Last night Malwarebyte’s AntiMalware program detected a false positive of the Atapi.sys driver and associated registry keys. As you may know, Atapi.sys is required by the storage system in Windows, and as such deleting it will render the system unbootable.

If you have the reboot on error checked in your system properties, your system will continuously reboot itself without giving an error. If you have a stop on reboot option checked, you will see the STOP error 0x0000007B.

I have included a zip file with the following registry keys and atapi.sys (5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)) taken from a fresh install of Windows XP SP2. Apparently it only affects SP2 installations.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi

Files Infected:
C:\WINDOWS\system32\drivers\atapi.sys

A few ways to fix this:

Use another machine to load Atapi.Sys and Registry Keys

1. Install the hard drive into another Windows computer and copy the computer’s good Atapi.sys driver (Windows\System32\Drivers) to your hard drive. Or download the XP SP2 one here.
2. Put the hard drive back into the original computer and select “Last known good configuration” to boot – this will restore the registry keys.
3. If the “Last known good configuration” doesn’t work, you may try editing the registry hive of your installation via another computer. Put the hard drive into a second machine and load the hive within that machine’s registry editor. If you are uncomfortable doing this, create a LiveCD of Windows (below).

Make a BartPE or LiveCD of Windows

1. Go to http://www.ubcd4win.com/howto.htm and follow the instructions to make a LiveCD of Windows. You can also use BartPE, but the following instructions may be different (http://www.nu2.nu/pebuilder/).
2. From a known good machine, export the above 3 registry keys to a USB drive.
3. From a known good machine, copy the atapi.sys driver from Windows\System32\Drivers to a USB drive. Or download the XP SP2 keys and atapi.sys here (zip).
4. When the LiveCD loads (this will take a while), attach the USB key to the machine. Copy the atapi.sys to your machine’s Windows\System32\Drivers directory.
5. In the LiveCD’s Windows environment, go to: Start>Program Files>Registry Editors>Regedit (remote).
6. You will be prompted to select a user from your machine to edit. Most likely it is “Administrator.”
7. Go to File and Import in the registry editor.
8. Import each of the 3 .reg keys you exported from a known good machine.
9. Restart your computer, taking out the LiveCD.
10. Everything should work.

Use Windows Repair

I don’t like this option because it does not always work. You may also need to reinstall or fix some programs after this procedure.

1. Put the Windows XP disc into the machine.
2. When the machine boots into the Setup environment, it will give you the following options:
   To setup Windows XP now, press ENTER.
   To repair a Windows XP installation using Recovery Console, press R.
3. Press ENTER, not R.
4. On the next screen, it will detect a previous installation and ask if you want to repair it. Choose to do so.
5. Windows will go through the setup by reinstalling all default options and drivers. You will need your Windows XP key.

14 Comments |  Print This Post

Most System Administrators use a hardware firewall to block IP addresses from accessing their network. Co-located servers do not always have the advantage of utilizing a hardware firewall. Software firewalls can often be expensive.

As you may already know, Windows 2003 lets administrators control IP access from the configuration panels in SMTP and IIS, among others. But what if you want to block an IP address from all services with only one motion? This is where the IP Security Policy Management snap-in comes in handy.

Configure the IP Security Policy to block your first IP address

1. Click “Start” and “Run” – type “MMC” and press OK.
2. In the MMC, click “File” and “Add/Remove Snap In.”
3. In the “Standalone” tab, click “Add.”
4. Select “IP Security Policy Management” and click “Add.”
5. Select “Local Computer” and click “Finish.”
6. Close the “Add standalone Snap-in” window and click “OK” on the “Add/Remove Snap-in” window.
7. Now that you are back in the MMC console, right-click on “IP Security Policies on Local Computer” in the left-hand pane and select “Create IP Security Policy.”
8. Click “Next.”
9. Enter a name (ex. IP Block List) and description into the boxes and click “Next.”
10. Leave “Activate the default response rule” checked. Click “Next.”
11. Leave “Active Directory default (Kerberos)” checked. Click “Next.”
12. Leave “Edit properties” checked. Click “Finish.”
13. The Properties box should be open.
14. To add your first IP address, click “Add.” Make sure “Use Add Wizard” is checked beside the button.
15. Click “Next” when the “Create IP Security Rule” wizard opens.
16. Leave “This rule does not specify a tunnel” checked. Click “Next.”
17. Select “All network connections” under Network Type (unless you want to specify by adapter). Click “Next.”
18. You are now at the “IP Filter List.” The “All ICMP Traffic” and “All IP Traffic” options will not meet our needs; we will need to add another. Click “Add.”
19. Name the IP Filter List (ex. Blocked IP List) and enter a description. Click “Add” to enter the first IP address to block.
20. The “IP Filter Wizard” will pop up. Click “Next.”
21. This will be the first IP address or IP range we enter to block. Enter a description (I usually enter the IP itself) and make sure “Mirrored” is selected below. This will ensure packets to/from are blocked, allowing you to create one rule instead of two. Click “Next.”
22. Keep “Source Address” as “My IP Address” and click “Next.”
23. Under “Destination Address” select “A specific IP Address” or “A specific IP Subnet.” If you select “Any IP address” it will block all IPs!
24. Enter in the IP address in the fields below and click “Next.”
25. Under “select protocol type” choose “Any” (means “All”) unless you specifically want to block from RDP (Remote Desktop), TCP or UDP, etc. Click “Next.”
26. Click “Finish.”
27. Now that you are back to the “IP Filter List” click “OK.”
28. You will be back in the “IP Filter List” list in the Security Rule Wizard – make sure you select your new “Blocked IP List” and not “All IP Traffic” or “All ICMP Traffic.” Click “Next.”
29. You will be taken to “Filter Action.” The lists: Permit, Request Security (Optional), and Require Security will not meet our needs. Click “Add.”
30. In the “IP Security Filter Action” wizard, click “Next.”
31. Select a name (ex. Block all Packets) and click “Next.”
32. Select “Block” for the filter action behavior. Click “Next.”
33. Click “Finish.”
34. You are back to the “Filter Action” list. Select your new list (Block All Packets) and click “Next.”
35. Click “Finish.”
36. You are back to your IP Security Policy list (Blocked IP List) Properties. Click “OK.”
37. Back in the “IP Security Policies on Local Computer” snap-in, you’ll need to assign the new policy. In the right-hand pane, right-click on your new list (IP Block List) and select “assign.”

To make it easier the next time you wish to block an IP address, save the MMC Snap-in configuration as a shortcut. Go to “File” and “Save As” and save it on your Desktop or Start Menu.

To Block Additional IP Addresses

1. Enter the IP Block List snap-in you saved.
2. In the right-hand pane double-click your IP Block List.
3. Under “IP Filter List” select the newly created “Blocked IP List” and click “Edit.” Make sure “Use Add Wizard” is checked.
4. Under “IP Filter Lists” select your “Blocked IP List” (not All ICMP or IP Traffic) and click “Edit.”
5. You are now in the “Add IP wizard” area. You will see the first IP address you blocked in a listing under “IP Filters.” Click “Add.”
6. Follow all previous steps to add the IP address you wish to block. Once finished, exit all dialog boxes.

You may need to restart the server for the settings to take effect.

6 Comments |  Print This Post

This past week I’ve been busy battling 29 different IP addresses that have been attacking a server that I maintain.

In my effort to rid the world of this behaviour, I recorded the IP addresses, found out as much information as possible, and then blocked them.

Locations of the IP addresses:

• 12 – China
• 9 - United States
• 5 – Canada
• 1 – Netherlands
• 1 – Vietnam
• 1 – Japan

Compromised Operating System:

• 29 – Windows 2003

Compromised Web Server:

• 29 – IIS 6

Percentage without a Firewall:

• 100%

Twelve of the IP addresses were associated with specific companies running their own dedicated server for email, ftp or a website. I decided to call or email each company to let them know their server was compromised. Most were grateful that someone took the time to notify them. By the end of the week, 8 of these servers were considerably more secure! One of the companies I called was a Canadian computer store. The person I talked to had mentioned their server was slow and bandwidth usage was high for about a week.

These servers were compromised through poor security practices. Many did not have a firewall due to co-location requirements, and others did not have a firewall due to email and ftp not working properly when it was enabled. Clearly they did not know how to properly configure a firewall to let DNS, SMTP, POP3 and Passive FTP in/out.

I find one of the biggest problems with Windows is that it is too easy to set up and administer at a basic level. Because of its ease of use, the technical knowledge of the person setting it up doesn’t need to exceed that of a typical desktop user. They fail to take into consideration items such as security, assuming the operating system takes care of it.

1 Comment |  Print This Post

Intel has released the long-awaited trim feature for its newer 34nm SSDs (Intel X25-M and X18-M G2). For those of you with the older G1 series, there is no trim feature available.

Trim is enabled by installing the firmware update from Intel to bring all G2 SSDs to the 02HA firmware. http://www.intel.com/go/ssdfirmware. When updating, remember to take your system out of AHCI mode (but put it back after the update). The firmware tool cannot update drives in RAID.

You must also download the SSD Toolbox from Intel. It is recommended to run the trim tool daily for optimal performance (scheduled task) if you are using Windows XP or Vista. Windows 7 users will not need to run it as long as they have the drive in AHCI mode. http://www.intel.com/go/ssdtoolbox

The trim feature in Windows 7 helps to alleviate the ‘re-write’ penalty found in most SSDs. When you have a fresh SSD, unwritten blocks only require one operation to fill, whereas a previously full (even if the data is deleted) SSD requires two operations to fill a block.

What trim does is ‘zero’-out the SSD’s free space to return it to a factory fresh state. In a previous entry I described how to do this (but it required erasing the whole drive – not very useful).

Here are some benchmarks from PC Perspective outlining the IO improvements of the Intel X25-M with trim enabled. If you run a database or web server you’ll want to use the trim feature. Anandtech’s writeup is here (more technical).

UPDATE: I’ve just updated the firmware on my Thinkpad T400 with the 34nm G2 X25-M 80GB SSD. Everything went smoothly, the firmware update DID NOT erase any files. Before you do the firmware update, backup all of your files with the expectation that you will need to reinstall everything! Just because it worked for me, doesn’t mean it will work for you. Below are the screenshots step by step just in case you were curious. It took about 12 minutes from downloading the ISO to booting Windows 7 back up.

1 Comment |  Print This Post

Internet Explorer 8 is showing up in Windows XP’s Windows Update as a critical update. Although this may be a good thing for developers (getting a “more” standards compliant browser out there), it can wreak havoc on networks with applications designed for IE6/7.

There is an IE8 Blocker toolkit from Microsoft. Simply download it and install on your network. It will disable the IE8 update through Windows Update.

http://go.microsoft.com/fwlink/?LinkId=133921

2 Comments |  Print This Post