Trend Micro OfficeScan 11 XG – Executables and Logs

The following is a list of key executables and a description of their task or role when working with Trend Micro OfficeScan 11 XG. This is not a complete list.

Executable                   Task or role
AUTOPCC.exe                  UNC-based agent deployment program
CNTAoSMGR.exe                OfficeScan agent plug-in manager
DBSERVER.exe                 Interface to the OfficeScan database
iCRCSERVICE.exe              Smart Scan functionality: file reputation and web reputation
NTRTSCAN.exe                 Scanning; collects logs and requests for malware information
OFCSERVICE.exe               Central management for OfficeScan
OSCEINTEGRATIONSERVICE.exe   Interface to Active Directory
SQLTxFr.exe                  Migrates the OfficeScan HTTP database to SQL
SVRSVCSETUP.exe              GetInfo, uninstall and install of the OfficeScan server
SVRTUNE.exe                  Adjusts settings, such as increasing the download time for updated agents
TMBMSRV.exe                  Prevents unauthorised changes to the registry
TMLISTEN.exe                 Server to agent communications
TMPFW.exe                    Firewall
TMPROXY.exe                  Sending and receiving HTTP/HTTPS traffic
TMVS.exe                     Vulnerability scanner with an option to deploy the agent

The following is a list of key logs and a description of their purpose when working with Trend Micro OfficeScan 11 XG. This is not a complete list.

Log            Description
OFCNT.log      Client / agent port info and install info
OFCMAS.log     OfficeScan server install info
OFCDEBUG.log   OfficeScan debugging log
TMUDUMP.txt    Update errors

Please note, this info may be incorrect. These are study notes and not official material. Comments are my own.



VMware vCenter Single Sign-On – Invalid Credentials – Native Platform Error code 1765328360

Logging in to the vCenter Server Appliance fails with the error: Failed to authenticate user

or

Failed to authenticate principal for tenant vsphere.local (6.5 Update 1)

KB on the issue: https://kb.vmware.com/s/article/2147174

Logging in to the vCenter Server Appliance Web Client and/or vSphere Client fails with the error:

Failed to authenticate user

In the /logs/sso/vmware-sts-idmd.log file, you see entries similar to:

  [YYYY-MM-DDT<time> vsphere.local d5ee8f23-b216-4585-b829-6e4c671d6ede ERROR] [IdentityManager] Failed to authenticate principal [Username@DOMAIN] for tenant [vsphere.local]
  com.vmware.identity.interop.idm.IdmNativeException: Native platform error [code: -1765328347][null][null]

Troubleshooting

Log in as administrator@vsphere.local

Open the VCSA console (command line for the appliance)

Check the VCSA version:

vpxd -v

We had: build-8024368

Which log to check:

See: Become an Expert on vCenter Server appliance Log File Location in 120 seconds (vCenter Server appliance log file location)

Connect to the vCenter Server Appliance using SSH as root and browse to the directory /var/log/vmware to see the list of all log files of the vCenter Server Appliance 6.5.
Browse to the log and open the file.

To go up one directory on the VCSA:

cd ../

To check the date and time on the VCSA:

date      (note: it is displayed in the UTC time zone)

The time on ours appeared to be out of sync between the vCenter Server machine and the domain controller.

So we then set NTP on the vCenter Server Appliance 6.5

https://kb.vmware.com/s/article/2113610

Steps to enable and add NTP servers on the vCenter Server Appliance 6.5

To enable NTP on the vCenter Server Appliance 6.5:

  1. Open a console session to the vCenter Server Appliance and press ALT+F1.
  2. Log in using the root user credentials.
  3. Run this command to view the current settings:
    ntp.get
  4. Run this command to add an NTP server:
    ntp.server.add --servers ntp_servername
  5. Run this command to verify the NTP server settings:
    ntp.get
  6. Run this command to check the time synchronisation mode (it should report NTP mode):
    timesync.get
  7. To remove an NTP server, run this command:
    ntp.server.delete --servers ntp_servername

Cause

This issue occurs when:

  • The time is out of sync with the domain controller the appliance is joined to
  • There is no NTP time source
  • The NTP status is down

VMware vCenter Server 6.5 Update 1 Release Notes

https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-651-release-notes.html

Sysinternals – Permissions, LoggedOn, Endpoints

How to get the permissions on folders:
PowerShell:
Get-ChildItem | Get-Acl
Output columns: Path | Owner | Access

or, for more depth, use:

GUI based: run AccessEnum (Sysinternals tool) against the drive or folder and save the output to a text file (run as administrator or as a specific user)
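The same check AccessEnum makes by hand, done in PowerShell so it can be scheduled and diffed: an added example, not code from the original post. It lists folders where broad principals (Everyone, Authenticated Users, Users) hold write-capable rights; the -Path, -Depth and -OutFile parameters are assumptions.

```powershell
# Added example, not from the original post: report folders where broad principals
# hold rights that allow planting, altering or deleting content or changing the ACL.
# Parameters -Path, -Depth and -OutFile are assumptions.
function Find-WeakFolderAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int]    $Depth   = 3,
        [string] $OutFile = 'C:\temp\WeakAcls.csv'
    )
    # Identities that effectively mean "anyone on the domain"
    $broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    # Rights that matter for a defender: write, delete, change permissions, take ownership
    $writeMask = [System.Security.AccessControl.FileSystemRights] 'Write, Delete, ChangePermissions, TakeOwnership, FullControl'

    $findings = Get-ChildItem -Path $Path -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            $acl = Get-Acl -Path $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }   # access denied on the folder itself: skip it, do not stop
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($broad -notcontains $ace.IdentityReference.Value) { continue }
                if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Owner     = $acl.Owner
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }

    if ($findings) { $findings | Export-Csv -Path $OutFile -NoTypeInformation }
    return $findings
}

# Run as administrator (or as the user whose view you want to see) and review the CSV
Find-WeakFolderAcl -Path 'C:\Shares' -Depth 2 | Format-Table -AutoSize
```

Inherited entries usually point at a parent folder, so fix the ACL where the entry is not inherited and re-run to confirm the finding is gone.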

Who is logged on via the resource shares:
Launch cmd and run PsLoggedon (Sysinternals tool)
Displays:
1) Users logged on locally
2) Users logged on via resource shares

List TCP and UDP Endpoints connected
Run TCPView application (SysInternals tool) and save to text file

Ever need to identify the before and after changes in Active Directory?
Use: ADExplorer (Sysinternals tool)

Download Sysinternals 
https://docs.microsoft.com/en-gb/sysinternals/downloads/sysinternals-suite

Suggested top 10 sysinternals tools
https://www.techrepublic.com/blog/10-things/10-sysinternals-tools-you-shouldnt-be-without/

Client failed to RDP to RDS server following Windows Server Patching – CredSSP updates for CVE-2018-0886

CredSSP updates for CVE-2018-0886

That Monday morning issue when servers were patched on a Sunday… All Windows 10 clients fail to RDP to the RDS server following Windows Server Patching.

The cause?

“By default, after this update is installed, patched clients cannot communicate with unpatched servers. Use the interoperability matrix and group policy settings described in this article to enable an “allowed” configuration.”

https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018

Temporary solution until clients are patched

Create the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters

The CredSSP and Parameters keys had to be created.
Create the AllowEncryptionOracle DWORD and give it a value of 2.

or from the command line:

REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2

Tested on Windows 7 and Windows 10.
No reboot required.

Note that this setting switches off the protection the patch was installed to provide, so remove it once all clients are patched.
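Because the workaround is easy to forget, here is an added example (not from the Microsoft article or the original post) that reports the AllowEncryptionOracle value across a list of machines so any still set to 2 can be found and reverted. The -ComputerName parameter and the sample host names are assumptions; remote checks use WinRM via Invoke-Command.

```powershell
# Added example, not from the original post: find machines still carrying the
# temporary AllowEncryptionOracle = 2 setting. -ComputerName and the host names
# in the usage line are assumptions.
function Get-CredSspOracleState {
    [CmdletBinding()]
    param([string[]] $ComputerName = $env:COMPUTERNAME)

    $keyPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    # Meaning of the values as documented in KB4093492
    $meaning = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

    # Runs locally or remotely; Value is $null when the value (or the whole key) does not exist
    $probe = {
        param($keyPath)
        $item = Get-ItemProperty -Path $keyPath -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Value = $item.AllowEncryptionOracle }
    }

    foreach ($name in $ComputerName) {
        try {
            $r = if ($name -eq $env:COMPUTERNAME) { & $probe $keyPath }
                 else { Invoke-Command -ComputerName $name -ScriptBlock $probe -ArgumentList $keyPath -ErrorAction Stop }
            $state = if ($null -eq $r.Value) { 'Not set (defaults apply)' }
                     elseif ($meaning.ContainsKey([int]$r.Value)) { $meaning[[int]$r.Value] }
                     else { 'Unknown value' }
            [pscustomobject]@{
                Computer              = $r.Computer
                AllowEncryptionOracle = $r.Value
                State                 = $state
                NeedsRevert           = ($r.Value -eq 2)
            }
        } catch {
            # Unreachable host or WinRM not enabled: report it rather than silently skipping it
            [pscustomobject]@{ Computer = $name; AllowEncryptionOracle = $null; State = "Error: $($_.Exception.Message)"; NeedsRevert = $false }
        }
    }
}

# List every machine still in the temporary configuration; revert on that machine with
#   Remove-ItemProperty -Path $keyPath -Name AllowEncryptionOracle
Get-CredSspOracleState -ComputerName 'SERVER01', 'PC01' | Where-Object NeedsRevert
```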


Check / Set / Sync Time Source for Windows Servers

To set the time (tested against Windows Server 2016)

Launch CMD as administrator.
Example: time 09:00:00 AM   (this sets the time to 9am)

Note: if the server is domain joined, its time source will update the clock again.
Check the source:
w32tm /query /status   (shows the time "Source")

To set an internet-based NTP source:

w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org"

This will take effect after stopping and starting the W32Time service.

PowerShell:
Stop-Service w32time
Start-Service w32time

for the settings to take effect.

Check the status:
w32tm /query /status   (shows the new time "Source")

To check that sync is working:
w32tm /resync   (forces a resync)
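Reading the "Source" line by eye does not scale, and a server quietly running on its own clock is exactly what produced the vCenter SSO failure above. This added example (not from the original post) parses the output of w32tm /query /status and flags the unhealthy states; the -StatusText parameter, the 5-second offset threshold and the sample output are assumptions.

```powershell
# Added example, not from the original post: parse "w32tm /query /status" and flag a
# machine with no real time source (Local CMOS Clock / Free-running) or a large phase
# offset. -StatusText and the offset threshold are assumptions.
function Test-W32TimeStatus {
    [CmdletBinding()]
    param(
        [string[]] $StatusText = (& w32tm /query /status 2>&1),
        [double]   $MaxOffsetSeconds = 5.0   # Kerberos tolerates 5 minutes; alert long before that
    )
    # Turn "Name: value" lines into a lookup table
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*([^:]+?):\s*(.+)$') { $fields[$matches[1].Trim()] = $matches[2].Trim() }
    }
    $source = $fields['Source']
    $offset = 0.0
    if ($fields['Phase Offset'] -match '(-?[\d\.]+)s') { $offset = [double]$matches[1] }

    $problems = @()
    if (-not $source) { $problems += 'No Source field: is the W32Time service running?' }
    elseif ($source -match 'Local CMOS Clock|Free-running') { $problems += "Not synchronised: source is '$source'" }
    if ([math]::Abs($offset) -gt $MaxOffsetSeconds) { $problems += "Phase offset ${offset}s exceeds ${MaxOffsetSeconds}s" }

    [pscustomobject]@{
        Source        = $source
        Stratum       = $fields['Stratum']
        LastSync      = $fields['Last Successful Sync Time']
        OffsetSeconds = $offset
        Healthy       = ($problems.Count -eq 0)
        Problems      = ($problems -join '; ')
    }
}

# Constructed sample: a domain member that has fallen back to its own hardware clock
$sample = @(
    'Leap Indicator: 0(no warning)',
    'Stratum: 1 (primary reference - syncd by radio clock)',
    'ReferenceId: 0x4C4F434C (source name:  "LOCL")',
    'Last Successful Sync Time: 13/05/2018 09:00:00',
    'Source: Local CMOS Clock',
    'Poll Interval: 6 (64s)',
    'Phase Offset: 0.0000000s'
)
Test-W32TimeStatus -StatusText $sample | Format-List   # the constructed sample is reported as unhealthy
Test-W32TimeStatus | Format-List                       # live check of this machine
```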

Get-AdUser -Filter {Multiple Filters Complex } -Properties | Export to CSV

# Install the RSAT AD PowerShell feature (the ActiveDirectory module it provides auto-loads)

Import-Module ServerManager
Add-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature

# List AD user accounts, show DisplayName, Email and Title, and export to CSV

Get-ADUser -Filter * -Properties DisplayName, EmailAddress, Title | Select-Object DisplayName, EmailAddress, Title | Export-Csv "C:\temp\Email_Addresses.csv"

# List AD user accounts and export to CSV; filtered to ENABLED accounts only and showing DisplayName, SamAccountName, EmailAddress, Enabled and DistinguishedName

Get-ADUser -Filter {Enabled -eq $true} -Properties DisplayName, SamAccountName, EmailAddress, Enabled, DistinguishedName | Select-Object DisplayName, SamAccountName, EmailAddress, Enabled, DistinguishedName | Export-Csv "C:\temp\Email_Addresses_allusers.csv"

# As above, filtered to ENABLED accounts only whose email address ends in @test.com

Get-ADUser -Filter {(Enabled -eq $true) -And (EmailAddress -Like "*@test.com")} -Properties DisplayName, SamAccountName, EmailAddress, Enabled, DistinguishedName | Select-Object DisplayName, SamAccountName, EmailAddress, Enabled, DistinguishedName | Export-Csv "C:\temp\Email_Addresses_testdomain.csv"

Get a list of inactive computers which have not logged on to the domain in the last 12 weeks

# Inactive computers (this will include systems that are not regularly used)

# Launch a command prompt as administrator and run the following commands

dsquery computer -inactive 12 -limit 500

# Lists computers inactive for over 12 weeks and returns a limit of 500 results

dsquery computer -inactive 12 -limit 500 | dsmod computer -disabled yes

# Lists computers inactive for over 12 weeks (limit 500 results) and disables those computer accounts

# A similar command can be run for users (dsquery user / dsmod user).

Get a list of active computers which have logged on to the domain in the last 7 days

# Trying to work out if servers, laptops or desktops have been decommissioned?
# Try this script
# Get a list of active computers which have logged on to the domain in the last 7 days

$Date = (Get-Date).AddDays(-7)
Get-ADComputer -Filter {LastLogonDate -gt $Date} | Select-Object DistinguishedName

# https://social.technet.microsoft.com/Forums/windows/en-US/4d412730-5937-48c2-bf17-0dc9db013241/list-active-computers-in-ad?forum=winserverDS
# Credit to Richard Mueller – MVP Enterprise Mobility (Directory Services)
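The dsquery/dsmod one-liner above and the Get-ADComputer snippet answer the same question from two sides; this added example (not from the original post or the cited forum thread) joins them into one PowerShell function that reports stale computer accounts to CSV and only disables them when asked, honouring -WhatIf. The -Weeks, -OutFile and -Disable parameters are assumptions.

```powershell
# Added example, not from the original post: report enabled computer accounts with no
# logon in -Weeks weeks, export them, and optionally disable them (supports -WhatIf).
# -Weeks, -OutFile and -Disable are assumptions.
function Get-StaleAdComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]    $Weeks   = 12,
        [string] $OutFile = 'C:\temp\StaleComputers.csv',
        [switch] $Disable
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $cutoff = (Get-Date).AddDays(-7 * $Weeks)

    # LastLogonDate is derived from lastLogonTimestamp, which replicates only every ~14 days,
    # so a machine can look up to two weeks staler than it is. Objects created after the
    # cutoff have had no chance to log on yet and are excluded via whenCreated.
    $stale = Get-ADComputer -Filter { Enabled -eq $true } -Properties LastLogonDate, whenCreated, OperatingSystem |
        Where-Object { $_.whenCreated -lt $cutoff -and (-not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) } |
        Select-Object Name, DNSHostName, OperatingSystem, LastLogonDate, whenCreated, DistinguishedName

    if ($stale) { $stale | Export-Csv -Path $OutFile -NoTypeInformation }

    if ($Disable) {
        foreach ($c in $stale) {
            # ShouldProcess makes -WhatIf print the action instead of performing it
            if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "Disable stale computer (last logon: $($c.LastLogonDate))")) {
                Disable-ADAccount -Identity $c.DistinguishedName
            }
        }
    }
    return $stale
}

# Dry run first: shows exactly which accounts would be disabled without touching them
Get-StaleAdComputer -Weeks 12 -Disable -WhatIf
```

Review the CSV before running without -WhatIf; disabling rather than deleting keeps the account recoverable if a rarely used machine turns up.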

Email Phishing

A phishing email will contain a link to a web site, typically to get the user to launch an action or input some details…

For more information and live example demos, join us at TechUG Newcastle.
Register for our next event in Newcastle on 10th May

https://www.technologyug.co.uk/Events/Newcastle/TechUG-Newcastle-Thurs-10th-May-2018