Malware Win32/Conficker.B W32.Downadup.B

So for the past 2 weeks now we are absolutely getting hammered with calls in CSS Security here at MS from organizations contracting this piece of malware. You can find write-ups from various AV companies at the following URLs:
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=76852
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B
http://www.symantec.com/norton/security_response/writeup.jsp?docid=2008-123015-3826-99
http://www.symantec.com/norton/security_response/writeup.jsp?docid=2009-010717-4209-99
So the write-ups are all pretty good; some have details that the…

Restricted Admin mode for RDP in Windows 8.1 / 2012 R2

<# EDIT .. there has been a wiki article posted by my colleague John Rodriguez at http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx that discusses RDPRA configuration further, which is a good source for information, and since it's a wiki it is also easier to keep updated #> So we released some information a couple of weeks ago on…

Automatically refreshing EMET GPOs

If you’ve tried configuring EMET via GPOs you’ve probably come to realize that while the GPOs may process normally and change registry keys locally on the system, they do not actually affect the running configuration of EMET. From the EMET user guide, see the following: “Once EMET Group Policies are enabled, they will be…

Setting EMET Local Configuration via GPP

Our PG released EMET 5.0, yeah, and it works pretty well and has some cool new functionality, such as actually blocking on pin rules and the new ASR feature, which I feel is very cool too. A big fix was the fact that there is a service now, and that service will properly refresh GPO…

Testing the ASR feature for Office documents in EMET 5.0

Had a customer recently ask me how to test the ASR feature for EMET 5.0, so I figured I would write this up to help others as well. Keep in mind there are 2 different sets of programs that utilize ASR: one is IE and the other is Office programs, or more specifically Word, Excel…

Configuring EMET via GPO/GPP w/o using the ADMX files

[UPDATE 7/23/2014] I've created a wiki page at http://social.technet.microsoft.com/wiki/contents/articles/25585.emet-gpo-gpp-using-task-scheduler-to-import-emet-settings.aspx that condenses these steps, adds a few new items, and is open to collaborative editing as well, so you may want to view that too. [/UPDATE] If you have deployed EMET in an enterprise setting you have probably realized there are basically 2 different…

Troubleshooting an EMET Mitigation Application Crash

In the process of deploying and piloting EMET there is a definite possibility that a legitimate application will not function properly with EMET. Let's set some expectations here: there are basically 2 things you can do when this occurs. Work with the developer of the application and see if they can make…

Creating Exclusions from the Default Sets in EMET ADMX GPOs

I’m going to preface this by saying I do not currently recommend using our .admx GPOs for EMET. With that being said, some customers are required to use them from a compliance perspective, so this may help you in that situation. If you use the .admx settings for EMET and have ever realized that…

Dealing with malware that creates .exe’s on file shares

So lately we keep seeing variants of malware that modify content on file servers in an environment in hopes of spreading to other users. My guess is that it is just using mapped drive letters, thinking they are USB keys, but the effect is the same regardless. The actions they take are usually something as…

Using Logparser + Eventcomb to find malware

During the course of these Conficker / Downadup issues we typically see cases that started because accounts were getting locked out. I pause briefly here to point out that account lockouts are the work of the devil and are a sorry excuse for most people not to use a complex password policy. So it seems…
