Tuesday, June 8, 2010

My last day with ACA

Hi All,

I am sorry to inform you that, starting from tomorrow, I will no longer be part of ACA. With a heavy heart, I'm leaving this TCSE community blog, which I created in 2008.

Hope our paths cross again. Happy Supporting Trend!

Rgds,
TheInstructor

Wednesday, April 14, 2010

Malware log analysis

Q: I was analyzing the 30-day malware log file and found hundreds of "BKDR_Generic.DIT" and "TROJ_Generic.DIT" entries with a questionable action result: Passed Potential Security Risk. I am sure that I have already enabled Generic Detection by adding a few lines in the ofcscan.ini. Anything to worry about?

A: You have done the right thing by enabling generic detection. The purpose of this detection is to make us aware that a certain file is posing a threat. There is a big possibility that this is a malicious file. We are only letting it pass because we do not yet have an enhanced clean pattern for it. Quarantining or deleting that file would be very risky. Why? Because the file could be a system file or a .dll that Windows depends on. If we quarantine/delete it, there is a chance that your Windows will hang or even BSOD.

The moment you become aware of such a generic detection, the next step is to collect the files. Compress them using WinZip with the password "virus". Send the sample files to us and we will create an enhanced pattern file for you. It will also be much better if you use our SIC Tool to further analyze your system for other infections, then send the SIC logs and suspect.zip. Furthermore, send the virus logs so we know which machines are being infected and can identify the PC that is spreading the infection.

I hope this helps.
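To show how the 30-day log can be turned into the triage the answer asks for (which generic detections were only passed, which distinct files to submit, and which PC to start with), here is an added example that is not from the original post or from Trend Micro. The CSV column layout and the log entries are constructed assumptions, not the real OfficeScan export format.

```python
"""Added example: triage a constructed OfficeScan-style virus log for
generic detections that were only passed, and the hosts reporting them.
The column layout below is an assumption, not the real export format."""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample log (date, computer, detection, file, scan result)
SAMPLE_LOG = """\
date,computer,virus,file,result
2010-03-14,PC-ACCT-01,BKDR_Generic.DIT,C:\\Windows\\svchost32.dll,Passed Potential Security Risk
2010-03-14,PC-ACCT-01,TROJ_Generic.DIT,C:\\Temp\\update.exe,Passed Potential Security Risk
2010-03-15,PC-HR-07,TROJ_Generic.DIT,C:\\Temp\\update.exe,Passed Potential Security Risk
2010-03-15,PC-ACCT-01,WORM_SAMPLE.A,C:\\Windows\\jwgk.vmx,Quarantined
2010-03-16,PC-ACCT-01,BKDR_Generic.DIT,C:\\Windows\\svchost32.dll,Passed Potential Security Risk
2010-03-16,PC-ACCT-02,TROJ_Generic.DIT,C:\\Users\\x\\a.exe,Cleaned
"""

PASSED = "Passed Potential Security Risk"

def triage(log_text):
    """Return (passed count per detection, distinct files per detection,
    passed count per computer) for entries the scanner only passed."""
    by_virus = Counter()
    files = defaultdict(set)
    by_host = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["result"] != PASSED:
            continue  # already actioned; no sample collection needed
        by_virus[row["virus"]] += 1
        files[row["virus"]].add(row["file"])
        by_host[row["computer"]] += 1
    return by_virus, files, by_host

def likely_source(by_host):
    """Host with the most passed detections: the first PC to isolate and
    collect samples from (a heuristic, not proof of patient zero)."""
    return by_host.most_common(1)[0][0] if by_host else None

if __name__ == "__main__":
    by_virus, files, by_host = triage(SAMPLE_LOG)
    for name, n in by_virus.most_common():
        print(f"{name}: {n} passed, {len(files[name])} distinct file(s) to submit")
    print("start with:", likely_source(by_host))
```

Distinct file paths, not raw hit counts, tell you how many samples to zip and submit; the per-host counts tell you where to run the SIC Tool first.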

Tuesday, April 13, 2010

March 2010 Class


Fellow attendees for March 2010 class. From left is Ms Ong, Wan, Elson, Chin, myself and Raj.

IMSS 7.1 - some fine tuning steps

q. You might get "550 Access denied - Invalid HELO name" from a receiving domain (certain domains only). What fine tuning needs to be done?

a. There are a few things you can check. First, verify that your MX record has a matching reverse record. Some receiving domains check for this and will reject you if you do not comply.

Please refer to the articles below for the configuration that you might want to fine-tune:

1. http://esupport.trendmicro.com/Pages/Receiving-mail-server-replies-with-504-5.5.2-machinename-Helo-command.aspx

2. http://esupport.trendmicro.com/pages/Bogus-HELO-name-used-and-HELO-command-rejected-errors-appear-on-outbou.aspx

3. http://esupport.trendmicro.com/pages/InterScan-Messaging-Security-Suite-IMSS-for-70-Windows-is-unable-to-de.aspx

If you have tried all of these but the problem still persists, do escalate, and make sure you attach tsmtpd.ini, log.imss and tsmtpd.log collected in debug mode.

Note: To enable debug logging you can use CDT; otherwise, log in to the IMSS web console and choose Logs > Settings from the menu, then change the Application log level option to "debug". Replicate the issue. Don't forget to disable the debug option once done.

Reference link for basic info and troubleshooting:
http://esupport.trendmicro.com/Pages/IMSS-70-Windows-basic-info-and-troubleshooting-guide.aspx#P25_1130

Monday, April 12, 2010

OSCE SP1: "encrypted" found as the action in malware log

q: I found "encrypted" as the result action in the malware log for OSCE 10 with SP1.

a: This is a new feature in OfficeScan 10, where the virus logs can show an "encrypted" result. The "Encrypted" result occurs when the Scan Engine (VSAPI) is unable to take its configured action (quarantine, delete, rename) on a malware file. Instead, the OfficeScan client simply encrypts the malware file.

Friday, March 26, 2010

Missing mail log entry for IMSS 7.0

When you want to trace a mail, you normally query Message Tracking and enter the sender or recipient name. Let's say you tried that and no relevant log entry appears.

You might want to query the log file itself. Locate the Log folder in the IMSS installation folder and look for a file named 'mailtrace.log.########', where the # characters indicate the date.

Probably there is a problem uploading the logs to the database.
You might also want to do the following to rectify this issue:
1. Stop all IMSS-related services
2. Back up the mail_trace_bookmark file, found in Program Files\Trend Micro\IMSS\bin, by renaming it.
3. Restart all IMSS-related services
Note: This should generate a new bookmark file
4. Install the latest patch (if applicable)

Friday, March 19, 2010

To drop or reject the packets?


Before you decide which action to enforce on your clients, you should understand the effect of each.

Drop silently discards the packet without sending any response to the source.
Reject also discards the packet but sends a response telling the source that the packet was rejected (the equivalent of an ICMP unreachable message sent back to the source).