Skip to content

Security

Unable to access OS Drive to delete C-00000291*.sys CrowdStrike bluescreen

If your laptops SSD/NVME drive is Bitlocker encrypted and you’re not able to see/access the primary Windows 11 or 10 OS partition (typically the C:\ drive) in Windows Recovery (WinRE) whilst following Crowdstrikes remediation instructions at https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/ (this will be apparent as you won’t be prompted for a Bitlocker key when you access the Command Prompt in the Windows Recovery Environment)

To get around this you’ll need to boot into your laptops BIOS to enable an alternative storage boot option

The below steps should be safe to complete if your laptop is not configured with multiple physical drives enrolled in a raided configuration

Depending on your laptops manufacturer/model the BIOS may be accessible via F12, F1, F2 or Esc

1. Once in the BIOS look for “Storage” or “Advanced” options and enable the opposite storage boot option to the one currently selected. The storage boot options you need to look for may indicate (AHCI and RAID) or (AHCI/NVME and RAID On). Select the opposite storage option to the one currently selected then save your BIOS setting changes and exit the BIOS and shut the laptop down

2. Now turn on the laptop again and boot into Windows Recovery again (this should happen automatically). If not let Windows 11 or 10 fully boot and wait for the bluescreen, the bluescreen/reboot cycle may need to be repeated for up to fives times or more before you’ll be prompted to enter Windows Recovery again, but once this happens, launch the Command Prompt from

“Advanced Options” > “Troubleshoot” > “Advanced Options” > “Command Prompt”

You should now be prompted to enter your Bitlocker Recovery Password (if you don’t have access to your Bitlocker Recovery Password then contact your domain administrator)

Once you’ve entered the Bitlocker Recovery Password your CMD dialog should auto launch to the X:\ drive

3. cd to %WINDIR%\System32\drivers\CrowdStrike or C:\windows\System32\drivers\CrowdStrike, and delete the C-00000291*.sys file as per Crowdstrikes instructions at https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/ then type “exit” to exit the CMD prompt

4. Very Important: The final step is to enter your laptop BIOS again before Windows 11 or 10 fully boots to the login screen and revert the storage boot option changes made in Step 2 to it’s original setting

5. Save your BIOS setting change again and exit the BIOS once more then let Windows 11 or 10 boot. The Crowdstrike bluescreen/reboot issue should now be resolved

Approval buttons not working in SAP interface in Chrome

If you’ve found some SAP approval buttons are no longer working in Chrome the issue may be down to a feature implemented in Chrome 88 but only enabled by default in recent versions of Chrome (versions 115 and 116)

The origin-agent-cluster header isn’t a security feature but a http header (for browsers that support the origin-agent-cluster feature/flag) that web developers can implement to change the default behaviour for a web page, putting it into an origin keyed agent cluster so that it is grouped with other pages that have the exact same origin

Same site but cross origin pages will then be excluded from the agent cluster. Your browser will then decide (if it has the origin-agent-cluster-default enabled and if your device has enough resources) to allocate same site but cross origin pages their own process or seperate threads

This can benefit web based applications such as video conferencing or other web based applications that can be resource intensive so each “instance” of a cross origin page don’t impact another cross origin page running in the same browser

If you’re affected by the SAP approval issue, depending on what you use SAP for in your organisation you’ll find you’re no longer able to approve items like invoices, expenses, holidays etc.

No error messages appear when you click on the buttons normally used to approve the above, they just seem to be completely unresponsive in Chrome versions 115 and 116

Try disabling the chrome://flags/#origin-agent-cluster-default flag in Chome and restarting your browser and this will most likely resolve your issue

You may need to go back and disable the chrome://flags/#origin-agent-cluster-default flag later if Chrome is updated in the future (I can’t confirm this as I already have the latest version of Chrome installed)

I found the workaround for the issue here but it wasn’t very well documented https://answers.sap.com/questions/13949753/enterprise-portal-problem-after-chrome-115116.html

More information here: https://web.dev/origin-agent-cluster/#when-to-use-origin-keyed-agent-clusters

Edge has yet to enable its equivalent edge://flags/#origin-agent-cluster-default flag by default so Edge can be used as an alternative browser if you don’t want to disable the chrome://flags/#origin-agent-cluster-default flag in Chrome

Here’s a related Oracle Enterprise issue

Make sure Sender Policy Framework (SPF) is correctly configured

We had some issues at work recently with intermittent e-mail’s from a third party not arriving in our Google App’s mailboxes (we’ve now migrated to using Google App’s for Business as opposed to using Exchange exclusively).

This was a big problem for us as these e-mail’s are an important source for news stories.

I immediately suspected spam/DNS server issues due to my previous experience trouble-shooting our Ironport issue two years ago.

This time however the problem lay with the third parties DNS not ours.

Here are the steps I took to troubleshoot then fix the problem:

Symptoms:

The issue was first reported when one of our news reporters noted some e-mails were not arriving – sent in from this news sources distribution list.

Some e-mail not all were being dropped – this is an important factor as we’ll see below.

Troubleshooting steps:

1. I realised straight away the problem wasn’t related to any e-mail filters in the reporters inbox or SMTP blacklists since approx only 20% of the mails were not arriving. Nonetheless I ran the check’s necessary and found nothing causing mail to be filtering into the users bin.

2. I checked in on another colleague who’s mail domain address is different from the news reporter that detected the problem (We use multiple domain names for separate titles and business teams). That colleague indicated they were missing the exact same e-mails that the first reporter detected missing.

3. The distribution list in question is used by a number of other news organisations so I sent a mail out to another news organisation’s IT dept to ask if they’d noticed those particular e-mails missing – they hadn’t.

4. I then asked an ordinary user at the news sources site, (I’m calling her [email protected] here) to send me an e-mail so I could evaluate the incoming e-mail headers for anything out of place. The e-mail she sent arrived fine but the information I found in her mail header provided the light bulb moment when taken into account with the rest of the information gathered. I found two key entries in [email protected]‘s mail header:

Received-SPF: fail (google.com: domain of [email protected] does not designate 137.191.225.35 as permitted sender) client-ip=137.191.225.35

Authentication-Results: mx.google.com; 

spf=hardfail (google.com: domain of [email protected] does not designate 137.191.225.35 as permitted sender) smtp.mail=137.191.225.35;

It was time to brush up on SPF or Sender Policy Framework

SPF basically boils down to a DNS entry that indicates which SMTP servers are permitted to send e-mail on behalf of a mail domain. This prevents spammers from getting e-mail’s into a users inbox since spam prevention e-mail gateways like Ironport and Postini will perform a DNS verification check each time a particular SMTP server tries to deliver an e-mail purporting to be from a particular e-mail address (domain).

As an example say a spammer tried to deliver an e-mail to [email protected], by spoofing an innocent individuals e-mail address (let’s say [email protected]) and used their spamming SMTP server to try to send [email protected] a spam e-mail. The Ironport/Postini/Spam Gateway when it’s first contacted examines the mailing domain indicated in the e-mail address of the message – say “hotmail.com” and the accompanying IP address of the spamming SMTP server.

Ironport/Postini will then contact the DNS server (which should always be accessible on the internet) for hotmail.com  to check that DNS Server’s SPF record. If it see’s that the IP addresses listed in the SPF record doesn’t match the IP address of the SMTP server that just tried to deliver an e-mail purporting to be from [email protected] it will drop that e-mail delivery attempt to [email protected], thereby preventing the spam reaching [email protected]‘s inbox. According to hotmail.com‘s DNS SPF record the spamming SMTP server trying to deliver a message purporting to be from [email protected] is not authorized…

Now back to our problem – So our news organisations Postini gateway was designating the IP address of our third parties SMTP server 137.191.225.35 as not being permitted to send e-mail on behalf of that user.

I had two problems with that –

1. First why did the SPF fail?

2. The SPF failed but [email protected]‘s e-mail got through anyway.

It was time to probe our news sources (xxxx.ie‘s) DNS configuration. In the process of doing so I discovered it was possible to expose the SPF configuration for DNS server’s available on the internet using this tool

So I plugged in the IP Address of the 137.191.225.35 SMTP server designated not authorized in [email protected]‘s e-mail header.

The Beveridge SPF Test tool then exposed the following SPF configuration for the xxxx.ie domain (some IP addresses changed for security purposes):

v=spf1 mx ip4:137.191.xxx.x1 ip4:137.191.xxx.x2 ip4:137.191.xxx.x3 -all [TTL=86400]

But I also noticed subsequent SPF test’s also returned a different SPF configuration below:

v=spf1 mx ip4:137.191.xxx.x1 ip4:137.191.xxx.x2 ip4:137.191.xxx.x3 ip4:137.191.225.35 ip4:137.191.xxx.x5 -all

So what was I looking at?

Basically one of more DNS servers for the domain xxxx.ie which our Postini gateway was performing SPF checks against had an incorrect/out of date SPF configuration. The second SPF configuration was the correct one as it listed 5 SMTP servers that were authorized to send mail on behalf of the xxxx.ie domain

The first incorrect SPF also should not have contained the  “[TTL=86400]” reference, as this doesn’t conform to SPF standards.

Cross-referencing the IP address of the 137.191.225.35 SMTP Server in the e-mail header I found that 137.191.225.35 matched a missing IP address in the incorrect SPF record. 137.191.225.35 was present in the second SPF record but not the first.

So our Postini was hitting the DNS server with the incorrect SPF configuration about 20% of the time and therefore dropping 20% of the e-mails sent because it was determining that 137.191.225.35 wasn’t authorized to send e-mail on behalf of xxxx.ie 20% of the time.

I’d figured out the issue was was due to an incomplete SPF record on one xxxx.ie DNS server but why did the e-mail from [email protected] deliver though it was given an SPF failure while some e-mails from the distribution list [email protected] were not being at all delivered?

My guess is that our Postini gateway even though it flagged [email protected] as being an SPF failure – SPF checking for Google/Postini is evidently not that strict. There must be additional spam filtering criteria in place on our Postini that flags the [email protected] e-mails based on message content, that together with the results returned from the problem DNS server flagged the [email protected] as being spam 20% of the time. Our Postini services are provided by an outsourced company so I don’t have access to the specific spam filtering criteria to verify this.

Fix:

I contacted the IT Security department manager for the xxxx.ie, who confirmed my findings and isolated the problem DNS server. The DNS server in question was not under his dept’s direct control but was managed by another dept – I’m guessing for redundancy purposes.

He logged a change to have the SPF details applied to the problem DNS server which should eliminate our problems receiving mail from any @xxxx.ie addresses in the future.

Hopefully this has given you an insight to the complex world of spam filtering….

Problem with Direct Access and Vodafone 3G/HSDPA – Update. SEP is the problem

I found the source of our Direct Access problems back in May during a lull period at work. Sorry for not updating then guys…

Here’s a link to my previous Direct Access post

I had a suspicion our anti-virus may have been causing our Direct Access problem so I went ahead and removed Symantec Endpoint Protection using CleanWipe which you can find here

I’m not that big a fan of Symantec as we had problems with our previous generation of PC’s – we suspected it was causing random out of the blue power downs of some PC’s while users were working. We could never prove it though as no event viewer logs were recorded just before the PC’s powered down unexpectedly. Luckily we’ve not had any problems of this type on our current generation of PC’s – they do have a new version of SEP installed though! In hindsight I should have tried removing SEP to test with Direct Access sooner in light of my previous experience with Symantec.

Anyway – Back to Direct Access. Once SEP was uninstalled with MS Security Essentials replacing it – Direct Access started behaving as it should on our laptops over a HSDPA/3G connection, and I didn’t have to run the “netsh interface 6to4 set state disabled” command  indicated in my previous post anymore.

I then decided to do  some more digging on the subject once I realised SEP was causing the problem and found this little nugget from a Symantec forum post.

So if you’re thinking about deploying Direct Access and have SEP deployed you have three choices:

1. Wait for the SEP update to come out in August 2012.

2. Uninstall SEP and replace with an antivirus that works with Direct Access (might be workable if you’ve only a small group of users that need to use Direct Access) i.e. replace AV for that group and leave the others with SEP.

3. Create a batch file that will run the “netsh interface 6to4 set state disabled” on start up on each laptop.

Hope this helps guys

 

Firefox crashing

If you’re having problems with Firefox crashing on your PC – the most likely culprit is Flash.

You’ll need the latest version of the Adobe’s Flash Plugin which you can find here:

http://get.adobe.com/flashplayer/

If the install fails using the above link the most likely reason is that your proxy/firewall is stopping the online installer from downloading the required install files.

In that case try downloading and installing from here (hopefully you have local admin privileges on your PC):

http://download.macromedia.com/pub/flashplayer/current/support/install_flash_player.exe

 

Problem with Direct Access and Vodafone 3G/HSDPA

I’ve been testing Microsoft’s Direct Access at work.

In my opinion it’s a true VPN killer, if you only need to deal with Windows Technology in your workplace.

Direct Access uses certificate/IPSEC based encryption/authentication to authorise a remote user and allow them to access a corporate network. The key thing here though is that the remote user doesn’t interact with any software to authenticate. The user’s authenticated without any action on their part – all they need to do is insert their username and password at the login screen much like you would if you were logging onto a terminal in the office.

No more fumbling around with a VPN dongle – if you have a broadband connection you can login and access network resources at the office from home.

I have noticed some problems using Direct Access with a Vodafone 3G/HSDPA connection though so I’d like to share what I did to get the service to work because it can be a pain in the butt to trouble shoot and the advanced diagnostic logs can be hard to decipher.

Firstly make sure you’re using the latest version of your Vodafone Mobile Broadband software (formerly called Vodafone Mobile Connect). I use version 10.2.302. Type “Vodafone Mobile Broadband Software” into Google and your first hit should take you to a page with the latest version. It’s important you get the latest version installed – I initially tried Vodafone Mobile Connect 9.4.6.20539 and couldn’t get Direct Access working no matter what.

The second part of the puzzle is 6to4. I had to completely disable this virtual adapter to force Direct Access to make a connection via Teredo. My suspicion (and this only seems to be a problem with mobile broadband connections) is that Direct Access doesn’t auto-configure the 6to4 adapter address properly and as a result Direct Access doesn’t fail over to any other connection type if it can’t communicate with the 6to4 adapter.

So start a CMD prompt with “Run as administrator” – as below. It’s important you start the CMD prompt with “Run as administrator” as a domain user even with local admin privileges will not be sufficient.

Once you have the CMD prompt up use the following command to disable 6to4:

netsh interface 6to4 set state disabled

And Direct Access should miraculously connect

The following command will take you back to where you started:

netsh interface 6to4 set state enabled

 

 

 

 

Have fun – I hope this helps you out of any Direct Access problems you may be having

How to block spam comments being posted on your blog

MollomI installed Mollom on my hosted WordPress blog yesterday to take care of the endless amount of spam comments I receive daily.

So far it seems to be working quite well, the only drawback I’ve encountered is that you cannot verify Molloms disposing of valid or invalid spam comments since there’s no dashboard to view the trashed comments themselves. Therefore you must have complete faith in Molloms spam detection and that it’s not shooting down friendlies…

The install though carried off without a hitch right into my hosted wordpress – and so far it’s detected and trashed numerous spam comments.

chkdsk c: /f – An Unmountable_Boot_Volume story…

I had problems with a virus recently making posts to my Facebook profile of all things. When I first noticed the problem I started going through in my head what I did in the past couple of days to expose my laptop to malware. The cause was simply down to being lax updating my AVG antivirus.  Always, Always, Always keep your anti-virus up to date

So I got home after my work day and set to work killing this virus. First came MalwareBytes which detected two malware and one trojan.

It was then time for an AVG update. After one definition update I ran the updater a second time and more definitions were installed (I’d been very lax)

All was well until I restarted the laptop. Which is when my problems started. The laptop wouldn’t boot back into the OS.

I could detect a bluescreen but couldn’t see what the error message was.

If this happens to you boot into F8 (Safe Mode) then choose the option to “Disable automatic restart on system failure” – this will give you a chance to see what’s causing the blue screen.

In my case it was an Unmountable_Boot_Volume.

I can only put this down to the virus corrupting my MBR when Malware Bytes removed it. Nasty…

So I set about booting into my WinXP setup cd to access the recovery console and run the fixmbr cmd to repair my hard disks Master Boot Record. This had no effect however. Fixboot was a non starter also.

It was at this point that I began to think I’d need something more powerful. My second thought was Microsoft must have a fix for this?

CHKDSK – chkdsk really? The program that runs when your PC restarts after it’s power plug caught your foot? Yes – That chkdsk….

http://support.microsoft.com/kb/555302

chkdsk driveletter: /f

In my case chkdsk f: /f

Damn if it didn’t work! Here’s what I got back….

chkdsk


I’ll never underestimate chkdsk again…

The importance of regular server status reporting for unexpected events

The following scenario highlights the importance of having regular server status reporting in place for unexpected events.

For a couple of months at irregular intervals we had users complain that some mails (not all) they’d been expecting from external users were arriving days later or were not arriving at all.

I’d been examining the headers of delayed e-mails when they did arrive and had found that external mail servers delivering e-mails to ours were taking a number of hours or days to do so. Most of the delayed e-mails “seemed” to originate from Eircom (an ISP based in Ireland) so I chalked the problem down to an issue on Eircoms side. Our Security team agreed. This was an oversight on my part however which I’ll explain later…

As I examined more closely I was able to pull more delayed e-mails from external users whose e-mail were not routed through Eircom so logically this meant the problem wasn’t specifically with Eircom.

As a test I had some of the users that reported delays e-mail my employers e-mail address whilst CCing in my personal gmail address. Eventually the issue reproduced itself.

Mails arrived in my Gmail Inbox within a couple of minutes whilst e-mail destined for my employers e-mail address arrived a number of hours later. In the end I was able to reproduce the issue with the help of 4 seperate senders.

Convincing the Security team was a problem however as everything looked fine on our end. They had a hard time accepting the issue was on our side even though I could reproduce the problem with four seperate senders. Four seperate external mail servers behaving in the same way at the same time? and the problem is not on our end?

They needed more evidence…

So the next port of call was Eircom – They were able to provide the following logs. IP addresses and e-mail addresses removed:

2010-07-13 17:22:19.744009500 starting delivery 2146375: msg 3317173 to remote [email protected]
2010-07-13 17:28:59.581941500 starting delivery 2147602: msg 3317173 to remote [email protected]
2010-07-13 17:49:00.077173500 starting delivery 2150674: msg 3317173 to remote [email protected]
2010-07-13 18:22:19.009197500 starting delivery 2158998: msg 3317173 to remote [email protected]
2010-07-13 19:08:59.078851500 starting delivery 2171856: msg 3317173 to remote [email protected]
2010-07-13 20:08:59.270208500 starting delivery 2188502: msg 3317173 to remote [email protected]
2010-07-13 21:22:20.122931500 starting delivery 2203875: msg 3317173 to remote [email protected]
2010-07-13 22:48:59.138197500 starting delivery 2224308: msg 3317173 to remote [email protected]
2010-07-14 00:28:59.064738500 starting delivery 2244997: msg 3317173 to remote [email protected]
2010-07-14 02:22:19.239298500 starting delivery 2261581: msg 3317173 to remote [email protected]
2010-07-14 04:28:59.989719500 starting delivery 2279211: msg 3317173 to remote [email protected]
2010-07-14 06:48:59.004682500 starting delivery 2299239: msg 3317173 to remote [email protected]
2010-07-14 09:22:19.021063500 starting delivery 2342483: msg 3317173 to remote [email protected]
2010-07-14 12:08:59.033052500 starting delivery 2428140: msg 3317173 to remote [email protected]
2010-07-13 17:22:19.744009500 starting delivery 2146375: msg 3317173 to remote [email protected]

2010-07-13 17:24:09.861329500 delivery 2146375: deferral: Connected_to_<IPAddress>_but_sender_was_rejected./Remote_host_said:_451_#4.1.8_Domain

_of_sender_address_<3rdparty@theircompany.ie>_does_not_resolve/

From the above you can see that Eircoms gateway had attempted to deliver the mail in question numerous times over two days but was being rejected because the senders e-mail address could not be resolved.

So I asked the Security team to investigate if any work had been carried out on our DNS infrastructure (or any failures) on the 13th that would prevent the Ironport performing a DNS lookup.

They found that one of the DNS servers which our Ironport server was actively using for sender verification was restarting intermittently causing our Ironport to drop connection attempts when the external mail server attempted delivery. 

They didn’t have status reporting in place for the DNS servers to report any unexpected events.

Moral of the story – don’t rely on e-mail headers to judge mail delivery attempts (they only indicate successful connections) and make sure you have status reporting in place.

Microsoft attempts to silence their critics…

Are you tired of those Mac users that always whine about how their OSX operating system “never gets viruses….” blah blah blah? Are any members of your family Mac fanboys?

If you answered No Please-please-please enjoy the silence while it lasts. Those moments are golden.

If you answered Yes – I commiserate because I feel your pain…

You could try hitting back at these fanboys by saying that  Microsoft operating systems get viruses because they have a greater market share. If there is a greater percentage of interconnected PCs running the same OS it makes for easy virus propagation. Estimates of global OS usage can be found here but statistics just seem to boggle the typical fanboy. There’s no place for numbers in their minds…

Finally Microsoft have also decided to strike back. Microsoft Security Essentials is a free A/V scanner which will use the same anti-virus definitions used in Microsofts Forefront line of security products, so MS is putting their business money where their mouth is…

Benefits:

Its free – Is free good?

Low resource usage Microsoft say

Drawbacks:

Unproven as yet

I’ll be installing it on my desktop PC which is running Windows 7 Ultimate – Thanks Microsoft!!

 

Microsoft Security Essentials

Update 01-11-2009 Microsoft’s Security Essentials been rated the best free anti-virus for Windows

The Blog of Martin Birrane