- Sign-up Now!
 - Current Issue
 - Edit Your Profile/Unsubscribe

Subscribe | Media Kit | About Us | All Issues | Subscriber Feedback | Contact Us | Privacy Statement
Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Apr 25, 2005 (Vol. 10, #17 - Issue #522)
WebCast: Detecting and Removing Rootkits in Windows
  This issue of W2Knews™ contains:
    • WebCast: Detecting and Removing Rootkits in Windows
    • Oh Boy. The IRS Income Tax Filing System Has Leaks
    • Admin Tools We Think You Shouldn't Be Without
    • Mark Minasi's April Windows Tech Newsletter Is Out
    • Need Some Help Writing Scripts?
    • Step-by-Step Guide: Time management
    • Exchange Admin 101: Configuring OMA and ActiveSync
    • SQL Server 2000 SP4: An Overview
    • Microsoft Data Protection Manager With Double-Take
    • Finding Enterprise AntiSpyware Has Gotten Easier
    • What's New in iHateSpam for Exchange Version 1.6x?
    • So, How Good Is ScriptLogic's Anti-Spyware?
    • And Finally Symantec Lifts Their Antispyware Veil
    • Air Force Taps Sunbelt Software Anti-Spyware Solution
    • Latest SNSI Vulnerability Database Update
  6. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
    • Licensed Per Admin: Sunbelt Network Security Inspector
  SPONSOR: CounterSpy
CounterSpy was chosen as PC World's BEST BUY. Laptop Magazine
gave it their Editor's Choice.
CounterSpy is the best. We're
proving it. We want you to be the judge. CounterSpy has the best
spyware database in the industry, the highest detection rate,
and has the fastest scan times. It's just $19.95, and that
includes a subscription of one year with updates, upgrades and
technical support. CounterSpy has Active Protection(tm), call it
a "spy-wall." Buy CounterSpy now for $19.95; You'll get live
tech support from right here the U.S.!
Visit CounterSpy for more information.

WebCast: Detecting and Removing Rootkits in Windows

Visit this interesting event from your own desk! The speaker is Kurt Dillard, Microsoft Program Manager and Author.

Here is a summary of the "RootKit WebCast":

Rootkits are stealthy and non-destructive threats that are intended to provide an attacker with a backdoor for ongoing remote access to a Microsoft operating system. This webcast will focus on the latest methods used by rootkit developers to hide their tools on computers running Windows. While active detection tools are proliferating, malware developers are constantly looking for new ways to cover their tracks. The session will demonstrate how to apply advanced techniques for revealing what has been added, changed or removed. Sponsored by Sunbelt Software.

When: May 10, 2005, 9:00 EDT (13:00 GMT) Sign up here, and forward this item to any friend that might be interested!

Oh Boy. The IRS Income Tax Filing System Has Leaks

ComputerWorld reported that security flaws in computer systems used by the Internal Revenue Service expose millions of taxpayers to potential identity theft or illegal police snooping, according to a congressional report. The IRS also is unlikely to know if outsiders are browsing through citizens' tax returns because it doesn't effectively police its computer systems for unauthorized use, the Government Accountability Office found.

The report was released three days after the deadline for filing personal income tax returns, and at a time when concerns about identity theft and computer security are running high. "This lack of systems security at the IRS is completely unacceptable and needs to be corrected immediately," said Representative James Sensenbrenner (R-Wis.), chairman of the House Judiciary Committee. Ouch. You would have hoped they were on the ball. But then, it's the IRS. Time to get rid of 'em! [grin] Read the story here:

Quotes Of The Week:
"The only way to abolish war is to make peace heroic." -- John Dewey

Warm regards,
Stu Sjouwerman (email me with feedback: [email protected])


Admin Tools We Think You Shouldn't Be Without


Mark Minasi's April Windows Tech Newsletter Is Out

This month, more on AD names: at many of your request, he talks about how to rename Exchange 2003 mailboxes. Then he explains SMB signing, corrects an error from last month and answers a reader letter about DNS caching versus HOSTS. And of course he reminds you about the final three sets of seminars for this year... after that there's no more! Check it out over here:

Need Some Help Writing Scripts?

Interesting for script writers is the new HTA Helpomatic. It's a free a download at Redmond and you should check it out:

Step-by-Step Guide: Time management

In the hustling bustling world of IT, one thing Windows computing managers never have enough of is time. How often have you arrived at work in the morning with an ambitious agenda, only to find yourself sitting at your desk eight to ten hours later with nothing crossed off your to-do list? If this happens to you regularly, you may have a time management problem. Here are 10 key pointers to help you work more efficiently, reducing your stress and increasing your productivity.

Exchange Admin 101: Configuring OMA and ActiveSync

There are two different components used by Exchange 2003's Mobile Information Services: Outlook Mobile Access and ActiveSync. This tip explains how to set up and configure these wireless features.

SQL Server 2000 SP4: An Overview

Serdar Yegulalp discusses the most important new features in SQL Server 2000 Service Pack 4.


Microsoft Data Protection Manager With Double-Take

Microsoft released a public beta of Microsoft System Center Data Protection Manager, a new disk-based backup and recovery server for Windows that was previously called Data Protection Server. Here is how this relates to Double-Take and we have a whitepaper that explains the techynical detail. (Link at the end).

By Q4 2005, Microsoft will have released version 1.0 of Data Protection Manager. NSI Software, the developer of Double-Take has had a strong collaborative relationship with the Storage team within Microsoft and is happy to be a launch partner around this storage product.

Data Protection Manager (DPM) extends the snapshot capabilities which originally shipped with Microsoft Volume Shadow Services (VSS). The idea is to centralize previous versions of data and in part to facilitate consolidated backups. Specifically, DPM requires an agent technology to install on local file servers whereby a periodic copy of the flat and closed user files is sent on a schedule configured by the admin to a centralized server.

When to use DPM or Double-Take for protecting servers:

There are constraints to the DPM architecture. You should seriously look at a combined solution with NSI Double-Take.

- Because of the manner in which Microsoft acquires its copies of the data changes, DPM supports only closed user files. Files that are maintained opened, including shared data directories and all traditional applications (e.g. SQL, Exchange, Sharepoint, etc.) are not supported.

- DPM agent (production) servers must be member servers and not active domain controllers. If a machine is a DC, perhaps in the data center, or even as the only server at a branch office, DPM cannot be used to protect the files. Double-Take supports this configuration.

- Data Protection Manager's core architecture lends itself ONLY to a LAN environment. Due to the nature of WAN traffic, one typically needs true real-time to avoid the large surges of changed data. In addition, WAN implementations require intelligent compression, bandwidth management, and resiliency to sporadically WAN outages; all of which necessitate Double-Take.

- And as a last comment on deciding, the DPM server itself is not resilient, meaning that one requires a replication and failover technology (like Double-Take) to protect the DPM data in much the same way that Double Take is the choice for protecting Exchange, SQL, and other service-based applications.

Combining DPM and Double-Take

As a combined solution, you should look at deploying DPM in order to provide scheduled data protection for the file servers within your local environment and use Double Take replication to protect the various application servers on the same network.

- For file servers, you could install the DPM agents on each production fileserver and then points those servers to the DPM (target) server. Lag time may be one hour to twelve hours.
- For the application servers, you should run Double Take on each production platform and replicate their data directories in real-time to the Double Take target server.

All that is left to do is to protect the DPM server itself, since it is the front line for guarding one's information long-term. Like any other Microsoft server application, you simply install Double Take on the DPM server, which would then act as a "source" to the Double Take target server (for HA/DR), but also as a "target" to the DPM agents.

A final comment: DPM, while providing data protection, does not offer availability. For those admins wanting their file servers to be available again within minutes of a crisis, Double-Take would be used instead. Double-Take has over 50,000 licenses in production, including 12,000 on Exchange, 10,000 on SQL, and nearly 10 years of protecting Windows servers since 1996. This makes Double-Take the undisputed leader in protecting Microsoft environments through replication.

Technical Backgrounder: combining DPT and DT

Double-Take 30-day eval copy:


Finding Enterprise AntiSpyware Has Gotten Easier

You downloaded CounterSpy Enterprise because you needed a true enterprise antispyware tool. But any professional would be looking at the best offer in the market, and do their homework. We just were alerted on a report that Ziff-Davis put together. It compares over 20 possible antispyware solutions for enterprises, feature by feature, all the specs and the pricing models.

It's not free, you have to pay $249 dollars for it, but it saves a lot of time. CounterSpy Enterprise is of course in there, and we feel very confident that when you see what's in this report, you'll decide to deploy CounterSpy. Note, we did not sponsor this, and do not get any affiliate fees. We only found out about this a few days ago when it was released. Here is the link:

Second, if you want to stay aware of the latest developments on the antispyware front, get yourself an RSS reader and/or check the sunbelt blog on a regular basis. This blog is written by our President Alex Eckelberry and gets you the nitty gritty of the war between spyware and antispyware providers and other items relating to spyware that are newsworthy. Check this out:

Last, progress on Version 1.5 with active protection is good. Expect it in a few weeks! More info here:

What's New in iHateSpam for Exchange Version 1.6x?

Problem: We all know that spam is a productivity killer. But it has gotten worse. Over 1.78 million people have fallen victim to email fraud as a result of phishing, which is unfortunately growing exponentially. There were more attacks in the last 6 months than in the past 10 years.

iHateSpam for Exchange is uniquely tailored to the exact features you require. It simply makes spam go away, frees up both you and your user's time again, and cuts down on email-borne security threats. No more complaining users, either about spam or about 'lost' email. No digging through thousands of quarantines messages for the system admin. You finally have the ultimate tool to get everyone what they want. Now you can effortlessly navigate the political minefield that enterprise spam has become.

iHateSpam for Exchange Version 1.6 uses a brand new engine with a dramatic increase in spam detection and speed. It uses several integrated proprietary approaches that define how likely it is that a message really is spam. The amount of messages being processed per minute has gone up ten-fold, with the amount of CPU used remaining virtually the same as the old engine. Here are some features of the new (Cloudmark) engine:

  • Greatly improved message processing speed
  • Reduced memory footprint
  • A very high rate of detection (in excess of 98%)
  • Very low false positives
  • Frequent updates of the signatures (often every few minutes)

And the best thing is that Version 2.0, expected in June, will have integrated anti-virus engines as well. Requirements: Windows 2000 SP2 or later; Exchange 2000 SP2 or later. iHateSpam for Exchange does NOT support Windows NT 4.0. Download Size: 22.1Mb Click here and find out why 6,500 sites run this on Exchange!

So, How Good Is ScriptLogic's Anti-Spyware?

We were a bit surprised to see that ScriptLogic's Desktop Authority has added anti-spyware and patch management options to the remote desktop configuration management software, but had not talked to us about possibly using CounterSpy for that. They said about their new V6.5: "We're going after security in what our customers believe are the biggest pain points. Now we hear more about malware instead of viruses-and to help with an enterprise-class patch management [system] that works with the tools they already have in place," said Andy Langsam, chief operating officer of the company in Boca Raton, Fla. Now, hear this. "Toward that end, the new release includes a scanning engine that can detect and remove spyware based on technology licensed from Aluria."

Huh? Aluria? Why? Check out how Aluria did in the April 2005 bake-off by PC World. I'm still scratching my head and wonder what I missed because Aluria only caught 32% of the test infections:

And Finally Symantec Lifts Their Antispyware Veil

Their marketing had been pushing vaporware for months, trying to hold on to their market share, but now they released a beta of their new spyware offering, which is included as part of their Internet Security suite. It's good it is finally out, because now it can be compared to the existing antispyware market leaders.

Well... from an early preview, it's big, slow, expensive and has a 50% catch rate. It takes 30 minutes to install to start with! From our perspective it makes no longer any sense to "wait for Symantec". Check out this first look here:

Air Force Taps Sunbelt Software Anti-Spyware Solution

Sunbelt Software announced that its anti-spyware solution, CounterSpy Enterprise, has been added to the U.S. Air Force's Network Centric Solutions (NETCENTS) program. The five-year, $9 billion contract was awarded to eight prime contractors in September 2004. This contract allows the Air Force and other agencies to purchase net-centric antispyware technology, software and equipment. More at ZDNet:

Latest SNSI Vulnerability Database Update

New vulnerability updates for this release include:
18 new Windows checks
10 new Linux checks
1 new HP-UX check
1 new Mac check
4 new Cisco checks

ID         Name
L114  OpenView NNM Vulnerability HP-UX 11
L790  XLoadImage & Xli compressed Image Vulnerability - FC
L791  Epiphany - Multiple Mozilla based vulnerabilities - FC
L792  Kernel - Multiple vulnerabilities - FC
L793  LibXpm - integer flaw - FC
L794  Gdk-Pixbuf BMP loader double free error - FC, RHE
L795  Tetex - Malformed file handling - RHE
L796  Xfree86 - libXPM integer overflow - RHE, SuSE
L797  Kernel - Bluetooth kernel stack - SuSE
L798  Sharutils -o and line parsing vulnerabilities - FC, MDK
L799  Xshared - libXPM integer overflow - SuSE
M38   Telnet Client LINEMODE env_opt_add
N45   Cisco - Vpn 3000, Crafted SSL Attack
N46   Cisco - IPSec Malformed IKE Packet
N47   Cisco - SSH server w/ TACACS+ authentication
N48   Cisco - Unauthorized IKE Xauth authentication
W2445  TSAC ActiveX Vulnerability
W2446  Exchange Server 2000 User Account Vulnerability
W2447  OCX Attachment Vulnerability
W2448  Media License Request Vulnerability
W2449  Site Wizard Input Validation Vulnerability
W2450  Restricted Group Vulnerability - W2K3
W2451  Authz.dll Faulting Module Vulnerability
W2452  Service Pack Missing - W2K3
W2453  Adobe Acrobat Reader ActiveX Control Vulnerability
W2454  Shell Folders Directory Traversal Vulnerability - W2K3
W2455  Message Queuing Vulnerability - W2K, XP
W2456  TCP/IP Vulnerabilities
W2457  IE April 2005 Cumulative Patch Missing
W2458  Kernel Validation Vulnerability
W2459  Exchange Server SMTP Vulnerability
W2460  MSN Messenger GIF Vulnerability
W2461  Microsoft Word Unchecked Buffer Vulnerability
W2462  Windows Shell Application Association Handling W2K/XP/W2K3

In addition, there were improvements in the following vulnerability checks:

W1142,W1986,W1999,W2067 - Anti-Virus
W1998, W2217,W2428, W2437 - logic change
S167,S250,S262 - Updated logic
H33,H51,H64,H70,H98,H101 - Vendor superseded patches

L615 - Added MDK 10.0, 10.1 to Gaim Gtk2- MSN protocol handling
L715 - Added FC2, 3 checks to GNU Mailman - "Scripts/Driver" sanitize error
L732 - Added MDK 10.0, 10.1 to htdig - Cross site Scripting
L735 - Added FC2, 3 checks to Squirrelmail - missing variable
L747 - Added FC2, 3 checks to KDE - DCOP, IDN and newline %0a
L768 - Added MDK 10.0, 10.1 to Grip - CDDB excess lookup
L773 - Added MDK 10.0, 10.1 to Kame Racoon - ISADMP parsing error
L780 - Added MDK 10.0, 10.1 to IimageMagick - Multiple vulnerabilities
L780 - Added FC2, 3 checks to ImageMagick - Multiple vulnerabilities
L783 - Added MDK 10.0, 10.1 to Libexif - EXIF tag parsing
L784 - Added FC2, 3 checks to Mozilla - Multiple vulnerabilities
L786 - Added FC3 check to Firefox - Bookmarks/XUL/GIF processing
L787 - Added MDK 10.1, 10.0 to MySQL - User-defined function mishandling
L789 - Added FC2, 3 checks to Telnet & Krb5 - Client message handling
L789 - Added MDK 10.0, 10.1 to Telnet & Krb5 - Client message handling

Get a 30-day eval here:


This Week's Links We Like. Tips, Hints And Fun Stuff


Licensed Per Admin: Sunbelt Network Security Inspector

High-end vulnerability scanners are only licensed per IP and are generally very expensive. Small and medium business with up to 500 seats cannot afford those kinds of products. That is why Sunbelt created its Network Security Inspector. (SNSI). You get a database that is on par with the high-end stuff out there, but you only have to pay per administrator, and it's less than 2 grand. This is a unique offer. SNSI is a tool you should run, even if you use other scanners. Rated 4 stars by Windows IT Pro mag: "Excellent vulnerability descriptions and remediation instructions; low cost... user-friendly."