DOCSLIB.ORG

ACRONIS BACKUP TROUBLESHOOTING Performing Basic Acronis Backup and Acronis Backup Cloud Troubleshooting

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
ACRONIS BACKUP TROUBLESHOOTING Performing Basic Acronis Backup and Acronis Backup Cloud Troubleshooting ACRONIS BACKUP TROUBLESHOOTING Performing basic Acronis Backup and Acronis Backup Cloud troubleshooting Acronis Training and Certification – Authorized Use Only 1 Module Outline 1. Acronis Backup Troubleshooting Steps 2. Acronis Support Resources 3. Collecting Acronis Backup System Information and Logs 4. Troubleshooting Tools 5. Acronis Troubleshooting Guidelines 6. Acronis Customer Service & Support Acronis Training and Certification – Authorized Use Only 2 Acronis Backup Troubleshooting Steps Steps for performing troubleshooting Acronis Training and Certification – Authorized Use Only 3 1. Acronis Backup Troubleshooting Steps Review UG and Find out exact KB to understand software behavior expected Learn product functionality or error message behavior Search for the Review training known issues in content for release notes, KB troubleshooting Find known issues or forums guidelines Troubleshoot Collect necessary Try available Collect troubleshooting using suggested logs and Contact Acronis solutions and methods and troubleshooting Support workarounds information and escalate tools tools’ outputs Acronis Training and Certification – Authorized Use Only 4 Acronis Support Resources Resources available from Acronis Acronis Training and Certification – Authorized Use Only 5 2. Acronis Backup Documentation ‒ User guide is available for viewing in Backup Console > About or from the Help button ‒ User guide is also available on Acronis website’s Support > Documentation page: http://www.acronis.com/en-us/support/documentation/ ‒ Other technical documentation such as Integration references, are also available on the same page Acronis Training and Certification – Authorized Use Only 6 2. Acronis Knowledge Base ‒ Acronis Knowledge Base is source of official information on: ▪ Product functionality ▪ Product limitations and known issues/workarounds ▪ Product troubleshooting techniques and tools ▪ Product support information. ‒ Acronis Backup articles are listed by topics at: https://kb.acronis.com/acronis-backup-12-5 ‒ Acronis Backup Cloud articles are listed by topic at: https://kb.acronis.com/acronis-backup-cloud ‒ Troubleshooting articles for all Acronis products: https://kb.acronis.com/dst Acronis Training and Certification – Authorized Use Only 7 2. Acronis Knowledge Base Search Rules ‒ Use the following rules to enhance keyword search in Acronis KB: ▪ Use quotation marks “write error” “failed to read snapshot” ▪ Use the (-) sign to exclude a word/phrase “creating bootable media” –”mac” ▪ Use the (+) sign to include a word/phrase “shadow copy provider” + “fail” ▪ Use product filters Acronis Training and Certification – Authorized Use Only 8 2. Acronis Support Forums ‒ Acronis Support Forums is an open community where you can get in touch with: ▪ Acronis Customer Service & Support Team ▪ Acronis Development Team ▪ Acronis Forum MVPs and other Service Providers. ‒ Requires Acronis web account in order to post in the discussion boards ‒ For Acronis Backup-related discussions: https://forum.acronis.com/forum/acronis-business- products-discussions/acronis-backup-125 ‒ For Acronis Backup Cloud-related discussions: https://forum.acronis.com/forum/solutions-service- providers/acronis-backup-cloud-forum Acronis Training and Certification – Authorized Use Only 9 Collecting Acronis Backup System Information and Logs Collecting system information and logs for troubleshooting Acronis Training and Certification – Authorized Use Only 10 3. Collecting System Information ‒ Acronis System Information is a collection of diagnostic files and logs that can be collected from a machine with an Agent or Management Server installed or from Acronis Bootable Media Windows Linux Acronis Training and Certification – Authorized Use Only 11 3. Collecting System Information ‒ There are 3 ways to collect System Information: ▪ From Activities > Collect system information on a machine with an Agent or Management Server installed ▪ From Help > Collect system information from Acronis Bootable Media ▪ Using the standalone Acronisinfo utility. Download from https://kb.acronis.com/acroinfo for Windows and for Linux, follow the instructions on https://kb.acronis.com/linuxreport ▪ Save the resultant compressed archive (.zip or .tar.bz2). Take note that it may take some time for the required information to be collected and that it can be very large in size Acronis Training and Certification – Authorized Use Only 12 Troubleshooting Tools Recommended Troubleshooting Tools Acronis Training and Certification – Authorized Use Only 16 4. List of Application Processes Windows Process Name Linux & Mac Process Name Component Function service_process.exe service_process Agent Backup, replication, restore, validation operations mms.exe mms Agent Manages tasks and processes on the machine schedule (Linux) schedul2.exe Agent Executes scheduled tasks on certain events schedwrapper (Mac) Cron (Linux) schedhlp notifies about logon/logoff schedhlp.exe Agent launchd.plist (Mac) cron/launchd triggers scheduler agent.exe agent Agent Provides connectivity with Management Console Shows tray notifications about tasks and agent mmsmonitor.exe - Tray Monitor status <backup_agent_[version]>.exe <package_name> Installer Installation systeminfo.exe systeminfo System Report Collects system information Acronis Training and Certification – Authorized Use Only 17 4. List of Troubleshooting Tools Tool When to collect How to collect Link Size of log AcronisInfo / ▪ From Backup Console Any issue with Agent http://kb.acronis.com/content/2707 ~1MB – 100MB System Information ▪ Run tool Connection Connectivity issues ▪ Run tool and capture screenshot https://kb.acronis.com/content/47678 ~100KB Verification Tool ▪ Run tool and work in CMD, capture Scheduler Manager Issues with scheduled tasks https://kb.acronis.com/content/1859 ~100KB screenshot http://www.acronis.com/en- ▪ Run tool - Acronis VSS Doctor sg/personal/vss-diagnostic-free-tool/ Issues with VSS snapshots: ▪ Disk and file backup ▪ From CMD and capture screenshot VSSADMIN https://kb.acronis.com/vsslog ~5KB ▪ Application backup ▪ Run script ▪ Hyper-V backup DiskShadow ▪ From CMD and capture screenshot https://kb.acronis.com/content/45472 ~100KB ▪ File access issues Process Monitor https://kb.acronis.com/content/2295 ~20MB – 500MB ▪ Performance issues ▪ From UI ▪ *.zip after creating Wireshark / tcpdump Connectivity issues https://kb.acronis.com/content/1763 ~10MB – 500MB Procdump https://kb.acronis.com/content/27931 ~50MB – 500MB ▪ Crash ▪ From CMD/Terminal ▪ Lockup ▪ *.zip after creating Strace https://kb.acronis.com/content/37659 ~50MB – 500MB Acronis Training and Certification – Authorized Use Only 18 4. Connection Verification Tool ‒ Connection Verification Tool is a Windows-based port checker by Acronis that verifies network connectivity to Acronis cloud management and storage ‒ Used for: ▪ Connectivity issues (cloud-based Backup Console not accessible) ▪ Backup/restore to/from cloud failures (cloud storage not accessible) ▪ Backup/restore to/from cloud and network folder interruptions Acronis Training and Certification – Authorized Use Only 19 4. Connection Verification Tool ‒ Use the following instructions to collect Connection Verification Tool output: 1. Download Connection Verification Tool at https://kb.acronis.com/content/47678 2. Open Windows command-line and run these commands: cd <path_to_folder> msp_port_checker_en-US_x86.exe -u=<login> -p=<password> where <login> is your Backup Account and <password> is the password for that Backup Account 3. Check the output of the tool and see whether all hosts were successfully accessed. If any problems are identified, the Connection Verification Tool will tell you which port to open 4. If you need to provide Connection Verification Tool output to Acronis Customer Service & Support, create a screenshot of the screen. Acronis Training and Certification – Authorized Use Only 20 4. Scheduler Manager ‒ Scheduler Manager is a command-line utility that allows you to manage scheduled tasks on Windows and Linux ‒ Included when Agent for Windows/Linux is installed or download from https://kb.acronis.com/content/1859 ‒ Used for: ▪ Monitoring scheduled tasks ▪ Detect unremoved deleted backup tasks ▪ Detect individual tasks that are not running ▪ Collect Scheduler log in case of an issue Acronis Training and Certification – Authorized Use Only 21 4. Scheduler Manager ‒ Use the following instructions to collect Scheduler Manager log: 1. Locate and open the Scheduler Manager in the following locations: \Program Files (x86)\Acronis\BackupAndRecovery – in Windows /usr/sbin/ – in Linux 2. Open a command prompt in the Scheduler Manager location and run the following command to enable logging: set logflags support 3. Reproduce the issue and run the following command to stop logging: set logflags 0 4. Run AcronisInfo utility/Collect system information to obtain the output Acronis Training and Certification – Authorized Use Only 22 4. Scheduler Manager ‒ To manage scheduled tasks, use the following commands: 1. To get a list of scheduled tasks: get list 2. To delete all scheduled tasks: task zap 3. To run a task: task run 4. To delete a single task: task [task_number], task delete, e.g., task 1-12, task delete ‒ Scheduled tasks run on Mac in the following manner: 1. Launchd.plist is created for the task in /Library/LaunchDaemons/ E.g., com.acronis.3_1.plist where “3” is the scheduler task name 2. The created .plist is loaded into launchd. To check that it is loaded, open Terminal and run: sudo launchctl list | grep
Load more

Recommended publications
  • Crypto Ransomware Analysis and Detection Using
    CRYPTO RANSOMWARE ANALYSIS AND DETECTION USING PROCESS MONITOR by ASHWINI BALKRUSHNA KARDILE Presented to the Faculty of the Graduate School of The University of Texas at Arlington in Partial Fulfillment of the Requirements for the Degree of MASTER OF SCIENCE IN COMPUTER SCIENCE THE UNIVERSITY OF TEXAS AT ARLINGTON December 2017 Copyright © by Ashwini Balkrushna Kardile 2017 All Rights Reserved ii Acknowledgements I would like to thank Dr. Ming for his timely guidance and motivation. His insights for this research were valuable. I would also like to thank my committee members Dr. David Levine and Dr. David Kung for taking out time from their schedule and attending my dissertation. I am grateful to John Podolanko; it would not have been possible without his help and support. Thank you, John, for helping me and foster my confidence. I would like to thank my colleagues for supporting me directly or indirectly. Last but not the least; I would like to thank my parents, my family and my friends for encouraging me and supporting me throughout my research. November 16, 2017 iii Abstract CRYPTO RANSOMWARE ANALYSIS AND DETECTION USING PROCESS MONITOR Ashwini Balkrushna Kardile, MS The University of Texas at Arlington, 2017 Supervising Professor: Jiang Ming Ransomware is a faster growing threat that encrypts user’s files and locks the computer and holds the key required to decrypt the files for ransom. Over the past few years, the impact of ransomware has increased exponentially. There have been several reported high profile ransomware attacks, such as CryptoLocker, CryptoWall, WannaCry, Petya and Bad Rabbit which have collectively cost individuals and companies well over a billion dollars according to FBI.
    [Show full text]
  • Development Environment
    BLUESPAWN BLUESPAWN Dev Team Apr 28, 2021 CONTENTS 1 Our Mission 3 2 What is BLUESPAWN 5 3 Get Involved & Contribute to the project7 4 Why we made BLUESPAWN9 4.1 Contact Us................................................9 4.2 Sponsoring................................................9 4.3 Licensing.................................................9 4.4 Project Authors.............................................. 10 4.5 Publications............................................... 11 4.6 Hunts................................................... 11 4.7 Scan Mode................................................ 11 4.8 Mitigations................................................ 11 4.9 Reactions................................................. 11 4.10 Logging and Output........................................... 11 4.11 Agent7 Integration............................................ 11 4.12 Getting Started.............................................. 11 4.13 Examples of BLUESPWAN in Action.................................. 13 4.14 Using Mitigations............................................ 14 4.15 Getting Involved............................................. 18 4.16 Setting up your Development Environment............................... 18 4.17 Software Architecture Info........................................ 19 4.18 Project Roadmap............................................. 21 i ii BLUESPAWN CONTENTS 1 BLUESPAWN 2 CONTENTS CHAPTER ONE OUR MISSION BLUESPAWN helps blue teams monitor systems in real-time against active attackers by detecting
    [Show full text]
  • Multiband Plasma-Process Monitor C10346-01
    Multiband plasma-process monitor C10346-01 C10346-01 is a multiband plasma process monitor designed for real-time, monitoring of wide spectrum. Monitoring Plasma (Emission Spectrum) in Real-Time C10346-01 is a monitoring system to detect wide spectrum plasma emission during the process of etching, spattering and CVD in semiconductor manufacturing . With the various analysis functions, it can be used for setting up end-point detection conditions and automatic detection of etching and cleaning, estimation of plasma species and monitoring (plasma) contamination and abnormal discharges. Features Simultaneous measurements of wide (plasma) spectrum Easy measurement using optical fibers Captures wide spectrum (emission) from (plasma) radicals or ions. The equipped optical fiber can be easily attached to plasma C10346-01 : 200 nm to 950 nm chambers through a SMA connector widely used. Real-time plasma (emission) measurement Operation with multiple chambers Continuously measures up to 15 000 spectra at an interval of 20 ms A single analysis unit can control up to four C10346-01 (50 ms with concurrent running of detection software) Multiband plasma-process monitor via a USB 2.0 interface. Highly accurate and reliable measurements Data acquisition software A high resolution spectrometer and a ultra-high sensitive photo The data acquisition software stores the spectrum data into detector are firmly locked in position to assure the acquisition of the database during plasma process. This stored data can accurate spectrum and precise spectrum responsivity data then be used for spectrum data calculations. through sharply focused plasma emission spectrum images. Optional software High-sensitivity detection in UV spectrum region High sensitive endpoint detection and real-time monitoring of Detects the UV spectrum region from 200 nm with high process abnormality are achieved by creating ''detection model''.
    [Show full text]
  • Process Monitor
    Моим коллегам — специалистам по устранению неполадок Windows. Никогда не отступайте и не сдавайтесь! – Марк Руссинович Элизе, благодаря ей сбываются самые прекрасные мечты! (И она гораздо круче меня!) – Аарон Маргозис SIN_Titul.indd I 29.12.2011 13:41:15 Mark Russinovich Aaron Margosis Windows® Sysinternals Administrator's Reference SIN_Titul.indd II 29.12.2011 13:41:15 Марк Руссинович Аарон Маргозис Предисловие Дэвида Соломона Утилиты Sysinternals Справочник администратора 2012 SIN_Titul.indd III 29.12.2011 13:41:15 УДК 004.738.5 ББК 32.973.202 P89 Руссинович Марк, Маргозис Аарон P89 Утилиты Sysinternals. Справочник администратора. / Пер. с англ. — М. : Издательство «Русская редакция» ; СПб. : БХВ-Петербург, 2012. — 480 стр. : ил. ISBN 978-5-7502-0411-3 («Русская редакция») ISBN 978-5-9775-0826-1 («БХВ-Петербург») Эта книга — исчерпывающее руководство по использованию утилит Sysin- ternals. Авторы книги — создатель утилит Sysinternals Марк Руссинович и при- знанный эксперт по Windows Аарон Маргозис — подробно разбирают многочис- ленные функции утилит для диагностики и управления файлами, дисками, си- стемой безопасности и встроенным инструментарием Windows. Рекомендации авторов проиллюстрированы многочисленными примерами из реальной жизни. Изучив их, вы сможете справиться с неполадками в ИТ-системах так, как это делают настоящие профессионалы. Книга состоит из 18 глав и предметного указателя. Она предназначена для ИТ-специалистов и опытных пользователей Windows, которые хотят применять утилиты Sysinternals с максимальной эффективностью. УДК 004.738.5 ББК 32.973.202 © 2011-2012, Translation Russian Edition Publishers. Authorized Russian translation of the English edition of Windows® Sysinternals Administrator’s Reference, ISBN 978- 0-7356-5672-7 © Aaron Margosis and Mark Russinovich. This translation is published and sold by permission of O’Reilly Media, Inc., which owns or controls all rights to publish and sell the same.
    [Show full text]
  • JTB Process Monitor
    JTB Process Monitor About JTB Process Monitor makes it possible to monitor usage of more applications than the core JTB FlexReport handles. There is a service part and a client part of Process Monitor. You need to first install the service and configure it and then install the client and configure it. The data is saved into the JTB FlexReport core database and reports on the usage can be done in the normal way. This means that JTB FlexReport Core and JTB FlexReport Chart Service/Client also need to be installed. The client computer to monitor does not need to be connected to the network all the time. It still can monitor the usage and when connected again it will send back the data to the server. The client-server solution is based on WCF (Windows Communication Foundation) and XML Web services. System requirements .NET Framework 4.0 or newer is needed for the service and client. Other than that most Windows operating systems are supported like Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016. Both 32-bit and 64-bit systems are supported. One limitation is that processes that run in Windows compatibility mode cannot be monitored. Installation of Service The service needs to be installed on one location and it is recommended to be on the same computer where JTB FlexReport’s other services are installed as it needs to save the usage to the JTB FlexReport database. For a trial it can be installed on a workstation if that is easier for the evaluation.
    [Show full text]
  • Windows Rootkit Analysis Report
    Windows Rootkit Analysis Report HBGary Contract No: NBCHC08004 SBIR Data Rights November 2008 Page 1 Table of Contents Introduction ................................................................................................................................... 4 Clean Monitoring Tool Logs......................................................................................................... 5 Clean System PSList ................................................................................................................. 5 Clean System Process Explorer ................................................................................................ 6 Vanquish......................................................................................................................................... 7 PSList Vanquish ........................................................................................................................ 7 Vanquish Process Monitor (Process Start – Exit) .................................................................. 8 Process Explorer Thread Stack Vanquish .............................................................................. 8 Process Monitor Events Vanquish ........................................................................................... 9 Vanquish Log File (Created by rootkit, placed in root directory “C:”) ............................. 21 Process Explorer Memory Strings Vanquish ........................................................................ 23 NTIllusion....................................................................................................................................
    [Show full text]
  • Application Help for SAP Business Planning and Consolidation, Version for SAP Netweaver Company
    PUBLIC SAP Business Planning and Consolidation for SAP NetWeaver 10.1 Document Version: 1.0 – 2021-06-09 Application Help for SAP Business Planning and Consolidation, version for SAP NetWeaver company. All rights reserved. All rights company. affiliate THE BEST RUN 2021 SAP SE or an SAP SE or an SAP SAP 2021 © Content 1 SAP Business Planning and Consolidation, version for SAP NetWeaver...................4 1.1 Getting Started..............................................................10 Preferences..............................................................10 Grid....................................................................11 1.2 Home Page and Navigation......................................................11 1.3 Business Process Flows........................................................12 My Activities.............................................................13 1.4 Process Monitor.............................................................15 1.5 Library....................................................................16 1.6 Documents (Standard only).....................................................17 1.7 Run Consolidation (Standard only)................................................18 Consolidation Monitor (Standard only)...........................................19 Controls Monitor (Standard only)..............................................24 Journals (Standard only)....................................................30 Ownership Manager (Standard only)............................................41 1.8 Run
    [Show full text]
  • Prmon: Process Monitor
    prmon: Process Monitor Serhan Mete (Argonne) and Graeme A Stewart (CERN) Grid Deployment Board Meeting September 9, 2020 What is Process Monitor (prmon)? ● “... a small stand alone program that can monitor the resource consumption of a process and its children.” ○ An open source HSF project, completely application agnostic and self-contained ■ The only external library dependency is nlohmann/json (and only for the build) ○ Tracks (process-level) CPU/GPU, memory, disk I/O, and (device-level) network I/O usage ■ Metrics are primarily collected from ProcFS (except for GPU which comes from nvidia-smi) ● Adding support for additional hardware is in the future plans ○ It produces two main outputs: ■ Time-series text file that contains the measurements at each capture ■ JSON file that contains averages and maxima along with some hardware information ○ It includes python-based software to visualize the time-series data https://github.com/HSF/prmon 2 Building/Distributing/Using prmon... ● prmon has been used in ATLAS distributed computing for many years ○ Predecessor was named MemoryMonitor, which was the starting point for prmon ● There are two main build/deployment options: ○ Integrating prmon as an external software and building it from scratch ■ Primarily requires C++11, Cmake 3.3+, and nlohmann/json ■ For GPU support, needs nvidia-smi installed ○ Using statically built prmon (published for each release, approx. 1 MB) ○ In either case, the binaries can be (are) distributed via CVMFS ○ More information can be found at https://github.com/HSF/prmon#build-and-deployment ● There are two main ways to execute: ○ Attach to an existing process w/ PID : prmon --pid PID ○ Start the program with prmon : prmon [prmon options] -- program [program options] ○ More information can be found at https://github.com/HSF/prmon#running Latest Release: v2.1.0 on Sep 8 3 Available options, monitors, and output formats..
    [Show full text]
  • Legoos: a Disseminated, Distributed OS for Hardware Resource
    LegoOS: A Disseminated, Distributed OS for Hardware Resource Disaggregation Yizhou Shan, Yutong Huang, Yilun Chen, and Yiying Zhang, Purdue University https://www.usenix.org/conference/osdi18/presentation/shan This paper is included in the Proceedings of the 13th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’18). October 8–10, 2018 • Carlsbad, CA, USA ISBN 978-1-939133-08-3 Open access to the Proceedings of the 13th USENIX Symposium on Operating Systems Design and Implementation is sponsored by USENIX. LegoOS: A Disseminated, Distributed OS for Hardware Resource Disaggregation Yizhou Shan, Yutong Huang, Yilun Chen, Yiying Zhang Purdue University Abstract that can fit into monolithic servers and deploying them in datacenters is a painful and cost-ineffective process that The monolithic server model where a server is the unit often limits the speed of new hardware adoption. of deployment, operation, and failure is meeting its lim- We believe that datacenters should break mono- its in the face of several recent hardware and application lithic servers and organize hardware devices like CPU, trends. To improve resource utilization, elasticity, het- DRAM, and disks as independent, failure-isolated, erogeneity, and failure handling in datacenters, we be- network-attached components, each having its own con- lieve that datacenters should break monolithic servers troller to manage its hardware. This hardware re- into disaggregated, network-attached hardware compo- source disaggregation architecture is enabled by recent nents. Despite the promising benefits of hardware re- advances in network technologies [24, 42, 52, 66, 81, 88] source disaggregation, no existing OSes or software sys- and the trend towards increasing processing power in tems can properly manage it.
    [Show full text]
  • Brno University of Technology Vysoké Učení Technické V Brně
    BRNO UNIVERSITY OF TECHNOLOGY VYSOKÉ UČENÍ TECHNICKÉ V BRNĚ FACULTY OF INFORMATION TECHNOLOGY FAKULTA INFORMAČNÍCH TECHNOLOGIÍ DEPARTMENT OF INTELLIGENT SYSTEMS ÚSTAV INTELIGENTNÍCH SYSTÉMŮ AUTOMATED SECURITY COMPLIANCE SCANNING OF MS WINDOWS OPERATING SYSTEM USING OPENSCAP PROJECT AUTOMATIZOVANÉ OVĚŘOVÁNÍ KONFIGURACE OPERAČNÍHO SYSTÉMU MS WINDOWS POMOCÍ PROJEKTU OPENSCAP MASTER’S THESIS DIPLOMOVÁ PRÁCE AUTHOR Bc. JAN ČERNÝ AUTOR PRÁCE SUPERVISOR Ing. ALEŠ SMRČKA, Ph.D. VEDOUCÍ PRÁCE BRNO 2018 Abstract This work deals with security compliance of computer systems, namely operating systems, applications and system services. Concept of security policies, their evaluation and their enforcement is described. Security compliance automation and the SCAP standard are presented. OpenSCAP project, which is used as an SCAP scanner, is described together with its tools and its usage. An idea to add support of Microsoft Windows within Open- SCAP, which was previously unsupported, is presented. The core part of the thesis is to identify necessary changes of OpenSCAP and to design an extension of this project. All these modifications are implemented. The solution is demonstrated on security policies for Windows. The solution is evaluated and further improvements are discussed. Abstrakt Tato práce se zabývá problematikou bezpečné konfigurace výpočetních systémů, jako jsou operační systémy, aplikace a služby. Seznamuje čtenáře s konceptem bezpečnostních poli- tik a jejich ověřováním. Soustředí se na problematiku automatizace bezpečné konfigurace s důrazem na standard SCAP. Popisuje projekt OpenSCAP, který se používá jako SCAP scanner, jeho aplikace a jejich použití. Navrhuje rozšířit OpenSCAP i na operační sys- tém Microsoft Windows, který doposud nebyl podporován. Těžištěm práce je identifikace nutných změn projektu OpenSCAP a návrh jeho rozšíření.
    [Show full text]
  • Sysinternals Learning Resources
    THE PERSONAL COMPUTER SPECIALIST Sysinternals Learning Resources Help and Support Sysinternals Learning Resources Help Desk Books Windows Internals Book Homepage The official updates and errata page for the definitive book on Windows internals, by Mark Russinovich and David Solomon. Windows Sysinternals Administrator's Reference The official guide to the Sysinternals utilities by Mark Russinovich and Aaron Margosis, including descriptions of all the tools, their features, how to use them for troubleshooting, and example real-world cases of their use. Articles Inside the Windows Vista Kernel: Part 1 Inside the Windows Vista Kernel: Part 2 Inside the Windows Vista Kernel: Part 3 Inside Windows Vista User Account Control Inside Windows Server 2008 Kernel Changes Mark's Blog Articles Hunting Down and Killing Ransomware Scareware, a type of malware that mimics antimalware software, has been around for a decade and shows no sign of going away. The goal of scareware is to fool a user into thinking that their computer is heavily infected with malware and the most convenient...(read more) Monday, Jan 7 The Case of the Unexplained FTP Connections A key part of any cybersecurity plan is “continuous monitoring”, or enabling auditing and monitoring throughout a network environment and configuring automated analysis of the resulting logs to identify anomalous behaviors that merit investigation. This...(read more) Tuesday, Oct 30 Windows Azure Host Updates: Why, When, and How Windows Azure’s compute platform, which includes Web Roles, Worker Roles, and Virtual Machines, is based on machine virtualization. It’s the deep access to the underlying operating system that makes Windows Azure’s Platform-as-a-Service (PaaS) uniquely...(read more) Wednesday, Aug 22 The Case of the Veeerrry Slow Logons This case is my favorite kind of case, one where I use my own tools to solve a This case is my favorite kind of case, one where I use my own tools to solve a problem affecting me personally.
    [Show full text]
  • Finding Privesc with Procmon
    FINDING PRIVESC WITH PROCMON Vetle Økland ::1 • Pentester @ Nagarro • Live here in Oslo • Too young to understand why Windows does anything • Twitter: @bordplate • Blog: https://bordplate.no/blog/en What is Procmon? Process Monitor Boot logging • Consider disabling anti-virus scanning for smaller log files What are we looking for? Image from: https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation- cve-2019-0841/ DACL Permissions Overwrite Privilege Escalation (CVE-2019-0841) by Nabeel Ahmed Paths and Files • PATH NOT FOUND • NAME NOT FOUND Both of these in a user-writable folder indicate you can influence the program. Will wary based on file type and the program handling the files. Image from a vulnerability found by Florian Bogner at bogner.sh: https://bogner.sh/2018/02/local-privilege-escalation-in-crashplans-windows-client/ SetSecurityFile / Permission Overwrite CVE-2019-8452 – Permission Overwrite Hard links to any file • Courtesy of James Forshaw from Google’s Project Zero • Normal mklink tool does not allow hard links to files you don’t have write-access to • ZwSetInformationFile does not enforce that check • CreateHardLinkW does however • Native-HardLink.ps1 from https://github.com/ FuzzySecurity/PowerShell-Suite/blob/master/Native- HardLink.ps1 by @fuzzysec (Ruben Boonen) Unquoted service paths DLL search order hijacking Configuration • Need to have local admin Useful filters • SYSTEM • NAME NOT FOUND / PATH NOT FOUND • SetSecurityFilter (by its own) Exporting for other tools • Exports to CSV and XML • Exporting for XML with stack traces can create *really* big files Exploring in Procmon Hunting in registry • Not seen any potential for abuse • Include SYSTEM user • Exclude starting with HKLM and HKCU AccessEnum .
    [Show full text]