I’m Afraid I Can’t Do That, Dave: When Firewall Upgrades Go Wrong

A client called this morning saying “I clicked on a security alert and now I can’t get on the internet…”  Of course, my spideysense said “Ah!  Classic Malware!”

However, when I got on-site, there was no malware on the machine. 

A quick glance over the Autoruns turned up nothing out of the ordinary, MalwareBytes turned up nothing, doing a netsh winsock reset did nothing to improve the situation… not feeling like standard malware… was this thing rootkitted?

But then I noticed there was an odd entry in his start menu called “ZoneAlarm!12dc_532f!erased” which had a broken link to a “ZoneAlarm Security Tutorial”

The client does use ZoneAlarm, and prior issues with his machine had been traced back to ZA — most notably when a Microsoft DNS patch befuddled the firewall, forcing it to block all DNS traffic — so I didn’t rule ZA out of the equation.

Searching all the files on his machine which were created in the past 24 hours, turned up a file in c:\windows\internet logs called fwpktlog.txt (FireWall PacKeT LOG anyone?  And why are we still limiting ourselves to 8.3 naming?  Does anything other than our own laziness still rely on that?)

In this file was a whole bunch of lines denying packets from the local machine to Internet addresses.  I could still access machines on the local network, but nothing outside.

What created that packet filter file?

I looked in the services list and there was nothing for ZoneAlarm in there, but there was a entry for ForceField (ZA’s browser security program) and it was running.  Stopping the service and setting it to disabled did nothing.

Open the pod bay doors, Hal! 
I’m afraid I can’t do that, Dave.

Also, among the recently created files, I found an installer_02251175403.log file, also in the c:\windows\internet logs folder.  Opening it up, it pointed me to a temp folder it had created: C:\DOCUME~1\Steve\LOCALS~1\Temp\02251175403 within which was a bunch of files including an executable called cpes_clean.exe which is listed as “Check Point Endpoint Security Cleaner” from “Check Point Software Technologies LTD” in the file properties.

Going for broke, I ran the program.

It ate up some CPU according to Task Manager, but didn’t show any sort of UI until it popped up a box asking to reboot.

Rebooted the machine, and lo and behold, we could access sites out on the internet.

Pop over to ZoneAlarm’s and download the latest build, and 145MB and 15 minutes later (DSL!!!) and the download is corrupt.

Another 15 minute download, and ZA is happily reinstalling itself.

Connecting Macs to a Windows 2003 Server

We have a client with two offices, one is a PC shop and the other is a Mac shop. The enjoy a friendly rivalry and it’s up to me to make sure that they play nicely together.

We recently upgraded the servers in Microsoft shop to Windows 2003 and found that the Mac clients could no longer access the shares over the VPN.

Some googling and experimenting later, and we stumbled upon the issue.

The Samba client that the Macs use doesn’t support encrypted communications, and the Windows 2003 server out of the box turns on encrypted communications and prevents anyone who isn’t encrypting from accessing its shares.

So, a quick detour through the Domain Controller Security Policy applet in the Administrative Tools folder did the trick.

In there, go to Local Policies / Security Options.

Scroll down to “Microsoft network server: digitally sign communications (always)” and set that sucker to DISABLED.

Reapply the policy by running GPUPDATE (start, run, gpupdate) and sit back in delight as your clients can connect to the shares once again.

Thanks to MacOSXHints and AllInTheHead for the pointers.

Remotely Find MAC Addresses on Your Windows Network

I had to find the MAC address of a remote machine on my network this morning. Happily, WindowsXP (and above) make this easy.

They include a tool called getmac which does just that — it gets the MAC address of any machine on the local network.

(This utility first made its appearance, it seems, as part of the Windows 2000 Resource Kit, and is available as a download from Microsoft.)

The tool couldn’t be simpler to use, just open a command prompt and type:

getmac /s <computername>

It then spits back:

Physical Address Transport Name
=================== =========================================================
00-00-00-XX-XX-XX \Device\Tcpip_{0AB4C22A-1EEE-AAAA-XXXX-0X0X0X0X0X0X},

There are additional switches you can use to format the output or run the command under different credentials (from the TechNet article):

/u Domain \ User : Runs the command with the account permissions of the user specified by User or Domain\User. The default is the permissions of the current logged on user on the computer issuing the command.

/p Password : Specifies the password of the user account that is specified in the /u parameter.

/fo { TABLE | LIST | CSV } : Specifies the format to use for the query output. Valid values are TABLE, LIST, and CSV. The default format for output is TABLE.

/nh : Suppresses column header in output. Valid when the /fo parameter is set to TABLE or CSV.

/v : Specifies that the output display verbose information.

/? : Displays help at the command prompt.