Super-Networking Blog

Archive for January, 2008

Symantec Endpoint Protection 11 - Part II

by admin on Jan.31, 2008, under Software, Systems

I am still running Endpoint Protection on my laptop, with only one issue so far. Endpoint Protection 11 breaks WPA and WPA2 authentication for your wireless network. From reading in some Symantec forums, it is a known issue with this software. The easiest way around it is to disable Network Threat Protection while you are authenticating, then enable it once the connection is established.

I looked for more of a permanent solution, but even when I disabled the HIPS rules and allowed all traffic to pass on my wireless card it still failed. I guess this is the case when the client is unmanaged; if you have a managed client, which I don’t, you can work around it by allowing EAPOL. I can’t test this because I don’t have the server and so it isn’t managed. Hopefully they come out with a workaround.


Microsoft Virtual Server 2005

by admin on Jan.30, 2008, under Software, Systems

If you are running Virtual Server 2005 on a server with multiple processors you should be aware that the virtual machines you run on the server can only use one processor. So if you have a four processor server and are running two Virtual Machines you will only be able to utilize two out of the four processors. To make things worse if you have hyper-threading enabled on your processors the Virtual Machines can only use one logical processor or half of the physical processor. This will slow down your Virtual Machines a lot.

It is always recommended that you disable hyper-threading to get the best performance out of your Virtual Machines. Dual core processors are fine because it is actually two full speed processors in one instead of cutting the processing power in half like hyper-threading does. That said Virtual Machines in Virtual Server 2005 can still only use one core on a dual core processor but it is the same as running one physical processor.

Also I am hearing that the new Microsoft Server 2008 Hyper-V server will be able to utilize multi-core processors in Virtual Machines. This will break the single processor restriction in the current 2005 server.


Find the Files that are Eating Your Drive Space

by admin on Jan.29, 2008, under Software, Systems

How often do you find that one of your servers has a drive that is full or has doubled in space usage overnight? If you are like me, you don’t want to spend the time looking through Explorer to find the size of each folder manually.

An easy free tool that tells you exactly what all the folder sizes are on any Windows drive is called TreeSize Free. You don’t even have to install it: just move over a folder with two files that are under a meg and you are up and running. It will make a quick scan of the drive of your choice and list the folders in order by size. You can then drill down in the folder structure to find what you need right away.


Windows XP SP2 Blocking a File

by admin on Jan.28, 2008, under Systems

So I ran into a new one today on my Windows XP Pro machine. I was trying to extract a program out of a zip file using XP’s built in compressed file program. The Zip file was 12MB in size, when I did an extract all it was only 100K worth of files in the directory. No errors no alerts, nothing in the event logs. I went into the folder and saw the .EXE was missing. I disabled my Antivirus and tried again, same result. I checked windows defender and it was disabled.

Windows itself was blocking it, I had never had Windows stop me from extracting a file before. I tried to run the file from within the Zip file and that is when I got the error that Windows has blocked the file.

Here is what Windows says about it:

  How blocking some attachments helps protect your computer

    Sending and reading e-mail is one of the most popular activities on the Internet. The widespread use of this technology, however, makes it a primary way for computer viruses to spread. Because viruses and other security threats are often contained in e-mail attachments, Microsoft Windows XP Service Pack 2 (SP2) helps protect your computer by blocking e-mail attachments that might be harmful.

    In most cases, Windows XP SP2 will block files that have the potential to harm your computer if they come to you through e-mail or other communication programs. Windows will block these files if your program is running in a strong security mode. Most files that contain script or code that could run without your permission will be blocked. Some common examples of this file type are those with file names that end in .exe, .bat, and .js.

    Blocking these files is very important to do, since directly opening files of this type poses a risk to your computer and personal data.

  Is there any way I can open files that have been blocked?

    If you are certain that you trust this file and want to open it, follow the instructions below.

  1. Save the file onto your computer.
  2. Click Start, click My Computer, and navigate to the file that you saved.
  3. Right-click the file that you saved, and then click Properties.
  4. Click Unblock near the bottom of the dialog box.

Sure enough once I “Unblocked” the Zip file it extracted and the EXE ran.


Symantec Endpoint Protection 11

by admin on Jan.25, 2008, under Software, Systems

I installed a trial of Symantec’s Endpoint Protection, which is the new version of Symantec’s Enterprise Antivirus. I have used Symantec in business all the way back to version 7 and have always liked it. Version 10 switched its server-to-client communication from UDP to TCP, which improved network stability. They also changed new virus definitions to be deltas instead of full definitions.

Well, Symantec has taken it to the next level now with Endpoint Protection. Now the firewall package is built into all of their clients instead of just their SCS clients. They have also added a HIPS, or Host Intrusion Protection Software, into this client. This is the next step that a lot of companies have been trying to pull off but haven’t done well yet. IPS watches for known and unknown attacks by watching for activity that could be trying to do malicious things.

Firewalls are great because they block connections that aren’t specifically allowed, but that still allows all traffic on open ports; the IPS piece will analyze that traffic and watch for malicious activity. So far I have been very impressed with how well it is designed. I have not had to make any changes to allow things to work on my machine. I am on a domain, and typically you have to allow a ton of stuff just for your machine to function, and I did not. The only change I made was to turn off the alerts when the firewall blocked something.

One more note: a lot of standards, including PCI, require you to run HIDS/HIPS on your machines.


Netflow Info without the Software

by admin on Jan.24, 2008, under Networking, Routers

As many of you who have used it in the past know, netflow is a great tool. Netflow gives you detailed information about traffic flowing through your routers. You can find out what IPs the traffic is coming from and going to, and you can see what protocols, what ports and how much traffic is going through that router. It is a big help if you are trying to find the cause of a traffic spike or why your Internet connection is maxed out.

Typically you need software to collect the exported netflow data and then compile it into some easy-to-read form. This software typically isn’t cheap, and sometimes you need the data now and don’t have time to install a collector. I will give you the commands you need to get a quick look at the traffic flowing right now.

First thing you have to do is have the router watch the flows:

Under each interface type the command “ip route-cache flow”.

Exit the interface config and add the command “ip flow-export version 5” to select a version.

Let it collect traffic for a little bit; it shouldn’t impact the performance of your router.

Then to see the traffic breakdown type the command “show ip cache flow”.

This will give you the basic breakdown of the traffic going through your router. Look at the Pkts column to see where the heavy hitters are. When you are done looking at it, just leave it running on your interfaces; it won’t affect performance and will be in place for when you have a netflow collector installed.
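
A quick way to rank the heavy hitters from that output, as an added example that is not part of the original post: the script parses the flow table printed by “show ip cache flow”, decodes the hexadecimal Pr, SrcP and DstP columns, and totals packets per source address. The sample rows are constructed, and the handling of K/M suffixes on large packet counts is an assumption about how the router abbreviates them.

```python
import re
from collections import Counter

# Constructed sample of the flow table at the end of "show ip cache flow".
# IOS prints the Pr, SrcP and DstP columns in hexadecimal.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.1.1.25       Fa0/1         192.0.2.10      06 C4A1 0050  9120
Fa0/0         10.1.1.25       Fa0/1         192.0.2.10      06 C4A2 01BB  4310
Fa0/0         10.1.1.40       Fa0/1         198.51.100.7    11 D431 0035    18
Fa0/1         192.0.2.10      Fa0/0         10.1.1.25       06 0050 C4A1   15K
Fa0/0         10.1.1.77       Null          203.0.113.9     01 0000 0800     4
"""

FLOW_RE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src>\d+(?:\.\d+){3})\s+"
    r"(?P<dst_if>\S+)\s+(?P<dst>\d+(?:\.\d+){3})\s+"
    r"(?P<pr>[0-9A-Fa-f]{2})\s+(?P<sp>[0-9A-Fa-f]{4})\s+(?P<dp>[0-9A-Fa-f]{4})\s+"
    r"(?P<pkts>\d+)(?P<unit>[KM]?)\s*$"
)
SCALE = {"": 1, "K": 1000, "M": 1000000}  # assumed abbreviation of large counts


def parse_flows(text):
    """Return one dict per flow row; headers and statistics lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append({
                "src": m["src"], "dst": m["dst"],
                "proto": int(m["pr"], 16),  # 06 = TCP, 11 = UDP (17), 01 = ICMP
                "sport": int(m["sp"], 16), "dport": int(m["dp"], 16),
                "pkts": int(m["pkts"]) * SCALE[m["unit"]],
            })
    return flows


def top_talkers(flows, n=3):
    """Total the Pkts column per source address and return the n largest."""
    totals = Counter()
    for flow in flows:
        totals[flow["src"]] += flow["pkts"]
    return totals.most_common(n)


if __name__ == "__main__":
    for src, pkts in top_talkers(parse_flows(SAMPLE)):
        print(f"{src:<16}{pkts:>10} pkts")
```
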


Troubleshooting High CPU on SQL 2005

by admin on Jan.23, 2008, under Software, Systems

So I am not a DBA, I have never done much work on SQL servers other than back them up, patch them or install new copies of them. At my new job I have started to take on some of the tasks of a DBA including troubleshooting poor performing SQL boxes.

Don’t expect me to be adding in a ton of query statements or SQL traces, because I try to stay out of most of that stuff at this point of the game. The first thing I did to aid me in maintaining and troubleshooting SQL was to install SQL Server Management Studio from the SQL 2005 install media. This allows you to connect to SQL instances without having to log in to the console of the box.

There are two places to look right away to see what is going on in that SQL instance. The first is under SQL Server Agent -> Job Activity Monitor. In here you will be able to see if any scheduled jobs are running, the history of the jobs, etc. The other place to look right away is under Management, in Activity Monitor. In here you will see what processes are currently running. You can see pretty much in real time what is using resources like disk, memory, and CPU. You can also see what processes might have locks.

Now, getting back to high CPU on your SQL box: unless it is one job or one long-running query that is using all the CPU, the Activity Monitor isn’t really going to help you. It could be that a short-running query is running 100s or 1000s of times a minute and this is causing the CPU issues. One easy way to tell what is taking up the CPU is the built-in reports of SQL 2005. Right-click on the instance name in Management Studio -> Reports -> Standard Reports -> find “Performance - Top Queries by Total CPU”. This will give a breakdown of which queries being run against this instance are using the most CPU and are being run the most times. These stats are being taken all the time by SQL 2005, so you aren’t taking up more resources to monitor the instance.

This is just one place to start looking but it gives you a lot of good info.

