ccolonbackslash

Microsoft System Centre EndPoint Protection 2012 vs Sophos

Having noticed an increasing number of fake AV and ransomware installations on our network, where we currently run Forefront Client Security as endpoint protection, I ran a comparison between Microsoft’s latest A/V product, System Center Endpoint Protection 2012 SP1, and Sophos’s most recent PC client A/V to decide whether the MS offering was still up to snuff before we deployed it.

Having used malc0de’s database to retrieve live malware links posted over the last three days, we used a pair of VMs on a segregated network to test detection of malicious code. Both VMs were snapshotted before infection; one was installed with a fully updated (defs: 07/01) EPP and the other with Sophos (defs: 07/01), both running Windows 8 x64. The comparison is solely with Sophos as we currently use that product on our Macs. We use the Microsoft Forefront Client Protection A/V on PCs as it is free as part of the Software Assurance benefits received under our EA. I should add that I realise this is no reason on which to base a choice of endpoint protection product, and this experience has prompted an immediate review of that choice.

Admittedly this is a very limited range of tests, and not particularly thorough, but as a quick review it indicates that EPP is not updated sufficiently often or thoroughly and is severely compromised by the lack of access to a URL blacklist (which in fairness it does not claim to offer). In the list below, every single piece of malware was allowed to be downloaded by EPP and was not detected when manually executed – though if you tried to run it directly from IE all but one piece of malware was initially blocked due to signature verification problems. Sophos blocked access to the known malware sites below, and where they were unknown it recognised the malware and prevented its execution. Time to read some reviews and get some prices for alternative endpoint protection.

avtest

Converged Fabric for Hyper-V hosts on Server 2012 – super elegant.

Recently I’ve been working to simplify and consolidate our service provision. The path of least pain has been determined as placing core applications in colocation. While investigating the provision of storage, and with memories of building 2008 R2 clusters still clear in my head, I have begun trialling Server 2012. Having read a series of articles by Aidan Finn (his excellent blog here) about virtualisation on Server 2012, I happened across his converged fabrics posts, here.

First some background: in Hyper-V R2 you need upwards of six NICs to build a VM host cluster. You can get functionality with less, but you leave yourself exposed; it would not be N+1. Also bear in mind that teaming for fault tolerance across multiport network cards is only going to give you a false sense of security on the server side (it is, after all, only a single card regardless of how many ports it has).

In a nutshell, what I’m excited about is that you can use native teaming (or otherwise) on Server 2012 to bond a series of NICs together, then spread your live migration, storage, guest access and other NIC requirements across a series of virtual NICs connected to the virtual switch bound to this NIC team (phew). You then set QoS on the virtual switch for the different virtual adapters so you can guarantee service for the different aspects of connectivity your Hyper-V cluster will need. Anyway, have a look at Aidan’s posts on the matter; they make for a great lab.

In my lab I’ve used a pair of 1GbE links and it works great for testing; in production you’d be looking at two or more 10GbE links ideally, giving you resilience and most of the bandwidth you’d ever need in the foreseeable future, at least for the kind of services/load experienced in most SMEs.
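As an added example (not code from this blog or from Aidan Finn’s posts), here is the converged fabric described above built on one Server 2012 Hyper-V host in PowerShell: one LBFO team, one weight-based virtual switch, and a host vNIC per traffic class with its own VLAN and bandwidth weight. The NIC names, VLAN IDs, addresses and weights are lab assumptions; the VLAN IDs must match the trunk configured on the physical switch ports.

```powershell
# Added example, not the blog's or Aidan Finn's code. Run elevated on the Hyper-V host.
# Assumed: physical NICs named NIC1/NIC2, VLAN IDs 10-40 trunked on the switch ports.

# 1. Team the physical NICs with Server 2012 native (LBFO) teaming.
New-NetLbfoTeam -Name "ConvergedTeam" -TeamMembers "NIC1","NIC2" `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm HyperVPort -Confirm:$false

# 2. Bind an external virtual switch to the team. Weight-based minimum bandwidth is what
#    later lets each traffic class be guaranteed a share of the team.
New-VMSwitch -Name "ConvergedSwitch" -NetAdapterName "ConvergedTeam" `
    -MinimumBandwidthMode Weight -AllowManagementOS $false

# 3. One management-OS vNIC per traffic class. The VLAN keeps storage and live-migration
#    traffic off the guest and management segments; the weight stops any class starving
#    the others. Weights are relative; guests share the default flow's remainder.
$vnics = @(
    @{ Name = "Management";    Vlan = 10; Weight = 10 },
    @{ Name = "Cluster";       Vlan = 20; Weight = 10 },
    @{ Name = "LiveMigration"; Vlan = 30; Weight = 30 },
    @{ Name = "Storage";       Vlan = 40; Weight = 40 }   # iSCSI / SMB traffic
)
foreach ($v in $vnics) {
    Add-VMNetworkAdapter -ManagementOS -Name $v.Name -SwitchName "ConvergedSwitch"
    Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $v.Name -Access -VlanId $v.Vlan
    Set-VMNetworkAdapter -ManagementOS -Name $v.Name -MinimumBandwidthWeight $v.Weight
}
# Floor for guest traffic on the switch (assumed value).
Set-VMSwitch -Name "ConvergedSwitch" -DefaultFlowMinimumBandwidthWeight 10

# Each vNIC appears in the management OS as "vEthernet (<Name>)"; address it like any NIC.
New-NetIPAddress -InterfaceAlias "vEthernet (Storage)" -IPAddress 10.40.0.11 -PrefixLength 24

# 4. Verify every vNIC received its VLAN and its weight before putting the host in a cluster.
Get-VMNetworkAdapter -ManagementOS | Select-Object Name, BandwidthPercentage,
    @{ n = 'VlanId'; e = { (Get-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $_.Name).AccessVlanId } }
```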

ISP Redundancy on Check Point R75.45 Gaia – does not work

I installed R75.45 Gaia on a UTM-1 270 appliance recently; installation from USB went fine and performance was adequate with a low load, VPN, default IPS and a short QoS rule set.

In order to support a degree of resilience we’re using ISP Redundancy at all sites with multiple internet connections. Despite configuring this site identically, I was not able to get the failover to work. Usually the script cp_isp_update runs and updates the gateway’s default route to match that of the secondary ISP; however, when I tested this on R75.45 the route was not updated when the primary was disconnected.

I contacted Check Point support and was informed that ISP Redundancy does not work in either version of Gaia, R75.45 or R75.40 – however, there is a patch available for R75.40 if you contact them and reference this sk. I applied this patch on R75.40 but still didn’t see the solution work as expected, so instead I deployed R75.30 as I have at other ISP-redundant sites.

I should also mention that my in no way scientific, cursory observations indicated that load on the CPU was much lower (15-20% lower) on SPLAT (with R75.30) than on either version of Gaia. Something to bear in mind for older appliances like the UTM-1 270.

VMware vCenter Converter “Unable to obtain hardware information for the selected machine.”

When converting a machine from VMware Workstation to another virtualisation platform you may come up against an “Unable to obtain hardware information for the selected machine.” warning and a red cross after selecting the VM you wish to convert.

This is easily resolved: simply right-click the VMware vCenter Converter icon/Start menu item and select Run as administrator.

Server 2012 on VMware ESXi – “Your computer ran into a problem and needs to restart”

Trying to migrate a 2012 VM from VMware Workstation 9 to an ESXi host, I saw the ‘sad face’, as below.

“Your computer ran into a problem and needs to restart”

A little research led me to this: http://kb.vmware.com/selfservice/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=2006859&sliceId=2&docTypeID=DT_KB_1_1 but patching ESX was not something I’d done for some time, and I think I previously used Update Manager.

A little digging led me here, which is much clearer than the VMware instructions for patching. Many thanks Chris! Simply upload the patch to a datastore, enable SSH (or do it from the console), put the server in maintenance mode, run the patch as Chris’ link shows, reboot, and your 2012 and Windows 8 VMs will now boot just fine.

HA Exchange 2010 two All-In-One servers in a DAG, CAS arrays, Windows NLB….. – confusion and solution

In the process of lab testing the viability of an HA mail installation with HP’s E5000 series of messaging appliances, I came up against some confusion about the configuration of the CAS array when using a two-member DAG where the servers also host the CAS and HT roles. I am aware a hardware load balancer is required for this to work but was not clear on exactly how to configure Exchange to work with such a device.

Initially in a lab I configured a DAG between two Exchange 2010 VMs; this seemed to be working as expected. The next instruction was to add both servers to a CAS array, assign a VIP and put this in DNS.

I then configured a CAS array, assigned a VIP and configured the DNS record. The array included the two all-in-one servers and it was created successfully, but none of my clients were able to connect, nor was I able to ping the array address. Further reading, in particular this: http://blogs.technet.com/b/exchange/archive/2012/03/23/demystifying-the-cas-array-object-part-1.aspx led me to realise:

  1. Windows NLB is needed for a CAS array to work without additional hardware.
  2. Windows NLB is incompatible with Server 2008 R2 failover clustering.
  3. Server 2008 R2 failover clustering is needed for a DAG…
  4. I need a DAG….
  5. Therefore I cannot use Windows NLB…..

Which led me to read the “Best practices for networking and load balancing with the E5000 messaging systems” pdf on the HP site.

Essentially I’d gone about it backwards:

  • You still create the CAS array, but use a VIP that is assigned to the load balancers, and it is that IP that must be defined when you create the array. Once this is in place and the HLB is configured, they proxy the requests to the separate CAS servers and all is good.
  • It seems the CAS array is a simple object, a pointer more than a mechanism: a CAS array object does not load balance your traffic; Windows NLB does that or, in our case, our hardware load balancer. All the object does is tell the mail client where to go to get mail.
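To make the “pointer, not a mechanism” point concrete, here is the CAS array set up the way the bullets above describe, as an added example (not the HP guide’s or this blog’s own commands), run from the Exchange 2010 Management Shell. The array FQDN, AD site name, DNS zone and VIP are assumptions; the VIP belongs to the hardware load balancer, never to either Exchange server.

```powershell
# Added example, not the blog's or HP's code. Exchange 2010 Management Shell, elevated.
# Assumed lab values:
$arrayFqdn = "outlook.lab.example"        # the name Outlook clients will connect to
$dnsZone   = "lab.example"
$hlbVip    = "192.0.2.50"                 # VIP owned by the hardware load balancer (HLB)
$adSite    = "Default-First-Site-Name"    # AD site containing both all-in-one servers

# 1. Create the CAS array object. Note it takes a name and an FQDN, not an IP address or a
#    server list: the object only tells clients where to go; it balances nothing itself.
New-ClientAccessArray -Name "CASArray-Lab" -Fqdn $arrayFqdn -Site $adSite

# 2. The A record for the array FQDN must resolve to the HLB's VIP. Pointing it at one CAS
#    server's address is what makes clients bypass the balancer. (Server 2012 DnsServer
#    module; run on the DNS server, or create the record in the DNS console instead.)
Add-DnsServerResourceRecordA -ZoneName $dnsZone -Name "outlook" -IPv4Address $hlbVip

# 3. Point every mailbox database at the array so Outlook's RPC endpoint is the array name
#    rather than whichever server mounted the database first.
Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer $arrayFqdn

# 4. Verify: each database should report the array FQDN, and the FQDN should resolve to
#    the VIP. The HLB then proxies RPC/HTTPS to the individual CAS servers.
Get-MailboxDatabase | Format-Table Name, RpcClientAccessServer -AutoSize
Resolve-DnsName -Name $arrayFqdn -Type A | Select-Object Name, IPAddress
```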

“Code 800B0001 Windows update ran into a problem” on Windows 8 and 2012 when using WSUS or WSUS with SCCM

This issue is caused by Windows 8 using a newer update client than WSUS SP2 is aware of; consequently the client doesn’t trust the server.

Despite having KB2720211-x64 installed, I still see this error on Windows 8 and Windows 2012 machines in my SCCM lab.

It seems this recent KB solves the issue: http://support.microsoft.com/kb/2734608

If I understand it correctly, the issue is related to the signing of the updates with a certificate that is not approved by the Windows 8/2012 update client. This issue is corrected during the WSUS resync/reindex after the above update is applied.

Once the sync is complete, and before you try to apply the updates to any new clients, be sure to stop the local Windows Update service on the Windows 8/2012 client and delete the software distribution folder in C:\Windows. Be sure to start the Windows Update service again before you try to check for updates, and then run the update installation again. Instructions below:

  1. Open an administrative command prompt on the affected computer
  2. Type the following:
  • net stop wuauserv
  • rd /s %windir%\softwaredistribution\
  • net start wuauserv

In my case I’d already tried to publish the SCCM client before I did the update and before I applied the SP1/CTP for SCCM, and ran into problems even after the above because the SCCM client is not re-signed during the WSUS update.

As I had not yet published the latest version of the SCCM client that came with SCCM SP1/CTP to WSUS, I published it AFTER applying KB2734608. To do this you go to Sites, Client Installation Settings and Software Update-Based Client Installation; it will tell you there is a new client available. Agree, then apply, and it will be correctly signed and will install on Server 2012 and Windows 8.

So if you publish a version of the client through WSUS before you do the KB update and resync, it doesn’t get re-signed; it only does if you distribute it AFTER the update. (I think…..)

Phew.

Cannot install Server 2012 – The file may be corrupt or missing. Error code:0x80070570

For disclosure – no such issues on VMware Workstation 9, and I got the ISO to eventually install on the old desktop by burning it at 4x…… I could not, however, get it to install on Workstation 8 without enabling the VT extensions.

_____________________________

While trying to install Server 2012 on both VMware Workstation 8 and an oldish desktop, I found myself repeatedly running into: “Windows cannot install required files. The file may be corrupt or missing. Make sure all files required for installation are available, and restart the installation. Error code: 0x80070570”.

Image

Various online resources blamed ISOs, bad memory etc. But it seemed odd that I saw the same message on the old desktop and the VM, so I listed out what these two machines were missing that the server I had installed it on successfully did have…. Then I realised: VT extensions.

So I went into the VM properties (see picture below), enabled virtualisation of VT extensions and, lo and behold, a successful install in VMware Workstation.

Image

Using Avaya IPO as a SIP trunk with Lync – problems dialling international and cellphone numbers

After connecting Avaya IPO to our Lync infrastructure we discovered that long distance calls from Lync often failed, especially to cell phones/mobiles – usually with a “cannot accept call 405”.

Thanks to this: http://trogjels.wordpress.com/2012/03/22/outbound-call-from-lync-fails-timeout-issues/

I discovered it’s due to Lync giving up on calls through the PSTN after 10 seconds! Change the config file referenced there so the timeout is 20 seconds, restart the server (or just the Front End and Mediation services) and your issue will be resolved.

Server 2008 R2 VSS – volsnap error: “The shadow copies of volume C: were aborted because of a failed free space computation.”

While trying to get a DPM backup of a server we were seeing volsnap errors every time we tried to sync the target, and the same error if we tried to configure shadow copies directly.

The volsnap errors referenced an inability to calculate free space on the volume in question, specifically: “The shadow copies of volume C: were aborted because of a failed free space computation.”. There are lots of articles referencing this issue on 2003 but nothing at all on 2008 or 2008 R2.

All VSS providers were showing healthy, so I looked at more general VSS troubleshooting and came across this:

Specifically, following these steps as detailed by Shaon Shan. As always, ensure you back up the registry before making any changes.

1. Stop the following services:

   Volume Shadow Copy Service
   MS Software Shadow Copy Provider — keep it stopped
   “COM+ Event System”
   “COM+ System Application”

2. Take a backup of the “Subscriptions” key:

   HKLM\Software\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions

3. Delete the “Subscriptions” key.

4. Restart/start the following services:

   “COM+ Event System”
   “COM+ System Application”
   “Microsoft Software Shadow Copy Provider”
   “Volume Shadow Copy”

5. Reboot the machine.
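The five steps above as one elevated PowerShell run, added here as an example (not Shaon Shan’s or this blog’s own script). It refuses to delete the key unless the registry backup succeeded, stops the services in the listed order and starts them in reverse so dependencies come up first. The service short names (VSS, swprv, EventSystem, COMSysApp) are the real ones for the services listed; the backup folder is an assumption.

```powershell
# Added example, not the blog's or Shaon Shan's script. Run in an elevated PowerShell session
# on the Server 2008 R2 machine showing the volsnap free-space error.
$subKey  = 'HKLM:\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions'
$regPath = 'HKLM\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions'
$backup  = "C:\Temp\EventSystem-Subscriptions-$(Get-Date -Format yyyyMMdd-HHmmss).reg"  # assumed path

# Step 1: stop the services in the order listed. -Force also stops anything that depends on
# COM+ Event System (e.g. SENS); the reboot in step 5 brings those back.
foreach ($svc in 'VSS', 'swprv', 'COMSysApp', 'EventSystem') {
    Stop-Service -Name $svc -Force -ErrorAction Stop
}

# Step 2: back up the Subscriptions key to a .reg file that can be re-imported with reg.exe.
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
reg.exe export "$regPath" "$backup" /y
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backup)) {
    throw "Registry backup failed; nothing has been deleted."
}

# Step 3: delete the key. -Recurse is required because it holds one subkey per subscription.
Remove-Item -LiteralPath $subKey -Recurse -Force

# Step 4: start the services in reverse order so COM+ Event System is up before its dependants.
foreach ($svc in 'EventSystem', 'COMSysApp', 'swprv', 'VSS') {
    Start-Service -Name $svc
}

# Step 5 is the reboot. After it, 'vssadmin list writers' and 'vssadmin list providers'
# should report no errors before you retry the DPM sync.
Write-Host "Subscriptions key backed up to $backup and deleted. Reboot to complete step 5."
```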