Teefer2.Sys Fix
During some of my testing I have found out that the NTP part, which otherwise requires a reboot to be active, also becomes active when you stop and start the SMC service after the client install. This is definitely a +ve thing for us as we wouldn't have to use the reboot criterion when deploying the package. I am just a li'l confused if everything is fine here. Does anyone know if this is documented somewhere? I know the sysplant.sys is a kernel driver and wouldn't get active until registered, but we are not going to use that for sure. All I am concerned about is the teefer2.sys.
Thanks...
Hi Sandeep,
Can you check after installing SEP and after doing smc stop/start:
Once it all shows green, does the firewall policy work and block anything?
You can also test if the IPS engine works, as mainly WPS and WPSHelper sit just above the kernel.
Even I have seen this abnormality many times but haven't tested it once.
It would really be a nice find if the test results indicate that NTP is active without a reboot. In that case we may need more details on the system on which this was done.
Cheers,
Aniket
Will Report Back
I have tested it on R2 and standard, both VMs. I will make some block rule and see if it's a cosmetic thing or an actual one. Thanks Vikram and Aniket. It's pretty simple to reproduce: install SEP with NTP. As soon as it's installed, open the GUI and verify that the NTP is not there. Stop and start the SMC service; the NTP shows itself up. I will check for the IPS as well with netcat...
Confirmed: NTP and IPS are getting active without a reboot.
POC:
a) Create a test group within the SEPM.
b) Edit the firewall policy to create a rule for "block all" and move it to the top.
c) Export a client install package with the policies from this group.
d) Install the package.
e) Verify that the NTP is not active. (Save the VM snapshot here.)
f) Ping a remote host (e.g. google.com); verify that there is a reply from it.
g) Once SEP is installed, stop (smc -stop) and start (smc -start) the SmcService.
h) Verify that the NTP in the GUI is active.
i) Ping a remote host (e.g. google.com); connectivity is lost due to the rule created for "block all".
j) Revert to the snapshot in e) (for network connectivity for the IPS testing).
k) Open Internet Explorer and paste the following URL in it, which is an exploit for CodeRed (replace with HTTP):
..
l) SEP IPS detects the attack and gives a balloon pop-up.
m) "i)" and "l)" state that the firewall/IPS become active with a restart of the SmcService after the install (without rebooting).
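As an added example (not posted by anyone in this thread), a PowerShell check that automates steps f) through i) on a test VM with the "block all" policy installed: it records connectivity before the SMC restart, runs smc -stop / smc -start, waits for SmcService to report Running, and then confirms the rule is enforced. The smc.exe location and the Win32_SystemDriver name 'Teefer2' for the NTP driver are assumptions.

```powershell
# Added example: verify that SEP Network Threat Protection enforces its policy
# after an SMC restart, without a reboot. smc.exe on PATH and the driver
# service name 'Teefer2' are assumptions.
param(
    [string]$Target = 'google.com',
    [string]$Smc = 'smc.exe',
    [int]$TimeoutSec = 60
)

function Get-DriverState([string]$Name) {
    # Win32_SystemDriver reports State ('Running', 'Stopped', ...) per kernel driver
    $d = Get-CimInstance Win32_SystemDriver -Filter "Name='$Name'"
    if ($d) { $d.State } else { 'NotRegistered' }
}

function Test-Reachable([string]$Computer) {
    # -Quiet yields $true/$false instead of throwing when the host is unreachable
    Test-Connection -ComputerName $Computer -Count 2 -Quiet -ErrorAction SilentlyContinue
}

function Wait-ServiceRunning([string]$Name, [int]$Timeout) {
    $deadline = (Get-Date).AddSeconds($Timeout)
    while ((Get-Date) -lt $deadline) {
        $s = Get-Service -Name $Name -ErrorAction SilentlyContinue
        if ($s -and $s.Status -eq 'Running') { return $true }
        Start-Sleep -Seconds 2
    }
    return $false
}

# Steps e)/f): state before the restart; a reply is expected, NTP not yet active
$before = [ordered]@{ Driver = Get-DriverState 'Teefer2'; Reachable = Test-Reachable $Target }

# Step g): restart the Symantec Management Client (run from an elevated prompt)
& $Smc -stop
Start-Sleep -Seconds 5
& $Smc -start
if (-not (Wait-ServiceRunning 'SmcService' $TimeoutSec)) {
    throw "SmcService did not reach Running within $TimeoutSec seconds"
}
Start-Sleep -Seconds 10   # allow NTP to load the exported policy

# Steps h)/i): state after the restart; the top 'block all' rule should now drop traffic
$after = [ordered]@{ Driver = Get-DriverState 'Teefer2'; Reachable = Test-Reachable $Target }
$enforced = $before.Reachable -and -not $after.Reachable
[pscustomobject]@{ Before = $before; After = $after; PolicyEnforced = $enforced }
```

PolicyEnforced is only meaningful when the pre-restart ping succeeded; a $false there with Reachable already $false before the restart means the snapshot in e) was not clean.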
Okay. This has been patched with RU5.
Good or bad bug? I don't know but shameful on the vendor's part to do that without an acknowledgement.