Is it a false security alert? - offset

I'm getting this alert:
Microsoft Kodak Imaging small offset malformed tiff-small endian
I scanned the affected system with an antivirus: no infection found. Is this a false IPS alert?

Assume that the alert is true. The only way to know for sure is to submit the file to the maker of the software giving the alert and ask them to verify.
Here is an explanation of that alert:
Kodak Image Viewer in Microsoft Windows 2000 SP4, and in some cases XP
SP2 and Server 2003 SP1 and SP2, allows remote attackers to execute
arbitrary code via crafted image files that trigger memory corruption,
as demonstrated by a certain .tif (TIFF) file.
https://www.snort.org/rule_docs/1-34135

Related

Can't set the priority of a service

I noticed that my fan goes up a lot on occasion for no apparent reason. Investigation shows that it's the process Antimalware Service Executable, the service Windows Defender Antivirus Service and the file executed is MsMpEng.exe.
I want it to be able to run still but not go bananas, so I tried to set its priority to low. However, Windows barked at me that the operation could not be completed and that access was denied.
How can I force the service to run at a limited performance?
You can't, by design. That "by design" means that if you find a hack, a future security update of Windows will likely render your hack inoperable.
The key word here is "security". The whole point of anti-malware is that it detects malware even when the malware tries to avoid detection. To make that work, Windows treats anti-malware software as a special case and offers it additional protection. If there was an answer to your question, it would be treated by Microsoft as a bug.

Prevent self-developed software from being diagnosed as a virus

Let me describe my situation. I develop some accounting software in VB WinForms. Normally my software will modify the registry to set the Office trusted location and check whether the user who reads the registry has admin authority. However, I found that VirusTotal has no problem scanning my exe on the first day after I developed the software. But after a few days, VirusTotal will say that my exe is a virus, which makes my exe get detected as a virus by the antivirus on another computer, even though I ran a scan on VirusTotal on the first day.
Why is it not a virus on the first day, but later diagnosed as a virus?
Is reading or modifying the registry the cause of it being diagnosed as a virus?
Is there any documentation of behavior that is not allowed?
What can be done to avoid this problem other than filing a false-positive report after it is detected as a virus?
Antivirus software works based on heuristics and signatures. In your case an actual virus may have similar behavior, e.g. because it modifies the same registry entries, which leads to the false positive. There is no "documentation on what is allowed"; otherwise somebody writing an actual virus would use that as a rule book to evade detection. The delay in detection is likely caused by the antivirus software performing a periodic scan, which only then checks your executable.
Most antivirus software allows you to mark files or directories as trusted and exclude them from scanning. This may be a suitable solution for you.

Site on two different servers

I'm considering taking a web server in China to reduce site loading times for China/Chinese users. The problem is, how do I sync/keep the same data between the two sites? When editing content on the site, it should push these changes to the site on the Chinese server.
Server is running Linux, Apache and MySQL. Website is using WordPress.
FYI I'm already using CDN and site loading speed is still too long from China.
Basically your solution would need to...
Copy the entire contents of your http'd directory from the main server to the Chinese server.
Copy the entire contents of your MySQL database from the main server to the Chinese server.
Perform these tasks at a regular interval without manual intervention.
I can guide you to references that will help with each task and sometimes can show you a quick example. However, if you want to get it to work and especially if you want to optimize the process, you're going to have to look through the references yourself.
If I didn't do it this way this answer would get even more horrendously long than it already is.
Before we start you should remember...
Thing 0 - Please Try Not to be Intimidated by the Length of this Answer
I know I've written a lot, perhaps more than I should have, but I guarantee you are capable of implementing this in no more than a day. I have tried to be thorough but that does not mean that what I'm describing is particularly complicated.
Thing 1 - Shutdown your Chinese Server During Transfer
This transfer of data is going to make your Chinese server unusable while it's in progress, as you might have guessed. You need to make sure that your Chinese server is not operational during the transfer. Otherwise the server might have only partial data available, which could cause problems for both client and server, particularly in relation to MySQL.
Thing 2 - Use Compression as much as You Can
As time consuming as compression and decompression can be for large amounts of data, believe me it is nothing compared to the time you will waste sending the uncompressed data to China. Network usage, not processor time, is really going to be the limiting factor in getting the transfer done quickly. Try to send compressed files whenever possible.
Thing 3 - Try to Use Checksums
Sending all your data, particularly in compressed format, will leave it vulnerable to corruption in transit. Whenever you send a file I encourage you to use some kind of checksum on the data to verify that it has not been corrupted. For brevity I will not be showing you how to do this but I'm sure you're smart enough to figure out how to pepper in some verification.
In case you're not familiar with checksums, the Wikipedia article about them is pretty straightforward. The most commonly used are MD5 and SHA-1, but both of those are somewhat collision prone. I would recommend SHA-2 (also called SHA-256/512) or the very new SHA-3.
Copying your Http'd Directory to the Chinese Server
As far as I know (and I could be wrong) there is no built-in way to transfer files from one Apache server to another, so you're going to have to write your own script for this.
You're also going to need to have two separate scripts: one for the main server and one for the Chinese server. Here's a breakdown of what each script needs to do.
On your main server...
Log in as your Apache server's user. (Reference for switching users.)
zip/gzip/tar.gz your http'd directory's contents. (Reference for zip. Reference for gzip. Reference for tar.)
scp (secure copy) the compressed file to your Chinese server. Make sure to copy it to the username that Apache runs under. (Reference for scp.)
Delete the compressed file.
Initiate the Chinese server's script (this will be discussed later).
You will likely be using a shell script for all of this, so I hope you're familiar with the terminal. A simple example would look like this.
#!/bin/sh
## First I'll define some variables to explain this better.
APACHE_USER="whatever your Apache server's username is (usually it's www-data)"
WWW_DIR="your http'd directory (usually it's /var/www)"
CHINA_HOST="the host name/IP address of your Chinese server"
CHINA_USER="Apache's username on the Chinese server"
CHINA_HOME="the home directory of the Apache user on your Chinese server"
## No password variable: scp reads passwords from the terminal, not from stdin,
## so piping one in does not work. Set up an SSH key pair for $APACHE_USER and
## put its public key in the Chinese user's ~/.ssh/authorized_keys instead.
## Now to the real scripting. I will be using zip for compression.
## A bare "su" would open an interactive shell, and the lines after it would run
## as the original user, so the whole job is handed to sudo -u as one command.
sudo -u "$APACHE_USER" sh -c '
  cd "${TMPDIR:-/tmp}" &&
  zip -r copy.zip "$1" &&
  scp copy.zip "$2@$3:$4/" &&
  rm copy.zip
' sh "$WWW_DIR" "$CHINA_USER" "$CHINA_HOST" "$CHINA_HOME"
## Then you initiate the next step of the process.
## Like I said this will be covered later.
On your Chinese server...
Log in as the Apache user.
Delete the content of the http'd directory (probably /var/www relative to ~).
Decompress the scp'd file (this will change depending on how you compressed it).
Copy the decompressed directory to the http'd directory (this step is unnecessary if you choose to compress with zip).
Delete the compressed, scp'd file.
Notify main server to continue next step (again, will be discussed later).
This is pretty straightforward and I don't think you need another example for this part.
Copying the MySQL Database Contents
You can find a good reference for how to do this in this article from the MySQL website. Basically copying database contents is a built-in feature. Try to make use of the compression options!
Performing these Tasks at Regular Intervals without Manual Intervention
Ok this is where things get kind of complicated.
The first thing you need to know is how to schedule tasks at regular intervals on Linux. This is done with a command line tool called crontab. You can see good examples for setting up cron jobs in this article, and the full crontab documentation here.
However what will take more skill than just scheduling the job at regular intervals will be synchronizing the data transfer. If you simply set one server to send data at a certain time and the other to receive it at a certain time, you will get many bugs. Be sure of that.
My recommendation would be to create a socket in the Chinese server that listens for instructions from the main server.
This can be done in a variety of languages. Because you're using Linux I would recommend doing this in C, but it can be done in almost any language including Bash.
A full example would be too much but basically this will be the flow of what you have to do.
Socket in China listens for connections.
Cron job in main server connects to China socket.
Main server authenticates itself.
Chinese server stops Apache, stops accepting requests.
Chinese server acknowledges authentication approved.
Main server scp's website contents to Chinese server.
Main server tells Chinese server that scp is complete.
Chinese server replaces Apache's http'd directory's contents with the data that has been scp'd.
Chinese server announces success to main server.
Main server copies MySQL data.
Main server tells Chinese server process is complete.
Chinese server resumes Apache service.
Chinese server notifies main server that service is resumed.
Socket is closed.
Chinese server goes back to listening for connection from main server.
I hope this helps!
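The receiving side of the flow above, as an added example that is not part of the answer: verify the transferred archive with the SHA-256 checksum the answer recommends, and only then replace the web root. It assumes a tar.gz archive (one of the formats the answer lists), a sender that ships the digest in a companion file, and paths passed as arguments.

```shell
#!/bin/sh
# Receiver side for the Chinese server (added example, not the answer's own script):
# check the transferred archive against the checksum sent with it, and only then
# swap it into the web root. Archive format (tar.gz) and paths are assumptions.

sha256_of() {
    # sha256sum on Linux (coreutils); shasum as a fallback where it is absent
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

verify_archive() {
    # $1 = archive, $2 = file whose first field is the expected SHA-256 digest
    expected=$(cut -d' ' -f1 "$2")
    actual=$(sha256_of "$1")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

deploy_archive() {
    # $1 = verified archive, $2 = live web root (e.g. /var/www)
    archive="$1"; webroot="$2"; staging="${webroot}.new.$$"
    mkdir -p "$staging"
    # Unpack into a staging directory first: a corrupt archive then never leaves
    # the live directory half-emptied, the partial-data problem the answer warns about.
    tar -xzf "$archive" -C "$staging" || { rm -rf "$staging"; return 1; }
    rm -rf "${webroot}.old"
    [ -d "$webroot" ] && mv "$webroot" "${webroot}.old"
    mv "$staging" "$webroot" && rm -rf "${webroot}.old"
}

receive_site() {
    # $1 = archive, $2 = checksum file, $3 = web root; non-zero status on any failure
    if ! verify_archive "$1" "$2"; then
        echo "checksum mismatch for $1, refusing to deploy" >&2
        rm -f "$1"
        return 1
    fi
    deploy_archive "$1" "$3" && rm -f "$1"
}
```

Run it as the Apache user after the scp step, e.g. `receive_site ~/copy.tar.gz ~/copy.tar.gz.sha256 /var/www`; a mismatching digest leaves the current site untouched.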

Capture HTTPS traffic from VSTO in fiddler

I am using an Excel VSTO add-in and I want to capture the HTTPS traffic using Fiddler (v4.5.0.0). The add-in downloads data (reports) from the server into the spreadsheet; it also has a pop-up that allows authentication and selection of the elements of the reports.
I am able to capture and decode traffic from all browsers and I have already imported the cert using Internet Options...
I have set Excel's Trust Centre options to the minimum security, allowing as much as I could.
Yet when I enable capturing in Excel, no matter whether with or without decoding, the add-in does not work, and if I enable it after logging in using the VSTO's pop-up it shows me a "connection impossible" error.
Any suggestions?
Thanks
I believe the issue is not related to VSTO because there is no difference between a regular .Net application and VSTO add-ins from the Fiddler point of view. Try to reproduce the issue with a regular .net application and Fiddler.
I have found a (temporary and shabby) workaround:
I try several times enabling and disabling the decrypt option and after a few attempts it works. Note that I had already tried to repeat the request without disabling decryption with no result.
I have also enabled all the SSL and TLS versions supported by Fiddler for good measure.
I will try EmilLaw's suggestion to see what IE says, but for now I am under time pressure as I need to debug a few reports for customers.
Thanks guys for the suggestions!!

Why won't Entourage work with Exchange 2007?

So this is IT more than programming but Google found nothing, and you guys are just the right kind of geniuses.
My Exchange Server 2007 and Entourage clients don't play nice.
Right now the big issue is that the Entourage client will not connect to Exchange 2007 (Entourage 2004 or 2008).
The account settings are correct and use the proper format of https://exchange2007.mydomain.com/exchange/user@domain.com
The issue is with a DLL called davex.dll: when it is where it belongs, the OWA application pool crashes and a whole bunch of nasty things happen.
When it isn't there, I can connect to everything fine, and the OWA app pool doesn't crash, but Entourage never propagates the folders in the mailbox and doesn't send or receive.
Any help or ideas would be appreciated: Microsoft support is silent on the issue, and Google doesn't turn up much.
Try it without using the /exchange in the server properties field. Here's a link with relevant info.
davex.dll is the legacy WebDAV component for Exchange Server, which Entourage uses. Your first step should be investigating why the application pool crashes. My guess is that Entourage can't do anything when the DLL isn't present because WebDAV is not responding to any requests.