

Slow Performance

Slow performance was addressed previously in this chapter in relation to operating system issues. Viruses, worms, and other malware can slow performance because they consume CPU, memory, disk, and network resources that the other applications and services must share. By using the tools previously discussed in this chapter, such as Task Manager and Resource Monitor, you can identify applications that are slowing performance of the operating system. If the application identified is not a known program that you installed on the system and it is consuming resources, it may be malicious and should be terminated (and its file location and origin noted before it is removed, so you know how it got there).

Internet Connectivity Issues

If your computer is hooked up to a network, you need to know when your computer is not functioning properly on the network and what to do about it. In most cases, the problem can be attributed either to a malfunctioning network interface card (NIC) or to improperly installed network software. The biggest indicator in Windows that some component of the network software is nonfunctional is that you can't log in to the network or access any network service. To fix this problem, you must first fix the underlying hardware problem (if one exists) and then properly install or configure the network software.

In some situations, Internet connectivity issues can be related to security threats. Although you appear to have lost Internet connectivity, the NIC may be working fine; the real problem is a malicious program that has crashed or is not operating as its creator intended. This kind of malware inserts itself as a proxy for the system's network traffic, so when it fails, the traffic it was relaying fails with it. Such malware is usually intent on stealing credentials or banking information, but it can also be used to inject ads and cause browser redirection, as previously discussed. Not all malware that causes Internet connectivity issues acts as a proxy. Some malware changes network settings, such as your DNS servers.
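The settings this kind of malware tampers with (the DNS servers configured on each interface, the per-user WinINET proxy, the system-wide WinHTTP proxy, and the hosts file) can be checked in one pass. The following PowerShell function is an added example, not code from the chapter; the function name, the ExpectedDns parameter and its default resolver addresses are assumptions chosen for illustration.

```powershell
# Added example (not from the chapter): audit the network settings that
# proxy- and DNS-hijacking malware tampers with. Run in Windows PowerShell on
# Windows 8 / Server 2012 or later (Get-DnsClientServerAddress comes from the
# DnsClient module). The expected resolver list is an assumption for this example.
function Test-NetworkHijack {
    param(
        # Assumption: the resolvers your DHCP server or GPO actually hands out.
        [string[]]$ExpectedDns = @('10.0.0.53', '10.0.0.54')
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. DNS servers configured on each IPv4 interface that has any.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            $bad = $_.ServerAddresses | Where-Object { $_ -notin $ExpectedDns }
            if ($bad) {
                $findings.Add("DNS: '$($_.InterfaceAlias)' uses unexpected resolver(s): $($bad -join ', ')")
            }
        }

    # 2. Per-user WinINET proxy, which browsers and most user-mode applications honour.
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if ($inet.ProxyEnable -eq 1) { $findings.Add("Proxy: WinINET proxy enabled -> $($inet.ProxyServer)") }
    if ($inet.AutoConfigURL)     { $findings.Add("Proxy: PAC script configured -> $($inet.AutoConfigURL)") }

    # 3. System-wide WinHTTP proxy, used by services such as Windows Update.
    $winhttp = (netsh winhttp show proxy) -join ' '
    if ($winhttp -notmatch 'Direct access') { $findings.Add("Proxy: WinHTTP proxy set -> $($winhttp.Trim())") }

    # 4. hosts-file entries: any address-to-name line that is not a localhost
    #    mapping is a static override that wins over DNS resolution.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hostsPath |
        Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and $_ -notmatch '\slocalhost\s*$' } |
        ForEach-Object { $findings.Add("hosts: $($_.Trim())") }

    if ($findings.Count -eq 0) { 'No DNS/proxy/hosts anomalies found.' }
    else { $findings }
}

Test-NetworkHijack
```

Run it from an elevated Windows PowerShell prompt. The DNS check is only as good as the expected list you supply, so on a DHCP network compare against what the DHCP server really hands out. If something has been tampered with, `netsh winhttp reset proxy`, clearing ProxyEnable and AutoConfigURL in the Internet Settings key, and `Set-DnsClientServerAddress -InterfaceAlias <alias> -ResetServerAddresses` restore the defaults; do that after the malware that set them has been removed, or it will simply set them again.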
DNS-hijacking malware of this kind causes browser redirection by controlling what names you resolve through its DNS servers. It is also common for malware to change your system proxy so that all requests go through the attacker's remote proxy.

PC/OS Lock Up

It is obvious when a system lockup occurs: the system simply stops responding to commands and stops processing completely. System lockups can occur when a computer is asked to process too many instructions at once with too little memory. The cure for a system lockup usually is to reboot. If the lockups are persistent, they may be hardware-related problems instead of software problems.

In rare cases, the lockup can be attributed to malware or a virus on your operating system. Malware is often poorly written and can leak memory, robbing resources until the operating system eventually locks up. If you suspect that a malicious application is causing the lockup, run an antivirus scan to identify and remove the threat.

Application Crash

When an application crashes, you want to isolate the cause of the crash (it could be a compatibility issue, a hardware issue, or a host of other problems) and solve it. One step to take early on is to look for updates, patches, or fixes to the application released by the vendor, as previously discussed in this chapter. Be sure to try these updates on a test machine before rolling them out to all machines, and verify that they address the problem without introducing new problems.

Remember that there are two universal solutions to Windows problems: rebooting and obtaining an update from the software manufacturer. If neither of these solutions works, your hardware could be causing the problem.

Application crashes can also be attributed to malware or viruses. When malware tries to hook into an application, such as a web browser, it can make the application crash unexpectedly.
This is mainly because malware and viruses are often not well written; hooking an application with sloppy code is like opening a can with a hammer: it may work, but it won't be pretty. If a malicious application is suspected, a complete virus scan should be run on the operating system.

Dr. Watson?

Earlier versions of Windows included a special utility known as Dr. Watson that intercepted all error conditions and, instead of presenting the user with a cryptic Windows error, displayed a slew of information that could be used to troubleshoot the problem. Dr. Watson has since been removed; Windows 7 and later include a feature called Problem Reports. To access Problem Reports, click the Start menu, type Problem Reports, and then select it from the results, as shown in Figure 24.45. The reports allow developers to identify problems with their applications. The reports can also tell you if malware or a virus is crashing the system.

Figure 24.45 Problem Reports

OS Update Failures

Failed updates for Windows (assuming they aren't caused by connectivity issues) can often be traced to misconfigured settings. These settings can also cause the operating system to report that an update needs to be installed when it has already been installed. The best solution is to note the error code being reported, run the Windows Update Troubleshooter against it, solve the underlying problem, and download the update again. You can download the Windows Update Troubleshooter for Windows 7, Windows 8/8.1, and Windows 10 from https://support.microsoft.com/en-us/help/4027322/windows-update-troubleshooter. Recent versions of Windows 10 include a built-in troubleshooting utility. To access it, click the Start menu and select the Settings gear. Once the Settings app opens, select Update & Security, and then click Troubleshoot.

Rogue Antivirus

One of the cleverer ways of spreading a virus is to disguise it so that it looks like an antivirus program.
When it alerts the user to a fictitious problem, the user then begins interacting with the program and allowing the rogue program to do all sorts of damage. One of the trickier things for troublemakers to do is to make the program look as if it came from a trusted source, such as Microsoft, and mimic the Windows Action Center interface closely enough to fool an unsuspecting user. Microsoft offers a page on fake virus alerts that can be shared with employees to help educate them about rogue security software. You can visit it at www.microsoft.com/security/pc-security/antivirus-rogue.aspx.

Spam

While spam is not truly a virus or a hoax, it is one of the most annoying things with which an administrator must contend. Spam is defined as any unwanted, unsolicited email. Not only can the sheer volume of it be irritating, it can often open the door to larger problems. For instance, some of the sites advertised in spam may host viruses, worms, and other unwanted programs. If users begin to respond to spam by visiting those sites, then viruses and other problems will multiply on your systems.

Numerous antispam programs are available, and users as well as administrators can run them. One of the biggest problems with many of these applications is false positives: they will occasionally flag legitimate email as spam and stop it from being delivered. You should routinely check your spam folders and make sure that legitimate email is not being flagged and held there. Just as you can, and must, install good antivirus software, you should also consider similar measures for spam. Filtering the messages at the mail gateway and preventing them from ever entering the network is the most effective method of dealing with the problem. Recently, the word "spam" has been applied to other forms of unwanted messaging beyond email, giving birth to the acronyms SPIM (spam over instant messaging) and SPIT (spam over Internet telephony).
Renamed System Files/Disappearing Files/Permission Changes/Access Denied

Creators of malware have a number of methods by which they can wreak havoc on a system. One of the simplest is to delete key system files and replace them with malicious copies. When this occurs, the user can no longer perform the operation associated with the file, such as printing, saving, and so on. Just as harmful as deleting a file is renaming it or changing the permissions associated with it so that the user can no longer access it or perform those operations.

Starting with Windows Vista, Microsoft enabled User Account Control (UAC) by default. This change to the operating system greatly reduced the number of silent elevations to administrative privileges and made it much more difficult to change system files. In addition to enabling UAC, Microsoft removed the Modify NTFS permission on system files from the Administrators group. Only the TrustedInstaller account (used by Windows Update and the servicing stack) has permission to modify these files; even the SYSTEM account's permissions are Read and Execute. If that wasn't enough, a self-healing service (Windows Resource Protection) watches for changed files and replaces them with trusted versions. The System File Checker (SFC, run as sfc /scannow from an elevated prompt) is a tool that can be used to manually repair missing or modified system files. Malware can maliciously modify files and, in some cases, cause them to go missing. The System File Checker was covered in Chapter 16.

Hijacked Email

One of the easiest ways to spread malware is to capture the email contacts of a user and send the malware as an attachment to everyone in their circle. The recipient is likely to open the attachment because it seemingly comes from a trusted source. It is important that you scan all email, both internal and external, and identify problems before they spread. Be wary of reports from users about email that they haven't sent, and watch for bounce messages and automated replies to email that the user never sent; both are signs that the account or address is being used by someone else.
As good as your malware detection may be, one of the best things you can do to prevent these types of attacks from succeeding is to educate users about what to watch out for, how to respond, and how to get hold of you as quickly as possible.

Invalid Certificate

Public key infrastructure (PKI), previously discussed in Chapter 22, "Security Concepts," relies on digital certificates for security. An invalid certificate usually means that the certificate has expired or has another security-related problem, such as a name that does not match the site or an issuer the browser does not trust. If you are visiting a website that is secured with SSL/TLS (HTTPS) and the web browser displays a message similar to the one in Figure 24.46, the site may not actually be the site you are trying to visit. Certificate errors can happen for a multitude of reasons. The most common reason is that your operating system's time or date is off and should be adjusted; a clock that falls outside a certificate's validity period makes that certificate look expired or not yet valid. When you check this, make sure to verify that you are in the right time zone. If your operating system time and date are correct, then you should suspect another problem, usually a security-related problem with the site you are trying to visit or with something sitting between you and it. Proceed with caution, especially if you are entering credentials, personal information, or banking information.

Figure 24.46 An invalid certificate

Event Viewer Log Errors

Event Viewer (eventvwr.exe) can show a lot of detailed information about what is running on your operating system. Table 24.3 highlights the three main event logs that you should be concerned with.

Table 24.3 Event Viewer logs

Event Log      Description
Application    Events generated by applications installed on the operating system
Security       Events generated by the Security Reference Monitor in the Executive (kernel)
System         Events generated by the operating system

Although you might think that all the security-related information is in the Security log, you're only half right. The Security log is written by the Security Reference Monitor inside the Executive.
It is responsible for recording object access audit events. Examples include file access, group membership changes, and password changes, and each category is recorded only if auditing for it is enabled in the audit policy. Much of the useful security-related information will be in the Application and System logs. From these logs, you can see errors and warnings that will alert you to potential security-related problems. When you suspect an issue with the operating system or an application that interacts with the operating system, check these logs for clues. The event log won't tell you exactly what is wrong and how to fix it, but it will tell you there is an issue that needs to be investigated more closely, as shown in Figure 24.47.

Figure 24.47 Event Viewer logs

Best Practices for Malware Removal

Best practices for malware removal are a key objective for the 220-1002 exam. The best way to think about this is as a seven-item list of what CompTIA wants you to consider when approaching a possible malware infestation. The following discussion presents the information that you need to know.

1. Identify and Research Malware Symptoms.

Before doing anything major, it is imperative first to be sure that you are dealing with the right issue. If you suspect malware, try to identify the type (spyware, virus, and so on) and look for the proof needed to substantiate that it is indeed the culprit. Identifying malware is no different from the troubleshooting you learned about in Chapter 13: you first need to identify the problem. This can be done with a multitude of tools, but hopefully your antivirus/anti-malware software will be the first tool that helps to identify the problem. If the antivirus/anti-malware software fails to identify the problem, then other third-party tools must be used. Earlier in this chapter, in the section "Troubleshooting Microsoft Windows OS Problems," we introduced you to Resource Monitor to isolate performance problems. A similar tool, called Process Explorer, can be downloaded from Microsoft Sysinternals.
This tool offers a different visualization from what Resource Monitor provides, as shown in Figure 24.48. You can see the process list on the operating system; in this case, there is a process called regsvr32.exe. When you look closer, you can see that it is generating network traffic and is very active on the operating system. The process is actually a ransomware application calling out to its command-and-control servers. It is disguising itself as the regsvr32.exe utility, which is normally used to register DLLs. Checking the image path in Process Explorer helps here: the genuine regsvr32.exe lives in the System32 (and SysWOW64) folder under the Windows directory, and a copy running from anywhere else deserves a closer look.

Figure 24.48 Process Explorer

Unfortunately, this lone example will not give you the expertise of a professional virus/malware hunter. However, it provides just one of many examples of third-party software that can help you detect and identify viruses and malware running on a computer. Many built-in tools, such as netstat.exe, can also provide assistance. For example, the netstat -nab command (run from an elevated prompt) lists every listening port and connection on the operating system together with the process and executable that owns it. It was the netstat -nab output that showed something was wrong with the regsvr32.exe process; without it, the process would have looked like any other process on the operating system.

In addition to applications that can identify viruses and malware, third-party websites can aid in detection. One such website is VirusTotal (https://www.virustotal.com). VirusTotal allows users to upload potentially unsafe files. The service scans them against more than 70 antivirus engines and reports whether any engine recognizes the file. It's a valuable tool to validate that an application you've found on your operating system is malicious. Keep in mind that uploaded files are shared with the antivirus vendors behind the service, so for a sensitive file you can look up its SHA-256 hash instead of uploading the file itself. Many tools, such as Process Explorer, can even check running processes against the VirusTotal database.

2. Quarantine Infected Systems.

Once you have confirmed that a virus or malware is at hand, quarantine the infected system to prevent it from spreading the virus or malware to other systems.
Bear in mind that the virus or malware can spread in any number of ways, including through a network connection, email, removable media, and so on. The quarantine needs to be complete enough to prevent any spread. Ransomware is probably the biggest risk, since it can spread through a network rapidly and encrypt files in its path. The ransom demanded often scales with the number or total size of the files encrypted. Over the past 5 years, ransomware has made headline news as it has taken down extremely large companies. In one instance, the Petya ransomware outbreak took down a large share of the computers in Ukraine and spread to several other countries. If an infected system is discovered and needs further analysis, it should be quarantined from the production network and placed on an isolated network. This isolated analysis network is a place where the system can be studied further, without repercussions to the operational network.

3. Disable System Restore (in Windows).

This is a necessary step because you do not want the infected system to create a restore point, or return to one, where the infection exists. System Protection in Windows 10 is turned off by default. You can disable System Protection by clicking the Start menu, typing Recovery and selecting it from the results, then choosing Configure System Restore, selecting the system drive, then Configure, then Disable System Protection, then Delete (under Disk Space Usage), then Continue (confirmation), then Close, then OK, then Yes (confirmation), as shown in Figure 24.49.

Figure 24.49 System Protection

Most ransomware will delete your restore points (volume shadow copies) for you, since you could otherwise recover the operating system and then recover files using Previous Versions.

4. Remediate the Infected Systems.

The steps taken here depend on the type of virus or malware with which you're dealing, but they should include updating antivirus and anti-malware software with the latest definitions and using the appropriate scan and removal techniques.
You can update Windows Defender from the Windows Defender Security Center by clicking the task tray in the lower-right corner, right-clicking the shield, and then clicking Check for Updates, as shown in Figure 24.50. Depending on the type of virus or malware, you may need to boot into Safe Mode or the Windows Recovery Environment (as discussed previously in this chapter). However, the remediation of the virus or malware will be different for each situation. Windows Defender Security Center can perform an offline scan, which runs from the recovery environment before the installed Windows, and anything persisting inside it, has started. To perform an offline scan, click the task tray in the lower-right corner, right-click the shield, then View Security Dashboard, then Virus & Threat Protection, then Virus & Threat Protection Settings, then Run a New Advanced Scan, and finally Windows Defender Offline Scan, as shown in Figure 24.51.

Figure 24.50 Windows Defender Security updates

Figure 24.51 Windows Defender Offline scan

After you confirm that you have saved your work by clicking Scan on the confirmation dialog box, the UAC will prompt you to answer Yes, and then Windows will reboot. The Windows Recovery Environment will boot and Windows Defender Antivirus will run, as shown in Figure 24.52.

Figure 24.52 An offline Windows Defender Antivirus scan

In some situations, such as a ransomware attack, no remediation of the user's files can be performed because they are encrypted. In these cases, the malware should be removed from the operating system, and then the user data must be restored from a backup. The unfortunate and terrifying fact when it comes to ransomware is that there will be loss of work: everything changed since the last good backup. In many instances, fully remediating the virus or malware is impossible because no one knows for sure what it actually did. Antivirus researchers can document the delivery mechanism that a virus or malware uses to enter your system. You can then patch the vulnerability, which is part of the remediation process.
What antivirus research often cannot do is document the payload of a virus or malware, because the payload is frequently encrypted and changed depending on the needs of its creator. In these cases, the remediation might be to sanitize the drive and reinstall the operating system from an image or manually install it.

5. Schedule Scans and Run Updates.

The odds of the system never being confronted by malware again are slim. To reduce the chances of it being infected again, schedule scans and updates to run regularly. Most anti-malware programs can be configured to run automatically at specific intervals; however, should you encounter one that does not have such a feature, you can run it through Task Scheduler. Windows Defender Security is scheduled to automatically scan the operating system during idle times. However, if you want to schedule a scan, you can use Task Scheduler: click the Start menu, type Task Scheduler and select it from the results, then open the Task Scheduler Library, then Microsoft, then Windows, then Windows Defender, then double-click Windows Defender Scheduled Scan, then the Triggers tab, then New..., then select Weekly, then choose the day of the week, and finally select OK, as shown in Figure 24.53. You'll need to click OK again after the New Trigger dialog box closes.

Figure 24.53 Creating a Windows Defender Security scheduled scan

Windows Defender Security is scheduled to automatically download updates during the Windows Update check, which is daily. If you require the latest updates, it is recommended to use either the Check for Updates option in the Windows Update settings or the Check for Updates option in the Windows Defender Security Center.

6. Enable System Restore and Create a Restore Point (in Windows).

Once everything is working properly, it is important once again to create restore points, should a future problem occur and you need to revert.
You can enable System Protection by clicking the Start menu, typing Recovery and selecting it from the results, then Configure System Restore, then selecting the system drive, then Configure, then Turn on System Protection, and finally selecting OK. You can then manually create a restore point by clicking Create..., typing a description (such as "after remediation - date"), then Close (confirmation dialog box), and finally selecting OK to close the System Properties.

7. Educate the End User.

Education should always be viewed as the final step. The end user needs to understand what led to the malware infestation and what to avoid, or look for, in the future to keep it from happening again. This training can be formal training in a classroom setting, or it can be online training in which the user must participate and answer questions. It is common for large companies to require annual or semi-annual end-user training on threats. It is becoming more common for training to be done online, and a number of companies offer this as a service. It is also not uncommon for a company to send a simulated phishing attempt to its own employees. When an employee falls for the phishing attempt, they are automatically signed up for mandatory training. Incentives are also common, such as a gift card for the first employee who notifies the IT department of the phishing attempt.
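The six technical steps above (identify, quarantine, disable System Restore, remediate, schedule scans and updates, re-enable System Restore and take a restore point) can be carried out with built-in cmdlets instead of the dialogs. The following script is an added example and is not part of the chapter or of any CompTIA material. It assumes Windows PowerShell 5.1 on Windows 10 run as administrator; the -Quarantine and -OfflineScan switches, the restore-point description, and the Sunday 02:00 schedule are choices made for this illustration.

```powershell
# Added example (not from the chapter): a response script covering steps 1-6 of
# the list above. Run it elevated in Windows PowerShell 5.1 on Windows 10; the
# *-ComputerRestore and Checkpoint-Computer cmdlets are not available in
# PowerShell 7, and Get-NetTCPConnection and the Defender cmdlets are Windows-only.
#Requires -RunAsAdministrator
param(
    [switch]$Quarantine,   # assumption: pass once you have decided to isolate this host
    [switch]$OfflineScan,  # assumption: reboot into Windows Defender Offline after the full scan
    [string]$Description = "after remediation - $(Get-Date -Format 'yyyy-MM-dd')"
)

# ---- Step 1: identify. (a) Processes with live TCP connections whose image name
# matches a binary in System32 but which run from outside System32/SysWOW64 (the
# regsvr32.exe masquerade described above); (b) the last day of errors and
# warnings from the Application and System logs, grouped by source.
$sysDirs = @((Join-Path $env:SystemRoot 'System32'), (Join-Path $env:SystemRoot 'SysWOW64'))
$suspects = Get-NetTCPConnection -State Established |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        if ($p -and $p.Path) {
            [pscustomobject]@{
                Pid    = $p.Id
                Name   = $p.ProcessName
                Path   = $p.Path
                Remote = "$($_.RemoteAddress):$($_.RemotePort)"
            }
        }
    } |
    Where-Object {
        $dir = Split-Path $_.Path -Parent
        (Test-Path (Join-Path $sysDirs[0] "$($_.Name).exe")) -and ($dir -notin $sysDirs)
    }
if ($suspects) {
    Write-Warning 'Processes using a Windows binary name from outside the Windows directories:'
    $suspects | Format-Table -AutoSize
    # Hash the files so they can be looked up on VirusTotal without uploading them.
    $suspects | Select-Object -ExpandProperty Path -Unique |
        ForEach-Object { Get-FileHash -Algorithm SHA256 $_ } | Format-Table Hash, Path -AutoSize
}
Get-WinEvent -FilterHashtable @{ LogName = 'Application', 'System'; Level = 1, 2, 3
                                 StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Group-Object ProviderName | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# ---- Step 2: quarantine. Block all inbound and outbound traffic on every firewall
# profile. This also drops your own remote session, so run it at the console or
# add an allow rule for the analysis host first.
if ($Quarantine) {
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block
}

# ---- Step 3: disable System Protection on the system drive and discard the
# existing restore points (volume shadow copies) so an infected point cannot be
# rolled back to later.
$drive = "$env:SystemDrive\"
Disable-ComputerRestore -Drive $drive
vssadmin delete shadows "/for=$env:SystemDrive" /quiet | Out-Null

# ---- Step 4: remediate. Pull the latest definitions, run a full scan, list what
# was found, and optionally reboot into Windows Defender Offline for anything
# that hides from a scan run inside the live operating system.
Update-MpSignature
Start-MpScan -ScanType FullScan
Get-MpThreatDetection | Format-Table InitialDetectionTime, ThreatID, ProcessName, Resources -AutoSize
if ($OfflineScan) { Start-MpWDOScan }   # reboots immediately; save work first

# ---- Step 5: schedule a weekly full scan (Sunday 02:00) and daily signature updates.
Set-MpPreference -ScanParameters FullScan -ScanScheduleDay Sunday -ScanScheduleTime 02:00:00 -SignatureUpdateInterval 24

# ---- Step 6: turn System Protection back on and take a clean restore point.
Enable-ComputerRestore -Drive $drive
Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
```

The identification stage flags one specific pattern only (a process named after a System32 binary, running from somewhere else, with an open connection), which catches the regsvr32.exe case described above but nothing else; treat it as a starting point for the research in step 1, not as a scan. Windows limits Checkpoint-Computer to one restore point per 24 hours unless the SystemRestorePointCreationFrequency value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore is changed, so the final step may warn that a point already exists.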
