Determining the cause of FCS client performance issues

Realistically this process should work for other AV clients as well, but I’m doing it in the context of the one I support. Although it isn’t extremely common, we do run into scenarios where a customer has issues with the FCS client taking up large amounts of CPU on a system. Sometimes it is constant and…

Logparsing FCS to find files that were infected

Working an interesting case at the moment where we have multiple files across servers that were infected, and we need to generate a list of all the files that were infected on each server. So the first thing to realize is that the 1006 and 3004 events in the System event log under the…

Rare off-topic post :)

It is currently MS’s giving campaign, where we promote philanthropy :). A coworker sent this out to our internal blogger alias along with some others from this site that various MS MVPs and internal employees work with, asking if we could post one on our blogs. Since I grew up myself in Haiti for about…

Dealing with malware that creates .exe’s on file shares

So lately we keep seeing variants of malware that modify content on file servers in an environment in hopes of spreading to other users. My guess is that it is just using mapped drive letters, thinking they are USB keys, but the effect is the same regardless. The actions they take are usually something as…

How to go green with FCS

I’m not a treehugger, but I can definitely see the $$ in power savings. Having said that, I had a customer recently that wanted his computers to wake up from sleep in order to do their scheduled scans for FCS. At first I was like nope, not possible, we have no such feature. Then I…

Some Interesting FCS SQL Queries

With a recent case I had an issue where the client count of managed computers in the MOM admin console was quite different than that in the FCS console, so I was trying to find out exactly which computers were not in FCS so I could troubleshoot some of those more effectively. The first thing I…

Update Views for FCS in WSUS

Nothing profound with this post, just detailing a step I typically recommend to most of our new customers with regards to making life easier when viewing updates in WSUS. In order to make your life easier viewing FCS inside of WSUS, I typically recommend creating two new views, one for FCS Definitions and another…

Cheap real time monitoring for Conficker clients

I already did one post about using eventcomb/logparser to look for clients, but found a better way to do it on a case last night which I wanted to share. The first thing you need is to enable netlogon debug logging on all of your DCs; save the following as a .reg file and import…

WSUS FCS Definitions

This is a follow-up post to my previous FCS definitions post. The first one focused on the mpam-fe files and what is contained in them that you can find on the security portal at www.microsoft.com/security/portal. This one instead focuses on what is actually downloaded by your WSUS server and what is in turn downloaded by your…

Blocking and finding Conficker and Downadup systems

EDIT 4/27/09: THIS NO LONGER WORKS WITH NEW VARIANTS OF CONFICKER; HOWEVER, THE CONCEPT IS STILL SOUND IF YOU ARE LOOKING FOR SYSTEMS THAT ARE QUERYING FOR SPECIFIC DNS NAMES. I’ve already created one post on finding malware systems using eventcomb; however, when it comes to Conficker or Downadup, and realistically other malware too…
