John Croson's Blog Home: 11/01/2008 - 12/01/2008

Friday, November 28, 2008

Symantec Endpoint Protection and Outlook's 0x800CCC0F Error

After upgrading from SEP 11 MR2 to MR3, my user's 0x800CCC0F Outlook error stopped...for one day, then re-appeared. This issue ONLY occurred during his mail retrieval process.

During my troubleshooting, I had initially opened a command prompt, and issued the command:

telnet 110

I received an inline PGP reply that it was proxying the connection. That prompted me to do a little Googling, which revealed nothing.

I found an MS KB article that pointed to some troubleshooting steps, but they didn't help at all, and neither did Symantec's KB or forums.

Much to my surprise and glee, he started to experiment with his POP settings. After setting his POP connection to SSL, his problems went away!
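The manual check above (telnet to port 110 and see who answers first) can be scripted so the plaintext greeting and the SSL greeting can be compared side by side. This is an added example, not code from the post; it includes a constructed local stand-in server so it runs offline, and the banner text, host names and the `looks_like_proxy` heuristic are assumptions, not Symantec's actual proxy output.

```python
import socket
import ssl
import threading


def read_pop3_greeting(host, port, use_tls=False, timeout=5.0):
    """Connect to a POP3 endpoint and return its one-line greeting.

    Mirrors the 'telnet <host> 110' check from the post: whatever answers
    first is what Outlook is really talking to. With use_tls=True the TLS
    handshake happens before any POP3 bytes flow, which is why switching the
    account to SSL (port 995) sidesteps an in-line plaintext proxy.
    """
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        sock = ctx.wrap_socket(sock, server_hostname=host)
    try:
        data = b""
        while not data.endswith(b"\r\n"):
            chunk = sock.recv(512)
            if not chunk:
                break
            data += chunk
        return data.decode("ascii", "replace").strip()
    finally:
        sock.close()


def looks_like_proxy(greeting, expected_host_fragment):
    """Heuristic (assumption): a greeting that never names the real mail host
    is a sign something else has interposed itself on the plaintext port."""
    return expected_host_fragment.lower() not in greeting.lower()


def serve_one_greeting(banner):
    """Constructed stand-in for a mail host or proxy so the example runs
    offline: accept one connection, send `banner`, close. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.sendall(banner.encode("ascii") + b"\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    # Constructed banners: one that names the mail host, one that does not.
    for banner in ("+OK mail.example.com POP3 ready",
                   "+OK POP3 ready (constructed proxy banner)"):
        port = serve_one_greeting(banner)
        greeting = read_pop3_greeting("127.0.0.1", port)
        print(greeting, "-> proxy suspected:",
              looks_like_proxy(greeting, "mail.example.com"))
```

Against a real account, call `read_pop3_greeting(mailhost, 110)` and `read_pop3_greeting(mailhost, 995, use_tls=True)` and compare the two greetings; a difference points at whatever sits on the plaintext path.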

Thursday, November 20, 2008

Symantec Endpoint Protection MR2 to MR3 Upgrade

Not much to mention...it_just_works. THIS TIME.

Steps for upgrading:

    1. Download MR3
    2. Stop all SEPM services.
    3. Run installer over the top of previous installation.

Interestingly, researching an Outlook error 0x800CCC0F while POP'ing email down from our mail host, I found this article about how much better MR3 will perform, even over the likes of v10.

Hopefully my test client will not experience any issues, as the SEPM surely didn't.

Wednesday, November 19, 2008

Redeploy Symantec Endpoint Security Client

I need a method to reinstall a SEP client package. Unfortunately, SEPM doesn't have a method in its GUI to do this...*nudgenudgewinkwink*, you must use the Migration and Deployment Wizard, choose the default option Deploy the Client, and then Select an Existing Package to Deploy.

I found a clue in a thread at Symantec's forums where one can use the %PROGRAMFILES%\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\ClientRemote.exe utility, which is usually only revealed when you use the wizard, or initially install the product.

You'll find your repository of packages you created in said installation at %PROGRAMFILES%\Symantec\Symantec Endpoint Protection Manager\Inetpub\ClientPackages, one folder for each package represented in SEPM, with a sub-folder called full. Unfortunately the folders are named using the package checksum, and I can't immediately tell by looking at the GUI which one is which. Fortunately for me, I only created two packages; a 32bit and 64bit version. If you look at the contents of the directory, it's pretty easy to determine which one is 32bit or 64bit. There will be a Symantec AntiVirus Win64.msi file in the 64bit version folder.

Simply choose the folder for your architecture, and push it to the client.
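Picking the right checksum-named folder by hand gets tedious once there are more than two packages. The following is an added PowerShell snippet, not from the post or from Symantec, that lists each package folder and flags the 64-bit one using the same MSI name the post relies on. It assumes the default SEPM path quoted above (change $root otherwise) and PowerShell v2 or later.

```powershell
# Added example: enumerate SEPM client package folders and tell x86 from x64.
# Assumes the default install path from the post; adjust $root if needed.
$root = Join-Path $env:ProgramFiles 'Symantec\Symantec Endpoint Protection Manager\Inetpub\ClientPackages'

Get-ChildItem -Path $root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $full = Join-Path $_.FullName 'full'
    # The post identifies the 64-bit package by this MSI in the full\ sub-folder
    $is64 = Test-Path (Join-Path $full 'Symantec AntiVirus Win64.msi')
    # Listing every *.msi helps tell packages apart when there are more than two
    $msis = Get-ChildItem -Path $full -Filter '*.msi' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Name }
    New-Object PSObject -Property @{
        Checksum     = $_.Name
        Architecture = $(if ($is64) { 'x64' } else { 'x86' })
        Installers   = ($msis -join ', ')
        Path         = $full
    }
} | Format-Table Checksum, Architecture, Installers, Path -AutoSize
```

The Path column is the folder to hand to the wizard (or ClientRemote.exe) when pushing the package to the client.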

Monday, November 03, 2008

The Sinowal Trojan Steals You Blind

This morning, home sick, reading /., I find this story about the Sinowal Trojan.

Evidently, starting in 2006, this Trojan has been stealing sensitive data from thousands of Internet users across the globe, except for those in Russia. Seems even the Russian mob has a heart.

This all raises a question I've often asked myself. I've been managing enterprise environments for years now, using a variety of methods to protect the sheep, in hopes that the worst, a full network infection, is avoided.

It's happened to me once, when I worked for the Racine Art Museum. I'd been hired to oversee the IT side of a new museum we were raising capital for. The environment was rather new at the time; NT BackOffice server, Windows 2000 clients, Trend AV suite.

Unfortunately, as in some environments like this, there are applications that require elevated privileges to run. I suspect that this may have had something to do with the rapid spread of this virus. The signs were odd; in each network share on the server, .msg files started to mysteriously appear. A cursory search on the web revealed that this was a strain of virii that spread itself in this manner, eventually filling up all volumes on all systems and bringing the network to a screeching halt. I was able to quickly find a fix and apply it, saving us from disaster.

Which brings me to the question that I've been wondering...

Just how many more of these types of virii exist, and have not been detected? If this one was able to survive for this period of time before discovery, I must conclude that there are more out there, undiscovered, collecting data, sending it to some Russian mobster, so they can go on with their mobbing ways.

I'm not snubbing the AV companies by any stretch. They have all they can do to keep up with the virii Jones' next door. What frightens me is that while technology is a wonderful thing, we also grow increasingly reliant on it, and the AV companies to protect us from the bad guys. Can we expect them to do a satisfactory job for $59.99?

With that growing reliance, we will also see a parallel in the growth of cyber crime. I already stay away from questionable websites, don't open mail from unknown senders, or run software from unknown sources. I have a popular AV package and Spyware protection solution running on my systems. This doesn't guarantee my safety, and I certainly don't like the idea of some idiot obtaining my SSN, opening an account at Best Buy, and running up several thousand dollars of the latest-and-greatest HD/Gaming system bundle. What measures will we need to take to secure our sensitive data beyond AV/Spyware/Trojan protection?

Surely, someone will develop a system that will cross check our Credit Card number with a PSK embedded in our head some day.... Until then, I'll cross my fingers and toes.