Book Review: Windows Virus and Malware Troubleshooting by Andrew Bettany and Mike Halsey

Summary: A very useful volume that discusses what malware is, how to defend against it and how to remove it. Clear and simple instructions are given on ways to improve security on your PC, as well as how to deal with malware that may end up on your PC. Recommended.

Presented in a very easy to read writing style, this book immediately appeals due to the clear, concise and no-nonsense approach taken when discussing malware, what it is, how it can attack and affect your PC, how to defend against it and what to do if the worst should happen and your PC gets infected.

The first chapter provides a nice potted history of viruses and malware on PCs, discussing the various types and how both the proliferation and seriousness of infections has risen from the very first, typically benign examples to the modern day infections such as ransomware that has been in the news so much recently.

Chapter 2 deals with prevention and defence, and introduces the many security features that are built into modern versions of Microsoft Windows to help stop the initial infection. There’s a clear progression in security features as newer versions of Windows have been introduced, and it’s interesting to compare the versions of Windows that were most susceptible to the recent ‘WannaCry’ ransomware attack. Looking at the features discussed (and having been to a few presentations on the subject), this provides an excellent set of reasons for an upgrade to Windows 10 if you’ve not already done so!

Chapter 3 discusses defence in depth and includes information on firewalls, including the Windows firewall, as well as organisational firewalls (I.e. hardware firewalls and appliances) and how to generate a multi-layer defence. While at first glance this section appears to be more targeted at the organisational user, it’s actually also targeted at the home user with a hardware router/firewall combination, and some clarification that this is the case would, I feel, have been useful here. This chapter also bizarrely includes a section on keylogging software, which I feel would have been more useful in the first chapter

This chapter also provides some information on blacklists and whitelists (I.e. internet filtering) and the Internet of Things (IoT). For both of these sections I feel that there’s perhaps been a bit of a lost opportunity, for example a brief discussion of the filtering options available might have been helpful for home users (e.g. my Netgear router at home comes complete with an OpenDNS-based filtering option that can be enabled and configured quickly and easily and seems to provide reasonable protection) and further information on IoT security recommendations, particularly changing the default username and password on devices would be beneficial here.

Chapter 4 deals with identifying attacks starting with how malware infects a PC and providing pointers on how to identify both internal and external attacks. I was very pleased in this section to see information on social engineering and the role that this plays in malware infections.

Chapter 5 provides a very useful list of external resources that can be utilised to help protect your PC and clean a malware infection, including the Microsoft Malware Protection Center, a great location for finding updates, additional security recommendations and products etc. This chapter also provides some limited information on third-party tools that are available. Again, I would have liked to see a more expansive list here, and it’s worth mentioning that many anti-virus vendors provide a free option of their products.

Chapter 6 deals with manually removing malware, and for me this was probably the most useful part of this book. What do you do when malware has ended up on your PC despite your best efforts and you’re now having issues running the automated tools to get rid if it? This chapter helps in this scenario, and provides some steps to take to identify what’s running on the PC, suspend and/or kill the process and remove the infection. In particular I’m pleased to see the Microsoft Sysinternals tools discussed (albeit briefly) as they are my ‘go to’ toolset when dealing with an infection on a PC. If you’re interested in these and how they can be used, it’s worth looking at some of Mark Russinovich’sCase of the Unexplained’ videos as Mark goes through the use of these tools in more detail.

There are one or two downsides; the book is only a slim volume. This has both plusses and minuses insofar as being slim, more people are likely to read it end-to-end and therefore benefit the most from it, however in one or two areas a few more details might be appreciated. For such a slim volume, it’s also more expensive than I would hope for at an RRP of £14.99, which may limit its take-up.

All in all however this is a very easily accessible book that provides great guidance on how to secure your PC, what to watch out for and how to deal with a malware infection. I’ll be encouraging a few people I know to buy a copy and read it!

Title: Windows Virus and Malware Troubleshooting
Author(s): Andrew Bettany, MVP and Mike Halsey, MVP
Publisher: Apress
ISBN-13: 978-1-4842-2606-3

Windows Home Server 2011 Backup of UEFI/GPT Windows 8.1

Since upgrading to Windows 8.1 at home, I’ve had issues with backing up the computer using my Home Server (not that I helped by introducing a GPT disk and a UEFI rig at the same time…). The symptoms were that the client backup process appeared stuck at 1% progress for a long time before eventually failing.

I finally got a bit of time to look at the machines in question over the weekend and here are the issues that appeared to be causing problems for which I needed to find solutions:

  • The PC is a UEFI machine.
  • The PC uses a GPT hard disk.
  • A VSS error was appearing in the event log on the PC being backed up.
  • A CAPI2 error was appearing in the event log on the PC being backed up.

The first two issues were dealt with quickly by a hotfix for Home Server 2011: http://support.microsoft.com/kb/2781272. Note that the same issue also affects Windows Storage Server 2008 R2 Essentials and Windows Small Business Server 2011 Essentials. More information for these platforms can be found at http://support.microsoft.com/kb/2781278

The VSS error manifests as the event 8194 appearing in the event log of the PC that the backup attempt is run on:

VSS Error 8194

Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
. This is often caused by incorrect security settings in either the writer or requestor process.

Examination of the binary data for event 8194 indicates that ‘NT AUTHORITY\NETWORK SERVICE’ is account receiving the access denied error:

VSS Error Binary Data

Event 8194 is caused by the inability of one or more VSS system writers to communicate with the backup application VSS requesting process via the COM calls exposed in the IVssWriterCallback interface. The issue is not caused by a functional error in the backup application, but rather is a security issue caused by the selected VSS writers running as a service under the ‘Network Service’ (or ‘Local Service’) account, not the Local System or Administrator account. By default, in order for a Windows service to perform a COM activation it must be running as Local System or as a member of the Administrators group.

There are two ways to fix this issue; either change the account under which the erroring VSS writers are running from Network Service to Local System (at which point the service will be running with higher privileges than was originally designed), or add the Network Service account to the list of default COM activation permissions allowing this user account to activate the IVssWrtierCallback interface. This latter option is the preferred one to use and can be performed by completing the following steps:

  1. Run dcomcnfg to open the Component Services dialog.
  2. Expand Component Services, then Computers and then right-click on My Computer and select Properties:
    Component Services
  3. Select the COM Security tab and click the Edit Default… button in the Access Permissions area at the top of the dialog.
  4. Click Add and enter Network Service as the account to be added.
  5. Click OK and ensure that only the Local Access checkbox is selected.
  6. Click OK to close the Access Permission dialog, then clock OK to close the My Computer Properties dialog.
  7. Close the Component Services Dialog and restart the computer to apply the changes. Event 8194 should not longer appear in the event log for the Home Server backup.

The CAPI2 error manifests as the event 513 appearing in the event log of the PC that the backup attempt is run on:

CAPI2 Error 513

Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details: AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
System Error:
Access is denied.
.

The Microsoft Link-Layer Discovery Protocol binary is located at C:\Windows\System32\drivers\mslldp.sys. During the backup process, the VSS process running under the Network Service account calls cryptcatsvc!CSystemWriter::AddLegacyDriverFiles(), which enumerates all the driver records in Service Control Manager database and tries opening each one of them. The function fails on the MSLLDP record with an ‘Access Denied’ error.

The mslldp.sys configuration registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsLldp and the binary security descriptor for the record is located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsLldp\Security.

Examining the security descriptor for mslldp using AccessChk (part of the SysInternals suite, available at http://technet.microsoft.com/en-us/sysinternals/bb664922) gives the following result (note: your security descriptor may differ from the permissions below):

C:\>accesschk.exe -c mslldp

Accesschk v5.2 – Reports effective permissions for securable objects
Copyright (C) 2006-2014 Mark Russinovich
Sysinternals – www.sysinternals.com

mslldp
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  RW S-1-5-32-549
  R  NT SERVICE\NlaSvc

Checking the access rights of another driver in the same location gives the following result:

C:\>accesschk.exe -c mspclock

Accesschk v5.2 – Reports effective permissions for securable objects
Copyright (C) 2006-2014 Mark Russinovich
Sysinternals – www.sysinternals.com

mspclock
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  R  NT AUTHORITY\INTERACTIVE
  R  NT AUTHORITY\SERVICE

In the case of mslldp.sys, there is no entry for ‘NT AUTHORITY\SERVICE’, therefore no service account will have access to the mslldp driver, hence the error.

To correct this issue, complete the following steps:

  1. From an elevated command prompt, run
    sc sdshow mslldp
    You should receive the following output, or something similar:
    D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
    Note: Details on Security Descriptor Definition Language can be found at http://msdn.microsoft.com/en-us/library/windows/desktop/aa379567(v=vs.85).aspx
  2. Add the ‘NT AUTHORITY\SERVICE’ entry immediately before the S::(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) entry and use this with the sdset option, for example using the output from the sdshow option above, this would be:
    sc sdset MSLLDP D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
    Note: The above should all be on a single line when entering/pasting it; do not include line breaks in the command. It’s also important to use the output you receive from the command rather than that which I got as yours may be different.
  3. Check the access permissions again with:
    accesschk.exe -c mslldp
    You should now see a list of permissions that includes ‘NT AUTHORITY\SERVICE’:
    C:\>accesschk.exe -c mslldp
  4. Accesschk v5.2 – Reports effective permissions for securable objects
    Copyright (C) 2006-2014 Mark Russinovich
    Sysinternals – www.sysinternals.com

    mslldp
      RW NT AUTHORITY\SYSTEM
      RW BUILTIN\Administrators
      RW S-1-5-32-549
      R  NT SERVICE\NlaSvc
      R  NT AUTHORITY\SERVICE

  5. Now that the ‘NT AUTHORIT\SERVICE’ permission has been added, Network Service should be able to access the mslldp.sys driver file.

Following the above fixes, my computer is now being successfully backed up using Home Server 2011.