Monday, July 20, 2015

Time to remove Adobe Flash

Adobe Flash has led a moderately good life, but with its security flaws, and because Adobe keeps trying to install malware with each Flash update (see Keyliner article: Adobe installs Aggressive McAfee Security Scan Plus), it is time to disable, then uninstall, this product.

Will you miss Flash?  Probably not.  Most of the sites still using Flash are using it for advertising.  Some web games may use Flash, often to drive in-app purchases.  Finally, I have seen news video clips that still use Flash.  Better sites have changed to HTML5, mostly to accommodate Apple.

Important Update:  As of 2016.11, removing or disabling Flash will cause problems with airline ticketing sites, with some banking sites, and I noticed problems using Pandora.  This was enough of a nuisance that I had to undo these changes on my computers.



Follow these steps to disable Flash, then once satisfied, uninstall the program.  While disabled, if you find it is needed, it is only a click away to re-enable.  These steps were written for Microsoft Windows.

Disable Flash in Internet Explorer

Do this step, even if IE is not your default browser.


1.  Launch IE.  Open the top-line menu (File, Edit, View...) by pressing ALT, or by other-mouse-clicking just below the URL line and selecting "[x] Menu Bar"

2.  Select Top-menu "Tools", "Manage Add-ons"

3.  In Tools and Extensions, other-mouse-click "Shockwave Flash Object", choose "Disable"

4.  Click bottom "Close"

If you do not see Shockwave Flash, you may be running IE11 and the Flash Player may not be installed.  Microsoft calls this product "Shockwave Flash" -- this is the Flash Player, even though Adobe has a separate product called Shockwave.


Disable Flash in Mozilla Firefox

1.  Open the top-line menu (File, Edit, View..) by pressing ALT, or by other-mouse clicking a grey area next to the URL tabs and selecting [x] Menu Bar

2.  Select top-menu "Tools", "Add-ons"

3.  In the left-nav, select "Plugins"

4.  Locate the Shockwave Flash plugin.  Click the far-right button, changing from Always Ask (or Ask) to "Never Ask".

5.  Close the add-on manager tab to save the changes


Disable Flash in Google Chrome

1.  Launch Google Chrome.  In the URL, type chrome://plugins/  and press Enter.

2.  Locate Adobe Flash Player

3.  Click Disable

4.  Close the Tab


Testing
Open this site:
http://www.adobe.com/software/flash/about

If the top-section shows an animation, flash is still active.  If the area is blank, it has been disabled.  Ideally, test in each of your browsers.

If Flash is set to auto-update, it may re-enable the features.  I have not tested this thought.


Permanently Uninstalling Adobe Flash

For Windows 10:
Flash cannot be uninstalled (at least not through the control panel's Add-Remove).  Do the following to cripple it:
A.  In Control Panel, Flash, see the first [Storage] tab.
B.  Select "Block all sites from storing information on this computer"
C.  Click the button "Delete All"

If you are more adventurous, continue with these steps.  However, be aware this leaves Flash in a zombie state and future Windows updates to Flash will have problems -- but it still helps cripple the product.

D.  On the Windows Start Menu, Search for COMMAND (a DOS Prompt).  Other-mouse-click and choose "Run as Administrator"

E.  Type this command:  CD \Windows\System32\Macromed\Flash

F.  Type this command:  Regsvr32 /u Flash.ocx

G.  Ideally, you would also unregister "FlashUtil_ActiveX.dll" and you would rename "FlashUtil_ActiveX.exe" to some other name, but you will find you do not have rights and no amount of 'rights-granting' will give you enough power to completely kill this program.


For Windows 8 and older:
Once your testing is complete, remove Adobe Flash Player with these steps:

A.  Download the Uninstaller from Adobe.com

http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe

Save to a known location, such as your desktop.

Note: using the Control Panel's 'Programs and Features' to remove Flash is not recommended.

B.  Close all Browsers (IE, Firefox, chrome, etc.). 
C.  Close other programs, such as Yahoo Instant Messenger and any games that might use Flash.

D.  Using Windows File Explorer, locate the downloaded un-installer.  Launch the program and follow the prompts.

Next, follow these optional steps:

E.  Using Windows File Explorer, tunnel to these locations and delete all files and folders at these locations:

C:\Windows\System32\Macromed\Flash
C:\Windows\SysWow64\Macromed\Flash

F.  Using Windows File Explorer, type these addresses in the URL\file-line at the top of the screen:

%appdata%\Adobe\Flash Player  (note percents)
%appdata%\Macromedia\Flash Player  (note percents)

Delete all files and folders within these locations.

Source for this information was Adobe.com
https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html

G.  Reboot


Recommended Next Steps

Consider removing Acrobat Reader / Acrobat Reader DC.  Acrobat Reader has become a pig.  It is big, complex and cumbersome and it too has had more than its share of security problems.  With all of its features, most of which you never use, it also loads slowly.

Adding further insult, Adobe Reader keeps trying to install McAfee's advertising program "McAfee Security Scan plus", which I consider to be malware (see Keyliner article: http://keyliner.blogspot.com/2012/06/aggressive-mcafee-security-scan-plus.html).  Because of this, I never allowed the program to auto-update.

A simpler program, "Foxit Reader" is a free PDF reader and it perfectly replaces Adobe's Reader. 

1.  Using the Control Panel's "Programs and Features", uninstall Adobe Acrobat Reader or Adobe Acrobat Reader DC.

Optionally, use this recommended de-installer from Adobe.com.  Be sure to pick the correct version.  As of 2015.07, you probably want version "10.x and later".

http://labs.adobe.com/downloads/acrobatcleaner.html


2.  Download and install the Foxit Reader:

https://www.foxitsoftware.com/products/pdf-reader


As an aside, Adobe released the PDF format to the public domain and there are many other players in the PDF market.  I have been very comfortable with this change.  It displays all of my PDFs without issue.

It may seem I am on an anti-Adobe crusade with this article.  I am not.  It is just that Flash has become dangerous and Acrobat Reader has become unwieldy.

Thursday, July 16, 2015

PSExec - Access is denied

Solution: PSExec - Access is denied

Symptoms:
Using the Microsoft Sysinternals tool "PSExec" to execute a program on a remote server, this message is displayed on the source computer: Access is denied

Solution:
On the remote (destination) server or workstation, the calling credentials must be in that machine's Administrators group.

1.  On the remote server, open Windows Control Panel, Administrative Tools, Computer Management

2.  Still on the remote server, in Computer Management, under Users and Groups, add the user ID to the Administrators group.  This is the source machine's user ID/credentials (the machine launching PSExec).

On the remote server:

*  You do not need to build shares, but they are handy to shrink path lengths
*  You do not need to grant the remote ID "Execute" rights within the share
*  You do not need to worry about turning on File Sharing
*  Do not bother installing PSExec on the remote machine

This is regardless of whether the -u and -p parameters are used.  Because the user is in the Administrators group, it gets all of these rights regardless.  To my knowledge, you cannot bypass the Administrator requirement.


Discussion:
The local PSExec temporarily installs a service on the remote machine, and because it is building a new service "on the fly," it needs Administrative rights.  Because you have to grant Administrative rights, the elevated privileges trump all other rights.

The program literally copies a file, psexecsvc, to the remote server's Admin$ share and starts the service on that device.  When the command completes, the service is uninstalled.
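Because PSExec leaves exactly those two traces on the remote machine (an executable written into the Admin$ share, then a new service registered from it), a defender can spot PSExec use in the remote host's event logs.  The following is an added example, not code from the original post or from Sysinternals: it scans a handful of constructed event records shaped like Windows Security event 5145 (network share access, fields ShareName and RelativeTargetName) and System event 7045 (service install, fields ServiceName and ImagePath) and flags the PSExec pattern.  The sample records are made up for this example; the field names are assumed to follow the Windows event schema for those two event IDs, and the check matches both the real service name PSEXESVC and the post's spelling psexecsvc.

```python
"""Flag PSExec-style remote service installs in Windows event records.

Added example (not from the original post).  PSExec drops its service
binary into the remote host's ADMIN$ share and registers it as a
service, so the two traces to look for are a share write of an .exe
into ADMIN$ (Security event 5145) and the service install (System 7045).
"""
from dataclasses import dataclass

# Constructed sample records for this example; field names follow the
# Windows event schema for 5145 and 7045 (an assumption, not real logs).
SAMPLE_EVENTS = [
    {"log": "Security", "id": 5145, "ShareName": "\\\\*\\ADMIN$",
     "RelativeTargetName": "PSEXESVC.exe", "IpAddress": "10.0.0.25",
     "SubjectUserName": "myaccountname"},
    {"log": "System", "id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"log": "System", "id": 7045, "ServiceName": "wuauserv",
     "ImagePath": "%SystemRoot%\\system32\\svchost.exe -k netsvcs",
     "AccountName": "LocalSystem"},
    {"log": "Security", "id": 5145, "ShareName": "\\\\*\\Share",
     "RelativeTargetName": "report.xlsx", "IpAddress": "10.0.0.40",
     "SubjectUserName": "alice"},
]

# Real service name is PSEXESVC; the post spells it psexecsvc, so match both.
PSEXEC_TAGS = ("PSEXESVC", "PSEXECSVC")


@dataclass
class Finding:
    source: str   # which log/event produced the finding
    reason: str   # short human-readable explanation
    detail: str   # the values that triggered it


def is_psexec_service_install(ev):
    """System 7045 whose service name or image path is the PSExec service."""
    if ev.get("log") != "System" or ev.get("id") != 7045:
        return False
    name = ev.get("ServiceName", "").upper()
    image = ev.get("ImagePath", "").upper()
    return any(tag in name or tag in image for tag in PSEXEC_TAGS)


def is_admin_share_drop(ev):
    """Security 5145 where an executable is accessed inside ADMIN$."""
    if ev.get("log") != "Security" or ev.get("id") != 5145:
        return False
    share = ev.get("ShareName", "").upper()
    target = ev.get("RelativeTargetName", "").upper()
    return share.endswith("ADMIN$") and target.endswith(".EXE")


def scan(events):
    """Return a Finding for every event that matches one of the two traces."""
    findings = []
    for ev in events:
        if is_psexec_service_install(ev):
            findings.append(Finding(
                "System/7045", "PSExec service installed",
                f"{ev['ServiceName']} -> {ev['ImagePath']}"))
        elif is_admin_share_drop(ev):
            findings.append(Finding(
                "Security/5145", "executable written to ADMIN$",
                f"{ev['RelativeTargetName']} from {ev['IpAddress']} "
                f"as {ev['SubjectUserName']}"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.source}] {f.reason}: {f.detail}")
```

On the sample records this reports the ADMIN$ write and the PSEXESVC install and ignores the ordinary service and the ordinary share access.  Against real logs, the 5145 check needs share-access auditing enabled on the remote host; the 7045 check works out of the box, since Windows always logs new service installs to the System log.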



Other helpful hints:

*  On the Source computer, copy PSExec.exe into C:\Windows\System32 so it will be on the path
*  On the Source computer, launch PSExec.exe with no parameters at least one time to approve the Legal-accept screen

Example, as typed on the Source machine:

psexec.exe  \\RemoteServerName  \\RemoteServerName\Share\Path\program.exe
psexec.exe  \\RemoteServerName  "C:\Program Files (x86)\program.exe"  param-1  param-2
psexec.exe -accepteula \\RemoteServerName  "C:\Program......"  (etc.)

Different credentials can be used.  Naturally, this account must be defined in AD or as a local account on the remote server:

psexec.exe -u myaccountname -p mypassword   \\RemoteServerName  "C:\Program....."  (etc.)

Use psexec.exe /? for additional help and parameters.


What is PSExec:

This is a tool developed by the talented Mark Russinovich, now of Microsoft, that allows system administrators to execute programs on a remote computer without having direct control of the desktop or using a remote console.  It is part of Windows Sysinternals, formerly known as "power toys".  The "ps" refers to similar Unix system commands.

When the remote program runs, it runs *on* the remote computer -- not from the calling computer. 

For example, this command retrieves the ipconfig.exe program from the remote computer and runs it on your local computer -- giving you your own machine's IP configuration -- probably not what you wanted.

\\RemoteServerName\Share\ipconfig.exe

while: 
psexec.exe  \\RemoteServerName  "ipconfig.exe"

runs on the remote server, retrieves the remote server's IP configuration, and displays the results on your local computer.

Downloading PSExec

Download the program directly from Microsoft as a ZIP file.  An install is not required. 

From www.Microsoft.com, search for "PSTools" or "PSExec".
Download the ZIP file.
Open the ZIP and copy PSExec to C:\Windows\System32 or another directory of your choice.

It is helpful to have this program on the local workstation's path.  You do not need to install the program on the remote servers.


Wednesday, July 1, 2015

Virus Cleanup Steps

How To: Virus cleanup steps for Windows PCs.  General steps that work for almost all infections.

Over the years I have written many articles on how to clean up specific viruses, but the articles become dated and are less useful when other viruses take their place.  This article generalizes the steps I take for all infections.  Although time-consuming, the results are almost always good.

When cleaning viruses, it is best to boot from a non-infected virus-cleaning disk -- usually a bootable CD.  Because you are booting from a guaranteed non-infected operating system, and because it has full control of the hard drive, there are no locked or in-use files and the software gets complete access to the disk.  Because of this, it can clean the most stubborn infections.

Microsoft and other vendors now have free, bootable CDs.  To do the job right, you will have to run multiple products, from multiple vendors.  This will take time.



In General:

- Build the bootable CDs from a non-infected machine
- You will be building multiple CDs, from multiple vendors
- You can build bootable CDs or bootable USB sticks; I prefer CDs
- Build the disks on the day they are needed -- they become obsolete within a few days

Important: If you have a laptop, running Windows 8.x or 10.x, see below for concerns about UEFI disks***.


Build the CDs

From a non-infected computer

Download Windows Defender Offline

This is a bootable CD* that runs Microsoft's virus-cleaning utility.
http://windows.microsoft.com/en-us/windows/what-is-windows-defender-offline


- You must use Microsoft's Internet Explorer to download
- Always download and use the latest version
- It will download a stub program, msstools.exe.  Run this stub.
- It will build the CD automatically; follow the on-screen prompts or see the steps below.
- Most Windows 8, 7 and Vista users should choose the 64-bit version.


Download Kaspersky Rescue Disk

This is a bootable CD that is downloaded as an .iso file.  Use the .iso to build the CD.


http://support.kaspersky.com/us/viruses/rescuedisk#downloads
Click "Distributive" to download the ISO

- Click the Download Kaspersky Rescue Disk link.
- This will write an ISO file, which is a CD disk image.
- From Windows 7, 8 or 10, follow these steps to write the ISO file to a CD.


Download AVG Rescue CD

This may be overkill, but a third vendor may find things that the others miss.
 http://www.avg.com/us-en/avg-rescue-cd

- Click the AVG Rescue CD Free Download link; download the ISO version.
- See these keyliner steps to write the ISO file to a CD.



Begin the Cleanup

Once the bootable CDs have been built and labeled, do the following:


0.  MalwareBytes

If your machine is healthy enough to run other software, download and run this program from MalwareBytes.org on the infected machine.  This is my favorite anti-virus program.
https://www.malwarebytes.org/mwb-download/

If the machine is not healthy enough, download the installer from another computer and burn it to a CD.  Then disconnect the network cable from your infected computer, or disable the wireless.  Then run this program; it will probably succeed.  Because it is not on the wire, it won't be able to update its definition files; cancel the update and let it run a full scan with the version you downloaded.

- Select the Free Download
- Decline the offer to install the 30-day trial
- If possible, allow the program to update its definition / dictionary files
- Allow the program to do a full-system scan
- It will take hours to run.  It runs unattended.

Once it is complete, continue with the next bootable CD

If you cannot get MalwareBytes to install or run, continue with the next CD.


1.  Kaspersky First

Have your network cable plugged in or your wireless enabled.  Boot the computer with this CD and follow the on-screen prompts.

- Insert the Kaspersky CD into your drive and boot the computer.
- Hopefully, you are prompted "Press any key to boot from the CD"
- If you do not see this prompt, see below on how to change your BIOS boot Order**

Allow the program to do a full-system scan.  The program is a little weird.  Click the big red (or green) button in the upper-left corner to begin the process.  On the current version as of this writing, the button looks like a bunch of LEDs in a circle and it is not clear this is a button.

The scan will take hours and can run unattended.


2.  MSE Second

Boot the Microsoft CD and instruct it to do a full (not quick) scan.


3.  AVG - Optionally Third

Consider booting the AVG disk if you want to be even more thorough.  Personally, I have not actually done this, but if you have the time, it is worth the effort.  It may find something the others missed.


4.  Last Step

If you were unable to run MalwareBytes in Step 0, allow the computer to boot normally (without a bootable CD).  Install MalwareBytes and allow it to run.


In my experience, these steps have almost always fixed the computer, with one notable exception.

RANSOMWARE Viruses

If you detect a ransomware virus, the programs above will remove the virus, but they will not be able to save your data or many of your programs.  It will render your computer useless.  It is repairable, but your data will be lost.

(Ransomware viruses encrypt all of your data files, such as Word, WordPerfect, Excel, PPT, photos, etc., and invite you to pay a fee of $100-$500 for the decryption key.  The fee is usually paid in bitcoins, which are untraceable.  Under no circumstances should you pay.  To begin with, they will take your money and may not give a decryption key.  They may give the key, which will restore your data files, but will likely re-encrypt in the future and charge ransom again.  This is truly a lost cause.)

The only way I have found to 'recover' from this type of attack is to build your system recovery CD's (from your hardware vendor - usually a menu to build "recovery disks", or contact the vendor to have one shipped), format the hard disk and start over.  This will save the hardware, but all data will be lost.  Recover data from your backups.

Other Notes:

**BIOS Boot Order

Your PC may not allow booting from a CD.  Follow these rough steps, which vary by each computer model.

A.  Cold boot the PC
B.  At the hardware banner screen, press F10, or F12 or F2, to enter the BIOS Setup or Boot Setup menu.  Sadly, this varies.
C.  If you arrive at a UEFI Secure Boot screen, see the note below* before going further
D.  Enter the BIOS Setup (sometimes called simply "Setup").
E.  In the top BOOT menu, look for a choice that shows boot order.  Arrange the order so the CD is first to boot, then the Hard Disk.
F.  Most BIOS screens use a bottom-menu F10 to SAVE your changes.
G.  Allow the PC to reboot.  Watch the screen for "Press any key to boot from CD"


***UEFI Disks

Very new laptops with Windows 8.x or 10.x have UEFI (Secure Boot) protection, which prevents viruses from writing boot-sector changes.  Unfortunately, this also blocks bootable CDs from seeing the disk (UEFI is actually a very good security feature -- it just stops some of these tools).  If your vendor has signed drivers, they can boot, but as of this writing, I have not found a vendor who can do this.

For example, if you have a UEFI disk, Microsoft's MSE claims to be able to boot and clean the disk, but I have not yet got this to work.  I am still researching this.

If you have a UEFI disk, I do not know how to use these bootable CDs.  Your only hope will be MalwareBytes.

Your comments are welcome.