Out of this world AV
No matter if it’s a utility or a game, I’m always on the lookout for software that is free and reliable. Rollie Hawk pointed me to a new antivirus program that has become a staple on my home PCs. The program is called Moon Secure AV.
Moon Secure AV, in a nutshell, is ClamAV with a user-friendly GUI. The GUI isn’t pretty like more mature AVs like AVG and Norton. Think along the lines of the nerdy girl in school versus the prom queen. It’s not the prettiest but it gets the job done. Screenshots can be found here.
Here are the things that I like about MSAV:
- Real-time scanning and automatic updates are enabled by default.
- No reboot required after installation.
- Resource usage, compared to other AV programs, is relatively low:
  - Less than 30MB of memory.
  - Low CPU utilization during real-time protection. It does go up during active scans.
What didn’t I like?
- Windows XP and Vista support only. Windows 2000 support would be nice because I know quite a few businesses, as well as home users, that still use 2K Professional on their workstations.
- There isn’t a setting to exclude directories from being scanned. This is going to be implemented later according to the developers.
- Scanning is slow. The ClamAV engine isn’t known for its speed.
I recommend MSAV and look forward to seeing it develop, just like the nerdy girl from high school.
Coming together is a beginning. Keeping together is progress. Working together is success. - Henry Ford
21.Nov.07
Security, Software
Cisco conference call
I had a conference call at work today with a couple of Cisco sales reps. The point of the conference call was to discuss the Cisco NAC evaluation taking place later this week. The conference call took place using WebEx. It was a little strange using WebEx for a phone conference call. Everyone where I work that was also involved in the call, as well as myself, thought that the Cisco reps were going to do a video demonstration but they didn’t.
The Cisco reps wanted to nail down a few details before the evaluation took place. The main points discussed were what we were looking for, how our network is currently set up and what we hoped to gain using the Cisco NAC. I’m really looking forward to checking out their system.
One big highlight that came out of the meeting was that I’m getting a chance to attend a Cisco CCNA boot camp for free. The CCNA training will be held at a local Cisco office. They are still trying to nail down the exact dates for the week-long training. Once they get that, someone from the Cisco office is going to email me. A $2300 training course for free? I’ll take that in a heartbeat.
Pain is inevitable. Suffering is optional. - M. Kathleen Casey
10.Sep.07
Certifications, Networking, Security
Trend Micro’s NAC needs some work
For the last week, I’ve been testing out a Network VirusWall Enforcer from Trend Micro. I’ve only found one thing about it that really impresses me. That would be the number of antivirus programs, 63 at this time, it supports. Other than that, I am really disappointed in it.
The main reason I requested the demo is because we use Trend Micro OfficeScan on all of our Windows servers and workstations. We use Trend Micro Control Manager 3.5 and were told it could control the VirusWall NAC. That was the first surprise of the demo. Out of the two units, one 1200 and the other a 2500, only the 2500 could be managed via TMCM. The 1200 had to be managed through the console or by connecting to the admin web page running on the appliance.
The sales guy called his boss and was told that the 1200 was about to be marked EoL so it would not be supported in TMCM 3.5. Nice. I just wish that was the only problem with the whole setup.
Here is a quick rundown of other problems I have with the Trend Micro NAC:
- No HTTPS support for redirect/remediation URLs.
  - In any field where a URL had to be typed, an error would pop up if the URL started with HTTPS, stating that only “http://” is allowed.
  - By default, you have to use a secure site (https://OfficeScanInstall) if you want to allow TM OfficeScan to be installed via a web page. How could they not know that and allow HTTPS URLs on the redirect pages?
  - Should be fixed in a future update according to the salesman.
- Rules cannot be nested.
- Only user authentication is supported. Machine authentication (i.e. approved MAC address) is not supported.
- Detection of OfficeScan client was inconsistent.
  - Even though the NAC was configured to look for OfficeScan on the right port, it still couldn’t detect it every time. This would cause the workstation to fall out of compliance randomly and have to be reassessed.
  - No firewall was blocking the scan and the Persistent Agent was installed.
There may also be a problem with the device that I am awaiting a response from Trend about. It involves a hole in how devices may be able to gain network access even after failing policy compliance checks. I emailed the info (issue & steps to reproduce) to my Trend Micro contacts. Hopefully, I’ll hear something soon.
Great minds have purposes, others have wishes. - Washington Irving
29.Aug.07
Networking, Security
Secunia Software Inspector
Unpatched and obsolete (End-of-Life) software can pose a security risk to any system. EoL software is especially bad because the software maker no longer provides support or updates. While there are several programs that have a built-in auto update feature, the programs that don’t can remain vulnerable for a long time because the user doesn’t know an update is available unless they check the manufacturer’s website on a regular basis.
Secunia, a massive online database that provides information about security vulnerabilities and patches, has released software that will check your Windows PC for vulnerable software. The program is called Personal Software Inspector. It works the same way as the web-based Secunia Software Inspector does except for a couple of differences. The main difference is that the online version requires users to manually scan their system while PSI, by default, runs constantly in the background.
Installation is straightforward and no reboot is required, so a system scan can begin immediately after exiting setup. A thorough scan can take anywhere from a few minutes to almost an hour to complete. The scan time is determined by how many programs you have and how fast your system runs. Closing the main window does not exit the program, so it can be closed during scans or monitoring. Double-clicking the Secunia PSI icon in the system tray will open the main window. Right-clicking the icon and choosing Exit will close the program.
Clicking on any of the programs listed under Insecure Software or End-of-Life Software provides details about the detected version, the latest version available, installation path and links to the updates. It even gives information on how to remove older versions if installing the update will not remove them. One example of an older version not being removed by an update is Sun Java. You must remove the older version of Java using Add or Remove Programs.
All communication between the Secunia PSI and the Secunia web servers is done through a secure HTTPS connection. System requirements and other general information about Personal Software Inspector can be found on the About Secunia PSI page.
NOTE: At this time, the software is Beta. Don’t be surprised if it doesn’t work perfectly. Also, I do not recommend running PSI in the background at all times if you don’t have a lot of free Physical Memory (check Task Manager). Secunia PSI uses about 16 to 20 MB of memory on my system during the monitoring phase.
Nature does not hurry, yet everything is accomplished. - Lao Tzu
07.Aug.07
Security, Software
No, you can’t use the sa login. Not yours.
As previously posted, I’m in the process of locking down the MS SQL 2005 server that I am in charge of maintaining. The built-in admin account group was no longer in the sysadmin group so it was time to move to the next hole. The ‘sa’ account.
The ‘sa’ account is the default admin login that has full control of the MS SQL server. If the server is only going to use Windows Authentication, a random password can be created and forgotten. A Windows domain user would be assigned to the sysadmin SQL server group because ‘sa’ could not be used (SQL logins disabled). This isn’t the case for my server. I had to set it up for mixed mode authentication. Mixed mode means that Windows Authentication or SQL logins can be used. The reason I had to use mixed mode is due to some software that we use that does not support WA for its SQL connection.
(more…)
04.Aug.07
Microsoft SQL, Security