Re: Trend Micro Client Outbreak - Need to remove it from Domain ...fast

2009-06-28 Thread Devin Meade
FYI If you need to re-home the servers, you will need the TCP port the
clients are using.  From my fading memory it could be 8080 or 8090 as
the defaults.  It depends on the TM version, I think.
-Devin

On Sun, Jun 28, 2009 at 11:07 PM, Devin Meade wrote:
> There might be a group policy installing this.  Maybe the option to
> "uninstall the software if it falls out of the scope of management"
> was checked on, if so disable the GPO, force a policy update and
> reboot them.
>
> Could it be that the clients are homed to a server that is no more?
> If so, you may be able to re-home them to the existing and working
> server, then uninstall.  Look for a move operation under the client
> management piece.
>
> If you have the TMVS running, then you could identify the machines and
> write a quick startup script (with a "if computername==xxx" to
> uninstall them - I don't have the cmd line for that, sorry.
>
> Hopefully you are now done with this... :-)
>
> hth, Devin
>
> On Sun, Jun 28, 2009 at 5:06 PM, aci wrote:
>> Thank you for your replies.
>>
>> Unfortunately, the domain has SAV version 10.1.8. I do not see any options 
>> for removing T/M in there, but of course, I could have missed it.
>>
>> As for the T/M web console, when I am in it, the desktops group is 
>> completely empty. That is why I say I am not sure how the installations were 
>> done. For all I know, he went out and did them manually because he thought 
>> better to have something on the workstation than nothing...
>>
>> I was able to do a scan of the network using the TM vulnerability scanner. 
>> It was able to find all of the workstations, T/M managed or otherwise...) 
>> but I did not see any way to remove clients because they, themselves were 
>> not listed in the web console. I don't know how to refresh the console to 
>> see what is actually installed. If I were able to do that, perhaps I would 
>> be able to right click on them and uninstall the client as suggested.
>>
>> any ideas???
>>
>> TIA
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~   ~
>>
>
>
>
> --
> Devin
>



-- 
Devin




Re: Trend Micro Client Outbreak - Need to remove it from Domain ...fast

2009-06-28 Thread Devin Meade
There might be a group policy installing this.  Maybe the option to
"uninstall the software if it falls out of the scope of management"
was checked on, if so disable the GPO, force a policy update and
reboot them.

Could it be that the clients are homed to a server that is no more?
If so, you may be able to re-home them to the existing and working
server, then uninstall.  Look for a move operation under the client
management piece.

If you have the TMVS running, then you could identify the machines and
write a quick startup script (with a "if computername==xxx" to
uninstall them - I don't have the cmd line for that, sorry.

Hopefully you are now done with this... :-)

hth, Devin

On Sun, Jun 28, 2009 at 5:06 PM, aci wrote:
> Thank you for your replies.
>
> Unfortunately, the domain has SAV version 10.1.8. I do not see any options 
> for removing T/M in there, but of course, I could have missed it.
>
> As for the T/M web console, when I am in it, the desktops group is completely 
> empty. That is why I say I am not sure how the installations were done. For 
> all I know, he went out and did them manually because he thought better to 
> have something on the workstation than nothing...
>
> I was able to do a scan of the network using the TM vulnerability scanner. It 
> was able to find all of the workstations, T/M managed or otherwise...) but I 
> did not see any way to remove clients because they, themselves were not 
> listed in the web console. I don't know how to refresh the console to see 
> what is actually installed. If I were able to do that, perhaps I would be 
> able to right click on them and uninstall the client as suggested.
>
> any ideas???
>
> TIA
>



-- 
Devin




RE: Trend Micro Client Outbreak - Need to remove it from Domain ...fast

2009-06-28 Thread aci
Thank you for your replies.

Unfortunately, the domain has SAV version 10.1.8. I do not see any options for 
removing T/M in there, but of course, I could have missed it.

As for the T/M web console, when I am in it, the desktops group is completely 
empty. That is why I say I am not sure how the installations were done. For all 
I know, he went out and did them manually because he thought better to have 
something on the workstation than nothing...

I was able to do a scan of the network using the TM vulnerability scanner. It 
was able to find all of the workstations, T/M managed or otherwise...) but I 
did not see any way to remove clients because they, themselves were not listed 
in the web console. I don't know how to refresh the console to see what is 
actually installed. If I were able to do that, perhaps I would be able to right 
click on them and uninstall the client as suggested.

any ideas???

TIA


RE: Trend Micro Client Outbreak - Need to remove it from Domain ...fast

2009-06-28 Thread Art DeKneef
From the Web Console click on Security Settings. You should see groups listed
on the left. Click on Desktops. Computers should be listed there. Highlight a
computer and click Remove. Of the two choices choose Uninstall the selected
agents and click Apply. That should remove the files from the computer.

He pushed out the software by adding the computers and choosing to remote 
install probably.

Offhand I'm not aware of a script to remove the software via a GPO. I'm sure it 
could be done given the time to figure it out. Might be quicker to just use the 
Trend console based on the number of clients.


-Original Message-
From: aci [mailto:tkcont...@yahoo.com] 
Sent: Sunday, June 28, 2009 12:11 PM
To: NT System Admin Issues
Subject: Trend Micro Client Outbreak - Need to remove it from Domain ...fast

TIA to any and all replies...

Fell into a situation where a previous employee installed Trend/Micro SMB to a 
test server on the domain. He somehow managed to push out countless client 
installations to various XP and possibly Vista workstations before he got 
canned. Trouble is, this is wreaking havoc with the SAV console which is no 
longer able to communicate with most of the managed clients who now may or may 
not have the T/M AV software on them. 

I am at crunch time, having to now clean up this mess, as management wants to 
know who is and is not protected via a properly configured SAV client. Rather 
than manually audit this situation, I would like to find a way to script the 
removal of the T/M product via a GPO. Trying to get this done remotely over 
this weekend as all the PC's are on and there are no users to get in the way of 
the process and required reboots. 

I am not a T/M guru by any means, but looking through the console I can't 
figure out how he managed to push out the clients, nor how to initiate a 
removal of the clients from the system. 

Any initial ideas for scripting this would be greatly appreciated



RE: Trend Micro Client Outbreak - Need to remove it from Domain ...fast

2009-06-28 Thread Michael Hoffman
There is a tool on the server called the Trend Micro Vulnerability Scanner 
\Security Server\PCCSRV\Admin\Utility\TMVS which scans and allows pushed 
deployment. You might find it easier to finish the deployment and then remove 
the agents via the uninstall option on the web management screen.

The tool will let you know what agents are there and in what state. Been doing 
this today for some clients so I hope this helps. Also SAV has tools to remove 
T/M in the latest version.

Mike

-Original Message-
From: aci [mailto:tkcont...@yahoo.com] 
Sent: 28 June 2009 20:11
To: NT System Admin Issues
Subject: Trend Micro Client Outbreak - Need to remove it from Domain ...fast

TIA to any and all replies...

Fell into a situation where a previous employee installed Trend/Micro SMB to a 
test server on the domain. He somehow managed to push out countless client 
installations to various XP and possibly Vista workstations before he got 
canned. Trouble is, this is wreaking havoc with the SAV console which is no 
longer able to communicate with most of the managed clients who now may or may 
not have the T/M AV software on them. 

I am at crunch time, having to now clean up this mess, as management wants to 
know who is and is not protected via a properly configured SAV client. Rather 
than manually audit this situation, I would like to find a way to script the 
removal of the T/M product via a GPO. Trying to get this done remotely over 
this weekend as all the PC's are on and there are no users to get in the way of 
the process and required reboots. 

I am not a T/M guru by any means, but looking through the console I can't 
figure out how he managed to push out the clients, nor how to initiate a 
removal of the clients from the system. 

Any initial ideas for scripting this would be greatly appreciated

Trend Micro Client Outbreak - Need to remove it from Domain ...fast

2009-06-28 Thread aci
TIA to any and all replies...

Fell into a situation where a previous employee installed Trend/Micro SMB to a 
test server on the domain. He somehow managed to push out countless client 
installations to various XP and possibly Vista workstations before he got 
canned. Trouble is, this is wreaking havoc with the SAV console which is no 
longer able to communicate with most of the managed clients who now may or may 
not have the T/M AV software on them. 

I am at crunch time, having to now clean up this mess, as management wants to 
know who is and is not protected via a properly configured SAV client. Rather 
than manually audit this situation, I would like to find a way to script the 
removal of the T/M product via a GPO. Trying to get this done remotely over 
this weekend as all the PC's are on and there are no users to get in the way of 
the process and required reboots. 

I am not a T/M guru by any means, but looking through the console I can't 
figure out how he managed to push out the clients, nor how to initiate a 
removal of the clients from the system. 

Any initial ideas for scripting this would be greatly appreciated


Server wants to boot from USB drive

2009-06-28 Thread Tom Miller
I have an HP Proliant GL110 server for a remote office.  I use NT backups to a 
USB drive.  When the USB device is connected to the server and powered on, the 
server seems to attempt to boot to the USB drive and I get "operating system 
not found".
 
I unplug the USB drive and the system boots normally.
 
I changed the boot order in the bios to put "removable drives" last, but that 
has no impact.  It cannot be disabled via BIOS boot order, unfortunately.
 
Suggestions?
 
 
 
 
 
Tom Miller
Engineer, Information Technology
Hampton-Newport News Community Services Board
757-788-0528 


Re: OT: consumer routers resetting to default

2009-06-28 Thread Angus Scott-Fleming
On 26 Jun 2009 at 9:29, Art DeKneef  wrote:

> Thought I would ask and see if others have experienced this.
> 
> During the past two weeks I have had customers call and ask me to help them
> with getting their Internet access working again at their house. In the five
> cases that I have seen all of the routers have been reset to default. All
> are made by Linksys, are different models, wireless, had been setup with
> security and working fine for over a year. After entering the information
> again the clients can access the Internet fine. 
> 
> Seems strange to me that would happen to this many devices within a relative
> short period of time. 

I have seen this, too.  I wouldn't be at all surprised to find out that there 
is an exploitable hole in the Linksys software and the bad guys are using this 
to reset the routers to disable security and get access to them.  

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038


RE: GPO's and remote servers

2009-06-28 Thread Steven M. Caesare
And if you've managed to curve space-time.

 

Which is why I've never had good success with GPO's near black holes.

 

-sc

 

From: Webster [mailto:carlwebs...@gmail.com] 
Sent: Saturday, June 27, 2009 9:21 AM
To: NT System Admin Issues
Subject: RE: GPO's and remote servers

 

From: Steven M. Caesare [mailto:scaes...@caesare.com] 
Subject: RE: GPO's and remote servers

 

Well, not according to Einstein...

 

It all depends on how fast you are traveling.

 

 

Webster

 

From: Carl Houseman [mailto:c.house...@gmail.com] 
Subject: RE: GPO's and remote servers

 

Computers don't care about time zones, they exist only to display time
for humans.   Any time settings you establish are converted to universal
time based on the TZ of your machine.  And universal time is the same
everywhere.

 

 
