Some Notes on the Machines

This is the Internet DNS name of a Microsoft server. On a Windows operating system, immediately before any and all of a wide variety of things occur, the machine will contact this server for some bandwidth and connectivity tests.

There are often issues with this. If attempt is made and fails, Windows may throw up a popup in the lower-right corner, asking for a mouse-click. Sometimes DNS servers lack this record for some reason, causing odd and unusual troubles. There have been other consequences.

There are ways to turn this off altogether. So far testing has found zero gotchas for shutting it off, it is not clear whether it is essential. The simplest way to do so, is probably to enable this item in local or domain group policy:

Computer Configuration
Administrative Templates
System
Internet Communication Management
Internet Communication settings
Turn off Windows Network Connectivity Status Indicator active tests

Just learned about this:

www.the-sz.com/products/homedale/

Appears to be very very good. Better ping than many from some major ISPs. Also very sophisticated and configurable, and considerably less expensive for the features, than some.

https://nextdns.io

The hidden NTFS “System Volume Information” folders on Windows machines, can build up and up and up in size. I’ve seen instances ranging from 20G to hundreds of gigabytes, and every time this occurs, the overall system slows down, and often slows down a whole lot. SpaceSniffer is my favorite method of identifying this situation, but there are many. The only preventative I have been able to identify so far, is here.

But here we are discussing cleanup. If you have SentinelOne (S1) installed on this machine, you need to know that S1 considers deletion of volume shadows to be very bad actor behavior. This is because it often is a way that cryptolockers and others delete last-known-good checkpoints. S1 will not let you clear SVI, unless you disable it first, and it will complain very loudly if you try. Instructions for disabling S1, are at the end of this article. There may well be other security tools which will behave similarly, and need similar interaction beforehand.

General cleanup steps:

1. This command usually gets all of them: wmic shadowcopy delete /nointeractive
2. Very rarely, this will get a few more: vssadmin delete shadows /all
3. And even more rarely on a server only, the above two don’t get it done, and this is needed:
   
   diskshadow
   then within diskshadow’s command line: delete shadows all
   

Any of these can take a while, especially if SVI is big, e.g., more than 20-30 gigabytes. It can get huge occasionally, hundreds of gigabytes. I recently saw 1,022 shadow copies deleted (the first and third methods tell you the count) from one server.

Special case cleanup steps

Special cases do occur. Here are steps which can help a lot.

• Sometimes the steps above quit in the middle. Start them over again. Often they’ll complete.
• If the above does not completely solve the situation (if the SVI folder is still huge), do vssadmin resize shadowstorage for the relevant drive(s) (try /? for syntax…), first to 10%, then back to whatever it was. Sometimes Windows will do a lot of steady cleanup for you, sometimes over hours of time. You’ll see it by watching File Explorer.
• Run CHKDSK /F at reboot. Then start from the beginning :-)

To disable SentinelOne:

1. First get the Passphrase for the machine, from the S1 console. It’s under Actions, you can choose Show Passphrase. Do be aware that your S1 admin may receive a notice that you have asked for this.
2. cd "C:\Program Files\SentinelOne\Sentinel*"
3. Please put the actual passphrase in, and the quotes are necessary:
   .\sentinelctl.exe unload -slam -k "<passphrase>"

Then, and only then, will the cleanup commands above work.

To reenable S1:

4. .\sentinelctl.exe load -slam

If you should need to reenable S1 and your command prompt is not where you need it, here’s a paste:

cd "C:\Program Files\SentinelOne\Sentinel*"
.\sentinelctl.exe load -slam

Ran into this recently. First one then four more users at a site, encountered it. This page:

community.adobe.com/t5/acrobat-reader-discussions/adobe-reader-freezes-after-opening-a-document/m-p/3903334

has a fix with registry entries for version 2015. The fix reportedly works all the way up to the current (DC). Here’s Powershell to get the fix in; reportedly restart and/or reboot is required:

$RegistryPath = "HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown"
If (-Not (Test-Path -Path $RegistryPath)) { 
    "Adobe Acrobat DC is not installed; fix not appropriate or needs modification."
    exit
}
cd $RegistryPath
If (-Not (Test-Path -Path "cServices")) { 
    mkdir cServices 
}
cd cServices
New-ItemProperty -Path . -Name bToggleAdobeDocumentServices -Value 1 -PropertyType "DWord"
New-ItemProperty -Path . -Name bToggleAdobeSign -Value 1 -PropertyType "DWord"
New-ItemProperty -Path . -Name bToggleAdobePrefSync -Value 1 -PropertyType "DWord"
New-ItemProperty -Path . -Name bUpdater -Value 0 -PropertyType "DWord"

There are multiple methods; this is reported to be undeprecated by Apache, possibly the only undeprecated way to do this.

AuthType Basic
AuthName "myserver publicname"
AuthUserFile "/myserverpath/.htpasswds/public/passwd"
require ip 11.12.13.14
require ip 11.12.13.15
require valid-user

This very nice tool will download an executable from a web site and test it for bad actor behavior.

www.virustotal.com/

This works well as of this writing.

[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
md -Path $env:temp\edgeinstall -erroraction SilentlyContinue | Out-Null
$Download = join-path $env:temp\edgeinstall MicrosoftEdgeEnterpriseX64.msi
Invoke-WebRequest 'http://go.microsoft.com/fwlink/?LinkID=2093437'  -OutFile $Download
Start-Process "$Download" -ArgumentList "/quiet"
# placeholder for "enter" autokeyhit

This is a change to a replacement URL, and it will hopefully be a more lasting kind than the previous. The above works for AMD64 Windows; the URL comes from here:

techcommunity.microsoft.com/t5/discussions/official-download-links-for-microsoft-edge-stable-enterprise/m-p/1082549

and there is support for other platforms on that page.

We see it fairly often. An email comes “From” a real name, but the actual email address is wrong, a spammer’s or scammer’s Gmail or worse. Once we saw this with a very slightly misspelled domain — let’s say “pondervorthy” instead of “ponderworthy”. I just learned of a way to handle it, when one has email filtration which can do it, and when it works for another reason:

Let’s say we’re protecting me. I know all of my email addresses, at work and home. If I set my email filtration system to consider spam everything From “Jonathan E. Brickman” and “Jonathan Brickman”, which does not come from any of my email addresses, that will take good care. The biggest risk is another person named Jonathan Brickman trying to email me. Reportedly, one should actually do it like this, scanning email headers:

FROM: Jonathan Brickman, FROM: "Jonathan Brickman

This is because some of the bad actors are adding spaces after the name text. So the final quote is not set up in the filter rule. It’s really two different FROM field lookups within headers of the email, OR’d, in this system.

Now there are a number of Jonathan Brickmans in the world, but I haven’t met one yet (if you are one, please do email me at jeb@ponderworthy.com, that way we both will have done so at least once); I’m not sure there are many Jonathan Edward Brickmans; but if I found that there were, I’d put in a nickname in parenthesis, set the filtration rule for it

FROM: Jonathan Brickman (JEB), FROM: "Jonathan Brickman (JEB)

and that should do the job nicely, giving me a unique “From” real name for filtration purposes.

There may be other “gotchas”, I will test this over time. It cannot do a comprehensive block, but can clearly help.

In Microsoft Outlook rules, some of the above logic seems to be missing: one cannot filter based on text or email addresses not in the header. I will be checking Exchange Online shortly. One third-party service is confirmed as working well for this.

Simple web-filters often cannot do the job on YouTube, because YouTube is one big web site. To deny access to certain kinds of content, a worthwhile route is Group Policy for Chrome and Edge, to require YouTube restricted mode:

www.thewindowsclub.com/how-to-enforce-youtube-restricted-mode-in-chrome

www.thewindowsclub.com/youtube-restricted-mode-in-microsoft-edge

This plus cleanbrowsing.org DNS, seems to do the job very well.