Things that are bad, Tools

Cisco Immunet anti-malware software

Leave a comment

In brief: stay away from this software.

I’m always interested in evaluating anti-malware/antivirus software, especially when it claims to be ‘lightweight’. All too often, anti-malware software that’s configured to run in the background has a very noticeable effect on performance.

So I installed Cisco’s Immunet on my main Windows computer. About ten minutes later, I removed it.

The user interface is horrible, seeming more like a first-time coder might have produced it, rather than an organization with the resources of Cisco.

I was very careful to configure Immunet before I ran any scans. In particular, I configured it to ask me before quarantining any files. Imagine my surprise when on its initial scan, it went ahead and quarantined three executables, none of which were actually malware.

Of the three quarantined files, I was able to use Immunet to restore one. The others were irretrievable, and I had to reinstall the associated software. For one of them, I lost its settings as well.

Normally I would persist with an evaluation like this, to give it a thorough test. But really, having suffered this much in such a short space of time, why bother?

This is crappy software. Avoid at all costs.

Microsoft, Patches and updates, Things that are bad, Windows

Microsoft updates still breaking things

Leave a comment

Is it just me, or is Microsoft actually getting worse at this? It seems that every month there are more horror stories about problems caused by MS software updates. Given that Microsoft is still pushing hard for all Windows updates to happen automatically, this is very troubling.

In the latest instance, updates pushed out for January’s Patch Tuesday caused some Windows servers to reboot continuously. For server admins, this is a nightmare scenario.

One could argue that since the problem only affected a specific subset of Windows servers, this was less serious than something that affects all Windows 10 users. But affected servers were potentially used by hundreds or even thousands of people, which amplifies the scope of the problem.

Microsoft’s approach to testing changed with the release of Windows 10, and they now rely on reports from regular users who have opted in to pre-release versions of Windows. It’s clear that this kind of testing is much less useful than proper, methodical testing. Whether Microsoft will eventually go back to proper testing remains unclear. Meanwhile, we all suffer. And wonder whether the next Patch Tuesday is going to be a day of disaster.

Ars Technica and The Verge have more.

*nix, Hacking, Internet, Internet crime, Security

Blocking IP ranges at the router

Leave a comment

I’m sure that Russia is a wonderful place, and I’m sure that the vast majority of people there are lovely, and have no interest in harming anyone.

Sadly, from the perspective of a server operator, it sometimes feels that nothing good ever comes from Russia.

Being the diligent server operator that I (hopefully) am, I monitor things pretty closely. That includes network traffic coming from the Internet. Over the years, I’ve noticed that a huge proportion of the probes, DDoS attacks, spam, phishing, and hack attempts against my network come from IP addresses in Russia.

It’s gotten to the point where I am now actively blocking huge swathes of Internet addresses (IPs) that originate in Russia and neighbouring countries like the Ukraine.

Blocking those nasty IPs

I run a Linux web server, as well as several Internet-enabled services, at my home office. All of the communications between my server and the Internet pass through a router, making it the ideal place to block unwanted traffic for my entire network, which includes media computers, development systems, and the Windows computer on which I’m writing this.

I’m using a commercial router, but I’ve replaced the original firmware with Advanced Tomato. Doing this provides many benefits, including making it easier to manage the router’s firewall, IPTABLES. Here’s a typical IPTABLES command to block an IP address from the router’s Linux command line:
iptables -I FORWARD -s 185.219.52.90 -j DROP

The DROP directive tells the router to unceremoniously drop any traffic from the specified IP, without logging this action. Traffic can also be logged when it’s dropped, but excessive logging can cause performance problems and fill up logs with junk, so I just drop this traffic.

I issue commands like the one above at my router’s command line to block the traffic immediately, and then I update the router’s startup firewall script with the same command, so that it persists after the next router restart.

So there’s this one guy

There’s been one particularly persistent attacker in the last year or so. This person wants desperately to gain access to one of my Internet-accessible services, but he’s not particularly intelligent, because he keeps trying the same things over and over, in rapid succession. So much so, that at times the traffic he generates comes within shouting distance of a DDoS attack.

I started paying particular attention to traffic associated with a series of ports that are used by the service, and blocking the IP addresses at the other end of that traffic. Whereupon we embarked upon a long game of whac-a-mole, in which I blocked an IP or IP range, and the attacker moved to another host or VPN provider and resumed his attacks from there. It seems clear that this was all being done by one attacker, based on his quick reactions to my blocking.

This went on for several months, but now he appears to have given up. Or at least he’s moved on to other methods.

In the process of blocking all these IPs and networks, the attacker has also helpfully provided me with a list of VPN providers that should be blocked by, well, everyone. Everyone who doesn’t specifically need to allow them.

IP addresses and ranges I’m blocking

Almost all of these IPs and IP ranges are in Russia and the Ukraine. A few are elsewhere in Asia. Most of the ranges are VPN providers.
103.48.51.116
104.129.18.0/23
104.237.192.0/19
104.237.203.0/24
141.98.10.0/24
173.244.208.60
176.67.85.0/24
185.156.72.0/24
185.156.74.0/24
185.193.88.0/24
185.217.69.157
185.219.52.112
185.219.52.90
185.219.52.91
193.106.191.25
193.106.191.35
193.106.191.41
193.32.164.85
193.93.62.0/24
195.54.160.27
198.8.81.220
216.131.114.0/24
216.131.116.0/23
216.131.68.0/24
216.131.88.0/23
217.138.255.202
31.43.185.29
31.43.185.9
37.120.218.0/24
45.134.26.0/24
45.143.203.121
45.145.64.0/23
45.145.65.11
45.146.164.0/23
45.146.166.0/23
45.155.204.0/24
45.155.205.0/24
45.227.253.0/24
45.9.20.0/24
5.188.206.230
71.19.251.0/24
76.180.16.74
77.243.191.120
77.83.36.0/24
78.128.112.18
82.145.32.0/19
84.17.41.141
84.17.41.151
87.251.75.0/24
89.187.182.87
89.187.183.76
91.191.209.110
92.204.240.75
92.255.85.0/24
94.232.40.0/21
98.175.213.148

Here are a few other ranges I’m blocking for various reasons:

  • Hungarian ISP MAGYAR-TELEKOM-MAIN-AS IP range (unceasing garbage): 94.27.128.0/17
  • MediaLand BPH IP range (generally just horrible): 45.141.84.0/24
  • EE-GIGAHOSTINGSERVICES (constant email relay attempts): 176.111.173.0/24
Edge, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for December 2021

Leave a comment

Time for another thrilling game of I Hope These Critical Security Updates Don’t Break Anything On My Computer with your permanent host, Microsoft.

This month’s edition includes approximately thirty-seven updates, with fixes for eighty-eight vulnerabilities, in Office, Defender, Edge, SharePoint, Visual Studio, Visual Studio Code, and Windows.

The challenge of counting the number of updates and vulnerabilities each month isn’t getting any easier, as some Microsoft applications (especially Edge) now update themselves outside of the monthly cycle. The source of both information and confusion about Microsoft updates is the Security Update Guide.

Microsoft isn’t showing any signs of giving up their ultimate power over your PC, and will continue to install updates pretty much at their whim, for the foreseeable future. Those of us still running Windows versions that are unsupported (7, XP), and soon-to-be-unsupported (8.x) are starting to seem like the last holdouts in a battle that’s already lost. The battle for control over our own computers.

Or maybe that’s just hyperbole.

Regardless of the status of automatic updates on your version of Windows, at this time of the month it’s a good idea to head over to the Windows Control Panel (or Settings), find Windows Update, and check for new updates.

Edge, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for November 2021

Leave a comment

To paraphrase butcher Oscar Wilde: the only thing worse than having to install security updates every month is having no security updates at all. If you’re not getting a steady supply of security updates, your software is probably no longer being developed or supported. If you’re just choosing not to install the available updates, you’re asking for trouble. Either is bad, but at least you can do something about the latter.

It’s my duty to inform you that — at least by my count — Microsoft has made available this day approximately twenty-nine updates for Windows, Office, Edge, Visual Studio, Exchange Server, SharePoint, Visual Studio Code, and Windows Server. A total of fifty-five vulnerabilities are fixed by the updates.

The source of this information is Microsoft’s Security Update Guide (SUG). It’s a sluggish and weirdly complicated system to navigate, but does seem to contain the necessary information.

As usual, this month’s collection includes updates for Windows 7, but those updates remain tantalizingly out of reach for most Windows 7 users, because obtaining them involves entering into a special agreement with Microsoft that’s way too expensive for regular folks.

Windows 10 systems get the updates automatically, and Windows 8.1 users — if automatic updates are disabled — should navigate to the Windows Control Panel and Windows Update to install them.

Java, Patches and updates, Security

Java 8 update 311

Leave a comment

Oracle just released its quarterly Critical Patch Update Advisory for October 2021.

As usual, there’s a section in the advisory for Java. The details show that previous versions of Java, including Java 8 Update 301, have fifteen known security vulnerabilities.

Java: What is it and why do I need it?

There’s a new version of Java that addresses the vulnerabilities in version 8u301: Java 8 Update 311.

If Java is installed on your computer, it’s a good idea to keep it up to date. If you’re not sure whether Java is installed, go to the Windows Control Panel and look for a Java entry. If it’s not there, great! You don’t use (or apparently need) Java.

Otherwise, click the Java Control Panel entry and go to the Update tab. Click the Update Now button to start the update process.

Edge, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for October 2021

Leave a comment

Like clockwork, Microsoft has once again provided us with a month’s worth of new security updates.

According to Microsoft’s Security Update Guide, this month there are patches for one hundred and seven vulnerabilties, in Office (2013, 2016, and 2019), Edge, Exchange Server, SharePoint, Visual Studio, System Center, Windows (7, 8.1, 10, and 11) and Windows Server.

As usual, Microsoft is taunting Windows 7 users with updates for that O/S, because most of us regular folks can’t afford them.

Windows 8.1 users — of which I’m one of the very few remaining — can either enable automatic updates, or navigate the Start menu to Windows Update to install available updates manually.

Windows 10 users can still delay updates, though just how long a delay is allowed depends on the flavour of Windows 10 you’re running. Windows 10 Home doesn’t give you much to work with in that respect.

Since Windows 11 isn’t even officially released yet, it’s difficult to predict exactly how updates will be handled for that O/S. However, it’s a safe bet that updates will be shoved down our throats as they are with Windows 10.

Microsoft, Windows 11

Windows 11 workarounds

Leave a comment

Windows 11 hasn’t even been released yet, and people are already looking for ways to work around some of the changes Microsoft has decided we really need.

First up, it’s the venerable Start menu, which for some reason Microsoft has decided to move from its traditional place at the bottom left of the display, to the bottom center. Perhaps because that’s the way macOS does it?

I have no problem with Microsoft making changes like these, as long as there’s a way to revert those changes. In this case, there’s no obvious way to do that, but helpful folks have found a workaround.

Next, it’s the incredibly annoying prompts, taskbar icons, alerts, and other associated distractions generated by Microsoft Teams. That software isn’t included with Windows 11, but Microsoft has packed the new O/S with what amounts to advertising for Teams. Again, helpful folks have figured out how to get rid of this crap.

Meanwhile, Mozilla has discovered how to get past the hurdles Microsoft erected to prevent Firefox from making itself the default web browser automatically. You’ve no doubt seen what is normally required to change the default browser on Windows 10 (which now affects Windows 11 as well): you’re forced to make the change manually.

Forcing the user to intervene in changing the default browser (and other applications) was added to Windows as a security measure, because otherwise malicious software could more easily take over affected applications. But Microsoft’s applications don’t seem to be affected by this restriction, making the whole thing seem more like Microsoft giving itself an unfair advantage.

Edge, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for September 2021

Leave a comment

Summer is winding down, young folks are risking their health going back to school, and anti-vaccination cretins are revealing to the world how incredibly stupid they are by protesting at hospitals.

The good news is that you can easily distract yourself from the bad news for a few minutes by doing something straightforward and comfortable. I’m referring, of course, to installing Microsoft updates on your Windows computers.

If you’re looking for detailed information about the updates being made available by Microsoft today, the best place to start is the official source: the Security Update Guide (SUG). I’m not saying you’ll find it easy to navigate (you likely won’t). But it is the official source.

For those of you not inclined to risk a migraine by looking at the SUG, I’ve done my usual analysis of this month’s offerings, based on data downloaded from the SUG and viewed in a spreadsheet application (any one will do).

This month’s patches address a total of ninety-three security vulnerabilities, in Office, Edge, SharePoint, Visual Studio, Visual Studio Code, Windows Server, Windows 10, Windows 7, and Windows 8.1.

The Windows 7 patches are not available to regular folks, and can only be obtained (legally) by paying Microsoft a large amount of money. Windows 7 users are encouraged to upgrade to, well, I guess Windows 10, which is currently somewhat less terrible than it was when it was released.

Windows 8.1 users — the few of us who remain — have the luxury of deciding whether and when to install updates via Windows Update.

Windows 10 users can only delay updates, and then only if you’re running the Pro (not Home) version.

Mobile, Spam and scams, Things that are bad

COVID-related phish received via text

Leave a comment

I just received a text message from someone pretending to be a representative of the Liberal Party of Canada.

The message, sent via SMS to my mobile phone from a phone number in Toronto, offers a monetary reward for being vaccinated for COVID-19, and invites the recipient to click a link to liberalparty-assist[dot]com. Here it is:

The phishing message I received on my phone this morning

If you receive this message, or anything similar, please do not click the provided link. I can’t be sure what will happen, but it won’t be good.

While I avoided clicking the phishing link, I did look into the site it points to. The domain is actually owned by a provider in Paris, France: M247-LTD-Paris. Definitely not anything to do with a political party in Canada. The phone number has been reported numerous times as a scam source.

Since the majority of Canadians have been vaccinated, this phishing message seems likely to attract many clicks from unsuspecting people. Sadly, that will include people who desperately need the money, as well as older folks and others who may not be as technically astute as the rest of us.

Some day it may be possible to track down the people responsible for these scams. I enjoy dreaming up interesting forms of punishment for these people.

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.

Close

Ad-blocker not detected

Consider installing a browser extension that blocks ads and other malicious scripts in your browser to protect your privacy and security. Learn more.