option offered by the spammer is bogus. He merely slides you out of one mailing list and inserts you into another. In all such spam instances the spammer presents the quote and the ‘unsubscribe’ or ‘opt-out’ option so convincingly that the victim falls for it.
 

Other laws which are most commonly seen ‘misused’ in spam

  1. MURK - Bill S.1618 Title III (U.S.A - English)

    By far the most misused legal reference is Bill S.1618 Title III of the United States, which goes by the alias MURK. Although it did concern spamming, the Bill DID NOT BECOME A LAW in the USA since it did not pass both houses.  So any mail which says it is compliant with Bill S.1618 Title III should be put under scrutiny, as you are staring at a lie right there. Spam mails quoting this bill have been seen since 1998, when the Bill was presented.


    Figure 2. Disclaimer in spam quoting Bill S.1618 Title III

    Something which is more disturbing is that the spammers actually take it as far as threatening the readers, using this quote.


    Figure 3. Bill S.1618 quoted in a threatening manner

    However, this drama has spilled beyond the shores of the United States. This quote is also seen in spam in other languages, such as Portuguese and Spanish.


    Figure 4. Disclaimer in a Spanish spam quoting Bill S.1618 Title III
     

  2. Habeas data - Law No. 25, 326 Art. 27 Inc. 3 (Argentina - Spanish and Portuguese)

    Habeas Data is a law that lays down guidelines for commercial emails in Argentina. Like most other laws of this kind, it empowers users to demand that their details be removed from a database.

    It is seen quoted in Spanish and Portuguese spam email campaigns, where the opt-out option is manipulated to make it look legitimate. The fact remains that the opt-out options are bogus and do not stop victims from getting more spam.

    Figure 5. Disclaimer in a spam mail quoting Habeas data law
     

  3. Law No. 28493 / 29246 / D. S. 031-2005-MTC (Peru - Spanish)

    Law No. 28493 / 29246 / D. S. 031-2005-MTC is a law in Peru, where Spanish is the language. Spanish-language mails, even from other countries, are seen displaying this law and claiming legitimacy under it. This sample is seen giving an unsubscribe option that works by sending a reply to a webmail address.

    Figure 6. Disclaimer in a spam mail quoting Peruvian Law No. 28493 / 29246
     

  4. Déclaration CNIL n°1291376 and Déclaration CNIL n°1181416 (France - French)

    Two pieces of French legislation regulating commercial mailings are seen displayed in spam that does not give the customer a proper opt-out option. The opt-out link usually redirects to another webpage showing a message that the user’s details have been removed. But in reality the opt-out does not happen.

    Figure 7. Disclaimer in a spam mail quoting French CNIL No 1291376
     

Conclusion

From these examples it is strikingly obvious that spammers are trying to whitewash their spam, using the laws conveniently to create an aura of fake legitimacy. Unfortunately, recipients are falling victim to this.

Many countries have recognized the right of individuals to unsubscribe from any communication and the right to demand the removal of their personal information from any database. But these instances show that a strong law regarding opt-in to a list is just as important as the law for opt-out, since spammers can slide you into a new mailing list after you unsubscribe from one. End users should be aware of what rights the anti-spam laws grant to every individual.

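Phishing Scams Using Fake Social Media Apps

Phishers try everything they can to improve their chances of getting hold of users' personal information. A well-known tactic is luring users with a variety of fake social media apps. Several new examples of fake apps have been found recently.

The first example is a phishing site that uses a photo of a girl and a Facebook Like button. Clicking the button prompts the user to enter their Facebook login credentials in order to like the photo. Once the credentials are entered, the login is confirmed and the user is asked to click the Like button once more. The number of likes received so far is displayed next to the button, but this is a fake figure. The host server of this phishing site was located in Amsterdam, the Netherlands.

Figure 1. Photo of a girl and the Facebook Like button

Figure 2. Login credentials are required to like the photo

Figure 3. Number of likes displayed next to the Like button

The second example is a phishing site disguised as the Facebook login page, which claims that new features have been added for users in India. The phishing site is named "Chehrakitab", which means "Face Book" in Hindi. As in this example, phishing sites designed to target Indian users are invariably poorly made. The fake Facebook 2013 demo version that appeared earlier was a good example. According to the description on the phishing page, the site is still under construction but logging in is possible. Judging by the text under the logo, which says the site is "wasting users' time", this phisher may hold Facebook in contempt. The phishing site was hosted on a free Web hosting site. Users who are tricked by this phishing site have their personal information stolen and used for identity theft.

Figure 4. Phishing site posing as an Indian version of Facebook

Internet users are advised to take every possible precaution to prevent phishing attacks:

  • Do not click on suspicious links in email messages.
  • Do not provide personal information when replying to an email.
  • Do not enter personal information in a pop-up page or pop-up window.
  • When entering personal or account information, check for the padlock icon, "https", or a green address bar to confirm that the website is encrypted with SSL.
  • Use comprehensive security software, such as Norton Internet Security or Norton 360, which protects against phishing scams and social network scams.
  • Do not carelessly click on links sent in email or posted on social networks, however enticing they are.

* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.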

Rise in URL Spam

Symantec is observing an increase in spam containing URLs. Since rising by 12%, from 84% to 96%, on May 16, the URL spam ratio has fluctuated between 95% and 99%. That means 95% of the spam messages delivered during this period contained at least one URL.

Figure 1. URL spam message ratio

The most used top-level domain (TLD) during this period was .ru. Note that as spam containing .ru dropped, spam containing .com and .pw rose in its place (Figure 2). URL spam with the .ru, .com, or .pw TLDs accounts for 73% of the total.

Figure 2. Ratio of the top 3 TLDs (last seven days)

Table 1. Share of total URL spam accounted for by the top 5 TLDs

Use of the .ru TLD combined with shortened URLs and free Web domains is also increasing. Most of the spam samples observed are hit-and-run spam (also known as "snowshoe spam"). Clicking the URL in the spam message redirects to fake advertisements or online pharmacy sites.

Examples of Subject lines seen in spam emails are listed below.

  • Subject: Ends Today! Buy One, Get One Free
  • Subject: 48 Hours Only | Free Shipping!
  • Subject: FREE LIFETIME PASS - WHENEVER YOU WANT
  • Subject: Are you dreaming about good health?
  • Subject: Satisfy your girl fully
  • Subject: Win your lady's addiction
  • Subject: Present your women real care
  • Subject: You need Ukrainian woman with beautiful eyes that are ready to talk to private theme?

Figure 3. URL spam message

A sudden rise in URL spam was seen in December 2012 and January this year, just when holiday season spam and year-end spam were on the rise. Symantec will continue to monitor the increase in spam containing URLs and will keep adding filters to block these attacks and protect customers.

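Is Downloader.Liftoh a Relative of W32.Phopifas?

Downloader.Liftoh, detected by Symantec, is a Trojan horse that downloads malware onto the compromised computer without the user noticing.

A new variant of this threat was discovered in early May and detected in Spanish-speaking countries in Latin America. This variant of Downloader.Liftoh sends messages in Spanish rather than English, but it is similar to W32.Phopifas, which this blog covered in October 2012.

The creators of Downloader.Liftoh use Skype, which is also popular in Latin America, and other instant messaging applications to spread the malware.

  1. The victim receives a message from a user who appears to be on their contact list. The messages are all similar, such as "esta es una foto muy amable de tu parte" (this is a lovely photo of you) or "jaja, esta foto extraña de tu perfil" (funny, look, it's your photo), and try to entice the victim to click on the URL provided. The URL is shortened using a URL shortener service such as goo.gl, url9.de, fur.ly, bit.ly, or is.gd.

    Figure 1. Malicious Skype message

  2. When the shortened URL is clicked, the victim is redirected to a URL on the 4shared.com site.

  3. On the 4shared.com site, the victim is prompted to download a .zip file, which contains Downloader.Liftoh disguised as a legitimate instant messaging file.

  4. When this file is unzipped, there is an .exe file inside.

  5. When this .exe file is executed, Downloader.Liftoh succeeds in compromising the computer.

This attack has been confirmed to have received 171,553 clicks through Google's URL shortening service, which the cybercriminals use in the attack.

Figure 2. Downloader.Liftoh has received 171,553 clicks worldwide since May 20

Figure 3. Distribution of Downloader.Liftoh clicks in Latin America

Malware distribution has no geographic borders. All attackers need to do is rewrite the malware code for each language and look for new computers to compromise. To protect personal computers and networks from compromise, we recommend deploying a comprehensive security solution with antispam and antivirus capabilities and keeping it up to date. Also, do not click on suspicious links or open suspicious files, even when they come from someone you know.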

How to export multiple Enterprise Vault mailbox archives at once


 

When you use Enterprise Vault to export mailbox archives back to the original location or out to a PST file, Enterprise Vault processes the requests sequentially. This means that if you have a list of 10 or 20 or 100 mailbox archives that you want to export, it can take some time to process them all. Below I'll describe an option to export them in parallel. It should be noted, however, that doing this may not mean that they are exported any faster, as there are other limits which will come into play, such as storage speed and so on.

As mentioned above, the export process goes through each requested mailbox sequentially:


And that can take some time... especially if one or more of the mailbox archives is very large. The smaller exports then get stuck behind the big one.

What you can do though is when the first export starts running, you can click on the Vault Admin Console, right click the Archives node, and export again. You walk through the same wizard, select some other archives, and the wizard will proceed. You'll end up with this sort of effect:


I've heard of people running 5 or more exports in this manner, and if your Enterprise Vault server has the horsepower to do that then maybe you'll get the exports out of the system a little faster... for a few extra clicks.  Personally I usually 'fire and forget' and leave the Enterprise Vault server churning through a single long list.  How do you do your exports? Let me know in the comments below...

The Value of Creating a LinkedIn Group


I’ve written before about the importance of building a LinkedIn presence for your business. And that is because LinkedIn is primarily a professional network, where there are opportunities to build relationships and sales leads unavailable on other networks like Facebook or Twitter.

One way that you can help to build a community of peers and prospects for your company on LinkedIn is by creating and managing a group. If you aren’t familiar with them, LinkedIn Groups are a feature of LinkedIn related to users’ professions, industries or a shared interest. Within a group, members can start and participate in discussions.

How to start your LinkedIn group
Your company can start or sponsor a group, which can allow you to build long-lasting relationships with your customers and partners and demonstrate knowledge in areas that are important to them. By building a community around your firm or shared interest, you can also establish an exclusive and direct contact with group members. If there are important announcements from your firm or useful information that you want to share with your most loyal customers and partners, you can share that information first on your group and collect direct feedback.

Starting a group is easy, and LinkedIn has many resources to help you create, manage and grow your LinkedIn group. You can also register for a monthly webinar from LinkedIn to learn more about effective strategies for running your group.

Tips for managing and building your LinkedIn group
In order to nurture engaging conversations among group members, try to post new discussions to the group regularly—perhaps once or more per week. Also think about posing the discussion topic in a way that will solicit responses from group members. You can do this by asking a question or encouraging members to share their own experiences.

Other best practices include:

  • Completely fill out your group’s profile and include a recognizable image or badge for that group that members can be proud to display on their profile.
  • Establish “rules of the road” for the group, including determining the type of conversations the group should be used for. For instance you may not want to allow group members to directly advertise their services.
  • Once your group is ready, invite members of your network who you think would be interested in the group’s focus to join, and ask them to invite their colleagues and peers.

Here at Symantec, we have a LinkedIn group for our partners where we discuss promotions, upcoming webcasts and company and industry news. If you haven’t already, please join us on the Symantec Partners group! And don’t hesitate to share any advice or best practices you’ve found in using social media to connect with your peers and customers.

 

Find the complete Symantec Partner social media series.

Employee Productivity Increases With Help From Symantec Partner Syntax and Symantec PartnerAssist Program


As a Symantec Master Specialist, Syntax Information Technology in Athens, Greece, has seen its business benefit. Coupled with Symantec’s best-in-class services and top-of-the-line reputation, Syntax Information Technology is a leader specializing in everything from IT compliance to archiving.  Yet, even the best need a little assistance, which is why Syntax leverages the Symantec PartnerAssist program. PartnerAssist provides remote consultative assistance from senior experts inside Symantec to partners like Syntax, who are designing or deploying a Symantec solution. Syntax reached out to PartnerAssist to solve an issue a customer had with email archiving and PST files. After reaching out to PartnerAssist through Syntax, the customer expects to reclaim 65,000 hours a year of productivity. To learn more about Symantec’s PartnerAssist program and how it is helping Syntax Information Technology address customer needs, check out this partner case study: http://bit.ly/Y2Drus


Surviving the First Year: It’s Risky Business Being a Startup


Posted on behalf of Brian Burch

There were 388 million entrepreneurs globally starting or running a new business last year.[i] These startups play a huge role in our economy and are leading the recovery in job creation – 85 percent of all new jobs in the European Union between 2002 and 2010 were created by small businesses,[ii] while 70 percent of new jobs in the U.S. come from startups and young businesses.[iii] But being a startup is no walk in the park. It takes more than a brilliant idea, a solid team to work on it and an endless supply of single-serve coffee for a startup to survive and thrive.

Your business is at its most vulnerable when it’s just starting out – finances are often on a knife-edge, you worry about who to trust with your business plan and who to hire. But risks go beyond poor cash flow and personnel – in today’s digital economy, information is money, and cybercriminals are stealing whatever information they can from businesses large and small, young and old. Startups are not escaping their attention. In fact, the largest growth area for targeted attacks last year was businesses with fewer than 250 employees; 31 percent of all attacks targeted them in 2012, a threefold increase from 2011.[iv]

What makes startups so attractive to attackers?

First, you’re seen as easier targets. As soon as a new business is formed, creating an online presence is of immediate importance – you depend on having a website up as quickly as possible to start driving traffic and conducting transactions. Many new websites are designed without considering security in detail, so they are particularly vulnerable to attackers, and for a startup business the effects can be devastating. Even if no financial information or sensitive data is lost as a result, an attack can put a website down for weeks on end – or worse, infect your customers’ computers.

And it’s not just your own assets that cybercriminals are after; smaller businesses can also be a gateway to larger enterprises that depend on small businesses for the goods and services that keep their businesses running. The top 500 global businesses have an average of 60 alliances each.[v] We’re seeing an alarming trend where the small business increasingly is not the final target of an attack – it’s just a stepping stone. The bad guys are sneaking in the back door, through their small business partners, to infiltrate bigger corporate targets.

The First Year

You may think that being new to the market means you have some time before attackers will notice you, but you’d be wrong. Cybercriminals are quick to capitalize on new businesses. Once the Web domain is set up and the first emails or IMs are sent or received, attacks begin on user accounts almost immediately. These attacks can take many forms. Some of them you are already familiar with, such as spam emails that contain malicious links. Web-based malware also abounds, hijacking machines that visit infected websites. In 2012, the number of Web-based attacks increased by 30 percent.[vi]

Within two months a typical user account will receive dozens of spam emails, among which are a few malicious messages. By the time the business is five months old this increases to hundreds of spam messages containing dozens of malicious links or attachments. Some businesses experience severe ‘spikes’ because their domains have shown up prominently on cybercriminals’ radar; this can be due to an employee simply using their work email account to register for a forum or blog used by hackers to harvest email addresses. Within 10 months malicious messages expand to other accounts throughout the company, each of which only needs to click on one innocent-looking message to potentially compromise your information.


Figure 1. Spam and malware per user in first 18 months (source: Symantec, Is IT Security the Achilles’ heel of your Small Business?)

In addition to these broad, general threats there are more sophisticated targeted attacks, whereby criminals identify specific individuals within an organization and tailor their tactics accordingly, often through a well-researched spear phishing campaign. These attacks are successful because they are highly believable. The targeted individual thinks they are participating in a completely legitimate business email conversation, but it was carefully engineered to dupe the user into clicking a link or opening an attachment which contains the payload.

What can you do to protect your big idea?

A new business that is not properly protecting itself against attacks is taking more risk than necessary, because it takes just one successful attack early on to tarnish your reputation before your business is even properly off the ground. Startups must plan for complete information protection out of the gate. Consider these five tips to start right:

  1. Know what you need to protect. The first step is not to think of yourself as small, at least not when it comes to your technology needs. Startups should carefully consider their market segment. A pizza shop may have relatively little in the way of IT resources, beyond a couple of registers and the need to protect customer payment information. On the other hand, even a small financial services company is in an industry with strict encryption requirements, which require it to know and demonstrate where data is being stored. Its needs might be more closely aligned with those of a large enterprise. Startups should hold candid conversations about their needs with technology providers, to ensure that they receive the level of security appropriate for their business.
  2. Secure your online activity. One of the best ways to safeguard your new business and your customers is by protecting your website with strong authentication and Secure Sockets Layer (SSL) certificates. The Internet is full of malicious websites that look legitimate, but aren’t. These sites steal information when would-be customers try to make payments. Having an SSL certificate authenticates the identity of your new business and is a visible indicator that you consider security important, instilling confidence in your website’s visitors. The SSL certificate also enables encryption, which means that the sensitive information exchanged via the website cannot be intercepted and read by anyone other than the intended recipient.
  3. Use anti-malware software. While securing the Web domain is typically higher on the list of things to do, securing email and endpoints is too often a secondary consideration, making startups vulnerable to a variety of other threats. And, anti-virus alone is not enough. Today's security solutions do more than just prevent viruses and spam; they scan files regularly for unusual changes in file size, programs that match known malware, suspicious e-mail attachments and other warning signs. It's the most important step to protect your information. And, stay up to date. A security solution is only as good as the frequency with which it is updated. New viruses, worms, Trojan horses and other malware are created daily, and variations of them can slip by software that is not current.
  4. Harness the cloud. Moving security to the cloud is more than just a cheaper way to tackle a necessary expense. With cloud-hosted security, startups can quickly and effortlessly protect their businesses; these solutions are easy to install and easier to manage. Most security issues occur because systems haven’t been patched and aren’t properly configured. By using cloud-hosted security, everything happens seamlessly over the Web and updates take place automatically, so you know you’re always protected against the latest viruses or malware. The cloud is also ideal for backup, protecting against damage or loss of data that is stored on-premise. It also typically requires less capital outlay than purchasing an on-premise solution, and reduces the ongoing costs of in-house management. Cloud-hosted security and backup provide the same level of protection whether you’re a large enterprise or small business, so without major investment your startup can be as well protected as multinational corporations.
  5. Find a trusted partner. Cash-strapped startups typically don’t have IT staff to help them with protecting their information. Take advantage of the growing number of managed service providers (MSPs) who are sprouting up to deliver backup and security services. These MSPs are utilizing the same cloud technology to deliver a better, lower-cost solution, with minimal need for employee management. “Set it and forget it” should be the goal, particularly since you likely will not have a permanent IT presence. You should also look for a provider that can supply a full range of technologies, including anti-malware, Web security, backup, encryption and data loss prevention.

So what’s the bottom line? While you’re burning the midnight oil to make your brilliant idea a reality, cybercriminals are working night and day on new attack vectors. And, when you consider that four in five small businesses experience an IT security incident in their first year[vii], it’s clear that startups need to view cyber security as a critical investment that is part of the entire business set-up process – as vital a step as getting your business license and buying computers. Today’s startups can benefit greatly from comprehensive solutions that effectively block threats across email, Web and IM to keep you and your information safe. Otherwise, you’ll be unnecessarily exposed to danger from the day your domain goes live.

 

$9 Million for Email 'Failures'


I stumbled across this article the other day: LPL Fined $9 Million for Email 'Failures', here http://online.wsj.com/article/SB10001424127887323648304578497054039151168.html and also http://www.businessweek.com/ap/2013-05-21/lpl-to-pay-9-million-to-settle-email-archive-case

Some excerpts from the WSJ article:

Recently LPL Financial Holdings Inc. agreed to pay at least $9 million to end allegations by regulators that the brokerage firm was plagued by "systemic email failures" but did too little to fix them.

and this one:

The breakdowns included failing to review more than 28 million emails sent or received by thousands of brokers. That meant LPL didn't keep sufficient track of what brokers told clients by email.

Then there is this:

In addition, LPL didn't "review or archive" about 3.5 million messages sent using Bloomberg terminals in a seven-year period, Finra said. And when LPL "switched to a cheaper email archive provider" in 2009, snafus with the new system caused the brokerage firm to lose access to 280 million emails for five months, Finra said.

It looks like they were trying to meet their obligation but may have chosen wrongly. Thanks to the email museum I found this: http://email-museum.com/2009/07/30/ca-message-manager-chosen-by-lpl-financial-for-superior-email-supervision-recognizing-1m-savings-a-year-446/ and then also the complete press release on Bloomberg, http://www.bloomberg.com/apps/news?pid=newsarchive&sid=aXoZcJrXMMzw.

The purpose of this post isn't to disparage anyone but rather to point out how critical it is to choose correctly when deciding on technology to be able to comply with governing regulations. In this open letter the EV Team reached out to all CA Customers, https://www-secure.symantec.com/connect/blogs/open... to underline the benefits of Enterprise Vault and what it has to offer.

If you don't have systems in place to manage and monitor your email systems, or even if you do but they aren't doing the job, please feel free to contact me for more information about Enterprise Vault and our migration services.

Retrieving an Item using the Enterprise Vault Outlook Add-in


 

Retrieving an item in Enterprise Vault's Outlook Add-in is of course one of the most common activities that take place day-in and day-out in an archived email environment. It is interesting to know what it actually involves, so let's take a look at the process undertaken with the Enterprise Vault 10.0.3 Outlook Add-in.
 
When logging is set to the default level of 'Information' then nothing is logged in the Outlook Add-in client log file.  On the Enterprise Vault server, the IIS logs will show the retrieval was performed (and of course DTRACE can prove it too):
 
 
2013-04-05 23:59:59 192.168.145.167 GET /EnterpriseVault/download.asp VaultID=18A5257C941B9A84F8A6CA597937F3B611110000evsql.ev.local&SaveSetID=201304287177491~201304081913380000~Z~D006154F7F2EA1F13C9DC57A4D6D4C81&FormatType=Unicode&Client=EV10.0.3.1090-Outlook14&Format=MUD&AttachmentID=0 80 EV\rob1 192.168.145.18 EnterpriseVaultOutlookExt-V10.0.3.1090 200 0 0 164
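
An added example (not from the original post or from the product vendor) of using these IIS entries as an audit trail: it parses download.asp requests into user, client IP and SaveSetID, and flags accounts that retrieve many distinct archived items in a short window. The field order is assumed to be the IIS default W3C set, which the sample line matches; the `CONSTRUCTED-*` entries, the account `EV\alice`, and the 5-minute / 3-item thresholds are made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Assumption: IIS default W3C field order, which the article's sample line matches.
# A "#Fields:" header in the log, when present, overrides it.
DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
                  "cs-username c-ip cs(User-Agent) sc-status sc-substatus "
                  "sc-win32-status time-taken").split()

# First entry is the line quoted in the article; all others are constructed.
SAMPLE_LOG = r"""
2013-04-05 23:59:59 192.168.145.167 GET /EnterpriseVault/download.asp VaultID=18A5257C941B9A84F8A6CA597937F3B611110000evsql.ev.local&SaveSetID=201304287177491~201304081913380000~Z~D006154F7F2EA1F13C9DC57A4D6D4C81&FormatType=Unicode&Client=EV10.0.3.1090-Outlook14&Format=MUD&AttachmentID=0 80 EV\rob1 192.168.145.18 EnterpriseVaultOutlookExt-V10.0.3.1090 200 0 0 164
2013-04-06 09:00:01 192.168.145.167 GET /EnterpriseVault/clienttest.gif - 80 EV\alice 192.168.145.20 EnterpriseVaultOutlookExt-V10.0.3.1090 200 0 0 15
2013-04-06 09:00:02 192.168.145.167 GET /EnterpriseVault/download.asp VaultID=CONSTRUCTED-VAULT&SaveSetID=CONSTRUCTED-0001&AttachmentID=0 80 EV\alice 192.168.145.20 EnterpriseVaultOutlookExt-V10.0.3.1090 200 0 0 120
2013-04-06 09:00:40 192.168.145.167 GET /EnterpriseVault/download.asp VaultID=CONSTRUCTED-VAULT&SaveSetID=CONSTRUCTED-0002&AttachmentID=0 80 EV\alice 192.168.145.20 EnterpriseVaultOutlookExt-V10.0.3.1090 200 0 0 110
2013-04-06 09:01:10 192.168.145.167 GET /EnterpriseVault/download.asp VaultID=CONSTRUCTED-VAULT&SaveSetID=CONSTRUCTED-0003&AttachmentID=0 80 EV\alice 192.168.145.20 EnterpriseVaultOutlookExt-V10.0.3.1090 200 0 0 130
2013-04-06 09:01:50 192.168.145.167 GET /EnterpriseVault/download.asp VaultID=CONSTRUCTED-VAULT&SaveSetID=CONSTRUCTED-0004&AttachmentID=0 80 EV\alice 192.168.145.20 EnterpriseVaultOutlookExt-V10.0.3.1090 200 0 0 125
2013-04-06 09:02:00 192.168.145.167 GET /EnterpriseVault/download.asp VaultID=CONSTRUCTED-VAULT&SaveSetID=CONSTRUCTED-0005&AttachmentID=0 80 - 192.168.145.20 EnterpriseVaultOutlookExt-V10.0.3.1090 401 2 5 10
"""


def parse_retrievals(log_text):
    """Return one record per successful (HTTP 200) download.asp request."""
    fields = DEFAULT_FIELDS
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # honour the log's own field list
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue                       # damaged line or other layout: skip, do not guess
        rec = dict(zip(fields, parts))
        if not rec.get("cs-uri-stem", "").lower().endswith("/download.asp"):
            continue
        if rec.get("sc-status") != "200":
            continue                       # failed or unauthenticated attempts are not retrievals
        query = parse_qs(rec.get("cs-uri-query", ""))
        if "SaveSetID" not in query:
            continue
        records.append({
            "when": datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%Y-%m-%d %H:%M:%S"),
            "user": rec.get("cs-username", "-").lower(),
            "client_ip": rec.get("c-ip", "-"),
            "vault_id": query.get("VaultID", [""])[0],
            "saveset_id": query["SaveSetID"][0],
            "client": query.get("Client", [""])[0],
        })
    return records


def bulk_retrievers(records, window=timedelta(minutes=5), threshold=3):
    """Map each user to the largest number of distinct items retrieved inside
    any sliding window, keeping only users that reach the threshold."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append((r["when"], r["saveset_id"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({ssid for _, ssid in events[start:end + 1]}))
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    recs = parse_retrievals(SAMPLE_LOG)
    for r in recs:
        print(r["when"], r["user"], r["client_ip"], r["saveset_id"])
    print("bulk retrieval:", bulk_retrievers(recs))
```
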
 
With minimum tracing enabled, the Enterprise Vault Outlook Add-in shows some information in the client trace:
 
28/04/2013 19:37:02.159[3976][M]: Acquiring lock: 0x6EAB7ADC

28/04/2013 19:37:02.159[3976][M]: Acquired lock: 0x6EAB7ADC

28/04/2013 19:37:02.159[3976][M]: Released lock: 0x6EAB7ADC

28/04/2013 19:37:02.275[3976][M]: Have unadvised on ItemEvents_10

28/04/2013 19:37:02.783[3976][M]: Have unadvised on ItemEvents_10

28/04/2013 19:37:02.900[3976][M]: Connections now on Desktop object: 3

28/04/2013 19:37:02.900[3976][M]:     Desktop Setting: ForwardOriginalItem

28/04/2013 19:37:02.901[3976][M]:     No Value

28/04/2013 19:37:02.901[3976][M]:     Desktop Setting: ReplyToOriginalItem

28/04/2013 19:37:02.901[3976][M]:     No Value

28/04/2013 19:37:02.902[3976][M]: Connections left on Desktop object: 2

28/04/2013 19:37:02.902[3976][M]:     Desktop Setting: DefaultDoubleClickView

28/04/2013 19:37:02.902[3976][M]:     Value: 0

28/04/2013 19:37:02.902[3976][M]:     Desktop Setting: WebAppURL[evsql.ev.local]

28/04/2013 19:37:02.903[3976][M]:     No Value

28/04/2013 19:37:02.903[3976][M]:     Desktop Setting: DefaultDoubleClickView

28/04/2013 19:37:02.903[3976][M]:     Value: 0

28/04/2013 19:37:02.903[3976][M]: Downloading from: http://evsql.ev.local/EnterpriseVault/download.asp...

28/04/2013 19:37:02.903[3976][M]: ::CInternetReconnect - refCount : 1

28/04/2013 19:37:02.904[3976][M]: CThreadManager::Add thread THID=372

28/04/2013 19:37:02.913[3976][M]: Acquiring lock: 0x6EAB7ADC

28/04/2013 19:37:02.913[3976][M]: Acquired lock: 0x6EAB7ADC

28/04/2013 19:37:02.914[3976][M]: Released lock: 0x6EAB7ADC

28/04/2013 19:37:02.918[ 372][M]: Downloading: http://evsql.ev.local/EnterpriseVault/download.asp...

28/04/2013 19:37:02.919[ 372][M]: CThreadManager::Add thread THID=3308

28/04/2013 19:37:02.919[ 372][M]:     Desktop Setting: RESTRICTPOLICYLOOKUP

28/04/2013 19:37:02.920[ 372][M]:     No Value

28/04/2013 19:37:02.920[ 372][M]:     Desktop Setting: DOWNLOADSHORTCUTHIDEPROGRESS

28/04/2013 19:37:02.920[ 372][M]:     No Value

28/04/2013 19:37:02.920[ 372][M]:  DOWNLOADSHORTCUTHIDEPROGRESS = 1 [default]

28/04/2013 19:37:02.920[ 372][M]: Download progress dialog delay set to 1 seconds.

28/04/2013 19:37:02.924[3308][M]:     Desktop Setting: RESTRICTPOLICYLOOKUP

28/04/2013 19:37:02.924[3308][M]:     No Value

28/04/2013 19:37:02.924[3308][M]:     Desktop Setting: INTERNETOPENTYPEDIRECT

28/04/2013 19:37:02.924[3308][M]:     No Value

28/04/2013 19:37:02.924[3308][M]:  INTERNETOPENTYPEDIRECT = 0 [default]

28/04/2013 19:37:02.924[3308][M]: Acquiring lock: 0x6EAB7ADC

28/04/2013 19:37:02.924[3308][M]: Acquired lock: 0x6EAB7ADC

28/04/2013 19:37:02.925[3308][M]: Released lock: 0x6EAB7ADC

28/04/2013 19:37:02.940[3308][M]: sHeader = [Accept-Language:en]

28/04/2013 19:37:03.017[3308][M]: CDownloadBytesImpl::FetchSavesetContent: Reading 44032 bytes

28/04/2013 19:37:03.033[ 372][M]: Waiting for DownloadBytes thread, THID=3308 to exit

28/04/2013 19:37:03.034[3308][M]: CThreadManager::Remove thread THID=3308

28/04/2013 19:37:03.034[3976][M]:     Desktop Setting: RESTRICTPOLICYLOOKUP

28/04/2013 19:37:03.034[3976][M]:     No Value

28/04/2013 19:37:03.034[3976][M]:     Desktop Setting: DisplayItemsUsingOOM

28/04/2013 19:37:03.035[3976][M]:     No Value

28/04/2013 19:37:03.035[3976][M]:  DisplayItemsUsingOOM = 1 [default]

28/04/2013 19:37:03.037[3976][M]: CShortcutItem::Callback...Display downloaded item

28/04/2013 19:37:03.037[3976][M]:     Desktop Setting: RESTRICTPOLICYLOOKUP

28/04/2013 19:37:03.037[3976][M]:     No Value

28/04/2013 19:37:03.037[3976][M]:     Desktop Setting: DisplayItemsUsingOOM

28/04/2013 19:37:03.037[3976][M]:     No Value

28/04/2013 19:37:03.037[3976][M]:  DisplayItemsUsingOOM = 1 [default]

28/04/2013 19:37:03.040[3976][M]: CDisplayItem::ReadItemClass: ItemClass [43]

28/04/2013 19:37:03.118[ 372][M]: Deleting CComCallback thread THID=372

28/04/2013 19:37:03.118[ 372][M]: ::CInternetReconnect - refCount : 1

28/04/2013 19:37:03.118[ 372][M]: CComCallback: calling CoUninitialize, thread THID=372

28/04/2013 19:37:03.145[ 372][M]: CComCallback: CoUninitialize completed, thread THID=372

28/04/2013 19:37:03.145[ 372][M]: CThreadManager::Remove thread THID=372

28/04/2013 19:37:05.052[3976][M]: Have unadvised on ItemEvents_10

28/04/2013 19:37:05.052[3976][M]: Have unadvised on InspectorEvents_10

28/04/2013 19:37:05.060[3976][M]: Acquiring lock: 0x6EAB7ADC

28/04/2013 19:37:05.060[3976][M]: Acquired lock: 0x6EAB7ADC

28/04/2013 19:37:05.060[3976][M]: Released lock: 0x6EAB7ADC

28/04/2013 19:37:05.060[3976][M]: Have unadvised on ItemEvents_10
 
In this part of the trace you can actually see that there are a couple of different threads involved. Interestingly, a specific thread is started up in order to do the download, and once it has finished it cleans itself up. Here it is starting the download:
 
28/04/2013 19:37:02.918[ 372][M]: Downloading: http://evsql.ev.local/EnterpriseVault/download.asp?VaultID=18A5257C941B9A84F8A6CA597937F3B611110000evsql.ev.local&SaveSetID=201304287177491~201304081913380000~Z~D006154F7F2EA1F13C9DC57A4D6D4C81&FormatType=Unicode&Client=EV10.0.3.1090-Outlook14&Format=MUD&AttachmentID=0
 
And here it is cleaning itself up:
 
28/04/2013 19:37:03.118[ 372][M]: Deleting CComCallback thread THID=372

28/04/2013 19:37:03.118[ 372][M]: ::CInternetReconnect - refCount : 1

28/04/2013 19:37:03.118[ 372][M]: CComCallback: calling CoUninitialize, thread THID=372

28/04/2013 19:37:03.145[ 372][M]: CComCallback: CoUninitialize completed, thread THID=372

28/04/2013 19:37:03.145[ 372][M]: CThreadManager::Remove thread THID=372
 
When full client logging is enabled, then there is of course quite a bit more logged.  I'll not show that here, as it can be a lot of lines of trace.  
 
The retrievals shown so far are straightforward retrievals directly from the Enterprise Vault server. Of course one of the things that many people deploy is Virtual Vault and Vault Cache. So in this next 'minimum logging level' trace we see the difference:
 
28/04/2013 19:51:29.214[4004][M]: Acquiring lock: 0x5F162A20

28/04/2013 19:51:29.215[4004][M]: Acquired lock: 0x5F162A20

28/04/2013 19:51:29.215[4004][M]: Acquiring lock: 0x5F162A20

28/04/2013 19:51:29.215[4004][M]: Acquired lock: 0x5F162A20

28/04/2013 19:51:29.215[4004][M]: Released lock: 0x5F162A20

28/04/2013 19:51:29.215[4004][M]: Released lock: 0x5F162A20

28/04/2013 19:51:29.216[4004][M]: Calling CC to OpenItem

28/04/2013 19:51:29.216[4004][M]: Acquiring lock: 0x02826098

28/04/2013 19:51:29.216[4004][M]: Acquired lock: 0x02826098

28/04/2013 19:51:29.217[4004][M]: CONTENT:STORE: Computing hash using hash algorithm - SHA256

28/04/2013 19:51:29.217[4004][M]: Key: buffeting breather's remorseless skates moat~Vault Admin~2013-04-08T19:13:38~IPM.Note~1

28/04/2013 19:51:29.217[4004][M]: Hash Algorithm: SHA256

28/04/2013 19:51:29.217[4004][M]: Hash Value: 8e3556e965151aad3ba6af242aaf15e4e2fb4f51d058e3d6689bef94421b5607

28/04/2013 19:51:29.218[4004][M]: CONTENT:STORE: Main StoreIdMap will be checked first, then cached StoreIdMap

28/04/2013 19:51:29.218[4004][M]: CONTENT:STORE: Searching using SSID

28/04/2013 19:51:29.218[4004][M]: CONTENT:STORE: Using main StoreIdMap

28/04/2013 19:51:29.218[4004][M]: CONTENT:STORE:     Query store map: /ITEMS/ITEM[@SSID='201304287177491~201304081913380000~Z~D006154F7F2EA1F13C9DC57A4D6D4C81']

28/04/2013 19:51:29.218[4004][M]: CONTENT:STORE: Checking for existance of DBID '1'

28/04/2013 19:51:29.219[4004][M]: CONTENT:STORE:     Result: ENTRYID = 000000008D130CEF589AC14EBCDACB0BD504A94724002000 DBID = 1

28/04/2013 19:51:29.219[4004][M]: Released lock: 0x02826098

28/04/2013 19:51:29.222[3056][M]: Acquiring lock: 0x5F162A20

28/04/2013 19:51:29.222[3056][M]: Acquired lock: 0x5F162A20

28/04/2013 19:51:29.222[3056][M]: Released lock: 0x5F162A20

28/04/2013 19:51:29.222[3976][M]:     Desktop Setting: RESTRICTPOLICYLOOKUP

28/04/2013 19:51:29.222[3976][M]:     No Value

28/04/2013 19:51:29.222[3976][M]:     Desktop Setting: DisplayItemsUsingOOM

28/04/2013 19:51:29.222[3976][M]:     No Value

28/04/2013 19:51:29.223[3976][M]:  DisplayItemsUsingOOM = 1 [default]

28/04/2013 19:51:29.224[3976][M]: CDisplayItem::ReadItemClass: ItemClass [43]

28/04/2013 19:51:30.357[3976][M]: Have unadvised on ItemEvents_10

28/04/2013 19:51:30.357[3976][M]: Have unadvised on InspectorEvents_10

28/04/2013 19:51:30.366[3976][M]: Acquiring lock: 0x6EAB7ADC

28/04/2013 19:51:30.366[3976][M]: Acquired lock: 0x6EAB7ADC

28/04/2013 19:51:30.366[3976][M]: Released lock: 0x6EAB7ADC

28/04/2013 19:51:30.367[3976][M]: Have unadvised on ItemEvents_10
 
As you would expect, what happens is that the Outlook Add-in tries to locate the item in Vault Cache first of all. If it is found, then opening the item from Vault Cache saves the round trip to the server in order to fetch the item and display it. That's exactly what happens here. The item is in Vault Cache and so it is displayed from there.
 
The next question is: what happens if Vault Cache is enabled, but the item I want to view isn't in Vault Cache? Well, a similar process is followed in that the Outlook Add-in will check to see if the item does exist in Vault Cache or not. This time the item doesn't, so the Outlook Add-in downloads it from the Enterprise Vault server, as it does when there is no Vault Cache configured.
 
28/04/2013 20:06:54.878[2320][M]: Acquiring lock: 0x024EBA58

28/04/2013 20:06:54.878[2320][M]: Acquired lock: 0x024EBA58

28/04/2013 20:06:54.879[2320][M]: CONTENT:STORE: Computing hash using hash algorithm - SHA256

28/04/2013 20:06:54.879[2320][M]: Key: Continental drift~rob1~2013-04-28T20:06:03~IPM.Note~1

28/04/2013 20:06:54.879[2320][M]: Hash Algorithm: SHA256

28/04/2013 20:06:54.879[2320][M]: Hash Value: 2deb32e1f01f6db997ffe7c0ba9a20be05c9f12a7ce18481914a25264b321c48

28/04/2013 20:06:54.879[2320][M]: CONTENT:STORE: Main StoreIdMap will be checked first, then cached StoreIdMap

28/04/2013 20:06:54.880[2320][M]: CONTENT:STORE: Searching using SSID

28/04/2013 20:06:54.880[2320][M]: CONTENT:STORE: Using main StoreIdMap

28/04/2013 20:06:54.880[2320][M]: CONTENT:STORE:     Query store map: /ITEMS/ITEM[@SSID='201304287179590~201304282006030000~Z~D09214689B22127993BED9AED07B47C1']

28/04/2013 20:06:54.881[2320][M]: CONTENT:STORE: Using cached StoreIdMap

28/04/2013 20:06:54.882[2320][M]: CONTENT:STORE:     Query store map: /ITEMS/ITEM[@SHA2='2deb32e1f01f6db997ffe7c0ba9a20be05c9f12a7ce18481914a25264b321c48']

28/04/2013 20:06:54.882[2320][M]: CONTENT:STORE:     Result: ENTRYID = (null) DBID = 0

28/04/2013 20:06:54.882[2320][M]: Released lock: 0x024EBA58

28/04/2013 20:06:54.882[2320][H]: A COM error occurred: 0x80040205

28/04/2013 20:06:54.883[3552][M]: Acquiring lock: 0x5F362A20

28/04/2013 20:06:54.883[3552][M]: Acquired lock: 0x5F362A20

28/04/2013 20:06:54.883[3552][M]: Released lock: 0x5F362A20

28/04/2013 20:06:54.883[1948][M]:  OVReset = 0 [default]

28/04/2013 20:06:54.883[1948][M]:     Desktop Setting: OVEnabled

28/04/2013 20:06:54.883[1948][M]:     Value: 2

28/04/2013 20:06:54.884[1948][M]:     Desktop Setting: RESTRICTPOLICYLOOKUP

28/04/2013 20:06:54.884[1948][M]:     No Value

28/04/2013 20:06:54.884[1948][M]:     Desktop Setting: RPCOVERHTTPRESTRICTIONS

28/04/2013 20:06:54.884[1948][M]:     No Value

28/04/2013 20:06:54.884[1948][M]:  RPCOVERHTTPRESTRICTIONS = 255 [default]

28/04/2013 20:06:54.884[1948][M]:     Desktop Setting: DefaultWebAppURL

28/04/2013 20:06:54.884[1948][M]:     Value: http://evsql.ev.local/EnterpriseVault

28/04/2013 20:06:54.884[1948][M]: HaveConnection::ExecuteTest (6283267) - Starting connection

28/04/2013 20:06:54.885[1948][M]:     Desktop Setting: RESTRICTPOLICYLOOKUP

28/04/2013 20:06:54.885[1948][M]:     No Value

28/04/2013 20:06:54.885[1948][M]:     Desktop Setting: INTERNETOPENTYPEDIRECT

28/04/2013 20:06:54.885[1948][M]:     No Value

28/04/2013 20:06:54.885[1948][M]:  INTERNETOPENTYPEDIRECT = 0 [default]

28/04/2013 20:06:54.885[1948][M]: HaveConnection::CallBack (6283267) - Callback status is '60'

28/04/2013 20:06:54.886[1948][M]: HaveConnection::CallBack (6283267) - Callback status is '60'

28/04/2013 20:06:54.887[2848][M]: HaveConnection::CallBack (6283267) - Callback status is '30'

28/04/2013 20:06:54.887[2848][M]: HaveConnection::CallBack (6283267) - Callback status is '31'

28/04/2013 20:06:54.887[2848][M]: HaveConnection::CallBack (6283267) - Callback status is '40'

28/04/2013 20:06:54.888[2848][M]: HaveConnection::CallBack (6283267) - Callback status is '41'

28/04/2013 20:06:54.888[2848][M]: HaveConnection::CallBack (6283267) - Callback status is '100'

28/04/2013 20:06:54.889[2848][M]: HaveConnection::CallBack (6283267) - Request has completed

28/04/2013 20:06:54.889[2848][M]: HaveConnection::CallBack (6283267) - Callback status is '70'

28/04/2013 20:06:54.889[2848][M]: HaveConnection::CallBack (6283267) - Request handle closing

28/04/2013 20:06:54.889[1948][M]: HaveConnection::ExecuteTest - Connection test to: evsql.ev.local/EnterpriseVault/clienttest.gif succeeded

28/04/2013 20:06:54.889[1948][M]: HaveConnection::ExecuteTest (6283267) - Ending connection

28/04/2013 20:06:54.889[1948][M]: Successfully contacted the EV web server using: http://evsql.ev.local/EnterpriseVault

28/04/2013 20:06:54.890[1948][M]: ::CInternetReconnect - refCount : 1

28/04/2013 20:06:54.890[1948][M]: CThreadManager::Add thread THID=3196

28/04/2013 20:06:54.900[1948][M]: Acquiring lock: 0x6F0D7ADC

28/04/2013 20:06:54.900[1948][M]: Acquired lock: 0x6F0D7ADC

28/04/2013 20:06:54.900[1948][M]: Released lock: 0x6F0D7ADC

28/04/2013 20:06:54.909[3196][M]: Downloading: http://evsql.ev.local/EnterpriseVault/download.asp...

28/04/2013 20:06:54.910[3196][M]: CThreadManager::Add thread THID=716

28/04/2013 20:06:54.910[3196][M]:     Desktop Setting: RESTRICTPOLICYLOOKUP

28/04/2013 20:06:54.910[3196][M]:     No Value

28/04/2013 20:06:54.910[3196][M]:     Desktop Setting: DOWNLOADSHORTCUTHIDEPROGRESS

28/04/2013 20:06:54.911[3196][M]:     No Value

28/04/2013 20:06:54.911[3196][M]:  DOWNLOADSHORTCUTHIDEPROGRESS = 1 [default]

28/04/2013 20:06:54.911[3196][M]: Download progress dialog delay set to 1 seconds.

28/04/2013 20:06:54.959[ 716][M]:     Desktop Setting: RESTRICTPOLICYLOOKUP

28/04/2013 20:06:54.960[ 716][M]:     No Value

28/04/2013 20:06:54.960[ 716][M]:     Desktop Setting: INTERNETOPENTYPEDIRECT

28/04/2013 20:06:54.960[ 716][M]:     No Value

28/04/2013 20:06:54.960[ 716][M]:  INTERNETOPENTYPEDIRECT = 0 [default]

28/04/2013 20:06:54.960[ 716][M]: Acquiring lock: 0x6F0D7ADC

28/04/2013 20:06:54.960[ 716][M]: Acquired lock: 0x6F0D7ADC

28/04/2013 20:06:54.960[ 716][M]: Released lock: 0x6F0D7ADC

28/04/2013 20:06:54.975[ 716][M]: sHeader = [Accept-Language:en]

28/04/2013 20:06:55.072[1948][M]: Have unadvised on ItemEvents_10

28/04/2013 20:06:55.147[ 716][M]: CDownloadBytesImpl::FetchSavesetContent: Reading 25088 bytes

28/04/2013 20:06:55.163[3196][M]: Waiting for DownloadBytes thread, THID=716 to exit

28/04/2013 20:06:55.163[ 716][M]: CThreadManager::Remove thread THID=716

28/04/2013 20:06:55.164[1948][M]:     Desktop Setting: RESTRICTPOLICYLOOKUP

28/04/2013 20:06:55.164[1948][M]:     No Value

28/04/2013 20:06:55.164[1948][M]:     Desktop Setting: OVContentDownload

28/04/2013 20:06:55.164[1948][M]:     No Value

28/04/2013 20:06:55.164[1948][M]:  OVContentDownload = 1 [default]

28/04/2013 20:06:55.165[2388][M]: Acquiring lock: 0x5F362A20

28/04/2013 20:06:55.165[2388][M]: Acquired lock: 0x5F362A20

28/04/2013 20:06:55.165[2388][M]: Acquiring lock: 0x5F362A20

28/04/2013 20:06:55.165[2388][M]: Acquired lock: 0x5F362A20

28/04/2013 20:06:55.165[2388][M]: Released lock: 0x5F362A20

28/04/2013 20:06:55.165[2388][M]: Released lock: 0x5F362A20

28/04/2013 20:06:55.166[2388][M]: Calling CC to InsertBytes

28/04/2013 20:06:55.166[2388][M]: Acquiring lock: 0x024EBA58

28/04/2013 20:06:55.166[2388][M]: Acquired lock: 0x024EBA58

28/04/2013 20:06:55.167[2388][M]: Acquiring lock: 0x024EB6A4

28/04/2013 20:06:55.167[2388][M]: Acquired lock: 0x024EB6A4

28/04/2013 20:06:55.167[2388][M]:     Desktop Setting: WORKING_DIRECTORY

28/04/2013 20:06:55.167[2388][M]:     Value: C:\Users\rob1\AppData\Local\KVS\Enterprise Vault\4EEB7C7FA3D7C4479F2B03170A822A83\

28/04/2013 20:06:55.167[2388][M]: Released lock: 0x024EB6A4

28/04/2013 20:06:55.167[2388][M]: CONTENT:STORE: Inserting item into store: 1

28/04/2013 20:06:55.168[2388][M]: Token extracted : "C:"

28/04/2013 20:06:55.168[2388][M]: Token extracted : "Users"

28/04/2013 20:06:55.168[2388][M]: Token extracted : "rob1"

28/04/2013 20:06:55.168[2388][M]: Token extracted : "AppData"

28/04/2013 20:06:55.168[2388][M]: Token extracted : "Local"

28/04/2013 20:06:55.168[2388][M]: Token extracted : "KVS"

28/04/2013 20:06:55.168[2388][M]: Token extracted : "Enterprise Vault"

28/04/2013 20:06:55.168[2388][M]: Token extracted : "4EEB7C7FA3D7C4479F2B03170A822A83"

28/04/2013 20:06:55.169[2388][M]: Token extracted : "2013_04_06_0001.db"

28/04/2013 20:06:55.169[2388][M]: Successfully created the registry key HKCU\SOFTWARE\KVS\Enterprise Vault\Client\4EEB7C7FA3D7C4479F2B03170A822A83\WDS Index Data\ReIndex\2013_04_06_0001.db to process the WDS index.

28/04/2013 20:06:55.169[2388][M]: CONTENT:DB: WDSUtil::PersistWDSIndexingInfo returned '1'

28/04/2013 20:06:55.169[2388][M]: CONTENT:DB: GTF - Using Db file 'C:\Users\rob1\AppData\Local\KVS\Enterprise Vault\4EEB7C7FA3D7C4479F2B03170A822A83\2013_04_06_0001.db'

28/04/2013 20:06:55.169[2388][M]: CONTENT:DB: GTF - Date is year '2013-4-28'

28/04/2013 20:06:55.170[2388][M]: CONTENT:DB:  GTF - Already got root folder

28/04/2013 20:06:55.170[2388][M]: CONTENT:DB: GTF - Creating folder for year'2013'

28/04/2013 20:06:55.170[2388][M]: CONTENT:DB: GTF - Creating folder for month'04'

28/04/2013 20:06:55.170[2388][M]: CONTENT:DB: GTF - Creating folder for day'28'

28/04/2013 20:06:55.173[2388][M]: Acquiring lock: 0x024EB6A4

28/04/2013 20:06:55.173[2388][M]: Acquired lock: 0x024EB6A4

28/04/2013 20:06:55.173[2388][M]: Released lock: 0x024EB6A4

28/04/2013 20:06:55.173[2388][M]:     Desktop Setting: OFFLINE_STORE

28/04/2013 20:06:55.173[2388][M]:     Value: 1

28/04/2013 20:06:55.173[2388][M]: Key: Continental drift~rob1~2013-04-28T20:06:03~IPM.Note~1

28/04/2013 20:06:55.174[2388][M]: Hash Algorithm: SHA256

28/04/2013 20:06:55.174[2388][M]: Hash Value: 2deb32e1f01f6db997ffe7c0ba9a20be05c9f12a7ce18481914a25264b321c48

28/04/2013 20:06:55.174[2388][M]: CONTENT:STORE: Items in StoreIdMap is '1111'

28/04/2013 20:06:55.174[2388][M]: Released lock: 0x024EBA58

28/04/2013 20:06:55.176[2388][M]: Acquiring lock: 0x5F362A20

28/04/2013 20:06:55.176[2388][M]: Acquired lock: 0x5F362A20

28/04/2013 20:06:55.176[2388][M]: Released lock: 0x5F362A20

28/04/2013 20:06:55.177[1948][M]: Message has been loaded from the bytes (and now owns them), releasing AutoCOMByteFree

28/04/2013 20:06:55.177[1948][M]: CShortcutItem::Callback...Display downloaded item

28/04/2013 20:06:55.177[1948][M]:     Desktop Setting: RESTRICTPOLICYLOOKUP

28/04/2013 20:06:55.177[1948][M]:     No Value

28/04/2013 20:06:55.177[1948][M]:     Desktop Setting: DisplayItemsUsingOOM

28/04/2013 20:06:55.177[1948][M]:     No Value

28/04/2013 20:06:55.177[1948][M]:  DisplayItemsUsingOOM = 1 [default]

28/04/2013 20:06:55.179[1948][M]: CDisplayItem::ReadItemClass: ItemClass [43]

28/04/2013 20:06:55.247[3196][M]: Deleting CComCallback thread THID=3196

28/04/2013 20:06:55.247[3196][M]: ::CInternetReconnect - refCount : 1

28/04/2013 20:06:55.247[3196][M]: CComCallback: calling CoUninitialize, thread THID=3196

28/04/2013 20:06:55.271[1948][M]: Have unadvised on ItemEvents_10

28/04/2013 20:06:55.288[3196][M]: CComCallback: CoUninitialize completed, thread THID=3196

28/04/2013 20:06:55.288[3196][M]: CThreadManager::Remove thread THID=3196

28/04/2013 20:06:56.611[1948][M]: Have unadvised on ItemEvents_10

28/04/2013 20:06:56.611[1948][M]: Have unadvised on InspectorEvents_10
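
An added example (not from the original post or the product's tooling) that reads a minimum-level client trace and reports which of the three paths shown above a retrieval took: direct server download, Vault Cache hit, or cache miss followed by a server download. The embedded traces are excerpts of the lines quoted above; the function names and the returned dictionary layout are assumptions made for this sketch.

```python
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\[\s*(\d+)\]\[([A-Z])\]:\s*(.*)$")
SSID_RE = re.compile(r"Query store map: /ITEMS/ITEM\[@SSID='([^']+)'\]")
RESULT_RE = re.compile(r"Result: ENTRYID = (\S+) DBID = (\d+)")
BYTES_RE = re.compile(r"FetchSavesetContent: Reading (\d+) bytes")
THREAD_RE = re.compile(r"CThreadManager::(Add|Remove) thread THID=(\d+)")

# Excerpts of the three traces quoted in the article (lines omitted, none altered).
DIRECT = """
28/04/2013 19:37:02.904[3976][M]: CThreadManager::Add thread THID=372
28/04/2013 19:37:02.918[ 372][M]: Downloading: http://evsql.ev.local/EnterpriseVault/download.asp...
28/04/2013 19:37:02.919[ 372][M]: CThreadManager::Add thread THID=3308
28/04/2013 19:37:03.017[3308][M]: CDownloadBytesImpl::FetchSavesetContent: Reading 44032 bytes
28/04/2013 19:37:03.034[3308][M]: CThreadManager::Remove thread THID=3308
28/04/2013 19:37:03.145[ 372][M]: CThreadManager::Remove thread THID=372
"""
CACHE_HIT = """
28/04/2013 19:51:29.216[4004][M]: Calling CC to OpenItem
28/04/2013 19:51:29.218[4004][M]: CONTENT:STORE:     Query store map: /ITEMS/ITEM[@SSID='201304287177491~201304081913380000~Z~D006154F7F2EA1F13C9DC57A4D6D4C81']
28/04/2013 19:51:29.219[4004][M]: CONTENT:STORE:     Result: ENTRYID = 000000008D130CEF589AC14EBCDACB0BD504A94724002000 DBID = 1
28/04/2013 19:51:29.224[3976][M]: CDisplayItem::ReadItemClass: ItemClass [43]
"""
CACHE_MISS = """
28/04/2013 20:06:54.880[2320][M]: CONTENT:STORE:     Query store map: /ITEMS/ITEM[@SSID='201304287179590~201304282006030000~Z~D09214689B22127993BED9AED07B47C1']
28/04/2013 20:06:54.882[2320][M]: CONTENT:STORE:     Query store map: /ITEMS/ITEM[@SHA2='2deb32e1f01f6db997ffe7c0ba9a20be05c9f12a7ce18481914a25264b321c48']
28/04/2013 20:06:54.882[2320][M]: CONTENT:STORE:     Result: ENTRYID = (null) DBID = 0
28/04/2013 20:06:54.882[2320][H]: A COM error occurred: 0x80040205
28/04/2013 20:06:54.890[1948][M]: CThreadManager::Add thread THID=3196
28/04/2013 20:06:54.909[3196][M]: Downloading: http://evsql.ev.local/EnterpriseVault/download.asp...
28/04/2013 20:06:54.910[3196][M]: CThreadManager::Add thread THID=716
28/04/2013 20:06:55.147[ 716][M]: CDownloadBytesImpl::FetchSavesetContent: Reading 25088 bytes
28/04/2013 20:06:55.163[ 716][M]: CThreadManager::Remove thread THID=716
28/04/2013 20:06:55.288[3196][M]: CThreadManager::Remove thread THID=3196
"""


def parse_trace(text):
    """Return (timestamp, thread_id, level, message) tuples; blank or
    unparsable lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S.%f")
            events.append((ts, int(m.group(2)), m.group(3), m.group(4)))
    return events


def summarize_retrieval(text):
    """Classify one retrieval and collect the details the trace exposes."""
    info = {"source": "unknown", "ssid": None, "bytes": None,
            "worker_threads": [], "unfinished_threads": [], "errors": []}
    cache_checked = cache_hit = downloaded = False
    for _ts, _tid, _level, msg in parse_trace(text):
        if (m := SSID_RE.search(msg)):
            info["ssid"] = m.group(1)
        elif (m := RESULT_RE.search(msg)):
            cache_checked = True
            cache_hit = m.group(1) != "(null)"   # "(null)" ENTRYID: not in Vault Cache
        elif msg.startswith("Downloading"):
            downloaded = True
        elif (m := BYTES_RE.search(msg)):
            info["bytes"] = int(m.group(1))
        elif (m := THREAD_RE.search(msg)):
            thid = int(m.group(2))
            if m.group(1) == "Add":
                info["worker_threads"].append(thid)
                info["unfinished_threads"].append(thid)
            elif thid in info["unfinished_threads"]:
                info["unfinished_threads"].remove(thid)  # thread cleaned itself up
        elif "error occurred" in msg:
            info["errors"].append(msg)
    if downloaded:
        missed = cache_checked and not cache_hit
        info["source"] = "cache-miss-then-server" if missed else "server"
    elif cache_hit:
        info["source"] = "vault-cache"
    return info


if __name__ == "__main__":
    for name, trace in (("direct", DIRECT), ("hit", CACHE_HIT), ("miss", CACHE_MISS)):
        print(name, summarize_retrieval(trace))
```
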
 
Unfortunately, the bit you can't see with this level of tracing is that the item, once downloaded, is inserted into Vault Cache. With maximum logging that piece of the puzzle looks like this:
 
28/04/2013 20:09:40.582[2744][L]: CONTENT:STORE: CCStore::InsertItem: 0x0

28/04/2013 20:09:40.583[2744][L]: CONTENT:STORE: CCStore::GetIndexingItemDate: 0x0

28/04/2013 20:09:40.583[2744][L]: CCGeneral::CalculateIndexingDate: 0x0

28/04/2013 20:09:40.583[2744][L]: CCGeneral::GetMAPIDateProperty: 0x0

28/04/2013 20:09:40.583[2744][L]: ~CCGeneral::GetMAPIDateProperty: 0x40380

28/04/2013 20:09:40.583[2744][L]: ~CCGeneral::CalculateIndexingDate: 0x40380

28/04/2013 20:09:40.583[2744][L]: CONTENT:STORE: ~CCStore::GetIndexingItemDate: 0x40380

28/04/2013 20:09:40.583[2744][L]: CONTENT:STORE: CCStore::MakeSpaceForInsertion: 0x0

28/04/2013 20:09:40.584[2744][L]: CComAutoUnlock<class ATL::CComAutoCriticalSection>::CComAutoUnlock

28/04/2013 20:09:40.584[2744][L]: ~CComAutoUnlock<class ATL::CComAutoCriticalSection>::CComAutoUnlock

28/04/2013 20:09:40.584[2744][L]: CComAutoLock<class ATL::CComAutoCriticalSection>::CComAutoLock

28/04/2013 20:09:40.584[2744][M]: Acquiring lock: 0x027710D4

28/04/2013 20:09:40.584[2744][M]: Acquired lock: 0x027710D4

28/04/2013 20:09:40.584[2744][L]: ~CComAutoLock<class ATL::CComAutoCriticalSection>::CComAutoLock

28/04/2013 20:09:40.584[2744][L]: CONTENT:STORE: CCStoreHelper::SyncPVFileSize

28/04/2013 20:09:40.585[2744][L]: DesktopCommonConfig::GetSetting: 0x0

28/04/2013 20:09:40.585[2744][M]:     Desktop Setting: WORKING_DIRECTORY

28/04/2013 20:09:40.585[2744][M]:     Value: C:\Users\rob1\AppData\Local\KVS\Enterprise Vault\4EEB7C7FA3D7C4479F2B03170A822A83\

28/04/2013 20:09:40.585[2744][L]: ~DesktopCommonConfig::GetSetting: 0x0

28/04/2013 20:09:40.585[2744][L]: CONTENT:STORE: ~CCStoreHelper::SyncPVFileSize

28/04/2013 20:09:40.585[2744][L]: CComAutoUnlock<class ATL::CComAutoCriticalSection>::~CComAutoUnlock

28/04/2013 20:09:40.586[2744][M]: Released lock: 0x027710D4

28/04/2013 20:09:40.586[2744][L]: ~CComAutoUnlock<class ATL::CComAutoCriticalSection>::~CComAutoUnlock

28/04/2013 20:09:40.586[2744][L]: CONTENT:STORE: ~CCStore::MakeSpaceForInsertion: 0x0

28/04/2013 20:09:40.586[2744][L]: CONTENT:STORE: CCDatabaseList::FindDBByDateAndArchive: 0x0

28/04/2013 20:09:40.586[2744][L]: CONTENT:STORE: CCDatabaseList::Init: 0x0

28/04/2013 20:09:40.586[2744][L]: CComAutoUnlock<class ATL::CComAutoCriticalSection>::CComAutoUnlock

28/04/2013 20:09:40.586[2744][L]: ~CComAutoUnlock<class ATL::CComAutoCriticalSection>::CComAutoUnlock

28/04/2013 20:09:40.587[2744][L]: CComAutoLock<class ATL::CComAutoCriticalSection>::CComAutoLock

28/04/2013 20:09:40.587[2744][M]: Acquiring lock: 0x027BC5A4

28/04/2013 20:09:40.587[2744][M]: Acquired lock: 0x027BC5A4

28/04/2013 20:09:40.587[2744][L]: ~CComAutoLock<class ATL::CComAutoCriticalSection>::CComAutoLock

28/04/2013 20:09:40.587[2744][L]: CONTENT:STORE: CCDatabaseList::Load: 0x0

28/04/2013 20:09:40.587[2744][L]: CONTENT:STORE: CCDatabaseList::GetHighestDbId: 0x0

28/04/2013 20:09:40.598[2744][L]: CONTENT:STORE: ~CCDatabaseList::GetHighestDbId: 0x0

28/04/2013 20:09:40.598[2744][L]: CONTENT:STORE: CCDatabaseList::PopulateValuesForSection

28/04/2013 20:09:40.599[2744][L]: CONTENT:STORE: ~CCDatabaseList::PopulateValuesForSection

28/04/2013 20:09:40.599[2744][L]: CONTENT:STORE: CCDatabaseList::PopulateValuesForSection

28/04/2013 20:09:40.599[2744][L]: CONTENT:STORE: ~CCDatabaseList::PopulateValuesForSection

28/04/2013 20:09:40.599[2744][L]: CONTENT:STORE: CCDatabaseList::PopulateValuesForSection

28/04/2013 20:09:40.599[2744][L]: CONTENT:STORE: ~CCDatabaseList::PopulateValuesForSection

28/04/2013 20:09:40.600[2744][L]: CONTENT:STORE: CCDatabaseList::PopulateValuesForSection

28/04/2013 20:09:40.600[2744][L]: CONTENT:STORE: ~CCDatabaseList::PopulateValuesForSection

28/04/2013 20:09:40.600[2744][L]: CONTENT:STORE: CCDatabaseList::PopulateValuesForSection

28/04/2013 20:09:40.600[2744][L]: CONTENT:STORE: ~CCDatabaseList::PopulateValuesForSection

28/04/2013 20:09:40.600[2744][L]: CONTENT:STORE: ~CCDatabaseList::Load: 0x0

28/04/2013 20:09:40.600[2744][L]: CComAutoUnlock<class ATL::CComAutoCriticalSection>::~CComAutoUnlock

28/04/2013 20:09:40.601[2744][M]: Released lock: 0x027BC5A4

28/04/2013 20:09:40.601[2744][L]: ~CComAutoUnlock<class ATL::CComAutoCriticalSection>::~CComAutoUnlock

28/04/2013 20:09:40.601[2744][L]: CONTENT:STORE: ~CCDatabaseList::Init: 0x0

28/04/2013 20:09:40.601[2744][L]: CONTENT:STORE: ~CCDatabaseList::FindDBByDateAndArchive: 0x0

28/04/2013 20:09:40.601[2744][L]: CONTENT:STORE: CCStore::InitDB: 0x0

28/04/2013 20:09:40.601[2744][L]: DCC::ConfigBase::GetClientStoreKey: 0x0

28/04/2013 20:09:40.601[2744][L]: DesktopCommonConfig::GetClientStoreKey: 0x0

28/04/2013 20:09:40.602[2744][L]: ~DesktopCommonConfig::GetClientStoreKey: 0x0

28/04/2013 20:09:40.602[2744][L]: ~DCC::ConfigBase::GetClientStoreKey: 0x0

28/04/2013 20:09:40.602[2744][L]: DesktopCommonConfig::GetConfigValue: 0x0

28/04/2013 20:09:40.602[2744][L]: DesktopCommonConfig::GetSetting: 0x0

28/04/2013 20:09:40.602[2744][M]:     Desktop Setting: RESTRICTPOLICYLOOKUP

28/04/2013 20:09:40.602[2744][M]:     No Value

28/04/2013 20:09:40.602[2744][L]: ~DesktopCommonConfig::GetSetting: 0x1

28/04/2013 20:09:40.602[2744][L]: DesktopCommonConfig::GetClientStoreKey: 0x0

28/04/2013 20:09:40.603[2744][L]: ~DesktopCommonConfig::GetClientStoreKey: 0x0

28/04/2013 20:09:40.603[2744][L]: DesktopCommonConfig::GetSetting: 0x0

28/04/2013 20:09:40.603[2744][M]:     Desktop Setting: OVAETimeMatchWindow

28/04/2013 20:09:40.603[2744][M]:     No Value

28/04/2013 20:09:40.603[2744][L]: ~DesktopCommonConfig::GetSetting: 0x1

28/04/2013 20:09:40.603[2744][M]:  OVAETimeMatchWindow = 60 [default]

28/04/2013 20:09:40.603[2744][L]: ~DesktopCommonConfig::GetConfigValue: 0x1

28/04/2013 20:09:40.603[2744][L]: CONTENT:STORE: ~CCStore::InitDB: 0x0

28/04/2013 20:09:40.603[2744][M]: CONTENT:STORE: Inserting item into store: 1

28/04/2013 20:09:40.604[2744][L]: CONTENT:STORE: CCStore::CloseOtherOpenDb

28/04/2013 20:09:40.604[2744][L]: CONTENT:STORE: ~CCStore::CloseOtherOpenDb

28/04/2013 20:09:40.604[2744][L]: CONTENT:DB: CCDatabase::InsertItem: 0x0
 
 
Hopefully that has given you a little insight into the work that goes on behind the scenes when you retrieve an item using the Enterprise Vault Outlook Add-in. It's not quite as simple as you think!
 

Spam Wearing a Mask: Cases Where Anti-Spam Laws Aid Spammers


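Contributor: Binny Kuriakose

Cyberspace is chaotic from a security standpoint: anonymity hiding behind freedom of expression is rampant, and clear laws are lacking. Countries are becoming aware that legislation is needed so that the competent authorities can arrest and punish the criminals who infest cyberspace, but the criminals are remarkably clever.

Spammers are known to spread spam with ingenious techniques, and recently they have even begun abusing anti-spam laws to launch spam attacks. Rather than examining how effective anti-spam laws are, this blog describes the technique of quoting laws in email to give spam an air of credibility.

Some email falls into a "gray zone", neither clearly spam nor clearly legitimate, and the wording is so subtle that recipients often misjudge it. Quoting an anti-spam law in the body of the email and claiming that the email complies with that law is a standard way of making such "gray zone" spam look clean.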
 

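CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act) - Public Law 108-187 (United States, English)

The sample shown in Figure 1 states that it complies with the provisions of the CAN-SPAM Act, the anti-spam law of the United States. A disclaimer section at the end of the email describes the law.
 

Fig1.png

Figure 1. Sample of spam quoting an anti-spam law in its body
 

What is wrong with this spam

What makes this sample illegal is that the "opt-out" option the spammer offers is fake. Opting out only moves the address to a different mailing list. Spam of this kind always quotes a law and then provides an "unsubscribe" or "opt-out" option, and victims are taken in by that apparent credibility.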
 

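Other laws widely seen being "abused" in spam

  1. MURK bill - Bill S.1618 Title III (United States, English)

    The legal text abused most often to date is the U.S. bill "Bill S.1618 Title III", commonly known as "MURK". Although it relates to spam, the bill was rejected by both houses of Congress and never became law. So if a message says it "complies with Bill S.1618 Title III", the statement itself is false and the message should be treated with suspicion from the start. Spam quoting this bill has been observed since 1998, the year the bill was introduced.

    Fig2.png

    Figure 2. Disclaimer in spam quoting Bill S.1618 Title III

    Even more unpleasant, spammers use this quotation as a shield and go so far as to threaten users.

    Fig3.png

    Figure 3. Spam that quotes Bill S.1618 to make threats

    Yet this practice has spread beyond the borders of the United States: the same quotation has been found in other languages, including Portuguese and Spanish.

    Fig4.png

    Figure 4. Disclaimer in Spanish-language spam quoting Bill S.1618 Title III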
     

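  2. Habeas Data Law No. 25,326 Art. 27 Inc. 3 (Argentina, Spanish and Portuguese)

    The Habeas Data Law sets guidelines for commercial email in Argentina. Like other laws of its kind, it guarantees users the right to request that their personal information be deleted from a database.

    Spanish- and Portuguese-language spam campaigns quote this law and also use an opt-out option to look genuine. As before, the opt-out option is fake and does not reduce the spam received.

    Fig5.png

    Figure 5. Disclaimer in spam quoting the Habeas Data Law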
     

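  3. Law No. 28493 / 29246 / D. S. 031-2005-MTC (Peru, Spanish)

    No. 28493 / 29246 / D. S. 031-2005-MTC is Peruvian law and is naturally written in Spanish. Spanish-language email sent from other countries and regions also quotes this law to claim legality. The sample below instructs recipients to reply to a webmail address as the unsubscribe option.

    Fig6.png

    Figure 6. Disclaimer in spam quoting Peruvian Law No. 28493 / 29246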
     

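  4. Déclaration CNIL n°1291376 and Déclaration CNIL n°1181416 (France, French)

    Two French laws on commercial email have been seen in spam, but in this example no proper opt-out option is shown to the user. When an opt-out link is present, it generally redirects to a web page carrying a message that the user's personal information will be deleted. Of course, no deletion is actually carried out.

    Fig7.png

    Figure 7. Disclaimer in spam quoting French CNIL No 1291376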
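
One way to turn the citations listed above into a mail-filter heuristic, as an added example that is not part of the original post: a reference to Bill S.1618 Title III is treated as a false claim because the bill never became law, while the real laws count only as weak signals since legitimate mail may cite them too. The function name, verdict labels, opt-out word list and sample bodies are constructed for illustration.

```python
import re
import unicodedata

# (label, enacted?, pattern). Every citation string comes from the article;
# patterns are matched against NFKC-normalized, casefolded text.
CITATIONS = [
    ("Bill S.1618 Title III", False, r"\bs\.?\s*1618\b"),
    ("CAN-SPAM Act", True, r"\bcan[-\s]?spam\b"),
    ("Habeas Data Law 25,326", True, r"habeas\s+data|\bley\b.{0,20}?\b25[.,]?326\b"),
    ("Peru Law 28493 / 29246", True, r"\bley\b.{0,20}?\b(?:28493|29246)\b|031-2005-mtc"),
    ("CNIL declaration", True, r"\bcnil\b.{0,10}?\b(?:1291376|1181416)\b"),
]
# Assumed opt-out wording (English, Spanish, French); extend per mail stream.
OPT_OUT = re.compile(r"unsubscribe|opt[-\s]?out|\bremoved?\b|darse\s+de\s+baja|d[ée]sabonner")


def assess(body: str) -> dict:
    """Classify one message body by the legal citations it carries."""
    text = unicodedata.normalize("NFKC", body).casefold()
    hits = [(label, enacted) for label, enacted, pat in CITATIONS if re.search(pat, text)]
    opt_out = bool(OPT_OUT.search(text))
    if any(not enacted for _, enacted in hits):
        verdict = "flag"      # claims compliance with a bill that never became law
    elif hits and opt_out:
        verdict = "review"    # real law plus opt-out: the pairing the article describes
    elif hits:
        verdict = "note"      # real law cited, no opt-out offered
    else:
        verdict = "none"
    return {"citations": [label for label, _ in hits], "opt_out": opt_out, "verdict": verdict}


# Constructed sample bodies (not taken from the article's figures).
SAMPLES = {
    "murk_en": "This message is sent in compliance with Bill S.1618 Title III. "
               "To be removed from our list, reply with REMOVE.",
    "murk_es": "Este mensaje se envía bajo el decreto S.1618 Título III. "
               "Para darse de baja responda a este correo.",
    "canspam": "This email complies with the CAN-SPAM Act. Click here to unsubscribe.",
    "cnil": "Déclaration CNIL n°1291376.",
    "plain": "The quarterly report is attached; see section 3.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, assess(body))
```

A "review" or "note" verdict is a reason to inspect the message, not proof of spam; only the S.1618 citation is false on its face.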
     

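Summary

These samples make it clear that spammers exploit laws to gloss over their spam and stage a false appearance of legality. Unfortunately, recipients still fall victim to this technique.

The right of individuals to refuse any communication and the right to request deletion of personal information from a database are recognized in many countries and regions. But these cases show that strong laws governing registration on a list in the first place, not just removal from it, are just as necessary, because when a user unsubscribes, spammers simply add the address to another mailing list. Users should also know what rights each anti-spam law gives them.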

 

* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

AD import, long distinguished names 255 chars limit fix


If distinguished names in your AD are very long because of nested OUs, SMP truncates them to 255 characters during AD import. This is a limitation of the database table.

Below is a solution. Please note that this was tested only against version 7.1 SP2 MP1.

The KB article "Unable to import some accounts from Active Directory" does not mention Inv_Global_Active_Directory_Details, which is also populated during AD import.

1. Please back up the Symantec_CMDB database and the file mentioned below before making the changes.

2. Run the following two SQL Queries on the Symantec_CMDB database: 

-- DirectoryItemMap: drop the primary key, widen [Key], then recreate the key.
ALTER TABLE DirectoryItemMap DROP CONSTRAINT PK_DirectoryItemMap;
ALTER TABLE DirectoryItemMap ALTER COLUMN [Key] nvarchar(442) NOT NULL;
ALTER TABLE DirectoryItemMap WITH NOCHECK ADD CONSTRAINT
[PK_DirectoryItemMap] PRIMARY KEY CLUSTERED ([Type], [Key]) ON [PRIMARY];
-----------------------------
-- Inv_OU_Membership: drop the index, widen [Distinguished Name], recreate the index.
DROP INDEX Inv_OU_Membership.IDX_Inv_OU_Membership_DistinguishedName_ResourceGuid;
ALTER TABLE Inv_OU_Membership ALTER COLUMN [Distinguished Name] nvarchar(442);
CREATE INDEX IDX_Inv_OU_Membership_DistinguishedName_ResourceGuid ON
Inv_OU_Membership ([Distinguished Name], _ResourceGuid);
------------------------------
-- Inv_Global_Active_Directory_Details: same change as for Inv_OU_Membership.
DROP INDEX Inv_Global_Active_Directory_Details.IDX_Inv_Global_Active_Directory_Details_DistinguishedName_ResourceGuid;
ALTER TABLE Inv_Global_Active_Directory_Details ALTER COLUMN [Distinguished Name] nvarchar(442);
CREATE INDEX IDX_Inv_Global_Active_Directory_Details_DistinguishedName_ResourceGuid ON
Inv_Global_Active_Directory_Details ([Distinguished Name], _ResourceGuid);
 
3. Please edit the
C:\Program Files\Altiris\DirectoryServices\Config\DirectoryConnector_Settings.config
file using Notepad.
Add the following line to the file:
 
<customSetting key="DisableDistinguishedNameAsResourceKey" type="local" value="true" /> 
 
4. Please restart all Altiris Services and IIS before starting a new full Import of the Users. 
5. Start a new full Import from the Console. 
6. Run a full Resource Membership update. 
7. Wait for about 5-10 minutes to make sure the update finishes and check the Directory Filters.

 
