24 November 2010

Malware Infected Website protection with TMG, IE and Sophos

More and more we are seeing a trend where malware authors compromise legitimate sites for the purpose of spreading malware.

A few years ago URL filtering or site blocking was a very effective way of preventing users from inadvertently being lured to a malicious site.  An updated list of malicious sites was distributed and corporate web filtering products would prevent users from accessing these sites.  There are two big problems with this approach in today's world.
1. There are far too many sites being turned malicious to keep up, so a real-time lookup is required.
2. If a site is not blocked, any malware on it is allowed to make it onto the client machine, where the local malware scanner is required to clean it up.  If the definitions on the client machine do not detect the malware you are cooked.  It is therefore much better to scan content at proxy level for malware and either block or clean up the content.  This should also have a live malicious code lookup to reduce the missed detection window.

Microsoft Forefront Threat Management Gateway (TMG)
One of the most exciting features added to TMG is the ability not only to do URL filtering but also to do inline malware scanning and cleanup.  By enabling URL filtering you can greatly reduce the threat from known malicious sites.  By enabling malware scanning you can catch infection attempts from legitimate sites.  Most of this happens without anyone knowing that it is going on.  I set up a custom report using Webspy to highlight malware action in my TMG environment.

Turning on the protection in the web access policy

Configure the malware detection behavior

My custom Webspy Malware report so that I can check what is happening

One of the increasing problems is that more users are working outside the corporate network on open public Internet connections, so all the protection offered by TMG effectively falls away when the user is connected via his home ADSL / 3G / public Wi-Fi etc.

Internet Explorer
IE has had many improvements over the years to protect users from malicious sites.  The latest incarnation of this is called the SmartScreen Filter.  Sites are checked against the Microsoft reputation services database.  If a site is flagged as being malicious the site is blocked and you would have to manually override this.

Malicious site is detected and blocked

Determined user turns off SmartScreen
The user can now browse his redirected infected site in relative peace

If the user switches to another browser that does not offer a SmartScreen feature you have a problem.

Sophos Live Protection and Web protection
In the past malware products would only be able to prevent malware infection when it was already "knocking on the door."  Sophos Live Protection allows live lookups for any suspicious code, and as another feature they also allow you to block access to malicious web sites.  Unlike Internet Explorer, the Sophos block cannot be turned off or bypassed by the user.  Another advantage I found is that a compromised legitimate site can still be accessed while only the malware redirects are blocked.  In my testing IE would block the whole site.

Configure the Antivirus and HIPS policy on the Sophos management server

The legitimate site opens up but Sophos prevents access to the redirected site.
Notifications are displayed and recorded in the machine's log

If I then manually attempt to access the malicious site I get the Sophos blocked screen

The advantage here is that, unlike browser protection which is application specific, using a malware product makes it a system-wide protection solution.

The constantly evolving malware landscape requires administrators to implement the new protection technologies as they become available. Using a combination of security products, native operating system features and a full-featured malware package helps you cover the bases whether the users are in or out of your corporate environment.

TMG, IE and Sophos are not the only products that offer these features, but this is the combination I use. :)

22 November 2010

Configure Sophos message relay for improved scalability on Windows Server 2008 R2

One of the recommendations from Sophos is that message relays should be used when one console manages more than 10 000 devices.  In my experience this is an optimistic number.  In reality you start running into server response issues from about 5000 devices and up.

Client machines update the Sophos management server by sending status messages all the time.  These messages, or envelopes as they are called, are handled by the Remote Management Service (RMS).  Normally these messages are sent directly from the client to the management server.  When using a relay, the messages are sent to the relay, combined and then forwarded on to the management server.  It is possible to nest relays up to 6 levels deep, but unless you have a network that has a similar relay layout I would avoid nested relays altogether; I would rather use a flat structure with multiple relays at "the same one-hop level".

Configuring a message relay involves a few steps.  (The steps and paths are based on Windows 2008 R2; since this is an x64 OS the paths might differ slightly if you are using an x86 OS.)

Step 1 Identify an existing CID or create a new one, and configure it.
This is the same as setting up and configuring any normal CID.

Step 2 Edit the mrinit.conf file
The mrinit.conf file is used by the RMS to route messages.  By editing the file you can configure clients to point to a new server, which then becomes a relay by virtue of handling messages other than its own.

On the machine that will be hosting the CID

  • Browse to C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP
  • Find the mrinit.conf file
  • Open the file for editing in Notepad.

  • Now edit the variable string for ParentRouterAddress.
  • The message relay must be Windows Server 2000, 2003 or 2008
  • Specify the IP, FQDN or hostname of the machine that will be the message relay (it does not have to be the CID machine)
  • Create a new text file, copy the content of the edited file into it, and save it as mrinit.conf
  • Save the changes.
  • Copy the file to the RMS folder

NOTE: the file is quite sensitive to formatting:

  • Do not edit the MRParentAddress; this should be pointing to your management server.
  • There needs to be an empty line at the bottom of the file (do not delete the final carriage return while editing)
  • The created-on date MUST be different from that of the original mrinit.conf file.  You can't copy the file, edit it and paste it into the RMS folder.

Step 3 Register the changes using ConfigCID.exe
On the machine that will be hosting the CID

  • Open a command prompt and browse to the following folder: C:\Program Files (x86)\Sophos\Update Manager
  • Use the following command line: configCID.exe "C:\programdata\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP"
  • Check for the following lines in the result:
    - Adding entry for \rms\mrinit.conf
    - Adding entry for \mrinit.conf

One more really important step

  • Reinstall the message relay machine from the updated CID.

If you check the communication report on the message relay machine you should see that the RMS router type has changed from Endpoint to Message Relay.

See Update 2 below
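Steps 2 and 3 as a script, added here as an example and not code from this post or from Sophos.  It rewrites only the ParentRouterAddress value, leaves MRParentAddress alone, writes a brand-new file into the RMS folder (so the created-on date differs and the final line break survives) and then runs configCID.exe, looking for the two "Adding entry" lines above.  Assumptions: the CID and configCID.exe paths are the Windows Server 2008 R2 ones from this post; mrinit.conf is a plain-text key=value file whose keys may or may not be wrapped in double quotes (whatever quoting is found is kept); the relay address passed at the bottom is a hypothetical placeholder.

```powershell
# Added example, not code from the blog post or from Sophos: stage an mrinit.conf in
# the CID that points clients at a message relay (Step 2) and register it with
# configCID.exe (Step 3), checking the formatting rules the post warns about.
# Assumptions: CID and configCID.exe paths are the Windows Server 2008 R2 paths the
# post gives; mrinit.conf is a key=value text file whose keys may or may not be quoted
# (quoting is preserved as found); the relay address at the bottom is a placeholder.

function Set-SophosRelayConfig {
    param(
        [Parameter(Mandatory=$true)][string]$CidPath,
        [Parameter(Mandatory=$true)][string]$RelayAddress,
        [string]$ConfigCidExe = 'C:\Program Files (x86)\Sophos\Update Manager\configCID.exe'
    )
    $source = Join-Path $CidPath 'mrinit.conf'
    $rmsDir = Join-Path $CidPath 'rms'
    $target = Join-Path $rmsDir 'mrinit.conf'
    if (-not (Test-Path $source)) { throw "mrinit.conf not found at $source" }

    # Only the ParentRouterAddress value is rewritten.  Everything before the value
    # (key, '=', opening quote) is captured so the line keeps its original shape.
    # MRParentAddress is never touched: it must keep pointing at the management server.
    $pattern = '^(?<prefix>\s*"?ParentRouterAddress"?\s*=\s*"?)(?<value>[^"\r\n]*)(?<tail>"?\s*)$'
    $lines = @()
    $matched = $false
    foreach ($line in (Get-Content -Path $source)) {
        $m = [regex]::Match($line, $pattern)
        if ($m.Success) {
            $matched = $true
            $lines += $m.Groups['prefix'].Value + $RelayAddress + $m.Groups['tail'].Value
        } else {
            $lines += $line
        }
    }
    if (-not $matched) { throw "No ParentRouterAddress line found in $source" }

    if (-not (Test-Path $rmsDir)) { New-Item -ItemType Directory -Path $rmsDir | Out-Null }
    # Set-Content creates a new file (so the created-on date differs from the original,
    # as the post requires) and terminates every line, which keeps the final line break.
    Set-Content -Path $target -Value $lines -Encoding Ascii

    # Guard rails before registering: MRParentAddress identical, trailing newline present.
    $origParent = (Get-Content $source | Where-Object { $_ -match 'MRParentAddress' }) -join ''
    $newParent  = (Get-Content $target | Where-Object { $_ -match 'MRParentAddress' }) -join ''
    if ($origParent -ne $newParent) { throw 'MRParentAddress differs between source and staged file' }
    if (-not ([System.IO.File]::ReadAllText($target)).EndsWith("`n")) {
        throw 'Staged mrinit.conf does not end with a line break'
    }

    # Register the CID and look for the two "Adding entry" lines the post lists.
    $output = & $ConfigCidExe $CidPath 2>&1 | Out-String
    foreach ($expected in @('Adding entry for \rms\mrinit.conf', 'Adding entry for \mrinit.conf')) {
        if ($output -notmatch [regex]::Escape($expected)) {
            Write-Warning "configCID output did not contain '$expected'"
        }
    }
    $output
}

Set-SophosRelayConfig -CidPath 'C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP' `
                      -RelayAddress 'relay01.example.local'   # hypothetical relay host
```

Run it on the machine hosting the CID, as an administrator.  If either warning appears, configCID did not pick the file up and the relay reinstall in the next step will not change the router type.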

Step 4 Configure machines to use the message router
Use an updating policy to point your client machines to the CID.  Any machine updating from the updated CID will now reinstall the RMS component and start using the message relay.  Since the RMS component is reinstalled and not simply updated, this needs to be considered if you are changing really resource-constrained machines.

Step 5 Check the Client
You can check the client machine in two ways.
Check the network communications report:
  • Click on Start -> All Programs -> Sophos -> View Sophos Network Communications Report
  • There should be no errors listed and the Parent Address should be the Message Relay's details.
Check the registry:
  • HKLM\Software\WOW6432Node\Sophos\Messaging System\Router\Parent Address
If you check the Sophos Management console the machine should still be updating and communicating.

Step 6 Check The Message Relay
When a machine acts as a relay it has to collect messages and send them on, and of course back again.  For this to work the message relay needs to build up a "routing table".

On the Message relay machine
  • Browse to C:\programdata\Sophos\Remote Management System\3\Router
  • If you open the table_router.txt file you should see the routes to all the message relay "clients"

  • Open the Envelopes folder.
  • If you watch this folder carefully you should see files come in and disappear right away.
  • If you have a large number of connecting machines, files can build up for a few seconds before being sent off.
This envelope queue should be monitored and checked out if machines are not communicating with the management console.  It is sometimes necessary to stop the message router service, delete the table_router.txt file and restart the service to fix a corrupted routing table.  It normally takes about 5 minutes before the queue starts decreasing.
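The two checks from Steps 5 and 6 as functions you can leave on a client and on the relay, added as an example and not code from this post or from Sophos.  The first reads the Parent Address registry value and confirms it names the relay; the second samples the Envelopes folder for a minute and flags a queue that keeps growing, which is the "corrupted routing table" situation above.  Assumptions: the registry path and Router folder are the 64-bit Windows Server 2008 R2 ones from this post, and "Parent Address" is read as a value under the Router key; the relay name and the queue-depth threshold are placeholders, not Sophos figures.

```powershell
# Added example, not code from the blog post or from Sophos: the Step 5 and Step 6
# checks as functions.
# Assumptions: registry path and Router folder as the post gives them for 64-bit
# Windows Server 2008 R2; "Parent Address" is a value under the Router key; the relay
# name and the depth threshold are placeholders.

function Test-SophosParentAddress {
    param(
        [Parameter(Mandatory=$true)][string]$ExpectedRelay,
        [string]$RouterKey = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\Messaging System\Router',
        [string]$ValueName = 'Parent Address'
    )
    $actual = (Get-ItemProperty -Path $RouterKey -ErrorAction Stop).$ValueName
    # The stored value can list the relay as FQDN, IP and short name, so look for the
    # expected name inside it rather than demanding an exact match.
    $ok = ($actual -ne $null) -and ($actual -like "*$ExpectedRelay*")
    New-Object PSObject -Property @{ ParentAddress = $actual; PointsAtRelay = $ok }
}

function Watch-SophosEnvelopeQueue {
    param(
        [string]$RouterDir = 'C:\ProgramData\Sophos\Remote Management System\3\Router',
        [int]$Samples = 6,
        [int]$IntervalSeconds = 10,
        [int]$WarnDepth = 500       # placeholder: tune to what "normal" looks like on your relay
    )
    $envelopes = Join-Path $RouterDir 'Envelopes'
    $table     = Join-Path $RouterDir 'table_router.txt'
    if (-not (Test-Path $table)) {
        Write-Warning "No routing table at $table; the relay has not built one yet"
    }
    $depths = @()
    for ($i = 0; $i -lt $Samples; $i++) {
        $depths += @(Get-ChildItem -Path $envelopes -ErrorAction SilentlyContinue |
                     Where-Object { -not $_.PSIsContainer }).Count
        if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
    }
    # A queue that is both deep and still growing at the end of the window is the sign
    # to stop the message router service, delete table_router.txt and start it again,
    # as the post describes; a short burst that drains is normal.
    $stuck = ($depths[-1] -ge $WarnDepth) -and ($depths[-1] -gt $depths[0])
    New-Object PSObject -Property @{
        Depths   = ($depths -join ',')
        MaxDepth = ($depths | Measure-Object -Maximum).Maximum
        Stuck    = $stuck
    }
}

Test-SophosParentAddress -ExpectedRelay 'relay01'     # hypothetical relay name
Watch-SophosEnvelopeQueue
```

Run the first function on a client, the second on the relay.  The Depths column is the raw sample series, so you can see a burst draining as opposed to a backlog building up.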

In small deployments the management server is often used "for everything."  As the deployment grows in size you should use CIDs that are not hosted on the management server, and the same goes for using message relays.
By using relays you can greatly increase the number of machines being managed from a single management server.


Update 1: Check out http://fixmyitsystem.blogspot.com/2010/12/troubleshooting-sophos-message-relay.html if you have issues... and you probably will


Update 2: We recently deployed another message relay and ran into some more issues.  If in step 3 you check the network communications report and the RMS router type remains showing Endpoint, you need to do the following:

Copy the cac.pem and the newly created mrinit.conf files from your CID location; typically this would be:

C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs\S0xx\SAVSCFXP\

These files also need to be placed in:

C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs\S0xx\SAVSCFXP\rms\program files\Sophos\Remote Management System\

In the same directory you need to run ClientMRinit.exe; you must Run As Administrator.

Once complete, the network communications report should correctly state that the machine is now indeed a Message Relay.

Thanks to Jacques De Villiers from Woolworths and Monique Burger from Netactix for figuring this one out.

19 November 2010

Windows Activation error code 0x80072EE2 and activation URLs

When trying to activate Windows you might encounter the following error: 0x80072EE2

This error code means the activation servers are not reachable.  This normally happens because Internet connectivity is not available.  By default in Windows 2008 onwards the Auto Detect proxy setting is not enabled.

To resolve this issue open Internet Explorer and enable the auto detect proxy setting, or manually specify your proxy settings.

For my deployment I have also allowed anonymous access through my TMG proxy to the activation servers.
(This is not required if the logged-on user has access to these sites.)

That should be it.  Try again and it should succeed.

18 November 2010

Using Sophos Update Managers and IIS sites for better WAN performance

By far the worst thing about Sophos 8 was the EM Library.  It was niggly and tricky and if it did not work properly it would freeze all the data on your console.

Ever since Sophos 9 they have been using the new and improved version of the EM Library, now called Software Update Manager (SUM).  There are a few advantages, but the one we are concerned with is that it is far more robust. See 10 reasons to use SUM

For anyone having to update a distributed environment without having a SUM at each location there is one BIG problem.  By default SUM only offers up a UNC share for the clients to update from.  This is fine for clients updating from a local SUM, but clients located at the other end of a slow link are a problem.  Using a UNC share means that the clients will use Server Message Block (SMB), aka Common Internet File System (CIFS).  The big problem with CIFS is that it is very chatty and does not like latency, both of which are a problem on a slow WAN link.  For more info check out http://en.wikipedia.org/wiki/Server_Message_Block

Fortunately the Sophos clients support updating from an HTTP source.  This means we can supplement the normal UNC share with an IIS web site.  Clients will then use HTTP, which is a far better option for a slow WAN link.  Also built into IIS we have limit controls where we can throttle down the bandwidth and the allowed open sessions.

1. Set up a SUM

  • Decide which machine you would like to use as a SUM / HTTP update server
  • Configure the SUM to be subscribed to the relevant packages
  • Update your SUM and check that the relevant CIDs are populated
  • (C:\programdata\Sophos\Update Manager\Update Manager\CIDs)
2. Install the IIS server role

  • Using server manager install the IIS role.  
  • Most role features can be left out as this will be a very basic IIS site

3. Configure your IIS Site

  • From the Actions menu select Basic Settings.
  • Change the Physical path to be C:\programdata\Sophos\Update Manager\Update Manager

  • From the middle pane open MIME Types
  • This controls what kind of data can be served through your site.  Since we are serving malware definition updates we need to add a wildcard MIME type
  • From the Actions pane click Add
  • For File name extension enter .*
  • For MIME type enter */*

  • You can now also specify IIS limits if you want. From the Actions pane select Limits
  • Specify the relevant limits you want to apply; they can be done individually or you can apply all

4. Configure an Update Policy

  • From the Sophos Enterprise Console
  • Create a new update policy
  • In the address specify the name or IP of your IIS server
  • Check that the right subscription is selected
  • You will be reminded that "The primary update location may not contain the selected software subscription - Do you want to continue anyway"
  • Apply the policy to your machines

5. Test a client and confirm that the updates succeed

  • From a client machine open the Sophos Endpoint Security and Control
  • By Clicking on Configure Updating you can verify that the update location is what you specified in the policy  (You will see that it has automatically appended the down level directories)

  • Right-click the Sophos shield in the system tray and click Update now
  • To determine that everything worked the way we want it to, open the View Updating Log

Using SUM will be a big improvement over using the EM Library.  By using IIS you can overcome the limitations and service your distributed environment with fewer SUMs, and that means fewer policies.  By using multiple IIS sites from one server you can also gain very granular control as to what is enabled or disabled.
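Steps 2 to 5 scripted, added as an example and not code from this post, Sophos or Microsoft.  It uses the WebAdministration module that comes with IIS 7.5 on Windows Server 2008 R2 to create the site on the SUM directory, add the .* / */* MIME map (without it IIS answers 404 for any extension it has no MIME type for), set the bandwidth and connection limits, and then performs the same plain HTTP GET a client does for one CID file.  Assumptions: the physical path, the MIME values and the S000\SAVSCFXP\mrinit.conf file are from this page; the site name, port and the two limit values are placeholders to adjust.

```powershell
# Added example, not code from the blog post, Sophos or Microsoft: create the HTTP
# update site with the WebAdministration module and fetch one CID file as a client would.
# Assumptions: physical path, MIME entry and S000\SAVSCFXP\mrinit.conf are from the
# page; site name, port and limits are placeholders.

Import-Module WebAdministration

function New-SophosUpdateSite {
    param(
        [string]$SiteName = 'SophosUpdate',
        [int]$Port = 8080,
        [string]$PhysicalPath = 'C:\ProgramData\Sophos\Update Manager\Update Manager',
        [int]$MaxBandwidthBytesPerSec = 524288,   # placeholder: 512 KB/s
        [int]$MaxConnections = 200                # placeholder
    )
    $sitePath = "IIS:\Sites\$SiteName"
    if (-not (Test-Path $sitePath)) {
        New-Website -Name $SiteName -Port $Port -PhysicalPath $PhysicalPath | Out-Null
    }

    # Wildcard MIME map (step 3): IIS only serves extensions that have a MIME type.
    $staticContent = 'system.webServer/staticContent'
    $hasWildcard = Get-WebConfigurationProperty -PSPath $sitePath -Filter $staticContent -Name 'collection' |
                   Where-Object { $_.fileExtension -eq '.*' }
    if (-not $hasWildcard) {
        Add-WebConfigurationProperty -PSPath $sitePath -Filter $staticContent -Name 'collection' `
                                     -Value @{ fileExtension = '.*'; mimeType = '*/*' }
    }

    # Site limits (the Limits dialog in the Actions pane): bandwidth and open connections.
    $limits = "system.applicationHost/sites/site[@name='$SiteName']/limits"
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $limits -Name 'maxBandwidth'   -Value $MaxBandwidthBytesPerSec
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $limits -Name 'maxConnections' -Value $MaxConnections
    Get-Website -Name $SiteName
}

function Test-SophosUpdateSite {
    param(
        [string]$Server = 'localhost',
        [int]$Port = 8080,
        [string]$RelativeFile = 'CIDs/S000/SAVSCFXP/mrinit.conf'
    )
    # What an endpoint does once its updating policy names this server: a plain HTTP
    # GET, so one successful download shows path, MIME map and limits are usable.
    $url = "http://${Server}:$Port/$RelativeFile"
    $client = New-Object System.Net.WebClient
    try {
        $bytes = $client.DownloadData($url)
        New-Object PSObject -Property @{ Url = $url; Reachable = $true; Bytes = $bytes.Length; Error = '' }
    } catch {
        New-Object PSObject -Property @{ Url = $url; Reachable = $false; Bytes = 0; Error = $_.Exception.Message }
    }
}

New-SophosUpdateSite
Test-SophosUpdateSite
```

The MIME map is written at site level, so it ends up in a web.config inside the SUM directory, exactly as the MIME Types page in the console would do it.  Run Test-SophosUpdateSite from a machine on the far side of the WAN link as well; the limits only matter once the request crosses it.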

15 November 2010

Outlook Web with mobile devices and custom forms

In http://fixmyitsystem.blogspot.com/2010/11/customise-tmg-exchange-forms.html I cover how to change the Exchange login form.  Something to note is that when using the Exchange forms the mobile templates are not available unless you explicitly put them on each TMG server.

Using the default paths you need to copy the cHTML and xHTML folders from

C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates\ISA

to

C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates\Exchange

Now you will have forms that will allow web enabled mobile devices to authenticate.

The default look of the forms is really bland.  Basically no text and a black and white Microsoft logo at the top.  This does not really inspire any confidence in a user that they have reached the site they are looking for.

Same as with the HTML form, you can specify different string values to populate existing fields in the various pages.  But here you are going to have to check the pages to see what string values are used.

To change the graphic at the top of the form you need to edit the mslogo.gif file.  Once you are done copy the changed files to all the array nodes and restart.

Here is my before and after graphic.  Just to show what a difference it can make.

I know, I know again with that pesky fruit logo.

12 November 2010

Customise TMG Exchange forms authentication page

When publishing Exchange web access through TMG or ISA the supported method for authentication is forms based authentication.

By default you have two choices.  You can go for the standard TMG template (still called ISA) or you can use the Exchange template.

These templates are located in C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates\

  • HTML—Intended for standard browsers. 
  • cHTML—Intended for browsers that support cHTML, such as i-mode mobile devices.
  • xHTML—Intended for browsers that support xhtml-mp, such as Microsoft Windows Mobile® and other mobile devices.

We are going to be looking at the HTML version.  There are many different pages that can be changed if you really want to, but all you need to do to change the look and feel of the page is to edit a few images and change a few text strings.

The key images you will probably want to change are the following:

  • lngtopl.gif
  • lngtopr.gif
  • lngbotl.gif
  • lngbotr.gif
In my case I would like to keep the general Office 2010 theme going. I would just like to insert my company logo and change some of the text. I also want to change the colour to something more in line with my corporate image.

All the text on the pages is dynamically retrieved from the strings.txt file. Here is a small part of it so you can get the idea.

;Strings used in login page

L_LoginButton_Text="Log On"
L_WindowTitle_Text="Microsoft Forefront TMG"
L_ShowDetail_Text="show explanation"
L_HideDetail_Text="hide explanation"
L_ShowSimpleUI_Text="I have a slow Internet connection. If you select this option, the Web applications you use may offer fewer features, but will provide a better experience in some situations."
L_UIBasicDescription_Text="The basic client provides fewer features than the full-featured client but offers faster performance. Use the basic client if you are on a slow connection."

You can open the individual html pages and look for the variable string values or you can look at the rendered page and search the file for the text string you want to change.

There are also two style sheets, one for the fonts, owafont.css, and another for styles, logon_styles.css.  I use SharePoint Designer to edit these so that the colours are in line with my corporate ones.

Editing logon_styles.css, I change the following styles that contain yellow / orange definitions.
  • select,text
  • input.btn
  • .btnOnFcs
  • .btnonmseover
  • .btnonmsedwn
  • a
  • .wrng
Last but not least, I also want to change the favicon (the little icon in the address bar). I created an .ico file of the corporate logo and replaced the original one.

Now to put this all together.  Copy your edited files to all the nodes in the array, and restart.

If it were not for writing this blog while I was doing the changes, you are looking at about 15 mins worth of effort; not bad considering the corporate gratitude and salary increase you will be receiving...

The official guide is here: http://technet.microsoft.com/en-us/library/ee914625.aspx But they don't have pictures :)

Okay, you got me - I don't work for Apple - just trying to get an iPad to work so it was top of mind when looking for an alternative logo...
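Both this post and the mobile-forms one above end with "copy the files to all the array nodes", and with several nodes it is easy to end up with one node serving the old form.  Here is that copy as a script, added as an example and not code from these posts or from Microsoft: edit the template folder on one node (including the cHTML and xHTML folders you copied in from the ISA template), then push it to every node over the admin share and compare a SHA-256 of every file on both ends so you know each node has exactly what you tested.  Assumptions: the template path is the one these posts give; the node names are placeholders; the restart the post calls for is left to you, since the script only stages files.

```powershell
# Added example, not code from the blog posts or from Microsoft: push a customised
# CookieAuthTemplates folder to every TMG array node and verify byte-for-byte.
# Assumptions: template path from the posts; node names are placeholders; the
# restart after copying is done manually, as in the post.

function Get-FileSha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ([BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function Publish-TmgFormTemplates {
    param(
        [Parameter(Mandatory=$true)][string[]]$ArrayNodes,
        [string]$SourceDir = 'C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates\Exchange',
        [string]$RemoteRelativeDir = 'Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates\Exchange'
    )
    $SourceDir = $SourceDir.TrimEnd('\')
    $files = @(Get-ChildItem -Path $SourceDir -Recurse | Where-Object { -not $_.PSIsContainer })
    foreach ($node in $ArrayNodes) {
        $remoteRoot = "\\$node\c$\$RemoteRelativeDir"
        if (-not (Test-Path $remoteRoot)) { New-Item -ItemType Directory -Path $remoteRoot | Out-Null }
        $mismatch = 0
        foreach ($file in $files) {
            # Keep the relative layout (HTML, cHTML, xHTML subfolders) intact on the node.
            $relative = $file.FullName.Substring($SourceDir.Length).TrimStart('\')
            $dest     = Join-Path $remoteRoot $relative
            $destDir  = Split-Path -Path $dest -Parent
            if (-not (Test-Path $destDir)) { New-Item -ItemType Directory -Path $destDir | Out-Null }
            Copy-Item -Path $file.FullName -Destination $dest -Force
            # Compare hashes rather than trusting the copy: a locked file on a node
            # would otherwise silently keep the old form.
            if ((Get-FileSha256 $file.FullName) -ne (Get-FileSha256 $dest)) { $mismatch++ }
        }
        New-Object PSObject -Property @{ Node = $node; Files = $files.Count; Mismatched = $mismatch }
    }
}

Publish-TmgFormTemplates -ArrayNodes @('tmg01', 'tmg02')   # hypothetical node names
```

Any node reporting Mismatched above zero has not taken the new files; fix that before the restart, or that node will keep presenting the old form to whichever users land on it.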

05 November 2010

TMG rule organising enhancements

One of the nice new features in TMG 2010 is that it is a lot easier to manage your rules, especially if you have a lot of them.

The first feature I want to explore is the search.   If you have ever had an ISA deployment where you publish multiple web applications you will know that the list can get quite long and tedious to look through to find that one rule you want to look at.  Sure, a really good naming convention will take you a long way, but there comes a time when it just does not cut it anymore.


The search allows you to find the rule you are looking for based on:

Free Text
Any free text. If you use free text, the search result contains all the matches in text-based properties, as well as matches in non-text properties defined as "searchable".
  • "default rule" finds the rules containing this string.
  • Default rule finds the rules containing the word default and the word rule. For example, a rule containing a listener with the following description: Many rules, all defaulted to this listener

Name:Value
The Name is a column name or a distinct UI property (e.g. Content Type) in the Firewall Policy node of the Forefront TMG Management console. The Value is one of the allowed values for this Name.
The result of the search contains all the matches within the available values of Name, including values of implied sub-properties.
  • From:Internal To:External Protocol:HTTP finds the rules that provide Web access.
  • Action:Allow Condition:"All Users" Listener:MyListener finds the rules allowing access to all users via a Web listener named MyListener.

Property:Value
The Property is a COM property name as defined in the Forefront TMG SDK. The Value is one of the allowed values for this Property.
The result of the search contains all the matches within the available values of Property, including values of implied sub-properties.
  • Type:fpcPolicyRuleAccess finds the access rules.
  • SourceSelectionIPs:Internal DestinationSelectionIPs:External SpecifiedProtocols:HTTP finds the same rules that From:Internal To:External Protocol:HTTP finds.

All in all pretty impressive really, considering it was not in ISA at all!
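The Property:Value form is really the TMG COM object model showing through, which means the same search can be done from a script when you want a list rather than a console view (for a rule audit, say).  Added as an example and not code from this post or from the TMG SDK, this walks the array policy through FPC.Root and filters on the same properties the search uses.  Assumptions: the numeric value 0 for fpcPolicyRuleAccess is the SDK enumeration value as I remember it and should be checked against the SDK before you rely on it; the rest of the property names (Name, Type, Action, Enabled, Order, SpecifiedProtocols) are the documented FPCPolicyRule members.

```powershell
# Added example, not code from the blog post or from the TMG SDK: reproduce a
# Property:Value search by walking the firewall policy through the TMG COM objects.
# Run on an array member as an administrator.
# Assumption: 0 is fpcPolicyRuleAccess in the SDK's fpcPolicyRuleTypes enumeration;
# verify against the SDK, the raw Type number is printed so you can see it.

function Find-TmgRule {
    param(
        [string]$NameContains = '',   # free-text style match on the rule name
        [int]$Type = -1,              # -1 = any type; 0 = access rules (assumed value)
        [string]$Protocol = ''        # e.g. 'HTTP', matched against SpecifiedProtocols
    )
    $root  = New-Object -ComObject 'FPC.Root'
    $rules = $root.GetContainingArray().ArrayPolicy.PolicyRules
    foreach ($rule in $rules) {
        if ($NameContains -and ($rule.Name -notlike "*$NameContains*")) { continue }
        if (($Type -ge 0) -and ($rule.Type -ne $Type)) { continue }
        # SpecifiedProtocols only lists entries when the rule is limited to chosen
        # protocols; a rule that applies to all traffic shows an empty list here.
        $protocols = @()
        foreach ($p in $rule.SpecifiedProtocols) { $protocols += $p.Name }
        if ($Protocol -and ($protocols -notcontains $Protocol)) { continue }
        New-Object PSObject -Property @{
            Order     = $rule.Order
            Name      = $rule.Name
            Type      = $rule.Type
            Enabled   = $rule.Enabled
            Action    = $rule.Action
            Protocols = ($protocols -join ',')
        }
    }
}

# The script equivalent of "Type:fpcPolicyRuleAccess SpecifiedProtocols:HTTP" from the post.
Find-TmgRule -Type 0 -Protocol 'HTTP' | Sort-Object Order | Format-Table Order, Name, Enabled, Action, Protocols -AutoSize
```

Because the output is objects, piping it to Export-Csv gives you a dated snapshot of the policy; diffing two snapshots is a quick way to spot a rule that changed when nobody recorded a change.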

Rule Groups
Groups allow you to group together rules that belong together.  As an example, you may have an application that you publish that requires a few rules to handle the various allows, blocks and redirects.  You can now create the separate rules and put them in a group.  It does not impact how the rules work; it just displays or hides them as a pack.

Limitations:
  • You cannot create sub-groups.
  • Rules must be in sequential number order to be able to group them.
  • Rules cannot be added to an existing group; you have to ungroup the rules, then select the old and new rules and group them again.

Following a good naming convention is always a good idea and allows you to visually and logically organise your rules in a way that makes sense to you, the administrator, even if it does not make sense to DD.  The new features have been added to handle increasing numbers of rules. Take the time to plan how you want to use them and they can make finding the right rule a breeze.

04 November 2010

Generating a self signed certificate for HTTPS and FTP-ES

From time to time you will need a certificate for testing.  You can go the route of requesting one from your local PKI / CA, but you can also generate a self-signed certificate from the IIS management console.

  • Open the IIS Management console
  • At the server level select Server Certificates

  • From the Actions Pane click on "Create self-signed certificate"
  • Specify a friendly name
  • Click OK

  • The certificate will now be listed
  • To check it out, double-click the friendly name and the certificate will open up
  • You will note that the Issued To and Issued By are the same, and hence it is a self-signed certificate

The limitation of self-signed certs is that they are not trusted by anyone.
But they can be handy from time to time, and in cases like FTP-ES it does not really matter what cert you use as long as you use one to enable the encryption.
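The "issued to equals issued by" check above is easy to script across the whole machine store, and it is worth doing from time to time because test certificates have a habit of outliving the test.  Added as an example and not code from this post: it lists every self-signed certificate in the local machine's personal store and, for each, asks Windows to build the chain, which is the same verdict a client on this machine would reach (the "not trusted by anyone" limitation shows up as UntrustedRoot).  Assumptions: only the standard .NET X509 classes are used; the friendly-name filter is a placeholder.

```powershell
# Added example, not code from the blog post: find self-signed certificates
# (Subject equal to Issuer) in the machine store and report whether this machine
# would trust each one.  Assumption: none beyond the .NET X509 classes.

function Get-SelfSignedCertificate {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [string]$FriendlyName = '*'      # placeholder filter, e.g. 'FTP-ES test'
    )
    $certs = Get-ChildItem -Path $StorePath | Where-Object { $_.FriendlyName -like $FriendlyName }
    foreach ($cert in $certs) {
        # The post's check: Issued To and Issued By are the same on a self-signed cert.
        if ($cert.Subject -ne $cert.Issuer) { continue }
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Revocation is irrelevant for a self-issued cert and would only add network noise.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $trusted = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $chain.Reset()
        New-Object PSObject -Property @{
            FriendlyName         = $cert.FriendlyName
            Subject              = $cert.Subject
            Thumbprint           = $cert.Thumbprint
            NotAfter             = $cert.NotAfter
            TrustedByThisMachine = $trusted
            ChainStatus          = $status     # empty when trusted, e.g. 'UntrustedRoot' when not
        }
    }
}

Get-SelfSignedCertificate | Format-Table FriendlyName, Subject, NotAfter, TrustedByThisMachine, ChainStatus -AutoSize
```

A self-signed certificate that reports TrustedByThisMachine as True has been placed in the Trusted Root store at some point; that is fine for a deliberate FTP-ES test box, but on a production server it deserves a second look.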

01 November 2010

Sophos client not communicating with Enterprise Console

While testing the new version of Sophos I ran into this error.

I have existing client machines currently running Sophos Endpoint 8.  To test, I installed a separate server with Enterprise Console 9.  I then manually installed on a few client machines.

I would install the client from the Enterprise Console's own CID.  The install would complete successfully but there would be no comms from the client to the server.  Running the Sophos Communications report showed that there was an error, but it was listed as the rather generic:

Sophos Anti-Virus cannot report to Sophos Enterprise Console (SEC) or receive new security policies. 
This is because it is using an SSL certificate that is incompatible with the SEC server. 
Sophos Anti-Virus should be reinstalled by the system administrator.

This indicates that there is an issue with the server certificate, and the listed solution is to reinstall the client from the CID....  This is exactly what got me to this point in the first place.

I finally found the problem.  The message router is specified by the mrinit.conf file.  This file is retrieved from the CID.  My client machines however had a file that remained after the Sophos client was uninstalled.  This file was called mrinit.conf.orig and contained the original Sophos server's address.  If I manually removed this file then the install would succeed without any issues.  This is however not practical for a large deployment.  The fix for this was to copy the mrinit.conf file from the CID and rename it to mrinit.conf.orig.  Copy these two files into the RMS folder of the CID.  Then by running configCID these files are included in the CID.

Now when you install, the problem-causing mrinit.conf.orig file is overwritten and all things work nicely again.
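The fix above as a script, added as an example and not code from this post or from Sophos: it stages mrinit.conf and an identical mrinit.conf.orig in the CID's RMS folder, runs configCID.exe and reports whether both files were picked up, and a second function finds any leftover mrinit.conf.orig on a client and tells you whether it still differs from the CID's current mrinit.conf (which is the stale-server case that produced the certificate error).  Assumptions: the CID and configCID.exe paths are the Windows Server 2008 R2 ones from the message relay post on this page; the CID's rms subfolder is what the post calls the RMS folder; the "Adding entry" line for the .orig file is expected by analogy with the lines the relay post shows; the client-side search roots are the Sophos program folders and are a guess.

```powershell
# Added example, not code from the blog post or from Sophos: stage mrinit.conf.orig in
# the CID's RMS folder, register it, and find stale copies on a client.
# Assumptions: CID and configCID.exe paths from the relay post on this page; 'rms' is
# the RMS folder; the .orig "Adding entry" line is expected by analogy; the client
# search roots are a guess.

function Repair-SophosCidMrinit {
    param(
        [string]$CidPath = 'C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP',
        [string]$ConfigCidExe = 'C:\Program Files (x86)\Sophos\Update Manager\configCID.exe'
    )
    $conf   = Join-Path $CidPath 'mrinit.conf'
    $rmsDir = Join-Path $CidPath 'rms'
    if (-not (Test-Path $conf)) { throw "No mrinit.conf in $CidPath" }
    if (-not (Test-Path $rmsDir)) { New-Item -ItemType Directory -Path $rmsDir | Out-Null }

    # Both names go into the RMS folder: the installer then overwrites any leftover
    # mrinit.conf.orig on the client with one naming the current server.
    Copy-Item -Path $conf -Destination (Join-Path $rmsDir 'mrinit.conf')      -Force
    Copy-Item -Path $conf -Destination (Join-Path $rmsDir 'mrinit.conf.orig') -Force

    $output = & $ConfigCidExe $CidPath 2>&1 | Out-String
    $picked = @()
    foreach ($entry in @('\rms\mrinit.conf', '\rms\mrinit.conf.orig')) {
        if ($output -match [regex]::Escape("Adding entry for $entry")) { $picked += $entry }
    }
    New-Object PSObject -Property @{ EntriesAdded = ($picked -join ','); AllIncluded = ($picked.Count -eq 2) }
}

function Find-StaleMrinitOrig {
    param(
        [Parameter(Mandatory=$true)][string]$CurrentConf,   # the CID's mrinit.conf to compare against
        [string[]]$SearchRoots = @("$env:ProgramFiles\Sophos", "${env:ProgramFiles(x86)}\Sophos")
    )
    $wanted = Get-Content $CurrentConf
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Filter 'mrinit.conf.orig' -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Stale = the leftover file does not match what the CID hands out now,
                # i.e. it still names the old server.
                $diff = Compare-Object -ReferenceObject $wanted -DifferenceObject (Get-Content $_.FullName)
                New-Object PSObject -Property @{ Path = $_.FullName; Stale = (($diff | Measure-Object).Count -gt 0) }
            }
    }
}

Repair-SophosCidMrinit
Find-StaleMrinitOrig -CurrentConf 'C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP\mrinit.conf'
```

Run Find-StaleMrinitOrig on a client that shows the certificate error before reinstalling; a Stale result confirms this is the cause rather than a genuine certificate problem on the server.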