File copy issues with Symantec Endpoint Protection on Windows 7

I’ve been trying to copy some files from my work PC to my home PC. That should be straightforward enough – after all they are both running Windows 7 (x64) with all current updates installed – but I frequently found that Windows Explorer would hang in the middle of a file copy.  I found anecdotal evidence that disabling anti-virus software may help as the file filters can get in the way but my attempts to disable Symantec Endpoint Protection (SEP) were thwarted by the policies that my admins have, understandably, put in place.

It seems that certain versions of Symantec Endpoint Prevention (ahem…) Protection 11 have an issue with Server Message Block (SMB) 2.0 file copies. Disabling SMB 2.0 is one option, using the following commands on the client machine:

sc config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc config mrxsmb20 start= disabled

(I’m not sure if a reboot is required, but I rebooted anyway.)

Whilst this could potentially reduce performance of the file copy operation, I found that it did at least allow it to work. (There’s also an unofficial Symantec tool that can be used to disable/enable SMB 2.0 on Windows 7.)

Unfortunately, the copy process was still not flawless and several times a dialog box appeared warning about Error 0x8007046A: Not enough server storage is available to process this command. Restarting the Server service on the remote PC (net stop server, then net start server, answering Y to continue the operation when prompted about existing sessions or dependent services such as Computer Browser or HomeGroup Listener) and then clicking Try Again on the client let the copy process continue.

Once the file copy was completed, I enabled SMB 2.0 again, using:

sc config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc config mrxsmb20 start= auto
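The disable/copy/re-enable procedure above, wrapped up with a check that the change actually took, as an added PowerShell example (my own code, not from the original post or from Symantec/Microsoft). It assumes an elevated PowerShell prompt on Windows 7 and that sc.exe stores the service configuration under HKLM\SYSTEM\CurrentControlSet\Services, which is where the check reads it back; the function names are my own. Note that re-enabling must put mrxsmb20 back into the LanmanWorkstation dependency list, otherwise the SMB 2.0 redirector stays out of use even after its start type is set back to auto.

```powershell
# Added example (not from the original post): toggle the SMB 2.0 client
# (the mrxsmb20 mini-redirector) on Windows 7 with the same sc.exe commands
# the post uses, and verify the result by reading the service configuration
# that sc.exe writes to the registry. Run as Administrator; a reboot is
# required after each change before it takes effect.

$Workstation = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
$Smb2Client  = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb20'

function Get-Smb2ClientState {
    # Service 'Start' values: 2 = auto, 3 = demand (manual), 4 = disabled.
    $start   = (Get-ItemProperty -Path $Smb2Client  -Name Start).Start
    $depends = (Get-ItemProperty -Path $Workstation -Name DependOnService).DependOnService
    New-Object PSObject -Property @{
        Mrxsmb20Start            = $start
        Mrxsmb20Disabled         = ($start -eq 4)
        WorkstationDependsOnSmb2 = ([string[]]$depends -contains 'mrxsmb20')
    }
}

function Disable-Smb2Client {
    # Same two commands as the post: drop mrxsmb20 from the workstation
    # service's dependency list, then stop the driver from loading at boot.
    # 'sc' alone is an alias for Set-Content in PowerShell, hence sc.exe.
    & sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi | Out-Null
    & sc.exe config mrxsmb20 start= disabled | Out-Null
}

function Enable-Smb2Client {
    # Re-enabling must put mrxsmb20 BACK into the dependency list; reusing
    # the disable-time depend= line leaves the workstation service without
    # the SMB 2.0 redirector even once its Start value is auto again.
    & sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi | Out-Null
    & sc.exe config mrxsmb20 start= auto | Out-Null
}

# Usage (each change needs a reboot):
#   Get-Smb2ClientState                      # before: Mrxsmb20Disabled False, dependency True
#   Disable-Smb2Client; Restart-Computer
#   ... run the file copy over SMB 1.0 ...
#   Enable-Smb2Client;  Restart-Computer
#   Get-Smb2ClientState                      # after: Mrxsmb20Disabled False, dependency True
```

Get-Smb2ClientState reads the registry rather than parsing sc.exe qc output so that the check works identically in a script and at the prompt; if WorkstationDependsOnSmb2 comes back False after Enable-Smb2Client, the depend= line was typed without mrxsmb20.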

Sadly, the lost time circumventing issues caused by security software doesn’t seem to be a criterion used by IT departments when considering their approach to desktop service provision, which is another reason I believe that a “dirty” network is not such a bad thing.

How much is your personal information worth?

We’ve all heard the horror stories about personal information, such as credit card details, falling into the wrong hands and, thankfully, in many cases the banking system limits the damage but it’s a growing problem.

Now Symantec have issued the results of some research which shows that this information may be sold on the black market for as little as a few pence as cyber criminals use generous retail promotions like bulk buying and “try before you buy” to sell consumer information and credit card details to other criminals. According to the Internet Security Threat Report 2009 e-mail addresses and accounts are traded among criminals from as little as five pence to as much as £60, with a full identity going for around £45. I don’t know about you but I find those figures to be alarmingly low – until I read on and discover that, according to Symantec, more than 10 million stolen identities are traded each year on the black market.

The online black market is booming compared to real-world criminal activity. It is more profitable, harder to prosecute and provides anonymity. Whereas on the streets of London Metropolitan Police figures indicate that a crime is committed every 37 seconds, an identity is stolen online every three seconds.

So how does this happen? Well, much of the information is harvested using malware on our PCs with many victims unaware that their computer is a “zombie” acting as part of the botnets that are the main source of online fraud, spam and other scams on the Internet today. In addition, we are putting increasing volumes of personal information onto the web through social networking. Meanwhile, action against criminals is hampered by the fact that national laws typically lag behind technological advances and the fact that the Internet is a global network and so requires co-operation from multiple law enforcement agencies.

So, what can we do about it? Well, much of the information in this blog post comes from Symantec/Norton and it’s no surprise that they would like us to buy the latest version of their security suite but, even if you use another reputable company’s security products, it’s worth checking out the advice on their Every Click Matters site including a victim assessment tool that helps you assess your risk (and black market worth) and 10 simple steps we can all take to stay safe. Maybe you, as a reader of this blog, know what to do – but it may be worth highlighting the advice to less-technical friends and family.

What does your digital tattoo say about you?

We’ve all heard of employers Googling prospective (and current) employees to check out their history/online status and there’s the recent story that went viral about someone who forgot she’d added her Manager on Facebook before bitching about her job (needless to say she didn’t have a job when he read what she had to say). Then there’s the story of the Australian call centre worker who was too drunk to work and pulled a sickie… only to be busted on Facebook.

Maybe these things sound like something that happens to someone else – none of us would be that stupid, would we?

Actually, it can happen to the best of us, although maybe not in quite such an extreme manner. I’ve become a bit of a Twitter evangelist at work (David Cameron might say that makes me something else…) and, after one of my colleagues suggested that my new manager check out my feed as an example of effective technical knowledge sharing, I hastily checked for any potential lapses of judgment. I did actually remove an update that was probably OK, but I didn’t want to chance it.

Generally I’m pretty careful about what I say online. I never name my family members or give out my address, family photos are only available to a select group of people, I don’t often mention the name of the town where I live (although this blog is geotagged) and I am very careful to avoid mixing the details of my day job too closely with this website (technical knowledge sharing is fine… company, partner and customer details are not).

It seems that there is a generation of Internet users who are a little more blasé though and Symantec are advising consumers against the dangers of sharing their personal information on the ‘net, referring to a “digital tattoo” (described as “the amount of personal information which can be easily found through search engines by a potential or current employer, friends or acquaintances, or anyone else who has malicious intent”).

The digital tattoo term seems particularly apt because there is a misconception that, once deleted, information is removed from the ‘net but that is rarely the case. Just like a physical (skin) tattoo, removing a digital tattoo can be extremely difficult with the effects including hindered job prospects and identity theft. Symantec’s survey revealed that 31% of under-25s would like to erase some of their personal information online. Nearly two-thirds have uploaded personal photographs and private details such as postcodes (79%) and phone numbers (48%) but, worryingly, one-in-ten under-25s have put their bank details online (not including online purchases) and one-in-20 have even noted their passport number!

Of course, there are positive sides to social networking – I personally have benefited from an improved relationship with several technology vendors as a result of this blog/my Twitter feed and it’s also helped me to expand my professional network (backed up with sites like LinkedIn and, to a lesser extent, Facebook). What seems clear is that there is a balance to be struck and today’s young people have clearly not been sufficiently educated about the dangers of life in an online society.

Tracking down the source of my overheating MacBook

My home office is a warm place. I don’t have a thermometer in here, but there is a fair amount of IT kicking out a fair amount of heat. Even so, there are two machines that make a noticeable difference – the Fujitsu-Siemens Lifebook S7210 that I use for work, and my Apple MacBook – both of which have 2.2GHz Intel Core 2 Duo CPUs (T7500 “Merom”) and 4GB of RAM. Admittedly, the MacBook has also been upgraded with a 320GB disk but Apple now offers a similar, if not identical, option in its current MacBook White model.

It’s quite normal to hear the fan blowing on the MacBook, and iStat Menus regularly suggests temperatures of 50-60°C, but last weekend it seemed the fan was running almost non-stop, and I saw reported CPU temperatures in the high 80s (even peaking at 90°C). After shutting down many applications to reduce the load on the system (iTunes, Photoshop and Bridge CS3, VMware Fusion) and ejecting my external hard disk, it still wasn’t coming down, so I began to have a look around on the ‘net.

The best advice I found was on a Mac Rumors forum post which suggested running up Activity Monitor to see which process was driving up the CPU utilisation (and therefore making the machine run hot)… sure enough, it was a Norton AntiVirus process!

It may have been coincidence that the product doing this was one which has such a bad name as a resource hog (I’m told the 2009 products are not as resource hungry as their predecessors but this is Norton AntiVirus 11 for Mac, which, according to the copyright notice, dates back to 2007). Whatever the cause, killing that process dropped the CPU utilisation and within seconds the machine was back down to a more normal level.

Symantec and Veritas – after the merger

Symantec/Veritas merger completion

Last December, I blogged about the merger between Symantec and Veritas. Then, a couple of weeks ago, I got the chance to see Mark Seager, Symantec‘s VP Technology (EMEA), present about the new organisation. Apologies if what follows appears to be a marketing plug for Symantec, but bear in mind where the information came from – I still think it makes some valid points.

Symantec’s view is that information is the “fuel” driving the global economy. Often, this information is irreplaceable and the IT department is its custodian. According to the UK Department of Trade and Industry, 70 percent of organisations that experience serious data loss go out of business within 18 months.

Symantec quotes the following fast facts:

  • A University of California at Berkeley study suggests that we will create more data in the next 3 years than we did in the last 40,000.
  • The number of Internet users is expected to triple between 2001 and 2007 to 1.5 billion.
  • It is estimated that corporate data storage requirements are doubling every six to nine months and the resulting cost of managing new storage is five to seven times the price of the storage.
  • In the second half of 2005, the average time between the disclosure of a vulnerability and the release of an associated exploit was 6.0 days.

On the surface, some of these statistics may seem a little unbelievable (after all they do originate from a vendor of security and storage management products) but taking the data growth statistic, consider the growth in broadband Internet services and the mobile phone operators who have reached complete market saturation but still have huge costs to cover for third generation (3G) mobile phone licenses. The networks need to get users to transfer to their 3G networks and to do that they need a killer application, for example live TV. Even on the reduced-size screen of a mobile handset, that represents a lot of data.

Furthermore, network managers used to look at securing the perimeter network but nowadays that perimeter doesn’t exist. Remote users with VPN connections and mobile users with data on portable devices mean that security has to be all-pervasive. Combined with the advances in the incidence of social engineering (including phishing attacks), the security landscape is shifting.

Symantec have traditionally looked at risk management from a security management perspective (i.e. when information is unsecured, business is at risk). The Veritas approach was around failure management – whether it was environmental, component, or human error (i.e. when information is unavailable, business is at risk). Bringing together the two organisations makes a lot of sense, with significant synergies but very little product overlap. The new strategy is that when failure occurs, security management processes take over.

Worldwide, there are three areas in particular where pressures are having an increasing (and significant) effect on businesses: regulatory compliance, operational requirements and security threats. Compliance has to be demonstrable. IT operations are under pressure to drive out extra costs (like security tools for threat management) and IT is often inefficient, built on 3 or 5 year growth plans and siloed for a particular application, leading to typical storage utilisation of just 50% and only 20% CPU utilisation. By comparison, imagine what would happen if an organisation’s office space was purchased using a similar model of keeping it half empty to allow for growth!

The result is ever-greater demands on the IT infrastructure at the same time as a need to drive out cost. What is needed is a dynamic IT infrastructure.

Seager discussed the concept of an “electronic chain” of information from the user/client, through the gateway, network and servers, to the application, with its database and associated storage. This may be replicated many times over within an organisation or with different customers, suppliers and partners. This “information stack” needs to be secure, available and performant. Furthermore, it needs to support operational requirements (consider a bank ATM – a typical customer doesn’t care that the back-end system is 99.999% available – they just need enough ATMs to be available at a particular time so that they can withdraw money without queuing).

What if…

  • …an external threat alert could trigger an internal assessment?
  • …internal audit correlated with intelligence for patch management?
  • …external intelligence could prompt more frequent backups, end-to-end from remote user to data centre?
  • …performance issues could be proactively addressed (e.g. network storms, system issues, human errors, system vulnerabilities), in-plan (not on-overtime)?
  • …early warning could trigger failover to a secure network?
  • …a compromised system could automatically be recovered?
  • …all of these actions were audited to show compliance with company standards?

Symantec claim to be able to meet this through products in four segments that cross the information stack:

  • Security infrastructure and management tools.
  • Storage management capabilities to ensure that information is continuously available.
  • Data management solutions to reduce the risk of downtime.
  • Application service management to allow dynamic service provision.

All of this is wrapped up by intelligence – what Symantec refer to as insight – from the combined experience of Symantec and Veritas with a worldwide capability of:

  • 5 security operations centres.
  • 81 monitored countries.
  • 28 support centres.
  • 20000 sensors in 180 countries.
  • 8 security response labs.

Of course, there is also a healthy dose of reality required here – if an expenses policy didn’t restrict me to certain expectations when travelling on business I would always stay in the penthouse suite at a luxury hotel and have a fantastic meal at the best restaurant in town but the reality is probably more like a standard room at a normal business-class hotel, with a curry from the local Indian restaurant. Likewise, the level of information protection for an organisation’s IT infrastructure has to be selected based on realistic requirements and in line with budget constraints.

The integration of Symantec and Veritas has now started, with a three stage plan:

  • Stage 1 is to ensure interoperability between Symantec and Veritas products, ensuring that all of the technologies offered work together and developing solutions which combine services and technologies from across the portfolio. No products are classified as “end of life” (even though some have alternative views on the same issues).
  • Stage 2 will ensure that common components are used and that there is consistency across the product set, focusing on key areas of integration and identifying the product areas that will deliver the most immediate synergies (common user interface, common licensing terms, common installation, LiveUpdate integration, integrated support infrastructure, product-to-product integration).
  • Stage 3 is about new value – through deeper technology integration but also integration in other aspects of customer relationships such as support offerings, and license management.

Symantec now claims to be able to deliver an end-to-end solution to “keep your business up, running and growing, no matter what happens”. They use an e-mail scenario as an example, controlling unsolicited commercial e-mail (UCE), managing data volumes and ensuring system availability (as shown in the diagram below) but a similar model could be applied to many enterprise applications.

E-mail security

The Symantec Internet security threat report

Earlier today, I downloaded the Eighth Edition of the Symantec Internet Security Threat Report. Published twice a year, this report highlights trends in the Internet security space and the following list highlights some of the key findings (according to Symantec).

Vulnerability trend highlights:

  • Symantec documented 1,862 new vulnerabilities, the highest number since Symantec started tracking vulnerabilities in six-month increments.
  • The time between the disclosure of a vulnerability and the release of an associated exploit was 6.0 days.
  • The average patch-release time for the past 6 months was 54 days. This means that, on average, 48 days elapsed between the release of an exploit and the release of an associated patch.
  • 97% of vulnerabilities were either moderately or highly severe.
  • 73% of reported vulnerabilities this period were classified as easily exploitable.
  • 59% of vulnerabilities were associated with web application technologies.
  • 25 vulnerabilities were disclosed for Mozilla browsers and 13 for Microsoft Internet Explorer.

Attack trend highlights:

  • For the fourth consecutive reporting period, the Microsoft SQL Server Resolution Service Stack Overflow Attack was the most common attack, accounting for 33% of all attacks.
  • Symantec sensors detected an average of 57 attacks per day.
  • TCP port 445, commonly implemented for Microsoft file and printer sharing, was the most frequently targeted port.
  • Symantec identified an average of 10,352 bots per day, up from 4,348 in December 2004.
  • On average, the number of denial of service (DoS) attacks grew from 119 to 927 per day, an increase of 679% over the previous reporting period.
  • 33% of Internet attacks originated in the United States, up from 30% last period.
  • Between January 1 and June 30, 2005, education was the most frequently targeted industry followed by small business.

Malicious code trend highlights:

  • Symantec documented more than 10,866 new Win32 virus and worm variants, a 48% increase over the second half of 2004 and a 142% increase over the first half of 2004.
  • For the second straight period, Netsky.P was the most reported malicious code sample. Gaobot and Spybot were the second and third most reported, respectively.
  • Malicious code that exposes confidential information represented 74% of the top 50 malicious code samples received by Symantec.
  • Bot-related malicious code reported to Symantec made up 14% of the top 50 reports.
  • 6,361 new variants of Spybot were reported to Symantec, a 48% increase over the 4,288 new variants documented in the second half of 2004.

Additional security risks:

  • Adware made up 8% of the top 50 reported programs, up from 5% in the previous reporting period.
  • Eight of the top ten adware programs were installed through web browsers.
  • Six of the top ten spyware programs were bundled with other programs and six were installed through web browsers.
  • Of the top ten adware programs reported in the first six months of 2005, five hijacked browsers.
  • Messages that constitute phishing attempts increased from an average of 2.99 million per day to approximately 5.70 million per day.
  • Spam made up 61% of all email traffic.
  • 51% of all spam received worldwide originated in the United States.

Some interesting (and some frankly frightening) statistics there. Definitely worth a read for any network administrator or IT manager.

Symantec and Veritas to merge

December seems to be the month for high-profile corporate takeovers in the IT world!

A couple of weeks back IBM sold its PC business.

Then last week Microsoft bought an anti-spyware company.

Now I’ve read that Symantec and Veritas are to merge in a $13.5bn deal.

I regularly recommend Veritas’ BackupExec suite of products to corporate clients because it is so well integrated with the Microsoft platform – indeed, the Backup utility for Windows (NTBackup) is actually a cut-down version of BackupExec. Let’s just hope that the new company will be as quick to embrace new Microsoft technologies as Veritas has been in the past.