Posts Tagged Symantec

Adding drivers to Ghost WinPE

GhostEventDetails

This post is using the Symantec Solution Suite 2.5

I’m setting it up so that I have the ghost client installed on the majority of our workstations. The only ones I’m not installing it on are our encrypted laptops. The first problem I came across was it getting stuck at “Polling for bound server.” I found that means the NIC drivers for my computer aren’t in the WinPE PreOS. So I found the drivers for my card and popped open the ghost boot wizard. Even after adding the NIC driver I couldn’t get the damn thing to work and could not find where it would tell me what the problem was. It was my own fault. I discovered the error at the top by double clicking on the failed job in the ghost console, which brings up the event log and it always failed on “To Virtual Partition.” I didn’t realize I could then click on that and the specific error would pop up. That error up above means the SATA drivers for my board weren’t in WinPE either. After going to the motherboard manufacturer’s website to get them and adding them through the steps below, it is now creating my image of my test computer.

Any missing drivers will need to be the Vista 32-bit version. It doesn’t matter what OS your computer is running.

Open the ghost boot wizard to edit the Windows PE PreOS. Then on the second screen click on WinPE-512 and click copy. The 512 image is for machines that have over 512MB of memory. Name it whatever you want. You don’t want to go editing the original copy of it in case it gets messed up somehow.

BootWizardBootWizardCopy

Now go ahead and click edit on the image you named. Depending on which drivers you are updating, select the proper tab and add new driver.

WinPEDrivers

After finding the path for the driver and giving it a descriptive name make sure you check the box for Vista as the OS.

AddNewDriver

Sometimes it doesn’t actually add the drivers to the image the first time you hit OK on the top two images. So click edit one more time and scroll down the list for the drivers you added to make sure their boxes are selected. It takes a few minutes for it to update the image.

Any computers that you have already installed the ghost client on need to have the virtual partition changed to the version you just created. In the ghost console right-click on them, go to the client tab and select the correct one from the drop down list. After changing that on all of your machines you’ll then need to run a task that refreshes the configuration and inventory on all the computers. THEN the backup regime or image create task will work. If you want all the new computers you install the ghost client on to use the same version of WinPE then go to the tools menu in the ghost console, down to options and change it on the client tab there.

Oh, in the midst of troubleshooting these problems I tried the PC-DOS virtual partition, but ended up getting stuck in a boot loop that kept sending me back to it and not letting me go back to Windows. The second article below describes how to hide the ghost partition to fix that.

Sources:


Imaging an encrypted drive

This is using Ghost Solution Suite 2.5, which is ghost 11.5, to image a hard drive that is encrypted by PGP encryption. But there is a good chance these same steps will work with other encryption software.

If you want to bypass all my troubleshooting that it took for me to get this to work then click here to go straight to the solution.

July 5, 2011

This adventure began late last week. I need to figure out how to image our encrypted hard drives in a manner that keeps the encryption intact. I’m not going to wait hours for a drive to decrypt just so I can image it and then have it spend another few hours, or however long, to re-encrypt it. The plan is to get this to work so that I can pull an image of each of our laptops every time we have huge software changes. I’m not sure what’s going to qualify as large enough changes to make me go through this, but I’ll figure it out when I get there. After I get this process to work properly I’ll just use the ghost client on the machines to back up the user files every 2 weeks or so.

Well last week I started my experiment with ghosting one of our unused encrypted laptops. It took me forever to realize that I can’t use the windows client to pull or push an image because ghost doesn’t like that I have to enter the password before the computer will finish booting up. Even though I was standing at the laptop when the client forced a reboot and typed the password in right when it prompted for it, it wouldn’t go into the WindowsPE environment. I thought I was being too slow at first, but that wasn’t the case.

I created a boot disk with the right NIC drivers on it for these laptops and had it boot to the CD. I finally got it imaging and then noticed it was splitting the image into the default 2GB chunks. With these laptops being 500GBs, that just isn’t going to work. I kept thinking of spanning, not splitting, so it then took me awhile to find the correct switch to add to the settings /facepalm. I finally got it to pull the image, it took 4 or 5 hours to do it and the next day I turned around and pushed the image back out to it – I’m using the ghostcast server on one of my servers since I don’t have a large enough external hard drive for a 500GB image and I don’t feel like buying one right now.

I came in this morning and rebooted the machine to see if the image worked. Well it prompted me for my encryption password but then it won’t boot into windows so I need to run the repair command. But I can’t do that until I decrypt the drive because the repair boot disk won’t see the hard drive until I do. So now I get to yank the hard drive out and hook it up to another laptop in order to decrypt it, that will take 12-24 hrs.

But, there is one more thing I will try before I become stumped. I used the split=0 switch, but not the switch to force a sector-by-sector copy (-ia). I thought I read in the documentation or in their forum that it would detect whether it needed to be sector-by-sector, but I don’t know how to find out and it didn’t work. The last time I had to decrypt a drive by hooking it up to another laptop as an external it took at least 20 hrs to finish. I’ll start that process shortly and try to image it again tomorrow.

If anybody has any advice please feel free to share it.

To be continued….

Continued:

Well I tried imaging it again after waiting 20 hrs for it to decrypt, then 20 more hours for it to encrypt itself again. The image failed. I tried using both the -split=0 and -ia switches and did see an error where it was saying something about -split=0 not being used properly or whatever. So now I have to decrypt it again (20 hrs), run the fixboot command, and let it encrypt itself again (20 hrs). Then I will try imaging one more time only using the -ia switch for sector-by-sector copy. I will report back once this has been attempted. I will figure this out, damn it.

October 11, 2011

So 3 months have passed since I last spent much time trying to figure this out. I’m too stubborn to admit defeat and let something like this go without exhausting all resources first. I just knew there had to be a way to get it to work. I came across a KB article on Symantec’s website that sounded like exactly what I needed to do. Why this was never mentioned in any forum posts about PGP (or encryption in general) and Symantec Ghost (that I found anyway) is beyond me. I only ever saw mention of sector-by-sector copying and if you read my original post, then you know how well that worked out. I just realized the new article that I found also refers to the -IR switch, which is a raw disk image, as sector-by-sector. What the hell? Let’s be a little more confusing please /sarcasm.


Solution:

  1. Use a ghost boot CD or usb drive to get into the WindowsPE environment.
  2. After it boots up and pops the Ghost GUI up, close that so you’re at the black command prompt.
  3. From here I had to go back a couple directories by typing cd.. to find the directory the ghost executable lives in. I think it’s Ghost32.exe.
  4. The switches you need to use are -IR, -FRO, and -SPLIT=0. So type ghost32.exe -IR -FRO -SPLIT=0 and hit enter. Now go through the normal steps to select the disk to image and the place to save it.

You are going to need a removable hard drive or the ability to ghostcast from a server that has enough space for the image to be the entire size of the hard disk, even if the disk only has 50GB of information on it. Since the image is a raw disk image (the -IR switch) it is imaging the entire disk. You can use the -SPLIT switch to chop the image into smaller bits, but that doesn’t make the image any easier to manage with hard disks being so large these days. Unless you need to chop the image into files that will fit on DVDs or Blu-Rays, I don’t see that being useful. Or maybe you have small usb hard drives to split the image onto, I suppose that’s helpful.

I pulled an image and turned around and pushed it back out and it worked perfectly. I rebooted the laptop this afternoon and it was like nothing happened – encryption and everything is intact. It looks like, based off the switch descriptions linked below, that the only difference between raw disk image and sector-by-sector is that the raw disk image ignores the partition table. Funny how the KB article still refers to it as sector-by-sector, yet their own switch description page does not.

Sources:

  1. Ghost and PGP – Norton Community
  2. Symantec KB Article TECH104163
  3. Switches: Alphabetical list of switches


You have received a Hallmark e-card!

Yes, it’s that time of year again.  A friendly reminder to NEVER open attachments or click on links in emails if you don’t know who or where it’s coming from.  Curiosity killed the cat, your curiosity might kill your computer.

This virus is probably most commonly known as W32.Ackantta@mm, at least to those familiar with Symantec/Norton.  What happens is you get an email like the one above and get sucked into clicking on the link which then downloads a file to your computer.  I’m not quite certain whether clicking the link automatically executes the virus, just downloads the file, or if the virus is a file attached to the email.  So far I’ve seen it where a file called postcard.zip is attached to the email and then where you click on a link to download a file called postcard.pdf.exe.  Either way, a file eventually ends up on your computer that installs the virus if you execute it.
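The two delivery forms described above (a postcard.zip attachment and a postcard.pdf.exe download) can be caught by name before anyone opens them. The following is an added example, not part of the original post: it flags file names whose last extension is runnable while the one before it looks like a document, and it looks inside zip attachments. The extension lists and the sample archive are constructed for illustration.

```python
import io
import zipfile

# File types Windows runs on double-click (a starting set, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
# File types a recipient reads as a harmless document or picture.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "jpg", "png", "txt", "htm", "html"}


def extensions(name):
    """Lower-cased extension parts of a file name, path and padding removed."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    # Strip each part so 'card.pdf      .exe' cannot hide the real extension.
    return [part.strip() for part in base.split(".")][1:]


def is_disguised_executable(name):
    """True for names like 'postcard.pdf.exe': decoy extension, then a runnable one."""
    exts = extensions(name)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DECOY_EXTS


def check_attachment(filename, data):
    """Return (name, reason) findings for one attachment, looking inside zips."""
    findings = []
    if is_disguised_executable(filename):
        findings.append((filename, "double extension"))
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as archive:
            for member in archive.namelist():
                exts = extensions(member)
                if is_disguised_executable(member):
                    findings.append((f"{filename}!{member}", "double extension in archive"))
                elif exts and exts[-1] in EXECUTABLE_EXTS:
                    findings.append((f"{filename}!{member}", "executable in archive"))
    return findings


def build_sample_zip():
    """Constructed stand-in for postcard.zip; the member holds harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("postcard.pdf.exe", b"constructed placeholder, not a program")
    return buf.getvalue()


if __name__ == "__main__":
    for name, payload in [("postcard.zip", build_sample_zip()),
                          ("postcard.pdf.exe", b"x"),
                          ("minutes.v2.pdf", b"%PDF-")]:
        print(name, "->", check_attachment(name, payload) or "nothing flagged")
```

A mail gateway or help-desk script can run `check_attachment` on each attachment and quarantine anything that returns findings.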

This virus is a variant of the Trojan.Vundo virus we saw an outbreak on campus of a little over 4 years ago.  It’s such a pain to remove because, like before, we got it when it was fairly new so none of the anti-virus programs out there could do anything to prevent or remove it.  I heard from one of the other Tech departments on campus that we were the first to report it to Symantec.  I had someone forward me the virus so I could upload to VirusTotal.com to see which programs are able to detect it and hopefully remove it.  Here’s the list as of 3 hrs ago:

virustotal-postcardzip1

What happens?

  1. Once the file mentioned above is opened, the virus installs itself in numerous places in the computer.  What a user will notice is tons of pop-up ads showing up all of a sudden saying that you need to download a fake program to remove the spyware on your computer.  Don’t fall for that, it’s just more spyware/viruses to bog down your computer.
  2. It creates copies of itself in the system folder as javale.exe, javawx.exe, and a random .dll file.
  3. It also creates and edits registry keys in order to embed itself in the startup processes so it’s running at all times.  To see the specific registry keys and file names see the links at the end of the post.
  4. The virus finds your address book on your computer and sends out mass-emails to everybody in it.
  5. It blocks access to some security related websites.
  6. Spreads through any USB drives you plug into the computer and also has the potential to spread through network drives, this can create an evil loop of cleaning and re-infecting.

How do I get rid of it?

  1. Disable system restore.
  2. Update your anti-virus & anti-spyware programs and definitions.  You want to make sure you have the most up-to-date client as well as the definitions. AVG Free and Malwarebytes are known to detect and remove the virus when used in conjunction with each other.
      a) If you don’t have the programs on your computer or are unable to update them, burn the programs and their most recent definition files to a CD and install them that way. This virus jumps onto USB drives so you do not want to use them on an infected computer.
  3. Restart your computer into safe mode.
  4. Scan with both your anti-virus and anti-spyware programs.  You may need to do this a few times in order to make sure it found everything.

Malwarebytes and either Symantec/Norton or AVG were used to clean computers on campus. AVG was used on student computers since we couldn’t install Symantec Endpoint Protection on there for licensing reasons. But I can confirm that both Malwarebytes and AVG work together to get rid of it. Be sure to disable system restore and boot into safe mode though, as stated above.

There are far too many different files this virus creates and registry keys it creates and edits, so I avoided putting that specific information in the post.  All of the specifics can be seen at the links below.

Information Sources:


The conficker virus – 9 million PCs and counting

What is conficker and what does it do?

It’s a worm/virus that will infect computers via a vulnerability (MS08-067) in any Windows XP or Vista machines if the computer hasn’t been patched with the patch Microsoft released back in October/November.  Once infected, the virus:

  • Embeds itself into the system services and makes some changes to the registry in order to run constantly, including after reboots.
  • Disables antivirus and other security services, as well as blocks websites related to those services.
  • Disables system restore and deletes all restore points making the recovery process that much more difficult.
  • Opens the infected machine to more infections.
  • Scans the subnet the infected computer is on for vulnerable machines and passes the infection on by creating an HTTP server for the new victim to download it from.
  • Also copies itself to any usb drives, making the potential for spreading on networks much higher.
  • Can crack weak passwords to accounts and lock you out of your own files and folders.
  • It also schedules tasks and edits the autorun.inf file enabling it to re-activate after a computer is “cleaned.”
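A check for the autorun.inf behavior in the last bullet, as an added example that is not part of the original post: it reads the autorun.inf in a drive's root and lists the entries that would make Windows start a program, so a USB drive can be inspected before it is used again. The sample file contents and file names are constructed.

```python
import re
from pathlib import Path

# [autorun] keys that make Windows start a program from the drive.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.*)$",
                        re.IGNORECASE)

# Constructed sample: two launch entries, one junk line, one unrelated section.
SAMPLE_AUTORUN = (
    b"; constructed sample, file names are made up\r\n"
    b"[AutoRun]\r\n"
    b"icon=folder.ico\r\n"
    b"Open=setup.exe /quiet\r\n"
    b"\x00\xfe\x9d stray bytes\r\n"
    b"shell\\open\\command = launcher.exe\r\n"
    b"[Content]\r\n"
    b"open=ignored-outside-autorun.exe\r\n"
)
# Constructed sample: cosmetic entries only, nothing is launched.
BENIGN_AUTORUN = b"[autorun]\r\nicon=folder.ico\r\nlabel=Backup\r\n"


def autorun_launch_commands(raw):
    """Return (key, command) pairs from the [autorun] section of raw bytes."""
    # latin-1 maps every byte, so stray binary data cannot abort the scan.
    text = raw.decode("latin-1")
    in_autorun = False
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        match = LAUNCH_KEY.match(line) if in_autorun else None
        if match:
            hits.append((match.group(1).lower(), match.group(2)))
    return hits


def scan_drive(root):
    """Inspect autorun.inf (any letter case) in a drive root; [] if none."""
    for entry in Path(root).iterdir():
        if entry.name.lower() == "autorun.inf" and entry.is_file():
            return autorun_launch_commands(entry.read_bytes())
    return []


if __name__ == "__main__":
    for label, raw in [("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)]:
        print(label, "->", autorun_launch_commands(raw) or "no launch entries")
```

An empty result means the file only sets cosmetic values such as an icon or label; any launch entry on a removable drive that is not installation media deserves a closer look.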

How do I know if my computer is infected?

I mentioned a few noticeable things above but here are the things an average computer user would notice:

  • The computer will feel much more sluggish than normal.
  • Your internet connection might become much slower as well.
  • You may not be able to log into your computer.  If the password is weak it could crack it and lock you out.
  • Automatic Windows updates will not work.
  • You may not be able to get to any websites related to virus scanner updates or Windows updates.
  • This virus is known to disable any security software you have – firewalls or virus scanners.

What can I do to protect myself?

  1. Run a Windows update to make sure your computer has the patch installed.
  2. Windows XP
    Open Internet Explorer  -> go to the tools menu -> click on windows update -> choose express and download all suggested updates.

    Windows Vista
    Click on your start menu -> in the search box type windows update -> click check for updates in the left column and download any important updates.

  3. Update your virus scanner and run a scan to be safe.  If you do not have a scanner I personally like AVG free.  Symantec has a new thing called Norton Security Scan which is also free.  I’ve never tried it so I don’t have an opinion about it.

What if my computer is infected?

Run a virus scan in safe mode (hold F8 down when restarting the computer).  Safe mode is used in times like this because nearly every service and program that typically runs whenever you turn your computer on will be turned off, making it easier for the scanner to remove any infections.  Microsoft suggests downloading their Windows Malicious Software Removal Tool.  If you have a Norton product you can go here for information on how to remove it.  McAfee also has information, although not very helpful in my opinion.  In some instances the virus scanner may not be able to remove the infection so a more technical solution is needed.

F-Secure is the only company I’ve found so far that has an actual removal tool specifically for this virus/worm, but it is in the beta stage so be careful using it if you choose to do so.  I just ran it on my laptop without any issues.  If I come across someone at work who has this I’ll have no problem using it if a normal virus scan is unable to help.  Especially since it sounds like unless your scanner can remove it, all you can do is reformat so you don’t have much to lose.

More information can be found at pcworld.com and BBC News.  If you’re a geek like me F-Secure is keeping track of the number of infections and also has a list of domains network admins can block to help prevent this from spreading.

3/31/09: With yet another explosion in news coverage I’m adding a couple more removal tool links from F-Secure.  The one linked to above is no longer a beta version.  They are all for different variants of this same virus.

Everything in the article is still accurate, the basic behavior hasn’t changed at all.  I heard that the security professionals haven’t been able to reverse engineer the virus so they don’t even know what is supposed to happen on April 1st.  That leads me to a question, if they haven’t reverse engineered it to figure out exactly what it does, where did the doomsday date of April 1st come from?

Removal tool #2

Removal tool #3


Vista and the mysterious unidentified network

We’ve been having problems with this since Vista came out, luckily it’s not a terribly frequent occurrence.  A new year has started and we’re seeing it again.  We currently have 2 students who cannot connect to our network, they keep getting the unidentified network with a 169.254 IP.  We have tried everything we can think of:

  1. release/renew just times out
  2. disable/re-enable the nic
  3. checked all the TCP/IP settings & checked the LAN settings
  4. typed netsh interface ipv6 show neighbors into the cmd prompt to see if anybody on campus was broadcasting as a gateway
  5. I’ve even gone into the registry to disable the broadcast flag.  NOTHING HAS WORKED.
  6. Setting the network type to private instead of public if it’s even set wrong.

I’ve spent hours and hours researching this online but so far have only come up with a couple more things to try.  One of which is doing a TCP/IP stack repair and the other just deals with disabling firewalls (windows and otherwise).  Has anybody actually found a solution that works?  This is driving me insane.

Edit #1: It appears that Norton and possibly McAfee cause some sort of problem.  I’m not exactly sure what yet.  We’ve tried disabling both programs, but that didn’t work.  A student uninstalled Norton and was able to get online.  I like those programs less and less the more I work with them.

Edit #2: We came across another one of these and they had some weird panda anti-virus software, uninstalling it got them online.  So if you come across this problem try uninstalling the anti-virus/firewall and see if that fixes it – just disabling them hasn’t worked.  I really wish I knew what specifically about those programs caused the problems.


Ghost 11 (suite 2.0)

The migration from 7.5 to 11 was not as smooth as I had hoped. We used to netboot and ghostcast that way but with this new version I would have had to edit all the config files and I am not willing to put in the time to figure out how to do that when I’ve never attempted something like that before. So I opted for the boot CD, which wasn’t the easiest thing in the world to come by either.

Our newest machines are Dell Optiplex 755’s. I was able to find a forum online where someone posted directions on how to make the boot disk for it with the correct NIC drivers. It worked perfectly, I was finally able to ghostcast.

1. I went to Dell’s support site (support.dell.com) and downloaded the Intel drivers (about 5MB). Or you can download them here; ftp://ftp.us.dell.com/network/R162323.EXE
2. Extracted the contents to a new folder
3. Located the DOSNDIS2 directory. Within there there should be 2 files (e1000.dos and protocol.ini).
4. Created a new file called oemsetup.inf
5. Edit the oemsetup.inf file and copy/paste the following into it.
; OEMSETUP.INF for Broadcom Ethernet Adapter
[netcard]
E1000$="Intel Ethernet", 0, NDIS, Ethernet, REAL, E1000$_ini, E1000$_ini
[E1000$_ini]
DriverName=E1000$
device=E1000.dos, @INSTE1000$.dos
NETDIR=5:E1000$.dos
6. Save the file
7. Run the Symantec Ghost Boot Wizard Creator.
8. When asked to Select the Network Driver choose Add
9. Click the Setup Button and point to the NDIS folder you just created.
10. Everything else is default until the end.

Now I’ve hit another snag; we dual boot linux-windows and now linux won’t boot up. I can’t get it to boot up into anything because I’m using the linux bootloader. It’s stuck with GRUB in the upper left corner of the screen. I thought ghost was supposed to work with linux. Anybody know what to do?

Update: I just reinstalled grub and it works perfectly now. Sweet.
