Troubleshooting NIS on TMG 2010
1. Troubleshooting Network Inspection System (NIS) on Forefront TMG 2010
Yuri Diogenes | Senior Technical Writer, Microsoft Windows iX IT Pro Security Team
http://blogs.technet.com/yuridiogenes
2. NIS: Powered by GAPA
- GAPA (Generic Application Protocol Analyzer) is the framework and platform NIS is built on: it allows low-level protocol parsers to be developed quickly and safely.
- Parsers support extensibility and layering, so a parser for one protocol can build on the parser for the protocol beneath it.
- Parsing-based "rules" (signatures) check the parsed traffic for specific conditions and apply an action when they match.
3. The NIS Architecture (diagram)
- Design time: protocol parsers and signatures are written in GAPAL (the GAPA language), compiled, and published through Microsoft Update.
- Run time: the NIS engine on the TMG server loads the protocol parsers and signatures, inspects the traffic handed to it by the network interception layer, and reports telemetry back to Microsoft (telemetry & portal).
4. NIS Value Proposition
- Protection against exploitation of known vulnerabilities.
- Average survival time of an unpatched Windows XP machine: under 20 minutes.
- Only about 2% of Windows machines have no insecure program installed.
- Zero-day protection: close the vulnerability window between the announcement of a security patch and its deployment, since a signature can ship before every host is patched.
- Respond to newly discovered vulnerabilities.
6. Signatures for Testing
- HTML test signature: from a client whose web traffic passes through TMG, browse to http://www.contoso.com/testNIS.aspx?testValue=1!2@34$5%6^[{NIS-Test-URL}]1!2@34$5%6^ (contoso.com is the usual Microsoft placeholder host).
- SMB test signature: copy a file named C0AABD79-351B-4c98-8AE7-69F4279FEF54.txt to a remote share across TMG.
- Both should be blocked and appear in the TMG log as NIS hits. If neither fires, NIS is not in the traffic path, is not enabled, or the signature set has not been applied.
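The following script is an added example, not code from the original deck or from Microsoft: it triggers both test signatures from a client behind TMG and reports whether each was blocked. The proxy address tmg.contoso.local:8080 and the share \\fileserver\share are assumptions; the URL and file name are the ones on the slide. It uses System.Net.WebClient rather than Invoke-WebRequest so it also runs on the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example (not from the original deck): exercise the NIS HTTP and SMB test
# signatures and report whether TMG blocked the traffic.
# Assumed (not in the original): proxy listener address and the remote share.
$ProxyAddress = 'http://tmg.contoso.local:8080'      # assumed TMG web proxy listener
$RemoteShare  = '\\fileserver\share'                  # assumed share reached through TMG
$TestUrl      = 'http://www.contoso.com/testNIS.aspx?testValue=1!2@34$5%6^[{NIS-Test-URL}]1!2@34$5%6^'
$SmbTestFile  = 'C0AABD79-351B-4c98-8AE7-69F4279FEF54.txt'

# HTTP test: the request is inspected as it passes through the TMG web proxy.
$client = New-Object System.Net.WebClient
$client.Proxy = New-Object System.Net.WebProxy($ProxyAddress)
try {
    $null = $client.DownloadString($TestUrl)
    Write-Host "HTTP test: request was NOT blocked - check that NIS is enabled and the test signature is set to Block"
} catch [System.Net.WebException] {
    # On a block TMG answers with its own error page; the WebException carries that response.
    $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'no response' }
    Write-Host "HTTP test: request blocked (HTTP status $status) - NIS HTTP test signature fired"
}

# SMB test: the file write is inspected as the SMB traffic crosses TMG.
$localCopy = Join-Path $env:TEMP $SmbTestFile
'NIS test file' | Out-File -FilePath $localCopy -Encoding ascii
try {
    Copy-Item -Path $localCopy -Destination (Join-Path $RemoteShare $SmbTestFile) -ErrorAction Stop
    Write-Host "SMB test: copy succeeded - NIS SMB test signature did NOT block the transfer"
} catch {
    Write-Host "SMB test: copy failed ($($_.Exception.Message)) - expected when the NIS SMB test signature blocks"
}
```

After running it, confirm the two hits in the TMG log viewer; a block at the client without a matching NIS log entry means something other than NIS (a firewall rule, the share itself) refused the traffic.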
8. Troubleshooting NIS: Wrong Detection
False negative (suspicious traffic is let through):
- Isolate the signature that should have fired.
- Confirm that NIS is really not blocking the suspicious traffic (check the TMG log for a detect-only hit before assuming a miss).
- Validate: collect Network Monitor traces of the traffic.
- Contact Microsoft with the trace and the signature involved.
False positive (valid traffic is blocked):
- Isolate the signature that is firing.
- Confirm that it is blocking legitimate traffic.
- Temporarily set the signature to Detect Only (or disable it). Detect Only keeps logging the hits while unblocking the traffic, so prefer it to disabling.
- Contact Microsoft.
9. Troubleshooting NIS: High CPU
- Symptom: high CPU utilization in wspsrv.exe (the Microsoft Firewall service process, which hosts the GAPA engine).
- Use Process Monitor for an initial assessment.
- Collect Perfmon data both before and while the issue is happening, so there is a baseline to compare against.
- Collect a user-mode dump of wspsrv.exe while the CPU is high.
- Verify whether tracing is enabled under HKLM\SOFTWARE\Microsoft\Network Inspection System\...\Components\GAPA or ...\Components\NIS (part of the subkey path is lost in the slide text); tracing left enabled costs CPU and should be off when no data is being collected.
10. Troubleshooting NIS: Reviewing the Dump
- Look for patterns across the threads rather than at any single stack.
- Check for critical sections (in WinDbg, !locks lists the critical sections that are held and contended).
- Review the threads that are blocked waiting on those critical sections.
- Check whether most of the threads belong to GapaEngine; if so, the load is in parser/signature processing rather than elsewhere in the firewall service.
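This is an added example, not part of the original deck, that collects the data the two slides above ask for from the TMG server itself. It assumes Sysinternals procdump.exe is on the PATH, that C:\NIS-Triage is writable, and that the NIS/GAPA tracing keys live somewhere under HKLM\SOFTWARE\Microsoft\Network Inspection System (the exact subkey is not readable in the slide, so the script searches for subkeys named GAPA or NIS).

```powershell
# Added example (not from the original deck): gather triage data for high CPU in wspsrv.exe.
# Assumed (not in the original): procdump.exe on PATH, C:\NIS-Triage writable,
# and the location of the tracing keys under "Network Inspection System".
$Out = 'C:\NIS-Triage'
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# 1. Confirm the Firewall service process is the one burning CPU.
$wsp = Get-Process -Name wspsrv -ErrorAction Stop
"wspsrv.exe PID $($wsp.Id), CPU seconds consumed so far: $([int]$wsp.CPU), threads: $($wsp.Threads.Count)"

# 2. Sample CPU for one minute (Perfmon equivalent) while the issue is happening
#    and save it as a .blg that Perfmon can open next to the 'before' capture.
$counters = @('\Process(wspsrv)\% Processor Time', '\Processor(_Total)\% Processor Time')
$samples  = Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 12
$samples | Export-Counter -Path (Join-Path $Out 'wspsrv-cpu.blg') -FileFormat BLG -Force

# 3. Full user-mode dump of wspsrv.exe for the thread / critical-section review.
& procdump.exe -accepteula -ma $wsp.Id (Join-Path $Out 'wspsrv.dmp')

# 4. Show every value under the GAPA and NIS tracing keys so a tracing switch
#    that was left on is visible (tracing itself adds CPU load).
$nisRoot = 'HKLM:\SOFTWARE\Microsoft\Network Inspection System'   # reconstructed root key
Get-ChildItem -Path $nisRoot -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^(GAPA|NIS)$' } |
    ForEach-Object {
        "--- $($_.PSPath)"
        Get-ItemProperty -Path $_.PSPath | Format-List *
    }
```

Open the dump in WinDbg with the public symbols, run !locks for the contended critical sections and ~*k for all stacks, and count how many stacks sit in GapaEngine before deciding whether the problem is signature processing.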
11. Troubleshooting NIS: Signature Update Flow
- The TMG Job Scheduler starts the Update Agent (updateagent.exe), which logs to %windir%\Temp\SA_updateagent.log.
- The Update Agent calls the Windows Update API; the Windows Update client then fetches the NIS signature set from Microsoft Update or from WSUS and logs to %windir%\WindowsUpdate.log.
- When an update fails, read the logs in that order: the agent log shows whether the job ran and what it requested, and WindowsUpdate.log shows whether the download and install succeeded.
14. Troubleshooting NIS: Signature Update Registry Settings
Key: HKLM\SOFTWARE\Microsoft\Fpc\NIS
- LatestSnapshotVersion: version of the most recently installed signature set.
- LatestSnapshotFilepath: full path of the most recent signature set file.
- ReinstallApplicableUpdate: controls whether the latest update is forcibly re-installed; TMG sets it through its COM interface when the "force full update" option is used, so change it through that option rather than by hand.
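The script below is an added example, not from the original deck or from Microsoft, that ties the two update slides together: it reads the three registry values, checks that the snapshot file they point to exists and how old it is, and tails the two logs in the update chain. The key path HKLM\SOFTWARE\Microsoft\Fpc\NIS and the value names are taken from the slide and assumed to be exact.

```powershell
# Added example (not from the original deck): report the state of the NIS signature update pipeline.
# Assumed (from the slide text): key path and value names exactly as shown.
$nisKey = 'HKLM:\SOFTWARE\Microsoft\Fpc\NIS'
$props  = Get-ItemProperty -Path $nisKey -ErrorAction Stop

"LatestSnapshotVersion    : $($props.LatestSnapshotVersion)"
"LatestSnapshotFilepath   : $($props.LatestSnapshotFilepath)"
"ReinstallApplicableUpdate: $($props.ReinstallApplicableUpdate)"

# A version in the registry is only meaningful if the file it refers to is really there.
if ($props.LatestSnapshotFilepath -and (Test-Path $props.LatestSnapshotFilepath)) {
    $f   = Get-Item $props.LatestSnapshotFilepath
    $age = [int]((Get-Date) - $f.LastWriteTime).TotalDays
    "Snapshot file present, last written $($f.LastWriteTime) ($age days ago)"
    if ($age -gt 7) { "WARNING: signature set is more than a week old - check the update job" }
} else {
    "WARNING: snapshot file missing or path not set - an update may never have completed"
}

# Tail the two logs in the order the update flows: agent first, then Windows Update.
$logs = @("$env:windir\Temp\SA_updateagent.log", "$env:windir\WindowsUpdate.log")
foreach ($log in $logs) {
    "--- last 20 lines of $log"
    if (Test-Path $log) {
        Get-Content $log | Select-Object -Last 20      # Select-Object -Last works on PowerShell 2.0
    } else {
        "  (not found)"
    }
}

# Surface failures in WindowsUpdate.log without reading the whole file.
if (Test-Path $logs[1]) {
    "--- WindowsUpdate.log lines mentioning errors or WSUS"
    Select-String -Path $logs[1] -Pattern 'FAIL|error|WSUS' | Select-Object -Last 10
}
```

If the snapshot version is current but TMG still reports old signatures, the agent log is the place to look next; if the agent log shows a request but WindowsUpdate.log shows no download, check WSUS approval or proxy settings for the Windows Update client.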