2010-09-12

Deleting the Win32_Product WMI Class to hide local software installed

I know very few people have had the need to delete WMI classes, but incidentally I was once one of them. Why? Well, WMI is a great resource for obtaining information about remote machines, so perhaps you would like to be selective about what to provide from yours, right?

Various network administration tools take advantage of the WMI component to know how their co-workers' computers are doing, or what the co-workers are doing with them. This information is passed to those tools through the WMI classes. So suppose you don't want to tell them what software you have installed on your computer. Then, without stopping the WMI service (which would let the administrator know that there was a scan error with your machine), you can instead delete the WMI classes Win32_Product and Win32_ProductCheck. Let's see:

On the command line:

c:\> wbemtest

(the wbemtest window pops up on Windows)

Click Connect, replace root\default with root\cimv2 where it says so, and press OK.

Now press the button Enum Instances... and you should see:


There enter Win32_Product and accept, you should see a bunch of entries like this:




You can conclude that the Win32_Product class is announcing that I have, among lots of other stuff, Microsoft Office installed.

To stop this class from reporting software, the simplest solution I know is to delete the class. Just press where it says Delete Class and enter its name, but beware: I don't think there is a practical way to reinstall this class again unless you fully reinstall WMI. So proceed wisely.

Of course, there are other ways to obtain the installed software on your machine remotely. :)
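For the administrator on the other side of this: an added PowerShell check (not code from the original post) that verifies the two inventory classes named above are still present in root\cimv2 on a host, so a missing class shows up as tampering rather than as a generic scan error. It assumes the host name is passed in (local machine by default) and that WinRM is available for remote hosts.

```powershell
# Added example (not from the original post): confirm the software-inventory
# classes the post deletes still exist, and verify the WMI repository locally.
param(
    [string]$ComputerName = $env:COMPUTERNAME   # assumption: local host unless told otherwise
)

function Test-InventoryClasses {
    param([string]$Computer)
    # Get-CimClass treats -ClassName as a filter: a missing class yields no output, not an error.
    $cimArgs = @{ Namespace = 'root\cimv2'; ErrorAction = 'SilentlyContinue' }
    if ($Computer -ne $env:COMPUTERNAME) { $cimArgs.ComputerName = $Computer }   # remote via WinRM

    foreach ($class in 'Win32_Product', 'Win32_ProductCheck') {
        $found = Get-CimClass -ClassName $class @cimArgs
        [pscustomobject]@{
            Computer = $Computer
            Class    = $class
            Present  = [bool]$found
        }
    }
}

$report = Test-InventoryClasses -Computer $ComputerName
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.Present }) {
    Write-Warning "Inventory classes missing on $ComputerName; treat its software inventory as untrusted."
    # On the affected host itself, let winmgmt check repository consistency; a failure
    # here means a repository rebuild or WMI reinstall, as the post notes.
    if ($ComputerName -eq $env:COMPUTERNAME) { winmgmt /verifyrepository }
}
```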

Thanks for reading
 

2010-09-04

Stopping All Services Backup Exec 2010 - Job Cancel Pending

This happened to me the other day while I was changing settings for a BE job. As soon as I hit the submit button the job went into run mode. My fault, as I had to define a schedule or submit the job "on hold" first.

When I realized the job was running, I right-clicked the job to cancel it while it was still in the "pre-processing" phase. But the job would not stop. I tried several approaches, including stopping all services from the BE management console:


And starting them again, but to my surprise the BE server and engine services would not start. Viewing the Event Viewer, this is what we got:




Little to no help. After reading Symantec's words on the subject, and before accepting that the only solution was to restart the server (after applying the supposed hotfix), we decided to give it a last shot: we found out that the services would not start because another process was taking over port 3527, and supposedly all we had to do was terminate this connection using CurrPorts:


But the connection would not terminate; the process name was System, hence the inability.

Restarting the server was what ultimately fixed it. Perhaps disabling the network interface and clearing the ARP cache would have helped, though.

Thanks for reading

Taken from http://netprobe.blogspot.com/

Disabling Multiple RDP Session with same User

In order to disable multiple RDP sessions with the same user, enable the "restrict each user to one session" option. This way you disable concurrent connections from the same user.

With this option enabled, you can still log in to another session, called a console session. Be aware, though, if you do this in a production environment: depending on your software environment and the applications running in one RDP session for user "x", opening the console session for that same user "x" can lead to your custom apps malfunctioning. This happened to me with a VB6 application running in debug mode.



Panda Desktop HTTP Updates / Ports Used

Well, Panda product documentation, although it is pretty extensive, sometimes does not tell you much. For instance, you want to know what ports are required for Panda Desktop to be able to periodically update its definitions. What are these ports? This is what I will briefly discuss, based only on my findings.

If you have deployed the Panda Antivirus product in your company, then you have probably configured a repository from which Panda clients are able to fetch periodic updates. This repository can be configured through a regular network shared folder, or through an HTTP repository, where you may have a Tomcat server serving the client requests. The second alternative is better, as the first one leads to more unnecessary overhead.

After clients are deployed automatically, a .ini file is configured in each client machine containing a reference to the original server.

This server is the one the clients will query for updates, sending packets through port 19226 (folder repository). If that does not succeed, the client will try the HTTP repository on port 8080, and if that does not respond, it will try the HTTP repository on port 80:



If that still does not respond, the client will query the Internet. Where?
1. Regedit.exe
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Panda Software\Panda Administrator 3.0\PLAgent

URL is listed on the right side.

The username and password used to access the updates are also defined here, although encrypted.




In sum, the following ports are used from the client side, depending on your infrastructure scenario:

Port 19226
Port 80
Port 8080
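To check firewall rules before a rollout, here is an added PowerShell script (not from the original post or from Panda) that walks the same fallback order described above (19226, then 8080, then 80, then the Internet URL under the PLAgent registry key) and reports which source a client on this host would end up using. The repository server name is a placeholder you supply; the registry value name holding the URL is not given in the post, so any string value that looks like a URL is listed.

```powershell
# Added example: probe the Panda client's update-source fallback chain from this host.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-PandaUpdateSource {
    param([Parameter(Mandatory=$true)][string]$Server)
    # Same order the post observed with CurrPorts and PAVupg.log.
    $candidates = @(
        @{ Port = 19226; Kind = 'shared-folder repository' },
        @{ Port = 8080;  Kind = 'HTTP repository (Tomcat)' },
        @{ Port = 80;    Kind = 'HTTP repository' }
    )
    foreach ($c in $candidates) {
        # A TCP connect only proves the port is open, not that the repository content is valid.
        if (Test-TcpPort -ComputerName $Server -Port $c.Port) {
            return "$Server port $($c.Port): $($c.Kind)"
        }
    }
    # Nothing local answered: show the Internet fallback the agent keeps in the registry.
    $key = 'HKLM:\SOFTWARE\Panda Software\Panda Administrator 3.0\PLAgent'
    if (Test-Path $key) {
        $urls = (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Value -is [string] -and $_.Value -match '^https?://' }
        if ($urls) {
            return 'Internet fallback: ' + (($urls | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ', ')
        }
    }
    return 'No update source reachable from this host'
}

Get-PandaUpdateSource -Server 'panda-repo.example.local'   # placeholder server name
```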

This information was gathered using the CurrPorts tool and log analysis.

Panda logs are located in Pavupg folder. The file is called PAVupg.log

To get a detailed log use the command:

Pavupg -c:ALL

It will then try to update the virus definitions and you can analyse the results too.


SMB:R; Tree Connect Andx - DOS OS Error, (5) ACCESS_DENIED

Konica Bizhub 350 - Scan to network Folder

Are you scanning to a network folder and wondering why the files are not there when all the configurations are correct?
What needs to be done to allow a Canon/Konica/Minolta, in this case a Minolta Bizhub 350, to send PDF files over the network to a shared folder on a server?

SMB Signing is what this is all about; it is a security measure introduced to respond to man-in-the-middle attacks.


SMB Signing and Security:

http://www.littlepud.com/windows-information/windows---smb-signing

If your printer does not support SMB Signing, you have two choices to allow end users to fetch their scans:

1 - Disable SMB Signing on the remote server that was configured in the printer. For that you need to go to regedit, HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters, and change RequireSecuritySignature to 0 to disable SMB Signing (no restart needed). You can observe the successful (or unsuccessful) connection attempt with Microsoft Network Monitor.

2 - And probably much more comfortable: send the scans directly to the user's email and forget about SMB Signing (keeping your servers safe).
Here is a successful connection attempt:
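Both the RDP post above and option 1 here come down to one registry value each, so here is an added PowerShell audit (not from the original posts) that reads both and flags a server that was weakened for a printer or left open to concurrent RDP logons. It assumes it runs locally with rights to read HKLM; the value names are the standard Windows ones for those two settings.

```powershell
# Added example: audit the two host settings discussed in the posts above.
$checks = @(
    @{  Name     = 'RDP: restrict each user to one session'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
        Value    = 'fSingleSessionPerUser'        # 1 = one session per user
        Expected = 1 },
    @{  Name     = 'SMB server: signing required'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Value    = 'RequireSecuritySignature'     # 0 = signing optional (what option 1 sets)
        Expected = 1 }
)

function Get-HardeningAudit {
    foreach ($c in $checks) {
        $actual = $null
        if (Test-Path $c.Path) {
            $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
            if ($item) { $actual = $item.($c.Value) }
        }
        # NOT SET means the OS default applies; WEAK means someone changed it away from the hardened value.
        if ($null -eq $actual)              { $status = 'NOT SET' }
        elseif ($actual -eq $c.Expected)    { $status = 'OK' }
        else                                { $status = 'WEAK' }

        [pscustomobject]@{
            Check    = $c.Name
            Actual   = $actual
            Expected = $c.Expected
            Status   = $status
        }
    }
}

Get-HardeningAudit | Format-Table -AutoSize
```

A WEAK result on the SMB line is exactly the state option 1 leaves behind; option 2 (scan to email) avoids having to relax it.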





Thanks for reading